Cryptography-Digest Digest #681, Volume #12      Thu, 14 Sep 00 19:13:01 EDT

Contents:
  Re: RSA Questions (Bryan Olson)
  Re: Weaknesses in this algorithm? (Benjamin Goldberg)
  Re: [Q] Design criteria for sboxes in Tiger/192 ? (Mok-Kong Shen)
  Re: DH -> 3DES ([EMAIL PROTECTED])
  Re: Dickman's function (D. J. Bernstein)
  Re: Looking for Partners (and Investors) ("root@localhost " <[EMAIL PROTECTED]>)
  Re: Looking for Implementation Site ("root@localhost " <[EMAIL PROTECTED]>)
  Re: 20 suggestions for cryptographic algorithm designers (D. J. Bernstein)
  Re: Scottu19 Broken (JPeschel)
  "Secrets and Lies" at 50% off (Bruce Schneier)
  Re: cellular automata rng? (Tim Tyler)
  Re: [Q] Design criteria for sboxes in Tiger/192 ? (Tim Tyler)
  Re: Fresh Meat: New Crypto Algorithms Announced (David A Molnar)
  Re: DH -> 3DES (Tom St Denis)
  Re: "Secrets and Lies" at 50% off (Tom St Denis)
  Comments TC6a please (Tom St Denis)
  Re: Recent crypto text (David A Molnar)
  Re: free ssl cert (Paul Rubin)

----------------------------------------------------------------------------

From: Bryan Olson <[EMAIL PROTECTED]>
Subject: Re: RSA Questions
Date: Thu, 14 Sep 2000 20:07:11 GMT

Jim Trek wrote:
> Does anybody know what goes wrong with RSA
> if p or q or both are not necessarily prime?

The modulus must be the product of distinct primes for
encryption to be invertible.

> Surely there is still a way to select a d such
> that decryption works for the receiver.

If the prime factors of n are

    p_1, p_2, ..., p_k (all distinct)

let lambda be the least common multiple of

   (p_1 - 1, p_2 - 1, ..., p_k - 1).

Then choose d as the inverse of e modulo lambda.


> If RSA becomes weaker, does anybody know how
> messages would be decrypted without d?

If the factors get too small, the modulus becomes easier to
factor.  The attack is to find d, not to decrypt without it.


> I ask these questions because the strength of RSA seems
> to depend upon the size of the numbers.  The numbers encrypted
> by RSA must be large; otherwise, a table could be made...

The table attack is exponential in time and space, and much
more expensive than factoring.


--Bryan
--
email: bolson at certicom dot com


Sent via Deja.com http://www.deja.com/
Before you buy.
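
Bryan's construction with the round-trip check made explicit, as an added example (my code, not from the post): n is the product of distinct small primes, d = e^-1 mod lambda with lambda = lcm(p_i - 1), and a brute-force loop confirms (m^e)^d = m for every m in Z_n; with a repeated prime factor the same construction is not invertible. The primes and e = 17 are toy values chosen here.

```python
from functools import reduce
from math import gcd


def lcm(a, b):
    return a * b // gcd(a, b)


def rsa_key(primes, e=17):
    """n = product of the given primes, d = e^-1 mod lambda, lambda = lcm(p_i - 1).

    This is the construction from the post; it assumes the primes are distinct.
    """
    n = reduce(lambda x, y: x * y, primes, 1)
    lam = reduce(lcm, (p - 1 for p in primes), 1)
    if gcd(e, lam) != 1:
        raise ValueError("e must be invertible modulo lambda")
    return n, e, pow(e, -1, lam)  # modular inverse, Python 3.8+


def failing_messages(primes, e=17):
    """Messages m in Z_n that are not recovered by m -> m^e -> (m^e)^d mod n."""
    n, e, d = rsa_key(primes, e)
    return [m for m in range(n) if pow(pow(m, e, n), d, n) != m]


def roundtrip_ok(primes, e=17):
    """True iff decryption inverts encryption for every message in Z_n."""
    return not failing_messages(primes, e)


if __name__ == "__main__":
    # distinct primes: invertible; repeated prime (n = 45, 25): not invertible
    print(rsa_key([3, 5, 7]), roundtrip_ok([3, 5, 7]))
    print(roundtrip_ok([3, 3, 5]), failing_messages([3, 3, 5])[:5])
```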

------------------------------

From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: Weaknesses in this algorithm?
Date: Thu, 14 Sep 2000 20:25:39 GMT

Runu Knips wrote:
> 
> Patrick Schultz wrote:
> > Ok, I see the weakness is in the fact that RC4 is just xoring a
> > pseudo-random string with the one-time pad.
>
> No, the problem is that sending an OTP encrypted means that
> you always weaken the security of the whole protocol to the
> security of the encryption of the OTP. Therefore you can
> drop the OTP and use that encryption directly.

But what if the plaintext has much structure/guessability, eg being
mostly zeros?  If numbers in the range 0..1000 are sent as 4-byte
values, we *know* 2 bytes are 0, and 6 bits of a 3rd byte are also 0.
If we encrypt this data directly with a block cipher, we have quite a
bit of known plaintext, which will significantly assist in breaking that
block cipher. Doing the thing with the OTP means that the block cipher
cannot be so easily attacked.

--
... perfection has been reached not when there is nothing left to
add, but when there is nothing left to take away. (from RFC 1925)



------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: [Q] Design criteria for sboxes in Tiger/192 ?
Date: Thu, 14 Sep 2000 23:01:18 +0200



"David C. Barber" wrote:
> 
> As I recall once hearing, DES proved surprisingly resistant to later
> developed attacks (differential cryptanalysis) and it was determined that
> its S-boxes appeared optimized against that type of attack.  When asked, one
> of the original designers basically just smiled and did not comment further.
> The implication was that the designers knew of the DC attack, and perhaps
> others not publicly known, and armored DES against it.

One of the designers of DES acknowledged having known at
design time the differential analysis technique when the
same was very much (14 years) later re-invented by Biham
and Shamir. It is not unreasonable to conjecture that the
knowledge and capability of the non-public experts are
always ahead of those of the public experts. (Hence
reason to be conservative.)

M. K. Shen

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: DH -> 3DES
Date: Thu, 14 Sep 2000 20:36:23 GMT

In article <8pr8on$gc7$[EMAIL PROTECTED]>,
  Tom St Denis <[EMAIL PROTECTED]> wrote:
> In article <8pr2pf$8hq$[EMAIL PROTECTED]>,
>   [EMAIL PROTECTED] wrote:
> > I'm looking for a reference on how to exchange 3DES keys with Diffie
> > Helman.  What size prime should the DH use to be stronger than 3DES?
> > Should I just take the first 24 bytes of the DH computed key as the
> > computed 3DES key or is more processing necessary?
> > Should I check for weak DES keys?
> > Adjust parity?
>
> My suggestion is to use a 1024-bit DH field (1024 bit prime) which has
> a large prime factor (i.e p = 2p1 + 1 where p1 is prime).  Then hash the
> shared value g^xy mod p, to the desired length.  If you need a 168 bit
> key from SHA-1 you can get the last eight bits via linear mixing of the
> first 160 (or hash it again and keep only eight bits).  The effective
> key length will only be 160 bits but that's plenty long for now.
>
> Otherwise use ElGamal and encrypt a random 168 bit string and don't use
> the hash.  ElGamal is the variation of DH that allows for signatures
> and encryption much like RSA (diff math but similar idea).
>
> Tom

Any need to check for weak DES keys?  And what if you find them?

Roger



------------------------------

From: [EMAIL PROTECTED] (D. J. Bernstein)
Crossposted-To: sci.math.num-analysis
Subject: Re: Dickman's function
Date: 14 Sep 2000 20:35:00 GMT

Francois Grieu  <[EMAIL PROTECTED]> wrote:
> Somehow this code 
> circumvents the error propagation problem encountered in my methods, 

Expand rho as a power series to the right of 1, to the right of 3/2, to
the right of 2, etc. Use the integral to evaluate the constant term of
each power series. Use the differential equation to evaluate the next 20
or 30 terms. This is numerically stable.

---Dan
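
The power-series scheme Dan describes, carried through as an added example (my code, not Dan's or Francois Grieu's): one expansion of rho at each of a = 1, 3/2, 2, 5/2, ..., valid on the half-unit interval to its right; the constant term comes from the integral form u*rho(u) = integral of rho over [u-1, u], the remaining terms from the delay equation u*rho'(u) = -rho(u-1). Using 40 terms per segment is my choice.

```python
import math
from functools import lru_cache

TERMS = 40  # terms per half-unit segment (Dan suggests 20 or 30)


def _integral_half(coeffs):
    """Integrate sum c_j t^j over t in [0, 1/2], term by term."""
    return sum(c * 0.5 ** (j + 1) / (j + 1) for j, c in enumerate(coeffs))


@lru_cache(maxsize=None)
def _segment(k):
    """Coefficients c_j with rho(k/2 + t) = sum c_j t^j for 0 <= t <= 1/2."""
    if k <= 1:
        return (1.0,) + (0.0,) * (TERMS - 1)  # rho(u) = 1 on [0, 1]
    a = k / 2
    b = _segment(k - 2)  # series of rho(a - 1 + t), same t
    c = [0.0] * TERMS
    # constant term: rho(a) = (1/a) * integral_{a-1}^{a} rho(t) dt,
    # i.e. the two previous half-unit segments integrated and divided by a
    c[0] = (_integral_half(b) + _integral_half(_segment(k - 1))) / a
    # next terms: (a + t) * rho'(a + t) = -rho(a - 1 + t), compare t^j
    for j in range(TERMS - 1):
        c[j + 1] = -(b[j] + j * c[j]) / (a * (j + 1))
    return tuple(c)


def dickman_rho(u):
    """Dickman's rho(u) for u >= 0, evaluated from the cached segment series."""
    if u <= 1:
        return 1.0
    k = int(math.floor(2 * u))
    t = u - k / 2
    acc = 0.0
    for c in reversed(_segment(k)):  # Horner evaluation
        acc = acc * t + c
    return acc


if __name__ == "__main__":
    # rho(2) = 1 - ln 2, rho(3) = 0.04860838829...
    for u in (1.5, 2, 3, 4, 10):
        print(u, dickman_rho(u))
```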

------------------------------

From: "root@localhost <spamthis>" <[EMAIL PROTECTED]>
Crossposted-To: alt.inventors
Subject: Re: Looking for Partners (and Investors)
Date: Thu, 14 Sep 2000 16:45:33 -0400

rosi wrote:

http://www.urbanna.net/myresume.html

If the "system" will approve my participation in your project,
I am interested.

-m-

> 
>    --- (My Signature)

--
   If children don't know why their grandparents did what they 
did, shall those children know what is worth preserving and what 
should change? 

   http://www.cryptography.org/getpgp.htm

------------------------------

From: "root@localhost <spamthis>" <[EMAIL PROTECTED]>
Subject: Re: Looking for Implementation Site
Date: Thu, 14 Sep 2000 16:46:31 -0400

rosi wrote:
> 
>    Looking for a place (for the development) in a country where
> there is NO or little restrictions on cryptographic products with
> regard to using, importing, exporting, etc. Anybody who would
> partner and host such a site, please let me know. One that is
> closest to the U.S. is the most desirable.
> 

Ooops, I don't think I will be able to participate.  Sorry.
To have troubled you.

-m-

>    --- (My Signature)

--
   If children don't know why their grandparents did what they 
did, shall those children know what is worth preserving and what 
should change? 

   http://www.cryptography.org/getpgp.htm

------------------------------

From: [EMAIL PROTECTED] (D. J. Bernstein)
Subject: Re: 20 suggestions for cryptographic algorithm designers
Date: 14 Sep 2000 20:59:15 GMT

David Hopwood  <[EMAIL PROTECTED]> wrote:
> If there is a completely arbitrary choice of byte order, use big-endian.

No. Little-endian is much more widely supported than big-endian, and is
universally supported by new processors.

---Dan

------------------------------

From: [EMAIL PROTECTED] (JPeschel)
Date: 14 Sep 2000 21:00:28 GMT
Subject: Re: Scottu19 Broken

Douglas A. Gwyn [EMAIL PROTECTED] writes:

>Tim Tyler wrote:
>> I wonder if James Joyce (Finnegan's Wake) could
>> make use of a similar excuse... ;-)
>
>I suppose it depends on whether we have solid evidence that
>he *could* write decent prose, also on whether the style of
>FW was essential to the story or was just a wild experiment.

"Portrait" is solid evidence of Joyce's ability to
write good, mainstream prose... if you don't care for
"experimental" stuff. But the techniques that were
experimental in Joyce's time are pretty much
standard, albeit refined, nowadays.

I suppose what you might consider mainstream
and experimental depends on what you've read.
I've had students tell me that Updike's work
is experimental!  

Joe
__________________________________________

Joe Peschel 
D.O.E. SysWorks                                 
http://members.aol.com/jpeschel/index.htm
__________________________________________


------------------------------

From: Bruce Schneier <[EMAIL PROTECTED]>
Crossposted-To: comp.security,comp.security.misc
Subject: "Secrets and Lies" at 50% off
Date: Thu, 14 Sep 2000 16:21:58 -0500

This is the cheapest I've seen the book.  I know what the publisher
sells the book for, and FatBrain is losing money on every sale.  I
have no idea if this is a temporary promotion, or how long it will
last.  But I figured I should get the word out:

http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=0471253111

Bruce
**********************************************************************
Bruce Schneier, Counterpane Internet Security, Inc.  Tel: 408-556-2401
3031 Tisch Way, Suite 100PE, San Jose, CA 95128      Fax: 408-556-0889
           Free crypto newsletter.  See:  http://www.counterpane.com

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: cellular automata rng?
Reply-To: [EMAIL PROTECTED]
Date: Thu, 14 Sep 2000 21:15:29 GMT

Mok-Kong Shen <[EMAIL PROTECTED]> wrote:

: Being conservative, I suggest that you first do some statistical
: tests before considering using such random sources.

Wolfram did some tests of his own in his 1986 paper.  See section 10
(Statistical Properties) - and the appendix.

Tom often seems unsympathetic to the use of randomness test suites.

It's true that very often passing tests for randomness is a result of
little value - since it says practically nothing about cryptographic
strength.

It's also true that our ability to generate randomness should normally
*massively* exceed our ability to test for deviations from it.  Only if
we're using generators designed with speed in mind - or if we're using
toy, scaled-down models - should randomness tests have any hope of 
exposing problems with our more serious random number generators.

Despite these issues, such tests remain very useful for spotting
implementation errors, and other basic problems.
-- 
__________  Lotus Artificial Life  http://alife.co.uk/  [EMAIL PROTECTED]
 |im |yler  The Mandala Centre   http://mandala.co.uk/  Namaste.

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: [Q] Design criteria for sboxes in Tiger/192 ?
Reply-To: [EMAIL PROTECTED]
Date: Thu, 14 Sep 2000 21:26:10 GMT

Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
: Tim Tyler wrote:
:> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:

[secret s-boxes]

:> : I don't know. But I like to point out that the same
:> : question apparently could apply to almost all well-
:> : known block ciphers that have S-boxes, starting with
:> : DES, whose design rationales are kept secret even
:> : today. [...]
:> 
:> These were published by IBM, IIRC.  Aren't they as stated on A.C. p. 294?

: No, you erred. There has never been a (complete) publication
: of the DES design informations.

I was talking about the criteria for the selection of the DES s-boxes
which - AFAIK - were subsequently made public.

I'm not sure if it would be possible to give a complete description of
the design considerations behind the construction of a cypher - at least not
without getting into murky, subjective processes.
-- 
__________  Lotus Artificial Life  http://alife.co.uk/  [EMAIL PROTECTED]
 |im |yler  The Mandala Centre   http://mandala.co.uk/  VIPAR GAMMA GUPPY.

------------------------------

From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: Fresh Meat: New Crypto Algorithms Announced
Date: 14 Sep 2000 21:52:14 GMT

Mok-Kong Shen <[EMAIL PROTECTED]> wrote:

>> documents, sigh).  I see prices of 100 and 1000 EURO's; I think
>> this is per algorithm.

> So that excludes analysts that are poor and one has 'security
> through high cost' :-)

Er, do they plan on *deploying* these ciphers in anything?

-David

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: DH -> 3DES
Date: Thu, 14 Sep 2000 21:57:42 GMT

In article <8prcs5$liq$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] wrote:
> In article <8pr8on$gc7$[EMAIL PROTECTED]>,
>   Tom St Denis <[EMAIL PROTECTED]> wrote:
> > In article <8pr2pf$8hq$[EMAIL PROTECTED]>,
> >   [EMAIL PROTECTED] wrote:
> > > I'm looking for a reference on how to exchange 3DES keys with Diffie
> > > Helman.  What size prime should the DH use to be stronger than 3DES?
> > > Should I just take the first 24 bytes of the DH computed key as the
> > > computed 3DES key or is more processing necessary?
> > > Should I check for weak DES keys?
> > > Adjust parity?
> >
> > My suggestion is to use a 1024-bit DH field (1024 bit prime) which has
> > a large prime factor (i.e p = 2p1 + 1 where p1 is prime).  Then hash the
> > shared value g^xy mod p, to the desired length.  If you need a 168 bit
> > key from SHA-1 you can get the last eight bits via linear mixing of the
> > first 160 (or hash it again and keep only eight bits).  The effective
> > key length will only be 160 bits but that's plenty long for now.
> >
> > Otherwise use ElGamal and encrypt a random 168 bit string and don't use
> > the hash.  ElGamal is the variation of DH that allows for signatures
> > and encryption much like RSA (diff math but similar idea).
> >
> > Tom
>
> Any need to check for weak DES keys?  And what if you find them?

There are so few weak DES keys that checking is generally not
required.  You can though, test and reject them if you like...

Tom


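
The procedure Tom outlines across this thread, as an added worked example (my code, not Tom's or Roger's): a DH exchange over a safe prime p = 2*p1 + 1, SHA-1 of the shared value extended from 160 to 168 bits by hashing again, expansion into a 24-byte 3DES key with odd parity, and rejection of the four DES weak keys as Tom suggests. The prime p = 23 is a constructed toy value standing in for the 1024-bit safe prime Tom recommends, and the subgroup check on the peer's public value is my addition.

```python
import hashlib
from secrets import randbelow

# Toy safe prime p = 2*p1 + 1 with p1 = 11, constructed for illustration only.
# G = 4 has order p1 in Z_p^* (4^11 = 2^22 = 1 mod 23), so shared values
# land in the large prime-order subgroup that a safe prime provides.
P1 = 11
P = 2 * P1 + 1
G = 4

# The four DES weak keys, written in their odd-parity form.
DES_WEAK_KEYS = {bytes.fromhex(h) for h in (
    "0101010101010101", "FEFEFEFEFEFEFEFE",
    "E0E0E0E0F1F1F1F1", "1F1F1F1F0E0E0E0E")}


def dh_keypair():
    """Random private exponent x in [1, p1 - 1] and public value g^x mod p."""
    x = 1 + randbelow(P1 - 1)
    return x, pow(G, x, P)


def dh_shared(peer_pub, x):
    """g^xy mod p, after checking the peer's value lies in the order-p1 subgroup."""
    if not 1 < peer_pub < P - 1 or pow(peer_pub, P1, P) != 1:
        raise ValueError("invalid DH public value")
    return pow(peer_pub, x, P)


def set_odd_parity(key):
    """DES parity: force every byte to an odd number of 1 bits via its low bit."""
    out = bytearray()
    for b in key:
        b &= 0xFE
        out.append(b | (1 if bin(b).count("1") % 2 == 0 else 0))
    return bytes(out)


def expand_168_to_192(material):
    """Spread 168 key bits over 24 bytes: 7 bits per byte, parity bit in the LSB."""
    assert len(material) == 21
    bits = int.from_bytes(material, "big")
    raw = bytes(((bits >> (7 * (23 - i))) & 0x7F) << 1 for i in range(24))
    return set_odd_parity(raw)


def derive_3des_key(shared):
    """SHA-1 the shared value, extend 160 -> 168 bits by hashing again, reject weak keys."""
    size = (P.bit_length() + 7) // 8
    h = hashlib.sha1(shared.to_bytes(size, "big")).digest()  # 160 bits
    material = h + hashlib.sha1(h).digest()[:1]              # + 8 bits = 168 bits
    key = expand_168_to_192(material)
    if any(key[i:i + 8] in DES_WEAK_KEYS for i in (0, 8, 16)):
        raise ValueError("weak DES subkey derived; rerun the exchange")
    return key
```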

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Crossposted-To: comp.security,comp.security.misc
Subject: Re: "Secrets and Lies" at 50% off
Date: Thu, 14 Sep 2000 22:13:42 GMT

In article <[EMAIL PROTECTED]>,
  Bruce Schneier <[EMAIL PROTECTED]> wrote:
> This is the cheapest I've seen the book.  I know what the publisher
> sells the book for, and FatBrain is losing money on every sale.  I
> have no idea if this is a temporary promotion, or how long it will
> last.  But I figured I should get the word out:
>
> http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=0471253111

I know you are well intentioned but for the same reason I don't like
other spammers, I would suggest that you don't do this.

If you want to talk about your book by all means go ahead, but you
really are spamming this group.

Just my two cents, and seriously no offence intended.

Tom



------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Comments TC6a please
Date: Thu, 14 Sep 2000 22:20:29 GMT

Some may already know about my block cipher TC6a (TC6 was a 128 bit
version, but the a-version is a 64-bit version that is much faster).  I
used a pair-wise decorrelated function in GF(2)^32 as the round
function in a homogeneous balanced Feistel network.

There are six rounds [1] and the feedback scheme is addition modulo
2^32.  The key schedule takes any key from 1 to 32 bytes (8 to 256
bits) and copies->encrypts the values.  (the source is really trivial
to follow).  I then check for zero-divisors in the multiplicand part of
the round keys (i.e zeroes :) ) then replace them with a linear
function of the other key words.

In the actual implementation I compute the GF multiplication as series
of four 8x32 look ups, this takes 24kb of ram, but I get 13 cycles/byte
on my K6-2 350mhz.  Which is by far the fastest block cipher I have
ever seen in software (C source code).

[1] I think eight rounds should have been used to avoid impossible
differential attacks, but if I understand that attack right the 64-bit
round key will require O(2^64) time to find given sufficient
plaintexts.  With eight rounds the cipher runs at about 16~17
cycles/byte with similar source code (requires 32kb of ram).

Obviously eight rounds should be used in real life.  The cipher is
versatile in the sense that the GF mult can be done as a multiply or
look ups...

So you are asking why look at it?

1.  Provably secure against diff/linear attacks of order 2
2.  Very fast
3.  Very versatile
4.  Very simple
5.  Possible work towards 128-bit version that is practical.

The source is on my webpage at http://geocities.com/tomstdenis/

Thanks,
Tom



------------------------------

From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: Recent crypto text
Date: 14 Sep 2000 22:01:17 GMT

Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
> Paul Garrett, "Making, Breaking Codes: An Introduction to Cryptology".

> My copy just arrived and from a quick perusal, e.g.:
> http://www.math.umn.edu/~garrett/crypto/Contents.html
> it seems to be a very comprehensive modern textbook on the subject.

From the table of contents alone, it seems to fill in many of the gaps
(background on probability, for instance) assumed by other books. Also the
coverage of NTRU and Arithmetica will be neat. I'll have to get a copy. Thanks.

Minor nitpick...The table of contents doesn't seem to mention probabilistic
encryption, semantic security or non-malleability or that "sort of
crypto," which seems unfortunate. While some very good online resources for this
exist (e.g. Bellare and Goldwasser's lecture notes), I haven't seen a published
book yet which could be an intro. Goldreich's first book is too short, and the
massive "foundations of cryptography" doesn't seem to be an introduction. 

-David

------------------------------

From: Paul Rubin <[EMAIL PROTECTED]>
Subject: Re: free ssl cert
Date: 14 Sep 2000 15:41:38 -0700

[EMAIL PROTECTED] writes:

> Hi there,
> 
> can anybody tell me how to get a free ssl cert (40 or 128 bit) to test
> web sites? I do not expect anyone to guarantee for my web pages.
> 
> I know the Apache package delivers a cert generation tool but I would
> need it for the Netscape server.

Yes you can make certs with openssl (www.openssl.org) and install them
in your Netscape server.  You can also get a test cert (not signed by
a trusted root and usually with a 2-4 week expiration date) from many
of the commercial CAs, e.g. www.verisign.com, www.thawte.com (now part
of Verisign), or www.equifaxsecure.com.


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
