Cryptography-Digest Digest #947, Volume #12      Tue, 17 Oct 00 23:13:01 EDT

Contents:
  Enigma:  Stolen German Code Machine Turns Up in BBC Mailroom (Anthony Stephen Szopa)
  Re: Smartcard, Mathematical Proof? (Mykhailo Lyubich)
  SDMI Successfully Hacked ("David C. Barber")
  Re: Pegwit group started to make a alternative to PGP based on ECC (Paul Rubin)
  Re: the cipher challenge cracked ... (Paul Rubin)
  How about the ERIKO-CHAN cipher? ([EMAIL PROTECTED])
  Re: "The code book" where ("ajd")
  Re: "The code book" where (Paul Rubin)
  Re: Enigma:  Stolen German Code Machine Turns Up in BBC Mailroom (Mathew Hendry)
  ---- As I study Rinjdael... (Greggy)
  Re: ---- As I study Rinjdael... (Paul Rubin)
  Re: ---- As I study Rinjdael... (David Schwartz)
  Re: How about the ERIKO-CHAN cipher? (wtshaw)
  Re: ---- As I study Rinjdael... (Greggy)
  Re: ---- As I study Rinjdael... (David Blackman)
  Re: FTL Computation ([EMAIL PROTECTED])
  Re: Enigma:  Stolen German Code Machine Turns Up in BBC Mailroom (John Savard)
  Re: Dense feedback polynomials for LFSR (Joaquim Southby)
  Re: ---- As I study Rinjdael... ([EMAIL PROTECTED])
  Re: ---- As I study Rinjdael... (John Savard)
  Re: ---- As I study Rinjdael... (Dido Sevilla)
  Re: ---- As I study Rinjdael... (David Schwartz)
  The Gillogly Papers (JPeschel)

----------------------------------------------------------------------------

From: Anthony Stephen Szopa <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Enigma:  Stolen German Code Machine Turns Up in BBC Mailroom
Date: Tue, 17 Oct 2000 15:19:03 -0700

Stolen German Code Machine Turns Up in BBC Mailroom 

http://ap.tbo.com/ap/breaking/MGA5JU6YFEC.html

------------------------------

From: Mykhailo Lyubich <[EMAIL PROTECTED]>
Subject: Re: Smartcard, Mathematical Proof?
Date: Wed, 18 Oct 2000 00:32:35 +0200
Reply-To: [EMAIL PROTECTED]

David Schwartz wrote:

>
>         Suppose hypothetically that the smart card in S2 made it physically
> impossible to retrieve the key. You could only request that the smart
> card encrypt or sign specific values. In this case, someone who
> compromised the software security of general purpose computer S1 could
> construct a duplicate of it, whereas that would not be possible for S2.
> Perhaps they could dupe S2 into signing/encrypting/decrypting on their
> behalf, but they couldn't construct a duplicate of it.
>
>         DS

I find this kind of reasoning useful in the case of a small specification.
The problem arises when we deal with a big spec where many keys could
be stored inside the card. Do we need something more formal to
atomize the proof process?

--
Mykhailo Lyubich
Dept.of Computer Science    office phone +49-381-4983407
University of Rostock       office fax   +49-381-4983440
Albert Einstein Strasse 21  http://wwwtec.informatik.uni-rostock.de/~ljubich/
D-18051 Rostock, Germany    mailto:[EMAIL PROTECTED]



------------------------------

From: "David C. Barber" <[EMAIL PROTECTED]>
Subject: SDMI Successfully Hacked
Date: Tue, 17 Oct 2000 15:35:07 -0700

http://www.theregister.co.uk/content/1/14057.html




------------------------------

From: Paul Rubin <[EMAIL PROTECTED]>
Subject: Re: Pegwit group started to make a alternative to PGP based on ECC
Date: 17 Oct 2000 15:46:27 -0700

Mike Rosing <[EMAIL PROTECTED]> writes:
> > Actually, nothing stops you from generating El Gamal (or these days
> > even RSA) private keys from a passphrase.  What's nice about ECC is
> > that it's reasonably practical to type *public* keys into a program
> > (example: AF646-BEJTR-BTGAP-7MFPW-GRVYX-RRGQW = 150 bits of info).
> > This is a central feature of the program I've been wanting to write.
> > 
> > It'll be cool if Pegwit can do stuff like this.
> 
> that's the goal.  Creating a DLL from it so it's a portable
> package is also a goal.  We'll get there one step at a time,
> but the more people, the more steps we can take at once :-)

OK.  I don't have much interest in a DLL but want to make a Java
applet that can be put onto web pages to encrypt the contents of web
forms, for use in a webmail application.  I looked at the old Pegwit
for this but it seemed too bloated, and as I remember the choice of
curve was weak.

I'd like to propose that the new Pegwit give up on characteristic 2
and use a curve over GF(p) for some p of about 160 or maybe 165 bits.
That allows writing public keys in the format

   2BJAH-7UKPQ-XXPP5-FBZXT-5W975-HEB62-Q4LAU

which holds 175 bits, allowing specifying a curve point with a few
bits left over for a checksum or some other annotation.  (The encoding
holds 5 bits per character because it uses the letters and digits
excluding I, O, 1, and 0, to avoid typographic confusion).
Implementing GF(p) EC arithmetic using calls to a bignum library
should be much simpler than the GF(2) implementation in the old Pegwit
code, and it probably runs faster in Java than the GF(2) stuff,
because it can use the native java.math.BigInteger class instead of
doing all that bit-twiddling in interpreted code.  I'm not sure how a
speed comparison between fully native implementations would work out,
but I think raw EC speed should not be a primary goal for Pegwit.
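
The typed-key format described above (35 symbols of 5 bits each, 175 bits in total), as an added example that is not part of the original post or of Pegwit. The symbol order, the 161-bit payload (160-bit x coordinate plus one parity bit) and the 14-bit truncated SHA-256 checksum are assumptions; the post fixes only the character set and the 175-bit capacity, and no curve arithmetic is done here.

```python
import hashlib

# Assumed symbol order. The post specifies only the set: letters and digits
# without I, O, 1 and 0, which leaves 32 symbols, i.e. 5 bits per character.
ALPHABET = "23456789ABCDEFGHJKLMNPQRSTUVWXYZ"
INDEX = {c: i for i, c in enumerate(ALPHABET)}
GROUPS, GROUP_LEN = 7, 5
TOTAL_BITS = GROUPS * GROUP_LEN * 5      # 175 bits, as stated in the post
PAYLOAD_BITS = 161                       # assumed: 160-bit x plus 1 parity bit
CHECK_BITS = TOTAL_BITS - PAYLOAD_BITS   # 14 bits "left over for a checksum"


def to_text(value):
    """Render a 175-bit integer as seven dash-separated groups of five."""
    if not 0 <= value < 1 << TOTAL_BITS:
        raise ValueError("value does not fit in 175 bits")
    n = GROUPS * GROUP_LEN
    chars = [ALPHABET[(value >> 5 * (n - 1 - i)) & 31] for i in range(n)]
    return "-".join("".join(chars[i:i + GROUP_LEN]) for i in range(0, n, GROUP_LEN))


def from_text(text):
    """Parse typed input: case-insensitive, dashes and spaces ignored."""
    cleaned = [c for c in text.upper() if c not in "- \t"]
    if len(cleaned) != GROUPS * GROUP_LEN:
        raise ValueError("expected 35 symbols")
    value = 0
    for c in cleaned:
        if c not in INDEX:
            raise ValueError(f"symbol {c!r} is not in the alphabet")
        value = (value << 5) | INDEX[c]
    return value


def checksum(payload):
    """Assumed checksum: the top 14 bits of SHA-256 over the payload bytes."""
    digest = hashlib.sha256(payload.to_bytes(21, "big")).digest()
    return int.from_bytes(digest[:2], "big") >> (16 - CHECK_BITS)


def encode_key(x, y_parity):
    """Pack a compressed point (x, parity of y) plus checksum into key text."""
    if not 0 <= x < 1 << 160 or y_parity not in (0, 1):
        raise ValueError("x must fit in 160 bits and y_parity must be 0 or 1")
    payload = (x << 1) | y_parity
    return to_text((payload << CHECK_BITS) | checksum(payload))


def decode_key(text):
    """Return (x, y_parity), rejecting text whose checksum does not match."""
    value = from_text(text)
    payload, check = value >> CHECK_BITS, value & ((1 << CHECK_BITS) - 1)
    if checksum(payload) != check:
        raise ValueError("checksum mismatch: the key was probably mistyped")
    return payload >> 1, payload & 1
```

A 14-bit checksum lets a random typing error slip through with probability about 1 in 16384; it guards against mistakes, not against deliberate substitution of a key.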

------------------------------

From: Paul Rubin <[EMAIL PROTECTED]>
Subject: Re: the cipher challenge cracked ...
Date: 17 Oct 2000 15:50:08 -0700

Sundial Services <[EMAIL PROTECTED]> writes:
> It's also quite revealing that the DES portion of the cipher was solved
> in eight hours, "by throwing a computer at it."

The DES portion included 8 bits of the key as a starting point,
so there were only 48 bits of keyspace to search through.  According
to Jim Gillogly's essay, this took 80 minutes on half of Deep Crack.

------------------------------

From: [EMAIL PROTECTED]
Subject: How about the ERIKO-CHAN cipher?
Date: Tue, 17 Oct 2000 22:41:13 GMT

The ERIKO-CHAN cipher is a private-key cipher.

You use the following table to encode a message:

  0 1 2 3 4 5
-+-----------
0|A B C D E F
1|G H I J K L
2|M N O P Q R
3|S T U V W X
4|Y Z 0 1 2 3
5|4 5 6 7 8 9

Then you take your key, a 20-digit (or longer) integer, take its square
root, and starting at the decimal point, you take every digit less than
6 until you have as many digits as are in your message. Then you
modulo-6-add this to the digits of your message.

Could the NSA crack this? Of course, with each message the key must be
different.

A variation which does not have the "different key each time" weakness
is to start your message with a 20-digit number which is to be added to
the key before the square root is taken. But I don't have good feelings
about it. Unless you send the key *in* code, followed by the message.


Sent via Deja.com http://www.deja.com/
Before you buy.
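
The cipher as described in the post above, written out as an added example that is not the poster's own code. It also shows two properties relevant to the questions the post raises: a perfect-square key produces an all-zero keystream, and two messages sent under one key leak the difference of their plaintexts. The keys and messages are constructed samples, and returning ciphertext as a list of digits is an assumption.

```python
from math import isqrt

TABLE = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"  # the post's 6x6 square, row by row


def to_digits(text):
    """Replace each symbol by its (row, column) pair; every digit is 0..5."""
    digits = []
    for ch in text.upper():
        digits.extend(divmod(TABLE.index(ch), 6))   # ValueError if not in table
    return digits


def from_digits(digits):
    """Inverse of to_digits: read the digits back as (row, column) pairs."""
    return "".join(TABLE[6 * r + c] for r, c in zip(digits[0::2], digits[1::2]))


def keystream(key, n):
    """First n digits below 6 after the decimal point of sqrt(key)."""
    places = 2 * n + 8
    while True:
        # isqrt(key * 10^(2p)) equals floor(sqrt(key) * 10^p): exact, no floats
        frac = str(isqrt(key * 10 ** (2 * places)) % 10 ** places).zfill(places)
        picked = [int(d) for d in frac if d < "6"]
        if len(picked) >= n:
            return picked[:n]
        places *= 2                                  # not enough digits yet


def encrypt(key, message):
    """Modulo-6 add the keystream to the message digits."""
    p = to_digits(message)
    return [(a + k) % 6 for a, k in zip(p, keystream(key, len(p)))]


def decrypt(key, cipher_digits):
    """Modulo-6 subtract the keystream and map the digits back to symbols."""
    k = keystream(key, len(cipher_digits))
    return from_digits([(c - s) % 6 for c, s in zip(cipher_digits, k)])


def digit_difference(a, b):
    return [(x - y) % 6 for x, y in zip(a, b)]


def weak_key_demo():
    """A perfect-square key has an all-zero fraction, so nothing is hidden."""
    key = 5_000_000_000 ** 2                         # constructed 20-digit key
    return from_digits(encrypt(key, "MEETATNOON"))


def reuse_demo(key):
    """Two messages under one key: the keystream cancels out of c1 - c2."""
    m1, m2 = "MEETATNOON", "CANCELPLAN"              # constructed messages
    c1, c2 = encrypt(key, m1), encrypt(key, m2)
    return digit_difference(c1, c2) == digit_difference(to_digits(m1), to_digits(m2))
```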

------------------------------

From: "ajd" <[EMAIL PROTECTED]>
Subject: Re: "The code book" where
Date: Tue, 17 Oct 2000 15:42:09 +0100


I don't think Simon Singh would like it if you start downloading his books
for free. Anyway, I think all the code puzzles at the back have been
cracked and someone has won the top prize (I may be wrong).

I got my copy from a shop, I just picked it up, paid for it, and they let me
take it home IMMEDIATELY! cool eh?

ajd


<[EMAIL PROTECTED]> wrote in message
news:8shkn7$i47$[EMAIL PROTECTED]...
> Hey
>
> I have just ordered "The code book" but I have to wait 3-4 weeks before
> I can get it. Does somebody know where I can download a PDF of it,
> because I would like to spend some time with breaking the codes?
>
> Best reg.
> Nenad
> [EMAIL PROTECTED]
>
>
> Sent via Deja.com http://www.deja.com/
> Before you buy.



------------------------------

From: Paul Rubin <[EMAIL PROTECTED]>
Subject: Re: "The code book" where
Date: 17 Oct 2000 17:22:04 -0700

[EMAIL PROTECTED] writes:
> 
> I have just ordered "The code book" but I have to wait 3-4 weeks before
> I can get it. Does somebody know where I can download a PDF of it,
> because I would like to spend some time with breaking the codes?

I'm guessing you're posting from Central Europe.  You can probably
order the book from www.amazon.de and have it within a few days.

------------------------------

From: Mathew Hendry <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: Enigma:  Stolen German Code Machine Turns Up in BBC Mailroom
Date: Wed, 18 Oct 2000 01:25:23 +0100

On Tue, 17 Oct 2000 15:19:03 -0700, Anthony Stephen Szopa <[EMAIL PROTECTED]>
wrote:

>Stolen German Code Machine Turns Up in BBC Mailroom 
>
>http://ap.tbo.com/ap/breaking/MGA5JU6YFEC.html

Or from the horse's mouth

  http://news.bbc.co.uk/hi/english/uk/newsid_977000/977127.stm

Three of the four rotors are missing. (Why steal only those?)

-- Mat.


------------------------------

From: Greggy <[EMAIL PROTECTED]>
Subject: ---- As I study Rinjdael...
Date: Wed, 18 Oct 2000 00:22:46 GMT

As I study Rijndael, I am constantly haunted by the question I hope
someone can answer:

If Rijndael is so strong, why does the US government choose NOT to use
it for ANY (not all) classified information?

--
I would prefer to live in a free society than
a drug free society - even if the latter could
actually be achieved.



------------------------------

From: Paul Rubin <[EMAIL PROTECTED]>
Subject: Re: ---- As I study Rinjdael...
Date: 17 Oct 2000 17:33:19 -0700

Greggy <[EMAIL PROTECTED]> writes:
> If Rijndael is so strong, why does the US government choose NOT to use
> it for ANY (not all) classified information?

What makes you think they don't?  I don't think they'd tell you if they did.

------------------------------

From: David Schwartz <[EMAIL PROTECTED]>
Subject: Re: ---- As I study Rinjdael...
Date: Tue, 17 Oct 2000 17:32:55 -0700


Greggy wrote:
> 
> As I study Rijndael, I am constantly haunted by the question I hope
> someone can answer:
> 
> If Rijndael is so strong, why does the US government choose NOT to use
> it for ANY (not all) classified information?

        If that's true, it would be because the US government uses a special
process to create algorithms for the encryption of classified data and
Rijndael did not arise from that process. However, as far as I know,
it's not publicly known which algorithms are or aren't used for any
classified information, so it's possible the US government might
already be using it for some classified information.

        DS

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: How about the ERIKO-CHAN cipher?
Date: Tue, 17 Oct 2000 18:41:47 -0600

In article <8siki7$g2d$[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:

> The ERIKO-CHAN cipher is a private-key cipher.
> 
....
> Of course, with each message the key must be
> different.

This is also a basic weakness of DES/AES
> 
> A variation which does not have the "different key each time" weakness
> is to start your message with a 20-digit number which is to be added to
> the key before the square root is taken. 

Patches are best worn by pirates.

> But I don't have good feelings
> about it. Unless you send the key *in* code, followed by the message.
> 
Any queasy feelings are justified. There should be little honor in speaking
of good or best encryption when defects in design are obvious, but so
many have been taught to undershoot perfection.
-- 
Production technology goes wrong when the producers do not 
understand the users. --Patrick Whitney

------------------------------

From: Greggy <[EMAIL PROTECTED]>
Subject: Re: ---- As I study Rinjdael...
Date: Wed, 18 Oct 2000 01:32:38 GMT

In article <[EMAIL PROTECTED]>,
  David Schwartz <[EMAIL PROTECTED]> wrote:
>
> Greggy wrote:
> >
> > As I study Rijndael, I am constantly haunted by the question I hope
> > someone can answer:
> >
> > If Rijndael is so strong, why does the US government choose NOT to use
> > it for ANY (not all) classified information?
>
>       If that's true, it would be because the US government uses a special
> process to create algorithms for the encryption of classified data and
> Rijndael did not arise from that process. However, as far as I know,
> it's not publicly known which algorithms are or aren't used for any
> classified information, so it's possible the US government might
> already be using it for some classified information.
>
>       DS
>

I was under the impression they had stipulated somewhere at some time
that they would never use AES for classified data.


--
I would prefer to live in a free society than
a drug free society - even if the latter could
actually be achieved.



------------------------------

From: David Blackman <[EMAIL PROTECTED]>
Subject: Re: ---- As I study Rinjdael...
Date: Wed, 18 Oct 2000 13:02:06 +1100

Greggy wrote:
> 
> As I study Rijndael, I am constantly haunted by the question I hope
> someone can answer:
> 
> If Rijndael is so strong, why does the US government choose NOT to use
> it for ANY (not all) classified information?

This has been discussed here before. Basically, NIST (will probably)
approve Rijndael for sensitive but unclassified US government use. It is
not NIST's job to say what should be used for classified information.
Rijndael might be used for that too. Or it might not. Unless you have a
US government security clearance, you'll probably never find out.

------------------------------

Date: Tue, 17 Oct 2000 22:03:43 -0700
From: [EMAIL PROTECTED]
Crossposted-To: sci.astro,sci.physics.relativity,sci.math
Subject: Re: FTL Computation

ca314159 wrote:
> 
>    You haven't defined information yet.
> 

See the post you're responding to.  It's a stream of
bits being sent from one point to another point.  Not
a spatially separated set of receiver points.

>    Consider how QM uses virtual wavefunctions and
>    how I/O causes their unusual properties to collapse.
> 
>    Wavefunctions are a 'cheat' just like FTL computation.
>    They do interesting things as long as you don't
>    look at or measure or  communicate between them (decohere).
> 

Then how do you do the computation?  Does QM violate
FTL communication?  Not that I've heard.

>    In the olympics, does the high-jumper jump the height
>    if his or her center of mass never goes over the bar ?
>    A virtual cheat has its uses.
> 

A silly analogy doesn't help here.

>    In an earlier thread I gave you a link to a specific use
>    for the lighthouse effect. Do you remember ?
> 

No I don't remember it, because I didn't read it, because
you don't know what you're talking about.

John Anderson

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Crossposted-To: talk.politics.crypto
Subject: Re: Enigma:  Stolen German Code Machine Turns Up in BBC Mailroom
Date: Wed, 18 Oct 2000 02:01:51 GMT

On Wed, 18 Oct 2000 01:25:23 +0100, Mathew Hendry
<[EMAIL PROTECTED]> wrote, in part:

>Three of the four rotors are missing. (Why steal only those?)

Maybe the thief just had trouble cleaning his prints off of them?

Or - since an early British newspaper article claimed that there were
suspicions one disgruntled member of a dissident faction among the
staff at Bletchley had engineered the theft to discredit the current
management - perhaps the rotors will be delivered, one each, to other
media outlets for maximum publicity.

There's even the chance that removing the rotors reduced the Enigma's
weight enough to make returning it in secret somehow easier - either
by making it easier to carry, or because the thief was afraid postal
authorities had been given its weight to watch for it with.

John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: Joaquim Southby <[EMAIL PROTECTED]>
Subject: Re: Dense feedback polynomials for LFSR
Date: 18 Oct 2000 02:16:05 GMT

In article <8sg0h7$a1b$[EMAIL PROTECTED]> Tim Tyler, [EMAIL PROTECTED] writes:
>The question then becomes: how do you have the faintest idea what the
>period of the LFSR is without looking at the corresponding polynomial's
>properties, and checking to see whether it is primitive.
>
>Without performing such a procedure, I don't see how you can claim that
>99% of the state space is covered from a given position - unless you
>perform an exhaustive search - something which becomes impractical as
>the size of the register grows.
>

One of the most straightforward ways of checking to see if a polynomial
is primitive is to use it as the tap sequence of an LFSR, plug in an init
vector, and start clocking.  If one were to note not only the primitive
polynomials (i.e., those that made it to 2^n - 1 clocks before repeating
the init vector), but also those that happened to show a large state
space for that init vector (i.e., a large number of clocks before
repeating the init vector), a library of such sub-maximal LFSR's could be
built.  This process sometimes turns a failure (darn! that polynomial
wasn't primitive) into a near-success (hey, at least I got one honkin'
big state space to play with).

With a maximal-length LFSR, the key is any number between zero and 2^n. 
Advantage: very easy to choose a suitable key.  With a sub-maximal LFSR,
the known init vector is seeded to the LFSR, then the LFSR is clocked a
number of times equal to the key value before using the stream output. 
Advantage: key can be larger than 2^n since the clock count will
effectively be the key moduloed by the size of the state space.
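
The clock-and-count check described in the post above, as an added example that is not the poster's code. It uses a right-shifting Galois LFSR whose tap mask has bit i set for the term x^(i+1) of the feedback polynomial (an assumed convention), and the 4-bit masks are constructed samples. It also shows that the cycle length of a non-primitive polynomial can depend on the init vector, and that a key used as a clock count is equivalent to that key reduced modulo the cycle length.

```python
def step(state, mask):
    """One clock of a right-shifting Galois LFSR."""
    lsb = state & 1
    state >>= 1
    return state ^ mask if lsb else state


def cycle_length(mask, n, init):
    """Clock from init until init recurs and return the number of clocks."""
    if not 0 < init < 1 << n:
        raise ValueError("init vector must be a non-zero n-bit value")
    if mask >> (n - 1) != 1:
        # Without the top tap the update is not invertible, so init might
        # never recur and the loop below would not terminate.
        raise ValueError("mask must be n bits wide with the top tap set")
    state, clocks = step(init, mask), 1
    while state != init:
        state, clocks = step(state, mask), clocks + 1
    return clocks


def is_maximal(mask, n):
    """True when the register visits all 2^n - 1 non-zero states."""
    return cycle_length(mask, n, 1) == (1 << n) - 1


def submaximal_library(n, init, min_share):
    """Non-maximal masks whose cycle from init covers at least min_share
    of the non-zero states, mapped to that cycle length."""
    total = (1 << n) - 1
    found = {}
    for mask in range(1 << (n - 1), 1 << n):
        length = cycle_length(mask, n, init)
        if length != total and length / total >= min_share:
            found[mask] = length
    return found


def keyed_state(mask, n, init, key):
    """Start state for a sub-maximal register: clock init 'key' times.
    Only key modulo the cycle length matters, so such keys are equivalent."""
    state = init
    for _ in range(key % cycle_length(mask, n, init)):
        state = step(state, mask)
    return state
```

The exhaustive count costs up to 2^n clocks per mask, which is the scaling limit raised in the quoted question.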

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: ---- As I study Rinjdael...
Date: Wed, 18 Oct 2000 02:14:36 GMT

David Blackman <[EMAIL PROTECTED]> wrote:
> This has been discussed here before. Basically, NIST (will probably)
> approve Rijndael for sensitive but unclassified US government use. It is
> not NIST's job to say what should be used for classified information.
> Rijndael might be used for that too. Or it might not. Unless you have a
> US government security clearance, you'll probably never find out.

Given that the five finalists were of comparable strength, it's a safe
bet that creating a cipher as strong as Rijndael is feasible for a
skilled group of cryptographers. Since the NSA presumably has a
skilled group of cryptographers, they can more likely than not design
a cipher as secure as Rijndael in house.

That narrows the choice to a) use Rijndael, and provide adversaries
with complete documentation of the algorithm, and test vectors. Or b)
use an equally strong system and make adversaries guess the algorithm.

-- 
Matt Gauthier <[EMAIL PROTECTED]>

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: ---- As I study Rinjdael...
Date: Wed, 18 Oct 2000 02:17:42 GMT

On Wed, 18 Oct 2000 00:22:46 GMT, Greggy <[EMAIL PROTECTED]>
wrote, in part:

>If Rijndael is so strong, why does the US government choose NOT to use
>it for ANY (not all) classified information?

Considering they already have secret algorithms that are just as
strong, why make it easy for someone to eventually build a brute-force
cracker?

Maybe it does have weaknesses, but just how strong a cipher needs to
be for the NSA to be happy with it - just how strong a cipher needs to
be before the NSA can no longer crack it - is, naturally, one of their
deepest secrets.

The U.S. government probably doesn't use Blowfish to protect any
classified information either, but there's *nothing* wrong with it -
unless you use one key for so long that a codebook attack becomes
possible.

Based on general principles applicable to more conventional block
ciphers, I have recommended key sizes of 224 and 352 bits for Rijndael
with the 128 bit block size for those who wish to use Rijndael, but
are somewhat anxious about its security. However, Rijndael's S-Box
does have excellent qualities.

Alternating rounds of Rijndael and SAFER+, if there are no patent
obstacles to doing so, allows one to obtain a cipher that is fast in
software, but which has a structure nonuniform enough to resist
attacks well. (The rounds of SAFER+ should, however, be stacked in an
EDED arrangement: that is, if one uses Rijndael with 10 rounds,
arrange the rounds like this: RERERDRDRERERDRDRR.)

But Rijndael was chosen primarily for its speed, so there is also the
option of choosing one of the available ciphers from among the other
finalists, such as Twofish, SERPENT, or, now, MARS as well.

John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: Dido Sevilla <[EMAIL PROTECTED]>
Subject: Re: ---- As I study Rinjdael...
Date: Wed, 18 Oct 2000 10:20:11 +0800

Greggy wrote:
> 
> As I study Rijndael, I am constantly haunted by the question I hope
> someone can answer:
> 
> If Rijndael is so strong, why does the US government choose NOT to use
> it for ANY (not all) classified information?
> 

Well, we're in something of a gray area here, that comes deep into the
process of political doublethink.  Well, the same situation applied to
DES, but we've had reports on this newsgroup that the US government
actually *did* use DES to encrypt certain sorts of classified data. 
Maybe government thinkers think that simply saying that an algorithm is
classified makes it different from the same algorithm that says on the
box that it is not a classified algorithm...?

--
Rafael R. Sevilla <[EMAIL PROTECTED]>         +63 (2)   4342217
ICSM-F Development Team, UP Diliman             +63 (917) 4458925
OpenPGP Key ID: 0x0E8CE481

------------------------------

From: David Schwartz <[EMAIL PROTECTED]>
Subject: Re: ---- As I study Rinjdael...
Date: Tue, 17 Oct 2000 19:48:52 -0700


Greggy wrote:

> I was under the impression they had stipulated somewhere at some time
> that they would never use AES for classified data.

        If they did, it was probably before Rijndael was selected to be the
AES, so it certainly wouldn't be a specific comment about that
algorithm. It would be about the difference of process. I don't think
our government is willing to protect its classified data with an
algorithm it didn't develop through a process specifically designed to
produce an algorithm suitable for protecting classified data.

        In any event, the requirements are different.

        DS

------------------------------

From: [EMAIL PROTECTED] (JPeschel)
Date: 18 Oct 2000 03:07:07 GMT
Subject: The Gillogly Papers

I've just added three papers by my friend 
Jim Gillogly to my web site: "The Beale 
Cipher: A Dissenting Opinion," "Breaking 
An Eighteenth Century Shorthand System,"
and "Cryptograms From The Crypt," written
with Larry Harnisch. 

All of these originally appeared in 
Cryptologia. You'll find them
in the "Historical" section, under "Other
Papers by Jim Gillogly."

I'll soon be adding a new essay by friend
Casimir, too.

Joe
__________________________________________

Joe Peschel 
D.O.E. SysWorks                                 
http://members.aol.com/jpeschel/index.htm
__________________________________________


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
