Cryptography-Digest Digest #269, Volume #13       Mon, 4 Dec 00 13:13:01 EST

Contents:
  Re: On mutation of crypto algorithms (Mok-Kong Shen)
  Re: Crypto Proceedings (Mok-Kong Shen)
  Re: CanCrypt: Canadian cryptographic resources (Mok-Kong Shen)
  Re: Q: Discrete transforms in practice (Mok-Kong Shen)
  Re: Q: Discrete transforms in practice (Mok-Kong Shen)
  Re: Revised cipher (Mok-Kong Shen)
  Re: keysize for equivalent security for symmetric and asymmetric keys (DJohn37050)
  Re: Using raw RSA? (Paul Schlyter)
  Re: keysize for equivalent security for symmetric and asymmetric keys (DJohn37050)
  Re: hardware RNG's (John Myre)
  Re: hardware RNG's (John Myre)
  Re: keysize for equivalent security for symmetric and asymmetric keys (DJohn37050)
  Re: keysize for equivalent security for symmetric and asymmetric keys (Roger Schlafly)
  Re: RC4 or Rijndael ("Julian Morrison")
  Logic of authentication (Erik-Oliver Blass)
  Re: Crypto Proceedings (Ichinin)

----------------------------------------------------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: On mutation of crypto algorithms
Date: Mon, 04 Dec 2000 17:11:14 +0100



Tom St Denis wrote:
>   Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> > Tom St Denis wrote:
> > >   Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> > > > Tom St Denis wrote:
> > > > >   [EMAIL PROTECTED] wrote
> > > > > >
> > > > > > The Rijndael state doesn't have to be square. Either a 2x4
> array
> > > > > > (Nb = 2, word size 4 bytes, and shift offsets C1 = 1, C2 = 0,
> C3
> > > = 1,
> > > > > > for example) or a 4x2 array (Nb = 4, word size 2 bytes, C1 =
> 1)
> > > appear
> > > > > > to work.
> > > > >
> > > > > Wouldn't it have to be a 4x2 to work?  The C(x) column
> transform is
> > > a
> > > > > 4x4 MDS is it not?
> > > >
> > > > But you can use a 2*2 matrix. (On scaling-down, one normally
> > > > has to twist a little bit.)
> > >
> > > You can't perform the C(x) on a 2x2, only on a 4x1.  Otherwise it is
> > > NOT rijndael.
> >
> > If you want to talk rigorously, then ANY modification to
> > what is described in Rijndael is NOT Rijndael. You can
> > define an analogous 2*2 matrix to do the column combination,
> > can't you?
> 
> My math skills are that of a high school student, but I am not aware of
> being able to turn a 4x4 matrix into an equivalent 2x2 matrix.  The c
> (x) transform is really a 4x4 matrix multiplied by a 4x1.  That is why
> modifications to Rijndael modify the number of columns not rows.  If
> you make rijndael use 4x2 blocks it should work compared to 2x4 blocks.
> 

In scaling-down, one's goal is only having something very
similar. One certainly can't have everything the SAME, or
else one would remain at the original. The MixColumn matrix
is actually a very special Hill matrix (in a Galois field).
You can look at its nature and define one of 2*2 that is 
rather similar, keeping so to say the 'spirit' of the 
original. That's the best one can do and expect and with all 
these small twists (we have changed also the ShiftRow, haven't 
we?) we can at least get a reasonable scaled-down version 
to carry out our investigation. This is a practical 
consideration, limited by natural constraints. Engineers 
and architects also build models that are smaller than 
the prototypes. It is by definition impossible to have 
everything exactly the SAME in the models as in the 
prototypes, only some 'approximations' and 'similarities'. 
One has naturally to accept certain compromises. (Or else 
why do we scale down in the first place?)

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Crypto Proceedings
Date: Mon, 04 Dec 2000 17:11:44 +0100



"M.S. Bob" wrote:
> 
> Mark Harrop wrote:
> >
> > Does anyone know of an ONLINE source of the CRYPTO PROCEEDINGS from as far
> > back as possible ?
> >
> > Also, are they still being held, and do they have a web site ?
> 
> There are two sources likely to be of interest:
> 
> Advances in Cryptology, 1981-1997 : Electronic Proceedings and Index
> of the Crypto and Eurocrypt Conferences 1981-1997 (Lecture Notes in
> Computer science)
> by Kevin S. McCurley (Editor), Claus Dieter Ziegler (Editor)
> Paperback Bk & CD-ROM edition June 1999
> Springer Verlag; ISBN: 3540650695
> (approx. $99.00 US)
> 
> Or actually online:
> link.springer.de or link.springer-ny.com
> but access is not free or AFAIK cheap.
> 
> Also see eprint.iacr.org for a recent archive.

However the cited Springer stuff doesn't give the actual texts
of the papers, which the original poster seems to demand.

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: CanCrypt: Canadian cryptographic resources
Date: Mon, 04 Dec 2000 17:12:05 +0100



"M.S. Bob" wrote:
> 
> I have been updating CanCrypt, a directory of Canadian cryptographic
> resources. It is intended to be a clearing house of Canadian related
> cryptographic resources.
> 
> Canada is very crypto-friendly compared to both the USA (re: export) and
> UK (re: RIP).
> 
> http://www.privacy.nb.ca/cancrypt/

I believe that the many organizations for freedom of information
privacy like EFF etc. as well as a number of internet groups
and mailing lists have very essentially contributed to 
withstanding the wavefront of stringent crypto controls of 
certain governments and the eventual development of hegemonial 
crypto powers. (Many years ago, as I was doing computations 
under a certain operating system, the command 'crypt' was not 
available, being deleted by the manufacturer in deliveries 
to crypto-second-class nations.)

If a person in some of the countries with severe crypto laws 
and regulations today downloads AES from the standard location 
onto his laptop and goes abroad with it, what kind of punishment
is he risking? Could someone knowledgeable in the matter 
tell exactly? Thanks.

M. K. Shen
================================
http://home.t-online.de/mok-kong.shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Q: Discrete transforms in practice
Date: Mon, 04 Dec 2000 17:11:25 +0100



Tom St Denis wrote:
> 
> In article <[EMAIL PROTECTED]>,
>   Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> >
> >
> > Tom St Denis wrote:
> > >
> > >   Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> > > >
> > > > I like very much to know whether, which kinds of, and to
> > > > what extent and success, if any, discrete transforms (other
> > > > than PHT used in some algorithms) have occurred in actual
> > > > practical applications. Thanks in advance.
> > >
> > > Things like the DFT and DCT are not normally "invertible" in
> practice.
> > > The Fast Fourier Transform is used in numerous designs such as the
> CS-
> > > Cipher and FFT-HASH (and TC2 out of my personal collection).
> >
> > The invertibility can be assured with sufficient
> > computational precision, I suppose. The Hadamard transform
> > is in any case invertible with ease. (BTW, what I mean is
> > transformations applied to a larger group of bits, not like
> > locally in a block encryption algorithm.)
> 
> I fail to see the distinction between "group of bits" and "local group
> of bits".  If your algorithm works on n-bits of data p-bits at a time
> it's still a n-bit cipher not a p-bit one.
> 
> Also transforms such as the DCT/DFT are often lossy because you would
> require infinite bits of precision otherwise...

What I know till now of applications of discrete transforms 
is that PHT has been employed in some block ciphers. As is 
commonly the case, these transforms are only applied to a 
small number of bits (i.e. within the block). I would like to know
(because I am curious about the issue) whether in actual 
practice people have tried to apply discrete transforms to 
a larger number of groups, perhaps to 20 blocks or even the
entire message, as an independent processing step.

One doesn't need 'infinite' bits for DFT. One certainly
needs flexible software to provide arbitrarily high
precision for being able to transform sequences of
arbitrary length. Once the precision is high enough such
that the inverse transform, after rounding, gives the 
original bit sequence, that will be o.k. This I think is 
clear, though I don't know how the situation really is in 
practice, i.e. whether the needed precision, though finite, 
is too large to be affordable economically. The Hadamard 
transform is anyway without rounding errors and thus 
without the problem of precision. But that doesn't 
automatically mean it is good for practical use. That's 
why I posted the article to ask people questions.

M. K. Shen
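The two claims in the message above (the Hadamard transform is exact, the DFT round-trips a bit sequence once the precision is high enough that rounding recovers it) can be checked directly. The block below is an added example, not code from the original posts: an integer fast Walsh-Hadamard transform with its exact inverse, a naive double-precision DFT with a rounded inverse, and a constructed 64-bit sample input. The sample bytes and the helper names are assumptions made for the example.

```python
# Exact Walsh-Hadamard transform versus floating-point DFT round trip on a bit
# sequence.  Added example for the thread above; not code from the original posts.
import cmath


def fwht(seq):
    """Fast Walsh-Hadamard transform over the integers (length a power of two).
    Only additions and subtractions occur, so the result is exact."""
    a = list(seq)
    n = len(a)
    if n == 0 or n & (n - 1):
        raise ValueError("length must be a power of two")
    h = 1
    while h < n:
        for start in range(0, n, 2 * h):
            for j in range(start, start + h):
                x, y = a[j], a[j + h]
                a[j], a[j + h] = x + y, x - y
        h *= 2
    return a


def inverse_fwht(coeffs):
    """H*H = n*I, so applying fwht again and dividing by n inverts it exactly."""
    n = len(coeffs)
    back = fwht(coeffs)
    if any(v % n for v in back):
        raise ValueError("input is not the Hadamard transform of an integer sequence")
    return [v // n for v in back]


def dft(seq):
    """Naive discrete Fourier transform in double precision (O(n^2), fine for a demo)."""
    n = len(seq)
    return [sum(seq[t] * cmath.exp(-2j * cmath.pi * k * t / n) for t in range(n))
            for k in range(n)]


def inverse_dft_rounded(coeffs):
    """Inverse DFT, then round each value back to an integer.
    Returns (rounded sequence, largest rounding error seen)."""
    n = len(coeffs)
    back = [sum(coeffs[k] * cmath.exp(2j * cmath.pi * k * t / n) for k in range(n)) / n
            for t in range(n)]
    rounded = [round(z.real) for z in back]
    error = max(abs(z - r) for z, r in zip(back, rounded))
    return rounded, error


def bits_of(data: bytes):
    """Unpack bytes into a list of 0/1 integers, most significant bit first."""
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


# Constructed sample input: 8 bytes = 64 bits, a power-of-two length.
SAMPLE_BITS = bits_of(b"AES-2000")


def hadamard_roundtrip(bits):
    """True when the exact integer inverse reproduces the input bit for bit."""
    return inverse_fwht(fwht(bits)) == list(bits)


def dft_roundtrip(bits):
    """(True/False, max rounding error) for the floating-point DFT round trip."""
    rounded, error = inverse_dft_rounded(dft(bits))
    return rounded == list(bits), error


if __name__ == "__main__":
    print("Hadamard exact round trip:", hadamard_roundtrip(SAMPLE_BITS))
    ok, err = dft_roundtrip(SAMPLE_BITS)
    print("DFT round trip after rounding:", ok, "max error", err)
```

For 64 bits in double precision the DFT error is many orders of magnitude below the 0.5 rounding threshold, so the bits come back intact; the precision question in the message only bites as the sequence length grows and the float error accumulates, whereas the Hadamard path has no rounding step at all.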

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Q: Discrete transforms in practice
Date: Mon, 04 Dec 2000 17:11:34 +0100



Matt Timmermans wrote:
> 

> FFT?  My DCT was invertible on unbounded coefficients, and it would be easy
> enough to do the same thing for FFT, but NTT is the only similar thing I
> know of that's invertible on bounded information sets.

I don't have your experience but from general knowledge of
numerical computations the finite precision of computers 
must, beginning at a certain extent (size of problem etc.), 
be an issue, if there is rounding in the computations at 
all. So I guess your claim that discrete Fourier transforms 
are always invertible has to be qualified, unless 
you use a package with arbitrarily large precision to 
adapt to the actual need of the sequences being processed.

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Revised cipher
Date: Mon, 04 Dec 2000 17:11:58 +0100



Benjamin Goldberg wrote:
> 
> Mok-Kong Shen wrote:
> >
> > It is in my view extremely remarkable that the authors
> > of Rijndael have succeeded to realize a fairly simple and
> > very strong block cipher. (Of the four components in its
> > rounds, three are key-independent and 'clean', while the
> > remaining one is simply an addition of the round key.)
> 
> What do you mean 'clean'?  While I'll admit that I think that the
> RowShift is simple, as is the ByteSub step, I don't think that the
> ColMix is simple at all.

By 'clean' I mean it doesn't have things like DES, where
one doesn't clearly know where the S-boxes come from (the
issue of possible backdoor). MixColumn uses a Hill matrix 
(applied in Galois field) of a very special (in my opinion
simple) form.

> 
> > Independent of Rijndael's status as the future standard of
> > encryption, this fact inevitably means an essential barrier
> > to users' acceptance of alternative future algorithms. For
> > they would ask themselves: Why complicated, if simple
> > stuffs will do? (I subjectively consider your use of LFSR
> > to be not simple.)
> 
> Although my *explanation* of how I use the LFSR is [overly?]
> complicated, what I actually do is not.  There is probably a way of
> saying it more simply than I did.
> 
> Hmm.  For each of the 8 rows (which are 16 bits each), raise it to the
> power of 32, under GF(2**16), with a different poly for each row?
> 
> How about: For each of the 8 rows, replace it with x**32 * p, where p is
> a different order-16 poly for each row?
> 
> Or even more simple:  Do a linear transformation on each rows.  Can't
> state anything simpler than that.
> 
> I'd like to see you describe the MixColumn operation of AES in so simple
> a manner.

You have to derive a number of polynomials. This (in my
subjective view) is more complicated than setting up a
Hill matrix (the general requirement is only that the 
matrix be invertible).

M. K. Shen
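Both of Mok-Kong Shen's MixColumn remarks in this digest (the 2*2 scaled-down analogue in the "mutation" thread, and here that a Hill matrix only has to be invertible) can be made concrete. The block below is an added example, not code from the original posts or from the Rijndael submission: arithmetic in GF(2^8) with Rijndael's reduction polynomial, the published MixColumn matrix and its inverse, a Gauss-Jordan invertibility test over the field, and a constructed 2x2 analogue built from rotations of (2, 3). The 2x2 matrix and all function names are assumptions made for the example.

```python
# Rijndael's MixColumn as a Hill matrix over GF(2^8), a 2x2 scaled-down analogue,
# and the general invertibility test for such a matrix.  Added example for the
# two MixColumn threads above; not code from the original posts.

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, Rijndael's reduction polynomial


def gf_mul(a, b):
    """Multiply two field elements (bytes) in GF(2^8) modulo AES_POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r


def gf_inv(a):
    """Multiplicative inverse of a non-zero element, as a^254 by repeated squaring."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    result, power = 1, a
    for _ in range(7):          # a^2 * a^4 * ... * a^128 = a^254
        power = gf_mul(power, power)
        result = gf_mul(result, power)
    return result


def mat_vec(matrix, column):
    """Hill-cipher style product: matrix times column, with XOR as addition."""
    out = []
    for row in matrix:
        acc = 0
        for m, c in zip(row, column):
            acc ^= gf_mul(m, c)
        out.append(acc)
    return out


def mat_inverse(matrix):
    """Gauss-Jordan elimination over GF(2^8).  Returns the inverse matrix, or None
    when the matrix is singular; invertibility is the one requirement a Hill
    matrix has to meet."""
    n = len(matrix)
    aug = [list(row) + [int(i == j) for j in range(n)] for i, row in enumerate(matrix)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col]), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        scale = gf_inv(aug[col][col])
        aug[col] = [gf_mul(scale, x) for x in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [x ^ gf_mul(f, y) for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


# Rijndael's MixColumn matrix: each row is a rotation of (2, 3, 1, 1).
MIXCOLUMN = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
# The published inverse: rotations of (14, 11, 13, 9).
INV_MIXCOLUMN = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]
# Constructed 2x2 analogue for a scaled-down model (assumption): rotations of (2, 3).
MIX2 = [[2, 3], [3, 2]]


def mix_column(column, matrix=MIXCOLUMN):
    """Apply the (possibly scaled-down) MixColumn matrix to one column of bytes."""
    return mat_vec(matrix, column)


if __name__ == "__main__":
    print("MixColumn of db 13 53 45 ->", [hex(b) for b in mix_column([0xDB, 0x13, 0x53, 0x45])])
    print("computed inverse matches published:", mat_inverse(MIXCOLUMN) == INV_MIXCOLUMN)
    print("2x2 analogue inverse:", mat_inverse(MIX2))
```

Running mat_inverse on the 4x4 matrix reproduces the published InvMixColumn, which is the check one would want before trusting any hand-built variant. The 2x2 analogue has determinant 2*2 + 3*3 = 4 xor 5 = 1 in the field, so it is invertible and, since subtraction is XOR, it is its own inverse; a singular choice such as [[1, 1], [1, 1]] is rejected by the same routine.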

------------------------------

From: [EMAIL PROTECTED] (DJohn37050)
Date: 04 Dec 2000 16:10:21 GMT
Subject: Re: keysize for equivalent security for symmetric and asymmetric keys

The lawyer attack can get tricky.  There are lots of assumptions of crypto that
might be challenged in court.  Competing interests will have their own experts,
which can conflict in their testimony.  Are you willing to let a judge or jury
of non-experts decide?

As I said, there was supposed to be a presentation to X9F1, instead, all they
got was a few statements, which did not convince them or at least enough of
them at the time.
Don Johnson

------------------------------

From: [EMAIL PROTECTED] (Paul Schlyter)
Subject: Re: Using raw RSA?
Date: 4 Dec 2000 16:33:46 +0100

In article <[EMAIL PROTECTED]>,
Julian Morrison <[EMAIL PROTECTED]> wrote:
 
> If I want to RSA encrypt a tiny chunk of data, is it safe to use raw RSA
> on it instead of the more usual system of symmetric-cyphering the data,
> and RSA-ing the symmetric key?
 
Yes it is.  Just be sure you pad your tiny data with random bytes instead of
some constant value up to the RSA key size before you decrypt it, or else
someone trying to break your crypto may have the advantage of parts of your
plaintext being known.
 
-- 
================================================================
Paul Schlyter,  Swedish Amateur Astronomer's Society (SAAF)
Grev Turegatan 40,  S-114 38 Stockholm,  SWEDEN
e-mail:  pausch at saaf dot se   or    paul.schlyter at ausys dot se
WWW:     http://hotel04.ausys.se/pausch    http://welcome.to/pausch
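Paul's advice above, worked through as an added example (not code from his post): a toy RSA key built from two known Mersenne primes so the block runs offline (about 216 bits, far too small for real use), a constructed length-byte-plus-random-fill padding that stands in for "pad with random bytes", and two checks that show what the padding changes. Raw RSA is deterministic, so anyone holding ciphertexts can tell when the same tiny message was sent twice; the random fill removes that. The padding format, the key and the function names are assumptions for illustration; in practice a standardised scheme such as RSA-OAEP is used rather than an ad-hoc one.

```python
# Raw ("textbook") RSA versus RSA with random padding, to show what the random
# bytes buy.  Added example for the thread above; not code from the original post.
# The key uses two fixed Mersenne primes so the block runs offline; it is a toy
# key (about 216 bits) for illustration only, nowhere near a usable key size.
import secrets

P = 2**127 - 1          # both are known Mersenne primes
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() - 1) // 8     # payload bytes that always encode an integer < N


def raw_encrypt(msg: bytes) -> int:
    """Textbook RSA: c = m^e mod n with the message used directly as the integer."""
    m = int.from_bytes(msg, "big")
    if m >= N:
        raise ValueError("message too large for the modulus")
    return pow(m, E, N)


def pad(msg: bytes) -> bytes:
    """Ad-hoc randomised padding (assumption, not a standard): one length byte,
    the message, then random fill up to K bytes.  The random bytes make each
    encryption of the same message a different integer."""
    if len(msg) > K - 1:
        raise ValueError("message too long for this padding")
    fill = secrets.token_bytes(K - 1 - len(msg))
    return bytes([len(msg)]) + msg + fill


def unpad(block: bytes) -> bytes:
    """Recover the message from the length byte; the random fill is discarded."""
    return block[1:1 + block[0]]


def padded_encrypt(msg: bytes) -> int:
    return pow(int.from_bytes(pad(msg), "big"), E, N)


def padded_decrypt(c: int) -> bytes:
    block = pow(c, D, N).to_bytes(K, "big")
    return unpad(block)


def raw_is_deterministic(msg: bytes) -> bool:
    """Same plaintext always yields the same ciphertext under raw RSA."""
    return raw_encrypt(msg) == raw_encrypt(msg)


def padded_is_randomised(msg: bytes) -> bool:
    """Two encryptions of the same message differ (with overwhelming probability)."""
    return padded_encrypt(msg) != padded_encrypt(msg)


if __name__ == "__main__":
    tiny = b"YES"
    print("raw RSA repeats:", raw_is_deterministic(tiny))
    print("padded RSA repeats:", not padded_is_randomised(tiny))
    print("padded round trip:", padded_decrypt(padded_encrypt(tiny)))
```

The check that matters for a defender is the pair of booleans: with raw RSA, equal plaintexts give equal ciphertexts, so message repetition and message equality are visible to anyone who sees the traffic; with random fill they are not, and the length byte lets the receiver strip the fill unambiguously.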

------------------------------

From: [EMAIL PROTECTED] (DJohn37050)
Date: 04 Dec 2000 16:25:59 GMT
Subject: Re: keysize for equivalent security for symmetric and asymmetric keys

I do not think any group is the fountain of all wisdom.  I just claim that X9F1
expected a presentation, did not get it, beyond a few statements and hand
waving, and were not convinced. 

Roger, not being there, makes a big point about how bankers know nothing about
crypto.  But they do know about their business, which is taking risks.  At
least the majority thought that the cost, less than 5%, was worth the risk of
going into court and avoiding the possibility of watching a PC break an RSA key
in front of a judge's eyes by using old factoring methods.

Something I just do not understand (yet) is if there are 10 methods (say) to
attack a key and one is the best, by some measure, why do we assume the
adversary will use that method?  Why cannot he use the simplest, even if it has
less overall a chance of success?  And if the MIPS are essentially free, why
cannot he run a lottery-style attack?  That is, low chance of success, but if
he hits, jackpot!  So, he assumes what he needs to be true and goes from there.
 It may not be true, but then he loses nothing.  If it is true (some special
case) then he wins the lottery.  This seems to be a case between the case of
guessing the key (w/ a negligible chance) and doing all the work to crack a key
(w/ a good chance of success) and is not much discussed. 
Don Johnson

------------------------------

From: John Myre <[EMAIL PROTECTED]>
Subject: Re: hardware RNG's
Date: Mon, 04 Dec 2000 09:53:59 -0700

Tim Tyler wrote:
<snip>
> The word does not have the universal precise meaning you seem to think.
> 
> For example, try http://www.io.com/~ritter/GLOSSARY.HTM#Random for another
> definition of "random".
<snip>

Interestingly, Terry's definition agrees more closely with Doug
than with Tim.  He does *not* say that random means uniformly
distributed.  He *does* say that a random process is "ideally"
uniform - which for encryption is certainly true.  And it also
shows clearly that "random" might *not* be uniform.

JM

------------------------------

From: John Myre <[EMAIL PROTECTED]>
Subject: Re: hardware RNG's
Date: Mon, 04 Dec 2000 09:54:34 -0700

Rob Warnock wrote:
<snip>
> And for still another, try this:  ;-}
> 
>         <URL:http://www.tuxedo.org/~esr/jargon/html/entry/random.html>
<snip>

Thank you!

JM

------------------------------

From: [EMAIL PROTECTED] (DJohn37050)
Date: 04 Dec 2000 17:03:59 GMT
Subject: Re: keysize for equivalent security for symmetric and asymmetric keys

To further elaborate, say an adversary knows it is supposed to take a gazillion
MIPS-years to break a key.  At the end of doing all that work, the key is
expected to be broken.  He does not have that many MIPS, but he does have X
MIPS years that are essentially free, however.  And he really despises Dudley
Dooright.  He is willing to spend X MIPS years on the CHANCE of doing wrong to
Dudley.  All that is required is that at the end of spending X MIPS years, he
either knows he broke Dudley's key or he knows he did not.

For example, one way to have a 1 in a million chance on breaking a symmetric
key, is to simply guess the first 20 bits and exhaust the rest.  If your 20-bit
guess is wrong, you lose, if right, you will know it.

For ECC, such a situation results in a quadratic decay rate when using Pollard
rho or variants; this seems to say that for a one in a million chance he
can only guess the first 10 bits.  And as ECC
keys are twice as big as symmetric keys, this is a loser idea, he does better
attacking the symmetric key.

What are the numbers for RSA?  How do the various lesser factoring attacks
figure in?  This seems less straightforward to figure out.

The point is, the crypto community usually depends on a cost/benefit analysis
on key breaking.  It takes XX and no one has that much, therefore it is
infeasible.  But this may be too simplistic.  What if the breaking cost is
essentially free and the adversary is willing to try to get lucky?
Don Johnson
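The lottery-style attack in Don's two messages above, as an added example (not from his posts) that puts numbers to it. Assumptions: an attacker who guesses k bits always learns afterwards whether the guess was right; exhausting the remaining bits costs 2^(n-k) trials; generic group attacks such as Pollard rho cost about the square root of the remaining key space, which is the square-root effect behind the "quadratic" remark. The function names and the two cost models are assumptions for the example. The block reports success probability, work and expected work per success, and best_lottery_odds answers the "X MIPS-years are free" question directly.

```python
# Risk model for the "lottery-style" attack discussed above: the attacker guesses
# k key bits and spends a fixed budget on the rest.  Added example, not from the
# original posts; the cost models are idealised assumptions stated in the comments.
from fractions import Fraction


def residual_work_log2(key_bits, guessed_bits, cost_model):
    """log2 of the work needed to finish the attack once k bits are guessed right.

    'exhaustive': try every value of the remaining bits -> 2^(n-k) trials.
    'sqrt':       generic group attacks such as Pollard rho cost about the square
                  root of the remaining key space -> 2^((n-k)/2).
    Both models ignore constants (assumption).
    """
    remaining = key_bits - guessed_bits
    if remaining < 0:
        raise ValueError("cannot guess more bits than the key has")
    if cost_model == "exhaustive":
        return Fraction(remaining)
    if cost_model == "sqrt":
        return Fraction(remaining, 2)
    raise ValueError("unknown cost model")


def partial_guess_attack(key_bits, guessed_bits, cost_model="exhaustive"):
    """Return (log2 success probability, log2 work, log2 expected work per success).

    Guessing k bits succeeds with probability 2^-k; the attacker learns whether
    the guess was right, so a failed attempt costs only the residual work.
    Expected work per success = work / probability.
    """
    work = residual_work_log2(key_bits, guessed_bits, cost_model)
    log2_prob = Fraction(-guessed_bits)
    return log2_prob, work, work - log2_prob


def best_lottery_odds(key_bits, budget_log2, cost_model="exhaustive"):
    """log2 of the best success probability a fixed free budget of 2^budget_log2
    operations can buy.  Every guessed bit halves the odds, so the attacker guesses
    as few bits as the budget allows."""
    if cost_model == "exhaustive":
        k = max(0, key_bits - budget_log2)          # need n - k <= budget
    elif cost_model == "sqrt":
        k = max(0, key_bits - 2 * budget_log2)      # need (n - k) / 2 <= budget
    else:
        raise ValueError("unknown cost model")
    return Fraction(-k)


if __name__ == "__main__":
    # The 1-in-a-million case from the thread: guess 20 bits of a 128-bit key.
    for k in (0, 20, 64, 128):
        p, w, ew = partial_guess_attack(128, k)
        print(f"symmetric 128, guess {k:3d}: P=2^{p}, work=2^{w}, expected=2^{ew}")
    for k in (0, 20):
        p, w, ew = partial_guess_attack(256, k, "sqrt")
        print(f"ECC 256 (rho),   guess {k:3d}: P=2^{p}, work=2^{w}, expected=2^{ew}")
    budget = 118
    print("free budget 2^118 -> odds on 128-bit symmetric: 2^",
          best_lottery_odds(128, budget))
    print("free budget 2^118 -> odds on 256-bit ECC:       2^",
          best_lottery_odds(256, budget, "sqrt"))
```

Two things fall out. Under exhaustive search the expected work per success stays at 2^n whatever k is, so the lottery lowers the attacker's bill but not the expected price of a broken key, and under the square-root model every guessed bit makes the expected price worse. With the same free budget (2^118 here) the odds against a 128-bit symmetric key are 2^-10 versus 2^-20 for a 256-bit ECC key, which matches Don's conclusion that the symmetric key is the weaker point, and gives the defender's rule: size every key so that the odds the budget can buy are negligible, which is Roger's point that guessing must be improbable.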

------------------------------

From: Roger Schlafly <[EMAIL PROTECTED]>
Subject: Re: keysize for equivalent security for symmetric and asymmetric keys
Date: Mon, 04 Dec 2000 09:10:10 -0800

DJohn37050 wrote:
> I do not think any group is the fountain of all wisdom.  I just claim that X9F1
> expected a presentation, did not get it, beyond a few statements and hand
> waving, and were not convinced.

So they were uninformed.

> Roger, not being there, makes a big point about how bankers know nothing about
> crypto.  But they do know about their business, which is taking risks.  At
> least the majority thought that the cost, less than 5%, was worth the risk of
> going into court and avoiding the possibility of watching a PC break an RSA key
> in front of a judge's eyes by using old factoring methods.

If they thought that they were avoiding that, then they are wrong.

> Something I just do not understand (yet) is if there are 10 methods (say) to
> attack a key and one is the best, by some measure, why do we assume the
> adversary will use that method?  Why cannot he use the simplest, even if it has
> less overall a chance of success?  And if the MIPS are essentially free, why
> cannot he run a lottery-style attack?  That is, low chance of success, but if
> he hits, jackpot!  So, he assumes what he needs to be true and goes from there.
>  It may not be true, but then he loses nothing.  If it is true (some special
> case) then he wins the lottery.  This seems to be a case between the case of
> guessing the key (w/ a negligible chance) and doing all the work to crack a key
> (w/ a good chance of success) and is not much discussed.

Yes, the attacker could just try to guess the key. The system should
be such that guessing is improbable.

------------------------------

From: "Julian Morrison" <[EMAIL PROTECTED]>
Subject: Re: RC4 or Rijndael
Date: Mon, 04 Dec 2000 17:48:36 +0000

"Bob Silverman" <[EMAIL PROTECTED]> wrote:

> In article <[EMAIL PROTECTED]>,
>   "Julian Morrison" <[EMAIL PROTECTED]> wrote:
>> Which of RC4 or Rijndael is better for:
>>
>> - strength of security
>> - ease of coding
>> - speed
>> - smaller key
>>
> 
> Q: What's the difference between a duck? A: One of its legs are both the
> same.
> 
> Your question is too vague, and too open ended to be answered. Further,
> you are comparing different *kinds* of ciphers.

As I recall, RC4 is a byte-by-byte stream cypher, and Rijndael is a block
cypher that would need CBC or something. In use though they're both symmetric
cyphers useful for the purpose of doing a RSA/symmetric pairing. I'm trying
to figure out which is best for how I want to do that (optimize for
speed, security, and low wastage of bytes).

------------------------------

From: Erik-Oliver Blass <[EMAIL PROTECTED]>
Subject: Logic of authentication
Date: Mon, 04 Dec 2000 18:50:27 +0100
Reply-To: [EMAIL PROTECTED]

Dear all,

are there any (software) tools that help you to inspect a new crypto protocol with the BAN "Logic of authentication"?

Regards,

Erik




------------------------------

From: Ichinin <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Crypto Proceedings
Date: Fri, 01 Dec 2000 14:50:25 +0100

Mark Harrop wrote:
> Hi all...

Hi.

> Does anyone know of an ONLINE source of the CRYPTO PROCEEDINGS from as far
> back as possible ?

A limited one is at www.springer.de, a few are at www.securityfocus.com.

If you want all of the proceedings, you have to order them from
Springer. If you are serious, start with the 80-97 CD, then if your
interest in crypto is still high, you can get the 3 remaining CDs as well
(or hunt the papers down on the internet). The 80-97 CD is "a tad"
expensive, but hey, if you are fanatical enough that's not a problem :o)

> 
> Also, are they still being held

Yes.

> and do they have a web site ?

Not _A_ specific site. The documents are scattered all over the place.
Search and you shall find...

Regards,
Ichinin

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
