Cryptography-Digest Digest #445, Volume #13       Tue, 9 Jan 01 13:13:01 EST

Contents:
  Re: RSA recoverable signature trick (Hans-Peter Baron)
  $$$ MAKE A LOT OF MONEY EASY $$$ ([EMAIL PROTECTED])
  Re: RSA recoverable signature trick ("Jakob Jonsson")
  Re: Comparison of ECDLP vs. DLP ("Jakob Jonsson")
  Re: Bluetooth security? ("Ingmar Grahn")
  Re: Reviews of 50 cryptography books (Ross Anderson)
  Re: Can anyone break these cryptograms? ("Jakob Jonsson")
  Re: Comparison of ECDLP vs. DLP (DJohn37050)
  Re: Idiots guide to Montgomery multiplication (Francois Grieu)
  Re: Seeking frequency distributions ("Keith Monahan")
  Linear analysis (Benjamin Goldberg)
  secure DOS files ("Peter Osborne")
  Re: Comparison of ECDLP vs. DLP (Roger Schlafly)
  Re: Need of very simple algorithms? (wtshaw)
  Re: Simple Sublimibimbimal Exercise (wtshaw)
  Re: xor'd text file - Cryptanalysis of Simple Aperiodic Substitution  ("Douglas A. Gwyn")

----------------------------------------------------------------------------

Date: Tue, 09 Jan 2001 12:25:36 +0100
From: Hans-Peter Baron <[EMAIL PROTECTED]>
Subject: Re: RSA recoverable signature trick

Mark Currie wrote:
> 
> Hi,
> 
> Years ago someone told me about a trick that you can pull when you want to sign
> a public key of the same bit order. If you want to perform an RSA private key
> operation on another RSA public key modulus where both moduli have the same
> bit order you have a problem in that the to-be-signed value is one bit too
> large. The only methods that I can think of are:
> 
> 1. Send 1024th bit in the clear or,
> 2. Clear the 1024th bit always and let the recipient perform at most two trial
> public key operations using the decrypted modulus.
> 
> The first method is theoretically less secure and requires additional
> transmission space to send the troublesome bit with the encrypted modulus. The
> second method is a bit tedious for the recipient.
> 
> Can anyone think of any other methods ?
> 
> PS: Please don't recommend signing a hash of the public key, I specifically
> need a recoverable signature and I don't have too much additional transmission
> space.

I think you shouldn't sign anything without padding. You compromise
your security otherwise. In your setup, a man-in-the-middle attack
seems to be easy, since the man-in-the-middle can replace your
original signature with something invented by him. Since he can
be assumed to have the recipients public key, he can decode his
invented signature to retrieve his modulus. Since there's no
padding, he needs just a few tries to invent a signature which
will look like a modulus after decryption.

Since a RSA public key consists also of the exponent, and the
public exponent is usually something small, why not send two
signed packages _with_ padding (e.g. PKCS #1 OAEP), the first
containing one part of the modulus, the second package
containing the second part of the modulus and the exponent.

Or, if you don't send the exponent because it is fixed, why
not fix some part of the modulus too and code it accordingly
before signing to reduce its size and have space for padding.
Or use the fixed part as padding. Fixing just a part of
the modulus can be done without compromising security
too much, if the modulus size has some security in "reserve".

> 
> Thanks in advance
> 
> Mark


-- 
Kind regards,

Hans-Peter Baron
Senior Software Developer
FAKTUM Softwareentwicklung GmbH
www.faktum.com
Robert-Koch-Str. 50, D-55129 Mainz
Postal address: Postfach 100262, D-55133 Mainz
Tel: +49-6131-583700, Fax: +49-6131-583704

*************************************************************************************
If this e-mail is digitally signed, this serves EXCLUSIVELY the following purposes:
- Ensuring that this e-mail actually originates from me.
- Ensuring that the content of the e-mail has not been altered.
Any other purposes and interpretations are hereby EXPRESSLY excluded. I am
currently developing software for digitally signing and encrypting e-mail. The
keys used are for testing only. Since others also have access to these keys, the
above purposes cannot be reliably fulfilled.
*************************************************************************************

------------------------------

From: [EMAIL PROTECTED]
Subject: $$$ MAKE A LOT OF MONEY EASY $$$
Date: Mon, 08 Jan 2001 16:21:48 GMT


------------------------------

From: "Jakob Jonsson" <[EMAIL PROTECTED]>
Subject: Re: RSA recoverable signature trick
Date: Tue, 9 Jan 2001 13:12:34 +0100

"Hans-Peter Baron" <[EMAIL PROTECTED]> wrote:
> Or, if you don't send the exponent because it is fixed, why
> not fix some part of the modulus too and code it accordingly
> before signing to reduce its size and have space for padding.
> Or use the fixed part as padding. Fixing just a part of
> the modulus can be done without compromising security
> too much, if the modulus size has some security in "reserve".

Arjen Lenstra has written a paper on the subject, "Generating RSA Moduli
with a Predetermined Portion" (presented at ASIACRYPT'98, don't know if the
paper is available online).  There is also a heuristic security discussion
in the paper. I would recommend applying RSA-PSS-R to the modulus; let the
predetermined part of the modulus be non-recoverable from the signature (it
can be agreed on in advance), and let the remaining part be recoverable.
RSA-PSS-R is described in the draft IEEE P1363a (IFSSR with EMSR3), see
http://grouper.ieee.org/groups/1363/ (finding out how to get the password
needed to download the document is a stimulating exercise...).

"Mark Currie" <[EMAIL PROTECTED]> wrote:
> 1. Send 1024th bit in the clear or,
> 2. Clear the 1024th bit always and let the recipient perform at most two trial
> public key operations using the decrypted modulus.

The most significant bit and the least significant bit in a modulus are
always 1; the first bit is 1, because otherwise the modulus wouldn't be
large enough; the last bit is 1 because any RSA modulus is odd.

Jakob
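
The encoding Mark is asking about, combined with Jakob's observation that the top and bottom bit of a modulus are always 1, as an added worked example in Python (not code from either poster; the 12-bit signer key and the 12-bit modulus being certified are constructed toy values):

```python
from collections import namedtuple

RsaKey = namedtuple("RsaKey", "n e d")

# Constructed toy values: the signer's key (p=61, q=53) and the modulus to be
# certified (p=59, q=67) are both 12-bit numbers, i.e. the same "bit order".
SIGNER = RsaKey(n=3233, e=17, d=2753)
OTHER_MODULUS = 3953
K = 12


def pack_modulus(m, k):
    """Drop the two bits every k-bit RSA modulus is guaranteed to have: the top
    bit (else m would be shorter than k bits) and the bottom bit (m is odd).
    The result is k-2 bits long, so it is below any k-bit signer modulus."""
    if m.bit_length() != k or m % 2 == 0:
        raise ValueError("expected an odd k-bit modulus")
    return (m ^ (1 << (k - 1))) >> 1


def unpack_modulus(x, k):
    """Inverse of pack_modulus: restore the two implied bits."""
    return (x << 1) | 1 | (1 << (k - 1))


def sign_recoverable(signer, m, k):
    """Raw RSA private-key operation on the packed modulus. The thread's caveat
    stands: in a real system the freed bits should carry padding; this only
    shows that no bit has to be sent in the clear or guessed by the recipient."""
    return pow(pack_modulus(m, k), signer.d, signer.n)


def recover_modulus(signer, sig, k):
    """Public-key operation followed by restoring the two implied bits."""
    return unpack_modulus(pow(sig, signer.e, signer.n), k)


def naive_round_trip(signer, m):
    """Mark's original problem: m >= n, so the raw operation reduces m mod n
    and the recipient gets back m mod n rather than m."""
    return pow(pow(m, signer.d, signer.n), signer.e, signer.n)


if __name__ == "__main__":
    sig = sign_recoverable(SIGNER, OTHER_MODULUS, K)
    print("packed value:", pack_modulus(OTHER_MODULUS, K))        # 952
    print("recovered modulus:", recover_modulus(SIGNER, sig, K))  # 3953
    print("naive round trip:", naive_round_trip(SIGNER, OTHER_MODULUS))  # 720
```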




------------------------------

From: "Jakob Jonsson" <[EMAIL PROTECTED]>
Subject: Re: Comparison of ECDLP vs. DLP
Date: Tue, 9 Jan 2001 10:58:15 +0100

Proofs in the random oracle model ARE proofs of security, but you may have
objections against the strength of the proof. The proof tells us that if you
can break the scheme (forge signatures), then you can either invert the
underlying verification primitive or find a flaw in the hash function. Thus,
the security of the whole scheme can be expressed in terms of the security
of two of its components. Of course, the random oracle assumption is a much
stronger assumption than the one-wayness assumption on the verification
primitive -- as soon as you find even the slightest bias in the outputs from
the hash function, the proof will fall apart. In particular, a proof that
relates the security of the scheme directly to the security of the core
primitive would be much better. Yet, a random oracle proof assures us at the
very least that we don't have to fear attacks like the ones on ISO 9796-1
and PKCS #1 v1.5, so such a proof is strictly better than no proof at all of
security (i.e., we achieve something). At least IMHO...

In any case, it would be great to see a security proof with weaker
assumptions on the underlying hash function (e.g., collision-resistance and
one-wayness).

Jakob

"Roger Schlafly" <[EMAIL PROTECTED]> wrote:
> DJohn37050 wrote:
> > Any security proof relies on assumptions.  I think the proof is random oracle,
> > which some do not accept.
>
> IOW, no proof at all of security.



------------------------------

From: "Ingmar Grahn" <[EMAIL PROTECTED]>
Subject: Re: Bluetooth security?
Date: Tue, 9 Jan 2001 13:25:25 +0100


"Michael Schmidt" <[EMAIL PROTECTED]> wrote in
message news:93er60$a5tbf$[EMAIL PROTECTED]...
>
> "Ingmar Grahn" <[EMAIL PROTECTED]> wrote in message
> news:93elac$ijr$[EMAIL PROTECTED]...
> > Thanks for all the answers!
> >
> > > 1. ."Security Weaknesses in Bluetooth", Markus Jakobsson, Susanne
> Wetzel,
> > >    Bell Labs, Murray Hill, New Jersey,
> > >    www.bell-labs.com/user/{markusj,sgwetzel}
> > >
> > >    This paper addresses several shortcomings of BT in the areas of
> > >    authentication and location tracing. Unfortunately, it has been
> > >    withdrawn, and is currently not available. It is supposed to be
> > >    re-presented at the 2001 RSA conference.
> >
> > Well I just downloaded a copy of it today 2001/01/09, and I've got a printed
> > copy of it in my hand right now. Strange..?
>
> Interesting.
> It's even a little more comprehensive than before now... The former version
> was definitely off-line for some months.
>
>
>

It might have been just a draft before? On the website it says this version
of the document was released on 8 December 2000.



------------------------------

From: [EMAIL PROTECTED] (Ross Anderson)
Crossposted-To: comp.security.misc,misc.books.technical
Subject: Re: Reviews of 50 cryptography books
Date: 9 Jan 2001 14:04:57 GMT

See also http://www.cl.cam.ac.uk/~rja14/book.html

Ross

In article <93bj76$qpo$[EMAIL PROTECTED]>,
 Crypto-Boy <[EMAIL PROTECTED]> writes:
>Check out http://www.youdzone.com/cryptobooks.html
>
>for reviews of 50 cryptography books that I own and have read, plus an
>additional 10 I've yet to finish.

------------------------------

From: "Jakob Jonsson" <[EMAIL PROTECTED]>
Subject: Re: Can anyone break these cryptograms?
Date: Tue, 9 Jan 2001 16:16:38 +0100

"Jim Gillogly" <[EMAIL PROTECTED]> wrote:
[snip]
> I agree that the monoliteral frequency distribution looks
> pretty good for monoalphabetic.  I'm not totally convinced that
> this is right, though: if you add the two messages together
> you get an I.C. of 0.0721, which is almost unreasonably high,
> meaning there's more variation in frequency than you would expect
> from English.  The individual frequencies look like this:
>
>   a  b  c  d  e  f  g  h  i  j  k  l  m  n  o  p  q  r  s  t  u  v  w  x  y  z
>   3  6  2  1  1  0 19 12 23  5 20  7  3  2  5  1  2  0 19 12 30  8 15 14  2  2
>
> Note that we have some good high-frequency letters, but the
> medium-frequency letters are pretty sparse.  Perhaps most of
> the sense of the message is carried only in a few of these,
> such as ghikstuwx (like a checkerboard), with the others left
> around for punctuation or nulls or something.

This becomes even more apparent if you write the frequency table as follows:

 a  b  c  d  e  f  g  h  i  j  k  l
 3  6  2  1  1  0 19 12 23  5 20  7
 m  n  o  p  q  r  s  t  u  v  w  x
 3  2  5  1  2  0 19 12 30  8 15 14
 y  z
 2  2

Note that letters at distance 12 (e.g., g-s, i-u, k-w) tend to have
approximately the same frequency, with a few exceptions (e.g., l-x). Explain
this anyone...

Jakob
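
A small check of Jakob's distance-12 observation against Jim's counts, added here as a Python example that is not part of either post: it recomputes the index of coincidence Jim quotes, scores every shift by how well the paired letter frequencies agree, and lists the pairs that break the pattern.

```python
LETTERS = "abcdefghijklmnopqrstuvwxyz"
# Letter counts quoted in the thread for the two messages combined.
COUNTS = [3, 6, 2, 1, 1, 0, 19, 12, 23, 5, 20, 7,
          3, 2, 5, 1, 2, 0, 19, 12, 30, 8, 15, 14, 2, 2]


def index_of_coincidence(counts):
    """Probability that two letters drawn from the text are the same."""
    n = sum(counts)
    return sum(f * (f - 1) for f in counts) / (n * (n - 1))


def mean_shift_difference(counts, d):
    """Average |f(x) - f(x+d)| over letters that have a partner d places
    further along the alphabet (non-cyclic, matching Jakob's layout)."""
    pairs = [(counts[i], counts[i + d]) for i in range(len(counts) - d)]
    return sum(abs(x - y) for x, y in pairs) / len(pairs)


def best_shift(counts, max_shift=13):
    """Shift whose partner letters agree best. Capped at half the alphabet so a
    shift with only one or two pairs cannot win by accident."""
    return min(range(1, max_shift + 1),
               key=lambda d: mean_shift_difference(counts, d))


def outliers(counts, d, threshold):
    """Pairs at distance d whose counts differ by more than threshold: the
    exceptions (such as l-x) that any hypothesis about the cipher must explain."""
    found = [(LETTERS[i], LETTERS[i + d], abs(counts[i] - counts[i + d]))
             for i in range(len(counts) - d)]
    return sorted([t for t in found if t[2] > threshold], key=lambda t: -t[2])


if __name__ == "__main__":
    print("IC: %.4f" % index_of_coincidence(COUNTS))
    for d in range(1, 14):
        print("shift %2d: mean difference %.2f" % (d, mean_shift_difference(COUNTS, d)))
    print("best shift:", best_shift(COUNTS))
    print("outliers at 12:", outliers(COUNTS, 12, 4))
```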



------------------------------

From: [EMAIL PROTECTED] (DJohn37050)
Date: 09 Jan 2001 15:21:05 GMT
Subject: Re: Comparison of ECDLP vs. DLP

Some assumptions of the OTP are:
1) You can generate true randomness.
2) More importantly, you can distribute it ahead of time in sufficient
quantities.
3) You can ensure against reuse and solve sync problems.
Don Johnson

------------------------------

From: Francois Grieu <[EMAIL PROTECTED]>
Subject: Re: Idiots guide to Montgomery multiplication
Date: Tue, 09 Jan 2001 16:36:37 +0100

[EMAIL PROTECTED] wrote:

> I need an idiots guide to Montgomery multiplication

Though not for idiots, I find the Handbook of Applied Cryptography
nice and readable. See
  <http://www.cacr.math.uwaterloo.ca/hac/>
chapter 14, pages 600-603; there is even an example.


  Francois Grieu

------------------------------

From: "Keith Monahan" <[EMAIL PROTECTED]>
Subject: Re: Seeking frequency distributions
Date: Tue, 09 Jan 2001 15:41:14 GMT

Look for "Lanaki's" text.  It is online in a couple places and has freq.
distributions for most of the popular languages.

Keith

"Erik Edin" <[EMAIL PROTECTED]> wrote in message
news:K2O56.494$[EMAIL PROTECTED]...
> Hi.
> I'm seeking frequency distributions of letters for use in cryptanalysis of a
> simple monoalphabetic cipher. I'm specifically looking for frequency
> distributions of the German language, but I'm also interested in all other
> languages. They seem to be less than easy to find on the Internet.
> Thanks.
> Erik Edin
>
>



------------------------------

From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Linear analysis
Date: Tue, 09 Jan 2001 17:02:30 GMT

Does anyone know of any program which automatically does analysis of an
sbox to find linear relationships?

Also, does anyone have any suggestions for a program to assist me in
doing linear analysis of a cipher (not just of the sbox) -- perhaps a
symbolic math package, (like maple or matlab or mathematica) might help? 

I don't have one, and unless I think it'll help, I'm not going to get
one (I'm a bit short on disk space).

Lastly, has anyone already *done* linear analysis of the Rijndael/AES
sbox?

-- 
Power interrupts. Uninterruptable power interrupts absolutely.
[Stolen from Vincent Seifert's web page]
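
An answer to the first and last questions in the form of an added Python example (not from the poster): it builds the Rijndael S-box from its definition (inversion in GF(2^8) modulo x^8+x^4+x^3+x+1 followed by the affine map) and computes its full linear approximation table with one Walsh-Hadamard transform per output mask, which is how an automatic search for linear relations in an S-box is normally done.

```python
def gf_mul(a, b):
    """Multiply in GF(2^8) with the Rijndael polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def gf_inv(a):
    """a^254 (the inverse for a != 0; 0 maps to 0 as in the AES spec)."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r


def aes_sbox():
    """Rijndael S-box: inverse, then XOR of four rotations and the constant 0x63."""
    box = []
    for x in range(256):
        v = gf_inv(x)
        s = v
        for i in range(1, 5):
            s ^= ((v << i) | (v >> (8 - i))) & 0xFF
        box.append(s ^ 0x63)
    return box


def parity(v):
    return bin(v).count("1") & 1


def walsh_hadamard(values):
    """In-place fast Walsh-Hadamard transform of a list whose length is 2^n."""
    f = list(values)
    h = 1
    while h < len(f):
        for i in range(0, len(f), 2 * h):
            for j in range(i, i + h):
                x, y = f[j], f[j + h]
                f[j], f[j + h] = x + y, x - y
        h *= 2
    return f


def linear_approximation_table(sbox, n_bits):
    """lat[b][a] = #{x : a.x == b.S(x)} - 2^(n-1), a = input mask, b = output mask.
    The transform of (-1)^(b.S(x)) gives 2*lat[b][a] for every a at once."""
    size = 1 << n_bits
    lat = []
    for b in range(size):
        signs = [1 - 2 * parity(b & sbox[x]) for x in range(size)]
        lat.append([w // 2 for w in walsh_hadamard(signs)])
    return lat


def best_linear_approximation(lat):
    """(input mask, output mask, bias) with the largest |bias|, ignoring (0, 0)."""
    best = (0, 0, 0)
    for b, row in enumerate(lat):
        for a, v in enumerate(row):
            if (a, b) != (0, 0) and abs(v) > abs(best[2]):
                best = (a, b, v)
    return best


def aes_max_bias():
    """Largest |lat entry| of the AES S-box; 16 means bias 16/256 = 2^-4."""
    return abs(best_linear_approximation(linear_approximation_table(aes_sbox(), 8))[2])


if __name__ == "__main__":
    print("best linear approximation of the AES S-box:",
          best_linear_approximation(linear_approximation_table(aes_sbox(), 8)))
```

The same `linear_approximation_table` works for any bijective n-bit S-box given as a list; only `aes_sbox` is Rijndael-specific.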

------------------------------

From: "Peter Osborne" <[EMAIL PROTECTED]>
Subject: secure DOS files
Date: Tue, 9 Jan 2001 18:34:19 +0100
Reply-To: "Peter Osborne" <[EMAIL PROTECTED]>

I've always dreamt of a real private computer, buttttt....
Since I have probed around with "Scramdisk" and PGP, both seem to be
well-featured, but that's not what I wanted. Isn't there a really
simple programme anywhere which exactly does the following steps:
You type in a passphrase before working with your "top-secret"
directory; these files will be decrypted by a quite powerful AND fast
algorithm; files can be used as usual; when work is done, all
sensitive files will be encrypted by that powerful AND fast algorithm,
and, at last, the passphrase or keys will be destroyed automatically
before the system gets shut down.
Does such code already exist?  I don't like to "engineer" it from Adam
and Eve...


------------------------------

From: Roger Schlafly <[EMAIL PROTECTED]>
Subject: Re: Comparison of ECDLP vs. DLP
Date: Tue, 09 Jan 2001 09:43:54 -0800

Jakob Jonsson wrote:
> Proofs in the random oracle model ARE proofs of security, but you may have
> objections against the strength of the proof.

Stop right there. You contradict yourself. Proofs are proofs.
There are no objections to the strength of a valid proof.

Substitute the word "argument" for "proof" in your message, and
it makes more sense. All the RO crowd has is arguments for
security, not proofs.

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Need of very simple algorithms?
Date: Tue, 09 Jan 2001 11:08:31 -0600

In article <BzA66.15726$I5.297315@stones>, "Brian Gladman"
<[EMAIL PROTECTED]> wrote:

> The history of information (in)security is that of people/organisations who
> profess to want good security but evidently do not since they are not
> prepared to pay for it.  Given the choice between performance or security
> improvements, the former always wins in the market.
> 
> In consequence we all get what we (don't) pay for - systems that leak like
> sieves.
> 
>    Brian Gladman

That sounds great, but there is little or no cost in adequate security,
just knowledge of what it should include and deciding to follow through.
The fast-buck boys always want to sell a deficient product, so that you
will be begging for an improved one, and pay for each baby-step promised
to get you nearer your goal.
-- 
History repeats itself when given the opportunity.  
Question repeating old mistakes.
Be certain of the outcome of repeating mistakes.

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Simple Sublimibimbimal Exercise
Date: Tue, 09 Jan 2001 11:18:53 -0600

In article <[EMAIL PROTECTED]>, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:
> 
> ... It seems that a large part of people in the world 
> who want to guard their freedom of privacy indeed have to 
> actively do something 'themselves' (i.e. presumably in 
> addition to what can be obtained from the literature and 
> from others) in matters of steganography, which leads us 
> back to stuffs like what the title of this thread addresses.
> 
> M. K. Shen

Imagine my getting several phone calls where people said, "Wow," when the
simple technique I presented. It happened.  Crypto seems a total mystery
to many, so they leave it alone.

I present the idea that anyone that wants to know anything about the field
can and should explore some of the basics of crypto, and even find some
understandable methods that can serve them, third parties not being
partners in that security.
-- 
Large corporations are touted as heros as job creators.
Many of them should be recognized merely as job exporters, 
creating jobs somewhere else for anyone but Americans.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: xor'd text file - Cryptanalysis of Simple Aperiodic Substitution
Date: Tue, 9 Jan 2001 16:43:10 GMT

Paul Pires wrote:
> I'll try again. Where does one go to find out about cryptanalysis
> of "Genuine Stream ciphers"? By the above definition, RC-4,
> Seal, Wake nor any others I have heard of seem to fit the bill.
> Maybe I'm missing something again. Is it the nature of the cipher
> or the mode of operation or the protocol used that transforms it
> into a "Genuine stream cipher"?

The categories "stream" and "block" are fuzzy ones; the essence
of a block cipher is that the space being treated as a computational
unit during the encryption operation is not amenable to exhaustive
search, while the computational unit of a stream cipher (normally a
"character" or perhaps a single bit) is readily searchable.

Simple-minded stream ciphers merely combine the output of a PRNG
with the plaintext in a simple way that can readily be inverted
without knowing anything about the key.  Better stream ciphers have
internal state that depends in an essential way on the message as
well as on the key; obviously the intended decipherer must be able
to reconstruct the state from the CT and key, which for example
could be done with some form of CT autokey.  Some such systems
(where the CT essentially involves just a convolution of the PT)
are susceptible to correlation attacks.  In general, cryptanalytic
technology for this class of system has been highly developed over
the years due to its practical importance in attacking government
communications, although most of the technology has never been
disclosed to the public.

Terry Ritter's page at http://www.io.com/~ritter/RES/COMBCORR.HTM
has additional information on this topic.

> I guess what I really want to know is what is the threshold an
> idea must cross in order to become interesting to those who
> know?
> If I had a "Genuine stream cipher", immune to bit flipping attacks,
> naturally authenticating, and can do all that for around
> 5 clocks per byte in software on a P2, would that elicit a
> response like:
> A, "Pretty mundane, why look at new methods when we
> can already do that"?
> Or would it be;
> B, "Can I have some of that stuff you've been smoking"
> What is the state of the art for the good stuff?

1 clock per byte.
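
Gwyn's distinction between a "simple-minded" PRNG-XOR stream cipher and one whose state depends on the message through a ciphertext autokey, as an added Python illustration that is not part of the post: both keystream generators are constructed SHA-256 toys, not real ciphers, and the tamper test reports which plaintext bytes a receiver sees change after a single ciphertext bit flip (the property Paul's "immune to bit flipping" question is about).

```python
import hashlib

KEY = b"constructed-demo-key"        # constructed toy key
PLAINTEXT = b"the quick brown fox"  # constructed sample message


def _keystream_byte(key, tweak):
    """Toy keystream unit: first byte of SHA-256(key || tweak). For illustration
    only; the point is what the tweak depends on, not the hash."""
    return hashlib.sha256(key + tweak).digest()[0]


def sync_crypt(key, data):
    """Simple-minded stream cipher: keystream depends on key and position only,
    so encryption and decryption are the same XOR and a flipped ciphertext bit
    flips exactly the matching plaintext bit."""
    return bytes(b ^ _keystream_byte(key, i.to_bytes(4, "big"))
                 for i, b in enumerate(data))


def ct_autokey_encrypt(key, plaintext):
    """Ciphertext autokey: each keystream unit is derived from the key and all
    ciphertext produced so far, so the internal state depends on the message."""
    out = bytearray()
    for b in plaintext:
        out.append(b ^ _keystream_byte(key, bytes(out)))
    return bytes(out)


def ct_autokey_decrypt(key, ciphertext):
    """The receiver rebuilds the state from the ciphertext alone, as Gwyn notes."""
    out = bytearray()
    for i, c in enumerate(ciphertext):
        out.append(c ^ _keystream_byte(key, ciphertext[:i]))
    return bytes(out)


def flip_bit(data, index, bit=0):
    d = bytearray(data)
    d[index] ^= 1 << bit
    return bytes(d)


def changed_positions(a, b):
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def tamper_effect(mode, key=KEY, plaintext=PLAINTEXT, index=4):
    """Flip one ciphertext bit and report the plaintext bytes that change.
    sync: only byte `index`. autokey: byte `index` and (almost surely) every
    later byte, since their keystream depended on the altered ciphertext.
    Neither mode authenticates anything; detecting the change needs a MAC."""
    if mode == "sync":
        received = sync_crypt(key, flip_bit(sync_crypt(key, plaintext), index))
    else:
        received = ct_autokey_decrypt(key, flip_bit(ct_autokey_encrypt(key, plaintext), index))
    return changed_positions(plaintext, received)


if __name__ == "__main__":
    print("sync cipher, bytes changed:   ", tamper_effect("sync"))
    print("autokey cipher, bytes changed:", tamper_effect("autokey"))
```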

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
