Cryptography-Digest Digest #497, Volume #13 Fri, 19 Jan 01 10:13:01 EST
Contents:
Re: Why Microsoft's Product Activation Stinks (Gordon Walker)
Re: AES sbox generating code. (Tom St Denis)
Re: Differential Analysis (Tom St Denis)
Re: SAC question (Tom St Denis)
Re: Why Microsoft's Product Activation Stinks (David Schwartz)
Re: Kooks (was: NSA and Linux Security) ([EMAIL PROTECTED])
ideas of D.Chaum about digital cash and whether tax offices are (Ariel Burbaickij)
Re: AES sbox generating code. ("Brian Gladman")
Re: Problem with Lanaki Lession #1 ("Rob Marston")
Re: A Small Challnge ("Frog2000")
Re: Comparison of ECDLP vs. DLP (DJohn37050)
Another poorman's cipher (Mok-Kong Shen)
___ECC encrypt/decrypt (kctang)
----------------------------------------------------------------------------
From: Gordon Walker <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto,misc.survivalism
Subject: Re: Why Microsoft's Product Activation Stinks
Date: Fri, 19 Jan 2001 09:56:17 +0000
On Thu, 18 Jan 2001 13:22:39 -0800, David Schwartz
<[EMAIL PROTECTED]> wrote:
>> Which begs the question of how they could tell it was being abused.
>
> Oh, come on. You think they don't already know which serial numbers are
>being abused? They're posted in warez newsgroups for chrissakes.
Think about it for a moment. The scheme being proposed would no longer
permit you to grab a serial number from a warez site or group since it
must be generated from your hardware (unless MS leave in backdoor
codes). Therefore that apparently easy means of blacklisting numbers
is not available to them.
Consider what is actually going to happen. A legitimate customer
changes his harddrive, or processor or whatever and finds he cannot
reinstall Windows. He calls Microsoft for a new code. Exactly what
criteria are you suggesting they use to determine whether or not to
give out the code? How do they know he's not asking for a code for his
mate, his mother-in-law etc? What it comes down to is whether they
will tend to believe or tend to disbelieve. If they tend to disbelieve
then a lot of customers will get badly treated. If they tend to
believe their copy protection scheme becomes a pointless irritation.
The worst of it is the scheme won't stop the large scale pirates who
cost Microsoft so much since they will either patch the OS or else
produce key generators. The only people it will affect are the
individual users giving a copy or two to their friends, and in stopping
this insignificant trickle of piracy they will inconvenience the vast
majority of their customers.
--
Gordon
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: AES sbox generating code.
Date: Fri, 19 Jan 2001 09:58:54 GMT
In article <[EMAIL PROTECTED]>,
Benjamin Goldberg <[EMAIL PROTECTED]> wrote:
> Tom St Denis wrote:
> >
> > In article <[EMAIL PROTECTED]>,
> > Benjamin Goldberg <[EMAIL PROTECTED]> wrote:
> > > I've written some code to generate the sbox used in AES. I'm not
> > > certain if it's correct. Would someone check it for me?
> >
> > Why not just do the code a brute force way that way you can be sure.
> > Or just use my affine.c/goodbox.c from my website (at geocities) to
> > make it....
>
> Is your affine() in affine.c the *same* affine transform as the one used
> by AES? Your thing takes up 8 lines. Anyway, I'm fairly certain that I
> at least got that part right:
>
> j = i ? pow[255 - log[i]] : 0;
> k = ((j >> 7) | (j << 1)) ^ ((j >> 6) | (j << 2));
> j ^= 0x63 ^ k ^ ((k >> 6) | (k << 2));
>
> Especially since it is copied from one of the reference implementations.
>
> Can the functions in goodbox.c be used to make the function log3(x) mod
> 2 mod p? Maybe, but not easily.
What on earth are you yowling about? AES uses x^-1 in GF(2^n) as its sbox.
Not some logarithmic type construction.
> > What I did is do a brute force search for the multiplicative
> > inverse...
>
> How do multiplicative inverses relate to powers and logarithms of 3?
Because if you know what you are doing it would.
> > If you don't know what you are doing, DON'T DO IT! (or at least try to
> > understand it first).
>
> If *you* don't know *what* I'm doing (and it seems you don't), then
> don't try to tell me *how* to do it or not do it.
>
> Anyway, since seeing your Trollish posting in response to my question, I
> did a search for AES implementations. Take a good, hard, look at the
> gen_tabs() function in the following:
They use a factoring trick to speed up the gentabs function. It's still just
an inversion. I call your attention to the middle of Page 23 of the Rijndael
Submission paper.
"We have decided to take from the candidate constructions in [Ny94] the S-box
defined by the mapping x -> x^-1 in GF(2^8)."
> http://fp.gladman.plus.com/cryptography_technology/rijndael/aes.c
>
> , and then tell me that my code is wrong. Dare ya!
What is wrong is that you are trying to use code that you don't understand.
Tom
Sent via Deja.com
http://www.deja.com/
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Differential Analysis
Date: Fri, 19 Jan 2001 10:01:25 GMT
In article <[EMAIL PROTECTED]>,
Benjamin Goldberg <[EMAIL PROTECTED]> wrote:
> Tom. Your sboxgen will not generate the AES sbox. Or at least, it
> might, but not in the lifetime of the universe.
My intent was to rebut the fact that your diff code is wrong because you
don't know what you are doing.
The AES sbox is not as good as you think it is my friend. It fails the SAC
test and has a low algebraic degree (which means the millions of cryptographers
better than me can use it in an attack).
Sboxgen can at least make sboxes with slightly more desirable properties.
Tom
Sent via Deja.com
http://www.deja.com/
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: SAC question
Date: Fri, 19 Jan 2001 10:02:44 GMT
In article <948gtd$jti$[EMAIL PROTECTED]>,
Splaat23 <[EMAIL PROTECTED]> wrote:
> Is there much advantage to having sboxes that are two-way SAC? Your 3x3
> box below is only one-way SAC, which I assume would be sufficient since
> that is the most important way, but there are strong biases in the
> inverse.
Oh you mean like { 3, 2, 7, 1, 6, 0, 4, 5 }?
Um "2-way" SAC is only cool iff you use the inverse.
Tom
Sent via Deja.com
http://www.deja.com/
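An added example, not code from any post in this digest, that measures the strict avalanche criterion (SAC) the way the question above uses it: for every input bit flipped, count how many of the 2^n inputs see each output bit change; strict SAC means every count is exactly 2^(n-1). It is run on the 3x3 box Tom quotes and on its computed inverse, which is what "2-way SAC" means, and on a constructed identity map as a box that fails. The names `sac_count`, `is_sac`, `invert_sbox`, `two_way_sac`, `TOM_BOX` and `IDENTITY3` are mine.

```c
#include <stdint.h>

/* Number of the 2^n inputs x for which flipping input bit `ibit` flips
   output bit `obit` of the n-bit S-box.  Strict SAC requires this to equal
   2^(n-1) for every (ibit, obit) pair. */
int sac_count(const uint8_t *sbox, int n, int ibit, int obit) {
    int size = 1 << n, x, count = 0;
    for (x = 0; x < size; ++x) {
        uint8_t d = sbox[x] ^ sbox[x ^ (1 << ibit)];
        count += (d >> obit) & 1;
    }
    return count;
}

/* 1 if every (input bit, output bit) pair meets the SAC count exactly. */
int is_sac(const uint8_t *sbox, int n) {
    int ibit, obit;
    for (ibit = 0; ibit < n; ++ibit)
        for (obit = 0; obit < n; ++obit)
            if (sac_count(sbox, n, ibit, obit) != (1 << (n - 1))) return 0;
    return 1;
}

/* Invert a bijective n-bit S-box into `inv` (which must hold 2^n entries). */
void invert_sbox(const uint8_t *sbox, uint8_t *inv, int n) {
    int size = 1 << n, x;
    for (x = 0; x < size; ++x) inv[sbox[x]] = (uint8_t)x;
}

/* "2-way SAC": the box and its inverse both satisfy strict SAC. */
int two_way_sac(const uint8_t *sbox, int n) {
    uint8_t inv[256];
    invert_sbox(sbox, inv, n);
    return is_sac(sbox, n) && is_sac(inv, n);
}

/* The 3x3 box from Tom's post; its inverse is computed, not typed in. */
const uint8_t TOM_BOX[8] = { 3, 2, 7, 1, 6, 0, 4, 5 };

/* Constructed counterexample: the identity map changes exactly one output
   bit per flipped input bit, so its SAC counts are 8 or 0 instead of 4. */
const uint8_t IDENTITY3[8] = { 0, 1, 2, 3, 4, 5, 6, 7 };
```

Running `two_way_sac(TOM_BOX, 3)` returns 1: every one of the nine counts is 4 for the box and for its inverse, so this particular box is SAC in both directions; the biases Splaat23 describes would show up as counts away from 4 in the inverse.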
------------------------------
From: David Schwartz <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto,misc.survivalism
Subject: Re: Why Microsoft's Product Activation Stinks
Date: Fri, 19 Jan 2001 02:16:23 -0800
Gordon Walker wrote:
>
> On Thu, 18 Jan 2001 13:22:39 -0800, David Schwartz
> <[EMAIL PROTECTED]> wrote:
>
> >> Which begs the question of how they could tell it was being abused.
> >
> > Oh, come on. You think they don't already know which serial numbers are
> >being abused? They're posted in warez newsgroups for chrissakes.
>
> Think about it for a moment. The scheme being proposed would no longer
> permit you to grab a serial number from a warez site or group since it
> must be generated from your hardware (unless MS leave in backdoor
> codes). Therefore that apparently easy means of blacklisting numbers
> is not available to them.
Huh? You're still going to have some kind of product key or something,
otherwise how would they know whether or not you bought the software?
The value the installer generates will contain a combination of your
fixed 'serial number' and a hardware-dependent value.
> Consider what is actually going to happen. A legitimate customer
> changes his harddrive, or processor or whatever and finds he cannot
> reinstall Windows. He calls Microsoft for a new code. Exactly what
> criteria are you suggesting they use to determine whether or not to
> give out the code? How do they know he's not asking for a code for his
> mate, his mother-in-law etc? What it comes down to is whether they
> will tend to believe or tend to disbelieve. If they tend to disbelieve
> then a lot of customers will get badly treated. If they tend to
> believe their copy protection scheme becomes a pointless irritation.
Nonsense. I don't think Microsoft really cares about people installing
software for their friend or mother-in-law. In fact, that's how
Microsoft's products got the dominance they have now. What they really
do care about, however, is mass piracy, especially for money.
> The worst of it is the scheme won't stop the large scale pirates whose
> cost Microsoft so much since they will either patch the OS or else
> produce key generators. The only people it will affect are the
> individual users giving a copy or two to their friends and in stopping
> this insignificant trickle of piracy they will inconvenience the vast
> majority of their customers.
I don't think you understand how the scheme works. There is no key to
generate.
DS
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Kooks (was: NSA and Linux Security)
Date: Fri, 19 Jan 2001 12:05:44 GMT
In article <948fut$j3p$[EMAIL PROTECTED]>,
Greggy <[EMAIL PROTECTED]> wrote:
> > > > When you get done reading through that stuff, if you are
> > > > interested, do a search on the "missing thirteenth amendment"
> > >
> > > The claim that it was ratified by a 13th state relies entirely
> > > on the Virginia legislature's Act No. 280: "... there shall be
> > > published
> > > an edition of the Laws of this Commonwealth in which shall be
> > > contained ..." and the subsequent publication of the Virginia
> > > Civil Code containing the proposed 13th Amendment among other
> > > US and Virginia laws. At that time (1819) there were 21 states,
> > > so even if Virginia had thereby ratified the amendment (which
> > > is debatable, to say the least), it would have still failed to
> > > gain the required 3/4 approval (16 states, not 13).
> >
> > A thorough article at www.thirdamendment.com/missing.html explains
> > this point in greater detail (if it isn't what you're relying on
> > already).
> >
> > It also talks a bit about the amendment process in general, such
> > as that publishing a book that includes an amendment can't be
> > construed as a ratification of an amendment. And notes that the
> > same kooks who claim the 16th amendment wasn't ratified because of
> > changes in spelling, etc. conveniently ignore the same issues for
> > the "missing 13th amendment."
> >
> > But not that one can expect much rational thought from these kooks.
> > They also claim that the "missing 13th amendment" gives them the
> > right to murder cops (because being a police officer is a "title
> > of nobility," doncha know).
>
> It is interesting - very interesting - that you refer to me as "one of
> those kooks" using that phrase or term as many times as you can in your
> post.
Notice that the kook hasn't tried to defend any of the kooky reasoning he
and others used in support of their delusion that there is a "missing
13th amendment"; he's just upset that he's been identified as a kook.
If you can't stand the fire, get out of the kitchen.
> It is also interesting that NO ONE during the period in question in
> the position of legislature or judicial screamed or even complained
> about the Virginian process to publish the 13th amendment in its 1819
> publication,
Gibberish.
Contemporary scholars understood that the amendment had
not been ratified. William Rawle wrote that it "has been
adopted by some of the states; but not yet by a sufficient
number." Joseph Story wrote that "it has not received the
ratification of the constitutional number of states to make
it obligatory, probably from a growing sense, that it is
wholly unnecessary." Although the 1839 edition is silent
on the subject, by 1848 Bouvier's Law Dictionary recorded
that TONA "has been recommended by Congress, but it has not
been ratified by a sufficient number of states to make a
part of the constitution."
--thirdamendment.com
> and in fact other states as well when they chose to do the
> same. Their actions show absolutely conclusively that they knew it was
> properly ratified. You cannot explain the deafening silence when those
> critical decisions were being made other than they knew it was correct
> to publish the amendment because it was law.
The best (although slightly flippant) refutation I've seen:
If one believes that TONA became part of the Constitution
merely because it was frequently published, one should
immediately mount an expedition to find Buss Island, a
"phantom" island in the North Atlantic which appeared on
maps from 1592 until 1856. See Donald S. Johnson, Phantom
Islands of the Atlantic 80 (1994). Buss Island had its own
conspiracy theorists; in 1770, an anonymous author accused
the Hudson's Bay Company of keeping its location a secret
in order to maintain financial control over it.
--thirdamendment.com
So, when will your ship be setting off, Greggy?
> In fact, you have to say they were all kooks for including it.
And indeed, they were inexcusably sloppy in publishing it, but:
In the late eighteenth and early nineteenth centuries,
there was frequent confusion about whether proposed
amendments had become part of the Constitution. "At that time
no legal procedure existed to control the communication of
action by States to the Federal Government. . . . Uncertainty
as to the status of [TONA] continued for eight years." The
Eleventh Amendment became effective on February 7, 1795, but
was not acknowledged by President John Adams as being in
effect until January 8, 1798. Similarly, President Thomas
Jefferson's Secretary of State, James Madison, did not declare
the Twelfth Amendment in effect until more than three months
after it became part of the Constitution. Even in 1845, the
editors of United States Statutes at Large were unsure exactly
when the Eleventh and Twelfth Amendments had been ratified.
--thirdamendment.com
> So we can see who the real kook is.
And on that subject, still unwilling to reveal to public scrutiny your
miraculous new argument that proves there is a "missing 13th amendment" -
or anything else in support of your delusions - Greggy?
Sent via Deja.com
http://www.deja.com/
------------------------------
From: Ariel Burbaickij <[EMAIL PROTECTED]>
Subject: ideas of D.Chaum about digital cash and whether tax offices are
Date: Fri, 19 Jan 2001 13:23:47 +0100
Provided that the following is indeed possible:
1) Digital money is indeed possible with all features desirable: hard to
falsify, impossibility of backtracking, etc.
2) Anonymous communication (impossibility to back-track to the source of a
communication, intractability of even the fact of communication between
any 2 persons)
How would tax offices put up with this situation?
E.g. in many countries tax offices must be informed of the facts of purchases
worth some amount considered serious. So cash is surely frowned upon in such
countries.
Regards
------------------------------
From: "Brian Gladman" <[EMAIL PROTECTED]>
Subject: Re: AES sbox generating code.
Date: Fri, 19 Jan 2001 13:34:00 -0000
"Benjamin Goldberg" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> I've written some code to generate the sbox used in AES. I'm not
> certain if it's correct. Would someone check it for me?
>
> unsigned char AES_sbox[256], AES_sibox[256];
>
> void AES_setup() {
>     unsigned char pow[256], log[256];
>     int i, j;
>     for( i = 0, j = 1; i < 256; ++i ) {
>         log[pow[i] = j] = i;
>         // The above line does pow[i] = 3**i % 0x11b
>         // and of course its inverse.
>         j ^= (j << 1) ^ ((j & 0x80) ? 0x11b : 0);
>         // The above line does j = j * 3 % 0x11b
>     }
>     for( i = 0; i < 256; ++i ) { int k;
>         j = i ? pow[255 - log[i]] : 0;
>         // j is now 3**(-i) % 0x11b
>         k = ((j >> 7) | (j << 1)) ^ ((j >> 6) | (j << 2));
>         j ^= 0x63 ^ k ^ ((k >> 6) | (k << 2));
>         // j now is an affine transform of what it was.
>         AES_sibox[AES_sbox[i] = j] = i;
>     }
> }
No, this will not work because the variable k is not constrained to be an
8-bit variable, as it would need to be in this particular construction.
Brian Gladman
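An added example, not code from this digest or from any of the posters: the same exp/log construction as the quoted code, but with the affine step's intermediate `k` kept to 8 bits, which is the defect Brian Gladman points out (with `int k`, `j << 1` and `j << 2` carry bits above bit 7 into `k`, and `k >> 6` then brings them back down, and the `|` between shifted halves only rotates correctly on an 8-bit value). To show the result is the x -> x^-1 S-box Tom St Denis quotes from the Rijndael paper, every entry is cross-checked against a brute-force multiplicative inverse in GF(2^8), and a few FIPS-197 values are asserted. The names `gf_mul`, `rotl8`, `affine`, `sbox_bruteforce` and `AES_sbox_selfcheck` are mine; the arrays keep the quoted names.

```c
#include <stdint.h>

/* Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1 (0x11b). */
static uint8_t gf_mul(uint8_t a, uint8_t b) {
    uint8_t r = 0;
    while (b) {
        if (b & 1) r ^= a;
        a = (uint8_t)((a << 1) ^ ((a & 0x80) ? 0x1b : 0));   /* xtime */
        b >>= 1;
    }
    return r;
}

/* Rotate an 8-bit value left by n (1..7); the result never leaves 8 bits. */
static uint8_t rotl8(uint8_t x, int n) {
    return (uint8_t)((x << n) | (x >> (8 - n)));
}

/* AES affine map y = x ^ rotl(x,1) ^ rotl(x,2) ^ rotl(x,3) ^ rotl(x,4) ^ 0x63,
   in the two-step form of the quoted code: k = rotl1 ^ rotl2, then add
   rotl(k,2) = rotl3 ^ rotl4.  k is an 8-bit value here, which is the fix. */
static uint8_t affine(uint8_t x) {
    uint8_t k = rotl8(x, 1) ^ rotl8(x, 2);
    return (uint8_t)(x ^ 0x63 ^ k ^ rotl8(k, 2));
}

uint8_t AES_sbox[256], AES_sibox[256];

/* Build the S-box from exp/log tables of the generator 3, as the quoted code does. */
void AES_setup(void) {
    uint8_t exp3[256], log3[256];
    uint8_t j = 1;
    int i;
    for (i = 0; i < 256; ++i) {
        exp3[i] = j;              /* exp3[i] = 3^i */
        log3[j] = (uint8_t)i;     /* log3[1] ends up 255, so 1^-1 -> exp3[0] = 1 */
        j = gf_mul(j, 3);
    }
    for (i = 0; i < 256; ++i) {
        uint8_t inv = i ? exp3[255 - log3[i]] : 0;   /* 3^(-log i) = i^-1; 0 -> 0 */
        AES_sbox[i] = affine(inv);
        AES_sibox[AES_sbox[i]] = (uint8_t)i;
    }
}

/* Independent route (Tom's suggestion): search for the inverse by brute force. */
uint8_t sbox_bruteforce(uint8_t x) {
    uint8_t inv = 0;
    int c;
    if (x) for (c = 1; c < 256; ++c) if (gf_mul(x, (uint8_t)c) == 1) { inv = (uint8_t)c; break; }
    return affine(inv);
}

/* 1 if the table-built S-box matches the brute-force one for all 256 inputs
   and the inverse table round-trips; 0 otherwise. */
int AES_sbox_selfcheck(void) {
    int i;
    AES_setup();
    for (i = 0; i < 256; ++i) {
        if (AES_sbox[i] != sbox_bruteforce((uint8_t)i)) return 0;
        if (AES_sibox[AES_sbox[i]] != i) return 0;
    }
    return 1;
}
```

Dropping the casts and making `k` an `int` reproduces the failure Brian describes: the self-check then returns 0 because the entries with bit 7 or bit 6 set no longer match the brute-force table.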
------------------------------
From: "Rob Marston" <[EMAIL PROTECTED]>
Subject: Re: Problem with Lanaki Lession #1
Date: Fri, 19 Jan 2001 13:26:15 -0000
> A quick script produced the following tally chart. Does it
> match your counts?
>
> :- I- S- T- M- A- P- F
> A 11 :- - /- //- ....- ///- /- -
> B 1 :- - - - .- - - -
> C 1 :- - - /- - - - -
> D 1 :- - - - - - - /-
> F 13 :- //- - - .....- - /- /////-
> G 4 :- - /- - ..- /- - -
> H 9 :- - //- //- .- /- /- //-
> I 6 :- - /- - ...- - //- -
> J 6 :- //- - /- ..- /- - -
> K 5 :- - //- /- .- - /- -
> M 9 :- /- //- /- ..- - ///- -
> N 1 :- - - /- - - - -
> O 3 :- - /- - .- - /- -
> P 1 :- - - - - /- - -
> Q 4 :- /- - /- .- - - /-
> R 3 :- - - - ..- - /- -
> S 7 :- /- /- - ....- - - /-
> T 2 :- /- - - - - /- -
> V 3 :- /- - - .- - - /-
> W 8 :- /- //- - ..- /- /- /-
> X 5 :- ///- - - - //- - -
> Z 3 :- - - - ..- - - /-
I calculated them as this...
{I got bored with / and . after the mess made of the 1st Post :) }
F : I 2 3 M 3 2 E
- : - - - - - - -
A 11 : 0 1 2 4 3 1 0
B 1 : 0 0 0 1 0 0 0
C 1 : 0 0 1 0 0 0 0
D 1 : 0 0 0 0 0 0 1
F 13 : 2 0 0 5 0 1 5
G 4 : 0 1 0 2 1 0 0
H 9 : 0 2 2 1 1 1 2
I 6 : 0 1 0 3 0 2 0
J 6 : 2 0 1 2 1 0 0
K 5 : 0 2 1 1 0 1 0
M 9 : 1 2 1 2 0 3 0
N 1 : 0 0 1 0 0 0 0
O 3 : 0 1 0 1 0 1 0
P 1 : 0 0 0 0 1 0 0
Q 4 : 1 0 1 1 0 0 1
R 3 : 0 0 0 2 0 1 0
S 7 : 1 1 0 4 0 0 1
T 2 : 1 0 0 0 0 1 0
V 3 : 1 0 0 1 0 0 1
W 8 : 1 2 0 2 1 1 1
X 5 : 3 0 0 0 2 0 0
Z 3 : 0 0 0 2 0 0 1
----
106
which seems to match your values as well; that at least makes me happier...
> > > Can anybody tell me what I'm doing wrong?
> Perhaps it is incorrect to assume there are no typographic errors in the
tally chart.
Maybe it's as simple as that. I'm just surprised that a document that is so
widely circulated would have such large errors in the first chapter...
Thanks for looking at least
Rob
------------------------------
From: "Frog2000" <[EMAIL PROTECTED]>
Crossposted-To: sci.math,comp.theory
Subject: Re: A Small Challnge
Date: Fri, 19 Jan 2001 09:31:14 -0500
--
http://welcome.to/speechsystemsfortheblind
"Bryan Olson" <[EMAIL PROTECTED]> wrote in message
news:947fie$lu0$[EMAIL PROTECTED]...
> rosi wrote:
> > Bryan Olson wrote in part ...
> >
> | | The fact that this obviously useless modification satisfies
> > >the requirements leads me to believe that either the
> > >requirements left out something important, or there just isn't
> > >much to this notion.
> >
> > Correct. Again randomization is not QP otherwise QP embraces
> > some very uninteresting things.
>
> I don't think you understood. My modification (to any PK
> cipher) required no randomness.
It's easier to crack. Randomness, although pseudo, is much harder to reverse
engineer.
>
> The question is whether the notion adds one interesting thing.
> If so, what?
>
>
> --Bryan
>
>
> Sent via Deja.com
> http://www.deja.com/
------------------------------
From: [EMAIL PROTECTED] (DJohn37050)
Date: 19 Jan 2001 14:33:20 GMT
Subject: Re: Comparison of ECDLP vs. DLP
Yes, you can guard against an RNG failure by use of statistical randomness
tests à la FIPS 140-1 or -2.
Don Johnson
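An added example, not from the post above or from any FIPS reference code, of the kind of power-up randomness check Don is referring to: three of the FIPS 140-1 statistical tests (monobit, poker and long run) applied to a 20,000-bit sample, with the FIPS 140-1 pass limits as I recall them (9654 < ones < 10346; 1.03 < poker X < 57.4; no run of 34 or more); FIPS 140-2 tightened these limits and the runs test is omitted here. The source under test is a constructed stand-in (a 64-bit LCG), and two constructed failure modes are included: a stuck-at-zero source, and a 0101... pattern that passes monobit but is caught by the poker test. The names `fips_monobit`, `fips_poker`, `fips_longrun`, `lcg_sample` and `fips_demo` are mine.

```c
#include <stdint.h>

#define FIPS_BITS 20000          /* FIPS 140-1 tests one 20,000-bit sample */

/* Bit i (MSB first) of a packed bit buffer. */
static int bit_at(const uint8_t *buf, int i) {
    return (buf[i >> 3] >> (7 - (i & 7))) & 1;
}

/* Monobit test: the number of ones must satisfy 9654 < X < 10346. */
int fips_monobit(const uint8_t *buf) {
    int i, ones = 0;
    for (i = 0; i < FIPS_BITS; ++i) ones += bit_at(buf, i);
    return ones > 9654 && ones < 10346;
}

/* Poker test: split into 5000 4-bit values, f[v] = occurrences of v,
   X = (16/5000) * sum f[v]^2 - 5000, pass if 1.03 < X < 57.4. */
int fips_poker(const uint8_t *buf) {
    long f[16] = {0}, sum = 0;
    double x;
    int i;
    for (i = 0; i < FIPS_BITS / 4; ++i) {
        int nib = (i & 1) ? (buf[i >> 1] & 0x0f) : (buf[i >> 1] >> 4);
        f[nib]++;
    }
    for (i = 0; i < 16; ++i) sum += f[i] * f[i];
    x = 16.0 * (double)sum / 5000.0 - 5000.0;
    return x > 1.03 && x < 57.4;
}

/* Long-run test: fail on any run of 34 or more identical bits. */
int fips_longrun(const uint8_t *buf) {
    int i, run = 1, prev = bit_at(buf, 0);
    for (i = 1; i < FIPS_BITS; ++i) {
        int b = bit_at(buf, i);
        if (b == prev) { if (++run >= 34) return 0; }
        else { run = 1; prev = b; }
    }
    return 1;
}

int fips_all(const uint8_t *buf) {
    return fips_monobit(buf) && fips_poker(buf) && fips_longrun(buf);
}

/* Stand-in source under test: top byte of a 64-bit LCG (MMIX constants).
   A placeholder for the RNG being checked, not a cryptographic generator. */
void lcg_sample(uint8_t *buf, uint64_t seed) {
    int i;
    for (i = 0; i < FIPS_BITS / 8; ++i) {
        seed = seed * 6364136223846793005ULL + 1442695040888963407ULL;
        buf[i] = (uint8_t)(seed >> 56);
    }
}

/* Constructed failure modes. */
void stuck_sample(uint8_t *buf)       { int i; for (i = 0; i < FIPS_BITS / 8; ++i) buf[i] = 0x00; }
void alternating_sample(uint8_t *buf) { int i; for (i = 0; i < FIPS_BITS / 8; ++i) buf[i] = 0x55; }

/* Bit mask of outcomes: 1 = LCG sample passes all three tests,
   2 = stuck source is rejected, 4 = 0101... passes monobit but fails poker. */
int fips_demo(void) {
    static uint8_t buf[FIPS_BITS / 8];
    int r = 0;
    lcg_sample(buf, 0x9e3779b97f4a7c15ULL);   /* constructed seed */
    if (fips_all(buf)) r |= 1;
    stuck_sample(buf);
    if (!fips_all(buf)) r |= 2;
    alternating_sample(buf);
    if (fips_monobit(buf) && !fips_poker(buf)) r |= 4;
    return r;
}
```

The 0101... case is the reason the tests are run as a set: a stuck or periodic source can have a perfectly balanced bit count, so a monobit check alone says nothing about a failed generator.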
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Another poorman's cipher
Date: Fri, 19 Jan 2001 15:54:12 +0100
Speed of processing is commonly of essential importance in
computations, whether crypto or not. However, in special
situations, where sophisticated algorithms are for some reason
not available, one might be willing to accept low speed, if the
implementation is simple enough. The following are some rough
ideas for a simple encryption scheme, intended to solicit
your critiques and comments.
Using a PRNG, one can generate a polyalphabetical substitution
table for bytes and then use the output of the PRNG as key
stream to select the columns of the table to encrypt the
plaintext bytes in the well-known manner. For better
performance, the number of columns of the substitution table
can be chosen to be sufficiently large, if the key stream is
adapted to suit. But this would require correspondingly larger
storage space for the table, which may not be desirable. This
leads us to consider the other extreme, namely using only one
single column, whose content is dynamically generated (with
the algorithm of Durstenfeld) for each byte of the plaintext
to be processed. This is of course much slower, since it
consumes more output from the PRNG but on the other hand is
apparently also more difficult to attack for the opponent.
Those who worry nonetheless very much about the
predictability of PRNGs in general could consider using
two PRNGs (or one PRNG seeded by different values), i.e.
doing the pseudo-random permutation twice for generating the
substitution column, in analogy with double shuffling in
card games -- this point is also mentioned in a recent post
of Terry Ritter on a transposition only scheme. (Note that
ours is a substitution only scheme.)
It remains to consider generation of pseudo-random number
sequences to use for different sessions/messages. A simple
scheme using a shared master key is as follows: Use the master
key as seed to generate a set of parameters (including seeds)
of a number of PRNGs (e.g. maximal period LCPRNGs), which we
term to be at level 1. Use each PRNG of level 1 to similarly
generate PRNGs of level 2, and so on. Now, with this hierarchy
of PRNGs one could, for example, let level 1 correspond to
year, level 2 correspond to month, etc. to obtain a unique
PRNG for use in a specific session/message.
M. K. Shen
==========================
http://home.t-online.de/home/mok-kong.shen
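An added example, not code from M. K. Shen or from this digest, that realises the proposal above so it can be experimented with: a single substitution column is regenerated with the Durstenfeld shuffle for every plaintext byte, the optional "double shuffle" composes a second PRNG's permutation with the first, decryption inverts the column, and the session PRNG seed is derived through the master -> year -> month hierarchy by taking the index-th output of the parent PRNG. The PRNG is a 64-bit LCG standing in for "a PRNG" (the post's LCPRNG suggestion; it is a toy, no security claim is made for it), and the names `prng_t`, `derive_seed`, `make_column`, `poorman_crypt`, `column_is_bijective` and `poorman_roundtrip_ok` are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Stand-in PRNG: a 64-bit LCG with Knuth's MMIX constants. */
typedef struct { uint64_t s; } prng_t;

static uint32_t prng_next(prng_t *g) {
    g->s = g->s * 6364136223846793005ULL + 1442695040888963407ULL;
    return (uint32_t)(g->s >> 32);
}

/* Hierarchical seeding: the child at position `index` (year, then month, ...)
   is seeded with the index-th 64-bit output of its parent PRNG. */
static uint64_t derive_seed(uint64_t parent_seed, unsigned index) {
    prng_t g = { parent_seed };
    uint64_t hi = 0, lo = 0;
    unsigned i;
    for (i = 0; i <= index; ++i) { hi = prng_next(&g); lo = prng_next(&g); }
    return (hi << 32) | lo;
}

/* One substitution column: Durstenfeld shuffle of 0..255 driven by the PRNG. */
static void make_column(prng_t *g, uint8_t col[256]) {
    int i;
    for (i = 0; i < 256; ++i) col[i] = (uint8_t)i;
    for (i = 255; i > 0; --i) {
        int r = (int)(prng_next(g) % (uint32_t)(i + 1));
        uint8_t t = col[i]; col[i] = col[r]; col[r] = t;
    }
}

/* Encrypt (decrypt = 0) or decrypt (decrypt = 1) n bytes.  A fresh column is
   built for every byte, the "one column, regenerated per byte" extreme of the
   post.  With double_shuffle set, a second PRNG's permutation is composed
   with the first (the card-game double shuffle).  Decryption uses the inverse
   of the same column. */
void poorman_crypt(const uint8_t *in, uint8_t *out, size_t n,
                   uint64_t seed1, uint64_t seed2, int double_shuffle, int decrypt) {
    prng_t g1 = { seed1 }, g2 = { seed2 };
    uint8_t col[256], col2[256], tmp[256];
    size_t k;
    int i;
    for (k = 0; k < n; ++k) {
        make_column(&g1, col);
        if (double_shuffle) {
            make_column(&g2, col2);
            for (i = 0; i < 256; ++i) tmp[i] = col[col2[i]];   /* compose permutations */
            memcpy(col, tmp, 256);
        }
        if (!decrypt) {
            out[k] = col[in[k]];
        } else {
            for (i = 0; i < 256; ++i) tmp[col[i]] = (uint8_t)i;  /* inverse column */
            out[k] = tmp[in[k]];
        }
    }
}

/* Sanity check a practitioner wants on any shuffle: the column is a bijection. */
int column_is_bijective(uint64_t seed) {
    prng_t g = { seed };
    uint8_t col[256];
    int seen[256] = {0}, i;
    make_column(&g, col);
    for (i = 0; i < 256; ++i) { if (seen[col[i]]) return 0; seen[col[i]] = 1; }
    return 1;
}

/* Derive a session seed master -> year -> month, then round-trip a
   constructed message with double shuffling.  Returns 1 on success. */
int poorman_roundtrip_ok(void) {
    static const uint8_t msg[] = "constructed sample plaintext";
    uint8_t ct[sizeof msg], pt[sizeof msg];
    uint64_t master = 0x0123456789abcdefULL;                /* constructed master key */
    uint64_t y = derive_seed(master, 2001 - 2000);           /* level 1: year */
    uint64_t m = derive_seed(y, 1);                          /* level 2: month */
    uint64_t m2 = m ^ 0x5a5a5a5a5a5a5a5aULL;                 /* second PRNG seed */
    poorman_crypt(msg, ct, sizeof msg, m, m2, 1, 0);
    poorman_crypt(ct, pt, sizeof msg, m, m2, 1, 1);
    return memcmp(msg, pt, sizeof msg) == 0;
}
```

The cost the post anticipates is visible in `poorman_crypt`: 255 PRNG outputs (510 with double shuffling) per plaintext byte, against one per byte for the multi-column table, and the whole construction is only as strong as the PRNG that drives it.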
------------------------------
From: kctang <[EMAIL PROTECTED]>
Subject: ___ECC encrypt/decrypt
Date: Fri, 19 Jan 2001 16:04:03 +0800
Dear forum,
Is the elgamal type of encryption/decryption scheme still being used
in ECC standards such as IEEE P1363 or ANSI X9.6x?
If not, why?
What encrypt/decryption schemes is/are being used in IEEE P1363?
What encrypt/decryption schemes is/are being used in ANSI X9.6x?
Would you mind providing a quick summary?
Thanks and bye, kctang
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************