Cryptography-Digest Digest #651, Volume #13       Wed, 7 Feb 01 16:13:01 EST

Contents:
  Re: Disk Overwriting ("N")
  Re: Phillo's alg is faster than index calculus ([EMAIL PROTECTED])
  Re: Phillo's alg is faster than index calculus ([EMAIL PROTECTED])
  Re: relative key strength private vs public key (Mike Rosing)
  Re: Low-tech homemade crypto keycards ("Paul Pires")
  Re: MQV implementation (Mike Rosing)
  Re: Phillo's alg is faster than index calculus (Tom St Denis)
  Re: Rijndael's resistance to known plaintext attack (Splaat23)
  Re: Pseudo Random Number Generator (Bryan Olson)
  Re: Encrypting Predictable Files (Benjamin Goldberg)
  Some basic questions ("Geoff Blair")
  Re: Disk Overwriting (Jim)
  Re: OverWrite freeware completely removes unwanted files from hard drive (Daniel)
  Re: Pseudo Random Number Generator (Benjamin Goldberg)
  Re: relative key strength private vs public key (DJohn37050)
  Re: Phillo's alg is faster than index calculus (Mok-Kong Shen)
  ECDSA certs (Roger Schlafly)

----------------------------------------------------------------------------

From: "N" <[EMAIL PROTECTED]>
Subject: Re: Disk Overwriting
Date: Wed, 7 Feb 2001 17:46:09 -0000
Reply-To: "N" <[EMAIL PROTECTED]>


"Albert P. Belle Isle" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...


...
> Class 3 attacks (such as with magnetic force microscopy), are
> generally considered able to penetrate any software countermeasures,
> including _any_ kind of overwriting. They are very costly techniques
> to use to recover the complete image-as-it-used-to-be of an
> overwritten multi-gigabyte disk, as opposed to a few specifically
> targeted bytes.
...


Hi

Let's suppose I have a 10Gb drive crammed with data, and I overwrite
its contents with a second, third, ... tenth 10Gb set of non-random
data.  Are you saying that this costly technique could be used to
retrieve all 100Gb of old data stored on the drive?  If so, how
faithful is the retrieval as you delve further back through the older
layers of data? (And what is the limiting point of the technique?)

Or, did you just mean to imply that only the most recent layers can be
reliably retrieved? (And, if so, how recent?)

Just wondered.

Thanks

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Phillo's alg is faster than index calculus
Date: Wed, 07 Feb 2001 17:51:33 GMT

Look Bob, every time you "correct" my post with nonsense that *isn't*
even correct definitively and fundamentally. Read that carefully. They
aren't correct definitively and fundamentally.

So what's the point of your post?
To show off that you don't know the fundamentals?
Or to show off that you don't think before you type?



> <snip>
>
> Who was it that said "The education of fools is folly"??
>
> I can see that I am wasting my time with you. I won't
> bother trying to correct your nonsense in the future.
>
> --
> Bob Silverman
> "You can lead a horse's ass to knowledge, but you can't make him think"
>
> Sent via Deja.com
> http://www.deja.com/
>


Sent via Deja.com
http://www.deja.com/

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Phillo's alg is faster than index calculus
Date: Wed, 07 Feb 2001 17:55:57 GMT

It works on this trivial example:

N=101010101010......................0101010101
make N a trillion bits long

Then 2^x=1 mod N, x=a trillion +1

You don't have to do 2^{a trillion} computations.

That's why I find it fascinating.


In article <[EMAIL PROTECTED]>,
  Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>
>
> [EMAIL PROTECTED] wrote:
> >
> [snip]
> > So what do you think?
>
> After you have apparently spent quite a bit of 'thinking',
> I recommend you to do an exercise on a real-life example
> to see how easy or difficult it is to do that computation
> and eventually compare with other methods, instead of
> 'extrapolating' from a toy example through merely a 'thought'
> process. (Don't argue too long about the quality of an
> apple pie, taste it.) Please let us know, after you have
> good success.
>
> M. K. Shen
>


Sent via Deja.com
http://www.deja.com/

------------------------------

From: Mike Rosing <[EMAIL PROTECTED]>
Subject: Re: relative key strength private vs public key
Date: Wed, 07 Feb 2001 12:15:03 -0600

Steve Portly wrote:
> 
> In cryptographic applications a symmetric key is often negotiated and
> passed using a public key method.  There is  often some confusion
> concerning relative strength of RSA public keys and smaller but more
> efficient symmetric keys.  As an example, I remember reading somewhere
> that a 1024 bit RSA key should be treated as having an effective
> strength of an ~80 bit symmetric key.  In the ideal situation where one
> did not have to discount the effects of hash collisions does this
> correspondence continue?  Specifically if we were charged with the task
> of passing a symmetric key for the following key strengths, ideally what
> strength public key should be used?
> 112 bit double DES?
> 168 bit Triple DES?
> 350 bit custom?

This is a non-trivial question because you get different answers based on
different assumptions.  If you scan the net for papers, you'll find different
numbers by more than 50%.  In any case, it's in the many 1000's of bits

On the other hand, for ECC keys it's simple.  Just double the number for the
minimum.

Patience, persistence, truth,
Dr. mike

------------------------------

From: "Paul Pires" <[EMAIL PROTECTED]>
Subject: Re: Low-tech homemade crypto keycards
Date: Wed, 7 Feb 2001 10:22:55 -0800


Steve Portly <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> This is a neat idea for hobbyists but in a practical application given today's
> technology, wouldn't it be a lot more secure to use a very low current induction
> loop that only a TE device could read?  The cost of TE readers would not be
> prohibitively expensive for an ATM application.  Maybe I have just been
> watching too many X-Files episodes lately.

But why change? ATMs work now. This adds no functionality. Why re-deploy new
hardware? A smart card is a neat idea but it is not just an electronic key. It
has different properties and allows for more functionality. There is a reason
to change. Simple electrical keys are a "So what" for me. I could make a key
out of unobtainium. Why? What is the return? Without a doubt you could make a
key like the OP described but a key is only useful if a lock is made that
corresponds to it.

Forget the key, What's so good about the proposed lock? I don't see anything.

Paul

>
> Paul Pires wrote:
>
> > Ray Dillinger <[EMAIL PROTECTED]> wrote in message news:3a5g6.1031$[EMAIL PROTECTED]...
> > >
> > > I've been reading in another thread about the work and worry of
> > > destroying a compromised crypto module, and it occurs to me that
> > > there is a nice way to create a hardware device that physically
> > > embodies a key, and is cheap and durable, simple to make and
> > > simple to destroy.
> >
> > Electricians have had the means to trace the physical routing
> > of circuits in hidden locations for a long time. They pump a RF
> > signal down the wire to make it "sing" and trace it with a localized
> > probe. As was already pointed out, even an Ohm meter can map
> > this thing.
> >
> > The difference between a smart card and a key card is profound.
> > A smart card never reveals its secret, it proves knowledge of the
> > secret by demonstrating what it can do. It's the difference between
> > using a key to open a door in public where all things are controlled
> > by an adversary.
> >
> > They may have put in a dummy lock that analyzes your key and
> > broadcasts it. Any number of weaknesses. They might pick
> > your pocket, copy it and replace it.
> >
> > A smart card is more like walking up to a doorman and proving you have
> > the key without divulging it and putting it at risk but doing it in a way that
> > makes the doorman confident enough to open the door and let you in.
> >
> > How an electric key is an advancement over a mechanical key for
> > impoverished people is beyond me. They have access to brass
> > files and hammers now. They need wire, epoxy and the circuitry
> > to operate the lock? Why? What does this get them for their
> > efforts?
> >
> > Paul
> >
> > >
> > > First, get a small chunk of cardboard, like a playing card.
> > >
> > > Next, use a small punch to create 54 holes in the left side
> > > and 54 holes in the right side. These holes need to be evenly
> > > spaced.
> > >
> > > Now, take 54 wires and strip the insulation off the ends.
> > >
> > > Poke one end of each wire through a randomly selected,
> > > otherwise-unoccupied hole on the left side of the card.
> > > Poke the other end through a randomly selected, otherwise
> > > unoccupied hole on the right side of the card.
> > >
> > > Now put another playing card on top of the tangle of
> > > insulated wires, which places them in the center of a
> > > cardboard sandwich.
> > >
> > > Wrap the exposed ends around the left and right edges of
> > > the cards and trim any excess.
> > >
> > > Now, cast this card-and-wire sandwich in an opaque epoxy
> > > resin, leaving contact points of the wires exposed along
> > > the edges.
> > >
> > > This device represents a mapping of left to right contacts
> > > with about 220 bits of entropy.  It's simple to build a
> > > reader for these devices.  It's simple to destroy them
> > > so that the key cannot be recovered.  And it is possible
> > > to verify visually that they have been destroyed.
> > >
> > > It's not a smart card by any means; in fact, it may be the
> > > dumbest card ever proposed.  But it stores a key nicely,
> > > can be built by hand or with relatively simple tools out
> > > of readily-available parts, and can't be read remotely or
> > > surreptitiously (I think).  With the appropriate picture and
> > > frame, it could look like the sort of locket or religious
> > > medallion that is common in some areas, and it could have
> > > applications in a fair number of third-world countries
> > > where people who need it don't necessarily have access to
> > > chip fabs or lots of money for commercial hardware.
> > >
> > > Variations; the "wire web" card described here  could be
> > > built (with various construction techniques) inside all kinds
> > > of ordinary things, like wallets, purses, knife handles, or
> > > (with some effort) even the teeth of a comb.
> > >
> > > Bear
> >
> > -----= Posted via Newsfeeds.Com, Uncensored Usenet News =-----
> > http://www.newsfeeds.com - The #1 Newsgroup Service in the World!
> > -----==  Over 80,000 Newsgroups - 16 Different Servers! =-----
>

------------------------------

From: Mike Rosing <[EMAIL PROTECTED]>
Subject: Re: MQV implementation
Date: Wed, 07 Feb 2001 12:26:44 -0600

Alexander Schmitt wrote:
> I have to make a test implementation of the Menezes-Qu-Vanstone (MQV)
> algorithm over elliptic curves in the ONB version (IEEE1363). For this I
> have taken the implementation out of M. Rosing's book. But in this book only
> key lengths of smaller than 160 are suggested. Now I need a length of 233
> bits. Are there any sample hints for using this length?
> Are there any optimized versions of the MQV implementation, with less memory
> need and very fast running ;-(?
> 
> Any help to the theme MQV is welcome! Like choose of the curve or the right
> parameters.

Use the NIST 233 curve.  Change out the integer math from the book for a "real"
integer math package.  Use the inversion routine from chapter 11 instead of
from 4.  Those changes should give you an order of magnitude improvement with
no problem.

Menezes and Vanstone both work with Certicom, but I suspect they are kinda too
busy to answer this question :-)

Patience, persistence, truth,
Dr. mike

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Phillo's alg is faster than index calculus
Date: Wed, 07 Feb 2001 18:35:16 GMT

In article <95s1v0$pdj$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] wrote:
> Look Bob, every time you "correct" my post with nonsense that *isn't*
> even correct definitively and fundamentally. Read that carefully. They
> aren't correct definitively and fundamentally.
>
> So what's the point of your post?
> To show off that you don't know the fundamentals?
> Or to show off that you don't think before you type?

Why don't you answer my system?

Tom


Sent via Deja.com
http://www.deja.com/

------------------------------

From: Splaat23 <[EMAIL PROTECTED]>
Subject: Re: Rijndael's resistance to known plaintext attack
Date: Wed, 07 Feb 2001 19:44:44 GMT

Of course! You're absolutely right! No one has taken into consideration
the psychic attacks against these ciphers! ;-)

Of course attackers are going to be creative in their attack methods,
and for all we know the NSA has many attacks against ciphers in
circulation right now. But it's not likely - there are generally
diminishing returns as the money spent goes up and up. The academic
community can't be too far behind the NSA at this point. The movement
for key escrow is evidence enough that it's getting harder and harder to
break civilian ciphers for the government.

And even if the NSA can destroy our ciphers through some top secret
attack, what should we do? We must simply hope and trust that the peer
review of those ciphers we use is comprehensive. A cipher that is
resistant to all known attacks will stand a good chance of holding up
against specific attacks and unknown attacks. If nothing else, it has a
better chance than proprietary or homemade ciphers.

- Andrew

In article <95p4d7$65i$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] wrote:
> In article <[EMAIL PROTECTED]>,
>   Benjamin Goldberg <[EMAIL PROTECTED]> wrote:
> > SCOTT19U.ZIP_GUY wrote:
> > >
> > > [EMAIL PROTECTED] (Joseph Ashwood) wrote:
> > > >
> > > >"Marcin" <[EMAIL PROTECTED]> wrote:
> > > >> Hello,
> > > >> Can someone comment or refer me to the analysis on resistance of
> > > >> Rijndael to known plaintext attacks?
> > > >> Thanks,
> > > >> Marcin Kurzawa
> > > >
> > > >As it stands now, with any even remotely reasonable amount of
> > > >known-plaintext (anything less than the 2^100+ bits) reveals very
> > > >little. I'd expect that for the foreseeable future, as long as you
> > > >don't go above 2^90 bits of text there won't be any reasonable attack
> > > >against Rijndael.
> > > >                            Joe
> > >
> > >    Actually with a few 100 bytes of text it's highly unlikely that
> > > two separate keys could exist for a given plaintext ciphertext
> > > pair. So in theory there most likely is a solution to the problem
> > > with very short amounts of data. The only real questions are
> > > if the solution is well known outside of possibly the NSA.
> > >    It may well be in our lifetimes that no such solution will
> > > be made available to the public. But from an informational point
> > > of view there most likely is a break. If someone can find it.
> >
> > Moron.  Joe was not talking about unicity distance.  He was talking
> > about things like linear or differential analysis, or other forms of
> > analysis which require known/chosen plaintext.
> >
> > If you only have a few blocks (unicity distance) of known plaintext, the
> > only attack you can mount is brute force.  Only someone as mind
> > bogglingly obtuse as yourself would consider doing brute force on a key
> > of 128 or more bits.
> >
>
>   No I would not suggest doing a blind brute force attack on such
> a key. All I'm suggesting is that there may be a form of unknown
> plaintext attack that requires far less plaintext than stated.
> Attackers can be far more creative than you or the previous
> writer give credit. I think you're the moron for failing to take
> that into account.
>
> Sent via Deja.com
> http://www.deja.com/
>


Sent via Deja.com
http://www.deja.com/
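
The unicity-distance point that Goldberg and SCOTT19U are arguing about, as an
added worked example in Python that is not part of any post in this thread. A
toy cipher with a 12-bit key and an 8-bit block is built from SHA-256
(constructed for the example only, with no security value) so that every key
can be enumerated and the number of keys consistent with one, two, three and
four known plaintext blocks counted directly. The same arithmetic scaled to a
128-bit key and 128-bit block gives the 2^-128 expected spurious keys after two
known blocks; the 40-character unicity distance for English assumes the usual
3.2 bits of redundancy per letter.

```python
import hashlib

KEY_BITS = 12     # toy key space of 4096 keys, small enough to enumerate
BLOCK_BITS = 8    # toy block size; Rijndael's is 128

def toy_encrypt(key: int, block: int) -> int:
    """Toy block cipher standing in for 'an independent random function per
    key': the ciphertext byte is the first byte of SHA-256(key || block).
    Constructed for this example only; it has no security value."""
    return hashlib.sha256(key.to_bytes(2, "big") + bytes([block])).digest()[0]

def consistent_keys(pairs):
    """Every key that maps each known plaintext block to its observed
    ciphertext block: the candidate set an information-theoretic (unicity)
    argument leaves, before any structural attack is attempted."""
    return [k for k in range(1 << KEY_BITS)
            if all(toy_encrypt(k, p) == c for p, c in pairs)]

def expected_spurious_keys(key_bits: int, known_plaintext_bits: int) -> float:
    """Expected number of wrong keys that survive the known plaintext under
    the random-function model: a wrong key passes each known block of b bits
    with probability 2**-b, so 2**key_bits * 2**-known_bits survive on average."""
    return 2.0 ** (key_bits - known_plaintext_bits)

def blocks_to_pin_down_key(key_bits: int, block_bits: int) -> int:
    """Smallest number of whole known-plaintext blocks that pushes the
    expected number of spurious keys below one."""
    return key_bits // block_bits + 1

def unicity_distance_chars(key_bits: int, redundancy_bits_per_char: float) -> float:
    """Shannon's unicity distance: the ciphertext length, in characters of
    the plaintext language, beyond which on average only one key remains.
    English letters carry roughly 3.2 bits of redundancy each."""
    return key_bits / redundancy_bits_per_char

def candidate_counts(true_key: int = 0x5A3, plaintext=(0x41, 0x42, 0x43, 0x44)) -> dict:
    """Number of surviving candidate keys after 1, 2, 3 and 4 known blocks
    enciphered under true_key (constructed sample data). With a 12-bit key
    and 8-bit blocks the expected spurious count after n blocks is 2**(12 - 8*n)."""
    pairs = [(p, toy_encrypt(true_key, p)) for p in plaintext]
    return {n: len(consistent_keys(pairs[:n])) for n in range(1, len(pairs) + 1)}

if __name__ == "__main__":
    print("toy candidates per number of known blocks:", candidate_counts())
    print("AES-128, two known blocks, expected spurious keys:",
          expected_spurious_keys(128, 2 * 128))
    print("unicity distance for English with a 128-bit key:",
          unicity_distance_chars(128, 3.2), "characters")
```

A candidate set of size one says nothing about how to find that one key: the
information is present in a couple of blocks of ciphertext, but without a
structural weakness the only generic way to use it is to enumerate the key
space, which is the distinction Goldberg draws.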

------------------------------

From: Bryan Olson <[EMAIL PROTECTED]>
Subject: Re: Pseudo Random Number Generator
Date: Wed, 07 Feb 2001 19:50:36 GMT

Mok-Kong Shen wrote:

> > > > Mok-Kong Shen wrote:
> > >
> > > > > What can be proved is the following:
> > > > >
> > > > > For m non-degenerate independent integer random variables
> > > > > over [0,n-1] their sum mod n approaches a uniform random
> > > > > variable as m increases. If one of the random variables is
> > > > > uniform, then any value of m results in a uniform random
> > > > > variable.
[...]
> > What exactly does your usage of non-degenerate mean?

> A random variable
> over [0, n-1] in general takes on all possible values
> in the range, though some may be with very low frequencies.

So each value must have non-zero probability.  I agree,
that's a theorem.


--Bryan


Sent via Deja.com
http://www.deja.com/

------------------------------

From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: Encrypting Predictable Files
Date: Wed, 07 Feb 2001 20:15:51 GMT

[EMAIL PROTECTED] wrote:
[snip]
>   A good "all or nothing transform" is scott16u or scott19u

Do you have a proof of that? 

> in either
> one a single bit change anywhere in the input file creates totally
> different output files.

This is not the only requirement for AONT.  One of the requirements of
AONT is that if one applies it to two identical files, one usually gets
two different files.  For example, using OAEP as your AONT, two
identical plaintexts will produce two identical transformed texts with
probability 2^-128.

> From front to back so the problem of many
> plaintext messages that contain large portions of repeatable text
> leaking information to an attacker goes away

Is this jumble of words supposed to be a sentence?

-- 
A solution in hand is worth two in the book.
Who cares about birds and bushes?

------------------------------

From: "Geoff Blair" <[EMAIL PROTECTED]>
Subject: Some basic questions
Date: Wed, 07 Feb 2001 20:16:32 GMT

OK. I'm a newbie. With that said I will ask my questions and run for cover in
case I get flamed for asking them in such a respected news group.

    1. Can anyone point me to some source material about the very basics of
cryptography?
    2. I have been programming using several languages for years now and I
was wondering about a code word I keep hearing about but have never seen
explained. What is XOR and what does it do?
    3. What is the average key length for the best security systems online
right now?
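
For the second question, an added Python illustration that is not from any
post in this thread: XOR on bits, the algebra that makes it useful in ciphers
(it is its own inverse), the one-time pad built on it, and the reason a pad
must never be reused. The key and the two messages are constructed sample
values; a real pad would come from os.urandom and be used once.

```python
def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise exclusive-or; both inputs must have the same length."""
    if len(a) != len(b):
        raise ValueError("xor_bytes needs equal-length inputs")
    return bytes(x ^ y for x, y in zip(a, b))

def xor_truth_table() -> dict:
    """XOR of two single bits is 1 exactly when the inputs differ."""
    return {(a, b): a ^ b for a in (0, 1) for b in (0, 1)}

def xor_identities(x: int, k: int) -> bool:
    """The properties ciphers rely on: XOR is self-inverse ((x ^ k) ^ k == x),
    commutative, x ^ x == 0 and x ^ 0 == x."""
    return (x ^ k) ^ k == x and x ^ k == k ^ x and x ^ x == 0 and x ^ 0 == x

def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """One-time pad: XOR the message with a key of the same length. Decryption
    is the identical operation because XOR is its own inverse. This is only
    secure when the key is uniformly random, secret, and never used twice."""
    return xor_bytes(plaintext, key)

otp_decrypt = otp_encrypt   # same operation, by the self-inverse property

def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """Why a pad must not be reused: XOR of two ciphertexts made with the same
    key cancels the key and leaves plaintext1 XOR plaintext2."""
    return xor_bytes(c1, c2)

def recover_other_plaintext(known_plaintext: bytes, c1: bytes, c2: bytes) -> bytes:
    """With one of the two plaintexts known, the other falls out of the leak."""
    return xor_bytes(two_time_pad_leak(c1, c2), known_plaintext)

# Constructed sample data for the example (a fixed key, for reproducibility).
KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
P1 = b"attack at dawn!!"
P2 = b"retreat at dusk!"

if __name__ == "__main__":
    c1, c2 = otp_encrypt(P1, KEY), otp_encrypt(P2, KEY)
    print("truth table:", xor_truth_table())
    print("decrypts back:", otp_decrypt(c1, KEY) == P1)
    print("pad reused, second message recovered:", recover_other_plaintext(P1, c1, c2))
```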



------------------------------

From: [EMAIL PROTECTED] (Jim)
Subject: Re: Disk Overwriting
Reply-To: Jim
Date: Wed, 07 Feb 2001 20:19:57 GMT

On Wed, 7 Feb 2001 17:46:09 -0000, "N" <[EMAIL PROTECTED]> wrote:

>
>"Albert P. Belle Isle" <[EMAIL PROTECTED]> wrote in message
>news:[EMAIL PROTECTED]...
>
>
>...
>> Class 3 attacks (such as with magnetic force microscopy), are
>> generally considered able to penetrate any software countermeasures,
>> including _any_ kind of overwriting. They are very costly techniques
>> to use to recover the complete image-as-it-used-to-be of an
>> overwritten multi-gigabyte disk, as opposed to a few specifically
>> targeted bytes.
>...
>
>
>Hi
>
>Let's suppose I have a 10Gb drive crammed with data, and I overwrite
>its contents with a second, third, ... tenth 10Gb set of non-random
>data.  Are you saying that this costly technique could be used to
>retrieve all 100Gb of old data stored on the drive?  If so, how
>faithful is the retrieval as you delve further back through the older
>layers of data? (And what is the limiting point of the technique?)
>
>Or, did you just mean to imply that only the most recent layers can be
>reliably retrieved? (And, if so, how recent?)
>
>Just wondered.

Have a look at:

http://www.cs.auckland.ac.nz/~pgut001   (That's zero zero one)

Paper 'Secure Deletion of Data from Magnetic & Solid State
       Memory', by Peter Gutmann.

-- 
___________________________________________

Posted by Jim Dunnett
dynastic at cwcom.net
nordland at lineone.net
   
  'We have to control the number of people
   travelling' -- GNER spokesman.    
__________________________________________
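
As an added Python example, not from Gutmann's paper and not from any post in
this thread: a minimal multi-pass in-place overwrite of a single file, with
each pass forced to the device by fsync and a read-back of the final fixed
pattern. The pass list is a constructed choice, and the docstring carries the
practical caveat that matters more than the number of passes: this reaches only
the blocks the filesystem currently maps to the file.

```python
import os
import tempfile

# One pass per entry: a fixed byte pattern, or None for bytes from os.urandom.
DEFAULT_PASSES = (b"\x00", b"\xff", None)

def overwrite_file(path: str, passes=DEFAULT_PASSES, chunk: int = 1 << 16) -> int:
    """Overwrite every byte of an existing file in place, one pass per pattern,
    pushing each pass to the storage device with fsync before the next starts.
    Returns the number of passes written.

    This touches only the blocks the filesystem currently maps to the file.
    Sectors the drive has remapped, copies left by a journaling or
    copy-on-write filesystem, snapshots, swap and editor backups are untouched,
    and flash wear-levelling may send each pass to a fresh physical block."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in passes:
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                f.write(os.urandom(n) if pattern is None else pattern * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return len(passes)

def file_is_all(path: str, byte: bytes) -> bool:
    """Read-back check that the file now holds nothing but the given byte."""
    with open(path, "rb") as f:
        data = f.read()
    return len(data) > 0 and data == byte * len(data)

def demo(passes=(b"\x00", None, b"\xaa")) -> bool:
    """Create a temporary file with constructed 'secret' content, overwrite it,
    confirm the size is unchanged and the last fixed pattern reads back, then
    unlink it. Returns True when every check passed."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, b"very secret text\n" * 4096)
        os.close(fd)
        size_before = os.path.getsize(path)
        passes_done = overwrite_file(path, passes)
        return (passes_done == len(passes)
                and os.path.getsize(path) == size_before
                and file_is_all(path, passes[-1]))
    finally:
        os.remove(path)

if __name__ == "__main__":
    print("overwrite and read-back succeeded:", demo())
```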

------------------------------

From: [EMAIL PROTECTED] (Daniel)
Crossposted-To: talk.politics.crypto,alt.hacker,alt.conspiracy
Subject: Re: OverWrite freeware completely removes unwanted files from hard drive
Date: Wed, 07 Feb 2001 20:31:56 GMT

On Tue, 06 Feb 2001 22:01:26 -0800, Anthony Stephen Szopa
<[EMAIL PROTECTED]> wrote:


>
>Why don't you reprint the pertinent passages?

?


------------------------------

From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: Pseudo Random Number Generator
Date: Wed, 07 Feb 2001 20:32:28 GMT

Bryan Olson wrote:
> 
> Mok-Kong Shen wrote:
> 
> > > > > Mok-Kong Shen wrote:
> > > >
> > > > > > What can be proved is the following:
> > > > > >
> > > > > > For m non-degenerate independent integer random variables
> > > > > > over [0,n-1] their sum mod n approaches a uniform random
> > > > > > variable as m increases. If one of the random variables is
> > > > > > uniform, then any value of m results in a uniform random
> > > > > > variable.
> [...]
> > > What exactly does your usage of non-degenerate mean?
> 
> > A random variable
> > over [0, n-1] in general takes on all possible values
> > in the range, though some may be with very low frequencies.
> 
> So each value must have non-zero probability.  I agree,
> that's a theorem.

I would define it slightly differently... There must be at least two
values with non-zero probability, and the GCD of all values and n must
be one.

With this set of requirements, each stream added increases the number of
possible values until all n values have nonzero probability.

An example of something which would be degenerate under my definition:
n=48, and all multiples of 7 are equiprobable (and all others
impossible).  No matter how many streams of this type are added together
(mod 47), the result is a multiple of 7.

OTOH, consider n=49, and all NON-multiples of 7 are equiprobable (and
all multiples of 7 impossible).  After adding two streams of this type
together (mod 49), all 49 values are possible (though not equiprobable).
Adding more streams of this type together brings the values of the
result closer to equiprobable.

-- 
A solution in hand is worth two in the book.
Who cares about birds and bushes?
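
The convergence claim and the degenerate case, carried out exactly as an added
Python example that is not from either post. The distribution of the sum mod n
of m independent copies of a variable is computed by exact convolution with
fractions, the support after each step is inspected, and the total-variation
distance from uniform is tracked. The non-degeneracy test coded here is the
subgroup-coset form, the gcd of n with the differences between support
values, which also rejects a support such as {1, 3} mod 8 whose sums alternate
between odd-only and even-only and never fill the range. n = 49 with the
non-multiples of 7 is Goldberg's second example; the multiples of 7 mod 49 are
a stuck case.

```python
from fractions import Fraction
from math import gcd

def dist_on(support, n):
    """Uniform distribution over `support`, as a list of n exact probabilities."""
    p = Fraction(1, len(support))
    return [p if v in support else Fraction(0) for v in range(n)]

def add_mod_n(da, db, n):
    """Distribution of (A + B) mod n for independent A, B: exact convolution."""
    out = [Fraction(0)] * n
    for a, pa in enumerate(da):
        if pa:
            for b, pb in enumerate(db):
                if pb:
                    out[(a + b) % n] += pa * pb
    return out

def sum_of_streams(dist, n, m):
    """Distribution of the sum mod n of m independent copies of `dist`."""
    acc = dist
    for _ in range(m - 1):
        acc = add_mod_n(acc, dist, n)
    return acc

def support_of(dist):
    """Set of values with non-zero probability."""
    return {v for v, p in enumerate(dist) if p}

def tv_distance_from_uniform(dist, n):
    """Total-variation distance to the uniform distribution on [0, n-1]."""
    u = Fraction(1, n)
    return sum(abs(p - u) for p in dist) / 2

def is_nondegenerate(support, n):
    """True unless the support lies inside a coset of a proper subgroup of
    Z_n, i.e. unless gcd(n, differences between support values) > 1. A single
    value (all differences zero) is degenerate for n > 1."""
    vals = sorted(support)
    g = n
    for v in vals:
        g = gcd(g, v - vals[0])
    return g == 1

NON_MULT7 = {v for v in range(49) if v % 7}        # 42 values, fills Z_49 after 2 adds
MULT7 = {v for v in range(49) if v % 7 == 0}       # stuck inside the subgroup 7*Z_49

if __name__ == "__main__":
    d = dist_on(NON_MULT7, 49)
    for m in (1, 2, 3):
        s = sum_of_streams(d, 49, m)
        print(m, "stream(s): support size", len(support_of(s)),
              "TV distance", tv_distance_from_uniform(s, 49))
    print("multiples of 7 non-degenerate?", is_nondegenerate(MULT7, 49))
```

The distance shrinks by a factor of six per added stream in the non-multiples
case because, within each residue class mod 7, the sum is already uniform after
one step; only the class mass still has to even out.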

------------------------------

From: [EMAIL PROTECTED] (DJohn37050)
Date: 07 Feb 2001 20:32:33 GMT
Subject: Re: relative key strength private vs public key

NIST in DSA-2 said that 1024 DSA keys are appropriate for 80 bit symmetric
keys, 2048 DSA keys are appropriate for 112-bit TDES keys (TDES is considered
to have an effective strength of 112 bits due to a meet in the middle attack).
3072 DSA keys for 128 bit AES low keys.  Up to 15760 DSA keys for 256 bit AES
keys.  DSA is considered to be slightly stronger than the same size RSA key, so
the DSA key size can be used as an estimate for RSA.  Note this is a TIME
comparison.
Don Johnson

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Phillo's alg is faster than index calculus
Date: Wed, 07 Feb 2001 22:01:01 +0100



[EMAIL PROTECTED] wrote:
> 
> It works on this trivial example:
> 
> N=101010101010......................0101010101
> make N a trillion bits long
> 
> Then 2^x=1 mod N, x=a trillion +1
> 
> You don't have to do 2^{a trillion} computations.
> 
> That's why I find it fascinating.

I am sure that you are familiar with the general concept
of general cases vs. special cases (not only in math but
also in many other disciplines). A certain class of math
problems may be very difficult to solve, while some special
instances of it may be trivial. In certain contexts, one
may not necessarily care for the worst case, but the average 
case must normally always be addressed. To make an analogy 
with your example, consider the inversion of a (non-singular) 
n*n matrix. The cost of computation in general increases 
exponentially with n. But if I have a diagonal matrix 
with all 1's on the diagonal, then I can give the inverse
matrix to you for arbitrarily large n in zero time. Do you 
see my point?

M. K. Shen
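
The arithmetic behind the trivial example, and M. K. Shen's special-case point,
as an added Python example that is not from either post. N = 1010...0101 with
an odd number of bits is (4^k - 1)/3, so 3N = 2^(bits+1) - 1 and the exponent x
= bits + 1 with 2^x = 1 mod N follows from the shape of N, not from any search.
A brute-force order routine confirms that bits + 1 is in fact the smallest such
exponent in small cases, and a check over random odd moduli of the same size
shows that an unstructured N has no such property (the seed is an arbitrary
constant chosen for reproducibility).

```python
import random

def alternating_modulus(bits: int) -> int:
    """N = 1010...0101 in binary, `bits` digits long. bits must be odd so the
    pattern starts and ends with 1. Closed form: N = (4**k - 1) // 3 with
    k = (bits + 1) // 2, since 1 + 4 + 16 + ... + 4**(k-1) is a geometric sum."""
    if bits < 1 or bits % 2 == 0:
        raise ValueError("bits must be odd and positive")
    k = (bits + 1) // 2
    return (4 ** k - 1) // 3

def two_to_bits_plus_one_is_one(bits: int) -> bool:
    """3N = 4**k - 1 = 2**(bits+1) - 1, hence 2**(bits+1) == 1 (mod N): one
    modular exponentiation of O(bits) squarings, with no search at all."""
    n = alternating_modulus(bits)
    return pow(2, bits + 1, n) == 1

def multiplicative_order(a: int, n: int) -> int:
    """Brute-force order of a modulo n: the smallest x > 0 with a**x == 1 (mod n).
    Exponential in the size of n; for small moduli only."""
    x, value = 1, a % n
    while value != 1:
        value = (value * a) % n
        x += 1
    return x

def random_moduli_hit_rate(bits: int, trials: int, seed: int = 1) -> float:
    """Fraction of random odd `bits`-bit moduli N for which 2**(bits+1) == 1
    (mod N). For a structured N this is always true; for a random N it
    would require N to divide 2**(bits+1) - 1."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # exactly `bits` bits, odd
        if pow(2, bits + 1, n) == 1:
            hits += 1
    return hits / trials

if __name__ == "__main__":
    print("N(11 bits) =", bin(alternating_modulus(11)),
          "order of 2 =", multiplicative_order(2, alternating_modulus(11)))
    print("2^1002 == 1 mod N(1001 bits):", two_to_bits_plus_one_is_one(1001))
    print("hit rate over random 63-bit odd moduli:", random_moduli_hit_rate(63, 200))
```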

------------------------------

From: Roger Schlafly <[EMAIL PROTECTED]>
Subject: ECDSA certs
Date: Wed, 07 Feb 2001 13:04:46 -0800

Is there anyone who is actually using ECDSA certificates?
People talk about using ECDSA, but I couldn't find any
actual certificates on the net. Can anyone point me to
some X9.62 ECDSA certificates?

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
