Cryptography-Digest Digest #953, Volume #13 Tue, 20 Mar 01 15:13:01 EST
Contents:
Re: My cypher system ("bookburn")
Re: NSA in the news on CNN ("Douglas A. Gwyn")
Re: Signing/Not signing posts ("Joseph Ashwood")
Re: Codes that use *numbers* for keys ("Joseph Ashwood")
Re: A future supercomputer (DJohn37050)
Re: Is SHA-1 Broken? (Jim Steuert)
Re: Cipher Idea #1 Block Cipher 512-bit block, arbitrary keysize (long) (Terry
Ritter)
Re: Is SHA-1 Broken? (David Wagner)
looking for "Crowds" ("thomas kuehne")
RC5 hardware performance data (Adam Elbirt)
Re: Defining a cryptosystem as "broken" (Mok-Kong Shen)
Re: What do we mean when we say a cipher is broken? (wtshaw)
Re: What the Hell...Here's what my system can do at it's best... (wtshaw)
Re: What the Hell...Here's what my system can do at it's best... (wtshaw)
Re: Signing/Not signing posts (Darren New)
Re: Fast and Easy crypt send (amateur)
----------------------------------------------------------------------------
From: "bookburn" <[EMAIL PROTECTED]>
Subject: Re: My cypher system
Date: Tue, 20 Mar 2001 10:09:04 -0800
"Deano" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> How does this scheme help in the real world with sender
non-repudiation
> and message integrity ?
I aimed for private, discrete, fast encryption-decryption, not to help
the real world, primarilly. I'm not sure non-repudiation or integrity
were design requirements.
> bookburn wrote:
> >
> > "Mok-Kong Shen" <[EMAIL PROTECTED]> wrote in message
> > news:[EMAIL PROTECTED]...
> > >
> > >
> > > bookburn wrote:
> > > >
> > > > This is a "what if" by a mere bumbler who looked at an
> > encyclopedia
> > > > article, so I expect to be shot down.
> > > >
> > > > My cipher system is basically a simple three-layered process
> > using: 1)
> > > > clear text; 2) use of a published text, like a page of a daily
> > > > newspaper, which is chosen by a formula based on something
> > variable
> > > > like time and temperature of alternating cities on certain
days,
> > with
> > > > identification of letters of the alphabet by numbered spaces
in
> > the
> > > > text; 3) random use of the numbered spaces identifying letters
of
> > the
> > > > alphabet, blank spaces, and punctuation, producing a long
list of
> > > > single numbers in bytes (spaces before and after set off
numbers)
> > ; 4)
> > > > use of a mask to select only words in the clear text that are
the
> > > > message; 5) in addition, a key list of coded terms could be
used
> > to
> > > > refer to some things.
> > > >
> > > > I'm basically thinking my system could be set up with computer
> > > > programs at each end so that the long list of numbers can be
> > instantly
> > > > converted with the use of the same key text.
> > > >
> > > > Is this a workable cipher system? How could you ever break
it?
> > > > bookburn
> > >
> > > Point (2) of using some contrived (uncommon, hence difficult
> > > to guess) scheme to identify a piece of publically available
> > > text for the purpose of deriving a shared secret is known.
> > > How secure that is, is difficult to say in my view. (I would
> > > vaguely say 'it depends'.) Points (3-5) are unclear to me.
> > > Perhaps you could provide a tiny example to illustrate your
> > > scheme.
> >
> > Sorry if my parameters are unclear. I wanted to describe three
phases:
> > substitution, masking, and encoding with key terms. But the
> > substitution part is really the guts of it.
> >
> > I assume transmission between two computers, A-B, using the
Internet.
> > Clear text of message is composed, then a text from some common
> > source is used by A for substitution, such as a page of a
periodical
> > available on the internet. Every space location on the page is
> > numbered by computer, resulting in numbers for all the alphabet,
blank
> > spaces, and punctuation marks. The computer program then randomly
> > selects numbers on the page that go with the letters in the
message,
> > resulting in a long list of single digits in binary code. This
long
> > list of numbers then is sent by e-mail to B, who uses the same
> > computer program and common source text to translate the random
> > numbers on the page back to alphabet. Spaces between words are
just
> > numbers indicating emplty spaces on the text page.
> >
> > That's basically it, just substituting numbers representing
location
> > on a page for the letters on that page, except that more program
> > filters could be added to permute the numbers, null words could be
> > woven into the product and be filtered out, etc. I assume that
the
> > weak point would be in identifying the text source of the
> > substitution, but it seems like it would take a lot of mainframe
> > computers and data bases including all the possible sources to do
it.
> > bookburn.
> >
> > >
> > > I my humble view answering questions like your last one is
> > > in general difficult. For breaking a given cipher (that
> > > is susceptible to be broken by the current state of
> > > knowledge) may often require much thoughts/intuitions and
> > > experimentations/work/time. Thus it is always easy to put
> > > up a challenge but hard to take it up. If nobody answers
> > > that question of yours, it doesn't follow at all that your
> > > cipher is strong. An analogy: In mathematics it is easy to
> > > put up problems that are hard to get worked out. Some may
> > > need much work to be solved, others may be not solvable
> > > but the non-solvability is rather difficult to prove (e.g.
> > > the trisection of an angle). But this is all opionions of
> > > a humble non-expert like me. I don't exclude that some
> > > experts would at once give a very easy break of your scheme
> > > or prove the opposite.
> > >
> > > M. K. Shen
> > > ---------------------------
> > > http://home.t-online.de/home/mok-kong.shen
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: NSA in the news on CNN
Date: Tue, 20 Mar 2001 18:54:27 GMT
Mxsmanic wrote:
> CNN has a special series on the NSA (how times change!) this week, which
> may generate some interest in PGP, as I presume they'll eventually get
> around to mentioning the program. They are supposed to talk about
> encryption in days to come, but I don't know to what extent. The series
> even shows pictures from inside the NSA! Those people at Fort Meade
> must be getting desperate for funding, or something!
There have been TV news specials on NSA before. Some of them are
even available on videotape in the nonfiction section of video stores.
Presumably the motivation is to help offset the Hollywood misconception
that is the only idea most people have of the Agency, to reduce future
political and funding problems.
Also don't forget the National Cryptologic Museum.
------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Signing/Not signing posts
Date: Tue, 20 Mar 2001 11:05:24 -0800
"Deano" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> 1) No signatures - i.e. No comfort that a particular post is fromany
> particular person. Ever.
> (Not good for reader, and not good for poster)
Actually Good for readers, and good for posters. Readers don't have to
bother filtering out the PGP (or S/MIME or XML Sig, or ..........) data,
there is no extra overhead on the phone lines that many people use, and they
don't have to wait through the significant compute time needed to verify a
signature. It's good for the poster because there are many people here who
use pseudo-nyms specifically to avoid directly linking themselves to their
posts (amateur is one example). Additionally I would appreciate the ability
to plausibly deny that I posted something, I don't anticipate the need to
use it but it is a possibility none the less.
>
> 1) Any signature - <100% Comfort in knowing that a particular poster is
> always the same person, but we don't necessarily know who.
> (Good for reader to an extent, and good for poster as he knows he
> will be rcongised by his persona)
Bad for reader, reader has to filter through all the worthless signatures
just to ignore them, Bad for poster because a simple scan of his computer
will link him permanently to those posts.
>
> 2) Trusted Singature - 100%'ish certain knowledge of WHO we are dealing
> with. Every time.
> (Good for readers, not good for privacy concerns of poster)
Horrendously bad for readers, now they have to deal with every fool in the
place signing every post they made. Horrendously bad for the poster who can
now be linked completely with their posts without even having to be
subjected to a search.
> Have I missed any options ?
You missed:
3) Sign only posts that need strong linking of identity to be understood
Good for reader, only has to drag through signatures on posts that require
signatures. Good for posters, they can't be reasonably linked to their
posts.
Joe
------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Codes that use *numbers* for keys
Date: Tue, 20 Mar 2001 11:14:17 -0800
<glances at PGP>
Lets see here.
upset concurrent waffle handiwork
bluebird forever adult yesteryear
jawbone rebellion stormy holiness
rematch consensus payday Norwegian
fallout antenna topmost unicorn
Nope no strange letter/word combinations, and the only other needed
information is the name. So what is it that you are talking about?
By the way I don't like decimal when it comes to computers, it takes too *%$
long to parse in.
Joe
"Juuichiketajin" <[EMAIL PROTECTED]> wrote in message
news:996l6l$rdd$[EMAIL PROTECTED]...
> Several months ago, I saw on the Web some sort of code called Manticore.
> I am not 10% sure, but I think it used a PGP-like algorithm. But what I
> like about it more than PGP is that it uses actual *numeric* *numbers*
> for code keys, not weird number / letter / whatever combinations that
> can't be pronounced. Even hiragana would be an improvement, as long as
> they left out Wo and N. (I got this idea from a video game that has
> kana passwords.) You can read off a string of digits or kana, not
> alphabet soup. And if you use digits, they should probably be decimal
> digits. And octal is OK; all octal digits are also decimal. Just mark it
> as octal.
> Do you know where I can find Manticore, or some code that uses numeric
> numbers for keys?
> Why are key lengths always given in bits? Why not a code that takes, oh
> say, 60 decimal digits for a key? I can relate to 60 digits, not to so
> many bits.
>
------------------------------
From: [EMAIL PROTECTED] (DJohn37050)
Date: 20 Mar 2001 19:40:53 GMT
Subject: Re: A future supercomputer
Duh, that was what I meant, a petaflop computer. Massive.
Don Johnson
------------------------------
From: Jim Steuert <[EMAIL PROTECTED]>
Subject: Re: Is SHA-1 Broken?
Date: Tue, 20 Mar 2001 15:08:13 -0500
I just realized what you are getting at. In general, multiplication mod
2^w
is not bijective (or a multi-permutation) because 0 is included.
But if you read further in my post you'll note that I encoded zero as 1
and made it mod 65537 just to make sure that it was a multipermutation.
David Wagner wrote:
> Jim Steuert wrote:
> >The problem is that SHA-1 doesn't have a multiplication in its step.
>
> Multiplications are not bijective (they lose information)
> and are slow. Are you sure this is the best way to spend
> our CPU budget? Is 1 multiply better than N rounds of SHA-1?
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Cipher Idea #1 Block Cipher 512-bit block, arbitrary keysize (long)
Date: Tue, 20 Mar 2001 19:43:57 GMT
On Tue, 20 Mar 2001 13:00:47 GMT, in
<[EMAIL PROTECTED]>, in sci.crypt Benjamin Goldberg
<[EMAIL PROTECTED]> wrote:
>In some of your ciphers you have an operation of the form: for each of
>the N bytes of the block, substitute the byte through a different sbox,
>where there are N sboxes and each sbox is made by shuffling a 256
>element array.
>
>In a conventional cipher, you would have, each of the N bytes gets one
>byte of keyschedule added, and is then substituted through fixed sbox,
>and repeat the add-substitute step a few times.
So which is stronger?
Unless and until we get some provable theoretical or experimental
results on structural strength, it will be necessary for a cipher
designer to form an opinion. In my opinion, the re-use of a table in
the same computation is generally unwise. (An exception might be made
to limit the number of tables in dynamically variable-length designs,
where any number of tables could be exhausted by a huge block.)
Now, what are the consequences of implementing that opinion?
The amounts of RAM we are talking about (1/4 kB/table) are essentially
meaningless on any modern machine. Smart cards are another story, but
their RAM is surprisingly small and for some reason apparently not
increasing with technological advance. Maybe the smart card makers
are satisfied that ciphers which use little RAM are all that society
needs. In other words, the cards may be built with particular types
of cipher in mind, thus making it rather unsurprising to find that
structurally different ciphers are not a good fit.
It is true that if one has many tables, the tables must be
initialized, and that does take some time. Some years ago I think
this was taking me about a millisecond per table, and 256 tables would
be a quarter of a second (probably much less now). But that is also
how we can hide the key, behind an apparently one-way shuffling
process. We can compare our belief in this strength to that of an
essentially algebraic or shifting key schedule. In other words, this
particular pain has a strength reward.
Caching is another effect. But if the caches cannot hold all the
tables I want to use for strength in a cipher whose whole purpose is
strength, it is the fault of the cache for being too small, not my
fault for using too many tables. We don't have a formula to show how
close one is getting to the edge of insecurity. Absent such
knowledge, I try to err in the opposite direction, and that may have
performance consequences which I am willing to pay.
Ciphering inherently involves trading computation for strength. The
issue is "how much strength is worth buying," and we simply do not
have the knowledge to answer that. My opinion is that an opponent
must find it more difficult to deduce the contents of many tables than
just a few. Ideally, we would like the difference to be exponential
in the number of tables, which is the intent of the mixing structure.
The experiments I performed and published to sci.crypt comparing the
Boolean function nonlinearity of keyed tables of a given size against
mixed half-size tables do seem to indicate such a relationship.
Given that we have no science of cipher design, reasoning about the
strength of ciphers which use each table just once per computation
seems likely to be easier and more correct than reasoning about tables
which are re-used in "rounds."
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Is SHA-1 Broken?
Date: 20 Mar 2001 19:47:04 GMT
Reply-To: [EMAIL PROTECTED] (David Wagner)
Jim Steuert wrote:
>Hash or cipher mixers of the Feistel type combine 2 things
>of n-bits each into a single n-bit output: they
>have to lose information. All hash mixers lose information,
>whether they are xors, or whatever. I don't see your point there.
You're right. I was wrong.
>As for speed, the mod 65537 multiply can be done very efficiently
>even using the MMX multiplies. Percentage-wise, I don't think it
>is a fraction of the current SHA-1 step cost. Even normal Pentium II
>or AMD integer multiplies can provide 1 cycle throughput (with a latency
>of 4 cycles which can be used in other step operations).
What is the cost of moving values from ALU registers to MMX registers?
Is it noticeable?
------------------------------
From: "thomas kuehne" <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: looking for "Crowds"
Date: Tue, 20 Mar 2001 19:40:25 -0000
Reply-To: "thomas kuehne" <[EMAIL PROTECTED]>
=====BEGIN PGP SIGNED MESSAGE=====
Hash: SHA1
[english version below]
In dem im Juni 1999 von Eric Goldstein(Human Rights Watch) geschriebenen
Report "The Internet in the Mideast and North Africa" erwähnter eine
Anonymisierungssoftware Namens "Crowds", welche noch in der
Entwicklungsphase stecke. Gibt es dieses Projekt noch? Wenn ja, kann mir
bitte jemand einen Verweis geben? Danke!
("Crowds" ist ein extem schlechtes Stichwort ...)
* * *
Eric Goldstein(Human Rights Watch) worte a report about "The Internet in the
Mideast and North Africa". In this 1999 report he mentions a privacy tool
"Crowds" which was back than under development. Is this project still
existing? If so, please post me some links!
("Crowds" is a extreamly bad keyword ...)
Thomas
=====BEGIN PGP SIGNATURE=====
Comment: For info see http://www.gnupg.org
iEYEARECAAYFAjq3sfUACgkQW6NV6qy/x5iMHACaAvg6TWHEqba7V2fgdscHMXMO
J18AnAnnTprPAJlvZ7oYaTEwunZRlzx5
=Kbdj
=====END PGP SIGNATURE=====
------------------------------
From: Adam Elbirt <[EMAIL PROTECTED]>
Subject: RC5 hardware performance data
Date: Tue, 20 Mar 2001 14:47:23 -0500
Anyone know a good source for hardware performance data for RC5? I'd be
most interested in FPGA implementations but anything would be a help.
Thanks.
Adam
=====================================================================================
Adam Elbirt
Cryptography and Informations Security Laboratory
Electrical and Computer Engineering Department
Worcester Polytechnic Institute
Worcester, Massachusetts
508-831-5840 Phone
508-831-5491 Fax
"Actually intelligence has far less practical use than you would think."
-- Mensa member to Dilbert
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Defining a cryptosystem as "broken"
Date: Tue, 20 Mar 2001 20:50:25 +0100
Joseph Ashwood wrote:
>
> I guess I should have been more particular in my statements. I assumed that
> the threat/attack models would be built to the applications, potentially
> with multiple levels of model, where a secure system has a given model that
> sets requirements, the programs and operating system offer various
> components to this, etc down to whatever arbitrary level is required.
Suppose that one succeeds to do that, i.e. all envisageable
threat/attack models could be selectd for an implementation
of a cipher (to be chosen by parameters input by the
user) -- a matter I, though, seriously doubt --, how sure
is the user in having chosen the right model? For example,
if one model assumes that the opponent has a certain
amount of computing resources but the user doesn't have
exact informations about what opponent has, doesn't the user
have to do some subjective (hence problematical) decisions
in selecting that model?
M. K. Shen
------------------------------
From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: What do we mean when we say a cipher is broken?
Date: Tue, 20 Mar 2001 13:25:35 -0600
In article <[EMAIL PROTECTED]>, John Myre <[EMAIL PROTECTED]> wrote:
>
> Actually what I'd really like is a scheme for describing
> ciphers in a much more comprehensive way. The different
> types of vulnerabilities and the attacks that exploit them
> are not equivalent, and therefore a particular cipher can
> be appropriate in once circumstance and not in another.
> A lattice of evaluations, with "secure" at the top and
> "broken" at the bottom, and other terms based on the types
> and severity of weaknesses, could be defined. A linear
> "strength" scale is just too simplistic, but we still need
> a way to summarize.
OK, fine, it has been a project of mine for some time to work on that
problem. So, I have five methods of appoaching it for any cipher: SSS, a
scale of strength; ADVIL, attack, dumb vulnerabilities, itemized list;
KP%, keyspace purity; BRR, base recursion rate; and, last but not least,
FUCQ, frequent unknown cipher questions.
>
> (I suppose one could say that we will create (and perhaps
> have, already, in AES) a secure, fast, cheap cipher, and
> therefore anything else is pointless. I think that this
> is wrong, because it isn't obvious that such a holy
> grail is even possible. Certainly our current state of
> knowledge is insufficient to prove it one way or another.)
>
> JM
If you make an extensive list of ideal characteristics, you get a better
picture of how any cipher fits the list. But, such a holy grail will not
be what most are anticipating, or they would have found it already.
--
Most [cryptographic] algorithms are based on assumptions which
could turn out to be false. -- Ron Rivest
------------------------------
From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: What the Hell...Here's what my system can do at it's best...
Date: Tue, 20 Mar 2001 13:33:25 -0600
In article <[EMAIL PROTECTED]>, Keill Randor -
([EMAIL PROTECTED]) <[EMAIL PROTECTED]> wrote:
> What my system allows you to do, (at it's best), is turn one peice of
data - (or text), into two or more peices, (neither of which can be proven
to be encrypted), in such a way that is unsolvable - i.e. you need to know
what the original peice of data was in order to get it back - (not
difficult, trust me)....
I found you post interesting, but asking for trust is the redest flag in
the first paragraph. Pehaps this only seems to be a semantic obstacle,
but it the biggest one to deal with in any cryptosystem; first things
first. I hope there is more than that, but I cannot trust that there is,
I can only evalate what I know to be sound logic.
--
Most [cryptographic] algorithms are based on assumptions which
could turn out to be false. -- Ron Rivest
------------------------------
From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: What the Hell...Here's what my system can do at it's best...
Date: Tue, 20 Mar 2001 13:39:25 -0600
In article <[EMAIL PROTECTED]>, Keill Randor -
([EMAIL PROTECTED]) <[EMAIL PROTECTED]> wrote:
> This system obeys my three rules of encryption:
>
> 1) Make the actual solution as convoluted as necessary.
Usually a bad idea. But, simple principles are not the same as extreme
convolutions.
>
> 2) Have more than one viable solution, (preferably any).
This can confuse your respondent unless he is a provable psychic, lots of
luck. It is good however for an analyst to be confused.
>
> 3) Have no way of knowing that it's encrypted in the first place.
Fine, stegnography, or??
>
--
Most [cryptographic] algorithms are based on assumptions which
could turn out to be false. -- Ron Rivest
------------------------------
From: Darren New <[EMAIL PROTECTED]>
Subject: Re: Signing/Not signing posts
Date: Tue, 20 Mar 2001 19:58:37 GMT
SCOTT19U.ZIP_GUY wrote:
> You could make a PGP key in my name and
> sign anything. But who would know that it is not my key.
Which is the reason I'd always heard as the reason for signing all your
posts. If you sign even the trivial posts, then any unsigned post is
plausibly deniable. It also links your key to who you are online (i.e., your
set of opinions) even if it doesn't link your key to you as a person.
--
Darren New / Senior MTS & Free Radical / Invisible Worlds Inc.
San Diego, CA, USA (PST). Cryptokeys on demand.
A million monkeys in a room with a million typewriters
will only yield half a million pregnant monkeys.
------------------------------
From: amateur <[EMAIL PROTECTED]>
Subject: Re: Fast and Easy crypt send
Date: Tue, 20 Mar 2001 15:03:02 -0400
My valid email is [EMAIL PROTECTED]
Thank you for your reference. I did not find it using sci.crypt
archives.
Mok-Kong Shen wrote:
>
> amateur wrote:
> >
> [snip]
> > If you think that crypting bit by random characters has yet been done,
> > so give me a reference. I will be glad to read it.
> [snip]
>
> Use of bit homophones was mentioned in an article of mine
> posted last year. It is NOT that particular/ingenious/novel
> as your words above seem to suggest in the present context.
> Anyway, that idea is NOT new. For your convenience, here
> is once again the reference (already given in a previous
> response to you in one of your threads):
>
> A general substitution scheme with variable-length codes
> (posted to sci.crypt on 10th Oct 2000)
>
> Note that you have in different threads given apparently
> different versions of your 'idea'. Anyway, what I
> described about bit homophones in that article subsumes
> all versions of your bit homophone scheme.
>
> If you have difficulty in getting it from the archives,
> let me know with an e-mail (with valid return address).
>
> M. K. Shen
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************
