Cryptography-Digest Digest #416, Volume #14      Wed, 23 May 01 13:13:01 EDT

Contents:
  Re: Unix file encryptor (Eric Lee Green)
  Re: Generate 256 bit prime numbers from passphrase (jlcooke)
  Re: TC15a analysis (jlcooke)
  Re: People with x86 cpus (please reply) (jlcooke)
  Re: Small (not fast) RIPEMD-160 (jlcooke)
  Re: survey (Tom St Denis)
  Re: survey ("Douglas A. Gwyn")
  Re: survey ("Douglas A. Gwyn")
  Re: Best, Strongest Algorithm ("Douglas A. Gwyn")
  Re: CIA Kryptos last 97 characters ([EMAIL PROTECTED])
  Re: Help with a message ("Douglas A. Gwyn")
  Re: Digital Signature Scheme (Mark Wooding)
  Re: Best, Strongest Algorithm (SCOTT19U.ZIP_GUY)
  Re: OAP-L3:  "The absurd weakness." (Mark Wooding)
  Re: Help with a message (Dave Smith)
  Re: TC15a analysis (Mark Wooding)
  Re: DES ENCRYPTION: 64-bit key (Mark Wooding)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Eric Lee Green)
Subject: Re: Unix file encryptor
Reply-To: [EMAIL PROTECTED]
Date: Wed, 23 May 2001 12:46:13 GMT

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 22 May 2001 18:05:13 -0400, Arik Shelter <[EMAIL PROTECTED]>
 wrote:
>I am looking for a command-line Unix file encryptor that uses 128 bit (or
>higher) encryption. Does anyone know of anything out there besides PGP (too
>much $$$) or GnuPG (not recommended for production environments) ?

Just out of curiosity, why do you say "not recommended for production
environments" about GnuPG? Version 1.0.5 appears to be every bit as ready
for primetime as any piece of software on the planet. Red Hat Software
certainly seems to agree -- every piece of software they release is signed
with GnuPG. 

GnuPG's only big shortcoming is that it is rather slavish about implementing
the PGP interface. If you're looking for a slick little stream (CFB-128)
cipher that's fast and useful within shell scripts, and are going to be
doing your key management somewhere else, me and RandyK's AEScrypt is
useful as sort of a "swiss army knife" Unix tool. aescrypt v0.5 was
ported to virtually every Unix platform on the planet, worked perfectly on
all of them (no big endian or little endian problems), and was a core part
of the BRU-Pro backup product (which used a Python-based key manager -- we
didn't care how fast our public key encryption went, since that was only
used for symmetric key exchange, we just wanted our streams to scream). 
http://aescrypt.sourceforge.net/ gets you there. 


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.5 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7C7AC3DrrK1kMA04RAn7gAKC9+UbT8Ok6KV6pG8z3mULzIXxAIQCcD0Ll
DKkAbcFpp/RvIiagvY9+51U=
=7uJi
-----END PGP SIGNATURE-----

------------------------------

From: jlcooke <[EMAIL PROTECTED]>
Subject: Re: Generate 256 bit prime numbers from passphrase
Date: 23 May 2001 13:39:22 GMT

"4 iterations" probably refers to the strengthening of the primes P and Q
from Pollard P-1 and Williams P+1 attacks.

Basically if P+1 or P-1 have only small factors there are algorithms to
very quickly crack these numbers.  With large RSA keys (>1024) the
probability of a randomly generated P to have a P-1 or P+1 with these
properties is very low so most packages don't bother with "hardening"
their primes.  One iteration would be:

Generate a prime P'.
k = 0;
do {
  P = (P' * k) + 1;   /* candidate whose P-1 is divisible by the large prime P' */
  k++;
} while (!isPrime(P));

Do that 4 times and I think you'll get what you refer to as "4
iterations"

JLC

"Mr. Nice Guy" wrote:
> 
> > You can come up with an algorithm for this pretty easily (hash the
> > passphrase into two 256-bit numbers and search for the closest prime
> > to each of them), but if you want to generate keys from passphrase,
> > RSA probably isn't what you want.  The key generation will be awfully
> > slow, and at 512 bits for the modulus, security won't be so good.
> But I must use RSA. I use passphrase so that users don't have to remember P
> & Q. It is easier to remember a passphrase than P & Q. In this case, using
> passphrase is optional. So how does PGP generate keys from a passphrase?
> 
> Do you know the meaning of this term: "RSA 256 bits, 4 iterations". As far
> as I know from the algorithm, RSA doesn't use iteration.
> 
> Thanks in advance.

------------------------------

From: jlcooke <[EMAIL PROTECTED]>
Subject: Re: TC15a analysis
Date: 23 May 2001 13:44:13 GMT

Tom St Denis wrote:
>         a = ROTL(a, 1);
>         b = ROTL(b, 9);
>         c = ROTL(c, 17);
>         temp = (c*3) + (d*9);
>         a += temp;
>         b -= temp;
>         temp = (a*3) + (b*9);
>         c += temp;
>         d -= temp;
> 
> We see by the second "temp = (a*3) + ..." that the first "temp" will
> evaluate to -6 * temp which loses a bit but at least is not zero.

I'll suggest using a multiply by 2 in GF(2^8) again.  But you've heard
me say this before and are probably getting annoyed, right Tom?  :)

> Also the
> reason I picked 3 and 9 is that on an x86 you can mult by these in a single
> clock cycle.  I believe if I am not mistaken that even Alphas have special
> +- 2^k multipliers upto k=3 don't they?

Yes.  And DSPs have native "scale and accumulate" operations if you're
interested in designing a good embedded cipher.
  a = a + b*c;
  a = a - b*c;

JLC

------------------------------

From: jlcooke <[EMAIL PROTECTED]>
Subject: Re: People with x86 cpus (please reply)
Date: 23 May 2001 13:57:54 GMT

PIII 666 + 2/3.  215 cycles

Also, for Linux.  Your tc15_x86.asm isn't POSIX assembly.  as86 will not
assemble it.

JLC

Tom St Denis wrote:
> 
> I need people with the following cpus to run a program (or alternatively
> build the source which is on my website) to test the speed of my cipher.
> 
> -  Pentium, PPro, PII, PIII
> -  Amd K6, K6-II, K7 (original not T-bird)
> -  Cyrix MII
> 
> The program gives speeds in clock cycles so the clock rate of your cpu is
> irrelevant.  The program was tested with DJGPP but should port easily to
> Linux via GCC.  I need people to run the program in a shell prompt with all
> other stuff closed (or alternatively goto dos completely).  Once you run it
> copy all of the output and email it to me.
> 
> If you can help just download
> 
> http://tomstdenis.home.dhs.org/tc15a_asm.zip
> 
> or the binary
> 
> http://tomstdenis.home.dhs.org/tc15a_spd.exe
> 
> Thanks,
> --
> Tom St Denis
> ---
> http://tomstdenis.home.dhs.org

------------------------------

From: jlcooke <[EMAIL PROTECTED]>
Subject: Re: Small (not fast) RIPEMD-160
Date: 23 May 2001 14:49:52 GMT

I'll write you one for $500.  :)

JLC - picking on the little guys.

Ian Stirling wrote:
> 
> Anyone know of any small C or perl implementation of this?
> 
> I'm looking for something under the 5-10K (compiled) of ones I've found.
> Under 2K would be ideal.
> For computing a password hash, so another cipher isn't an option.
> 
> --
> http://inquisitor.i.am/    |  mailto:[EMAIL PROTECTED] |             Ian Stirling.
> ---------------------------+-------------------------+--------------------------
> "Melchett  : Unhappily Blackadder, the Lord High Executioner is dead
> Blackadder : Oh woe! Murdered of course.
> Melchett   : No, oddly enough no. They usually are but this one just got
>              careless one night and signed his name on the wrong dotted line.
>              They came for him while he slept."                - Blackadder II

------------------------------

From: [EMAIL PROTECTED] (Tom St Denis)
Subject: Re: survey
Date: 23 May 2001 08:01:53 -0700

Pascal Junod <[EMAIL PROTECTED]> wrote in message 
news:<[EMAIL PROTECTED]>...
> On Tue, 22 May 2001, Tom St Denis wrote:
> 
> > > g) Most of us are quite busy and don't have enough time to read carefully
> > > what you write.
> >
> > Which is ironic because I know with 90% certainity that you have downloaded
> > all my papers including MDFC, NA and TC15 ...
> 
> That's right. But there isn't an ounce of irony in my previous sentence. I
> have used the word "carefully". Just have a look at a paper is not at all
> the same thing than reading it and thinking about it and proof every
> sentence, theorem, ...: there is a gap of several hours ! So I keep your papers
> on my laptop in order to have them for my retirement time ;-)

Is that supposed to be a kind way of saying "I don't have time"?

No offense group but it seems you guys have a lot to learn about "Tact"
yourselves.  (Well not all, some people are very kind like Fluhrer,
Rubin, etc...).

BTW I think I figured out why the SAC bias works for four rounds of
TC15 for anyone who has read the paper.

It's because we get 4*1 mod 32 = 4*9 mod 32 = 4.  So after four rounds
both words line up again.  That's not the entire reason but I bet if
the words didn't line up until the eighth rotation (or at all) the SAC
bias would be very weak.

Note that after eight rounds (8*4 mod  32 does equal 8*9 mod 32) the
SAC bias doesn't seem to be strong enough.

Now I know most of you are saying "no Sh#t tom..." but to me that's
new.  I plucked around with the math a bit and whammo something new
popped out.

Now what if some other newbie reads this post and says "Wow if the
rotations are congruent before long there could be a problem".  I
think my posts are not as trivial and useless as most people suggest
(Got some really nasty email feedback).

Tom

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: survey
Date: Wed, 23 May 2001 14:40:24 GMT

Joseph Ashwood wrote:
> ... Explore the boundaries, we know that the middle of the sandbox
> offers some good secure areas, but it's crowded, find something that can
> distinguish your designs from the designs of others. ...

Joseph made some good points.  One class of cryptosystem that has
not been thoroughly explored in the open literature is stream
ciphers that are *not* of the key-generator class.  Some solid
theoretical results there would be publishable, and a good system
along those lines would have many uses.  Not all communications
are block-oriented!

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: survey
Date: Wed, 23 May 2001 14:42:14 GMT

Tom St Denis wrote:
> "Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > Tom St Denis wrote:
> > > Well my design is simple and faster than most other known block ciphers.
> > > Does that count?
> > No.
> > void encrypt(const char *key, char *data) { } // very fast and simple
> And you call me immature?  Wow, you guys have high standards... double
> standards but high none the less.

I was making an important point.  I'm sorry you missed it.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Best, Strongest Algorithm
Date: Wed, 23 May 2001 15:02:52 GMT

Tom St Denis wrote:
> And it's not only "crypto gods" that admire these people.  It's only
> you who is the outsider.  Everyone is invited into the world of modern
> cryptanalysis, you'd rather just sit and wave.

Yeah, Wagner is one of the Good Guys, even if you don't agree with
everything he says or does.  It is important to identify the actual
enemy before engaging in a conflict.

> >    And you believe that Coppersmith has knowledge that MARS was
> > designed against all forms of attack even those that the government
> > says are classified. If he said that and it was true and he had
> > knowledge of it being true. He would be dead by now. They do kill
> > people when the need arises. Oh it might be cancer or a car accident
> > but they do have secrets that they consider worth killing for.
> >    I suspect SKIPJACK was designed weak. Don't forget it was for
> > the clipper chip to be used by all. It would be foolish to allow
> > a secure cipher for it. Just like vanilla RIJNDAEL has to be weak
> > the NSA would be foolish to allow a strong cipher for common people
> > to use.
> On what are you basing these claims?  You wonder why you don't get any
> good feedback Scottu_zip guy?  ...

Yeah, it's important to distinguish between D.Scott's actual good
ideas, of which he has had a few, and his paranoid ravings.

In an extreme national-security emergency, the President can
authorize targeting a specific individual for silencing, but
this is practically never done, especially as after-the-fact
retribution.  There are more benign mechanisms in place to
limit access to deep secrets and to enforce secrecy among
those with access.

Skipjack was intended, among other things, for safeguarding
information within the government.  The only specific known
"weakness" intentionally built in was the key-escrow protocol,
which is not a property of the encryption algorithm itself.

Rijndael wasn't produced nor controlled by NSA at all.

> BTW Scottu_zipguy, the NSA is not out to get you.  I bet they have
> never heard of you except in some jokingly fashion.  There are what
> 300 million us citizens?  Why would the govt care about 1/300million
> of its population?  Randomly that's 2^-28 chance of being picked on.

Now Tom has indulged in some illogical reasoning of his own;
*if* the Agency has a special interest in D.Scott, it wouldn't
be as a randomly chosen citizen, but rather selected on the
basis of special characteristics, to wit his crypto work or
related comments.  Although I see no reason why they should be
worried.

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: CIA Kryptos last 97 characters
Date: Wed, 23 May 2001 15:33:11 GMT

One of the things I thought was interesting is that K is the most frequent
letter, by a pretty good margin. If you do a running-key encryption using
either beaufort or variant (they only differ by which text is the key and
which is the plaintext), you find that A is the most frequent letter in the
ciphertext.  Also, you find that letters like C and J end up with lower
frequencies.

Now, since the Kryptos Vigenere table used a non-standard alphabet of
KRYPTOSABCDE..., I tried converting the last 97 characters from the
KRYPTOSABCDE alphabet to ABC. I thought this was reasonable because the
original table used a standard alphabet for the key and plaintext. That is,
the table looked like:
 ABCDEFGHIJK
AKRYPTOSABCD
BRYPTOSABCDE
CYPTOSABCDEF

To me, that means that a simple substitution can transform the output from
that table to the standard vig or beaufort table.

Once I did that, A became the high freq letter instead of K, and I did see
C, Y and J appear in the low range. There are many similarities between the
resulting frequency distribution and the expected distribution for running-key
beaufort, but there are still a lot of differences. It may be a totally false
track, but then, the differences may just result from the short length of the
text.

I never got anywhere with this, but I thought I'd bring it up in case someone
is better at solving running-key ciphers.


-- 

Mark Wutka
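
An added example, not from Mark Wutka's post: it builds the KRYPTOS-keyed tableau the post sketches (row A is the keyed alphabet, row B the same alphabet rotated one place, and so on, indexed by standard key and plaintext letters), shows that converting its output from the KRYPTOSABCDE... alphabet back to ABC... yields exactly the output of a standard Vigenere, so the conversion is the simple substitution the post describes, and includes running-key variant Beaufort plus a frequency count for the check the post performs. The plaintext, key and key text are constructed for the example.

```python
# Added example: keyed Vigenere tableau == standard Vigenere + fixed substitution.
# Not from the digest; sample plaintext, key and key text are constructed.
from collections import Counter

STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def keyed_alphabet(keyword):
    """Keyword letters first (duplicates dropped), then the rest of the alphabet."""
    out = []
    for ch in keyword + STD:
        if ch not in out:
            out.append(ch)
    return "".join(out)


KRYPTOS = keyed_alphabet("KRYPTOS")   # KRYPTOSABCDEFGHIJLMNQUVWXZ


def tableau_row(alphabet, key_letter):
    """Row for a key letter: the keyed alphabet rotated by that letter's
    standard index (row A = alphabet, row B = alphabet[1:] + alphabet[:1])."""
    k = STD.index(key_letter)
    return alphabet[k:] + alphabet[:k]


def keyed_vigenere(plain, key, alphabet=KRYPTOS):
    """Look up (key row, plaintext column) in the keyed tableau."""
    return "".join(tableau_row(alphabet, key[i % len(key)])[STD.index(p)]
                   for i, p in enumerate(plain))


def standard_vigenere(plain, key):
    """Ordinary Vigenere: c = p + k mod 26 in the standard alphabet."""
    return "".join(STD[(STD.index(p) + STD.index(key[i % len(key)])) % 26]
                   for i, p in enumerate(plain))


def to_standard(text, alphabet=KRYPTOS):
    """The substitution from the post: position in the keyed alphabet -> standard letter."""
    return "".join(STD[alphabet.index(c)] for c in text)


def running_key_variant_beaufort(plain, key_text):
    """Variant Beaufort with a running key: c = p - k mod 26. When both texts are
    English, coincidences (p == k) give the letter A its high frequency."""
    return "".join(STD[(STD.index(p) - STD.index(k)) % 26]
                   for p, k in zip(plain, key_text))


def frequencies(text):
    """(letter, count) pairs, most frequent first, ties alphabetical."""
    return sorted(Counter(text).items(), key=lambda kv: (-kv[1], kv[0]))


SAMPLE_PLAIN = "ATTACKATDAWNANDHOLDTHERIDGEUNTILRELIEVED"   # constructed
SAMPLE_KEY = "COPPERPLATE"                                  # constructed


def demo():
    """Encipher with the keyed tableau, undo the keyed alphabet, compare."""
    ct = keyed_vigenere(SAMPLE_PLAIN, SAMPLE_KEY)
    same = to_standard(ct) == standard_vigenere(SAMPLE_PLAIN, SAMPLE_KEY)
    return ct, same, frequencies(ct)[0][0]


if __name__ == "__main__":
    ct, same, top = demo()
    print(ct, "substitution recovers standard Vigenere:", same, "top letter:", top)
```

Because the substitution is fixed and key-independent, any frequency test that is valid for a standard Vigenere or Beaufort output can be run on the converted text; the post's observation that K dominates before conversion and A after it is exactly what this mapping predicts for a cipher whose standard-alphabet output is A-heavy.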

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Help with a message
Date: Wed, 23 May 2001 15:08:44 GMT

Amethyste wrote:
> IC1 = 0.069
> IC2 = 0.054
> IC3 = 0.064

I have to object to this.  A proper Index of Coincidence
is the ratio of the observed number of coincidences to the
expected number of coincidences, and therefore is somewhere
around 1.  I know there are textbooks that misdefine this,
but it is important to have a standard unit of scale (1)
in order to interpret the statistic.

------------------------------

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Digital Signature Scheme
Date: 23 May 2001 16:03:48 GMT

Umut Bayraktar <[EMAIL PROTECTED]> wrote:

> I want to write a c++ code for DSS. But I did not use big numbers in
> our code. Please help me how can I use these kinds of numbers.

I'd use a bignum library if I were you.

-- [mdw]

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Best, Strongest Algorithm
Date: 23 May 2001 16:02:06 GMT

[EMAIL PROTECTED] (Douglas A. Gwyn) wrote in <[EMAIL PROTECTED]>:

>
>Skipjack was intended, among other things, for safeguarding
>information within the government.  The only specific known
>"weakness" intentionally built in was the key-escrow protocol,
>which is not a property of the encryption algorithm itself.
>

   However if you've looked at docs it would only be used to
protect nonclassified material so that's hardly a glowing
endorsement of it as a secure cipher.

>Rijndael wasn't produced nor controlled by NSA at all.

   Rijndael wasn't openly produced by the NSA. But when
you consider their unlimited amount of money and their
goal of reading all email. It would be very very unlikely
that the NSA didn't have its hand in the cookie jar somewhere
along the line. I think you can even believe this.

>
>> BTW Scottu_zipguy, the NSA is not out to get you.  I bet they have
>> never heard of you except in some jokingly fashion.  There are what
>> 300 million us citizens?  Why would the govt care about 1/300million
>> of its population?  Randomly that's 2^-28 chance of being picked on.
>
>Now Tom has indulged in some illogical reasoning of his own;

    Well its common for TOM to shoot his mouth off without
any real thinking behind it. I can't write well I think
Wagner and his BS friends are enemies of open source crypto.
I may or may not be totally correct about Wagner. But what
is a fact is that he has so much faith in experts or that
most will believe so called experts that he could care less
about telling the honest truth. Its a fact he said scott19u
was dead by the slide attack. He stated it as if he really
looked at it. But it was a lie. So I think I can
honestly say he does not tell the truth. And if he had
any sort of honest bone in him he should tell openly
that he lied about scott19u. He only briefly alluded to it
when someone tried the slide attack on scott19u and he in
one message which was not noticed by many stated that he
didn't actually look at the code. So what kind of man
is he. Do you think he has any intellectual honesty?



David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE "OLD VERSION"
        http://www.jim.com/jamesd/Kong/scott19u.zip
My website http://members.nbci.com/ecil/index.htm
My crypto code http://radiusnet.net/crypto/archive/scott/
MY Compression Page http://members.nbci.com/ecil/compress.htm
**NOTE FOR EMAIL drop the roman "five" ***
Disclaimer:I am in no way responsible for any of the statements
 made in the above text. For all I know I might be drugged or
 something..
 No I'm not paranoid. You all think I'm paranoid, don't you!


------------------------------

From: [EMAIL PROTECTED] (Mark Wooding)
Crossposted-To: alt.hacker,talk.politics.crypto
Subject: Re: OAP-L3:  "The absurd weakness."
Date: 23 May 2001 16:11:00 GMT

Anthony Stephen Szopa <[EMAIL PROTECTED]> wrote:

> The transformation of permutations is lesson #1 in linear algebra.

I always thought that the study of permutations was a topic in group
theory, not linear algebra (which concerns itself with vector spaces and
suchlike).  I don't think there's any particularly interesting vector
space you can construct from permutations.

I could, of course, be wrong.

-- [mdw]

------------------------------

From: Dave Smith <[EMAIL PROTECTED]>
Subject: Re: Help with a message
Date: Wed, 23 May 2001 16:19:51 GMT

Martin Schramm developed a solution in rec.puzzles. The cipher has a period of
three (apparently) random alphabets:

1. ABCDEFGHIJKLMNOPQRSTUVWXYZ    
evfhywmdxrauipsolb-jng-ct-

2. ABCDEFGHIJKLMNOPQRSTUVWXYZ
-grmducytolxhwbqnfaipkves-

3. ABCDEFGHIJKLMNOPQRSTUVWXYZ
algqne-kfwtbrimuxvpydshoc-
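
An added example, not part of Gwyn's or Dave Smith's posts, that computes the Index of Coincidence in both conventions Gwyn contrasts (the textbook ratio around 0.066 for English, and the observed-over-expected ratio that puts random text at 1) on a constructed period-3 polyalphabetic ciphertext of the kind the thread is solving. Slicing by period gives one high IC per column while the whole text scores low, which is how the period is found. The plaintext and the three alphabets (plain Caesar shifts) are constructed for the example, not the alphabets recovered in rec.puzzles.

```python
# Added example: Index of Coincidence in two conventions on a period-3 cipher.
# Not from the digest; plaintext and the three alphabets are constructed.
from collections import Counter

STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def coincidences(text):
    """Number of position pairs holding the same letter."""
    return sum(c * (c - 1) for c in Counter(text).values()) // 2


def ic_textbook(text):
    """Textbook IC: sum n_i(n_i - 1) / (N(N - 1)).
    Roughly 0.066 for English, 1/26 = 0.038 for uniform random letters."""
    n = len(text)
    return sum(c * (c - 1) for c in Counter(text).values()) / (n * (n - 1))


def ic_normalized(text, alphabet_size=26):
    """Gwyn's convention: observed coincidences divided by the number expected
    from uniform random text, so random scores about 1 and English about 1.7."""
    n = len(text)
    expected = n * (n - 1) / (2 * alphabet_size)
    return coincidences(text) / expected


def periodic_substitution(text, alphabets):
    """Position i is enciphered with alphabets[i % period] (plain index -> cipher letter)."""
    period = len(alphabets)
    return "".join(alphabets[i % period][STD.index(ch)] for i, ch in enumerate(text))


def columns(text, period):
    """The `period` slices of the text that each share one alphabet."""
    return [text[i::period] for i in range(period)]


# Constructed English sample (spaces removed below).
PLAIN = (
    "THE INDEX OF COINCIDENCE MEASURES HOW OFTEN TWO LETTERS DRAWN AT RANDOM "
    "FROM A TEXT TURN OUT TO BE THE SAME LETTER A SIMPLE SUBSTITUTION ONLY "
    "RENAMES THE LETTERS SO IT LEAVES THE STATISTIC UNCHANGED WHILE A PERIODIC "
    "CIPHER THAT MIXES SEVERAL ALPHABETS FLATTENS THE DISTRIBUTION OF THE WHOLE "
    "TEXT BUT NOT OF EACH COLUMN TAKEN ON ITS OWN SLICING THE CIPHERTEXT BY A "
    "GUESSED PERIOD AND TESTING EVERY SLICE THEREFORE REVEALS THE TRUE PERIOD "
    "OF THE CIPHER"
).replace(" ", "")

# Three Caesar alphabets (shifts 3, 11, 20): constructed for the example.
ALPHABETS = [STD[s:] + STD[:s] for s in (3, 11, 20)]


def demo(period=3):
    """IC of the whole ciphertext versus IC of each period column, both conventions."""
    ct = periodic_substitution(PLAIN, ALPHABETS)
    cols = columns(ct, period)
    return {
        "whole": ic_textbook(ct),
        "columns": [ic_textbook(c) for c in cols],
        "whole_normalized": ic_normalized(ct),
        "columns_normalized": [ic_normalized(c) for c in cols],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:20s} {value}")
```

A column's IC is unchanged by whichever monoalphabetic substitution enciphers it, since the statistic only depends on the letter counts, which is why the per-column values sit at the English level while the mixed whole text sinks toward the random level. The normalized form makes that comparison against a fixed scale of 1 rather than against a figure that depends on the alphabet size.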



------------------------------

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: TC15a analysis
Date: 23 May 2001 16:21:33 GMT

jlcooke <[EMAIL PROTECTED]> wrote:

> I'll suggest using a multiply by 2 in GF(2^8) again.

There isn't an element you can sensibly label `2' in F_{2^8}.  The usual
definition of `2' is the result of `1 + 1', but we've already labelled
that `0'.

> Yes.  And DSPs have native "scale and accumulate" operations if you're
> interested in designing a good embedded cipher.
>   a = a + b*c;
>   a = a - b*c;

Yes, but DSPs tend to be relatively poor at rotations.  Also, with the
exception of a wide accumulator, some have only (say) 24-bit registers.

-- [mdw]

------------------------------

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: DES ENCRYPTION: 64-bit key
Date: 23 May 2001 17:07:51 GMT

Simon Johnson <[EMAIL PROTECTED]> wrote:

> As far as I was aware, linearness in key-schedules is not
> exploitable...

If, say, a round key is leaked as a result of a particular type of
attack, it becomes easy to work out bits of other round keys.  This is
undesirable.  I recall that the best attack on Rijndael exploits simple
relationships between the keys in consecutive rounds in order to attack
more rounds.

-- [mdw]

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
