Cryptography-Digest Digest #725

1999-06-15 Thread Digestifier

Cryptography-Digest Digest #725, Volume #9   Tue, 15 Jun 99 20:13:02 EDT

Contents:
  Re: Cracking DES (David Wagner)
  SLIDE ATTACK & large state SYSTEMS (SCOTT19U.ZIP_GUY)
  Re: SLIDE ATTACK & large state SYSTEMS (David Wagner)
  Re: Export restrictions question ([EMAIL PROTECTED])
  Re: TEA vs Blowfish ([EMAIL PROTECTED])
  Signing with two keys and verifying use one the key? (Yang Yang)
  Test, please ignore (Yang Yang)
  Re: Algorithm from easy spec please! ([EMAIL PROTECTED])
  Challenge: signing with two keys, verifiable with one of the key, but can not fake with one key? (Yang Yang)
  Re: SLIDE ATTACK & large state SYSTEMS (SCOTT19U.ZIP_GUY)
  Re: [Q]: Session key exchange ([EMAIL PROTECTED])
  Re: DES and BPANN (James Pate Williams, Jr.)
  Re: DES (Jerry Coffin)
  Re: "Breaking" a cipher ("Steven Alexander")
  Re: DES (Jim Gillogly)
  Secret info for MACS (Casey Sybrandy)
  Re: DES lifetime (was: being burnt by the NSA) (Jerry Coffin)



From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Cracking DES
Date: 15 Jun 1999 12:04:15 -0700

In article <7k5tfs$pui$[EMAIL PROTECTED]>,  <[EMAIL PROTECTED]> wrote:
> Let us suppose that 2^73 bytes of memory is actually feasible. I
> understand that for this attack to work we would need about 2^140
> memory accesses.

Not quite right; the naive MITM attack takes 2^73 bytes of memory
and 2^70 memory accesses.  A considerable improvement over exhaustive
search, but still, as you say, not very practical due to the massive
memory requirements.

An improvement that drastically reduces the memory requirements
(at some modest cost in computational complexity) is van Oorschot
and Wiener's parallel collision search techniques.  See e.g. their
paper on breaking double-DES; I think it was in a recent CRYPTO.

In general, I would argue that it would be prudent to assume that
a cleverer adversary might be able to find an algorithm that entirely
eliminates the memory requirements, leaving a MITM attack that takes
just 2^70 operations.  I think it is entirely possible that such an
algorithm exists, given van Oorschot and Wiener's clever techniques.

> I think that the cryptanalytic community should agree on an attack cost
> function that is more appropriate than just counting encryptions. In an
> official comment to NIST I have proposed a simple metric towards that
> end.

Ooh!  I agree: I think this is a very interesting research question.

I wonder whether you can approximate the cost pretty well as a linear
function of the resource requirements, at least for some resources.
For instance,
  1 MB of fast memory ~ 100 MB of slow memory
~ 2^36 trial encryptions / year ~ 1 KB of known plaintext
(These are just examples, I don't know if they're reasonable estimates.)

I'll look forward to reading your comment to NIST.  Is it available?

--

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: SLIDE ATTACK & large state SYSTEMS
Date: Tue, 15 Jun 1999 19:20:46 GMT

 Let's look at the Slide Attack as it applies to a
large key system instead of a small key of a mere
few hundred bits or less. The problem with small
keyed systems is that after only a few dozen bytes,
if the encrypted message came from text, there is generally
only one solution as to what that text is.
 This weakness is also exploited by methods such as
the slide attack, where one searches for slide pairs
and then checks to see if the single round
has a solution. If it does then this solution is
the one that is assumed to be the one for the multi
round case. This is a good attack for small key
systems, but let's look at a theoretical large key system
where it fails. This is a theoretical system only;
suppose I represent it by a large S box that is
repeated twice. Such that C0 = F ( F (P0) ); this is
just the S-box repeated twice in series. The method can
be such that instead of keeping the S box in memory
the entry is calculated on the fly as the data is
available. Of course it could have been represented by
one S-box but it wasn't. The task is to find entries
in the S-box so that the function used can be found.
Let's assume that if all zeros go in, all zeros
come out. That is as simple a slide pair as you can get,
the all zero case. Now you look at the basic S box
and see if there is an entry where 0 gets mapped to
zero. Let's say there is a valid set of keys that produce
this as a solution; actually if your method almost allows
for all S-tables there are many such possible keys that
could lead to this. Now you think you have part
of the solution. But in reality 0 could map to 1 and
1 in stage 1. In the second stage 1 could map to 0. So that both
the slide criteria are met in that overall 0 can map to
0 and in the single stage. But it was not in the one
used in the code. As the key space gets large these
false solutions get more common. This is just a simple
example to show how one can be misled in trying to
fin

Cryptography-Digest Digest #724

1999-06-15 Thread Digestifier

Cryptography-Digest Digest #724, Volume #9   Tue, 15 Jun 99 15:13:03 EDT

Contents:
  Re: IDEA in "aplied cryptography" BRUCE SCHNEIER (Nick Barron)
  Re: IDEA in "aplied cryptography" BRUCE SCHNEIER (Nick Barron)
  Re: stream ciphers ([EMAIL PROTECTED])
  Re: sbox design ([EMAIL PROTECTED])
  Re: Key Schedule Question ([EMAIL PROTECTED])
  Re: Has this cipher been broken yet ? ([EMAIL PROTECTED])
  Re: TEA vs Blowfish ([EMAIL PROTECTED])
  Algorithm from easy spec please! ("Kenneth N Macpherson")
  Re: Speed comparison of RSA/DES/SHA1 ("Bruce Geist")
  Re: Speed comparison of RSA/DES/SHA1 ("Gernot Schuh")
  Re: Export restrictions question (Jim Gillogly)
  Re: TEA vs Blowfish (Paul Rubin)
  Re: Algorithm from easy spec please! (Mok-Kong Shen)
  Re: [Q]: Session key exchange (Paul Rubin)
  [Q]: Session key exchange (Jyrki O Saarinen)
  Re: Book Usefulness Question ("Anton Stiglic")
  Re: [Q]: Session key exchange (Thierry Moreau)
  Re: Algorithm from easy spec please! ([EMAIL PROTECTED])



From: [EMAIL PROTECTED] (Nick Barron)
Subject: Re: IDEA in "aplied cryptography" BRUCE SCHNEIER
Date: Tue, 15 Jun 1999 13:39:42 GMT

On Mon, 14 Jun 1999 21:13:37 GMT, [EMAIL PROTECTED] wrote:

>On Mon, 14 Jun 1999 20:44:06 GMT, [EMAIL PROTECTED]
>(John Savard) wrote:
>
>
>>Not to keep criticizing you for being helpful, but I doubt the United
>>States has annexed Germany any time lately...
>You never know

Surely NATO's maps aren't *that* bad! :)


Nick Barron
SGML/XML Systems and Applications Development Manager
Solvera Information Services Ltd

Disclaimer: The views expressed in this message are mine, 
not necessarily those of my company

--

From: [EMAIL PROTECTED] (Nick Barron)
Subject: Re: IDEA in "aplied cryptography" BRUCE SCHNEIER
Date: Tue, 15 Jun 1999 13:39:09 GMT

On Mon, 14 Jun 1999 14:31:52 +0200, chciago <"gabriel.
nock"@siemens.de> wrote:

>hey, i wanted to implement the IDEA-algorythm by the sources in bruce
>schneiers book
>
>is there a fault in this codes, or am i only too silly, to copy code
>from a book, but : "it doesn't work"
>
>or where can I find sources of IDEA which are working, I only want to
>use it for myself, not in a commercial way..
>

Have a look at ftp.replay.com in pub/crypto/crypto/applied-crypto and
you'll find the full source set from the book.


Nick Barron
SGML/XML Systems and Applications Development Manager
Solvera Information Services Ltd

Disclaimer: The views expressed in this message are mine, 
not necessarily those of my company

--

From: [EMAIL PROTECTED]
Subject: Re: stream ciphers
Date: Tue, 15 Jun 1999 13:39:04 GMT

In article <[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (James Pate Williams, Jr.) wrote:
> From 1993 SEAL (Software-Optimized Encryption Algorithm), see
> _Handbook of Applied Cryptography_ Section 6.4.1 pages 213-216.
> If you are a citizen of the United States of America, currently
> residing in the U.S., then you can obtain a C implementation of
> Algorithm 6.68 (SEAL 2.0) from the _Handbook..._ by writing me at the
> following address requesting SEAL 2.0.

I would look for SEAL 3.0 which is available from my website :) at

http://mypage.goplay.com/tomstdenis/block.html

Tom
--
PGP key is at:
'http://mypage.goplay.com/tomstdenis/key.pgp'.


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.

--

From: [EMAIL PROTECTED]
Subject: Re: sbox design
Date: Tue, 15 Jun 1999 13:31:59 GMT

In article <[EMAIL PROTECTED]>,
  Medical Electronics Lab <[EMAIL PROTECTED]> wrote:
> Here's where Entrust has the CAST papers:
> http://www.entrust.com/downloads/whitepapers.htm
>
> A "bent" function is a nonlinear boolean function of several
> inputs and outputs.  You need to get hold of Carlile's paper
> "Good S-boxes are hard to find", it describes everything you
> want to know in lots of detail.  If you can't find it in your
> library, I'll snail mail a copy to you.

I would really appreciate that, if you have a copy to spare I could get
you my address in private email.  I will take a look at the site too.

(btw, my library would not have it since they don't believe in books
from this half of the millennium... :) )

Tom
--
PGP key is at:
'http://mypage.goplay.com/tomstdenis/key.pgp'.


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.

--

From: [EMAIL PROTECTED]
Subject: Re: Key Schedule Question
Date: Tue, 15 Jun 1999 13:36:04 GMT

In article <[EMAIL PROTECTED]>,
  "Timothy Kordas" <[EMAIL PROTECTED]> wrote:
> I'm still working through a bunch of material about cryptanalysis;
> but most of what I've read so far concerns itself primarily with
> the encryption-function portion of a few different algorithms. Are
> there any good references out there about key scheduling ?

In general you want all subkeys to be the same siz

Cryptography-Digest Digest #723

1999-06-15 Thread Digestifier

Cryptography-Digest Digest #723, Volume #9   Tue, 15 Jun 99 11:13:03 EDT

Contents:
  Re: Export restrictions question (SCOTT19U.ZIP_GUY)
  Re: RSA example with small numbers (Jonathan Katz)
  Re: IDEA in "aplied cryptography" BRUCE SCHNEIER (Jonathan Katz)
  Re: I challenge thee :) (Fiji)
  Arbitrary Huffman tree and weights distribution (was: huffman code length) (Alex Vinokur)
  Speed comparison of RSA/DES/SHA1 ("Gernot Schuh")
  Re: Subset alphabet encryption ([EMAIL PROTECTED])
  Re: Is there a short digest for short messages? ([EMAIL PROTECTED])
  Re: encrypt using ASCII 33 to 126 only? ([EMAIL PROTECTED])



From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Export restrictions question
Date: Tue, 15 Jun 1999 13:12:58 GMT

In article <7k4mk8$irp$[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Bill Unruh) wrote:
>In <7k1nbd$cpl$[EMAIL PROTECTED]> [EMAIL PROTECTED] writes:
>
>>Can anyone provide some clarification for the encryption export
>>restrictions.  Let's say my key length is 64 bits (8 bytes).  However
>>all I'm doing is performing an XOR on each 8-byte block in the file from
>>beginning to end.  It is obviously not any of the fancy algorithms.
>>Does that require export approval?
>
>Under the regulations, all cryptography, even ROT 13 requires a license
>to export it. All. Some gets that license more easily, some can be given
>that license in general rather than having to get a separate license for
>each and every export, but all need it.
>Of course if the Bernstein case is upheld the regulations will be
>replaced by others just as silly and you will still need a license.

  Interesting, I thought the Bernstein case was such that no license
scheme would be required. Do you say this because it is the law or just
using history as a fact that the politicians never follow what the court
rules as one of constitutional rights?


David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
http://members.xoom.com/ecil/index.htm
NOTE EMAIL address is for SPAMERS

--

From: [EMAIL PROTECTED] (Jonathan Katz)
Subject: Re: RSA example with small numbers
Date: 15 Jun 1999 09:23:37 -0400


In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Gergo 
Barany) writes:
|> Delurking...
|> 
|> Hi. I recently got interested in the RSA algorithm and wanted to test it
|> by punching a few numbers in my calculator, but that is harder than I
|> thought, and I didn't find any examples of this on the WWW (and the
|> examples in Applied Cryptography are too big for my calculator).
|> Here's what I did:
|> I selected two primes, p=23 and q=37 (I could use any primes, but they
|> shouldn't be a lot bigger or smaller, I felt). Their product n=851,
|> (p-1)(q-1)=792. Then, I had the RSA Algorithm Javascript Page
|> [http://www.orst.edu/dept/honors/makmur/] generate my keys...
|> 
|> I chose the number 10 as my plaintext and encrypted it:
|> C=M^e mod n=10^5 mod 851=433
|> 
|> Then I took the cyphertext 433 and decrypted it:
|> M=C^d mod n=433^{317} mod 851=499
|> 
|> Now, as you can see, my original plaintext is not the same as the result
|> of D(E(M)). My question is, could someone with more knowledge on this
|> subject explain to me what I did wrong or point me to a place where I
|> can find an example of RSA with numbers in about the same range?
|> 
|> Gergo
|> 
|> -- 
|> UFOs are for real: the Air Force doesn't exist.
|> 
|> GU d- s:+ a--- C++>$ UL+++ P>++ L+++ E>++ W+ N++ o? K- w--- !O !M !V
|> PS+ PE+ Y+ PGP+ t* 5+ X- R>+ tv++ b+>+++ DI+ D+ G>++ e* h! !r !y+

You should be able to calculate this number on any calculator with 8-digit
accuracy...the problem you had with the exponentiation likely arose due to
rounding errors. 

If you really want to calculate this by your calculator, you should try:

((433^2)^2)^2 ... etc.
reducing the number mod 851 at each step along the way to keep the number below 8
digits (or whatever the accuracy of your calc. is).

But just calculating 433^317 and reducing that will give a completely wrong
answer due to roundoff.
-- 
==
Jonathan Katz
[EMAIL PROTECTED]

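Katz's advice above, carried through on Gergo's own parameters (p=23, q=37, e=5, M=10) as an added worked example that is not part of either post. Square-and-multiply with a reduction after every multiplication keeps every intermediate product below n^2 = 724201, so an 8-digit calculator never rounds; the helper at the end shows how many digits the unreduced 433^317 would need.

```python
def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def rsa_keypair(p, q, e):
    """Returns (n, phi, d) with e*d == 1 (mod phi); the private exponent d
    is e's inverse mod phi, which is how the Javascript page got 317."""
    n, phi = p * q, (p - 1) * (q - 1)
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    return n, phi, x % phi

def mod_pow(base, exp, mod):
    """Right-to-left square-and-multiply, reducing mod `mod` after each
    multiplication. Also returns the largest product ever formed, which is
    at most (mod-1)**2, so it shows what precision the calculator needs."""
    result, largest = 1, 0
    base %= mod
    while exp:
        if exp & 1:                     # this bit of the exponent is set
            prod = result * base
            largest = max(largest, prod)
            result = prod % mod
        prod = base * base              # square for the next bit
        largest = max(largest, prod)
        base = prod % mod
        exp >>= 1
    return result, largest

def digits_without_reduction(base, exp):
    """Decimal digits of base**exp computed in full; a calculator must hold
    all of them exactly for a final `mod` to be meaningful."""
    return len(str(base ** exp))

def demo():
    n, phi, d = rsa_keypair(23, 37, 5)      # 851, 792, 317 as in the post
    c, _ = mod_pow(10, 5, n)                # encrypt M=10: 433
    m, largest = mod_pow(c, d, n)           # decrypt: back to 10, not 499
    return n, phi, d, c, m, largest, digits_without_reduction(c, d)
```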
--

From: [EMAIL PROTECTED] (Jonathan Katz)
Subject: Re: IDEA in "aplied cryptography" BRUCE SCHNEIER
Date: 15 Jun 1999 09:28:43 -0400


In article <[EMAIL PROTECTED]>, chciago <"gabriel. nock"@siemens.de> writes:
|> hey, i wanted to implement the IDEA-algorythm by the sources in bruce
|> schneiers book
|> 
|> is there a fault in this codes, or am i only too silly, to copy code
|> from a book, but : "it doesn't work"
|> 
|> or where can I find sources of IDEA which are working, I only want to
|> use it for myself, not in a commercial way..
|> 

Don't know about the code in Schneier's book, but two other references for IDEA
implementation are: "Network Security

Cryptography-Digest Digest #722

1999-06-15 Thread Digestifier

Cryptography-Digest Digest #722, Volume #9   Tue, 15 Jun 99 08:13:03 EDT

Contents:
  Re: Message for DSCOTT(was:SLIDE ATTACK FAILS) (Boris Kazak)
  Re: IDEA in "aplied cryptography" BRUCE SCHNEIER (Boris Kazak)
  Re: Export restrictions question (Bill Unruh)
  Re: IDEA in "aplied cryptography" BRUCE SCHNEIER (wtshaw)
  Re: encrypt using ASCII 33 to 126 only? (wtshaw)
  Re: Cracking DES ([EMAIL PROTECTED])
  Re: Is there a short digest for short messages? Continued... (Francois Grieu)
  Re: encrypt using ASCII 33 to 126 only? ("Douglas A. Gwyn")
  Re: DES and BPANN ("Douglas A. Gwyn")
  Cryptonomicon Errata in Neal Stephenson's new fiction: (C T Skinner)
  Re: Generating Large Primes for ElGamal (Karel Wouters)
  Re: DES ([EMAIL PROTECTED])
  Re: DES ([EMAIL PROTECTED])
  Re: DES ([EMAIL PROTECTED])
  Re: huffman code length (Mok-Kong Shen)
  Re: DES ([EMAIL PROTECTED])
  Re: DES ([EMAIL PROTECTED])
  Re: DES ([EMAIL PROTECTED])
  Re: DES ([EMAIL PROTECTED])
  DH with composite modulous based on P (Peter Gunn)



From: Boris Kazak <[EMAIL PROTECTED]>
Subject: Re: Message for DSCOTT(was:SLIDE ATTACK FAILS)
Date: Mon, 14 Jun 1999 20:40:27 -0400
Reply-To: [EMAIL PROTECTED]

[EMAIL PROTECTED] wrote:
> () 
> So I think you should go download some papers and actually *READ*
> them.  You declare yourself so smart yet you know so little.
> 
> Tom
> --
> PGP key is at:
> 'http://mypage.goplay.com/tomstdenis/key.pgp'.
> 
> Sent via Deja.com http://www.deja.com/
> Share what you know. Learn what you don't.
===
 This message is for David Scott.
This message is intentionally left unencrypted.

Along the streets they led the Elephant,
for show, as it appeared;
elephants, as is known, are a rarity with us,
so crowds of gawkers trailed behind the Elephant.

From out of nowhere, Moska ran up to meet them.
Catching sight of the Elephant, she flings herself at him,
barking, yelping, straining at him,
as if she means to pick a fight with him!

"Neighbour, stop disgracing yourself,"
Shavka says to her, "is the Elephant any match for you?
Look, you are hoarse already, and he walks on ahead
and takes no notice of your barking at all."

"Eh, eh," Moska answers her,
"that is just what gives me heart:
that without any fight at all
I can be counted among the great bullies.
So let the dogs say:
  'Ai, Moska! She must be strong,
  since she barks at the Elephant.'"

I hope you will have no problems reading this. BNK

--

From: Boris Kazak <[EMAIL PROTECTED]>
Subject: Re: IDEA in "aplied cryptography" BRUCE SCHNEIER
Date: Mon, 14 Jun 1999 20:53:15 -0400
Reply-To: [EMAIL PROTECTED]

chciago wrote:
> 
> hey, i wanted to implement the IDEA-algorythm by the sources in bruce
> schneiers book
> 
> is there a fault in this codes, or am i only too silly, to copy code
> from a book, but : "it doesn't work"
> 
> or where can I find sources of IDEA which are working, I only want to
> use it for myself, not in a commercial way..
==
Try  and browse their CryptoCD online.
The site is in Switzerland.

Best wishes, BNK

--

From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: Export restrictions question
Date: 15 Jun 1999 04:59:52 GMT

In <7k1nbd$cpl$[EMAIL PROTECTED]> [EMAIL PROTECTED] writes:

>Can anyone provide some clarification for the encryption export
>restrictions.  Let's say my key length is 64 bits (8 bytes).  However
>all I'm doing is performing an XOR on each 8-byte block in the file from
>beginning to end.  It is obviously not any of the fancy algorithms.
>Does that require export approval?

Under the regulations, all cryptography, even ROT 13 requires a license
to export it. All. Some gets that license more easily, some can be given
that license in general rather than having to get a separate license for
each and every export, but all need it.
Of course if the Bernstein case is upheld the regulations will be
replaced by others just as silly and you will still need a license.

--

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: IDEA in "aplied cryptography" BRUCE SCHNEIER
Date: Tue, 15 Jun 1999 00:03:04 -0600

In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (John Savard) wrote:

> [EMAIL PROTECTED] (James Pate Williams, Jr.) wrote, in part:
> 
> >if you are a citizen of the United
> >States of America currently residing in the U.S.
> 
> Not to keep criticizing you for being helpful, but I doubt the United
> States has annexed Germany any time lately...
> 
Details...details
-- 
Weathermen prophesize and insurance companies predict, while both pretend to be doing 
the other to get an audience.

--

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: encrypt using ASCII 33 to 126 only?
Date: Tue, 15 Jun 1999 00:00:59 -0600

In article <[EMAIL PROTECTED]>, "Kenneth
N Macpherson" <[EMAIL PROTECTED]> wrote:

> Hello,
> 
> I am trying to find code (vb) that will take a string (all chars in