Cryptography-Digest Digest #743
Cryptography-Digest Digest #743, Volume #10 Wed, 15 Dec 99 07:13:01 EST Contents: Re: NAI granted export license for PGP ([EMAIL PROTECTED]) Re: Simple newbie crypto algorithmn (Steven Siew) Re: How easy would this encryption be to crack? - revised (Steven Siew) Re: Why no 3des for AES candidacy ("Douglas A. Gwyn") Re: Why no 3des for AES candidacy ("Douglas A. Gwyn") Re: Deciphering without knowing the algorithm? ("Douglas A. Gwyn") Re: security of 3des ?= des ("Douglas A. Gwyn") Re: Simple newbie crypto algorithmn ("Douglas A. Gwyn") Re: Deciphering without knowing the algorithm? (Guy Macon) Re: The Code Book (Guy Macon) Re: Simple newbie crypto algorithmn ([EMAIL PROTECTED]) Re: Why no 3des for AES candidacy ("Tim Wood") Re: Why no 3des for AES candidacy ("Tim Wood") Re: Why no 3des for AES candidacy ("Tim Wood") Re: Simple newbie crypto algorithmn (Steven Siew) Re: Simple newbie crypto algorithmn (Steven Siew) Re: Deciphering without knowing the algorithm? (CLSV) Re: Simple newbie crypto algorithmn (CLSV) Re: Simple newbie crypto algorithmn (CLSV) From: [EMAIL PROTECTED] Subject: Re: NAI granted export license for PGP Date: Wed, 15 Dec 1999 05:27:36 GMT Mike Andrews [EMAIL PROTECTED] wrote: : Why haven't we seen any people ranting about "NSA must have solved the : discrete log and factoring problems" yet? :) They've all been taken away in the black helicopters. Don't be silly, the NSA uses standard rental car models and colors for this sort of thing, not an eye-catching black helicoptor. They've all been taken away in white Plymouth Voyagers. :) -- Matthew Gauthier [EMAIL PROTECTED] -- From: Steven Siew [EMAIL PROTECTED] Subject: Re: Simple newbie crypto algorithmn Date: Wed, 15 Dec 1999 16:46:44 +1100 David Wagner wrote: In article [EMAIL PROTECTED], Steven Siew [EMAIL PROTECTED] wrote: It's not designed to be fast. It's designed to be secure. Again memory was not considered by me during the design process. Anyone can design a secure cipher if it's allowed to be big and slow. Just use umpteen-DES, or somesuch, with ten copies of D. Scott's favorite chaining mode thrown in for good measure (why not?). The question is, why would anyone use a new, slow algorithm when there are others available that are both faster and better understood (= more likely to be secure)? (Maybe this was intended only for fun, and was not suggested for actual use. If so, I apologize; my comments would be irrelevant in such a case.) Why would anyone uses a new slow algorithmn? People would use it if they can TRUST it! Please refer to my design criteria. So I set about proving the above statement. In short I want to write a crypto program with the following chracteristics: 1. The program must be simple and easy to understand. Thus the public can see easily the strengths of the encryption. 2. The program must be cryptographically powerful enough not to be cracked even by using all the computers in the world in less than a 1000 years. 3. No special knowledge of arcane cryptography is required. No maths more difficult than that encountered in high school is required. Remember I'm aiming at people who is not particularly skilled in cryptography. People are naturally reluctant to use program which they don't understand how it works. Steven Siew -- From: Steven Siew [EMAIL PROTECTED] Subject: Re: How easy would this encryption be to crack? - revised Date: Wed, 15 Dec 1999 17:05:27 +1100 Christoffer Lernö wrote: Oops.. saw the flaws myself. What about this: (the class itself holds the two key arrays (byte[]) meKeyA and meKeyB, there are also two looking variables, meSpin (getting its starting value from meKeyA meKeyB) and meSpin2 with starting value 0) To decode a byte b: Can you tell us why you think this is a strong crypto algo? Frankly I'm not good at java, is byte same as char or is it same as unsigned char? Kindly provide some explaination to your algo. What are your design criterias? Have you thought about how to crack it yourself? How well does it defend against known plaintext attacks? How well does it encrypt a plaintext which differs from another plaintext by a single bit? Steven Siew -- From: "Douglas A. Gwyn" [EMAIL PROTECTED] Subject: Re: Why no 3des for AES candidacy Date: Wed, 15 Dec 1999 06:48:49 GMT albert wrote: Get a clue, watch some conspiracy movies or something. That's apparently where you get *your* "information". Mine is much more reliable. -- From: "Douglas A. Gwyn" [EMAIL PROTECTED] Subject: Re: Why no 3des for AES candidacy Date: Wed, 15 Dec 1999 06:50:23 GMT Jim Gillogly wrote: Is it also against the law for
Cryptography-Digest Digest #744
Cryptography-Digest Digest #744, Volume #10 Wed, 15 Dec 99 11:13:02 EST Contents: Re: Better encryption? PGP or Blowfish? (Tom St Denis) Re: security of 3des ?= des (Frank Gifford) Re: Why no 3des for AES candidacy ("Tim Wood") Re: discrete logorithm reduction to factoring (Nick Williams) help: I need to crack a ms-access pwd (Olaf Kesch) Re: how easy would this encryption be to crack? (Christoffer =?iso-8859-1?Q?Lern=F6?=) Re: discrete logorithm reduction to factoring (Anton Stiglic) SSL/RC4_128_EXPORT40 ("Tobias Martin") Re: help: why q|(p-1) (Anton Stiglic) Re: Non-linear PRNGs (John Myre) Prime series instead (Re: Pi) (Matthew Montchalin) Re: SSL/RC4_128_EXPORT40 (Arturo) Re: Better encryption? PGP or Blowfish? (James Felling) Re: Why no 3des for AES candidacy (Paul Koning) Re: discrete logorithm reduction to factoring (John Bailey) From: Tom St Denis [EMAIL PROTECTED] Subject: Re: Better encryption? PGP or Blowfish? Date: Wed, 15 Dec 1999 12:32:42 GMT In article 836gmb$1g50$[EMAIL PROTECTED], [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) wrote: Asshole even if I used a 4 bit key if the program I used was done correctly you may not know what the anwser is. With a ZERO knowledge method you KNOW what the encyrpted message is. You may not know what it means but you know what the message is ASSHOLE wake up and learn something. I getting tired of changing your diapers so to keep from using so many swear words you going back on my Kill file list. Actually your the only one on it. You are possibly the most ignorant person on the face of earth and may god have mercy on your soul. BTW: If the message space is larger then the key space as is the case for all block ciphers/stream ciphers, then you can always brute force the keyspace. It might be infeasible in the ammount of time it will require, but it's still possible. Tom Sent via Deja.com http://www.deja.com/ Before you buy. -- From: [EMAIL PROTECTED] (Frank Gifford) Subject: Re: security of 3des ?= des Date: 15 Dec 1999 08:29:58 -0500 In article [EMAIL PROTECTED], Tim Tyler [EMAIL PROTECTED] wrote: karl malbrain [EMAIL PROTECTED] wrote: : [EMAIL PROTECTED] wrote in message : i was wondering if it has been shown that 3des is more secure : than des. : : my understanding is that if des transformations form a group : than any composition of des transformations is equivalent to : a single des encryption, : In the sense that DES is a 64 bit block function that MAPS one input to one : output, yes, you can combine DES operations as a single MAPPING, and there : is no security gain. [...] However you look at it, it's been proven not to be true that any composition of DES transformations is equivalent to a single DES encryption. Well, you should be clear here. It's true that since DES is not a group, that 3-DES cannot be reduced to 1-DES. But that does not imply that it is impossible for some (plaintext1, key1, ciphertext1) tupple in N-DES to be found as (plaintext1, key2, ciphertext1) in 1-DES. -Giff -- Too busy for a .sig -- From: "Tim Wood" [EMAIL PROTECTED] Subject: Re: Why no 3des for AES candidacy Date: Wed, 15 Dec 1999 13:43:08 - I am just an Engineer also but had to do programming all my life since most computer people not up on engineer problems. They lack the mathematical background one gets in Engineering. you taking the mickey? David A. Scott -- tim -- From: [EMAIL PROTECTED] (Nick Williams) Crossposted-To: comp.theory Subject: Re: discrete logorithm reduction to factoring Date: 15 Dec 1999 13:54:47 - In article 8373h1$7vb$[EMAIL PROTECTED], [EMAIL PROTECTED] wrote: It is my understanding from these discussions that if there was a solution for discrete log, with say a worst case asymtote that was cubic, that then factoring would be polynomial as well. Given that this is cross-posted to sci.crypt, as well as comp.theory, I guess you're most interested in the cryptographic take on this. To be honest, I've no idea whether being able to do a discrete logarithm in polynomial time implies the ability to factor in polynomial time. I do know that the ability to do discrete logarithms in finite groups would be allow you to break (for example) RSA much more easily, since the inverse operation of modular exponentiation is the calculation of a discrete logarithm in a finite group: the difficulty of breaking the RSA cryptosystem has not (to my knowledge) ever been proven to be difficulty of factoring (pq). Cheers, Nick. -- [ Nick Williams ] [ MSc Computation Mobile - 07957-138179 ] [ New College, Oxford http://www.new.ox.ac.uk/~nick/ ] -- From: Olaf Kesch [EMAIL PROTECTED]
Cryptography-Digest Digest #745
Cryptography-Digest Digest #745, Volume #10 Wed, 15 Dec 99 14:13:01 EST Contents: Re: How easy would this encryption be to crack? - revised ("Tim Wood") Re: Non-linear PRNGs (David Wagner) Re: Non-linear PRNGs (David Wagner) beginner question (Michael Combs) Re: discrete logorithm reduction to factoring (David Wagner) Re: SSL/RC4_128_EXPORT40 (David Wagner) Re: Why no 3des for AES candidacy (wtshaw) Re: Better encryption? PGP or Blowfish? (Tom St Denis) Re: The Code Book Re: Data Encryption in Applet? ("Law Wun Suen, Brian") Re: Conditional (keyed) bidirectional hash function ? (Niall Parker) Re: Why no 3des for AES candidacy (Uri Blumenthal) Skytale? (John Bottoms) Re: Why no 3des for AES candidacy ("Tim Wood") Re: Better encryption? PGP or Blowfish? (SCOTT19U.ZIP_GUY) Re: Better encryption? PGP or Blowfish? (James Felling) Re: Why no 3des for AES candidacy (Eric Lee Green) Re: Deciphering without knowing the algorithm? (SCOTT19U.ZIP_GUY) Re: Non-linear PRNGs (Mok-Kong Shen) From: "Tim Wood" [EMAIL PROTECTED] Subject: Re: How easy would this encryption be to crack? - revised Date: Wed, 15 Dec 1999 16:39:29 - Steven Siew wrote in message [EMAIL PROTECTED]... SNIP Frankly I'm not good at java, is byte same as char or is it same as unsigned char? nothing about the algorithm: but in Java a "char" is a Unicode character (16 bits) a "byte" is 8bits (not pretentious it _could_ be different in Java). SNIP Steven Siew -- From: [EMAIL PROTECTED] (David Wagner) Subject: Re: Non-linear PRNGs Date: 15 Dec 1999 08:36:04 -0800 In article [EMAIL PROTECTED], John Myre [EMAIL PROTECTED] wrote: I'm not convinced that the bootstrapping to more bits would work so straightforwardly. Doesn't the same observation about low bits not depending on high bits hold for linear systems? AFAIK, those are not solved in this stepwise way. Linear systems usually aren't (because there are better ways), but they could be. And even reducing mod 4 leaves f(x) = a_0 + a_1*x + a_2*x^(2) + a_3*x^(3). Suppose there are n unknown coefficients a_0,...,a_n. Then it should be clear that, at the very least, there is an attack using O(m * 2^n) work, since once you know the a_i's mod 2^{k-1}, you can learn them mod 2^k by simply guessing their k-th bits and checking the equation above mod 2^k. Now iterate from k=1 to k=m; in each iteration, you guess n bits (one bit for each coefficient), so the total running time is as claimed. And I think this idea can be further improved, by noting that x^(k) = 0 mod 2^k for all x, and Pr[x^(k) = 0 mod 2^{k+1}] = 1/2, and so on. (Or roughly like that: it might be x^(k+c) for some small constant c.) Consequently, in the k-th iteration, we need to know only k bits of a_0, k-1 bits of a_1, k-2 bits of a_2, ..., one bit of a_{k-1} -- and we don't need to know a_j for any j=k. Therefore it will take only O(k * 2^k) work to be able to predict the low k bits of the output of this generator. This will often already be enough to provide enough of an entry to read a fair amount of traffic, given the redundancy in English text. (It takes O(m*min(2^m,2^n)) work if you want to predict the entire output, using this technique, so better choose n and m to be large...) And I suspect there may well be better attacks. I just don't have time to look any deeper. -- David -- From: [EMAIL PROTECTED] (David Wagner) Subject: Re: Non-linear PRNGs Date: 15 Dec 1999 08:38:18 -0800 In article [EMAIL PROTECTED], Pelle Evensen [EMAIL PROTECTED] wrote: Side note, has anyone studied the cryptographic properties of multiply with carry generators? What cryptographic properties? -- From: Michael Combs [EMAIL PROTECTED] Subject: beginner question Date: Wed, 15 Dec 1999 16:27:29 GMT I have little or no experience with encryption/decryption and have a small problem I hope you can help me with. I am trying to decode a file format that appears to be encrypted by the rearrangement of chunks of data and apparently the use of offsets. Most of the data is text and can be clearly read, although in pieces throughout the file. These files are large and the data doesn't seem to have a simple systematic scheme. A data set, encrypted twice, results in a different output file. This, I am assumming, means that all of the data to decode the file is in the file. Is there any logical or statistical analysis I can use the break this code. I have access to the data set and the encryption app so I can create the encrypted output. I would be extremely greatful to anyone that could assist me. Thanks in advance, mike [EMAIL PROTECTED] Sent via Deja.com http://www.deja.com/ Before you buy. -- From: [EMAIL PROTECTED] (David Wagner) Crossposted-To: comp.theory Subject: Re: discrete logorithm
Cryptography-Digest Digest #746
Cryptography-Digest Digest #746, Volume #10 Wed, 15 Dec 99 18:13:01 EST Contents: Re: Non-linear PRNGs (Mok-Kong Shen) Re: Non-linear PRNGs (Mok-Kong Shen) Re: Non-linear PRNGs (Mok-Kong Shen) Re: discrete logorithm reduction to factoring ("Roger Schlafly") Re: Non-linear PRNGs (John Savard) Re: Skytale? (John Savard) Re: Prime series instead (Re: Pi) (Erik Max Francis) Re: Deciphering without knowing the algorithm? (Paul Koning) which is safer for creating session keys (Tom St Denis) Re: The Code Book (Jim Reeds) Re: how easy would this encryption be to crack? (Frank Gifford) Re: discrete logorithm reduction to factoring (Scott Fluhrer) Re: how easy would this encryption be to crack? (Jerry Coffin) Off topic -- 4 year old (Sukhoi2000) Re: Simple newbie crypto algorithmn ([EMAIL PROTECTED]) Re: Better encryption? PGP or Blowfish? (SCOTT19U.ZIP_GUY) Re: security of 3des ?= des (Paul Schlyter) From: Mok-Kong Shen [EMAIL PROTECTED] Subject: Re: Non-linear PRNGs Date: Wed, 15 Dec 1999 19:44:52 +0100 Tim Tyler wrote: The BBS PRNG derives its security from the difficulty of factoring the modulus into its large prime factors. The generator described at this thread's head has a modulus of 2^m - and multiplying primes together is not even mentioned. I don't think that all cryptologically good PRNG must follow the line of BBS. If the cofficients of the polynomial can be shown to be hard to infer and the bits are statitically good,then one has a serious candidate of use in applications. Note that BBS takes only 1 bit from each number generated. The present scheme is intended, as far as I understand, to use all 32 bits (assuming 32 bit word size). Now one can take the parity of the 32 bits, i.e. obtaining only 1 bit from each number generated. In this case I am not quite sure that the present scheme does not offer quite high security. (Anyway I am not yet aware of any work on analsis about parity bit sequences.) M. K. Shen -- From: Mok-Kong Shen [EMAIL PROTECTED] Subject: Re: Non-linear PRNGs Date: Wed, 15 Dec 1999 19:44:22 +0100 Tim Tyler wrote: Mok-Kong Shen [EMAIL PROTECTED] wrote: :Let f(x) = a_0 + a_1*x^(1) + a_2*x^(2) + . + a_n*x^(n) :where x^(k) = x(x-1)(x-2)...(x-k+1). :Then the generator u(i) = f(u(i-1)) mod 2^m (m2) has period :2^m if and only if the following congruences hold: :a_0 = 1 mod 2, a_1 = 1 mod 4, a_2 = 0 mod 2, a_3 = 0 mod 4. [...] : Question: Has anyone studied such PRNGs from cryptological point : of view? I surmise that they are extremely hard for analysis even : with moderate values of n. The reference I was thinking of was from RFC1750: Not only have linear congruent generators been broken, but techniques are now known for breaking all polynomial congruent generators [KRAWCZYK]. [KRAWCZYK]: How to Predict Congruential Generators, Journal of Algorithms, V. 13, N. 4, December 1992, H. Krawczyk. http://www.cis.ohio-state.edu/htbin/rfc/rfc1750.html http://blitzen.canberra.edu.au/RFC/rfc/rfc1750.html I /believe/ the generator proposed above *is* simply a polynomial congruent generator - if you expand out the "^" operations into their component parts. You don't have to /believe/. Isn't it at first look obvious to you that f(x) IS polynomial? Isn't BBS based on a polynomial (a quadratic) and hence according to the above broken? M. K. Shen -- From: Mok-Kong Shen [EMAIL PROTECTED] Subject: Re: Non-linear PRNGs Date: Wed, 15 Dec 1999 19:44:38 +0100 John Savard worte: Mok-Kong Shen [EMAIL PROTECTED] wrote, in part: Question: Has anyone studied such PRNGs from cryptological point of view? I surmise that they are extremely hard for analysis even with moderate values of n. One thing is clear: the Blum-Blum-Shub algorithm, regarded as secure, is closely related to this. I have only poor knowledge of BBS, hence a question: What can be said of the period of BBS in general? (Would the period be dependent on the choice of the seed?) Thanks in advance. M. K. Shen -- From: "Roger Schlafly" [EMAIL PROTECTED] Crossposted-To: comp.theory Subject: Re: discrete logorithm reduction to factoring Date: Wed, 15 Dec 1999 10:07:52 -0800 [EMAIL PROTECTED] wrote in message news:8373h1$7vb$[EMAIL PROTECTED]... Is it true that discrete log reduces to factoring ? Unknown. All we know is that known techniques for factoring have analogous techniques for discrete logs, and vice versa. The asymptotics are similar, but in the range of cryptographic interest the discrete log implementations are a lot more difficult than factoring. -- From: [EMAIL PROTECTED] (John Savard) Subject: Re: Non-linear PRNGs Date: Wed, 15 Dec 1999 12:27:41 GMT Tim Tyler [EMAIL PROTECTED]
Cryptography-Digest Digest #747
Cryptography-Digest Digest #747, Volume #10 Thu, 16 Dec 99 00:13:02 EST Contents: Re: Deciphering without knowing the algorithm? (CLSV) Re: which is safer for creating session keys (Hanna Pehrson) Re: Non-linear PRNGs (Hanna Pehrson) Re: Non-linear PRNGs (Tim Tyler) Re: Non-linear PRNGs (David Wagner) Re: Prime series instead (Re: Pi) (Matthew Montchalin) Re: Deciphering without knowing the algorithm? (SCOTT19U.ZIP_GUY) Invitation to our homepage ("(ÁÖ)»ó¾Æ´º¸Åƽ") "Day of Deceit" by Robert Stinnett (Anonymous) Re: Prime series instead (Re: Pi) ("Trevor Jackson, III") Re: Why no 3des for AES candidacy (Uri Blumenthal) Re: Prime series instead (Re: Pi) (Matthew Montchalin) Re: Off topic -- 4 year old ("r.e.s.") Re: Scott's Screaming Security Method (lobsterboy) From: CLSV [EMAIL PROTECTED] Subject: Re: Deciphering without knowing the algorithm? Date: Wed, 15 Dec 1999 23:18:34 + "SCOTT19U.ZIP_GUY" wrote: [...] Yes I know not all the good cryptoheads live in the US but what makes you think the NSA would not kill or silence them if they are precieved as a threat. I though just this last year there was a strange death of a European expert. Do you really thing the NSA would let some one in Europe make real progress who was not controlled directly by them. Well I wasn't talking specific of Europe. Asia has many bright cryptographers, they can also be found in the Middle East, maybe some are in Africa and South Amerika. The former Soviet Union probably has more than we can count. Some are working for agencies like NSA (i.e. out of reach), many of them work for universities and companies. Their safety lies in their numbers. There are just too much to threaten, bribe or kill. But this kind of discussion belongs to alt.conspiracy. Don't forget even the Swiss are in bed with the NSA you do remember how they modifed the swiss crypto equipment so as to help in spying. I have heard the rumors. But remember that Crypto AG can not really be considered a member of the open cryptographic community. They use many (company)secret algorithms. Breaking a cipher costs effort. So if someone is willing to take time to look into a design on this forum it is a favour. Yes I did consider it a favor. And I understanf Mr BS and friends have looked at my stuff but don't have the balls to say much about it. I think it is to embarassing for them. Well, maybe your cipher is hard to understand and/or break. This does not mean per se that the security is as high as you claim it is. Most attention these days goes to the AES contest which is the most important cryptographic event of this moment. So it is logical to see more cryptanalysis on the contestants than on your (probably complex) cipher. Regards, Coen Visser -- From: Hanna Pehrson [EMAIL PROTECTED] Subject: Re: which is safer for creating session keys Date: Thu, 16 Dec 1999 00:55:36 +0100 Tom St Denis wrote: Which is safer hashing KEY+SALT or SALT+KEY? I meant the actual order in which the data is stored. [or does it matter at all]. I am using SHA-1 as the hash btw. I ask this because I have been fiddling with Peekboo which uses KEY+SALT format, and I wonder if that is ok. Normally if KEY+SALT were under 256 bits it wouldn't matter with sha since it expands them with thourough mixing, however in peekboo I hash the hexidecimal copy of both so it's actually 576 bits of data being hashed. This paper discusses some vulnerabilities in MACs built on hash functions, in particular analysis of using keys as prefix, suffix and envelope for the message; B. Preneel and P. van Oorschot, MDx-MAC and building fast MACs from hash functions, ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/preneel/mdxmac_crypto95.ps.gz /Pell -- From: Hanna Pehrson [EMAIL PROTECTED] Subject: Re: Non-linear PRNGs Date: Thu, 16 Dec 1999 01:32:07 +0100 David Wagner wrote: In article [EMAIL PROTECTED], Pelle Evensen [EMAIL PROTECTED] wrote: Side note, has anyone studied the cryptographic properties of multiply with carry generators? What cryptographic properties? Sorry for being vague. In particular, how easy it would be to deduce the state of a generator of this kind, based on its output? All multiplication and addition is mod 2^w. h = w / 2 m[] are constants satisfying m[x] * 2^h -1 is prime. s[] is the state of the generator m[] and s[] are the same size For each output of h bits, do c' = m[x-1] * s[x-1] + m[x-2] * s[x-2] + m[x-...] * s[x-...] + c / 2^h s[x] = c' / 2^h output = s[x] This assuming m[] is kept secret. /Pell -- From: Tim Tyler [EMAIL PROTECTED] Subject: Re: Non-linear PRNGs Reply-To: [EMAIL PROTECTED] Date: Thu, 16 Dec 1999 00:20:46 GMT Mok-Kong Shen [EMAIL PROTECTED] wrote: :