Cryptography-Digest Digest #758
Cryptography-Digest Digest #758, Volume #13       Tue, 27 Feb 01 14:13:00 EST

Contents:
  Re: How to find a huge prime(1024 bit?) ("Brendan Shaw")
  Re: how long can one Arcfour key be used?? ("Scott Fluhrer")
  Re: How to find a huge prime(1024 bit?) (Christian Bau)
  Re: On RC4 in C ("Roger Schlafly")
  Re: On RC4 in C (Ted Dennison)
  Re: How to find a huge prime(1024 bit?) (Christian Bau)
  Re: Again on key expansion. (Paul Crowley)
  Re: Rijndael S-box inverse (Paul Crowley)
  Re: The Key Vanishes: Scientist Outlines Unbreakable Code, Read it and Weep Boys ([EMAIL PROTECTED])
  Re: Was there ever a CRM-114 Discriminator? (Mike Rosing)
  Re: On RC4 in C (William Hugh Murray)
  Re: Again on key expansion. ("Cristiano")
  What is the probability that an md5sum of a group of md5sums will be the (jtnews)

----------------------------------------------------------------------

From: "Brendan Shaw" <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,sci.math
Subject: Re: How to find a huge prime(1024 bit?)
Date: Tue, 27 Feb 2001 16:18:38 -

"Lynn Killingbeck" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Not correct, here. This is the proof that there is no largest prime.
> When you compute 1*2*...*N+1, then either: (1) this number is also a
> prime, and larger than N; or (2) there is a prime larger than N that
> divides this number. In either case, there is a prime larger than N,
> completing the proof-by-contradiction. Your statement that this number
> is necessarily prime, is not a correct statement (but, it is a common
> mis-statement!). Try N=4, for example, where 1*2*3*4+1=25 is not prime.

As I said in an earlier post, I think the Greeks (Euclid?) multiplied the
first N *prime* numbers together.

And re this by Thomas Boschloo -

> by 4, etc. So in fact, I have proven that in the distribution of prime
> numbers, you can find a gap of ANY length you like. The gap in the
> previous example is e.g. x-1, and maybe even larger. Now what does this
> mean if we still want the number of primes until 'N' to approach
> N/ln(N)? (I can't prove this fact myself, but I have a book that has the
> proof for this I think). Well, if there are large gaps like this (and I
> don't feel like calculating P(1..x)/log(P(1..x)), I guess it is getting
> late again), maybe there are also places where there are a lot of prime
> numbers after one another. Which the prime generation method of PGP 263i
> will (statistically) MISS!!

Yes, there are arbitrarily large runs of composite numbers. But there
aren't such runs of prime numbers. Every second number is even and thus,
er, composite :))

And don't forget, if you do have some billion-long sequence of numbers
without a prime, the number of decimal digits in those numbers is probably
in the quadrillions of quadrillions. So when you step back and look at the
amount of 'space' that doesn't contain a prime, it is still pretty small.
I guess the number of primes, pi(n), is still somewhere near n/ln(n).

I'm not a mathematician, as should be fairly obvious ;)

Brendan.

------------------------------

From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Subject: Re: how long can one Arcfour key be used??
Date: Tue, 27 Feb 2001 08:28:13 -0800

Julian Morrison <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> "Scott Fluhrer" <[EMAIL PROTECTED]> wrote:
>
> >> Also, does anyone know how this varies with key length and
> >> number-of-mixes (N in CipherSaber-2)?
> > Is 'number-of-mixes' the number of passes you do during key setup (with
> > 1 being standard RC4)?
>
> Yes.
>
> > If so, then no, that has no effect.
>
> Ok. How about key length? One of my intended algorithms will use throwaway
> from-scratch DH to set up a key, but creating DH primes for a full length
> 256 byte RC4 key would take several minutes a pop, way too slow. (I'm
> doing it this way so as to have "forward security" - once the transaction
> is over, there should be no way to decrypt it from wiretap records and a
> seized machine.)
>
> For example, CipherSaber suggests a 62 byte key + IV; for how long could
> that be used?

Again, that has no effect against the best known distinguishing attacks.

--
poncho

------------------------------

From: [EMAIL PROTECTED] (Christian Bau)
Crossposted-To: alt.security.pgp,sci.math
Subject: Re: How to find a huge prime(1024 bit?)
Date: Tue, 27 Feb 2001 16:47:39 +

In article <97gk1v$1rm$[EMAIL PROTECTED]>, "Brendan Shaw"
<[EMAIL PROTECTED]> wrote:

> "Lynn Killingbeck" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> >
> > Not correct, here. Th
Cryptography-Digest Digest #758, Volume #12       Sat, 23 Sep 00 23:13:00 EDT

Contents:
  Re: A Note on news groups. (SCOTT19U.ZIP_GUY)
  Re: Music Industry wants hacking information for cheap (Scott Craver)
  Re: New Strong Password-Authentication Software (Thomas Wu)
  Re: What am I missing? (Scott Craver)
  Re: A Note on news groups. (MIchael Erskine)
  Re: Please verify (John Savard)
  Re: How many possible keys does a Playfair cipher have? (John Savard)
  Re: Please verify (John Savard)
  Re: Please verify (John Savard)
  Re: Big CRC polynomials? ("bubba")
  Re: New Strong Password-Authentication Software (Benjamin Goldberg)
  Re: A Note on news groups. ("Paul Pires")

----------------------------------------------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: A Note on news groups.
Date: 24 Sep 2000 01:04:30 GMT

[EMAIL PROTECTED] (John A. Malley) wrote in <[EMAIL PROTECTED]>:

>Paul Pires wrote:
>>
>> I don't know if anyone else has noticed but Usenet has been
>> acting stranger than usual lately. Particularly on the west coast.
>>
>> news-west.usenetserver.com
>>
>> From what I have been able to find out, a major player out west
>> has had problems, is trying to rebuild, and has off-loaded much
>> of their traffic to the east coast servers, mucking them up too.
>>
>> I see missing posts, Re: 's to new topics where the root post is
>> missing and replies to replies of some of my posts where I can't see
>> the first reply.
>
>I noticed this, too. I am also on the West Coast of the U.S.
>Gaps in threads appeared this week when viewing sci.crypt postings via
>news.compuserve.com.
>
>John A. Malley
>[EMAIL PROTECTED]
>
>>
>> Paul

I thought I read an article a while back that stated USENET is dying and
the transmissions interfere with other web stuff that people use more
frequently, so it is not given the retransmission priority it once had. I
know "the interfere part" is a lie, but how many people use telenet any
more. And yet here in El Paso the USENET stuff is off for days; when I
call my ISP they act surprised, since they feel so few people use it that
I was the first to complain.

David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website **now all allowed** http://members.xoom.com/ecil/index.htm
Scott LATEST UPDATED source for scott*u.zip
http://radiusnet.net/crypto/ then look for sub directory scott after pressing CRYPTO
Scott famous Compression Page http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMMERS***
I leave you with this final thought from President Bill Clinton:

------------------------------

From: [EMAIL PROTECTED] (Scott Craver)
Subject: Re: Music Industry wants hacking information for cheap
Date: 24 Sep 2000 01:36:04 GMT

zapzing <[EMAIL PROTECTED]> wrote:
>
>So do you really believe that *all* of
>the recording, copying, and playing equip.
>will be SDMI compliant ??? What if I want to
>put a private surveillance camera in my
>own house ???

You seem to be a bit confused about what SDMI is. The "DM" in "SDMI"
stands for DIGITAL MUSIC. SDMI is not going to be applied to camcorders or
TVs, but to portable devices for playing digital music.

Also, you seem to be a bit confused about what watermarking is. This
won't prevent you from recording your own stuff, like with a camera or a
microphone. Even if you connected a surveillance camera to a digital video
recording device with DVD watermark detection (which would be stupid
overkill, considering the low quality of the camera), it wouldn't somehow
refuse to record. Input from your camera won't have any watermark
magically embedded in it! The proposed DVD watermarking scheme would only
refuse to record something that has already been marked "do not record."

>That the entertainment industry has a right to
>protect its patents, I agree. That they have a
>right to protect them in this way, which would
>be so intrusive into people's lives that it's
>ridiculous, I disagree.

You don't think they have the legal power to do so? It's very simple: if
you want to manufacture and sell DVD recorders, legally, you need to
license their patents. They won't let you use their patents unless you
agree to incorporate DVD watermark detection.

>Void where prohibited by law.

-S

------------------------------

From: Thomas Wu <[EMAIL PROTECTED]>
Subject: Re
Cryptography-Digest Digest #758, Volume #11       Fri, 12 May 00 02:13:01 EDT

Contents:
  (May 11, 2000) Cipher Contest Update ("Adam Durana")
  Re: More on Pi and randomness (Gerry Myerson)
  Re: Prime Generation in C,C++ or Java (David Hopwood)
  Problems with CBC-MAC (was Is Microsoft CryptoAPI's CALG_MAC really (David Hopwood)
  Re: The Clinton Emails have been found (The Asshole)
  Re: Hardware RNG ("ashwood")
  Re: RSA ("ashwood")
  Cipher contest analysis [several] ("ashwood")
  other question for iraqi block cipher ("boby89")
  Re: Cipher contest analysis [several] (Andru Luvisi)

----------------------------------------------------------------------

From: "Adam Durana" <[EMAIL PROTECTED]>
Subject: (May 11, 2000) Cipher Contest Update
Date: Thu, 11 May 2000 21:42:26 -0400

I am going to start doing periodical postings about the contest. Right now
there are five ciphers in the listing. The one at the top of the list is
LETSIEF2, which was submitted April 7th. The original LETSIEF was
successfully analyzed by Matthew Fisher. Matthew Fisher has submitted a
cipher called VORTEX and it is in second place at the moment. Next there
is another cipher from the author of the LETSIEF ciphers, Boris Kazak,
named MMBOOZE. Next in fourth place is PIKACHU and LJA1, by Tom St Denis
and Andru Luvisi respectively. These two ciphers were submitted today
(May 11th). Ciphers are removed from the listing once they have been
broken.

Anyone can participate in the contest. Everything you need to know to get
your submission together is at
http://www.wizard.net/~echo/crypto-contest.html
Take a look at some of the other submissions for a better idea of what a
submission should look like.

I would like to define on the web site what it means to break a cipher, so
the cipher is removed from the listing. Right now all the page states is
that to get a cipher removed the attack has to be on the full version of
the cipher, i.e. no reduced round variants. I would define a successful
attack as an attack which is able to recover the plaintext, or key, from
the ciphertext with less work than brute force. Now if the key space was
say 1024 bits, and an attack came up that would recover the key or plain
text with 2^1000 work, should that still be considered an attack good
enough to get the cipher removed? Obviously no one is going to be able to
actually use that attack for a while, if ever. But I think when someone
publishes a cipher for analysis, they are saying that the only attack they
can come up with is brute force. Any attack better than that would be a
breakthrough. So if an attack arises that can recover the key or plaintext
faster than brute force, I think that attack should get the cipher removed
from the listing. Keep in mind this is a contest of cipher design.

- Adam

------------------------------

From: Gerry Myerson <[EMAIL PROTECTED]>
Crossposted-To: sci.math
Subject: Re: More on Pi and randomness
Date: Fri, 12 May 2000 11:38:50 +1000

In article <8ff6rb$lu9$[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Paul
Schlyter) wrote:

=> the algebraic numbers has a periodic chain fraction expansion

No, only the quadratic irrationals have a periodic continued fraction.

Gerry Myerson ([EMAIL PROTECTED])

------------------------------

Date: Fri, 12 May 2000 00:50:07 +0100
From: David Hopwood <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Prime Generation in C,C++ or Java

-----BEGIN PGP SIGNED MESSAGE-----

Mark Wooding wrote:
> Herb Savage <[EMAIL PROTECTED]> wrote:
>
> > That's actually a (1-1/2^98) probability or greater than
> > 99.999% probability.
>
> I don't know the interface details. However, if what you're basically
> claiming is that the number `98' is the number of iterations of some
> probabilistic test to apply, then you've quoted the probability that the
> test will mistakenly pass a composite number as being prime.

That's not necessarily the case (that 98 is the number of iterations), and
you do need to know the interface details. Here they are:

    /**
     * Constructs a randomly generated positive BigInteger that is probably
     * prime, with the specified bitLength.
     *
     * @param bitLength bitLength of the returned BigInteger.
     * @param certainty a measure of the uncertainty that the caller is
     *        willing to tolerate. The probability that the new
     *        BigInteger represents a prime number will exceed
     *        (1 - 1/2^certainty). The execution time
     *        of this constructor is proportional to the value of this
     *        parameter.
     * @param rnd source of random bits used to select candidates to be
     *        tested for primality.
     * @throws ArithmeticException bitLength < 2.
     * @see #bitLength
     */
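The javadoc quoted above promises only an error bound, 1 - 1/2^certainty; it says nothing about how many test rounds are run, which is David Hopwood's point. The Python below is an added example (not part of the thread, and not the JDK's BigInteger implementation) showing one way a `certainty` parameter can be honoured: a single Miller-Rabin round with a random witness lets a composite through with probability at most 1/4, so ceil(certainty/2) rounds are enough for the stated bound. The function names and the certainty-to-rounds mapping are this example's own assumptions, not the JDK's.

```python
import math
import random


def miller_rabin_round(n: int, a: int) -> bool:
    """One Miller-Rabin round for odd n > 2 with witness a.
    True means n survived the round (n is prime, or a happens to be
    a strong liar for composite n)."""
    d, s = n - 1, 0
    while d % 2 == 0:          # write n - 1 = d * 2**s with d odd
        d //= 2
        s += 1
    x = pow(a, d, n)
    if x in (1, n - 1):
        return True
    for _ in range(s - 1):
        x = pow(x, 2, n)
        if x == n - 1:
            return True
    return False               # a is a witness: n is definitely composite


def rounds_for_certainty(certainty: int) -> int:
    """Assumed mapping (this example's choice, not the JDK's): each round
    passes a composite with probability <= 1/4 = 2**-2, so ceil(certainty/2)
    independent rounds give an error bound of 2**-certainty."""
    return max(1, math.ceil(certainty / 2))


def is_probable_prime(n: int, certainty: int, seed=None) -> bool:
    """Trial division by a few small primes, then enough random-witness
    Miller-Rabin rounds for the requested certainty."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    rnd = random.Random(seed)  # seedable so the behaviour is reproducible
    for _ in range(rounds_for_certainty(certainty)):
        a = rnd.randrange(2, n - 1)
        if not miller_rabin_round(n, a):
            return False
    return True


def probable_prime(bit_length: int, certainty: int, seed=None) -> int:
    """Mirror of the BigInteger(bitLength, certainty, rnd) contract: draw
    odd candidates with the top bit set until one passes the test."""
    if bit_length < 2:
        raise ArithmeticError("bitLength < 2")
    rnd = random.Random(seed)
    while True:
        cand = rnd.getrandbits(bit_length) | (1 << (bit_length - 1)) | 1
        if is_probable_prime(cand, certainty, rnd.random()):
            return cand


if __name__ == "__main__":
    print(rounds_for_certainty(98), "rounds for certainty 98")
    print(probable_prime(64, 98, seed=3))
```

So a caller who passes certainty=98 gets the 1 - 2^-98 bound, but the test runs 49 rounds here, not 98; an implementation is free to use fewer rounds still (for example by exploiting the much smaller error rate on random candidates, or by adding a Lucas test), which is exactly why the iteration count cannot be read off the interface.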
Cryptography-Digest Digest #758, Volume #10       Fri, 17 Dec 99 20:13:01 EST

Contents:
  Re: DES as pseudo random number generator (Tim Tyler)
  Re: RSA, how to calculate big numbers (Ian Wehrman)
  Re: Questions about message digest functions (Tim Tyler)
  Microsoft- PKI/E-comm Director Opening ([EMAIL PROTECTED])
  Re: Reducing Key Sizes (Keith A Monahan)
  Re: ARC4 cipher... (Bill Unruh)
  Re: RSA, how to calculate big numbers ([EMAIL PROTECTED])
  Re: RSA, how to calculate big numbers ("Dann Corbit")
  Re: Deciphering without knowing the algorithm? ("Rick Braddam")
  Re: Q: BBS (Terry Ritter)
  Re: BBS (Terry Ritter)
  Re: Euclid Algorithm ("Miryadi")
  Re: RSA, how to calculate big numbers ([EMAIL PROTECTED])

----------------------------------------------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: DES as pseudo random number generator
Reply-To: [EMAIL PROTECTED]
Date: Fri, 17 Dec 1999 23:12:04 GMT

Markus Eiber <[EMAIL PROTECTED]> wrote:

: As you know one-time-pad is a cipher with perfect secrecy.
: How about a one-time-pad using a DES generated pseudo random number
: sequence? [...]
: The seed and DES key will be transmitted secure to the recipient of the
: message and he may decrypt the message after creating the identical pseudo
: random number sequence by adding it to the cipher.
: The security of this cipher depends only on the quality of the pseudo random
: number sequence.
: How secure is it?

About the same as DES used in OFB mode ;-)

OFB is not generally the most secure DES mode. For example, most DES modes
diffuse plaintext information over an entire block. OFB mode does not
diffuse the plaintext information at all.

In other words, it is vulnerable to governmental DES crackers everywhere ;-)
--
__
|im |yler  The Mandala Centre  http://www.mandala.co.uk/  [EMAIL PROTECTED]

Never eat anything bigger than your head.

------------------------------

From: Ian Wehrman <[EMAIL PROTECTED]>
Subject: Re: RSA, how to calculate big numbers
Date: Fri, 17 Dec 1999 17:34:03 -0600

get on a unix machine, use 'bc'

later,
ian

Bart Peeters wrote:
>
> I have to calculate:
>
> (32567023914^367151)%437
>
> How can I do that?

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Questions about message digest functions
Reply-To: [EMAIL PROTECTED]
Date: Fri, 17 Dec 1999 23:32:41 GMT

James Felling <[EMAIL PROTECTED]> wrote:
: Tim Tyler wrote:
:> James Felling <[EMAIL PROTECTED]> wrote:
:> : Tim Tyler wrote:

[A hash with only four used values?]

:> : [...] and mapping all values to 1 of 4 values is very resistant to being
:> : worked backward [...]
:>
:> No. It's likely to be trivial to "work backwards":
:>
:> Validate the hashes on a few messages - until the values of all four
:> hashes are known.
:>
:> Then append these four hashes in turn to your target message. One of them
:> will validate as being correct. You don't need the private information
:> about the primes (or whatever) that are used to generate the hash in order
:> to be able to do this.

: Accepted -- though this attack is equivalent to for an n bit hash append
: all 2^N possible hashes to the message and see which one works.

Hang on. I thought you said there were only 4 hash values. Do you also
mean the hash is only two bits long?? If so, why would reverse engineering
the hash be *at all* difficult?

I've been assuming the hashes under discussion are suitable for use in
signing or validating messages - i.e. that it is a one-way hash function
which can be generated with a private key, but validated with a publicly
available one. Your comments don't make much sense in this context. I
presume you are thinking about a hash which is used for something else,
and is not suitable for validating messages?

: In addition if you are given two messages, both of which hash to value
: #4 which message was the valid one?

With a 2-bit hash (or effectively a hash with only two bits of
information), forging messages is pretty trivial - even if the attacker is
just guessing hashes he will succeed about 1 time in 4. Such a scheme
offers precious little security - I'm not sure why it is being discussed.

:> : One must seek to maximize both and remain aware that when it gets down
:> : to it, there are tradeoffs that must occur.
:>
:> Tradeoffs are not required. Collision resistance and security do not
:> pull in opposed directions.

: They do indeed, it is simply that if one possesses a very good hash that
: manages a high level of both, it is hard to improve one without hurting
: the other.

You're talking about practical issues in designing hash functions? Such
difficulties don't appear to exist in principle. A hash function should be
as hard as possible to rever
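Ian Wehrman's "use bc" answers Bart Peeters' question about (32567023914^367151)%437 in the RSA thread above, but the general technique every RSA implementation relies on is square-and-multiply modular exponentiation, which reduces after each step and never forms the full power. The block below is an added example, not code from the thread or from bc; the function names are this example's own.

```python
import math


def mod_pow(base: int, exp: int, mod: int) -> int:
    """Right-to-left square-and-multiply: base**exp mod `mod`.
    Every product is reduced immediately, so no operand ever exceeds
    mod**2, however large base**exp itself would be."""
    if mod <= 0:
        raise ValueError("modulus must be positive")
    if exp < 0:
        raise ValueError("negative exponents need a modular inverse first")
    result = 1 % mod           # 1 % 1 == 0 handles the degenerate modulus 1
    base %= mod
    while exp:
        if exp & 1:            # this exponent bit is set: multiply it in
            result = (result * base) % mod
        base = (base * base) % mod   # square for the next bit
        exp >>= 1
    return result


def mod_pow_cost(exp: int):
    """(squarings, multiplications) the loop above performs: one squaring
    per exponent bit and one extra multiply per set bit."""
    return exp.bit_length(), bin(exp).count("1")


def digits_of_full_power(base: int, exp: int) -> int:
    """Approximate decimal length of base**exp computed without reduction,
    i.e. the intermediate size step-by-step reduction avoids."""
    return int(exp * math.log10(base)) + 1


if __name__ == "__main__":
    # Bart Peeters' numbers from the thread; the result agrees with
    # Python's built-in three-argument pow().
    b, e, m = 32567023914, 367151, 437
    print(mod_pow(b, e, m), pow(b, e, m))
    print("squarings, multiplies:", mod_pow_cost(e))
    print("digits if computed in full: about", digits_of_full_power(b, e))
```

Python's built-in pow(b, e, m) does the same thing in C and is what to use in practice. One caveat for anyone tempted to lift this loop into real RSA code: the branch on each exponent bit makes running time depend on the private exponent, so production implementations use a constant-time ladder or blinding instead.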
Cryptography-Digest Digest #758, Volume #9       Thu, 24 Jun 99 04:13:03 EDT

Contents:
  Re: Secure broadcast ("Gene Sokolov")
  Re: one time pad (Jerry Coffin)
  Re: Kryptos article ("Douglas A. Gwyn")
  Re: one time pad ("Douglas A. Gwyn")
  Re: Sexual Contact Privacy :) ([EMAIL PROTECTED])
  Re: "Breaking" a cipher (Jerry Coffin)
  Re: one time pad ("Douglas A. Gwyn")
  Re: one time pad ("Douglas A. Gwyn")
  Re: one time pad (Greg Ofiesh)
  Re: Encryption Algorithm Functional? ("Douglas A. Gwyn")
  Re: Arbitrary Huffman tree and weights distribution (was: huffman code length) (Alex Vinokur)
  Re: Converting arbitrary bit sequences into plain English texts (Boris Kazak)
  Re: one time pad (Jerry Coffin)

----------------------------------------------------------------------

From: "Gene Sokolov" <[EMAIL PROTECTED]>
Subject: Re: Secure broadcast
Date: Thu, 24 Jun 1999 10:11:31 +0400

<[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> > Yes, it is too expensive. That's why in I.1 I wrote how much data is worth
> > ($500/month). I guess "too expensive" starts at about $10K.
>
> You may be underestimating the value of a cracked password. The threat
> model you presented includes only potential customers using your data
> without paying for it. What about competitors? A competitor could
> spend $500,000, twice what a 56-bit cracker cost a while ago, and recoup
> the investment in one year with only a hundred
> customers.

That's really not an issue. The competition can pay $500/month and then
rebroadcast the data. No need to spend half a million. Or, even easier,
they can buy this data from us over the Internet - it's cheaper. But, we
know our competition. If they start reselling our data, we can always sue
them. Individuals are seen as the primary threat.

------------------------------

From: [EMAIL PROTECTED] (Jerry Coffin)
Subject: Re: one time pad
Date: Thu, 24 Jun 1999 00:18:24 -0600

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...

[ ... ]

> If you assume that a plausibly valid message is all ASCII, you have about
> 100^100 messages to eyeball. Assume that there are spaces on the average
> every five letters, and you have about 80^100 potential messages.
>
> So far, your computer has rejected a huge number of messages, so huge that
> it can't be done.

The problem isn't with the number of messages involved. The problem is
that if you supply all possible keys, you'll get EVERY message you consider
plausible. I.e. the original message will have no effect on what you get
-- only the preconceptions YOU bring into it will. If you decide that
messages that contain only characters from 32 to 127 (i.e. printable ASCII
characters) are plausible, you'll get EVERY possible sequence of
characters in that range.

> >And then you look through the list only to discover one plain text
> >candidate actually has 100 0xa7's and the message looks valid to you.
>
> How many aeons did you say you had to look through this list?

It's irrelevant. The point is that as long as 100 0xa7's in a row is
exactly as likely as any other sequence of 100 characters, the attacker
has no better idea that this particular decryption is valid compared to
all the others that his criteria says are plausible.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Kryptos article
Date: Thu, 24 Jun 1999 06:50:25 GMT

Jerry Coffin wrote:
> I think in this case, their cracking it long before the rest of us
> mostly had to do with their having easy access to it before the rest
> of us did. I'm not sure when Jim started working on the problem, but
> from what he's said, it sounds like once he started working on it, he
> cracked it in less time than they did...

Since I posted an accurate transcript of the Kryptos ciphertext several
years ago, there has been plenty of time to work on it. (ACA's The
Cryptogram published a slightly incomplete and slightly inaccurate version
in the MA92 issue, which was the start of my quest for the complete,
accurate text.) Jim took about 9 days, I think, not counting a preliminary
glance at it earlier and his previous investment in constructing general
cryptanalytic tools (computer and otherwise). Also not counting the time
previously invested in learning and practicing cryptanalysis. (Practice is
more important than you might think.)

I think there are several other people who *could* have cracked Kryptos to
the same degree, but didn't have the motivation or time. It would be nice
if somebody would get that last piece of Kryptos deciphered.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: