Cryptography-Digest Digest #339, Volume #10      Thu, 30 Sep 99 17:13:03 EDT

Contents:
  Re: Schrodinger's Cat and *really* good compression ("Trevor Jackson, III")
  Re: Can anyone help me out with Differential Power Analysis? (James Muir)
  Re: Irish schoolgirl wins European Young Scientist Award ("Michael Scott")
  Re: SNAKE Web Page (Peter Gunn)
  Re: EAR Relaxed? Really? (Greg)
  Random number generation ("j.w.altena")
  Re: EAR Relaxed? Really? ("karl malbrain")
  Re: EAR Relaxed? Really? (Greg)
  Re: RSA in your own code (Michael J. Fromberger)
  Re: Random number generation ("Trevor Jackson, III")
  Re: RSA in your own code (Doug Stell)
  Re: On oldy encryptions (Jim Dunnett)

----------------------------------------------------------------------------

Date: Thu, 30 Sep 1999 15:07:01 -0400
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Schrodinger's Cat and *really* good compression

This is the intuitive explanation, but it is at least incomplete if not
wrong.  There are experiments that, observed, produce a defined result such
as an electron passing through a particular slit.  When the same experiment
is conducted without observation the result differs, such as an electron
passing through two slits and the two paths interfering with one another.

Reality is more subtle than our (classical) intuition.

[EMAIL PROTECTED] wrote:

> In article <[EMAIL PROTECTED]>,
>   [EMAIL PROTECTED] (John Savard) wrote:
> > Alan Braggins <[EMAIL PROTECTED]> wrote, in part:
> >
> > >One explanation I've seen is that the cat is just as good an observer
> > >and causes a collapse inside the box, but leaves the box as whole in
> a
> > >superposition. Then when the box is opened there is another collapse,
> > >but the cat/box/experimenter system is still in a superposition. Then
> > >when the lab door is opened and someone else asks "How's the cat?"
> > >there is another collapse. Then when the paper is published there is
> > >another collapse for each reader who previously didn't know what
> state
> > >the cat was in, and so on, ad infinitum.
> >
> > Actually, opening the lab door won't cause a collapse; that collapse
> > will have happened beforehand, unless the lab was *very* well
> > insulated.
>
> The wave function collapses no matter whether the door is very well
> insulated or not.
>
> My understanding is this: the wave function collapses when it can be
> observed. In other words, when information is emitted then, trivially,
> the probabilistic wave function disappears. No human observer, or
> feline observer, or sentient observer is necessary for this to happen.
>
> Schroedinger's cat is really either dead or alive. We, outside the box
> don't know for sure. A fly inside the box knows. The air inside the box
> "knows" too (it is cold, so the cat is dead). The wave function
> collapsed long before we opened the box. For the same reason a quantum
> computer doesn't require "observers", it only requires processes that
> can be observed.
>
> The wave function is a property of matter. I don't think it is right to
> say that each time we find out something, a wave function collapses. It
> is not our personal act of observing that collapses the wave function.
> It is the other way around: when a wave function collapses (but not
> only then) information is created and therefore it is possible for us
> to find out something. Or: every time information must be created (e.g.
> a photon - or a bullet - strikes a wall) then its wave function
> collapses.
>
> Sent via Deja.com http://www.deja.com/
> Before you buy.

------------------------------

From: James Muir <[EMAIL PROTECTED]>
Subject: Re: Can anyone help me out with Differential Power Analysis?
Date: Thu, 30 Sep 1999 18:50:43 GMT

In article <[EMAIL PROTECTED]>,
  aa wrote:
> Hi there
>
> I wonder if anyone can help me to get keys out of a smartcard with
> Differential Power Analysis.
>
> Best Regards
> Goran
>
> email: [EMAIL PROTECTED]
>

Help yourself.  There's a five step DPA recipe at
http://www.cryptography.com/dpa/technical/index.html

------------------------------

From: "Michael Scott" <[EMAIL PROTECTED]>
Subject: Re: Irish schoolgirl wins European Young Scientist Award
Date: Thu, 30 Sep 1999 20:59:35 +0100

According to a report on Irish radio, the schoolgirl in question, Sarah
Flannery, has herself found an "attack" on her own scheme.


She is only a kid, and the whole thing got hyped up beyond all reason.



--
Mike Scott
=========================================
Fastest is best. MIRACL multiprecision C/C++ library for big number
cryptography
ftp://ftp.compapp.dcu.ie/pub/crypto/miracl.zip



------------------------------

From: Peter Gunn <[EMAIL PROTECTED]>
Subject: Re: SNAKE Web Page
Date: Thu, 30 Sep 1999 20:59:41 +0100

[EMAIL PROTECTED] wrote:

> Peter Gunn wrote:
> >
> > I think I've got this covered, I'm restricting values for
> > g^X mod f(k,P,R) such that
> > g^(g^X mod f(k,P,R)) > Z (being the minimum f(k,P,R)).
> >
> > [ J was the public value in the previous example ]
> >
> > I don't need to 'crack' the public values, just do a compare....
> >
> > for instance, when g==4, if I restrict public values to
> > be > 256 (value, not bits, since 4^256 is > any 512bit value)
> > then all powers of g < Z are forbidden.
> >
> > So attack cannot happen... (hopefully :-)
>
> Ah, now I see what you mean.  Unfortunately though, this won't
> protect against the attack I described.

Unfortunately, you'll have to bear with me for a bit... my brain's
running a bit slow right now (prolly need more swap:-)

> For ease of explanation let me recast the description of SNAKE
> as follows (using a 3-part version just for concreteness):-
>
> 1) A->B:  U, R, V1, V2, V3
>
> where V1 = g^X1 mod Q1
>       V2 = g^X2 mod Q2
>       V3 = g^X3 mod Q3
>
>       Q1 = f(1,P,R)
>       Q2 = f(2,P,R)
>       Q3 = f(3,P,R)
>
> 2) B->A:  S, W1, W2, W3
>
> where W1 = g^Y1 mod Q1
>       W2 = g^Y2 mod Q2
>       W3 = g^Y3 mod Q3
>
>       Q1 = f(1,P,R)
>       Q2 = f(2,P,R)
>       Q3 = f(3,P,R)
>
> Now A calculates K from:-
>
> K = H(U,S,R,P,V1,V2,V3,W1,W2,W3,D1,D2,D3)
>
> where D1 = W1^X1 mod Q1
>       D2 = W2^X2 mod Q2
>       D3 = W3^X3 mod Q3
>
> and B calculates K from:-
>
> K = H(U,S,R,P,V1,V2,V3,W1,W2,W3,E1,E2,E3)
>
> where E1 = V1^Y1 mod Q1
>       E2 = V2^Y2 mod Q2
>       E3 = V3^Y3 mod Q3
>
> and they both arrive at the same K because Di = Ei, i=1,2,3.
>
> 3) A->B:  E[K](S)
>
> 4) B->A:  E[K](R)
>
> Now, I can re-describe the attack I posted yesterday as follows:-
>
> The adversary impersonates B.
>
> Let n be such that g^n < Qi, i=1,2,3.
>
> The adversary sends S, g^n, g^n, g^n to A in step (2).
>
> Now because g^n < Qi, we have g^n = g^n (mod Qi) for i=1,2,3.  This
> means that when A computes Wi^Xi mod Qi it is computing (g^n)^Xi mod Qi
> which is the same as (g^X1)^n mod Qi which equals V1^n mod Qi.
>
> (I'm using the notation A = B (mod N) for the congruence relationship
> between A and B, and the notation A mod N to mean A reduced to its
> least non-negative residue modulo N).
>
> The important thing is that we didn't have to guess the Qi in step (2).
> We gave A values of Wi = g^n that would work for all moduli.  This means
> that we can do our guessing of the password/moduli offline as follows:-
>
> First, accept E[K](S) from A in step (3) and abort.
>
> Now offline, guess P.  From P compute the moduli Qi.
> From Qi compute V1^n mod Qi. Now compute the key K and check it
> against E[K](S).
>
> Doing this we can recover P.
>
> Returning to your restriction on the public values you describe
> above, I take this to mean that you restrict Vi and Wi such that
> g^Vi, g^Wi > Z where Z is the smallest possible modulus Qi.
>
> To illustrate that this is not enough I'll use your figures from above.
> With g=4 I could set n=5 in the attack so that Wi = 1024.  This is less
> than all 512-bit moduli Qi so the attack will work, and greater than 256
> so that your proposed restriction will not stop it.
>
> I hope this explains things more fully and that it's understandable!

Yes, I'm starting to get my head around it.

> Of course, feel free with any questions.

Here is some thinking out loud...

1) Using a larger g, perhaps > SQRT(max modulus) as you suggested
earlier, would seem to go a long way towards stopping this, but would I
have problems finding a single g that is a valid generator for a table of
large primes... how do you work that out anyway??

2) Perhaps I could just ban all values g^n ?? for g==4 this would mean
I lost 25% of possible values, but it would be pretty easy to implement
the check (just look at least significant bits). But what else would this
affect??
Perhaps another value 4 < g < 256(?) might work and not lose too many
values?

3) Perhaps there is some value in changing the verification procedure??
Instead of sending the plain values for verifiers R and S, I could
send E[P](R) and E[P](S)... this would mean that the impersonator
would have to check each guessed K' value against E[P'](S) and I can't
immediately see how he could do this??

I'm also open to ideas ;-)

ttfn

PG.

PS Thanks for the input!
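A worked check of the quoted argument above, added here and not taken from either poster: it shows that a public value W = g^n below every modulus gives the same W^Xi mod Qi as Vi^n mod Qi, computable from the public Vi alone, and that W = 1024 passes the proposed "> 256" restriction. The moduli, secrets and n are constructed toy values; g = 4 and the 256 threshold are the thread's own.

```python
# Added example, not from the thread.  Toy stand-ins for SNAKE's modulus
# table f(k,P,R): three constructed primes, one per protocol part.  Real
# moduli are 512-bit; the identity demonstrated holds for any size.
G = 4                 # generator used in the thread's example
MIN_PUBLIC = 256      # the proposed restriction: public values must exceed 256
MODULI = [1_000_003, 1_000_033, 1_000_037]   # constructed Q1, Q2, Q3


def honest_public_values(secrets):
    """A's side of step (1): V_i = g^X_i mod Q_i for each part i."""
    return [pow(G, x, q) for x, q in zip(secrets, MODULI)]


def shared_secrets_from_a(secrets, received_w):
    """A's key-derivation inputs: D_i = W_i^X_i mod Q_i."""
    return [pow(w, x, q) for w, x, q in zip(received_w, secrets, MODULI)]


def secrets_from_public_only(public_v, n):
    """What the quoted analysis says can be computed offline once the moduli
    are guessed: V_i^n mod Q_i, using no knowledge of X_i at all."""
    return [pow(v, n, q) for v, q in zip(public_v, MODULI)]


def passes_proposed_restriction(w):
    """The restriction from the thread: with g=4, a public value must be > 256."""
    return w > MIN_PUBLIC


def modulus_independent(w):
    """True when w is below every modulus, i.e. w mod Q_i == w for all i,
    so the same W is valid whatever the (unknown) moduli turn out to be."""
    return all(w < q for q in MODULI)


def demo(secrets=(123_456, 654_321, 111_111), n=5):
    """Reproduce the thread's figures: g=4, n=5 gives W = 1024."""
    w = G ** n
    public_v = honest_public_values(secrets)
    d_from_a = shared_secrets_from_a(secrets, [w] * len(MODULI))
    d_offline = secrets_from_public_only(public_v, n)
    return {
        "w": w,
        "passes_restriction": passes_proposed_restriction(w),
        "modulus_independent": modulus_independent(w),
        "offline_matches_a": d_from_a == d_offline,
    }
```

Because D_i depends only on g^(n*X_i) mod Q_i, the restriction on the size of public values cannot distinguish this W from an honest one; that is the observation the thread is circling.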






------------------------------

From: Greg <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: EAR Relaxed? Really?
Date: Thu, 30 Sep 1999 19:21:30 GMT


> You are CORRECT!!!  Do you have a position to move from????  Karl M


I have no idea- no idea- why you just could not answer my question,
"What do you mean by position?" in private e-mail, but if you really
want everyone to be bored to death with my question and your answer
that you will only answer me if I ask here, then fine.

What do you mean?


--
Truth is first ridiculed, then violently opposed, and then it is
accepted as self evident ("obvious").

I love my president... I love my president... I love my president...

------------------------------

From: "j.w.altena" <[EMAIL PROTECTED]>
Subject: Random number generation
Date: Thu, 30 Sep 1999 21:25:55 +0200

At Statistics Netherlands we would like to have at our disposal about
10E9 random identifying numbers with a length of 10 (decimal) positions.
These numbers should preferably not be generated all at the same moment, but
the set should be extendable in steps.  We think we can use encryption for
the generation of these numbers. An idea is to take the numbers 1 to n in
the first step and encrypt them.  In the next step n+1 to m is encrypted and
so on. As an additional requirement we would like the encrypted numbers to
be numbers (and not letters or other characters) as well.
 Who knows a solution for this problem, or does somebody have another
solution?
 (The solution of assigning the ASCII value to each byte doesn't work, for
then more than 10 positions are required.)
Erik van Lith ( [EMAIL PROTECTED] )

------------------------------

Reply-To: "karl malbrain" <[EMAIL PROTECTED]>
From: "karl malbrain" <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: EAR Relaxed? Really?
Date: Thu, 30 Sep 1999 13:39:55 -0700


Greg <[EMAIL PROTECTED]> wrote in message
news:7t0d7b$g2k$[EMAIL PROTECTED]...
>
> > You are CORRECT!!!  Do you have a position to move from????  Karl M
>
>
> I have no idea- no idea- why you just could not answer my question,
> "What do you mean by position?" in private e-mail, but if you really
> want everyone to be bored to death with my question and your answer
> that you will only answer me if I ask here, then fine.

What I actually said PRIVATELY was for you to EMIT your position publicly as
a BEGINNING.  You've gone forward and reduced the contradiction.  I'll grant
you GROUNDS once only, so here it is.

> What do you mean?

You might try the NATIONAL SECURITY ARCHIVES organization for POSITION.  I
don't know if they have a presence on the INTERNET now, but they did exist
SOMEWHERE not all that long ago, as far as I know.

As you may have been following the FBI investigation of the COBBS CREEK
MASSACRE, they determined that CRIMES WERE COMMITTED AND THEY CAN FIND NO
CRIMINALS.  They're about to start in again on WACO.  Can you set this
straight???? How's that for position????

Karl M

------------------------------

From: Greg <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: EAR Relaxed? Really?
Date: Thu, 30 Sep 1999 19:36:46 GMT


> Sure. Why not just:
> Prosecution: Your honour, the police have filed a charge against this
> person. I ask you for summary judgement.
> Judge: Granted.

This does not have any case argued for the law.  This would
not fly.

> If you really want to paint scenarios in which the courts
> completely abrogate their duty not only to apply the law,
> but also to determine whether or not the law in question
> is consistent with the constitution,...

Happens all the time...

> On the other hand, if you grant that in the USA a part of the duty of
> any judge is also to ask whether or not the law in question is
> constitutional and whether or not the rules of evidence have been met,
> then your scenario is fiction.

Not if Reno has her way.  She is not joking.  If her plans
become law, they WON'T have to say how they decrypted jack.
They are very serious about this.  They know that once it
is written down on paper, once it has the appearance of a
legitimate law, then it would take a very courageous judge
to stand up against the establishment.  This IS reality today.


> There is simply no way that almost any court, and certainly
> not the supreme court, would let stand a law which removed
> the right of the defence to test the evidence against the
> accused.

It would take the supreme court to overturn this, if not
an appeals court.  You are correct.  But this scenario will
play out if Reno has her way.  That was my point all along.

And don't tell me that the Supremes are a certain safeguard
against tyranny.  Not by any stretch of the imagination.  They
won't touch the second amendment and it is the one law that
is most under attack.

> They might let stand a law which allowed the court to
> hear that evidence in secret,...

Not according to Reno's plan.

--
Truth is first ridiculed, then violently opposed, and then it is
accepted as self evident ("obvious").

I love my president... I love my president... I love my president...

------------------------------

From: Michael J. Fromberger <[EMAIL PROTECTED]>
Subject: Re: RSA in your own code
Date: 30 Sep 1999 19:11:21 GMT

In <7t08f5$k51$[EMAIL PROTECTED]> "Mark Reed" <[EMAIL PROTECTED]> writes:

>Are you allowed to write a program that implements say 512 bit RSA
>encryption in the US? It's so darn easy to do ;) I don't see why we
>can't have better encryption (and I don't understand the laws)

>Taking a CS class on algorithms so we did RSA and such fun stuff :)

By all means -- you are free to implement any algorithm you choose,
using keys of any size.  The restrictions you may have read about are
on the _export_ of certain classes of software.  But even the
U.S. government cannot prevent you from writing the code.  

Of course, if Al Gore becomes President next year, that may change;
but for the moment, we still have most of our Constitutional rights.

-M

-- 
Michael J. Fromberger    Software Engineer, Thayer School of Engineering
  sting <at> linguist.dartmouth.edu   http://www.dartmouth.edu/~sting/
7Y+Am9Ot9EbLLcCgT/BdGdprlj9L6Cy4v1n+KCbbPoU9ucMcLa6wfvoN4NWRMAZdOvBPTJzj
    Remove clothing if you wish to reply to this message via e-mail.

------------------------------

Date: Thu, 30 Sep 1999 15:46:41 -0400
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Random number generation

j.w.altena wrote:

> At Statistics Netherlands we would like to have at our disposal about
> 10E9 random identifying numbers with a length of 10 (decimal) positions.
> These numbers should preferably not be generated all at the same moment, but
> the set should be extendable in steps.  We think we can use encryption for
> the generation of these numbers. An idea is to take the numbers 1 to n in
> the first step and encrypt them.  In the next step n+1 to m is encrypted and
> so on. As an additional requirement we would like the encrypted numbers to
> be numbers (and not letters or other characters) as well.
>  Who knows a solution for this problem, or does somebody have another
> solution?
>  (The solution of assigning the ASCII value to each byte doesn't work, for
> then more than 10 positions are required.)
> Erik van Lith ( [EMAIL PROTECTED] )

Do the numbers need to be unique?  I assume so.  A simple mechanism is to take a
29 or 31-bit LFSR, seed it with a counter, and iterate it until you have full
mixing (depends on the number of taps, but 1000 steps should suffice for all
configurations).

The fact that the seeds are unique and you iterate for a constant number of
cycles guarantees that the results are unique.




------------------------------

From: [EMAIL PROTECTED] (Doug Stell)
Subject: Re: RSA in your own code
Date: Thu, 30 Sep 1999 19:41:07 GMT

On Thu, 30 Sep 1999 14:11:32 -0400, "Mark Reed" <[EMAIL PROTECTED]>
wrote:

>Are you allowed to write a program that implements say 512 bit RSA
>encryption in the US?

Let's split "allowed" into three categories, patent, export and use
laws.

Until Sept 20, 2000, the RSA algorithm is covered by a US patent.
RSADSI has traditionally enforced that you must either purchase their
implementation (BSAFE library), use the freebie library (RSAREF) or
purchase rights to infringe on the patent (big, big bucks). If they
didn't enforce their rights, their rights could be lost.

So, technically and from a patent law standpoint, the answer is "No"
for any key length.

If you can infringe on the patent, as many of us can legally do, key
length of an implementation is not an issue from either a patent or
export law perspective. (See below for the export category.)

> It's so darn easy to do ;) I don't see why we can't have better
>encryption (and I don't understand the laws)

Patent law is intended to foster invention by permitting the inventor
to derive benefit from inventing, for a limited time period, which is
now something like 20 years from the date of filing.

Export law is intended to keep certain capability out of the hands of
terrorist organizations and unfriendly governments for national
security reasons. As argued to death, export laws only really work
when the US has a technical lead, the item can only be made with that
technical lead and the item being controlled is physical. The
non-physical nature of software and the distribution of technical
capability have made the export laws for these items unenforceable,
useless to the US and harmful to US and multi-national companies.

Laws controlling use are not an issue in the US, but are in other
countries. Use laws are intended to keep certain technologies out of
the hands of domestic criminal elements and give law enforcement an
upper hand. When it comes to software, the above enforceability
applies here as well.

The law enforcement and national security folks are in a difficult
position. The laws don't work. Everyone hates the laws and thinks they
are silly. Everybody (at least the good guys) depends on these folks to
protect them. The bottom line is that technology is amoral, i.e.,
neither good nor bad. It just depends on who is using it for what and who
you think the good and bad guys are.

>Taking a CS class on algorithms so we did RSA and such fun stuff :)

It is fun stuff and I'm still learning after more than 20 years in the
business. Enjoy and I hope you are getting a useful class.


------------------------------

From: [EMAIL PROTECTED] (Jim Dunnett)
Subject: Re: On oldy encryptions
Reply-To: Jim Dunnett
Date: Thu, 30 Sep 1999 18:49:17 GMT

On Thu, 30 Sep 1999 18:56:40 +0200, Mok-Kong Shen <[EMAIL PROTECTED]>
wrote:

>In the old days most secret messages were very short and infrequent
>and employed only the normal alphabet and spaces in the texts were 
>usually omitted. For binary representation of such stuffs 5 bits for 
>each character is obviously sufficient. Even for transmission of
>normal texts with a much larger character set, 5-bit telegraphic
>code served fairly well in the sixties, with shift keys helping
>to extend the coding space beyond what is directly representable 
>with 5 bits. 
>
>I often wonder whether the time has indeed so drastically changed 
>our world that nowadays really top secret messages can no longer be 
>written except through pushing several megabytes down the 
>communication channels. If the messages are of the oldy style and 
>infrequent and the 5-channel telegraphic code is used, how easy 
>really is the job of the analyst, if a (general) polyalphabetic 
>substitution is used, together with sufficiently good key management 
>and frequent change of the substitution table? It is also fairly 
>easy to employ homophones for a few critical keys and even to 
>implement digram substitution (10 bit to 10 bit instead of 5 bit 
>to 5 bit).

The 5-bit (plus 1 start and 1.5 stop bits) is still widely used
today.

The ciphers in use are usually stream ciphers using a PRNG with
a very long period XORd with the telegraph signal. It runs 
continuously, enciphering the idle condition as well as
traffic, so that it is traffic-flow secure, i.e. an
interceptor cannot tell whether traffic is present or not.

The tap points in the PRNG are always changed a very long
time before the end of the system's period, and the 'fill'
(pre-loading of the shift registers with random bits) is
often carried out at intervals within the tap-point change
periods.

-- 
Regards, Jim.                  | When a man assumes a public trust,
amadeus%netcomuk.co.uk         | he should consider himself as
dynastic%cwcom.net             | public property.
                               |
PGP Key: pgpkeys.mit.edu:11371 | -  President Thomas Jefferson.
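The traffic-flow-secure arrangement described in the post above, as an added illustration (not the poster's code): a keystream generator that never stops is XORed onto 5-bit telegraph symbols, so idle periods are enciphered exactly like traffic. The 31-bit LFSR taps (x^31 + x^28 + 1), the idle symbol (LTRS, 0b11111) and the sample symbols are assumptions standing in for whatever a real system uses.

```python
# Added example, not from the post.  Toy keystream from an assumed 31-bit
# LFSR (taps x^31 + x^28 + 1), pre-loaded with the 'fill' the post mentions.
MASK31 = (1 << 31) - 1
IDLE = 0b11111             # assumed idle / LTRS symbol in a 5-bit code
TRAFFIC = [0b00011, 0b11001, 0b01110, 0b00011]   # constructed sample symbols


def keystream(fill):
    """Yield 5-bit keystream symbols forever; the generator keeps running
    through idle periods, so idle and traffic draw from the same stream."""
    state = fill & MASK31
    if state == 0:
        raise ValueError("fill must be non-zero")
    while True:
        out = 0
        for _ in range(5):
            fb = ((state >> 30) ^ (state >> 27)) & 1
            state = ((state << 1) | fb) & MASK31
            out = (out << 1) | fb
        yield out


def encipher(symbols, fill):
    """XOR each 5-bit symbol with the next keystream symbol.  Deciphering is
    the same call with the same fill, as for any XOR stream cipher."""
    ks = keystream(fill)
    return [s ^ next(ks) for s in symbols]


def line_activity(fill, traffic, idle_len):
    """What leaves the line: traffic followed by idle_len idle symbols, all
    under one continuously running keystream."""
    return encipher(traffic + [IDLE] * idle_len, fill)


def idle_is_visible(ciphertext, idle_len):
    """An interceptor's crude test: is the tail (the idle period) a single
    repeated symbol?  With a running keystream it is not."""
    tail = ciphertext[-idle_len:]
    return len(set(tail)) == 1
```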

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
