Cryptography-Digest Digest #664, Volume #10       Thu, 2 Dec 99 12:13:01 EST

Contents:
  Re: What part of 'You need the key to know' don't you people get? (SCOTT19U.ZIP_GUY)
  Hey, NSA! Venona html errors! ("John K. Taber")
  Re: Elliptic Curve Public-Key Cryptography (DJohn37050)
  Re: What part of 'You need the key to know' don't you people get? (Johnny Bravo)
  Re: been a while since I used pgp (Johnny Bravo)
  Re: Encrypting short blocks (Eric Lee Green)
  Re: Pleasantville: civilty under duress ([EMAIL PROTECTED])
  Re: The $10,000.00 contesta (Bruce Schneier)
  Re: Elliptic Curve Public-Key Cryptography (Bruce Schneier)
  Re: Elliptic Curve Public-Key Cryptography (DJohn37050)
  Re: What part of 'You need the key to know' don't you people get? (wtshaw)
  Re: Elliptic Curve Public-Key Cryptography (David Wagner)
  Re: Random Noise Encryption Buffs (Look Here) (Guy Macon)
  Re: Noise Encryption ("Tim Wood")

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: What part of 'You need the key to know' don't you people get?
Date: Thu, 02 Dec 1999 15:10:00 GMT

In article <[EMAIL PROTECTED]>, "Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote:
>Brian Chase wrote:
>> I think what I'm finding most disturbing, if not just outright disgusting,
>> is how quickly disregarded are Scott's challenges to the conventions of
>> the cryptology community.  Sure he's an asshole, but as a community is it
>> not true that we don't conclusively know how secure the contemporary
>> algorithms are?
>
>Neither does D.Scott!  The main problem with his arguments is that
>he asserts weaknesses in everybody's encryption schemes except his,
>but doesn't *demonstrate* the weaknesses.  When he claims, for
>example, that CBC itself creates exploitable weaknesses, yet there
>happen to be solid mathematical papers demonstrating that CBC used
>with a *strong* block cipher is not substantially weaker than the
>block cipher by itself, it is incumbent on *him* to prove his claim,
        Again I see the assholes misquote me. I never said that
CBC makes a cipher weaker. What I have said is that the diffusion
is not more than 2 blocks. So that an attacker using a small number of
blocks would never have to look at the whole file. Since all the 3 letter
modes that you dumb people ever use really add very little strength
to the cipher. I even give examples that show the information is not
distributed through the whole file. Most are too stupid to understand this
fact. Of those smart enough to understand most don't seem to care.
  In the three letter modes when some one does even a partial plain
text attack you can get the input output pairs to the underlying 
block cipher. These may or may not be of use to the person breaking
the cipher. With 3 rounds of "wrapped PCBC" this information is not easily
available. So it can't be used. One is forced to examine the encryption
as a whole. Something that the normal block chaining methods have 
gone out of their way to avoid.  To me the reason is obvious.
The NSA has done a good job of keeping people stupid about using
chaining to secure a cipher.


>or at least to exhibit an error in the previous work that proved the
>opposite.  That's not only standard professional practice, it's
>plain common sense.  Since he doesn't make a convincing case,
>preferring to curse and challenge the integrity of anyone who
>disagrees with him, it is not surprising that he is being almost
>entirely ignored by the professional community.

  I guess I just like to call a spade a spade big fucking deal.
you can call it a shovel.





David A. Scott
--

SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
                    
Scott famous encryption website NOT FOR WIMPS
http://members.xoom.com/ecil/index.htm

Scott rejected paper for the ACM
http://members.xoom.com/ecil/dspaper.htm

Scott famous Compression Page WIMPS allowed
http://members.xoom.com/ecil/compress.htm

**NOTE EMAIL address is for SPAMERS***

------------------------------

From: "John K. Taber" <[EMAIL PROTECTED]>
Subject: Hey, NSA! Venona html errors!
Date: Thu, 2 Dec 1999 08:18:50 -0600

You have duplicate gif names on the Aug 43 page, for the 12th and
19th. Are the duplicates supposed to be, or is this an error?

Also, there are apparent html errors on the Jul 43 page that
cause non-selected hyperlinks to appear as if selected.

Finally, you really need a webmaster email address for queries
like this. How about it?
 
--
Consuming is dirty business, but somebody has to do it. Robert McTeer


------------------------------

From: [EMAIL PROTECTED] (DJohn37050)
Subject: Re: Elliptic Curve Public-Key Cryptography
Date: 02 Dec 1999 14:52:25 GMT

For info on coming up with crypto schemes based on math primitives, see IEEE
P1363.  I agree there are many factors to consider and many traps to avoid.

Regarding timings, this is not my area of expertise.  Certicom did publish
timings a few years ago, and does have info to hand to customers.  I am not
sure what is available publicly.

I guess there is the basic problem with publishing timings.  What a customer
wants is to solve a problem with HIS constraints, whatever they are.  And the
constraints can be severe in one factor and largely irrelevant in another.  For
a different customer, they can be reversed.

For example, for some customers the critical resource is time.  For others it
may be energy.  Money cost is always a factor.  Code space and data space are
possible.
The point being that a customer wants HIS answer to fit in a certain size box. 
We all know programming techniques that are time/memory tradeoffs.

Certicom works to satisfy their customers and I am sure others do also. 
Certicom does research to improve all these factors and I am sure others do
also.

So what is the point of publishing timings?  It is often not the deciding
factor as long as it is good enough.  But any timing will have assumptions
going along with it.  Naysayers will disagree and try to knock the assumptions.
 Or someone could try to cheat on the timings, for example, use a low Hamming
weight for the ECC private key, etc.  For RSA, someone might use CRT but not
check the signature calculation before outputting the signature, but this risks
losing the private key if there was a bit flip.

The point being that timings are problematic. 
Don Johnson
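The two timing hazards Don mentions, in toy form. This is an added example, not code from Don Johnson, Certicom or anyone else in the thread: the primes, the message and the injected fault are constructed, and the key is far too small for real use. `sign_checked` is the countermeasure described above: the CRT signature is verified with the public key before it is released, so a faulty computation is withheld rather than output. `double_and_add_ops` counts the work in a scalar multiplication, which is why a low Hamming-weight private key makes a benchmark look better than it is.

```python
import hashlib

# Constructed toy RSA parameters (example-only; real keys are 1024+ bits):
# two small primes chosen so the arithmetic stays visible.
P = 104729
Q = 1299709
E = 65537                       # the usual 17-bit public exponent, 2^16 + 1
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

# CRT precomputation, as a CRT-based signer stores it alongside the key
DP = D % (P - 1)
DQ = D % (Q - 1)
QINV = pow(Q, -1, P)


def message_to_int(msg: bytes) -> int:
    """Reduce a message to an integer below N (toy 'padding'; not a real scheme)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def rsa_crt_sign_raw(m: int, fault_in_p: bool = False) -> int:
    """Textbook RSA-CRT signature of integer m.

    fault_in_p simulates a single bit flip in the mod-p half of the
    computation, the transient error the post warns about."""
    s_p = pow(m, DP, P)
    s_q = pow(m, DQ, Q)
    if fault_in_p:
        s_p ^= 1                # hypothetical hardware fault, injected for the demo
    h = (QINV * (s_p - s_q)) % P    # Garner recombination
    return s_q + Q * h


def rsa_verify_raw(m: int, s: int) -> bool:
    """Public-key check: s^e == m (mod N)."""
    return pow(s, E, N) == m % N


def sign_checked(m: int, fault_in_p: bool = False):
    """Sign with CRT, then verify with the public key before releasing the
    signature.  A signature that fails the check is withheld (None) instead
    of being output, which is the countermeasure the post describes."""
    s = rsa_crt_sign_raw(m, fault_in_p)
    return s if rsa_verify_raw(m, s) else None


def double_and_add_ops(k: int) -> tuple:
    """(doublings, additions) for a left-to-right double-and-add scalar
    multiplication by k.  Additions track k's Hamming weight, so a sparse
    private key runs faster than a random one of the same length."""
    return k.bit_length() - 1, bin(k).count("1") - 1


if __name__ == "__main__":
    m = message_to_int(b"constructed message for the demo")
    print("good signature verifies:", sign_checked(m) is not None)
    print("faulty signature withheld:", sign_checked(m, fault_in_p=True) is None)
    print("ops for e = 65537:", double_and_add_ops(E))
```

The verify-before-output check costs one public-key exponentiation per signature, which with a small e is cheap next to the CRT work; a benchmark that omits it reports a faster signer than the one you would actually want to deploy.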

------------------------------

From: [EMAIL PROTECTED] (Johnny Bravo)
Subject: Re: What part of 'You need the key to know' don't you people get?
Date: Thu, 02 Dec 1999 10:29:36 GMT

On Thu, 02 Dec 1999 15:10:00 GMT, [EMAIL PROTECTED]
(SCOTT19U.ZIP_GUY) wrote:

>Neither does D.Scott!  The main problem with his arguments is that
>he asserts weaknesses in everybody's encryption schemes except his,
>but doesn't *demonstrate* the weaknesses.  

><Begin Exact Quote>
>Subject: Re: Which encryption brand is best?
>Date: 1999/11/28
>Author: SCOTT19U.ZIP_GUY <[EMAIL PROTECTED]>
>
>"Yes I think the AES candidates are weak."
><End Exact Quote>

><Begin Exact Quote>
>Subject: Re: weak ciphers and their usage
>Date: 1999/11/17
>Author: SCOTT19U.ZIP_GUY 
>
>"Here is something you can do with a crappy AES type of encryption
>with your secret IV."
><End Exact Quote>

  No proof in this or any subsequent post was offered that the AES
ciphers are weak or crappy.  I'm quoting your words exactly as they
are written, MR DS.

>>        Again I see the assholes misquote me. I never said that
>>CBC makes a cipher weaker. 

  You are a pathetic liar.  You should write your delusions down so
you can keep them straight when you post.

><Begin Exact Quote>
>Subject: Re: weak ciphers and their usage
>Date: 1999/11/17
>Author: SCOTT19U.ZIP_GUY 
>
>"I have been talking about the general weaknesses in all 3 letter 
>chaining mods."
><End Exact Quote>

><Begin Exact Quote>
>Subject:  Re: CFB mode with same initialization vector
>Date:  1999/08/04
>Author: SCOTT19U.ZIP_GUY 
>
>"As I stated before all the blessed chaining modes are weak."
><End Exact Quote>

><Begin Exact Quote>
>Subject:  Re: Challenge to SCOTT19U.ZIP_GUY
>Date:  1999/08/04
>Author: SCOTT19U.ZIP_GUY 
>
>"Yes these are my feelings that the chaining methods in use are purposely weak. "
><End Exact Quote>

  You claimed that ALL 3 letter chaining modes are weak.  Not only do
you claim they are weak, you claim were made weak on purpose, and you
are the only one on the planet who knows the "truth."  Yet you offer
not even a hint of an attack against them, not even in theory.  Why do
you persist in denying you say this almost constantly?

>Since all the 3 letter modes that you dumb people ever use really 
>add very little strength to the cipher.

  You are misquoting yourself now, more lies.  You claimed that every
single one of them makes the cipher weaker.  And as for intelligence,
proper spelling and grammar are not accidental constructions.

>Most are too stupid to understand this fact.

  Most seem to see that this offers no help to the attacker, and since
you can't prove otherwise and just resort to childish name calling why
should we take you seriously.  Act like a crying child, and get
treated like one.  You lie so much, we no longer care if you ever tell
the truth.  From your past history, we would be better off assuming
everything you say is a lie unless you post it with evidence proving
otherwise.

> Of those smart enough to understand most don't seem to care.

  You have yet to demonstrate a practical attack that exploits this
weakness.  Saying it is weak is not the same as proving it is.  Did you
ever get around to showing your break for PGP 2.6.3 yet?

><Begin Exact Quote>
>Subject: Re: AES tweaks
>Date: 1999/05/27
>Author: SCOTT19U.ZIP_GUY 
>
>"One area that has greatly interested to me chainning and compression 
>PGP at least in 2.6.3 used inferior compression with what I call leaks 
>to the solution but this may have been a lack of experience."
><End Exact Quote>

  Since the solution is leaking, surely you are ready to publish your
paper detailing your break of PGP 2.6.3.  After all you have had 6
months since you noticed that the solution was just leaking out.
When can we expect to see it, either online or published?  Or is the
lack of experience you mentioned your own?

>  In the three letter modes when some one does even a partial plain
>text attack you can get the input output pairs to the underlying 
>block cipher. These may or may not be of use to the person breaking
>the cipher. 

  May or may not?  Prove they are of use to a person breaking the
cipher.  May or may not, is not evidence of weakness.

>  I guess I just like to call a spade a spade big fucking deal.
>you can call it a shovel.

  You like to call a spade a ball, and get all bent out of shape when
people ask you what the hell are you talking about.

  Johnny Bravo


------------------------------

From: [EMAIL PROTECTED] (Johnny Bravo)
Subject: Re: been a while since I used pgp
Date: Thu, 02 Dec 1999 10:42:20 GMT

On Thu, 2 Dec 1999 11:54:29 +0100, "Julian LEWIS"
<[EMAIL PROTECTED]> wrote:

>> 5.0 and up.  Major change for later versions have PGP acquiring their
>> "random" seed without the user having to make random keystrokes.
>>
>
>This is a bit worrying, do you know how the seed is generated, an obvious
>backdoor !!

  I'm currently using 6.0.2 and it still is using keystrokes, though
there is an option to use the mouse in place of the keyboard, or both
if you are so inclined.

  Why would this worry you, if they wanted to put a backdoor in they
would never be so obvious about it.  If you are worried, check the
source code.

  Johnny Bravo

------------------------------

From: Eric Lee Green <[EMAIL PROTECTED]>
Subject: Re: Encrypting short blocks
Date: Thu, 02 Dec 1999 08:43:09 -0700

Markus Peuhkuri wrote:
>         Thanks to all who replied.  One thing I didn't remember to
>         write up was that stream ciphers or OTPs are not suitable for
>         my application.  As far as I understand, there the result
>         depends on the order of blocks (or data).  While this is generally
>         a desirable property of encryption, it is not in my case.

I'm not following your reasoning. If you are doing variable-sized blocks of
data, simply re-start the stream cipher for each block of data. If you are
doing fixed-size blocks of data, but they are smaller than, say, what BlowFish
will encrypt, simply pre-pend your transmission with the number of bytes of
data in the transmission, and chop any extraneous gibberish characters out of
the last block at the reception end. Since I don't trust CFB mode (which makes
a block cipher emulate a stream cipher) due to the requirement for unique
initialization vectors (which I cannot ensure in my own environment), that's
what I do when I need to fake encrypting variable-size blocks. 
 
>         What I want is following property: given message M1 (length N
>         bits) produces same encrypted message E1 (length N bits) every
>         time run.  Message M2 produces message E2, which is different
>         from E1 iff message M2 is different from M1.  However, I'm
>         willing to accept some probability of collisions, less than
>         1/1000 (different messages M1 and M2 produce same result E1).

This sounds like a description of a digest algorithm such as MD5 or SHA1,
rather than like something you would use a cipher for. Get a good book on
cryptography. I'm using Bruce Schneier's "Applied Cryptography" myself, but I
understand there are now newer/better(?) ones on the market. 

>         I took a look at blowfish, but I don't have knowledge of whether it is
>         possible to modify it to use shorter block lengths than 64
>         bits _without_ weakening security.  Maybe I'll have to try to
>         find out if it is technically feasible.

No. You do not want a shorter block size. If you need to emulate a stream
cipher, either prepend your packetized data with a length header and at the
recipient strip off the padding added to pad your input to the nearest block
boundary, or use CFB or OFB/Counter mode (see the nice chart on p209 of
Schneier). 

> 
>         As I've read enough about poor implementations, I would not
>         risk spending two years of my life in restricted freedom.
>         I would like to make sure.

That is why you should buy a good book and use a stock, unmodified algorithm
to implement your cryptosystem. You'll probably create an insecure
cryptosystem anyhow, but at least you know it'll be because of something
stupid that you did, rather than because of a flaw in the algorithm. 

-- 
Eric Lee Green                         [EMAIL PROTECTED]
Software Engineer                      Visit our Web page:
Enhanced Software Technologies, Inc.   http://www.estinc.com/
(602) 470-1115 voice                   (602) 470-1116 fax
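One added example (mine, not Eric's, Markus's or D. Scott's code) serving two passages in this digest: the CBC diffusion limit D. Scott asserts earlier in the issue (a ciphertext change reaches only the current and the next plaintext block, and a known plaintext exposes the block cipher's own input/output pairs), and Eric's length-header framing for variable-size data. The block cipher is a toy Feistel network built from SHA-256, constructed here so the code runs offline; it is not Blowfish. The key, IV and messages are constructed, and `frame`, `unframe`, `send` and `receive` are names I chose.

```python
import hashlib
import secrets

BLOCK = 8            # 64-bit block, Blowfish-sized
HALF = BLOCK // 2
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_function(key: bytes, rnd: int, half: bytes) -> bytes:
    # Hash-derived round function; a Feistel network is invertible whatever F is.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy Feistel cipher, constructed for this example only (not Blowfish)."""
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round_function(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_function(key, rnd, left)), left
    return left + right


def _blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    assert len(plaintext) % BLOCK == 0
    out, prev = [], iv
    for p in _blocks(plaintext):
        prev = block_encrypt(key, _xor(p, prev))        # C_i = E(P_i xor C_{i-1})
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(ciphertext):
        out.append(_xor(block_decrypt(key, c), prev))  # P_i = D(C_i) xor C_{i-1}
        prev = c
    return b"".join(out)


def cbc_diffusion_experiment(key: bytes, iv: bytes, n_blocks: int, tampered: int) -> list:
    """Flip one ciphertext bit in block `tampered`, decrypt, and return the
    indices of plaintext blocks that changed.  In CBC the damage is confined
    to block `tampered` (garbled) and block `tampered + 1` (same bit flipped)."""
    plaintext = bytes(i % 256 for i in range(n_blocks * BLOCK))   # constructed
    ct = bytearray(cbc_encrypt(key, iv, plaintext))
    ct[tampered * BLOCK] ^= 0x01
    recovered = cbc_decrypt(key, iv, bytes(ct))
    return [i for i, (a, b) in enumerate(zip(_blocks(plaintext), _blocks(recovered)))
            if a != b]


def cbc_block_pairs(iv: bytes, plaintext: bytes, ciphertext: bytes) -> list:
    """Given a plaintext/ciphertext pair, the block cipher's own input/output
    pairs are (P_i xor C_{i-1}, C_i): the mode adds nothing on top of the
    cipher, so CBC's strength rests on the block cipher's."""
    pairs, prev = [], iv
    for p, c in zip(_blocks(plaintext), _blocks(ciphertext)):
        pairs.append((_xor(p, prev), c))
        prev = c
    return pairs


def frame(message: bytes) -> bytes:
    """Length-header framing for variable-size data: 2-byte big-endian length,
    the message, then arbitrary bytes up to the next block boundary."""
    assert len(message) < 2 ** 16
    body = len(message).to_bytes(2, "big") + message
    return body + secrets.token_bytes((-len(body)) % BLOCK)


def unframe(padded: bytes) -> bytes:
    """Strip the padding on receipt using the length header."""
    n = int.from_bytes(padded[:2], "big")
    if 2 + n > len(padded):
        raise ValueError("length header exceeds received data")
    return padded[2:2 + n]


def send(key: bytes, iv: bytes, message: bytes) -> bytes:
    return cbc_encrypt(key, iv, frame(message))


def receive(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    return unframe(cbc_decrypt(key, iv, ciphertext))
```

Two practical notes. The bounded propagation that `cbc_diffusion_experiment` shows is a property of the mode's definition, not a defect of any particular cipher, and it is the reason CBC on its own detects no tampering: a receiver that needs integrity adds a MAC over the ciphertext rather than relying on garbling. The IV is fixed here only so the tests are deterministic; under one key, a repeated CBC IV lets an observer tell when two messages share a leading block, which is the same class of IV-uniqueness problem Eric raises for CFB.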

------------------------------

From: [EMAIL PROTECTED]
Crossposted-To: comp.ai.fuzzy,sci.physics,sci.math
Subject: Re: Pleasantville: civilty under duress
Date: Thu, 02 Dec 1999 15:41:17 GMT

In article <81tkfe$bqg$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] wrote:
> In article <81q7g5$1ag$[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
> > In article <olZ%3.532$[EMAIL PROTECTED]>,
> >   "karl malbrain" <[EMAIL PROTECTED]> wrote:
> > >
> > > That's a nice TRAP you've fallen for:  just click the mouse
> > > and whatever is DISTURBING you disappears.  Now, if you have
> > > anything about the real place, PLEASANTON, CA, let me know....
> > > (nb, it's where those arrested during
> > > STOP-THE-DRAFT-WEEK were taken.) Karl M
> > >
>
> >     It sounds like you have _everything_ worked out in your head.
> >     What's the problem ?
>
> It looks like a sticky shift key to me.
>

Lookup "prophet"  in Webster's Dictionary:
   http://www.m-w.com/cgi-bin/dictionary


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: [EMAIL PROTECTED] (Bruce Schneier)
Subject: Re: The $10,000.00 contesta
Date: Thu, 02 Dec 1999 15:51:42 GMT

On Thu, 02 Dec 1999 02:04:43 GMT, [EMAIL PROTECTED] (Johnny Bravo)
wrote:

>On Thu, 02 Dec 1999 00:47:33 GMT, [EMAIL PROTECTED] (Bruce
>Schneier) wrote:]
>>It would be cool if someone could turn this into an attack.
>  Wow, that's a hell of a lot of curiosity for you.  You'd be happy
>seeing a successful attack on Twofish!  This is probably just in the
>general sense that any successful attack on the final five would
>probably have to be something really new or we would have seen it by
>now, if it has to happen may it happen to one of the other four.
><grin>

I think that almost all algorithm designers would be happy to see a
new attack on their algorithms.  New attacks means that we're learning
something.

Bruce
**********************************************************************
Bruce Schneier, Counterpane Internet Security, Inc.  Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN  55419      Fax: 612-823-1590
           Free crypto newsletter.  See:  http://www.counterpane.com

------------------------------

From: [EMAIL PROTECTED] (Bruce Schneier)
Subject: Re: Elliptic Curve Public-Key Cryptography
Date: Thu, 02 Dec 1999 15:55:23 GMT

On 02 Dec 1999 14:52:25 GMT, [EMAIL PROTECTED] (DJohn37050) wrote:
>So what is the point of publishing timings?

The point of publishing timings is to substantiate unsubstantiated
claims.  There are two honest things to do:  1) make arguments based
on timings, and publish data to substantiate your arguments, 2) do not
make arguments based on "secret" data.  Making timing arguments and
then asking "what's the point" when challenged on the data makes your
points seem like nothing more than Certicom propaganda.

Bruce
**********************************************************************
Bruce Schneier, Counterpane Internet Security, Inc.  Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN  55419      Fax: 612-823-1590
           Free crypto newsletter.  See:  http://www.counterpane.com

------------------------------

From: [EMAIL PROTECTED] (DJohn37050)
Subject: Re: Elliptic Curve Public-Key Cryptography
Date: 02 Dec 1999 16:45:55 GMT

Let me clarify.

Bruce said his experience was that SigVer with 64-bit exponent RSA 1024-bit key
was faster than ECC 163 bit key.

I said I had seen a performance sheet at least a year ago where ECC 163-bit was
more like the performance of 17 bit exponent RSA 1024 bit key. (ballpark).  I
know this info was presented at a PKS conference a few years back.

Bruce did not give details on the data he gave.  Perhaps it is the conventional
wisdom.  I did not either, I simply do not know the details, this is not my
area.  Research keeps going on to improve things, and the research may lead to
either RSA or ECC or both speeding up.

I do not think it is dishonest to report a data point that one has seen.  This
is all I did, I did not create it or test it.  People can disregard it or
discount it, regardless. 
Don Johnson

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: What part of 'You need the key to know' don't you people get?
Date: Thu, 02 Dec 1999 11:22:29 -0600

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Johnny
Bravo) wrote:
> 
>   Vague claims without testable, repeatable evidence to back them up
> are not science.  They make good pseudoscience though, as regularly
> shown over in talk.origins.

I agree that the scientific process requires follow through, disclosure of
methods, etc.  There is, however, reason to talk about hypotheses,
hunches, and educated guesses as reasons for additional effort.  Perhaps
the words identifying the differences are missing.
> 
> >A *good* scientist willingly reveals everything if part of the evidence he
> >exposes is against him. There is no expectation regarding his feelings as
> >long as the data is there.  
> 
>   But tossing out a theory, and saying "That is the truth, prove me
> wrong or admit I'm right." is not science by any stretch of the
> imagination.
> 
See above.  Asking for proof, verification, and results to the contrary of
one's convictions and personal results and summaries are sound
requests.  But, people can wear several hats; being scientific is only one
of them.

Offering a prize is not scientific as a motivator unless you buy into
extrinsic motivation as more important than intrinsic, yet there are those
who do encourage this sort of thing. Having such a contest is an attempt
to fit in with someone's idea of how to attract interest, nothing more.
-- 
Love is blind, or at least figure that it has astigmatism. 

------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Elliptic Curve Public-Key Cryptography
Date: 2 Dec 1999 08:22:49 -0800

In article <[EMAIL PROTECTED]>,
DJohn37050 <[EMAIL PROTECTED]> wrote:
> So what is the point of publishing timings?

The point is to substantiate your claims -- which some people have
questioned -- that elliptic curves compare surprisingly well to RSA.

I hate to be argumentative, but you were the one who made the claims in
the first place, so it doesn't seem to be unreasonable to ask for some
sort of substantiation.

After all, if you are going to challenge the `conventional wisdom',
normally it is incumbent on you to provide some evidence if you expect
to persuade many people to change their views.

------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: Random Noise Encryption Buffs (Look Here)
Date: 02 Dec 1999 11:55:13 EST

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Anthony Stephen 
Szopa) wrote:
>
>Tom St Denis wrote:
>
>> In article <[EMAIL PROTECTED]>,
>>   "Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote:
>> > Tom St Denis wrote:
>> > > If I took two exact copies [leave the copying theory behind here] of
>> > > an atom, and placed them in two exact same environments.  Would they
>> > > not decay the same way?  If so, that's hardly random at all.
>> >
>> > The simple answer is, no, two identically prepared quantum systems,
>> > constrained as tightly as nature allows, need not evolve along the
>> > same path.
>> >
>>
>> That's like saying each time you went back in time [the exact same
>> time] you would observe a different state.  Which means a atom can
>> never be in one state at any time.  Kinda like an omni-state..
>>
>> Tom
>>
>> Sent via Deja.com http://www.deja.com/
>> Before you buy.
>
>That's correct.
>
>The atom has all possible states until you observe it.
>
>Thus it is the act of observing that produces the randomness.
>
>And no two observations are exactly the same.
>
>So, guess what?
>
>You have just discovered true randomness.
>

This raises an interesting question about human psychology.
For some reason, various people have a deep need to not
believe in randomness or unbreakable codes.  The more rational
among us are content with pointing out the practical difficulties
of using atomic decay or One Time Pads, or the many other ways to
obtain information but there are others who show the following
attributes;

[1] They know in their hearts that unbreakable codes and/or
    randomness cannot possibly exist.

[2] They have never been taught critical thinking skills.

I wonder why some of us have this deep need to believe?


------------------------------

From: "Tim Wood" <[EMAIL PROTECTED]>
Subject: Re: Noise Encryption
Date: Thu, 2 Dec 1999 17:11:03 -0600


SCOTT19U.ZIP_GUY wrote in message <81p1jm$2hec$[EMAIL PROTECTED]>...
>      Whoops I forgot to include the OTP. It is old
>and it is NONSECURE. but the trick is generating
>the random disks and getting them to your friends.

NONSECURE.

 Is that: insecure, secure, not secure, or is it that secure and the OTP are
not related?

I don't understand.


>David A. Scott
>--




------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
