Cryptography-Digest Digest #658, Volume #11      Sat, 29 Apr 00 00:13:00 EDT

Contents:
  Shortcut authenticated Diffie Hellman (lcs Mixmaster Remailer)
  Re: Science Daily overstates significance? ("Douglas A. Gwyn")
  Re: sci.crypt think will be AES? (Terry Ritter)
  Re: sci.crypt think will be AES? (Terry Ritter)
  Re: sci.crypt think will be AES? (Terry Ritter)
  Re: U-571 movie (OT) ("Stou Sandalski")
  Re: Speaking of HD Overwriting... (Guy Macon)
  Re: Speaking of HD Overwriting... (Guy Macon)
  Re: sboxes for the bored... (Terry Ritter)
  Re: sboxes for the bored... (Terry Ritter)
  Re: Vs: Requested: update on aes contest (Terry Ritter)

----------------------------------------------------------------------------

Date: 29 Apr 2000 01:40:08 -0000
From: lcs Mixmaster Remailer <[EMAIL PROTECTED]>
Subject: Shortcut authenticated Diffie Hellman

Here is an idea for a shortcut way to do authenticated Diffie Hellman key
exchange.  It might be useful for an application where exponentiations
are expensive.

In this situation, only the server will authenticate.  The client is
anonymous and so it does not authenticate itself.  But the client has
a public key for the server.

In Diffie Hellman key exchange, the client and server each choose secret
values k1 and k2 respectively, and then send g^k1 and g^k2.  The shared
secret value is then g^(k1*k2), which each one can calculate but an
eavesdropper cannot.  (All this is mod p.)

To authenticate, the server needs to sign its part of the exchange.  It
has a secret value x and has published y = g^x as its public key.

In most discrete log based systems the server needs to start off the
signature calculation by choosing a random k and doing g^k.  The proposal
for this shortcut is to use that same k as the k1 in the Diffie Hellman
exchange.  By doing this the "signature" can be over empty data and
reduces to an identity protocol.

Using the Schnorr identification protocol, the server sends g^k1.
The client sends g^k2 for the DH exchange, and also a challenge value c.
The server responds with r = c*x + k1, mod p-1, which the client verifies
by g^r =?= y^c * g^k1.  This is the standard Schnorr ID protocol.
It proves that the server knows the long-term secret key value x, but
also incidentally proves that it knows k1.  This is therefore in effect
a signature on k1.

The two sides complete the DH exchange by calculating g^(k1*k2) as usual.
The MITM attack is thwarted because he could not respond with a valid
r value since he does not know x.

Has anyone analyzed a protocol like this?  Does it seem reasonable?
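The exchange described above, traced through with concrete numbers, as an added example that is not part of the original post. The group parameters (p = 23, g = 5) are a constructed toy so every value can be checked by hand; the function names and the `run_with_mitm` simulation are assumptions made for this illustration.

```python
"""Toy model of the post's shortcut: the server's DH nonce k1 doubles as the
Schnorr commitment, so one exponentiation serves both the key exchange and
the proof that the server knows x.  Added example with constructed parameters."""

# Constructed toy group: p = 23 is prime and g = 5 generates Z_23^*, so exponents
# reduce mod p-1 = 22 exactly as the post writes them.  Real deployments use a
# large prime-order group; this size exists only so the values can be traced.
P = 23
G = 5
Q = P - 1


def server_keygen(x):
    """Long-term server key: secret exponent x, published y = g^x mod p."""
    return x, pow(G, x, P)


def server_commit(k1):
    """Step 1: the server sends g^k1, its DH share and its Schnorr commitment at once."""
    return pow(G, k1, P)


def client_challenge(k2, c):
    """Step 2: the client sends its DH share g^k2 together with a challenge c."""
    return pow(G, k2, P), c


def server_respond(x, k1, c):
    """Step 3: Schnorr response r = c*x + k1 mod (p-1)."""
    return (c * x + k1) % Q


def client_verify(y, g_k1, c, r):
    """The client accepts iff g^r == y^c * g^k1 (mod p)."""
    return pow(G, r, P) == (pow(y, c, P) * g_k1) % P


def dh_secret(peer_share, own_exponent):
    """Both sides finish the DH exchange as usual: g^(k1*k2) mod p."""
    return pow(peer_share, own_exponent, P)


def run_protocol(x, k1, k2, c):
    """Honest run.  Returns (client accepted?, client's secret, server's secret)."""
    _, y = server_keygen(x)
    g_k1 = server_commit(k1)
    g_k2, c = client_challenge(k2, c)
    r = server_respond(x, k1, c)
    accepted = client_verify(y, g_k1, c, r)
    return accepted, dh_secret(g_k1, k2), dh_secret(g_k2, k1)


def run_with_mitm(x, k_attacker, x_guess, k2, c):
    """The post's MITM argument, simulated: an interceptor substitutes its own g^k'
    and must answer the challenge without x.  It can only guess x (x_guess), and
    the client's check fails unless the guess equals x mod (p-1)."""
    _, y = server_keygen(x)                 # the client still holds the genuine y
    g_k1_forged = server_commit(k_attacker)
    _, c = client_challenge(k2, c)
    r_forged = server_respond(x_guess, k_attacker, c)
    return client_verify(y, g_k1_forged, c, r_forged)


if __name__ == "__main__":
    # With x = 7: y = 17, g^k1 = 4, r = 3, and both sides derive 13.
    print(run_protocol(x=7, k1=4, k2=9, c=3))
    # An interceptor guessing x = 2 is rejected.
    print(run_with_mitm(x=7, k_attacker=6, x_guess=2, k2=9, c=3))
```

Because k1 is both the DH exponent and the Schnorr commitment, it must be drawn fresh for every session: a repeated k1 answered under two different challenges is the standard nonce-reuse failure of Schnorr, and it would also make the DH share static.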


------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Science Daily overstates significance?
Date: Sat, 29 Apr 2000 00:46:58 GMT

Joseph Ashwood wrote:
> The security of Quantum Cryptography relies on the proof of
> One Time Pad
> The One Time Pad proof relies on a true random number
> generator
> The existence of a true random number generator has never
> been proven, it has actually been proven that you cannot
> prove its existence.

The *properties* of uniform randomness are quite definite
and suffice for the OTP perfect-secrecy proof.

What I think you're referring to is that there is no way
to prove that a bit generator is generating with perfect
randomness by inspection of its output (which is obvious
when you consider that at time T after the test, it could
suddenly enter a different mode).  There is also a notion
of "randomness" a la Chaitin that labels some *finite*
bit strings as "random" or "nonrandom", and a proof that
some string (containing a few thousand bits) is "random"
by that definition but cannot be shown to be so.

> ...r does not take into account the fact that it may be
> possible to force the state some other way. If for example
> I, as an attacker, could force your protons to follow my
> protons, I would have your pad. If I could force your
> protons to follow a random number generator of any kind that
> I have in my possession, I will have broken your encryption.

It's not protons, but (typically) photons.  It is a
fundamental and well-established fact of quantum theory
that you cannot do such things without destroying the
state coherence, which means your meddling will be
detected by the communicants and they will discard the
compromised section of the key stream.

------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: sci.crypt think will be AES?
Date: Sat, 29 Apr 2000 01:53:20 GMT


On 28 Apr 2000 14:28:01 -0600, in <8ecs8h$kr7$[EMAIL PROTECTED]>,
in sci.crypt [EMAIL PROTECTED] (Vernon Schryver) wrote:

>In article <[EMAIL PROTECTED]>, Terry Ritter <[EMAIL PROTECTED]> wrote:
>
>> ...
>>Since I already have patents, I don't have to *argue* that I *thought*
>>I have something new and unique; that has been confirmed.  
>> 
>
>yeah, confirmed by the same experts who determined that
>http://patent.womplex.ibm.com/details?&pn=US05446889__ and
>http://www.patents.ibm.com/details?&pn=US06025810__&s_all=1#23
>are new and unique.  6025810 looks like a somewhat but not entirely
>new or unique to me idea, but I can't see how anyone skilled in the art
>might think 5446889 is new or unique.
>
>In other words and not merely because of those two stellar examples, anyone
>who points to their name on a patent as proof that they came up with
>something new or unique might have invented something, but certainly has
>personal problems.  

It sounds to me like it is *you* who has the personal problem.  

The implication of the previous article was that I had to *argue* that
my idea was new and unique.  But that is what the patent *application*
is about; we are past that argument with an issued patent.  Now, you
may not like that, but, again, that is *your* problem.  


>It's possible that those problems are merely abject
>ignorance of the de facto purpose and functioning of the patent system
>but probably not.  

It seems likely that you have no concept of what patents are for, how
they are reviewed or obtained, or what they mean.  

>The problems usually start with misunderstanding the
>concepts of new and unique and continue to difficulties that need
>professional attention or at least extended private reflection.

The patent system exists.  Learn to live with it.  

Or you can whine, whine, whine, if that is your emotional release.  

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM


------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: sci.crypt think will be AES?
Date: Sat, 29 Apr 2000 02:00:44 GMT


On Fri, 28 Apr 2000 21:25:32 GMT, in
<glnO4.62459$[EMAIL PROTECTED]>, in sci.crypt
[EMAIL PROTECTED] wrote:

>[...]
>In any case, the patent office has issued its share of highly dubious
>patents in the past. It's not entirely their fault either, given the
>flood of totally inane patent applications. (Various shapes for hats,
>a cigarette lighter in the handle of an ice cream scoop, and the Santa
>Claus Detector spring to mind.)

Nobody would argue that in the flood of patents issued by the PTO that
there are no bad patents.  But to criticize patents on the basis of
their titles or field shows a fundamental lack of understanding about
what a patent is.  A patent is about novelty, and not your particular
interpretation of what might be worthwhile.  A patent is also about
claims and what the issued patent actually covers, not your
interpretation of the title.  In fact, a good patent will be written
sufficiently broadly to "read on" a wide array of technology, much of
which may be worthless.  The interpretation of the meaning of a patent
thus requires some amount of creativity to understand the range of
good technology which may be covered.  I have met various professional
cryptography people who are unwilling or unable to grasp that concept.


---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM


------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: sci.crypt think will be AES?
Date: Sat, 29 Apr 2000 02:03:23 GMT


On Fri, 28 Apr 2000 17:27:56 -0700, in <[EMAIL PROTECTED]>,
in sci.crypt Roger <[EMAIL PROTECTED]> wrote:

>Terry Ritter wrote:
>> And I don't find it at all unusual for an inventor to not immediately
>> or in a legally conclusive sense recognize that a different
>> construction may infringe the legal grant.  One can have all sorts of
>> opinions, of course, but we are talking about property ownership,
>> rights, testimony, lawyer fees, court time and other serious stuff.
>> This is not something that should be casually addressed. ...
>> 
>> >2. You had an opportunity to stop infringement, but chose
>> >not to (for whatever reasons).
>> 
>> Well, I *may* have the opportunity -- *IF* I spend time analyzing
>> multiple designs which probably will not be standards.  But even that
>> only works if the designs clearly do or do not infringe, a question
>> which is as much legal as technical and thus requires legal services.
>> I certainly do *not* have that opportunity based on a casual glance.
>
>Suppose you owned a plot of land, and a neighbor builds a house
>close to your property line. Certainly the neighbor should know
>where the line is, and build on his side of the line. You may
>not know exactly where the line is, and may not think it is
>your responsibility to know.
>
>Nevertheless, a judge is going to expect you to act in a timely
>manner. If you sit back and watch the house being built on your
>property, then you are probably going to lose that property.

If I hear that somebody is building on a plot adjacent to mine, I
expect them to know where the dividing line is.  And if they do not, I
may have just gained a living room.   


>Likewise, it would be very hard for a professional cryptographer
>to say he didn't know about AES and couldn't be bothered to
>check whether it infringed his patents. I don't think that
>there will be any serious patent claims once AES becomes final.

Well, well, well.  I *am* a professional cryptographer, or at least I
have been.  And that is *exactly* what I say.  

When NIST comes through with funding to analyze their claim, I may
consider allocating my time for that.  More likely, when AES comes
into use, I will -- at a time of my choosing -- consider whether the
standard infringes my property and whether substantial damage has been
done.  

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM


------------------------------

From: "Stou Sandalski" <tangui [EMAIL PROTECTED]>
Subject: Re: U-571 movie (OT)
Date: Fri, 28 Apr 2000 19:15:19 -0700


"Don H" <[EMAIL PROTECTED]> wrote in message
news:QOyN4.9195$[EMAIL PROTECTED]...
> This movie is a complete fiction, even though dramatically well acted --
> about capturing an Enigma machine.
> For controversy about it see Newsgroup >> "alt.movies"
> ===========================
>

The movie wasn't so much about the Enigma as about the "heroism of
the silent service" (one of the guys from the movie was on Leno a few nights
ago, hehe).  It was pretty much fiction, but it was very entertaining and
suspenseful.  But which Hollywood movie has had more than 2% truth in it?

Watching that movie made me wonder how the Germans, or in fact any country,
generated the codes they used.  How did they randomly create the codes in the
codebooks?  Did they pull numbers out of a hat or something?  Anyone have info
on this?





------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: Speaking of HD Overwriting...
Date: 28 Apr 2000 22:52:42 EDT

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Mark 
Wooding) wrote:
>
>Guy Macon <[EMAIL PROTECTED]> wrote:
>
>> Ever wonder why audio has "io" and video has "eo"?
>
>Well, `audio, -ire, -ivi, -itum' is Latin fourth declension, while
>`video, -ere, -i, -isum' is (slightly odd) second declension.  But that
>only begs the question.

Good guess!  Wrong, though.  Think Greek vs. Latin...


------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: Speaking of HD Overwriting...
Date: 28 Apr 2000 23:09:52 EDT

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (NFN NMI L. 
a.k.a. S.T.L.) wrote:
>
><<It's more complicated than that.  The write laser melts the metal under a
>nonmelting transparent layer.>>
>
>I thought CD-RWs were made of some organic compound, not metal.  I forget what
>CD-Rs are made of.

CD-Rs are made with various organic dyes, which burn (darken, really) under heat.
CD-RWs are as I described.

><<The actual area that is melted is close to the wavelength of the laser,
>so the very idea of "missing" or "hitting" the spot is fuzzy - you need to get
>into the quantum behavior to understand what is going on.>>
>
>I don't understand this objection.  The wavelength of visible light, from 400nm
>to 800nm (and CD lasers are red, if I remember, so that's 800nm), in other
>units, is .4 to .8 microns.  Quantum behavior in solid stuff isn't _too_
>apparent at this scale, right?  After all, transistors don't get all leaky
>until you hit .01 micron or thereabouts.  So my original thought remains:  the
>very outer edge of the area affected by the laser will not be as heated as more
>central parts of that area.  On rewriting, jiggling of the laser, etc, may
>cause the laser to miss those outer edges and not melt the entire previous
>area.  Similar to how a HD head may not remagnetize the entire area that
>constitutes a bit (actually, it's a perfect analogy).  ....Right?

I apologize for being unclear.  The light is showing quantum effects, because
the area hit is about the size of a quantum of infrared light.  The pit is hundreds
of atoms across, so you can ignore quantum effects there.  In a CD, the pits
and the lands are zeros, and the edges between them are ones (the slope of the
pit wall reflects light off to the side and the pit depth is a quarter wave of
red light, which leads to destructive interference).  The CD-R and CD-RW have to
emulate that system even though in them it is the "spots" that are ones, as
opposed to the edges.  (DVDs use red lasers.  CDs use infrared.)

What I failed to make clear is the difficulty of reading the parts where "the
very outer edge of the area affected by the laser will not be as heated as more
central parts of that area [and] on rewriting, jiggling of the laser, etc, may
cause the laser to miss those outer edges and not melt the entire previous area".
You will have a hard time using light, because the wavelength would be too long
to see such small details.  You would have to somehow strip off the protective
lacquer on the label side or dissolve the polycarbonate on the shiny side to
use electron or atomic force microscopy.  If you know how to do that, send an
email to [EMAIL PROTECTED] and tell him you have a method of testing CDs on
the AFM instead of just being able to test stampers and mothers.  No one has been
able to do this, despite the large cost savings.


------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: sboxes for the bored...
Date: Sat, 29 Apr 2000 03:50:43 GMT


On Sat, 29 Apr 2000 00:05:55 GMT, in <[EMAIL PROTECTED]>, in
sci.crypt "Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote:

>Terry Ritter wrote:
>> Measuring Boolean function nonlinearity is well-known technology.
>
>However, there are apparently different measures of nonlinearity;

Yes, of course there would be different measures, in the same sense as
there are many different forms of linearity.  

>are they strictly equivalent?  

Within the context of Boolean functions (that is, n-bit to 1-bit
lookup tables), such functions are likely equivalent.  The extension
to n-bit to m-bit tables, in which we measure each bit-column
independently, seems fairly common, if that is what we want to do.
Now, we might well *want* to do something else in which the sequences
are not measured independently, but I'm unaware of a useful
cryptographic measure for anything like that.  

>E.g., do all comparable bent
>functions have the same "Ritter nonlinearity", 

My nonlinearity work is not original in the sense of being a new
measure.  As far as I know, Boolean function nonlinearity is common,
in fact the most common nonlinearity measure in cryptography.  My
position here was to research, explain and implement a well known but
apparently complex cryptographic measure so that more people could
benefit from using it.  I give the various references to the work I
used on that same page.  

>and is that
>necessarily maximal?

Boolean function nonlinearity seems "maximal" for what it is.  There
really is very little wiggle room between the definition of a linear
or affine Boolean function and the number of bit-changes required to
reach the closest such function.  In that sense this nonlinearity
measure has a very strong and essential meaning.  

On the other hand, there are various sorts of linearity, and we could
try to talk about measuring some sort of structure between the
collected multi-bit values or symbols.  This can be both easy and
almost impossible, and unlike the Boolean function case, it is not
clear to me how useful that would be.  

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM


------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: sboxes for the bored...
Date: Sat, 29 Apr 2000 03:50:52 GMT


On Sat, 29 Apr 2000 01:24:40 GMT, in <[EMAIL PROTECTED]>,
in sci.crypt Tom St Denis <[EMAIL PROTECTED]> wrote:

>"Douglas A. Gwyn" wrote:
>> 
>> Terry Ritter wrote:
>> > Measuring Boolean function nonlinearity is well-known technology.
>> 
>> However, there are apparently different measures of nonlinearity;
>> are they strictly equivalent?  E.g., do all comparable bent
>> functions have the same "Ritter nonlinearity", and is that
>> necessarily maximal?
>
>I dunno what he is talking about the walsh transform (taken from "On
>linear cryptanalysis") will give you a negative when the function is
>affine, a positive when it's linear and close to zero if it's neither. 

Is that true?  I don't think so.  Let's see you deliver a few examples
where that is so.  

In any case, Boolean function nonlinearity is defined as a distance,
not a direction.  Understand that this is not *my* definition; this is
the consensus of a number of different authors.  Boolean function
nonlinearity is the number of bits which must change to reach the
closest affine function.  It is the number of bit-changes, and not
just the result of a particularly convenient computation.  We can get
the same result by counting the bit-changes with respect to each basis
function by hand.  Indeed, I thought I covered all this on my page.
See:

   http://www.io.com/~ritter/JAVASCRP/NONLMEAS.HTM

>His FWT talks only about affine functions.  

I take "affine" to be a generalization of linearity.  

In the Glossary I say:

Affine 
      'Generally speaking, linear. Sometimes affine generalizes
"linearity" to expressions of multiple independent variables, with
only a single-variable expression being called "linear."'

'The Handbook of Mathematics says that if e1, e2, e3 are linearly
independent vectors, any vector a can be expressed uniquely in the
form a = a1e1 + a2e2 + a3e3 where the ai are the affine coordinates.
(p.518)'

Linear 
      'Like a line; having an equation of the form ax + b .' 

      'There are various ways a relationship can be linear. One way is
to consider a, x, and b as integers. Another is for them to be
polynomial elements of GF(2^n).  Yet another is to consider a to be an
n by n matrix, with x and b as n-element vectors. There are probably
various other ways as well.' 

      'Linearity also depends upon our point of view: For example,
integer addition is linear in the integers, but when expressed as mod 2
operations, the exact same computation producing the exact same
results is not considered linear.' 


>Question:  what is the diff between linear/affine?

In practice, not much.  Often we see people talking about not having a
"linear" system, and what they mean is to not have an "affine" system.
The distinction is rarely made and often meaningless.  

But the academics among us may have a more precise view, in which case
I wish they would comment on the entries in my Glossary.  

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
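Boolean function nonlinearity computed both ways discussed in this thread (the bit-change count to the closest affine function, and the Walsh transform shortcut), plus the per-bit-column extension to n-bit to m-bit tables from the earlier post. This is an added example, not code from the glossary page or from any poster; the sample functions `BENT4`, `MAJ3` and the 3-bit table `SBOX3` are constructed for illustration.

```python
"""Boolean function nonlinearity: distance to the nearest affine function,
measured by brute force and by the fast Walsh-Hadamard transform, which must agree.
Added example with constructed sample functions."""


def parity(v):
    """GF(2) dot product helper: parity of the set bits of v."""
    return bin(v).count("1") & 1


def truth_table(f, n):
    """Evaluate f on every n-bit input (as an int), returning a list of 0/1."""
    return [f(x) & 1 for x in range(1 << n)]


def affine_truth_table(a, b, n):
    """Truth table of l_{a,b}(x) = (a . x) XOR b, one of the 2^(n+1) affine functions."""
    return [parity(a & x) ^ b for x in range(1 << n)]


def hamming(t1, t2):
    return sum(u != v for u, v in zip(t1, t2))


def closest_affine(table, n):
    """Brute force: return (a, b, distance) for the affine function nearest to table."""
    best = None
    for a in range(1 << n):
        for b in (0, 1):
            d = hamming(table, affine_truth_table(a, b, n))
            if best is None or d < best[2]:
                best = (a, b, d)
    return best


def nonlinearity_bruteforce(table, n):
    """The bit-change definition: minimum Hamming distance to any affine function."""
    return closest_affine(table, n)[2]


def walsh_hadamard(table):
    """Walsh spectrum W(a) = sum_x (-1)^(f(x) XOR a.x), via the in-place butterfly."""
    w = [1 - 2 * v for v in table]          # map bit 0 -> +1, bit 1 -> -1
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                u, v = w[j], w[j + h]
                w[j], w[j + h] = u + v, u - v
        h *= 2
    return w


def nonlinearity_walsh(table):
    """NL(f) = 2^(n-1) - max_a |W(a)| / 2: the same distance, computed from the spectrum."""
    spectrum = walsh_hadamard(table)
    return (len(table) - max(abs(c) for c in spectrum)) // 2


def nonlinearity_per_column(sbox, m):
    """n-bit to m-bit table: measure each output bit-column as its own Boolean function."""
    return [nonlinearity_walsh([(y >> bit) & 1 for y in sbox]) for bit in range(m)]


# Constructed samples.  BENT4 = x0*x1 XOR x2*x3 is bent on 4 bits (NL = 2^3 - 2 = 6);
# MAJ3 is the 3-bit majority function (NL = 2); SBOX3 is an arbitrary 3-bit permutation.
def BENT4(x):
    return ((x & 1) & ((x >> 1) & 1)) ^ (((x >> 2) & 1) & ((x >> 3) & 1))


def MAJ3(x):
    return 1 if bin(x & 7).count("1") >= 2 else 0


SBOX3 = [7, 6, 0, 4, 2, 5, 1, 3]


if __name__ == "__main__":
    for name, f, n in (("bent", BENT4, 4), ("majority", MAJ3, 3)):
        t = truth_table(f, n)
        print(name, nonlinearity_bruteforce(t, n), nonlinearity_walsh(t), closest_affine(t, n))
    print("per-column NL of SBOX3:", nonlinearity_per_column(SBOX3, 3))
```

The brute-force routine is the definition Ritter states (count the bit changes to every affine function and take the smallest), and the Walsh route is the convenient computation that reaches the same number; running both on the same table is a cheap self-check when implementing either.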


------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Vs: Requested: update on aes contest
Date: Sat, 29 Apr 2000 04:07:22 GMT


On Fri, 28 Apr 2000 21:07:51 +0300, in <8ecuiu$73p$[EMAIL PROTECTED]>, in
sci.crypt "Helger Lipmaa" <[EMAIL PROTECTED]> wrote:

>Terry Ritter mailto:[EMAIL PROTECTED]:
>
>> That's sort of a self-selecting population, don't you think?  Or do
>> you suggest that the result is representative of knowledgeable crypto
>> people everywhere?
>>
>> It sure doesn't represent my views.
>>
>> And voting is irrelevant in Science.
>
>This self-selecting population is actually the only population (maybe NSA
>excluded) on this planet who knows ANYTHING about the cipher security.

That's just ridiculous.  The self-selecting population consists of
those people with a vested interest in the process, AND who could and
wanted to travel to be there.  In particular, I was not there; I have
little interest in it.  Feel free to look at my work.  

I may have had more interest had I been allowed to present my designs
without being required to give them away, but I was not.  That issue
is past, but it does not affect my technical ability, whatever that
may be.  And I claim there is room for more than one "top" expert in a
field (whatever that might mean); there is in fact room for a broad
range of individual capabilities and specialties, ALL of whom know
SOMETHING about cipher security.  

>I was not present this time, 

Just my point.  

>but looking at the results (for example, answer
>to the question "which algorithms definitely SHOULD be selected for the
>standard") I am not surprised at all: I know from personal experience that
>most of the cryptographers and cryptanalysts really think that way.
>Moreover, also I think that way.

Alas, that does not make you, them, or the entire process, correct.
There have been many, many cases where the specialists in a field
agreed and were wrong.  

Perhaps you need to re-think the relationship between scientific fact
and the conventional wisdom of some particular professionals in the
field.  

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
