Cryptography-Digest Digest #816, Volume #11      Fri, 19 May 00 03:13:00 EDT

Contents:
  Re: sci.crypt cipher contest (Boris Kazak)
  Re: Chosen plaintext attack, isn't it absurd? (Boris Kazak)
  Re: random.org? (Benjamin Goldberg)
  Re: random.org? ("Steve and Darla Wells")
  Re: random.org? ("Steve and Darla Wells")
  Re: NSA hardware evaluation of AES finalists (Kenneth Almquist)
  Re: Unbreakable encryption. (wtshaw)
  Re: Unbreakable encryption. (wtshaw)
  Re: AES final comment deadline is May 15 (Kenneth Almquist)
  Re: Unbreakable encryption. (wtshaw)
  Re: Unbreakable encryption. (wtshaw)
  Re: Base Encryption: Revolutionary Cypher (wtshaw)
  Re: Base Encryption: Revolutionary Cypher (wtshaw)
  what is the status finite automata base cryptosystems? (Christopher Pollett)
  Re: Matching substrings in a signature (Paul Rubin)
  Re: Matching substrings in a signature (Anders Thulin)
  Re: Interpretation of Hitachi patent claims (Richard Heathfield)
  Re: AES final comment deadline is May 15 (Volker Hetzer)
  Re: Matching substrings in a signature (Anders Thulin)

----------------------------------------------------------------------------

From: Boris Kazak <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: sci.crypt cipher contest
Date: Fri, 19 May 2000 02:12:19 GMT

[EMAIL PROTECTED] wrote:
> 
> Is publishing a cipher on the web (including source code) an equivalent
> of exporting it? Is the website accessible from outside the U.S.?
> 
> Joseph Poe
=====================
AFAIK, restrictions apply specifically in case of "exporting",
which means that crypto software in question must be considered a 
commercial entity. 
The ciphers at the crypto-contest Web site are by definition placed 
into public domain, thus they are non-commercial.

Or at least I hope so.                BNK

------------------------------

From: Boris Kazak <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Chosen plaintext attack, isn't it absurd?
Date: Fri, 19 May 2000 02:41:51 GMT



Tim Tyler wrote:
******************** 
> I suspect the original question was mis-phrased.  *Nothing* is normally
> intended to stop the attacker finding out what the decryption machinery
> is.  Commonly little attempt is made to conceal that - since sufficient
> security should reside in the key alone - and the attacker is assumed to
> know about the machinery in security analyses.
> 
> In such attacks, the cryptographer aims primarily to prevent recovery of
> the key - or at least access to other plaintest encrypted with the same
> key - where plaintexts are partly under the control of opponents.
> --
> __________  Lotus Artificial Life  http://alife.co.uk/  [EMAIL PROTECTED]
>  |im |yler  The Mandala Centre   http://mandala.co.uk/  Goodbye cool world.
====================
   However, crypto professionals are now considering some additional class
of attacks which they call "distinguishing attacks". These have as a goal
just to determine what kind of algorithm was used in order to encrypt a
particular ciphertext. The attack is deemed successful, if the name of the
algorithm can be established - DES or BLOWFISH or CAST or whatever.

  In many cases these attacks do not lead to key or plaintext recovery, 
but still experts think that a really strong cipher should resist them.

  I recently submitted 2 ciphers to the sci.crypt contest at

<http://www.wizard.net/~echo/crypto-contest.html> , 

(see LETSIEF2 and MMBOOZE) but Dave Wagner found "distinguishing" 
differential attacks against both(!!). Now I am considering repairs 
and resubmission. 
  Doesn't matter that these attacks cannot recover key or plaintext...

Best wishes             BNK
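The distinguishing attacks described above can be illustrated with the textbook case of a two-round Feistel network. The following is an added example, not code from the post or from the contest ciphers: it builds a toy balanced Feistel cipher (8-byte halves, truncated HMAC-SHA256 as an assumed round function) and a chosen-plaintext test that tells a 2-round instance apart from a random function without learning anything about the round keys. Two plaintexts that share the right half R produce left output halves L1 ^ F(K1,R) and L2 ^ F(K1,R), so their XOR equals L1 ^ L2 regardless of the key; a random function satisfies that relation with probability 2^-64 per trial. Three or more rounds break the relation, which is why designers require it.

```python
import hashlib
import hmac
import os

HALF = 8  # bytes per half-block, i.e. a 16-byte block (constructed toy parameter)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def round_function(key: bytes, x: bytes) -> bytes:
    # Toy round function: HMAC-SHA256 truncated to one half-block (assumed choice).
    # It is keyed and unpredictable, so the distinguisher below exploits the
    # network's structure, not any weakness of F.
    return hmac.new(key, x, hashlib.sha256).digest()[:HALF]


def feistel_encrypt(round_keys, block: bytes) -> bytes:
    """Balanced Feistel network with len(round_keys) rounds (constructed toy)."""
    L, R = block[:HALF], block[HALF:]
    for k in round_keys:
        L, R = R, xor(L, round_function(k, R))
    return L + R


def random_function(key: bytes, block: bytes) -> bytes:
    """Reference object: a keyed pseudo-random function on the whole block."""
    return hmac.new(key, block, hashlib.sha256).digest()[:2 * HALF]


def looks_like_two_round_feistel(encrypt, trials: int = 8) -> bool:
    """Chosen-plaintext distinguisher.  Returns True only if every trial shows the
    key-independent relation  left(C1) ^ left(C2) == L1 ^ L2  for plaintexts
    L1||R and L2||R.  No key bit or plaintext is recovered in the process."""
    for _ in range(trials):
        r = os.urandom(HALF)
        l1, l2 = os.urandom(HALF), os.urandom(HALF)
        c1, c2 = encrypt(l1 + r), encrypt(l2 + r)
        if xor(c1[:HALF], c2[:HALF]) != xor(l1, l2):
            return False
    return True


if __name__ == "__main__":
    keys = [os.urandom(16) for _ in range(4)]
    for rounds in (2, 3, 4):
        verdict = looks_like_two_round_feistel(lambda b: feistel_encrypt(keys[:rounds], b))
        print(f"{rounds}-round Feistel distinguished: {verdict}")
    print("random function distinguished:",
          looks_like_two_round_feistel(lambda b: random_function(keys[0], b)))
```

The test says nothing about which key is in use, which is exactly the point of the post: a cipher can leak its structure to an observer while the key and the plaintext stay safe, and the usual design goal is to close that gap as well.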

------------------------------

From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: random.org?
Date: Fri, 19 May 2000 04:29:00 GMT

Steve and Darla Wells wrote:
[snip]
> > You may take a look at http://fourmilab.ch/hotbits/
> >
> Random.org's solution is to take a commercial quality radio (i.e. not great
> signal, not low noise) tune it to a frequency where there is no station
> (they hope it stays that way) and capture noise.  The simple coin-flip
> corrector scheme, although doing a great job at fixing the bias, tends to
> leave residual correlations.
> 
> Fourmilab.ch's solution is just a receiver on a much greater frequency!
> Does anyone know what additional post processing they do to either whiten
> the data or improve the actual entropy?
> 
[snip]
What do you mean "a receiver on a much greater frequency?"  Hotbits works
by putting a radiation detector next to a radiation source, and measuring
intervals between ticks...  How is this similar to looking at the low order
bits of atmospheric radio frequency noise?
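The "simple coin-flip corrector" mentioned in the quoted text is the von Neumann debiaser: read the raw bits in non-overlapping pairs, emit the first bit of every 01 or 10 pair and discard 00 and 11. The following added example (not code from either poster or from random.org) shows, on constructed seeded sources, both halves of the quoted claim: the corrector removes the bias of an independent biased source exactly, but on a source whose bits are serially correlated it leaves the output unbiased yet still correlated, because the corrector assumes the pairs are independent.

```python
import random


def biased_source(n: int, p_one: float, seed: int = 1) -> list:
    """Constructed stand-in for a raw noise source: independent bits, P(1) = p_one."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def correlated_source(n: int, p_same: float, seed: int = 2) -> list:
    """Constructed unbiased but serially correlated source: each bit repeats the
    previous one with probability p_same (a symmetric two-state Markov chain)."""
    rng = random.Random(seed)
    bits = [rng.randrange(2)]
    for _ in range(n - 1):
        prev = bits[-1]
        bits.append(prev if rng.random() < p_same else 1 - prev)
    return bits


def von_neumann(bits: list) -> list:
    """Coin-flip corrector: keep the first bit of each 01/10 pair, drop 00 and 11.
    Removes bias exactly when the pairs are independent and identically distributed."""
    out = []
    for i in range(0, len(bits) - 1, 2):
        a, b = bits[i], bits[i + 1]
        if a != b:
            out.append(a)
    return out


def fraction_ones(bits: list) -> float:
    return sum(bits) / len(bits)


def lag1_agreement(bits: list) -> float:
    """Fraction of adjacent positions that hold the same value: 0.5 for an
    independent unbiased stream, anything else signals serial correlation."""
    same = sum(1 for i in range(len(bits) - 1) if bits[i] == bits[i + 1])
    return same / (len(bits) - 1)


def demo() -> dict:
    raw_biased = biased_source(40000, 0.75)
    raw_corr = correlated_source(40000, 0.80)
    return {
        "biased_raw_ones": fraction_ones(raw_biased),
        "biased_corrected_ones": fraction_ones(von_neumann(raw_biased)),
        "corr_raw_lag1": lag1_agreement(raw_corr),
        "corr_corrected_ones": fraction_ones(von_neumann(raw_corr)),
        "corr_corrected_lag1": lag1_agreement(von_neumann(raw_corr)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:24s} {value:.3f}")
```

For the correlated source the corrected stream still disagrees with itself more often than chance (the lag-1 agreement stays well below 0.5), so a bias test alone would pass it; a serial-correlation or run-length test is the check that catches what this corrector leaves behind.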

------------------------------

From: "Steve and Darla Wells" <[EMAIL PROTECTED]>
Subject: Re: random.org?
Date: Thu, 18 May 2000 21:31:51 -0700

> but there are other applications (most notably games and
> lottery type services) that require true randomness but where secrecy
> isn't important."
>
I've worked with individuals responsible for the entropy sources used in
lotteries and gaming.  They seem to have a more real concept of lost revenue
due to aggressive eavesdropping of randomness than even most crypto
engineers I've worked with.  I think real entropy is important to both
gaming/lottery and crypto camps.  :)



------------------------------

From: "Steve and Darla Wells" <[EMAIL PROTECTED]>
Subject: Re: random.org?
Date: Thu, 18 May 2000 21:52:04 -0700


> Quality of random bits, hahaha that's funny.  Either a bit was
> predicted using a model, or it was not predicted.  There is no 87%
> random bits for example...But a single individual bit is either random or
> not, there is no half-way about it.

I think I did say bits (plural) rather than bit.  But that's ok.  I think we
agree that a bit is random or not:  Simplistic example:
    101 <--- Three bits taken from an ideal random number generator
    101 <--- Three bits taken from my RNG which is quite good, yet
             quantifiably not ideal
    101 <--- My son's age in binary (which any good intelligence officer
             could figure out) and thus contains little (no) entropy
And yet the first contains 3 bits of entropy, the other contains 2.997, and
the final contains 0.00001.  And yet each with only three bits??

Another, although somewhat contrived example but still useful for discussion
purposes, a circuit which selects 87% of the time from an ideal random bit
stream and the rest of the time selects highly deterministic yet dynamic
bits, such as the minute LSB from the NBS atomic clock.  (Just for fun lets
also assume that the selection algorithm is complex yet deterministic.)
Thus individual bits are either "random" or "deterministic" yet the quality
of the overall bit stream entropy content is 0.87.

I think it is useful as heck to consider there to be an entropy content per
bit.  I tend to shorten the nomenclature to b=bit and e=entropy per bit.
The e of a bit stream fluctuates between >0 and <1 always and has very
dynamic properties.  There are many good methods of ensuring that the output
stream contains an e(average) although e per bit fluctuates greatly between
bits.  The entropy equivalent of a low pass filter capacitor.

---Steve






------------------------------

From: [EMAIL PROTECTED] (Kenneth Almquist)
Subject: Re: NSA hardware evaluation of AES finalists
Date: Fri, 19 May 2000 05:04:00 GMT

> That says Rijndael is about 2.2x the speed of Serpent in 2.0x the
> chip area, or about 10% faster for equivalent area.  I'd call that
> slightly ahead, not well ahead.

Sorry, I got the numbers wrong; here is the corrected table.  These
numbers come from section 5 of the NSA report; the report's own
summary table at the bottom of page 37 has larger times for Mars and
Serpent.

                       time      area   transistors
        Rijndael       211.3     33.85    641,681
        Serpent        510.08    23.27    345,483
        Twofish       1217.4     16.11    264,058
        RC6           1244.80    19.25    307,247
        Mars          1987.98   126.83  1,941,371

On the metric you use--throughput per unit area--Serpent is actually
better than Rijndael.  I gave the NSA's numbers for this later in my
article (and I rechecked them just now to be sure they match the numbers
in the NSA's report).
                                Kenneth Almquist

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Unbreakable encryption.
Date: Thu, 18 May 2000 22:26:25 -0600

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
> 
> Ob cryptography: The relationship between a complex algorithm and a
> strong one seems to me to be a very loose one - I believe simple
> systems can be very strong.

And, complicated ones can be weak.  It seems that the efficiency of strong
simple systems to cut to the chase should make them desirable. 
Unfortunately, in search of strength too many people make the error we
obviously object to.
-- 
Secrets that are told or available are not secrets any more, surely
not trade secrets.  Security of secrets is not dependent on someone 
else's stupidity, only in your making them available in any form.

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Unbreakable encryption.
Date: Thu, 18 May 2000 22:40:46 -0600

In article <8g0hof$nbp$[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:

> there is a more detailed synopsis of Base Encryption
> located at http://www.edepot.com/phl.html
> 
> It explains in more detail the relationship between different
> bases and other ramifications that may interest you.  In particular
> the relationship between n-bit cypherblocks and the message
> stream.
> 
I'm interested in bits, trits, and all prime information units. 

I notice that you seem to be using only two bases, where three tend to be
most popular with me, sometimes two or four. I am taking the approach to
much of the business with campaign in certain number systems, but they
tend to weave into others.

The fertility of potential base algorithms is largely untapped in the
public world, not so elsewhere. It is refreshing to see any interest in
this area.  Figure that there will be customary grunts and groans about
anything that is so little contemplated and only cursively understood by
those that are tied up elsewhere.  Surely, everyone has some learning to
do, including reflection by those of us working there. The more you work,
the more you learn.
-- 
Secrets that are told or available are not secrets any more, surely
not trade secrets.  Security of secrets is not dependent on someone 
else's stupidity, only in your making them available in any form.

------------------------------

From: [EMAIL PROTECTED] (Kenneth Almquist)
Subject: Re: AES final comment deadline is May 15
Date: Fri, 19 May 2000 05:31:34 GMT

[EMAIL PROTECTED] (Mark Wooding) wrote:
> The issue of the RSA patent on RC5 applying to MARS is also cause
> for concern -- I've not seen this resolved one way or the other yet.

Personally I trust IBM to have analyzed the patent issues correctly.
In any case, RSA has agreed not to seek royalties, so there is not
much reason for concern even if Mars is covered by the patent.  The
position of RSA is that:

    RSA will not require licensing or royalty payments for the
    manufacture, use, or sale of products utilizing the algorithm
    selected as the AES, which conform with the AES, on the basis
    of any patents that RSA may hold that could be deemed to cover
    the selected algorithm.  However, RSA may require appropriate
    notices acknowledging RSA's ownership of such patents.

See <http://www.rsalabs.com/aes/rc6_patent.html>.
                                Kenneth Almquist

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Unbreakable encryption.
Date: Thu, 18 May 2000 22:54:38 -0600

In article <8g0knj$qem$[EMAIL PROTECTED]>, Tom St Denis
<[EMAIL PROTECTED]> wrote:

> 
> But technically if you truncate a fraction you can't go back.  For
> example
> 
> 1/3 = 0.3333333....
> 
> However...
> 
> 0.333 * 3 = 0.999, not '1'.

I figure that he will learn to get away from the canned program to
something better:

0.333...= 0(10)333... = 1/3 = 0(3)1

You can have fractions in any base.  You can't call them decimal fractions
if they are not in base ten, but you can write them.  By definition a base
point tends to be still in base ten, otherwise it would always be (10)
for any base, since the 1 represents overflow from the units place. 
> 
> Your method is seriously a) inefficient, b) undocumented and c) weak.
> 
He has to start somewhere.
-- 
Secrets that are told or available are not secrets any more, surely
not trade secrets.  Security of secrets is not dependent on someone 
else's stupidity, only in your making them available in any form.

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Unbreakable encryption.
Date: Thu, 18 May 2000 23:08:23 -0600

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:

> [EMAIL PROTECTED] wrote:
> 
> : I would welcome any comments on weaknesses in Base Encryption. [...]
> 
> Your method (as described in your examples) applies a base change, a
> linear transformation, and then a base change - and that's it.
> 
> Try encrypting a file consisting of all zero bytes using this technique
> to see how useless it is.

He seems to be working with defining a primitive, which might have
considerable use in other areas. There is no either/or contest here, just
an adding of options to the pile.  

DG mentioned the obsession that he and others have with exactness. It is
that.  It is the same preoccupation that slaves block ciphers to a static
model that limits their strength similar to the laws governing biological
surface to volume.  Some will understand this analogy; others never will.
-- 
Secrets that are told or available are not secrets any more, surely
not trade secrets.  Security of secrets is not dependent on someone 
else's stupidity, only in your making them available in any form.

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Base Encryption: Revolutionary Cypher
Date: Thu, 18 May 2000 23:28:58 -0600

In article <[EMAIL PROTECTED]>, Eric Lee Green
<[EMAIL PROTECTED]> wrote:

>....All bases can be represented in base 2, albeit with some
> wasted bits for odd-number (non-power-of-2) bases.  Adding other bases thus
> can be considered to be a very crude block-cipher diffusion mechanism, i.e., a
> mechanism for diffusing bits across a larger field of bits, with some
> properties that make it decidedly inferior to most such mechanisms for
> transforming bits (for one thing, a 1-bit change in the input does not have
> the desired avalanche property).  

You are quoting dogma which happens to be mathematically wrong. Base 2 is
only fundamental to other powers of two.

Avalanching defined in bits has nothing to do with other bases.  What we
see all too often with bit players is usually a shallow test of pattern
manipulation, complete with appropriate designed tests to justify their
own desired results.  Statistics often do not just lie, they tell damned
lies, so you had better be careful.  Sometimes tests of bit based results
can be seen to be faulty when looked at via another base.  
 
> Based on the above, it is clear that the easiest way to get better security is
> to use a well-designed cipher that uses well-thought-out transformations with
> desirable diffusion and avalanche properties, with an adjustable key size,
> such as Blowfish, and simply add a few bits of key material. 

The mantra continues...
> 
> Sigh. From the snake oil FAQ:
> 
>  Revolutionary Breakthroughs
> 
>  Beware of any vendor who claims to have invented a ``new type of
>  cryptography'' or a ``revolutionary breakthrough.'' True breakthroughs are
>  likely to show up in research literature, and professionals in the field
>  typically won't trust them until after years of analysis, when they're not
>  so new anymore.

Stated like a true authoritarian....
> 
> I already touched upon the 'base' bit up above. Note that all modern computers
> operate using base 2 arithmetic, thus all input and output symbols are
> ultimately decomposed to a string of 1's and 0's. Thus this guy is proposing
> to do a key-dependent transformation to a different set of 1's and 0's and
> saying (seriously?) that this is a better transformation than the
> transformations usually incorporated into Feistel-type block ciphers. Of
> course, avalanche and diffusion properties of his transformation are almost
> non-existent, but why should little things like facts matter? 
> 
Seems like you are not aware of all technology.  You have deluded yourself
into a corner.
-- 
Secrets that are told or available are not secrets any more, surely
not trade secrets.  Security of secrets is not dependent on someone 
else's stupidity, only in your making them available in any form.
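The two critiques quoted in this thread (a file of all zero bytes, and the missing avalanche property) can both be checked mechanically. The following added example is not the Base Encryption code from edepot.com, whose details are not on this page; it is a constructed toy in the same "base change, linear map, base change" pattern the critics describe: a 32-bit block is written in base 3, every digit is multiplied by a key that is invertible mod 3, and the digits are read back into a 40-bit output. A keyed SHA-256 truncated to 40 bits serves as a constructed reference for what good diffusion looks like; it is not a cipher.

```python
import hashlib
import random

BASE = 3          # digit base used by the toy scheme (constructed choice)
IN_BYTES = 4      # 32-bit input block
NDIGITS = 21      # base-3 digits needed for any 32-bit value (3**20 < 2**32 < 3**21)
OUT_BYTES = 5     # 3**21 - 1 < 2**40, so every output fits in 40 bits


def to_digits(n: int, base: int, ndigits: int) -> list:
    """Little-endian base-`base` digits of n, zero-padded to ndigits."""
    digits = []
    for _ in range(ndigits):
        n, d = divmod(n, base)
        digits.append(d)
    return digits


def from_digits(digits: list, base: int) -> int:
    return sum(d * base ** i for i, d in enumerate(digits))


def base_cipher(block: bytes, key: int) -> bytes:
    """Toy 'base change, linear map, base change': each base-3 digit d becomes
    key*d mod 3.  key must be 1 or 2 so that the map is invertible."""
    n = int.from_bytes(block, "big")
    mixed = [(key * d) % BASE for d in to_digits(n, BASE, NDIGITS)]
    return from_digits(mixed, BASE).to_bytes(OUT_BYTES, "big")


def base_decipher(block: bytes, key: int) -> bytes:
    inv = pow(key, -1, BASE)  # modular inverse of the key digit
    n = int.from_bytes(block, "big")
    plain = [(inv * d) % BASE for d in to_digits(n, BASE, NDIGITS)]
    return from_digits(plain, BASE).to_bytes(IN_BYTES, "big")


def reference_prf(block: bytes) -> bytes:
    # Constructed reference with strong diffusion: keyed SHA-256 truncated to
    # 40 bits.  Used only to calibrate the avalanche measurement below.
    return hashlib.sha256(b"constructed-key" + block).digest()[:OUT_BYTES]


def hamming(a: bytes, b: bytes) -> int:
    return bin(int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).count("1")


def avalanche_mean(encrypt, flip_bit: int, samples: int = 500, seed: int = 7) -> float:
    """Mean number of the 40 output bits that change when input bit `flip_bit`
    is flipped, over seeded random input blocks.  About 20 is the ideal."""
    rng = random.Random(seed)
    total = 0
    for _ in range(samples):
        x = rng.getrandbits(8 * IN_BYTES)
        a = x.to_bytes(IN_BYTES, "big")
        b = (x ^ (1 << flip_bit)).to_bytes(IN_BYTES, "big")
        total += hamming(encrypt(a), encrypt(b))
    return total / samples


if __name__ == "__main__":
    key = 2
    print("all-zero block ->", base_cipher(bytes(IN_BYTES), key).hex())
    print("toy cipher, flip bit 0: %.2f bits change" % avalanche_mean(lambda b: base_cipher(b, key), 0))
    print("reference PRF, flip bit 0: %.2f bits change" % avalanche_mean(reference_prf, 0))
```

Two things the numbers show: the all-zero block encrypts to all zeros for every key, because a linear map on digits fixes zero, and a change in the lowest input bit moves only a few low-order output digits, so only a handful of output bits change where a well-diffusing transformation changes about half. Measuring only a high-order bit flip would hide the second defect, since 2^31 has many nonzero base-3 digits; that is why avalanche is assessed across all input bit positions, not one.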

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Base Encryption: Revolutionary Cypher
Date: Thu, 18 May 2000 23:40:35 -0600

In article <[EMAIL PROTECTED]>, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:

> 2. Base conversion could facilitate certain encryption
>    processing, if suitably done. This is however not new.
>    wtshaw of our group has posted quite a lot of that
>    in the past. I have asked him (recently a second time)
>    to present a basic description of his work for
>    discussion in the group.
> 
I'm wrapping up the 12th member of a family of related ciphers.  I will
explain some ideas against a backdrop of data for them.  Hopefully, this
will help.  Be patient for a couple of days or so.

I would characterize my techniques as defined by adopted goals, accepted
parameters, reasonable structure, and practical for use.  They are mainly
to test ideas at the neoclassical level.
-- 
Secrets that are told or available are not secrets any more, surely
not trade secrets.  Security of secrets is not dependent on someone 
else's stupidity, only in your making them available in any form.

------------------------------

From: Christopher Pollett <[EMAIL PROTECTED]>
Subject: what is the status finite automata base cryptosystems?
Date: Thu, 18 May 2000 23:49:14 -0700

Hi,

Can anyone out there tell me what the current status of finite automata
based cryptosystems is?

Chris


------------------------------

From: [EMAIL PROTECTED] (Paul Rubin)
Subject: Re: Matching substrings in a signature
Date: 19 May 2000 06:49:30 GMT

In article <[EMAIL PROTECTED]>,
Anders Thulin  <[EMAIL PROTECTED]> wrote:
>
>
>Paul Rubin wrote:
>
>> Look in "Programming Pearls" by Jon Bentley, for his description of
>> M. D. McIlroy's implementation of the original Unix spelling checker
>> program on the PDP-11. 
>
>  Wasn't that one a Bloom filter?

I guess it was.  I didn't know the term till just now, but just read up
on it a little.  I'm sure it's been re-invented many times.

------------------------------

From: Anders Thulin <[EMAIL PROTECTED]>
Subject: Re: Matching substrings in a signature
Date: Fri, 19 May 2000 06:27:23 GMT



Paul Rubin wrote:

> Look in "Programming Pearls" by Jon Bentley, for his description of
> M. D. McIlroy's implementation of the original Unix spelling checker
> program on the PDP-11. 

  Wasn't that one a Bloom filter?

-- 
Anders Thulin     [EMAIL PROTECTED]     040-10 50 63
Telia Prosoft AB, Hjälmaregatan 3B, 212 19 Malmö, Sweden

------------------------------

Date: Fri, 19 May 2000 07:45:12 +0100
From: Richard Heathfield <[EMAIL PROTECTED]>
Subject: Re: Interpretation of Hitachi patent claims

Mok-Kong Shen wrote:
> 
> I just looked into the letter of Hitachi to NIST in
> 
> http://csrc.nist.gov/encryption/aes/round2/comments/20000410-sharano.pdf
> 
> I think I could understand the 'claim 1' there, but apparently
> my poor English knowledge prevented me from comprehending
> 'claim 10'.
> 
> Would some native English speaker kindly translate these
> claims into (mathematical) symbolic form so that we could
> jointly study and discuss them and eventually detect some
> weakness in Hitachi's claims in relation to the AES
> candidates?

I would be most interested in seeing Hitachi's letter. Unfortunately,
it's in pdf (Portable Document Format) which, ironically, doesn't work
on my system. Is it available anywhere in a portable document format
(i.e. ASCII text)?

-- 

Richard Heathfield

"Usenet is a strange place." - Dennis M Ritchie, 29 July 1999.

C FAQ: http://www.eskimo.com/~scs/C-faq/top.html
37 K&R Answers: http://users.powernet.co.uk/eton/kandr2/index.html (60 to go)

------------------------------

From: Volker Hetzer <[EMAIL PROTECTED]>
Subject: Re: AES final comment deadline is May 15
Date: Fri, 19 May 2000 06:59:07 +0000

David A Molnar wrote:
> 
> Volker Hetzer <[EMAIL PROTECTED]> wrote:

> If by "establishment" you mean academic and corporate cryptographers,
> then I'm not sure how any possible resentment on their part will
> influence the AES decision at this point. At least in theory, it's
> supposed to be made by NIST. I don't know anything about
> the politics involved with the NIST -- is there some reason to believe
> that they would be influenced by what personal feelings exist on the part
> of the "establishment" ?
At AES3 there were those votes.
I'm curious as to what weight they have with NIST.

Greetings!
Volker
--
"Isn't it just my luck. Some stranger says to me, "I LOVE YOU"
and next thing I know, I've got this virus..."

------------------------------

From: Anders Thulin <[EMAIL PROTECTED]>
Subject: Re: Matching substrings in a signature
Date: Fri, 19 May 2000 06:59:43 GMT


Ken Christensen wrote:

> The intended application is to take a list of names
> and compress them into a signature.  Then, with high probability (100%
> certainty is not needed!) determine if, say, "John Doe" is contained in the
> list given only knowledge of the signature.

  As you don't mention any other restrictions, it seems easiest to
hash each separate name by some suitable function, and then concatenate
the resulting hashes to make the signature.

  CRC16 or CRC32 might be good enough, depending on what degree of
probability and degree of compression you want to achieve.

-- 
Anders Thulin     [EMAIL PROTECTED]     040-10 50 63
Telia Prosoft AB, Hjälmaregatan 3B, 212 19 Malmö, Sweden
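Both designs discussed in this thread, the concatenated per-name hashes suggested here and the Bloom filter named in the earlier replies, can be compared on the same list. The following is an added example, not code from any poster and not McIlroy's spell-checker: it builds the CRC32-concatenation signature from this post and a Bloom filter over a constructed list of names, then checks membership against each and measures the Bloom filter's false-positive rate on constructed non-member strings. The Bloom filter derives its k bit positions from one SHA-256 digest by double hashing, an assumed construction; any family of independent hashes would serve.

```python
import hashlib
import math
import zlib

NAMES = ["John Doe", "Jane Roe", "Alice Smith", "Bob Jones", "Carol White"]  # constructed


def crc_signature(names) -> bytes:
    """Signature from the post: CRC32 of each name, concatenated (4 bytes per name)."""
    return b"".join(zlib.crc32(n.encode()).to_bytes(4, "big") for n in names)


def crc_contains(signature: bytes, name: str) -> bool:
    """Membership test: does the name's CRC32 appear among the stored hashes?
    A non-member matches by accident with probability about n / 2**32."""
    target = zlib.crc32(name.encode()).to_bytes(4, "big")
    return any(signature[i:i + 4] == target for i in range(0, len(signature), 4))


class BloomFilter:
    """m-bit array, k positions per item.  Members always test positive; a
    non-member tests positive with probability about (1 - e**(-k*n/m))**k."""

    def __init__(self, m_bits: int, k: int):
        self.m, self.k = m_bits, k
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, item: str) -> list:
        # Double hashing from one SHA-256 digest (assumed construction).
        h = hashlib.sha256(item.encode()).digest()
        h1 = int.from_bytes(h[:8], "big")
        h2 = int.from_bytes(h[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: str) -> None:
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, item: str) -> bool:
        return all((self.bits[p // 8] >> (p % 8)) & 1 for p in self._positions(item))

    def signature(self) -> bytes:
        return bytes(self.bits)


def expected_fp_rate(n: int, m: int, k: int) -> float:
    """Standard false-positive estimate for n items in m bits with k hashes."""
    return (1 - math.exp(-k * n / m)) ** k


def build_bloom(names, bits_per_item: int = 10) -> BloomFilter:
    m = bits_per_item * len(names)
    k = max(1, round(bits_per_item * math.log(2)))  # k = (m/n) ln 2 minimises the rate
    bf = BloomFilter(m, k)
    for n in names:
        bf.add(n)
    return bf


def measured_fp_rate(bf: BloomFilter, probes: int = 2000) -> float:
    """Probe constructed non-member strings and report the fraction that test positive."""
    hits = sum(1 for i in range(probes) if f"not-a-member-{i}" in bf)
    return hits / probes


if __name__ == "__main__":
    sig = crc_signature(NAMES)
    bf = build_bloom(NAMES)
    print("CRC32 signature:", len(sig), "bytes; 'John Doe' present:", crc_contains(sig, "John Doe"))
    print("Bloom signature:", len(bf.signature()), "bytes; 'John Doe' present:", "John Doe" in bf)
    print("Bloom expected FP rate %.4f, measured %.4f"
          % (expected_fp_rate(len(NAMES), bf.m, bf.k), measured_fp_rate(bf)))
```

The trade-off the post alludes to is visible in the sizes: the CRC32 signature spends 32 bits per name for a false-positive rate near n/2^32, while the Bloom filter spends 10 bits per name for a rate near 1%, and either rate can be tuned by changing the hash width or bits per item. Neither signature hides the names from someone who can guess them and test, so if the list itself is sensitive the signature must be treated as sensitive too.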

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
