Cryptography-Digest Digest #944, Volume #11       Mon, 5 Jun 00 05:13:01 EDT

Contents:
  Re: Cipher design a fading field? (Benjamin Goldberg)
  Re: Actually this person faxed me an article of the U.S. commercial espionage in 
August, 1995 .... good work Tatu Ylonen ... actually I have tried to provide some 
intel in the past ... ([EMAIL PROTECTED])
  Re: No-Key Encryption (Mok-Kong Shen)
  Re: RSA Algorithm (Mok-Kong Shen)
  Re: Cipher design a fading field? (Mok-Kong Shen)
  Re: Cipher design a fading field? (Mok-Kong Shen)
  Re: Faster than light Cryptanalysis (Mok-Kong Shen)
  Re: HTML encryption (Niklas Frykholm)
  Re: TC3 Update (Niklas Frykholm)
  Re: An interesting page on the Rabin-Miller PP test (Robin Chapman)
  Re: XTR independent benchmarks (Wei Dai)
  Re: Newcomer seeks clarification re download encryption (David Formosa (aka ? the 
Platypus))
  Re: HTML encryption (Mark Wooding)

----------------------------------------------------------------------------

From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: Cipher design a fading field?
Date: Mon, 05 Jun 2000 07:11:46 GMT

Mok-Kong Shen wrote:
> 
> John Savard wrote:
> 
> > "Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote, in part:
> >
> > >(a) It has not been demonstrated that a group of amateurs can
> > >in fact design a truly "strong" cipher.
> >
> > I wouldn't want to try decrypting something enciphered using
> > Blowfish.
> >
> > But you are right, although what 'has not been demonstrated' is very
> > nearly inherently impossible to demonstrate.
> 
> I think that the question is ill-defined and can't be properly argued.

I agree.  It's impossible to show that any cipher is a ''truly "strong"
cipher.''  It is only possible to show that a cipher is weak.

> In fact, if an amateur succeeds to design a strong cipher (we put
> aside the issue of 'strong'), then he is thereafter counted as a
> professional. Thus the proposition that no amateur has designed a
> strong cipher is sort of tautology.

It isn't *designing* a strong cipher that gets one considered a
professional, it's discovering and publishing a previously-unknown
'break' in an existing well-known cipher.

> > >(b) I wish that the amateurs would quit inventing a plethora
> > >of new encryption schemes until they have figured out how to
> > >defeat the existing ones.  This may be relevant to your thesis.
> >
> > But just because _they_ don't know how to crack the existing ones
> > doesn't mean...
> 
> I don't think that there is any professional who has done the
> exercise of cracking all ciphers that exist, before he attains the
> status of being professional.

Heh, "all ciphers that exist" ... there are more new ciphers being
invented all of the time, so of course one isn't expected to be able
to break *all* of them to be a professional...  Just one or two of the
more well-known ciphers, and to publish those findings.

> On the other hand, cryptanalysis knowledge is evidently required for
> a good design.

Not necessarily... it's entirely possible that one could create a strong
cipher with a lot of mathematical knowledge, a little bit of luck, and a
little cleverness.  Of course, unless you are already considered a
professional -- that is, have broken other people's ciphers, and
published those breaks -- it's less likely that anyone will consider
your cipher seriously.

> However, I doubt that cryptanalysis of lots of very old ciphers is
> unconditionally advantageous (from an economical point of view) for
> would-be designers.  For, if too much time is spent on these, one will
> never finish and be able to learn the more modern stuff. (I believe
> that what wtshaw once expressed as 'climbing the fool's hill' is
> related to this issue. BTW, there might be certain people wishing to
> sponsor that sport, because that can be fun.)

How many do you consider "lots of," and what ciphers do you consider
"very old?"  While breaking every pre-existing cipher isn't necessary
to be a professional, it *is* important to understand how 'classical'
ciphers work, and why they are no longer used, so as not to incorporate
the same problems into your own ciphers.
> > >> Will AES be the -final- cipher?
> >
> > >Of course not.  It won't even be the final encipherment
> > >scheme that somebody eventually figures out how to crack.
> >
> > that someone else might not. So, people who want security *now*
> > might well need something that has a chance of being better than
> > what exists.
> 
> For those who are conservative and believe (whether justified or
> not) that they are in need of higher security, the way of multiple
> encryptions is always open.

------------------------------

From: [EMAIL PROTECTED]
Crossposted-To: alt.politics.org.cia,so.culture.nordic,soc.culture.russian
Subject: Re: Actually this person faxed me an article of the U.S. commercial espionage 
in August, 1995 .... good work Tatu Ylonen ... actually I have tried to provide some 
intel in the past ...
Date: Mon, 05 Jun 2000 07:18:27 GMT

 I'm sorry, but compared to the private security firms the government
spies are a joke. Almost all companies around the world are vitally
concerned about the competition. Be assured that the first product
from the production line will be bought and disassembled by your
competitor. And they will stop at nothing to learn your secrets to put
them at an advantage. This is just business.
 The spy agencies are more interested in the big picture. Most of
their information could probably be found in public magazines and
newspapers.
 Don't fear the CIA, FBI, etc.; fear GM and Toyota, Motorola and Sony.
They are far more efficient in their spying.
On Thu, 25 May 2000 19:09:32 GMT, Markku J. Saarelainen
<[EMAIL PROTECTED]> wrote:

>
>
>NOTE: Personally I was aware of the CIA/FBI/NSA espionage specified in
>this article already ..... actually this was around the time, when "M"
>discovered some U.S. gov's business intel spies on the Internet and on
>the cipherpunks (toad.com) mailing etc. lists ....
>
>"Not all good things can be given away for free"
>
> Engineering prize awarded to encryption guru Tatu Ylönen
>
>
>Tekniikan Akateemisten liitto awarded the Finnish engineering prize to
>Licentiate of Technology Tatu Ylönen, 32, for his contributions to the
>development of Internet security. Ylönen received the 100,000-mark prize
>for the SSH software, which encrypts terminal connections.
>
>http://www.helsinginsanomat.fi/uutiset/juttu.asp?
>id=20000525TA16&pvm=20000525
>
>
>
>Sent via Deja.com http://www.deja.com/
>Before you buy.


------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: No-Key Encryption
Date: Mon, 05 Jun 2000 09:45:50 +0200



David Hopwood wrote:

>
> If *, / and \ are binary operators on S, and ^-1 is a unary operator on S
> (written on the right, i.e. as a^-1), then
>
> "/ is a right-inverse to *" means "for all a, b in S: (a * b) / b = a"
> "\ is a left-inverse to *"  means "for all a, b in S: a \ (a * b) = b"
> "^-1 is an inverse to *"    means
>    "there exists I in S such that for all a in S:
>     (a * a^-1 = a^-1 * a = I and I * a = a * I = a)"
>
> (The \ notation isn't particularly standard; I just made up an arbitrary
> symbol for left-inverse.)
>
> If * is associative in S and has an inverse ^-1 according to the above
> definition, then (S, *) is a group; if the group is written multiplicatively,
> then I is normally written as '1' (often in bold to distinguish it from the
> integer 1, if it needs to be distinguished).
>

Sorry for not having expressed myself correctly in my previous post.
My difficulty was not with the standard definitions of inverse,
associativity and commutativity, but the existence of REAL objects
(integers and other commonly known mathematical constructs) that
satisfy what you mentioned in a previous post, namely A\A being
not the same, being dependent on A. Could you please give a
concrete example for that showing A\A as well as A*A? Thanks.

M. K. Shen
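A concrete answer to the request above, as an added example that is not from Hopwood's or Shen's posts: a constructed finite quasigroup on Z_5 with a * b = (2a + b) mod 5, in which left division a\a varies with a while right division a/a does not. The operation, the names star/left_div/right_div and the search-based division are all assumptions of this example.

```python
# Added example (not from the posts above): a finite quasigroup in which a\a
# depends on a.  S = Z_5 and the constructed operation is a * b = (2a + b) mod 5.
# Every row and column of its table is a permutation, so "\" and "/" exist,
# but * is not associative and has no identity, so "^-1" in Hopwood's sense does not.

N = 5

def star(a, b):
    """The constructed binary operation * on S = Z_5."""
    return (2 * a + b) % N

def left_div(a, c):
    """a \\ c: the unique b with a * b == c, found by search (works for any quasigroup)."""
    sols = [b for b in range(N) if star(a, b) == c]
    assert len(sols) == 1, "not a quasigroup"
    return sols[0]

def right_div(c, b):
    """c / b: the unique a with a * b == c."""
    sols = [a for a in range(N) if star(a, b) == c]
    assert len(sols) == 1, "not a quasigroup"
    return sols[0]

def is_latin_square():
    """True if * has unique left and right division, i.e. (S, *) is a quasigroup."""
    rows = all(sorted(star(a, b) for b in range(N)) == list(range(N)) for a in range(N))
    cols = all(sorted(star(a, b) for a in range(N)) == list(range(N)) for b in range(N))
    return rows and cols

def is_associative():
    """(a*b)*c == a*(b*c) for all a, b, c?  Here 4a+2b+c != 2a+2b+c in general."""
    return all(star(star(a, b), c) == star(a, star(b, c))
               for a in range(N) for b in range(N) for c in range(N))

def diagonal(f):
    """Values f(a, a) for every a in S, showing whether they depend on a."""
    return [f(a, a) for a in range(N)]

def check_inverse_laws():
    """Hopwood's identities: (a*b)/b == a and a\\(a*b) == b for all a, b."""
    return all(right_div(star(a, b), b) == a and left_div(a, star(a, b)) == b
               for a in range(N) for b in range(N))

if __name__ == "__main__":
    print("quasigroup:", is_latin_square(), "associative:", is_associative())
    print("a\\a for a=0..4:", diagonal(left_div))   # [0, 4, 3, 2, 1]: depends on a
    print("a/a for a=0..4:", diagonal(right_div))   # [0, 0, 0, 0, 0]: constant here
    print("a*a for a=0..4:", diagonal(star))        # [0, 3, 1, 4, 2]
```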


------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: RSA Algorithm
Date: Mon, 05 Jun 2000 09:46:08 +0200



tomstd wrote:

> "Joseph Ashwood"<[EMAIL PROTECTED]> wrote:
> >Unfortunately it is completely impossible to create a message
> >that is actually smaller than one with entropy of 1 bit per
> >bit, this is easily proven because by reducing the size of
> >the message the space to hold the entropy must decrease, and
> >hence we lose information. I don't know if in cases where
> >there is less than 1 bit per bit of entropy it would be
> >possible to compress the encrypted data, but if it is
> >possible you will have made significant progress against
> >RSA, because you will have proven with absolute assuredness
> >that RSA is not strong cryptography.
> >                    Joe
>
> That's not true.  If you make a crypto-system where the
> ciphertext is larger than the plaintext the ciphertext will have
> less information than the input (well if you don't count the key
> bits).  That doesn't mean it's insecure, just inefficient.

I guess one could ask the question of whether it is a good idea to do
also a compression 'after' encryption. But is it a common phenomenon
that the RSA outputs can be substantially compressed? That seems
to be rather questionable.

M. K. Shen


------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Cipher design a fading field?
Date: Mon, 05 Jun 2000 09:46:01 +0200



wtshaw wrote:

> "Douglas A. Gwyn"<[EMAIL PROTECTED]> wrote:
> >
> > (a) It has not been demonstrated that a group of amateurs can
> > in fact design a truly "strong" cipher.
>
> Ah..the old problem: What is strength?

This question is virtually in the same category as 'What is truth?'.

> > (b) I wish that the amateurs would quit inventing a plethora
> > of new encryption schemes until they have figured out how to
> > defeat the existing ones.  This may be relevant to your thesis.
> >
> A new cipher each day can clear the palate.

This can't be useful for 'regular traffic', like communications of banks.
That's why one needs standards, like 3DES and AES. But as previously
discussed, one can obtain fairly high diversity/variability to tease the
analyst through multiple encryptions and parametrized ciphers (e.g. AES
with variable number of rounds or variable keys, the implementation of
which is no problem at least in software).

On the other hand, 'a new cipher each day' for such traffic as personal
e-mails will create in short time a diversity far exceeding the biodiversity
in nature. (I don't know whether it is true, but I was told that the
biologists don't yet fully oversee the kingdom of objects of their study.)
Since any one single e-mail has the potential of carrying some highly
delicate stuff, like calls for revolutions as well as scandalous expressions
of affection of unlawful couples, which the dutiful and morally impeccable
top politicians must attempt to eradicate, this provides a good foundation
for a bill to build a dozen more Echelons.

M. K. Shen


------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Cipher design a fading field?
Date: Mon, 05 Jun 2000 10:03:22 +0200



Benjamin Goldberg wrote:

> Mok-Kong Shen wrote:
> > However, I doubt that cryptanalysis of lots of very old ciphers is
> > unconditionally advantageous (from an economical point of view) for
> > would-be designers.  For, if too much time is spent on these, one will
> > never finish and be able to learn the more modern stuff. (I believe
> > that what wtshaw once expressed as 'climbing the fool's hill' is
> > related to this issue. BTW, there might be certain people wishing to
> > sponsor that sport, because that can be fun.)
>
> How many do you consider "lots of," and what ciphers do you consider
> "very old?"  While breaking every pre-existing cipher isn't necessary
> to be a professional, it *is* important to understand how 'classical'
> ciphers work, and why they are no longer used, so as not to incorporate
> the same problems into your own ciphers.

For those who like to do lots of such exercises, ACA provides very good
sources for work, if I don't err.

M. K. Shen


------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Faster than light Cryptanalysis
Date: Mon, 05 Jun 2000 10:03:14 +0200



"S. T. L." wrote:

> This is an already-known phenomenon, discussed in Discover magazine.  When a
> wave packet hits a barrier and tunnels through, it is shifted forward but the
> actual speed of the packet is unaffected.  It's a QM "cheat" and GR is
> unaffected, but it may be useful in technology.

I heard the other day a lecture on 'quantized sound'. The lecturer attempted
to establish that sound transmission is also a quantum phenomenon. I guess
there must be some flaws somewhere.

M. K. Shen


------------------------------

From: [EMAIL PROTECTED] (Niklas Frykholm)
Subject: Re: HTML encryption
Date: 5 Jun 2000 07:32:31 GMT

In article <[EMAIL PROTECTED]>, Mark Wooding wrote:
>> The best you can hope to achieve is obscurity. This will probably
>> stop some people, but no one who is serious about stealing your
>> source.
>
>Can you explain to me how this will help?  Why can't I just copy[1] the
>`obscured' text?  Why won't that work just as well?

True, it is simple to make an exact copy of the obscured text, but it
is somewhat harder (though not for someone who knows her way about these
things) to modify the content, for example replacing the author's
name with your own or the company name with your own company's.

>[1] I object to the word `steal' here.

Yes, it can be questioned whether a web page design can ever be
original enough to qualify as a work of art and be protected by
copyright laws. (The text on the page can of course, but the
HTML tags...?)

// Niklas

------------------------------

From: [EMAIL PROTECTED] (Niklas Frykholm)
Subject: Re: TC3 Update
Date: 5 Jun 2000 08:06:52 GMT

In article <[EMAIL PROTECTED]>, Mark Wooding wrote:

>The integer 4 is not an element of GF(2^3) = GF(8).  There is a
>`natural' mapping N between Z_{p^n} and GF(p^n) represented by

[...lengthy computation...]

>Bingo!  (Phew!  I need a program to do this for me.)

I have written a Python module... it is quite simple to work with:

>>> from GF import *
>>> g = GF(2,3)
>>> print g.irreducible
x^3 + x + 1
>>> print g.generator
x
>>> c = GFLogarithm(g, 4)
>>> print c
a^4
>>> print c.to_poly()
x^2 + x
>>> cinv = 1/c
>>> print cinv
a^3
>>> print cinv.to_poly()
x + 1
>>> print c * cinv
a^0
>>> print (x*y).to_poly()
1

Mail me if you want a copy.

// Niklas
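The same arithmetic as an added example, not Niklas Frykholm's GF module: exp/log tables for GF(2^3) built from the irreducible polynomial x^3 + x + 1 with generator x, reproducing the values in the session above (a^4 = x^2 + x, its inverse a^3 = x + 1). The bit-string element encoding, MODULUS and the function names are assumptions of this example.

```python
# Added example (not the GF module from the post): GF(2^3) via exp/log tables.
# Elements are bit strings: bit i is the coefficient of x^i, so 0b110 is x^2 + x.
# This is the same log-table technique used for GF(2^8) arithmetic in AES code.

MODULUS = 0b1011            # x^3 + x + 1, irreducible over GF(2)
DEGREE = 3
ORDER = (1 << DEGREE) - 1   # 7 non-zero elements, a^0 .. a^6

def xtime(v):
    """Multiply a field element by x and reduce modulo x^3 + x + 1."""
    v <<= 1
    if v & (1 << DEGREE):
        v ^= MODULUS
    return v

def build_tables():
    """EXP[k] = x^k as a bit string; LOG[v] = k with x^k == v (v != 0)."""
    exp, log = [0] * ORDER, {}
    v = 1
    for k in range(ORDER):
        exp[k] = v
        log[v] = k
        v = xtime(v)
    assert v == 1, "x is not a generator for this modulus"   # x^7 == 1
    return exp, log

EXP, LOG = build_tables()   # EXP == [1, 2, 4, 3, 6, 7, 5]

def to_poly(v):
    """Render a bit-string element as a polynomial in x, e.g. 0b110 -> 'x^2 + x'."""
    terms = []
    for i in range(DEGREE - 1, -1, -1):
        if v >> i & 1:
            terms.append({0: "1", 1: "x"}.get(i, f"x^{i}"))
    return " + ".join(terms) or "0"

def mul(u, v):
    """Multiply via logarithms: a^i * a^j = a^((i + j) mod 7); zero has no log."""
    if u == 0 or v == 0:
        return 0
    return EXP[(LOG[u] + LOG[v]) % ORDER]

def inv(v):
    """Inverse of a non-zero element: a^i -> a^(7 - i)."""
    if v == 0:
        raise ZeroDivisionError("0 has no inverse in GF(8)")
    return EXP[(-LOG[v]) % ORDER]

def mul_schoolbook(u, v):
    """Shift-and-add multiplication with reduction, to cross-check the table method."""
    acc = 0
    while v:
        if v & 1:
            acc ^= u
        u, v = xtime(u), v >> 1
    return acc

if __name__ == "__main__":
    c = EXP[4]
    print("a^4 =", to_poly(c))                                  # x^2 + x
    print("1/a^4 = a^%d =" % LOG[inv(c)], to_poly(inv(c)))      # a^3 = x + 1
    print("a^4 * a^3 =", to_poly(mul(c, inv(c))))               # 1
```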

------------------------------

From: Robin Chapman <[EMAIL PROTECTED]>
Crossposted-To: sci.math
Subject: Re: An interesting page on the Rabin-Miller PP test
Date: Mon, 05 Jun 2000 08:03:22 GMT

In article <393b2fa0$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (Andrew John Walker) wrote:
> Recently I stumbled across an interesting page at
> http://www.geocities.com/SiliconValley/Network/2811/primes/higgins.htm
>
> This paper deals with the number of non-witnesses to a composite number
> n using the Rabin-Miller test.
>
> For a number n=p*q, p and q distinct primes, they conjecture
> that the number of non-witnesses is a function of
> d=gcd(p-1,q-1)
> and that if d=2^t*r (r odd)
> then the number of non-witnesses is equal to
> r^2*(2+(4^t-4)/3)
>
> Does anyone know
> a) if these results have been proved
> b) if they have been extended to other forms of composite numbers?

I don't know if this has been proved in the literature, but it's
very easy to prove, so I expect it has.

If a is a non-witness then a^{pq-1} = 1 (mod p), but as a^p = a
(mod p) this gives a^{q-1} = 1 (mod p). Since a^{p-1} = 1 (mod p)
we conclude that a^d = 1 (mod p). Similarly a^d = 1 (mod q).
Thus a^d = 1 (mod pq). The solutions to this congruence
form, by the Chinese remainder theorem, a group G isomorphic
to (Z/dZ)^2.

Now G is isomorphic to (Z/rZ)^2 x (Z/2^t Z)^2. The Miller-Rabin test
uses the largest odd factor s of pq - 1, it calculates a^s then
repeatedly squares this modulo pq. Now t is a factor of s so the
first step essentially projects G onto its subgroup G_1 of elements
b with b^{2^t} = 1 (mod pq). That is for each element b of G_1
there are r^2 elements b with a^s = b (mod pq). Consider b in G_1.
Then b is a non-witness if b has the same order modulo p and modulo q.
There is 1 element of order 1 mod p and mod q,
there is 1 element of order 2 mod p and mod q,
there are 2^2 elements of order 2^2 mod p and mod q, (if 2^2 divides d)
there are 2^4 elements of order 2^3 mod p and mod q, (if 2^3 divides d)
etc.
The number of b giving non-witnesses is thus
1 + 1 + 4 + 4^2 + ... + 4^{t-1} = 1 + (4^t - 1)/3 = (4^t + 2)/3
and so the number of non-witnesses is r^2 (4^t + 2)/3.

--
Robin Chapman, http://www.maths.ex.ac.uk/~rjc/rjc.html
 "`The twenty-first century didn't begin until a minute
  past midnight January first 2001.'"
   John Brunner, _Stand on Zanzibar_ (1968)


Sent via Deja.com http://www.deja.com/
Before you buy.
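The count derived above, as an added example that is not part of Chapman's post: a brute-force Miller-Rabin non-witness counter checked against the closed form r^2 (4^t + 2)/3 for every semiprime p*q below a small limit. The function names and the trial-division primality helper are assumptions of this example.

```python
# Added example (not from the post): count Miller-Rabin non-witnesses (strong
# liars) of an odd composite n by brute force and compare with the formula
# r^2 (4^t + 2)/3 for n = p*q, where gcd(p-1, q-1) = 2^t * r with r odd.
from math import gcd

def is_non_witness(a, n):
    """True if base a passes the Miller-Rabin test for odd n (a strong liar when n is composite)."""
    s, nu = n - 1, 0
    while s % 2 == 0:          # n - 1 = 2^nu * s with s odd
        s //= 2
        nu += 1
    x = pow(a, s, n)
    if x == 1 or x == n - 1:
        return True
    for _ in range(nu - 1):    # square up to nu-1 more times looking for -1
        x = x * x % n
        if x == n - 1:
            return True
    return False

def count_non_witnesses(n):
    """Number of a in [1, n-1] that are non-witnesses for n (brute force)."""
    return sum(1 for a in range(1, n) if is_non_witness(a, n))

def chapman_formula(p, q):
    """r^2 (4^t + 2)/3 with gcd(p-1, q-1) = 2^t * r, r odd, for distinct odd primes p, q."""
    d = gcd(p - 1, q - 1)
    t = 0
    while d % 2 == 0:
        d //= 2
        t += 1
    r = d
    return r * r * (4 ** t + 2) // 3

def is_prime(n):
    """Trial division; only needed to enumerate small primes for the check."""
    return n > 1 and all(n % k for k in range(2, int(n ** 0.5) + 1))

def check_semiprimes(limit):
    """Compare brute force and formula for every p*q with p < q odd primes below limit.
    Returns the (p, q, counted, formula) tuples that disagree; expected to be empty."""
    primes = [k for k in range(3, limit) if is_prime(k)]
    bad = []
    for i, p in enumerate(primes):
        for q in primes[i + 1:]:
            got, want = count_non_witnesses(p * q), chapman_formula(p, q)
            if got != want:
                bad.append((p, q, got, want))
    return bad

if __name__ == "__main__":
    for p, q in [(3, 5), (5, 13), (7, 13), (37, 73)]:
        print(p * q, count_non_witnesses(p * q), chapman_formula(p, q))
    print("mismatches below 60:", check_semiprimes(60))
```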

------------------------------

From: Wei Dai <[EMAIL PROTECTED]>
Subject: Re: XTR independent benchmarks
Date: Mon, 5 Jun 2000 01:45:58 -0700

In article <8hfbe6$r3o$[EMAIL PROTECTED]>, 
[EMAIL PROTECTED] says...
> In article <[EMAIL PROTECTED]>,
> Wei Dai  <[EMAIL PROTECTED]> wrote:
> > RSA 1024 Encryption              0.57
> > RSA 1024 Decryption             19.44 (40)
> > XTR-DH 342 Agreement            62.63
> > DH 1024 Agreement               10.53
> > LUCDIF 1024 Agreement           27.16
> > EC over GF(p) 168 DHC Agreement 14.18
> 
> So XTR is -- in this implementation, and if we ignore keypair generation
> times -- substantially slower than all the usual competitors?  Did I misread
> this chart?

It looks like you're comparing the wrong security levels together. These have 
comparable security (confusing isn't it):

RSA 1024 Encryption              0.57
RSA 1024 Decryption             19.44 (40)
XTR-DH 171 Agreement            17.20*
DH 1024 Agreement               10.53*
LUCDIF 512 Agreement             6.96*
EC over GF(p) 168 DHC Agreement 14.18*

*Includes key validation or co-factor multiplication.

> Does the following summary of XTR advantages and disadvantages look right?
>  + Pro: low-bandwidth, like ECC
>  + Small pro: relatively fast keypair generation
>    (but this is probably less important, except where you want forward secrecy)
>  - Con: it's slow
> Did I miss something, or does that seem about right?

The situation is a bit complicated. XTR offers:

+ low-bandwidth, but not as low as ECC
+ fast parameter generation
+ fast key-pair generation without precomputation
- can't take advantage of precomputation
- slow key validation

Instead of a clear win, XTR presents us with a different point in the tradeoff 
space between bandwidth, parameter generation time, key-pair generation time, 
key agreement time, key validation time, and key-pair generation with 
precomputation time. It's closest to LUCDIF in this space, compared to which it 
has:

+ somewhat lower bandwidth (512 vs 342 bits)
+ faster parameter generation
+- may be somewhat faster or slower key-pair generation and key agreement 
depending on optimization choices
+- neither can take advantage of precomputation
- slower key validation

All this is probably irrelevant because the differences are just not great 
enough to matter. People are either going to use ECC when bandwidth is 
important, or DH over GF(p) when it's not.

-- 
cryptopp.com - a free C++ class library of cryptographic schemes

------------------------------

From: [EMAIL PROTECTED] (David Formosa (aka ? the Platypus))
Subject: Re: Newcomer seeks clarification re download encryption
Date: 5 Jun 2000 08:40:54 GMT
Reply-To: dformosa@[202.7.69.25]

On 4 Jun 2000 16:46:46 GMT, Mark Wooding <[EMAIL PROTECTED]> wrote:

[...]

>The user's machine must be able to read the data in order to display
>it.  If it can read the data, it can also store it for later.
>
>Trivial attacks: grab the text off the screen as an image; type it all
>in again.  There is nothing at all you can do, while the user still has
>control over the computer.  (And I for one won't use a computer which
>doesn't give me that control.)

Non-trivial attacks: set up a wrapping tool that traces calls to
libraries and the OS.  Use it to fake the entries that the system is
looking for.

-- 
Please excuse my spelling as I suffer from agraphia. See
http://dformosa.zeta.org.au/~dformosa/Spelling.html to find out more.
Interested in drawing platypie for money?  Email me.
Crack my Hash win$200 http://dformosa.zeta.org.au/~dformosa/PlatyMAC.txt

------------------------------

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: HTML encryption
Date: 5 Jun 2000 08:47:05 GMT

Niklas Frykholm <[EMAIL PROTECTED]> wrote:
> In article <[EMAIL PROTECTED]>, Mark Wooding wrote:
> >[1] I object to the word `steal' here.
> 
> Yes, it can be questioned whether a web page design can ever be
> original enough to qualify as a work of art and be protected by
> copyright laws. (The text on the page can of course, but the
> HTML tags...?)

Actually, the objection is based around the concept that, if I steal
something from you, you don't have it any more.  If I copy something,
then we both have one, and you've lost nothing.  Governments, for some
reason, insist that you should now have something extra, but I don't see
that not-giving-someone-something is the same as taking-something-from-
someone.

-- [mdw]

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
