Cryptography-Digest Digest #519, Volume #13      Sun, 21 Jan 01 22:13:01 EST

Contents:
  Re: Comparison of ECDLP vs. DLP (Paul Rubin)
  Re: Comparison of ECDLP vs. DLP (Splaat23)
  Re: Kooks (was: NSA and Linux Security) (digiboy | marcus)
  Fitting Dynamic Transposition into a Binary World (John Savard)
  Re: Kooks (was: NSA and Linux Security) ([EMAIL PROTECTED])
  Re: stegonographic overuse (Niels Provos)
  Re: Differential Analysis (Benjamin Goldberg)
  Re: Kooks (was: NSA and Linux Security) ([EMAIL PROTECTED])
  Re: FAQ (Dido Sevilla)
  Re: Fitting Dynamic Transposition into a Binary World (John Savard)
  Re: Differential Analysis (Tom St Denis)
  Re: cryptographic tourism in Russia (Dido Sevilla)

----------------------------------------------------------------------------

From: Paul Rubin <[EMAIL PROTECTED]>
Subject: Re: Comparison of ECDLP vs. DLP
Date: 21 Jan 2001 17:10:26 -0800

[EMAIL PROTECTED] (DJohn37050) writes:
> As I have said previously in this thread, there are RNG statistical
> tests to check for RNG failure.  So there are ways to address the
> fear of low-entropy keys.

Really, statistical tests can only detect catastrophic RNG failures.  They
won't detect a simply poorly seeded RNG.

------------------------------

From: Splaat23 <[EMAIL PROTECTED]>
Subject: Re: Comparison of ECDLP vs. DLP
Date: Mon, 22 Jan 2001 01:13:15 GMT

You put _way_ too much faith in RNG statistical tests. Yes, it would
detect a catastrophic RNG failure, but anything less would remain
undetected.

Low-entropy keys generated by a lousy, but still functioning RNG are a
real concern and completely undetectable. First off, a low-entropy key
is undetectable to others without actively trying to attack the RNG,
which is time-consuming and not always successful. Even given the
output of a user's RNG, you will still have to attack the RNG to prove
it is low-entropy.

Just imagine that you use any CSPRNG, but you take the key and restrict
it to values 0-100. The output will pass every known general-purpose
statistical test. It is good output, usable by everyone in the world as
a source of random numbers EXCEPT for crypto. The output can be
predicted. That is the final qualifier for a PRNG to be used in crypto.
Almost as important as being randomly distributed is being
unpredictable, and just as there is no general-purpose block cipher
attack program, there is no general-purpose CSPRNG attack program. No
FIPS named, NSA approved, NIST sanctioned test will solve this problem.

In article <[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (DJohn37050) wrote:
> As I have said previously in this thread, there are RNG statistical tests to
> check for RNG failure.  So there are ways to address the fear of low-entropy
> keys.
> Don Johnson
>


Sent via Deja.com
http://www.deja.com/
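
Added example (not part of the original posts): the scenario described above, with SHA-256 in counter mode as an assumed stand-in for "any CSPRNG" and the monobit and poker tests with the FIPS 140-1 bounds as the statistical checks. All function names are illustrative.

```python
import hashlib

SEED_SPACE = range(101)   # the post's "restrict it to values 0-100"

def stream(seed, nbytes):
    """Constructed generator: SHA-256 in counter mode, keyed only by seed."""
    out, counter = bytearray(), 0
    while len(out) < nbytes:
        block = seed.to_bytes(16, "big") + counter.to_bytes(8, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return bytes(out[:nbytes])

def monobit_ok(sample):
    """Monobit test on 20,000 bits: the count of ones must sit near 10,000."""
    ones = sum(bin(b).count("1") for b in sample)
    return 9654 < ones < 10346

def poker_ok(sample):
    """Poker test: chi-square statistic over the 5,000 four-bit nibbles."""
    counts = [0] * 16
    for b in sample:
        counts[b >> 4] += 1
        counts[b & 15] += 1
    x = (16 / 5000) * sum(c * c for c in counts) - 5000
    return 1.03 < x < 57.4

def passes_statistical_tests(sample):
    if len(sample) != 2500:
        raise ValueError("both tests are defined on exactly 20,000 bits")
    return monobit_ok(sample) and poker_ok(sample)

def recover_seed(observed):
    """Audit check: can the seed be found by trying every possible value?"""
    for seed in SEED_SPACE:
        if stream(seed, len(observed)) == observed:
            return seed
    return None

def audit(seed):
    """Return (output passes the tests, the output that follows was predicted)."""
    full = stream(seed, 2500 + 32)
    guess = recover_seed(full[:16])           # 16 observed bytes are enough
    predicted = guess is not None and stream(guess, 2532)[2500:] == full[2500:]
    return passes_statistical_tests(full[:2500]), predicted

if __name__ == "__main__":
    print(audit(42))
```

The statistical tests look only at the output distribution, so they report the same result whether the seed came from 101 values or from 2^128; the size of the seed space has to be reviewed at the seeding code itself.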

------------------------------

From: digiboy | marcus <[EMAIL PROTECTED]>
Subject: Re: Kooks (was: NSA and Linux Security)
Date: Mon, 22 Jan 2001 01:22:02 GMT

In article <94fum5$c4f$[EMAIL PROTECTED]>,
  Greggy <[EMAIL PROTECTED]> wrote:

> I notice that you continue to snip the points you cannot refute which
> really drive the issue home, and instead attack the messenger...

Your post wasn't in response to me, so why should I quote any of it,
let alone all of it?

--
[ marcus ] [ http://www.cybergoth.cjb.net ]
[ ---- http://www.ninjakitten.net/digiboy ]



------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Fitting Dynamic Transposition into a Binary World
Date: Mon, 22 Jan 2001 01:11:58 GMT

Well, I noted that the chief problem with Dynamic Transposition is its
bandwidth cost, and that has started me thinking of ways to avoid that
cost.

As I noted, there are 252 balanced strings of 10 bits, as against 256
arbitrary strings of 8 bits.

Because the number of balanced strings, as one increases the length of
a string by 2 bits, increases by a factor that is just under 4, one
has to go quite a way to find other good coincidences.

2^160 equals
1461501637330902918203684832716283019655932542976

and the number of 164-bit balanced strings is
1454706556296192477283016662986999417820887445240

so one way to use Dynamic Transposition on arbitrary binary sequences
would be to have a coding for 160-bit arbitrary sequences into 164-bit
balanced sequences.

Some sequences of 160 bits wouldn't have an equivalent, and so would
have to be converted to something else; either to shorter balanced
sequences, which could also be enciphered by Dynamic Transposition, or
to some other kind of object to be enciphered in another way.

A somewhat fancier possibility would allow at least some binary
sequences to be enciphered directly.

There are
 1532495540865888858358347027150309183618739122183602176
possible strings of 180 bits.

Of these,
   91012248672832285155575331798825309656983959185522800
contain the same number of ones and zeroes,

leaving
 1532495540865888858358347027150309183618739122183602176
 - 91012248672832285155575331798825309656983959185522800
 -------------------------------------------------------
 1441483292193056532202771695351483873961755162998079376
strings of 180 bits that do not contain the same number of ones and
zeroes.

And, as it happens, there are
 1440324277491745714862934407631385920577295594888710800
strings of 184 bits that contain the same number of ones and zeroes.

So at this point, we can do the following:

1) Take string of 180 bits to encrypt.

2) Is it balanced?
YES: encipher directly using Dynamic Transposition.
NO: continue

3) Attempt to code it to a balanced string 184 bits long. Does it have
an equivalent in this form?
YES: encipher equivalent using Dynamic Transposition.
NO: continue

and then find some suitable coding again for the leftovers.

Of course, this kind of begs the question of how to devise an
efficient coding for arbitrary strings into balanced strings. From
arbitrary binary strings, one could use a simple numeration of
balanced strings...

00000000 = 0000011111
00000001 = 0000101111
00000010 = 0000110111
00000011 = 0000111011
...
11111011 = 1111100000
11111100 ... coded to something else

and maybe there *might* be a simple algorithm to do this for strings
too large to put in a table

but my second idea, coding unbalanced strings to balanced ones, seems
less likely to be workable. Of course, if an algorithm _did_ exist, it
would produce a nicely weird mathematical structure.

Since the ratio between successive numbers of balanced blocks is just
slightly less than 4, one could perhaps use Dynamic Transposition 'all
the way down' if one allowed leftovers to be coded as a balanced block
plus a single symbol from an alphabet of 2 or 3 symbols - this single
symbol to be enciphered somehow based on a function of the whole
balanced block between its two transpositions.

But eventually we would get to areas where only a small number of
leftovers remained, and the division into groups by whatever coding we
used to make balanced blocks out of arbitrary blocks wouldn't be
blurred. So we would still have to do a conventional encipherment of
blocks before and after doing Dynamic Transposition in this case -
that isn't Terry Ritter's fault, it's the fault of the debasement I've
applied to his method to make it fit the binary world. Note that
Rijndael happens to be, handily, available in a 160-bit block size!

Ah, well, at least we are having some lucky mathematical coincidences
here.

John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm
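
Added example (not from the original post): enumerative coding with binomial coefficients is one way to produce the numbering in the table above without storing a table, and the same counts give an index among the unbalanced strings for step 3. This goes beyond the post, which leaves both codings open; the function names are illustrative.

```python
from math import comb

def unrank_balanced(index, n):
    """index-th n-bit string (lexicographic order) holding exactly n/2 ones."""
    k = n // 2
    if not 0 <= index < comb(n, k):
        raise ValueError("index has no balanced equivalent at this length")
    out = []
    for r in range(n, 0, -1):           # r = positions still to fill
        zero_here = comb(r - 1, k)      # balanced completions with a 0 here
        if index < zero_here:
            out.append("0")
        else:
            index -= zero_here
            out.append("1")
            k -= 1
    return "".join(out)

def count_balanced_below(bits):
    """Balanced strings sorting before bits; this is the rank if bits is balanced."""
    k, count = len(bits) // 2, 0
    for i, b in enumerate(bits):
        if b == "1":
            count += comb(len(bits) - i - 1, k)
            k -= 1
            if k < 0:                   # prefix already holds too many ones
                break
    return count

def is_balanced(bits):
    return 2 * bits.count("1") == len(bits)

def encode_block(bits, out_len):
    """Steps 1-3 of the post: direct, coded to out_len balanced bits, or leftover."""
    if is_balanced(bits):
        return "direct", bits
    idx = int(bits, 2) - count_balanced_below(bits)   # rank among unbalanced strings
    cap = comb(out_len, out_len // 2)
    if idx < cap:
        return "coded", unrank_balanced(idx, out_len)
    return "leftover", idx - cap

def decode_block(kind, payload, n):
    """Invert encode_block for the 'direct' and 'coded' cases."""
    if kind == "direct":
        return payload
    idx, lo, hi = count_balanced_below(payload), 0, 2 ** n - 1
    while lo < hi:                      # largest v with (v - balanced below v) <= idx
        mid = (lo + hi + 1) // 2
        if mid - count_balanced_below(format(mid, f"0{n}b")) <= idx:
            lo = mid
        else:
            hi = mid - 1
    return format(lo, f"0{n}b")

if __name__ == "__main__":
    for v in (0, 1, 2, 3, 251):         # the 8-bit to 10-bit table in the post
        print(format(v, "08b"), "=", unrank_balanced(v, 10))
    print(encode_block("0" * 180, 184)[0], encode_block("1" * 180, 184)[0])
```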

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Kooks (was: NSA and Linux Security)
Date: Mon, 22 Jan 2001 01:34:43 GMT

In article <94fum5$c4f$[EMAIL PROTECTED]>,
  Greggy <[EMAIL PROTECTED]> wrote:
> In article <94ej9t$al5$[EMAIL PROTECTED]>,
>   digiboy | marcus <[EMAIL PROTECTED]> wrote:
> > In article <94e1fj$u6l$[EMAIL PROTECTED]>,
> >   Greggy <[EMAIL PROTECTED]> wrote:
> >
> > > Give it a rest, will you?
> >
> > Why do you end off each of your posts with such an idiotic line as
> > such? And isn't it questionable as to the relevance this all has with
> > cryptography now? You've managed to drag it _completely_ away from
> > anything relevant, into kookville.
>
> I notice that you continue to snip the points you cannot refute which
> really drive the issue home, and instead attack the messenger...

Says Greggy, who is now desperately trying to ignore and/or snip all of
the evidence that his claims about the "missing 13th amendment" are
delusions without a shred of supporting evidence.

> Jol Silversmith - I wasn't there so I cannot say why no one
> protested within the Virginian legislature that day in 1819
> not to include the 13th amendment in their publications, or to
> require all 21 states to ratify the same.  But I am absolutely
> certain I know more than they did back then what was really
> going on all around them.         Boy, I'm good!

Greggy - I wasn't there and never cite any evidence so I cannot say
why I know that the inclusion of an unratified amendment in a
compilation of state law only could have been an attempt to ratify
it, or why I know that 19th century legislators were infallible, much
less why I lie about whether the authenticity of the "missing 13th
amendment" was ever questioned.  But I am absolutely certain that
I know more than anyone who has actually researched the subject.
Boy I'm good!

And Greggy, you still haven't said if you are still such a kook as to
believe that the "missing 13th amendment"

        "if it was truly ratified, then the Honorable William Jefferson
        Clinton cannot be president, that every congressman and
        senator (who also hold the title, the Honorable- see their
        letter heads) are not allowed to hold office, and every judge
        and lawyer cannot operate in the US."

--Greggy, 12/19/99




------------------------------

From: [EMAIL PROTECTED] (Niels Provos)
Subject: Re: stegonographic overuse
Date: 22 Jan 2001 01:40:48 GMT

On Sat, 26 Aug 2000 13:41:38 GMT, John Savard wrote:
>Although I had heard of watermark methods claimed to work on .jpg
>images, I have now learned more about the methods that work with this
>format: actually adding the hidden information to the image after
>compression is possible, for example.
One such program is OutGuess, http://www.outguess.org/

I wrote it a while ago.  It uses the least significant bits of the
quantized DCT coefficients.  I am about to release a new version
which will address how to fool the current steganalysis methods.

-- 
Niels Provos <[EMAIL PROTECTED]> finger [EMAIL PROTECTED] for pgp info
        "Gravity is the soul of weight." - Anonymous.

------------------------------

From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: Differential Analysis
Date: Mon, 22 Jan 2001 01:44:26 GMT

David Thompson wrote:
> 
> Tom St Denis <[EMAIL PROTECTED]> wrote :
[snip]

> More substantively, unless I misunderstand,
> you want to tabulate output difference
> versus input difference.  That would be
>   ++table[x^y][sbox[x]^sbox[y]]
> if x and y are the two inputs, or
>   ++table[x][sbox[y]^sbox[y^x]]
> if y is one input and x the input difference.
> This is not the same as either your code
> or Benjamin's as posted.

Actually, I did have it right...
See: <news:[EMAIL PROTECTED]>

Tom quotes me:
> I have something which is equivalent to:
>       ++table[x][sbox[x]^sbox[x^y]];
And then he replies:
> Your second line here is still WRONG.  You have to use [x^y] in the
> first index.

Which would make it
        ++table[x^y][sbox[x]^sbox[x^y]];
which as any test implementation shows, is quite wrong.

-- 
Most scientific innovations do not begin with "Eureka!"  They begin with
"That's odd.  I wonder why that happened?"

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Kooks (was: NSA and Linux Security)
Date: Mon, 22 Jan 2001 01:52:19 GMT

In article <94fv5g$cha$[EMAIL PROTECTED]>,
  Greggy <[EMAIL PROTECTED]> wrote:

> You would have us believe entire legislative bodies voted on something
> that they were all entirely ignorant of.

Which happened in the 19th century, and still happens today.  Indeed,
you're the one who normally wails on and on about how the government is
incompetent, Greggy.

        in the early 19th century, "precise knowledge [about the
        Constitution] simply was not common.

--thirdamendment.com

> You would have us believe that the president made a major blunder and
> not one official around him corrected him.

Repeating lies won't make them become true Greggy.  First:

        After the amendment ... appeared in copies of the
        Constitution printed for members of the Fifteenth
        Congress, Republican Representative Weldon Nathaniel
        Edwards of North Carolina proposed a resolution on
        December 31, 1817 to ask President Monroe to provide
        the House of Representatives with information as to
        "the number of States which have ratified the 13th
        article of the amendments . . . ." The resolution was
        approved without opposition. Monroe's response,
        incorporating the information gathered by John Quincy
        Adams, was that TONA had not become part of the
        Constitution.

--thirdamendment.com

Second:

        on December 2, 1817, John Quincy Adams wrote to Charles
        Nicholas Buck of Philadelphia to inform him that TONA
        would strip him of his citizenship and right to hold
        public office if he accepted an appointment as the Consul
        General in the United States of the Imperial City of Hamburg.
        National Archives, 17 Domestic Letters of the Dept. of State
        93-94 (1943). In a subsequent letter to Buck on March 21,
        1818, Adams retracted the claim that TONA had been ratified

--thirdamendment.com

> You would have us believe that the four new states saw it fit not to
> speak up and demand a voice in the matter.

Precisely.  It wasn't unprecedented; Tennessee was offered an opportunity
to vote on the 11th Amendment but didn't act on it.

        On March 2, 1797, before the Eleventh Amendment was known
        to have become part of the Constitution, Congress passed
        a resolution requesting the President to obtain information
        from states about what action they had taken on the
        amendment, including Tennessee, which had not been part of
        the Union when the amendment was proposed. On October 16,
        1797, Secretary of State Timothy Pickering wrote to
        Tennessee Governor John Sevier, enclosing a copy of the
        Eleventh Amendment. Pickering stated that he thought it
        "expedient to transmit . . . a copy of the resolution, to
        be laid before the legislature of Tennessee, for their
        adoption or rejection.

--thirdamendment.com

> You would have us believe you know more about their circumstances than
> they did back then.

Precisely.  We have access to collections of documents that were
hard to find or unavailable in an era of poor communication.

        in the late eighteenth and early nineteenth centuries,
        there was frequent confusion about whether proposed
        amendments had become part of the Constitution. "At that
        time no legal procedure existed to control the communication
        of action by States to the Federal Government. . . .
        Uncertainty as to the status of [TONA] continued for eight
        years." The Eleventh Amendment became effective on February
        7, 1795, but was not acknowledged by President John Adams as
        being in effect until January 8, 1798. Similarly, President
        Thomas Jefferson's Secretary of State, James Madison, did
        not declare the Twelfth Amendment in effect until more than
        three months after it became part of the Constitution. Even
        in 1845, the editors of United States Statutes at Large were
        unsure exactly when the Eleventh and Twelfth Amendments had
        been ratified.

--thirdamendment.com

and indeed, the Internet in particular has made it easier than ever
before to debunk kooks like you.

> What can one say to such arrogance?  Let others decide between us.

They already have, and also have posted to note that you are a kook.

> Jol Silversmith - I wasn't there so I cannot say why no one
> protested within the Virginian legislature that day in 1819
> not to include the 13th amendment in their publications, or to
> require all 21 states to ratify the same.  But I am absolutely
> certain I know more than they did back then what was really
> going on all around them.         Boy, I'm good!

Greggy - I wasn't there and never cite any evidence so I cannot say
why I know that the inclusion of an unratified amendment in a
compilation of state law only could have been an attempt to ratify
it, or why I know that 19th century legislators were infallible, much
less why I lie about whether the authenticity of the "missing 13th
amendment" was ever questioned.  But I am absolutely certain that
I know more than anyone who has actually researched the subject.
Boy I'm good!

And Greggy, you still haven't said if you are still such a kook as to
believe that the "missing 13th amendment"

        "if it was truly ratified, then the Honorable William Jefferson
        Clinton cannot be president, that every congressman and
        senator (who also hold the title, the Honorable- see their
        letter heads) are not allowed to hold office, and every judge
        and lawyer cannot operate in the US."

--Greggy, 12/19/99




------------------------------

From: Dido Sevilla <[EMAIL PROTECTED]>
Subject: Re: FAQ
Date: Mon, 22 Jan 2001 10:19:42 +0800

Alessandro Vanzulli wrote:
> 
> Where can I find the FAQ of this newsgroup?
> 

ftp://rtfm.mit.edu/pub/usenet/sci.crypt

Be warned however, that the FAQ is sorely out of date.

--
Rafael R. Sevilla <[EMAIL PROTECTED]>         +63 (2)   4342217
ICSM-F Development Team, UP Diliman             +63 (917) 4458925
OpenPGP Key ID: 0x0E8CE481

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Fitting Dynamic Transposition into a Binary World
Date: Mon, 22 Jan 2001 02:07:24 GMT

On Mon, 22 Jan 2001 01:11:58 GMT, [EMAIL PROTECTED]
(John Savard) wrote, in part:

>Note that
>Rijndael happens to be, handily, available in a 160-bit block size!

Of course, if we do the following:

Rijndael (with fixed key)

fixed mapping to balanced blocks of different sizes

Dynamic Transposition

fixed mapping to arbitrary 160-bit binary blocks

Rijndael (with fixed key)

the result will have the same fundamental weakness as PURPLE, in that
there will be some blocks that only get enciphered to other blocks
from a small group.

While launching a codebook attack against a 160-bit block cipher seems
a bit much, it still seems advisable to include a binary stream cipher
component as well, perhaps before the first mapping and after the
second mapping.

John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Differential Analysis
Date: Mon, 22 Jan 2001 02:36:22 GMT

In article <[EMAIL PROTECTED]>,
  Benjamin Goldberg <[EMAIL PROTECTED]> wrote:
> David Thompson wrote:
> >
> > Tom St Denis <[EMAIL PROTECTED]> wrote :
> [snip]
>
> > More substantively, unless I misunderstand,
> > you want to tabulate output difference
> > versus input difference.  That would be
> >   ++table[x^y][sbox[x]^sbox[y]]
> > if x and y are the two inputs, or
> >   ++table[x][sbox[y]^sbox[y^x]]
> > if y is one input and x the input difference.
> > This is not the same as either your code
> > or Benjamin's as posted.
>
> Actually, I did have it right...
> See: <news:[EMAIL PROTECTED]>
>
> Tom quotes me:
> > I have something which is equivalent to:
> >       ++table[x][sbox[x]^sbox[x^y]];
> And then he replies:
> > Your second line here is still WRONG.  You have to use [x^y] in the
> > first index.
>
> Which would make it
>       ++table[x^y][sbox[x]^sbox[x^y]];
> which as any test implementation shows, is quite wrong.

I already admitted that I posted wrong, stop being an ass by rubbing it in.

Tom

[p.s my sboxgen is in fact correct]

>
> --
> Most scientific innovations do not begin with "Eureka!"  They begin with
> "That's odd.  I wonder why that happened?"
>
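
Added example (not code from any poster in this thread): the two tabulations David Thompson gives, run over a constructed sample 4-bit S-box, next to the [x^y] / sbox[x^y] form quoted above. Names are illustrative.

```python
# Constructed sample: a 4-bit permutation used only to exercise the indexing.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
N = len(SBOX)

def ddt_from_pairs(sbox):
    """++table[x^y][sbox[x]^sbox[y]] with x and y the two inputs."""
    table = [[0] * N for _ in range(N)]
    for x in range(N):
        for y in range(N):
            table[x ^ y][sbox[x] ^ sbox[y]] += 1
    return table

def ddt_from_difference(sbox):
    """++table[x][sbox[y]^sbox[y^x]] with y one input and x the input difference."""
    table = [[0] * N for _ in range(N)]
    for x in range(N):
        for y in range(N):
            table[x][sbox[y] ^ sbox[y ^ x]] += 1
    return table

def disputed_form(sbox):
    """++table[x^y][sbox[x]^sbox[x^y]], the form the thread calls wrong."""
    table = [[0] * N for _ in range(N)]
    for x in range(N):
        for y in range(N):
            table[x ^ y][sbox[x] ^ sbox[x ^ y]] += 1
    return table

if __name__ == "__main__":
    ddt = ddt_from_pairs(SBOX)
    print("forms agree:", ddt == ddt_from_difference(SBOX))
    print("row 0:", ddt[0])                       # zero difference in, zero out
    print("max nontrivial entry:", max(max(row) for row in ddt[1:]))
    print("disputed form, row 1:", disputed_form(SBOX)[1])
```

For a fixed first index d = x^y the last form tabulates sbox[x]^sbox[d] over every x, so for any permutation each cell is 1 and the table says nothing about the S-box.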



------------------------------

From: Dido Sevilla <[EMAIL PROTECTED]>
Subject: Re: cryptographic tourism in Russia
Date: Mon, 22 Jan 2001 10:56:18 +0800

[EMAIL PROTECTED] wrote:
> 
> As a high-tech person interested in cryptography, espionage,
> telecommunications, internet, satellite systems and a related gamut of
> topics, I would like to visit interesting places in Moscow and St Petersburg
> on my impending tourist jaunt there. For instance, visiting buildings that
> were or are, the equivalent of the NSA and GCHQ, or whatever other relevant
> sites. Can readers offer me suggestions ?
> 

The US Government will not even let you visit the NSA; it's even more
doubtful that the Russian Government will allow you to visit GOST.  If
you tried, you might wind up at Lefortovo prison or somewhere similarly
unpleasant!  The KGB may very well be defunct, but Russia is still as
conscious of "national security" as the Soviet Union always was...

--
Rafael R. Sevilla <[EMAIL PROTECTED]>         +63 (2)   4342217
ICSM-F Development Team, UP Diliman             +63 (917) 4458925
OpenPGP Key ID: 0x0E8CE481

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
