Cryptography-Digest Digest #534

2001-06-06 Thread Digestifier

Cryptography-Digest Digest #534, Volume #14   Wed, 6 Jun 01 10:13:01 EDT

Contents:
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: PRP = PRF (TRUNCATE) (Nicol So)
  Re: PRP = PRF (TRUNCATE) (Nicol So)
  Re: function notation (injection, bijection, etc..) one last time ([EMAIL PROTECTED])
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Def'n of bijection (Mok-Kong Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) ([EMAIL PROTECTED])
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Welcoming another Anti-Evidence Eliminator stooge to USENET  (P.(John Myre)
  Re: Are RS codes a type of PRF? (Niels Ferguson)



From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Reply-To: [EMAIL PROTECTED]
Date: Wed, 6 Jun 2001 12:32:18 GMT

Tom St Denis [EMAIL PROTECTED] wrote:
: SCOTT19U.ZIP_GUY [EMAIL PROTECTED] wrote in message
: [EMAIL PROTECTED] (Tom St Denis) wrote in
: SCOTT19U.ZIP_GUY [EMAIL PROTECTED] wrote in message

:   Tell what little get a third party to encrypt using your ctr
: mod a one cipher text output file. I will guess the input. I may
: be wrong. Then you get to guess the input to a one byte output
: file encrypted with BICOM. If you miss I guess again. And we
: keep doing this till one gets it right. I am willing to put
: a thousand bucks on this. On second thought you go first.
: Do you feel secure enough to really bet. I doubt it.

: As long as all messages are uniformly probable you win. [...]

: It's still uniformly distributed... so again I win.

So, would you like to take that bet?  Or not?
-- 
__
 |im |yler  [EMAIL PROTECTED]  Home page: http://alife.co.uk/tim/

--

From: Nicol So [EMAIL PROTECTED]
Subject: Re: PRP = PRF (TRUNCATE)
Date: Wed, 06 Jun 2001 08:48:12 -0400
Reply-To: see.signature

Gregory G Rose wrote:
 
 A PRP (by definition) produces every output value
 in its range once, and only once, if you enumerate
 the possible inputs. Now ignore for a moment that
 a PRF need not have a restricted domain, and
 assume the same set of 2^N inputs (N-bit inputs
 and outputs). Then *on average* each output
 appears once. But if the PRF is for real,
 approximately 1/e of the outputs won't appear at
 all, and some will appear multiple times. (If I
 recall correctly, the number of occurrences of a
 particular value is poisson distributed, but don't
 hold me to that...)
 
 This difference still applies as you truncate the
 output of a PRP. For example, take the silly case
 where you just drop one bit. Now each output value
 appears exactly twice for a PRP, and on average
 twice for a PRF, but sometimes *more* than twice.
 As soon as you notice a value appear three times,
 you know that it was a truncated PRF. Conversely,
 based on the expected distribution of outputs,
 when you have enough inputs and have *not* seen a
 distribution anomaly, you know you were truncating
 a PRP, not a PRF.

What you said is true, but it doesn't mean that you can efficiently tell
whether a truncated PRF is a truncated PRP. If that were possible, you
could turn it into an efficient test for telling whether a PRF is a PRP. 

As you scale up the scheme, it will be more and more difficult to detect
the statistical anomaly caused by collisions in a non-PRF PRP.
Asymptotically, no efficient computer can tell whether a PRF is a PRP
significantly better than blind guessing.

-- 
Nicol So, CISSP // paranoid 'at' engineer 'dot' com
Disclaimer: Views expressed here are casual comments and should
not be relied upon as the basis for decisions of consequence.
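A small simulation of the argument in this exchange, added here as an example and not part of either post: it builds a random permutation and a random function on n bits, drops one output bit from each, and runs the multiplicity check Gregory Rose describes. The 12-bit size and the seeded generator are choices made for the example so that it runs in well under a second.

```python
import random
from collections import Counter


def random_permutation(n_bits, rng):
    """Lookup table of a uniformly random permutation on n_bits-bit values."""
    table = list(range(1 << n_bits))
    rng.shuffle(table)
    return table


def random_function(n_bits, rng):
    """Lookup table of a uniformly random function on n_bits-bit values."""
    size = 1 << n_bits
    return [rng.randrange(size) for _ in range(size)]


def multiplicity_profile(table, drop_bits):
    """Drop drop_bits low output bits, then histogram the multiplicities:
    {k: number of truncated output values hit by exactly k inputs}.
    Values never hit do not appear here (see missing_fraction)."""
    hits = Counter(v >> drop_bits for v in table)
    return Counter(hits.values())


def missing_fraction(table, n_bits):
    """Fraction of the untruncated output space never produced:
    0 for a permutation, about 1/e for a random function."""
    return 1.0 - len(set(table)) / (1 << n_bits)


def looks_like_truncated_prp(table, drop_bits):
    """Gregory Rose's test: after dropping d bits a permutation hits every
    truncated value exactly 2**d times; any other multiplicity rules a
    permutation out."""
    return set(multiplicity_profile(table, drop_bits)) == {1 << drop_bits}


def queries_until_detected(table, drop_bits, rng):
    """Query the truncated oracle on distinct inputs in random order and
    count queries until some truncated value has been seen more than 2**d
    times.  None means the whole domain was exhausted without that event,
    which is what always happens for a permutation."""
    limit = 1 << drop_bits
    seen = Counter()
    order = list(range(len(table)))
    rng.shuffle(order)
    for i, x in enumerate(order, start=1):
        v = table[x] >> drop_bits
        seen[v] += 1
        if seen[v] > limit:
            return i
    return None


def demo(n_bits=12, seed=7):
    """One random permutation and one random function on n_bits bits,
    each truncated by one bit, run through the checks above."""
    rng = random.Random(seed)
    prp = random_permutation(n_bits, rng)
    prf = random_function(n_bits, rng)
    return {
        "prp_profile": dict(multiplicity_profile(prp, 1)),
        "prf_profile": dict(sorted(multiplicity_profile(prf, 1).items())),
        "prp_missing": missing_fraction(prp, n_bits),
        "prf_missing": missing_fraction(prf, n_bits),
        "prp_passes_test": looks_like_truncated_prp(prp, 1),
        "prf_passes_test": looks_like_truncated_prp(prf, 1),
        "prp_queries_to_detect": queries_until_detected(prp, 1, rng),
        "prf_queries_to_detect": queries_until_detected(prf, 1, rng),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run as a script it prints the two profiles. The permutation's is exactly {2: 2048}; the function's contains values hit three, four and more times, roughly 1/e of its untruncated outputs are never produced, and queries_until_detected reports how many oracle queries the anomaly took to show up. Rerunning demo(n_bits=16) shows that count climbing with the block size, which is the scaling point in the reply above: the test is sound, but the number of queries it needs grows birthday-style with the output width, so at a real block size no distinguisher with a bounded query budget gets a useful advantage.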

--

From: Nicol So [EMAIL PROTECTED]
Subject: Re: PRP = PRF (TRUNCATE)
Date: Wed, 06 Jun 2001 08:51:58 -0400
Reply-To: see.signature

Nicol So wrote:
 
 What you said is true, but it doesn't mean that you can efficiently tell
 whether a truncated PRF is a truncated PRP. If that were possible, you
 could turn it into an efficient test for telling whether a PRF is a PRP.
 
 As you scale up the scheme, it will be more and more difficult to detect
 the statistical anomaly caused by collisions in a non-PRF PRP.
^^^

Typo. What I meant was a PRF which is not a permutation.

 Asymptotically, no efficient computer can tell whether a PRF is a PRP
 significantly better than blind guessing.
 
 --
 Nicol So, CISSP // paranoid 'at' engineer 'dot' com
 Disclaimer: Views expressed here are casual comments and should
 not be relied upon as the basis for decisions

Cryptography-Digest Digest #534

2000-08-25 Thread Digestifier

Cryptography-Digest Digest #534, Volume #12  Fri, 25 Aug 00 12:13:00 EDT

Contents:
  Navigator and Internet Explorer SSL X.509 Profile (Klaus Schmeh)
  Re: My encryption algorithm ([EMAIL PROTECTED])
  Re: PGP Bug: IMPORTANT Personal test report (Steven Markowitz)
  Re: "Warn when encrypting to keys with an ADK" (Phil Harrison)
  Re: "Warn when encrypting to keys with an ADK" (S.R. Heller)
  Re: "Warn when encrypting to keys with an ADK" (Ron B.)
  Re: Bytes, octets, chars, and characters (Dan Pop)
  Re: The DeCSS ruling ("Trevor L. Jackson, III")
  Re: PGP Bug: IMPORTANT Personal test report ("Michel Bouissou")
  Re: Asymmetric Encryption Algorithms ("Paul Montgomery")
  Re: My encryption algorithm (jkauffman)
  Re: Bytes, octets, chars, and characters (Guy Macon)
  Re: need help! (John Myre)
  Re: Steganography vs. Security through Obscurity (Guy Macon)
  Re: UNIX Passwords ([EMAIL PROTECTED])
  Re: Bytes, octets, chars, and characters ("Douglas A. Gwyn")
  Re: Asymmetric Encryption Algorithms ([EMAIL PROTECTED])
  Re: Bytes, octets, chars, and characters ("Douglas A. Gwyn")
  Re: My unprovability madness. ("Douglas A. Gwyn")
  Re: Serious PGP v5 & v6 bug! ("Douglas A. Gwyn")
  challange ([EMAIL PROTECTED])
  Re: UNIX Passwords ("Paul Montgomery")
  Re: My encryption algorithm (Mack)
  Re: Bytes, octets, chars, and characters ("Scott Fluhrer")



From: Klaus Schmeh [EMAIL PROTECTED]
Subject: Navigator and Internet Explorer SSL X.509 Profile
Date: Fri, 25 Aug 2000 15:19:33 +0200

Does anybody have detailed information about the X.509 profile the
Internet Explorer and the Netscape Navigator use for the SSL protocol?

Regards

Klaus


--

From: [EMAIL PROTECTED]
Subject: Re: My encryption algorithm
Date: Fri, 25 Aug 2000 13:25:41 GMT

In article 8o4ij6$eub$[EMAIL PROTECTED],
  "Slava K." [EMAIL PROTECTED] wrote:
 I have designed a new encryption algorithm, and would like comments about
 its security. The following is a specification of the algorithm in general
 programming terms. Tell me what you think. Email me your comments
 ([EMAIL PROTECTED]).

 · A password of any size is input (K). If K is of length zero or one,
 an error is reported.
 · A counter N1 is set to the first character of the password. N2 is set to
 the second.
 · The two password characters (respective to N1 and N2; they may be
 converted to integers or bytes if required by the language) are XORed
 together (X).
 · A character is read from the input file (P; this can again be converted
 into an integer or a byte if required) and XORed with X.
 · The result is written to the output file.
 · If N1 equals the size of K, it is set to 1. Otherwise, N1 equals N1 + 1.
 · If N2 equals the size of K, it is set to 1. Otherwise, N2 equals N2 + 1.
 · The process is repeated if there are any characters left to encrypt.


Wow, a modification of a Vigenère cipher (I think).  Righto.

Tom


Sent via Deja.com http://www.deja.com/
Before you buy.
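The cipher exactly as specified in the quoted post, written out as an added example (my code and test strings, not the poster's), together with the checks that back up the "modified Vigenère" verdict above: both counters advance in lockstep and wrap together, so the keystream is K[i] XOR K[i+1] repeated with period len(K), which makes the scheme a repeating-key XOR with a derived key. The post's 1-based counters are kept 0-based here.

```python
from functools import reduce
from operator import xor


def keystream(key: bytes, length: int) -> bytes:
    """Generate `length` keystream bytes by the posted steps.
    N1/N2 are the post's 1-based counters, kept 0-based here."""
    if len(key) < 2:
        raise ValueError("password must be at least two characters")
    n1, n2 = 0, 1                        # N1 -> first char, N2 -> second
    out = bytearray()
    for _ in range(length):
        out.append(key[n1] ^ key[n2])    # X = K[N1] xor K[N2]
        n1 = (n1 + 1) % len(key)         # "if N1 equals the size of K, set to 1"
        n2 = (n2 + 1) % len(key)
    return bytes(out)


def encrypt(key: bytes, data: bytes) -> bytes:
    return bytes(p ^ x for p, x in zip(data, keystream(key, len(data))))


decrypt = encrypt                        # XOR is its own inverse


def period(key: bytes) -> int:
    """The two counters wrap together, so the keystream repeats after
    len(K) bytes: a repeating-key XOR whose effective key is K[i] ^ K[i+1]."""
    return len(key)


def period_xor(key: bytes) -> int:
    """XOR of one full period of keystream.  Every key byte enters twice
    (once as K[i], once as the partner of K[i-1]), so this is always 0:
    the derived key has only len(K) - 1 independent bytes."""
    return reduce(xor, keystream(key, len(key)), 0)


def known_plaintext_break(ciphertext: bytes, known_prefix: bytes,
                          key_len: int) -> bytes:
    """A crib of len(K) plaintext bytes exposes one full period of keystream,
    and therefore all of it; the rest of the message then decrypts."""
    if len(known_prefix) < key_len:
        raise ValueError("need at least one full period of known plaintext")
    ks = bytes(c ^ p for c, p in zip(ciphertext, known_prefix))[:key_len]
    return bytes(c ^ ks[i % key_len] for i, c in enumerate(ciphertext))
```

Two degenerate cases fall straight out of the keystream definition: a two-character password gives a constant keystream (single-byte XOR), and any password made of one repeated character gives an all-zero keystream, so the ciphertext equals the plaintext. With the period fixed at the password length, the classical Vigenère column attack applies to ciphertext alone.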

--

From: [EMAIL PROTECTED] (Steven Markowitz)
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
Subject: Re: PGP Bug: IMPORTANT Personal test report
Date: 25 Aug 2000 13:36:12 GMT

In article 8o5kqk$mls$[EMAIL PROTECTED] "Michel Bouissou" [EMAIL PROTECTED] 
writes:

[ snip ]

== IMPORTANT NOTE:
THIS IS MOST IMPORTANT. Reading carefully Ralf's paper, the ADK public key
seems NOT to be actually included in public keys that mention mandatory use
of this ADK. YOU MUST HAVE THE ADK public key as well. Only the ADK's key ID
is included in the key that holds an ADK, which is not enough to allow
encryption to the ADK by itself.

If the public key contains only the key id of the ADK, then isn't that a
serious security flaw?  My understanding is that it is possible for an
attacker to create a new key having the same key id as an existing key,
although the fingerprints will differ.  I have read that this can be done
for RSA keys; I'm not sure about DH/DSS keys.  This would allow an
attacker to cause messages to be encrypted to himself, instead of to the
intended ADK, as long as the sender had the attacker's ADK on his
keyring.

This attack would apply even if the recipient's key had not been tampered
with.  It seems to me that in order for the ADK mechanism to be secure,
the signed portion of a key would have to include the key id, length, and
key fingerprint of the ADK.

Am I misunderstanding something, or is the current ADK setup inherently
insecure?


 Steven Markowitz

--
Any views expressed in this message are those of the individual
sender, except where the sender specifically states them to be the
views of D. E. Shaw & Co., L.P. or any of its affiliates.
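On the key-ID question, an added example (my code, not anything from the thread or from PGP): for version 3 RSA keys the OpenPGP key ID is, per RFC 2440 section 11.2, simply the low 64 bits of the modulus, and the V3 fingerprint is the MD5 of the modulus and exponent bodies. Someone who wants a key with a given key ID picks one prime freely and solves for the low 64 bits of the other. The 256-bit primes and seeded generator are demonstration choices so the code runs in seconds; this is the arithmetic, not a key generator. Version 4 key IDs are the low 64 bits of the SHA-1 fingerprint instead, so they cannot be solved for this way and matching one means searching over candidate keys.

```python
import hashlib
import random

MASK64 = (1 << 64) - 1
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)


def is_probable_prime(n, rng, rounds=24):
    """Trial division followed by Miller-Rabin; adequate for a demo."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def v3_key_id(n):
    """RFC 2440 sec. 11.2: a V3 key ID is the low 64 bits of the modulus."""
    return n & MASK64


def v3_fingerprint(n, e):
    """RFC 2440 sec. 11.2: MD5 over the MPI bodies of n then e, no lengths."""
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    eb = e.to_bytes((e.bit_length() + 7) // 8, "big")
    return hashlib.md5(nb + eb).hexdigest()


def forge_modulus_with_key_id(target_id, bits, rng):
    """Return primes (p, q) with (p * q) & MASK64 == target_id.
    p is chosen freely; then q must equal target_id * p^-1 mod 2^64, which
    pins only q's low 64 bits, so the high bits are searched for a prime."""
    if target_id % 2 == 0:
        raise ValueError("an RSA modulus is odd, so its V3 key ID is odd")
    p = random_prime(bits, rng)
    q_low = (target_id * pow(p, -1, 1 << 64)) & MASK64
    high = rng.getrandbits(bits - 64) | (1 << (bits - 65))   # keep q at `bits` bits
    while True:
        q = (high << 64) | q_low
        if is_probable_prime(q, rng):
            return p, q
        high += 1


def demo(seed=2024, bits=256):
    """A 'genuine' ADK modulus, then a fresh modulus with the same key ID."""
    rng = random.Random(seed)
    e = 65537
    n_victim = random_prime(bits, rng) * random_prime(bits, rng)
    p, q = forge_modulus_with_key_id(v3_key_id(n_victim), bits, rng)
    n_fake = p * q
    return {
        "key_id": f"0x{v3_key_id(n_victim):016X}",
        "same_key_id": v3_key_id(n_fake) == v3_key_id(n_victim),
        "same_modulus": n_fake == n_victim,
        "same_fingerprint": v3_fingerprint(n_fake, e) == v3_fingerprint(n_victim, e),
    }


if __name__ == "__main__":
    print(demo())
```

The forged modulus shares the 64-bit key ID and nothing else: the fingerprint differs, which is exactly why binding the ADK by fingerprint (and key length) inside the signed portion, as proposed above, closes the gap that a bare key ID leaves open.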

--

From: Phil Harrison [EMAIL PROTECTED]

Cryptography-Digest Digest #534

2000-04-12 Thread Digestifier

Cryptography-Digest Digest #534, Volume #11  Wed, 12 Apr 00 09:13:01 EDT

Contents:
  Re: Q: Entropy (Mok-Kong Shen)
  SHA2 (Gregor Leander)
  Re: [Q] PGP - RSA - DH/DSS - Newbie ("Gilles Ferrand")
  Re: SHA2 (Tom St Denis)
  Re: General principles of design (Mok-Kong Shen)
  Re: Q: Inverse of large, sparse boolean matrix, anyone? (Mok-Kong Shen)
  Re: Q: Inverse of large, sparse boolean matrix, anyone? (Mok-Kong Shen)
  Re: DES ("Chris Williams")
  Re: Is AES necessary? (Tom St Denis)
  Re: SHA2 (Runu Knips)
  Re: Checksum for digits (Runu Knips)
  Re: OAP-L3: Semester 1 / Class #1 All are invited. ([EMAIL PROTECTED])
  Re: Cryptanalysis Challenge - Will anyone accept? ("Geir Rastad")



From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: Q: Entropy
Date: Wed, 12 Apr 2000 12:19:54 +0200

Bryan Olson wrote:
 
 Mok-Kong Shen wrote:
  Bryan Olson wrote:
   Given a string of, say, a million zeros and a "random"
   million-bit string, Kolmogorov complexity does not say which
   is more complex.
 
  If the shortest program to describe the former is shorter than
  the one for the latter (a case which seems fairly likely), then
  by definition the former has less Kolmogorov complexity than
  than the latter.
 
 Wrong.  Kolmogorov complexity allows the program to be
 written in a large class of languages.  For any pair of
 distinct finite strings there's a pair of legal language that
 disagree on which string has the shorter program.

That issue of difference of languages is understandably treated
in Kolmogorov complexity. Otherwise that theory wouldn't be
able to exist at all. The fact that no real-world algorithm to 
measure that theoretical quantity exists can also be interpreted
to mean that no very exact comparison could be made, in my view.
But surely some more or less useful comparison can be made.
Allow me to use an analogy: one can surely claim that the code
for an operating system is more complex than one for the
quick sort, and that totally independent of what programming
languages one uses, including those of year 3000, can't one?

M. K. Shen

--

From: Gregor Leander [EMAIL PROTECTED]
Subject: SHA2
Date: Wed, 12 Apr 2000 12:14:10 +0200

Hello,
 I read something about a new hash function from the NSA called SHA-2.
This new function is said to be stronger than SHA-1, and that is why I am
interested in information about SHA-2. So I now hope that someone knows
something about this topic, or can tell me where to find more
information.

Thanks
Gregor


--

From: "Gilles Ferrand" [EMAIL PROTECTED]
Subject: Re: [Q] PGP - RSA - DH/DSS - Newbie
Date: Wed, 12 Apr 2000 11:01:15 GMT

Thanxx.

OK, knowing that (ElGamal), I read the chapter in B.Schneier "Applied
Cryptography"

Thanxx again



"Tom McCune" [EMAIL PROTECTED] wrote in message
news: Vo3I4.687$[EMAIL PROTECTED]
 -----BEGIN PGP SIGNED MESSAGE-----
 Hash: SHA1

 In article [EMAIL PROTECTED], [EMAIL PROTECTED] (Gilles
 F) wrote:
 Can you answer me?
 
 RSA is an asymmetric cryptosystem (or algorithm), OK.
 PGP uses a secret session key, encrypted with public key, OK
 
 PGP promotes Diffie Hellman/DSS instead of RSA/MD5 (for royalty-free
 reasons, I think).
 
 I know (or I believe) that Diffie Hellman is a key exchange
 protocol between Alice and Bob, without actually exchanging (sending)
 the secret key on the network:
 
 X = g^x mod(p)   / Y = g^y mod(p)
 
 and the secret key is g^xy mod(p) after Alice and Bob have exchanged
 information X and Y
 
 In which way can this protocol replace RSA?
 (maybe it's another Diffie Hellman protocol, different from the
 key exchange protocol ... ?)
 
 Can u help?
 
 Thanxx a lot ;-)

 Hi Gilles,

 PGP actually uses ElGamal instead of DH - they refer to it as the ElGamal
 variant of DH.  PGP uses ElGamal keys in the exact same way as RSA keys -
 in either case, the message/file is actually encrypted to a symmetric
 algorithm (IDEA, CAST, or 3DES) using a randomly generated session key, the
 session key is then encrypted to the public key (either RSA or DH) and then
 the encrypted message/file is packaged with the encrypted session key.

 -----BEGIN PGP SIGNATURE-----
 Version: PGP Personal Privacy 6.5.3
 Comment: My PGP Page & FAQ: http://McCune.cc/PGP.htm

 iQA/AwUBOPDC7g2jfaGYDC35EQK1TQCfREUFOYltfnAKj1vyQvBLvUPbIRkAmwe8
 hCOY4nrWw25XZwzbRMhE1Mit
 =eVD/
 -----END PGP SIGNATURE-----
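The hybrid scheme described in the quoted reply, as an added example with both sides of the exchange (my code, not PGP's): ElGamal plays the part of the "DH" key, a SHA-256 counter keystream stands in for IDEA/CAST/3DES, the group is the Mersenne prime 2^521-1 with g = 3 (assumed, toy parameters, not a real key size or a vetted group), and the session-key packet carries a two-octet checksum in the style of RFC 2440 but omits the cipher-algorithm octet. It also answers the question of how a key-exchange protocol replaces RSA: c1 is the sender's ephemeral g^k, the recipient's public y is the long-term g^x of the X = g^x formula above, and y^k = c1^x = g^(xk) is the Diffie-Hellman secret that masks the session key.

```python
import hashlib
import secrets

# Toy group parameters assumed for this example: the Mersenne prime 2^521-1
# and g = 3.  Real PGP keys use properly generated DH groups.
P = (1 << 521) - 1
G = 3
KEY_BYTES = 16           # session key length, as for a 128-bit block cipher


def elgamal_keygen():
    """Recipient's long-term key: private x, public y = g^x mod p."""
    x = 2 + secrets.randbelow(P - 3)
    return x, pow(G, x, P)


def elgamal_encrypt(y, m):
    """ElGamal is one-sided Diffie-Hellman: c1 = g^k is the sender's
    ephemeral DH value and y^k = g^(xk) the shared secret that masks m."""
    if not 1 <= m < P:
        raise ValueError("message integer out of range")
    k = 2 + secrets.randbelow(P - 3)
    c1 = pow(G, k, P)
    c2 = (m * pow(y, k, P)) % P
    return c1, c2


def elgamal_decrypt(x, c1, c2):
    """Recipient recomputes the shared secret c1^x = g^(xk) and unmasks."""
    s = pow(c1, x, P)
    return (c2 * pow(s, -1, P)) % P


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for the symmetric cipher: SHA-256 in counter mode as a
    keystream.  The same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def hybrid_encrypt(y, message: bytes) -> dict:
    """Sender: fresh session key -> symmetric body; session key plus a
    2-octet checksum (RFC 2440 style) -> ElGamal under the recipient's y."""
    session_key = secrets.token_bytes(KEY_BYTES)
    checksum = (sum(session_key) & 0xFFFF).to_bytes(2, "big")
    m = int.from_bytes(session_key + checksum, "big")
    c1, c2 = elgamal_encrypt(y, m)
    return {"c1": c1, "c2": c2, "body": stream_xor(session_key, message)}


def hybrid_decrypt(x, packet: dict) -> bytes:
    """Recipient: recover and check the session key with the private key,
    then decrypt the body.  A wrong key fails the range or checksum test."""
    m = elgamal_decrypt(x, packet["c1"], packet["c2"])
    if m >= 1 << (8 * (KEY_BYTES + 2)):
        raise ValueError("session-key packet does not decrypt with this key")
    blob = m.to_bytes(KEY_BYTES + 2, "big")
    session_key, checksum = blob[:KEY_BYTES], blob[KEY_BYTES:]
    if (sum(session_key) & 0xFFFF).to_bytes(2, "big") != checksum:
        raise ValueError("session-key checksum mismatch")
    return stream_xor(session_key, packet["body"])
```

Swapping RSA in for ElGamal changes only elgamal_encrypt/elgamal_decrypt: the session key would be RSA-encrypted to the recipient's public key instead of masked with g^(xk), and everything around it (random session key, symmetric body, packaging) stays the same, which is the "exact same way as RSA keys" point in the reply.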




--

From: Tom St Denis [EMAIL PROTECTED]
Subject: Re: SHA2
Date: Wed, 12 Apr 2000 11:03:25 GMT



Gregor Leander wrote:
 
 Hello,
  I read something about a new hash function from the NSA called SHA-2.
 This new function is said to be stronger than SHA-1, and that is why I am
 interested in information about SHA-2. So I now hope that someone knows
 something about this topic, or can tell me wher

Cryptography-Digest Digest #534

1999-05-12 Thread Digestifier

Cryptography-Digest Digest #534, Volume #9   Wed, 12 May 99 11:13:03 EDT

Contents:
  Re: TwoDeck solution (but it ain't pretty) ([EMAIL PROTECTED])
  Re: Crypto export limits ruled unconstitutional (Mok-Kong Shen)
  Re: TwoDeck solution (but it ain't pretty) ([EMAIL PROTECTED])
  Re: True Randomness & The Law Of Large Numbers (R. Knauer)
  Re: A challenge for you ! ("Douglas A. Gwyn")
  Re: A simple challenge for Tomstdenis ("Ulrich Kuehn")
  Re: Crypto export limits ruled unconstitutional (Mok-Kong Shen)
  Searching for algorithm overview ("Jonas Krantz")
  Re: True Randomness & The Law Of Large Numbers ("Douglas A. Gwyn")
  Re: Shamir's TWINKLE Factoring Machine (Bob Silverman)
  Re: AES ([EMAIL PROTECTED])
  Newbie:  Encrypting short strings ("Steve K")



From: [EMAIL PROTECTED]
Subject: Re: TwoDeck solution (but it ain't pretty)
Date: Wed, 12 May 1999 11:20:51 GMT


 
  LadyCow, stop this cunttalk and take a shower - you stink.


Although I agree, please keep the discussion civil.  I (like others)
want to keep it cool about these punk @#! losers...

Tom
--
PGP public keys.  SPARE key is for daily work, WORK key is for
published work.  The spare is at
'http://members.tripod.com/~tomstdenis/key_s.pgp'.  Work key is at
'http://members.tripod.com/~tomstdenis/key.pgp'.  Try SPARE first!


--== Sent via Deja.com http://www.deja.com/ ==--
---Share what you know. Learn what you don't.---

--

From: Mok-Kong Shen [EMAIL PROTECTED]
Crossposted-To: talk.politics.crypto
Subject: Re: Crypto export limits ruled unconstitutional
Date: Wed, 12 May 1999 14:30:09 +0200

Johnny Bravo wrote:
 

   There is a program that can convert C code directly to English
 readable text and back again.  Here is a sample of the code for the

Can you provide a pointer to that? I am interested in the manner
the translation gets done.

M. K. Shen

--

From: [EMAIL PROTECTED]
Subject: Re: TwoDeck solution (but it ain't pretty)
Date: Wed, 12 May 1999 11:18:58 GMT


 As someone has observed, your website is about the BATTLE data
 compression contest - there are no pointers on it to a page with
 pointers to the paper and stuff. (We can't see your directory, so we
 need links from HTML...)

 You could put a link labelled "About Me" on the bottom of the page
 which would link to a page saying "Hi, I'm Tom St. Denis", and then
 mentioning your other interests, including "Cryptography" - and on
 that include a link to your paper. That way you avoid mentioning
 cryptography on the BATTLE page itself if you don't want to.

True, that's why I posted links though.  I will be making a website for
the cryptography stuff this weekend (if not tonight :) ).

Sorry about the confusion, the paper (in its current form) is at

http://members.tripod.com/~tomstdenis/TwoDeck.ps

And the rough sketch for the sieving crack is at

http://members.tripod.com/~tomstdenis/solution.ps

Thanks for your time,
Tom
--
PGP public keys.  SPARE key is for daily work, WORK key is for
published work.  The spare is at
'http://members.tripod.com/~tomstdenis/key_s.pgp'.  Work key is at
'http://members.tripod.com/~tomstdenis/key.pgp'.  Try SPARE first!


--== Sent via Deja.com http://www.deja.com/ ==--
---Share what you know. Learn what you don't.---

--

From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: True Randomness & The Law Of Large Numbers
Date: Wed, 12 May 1999 12:41:29 GMT
Reply-To: [EMAIL PROTECTED]

On Wed, 12 May 1999 06:07:42 GMT, "Douglas A. Gwyn" [EMAIL PROTECTED]
wrote:

 Then why does Feller claim that it is fundamentally incorrect to infer
 the properties of random number generation from the time average of a
 single sequence?

Who cares why he says that, it's not relevant.

Are you saying that Feller does not know what he is talking about?

It's hard to be sure what you mean by terms like "1-bit bias".

There should be no difficulty in understanding that term at all. It is
quite commonly used in discussions about randomness. It is one of the
different kinds of group bias.

The Monobit Test checks the first moment of the distribution,

I think you need to demonstrate that formally.

If John Jones makes only $25,000/year, then there is evidence that he
isn't a very good salesman, and you should consider not using him to
peddle your product.

It depends on whether that is his consistent earnings level. One
annual earnings report is not sufficient to characterize his overall
performance over his productive years.

If you want to formulate a monobit-type test that takes a large number
of samples into account, then I would agree that it might have merit.
But just one test on one small sample is not sufficient.

But a better analogy would be:  John Jones
normally makes around $100,000/year,