Cryptography-Digest Digest #866, Volume #8        Fri, 8 Jan 99 13:13:10 EST

Contents:
  OCX/DLL wanted ("Jonas Westberg")
  Re: On the Generation of Pseudo-OTP (Mok-Kong Shen)
  Re: On the Generation of Pseudo-OTP (Mok-Kong Shen)
  Re: What is left to invent? ("almis")
  Re: On the Generation of Pseudo-OTP (Mok-Kong Shen)
  Re: RSA-Modulus decomposition ([EMAIL PROTECTED])
  Re: On leaving the 56-bit key length limitation ([EMAIL PROTECTED])
  Re: Help: a logical difficulty (John Savard)
  Re: On the Generation of Pseudo-OTP (R. Knauer)
  Re: On the Generation of Pseudo-OTP (R. Knauer)
  Re: On the Generation of Pseudo-OTP (R. Knauer)
  PGP International ("Jason Shea")
  Re: coNP=NP Made Easier? (Steve Tate)
  Re: On the Generation of Pseudo-OTP (Mok-Kong Shen)
  Well-written books on mathematics ? (Rx Video)

----------------------------------------------------------------------------

From: "Jonas Westberg" <[EMAIL PROTECTED]>
Subject: OCX/DLL wanted
Date: Fri, 8 Jan 1999 14:07:18 +0100

Please let me know if you know of any Components that can be used in Visual
Basic applications (OCX/DLL).

- Public Key Algorithm (RSA key generation, encryption and signing)
- Secret Key Algorithm (free block or Feistel cipher like CAST)

Thanks....

Jonas Westberg
[EMAIL PROTECTED]





------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: On the Generation of Pseudo-OTP
Date: Fri, 08 Jan 1999 15:00:24 +0100

R. Knauer wrote:
> 
> On Fri, 08 Jan 1999 08:30:24 +0100, Mok-Kong Shen
> <[EMAIL PROTECTED]> wrote:
> 
> >Have you ever encountered a physical device that is absolutely
> >perfect??
> 
> Have you ever encountered a written statement that is Absolutely
> Perfect?
> 
> For example, is the written statement you just made Absolutely
> Perfect?

I don't think this group is the right place for meta-logical
tricky sentences. We want concrete discussions relevant to
the issue being discussed.

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: On the Generation of Pseudo-OTP
Date: Fri, 08 Jan 1999 15:11:49 +0100

R. Knauer wrote:

> For example, one of the primary rules about a PRNG is that it is
> periodic, whereas as you just stated the digit expansion of a
> transcendental is not periodic. Yet a digit expansion is an
> algorithmic procedure that can be carried out on a finite state
> machine (computer) just like a PRNG. What makes the two different in
> that regard?

All real computations have accuracy bounds. You don't actually
compute the transcendental number but obtain a real number close
to it to within a certain accuracy after a certain number of steps. 
For that you have to write your program appropriately and, before that, 
do an error analysis appropriately. Simple types of PRNG, the LPRNGs, 
are based on integer computations. There is no error in computations 
and the period is a definite finite value.

M. K. Shen
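
The contrast drawn in the post above, as an added illustration (not the poster's code): an integer LCG has an exact, finite period that can be measured by iterating until a state repeats, while a digit expansion of a transcendental number computed in a fixed-precision context is only an approximation, trustworthy to the working precision and no further. The LCG parameters, the choice of e (via the series sum 1/k!), and the 5-digit guard are this example's own choices.

```python
"""Added illustration (not from the thread): finite LCG period versus a
bounded-accuracy digit expansion of a transcendental number."""
import math
from decimal import Decimal, getcontext


def lcg_period(a, c, m, seed):
    """Exact period of x -> (a*x + c) mod m starting from `seed`, found by
    iterating until a state repeats.  Integer arithmetic has no rounding
    error, so the cycle length is a definite integer."""
    seen = {}
    x, step = seed, 0
    while x not in seen:
        seen[x] = step
        x = (a * x + c) % m
        step += 1
    return step - seen[x]


def e_digits(precision):
    """'2.' followed by the first `precision` decimal digits of e, summed from
    the series 1/k! with a guard of 5 extra digits.  Only the returned digits
    are trustworthy: the Decimal context bounds the accuracy of every step."""
    getcontext().prec = precision + 5
    total, term, k = Decimal(0), Decimal(1), 0
    while term > Decimal(10) ** -(precision + 5):
        total += term
        k += 1
        term /= k
    return str(total)[:precision + 2]


def float_e_digits(places):
    """The same expansion printed from a binary double; digits beyond the
    double's roughly 16 significant digits are artefacts of the binary value,
    not digits of e."""
    return "%.*f" % (places, math.e)


def common_prefix_len(a, b):
    """Number of leading characters on which two digit strings agree."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


if __name__ == "__main__":
    print("LCG a=5 c=3 m=16 period:", lcg_period(5, 3, 16, 0))
    print("e, Decimal, 30 digits:", e_digits(30))
    print("e, double,  30 places:", float_e_digits(30))
    print("characters that agree:", common_prefix_len(e_digits(30), float_e_digits(30)))
```

Raising the Decimal precision produces more correct digits, but the result is still a rational approximation fixed by the context; the LCG, by contrast, returns to its start state after exactly the computed number of steps no matter how it is run.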

------------------------------


From: "almis" <[EMAIL PROTECTED]>
Subject: Re: What is left to invent?
Date: Fri, 8 Jan 1999 08:06:02 -0600


Douglas A. Gwyn wrote in message <[EMAIL PROTECTED]>...
|Frank Gifford wrote:
|> If you do a little research into rotor machines, you can get the
|> feeling that all one has to do is make the rotor movement complex
|> enough and the rotor system can't be broken.
|
|No, because rotor machines are by nature composed of loosely coupled
|*short-cyclic* components, and there are ways to exploit that.

Not necessarily.    ...al



------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: On the Generation of Pseudo-OTP
Date: Fri, 08 Jan 1999 15:35:50 +0100

R. Knauer wrote:
> 
> 
> But if the offset is very large, he would have to calculate all digits
> all offsets until he found your offset, which I presume could be made
> computationally infeasible for large enough offsets, especially if you
> mixed the streams from several arbitrary transcendental constants
> together.

One could also use several offsets for the same mathematical constant,
just as for a text. BTW, if you have collected a bunch of bits
from hardware (OTP), you could also use a number of offsets on it in a
similar manner, i.e. combine the sequences with XOR, etc. (You would 
say that results in a pseudo-OTP, but it could be an economical way 
of using the resource.)

> 
> >You may want a certain distribution
> >and the question is how good is the expected approximation to that.
> >For cryptological applications, I believe the ideal that is to be
> >approximated is white noise, which means that the auto-correlation
> >function has the value zero, except at a single point.
> 
> You persist in the false belief that you can characterize a
> crypto-grade random number by formal means. That is a fundamental
> error. There is no formal method to decide that a number is random for
> crypto purposes. None, zip, nicht, nada.
> 
> If you want an insight of the implications of this, I recommend
> reading the works of Greg Chaitin (op. cit.).

There is NO (computationally feasible) method to decide that a number
is random for ANY purposes, not just crypto purpose. We have discussed 
in another thread that the high theories of Chaitin and others are 
non-practical!

> 
> >> Remember that you cannot formally prove that a number is random, only
> >> that it is not random. Just because a given number has no bias or
> >> correlation does not mean that it is crypto-grade.
> 
> >Please compare the first part of my response of 07 Jan 18:00:11+0100.
> 
> I do not maintain nor refer to archives. Please state your response
> here so I and the others following this thread can see it. Thanks.

I meant, that what you said about randomness is similar to what I 
said about the strength of algorithms in general. Here is the quote 
you requested (apology to other readers for repetition):

  There is in my humble opinion one fundamental dilemma in cryptology,
  namely to prove the strength of a (non-trivial) algorithm, because,
  as was discussed sometime ago in the group, a scientifically 
  rigorous measure of strength cannot be defined. If you find a method
  to break a cipher in a practical way, you can forget that cipher.
  If a cipher is not yet broken, that does NOT mean that it is strong
  or unbreakable, only that no method is yet found (or more exactly
  publicly disclosed) for that. An ideal OTP is totally secure but,
  as I said above, is unfortunately an unobtainable theoretical
  concept. Thus, since exact proofs cannot be done, one has to resort
  to more or less heuristic arguments. In the present case, if
  n texts are used to construct a pseudo-OTP using an adequate 
  combination of the techniques such as those I mentioned, then it is 
  intuitively quite clear (though NOT a rigorous proof) that, as n 
  becomes larger, the sequence obtained should be increasingly harder 
  for the analyst to infer. Now one may ask how is n to be chosen. I 
  can offer NO scientifically clean answer but can only say that one 
  could use some intuitively guided judgement to choose that and use
  a factor of safety (like the engineers do in their designs) to
  plausibly ensure that one is on the safe side. (There is always
  a non-zero chance, though, that one's decision turns out to be wrong.)


> 
> >Why do you
> >exclude software devices from being capable of being good from the
> >very beginning? If software devices can be made as good, then
> >they have the advantage of being cheap.
> 
> I am not excluding "software devices" outright. I am rejecting PRNGs.

There are the so-called cryptologically strong PRNGs, e.g. the one
of BBS. What is the reason of your general opposition to PRNGs?

> 
> Digit Expansion Generators might have some merit if constructed
> properly, although that remains to be seen. Stay tuned for further
> developments as more people join this thread (hopefully).

As I said, I was not familiar with the term. Could you give the
reference to a good paper on DEG?

M. K. Shen

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: RSA-Modulus decomposition
Date: Fri, 08 Jan 1999 15:08:07 GMT

In article <774lbj$m4r$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] wrote:
> Hello all,
>
> It is very easy to find decomposition of a
> modulus to its primes.
> Let n=pq be a modulus. Let m be a least
> message for which m^2 mod n = m.
> Then m-1 is p or q.

Perhaps you will enlighten us by telling how to find m? And the amount of
work it takes?

============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/       Search, Read, Discuss, or Start Your Own    
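
To make the reply's question concrete, here is added code (not the poster's) that finds the m of the claim in the two ways available: by exhaustive search over [0, n), which is the only route when p and q are unknown and costs n trials, and by the Chinese remainder theorem, which takes p and q as input and so cannot stand in for factoring. It also shows, on the constructed modulus n = 15, that gcd(m, n) is what reliably recovers a factor from such an m: 10 satisfies 10^2 = 10 (mod 15) but 10 - 1 = 9.

```python
"""Added example (not from the thread): idempotents m*m == m (mod n) for n = p*q."""
from math import gcd


def idempotents(n: int) -> list:
    """Every m in [0, n) with m*m == m (mod n), by exhaustive search (n trials)."""
    return [m for m in range(n) if (m * m) % n == m]


def idempotent_from_factors(p: int, q: int) -> int:
    """The idempotent m with m == 0 (mod p) and m == 1 (mod q), via CRT.
    This route requires knowing p and q already."""
    return (p * pow(p, -1, q)) % (p * q)


def factor_from_idempotent(m: int, n: int) -> int:
    """gcd(m, n) is a proper factor of n for any nontrivial idempotent m
    (that is, m other than 0 and 1)."""
    return gcd(m, n)


if __name__ == "__main__":
    n = 3 * 5  # constructed toy modulus
    for m in idempotents(n):
        print(f"m={m:2d}  m-1={m - 1:2d}  gcd(m, n)={factor_from_idempotent(m, n)}")
```

The exhaustive search is a worse bound than trial division up to sqrt(n), which is the point of the reply: the claim relocates the work rather than removing it.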

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: On leaving the 56-bit key length limitation
Date: Fri, 08 Jan 1999 14:43:35 GMT

In article <774mjg$n49$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] wrote:

>
> Consider the situation in which the message space has several
> plausible messages, but the conditional probabilities, given the
> ciphertext, show that "Attack at dawn with 3000 men." has a
> probability of 0.599999, and "Attack at dawn with 3006 men"
> has a probability of 0.399999.  Using Shannon's formula for
> entropy, I calculate the equivocation of the plaintext is
> 0.97 bits.  Shannon defined the unicity distance as the number
> of intercepted characters for which the equivocation in the
> plaintext is very close to 0.  0.97 bits is not very close to
> zero, therefore unicity has not been reached.
>
> I claimed that an attacker may get useful information from
> the ciphertext even if he does not have enough ciphertext to
> reach unicity.  You, Ed, stated that I was wrong.  The above
> example is of course contrived, but nevertheless, the
> conditional probabilities are possible.  The attacker does
> not have enough ciphertext to reach unicity.  The attacker
> does obtain a great deal of useful information from the
> ciphertext.  My claim that you quoted above, "A cryptanalyst
> may still get large amounts of useful information." is true.
>

Bryan:

Let us re-start here and recall that I used DES to exemplify some of my
arguments.

I agree with you that you can define unicity in such a way as to make the
phrases "Attack at dawn with 3000 men." and "Attack at dawn with 3006 men"
still shorter than the length required by your definition of unicity.

I also agree you could define pi to be 3.

However, both would be useless exercises because they fail to reflect the
reality behind the concepts. When Shannon defined unicity he was struggling
to define a concept -- which goes far beyond a mere expression of it as n =
H(K)/D.

Let me make my declaration precise. Unicity is (exactly in Shannon's sense) a
fundamental limitation to the least amount of plaintext which can be uniquely
deciphered from the corresponding ciphertext -- given *unbounded* resources by
the attacker. The attacker can even hire you ;-)

Now, as you say that "Attack at dawn with 3000 men." and "Attack at dawn with
3006 men" cannot be decided by your system and, "therefore unicity has not
been reached" -- then my conclusion is that you have left reality.

Why? Because if you are using DES (as I used, so I assume that in order to
discuss my results you would need to also use DES) then the unicity-5
distance of DES is 3 letters as I argued -- in your case, "Att". Certainly
your phrases are much longer than DES unicity-5, so I could break into your
DES key with only those 3 letters and then unambiguously decipher your whole
long message. This means that I could have uniquely chosen which message was
correct.

But, you say you could not -- again, you may say whatever you desire but the
question is whether it corresponds to reality.

For example, can you show me the DES ciphertext you used, to affirm that

> conditional probabilities, given the
> ciphertext, show that "Attack at dawn with 3000 men." has a
> probability of 0.599999, and "Attack at dawn with 3006 men"
> has a probability of 0.399999.

???

I affirm this is not possible with DES. And, one cannot just invent
"features" to support e-mail discussions. This may be useful in rec.humor but
not here -- a technical discussion group.

Now, in the case you tell me you did NOT use DES in your "example" then I say
that is firstly a lack of basic method -- since you cannot compare apples with
speedboats -- also perhaps useful in rec.humor but not here. Second, I ask you
to please produce the exact ciphertext, the cipher and the key that leads to
such "example".

Otherwise, it is just so simple -- define pi to be 3 and next thing you know
you can start to criticize much more people, not just me.

In the absence of supporting evidence for your "example" that we can discuss
not as a poker hand, I guess you can start to try to understand what I really
wrote in the posting before confusing issues before this group.

Cheers,

Ed Gerck

______________________________________________________________________
Dr.rer.nat. E. Gerck                                 [EMAIL PROTECTED]
http://novaware.com.br
 ---  Meta-Certificate Group member -- http://www.mcg.org.br  ---

============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/       Search, Read, Discuss, or Start Your Own    
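
The equivocation figure and the n = H(K)/D formula discussed in this exchange, carried out in added code (not either poster's): the Shannon entropy of a posterior over candidate plaintexts, the equivalent number of equally likely candidates it represents, and the unicity-distance formula. The 0.599999/0.399999 posterior comes from the thread; the key-entropy and redundancy values in the usage are constructed for the example and are not DES figures.

```python
"""Added example (not from the thread): plaintext equivocation and Shannon's
unicity distance n = H(K)/D."""
from math import log2


def equivocation(posterior):
    """Shannon entropy, in bits, of a posterior over candidate plaintexts.
    The probabilities are normalized first, so a list that sums to slightly
    less than one (as the thread's 0.599999 + 0.399999 does) is accepted."""
    total = sum(posterior)
    probs = [p / total for p in posterior if p > 0]
    return -sum(p * log2(p) for p in probs)


def candidates_remaining(posterior):
    """2**H: the number of equally likely candidates the equivocation is worth."""
    return 2 ** equivocation(posterior)


def unicity_distance(key_entropy_bits, redundancy_bits_per_char):
    """n = H(K)/D: the number of ciphertext characters beyond which the
    plaintext equivocation approaches zero for an attacker with unbounded
    resources.  A language with no redundancy has no finite unicity distance."""
    if redundancy_bits_per_char <= 0:
        raise ValueError("redundancy must be positive")
    return key_entropy_bits / redundancy_bits_per_char


if __name__ == "__main__":
    posterior = [0.599999, 0.399999]  # the two messages from the thread
    print(f"equivocation = {equivocation(posterior):.3f} bits")
    print(f"equivalent candidates = {candidates_remaining(posterior):.2f}")
    # constructed values, not DES figures: a 64-bit key over a source with 4 bits/char redundancy
    print(f"unicity distance = {unicity_distance(64, 4.0):.1f} characters")
```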

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Help: a logical difficulty
Date: Fri, 08 Jan 1999 15:31:17 GMT

Nicol So <[EMAIL PROTECTED]> wrote, in part:

>Unless you don't need to store or communicate them in their entirety,
>infinite strings not capable of finite representation are really a
>problem.  If you need to talk about such a string, how would you
>*unambiguously* tell someone exactly what it is?

If there is no finite way to describe it (i.e. "the decimal expansion
of pi") you're out of luck.

But finite strings can be paired to the natural numbers. So can
computable strings, algebraic numbers, rational numbers, any number
that can be expressed by a mathematical formula...

Data compression techniques can even compress, therefore, some
infinitely long strings! (But they can't do it by being given the
whole string to examine.)

John Savard
http://www.freenet.edmonton.ab.ca/~jsavard/index.html

------------------------------

From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: On the Generation of Pseudo-OTP
Date: Fri, 08 Jan 1999 16:36:32 GMT
Reply-To: [EMAIL PROTECTED]

On Fri, 08 Jan 1999 15:35:50 +0100, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:

>BTW, if you have collected a bunch of bits
>from hardware (OTP), you could also use a number of offsets on it in a
>similar manner, i.e. combine the sequences with XOR, etc. (You would 
>say that results in a pseudo-OTP, but it could be an economical way 
>of using the resource.)

But that would defeat the portability of the proposed system. Remember
the original objective was to have a system that could be used
anywhere without having to worry about OTP key management.
 
>There is NO (computationally feasible) method to decide that a number
>is random for ANY purposes, not just crypto purpose.

Not true. There is a much relaxed set of criteria for randomness used
in simulations - so relaxed that it would not pass the criteria for
crypto-grade randomness. PRNGs, for example, are used in simulation.

>We have discussed 
>in another thread that the high theories of Chaitin and others are 
>non-practical!

I never agreed with any of that. I think there is some applicability
to crypto. But Chaitin is not the one who says what a crypto-grade
random number is. That is dictated by crypto people. See Schneier's
main book for some relevant discussions.

>There are the so-called cryptologically strong PRNGs, e.g. the one
>of BBS.

But there is no way to know for sure that these and similar
"cryptologically strong" PRNGs are really all that secure.

>What is the reason of your general opposition to PRNGS?

The only time I object to PRNGs is when we are discussing the OTP
system, and then on fundamental grounds, not practical grounds.

>As I said, I was not familiar with the term. Could you give the
>reference to a good paper on DEG?

The term itself is made up here for convenience. The concept has been
around for some time. A good starting point, from which you can follow
links to more exposition, is:

http://www.mathsoft.com/asolve/plouffe/plouffe.html

Bob Knauer

"We hold that each man is the best judge of his own interest."
--John Adams


------------------------------

From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: On the Generation of Pseudo-OTP
Date: Fri, 08 Jan 1999 16:44:53 GMT
Reply-To: [EMAIL PROTECTED]

On Fri, 08 Jan 1999 15:00:24 +0100, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:

>> >Have you ever encountered a physical device that is absolutely
>> >perfect??
 
>> Have you ever encountered a written statement that is Absolutely
>> Perfect?  For example, is the written statement you just made Absolutely
>> Perfect?

>I don't think this group is the right place

You don't know what this group is the right place for. If you don't
believe me, just sift thru dejanews a year ago.

We had some pretty far ranging discussions going back then, which
attracted wide participation and were very enlightening in terms of
the fundamentals of crypto, at least for me.

Books can only go so far, and then it comes time to start wrestling
with the details to gain insight.

>for meta-logical tricky sentences.

The Epimenides Paradox is hardly a "tricky sentence". It along with
the Russell and Berry Paradoxes are most important to mathematics.

>We want concrete discussions relevant to
>the issue being discussed.

Godel must be either laughing his butt off or rolling in his grave
right now.

The foundation of crypto is number theory, and constraints on formal
systems are fully a part of it.

Bob Knauer

"We hold that each man is the best judge of his own interest."
--John Adams


------------------------------


From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: On the Generation of Pseudo-OTP
Date: Fri, 08 Jan 1999 17:02:52 GMT
Reply-To: [EMAIL PROTECTED]

On Fri, 08 Jan 1999 16:02:18 +0100, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:

>Again I am convinced that by combining a sufficiently large
>number n of text using appropriate techniques one arbitrarily
>comes near to a good OTP.

Two points:

1) That remains to be proven.

2) You do not mean "good OTP". You mean "good stream cipher".

To use the term "OTP" when you really mean "stream cipher" is
fundamentally wrong and will lead to nothing but confusion.

Believe me, dude - I've been there, done that, even got the t-shirt.

>In which way do you mean incorrect? Why is on the other hand hardware
>OTP, which is also imperfect, correct??

It is fundamentally incorrect. The OTP system and a stream cipher are
two completely different concepts, not just varying degrees of
perfection.

The OTP system is indeed a stream cipher, but it is fundamentally
distinct from all other stream ciphers because it is based on a true
random number and not just some "approximation".

Even if you could prove that a given stream cipher was practically
unbreakable, for example on grounds of computational infeasibility, it
still would not have anything to do with an OTP system.

>Then a hardware device also cannot approximate an (ideal) OTP
>in your (present) logic.

It can, on a fundamental basis. Once you grasp the fundamental
difference between a strong stream cipher and an OTP you will see why
that is the case.

The emphasis is not on practicality but on methodology.

>Note that one technique I mentioned is to take the parity of a 
>32-bit word. That is from 4 bytes, originated from 4 characters,
>one takes one bit. That should be highly effective, I believe,
>to destroy the auto-correlations that are present in the character
>sequence of the texts. And if that is not enough, one can apply
>other techniques and these recursively, as I said in the original
>post.

You need to prove that, to the satisfaction of cryptographers. I am
not a cryptographer, so I must rely on their considered judgement.

>I think the choice of the name is unessential. Essential is the
>purpose that a thing serves.

"Essential" is what the thing is - its essential features.

A baseball bat and a piece of iron pipe can both be used to break a
window, but that does not mean they share the same essence.

>You could instead call it, say, 'a
>somehow generated bit sequence intended to approximate an OTP
>to some satisfactory degree', if you don't mind the length of the name.

You are still missing the point of this discussion.

>But note that there are also auto-correlations. In general, akin to 
>the texts, many sources can be used, for instance digitalized pictures,
>photos, etc.

Then that means that you have to come up with a crypto-grade technique
to remove such correlations, and prove that it works as advertised. I
tried that once, citing a published technique, and it got shot down by
the cryptographers on here.

Bob Knauer

"We hold that each man is the best judge of his own interest."
--John Adams
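
The techniques argued over in this thread (Shen's reading of one sequence from several offsets combined by XOR, and the parity of 32-bit words quoted above) together with the statistics both sides appeal to (bit bias and the autocorrelation function, which is zero except at lag 0 for white noise), as added code that belongs to neither poster. The sample text, the offsets and the lag choices are constructed for the example; the functions are general and can be run over any byte string.

```python
"""Added example (not from the thread): keystream derivation from text by
offset-XOR and 32-bit parity, with bias and autocorrelation measurements."""
from typing import List

# constructed sample input, not from the thread
SAMPLE_TEXT = b"The quick brown fox jumps over the lazy dog. " * 8


def text_to_bits(data: bytes) -> List[int]:
    """Big-endian bit sequence of a byte string."""
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def parity_stream(data: bytes) -> List[int]:
    """One output bit per 32-bit word: the parity of the word's bits (the
    technique quoted above).  A trailing partial word is dropped."""
    return [bin(int.from_bytes(data[i:i + 4], "big")).count("1") & 1
            for i in range(0, len(data) - len(data) % 4, 4)]


def xor_offsets(bits: List[int], offsets: List[int], length: int) -> List[int]:
    """Read one sequence cyclically from several offsets and XOR the reads."""
    return [sum(bits[(off + i) % len(bits)] for off in offsets) & 1
            for i in range(length)]


def bias(bits: List[int]) -> float:
    """Fraction of ones minus 1/2; 0.0 for a balanced stream."""
    return sum(bits) / len(bits) - 0.5


def autocorrelation(bits: List[int], lag: int) -> float:
    """Normalized autocorrelation of the +1/-1 mapped stream: 1.0 at lag 0,
    and near 0.0 at every other lag for the white-noise ideal."""
    s = [1 if b else -1 for b in bits]
    n = len(s) - lag
    return sum(s[i] * s[i + lag] for i in range(n)) / n


if __name__ == "__main__":
    raw = text_to_bits(SAMPLE_TEXT)
    streams = [
        ("raw text bits", raw),
        ("32-bit parity", parity_stream(SAMPLE_TEXT)),
        ("xor of 3 offsets", xor_offsets(raw, [0, 37, 101], len(raw))),
    ]
    for name, stream in streams:
        print(f"{name:18s} n={len(stream):5d} bias={bias(stream):+.3f} "
              f"ac(1)={autocorrelation(stream, 1):+.3f} "
              f"ac(8)={autocorrelation(stream, 8):+.3f}")
```

The lag-8 figure is the one to watch on text input: ASCII fixes the top bit of every byte, so the raw bit stream carries a periodic structure that a transform has to remove, which is the correlation the posts are arguing about.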


------------------------------

From: "Jason Shea" <[EMAIL PROTECTED]>
Subject: PGP International
Date: Mon, 4 Jan 1999 13:44:22 +1000

Hi all,

I figure I'll probably get kicked in the ass for this question, but, is there
a difference between PGP, and PGP International? Nothing in the manuals seems
to indicate that it is in any way different...

I'm told by several people that the PGP International version is considerably
weaker than the American version.


-Peter



------------------------------

From: [EMAIL PROTECTED] (Steve Tate)
Crossposted-To: sci.math,comp.theory
Subject: Re: coNP=NP Made Easier?
Date: 8 Jan 1999 17:19:00 GMT

rosi ([EMAIL PROTECTED]) wrote:
> Planar wrote:

> >       The complexity class P is the set of all decision problems
> >       that are solvable in polynomial time BY DETERMINISTIC TURING
> >       MACHINES.

> Or are you saying that NDTM's can not solve NP problems in P time?
> I hope you are not calling NDTM's pieces of crap. :) That would truly
> offend a lot of people including their inventors. :)

Ok, a lot of people have tried, but let me try to get at the problem
here.

Are you working under the assumption that NDTM's are actual, real
machines?  That solve NP problems in polynomial time?

If so, then you've gone way down the wrong path.  NDTMs are
mathematical models.  They are convenient abstractions so that we can
talk about things.  They do not exist beyond a definition on paper.

If NDTMs were real it would be a real boon to computing.  We could
solve an awful lot of important problems that we can't solve now.  But
that's simply not the case.

--
Steve Tate --- srt[At]cs.unt.edu | Gratuitously stolen quote:
Dept. of Computer Sciences       | "The box said 'Requires Windows 95, NT, 
University of North Texas        |  or better,' so I installed Linux."
Denton, TX  76201                | 

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: On the Generation of Pseudo-OTP
Date: Fri, 08 Jan 1999 18:23:25 +0100

R. Knauer wrote:
> 
> On Fri, 08 Jan 1999 15:00:24 +0100, Mok-Kong Shen
> <[EMAIL PROTECTED]> wrote:
> 
> >> >Have you ever encountered a physical device that is absolutely
> >> >perfect??
> 
> >> Have you ever encountered a written statement that is Absolutely
> >> Perfect?  For example, is the written statement you just made Absolutely
> >> Perfect?
> 
> >I don't think this group is the right place
> 
> You don't know what this group is the right place for. If you don't
> believe me, just sift thru dejanews a year ago.
> 
> We had some pretty far ranging discussions going back then, which
> attracted wide participation and were very enlightening in terms of
> the fundamentals of crypto, at least for me.
> 
> Books can only go so far, and then it comes time to start wrestling
> with the details to gain insight.
> 
> >for meta-logical tricky sentences.
> 
> The Epimenides Paradox is hardly a "tricky sentence". It along with
> the Russell and Berry Paradoxes are most important to mathematics.
> 
> >We want concrete discussions relevant to
> >the issue being discussed.
> 
> Godel must be either laughing his butt off or rolling in his grave
> right now.
> 
> The foundation of crypto is number theory, and constraints on formal
> systems are fully a part of it.

If you like to rank yourself with Goedel and Russell then I
suggest that you first keep all discussions tightly within the
bounds of the science of cryptology.

M. K. Shen

------------------------------

From: Rx Video <[EMAIL PROTECTED]>
Subject: Well-written books on mathematics ?
Date: Fri, 08 Jan 1999 12:54:57 -0500

Hello,

I've had linear algebra some time ago, with all its vectors, rings,
fields and matrices, but I didn't manage to quite understand it.
Appears, that it is rather heavily used in the field of data encryption,
so I would like to know, if there are some good books (well-explained,
with examples and so on) which might be helpful with understanding at
least the basics of encryption algorithms (why are they designed the way
they are, and what makes them safe).
Sincerely yours,

Martin


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
