Cryptography-Digest Digest #404, Volume #9       Fri, 16 Apr 99 21:13:04 EDT

Contents:
  Re: AES Competition ("Steven Alexander")
  Re: Thought question:  why do public ciphers use only simple ops like shift and XOR? 
(Terry Ritter)
  Re: Thought question:  why do public ciphers use only simple ops like shift and XOR? 
(Patrick Juola)
  Re: discreate logarithm problem (Medical Electronics Lab)
  Re: One-Time-Pad program for Win85/98 or DOS ("Steven Alexander")
  Re: Radiation/Random Number question ("R H Braddam")
  Re: Thought question:  why do public ciphers use only simple ops like shift and XOR? 
(Terry Ritter)
  Re: Thought question:  why do public ciphers use only simple ops like shift and XOR? 
(Terry Ritter)
  Another Scramdisk question (+ reposting of old one) ("N")
  Re: AES Competition (Casey Sybrandy)
  How robust are pencil and paper cyphers? (InEN97)
  Re: PGP=NSA (PGP 6 totally cracked by NSA!!) (Sandy Harris)

----------------------------------------------------------------------------

From: "Steven Alexander" <[EMAIL PROTECTED]>
Subject: Re: AES Competition
Date: Fri, 16 Apr 1999 15:16:09 -0700

Hmmmm.
I'd say that the following are taken out:

Loki97
DEAL
FROG
Magenta
MARS
Hasty Pudding
Crypton
DFC
TwoFish
RUNDAEL

leaving:

RC6
Serpent
CAST-256
SAFER+
E2

------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Thought question:  why do public ciphers use only simple ops like shift 
and XOR?
Date: Fri, 16 Apr 1999 22:32:57 GMT


On Fri, 16 Apr 1999 14:06:57 -0700, in
<jKNR2.591$[EMAIL PROTECTED]>, in sci.crypt "Steven
Alexander" <[EMAIL PROTECTED]> wrote:

>>[...]
>>I dispute this.  This is essentially what Schneier would have us
>>believe, and it is false.
>>
>>The truth is that we *never* know the "real" strength of a cipher.  No.....
>
>I don't think that you understand the point that Schneier and others have
>made.  
>If I (a nobody) create a new cryptosystem tomorrow, nobody will have
>any confidence in it.  

This is seriously disturbing:  The issue is not who makes a thing, but
instead what the thing actually is.  Deliberately judging a design in
the context of who made it is actually anti-scientific, and should be
widely denounced as the superstition it is.  


>But, If I learn to break the ciphers of others and
>use my experience to create a new cipher that others cannot break it will be
>listened to because I am known to be knowledgeable in how ciphers work.

Nonsense.  Knowing how to break some ciphers does not mean that you
know how ciphers work.  That idea *is* the point "that Schneier and
others have made" and it is a fantasy.  It is especially fantastic
when ciphers use technology which academics have ignored.  But in any
case, without a LOWER bound on strength, academics REALLY do not even
know that ciphers work *at* *all*, let alone how.  


>But, it will still not be trusted.  Only after many people have analyzed and
>failed to break my cipher will people say..."his cipher has held up to
>five(ten) years of cryptanalysis by very knowledgeable cryptanalysts.  

Nonsense.  There is no such conclusion.  Ciphers do not ripen like
cheese.

We first of all do not know how many attacks were made (if any), nor
how much effort was placed into them.  Attacks made by experienced,
well-paid, well-motivated teams with all the equipment they need are
quite different from those of single individuals working at a desk at
night and coming up with a new mathematical equation.  Not finding an
equation does not mean some team has not had success.  

We only know what success is reported in the academic literature.
Unfortunately, when we use a cipher, we are very rarely concerned
whether academics can break our cipher or not.  We are instead
concerned about "bad guys," and they don't tell us when they have been
successful.  

So this delay -- supposedly for gaining confidence -- in reality tells
us nothing at all about the strength of the cipher. 

>We
>can assume with an adequate level of confidence that the cipher will protect
>our information."  However, it is still realized that  at any time someone
>can invent a new cryptanalytic attack and my cipher will be rendered
>useless.  Schneier and others have acknowledged that any cipher can be
>broken at any time.

As I recall, Schneier and others claim that cryptanalysis is how we
know the strength of a cipher.  It is not.  Cryptanalysis can only
show weakness, only that when it is successful, and even then it only
gives us the latest upper bound.  

But the main problem is not knowing the strength of *new* ciphers, but
rather knowing the strength of *old* ciphers: we are actually using
the old ciphers.  When ciphers have been in long use there is a
delusion that we know their strength and can use them as a benchmark
against new ciphers.  Absent a non-zero LOWER bound on strength, this
is false on both counts.

As I recall, in his comments on AES, Schneier has said that simply
finding a cryptanalytic weakness in one of the designs would be
sufficient to remove it from competition, even if the weakness was
impractical.  He would thus have us believe that the lack of
information about weakness in one cipher is superior to information of
impractical weakness in another cipher.  I disagree.

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM


------------------------------

From: [EMAIL PROTECTED] (Patrick Juola)
Subject: Re: Thought question:  why do public ciphers use only simple ops like shift 
and XOR?
Date: 16 Apr 1999 17:21:22 -0400

In article <[EMAIL PROTECTED]>, Terry Ritter <[EMAIL PROTECTED]> wrote:
>
>On Fri, 16 Apr 1999 17:28:13 GMT, in
><[EMAIL PROTECTED]>, in sci.crypt
>[EMAIL PROTECTED] (John Savard) wrote:
>
>>[...]
>>- Also, since there are many insecure cipher designs floating around, one
>>can't just accept that a cipher is secure based on its designer's say-so.
>>Instead, what gives real confidence in a cipher design is that it has been
>>studied by experts who have failed to crack it, but who have come away from
>>their attempts with an understanding of the source of the design's
>>strengths.
>
>I dispute this.  This is essentially what Schneier would have us
>believe, and it is false.
>
>The truth is that we *never* know the "real" strength of a cipher.  No
>matter how much review or cryptanalysis a cipher gets, we only have
>the latest "upper bound" for strength.  The lower bound is zero:  Any
>cipher can fail at any time.  
>
>Since we have only an upper bound for the strength of any cipher, any
>confidence we may have is no more than our own delusion.  We wish and
>hope for cipher strength, and -- absent a specific proof otherwise --
>we gradually come to believe in it.  But that does not make it true.  

So you're suggesting that a cypher that has withstood years of
intensive analysis by professionals is *NO* better than a cypher
that has not been analyzed at all?

I don't believe this; in fact, I think it's total bullshit.  It's
certainly true that you may not be able to *formalize* the difference
into a p-value, but you're committing a grievous error if you
think that something doesn't exist merely because you can't quantify
it.

        -kitten

------------------------------

From: Medical Electronics Lab <[EMAIL PROTECTED]>
Subject: Re: discreate logarithm problem
Date: Fri, 16 Apr 1999 12:40:14 -0500

David A Molnar wrote:
> 
> > Hmmm, those registers are single particles, right?  So they're one bit
> > wide!
> 
> 1 qubit wide, isn't it? ;-)
> 
> yes, but you try getting 3 qubits to play nice with the outside world.
> 
> on that note, does anyone have a favorite mathematical explanation of
> 'decoherence' ??
> 
> -David (who realizes that he's not at all sure about the particle <--> qubit
>             equivalence besides 'stands to reason.')

Not quite.  A qubit is a "quantum binary digit" and it can be a
lot more than just one particle (will be for a few hundred years
I suspect :-)  A register will need 1024 qubits to factor a
1024 bit number.  There are two possible ways to proceed:  you set
up 1 register and let it feed possible factors to 2 other registers
(which is why you need 3) and do that until you have a good idea
of what the probable answer is OR you set up a few billion registers
all at once and measure each one's results.  The latter method
is what has been done in the laboratory so far (with 2 qubit registers).

A qubit might be a quantum well consisting of several thousand atoms
but it only holds one electron at a time, in various energy levels.
So in one sense there is only 1 particle for the qubit, but it takes
lots of particles to hold it in place.

It's been a mighty long time since I've done QM, but decoherence
is just wave function decay with time.  When you add other interactions
things fall apart faster.  So the trick to quantum computing is to
hold the qubits away from the rest of the universe while they "think"
about the problem, then look at them in what you hope is a "resting"
state.  That is, you hope measuring the answer doesn't change it!

Patience, persistence, truth,
Dr. mike

------------------------------

From: "Steven Alexander" <[EMAIL PROTECTED]>
Crossposted-To: alt.security,alt.privacy
Subject: Re: One-Time-Pad program for Win85/98 or DOS
Date: Fri, 16 Apr 1999 16:03:48 -0700

Correct me if I'm wrong, but if it is biased (for this discussion towards 1)
then there will be more pairs of 1 than of 0 that will be thrown out.  This
will result in a lower occurrence of 1, against which the stream was biased.

-steven


>I do not profess to be a mathematician but I must intuitively question
>the validity of the assumption in "(3)" namely:  "with equal
>probability."
>
>If the incoming stream of bits (or eight-bit groups) from the RNG is
>biased, then groups-of-bits of any size would also be biased.
>[...]
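
The pair-discarding procedure under discussion reads like the classic von Neumann extractor: take the raw bits in non-overlapping pairs, throw away 00 and 11, and emit one bit for each 01 or 10 pair. (The original post that numbered the steps is not in this digest, so that reading is an assumption.) The following is an added example, not code from either poster, that simulates a biased source, runs the extractor over it, and counts the four pair patterns so the "with equal probability" claim can be checked directly. It also includes a constructed source whose bias is aligned with the pair boundaries, to show what the extractor does when the bits are not independent. The source simulations use Python's `random` module as a stand-in for a hardware RNG and are labelled as constructed.

```python
import random
from collections import Counter


def biased_bits(n, p_one, seed=1):
    """Constructed stand-in for a biased hardware RNG: independent bits,
    each 1 with probability p_one.  The seed only makes the run repeatable."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def alternating_bias_bits(n, p_even, p_odd, seed=1):
    """Constructed source whose bias differs between even and odd positions,
    i.e. between the first and second bit of every pair.  Used below to show
    what happens when the independence assumption does not hold."""
    rng = random.Random(seed)
    return [1 if rng.random() < (p_even if i % 2 == 0 else p_odd) else 0
            for i in range(n)]


def pair_counts(bits):
    """Count the non-overlapping pair patterns 00, 01, 10 and 11."""
    counts = Counter()
    for i in range(0, len(bits) - 1, 2):
        counts[f"{bits[i]}{bits[i + 1]}"] += 1
    return counts


def von_neumann_debias(bits):
    """Von Neumann extractor: walk the input in non-overlapping pairs, throw
    away 00 and 11, and emit the first bit of every 01 or 10 pair.

    With independent bits and P(1) = p, P(01) = (1-p)*p and P(10) = p*(1-p),
    which are equal for every p.  The discarded 00/11 pairs are the ones that
    carry the bias; the kept pairs do not, so the output is balanced no matter
    how skewed the input was.  Correlated bits break that equality."""
    out = []
    for i in range(0, len(bits) - 1, 2):
        a, b = bits[i], bits[i + 1]
        if a != b:
            out.append(a)
    return out


def ones_fraction(bits):
    return sum(bits) / len(bits) if bits else 0.0


def summarize(src):
    """Run the extractor over a bit list and report before/after statistics."""
    out = von_neumann_debias(src)
    return {
        "input_ones": ones_fraction(src),
        "pairs": pair_counts(src),
        "output_ones": ones_fraction(out),
        # expected p(1-p) output bits per input bit: 0.16 for p = 0.8
        "yield": len(out) / len(src),
    }


if __name__ == "__main__":
    # Independent source biased 80/20 toward 1: most 11 pairs and a few 00
    # pairs are discarded, 01 and 10 occur equally often, output is ~50/50.
    print("independent p=0.8:", summarize(biased_bits(200_000, 0.8)))
    # Bias aligned with the pair boundaries breaks P(01) = P(10):
    # P(01) = 0.2*0.5 = 0.1, P(10) = 0.8*0.5 = 0.4, so the output is ~80% ones.
    print("pair-aligned bias:", summarize(alternating_bias_bits(200_000, 0.8, 0.5)))
```

The first run confirms the point being debated: the 11 pairs are thrown away far more often than the 00 pairs, but that does not tilt the output, because the output is built only from the 01 and 10 pairs, which are equally likely for any fixed bias. The price is throughput: at p = 0.8 only about 16 output bits survive per 100 input bits. The second run is the caveat a practitioner wants: the extractor assumes the two bits of a pair are independent and identically distributed. A source whose bias changes in step with the pair boundaries (or is otherwise correlated within a pair) comes out of the extractor still biased, so the raw stream should be tested for that before trusting the whitened output in a one-time pad.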



------------------------------

From: "R H Braddam" <[EMAIL PROTECTED]>
Subject: Re: Radiation/Random Number question
Date: Fri, 16 Apr 1999 18:05:05 -0500

Thank you for replying. With the amount of discussion in another thread
about "True Random Numbers" and the mention that radioactivity is a possible
source, it occurred to me that there is a commonly available source of
radioactivity. If there is a way to use it in an inexpensive device many of
us would benefit.

Lassi Hippeläinen wrote in message
<[EMAIL PROTECTED]>...
>Since I happened to be involved in space engineering a few years ago, I still
>remember something. But that was a few years ago, I don't have any reference
>manuals at my elbow, so please don't take the answers as final truth.
>
>Rad-hard components are mainly made for aerospace environments. The problem is
>not just single errors (SEDs, IIRC), but also cumulative radiation. At ground
>level the ordinary components are good enough.
>
>Radiation also changes the electrical characteristics of the circuit. Each
>event a little more. The distribution of events would not be constant during
>the lifetime of the system. As mentioned in the beginning, rad-hard ICs
>tolerate _cumulative_ effects of radiation.
>
>Even with rad-hard ICs, if the rate of radiation induced events is high enough
>for a random number generator, the chip won't live long :-(
>
>-- Lassi

So, in your experience the cumulative effects would make it impossible to
use solid state devices to detect radiation. Therefore, a solid state
detector would not be feasible. Thanks for your help anyway.

Murphy's Law is the only sure thing in the Universe.

Rick



------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Thought question:  why do public ciphers use only simple ops like shift 
and XOR?
Date: Fri, 16 Apr 1999 23:53:14 GMT


On Fri, 16 Apr 1999 15:41:12 -0700, in
<X6PR2.1145$[EMAIL PROTECTED]>, in sci.crypt "Steven
Alexander" <[EMAIL PROTECTED]> wrote:

>I think the point that Schneier and others have made, which I personally
>agree with, is that no cipher is "secure".  

*I* think you are being selective in stating "the" point Schneier has
made.  While he may have conceded that no cipher is secure after long
discussion, his point often is that cryptanalysis is necessary to know
the strength of a cipher.  Of course, the fact that he sells such
services would have nothing to do with it.  


>We can however put more trust
>into an algorithm that has undergone more cryptanalysis and has been tested
>against the newest cryptanalytic techniques because we know what will not
>break the cipher.  

Nope.  Simply because "we" cannot break it does not mean that others
cannot break it.  We are not confronting our clones:  our Opponents
know more than we do, and are probably smarter as well.  


>I personally would not trust any algorithm that I and
>other motivated people had not tested.  

But there *is* no test for strength.


>I also think that understanding how
>to break ciphers 

But there is no one way, nor any fixed set of ways, which are "how to
break ciphers."  No matter how much you "understand," there is more to
know.  That is the problem.  


>gives a better knowledge of how to build ciphers because
>you know what can break them.  

One proper role for cryptanalysis is to support the design of ciphers.



>This is why some of the best security experts
>are hackers...they know how to get in.  You cannot prevent your computer
>from being hacked if you do not know what means someone will use to break
>in.  It would be like building large stone walls around a military base and
>not expecting someone to fly over and drop a bomb...if you don't know that
>airplanes and bombs can destroy your base as well as ground troops...you've
>already lost.

Then you are lost.  Neither you nor anybody else can predict every
possible way to attack a cipher or a base.  

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM


------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Thought question:  why do public ciphers use only simple ops like shift 
and XOR?
Date: Fri, 16 Apr 1999 23:53:19 GMT


On 16 Apr 1999 17:21:22 -0400, in <7f89ki$gng$[EMAIL PROTECTED]>,
in sci.crypt [EMAIL PROTECTED] (Patrick Juola) wrote:

>[...]
>So you're suggesting that a cypher that has withstood years of
>intensive analysis by professionals is *NO* better than a cypher
>that has not been analyzed at all?

It is not provably better.  And not provably better admits the
possibility of contradiction.  So we do not know.  Which means that
interpreting years of intensive analysis as strength is nothing more
than DELUSION.  Cryptanalysis of any length whatsoever provides no
rational scientific indication of strength.  


>I don't believe this; 

It is not necessary for you to believe it:  It is what it is.


>in fact, I think it's total bullshit.  

Then you need to think about it more deeply.  


>It's
>certainly true that you may not be able to *formalize* the difference
>into a p-value, but you're committing a grievous error if you
>think that something doesn't exist merely because you can't quantify
>it.

The issue is not the "formalization" of something we know but cannot
quantify, but rather something we actually do not know.  When we
attempt to formalize what we really do not know we commit logical
error.  In fact, I would say that this process is in some cases a
deliberate attempt to hide these issues from management, command staff
and the general user.  

In some cases this process is a deliberate attempt to make
cryptanalysis seem more than it is, so that ciphers which have
"passed" (whatever that means) will be accepted as "strong," which
should never be done.  We can see this in the path of the AES process,
which, presumably, gets us a "strong" cipher.  We see NO attempt to
innovate constructions or protocols which give strength in the context
of ciphers which may be weak.  Yet you would have us assume that
everyone knows that ciphers may be weak, and simply chooses to do
nothing about it.  

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM


------------------------------

From: "N" <[EMAIL PROTECTED]>
Subject: Another Scramdisk question (+ reposting of old one)
Date: Fri, 16 Apr 1999 23:57:36 GMT

In Scramdisk, I normally attempt to mount volumes by dragging and dropping
the container file onto the Scramdisk utility window.  After entering the
passwords, sometimes I find that my entries are simply rejected and I am
prompted to try again (the red screen simply disappears and then reappears).
Confident that I have already entered the correct passwords, however, if I
simply escape out of the password entry screen and then perform another drag
and drop, the volume mounts without further ado - demonstrating that the
passwords are now being acknowledged.

I have also noticed that passwords aren't always cached in such a way that
they can be reused once a mounted volume has been dismounted: sometimes, on
attempting a remount of a volume just dismounted, I am prompted once again
for the passwords, whilst at other times the remounting takes place without
this being necessary.  Is this to be expected?

Also, could I ask whether Scramdisk can cache more than one set of passwords
at a time?  And, when passwords are cached, is there any risk of them being
swapped out of RAM?


Finally, I wonder whether there is any chance of a 'recently opened' list
being added to the <File> menu.  Okay, I realise that many will not want
there to be any indication as to which files on their system are mountable,
but presumably such a feature - if it were to be provided  - could include a
disabling option.

Many thanks to the authors of this great software!
N

===============================

Here's an earlier posting I made.  I've sent it again because I can never
seem to find it amongst postings to the Sci.crypt list!


I have Scramdisk installed and think it's a great piece of software.

Some of the files stored on it are encrypted again (yes, okay - forgive my
overkill!) using a mixture of PGP and Cryptext.

I have noticed that, sometimes when I try to decrypt some of these files on
the mounted volume, I get an error and the decryption will not proceed.  The
only way to access my files is by copying them back to my C: drive and
decrypting them from there.

Does anyone know why this might be happening?  It only occurs with certain
specific encrypted files, but happens consistently with the ones in
question.

In the case of PGP, the error reported is:
"PGP warning - an error has occurred: bad packet".

In the case of Cryptext, you just get the usual error that is reported when
the password has been mistyped.

=============================
As an aside, does anyone have any opinions as to the security afforded by
Cryptext?  I use it in conjunction with other encryption (like PGP), but
haven't
stumbled across many comments on it.

Many thanks
N

------------------------------

From: Casey Sybrandy <[EMAIL PROTECTED]>
Subject: Re: AES Competition
Date: Fri, 16 Apr 1999 20:38:42 -0400


1. MARS made it definitely.

2. TwoFish may have made it, not 100% sure

3. It's spelled Rijndeal

Steven Alexander wrote:

> Hmmmm.
> I'd say that the following are taken out:
>
> Loki97
> DEAL
> FROG
> Magenta
> MARS
> Hasty Pudding
> Crypton
> DFC
> TwoFish
> RUNDAEL
>
> leaving:
>
> RC6
> Serpent
> CAST-256
> SAFER+
> E2



------------------------------

From: [EMAIL PROTECTED] (InEN97)
Subject: How robust are pencil and paper cyphers?
Date: 17 Apr 1999 00:37:23 GMT

It is my understanding that pencil and paper cyphers (as are all, I guess) have
a degree of security (all other things being equal) that is inversely
proportional to the message length and key length, repetition and reuse. Is
there some theoretical lower bound for message length that will (in theory or
in practice) preclude analysis if a non-reused key of, say, 15 or 20 characters
is used in a mixed alphabet/multiple transposition hyper-encipherment protocol? I
am aware that at the time of his capture and trial, Abel's cypher system was not
broken; has that been independently accomplished?   SParkey 

------------------------------

From: [EMAIL PROTECTED] (Sandy Harris)
Subject: Re: PGP=NSA (PGP 6 totally cracked by NSA!!)
Date: Fri, 16 Apr 1999 19:56:05 GMT

"Charles Booher" <[EMAIL PROTECTED]> writes:

>There are only 1,000,000,000 possible PGP key pairs with DF implementation in
>PGP 6.0

If that's true, it's a serious weakness. 10^9 ~= 2^30 which is
appallingly weak.

However, I've no reason to believe it. I've seen you assert that PGP
has this weakness half a dozen times, but if you've attempted to
demonstrate it, I missed that post. 

Your tone & attitude are offensive. That of course does not mean
you're wrong, just that it's difficult to take you seriously. You seem
to be working really hard to appear as a loudmouth jackass out to
promote a product by ranting about imaginary inadequacies in the
competition. If you actually have something worthwhile to say, you
are doing yourself a serious disservice with your approach.

Giving you the benefit of the doubt, I'll ask:

Can you offer any analysis to substantiate this claim?

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************