Cryptography-Digest Digest #406, Volume #9       Sat, 17 Apr 99 01:13:06 EDT

Contents:
  Re: True Randomness & The Law Of Large Numbers ("Douglas A. Gwyn")
  Re: discrete logarithm problem ("Douglas A. Gwyn")
  Re: Quantum computing ("Douglas A. Gwyn")
  Re: Thought question:  why do public ciphers use only simple ops like shift and XOR? (Terry Ritter)
  Re: Thought question:  why do public ciphers use only simple ops like shift and XOR? (Terry Ritter)
  Re: Thought question:  why do public ciphers use only simple ops like shift and XOR? (Terry Ritter)
  Re: Thought question:  why do public ciphers use only simple ops like  ("Douglas A. Gwyn")
  Re: Adequacy of FIPS-140 (wtshaw)
  Re: Thought question:  why do public ciphers use only simple ops like  ("Douglas A. Gwyn")
  Re: John Savard is REALLY REALLY STUPID!! (Boris Kazak)
  Re: Adequacy of FIPS-140 ("Douglas A. Gwyn")
  Re: Radiation/Random Number question ("Douglas A. Gwyn")
  Re: How robust are pencil and paper cyphers? ("Douglas A. Gwyn")

----------------------------------------------------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: True Randomness & The Law Of Large Numbers
Date: Sat, 17 Apr 1999 04:18:03 GMT

Alan Braggins wrote:
> [EMAIL PROTECTED] (R. Knauer) writes:
> > Most people know me as a Devil's Advocate
> How do you know? It could be that most people think you are
> babbling, and are grateful that Mr. Gwyn can be bothered to
> take the time to answer you. I mention this as a purely
> hypothetical possibility, of course...

It could be that he has misinterpreted the label "D.A." :-)

But, seriously, Alan, you make a valid point --
I don't recall seeing any postings other than R. Knauer's
calling him a "Devil's Advocate", and even that occurred
only when it was made so patently clear that he had been
saying stupid things that he had to try to save face.
(It is generally good diplomacy to allow the compromiser
to save face.  We have lots of sayings about cornered rats
and the like.)

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: discrete logarithm problem
Date: Sat, 17 Apr 1999 04:25:30 GMT

Medical Electronics Lab wrote:
> It's been a mighty long time since I've done QM, but decoherence
> is just wave function decay with time.

That is avoidable with solitons.

> When you add other interactions things fall apart faster.

That's the real practical problem.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Quantum computing
Date: Sat, 17 Apr 1999 04:28:23 GMT

Coen Visser wrote:
> I don't think we are able to construct an algorithm that
> can withstand 50 years of cryptanalysis, 256 bit keys
> or not.

Lone Ranger:  Look at all those bloodthirsty warriors!  Looks like
        we're in real trouble now, Tonto!
Tonto:  Whatcha mean "we", white man?

50 years is a standard design goal for US governmental
cryptosystems, and it has been pretty much attained.

------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Thought question:  why do public ciphers use only simple ops like shift and XOR?
Date: Sat, 17 Apr 1999 04:39:12 GMT


On Fri, 16 Apr 1999 17:05:05 -0700, in
<xlQR2.1311$[EMAIL PROTECTED]>, in sci.crypt "Steven
Alexander" <[EMAIL PROTECTED]> wrote:


>What exactly is your suggestion for the creation of a cipher in which we can
>place our trust?  

Absent a theory or overall test of strength, there can be no trust in
a cipher.  All the trust one can have is delusion.  


>The best we can do at any one point is to create a cipher
>that is secure against the attacks that we know of .  If we do not know of
>many attacks this will not entail much.  If we have a group of the best
>cryptanalysts who analyze a cipher and find no vulnerabilities, this does
>not mean that any vulnerabilities do not exist...it only means that those
>that we know of...and variations thereof do not exist in that cipher.  

Exactly.


>This
>gives us a degree of trust in the cipher.  

What most people want is a strong cipher.  Absent evidence of strength
there is no basis for such trust.


>In RSA for example, we believe
>that the only way to break the cipher is to factor n.  If I find a new way
>to factor n in just a couple of minutes on your typical PC the cipher is
>broken.  However, the odds that someone will invent a way to factor that is
>so phenomenally better is very unlikely.  

This is a disturbingly-unwarranted statement:  Nobody has any idea
what the true odds are, so we cannot infer that they are good or bad.



>If I try to build a cipher and do
>not understand cryptanalysis I will not have any idea how to protect my
>cipher.  If you have a better way to design ciphers, please share.

Actually, I think there are better ways.  For one thing we can use
very simple constructs with few types of component, each of which can
be fully understood for what it does.  For another we can design
scalable ciphers that can be scaled down to experimental size.

However, the real issue is that while supposedly everyone knows that
any cipher can be weak, there has been essentially no attention given
to protocols which deal with this problem.  

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM


------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Thought question:  why do public ciphers use only simple ops like shift and XOR?
Date: Sat, 17 Apr 1999 04:39:19 GMT


On Sat, 17 Apr 1999 02:22:42 GMT, in
<[EMAIL PROTECTED]>, in sci.crypt
[EMAIL PROTECTED] (ybizmt) wrote:

>On Fri, 16 Apr 1999 23:53:14 GMT, Terry Ritter <[EMAIL PROTECTED]> wrote:
>> *I* think you are being selective in stating "the" point Schneier has
>> made.  While he may have conceded that no cipher is secure after long
>> discussion, his point often is that cryptanalysis is necessary to know
>> the strength of a cipher.  Of course, the fact that he sells such
>> services would have nothing to do with it.  
>
>Refresh my memory. What do you sell?

Just the truth, lately.  

I just find it an interesting coincidence when people promote errors
in reasoning which just happen to benefit their business.  

On the other hand, promoting truths which also happen to benefit one's
business seems not nearly as disturbing.  

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM


------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Thought question:  why do public ciphers use only simple ops like shift and XOR?
Date: Sat, 17 Apr 1999 04:39:24 GMT


On Sat, 17 Apr 1999 02:28:52 GMT, in
<[EMAIL PROTECTED]>, in sci.crypt
[EMAIL PROTECTED] (ybizmt) wrote:

>On Fri, 16 Apr 1999 23:53:19 GMT, Terry Ritter <[EMAIL PROTECTED]> wrote:
>> It is not provably better.  And not provably better admits the
>> possibility of contradiction.  So we do not know.  Which means that
>> interpreting years of intensive analysis as strength is nothing more
>> than DELUSION.  Cryptanalysis of any length whatsoever provides no
>> rational scientific indication of strength.  
>
>Nor is it intended to. Who has ever claimed that analysis equals
>strength in any field? It is intended to make you more confident
>that something is strong. No one is saying it proves strength.

Sure they are.  As far as I know, Schneier's point has always been
that cryptanalysis is the way we know a cipher's strength.  I'm sure
he would agree that this is not proof, but I do not agree that it says
anything at all.  The implication that cryptanalysis would like to
promote is indeed that of tested strength.  


>Not at least trying cryptanalysis on a cipher is stupid which
>I'm sure you agree with.

I do.  But there is no one cryptanalysis.  Indeed, there is no end to
it.  But we do have to make an end before we can field anything.  This
in itself tells us that cryptanalysis as certification is necessarily
incomplete.  

Our main problem is that cryptanalysis does NOT say that there is no
simpler attack.  It does NOT say that a well-examined cipher is secure
from your kid sister.  Oh, many people will offer their opinion, but
you won't see many such claims in scientific papers, because there
we expect actual facts, as opposed to wishes, hopes, and dreams.  

Cryptanalysis does NOT give us an indication of how much effort our
Opponent will have to spend to break the cipher.  Yet that is exactly
what the cryptanalytic process would like us to believe:  That is why
we have the process of:  1) design a cipher, and  2) certify the
cipher by cryptanalysis.  As I see it, the real opportunity for
cryptanalysis is as part of a dynamic and interactive cipher design
process, as opposed to final certification.  


>> In some cases this process is a deliberate attempt to make
>> cryptanalysis seem more than it is, so that ciphers which have
>> "passed" (whatever that means) will be accepted as "strong," which
>> should never be done.  We can see this in the path of the AES process,
>> which, presumably, gets us a "strong" cipher.  We see NO attempt to
>> innovate constructions or protocols which give strength in the context
>> of ciphers which may be weak.  Yet you would have us assume that
>> everyone knows that ciphers may be weak, and simply chooses to do
>> nothing about it.  
>
>Nice rant. 

Thanks.  I suggest you learn it by heart if you intend to depend upon
cryptography.  


>Where are you going with this and how does it sell your
>product?

This is my bit for public education.  

I have no modern products.  I do offer cryptographic consulting time,
and then I call it as I see it.  I also own patented cryptographic
technology which could be useful in a wide range of ciphers.  

I see no problem with someone promoting what they think is an advance
in the field, even if they will benefit.  But when reasoning errors
are promoted which just happen to benefit one's business -- in fact, a
whole sub-industry -- some skepticism seems appropriate.  Just once I
would like to see delusions promoted which produce *less* business.  

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM


------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Thought question:  why do public ciphers use only simple ops like 
Date: Sat, 17 Apr 1999 04:39:52 GMT

Sundial Services wrote:
> like:  shift, exclusive-OR, and "bit-twiddling."  Most of these ops are
> readily reversible.

Yes, that ensures that decryption is feasible.

> About the only "original idea" I've seen, since reading discussions of
> older machines like SIGABA, is Terry Ritter's "Dynamic Substitution"
> patent.  At least he is using a more complex transformation than 99.9%
> of the things I've seen ... since SIGABA ... and he's burying a lot more
> information than most designs do.

Complexity in itself is no guarantee of security; witness Knuth's
"super-random" number generator (Algorithm K).  As to how "deeply
buried" the information is, how do you determine that?  Is there
some computable figure of merit, or what?

> My question is, aside from possible requirements for constructing their
> ciphers in hardware, why do designers routinely limit themselves to
> these simple bitwise operators in designing ciphers?

Simpler systems are, usually, easier to analyze more thoroughly.
The more thoroughly we understand a class of systems, the more
confident we can be that other analysts won't find some shortcut.

> It seems to me as a layman that the older, more complex designs
> were also far more secure than what we have now,

How do you know what we have now?  The public didn't have access
to SIGABA systems back then, just as they don't have access to
<censored> today.

> and that a computer program would have no particular difficulty
> implementing them.  We are not building hardware devices; we are
> not limited to LFSR's.

It is true that simulation of a Hagelin or Hebern machine, or SIGABA,
is easy these days, and that computer programs don't *have* to follow
a classical hardware model.  However, things like LFSRs have been
thoroughly studied by cryptomathematicians, so informed decisions
can be made about how (or whether) to use them.  If you attempt a
new system structure, until it is well understood mathematically,
you'd have no justification for thinking it to be secure.

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Adequacy of FIPS-140
Date: Fri, 16 Apr 1999 23:24:37 -0600

In article <[EMAIL PROTECTED]>, "Douglas A. Gwyn"
<[EMAIL PROTECTED]> wrote:

> wtshaw wrote:
> > ...  In short, we get back to considering the effort and data
> > requirements needed to break a key in given cryptosystems.
> 
> Okay, I grant that that is a reasonable metric; now the question
> is how to *measure* this.  The cost of a brute-force key search
> only establishes an upper bound, which is useless to us (unless
> it is so low as to already be below our security threshold).

Precisely, you need only make it so costly or unreasonable to attempt to
dissuade attempts to do it.  That seems an obtainable goal.
-- 
Too much of a good thing can be much worse than none.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Thought question:  why do public ciphers use only simple ops like 
Date: Sat, 17 Apr 1999 05:00:53 GMT

Terry Ritter wrote:
> >But, If I learn to break the ciphers of others and
> >use my experience to create a new cipher that others cannot break it will be
> >listened to because I am known to be knowledgeable in how ciphers work.
> Nonsense.  Knowing how to break some ciphers does not mean that you
> know how ciphers work.  ...

I think the truth is somewhere in between.  I myself maintain that
if you know too little about how cryptosystems are broken, you also
don't know all the potential vulnerabilities of a system you may
design, and so unless you have unusual "beginner's luck", your
system is bound to be vulnerable.  Worse, it is vulnerable in ways
that were *preventable* if only you hadn't tried to take a shortcut
to success...

> We only know what success is reported in the academic literature.
> Unfortunately, when we use a cipher, we are very rarely concerned
> whether academics can break our cipher or not.  We are instead
> concerned about "bad guys," and they don't tell us when they have been
> successful.

That is the reason for "tiger teams", who act the part of bad guys.
If your system hasn't been attacked by cryptanalysts who know *how*
to mount such an attack, then it hasn't undergone sufficient Quality
Control.

> >...  Schneier and others have acknowledged that any cipher can be
> >broken at any time.

The only valid thing they could say is that they don't know any
way to demonstrate that a cipher is inherently secure (to some
agreed level of confidence, under ideal operating conditions).
However, there *have* been a few academic publications purporting
to demonstrate provable security for certain systems.  A valid
proof would mean that the system was secure so long as nothing
went wrong.  (That is always an important practical caveat, since
things do occasionally go wrong.)

Absence of knowledge is not knowledge of absence.

> ...  He would thus have us believe that the lack of
> information about weakness in one cipher is superior to
> information of impractical weakness in another cipher.

The problem is, a decision has to be made, despite having
incomplete information.  All other things being equal, a
demonstrated weakness is *some* evidence against that
system, even if we can't quantify how much, which would
tip the balance.  But when there are factors both pro and
con, then your criticism is apropos -- we need to know
the relative amount of weight to give each factor if we
want to make the most rational decision.

------------------------------

From: Boris Kazak <[EMAIL PROTECTED]>
Subject: Re: John Savard is REALLY REALLY STUPID!!
Date: Fri, 16 Apr 1999 21:27:09 -0400
Reply-To: [EMAIL PROTECTED]

John Savard wrote:
> 
> "Charles Booher" <[EMAIL PROTECTED]> wrote, in part:
> 
> >Can you please give me the next prime number?
> 
> No. If the real Mr. Booher is indeed not the author of these posts, I hope
> he reads this newsgroup and complains...
> 
> John Savard (teneerf is spelled backwards)
> http://members.xoom.com/quadibloc/index.html
======================
  Dear Mr. Savard!
(this is a repetition of a post which I did in answer to someone else)
   You probably just don't have enough cynicism to understand what is 
really going on here. The guy who makes these postings IS NOT and 
NEVER WAS Charles Booher.
   By writing and distributing the SecureOffice Charlie Booher made 
himself a target for a bunch of scoundrels who will stay at nothing 
to get him silenced. Now, the technique of attributing outrageous 
sentences to somebody who must be discredited is not exactly new. 
   A classical example is the ruse with "Protocols of the Elders of 
Zion", faked by the Russian secret police in the 1890s and subsequently
used by the Russian tsar to launch the Jewish pogroms and later by Hitler 
to launch the Holocaust. 
   A recent example of this technique is the accusation of Los Angeles
police detective Mark Fuhrman, who was loudly and cynically accused of
being racist, doubt has been cast on his honesty in handling the 
evidence, which in turn resulted in the acquittal of O.J. Simpson.
   A guy (or a bunch) making these postings is clearly building up,
more precisely, faking some "evidence" which ultimately will be used 
to lock Charlie Booher into a mental institution. Who is interested in
such an outcome - certainly not C.Booher himself. Are there people who
might be interested in silencing him - certainly.
   And please don't tell me that such things cannot happen in America.
I come from Russia, I have seen people locked up with less evidence 
than that; Americans, on their side, are very quick learners, so this 
Russian method is almost certain to find a second home here.
           Best wishes                    BNK

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Adequacy of FIPS-140
Date: Sat, 17 Apr 1999 05:08:59 GMT

Terry Ritter wrote:
> On Fri, 16 Apr 1999 07:36:38 GMT, in <[EMAIL PROTECTED]>, in
> sci.crypt "Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote:
> >wtshaw wrote:
> >> ...  In short, we get back to considering the effort and data
> >> requirements needed to break a key in given cryptosystems.
> >Okay, I grant that that is a reasonable metric; now the question
> >is how to *measure* this.  The cost of a brute-force key search
> >only establishes an upper bound, which is useless to us (unless
> >it is so low as to already be below our security threshold).
> All we can get from any cryptanalysis is an upper bound.

Who imposed such a constraint?  Cryptanalysis is not the only
method of studying systems.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Radiation/Random Number question
Date: Sat, 17 Apr 1999 05:12:51 GMT

R H Braddam wrote:
> So, in your experience the cumulative effects would make it impossible to
> use solid state devices to detect radiation. Therefore, a solid state
> detector would not be feasible. Thanks for your help anyway.

But we *do* use solid-state radiation detectors, called SQUIDs.
So something is wrong with the argument.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: How robust are pencil and paper cyphers?
Date: Sat, 17 Apr 1999 05:14:15 GMT

InEN97 wrote:
> It is my understanding that pencil and paper cyphers ... have
> a degree of security ... that is inversely proportional to the
> message length and key length, repetition and reuse.

No.  There is no simple formula for this.

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************