Cryptography-Digest Digest #996, Volume #8 Fri, 29 Jan 99 09:13:02 EST
Contents:
Re: what do u think about this algorithm of mine? ("Uta Loeckx")
Smaller RC6 (handWave)
Fialka Punch Card Speculation
Re: Smaller RC6 (Fabrice Noilhan)
Re: Sanity check on authentication protocol (Paul Onions)
Re: Random numbers generator and Pentium III (R. Knauer)
Re: Random numbers generator and Pentium III (R. Knauer)
Re: Fialka Punch Card Speculation (Frode Weierud)
Re: Coin Toss Theory (R. Knauer)
Re: Random numbers from a sound card? (Patrick Juola)
Re: hardRandNumbGen (Patrick Juola)
Re: hardRandNumbGen (Patrick Juola)
Re: Question on key lengths (Patrick Juola)
----------------------------------------------------------------------------
From: "Uta Loeckx" <[EMAIL PROTECTED]>
Subject: Re: what do u think about this algorithm of mine?
Date: Fri, 29 Jan 1999 13:07:50 +0100
Klaus Rohde wrote:
> i don't know anything about encryption, but one day i was thinking about
> it and had an idea for an algorithm which, as far as i can see, is
> unbreakable.
>
> you take byte n of a text stream and XOR it with byte n of the key to
> produce byte n of the cipher text.
>
> to me this seem's unbreakable, because by applying the right key any
> cipher text can be decoded into literally anything of the same length,
> meaning that unless someone has the key, they can't gain anything out of
> the cipher text.
Read Bruce Schneier's "Applied Cryptography" and you'll see that you haven't been
the first one to come up with this algorithm. It's about the first thing you
encounter when you start with cryptography as I did myself some months ago. Any
other introduction will do, by the way (Beutelspacher: "Moderne Verfahren der
Kryptographie" for German Speaking is quite funny to read).
If I am not mistaken the thing you re-invented is called "One Time Pad". It is, as
you pointed out, unbreakable. But...
...once you use the key twice or more often, it is most easily breakable. Imagine
two ciphertexts of a certain length L in bits, and ONE key with the very same
length. There are 2^L possible keys, 2^L possible plain texts for each cipher text.
Only a small amount of the possible plain texts make sense, that's why only the
same small amount of the possible keys are candidates for decrypting each
ciphertext. You will hardly find more than one key which fits both ciphertexts if
these ciphertext exceed a (un)certain length. This length depends on the structure
of the encrypted data.
Conclusion: One time pads are used. Spies use them. They may have a one time pad of
some million or so byte key length. Somebody at home can read the ciphertext, but
afterwards they have to throw the key pad away. God help them if some of the
ciphertext gets lost and they do not know which byte of the key they have to use.
The problem is, that you have to transmit the key through a secure channel. But,
since the key is as long as the data, you could as well transmit that (provided you
know it at this point of time).
So, the method does not really apply to a lot of situations where encryption is
needed.
For instance, if you simply want to store a file securely on your computer, it does
not help to encrypt it with a one time pad, because you would have to hide the pad.
Andreas
>
>
> any thoughts or ideas (or proof that what im saying is nonsense) would be cool.
>
> :-) peter
--
======================================================================
Andreas Jaeger
Institut für Geoinformatik, Universität Münster
Robert-Koch-Straße 26/28
D-48149 Münster
Tel.: (0251) 83 - 3 00 11
Fax: (0251) 83 - 3 97 63
mailto:[EMAIL PROTECTED]
======================================================================
Andreas Jaeger
Hammer Straße 14
D-48153 Münster
Tel.: (0251) 53 37 78
======================================================================
------------------------------
From: handWave <[EMAIL PROTECTED]>
Subject: Smaller RC6
Date: Fri, 29 Jan 1999 04:39:49 -1000
The RC6 candidate for the Advanced Encryption Standard can use small
parameters for smart cards. RC6-w/r/b can use w=32 bit words, r=4 rounds,
and b=10 byte keys. It may use cipher block chaining so the small block
size does not leave it vulnerable to adversaries accumulating a
dictionary of 4 billion words. After 4 rounds, the mixing is nearly
ideal. The 80 bit key is good enough for rock and roll.
------------------------------
From: [EMAIL PROTECTED] ()
Subject: Fialka Punch Card Speculation
Date: 29 Jan 99 12:45:27 GMT
The post with "Information Pool" (well, really "inforamtionpool") in the
header concerns Joerg Drobick's web site, with information about some
cipher machines from behind the Iron Curtain.
The Fialka is claimed to be a 10-rotor Enigma, with a punched card
performing the function of the plugboard.
It occurs to me that, if the punched card is used to open connections in a
crossbar patch panel, as only one hole out of 30 is punched of those used,
it should not be necessary to use combinations difficult to produce on a
conventional keypunch machine.
After some thought, the following possible arrangement suggested itself to
me.
Up to 26 characters can be sent to their destinations by using 3 columns
for each one, the first column having a punch in any of the twelve hole
positions, and the remaining two using only positions 1 through 9.
Then, the unused 12, 11, and 0 zone punches from five characters amount to
30 more hole positions, so there is no problem taking care of the four
remaining characters.
The punched card codes of the characters that would be used are the
following:
12 & 12
11 - 11
0 0 0
1 1 A J /
2 2 B K S
3 3 C L T
4 4 D M U
5 5 E N V
6 6 F O W
7 7 G P X
8 8 H Q Y
9 9 I R Z
John Savard
------------------------------
From: [EMAIL PROTECTED] (Fabrice Noilhan)
Subject: Re: Smaller RC6
Date: 29 Jan 1999 12:52:19 GMT
According to handWave <[EMAIL PROTECTED]>:
> The RC6 candidate for the Advanced Encryption Standard can use small
> parameters for smart cards. RC6-w/r/b can use w=32 bit words, r=4 rounds,
> and b=10 byte keys. It may use cipher block chaining so the small block
> size does not leave it vulnerable to adversaries accumulating a
> dictionary of 4 billion words. After 4 rounds, the mixing is nearly
> ideal. The 80 bit key is good enough for rock and roll.
You have only decreased the number of rounds and the key length. It is
noted in the AES submission paper that there are attacks up to 16 rounds
which explains that they chose 20 rounds. And with 4 rounds, it should
be easy to have an attack faster than exhaustive search... even for
smart cards, we want the algorithm to be secure (speed comes second)!
Fabrice
------------------------------
From: [EMAIL PROTECTED] (Paul Onions)
Subject: Re: Sanity check on authentication protocol
Date: Fri, 29 Jan 1999 13:05:27 GMT
On Thu, 28 Jan 1999 19:58:59 -0600, Eric Norman
<[EMAIL PROTECTED]> wrote:
>Edward Keyes wrote:
>>
>> I'm trying to do a nice secure mutual authentication and session key
>> exchange using only symmetric ciphers (since public key algorithms are
>> too computationally intensive for the platform). Could someone please
>> tell me if I'm missing anything obvious in the following protocol?
>> It is assumed that Alice and Bob share a secret key prior to this.
>
>Since Alice and Bob share a secret, don't you get authentication
>for free? That is, Alice encrypts a message with the secret and
>sends it to Bob. Bob now knows that the message came from Alice
>since she's the only one who could have encrypted it (this
>assumes that Bob can recognize a "valid message").
You don't get authentication for free. The final parenthesised
comment hits the nail on the head. It's not always possible for Bob
to recognise a valid message. For example if Alice is just sending an
encrypted nonce (single-use random value) then Bob has no means of
verifying (upon decryption) that the value he computes is indeed the
one that Alice sent. That's why it's always good practice to use MACs
(as was pointed out by Antti).
>> As far as I can tell, this is secure against packet sniffers,
>> man-in-the-middle attacks, and replay attacks.
>
>S'pose you need to do something about replay attacks, though.
That's why he used nonces!
Paul(o)
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: Random numbers generator and Pentium III
Date: Fri, 29 Jan 1999 13:12:49 GMT
Reply-To: [EMAIL PROTECTED]
On Fri, 29 Jan 1999 11:38:12 +0100, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:
>> >Do you have ANY scientifically precise (quatifiable through exactly
>> >defined and practically executable measurement methodologies)
>> >'characterization' of crytp-grade randomness??
>> Yes.
>Then let the readers of this group know these and say clearly and in
>detail, PLEASE.
You have to define "scientifically precise" first.
Or will you accept "mathematically precise"?
They are not the same thing.
Bob Knauer
"No Freeman shall ever be debarred the use of arms. The strongest
reason for the people to retain the right to keep and bear arms is,
as a last resort, to protect themselves against tyranny in government."
--Thomas Jefferson
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: Random numbers generator and Pentium III
Date: Fri, 29 Jan 1999 13:33:56 GMT
Reply-To: [EMAIL PROTECTED]
On Fri, 29 Jan 1999 05:57:53 GMT, [EMAIL PROTECTED] (Kurt Wismer)
wrote:
>statistical tests can identify bias and temporal (or other) correlations,
>which can be used to describe crypto-grade (as you call it)
It is called "crypto-grade" to distinguish it from the other kinds of
randomness that confuse this discussion.
You do know the difference, don't you?
>randomness
>(ie. 0 bias, 0 temporal correlation, 0 [whatever else] correlation, etc)
So what?
1) The number 1111111111 is a perfectly valid crypto-grade random
number.
2) The number 1001011001 is not crypto-grade random.
Do you know why?
>before you discount the utility of statistical tests you should find out
>about what people are mistaking for defining characteristics...
I know perfectly well what people are mistaking. I have participated
1in this thread far longer than I want to think about. I have seen
just about every mistake there is to make regarding the concept of
crypto-grade randomness. And it is all quite unnecessary too.
The concept of crypto-grade randomness is not profound at all (on the
surface anyway). To understand it all you have to do is unlearn all
your prejudices that you got from thinking you knew what a random
number is, accept the fact that there are different kinds of
randomness, and that crypto-grade randomness is not the same as what
you were taught before.
Crypto-grade randomness is like the randomness one encounters in
Quantum Mechanics. In fact, a TRNG is designed to tap QM randomness.
But QM randomness is not the same as some forms of classical
randomness, like the randomness found in chaotic non-linear classical
systems.
>statistical tests quantify properties of random numbers, they don't test
>definitions... that's the bump in the road people seem to be getting
>caught on...
The problem that people are having is caused by their not
understanding what constitutes a crypto-grade random number. And yet
it is so simple to understand. Here it is in summary form:
+++++
Crypto-grade randomness is necessary to make the OTP system proveably
secure. A crypto-grade random number is generated by a True Random
Number Generator (TRNG), which is a device capable of generating all
possible sequences of a given finite length equiprobably.
+++++
Now tell us, what is so difficult about that?
Bob Knauer
"No Freeman shall ever be debarred the use of arms. The strongest
reason for the people to retain the right to keep and bear arms is,
as a last resort, to protect themselves against tyranny in government."
--Thomas Jefferson
------------------------------
From: [EMAIL PROTECTED] (Frode Weierud)
Subject: Re: Fialka Punch Card Speculation
Date: 29 Jan 1999 13:27:33 GMT
Reply-To: [EMAIL PROTECTED]
[EMAIL PROTECTED] () writes:
>The Fialka is claimed to be a 10-rotor Enigma, with a punched card
>performing the function of the plugboard.
>It occurs to me that, if the punched card is used to open connections in a
>crossbar patch panel, as only one hole out of 30 is punched of those used,
>it should not be necessary to use combinations difficult to produce on a
>conventional keypunch machine.
>After some thought, the following possible arrangement suggested itself to
>me.
>Up to 26 characters can be sent to their destinations by using 3 columns
>for each one, the first column having a punch in any of the twelve hole
>positions, and the remaining two using only positions 1 through 9.
I am not able to follow your thoughts here. The Fialka rotors have 30
contact points and not 26, as it is made for the Russian alphabet. Therefore
the punched card "plugboard" must be seen as a 30x30 matrix. If you look at
this you will discover that this will give you non-reciprocal connections
much like those given by the Enigma Uhr.
Frode
--
Frode Weierud Phone : +41 22 7674794
CERN, SL, CH-1211 Geneva 23, Fax : +41 22 7679185
Switzerland E-mail : [EMAIL PROTECTED]
WWW : wwwcn.cern.ch/~frode
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: Coin Toss Theory
Date: Fri, 29 Jan 1999 13:43:55 GMT
Reply-To: [EMAIL PROTECTED]
On Thu, 28 Jan 1999 23:36:46 -0500, "Trevor Jackson, III"
<[EMAIL PROTECTED]> wrote:
>Please consider incorporating the self-flipping
>coins of bimetallic construction, especially in the hot-coin tests.
But it is known that self-flipping coins cannot solve their Godel
incompleteness problem much less their Turing halting problem.
What if a self-flipping coin took forever to stop flipping?
Bob Knauer
"No Freeman shall ever be debarred the use of arms. The strongest
reason for the people to retain the right to keep and bear arms is,
as a last resort, to protect themselves against tyranny in government."
--Thomas Jefferson
------------------------------
From: [EMAIL PROTECTED] (Patrick Juola)
Subject: Re: Random numbers from a sound card?
Date: 29 Jan 1999 08:44:58 -0500
In article <78q96o$ka6$[EMAIL PROTECTED]>,
<[EMAIL PROTECTED]> wrote:
>In article <[EMAIL PROTECTED]>,
> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>> [EMAIL PROTECTED] wrote:
>> >
>>
>> > Note that even using a highly structured signal (e.g., digitized
>> > video program including your local receiver noise) you could generate
>> > good bits, but you'd have to distill bushels of them.
>>
>> I find your experience interesting. (In another thread I suggested
>> obtaining good bit sequences from such materials as natural
>> language texts.)
>>
>
>There is a big difference. Eve does not know the local, instantaneious
>electromagnetic conditions around my receiver, nor does she know what
>my local electronics are doing.
No, but Mike does. He's fully capable of broadcasting (known)
noise of some sort near your site.
-kitten
------------------------------
From: [EMAIL PROTECTED] (Patrick Juola)
Subject: Re: hardRandNumbGen
Date: 29 Jan 1999 08:56:25 -0500
In article <[EMAIL PROTECTED]>,
R. Knauer <[EMAIL PROTECTED]> wrote:
>On 28 Jan 1999 11:25:33 -0500, [EMAIL PROTECTED] (Patrick Juola)
>wrote:
>
>>as long
>>as the plaintext is finite *AND BOUNDED*, if you can get key material
>>to exceed that bound, you can get perfect secrecy.
>
>>But few of us have bounded secrets.
>
>You are being uncharacteristically obscure.
>
>Please elaborate on the concepts of "bounded", "unbounded" and how
>they apply to a "bounded secret". And just how is a plaintext
>"bounded", given that it is finite in length?
The idea behind a bounded plaintext is fairly simple. Just say
to yourself that you will never, EVER, in your entire life,
encrypt a document larger than X with a single key. Splitting
a big document into two into order to make it smaller doesn't
count, as you need two different keys in that case.
X is, then, "the bound." And it's a measure of how much work you
need to generate the key for each and every message you send --
so make it low.
The difference between bounded and finite is simple -- with finite,
plaintexts, I know that my articles will eventually end, but I don't
know when beforehand. With a bounded plantext, I set myself a rule
beforehand that I won't go over 30 lines, or 300, or 3 million, whatever
*and stick to that rule.*
Can you promise yourself that you'll never want to Email yourself a
copy of Microsoft Word?
-kitten
------------------------------
From: [EMAIL PROTECTED] (Patrick Juola)
Subject: Re: hardRandNumbGen
Date: 29 Jan 1999 08:59:41 -0500
In article <[EMAIL PROTECTED]>,
R. Knauer <[EMAIL PROTECTED]> wrote:
>On 28 Jan 1999 11:23:20 -0500, [EMAIL PROTECTED] (Patrick Juola)
>wrote:
>
>>In terms of finite length numbers, a finite number is not statistically
>>random if I can predict it (or something about it).
>
>>The key word there is "predict." Post hoc analyses don't mean much.
>>A priori analyses, however, are a good way of showing that, in practice,
>>a prediction can be made -- by the simple technique of making and
>>validating a prediction.
>
>[snip]
>
>Your comments are directed at showing reasons for suspecting that a
>generator is not random. What do you do if your statistical tests
>indicate that it IS random?
>
>You throw out the suspect bad generators and argue that such a
>practice is safe. But what is your argument for the generators that
>you do not throw out?
That the amount of the bias *that I measured* is less than some
threshhold. If I can live with that threshhold and I believe that
no other (untested) source of bias is likely to be present, then
the cypher is safe to use.
If I don't believe that -- or the threshhold is too high -- then
I can't place any reliance on a negative result.
-kitten
------------------------------
From: [EMAIL PROTECTED] (Patrick Juola)
Subject: Re: Question on key lengths
Date: 29 Jan 1999 09:04:23 -0500
In article <[EMAIL PROTECTED]>,
Brett W <[EMAIL PROTECTED]> wrote:
>Hi
>
>This may sound stupid, but is there any particular reason we have key
>lengths that are a power or multiple of 2. Is it for efficiency, beauty
>(there seems to be something elegant with 1024, 2048 etc) or that
>something restricts it to being like this?
Well, bytes on a standard computer are 8 bits long. Any key size that's
not a multiple of 8 bytes wastes storage when you could get a longer
key more or less for free.
As to powers of two, they're more efficient to implement on a variety
of platforms with different word sizes. And they're "more elegant,"
too, which probably dominates.
-kitten
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
