Cryptography-Digest Digest #111, Volume #9 Sat, 20 Feb 99 01:13:04 EST
Contents:
Re: Snake Oil (from the Feb 99 Crypto-Gram) (JPeschel)
Re: Benchmarks ("Michael Scott")
Re: OTP+MP3+CDR = practical, unbreakable voice encryption (Anonymous)
Re: Bruce's Feb. "CRYPTO-GRAM" (Bruce Schneier)
Re: OTP?? = practical, unbreakable voice encryption ("hapticz")
Re: New high-security 56-bit DES: Less-DES ([EMAIL PROTECTED])
Naval Enigma - Extra rotor stepping an advantage? (John Halliwell)
Re: Bruce's Feb. "CRYPTO-GRAM" ([EMAIL PROTECTED])
Re: Snake Oil (from the Feb 99 Crypto-Gram) ([EMAIL PROTECTED])
Re: Bruce's Feb. "CRYPTO-GRAM" ([EMAIL PROTECTED])
Re: Bruce's Feb. "CRYPTO-GRAM" (JPeschel)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (JPeschel)
Subject: Re: Snake Oil (from the Feb 99 Crypto-Gram)
Date: 20 Feb 1999 00:17:35 GMT
>Shai Halevi <[EMAIL PROTECTED]> writes:
>This is irrelevant here, but the notion of chosen ciphertext attacks
>against public-key encryption has been around for less than 10 years
>(Naor-Yung'90, Rackoff-Simon'91, Dolev-Dwork-Naor'91).
But see: "A chosen text attack on the RSA cryptosystem and some discrete
logarithm schemes,"
Y. Desmedt and A. M. Odlyzko, pp. 516-522 in Advances in Cryptology - CRYPTO
'85.
http://www.research.att.com/~amo/doc/arch/rsa.attack.pdf
The paper's references, I think, indicate attacks even earlier.
J
__________________________________________
Joe Peschel
D.O.E. SysWorks
http://members.aol.com/jpeschel/index.htm
__________________________________________
------------------------------
From: "Michael Scott" <[EMAIL PROTECTED]>
Subject: Re: Benchmarks
Date: Sat, 20 Feb 1999 01:44:06 -0000
Medical Electronics Lab wrote in message
<[EMAIL PROTECTED]>...
>Michael Scott wrote:
>>.....
>I'm not from Certicom, but I can explain a few things.
>They are using GF(2^n) fields instead of prime fields. That means
>they don't need the fp math unit, just the integer units to do bit
>manipulation.
You don't need the fp unit for modular exponentiation either. On a Pentium
Pro it's slower than just using plain old integer multiplication....
I suspect they are maybe using a 1024 bit exponent for DH, which would be an
unfair comparison. The exponent should be 163. Certainly a modular
exponentiation to a 163 bit exponent mod a 1024 bit modulus can be done a
lot quicker than quoted here (at least 6 times faster).
>Key Generation comes from each side creating a random number,
>multiplying that with a random point, .....
I think you mean with a fixed point. The generator, usually referred to as
g.
Mike Scott
>Patience, persistence, truth,
>Dr. mike
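The point made above about exponent length, as an added example that is not part of the original post: a counting version of left-to-right square-and-multiply shows why a 163-bit exponent against a 1024-bit modulus costs roughly a sixth of a 1024-bit exponent against the same modulus. It uses only integer arithmetic. The modulus and exponents are constructed for the demonstration and are not a real DH group.

```python
# Added example, not from the original post: square-and-multiply with an
# operation count, to show that the exponent length, not the modulus size
# alone, sets the cost of a modular exponentiation. Pure integer arithmetic,
# no floating point. The modulus and exponents are constructed for the
# demonstration and are not a real DH group.
import secrets


def modexp_counted(base: int, exp: int, mod: int) -> tuple[int, int, int]:
    """Left-to-right binary exponentiation with an operation count.

    Returns (base**exp mod mod, squarings, multiplications). A random
    k-bit exponent costs k-1 squarings and about (k-1)/2 multiplications.
    """
    if mod <= 0:
        raise ValueError("modulus must be positive")
    result, squarings, mults = 1, 0, 0
    started = False  # becomes True at the leading 1 bit of the exponent
    for bit in bin(exp)[2:]:
        if started:
            result = result * result % mod
            squarings += 1
            if bit == "1":
                result = result * base % mod
                mults += 1
        elif bit == "1":
            result = base % mod
            started = True
    return result, squarings, mults


def expected_ops(exp_bits: int) -> float:
    """Mean squarings + multiplications for a random exp_bits-bit exponent."""
    return (exp_bits - 1) + (exp_bits - 1) / 2


def speedup(short_bits: int = 163, long_bits: int = 1024) -> float:
    """How many times cheaper the short-exponent exponentiation is, assuming
    each squaring or multiplication costs about the same (true when the
    modulus, here 1024 bits, is the same in both cases)."""
    return expected_ops(long_bits) / expected_ops(short_bits)


if __name__ == "__main__":
    mod = (1 << 1024) - 105  # constructed odd 1024-bit modulus, not claimed prime
    g = 2
    for bits in (163, 1024):
        e = secrets.randbits(bits) | (1 << (bits - 1))  # force exact bit length
        r, sq, mu = modexp_counted(g, e, mod)
        assert r == pow(g, e, mod)
        print(f"{bits:>4}-bit exponent: {sq} squarings, {mu} multiplications")
    print(f"expected speedup 1024 -> 163 bits: {speedup():.1f}x")
```

The ratio 1023/162 is about 6.3, which is where the "at least 6 times faster" figure comes from; a windowed or Montgomery implementation changes the constant, not the proportionality to exponent length.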
------------------------------
Date: Sat, 20 Feb 1999 02:51:51 +0100
From: Anonymous <[EMAIL PROTECTED]>
Subject: Re: OTP+MP3+CDR = practical, unbreakable voice encryption
>And I'll bet terrorists have
>physical meetings too, to swap plutonium or whatever it is they do.
I would like to nominate this sentence for the single most humorous piece
of text posted to sci.crypt this year, possibly ever. Seconds?
(The rest of the post was fine though; this one just tickled me.)
------------------------------
From: [EMAIL PROTECTED] (Bruce Schneier)
Subject: Re: Bruce's Feb. "CRYPTO-GRAM"
Date: Sat, 20 Feb 1999 00:23:28 GMT
On Fri, 19 Feb 1999 12:08:28 -0600, [EMAIL PROTECTED] (wtshaw) wrote:
>If government is guilty of hype in all this stuff, perhaps he has begun to
>pick up their ways by osmosis through close association. I suppose, as a
>person of high profile, he could even be sued by someone unhappy with his
>pronouncements, not a problem for government it seems.
Indeed, the author of the Snake Oil FAQ (a first, and an excellent,
essay on the warnings of snake oil) had been afraid to name names for
just that reason. I was more willing to take the risk, so I decided
to name names and give actual quotes from product literature. So far
no one has threatened me.
Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590
Free crypto newsletter. See: http://www.counterpane.com
------------------------------
From: "hapticz" <[EMAIL PROTECTED]>
Subject: Re: OTP?? = practical, unbreakable voice encryption
Date: Fri, 19 Feb 1999 22:23:39 -0500
"at the present time, we are swapping tales of just how to manage the
rampant chaos created between quibbling wine aficionados" ;-))
--
best regards
hapticz@email.msn.com
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: New high-security 56-bit DES: Less-DES
Date: Sat, 20 Feb 1999 03:18:55 GMT
In article <7akrit$gio$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:
> I never saw a reply,
;-) as I said yesterday, of course you saw my reply ...as it was done here
...since your "new" questions had already been answered by myself before. I
see no need to answer twice.
[snip]
> From the beginning I've given accurate citations, talked in
> precise terms, and offered mathematical justification. You've
> edited them out and complained about my style and content.
[snip]
I want to call your attention to the fact that if your understanding of the
concept of "unicity" were correct, then the "example" you cited for it
some e-mails ago in this very thread would not be misleading -- such as
considering that the unicity condition would be lost *after* it was reached.
To recall, your "example" was:
|Consider the situation in which the message space has several
|plausible messages, but the conditional probabilities, given the
|ciphertext, show that "Attack at dawn with 3000 men." has a
|probability of 0.599999, and "Attack at dawn with 3006 men"
|has a probability of 0.399999. Using Shannon's formula for
|entropy, I calculate the equivocation of the plaintext is
|0.97 bits. Shannon defined the unicity distance as the number
|of intercepted characters for which the equivocation in the
|plaintext is very close to 0. 0.97 bits is not very close to
|zero, therefore unicity has not been reached.
So, I considered that "example" impossible in regard to DES (which was being
discussed) but gave you the opportunity to present the cipher system for
which it would apply -- in other words, how did you calculate percentages
such as "0.599999" and "0.399999", and with so many digits of precision? How
could unicity be lost after it was reached and then regained after it was
lost, so that one could unambiguously initially read "Attack at dawn with
300" *before* unicity was lost between a "6" or a "0" and then recuperated
afterwards to unambiguously read " men" at the end -- and all that well past
the limit of DES unicity.
To which you have not answered -- of course, such a system does NOT even exist
as we all know, don't we? It was an "example" out of thin air, misleading
rather than illuminating. This lack of proper dialogue in your presentations
has IMO confused issues even more -- to yourself. For example, in one of
your last msgs you again claimed the impossible:
|The unicity distance of English without any key is zero.
and then you proceeded to "prove" it -- which of course would imply that any
English message is unambiguously known before being even written! As I
pointed out yesterday. But, instead of recognizing the mistake in a positive
dialogue, as you should have done also with the impossible cipher above, you
tried now to "justify" that the message you had in mind was "" ;-)
However, your "claim" about the unicity of plain English is obviously NOT
correct -- and, as I pointed out yesterday, Shannon even calculated it in his
paper ...but you cannot seem to find it in his text.
So, looking at our exchange I see that I cannot help you further than
suggesting you keep earnestly reading Shannon's paper until you convince
yourself that:
1. the unicity of plain English is NOT zero (please, do find his value),
2. the concept of unicity is broader in scope than the mathematical expression
of it in the special case of a random cipher as given by Shannon in terms of
conditional entropies (aka, equivocation),
3. the concept of unicity was defined by Shannon as the least number of
letters which provide a unique solution to a cryptogram under certain
assumptions, which I did NOT diverge from except as to the term "distance",
but summarized in http://www.mcg.org.br/unicity.htm as:
===============BEGIN QUOTE=========================
Shannon [Sha49] defined "unicity distance" (hereafter, "n") as the least
amount of plaintext which can be uniquely deciphered from the corresponding
ciphertext -- given unbounded resources by the attacker. The "amount" of
plaintext (i.e., "n") can be measured in any units the user may find
convenient, such as bits, bytes, letters, symbols, etc. Actually, Shannon used
"letters" in his paper.
NOTE: Please note that "unicity distance" is actually not a "distance". It is
not a metric function and does not satisfy the intuitive properties we ascribe
to distance. Thus, to reduce confusion, from now on I will only use the term
"unicity".
In few words, "unicity" is the least message length that can be uniquely
deciphered. As we will see, this number depends on several factors -- some
explicit, most implicit. And, it is a fundamental property of secrecy systems.
==============END QUOTE=====================================
4. I also showed in that paper that the current literature ambiguity on the
definition of unicity is not relevant, as both definitions currently cited
(Shannon's and another) are equivalent for random ciphers:
===========BEGIN QUOTE===================
This resolves a difference in the literature, by showing that for random
ciphers it is equivalent to consider "the least amount of plaintext that can
be deciphered" or the "maximum amount of plaintext that gives just one
expected false decipherment". Since the last case may be easier to calculate,
for some systems, one may choose.
==========END QUOTE=======================
5. the unicity of a block cipher can NEVER exceed that cipher's block-size
and that is why Bruce Schneier's and Menezes' calculations using unicity for
DES and other block-ciphers are in error, as I showed in
http://www.mcg.org.br/nrdes.htm
which paper I suggest you read until you convince yourself that:
6. The unicity of DES is LESS than a block-size of 8 bytes because DES is a
random cipher only over 7 bytes and NOT over 8 bytes.
7. Due to the 56:64 dimensional reduction in DES, the probability of
obtaining English-looking text (compressed or not) in a DES decryption with a
wrong key is only (3~300):2^56 for one block and effectively zero for two
blocks.
8. The above two properties allow an English message (compressed or not)
encrypted with DES to be broken by a ciphertext-only attack which
considers at most trigram frequencies (i.e., a three-letter attack) in one
block of ciphertext, followed by a final confirmation with a second-block
test but only for very few keys (3~300).
BTW, this is actually how the EFF's DES Cracker works, as later private
exchanges between myself and John Gilmore have revealed. Only that they allow
for a couple thousand tentative messages after processing the first DES
block, since their plaintext recognition engine favors false positives (this
is IMO a sound design decision, since the cost of a false negative is
higher). Further, by throwing a couple thousand messages to the second test
stage (where a second DES block is tentatively deciphered with the same key)
they incur a very small overhead over the "best possible" case of (3~300)
messages with a tighter decision threshold (as I considered in a
best-decision analysis).
About the term "three-letter DES attack" that I use, please note that my
cited texts are clear about the context of it -- it is a statistical
coherence of unigrams, digrams and trigrams over the full 8 bytes of a DES
block. It is NOT a letter-by-letter coherence of three-letters. It may not
even use a dictionary -- it is purely a decision problem against known
language statistics.
Short of these comments, Bryan, I really cannot see how I can help further but
insist that you read those papers and try to grasp their meaning -- which seems
to remain a bit elusive as I can read from your postings.
Particularly fruitful will be if you can clearly distinguish between the
concept of unicity as defined in words: "the least amount of plaintext which
can be uniquely deciphered from the corresponding ciphertext -- given
unbounded resources by the attacker", and the mathematical formulation of it
in the *special case* of a random cipher as given by: n = H(K)/(|M| - H(M)).
As I argue, the unicity concept is broader than its restricted mathematical
formulation for that special case -- which opens up new uses for it and new
formulas to calculate it in other regions [cf. the concept of Unicity-5 in
http://www.mcg.org.br/unicity.htm].
Cheers,
Ed Gerck
============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
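The random-cipher formula n = H(K)/(|M| - H(M)) and the equivocation figure quoted in the post above, evaluated on explicit numbers, as an added example that is not part of the original thread. The per-letter entropy of English used here (1.5 bits) is an assumed round figure for the demonstration, not a value taken from Shannon's paper, and the 56-bit key entropy is simply the DES key length.

```python
# Added example, not from the original thread: Shannon's random-cipher
# unicity formula n = H(K) / (|M| - H(M)) and the plaintext equivocation of
# the two-message example quoted above. The English entropy (1.5 bits per
# letter) and the 56-bit key entropy are assumed inputs for the demonstration.
import math


def entropy_bits(probs) -> float:
    """Shannon entropy in bits of a discrete distribution (zero terms skipped)."""
    return -sum(p * math.log2(p) for p in probs if p > 0)


def redundancy_per_symbol(alphabet_size: int, entropy_per_symbol: float) -> float:
    """D = |M| - H(M): log2 of the alphabet size minus the source's actual entropy."""
    return math.log2(alphabet_size) - entropy_per_symbol


def unicity(key_entropy_bits: float, redundancy: float) -> float:
    """n = H(K) / D. A source with no redundancy never reaches unicity."""
    if redundancy <= 0:
        return math.inf
    return key_entropy_bits / redundancy


def expected_false_decipherments(key_entropy_bits: float, n: float, redundancy: float) -> float:
    """2^(H(K) - n*D): the expected number of keys that still yield a
    plausible plaintext after n symbols. It equals 1 exactly at n = unicity,
    which is the equivalence between the two definitions the post refers to."""
    return 2.0 ** (key_entropy_bits - n * redundancy)


if __name__ == "__main__":
    # Equivocation of the quoted two-message example (0.599999 / 0.399999).
    print(f"equivocation: {entropy_bits([0.599999, 0.399999]):.3f} bits")

    # 26-letter English against a 56-bit key, with the assumed 1.5 bits/letter.
    d = redundancy_per_symbol(26, 1.5)
    n = unicity(56, d)
    print(f"D = {d:.2f} bits/letter, unicity = {n:.1f} letters")
    for letters in (8, int(n), 24):
        fd = expected_false_decipherments(56, letters, d)
        print(f"  after {letters:>2} letters: {fd:.3g} expected false decipherments")

    # Zero redundancy (perfectly compressed or random plaintext): no unicity.
    print("unicity with D = 0:", unicity(56, 0.0))
```

The two-message distribution gives about 0.97 bits of equivocation, as quoted. With the assumed 1.5 bits/letter the redundancy is about 3.2 bits/letter, so n is about 17.5 letters for a 56-bit key; the count of expected false decipherments drops from roughly 2^30 at 8 letters to 1 at n, which is how the two definitions in the quoted passage line up for a random cipher. Changing the assumed entropy of English moves n directly, so the formula is only as good as that input.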
------------------------------
From: John Halliwell <[EMAIL PROTECTED]>
Subject: Naval Enigma - Extra rotor stepping an advantage?
Date: Sat, 20 Feb 1999 03:32:03 +0000
I've been trying to figure out the following:
The standard Enigma used three rotors from a set of five, these rotors
all stepped in the same positions. The Navy (U-boats at least) added
another four, each of these stepped in different positions (to each
other and the other five). I think?
I've read Kahn's book "Seizing the Enigma" (paperback). In it he
mentions that Bletchley Park initially had problems due to the different
stepping, but once they knew about it (maybe by capturing the rotors),
it made things slightly easier. If BP knew when a rotor started to move,
it enabled them to guess correctly the rotor (its number and position)
that had turned it (not sure whether to the right or left). Hope I've
explained it in enough detail!
My question, did this difference in the stepping ultimately make it
easier or harder to break?
Any ideas?
--
John
Preston, Lancs, UK.
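A minimal model of what an observed turnover tells you about the rotor that caused it, as an added example that is not part of the original post. The turnover letters are the commonly published ones (rotors I to V with one notch, VI to VIII with two) and are taken as an assumption here; the middle rotor's double-step, the wiring and the reflector are deliberately left out, since only the stepping positions matter for this question.

```python
# Added example, not part of the original post: models only the turnover
# behaviour of the right-hand Enigma rotor, to show what "the next rotor just
# moved" reveals about which rotor is fitted. Turnover letters are the commonly
# published ones and are an assumption for this demonstration; double-stepping
# and wiring are not modelled.
import string

ALPHABET = string.ascii_uppercase

# Window letter(s) at which a rotor carries the rotor to its left forward.
TURNOVER = {
    "I": "Q", "II": "E", "III": "V", "IV": "J", "V": "Z",
    "VI": "ZM", "VII": "ZM", "VIII": "ZM",
}


def step(rotor: str, window: str) -> tuple[str, bool]:
    """Advance one rotor by one position. Returns the new window letter and
    whether the rotor to its left is carried along on this keypress."""
    carry = window in TURNOVER[rotor]
    nxt = ALPHABET[(ALPHABET.index(window) + 1) % 26]
    return nxt, carry


def observe_turnovers(rotor: str, start: str = "A", presses: int = 26) -> list[str]:
    """Run the right-hand rotor through `presses` keypresses and record the
    window letters at which the middle rotor was seen to move."""
    window = start
    seen = []
    for _ in range(presses):
        nxt, carry = step(rotor, window)
        if carry:
            seen.append(window)
        window = nxt
    return sorted(seen)


def candidate_rotors(observed: list[str]) -> list[str]:
    """Rotors whose turnover letters match the observed set exactly
    (a full revolution has been watched)."""
    target = set(observed)
    return [r for r, notches in TURNOVER.items() if set(notches) == target]


def consistent_rotors(observed: list[str]) -> list[str]:
    """Rotors not ruled out by a partial observation: every turnover seen so
    far must be one of the rotor's notch positions."""
    target = set(observed)
    return [r for r, notches in TURNOVER.items() if target <= set(notches)]


if __name__ == "__main__":
    for r in TURNOVER:
        obs = observe_turnovers(r)
        print(f"rotor {r:>4}: middle moved at window {obs} -> exact match {candidate_rotors(obs)}")
    print("one turnover seen at Z only:", consistent_rotors(["Z"]))
    print("one turnover seen at M only:", consistent_rotors(["M"]))
```

Two things fall out of the model. A single turnover seen at Z is consistent with V and with all three two-notch rotors, so the observer has to wait for (or rule out) the second turnover at M before naming the rotor; and a full revolution identifies a two-notch rotor only as one of VI, VII or VIII, because in this table those three share the same notch positions. Any turnover seen at E, J, Q or V pins the rotor down at once.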
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Bruce's Feb. "CRYPTO-GRAM"
Date: Sat, 20 Feb 1999 05:05:41 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (JPeschel) wrote:
> > [EMAIL PROTECTED] (John Savard) writes that:
>
> >[EMAIL PROTECTED] (JPeschel) wrote, in part:
> >>> [EMAIL PROTECTED] (John Savard) enigmatically writes:
> >
> >>>He names other names in that issue too, and those are names one is
> >>>less likely to have heard before...
I really have a low opinion of Mr. B.S. But since he has more or less
bad-mouthed my stuff in this Usenet group, and since he claims not to have the
time to analyze everything, I wonder if he is just blowing smoke or if
he actually looked at anything. I for one would not take his word on very
much. Also, since I like using Snake Oil vocabulary, did he mention my
stuff? I really don't want to go to his site to read his stuff,
so I would ask here.
> >
> >>What point, if any, are you making?
> >
> >Nothing too terrible. Just that while naming the names of some
> >companies producing cryptographic snake-oil, while it may indeed be
> >quite helpful to some, isn't really revealing anything surprising.
> >
> >
> My, John, for a layman, you seem awfully
> smug about this.
>
> Even some of the best, except for you,
> of course, can be confused when trying to
> discern snake-oil from strong crypto.
>
> While some of the products mentioned in
> the newsletter could be dismissed,
> without inspection, as snake-oil by most
> regulars of this newsgroup, one product,
> UBE fooled a lot of people here and in
> coderpunks. You, I believe, later even
> offered advice on how to fix UBE, without
> having looked at the thing, or having
> read the relevant posts concerning the
> product's problems.
>
> Additionally, one sci.crypt regular maintains
> a link to GenioUSA from the "Crypto
> Products" page of his web site. Does he
> believe the GenioUSA product is strong? I
> suspect he does, as he is a "professional
> cipher designer," and, so should have
> the cryptanalytic skills to make an
> assessment -- but GenioUSA's CrypEdit was
> broken in InfoWorld a few yearsago.
>
> Again, some of the best, except for you,
> of course, can be confused when trying to
> discern snake-oil from strong crypto.
>
> Even worse, some people without your skills
> will pay real money for products like
> these. True, those people ought to read
> the Snake-oil FAQ. Some of them, however,
> need to have the truth of the FAQ demonstrated
> for them.
>
> I believe they all live in Missouri; I live
> in South Dakota and haven't designed my own
> unbreakable cipher, yet. Someone slap
> some crypto-sense into me if I decide to.
>
> -- Joe (another layman -- and a grouchy one, at
> that...)
>
> __________________________________________
>
> Joe Peschel
> D.O.E. SysWorks
> http://members.aol.com/jpeschel/index.htm
> __________________________________________
>
>
Hey, I'm from Missouri; what's your point?
David scott
http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
http://members.xoom.com/ecil/index.htm
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Snake Oil (from the Feb 99 Crypto-Gram)
Date: Sat, 20 Feb 1999 05:23:29 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (Bruce Schneier) wrote:
> Snake Oil
>
....
>
> Warning Sign #5: Ridiculous key lengths.
>
> Jaws Technology <http://www.jawstech.com> boasts: "Thanks to the JAWS
> L5 algorithm's statistically unbreakable 4096 bit key, the safety of
> your most valued data files is ensured." Meganet takes the ridiculous
> a step further <http://www.meganet.com>: "1 million bit symmetric keys
> -- The market offer's [sic] 40-160 bit only!!"
>
> Longer key lengths are better, but only up to a point. AES will have
> 128-bit, 192-bit, and 256-bit key lengths. This is far longer than
> needed for the foreseeable future. In fact, we cannot even imagine a
> world where 256-bit brute force searches are possible. It requires
> some fundamental breakthroughs in physics and our understanding of the
> universe. For public-key cryptography, 2048-bit keys have same same
> sort of property; longer is meaningless.
>
Sorry Bruce but longer key lengths are better. But the fact that a
key is long does not necessarily mean that it is strong. You just have
a prejudice towards short key systems so the NSA and folks like you
can stay in business.
...
> Warning Sign #9: Cracking contests.
>
> I wrote about this at length last month:
> <http://www.counterpane.com/crypto-gram-9812.html#contests>. For now,
> suffice it to say that cracking contests are no guarantee of security,
> and often mean that the designers don't understand what it means to
> show that a product is secure.
>
Actually cracking contests are quite good because certain contests can
be set up to show how strong a cipher is compared to others. Like my
contests. The last contests could not even be done with the fishy ciphers
that are being passed off on the AES pseudo contest. However I can
see why someone like you would never hold a real contest. Since some
amateur could break it and then it would hurt your inflated ego.
David Scott
self-appointed crypto expert and one man stand alone team.
I would have commented on more but the note was too bloated.
Anyway, forget the crappy military grade crypto; get the
Universe Plus Strength Grade stuff written by me.
http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
http://members.xoom.com/ecil/index.htm
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Bruce's Feb. "CRYPTO-GRAM"
Date: Sat, 20 Feb 1999 05:42:15 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (wtshaw) wrote:
> In article <[EMAIL PROTECTED]>,
> [EMAIL PROTECTED] (John Savard) wrote:
>
> >
> > He names other names in that issue too, and those are names one is
> > less likely to have heard before...
> >
> Speaking of names, he could use an original title for his rag instead of
> one that has been used for many decades elsewhere. Perhaps he is trading
> on a well established reputation on purpose, maybe he just doesn't know
> better.
> --
> A much too common philosophy:
> It's no fun to have power....unless you can abuse it.
>
My guess is that he knew of the association and in his arrogance and god-
like view of himself chose to name it the way he did because he felt like
it. By the way I would like to coin a term for his fishy smelly codes or
codes like his: "Fish Oil".
http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
http://members.xoom.com/ecil/index.htm
------------------------------
From: [EMAIL PROTECTED] (JPeschel)
Subject: Re: Bruce's Feb. "CRYPTO-GRAM"
Date: 20 Feb 1999 06:04:00 GMT
>[EMAIL PROTECTED] writes:
> My guess is that he knew of the association and in his arrogance and god-
>like view of himself chose to name it the way he did because he felt like
>it. By the way I would like to coin a term for his fishy smelly codes or
>codes like his: "Fish Oil".
>
>
Nonsense, Dave. I don't even have to coin a term for this message.
Joe
__________________________________________
Joe Peschel
D.O.E. SysWorks
http://members.aol.com/jpeschel/index.htm
__________________________________________
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************