Cryptography-Digest Digest #150, Volume #9 Sat, 27 Feb 99 01:13:03 EST
Contents:
USENIX Workshop on Smartcard Technology, May 10-11 (Jennifer Radtke)
IDEA ("Anna Popivanova")
Re: Interesting DES results (Bill Unruh)
Re: What do you all think about the new cipher devised by a 16 year old? (Bill Unruh)
Re: True Randomness - DOES NOT EXIST!!! (Bill Unruh)
Re: RC4 40 bit compared to RC4 128 bit. (Bill Unruh)
Re: Interesting DES results ("Douglas A. Gwyn")
Re: Quantum Cryptography ("Douglas A. Gwyn")
Re: One-Time-Pad program for Win85/98 or DOS (Helmut Kreft)
Re: What do you all think about the new cipher devised by a 16 year old? ("Douglas A. Gwyn")
Re: True Randomness ("Douglas A. Gwyn")
Re: HMM (was: True Randomness) ("Douglas A. Gwyn")
Re: random number generator??? ("Douglas A. Gwyn")
Re: Unicity of English, was Re: New high-security 56-bit DES: Less-DES ("Douglas A. Gwyn")
Re: Unicity of English, was Re: New high-security 56-bit DES: Less-DES (Bryan Olson)
Re: New high-security 56-bit DES: Less-DES ([EMAIL PROTECTED])
Re: Testing Algorithms ("Trevor Jackson, III")
Re: Testing Algorithms ("Trevor Jackson, III")
----------------------------------------------------------------------------
Crossposted-To: misc.security
From: [EMAIL PROTECTED] (Jennifer Radtke)
Subject: USENIX Workshop on Smartcard Technology, May 10-11
Date: Sat, 27 Feb 1999 00:28:26 GMT
For Researchers, Product Developers and Smart Card Deployers
USENIX WORKSHOP ON SMARTCARD TECHNOLOGY
May 10-11, 1999
McCormick Place South
Chicago, Illinois, USA
=======================================================================
Review the full program and register online at
http://www.usenix.org/events/smartcard99/
Save when registering before Friday, April 16, 1999
=======================================================================
Advanced Technical Program
Peer-reviewed papers and selected presenters from around the world.
You'll hear reports of the latest research, developments, and
deployments in:
* smart card hardware
* smart card software
* system issues
* strengths and weaknesses of smart cards
* smart cards' role in operating systems
* smart cards as a base technology in cryptographic systems
First of Its Kind in North America
The USENIX Workshop brings together researchers and practitioners for
authoritative how-to and who's doing what in smart card systems and
technologies. Join them for this unique opportunity to learn about what
is possible today in smart card technology, and on the drawing boards
for tomorrow.
Free Admission to the Largest Card & Security Exhibition
Attend the USENIX Workshop on Smart Card Technology and enjoy visiting
the CardTech/SecureTech '99 Exhibition, May 12-14, 1999, co-located in
McCormick Place South, Chicago. For more details, go to
http://www.ctst.com
=======================================================================
Sponsored by The USENIX Association
USENIX is an international membership society of scientists, engineers,
and systems administrators working on the cutting edge of systems and
software. Since 1975, USENIX conferences and workshops have been
recognized as bridging research, innovation and the practical.
Excellence is assured by peer review. The open exchange of technical
ideas and solutions prevails, unfettered by commercialism or stodginess.
------------------------------
From: "Anna Popivanova" <[EMAIL PROTECTED]>
Subject: IDEA
Date: Thu, 25 Feb 1999 03:06:57 +0200
Hi, everyone!
Recently I read that there is an error in the IDEA description in Bruce
Schneier's book Applied Cryptography.
So, my question is: could someone specify it, if there is any at all?
I couldn't find much about the algorithm, I mean not as much as for DES :), so
I will be thankful if you can give me some hints on further reading. I am
interested most in cryptanalysing the algorithm: statistical tests,
linear, related-key, anything.
Also, whether there are projects such as distributed.net etc. but for IDEA.
And the last one: is there any information or research on whether IDEA is a
group?
Please answer directly to me, as I am not able to read sci.crypt often.
Thank you in advance.
Anna
------------------------------
From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: Interesting DES results
Date: 27 Feb 1999 02:08:35 GMT
In <[EMAIL PROTECTED]> bill johnson <[EMAIL PROTECTED]> writes:
>The second test was to measure the + or - difference from one byte to
>the next. This was an eye opener. The plot looks like a nearly perfect
>inverted 'V'. In fact amazingly so.
>I've tried this on two different sources and I get the same result.
What you want to do is to take the modular distance between them --
(A+256-B)%256 That should be a uniform distribution. Otherwise the
difference depends on the value of A as well as the difference.
(Note, to get a difference of the maximum in your technique, one of the
numbers has to be very small and the other very large. That is very
unlikely.)
------------------------------
From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: What do you all think about the new cipher devised by a 16 year old?
Date: 27 Feb 1999 02:10:58 GMT
In <[EMAIL PROTECTED]> Darren New <[EMAIL PROTECTED]> writes:
]You can patent something and then license it for free, to assure nobody
]else patents it. Besides, it might not be her choice. Perhaps her
]parents want her to patent it even if she doesn't want to make the money
]from it.
]No need for fishiness on *that* count.
She developed it out of work she did on a summer job with a US company,
who are probably the ones pushing for a patent.
------------------------------
From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: True Randomness - DOES NOT EXIST!!!
Date: 27 Feb 1999 02:15:56 GMT
Unfortunately you seem not to have heard of physics developed 100 years
ago, called quantum mechanics. Two identical systems, set up identically,
will not give the same results in the future.
In <[EMAIL PROTECTED]> BRAD KRANE <[EMAIL PROTECTED]> writes:
] True randomness does not exist. It always depends on some variable
]at some *FIXED* time. FIXED times are not anywhere near random.
]**EVERY** thing that goes on in the universe is happening because of all
]the forces of **EVERY** thing else in the entire universe. If you were
]to take measurements at one place in time in one universe and recorded
]it. Then lets say you were able to re-create exactly the universe you
]were just in somewhere else and you took the exact same measurement
]the so called random number that you recorded before would be the exact
]same as though you took the measurement in the first universe. As
...
------------------------------
From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: RC4 40 bit compared to RC4 128 bit.
Date: 27 Feb 1999 02:17:12 GMT
In <7b27s5$k92$[EMAIL PROTECTED]> "Rats" <[EMAIL PROTECTED]> writes:
]However what puzzles me is the reference sometimes used to describe RC4
]i.e. RC4 40 bit and 128bit. What I don't understand is the relevance of the
]bit values since the algorithm itself doesn't seem to make any mention of
]it.
The length of the key used to set up the state of the generator.
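As an added illustration of the answer above (my code, not from the post or from any RC4 vendor), here is the cipher with the key-scheduling step isolated. "RC4 40-bit" and "RC4 128-bit" run exactly this code; the number is only how many key bytes the key-scheduling loop reads, which fixes the size of the brute-force key space. The 5-byte and 16-byte keys in the demo are hypothetical sample values.

```python
# Added example, not from the original post or any RC4 vendor: a textbook RC4
# showing where "40-bit" versus "128-bit" enters. Both names run the same
# cipher; they differ only in how many key bytes the key-scheduling step
# consumes, and therefore in the size of the brute-force key space.

def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: build the 256-entry state permutation from the key."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes long")
    s = list(range(256))
    j = 0
    for i in range(256):
        # The only place the key length matters: key bytes are reused cyclically,
        # so a 5-byte (40-bit) key repeats ~51 times, a 16-byte (128-bit) key 16 times.
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s

def rc4_keystream(state: list, n: int) -> bytes:
    """Pseudo-random generation: n keystream bytes from a scheduled state (the state is copied)."""
    s = state[:]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (the same operation): XOR data with the keystream."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(rc4_ksa(key), len(data))))

def key_space_bits(key: bytes) -> int:
    """Nominal strength: 8 bits per key byte, assuming the key bytes are uniformly random."""
    return 8 * len(key)

if __name__ == "__main__":
    msg = b"same cipher, different key length"                      # constructed sample
    key40 = bytes.fromhex("0102030405")                             # hypothetical 5-byte key
    key128 = bytes.fromhex("000102030405060708090a0b0c0d0e0f")      # hypothetical 16-byte key
    for key in (key40, key128):
        ct = rc4(key, msg)
        assert rc4(key, ct) == msg
        print("%3d-bit key -> 2^%d candidates, ct=%s" % (key_space_bits(key), key_space_bits(key), ct.hex()))
```

The one caveat worth remembering is that `key_space_bits` is only the nominal figure: it assumes the key bytes themselves are uniformly random, which is not true of a key derived from a short password, however many bytes are handed to the KSA.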
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Interesting DES results
Date: Sat, 27 Feb 1999 02:46:34 GMT
[EMAIL PROTECTED] wrote:
> In article <7at5ns$[EMAIL PROTECTED]>,
> Scott Fluhrer <[EMAIL PROTECTED]> wrote:
> > Next step for you to do: compute what graph you would get from truly
> > random data (in particular, data that had all 65536 possible pairs of
> > adjacent bytes equally likely). Compare that graph with the one you
> > obtained.
> Well stated. This is exactly how any RNG "test" (such as Marsaglia's
> Diehard suite) works. Expectation vs. observed.
I don't think that was Scott's point.
His exercise should "enlighten" Bill about what to expect,
since Bill's intuition was quite wrong.
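The two posts above on this thread (Bill Unruh's modular-distance suggestion and Scott Fluhrer's exercise of working out what graph truly random data gives) are both illustrated by the following added example. It is my code, not code from either poster; the seeded pseudo-random bytes it uses are a constructed stand-in for the DES output under test.

```python
# Added example (mine, not from either post): how the adjacent-byte difference
# test behaves on data where all 65536 ordered byte pairs are equally likely.
# The signed difference a - b is triangular (the "inverted V"), because a
# difference d can be produced by only 256 - |d| pairs; the modular
# difference (a - b) mod 256 is flat, because for every d exactly 256 pairs
# produce it. A chi-square against the flat expectation is the actual test.
import random
from collections import Counter

def adjacent_pairs(data: bytes):
    """Ordered (a, b) pairs of neighbouring bytes in a stream."""
    return zip(data, data[1:])

def signed_diff_hist(pairs) -> Counter:
    """Histogram of a - b, range -255..255."""
    return Counter(a - b for a, b in pairs)

def modular_diff_hist(pairs) -> Counter:
    """Histogram of (a - b) mod 256, i.e. (a + 256 - b) % 256, range 0..255."""
    return Counter((a - b) & 0xFF for a, b in pairs)

def expected_signed(d: int, n_pairs: int) -> float:
    """Expected count of signed difference d under uniform pairs: (256 - |d|)/65536 of all pairs."""
    return n_pairs * (256 - abs(d)) / 65536

def chi_square_flat(hist: Counter, bins: int) -> float:
    """Chi-square statistic of a histogram against a flat distribution over `bins` values."""
    n = sum(hist.values())
    expected = n / bins
    return sum((hist.get(v, 0) - expected) ** 2 / expected for v in range(bins))

def run(n_bytes: int = 200_000, seed: int = 1) -> dict:
    """Both histograms on seeded pseudo-random bytes (constructed input standing in for DES output)."""
    rng = random.Random(seed)
    data = bytes(rng.getrandbits(8) for _ in range(n_bytes))
    signed = signed_diff_hist(adjacent_pairs(data))
    modular = modular_diff_hist(adjacent_pairs(data))
    return {
        "signed_peak": signed[0],                              # near expected_peak: the top of the V
        "signed_edge": signed[255] + signed[-255],             # near 2 * n/65536: the two feet of the V
        "expected_peak": expected_signed(0, n_bytes - 1),
        "chi2_modular": chi_square_flat(modular, 256),         # ~255 +/- 23 if flat (255 degrees of freedom)
    }

if __name__ == "__main__":
    for name, value in run().items():
        print("%-14s %.1f" % (name, value))
```

The point of `expected_signed` is that the inverted V is not evidence of anything: it is exactly the histogram a perfect source produces under the signed-difference measurement. Only the modular histogram is worth comparing against a flat line, and `chi_square_flat` is the comparison; a value far above about 300 for 255 degrees of freedom would be the first real sign of a bias.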
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Quantum Cryptography
Date: Sat, 27 Feb 1999 02:51:23 GMT
"R. Knauer" wrote:
> "Moreover, the United States government is quietly funding research
> in code-breaking, using quantum computers".
So? It would be criminally negligent to ignore potentially relevant
technology.
Actually, quantum computing is a fairly hot research topic in the
public sector. The basic notion is to obtain massive parallelism
by encoding quantum states. I think there was a Sci.Am. article on
this not too long ago, or I'm sure a Web search would turn up info.
------------------------------
From: Helmut Kreft <[EMAIL PROTECTED]>
Crossposted-To: alt.security,alt.privacy
Subject: Re: One-Time-Pad program for Win85/98 or DOS
Date: Sat, 27 Feb 1999 03:39:52 +0100
HyperReal-Anon wrote:
>
> Found a basic one-time-pad program which uses the XOR function.
> It can be found at http://surf.to/hookah or http://hookah.ddns.org
> depending on which service is working. The site is up most weekends,
> round the clock. Look for "V-OTP".
I suggest you delete this program from your cryptography software
collection. This implementation of OTPs is cryptographically weak.
Helmut
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: What do you all think about the new cipher devised by a 16 year old?
Date: Sat, 27 Feb 1999 03:00:12 GMT
Vonnegut wrote:
> >It seems pretty simple. It uses
> >2x2 matrices. I wonder how on earth can something so simple have been
> >overlooked?
The method was described here previously. Basically, it uses 2x2
matrices *only as part of a larger scheme* that amounts to a faster
way to implement RSA.
> Even if she did find a new way to implement the matrices, I do know that I
> have seen a simple public key encryption algorithm which used matrices in a
> Pre-Calculus book.
> ...
The scheme you describe is not and cannot be made as secure as any
reputable cryptosystem currently in use -- it's utterly linear
(and scrambling the rows and columns doesn't change that).
There was just posted to sci.crypt.research a matrix-based (Hill)
method whose entire security seems to depend on internal use of
one non-linear function (called J in that posting). I'm not sure
that such a function (meeting all the requirements) exists, but if
so then that might be somewhat more secure than a straight matrix
method.
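To make the "utterly linear" point above concrete, here is an added example of my own (not the scheme under discussion, and not the sci.crypt.research posting): a plain 2x2 Hill cipher over Z_26 and the known-plaintext attack that reads the key straight out of two plaintext/ciphertext digraphs. The key and messages are constructed sample values.

```python
# Added example (mine, not the scheme under discussion nor the sci.crypt.research
# post): why a matrix cipher with no non-linear step falls to known plaintext.
# With a 2x2 key K over Z_26 and ciphertext C = K*P per digraph, two plaintext
# digraphs whose matrix P is invertible mod 26 give K = C * P^-1 directly.
# Permuting rows or columns is itself a linear map, so it changes nothing.
from math import gcd

MOD = 26   # assumption: letters A..Z as 0..25; the attack works the same mod 256 on bytes

def matmul(a, b, m=MOD):
    """2x2 matrix product mod m."""
    return [[sum(a[i][k] * b[k][j] for k in range(2)) % m for j in range(2)] for i in range(2)]

def matinv(a, m=MOD):
    """Inverse of a 2x2 matrix mod m; requires gcd(det, m) == 1."""
    det = (a[0][0] * a[1][1] - a[0][1] * a[1][0]) % m
    if gcd(det, m) != 1:
        raise ValueError("matrix not invertible mod %d" % m)
    d = pow(det, -1, m)   # modular inverse (Python 3.8+)
    return [[a[1][1] * d % m, -a[0][1] * d % m],
            [-a[1][0] * d % m, a[0][0] * d % m]]

def hill_encrypt(key, text: str) -> str:
    """Encrypt uppercase text of even length, one digraph (column vector) at a time."""
    nums = [ord(c) - 65 for c in text]
    out = []
    for i in range(0, len(nums), 2):
        p0, p1 = nums[i], nums[i + 1]
        out += [(key[r][0] * p0 + key[r][1] * p1) % MOD for r in range(2)]
    return "".join(chr(65 + x) for x in out)

def hill_decrypt(key, text: str) -> str:
    """Decryption is encryption with the inverse matrix."""
    return hill_encrypt(matinv(key), text)

def recover_key(plain: str, cipher: str):
    """Known-plaintext attack: find two plaintext digraphs whose matrix P (digraphs as
    columns) is invertible mod 26, take the matching ciphertext C, and return C * P^-1.
    Returns None if no invertible pair exists among the known digraphs."""
    p = [ord(c) - 65 for c in plain]
    c = [ord(x) - 65 for x in cipher]
    starts = range(0, len(p) - 1, 2)
    for i in starts:
        for j in starts:
            if i == j:
                continue
            P = [[p[i], p[j]], [p[i + 1], p[j + 1]]]
            if gcd((P[0][0] * P[1][1] - P[0][1] * P[1][0]) % MOD, MOD) != 1:
                continue
            C = [[c[i], c[j]], [c[i + 1], c[j + 1]]]
            return matmul(C, matinv(P))
    return None

if __name__ == "__main__":
    key = [[3, 3], [2, 5]]                      # hypothetical secret key
    plain = "HELPMEOBIWANKENOBI"                # constructed known plaintext (18 letters)
    cipher = hill_encrypt(key, plain)
    print(cipher, recover_key(plain, cipher))   # the recovered matrix equals `key`
</br>```

Note what the attack needs: no statistics, no search, just four known letters in a lucky (invertible) arrangement, and the cost does not grow with the key's modulus. That is the difference between a linear scheme and one with a genuine non-linear function inside it; the question raised above about the function J is exactly whether such a step exists for that proposal.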
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: True Randomness
Date: Sat, 27 Feb 1999 03:33:16 GMT
Herman Rubin wrote:
> Hidden Markov models are far too recent to be in Feller's book.
> And even later probability textbooks might not have this.
The first open-literature publication of HMMs (known then as
"probabilistic functions on Markov chains") was around 1967.
The first edition of Feller's book was, if I recall correctly,
published well before that, and I don't know how extensive
the revisions were for later editions. It may well be that
many textbook authors didn't appreciate their significance.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: HMM (was: True Randomness)
Date: Sat, 27 Feb 1999 03:46:33 GMT
Herman Rubin wrote:
> As for hidden Markov models, one is only likely to find applications.
> The idea that what is observed is a function of an unobserved Markov
> chain is simple to state, and can be quite difficult to work with.
The technology of HMMs (also OOMs and other related techniques)
is a well-developed subfield of its own. The big breakthrough was
the invention of an efficient way to compute the model parameters
(for MLE) from the training data. That was so important that it
was a state secret for mumblety-mumble years before it was published.
To give an idea why it is a powerful method, consider that applying
it to the letter sequence of natural-language text results in an
*automatic* identification of vowel and consonant categories (with
a minimal number of postulated states) or finer-grained resolution
of the roles that letters play (with a larger number of states).
Imagine how this sort of thing could be useful in cryptanalysis.
It has also been applied to analysis of unknown languages such as
the Voynich manuscript.
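The vowel/consonant effect described above can be reproduced in a few dozen lines, so here is an added example of my own (not from the post, and not any HMM toolkit): a two-state hidden Markov model fitted by Baum-Welch to a letter sequence, with nothing but letter order as input. The sample text, the initialisation and the seed are mine; on this text the two states usually fall out as vowel-like versus consonant-like, but EM only reaches a local optimum, so another seed or text can give a different split.

```python
# Added example (mine, not from the post): a two-state hidden Markov model
# fitted with Baum-Welch (EM) to a letter sequence. Nothing tells the model
# which letters are vowels; on ordinary English the two states it finds
# usually separate vowel-like from consonant-like letters. Only a..z are kept.
import math
import random

ALPHABET = "abcdefghijklmnopqrstuvwxyz"

# Constructed sample text (written for this example; not from the digest).
SAMPLE_TEXT = """
the farmer walks the fence line every morning, checks the water troughs
and counts the sheep in the lower field. his daughter reads letters from
the city and writes back about the weather, the price of wool and the new
road that will bring the mail truck twice a week. in the evening they sit
by the fire and listen to the radio, which tells them about elections,
cricket scores and storms far out at sea. nothing here changes quickly,
but over the years the small changes add up, and one day the farm looks
nothing like the place the old man remembers from his childhood.
cryptanalysts who study letter frequencies notice that vowels and
consonants alternate far more often than chance would predict, and a
hidden state model can learn that pattern from the text alone, without
being told which letters are which. the quick brown fox jumps over the
lazy dog while the jury of six judges puzzles over a vexing quiz.
"""

def letters(text: str) -> list:
    """Map text to indices 0..25, dropping everything that is not a letter."""
    return [ALPHABET.index(c) for c in text.lower() if c in ALPHABET]

def forward_backward(obs, pi, A, B):
    """Scaled forward-backward pass. alpha[t][i] = P(state i at t | obs[:t+1]); beta is
    scaled to match, so alpha[t][i]*beta[t][i] is the posterior of state i at time t.
    Returns (alpha, beta, scale, log-likelihood)."""
    T, N = len(obs), len(pi)
    alpha, scale = [], []
    row = [pi[i] * B[i][obs[0]] for i in range(N)]
    for t in range(T):
        if t:
            row = [B[j][obs[t]] * sum(alpha[-1][i] * A[i][j] for i in range(N)) for j in range(N)]
        c = sum(row)
        scale.append(c)
        alpha.append([x / c for x in row])
    beta = [[1.0] * N for _ in range(T)]
    for t in range(T - 2, -1, -1):
        beta[t] = [sum(A[i][j] * B[j][obs[t + 1]] * beta[t + 1][j] for j in range(N)) / scale[t + 1]
                   for i in range(N)]
    return alpha, beta, scale, sum(math.log(c) for c in scale)

def baum_welch(obs, n_states=2, iters=40, seed=1):
    """EM re-estimation of (pi, A, B) from the observations alone. Returns the parameters
    and the per-iteration log-likelihood, which EM never decreases."""
    rng = random.Random(seed)
    N, M, T = n_states, len(ALPHABET), len(obs)

    def noisy_row(n):   # near-uniform start; an exactly symmetric start is a fixed point of EM
        row = [1.0 + 0.1 * rng.random() for _ in range(n)]
        s = sum(row)
        return [x / s for x in row]

    pi, A, B = noisy_row(N), [noisy_row(N) for _ in range(N)], [noisy_row(M) for _ in range(N)]
    trace = []
    for _ in range(iters):
        alpha, beta, scale, ll = forward_backward(obs, pi, A, B)
        trace.append(ll)
        gamma = [[alpha[t][i] * beta[t][i] for i in range(N)] for t in range(T)]
        xi = [[0.0] * N for _ in range(N)]        # expected transition counts i -> j
        for t in range(T - 1):
            for i in range(N):
                for j in range(N):
                    xi[i][j] += alpha[t][i] * A[i][j] * B[j][obs[t + 1]] * beta[t + 1][j] / scale[t + 1]
        pi = gamma[0][:]
        for i in range(N):
            out_mass = sum(gamma[t][i] for t in range(T - 1))
            A[i] = [xi[i][j] / out_mass for j in range(N)]
            emit = [0.0] * M
            for t in range(T):
                emit[obs[t]] += gamma[t][i]
            total = sum(emit)
            B[i] = [e / total for e in emit]
    return pi, A, B, trace

def letter_groups(obs, pi, A, B) -> dict:
    """Assign each letter seen to the state that emitted most of its occurrences (posterior mass)."""
    alpha, beta, _, _ = forward_backward(obs, pi, A, B)
    N = len(pi)
    mass = [[0.0] * len(ALPHABET) for _ in range(N)]
    for t, k in enumerate(obs):
        for i in range(N):
            mass[i][k] += alpha[t][i] * beta[t][i]
    groups = {i: "" for i in range(N)}
    for k, ch in enumerate(ALPHABET):
        if any(m[k] > 0 for m in mass):
            groups[max(range(N), key=lambda i: mass[i][k])] += ch
    return groups

if __name__ == "__main__":
    obs = letters(SAMPLE_TEXT)
    pi, A, B, trace = baum_welch(obs)
    print("log-likelihood %.1f -> %.1f" % (trace[0], trace[-1]))
    for state, chars in letter_groups(obs, pi, A, B).items():
        print("state %d: %s" % (state, chars))
```

The cryptanalytic use follows directly: the same fit run on the letters of an unknown alphabet or a monoalphabetic ciphertext classifies symbols by their behaviour rather than their identity, which is a foothold before any frequency table is consulted. More states give finer roles (initial/final letters, doubled letters) at the cost of more data to fit them.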
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: random number generator???
Date: Sat, 27 Feb 1999 03:04:42 GMT
"R. Knauer" wrote:
> Don't worry - the NSA is working on quantum computers right now, and
> will be able to break any breakable cipher before you know it.
That's practically a tautology -- a practical working definition of
a "breakable cipher" is one that NSA can break, if they need to.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Unicity of English, was Re: New high-security 56-bit DES: Less-DES
Date: Sat, 27 Feb 1999 03:52:32 GMT
Dennis Ritchie wrote:
> http://cm.bell-labs.com/cm/cs/who/doug/crypt.html
Of course, the trick is that the message was specifically
engineered to have this property. Such a coincidence would
not have occurred by accident (to an extremely high degree
of confidence). One lesson might be that statistics covers
trends, not individuals.
------------------------------
From: Bryan Olson <[EMAIL PROTECTED]>
Subject: Re: Unicity of English, was Re: New high-security 56-bit DES: Less-DES
Date: Fri, 26 Feb 1999 19:40:38 -0800
[EMAIL PROTECTED] wrote:
> Bryan Olson wrote:
> >
> > You had implied that if key and message equivocation had to be
> > zero "at the same length of received text", that would make them
> > dependent.
>
> Which is of course true *if* that would be so ... but I used this argument to
> actually warn *against* such naive interpretation.
Given ciphertext, the two are not independent. Not given ciphertext,
they're independent, but it does not then follow that received text
does not relate them.
> Indeed, the key conditional
> entropy can be zero before the message's conditional entropy is zero and
> Dennis Ritchie just sent an example of that in this very thread! See the
> archives.
The key entropy is not zero anywhere in Ritchie's example.
> When Shannon's unicity is reached, this must be understood to mean that the
> message's a posteriori entropy becomes zero -- which is to say, the message's
> conditional entropy becomes zero or, in still other words, the intercepted
> amount of plaintext must provide a unique solution.
As I pointed out in the previous posts I believe Shannon implies
that the "unique solution" is the message corresponding to the
intercepted letters. As Shannon writes on page 686,
The summation H_E(K) is over all possible cryptograms of a certain
length, (say N letters) and over all keys. For H_E(M), the summation
is over all messages and cryptograms of length N. Thus H_E(K)
and H_E(M) are both functions of N, the number of intercepted letters.
> > You are right that
> > they are /a priori/ independent, but given ciphertext they are
> > related, as shown in Shannon's theorem 7.
>
> They are not related -- just write down the formulas and even see some of
> Shannon's own graphs. Insisting on this will take you nowhere.
Written and seen. If you don't think H_E(M) is zero at zero
intercepted letters, why do the graphs on pages 696 and 697 show
H_E(M) starting at (0,0) ? If you don't think message and key
equivocation is related given ciphertext, why does the graph on
697 show H_E(M) taking that quick turn and following H_E(K) down?
[...]
> > Shannon's random cipher model works perfectly well for a key space
> > of one key.
>
> There is no randomness in a transformation that only depends on one key of
> unity probability. Your affirmation above and the ones snipped below do not
> make sense.
I didn't say it's a cipher that looks random; I said Shannon's
random cipher model works perfectly well. In Shannon's
construction, randomness enters in exactly one place: each key
is mapped to a random transformation. Is there some reason that
this cannot be done for a one key keyspace?
> > You hold, correct me
> > if I'm wrong, that the message in question does not depend on the
> > number of intercepted letters; as the attacker intercepts more
> > letters, they form a longer prefix of (the ciphertext of) the same
> > message.
>
> I never said that -- I see you are getting mired in the muck. But, this list
> has archives, so they may serve a good purpose now.
So please tell, if the unicity distance is N, do you agree that the
message for which the N intercepted letters must provide a unique
solution is the N letter corresponding plaintext? If not, what
message are we talking about? If so, why do you think message
equivocation is not zero at zero intercepted letters?
> Please re-read my very
> first message that you replied to and see how much that is now clear and
> acceptable to you. BTW, you have so far in all your "granted" remarks already
> shown us so.
Re-read. I can't see what you mean.
> And, as I remarked here once, there are no winners or losers if discussion was
> done in good faith.
Well, I'm certain my side was done in good faith. How you could
read my previous post as anything other than a good faith attempt
to resolve an issue, I do not know.
--Bryan
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: New high-security 56-bit DES: Less-DES
Date: Sat, 27 Feb 1999 05:31:16 GMT
Bryan:
You are drowning yourself in a glass of water. This whole sub-thread is
really very simple: it is nonsense to talk about 'unicity distance' since it
is not a 'distance'. But, I am sure the world is not going to turn any slower
if you or Humpty-Dumpty call it whatever you guys like. But, please read on
since there may be an important realization in all this, at the end.
In article <[EMAIL PROTECTED]>,
Bryan Olson <[EMAIL PROTECTED]> wrote:
>
> [EMAIL PROTECTED] wrote:
>
> > Sorry... that is the rule. When I have to invoke Humpty-Dumpty then it is
> > time to stop reading -- if it is a technical matter, of course.
> >
> > But, you still did not answer my didactical question. I will pose it again:
> > "What is the distance of your hand?"
>
> I believe the question is nonsense.
Agreed, Bryan. That is why I asked four questions in sequence, that one being
the first. But, since you evidently missed out that clue and snipped out the
last three, I will reinstate their didactical order for you (btw, note the
word "didactical" used above -- that question was posed in order to induce a
lesson). The next didactical question was:
> > Note that this question is analogous to ask: "What is the unicity distance
> > of cipher C?"
Which, like the first, is nonsense... so, it is nonsense to ask about the
unicity distance of a cipher in the same way that it does not make sense to
ask what is the distance of your hand. Got it?
The third question is:
> > To help further, I will ask another question: "What is the number of fingers
> > in your hand?"
which is clearly answerable without any 'hand reference' -- five. This is not
a 'distance' question -- no reference is needed, it is a count like the
number of photons in a wave.
and then the consequence:
> > ... and its analogous: "What is the unicity of cipher C?"
which is clearly also answerable without a 'cipher reference' -- the unicity
value does not depend on a reference, it is a count, like the number of
messages you have written in this thread.
So, there is no need to get emotional about it and that is why I wrote way
back in my paper at http://www.mcg.org.br/uncity.htm that simple and
unpretentious note:
| NOTE: Please note that "unicity distance" is actually not a "distance". It
| is not a metric function and does not satisfy the intuitive properties we
| ascribe to distance. Thus, to reduce confusion, from now on I will only
| use the term "unicity".
Now, my last comment. The important realization that may result from all
this, as I mentioned above? The concept of 'unicity' is intensive, not
extensive. But, that is another whole can of worms, better left for future
msgs.
Cheers,
Ed Gerck
============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
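Whatever one calls it, the quantity the posts above argue over is a number that can be computed and checked against a brute-force count, so here is an added example of my own (the toy cipher, the key and the messages are constructed for it and appear nowhere in the thread). It evaluates Shannon's H(K)/D, and beside it counts, exhaustively, how many keys of a 16-bit toy cipher still decrypt an intercept of n characters into valid plaintext symbols as n grows.

```python
# Added example (mine; the toy cipher and numbers are not from the thread):
# Shannon's unicity N = H(K)/D for a key of H(K) bits and plaintext
# redundancy D bits per character, beside an exhaustive count of the keys
# that still "fit" an intercept of n characters for a toy cipher. The
# spurious-key count falling to zero is what the unicity value predicts.
import math

def unicity(key_bits: float, redundancy_bits_per_char: float) -> float:
    """Shannon's unicity: intercepted characters at which the expected number of spurious keys is ~1."""
    return key_bits / redundancy_bits_per_char

def expected_spurious(key_bits: float, redundancy_bits_per_char: float, n_chars: int) -> float:
    """Random-cipher model: (#keys - 1) * 2^(-n*D) keys other than the true one still decrypt to valid text."""
    return (2 ** key_bits - 1) * 2 ** (-n_chars * redundancy_bits_per_char)

# Toy cipher: plaintext over 27 symbols (a..z, space) carried in 8-bit bytes and
# XORed with a repeating 2-byte key, so H(K) = 16 bits and, taking the plaintext
# as uniform over its 27 symbols, D = 8 - log2(27) ~ 3.25 bits per character.
VALID = frozenset(b"abcdefghijklmnopqrstuvwxyz ")
KEY_BITS = 16
REDUNDANCY = 8 - math.log2(27)

def toy_encrypt(key, plaintext: bytes) -> bytes:
    """XOR with the repeating 2-byte key; decryption is the same call."""
    return bytes(b ^ key[i % 2] for i, b in enumerate(plaintext))

def surviving_keys(ciphertext: bytes) -> list:
    """All (k0, k1) keys under which the whole intercept decrypts to valid symbols.
    Each key byte acts on its own positions, so the search factorises into 2*256
    checks instead of 65536 without leaving any key out."""
    def fits(k, positions):
        return all((ciphertext[i] ^ k) in VALID for i in positions)
    evens = range(0, len(ciphertext), 2)
    odds = range(1, len(ciphertext), 2)
    k0s = [k for k in range(256) if fits(k, evens)]
    k1s = [k for k in range(256) if fits(k, odds)]
    return [(k0, k1) for k0 in k0s for k1 in k1s]

if __name__ == "__main__":
    key = (0x5A, 0xC3)                                   # hypothetical key
    plaintext = b"attack at dawn and hold the ridge"     # constructed message
    ct = toy_encrypt(key, plaintext)
    print("unicity for this toy cipher: %.1f chars" % unicity(KEY_BITS, REDUNDANCY))
    print("unicity for a 56-bit key and English at 3.2 bits/char: %.1f chars" % unicity(56, 3.2))
    for n in range(1, 13):
        print("n=%2d  surviving keys=%5d  Shannon expects ~%.1f spurious"
              % (n, len(surviving_keys(ct[:n])), expected_spurious(KEY_BITS, REDUNDANCY, n)))
```

Two things the run makes visible. First, the survivor count is a function of how many characters were intercepted, and the true key is always among the survivors; what shrinks is the set of impostors. Second, the first two characters cut 65536 keys to exactly 27*27 = 729 (one constraint per key byte), after which each further pair of characters divides the count by roughly (256/27)^2, in line with the expected_spurious curve. The 3.2 bits/char figure for English is the commonly quoted one; it is an estimate, so 56/3.2 = 17.5 characters for a 56-bit key is an estimate too.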
------------------------------
Date: Sat, 27 Feb 1999 01:01:58 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Testing Algorithms
Patrick Juola wrote:
> In article <7b53f6$649$[EMAIL PROTECTED]>,
> Doggmatic <[EMAIL PROTECTED]> wrote:
> >In article <[EMAIL PROTECTED]>,
> > [EMAIL PROTECTED] (Steven Runyeard) wrote:
> >> >No. The guess is only as valid as the assumptions it is based upon.
> >> >Since you have based yours on nothing concrete, your guess is pretty
> >> >useless.
> >>
> >> I don't agree. Because we are brought up in an environment with a
> >> certain level of technology it's hard to imagine anything much
> >> different. Let's look back at the technology surrounding Babbage in
> >> the late 1800s. If anyone had suggested to him that within 100 years
> >> someone could build a processor about an inch square that could
> >> perform 2,000,000,000 instructions per second he would have sent them
> >> to the nearest nut house. It would have taken a massive leap of faith
> >> to believe it was possible. I feel that in another 100 years we would
> >> have made an equally 'unbelievable' leap in technology. Don't limit
> >> your thinking to the size of computers the size of molecules and
> >> atoms. What about a computer made of super strings? Maybe even
> >> smaller. Who knows? The point is we don't know what lies ahead of us.
> >> My guess is no more worthless than yours.
> >>
> >> Steve
> >>
> >
> > Okay .. given all that, as long as your computer is made of matter (or
> >even, anti-matter, I conjecture), it will conform (nasty word!) to the laws
> >of thermodynamics. Bruce Schneier brought up the point in his book. Every
> >action takes a discrete amount of energy to perform and thus, even if your
> >computer can load registers at speeds approaching light-speed, you still have
> >to power it.
>
> This point is incorrect, no matter how many times Schneier's book is
> quoted. There is *no* minimum energy required for computation.
>
There is no minimum energy per reversible computation. There is a minimum energy
per irreversible computation. Between these two true statements lies lots of room
for misunderstanding.
They also raise a question about physics as derived from computation theory. Is
the universe modeled as based on reversible computation or not?
------------------------------
Date: Sat, 27 Feb 1999 01:04:33 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Testing Algorithms
Somniac wrote:
> Patrick Juola wrote:
> in response to someone:
> >Every
> > >action takes a discrete amount of energy to perform and thus, even if your
> > >computer can load registers at speeds approaching light-speed, you still have
> > >to power it.
> >
>
> > This point is incorrect, no matter how many times Schneier's book is
> > quoted. There is *no* minimum energy required for computation.
> >
> > -kitten
>
> This is good news. Where can I buy a computer or logic gate that takes no
> energy? I want one.
I believe there is a difference between computation that requires no energy and
computation that requires an arbitrarily small amount of energy. Reversible
computation falls into the latter category.
> For example, I want to buy one XOR gate that gives
> back one energy unit when it goes to a zero, and takes one energy unit
> when its output goes to a one. Is it made with one molecule? Is it solid
> state or gas? I want to manufacture a 64 bit wide IC XOR gate using this
> technology. Where can I purchase a license? What is the patent number?
> Which journal describes its behaviour? I hope that you will not say one
> has never been built. Do I need to build a black hole to make it work?
> Does it need to travel near the speed of light to function efficiently?
> Does it need to be at absolute zero temperature to give back the energy
> it uses? Please explain its principles or give a reference book citation.
> I have heard of a theory like that but it was never built. Such an
> attractive logic gate should be built, unless it is impractical.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************