Cryptography-Digest Digest #155, Volume #9       Sun, 28 Feb 99 00:13:03 EST

Contents:
  Re: Testing Algorithms ("Trevor Jackson, III")
  A New Public-Key Cryptosystem (Cryptoad)
  Re: A New Public-Key Cryptosystem (Cryptoad)
  Re: Testing Algorithms [moving off-topic] (Darren New)
  Re: Unicity of English, was Re: New high-security 56-bit DES: Less-DES ([EMAIL PROTECTED])
  Re: Scramdisk File ("Sam Simpson")
  Re: Quantum Computation and Cryptography (Anthony Stephen Szopa)
  Can the quantum computer determine the truth from a lie? (Anthony Stephen Szopa)

----------------------------------------------------------------------------

Date: Sat, 27 Feb 1999 19:54:45 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Testing Algorithms

R. Knauer wrote:

> On Sat, 27 Feb 1999 14:45:39 -0500, "Trevor Jackson, III"
> <[EMAIL PROTECTED]> wrote:
>
> >> Yes, but it does not have to consume energy. By returning to the
> >> original state, all the energy needed to trigger it was returned. The
> >> concept of reversibility involves a closed cycle.
>
> >I think not.  There must be some non-zero energy expenditure or we're into perpetual
> >motion.
>
> Perpetual motion means that you can extract MORE work than is
> available in the form of stored energy. In a totally non-dissipative
> environment, a reversible system can cycle forever.
>
> >For example, an object passing a massive body on an open (hyperbolic) orbit
> >experiences gravity as a conservative force.  But, inevitably, the energy available
> on exit is going to be less than that available on entry.
>
> Not if the only force is gravity.
>
> >Even in the hardest vacuum with no friction against an ambient medium, the tidal
> >effects will heat both objects a tiny amount as a side effect of the frictional
> >losses internal to the objects.  That energy is lost.
>
> You are introducing extraneous features. Those tidal effects are
> caused by irreversible processes.

False.  Gravity stretches objects along an axis parallel to the gravity vector and
compresses them in the plane normal to the gravity vector.  These relative forces are
called tides.

The irreversibility and concomitant loss of energy is the internal friction that resists
the deformation of the object by the tidal forces.  Only a tidally locked object (whose
rotation matches its revolution) avoids tidal frictions.

Note that even in the case of mutually locked bodies the system eventually degenerates due
to loss of orbital energy during interactions with the cosmic background radiation.

>
>
> Bob Knauer
>
> "If you want to build a robust universe, one that will never go wrong, then
> you don't want to build it like a clock, for the smallest bit of grit will
> cause it to go awry. However, if things at the base are utterly random, nothing
> can make them more disordered. Complete randomness at the heart of things is the
> most stable situation imaginable - a divinely clever way to build a universe."
> -- Heinz Pagels




------------------------------

From: [EMAIL PROTECTED] (Cryptoad)
Subject: A New Public-Key Cryptosystem
Date: 28 Feb 1999 02:28:21 GMT



In the continuum of plaintext/ciphertext mappings (encryptions) between those
that can be achieved deterministically, e.g. by a nonsingular matrix and those
that can be achieved only by table lookup (random mappings), there is a vast
hierarchy of ever more complex (larger) programmable mappings.  It appears that
Craig's proposed mappings -- and most contemporary encryption systems -- lie in
this territory.  It seems significant that S-box functions in contemporary
cryptosystems move mappings in the direction of table lookup.   I think the
essence of the Craig query is this: can one with a reasonable work factor
reverse a nonsingular mapping (encryption) achieved by a  rectangular  "public
key matrix (PKM)" ?  In such a system, bit states in the plaintext select rows
in the PKM which are XOR'd to produce the ciphertext.  The plaintext can be
recovered with secret private key information (not shown in his example). 
However, if the rows which were selected to produce the ciphertext can be
computed solely from the PKM and the ciphertext, then the system is manifestly
insecure.  


------------------------------

From: [EMAIL PROTECTED] (Cryptoad)
Subject: Re: A New Public-Key Cryptosystem
Date: 28 Feb 1999 02:29:53 GMT



In the continuum of plaintext/ciphertext mappings (encryptions) between those
that can be achieved deterministically, e.g. by a nonsingular matrix and those
that can be achieved only by table lookup (random mappings), there is a vast
hierarchy of ever more complex (larger) programmable mappings.  It appears that
Craig's proposed mappings -- and most contemporary encryption systems -- lie in
this territory.  It seems significant that S-box functions in contemporary
cryptosystems move mappings in the direction of table lookup.   I think the
essence of the Craig query is this: can one with a reasonable work factor
reverse a nonsingular mapping (encryption) achieved by a  rectangular  "public
key matrix (PKM)" ?  In such a system, bit states in the plaintext select rows
in the PKM which are XOR'd to produce the ciphertext.  The plaintext can be
recovered with secret private key information (not shown in his example). 
However, if the rows which were selected to produce the ciphertext can be
computed solely from the PKM and the ciphertext, then the system is manifestly
insecure.  
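
Added example, not part of Cryptoad's post or of Craig's proposal: if encryption is nothing more than the XOR of the PKM rows selected by the plaintext bits, the selection follows from the public matrix and the ciphertext by Gaussian elimination over GF(2). The function names, the 3x4 test matrix and the seeded random matrix are constructed for illustration.

```python
import random

def encrypt(pkm, bits):
    """XOR together the PKM rows selected by the 1-bits of the plaintext."""
    c = 0
    for row, bit in zip(pkm, bits):
        if bit:
            c ^= row
    return c

def build_basis(pkm):
    """Gaussian elimination over GF(2).  Maps leading-bit position ->
    (reduced vector, bitmask of the original rows XORed to obtain it)."""
    basis = {}
    for i, vec in enumerate(pkm):
        mask = 1 << i
        while vec:
            top = vec.bit_length() - 1
            if top not in basis:
                basis[top] = (vec, mask)
                break
            vec ^= basis[top][0]   # cancel the leading bit
            mask ^= basis[top][1]  # and remember which rows were used
    return basis

def recover_selection(pkm, ciphertext):
    """Return the plaintext bits using only public data, or None if the
    ciphertext is not an XOR of PKM rows."""
    basis = build_basis(pkm)
    vec, mask = ciphertext, 0
    while vec:
        top = vec.bit_length() - 1
        if top not in basis:
            return None
        vec ^= basis[top][0]
        mask ^= basis[top][1]
    return [(mask >> i) & 1 for i in range(len(pkm))]

def make_pkm(k, n, seed):
    """Constructed sample: k linearly independent random n-bit rows (n >= k)."""
    rng = random.Random(seed)
    while True:
        rows = [rng.getrandbits(n) for _ in range(k)]
        if len(build_basis(rows)) == k:
            return rows

if __name__ == "__main__":
    pkm = make_pkm(64, 96, seed=1999)           # rectangular 64 x 96 matrix
    rng = random.Random(7)
    plaintext = [rng.getrandbits(1) for _ in range(64)]
    c = encrypt(pkm, plaintext)
    print(recover_selection(pkm, c) == plaintext)
```

The work is polynomial in the matrix dimensions, so a scheme of this shape needs something beyond the linear row selection for the private key to matter.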

------------------------------

From: Darren New <[EMAIL PROTECTED]>
Subject: Re: Testing Algorithms [moving off-topic]
Date: Sun, 28 Feb 1999 03:16:48 GMT

> > Think of it this way -- what's the minimum amount of energy necessary
> > to move a brick five feet (horizontally)? 

One photon?

-- 
Darren New / Senior Software Architect / MessageMedia, Inc.
     San Diego, CA, USA (PST).  Cryptokeys on demand.
                 "Be.... the email."

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Unicity of English, was Re: New high-security 56-bit DES: Less-DES
Date: Sun, 28 Feb 1999 00:05:11 GMT

In article <[EMAIL PROTECTED]>,
  Bryan Olson <[EMAIL PROTECTED]> wrote:
>
>
> [EMAIL PROTECTED] wrote:
> >   Bryan Olson wrote:
> > >
> > > You had implied that if key and message equivocation had to be
> > > zero "at the same length of received text", that would make them
> > > dependent.
> >
> > Which is of course true *if* that would be so ... but I used this argument
> > to actually warn *against* such naive interpretation.
>
> Given ciphertext, the two are not independent.

No. Given ciphertext, the two equivocations are still independent -- as they
measure different things and they also depend on the type of cipher used,
number of keys, plaintext entropy, etc.  And, for a given message length,
message equivocation can be zero much before key equivocation is zero -- see
Fig. 9 in Shannon's paper for example.

So, both conditional entropies (ie, equivocations) ARE independent equations
and there can be no doubts about it.

Rather, it seems to me that you are confusing instances of an equation
(values) with the equation itself. The fact that two equations may agree on
an instance (value) for a particular case does not make them dependent. For
example if I say you wrote so far 19 times on this subject, that does not
make you or your actions dependent on someone else that wrote 19 times on
another thread here, nor implies that such will be always true for any
thread's subject.

> > Indeed, the key conditional
> > entropy can be zero before the message's conditional entropy is zero and
> > Dennis Ritchie just sent an example of that in this very thread! See the
> > archives.
>
> The key entropy is not zero anywhere in Ritchie's example.

Perhaps I was not clear. Let me go to the original article Dennis quoted, at
http://cm.bell-labs.com/cm/cs/who/doug/crypt.html
which describes a ciphertext-only decryption of a substitution cipher.

Of course, each of Doug's two tentative "Maine drag" solutions depends on a
different substitution key, but ...what is the key equivocation? Zero, or
not? A reader may believe that key equivocation is not zero, since you can
sort of read both tentative solutions, and this coincides with your opinion
above.

However, even though Doug provided two tentative messages on equal footing in
regard to English understanding, he did NOT claim that the two corresponding
keys are equally possible. If he would have done that it would be wrong IMO,
since the unigram, digram and trigram, etc. letter frequencies that result
from each key usage must NOT be the same in both messages. In other words,
the key that provides the best fit to the English language entropy
characteristics must be preferred over others in a ciphertext-only analysis
(which is the case posed by Doug).

I would take that this (rather than a mistake made by him) was what led Doug to
write the somewhat ambiguous comment text: "Maine, at 129 letters long, far
surpasses Shannon's `unicity distance' of about 30 letters, beyond which it is
almost sure that any solution to a cryptogram is the only solution."

Indeed,  entropy-wise, since Maine has 129 letters and is in English ...one
of the two tentative keys MUST be far more likely than the other since 129 >>
30. To say otherwise is to contradict known English statistics for unigrams,
digrams, etc. -- which is not likely at all for a relatively long message of
129 letters... and that is why unicity of such ciphers is 30 letters ....

And, by unigram count alone, I can easily advance which key is the expected
one. I am "almost sure" (using Doug's wording) that the first message 'I hear
fool...' corresponds to the expected key, based on entropy analysis. As
proof, I note that the first message *consistently* uses common English
letters as key-pairs to uncommon English letters in the second message.

For example, let me analyze "e" and "a" as key-substitution pairs -- while
the first message uses more "e" than "a" letters, in the second message "a"
is more used than "e", which is not natural since "e" is 50% more likely than
"a" in English. The same respectively happens with "a" for "i" (a is +73% of
i), "t" for "d" (t is +130% of d), etc. when comparing the first message with
the second.

So, the first message depends on a substitution key which more naturally
follows English statistics. Thus, its key conditional entropy should
*decrease* as the message length *increases* from zero to 129 letters and
more data points are known. In fact, I agree with Dennis that this message is
the correct choice from Doug's riddle and this makes it have zero key
equivocation to me -- in other words, given the ciphertext (which was NOT
given but this is irrelevant here) I can immediately enumerate the
substitution-key and this signifies that the key has zero equivocation.

This much is perhaps clear. It is a standard application of known principles
-- already exemplified 50 years ago by Shannon.

Now, a strange thing happens as I read Dennis' comment to Doug's example --
and I should have made clear what was my reading of it. Dennis asks "What's
the message?"

I liked that comment because, in my reading of it, it highlights that even
though the key is known without ambiguity, the message is not clear -- the
message itself is obscure, with different interpretations as seen by its
possible rendering 'A swell buffoon fishing...' already given by Doug.

So, in this case, key equivocation is zero but message equivocation is not --
as I commented in my original message.

Which is worth noting that it goes blatantly against Shannon's Fig. 9 for the
*same* type of cipher and shows that his Fig. 9 was correct for his system
(plaintext/ciphertext/cipher) but NOT for all other substitution ciphers, much
less for any other cipher system. Of course, Shannon did not say that his
Fig. 9 applied to all substitution ciphers, nor implied it might to all
ciphers. But, you Bryan did and that is why I made the comment -- as a
counter-example.

The reason for this behavior in Doug's case is that we actually have *two*
cipher systems in series. The decrypted message  'I hear  fool...' is correct
... but is not yet the actual plaintext, which is suggested to be  'A swell
buffoon fishing...' and is provided by solving a second (implicit) cipher
system.

Which I used to show in a practical thread-example that key equivocation is
not only independent from message equivocation but their calculations are
actually based on entirely different grounds. And, that neither unambiguously
define what unicity is, which depends on the end-to-end
(plaintext-to-plaintext) transformation as I exemplified and calculated here
for M-DES with the final XOR encryption and its unicity calculation.

But, one may ask, what is a cipher's unicity after all? Simple, it depends
*where* your plaintext is. If your plaintext is right after the substitution
cipher, then the unicity is 30 letters for English. But, if plaintext is still
further down, with a second interpretation/decipherment, then unicity will
possibly be different, it can be larger ... or ... even smaller.

That is also one of the reasons why unicity is an intensive measurement, not
an extensive one. Unicity is a number that stands out for a property of the
whole system (like temperature) and not a number that can be obtained by
adding its property values for separated parts of the system (like
bit-strength, adding 56-bit of DES with 14-bit from the post-encryption XOR
of M-DES, to obtain 70-bit security).

And, that is why the unicity of plain English or of a derived-language plays
an important role in the system's unicity.


> > Bryan Olson also wrote:
> > > Shannon's random cipher model works perfectly well for a key space
> > > of one key.
> >

> Ed Gerck replied:
> > There is no randomness in a transformation that only depends on one key of
> > unity probability. Your affirmation above and the ones snipped below do not
> > make sense.

and Bryan's rejoinder:
>
> I didn't say it's a cipher that looks random; I said Shannon's
> random cipher model works perfectly well.

Model for what? Works well for what? Shannon's random cipher model was used by
him to model decipherment statistics.

But, it needs at least two keys -- otherwise, the only assumed cause of
variability does not exist. When you have just one key with unity probability
it does not make sense to use such model since it cannot provide variability,
it cannot provide the different interpretations for the plaintext (see my
comments above to Doug's example) which yet exist and must be accounted for.
So, the random cipher model will not work to provide a valid unicity formula
in this case. It will lead to wrong results in n = H(K)/D.

Cheers,

Ed Gerck

============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/       Search, Read, Discuss, or Start Your Own    
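
Added example, not part of Ed Gerck's post: the formula n = H(K)/D evaluated for a simple substitution cipher, followed by the unigram comparison the post describes, in which two candidate decryptions differ by the key pairs e/a and t/d. The redundancy D = 3.2 bits per letter, the frequency table and the sample sentence are assumptions constructed here; the sentence is not Doug's cryptogram.

```python
import math

# Approximate English letter frequencies in percent (a commonly cited table).
ENGLISH_PCT = dict(zip("abcdefghijklmnopqrstuvwxyz", [
    8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15, 0.77, 4.03,
    2.41, 6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06, 2.76, 0.98, 2.36, 0.15,
    1.97, 0.07]))
TOTAL = sum(ENGLISH_PCT.values())

def unicity_distance(key_entropy_bits, redundancy_bits_per_letter):
    """n = H(K) / D, in letters."""
    return key_entropy_bits / redundancy_bits_per_letter

def substitution_key_entropy():
    """H(K) for a uniformly chosen permutation of 26 letters, in bits."""
    return math.log2(math.factorial(26))

def unigram_log_likelihood(text):
    """log2 probability of the letters of text under the unigram model."""
    return sum(math.log2(ENGLISH_PCT[ch] / TOTAL)
               for ch in text.lower() if ch in ENGLISH_PCT)

def swap_letters(text, pairs):
    """Candidate plaintext under a key that differs in the given letter pairs."""
    table = {}
    for a, b in pairs:
        table[ord(a)] = b
        table[ord(b)] = a
    return text.translate(table)

def rank_candidates(candidates):
    """Most English-like candidate first, judged by unigram statistics only."""
    return sorted(candidates, key=unigram_log_likelihood, reverse=True)

# Constructed sample: one English sentence and the reading obtained from a
# key in which e/a and t/d are exchanged.
CANDIDATE_A = "the letter sent yesterday went better than expected"
CANDIDATE_B = swap_letters(CANDIDATE_A, [("e", "a"), ("t", "d")])

if __name__ == "__main__":
    n = unicity_distance(substitution_key_entropy(), 3.2)
    print(f"unicity distance, simple substitution: {n:.1f} letters")
    for cand in rank_candidates([CANDIDATE_B, CANDIDATE_A]):
        print(f"{unigram_log_likelihood(cand):8.1f}  {cand}")
```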

------------------------------

From: "Sam Simpson" <[EMAIL PROTECTED]>
Subject: Re: Scramdisk File
Date: Mon, 22 Feb 1999 09:51:15 -0000

=====BEGIN PGP SIGNED MESSAGE=====
Hash: SHA1

Gregg,

Are you still having problems?

(Please don't think I'm patronising with these questions, but it's easy
to make a simple mistake - even as an experienced user....)

Have you checked your Caps Lock key isn't on?

Have you changed any system software in the last day?

Have you upgraded ScramDisk in the last day?


It may be worth running an exhaustive scandisk against the host drive.


Please let me know if you continue to have problems,

- --
Sam Simpson
Comms Analyst
http://www.hertreg.ac.uk/ss/ for ScramDisk hard-drive encryption &
Delphi Crypto Components.  PGP Keys available at the same site.
If you're wondering why I don't reply to Sternlight, it's because he's
kill filed.  See http://www.openpgp.net/FUD for why!

Gregg Berkholtz wrote in message <[EMAIL PROTECTED]>...
>I am having difficulty mounting my scramdisk file.
>It worked fine yesterday (multiple mount/dismounts) I have the password
>written down (kept in wallet until I remember it, then it will be eaten)
>and have tried entering it multiple times with no success. I have also
>tried variations of the password.
>
>I can mount my other files on this disk but this one does not mount.
>
>The disk is a single FAT32 Partition on a Seagate 10.6 Gb running Win95.
>
>The file I am trying to mount was created with 1024Kb specified as the
>size.
>
>Life just plain sucks sometimes. I just got my tape backup today and I
>have a customer waiting on a final copy of a database program. :-(
>
>Any help is GREATLY appreciated!
>
>Gregg Berkholtz
>
=====BEGIN PGP SIGNATURE=====
Version: PGP 6.0.2

iQA/AwUBNtEoju0ty8FDP9tPEQLeHgCgkPrnQU9kCboKP3ay48RuIHPCEj8An29z
m94IrX2PhwJ0mSYNkgrUG3tx
=Hedp
=====END PGP SIGNATURE=====




------------------------------

From: Anthony Stephen Szopa <[EMAIL PROTECTED]>
Subject: Re: Quantum Computation and Cryptography
Date: Sat, 27 Feb 1999 20:19:41 -0800
Reply-To: [EMAIL PROTECTED]

"R. Knauer" wrote:

> On Fri, 26 Feb 1999 06:16:26 +0100, fungus
> <[EMAIL PROTECTED]> wrote:
>
> >> A quantum computer results in an exponential increase in computing
> >> capability. That's because it contains all eigenstates simultaneously,
> >> like a massively parallel classical machine. These eigenstates
> >> interact in an exponentially large manner as the computer steps along.
>
> >Ok, so we know the result's in there somewhere...
>
> >...but how do we get it out?
>
> I am only up to the part in the book where the authors are discussing
> the Feynman quantum computer. In his design, there are so-called
> cursor qubits (quantum bits) that keep track of how far the
> computation has progressed internally. Once the cursor shows up at the
> last possible position, the calculation is finished and the answer is
> guaranteed to be correct.
>
> Interestingly each time the simulation is run it takes a different
> number of steps to get the answer, since the machine evolves
> differently each time. IOW, the time to completion of the computation
> is indeterminant.
>
> Bob Knauer
>
> "Did you ever notice that when a politician does get an idea
> he usually gets it all wrong?"

Can the quantum computer determine the truth from a lie?  In other words, I
have a message and add lots of leading and trailing bits of random noise.
And interspersed throughout the message I also insert random noise.

Then I encrypt the message.  My recipient has the key that will not only
decrypt the message but remove all the random noise as well.

How will the quantum computer determine the correct intelligence communicated
from what was essentially a message that lied?

Quantum computers may be smart:  like an idiot savant child.

As far as good encryption is concerned, quantum computers pose no real
threat.

The idea that by inputting an encrypted message into a black box quantum
computer and that it will absolutely output the correct encrypted message is
preposterous.

This is just more dogma from another stupid religion.



------------------------------

From: Anthony Stephen Szopa <[EMAIL PROTECTED]>
Crossposted-To: alt.privacy,talk.politics.crypto
Subject: Can the quantum computer determine the truth from a lie?
Date: Sat, 27 Feb 1999 20:21:11 -0800
Reply-To: [EMAIL PROTECTED]

Can the quantum computer determine the truth from a lie?  In other
words, I have a message and add lots of leading and trailing bits of
random noise.  And interspersed throughout the message I also insert
random noise.

Then I encrypt the message.  My recipient has the key that will not only
decrypt the message but remove all the random noise as well.

How will the quantum computer determine the correct intelligence
communicated from what was essentially a message that lied?

Quantum computers may be smart:  like an idiot savant child.

As far as good encryption is concerned, quantum computers pose no real
threat.

The idea that by inputting an encrypted message into a black box quantum
computer and that it will absolutely output the correct encrypted
message is preposterous.

This is just more dogma from another stupid religion.


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
