Cryptography-Digest Digest #168, Volume #9        Mon, 1 Mar 99 15:13:04 EST

Contents:
  Re: paper on all 15 AES candidates ?? (Fauzan Mirza)
  Re: compression?security
  Opinions on Microsoft's CryptoAPI? (Paul)
  Re: New high-security 56-bit DES: Less-DES ([EMAIL PROTECTED])
  environmental key generation (nobody)
  Re: My Book "The Unknowable" (R. Knauer)
  Re: True Randomness - DOES NOT EXIST!!! (R. Knauer)
  Re: Common meaning misconception in IT, was Re: Unicity of English, was Re: New 
high-security 56-bit DES: Less-DES (John Savard)
  Re: Quantum Randomness (Bill Unruh)
  Re: Unicity of English, was Re: New high-security 56-bit DES: Less-DES 
([EMAIL PROTECTED])
  Re: Can the quantum computer determine the truth from a lie? (Bill Unruh)

----------------------------------------------------------------------------

From: Fauzan Mirza <[EMAIL PROTECTED]>
Subject: Re: paper on all 15 AES candidates ??
Date: 1 Mar 1999 17:54:23 GMT
Reply-To: [EMAIL PROTECTED] (Fauzan Mirza)

[EMAIL PROTECTED] wrote:
> Christopher Jobmann <[EMAIL PROTECTED]> writes:
>>I'm looking for a paper (or any other information) giving a brief
>>overview over all the 15 AES candidates, considering underlying
>>structure (Feistel-Network, SP-Network and such), Numbers of Rounds, as
>>well as safety (I heard a couple of the candidates are already broken -
>>is that true ??).

> I have comments on some of that in my paper:

> L. Brown, " A Current Perspective on Encryption Algorithms", to be
> presented at the UniforumNZ'99 conference in NZ, April 1999. This has
> been revised from the version presented to AUUG98. You can grab it from:

> http://www.adfa.edu.au/~lpb/papers/unz99.html

> The references include pointers to a number of other sites with additional
> comments.

> As to the broken ciphers - there are major problems known for: 
> DEAL, FROG, LOKI97 (sigh!!!), and MAGENTA, as well as some minor
> caveats on DFC and MARS.

Also, Twofish has an interesting property which will be described
at the AES conference. The AES version of the paper can be downloaded
from either Sean Murphy's or my home page.

Fauzan

==================================================================
 Fauzan Mirza                Department of Mathematics
 Research Postgraduate       Royal Holloway, University of London
==================================================================

------------------------------

From: [EMAIL PROTECTED] ()
Subject: Re: compression?security
Date: 1 Mar 1999 18:23:04 GMT

[Posted and mailed]

In article <[EMAIL PROTECTED]>,
        Somniac <[EMAIL PROTECTED]> writes:
> alex wrote:
>> 
>> Hi,
>>   Can any experts tell me what is the relationship between data
>> compression and data security?  I am new in security and so where can I
>> pick up some basic material?
>> Thanks
> 
> Compression does not provide enough security to be safe from educated
> cryptanalysts. But it can provide a small amount of security if you know 
> that your adversary is only one uneducated person. For example, maybe you 
> do not want your father to read you messages on a home computer that both 
> of you share. Then if you compress the messages, store the decompression 
> program on a floppy disk that you hide in your school locker, then it may 
> be safe. You may know that your father does not know about compression 
> software, and so, you can feel secure that your known adversary does not 
> have the technical knowledge to crack the code.

I think the question was in the sense of information theory, since both
compression and encryption are forms of source coding, and there are some
theorems that apply to both:
Shannon gives a theorem that data can be compressed up to its level of
entropy, and we measure the security of a cryptosystem by the relative entropy
(relative information) H(Y|X), where X is a message, Y is its ciphertext and
H is the entropy function. In particular,
Def: A cryptosystem is unconditionally secure if H(Y) - H(Y|X) = 0.
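
Shannon's measure from the definition above, worked through on a toy model as
an added example (this code is mine, not the poster's; the alphabet, the
plaintext distribution and both key distributions are constructed for
illustration): a one-time pad over Z_4, where H(Y) - H(Y|X) comes out to
exactly zero, beside a shift cipher that only ever uses two of the four
shifts, where it does not.

```python
"""Added example: H(Y) - H(Y|X) computed exactly for two toy ciphers.

Everything here is constructed: messages X over Z_N with a skewed
distribution PX, a key K independent of X, ciphertext Y = (X + K) mod N.
With the key uniform over all N shifts this is a one-time pad on Z_N and
X, Y are independent, so H(Y) - H(Y|X) = 0.  With the key restricted to
two shifts the ciphertext carries information about the message.
"""
from itertools import product
from math import log2


def entropy(dist):
    """Shannon entropy, in bits, of a distribution given as {symbol: probability}."""
    return -sum(p * log2(p) for p in dist.values() if p > 0)


def joint_xy(px, pk, enc):
    """Joint distribution of (plaintext, ciphertext) when X and K are independent."""
    joint = {}
    for (x, p_x), (k, p_k) in product(px.items(), pk.items()):
        pair = (x, enc(x, k))
        joint[pair] = joint.get(pair, 0.0) + p_x * p_k
    return joint


def marginal_y(joint):
    """Marginal distribution of the ciphertext Y from the joint (X, Y) table."""
    py = {}
    for (_, y), p in joint.items():
        py[y] = py.get(y, 0.0) + p
    return py


def entropy_y_given_x(joint, px):
    """H(Y|X) = sum over x of p(x) * H(Y | X = x)."""
    total = 0.0
    for x, p_x in px.items():
        cond = {y: p / p_x for (xx, y), p in joint.items() if xx == x}
        total += p_x * entropy(cond)
    return total


def leakage(px, pk, enc):
    """Return (H(Y), H(Y|X), H(Y) - H(Y|X)); the last is the mutual information I(X;Y)."""
    joint = joint_xy(px, pk, enc)
    h_y = entropy(marginal_y(joint))
    h_y_given_x = entropy_y_given_x(joint, px)
    return h_y, h_y_given_x, h_y - h_y_given_x


N = 4


def shift(x, k):
    """Cipher: additive shift on Z_N (a Vernam step on a 4-symbol alphabet)."""
    return (x + k) % N


PX = {0: 0.5, 1: 0.25, 2: 0.125, 3: 0.125}     # constructed, deliberately skewed plaintext
OTP_KEY = {k: 1.0 / N for k in range(N)}       # uniform over all shifts: one-time pad on Z_N
WEAK_KEY = {0: 0.5, 1: 0.5}                    # only two of the four shifts ever used

if __name__ == "__main__":
    for name, pk in (("one-time pad", OTP_KEY), ("two-key shift", WEAK_KEY)):
        h_y, h_y_x, info = leakage(PX, pk, shift)
        print(f"{name:14s} H(Y)={h_y:.4f}  H(Y|X)={h_y_x:.4f}  H(Y)-H(Y|X)={info:.4f}")
```

For the pad the difference is exactly 0, which is the definition above; for the
restricted key it is about 0.88 bits per symbol, i.e. observing Y narrows down
X. Computing H(X) - H(X|Y) instead gives the same number, since mutual
information is symmetric.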


------------------------------

From: [EMAIL PROTECTED] (Paul)
Subject: Opinions on Microsoft's CryptoAPI?
Date: Mon, 01 Mar 1999 18:59:37 GMT
Reply-To: [EMAIL PROTECTED]

Are there any opinions on Microsoft's CryptoAPI?

Paul


------------------------------

From: [EMAIL PROTECTED]
Subject: Re: New high-security 56-bit DES: Less-DES
Date: Mon, 01 Mar 1999 18:28:02 GMT

In article <[EMAIL PROTECTED]>,
  Bryan Olson <[EMAIL PROTECTED]> wrote:
>
> [EMAIL PROTECTED] wrote:
> > You are drowning yourself in a glass of water. This whole sub-thread is
> > really very simple: it is nonsense to talk about 'unicity distance' since it
> > is not a 'distance'.
>
> Unicity distance makes perfect sense because it is perfectly well
> defined.
>

Not as a distance. You miss the main point here. The main point is not that
you should not say "unicity distance" when referring to unicity but that
unicity is NOT a distance -- it does not have the mathematical properties of
a metric function and offers a series of other possibilities which
metric functions do not have. So, there is understanding of a different sort
here -- not only terminology.

The secondary point is that, once you realize that unicity is not a distance
then .. how could you continue to call it a distance? A good lawyer should not
try to defend a cause where his conscience confutes his tongue ;-)

> > But, I am sure the world is not going to turn any slower
> > if you or Humpty-Dumpty call it whatever you guys like.
>
> Us guys?  It's part of the technical terminology of the
> discipline.

As we can read for 50 years -- but history is not an argument, Bryan, since
distance has been used in a quite different sense for more than 4,000 years.
Further, when I wanted to revisit the unicity concept, the first point which
needed to be changed in order to enlarge its scope was that added term
"distance" which buys you nothing and contradicts other properties of unicity
that can be deduced.


> > Which, likewise the first, is nonsense... so, it is nonsense to ask about
> > the unicity distance of a cipher in the same way that it does not make sense
> > to ask what is the distance of your hand. Got it?
>
> The "it" that I get is a misunderstanding of terms of art. Unicity
> distance is well defined in cryptology.  Just think of it as one
> term, not two words.  I'm not aware of any definition for the
> distance of a hand.
>

Of course you are not aware of any definition for the distance of a hand,
because mathematicians have been careful enough. Since cryptography is a
branch of mathematics I believe that all terms should be coherently used as
much as possible -- otherwise, we will soon be talking pidgin-crypto.

I won't quibble if you want to use it personally, but this discussion is
public.

Cheers,

Ed Gerck

============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/       Search, Read, Discuss, or Start Your Own    

------------------------------

From: nobody <[EMAIL PROTECTED]>
Subject: environmental key generation
Date: Mon, 01 Mar 1999 13:37:25 -0500

I am a student looking for information on environmental key generation.
If anyone has any information I would appreciate it.




------------------------------

From: [EMAIL PROTECTED] (R. Knauer)
Crossposted-To: sci.math,sci.physics,sci.logic
Subject: Re: My Book "The Unknowable"
Date: Mon, 01 Mar 1999 19:19:00 GMT
Reply-To: [EMAIL PROTECTED]

On Mon, 01 Mar 1999 16:26:44 GMT, Neil Nelson <[EMAIL PROTECTED]>
wrote:

>That's right.  _True Randomness_ is a self contradictory (paradoxical)
>notion.

Only when you try to describe it formally (see below).

>I am having trouble with this sequence.   There is: (1) the message to
>be  secured,  (2)  the  key  sent  by a  secure  channel,  and (3) the
>encrypted message sent openly.  If I needed to run an XOR each time to
>get my key that would be the length of my  intended  message and could
>send the key  securely,  I should  just send my message  securely  and
>forget encryption.

I did not intend that example to be the protocol for an actual
cryptosystem. It was an exercise to make a point.

>Clearly,  if you can send a key the  length of the  encrypted  message
>after the message has been  encrypted,  then the encrypted  message is
>technically  redundant as you have shown.  But  traditionally, the key
>is  relatively  small with respect to the entire  message set used for
>that key and the key is sent  before  any  particular  messages  to be
>encrypted are known, making the previous  sequence  incompatible  with
>common circumstances.

I was talking solely about the OTP system, because it best expresses
the need for true randomness, or something so close that the ciphers
do not leak significant amounts of information to allow an attacker to
decide that he has discovered the intended message.
 
The problem with messages that are longer than the unicity distance is
that they are the only (intelligible) message that can be decrypted.
That makes for a relatively easy way to detect the intended message.

One way to circumvent the key distribution problems of the OTP system
is to use a text cipher which has been post-processed sufficiently
that it leaks insignificant amounts of information. The text can be
from a source that can be viewed on the Internet that changes daily,
and can be keyed from numbers that change every day like closing
market averages.

The post processing consists in the usual anti-skewing and hashing to
distill the approximate 1 bit of entropy in text. One poster on
sci.crypt suggests a CRC hash, so you would have to feed it 32
characters to get 4 back if it were CRC-32. Presumably those 4
characters would have full entropy density and simulate true random
numbers sufficiently well that they serve as the OTP keystream. I have
no idea how much message volume such a scheme could be used for before
significant amounts of information would leak permitting the attacker
to decide he has broken your system. If you skip around in the kinds
of text used each day, say a newspaper one day and the Bible the next,
etc., that might help confuse things a bit.

>Non-random is defined as a string that can be completely defined via a
>smaller string (prefix code) within a given string  generating  system
>(language). 

That is Algorithmic Prefix Complexity Randomness, the kind that
Kolmogorov and Chaitin discuss, and is not suitable for the OTP
system.

For purposes of the OTP cryptosystem, a true random number is one
which is produced by a process that is capable of generating all
possible finite sequences equiprobably, that is a uniform
nondeterministic generator.

That process is called a True Random Number Generator (TRNG).
Equiprobable means that the sequences are independently generated and
are equidistributed in the sample space. Notice the use of the word
"capable" - a TRNG does not have to actually produce all possible
strings.

Kolmogorov-Chaitin Randomness is a different kind from the
crypto-grade randomness needed to make the OTP system provably
secure. For example, regular sequences that fail the test for
randomness in terms of complexity are valid for OTP ciphers. In fact
you cannot filter out any sequences in the OTP system, regular or
complex, or else the attacker will be able to use that to advantage.

>First we must  define  what it is to have a random  number,  which was
>just  indicated  to  be  according  to  a  non-random  perspective  (a
>language).  If, according to the previous  discussion,  random means a
>string  sequence not  compressible in the language then a sufficiently
>long run of 0's would be compressible and hence that string not random
>wherever it might appear.

Although it would be incredibly dumb to send a cipher made from the
null key, it still is a valid key if it is produced by a TRNG.
Fortunately it is incredibly improbable for any sequence of usable
length.
 
>I welcome  the  result of  Berry's  Paradox  from the  notion of `True
>Randomness' and am interested in your definition of `True  Randomness'
>that avoids a paradox.

See above, in terms of the OTP system.

That definition serves as the specification for building a working
TRNG. My favorite is the one based on radioactive decay, like HotBits
http://www.fourmilab.ch/hotbits/

To ensure that a TRNG is behaving properly one would need to treat it
like a piece of scientific equipment, e.g., conduct a complete peer
reviewed design audit and provide for full diagnostics on each
subsystem. But even then it will not be perfectly random, because
nothing is perfect in the real world. And using statistical tests on
its output is of no value other than a diagnostic warning of a
possible malfunction, like a shorted input or an open output.

The real question is how you characterize it in terms of the amount of
information that is leaked in the ciphers it is used to make. The only
thing I can think to do is use it to make worst case test ciphers out
of messages that leak the greatest amount of information and see if
those ciphers leak enough information to cause a cryptanalyst to
decide he has broken the system.

I have no idea how to carry out that program, much less if it is even
feasible. I assume that there is a computer somewhere that is set up
to attack stream ciphers systematically, so it should be possible to
use that same attack protocol to fashion the kinds of tests alluded to
above.

Bob Knauer

"There is much to be said in favour of modern journalism. By giving us the opinions
of the uneducated, it keeps us in touch with the ignorance of the community."
--Oscar Wilde
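
The distillation step described in the post above, as an added example that is
not part of the post (the code and the sample text are mine; taking the 32
characters as consecutive blocks and writing the CRC value big-endian are my
assumptions): 32 characters of text go into CRC-32 and 4 bytes come out, and
the result is XORed with a message as a key stream. The last function checks
one algebraic property of CRC-32, that it is affine over GF(2), which is the
kind of check a practitioner runs before treating a hash's output as key
material.

```python
"""Added example (not from the original post): text -> CRC-32 distillation,
32 characters in, 4 bytes out, plus a check of CRC-32's affinity over GF(2).

Assumptions (mine, not the poster's): consecutive 32-byte blocks of the
text are hashed independently, each CRC-32 is emitted big-endian, and a
trailing partial block is dropped.
"""
import zlib

BLOCK = 32   # characters fed in per 4-byte CRC-32 output, as in the post


def distill(text: bytes, block: int = BLOCK) -> bytes:
    """Hash each full `block`-byte chunk of text with CRC-32, 4 bytes out per chunk."""
    out = bytearray()
    usable = len(text) - len(text) % block
    for i in range(0, usable, block):
        out += zlib.crc32(text[i:i + block]).to_bytes(4, "big")
    return bytes(out)


def xor_with_keystream(data: bytes, keystream: bytes) -> bytes:
    """XOR data against the distilled key stream; the same call decrypts."""
    if len(keystream) < len(data):
        raise ValueError("keystream shorter than data")
    return bytes(d ^ k for d, k in zip(data, keystream))


def crc32_is_affine(a: bytes, b: bytes, c: bytes) -> bool:
    """For equal-length inputs CRC-32 satisfies
    crc(a) ^ crc(b) ^ crc(c) == crc(a ^ b ^ c),
    because the CRC is a linear map over GF(2) plus a length-dependent constant.
    Returns True when the identity holds for the given inputs."""
    if not len(a) == len(b) == len(c):
        raise ValueError("inputs must have equal length")
    abc = bytes(x ^ y ^ z for x, y, z in zip(a, b, c))
    return zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(c) == zlib.crc32(abc)


# Constructed stand-in for the "text that changes daily": 4 blocks of 32 chars.
SAMPLE_TEXT = (b"Closing market averages for the "
               b"day, published on a public page,"
               b"serve as the daily text source. "
               b"Each 32 chars yield 4 key bytes.")

if __name__ == "__main__":
    ks = distill(SAMPLE_TEXT)
    print(f"{len(SAMPLE_TEXT)} chars of text -> {len(ks)} bytes of key stream: {ks.hex()}")
    msg = b"attack at dawn!!"
    ct = xor_with_keystream(msg, ks)
    print("roundtrip ok:", xor_with_keystream(ct, ks) == msg)
    print("CRC-32 affine identity holds:", crc32_is_affine(b"A" * 32, b"B" * 32, b"C" * 32))
```

On the 128-character sample the scheme yields 16 key bytes. crc32_is_affine
returns True for any three equal-length inputs: the CRC of an XOR of blocks is
the XOR of their CRCs up to a constant, so the 4 output bytes are a linear
function of the 256 input bits rather than a mixing of them, and an attacker
who learns the relation between two input blocks learns the relation between
the corresponding key words.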


------------------------------

From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: True Randomness - DOES NOT EXIST!!!
Date: Mon, 01 Mar 1999 19:40:05 GMT
Reply-To: [EMAIL PROTECTED]

On 1 Mar 99 11:39:09 -0400, [EMAIL PROTECTED] (John Briggs)
wrote:

>Still devoid of meaning.  If it's outside the Universe, it can't affect
>something inside the Universe.  That's basic to pretty much any definition
>of "the Universe".

That is a definition of the Universe in terms of Physics. But Physics
is not intended to address questions outside the material realm.

The best you can do is claim that only material objects exist - IOW,
deny the existence of the non-material (spiritual) realm - but that
does no good, because you still have to explain how finite mutable
objects came into existence.

>Fallacy one:  Why just one first cause?  Why not two?  Or three?

I am not invoking any "first cause" arguments. I do not care for
Aquinas's famous "Five Ways".

>Fallacy two:  Why not a causal loop?

???

>Fallacy three:  Why not infinite regress?

???

>Fallacy four:  What causes the first cause?

The essence of the Supreme Being is existence. It has no cause.

>Looks like a fallacious argument to me.

These are the standard arguments against the existence of the Supreme
Being. They are straw men arguments, since the Five Ways were never
meant to be rigorous proofs of the existence of the Supreme Being.

>>>The universe can proceed perfectly well without this "law".
>> 
>> Oh really - the very Universe we observe, eh?

>Yes, the very Universe we observe.  We see plenty of effects without
>any visible cause.

Name one. And don't give us this nonsense about virtual particles. We
want real physical processes, not virtual processes.

BTW, relativity is based on the law of causality.

>I didn't say that there is no such thing as cause and effect.  I said
>that the law of cause and effect _WHICH I EXPLICITLY STATED AND WHICH
>YOU HAD LEFT COMPLETELY UNSPECIFIED_ was not needed by the Universe.

Then you claim that the efficient cause of the Universe is Nothing.
How can Nothing cause the Universe, when Nothing does not exist?

The cause of the existence of the Supreme Being, by contrast, is the
Supreme Being. The very uncausality that you are so willing to
attribute to a finite mutable world, where it is impossible to be, is
contained in the Supreme Being, where it is possible to be.

>Now, if you want to loosen up the definition of "cause and effect" to
>the point where radioactive decay and quantum fluctuations in the vacuum
>have causes then you can make a credible argument in favor of this law.

Radioactive decay is an instance of spontaneous emission, which is
caused by zero point fluctuations in the quantum vacuum.

>But then you are left with the question:  What causes a TRNG based on
>radioactive decay to emit the sequence it does?

Vacuum fluctuations.

The better question is what keeps the nucleus from decaying
instantaneously? What keeps it in an excited state for so long? Vacuum
fluctuations only help it to lower its energy by decaying - by supplying
the needed randomness to get it to make the transition. And what keeps
the electron in hydrogen from radiating electromagnetic energy and
ending up inside the nucleus permanently?

Must be God playing dice, eh.

Bob Knauer

"There is much to be said in favour of modern journalism. By giving us the opinions
of the uneducated, it keeps us in touch with the ignorance of the community."
--Oscar Wilde


------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Common meaning misconception in IT, was Re: Unicity of English, was Re: 
New high-security 56-bit DES: Less-DES
Date: Mon, 01 Mar 1999 19:47:52 GMT

[EMAIL PROTECTED] wrote, in part:

>The
>example calls upon unicity in order to define it and unicity is defined by
>language statistics not by a savvy human reader.

Language statistics, as they become more detailed, are simply
approximations to a human writer - or reader. Hence, the redundancy of
English text can only be approximated through language statistics,
which give a _lower bound_ for the actual redundancy.

John Savard (teneerf is spelled backwards)
http://members.xoom.com/quadibloc/index.html

------------------------------

From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: Quantum Randomness
Date: 1 Mar 1999 20:01:14 GMT

In <[EMAIL PROTECTED]> [EMAIL PROTECTED] (R. Knauer) writes:

]We believe that the strongest kind of randomness is that which is
]generated in Quantum Mechanical processes before the collapse of the
]statevector. Therefore, if you were able to generate random sequences
]with a Quantum Computer, they would be certifiably random in the sense

You do NOT need a quantum computer to use quantum randomness.
Observation of any quantum phenomenon will do.
However the problem with any physical source of randomness is biases. The
setup of the apparatus can introduce biases into the observations. Thus
those parts of the observations which are random are truly random, but
those parts where the apparatus has introduced its biases are not. For
example, examining the polarisation of photons of light -- i.e. looking
at say the 45 degree polarisation of photons which you know you prepared
up and down polarised is such a quantum random process. However, what
happens if the two polarisers are not at exactly 45 degrees? Now one
polarisation comes out preferred by a lesser or greater amount. There is
a predictable and measurable bias in the output. The changes in the
results are still random (i.e. you now have a probability distribution
which is not 50-50, but the results are purely random given that biased
distribution). Measuring apparatuses can produce more subtle biases as
well. If you know what they are (or could be) then you can correct for
them, but you do not always know what they are.

]"The art in creating computer programs that simulate the generation of
]true random numbers is to devise algorithmic methods that generate
]sequences of numbers that pass both the distribution test and
]correlation checks. As we show, even when random number generators
]pass such statistical tests, the sequence of numbers it generates may
]still not be random enough to serve as an approximation to a true
]random process."

All generators (pseudo random generators) are clearly not random. There
is a correlation test (i.e. the inverse of the generator) under which the
correlation is unity -- i.e. perfect. Thus you must ask why you want to use
those random numbers -- are the correlations which ARE there such that
they will interfere with the use you want to put the numbers to.

(from a practising physicist).
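
The misaligned-polariser situation described above, as an added example that is
not part of the post (code mine; the detector is simulated with a seeded PRNG,
and P(1) = 0.6 is a constructed stand-in for a polariser a few degrees off 45):
the raw bits carry the fixed bias, and the classical von Neumann correction
removes it at a cost in yield. The correction relies on exactly the property
the post states, that the results are independent draws from a fixed if biased
distribution; if the bias drifts within a pair, or successive bits are
correlated, the output is no longer fair.

```python
"""Added example (not from the original post): a fixed apparatus bias in a
raw quantum bit stream, and von Neumann's correction for it.

The source is constructed: a seeded PRNG emits independent bits with
P(1) = P_ONE, standing in for a slightly misaligned polariser.
"""
import random

P_ONE = 0.6   # constructed bias of the simulated detector


def biased_source(n_bits: int, p_one: float = P_ONE, seed: int = 1) -> list:
    """Simulated detector output: n_bits independent bits with P(1) = p_one."""
    rng = random.Random(seed)   # seeded so the run is reproducible
    return [1 if rng.random() < p_one else 0 for _ in range(n_bits)]


def fraction_of_ones(bits: list) -> float:
    """Empirical P(1) of a bit list (0.0 for an empty list)."""
    return sum(bits) / len(bits) if bits else 0.0


def von_neumann(bits: list) -> list:
    """Take non-overlapping pairs: 01 -> 0, 10 -> 1, discard 00 and 11.

    For independent bits with P(1) = p both kept pairs have probability
    p(1-p), so the output is unbiased whatever p is.  The price is yield:
    only 2p(1-p) of the pairs produce a bit."""
    out = []
    for i in range(0, len(bits) - 1, 2):
        a, b = bits[i], bits[i + 1]
        if a != b:
            out.append(a)
    return out


def expected_yield(p_one: float) -> float:
    """Expected output bits per input bit: (1/2) pairs * 2p(1-p) = p(1-p)."""
    return p_one * (1.0 - p_one)


if __name__ == "__main__":
    raw = biased_source(200_000)
    fixed = von_neumann(raw)
    print(f"raw:      {len(raw)} bits, P(1) ~ {fraction_of_ones(raw):.4f}")
    print(f"debiased: {len(fixed)} bits, P(1) ~ {fraction_of_ones(fixed):.4f} "
          f"(yield {len(fixed) / len(raw):.3f}, expected {expected_yield(P_ONE):.3f})")
```

With P(1) = 0.6 the raw stream is visibly skewed, the corrected stream sits at
0.5 within sampling error, and about 0.24 output bits survive per input bit.
The correction does nothing for the "more subtle biases" the post mentions,
such as correlation between successive detections; those have to be measured
and modelled separately.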

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Unicity of English, was Re: New high-security 56-bit DES: Less-DES
Date: Mon, 01 Mar 1999 19:12:43 GMT

In article <7bdl39$18r$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] wrote:
> [EMAIL PROTECTED] wrote:
> >   Bryan Olson <[EMAIL PROTECTED]> wrote:
> > > Given ciphertext, the two are not independent.
> >
> > No. Given ciphertext, the two equivocations are still independent -- as they
> > measure different things and they also depend on the type of cipher used,
> > number of keys, plaintext entropy, etc.  And, for a given message length,
> > message equivocation can be zero much before key equivocation is zero -- see
> > Fig. 9 in Shannon's paper for example.
>
> First, none of those show independence.

You snipped it... I have been saying often enough that independence is shown
simply by looking at the two formulas. I said so even in the same quoted
message.

> Second, what I've been
> saying is that message equivocation H_E(M) must be zero at or
> before the number of intercepted letters for which H_E(K) is
> zero.  You say it can be zero "much before".  Sure.

You say many things, Bryan, some of them interesting, but unfortunately you
tend to change them around when they do not suit the discussion. That is not
very helpful for the dialogue but may wonderfully help terminate the
discussion topic!

As above, I see that you try to get my words to stand for your words -- and I
am happy about that, but pls acknowledge for dialogue's sake. For example,
you wrote before:

BO> Shannon say that the unicity point has been reached when the
BO> key equivocation drops negligibly far from zero.

which is however at odds with your own new "old" words above. Indeed, message
equivocation  is what defines the unicity condition (even to Shannon), not
zero key equivocation  -- because message equivocation can be zero before key
equivocation is zero.

This is what I have been saying all along and I am glad you now agree to such
an extent that you made it your own point!

Given that, I believe we are in essential agreement in "what you have been
saying" ;-)

Regarding the random cipher assumption and its careless usage implication
that a message is known before it is transmitted, I believe I can be spared
to further argue against that.

Cheers,

Ed Gerck


------------------------------

From: [EMAIL PROTECTED] (Bill Unruh)
Crossposted-To: alt.privacy,talk.politics.crypto
Subject: Re: Can the quantum computer determine the truth from a lie?
Date: 1 Mar 1999 20:11:28 GMT

In <[EMAIL PROTECTED]> Anthony Stephen Szopa <[EMAIL PROTECTED]> writes:

>Then I encrypt the message.  My recipient has the key that will not only
>decrypt the message but remove all the random noise as well.

>How will the quantum computer determine the correct intelligence
>communicated from what was essentially a message that lied?

>Quantum computers may be smart:  like an idiot savant child.

>As far as good encryption is concerned, quantum computers pose no real
>threat.


The art of cryptography is not protecting your message against an
opponent who is ignorant, but protecting your message against an
opponent who knows exactly the technique you are using to hide your
message. A one time pad is unbreakable by any system. What a quantum
computer can do is to take some systems with small keys (keys much much
shorter than the information content of the message they are supposed to
hide) and reveal the message in a time frame comparable to that required
to encrypt the message. They must do so by using regularities
(redundancies) in the message which is sent -- no code breaking can be
done on a message with no redundancy. ASCII text has a huge amount of
redundancy (every single 8th bit is zero). A binary program has less
so, etc.
However almost all messages which are actually sent have a huge amount
of redundancy. The purpose of encryption in part is to hide that
redundancy. The purpose of small key encryption (i.e. key much shorter
than the message) is to make it easy to exchange keys. (If all keys have
to be as long as the message, then why don't you exchange the messages
rather than the keys by the same secure path? -- yes this is an
exaggeration, as there are instances where OTPs are useful.) In such a
real world, quantum computers ARE a threat.

>The idea that by inputting an encrypted message into a black box quantum
>computer and that it will absolutely output the correct encrypted
>message is preposterous.

And that is not what people are trying to do either.

>This is just more dogma from another stupid religion.
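
The point about redundancy in the post above, put in numbers as an added
example that is not part of the post (code mine): a toy stream cipher I
constructed for the demonstration (a 16-bit key expanded with SHA-256, not
any real system) is attacked by exhaustive key search using no more than the
one redundancy named above, that the top bit of every ASCII byte is zero. The
message and the secret key are constructed. The same arithmetic is the unicity
calculation argued over elsewhere in this digest: key bits divided by
redundancy per character gives the number of characters after which only the
true key survives.

```python
"""Added example (not from the original post): redundancy versus a small key.

Toy cipher, constructed here and not any real system: a 16-bit key k is
expanded with SHA-256(k || counter) into a key stream XORed with the
plaintext.  The attacker tries all 2^16 keys on the first n ciphertext
bytes and keeps those whose decryption has the top bit of every byte clear.
Each wrong key passes that test with probability 2^-n, so about 2^(16-n)
false keys survive: thousands at n = 4, about one at n = 16, none at n = 32.
"""
import hashlib

KEY_BITS = 16


def keystream(key: int, length: int) -> bytes:
    """Expand the small key into `length` bytes with SHA-256 in counter mode."""
    out = b""
    counter = 0
    while len(out) < length:
        block = key.to_bytes(2, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]


def encrypt(key: int, plaintext: bytes) -> bytes:
    """XOR stream cipher; decryption is the same operation."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


decrypt = encrypt


def looks_like_ascii(candidate: bytes) -> bool:
    """The only redundancy the attacker uses: every 8th bit is zero."""
    return all(b < 0x80 for b in candidate)


def surviving_keys(ciphertext: bytes, prefix_len: int) -> list:
    """Exhaustive search on the first prefix_len bytes; return keys whose
    trial decryption passes the redundancy test."""
    prefix = ciphertext[:prefix_len]
    return [k for k in range(1 << KEY_BITS) if looks_like_ascii(decrypt(k, prefix))]


def expected_false_keys(prefix_len: int) -> float:
    """2^KEY_BITS candidate keys, each wrong one passing an independent
    1-bit test per byte: roughly 2^(KEY_BITS - prefix_len) false survivors."""
    return (1 << KEY_BITS) * 2.0 ** (-prefix_len)


SECRET_KEY = 0xBEEF                                                 # constructed
MESSAGE = b"Meet me at the usual place at noon, bring the documents."  # constructed

if __name__ == "__main__":
    ct = encrypt(SECRET_KEY, MESSAGE)
    for n in (4, 8, 16, 24, 32):
        found = surviving_keys(ct, n)
        print(f"{n:2d} chars: {len(found):6d} keys pass the ASCII test "
              f"(about {expected_false_keys(n):.1f} false expected), "
              f"true key among them: {SECRET_KEY in found}")
```

With 2^16 keys and one bit of redundancy per character the unicity point is
16 characters; past it the search returns the true key alone. A plaintext
with no redundancy, say uniformly random bytes, would leave every one of the
65536 wrong keys exactly as plausible as the right one, which is what "no
code breaking can be done on a message with no redundancy" means in numbers.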


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
