Cryptography-Digest Digest #935, Volume #8 Wed, 20 Jan 99 11:13:05 EST
Contents:
Re: Turing Machines For Sale (R. Knauer)
Re: Metaphysics Of Randomness (Patrick Juola)
RSA Cryptography Today FAQ (1/1) ([EMAIL PROTECTED])
Re: Java speed vs 'C' (was Re: New Twofish Source Code Available) ("Trevor Jackson, III")
Multiple sign-on? (Al Grant)
Re: Metaphysics Of Randomness ("Trevor Jackson, III")
Re: french law about cryptography ("Trevor Jackson, III")
Re: Turing Machines For Sale ("Trevor Jackson, III")
Re: Metaphysics Of Randomness (R. Knauer)
Re: Trying to find simple, yet effective implementation of crypto... (fungus)
Re: Metaphysics Of Randomness (R. Knauer)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: Turing Machines For Sale
Date: Wed, 20 Jan 1999 12:04:16 GMT
Reply-To: [EMAIL PROTECTED]
On Tue, 19 Jan 1999 21:55:49 -1000, "J. Staphros" <[EMAIL PROTECTED]> wrote:
>I have built a small number of Turing Machines in my garage and now I am
>ready to sell the first production run. They come with either paper tape
>or magnetic tape operation. The prices are $2,000 and $1,800 US dollars,
>respectively. They are guaranteed to halt. Options include binary and
>ternary operations. The tapes cost $12 each for open reel forms, or $35
>for closed loop format. Call 1-900-818-9743 for details, each call costs
>$200 per second. The voicemail system will lead you through the product
>selection menus, and you should use touch-tone phones, since the
>pulse-dial receptionist will pick up after 45 seconds.
Every owner of a Turing Machine needs Turing Machine Oil (tm), to keep
it well lubricated. After all, you wouldn't want it to halt just
because it ran out of oil, would ya?
As a one time promotion for the crypto community, the single largest
user of Turing Machines, we offer a quart of Turing Machine Oil (tm)
for only 10,000 dollars down and one century of convenient monthly
payments of only 2,995 per month.
Helluva deal, eh. You just can't pass it up, since a quart of Turing
Machine Oil (tm) will last at least a century for any properly
designed Turing Machine.
Be the first in your neighborhood to own genuine Turing Machine Oil
(tm) - accept no substitutes.
------------------------------
From: [EMAIL PROTECTED] (Patrick Juola)
Subject: Re: Metaphysics Of Randomness
Date: 20 Jan 1999 08:13:48 -0500
In article <782qep$lth$[EMAIL PROTECTED]>,
Coen L.S. Visser <[EMAIL PROTECTED]> wrote:
>[EMAIL PROTECTED] (Patrick Juola) writes:
>>Coen L.S. Visser <[EMAIL PROTECTED]> wrote:
>>>[EMAIL PROTECTED] writes:
>
>[...]
>
>>>>Whether a Turing Machine program halts or not is random.
>>>
>>>Hmm, wouldn't that imply that the halting probability is 0.5?
>>
>>No. Whether a die rolls a six or not is also random -- but not 0.5.
>
>To halt or not to halt that's the question :-) So that gives only two events.
>If halting (or not) would be random the probability would be 0.5.
>For a fair die there are six choices so the equivalent probability would
>be 1/6. I could have made a mistake somewhere, if so please tell.
You are assuming that all "events" are equally probable. This is
a mistake. If you want to subcategorize the "event" of not rolling
a six into five separate sub-"events", you can -- and a fair die
would make all six sub-events equally probable. But this method
doesn't work in the general case -- for instance, not all dice
are fair, nor is it always possible to decompose events.
Another example -- the probability of any random child being a boy
is slightly higher than 0.5 (more boys are born than girls, by
a ratio of about 11:10). And, at the extreme, if I had a single
atom of uranium in my possession, the odds of it decaying (or not)
while I watch it are not only not 0.5 -- but also dependent upon
the time I watch it.
-kitten
------------------------------
From: [EMAIL PROTECTED]
Crossposted-To:
talk.politics.crypto,alt.security.ripem,sci.answers,talk.answers,alt.answers,news.answers
Subject: RSA Cryptography Today FAQ (1/1)
Date: 20 Jan 1999 13:29:18 GMT
Reply-To: [EMAIL PROTECTED]
Archive-name: cryptography-faq/rsa/part1
Last-modified: 1997/05/21
An old version of the RSA Labs' publication "Answers to Frequently Asked
Questions about Today's Cryptography" used to be posted here until May
1997. These postings were not sponsored or updated by RSA Labs, and
for some time we were unable to stop them. While we hope the information
in our FAQ is useful, the version that was being posted here was quite
outdated. The latest version of the FAQ is more complete and up-to-date.
Unfortunately, our FAQ is no longer available in ASCII due to its
mathematical content. Please visit our website at
http://www.rsa.com/rsalabs/ to view the new version of the FAQ with your
browser or download it in the Adobe Acrobat (.pdf) format.
RSA Labs FAQ Editor
[EMAIL PROTECTED]
------------------------------
Date: Wed, 20 Jan 1999 08:34:44 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Java speed vs 'C' (was Re: New Twofish Source Code Available)
[EMAIL PROTECTED] wrote:
> In article <[EMAIL PROTECTED]>,
> [EMAIL PROTECTED] (Ian Miller) wrote:
> > In article <781vl4$qrv$[EMAIL PROTECTED]>,
> > [EMAIL PROTECTED] wrote:
> > > Actually this is not true. Good assembly language is damn hard to beat.
> > In the short term, only.
> >
> > >I have seen old code written on old univacs fly circles around the
> > >newer compiled stuff even though the newer univacs have a larger
> > >instruction set.
> > This is entirely predictable if the compiler code generators have not been
> > brought up to date. Once they have been the old assembly code will lose
> > out.
> >
> > >Also the newer compilers the designers have not
> > >given much thought to good design.
> > On this I disagree radically. The compiler design is now a very well
> > understood art, and modern processors are designed (among other criteria)
> > to be easy to optimise for. The best modern compilers generate first rate
> > code.
> >
>
> Actually I can give a modern example. I was using a real key
> for my original scott16u, but I never could get the C code to
> come within a factor of ten of the speed of good assembly.
> The best compilers do not come close to good assembly if
> one wants speed, period.
>
> C is nice and portable but it still is a dog compared to
> assembly code.
The effect you describe is real, but restricted to Intel architectures. The
Intel instruction set is so bad that one major language vendor (starts with an
M) actually embedded a p-code interpreter in their C compiler's runtime. The
compiler translated the source into p-code which was interpreted at run-time.
Case in point: 11 generations after the original, the Intel instruction set
still does not support position-independent code.
Computers that were designed instead of "jest growed" are heavily optimized for
good compilation space and time efficiency.
If you've never worked on anything but Intel you've been damaged by that
experience. Dijkstra wrote a famous paper about this kind of thing in the '70s
called "GoTo considered harmful".
------------------------------
From: Al Grant <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc
Subject: Multiple sign-on?
Date: Wed, 20 Jan 1999 13:48:18 +0000
Single sign-on is about a user U on client C having an authenticator
which they can use to sign on as U to multiple services S1 and S2.
Now here's a different scenario. U, on C, has signed on to some
service S. U, on C, is also doing client-server stuff with application
server A. C wants A to do work, using service S, under U's identity.
But S doesn't trust A any more than it trusts C.
So the requirement is for C to give A some kind of credential
that A uses to authenticate, as U, to S. We may want the credential
to be limited, either by the location of A (so that A cannot pass it
on to other systems) or by time. This is a lot safer than C giving
A all the information that was used by U to authenticate.
As far as I can see, Kerberos can't do this, because Kerberos
tickets include the network address. I.e. the tickets are specific
to C, so it's no use C giving A a ticket. Is there a name for what
we're trying to do, and are there any systems which do it?
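One way to build the limited credential the post asks for, as an added Python sketch that is not from the post and is not Kerberos: it assumes C and S already share a session key from U's sign-on to S, and all names, addresses and times are constructed.

```python
import hashlib
import hmac
import json

# Constructed illustration of the delegation pattern in the post: client C,
# signed on to service S as user U, mints a short-lived credential bound to
# application server A's address. A presents it to S; S checks the MAC,
# the address binding and the validity window before acting as U.

SESSION_KEY = b"constructed-session-key-shared-by-C-and-S"  # from U's sign-on


def delegation_key(session_key: bytes) -> bytes:
    # Derive a separate key so the delegated credential can never be
    # replayed as U's own session authenticator.
    return hmac.new(session_key, b"delegation", hashlib.sha256).digest()


def mint_credential(session_key, user, delegate_addr, lifetime_s, now):
    """C's side: bind the credential to A's address and a time window."""
    body = {"user": user, "delegate": delegate_addr,
            "issued": now, "expires": now + lifetime_s}
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(delegation_key(session_key), payload,
                   hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def verify_credential(session_key, cred, presenter_addr, now):
    """S's side: return the delegated user name, or None if rejected."""
    expected = hmac.new(delegation_key(session_key), cred["payload"],
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["tag"]):
        return None                      # forged or altered credential
    body = json.loads(cred["payload"])
    if body["delegate"] != presenter_addr:
        return None                      # A passed it on to another host
    if not (body["issued"] <= now < body["expires"]):
        return None                      # outside its validity window
    return body["user"]


if __name__ == "__main__":
    cred = mint_credential(SESSION_KEY, "U", "10.0.0.7", 300, now=1000)
    print(verify_credential(SESSION_KEY, cred, "10.0.0.7", now=1100))
    print(verify_credential(SESSION_KEY, cred, "10.0.0.8", now=1100))
```

The address binding is only as strong as S's ability to authenticate the presenter's network address, which is the same limitation the post notes for Kerberos tickets; the time limit and the per-delegation key are what keep a leaked credential from becoming U's full authenticator.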
------------------------------
Date: Wed, 20 Jan 1999 08:48:15 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Metaphysics Of Randomness
R. Knauer wrote:
> On Tue, 19 Jan 1999 15:39:39 -0500, "Trevor Jackson, III"
> <[EMAIL PROTECTED]> wrote:
>
> >> That alone shows that the key K is no longer random, otherwise it
> >> could not have resulted in the non-random message M when mixed with
> >> the cipher C. IOW, if K were truly random, how could K xor C, the
> >> mixture of two random sequences, result in a non-random message?
>
> >The correct answer is that the two entities K and C are correlated by the
> >message M. The entities are not independent. They contain the same entropy.
> >Not the same amount of entropy, the very same entropy.
>
> What is wrong in saying that the entropy of the key K was transferred
> to the ciphertext C via the message M, and that now K has no entropy
> of its own left - that is, it is unique in the new universe it finds
> itself as the sole key capable of reproducing the original message?
Here's what is wrong. There is no lower limit on the triviality of the operation
you can perform on the number K to "remove" its randomness. For example, (bad) L
= K + 1. K is the only number that produces L when one is added, thus K is no
longer random.
(Worse). K = K + 0. K is the only number that produces K under additive
identity, thus K is not random.
(Worst) K = K. K is the only number with the value K, thus it is not random, it
is K, thus K is not random.
------------------------------
Date: Wed, 20 Jan 1999 08:54:38 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: french law about cryptography
Thank you for the translation. Also thank Enzo!
The fact that the 128 bit limit is a temporary administrative remedy while
full freedom awaits legislative action is very telling. It means they "get
it" completely. This gives rise to hope that sanity may be evolving among
the bureaucrats.
[Darkly] Or the French Government has stumbled upon a very serious
improvement in cryptanalysis...
Mok-Kong Shen wrote:
> [EMAIL PROTECTED] wrote:
> >
> > 19 Jan 1999. The French prime minister announced that the government
> > will allow the key size up to 128 bytes.
> >
> > the original text in french:
> > http://www.premier-ministre.gouv.fr/PM/D190199.HTM
>
> The following is a translation provided by Enzo Michelangeli.
>
> --------------------------------------------
>
> The third legislative initiative concerns cryptography. With the
> development of electronic espionage instruments, cryptography appears
> as an essential instrument of privacy protection.
>
> We had, one year ago, made a first step towards liberalization of
> cryptographic instruments. At that time I had announced that we were
> going to make one further. The Government has, since then, heard the
> players, questioned the experts and consulted its international
> partners. We have today become convinced that the legislation of 1996
> is no longer suitable. In fact, it strongly restricts the usage of
> cryptography in France, on the other hand, for all that, without
> allowing the public powers to fight effectively against criminal
> actions of which encryption could facilitate the dissimulation.
>
> In order to change the orientation of our legislation, the Government
> has thus retained the following orientations, that I have discussed
> with the President of the Republic:
>
> - To offer a complete freedom of use of cryptography
>
> - To remove the compulsory nature or third-party escrow of encryption
> keys
>
> - To supplement the current legal framework by the introduction of
> obligations, together with penal sanctions, concerning the handing-over
> to the legal authorities, when they require it, of the cleartext
> version of encrypted documents. At the same time, the technical
> skills of the public authorities will be significantly improved.
>
> Changing the law will take many months. The Government has decided
> that the main obstacles holding up the citizens from protecting the
> confidentiality of their communications and the development of
> electronic commerce be lifted without waiting. Also, waiting
> for the announced legislative changes, the Government has decided
> to raise the threshold of cryptology the use of which is
> free, from 40 bit to 128 bit, considered by the experts a level
> suitable to ensure durably a very high security.
------------------------------
Date: Wed, 20 Jan 1999 08:58:17 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Turing Machines For Sale
You failed to specify the warranty. Does it cover every cell or just the
basic power train?
J. Staphros wrote:
> I have built a small number of Turing Machines in my garage and now I am
> ready to sell the first production run. They come with either paper tape
> or magnetic tape operation. The prices are $2,000 and $1,800 US dollars,
> respectively. They are guaranteed to halt. Options include binary and
> ternary operations. The tapes cost $12 each for open reel forms, or $35
> for closed loop format. Call 1-900-818-9743 for details, each call costs
> $200 per second. The voicemail system will lead you through the product
> selection menus, and you should use touch-tone phones, since the
> pulse-dial receptionist will pick up after 45 seconds.
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: Metaphysics Of Randomness
Date: Wed, 20 Jan 1999 14:20:54 GMT
Reply-To: [EMAIL PROTECTED]
On 20 Jan 1999 08:13:48 -0500, [EMAIL PROTECTED] (Patrick Juola)
wrote:
>Another example -- the probability of any random child being a boy
>is slightly higher than 0.5 (more boys are born than girls, by
>a ratio of about 11:10).
That must be the result of eugenic sex selection (since people prefer
male babies), since I always heard that female babies outnumbered male
babies by something like 55:45.
I also read that in China that eugenic sex selection has been carried
to an extreme since they are only allowed to have one child in their
Socialist Workers Paradise. That has presumably led to a monstrous
10:1 ratio of males to females, which means that 9 out of 10 males
will have to live an unmarried life - mainly in the military.
>And, at the extreme, if I had a single
>atom of uranium in my possession, the odds of it decaying (or not)
>while I watch it are not only not 0.5 -- but also dependent upon
>the time I watch it.
I have a problem with the last part of that statement.
The probability that a particular (single) nucleus will decay in the
time interval t -> t + dt is a constant independent of the time of
that interval. This leads to the exponential decay law since:
dN/dt = - k N.
If you are referring to the Poisson distribution, that does not apply
to a *single* nucleus, but to a small sample of nuclei.
You said that you had a *single* nucleus in your possession, in which
case there are no statistics involved, only the uniform probability
for a decay event over time. IOW, the probability for a single nucleus
to decay in the next 1 second interval is the same for it to decay in
any 1 second interval for all time.
The fact that some nucleus in an ensemble of such nuclei does indeed
decay in the next 1 second interval does not mean that the a priori
probability that any given single nucleus decays is not uniformly
random over time.
Bob Knauer
"Whatever you can do, or dream you can, begin it. Boldness has
genius, power and magic in it."
--Goethe
------------------------------
From: fungus <[EMAIL PROTECTED]>
Subject: Re: Trying to find simple, yet effective implementation of crypto...
Date: Wed, 20 Jan 1999 15:10:20 +0100
Christopher wrote:
>
> In article <[EMAIL PROTECTED]>, Darren New
> <[EMAIL PROTECTED]> wrote:
>
> >> So you would be advised to avoid IDEA or RC4 as your
> >> conventional encryptions as they would cost money;
> >
> >I'm pretty sure the RC4 algorithm is in the public domain.
Correct...
...hey, Bruce. When are you going to update the book on this???
> >"RC4" is a trademark, but that's a different thing.
Also correct. You can't claim to be using "RC4" unless you pay
RSA a license fee for using the name. You can claim to be using
ARCFOUR though.
>
> I thought it was impossible to patent an idea, only a product.
Wrong - many patents never make it all the way to final products.
--
<\___/>
/ O O \
\_____/ FTB.
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: Metaphysics Of Randomness
Date: Wed, 20 Jan 1999 15:02:47 GMT
Reply-To: [EMAIL PROTECTED]
On Wed, 20 Jan 1999 08:48:15 -0500, "Trevor Jackson, III"
<[EMAIL PROTECTED]> wrote:
>Here's what is wrong. There is no lower limit on the triviality of the operation
>you can perform on the number K to "remove" its randomness. For example, (bad) L
>= K + 1. K is the only number that produces L when one is added, thus K is no
>longer random.
>(Worse). K = K + 0. K is the only number that produces K under additive
>identity, thus K is not random.
>(Worst) K = K. K is the only number with the value K, thus it is not random, it
>is K, thus K is not random.
In each of those examples, producing a result that is unique destroys
the randomness of the key K. If I tell you what a number Y is, and
tell you that it was created, say by adding the number one to it like
above, then K is no longer random - it is a unique number given the
value of Y and the method of computing Y. Similarly for the identity
operation above.
What I am trying to get across is that it appears (and this is only a
speculation on my part) that once a random number K is used in an
encryption operation, it loses its randomness because then it becomes
unique in the context of that operation.
There is only one key possible that will reproduce the message, and
that makes K unique, not random since it is no longer just one of the
possible outputs from a TRNG. Only the key K can do that, and that
makes it special, not random.
The fact that you may not know what K is, is not a measure of
randomness but a measure of obscurity. And we all know that obscurity
has nothing to do with true randomness per se - although obscurity is
confused with randomness all the time.
Before K is used to encrypt the message, it is totally random - it can
be any sequence out of a pool of equiprobable sequences of given
length. But once you use it to form the ciphertext, it loses that
characteristic of randomness by virtue of its uniqueness in the new
context in which it has become entangled. And when the inverse
operation of decryption takes place, it is returned to the pool of
random numbers, because it is no longer entangled in any context.
As an analogy consider a beam of free electrons which passes thru one
of the slits of a double slit experiment. Once it passes thru a slit,
it is no longer just "any random electron", but is a very unique
electron by virtue of the fact that it will impinge on an exact place
on the screen behind the slits.
Because it has interacted with the double slit system, it has lost its
original randomness and has become unique in terms of its
wavefunction. Physicists call that the collapse of the wavevector due
to the particular electron's entanglement with the apparatus. If the
electron had not become entangled in such manner, it would not form
the characteristic interference pattern.
Call that "silly" if you must for personal reasons, but I maintain for
purposes of discussion that there is an element of truth contained in
my speculation. How much truth and whether that truth is of any
significance is up for comments - preferably ones that are more
intelligent than just "silly" name calling.
Bob Knauer
"Whatever you can do, or dream you can, begin it. Boldness has
genius, power and magic in it."
--Goethe
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************