Cryptography-Digest Digest #429, Volume #9 Tue, 20 Apr 99 17:13:05 EDT
Contents:
More info. about Computational Information Theory (Jaap-Henk Hoepman)
Re: RC6 new key standard from AES conference? ([EMAIL PROTECTED])
Generalized TEA paper ([EMAIL PROTECTED])
ANN: Next Beta-release of Kwik-Crypt (Andy Jeffries)
Re: Radiation/Random Number question ([EMAIL PROTECTED])
Re: Dynamic Data Dependant Key Schedule (John Savard)
Re: True Randomness & The Law Of Large Numbers (Herman Rubin)
Re: Question on confidence derived from cryptanalysis. (John Savard)
Re: Radiation/Random Number question ([EMAIL PROTECTED])
Re: Radiation/Random Number question ([EMAIL PROTECTED])
Re: PGP=NSA (what is it about crypto?) (Medical Electronics Lab)
Re: testing encrypted files ([EMAIL PROTECTED])
Re: AES R1 comments/papers available & my views (David Crick)
----------------------------------------------------------------------------
From: Jaap-Henk Hoepman <[EMAIL PROTECTED]>
Crossposted-To: comp.theory
Subject: More info. about Computational Information Theory
Date: 20 Apr 1999 13:04:08 +0200
Does anybody have more references (or other information) to recent work using
Yao's computational information theory? I want to use this to prove certain
properties of a cryptographic protocol I'm designing. I have both Yao's papers
on the topic (23rd FOCS and "Complexity in Information Theory"), but found
them to be very terse, and wondered whether there are papers extending and
using this theory.
Any info would be appreciated.
Jaap-Henk
--
Jaap-Henk Hoepman | Sure! We've eaten off the silver
Dept. of Computer Science | (when even food was against us)
University of Twente | - Nick Cave
Email: [EMAIL PROTECTED] === WWW: www.cs.utwente.nl/~hoepman
PGP ID: 0xFEA287FF Fingerprint: 7D4C 8486 A744 E8DF DA15 93D2 33DD 0F09
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: RC6 new key standard from AES conference?
Date: Tue, 20 Apr 1999 10:56:43 -0500
-----BEGIN PGP SIGNED MESSAGE-----
In <[EMAIL PROTECTED]>, on 04/20/99
at 05:40 AM, [EMAIL PROTECTED] (Paul Rubin) said:
>In article <7fgf1v$9pn$[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
>wrote:
>> What debacle was that? I missed something.
>>> I think it is important that the AES perform reasonably well on smartcards.
>>>
>>See the "Live from the Second AES conference" thread. In general the idea is
>>this: you only need AES on a smartcard if you need high levels of security;
>>but then the recently discovered practical attacks against smartcard
>>implementation of ciphers (particularly PDA) make today's smartcard
>>technology of little use for high security applications.
>I don't think that makes sense. The smartcard hardware attacks assumed a
>hostile card reader. Maybe you are using smartcards for key management
>where you control the reader. Or perhaps you're not literally using a
>smartcard electrical interface, but you want to use a smartcard processor
>in some other type of device to hold encryption keys. If the AES can't
>run acceptably on a smartcard, then the smartcard will have to use a
>different algorithm, and the implementer is left having to choose the
>alternate algorithm, precisely what the AES hoped to avoid. Even still,
>it's cumbersome to have to use a separate algorithm on the smartcard.
>Anyway, for most applications of AES on workstation processors, I suspect
>the keys will be stored on disk. That is almost certainly less secure
>than any smartcard implementation. That isn't necessarily bad, since not
>all applications require really high security. What it means is that AES
>is intended to be used where the security is high and also where it is
>not so high. So it should work on smartcards despite smartcards'
>vulnerability to hardware attacks. Workstations after all are also
>vulnerable to such attacks.
I may be missing something here but shouldn't the AES algorithm be chosen
based on the best security not how it performs on any particular piece of
hardware? If the SmartCard people want to use the AES algorithm then they
should design their cards to do so (not the other way around).
- --
- ---------------------------------------------------------------
William H. Geiger III http://www.openpgp.net
Geiger Consulting Cooking With Warp 4.0
Author of E-Secure - PGP Front End for MR/2 Ice
PGP & MR/2 the only way for secure e-mail.
OS/2 PGP 5.0 at: http://www.openpgp.net/pgp.html
Talk About PGP on IRC EFNet Channel: #pgp Nick: whgiii
Hi Jeff!! :)
- ---------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i OS/2 for non-commercial use
Comment: Registered_User_E-Secure_v1.1b1_ES000000
Charset: cp850
wnUDBQE3HKRn0fdTsSGZnTUBAZDiAwCk8vCARi5IMO38+CX7g7QiGNwQ1IuCrfS/
MtlwJqx/KCewxU8Cx0iAZ0F6V40W6RjZGIjF4gman5JApy+annrzOok6Oxt2aCrT
WuPDUVug47PEWf2re63K5AMoEK5+Ts0=
=XdeU
-----END PGP SIGNATURE-----
------------------------------
From: [EMAIL PROTECTED]
Subject: Generalized TEA paper
Date: Tue, 20 Apr 1999 14:15:46 GMT
I finished the draft of my paper on TEA and generalizations of it. I want to
add more content to the end of the paper, but for the most part it's
complete. I would like someone(s) to review the numbers in the paper,
primarily the probabilities. I believe most of them are accurate, or
practically accurate, but I would like some review.
I invite everyone to take a peek; it's available in HTML format (which messed
up the TABS) at
http://members.tripod.com/~tomstdenis/gtea.html
When I finish the paper I will make RTF formats available.
Thanks for your time,
Tom
============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
------------------------------
From: [EMAIL PROTECTED] (Andy Jeffries)
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
Subject: ANN: Next Beta-release of Kwik-Crypt
Date: Tue, 20 Apr 1999 13:45:51 +0100
Release Candidate 2 of Kwik-Crypt is released. This release fixes a minor
memory leak and contains a smaller Windows GUI mode self restoring
capability.
The full version should be released in about a month. Archives created with
the previous release can still be opened and verified with this version.
Thank you to everyone who has sent in bug reports and feature enhancements;
most have been made in this release, although some are planned for the full
version.
--
Andy Jeffries
Kwik-Rite Development
--See http://www.kwikrite.clara.net/ for Kwik-Crypt BETA - Self-restoring
archive maker for Windows 95/98/NT using Blowfish (FREEWARE)
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Radiation/Random Number question
Date: Tue, 20 Apr 1999 17:58:40 GMT
In article <7f8tdg$787$[EMAIL PROTECTED]>,
"R H Braddam" <[EMAIL PROTECTED]> wrote:
>
> Medical Electronics Lab wrote in message
> <[EMAIL PROTECTED]>...
>
> Actually, I was hoping for (soft error) problems. I had read somewhere that
> a few sheets of paper would stop alpha radiation. I suspected that the
> encapsulation would block alpha particles, and that was the reason for the
> next question.
You could always go get a couple Thoriated lantern mantles (which
give off everything, and can be detected through 0.5 mm steel)
and place them near your chips.
5 mantles in a plastic film canister give about 300 counts/min, or 300 uR/hr.
Background here is about 15 cpm, or 15 uR/hr. The Am-241 source gives 30000
counts/min (yes, this is in your living room!), if the source is as close to
the thin mica beta-window on the geiger counter as I can get it.
If you have FSU friends maybe you can get better isotopes :-(
> I agree that starting with something that works already should be simpler.
> The smoke detector board is kind of big, though. I was hoping to find a way
> which would result in a smaller package.
Use a sound card to acquire FM hiss, and distill it. This will
give you several orders of magnitude more entropy/sec than
any radioactive decay you'd want to play with. Much more
practical than any of this fun radiation stuff Dr. Mike et al.
enjoy.
(And you can take your soundcard or fm-receiver card on a plane; not
supposed to haul isotopes..)
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Dynamic Data Dependant Key Schedule
Date: Tue, 20 Apr 1999 17:15:16 GMT
[EMAIL PROTECTED] wrote, in part:
>This is basically dynamic key scheduling. Pretty cool no? What does anyone
>think about it?
Rotating the subkey based on the other half of the block isn't really that
much different than rotating the data; the two could be made almost
equivalent through a suitable analysis in all likelihood.
But I *absolutely* agree that making the key schedule dynamically variable
is a good idea.
Take a peek at the MISHMASH concept in
http://members.xoom.com/quadibloc/co0412.htm
for an illustration of how I think this sort of thing could be taken fairly
far, and then applied to a block cipher.
John Savard ( teenerf<- )
http://members.xoom.com/quadibloc/index.html
------------------------------
From: [EMAIL PROTECTED] (Herman Rubin)
Subject: Re: True Randomness & The Law Of Large Numbers
Date: 20 Apr 1999 13:56:41 -0500
In article <[EMAIL PROTECTED]>,
R. Knauer <[EMAIL PROTECTED]> wrote:
>On Mon, 19 Apr 1999 22:00:55 GMT, "Douglas A. Gwyn" <[EMAIL PROTECTED]>
>wrote:
>>If I buy a bit-stream generator that has been advertised as generating
>>a "truly random" (uniform equiprobable) bit stream, and the acceptance
>>test shows the likelihood of its meeting its advertised specification
>>is less than 1 in 1,000,000, I am justified in rejecting it and finding
>>another vendor.
This method of making decisions is an aspect of the typical misuse
of statistics. No test can find the likelihood of it meeting the
advertised random behavior without having a prior distribution of
the various states of nature. What one can test is the probability
that a result in a given class would occur by chance if the precise
hypothesis is true.
But a precise null hypothesis is essentially always false, and
also the type of probability statement made is not what one should
be considering.
>And you could not be faulted. Just realize that you did that to be on
>the safe side, not because you made a reasonably correct
>determination. The TRNG could have been a perfectly good device.
If you take this position, NOTHING can be decided by looking
at the data. The device could be a generator with 99% 1's, and
it still could produce any given sequence.
>In an infinite sequence, all subsequences are possible. There is
>nothing to prevent a TRNG from generating one of them when you decide
>to test it.
One always observes a finite sequence. Probability can deal with
infinite sequences, but probabilities are not known. Only data
is known.
>The false assumption that a time average is the same as an ensemble
>average leads to the bigotry we see in ordinary life. In this case,
>because the TRNG did not output a sequence that had the appearance of
>randomness, you were bigoted against it because you could not take the
>chance that it was not truly random.
"Ensemble" is a term coined by physicists who have the not uncommon
difficulty with accepting probability as primitive.
>Of course, you could be correct - the TRNG could be non-random.
If it is a physical process, it is random. It does not have the
ideal properties; the question is, is it close enough. This takes
a large enough data set to make a reasonable determination, and
the problem is much more difficult than statistics texts admit.
The question is when to act as if something is true, when one knows
it is not.
--
This address is for information only. I do not claim that these views
are those of the Statistics Department or of Purdue University.
Herman Rubin, Dept. of Statistics, Purdue Univ., West Lafayette IN 47907-1399
[EMAIL PROTECTED] Phone: (765)494-6054 FAX: (765)494-0558
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Question on confidence derived from cryptanalysis.
Date: Tue, 20 Apr 1999 17:36:26 GMT
[EMAIL PROTECTED] (Terry Ritter) wrote, in part:
>On Sun, 18 Apr 1999 00:35:46 GMT, in <[EMAIL PROTECTED]>, in
>sci.crypt "Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote:
>>I assume you're talking about the open literature, because it's
>>not the case inside the fence. That's one of the frustrating
>>things about this business; there is a lot of (slow) reinvention
>>of the wheel, due to extreme secrecy about what is known.
>Yes, of course, I know only the open literature. I have no idea what
>was developed otherwise. For example, after I developed Dynamic
>Substitution, I realized that one could use a random Latin square as a
>combiner. I would expect that this was long known "inside," but am
>unaware of any open literature about it. (Shannon of course talks
>about Latin squares, but does so in the context of entire cipher
>transformations, and not stream-cipher combiners.)
>>Largely, academia studies what they already know how to study,
>>because the expectation of producing something "publishable"
>>is greater that way. This is really sad, but understandable.
>>Just so you know, I appreciate your work and especially your
>>making useful information available via the Web. Maybe self-
>>publication will help mankind make progress in fields that
>>are currently stagnating due to academic inbreeding.
>Coming from you, that means a lot. Thanks.
Although lately, once again, I've made a number of posts criticizing places
where I think you've overstated your case - and I think it's very important
_not_ to overstate one's case when one is advocating a minority position -
I will take the opportunity to acknowledge both that you have made
contributions through your own work, as well as by representing a point of
view that points in the direction of what I, also, feel is a correction
needed by the cryptographic community.
One needs the very highest credibility when one is engaged in telling
people what they do not want to hear.
As I, too, know "only what I read in the papers", I have no idea if someone
in Serbia reading my web page has forced the NSA to spend X billions of
dollars on new computers - I don't believe I've said anything in my own
designs that would not have been obvious to professionals even in countries
with far less impressive cryptographic capabilities than those of the U.S.
- but I tend to believe that that particular horse was out of the barn even
before Phil Zimmerman came along. But I could be wrong.
John Savard ( teenerf<- )
http://members.xoom.com/quadibloc/index.html
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Radiation/Random Number question
Date: Tue, 20 Apr 1999 17:36:53 GMT
In article <7f8fn2$t2$[EMAIL PROTECTED]>,
"R H Braddam" <[EMAIL PROTECTED]> wrote:
> Thank you for replying. With the amount of discussion in another thread
> about "True Random Numbers" and the mention that radioactivity is a possible
> source, it occurred to me that there is a commonly available source of
> radioactivity. If there is a way to use it in an inexpensive device many of
> us would benefit.
1. Buy a $165 geiger counter from aw-el.com; plugs into a serial or
parallel port.
2. Buy a $5 first alert smoke detector. Take it apart. Don't
touch the foil in the cage.
The problem with the Am-241 is that the betas don't go through >1cm
of air, much less some epoxy.
Remember to distill the decay-count data; it's normally, not
uniformly, distributed.
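The "distill" step recommended in this post and in the earlier FM-hiss reply (take a non-uniform physical signal and reduce it to unbiased bits) looks like the pipeline below. This is an added example, not code from any poster; the counts are produced by a seeded Poisson sampler standing in for a Geiger counter, and the function names are the example's own.

```python
"""Entropy extraction for a physical source whose raw samples are not
uniform, e.g. Geiger counts per interval or sound-card samples of FM hiss.
Everything here is constructed for illustration: the counts come from a
seeded Poisson sampler, not from a real detector."""
import hashlib
import math
import random
from collections import Counter


def simulated_counts(n, mean, seed=1):
    """Constructed stand-in for counts per sampling interval.

    Decay counts are Poisson distributed; for a large mean that is close to
    normal, which is the 'normally, not uniformly distributed' point."""
    rng = random.Random(seed)
    limit, out = math.exp(-mean), []
    for _ in range(n):
        k, p = 0, 1.0                    # Knuth's Poisson sampler
        while True:
            k += 1
            p *= rng.random()
            if p <= limit:
                break
        out.append(k - 1)
    return out


def min_entropy_per_sample(values):
    """Min-entropy -log2(p_max) of the observed distribution, in bits.
    This is the conservative figure to use when deciding how many raw
    samples must go into each output block."""
    p_max = max(Counter(values).values()) / len(values)
    return -math.log2(p_max)


def compare_pairs(values):
    """First stage: one bit per disjoint pair of samples, 1 if the first is
    larger, 0 if smaller, nothing if equal. The pair is symmetric, so the
    bit is unbiased even though the samples themselves are not uniform."""
    return [1 if a > b else 0
            for a, b in zip(values[0::2], values[1::2]) if a != b]


def von_neumann(bits):
    """Second stage: von Neumann debiasing, (0,1) -> 0, (1,0) -> 1, equal
    pairs dropped. Exactly unbiased if the input bits are independent;
    it does not remove correlation between bits."""
    return [a for a, b in zip(bits[0::2], bits[1::2]) if a != b]


def condition(bits, out_bytes=32):
    """Final stage: hash the extracted bits down to a fixed-size block.
    The caller is responsible for supplying at least out_bytes*8 bits of
    min-entropy; the length check below is only a sanity floor."""
    if len(bits) < out_bytes * 8:
        raise ValueError("not enough bits collected")
    value = int("".join(map(str, bits)), 2)
    packed = value.to_bytes((len(bits) + 7) // 8, "big")
    return hashlib.sha256(packed).digest()[:out_bytes]


def ones_fraction(bits):
    return sum(bits) / len(bits)


def extract(counts, out_bytes=32):
    """Full pipeline on a list of raw counts; returns (bits_before_hash, key)."""
    bits = von_neumann(compare_pairs(counts))
    return bits, condition(bits, out_bytes)


if __name__ == "__main__":
    raw = simulated_counts(20000, mean=100)
    print("min-entropy per raw count: %.2f bits" % min_entropy_per_sample(raw))
    bits, key = extract(raw)
    print("extracted bits: %d, ones fraction %.3f" % (len(bits), ones_fraction(bits)))
    print("32-byte output:", key.hex())
```

The comparison stage throws away most of the raw data (a count near the mean carries only a few bits of min-entropy, and ties are dropped), which is the usual price of a physical source; the hash at the end only spreads entropy that was actually collected, it does not create any.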
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Radiation/Random Number question
Date: Tue, 20 Apr 1999 17:47:01 GMT
In article <[EMAIL PROTECTED]>,
Medical Electronics Lab <[EMAIL PROTECTED]> wrote:
> R H Braddam wrote:
> > Does anyone here know of any efforts to make *more* sensitive ICs for the
> > purpose of detecting radiation?
>
> It's not really necessary. Most people need to detect high energy
> particles and the IC's to do that work pretty well.
You all know about how alphas from the epoxy was flipping bits
in early Intel memories, right?
You could make an interesting rng circuit by plating the Am-241 onto
your die, but the fab people would not like that, nor would the
radiation-regulation people. Or the people who salvage ICs :-)
> Not very feasible. A much simpler way is to amplify the signal
> off a smoke detector and use that for a random noise source. I'm
Can you use an ac-coupled soundcard as your acquisition system?
------------------------------
From: Medical Electronics Lab <[EMAIL PROTECTED]>
Subject: Re: PGP=NSA (what is it about crypto?)
Date: Tue, 20 Apr 1999 12:51:31 -0500
[EMAIL PROTECTED] wrote:
>
> Who let this flake in here?
>
> And what is the deal with cryptography attracting these ranting lunatics?
The net is free for anyone to use. Every newsgroup has its
lunatics, just like every town has its drunks, flakes and
know-it-alls. Rather than get mad the best approach is pity.
Toss them a quarter every now and then. If they pick it up,
you know you're dealing with something smarter than a dog.
If they know they can buy a clue, you've found someone smarter
than a monkey. Some are trainable, some aren't.
Chill out man, stress shortens your life. I find laughter
a much simpler route.
:-)
Patience, persistence, truth,
Dr. mike
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: testing encrypted files
Date: Tue, 20 Apr 1999 17:30:07 GMT
In article <[EMAIL PROTECTED]>,
Ronan Harle <[EMAIL PROTECTED]> wrote:
> Hi,
>
> There is a small program, Stat95 (available on
> http://www.owlnet.rice.edu/~jmott/stat95.zip , 32.8 Kb )
> that makes a statistic analysis on the first 10 kb of an encrypted file,
> and give some statistical data about it.
You may want to look at "Diehard" and Maurer's universal statistical
test for random bit generators, if you're interested in
randomness tests.
Note that any decent cipher (strong or not, block vs. stream, etc.) will give
uniformly distributed data *indistinguishable* from truly random data
*without the key*. With the key, of course, you can tell the
difference.
The tool you have seems to be performing simple measures on your
data (e.g., 1:0 ratio) looking for structure of various sorts.
Diehard does this more extensively.
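Two of the measures named in this reply, worked through on constructed data: the simple "1:0 ratio" and byte-histogram checks that tools like Stat95 perform, and Maurer's universal statistical test in the form tabulated in NIST SP 800-22. This is an added example and not code from any poster or from Diehard; the "ciphertext" is SHA-256 in counter mode over a fixed seed, standing in for real cipher output, and the plaintext is a repeated ASCII pangram.

```python
"""Statistical checks of the kind the thread mentions, on constructed data.
The 'ciphertext' stand-in is SHA-256 run in counter mode over a fixed seed
(deterministic, and a placeholder for real cipher output); the plaintext
stand-in is a repeated ASCII pangram."""
import hashlib
import math

PLAINTEXT = b"the quick brown fox jumps over the lazy dog " * 1200


def pseudo_ciphertext(n_bytes, seed=b"constructed-seed"):
    """Deterministic stand-in for well-encrypted output (SHA-256 counter mode)."""
    out, ctr = bytearray(), 0
    while len(out) < n_bytes:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:n_bytes])


def to_bits(data):
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def ones_ratio(data):
    """The simple '1:0 ratio' measure: fraction of one bits, ~0.5 if random."""
    bits = to_bits(data)
    return sum(bits) / len(bits)


def byte_chi_square(data):
    """Chi-square of the byte histogram against uniform: about 255 +/- 23
    for random bytes; huge for text, where most byte values never occur."""
    hist = [0] * 256
    for b in data:
        hist[b] += 1
    expected = len(data) / 256
    return sum((h - expected) ** 2 / expected for h in hist)


# Expected value and variance of fn per block length L, from the table in
# NIST SP 800-22 (section on Maurer's universal statistical test).
MAURER_TABLE = {6: (5.2177052, 2.954), 7: (6.1962507, 3.125), 8: (7.1836656, 3.238)}


def maurer_universal(data, L=6):
    """Maurer's universal statistical test. Returns (fn, p_value).

    The first Q = 10 * 2**L blocks initialise a table of last-seen positions;
    each of the following K blocks contributes log2 of the distance back to
    the previous occurrence of the same L-bit pattern. Compressible input
    (repeating patterns) yields small distances and a small fn."""
    expected, variance = MAURER_TABLE[L]
    bits = to_bits(data)
    Q = 10 * 2 ** L
    n_blocks = len(bits) // L
    K = n_blocks - Q
    if K < 1000 * 2 ** L:
        raise ValueError("need at least %d bits for L=%d" % ((Q + 1000 * 2 ** L) * L, L))
    blocks = [int("".join(map(str, bits[i * L:(i + 1) * L])), 2) for i in range(n_blocks)]
    table = [0] * (2 ** L)
    for i in range(1, Q + 1):                 # positions are 1-indexed, as in the spec
        table[blocks[i - 1]] = i
    total = 0.0
    for i in range(Q + 1, Q + K + 1):
        pattern = blocks[i - 1]
        total += math.log2(i - table[pattern])
        table[pattern] = i
    fn = total / K
    c = 0.7 - 0.8 / L + (4 + 32 / L) * K ** (-3 / L) / 15
    sigma = c * math.sqrt(variance / K)
    p_value = math.erfc(abs(fn - expected) / (math.sqrt(2) * sigma))
    return fn, p_value


if __name__ == "__main__":
    for name, sample in (("plaintext", PLAINTEXT), ("ciphertext", pseudo_ciphertext(50000))):
        fn, p = maurer_universal(sample)
        print("%-10s ones=%.4f chi2=%.1f maurer fn=%.4f p=%.3g"
              % (name, ones_ratio(sample), byte_chi_square(sample), fn, p))
```

As the reply says, passing these tests is necessary but says nothing about strength: any cipher whose output looks uniform without the key will pass, so a test like this only catches gross mistakes (ECB of structured data, a broken PRNG, unencrypted sections), never a weak but well-mixed cipher.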
------------------------------
Date: Tue, 20 Apr 1999 18:16:20 +0100
From: David Crick <[EMAIL PROTECTED]>
Subject: Re: AES R1 comments/papers available & my views
Sam Simpson wrote:
>
> David Crick <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > As promised, NIST have published "all" (electronic?) Round 1
> > comments and papers on their web site:
> >
> > http://csrc.nist.gov/encryption/aes/round1/pubcmnts.htm
I should add that I've since had an e-mail from Jim Foti:
: What you see are, in fact, ALL of the comments we received. Only RSA's
: comments were submitted in letter form (but they also provided us with
: the PDF file you see on the web site).
> It would appear that TwoFish, Rijndael, Serpent, RC6 & possibly MARS
> are generally perceived to be good candidates.
Yes, with E2 getting a nod as well. Crypton featured (although I'm
told by BS that it was broken at FSE6) and there were some proponents
of DFC/HPC/Safer+ and CAST. On the whole, the straw poll from AES2
was backed up by the official comments.
> Generally, I thought it was nice that the emphasis was moved slightly
> away from performance.
Yup.
David.
--
+---------------------------------------------------------------------+
| David Crick [EMAIL PROTECTED] http://members.tripod.com/~vidcad/ |
| Damon Hill WC '96 Tribute: http://www.geocities.com/MotorCity/4236/ |
| Brundle Quotes Page: http://members.tripod.com/~vidcad/martin_b.htm |
| PGP Public Keys: (2048-bit RSA) 0x22D5C7A9 (4096 DH/DSS) 0x87C46DE1 |
+---------------------------------------------------------------------+
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************