Cryptography-Digest Digest #435, Volume #9 Wed, 21 Apr 99 07:13:08 EDT
Contents:
Re: Question on confidence derived from cryptanalysis. (Terry Ritter)
Re: True Randomness & The Law Of Large Numbers ("Douglas A. Gwyn")
Re: BEST ADAPTIVE HUFFMAN COMPRESSION FOR CRYPTO (Mok-Kong Shen)
Re: Question on confidence derived from cryptanalysis. ("Trevor Jackson, III")
Re: Question on confidence derived from cryptanalysis. ("Trevor Jackson, III")
Re: Another TEA paper (GTEA and XTEA) (Cedomir Igaly)
Dynamic Key Schedule ([EMAIL PROTECTED])
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Question on confidence derived from cryptanalysis.
Date: Wed, 21 Apr 1999 07:40:34 GMT
On Tue, 20 Apr 1999 22:31:22 -0700, in <[EMAIL PROTECTED]>, in
sci.crypt Jim Gillogly <[EMAIL PROTECTED]> wrote:
>Terry Ritter wrote:
>> Jim Gillogly <[EMAIL PROTECTED]> wrote:
>> > I prefer ciphers that good analysts have tried and failed to
>> >break over ciphers that nobody with cryptanalytical experience has
>> >looked at. I define a good analyst as someone who has broken a
>> >difficult system.
>>
>> Then I assume you are willing to make the services of such an analyst
>> available free of charge and without delay. The way it is now, one
>> cannot get such analysis unless one is a particular type of person,
>> working in a few selected environments, and with particular types of
>> design.
>
>No, I'm not. Just as you have the right to patent and profit from
>your ideas, an analyst has the right to choose what she's going to
>work on and how much she charges for it. If she'd prefer to spend
>her time analyzing Rijndael than RC6 because the former is going to
>be freely usable in her projects whether or not it's selected as the
>AES, more power to her. We all make choices depending on the
>outcomes we want or expect.
In that case you should agree that each user should have a similar
power to make their own choices of cipher. That sounds just fine to
me.
Of course the benefits of compartmentalizing data under different
ciphers do not really hit home until we have quite a few ciphers. And
the benefits of requiring the Opponents to "keep up" also imply a
growing substantial body of ciphers.
>In order to encourage more analysis one
>could hire appropriate experts (as several crypto developers have
>done)
Then we have the situation of reporting "scientific" results paid for
by the company which hopes to profit from those results. Will we
really trust that process? I wouldn't.
>or offer rewards for interesting analysis whether or not it
>breaks the algorithm (as I think the Twofish people have done).
>But you can't expect to get expert analysis for free... the people
>who chose to enter the AES bake-off aren't getting it free either.
I think they will not get nearly as much as they should. Which does
not mean that we do not offer them to the users just because they have
not met our desired analysis levels.
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: True Randomness & The Law Of Large Numbers
Date: Wed, 21 Apr 1999 03:55:39 GMT
"R. Knauer" wrote:
> What are we gonna do when a quantum computer programmed to calculate
> true random numbers generates a sequence which fails the FIPS-140
> Monobit Test? Throw out quantum mechanics?
No, assuming the generator persists in giving this evidence of
nonrandomness, we throw out the specific instance of the
generator -- unless there is even stronger evidence (what could
it be?) that it is indeed functioning correctly. Device failure
and software bugs do occur.
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: BEST ADAPTIVE HUFFMAN COMPRESSION FOR CRYPTO
Date: Tue, 20 Apr 1999 17:02:38 +0200
SCOTT19U.ZIP_GUY wrote:
> For those of you interested in the best in "Encryption" and
> "Compression for use with Encryption" take a look at my site.
> There are links to download all the software used. However until
> someone posts the latest version of scott19u.zip it will be
> available only in the US or to those tricky enough to use
> their brains to download it.
Could you at least answer some questions of non-US people who
can't legally look at US crypto stuff? Here are my questions:
I suppose scott19u.zip, if it is similar to a version having
another number and available outside, did not have compression
features. Where have you put the compression? Just a run before
the previous version of the program or is compression tightly
incorporated into the previous encryption algorithm? If the latter,
how (in principle) and why (is it an advantage to do so)?
M. K. Shen
------------------------------
Date: Wed, 21 Apr 1999 19:30:38 -0400
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Question on confidence derived from cryptanalysis.
Jim Gillogly wrote:
>
> I think Terry Ritter's right to be concerned about having essentially
> everyone move to a single new cipher. If the danger isn't obvious,
> consider the analogy with biological systems, where a species with no
> genetic diversity can be wiped out by a single virus incident. Or with
> computer systems, where something like Melissa can cause widespread
> annoyance and some down time because almost everyone is using the
> same operating system and office software suite.
>
> I also agree with him that a careful concatenation of ciphers can
> help limit the damage. I think we may disagree on what kinds of
> ciphers would be most appropriate as choices for concatenation,
> since I prefer ciphers that good analysts have tried and failed to
> break over ciphers that nobody with cryptanalytical experience has
> looked at. I define a good analyst as someone who has broken a
> difficult system.
>
> However, I (like John Savard) think Terry overstates some issues.
> Here's a case in point:
>
> Terry Ritter wrote:
> > Your position, dare I state it, is that you *can* estimate the
> > capabilities of your Opponents.
>
> In another article he wrote:
> > But the only thing being "measured" here is the open, academic
> > analysis. The *real* experts do not play this way. We thus have no
> > way to understand their capabilities. The strength value measured on
> > academics cannot apply to the real problem.
>
> These and similar remarks suggest that a conservative threat analysis
> must regard the opponents as god-like in their cryptanalytic
> capabilities. Of course in the limit this isn't useful, since we
> would have no more confidence in a concatenation of ciphers against
> an opponent like this than we would in a single cipher.
>
> However, we do have ways to estimate the capabilities of the opponents.
> I suggest that the government cryptologic agencies of the US and UK
> represent conservative surrogates for the cryptological skills of the
> strongest opponents, and we have seen several unclassified examples of
> times when they were less than perfect.
>
> In one case (factoring circa 1973) the UK agency was no further
> advanced than the academic community, and academic advances in that
> field were made shortly thereafter. In two other cases the US agency
> made embarrassingly public blunders (the Clipper checksum exploited
> by Matt Blaze, and the SHA/SHA-1 botch that they noticed and fixed
> themselves) that would not have been made if they were omniscient.
> I don't include Biham's work suggesting SKIPJACK is not a conservative
> design, since we don't know that it has to be -- for all we know, there
> are wads of supporting theorems that it's precisely as strong as it needs
> to be for its size. We do have a couple of other cases of classified
> discoveries and corresponding unclassified ones: IBM's differential
> cryptanalysis (15 years) and CESG's non-secret encryption (4 years).
> There are also training exercises (the Zendian Problem and a British
> special intelligence course) which anyone can use to compare their skills
> with advanced cipher school students of the 1960s. The latter does not,
> of course, give the peak strength of the best cryppies, but does suggest
> a starting point for the curve. Finally, we have retired NSA cryppie
> Robert H. Morris's remarks at Crypto '95, where he said that by the
> middle to late 1960's cryptanalysis had become less cost-effective than
> other methods of gaining the information. One may choose to disbelieve
> him, but I don't.
>
> In any case, we do have some data points on the capabilities of the
> strongest potential opponents, and assuming they're perfect would be
> overly conservative.
There's no need to assume perfection or god-like omniscience to motivate
as conservative an approach as possible. Considerations of our own
ignorance regarding advances to be made in the open community during the
life cycles of information we want to protect with today's tools dwarf
any sensible interpretation of current adversarial strength.
And with respect to adversaries from the dark side, the failures you
mentioned do indicate that they err and thus are human. But they will
always be at least as strong as the open community. We have no real
clue how much stronger they actually are, or _will be_.
Note also that Morris's statement is a relative statement. It can be
construed to mean that cryptanalysis is less effective than before, or
that "other methods" have become so much more effective that the
_relative_ worth of crypto is less. The absolute worth could still be
quite high and his statement could still be valid.
------------------------------
Date: Wed, 21 Apr 1999 19:44:12 -0400
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Question on confidence derived from cryptanalysis.
Terry Ritter wrote:
>
> On Tue, 20 Apr 1999 18:50:48 -0700, in <[EMAIL PROTECTED]>, in
> sci.crypt Jim Gillogly <[EMAIL PROTECTED]> wrote:
>
> >I think Terry Ritter's right to be concerned about having essentially
> >everyone move to a single new cipher. If the danger isn't obvious,
> >consider the analogy with biological systems, where a species with no
> >genetic diversity can be wiped out by a single virus incident. Or with
> >computer systems, where something like Melissa can cause widespread
> >annoyance and some down time because almost everyone is using the
> >same operating system and office software suite.
>
> I think I have a right to cheer at this agreement with my major point.
>
> >I also agree with him that a careful concatenation of ciphers can
> >help limit the damage.
>
> And then I cheer again at this agreement with part of my proposed
> solution package.
>
> >I think we may disagree on what kinds of
> >ciphers would be most appropriate as choices for concatenation,
> >since I prefer ciphers that good analysts have tried and failed to
> >break over ciphers that nobody with cryptanalytical experience has
> >looked at. I define a good analyst as someone who has broken a
> >difficult system.
>
> Then I assume you are willing to make the services of such an analyst
> available free of charge and without delay. The way it is now, one
> cannot get such analysis unless one is a particular type of person,
> working in a few selected environments, and with particular types of
> design. Having inherited a democracy, I am unwilling to give that up
> for supposed advantages which, in the limit, do not give us what we
> want anyway. I think people should be able to select their own
> ciphers based on any criteria they want, including superstition and
> innuendo.
>
> >However, I (like John Savard) think Terry overstates some issues.
> >Here's a case in point:
> >
> >Terry Ritter wrote:
> >> Your position, dare I state it, is that you *can* estimate the
> >> capabilities of your Opponents.
> >
> >In another article he wrote:
> >> But the only thing being "measured" here is the open, academic
> >> analysis. The *real* experts do not play this way. We thus have no
> >> way to understand their capabilities. The strength value measured on
> >> academics cannot apply to the real problem.
> >
> >These and similar remarks suggest that a conservative threat analysis
> >must regard the opponents as god-like in their cryptanalytic
> >capabilities.
>
> If that is what you take from these comments (in their proper
> context), I am not surprised that you call my position overstated.
> However, you have exaggerated my position.
>
> In particular, I doubt I have ever said the Opponents are "god-like."
> As far as I can recall, the only people I have accused of being
> "god-like" are the crypto gods who seem to be able to predict: 1) the
> future strength of a cipher, based on past tests; and 2) the
> capabilities of unknown Opponents, based on the capabilities of known
> academics.
>
> >Of course in the limit this isn't useful, since we
> >would have no more confidence in a concatenation of ciphers against
> >an opponent like this than we would in a single cipher.
>
> And so, clearly, I do not so assume. Since I do not assume that an
> Opponent has unlimited capabilities, this comment strongly
> misrepresents my arguments.
>
> But what *are* we to assume? Even a *modest* "value" for Opponent
> capabilities is also "not useful" to us. This is because it is
> (virtually) impossible to *measure* knowledge, experience, and
> innovation. And then it is impossible to *measure* cipher strength.
> So we first don't know the difficulty of the problem, and then don't
> know the capabilities our Opponents can bring to the solution. This
> naturally leaves us in a quandary, even *without* assuming unlimited
> capabilities. The problem is *not* that we should assume a reasonable
> value for Opponent capabilities, the problem is that *any* such values
> and their implications are unknown, uncalibrated, and unuseful.
>
> I suggest that this whole line of inquiry (into cipher strength and
> Opponent strength) is a waste of time. Since we know that
> single-cipher failures are possible, we can work to fix that. Since I
> assume the triple-cipher scheme will work, it is clear that I do not
> assume unlimited Opponent capabilities. I do assume that whatever
> capabilities they do have will be stressed far harder with
> multi-ciphering than single ciphering. I think this is a reasonable
> assumption.
Some clarification may be called for in that your statements can be
construed as claims that cipher diversity solves the problem of inferior
talent/resources/etcetera with respect to dark-side adversaries and
future adversaries of all shades. I believe this absolutist position to
be false.
Your statements can also be construed to claim that cipher diversity
will reduce whatever gap exists. I believe this relative position to be
true.
>
> Moreover, by using a wide variety of ciphers, we act to limit the
> amount of data disclosed by any break that does occur. I do assume
> that this will reduce the attraction of cryptanalysis, by limiting the
> eventual payoff. Again, I think this a reasonable assumption.
Some consideration also has to be given to the definition of payoff.
The dark-side adversaries get payoff in reaching their information
goals. But academic researchers get payoff by earning the admiration of
their peers. That admiration can be earned in the absence of successful
attacks on a cipher system. A successful attack on a component of a
cipher system would be just as admirable as a successful attack on a
homogeneous cipher. Thus the cipher collection is not immune to attack
by reason of its lack of information leakage. A large body of talented
attackers will still be just as motivated as they are now.
>
> >However, we do have ways to estimate the capabilities of the opponents.
> >I suggest that the government cryptologic agencies of the US and UK
> >represent conservative surrogates for the cryptological skills of the
> >strongest opponents, and we have seen several unclassified examples of
> >times when they were less than perfect.
> >
> >In one case (factoring circa 1973) the UK agency was no further
> >advanced than the academic community, and academic advances in that
> >field were made shortly thereafter. In two other cases the US agency
> >made embarrassingly public blunders (the Clipper checksum exploited
> >by Matt Blaze, and the SHA/SHA-1 botch that they noticed and fixed
> >themselves) that would not have been made if they were omniscient.
> >I don't include Biham's work suggesting SKIPJACK is not a conservative
> >design, since we don't know that it has to be -- for all we know, there
> >are wads of supporting theorems that it's precisely as strong as it needs
> >to be for its size. We do have a couple of other cases of classified
> >discoveries and corresponding unclassified ones: IBM's differential
> >cryptanalysis (15 years) and CESG's non-secret encryption (4 years).
> >There are also training exercises (the Zendian Problem and a British
> >special intelligence course) which anyone can use to compare their skills
> >with advanced cipher school students of the 1960s. The latter does not,
> >of course, give the peak strength of the best cryppies, but does suggest
> >a starting point for the curve. Finally, we have retired NSA cryppie
> >Robert H. Morris's remarks at Crypto '95, where he said that by the
> >middle to late 1960's cryptanalysis had become less cost-effective than
> >other methods of gaining the information. One may choose to disbelieve
> >him, but I don't.
> >
> >In any case, we do have some data points on the capabilities of the
> >strongest potential opponents, and assuming they're perfect would be
> >overly conservative.
>
> First, none of this tells us about the future. Yet all operation of a
> cipher takes place in the future, after that cipher is designed.
> Unless we have a reasonable way to predict future capabilities, we are
> necessarily forced into conservative measures.
>
> Next, I think it is dangerous to assume our Opponents are the
> intelligence services we know. In another message I suggested that if
> the problem was only NSA (the way it is now), we would not have much
> of a problem. But NSA is only an *example* of an Opponent, and not
> necessarily even the most advanced example in particular areas of the
> technology. We have intractable problems in making any serious
> extrapolations from this data. Again I suggest that this avenue is
> both unfruitful and dangerous.
>
> ---
> Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
> Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
From: Cedomir Igaly <[EMAIL PROTECTED]>
Subject: Re: Another TEA paper (GTEA and XTEA)
Date: Wed, 21 Apr 1999 11:53:31 +0100
[EMAIL PROTECTED] wrote:
> It's in RTF format (better than text and HTML...) at
>
> http://members.tripod.com/~tomstdenis/xtea.rtf
Extension is .rtf, but this is still in MS Word format :-((
Regards, C.I.
------------------------------
From: [EMAIL PROTECTED]
Subject: Dynamic Key Schedule
Date: Wed, 21 Apr 1999 10:23:11 GMT
I have applied the key schedule to RC5 with some interesting results; the
source is at
http://members.tripod.com/~tomstdenis/rc5x.c
There is only one thing I am wondering about, and it is whether I should use
a known pattern for picking the key words (see the source...)
I have used this key schedule on (my current project) TEA, and wrote the
XTEA.RTF paper.
I would like to write a paper on this dynamic key schedule. It basically
extends the confusion sequence, requires no memory, and makes many attacks
difficult....
Tom
============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************