Cryptography-Digest Digest #440, Volume #9 Wed, 21 Apr 99 15:13:03 EDT
Contents:
Re: Question on confidence derived from cryptanalysis. (Geoff Thorpe)
Re: Question on confidence derived from cryptanalysis. (Terry Ritter)
Re: One-Time-Pad program for Win85/98 or DOS (Earth Wolf)
Re: Question on confidence derived from cryptanalysis. (Earth Wolf)
----------------------------------------------------------------------------
From: Geoff Thorpe <[EMAIL PROTECTED]>
Subject: Re: Question on confidence derived from cryptanalysis.
Date: Wed, 21 Apr 1999 11:51:36 -0400
Hi,
I'm clipping liberally now in part of a joint effort (with Terry I
believe) to get this down to a manageable size again. Particularly as the
themes seem quite universal throughout.
First let me quote the more "emotive" stuff before getting the heart of
the issue itself:
Terry Ritter wrote:
> You seem to be in conflict between your ego and reality. You have
OK, so now I have an ego problem - after caveats of not being a
cipher-designer, knowing that my views of "tested strength" are based on
"fuzzy" quantities and "judgement". But then you go on to demonstrate
some hypocrisy:
> told us how good you see yourself as being, which leaves very little
> room to realize that your entire argument has been wrong from the
> beginning.
how arrogant, and yet somehow sad too.
> Aw, man, this is soooooo bogus. You have no idea what you are talking
> about.
once again.
> Son of a gun, it *is* one of mine. Why, what a surprise!
>
> The first thing that happens in these discussions is the outright
> denial of my points. Then, as my points become unassailable, there is
> denial that I was the one who presented solutions -- in the very same
> discussion! Then we will have denial that I originated this issue,
> then condescending comments that I was not the first to ever do so
> (despite the level of controversy implying that earlier discussions
> had little effect). And then, since I talk about this periodically,
> we will have comments it has to be considered public domain anyway.
>
> Is it any wonder that I patent my stuff?
Is it any wonder you so acidically slam views that do not concur with
your own - I'm not rallying behind anything other than my opinion - and
I am impartial of the quantities we're dealing with here, I maintain no
patents or profit - I do not get paid to do anything "free" (as per the
academics) - and yet what I do contribute (coding), in the area of
crypto at least, goes straight into the public domain. I stand accused
of getting stuck between ego and reality, but all I've done is state
that I don't agree with your radical view on the value (or lack of
value) one can put on "tested strength" - you however seem guilty of
exactly that which you accuse me of. At least I've engaged in discussion
with you, it seems your beef should be with those who pay no attention
to you.
> I'm *sure* we will disagree. But if your disagreement is with the
> above issues, you again disagree with your particular extrapolation of
> such a system. Let me describe the right way:
"the right way" ... why am I not surprised.
[snipped a description of a basic and extensible architecture for a
user-maintained collection of ciphers and an outline of how the online
protocols might proceed from that].
Frankly Terry there are much better people to comment on this from audit
and cryptanalytic points of view but from a software engineer/designer
point of view, really nothing here surprises me a great deal. My initial
reaction is that it looks a little bit held together with
"chicken-wire", and you already know my point of view on standards that
just say "plug in the ciphers you feel most 'connected' to" - I'm still
not compelled that this will be interoperable but that's not to say you
don't have an explanation why it could be - and I'm certainly compelled
that this is irresponsible in the extreme, but that of course hinges on
my view that triple-DES is a better option than mysticTarot128 even
though the latter could have a sexier web-site. And we already know we
disagree on that premise so it boils down to axiomatic differences.
> I could go on with a specific cipher-change message protocol, but will
> not.
Might I just say that it seems to me that this approach (a) seems to
demand a complicated protocol that itself must be a vulnerable-looking
target for a "winner-takes-all" breakage, (b) if you want to sling
requirements of "scientific literature" around then why don't we quote
the oft-quoted phrase "security by obscurity". I would still rather use
one 128-bit triple-DES stage, than two 128-bit toys in a random
configuration. The latter looks more like snake-oil to me and may well
impress end-users (for being "configurable" and "too complicated to
break (TM)") and impress Opponents ("ha, the fools"). Again, this could
boil down to our fundamental difference.
> Show me one scientific article which *does* specify cipher strength.
> Crypto scientists *know* they CANNOT state a "strength" (as we know
> the term). There *is* no (reputable) literature like this. Yet that
> is exactly what YOU are trying to do.
You go on to say that you welcome all the concerted cryptanalysis people
can come up with. For what? Is that cryptanalysis worthless if it does
not actually break a cipher? If not, tell me what value you place on
such cryptanalysis (let's say the analysis in question is on
DES/triple-DES), call it a unit of "tested strength", and perhaps we
don't disagree as much as we did.
> In this case I agree with virtually the entire body of cryptanalytic
> literature in that one CANNOT know cipher strength. I also think it
Yet much of it fails to break the cipher in question, and is often
littered with conclusions such as "seems to hold up well in the face of
[*]", "seems to have some strong properties with respect to [*]", etc.
These are morsels that contribute to what I perceive as "tested
strength". You seem to think that cryptanalysis is valuable, and yet you
place no value on most of it. I choose to. And you also say that the
entire body of cryptanalytic literature supports you in all this and it
is I who must find evidence, proof, references to support my
disagreements with you - when what I'm saying is that cryptanalytic work
against a cipher (that doesn't bust it) gives me some confidence over a
lack of cryptanalytic work against another. You've still not convinced
me that I must abandon that view - you've just stated that I should, and
that the literature supports you in that conclusion.
> is fruitless to speculate on strength, or on the capabilities of our
> Opponents, and that we are better off spending our time protecting
> against failures which cryptanalysis cannot avoid.
That is a noble objective - but whatever the result, it will employ
ciphers - and that's where my niggly (and probably highly frustrating to
some obsessed with an all-ciphers-are-equal philosophy) little view
comes back into the frame.
> Which means that attempts to do this -- exactly what you are doing --
> are simply unscientific. When you can show that this works, then we
Define "scientific" and we'll probably see you've defined the
possibility of discussing this issue scientifically out of existence.
> But my "contrary opinion" -- that the past history of the strength of
> a cipher does NOT tell us about its future strength -- again reflects
> the scientific literature. I am aware of no articles at all that show
Does it indeed. Funny that rather prolific contributors to the
scientific literature are competing in a battle to see whose cipher
holds up the best to "historical strength testing" so as to be utilised
with *improved* expectations of "future strength". Perhaps these
luminaries won't come out and argue the point with you, but because I'm
not so highly esteemed and you're here arguing with me - naivety,
unfamiliarity with the literature, historical record, blah blah blah are
all valid accusations for you to dismiss the view outright.
> such a correlation. That is not *my* opinion, that is the prevailing
> scientific understanding. You are the one proposing a clear opinion
> with no scientific basis whatsoever.
The opinion that placing "tested strength" in something that has
withstood attempts to break it over things which haven't is a core
scientific principle in many fields, many of them where disastrous risks
of being wrong are involved - and it IS common sense. Telling me it
isn't does seem to put a burden of proof on you that goes beyond simply
stating it, and making sweeping assertions that "the vast scientific
literature" supports you.
> Nonsense. My point is precisely that cryptanalysis ("breaking")
> *cannot* tell us if a cipher is weak. My point is that we must assume
And apparently cryptanalysis ("not breaking") *cannot* tell us if a
cipher is "strong". What value is it that you actually see in this field
of science? How are anyone except the scientists themselves supposed to
use or apply the outcome of that work in any practical way?
> I think unscientific arguments *would* be called "incorrect." You
> assume something trivial like extrapolating the strength of a cipher
> from its cryptanalytic testing -- something which does not exist in
> the scientific literature.
Common-sense usage of scientific literature itself not being documented
in scientific literature. An interesting rebuttal and one that has me
tiring of this pointless back-and-forth. If you are blind, this will go
nowhere - if you are right, you need to find a better way of
understanding my view and showing me constructively why it is
definitively wrong if you want to get anywhere. Bear in mind that my
view happens to be shared by many who can not so trivially be swept
aside with back-handed commentary about "the scientific literature" and
"not knowing what you're talking about".
Regards,
Geoff
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Question on confidence derived from cryptanalysis.
Date: Wed, 21 Apr 1999 18:59:45 GMT
On Wed, 21 Apr 1999 19:44:12 -0400, in <[EMAIL PROTECTED]>,
in sci.crypt "Trevor Jackson, III" <[EMAIL PROTECTED]> wrote:
>Terry Ritter wrote:
>[...]
>Some clarification may be called for in that your statements can be
>construed as claims that cipher diversity solves the problem of inferior
>talent/resources/etcetera with respect to dark-side adversaries and
>future adversaries of all shades. I believe this absolutist position to
>be false.
I am not sure that I have made such a claim, which I also think is
false.
I don't know what could be clearer than my repeated statement that we
can trust no cipher. Cipher use cannot build trust in strength.
Cryptanalysis cannot certify strength. We must always be aware that
failure is a possibility, and we are even unable to estimate that
probability. When the consequences of cipher failure are
catastrophic, we simply cannot afford to depend on any one cipher.
The many-cipher part of the fix package has multiple goals, the first
being to compartmentalize information so that if the cipher (which we
do not and can not trust!) protecting that information fails, we do
not lose everything, throughout all society.
An implicit part of using multiple ciphers is that we change ciphers
at various times, so that we personally or corporately have similar
protection (i.e., cipher failure exposes only part of our
information). Once we have a way to change ciphers quickly, we have
vastly reduced the consequences of an academic break which finds a
weakness in our cipher. If any of our ciphers are found wanting, we
just use something else. No big deal.
With respect to the talents of the "dark-side adversaries" (a view
with which I doubt they would agree), we certainly must assume that
they have far greater resources than we do. But even their vast
resources are not unlimited; they must make the same tradeoffs any
project makes. So if they eventually do succeed against some cipher,
they expect a payoff from that success. If there is just one cipher
throughout society, that payoff will be huge, but if many ciphers are
used, the payoff will be minor.
By injecting a constant flow of new ciphers into the mix we force the
"adversaries" to "keep up" if they wish to maintain whatever level of
success they have. Each new cipher must be identified, acquired,
analyzed, broken, and software and perhaps hardware constructed to
automate the break. Their alternative is that less and less
information flows under ciphers which they can break. As we often
have seen discussed, it is far easier (thus cheaper) to construct a
new cipher than it is to analyze that cipher. This advantage in
cipher diversity provides *some* benefit, even if some of the ciphers
are weak. This is hardly an absolutist position.
Now, each of these paragraphs has discussed one or two specific
problems being solved by the fix package. I doubt that I would say
that *all* problems would be fixed, since that would be the cipher
argument in another guise. We cannot know. But very substantial
problems *are* fixed, and for the first time we take the battle to the
cryptanalytic "adversaries" and make them pay a price. The
alternative is to sit back and wish and hope for cipher strength,
because we sure cannot prove it or test it.
>Your statements can also be construed to claim that cipher diversity
>will reduce whatever gap exists. I believe this relative position to be
>true.
I'm not quite sure what this means, but thanks!
>> Moreover, by using a wide variety of ciphers, we act to limit the
>> amount of data disclosed by any break that does occur. I do assume
>> that this will reduce the attraction of cryptanalysis, by limiting the
>> eventual payoff. Again, I think this a reasonable assumption.
>
>Some consideration also has to be given to the definition of payoff.
>The dark-side adversaries get payoff in reaching their information
>goals. But academic researchers get payoff by earning the admiration of
>their peers. That admiration can be earned in the absence of successful
>attacks on a cipher system. A successful attack on a component of a
>cipher system would be just as admirable as a successful attack on a
>homogeneous cipher.
I suppose you mean a particular cipher -- a component in the
multi-cipher system. Not *just* as admirable perhaps, but admirable
nevertheless. OK.
>Thus the cipher collection is not immune to attack
>by reason of its lack of information leakage.
I would say that we cannot trust any cipher, and we cannot trust any
cipher system, including the fix package applied to current methods.
No cipher system can possibly be immune. If we could prove or build
"immune," we wouldn't need all this stuff.
>A large body of talented
>attackers will still be just as motivated as they are now.
Which is great, right? We want all the cryptanalysis we can get. If
a cipher fails, we just use something else.
Maybe I had some trouble following your reasoning here.
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
From: [EMAIL PROTECTED] (Earth Wolf)
Crossposted-To: alt.security,alt.privacy
Subject: Re: One-Time-Pad program for Win85/98 or DOS
Date: Wed, 21 Apr 1999 19:07:14 GMT
On Fri, 16 Apr 1999 07:50:31 -0700, Sundial Services
<[EMAIL PROTECTED]> wrote:
>Earth Wolf wrote:
>
>> There's a simple (though inefficient) way to guarantee a truly random
>> bit sequence from a biased random bit sequence:
>>
>> 1) Break the biased bit sequence into pairs;
>> 2) If the two bits in a pair are the same, discard that pair;
>> 3) The remaining pairs are either (with equal probability) 0-1 or 1-0.
>> Discard the second bit from each of these pairs.
>I do not profess to be a mathematician but I must intuitively question
>the validity of the assumption in "(3)" namely: "with equal
>probability."
>
>If the incoming stream of bits (or eight-bit groups) from the RNG is
>biased, then groups-of-bits of any size would also be biased. The
>difference in probability between 00, 01, 10, and 11 might be extremely
>small and/or hard to measure but I cannot accept that the probability of
>01 and 10 are precisely 0.250000...
Who said anything about "precisely 0.250000..."? Suppose the
probability of a 1-bit is .75, and the probability of a 0-bit is .25?
then the probability of "0-1" is .25 * .75, while the probability of
"1-0" is .75 * .25, or 0.1875 - but they're still equal.
Okay, I admit that this presumes the bits are not sequentially biased.
i.e. the probability of a 0 is the same regardless of the length or
values of the preceding bit sequence.
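The pairing-and-discarding step described above, together with the independence caveat at the end of the post, worked through as an added example. This is not Earth Wolf's code or anything from the thread; the source streams it feeds the extractor are constructed inline (a seeded biased coin, and a deliberately sequentially-dependent alternating stream) so the run is reproducible offline.

```python
import random


def von_neumann_extract(bits):
    """Debias a bit list exactly as the post describes.

    Break the stream into non-overlapping pairs, drop 00 and 11, and for the
    surviving pairs keep only the first bit (01 -> 0, 10 -> 1).
    """
    out = []
    for i in range(0, len(bits) - 1, 2):
        a, b = bits[i], bits[i + 1]
        if a != b:
            out.append(a)
    return out


def pair_probabilities(p):
    """Return (P(01), P(10), fraction of pairs kept) for independent bits
    with P(1) = p. Both surviving patterns have probability p*(1-p), which is
    the equality the post relies on; neither needs to be 0.25."""
    p01 = (1 - p) * p
    p10 = p * (1 - p)
    return p01, p10, p01 + p10


def fraction_of_ones(bits):
    return sum(bits) / len(bits) if bits else 0.0


def biased_independent_bits(n, p_one, seed=1):
    """Constructed source 1: independent bits with a fixed bias. The seed makes
    the sample reproducible; it is not a security-quality generator."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def alternating_bits(n):
    """Constructed source 2: a sequentially dependent stream 0,1,0,1,...

    Its single-bit statistics look perfect (half ones, half zeros), but every
    pair is 01, so the extractor keeps every pair and emits a constant stream.
    This is the failure mode the post's caveat about sequential bias refers to:
    the method assumes each bit is independent of the bits before it.
    """
    return [i % 2 for i in range(n)]


def demo():
    p = 0.75
    p01, p10, keep = pair_probabilities(p)
    print(f"independent source, P(1)={p}: P(01)={p01}, P(10)={p10}, "
          f"pairs kept={keep:.3f}")

    src = biased_independent_bits(40000, p)
    out = von_neumann_extract(src)
    print(f"input ones: {fraction_of_ones(src):.3f}  "
          f"output ones: {fraction_of_ones(out):.3f}  "
          f"output length: {len(out)}")

    alt = alternating_bits(1000)
    alt_out = von_neumann_extract(alt)
    print(f"alternating source ones: {fraction_of_ones(alt):.3f}  "
          f"extractor output ones: {fraction_of_ones(alt_out):.3f}  "
          f"(all {len(alt_out)} output bits identical)")


if __name__ == "__main__":
    demo()
```

Two things to take from the run: on the independent source the output sits at about half ones even though the input was three-quarters ones, and the kept fraction (2p(1-p), here 0.375) is the price paid in throughput; on the alternating source the per-bit frequencies pass a naive bias check yet the extractor's output is worthless, so a practitioner has to establish independence of the raw stream (or at least test for serial correlation) before trusting this construction.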
------------------------------
From: [EMAIL PROTECTED] (Earth Wolf)
Subject: Re: Question on confidence derived from cryptanalysis.
Date: Wed, 21 Apr 1999 19:07:13 GMT
On Mon, 19 Apr 1999 19:05:13 GMT, [EMAIL PROTECTED] (Terry Ritter) wrote:
>I have just previously covered my main argument, which is basically
>that IN MY OPINION, with a single standard cipher, there will be far
>too much value at risk to endure even a small possibility of
>single-cipher failure.
Depends on what you're trying to protect. Is it tactical or strategic
information? i.e. does it have to be kept secret for the next
millennium, or will it be public knowledge at 9:00 a.m. next Tuesday?
If this secret is revealed, will I lose a hundred dollars on the stock
market, or will the world be sucked into a black hole? Is my quest for
the "ultimate" cryptosystem going to be so horrendously cumbersome
that the users will refuse to use it? Is the decrease in bandwidth
going to prevent vital information from being disseminated in a timely
fashion?
Remember Pearl Harbour, where warning of the impending attack arrived
by messenger amid the smoking aftermath? A clear case of how too much
security can be almost as bad as none at all. Real world security
deals with these kinds of trade-offs in a way that your ivory tower
thinking can never comprehend, I'm afraid.
>1) I dispute the idea that by applying various attacks to a cipher we
>somehow can predict how it will perform on future unknown and
>potentially unrelated attacks. (And if this were true, we should be
>able to see the effect with respect to past ciphers. This should be
>measurable and quantifiable in a scientific sense. But we have no
>such reports.)
What kinds of reports are you looking for? There are lots of archaic
ciphers which were considered unbreakable in their day which are
child's play to solve with modern technology. The Jefferson wheel, for
example. What more were you looking for?
>In summary: 1) We cannot estimate the probability that an effective
>attack exists which we did not find;
Of course we can. I estimate it to be 17.375%. It may not be the most
reliable estimate, of course :-)
>I thus claim that we CAN know nothing of the
>probability of future cipher failure, and cannot even reason that this
>probability is "small." The practical consequence of this is that we
>cannot trust any cipher.
I'll trust DES a heck of a lot more than I trust ROT-13. And I'll
trust 3DES a heck of a lot more than I trust DES.
>
>IF we were willing to assume that our Opponents would use only the
>attacks we know and have tried, presumably we *could* have insight
>into the amount of effort needed to break a cipher (although we might
>have screwed up in testing). But I am of the opinion that we cannot
>assume that our Opponents have our limitations. Indeed, I think this
>is very basic cryptography.
No, basic cryptography involves making your best estimate of your
opponents' capabilities and designing a cipher which, to the best of
your knowledge, will be impervious to those capabilities for as long
as it needs to be.
>And upon what evidence do you base you opinion that we *can* predict
>what our Opponents can do?
Basically, the same way we can predict what the surface temperature is
on Mercury, or anything else that cannot be measured directly. We take
what observations we can and attempt to extrapolate what we *don't*
know from what we *do* know.
That's basic physics, btw. :-)
>Presumably, you would handwave about what our Opponents can do both
>now and in the future and say that caution is silly. But that
>conclusion is based on your opinion that we can predict what others
>may do in the future, which I find very strange. If that were true in
>general, we could put criminals in jail before they did anything.
This author makes no distinction between being able to predict
something with 100% accuracy and being able to predict something with
lesser accuracy. For example, magician and card-sharp John Scarne once
described playing gin rummy (for money) with a player who, after
shuffling the cards, would square up the deck with the bottom facing
towards him. An innocent-seeming idiosyncrasy, except that he now knew
the bottom card in the deck (which in gin rummy never comes into
play). Suppose this card were the 8 of hearts; the player cannot
predict, with 100% accuracy, what the next card in the deck will be,
but he knows it will not be the 8 of hearts. This seemingly
insignificant piece of information gives him a huge advantage; he
knows that there is little percentage in trying to fill a meld of 8's
or a run of 6-7-8 or 8-9-T of hearts, and none whatsoever in trying to
fill an inside run of 7-8-9.
In studying PRBGs, ability to predict the next bit with a probability
of 0.5 + epsilon, where epsilon is a small number (usually on the
order of 1/polynomial(log n) ) can be a huge advantage.
>With respect to the problem of potential catastrophic failure from a
>single-cipher system, no amount of cryptanalysis can prevent such
>failure. Both untested ciphers and massively-tested ciphers are the
>same in the sense that neither can be trusted.
Rubbish. I don't trust Charlie the counterfeiter, Ernie the embezzler,
Rocco the rapist, or Sammy the serial killer. But I can give you a
rough estimate of who I'd *least* like to crash my sister's slumber
party.
Earth Wolf
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************