Cryptography-Digest Digest #517, Volume #9 Sat, 8 May 99 09:13:04 EDT
Contents:
Re: Algorithms where encryption=decryption?
Re: AES (wtshaw)
Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
(wtshaw)
ALF'S PRIVACY MAIL DROP (ALF)
Re: Roulettes (Francois Grieu)
Re: Shamir's TWINKLE Factoring Machine (Damian Weber)
Re: Shamir's Announcement (Mok-Kong Shen)
Re: Triple DES cracked? NYT says so...
Re: BEST ADAPTIVE HUFFMAN COMPRESSION FOR CRYPTO (Mok-Kong Shen)
Re: Factoring breakthrough? ([EMAIL PROTECTED])
Re: True Randomness & The Law Of Large Numbers (R. Knauer)
RSA Cryptography Today FAQ (1/1) ([EMAIL PROTECTED])
----------------------------------------------------------------------------
From: <[EMAIL PROTECTED]>
Subject: Re: Algorithms where encryption=decryption?
Date: Mon, 03 May 1999 11:31:48 GMT
In article <[EMAIL PROTECTED]>,
Anne Veling <[EMAIL PROTECTED]> wrote:
>Emmanuel BRESSON wrote:
>>
>> Anne Veling wrote:
>>
>> > Or f(x)=1/x (not so useful for encryption)
>>
>> Why not ??? It works perfectly (computing modulo n, of course)
>> Emmanuel
>
>Because division of integers yields reals from time to time.
>
>If my message is 4 (modulo 5) and I use 1/x for encryption, then what is
>the encrypted message? 1/4=0.25 modulo 5??
Well, if you define y = 1/x to be that y that makes x*y = 1, then:
y = 1/4 mod 5 means 4*y = 1 mod 5
and such a y does exist -- 4. So:
4 = 1/4 mod 5
The reason this is not real useful for encryption is that it is rather
easy to compute by an attacker. Even if he doesn't know the modulus,
a few plaintext/ciphertext pairs will allow him to compute it.
>According to the latest official figures, 43% of all statistics are
>totally worthless.
Actually, that statement makes it officially 44% :-)
--
poncho
------------------------------
From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: AES
Date: Fri, 07 May 1999 22:39:51 -0600
In article <[EMAIL PROTECTED]>, William Hugh Murray
<[EMAIL PROTECTED]> wrote:
> This is a multi-part message in MIME format.
> --------------AA628054C29A7C879F30D1A4
> Content-Type: text/plain; charset=us-ascii
> Content-Transfer-Encoding: 7bit
>
> wtshaw wrote:
> > DES has proven to be in these days, still a moderately useful cipher, some
> > semifirm ground; now the problem is to extract from it what is more solid
> > and what is more liquid: I maintain that the lessons of DES are not fully
> > learned, and we may still harvest something good out of it if we can trim
> > away at the rotten parts, which I am expressly trying to do to the
> > complaints of the multitudes.
>
> Moderately useful? After more than twenty years, the cost of attack as
> a function of the cost of encryption is exactly where it was when DES
> was announced. I would suggest that that is a very useful cipher. I
> would suggest that that is a timeless cipher. Until that ratio begins
> to fall, I can continue to make good use of that cipher.
We are spliting hares (I say that because of a rabbit that I dressed out a
couple of days ago). It's hard to find middle ground these days...so on a
scale of 1 to 10, perhaps still 8+. Ritter would not like the use of
numbers; saying *moderate* was an attempt to satisfy calling it good but
declining, as in it used to be a 10 for some. I disliked it at its
beginning, including some of the same reasons it is falling into disfavor
with others these days. Some of the very things I am now saying were old
thoughts with me when I read of DES in the original Scientific American
article.
Other ciphers appear less attackable. As for me, I'll go with them now.
--
What's HOT: Honesty, Openness, Truth
What's Not: FUD--fear, uncertainty, doubt
------------------------------
From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Thought question: why do public ciphers use only simple ops like shift
and XOR?
Date: Fri, 07 May 1999 22:58:17 -0600
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (John Savard) wrote:
> [EMAIL PROTECTED] (D. J. Bernstein) wrote, in part:
>
> >Once again: What do you do when the attacker notices that most of the
> >amateur designs incorporated into your system are vulnerable to simple,
> >easily automated differential attacks?
>
> I don't think Terry Ritter is claiming he can turn a sow's ear into a
> silk purse. One does have to start with ciphers that are _not_ already
> known to be weak.
>
> He is more optimistic about being able to find sufficiently strong
> ciphers in the required quantity. I think that there are conditions
> under which such optimism is justified: but I don't deny that this
> point needs to be addressed.
>
I'm again in the business of trying to define moderately good ciphers.
Yes, surely it is easy to tell that ROT13 need not be on a routine cipher
list as it is easily recognized. It should be easy to determine that
certain ciphers cannot be broken with a single message, even if we
recognize that they could not handle lots of traffic with one key.
What is sufficiently strong is rather subjective as well, depending on the
use you want.
On getting to a plan for multicipher encryption, it is neither a good nor
a bad idea in itself as it depends on addition details.
I rather like Ritter's idea of including some public-key in the mix, but
none of this appeals to the fanatics that seek to find a sole algorithm to
worship. The in-house solution to the possibility of failure of continued
resistance to attack is to offer a pantheon of demi-god terracotta
algorithms to appeal to individual tastes while keeping them all store
under a roof that may leak, more or less.
--
What's HOT: Honesty, Openness, Truth
What's Not: FUD--fear, uncertainty, doubt
------------------------------
From: ALF <[EMAIL PROTECTED]>
Crossposted-To: alt.wired,aol.misc,alt.activism
Subject: ALF'S PRIVACY MAIL DROP
Date: Fri, 07 May 1999 22:48:44 -0700
This is a multi-part message in MIME format.
==============4C6045BF1FDA
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
--
__/ __/ __/ __/ __/ __/ __/ __/ __/ __/ __/ __/
ALF'S PRIVACY MAIL DROP
http://members.theglobe.com/lost471/md.htm
__/ __/ __/ __/ __/ __/ __/ __/ __/ __/ __/ __/
==============4C6045BF1FDA
Content-Type: text/html; charset=us-ascii; name="alfmd2.htm"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="alfmd2.htm"
Content-Base: "http://members.theglobe.com/lost471/al
fmd2.htm"
<BASE HREF="http://members.theglobe.com/lost471/alfmd2.htm">
<HTML>
<HEAD>
<TITLE>ALF'S PRIVACY MAIL DROP</TITLE>
<META HTTP-EQUIV=REFRESH CONTENT="1500;
URL=http://www.theglobe.com/login/logout.taf?src=hp"></HEAD>
<BODY BGCOLOR=WHITE TEXT=BLACK LINK=BLUE VLINK=PURPLE><SCRIPT LANGUAGE="JavaScript">
<!-- hiding
var remoteWin = null;
var popup_url =
"http://adpop.theglobe.com/popup/default.ad?ord=28492&username=lost471";
if (self.parent.frames.length == 0){
self.name="preview";
}
function popup_hp_ad() {
remoteWin = window.open(popup_url, "ad_popup",
"toolbar=0,location=0,directories=0,status=0,menubar=0,scrollbars=0,resizable=0,width=626,height=130");
}
popup_hp_ad();
// End of hiding -->
</SCRIPT>
<noscript>
<CENTER>
<TABLE WIDTH="468" HEIGHT="60"><TR><TD>
<A
HREF="http://ad.doubleclick.net/jump/www.webgenesis.com/hppopup/;sz=468x60;ord=27099">
<IMG
SRC="http://ad.doubleclick.net/ad/www.webgenesis.com/hppopup/;sz=468x60;ord=27099"
WIDTH="468" HEIGHT="60" BORDER="0"></A>
</TD></TR></TABLE>
</CENTER>
</noscript>
<CENTER><TABLE BGCOLOR=yellow BORDER=10 CELLSPACING=2 CELLPADDING=2><TR><TH>
<a href="http://members.theglobe.com/lost471/md.htm">
<img src="http://members.theglobe.com/lost471/md2.gif" alt="ALF'S PRIVACY MAIL
DROP"></table>
<a href="http://members.theglobe.com/lost471/md.htm">Click Here for Web
Site</a></center>
</BODY>
</HTML>
==============4C6045BF1FDA==
------------------------------
From: [EMAIL PROTECTED] (Francois Grieu)
Subject: Re: Roulettes
Date: Fri, 07 May 1999 10:38:02 +0200
Mok-Kong Shen <[EMAIL PROTECTED]> wrote
> > you can get N-sided dice for
> > various N including N=4, 6, 8, 10, 12, 20, etc.
> > Of course N=6 is the easiest to find. N != 6 is mostly
> > used for role playing games like Dungeons and Dragons.
>
> But according to mathematics there exist exactly 5 regular polyhedra:
> tetrahedron, hexahedron, octahedron, dodecahedron and icosahedron.
One can make an "N-dice" for any N>2 (for N=2, use a coin). The section of
the thing by an horizontal plane is a regular N-gon inscribed in a circle
of diameter 1-z*z/9 inch for |z|<3 inch.
This "N-dice", when held vertical, is 6 inch tall and about 1 inch in
diameter. It will fall horizontaly on one of it's N identical faces.
Francois Grieu
------------------------------
From: [EMAIL PROTECTED] (Damian Weber)
Subject: Re: Shamir's TWINKLE Factoring Machine
Date: 6 May 1999 11:24:00 GMT
In article <7gqqb2$e32$[EMAIL PROTECTED]>,
David A Molnar <[EMAIL PROTECTED]> writes:
> [EMAIL PROTECTED] wrote:
>> Could there be mathematical advances which make the matrix problem for
>> the discrete-log problem equivalent to the factoring one?
> Where exactly does the "more difficult" lie? does it have to do with
> the fact that discrete log algorithms require so much more space?
it has to do with solving matrix equations mod large primes
instead of mod 2.
> I want to say that the difference between the two is that we have a notion
> of "smoothness" for primes, but no corresponding notion for discrete logs,
> and therefore end up having to build a much larger table of discrete logs
> than possible L(something)-smooth primes. Unfortunately I think I need to
> go sit down and look at the algorithms again to pin that down.
No, the smoothness notion refers to the relation collection
stage of modern factoring and index calculus algorithms which
is similar for both problems.
-- Damian
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Shamir's Announcement
Date: Fri, 07 May 1999 11:34:42 +0200
I like to forward a post which I have just received from another
group and which might be of some relevance to this thread.
M. K. Shen
=========================================
"Vladimir Z. Nuri" wrote:
> there is a huge buzz around a new paper
> by Shamir of the 'S' in RSA cryptography..
> it's called "twinkle" and would be used for
> code breaking.. "light based".. I just read
> Peter Hines' paper on using interference to
> create gates and I wonder if there is some
> similarity..
My paper? I don't know what you mean, Vlad ... there must be some
mistake.
However, group members may be interested in the following work that was
posted anonymously here:
http://www.bangor.ac.uk/~iss06b/paper.ps
and the associated diagrams for it,
http://www.bangor.ac.uk/~iss06b/diagrams.ps
I've had a look at Shamir's paper, and there doesn't seem to be that
much
similarity, apart from the general idea of using optical computing
systems.
As far as the anonymous paper goes, it's about using interference to
create
logic gates, and using the principle of reversibility of light to solve
the
inverse problem (i.e. given a logical expression, what initial
conditions
will make it true?). I guess that's the SAT problem.
Personally, I'm not sure I'm convinced about the reversibility sections
- I
can't help thinking there's some missing steps. Any comments anyone?
Best wishes,
Peter
--
============
P.M.Hines [EMAIL PROTECTED]
------------------------------
From: [EMAIL PROTECTED] ()
Subject: Re: Triple DES cracked? NYT says so...
Date: 5 May 99 04:11:55 GMT
John Myre ([EMAIL PROTECTED]) wrote:
: If I'm right about the 3DES mode being the subject, the reference
: could be to "Cryptanalysis of the ANSI X9.52 CMCM Mode" at
: http://www.cs.technion.ac.il/!biham/publications.html
>From your post, and some of the others, it appears to be quite definitely
true that you are right. I saw this article as a "related item" to others
I was looking up, and didn't realize it was several months old.
John Savard
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: BEST ADAPTIVE HUFFMAN COMPRESSION FOR CRYPTO
Date: Mon, 03 May 1999 18:47:35 +0200
SCOTT19U.ZIP_GUY wrote:
> Know to beat a dead horse. Take any file "A" uncompress it get a
> file "B". Take this file "B" compress it file "C". Then the method
> to compress decompress is suitable for use with encryption if "A" = "C".
> That is assuming the method used actually compresses text. Look
> at my website. Can you even write C code or not? I am truely
> sorry the concept is to difficult for you to understand.
First, we were discussing the use of an EOF symbol, say, #. I claim that
one can use your program OR any correct compression program to process
a user file to which such a symbol is added to its end. Can we
do it or not? If yes, then what has you argument of A = C have
to do with the functionality of EOF? The point is only whether
the introduction of an EOF is advantageous or not. Adding an EOF
would never cause a correct compression program to be incorrect!
Second, I believe I can code C sufficiently well. But you want me to
read you code, or what? Let me remind you that I am not in US and I am
not supposed (and I don't like) to break the law to illegally fetch
crypto codes from US, be these yours or others. A minor point is that
it is no fun to read any C code from other people unless that is well
documented. (And your 16u, for example, is apparently not well
documented.)
M. K. Shen
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Factoring breakthrough?
Date: Sat, 08 May 1999 12:05:33 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:
>
>
> lcs Mixmaster Remailer wrote:
>
> > Paul Rubin <[EMAIL PROTECTED]> wrote:
> > > Oh what the heck. I've heard it is based on work that Prof. Shamir
> > > presented at the Crypto 97 rump session, where you'd stack up 1000's
> > > of sheets of photographic film and see where the dots lined up. Kind
> > > of reminiscent of Zygalski's perforated sheets used for breaking
> > > Enigma ;-). I don't remember details from the Crypto talk though.
> >
> > Here are my notes from that talk:
> >
> > The idea is to break 40 bit DES using film as an analog computer.
> > Photographic film can hold 2^30 pixels per square inch, so 10 yards
> > of 70 mm movie film could hold 2^40 pixels.
> >
> > Treating pieces of such film as long, 2^40 bit "registers", certain
> > logical operations can be performed on them using photographic techniques.
> > Negating a register can be done by taking the photographic negative of
> > the film. NOR is done by stacking multiple strips of film and exposing
> > through them. NAND is a double exposure (first expose through one,
> > then expose through the other). XOR is a combination of these.
> >
>
> etc.....
>
> This looks a lot like some of the Lehmer's machines for sieving. Using logical
> rather than arithmetic operations.
>
More likely a holographic recognition would cover more of the space
"instantaneously", requiring only a one-time computation which could
be ongoing if the film was "dynamic". But there are limitations even
for this.
For example:
http://www.erc.caltech.edu/~psaltis/research/steckman/correlators/
Analog gives infinite precision, but limited accuracy.
Management of such dualisms is somewhat embarassing.
============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: True Randomness & The Law Of Large Numbers
Date: Sat, 08 May 1999 12:39:52 GMT
Reply-To: [EMAIL PROTECTED]
On Fri, 7 May 1999 12:47:02 GMT, [EMAIL PROTECTED] wrote:
>You need to actually calculate the probable error distribution for the
>sample at hand. 20,000 single bit samples or one 20,000 bit sample.
>Your choice. Assume perfect generators. I claim that the error
>distribution for sample bit bias versus population bit bias is identical
>either way.
Certifying the security of a TRNG will depend on its intended use. If
all you ever intend to use it for is to generate one key of length
1,000 bits, then the security requirements are far less stringent than
if you intended to use it to calculate 10,000 such keys.
In financial calculations of the "Value At Risk" (VAR), one first
selects the time horizon for the financial instrument under
consideration. If that is a 90-day holding, e.g. a short term treasury
instrument, then there are approximately 60 trading days to be
considered - so your simulation would entail a time series of 60
points. If the holding is for 1 year, then the time series is
concommitantly longer - and a different set of parameters is obtained.
If a Structured Monte Carlo method is used to solve the VAR problem
then it can require something like 10,000 individual times series
obtained at random, each simulating the day-by-day risks of holding a
given position.
The upshot is that you must test your TRNG multiple times using a key
of proper length for intended usage. Here the term "multiple times"
could be as high as 10,000 times to do a proper analysis. That means
that if, for example, you intend to generate 10,000 bit keys
(typically two pages of ASCII with no compression), then to
characterize the distrubution of those keys from a TRNG, you might
need to take 10,000 keys for the test.
Maybe in that instance 10,000 keys is an overkill - but whatever that
number is, it is certainly not 1. If you think 1-bit bias adequately
characterizes a TRNG process for the purposes of secure crypto, then
go ahead and run the FIPS-140 Monobit Test, but at least run it enough
times under varying circumstances so that you can see a decent
distribution, from which you can then infer the 1-bit bias
characteristic of the TRNG.
Using the Monobit Test only once has no theoretical justification.
Claiming that you are measuring 20,000 samples of a single bit has no
meaning in terms of modeling the TRNG. What you want to do is to
characterize the overall generation process, not a single bit
operation (unless you plan on sending only 1-bit messages). You want
to see how the TRNG behaves for 10,000 bit keys, not 1 bit keys.
So you must generate many 10,000 bit keys until you have a
sufficiently large sample of such keys. Maybe 1,000 such keys is
enough to get a distribution which will let you know with reasonable
certainty that the TRNG will generate crypto-secure 10,000 bit keys.
Any one 10,000 bit key can be anomolous - that is what Feller and Li &
Vitanyi have been trying to tell you. Therefore you cannot use just
one time average from a single sequence to infer anything about the
ensemble average. You have to create a distribution of such sequences
from which you obtain a distribution which in turn you may be able to
sue to infer the characteristics of the ensemble and therefore the
process itself.
Relying on a single-sample test is snake oil.
> Prove me wrong.
How could anyone ever hope to do that - because in your mind you are
always right.
>Show your work.
True Randomness is a meta-mathematical issue - one which most
statiticians and cryprographers won't touch with a 100 foot barge pole
(even Bruce Schneier shuns it in his main book, and he is a physicist
too). There is no "work" to show in the traditional sense of formal
mathematical proofs.
But the honest statiticians I have read admit that random number
generation is a very serious issue - one that cannot be trivialized
away with simplistic arguments. And now that quantum computation is on
the horizon - and since it promises to be able to compute True Random
Numbers - it is a whole new ball game in terms of what is meant by
true randomness in a meta-mathematical sense.
Bob Knauer
"There is much to be said in favour of modern journalism. By giving us the opinions
of the uneducated, it keeps us in touch with the ignorance of the community."
-- Oscar Wilde
------------------------------
From: [EMAIL PROTECTED]
Crossposted-To:
talk.politics.crypto,alt.security.ripem,sci.answers,talk.answers,alt.answers,news.answers
Subject: RSA Cryptography Today FAQ (1/1)
Date: 8 May 1999 12:48:52 GMT
Reply-To: [EMAIL PROTECTED]
Archive-name: cryptography-faq/rsa/part1
Last-modified: 1997/05/21
An old version of the RSA Labs' publication "Answers to Frequently Asked
Questions about Today's Cryptography" used to be posted here until May
1997. These postings were not sponsored or updated by RSA Labs, and
for some time we were unable to stop them. While we hope the information
in our FAQ is useful, the version that was being posted here was quite
outdated. The latest version of the FAQ is more complete and up-to-date.
Unfortunately, our FAQ is no longer available in ASCII due to its
mathematical content. Please visit our website at
http://www.rsa.com/rsalabs/ to view the new version of the FAQ with your
browser or download it in the Adobe Acrobat (.pdf) format.
RSA Labs FAQ Editor
[EMAIL PROTECTED]
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
