Cryptography-Digest Digest #618, Volume #9       Sat, 29 May 99 16:13:03 EDT

Contents:
  Re: OTP Problems (Dan)
  Re:  8Bit encryption code. Just try and break it. (Squitter Shivwits)
  Re: OTP Problems (David A Molnar)
  Re: DSA (Digital Signature Standard) and the Schnorr Patents (Jerry Coffin)
  Re: Threatening SW ^besides^ Strong-Crypto (Aidan Skinner)
  Re: PGP Implementation of DH/DSS vs. RSA. (Bodo Moeller)
  Re: The BRUCE SCHNEIER Tirade (Geoff Thorpe)
  Re: NSA proves banks use poor crypto (Ronald Benedik)
  Re: The BRUCE SCHNEIER  Tirade (Steve Rush)
  Re: being burnt by the NSA ("Steven Alexander")
  Re: alt.timestamp (Helger Lipmaa)
  Re: Oriental Language Based Encryption (Aidan Skinner)
  Re: Review of Scottu19 (Aidan Skinner)
  Re: The BRUCE SCHNEIER  Tirade (John Kennedy)
  Re: The BRUCE SCHNEIER  Tirade (John Kennedy)
  Re: The BRUCE SCHNEIER  Tirade (John Kennedy)
  Re: DSA (Digital Signature Standard) and the Schnorr Patents ("Roger Schlafly")
  Re: The BRUCE SCHNEIER  Tirade (Sundial Services)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Dan)
Subject: Re: OTP Problems
Date: 29 May 1999 11:37:04 -0500

>Wait for the next shipment of key material, or switch to another cipher,
>or reuse portions of the key material in some way (and sacrifice
>unconditional secrecy in the process, if acceptable).

[snip]

>This problem can be solved quite easily.  (Re)synchronization can be
>achieved by transmitting in the clear the offset of key bits in the
>one-time pad.

Assuming the following scenario:

Bob meets Alice once a month and delivers to her a CD-ROM containing 
650MB of randomly generated data.  Each time Alice and Bob communicate,
the message of length n is sent, and is prefixed with offset y.  Starting
at offset y, using n bytes, the message is decrypted.

The problems with this are obvious:

i) Anyone duplicating the CD can read messages
ii) Any overlap in the keys will weaken the process

Ignoring the problems caused by (i), I wouldn't mind trying something of
the following nature.  Instead of prefixing the encrypted message with 
a single offset, prefix it with randomly generated n offsets.

In other words, instead of reading the key sequentially, you use the bytes
one at a time, in random order.  Your 650MB CD is suddenly capable of 
being used for a lot more than 650MB of messages.  However, this method
increases the size of the message being sent by 4 (assuming 32 bit offsets)
and is also much, much SLOWER.

>Nicol

Regards,

-Dan

------------------------------

From: Squitter Shivwits <[EMAIL PROTECTED]>
Subject: Re:  8Bit encryption code. Just try and break it.
Date: Sat, 29 May 1999 08:56:51 -1000

Phoenix <[EMAIL PROTECTED]> wrote:

> 8Bit encryption code. Just try and break it.

> Thanks for trying to break my code.  
> If you decrypt it ignore the contents of the 
> message it was typed awhile back.

> 5a0P|'pSҚ6& TUhwA

...snip

Since you posted binary ciphertext, it came out on my screen
with many square characters. So I can be sure I have a correct
copy of your ciphertext, please confirm that the hexadecimal
representation below is an accurate representation of the 
binary ciphertext you posted.

Once you confirm this, I will begin to break your code. 
Notice that most bytes are over 80, most left
nibbles are from 8 to F, and most right nibbles are
less than 8. This looks like it will be easy.


82b55182e1e13781b0d0fce1a79e5c825cf05a81d39252e19ab62482a6a05e81
d4a079e1d5e89c83f7e17d8291c15b8394b640e1d0f5fd81d4a04882c8a4fbe1
f6a66381d3927c82f499dee1b9957b81d3a23782c3e07e81a6e081e0a2ad82d4
846081d8859b81e8f8f881f92c7781f67d2281a098ca8283e148e1d5902482a0
5cd2827d46db83e1853ee1c5a42b819d46ee83b0e0f8e1d8a9728284964582d9
d5ade17df84f82d7d26582e5b5388182e62782a1d63282d6e52ce1f3882382b4
b29c82c7a27be1e0832182e9923083c8e12ee1b8a84582a6b6ca82d0a64982a4
c621e1d69e5d82a99059819d4665e1f7f2dc82c9c0ae8199a7bb8196e13782b6
b53882a87daa81b9a04d8298c5ba81b5f25181d392368383855981b1b72ce19e
e8db839690ac81c783cce1b8a8ad82a6e5fa81d4a058825c924ce1e07dab81d0
d1b981b088fd8198c02e8284c57d82a22c2f81a3a56a81c17d5982a8d2d28287
b5aa8112d72482d0d6af8293954482a2f2be8285b2dd81e8a0bc8198c07d815c
b67381a3a5238294b064815cb65483f5d57de1b7c124819d46cd8346e038e1d4
7d3882b6e43383b28544e1f49a4d81f5967d82f2e0fde1d0c63682b09e3f82a6
a06b8192a3cf829cc85882b9a55de1b0e16182d99e7883c6d59de1e692f88394
b6ba82d0a6cce1b29953e1b2c83b82b9a52d819af058e19c937082c0f0ab8287
9c52e1c4882782d2b0fa81e2e96081c9e42582f5d0fa81a0982781f0d2ba82e2
c57d81b2a4cee1d4d22783b4a23881c8f77ae1b0b2f883f8c5fb8291c1bde1c8
f279e1e2b57181c09d2882c1a89d8185a65081d4a0bf82e992d281e5b09b8193
e25982a7b6d28291f06081f2a67081a6e025819db07781e0a25082c8a4e1e32c
cb81c6962382a8d2fa8287b56782b0d5ce8199d67de1e07d5be1c4b72981a0f6
6c837d857de1f0c76981a0f67483c3e5d2e198b5ed8283e1cd82f5d08d8ae1e1
f7668296995182a6e56181874628825c922482a7e552e193d76082d4844083c5
90ebe1e8f3af8396e84682c9c06fe1b8a8ebe1d69e9f83d2b55a82b2a9f8e1b0
b23682c6d03e8284c5aae1d184af82d5a06f81e19a77e19ee82882a0c05b81e7
98f881d193d2829af5bf81b4a6ade1c6c04f8391f5ce81c3d52de194c42683e6
a6588291c163e1c7d6aee1d6d5bf81d2a5ce8382f66b81a2f5558d8a8d8a
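
The eyeball observations above (most bytes above 0x80, left nibbles mostly 8 to F, right nibbles mostly below 8) can be checked mechanically. The following is an added example, not code from the original post: it parses a hex dump of the kind posted, tolerating line breaks and whitespace, and reports the high-byte fraction, the nibble histograms and the byte entropy, so "this looks like it will be easy" becomes a number that can be compared against what a sound cipher would produce (about half the bytes at or above 0x80, nibbles spread evenly). `SAMPLE_HEX` is the first two lines of the posted dump; the remaining lines can be pasted in the same way.

```python
"""Byte- and nibble-distribution check for a hex-dumped ciphertext.

Added example (not from the original post).  SAMPLE_HEX is the first two
lines of the ciphertext posted above; everything else is generic.
"""
import math
from collections import Counter

SAMPLE_HEX = (
    "82b55182e1e13781b0d0fce1a79e5c825cf05a81d39252e19ab62482a6a05e81\n"
    "d4a079e1d5e89c83f7e17d8291c15b8394b640e1d0f5fd81d4a04882c8a4fbe1\n"
)


def parse_hex_dump(text: str) -> bytes:
    """Join a dump that may be wrapped over several lines; reject a copy with
    an odd digit count, which means the transcription is incomplete."""
    digits = "".join(text.split())
    if len(digits) % 2:
        raise ValueError("odd number of hex digits: the copy is incomplete")
    return bytes.fromhex(digits)  # also raises ValueError on non-hex junk


def entropy_bits(data: bytes) -> float:
    """Shannon entropy per byte; 8.0 is the maximum and means every byte
    value is equally frequent in the sample."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def nibble_profile(data: bytes) -> dict:
    """The statistics the post eyeballs, plus the per-byte entropy."""
    n = len(data)
    if n == 0:
        raise ValueError("empty sample")
    high = Counter(b >> 4 for b in data)
    low = Counter(b & 0x0F for b in data)
    return {
        "n": n,
        "frac_ge_0x80": sum(1 for b in data if b >= 0x80) / n,
        "frac_low_nibble_lt_8": sum(1 for b in data if (b & 0x0F) < 8) / n,
        "high_nibbles": dict(sorted(high.items())),
        "low_nibbles": dict(sorted(low.items())),
        "entropy_bits": entropy_bits(data),
    }


def looks_random(profile: dict, tol: float = 0.1) -> bool:
    """Crude verdict: output of a sound cipher has the top bit set in about
    half of all bytes and the low nibble below 8 in about half of them.
    Entropy is deliberately left out of the verdict because a 64-byte sample
    cannot reach 8 bits/byte even if it is perfectly random."""
    return (abs(profile["frac_ge_0x80"] - 0.5) <= tol
            and abs(profile["frac_low_nibble_lt_8"] - 0.5) <= tol)


if __name__ == "__main__":
    prof = nibble_profile(parse_hex_dump(SAMPLE_HEX))
    for k, v in prof.items():
        print(f"{k}: {v}")
    print("looks random:", looks_random(prof))
```

On the two posted lines the top bit is set in roughly four bytes out of five and the low nibble is below 8 in about three out of four, which is what the post describes; a sound cipher's output would sit near one half on both counts.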

------------------------------

From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: OTP Problems
Date: 29 May 1999 15:46:41 GMT

Dan <[EMAIL PROTECTED]> wrote:
> Ignoring the problems caused by (i), I wouldn't mind trying something of
> the following nature.  Instead of prefixing the encrypted message with 
> a single offset, prefix it with randomly generated n offsets.

> In other words, instead of reading the key sequentially, you use the bytes
> one at a time, in random order.  Your 650MB CD is suddenly capable of 
> being used for a lot more than 650MB of messages.  However, this method

Why does this let you get more than 650MB of messages? It seems like
you would still have to worry about what might happen if you ever 
re-used a key unit -- just because they aren't next to each other doesn't
mean that the system will be secure over time.

Although if you are expecting that sequential portions of your 650MB could
be compromised while the rest left secure, maybe this is a good idea.
In that respect this system sounds much closer to those cryptosystems which
work in a model with a computationally unbounded attacker who has 
some limited amount of storage; the "digitize the face of the moon" 
system mentioned in Applied Cryptography is an example. 

oh, and by sending the offsets in the clear instead of agreeing on 
them in advance, does this ensure that an adversary will immediately
notice re-used parts of the key ?
 
-David

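Dan's per-byte random offsets and David Molnar's two objections (reuse still happens, and cleartext offsets make it visible) can be put side by side in a small simulation. The following is an added example, not code from either post. It implements the scheme as described (each plaintext byte XORed with the pad byte at a randomly chosen 32-bit offset, all offsets sent in the clear), then plays the passive eavesdropper who reads only the traffic. The pad size and message sizes are constructed and tiny so the effect shows up immediately; the real proposal used a 650 MB CD-ROM, which only changes how many messages it takes.

```python
"""Random-offset one-time pad: reuse and what an eavesdropper learns from it.

Added example (not from the original posts).  PAD_SIZE is a constructed
stand-in for the 650 MB CD; os.urandom stands in for the courier.
"""
import os
import random
import struct
from collections import defaultdict

PAD_SIZE = 4096                 # constructed; the post's pad is 650 MB
OFF = struct.Struct("<I")       # 32-bit offsets, as the post assumes


def make_pad(size: int = PAD_SIZE) -> bytes:
    return os.urandom(size)


def encrypt(pad: bytes, msg: bytes, rng: random.Random) -> bytes:
    """Dan's scheme: byte i of the message is XORed with pad[offset_i], and
    the n offsets are sent in the clear ahead of the n ciphertext bytes."""
    offsets = [rng.randrange(len(pad)) for _ in msg]
    header = b"".join(OFF.pack(o) for o in offsets)
    body = bytes(m ^ pad[o] for m, o in zip(msg, offsets))
    return header + body


def split(ct: bytes):
    """Separate the cleartext offset header from the ciphertext body.
    Each body byte costs OFF.size header bytes, hence the 4x size overhead."""
    n = len(ct) // (OFF.size + 1)
    offsets = [OFF.unpack_from(ct, OFF.size * i)[0] for i in range(n)]
    return offsets, ct[OFF.size * n:]


def decrypt(pad: bytes, ct: bytes) -> bytes:
    offsets, body = split(ct)
    return bytes(c ^ pad[o] for c, o in zip(body, offsets))


def eavesdrop(ciphertexts):
    """Passive attacker with no pad: group ciphertext bytes by the offset
    announced for them.  Any offset seen twice gives c1 ^ c2 = m1 ^ m2."""
    seen = defaultdict(list)
    for ct in ciphertexts:
        offsets, body = split(ct)
        for o, c in zip(offsets, body):
            seen[o].append(c)
    reused = {o: cs for o, cs in seen.items() if len(cs) > 1}
    leaked = {o: cs[0] ^ cs[1] for o, cs in reused.items()}
    return reused, leaked


def expected_reused_pairs(total_bytes: int, pad_size: int = PAD_SIZE) -> float:
    """Birthday estimate of how many byte pairs land on the same key byte:
    C(total_bytes, 2) / pad_size.  Reuse becomes likely long before the
    pad is exhausted, so random offsets buy no extra safe capacity."""
    return total_bytes * (total_bytes - 1) / 2 / pad_size


def simulate(n_messages: int, msg_len: int, seed: int = 0,
             pad_size: int = PAD_SIZE) -> dict:
    """Send n_messages of msg_len random bytes, then let the eavesdropper
    report reuse; verify the leaked XORs against the true plaintexts."""
    rng = random.Random(seed)
    pad = make_pad(pad_size)
    msgs = [bytes(rng.randrange(256) for _ in range(msg_len))
            for _ in range(n_messages)]
    cts = [encrypt(pad, m, rng) for m in msgs]
    assert all(decrypt(pad, c) == m for c, m in zip(cts, msgs))
    reused, leaked = eavesdrop(cts)
    truth = defaultdict(list)  # plaintext bytes by offset, same order as seen
    for m, ct in zip(msgs, cts):
        offsets, _ = split(ct)
        for o, p in zip(offsets, m):
            truth[o].append(p)
    leak_correct = all(leaked[o] == (truth[o][0] ^ truth[o][1]) for o in leaked)
    return {
        "total_bytes": n_messages * msg_len,
        "distinct_key_bytes": len(truth),
        "reused_offsets": len(reused),
        "leak_correct": leak_correct,
        "expected_reused_pairs": expected_reused_pairs(n_messages * msg_len, pad_size),
    }


if __name__ == "__main__":
    for k, v in simulate(5, 1000, seed=1).items():
        print(f"{k}: {v}")
```

Two things the run shows that the posts argue over in prose: reuse is not a sequential-overlap problem but a birthday problem (about `C(T,2)/N` colliding pairs after `T` bytes against an `N`-byte pad), and because the offsets are public the attacker does not have to guess where reuse happened; the header tells them, and the XOR of the two ciphertext bytes is the XOR of the two plaintext bytes with no knowledge of the pad at all.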

------------------------------

From: [EMAIL PROTECTED] (Jerry Coffin)
Crossposted-To: talk.politics.crypto
Subject: Re: DSA (Digital Signature Standard) and the Schnorr Patents
Date: Sat, 29 May 1999 11:17:14 -0600

In article <7inuhl$hqf$[EMAIL PROTECTED]>, 
[EMAIL PROTECTED] says...
> Jerry Coffin wrote in message ...
> 
> > [discussion of  equivalents in patent law and fallibility of the courts
> snipped]

[ ... ] 

> On the subject of the DSA-related patents, there is no need to trust
> me or anyone else. The matter has been litigated.

Given that the majority of lower-court cases are overturned on appeal, 
this doesn't mean a whole lot until or unless the case has been run 
ALL the way through the system.

> In court, the owners
> of the Diffie-Hellman and Hellman-Merkle patents put forth an argument
> as to how those patents cover all digital signatures. Neither side was
> able to win on summary judgment.

This doesn't mean a whole lot -- summary judgement can only be granted 
if the entire case can be decided on legal grounds rather than on the 
facts.

> McLellan started this with a theory that the RSA and Schnorr patents
> somehow inhibited GAK. The theory makes no sense to me. The
> Schnorr patent had no impact on DSA. Even if it did, the GAK issue
> involves encryption keys, not signature keys.

...which, given a sufficiently ignorant jury, might be found to be 
equivalent.  I know of at least one fairly recent patent case in which 
the attorneys managed to keep everybody off the jury if they had ANY 
post-secondary education AT ALL.  Given a jury like that, I can see a 
smart attorney and/or "expert" witness convincing the jury that 
encryption and signing are equivalent.


------------------------------

From: [EMAIL PROTECTED] (Aidan Skinner)
Subject: Re: Threatening SW ^besides^ Strong-Crypto
Date: 29 May 1999 15:29:57 GMT
Reply-To: [EMAIL PROTECTED]

On Fri, 28 May 1999 00:42:42 +0100, Ray Girvan <[EMAIL PROTECTED]> wrote:

>everyone is obsessed with finding American secrets.  I think that 
>outside the US, most users are interested in crypto for simple 
>practical reasons: their own communications security.  The same 

Actually I'm interested in crypto so that I can bring the free world
under the heel of lucifer in a New World Order headed by the united
nations. ;)

- Aidan 
-- 
http://www.skinner.demon.co.uk/aidan/
Real men whistle ed commands at 300 baud into a can.

------------------------------

From: [EMAIL PROTECTED] (Bodo Moeller)
Subject: Re: PGP Implementation of DH/DSS vs. RSA.
Date: Sat, 29 May 1999 16:34:40 GMT

[EMAIL PROTECTED] (Bill Unruh):

> The quantum  break of factoring relies on the fact that if the modular
> log problem is solved then so is factoring. Thus if DH is broken by
> having solved the modular log problem, then you also have a way to break
> RSA.

Wrong.  Breaking DH by solving "the" modular log problem means being
able to compute logarithms modulo a prime  p,  while breaking RSA by
solving "the" modular log problem means being able to compute
logarithms modulo a composite number  n  without being given the factors
of  n.  That's not the same thing: if you can do the former, this does
not imply that you can also do the latter.  Shor's quantum computer
algorithm can handle both cases, but efficient discrete log algorithms
for non-quantum computers (if any are found) may rely on the modulus
being prime.
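
The reduction both posts refer to can be shown with small numbers. The following is an added example, not code from either post: it is the classical half of Shor's method, which factors `n` from the multiplicative order `r` of a random `a` modulo `n`. A discrete-logarithm oracle modulo the composite `n` supplies a multiple of that order (ask it for the logarithm of `a^x` for a large random `x` and subtract), which is exactly the step `order_mod` brute-forces here. An oracle that only computes logarithms modulo a prime `p` gives nothing of the kind for a composite `n`, which is Bodo Moeller's point; the code cannot show a non-implication, but it makes clear which modulus the oracle has to work with. Moduli are tiny so brute force suffices.

```python
"""Order-finding modulo a composite n gives its factors (Shor's classical step).

Added example (not from the original posts).  order_mod stands in for the
discrete-log / order-finding oracle; everything else is textbook.
"""
import random
from math import gcd


def order_mod(a: int, n: int) -> int:
    """Smallest r > 0 with a^r = 1 (mod n), by brute force.  This is the
    step a discrete-log oracle *modulo n* would do for us."""
    if gcd(a, n) != 1:
        raise ValueError("a must be coprime to n")
    x, r = a % n, 1
    while x != 1:
        x = x * a % n
        r += 1
    return r


def factor_from_order(n: int, a: int):
    """One attempt: if r is even and a^(r/2) != -1 (mod n), then
    a^(r/2) is a nontrivial square root of 1 and gcd(a^(r/2) - 1, n) is
    a proper factor.  Returns None when this base is unlucky."""
    g = gcd(a, n)
    if 1 < g < n:
        return g                       # a already shares a factor with n
    r = order_mod(a, n)
    if r % 2:
        return None                    # odd order: try another base
    y = pow(a, r // 2, n)
    if y == n - 1:
        return None                    # trivial square root of 1
    f = gcd(y - 1, n)
    return f if 1 < f < n else None


def factor(n: int, seed: int = 0, max_tries: int = 200) -> tuple:
    """Retry random bases until one splits n; returns the sorted pair.
    Raises ValueError if no base works, which is what happens for a prime:
    modulo a prime every a^(r/2) with a^r = 1 is -1, so no factor appears."""
    if n % 2 == 0:
        return (2, n // 2)
    rng = random.Random(seed)
    for _ in range(max_tries):
        a = rng.randrange(2, n - 1)
        f = factor_from_order(n, a)
        if f:
            return tuple(sorted((f, n // f)))
    raise ValueError(f"no base split {n}; it is probably prime")


if __name__ == "__main__":
    for n in (15, 21, 91, 221):
        print(n, "=", "*".join(map(str, factor(n))))
```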

------------------------------

From: Geoff Thorpe <[EMAIL PROTECTED]>
Crossposted-To: alt.privacy,talk.politics.crypto
Subject: Re: The BRUCE SCHNEIER Tirade
Date: Sat, 29 May 1999 13:28:46 -0400

Hi,

"SCOTT19U.ZIP_GUY" wrote:
> your death threat is a common response to idiots who are afraid to see
> the truth.

Boy did you just hit the nail on the head - of course I don't think you
said what you meant to say, but it was certainly an excellent mistake.
But perhaps you're afraid to see that truth also?

Cheers,
Geoff

------------------------------

From: Ronald Benedik <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: NSA proves banks use poor crypto
Date: Fri, 28 May 1999 19:00:00 +0200

> Er, what's the connection between encryption technology and Y2K?

Investment in new computer stuff. Implementing encryption costs money
for information tech, and fixing Y2K does too. That's shrinking the
profits.
Before liberalization of the capital markets there was no need for
encryption to protect against outside hostilities.
I don't think banks take the problem seriously. On the other hand, where's the
difference for a bank between a valid transaction and a faulty one? Banks,
like credit card companies, earn money in both cases.

------------------------------

From: [EMAIL PROTECTED] (Steve Rush)
Subject: Re: The BRUCE SCHNEIER  Tirade
Date: 29 May 1999 18:20:25 GMT

>>>I don't see anything wrong with asking why a true one time pad is
>>>supposed to be unusable.
>>
>>It's not supposed. It IS unbreakable provided the key
>>is random and only ever used once.
>
>Non sequitur. I asked why it's *supposed* to be _unusable_ and you
>reply that it *is* _unbreakable_.
>
>

Come on, people.  Dig into the archives and find Schneier's original statement.
 He never said that OTP is unusable, just that it is unsuited to mass-market
applications.

If you have a lot of traffic or stored data to encrypt, the requirement that
the key be as long as the message rules out OTP.  If you need to establish a
secure channel without having a secure (even if very low-bandwidth) channel to
begin with, OTP just doesn't work, but public-key systems do.

If you have secure data storage at both ends of the channel, can transfer the
key by trusted courier or equivalent, and need to encrypt a little traffic
whose content you can't predict when you send the key, OTP is the easiest
strong cypher to implement, but that's not a mass-market application.

How about taking this thread over to alt.flame?

**********************************************************************
If it's spam, it's a scam.  Don't do business with Net abusers.


------------------------------

From: "Steven Alexander" <[EMAIL PROTECTED]>
Subject: Re: being burnt by the NSA
Date: Sat, 29 May 1999 10:30:16 -0700

While this group is not meant for politics, people post here constantly
about the NSA.  Even if their post is about another topic, many people seem
to HAVE to get a comment in about the NSA.

-steven

Steve Sampson wrote in message <3EJ33.2336$[EMAIL PROTECTED]>...
>This group is not designed for politics, keep moving...
>
>[EMAIL PROTECTED] wrote
>>Who has actually been burnt by the NSA?  As far as I know they are so
>>secretive they don't exist.
>
>
>



------------------------------

From: Helger Lipmaa <[EMAIL PROTECTED]>
Crossposted-To: alt.config
Subject: Re: alt.timestamp
Date: Sat, 29 May 1999 19:08:08 +0000

[EMAIL PROTECTED] wrote:

> http://www.itconsult.co.uk/stamper.htm is one example.
>
> And I trust them *far* more than I trust dejanews...

You are correct.

Cf http://home.cyber.ee/helger/crypto/link/timestamp.html for pretty
exhaustive time-stamping link collection.

Helger
http://home.cyber.ee/helger



------------------------------

From: [EMAIL PROTECTED] (Aidan Skinner)
Subject: Re: Oriental Language Based Encryption
Date: 29 May 1999 15:18:34 GMT
Reply-To: [EMAIL PROTECTED]

On Fri, 28 May 1999 17:13:15 -0700, Markku J. Saarelainen
<[EMAIL PROTECTED]> wrote: 

>Has anybody ever applied Sun-Tzu practically to encryption...?

I suspect Sun-Tzu would recommend that you kill anybody who might be
interested in stealing information from you.

It's the only way to be totally sure.

- Aidan
-- 
http://www.skinner.demon.co.uk/aidan/
Real men whistle ed commands at 300 baud into a can.

------------------------------

From: [EMAIL PROTECTED] (Aidan Skinner)
Subject: Re: Review of Scottu19
Date: 29 May 1999 15:48:08 GMT
Reply-To: [EMAIL PROTECTED]

On Wed, 26 May 1999 20:26:13 GMT, SCOTT19U.ZIP_GUY
<[EMAIL PROTECTED]> wrote: 

>tool to help one write code. But only a modern lazy programmer would 
>blindly code without giving the underlying machine some serious thought.

So why isn't all of it in assembler?

>the proper control theory background or knowledge of what is happening at the
>machine level.

There is (usually) no need to know what is going on at a machine level. That is
why we have high level languages and operating systems.

>  Yes my program counts on the indianess of the machine but you must

What does "indianess" mean? I'll presume that you mean "endian".

Any decent programmer would have a boolean variable at {compile|run}
time to define the bit-ordering and, for the few functions that rely
on this, to provide alternatives for big and little endian
machines. No need for asm, no need for non-ANSI C, just a simple case
or if-else statement. 

>rats ass if the NSA can't get it to run fast on a CRAY using some stupid
>language like ADA. If you feel like good encryption is only good if it can be

Why is Ada stupid? And what does the American Dental Association have
to do with it?

>expressed by the inventor with complete and unambiguous schematics then
>you really only care about appearance and not reality.

No, we care more about security than performance. It seems, from
everything that you've said, that you care more about performance than
security. And in that case surely it's better to use a faster
encryption method like Rot-13? (To be even more secure you could use
Rot-13 twice)

>think something was documented. If you can't follow C and don't have a basic
>understanding of the PC then you may have trouble with my method. 

And you may have trouble porting to a non-x86 architecture.

- Aidan
-- 
http://www.skinner.demon.co.uk/aidan/
Real men whistle ed commands at 300 baud into a can.
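
The portability point Aidan makes (a boolean for the byte order, and alternatives for the few routines that depend on it) is easiest to see with a routine that actually breaks. The following is an added example, not code from the posts or from scott19u: a toy mixing round that loads its words with the host's byte order produces different ciphertext on big- and little-endian machines, and a big-endian host cannot decrypt what a little-endian host encrypted; the same round with the byte order fixed in the code gives identical results everywhere. Because one Python process runs on one real host, the two hosts are simulated by passing the order explicitly. The round itself is not a cipher and is constructed only to exercise additions and rotations, the operations that do not commute with a byte swap (pure XOR would hide the bug).

```python
"""Host-dependent versus fixed byte order in a toy cipher round.

Added example (not from the posts or from scott19u).  toy_round is a
constructed mixing step, not a real cipher.
"""
import sys

MASK = 0xFFFFFFFF


def load_u32(buf: bytes, off: int, order: str) -> int:
    return int.from_bytes(buf[off:off + 4], order)


def store_u32(x: int, order: str) -> bytes:
    return (x & MASK).to_bytes(4, order)


def rotl32(x: int, k: int) -> int:
    return ((x << k) | (x >> (32 - k))) & MASK


def rotr32(x: int, k: int) -> int:
    return ((x >> k) | (x << (32 - k))) & MASK


def toy_round(block8: bytes, key8: bytes, order: str) -> bytes:
    """Two 32-bit words a, b mixed with two key words.  Addition and
    rotation carry across byte boundaries, so the result depends on how
    the bytes were packed into words."""
    a, b = load_u32(block8, 0, order), load_u32(block8, 4, order)
    k0, k1 = load_u32(key8, 0, order), load_u32(key8, 4, order)
    a = (a + k0) & MASK
    b ^= rotl32(a, 7) ^ k1
    a = rotl32(a ^ b, 13)
    return store_u32(a, order) + store_u32(b, order)


def toy_round_inverse(out8: bytes, key8: bytes, order: str) -> bytes:
    a2, b1 = load_u32(out8, 0, order), load_u32(out8, 4, order)
    k0, k1 = load_u32(key8, 0, order), load_u32(key8, 4, order)
    a1 = rotr32(a2, 13) ^ b1
    b0 = b1 ^ rotl32(a1, 7) ^ k1
    a0 = (a1 - k0) & MASK
    return store_u32(a0, order) + store_u32(b0, order)


# What non-portable code does: whatever order the CPU happens to use.
def naive_encrypt(block: bytes, key: bytes, host_order: str = sys.byteorder) -> bytes:
    return toy_round(block, key, host_order)


def naive_decrypt(out: bytes, key: bytes, host_order: str = sys.byteorder) -> bytes:
    return toy_round_inverse(out, key, host_order)


# What portable code does: one documented order, independent of the host.
WIRE_ORDER = "little"


def portable_encrypt(block: bytes, key: bytes) -> bytes:
    return toy_round(block, key, WIRE_ORDER)


def portable_decrypt(out: bytes, key: bytes) -> bytes:
    return toy_round_inverse(out, key, WIRE_ORDER)


if __name__ == "__main__":
    blk, key = bytes(8), bytes.fromhex("0100000000000000")   # constructed
    for host in ("little", "big"):
        print(host, "host:", naive_encrypt(blk, key, host).hex())
    print("portable, any host:", portable_encrypt(blk, key).hex())
```

In C the equivalent of `WIRE_ORDER` is assembling words from bytes with shifts (or `ntohl`-style helpers) instead of casting a `char*` to `uint32_t*`; the cost is a few instructions per word, and the payoff is that the ciphertext, and therefore the cipher, means the same thing on every machine.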

------------------------------

From: [EMAIL PROTECTED] (John Kennedy)
Crossposted-To: talk.politics.crypto,alt.privacy
Subject: Re: The BRUCE SCHNEIER  Tirade
Reply-To: [EMAIL PROTECTED]
Date: Sat, 29 May 1999 19:19:47 GMT

On Fri, 28 May 1999 21:03:38 GMT, [EMAIL PROTECTED]
(John Savard) wrote:

>[EMAIL PROTECTED] (John Kennedy) wrote, in part:
>
>>I don't see anything wrong with asking why a true one time pad is
>>supposed to be unusable.
>
>The point is, though, his invention makes it "usable" by allowing a
>short key to encipher a lot of text. He may have a very secure stream
>cipher, but in general calling a stream cipher a "one-time pad" is a
>mark of snake oil, in the same way that hiding from the sun or not
>being visible in a mirror are the marks of a vampire.

I was responding to the statement:

"A true one-time pad is provably secure (against certain attacks), but
is also unusable." 

...attributed to Schneier.

It refers to a true one-time pad, not snake oil posing as one.

I do not have the full context, but a comment about a "true one-time
pad" which is "provably secure (against certain attacks)" does not
seem to be a comment on snake oil, nor do I follow why it is unusable.

>
>John Savard ( teneerf<- )
>http://members.xoom.com/quadibloc/index.html


--

John Kennedy

--

The causal world imposes a nonarbitrary distinction between detecting in one's visual
array the faint outline of a partly camouflaged stalking predator and not detecting it
because of alternative interpretative procedures. Nonpropagating designs are removed from
the population, whether they believe in naive realism or that everything is an arbitrary
social construction.

                            (Tooby and Cosmides, in _The Adapted Mind_, Barkow,
                            Cosmides and Tooby, editors)

=======

Best Anarchy Links:

David Friedman -> http://www.best.com/~ddfr/
Niels Buhl -> http://www.math.ku.dk/~buhl/
Billy Beck -> http://www.mindspring.com/~wjb3/promise.html
========


------------------------------

From: [EMAIL PROTECTED] (John Kennedy)
Crossposted-To: talk.politics.crypto,alt.privacy
Subject: Re: The BRUCE SCHNEIER  Tirade
Reply-To: [EMAIL PROTECTED]
Date: Sat, 29 May 1999 19:19:48 GMT

On 28 May 1999 08:56:31 -0400, [EMAIL PROTECTED] (Patrick Juola)
wrote:

>In article <[EMAIL PROTECTED]>,
>John Kennedy <[EMAIL PROTECTED]> wrote:
>>On Thu, 27 May 1999 22:49:34 -0400, "Brian Hetrick"
>><[EMAIL PROTECTED]> wrote:
>>
>>>Well, I'm not Bruce Schneier, but OTP systems are unusable in practice
>>>because the key size must be the same as the message size -- otherwise
>>>it's not an OTP -- and distributing the key requires a secure channel.
>>>Since you can securely distribute the key, it makes sense to use the
>>>same channel to securely distribute the message, and not bother with a
>>>key.  (Actually, there is a time dependency in there.  It is possible
>>>that the secure channel existed in the past, but not right at the
>>>moment; in that case, and in that case _alone_, it makes sense to use
>>>an OTP.)
>>>
>>
>>
>>Which is why one time pads have been, and presumably still are used.
>>
>>Which is why I was puzzled by the comment attributed to Schneier that
>>they are unusable.
>>
>>Yes, I understand that they are no replacement for public key
>>cryptography, but in the right situation they are possibly superior if
>>provably secure.
>
>
>But said right situation appears so infrequently as to be a practical
>definition of useless.  I'm more likely to need a triphibious automobile
>than an OTP.

A provably secure code could be very useful for a spy. 
>
>       -kitten


--

John Kennedy

--

The causal world imposes a nonarbitrary distinction between detecting in one's visual
array the faint outline of a partly camouflaged stalking predator and not detecting it
because of alternative interpretative procedures. Nonpropagating designs are removed from
the population, whether they believe in naive realism or that everything is an arbitrary
social construction.

                            (Tooby and Cosmides, in _The Adapted Mind_, Barkow,
                            Cosmides and Tooby, editors)

=======

Best Anarchy Links:

David Friedman -> http://www.best.com/~ddfr/
Niels Buhl -> http://www.math.ku.dk/~buhl/
Billy Beck -> http://www.mindspring.com/~wjb3/promise.html
========


------------------------------

From: [EMAIL PROTECTED] (John Kennedy)
Crossposted-To: talk.politics.crypto,alt.privacy
Subject: Re: The BRUCE SCHNEIER  Tirade
Reply-To: [EMAIL PROTECTED]
Date: Sat, 29 May 1999 19:19:46 GMT

On Fri, 28 May 1999 14:41:44 GMT, [EMAIL PROTECTED]
(SCOTT19U.ZIP_GUY) wrote:

>In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] 
>wrote:
>>On Fri, 28 May 1999 02:39:55 +0200, fungus
>><[EMAIL PROTECTED]> wrote:
>>
>>>
>>>
>>>Anthony Stephen Szopa wrote:
>>>> 
>>>> A true one-time pad is...  unusable?  Why:  because no one has shown how
>>>> it can be done yet?
>>>> 
>>>
>>>Very, very simple.
>>>
>>>A one time pad has a key which is a big as the message. If you
>>>can securely transmit the key to the other party then you obviously
>>>don't need cryptography - you could just send the message by the
>>>same route.
>>
>>Nope. You may pass the pad through a window that may not even exist at
>>the time you need a message transmitted.
>>
>>>
>>>> Let me begin by asking Mr. Schneier why the OTP is unusable?
>>>> 
>>>
>>>See above.
>>
>>I don't know what Schneier meant, but your point above is not valid.
>>
>>
>>
>
>  I think he meant don't use it since it is PROVABLY secure. A practical
>OTP would not be good for his bottom line. How would he convince people
>to pay large bucks for his systems if the only provably secure and I think
>unpatented system that any one could sell is an OTP. It would also make
>the work of his associates in the NSA have a harder time breaking things.
> But true it is bulky and hard to transmit since the key has to be passed in 
>advance.

Nope, I'm fully satisfied his intentions are honorable, but that
doesn't mean I can't question his judgement on a particular issue.


>
>
>
>David A. Scott
>--
>                    SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
>                    http://www.jim.com/jamesd/Kong/scott19u.zip
>                    http://members.xoom.com/ecil/index.htm
>                    NOTE EMAIL address is for SPAMERS


--

John Kennedy

--

The causal world imposes a nonarbitrary distinction between detecting in one's visual
array the faint outline of a partly camouflaged stalking predator and not detecting it
because of alternative interpretative procedures. Nonpropagating designs are removed from
the population, whether they believe in naive realism or that everything is an arbitrary
social construction.

                            (Tooby and Cosmides, in _The Adapted Mind_, Barkow,
                            Cosmides and Tooby, editors)

=======

Best Anarchy Links:

David Friedman -> http://www.best.com/~ddfr/
Niels Buhl -> http://www.math.ku.dk/~buhl/
Billy Beck -> http://www.mindspring.com/~wjb3/promise.html
========


------------------------------

From: "Roger Schlafly" <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: DSA (Digital Signature Standard) and the Schnorr Patents
Date: Sat, 29 May 1999 11:02:36 -0700

Jerry Coffin wrote in message ...
>> On the subject of the DSA-related patents, there is no need to trust
>> me or anyone else. The matter has been litigated.
>
>Given that the majority of lower-court cases are overturned on appeal,
>this doesn't mean a whole lot until or unless the case has been run
>ALL the way through the system.

The matter has been litigated all the way thru the system. It's done. The
issue is dead. There is no appeal pending. It is final. There is no dispute
about the matter. Am I making myself clear?

>> McLellan started this with a theory that the RSA and Schnorr patents
>> somehow inhibited GAK. The theory makes no sense to me. The
>> Schnorr patent had no impact on DSA. Even if it did, the GAK issue
>> involves encryption keys, not signature keys.
>
>...which, given a sufficiently ignorant jury, might be found to be
>equivalent.  I know of at least one fairly recent patent case in which
>the attorneys managed to keep everybody off the jury if they had ANY
>post-secondary education AT ALL.  Given a jury like that, I can see a
>smart attorney and/or "expert" witness convincing the jury that
>encryption and signing are equivalent.

There are ignorant judges, too. Most do not have any significant post-
secondary education in science or technology. Even on the Court of
Appeals for the Federal Circuit, which is essentially our highest
patent court, about 80% have no prior patent experience.

So lemme get this straight. You think that we do not have mandatory
GAK in the US because of the possibility that some clever lawyer
will convince a jury that the Schnorr patent covers all use of GAK
encryption? Have you looked at the Schnorr patent? It is a patent
on a very specific interactive smart card identification system. The
claims don't even mention GAK or encryption, or even signatures.
Say all you want about stupid judges and juries, but there are a *lot*
of patents out there that are more relevant to GAK encryption
than Schnorr's.




------------------------------

Date: Sat, 29 May 1999 12:58:39 -0700
From: Sundial Services <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Crossposted-To: talk.politics.crypto,alt.privacy
Subject: Re: The BRUCE SCHNEIER  Tirade

John Kennedy wrote:
> I was responding to the statement:
> 
> "A true one-time pad is provably secure (against certain attacks), but
> is also unusable."
> 
> ...attributed to Schneier.
> 
> It refers to a true one-time pad, not snake oil posing as one.
> 
> I do not have the full context, but a comment about a "true one-time
> pad" which is "provably secure (against certain attacks)" does not
> seem to be a comment on snake oil, nor do I follow why it is unusable.


Unusable in the sense that your local bank does not use a Sherman tank
to bring money to reload the local ATM.  While the tank is "provably
secure," certainly more secure than the armored cars (or even
pickup-trucks!) they DO use, it is not the most suitable tool for the
job.  Furthermore, your ATM is not located in a building with
fourteen-foot thick walls, even though such walls are "provably more
secure" than the walls of the grocery-store where it IS found.

The simple fact that a cryptosystem is theoretically-unbreakable does
not mean that it meets all of the other logistical requirements of the
job at hand.

Other cryptosystems do.  They do so at the theoretical expense of
unbreakability, but pose an acceptable compromise on that issue in the
eyes of their creators and users.  For example, that ATM uses either DES
or a more modern cryptosystem to securely exchange with the bank that
highly confidential information that it ... uh, ... prints out on the
little slip of paper that you forgot to take out of the slot yesterday. 
;-)  In the very unlikely event that you intercepted the communication,
it is known to be sufficient to prevent 99.99% (say...) of all people
who might intercept it from making timely use of it.  Which is the
objective of its use in that situation.

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
