Cryptography-Digest Digest #789, Volume #9       Mon, 28 Jun 99 01:13:03 EDT

Contents:
  Re: one time pad ([EMAIL PROTECTED])
  Re: Hamming Weight ([EMAIL PROTECTED])
  Re: Hamming Weight (Jim Gillogly)
  Re: The One-Time Pad Paradox (Jim Gillogly)
  Re: New version of free disk encryption product for NT (with Scramdisk support) (Limo Narkey)
  Re: one time pad (David A Molnar)
  Re: one time pad (David A Molnar)
  Re: one time pad (Jim Gillogly)
  Re: The One-Time Pad Paradox ("Robert C. Paulsen, Jr.")
  Re: one time pad (D. J. Bernstein)
  Re: one time pad (David A Molnar)
  Re: The One-Time Pad Paradox (Charles Blair)
  Re: Moore's Trend (Christopher)
  Re: one time pad (Terry Ritter)
  Re: Bytes of "truly random" data for PRNG seed. (Terry Ritter)
  Re: determining number of attempts required (Keith A Monahan)

----------------------------------------------------------------------------

Date: Sun, 27 Jun 1999 07:12:57 -0400
From: [EMAIL PROTECTED]
Subject: Re: one time pad

I plead complete ignorance, but am interested in an update.  What work
needs to be done?

David A Molnar wrote:
> 
> [EMAIL PROTECTED] wrote:
> 
> > No.  This issue may belong in the FAQ.  The secure channel may have
> 
> By the way, is there a project underway to update the crypt
> cabal FAQ ? I remember seeing some discussion of this, but
> wasn't following it closely enough.
> 
> Thanks,
> -David Molnar

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Hamming Weight
Date: Sun, 27 Jun 1999 23:19:56 GMT

In article <7l672p$vra$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] wrote:
> What is a Hamming Weight and how does one calculate it?

Hamming weight is the number of different bits in two bit vectors.  It
is calculated by performing

(1) C = A xor B
(2) Count the 1 bits in C.

The result from #2 is the Hamming weight.  Normally one looks at the
Hamming weight to measure diffusion.  Ideally you want a rate of n/2 per
round (n is normally 32 bits for 64-bit Feistel ciphers).  This means
that half the bits change.  Now the tricky part is to get 'random' half
parts (i.e. not the same n/2 in each difference...).  If A and B are
truly random (or at least one of them) n/2 will occur most of the
time.  In ciphers where this is not true, attacks can be mounted.

Tom
--
PGP key is at:
'http://mypage.goplay.com/tomstdenis/key.pgp'.



------------------------------

From: Jim Gillogly <[EMAIL PROTECTED]>
Subject: Re: Hamming Weight
Date: Sun, 27 Jun 1999 16:58:43 -0700

[EMAIL PROTECTED] wrote:
> 
> What is a Hamming Weight and how does one calculate it?

It's the number of 1-bits in your data.  If your machine has a
"population count" instruction, that's the easiest way; a table
lookup or a shifting strategy may be the next best, depending on
your architecture.

One use is to determine how close your attempted plaintext is
to some actual known plaintext.

-- 
        Jim Gillogly
        Hevensday, 4 Afterlithe S.R. 1999, 23:55
        12.19.6.5.12, 3 Eb 20 Zotz, Fourth Lord of Night
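An added illustration of the two posts above (it is not code from either poster): population count by table lookup and by a shifting loop, Hamming distance as the weight of A xor B, the plaintext-closeness use Jim mentions, and the n/2-per-round diffusion measurement Tom describes, run over a constructed weak round and a well-mixing one. The MurmurHash3 finaliser is used only as a stand-in for a cipher round; the constant in `weak_round` is arbitrary.

```python
import random

# 8-bit population-count table: the "table lookup" strategy.
POPCOUNT8 = [bin(i).count("1") for i in range(256)]

def hamming_weight_table(x):
    """Number of 1-bits in x, one byte per table lookup."""
    count = 0
    while x:
        count += POPCOUNT8[x & 0xFF]
        x >>= 8
    return count

def hamming_weight_shift(x):
    """Number of 1-bits in x by clearing the lowest set bit each pass
    (a shifting-style strategy: one pass per set bit)."""
    count = 0
    while x:
        x &= x - 1
        count += 1
    return count

def hamming_distance(a, b):
    """Bits in which a and b differ: the weight of a XOR b (steps 1 and 2)."""
    return hamming_weight_table(a ^ b)

def plaintext_distance(candidate, known):
    """How close a guessed plaintext is to a known one, in differing bits."""
    assert len(candidate) == len(known)
    return sum(hamming_distance(c, k) for c, k in zip(candidate, known))

def avalanche(f, n_bits, trials, seed=1):
    """Mean Hamming distance between f(x) and f(x with one random bit flipped).
    A well-diffusing round should score about n_bits / 2."""
    rng = random.Random(seed)   # fixed seed so the figure is reproducible
    mask = (1 << n_bits) - 1
    total = 0
    for _ in range(trials):
        x = rng.getrandbits(n_bits)
        flipped = x ^ (1 << rng.randrange(n_bits))
        total += hamming_distance(f(x) & mask, f(flipped) & mask)
    return total / trials

def weak_round(x):
    """Constructed poor round: XOR with a constant, so one input bit
    changes exactly one output bit (distance 1, not n/2)."""
    return x ^ 0xA5A5A5A5

def mixing_round(x):
    """The 32-bit finaliser from MurmurHash3, standing in for a good round."""
    x &= 0xFFFFFFFF
    x ^= x >> 16
    x = (x * 0x85EBCA6B) & 0xFFFFFFFF
    x ^= x >> 13
    x = (x * 0xC2B2AE35) & 0xFFFFFFFF
    x ^= x >> 16
    return x

if __name__ == "__main__":
    print("weak round   :", avalanche(weak_round, 32, 2000))
    print("mixing round :", avalanche(mixing_round, 32, 2000))
```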

------------------------------

From: Jim Gillogly <[EMAIL PROTECTED]>
Subject: Re: The One-Time Pad Paradox
Date: Sun, 27 Jun 1999 16:59:59 -0700

Robert C. Paulsen, Jr. wrote:
> Please read _Between_Silk_and_Cyanide_ by Leo Marks.

I just got it from Amazon, and I'm finding it both informative
and hilariously entertaining.

-- 
        Jim Gillogly
        Hevensday, 4 Afterlithe S.R. 1999, 23:59
        12.19.6.5.12, 3 Eb 20 Zotz, Fourth Lord of Night

------------------------------

From: [EMAIL PROTECTED] (Limo Narkey)
Subject: Re: New version of free disk encryption product for NT (with Scramdisk support)
Date: Sun, 27 Jun 1999 23:02:32 GMT

[EMAIL PROTECTED] wrote:

>Not to be a pain, but can we have a link please?

It's here: http://www.e4m.net/

------------------------------

From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: one time pad
Date: 27 Jun 1999 23:36:51 GMT

[EMAIL PROTECTED] wrote:
[Question about updating crypt cabal FAQ]

> I plead complete ignorance, but am interested in an update.  What work
> needs to be done?

Logistically - I remember someone mentioning that the FAQ is
posted via an autoposting service hosted at rtfm.mit . This
is password-protected. Some way must be found around that. :-)

Content -- The list of references probably needs updating.
           The discussion of one-time pads could be 
           enlarged, especially since it keeps coming up.

           Personally, I would like to see sections on 
           provable prime generation, "strong primes",
           low-exponent attacks on RSA, the new
           P1363 standard, AES, and probably more.
It's been a while since I've closely read the FAQ, so
I'll go do that now. 

I'm asking about current efforts because I don't want
to duplicate efforts or step on anyone's toes. Also, 
there's the RSADSI FAQ out there now, and if that is
considered current and comprehensive enough
then perhaps it's best to point ppl to it.

Thanks,
-David Molnar


------------------------------

From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: one time pad
Date: 27 Jun 1999 23:47:55 GMT

David A Molnar <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] wrote:
> [Question about updating crypt cabal FAQ]

>> I plead complete ignorance, but am interested in an update.  What work
>> needs to be done?

> Logistically - I remember someone mentioning that the FAQ is
> posted via an autoposting service hosted at rtfm.mit . This
> is password-protected. Some way must be found around that. :-)

Oh - the FAQ mentions that the editors may be reached by
[EMAIL PROTECTED] . Hopefully this is still active.

Another thing which could be added : the section on hash 
functions makes no mention of SHA.

-David


------------------------------

From: Jim Gillogly <[EMAIL PROTECTED]>
Subject: Re: one time pad
Date: Sun, 27 Jun 1999 17:29:30 -0700

David A Molnar wrote:
> Oh - the FAQ mentions that the editors may be reached by
> [EMAIL PROTECTED] . Hopefully this is still active.

I suspect it's not.  I've been trying to get in some fixes
for years, and I think it hasn't changed for a very long time.
If somebody takes it over, please post an announcement to that
effect.

-- 
        Jim Gillogly
        Mersday, 5 Afterlithe S.R. 1999, 00:28
        12.19.6.5.13, 4 Ben 1 Tzec, Fifth Lord of Night

------------------------------

From: "Robert C. Paulsen, Jr." <[EMAIL PROTECTED]>
Subject: Re: The One-Time Pad Paradox
Date: Sun, 27 Jun 1999 20:05:49 -0500

Jim Gillogly wrote:
> 
> Robert C. Paulsen, Jr. wrote:
> > Please read _Between_Silk_and_Cyanide_ by Leo Marks.
> 
> I just got it from Amazon, and I'm finding it both informative
> and hilariously entertaining.
> 

I'm almost done. When I finish I'm going to experiment with poem codes
and WOKS.

Marks brought up one interesting topic having to do with security
checks. (Security checks are the unique ways agents modify their
messages and/or coding techniques to ensure they are indeed the author
of a message and not under duress when encoding it.) Marks devised a way
to pass (verbally, I believe) security checks to agents through a third
party in a way that the third party would not be able to reveal the
security check to anyone else. In a footnote he said he was told not to
reveal the technique even now, 50 years later!

-- 
____________________________________________________________________
Robert Paulsen                         http://paulsen.home.texas.net
If my return address contains "ZAP." please remove it. Sorry for the
inconvenience but the unsolicited email is getting out of control.

------------------------------

From: [EMAIL PROTECTED] (D. J. Bernstein)
Subject: Re: one time pad
Date: 28 Jun 1999 00:55:24 GMT

David A Molnar  <[EMAIL PROTECTED]> wrote:
> By the way, is there a project underway to update the crypt cabal FAQ ?

Yes.

---Dan

------------------------------

From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: one time pad
Date: 28 Jun 1999 01:30:58 GMT

Jim Gillogly <[EMAIL PROTECTED]> wrote:
> David A Molnar wrote:
>> Oh - the FAQ mentions that the editors may be reached by
>> [EMAIL PROTECTED] . Hopefully this is still active.

> I suspect it's not.  I've been trying to get in some fixes
> for years, and I think it hasn't changed for a very long time.
> If somebody takes it over, please post an announcement to that
> effect.

Yes, I received a bounce from them just now. 

I don't want to see more than one version of the same FAQ 
posted concurrently. It seems that this means gaining 
control of the autoposter or somehow turning it off. 

-David


------------------------------

From: [EMAIL PROTECTED] (Charles Blair)
Subject: Re: The One-Time Pad Paradox
Date: 28 Jun 1999 02:29:39 GMT

    If my adversary knows that, when my ciphertext looks 
like a non-gibberish possible plaintext, that I will generate
a new pad, I don't see how that helps him.

    There is a problem with the vagueness of ``non-gibberish
possible plaintext'' and ``looks like,'' but in any case I
think we're talking about very low-probability events.

    I don't know thermodynamics, but isn't it like the possibility
that all the gas molecules will migrate to one half of a room,
suffocating the occupants of the other half?

------------------------------

From: [EMAIL PROTECTED] (Christopher)
Subject: Re: Moore's Trend
Date: Sun, 27 Jun 1999 23:42:33 -0400

In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (John Savard) wrote:

_ [EMAIL PROTECTED] wrote, in part:
_ 
_ >I think 128-bit keys will be secure for more than a century or two.
_ >Note that they never said 56 bit keys were safe.  Even when they
_ >proposed DES they thought the key was too small.
_ 
_ Well, when DES was proposed, the people proposing it claimed that 56
_ bits was good enough; _others_, but yes, at that time, said the key
_ length was adequate. However, the most prominent objectors recommended
_ that we encrypt everything in RSA instead of using a conventional
_ cipher with a bigger key...
_ 
_ And there's no way of knowing that it will take a century before
_ quantum computers become practical.
_ 
_ Can anything, short of the OTP, resist a quantum computer? Is anyone
_ out there wrestling with this question (I'm trying to, but I confess I
_ don't quite have the equipment to grapple with it...).
_ 
_ John Savard ( teneerf<- )
_ http://members.xoom.com/quadibloc/crypto.htm

I know it's counter to the way things are done around here, but wouldn't
secret algorithms be the choice then?  Presuming of course both ends of
the link are secure so the code _cannot_ be examined.


------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: one time pad
Date: Mon, 28 Jun 1999 04:18:03 GMT


On Sun, 27 Jun 1999 11:04:31 -0600, in
<[EMAIL PROTECTED]>, in sci.crypt
[EMAIL PROTECTED] (Jerry Coffin) wrote:

>[...]
>Right now, we don't know any way of predicting when a radioactive atom 
>will decay -- as far as we know, it's entirely random.  On a 
>reasonable-sized statistical sample, we can predict with reasonable 
>accuracy how many will decay in a particular length of time, but still 
>have no idea about predicting when an individual one will decay.
>
>I believe Terry Ritter's point was that even though the problem 
>appears intractable right now (and has for some time) there's no way 
>to prove that nobody will ever be able to do so more accurately than 
>we can now.  

No, I had not considered new insights into radioactive decay, but I
suppose that would qualify as a possible weakness.  More likely would
be unnoticed problems in the detector, or other problems in the
overall design.  Maybe we can get some form of predictability in terms
of non-flat distribution in particular situations.  Maybe the physical
distribution of the radioactive material and its distance from the
detector is more important than it now seems.  Maybe the hardware
will age in a useful way.  Maybe the generator becomes nonrandom after
a power outage, or during a brownout, or when the AC fans are on.   A
whole design is involved, and there is just a lot more there -- and a
lot more to go wrong -- than a radioactive handwave would indicate.  


>[...]
>My observation has been that while Terry has a good basic point, it's 
>NOT particularly relevant to a lot of practical use: if you look 
>around at products that use encryption, and ways they've been broken, 
>it quickly becomes apparent that breaking the fundamental algorithms 
>is just about the last thing to worry about.

Yes, but practical strength never was my point.  My point is the
unjustified belief in OTP over every other cipher because of the
theoretical proof.  

I dispute that the theoretical OTP proof implies a proof for a
practical OTP.  I assert that there is no proof for a practical OTP
unless the pad can be proven or guaranteed "random" or "unpredictable"
in practice.  

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM


------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Bytes of "truly random" data for PRNG seed.
Date: Mon, 28 Jun 1999 04:18:37 GMT


On Sun, 27 Jun 1999 22:06:50 GMT, in <7l679l$vts$[EMAIL PROTECTED]>, in
sci.crypt [EMAIL PROTECTED] wrote:

>[EMAIL PROTECTED] (Terry Ritter) wrote:
>
>> Again, from my article:
>>
>> "Because an x^2 mod N generator generally defines multiple cycles with
>> various numbers of states, the initial value x[0] must be specially
>> selected to be sure that it is not on a short cycle (p. 377).
>[...]
>> I am aware by private communication of work investigating the
>> probability of short cycles.  This is also very complex, and I am
>> unaware of formal publication.  The implication is that we can avoid
>> cycle length checks at low risk, but I think that is almost a step
>> beyond what I would call "proven" strength:  Admittedly, any cipher
>> can be solved by guessing the key, which implies that we accept a tiny
>> probability of weakness in ciphers.  But it seems a little different
>> if we, by our own choice, have selected a short cycle for our
>> opponents to exploit, while still maintaining the delusion that our
>> generator is "proven" secure.
>
>Is anything wrong with the following argument?  It shows
>that under the assumption that factoring Blum integers is
>hard, short cycles are of no concern.
>
>The logic is that finding a cycle is as hard as finding a
>factor.  

I am not qualified to judge the argument about the probability of
short cycles, so I assume it is correct.  What I would call wrong is
what that means: 

I claim there is something wrong with a system which is supposedly
"proven" secure, in which we are required to choose a random x[0]
value, and our choice of that value can cause *in*secure operation.
Even though this is unlikely, if it is not actually impossible, there
can -- in my opinion -- be no "proof."  "Proof," to me, means that we
are logically compelled to a belief because absolutely *no*
alternative exists.  To me, "proof" does not mean that we are *almost*
compelled to belief because the alternative is unlikely.  

One option is to do the work necessary to find an appropriate x[0]
value which is on a long cycle.  Since this option exists, it seems
strange to call anything less "proven security."  And there may be
faster ways (than shown in BB&S) to assure that x[0] is on a long
cycle.   


>[...]
>We should always remember that the proof of security of
>BBS generator is only a "relative" proof; it depends on
>the intractability of factoring (Blum) integers.  One
>would certainly be correct to assert that the BBS
>generator has _not_ been proven secure in the open
>literature.

Some people may have a problem with that, and there may be a problem
with that.  But it is not my issue.  

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
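An added toy model of the point under discussion (not code from the thread or from BB&S): an x^2 mod N generator over a constructed small Blum integer, with a routine that measures which cycle a given x[0] lands on, a census of how many seeds fall on short cycles, and the "do the work to find an x[0] on a long cycle" check. Walking the cycle is only feasible because N is tiny; that cost is exactly what the thread is arguing about.

```python
from math import gcd
from collections import Counter

# Constructed toy Blum integer: both primes are congruent to 3 mod 4.
# A real generator would use primes of hundreds of digits.
P, Q = 7, 11
N = P * Q

def bbs_cycle_length(n, x0):
    """Length of the state cycle the seed x0 lands on.

    The first state x1 = x0^2 mod n is a quadratic residue, and squaring
    permutes the residues, so x1 is already on a cycle: the length is the
    number of squarings needed to return to x1."""
    if gcd(x0, n) != 1:
        # such a seed is unusable, and the gcd itself reveals a factor of n
        raise ValueError("seed shares a factor with N")
    x1 = pow(x0, 2, n)
    x, length = pow(x1, 2, n), 1
    while x != x1:
        x = pow(x, 2, n)
        length += 1
    return length

def bbs_bits(n, x0, count):
    """The generator's output: the low bit of each successive state."""
    bits, x = [], x0
    for _ in range(count):
        x = pow(x, 2, n)
        bits.append(x & 1)
    return bits

def cycle_census(n):
    """How many seeds coprime to n land on a cycle of each length.
    Enumerating every seed is only possible for a toy modulus."""
    return Counter(bbs_cycle_length(n, x0)
                   for x0 in range(1, n) if gcd(x0, n) == 1)

def seed_acceptable(n, x0, min_cycle):
    """Reject any x0 whose cycle is shorter than min_cycle (the 'do the
    work to find a long-cycle x[0]' option from the post above)."""
    return gcd(x0, n) == 1 and bbs_cycle_length(n, x0) >= min_cycle

if __name__ == "__main__":
    # For N = 77: four seeds sit on a fixed point and eight on a 2-cycle,
    # so a randomly chosen x[0] has a 1-in-5 chance of a short cycle here.
    print(sorted(cycle_census(N).items()))
    print(bbs_bits(N, 3, 8))
```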


------------------------------

From: [EMAIL PROTECTED] (Keith A Monahan)
Subject: Re: determining number of attempts required
Date: 28 Jun 1999 05:04:41 GMT

STL,

I remember your posts, too.

As embarrassing as this is, it was scenario 1.  I haven't had problems with
remembering ANY of my passwords over the last 15? years.  I went on a
few-week vacation and now forget the damn thing.  I can remember a large
portion of it but I can't remember which chars were in which order.

Since I've never had a problem before remembering the most obscure of
passwords, I didn't think twice about picking a tough one.

The speed at which I can try keys is actually pretty funny.  Since there is
no custom blowfish cracker, I'm stuck using the interface which I'm
given - which is BestCrypt NP.  BestCrypt takes input from the keyboard,
of course, for the password.  I have an RS-232 -> keyboard converter, which
I've attached to my Amiga 500, running a BASIC program that generates a
bunch of possible passwords and tries them.  The unfortunate part is that
the RS-232 -> keyboard box is only ONE way, and the Amiga gets ZERO feedback
from the other computer.... SO, I can only use time to tell the Amiga to 
enter a password, and to "press enter" at the "Password incorrect" dialog.

The target computer is definitely my local machine which I have 24/7 access
to.

Any other questions? :)  Can you add anything of help to my situation?

Thanks,

keith

S.T.L. ([EMAIL PROTECTED]) wrote:
: <<The password picked (by me, if you must know) was designed specifically
: to resist attacks :)>>

: I see several scenarios, increasingly interesting. I'd like to know which (if
: any!) are the case, actually.

: 1) You've encoded something important and have forgotten the exact key.
: However, certain details you stated about how fast you can try keys makes me
: think that the files are on some other computer, which you can't access.

: 2) You've given someone else guidelines to create a password (very, very
: unusual guidelines), and are now trying to crack it. Unlikely.

: 3) You picked a password to encode information, but have forgotten its exact
: contents AND are no longer allowed actual access to the encrypted data. This is
: the most interesting one.

: I'm getting really curious as to what you're trying to crack open! :-D

: -*---*-------
: S.T.L.  ===> [EMAIL PROTECTED] <===  BLOCK RELEASED!    2^3021377 - 1 is PRIME!
: Quotations:  http://quote.cjb.net  Main website:  http://137.tsx.org    MOO!
: "Xihribz! Peymwsiz xihribz! Qssetv cse bqy qiftrz!"  e^(i*Pi)+1=0   F00FC7C8
: E-mail block is gone. It will return if I'm bombed again. I don't care, it's
: an easy fix. Address is correct as is. The courtesy of giving correct E-mail
: addresses makes up for having to delete junk which gets through anyway. Join
: the Great Internet Mersenne Prime Search at http://entropia.com/ips/  Now my
: .sig is shorter and contains 3379 bits of entropy up to the next line's end:
: -*---*-------

: Card-holding member of the Dark Legion of Cantorians, the Great SRian
: Conspiracy, the Triple-Sigma Club, and the Union of Quantum Mechanics
: Avid watcher of "World's Most Terrifying Causality Violations", "World's
: Scariest Warp Accidents", and "When Tidal Forces Attack: Caught on Tape"
: Patiently awaiting the launch of Gravity Probe B and the discovery of M39
: Physics Commandment #2: Thou Shalt Conserve Mass/Energy In Closed Systems.

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
