Cryptography-Digest Digest #800, Volume #9 Tue, 29 Jun 99 13:13:02 EDT
Contents:
Re: Secure link over Inet if ISP is compromized. (Medical Electronics Lab)
Re: RSA and Diffie-Hellmann ([EMAIL PROTECTED])
Re: Hardware RNG description (Medical Electronics Lab)
Re: Secure link over Inet if ISP is compromized. (Casper H.S. Dik - Network Security Engineer)
Re: Secure link over Inet if ISP is compromized. (Sundial Services)
Re: one time pad ("Tony T. Warnock")
Re: trapdoor one way functions (Patrick Juola)
Re: A few questions on RSA encryption ([EMAIL PROTECTED])
Re: trapdoor one way functions ([EMAIL PROTECTED])
Re: PIII Random Number Generator? ([EMAIL PROTECTED])
Re: Windows9x Crypt Function (S.T.L.)
Re: Hardware RNG description ([EMAIL PROTECTED])
two questions ([EMAIL PROTECTED])
MP3 Piracy Prevention is Impossible ([EMAIL PROTECTED])
SSL Overhead ([EMAIL PROTECTED])
Re: How do you make RSA symmetrical? ("Anton Stiglic")
Re: How do you make RSA symmetrical? ([EMAIL PROTECTED])
Windows9x Crypt Function ("Andrew Whalan")
Re: Secure link over Inet if ISP is compromized. (Jim Felling)
Re: SSL Overhead (Patrick Juola)
Re: PIII Random Number Generator? (John Savard)
Re: one time pad (John Savard)
Re: Test Sorry (Gergo Barany)
Re: The One-Time Pad Paradox (John Savard)
Re: PIII Random Number Generator? (John Savard)
Re: Moores Law (a bit off topic) (Jim Felling)
----------------------------------------------------------------------------
From: Medical Electronics Lab <[EMAIL PROTECTED]>
Subject: Re: Secure link over Inet if ISP is compromized.
Date: Tue, 29 Jun 1999 09:15:40 -0500
Gene Sokolov wrote:
> How can public key cryptography be a solution here? Please read the original
> post again - *all* data is exchanged over what is assumed a compromised
> channel. If Alice sends Bob her public key or starts DH key exchange
> procedure, how does Bob know the data comes from Alice and not her
> compromised ISP?
A-->ISP-A----------ISP-B<--B is the data exchange link
A<--->B is the out of band key exchange link.
The key exchange can take place using a newspaper, or magazine ad.
A does not have to know who B is and vice versa, they just need to
be interested in what the other has to say. They can exchange
public keys "out of band" to help foil the man-in-the-middle
attack. If somebody wants to sell something, they want to publish
their key widely. The buyer may not want to do that.
Making one key exchange out of band is not too hard, but transferring
lots of data is. It may well be worth a phone call, a radio link
and a newspaper ad to make sure the key is what you think it is,
but that's kind of overkill.
It is safe to assume the internal links are compromised (read
about ECHELON) and the out of band links might be too. But as
long as A and B can be pretty sure they've got the other's public
key, the rest is secure (up to a point).
Patience, persistence, truth,
Dr. mike
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: RSA and Diffie-Hellmann
Date: Tue, 29 Jun 1999 14:48:26 GMT
In article <[EMAIL PROTECTED]>,
chicago <"gabriel. nock"@siemens.de> wrote:
> I'm searching for an implementation of RSA and Diffie-Hellmann...
> I only have a windows machine so i can't need a unix compressed
> file...
> and I didn't find anything in /ftp:...applied-crypto/pub...
> but where can i find it??
>
>
WINZIP can read .Z and .GZ files.
GZIP from www.gzip.org is available in source code and binaries for various
platforms.
Tom
--
PGP key is at:
'http://mypage.goplay.com/tomstdenis/key.pgp'.
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: Medical Electronics Lab <[EMAIL PROTECTED]>
Subject: Re: Hardware RNG description
Date: Tue, 29 Jun 1999 08:47:03 -0500
[EMAIL PROTECTED] wrote:
>
> I am printing off your paper. I might actually try it out (could be
> fun).
>
Glad to hear it worked for you. One person sent me e-mail saying
the link didn't work. So if anyone else has that problem, it may
be my ISP was down and you need to try again later. It also might
be a direct connect doesn't work, so go to
http://www.terracom.net/~eresrch and click on the /dev/null hyperlink.
That should download the postscript file.
It was definitely fun for me to build it. Took a long time to pass
all the stats tests, but we found lots of parameter space that gave
good results.
Patience, persistence, truth,
Dr. mike
------------------------------
From: [EMAIL PROTECTED] (Casper H.S. Dik - Network Security Engineer)
Subject: Re: Secure link over Inet if ISP is compromized.
Date: 29 Jun 1999 13:40:08 GMT
[[ PLEASE DON'T SEND ME EMAIL COPIES OF POSTINGS ]]
[EMAIL PROTECTED] (Keith A Monahan) writes:
>Absolutely. And keep in mind that the current version of IP does not allow
>for any sort of authentication of packets. And the ID and authentication
>of people accessing machines is low and easily compromised. The newer
>version of IP (v6) which I don't expect to be implemented for QUITE some time
>adds security built into the protocol.
IPsec can be used on top of both IPv4 and IPv6. (But implementing it
is only mandatory for IPv6 implementations)
Casper
--
Expressed in this posting are my opinions. They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.
------------------------------
Date: Tue, 29 Jun 1999 07:09:45 -0700
From: Sundial Services <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Secure link over Inet if ISP is compromized.
Gene Sokolov wrote:
>
> Let's assume that Alice and Bob both have dial-up Internet accounts. They
> want to establish a secure channel.
>
> Alice <--> ISP-A <--> Internet <--> ISP-B <--> Bob
>
> Do I understand this correctly, assuming that *all* their data is passed
> through ISP-A and ISP-B, there is absolutely no way to ensure secure
> communication between them if either of the ISP is controlled by the
> adversary? Alice and Bob would need another trusted channel to exchange data
> before secure Internet link can be established.
Actually, there -are- protocols (Diffie-Hellman, sp?) by which secrets
can be established between two parties using public links.
But the usual way that the need for a trusted-channel is avoided is
through the use of public-key cryptology. Alice obtains Bob's public
key and uses that key to send messages to Bob, who can decrypt them only
using his [secret] private key. He can also recognize if the message
has been tampered with. Various other protocols enable him to be
certain the message really did come from Alice.
It is prudent to assume that not only is the Internet channel insecure,
but that all messages sent through it (e.g. e-mail, news) are
intercepted and archived, either temporarily or for all time. Whether
or not that is actually true is irrelevant. You should use a
cryptosystem that will deter an attack for some time... and you STILL
shouldn't use the channel for traffic that you cannot tolerate ever
being decrypted.
------------------------------
From: "Tony T. Warnock" <[EMAIL PROTECTED]>
Subject: Re: one time pad
Date: Tue, 29 Jun 1999 08:09:17 -0600
Reply-To: [EMAIL PROTECTED]
William Tanksley wrote:
> On Mon, 28 Jun 1999 19:13:02 GMT, Greg Ofiesh wrote:
>
>
> >I agree so much with your statement on predicting radio active decay
> >that I would even bet my life on the proposition that we will never be
> >able to predict decay. And that is the first and (at this time) the
> >only thing I would be willing to bet my life on.
>
> That's one of the last things I would bet on. The hypothesis that quantum
> fluctuations are random is one of the weakest in science today; it's not
> backed by any theory with any predictive value.
>
Actually, quantum mechanics predicts quite well. The hypothesis that quantum
fluctuations are random is one of the strongest.
------------------------------
From: [EMAIL PROTECTED] (Patrick Juola)
Subject: Re: trapdoor one way functions
Date: 29 Jun 1999 10:34:35 -0400
In article <[EMAIL PROTECTED]>,
S.T.L. <[EMAIL PROTECTED]> wrote:
><<In the case of RSA you can
>find the private key by factoring the modulus and building the keys.
>If they work then voila. You would have to check out how they cracked
>RSA-140 and such cause I am not sure....>>
>
>Cracking RSA in the orthodox way always involves factoring the modulus: that is
>how they cracked RSA140 - using the General Number Field Sieve across a bunch
>of computers. There are thus two problems that would be nice to have solved:
>
>A) IS FACTORING INTRINSICALLY DIFFICULT? This question has plagued
>mathematicians for centuries.
>
>B) Even if factoring is hard, is there a way to break RSA that is easier than
>factoring?
>
>Most people conjecture that the answers to A and B are Hell Yes and No, in that
>order. :-D
Schneier claims somewhere in Applied Crypto -- no, I haven't verified
the claim myself, so I just present it as hearsay -- that there are
RSA variants that are *provably* as strong as factoring.
-kitten
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: A few questions on RSA encryption
Date: Tue, 29 Jun 1999 14:52:05 GMT
In article <7lahu5$ftl$[EMAIL PROTECTED]>,
Bob Silverman <[EMAIL PROTECTED]> wrote:
> Have people forgotten how to use the library?
My city library has books which are useless. People in my city fear
knowledge :)
Maybe I will have to check the Ottawa Library instead. I have never
seen any advanced book in my library (i.e. books that don't cover the
mating habits of earth worms...)
> I will be happy to answer any technical questions you might have that
> are beyond the scope of a standard reference. But your questions
> suggest that you have not yet done your homework. You lack a basic
> understanding of what RSA is and how it works.
One could always get the original RSA paper as a good starting point.
Getting books involves buying them. The problem which I have termed
lack-o-moola is of some relevance here...
Tom
--
PGP key is at:
'http://mypage.goplay.com/tomstdenis/key.pgp'.
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: trapdoor one way functions
Date: Tue, 29 Jun 1999 14:56:09 GMT
In article <[EMAIL PROTECTED]>,
Nicol So <[EMAIL PROTECTED]> wrote:
> So, what's the trapdoor information?
In the IFP the problem is factoring pq into p and q. Obviously knowing
p and q will allow you to compute the inverse of the public key (which
ever you gave out). That's the trapdoor.
In DLP the trapdoor is the exponent. It's not really a trapdoor
per se. If you know x then finding x is really simple... I think
there was a cryptosystem like
mg^x mod n
Obviously knowing x is of importance... I dunno... I am probably wrong,
but DL is certainly a one-way function.
Tom
--
PGP key is at:
'http://mypage.goplay.com/tomstdenis/key.pgp'.
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: PIII Random Number Generator?
Date: Tue, 29 Jun 1999 15:00:19 GMT
In article <[EMAIL PROTECTED]>,
Ed Yang <[EMAIL PROTECTED]> wrote:
> > How 'random' are these? Do you have a standard unit of measure of
> > 'randomness'?
> >
> > M. K. Shen
>
> Yes, the unit of measure is the "knauer", which is dimensionless,
> since it measures non-deterministic bits per bits available.
> The imaginary part of the knauer is called "true" and the real
> part is called "written". The complex conjugate of the knauer,
> when multiplied by the measured knauer value is called the
> size of the random string.
>
I like 'entropy' or H(M) myself... I have never heard of a 'Knauer'.
Are there any good online links/papers on it (sounds a bit vague to me).
Tom
--
PGP key is at:
'http://mypage.goplay.com/tomstdenis/key.pgp'.
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: [EMAIL PROTECTED] (S.T.L.)
Subject: Re: Windows9x Crypt Function
Date: 29 Jun 1999 15:30:08 GMT
<<I am looking to doing some research on some distributed networking and it
has come up that it would be an ideal situation to implement a brute force
cryptanalysis engine.>>
Hasn't that been done already? Distributed RC5 (Bovine! MOOOO!) cracking,
distributed DES stuff, distributed.net, etc.
Anyways, everyone knows that the best distributed-computing application is the
search for Mersenne primes.
-*---*-------
S.T.L. ===> [EMAIL PROTECTED] <=== BLOCK RELEASED! 2^3021377 - 1 is PRIME!
Quotations: http://quote.cjb.net Main website: http://137.tsx.org MOO!
"Xihribz! Peymwsiz xihribz! Qssetv cse bqy qiftrz!" e^(i*Pi)+1=0 F00FC7C8
E-mail block is gone. It will return if I'm bombed again. I don't care, it's
an easy fix. Address is correct as is. The courtesy of giving correct E-mail
addresses makes up for having to delete junk which gets through anyway. Join
the Great Internet Mersenne Prime Search at http://entropia.com/ips/ Now my
.sig is shorter and contains 3379 bits of entropy up to the next line's end:
-*---*-------
Card-holding member of the Dark Legion of Cantorians, the Great SRian
Conspiracy, the Triple-Sigma Club, the Union of Quantum Mechanics, the
Holy Order of the Catenary, and People for Ethical Treatment of Digital
Tierran Organisms
Avid watcher of "World's Most Terrifying Causality Violations", "World's
Scariest Warp Accidents", "When Tidal Forces Attack: Caught on Tape",
and "When Kaons Decay: World's Most Amazing CP Symmetry Breaking Caught
On [Magnetic] Tape"
Patiently awaiting the launch of Gravity Probe B and the discovery of M39
Physics Commandment #5: Thou Shalt Not Remain At Rest Inside An Ergosphere.
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Hardware RNG description
Date: Tue, 29 Jun 1999 15:07:25 GMT
In article <[EMAIL PROTECTED]>,
Medical Electronics Lab <[EMAIL PROTECTED]> wrote:
> Glad to hear it worked for you. One person sent me e-mail saying
> the link didn't work. So if anyone else has that problem, it may
> be my ISP was down and you need to try again later. It also might
> be a direct connect doesn't work, so go to
> http://www.terracom.net/~eresrch and click on the /dev/null hyperlink.
> That should download the postscript file.
The problem was the '.ps' part of the link was not highlighted in the
HTML markup. Make sure you keep links on the same line or the browser
will not recognize it.
Well I am not much of a techy but I did read the paper. Well done!
Tom
--
PGP key is at:
'http://mypage.goplay.com/tomstdenis/key.pgp'.
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: [EMAIL PROTECTED]
Subject: two questions
Date: Tue, 29 Jun 1999 15:11:51 GMT
It seems much attention is put towards block ciphers. My first
question is why not stream ciphers? Stream ciphers are more versatile
than block ciphers, normally much faster and smaller than block
ciphers. For example RC4 uses only about 256 bytes of ram whereas RC5
uses about 1KB and is much slower. So shouldn't attention be put
towards stream ciphers?
What about RC4? Has there been any progress to cracking it? What
about alternatives? Are there any ciphers like it that perhaps use
less ram/time?
Tom
--
PGP key is at:
'http://mypage.goplay.com/tomstdenis/key.pgp'.
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: [EMAIL PROTECTED]
Subject: MP3 Piracy Prevention is Impossible
Date: 29 Jun 1999 15:42:17 GMT
It's completely impossible to make sure that somebody can't share
the plaintext of a document with somebody else. Why try?
------------------------------
From: [EMAIL PROTECTED]
Subject: SSL Overhead
Date: Tue, 29 Jun 1999 15:17:59 GMT
I have a customer who was wondering how much overhead is added when
encrypting a web page. For example, a web page and graphics is 20kbytes
what does that convert to once it is encrypted?
I was wondering if there are formulas out there for the different
encryption methods that can calculate the number. Or if someone has done
a benchmark test with a sniffer and can give me some of the numbers they
have found that would be greatly appreciated.
-David
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: "Anton Stiglic" <[EMAIL PROTECTED]>
Subject: Re: How do you make RSA symmetrical?
Date: Tue, 29 Jun 1999 11:46:48 -0700
<[EMAIL PROTECTED]> wrote in message
news:7lamsg$i2f$[EMAIL PROTECTED]...
> In article <[EMAIL PROTECTED]>,
> [EMAIL PROTECTED] (Gergo Barany) wrote:
> > Use the algorithm as is, but don't give the public key to everybody;
> > instead, distribute the whole key pair as you would a key to a
> > symmetric
> > system (i.e. only give it to trusted persons).
>
> Then whats the point?
>
> Tom
It makes for a cute little problem, that is what crypto is really about!
If you look at the RSA algo, you can find a better solution than to give
both public/private keys. RSA works as follows: you start by choosing p, q
which are prime, note n = pq.
Then you have to choose ab = 1 mod (phi(n)). a and b make up the public
and private keys.
So if you want a symmetric key system, you choose a and b such that a=b, that
is, you need an element of the field which is its own inverse.
Isn't that a cute little solution? :)
Now, if you were to really implement this, you would need to study its
security (the adversary has much more info, he knows that a*b = 1 mod (phi(n)),
this is much more info than in RSA and therefore surely makes it more easily
breakable).
Anton Stiglic
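Added worked example (not code from any poster): it runs through the RSA
trapdoor Tom described earlier in this digest (knowing p and q is what makes
the private exponent easy to compute) and then Anton's "symmetric RSA"
construction above, where a single exponent a satisfies a*a = 1 mod phi(n) and
so encrypts and decrypts. The primes 61 and 53 and the exponent 17 are
constructed toy values chosen so the numbers stay readable; they are far too
small for any real use.

```python
# Added worked example (not from any poster): the RSA trapdoor (p, q -> d)
# and Anton's symmetric variant with a self-inverse exponent a == b.
# The primes 61 and 53 are constructed toy values, far too small for real use.
from math import gcd


def rsa_keygen(p, q, e):
    """Standard RSA key generation from the trapdoor information p, q.

    n = p*q is public; phi(n) = (p-1)(q-1) is only computable with p and q;
    d = e^-1 mod phi(n) is the private exponent.
    """
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible modulo phi(n)")
    d = pow(e, -1, phi)           # modular inverse (Python 3.8+)
    return n, e, d


def self_inverse_exponents(phi):
    """All a in (1, phi-1) with a*a == 1 mod phi: the exponents for which
    a == b in Anton's construction. 1 and phi-1 also square to 1 but are
    left out as trivial (phi-1 acts as -1, i.e. plain modular inversion)."""
    return [a for a in range(2, phi - 1) if (a * a) % phi == 1]


def rsa_apply(m, exponent, n):
    """One RSA operation. With a self-inverse exponent the same call both
    encrypts and decrypts."""
    return pow(m, exponent, n)


def symmetric_roundtrip(m, a, n):
    """True if applying the same exponent a twice returns m."""
    return rsa_apply(rsa_apply(m, a, n), a, n) == m


if __name__ == "__main__":
    p, q = 61, 53
    n, e, d = rsa_keygen(p, q, 17)
    phi = (p - 1) * (q - 1)
    print(f"n={n} e={e} d={d}")
    roots = self_inverse_exponents(phi)
    print(f"{len(roots)} non-trivial self-inverse exponents mod {phi}, e.g. {roots[:4]}")
    a = roots[0]
    c = rsa_apply(42, a, n)
    print(f"a={a}: 42 -> {c} -> {rsa_apply(c, a, n)}")
```

The roundtrip works for every message, not just those coprime to n, because
a*a = 1 mod phi(n) implies a*a = 1 mod (p-1) and mod (q-1), so m^(a*a) = m
modulo each prime separately. Self-inverse exponents exist for any phi(n),
since phi(n) is even and composite; how many there are depends on how many
distinct prime factors phi(n) has.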
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: How do you make RSA symmetrical?
Date: Tue, 29 Jun 1999 14:57:28 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (Gergo Barany) wrote:
> Use the algorithm as is, but don't give the public key to everybody;
> instead, distribute the whole key pair as you would a key to a
> symmetric
> system (i.e. only give it to trusted persons).
Then whats the point?
Tom
--
PGP key is at:
'http://mypage.goplay.com/tomstdenis/key.pgp'.
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: "Andrew Whalan" <[EMAIL PROTECTED]>
Subject: Windows9x Crypt Function
Date: Wed, 30 Jun 1999 00:51:37 +1000
I am looking at doing some research on some distributed networking and it
has come up that it would be an ideal situation to implement a brute force
cryptanalysis engine. Other ideas include proving/disproving various
mathematical theories via exhaustion, but I am primarily interested in
cryptography and data security.
If anyone could provide me with some information about the windows 9x crypt
function or provide me with some resources as where I could find some info
it would be great.
Thank you in advance,
Andrew Whalan
------------------------------
From: Jim Felling <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Secure link over Inet if ISP is compromized.
Date: Tue, 29 Jun 1999 11:00:25 -0500
Keith A Monahan wrote:
> Douglas A. Gwyn ([EMAIL PROTECTED]) wrote:
> : Gene Sokolov wrote:
> : > ... If Alice sends Bob her public key or starts DH key exchange
> : > procedure, how does Bob know the data comes from Alice and not her
> : > compromized ISP?
>
> : How does Alice even know there is a human being at the other end
> : of the apparent link, let alone Bob? If Bob introduced himself
> : to Alice via the link, how does she know who he is? This issue
> : involves deep questions of identification, authentication, and
> : trust. It is evident that it cannot be solved without use of
> : some trusted agent.
>
> Absolutely. And keep in mind that the current version of IP does not allow
> for any sort of authentication of packets. And the ID and authentication
> of people accessing machines is low and easily compromised. The newer
> version of IP (v6) which I don't expect to be implemented for QUITE some time
> adds security built into the protocol.
>
> Keith
>
It doesn't matter a bit even with IPsec or equivalent protocols -- if there is no
trusted agent, or out of band channel, or shared secret -- there is no (known)
way for this to proceed securely, and I believe no unknown way as well, as a MITM
attack is always possible. A tries to set up a confidence with B. A sends data; M
replies to her with his own data, and sends his own data on to B. Both validate
and set up. Then A has a secure channel to M and M has a secure channel to B, and
the A to B channel is maintained as M can simply echo data between his two
channels.
Without some form of shared knowledge (or means of information sharing) such
communication is impossible over the linkages described.
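Added worked example (not code from any poster): the echo attack Jim describes
above, run against an unauthenticated Diffie-Hellman exchange in which M (the
compromised ISP) substitutes her own public value in both directions, together
with the out-of-band fingerprint comparison that Dr. Mike's newspaper-ad key
exchange earlier in this digest amounts to. The group (2^127 - 1 with
generator 3) and the private values are constructed toys; the generator is
assumed, not verified, and nothing here is sized for real use.

```python
# Added worked example (not from any poster): MITM on unauthenticated DH over
# a link controlled by M, and the out-of-band fingerprint check that detects it.
# Group parameters and private values are constructed toys.
import hashlib

P = (1 << 127) - 1   # 2^127 - 1, a Mersenne prime; far too small for real use
G = 3                # assumed generator of a large subgroup; not verified here


def public_value(private):
    return pow(G, private, P)


def shared_key(private, peer_public):
    """Hash the DH shared secret into a symmetric key."""
    secret = pow(peer_public, private, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def fingerprint(public):
    """Short digest of a public value: the thing one can print in an ad
    or read over the phone so the peer can compare it."""
    return hashlib.sha256(public.to_bytes(16, "big")).hexdigest()[:20]


def run_exchange(a_priv, b_priv, m_priv=None):
    """A and B exchange public values over the link. If m_priv is given, M
    sits on the link, replaces each public value with her own, and ends up
    holding one key shared with A and another shared with B.

    Each side also compares the value it received against the fingerprint
    the other side published out of band; that comparison is what catches M."""
    a_pub, b_pub = public_value(a_priv), public_value(b_priv)
    if m_priv is None:
        a_receives, b_receives = b_pub, a_pub
    else:
        m_pub = public_value(m_priv)
        a_receives = b_receives = m_pub          # M substitutes in both directions
    result = {
        "a_key": shared_key(a_priv, a_receives),
        "b_key": shared_key(b_priv, b_receives),
        # out-of-band check: does what I received match the published fingerprint?
        "a_accepts": fingerprint(a_receives) == fingerprint(b_pub),
        "b_accepts": fingerprint(b_receives) == fingerprint(a_pub),
    }
    if m_priv is not None:
        result["m_key_with_a"] = shared_key(m_priv, a_pub)
        result["m_key_with_b"] = shared_key(m_priv, b_pub)
    return result


if __name__ == "__main__":
    a, b, m = 0x1a2b3c4d5e6f708192a3b4c5, 0x9f8e7d6c5b4a392817061504, 0x5a5a5a5a5a5a5a5a5a5a5a5a
    honest = run_exchange(a, b)
    print("no attacker: keys agree =", honest["a_key"] == honest["b_key"],
          "| fingerprints accepted =", honest["a_accepts"] and honest["b_accepts"])
    attacked = run_exchange(a, b, m)
    print("with M: A and B keys agree =", attacked["a_key"] == attacked["b_key"])
    print("with M: M holds A's key =", attacked["a_key"] == attacked["m_key_with_a"],
          "| M holds B's key =", attacked["b_key"] == attacked["m_key_with_b"])
    print("with M: fingerprints accepted =", attacked["a_accepts"] or attacked["b_accepts"])
```

Without the fingerprint comparison both sides "validate and set up" exactly as
Jim says, each with a perfectly good key, just not with each other. The
comparison only helps if the fingerprint travels over a channel M does not
control; if the ad or the phone line is hers too, she publishes her own
fingerprint and the check passes again.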
------------------------------
From: [EMAIL PROTECTED] (Patrick Juola)
Subject: Re: SSL Overhead
Date: 29 Jun 1999 12:01:31 -0400
In article <7lao2q$iit$[EMAIL PROTECTED]>, <[EMAIL PROTECTED]> wrote:
>I have a customer who was wondering how much overhead is added when
>encrypting a web page. For example, a web page and graphics is 20kbytes
>what does that convert to once it is encrypted?
>
>I was wondering if there are formulas out there for the different
>encryption methods that can calculate the number. Or if someone has done
>a benchmark test with a sniffer and can give me some of the numbers they
>have found that would be greatly appreciated.
Depends on the method of encryption you use. In the best case, you
can actually *decrease* the size of the resulting file (if you
compress before encryption, which enhances security as well as
reducing file size). A typical stream cypher will result in a cyphertext
file exactly the same size as the plaintext file; a typical block
cypher will expand the file by at most one block -- which is typically
50-100 bytes depending on exactly which block cypher you use.
-kitten
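Added worked example (not code from either poster): the byte counts for
David's 20 kbyte page, first for the raw cipher output Patrick describes
(stream cipher: same size; block cipher: padded up to a block boundary), then
for what actually crosses the wire when the record layer is counted. The
record accounting models TLS 1.0 as specified in RFC 2246: a 5-byte record
header, a MAC appended to each fragment, then padding plus one padding-length
byte to reach a block multiple, with fragments of at most 2^14 bytes. The block
and MAC sizes in the demo (8-byte block as in DES or IDEA, 16-byte block as in
the 128-bit AES candidates, 20-byte SHA-1 MAC) are assumed parameters.

```python
# Added worked example (not from any poster): ciphertext size for a web page
# under a stream cipher, a padded block cipher, and TLS 1.0 block-cipher records.
# Block and MAC sizes are caller-supplied assumptions.

MAX_FRAGMENT = 16384   # TLS 1.0 plaintext fragment limit (2^14 bytes)
RECORD_HEADER = 5      # type (1) + version (2) + length (2)


def stream_cipher_size(plaintext_len):
    """A stream cipher emits exactly one ciphertext byte per plaintext byte."""
    return plaintext_len


def padded_size(length, block_size):
    """Size after padding when at least one padding byte is always added
    (PKCS#7 style; TLS 1.0's padding + padding_length byte behaves the same)."""
    return (length // block_size + 1) * block_size


def tls10_record_size(fragment_len, block_size, mac_len, header_len=RECORD_HEADER):
    """One TLS 1.0 record carrying fragment_len application bytes under a
    block cipher: header || pad(content || MAC)."""
    return header_len + padded_size(fragment_len + mac_len, block_size)


def tls10_wire_size(plaintext_len, block_size, mac_len, max_fragment=MAX_FRAGMENT):
    """Total bytes on the wire for plaintext_len bytes split into maximal records."""
    full, rem = divmod(plaintext_len, max_fragment)
    total = full * tls10_record_size(max_fragment, block_size, mac_len)
    if rem:
        total += tls10_record_size(rem, block_size, mac_len)
    return total


def overhead_percent(plaintext_len, wire_len):
    return 100.0 * (wire_len - plaintext_len) / plaintext_len


if __name__ == "__main__":
    page = 20 * 1024
    print("stream cipher, raw ciphertext:", stream_cipher_size(page))
    print("8-byte block cipher, raw ciphertext:", padded_size(page, 8))
    print("16-byte block cipher, raw ciphertext:", padded_size(page, 16))
    for label, bs, mac in (("8-byte block + SHA-1 MAC", 8, 20),
                           ("16-byte block + SHA-1 MAC", 16, 20)):
        wire = tls10_wire_size(page, bs, mac)
        print(f"TLS 1.0, {label}: {wire} bytes ({overhead_percent(page, wire):.2f}% overhead)")
```

For a 20 kbyte page the cipher itself adds at most one block; the handful of
extra bytes per record (header, MAC, padding) is what dominates, and even that
stays well under one percent. The cost the customer will notice is the
handshake (the RSA operation and the certificate transfer), not the bulk
encryption.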
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: PIII Random Number Generator?
Date: Tue, 29 Jun 1999 16:05:45 GMT
"Dale Clapperton" <[EMAIL PROTECTED]> wrote, in part:
>Does anyone know of any studies done on whether the Random Number Generator
>on the Pentium III chips is truly random or not?
The alleged source of physical randomness is on a support chip. How to
use that chip hasn't been released.
John Savard ( teneerf<- )
http://members.xoom.com/quadibloc/crypto.htm
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: one time pad
Date: Tue, 29 Jun 1999 16:15:43 GMT
"Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote, in part:
>You don't need a random key generator for provably secure encryption;
>in fact, that is undesirable in most cases -- since random key cannot
>be reliably generated synchronously at both origin and destination,
>it would have to be transferred from one to the other (or from a
>central key generation facility to both), thus you run into the
>standard OTP key management problem. For most purposes, it is much
>better to use a moderate key size along with an encryption algorithm
>against which every known attack methodology can be shown to fare not
>appreciably better than exhaustive search of the key space.
That is not "provably" secure as Terry Ritter would understand it, and
it isn't even provably secure as I understand it (and I think myself
more liberal in allowing the use of that term than he).
Of course, I will gladly admit that this sort of thing is adequately
secure for nearly all purposes. But that's because one doesn't need to
have a cryptosystem that is "provably secure" in the mathematical
sense in real life.
>(By
>"known" I of course mean "known to the experts".) That has been the
>general procedure for official US cryptosystems for many decades, and
>it has worked extremely well in practice.
Of course, one hopes they allow a bit more margin of safety than do
users of Triple-DES or IDEA...rather than allowing their superior
knowledge to convince them they can get by with _less_ (as some have
concluded from the design of SKIPJACK, probably prematurely).
John Savard ( teneerf<- )
http://members.xoom.com/quadibloc/crypto.htm
------------------------------
From: [EMAIL PROTECTED] (Gergo Barany)
Subject: Re: Test Sorry
Date: 29 Jun 1999 16:16:50 GMT
In article <[EMAIL PROTECTED]>, Alex Mansurov wrote:
>Test only.Sorry, plz.
>
>--
>WBW,
>Alex
I won't complain if you promise that from now on you'll only test in
groups created for that purpose (alt.test, for example).
Grgo
--
Demand the establishment of the government
in its rightful home at Disneyland.
GU d- s:+ a--- C++>$ UL+++ P>++ L+++ E>++ W+ N++ o? K- w--- !O !M !V
PS+ PE+ Y+ PGP+ t* 5+ X- R>+ tv++ b+>+++ DI+ D+ G>++ e* h! !r !y+
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: The One-Time Pad Paradox
Date: Tue, 29 Jun 1999 16:21:50 GMT
"Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote, in part:
>Mok-Kong Shen wrote:
>> ... What happens if he doesn't know for sure that the sender uses
>> an OTP? His best guess will be that the sender possibly forgets to
>> encrypt his message.
>No, because the previous zillion times he made that assumption it
>turned out to be incorrect.
Well, I can hardly disagree with _that_ argument, since I made it
myself:
I previously wrote:
>For any given pad of true random numbers, one can't prove that it
>doesn't correspond to the output of a stream cipher that the
>cryptanalyst one is facing might solve!
>Well, I demolished his argument (as I understood it) by noting that if
>the number of possible messages is N, the probability of this
>happening is 1/N the probability of the cryptanalyst obtaining a false
>plaintext this way: hence, nothing has happened to reduce uncertainty
>concerning the plaintext.
and this has brought another clue to the paradox.
If our cryptographer is a member of a large statistical ensemble, a
pad of all zeroes, occurring when one might expect for such an
improbable thing, is no problem.
If, however, by incredibly bad luck, one of the first thousand or so
one-time-pads encountered is all zeroes, and the particular message to
be sent with it is particularly important, the situation at least
seems different.
Since the question at hand is: am I a member of a statistical
ensemble?, I think that the "paradox" is really only a restatement of
one of the paradoxes of statistical mechanics (does the Second Law of
Thermodynamics deserve to be called a physical law?) and not something
peculiar to cryptography.
John Savard ( teneerf<- )
http://members.xoom.com/quadibloc/crypto.htm
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: PIII Random Number Generator?
Date: Tue, 29 Jun 1999 16:25:20 GMT
[EMAIL PROTECTED] wrote, in part:
>I like 'entropy' or H(M) myself... I have never heard of a 'Knauer'.
>Are there any good online links/papers on it (sounds a bit vague to me).
It's a joke. Someone named Bob Knauer posts to this group.
John Savard ( teneerf<- )
http://members.xoom.com/quadibloc/crypto.htm
------------------------------
From: Jim Felling <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Moores Law (a bit off topic)
Date: Tue, 29 Jun 1999 11:20:45 -0500
[EMAIL PROTECTED] wrote:
> <snip>
>
> Searching a 128-bit key in one day would require doing 2^111 keys per
> second. Thats 2596148429267413814265248164610050 keys per second.
>
> I don't think that's a likely thing. Currently in RC5/DES we can
> search about 2^20 keys per second (give or take) on a MII 300
> (233mhz). That would be quite a bit faster at 2^111...
>
> I think we may see rates of around 2^40 (trillion keys per second) by
> the year 2100, but that's a big iffy. If you take rough calcs' at
> 2^20 the DES cracker program (distributed) does 233000000/2^20 or 223
> cycles per key (which is pretty amazing). At 2^40 I would require a
> 2^40(223) or 256,186,209 Mhz computer... Hmm not likely for a while.
>
> Of course we could imagine a parallel network (say of around 2^32 a sec)
>
> Basically I don't think 128-bit keys will be in trouble any time soon.
> Even 64-bit keys are hard to search now, 80-bit is 'out of reach' which
> may not mean much in 15 years...
>
> That's my two cents and a bit (which would get you a hair cut in my
> day... :) )
>
> Tom
>
> Sent via Deja.com http://www.deja.com/
> Share what you know. Learn what you don't.
I have my doubts as to the "permanent" security of 128-bit codes -- mind you
for the very long term they are damn near perfect -- if I want "permanent"
security I'd go with 256-bit.
Reasoning:
assume a computer can be built from 1 atom; further assume that such a PC
is clocked at a rate such that its clock speed is roughly the length of time
light will take to pass information across it. This allows a reasonable
assumption of how small/fast a hypothetical ULTRAHIGH tech computer for this
purpose can be. This still limits clock speed to a large value (about 2^70
Hz if I remember properly; I am away from my references now). Further assume
that this atom can carry out the computation in 1 cycle. Then breaking a
128 bit code will require 2^57 machine seconds on average. Given an array of
these computers as massive as a planet this code can be broken in a few
seconds -- plus of course the time necessary to transmit the signal to the
user that the key is... --
Thus a 128 bit code break will require absolutely ridiculous resources, and
a hell of a long time, but is just barely within the realm of
imagination(for the VERY distant future), but a 256 bit is completely
beyond any reasonable possibility of brute force.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************