Cryptography-Digest Digest #815, Volume #9        Thu, 1 Jul 99 12:13:05 EDT

Contents:
  Re: Quantum Computers (Patrick Juola)
  Re: Secure link over Inet if ISP is compromized. (Patrick Juola)
  Re: The One-Time Pad Paradox (Patrick Juola)
  Re: Quantum Computers (Patrick Juola)
  Re: Performance of cryptographic algorithms (David A Molnar)
  Re: one time pad (David A Molnar)
  Re: Secure link over Inet if ISP is compromized. (Sundial Services)
  Re: How do you make RSA symmetrical? (wtshaw)
  "Silk to Cyanide" (Neil)
  Re: Secure link over Inet if ISP is compromized. (Patrick Juola)
  Re: BLT update (long) with (rec) ciphertexts (wtshaw)
  Re: A Quanitative Scale for Empirical Length-Strength (wtshaw)
  Re: The One-Time Pad Paradox ("Douglas A. Gwyn")
  workshop on elliptic curve cryptography (Alfred John Menezes)
  Re: BAN Logic considered useful? (Helger Lipmaa)
  Re: "Silk to Cyanide" ("Douglas A. Gwyn")

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Patrick Juola)
Subject: Re: Quantum Computers
Date: 1 Jul 1999 09:59:50 -0400

In article <7lf4l4$5uo$[EMAIL PROTECTED]>,
Greg Ofiesh  <[EMAIL PROTECTED]> wrote:
>Let us begin with the following assertion that I think you will all
>agree with.  If a quantum computer exists, then the only form of
>encryption that cannot be broken by it, or at least has half a chance
>to survive an attack, is OTP.  All other forms of encryption are
>deterministic in nature and are not "cracked" but simply "translated"
>(to convey the ease with which cryptanalysis is performed) by a quantum
>computer.

This doesn't follow; contrary to popular belief, quantum computers
are not necessarily -- or even likely to be -- magic boxes that will
perform *any* operations flawlessly and in zero time.  Current approaches
(or at least current publicly-known approaches) have difficulties
with maintaining the coherence of the quantum states as the problems
get more complex.  You may cheerfully believe that the NSA is ahead of
the civilians in this regard -- but I doubt that they can maintain quantum
coherence through an infinite amount of computation.  Any "sufficiently
complex" form of encryption would be too complex for the quantum machine
to solve.

Furthermore, quantum machines don't run infinitely fast, either.
Decryption takes time.

Or to put it another way, QM isn't God.

>Now let me make my assertion - The US government, most likely the NSA,
>has operational quantum computers.

Assert away.  They do not, however, have operational quantum computers
with infinite capacity.

>Contrary to a point raised earlier, the quantum computer is not used by
>the NSA.  It is simply left running - translating everything it sees on
>the internet into plain text and then passing it off to storage devices.

This is nonsense; the amount of data on the internet would require
computational capacity comparable to the rest of the computers on the
planet to decrypt and store.

>God I wish this were not true, but I have strong reasons to believe it
>is.  My brother was studying how to build a quantum computer at UC
>Berkeley in the early to mid 80's and talked with people from around
>the country on this subject.

>Can anyone provide any additional insight.  And please don't say I am
>nuts, or kook, or anything else.  If that is all you have to say, get a
>life or a wife and go somewhere else.
>

Let me get this straight.  Your brother was doing some preliminary
research in this area fifteen years ago, and therefore he knows better
than all the experts on this forum who are current on the technology?

Again, you're not looking for information; you're looking for sock
puppets to confirm your prejudices.

        -kitten

------------------------------

From: [EMAIL PROTECTED] (Patrick Juola)
Subject: Re: Secure link over Inet if ISP is compromized.
Date: 1 Jul 1999 10:08:50 -0400

In article <7lfi2r$38f$[EMAIL PROTECTED]>,
Gene Sokolov <[EMAIL PROTECTED]> wrote:
>
>Jim Felling <[EMAIL PROTECTED]> wrote in message
>news:[EMAIL PROTECTED]...
>> Else wrote:
>> > Jim Felling wrote in message <[EMAIL PROTECTED]>...
>> > >That is incorrect.  Any internet encryption scheme is as secure as the
>> > >parameters allow it to be.
>> >
>> > Show please how SSL is secure against man-in-the-middle attack.
>> >
>> > >If, for example, a trusted certification authority/ trusted public key
>> > >collection exists, internet communication is as secure as that
>> > certification
>> > >authority/trusted key repository are. (Trusted authority)
>> >
>> > How do you access this authority? Wouldn't it be through the ISP?
>>
>> When I claim a "trusted authority" I am claiming that we somehow have trust
>> that this authority is who we think  they are, and  that the information
>> that they provide is valid.
>
>Let's get down to practical terms. Here is a situation. FBI suspects someone
>who uses 128 bit SSL to deliver his data to a remote location. FBI with a
>warrant goes to the suspect's ISP and stages man-in-the-middle attack on
>him. Do you think he is safe?
>    What do you think is the fraction of the Net users who exchange keys
>"out of band", i.e. not through their ISPs?

Through *their* ISPs or through an ISP in general?

My PGP public key is available through a half-dozen different sources,
including one in print (Proc. NeMLaP-2); if the FBI decides to tamper
with the Pittsburgh ISP I use, they can still check the Cambridge site,
the Oxford site, or, hell, Alta-Vista for a number of sites I probably
don't even know about.  Here, let me make it available on DejaNews.

=====BEGIN PGP PUBLIC KEY BLOCK=====
Version: 2.6.2
=====END PGP PUBLIC KEY BLOCK=====

Is the FBI going to compromise *every* site where my key might be?

        -kitten



------------------------------

From: [EMAIL PROTECTED] (Patrick Juola)
Subject: Re: The One-Time Pad Paradox
Date: 1 Jul 1999 10:12:52 -0400

In article <[EMAIL PROTECTED]>,
Dr.Gunter Abend <[EMAIL PROTECTED]> wrote:
>"Douglas A. Gwyn" wrote:
>> 
>> G.A.> If not more than 10% of the ciphertext looks like words,
>> > nobody can guess that these characters leak the true meaning
>> > of the message.
>> 
>> And if 90% of the ciphertext looks like words, nobody can guess
>> that those characters leak the true meaning of the message.
>> Because they almost certainly don't.
>
>*Almost* every time the encryption process will work properly.
>*Sometimes* you might fail, or you occasionally use a keystring
>that leaks some of your real ideas. It's rather unlikely that
>10% word-like characters carry an intelligible message, but 90%
>might do so. Of course, the true plaintext is *very* unlikely.

Or even a message related to the plaintext in any way.

>If you use the inconvenient OTP encryption instead of simpler
>methods, you might feel that "very unlikely" is not good enough.

Again, what's your threat model?

How is the message?

ILIKEPEASCARROTSANDJELLY

going to provide any cryptanalytic clues to

INVADERUSSIAINTHEWINTER!

>The idea of *automatically* avoiding intelligible ciphertexts
>gives you a better feeling (psychic safety),

It still strikes me that it only gives you a better feeling if
you don't know what you're doing; you'd be better off
reading up on the OTP than trying to develop a biased keystream
generator.

        -kitten

------------------------------

From: [EMAIL PROTECTED] (Patrick Juola)
Subject: Re: Quantum Computers
Date: 1 Jul 1999 10:15:56 -0400

In article <[EMAIL PROTECTED]>,  <[EMAIL PROTECTED]> wrote:
>Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>> The power
>> of a quantum computer, built with finite amounts of materials,
>> must be finite and not infinite.
>
>In a sense, this is false. The point to a quantum computer is that a
>system is placed in a mixed state which involves a superposition of all
>the (possibly) infinitely(!) many possible eigenstates of an observable.
>One needs a quantum system so that collapsing the state will lead to (with
>non-negligible probability) an eigenstate/value which provides at least
>partial help in decrypting a non-negligible fraction of messages encoded
>using some protocol (if using it in cryptanalysis).

But the uncertainty principle implies a limit to our ability to
detect differences between/among eigenstates -- and "the state of
the art" provides a much greater limit.

In either case, the capacity isn't infinite.

        -kitten



------------------------------

From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: Performance of cryptographic algorithms
Date: 1 Jul 1999 07:36:01 GMT

Peter Krueger <[EMAIL PROTECTED]> wrote:
> Hi,

> I'm looking for a survey of the performance of cryptographic
> algorithms, symmetric, asymmetric and one-way hashes.
> An analysis of efficient algorithms in O-notation
> would be nice.

> I couldn't find something in the Internet, that's why I'm asking.

 For hash functions and "simpler" constructions like 
 straight RSA, you can count bit operations. SHA-1 has
 so many rounds, each of which uses an operation with
 4 or 5 atomic operations like OR or NOT, etc. 

 RSA requires a modular exponentiation to encrypt
 and decrypt. Each of these is O(n^3) in the size
 of the number being raised. How big that number
 really is depends on whether you use 
 speedups based on the chinese remainder theorem
 and the fact n = p * q. 

 For anything else based on number-theoretic 
 constructions, you'll want to check out 
 Neal Koblitz' _A Course in Number Theory
 and Cryptography_. The first chapter talks
 all about time analysis for arithmetic. 

 Do note that this doesn't actually encompass
 the prime generation - that's much more
 complicated. Much depends on how exactly
 your prime generation works.

 For symmetric ciphers, I haven't yet tried
 figuring out bit operations. It doesn't
 seem too difficult, just tedious. Get
 a copy of Applied Crypto and start 
 counting. :-)

Of course, as others have noted, "performance"
is difficult to pin down. If you want to 
decide which is best for your implementation,
you'll need real-world data. Counting
bit ops is just something of a first approximation.

-David
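As an added illustration of the point David makes about RSA's cost (one modular exponentiation per operation, and the speedup that comes from using the Chinese remainder theorem together with n = p * q), here is a small Python script that decrypts both ways and checks that the results agree. This is not code from the digest; the primes p = 61, q = 53, the exponent e = 17 and the message value 65 are constructed toy values, orders of magnitude too small for real use.

```python
"""RSA decryption directly and via the Chinese remainder theorem (CRT).

Added example, not from the digest. p, q, e and the message are constructed
toy values. With real key sizes each modular exponentiation is roughly cubic
in the bit-length of its operands, which is why splitting one exponentiation
mod n into two half-size exponentiations mod p and mod q pays off.
"""

P, Q = 61, 53                 # constructed toy primes (never use sizes like this)
N = P * Q                     # public modulus, n = p * q
E = 17                        # public exponent
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)           # private exponent: e * d == 1 (mod phi(n))


def encrypt(m: int) -> int:
    """Textbook RSA encryption: one modular exponentiation mod n."""
    if not 0 <= m < N:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, E, N)


def decrypt_plain(c: int) -> int:
    """Decrypt with the full-size exponent d modulo the full-size n."""
    return pow(c, D, N)


def decrypt_crt(c: int) -> int:
    """Decrypt with two half-size exponentiations and recombine (Garner's form).

    dp, dq and q_inv depend only on the key, so a real implementation
    precomputes them once and stores them with the private key.
    """
    dp = D % (P - 1)          # d reduced mod p-1 (valid by Fermat's little theorem)
    dq = D % (Q - 1)          # d reduced mod q-1
    q_inv = pow(Q, -1, P)     # q^-1 mod p
    m_p = pow(c % P, dp, P)   # m mod p
    m_q = pow(c % Q, dq, Q)   # m mod q
    h = (q_inv * (m_p - m_q)) % P
    return m_q + h * Q        # unique m in [0, n) with m = m_p (mod p), m = m_q (mod q)


def exponent_sizes() -> tuple[int, int, int]:
    """Bit-lengths of d, dp and dq, to show why the CRT path is cheaper."""
    return D.bit_length(), (D % (P - 1)).bit_length(), (D % (Q - 1)).bit_length()


if __name__ == "__main__":
    c = encrypt(65)
    print("ciphertext:", c)
    print("direct:", decrypt_plain(c), " crt:", decrypt_crt(c))
    print("bit-lengths of d, dp, dq:", exponent_sizes())
```

Both decryption paths must agree for every ciphertext; a mismatch between them is the classic symptom of a faulty CRT implementation, which is why production code compares the CRT result against a re-encryption before releasing it.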


------------------------------

From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: one time pad
Date: 1 Jul 1999 07:56:41 GMT

William Tanksley <[EMAIL PROTECTED]> wrote:
> I'm almost certain that he's talking about the 1k-bit key cracker, not the
> quantum computer.  A quantum computer could, of course, crack a 1kbit key,
> if anything I've heard about it is true.

A 1kbit key for what system ?

* RSA or Diffie-Hellman or other Spawn of Integer Factorization 
                                and Discrete Logs 

        - Peter Shor's paper gives a quantum algorithm for
        doing so in time polynomial in the size of the number.

        - The algorithm requires two separate "quantum registers"
        for factoring, three for discrete log

        - Each "quantum register" consists of a system of 
        entangled quantum bits ("qubits") big enough to 
        hold the number and some intermediate products.

        - Theoretically known to be possible, but 
        currently far beyond known engineering.

* 1kbit key for _any system_, asymmetric or symmetric!

        - Not known to be possible in time polynomial in
        the size of the input. 

        - If it is, then "BQP" = "all problems solvable in
        polytime with bounded probability of error by 
        a quantum computer" includes NP.  

        - Best known algorithm is Grover's algorithm,
        which takes O(sqrt(n)) (n is size of input)

        - sqrt(2^1024) is 2^512 -- still intractable!

        - To solve this, the Men in Black not only have
        better engineering, but can effectively solve
        every problem in NP, too. Be scared. 

Just pointing out that current (public) knowledge about
quantum computers doesn't include an ability to 
crack an arbitrary 1kbit key. Yet. 

Thanks,
-David Molnar

> I have my suspicions.

>>Sent via Deja.com http://www.deja.com/

> -- 
> -William "Billy" Tanksley

------------------------------

Date: Thu, 01 Jul 1999 07:47:32 -0700
From: Sundial Services <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Secure link over Inet if ISP is compromized.

S.T.L. wrote:
> 
> <<face-to-face conversations, are compromised, >>
> 
> By compromised, do you mean monitored or prevented? If you monitor a
> face-to-face conversation between me and Bob, then we can still exchange public
> keys and know we can communicate safely. Of course, Bob may be an agent for the
> other side anyways.


The hypothetical issue here is, "How do you know that the key you
received actually came from Bob?  How does Bob know the key he received
actually comes from you?"  What if there is a "man in the middle" who
somehow gets each message, decrypts it, re-encrypts it and sends it
along?

There are various ways to establish "trust" in a key.  Some approaches
use a central "certifying authority."  Others, like PGP, use a
de-centralized "voting" system to establish trustworthiness.  But all of
these topics are extensively discussed in the help-files and the
literature.

Certainly, existing non-classified crypto techniques *do* allow two
people, even two people who have never met, to establish secure two-way
communications over this extremely vulnerable link we call the World
Wide Web.

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: How do you make RSA symmetrical?
Date: Thu, 01 Jul 1999 09:27:32 -0600

In article <92qe3.168906$[EMAIL PROTECTED]>, "Anton
Stiglic" <[EMAIL PROTECTED]> wrote:
> 
> Most mathematicians dislike block ciphers and symmetric ciphers in general.
> The basis for this dislike is that problems like factoring are much more
> elegantly defined mathematically and have been studied for MUCH longer
> than the bizarre permutations that compose symmetric ciphers.
> Studies in crypto are not just about things that are practically
> implemented....

> Most of the stuff that
> is presented
> in CRYPTO and EUROCRYPT is not about survival security or protocols that can
> be implemented, it's mostly about fun things.  If math and crypto is not fun
> for you,
> I suggest you involve yourself in another domain.
> 
It seems that anything you regard as practical or useful cannot be fun. 
You also take great liberties with the opinions you would like others to
have and speak as if you have only studied crypto for ten minutes.

Frankly, I find the preoccupation with a few narrow ideas rather bizarre in
its own right.  And, I appreciate the factual nature of history that
preempts what you have said in that mathematicians and cryptographers
study many diverse areas, and enjoy them.  To make the same mistake in
cryptography that a few mathematicians do make, to get lost in a
never-never land of unrealizable theory, may be fun, but is not fully
justified.  The freedom to play at a subject is important, if it is in the
end creative.

Specifically, tell me again that factoring and permutation cannot be both
legitimate subjects for investigation, for fun, profit, or other.
-- 
Rest sometimes allows you to find new things to worry about but should give you the 
patience to do something about them.

------------------------------

From: [EMAIL PROTECTED] (Neil)
Subject: "Silk to Cyanide"
Date: Thu, 01 Jul 1999 14:49:26 GMT

I am reading Leo Marks' book "Silk to Cyanide" and in an early chapter (4
I think) he gives an example of solving a transposition cipher.  I
used the transposition key he provided as the answer and can't get the
correct codetext when I try to encrypt the original plaintext.

Can anyone help this newbie and tell me what I might be doing
incorrectly??

Please reply via e-mail to [EMAIL PROTECTED]



------------------------------

From: [EMAIL PROTECTED] (Patrick Juola)
Subject: Re: Secure link over Inet if ISP is compromized.
Date: 1 Jul 1999 10:59:03 -0400

In article <[EMAIL PROTECTED]>,
>Certainly, existing non-classified crypto techniques *do* allow two
>people, even two people who have never met, to establish secure two-way
>communications over this extremely vulnerable link we call the World
>Wide Web.


Not in the presence of an opponent who has access to bolt cutters.
There's this little wire-thing that comes out of the back of your
computer and goes into the wall, see, and, like, if you snip it
in half, the bits get homesick and stay inside your computer
instead of going out to party.

Again I ask: What's your threat model?  Unless you can assure
physical security of every meter of wire from your computer to
your ISP, and the physical security of at least one appropriately
chosen subset of the Internet, the parties can be prevented from
communicating *at all*.

If you assume that their ability to communicate is not an issue, but
their ability to communicate privately is, then this problem can be
solvable -- but it's also, more or less, assuming that the FBI doesn't
know about bolt cutters.

As I've been telling one of my classes recently: "Assumptions are good.
I like assumptions.  I just don't *trust* them, and I like to keep
track of them."

        -kitten

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: BLT update (long) with (rec) ciphertexts
Date: Thu, 01 Jul 1999 09:55:34 -0600

In article <[EMAIL PROTECTED]>, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:

> wtshaw wrote:
> > 
> 
> > My point is that things may be more or less illusionary when we increase
> > size from plaintext to ciphertext.  I prefer to make things as efficient
> > as possible, but perhaps something is to be learned by not always being a
> > ciphertext tight wad.
> 
> My WEAK4-EX, for example, (which is a probabilistic algorithm)
> produces ciphertexts whose length is the length of the plaintexts 
> multiplied by a factor ( >= 1 ) that the user can arbitrarily choose 
> to suit his desired level of security. See my web page.

I got error 04 trying to connect.
> 
There is a fine line where some expansion can be closely related to
increased security.  Most casual schemes waste the increase, don't really
get the most out of what could be done with other methods; it is about
these rather sloppy algorithms, including BLT, that I made the comment.
-- 
Rest sometimes allows you to find new things to worry about but should give you the 
patience to do something about them.

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: A Quanitative Scale for Empirical Length-Strength
Date: Thu, 01 Jul 1999 09:46:28 -0600

In article <[EMAIL PROTECTED]>, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:
> 
> Applying the classical transposition cipher twice (with different keys
> having different lengths) is a superencipherment. However, it
> appears certain that the result is not equivalent to encrypting once in
> the same manner with a certain key. So I wonder whether one can
> determine your length-strength of the total as a function of the
> length strength of the underlying two components. By the way,
> there are people saying that the scheme is hard to crack. I just
> want to call attention to that. Perhaps you could propose one such
> problem to ACA and see if someone could solve it.
> 
Consider a simple case where key one is a permutation of 4 elements and
key two is a permutation of 5 elements;  it is easy to demonstrate that a
single key permutation of 20 elements can be used.  But, a 20 keyspace is
larger than the permutations that could be produced by using 4 and 5
together; that being the case, you have a lesser keyspace to search than
if you fully utilized the larger keyspace to begin with.
-- 
Rest sometimes allows you to find new things to worry about but should give you the 
patience to do something about them.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: The One-Time Pad Paradox
Date: Thu, 01 Jul 1999 15:26:48 GMT

"Robert C. Paulsen, Jr." wrote:
> Although the chance of a OTP encrypting cleartext in a way that the
> resulting ciphertext gives away the secret is vanishingly small it
> is not impossible.

You really need to consider what constitutes knowledge (on the part
of the adversary).  He does not learn anything whatsoever from a
properly functioning OTP ciphertext that accidentally appears to
tell him something.  That's because there is no basis for taking
the apparent text as plaintext.  The actual odds are so great that
any apparent text is *not* the actual message, that a rational
adversary must reject *all* such "messages" (assuming he knows the
OTP is working properly).

This has nothing to do with Gödel.

------------------------------

From: [EMAIL PROTECTED] (Alfred John Menezes)
Subject: workshop on elliptic curve cryptography
Date: 1 Jul 1999 15:00:39 GMT



The 3rd workshop on Elliptic Curve Cryptography (ECC '99)

University of Waterloo, Waterloo, Ontario, Canada

November 1, 2 & 3, 1999

First Announcement              June 21, 1999


ECC '99 is the third in a series of annual workshops dedicated to the 
study of elliptic curve cryptography. ECC '99 will have a broader
scope than ECC '98 and ECC '97, which focussed primarily on the 
elliptic curve discrete logarithm problem. The main themes of 
ECC '99 will be:
  - Provably secure discrete log-based cryptographic protocols for 
    encryption, signatures and key agreement.
  - Efficient software and hardware implementation of elliptic curve 
    cryptosystems.
  - The discrete logarithm and elliptic curve discrete logarithm problems.

It is hoped that the meeting will encourage and stimulate further 
research on the security and implementation of elliptic curve 
cryptosystems and related areas, and encourage collaboration between 
mathematicians, computer scientists and engineers in the academic,
industry and government sectors.

There will be approximately 15 invited lectures (and no contributed 
talks), with the remaining time used for informal discussions.

The second announcement will be made on July 12, and will 
include registration and local (i.e., hotel & transportation) 
information.  There will be a registration fee this year: 
$250 Cdn or $180 US ($100 Cdn or $70 US for students).  
If you did not receive this announcement by email and would like to 
be added to the mailing list for the second announcement, please 
send email to [EMAIL PROTECTED] The announcements are also
available from our web site: www.cacr.math.uwaterloo.ca

Sponsors:
     Certicom Corp.
     Communications and Information Technology Ontario (CITO, Canada)
     MasterCard International
     Mondex International Limited
     University of Waterloo

Organizers:
     Alfred Menezes (University of Waterloo)
     Scott Vanstone (University of Waterloo)

Confirmed Speakers:
     Mihir Bellare   (University of California at San Diego, USA)
     Dan Boneh       (Stanford University, USA)
     Robert Gallant  (Certicom Corp., Canada)
     Philippe Golle  (Stanford University, USA)
     Dan Gordon      (Centre for Communications Research, USA)
     Reynald Lercier (Centre d'Electronique de L'Armement, France)
     Michele Mosca   (Oxford University, UK)
     Christof Paar   (Worcester Polytechnic Institute, USA)
     Andreas Stein   (University of Waterloo, Canada)
     Jacques Stern   (Ecole Normale Superieure, France)
     Edlyn Teske     (University of Waterloo, Canada)
     Stefan Wolf     (ETH Zurich, Switzerland)
==============================================================================


------------------------------

From: Helger Lipmaa <[EMAIL PROTECTED]>
Subject: Re: BAN Logic considered useful?
Date: Thu, 01 Jul 1999 21:52:45 +0300

Don Davis wrote:

> In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
>
> >  I am wondering if BAN Logic is still considered a acceptable method
> >for the analysis of authentication protocols, or if there are more
> >recent developments in this area.
>
> catherine meadows has written a comparison/critique of
> BAN and more recent protocol analysis tools.  the short
> answer is that automated analysis engines can do better
> than BAN, but BAN isn't bad, as hand-cranked protocol
> checkers go.  though i like BAN myself, and have used
> it to advantage in the past, i'm persuaded by meadows'
> argument that you need to do more than BAN.  use it for
> sanity-checking, but try to do other kinds of analysis,
> too.
>
> meadows is at NRL (nrl.navy.mil).  i seem to remember
> having searched out a web-page there that presents some
> of her papers, but i don't have the URL now.

I was once working in this area. BAN logic (as it was presented in the
original paper) has several known flaws. If you want to use a logic for
protocol verification, I would suggest to use SVO ("On Unifying...",
Syverson, van Oorschot; you can ask for one of the authors to send you a
manuscript of the newer version of the paper). Also some recent ideas of
Buttyan, Staamann, Wilhelm & Alves-Foss).

In general, a logic is a useful tool for spotting stupid errors and making a
first version of the real protocol. But since the known logical methods
are unable to discuss probabilities, you cannot be sure exactly
how secure the resulting protocol is (but see the papers of John C.
Mitchell).

Also, the logical methods only enable you to ascertain whether a protocol
does key confirmation and things related to it. You still have to check
manually whether the exchanged key is confidential. This (and some more
reasons, like substantiating the encryption {X}_K with a concrete
primitive and the resulting interactions from that) is why you should
use probabilistic/complexity-theoretic methods to wholly prove the
security.

A lot of links about authentication logic:
  http://home.cyber.ee/helger/crypto/link/logic.html

Regards
Helger Lipmaa
http://home.cyber.ee/helger


------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: "Silk to Cyanide"
Date: Thu, 01 Jul 1999 15:40:03 GMT

Neil wrote:
> Can anyone help this newbie and tell me what I might be doing
> incorrectly??

You might be doing any number of things incorrectly, and we can't
tell which without seeing your work.

Here is an example of ordinary columnar transposition encryption:

Key: APPLE
     14532 <- converted to column rewrite sequence by numbering
              the key letters in alphabetical order

Plaintext: PENICILLINNOTAVAILABLEUNTILTWOTHREEOCTOBER

14532
PENIC
ILLIN
NOTAV
AILAB
LEUNT
ILTWO
THREE
OCTOB
ERXXX <- Xs are optional nulls

Rewrite in numerical order:
PINALITOE CNVBTOEBX IIAANWEOX ELOIELHCR NLTLUTRTX

Regroup by fives for transmission:
PINAL ITOEC NVBTO EBXII AANWE OXELO IELHC RNLTL UTRTX
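
The worked example above can be checked mechanically. The following Python script is an added illustration, not part of Douglas Gwyn's post: it derives the column order from the keyword exactly as he describes (letters numbered alphabetically, repeated letters numbered left to right, so APPLE becomes 1 4 5 3 2), pads the last row with nulls, encrypts, and also decrypts so the grid can be rebuilt from the ciphertext. The keyword, plaintext and expected ciphertext are those given in the post; the choice of X as the null and the assumption of a fully padded (rectangular) grid are the conventions the post uses.

```python
"""Columnar transposition, following the APPLE / PENICILLIN example above.

Added example, not from the digest. Conventions assumed: keyword letters are
ranked alphabetically with ties broken left to right, and the final row is
padded with nulls so every column has the same length.
"""
from __future__ import annotations


def key_to_order(key: str) -> list[int]:
    """Return the read-out number of each key column, e.g. APPLE -> [1, 4, 5, 3, 2]."""
    key = key.upper()
    # sort column indices by (letter, position): equal letters keep left-to-right order
    ranked = sorted(range(len(key)), key=lambda i: (key[i], i))
    order = [0] * len(key)
    for rank, col in enumerate(ranked, start=1):
        order[col] = rank
    return order


def _read_sequence(order: list[int]) -> list[int]:
    """Column indices in the order they are read out (rank 1 first)."""
    return sorted(range(len(order)), key=lambda c: order[c])


def encrypt(key: str, plaintext: str, null: str = "X") -> str:
    """Write the plaintext into rows under the key, read the columns by rank."""
    order = key_to_order(key)
    width = len(order)
    text = "".join(ch for ch in plaintext.upper() if ch.isalpha())
    text += null * ((-len(text)) % width)          # pad the last row with nulls
    rows = [text[i:i + width] for i in range(0, len(text), width)]
    return "".join(row[c] for c in _read_sequence(order) for row in rows)


def decrypt(key: str, ciphertext: str) -> str:
    """Inverse: split the ciphertext into equal columns, place them by rank, read rows."""
    order = key_to_order(key)
    width = len(order)
    if len(ciphertext) % width:
        raise ValueError("ciphertext length must be a multiple of the key length")
    height = len(ciphertext) // width
    columns = [""] * width
    for k, col in enumerate(_read_sequence(order)):
        columns[col] = ciphertext[k * height:(k + 1) * height]
    return "".join(columns[c][r] for r in range(height) for c in range(width))


def group(text: str, size: int = 5) -> str:
    """Regroup a letter string into fixed-size blocks for transmission."""
    return " ".join(text[i:i + size] for i in range(0, len(text), size))


if __name__ == "__main__":
    pt = "PENICILLINNOTAVAILABLEUNTILTWOTHREEOCTOBER"
    ct = encrypt("APPLE", pt)
    print(key_to_order("APPLE"))
    print(group(ct))
    print(decrypt("APPLE", ct))
```

The most common mistake when reproducing examples of this kind by hand is numbering repeated key letters in the wrong order or reading columns in key order instead of numeric order; printing `key_to_order` for the keyword in question shows immediately which convention the book is using.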

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
