Cryptography-Digest Digest #822, Volume #9        Fri, 2 Jul 99 14:13:03 EDT

Contents:
  Re: How do you make RSA symmetrical? ([EMAIL PROTECTED])
  Re: How do you make RSA symmetrical? (Ed Yang)
  Re: The One-Time Pad Paradox ("Dr.Gunter Abend")
  Re: Quantum Computers (SCOTT19U.ZIP_GUY)
  Re: The One-Time Pad Paradox (Jim Gillogly)
  Re: The One-Time Pad Paradox (Patrick Juola)
  Re: How do you make RSA symmetrical? ([EMAIL PROTECTED])
  Re: Standard Hash usage (JPeschel)
  Re: additive RNGs ("Oliver Wiedemann")
  Decorelation again ([EMAIL PROTECTED])
  Re: OTP is it really ugly to use or not? ("Dr.Gunter Abend")
  Posting on sci.crypt.research (John Savard)
  Re: Quantum Computers (Patrick Juola)
  Re: MP3 Piracy Prevention is Impossible (Medical Electronics Lab)
  Re: Hey dave scott, some questions ([EMAIL PROTECTED])

----------------------------------------------------------------------------

From: [EMAIL PROTECTED]
Subject: Re: How do you make RSA symmetrical?
Date: Fri, 02 Jul 1999 16:00:33 GMT

[EMAIL PROTECTED] wrote:

> You got the first part right.  There are two keys.  But there are no
> self inverse (des-weak) keys.

No self inverses in RSA?  Sure there are.
Try e = LCM(p-1, q-1) + 1.  (LCM is least common
multiple.)

> Making a system symmetrical means the same on both halves.  This would
> imply using a shared secret key.  Which PKC is not for.

A symmetric (not symmetrical) cipher is one that uses the
same key for encryption and decryption.  That's not what
he meant, as you'll see if you read his post.

--Bryan


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
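A worked check of the self-inverse claim above, added here as an example that is not code from the thread; p = 61 and q = 53 are constructed toy primes. It goes one step beyond the post: besides e = lcm(p-1, q-1) + 1, which makes encryption the identity map, it also flags any e with e*e == 1 (mod lambda(n)), such as e = lcm(p-1, q-1) - 1, where the public exponent decrypts its own output.

```python
from math import gcd, lcm

# Constructed toy primes; real RSA uses primes of 1024+ bits.
P, Q = 61, 53

def carmichael_lambda(p: int, q: int) -> int:
    """lambda(n) = lcm(p-1, q-1) for n = p*q with distinct primes p and q."""
    return lcm(p - 1, q - 1)

def classify_exponent(p: int, q: int, e: int) -> str:
    """Checks a defender should run before accepting a public exponent e."""
    lam = carmichael_lambda(p, q)
    if gcd(e, lam) != 1:
        return "invalid: e is not coprime to lambda(n)"
    d = pow(e, -1, lam)                      # private exponent
    if e % lam == 1:
        # Bryan's e = lcm(p-1, q-1) + 1: e == 1 (mod lambda), so m**e == m (mod n)
        return "degenerate: encryption is the identity map"
    if d == e:
        # e*e == 1 (mod lambda): the public key decrypts its own ciphertexts
        return "degenerate: e is its own inverse (d == e)"
    return "ok"

def apply_twice_all(p: int, q: int, e: int) -> bool:
    """True when m -> (m**e)**e returns every m in Z_n, i.e. e is self-inverse."""
    n = p * q
    return all(pow(pow(m, e, n), e, n) == m for m in range(n))

def is_identity_all(p: int, q: int, e: int) -> bool:
    """True when m**e == m (mod n) for every m in Z_n."""
    n = p * q
    return all(pow(m, e, n) == m for m in range(n))

if __name__ == "__main__":
    lam = carmichael_lambda(P, Q)            # 780 for p = 61, q = 53
    for e in (17, lam + 1, lam - 1, 2):
        print(e, classify_exponent(P, Q, e))
```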

------------------------------

From: Ed Yang <[EMAIL PROTECTED]>
Subject: Re: How do you make RSA symmetrical?
Date: Fri, 02 Jul 1999 09:01:59 -1000

Gilad Maayan wrote:

> So what the system does is ID the user (or who he claims to be), get
> his modulus from a central database stored in RAM, and decrypt the 96
> bits he generated using the decryption key and the relevant modulus.
> The system gets back the original 20 bits, compares them to time-now,
> and if equal, positively IDs the user.

If you want to read about an excellent Identification scheme, see
the Guillou-Quisquater ID Algorithm. Please purchase the following
excellent book from amazon.com :

"Cryptography: Theory and Practice" by Douglas Stinson

This is the best book for your purposes; it answers all of the
issues raised in this discussion. It is very well written,
authoritative, detailed, and technically at your level and mine.
After reading that for a month, all will become clear!

------------------------------

From: "Dr.Gunter Abend" <[EMAIL PROTECTED]>
Subject: Re: The One-Time Pad Paradox
Date: Fri, 02 Jul 1999 18:37:29 +0200
Reply-To: [EMAIL PROTECTED]


S.T.L.,  tomstdenis,  -kitten,  Jim Gillogly,  William Tanksley,
Douglas Gwyn,  they all told me that a spurious, occasional pattern
will leak *no* information.

I'm sure: OTP *is* secure, it doesn't leak *information*, and an
adversary cannot *know* whether the apparent message is true.
But:  if any occasional message is *persuasive*, he can assume
that it *might* be true.  Like blackmail.  Thus, this spurious
message can have an undesirable effect.  Even in the more likely
case that he got a *wrong* idea, he still joins it with me and
possibly acts upon it.  I'd like to avoid that.

Robert Paulsen gave an example (cancer research), and received
the same answers (there is *no* information, nothing *known*).
Douglas Gwyn: "... a rational adversary must reject *all* such
"messages" (assuming he knows the OTP is working properly)".
If he doesn't know that OTP is used?  If he -- irrationally --
assumes that the encryption technique might have failed?

Why should we encrypt our e-mails anymore, if transmitting a
plaintext message doesn't give an adversary any information,
provided, he *believes* that OTP is used?  We only have to
append something to assure our adversaries that we use OTP.
I wouldn't rely on that -- would you?

If  (a) the fact that I sent an encrypted mail and
    (b) the occasion that the eavesdropper saw an intelligible
text of persuasive content led him to *guess* my message, all
my OTP effort was futile.  Thus, I would prefer such encryption
techniques that *never* produce intelligible ciphertexts.

If any kind of encryption technique could be modified in order
to avoid unfortunate keys, at the expense of a little lower
cryptanalytical strength, I'd prefer it.  The loss of strength
of OTP can be calculated, easier than for other techniques, so
that finally an adversary has the only (irrational) chance to
read my message in the clouds or in the snow on his TV screen.

The proposed technique of appending some garbage at the beginning
of the plaintext in case of an intelligible ciphertext surely
weakens the keystring, no matter if it is done automatically
or by hand.  You refused to quantify this loss of strength.
It's a pity.  So I'd stop this request now.  Good bye.

Gunter Abend

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Quantum Computers
Date: Fri, 02 Jul 1999 17:17:13 GMT

In article <7lie5g$scq$[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Patrick Juola) 
wrote:
>In article <7lgqef$qsg$[EMAIL PROTECTED]>,
>Greg Ofiesh  <[EMAIL PROTECTED]> wrote:
>>
>>> So why don't you do some reading, instead of scare-mongering?
>>
>>Because scare-mongering is more fun?
>>
>>No seriously, I looked at all your posts.  When I said that I did not
>>know of anyone's credentials to comment on my assertion, I was talking
>>about those who posted back to me.  However, I thought you made a good
>>point.  Rather than ask all of you, I should just look using the search
>>engine - dah!  (It's times like these that I ask myself why I bother
>>getting up in the morning.)
>>
>>But I am curious.  You are so certain that I am wrong (and dumb), yet
>>you are so patient.  Why?  I mean, I would not bother writing back if I
>>were you.
>
>I'm a college professor (for my sins).  Part of my penance involves
>educating the incorrect.  The rest of it involves grading papers and
>tests.
>
>

  Yes I can see your sins much better now. I also have a better
appreciation for the saying that those that can't do teach.


David A. Scott
--
                    SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
                    http://www.jim.com/jamesd/Kong/scott19u.zip
                    http://members.xoom.com/ecil/index.htm
                    NOTE EMAIL address is for SPAMERS

------------------------------

From: Jim Gillogly <[EMAIL PROTECTED]>
Subject: Re: The One-Time Pad Paradox
Date: Fri, 02 Jul 1999 10:23:02 -0700

Dr.Gunter Abend wrote:
> I'm sure: OTP *is* secure, it doesn't leak *information*, and an
> adversary cannot *know* whether the apparent message is true.
> But:  if any occasional message is *persuasive*, he can assume
> that it *might* be true.  Like blackmail.  Thus, this spurious
> message can have an undesirable effect.  Even in the more likely
> case that he got a *wrong* idea, he still joins it with me and
> possibly acts upon it.  I'd like to avoid that.

But you can't avoid it.  If you're careful to doctor your OTP
so that it avoids plaintext, you haven't yet solved the problem.
Even more likely than passing plaintext (but still with a
vanishingly small probability -- I and most of your respondents
would say a negligible probability) is that it would result in
a Caesar cipher of your plaintext; more likely still (and still
astronomically unlikely) is that it would give a simple
substitution of your plaintext.  Your opponent can easily solve
either of these, and conclude (correctly or incorrectly,
depending on which of the infinite monkeys typed it) that she
has discovered your secret.

> Why should we encrypt our e-mails anymore, if transmitting a
> plaintext message doesn't give an adversary any information,
> provided, he *believes* that OTP is used?  We only have to
> append something to assure our adversaries that we use OTP.
> I wouldn't rely on that -- would you?

You seem to be wilfully ignoring the point, which is that any
sensible accidental plaintext-appearing encryption, right or
wrong, has a vanishingly small probability of occurrence.
If the OTP key stream generator is broken, then it must
be fixed before being used -- we all agree on that,
and most of us disagree on how to determine it's broken.
Fine -- that's a legitimate area for disagreement.
Worrying about how random ciphertext in the absence of real
cryptanalysis will affect the mental state of the interceptor
is simply not a problem; and if it were a problem, it's not one
that can be addressed analytically because of the wide variation
of possible mental types that might be trying to intuit
something from your random ciphertext.

> If any kind of encryption technique could be modified in order
> to avoid unfortunate keys, at the expense of a little lower
> cryptanalytical strength, I'd prefer it.  The loss of strength
> of OTP can be calculated, easier than for other techniques, so
> that finally an adversary has the only (irrational) chance to
> read my message in the clouds or in the snow on his TV screen.

Then feel free to calculate that loss of strength.  Nobody is
stopping you.  But your definition of "unfortunate keys" is
sufficiently vague that nobody else can do this for you, and
nobody else seems to agree that the effect you're trying to
achieve is worth achieving.  We agree that an alleged RNG
can actually be a broken RNG, this is not at issue: if this
is the case, shifting it by a bit won't fix it.

> The proposed technique of appending some garbage at the beginning
> of the plaintext in case of an intelligible ciphertext surely
> weakens the keystring, no matter if it is done automatically
> or by hand.  You refused to quantify this loss of strength.
> It's a pity.  So I'd stop this request now.  Good bye.

So quantify it yourself -- it's <your> research, no?  Don't
forget to include a way for the legitimate decryptor to know
how far to shift the OTP to avoid the patterns you want to
eliminate.

-- 
        Jim Gillogly
        9 Afterlithe S.R. 1999, 17:08
        12.19.6.5.17, 8 Caban 5 Tzec, Ninth Lord of Night

------------------------------

From: [EMAIL PROTECTED] (Patrick Juola)
Subject: Re: The One-Time Pad Paradox
Date: 2 Jul 1999 13:18:08 -0400

In article <[EMAIL PROTECTED]>,
Dr.Gunter Abend <[EMAIL PROTECTED]> wrote:
>
>S.T.L.,  tomstdenis,  -kitten,  Jim Gillogly,  William Tanksley,
>Douglas Gwyn,  they all told me that a spurious, occasional pattern
>will leak *no* information.
>
>I'm sure: OTP *is* secure, it doesn't leak *information*, and an
>adversary cannot *know* whether the apparent message is true.
>But:  if any occasional message is *persuasive*, he can assume
>that it *might* be true.

This, however, is also the case for an occasional message that might
exist only spuriously -- and that might in fact be conjured out
of thin air by the recipient in a drunken stupor.

>Like blackmail.  Thus, this spurious
>message can have an undesirable effect.  Even in the more likely
>case that he got a *wrong* idea, he still joins it with me and
>possibly acts upon it.  I'd like to avoid that.

You can't.  This has nothing to do with cryptography and everything
to do with psychology; he may decide that your apparently encrypted
text is actually a ZIP-compressed Word file, (attempt to) decompress
it, and, vastly improbably though it seems, find that you sent him
a compressed confession to setting the Reichstag fire.

Similarly, he may not believe that you are using an OTP; he may decrypt
your message with 3DES and find a spurious plaintext underneath.  Or
even the correct plaintext.

>Why should we encrypt our e-mails anymore, if transmitting a
>plaintext message doesn't give an adversary any information,
>provided, he *believes* that OTP is used?

Because the adversary probably doesn't believe that you're using an
OTP.  Why should he believe this?  Upon what evidence would he base
this belief?

>We only have to
>append something to assure our adversaries that we use OTP.
>I wouldn't rely on that -- would you?

Only because you have no way of making your assurances stick.

>If  (a) the fact that I sent an encrypted mail and
>    (b) the occasion that the eavesdropper saw an intelligible
>text of persuasive content led him to *guess* my message, all
>my OTP effort was futile.

But not harmful.  Your adversary could just as easily have guessed
your message from the entrails of goats or the flight of a flock
of birds.

>Thus, I would prefer such encryption
>techniques that *never* produce intelligible ciphertexts.

But this is *provably* impossible -- if you regard spurious guessing
as "intelligibility", then *any* cyphertext is intelligible.

You are frantically searching for a provably impossible solution to
a non-problem.

        -kitten

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: How do you make RSA symmetrical?
Date: Fri, 02 Jul 1999 17:13:35 GMT


> Cyphertext length in RSA is always going to be approximately the length
> of N-- it will be very rare for it to be shorter by an appreciable number
> of bits. ( Another way of thinking about it is say I use an X bit block
> cypher on my data my output will pretty much always be X bits long-- if I
> make a policy of discarding leading 0's there will be occasional shorter
> cyphertexts, but they will also be rare).  Thinking of it this way RSA has
> a block size of log2(N) bits.

You cannot remove 0 bits from the ciphertext if you do you will not be
able to decrypt it (I believe this is the halting problem?).  You will
have to store the length with it so you might as well just store the
zeroes...

The ciphertext and plaintext *ARE ALWAYS* the same size.   No bends or
curves here...

Tom
--
PGP key is at:
'http://mypage.goplay.com/tomstdenis/key.pgp'.


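The ciphertext-length question in this exchange, worked through as an added example that is not code from the thread: textbook RSA with constructed toy primes 61 and 53, counting how many ciphertexts have fewer bits than the modulus, and encoding every ciphertext at the fixed octet width of n (PKCS#1-style I2OSP) so that leading zeros are never lost. It generalizes the point slightly: because m -> m**e mod n permutes Z_n, the count of short ciphertexts does not depend on e at all.

```python
from math import lcm

# Constructed toy primes (not from the thread); n = 3233 is 12 bits wide.
P, Q, E = 61, 53, 17

def rsa_keypair(p: int, q: int, e: int):
    n = p * q
    d = pow(e, -1, lcm(p - 1, q - 1))
    return n, e, d

def i2osp(x: int, length: int) -> bytes:
    """PKCS#1 I2OSP: fixed-width big-endian octets, leading zero bytes kept."""
    return x.to_bytes(length, "big")

def os2ip(octets: bytes) -> int:
    return int.from_bytes(octets, "big")

def modulus_octets(n: int) -> int:
    return (n.bit_length() + 7) // 8

def encrypt_block(n: int, e: int, m: int) -> bytes:
    """Textbook RSA of one integer block, always encoded at the width of n."""
    return i2osp(pow(m, e, n), modulus_octets(n))

def decrypt_block(n: int, d: int, c: bytes) -> int:
    return pow(os2ip(c), d, n)

def count_shorter_ciphertexts(n: int, e: int, bits: int) -> int:
    """How many of the n possible ciphertexts have at least `bits` fewer
    bits than n. Since m -> m**e mod n permutes Z_n, this is exactly the
    number of integers below 2**(bit_length(n) - bits), whatever e is."""
    limit = 1 << (n.bit_length() - bits)
    return sum(1 for m in range(n) if pow(m, e, n) < limit)

def all_same_width(n: int, e: int) -> bool:
    """Every encoded ciphertext has the same length, including the ones
    whose integer value would print with fewer digits."""
    width = modulus_octets(n)
    return all(len(encrypt_block(n, e, m)) == width for m in range(n))

if __name__ == "__main__":
    n, e, d = rsa_keypair(P, Q, E)
    for b in (1, 4, 8):
        print(f"ciphertexts at least {b} bit(s) shorter than n:",
              count_shorter_ciphertexts(n, e, b), "of", n)
    print(encrypt_block(n, e, 65), decrypt_block(n, d, encrypt_block(n, e, 65)))
```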

------------------------------

From: [EMAIL PROTECTED] (JPeschel)
Subject: Re: Standard Hash usage
Date: 02 Jul 1999 17:38:23 GMT

>[EMAIL PROTECTED] (Keith A Monahan) writes:

>I'm in the process of collecting some different public domain sources
>together into a brute-force cracker for Blowfish.  The cracker isn't designed
>to attack a large key, I need it to recover a few characters that I don't
>remember on my password.  Given Blowfish's relatively fast speed, I should
>be able to test a decent amount of passwords per second and combine that with
>some dictionary attacks and so forth, it could be a useful utility.
>
>

Good luck with the cracker, and don't forget to send it to me if it works!  :-)

Is your cracker for Blowfish, or for BestCrypt? As I recall from a previous
thread you had forgotten your BC password.  If the cracker is for BestCrypt
you'll need to be sure about the way in which they've implemented
Blowfish -- if  that is what it really is.  Does the company make the source
code available?

I hope you're writing this cracker in C and using PCL.  Don't forget to give
Pavel some credit.

Joe
__________________________________________

Joe Peschel 
D.O.E. SysWorks                                 
http://members.aol.com/jpeschel/index.htm
__________________________________________


------------------------------

From: "Oliver Wiedemann" <[EMAIL PROTECTED]>
Subject: Re: additive RNGs
Date: 2 Jul 1999 15:37:10 GMT

<[EMAIL PROTECTED]> wrote:
>
> The site is messed up.  It had the link 'Papers related to DIEHARD' but
> it didn't go anywhere... Is there a mirror site?

Just download one of the zipped executables for your operating system at
http://stat.fsu.edu/~geo/diehard.html
They contain the mentioned postscript document and a few others as well.

Best regards ... Oliver



------------------------------

From: [EMAIL PROTECTED]
Subject: Decorelation again
Date: Fri, 02 Jul 1999 15:39:10 GMT

If the module is provably secure to linear and diff types attacks
then...


a) what are the known weaknesses (i.e. expansion variables...)

b) would it not make a good building tool for hash functions?

Tom
--
PGP key is at:
'http://mypage.goplay.com/tomstdenis/key.pgp'.



------------------------------

From: "Dr.Gunter Abend" <[EMAIL PROTECTED]>
Subject: Re: OTP is it really ugly to use or not?
Date: Fri, 02 Jul 1999 19:57:01 +0200
Reply-To: [EMAIL PROTECTED]

Dave Hazelwood wrote:

> McInnis> B) If you've used a PRNG to generate your pad, they can,
>> in theory, tell whether the pad that matches your innocuous
>> cleartext to the ciphertext could have come from your PRNG.
>> Given a cleartext/ciphertext pair and a PRNG algorithm you will
>> probably not be able to produce a PRNG seed that will produce a
>> matching pad.
>>
>> The practicality of "B" depends on PRNG algorithm, bit length of
>> the seed, "randomness" of the seed, whether they expect you to
>> remember the seed, processing power available, etc. but it is a
>> theoretical risk.
>
> Yeah but it is a bit far out.  I think it would be more suspect
> if you did remember the seed!
>                        ...  What can they say to that? Nada.

If your PRNG uses a seed of too few bits, a brute force
attack on it will reveal whether the pretended pad could have
come from your PRNG, or if there is no possible seed for it.
You should use a PRNG with a large seed. This seems to be a huge
effort, and possibly will break the US law.

If you succeed in programming such a PRNG, it might be used as a
strong encryption tool:  Use the combination of a secret key and
an arbitrary one-time-appendix as the seed, transmit this appendix
and the XOR of your message with the pseudo-OTP of the PRNG.

Did I invent the wheel again?

Ciao,   Gunter
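The scheme Gunter sketches (secret key plus a one-time appendix as the PRNG seed, message XORed with the pseudo-OTP) together with McInnis's point B about short seeds, as an added example that is not code from the thread; the SHA-256 counter-mode PRNG, the deliberately tiny 16-bit key and the messages are constructed assumptions.

```python
import hashlib
import os

def keystream(seed: bytes, length: int) -> bytes:
    """Assumed toy keyed PRNG (not from the thread): SHA-256 in counter mode.
    Any deterministic PRNG would serve the argument; this one is easy to audit."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, message: bytes, appendix=None):
    """Gunter's proposal: seed = secret key || one-time appendix (a nonce).
    The appendix travels in the clear next to message XOR keystream."""
    if appendix is None:
        appendix = os.urandom(16)        # fresh for every message, never reused
    pad = keystream(key + appendix, len(message))
    return appendix, bytes(m ^ k for m, k in zip(message, pad))

def decrypt(key: bytes, appendix: bytes, ciphertext: bytes) -> bytes:
    pad = keystream(key + appendix, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, pad))

def some_key_explains(claimed_plaintext: bytes, ciphertext: bytes,
                      appendix: bytes, key_bits: int) -> bool:
    """McInnis's point (B): given a claimed plaintext/ciphertext pair, ask
    whether ANY key of key_bits bits makes the PRNG emit the implied pad.
    The genuine plaintext always passes; an invented one practically never
    does, so a short seed gives an 'innocuous cleartext' story away.
    At 128 key bits this loop is infeasible, which is why Gunter's advice
    to use a PRNG with a large seed matters."""
    implied_pad = bytes(p ^ c for p, c in zip(claimed_plaintext, ciphertext))
    width = (key_bits + 7) // 8
    return any(
        keystream(k.to_bytes(width, "big") + appendix, len(implied_pad)) == implied_pad
        for k in range(1 << key_bits)
    )

if __name__ == "__main__":
    key = (0x1234).to_bytes(2, "big")    # constructed, deliberately tiny 16-bit key
    appendix, ct = encrypt(key, b"meet at noon")
    print(decrypt(key, appendix, ct))
    print(some_key_explains(b"meet at noon", ct, appendix, 16))   # True
    print(some_key_explains(b"lunch at one", ct, appendix, 16))   # False
```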

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Posting on sci.crypt.research
Date: Fri, 02 Jul 1999 17:42:13 GMT

Under "e-mail encryption method", there is a posting of a patent
application for a method of encryption that is supposed to give
"perfect" security...

and it uses a random table with 65,536 16-bit entries.

Could someone be trying to steal Scott16u?

John Savard ( teneerf<- )
http://members.xoom.com/quadibloc/crypto.htm

------------------------------

From: [EMAIL PROTECTED] (Patrick Juola)
Subject: Re: Quantum Computers
Date: 2 Jul 1999 13:06:36 -0400

In article <7liolq$1en8$[EMAIL PROTECTED]>,
SCOTT19U.ZIP_GUY <[EMAIL PROTECTED]> wrote:
>In article <7lie5g$scq$[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Patrick Juola) 
>wrote:
>>I'm a college professor (for my sins).  Part of my penance involves
>>educating the incorrect.  The rest of it involves grading papers and
>>tests.
>>
>>
>
>  Yes I can see your sins much better now. I also have a better
>appreciation for the saying that those that can't do teach.

Yes?  And what team do you coach, Mr. Scott?

        -kitten

------------------------------

From: Medical Electronics Lab <[EMAIL PROTECTED]>
Subject: Re: MP3 Piracy Prevention is Impossible
Date: Fri, 02 Jul 1999 12:52:12 -0500

Gilles Fayad wrote:
> 
> Anyone with good pointers on watermarking techniques?

This looks like an interesting place:
http://www.cl.cam.ac.uk/users/fapp2/steganography/image_watermarking/

Patience, persistence, truth,
Dr. mike

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Hey dave scott, some questions
Date: Fri, 02 Jul 1999 18:02:45 GMT

<snip>

hmm... still no response.  Dave, come on and save yourself.

btw, if Scottu8 is safe I would not mind promoting it (i.e. playing with
it, seeing how to get it fast ...).  You have to answer the questions
first though (seeing how this is your research and not mine).

Thanks,
Tom



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
