Cryptography-Digest Digest #859, Volume #9 Fri, 9 Jul 99 18:13:03 EDT
Contents:
Re: The Constrained One-Time Pad and the Cryptanalyst's Lucky Day (Patrick Juola)
Re: randomness of powerball, was something about one time pads (AllanW)
Re: The Iraqi Block Cipher (David A Molnar)
Re: Uncrackable? (NFN NMI L.)
Re: I don't trust my sysadmin (Jerry Coffin)
Re: The Constrained One-Time Pad and the Cryptanalyst's Lucky Day (AllanW)
Re: Properties of Chain Addition? ("John Shonder")
Re: Impossible to decrypt files encrypted with attached program - encrypt.exe [0/1] (Ben)
Re: The Iraqi Block Cipher (John Savard)
Re: Possible Extension for Block Ciphers (Mok-Kong Shen)
Re: Stream Cipher != PRNG (Mok-Kong Shen)
Re: Weakness of MLCG style encryption (Mok-Kong Shen)
Re: Summary of 2 threads on legal ways of exporting strong crypto (Mok-Kong Shen)
Re: Summary of 2 threads on legal ways of exporting strong crypto (Mok-Kong Shen)
Re: Summary of 2 threads on legal ways of exporting strong crypto (Mok-Kong Shen)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (Patrick Juola)
Subject: Re: The Constrained One-Time Pad and the Cryptanalyst's Lucky Day
Date: 9 Jul 1999 15:15:41 -0400
In article <7m5f24$h6e$[EMAIL PROTECTED]>, AllanW <[EMAIL PROTECTED]> wrote:
>
>> "Robert C. Paulsen, Jr." wrote:
>> > But the next thing to consider is that the tiny degree to which
>> > quantum randomness affects the initial conditions may be enough so
>> > that the quantum randomness is magnified to be the primary factor
>> > in the results. (These "initial" conditions get applied at every
>> > bump and bounce the dice take.)
>
>"Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote:
>> Rolling dice would be just as random if physics were Newtonian
>> and not quantum. You were right in identifying this as an
>> example of chaos, however. The outcome is determined by many
>> nonlinearly interacting, hard-to-control factors.
>
>Suppose I had the money and inclination to perform an experiment.
>I construct a device which will launch a die with a constant
>force. Another device is responsible for loading the die into the
>first device in an absolutely consistent fashion -- the same
>orientation (1 up, 2 faces forward) and pressure. I bring these
>devices into a small enclosed room which has no living organisms.
>There are also no air currents and constant air pressure -- say a
>partial vacuum -- we can make it a perfect vacuum if that helps.
>The devices do not move, so every time they launch the die they
>shoot in the same direction and the die hits the same spot on
>the floor. The die and the floor are both made from hardened
>steel or something else that resists scratches, dents, etc. The
>room has no windows and is illuminated only by an incandescent
>bulb, hooked up to a voltage regulator to ensure that the bulb's
>brightness does not vary.
>
>Can we expect to "roll" the same number each time?
No. Not under Newtonian *nor* quantum physics. The device you
describe that launches the die with "a constant force" cannot be
built; the best that you can build is a device that launches
the die with a force that deviates from constancy by a very
small amount. Similarly, you can't load the die "absolutely
consistent[ly]", nor can you make any enclosed space a "perfect
vacuum." In all of your preparations there will inevitably be a
very slight residuum of error which may be magnified depending on
how the die hits and bounces. This is the essence of chaos theory.
Of course, depending on how the die is thrown, the die may come to
rest before the small effects have a chance to amplify; for example,
if instead of throwing a die, you *drop* a die (vertically), it
may not bounce at all and will land in the same orientation in which
it was dropped; this would be, paradoxically, *more* pronounced if
you were to drop it onto a soft surface such as closed-cell foam
instead of the hardened steel floor you recommend (and if the die
itself were made of closed-cell foam).
So in practical terms you *could* guarantee rolling the same number
every time by making sure that the minor effects didn't have a
chance to influence the final result. An easier way would be to
load the dice.
-kitten
------------------------------
From: AllanW <[EMAIL PROTECTED]>
Subject: Re: randomness of powerball, was something about one time pads
Date: Fri, 09 Jul 1999 18:34:30 GMT
[EMAIL PROTECTED] wrote:
> On lotteries: you can help yourself by only selecting numbers
> greater than 31. This means that you won't have to share with
> people who select birthdays (or other dates). It doesn't
> improve your chances of winning but it gives you a better
> expectation. Only works if you select dates.
Unless many people take your advice. In that case, most people
would choose numbers greater than 31, and when they won they
would share the prize more often than the rarely-picked 31-and-
under crowd.
> Of course, always take the cash, let the credit go. You
> might not live out the span of an annuity. Might as well
> live well immediately.
Good idea for mere mortals, such as yourself. Personally, I
intend to live forever. I might not make it, but so far it's
worked out rather well.
--
[EMAIL PROTECTED] is a "Spam Magnet," never read.
Please reply in newsgroups only, sorry.
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: The Iraqi Block Cipher
Date: 9 Jul 1999 19:08:37 GMT
John Savard <[EMAIL PROTECTED]> wrote:
> David Crick <[EMAIL PROTECTED]> wrote, in part:
>>For those of you who haven't seen it....
>>/* The IRAQI BLOCK CIPHER BSF-1.052.36*/
>>/* Iraqi cipher standard 1998 */
>>/* 160-bit keys, 256-bit block */
> I guess I read the program too quickly; is this a joke at the expense
> of Saddam Hussein, or a real block cipher? If so, wherever was this
> standard published?
It showed up at ftp://ftp.replay.com/pub/crypto/incoming/ibc.c
and possibly elsewhere as an anonymous upload. Your guess is
as good as mine about how "real" it is. In that respect it's
kind of like the "S-1" cipher posted to cypherpunks a few years
back -- mysterious block cipher out of nowhere with intriguing
name suddenly shows up, invites analysis.
-David
------------------------------
From: [EMAIL PROTECTED] (NFN NMI L.)
Subject: Re: Uncrackable?
Date: 09 Jul 1999 18:46:41 GMT
<<The algorithm is completely reversible>>
And completely not provided. (Because you didn't post binaries to sci.crypt, we
won't flame you, but provide algorithms next time!)
Moo-Cow-ID: 73 Moo-Cow-Message: your
-*---*-------
S.T.L. (NFN NMI L. also) -===> [EMAIL PROTECTED] <===- 2^6972593 - 1 IS PRIME!
Quotations: http://quote.cjb.net Main site: http://137.tsx.org F00FC7C8 MOO!
"Xihribz! Peymwsiz xihribz! Qssetv cse bqy qiftrz!" e^(i*Pi)+1=0 Mail block
is gone, but will return if I'm bombed again. It was an easy fix. Address is
correct as-is. Giving the correct address is COURTEOUS; junk gets in anyway.
Join the Great Internet Mersenne Prime Search at http://entropia.com/ips/ My
.sig is even shorter, and contains 3046 bits of entropy including next line:
-*---*-------
Card-holding member of the Dark Legion of Cantorians, People for the Ethical
Treatment of Digital Tierran Organisms, the Holy Order of the Catenary, the
Great SRian Conspiracy, the Triple-Sigma Club, the Polycarbonate Syndicate,
the Union of Quantum Mechanics, the Roll-Your-Own Crypto Alliance, and the
Organization for the Advocation of Two-Letter Acronyms (OATLA)
Avid watcher of "World's Most Terrifying Causality Violations", "When Kaons
Decay: World's Most Amazing CP Symmetry Breaking Caught On [Magnetic] Tape",
"World's Scariest Warp Accidents", "When Renormalization Fails", "World's
Most Energetic Cosmic Rays", and "When Tidal Forces Attack: Caught on Tape"
Patiently awaiting the launch of Gravity Probe B and the discovery of M39
Physics Commandment #15: Tidal Forces Fall Off As 1/r^3.
TO INTREPID DEJANEWS SEARCHERS: Physics Commandment 15 properly refers to tidal
forces, Commandment 14 refers to the electromagnetic force. Please excuse my
one-post error when I called the tidal force commandment the 14th. Ah well, it
shall be a test of your skills as a searcher.
------------------------------
From: [EMAIL PROTECTED] (Jerry Coffin)
Subject: Re: I don't trust my sysadmin
Date: Fri, 9 Jul 1999 13:43:27 -0600
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
[ ... ]
> The technology to verify an implementation really doesn't exist yet -
> verifying the design is near the limits of the state of the art. Note
> that NSA and DoD put out deliberate challenges in an attempt to advance
> the state of the art. They know they want an A2 system eventually, but
> don't expect to see one for years - probably many years.
I'm quite certain it'll be many years.
> I remember that, after I read Ritchie's
> classic Turing award lecture about "trusting trust" - in which he
> described inserting what amounted to a security-hole-opening virus into
> a C compiler - I asked a friend in the secure computing community how
> they could hope to prove any code secure given these kinds of tricks.
That was actually Ken Thompson, not Dennis Ritchie.
> His answer was: We examine the machine code. Sure, it's a boring job
> that takes a lot of time and manpower - but compared to other expenses,
> it's no big deal, and there really is no choice anyway.
'tis true at the present time. One of the fundamental points of a
verified implementation is that you shouldn't have to do this though.
Of course, given the kinds of systems you'd expect to use verified
implementations, the machine code would probably get examined as well,
just to be sure. If, however, the formal verification process is
complete and accurate, it should be unnecessary. OTOH, the
verification process can only verify things you start out trying to
prove -- if you start with an incomplete (or inconsistent) set of
rules, you can verify absolutely everything from there on without
accomplishing anything of much use.
------------------------------
From: AllanW <[EMAIL PROTECTED]>
Subject: Re: The Constrained One-Time Pad and the Cryptanalyst's Lucky Day
Date: Fri, 09 Jul 1999 18:09:07 GMT
[EMAIL PROTECTED] wrote:
> No matter *how* a readable message is produced accidentally,
> and if it is the real plaintext or any other one of the huge
> amount of possible but misleading texts, the adversary might
> assume that a mistake has revealed just the truth.
That's the closest thing to intelligence so far on this
thread. But how do we take advantage of it?
The only way that I can think of is both simple and
difficult. Before using a cipher to encrypt the message,
use a code.
That's right, a code. For the juniors out there, I will attempt
to explain the difference between a code and a cipher. Please
don't flame me if my attempt is too simplistic.
A cipher changes and/or rearranges the bits in a message so
that they are no longer intelligible. But a code replaces
words with other words. For example, imagine you're watching
a war movie and someone makes this announcement over the
radio: "The cookies have been baked and grandma has the
package. She will deliver it at tea-time." That was a code.
So, put a message into code, so that it seems to say almost
the opposite of what it really means. Then use a really
simple cipher and send it away. If an attacker tries to
decrypt it, they will end up with text that seems to have
meaning -- but it's actually just our code.
> You never can avoid that an adversary might guess the truth.
> Already the *existence* of a message gives him some hint.
> And if he tries to cryptanalyze it he may accidentally get
> something readable. But, the higher the effort to get it, the
> lower the probability that he believes it.
Why do you say that? If I was able to crack a message too
easily, I would worry that I was meant to read it -- that it
was actually "disinformation."
> Only if it is simply visible, he may take it for true --
> because accidentally there could be no encryption at all
> or a malfunction of a usually strong cipher.
So if the ciphertext reads
lkjfdl;9iugeiygMaryLoves-Sallykmkjnfdkunbfdoui
you're likely to believe that the message is really about
Mary and Sally, even though there are trillions of other
more-likely possibilities?
This is interesting. If even 1% of cryptanalysists have
beliefs similar to yours, we could take advantage of it.
Simply add a customizable collection of "Disinformation
Strings" to your favorite encryption algorithm. At random
intervals throughout the message, it emits one of the
strings as if it were part of the ciphertext -- and
anybody naive enough to take it at face value will stop
trying to decrypt the real message.
------------------------------
From: "John Shonder" <[EMAIL PROTECTED]>
Crossposted-To: sci.math
Subject: Re: Properties of Chain Addition?
Date: Fri, 9 Jul 1999 16:06:51 -0400
John Savard wrote in message <[EMAIL PROTECTED]>...
>The VIC cipher used by Russian spies involved a technique for
>generating pseudorandom numbers known as "chain addition".
>
>One starts with a number of a certain number of digits...
>
>such as 8492
>
>and continues to produce new digits by appending the modulo-10 sum of
>the first two digits to the end of the number, and deleting the first
>digit of the number.
>
>Thus 8492 generates 2 (8+4=12), then 3 (4+9=13), then 1 (9+2=12), then
>4 (2+2=4), and so on.
Though I doubt if this is relevant (but when did that ever stop anyone
from posting to usenet?), the American Cryptogram Association had a
pencil-and-paper system called the "Gromark", which used exactly
that system to generate the key. Back around 1989 I corresponded with
someone who was writing an article about the period of these keys
for "Cryptologia".
J. Shonder
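Chain addition as Savard describes it in the quoted text, plus the period question Shonder mentions, worked as an added Python example (not code from either poster); the function names are chosen here, and the seed 8492 is the one from the post.

```python
def chain_addition(seed, count):
    """Generate `count` digits by chain addition from `seed`, a string of at
    least two decimal digits: append (first + second) mod 10, drop the first."""
    window = [int(ch) for ch in seed]
    if len(window) < 2:
        raise ValueError("seed needs at least two digits")
    out = []
    for _ in range(count):
        new = (window[0] + window[1]) % 10
        out.append(new)
        window = window[1:] + [new]
    return out


def chain_addition_period(seed):
    """Smallest p > 0 after which the digit window returns to `seed`.
    The step (a, b, ..., d) -> (b, ..., d, (a + b) mod 10) is invertible
    (a = last - b mod 10), so the window is purely periodic and the loop
    always terminates. The window is just the last len(seed) output digits,
    so p is also the period of the generated digit stream (the key period
    Shonder's correspondent was studying)."""
    start = tuple(int(ch) for ch in seed)
    if len(start) < 2:
        raise ValueError("seed needs at least two digits")
    window, steps = start, 0
    while True:
        window = window[1:] + ((window[0] + window[1]) % 10,)
        steps += 1
        if window == start:
            return steps


if __name__ == "__main__":
    # Savard's example: 8492 -> 2, 3, 1, 4, ...
    print(chain_addition("8492", 12))
    # A 4-digit window has 10^4 states, so the period is below 10000. Taken
    # mod 2 the recurrence is the primitive LFSR x^4 + x + 1, so for this seed
    # (window 0,0,1,0 mod 2) the period is a multiple of 15.
    print(chain_addition_period("8492"))
```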
------------------------------
From: Ben <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Impossible to decrypt files encrypted with attached program - encrypt.exe [0/1]
Date: Fri, 09 Jul 1999 13:47:58 -0800
John Savard wrote:
> [EMAIL PROTECTED] (Bob) wrote, in part:
>
> >Can anyone decrypt files encrypted with the attached program?
>
> I saw this binary in alt.sources.crypto, and binaries don't belong
> there any more than they do here.
>
> Anyhow, few people are inclined to load just any executable someone
> suggests they try from the Internet on their machines, for good
> reason.
Yes, there are many useful irreversible encryption applications floating
around the Internet masquerading as "viruses" and "trojan horses."
Ben
> John Savard ( teneerf<- )
> http://members.xoom.com/quadibloc/crypto.htm
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: The Iraqi Block Cipher
Date: Fri, 09 Jul 1999 21:38:55 GMT
David A Molnar <[EMAIL PROTECTED]> wrote, in part:
>It showed up at ftp://ftp.replay.com/pub/crypto/incoming/ibc.c
>and possibly elsewhere as an anonymous upload. Your guess is
>as good as mine about how "real" it is. In that respect it's
>kind of like the "S-1" cipher posted to cypherpunks a few years
>back -- mysterious block cipher out of nowhere with intriguing
>name suddenly shows up, invites analysis.
OK - thanks for the info. Since it wasn't officially published by the
Iraqi bureau of standards (which I'd hardly expect to be making this
kind of contribution to the world community), I suspect the chance of
it being "real" is rather slim.
Of course, Russia has given us GOST, and there are some Chinese
researchers doing work openly in the academic community (on such
things as cellular-automaton based public-key systems, as I've heard
of from AC)...I suppose one of these days a block cipher from China
might turn up.
John Savard ( teneerf<- )
http://members.xoom.com/quadibloc/crypto.htm
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Possible Extension for Block Ciphers
Date: Fri, 09 Jul 1999 13:21:34 +0200
[EMAIL PROTECTED] wrote:
>
> The obvious goal is to have key and time dependant permutations of a
> subset input. Stream ciphers for example are time based. This might
> have some merit.
>
> If the counter is private (possibly encrypted per message based on
> another time/key permutation ) it a) makes chosen plaintext attacks
> very limited (you only get control of a subset of the total block) and
> b) makes the permutations semi non-fixed (i.e it's not fixed for the
> entire key...)
I use in my scheme WEAK3-EX, which uses a mixture of stream and
block techniques, output of PRNG to influence the encryption of
individual blocks. Besides plaintext/ciphertext chaining, I use
what I term 'hash chaining', which is a hash value of a block of
information bits in its 'intermediate' stage of being processed,
i.e. a value that is not directly related to the input or output of
a round (each block in WEAK3-EX is processed by a user choosable
variable number of rounds). I believe my design has some non-trivial
connection to what you suggested.
M. K. Shen
==========================
http://www.stud.uni-muenchen.de/~mok-kong.shen/ (Updated: 12 Apr 99)
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Stream Cipher != PRNG
Date: Fri, 09 Jul 1999 13:30:20 +0200
Nicol So wrote:
>
> In my opinion, the essence of stream ciphers is statefulness.
> Pseudorandom number generators can be used in combination with a
> combiner function to construct stream ciphers, but this common
> construction does not cover the full generality of stream ciphers. An
> obvious limitation of this framework is that the cipher's state has no
> dependency on the plaintext stream.
In my humble opinion it is best to combine stream and block encryption
techniques, thus obtaining advantages from both. I attempted that
in the design of my WEAK3-EX.
M. K. Shen
========================
http://www.stud.uni-muenchen.de/~mok-kong.shen/ (Updated: 12 Apr 99)
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Crossposted-To: sci.math
Subject: Re: Weakness of MLCG style encryption
Date: Fri, 09 Jul 1999 13:54:36 +0200
[EMAIL PROTECTED] wrote:
>
> Well when using different types you have to make sure their periods are
> relatively prime.
That gives the maximum possible period of the combined output but
is an issue not dependent on whether you use different types or
the same type of constituent generators. If you use a sufficiently
large number of constituent generators (this is no problem at all
with my scheme), it doesn't hurt too much if this condition is not
satisfied between each and every pair of constituent generators.
If you feel uneasy about that, you can easily do a check and
discard those candidate generators that violate the condition. As
said, such and other 'deficiencies' can easily be compensated by
employing a larger number of constituent generators in my scheme.
>
> > That's exactly the 'deficit' not benefit in my view. Why couldn't
> > you afford to have a large number of generators? Yes, one knows
> > only relatively few good PRNGs in the literature. In my scheme
> > I (pseudo-)randomly generate the constituent generators. Since
> > the parameters of these are randomly chosen, the chance that any
> > individual constituent generator is good is very small. On the
> > other hand employing a large number of them (through intermixing
> > their output sequences) compensates the deficiency of qualities
> > of the individual constituent generators. Of course, if you have
> > a number of good PRNGs, you certainly can also use them as
> > constituent generators in my scheme and that would very likely give
> > you a better result than the randomly chosen ones for the same number
> > of constituent generators. But since in my code the constituent
> > generators are automatically created, I can employ a higher number
> > of these to compensate for that deficiency. I hope that the above
> > is sufficient to explain the 'philosophy' underlying my design.
> > If you have further questions about my compound PRNG, I'll try my
> > best to answer them.
>
> Having fewer is not a deficit. Have you heard of a divide-and-conquer
> attack? It worked against A5. If you rely on using many LCG you will
> only prolong the attack, not seriously hinder it.
To exaggerate, do I need to care if my secret messages are cracked
after 100 years? (This is intended for 'idealists' who strive for
the theoretically inspired 'absolute' security.) It suffices, if
the resources required for analysis far exceed what your enemy
possesses currently or in the near future.
>
> Besides why use 256 generators (which must all have different lengths)
> instead of one or two? Algorithm M if you are interested works like
> this
The number of parameters of 256 generators totals 256 times that
of one generator (assuming they are of the same type). These are
unknowns for the analyst to work out. Note that in my code the number
of constituent generators is not fixed but user choosable. That
number itself is also an unknown for the analyst.
M. K. Shen
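The period check discussed in this exchange, as an added Python example that is not Shen's code: small LCGs with constructed parameters stand in for the constituent generators, candidates whose measured periods are not pairwise coprime are discarded, and the period of a summed-digit output stream is measured against the lcm bound on the joint state.

```python
from math import gcd


def lcg(m, a, c, seed):
    """Linear congruential generator x -> (a*x + c) mod m, yielding each state."""
    x = seed
    while True:
        x = (a * x + c) % m
        yield x


def lcg_period(m, a, c, seed):
    """Length of the cycle the generator settles into from `seed` (tail excluded)."""
    seen = {}
    x, n = seed, 0
    while x not in seen:
        seen[x] = n
        x = (a * x + c) % m
        n += 1
    return n - seen[x]


def lcm_all(values):
    out = 1
    for v in values:
        out = out * v // gcd(out, v)
    return out


def coprime_subset(candidates):
    """Measure each candidate's period and keep it only if that period is
    coprime with every period already kept (later conflicts are discarded).
    Returns a list of (params, period)."""
    kept = []
    for params in candidates:
        p = lcg_period(*params)
        if all(gcd(p, q) == 1 for _, q in kept):
            kept.append((params, p))
    return kept


def combined_period(candidates, modulus=10):
    """Exact period of the digit stream formed by summing the generators'
    outputs mod `modulus`. It divides the joint-state period, which is the
    lcm of the individual periods, so only divisors of that lcm are tried."""
    periods = [lcg_period(*c) for c in candidates]
    joint = lcm_all(periods)
    gens = [lcg(*c) for c in candidates]
    for g, (m, *_rest) in zip(gens, candidates):
        for _ in range(m):  # burn in past any pre-periodic tail (shorter than m)
            next(g)
    stream = [sum(next(g) for g in gens) % modulus for _ in range(2 * joint)]
    for d in range(1, joint + 1):
        if joint % d == 0 and all(stream[i] == stream[i + d] for i in range(joint)):
            return d


# Constructed candidates: full-period LCGs (Hull-Dobell conditions hold) with
# periods 7, 8, 9 and 6. gcd(6, 8) = 2 and gcd(6, 9) = 3, so the last one is
# the kind of candidate the check throws out: it adds parameters but no period.
CANDIDATES = [(7, 1, 1, 0), (8, 5, 1, 0), (9, 4, 1, 0), (6, 1, 1, 0)]

if __name__ == "__main__":
    kept = coprime_subset(CANDIDATES)
    periods = [p for _, p in kept]
    print("kept periods:", periods, "joint period:", lcm_all(periods))
    print("all four: lcm", lcm_all([lcg_period(*c) for c in CANDIDATES]),
          "vs product", 7 * 8 * 9 * 6)
    print("summed-digit stream period:", combined_period([c for c, _ in kept]))
```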
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: Summary of 2 threads on legal ways of exporting strong crypto
Date: Fri, 09 Jul 1999 14:13:50 +0200
wtshaw wrote:
>
> It is *inconvenient* to have to write any code. It is *inconvenient* to
> fight pitched battles with government bureaucracies. It is *inconvenient*
> to bother with security at all. Being *inconvenient* only means that only
> a few or one might choose to work through the details of doing something.
>
> I suppose that to write a program of the sort is to start with something
> simple, not even in the crypto line. Surely, you would be simulating the
> advice on how to do something that a text or tutor might give you on the
> same particulars. One real requirement is that the advice be conclusive,
> definitive, and complete; I don't know about you, but that is how I like
> help to come anyway.
If I understand correctly, you are favouring good pedagogical ways of
education of people to design and write their own cryptos.
That's certainly a good point. But if you want others to independently
write a crypto program that is compatible with your own, i.e. able to
communicate with you, the task, I am afraid, is non-trivial in
practice if you confine yourself to giving some 'general' instructions
or guidelines concerning your design.
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: Summary of 2 threads on legal ways of exporting strong crypto
Date: Fri, 09 Jul 1999 14:20:16 +0200
Paul Koning wrote:
>
> But you didn't explain how the material that the URL points to got
> there in the first place. If it wasn't in the US at one time, then
> US export rules don't apply; if it was, then they do. It's not the
> pointing that's the issue, it's the material pointed to. Did you
> export THAT legally?
The best example I know of is PGP. US does not hermetically prohibit
export of strong crypto. The exact and true reasons for this are
yet unknown to me. I have to date only my personal speculations on that.
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: Summary of 2 threads on legal ways of exporting strong crypto
Date: Fri, 09 Jul 1999 14:25:46 +0200
John Savard wrote:
>
> I'm not sure about the recent amendments arrived at in Austria, but
> Canada has been in the Wassenaar arrangement for quite some time. And
> thus there certainly are laws on the books which implement it.
It is my understanding that the Wassenaar agreement signed by a
country is not effective so long as the congress/parliament of that
country has not approved it.
M. K. Shen
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************