Cryptography-Digest Digest #911, Volume #9 Mon, 19 Jul 99 17:13:03 EDT
Contents:
Re: Why public key in PGP ([EMAIL PROTECTED])
Re: A Good Key Schedule (Mok-Kong Shen)
Logic based ciphers (Gabriel Belingueres)
Re: Decimal numbers in hex string ("John Dickinson")
OT ... lotteries and probability Re: The Constrained OTP...Lucky Day (William Ricker)
SSLeay for HP-UX ([EMAIL PROTECTED])
Length of public key in PGP? ([EMAIL PROTECTED])
Re: randomness of powerball, was something about one time pads (William Ricker)
Re: Traffic Analysis (David A Molnar)
OT English Re: DES-NULL attack (William Ricker)
Re: Funny News (Bradley Yearwood)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Why public key in PGP
Date: Mon, 19 Jul 1999 19:14:19 GMT
[EMAIL PROTECTED] wrote:
> [EMAIL PROTECTED] wrote:
> > Because it doesn't provide the advantages that David
> > Molnar was discussing. Authenticated key exchange
> > can provide perfect forward secrecy given that each
> > side starts with the others authenticated public key.
> >
> > You have not clearly described what you mean with this
> > intractable PRNG system, but it clearly either doesn't
> > provide perfect forward secrecy or relies on stronger
> > initial assumptions.
> >
>
> Possibly so. What I mean is both start by seeding a PRNG. The PRNG
> has to have outputs which do not reveal the state any faster than
> brute force of the state. Then each session just uses another random key.
> This way no session is encoded with the same key and you get
> independence in any direction.
The cipher for the session isn't the issue. How do
you get the random session key across?
> I think for this specific situation a PKC may be more work than is
> required.
You can build a system with perfect forward secrecy
from a shared secret, but it's generally more work
than using authenticated key exchange.
--Bryan
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
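The exchange above turns on whether a shared secret plus an "intractable PRNG" can give forward secrecy without ever sending a session key. The following is an added example, not code from either poster: a one-way key ratchet in which both parties hold the same chain key, derive each session key from it, and then replace it with a PRF output so the old state cannot be recovered. HMAC-SHA256 standing in for the PRNG, and the seed having been agreed out of band, are this example's assumptions.

```python
"""Forward secrecy from a shared secret with a one-way key ratchet.

Added example, not code from either poster. Both parties are assumed to
start from the same secret seed (agreed out of band) and keep a chain key
that only moves forward: each session key is a PRF output of the chain
key, and the chain key is then overwritten by another PRF output. Nothing
is sent on the wire to agree a session key. Stealing the chain key after
session k lets an attacker compute sessions k+1, k+2, ... (there is no
backward secrecy) but not sessions 0..k, which is the forward-secrecy
property under discussion. HMAC-SHA256 stands in for the thread's
"intractable PRNG"; that is this example's choice, not the thread's.
"""
import hashlib
import hmac


def _prf(key: bytes, label: bytes) -> bytes:
    """One-way pseudorandom function: HMAC-SHA256 keyed by the chain key."""
    return hmac.new(key, label, hashlib.sha256).digest()


class Ratchet:
    """One party's view of the shared, forward-only state."""

    def __init__(self, chain_key: bytes):
        self.chain_key = chain_key
        self.session = 0

    def next_session_key(self) -> bytes:
        """Derive the current session key, then advance irreversibly."""
        session_key = _prf(self.chain_key, b"session-key")
        # Overwrite the old chain key. The PRF cannot be run backwards, so
        # the key just derived is unrecoverable from the state left in memory.
        self.chain_key = _prf(self.chain_key, b"advance-chain")
        self.session += 1
        return session_key


def session_keys(seed: bytes, count: int) -> list[bytes]:
    """Keys one party derives for sessions 0..count-1 from the seed."""
    r = Ratchet(seed)
    return [r.next_session_key() for _ in range(count)]


def chain_key_after(seed: bytes, sessions: int) -> bytes:
    """State left in memory after `sessions` sessions have been completed."""
    r = Ratchet(seed)
    for _ in range(sessions):
        r.next_session_key()
    return r.chain_key


def recoverable_from_stolen_state(stolen_chain_key: bytes, horizon: int) -> list[bytes]:
    """Everything an attacker holding a stolen chain key can derive from it."""
    return session_keys(stolen_chain_key, horizon)


if __name__ == "__main__":
    seed = b"constructed shared seed; use 32 random bytes in practice"
    alice, bob = session_keys(seed, 6), session_keys(seed, 6)
    assert alice == bob  # both sides derive identical keys with no key transport
    stolen = chain_key_after(seed, 3)
    leaked = recoverable_from_stolen_state(stolen, 3)
    print("future sessions exposed:", leaked == alice[3:6])
    print("past sessions exposed:", any(k in leaked for k in alice[:3]))
```

The design answers "how do you get the random session key across" by not sending one at all: both sides compute it. What it does not give is recovery after a compromise; once the chain key is stolen, every later session is readable until a fresh secret is agreed, which is where the authenticated ephemeral key exchange the reply recommends does better.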
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: A Good Key Schedule
Date: Mon, 19 Jul 1999 21:00:07 +0200
John Savard wrote:
>
> Well, I'm talking about how to use a passphrase to generate keys.
>
> If I'm generating keys for several different cipher steps, the fact
> that these different steps are getting keys from the same source
> creates a weakness: break one step, and you have a clue to the key
> used by the others.
>
> By using hash functions in the keying process, I prevent the
> cryptanalyst from working backwards from one key to get the other
> keys.
I understand that you apply function or functions to a given
passphrase to get different keys and use these in different steps.
Isn't this analogous to the transformations e.g. DES does to its
key? Or have I missed something?
M. K. Shen
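The point in dispute above is whether hashing the passphrase separately for each cipher step buys anything. The following is an added example, not code from either poster: it puts a naive derivation that reuses passphrase bytes directly (constructed here to show the weakness Savard describes, where one recovered step key yields the others) beside a hashed derivation that stretches the passphrase once and then expands it with a distinct label per step. PBKDF2 and HMAC-SHA256 are this example's choice of primitives and go beyond what the thread specifies.

```python
"""Deriving independent per-step keys from one passphrase.

Added example, not the original posters' code. The naive derivation is a
constructed illustration of the weakness under discussion: it reuses
passphrase bytes directly, so anyone who recovers the key for one step can
compute the others with no cryptanalysis at all. The hashed derivation
stretches the passphrase once (PBKDF2-HMAC-SHA256), then expands the
result with HMAC-SHA256 under a different label per step, so one recovered
subkey gives no usable relation to the rest without inverting the hash.
"""
import hashlib
import hmac

KEY_BYTES = 16


def naive_subkey(passphrase: str, step: int) -> bytes:
    """Weak: cycle the passphrase to key length and offset each byte by `step`."""
    raw = passphrase.encode()
    if not raw:
        raise ValueError("empty passphrase")
    material = (raw * (KEY_BYTES // len(raw) + 1))[:KEY_BYTES]
    return bytes((b + step) & 0xFF for b in material)


def pivot_from_naive_subkey(known: bytes, known_step: int, target_step: int) -> bytes:
    """Attacker's view: one recovered naive subkey gives every other step's key."""
    return bytes((b - known_step + target_step) & 0xFF for b in known)


def stretch_passphrase(passphrase: str, salt: bytes, iterations: int = 20_000) -> bytes:
    """Stretch the passphrase once into a master secret."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations)


def hashed_subkey(master: bytes, step_label: str) -> bytes:
    """Expand the master secret into a labelled, step-specific subkey."""
    return hmac.new(master, step_label.encode(), hashlib.sha256).digest()[:KEY_BYTES]


def hashed_subkeys(passphrase: str, salt: bytes, labels: list[str]) -> dict[str, bytes]:
    """All step keys for a passphrase; each label yields an unrelated key."""
    master = stretch_passphrase(passphrase, salt)
    return {label: hashed_subkey(master, label) for label in labels}


if __name__ == "__main__":
    pp = "correct horse battery staple"   # constructed sample passphrase
    k0 = naive_subkey(pp, 0)
    print("naive step-2 key recovered from step-0 key:",
          pivot_from_naive_subkey(k0, 0, 2) == naive_subkey(pp, 2))
    for label, key in hashed_subkeys(pp, b"constructed salt", ["substitution", "transposition"]).items():
        print(f"{label:14} {key.hex()}")
```

Shen's comparison to the DES key schedule is apt in one respect: both expand one secret into several. The difference the labels make is that the DES subkeys are bit selections of the same 56 bits, whereas labelled hash outputs are not recoverable from one another.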
------------------------------
Date: Mon, 19 Jul 1999 13:15:14 -0600
From: Gabriel Belingueres <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Logic based ciphers
Hi,
I have a question:
Does any cryptosystem exist which is based on the semi-decidability
property of first-order logic, or on the undecidability property of
second-order logic?
Gabriel
------------------------------
From: "John Dickinson" <[EMAIL PROTECTED]>
Subject: Re: Decimal numbers in hex string
Date: Mon, 19 Jul 1999 20:41:09 +0100
John Dickinson wrote in message <7mti7p$p1g$[EMAIL PROTECTED]>...
>The decimal numbers on the left are encrypted? into the following hex
>string using the same algorithm for each one. Any suggestions (sensible) about
>where I start. I tried putting the lot into one long binary string and
>looking for a match, reversed it and inverted it but I have not done any
>XOR signature feedback or anything like that.
>
>I realise that it will probably require that type of approach but need help
>starting off (there's optimism).
>
>206, F8 D2 B2 AC 1C 75 71 16 AF 22 6E 38 EE A3 1E C5
>196, 0E D0 36 05 18 29 FA 16 AF 13 67 3C 6C 43 24 CF
>163, FC D5 32 1D 1D 51 5B 16 AF 5B 6F 38 69 73 2A CD
>139, C5 D8 98 2A 1A 0C 92 17 AE AC 68 32 C4 23 3D CB
>100, 4E C2 AE C1 1C 5C 38 11 AE EF 63 24 FE 83 4D C5
0, FC CD CA F1 17 FE CA 13 AE 43 63 20 91 93 71 CE
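A first step a practitioner would take before guessing at feedback or signature schemes is to line the samples up and measure which output bytes vary, and which vary in step with the input. The following is an added example, not from the original post: it parses the six pairs exactly as posted (the only data available) and reports per-position spread and monotonicity. It identifies no algorithm; it just shows where to look.

```python
"""First-pass structure check on the number/hex-string pairs above.

Added example, not from the original post. For each of the 16 output byte
positions it counts the distinct values seen across the samples and flags
positions whose byte moves strictly monotonically with the decimal input.
Positions that barely change, or change in step with the input, are where
one would start; nothing here identifies the algorithm. SAMPLES_TEXT is
transcribed from the post.
"""
SAMPLES_TEXT = """\
206, F8 D2 B2 AC 1C 75 71 16 AF 22 6E 38 EE A3 1E C5
196, 0E D0 36 05 18 29 FA 16 AF 13 67 3C 6C 43 24 CF
163, FC D5 32 1D 1D 51 5B 16 AF 5B 6F 38 69 73 2A CD
139, C5 D8 98 2A 1A 0C 92 17 AE AC 68 32 C4 23 3D CB
100, 4E C2 AE C1 1C 5C 38 11 AE EF 63 24 FE 83 4D C5
0, FC CD CA F1 17 FE CA 13 AE 43 63 20 91 93 71 CE
"""


def parse_samples(text: str) -> dict[int, bytes]:
    """Turn 'number, hex bytes' lines into {number: bytes}; reject ragged rows."""
    samples = {}
    for line in text.strip().splitlines():
        num, hexpart = line.split(",", 1)
        samples[int(num)] = bytes.fromhex(hexpart.replace(" ", ""))
    widths = {len(v) for v in samples.values()}
    if len(widths) != 1:
        raise ValueError(f"inconsistent output lengths: {widths}")
    return samples


def distinct_values_per_position(samples: dict[int, bytes]) -> list[int]:
    """Number of distinct byte values seen at each output position."""
    width = len(next(iter(samples.values())))
    return [len({v[i] for v in samples.values()}) for i in range(width)]


def monotone_positions(samples: dict[int, bytes]) -> list[int]:
    """Positions whose byte strictly rises or strictly falls as the input grows."""
    ordered = [samples[k] for k in sorted(samples)]
    width = len(ordered[0])
    found = []
    for i in range(width):
        col = [row[i] for row in ordered]
        pairs = list(zip(col, col[1:]))
        if all(a < b for a, b in pairs) or all(a > b for a, b in pairs):
            found.append(i)
    return found


def report(text: str = SAMPLES_TEXT) -> str:
    """Human-readable summary of the two measurements."""
    samples = parse_samples(text)
    lines = [f"position {i:2}: {n} distinct value(s)"
             for i, n in enumerate(distinct_values_per_position(samples))]
    lines.append(f"strictly monotone in the input: {monotone_positions(samples)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

With six samples the counts are only suggestive; a position that takes two values in six samples may take many more in sixty. The useful output is the short list of positions worth collecting more samples for.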
------------------------------
From: William Ricker <[EMAIL PROTECTED]>
Subject: OT ... lotteries and probability Re: The Constrained OTP...Lucky Day
Date: Mon, 19 Jul 1999 18:38:17 GMT
> (I'm guessing that Powerball is something like the UK National
> Lottery, with a load of numbered balls bouncing around in a container
> being stirred for a while before being allowed to fall out a slot.
Yes. PowerBall is available in multiple states in the U.S., as a
joint offering of a consortium of state lottery commissions that
lacked sufficient market to have a big game like their larger
neighbors. Some absurd number of balls drawn without replacement
in one urn, and then one ball drawn from another urn is the
"powerball" ... you have to exactly match the combination (not
permutation) of the first urn's draws and the powerball from the
second urn to win the jackpot. Various close combinations get fixed
(low) payoffs.
> Allegedly the UK Lottery has a slightly positive expectation of gain
> if you only play on rollover weeks (when the previous week was
> unclaimed, so the jackpot is larger),
Right, after the 50% take (worse than illegal numbers games and much
much worse than even the worst bet in a legal casino) to the state
treasury and all fixed-value prizes are paid, the rest rolls over in
the jackpot until claimed, which allows for a top prize nominally
greater than the odds against the $1 ticket.
However, the stated expected "jackpot" is frequently quoted as 20
times the annual payment, such that the state's take is largely hidden
if you compare the pay-in, pay-out, and quoted jackpots -- the
state's take being not exactly but close to the discount on an annuity.
> and take into account the
> patterns of people choosing numbers non-randomly (which doesn't change
> your chance of winning, but does change your chance of having to split
> a big prize with other winners).
Yes, studies have shown that winning numbers that look like sets of
birthdays and other non-random choices are much more likely to have
multiple claimants, thus diluting the payoff (top-prize winners split
jackpot, unlike the denominated lower prizes). Most if not all such
lotteries offer computer-generated random "quick picks". I
disremember whether it was PowerBall or another of which I heard it
claimed that the quick-picks were selected WITHOUT REPLACEMENT,
meaning the lottery was effectively GUARANTEEING that unless someone
manually picked your random numbers, you wouldn't split the pie if
you won unless they had so much action they had to refill the "quick
pick" urn. I don't know that this is true of any lottery, but
interesting if so.
> If something similar is true of
> Powerball,
yes, and many other state lottery games here in the States.
However, one also has to consider that most of these games only pay
prizes as annuities, so you have to figure the present-value-discount
on a 19-year annuity plus down-payment, plus taxes, before you can get
a true expectation. (PowerBall actually allows one to check off
[]lump sum or [] annuity on the wager ticket. I've not tooled out
whether our tax codes make it an obvious win one way or the other.)
However, the same non-linearity of personal utility curves that
explains why the same person would buy both lottery tickets and insurance
predicts that it would be worth buying a ticket at only mildly
negative true expectation.
> and you also had a significant budget (so you don't have to
> play for several lifetimes to expect to win, even if your expectation
> is positive) _and_ better than guesswork prediction of the numbers,
> it's worth playing.
For individuals, it's worth playing at any point where
utility(expectedvalue) > utility(bet), which may occur at
expectedvalue < $1 , while the non-linearity of utility will cap the
amount one is willing to wager.
> Or are there rules forbidding spending federal money on gambling?)
I think that in general federal agencies are required to let the
treasury invest any budget being saved for later, so that any agency
that "expensed" lottery tickets would have to return the winnings to
the general fund rather than plow them back in to the agency budget.
Institutional utility curves are different from people's, hence the
existence of insurance companies and state lotteries. If a state
agency wants to play, its simplest solution is to start a lottery
(or even better, have the legislature instruct the lottery commission
to start one for it, as in the UK Arts Lottery and various specific
entitlements from lottery $$ in the US).
--
Bill Ricker N1VUX [EMAIL PROTECTED] "The freedom of the press belongs
http://world.std.com/~wdr to those who own one."--A.J.Liebling
------------------------------
From: [EMAIL PROTECTED]
Subject: SSLeay for HP-UX
Date: Mon, 19 Jul 1999 18:47:47 GMT
Has anyone successfully built the SSLeay shared library on HP-UX 10.x?
TIA,
Greg
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: [EMAIL PROTECTED]
Subject: Length of public key in PGP?
Date: Mon, 19 Jul 1999 19:19:06 GMT
I used the algorithm described for PGP at
http://world.std.com/~franl/crypto/rsa-guts.html to implement PGP and
found that it might be flawed -- how long should the PGP key be?
Here is a brief description about the algo:
1. Find P, Q -- two large prime numbers;
2. Find E such that 1) E and (P - 1)(Q - 1) are relatively prime; 2) E < PQ;
3. Compute D such that DE = 1 mod(P - 1)(Q - 1).
4. Encrypt(Text) = (Text ^ E) mod PQ;
5. Decrypt(Ciphertext) = (Ciphertext ^ D) mod PQ.
After you encrypt a text with encrypt(T) = (T^E) mod PQ, the
length of the ciphertext is always <= PQ, no matter how long "T" is. The
problem arises when "T" is longer than "PQ". In such a case, the
information in "T" will be lost, and you won't be able to decrypt it
back.
Here is an example,
P = 181 Q = 229 E = 7 D = 5863 PQ = 41449; If T = 33245, then
ciphertext = 40140, decryptedtext = 33245. No problem.
P = 137 Q = 191 E = 3 D = 17227 PQ = 26167; If T = 332453243,
then ciphertext = 24661, decryptedtext = 1508. *** Problem ***
Have I done something wrong?
Thanks.
Weedlet
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
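The two computations in the post can be reproduced exactly, and doing so shows what went wrong: the decrypted value in the second case is T mod PQ, because RSA operates on a single integer below the modulus. The following is an added example, not the poster's code. It checks both sets of numbers, then shows the textbook fix of splitting a byte string into blocks that each fit below n. The 65537/65521 key in the test is a toy modulus chosen here to exercise multi-byte blocks. (PGP itself does not RSA-encrypt message text at all: it RSA-encrypts a random session key, with padding, and encrypts the message under a symmetric cipher.)

```python
"""Textbook RSA on the numbers in the post, and why the second case fails.

Added example, not the poster's code. pow(m, e, n) reproduces both of the
post's computations exactly. In the second case decryption returns
T mod PQ rather than T, because the plaintext integer must be below the
modulus. encrypt_bytes/decrypt_bytes split a message into blocks that
each fit below n, which is the usual fix for the textbook scheme (real
systems add padding and, as PGP does, only RSA-encrypt a session key).
"""
from math import gcd


def rsa_keypair(p: int, q: int, e: int) -> tuple[int, int, int]:
    """Return (n, e, d) for primes p, q and public exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return n, e, d


def encrypt_int(m: int, e: int, n: int) -> int:
    """Textbook encryption as in the post; m >= n silently loses information."""
    return pow(m, e, n)


def decrypt_int(c: int, d: int, n: int) -> int:
    return pow(c, d, n)


def block_size(n: int) -> int:
    """Largest byte count k such that every k-byte value is below n."""
    return (n.bit_length() - 1) // 8


def encrypt_bytes(data: bytes, e: int, n: int) -> list[int]:
    """Split data into blocks guaranteed to be below n and encrypt each."""
    k = block_size(n)
    if k == 0:
        raise ValueError("modulus too small to hold even one byte")
    return [encrypt_int(int.from_bytes(data[i:i + k], "big"), e, n)
            for i in range(0, len(data), k)]


def decrypt_bytes(blocks: list[int], d: int, n: int, length: int) -> bytes:
    """Decrypt each block and reassemble `length` bytes of plaintext."""
    k = block_size(n)
    out = bytearray()
    remaining = length
    for c in blocks:
        size = min(k, remaining)  # the final block may be shorter than k
        out += decrypt_int(c, d, n).to_bytes(size, "big")
        remaining -= size
    return bytes(out)


if __name__ == "__main__":
    n, e, d = rsa_keypair(137, 191, 3)          # second key pair from the post
    T = 332453243
    print("T >= n:", T >= n, "decrypts to", decrypt_int(encrypt_int(T, e, n), d, n), "= T mod n")
    msg = T.to_bytes(4, "big")
    print("blocked:", decrypt_bytes(encrypt_bytes(msg, e, n), d, n, len(msg)) == msg)
```

The answer to "how long should the key be" is therefore not a question of key length: any modulus accepts only plaintext integers below it, and a message longer than that has to be split or, as in PGP, replaced by a short random key that the RSA operation protects.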
------------------------------
From: William Ricker <[EMAIL PROTECTED]>
Subject: Re: randomness of powerball, was something about one time pads
Date: Mon, 19 Jul 1999 19:58:26 GMT
> > What's played there is Chuck-a-Luck as I described it,
> > where the payoff is the same for 1, 2, or 3 shows of
> > your chosen number, not the originally cited game where
> > the payoff is proportional to the number of shows of
> > your number.
Ouch, that's a terrible game. Casino chuck-a-luck with proportional
payoff (plus your wager back) is bad enough odds -- while appearing
favorable to the innumerate. Analysis of this game has been a
favorite of mine since high-school.
> > The latter can be factored into orthogonal
> > subproblems: each die's contribution is *independent* of
> > what goes on with the other dice, so the per-die outcome
> > can be scaled up simply by multiplying by the total
That is exactly the argument of the innumerate, which is why proper
casino chuck-a-luck draws so much profit for the house. (It makes up
quite nicely for being slower than craps.) If you see a carnival
operator so jaded as to not pay 3 for 3 of your number showing, assume
all the other games are rigged worse than usual!
> As I understand the game, you put 1 chip (or whatever) on the counter.
> Then depending on the roll of the dice, either they take your
> chip or you keep your chip and they hand you 1, 2 or 3. Let's call
> this "original rules".
This is as played in casinos and any competent, not outrageously
crooked carnival. You can also call this "Chuck-a-luck by the book"
and cite Scarne or Hoyle or Las Vegas Tourism Bureau.
> Result: -1 with probability 125/216 Expected gain: -0.578
> +1 with probability 75/216 Expected gain: +0.347
> +2 with probability 15/216 Expected gain: +0.138
> +3 with probability 1/216 Expected gain: +0.013
> ----------------------
> -0.080
This is the classical accepted analysis in the literature, except
for the rounding error propagated ... expectation is -17/216=-0.078703704
This is far worse than the best bets on the craps table, slightly
worse than roulette with two zeroes, better than most other "sucker" bets.
> Or we could assume your version, you put one chip on the counter.
> Then depending on the roll of the dice, either they take your
> 1 or you keep your 1 and they hand you 1. Let's call this "cheapskate
> rules".
I'd call it crooked rules. :-)
> Result: -1 with probability 125/216 Expected gain: -0.578
> +1 with probability 91/216 Expected gain: +0.421
> ---------------------
> -0.157
That's worse than many crooked fruit machines. That's not chuck-a-luck.
> In neither case does the game decompose cleanly into a set of three
> independent sub-games. The results on the other two dice influence
> the payoff matrix on the remaining die. In particular, if you've already
> got a six, your stake is no longer at risk.
Exactly. Analysis of a decomposed game would start with a unit bet in
EACH decomposed game, which would be paid fairly, and attempt to divide
through later to simplify (it's unlikely to divide cleanly).
A simpler decomposition that shows vividly WHERE the unfairness in
the matrix is: divide a $6 stake as $1 on each
number, and track your payoffs. (But you have to shift mental gears
and count all 6 triples and _all_ pairs that aren't triples;
geometrical modelling of the probability space may help.)
6 triples +3 won -5 lost = -2 = -12 (1 way * 6 values)
90 doubles +2+1 won -4 lost = -1 = -90 (6 value * 3 choice * (5=n-1 other))
120 mixed +1+1+1 -3 = +0 = 000 remainder
---- --------
216*6 bet=$1296 -$102/$1296 = -0.078703704 = -17/216 ~ -8%
FYI, a fair game would pay
-1 -0.578703704 -125/216 for none
1 0.347222222 75/216 for one
3 0.208333333 45/216 for two of your kind
5 0.023148148 5/216 for three of your kind
0 0/216
> If you can be seduced into believing that "original rules" is cleanly
> decomposable into three independent sub-games then you are a mark.
> The carny wants you to think this.
And have been quite successful. The licensed operators in the
state of Nevada can pay state gambling tax, payroll tax, and
everything else and still make a profit running this game with fair
dice. And suckers continue to think the casino has a game the
casino can't win and try to beat it!
State Lotteries are my favorite revenge on the well-meaning folks who
say with disdain "well, I was never any good at math", but Chuck-a-luck
is right up there. :-)
(Yes I _do_ have my own dice cage, but I prefer only to do fundraisers
with prizes not cashable chips ... If I wanted the stress of playing
for money, I'd learn a blackjack system or buy a riverboat, not
volunteer my time and equipment.)
Thanks for reminding me of an old favorite.
BILL
--
Bill Ricker N1VUX [EMAIL PROTECTED] "The freedom of the press belongs
http://world.std.com/~wdr to those who own one."--A.J.Liebling
------------------------------
From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: Traffic Analysis
Date: 19 Jul 1999 19:52:11 GMT
Roger Carbol <[EMAIL PROTECTED]> wrote:
> Has anyone set up a system (that they can talk about) which regularly
> sent out a lot of noise? Any interesting phenomena arise?
Traffic analysis has come up in conjunction with anonymity -- trying to
ensure that an opponent can't gain information about a nym simply by
spamming it and noticing the flow of messages. The Cypherpunks and
Mixmaster remailers include various measures against traffic analysis,
such as padding all messages to the same length, reordering messages,
random delays, etc. You will want
to check out a site like http://www.obscura.com/~loki ; in particular note
the essay on "Remailer attacks." Try to get a copy of David Chaum's
papers on "digital mixes", while you're at it.
Also see "onion routing" and "clouds" -- systems by which IP packets are
anonymized by losing them in larger streams of traffic. The current
leading implementation of such technologies is Zero Knowledge Systems'
_Freedom_, now in beta test (I'm a beta tester, or will be once I can get
their token server to acknowledge my pitiful existence). Check out
www.zks.net to try it out and get some info and pointers.
I haven't seen traffic analysis "by itself" much, but if anyone has
pointers, that'd be great.
Thanks,
-David Molnar
------------------------------
From: William Ricker <[EMAIL PROTECTED]>
Subject: OT English Re: DES-NULL attack
Date: Mon, 19 Jul 1999 20:09:14 GMT
In article <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]> wrote:
> S.T.L. wrote:
> Formally, you are supposed to quote Churchill here!
Or G.B.Shaw, according to preference. (They said largely the same
thing with slight difference of emphasis.)
--
Bill Ricker N1VUX [EMAIL PROTECTED] "The freedom of the press belongs
http://world.std.com/~wdr to those who own one."--A.J.Liebling
------------------------------
From: [EMAIL PROTECTED] (Bradley Yearwood)
Subject: Re: Funny News
Date: 19 Jul 1999 20:09:51 GMT
In article <[EMAIL PROTECTED]>,
Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
>
>Key escrow can be completely refuted by pointing out that actual
>criminals will simply encrypt with a secure system before using
>the escrowed-key system. As usual, the main effect will be an
>adverse one on *non*criminals.
Yes, and as I pointed out a few years ago when the Clipper and mandatory
key escrow proposals were first floated, this creates an incentive for
smart-enough bad guys to steal or strongarm a legitimate user's
escrow-registered equipment or keys.
Encouraging widespread traffic in escrow-wrapped containers provides a
wonderful plain-sight hiding place which did not previously exist.
The escrow wrapped communication would nominally not be legally
accessible unless law enforcement had identified the specific person
whose equipment or keys had been compromised, to obtain the escrow
release court order for that specific person's keys.
A perverse incentive is thus created to make the victim silent (prevent
specific identification) for as long as possible, which at least in the
Hollywood version of the story, typically means to kill them.
This admittedly assumes very nasty and highly motivated bad guys, but
that's exactly who the key escrow proponents _claim_ they need new means
to pursue.
So you're thrust upon the horns of a devil's dilemma: create this new
threat to the innocent, or erode current wiretap protections so as
not to require the target of wiretap/escrow release to be specifically
identified. It is no trouble at all to guess which one will be argued for.
Brad Yearwood [EMAIL PROTECTED]
Cotati, CA
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************