Cryptography-Digest Digest #62, Volume #10       Tue, 17 Aug 99 00:13:04 EDT

Contents:
  Re: chat sessions? ([EMAIL PROTECTED])
  Re: NIST AES FInalists are.... (wtshaw)
  Re: NIST AES FInalists are.... (wtshaw)
  Re: NIST AES FInalists are.... (wtshaw)
  Re: Do I have a problem with semantics? ("rosi")
  S/MIME compatible digital IDs for use with Netscape and Outlook ("Adrian Cho")
  Re: Q.  a hash of a hash ... ("Brian McKeever")
  Re: Future Cryptology (wtshaw)
  Re: Blowfish algorithm - Is it foolproof? (Eric Lee Green)
  Re: I HOPE AM WRONG (wtshaw)
  Re: rsa in other fields ([EMAIL PROTECTED])
  Re: The Most Secure Symmetric Algorithm (not counting the one-time pad) Ever! 
(wtshaw)
  Re: NIST AES FInalists are.... ("Douglas A. Gwyn")
  Kana, was occurrence of letters in english (wtshaw)
  Re: The Most Secure Symmetric Algorithm (not counting the one-time pad) Ever! 
(wtshaw)
  Re: The Most Secure Symmetric Algorithm (not counting the one-time pad) Ever! 
(wtshaw)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED]
Subject: Re: chat sessions?
Date: Sun, 15 Aug 1999 16:11:48 -0400

[EMAIL PROTECTED] wrote:

> Can anyone make it for say 10 minutes at least tonight (1AM GMT) just
> to get an idea of who can show up (or responsed to the posts here)?

Yeah, I'll bring some friends too.


------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: NIST AES FInalists are....
Date: Mon, 16 Aug 1999 20:24:05 -0600

In article <7p1jv0$hl6$[EMAIL PROTECTED]>, [EMAIL PROTECTED]
(SCOTT19U.ZIP_GUY) wrote:

>  I am sure that the so called academic types could design a better
> secure method if I tried to play by their rules. That is some weak
> short keyed block encryption method using the phony blessed out
> of date chaining methods that should have died when the computer
> was invented.
> 
I feel that I know what you intended to say here.  So, I point out that
the academic rules for crypto design and those used in open design here
are quite different.  To compare the processes, saying that one is better
or worse, is complaining about methods that might yield useful results.  

Methods don't matter, results do; some good cooks make a mess of the
kitchen, and, in spite of their productions would be unacceptable if
monitored mid-dish by a health inspector who did not understand that flour
and sugar on the floor and egg on the wall were temporary conditions
perhaps caused by lack of staff, or having never to meet the demands of a
head chef.

An open faced design method begs for input and constructive criticism. 
Because an academic can farm much of the grunge work to students, and use
secretaries to tidy up presentations, does not mean that all necessary
steps, including false starts, bad ideas, blind alleys, did not occur, all
it means is that you cannot see them.  In a way, this is not as honest a
process as an open one, but essential to maintain god-like images.  

I make no pretence for what I do, warts and all, but, I do produce, be
lots of them questionable, new and useful algorithms for your
consideration.  It is important to have raw data, a thing one of my
graduate professors hammered in.  You may get data, but incomplete data at
the most, from an academic presentation.  I encourage more transparency in
design processes from even these people.
-- 
All's fair in love, war, and crypto.  ERACE

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: NIST AES FInalists are....
Date: Mon, 16 Aug 1999 20:34:58 -0600

In article <7p1scj$cik$[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
> 
> Most people tend to make bad ciphers because they spend little time
> trying to break it.  Or they try to break it using one type of attack.
> That's why I trust Serpent and Twofish since they (well Twofish is
> admittedly better here) documented types of attacks and why they would
> not work (feasibly).
> 
Bad is relative to your requirements and expectations.  For some
applications, a burdensome and more secure cipher would be the bad one. 
It is important to rank ciphers, learn to understand characteristics of
strength as best we can.  No one should use a cipher which is improper for
their use.  For learning about ciphers, and considering techniques, all
are proper.  

For recreation breaking with pencil and paper methods, relatively weak
ciphers are needed.  To challenge the computer analysis method type person,
something more is necessary.  What makes the difference in these ciphers? 
That is most important if ciphers are to be made which foil even computer
attacks.

Finding computer breaking too easy, some would be upset if certain ciphers
were not easy conquests.  Others would be extremely happy to find simple
methods which withstood computer-assisted torture. Others would want to
control the whole field, if not for another reason than they want their
technology to be center stage.
-- 
All's fair in love, war, and crypto.  ERACE

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: NIST AES FInalists are....
Date: Mon, 16 Aug 1999 21:01:50 -0600

In article <[EMAIL PROTECTED]>, fungus
<[EMAIL PROTECTED]> wrote:
> 
> You don't need a billion computers. The NSA can make custom chips
> and put several processors in each die. Assuming this, they only
> need a few million chips stuck to circuit boards with very minimal
> support logic (maybe no support logic at all for such a specialised
> chip). This is quite possible for them, think of large telephone
> exchanges...
> 
With government entry into all telephone exchanges, there is no reason that
in the dead of the night, or whenever, that the diverse power of all
telephone exchange computers could not be assigned special tasks, having
little to do with those we would expect them to have.  Indeed, with the
stealth of MS technology, computers on the net could also be used.
-- 
All's fair in love, war, and crypto.  ERACE

------------------------------

From: "rosi" <[EMAIL PROTECTED]>
Subject: Re: Do I have a problem with semantics?
Date: Mon, 16 Aug 1999 22:12:35 -0400

Dear Nicol,

   Thanks for the comments. Find two relevant things, others not quite
IMO. Of course noticed "I don't want to say I have read the paper",
which can make it hard for anybody to respond. If you read the paper
(as my invitation suggests) you may say things slightly differently. Will
not comment on all those, except one to show a point (unless you want
me to comment).

   One thing is the request for the definition of 'semantics density'. I
may greatly disappoint you here. I am not good at formalism. Informally,
semantics density is the (reaching at) equal assurance about two (or
more) interpretations of some finite, minimal representation according to
some particular syntax, grammar, semantics rules. Notice that I said this
is informal. If it is not good enough, I am sorry. I can rephrase my words:
if Alice and Bob start with some advantage over Eve (e.g. giving Eve
some intrinsic uncertainty), they will have some advantage over Eve.
(Or as the application of such a scenario has it: the advantage can
be distilled)

   The second is the question asking for the assumption(s) that I feel
missing in Paper. This I think is obvious if you read Paper and give
the concept a bit more thought. I would like to refer to something you
said that I believe says more or less the exact thing: the not explicitly
stated assumption (NOT conjecture). Your words:

         5 unknowns but 4 equations

You also said, I am aware, that it is 'loose', but I am not picky. However,
it is exactly the place we can not afford to be loose. The simple question
to put this in focus is: How come that the fifth equation can not be
obtained? Is this a conjecture? Is this an assumption? What do you think
about this assumption? Hint for your reading of Paper: how reasonable
is the assumption if it be one? Another hint: one may be a bit off if he
forms the opinion that I have had only active attacks in my head. Still
another hint: if anyone can ask the author(s) how the bits in the demo
were obtained.

   Thanks again for the discussion.
   --- (My Signature)

P.S.
   One of the major reasons for the irrelevancy of some of your
comments, IMO, is that you did not get what I was saying. I said
(not exact words) I seem to have a problem with semantics. I did
NOT say that I have a problem with some proof, or any proof. If you
would like, you may also reflect on your words and logic about
'*vacuously* true'. Thanks.

===========================================

Nicol So wrote in message <[EMAIL PROTECTED]>...
>rosi wrote:
>>
>>    Concrete and specific: "Secret Key Agreement by Public
>> Discussion", which I will refer to as Paper here. (C.f. a post
>> from David Molnar on July 17, 1999)
>>
>> ...
>>
>>    1. To me some assumptions are left out from Paper and I likely do
>> not understand the term 'provably secure'. I also seem to get the
>> impression that the system Paper illustrates is referred to as
>> 'unconditionally secure'. (Can some help tell exactly which is
>> being characterized with?)
>
>I visited the website David Molnar pointed to and took a cursory look at
>the pages, but I don't want to say I have read the paper.
>
>Generally, provable security is what it says--that a cipher satisfies
>some precisely defined notion of security can be demonstrated with a
>rigorous mathematical proof.  Often times (but not always) results about
>provably secure ciphers take the form "cipher C is secure (in the sense
>of S) if the well-known conjecture A is true".  Assuming the proof is
>correct, a result like that is rigorous--no new discoveries will
>invalidate it.  However, if the well-known conjecture turns out to be
>false, the result is only *vacuously* true.
>
>Instead of focussing on what "provably secure" means independent of the
>context, it would be more fruitful to try to understand what an author
>is trying to say in a particular context.
>
>BTW, what assumptions do you think have been left out in the paper?
>
>>    2. (a more specific extension of 1) 'unconditionally secure' seem
>> to refer to no-better-chance-than-half even with unlimited computing
>> power. As the state of the art stands, this seems to be a very weak
>> security.
>
>It seems that you misunderstood the definition of "unconditional secrecy".
>
>(Security is a multi-faceted notion, of which secrecy is one aspect.  I
>use the term "unconditional secrecy" to emphasize the aspect of security
>we're talking about).  In information theory, the intuition behind
>"information" is that information is reduction of uncertainty.
>Computational complexity is not constrained.
>
>"Unconditional secrecy" means that seeing a ciphertext does not provide
>the adversary with any information about the plaintext, regardless of
>how much computation he does.
>
>Before the adversary sees a ciphertext, he may have an a priori
>probability assigned to every possible plaintext, reflecting his
>(partial) knowledge about the source.  If the cipher is such that after
>seeing the ciphertext, the conditional probability of each possible
>plaintext (conditioned on the observed ciphertext) is exactly the same
>as its a priori probability, the cipher has unconditional secrecy.  In
>other words, seeing the ciphertext does not affect the adversary's
>estimate of the relative likelihood of each possible plaintext,
>regardless of how much computation he does.
>
>I can think of a loosely analogous situation in which the lack of
>information defeats any computational attempt to find the answer.
>Consider an underdetermined system of linear equations (say 5 unknowns
>but 4 equations).  No matter how much computation you do, you can't
>narrow the solutions down to a unique one.
>
>>    4. Semantics density creates favorable conditions. (But this may
>> not be an issue alone)
>
>I haven't come across the term "semantic density".  How is it defined?
>
>Nicol
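
The definition Nicol gives above, that the conditional probability of each plaintext given the ciphertext equals its a priori probability, can be checked mechanically for a small cipher. The following Python is an added example for this digest, not code from either poster: it uses a constructed 2-bit message source with a skewed prior, compares a one-time pad (key as long as the message) with a constructed weak cipher whose single key bit is stretched over both message bits, and computes the exact posteriors with fractions so that "exactly the same" is tested as equality rather than approximation.

```python
from fractions import Fraction

# Constructed toy source: 2-bit messages with a skewed prior, standing in for
# Eve's partial knowledge of the plaintext source.
PRIOR = {
    0b00: Fraction(1, 2),
    0b01: Fraction(1, 4),
    0b10: Fraction(1, 8),
    0b11: Fraction(1, 8),
}


def otp_encrypt(m: int, k: int) -> int:
    """One-time pad on 2 bits: the key is as long as the message."""
    return m ^ k


def weak_encrypt(m: int, k: int) -> int:
    """Constructed weak cipher: a 1-bit key stretched to both bits, so the key
    space (2 keys) is smaller than the message space (4 messages)."""
    return m ^ (0b11 * k)


def posterior(encrypt, keys, prior):
    """Return {c: {m: P(m | c)}} for the cipher, with the key uniform over keys."""
    p_key = Fraction(1, len(keys))
    joint = {}  # (c, m) -> P(m) * P(k), summed over the keys with E(m, k) = c
    for m, p_m in prior.items():
        for k in keys:
            c = encrypt(m, k)
            joint[(c, m)] = joint.get((c, m), Fraction(0)) + p_m * p_key
    p_c = {}
    for (c, _), p in joint.items():
        p_c[c] = p_c.get(c, Fraction(0)) + p
    post = {}
    for (c, m), p in joint.items():
        post.setdefault(c, {})[m] = p / p_c[c]
    return post


def is_unconditionally_secret(encrypt, keys, prior) -> bool:
    """True iff every ciphertext leaves Eve's distribution over plaintexts
    exactly equal to her prior: the definition quoted in the post."""
    post = posterior(encrypt, keys, prior)
    return all(
        post[c].get(m, Fraction(0)) == p_m
        for c in post
        for m, p_m in prior.items()
    )


if __name__ == "__main__":
    for name, enc, keys in (("one-time pad", otp_encrypt, range(4)),
                            ("1-bit key", weak_encrypt, [0, 1])):
        print(name, "unconditionally secret:", is_unconditionally_secret(enc, keys, PRIOR))
        for c, dist in sorted(posterior(enc, keys, PRIOR).items()):
            print("  c=%02d" % int(format(c, "b")), {format(m, "02b"): str(p) for m, p in dist.items()})
```

With the pad, every plaintext is reachable from every ciphertext under exactly one key, so the posterior reproduces the prior for all four ciphertexts. With the 1-bit key, ciphertext 00 can only have come from plaintext 00 or 11, and Eve's estimate for 00 jumps from 1/2 to 4/5; no amount of computation is involved in either direction, which is the sense in which the definition is computation-free.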



------------------------------

From: "Adrian Cho" <[EMAIL PROTECTED]>
Crossposted-To: microsoft.public.cryptoapi,netscape.public.mozilla.crypto
Subject: S/MIME compatible digital IDs for use with Netscape and Outlook
Date: Tue, 17 Aug 1999 13:00:54 +1000
Reply-To: "Adrian Cho" <[EMAIL PROTECTED]>

My friend has Netscape 4.04.  I have Outlook 98.  Normally I use PGP but it
doesn't have a plug-in for Netscape.  However I have found out that both
support S/MIME.  I have read about compatibility problems with digital IDs
and either Outlook or Netscape or both or something like that.

Can anyone shed any light here?

Thanks

Adrian

--
Adrian Cho
[EMAIL PROTECTED]




------------------------------

From: "Brian McKeever" <[EMAIL PROTECTED]>
Subject: Re: Q.  a hash of a hash ...
Date: Mon, 16 Aug 1999 19:34:34 -0700

Anton Stiglic <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> >
> > > P.S I to would also like to see some mathematical analysis on this
> > > question.
>
> The question I refer to is: Is H(H(x)) as collision resistant as H(x)?
>
> And in the more specific case, for H = SHA_1.
>
>
> Anyone have any refs?
>
> I just remembered a conversation about /dev/random,    it uses SHA_1,
> but a lot of people like to take the result and apply another SHA_1, it
> seems that it is a little bit relevant....
>
>
> Anton
>

I can't say anything for the specific case H=SHA1, but it seems to me that
in general, we lose a lot of collision resistance.  If we take H to be a
random permutation of some set S (eg {0.. n -1}, for some n), then the
probability of H(a) = H(b) a != b is 1/n.  But consider p( H(H(a)) = H(H(b))
| a != b).  I calculate this as 1/n + (n-1)/n * 1/n or about 2/n.  We've
about doubled the probability of a collision (which makes sense, since there
are 2 opportunities for collision).

Brian
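
Brian's estimate can be checked exactly for small n. The following Python is an added example for this digest, not code from the post: it models H as a uniformly random function on an n-element set (the model under which two distinct inputs collide with probability 1/n), enumerates all n^n functions and all ordered pairs a != b, and counts collisions of H(x) and of H(H(x)). The closed form it compares against is derived here by case analysis, not taken from the post: when H(a) or H(b) lands back in {a, b}, the second application is no longer an independent draw, so the exact figure sits 2/n^3 below the heuristic 1/n + (n-1)/n * 1/n, which for n = 4 is 13/32 against 7/16.

```python
from fractions import Fraction
from itertools import permutations, product


def all_functions(n: int):
    """Every function f: {0..n-1} -> {0..n-1}, as the tuple (f(0), ..., f(n-1))."""
    return product(range(n), repeat=n)


def iterate(f, x: int, depth: int) -> int:
    """Apply the table-defined function f to x `depth` times."""
    for _ in range(depth):
        x = f[x]
    return x


def collision_prob(n: int, depth: int) -> Fraction:
    """Exact P( H^depth(a) == H^depth(b) ) over a uniformly random function H on
    an n-element set and a uniformly random ordered pair a != b.
    depth=1 is the plain hash, depth=2 is H(H(x))."""
    hits = 0
    total = 0
    for f in all_functions(n):
        for a, b in permutations(range(n), 2):
            hits += iterate(f, a, depth) == iterate(f, b, depth)
            total += 1
    return Fraction(hits, total)


def heuristic_double(n: int) -> Fraction:
    """The estimate in the post: collide at the first hash (1/n), or survive it
    ((n-1)/n) and collide at the second (1/n)."""
    return Fraction(1, n) + Fraction(n - 1, n) * Fraction(1, n)


def closed_form_double(n: int) -> Fraction:
    """Exact value of collision_prob(n, 2) by case analysis (derived for this
    example): if H(a) or H(b) is a or b, the second application reuses an
    already-fixed value instead of a fresh coin toss, which removes 2/n^3."""
    return Fraction(2 * n * n - n - 2, n ** 3)


if __name__ == "__main__":
    print(" n   P(H coll)   P(H∘H coll)   heuristic   closed form")
    for n in range(2, 6):
        print("%2d   %-9s   %-11s   %-9s   %s" % (
            n, collision_prob(n, 1), collision_prob(n, 2),
            heuristic_double(n), closed_form_double(n)))
```

The enumeration is exponential in n, so it is only a check on the arithmetic for tiny sets; the closed form is what extends to n = 2^160. The practical conclusion is the one Brian draws, that the composed hash roughly doubles the collision probability, which matters little for a 160-bit output but is a real cost in a setting that already has few output bits to spare.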




------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Future Cryptology
Date: Mon, 16 Aug 1999 21:19:44 -0600

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:

> lol, but the nsa IS why I am (trying) to learn cryptography.

Perhaps then, they are the root of the high-powered crypto problem? After
all, their folks that interact with civilians encourage the myth of being
able to do anything.  Those that want to challenge this by trying to do
better are encouraged to perhaps do better.
-- 
All's fair in love, war, and crypto.  ERACE

------------------------------

From: Eric Lee Green <[EMAIL PROTECTED]>
Crossposted-To: comp.lang.clipper,comp.security.misc
Subject: Re: Blowfish algorithm - Is it foolproof?
Date: Mon, 16 Aug 1999 19:34:45 -0700

Tom Leylan wrote:
> I will try one, it is a variation of Pradeep's question.  How does one know
> when you've got the answer?  Particularly with regard to the well-publicized
> DES decryption contest.  Would anybody have noticed they had figured it out
> if I simply used PKZIP on my original plaintext?  If it relies on
> recognizing English it is quite easy to disguise that.

For recognizing natural languages frequency analysis might be used, and
if the result seems to indicate a natural language as vs. random
garbage, a human being called in to verify this. As for your PKZIP, all
PKZIP files have an easily-recognized header. I would imagine that any
bogon out there interested in breaking your encryption has computers
quite capable of recognizing all commonly-used compression headers. 

For your purposes you could, of course, create a custom PKZIP that has a
different header (or more likely customize the GNU "gzip" program, since
it has source available). I imagine this would complicate the bogon's
task considerably, since compressed files are less amenable to frequency
analysis (the whole point of compression is to eliminate redundancies,
after all!). A real expert would have to tell you whether my imagination
is faulty or not, though, since I am by no means a cryptographer. 

In any event, the easiest way to "break" a code is to steal the poor
sod's private key. Second-best is to read over the guy's shoulder after
he's already decrypted the message. 

-- 
Eric Lee Green    http://members.tripod.com/e_l_green
  mail: [EMAIL PROTECTED]
                    ^^^^^^^    Burdening Microsoft with SPAM!
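
Eric's point that compression does not hide a correct decryption, because compressed formats carry fixed headers while uncompressed natural language has a recognisable letter distribution, can be made concrete. The following Python is an added example written for this digest, not code from the post. It labels a candidate byte string as a known compressed format, English-like text, or unknown; the sample sentence, the per-letter chi-square threshold of 1.0 and the 95% printable-byte requirement are constructed choices for the example, and the letter-frequency table is the usual published one for English. The defensive lesson is the one Eric draws: the key, not obscurity of the plaintext format, has to carry the security.

```python
import gzip
import io
import math
import zipfile

# Signatures of common compressed/container formats. A correct key exposes
# these in the very first bytes, whatever the rest of the file looks like.
MAGIC_BYTES = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"BZh": "bzip2",
    b"\xfd7zXZ\x00": "xz",
}

# Relative letter frequencies of English text, in percent.
ENGLISH_FREQ = {
    "a": 8.167, "b": 1.492, "c": 2.782, "d": 4.253, "e": 12.702, "f": 2.228,
    "g": 2.015, "h": 6.094, "i": 6.966, "j": 0.153, "k": 0.772, "l": 4.025,
    "m": 2.406, "n": 6.749, "o": 7.507, "p": 1.929, "q": 0.095, "r": 5.987,
    "s": 6.327, "t": 9.056, "u": 2.758, "v": 0.978, "w": 2.360, "x": 0.150,
    "y": 1.974, "z": 0.074,
}

# Constructed sample plaintext for the example (not from any real message).
SAMPLE = (b"In any event, the easiest way to break a code is to steal the private key. "
          b"Second best is to read over the shoulder of someone who has already decrypted "
          b"the message. Frequency analysis only helps when the plaintext still looks like "
          b"a natural language.")


def detect_magic(data: bytes):
    """Return the format name if data starts with a known signature, else None."""
    for signature, name in MAGIC_BYTES.items():
        if data.startswith(signature):
            return name
    return None


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def english_chi_square_per_letter(data: bytes) -> float:
    """Chi-square distance between the letter histogram of data and English,
    divided by the number of letters so the score is length-independent.
    Ordinary English scores well under 1; shifted or random letters score far above."""
    counts = {ch: 0 for ch in ENGLISH_FREQ}
    for b in data.lower():
        ch = chr(b)
        if ch in counts:
            counts[ch] += 1
    n = sum(counts.values())
    if n == 0:
        return math.inf
    chi2 = 0.0
    for ch, pct in ENGLISH_FREQ.items():
        expected = n * pct / 100.0
        chi2 += (counts[ch] - expected) ** 2 / expected
    return chi2 / n


def classify(data: bytes, chi_threshold: float = 1.0) -> str:
    """Label a candidate decryption: a known compressed format, English-like
    text, or 'unknown' (random-looking, which is what a wrong key yields)."""
    fmt = detect_magic(data)
    if fmt:
        return fmt
    if printable_ratio(data) >= 0.95 and english_chi_square_per_letter(data) < chi_threshold:
        return "english"
    return "unknown"


def zip_bytes(payload: bytes) -> bytes:
    """Build an in-memory ZIP archive containing payload (header at offset 0)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("message.txt", payload)
    return buf.getvalue()


def rot13(data: bytes) -> bytes:
    """Letter-shift the sample so its histogram is permuted but still printable."""
    out = bytearray()
    for b in data:
        if 65 <= b <= 90:
            out.append((b - 65 + 13) % 26 + 65)
        elif 97 <= b <= 122:
            out.append((b - 97 + 13) % 26 + 97)
        else:
            out.append(b)
    return bytes(out)


if __name__ == "__main__":
    for label, candidate in (("plain", SAMPLE), ("gzip", gzip.compress(SAMPLE)),
                             ("zip", zip_bytes(SAMPLE)), ("rot13", rot13(SAMPLE)),
                             ("all bytes", bytes(range(256)))):
        print("%-9s -> %s" % (label, classify(candidate)))
```

Only the first few bytes are needed to spot gzip or zip output, which is why swapping the header for a private one (as Eric suggests) is the obvious next move and why it merely shifts the problem: the custom header becomes the new signature.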

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: I HOPE AM WRONG
Date: Mon, 16 Aug 1999 21:56:44 -0600

In article <7p51gs$[EMAIL PROTECTED]>,
<[EMAIL PROTECTED]> wrote:
> >
> > What's all this rubbish got to do with crypto?

It merely has to do with encrypting the entire group, adding noise to
bury vital information, but I class it as an unsuccessful implementation
as it is easy to exclude the noise.
-- 
All's fair in love, war, and crypto.  ERACE

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: rsa in other fields
Date: 16 Aug 1999 23:47:54 -0400

>>Any cryptosystem working in a finite cyclic group Z_pq can
>>be viewed as working in a finite field F_pq.

Let's see ... the security in RSA depends on the big secret ... the
private key, or equivalently, the order of the cyclic group.

Now, I am in a known finite field (known, so I can encrypt using the
public key) ... I know the order of the cyclic group of the non-zero
elements (just the number of non-zero elements ... the size of the
field-1) ... so ...
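
The argument above trails off, so here is the conclusion worked out in Python as an added example for this digest (not code from the post). In a prime field F_p the non-zero elements form a group whose order p-1 is public, so anyone can invert the public exponent and undo the "encryption"; in Z_n with n = pq the same inversion needs the group order (p-1)(q-1), which only the holder of the factorisation has. The parameters p = 61, q = 53, e = 17, m = 65 and the prime 1009 are constructed textbook-sized values, and the naive guess "order = n - 1" stands in for an attacker who treats Z_n like a field.

```python
def modinv(a: int, n: int) -> int:
    """Inverse of a modulo n (ValueError if gcd(a, n) != 1)."""
    return pow(a, -1, n)


def decrypt_using_order(n: int, e: int, c: int, order_guess: int) -> int:
    """What a party gets by assuming the multiplicative group has order
    order_guess: d = e^-1 mod order_guess, then c^d mod n."""
    d = modinv(e, order_guess)
    return pow(c, d, n)


def anyone_recovers_plaintext_in_prime_field(p: int, e: int, m: int) -> bool:
    """In F_p the group of non-zero elements has order p-1, which is public,
    so the 'private' exponent falls out of the public data alone."""
    c = pow(m, e, p)
    return decrypt_using_order(p, e, c, p - 1) == m


def rsa_demo():
    """Return (m, recovered with phi(n), recovered with the naive guess n-1)."""
    # Constructed textbook-sized parameters; the factorisation p, q is what keeps
    # the group order phi(n) = (p-1)(q-1) secret from everyone but the key holder.
    p, q, e, m = 61, 53, 17, 65
    n = p * q
    c = pow(m, e, n)
    with_phi = decrypt_using_order(n, e, c, (p - 1) * (q - 1))
    # Without the factorisation, the analogue of the prime-field shortcut is to
    # guess that the order is n - 1; it produces an unrelated residue.
    with_wrong_guess = decrypt_using_order(n, e, c, n - 1)
    return m, with_phi, with_wrong_guess


if __name__ == "__main__":
    print("F_1009, e=17, m=65 recovered by anyone:",
          anyone_recovers_plaintext_in_prime_field(1009, 17, 65))
    m, ok, wrong = rsa_demo()
    print("Z_3233: m=%d, with phi(n) -> %d, with n-1 guessed as order -> %d" % (m, ok, wrong))
```

The point is that RSA's trapdoor is precisely the hidden group order; moving the arithmetic into a field, where that order is implied by the modulus, removes the trapdoor rather than transplanting it.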

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: The Most Secure Symmetric Algorithm (not counting the one-time pad) Ever!
Date: Mon, 16 Aug 1999 21:52:47 -0600

In article <[EMAIL PROTECTED]>, "Thomas J. Boschloo"
<[EMAIL PROTECTED]> wrote:

> 
> And compressing time would require traveling at near light speed. Moving
> your computer at near light speed requires to much energy. I once
> calculated that it would perhaps be possible to move a computer at 99.9%
> of the speed of light at an enormous cost in energy (don't remember
> precisely). And even that gains you only a factor 1000.
> 
At least some machines would crash less frequently as referenced to our
initial situation.
-- 
All's fair in love, war, and crypto.  ERACE

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: NIST AES FInalists are....
Date: Tue, 17 Aug 1999 03:49:44 GMT

John Savard wrote:
> In any event, DES and SKIPJACK do have another kind of back door.
> Lop off a few rounds from SKIPJACK, and it becomes insecure.

That hardly qualifies as a "back door", because the opponent doesn't
have the ability to alter the innards of your encryptor/decryptor.
If you lopped off a few supports from a bridge, or wires from a TV,
or ..., it would become insecure also, but that doesn't mean much.
Those analogies might be instructive:  the most robust bridges were
overdesigned with a huge safety factor, to allow for circumstances
the bridge designer didn't know about; TV sets don't have extra
wires, however, because their designers have sufficient understanding
of the technology that they can leave out unnecessary components.
But there have been some bad TV designs where feasible "attacks on
the system" weren't allowed for in the design.

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Kana, was occurrence of letters in english
Date: Mon, 16 Aug 1999 22:02:43 -0600

In article <[EMAIL PROTECTED]>, Paul Koning <[EMAIL PROTECTED]> wrote:

> [EMAIL PROTECTED] wrote:
> > ...
> > Most languages has biases (structures) that can be exploited.
> 
> All languages, not "most" languages.  The details will vary all 
> over the map.  Consider letter pairs: in Japanese, consonant/vowel
> pairs are the basic building block, which is in fact reflected in
> the writing system (Kana).  Some other languages like to pile
> up long strings of consonants.
> 
Speaking of Japanese, a general question, exactly how many Kana are needed
and/or used?  If not a long list, what are they? Can normal punctuation be
used, period, comma, and period?  Is the assumption that various numbers
of Kana can be used for different words, separated by spaces, correct?
-- 
All's fair in love, war, and crypto.  ERACE

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: The Most Secure Symmetric Algorithm (not counting the one-time pad) Ever!
Date: Mon, 16 Aug 1999 21:50:26 -0600

In article <7p2dcs$2mco$[EMAIL PROTECTED]>, [EMAIL PROTECTED]
(SCOTT19U.ZIP_GUY) wrote:

> In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (John Savard) wrote:
> >[EMAIL PROTECTED] (JPeschel) wrote, in part:
> >>[EMAIL PROTECTED] (John Savard) writes:
> >
> >>>Of course, if the flying saucers armed with quantum computers ever
> >>>invade, the thing just might actually be practical...
> >
> >>Yeah, but what about those pesky time-travelling aliens, huh?
> >
> >If they can travel through time, nothing will help.
> >
> 
>   Actually it depends on what the real model of the universe is.
> It seems time travel may be possible but would you end up
> in another universe or would you change this one?
> 
If we knew which posters were in each of them, we could merely go where
our preferences are included;  I reject no one in my desired destination,
but I would select one where manners are improved and I am not tempted to
lose my cool either.
-- 
All's fair in love, war, and crypto.  ERACE

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: The Most Secure Symmetric Algorithm (not counting the one-time pad) Ever!
Date: Mon, 16 Aug 1999 21:47:50 -0600

In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (John Savard) wrote:

> [EMAIL PROTECTED] (JPeschel) wrote, in part:
> >[EMAIL PROTECTED] (John Savard) writes:
> 
> >>Of course, if the flying saucers armed with quantum computers ever
> >>invade, the thing just might actually be practical...
> 
> >Yeah, but what about those pesky time-travelling aliens, huh?
> 
> If they can travel through time, nothing will help.
> 
Assuming that they take you with them, they can punish you for your
messages.  Forward travel being the essential, to set something in motion
and go to the end results.

I suggest that convenient forward travel be near impossible, to leave the
impossible for backwards travel....unless you travel forwards while facing
backwards?
-- 
All's fair in love, war, and crypto.  ERACE

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
