Cryptography-Digest Digest #71, Volume #10       Wed, 18 Aug 99 18:13:04 EDT

Contents:
  Re: Wrapped PCBC mode (SCOTT19U.ZIP_GUY)
  Re: CRYPTO DESIGN MY VIEW (SCOTT19U.ZIP_GUY)
  Re: Q. a hash of a hash ... ("Brian McKeever")
  Re: CRYPTO DESIGN MY VIEW (Jerry Coffin)
  Re: My web site is up! (John Savard)
  Is RC5 still safe (enough)? ([EMAIL PROTECTED])
  Re: NIST AES FInalists are.... ([EMAIL PROTECTED])
  Re: Definition of cracked? (D. J. Bernstein)
  Re: Decrypted International Crypto inside the US (JPeschel)
  Re: Q. a hash of a hash ... (Helger Lipmaa)
  Re: I HOPE AM WRONG (Greg)
  Re: Q. a hash of a hash ... (Anton Stiglic)
  Re: Decrypted International Crypto inside the US (Doug Stell)
  Re: Decrypted International Crypto inside the US ("Dan Kaminsky")

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Wrapped PCBC mode
Date: Wed, 18 Aug 1999 22:23:38 GMT

In article <[EMAIL PROTECTED]>, 
[EMAIL PROTECTED] wrote:

>As Bruce S. has said before at 100 to 150 rounds of most student cyphers
>become very resistant to attack. The art of the thing is getting that attack
>resistance with  as little effort, space, etc. as possible
>

  Well Mr BS likes to attack many people. Yes there are many weak
student ciphers. He even has attacked my method along with his buddy
Wagner. Wagner said he stated mine was dead and the Slide attack
would show so. Well he was full of shit. Now he is too busy to supposedly
look at it. Yet these Phony Crypto Gods can point to a few bad student
ciphers and they use that fact to bash everyone else. Without the open
honesty of actually looking at it.  Mr BS has stated numerous times that
he is too busy to look at student ciphers. So how the hell can he make
statements about them. 




David A. Scott
--
                    SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
                    http://www.jim.com/jamesd/Kong/scott19u.zip
                    http://members.xoom.com/ecil/index.htm
                    NOTE EMAIL address is for SPAMERS

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: CRYPTO DESIGN MY VIEW
Date: Wed, 18 Aug 1999 22:14:01 GMT

In article <[EMAIL PROTECTED]>, Mok-Kong Shen 
<[EMAIL PROTECTED]> wrote:
>SCOTT19U.ZIP_GUY wrote:
>> 
>>   I don't write well and I think the code speaks for itself. I mean you
>> can test it and look at a series of dumps. But basically it sometimes
>> does not write out the last bits and the decompression routine knows what
>> the dropped bits are. But sometimes it adds extra bits to pad the byte out
>> when it is short. But the fact is that I limit the 1's to a max of 8 in huffman
>> tables and the all 0's to a min of 8. But I feel the C code is more important
>
>May I repeat:
>Let's simplify matters by not considering the case of needing any
>padding. Then if the last symbol output consists of 9 bits (this
>does not necessarily contradict your above limitations) and I delete
>the last byte, then in the 'wrong' file thus obtained the last bit 
>cannot be decoded, because it needs some more bits following it in 
>order to be a valid output symbol on the compressed file side and
>hence properly decoded to a symbol on the uncompressed file side.
>
     Then I will make it simple for you. The 9 bit symbol in question is
as below and starts on a byte boundary, so that in this particular case
it does not depend on the previous symbol. In the 2 examples
I am giving, in one case the 9 bits become 8, in the next the nine become 16.
symbol is 001100111  what goes out is 00110011  (notice the bit dropped)
symbol is 001100110  what goes out is 0011001100000000  (this is for this
case only)
>Side note: One can hardly 'test' your program to see whether this
>constructed special example works or not, because there is no obvious 
>way to construct (and verify) an input file to your program such that 
>the last symbol output by the program has 9 bits and that the last bit 
>is on byte boundary. So the reasonable way of argumentation is to
>say in plain English how your program reacts to this situation of
>8 missing bits. (This is also the simplest way in my humble opinion,
>since you are the author of the program and consequently knows better 
>than anyone else the workings of your program.)

   You can test. The code is such that at any state you can dump the
huffman table. It is made to be debugged. Really it is not that hard; I just 
think you're lazy. You can easily change the program to write out another
file so that you see 0's, 1's and SPACES; this would make it easier. I have
left this code with many test routines and such in, so that it is easy to add
or use debugging code. You just have to look.




David A. Scott
--
                    SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
                    http://www.jim.com/jamesd/Kong/scott19u.zip
                    http://members.xoom.com/ecil/index.htm
                    NOTE EMAIL address is for SPAMERS

------------------------------

From: "Brian McKeever" <[EMAIL PROTECTED]>
Subject: Re: Q. a hash of a hash ...
Date: Wed, 18 Aug 1999 12:24:40 -0700

<[EMAIL PROTECTED]> wrote in message
news:7pda4e$55s$[EMAIL PROTECTED]...
> Brian McKeever wrote:
> > Anton Stiglic wrote:
> > > It is a simple and nice proof, it proves that H and H^2 are equally
> > > collision resistant.
>
> > You've drawn the wrong conclusion from the proof.
> > The only valid conclusion one can draw is "H is
> > collision-free if and only if H^2 is collision-free."
>
> I think that's equivalent to the conclusion he did
> draw.  According to Menezes, van Oorshot and Vanstone,
> /Handbook of Applied Cryptography/,
>
>     Collision resistance - it is computationally infeasible
>     to find any two distinct inputs x, x' which hash to the
>     same output
>
> "Collision resistant" and "collision free" are synonyms.
> The former is gaining favor, since "free" suggests
> nonexistence, rather than inability to locate.  I think
> "Collision free" will live on since it looks better in
> research paper titles of the form "Function x is not
> collision free".
>
> --Bryan

Then I suppose part of the confusion stems from the fact that we are using
different definitions.  When I said

> The only valid conclusion one can draw is "H is
> collision-free if and only if H^2 is collision-free."

I meant it in the mathematical sense -- that H and H^2 are both permutations
(i.e. are bijections on the set S).
Do we agree that there *are* more collisions for H^2 than for H?  It's clear
that H(H(S)) is smaller than H(S), right?  (and in fact there is a chain of
containment S > H(S) > H(H(S)) > ...)  Therefore collisions are easier to
find.  Is your position that a problem that's, say, twice as easy as an
intractable one is still intractable (based on the "half of infinity is
still infinity" argument)?  If so I agree, but I nevertheless maintain that H
is "better" than H^2, and as we iterate H, the difference becomes larger (up
to a point).

Brian



------------------------------

From: [EMAIL PROTECTED] (Jerry Coffin)
Subject: Re: CRYPTO DESIGN MY VIEW
Date: Wed, 18 Aug 1999 15:31:00 -0600

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
> Okay, while our local network was down today I did a bit of research
> in the tech library, and found that "arithmetic coding" seems to be
> the compression method of choice.  The basic idea seems to be to
> dynamically repartition the code space so as to always minimize the
> expected size of the *next* symbol; if you have a good model of the
> population statistics, this method is supposed to achieve nearly
> optimal compression (better than Huffman coding).  There is supposed
> to be a good tutorial in the Mar. 1984 IBM J. of Rsch. & Devel., and
> it's described in some textbooks.  The library closed before I could
> find out more, but that should be enough to get you started.
> http://www.cs.toronto.edu/~radford/ac.software.html contains pointers
> to software for this and an associated article by Moffat et al.

For a commercial product, arithmetic encoding has a basic problem.  
The general idea of arithmetic encoding was kicked around for a long 
time, but nobody could figure out a practical method of actually doing 
it.  IBM finally figured out a way to make it work, and work quite 
well at that.  They, however, patented it.  Since then, they've gotten 
a number (rather a large number, AAMOF) of patents on related 
technology, such as hardware implementations, parallel 
implementations, etc.  In addition, a number of other companies have 
patents on other related technology.

It comes down to the fact that by the time you implement arithmetic 
encoding in a product, chances are that you'll owe royalties to a 
number of different companies, many of whom are not ones you'd prefer 
to get into fights with.  OTOH, since nobody in their right mind would 
use Dave Scott's garbage anyway, he might as well use the patents 
themselves as tutorials on how to do things (patent number 4,122,440 
for a start).  Given Mr. Scott's apparent coding ability, using the 
patent as a tutorial on how to do things will ensure against actually 
infringing the patent at all.  It will also reduce the chances of his 
code working, but since he doesn't seem to know how (or even that) it 
works right now, that shouldn't be a problem...

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: My web site is up!
Date: Wed, 18 Aug 1999 21:40:41 GMT

Greg <[EMAIL PROTECTED]> wrote, in part:
>In article <[EMAIL PROTECTED]>,
>  [EMAIL PROTECTED] (John Savard) wrote:
>> Greg <[EMAIL PROTECTED]> wrote, in part:

>> >If he has a product of his own, does he offer the binaries or the
>> >source code for free?

>> Yes, he does.

>Does the government consider his crypto program weak?  Or is he
>violating the EAR?

No, he only offers it within the United States and Canada. Copies have
made their way out of the country to other servers, but that wasn't
his fault.

His program would be export controlled, since it has the ability to
accept a very large key. As one might expect for a block cipher that
uses an S-box with 524,288 entries.

John Savard ( teneerf<- )
http://www.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: [EMAIL PROTECTED]
Subject: Is RC5 still safe (enough)?
Date: Wed, 18 Aug 1999 20:53:39 GMT

Hi,
I'm rather new to the crypto stuff and I know I probably shouldn't be
posting here as a newbie. But I just couldn't find definitive answers
to this question anywhere. So I figured I'd ask the specialists.
I need to encrypt a couple of files as part of a software project. I
ran into RC5 and after some research on the net found that it seems to
be fairly safe.
I know you're going to ask: "how much is the data worth?" and "for how
long does it have to remain safe?". Let's just assume it's worth enough
to justify the search for a *good* algorithm and it should remain safe
for at least 10-15 years.
If we don't take brute force into account, will an RC5-32/16/16 cipher
be broken in the near future? What about Schneier's mod3-attack? Does
it apply to "normal" RC5? Or did Yin in her recent FSE-paper on linear
attacks on RC5 bring any new results (I couldn't get a hold of that
paper)?
I'd appreciate help on this one. Also, you may want to recommend
another algorithm if RC5 is not safe anymore. Can RC6 be trusted
already? What about Blowfish?
Thanks in advance.
Greetings,
Michael Heumann.


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: NIST AES FInalists are....
Date: Wed, 18 Aug 1999 20:55:23 GMT

Douglas A. Gwyn wrote:
> JPeschel wrote:
> > but offer some evidence.
>
> Frankly, it's not at all clear what you would find
> persuasive that I am at liberty to offer.  You might
> draw your own conclusions from the combination of
> already available evidence such as my employer,
> location, recent research (previously mentioned here),
> and accurate transcription of the Kryptos sculpture.

A number of people who post here have, or previously
had, security clearances.  Doug, you are the only one
I've read who is so irresponsible as to act like it
makes him some kind of authority.

Before I moved to Silicon Valley (to work for a
former NSA cryptologist), my employer was JHUAPL,
which mostly does research for the Navy.  Its
location is right by where Maryland 32 crosses
Maryland 29.  I've heard tons of anecdotes and
rumors about the NSA too.  You sure didn't see me
try to pass off my employer and location as
evidence of anything.

> Or you could judge whether I would lie on the basis
> of my reputation; I've been active in Usenet and
> precursor ARPAnet/Internet mailing lists since the
> early 1980s, so there should be plenty of data.

To lie you'd actually have to say something.  I can
absolutely believe that you know of at most 12 non-NSA
cryptologists that the NSA wants.  That's an upper
bound on your knowledge of the matter.  On how many
such cryptologists there are, it's an upper bound on a
lower bound, which carries no information at all.

--Bryan


------------------------------

From: [EMAIL PROTECTED] (D. J. Bernstein)
Subject: Re: Definition of cracked?
Date: 18 Aug 1999 20:15:35 GMT

James Andrews  <[EMAIL PROTECTED]> wrote:
> Which event defines the cracking of an encryption process?

Let's say you have a bit generator G that stretches a short seed into a
1048576-bit string. The standard meaning of ``G is broken'' is that
there's a practical test for which these two percentages are noticeably
different:

   (1) the percentage of seeds x such that G(x) passes the test;
   (2) the percentage of 1048576-bit strings that pass the test.

For example, SEAL 1.0 was broken by Handschuh and Gilbert. There's a
test that runs in a few seconds for which percentage #1 is measurably
higher than percentage #2.

> Is a system considered broken if it is beaten by a brute force method?

Yes. For example, any fast generator with a 40-bit seed is broken. The
test ``is this equal to G(s) for some s?'' is practical, since it can be
checked with only 2^40 evaluations of G; for this test, percentage #1 is
100%, and percentage #2 is almost exactly 0%.

This is why conservative designers use much larger seeds.

---Dan
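An added example (not from Dan's post) of the definition above: a hypothetical toy generator G with a 12-bit seed instead of 40 bits, the brute-force test "is this equal to G(s) for some s?", and the two percentages the definition compares. A useless test is included for contrast; the toy G and its sizes are assumptions for the demonstration.

```python
import hashlib
import random

SEED_BITS = 12      # toy size: 4096 seeds; the post's example uses 40-bit seeds
OUT_BYTES = 16      # G stretches a seed to 128 bits (the post uses 1048576-bit outputs)

def G(seed: int) -> bytes:
    # Hypothetical toy generator (not SEAL): SHA-256 of the seed, truncated.
    return hashlib.sha256(seed.to_bytes(8, "big")).digest()[:OUT_BYTES]

# Brute-force table behind the test "is this equal to G(s) for some s?".
# Building it costs 2**SEED_BITS evaluations of G, the miniature analogue
# of the 2**40 evaluations Bernstein mentions for a 40-bit seed.
_IMAGE_OF_G = frozenset(G(s) for s in range(1 << SEED_BITS))

def in_image_test(string: bytes) -> bool:
    """The brute-force distinguisher: does some seed produce this string?"""
    return string in _IMAGE_OF_G

def first_bit_zero_test(string: bytes) -> bool:
    """A useless test for contrast: G's outputs look uniform under it."""
    return (string[0] >> 7) == 0

def percentage_1(test) -> float:
    """Percentage of seeds x such that G(x) passes the test (exact, over all seeds)."""
    passing = sum(1 for s in range(1 << SEED_BITS) if test(G(s)))
    return 100.0 * passing / (1 << SEED_BITS)

def percentage_2(test, samples: int = 4096, rng_seed: int = 0) -> float:
    """Percentage of uniformly random OUT_BYTES-byte strings that pass the test (sampled)."""
    rng = random.Random(rng_seed)   # fixed seed so the estimate is reproducible
    passing = 0
    for _ in range(samples):
        s = rng.getrandbits(8 * OUT_BYTES).to_bytes(OUT_BYTES, "big")
        passing += test(s)
    return 100.0 * passing / samples

def advantage(test, samples: int = 4096) -> float:
    """Gap between the two percentages; 'G is broken' means some practical test has a noticeable gap."""
    return abs(percentage_1(test) - percentage_2(test, samples))

if __name__ == "__main__":
    for t in (in_image_test, first_bit_zero_test):
        print(t.__name__, percentage_1(t), percentage_2(t), advantage(t))
```

For the brute-force test the gap is the full 100 points (every G(x) is in the image, essentially no random 128-bit string is), which is exactly why a generator with a small seed counts as broken.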

------------------------------

From: [EMAIL PROTECTED] (JPeschel)
Subject: Re: Decrypted International Crypto inside the US
Date: 18 Aug 1999 20:55:42 GMT

>"Dan Kaminsky" <[EMAIL PROTECTED]> writes:


>I've been informed by a coworker that it's actually illegal to receive and
>decrypt >56bit encoded data from international sources within the US, even
>if the encryption software derives from outside the country (say, a clean
>room Australian implementation of Blowfish).
>
>Anybody know anything about this?

Your co-worker is wrong. 

Joe
__________________________________________

Joe Peschel 
D.O.E. SysWorks                                 
http://members.aol.com/jpeschel/index.htm
__________________________________________


------------------------------

From: Helger Lipmaa <[EMAIL PROTECTED]>
Subject: Re: Q. a hash of a hash ...
Date: Wed, 18 Aug 1999 15:43:02 +0000

Anton Stiglic wrote:

> Thanks Bryan.  I don't think I can make the proof any more simple.  I
> proved that if I found a collision for H, I have found one for H^2, and
> if I have found one for H^2, I have found one for H.
>
> I can't explain this proof in a more simple fashion; those who do not
> understand it should just sit down and read it.

Just don't forget to mention my name if you use this proof :-)

Just kidding, proving such simple things is rather elementary (I wish
I could make money out of it).

Helger
http://home.cyber.ee/helger


------------------------------

From: Greg <[EMAIL PROTECTED]>
Subject: Re: I HOPE AM WRONG
Date: Wed, 18 Aug 1999 20:59:14 GMT


>...But since this USE group is kind of like home...

Let me guess, with:
 * the rude language in your posts,
 * the minimizing of others so that you appear more acceptable,
 * the lack of English skills,
 * and the lack of logic in your thinking,

I would guess you see yourself as the "black sheep" in this family that
you feel a part of, am I right?

Actually, it would be nice if you did not answer that.  In fact, it
would be really nice if you did not answer any post.  In fact, it would
be really really nice if you just went away- sort of like run away from
home and never come back until you see the harsh real world and realize
that politeness is a necessary adult trait.

Trust me, I will not miss you. :*

--
The US is not a democracy - US Constitution Article IV Section 4.
Democracy is the male majority legalizing rape.
UN Security Council is a Democracy.  NO APPEALS!  Welcome to the NWO.
Criminals=Crime.  Armies=Tyranny.  The 2nd amendment is about tyranny.


------------------------------

From: Anton Stiglic <[EMAIL PROTECTED]>
Subject: Re: Q. a hash of a hash ...
Date: Wed, 18 Aug 1999 17:50:45 -0400

> Then I suppose part of the confusion stems from the fact that we are using
> different definitions.  When I said
>
> > The only valid conclusion one can draw is "H is
> > collision-free if and only if H^2 is collision-free."
>
> I meant it in the mathematical sense -- that H and H^2 are both permutations
> (i.e. are bijections on the set S).
> Do we agree that there *are* more collisions for H^2 than for H?

Yes, I agree that H may have that property.

> It's clear
> that H(H(S)) is smaller than H(S), right?  (and in fact there is a chain of
> containment S > H(S) > H(H(S)) > ...)  Therefore collisions are easier to
> find.  Is your position that a problem that's, say, twice as easy as an
> intractable one is still intractable (based on the "half of infinity is
> still infinity" argument)?

Yes, something like that.  Say I have a problem that can only be resolved in
exponential time; if I cut that time in half, or in 3, or by any constant, the
problem still stays exponential, and still difficult to resolve.


> If so I agree, but I nevertheless maintain that H
> is "better" than H^2, and as we iterate H, the difference becomes larger (up
> to a point).
>

For cryptographic purposes, I'd say that they are the same, in the sense that
they have the same difficulty of being broken (finding collisions...).


>
> Brian

Anton

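An added example (not from Brian's or Anton's posts) that makes both sides of this exchange concrete on a constructed toy hash: Brian's shrinking chain S > H(S) > H(H(S)) > ... and his count of colliding pairs, alongside Anton's two-way reduction showing that a collision for H^2 yields one for H and vice versa. H is assumed to be the first byte of SHA-256 over the 8-bit domain S = {0..255}, so that H maps S into itself; it is a demonstration object, not a real hash.

```python
import hashlib

# Constructed toy hash: H maps the 8-bit domain S back into S, so H, H^2 = H(H(x)),
# H^3 ... can be compared directly.  First byte of SHA-256; not a real hash function.
S = range(256)

def H(x: int) -> int:
    return hashlib.sha256(bytes([x])).digest()[0]

def H2(x: int) -> int:
    return H(H(x))

def image_chain(depth: int):
    """Sizes |S|, |H(S)|, |H(H(S))|, ... : Brian's chain of containment."""
    current = set(S)
    sizes = [len(current)]
    for _ in range(depth):
        current = {H(x) for x in current}      # H(T) is a subset of H(S) for any T subset of S
        sizes.append(len(current))
    return sizes

def count_colliding_pairs(f, domain=S) -> int:
    """Number of unordered pairs x != x' with f(x) == f(x')."""
    buckets = {}
    for x in domain:
        buckets.setdefault(f(x), []).append(x)
    return sum(len(b) * (len(b) - 1) // 2 for b in buckets.values())

def find_collision(f, domain=S):
    """First pair x != x' with f(x) == f(x'), found by exhaustive search over the toy domain."""
    seen = {}
    for x in domain:
        y = f(x)
        if y in seen:
            return seen[y], x
        seen[y] = x
    return None

def h2_collision_to_h_collision(x: int, xp: int):
    """Anton's reduction: a collision for H^2 gives a collision for H."""
    assert x != xp and H2(x) == H2(xp)
    if H(x) == H(xp):
        return x, xp              # they already collide at the first application of H
    return H(x), H(xp)            # distinct inputs to H whose outputs H(H(x)) == H(H(x')) agree

def h_collision_to_h2_collision(x: int, xp: int):
    """The other direction: any collision for H is also a collision for H^2."""
    assert x != xp and H(x) == H(xp)
    return x, xp                  # H(H(x)) == H(H(x')) follows immediately

if __name__ == "__main__":
    print("image sizes:", image_chain(3))
    print("colliding pairs H vs H^2:", count_colliding_pairs(H), count_colliding_pairs(H2))
    pair = find_collision(H2)
    print("H^2 collision", pair, "-> H collision", h2_collision_to_h_collision(*pair))
```

Both observations hold at once: H^2 has at least as many colliding pairs as H (Brian's point), yet any algorithm that finds one for H^2 hands you one for H with a single extra evaluation of H (Anton's point).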

------------------------------

From: [EMAIL PROTECTED] (Doug Stell)
Crossposted-To: talk.politics.crypto
Subject: Re: Decrypted International Crypto inside the US
Date: Wed, 18 Aug 1999 21:27:33 GMT

On Wed, 18 Aug 1999 13:16:17 -0700, "Dan Kaminsky"
<[EMAIL PROTECTED]> wrote:

Dan,

>I've been informed by a coworker that it's actually illegal to receive and
>decrypt >56bit encoded data from international sources within the US, even
>if the encryption software derives from outside the country (say, a clean
>room Australian implementation of Blowfish).
>
>Anybody know anything about this?

Having spent many years worrying about export issues, I have never
heard this. Of course, it could be relatively new and I am out of
touch.

I have heard in personal discussions with the powers in control words
to the effect that if strong crypto is used off shore, it is presumed
that someone, possibly the recipient, had previously violated the
export regulations. How else would they obtain it? I believe that the
same would be true for sending a strongly encrypted message to a
foreign party. There seemed to be little or no recognition that a
foreign party could develop a compatible implementation without U.S.
involvement (their words).

"without U.S. involvement" = "clean room implementation"


------------------------------

From: "Dan Kaminsky" <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: Decrypted International Crypto inside the US
Date: Wed, 18 Aug 1999 15:03:44 -0700

> Having spent many years worrying about export issues, I have never
> heard this. Of course, it could be relatively new and I am out of
> touch.

Do you have any evidence anywhere that directly controverts this legal
interpretation?

> I have heard in personal discussions with the powers in control words
> to the effect that if strong crypto is used off shore, it is presumed
> that someone, possibly the recipient, had previously violated the
> export regulations. How else would they obtain it? I believe that the
> same would be true for sending a strongly encrypted message to a
> foreign party. There seemed to be little or no recognition that a
> foreign party could develop a compatible implementation without U.S.
> involvement (their words).
>
> "without U.S. involvement" = "clean room implementation"

If a European partner of an American multinational company sends *us* a
proprietary decryption application, is it illegal for us to use it?

Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com




------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************