Cryptography-Digest Digest #256, Volume #10      Fri, 17 Sep 99 12:13:03 EDT

Contents:
  Re: Okay "experts," how do you do it? (Tom St Denis)
  Re: Okay "experts," how do you do it? (SCOTT19U.ZIP_GUY)
  Re: The good things about "bad" cryptography (SCOTT19U.ZIP_GUY)
  Re: Comments on ECC (Robert Harley)
  Re: Okay "experts," how do you do it? (SCOTT19U.ZIP_GUY)
  Re: Okay "experts," how do you do it? (jerome)
  Re: The good things about "bad" cryptography (Patrick Juola)
  Re: 3des? (John Savard)
  Re: 3des? (Anton Stiglic)
  Re: Example of a one way function? (Anton Stiglic)
  Re: Okay "experts," how do you do it? (Anton Stiglic)
  Re: The good things about "bad" cryptography (Patrick Juola)
  Re: Okay "experts," how do you do it? (Anton Stiglic)
  Re: Okay "experts," how do you do it? (Tom St Denis)

----------------------------------------------------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Okay "experts," how do you do it?
Date: Fri, 17 Sep 1999 12:11:09 GMT

In article <7rs87a$11u8$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) wrote:
> In article <7rrlo2$830$[EMAIL PROTECTED]>, 
>[EMAIL PROTECTED] (David Wagner) wrote:
> >In article <[EMAIL PROTECTED]>,
> >Sundial Services  <[EMAIL PROTECTED]> wrote:
> >> Or, to
> >> put it another way, let's figure out what exactly it is that makes Bruce
> >> Scheirer's opinion better than anyone else's besides the fact that he's
> >> written a book.
> >
> >The whole point of the scientific process is that you _don't_ have
> >to trust Schneier's opinion any more than anyone else's.  If someone
> >has a practical attack, it doesn't matter who he is, or whether he
> >is an expert; we can immediately conclude that the cipher is insecure.
>     No that is not true. I think that you guys just publish and pat yourselves
> on the back. You thought your attack would make mincemeat out of my
> stuff but it did not. You would think that since you invented it you could test
> it but you couldn't. Scott19u is better than the short block ciphers you and
> your employee can write for file protection. If not, PROVE IT instead of lying
> like you have done so in the past Mr Wagner.

Hate to burst your bubble but Scott19u has a 19-bit block size.  Plus you
have zero scientific evidence proving it's strong against any form of attack.
So I really don't think you are in a place to talk down to real
cryptographers (note: I don't really consider myself a 'real' cryptographer
but I would like to think I am less subjective than most).

Tom
--
damn windows... new PGP key!!!
http://people.goplay.com/tomstdenis/key.pgp
(this time I have a backup of the secret key)


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Okay "experts," how do you do it?
Date: Fri, 17 Sep 1999 13:48:26 GMT

In article <7rtbin$4g7$[EMAIL PROTECTED]>, Tom St Denis <[EMAIL PROTECTED]> wrote:
>In article <7rsber$8r6$[EMAIL PROTECTED]>,
>  [EMAIL PROTECTED] (David Wagner) wrote:
>> In article <7rs7s8$11u8$[EMAIL PROTECTED]>,
>> SCOTT19U.ZIP_GUY <[EMAIL PROTECTED]> wrote:
>> >     They check to see who wrote it. If it is someone they don't know
>> > they say it is weak and go on since they are afraid of their own
>> > shadows.
>>
>> Do you really believe this?
>>
>> If you truly believe that your ideas are being ignored not because of
>> lack of technical merit but rather because of your name, there's an
>> easy way to prove it: submit a paper anonymously (or under a fake name)
>> to some respected crypto conference.  If it gets accepted, you can
>> boast all you like about how you fooled all those evil cryptographers...
>>
>> Or, post to sci.crypt via an anonymous remailer.  (See www.replay.com.)
>> If people react differently to your post, you can claim glorious victory.
>>
>> In the meantime, I fear that these types of remarks only diminish the
>> chances that anyone will take you seriously.
>
>Heck if he submitted a mechanical/technical paper under his real name I would
>read it.  I have read about 300 crypto papers (in about 6 months) and I am
>not biased.  I will however NOT READ OBFUSCATED SOURCE CODE.
     It is not obfuscated, but I had a friend at work who wrote code for that 
purpose; I should have used his program to make it obfuscated.
And to say you're not biased is to say the pope is not Catholic. Everyone
is biased and it is ignorant to assume otherwise.



David A. Scott
--
                    SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
                    http://www.jim.com/jamesd/Kong/scott19u.zip
                    http://members.xoom.com/ecil/index.htm
                    NOTE EMAIL address is for SPAMERS

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: The good things about "bad" cryptography
Date: Fri, 17 Sep 1999 13:45:00 GMT

In article <[EMAIL PROTECTED]>, Eric 
Lee Green <[EMAIL PROTECTED]> wrote:
>"SCOTT19U.ZIP_GUY" wrote:
>>     Would you call some one who designs a million byte plus key method
>> where the whole file is a single block Paranoid.  
>
>Yes. Not that it may not be a useful paranoia under certain
>circumstances. Doesn't work for my particular applications in any event,
>I need a combination of speed and "streamability" (i.e., so I can start
>streaming data out before the entire file is encrypted). But then I
>don't have to be too paranoid in my particular case because the file is
>presumably already going over a "secured" network, this is just an
>additional layer of security on top of it...
>
>> Or just some one who
>> wants something better for the real world of file encryption than a toy
>> method that use a tiny key on tiny blocks.
>
>It's a tradeoff. 128-bit blocks allow me to stream data in real time, at
>the cost of being possibly susceptible to known-plaintext attacks and
>possibly other attacks. 19U may actually be more secure than Twofish,
>but it doesn't meet the primary criteria, which is to be able to do this
>in real time. 
>   As far as key size goes, I stopped at 128-bit key size because I
>don't have more random bits than that in my particular environment.
     You don't have to use the whole file as random. You can just
send 128 bits and use more bits that you change only once a year or
what ever.
>256-bit key size would not have gotten me anything because I had no way
>of generating more than 2**128 possible keys no matter what the key
>length. Again, this is a case where your algorithm would not have worked
>for my particular situation. I'm sure you had to do a lot of work to get
>adequate random bits to make long keys work in your environment (e.g.
>have them wave the mouse around, type random characters, etc.), and I
>don't have access to that kind of stuff (most of my boxes live in wiring
>closets somewhere far from human interaction). 
>  Which doesn't mean 19U is cr*p, just that it's suited for what it's
>suited for, not for what I'm doing. You must admit that if the goal is
>speed and streamability rather than absolute security, 19U is not the
>right choice. 
>
    I don't think it is suited for everything. It was not meant to be.
But having one cipher do it all, which is what AES is all about, is
cr*p.



David A. Scott
--
                    SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
                    http://www.jim.com/jamesd/Kong/scott19u.zip
                    http://members.xoom.com/ecil/index.htm
                    NOTE EMAIL address is for SPAMERS

------------------------------

From: Robert Harley <[EMAIL PROTECTED]>
Subject: Re: Comments on ECC
Date: 17 Sep 1999 10:11:57 +0200


Helger Lipmaa <[EMAIL PROTECTED]> writes:
> > [...] The post I
> > was responding to asserted that solving an ECDLP is much harder than a
> > hard factoring problem of the same size, and I was wondering whether
> > this assertion was absolute, or relates only to current algorithms for
> > solving ECDLP's.
> 
> [...] sqrt-exponential lower bounds if you are restricted only to so called
> generic algorithms (or, if the underlying group is sc generic group). Most
> people take EC groups to be "generic".

I'll make that more precise, since it doesn't apply to *all* EC groups.

For instance when a curve is defined over a sub-field of the base
field then the group is definitely NOT generic.

Likewise for some other special cases.


Ideally, pick a large field and a random elliptic curve over it, then
check that the group order is "almost" prime.  Perhaps also check that
you haven't picked one that is definitely weak by known methods.

Under these conditions it seems likely that the group is generic and
the discrete log problem is exponential.  For this to fail appears to
require either astronomically bad luck or a major advance in
mathematics.


But if you purposely pick a case with special field or group
properties, then all bets are off.  Those get "broken" regularly.
I would even stick to prime fields with a randomly chosen prime,
because almost all fields are of that form.


> No proofs are known for this (at least not to me).

Me neither, and I suspect that this cannot be proved with the
mathematical machinery we currently have at our disposal.

Bye,
  Rob.
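
Harley's recipe (a random curve over a prime field, a near-prime group order, then a screen for the cases that are known to be weak) worked through as an added example in Python; this is not code from the post. Over a toy prime the group order can be counted by brute force, and the two weak-case checks shown are the anomalous case (#E = p) and a small embedding degree (the MOV/Frey-Rueck reduction into F_{p^k}). The subfield case he mentions only arises over extension fields and is not checked here. The thresholds (cofactor at most 4, embedding degree above 20), the toy primes 1009 and 1051, and the curve y^2 = x^3 + x used as the weak specimen are this example's own choices; real parameters are roughly 256-bit primes and use Schoof/SEA point counting instead of the O(p) loop below.

```python
import random

def is_prime(n):
    """Trial division; adequate for the toy field sizes used in this example."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True

def curve_order(p, a, b):
    """#E(F_p) for y^2 = x^3 + a*x + b, counting x whose right-hand side is a square.
    O(p) work, so toy primes only; real deployments use Schoof/SEA."""
    count = 1  # the point at infinity
    for x in range(p):
        rhs = (x * x * x + a * x + b) % p
        if rhs == 0:
            count += 1                                  # one point, y = 0
        elif pow(rhs, (p - 1) // 2, p) == 1:            # Euler's criterion: nonzero square
            count += 2                                  # two points, y and -y
    return count

def embedding_degree(p, q, bound):
    """Smallest k <= bound with q | p^k - 1, or None. A small k means the order-q
    subgroup embeds into F_{p^k}^*, where index-calculus discrete logs apply."""
    for k in range(1, bound + 1):
        if pow(p, k, q) == 1:
            return k
    return None

def assess_curve(p, a, b, max_cofactor=4, embedding_bound=20):
    """Run the thread's checks on y^2 = x^3 + a*x + b over F_p. Returns (ok, detail).
    The thresholds are this example's choices, not values from the post."""
    if (4 * a ** 3 + 27 * b ** 2) % p == 0:
        return False, "singular curve (discriminant is 0 mod p)"
    n = curve_order(p, a, b)
    # "almost prime": n = h * q with a small cofactor h and q prime
    for h in range(1, max_cofactor + 1):
        if n % h == 0 and is_prime(n // h):
            q = n // h
            break
    else:
        return False, f"order {n} is not almost prime (no cofactor <= {max_cofactor})"
    if n == p:
        return False, f"anomalous curve (#E = p = {p}): Smart/Satoh-Araki/Semaev attack"
    k = embedding_degree(p, q, embedding_bound)
    if k is not None:
        return False, f"embedding degree {k}: MOV/Frey-Rueck reduction to F_p^{k}"
    return True, f"order {n} = {h} * {q}, embedding degree > {embedding_bound}"

def find_good_curve(p, seed=1):
    """Harley's recipe: random a, b over a fixed prime field until the checks pass.
    Returns (a, b, detail)."""
    rng = random.Random(seed)
    while True:
        a, b = rng.randrange(p), rng.randrange(p)
        ok, detail = assess_curve(p, a, b)
        if ok:
            return a, b, detail

if __name__ == "__main__":
    p = 1009  # toy prime (constructed); a real field is ~256 bits
    a, b, detail = find_good_curve(p)
    print(f"y^2 = x^3 + {a}x + {b} over F_{p}: {detail}")
    # Deliberately special curve: y^2 = x^3 + x with p = 3 mod 4 is supersingular,
    # has order p + 1 = 1052 = 4 * 263, and is rejected for embedding degree 2.
    print(assess_curve(1051, 1, 0))
```

The random search is the "astronomically bad luck" branch of the argument: it only fails if a random curve happens to land in one of the special families, which the final checks catch. The special curve in the last line shows the other branch, a curve chosen for structure that the generic-group heuristic does not cover.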

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Okay "experts," how do you do it?
Date: Fri, 17 Sep 1999 13:37:28 GMT

In article <7rtb4o$451$[EMAIL PROTECTED]>, Tom St Denis <[EMAIL PROTECTED]> wrote:
>In article <7rs87a$11u8$[EMAIL PROTECTED]>,
>  [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) wrote:
>> In article <7rrlo2$830$[EMAIL PROTECTED]>,
> [EMAIL PROTECTED] (David Wagner) wrote:
>> >In article <[EMAIL PROTECTED]>,
>> >Sundial Services  <[EMAIL PROTECTED]> wrote:
>> >> Or, to
>> >> put it another way, let's figure out what exactly it is that makes Bruce
>> >> Scheirer's opinion better than anyone else's besides the fact that he's
>> >> written a book.
>> >
>> >The whole point of the scientific process is that you _don't_ have
>> >to trust Schneier's opinion any more than anyone else's.  If someone
>> >has a practical attack, it doesn't matter who he is, or whether he
>> >is an expert; we can immediately conclude that the cipher is insecure.
>>     No that is not true. I think that you guys just publish and pat yourselves
>> on the back. You thought your attack would make mincemeat out of my
>> stuff but it did not. You would think that since you invented it you could test
>> it but you couldn't. Scott19u is better than the short block ciphers you and
>> your employee can write for file protection. If not, PROVE IT instead of lying
>> like you have done so in the past Mr Wagner.
>
>Hate to burst your bubble but Scott19u has a 19-bit block size.  Plus you
>have zero scientific evidence proving it's strong against any form of attack.
  It no more has a 19-bit block size than IDEA has a 16-bit block size.
But then you are not an expert and if they don't tell you, you can't seem
to understand logic.
> So I really don't think you are in a place to talk down to real
>cryptographers (note: I don't really consider myself a 'real' cryptographer
>but I would like to think I am less subjective than most).
>
>Tom
  Actually as Joe P. says it has been blessed by Mr Wagner as immune to his
slide attack. Also others have tested various plaintext attacks and 
differential analysis so you cut the crap tommy.



David A. Scott
--
                    SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
                    http://www.jim.com/jamesd/Kong/scott19u.zip
                    http://members.xoom.com/ecil/index.htm
                    NOTE EMAIL address is for SPAMERS

------------------------------

From: [EMAIL PROTECTED] (jerome)
Subject: Re: Okay "experts," how do you do it?
Date: 17 Sep 1999 13:40:23 GMT
Reply-To: [EMAIL PROTECTED]

On 16 Sep 1999 20:10:19 -0700, David Wagner wrote:
>In article <7rs7s8$11u8$[EMAIL PROTECTED]>,
>SCOTT19U.ZIP_GUY <[EMAIL PROTECTED]> wrote:
>>     They check to see who wrote it. If it is someone they don't know
>> they say it is weak and go on since they are afraid of their own
>> shadows.
>
>Do you really believe this?
>

he's paranoid but not totally wrong. just an example.
an unknown designs a new cipher A and Coppersmith, Rivest and Shamir 
design another new cipher B. Will you read both papers with the 
same 'open mind' ?

if yes, that means you read all the cipher descriptions posted to sci.crypt
and elsewhere and study them as much as you study any AES proposal.
in fact i hope you don't because it is obviously a waste of time.



------------------------------

From: [EMAIL PROTECTED] (Patrick Juola)
Subject: Re: The good things about "bad" cryptography
Date: 17 Sep 1999 09:49:59 -0400

In article <[EMAIL PROTECTED]>,
John Savard <[EMAIL PROTECTED]> wrote:
>[EMAIL PROTECTED] (Bill Unruh) wrote, in part:
>
>>]- if an attacker doesn't know the algorithm being used, he will have a
>>]harder time of even beginning an attack;
>
>>True. But the question is how do you KNOW that your attacker is
>>ignorant. After all you have to distribute something which implements
>>the algorithm to others for them to be able to use it. How do you know
>>it has not leaked?
>
>I guess the same way I know that the key I'm using hasn't leaked.
>
>Although a secret algorithm _can_ be of benefit, I agree that it is
>not at all sensible to rely on somebody else's secret algorithm.
>Whatever extravagant claims have been made about it.
>
>But for an organization to use its own algorithm internally does have
>a benefit, *although* that benefit is indeed outweighed by the fact
>that such an algorithm won't have had the kind of analysis the major
>public algorithms get.

The problem is that you can't use "the same way" you use to protect
the key; one of the major ways that you protect the key, for example,
will probably involve frequent key changes within a large key-space.
For example, a 3DES key can be any 112-bit string, producing a new
3DES key requires next to no effort, and changing keys almost completely
invalidates any advantage derived from studying the previous key --
the cryptanalyst has to start all over again from ground zero.

On the other hand, that's not the case for algorithms.  If you think
about it, a secret algorithm is really "just" a 10,000-or-so bit
key.  However, it's difficult to develop and can't be changed as
frequently or easily, since most of the 2^10000 possible programs don't do a
useful form of encryption.

As a general rule, the larger the secret, the more expensive it is
to keep it secure; the sort of security appropriate for secure use
of a 112-bit key is not appropriate for a 10,000 bit "key"/algorithm.

>But the trouble is that I can't *prove*, for example, that the NSA or
>someone else doesn't have some kind of attack on most block ciphers
>that the academic community is 10 years away from discovering, that
>allows a block cipher to be cracked in the same amount of time as
>would be taken for brute-force search...of a cipher with half as many
>key bits.

You also can't *prove* that the CIA hasn't built orbital mind control
lasers that read your brainwaves and infer the contents of your
thoughts.

Why does the first possibility bother you but not the second?  The
second is clearly a much more serious security breach!

        -kitten


------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: 3des?
Date: Fri, 17 Sep 1999 14:04:30 GMT

Tom St Denis <[EMAIL PROTECTED]> wrote, in part:

>Ok here's an interesting question?
>
>If using DES with 768-bit keys provides no better resistance (and no less) to
>iterative attacks but allows a key strength of 384 bits (because of the mitm
>attack), why not use that instead of 3des?

I remember a claim in AC that the key strength of DES with independent
keys is really only about 65 bits.

John Savard ( teneerf<- )
http://www.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: Anton Stiglic <[EMAIL PROTECTED]>
Subject: Re: 3des?
Date: Fri, 17 Sep 1999 10:34:17 -0400

Tom St Denis wrote:

> Ok here's an interesting question?
>
> If using DES with 768-bit keys provides no better resistance (and no less) to
> iterative attacks but allows a key strength of 384 bits (because of the mitm
> attack) [...]

Where in the world did you read that?  What do you mean by a man in the middle
attack on DES?  Are you talking about 3DES?

> [ btw what is the exact resistance to iterative attacks I don't have my
> applied crypto handy now ... I remember it was something like 2^60 for diff
> and 2^47 for linear?  Or am I full of beans?]

The most powerful known attack against DES is Linear Cryptanalysis.
You need 2^{47} known plaintexts.
For a differential attack, you need 2^{47} chosen plaintexts (which
are harder to get than the known plaintexts....).
Both schemes are practically impossible for now, and many years to come
(imagine storing 2^{47} plaintexts!, you're better off using brute force, which
will take you on average 2^{55} DES calls and uses 0 memory.).


Anton






>
>
> Tom
> --
> damn windows... new PGP key!!!
> http://people.goplay.com/tomstdenis/key.pgp
> (this time I have a backup of the secret key)
>
> Sent via Deja.com http://www.deja.com/
> Share what you know. Learn what you don't.


------------------------------

From: Anton Stiglic <[EMAIL PROTECTED]>
Subject: Re: Example of a one way function?
Date: Fri, 17 Sep 1999 11:06:31 -0400

Tom St Denis wrote:

> In article <[EMAIL PROTECTED]>,
>   Anton Stiglic <[EMAIL PROTECTED]> wrote:
> >
> >
> > f(x)  = x^2 mod N,   where N = pq and p, q are primes.
> >
> > is believed to be one way.
> >
> > It is often used in crypto.
>
> Does N have to be a Blum integer (making it a quadratic residue?) you will
> get four roots for this and one of them at random is correct.

If N is a Blum integer (that is, p = 3 mod 4, q = 3 mod 4), then you have a well
defined deterministic algorithm for computing the four square roots.  This is
due in part to the fact that for a mod p where p = 3 mod 4 there is a simple
deterministic algorithm for computing the square roots of a,
sqrt(a) = +/- a^((p+1)/4) mod p.
(This is used in the algorithm to find the square roots of a mod N).

Whereas if p = 1 mod 4, only a probabilistic algorithm is known (but it doesn't
take *that* long to execute).

So picking a Blum integer is just a question of efficiency, not a question of
security
(i.e. in this case, of making the function trapdoor one way....).
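
The root extraction described above, worked through as an added example in Python (not code from the post): the four square roots of y = x^2 mod N for a Blum integer N = pq, each prime-field root taken as a^((p+1)/4), combined with the Chinese remainder theorem; and, as the reason the function is trapdoor one way rather than merely one way, how any two of those roots that are not negatives of each other factor N. The primes 7 and 11 and the sample x are toy values constructed for the example; real parameters are primes of roughly 1024 bits each.

```python
from math import gcd

def inv_mod(x, m):
    """Modular inverse by the extended Euclidean algorithm."""
    r0, r1, s0, s1 = m, x % m, 0, 1
    while r1:
        qt = r0 // r1
        r0, r1 = r1, r0 - qt * r1
        s0, s1 = s1, s0 - qt * s1
    if r0 != 1:
        raise ValueError("not invertible")
    return s0 % m

def sqrt_mod_p3(a, p):
    """Square root of a mod p for p = 3 (mod 4): a^((p+1)/4). Deterministic, which
    is the efficiency point above; raises if a is not a square mod p."""
    if p % 4 != 3:
        raise ValueError("p must be 3 mod 4")
    r = pow(a % p, (p + 1) // 4, p)
    if r * r % p != a % p:
        raise ValueError("a is not a quadratic residue mod p")
    return r

def rabin_square(x, n):
    """The forward direction of f(x) = x^2 mod N, easy for anyone."""
    return x * x % n

def rabin_roots(y, p, q):
    """All four square roots of y mod N = p*q for a Blum integer N, via CRT on
    the sign choices (+/-rp, +/-rq). Needs the factorization: this is the trapdoor."""
    n = p * q
    rp, rq = sqrt_mod_p3(y, p), sqrt_mod_p3(y, q)
    cp = q * inv_mod(q, p)   # 1 mod p, 0 mod q
    cq = p * inv_mod(p, q)   # 0 mod p, 1 mod q
    return sorted({(sp * rp * cp + sq * rq * cq) % n for sp in (1, -1) for sq in (1, -1)})

def factor_from_roots(n, r1, r2):
    """If r1^2 = r2^2 mod n but r1 != +/-r2, then n | (r1 - r2)(r1 + r2) while
    dividing neither factor, so gcd(r1 - r2, n) is a proper factor of n. This is
    why an oracle that inverts x^2 mod N is as strong as factoring N."""
    if (r1 * r1 - r2 * r2) % n != 0 or (r1 - r2) % n == 0 or (r1 + r2) % n == 0:
        raise ValueError("need two roots of the same square that are not negatives")
    return gcd(r1 - r2, n)

if __name__ == "__main__":
    p, q = 7, 11                     # toy Blum primes (constructed)
    n = p * q
    x = 5
    y = rabin_square(x, n)
    roots = rabin_roots(y, p, q)
    print(y, roots)                  # four roots; x is one of them
    print(factor_from_roots(n, roots[0], roots[1]))
```

The last line is the flip side of "one of them at random is correct": if the party holding the trapdoor returns a root chosen without regard to which one the caller started from, the caller learns two independent roots with probability 1/2 and can factor N. Rabin-style signatures and encryption have to be arranged so this never happens.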


------------------------------

From: Anton Stiglic <[EMAIL PROTECTED]>
Subject: Re: Okay "experts," how do you do it?
Date: Fri, 17 Sep 1999 10:47:22 -0400


If you cannot write a paper explaining your algorithm clearly,
in pseudo code, and proving to me that it resists well to
linear attacks, differential attacks, slide attacks, etc...., I won't
even bother looking at it.  There used to be a time when
cryptosystems were built out of chaos, and the inventors did
not bother proving anything.  If you are so convinced that
your cryptosystem is good, start proving parts to hold that
theory.  Take for example DES, it is proven that Linear
cryptanalysis needs 2^{47} known plaintexts, that differential
attack needs 2^{47} chosen plaintexts, etc... Start giving
us results like that, if not no one will bother looking at your
code.  A large part of cryptographers, or cryptanalysts, are
not hackers, and won't bother looking at your code if you
don't put down in writing anything...
I actually started to look at your web page, the zipping part,
and the first lines I read contained false information (I
had already pointed them out to you).  I don't think you
have the mathematical background to prove to others,
or even convince yourself, that zipping helps.
Why would I bother to start looking at your code??

as


------------------------------

From: [EMAIL PROTECTED] (Patrick Juola)
Subject: Re: The good things about "bad" cryptography
Date: 17 Sep 1999 10:59:32 -0400

In article <[EMAIL PROTECTED]>,
John Savard <[EMAIL PROTECTED]> wrote:
>[EMAIL PROTECTED] (Patrick Juola) wrote, in part:
>
>>The problem is that the first point cited here -- *IF* the attacker
>>doesn't know the algorithm being used -- is widely regarded as a
>>deeply improbable event, especially in the case of a widely used
>>or distributed system.  I would, in fact, regard that point as "true
>>but irrelevant", in the same category as "if you make a lucky guess,
>>then any cryptographic method can be broken," or even "I have a blue
>>crayon on my desk."
>
>One could, if one wished, treat an algorithm as if it were a key.
>However, that prevents the algorithm from being analyzed properly.

I don't think it does.  'Treating the algorithm as if it were a
key,' is just another method of analysis -- and a method that's
essential to evaluating the security of a cryptographic *system*,
just as in a traditional key-based system, you need to evaluate
your methods for key storage and distribution as well as your
methods for key generation.

If you're dealing with a secret algorithm, and the security of
your system depends in part on the algorithm remaining secret,
then you have to examine whether or not you can have reasonable
confidence of the algorithm remaining secret.  But if the
algorithm takes 10,000 bytes to store, then whatever method you
use to store 10,000 bytes of algorithm could store 10,000 bytes
of anything -- including of course, key data.

The question is whether or not you can count on the algorithm
remaining secure -- if you *assume* that the attacker will have
to break an unknown system, then you need reasonable confidence
that the system is, in fact, unknown to the attacker.  Why do
you feel it will remain unknown?

        -kitten

------------------------------

From: Anton Stiglic <[EMAIL PROTECTED]>
Subject: Re: Okay "experts," how do you do it?
Date: Fri, 17 Sep 1999 10:50:47 -0400

>
>
> Even very tough mathematical problems can eventually be solved.

[...]

that is actually not true.  There are theories (sets of axioms) which
contain true statements that cannot be proven to be true in that
set of axioms.

>
>
> Think of Godel's Theorem, or the Halting Problem.
>

Those are in fact indirect examples!

>
> John Savard

Anton


------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Okay "experts," how do you do it?
Date: Fri, 17 Sep 1999 15:22:29 GMT

In article <[EMAIL PROTECTED]>,
  "Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote:
> Tom St Denis wrote:
> > I think you should try designing a system before you break one.  If
> > you design one you can get a feel for what/how you are trying to
> > protect the information.
>
> That is the opposite of the invariable advice given by the true
> experts.  It is true that you need to learn *cryptography*, i.e.
> the techniques of encryption, before *cryptanalysis*, but that's
> not the same as saying that you should try to *be* a codemaker
> before becoming a codebreaker.  The term "analysis" is part of
> "cryptanalysis" for a good reason; issues of vulnerability are
> matters for analysis, not construction.
>

But most of the time it's easier to analyze a system if you know the guts.  I
think the only way to know how to protect data is to try and do it.  Then to
try and break it.

I could break a 20 year old system, but why?  I am not using it.  I am
making/using peekboo for example so I would want to know how to break it (and
fix it of course).  I will not know this until I make peekboo.

Tom
--
damn windows... new PGP key!!!
http://people.goplay.com/tomstdenis/key.pgp
(this time I have a backup of the secret key)


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
