Cryptography-Digest Digest #259, Volume #10 Fri, 17 Sep 99 22:13:03 EDT
Contents:
Re: Okay "experts," how do you do it? (Tom St Denis)
Re: crypto export rules changing ("John K. Taber")
Re: 3des? (Tom St Denis)
Re: Okay "experts," how do you do it? ("Joseph Ashwood")
Hushmail.com and Bruce Schneier (Jon Gilliam)
Re: Second "_NSAKey" ("Trevor Jackson, III")
Re:peekboo needs help :( (Anonymous)
Re: 3des? (Tom St Denis)
Re: Okay "experts," how do you do it? (Patrick Juola)
Re: unix clippers that implement strong crypto. (Alwyn Allan)
Re: Neal Stephenson's Cryptonomicon: Crypto Cop-Out ("Danno")
Re: The good things about "bad" cryptography ("Trevor Jackson, III")
The Cracking of Gregory Braun's Crypto v3.5 by CASIMIR (JPeschel)
Re: Large number arithmetic (Eric Lee Green)
Re: Okay "experts," how do you do it? ("Trevor Jackson, III")
Re: arguement against randomness ("Trevor Jackson, III")
Re: Example of a one way function? ("Boris Kolar")
'noise' as a random source bleaching problems (Guillaume Filion)
Re: The good things about "bad" cryptography ("Trevor Jackson, III")
Re: Analogues to ECC over higher dim. abelian groups (Alex)
Re: Ritter's paper ("Trevor Jackson, III")
Re: Ritter's paper ("Trevor Jackson, III")
----------------------------------------------------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Okay "experts," how do you do it?
Date: Fri, 17 Sep 1999 21:55:48 GMT
In article <7rtcmo$n9u$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) wrote:
> It no more has a 19-bit block size than IDEA has a 16-bit block size.
> But then you are not an expert and if they don't tell you, you can't seem
> to understand logic.
No, understand this.
Idea is said to have a 64-bit block because it's a bijective function of
64-bits input. Yours is a bijective function of 19-bits input. So it's a
19-bit block. Just because you use a special encoding mode doesn't increase
the block sizes of the cipher.
> Actually as Joe P. says it has been blessed by Mr Wagner as immune to his
> Slide attack. Also others have tested various plain text attacks and
> differential analysis so you cut the crap tommy.
Whoopy.. There are about 50 other attacks known that you have not examined...
start working.
Tom
--
damn windows... new PGP key!!!
http://people.goplay.com/tomstdenis/key.pgp
(this time I have a backup of the secret key)
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: "John K. Taber" <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: crypto export rules changing
Date: Fri, 17 Sep 1999 17:52:57 -0500
Bill Unruh wrote in message <7rspn9$aro$[EMAIL PROTECTED]>...
>In <7rrb4k$[EMAIL PROTECTED]> [EMAIL PROTECTED] (Paul Rubin) writes:
>
>>A big liberalization of export rules is supposed to be announced
>>today, but apparently there will also be some key escrow provisions.
>
>Hardly big. Basically an attempt to buy off the large corporations so
>that they will not join in the push for open systems. It makes their
>stance more and more of a farce.
If I can export my cryptanalysis program to most of the world without
let or hindrance, then this new rule is for real.
My program does nothing more than provide aids for solving newspaper
type simple substitution ciphers, and a few more puzzle ciphers; all
of which are worthless for real security. Yet I have been stymied for
a decade getting my program overseas because it falls under the
goddamn crypto regs.
So, my program is a test whether this announcement is one more
in a string of phony liberalizations announced by the Government, or
is for real.
The test of the pudding is in the eating.
John K. Taber
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: 3des?
Date: Fri, 17 Sep 1999 23:03:35 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (John Savard) wrote:
> I remember a claim in AC that the key strength of DES with independent
> keys is really only about 65 bits.
Really? Hmm... have any refs for this fact? I want to look em up.
Tom
--
damn windows... new PGP key!!!
http://people.goplay.com/tomstdenis/key.pgp
(this time I have a backup of the secret key)
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Okay "experts," how do you do it?
Date: Fri, 17 Sep 1999 17:25:39 -0700
> he's paranoid but not totally wrong. just an example.
> an unknown designs a new cypher A and coppersmith, rivest and shamir
> design a another new cypher B. Will you read both papers with the
> same 'open mind' ?
I see no reason not to, one paper is likely to be very interesting, while
the other is likely to involve a large body of comedic work.
> if yes, that means you read all the cypher descriptions posted to sci.crypt
> and elsewhere and study them as much as you study any AES proposal.
> in fact i hope you don't because it is obviously a waste of time.
With an AES candidate it is unlikely to find a break no matter how much time
one spends, however the cypher A is likely to be broken (or at least
suspected) by the time the reading is finished.
As a side note I find it rather odd that Scott19u fails compilation due to
non-standard headers, which basically means that although I am willing to
dig through his source code (which last time I went over it was poorly
documented, and wouldn't compile on any of the 7 compiler/machine
combinations I tried it on), I may not be one of the crypto gods but even I
won't waste my time trying to read it, and I didn't even get past the
#include's.
Joseph
------------------------------
From: Jon Gilliam <[EMAIL PROTECTED]>
Subject: Hushmail.com and Bruce Schneier
Date: Fri, 17 Sep 1999 19:19:57 -0500
Reply-To: [EMAIL PROTECTED]
Hello,
For all who are interested, we've replied to Bruce's article on our
website regarding potential security concerns for HushMail.Com.
(www.hushmail.com/bruce_comments.htm)
We're sorry we were unable to join any newsgroup discussions, we were so
slammed during the first few months of our release. We'll try to be more
involved in the future.
Thanks.
jg
--
Jon Gilliam
Hush Communications USA
[EMAIL PROTECTED]
------------------------------
Date: Fri, 17 Sep 1999 20:49:09 -0400
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Second "_NSAKey"
Douglas A. Gwyn wrote:
> "Trevor Jackson, III" wrote:
> > We may not be able to determine what the actual purpose of their
> > "backup key" may have been, ...
>
> To the contrary, Microsoft *has* explained the purpose, and it
> was quite plausible (although perhaps ill-advised). The "role
> that NSA played" was, according to Microsoft, that NSA would be
> reviewing the product for export, and Microsoft didn't want to
> be forced to hand over their private key to NSA, so they
> anticipated this by providing for a second, NSA-private, key
> that could not be used to authenticate Microsoft modules but
> could be used by NSA to verify how the framework operated,
> using NSA's own (test) modules.
>
> I know I've mentioned this in previous posts; haven't they
> reached the newsgroup?
Whether they have reached the newsgroup or not your claims are false.
In "http://www.microsoft.com/security/bulletins/backdoor.asp"
Microsoft(tm) claims that they have not given either key to anyone,
particularly not the NSA. Thus, according to Microsoft(tm), the second
key labeled _NSAKEY is purely a disaster prevention mechanism.
Of course you are free to dispute that claim as I do. Do you believe it
has a purpose other than disaster mitigation?
------------------------------
Date: Fri, 17 Sep 1999 17:51:31 +0200 (CEST)
From: Anonymous <[EMAIL PROTECTED]>
Subject: Re:peekboo needs help :(
>It supports RC5/Cast/Blowfish/RC4 and
>Twofish (good variety)
For a really good *variety* add Leapfrog or Diamond2
(not designed by the cabal!)
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: 3des?
Date: Sat, 18 Sep 1999 00:17:56 GMT
In article <[EMAIL PROTECTED]>,
Anton Stiglic <[EMAIL PROTECTED]> wrote:
> Tom St Denis wrote:
>
> > Ok here's an interesting question?
> >
> > If using DES with 768-bit keys provides no better resistance (and no less) to
> > iterative attacks but allows a key strength of 384 bits (because of the mitm
> > attack) [...]
>
> Where in the world did you read that? What do you mean by man in the middle
> attack on DES. Are you talking about 3DES?
In Applied Crypto, talking about normal DES using independent round keys.
> The most powerful known attack against DES is Linear Cryptanalysis.
> You need 2^{47} known plaintexts.
> For a differential attack, you need 2^{47} chosen plaintext attacks (which
> is harder to get than the known plaintexts....).
> Both schemes are practically impossible for now, and many years to come
> (imagine storing 2^{47} plaintexts!, you're better off using brute force, which
> will take you on average 2^{55} DES calls and uses 0 memory.).
I thought linear was around 2^43? ... anyways... I was just thinking if DES
with ind round keys gives you a bigger keyspace why not use that? instead of
the slower 3des?
Tom
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
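The meet-in-the-middle argument behind both 3des? exchanges above (the "768-bit keys give 384-bit strength" remark, and the earlier question about what Applied Cryptography says about independent round keys) is easiest to see on a toy. The following is an added example, not code from the thread or from any cipher discussed in it: a constructed two-round cipher on 16-bit blocks whose two 16-bit round keys are chosen independently, so the nominal key is 32 bits. Each round is "xor the round key, then apply a fixed public permutation" (the permutation is a seeded shuffle, purely for reproducibility). The attack recovers both keys with about 2 * 2^16 round evaluations and a 2^16-entry table instead of 2^32 trials. Only the generic halving is shown here; the thread's specific "65 bits" figure is a different, stronger result and is not reproduced.

```python
import random

BITS = 16
SIZE = 1 << BITS

# Fixed public 16-bit permutation, built from a seeded shuffle so the example
# is reproducible (constructed for this illustration). It stands in for the
# unkeyed part of a round; the attack below does not depend on its details.
_rng = random.Random(19990917)
SBOX = list(range(SIZE))
_rng.shuffle(SBOX)
SBOX_INV = [0] * SIZE
for _x, _y in enumerate(SBOX):
    SBOX_INV[_y] = _x


def round_fn(k, x):
    """One round: mix in an independent 16-bit round key, then permute."""
    return SBOX[x ^ k]


def round_inv(k, y):
    """Inverse of round_fn for the same round key."""
    return SBOX_INV[y] ^ k


def encrypt(k1, k2, p):
    """Two rounds under independent keys: nominal key size 32 bits."""
    return round_fn(k2, round_fn(k1, p))


def decrypt(k1, k2, c):
    return round_inv(k1, round_inv(k2, c))


def known_pairs(k1, k2, plaintexts):
    """Known plaintext/ciphertext pairs an analyst is assumed to hold."""
    return [(p, encrypt(k1, k2, p)) for p in plaintexts]


def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known pairs.

    Cost: 2^16 forward round evaluations to fill the table plus 2^16
    backward round evaluations to probe it, instead of 2^32 trial
    encryptions. Because the block is only 16 bits, a single pair leaves
    about 2^16 candidate (k1, k2) pairs; the remaining pairs filter them.
    """
    (p0, c0), rest = pairs[0], pairs[1:]
    forward = {}                      # middle value -> keys k1 producing it
    for k1 in range(SIZE):
        forward.setdefault(round_fn(k1, p0), []).append(k1)
    survivors = set()
    for k2 in range(SIZE):
        middle = round_inv(k2, c0)    # undo round 2 under candidate k2
        for k1 in forward.get(middle, ()):
            if all(encrypt(k1, k2, p) == c for p, c in rest):
                survivors.add((k1, k2))
    return survivors


def work_factor(bits_per_half):
    """Trials needed when a key splits into two independent halves."""
    return {"exhaustive": 1 << (2 * bits_per_half),
            "meet_in_the_middle": 2 * (1 << bits_per_half)}


if __name__ == "__main__":
    K1, K2 = 0x1234, 0xBEEF           # constructed secret round keys
    pairs = known_pairs(K1, K2, [0x0000, 0x00FF, 0xABCD])
    print(meet_in_the_middle(pairs))  # {(4660, 48879)}
    print(work_factor(16))
```

Applied to 16 DES rounds with independent 48-bit subkeys, the same split treats rounds 1-8 as k1 and rounds 9-16 as k2, so the 2^768 nominal keyspace costs on the order of 2^385 time and 2^384 table entries; that is why independent round keys buy nothing like the key length suggests.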
------------------------------
From: [EMAIL PROTECTED] (Patrick Juola)
Subject: Re: Okay "experts," how do you do it?
Date: 17 Sep 1999 11:34:03 -0400
In article <7rtmb6$ci7$[EMAIL PROTECTED]>,
Tom St Denis <[EMAIL PROTECTED]> wrote:
>In article <[EMAIL PROTECTED]>,
> "Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote:
>> Tom St Denis wrote:
>> > I think you should try designing a system before you break one. If
>> > you design one you can get a field for what/how you are trying to
>> > protect the information.
>>
>> That is the opposite of the invariable advice given by the true
>> experts. It is true that you need to learn *cryptography*, i.e.
>> the techniques of encryption, before *cryptanalysis*, but that's
>> not the same as saying that you should try to *be* a codemaker
>> before becoming a codebreaker. The term "analysis" is part of
>> "cryptanalysis" for a good reason; issues of vulnerability are
>> matters for analysis, not construction.
>>
>
>But most of the time it's easier to analyze a system if you know the guts. I
>think the only way to know how to protect data is to try and do it. Then to
>try and break it.
>
>I could break a 20 year old system, but why?
*Could* you? That's the question.
If you have the knowledge to break a 20-year old system, then you've
already learned quite a bit about cryptanalysis. I suspect that most
of the cypher designers out there *can't* break a 20 year old system
and many of them couldn't even follow explicit cookbook-style directions
for an attack known to work on a given system.
Yes, it's much easier to analyze a system if you know the guts. But
you also need to know the techniques of analysis -- and until/unless
you've done several analyses, you're unlikely to have mastered them.
As a professor of mine told me long ago, "Mathematics is not a
spectator sport."
-kitten
------------------------------
Date: Fri, 17 Sep 1999 20:38:35 -0400
From: Alwyn Allan <[EMAIL PROTECTED]>
Crossposted-To: comp.security.unix
Subject: Re: unix clippers that implement strong crypto.
"Christopher J. Mattern" wrote:
> "Illegal but perhaps difficult to prosecute" is *still* illegal...
Illegal is not a precisely defined legal term. In general use it means "forbidden by law."
There is no law which forbids the use of patented technology, therefore it is not illegal.
Patent law simply allows the patent holder, through civil court action, to stop the
commercial use of the patented technology for a period of time. It does not provide for
damages, even in cases of flagrant and willful infringement.
I'm not a lawyer, but I have one!
------------------------------
From: "Danno" <[EMAIL PROTECTED]>
Crossposted-To: rec.arts.sf.written,alt.cyberpunk
Subject: Re: Neal Stephenson's Cryptonomicon: Crypto Cop-Out
Date: Fri, 17 Sep 1999 17:01:26 +0100
> > Present-day, the US could easily offer a reward on Saddam Hussein's head.
> > Some large sum of US dollars, payable in cash at a secret location or
> > whatever. With the cooperation of both sides of the exchange, one of which
> > is a government for crying out loud, tracing it isn't a realistic option.
> > The problem is that anyone who attempts to kill Saddam is likely to fail.
>
> The problem is that it's against the law to assassinate foreign
> leaders. The bigger problem is people like you who think the government
> should ignore this law cause after all we're killing bad people. Yet
> this ugly, underground shit has a habit of coming back to haunt us.
2 bones:
"bad people?" C'mon. Saddam Hussein has been "monstorised" by the west, when
all he is is a clever man, who keeps trying to work out ways to improve his
country, working out how he can sneak around "laws" and acquired resources.
And about the idea of it being against the law. - Laws are made by the
Governments, or communities of Governments, but once again it always comes
down to who has the biggest force. Laws can be made and broken in a second
when needed.
------------------------------
Date: Fri, 17 Sep 1999 21:01:18 -0400
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: The good things about "bad" cryptography
John Savard wrote:
> [EMAIL PROTECTED] (Patrick Juola) wrote, in part:
>
> >The problem is that the first point cited here -- *IF* the attacker
> >doesn't know the algorithm being used -- is widely regarded as a
> >deeply improbable event, especially in the case of a widely used
> >or distributed system. I would, in fact, regard that point as "true
> >but irrelevant", in the same category as "if you make a lucky guess,
> >then any cryptographic method can be broken," or even "I have a blue
> >crayon on my desk."
>
> One could, if one wished, treat an algorithm as if it were a key.
> However, that prevents the algorithm from being analyzed properly.
>
> I do view the points in the second group as being...secondary. This is
> why those in the school of thought that advocates focusing on points
> of that type - of which I only included three representative examples
> - while ignoring the primary considerations that respected and
> conservative authorities advocate is indeed wrongheaded, and largely
> deserves its poor reputation.
>
> But there is a problem. Even Bruce Schneier noted the existence of a
> problem when he recently noted that about the only algorithm that has
> *really* received adequate analysis is DES. Not Blowfish, not any of
> the AES candidates.
There's a related problem in that there are no metrics for "adequacy of
analysis". How much, and what quality, of analysis is adequate?
The observation re DES could be based on the conclusion that DES has had
more analysis than any other cipher. This suggests that the most-analyzed
cipher will always be considered "adequately" analyzed (or _almost_
adequately analyzed), and all other ciphers will suffer in comparison.
Are we really reduced to Marx's Labor Theory of Value? It leads, ad
absurdum, to the idea that adding additional analysis makes a cipher
stronger. I suspect this rationalization is part of the foundation for
the veneration accorded ciphers analyzed by authorities.
Until there are well-defined engineering techniques, with associated
figures of merit, cryptology will be an Art instead of a Science, and thus
vulnerable to the Aristotelian fallacy of appeal to authority.
> We do need more choices. But that isn't a valid argument for opting
> for poor choices, I agree. I believe, however, that there is a way out
> of this dilemma.
....(drumroll).....
------------------------------
From: [EMAIL PROTECTED] (JPeschel)
Subject: The Cracking of Gregory Braun's Crypto v3.5 by CASIMIR
Date: 18 Sep 1999 00:25:20 GMT
Casimir writes: "Braun pretends to use the BlowFish
algorithm to provide secure encryption in his
application Crypto v3.5. Actually the algorithm
used is a weak proprietary one.
"In order to decrypt a file, Crypto v3.5 feeds
with the Password a home-made hash function
which produces a 32-bit key: KEY_1. Then KEY_1
is manipulated (shifts, ANDs) to produce a
second 32-bit key: KEY_2. KEY_2 is compared
against a third 32-bit key: KEY_CHK, which
is stored in the header of the encrypted file. If
KEY_2 = KEY_CHK, then Crypto v3.5 decrypts
file using KEY_1 as the decryption key."
Part A of Casimir's essay is now on my web
site. (See the "Key Recovery Resources"
page.) Part B and Part C, source code for
a cracker, will soon follow.
Joe
__________________________________________
Joe Peschel
D.O.E. SysWorks
http://members.aol.com/jpeschel/index.htm
__________________________________________
------------------------------
From: Eric Lee Green <[EMAIL PROTECTED]>
Subject: Re: Large number arithmetic
Date: Fri, 17 Sep 1999 17:55:10 -0700
Marco Lange wrote:
> I am looking for a performant implementation or algorithm for
> these large number calculations.
Depending upon your platform and programming language, you may wish to
consider the GNU 'mp' (Multiple Precision) library. That's what I use to
do Diffie-Hellman on Unix. It's faster than anything I could have coded
from scratch (the authors have gone to the trouble of implementing
portions of it in assembly language for almost every known CPU type),
and the licensing isn't too bad as long as you deliver a dynamically
linked binary as well as a statically linked binary (the license says
that your program must be linkable against newer versions when they come
out, but otherwise the library is completely and totally free).
--
Eric Lee Green http://members.tripod.com/e_l_green
mail: [EMAIL PROTECTED]
^^^^^^^ Burdening Microsoft with SPAM!
------------------------------
Date: Fri, 17 Sep 1999 21:38:10 -0400
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Okay "experts," how do you do it?
Anton Stiglic wrote:
> >
> >
> > Even very tough mathematical problems can eventually be solved.
>
> [...]
>
> that is actually not true. There are theories (sets of axioms) which
> contain true statements that cannot be proven to be true in that
> set of axioms.
Sure it is. "Very tough" does not describe the Halting Problem, Godel's
Theorem, or incrementing from one to 2^googol. Those problems cannot be
"solved", and we can prove it.
------------------------------
Date: Fri, 17 Sep 1999 21:28:30 -0400
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: arguement against randomness
fungus wrote:
> [EMAIL PROTECTED] wrote:
> >
> > Is anything truly random...
> >
>
> Yes.
>
> The time between each new instance of the "random number"
> thread in this group is truly random.
So? Show us proof that would satisfy Knauer! ;-)
>
>
> Unfortunately it doesn't provide enough entropy
> for encryption of extremely long messages.
It is also not unpredictable. It can be trimmed arbitrarily short. Tho
I do not see a way to lengthen the interval...
------------------------------
From: "Boris Kolar" <[EMAIL PROTECTED]>
Subject: Re: Example of a one way function?
Date: Fri, 17 Sep 1999 17:20:32 +0200
Roger Carbol <[EMAIL PROTECTED]> wrote in message
news:8E438698Crcarbol@news...
> I. Michael Mandelberg <[EMAIL PROTECTED]> wrote:
>
> > Can someone point me to a one-way-function that is typically used
> > for encryption?
> > It ought to use a key.
>
>
> Multiplication.
>
>
>
>
> .. Roger Carbol .. [EMAIL PROTECTED]
Of course multiplication is a one-way function, but it's not a very
convenient one. There are one-way functions with some additional desirable
properties like:
- 1-1 (permutation)
- length preserving ({0,1}^n -> {0,1}^n)
- maximum period (2^n)
However I have not yet found a one-way function with ALL the above
properties. Perhaps someone can help me?
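The three structural properties listed above can be checked exhaustively for small n, which is a useful habit before spending any time on the one-way question. The following is an added example, not part of the post: it checks bijectivity, length preservation and maximum period (a single cycle of length 2^n) for candidate functions on {0,1}^n, and uses two constructed candidates to make the point that all three properties together say nothing about one-wayness. A full-period linear congruential generator modulo 2^n (Hull-Dobell conditions: c odd, a = 1 mod 4) satisfies all three and is inverted in constant time; squaring modulo 2^n is length preserving but not 1-1.

```python
def is_length_preserving(f, n):
    """Every output of f on {0,1}^n fits in n bits."""
    return all(0 <= f(x) < (1 << n) for x in range(1 << n))


def is_permutation(f, n):
    """f is 1-1 on {0,1}^n (equivalently onto, since the set is finite)."""
    seen = set()
    for x in range(1 << n):
        y = f(x)
        if not (0 <= y < (1 << n)) or y in seen:
            return False
        seen.add(y)
    return True


def cycle_lengths(f, n):
    """Sorted lengths of the cycles of a permutation f on {0,1}^n."""
    if not is_permutation(f, n):
        raise ValueError("f is not a permutation of {0,1}^n")
    unvisited = set(range(1 << n))
    lengths = []
    while unvisited:
        start = unvisited.pop()
        x, length = f(start), 1
        while x != start:          # walk the cycle back to its start
            unvisited.remove(x)
            x, length = f(x), length + 1
        lengths.append(length)
    return sorted(lengths)


def has_maximum_period(f, n):
    """Iterating f from any point visits all 2^n values: one cycle of 2^n."""
    return is_permutation(f, n) and cycle_lengths(f, n) == [1 << n]


# Candidate 1 (constructed): full-period LCG modulo 2^n.
def make_lcg(n, a=5, c=3):
    mod = 1 << n
    return lambda x: (a * x + c) % mod


def lcg_preimage(y, n, a=5, c=3):
    """Invert the LCG in O(1): a maximum-period permutation that is
    trivially not one-way, since a has an inverse modulo 2^n when odd."""
    mod = 1 << n
    return ((y - c) * pow(a, -1, mod)) % mod


# Candidate 2 (constructed): squaring modulo 2^n, length preserving but
# not 1-1 (for example both 0 and 16 square to 0 modulo 256).
def make_square(n):
    mod = 1 << n
    return lambda x: (x * x) % mod


if __name__ == "__main__":
    n = 8
    lcg, sq = make_lcg(n), make_square(n)
    print(is_permutation(lcg, n), has_maximum_period(lcg, n))   # True True
    print(is_length_preserving(sq, n), is_permutation(sq, n))   # True False
    print(lcg_preimage(lcg(17), n))                             # 17
```

The exhaustive checks are only feasible for small n, but the structural properties are exactly the ones that can be proven for all n once a candidate passes the small cases; the one-way property cannot be established this way at all, which is why the LCG passes every structural test and still fails.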
------------------------------
From: [EMAIL PROTECTED] (Guillaume Filion)
Subject: 'noise' as a random source bleaching problems
Date: Fri, 17 Sep 1999 21:15:03 -0400
Hi all,
I'd like to try to have noise as a random number source as described in
Phrack (http://www.phrack.com/search.phtml?view&article=p54-5 ) but I'm
having some problems compiling the code provided to bleach the input.
Here's what I got:
[gfk@gfk bleach]$ make all
gcc -w -c md5/md5.c
gcc -c sha/shs.c
gcc -o sha_distill sha_distill.c shs.o
sha_distill.c: In function `main':
sha_distill.c:9: `stdin' undeclared (first use in this function)
sha_distill.c:9: (Each undeclared identifier is reported only once
sha_distill.c:9: for each function it appears in.)
sha_distill.c:14: `stdout' undeclared (first use in this function)
make: *** [all] Error 1
I'm using RedHat Linux 6 (Kernel 2.2.5-22) on a i586 processor and using
egcs-1.1.2-12 as the compiler.
Anyone knows what I should do to make it compile?
TIA,
GFK's
--
"And despite the multitude of high-tech features on the site, we've
avoided the use of Java, JavaScript, Windows NT, and other
problematic technologies." KPIG.com's Webmaster
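The errors in the build log above (`stdin` and `stdout` "undeclared") are what gcc reports when a C file uses those streams without `#include <stdio.h>`, so that header is the first thing to check in sha_distill.c. Independently of the compile problem, the distilling ("bleaching") step itself is worth seeing with its one important parameter exposed: how many raw bytes must go into each hash to avoid emitting more output than the input's entropy supports. The following is an added example in Python, not the Phrack program and not the poster's code; the hash choice (SHA-256), the chunking rule and the constructed sample input are assumptions of this illustration.

```python
import hashlib
import math
from collections import Counter


def estimate_bits_per_byte(sample):
    """Shannon entropy of the byte histogram, in bits per byte.

    This is an upper estimate: it treats bytes as independent, so correlated
    noise (a slowly drifting ADC reading, a periodic pattern) has less real
    entropy than it reports. Use it as a sanity check, not as proof.
    """
    counts = Counter(sample)
    total = len(sample)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def distill(raw, bits_per_byte, hash_name="sha256"):
    """Bleach raw noise into uniform-looking output without inflating it.

    Each output digest is computed over enough raw bytes to contain at least
    one digest's worth of (estimated) entropy. A trailing partial chunk is
    discarded rather than hashed, so output never exceeds what the input
    can support. Returns (output_bytes, chunk_size).
    """
    if not 0 < bits_per_byte <= 8:
        raise ValueError("bits_per_byte must be in (0, 8]")
    digest_bits = hashlib.new(hash_name).digest_size * 8
    chunk = math.ceil(digest_bits / bits_per_byte)
    out = bytearray()
    for i in range(0, len(raw) - chunk + 1, chunk):
        out += hashlib.new(hash_name, raw[i:i + chunk]).digest()
    return bytes(out), chunk


def constructed_noise(n):
    """Constructed stand-in for sound-card samples: bytes alternating 0, 1.

    The histogram estimate says 1 bit per byte, yet the sequence is fully
    predictable, which is exactly the overestimate the docstring above
    warns about: the estimate bounds entropy from above, never from below.
    """
    return bytes(i & 1 for i in range(n))


if __name__ == "__main__":
    raw = constructed_noise(1024)
    rate = estimate_bits_per_byte(raw)          # 1.0
    out, chunk = distill(raw, rate)
    print(rate, chunk, len(out))                # 1.0 256 128
```

In practice the bits-per-byte figure should come from a conservative, offline assessment of the noise source, with the histogram estimate used only to catch gross failures (a stuck input reads as 0 bits per byte and the distiller then refuses to run); hashing is a whitening step and cannot manufacture entropy the source does not have.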
------------------------------
Date: Fri, 17 Sep 1999 21:16:52 -0400
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: The good things about "bad" cryptography
Steven Alexander wrote:
> I am not against the use of multiple algorithms as it does mean that only a
> fraction of your messages will be uncovered if one of the algorithms is
> cracked. However, when choosing which algorithm/s to use it is best to pick
> algorithms that have been tested so that it is known that at the very least
> there are no obvious attacks against it. If several experts spend a great
> deal of time studying an algorithm and uncover nothing then it will almost
> certainly take an expert of equal or greater skill to uncover a flaw in the
> algorithm. This is not to say, however, that another expert will not break
> it. It only lends weight to the argument that such a task will be
> difficult.
While one needs to include the best tested algorithms, choosing only publicly
known algorithms may be a form of weakness. Any cryptographic attack requires a
significant amount of human resources -- intelligence. By including a few
less-well-known (obscure) or private (secret) algorithms in your mixture you may
be able to evade the threat of comprehensive analysis on a scale we do not
consider available, or a catastrophic failure of classes of algorithms. It may
not be worthwhile for an attacker to muster the human resources necessary to
reduce an obscure or secret algorithm because the value of the result is too low
to justify the effort. Human resources do not scale well. Machine resources are
essentially fungible.
A large number of products each utilizing mostly well-respected ciphers, each
having a small set of unique ciphers, is probably the worst threat to the
comprehensive coverage desired by the dark government agencies and other
Opponents.
------------------------------
From: Alex <[EMAIL PROTECTED]>
Subject: Re: Analogues to ECC over higher dim. abelian groups
Date: 17 Sep 1999 22:00:56 -0400
> How can #J be that big? At most there are 5 points on any line thru a
> given y, and 2 y's for any x, so that's 10p. Can you try to explain
> what I'm missing?
He's not counting the number of points on the curve, but the number of
points in its Jacobian over F_p. Since the curve is genus two, that's
going to be on the order of the square of the number of points on the
curve, I think.
Alex.
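The size of the Jacobian that the reply refers to follows from the Hasse-Weil bounds; this is an added note, not part of Alex's post. For a curve $C$ of genus $g$ over $\mathbb{F}_q$ with Frobenius eigenvalues $\alpha_1, \dots, \alpha_{2g}$, each of absolute value $\sqrt{q}$,

$$
\#J_C(\mathbb{F}_q) = \prod_{i=1}^{2g} (1 - \alpha_i), \qquad
(\sqrt{q} - 1)^{2g} \le \#J_C(\mathbb{F}_q) \le (\sqrt{q} + 1)^{2g},
$$

while the curve itself has only

$$
\#C(\mathbb{F}_q) = q + 1 - \sum_{i=1}^{2g} \alpha_i, \qquad
\bigl|\#C(\mathbb{F}_q) - (q + 1)\bigr| \le 2g\sqrt{q}.
$$

For $g = 2$ and $q = p$ this gives $\#J_C(\mathbb{F}_p) \approx p^2$, between $(\sqrt{p}-1)^4$ and $(\sqrt{p}+1)^4$, whereas $\#C(\mathbb{F}_p) \le p + 1 + 4\sqrt{p}$, which is consistent with the "two $y$'s for any $x$" count of at most $2p + 1$ affine points. The group used for the discrete-logarithm problem is the Jacobian, so it is the former quantity, not the point count, that sets the size of the problem.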
------------------------------
Date: Fri, 17 Sep 1999 22:06:54 -0400
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Ritter's paper
Douglas A. Gwyn wrote:
> "Trevor Jackson, III" wrote:
> > There are several gaps here. The glaring one is that we have no
> > ciphers (excluding OTP) that are secure. We have only ciphers that
> > are not secure or whose security we are unable to determine. Note
> > that last: it does not mean we "think" they are secure. It means we
> > do not know.
>
> (a) OTP is clearly not secure *in practice*. In a simplified
> theoretical framework, it has certain mathematical properties
> that are usually summarized by "is secure", but the exact
> formulation is important.
It is also irrelevant. OTPs are not the topic.
> (b) Other cipher systems have been described in the open literature
> under the appellation "provably secure". Again, one has to examine
> the details to know exactly what that means.
Usually this means as secure/hard as X where X is "thought to be secure"
or "thought to be hard". Hardly a convincing manner of proof.
> (c) Shannon showed one way in which degree of security could be
> quantified, in his description of unicity point. An elaboration
> of this idea can be used to prove certain bounds on insecurity
> for systems on the proper side of the unicity point. (These
> might not correspond to systems in actual use, but it shows that
> there are non-OTP theoretical counterexamples to your claim.)
No it does not. The unicity point concept has little bearing on the great
majority of modern block ciphers. Modern ciphers attempt to
confuse/diffuse/etc until the best attack is brute force. A cipher that
achieves this is considered secure. But that achievement does not prevent
an attacker from identifying the actual plain text once he has found it.
A cipher that provided sufficient variation to eliminate the attackers
ability to identify a successful decryption would be immune to brute force
attack. This is the essential issue addressed by the concept of the
unicity point. It is one basis for claiming provable security. I know of
no others. Do you?
>
>
> (d) By "we" you must mean "Trevor Jackson and people I know about."
> How do you know that point (c), or some other approach, hasn't been
> developed into a full, practical theory by people you *don't* know
> about?
This amounts to a threat of a Blue Queen. I don't know of any. I said
so. Do you know of any? You have not said so.
Until there is a specific claim available for inspection and analysis, I
will maintain that there are none such.
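For readers who want the quantity behind the "unicity point" exchange above, here is Shannon's unicity distance written out; this is an added note, not part of the thread, and the English figures are the usual textbook estimates. With $H(K)$ the key entropy in bits, $|A|$ the plaintext alphabet size and $H_L$ the entropy per plaintext character, the per-character redundancy and the unicity distance are

$$
D = \log_2 |A| - H_L, \qquad n_0 = \frac{H(K)}{D}.
$$

For English, $\log_2 26 \approx 4.70$ and $H_L \approx 1.5$, so $D \approx 3.2$ bits per letter; for a 56-bit key this gives $n_0 \approx 56 / 3.2 \approx 17.5$ letters. The expected number of spurious keys (wrong keys whose decryption of an $n$-character ciphertext still looks like plaintext) satisfies

$$
\bar{s}_n \;\ge\; 2^{\,H(K) - nD} - 1,
$$

which drops to essentially zero once $n > n_0$. That is the link to the brute-force discussion above: for ciphertexts longer than $n_0$ an exhaustive search can recognise the correct key from the plaintext alone, while for $n < n_0$ several keys remain indistinguishable, which is the "proper side" of the unicity point. A few lines of ciphertext already exceed $n_0$ for any modern block cipher, so the concept bounds what an exhaustive search can confirm rather than protecting the cipher.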
------------------------------
Date: Fri, 17 Sep 1999 22:13:08 -0400
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Ritter's paper
Patrick Juola wrote:
> In article <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]> wrote:
> >: (b) Other cipher systems have been described in the open literature
> >: under the appellation "provably secure". Again, one has to examine
> >: the details to know exactly what that means.
> >
> >In the case of these other ciphers, such as Blum-Blum Shub, the term
> >always means "provably as secure as" a mathematical problem, such as
> >factoring or discrete logarithm, which cannot itself be proved to be truly
> >hard.
>
> My understanding is that there are other cyphers -- the Rip van Winkle
> cypher leaps to mind -- that are "provably secure" in the sense of a
> proven lower bound on the work factor.
Yes, but work factor arguments are suspect. QC is the threat on the horizon.
There may be other over-the-horizon threats that may compromise a work factor
evaluation.
>
>
> Of course, these cyphers are also impractical (more impractical than
> the OTP, in fact) -- but this is as much a technological issue as
> a mathematical one.
Hmmm. Does the lower bound proof show a differential effect of technology?
I.e., does using the cipher get easier with the advance in technology faster
than cracking the cipher gets easier?
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************