Cryptography-Digest Digest #266, Volume #10      Sat, 18 Sep 99 22:13:03 EDT

Contents:
  Re: Ritter's paper (Terry Ritter)
  Re: Ritter's paper (Terry Ritter)
  Re: Ritter's paper (Terry Ritter)
  Re: Ritter's paper (Terry Ritter)
  Re: Ritter's paper (Terry Ritter)
  Re: unix clippers that implement strong crypto. (Terry Ritter)
  Re: Ritter's paper (Terry Ritter)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Ritter's paper
Date: Sun, 19 Sep 1999 00:31:04 GMT


On Tue, 14 Sep 1999 21:55:14 -0700, in
<[EMAIL PROTECTED]>, in sci.crypt Sundial Services
<[EMAIL PROTECTED]> wrote:

>Terry Ritter wrote:
>
>> >   I checked it out; nice article.  But what I did not get was the comment about
>> >if you use a patented system and someone breaks it you can recover damages.
>> >What did you mean by that, Mr. Ritter?  Are you saying it is against the law to
>> >decode something that is encrypted with a patented method?
>> 
>> Against the law?  Well, yes, sort of:  using a patented cipher without
>> an explicit license is grounds for a suit to recover damages in
>> federal court.
>
>
>It may be so, Mr. Ritter, but personally I felt that the article was a
>bit too self-defensive about the issue of a cipher being patentable or
>not, and patented or not.  

If you would count sentences which did not refer to patenting, as
opposed to those which did, you might have a different slant on what
"self-defensive" means.  

The problem is that academics refuse to address patented cryptographic
technology, for the various reasons Schneier discusses.  But whatever
those reasons are, they prevent academics from becoming expert on that
new technology, and we all lose.  


>An algorithm's patent status is neither a
>crown nor a scarlet-letter and should not interfere with objective
>judgement of it.  You have some original ideas and should be justifiably
>pleased to have a patent and you should continue to exploit it.

I don't know that I have been exploiting very much.  I do note that my
work is not discussed in the literature -- despite ink-on-paper
publication as well as patents -- while many arguably lesser systems
have been.


>But I debate in my mind how successful one would be, asking a jury to
>reward one spook for stealing secrets from another spook.  

Actually, we would be asking a jury for damages, subsequent to misuse
of trade secrets.  The deciphering would be clear indication of a
patent infringement, and the worth of that would be the value of the
lost information. 


>I debate how
>successful software patents really are, anyway.  You just can't
>touchy-feely computer software like you can a physical invention...

This does not appear to apply to me:  It would be difficult to call my
patents "software patents" in any conventional sense.  While it is
true that they do apply to software, they are very much conventional
machine patents.  And their purpose is to protect new cryptographic
technology, not particular ciphers.  

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM


------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Ritter's paper
Date: Sun, 19 Sep 1999 00:42:36 GMT


On 15 Sep 99 03:02:44 GMT, in <[EMAIL PROTECTED]>, in sci.crypt
[EMAIL PROTECTED] () wrote:

>Terry Ritter ([EMAIL PROTECTED]) wrote:

>[...]
>However, the cryptanalytic effort directed against DES has demonstrated
>that it is unlikely - very unlikely - that there is some stupid flaw in
>DES that would be obvious to a moderately competent opponent.

Saying that something we do not know is "unlikely" implies an
unwarranted and unfortunate extrapolation from what we do know to what
we do not.  That is inductive reasoning, and it must be handled very
carefully, because it is very easy to get wrong.  Normally, inductive
reasoning must be backed up by deduction from the conclusion, which is
not possible here.  So in this case, it is bad Science.  


>: The only interaction of interest is
>: between the cipher and The Opponent, and the Opponents are not
>: talking.
>
>Yes, but I think that an underworld cabal with cryptanalytic competence
>approaching that of the NSA, for example, is a subject for a James Bond
>movie, but not a threat analysis. However, not all cryptography is aimed
>at mere hackers; one might be involved in human-rights efforts, and not
>wish the Chinese government to read one's mail.
>
>My point here is that a cipher beyond the reach of Eli Biham and the like
>*is* beyond the reach of a large number of likely opponents.

And you apparently recommend that same cipher for tasks which *would*
engage NSA and organized crime as well as for ordinary business and
personal use.  Then, if the cipher *is* broken (in secret), why do you
think that the technology would be applied against only serious
communications?

Moreover, the basic concept is wrong.  What is beyond Biham now may
not be beyond the ordinary hacker after new technology is published.
So when I say that we do not know strength, I mean we *really* do not
know cipher strength.  It is not that we know some minimum strength
and someone may eventually have the tools to surmount that.  


>: >(That the history of
>: >cryptography is replete with systems that have been proposed for
>: >serious use, but which had serious and obvious flaws, as Bruce noted,
>: >is surely a fact beyond dispute.)
>
>: Yes.  But these data do not imply what you think they do.  They have
>: shown weakness; they do not imply strength in the remaining ciphers.  
>
>No, they do not. But they imply that weakness is likely in an unexamined
>cipher. The ones that have survived winnowing for obvious flaws have been
>shown not to have that particular type of flaw.

Then I would suggest that you demand that paid academics who claim
expertise in this area start serving the public good by performing
such analysis on a broad scale.  


>Thus, in using a "new" cipher, I am taking a risk that a moderately
>competent cryptanalyst might be able to break it. In using one that has
>been extensively studied, I can - as a rough estimate - hope that it will
>take an additional period of study, as long as that to which it has
>already been subjected, before a flaw turns up.
>
>(Yes, I am a Bayesian.)

Yet that still does not make your logic correct.


>: I would say that, in cryptography, partial confidence is no confidence
>: at all.  
>
>You have a point. However, 1000 times zero is still zero. I trust you can
>see how that makes your position as untenable as Bruce's by that standard.

No, I do not.  I do not claim absolute security.  However, I do claim
that a multicipher is inherently *more* protective of its ciphering
components than any single component by itself.  Being protected is
not the same as being fully exposed, and that is true even if we don't
know the strengths of the component ciphers.


>: My article was a specific response to the earlier column which
>: essentially said that new cryptography was bad cryptography.  My
>: article addresses that issue, and apparently you agree that it needed
>: to be said.
>
>Well, you seem to have just said that old cryptography is bad
>cryptography.

Certainly the old ideas about cryptography are bad cryptography.

Cryptanalysis is not how we know cipher strength; we have no such
tool.  In fact, cryptanalysis is how we know cipher weakness (and then
only an upper bound -- the "real" strength may be far less) for
ciphers we will not then use.  For the untouched ciphers we *will*
use, cryptanalysis has not testified *at* *all* about strength.  


>Bruce correctly stated the risks of using untried cipher designs. They
>have a significant likelihood of flaws that are relatively easy to find.

Schneier clearly supports the AES approach to the selection of a
single cipher.  That cipher immediately becomes a universal target.
This approach is fundamentally wrong.  


>: I am aware that the old point of view is fundamentally flawed and
>: scientifically invalid.  It is *not* almost valid.  It is *not* partly
>: right.  It is *not* right in practice.  It is just wrong.
>
>You are correct in saying that certainty of a type recognized in
>mathematics is absent here. Many situations in life involve an absence of
>certainty. There are ways in which people respond rationally to such a
>condition.

Alas, the evidence we have from cryptanalysis is not the sort which
allows prediction of strength.  The same logic we might use to decide
about automobile reliability or make use of faulty software simply
does not apply in this situation.  

In most risk situations which we know from real life, we have some
understanding of the value we risk, and the probability of failure.
But in crypto, we cannot realistically hope to know the probability of
failure, and extrapolating that from cryptanalytic experience is just
flat wrong and bad Science.  Moreover, the value being risked here is
not just one person or one company, but nothing less than the entire
content of our information society: the simple selection of a single
standard cipher thus becomes a threat instead of an advantage.   


>Bruce recommends one form of response: gather as much corroborating
>evidence as one can, even if it is of a kind with a fundamental
>limitation.

I agree with that.  But knowing the limits of this, I disagree that it
is sufficient, and there has been no Schneier proposal to address the
problem.  Quite the contrary, the Schneier proposal is that we do not
use new cryptography, and that we all rely upon one of the few ciphers
which are academically well-regarded.  I find this last especially
ironic, since we would normally expect academics to enforce tight
reasoning and good Science.  


>You recommend other responses: use multiple ciphers, use a cipher few
>other people are using so as to limit the amount of effort expended
>against it.
>
>Your recommendations are sound *additional* measures to take in this
>situation of uncertainty. But because you are emphasizing that Bruce's
>approach doesn't produce logical certainty, you appear to imply that his
>strategy of response to the uncertainty can, and perhaps even should, be
>neglected.

I not only imply, I directly state that the claim that a cipher is
strong because it survives cryptanalysis is simply false.  The idea
that we would bet our information society on any particular opinion
about strength is frankly appalling.  


>Obviously, you don't really mean that. You would not seriously offer to
>the public an encryption program that enciphered people's messages using
>10 algorithms taken from a pool of 1000 algorithms - that you had
>developed for you by a local Grade Five class. You wouldn't do that;
>nobody would. And the reasons you don't are the same reasons that are
>behind what Bruce had said. So Bruce is not "just plain wrong".

While I appreciate your attempts to get Schneier and myself to duke it
out while you watch, this is a fundamental issue for cryptographic
science, and not some sort of battle between sides.  Schneier merely
represents and promotes the currently accepted but false beliefs about
what ciphers should be.  To that same extent, the other side deserves
to be heard, and you will not hear about another side in his works or
writings, and I call that deceptive.  

I find it difficult to credit Schneier for advocating that we not do
something which nobody would do anyway.  Instead, the issue before us
is the opinion he offers as an expert and the process he supports to
provide guidance to the rest of society beyond what they would
normally do.  In my view, that opinion and process are fundamentally
flawed in a clear, logical, scientific way that almost everyone can
understand.  This is what it means to be just plain -- and completely
-- wrong.  

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM


------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Ritter's paper
Date: Sun, 19 Sep 1999 00:46:41 GMT


On Fri, 17 Sep 1999 03:43:26 GMT, in <7rs9t4$um8$[EMAIL PROTECTED]>, in
sci.crypt [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) wrote:

>[...]
>    Jerry, if you think the AES candidate will be hot, what if Ritter used it
>in series with one that he thinks is strong?  If you use both methods
>correctly, mostly just ensuring that the length of data put in each method
>matches the length of data out and that the keys used with each are
>independent, then you can safely assume the combination will be no
>weaker than the stronger of the two methods used.

I don't recall who pointed this out originally, but it has been widely
discussed, perhaps in the last round on this topic.  See:

   http://www.io.com/~ritter/NEWS4/LIMCRYPT.HTM

Anybody who likes AES can tell their system to use AES as one of the
ciphers and pick the other two "at random" from a local list of
approved ciphers, in negotiation with the other end.  If we use
separate keys for each cipher, the multi-cipher is extremely unlikely
to be weaker than any *one* of the components.  

To claim multiciphering is weaker than any single cipher alternative
is to claim that we cannot use that cipher as a component cipher,
which is almost surely wrong.  

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM


------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Ritter's paper
Date: Sun, 19 Sep 1999 00:30:47 GMT


On Wed, 15 Sep 1999 04:35:59 GMT, in <7rn47f$2i26$[EMAIL PROTECTED]>, in
sci.crypt [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) wrote:

>[...]
>   But I fear you make a point that a patented cipher may be weak
>because if the break is easy and if one publishes the break you
>could make a suit to recover damages.

That doesn't sound right to me.  Patents *disclose* information.  A
break might even be a different patentable invention.  It is not a
patent infringement to describe a patent which depends on another
patent -- in fact that happens all the time.  

On the other hand, using trade secret information which was protected
by cipher and then stolen by infringing on a cipher patent is wrong in
a lot of ways, and we are right to have laws to punish such activity.


We always use ciphers we think cannot be broken.  But if they also
have some possibility of legal recovery, that may be some advantage in
some cases.  


>How then can one study
>a patented method and tell others the weakness so they don't
>use a weak system?  It seems like the patent would actually slow
>down the science of crypto, except for groups like the NSA
>which never follow any laws anyway.

Maybe you have the wrong idea about patents:  The whole point of a
patent is to *reveal* information, not protect it.  It is trade
secrecy which hides information.  A patent protects the particular
*use* of particular information, not learning about it.  

In reality, a patent is an *economic* right, and rarely has anything
to do with individual use.  (One could of course postulate the
existence of a large company with an individual owner who might say
that he was using a patent for his "own personal use" all over the
company, but that is rare.)

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM


------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Ritter's paper
Date: Sun, 19 Sep 1999 00:31:19 GMT


On 15 Sep 1999 23:32:35 GMT, in
<7rpaaj$14d$[EMAIL PROTECTED]>, in sci.crypt
[EMAIL PROTECTED] (Bodo Moeller) wrote:

>[...]
>In the multi-cipher scenario, you assume that there's an independent
>team for each cipher ("Each cipher breaks with probability f(R/N)",
>so the assumption is that effort  R/N  goes into each of the  N
>ciphers).  However Terry Ritter's model seems to be that all the
>individual designs should be derived from the same `pool' of know-how
>(or he wouldn't talk about having "exponentially many" ciphers).

Not so.  That particular point is that when we have 3 layers of
component cipher, with n possible inner ciphers, we have n**3 overall
"ciphers."  


>The real discrepancy between your and Terry's opinions might be that
>you assume that the bulk of the analysis work can be done only once
>there's a fixed design to look at, whereas Terry assumes that lots of
>ciphers can be derived from collected knowledge on ciphers without
>analysing each of the resulting ciphers in that much detail.

One discrepancy is that I claim it is impossible to extrapolate cipher
strength from unsuccessful cryptanalytic work.  Cryptanalysis can
*only* testify to the weakness of ciphers, and *only* for ciphers
which are "broken," and then only as an upper bound.  Cryptanalysis
does *not* testify about the strength of unbroken ciphers, and those
are the only ones we want to use.  

Another discrepancy is that I protest anyone's "right" to put the
whole information society at risk on the basis of a few opinions on
strength which are not and cannot be based in scientific reason.  

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM


------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Crossposted-To: comp.security.unix
Subject: Re: unix clippers that implement strong crypto.
Date: Sun, 19 Sep 1999 00:32:50 GMT


On Fri, 17 Sep 1999 20:38:35 -0400, in
<[EMAIL PROTECTED]>, in sci.crypt Alwyn Allan
<[EMAIL PROTECTED]> wrote:

>"Christopher J. Mattern" wrote:
>
>> "Illegal but perhaps difficult to prosecute" is *still* illegal...
>
>Illegal is not a precisely defined legal term.  In general use it means
>"forbidden by law."  There is no law which forbids the use of patented
>technology, therefore it is not illegal.
>
>Patent law simply allows the patent holder, through civil court action, to
>stop the commercial use of the patented technology for a period of time.
>It does not provide for damages, even in cases of flagrant and willful
>infringement.

Absolutely false.  Where do you get this stuff?  Damages are at the
heart of patent infringement litigation.  

Specific damages include lost royalty income and profits made from
infringement.  In "cases of flagrant and willful infringement," one
could recover attorney fees with *triple* damages.  Deliberately
breaking a cipher well-known to be patented is clearly willful and
might be flagrant.  


>I'm not a lawyer, but I have one!

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM


------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Ritter's paper
Date: Sun, 19 Sep 1999 00:31:26 GMT


On Thu, 16 Sep 1999 16:50:04 -0400, in <[EMAIL PROTECTED]>, in
sci.crypt Jerry Leichter <[EMAIL PROTECTED]> wrote:

>[...]
>Ignoring the probability of ruin is at the heart of many bad
>probabilistic arguments - e.g., many naive arguments about martingales,
>and all sorts of bad investment strategies in the real world.

Yes.  The question is whether we would bet our grandmother's income on
our *opinion* that a particular mathematical conundrum could not be
solved.  Would we do it, and would it be right if we did?

Cryptanalysis simply does not testify to the strength of an unbroken
cipher.  To have everyone use one of those ciphers serves to target
that cipher for more analysis than it will have had.  And if it does
fall (typically in secret), the whole information society is at risk.
Will the cryptanalysts who approved it then compensate the rest of us
for their error?  And if not, is it not time for us to look this gift
horse in the mouth?  


>On the other hand, I think there are practical difficulties with Mr.
>Ritter's approach.  Even the cryptanalytic attacks known in the public
>literature are sufficiently powerful to slice right through most simple
>designs.  The ciphers that can survive *even the attacks we know about*
>are pretty rare on the ground.  Where will we find a large collection of
>reasonably secure ciphers to use for Mr. Ritter's scheme?
>
>Mr. Ritter likes to design parameterized families of ciphers - a
>powerful approach, and probably the only way to get a large number of
>reasonable cipher designs in hand quickly.  But that opens the door to
>attacks against whole families.

Whether you think I like to design parameterized families of ciphers
mostly depends upon what you call a parameter:  I do argue for the use
of scalable ciphers, which would certainly be parameterized in size,
but specifically *not* parameterized in ways which would change their
operation.  I do point out that many new cipher constructions simply
have not been considered by academics, which is a loss for all of us,
not just me.  

I advocate getting all the analysis we can, not using ciphers we think
are weak, and using multiple ciphers in sequence.  It is this last
which quickly expands the body of overall "ciphers," and also tends to
protect individual ciphers from unknown weakness they may possess.  


>If the collection of ciphers to be used in this scheme is fixed up
>front, it will be subject to attack - and likely many ciphers will be
>picked off.  

Anything can be attacked; the question is how successful the attack
will be.  Most modern attacks are forms of known-plaintext or
defined-plaintext which cannot be mounted here.  If a cipher's only
weakness is to known-plaintext, it ceases to be weak when used in a
cipher stack.  

Multiciphering does, by itself, protect component ciphers against
known-plaintext attack, which is a very significant advantage.
Consequently, the (unknown) strength of a multi-cipher using one's
favorite cipher as one component is likely to be far stronger than the
(unknown) strength of that favorite cipher alone.  


>So there will likely have to be a mechanism to add new
>ciphers to the mix.  

Indeed, I see this as a necessary part of increasing the cost of doing
business for our cryptanalytic opponents.  


>However, that opens a powerful line of attack to a
>knowledgeable opponent:  He can contribute (through apparently unrelated
>3rd parties, of course) a large number of apparently very good ciphers
>that he knows how to break.  

I'm not at all sure that this is as easy as it is made to sound here.



>Since no one will be in a position to do
>really deep analyses of many different ciphers, it's unlikely that the
>"spiked" ciphers will be found:  

Again, we all suffer when academics will not address the many new
ciphering constructions which have blossomed in recent years.  


>It took many years to become convinced
>that DES doesn't have a trap door, and even today there are people who
>retain their suspicions.  (Actually, an attacker of this sort wouldn't
>even have to wait for updates:  He would likely be right there at the
>initiation of the system, offering up a whole load of neat-looking
>ciphers.  It would require a big leap beyond the publicly-known state
>of the art in cryptography to slip a trap door into a system like AES,
>which will be very closely examined by many people *and is expected to
>be really strong* - so any weakness that *is* found will immediately
>raise a red flag.  

I think the exact same thing would be said for any cipher I would
suggest using.  


>On the other hand, it would be relatively easy to
>slip many subtly spiked systems into Mr. Ritter's pool, since no one
>would look at them very closely 

Again, it is a loss for all of us when academics who claim to study
cryptography do in fact generally restrict their attentions to small
steps around the area of old cryptography.  

On the other hand, we do not use ciphers which we expect are weak on
their own, unless their weakness is simply not exposed in the
multiciphering configuration.  We should not depend upon
multiciphering to shield them in unknown ways and make them stronger
than we already know.  


>- and, besides, even if one, or many, of
>the "spikes" were found, how could you distinguish that from those
>ciphers just being weak because the person who proposed them wasn't
>quite as good at crypto as he thought?)

It is unnecessary to distinguish the motive for a cipher being bad: if
we know a cipher is bad, we don't use it.  If we use it unknowingly,
it is at least in a multiciphering package with two other ciphers.  I
would expect that just having one trick cipher in the stack is not
going to be much help in penetrating the other two.  

Surely we can demand that the basic ciphering engines not expand data,
and thus allow no room for a secondary channel.  

I expect that the current crypto gods would as widely publicize their
own opinions of usable ciphers as they do today.  Many people would
take those recommendations, but others might have their own ideas.  

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
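Added example, not from the digest and not Ritter's own code: a toy Python three-layer cipher stack with independent per-layer keys, illustrating the multiciphering points argued in the messages above (three layers chosen from a pool of n ciphers give n**3 stacks, separate keys per layer, no data expansion, and why a known-plaintext pair for the whole stack is not a known pair for any one component). The component ciphers, the pool names and the key-derivation labels are constructed placeholders; real components such as an AES candidate would take their place.

```python
"""Toy three-layer cipher stack illustrating the multiciphering argument.

The components are CONSTRUCTED toys (keyed XOR stream, keyed byte
substitution, keyed byte transposition) so that the block runs with the
standard library; they stand in for real ciphers and are NOT secure.
"""
import hashlib, hmac, itertools

def _keyed_perm(key: bytes, n: int, label: bytes) -> list:
    """Fisher-Yates shuffle of range(n) driven by HMAC-SHA256 (toy keyed PRF)."""
    perm = list(range(n))
    for ctr, i in enumerate(range(n - 1, 0, -1)):
        digest = hmac.new(key, label + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        j = int.from_bytes(digest[:4], "big") % (i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    return perm

def xor_stream(key: bytes, data: bytes, decrypt: bool = False) -> bytes:
    """Toy component 1: XOR with an HMAC-SHA256 keystream (self-inverse)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, off.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def sbox_cipher(key: bytes, data: bytes, decrypt: bool = False) -> bytes:
    """Toy component 2: keyed 256-entry byte substitution."""
    sbox = _keyed_perm(key, 256, b"sbox")
    if decrypt:
        sbox = [sbox.index(v) for v in range(256)]  # inverse permutation
    return bytes(sbox[b] for b in data)

def transpose_cipher(key: bytes, data: bytes, decrypt: bool = False) -> bytes:
    """Toy component 3: keyed permutation of byte positions in the message."""
    perm = _keyed_perm(key, len(data), b"pos")
    if decrypt:
        out = bytearray(len(data))
        for i, p in enumerate(perm):
            out[p] = data[i]
        return bytes(out)
    return bytes(data[p] for p in perm)

# Constructed pool of "approved" component ciphers; each maps n bytes to n bytes.
POOL = {"xor": xor_stream, "sbox": sbox_cipher, "transpose": transpose_cipher}

def layer_keys(master: bytes, stack: tuple) -> list:
    """HKDF-SHA256 extract-then-expand: one independent 32-byte key per layer."""
    prk = hmac.new(b"cipher-stack-salt", master, hashlib.sha256).digest()
    return [hmac.new(prk, f"layer{i}:{name}".encode() + b"\x01", hashlib.sha256).digest()
            for i, name in enumerate(stack)]

def stack_encrypt(master: bytes, stack: tuple, plaintext: bytes) -> bytes:
    data = plaintext
    for name, key in zip(stack, layer_keys(master, stack)):
        data = POOL[name](key, data)
    return data

def stack_decrypt(master: bytes, stack: tuple, ciphertext: bytes) -> bytes:
    data = ciphertext
    for name, key in reversed(list(zip(stack, layer_keys(master, stack)))):
        data = POOL[name](key, data, decrypt=True)
    return data

def all_stacks(layers: int = 3) -> list:
    """Every ordered choice of pool ciphers: len(POOL) ** layers stacks."""
    return list(itertools.product(POOL, repeat=layers))

def middle_layer_pair(master: bytes, stack: tuple, plaintext: bytes) -> tuple:
    """The (input, output) pair an attacker on layer 2 would need: deriving it
    takes the keys of layers 1 and 3, so a known (plaintext, ciphertext) pair
    for the whole stack is not a known pair for the component."""
    k1, k2, _ = layer_keys(master, stack)
    mid_in = POOL[stack[0]](k1, plaintext)
    return mid_in, POOL[stack[1]](k2, mid_in)
```

With a pool of three toy ciphers `all_stacks()` returns the 27 possible stacks; the ordering of a stack is part of the negotiated choice, so the same three components in a different order decrypt only with the same order reversed.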


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
