Cryptography-Digest Digest #281, Volume #10      Mon, 20 Sep 99 16:13:04 EDT

Contents:
  Re: Okay "experts," how do you do it? (John Savard)
  Re: Comments on ECC ("Joseph Ashwood")
  Re: Okay "experts," how do you do it? ("Joseph Ashwood")
  Re: some information theory (SCOTT19U.ZIP_GUY)
  Re: Yarrow: a problem -- am I imagining it? (Eric Lee Green)
  Re: Ritter's paper (Mok-Kong Shen)
  Re: Which of these books are better ? (Anton Stiglic)
  Re: (US) Administration Updates Encryption Export Policy (SCOTT19U.ZIP_GUY)
  Re: Okay "experts," how do you do it? ("Trevor Jackson, III")
  Re: Glossary of undefineable crypto terms (was Re: Ritter's paper) (Patrick Juola)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Okay "experts," how do you do it?
Date: Mon, 20 Sep 1999 18:00:17 GMT

Sundial Services <[EMAIL PROTECTED]> wrote, in part:

>Fighting this notion of human supremacy as long as I can, :-), and for
>the sake of argument :-) :-), I submit again the contrarian question...
>exactly WHAT is it that we are learning?

>Is it simply an issue that we don't have an effective way to represent
>the cipher in a way that the computer can be made to test it?  I
>question this, because nearly all ciphers these days are computer
>functions.  The computer does the encipherment; why can't the computer
>readily test the quality of the encipherment?  If humans alone can do
>this testing then... "why? why? why??"

>C'mon, gentlebeings, play along.  ;-)

Computers are good at doing arithmetic, and "doing the encipherment"
is just doing arithmetic.

Pattern recognition is much harder.

Of course some elementary statistical tests on ciphertext can be
easily computerized, but it's trivial to design a cipher system to
pass those tests, and passing them doesn't imply security.

Studying a cipher design, and finding flaws unique to that design,
requires real thought. Original thought isn't something easily
computerizable; what cryptanalysts do is similar to what
mathematicians do, and computers aren't in danger of replacing _them_
any time soon either.

John Savard ( teneerf<- )
http://www.ecn.ab.ca/~jsavard/crypto.htm
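An added illustration of the point made above (example code written for this page, not from the post): a byte-frequency chi-square test is easy to automate, and a constructed weak cipher, a repeating 256-byte XOR pad that is a keyed permutation of 0..255, passes it perfectly, because the flat ciphertext histogram comes from the pad being a permutation, not from any strength. The same test applied after a human guess about the structure (combining each byte with the one 256 positions later) fails loudly; the work is in the guess, which is the pattern recognition the post refers to. The cipher, the sample plaintext and the threshold are all constructed for the example.

```python
"""Added example (constructed for this page, not from the post): an elementary
byte-frequency test that a trivially weak cipher passes perfectly."""
import random

# Constructed sample plaintext: a 43-byte sentence repeated 256 times (11008 bytes).
# 43 is odd, so over the whole message every (plaintext position, pad position)
# pair occurs exactly once, which makes the ciphertext histogram exactly flat.
SAMPLE_PLAINTEXT = b"the quick brown fox jumps over the lazy dog" * 256

# Roughly the 99th percentile of the chi-square distribution with 255 degrees of freedom.
CRITICAL_99 = 310.5


def weak_cipher(plaintext: bytes, key: int) -> bytes:
    """Constructed weak cipher: XOR with a 256-byte pad that is a keyed permutation
    of 0..255 and simply repeats. Any message longer than 256 bytes reuses the pad."""
    pad = list(range(256))
    random.Random(key).shuffle(pad)
    return bytes(p ^ pad[i % 256] for i, p in enumerate(plaintext))


def chi_square_bytes(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform distribution."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    expected = len(data) / 256
    return sum((c - expected) ** 2 / expected for c in counts)


def looks_uniform(data: bytes) -> bool:
    """The kind of test that is easy to computerize: is the byte histogram flat?"""
    return chi_square_bytes(data) < CRITICAL_99


def xor_at_lag(data: bytes, lag: int) -> bytes:
    """Combine each byte with the byte `lag` positions later. If the keystream
    repeats with period `lag`, the key cancels and plaintext XOR plaintext remains."""
    return bytes(a ^ b for a, b in zip(data, data[lag:]))


if __name__ == "__main__":
    ct = weak_cipher(SAMPLE_PLAINTEXT, key=2024)
    print("plaintext  chi-square %.1f  flat: %s"
          % (chi_square_bytes(SAMPLE_PLAINTEXT), looks_uniform(SAMPLE_PLAINTEXT)))
    print("ciphertext chi-square %.1f  flat: %s"
          % (chi_square_bytes(ct), looks_uniform(ct)))
    # The identical test, applied after a guess about the structure (pad period 256):
    lagged = xor_at_lag(ct, 256)
    print("lag-256    chi-square %.1f  flat: %s"
          % (chi_square_bytes(lagged), looks_uniform(lagged)))
```

The ciphertext statistic is exactly zero here, which a fuller test suite would itself flag as "too good", but a plain threshold test accepts it; the plaintext fails the same test badly, and so does the lag-256 combination, whose bytes never have the high bit set because they are XORs of two ASCII characters.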

------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Comments on ECC
Date: Mon, 20 Sep 1999 10:53:55 -0700

[snip]
>  Especially when one considers the source of the quoted
> statement (the "A" in RSA), it should be taken with a grain of salt, as ECC is
> an algorithmic competitor to RSA and is "stronger, shorter, faster, etc."
[snip]
Actually having spent a significant amount of time discussing cryptography
in general, and public-key cryptography in particular, with Adleman, I have
confidence in his abilities and lack of his ego getting in the way of his
judgement. He has even been known to tell his classes that he believes that
the factoring problem will fall, and take RSA with it. I will admit that he
did say that he wasn't sure if he'd live long enough to see it fall, but
then again I'm not even truly convinced that the factoring problem will
completely fall. While Adleman may not have built the reputation of Rivest
in the cryptographic field, he is in his own right a relatively unbiased
individual, and I will gladly say that if he has his doubts about ECC, then
I will need to see proof (not simply speculation) to the contrary.
            Joseph



------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Okay "experts," how do you do it?
Date: Mon, 20 Sep 1999 11:29:48 -0700

I propose this as sort of a step in the right direction (towards a good test
box).
We simply implement every known break, and use them to create a fuzzy value
(floating point number [0,1]) indicating the assuredness of the security of
the design. While this could in no way help us with something as powerful as
the AES candidates, it would eliminate a large number of ciphers that are
insecure, and would allow the examination of new methods to progress to a
developmental stage instead of simply having to go over old ground over and
over. I'm sure that with our combined knowledge we would be able to develop
a series of tests that would test for the known variants of Slide, Linear,
Differential, etc. tests, and we could expand it as more information becomes
available. Who knows, maybe it'll help us actually do something useful with
our lives instead of all of us trying to use a Slide attack on Scott19
(whether or not it works, the point remains that having 100's of people
doing the same thing is wasted effort). Also, given these fuzzy values we
could optimize our attack knowing where the holes are likely to be, if there
are any. That means that at any given time there would exist a computer
program capable of near state of the art cryptanalysis, something absolutely
vital in order for us to eliminate poor ciphers, and be fairly assured that
a given cipher would not be beaten by a rank amateur.

The same methodology could be used to build ciphers of a certain style,
giving us the availability of a staggeringly huge number of ciphers with the
same security characteristics. The down side is that if a flaw is found in
the entire class of ciphers (say Feistel ciphers) then they must all be
discarded, but with the speed that they could then be created (perhaps
hundreds or thousands a day) the lost ciphers would not be a big issue.
                            Joseph



------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: some information theory
Date: Mon, 20 Sep 1999 19:49:20 GMT

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
>SCOTT19U.ZIP_GUY <[EMAIL PROTECTED]> wrote:
>
>: One should use comprssion that does not add information to the message
>: that an attacker could use. One way to guarantee no information is added
>: is to use a compression/decompression method that is "one to one".
>: As I have stated many times it is easy to check for this property.
>: And I have at my site the ONLY compression method that
>: uses method. But I am looking for others. IF you know of ANY
>: let me know. [...]
>
>I have looked for other such compressors... but without success.
>
>I don't know if you're the first person to identify the need for
>such a compression program, and to actually produce one, but
>congratulations anyway ;-)
    Thank you, it is not often I get congrats. It was my interest in PGP
that made me first look in this direction. I noticed that very little, at
least in the open literature, was done on this topic. I am sure that the
NSA has looked at this extensively, but I am not sure if any of their compression
methods are openly available to the public.
  You folks are probably lucky my English writing skill is so bad. I would
have worked for the NSA years ago when I applied, but they most likely tossed
out the forms. But this is the right place to discuss this topic; what confuses
me is the lack of intelligent discussion on this topic here. Why Bruce and
David W. stay away from this area, which should be obvious to someone
of their supposed stature, is beyond me. Even their inability to understand
C should not hinder them in this discussion.
  Actually that is what I did in my former jobs. They get impossible problems
and I make up methods to do them. I have fixed code in so many systems
that I don't even know what I have worked on, or what the so-called theoretic
paper procedures are to do it. One project I worked on was a project where
more features were needed; I said I wasn't familiar with the project or the
device. When I got involved I found it was something I coded years before,
so in a few days I easily added all the new stuff in. I like fixing code and
writing methods. I never have written encryption at work and was never
cleared for crypto. So what I do here is on my own. I have found breaks
in several systems at work, but no one really cared even if I had a fix.
The biggest system that I broke was one of the easiest. It was an S2K
system; someone was accused of giving a password away. They claimed
they had "experts" (Univac guys with suits and ties) look at it, and that
it was impossible to break. Well, I got a test S2K set of files and broke
the system in less than a day. The bosses were not happy since that
was not the official result wanted. But later the company that sold
the S2K crap to the government forgot to disable time bombs so that it
would stop working. Management had me fix the crap, since I edited raw
Univac assembly code to get around the damn problems the contractors
put in the software. But my skills as a Univac system programmer
were not needed for Y2K (Y2K is not the same as S2K), though
I did apply at CSC at my former boss's suggestion. So I feel the
US government is only paying lip service to fixing Y2K problems,
and I do speak with authority on that subject. What fixes they are
doing are "windowing", which only shoves the problem off a few more
years, making the problem worse instead of actually fixing the damn
code.




David A. Scott
--
                    SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
                    http://www.jim.com/jamesd/Kong/scott19u.zip
                    http://members.xoom.com/ecil/index.htm
                    NOTE EMAIL address is for SPAMERS
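One way to check the "one to one" property that the post says is easy to check, as an added example (written for this page; it is not Scott's code and not his compressor): exhaustively test both directions over every string up to some length, decompress(compress(x)) == x and compress(decompress(y)) == y. A naive run-length codec fails the second direction at once: most byte strings are not the canonical output of the compressor, so a candidate decryption that is not canonical can be rejected, which is exactly the added information the post is concerned about. A move-to-front transform (a real preprocessing step, length preserving rather than size reducing) passes, because every byte string of every length is a valid output. Both toy codecs and the checker are constructed for the example.

```python
"""Added example: exhaustively checking whether a compressor/decompressor pair
is one-to-one on all short strings. Both toy codecs and the checker are
constructed for this illustration; none of it is Scott's code."""
from itertools import product
from typing import Callable, Iterable, Optional, Tuple


def rle_compress(data: bytes) -> bytes:
    """Naive run-length coding: each run becomes a (count, byte) pair, count 1..255."""
    out = bytearray()
    i = 0
    while i < len(data):
        run = 1
        while i + run < len(data) and data[i + run] == data[i] and run < 255:
            run += 1
        out += bytes([run, data[i]])
        i += run
    return bytes(out)


def rle_decompress(data: bytes) -> Optional[bytes]:
    """Inverse of rle_compress; returns None for inputs that are not well-formed."""
    if len(data) % 2:
        return None
    out = bytearray()
    for i in range(0, len(data), 2):
        count, value = data[i], data[i + 1]
        if count == 0:
            return None
        out += bytes([value]) * count
    return bytes(out)


def mtf_encode(data: bytes) -> bytes:
    """Move-to-front transform: a length-preserving bijection on byte strings."""
    table = list(range(256))
    out = bytearray()
    for b in data:
        idx = table.index(b)
        out.append(idx)
        table.insert(0, table.pop(idx))
    return bytes(out)


def mtf_decode(data: bytes) -> bytes:
    """Inverse move-to-front; every byte string is a valid input."""
    table = list(range(256))
    out = bytearray()
    for idx in data:
        b = table.pop(idx)
        out.append(b)
        table.insert(0, b)
    return bytes(out)


def one_to_one_witness(compress: Callable[[bytes], bytes],
                       decompress: Callable[[bytes], Optional[bytes]],
                       alphabet: Iterable[int],
                       max_len: int) -> Optional[Tuple[str, bytes]]:
    """Test both directions over every string of length <= max_len drawn from
    `alphabet`. Returns None if the pair is one-to-one on that domain, otherwise
    the first string that breaks it, tagged with the direction that failed."""
    symbols = list(alphabet)
    for n in range(max_len + 1):
        for tup in product(symbols, repeat=n):
            s = bytes(tup)
            if decompress(compress(s)) != s:
                return ("decompress(compress(x)) != x", s)
            plain = decompress(s)  # treat s as a compressed file
            if plain is None or compress(plain) != s:
                return ("compress(decompress(y)) != y", s)
    return None


if __name__ == "__main__":
    print("RLE:", one_to_one_witness(rle_compress, rle_decompress, range(4), 4))
    print("MTF:", one_to_one_witness(mtf_encode, mtf_decode, range(4), 4))
```

The witness the checker returns for the run-length codec is the single byte 0x00, which is not even a well-formed compressed file; a longer witness such as 01 41 01 41 shows the other failure mode, two encodings of the same plaintext "AA" of which only 02 41 is canonical. Exhaustive checking is only feasible for short strings, so it is a necessary test, not a proof for all inputs.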

------------------------------

From: Eric Lee Green <[EMAIL PROTECTED]>
Subject: Re: Yarrow: a problem -- am I imagining it?
Date: Mon, 20 Sep 1999 12:07:40 -0700

Mark Wooding wrote:
> 
> Yarrow seems to be a rather clever design.  But there's something that's
> been nagging me about it for a while.
> 
> The actual output bits are generated by a block cipher in counter mode.
> A property of counter mode is that you don't get a repeat in the output
> until you've been through every possible counter value.  Thus, for any
> two adjacent output blocks $O_i$ and $O_{i + 1}$,
> 
>   P(O_i = O_{i + 1}) = 0
> 
> i.e., they'll always be different.  This isn't what I'd expect from a
> random source.  

If Yarrow were a random number generator, you are correct that this
would be a failure. However, it is not. It is a mechanism for generating
unpredictable cryptographic keys. The non-repeating property is thus a
useful property. 

-- 
Eric Lee Green    http://members.tripod.com/e_l_green
  mail: [EMAIL PROTECTED]
                   There Is No Conspiracy
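The observation in the quoted text, run at toy scale as an added example (written for this page; it is not either poster's code and not Yarrow's): the block cipher is stood in for by a constructed keyed permutation of a 12-bit block space, so the whole counter period can be enumerated. Within one period counter mode produces no repeated block at all, adjacent or otherwise, while a genuinely random source of the same block size shows birthday collisions long before 2^12 outputs. Whether that distinguishability matters depends, as the reply says, on whether the outputs are meant to look random or to serve as distinct unpredictable keys.

```python
"""Added example: block-cipher counter mode never repeats a block within one
period, unlike a truly random source. The 'block cipher' is a constructed toy
permutation, not Yarrow's primitive or any real cipher."""
import random

BLOCK_BITS = 12                  # tiny block so the whole period can be enumerated
BLOCK_SPACE = 1 << BLOCK_BITS


def toy_block_cipher(key: int):
    """Constructed stand-in for E_K: a keyed permutation of the block space,
    returned as a lookup table (E_K(x) = table[x]). Like any block cipher it is
    a bijection, which is all the argument relies on."""
    table = list(range(BLOCK_SPACE))
    random.Random(key).shuffle(table)
    return table


def counter_mode_blocks(key: int, count: int, start: int = 0):
    """O_i = E_K(start + i): the output blocks of a counter-mode generator."""
    e_k = toy_block_cipher(key)
    return [e_k[(start + i) % BLOCK_SPACE] for i in range(count)]


def random_blocks(seed: int, count: int):
    """An ideal random source of BLOCK_BITS-bit blocks (simulated, seeded)."""
    rng = random.Random(seed)
    return [rng.randrange(BLOCK_SPACE) for _ in range(count)]


def adjacent_repeats(blocks):
    """Number of i with O_i == O_{i+1}; zero for counter mode within one period."""
    return sum(1 for a, b in zip(blocks, blocks[1:]) if a == b)


def collisions(blocks):
    """How many blocks repeat an earlier one: the birthday effect a random
    source shows after roughly 2**(BLOCK_BITS/2) outputs."""
    return len(blocks) - len(set(blocks))


def expected_random_adjacent_repeats(count: int) -> float:
    """For an ideal source, P(O_i == O_{i+1}) = 2**-BLOCK_BITS per adjacent pair."""
    return (count - 1) / BLOCK_SPACE


if __name__ == "__main__":
    ctr = counter_mode_blocks(key=7, count=BLOCK_SPACE)
    rnd = random_blocks(seed=7, count=BLOCK_SPACE)
    print("counter mode: adjacent repeats", adjacent_repeats(ctr), "collisions", collisions(ctr))
    print("random      : adjacent repeats", adjacent_repeats(rnd), "collisions", collisions(rnd),
          "(expected adjacent repeats %.2f)" % expected_random_adjacent_repeats(BLOCK_SPACE))
```

For a 64-bit block the same zero-collision property holds for 2^64 outputs, far more than any generator emits between rekeyings, so the distinguisher needs on the order of 2^32 blocks to notice the missing birthday collisions; the toy block size only makes the effect visible in a few milliseconds.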

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Ritter's paper
Date: Mon, 20 Sep 1999 21:00:17 +0200

Terry Ritter wrote:
> 
> Whether you think I like to design parameterized families of ciphers
> mostly depends upon what you call a parameter:  I do argue for the use
> of scalable ciphers, which would certainly be parameterized in size,
> but specifically *not* parameterized in ways which would change their
> operation.  I do point out that many new cipher constructions simply
> have not been considered by academics, which is a loss for all of us,
> not just me.

I think that a general parameterized cipher by definition can have 
sizes (block sizes, key lengths, table sizes), round numbers and 
operations (statically or dynamically determined) selected by 
parameter values entered by the users. Limiting parametrization to 
sizes or a size is excluding benefits that may accrue from other 
parametrization dimensions. Parametrization delivers at least a part 
of the advantages of using multiple ciphers, for the analyst has to 
figure out the parameter values for attacking the cipher effectively, 
i.e. his work load is increased. Parametrization allows a cipher to 
adapt to advances in technology that become available to the analyst,
e.g. faster processor chips, and thus promises a longer useful 
service life of the cipher. That's why I have never yet understood 
why parametrization is not favoured in the AES project. 

In passing, I want to point out that both parametrization and
multiple ciphers can be subsumed by a concept of obtaining strength
that I like to term as the principle of variability. Due to
variability, the analyst has not a 'constant' target to deal with.
Consequently he needs more resources.

Concerning opinions given in a number of follow-ups in this thread, 
I like to say that my understanding of Mr. Ritter's paper is  
advocating for more openness to new ideas in the field of cipher 
designs. His few sentences about patents may be arguable, but that's 
not the major message of his paper in my view. (In fact, I disagree 
that breaking a patented cipher necessarily means infringement of 
the patent. For it is e.g. at least conceivable that one could under 
circumstances compute the key of a block cipher without actually 
implementing the patented cipher as such and use it. And if an 
employee of a company having a license is capable enough to break
a patented cipher, there is certainly no infringement of the patent 
and there is no cost involved for the analyst.) Mr. Ritter stressed
the advantage of using multiple ciphers (which tends to be ignored 
by the common users due to standardization efforts -- here using the 
forthcoming AES finalist as the single cipher) which in my humble 
opinion is evidently true. It is to be noted that using multiple 
ciphers does not mean deliberately seeking to use a combination of 
the poorer ciphers. It is an implicit assumption that the choice of 
the component ciphers is done with the usual care appropriate for 
the applications at hand. I don't see any reason why, for example, 
I shouldn't do multiple encipherment with the future finalist of AES 
and some of the candidates of AES that fail to be chosen as the 
finalist, excepting that there is probably some processing speed 
disadvantage.
 
In future one has probably on the one side to leave part of the 
current state of affairs exactly as it is, i.e. having the best 
academic cryptographers of the world continue to have their efforts 
concentrated on the analysis of one single cipher, namely the 
finalist of AES (if for no other reason than because it is their 
personal freedom to choose what they like to research), while on 
the other side it is, I believe, sensible and important for those 
who do not share the view of relying on a single standard cipher 
to continue to attempt to bring forth novel designs and to propagate 
the major points of Mr. Ritter's paper to the public so that these 
can be well informed even if they decide to stay always with the 
'golden' cipher for whatever reasons they have.

As an aside, there is one thing that I haven't yet fully understood
till present. There are people who praise the use of a cipher (DES) 
that has withstood long long years of heavily done cracking efforts
of the best of the profession. The same best cryptographers are
there for dealing with AES. But on the first day when the AES
finalist gets applied in the public, there will not yet be that 
amount of man years of analysis spent on it as compared to what 
DES has received up till now. So wouldn't it be sensible that there 
be a transition period where 3DES (since single DES is known to
be weak relative to current state of technology) and the finalist 
of AES co-exist as the 'standard' cipher?

M. K. Shen
============================
http://home.t-online.de/home/mok-kong.shen

------------------------------

From: Anton Stiglic <[EMAIL PROTECTED]>
Subject: Re: Which of these books are better ?
Date: Mon, 20 Sep 1999 15:21:06 -0400

>
> JaeYong Kim ([EMAIL PROTECTED]) wrote:
> : for both conceptional understanding and mathematical understanding..
> : 1. Applied Cryptography, Bruce Schneier
> : 2. Handbook of Applied cryptography, Menezes et al
> : 3. Cryptography: Theory and Practice, Stinson

1. is a good *reference* for the practical part of crypto; some chapters can also
be read as a story book.
2. is an excellent *reference* for the theoretical part, giving some
practical implementation advice.
3. is an excellent introduction; this book is to be read like a story.  I used it
in a crypto class I took.




------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: (US) Administration Updates Encryption Export Policy
Date: Mon, 20 Sep 1999 20:48:48 GMT

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Jerry 
Coffin) wrote:
>In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] 
>says...
>
>[ ... ] 
>
>> The District Court in the Bernstein case declared that the US BXA Regs were
>> unconstitutional.  This means they apply to every case and every one:  past,
>> present, and future.
>> 
>> UNCONSTITUTIONAL
>
>Wrong.  First of all, a District Court's decision is only considered 
>precedential inside that district, not in other districts.  If another 
>district court chooses to, it can take the other district's decision 
>as guidance, but there's definitely NO obligation for it to follow 
>that guidance.
>
>Second, the case is still open to appeal.  It's possible that the 
>decision could be reversed on appeal.
>
>Third, the primary reason for finding the regulations unconstitutional 
>was the lack of ability to appeal a decision.  The same basic 
>regulations on export itself could apparently be made constitutional 
>simply by providing a better process for appealing a decision.
>
>Finally, note that the Bernstein case revolved around the use of 
>source code as a method of communication between people, so there was 
>a restriction on the right to free speech.  If, for example, you write 
>source code like Dave Scott's, which nobody can read, that argument 
>obviously goes out the window.  To export source code in accordance 
>with this decision, you could be called upon to prove that the 
>_primary_ reason for using source code was simply to provide an 
>unambiguous method of communicating with another person.  If the 
>primary reason for the source code is to provide for a computer to 
>take certain actions, it's unlikely that this decision would apply.
   Actually I think it can be read very easily. And C is a good way to
communicate ideas. The reason that some of the Crypto Gods say
it is too hard for them to understand is just laziness on their part.
Source code like mine is a good way to communicate ideas. If
one has trouble understanding it they can write a small portion of the
code and test it themselves.
  The source code was not in English and then turned into special
source code for a computer. The thinking was done trying to use
C as the vehicle, much as one does when they use English to think
about something. To say it is not from my mind is to say a German
story writer is not allowed to write in German since he is only
free in the US if he thinks in English word terms.

>
>Of course, I'm not an attorney, so any serious questions about this 
>should be taken to an attorney, and particularly one who's experienced 
>in this particular area.  To do otherwise is to place yourself in 
>considerable jeopardy of being prosecuted at the very least.  If you've 
>seen the cost of legal defense, you'll quickly realize that simply 
>being prosecuted (even if you win) can be extremely damaging all by 
>itself.
>

  Yes, I see your point. It is better to slowly lose all one's freedoms to
an oppressive government than to ever risk standing up for what one thinks
is right. After all, they always go after the other group, not yours. The point
is, if enough people don't stand up for their freedoms, then there soon will
be no freedoms to stand up for.
  I think misguided thoughts like yours lead to the bombing in Oklahoma.
The bombing was wrong, no doubt about it. I know it was wrong. But there
are disturbed individuals that used the illegal, immoral butchery of the
women and children at WACO as an excuse to do the bombing in Oklahoma.
I think DK was a very bad person. But the coverup and lies left an open sore
for less stable individuals to take action. Especially when the FBI sends
their only publicised specialist in shooting women who hold babies. Yes,
that's right. He killed an unarmed woman holding a baby at Ruby Ridge and
then as a reward he gets sent to WACO. What the hell was the PR
department of the FBI thinking? Do they think that just because David K.
was a bad guy they don't need to be concerned about crazies putting
2 and 2 together to get 4?






David A. Scott
--
                    SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
                    http://www.jim.com/jamesd/Kong/scott19u.zip
                    http://members.xoom.com/ecil/index.htm
                    NOTE EMAIL address is for SPAMERS

------------------------------

Date: Mon, 20 Sep 1999 15:46:02 -0400
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Okay "experts," how do you do it?

Sundial Services wrote:

> Ahh yes, the NP-complete problem.

There is a difference between NP-complete (hard) and undecidable
(impossible).  The former can be solved by application of an adequate amount
of calculation.  It is hard because the amount of calculation required goes
up rapidly as the size of the problem grows.

Undecidable problems can never be solved because they involve a
contradiction.  Like "This sentence is false" they often contain
level-crossing self references.  In the case of an algorithm analyzing
another algorithm, the result of applying it to itself is the essence of the
impossibility.  Unless the algorithm is trivial, and no algorithm-analyzing
algorithm can be trivial, it will not be possible to get a sensible answer.


> Okay, then, "for-GET how it works."  Let's look only at the input, the
> output, and the key.  Let's pretend we cannot determine the algorithm.
>
> What is it about an algorithm's input and output that enables us to say
> that it is a "good" encryption algorithm?  What is it about the
> algorithm's dependence upon its two inputs, 'p' and 'k', as realized in
> the output 'c', that makes the algorithm a "good" one or a "bad" one?

This may, in theory, be possible, but it doesn't go far enough for your
purposes.  Consider that any set of metrics for imputing cipher strength on
the basis of p/k/c is going to have limits.  As a cipher designer I* can
probably come up with a cipher that looks weak but is good, and worse, a
cipher that looks good, but is weak.

This means that once a set of guidelines or standard is established,
designers will quickly find ways to evade the guidelines in order to
confound their opponents.

There are probably deep connections with thermodynamics, entropy, etc. here.
1) You can't win.
2) You can't break even.
3) You can't get out of the game.

*I in the metaphoric sense; I don't claim to be a cryptologist.


>
>
> > Patrick Juola wrote:
> >
> > > There OUGHT to be an objective test-bed that we can plug these
> > >algorithms into, to test them.
> >
> > Actually, it's much harder than you think to come up with an algorithm
> > for analyzing other algorithms.  In point of fact, that's one of the
> > few things that's easy to prove *impossible* in computer science




------------------------------

From: [EMAIL PROTECTED] (Patrick Juola)
Subject: Re: Glossary of undefineable crypto terms (was Re: Ritter's paper)
Date: 20 Sep 1999 15:33:59 -0400

In article <[EMAIL PROTECTED]>,
Mok-Kong Shen  <[EMAIL PROTECTED]> wrote:
>Douglas A. Gwyn wrote:
>> 
>> provably secure: adj. (said of a cryptosystem) - Capable of being
>> shown, using accepted mathematical standards of proof, to possess
>> some specified property that meets a generally accepted criterion
>> for suitability in applying the system to some specified security
>> function (such as privacy, authentication, nonrepudiation, etc.).
>
>Probably problematical is 'a generally accepted criterion', for 
>the very existence of this has yet to be established.

Actually, I think the "generally accepted criterion" has long
been established; some problems are "generally accepted" to
be hard -- factoring, discrete logarithm, and roll-your-own-NP-complete
among them.  Techniques of problem reduction have been formalized
and accepted since at least (Cook, 1971).  So it's generally accepted
that a problem "as hard as" a "hard" problem is proven "hard."

Of course, there are always a few hard-liners and wing-nuts out there
who don't believe that a given problem is "hard" -- general acceptance
doesn't mean and never has meant universal acceptance without a
single exception or reservation.  (It's "generally accepted" that
the Moon landings occurred, too, despite the existence of the Flat
Earth Society.)

My question remains, however, for the hard-liners and wing-nuts.
Why are you so willing to question the "expert" judgement of the
people who work in the cryptographic field, while blissfully unaware
of the *rest* of the ways in which your system can fail that are
not even subject to proof?  I don't need to crack your RSA modulus
if I can read your secrets from your mind via tarot cards. 

        -kitten

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
