Cryptography-Digest Digest #282, Volume #10 Mon, 20 Sep 99 20:13:05 EDT
Contents:
Re: (US) Administration Updates Encryption Export Policy (Jerry Coffin)
Re: Glossary of undefineable crypto terms (was Re: Ritter's paper) (Mok-Kong Shen)
Re: Comments on ECC (DJohn37050)
Re: Schrodinger's Cat and *really* good compression (Lamont Granquist)
binary anomalous curves (NIST-recommended elliptic curves) (Alfred John Menezes)
Re: one time pad SOLUTION ([EMAIL PROTECTED])
Re: Yarrow: a problem -- am I imagining it? (Paul Koning)
Re: Glossary of undefineable crypto terms (was Re: Ritter's paper) (Mok-Kong Shen)
Re: Glossary of undefineable crypto terms (was Re: Ritter's paper) (Mok-Kong Shen)
Re: unix clippers that implement strong crypto. (SCOTT19U.ZIP_GUY)
Re: Exclusive Or (XOR) Knapsacks ([EMAIL PROTECTED])
Re: Yarrow: a problem -- am I imagining it? (jerome)
Re: Glossary of undefineable crypto terms (was Re: Ritter's paper) ("Joseph Ashwood")
Re: Exclusive Or (XOR) Knapsacks ([EMAIL PROTECTED])
Re: Exclusive Or (XOR) Knapsacks ([EMAIL PROTECTED])
Re: Okay "experts," how do you do it? (David A Molnar)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (Jerry Coffin)
Subject: Re: (US) Administration Updates Encryption Export Policy
Date: Mon, 20 Sep 1999 13:09:04 -0600
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
says...
[ ... ]
> The District Court in the Berstein case declared that the US BXA Regs were
> unconstitutional. This means they apply to every case and every one: past,
> present, and future.
>
> UNCONSTITUTIONAL
Wrong. First of all, a District Court's decision is only considered
precedential inside that district, not in other districts. If another
district court chooses to, it can take the other district's decision
as guidance, but there's definitely NO obligation for it to follow
that guidance.
Second, the case is still open to appeal. It's possible that the
decision could be reversed on appeal.
Third, the primary reason for finding the regulations unconstitutional
was the lack of ability to appeal a decision. The same basic
regulations on export itself could apparently be made constitutional
simply by providing a better process for appealing a decision.
Finally, note that the Bernstein case revolved around the use of
source code as a method of communication between people, so there was
a restriction on the right to free speech. If, for example, you write
source code like Dave Scott's, which nobody can read, that argument
obviously goes out the window. To export source code in accordance
with this decision, you could be called upon to prove that the
_primary_ reason for using source code was simply to provide an
unambiguous method of communicating with another person. If the
primary reason for the source code is to provide for a computer to
take certain actions, it's unlikely that this decision would apply.
Of course, I'm not an attorney, so any serious questions about this
should be taken to an attorney, and particularly one who's experienced
in this particular area. To do otherwise is to place yourself in
considerably jeopardy of being prosecuted at the very least. If you
seen that cost of legal defense, you'll quickly realize that simply
being prosecuted (even if you win) can be extremely damaging all by
itself.
--
Later,
Jerry.
The Universe is a figment of its own imagination.
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Glossary of undefineable crypto terms (was Re: Ritter's paper)
Date: Mon, 20 Sep 1999 21:01:46 +0200
Douglas A. Gwyn wrote:
>
> provably secure: adj. (said of a cryptosystem) - Capable of being
> shown, using accepted mathematical standards of proof, to possess
> some specified property that meets a generally accepted criterion
> for suitability in applying the system to some specified security
> function (such as privacy, authentication, nonrepudiation, etc.).
Probably problematical is 'a generally accepted criterion', for
the very existence of this has yet to be established.
M. K. Shen
------------------------------
From: [EMAIL PROTECTED] (DJohn37050)
Subject: Re: Comments on ECC
Date: 20 Sep 1999 20:14:20 GMT
Factoring and finite field discrete log are ALREADY subexponential. Do you
perhaps mean Polynomial?
ECC known best general method is fully exponential. For black box groups, it
has been proven (whatever that means) that solving is exponential. So it seems
that ANY progress on attacking ECC will be based on structure of the group. A
few weak special cases have been found and are easily excluded from
cryptographic consideration.
Don Johnson
------------------------------
From: [EMAIL PROTECTED] (Lamont Granquist)
Subject: Re: Schrodinger's Cat and *really* good compression
Date: 20 Sep 1999 19:46:18 GMT
[EMAIL PROTECTED] (Patrick Juola) writes:
>In article <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]> wrote:
>>And here we come to Schrodinger's cat. One of the interpretations of
>>quantum mechanics held that a superposed quantum state did not resolve
>>itself into one state until it was exposed to the gaze of a *human
>>observer*.
>
>Your tense is admirably correct. One of the interpretations *held*; I
>believe it has since been disproved by experiment. It's easily possible
>to set up a mechanism to collaps the wave function -- for example, taking
>a photograph of the result of a dual-slit experiment. You could, of course,
>argue that the image on the paper doesn't exist until looked at by a
>human observer.... but the point still remains that you can expose
>your film (automatically), disassemble the equipment, automatically
>develop the film, and still get a meaningful image on the film.
You can also do something like this N times, and then automatically collect
statistics on those N times, and while you can never know if the
wave-function has *really* collapsed unless you go back and look at all the
raw data, for all practical purposes it makes no difference. You don't
need a human (sentient, conscious) observer shoved inside of a quantum
computer to make it work.
--
Lamont Granquist ([EMAIL PROTECTED])
ICBM: 47 39'23"N 122 18'19"W
------------------------------
From: [EMAIL PROTECTED] (Alfred John Menezes)
Crossposted-To: sci.crypt.research
Subject: binary anomalous curves (NIST-recommended elliptic curves)
Date: 20 Sep 1999 20:54:41 -0000
FYI: Jerry Solinas of NSA has released an update/revision of his
Crypto '97 paper on binary anamolous elliptic curves (also known
as Koblitz curves). These curves are among those that were recently
recommended for US Federal government use by NIST. The revised paper
is available from www.cacr.math.uwaterloo.ca under "Technical Reports".
- Alfred
==========================================================================
| Alfred Menezes | Email: [EMAIL PROTECTED] |
| Department of C&O | Phone: (519) 888-4567 x6934 |
| University of Waterloo| Web page: www.cacr.math.uwaterloo.ca/~ajmeneze |
| Waterloo, Ontario | Web page for Handbook of Applied Cryptography: |
| Canada N2L 3G1 | www.cacr.math.uwaterloo.ca/hac/ |
| Centre for Applied Cryptographic Research: www.cacr.math.uwaterloo.ca |
==========================================================================
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: one time pad SOLUTION
Date: Mon, 20 Sep 1999 21:51:09 GMT
Thanks to everyone who helped me with this assignment. The solution is
below:
M1
And you, my father, there on the sad height,
Curse, bless, me now with your fierce tears, I pray.
Do not go gentle into that good night.
Rage, rage against the dying of the light.
--Dylan Thomas
M2
I shall be telling this with a sigh
Somewhere ages and ages hence: Two roads diverged in a
wood, and I- -
I took the one less travelled by, And that has made all the difference.
-R. Frost
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: Paul Koning <[EMAIL PROTECTED]>
Subject: Re: Yarrow: a problem -- am I imagining it?
Date: Mon, 20 Sep 1999 17:30:55 -0400
Mark Wooding wrote:
>
> Yarrow seems to be a rather clever design. But there's something that's
> been nagging me about it for a while.
>
> The actual output bits are generated by a block cipher in counter mode.
> A property of counter mode is that you don't get a repeat in the output
> until you've been through every possible counter value. Thus, for any
> two adjacent output blocks $O_i$ and $O_{i + 1}$,
>
> P(O_i = O_{i + 1}) = 0
>
> i.e., they'll always be different. This isn't what I'd expect from a
> random source. In fact, if the cipher block size is N bits, I'd expect
>
> P(O_i = O_{i + 1}) = 2^{-N}
I remember getting into a long debate with someone about a year
ago on this very topic. It wasn't very conclusive. What I got out
of it is:
1. Yes, that's true.
2. So what?
In other words, yes, you can use this property to distinguish a PRNG
from an RNG. That doesn't mean it is a weakness. Nothing I heard
back then convinced me that there is any problem here. It's merely
an interesting amusing property.
If there is data that contradicts this I'd love to heard about it.
paul
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Glossary of undefineable crypto terms (was Re: Ritter's paper)
Date: Mon, 20 Sep 1999 22:52:40 +0200
Patrick Juola wrote:
>
> My question remains, however, for the hard-liners and wing-nuts.
> Why are you so willing to question the "expert" judgement of the
> people who work in the cryptographic field, while blissfully unaware
> of the *rest* of the ways in which your system can fail that are
> not even subject to proof? I don't need to crack your RSA modulus
> if I can read your secrets from your mind via tarot cards.
It is well known that a strong algorithm alone does not guarantee high
security, there being very much beside the algorithm to be taken
care of when applying it. As to mind reading, which is evidently
highly/entirely improssible because the energy involved is clearly
too weak to be able to communicate from mind to mind in any physically
plausible ways, it may be on the other hand of interest to note that
a group of German researchers have recently succeeded to let the
tapped brain potential to realize keyboard input to a computer.
The operator (the first being a patient whose arms can't move) must
however be trained to concentrate his minds in appropriate ways in
order to perform the job. The speed of the input is yet very low, but
it is thought that much improvements in the techniques can be achieved
in the future.
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Glossary of undefineable crypto terms (was Re: Ritter's paper)
Date: Mon, 20 Sep 1999 23:44:38 +0200
Patrick Juola wrote:
>
> Actually, I think the "generally accepted criterion" has long
> been established; some problems are "generally accepted" to
> be hard -- factoring, discrete logarithm, and roll-your-own-NP-complete
> among them. Techniques of problem reduction have been formalized
> and accepted since at least (Cook, 1971). So it's generally accepted
> that a problem "as hard as" a "hard" problem is proven "hard."
>
> Of course, there are always a few hard-liners and wing-nuts out there
> who don't believe that a given problem is "hard" -- general acceptance
> doesn't mean and never has meant universal acceptance without a
> single exception or reservation. (It's "generally accepted" that
> the Moon landings occurred, too, despite the existence of the Flat
> Earth Society.)
How 'hard' are these REALLY? A citation from A. Salomaa says that
there are no provable lower bounds for the amount of work of
a cryptoanalyst analysing a public-key cryptosystem.
M. K. Shen
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Crossposted-To: comp.security.unix
Subject: Re: unix clippers that implement strong crypto.
Date: Mon, 20 Sep 1999 23:51:06 GMT
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Terry Ritter) wrote:
>
>On Mon, 20 Sep 1999 17:45:11 GMT, in <7s5ob8$38i8$[EMAIL PROTECTED]>, in
>sci.crypt [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) wrote:
>
>>In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Terry Ritter)
> wrote:
>>[...]
>> Since you say patents are a tool to protect "samll" companies. I would
>>like to know just what it cost to the nearest 3 figures. to hire a lawyer and
>>get a patent.
>
>It all depends. You want a patent lawyer to do it, but you still have
>to monitor what they do, which they generally find disturbing. You
>might get away with $5,000 or so, although it could be more, and you
>will spend a lot of time just teaching them the field. Hiring a
>lawyer is not the end of your involvement.
>
>>Since you have done this several times maybe you can give
>>a cash and time cost.
>
>It usually takes months to prepare an application, perhaps a year to
>get a first response which denies all claims (so that you are forced
>to provide written justification for each), perhaps 6 months after
>that for some approval, and maybe a year to get the patent published.
>But things may have changed.
>
>>You also did not anwser how many times you have
>>sued and sued and won with your patents. Or if any big company has
>>decided to challenge your small company in court.
>
>I did not answer because I simply do not discuss the details of my
>business operations. How can the answers possibly matter to you
>anyway?
>
>-
Thanks for anwsering. I wish you had the same pull as the other guy
does in Minisota. I quess you will have to write a book and act all
knowing.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
http://members.xoom.com/ecil/index.htm
NOTE EMAIL address is for SPAMERS
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Exclusive Or (XOR) Knapsacks
Date: Mon, 20 Sep 1999 22:07:25 GMT
Gary:
> >> Problem:
> >> Given an n bit number X and a set {B1,B2,...,Bn}
> >> of n bit numbers;is there a subset whose elements
> >> collectively XORed give X?
> >>
> >> Can the general problem be solved easily?
David Wagner:
> >Yes. Gaussian elimination will solve it in O(n^3) time.
Gary:
> What if the matrix wasn't square?
> In particular if the number of elements were larger than the bit size.
Then there will be no solution or multiple solutions. In
any case, Gaussian elimination will resolve the question
quickly.
--Bryan
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: [EMAIL PROTECTED] (jerome)
Subject: Re: Yarrow: a problem -- am I imagining it?
Date: 20 Sep 1999 23:14:06 GMT
Reply-To: [EMAIL PROTECTED]
On Mon, 20 Sep 1999 12:07:40 -0700, Eric Lee Green wrote:
>
>If Yarrow were a random number generator, you are correct that this
>would be a failure. However, it is not. It is a mechanism for generating
>unpredictable cryptographic keys. The non-repeating property is thus a
>useful property.
if the non-repeating property is mandatory, it makes the output
more predictable, at least in theory.
------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Glossary of undefineable crypto terms (was Re: Ritter's paper)
Date: Mon, 20 Sep 1999 15:53:05 -0700
[snip]
> How 'hard' are these REALLY? A citation from A. Salomaa says that
> there are no provable lower bounds for the amount of work of
> a cryptoanalyst analysing a public-key cryptosystem.
There can be no lower bounds or upper bounds placed on human cognition,
simply because we do not understand it. If you are talking about lower
bounds of the work necessary to break a public key, it is trivial to prove
that no common method could possibly drop below O(n), where n is the length
of the key, this is because you obviously must read the key before you can
break the key, outside of that I am not aware of any progress.
Joseph
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Exclusive Or (XOR) Knapsacks
Date: Mon, 20 Sep 1999 22:41:37 GMT
Gary wrote:
> Thanks for the comments guys.
Be careful. The comments ranged from the
correct answer in one-line, to post after post
of rambling garbage.
> I'm very interested by the differences between summation and XOR.
Then be sure to actually perform the Guassian
elimination procedure on some test cases.
> Could an XOR system be a candidate for an authentication
> system rather than a public cryptography system.
A good system might use XOR in places. But some
Guassian elimination exercises should disabuse
you of the notion that subset XOR is a one-way
function.
--Bryan
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Exclusive Or (XOR) Knapsacks
Date: Mon, 20 Sep 1999 22:52:58 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:
> David Wagner <[EMAIL PROTECTED]> wrote:
> : Gary <[EMAIL PROTECTED]> wrote:
>
> :> Problem:
> :> Given an n bit number X and a set {B1,B2,...,Bn} of n bit
numbers;is there a
> :> subset whose elements collectively XORed give X?
> :>
> :> Can the general problem be solved easily?
>
> : Yes. Gaussian elimination will solve it in O(n^3) time.
>
> ...assuming it has any solutions in the first place, that is.
Read the statement of the problem. For any given
case, the two possible solutions are "yes" and "no",
one of which must be correct.
--Bryan
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: Okay "experts," how do you do it?
Date: 20 Sep 1999 23:05:57 GMT
[EMAIL PROTECTED] wrote:
> It depends on the area... I've refereed many, many papers, and don't
> think I've ever done one for a conference or journal that did
> "anonymous" refereeing. Since many of the crypto people come from my
> field (theoretical computer science) I'd bet that crypto papers are
> not anonymously refereed either.
OK. That's actually very interesting. Thank you for pointing that out!
> However, he said it's almost always obvious who the authors of papers
> are, even though the names are not attached (it seems like it would be
> particularly hard in systems, where people establish very unique
> testbeds -- referring to your setup is almost like putting a big sign
> on the paper as to where the work was done).
Hah. That makes sense.
I suppose even the topic being treated, and choice of notation, would
play the same role in crypto. There was a post here a while back when
someone picked up on the phrase "Type II basis" in a document issued by
NIST on elliptic curves; it was taken as an indication that Jerome Solinas
may have written it. It would be sort of interesting to know if mileage
varies for more "popular" subfields, like digital cash...although I'm not
sure if that discussion would stay on topic for sci.crypt.
-David
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
