Cryptography-Digest Digest #336, Volume #10      Thu, 30 Sep 99 04:13:04 EDT

Contents:
  Re: NEMA, Swiss cipher machine
  Re: Irish schoolgirl wins European Young Scientist Award ("Adam Durana")
  Re: Ritter's paper
  Re: review of peekboo please? (Tom St Denis)
  Re: ECC97 Challenge Solved ("Douglas A. Gwyn")
  Re: Glossary of undefineable crypto terms (was Re: Ritter's paper) (Scott Fluhrer)
  Re: Q: Burrows-Wheeler transform (SCOTT19U.ZIP_GUY)
  Re: msg for Dave Scott ("Douglas A. Gwyn")
  Re: factoring with quadratic sieve (Clifford Stern)
  Re: About differential cryptanalysis.... (Hideo Shimizu)
  Re: More Comments on ECC ("Douglas A. Gwyn")
  Re: Relating cyrptology to factoring? ("Douglas A. Gwyn")
  Re: RSA-512: Weizmann Institute: London Times ([EMAIL PROTECTED])
  Re: msg for Dave Scott ("Douglas A. Gwyn")
  Re: Schrodinger's Cat and *really* good compression ("Douglas A. Gwyn")
  Re: Comments on ECC ("Douglas A. Gwyn")
  Re: Perfect Shuffle Algorithm? ("Douglas A. Gwyn")
  Re: msg for Dave Scott (Jerry Coffin)
  Re: Schrodinger's Cat and *really* good compression ("Douglas A. Gwyn")
  Re: NEMA, Swiss cipher machine (Frode Weierud)
  Re: msg for Dave Scott (JPeschel)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] ()
Subject: Re: NEMA, Swiss cipher machine
Date: 30 Sep 99 03:20:28 GMT

Douglas A. Gwyn ([EMAIL PROTECTED]) wrote:
: [EMAIL PROTECTED] wrote:
: > that would mean that the wheel/rotor distinction does not exist in the
: > original German, ...

: Standard practice is that a "rotor" is a rotating component,
: or an electrical analogue of one (e.g. a circular shift register),
: and a "wired rotor" is an Enigma-like rotor.

Well, though, I hope you see my point. Many books about cryptography use
the term 'rotor machine' for a wired rotor machine, such as the Hebern
machine or the Enigma. Enough that I think that this usage must be
regarded as standard.

But occasionally, in less well-researched sources, you will see a Hagelin
lug and pin machine, or a Lorenz Schlusselzusatz, described as a 'rotor
machine', and I think that this needs to be avoided: and one way to help
to avoid it is simply to avoid the use of the word 'rotor' to describe,
when discussing a cipher machine, any kind of gear, cam, or pinwheel, or
indeed any other item but a _wired_ rotor.

John Savard

------------------------------

From: "Adam Durana" <[EMAIL PROTECTED]>
Subject: Re: Irish schoolgirl wins European Young Scientist Award
Date: Wed, 29 Sep 1999 23:47:39 -0400

I thought she just came up with some precomputed values which made RSA
faster.  I think I remember what she did having something to do with
matrices.

T.P Harte <[EMAIL PROTECTED]> wrote in message
news:7str0b$n11$[EMAIL PROTECTED]...
> Did anyone read the news that the schoolgirl who came up with
> an algorithm as secure as RSA but faster---or something supposedly
> similar---won the European Young Scientist of the Year award?
>
> I remember that there were several threads on this issue when it first hit the
> news circa last January, but I lost track....
>
> What was the outcome of all this? Presumably the algorithm was shown to be
> bona fide...or rather hasn't been shown to be readily crackable yet?



------------------------------

From: [EMAIL PROTECTED] ()
Subject: Re: Ritter's paper
Date: 30 Sep 99 03:38:21 GMT

Johnny Bravo ([EMAIL PROTECTED]) wrote:
: On Wed, 29 Sep 1999 15:10:22 GMT, [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
: wrote:

: >  I thought I would answer this last question for you. The AES contest
: >is about finding a WEAK method so that it can be used for all encryption
: >in all applications. 

:   Please post your proof that the AES candidates are weak.  You can start with
: the ones who were accepted into the second round, since by your logic the strong
: ones would have been discarded first.  Take all the screens you need.

Actually, he is *half* right.

The AES candidate ciphers are very strong ciphers; if I enciphered a
message in any of them - even the ones proven to have flaws, such as
MAGENTA, or LOKI 97, or FROG - and offered a prize to someone who could
crack it, the prize would probably not be claimed.

They are well-crafted, and designed by some of the finest cryptographic
minds ... in the open academic community.

But no, I'm not saying that what's wrong with the AES candidate ciphers is
that they're not designed by the NSA.

A 56-bit key, and (more theoretically) a 64-bit blocksize are weak.

A 256-bit key, and a 128-bit blocksize are certainly much better. And if
the key size or block size were made much bigger, that would limit in what
circumstances the cipher could be used.

But at least in some applications, such as enciphering text on a PC - say,
for E-mail - there is little reason to limit oneself to such a short key,
or such a small block size! It makes sense not to allow such a large key
or block size for the AES competition, since with such parameters it would
be too easy to make something that is - or seems - secure...

but once the advanced design principles needed to attain security under
such restrictive circumstances are elucidated...

well, for _practical_ use, why fail to take advantage of the maximum
security your computer's power can give you?

And it's certainly true that *none* of the AES candidate ciphers even has
a nonlinearly key-dependent S-box with even 65,536 entries, never mind
524,288 entries!

This is why I say that he is _half_ right. Although the AES candidates are
excellent ciphers, the fact that they are, in terms of their key size and
block size, merely one step beyond DES, rather than two or three steps
beyond (say 256 bit block size, keys of 1,024, 2,048, and 4,096 bits)
could make some people nervous. Regardless of whether there's any _real_
justification for such nervousness (and in a world where, understandably,
the *best* cryptanalytic knowledge around is tightly under wraps, it's hard
to be sure there isn't).

John Savard

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: review of peekboo please?
Date: Thu, 30 Sep 1999 02:55:14 GMT

In article <[EMAIL PROTECTED]>,
  Medical Electronics Lab <[EMAIL PROTECTED]> wrote:
> Tom St Denis wrote:
> >
> > Anything I could make more user attractive?
>
> A couple things for me would be nice: knowing something is
> running (a blinking box in a corner someplace during key
> gen for example) and which keys I've got set up for the
> clipboard (like "my key" and "their key" windows on the
> main screen box).
>
> I think working from the clipboard is very nice, but it's
> hard to tell when something has been done or not.  Some way
> to mark that there's new data in the clipboard, or stale
> data might be nice.  Not sure it's possible tho.

Your first two points

1) Activity message
2) Active keys

are good ideas. The third is moot since you can use 'auto-crypt' if you send
a lot of messages.

Tom


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: ECC97 Challenge Solved
Date: Wed, 29 Sep 1999 14:59:15 GMT

"Trevor Jackson, III" wrote:
> The new Professor starts his weekly math 856 seminar, the one with 11 nouns
> and 29 adjectives in the title, by writing a short equation on the black
> board.  He then starts the lecture by pointing to the formula and saying "It
> is OBVIOUS that ...", whereupon he pauses, studies the formula for a while,
> and walks out of the classroom.  The students wait patiently, not wanting
> to do anything that would risk their participation in the prestigious
> class.
> Thirty-five minutes later the professor returns, walks up to the podium and
> resumes the lecture; " I was right.  It is OBVIOUS that...."

There are sometimes specific names attached to that urban legend.

One of my favorite stories concerns Dirac.  Reportedly, after he
gave a presentation at a seminar, he stated that he would now be
happy to answer questions from the audience.  One member said:
"Professor Dirac, I don't see how you derived that [specific]
equation.", to which Dirac replied "That is not a question.  Next?"

------------------------------

From: Scott Fluhrer <[EMAIL PROTECTED]>
Subject: Re: Glossary of undefineable crypto terms (was Re: Ritter's paper)
Date: Thu, 30 Sep 1999 04:10:02 GMT

In article <[EMAIL PROTECTED]>,
        "Trevor Jackson, III" <[EMAIL PROTECTED]> wrote:

>jerome wrote:
>
>> On 24 Sep 1999 12:28:31 -0400, Patrick Juola wrote:
>> [snip]
>> > On the other hand, there's no *proof* that the OTP is impervious
>> > to the ouija board attack.
>>
>> i was just wondering what a ouija board attack ?
>
>Also Known As the Karnak Attack.  You hold the cipher text up to your
>forehead and guess the plaintext.  There is no possible cryptologic
>defense against someone who can guess your message.

However, with OTP, there is no way of verifying that your guess is
right (other than, I suppose, calling the psychic pals network)

-- 
poncho


 

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Q: Burrows-Wheeler transform
Date: Thu, 30 Sep 1999 05:01:54 GMT

In article <[EMAIL PROTECTED]>, Mok-Kong Shen <[EMAIL PROTECTED]> 
wrote:
>While compression is, as far as I am aware, generally regarded
>as orthogonal to encryption, it is nonetheless an aid to information
>security, I suppose. Recently I read somewhere a claim that the
>Burrows-Wheeler transform is a better compression technique than
>Huffman or arithmetic encoding. Could some person having knowledge 
>and experience with that say whether this is true and whether the 
>advantage passes on to encryption? (Could it be that it is slower?)
>
>Thanks in advance.
>
>M. K. Shen
>----------------------
>http://home.t-online.de/home/mok-kong.shen

   For text it is a very good compression. However, due to the nature
of the BWT I think that it would be hard to write a "one to one" compress
for it. It was the second compression method I looked at, and I have yet
to make progress making it one to one. So if you use it, most of the
time when a wrong key is guessed in an attack it will not uncompress.




David A. Scott
--
                    SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
                    http://www.jim.com/jamesd/Kong/scott19u.zip
                    http://members.xoom.com/ecil/index.htm
                    NOTE EMAIL address is for SPAMERS
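
The point above, that not every candidate output is a valid BWT output (which
is what makes a "one to one" compressor hard to build on it), can be checked
directly. The Python below is an added example; it is not code from the
original post or from scott19u. It implements the plain BWT in its usual
formulation (no end-of-string sentinel; the output is the last column of the
sorted rotation matrix plus the row index of the original string), the
inverse, and then enumerates every (last column, index) pair over a tiny
alphabet to count how many of them some input string could actually have
produced. The alphabet and lengths are chosen here only to keep the
enumeration small.

```python
from itertools import product


def bwt_forward(s: str) -> tuple[str, int]:
    """Burrows-Wheeler transform without a sentinel.

    Returns (last column of the sorted rotation matrix, row index of the
    original string in that matrix).  Python's sort is stable, so for a
    periodic string the first of the identical rows is reported.
    """
    n = len(s)
    rotations = sorted(range(n), key=lambda i: s[i:] + s[:i])
    last = "".join(s[(i - 1) % n] for i in rotations)
    return last, rotations.index(0)


def bwt_inverse(last: str, idx: int) -> str:
    """Invert (last column, index) by rebuilding the sorted rotation matrix.

    Prepending the last column to the partially built rows and re-sorting,
    n times, reproduces the full matrix; the requested row is the answer.
    This is O(n^2 log n) and is only meant for demonstration.  Note that it
    returns *some* string for every (last, idx) pair, valid or not, which is
    exactly why a decoder cannot tell garbage input from real input by
    itself.
    """
    n = len(last)
    rows = [""] * n
    for _ in range(n):
        rows = sorted(last[i] + rows[i] for i in range(n))
    return rows[idx]


def count_valid_outputs(alphabet: str, n: int) -> tuple[int, int]:
    """Count (last, idx) pairs that are the image of some length-n string.

    A pair is an image iff re-encoding its decode gives the pair back.
    Returns (valid, total).  Because the transform is injective, 'valid'
    equals len(alphabet) ** n, while 'total' is n times that: every other
    candidate is an output that no input could have produced.
    """
    valid = total = 0
    for chars in product(alphabet, repeat=n):
        last = "".join(chars)
        for idx in range(n):
            total += 1
            if bwt_forward(bwt_inverse(last, idx)) == (last, idx):
                valid += 1
    return valid, total


if __name__ == "__main__":
    enc = bwt_forward("banana")
    print(enc, bwt_inverse(*enc))        # ('nnbaaa', 3) banana
    print(count_valid_outputs("ab", 3))  # (8, 24)
```

For two symbols and length 3 only 8 of the 24 candidate (last column, index)
pairs decode to a string whose re-encoding matches, so two thirds of the
candidate outputs are already "impossible" before any entropy coder is
applied on top; a decompressor fed the output of a wrong key therefore has
an easy way to notice, which is the property a one-to-one scheme is trying
to remove.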

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: msg for Dave Scott
Date: Wed, 29 Sep 1999 15:02:04 GMT

Tom St Denis wrote:
> Ok name one popular symmetric algorithm that can be solved
> without using brute force?

Where did "popular" come from?  If it was publicly known
to be readily crackable, a cryptosystem wouldn't be likely
to be "popular", would it?

In fact the history of cryptology is full of examples of
symmetric ciphers that were cracked much more efficiently
than by a brute-force key search.

------------------------------

From: [EMAIL PROTECTED] (Clifford Stern)
Crossposted-To: sci.math
Subject: Re: factoring with quadratic sieve
Date: Thu, 30 Sep 1999 04:49:49 GMT

On 28 Sep 1999 01:13:03 GMT, [EMAIL PROTECTED] (jerome) wrote:

>hi
>
>i would like to know how to choose the number of elements in the factor base.
>possibly automatically.
>
>       thanks

factor.exe from Shamus Software does it automatically for numbers up to
82 digits (and extending partially into the 83-digit range). Perhaps you
can obtain the answer to your question by studying the source code. The
following is taken from the output when executed without an argument on
the DOS command line:

Freeware from Shamus Software, Dublin, Ireland
Full C source code and MIRACL multiprecision library available
Email to [EMAIL PROTECTED] for details
Web page http://indigo.ie/~mscott
Source code from ftp://ftp.compapp.dcu.ie/pub/crypto/miracl.zip

Clifford Stern
[EMAIL PROTECTED]


------------------------------

From: Hideo Shimizu <[EMAIL PROTECTED]>
Subject: Re: About differential cryptanalysis....
Date: Thu, 30 Sep 1999 14:17:56 +0900

You can find detail at Stinson's book

H. Shimizu, TAO

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: More Comments on ECC
Date: Wed, 29 Sep 1999 15:39:14 GMT

Medical Electronics Lab wrote:
> I also concur with Harley's sentiment (from the 4k-associates PR):
> >"We are now close to the 112-bit limitation that many Western
> >governments impose on exportable ECC software via the Wassenaar
> >Agreement." said Mr. Harley. "Our repeated successes are
> >demonstrating that such short keys offer a wholly inadequate level of
> >security. ...

While I oppose crypto export restrictions, the quotation
exaggerates.  A 15-bit margin of safety against the best known
attack using massive resources is hardly "a wholly inadequate
level of security".  It would be better to describe it as
"marginal" and "of concern" (the idea being that the margin
might not be enough to protect against several more years of
continued evolution of such techniques and increasing
availability of computing resources).

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Relating cyrptology to factoring?
Date: Wed, 29 Sep 1999 15:42:27 GMT

wtshaw wrote:
> Still, forever and always, a poor choice of names.

Actually, the full names are "symmetric-key cryptosystem"
and "asymmetric-key cryptosystem", but these are often
shortened in discussions among knowledgeable parties.

There are other names that can be used, e.g. "secret-key"
vs. "public-key", but there are opportunities for
confusion there, also.

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: RSA-512: Weizmann Institute: London Times
Date: 30 Sep 1999 01:56:45 -0400

Kem <[EMAIL PROTECTED]> wrote:
> Could you send the HTML address of this article. thx.

Well, not without giving my registration number away! (the Times is free
but requires registration and the URL I use includes my registration
number).

One can register at the URL: "http://www.the-times.co.uk"

Every Wednesday they have an interface (computer/internet) section.

The article appears in yesterdays (29 Sept. 1999) issue.

(in the interface section)

From the main page (or on most of the pages) there is a link to the
LIBRARY or RESOURCES.

On the library page you can read back issues.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: msg for Dave Scott
Date: Wed, 29 Sep 1999 15:04:16 GMT

> >you can argue that caesar cypher isn't popular
JPeschel wrote:
> I suppose you could, but take a look at the crypto puzzles in many Sunday
> newspapers.

Actually, those are general simple substitution ciphers,
not Caesar ciphers.  (There is a difference.)

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Schrodinger's Cat and *really* good compression
Date: Wed, 29 Sep 1999 15:33:19 GMT

Lamont Granquist wrote:
> "Douglas A. Gwyn" <[EMAIL PROTECTED]> writes:
> >Remember, Penrose was taken in by Searle's "Chinese box" argument.
> No he wasn't.  Penrose didn't use that argument at all.

At least I read the book!

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Comments on ECC
Date: Wed, 29 Sep 1999 15:21:25 GMT

Jerry Coffin wrote:
> ...  OTOH, I think it's likely that if it's proven
> that P=NP, it'll most likely be by solving an NP-complete problem in
> polynomial time in a deterministic fashion.

Maybe there will be such a fortuitous accident, or maybe not.
It is often the case that somebody thinks up a wonderful
algorithm for a problem before there is any real theory to
guide the invention.  However, after all this time, with
the wonderful algorithms being limited to heuristic
approximate solution, it seems *un*likely to me.

On the other hand, much of the early work in computability
made more use of "existence proofs", e.g. the intractability
of the Halting Problem.  It was existence proof I had in
mind when being pessimistic about the practical import of
a proof of NP=P.

We won't know until we see the definitive proof one way
or the other.

------------------------------

Crossposted-To: sci.stat.math,sci.math
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Perfect Shuffle Algorithm?
Date: Wed, 29 Sep 1999 15:10:46 GMT

Scott Nelson wrote:
> Although finding the LCM isn't exactly easy, ...

Actually it *is* easy, at least apart from potential
overflow issues.  LCM of a set can be computed recursively
using LCM for just two operands, and there is a simple
connection between LCM and GCD; we should all know
Euclid's algorithm for computing GCD of two operands.
Another method is to produce the prime factors of each
of the set, at which point the prime factors of the LCM
are pretty evident.
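
Both routes to the LCM mentioned above (fold the set pairwise through
lcm(a, b) = |a*b| / gcd(a, b) with Euclid's algorithm for the gcd, or
take the largest exponent of each prime across the set), as an added
Python example that is not code from the original post. It also applies
the result to the thread's subject on the assumption that the LCM wanted
is the one giving the period of a perfect shuffle: a shuffle is a
permutation of the deck, and the number of repetitions that restore the
original order is the LCM of its cycle lengths. The `out_shuffle`,
`cycle_lengths` and `shuffle_order` helpers and the 52-card deck are my
own choices for illustration.

```python
from functools import reduce
from typing import Dict, Iterable, List


def gcd(a: int, b: int) -> int:
    """Euclid's algorithm: gcd(a, b) = gcd(b, a mod b) until b is 0."""
    while b:
        a, b = b, a % b
    return abs(a)


def lcm2(a: int, b: int) -> int:
    """lcm(a, b) = |a*b| / gcd(a, b).

    Divide before multiplying so the intermediate never exceeds the
    result; in a fixed-width language that is what keeps the overflow
    Gwyn mentions at bay as long as the final LCM itself fits.
    """
    if a == 0 or b == 0:
        return 0
    return abs(a // gcd(a, b) * b)


def lcm(values: Iterable[int]) -> int:
    """LCM of a set, folded pairwise: lcm(a, b, c) = lcm(lcm(a, b), c)."""
    return reduce(lcm2, values, 1)


def prime_factors(n: int) -> Dict[int, int]:
    """Trial-division factorisation of n > 0 as {prime: exponent}."""
    factors: Dict[int, int] = {}
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def lcm_by_factoring(values: Iterable[int]) -> int:
    """Second route: for each prime keep the largest exponent seen."""
    exps: Dict[int, int] = {}
    for v in values:
        for p, e in prime_factors(v).items():
            exps[p] = max(exps.get(p, 0), e)
    result = 1
    for p, e in exps.items():
        result *= p ** e
    return result


def out_shuffle(deck: List[int]) -> List[int]:
    """Perfect out-shuffle: cut in half, interleave, top card stays on top."""
    half = len(deck) // 2
    top, bottom = deck[:half], deck[half:]
    return [card for pair in zip(top, bottom) for card in pair]


def cycle_lengths(perm: List[int]) -> List[int]:
    """Cycle lengths of the permutation i -> perm[i]."""
    seen = [False] * len(perm)
    lengths = []
    for start in range(len(perm)):
        if seen[start]:
            continue
        length, i = 0, start
        while not seen[i]:
            seen[i] = True
            i = perm[i]
            length += 1
        lengths.append(length)
    return lengths


def shuffle_order(n_cards: int) -> int:
    """Number of out-shuffles that return a deck of n_cards to its start."""
    perm = out_shuffle(list(range(n_cards)))  # perm[i] = card now at position i
    return lcm(cycle_lengths(perm))


if __name__ == "__main__":
    print(lcm([4, 6, 10]), lcm_by_factoring([4, 6, 10]))  # 60 60
    print(shuffle_order(52))                              # 8
```

Both LCM routes agree, and for a 52-card deck the out-shuffle permutation
has fixed points at the two ends plus cycles of length 8, so eight perfect
out-shuffles restore the deck. Python's integers do not overflow; a C port
of `lcm2` would need the division-first ordering and a width check on the
final product.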

------------------------------

From: [EMAIL PROTECTED] (Jerry Coffin)
Subject: Re: msg for Dave Scott
Date: Thu, 30 Sep 1999 01:18:12 -0600

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
> Tom St Denis wrote:
> > Ok name one popular symmetric algorithm that can be solved
> > without using brute force?
> 
> Where did "popular" come from?  If it was publicly known
> to be readily crackable, a cryptosystem wouldn't be likely
> to be "popular", would it?

Hmmm...I guess it depends on how you define "popular."  There are 
certainly a LOT of people who write programs using encryption that's 
readily crackable.  Most of their web sites contain all manner of rave 
reviews, and many of them seem to sell quite a few copies of their 
garbage.

> In fact the history of cryptology is full of examples of
> symmetric ciphers that were cracked much more efficiently
> than by a brute-force key search.

'Tis true.  In fact it's only in the last 30 years or so that most of 
us have had access to ciphers that weren't broken with substantially 
less effort than a brute-force attack.  OTOH, at the present time 
there are quite a few choices of ciphers for which there aren't effective 
attacks, or at least if there are, they're not publicly known.  
There's certainly a decided contrast between the current situation 
and, for example, the one Leo Marks outlines in his book.  They had 
people's lives depending on ciphers they knew were a joke.  Now we 
have people concerned whether PGP provides sufficient protection for 
their message about who they danced with last night...

-- 
    Later,
    Jerry.
 
The universe is a figment of its own imagination.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Schrodinger's Cat and *really* good compression
Date: Wed, 29 Sep 1999 15:31:41 GMT

Mok-Kong Shen wrote:
> I read that the practical functioning of quantum computing depends
> on a certain quantity termed 'decoherence time' having a not too small
> value. When the experimenter in the Schroedinger experiment opens
> the box and looks into it, his brain circuits need some finite time
> to do the appropriate switching in order to be able to see the
> objects inside the box. I guess this neuro-chemical/electrical
> time of the 'thought' or 'non-thought' (actual) cat experiment is
> then what corresponds to (or perhaps actually IS) the decoherence
> time.

Whether it is or isn't (and the neurological actions in the brain
are not particularly quantum-mechanical), quantum computing is based
on quantum theory, not the other way around.  Schroedinger's cat
example is part of the philosophic history of quantum theory in
general, in particular the question of what constitutes a
"measurement" or a "collapse of the wavefunction".  There are
good answers to these issues, but not along the lines you are
going.

> It is my layman's humble (maybe entirely nonsensical) view
> that Schroedinger's cat is of the same genre as the twin paradox,
> both are very famous, ingenious and both are totally confusing man's
> mind in unnecessary ways. Fortunately we don't have such stuff in
> cryptology, excepting perhaps (I am not quite sure either way)
> in some remote sense the ideal OTP.

There is nothing "totally confusing" about these.  The twin
paradox is very real, and has been demonstrated by atomic clocks
(one of them brought back from a satellite).  The fact that there
is no universal "time" background, only local time and connections
between events involving space-time paths, is fundamental and not
particularly confusing.  Schroedinger's cat example simply points
out a problem in the conventional (Copenhagen) interpretation of
quantum theory; its only psychological effect should be to make one
look for a better way to interpret the theory.  And there is
nothing confusing about the ideal one-time pad system; it is
easy to understand why it has a certain security property.

------------------------------

From: [EMAIL PROTECTED] (Frode Weierud)
Subject: Re: NEMA, Swiss cipher machine
Date: 30 Sep 1999 07:14:52 GMT
Reply-To: [EMAIL PROTECTED]

[EMAIL PROTECTED] () writes:

>Well, though, I hope you see my point. Many books about cryptography use
>the term 'rotor machine' for a wired rotor machine, such as the Hebern
>machine or the Enigma. Enough that I think that this usage must be
>regarded as standard.

>But occasionally, in less well-researched sources, you will see a Hagelin
>lug and pin machine, or a Lorenz Schlusselzusatz, described as a 'rotor
>machine', and I think that this needs to be avoided: and one way to help
>to avoid it is simply to avoid the use of the word 'rotor' to describe,
>when discussing a cipher machine, any kind of gear, cam, or pinwheel, or
>indeed any other item but a _wired_ rotor.

I fully agree with this. In our recent historical treatment of the Enigma
machine we have adopted the British or Bletchley Park (GCCS) term of
"wired wheel".  The rotor or wired rotor term was introduced by the
American cryptographic services and I suppose it originated with Friedman.
The same goes for the "reflector" which BP called Umkehrwalze using the
German terminology.  Actually they often misspelled Umkehrwalze as
`Umkehrwalz'.

However, after the war the terms rotor and reflector became more common
and the `wired' specifier was largely omitted resulting in the confusion
of terminology we often see today. Therefore, as John says, the only accepted
usage of rotor in a cipher machine context would be for wired rotors or
wheels. All other machines using wheels should be described as using 
pinwheels, code wheels, etc. Hopefully, there will be less confusion this
way.

Frode
 
--
        Frode Weierud                   Phone  : +41 22 7674794
        CERN, SL,  CH-1211 Geneva 23,   Fax    : +41 22 7679185
        Switzerland                     E-mail : [EMAIL PROTECTED]
                                        WWW    : home.cern.ch/~frode

------------------------------

From: [EMAIL PROTECTED] (JPeschel)
Subject: Re: msg for Dave Scott
Date: 30 Sep 1999 07:54:15 GMT

 "Douglas A. Gwyn" <[EMAIL PROTECTED]> writes:


>Actually, those are general simple substitution ciphers,
>not Caesar ciphers. 

Yup, you're right.

Joe


__________________________________________

Joe Peschel 
D.O.E. SysWorks                                 
http://members.aol.com/jpeschel/index.htm
__________________________________________


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
