Cryptography-Digest Digest #381, Volume #10 Sat, 9 Oct 99 17:13:03 EDT
Contents:
Re: Ritter's paper (Tim Tyler)
Re: Ritter's paper (Tim Tyler)
Re: Ritter's paper ("Trevor Jackson, III")
Re: Block encryption with variable keys (Mok-Kong Shen)
Re: Q: AI (Mok-Kong Shen)
Re: US Crypto Policy: free speech? (John M. Gamble)
Re: radioactive random number generator (jjlarkin)
Re: RSA-512 Broken by Israelis (Bill Unruh)
Re: Is 128 bits safe in the (far) future? (SCOTT19U.ZIP_GUY)
Re: Is 128 bits safe in the (far) future? ("Trevor Jackson, III")
Re: radioactive random number generator (SCOTT19U.ZIP_GUY)
----------------------------------------------------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Ritter's paper
Reply-To: [EMAIL PROTECTED]
Date: Sat, 9 Oct 1999 14:28:45 GMT
Trevor Jackson, III <[EMAIL PROTECTED]> wrote:
: PRNG-based ciphers are considered insecure for two reasons. 1) The potential
: unknown of the initial state is, in principle, reduced by half for each bit
: of output generated.
The potential unknown of the initial state is surely reduced by at most
one bit for each bit of output generated. I presume that is what you
meant by a "half"?
: 2) In practice, we have methods of determining the initial
: state given the necessary number of bits of output, e.g., Berlekamp-Massey.
So there's no such thing as a cryptographically-secure random number
generator?
Surely some generators are easier to crack than others... and some of them
are /extremely/ difficult to crack.
I see no reason in principle why a PRNG-based cypher should be weak.
Certain PRNG-based stream cyphers have one or two problems associated with
the fact that they make no attempt to "smear" the information present in
each letter spatially across a number of letters in the cyphertext - but
this is not a weakness of using random numbers per se.
: Note that #1 above applies to all modern ciphers given a known plaintext.
: The discovery of a new attack upon a cipher is the discovery of a practical
: method of untangling the initial state given some amount of output > the
: amount of key. By this line of reasoning we could define the "efficiency"
: of an attack as the ratio of the number of bits of output required over the
: number of bits of state to be discovered.
This "efficiency" is an interesting quantity. However, I don't think it
corresponds closely to how hard a cypher is to crack. In some cases,
where lots of cyphertext is available, it will probably not be very
relevant to "strength".
--
__________
|im |yler The Mandala Centre http://www.mandala.co.uk/ [EMAIL PROTECTED]
Tend to the molehills and the mountains will look after themselves.
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Ritter's paper
Reply-To: [EMAIL PROTECTED]
Date: Sat, 9 Oct 1999 14:43:42 GMT
Trevor Jackson, III <[EMAIL PROTECTED]> wrote:
: Tim Tyler wrote:
:> Trevor Jackson, III <[EMAIL PROTECTED]> wrote:
:> : Tim Tyler wrote:
:> :> Trevor Jackson, III <[EMAIL PROTECTED]> wrote:
:> :> : Tim Tyler wrote:
:> :> :> "Strength: ability to resist breaks and cracks"?
:> :>
:> :> : Yeah. But how to you measure it? What are the units of
:> :> : "ability to resist breaks"?
:> :>
:> :> It seems to me that probably the best units in which to measure
:> :> this are monetary ones.
:>
:> : Ahem. The ultimate in subjective standards. "The value of a thing is
:> : what that thing will bring".
[snip]
:> : Do you believe that it is possible to have an efficient market in crypto
:> : strength?
:>
:> I believe it's possible to have an efficient market in cryptanalysis.
:>
:> Strength /is/ a selling feature of cyphers, but it's not very easy for
:> customers to tell the wheat from the chaff.
: We seemed to agree above that it's not easy, or even possible, for
: experts to tell the wheat from the chaff. Since there is no rational
: basis for comparison, how can the market be described as efficient?
: Everyone is equally ignorant?
It's not quite as bad as all that. The agents have /some/ information.
They can look at past performance of the vendors. They can try to break
the codes themselves. They can sometimes look at the history and
development of the products they buy and see who else uses them.
I wouldn't argue that the market is very "efficient" - but it works
well enough for the cost of breaking a cypher to reflect its strength to a
certain extent.
: It appears to me that _claims_ of strength are a selling feature. But
: strength per se cannot be a selling feature because we cannot measure it.
The claims are not always totally without content. Although customers
can rarely measure strength directly, there are some clues available.
A proof that a code is "as strong as factoring" provides useful
information about the circumstances under which the code is likely to
fail, for example.
:> :> "Time" and "certainty" may also figure in the equation - but are probably
:> :> secondary characteristics most of the time.
:>
:> : Let's see, the two characteristics that crypto customers are paying
:> : for are secondary?
:>
:> Secondary to money.
:>
:> If you have a code and want it cracked, the time period involved for the
:> crack is often a secondary consideration to the total cost.
: Here we disagree. Most of the time there is a time constraint related to the
: lifetime of the information.
Yes.
: Obtaining the protected information after its usefulness has decayed
: to zero means that time is a primary issue. Also, for the crack to be
: the preferred method, the time period usually has to be shorter than any
: other method of obtaining the information, even cheaper methods.
I largely agree - however the cost of breaking a cypher does generally
reflect the time specified by the "customer" as being available. Time
and money are partly dependent variables - a cypher which needs to be
cracked quickly will cost more to crack.
In this sense the (monetary) strength of a cypher depends on the type of
information it is expected to be containing.
As you say, if breaking the cypher is not the best way of obtaining the
information, the cypher is "strong enough".
--
__________
|im |yler The Mandala Centre http://www.mandala.co.uk/ [EMAIL PROTECTED]
So, it's you again.
------------------------------
Date: Sat, 09 Oct 1999 11:07:06 -0400
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Ritter's paper
Tim Tyler wrote:
> Trevor Jackson, III <[EMAIL PROTECTED]> wrote:
>
> : PRNG-based ciphers are considered insecure for two reasons. 1) The potential
> : unknown of the initial state is, in principle, reduced by half for each bit
> : of output generated.
>
> The potential unknown of the initial state is surely reduced by at most
> one bit for each bit of output generated. I presume that is what you
> meant by a "half"?
Of course. Half of the possible initial states are ruled out. Note that this is
not the same as saying one bit less because the latter implies that you know
something about one of the initial state bits, which is invalid.
>
>
> : 2) In practice, we have methods of determining the initial
> : state given the necessary number of bits of output, e.g., Berlekamp-Massey.
>
> So there's no such thing as a cryptographically-secure random number
> generator?
What definition are you using for cryptographically secure? Remember that this
thread was discussing what crypto "strength" means.
If you mean hard to solve mentally, lots of them.
If you mean hard to solve with pencil and paper, a few less, but still plenty.
If you mean today-with-one-PC, still lots of them, but amateur efforts probably excluded.
If you mean 10-years-with-2-acres-of-computers, you can probably find several with some research effort.
If you mean age-of-the-universe search times, they exist but they also may shrink when thoroughly analyzed.
If you mean provably just as hard as something thought to be very very hard, yes: BBS.
If you mean theoretically unbreakable, there are none.
>
>
> Surely some generators are easier to crack than others... and some of them
> are /extremely/ difficult to crack.
>
> I see no reason in principle why a PRNG-based cypher should be weak.
In practice true, but getting less so as time goes on. In theory false.
>
>
> Certain PRNG-based stream cyphers have one or two problems associated with
> the fact that they make no attempt to "smear" the information present in
> each letter spatially across a number of letters in the cyphertext - but
> this is not a weakness of using random numbers per se.
The central point is that, in theory, any PRNG has a limited amount of state. As
the PRNG operates it discloses that state. Once you have output >= state you can
only have one possible state that generated that output. It's analogous to the
unicity point of a cipher. The initial state is completely determined by the
output.
Finding the initial state given the output can be difficult in practice, but it
cannot be made impossible.
>
>
> : Note that #1 above applies to all modern ciphers given a known plaintext.
> : The discovery of a new attack upon a cipher is the discovery of a practical
> : method of untangling the initial state given some amount of output > the
> : amount of key. By this line of reasoning we could define the "efficiency"
> : of an attack as the ratio of the number of bits of output required over the
> : number of bits of state to be discovered.
>
> This "efficiency" is an interesting quantity. However, I don't think it
> corresponds closely to how hard a cypher is to crack. In some cases,
> where lots of cyphertext is available, it will probably not be very
> relevant to "strength".
> --
> __________
> |im |yler The Mandala Centre http://www.mandala.co.uk/ [EMAIL PROTECTED]
>
> Tend to the molehills and the mountains will look after themselves.
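As an added example (not code from the digest or from either poster), the two points in the exchange above made concrete on a toy LFSR standing in for "a PRNG with a limited amount of state": part 1 counts how many seeds remain consistent with each observed keystream bit once the feedback polynomial is public (half are ruled out per bit, down to a single state once output >= state), and part 2 runs Berlekamp-Massey over GF(2) to recover the feedback polynomial and initial state from 2L output bits, after which the rest of the keystream is predictable. The polynomials, seeds and window offset are constructed for the demonstration; an LFSR is used because it is the PRNG family Berlekamp-Massey applies to, not because any poster proposed it.

```python
# Added example, not code from the digest or from either poster: a toy LFSR
# stands in for "a PRNG with a limited amount of state". Part 1 counts how
# many seeds stay consistent with each observed keystream bit (half are ruled
# out per bit). Part 2 is Berlekamp-Massey over GF(2): given 2L output bits it
# recovers the feedback polynomial and the initial state, after which the rest
# of the keystream is predictable. Polynomials, seeds and the window offset
# below are constructed for the demonstration.
from itertools import product

# Constructed parameters. A coefficient list holds c_1..c_L of the recurrence
# s[k] = c_1*s[k-1] ^ ... ^ c_L*s[k-L]. Both tap sets are primitive, so any
# nonzero seed gives a maximal-period sequence of linear complexity exactly L.
SMALL_POLY = [0, 0, 0, 1, 1, 1, 0, 1]   # taps 8, 6, 5, 4 (L = 8)
SMALL_SEED = [1, 0, 1, 1, 0, 0, 1, 0]
POLY16 = [1 if t in (11, 13, 14, 16) else 0 for t in range(1, 17)]  # taps 16, 14, 13, 11
SEED16 = [1, 0, 0, 1, 1, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1]


def lfsr_stream(seed, coeffs, n):
    """First n bits of the LFSR sequence; the first L bits are the seed itself."""
    L = len(coeffs)
    assert len(seed) == L
    s = list(seed)
    while len(s) < n:
        bit = 0
        for i in range(1, L + 1):
            if coeffs[i - 1]:
                bit ^= s[-i]
        s.append(bit)
    return s[:n]


def consistent_seed_counts(coeffs, observed, offset):
    """Brute force over all 2^L seeds (small L only). Entry k is the number of
    seeds whose keystream reproduces observed[:k] starting at position `offset`.
    With the polynomial public, every keystream bit is a linear function of the
    seed, so each observed bit halves the candidate set: 2^L, 2^(L-1), ..., 1."""
    L = len(coeffs)
    n = offset + len(observed)
    counts = []
    for k in range(len(observed) + 1):
        hits = 0
        for seed in product((0, 1), repeat=L):
            out = lfsr_stream(list(seed), coeffs, n)
            if out[offset:offset + k] == list(observed[:k]):
                hits += 1
        counts.append(hits)
    return counts


def berlekamp_massey(s):
    """Minimal LFSR for bit sequence s (Massey's algorithm over GF(2)).
    Returns (L, C) with C[0] == 1 and s[k] = XOR of C[i]*s[k-i] for i = 1..L."""
    n = len(s)
    C = [1] + [0] * n        # current connection polynomial
    B = [1] + [0] * n        # connection polynomial before the last length change
    L, m = 0, 1              # current length, steps since the last length change
    for i in range(n):
        d = s[i]             # discrepancy between the predicted and actual bit
        for j in range(1, L + 1):
            d ^= C[j] & s[i - j]
        if d == 0:
            m += 1
        elif 2 * L <= i:     # length must grow: C += x^m * B, then remember old C
            T = C[:]
            for j in range(n + 1 - m):
                C[j + m] ^= B[j]
            L, B, m = i + 1 - L, T, 1
        else:                # cancel the discrepancy without changing the length
            for j in range(n + 1 - m):
                C[j + m] ^= B[j]
            m += 1
    return L, C[:L + 1]


def recover_and_predict(keystream, known_bits):
    """Give the analyst only keystream[:known_bits]; recover (L, coeffs) and
    regenerate the whole keystream from the recovered recurrence and its
    first L bits, which are the initial state."""
    L, C = berlekamp_massey(keystream[:known_bits])
    coeffs = C[1:]
    state = keystream[:L]
    return L, coeffs, lfsr_stream(state, coeffs, len(keystream))


if __name__ == "__main__":
    ks8 = lfsr_stream(SMALL_SEED, SMALL_POLY, 24)
    print("seeds consistent after each observed bit:",
          consistent_seed_counts(SMALL_POLY, ks8[5:13], 5))
    ks16 = lfsr_stream(SEED16, POLY16, 64)
    L, coeffs, predicted = recover_and_predict(ks16, 32)
    print("recovered L =", L, "| polynomial recovered:", coeffs == POLY16,
          "| remaining 32 bits predicted:", predicted[32:] == ks16[32:])
```

The first print shows the candidate count falling 256, 128, ..., 1 as the eight bits of a window are revealed, which is the "half of the possible initial states are ruled out" observation stated exactly; the second shows that 32 bits of output from a 16-bit LFSR suffice to recover both the polynomial and the state even when the polynomial was not known. The defensive lesson is the one the thread draws: a keystream generator whose output is a linear function of its state leaks that state at one bit per output bit, so the generator feeding a stream cipher must not be a plain LFSR (or any PRNG for which an efficient state-recovery algorithm like this one exists).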
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Block encryption with variable keys
Date: Sat, 09 Oct 1999 17:13:24 +0200
Richard Parker wrote:
>
> I think one has to be careful when constructing a cryptosystem that
> encrypts using a block cipher which is re-keyed from a PRNG. This
> construction appears to make the system more resistant to adaptive
> chosen-plaintext attacks like differential and linear cryptanalysis,
> but I think it makes related-key attacks more practical.
>
> While most modern block ciphers are specifically designed to be secure
> against adaptive chosen-plaintext attacks, often less attention is
> paid to making their key schedule resistant to related-key attacks.
> I would recommend that if you are going to frequently re-key a block
> cipher from a PRNG that you either choose a block cipher with an
> especially strong key schedule or use a very strong cryptographic
> PRNG.
I agree with you that the PRNG needs to be selected with care,
otherwise it might constitute the Achilles heel of the system.
Fortunately, obtaining strong PRNGs and employing long seeds, if
necessary, isn't a big problem nowadays in my humble opinion.
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Q: AI
Date: Sat, 09 Oct 1999 17:24:33 +0200
Tom St Denis wrote:
>
> In which side? Cryptanalysis or actual protection? It has already been
> developed in a limited sense such as the linear attack on DES. When you
> think about it any program is AI, it's not sentient so to one degree it's not
> a life form. But if you think about it, any program can perceive and make
> decisions based on what it knows.
I said cryptology, which includes both sides. Your concept of AI
is definitely not shared by the majority in computer science.
M. K. Shen
> Tom
>
> Sent via Deja.com http://www.deja.com/
> Before you buy.
------------------------------
From: [EMAIL PROTECTED] (John M. Gamble)
Subject: Re: US Crypto Policy: free speech?
Date: 9 Oct 1999 17:36:17 GMT
In article <[EMAIL PROTECTED]>,
Medical Electronics Lab <[EMAIL PROTECTED]> wrote:
>entropy wrote:
>> I'm aware that U.S. laws consider strong crypto algorithms a
>> munition, and thus regulate their export. However, when these
>> algorithms (source code) are printed, it is protected as free speech,
>> so it can be freely exported.
>>
>> Would the same be true for other, conventional munitions? If I
>> printed out the schematics of an F-16 fighter jet, or an advanced
>> machine gun, would that also be protected under free speech, and thus
>> exportable? Is this only true for non-classified munitions?
>
>It depends on where the schematics came from. Many such things
>are "born secret", meaning they were developed in a US government
>lab and given to a manufacturer who has signed an agreement not
>to release the info because it's covered by national security laws.
>If the schematics are in the public domain, then yes, you can
>export the plans on paper. If they are supposedly "secret", then
>no, you can't.
>
>There is one case where the US government can stop free speech.
>This is under the Atomic Energy Act of 1954 which makes all
>descriptions of nuclear weapons "born secret", no matter who thinks
>of it or where. There was a case here in Madison where a local
>(communist type) magazine was going to print an article describing
>nuclear weapons in some detail. The feds told them they couldn't
[***Just a marker for a later comment***]
>and it started to go thru the court process, before the article was
>printed! A lot of shenanigans ensued on both sides, and finally the
>magazine went and printed it anyway. So the case became moot and
>forgotten. The AEA of '54 still stands, but it'll never be
>enforced (I hope!).
>
>At this point, the feds won't touch anything on paper. Paper is
>a pretty slow transmission mechanism, so they are working hard
>at maintaining some control over electronic discourse. Both
>Junger and Bernstein are attacking that front, so it should be
>interesting over the next year or so to see how that all works out.
>In any event, descriptions of weapons that are created secret
>remain secret and any dissemination method will get you into
>deep doo-doo.
>
>(I think the name of that magazine is the Progressive, and it
>may still be in print)
It's still in print, it's national, not local, and it's not
Communist, unless you are D. St*******t, in which case it is
because all left-wing, liberal publications are. (Note for
the irony-impaired, that was irony).
It happened in 1978. Article written by Howard Morland, to
demonstrate that you could research publicly available
documents to determine the inner workings of an H-bomb.
(It wasn't a blueprint, but it was a technical description,
at least, as technical as a technophobic magazine as The
Progressive can get).
And, I think the Justice Department dropped the case before
publication, not after. Probably because the publicly-available
aspect of the information was a significant barrier to making
their case.
>
>Patience, persistence, truth,
You know, I never quote .sigs, but I just want to mention that
I really like yours.
-john
February 28 1997: Last day libraries could order catalogue cards
from the Library of Congress.
--
Pursuant to US Code, Title 47, Chapter 5, Subchapter II, '227,
any and all unsolicited commercial E-mail sent to this address
is subject to a download and archival fee in the amount of $500
US. E-mailing denotes acceptance of these terms.
------------------------------
From: jjlarkin <[EMAIL PROTECTED]>
Subject: Re: radioactive random number generator
Crossposted-To: sci.electronics.design,sci.electronics.equipment
Date: Sat, 09 Oct 1999 10:13:42 -0700
Harry,
some WWII-vintage radar jammers used a 931A photomultiplier tube to
generate a random pulse train. In total darkness, PMTs generate lots of
noise as you crank their voltage up.
John
------------------------------
From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: RSA-512 Broken by Israelis
Date: 9 Oct 1999 18:16:24 GMT
In <[EMAIL PROTECTED]> Tim Tyler <[EMAIL PROTECTED]> writes:
>Quantum cryptography isn't /completely/ secure. It's just /arbitrarily/
>secure.
>Reading the supposedly secure messages without discovery will always
>remain a *possibility*.
Not sure what you mean by this. It is a theorem that you cannot clone a
quantum state. I.e., if you read it, you destroy it, and cannot copy or
recreate it.
>You can't even communicate at all using only quantum cryptography, if
>someone insists on bugging the line. At least using public-key
>cryptography, you can still talk to you friend reasonably securely if
>someone is constantly listening in.
Well, some might see this as an advantage. You will know immediately if
someone is bugging the line. You can always send signals as standard
signals down the line if you really want to or need to (unless the enemy
has cut the line, in which case you cannot communicate even with public
key techniques.) I would think that know that you are being attacked is
an advantage, not a disadvantage.
IF (a big if) quantum computing becomes a reality, then you cannot use
public key (well, at least not DH or RSA. Elliptic curves are probably
still an open question) crypto at all securely. Then quantum key
exchange becomes the only secure way of exchanging keys over a potentially
insecure line.
It is however also true that a quantum line needs to be a very secure
line to be used, and as such one could use that same secure line to
exchange keys in a normal manner. In this case the key advantage of
quantum exchange is precisely that it lets you know if the line really
is secure or not.
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Is 128 bits safe in the (far) future?
Date: Sat, 09 Oct 1999 20:01:11 GMT
In article <7tns8n$ps0$[EMAIL PROTECTED]>, [EMAIL PROTECTED] (John M. Gamble) wrote:
>In article <7tl8qf$32t4$[EMAIL PROTECTED]>,
>SCOTT19U.ZIP_GUY <[EMAIL PROTECTED]> wrote:
>> There would be no need to keep such records secret since especially
>>in a country like Britain one never really knows who fathered who. Look
>
>"Especially in a country like Britain..."?
>
> -john
>
>February 28 1997: Last day libraries could order catalogue cards
>from the Library of Congress.
The name was changed to protect the innocent; it's done all the
time.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
http://members.xoom.com/ecil/index.htm
NOTE EMAIL address is for SPAMMERS
------------------------------
Date: Sat, 09 Oct 1999 15:22:58 -0400
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Crossposted-To: comp.security.pgp.discuss,alt.security.pgp
Subject: Re: Is 128 bits safe in the (far) future?
fungus wrote:
> "Trevor Jackson, III" wrote:
> > you have 1e33^3 processors per cubic meter, 1e16^3 meters per cubic
> > light year, and 1e10^3 cubic light years per observable universe.
>
> Ah... but you have to leave some room for Alice, Bob and Eve
> to live in, otherwise it's all a bit pointless.
1) The universe is expanding. 2) The amount of space required for the
Milky Way is lost in the rounding.
;-)
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Crossposted-To: sci.electronics.design,sci.electronics.equipment
Subject: Re: radioactive random number generator
Date: Sat, 09 Oct 1999 20:19:02 GMT
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
>
>
>"SCOTT19U.ZIP_GUY" wrote:
>>
>> But since Japan does such a bad job of managing its nuclear resources
>> as the number of spills go up so will the background radioactivity. The
>> counts will go up faster and faster so maybe you can use it after a while
>> for a random source of bits after all.
>
>I'm afraid I got 'told off' for making a similar 'tasteless' remark.
>Lucky neither of us mentioned Darwin Awards.
Lucky you didn't post the URL which is http://www.DarwinAwards.com/
then you really would have been told off even by me.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
http://members.xoom.com/ecil/index.htm
NOTE EMAIL address is for SPAMMERS
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************