Cryptography-Digest Digest #578, Volume #10 Wed, 17 Nov 99 00:13:03 EST
Contents:
Re: AES cyphers leak information like sieves ("Peter K. Boucher")
Re: Proposal: Inexpensive Method of "True Random Data" Generation (Coen Visser)
Re: Proposal: Inexpensive Method of "True Random Data" Generation (Coen Visser)
Re: Codebook examples on Web? ([EMAIL PROTECTED])
Re: weak ciphers and their usage (David Wagner)
Re: Proposal: Inexpensive Method of "True Random Data" Generation (hack)
Re: AES cyphers leak information like sieves (SCOTT19U.ZIP_GUY)
Re: weak ciphers and their usage (SCOTT19U.ZIP_GUY)
Re: New Scottish Crypto System (albert)
NSA should do a cryptoanalysis of AES (albert)
Re: AES cyphers leak information like sieves (Bill Unruh)
Re: AES cyphers leak information like sieves (Tim Tyler)
Re: AES cyphers leak information like sieves (wtshaw)
Re: Scientific Progress and the NSA (Tim Tyler)
Re: NSA should do a cryptoanalysis of AES
Re: NSA should do a cryptoanalysis of AES (Phunda Mental)
Re: New Scottish Crypto System
----------------------------------------------------------------------------
Date: Tue, 16 Nov 1999 15:39:55 -0700
From: "Peter K. Boucher" <[EMAIL PROTECTED]>
Subject: Re: AES cyphers leak information like sieves
Tim Tyler wrote:
[snip]
> I don't understand. Surely...
That's your problem right there. You come in here and presume to
lecture people without understanding what you're talking about.
I recommend more reading and less expounding on your part.
--
Peter
------------------------------
From: Coen Visser <[EMAIL PROTECTED]>
Crossposted-To: sci.math,sci.misc,sci.physics
Subject: Re: Proposal: Inexpensive Method of "True Random Data" Generation
Date: Tue, 16 Nov 1999 22:55:57 +0000
James Felling wrote:
> My argument with you is that since K-Complexity is only valid in reference to a chosen
> language, the only way we can class things as random is relative to that chosen
> language.
> Now given strings X and Y,
> it is comparatively trivial to choose languages such that complexity(X) in L and
> complexity(Y) in L have any relationship that we wish. This is true even if X and Y
> are sets of strings -- we can arbitrarily dictate the relation between any two finite
> collections of strings by appropriately choosing our language.
You are absolutely right. For finite collections
of strings we can dictate the relation depending
on the choice of representation language. I was
thinking about the total set of strings which dwarfs
any finite set we like to meddle with. But this is
all academic and doesn't contribute anything to the
discussion. So rather than try to defend my point
I agree with you.
Regards,
Coen Visser
------------------------------
From: Coen Visser <[EMAIL PROTECTED]>
Crossposted-To: sci.math,sci.misc,sci.physics
Subject: Re: Proposal: Inexpensive Method of "True Random Data" Generation
Date: Tue, 16 Nov 1999 23:25:56 +0000
[EMAIL PROTECTED] wrote:
> Coen Visser wrote:
> > I would think that
> > Kolmogorov complexity is properly defined on finite
> > strings: the upper bound of C(Sn) with Sn the "0"-string
> > of length n is log(n).
> But the issue is whether an individual finite
> string is compressible. In this case n has one
> value so C(Sn) and log(n) are constants. The
> inequality asserts the vacuous fact that two
> constants differ by at most a constant.
In another post on the subject I wrestled with James Felling
(he won the match). You can say that an individual string
is compressible when you fix a representation
language/UTM. But for any specific string (or finite
set of strings) an opponent can choose another representation
in which this is not the case. This is of course not the most
interesting part of Kolmogorov complexity because the actual
values are not computable anyway.
Regards,
Coen Visser
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Codebook examples on Web?
Date: 16 Nov 1999 23:55:53 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (John Savard) wrote:
> You were extremely fortunate. Dare I ask if you needed to take out a
> second mortgage?
It cost UKP 7.50 - $11 or so!
It was one of a tranche of crypto documents. One, a cryptologic dictionary,
was marked as US Army/Navy 'top secret cream' (1946). The NSA happily
declassified it and it's on sale at Aegean Park Press.
Any thoughts on the 'codebooks revisited' item?
Keith
http://www.cix.co.uk/~klockstone
------------------------
'Unwise a grave for Arthur'
-- The Black Book of Carmarthen
------------------------------
From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: weak ciphers and their usage
Date: 16 Nov 1999 16:48:51 -0800
In article <80simv$ksc$[EMAIL PROTECTED]>,
Tom St Denis <[EMAIL PROTECTED]> wrote:
> Ok I actually see what David Scott is saying. I can be taught. If I
> send a different message with, say, only a part near the ending changing,
> it won't change the entire file [ciphertext] and this can be used in an
> attack.
Nonsense. If you use a fresh, random IV for every message---as every
good cryptographer knows is crucial---this isn't a problem. This is
thoroughly covered in Schneier's _Applied Cryptography_ (and the newsgroup
FAQ, if I recall correctly).
The problem is not with the block chaining modes---the problem is with
people's (mis)understanding of them.
------------------------------
From: [EMAIL PROTECTED] (hack)
Crossposted-To: sci.math,sci.misc,sci.physics
Subject: Re: Proposal: Inexpensive Method of "True Random Data" Generation
Date: 17 Nov 1999 01:00:35 GMT
In article <[EMAIL PROTECTED]>,
James Felling <[EMAIL PROTECTED]> wrote:
>
>
>john baez wrote:
>
>> In article <[EMAIL PROTECTED]>, Coen Visser <[EMAIL PROTECTED]> wrote:
>> >I only know of
>> >Kolmogorov complexity in the context of infinite sets of
>> >strings.
>>
>> Hey, now you're saying it again! So I'll repeat my remark:
>> the Kolmogorov complexity of a single string is well-defined
>> once you fix a language: it's the length of the shortest
>> program that prints out that string. (There are probably
>> other definitions floating around too, but anyway, this is
>> a definition that applies to a single finite-length string.)
>
>However, the big issue is fixing a language. True, given a set of strings X, X
>can be compressed to a very tiny size (as few bits as is necessary to enumerate
>all of its members). Such degenerate cases do not really help. In addition such
>randomness measures are RELATIVE TO THE LANGUAGE BEING USED. One cannot say
>this string has Kolmogorov complexity K, one MUST say it has complexity K
>relative to language L.
>
>Thus while this is a useful definition of random, it is a less than useful tool,
>as by choosing appropriate L, a string X may be assigned any level of complexity
>of representation, from "this string is string #0 of our pool o' strings" to "this
>string is representable in L with k bits" to "this string is not finitely
>representable in language L".
>
>I think Kolmogorov complexity is a useful thing, but as it is so very sensitive
>to the representational language, it is a weak tool for the quantification of
>randomness. In fact I have some doubt as whether there is a way it can be used
>to label a single string that has any meaning beyond L.
>
I think one can go a step further, and say that K-C incompressibility is
applicable to single strings of SUFFICIENT LENGTH.
To do this, we include the size of the UTM (Universal Turing Machine)
encoding in the compressed size. In this model, strings shorter than
what it takes to encode a UTM cannot be compressed -- but for long strings,
the variability due to representation languages can be hidden behind the
length threshold.
As stated, this is no more precise than the Church-Turing thesis, since we
cannot really capture the notion of "any representation". But I think one
can use the rather explicit encodings shown by Chaitin to get a reasonable
estimate of this length threshold in bits, and make incompressibility of
longer strings as believable as the C-T thesis.
In any case, this approach closes the loophole of hiding shortcuts for some
particular strings in the UTM. It's also in the spirit of "self-extracting
programs" that has been mentioned in this thread.
Michel.
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: AES cyphers leak information like sieves
Date: Wed, 17 Nov 1999 02:06:57 GMT
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
>DJohn37050 <[EMAIL PROTECTED]> wrote:
>
>: This is known as the self-syncronizing property of CBC mode. You only lose 2
>: blocks due to a bit flip. Check it out if you do not believe it.
>
>OK, then - I'll look it up.
It is well known that back in the Morse code days one needed a way to
get back in sync. Today it's called error correcting, and all the 3-letter
ways of chaining have this "feature", but the only people who can really
use the feature today are those breaking codes. The system protocol
of the internet should keep your messages intact. It is foolish in today's
world to have these features be part of encryption. The only reason it is still
there is the inertia of the public crypto community and the fact that the NSA
likes people to use these old ways of chaining blocks.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website NOT FOR WIMPS
http://members.xoom.com/ecil/index.htm
Scott rejected paper for the ACM
http://members.xoom.com/ecil/dspaper.htm
Scott famous Compression Page WIMPS allowed
http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMERS***
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: weak ciphers and their usage
Date: Wed, 17 Nov 1999 02:24:12 GMT
In article <80su1j$lgk$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (David Wagner) wrote:
>In article <80simv$ksc$[EMAIL PROTECTED]>,
>Tom St Denis <[EMAIL PROTECTED]> wrote:
>> Ok I actually see what David Scott is saying. I can be taught. If I
>> send a different message with, say, only a part near the ending changing,
>> it won't change the entire file [ciphertext] and this can be used in an
>> attack.
>
>Nonsense. If you use a fresh, random IV for every message---as every
>good cryptographer knows is crucial---this isn't a problem. This is
>thoroughly covered in Schneier's _Applied Cryptography_ (and the newsgroup
>FAQ, if I recall correctly).
>
>The problem is not with the block chaining modes---the problem is with
>people's (mis)understanding of them.
Nonsense, Dave. Just as you lack the ability to understand the complexities
of my code, you seem to lack a basic understanding of what common chaining does.
Here is something you can do with a crappy AES type of encryption with your
secret IV. Take a long file and encrypt it. Cut off the front third and last
third of the file. Now if a good cryptographer like me, or better in case
you're not good enough to handle it, is given the middle third of the file with the
cipher and key but not the IV, the center third of the file can be recovered easily,
but if you do the same thing with scott16u or scott19u or any AES cipher
using Wrapped PCBC the information can not be recovered. The fact is with
normal chaining the information is localized very close to where it is in the
original file.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website NOT FOR WIMPS
http://members.xoom.com/ecil/index.htm
Scott rejected paper for the ACM
http://members.xoom.com/ecil/dspaper.htm
Scott famous Compression Page WIMPS allowed
http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMERS***
------------------------------
From: albert <[EMAIL PROTECTED]>
Subject: Re: New Scottish Crypto System
Date: Tue, 16 Nov 1999 17:23:45 -0800
http://cryptome.org/flannery-cp.htm
Has details.
Albert
Gordon Talge wrote:
> I saw a few months ago on CNN a report about a Scottish
> high school girl that invented a new, and reportedly good
> crypto system using elementary number theory. I was wondering
> if anyone knows about this new system.
>
> -- Gordon
>
> --
> ,,,
> (. .)
> +-----------------------ooO-(_)-Ooo----------------------+
> | Gordon Talge WB6YKK e-mail: [EMAIL PROTECTED] |
> | QTH: Loma Linda, CA Lat. N 34° 03.1' |
> | United States of America Long. W 117° 15.2' |
> +--------------------------------------------------------+
------------------------------
From: albert <[EMAIL PROTECTED]>
Subject: NSA should do a cryptoanalysis of AES
Date: Tue, 16 Nov 1999 17:30:31 -0800
I see that NSA has not entered a candidate for AES. I assume it's
because they don't want to give away some secrets they have. What
secrets? My conspiracy theories...
Suppose the NSA has found a way to break Feistel ciphers, and SP
style ones. So what would that mean? That would mean that their
algorithm would be based on something totally different, to combat that
kind of attack, just like before Serpent came out, we all knew that
Eli's entry would almost certainly be resistant against differential
attacks. That is why Bruce says good cryptanalysts make good cipher
writers, because they will design ciphers that are resistant to their
own attacks, so the better the attacker, the more resistant their
algorithms (generally).
BUT, they should post a thorough analysis of the AES candidates. We'd
like to see what our tax-dollar funded crypto-think tanks have come up
with in terms of attacks and analysis.
Do you think the reason they aren't giving an analysis is because they
can break all the second round candidates and so they aren't going to
say anything about it? I personally don't, but it's a thought...
------------------------------
From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: AES cyphers leak information like sieves
Date: 17 Nov 1999 01:37:44 GMT
In <[EMAIL PROTECTED]> Tim Tyler <[EMAIL PROTECTED]> writes:
>Block chaining strikes me as a crude hack, though. It only propagates
>information through the file in one direction, and will /still/ expose
>some weaknesses at random if repeated blocks and repeated data should
>coincide by chance.
How? That "chance" is 1/10^64. I can live with that! Plus that info is
not of much use.
This "flaw" does not require anything but a "crude hack" to fix. Why
do you want a more complex fix, when this also has the advantage of
error robustness?
>The use of a proper diffusion technique would avoid this ever happening.
And would destroy error robustness as well.
So, if you are really so concerned, run the text through a stream cypher
first and then through your block cypher. It need not even be a
cryptographically strong stream cypher. And if you are really worried,
give it a different period than the block cypher period. This "weakness"
is so trivial to fix by a whole host of techniques.
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: AES cyphers leak information like sieves
Reply-To: [EMAIL PROTECTED]
Date: Wed, 17 Nov 1999 01:33:42 GMT
John Savard <[EMAIL PROTECTED]> wrote:
: Tim Tyler <[EMAIL PROTECTED]> wrote, in part:
:>I don't understand. Surely block chaining propagates information forward
:>through the message in an unbounded manner?
: Yes, it does propagate information [...] if we change the message at
: the beginning, everything changes all the way through, because
: information indeed keeps getting propagated[.]
: But if instead, there is a _transmission error_ with the original
: message, [...] then only two blocks are destroyed because for the
: first plaintext block, the ciphertext block is wrong, and for the second
: plaintext block, the previous ciphertext block is wrong. Since each
: ciphertext block is a function of the plaintext block and the previous
: ciphertext block, each plaintext block is a function of the ciphertext
: block and the previous ciphertext block. As long as those two ciphertext
: blocks are right, the rest of the message is irrelevant.
I see. Thanks for the very clear explanation.
--
__________
|im |yler The Mandala Centre http://www.mandala.co.uk/ [EMAIL PROTECTED]
The more I learn about people, the more I like my cat.
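Several posts in this thread describe properties of CBC mode: Wagner on why the IV must be fresh per message, Scott on recovering a middle fragment of ciphertext without the IV, Tyler on propagation running only forward, and Savard on a transmission error costing exactly two blocks. The script below is an added example, not code from any poster; it exercises all four claims on a constructed toy Feistel block cipher with a constructed key, IV and plaintext, and the CBC behaviour it shows is the same for AES or any other block cipher.

```python
# Added example, not code from any post in this digest.  The block cipher is a
# constructed stand-in (4-round Feistel over 16-byte blocks, SHA-256 as the round
# function, constructed demo key) so the script runs offline; any real block cipher
# would behave the same way in CBC, which is the point being demonstrated.
import hashlib
import os
BLOCK = 16
def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))
def _f(key: bytes, r: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([r]) + half).digest()[:8]
def block_encrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return r + l                      # final swap makes decrypt the mirror image

def block_decrypt(key: bytes, blk: bytes) -> bytes:
    r, l = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r
def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):            # C[i] = E(P[i] xor C[i-1]), C[-1] = IV
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):            # P[i] = D(C[i]) xor C[i-1]
        out.append(_xor(block_decrypt(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)
def blocks_changed(a: bytes, b: bytes) -> list:
    return [i for i in range(len(a) // BLOCK) if a[i*BLOCK:(i+1)*BLOCK] != b[i*BLOCK:(i+1)*BLOCK]]
KEY = b"constructed-key!"                                  # constructed, demo only
IV = bytes(range(BLOCK))                                   # constructed fixed IV
PT = b"".join(bytes([65 + i]) * BLOCK for i in range(8))   # 8 blocks: AAAA.., BBBB.., ...

def forward_only_propagation() -> list:
    """Tyler: editing plaintext block 3 changes ciphertext blocks 3..7, never 0..2."""
    pt2 = bytearray(PT); pt2[3 * BLOCK] ^= 1
    return blocks_changed(cbc_encrypt(KEY, IV, PT), cbc_encrypt(KEY, IV, bytes(pt2)))

def bit_flip_in_transit() -> list:
    """Savard: one flipped ciphertext bit in block 3 damages plaintext blocks 3 and 4 only."""
    ct = bytearray(cbc_encrypt(KEY, IV, PT)); ct[3 * BLOCK] ^= 1
    return blocks_changed(PT, cbc_decrypt(KEY, IV, bytes(ct)))

def middle_fragment_without_iv() -> list:
    """Scott: blocks 3..5 decrypt with the key alone except the fragment's first block."""
    frag = cbc_encrypt(KEY, IV, PT)[3 * BLOCK:6 * BLOCK]
    got = cbc_decrypt(KEY, bytes(BLOCK), frag)             # IV unknown: substitute zeros
    return [got[i*BLOCK:(i+1)*BLOCK] == PT[(3+i)*BLOCK:(4+i)*BLOCK] for i in range(3)]

def fixed_vs_fresh_iv() -> tuple:
    """Wagner: a fixed IV makes equal messages give equal ciphertexts; a fresh one does not."""
    fixed = cbc_encrypt(KEY, IV, PT) == cbc_encrypt(KEY, IV, PT)
    fresh = cbc_encrypt(KEY, os.urandom(BLOCK), PT) == cbc_encrypt(KEY, os.urandom(BLOCK), PT)
    return fixed, fresh
```

The fragment result is the textbook reason the IV is treated as public and the key alone carries the secrecy, and the bit-flip result is why a CBC ciphertext needs an authentication tag if tampering rather than line noise is the concern.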
------------------------------
From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: AES cyphers leak information like sieves
Date: Tue, 16 Nov 1999 20:53:14 -0600
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
> David Wagner <[EMAIL PROTECTED]> wrote:
>
> : You seem to be confused. You write about flaws if a block cipher is
> : used without any chaining (what is typically known as ECB mode), but
> : those flaws are extremely well-known (taught in Crypto 101a). If you
> : use a block cipher properly, these issues don't come up.
>
> The use of block chaining certainly improves things. It is the employment
> of methods of diffusing information over a large area of the cyphertext
> that I am advocating.
>
> Block chaining strikes me as a crude hack, though. It only propagates
> information through the file in one direction, and will /still/ expose
> some weaknesses at random if repeated blocks and repeated data should
> coincide by chance.
>
> The use of a proper diffusion technique would avoid this ever happening.
It might, but whenever you tie too much of a message into an interlocking
structure, its survivability as information becomes more fragile. The
other extreme, having simple blocks, is also bad. If this were such a one
dimensional problem defined as effective block size, it would appear that
there is no better answer, but it isn't and there is.
--
The circus elephant has lost its way.
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Scientific Progress and the NSA
Reply-To: [EMAIL PROTECTED]
Date: Wed, 17 Nov 1999 02:04:26 GMT
David Boreham <[EMAIL PROTECTED]> wrote:
: Tim Tyler wrote:
:> Did you see the post relating to NSA developing telephone transcription?
:>
:> What commercial system is available which can do that?
: https://www.cybertranscriber.com/default.asp
: But...guess where that technology came from...
Hmm, according to the web page: ``The technology that Speech Machines
offers was created in exclusive collaboration with the Speech Research
Unit (SRU) of the United Kingdom's Defence Evaluation and Research Agency.
The SRU has been a recognized leader in the field of speech and pattern
processing for more than twenty years and employs 25 full-time
scientists.''
--
__________
|im |yler The Mandala Centre http://www.mandala.co.uk/ [EMAIL PROTECTED]
The internet is full, go away.
------------------------------
From: [EMAIL PROTECTED] ()
Subject: Re: NSA should do a cryptoanalysis of AES
Date: 17 Nov 99 02:53:02 GMT
albert ([EMAIL PROTECTED]) wrote:
: Do you think the reason they aren't giving an analysis is because they
: can break all the second round candidates and so they aren't going to
: say anything about it? I personally don't, but it's a thought...
They have informed NIST that, as far as they are concerned, none of the
five finalists is too weak - but they are not saying more, presumably to
avoid giving away secrets about what they can break, and how it is done.
John Savard
------------------------------
From: Phunda Mental <[EMAIL PROTECTED]>
Subject: Re: NSA should do a cryptoanalysis of AES
Date: Wed, 17 Nov 1999 02:47:52 +0000
albert wrote:
> I see that NSA has not entered a candidate for AES. I assume it's
> because they don't want to give away some secrets they have. What
> secrets? My conspiracy theories...
Read up on the history of DES. NSA got burned there, they aren't
about to let that happen again.
> Do you think the reason they aren't giving an analysis is because they
> can break all the second round candidates and so they aren't going to
> say anything about it? I personally don't, but it's a thought...
I would not be surprised if NSA has a theoretical attack that is
faster than brute force against any or all of the candidates. They
certainly have the experience to construct such an attack.
However, I WOULD be surprised if such an attack means anything in
practice.
Let's face it, storing 2^112 bytes is absurd, let alone gathering that
much plaintext under one key; it is basically impossible. Even if
a cipher is vulnerable to differential cryptanalysis, reading a message
in practice is not feasible.
NSA's intelligence gathering prowess does not stem from
cryptanalysis. Their power comes from technologies like TEMPEST,
and their ability to influence corporations to weaken their security
so that NSA can easily exploit it.
------------------------------
From: [EMAIL PROTECTED] ()
Subject: Re: New Scottish Crypto System
Date: 17 Nov 99 02:55:26 GMT
Gordon Talge ([EMAIL PROTECTED]) wrote:
: I saw a few months ago on CNN a report about a Scottish
: high school girl that invented a new, and reportedly good
: crypto system using elementary number theory. I was wondering
: if anyone knows about this new system.
What, another one? First Sarah Flannery, of Blarney (County Cork), an
Irish high school girl, develops a cipher that, by using 2x2 matrices, can
achieve the results of RSA, but with only multiplication instead of
exponentiation...
and now you tell us that a high school girl from Scotland has followed in
her footsteps? These Celts are up to something!
John Savard
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************