Cryptography-Digest Digest #594, Volume #10      Fri, 19 Nov 99 22:13:03 EST

Contents:
  Re: What part of 'You need the key to know' don't you people get? (Johnny Bravo)
  Re: Modified DH - ok? ([EMAIL PROTECTED])
  Re: AES cyphers leak information like sieves (wtshaw)
  Is this "legal"???  Export concept presented (albert)
  Re: AES cyphers leak information like sieves (Tim Tyler)
  Re: AES cyphers leak information like sieves (Tim Tyler)
  Re: AES cyphers leak information like sieves (Tim Tyler)
  Re: AES cyphers leak information like sieves (Tim Tyler)
  Re: Simpson's Paradox and Quantum Entanglement (Andy Spragg)
  Re: AES cyphers leak information like sieves (Jerry Coffin)
  Re: Distribution of intelligence in the crypto field (albert)
  Re: Simpson's Paradox and Quantum Entanglement ("karl malbrain")
  Re: GT-1 Consortium (David A Molnar)
  Re: What part of 'You need the key to know' don't you people get? (Johnny Bravo)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Johnny Bravo)
Subject: Re: What part of 'You need the key to know' don't you people get?
Date: Fri, 19 Nov 1999 17:36:16 GMT

On Fri, 19 Nov 1999 15:23:02 GMT, [EMAIL PROTECTED]
(SCOTT19U.ZIP_GUY) wrote:

>  You asshole he messed his math up and admitted it so shut the fuck up.

  His math was correct, he stated that 28 wheels with 26 positions
each had more than 2^128 states.  The fact that you still can't figure
it out speaks volumes for your mathematical ability.

>The argument really is over whether one just considers the starting positions
>of 3 or more fixed wheels as the key. Or if the actual order of the 
>characters on the wheels should count as part of the key. I prefer to count 
>the wheel types possible; it seems you and Tom only want to use fixed wheels.

  That's because the Enigma did use fixed wheels, we were talking
about what the Enigma actually was, not a hypothetical system that
never existed.  

>Which greatly reduces the key space. But face it, if one is simulating the Enigma,
>the order of characters on the wheels would be part of the key space.

  Since the order of characters on the wheels is fixed and cannot be
changed by the users, then you are not simulating the Enigma if you
allow the users to change the wiring on the wheels.  If you do, you
are no longer talking about Enigma, but some hypothetical variant that
was never used.

  Johnny Bravo


------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Modified DH - ok?
Date: Fri, 19 Nov 1999 22:42:46 GMT

[EMAIL PROTECTED] wrote:

> May i propose a change:
>
>     PtoQ <-- (P + (P * N)) mod M
>     QtoP <-- (Q + (Q * N)) mod M

That's the same as your first scheme, except you're
using (N+1) in place of N.

> With this, i (errare humanum est) am unable to calculate P from Mr
> Shimizu's
> recommendation.

Since you replaced N by N+1 in the scheme, do the
same in the attack.

[...]
> (P.S: Sorry for continuing on with this, but probably more people than
> me
> need this kind of thing so it can be implemented in on low end
> languages.

I expect you would enjoy more success in learning
to implement large-integer modular exponentiation
in a low-level programming language than you'll
have in inventing a new public-key cipher.  The
latter seems to be several million times harder
than the former.

--Bryan


Sent via Deja.com http://www.deja.com/
Before you buy.
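Bryan's point, that the proposed change is the first scheme with N+1 standing in for N, can be checked in a few lines. The following is an added example and not part of the thread; the numbers are constructed, the assumption that N and M are public parameters (as g and p are in ordinary DH) is mine, and the modular-inverse recovery is my reading of what "do the same in the attack" refers to, since the thread does not spell the original attack out.

```python
from math import gcd
from typing import Optional

# Constructed toy parameters (not from the thread): a prime modulus and a public multiplier.
M = 1_000_003
N = 12_345


def first_scheme(P: int, N: int, M: int) -> int:
    """The poster's first scheme as described upthread: P * N mod M."""
    return (P * N) % M


def modified_scheme(P: int, N: int, M: int) -> int:
    """The proposed change: P + (P * N) mod M."""
    return (P + (P * N)) % M


def recover_secret(value: int, N: int, M: int) -> Optional[int]:
    """Undo the modified scheme given public N and M (assumption: both are public).

    P + P*N equals P*(N+1), so value = P*(N+1) mod M.  Whenever gcd(N+1, M) == 1
    the factor (N+1) has a modular inverse and P is read straight back from the
    transmitted value.  Returns None when no inverse exists (several P then map
    to the same value, but that is a correctness problem, not a security gain).
    """
    if gcd(N + 1, M) != 1:
        return None
    return (value * pow(N + 1, -1, M)) % M


def scheme_is_just_renamed(M: int, sample_count: int = 1000) -> bool:
    """Confirm modified_scheme(P, N) == first_scheme(P, N + 1) for many P and N."""
    return all(
        modified_scheme(P, n, M) == first_scheme(P, n + 1, M)
        for P in range(1, sample_count)
        for n in (1, 2, 7, N)
    )


if __name__ == "__main__":
    sent = modified_scheme(67890, N, M)
    print("on the wire:", sent, "recovered:", recover_secret(sent, N, M))
```

The lesson is the one Bryan draws: a linear blinding by a public constant is reversible by anyone who knows the constant, and adding 1 to it changes nothing.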

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: AES cyphers leak information like sieves
Date: Fri, 19 Nov 1999 17:07:05 -0600

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:

> wtshaw <[EMAIL PROTECTED]> wrote:

> 
> : Where length is flexible, only the last block might be short.
> 
> Where length is completely flexible, there's no need for any block
> to be short.

I meant short as in the last block might be shorter than the others, not
incomplete.
> 
> I understand that not everyone thinks that the technical problems with
> variable length blocks have been resolved, and not everyone agrees that
> larger block sizes are better today.  However - in principle - larger
> blocks (not necessarily with accompanying larger keys) seem to me to be a
> good idea.

Having the ability for huge blocks cuts the overhead in the GVA.  With
overshuffled ciphers, this would be a killer, but I have no problems with
blocks over 1000 bits.  The bigger the blocks can be, the fewer of them
that are needed.
-- 
A site of interest: www.echelonwatch.org

------------------------------

From: albert <[EMAIL PROTECTED]>
Subject: Is this "legal"???  Export concept presented
Date: Fri, 19 Nov 1999 14:48:42 -0800

Algorithms such as RC6 are parameterized.
40bit crypto algorithms are exportable.

So what if I export code that is RC6 as 32 bit key, 32 bit block, and 1
round?  Would it then be considered exportable???  Since it's
parameterized, then I can email it to someone, and they can in turn
change it to 128bits.

I think crypto policies are a joke, especially when you can export
Bruce's Applied Crypto book, which contains code in the back..

Albert




------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: AES cyphers leak information like sieves
Reply-To: [EMAIL PROTECTED]
Date: Fri, 19 Nov 1999 23:05:17 GMT

John Savard <[EMAIL PROTECTED]> wrote:
: [EMAIL PROTECTED] (David Wagner) wrote, in part:

:>(The idea of compressing before encrypting isn't new.  Neither is the
:>idea of all-or-nothing-style encryption algorithms which diffuse bits
:>through the entire ciphertext and plaintext.  Those were the only two
:>that I heard from him.)

: He does have a third idea, which also may not be terribly original.
: The basic principle of Scott16 and company is that they use _really_
: large key-dependent S-boxes. Blowfish uses giant key-dependent S-boxes
: with 256 entries; Scott16's S-boxes have 2^16, or 65,536 entries, and
: Scott19's S-boxes have 2^19 entries.

...and perhaps another idea - the notion that compression for use with
encryption should have a property (which he calls one-on-one) in order
to circumvent particular types of attack on the surrounding encryption.

David has built what seems to be the first one-on-one compression program.

I don't know enough history to say how original all of his ideas are,
but I know that they appear to encounter much resistance whenever they get
mentioned on sci.crypt.  The resistance appears to me to be much greater
than the ideas deserve on their own merits.
-- 
__________
 |im |yler  The Mandala Centre  http://www.mandala.co.uk/  [EMAIL PROTECTED]

You'll never get dizzy doing a good turn.

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: AES cyphers leak information like sieves
Reply-To: [EMAIL PROTECTED]
Date: Fri, 19 Nov 1999 23:58:19 GMT

wtshaw <[EMAIL PROTECTED]> wrote:
: In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:

:> I /presume/ you refer to The Grandview Algorithm - as described at:
:> http://radiofreetexas.com/wts/gva.htm
:> 
:> After looking at this, I observe that it /appears/ to have the same
:> characteristic that is being criticised here, that there's almost a 1-1
:> relationship between the cyphertext and the plaintext.
:> 
:> I've only given the system a cursory look, but it /appears/ to me that
:> the consequences of an error in a single letter will /usually/ affect
:> three adjacent letters in the plaintext (and there's a small chance that
:> they will destroy the message totally?).

: Only if the error is in the first few letters of a block are the results
: traumatic. Otherwise, each error is seen as a single character typo.

Yes, this was my first thought.  I could hardly believe there was no
diffusion between letters at all, though - so I invented some ;-|

: The type of leaking discussed earlier is no problem with the GVA [...]

You refer to the leak that I initially referred to when the so-called
"Electronic Cookbook" modes of block cyphers are used?

Apparently such modes are rarely used for anything serious anyway.

:> Most of the time, I'd rather have better security than error recovery -
:> since typically I plan to compress my messages - and compression and
:> error-recovery are not good bedfellows.
:
: If the leaking problem mentioned does not exist with the GVA, then how is
: it less secure?

I am not in a good position to comment on the weaknesses or otherwise
of your GVA system.  I know that Thomas Jefferson's cypher was pretty
secure for its time - and that your system certainly appears to offer
better security than it did.

The system relies on large "random" tables of permutations of the
alphabet.  You do not appear to specify how these tables should be
generated.

It appears to me that one /potential/ source of weaknesses may lie
in the manner in which these tables are generated - which does not
seem to be covered in the description you offer.

I'm arguing that /if/ some types of weakness are discovered, a
failure to diffuse the plaintext information through the file
will be likely to make things worse.

*If* there is no weakness in the first place, this argument lacks force -
but who can say with any certainty that their cypher lacks weaknesses?

You can undoubtedly have strength without diffusion.  However diffusion
appears to me to increase whatever strength is already there.

In cases where security is more important than having an error-recovery
mechanism inside the encryption (rather than layered on top of it), I
believe you should generally use a diffuser.

Error recovery is not always useful for many types of files with built-in
compression anyway.  With JPEGs, etc it is not easy to recover gracefully
from point errors, since it is in the nature of the data to magnify
any faults that occur, during the process of decompression.  This /may/ be
irrelevant - or it may be critical, depending on the application.

You can still get good error correction by intelligently employing the
transmission protocols.  I believe the cases where this is insufficient
are now rare - and are becoming rarer as communication fidelity improves.
-- 
__________
 |im |yler  The Mandala Centre  http://www.mandala.co.uk/  [EMAIL PROTECTED]

Only users lose drugs.

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: AES cyphers leak information like sieves
Reply-To: [EMAIL PROTECTED]
Date: Fri, 19 Nov 1999 23:40:24 GMT

Volker Hetzer <[EMAIL PROTECTED]> wrote:
: Tim Tyler wrote:

:> I would say that (at least in the case of CBC mode chaining) it does
:> change the security.  The failure to distribute the information in the
:> plaintext throughout the cyphertext allows types of analysis which would
:> otherwise be impossible.  For example, a partial plaintext may offer
:> complete knowledge about a number of blocks of cyphertext.  This would
:> never happen if proper diffusion had taken place - unless the entire
:> plaintext were known.

: Okay, let's try a different approach:
: Assume CBC.

OK.

: Assume, the best way to find the key, given a plaintext/ciphertext pair
: is brute forcing the underlying block cipher.

Why on earth would I want to assume such a thing?

The only systems conceivable to me that /definitely/ have this property
consist of huge permutation tables (one for each key) that define the
permutation of each possible block in the cyphertext, with tables of
random numbers that have been dictated to me by God himself, who
personally assures me of their high entropy content.

This seems rather fantastic to me.

: Assume, you've got knowledge of the first block (the IV).
: Now, does this knowledge help you to find an attack better than brute
: force on the first message block?

If I've *already* /assumed/ that there's no attack better than brute
force, then there's not going to be any attack better than brute force,
now - is there?

My issue lies with your premises, which I don't grant you ;-(
-- 
__________
 |im |yler  The Mandala Centre  http://www.mandala.co.uk/  [EMAIL PROTECTED]

Work harder!  Millions on welfare depend on you.

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: AES cyphers leak information like sieves
Reply-To: [EMAIL PROTECTED]
Date: Sat, 20 Nov 1999 00:20:07 GMT

John Savard <[EMAIL PROTECTED]> wrote:

[snip]

: But there is also the minor matter of the work factor. This has to be
: taken into account, unless you are worried about God breaking your
: codes.

: But it is _one_ thing to say: "The NSA might have bigger computers
: than we think, so we should use longer keys, and fancier codes, than
: we think we really need" (that I'll happily agree with) and it is
: quite another to say that the NSA must, necessarily, possess computers
: with power greater even than that of the largest quantum computers we
: can imagine, and therefore ciphers with mere 256-bit keys are, not
: possibly, but certainly, badly insecure.

Did I say that?

IIRC, the nearest I came to this claim was that if you had data with
regularities on the same scale as your block size, then you would need
to be careful that you did not get a repeated block.

Experience teaches me I need to point out at this point that I'm talking
about the mode of block cyphers where a whole block of repeated plaintext
leads directly to repeated cyphertext.  If you mix encypherment by blocks
with other bits and pieces, you can easily avoid this.

: Sweeping claims - and claims that are utterly fantastic in nature -
: will produce a predictable response. Saying "Hey, you know, a PC can
: encrypt with a 1,024 byte symmetric key really easily, and so one
: might as well be on the safe side, what with computers getting bigger
: so quickly" is one thing;

For what it's worth I would be unlikely to advocate increasing the key
size.  AFAICS, without intelligent design, increased key-size does not
necessarily lead to much greater security, anyway - unless:

A) the key is small enough to apply brute force, or...
B) the size of the key is an appreciable fraction of the size of the
   messages it encrypts.

My interest is /mainly/ in getting the maximum bangs for a given key size.
If people want to use short keys for some reason, I can respect that.

: [...] but saying "You're an idiot if you think the NSA can't
: brute-force 256 bits" will just get you laughed at.

I certainly never said the section you placed quotation marks around.

Nor do I believe a brute force search of a 256-bit keyspace is remotely
practical.  Not for me, not for you, and not for the NSA.

Your idea of my views in this area seems somewhat straw-like ;-|
-- 
__________
 |im |yler  The Mandala Centre  http://www.mandala.co.uk/  [EMAIL PROTECTED]

You may not realise it - but this is a subliminal one-liner.
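The mode Tim describes here and in his earlier reply to wtshaw, where a whole block of repeated plaintext turns directly into a repeated cyphertext block, is ECB. The Python below is an added illustration, not code from the thread: it builds a toy 16-byte Feistel block cipher (round function from SHA-256, a stand-in for any block cipher and of no cryptographic strength), runs the same constructed message through ECB and CBC, and counts duplicate cyphertext blocks, which is the quick check a reviewer runs to spot ECB in a captured stream. The key, IV and message are constructed here and the padding rule (caller supplies whole blocks) is an assumption.

```python
import hashlib
from collections import Counter

BLOCK = 16          # block size in bytes
HALF = BLOCK // 2
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, half: bytes, rnd: int) -> bytes:
    # Toy round function: keyed SHA-256 truncated to one half-block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]


def _feistel(key: bytes, block: bytes, round_order) -> bytes:
    # Generic Feistel network; decryption is the same walk with the rounds reversed.
    l, r = block[:HALF], block[HALF:]
    for rnd in round_order:
        l, r = r, _xor(l, _round_fn(key, r, rnd))
    return r + l                # undo the final swap


def block_encrypt(key: bytes, block: bytes) -> bytes:
    return _feistel(key, block, range(ROUNDS))


def block_decrypt(key: bytes, block: bytes) -> bytes:
    return _feistel(key, block, reversed(range(ROUNDS)))


def _blocks(data: bytes) -> list:
    assert len(data) % BLOCK == 0, "caller pads to a whole number of blocks (assumption)"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # Each block is encrypted on its own: equal plaintext blocks give equal cyphertext blocks.
    return b"".join(block_encrypt(key, b) for b in _blocks(data))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for b in _blocks(data):
        prev = block_encrypt(key, _xor(b, prev))   # chain the previous cyphertext block in
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(data):
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def duplicate_block_count(ct: bytes) -> int:
    """Number of cyphertext blocks that repeat an earlier block; >0 is the ECB tell-tale."""
    return sum(n - 1 for n in Counter(_blocks(ct)).values() if n > 1)


# Constructed sample: the same 16-byte block four times, then one distinct block.
KEY = b"constructed-key!"
IV = bytes(range(BLOCK))
MESSAGE = b"ATTACK AT DAWN!!" * 4 + b"0123456789ABCDEF"

if __name__ == "__main__":
    print("ECB duplicate blocks:", duplicate_block_count(ecb_encrypt(KEY, MESSAGE)))
    print("CBC duplicate blocks:", duplicate_block_count(cbc_encrypt(KEY, IV, MESSAGE)))
```

Under ECB the four repeated plaintext blocks show up as four identical cyphertext blocks, with no key knowledge needed to see it; under CBC the chaining makes every block input distinct, which is the "mixing encypherment by blocks with other bits and pieces" that Tim says avoids the problem.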

------------------------------

From: [EMAIL PROTECTED] (Andy Spragg)
Crossposted-To: comp.ai.fuzzy,sci.physics,sci.math
Subject: Re: Simpson's Paradox and Quantum Entanglement
Date: Sat, 20 Nov 1999 00:41:20 GMT

PoinT? PoinTS thrice, dear boy - with economy of words and at no extra
cost.

1) If YOU had a point (non-sequiturial incomprehensible
psychobabbulatory samples follow): 

> Simpson's description of VINGH as a SUBJECTIVE/OBJECTIVE
> problem -- WHO is trying to change ownership of WHAT property
> for their SINGULAR benefit. HISTORY is a MAJORITY subject.

> You are just as bad as the original poster.  Logically, EVERYTHING
> has SOMETHING to do with REALITY.  Most people need help
> sorting out LIES from FICTION, or SUBJECTS from OBJECTS.
> It's a question of how much of the problem you're prepared and
> willing to deal with -- you can't just DECREE it away.

it wasn't obvious to anyone except you.

2) PEOPLE WHO LEAVE CAPS LOCK ON MIGHT BE JUST FORGETFUL OR STUPID -
PEOPLE who ALTERNATE between CAPS and SMALL letters ARE obviously
DOING it BY design RATHER than ACCIDENT. But it doesn't impress anyone
- garbage in capitals, garbage out capitals. Hence:

3) a little pun on your surname - do you know any French? I am
jocularly speculating whether the bizarre nature of your prose is
connected with cerebral illness.

Still, full marks for:

>> Did you learn the art of communication from Carl Sagan, the man WHO
>> put THE emphasis ON all THE wrong words?
>
>Sorry, I'm of absolutely NO help with this question.  Karl M

Andy

On Thu, 18 Nov 1999 16:58:17 -0800, "karl malbrain" <[EMAIL PROTECTED]>
wrote:

>
>Andy Spragg <[EMAIL PROTECTED]> wrote in message
>news:[EMAIL PROTECTED]...
>> Are you MALBRAIN by name, malbrain by NATURE, or WHAT? You're going to
>> damage your VOICE, alternately speaking and SHOUTING like that -
>> particularly when neither MODE seems to convey anything WORTHWHILE.
>
>Well, what exactly is your point?  Yes, I have a name. No, I didn't
>personally choose it.  Go ask someone in BELGIUM where it comes from or why,
>not me.
>
>> Did you learn the art of communication from Carl Sagan, the man WHO
>> put THE emphasis ON all THE wrong words?
>
>Sorry, I'm of absolutely NO help with this question.  Karl M
>
>


------------------------------

From: [EMAIL PROTECTED] (Jerry Coffin)
Subject: Re: AES cyphers leak information like sieves
Date: Fri, 19 Nov 1999 17:45:31 -0700

In article <[EMAIL PROTECTED]>, 
[EMAIL PROTECTED] says...

[ ... sorry to follow-up to my own post, but... ]

> He also advocates _extremely_ large, key-dependent S-boxes, and that 
> the encryption be designed specifically so it does not give an 
> attacker clues about the validity of a possible encryption.

That, of course, is pretty much universal.  I meant to say that the 
_compression_ be designed to avoid giving out clues about the 
encryption.

-- 
    Later,
    Jerry.
 
The universe is a figment of its own imagination.

------------------------------

From: albert <[EMAIL PROTECTED]>
Subject: Re: Distribution of intelligence in the crypto field
Date: Fri, 19 Nov 1999 16:57:30 -0800

> I'll have to disagree with that: not that it isn't true, but it
> doesn't apply to the NSA. The people working there aren't trying to
> make Bill Gates rich, they're trying to keep their country safe from
> aggression. Thus, the NSA's purpose is one that can at least be seen
> by some of its staff as noble - so it does have more than money to
> work with.
>
>

So you are trying to tell me that the NSA has more "motivation" than Bill?
That's not the point though, the point is that intelligence is sparse as it
is.  Crypto knowledge is even more rare.  I don't think NSA has a Bletchley
Park they are growing, and even if they do, I would pit the greatest crypto
minds of the rest of the world against them and bet you'd come out pretty
equal.

Albert




------------------------------

Reply-To: "karl malbrain" <[EMAIL PROTECTED]>
From: "karl malbrain" <[EMAIL PROTECTED]>
Crossposted-To: comp.ai.fuzzy,sci.physics,sci.math
Subject: Re: Simpson's Paradox and Quantum Entanglement
Date: Fri, 19 Nov 1999 17:22:28 -0800


Andy Spragg <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> PoinT? PoinTS thrice, dear boy - with economy of words and at no extra
> cost.
>
> 1) If YOU had a point (non-sequiturial incomprehensible
> psychobabbulatory samples follow):
(...)
> it wasn't obvious to anyone except you.

History belongs to the energetic, not to those seeking COHERENCE at the
expense of LEGALITY.  The effect was the ORIGINAL poster LOCKING DOWN
DETERMINISM, historically.  Where exactly are you GROUNDED???

> 2) PEOPLE WHO LEAVE CAPS LOCK ON MIGHT BE JUST FORGETFUL OR STUPID -
> PEOPLE who ALTERNATE between CAPS and SMALL letters ARE obviously
> DOING it BY design RATHER than ACCIDENT. But it doesn't impress anyone
> - garbage in capitals, garbage out capitals. Hence:

Sorry, you'll just have to live with it, now and for a time.  If you're
really, really, patient, it will come around again for you to, hopefully,
make an intelligent CHOICE next time.  That's what this thread is all
about -- SUBJECTIVE CHOICES.

> 3) a little pun on your surname - do you know any French? I am
> jocularly speculating whether the bizarre nature of your prose is
> connected with cerebral illness.

Well, I hope you're never, ever, near any ACTUAL people.  Those of us who
aren't striving for VIRTUALITY would consider you DANGEROUS in a
face-to-face encounter, what with your OFF-HANDED DIAGNOSIS and all.

> Still, full marks for:
>
> >> Did you learn the art of communication from Carl Sagan, the man WHO
> >> put THE emphasis ON all THE wrong words?
> >
> >Sorry, I'm of absolutely NO help with this question.  Karl M

Thanks, Karl M




------------------------------

From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: GT-1 Consortium
Date: 20 Nov 1999 01:21:05 GMT

Michael Scott <[EMAIL PROTECTED]> wrote:
> Well there you have it from these "experts". Your 1024 bit PGP key can be
> factored in 4 milli-seconds...

Looks like someone screwed up in writing the ad copy. It happens (for
a while, the NTRU site claimed that "no one has ever tried to parallelize
lattice basis reduction algorithms" -- thankfully they've fixed that) and
doesn't say much for whomever wrote it. Even so, it could be the case that
the ad copy and the algorithm were designed by two different people. 

I just wish they'd post their papers on the web site. Seriously. At least
references. 

-David


------------------------------

From: [EMAIL PROTECTED] (Johnny Bravo)
Subject: Re: What part of 'You need the key to know' don't you people get?
Date: Fri, 19 Nov 1999 20:33:11 GMT

On Sat, 20 Nov 1999 00:29:12 GMT, Tim Tyler <[EMAIL PROTECTED]> wrote:

>There are /many/ possible figures you can get for the keyspace of the
>Enigma machine, depending on which combination of components you consider
>to be part of the key.
>
>There were a number of different types of wheel employed over a period of
>time, with differing arrangements of letters.  Do you count this?  Or not?

  I went over this in another recent message to the group.  This had
nothing to do with any of the above.  The original assertion was that
28 wheels in fixed positions with 26 states each had over 2^128 bits
of possible positions.  This assertion is absolutely correct.

  This was what was replied to
">Assuming 26 pins per wheel you need 28 wheels to match a 128-bit
>key. Did they have 28 wheels?  I am not sure... did they?

<And the reply by DS>
   are you a complete fool where did you get such a rediculus number.
Are you stuoid enough to think that the number 26 is a binary number.
You really are full of shit Mr Tom. Each wheel is a specail
arrangement of 26 characters and don't forget the plug borad in the
front of machine. "

  My reply was solely directed at calling a person "rediculus"(sp),
"stuoid"(sp) and "full of shit" for stating something that is correct.
log2(26^28) is indeed the fewest number of 26 pin fixed wheels you
need to achieve at least 128 bits of possible states.  If you are
taking the wheels in random order each time, you only need 17 of them
to reach 128 bits of state.
  If you disagree with someone you figure out where they went wrong,
correct the mistake as you see it and maintain a civil tone.  If
instead you just launch a personal attack that makes you look like a
complete idiot because you have no clue about what you are attacking
in front of the entire group, you can reasonably expect a serious
amount of flames to head your way.

  Best Wishes,
    Johnny Bravo
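Johnny's two figures, 28 fixed wheels and 17 wheels once their order also counts, can be checked directly. The Python below is an added example and not part of the thread: it counts the states for both conventions (my reading of "taking the wheels in random order" is that the n! orderings multiply the 26^n start settings) and searches for the smallest wheel count that reaches a target. It models nothing of the real Enigma beyond 26 positions per wheel, so the plugboard and wheel wiring raised elsewhere in the thread are deliberately left out.

```python
import math

POSITIONS = 26   # letters on a wheel, hence 26 start settings per wheel


def fixed_order_states(n_wheels: int) -> int:
    """Exact number of settings for n wheels in a fixed order: 26^n."""
    return POSITIONS ** n_wheels


def random_order_states(n_wheels: int) -> int:
    """Assumption: n distinct wheels in any order, so 26^n settings times n! orderings."""
    return POSITIONS ** n_wheels * math.factorial(n_wheels)


def key_bits(states: int) -> float:
    """Key space in bits, i.e. log2 of the number of states (math.log2 takes big ints)."""
    return math.log2(states)


def wheels_needed(target_bits: int, count_fn) -> int:
    """Smallest n for which count_fn(n) offers at least target_bits of state."""
    n = 1
    while count_fn(n) < 2 ** target_bits:   # exact integer comparison, no rounding
        n += 1
    return n


if __name__ == "__main__":
    for name, fn in (("fixed order", fixed_order_states), ("any order", random_order_states)):
        n = wheels_needed(128, fn)
        print(f"{name}: {n} wheels give {key_bits(fn(n)):.1f} bits")
```

Each wheel contributes log2(26), roughly 4.7 bits, so 27 fixed wheels fall just short of 128 bits and 28 clear it; allowing the order to vary adds log2(n!) bits on top, which is why 17 wheels suffice under that convention.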


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
