Cryptography-Digest Digest #661, Volume #10       Thu, 2 Dec 99 02:13:01 EST

Contents:
  Re: more about the random number generator (NFN NMI L.)
  Re: What part of 'You need the key to know' don't you people get? (Johnny Bravo)
  Re: Why Aren't Virtual Dice Adequate? (fungus)
  Re: NSA should do a cryptoanalysis of AES (Johnny Bravo)
  Re: NSA should do a cryptoanalysis of AES ("Trevor Jackson, III")
  Re: What part of 'You need the key to know' don't you people get? ("Douglas A. Gwyn")
  Re: What part of 'You need the key to know' don't you people get? ("Douglas A. Gwyn")
  Re: Decyption proof cellphones in Europe? [x3] ("Douglas A. Gwyn")
  Re: brute force versus scalable repeated hashing ("Douglas A. Gwyn")
  Re: The Code Book - Part 4 ("Douglas A. Gwyn")
  Re: Elliptic Curve Public-Key Cryptography (DJohn37050)
  Re: Some feedback from the USA --- my story is real .. ("Douglas A. Gwyn")
  Re: Encrypting short blocks ("Douglas A. Gwyn")
  Re: Paradise shills?? ("Douglas A. Gwyn")
  Re: VIC cipher strength? (UBCHI2)
  Re: digraph frequencies ("r.e.s.")
  Re: Elliptic Curve Public-Key Cryptography (David A Molnar)
  Re: VIC cipher strength? ("r.e.s.")
  Re: The $10,000.00 contesta (Johnny Bravo)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (NFN NMI L.)
Subject: Re: more about the random number generator
Date: 02 Dec 1999 01:22:18 GMT

<<So a string
of 95 million bits can be compressed to a TM-representation with
just 6 states.>>

What's that machine look like? And the 5 state machine that prints 1000-odd
states? At least the 4 state busy beaver is precisely known...


Wow! My long .sig returns!

-*---*-------
S.T.L.  (NFN NMI L. also) -===> [EMAIL PROTECTED] <===- 2^6972593 - 1 IS PRIME!
Quotations: http://quote.cjb.net Main site: http://137.tsx.org F00FC7C8 MOO!
"Xihribz! Peymwsiz xihribz! Qssetv cse bqy qiftrz!" e^(i*Pi)+1=0  Mail block
is gone, but will return if I'm bombed again. It was an easy fix. Address is
correct as-is. Giving the correct address is COURTEOUS; junk gets in anyway.
Join the Great Internet Mersenne Prime Search at http://entropia.com/ips/ My
.sig is even shorter, and contains 3046 bits of entropy including next line:
-*---*-------

Card-holding member of the Dark Legion of Cantorians, People for the Ethical
Treatment of Digital Tierran Organisms, the Holy Order of the Catenary, the
Great SRian Conspiracy, the Triple-Sigma Club, the Polycarbonate Syndicate,
the Union of Quantum Mechanics, the Roll-Your-Own Crypto Alliance, the
Church of the New Epoch, and the Organization for the Advocation of
Two-Letter Acronyms (OATLA)
Avid watcher of "World's Most Terrifying Causality Violations", "When Kaons
Decay: World's Most Amazing CP Symmetry Breaking Caught On [Magnetic] Tape",
"World's Scariest Warp Accidents", "When Renormalization Fails", "World's
Most Energetic Cosmic Rays", and "When Tidal Forces Attack: Caught on Tape"
Patiently awaiting the launch of Gravity Probe B and the discovery of M39
Physics Commandment #27: Laziness Increases With Time.


------------------------------

From: [EMAIL PROTECTED] (Johnny Bravo)
Subject: Re: What part of 'You need the key to know' don't you people get?
Date: Wed, 01 Dec 1999 21:24:40 GMT

On Wed, 01 Dec 1999 13:48:36 -0600, [EMAIL PROTECTED] (wtshaw) wrote:

>>   The burden of proof is on the claimant.  If he has a point to make, it
>> is up to him to prove he is right, it is not up to us to prove him
>> wrong. 
>> 
>Well, you might be well liked in a class on legalities, but, science makes
>no demand, merely that the evidence speaks for itself, whatever the
>source. 

  Vague claims without testable, repeatable evidence to back them up
are not science.  They make good pseudoscience though, as regularly
shown over in talk.origins.

>A *good* scientist willingly reveals everything even if part of the evidence he
>exposes is against him. There is no expectation regarding his feelings as
>long as the data is there.  

  But tossing out a theory, and saying "That is the truth, prove me
wrong or admit I'm right." is not science by any stretch of the
imagination.

  Best Wishes,
    Johnny Bravo


------------------------------

From: fungus <[EMAIL PROTECTED]>
Crossposted-To: sci.math
Subject: Re: Why Aren't Virtual Dice Adequate?
Date: Thu, 02 Dec 1999 02:37:30 +0100



Bennett Standeven wrote:
> 
> On Thu, 25 Nov 1999, Tim Tyler wrote:
> 
> > In sci.crypt John Savard <[EMAIL PROTECTED]> wrote:
> >
> > : However, in practice, random numbers derived from throwing dice or
> > : flipping coins are adequate for producing secure one-time-pads.
> >
> > Really?  How do you judge how secure they are?
> >
> > What coins, or dice would you recommend using - and what manufacturing
> > process produced them?
> 
> Casino dice should do nicely.

Any dice/coins should do if you change them around.

eg. Throw a die then flip a coin the number of times shown
on the die, outputting that many bits. Toss another coin
twice to decide whether to swap the coin/die for another
one in the set.

You can complicate this as much as you want to, a bit like
cascading shift register generators. I don't think there
will be any exploitable bias in the output of a system with
several coins/dice.



-- 
<\___/>
/ O O \
\_____/  FTB.
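
The procedure above is easy to simulate, and a simulation is the quickest way to check the claim about bias. The following harness is an added example, not code from the post: it models each coin by its probability of landing heads (bit 1) and each die by its face probabilities, runs the "throw a die, flip the coin that many times, then toss a selector coin twice to decide whether to change coin and/or die" loop, and measures the fraction of ones in the output. For comparison it also applies the classic von Neumann debiasing step inside each run of flips (where all bits come from the same coin). The coin and die sets are constructed values, and the two-toss selector rule (first toss moves to the next coin, second to the next die) is one reading of the post, assumed here.

```python
import random

# Constructed model of the procedure in the post: a set of coins (each given
# by its probability of heads = bit 1) and a set of dice (six face probabilities).
FAIR_COINS = [0.5, 0.5, 0.5]
SKEWED_COINS = [0.5, 0.5, 0.7]          # one coin in the set is biased towards 1
FAIR_DIE = [1 / 6] * 6


def throw_die(rng, faces):
    """Return a face value 1..6 for a die with the given face probabilities."""
    r, acc = rng.random(), 0.0
    for face, p in enumerate(faces, start=1):
        acc += p
        if r < acc:
            return face
    return len(faces)


def cascade_runs(rng, coins, dice, n_bits):
    """Simulate the coin/die cascade. Returns a list of runs; each run is the
    list of bits from flipping one coin (die roll) many times, so the bits
    inside a run are independent flips of the same physical coin."""
    ci, di = 0, 0
    runs, produced = [], 0
    while produced < n_bits:
        k = throw_die(rng, dice[di])
        run = [1 if rng.random() < coins[ci] else 0 for _ in range(k)]
        runs.append(run)
        produced += k
        # Assumed selector rule: a fair coin is tossed twice; the first toss
        # decides whether to move to the next coin, the second to the next die.
        if rng.random() < 0.5:
            ci = (ci + 1) % len(coins)
        if rng.random() < 0.5:
            di = (di + 1) % len(dice)
    return runs


def raw_bits(runs):
    """Flatten the runs into the bit stream the procedure actually outputs."""
    return [b for run in runs for b in run]


def ones_fraction(bits):
    return sum(bits) / len(bits)


def von_neumann(runs):
    """Von Neumann debiasing applied inside each run, so every pair comes from
    the same coin: 01 -> 0, 10 -> 1, 00 and 11 are discarded."""
    out = []
    for run in runs:
        for a, b in zip(run[0::2], run[1::2]):
            if a != b:
                out.append(a)
    return out


def measure(coins, n_bits=200_000, seed=1):
    """Return (ones fraction of raw output, ones fraction after debiasing)."""
    rng = random.Random(seed)
    runs = cascade_runs(rng, coins, [FAIR_DIE, FAIR_DIE], n_bits)
    return ones_fraction(raw_bits(runs)), ones_fraction(von_neumann(runs))


if __name__ == "__main__":
    for name, coins in (("fair set", FAIR_COINS), ("one skewed coin", SKEWED_COINS)):
        raw, debiased = measure(coins)
        print(f"{name}: raw P(1) = {raw:.4f}, after von Neumann P(1) = {debiased:.4f}")
```

The raw output's ones fraction converges to the average bias of the coins in the set (the die only sets run lengths and the swapping only averages over coins), so swapping among physical coins spreads a defect rather than removing it; the per-run von Neumann step is the kind of extractor a practitioner would put between physical randomness and a one-time pad.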



------------------------------

From: [EMAIL PROTECTED] (Johnny Bravo)
Subject: Re: NSA should do a cryptoanalysis of AES
Date: Wed, 01 Dec 1999 21:36:05 GMT

On Wed, 01 Dec 1999 14:46:09 GMT, [EMAIL PROTECTED]
(SCOTT19U.ZIP_GUY) wrote:

>   Do you really think that if the NSA broke a method that the public
>finds safe that it would be eliminated from the AES selection.

  In a word, "Yes."  Because if they can break it, someone else can
break it as well.  The United States is less than 1/20 of the world's
population.  I doubt anyone would be so arrogant as to assume that
they can do something that the other 5.73 billion people of the world
cannot.  And given that some of these countries don't have to account
to the people for dollars spent they could easily afford to pay up to
1000 times what we pay the NSA every year.
  Since our banks are going to be using this to protect our entire
economic system, a catastrophic break of AES could very well mean the
loss of hundreds of billions of dollars and possibly the destruction
of our entire economy.  I doubt the NSA is willing to risk the
destruction of the United States just so they can read your email.  
  If they really care they have plenty of other means to get your key.
After all, how many of us are using TEMPEST shielded computer equipment
at home, regularly inspect both hardware and software for tampering,
and sweep the room with the computer in it for monitoring devices?

  Johnny Bravo


------------------------------

Date: Wed, 01 Dec 1999 22:18:29 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: NSA should do a cryptoanalysis of AES



Bruce Schneier wrote:

> On Wed, 01 Dec 1999 19:53:18 +0000, Jim Gillogly <[EMAIL PROTECTED]> wrote:
> >Note also that even this information wouldn't tell you whether the
> >other four candidates each had an attack that would bring its
> >complexity down even lower than the hypothetically broken one.
>
> Which is the problem.
>
> If you don't trust the NSA (or, trust that they will behave
> maliciously), then there is nothing they can say that can convince you
> that they cannot break something.  If you trust them, or trust the
> public process enough to ignore them, then you have an easier time.
>
> It's a pity, really.  The United States has an enormous amount of
> cryptographic expertise in the NSA, and they have played the political
> game so badly that we can't use their expertise to its maximum
> effectiveness.

To be fair the circumstances are not all the fault of the agency.  One could
say that they have been played _with_, politically, to the detriment of the
nation and presumably the world.


------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: What part of 'You need the key to know' don't you people get?
Date: Thu, 02 Dec 1999 03:30:04 GMT

Brian Chase wrote:
> I think what I'm finding most disturbing, if not just outright disgusting,
> is how quickly disregarded are Scott's challenges to the conventions of
> the cryptology community.  Sure he's an asshole, but as a community is it
> not true that we don't conclusively know how secure the contemporary
> algorithms are?

Neither does D.Scott!  The main problem with his arguments is that
he asserts weaknesses in everybody's encryption schemes except his,
but doesn't *demonstrate* the weaknesses.  When he claims, for
example, that CBC itself creates exploitable weaknesses, yet there
happen to be solid mathematical papers demonstrating that CBC used
with a *strong* block cipher is not substantially weaker than the
block cipher by itself, it is incumbent on *him* to prove his claim,
or at least to exhibit an error in the previous work that proved the
opposite.  That's not only standard professional practice, it's
plain common sense.  Since he doesn't make a convincing case,
preferring to curse and challenge the integrity of anyone who
disagrees with him, it is not surprising that he is being almost
entirely ignored by the professional community.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: What part of 'You need the key to know' don't you people get?
Date: Thu, 02 Dec 1999 03:34:14 GMT

wtshaw wrote:
> [EMAIL PROTECTED] (Johnny Bravo) wrote:
> > The burden of proof is on the claimant.  If he has a point to make,
> > it is up to him to prove he is right, it is not up to us to prove
> > him wrong.
> Well, you might be well liked in a class on legalities, but, ...

Johnny Bravo is right and you are wrong.  If scientists had to take
seriously every crackpot claim, they'd never have time to make any
real progress.  It is a simple matter of practicality that the
proponent of a new idea that challenges established knowledge needs
to make a *convincing* case for his idea, so that at least some
scientists will be motivated to look into it.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Decyption proof cellphones in Europe? [x3]
Date: Thu, 02 Dec 1999 04:10:27 GMT

Bruce Schneier wrote:
> This sounds like an audio summary of Seymour Hersh's excellent New
> Yorker article on the same topic, which can be found at:
>         http://cryptome.org/nsa-hersh.htm

Like most such articles, some points were accurate, some were
wrong, and most were somewhere in between.  The most accurate
and relevant one was:
        "The agency was not allowed to keep the funds it had
        saved by reducing manpower and drastically cutting
        overseas stations."
In fact, there have always been new challenges facing SIGINT,
and there has been a fair degree of success in meeting them;
however, currently there is such a budget crunch that new
development is being sacrificed in order to maintain (for the
moment) existing production, despite DIRNSA's statement that
the opposite should occur.  It should be obvious that this
does not bode well for the future.

A problem I've noted before is that middle management tends
to ignore the policy guidance established at the very top,
so when DIRNSA (past or present) tries to implement a
significant change in the way business is done, the effect
is weakened as it filters through levels of management.
This seems to be inherent in a bureaucracy, and the only
really effective way I know of to fix it is to eliminate
some of the levels of management.  Without Congressional
support it would be nearly impossible to accomplish that.
However, the more political the process becomes, the bigger
the mess that results, usually.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc
Subject: Re: brute force versus scalable repeated hashing
Date: Thu, 02 Dec 1999 04:13:22 GMT

Tim Wood wrote:
> You must however appreciate how easy it is to misrepresent someone
> by changing the position of even one word ;-) or leaving out ...

It's the responsibility of the redactor to ensure that the meaning
is not significantly altered when abridging the quoted text.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: The Code Book - Part 4
Date: Thu, 02 Dec 1999 04:15:26 GMT

Andreas wrote:
> Because I can't speak that language (french) after I had decoded it I
> can't get the keyword from the text.

Speaking of that, I was annoyed that the Latin PT wasn't a very good
rendition of the original.

------------------------------

From: [EMAIL PROTECTED] (DJohn37050)
Subject: Re: Elliptic Curve Public-Key Cryptography
Date: 02 Dec 1999 04:20:13 GMT

Regarding RW being shown to be equivalent to factoring, as shown by the recent
breaks of ISO 9796 formatting, what this often means is that an attack that
allows for ONE RSA signature forgery, totally breaks RW, as one RW signature
forgery can be used to factor the RW modulus.

That is, having RW equivalent to factoring seems to mean that a break in RW
will often be a total break.  Some advantage.
Don Johnson
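
The "one forgery is a total break" point rests on a textbook fact about Rabin-type systems: a signature is a square root modulo N = pq, and anyone holding two square roots x, y of the same value with x != +-y (mod N) can compute gcd(x - y, N), which is a factor of N. The following is an added example, not code from the post; it uses constructed small primes (both congruent to 3 mod 4, so square roots modulo each prime are a single modular exponentiation) to show all four roots of a value and the gcd step that recovers the factorisation from any two "incompatible" roots.

```python
import math


def is_prime(n):
    """Trial division, sufficient for the constructed small moduli used here."""
    if n < 2:
        return False
    for d in range(2, int(n ** 0.5) + 1):
        if n % d == 0:
            return False
    return True


def modsqrt_blum(a, p):
    """Square root of a quadratic residue a modulo a prime p with p = 3 (mod 4)."""
    assert p % 4 == 3
    r = pow(a, (p + 1) // 4, p)
    assert r * r % p == a % p, "a is not a quadratic residue mod p"
    return r


def crt(r_p, p, r_q, q):
    """Combine a residue mod p and a residue mod q into one residue mod p*q."""
    inv_p = pow(p, -1, q)          # modular inverse (Python 3.8+)
    return (r_p + p * ((r_q - r_p) * inv_p % q)) % (p * q)


def all_square_roots(c, p, q):
    """The four square roots of c modulo N = p*q, one per sign combination.
    Only the holder of p and q can compute these; that is the signer's trapdoor."""
    rp, rq = modsqrt_blum(c, p), modsqrt_blum(c, q)
    return sorted({crt(sp, p, sq, q) for sp in (rp, p - rp) for sq in (rq, q - rq)})


def factor_from_roots(x, y, n):
    """Given two roots of the same value with x != +-y (mod n), gcd(x - y, n)
    is a proper factor. Returns None when the roots are a +- pair."""
    g = math.gcd(x - y, n)
    if 1 < g < n:
        return g, n // g
    return None


def demo(p=10007, q=10039, m=123456):
    """Constructed parameters: p and q are small primes, both 3 mod 4, and m
    plays the role of a legitimate signature (a square root of c = m^2 mod N)."""
    assert is_prime(p) and is_prime(q)
    n = p * q
    c = m * m % n
    roots = all_square_roots(c, p, q)
    # A second root of the same c that is not +-m is exactly what a second,
    # independently produced signature on the same value would be; combined
    # with m it reveals the factorisation, which is the total break described.
    other = next(r for r in roots if r not in (m % n, (-m) % n))
    return tuple(sorted(factor_from_roots(m, other, n)))


if __name__ == "__main__":
    print("recovered factors:", demo())
```

This is why proofs of equivalence to factoring cut both ways: the reduction that makes the security argument tight is the same computation that turns a single unexpected root into the private key. It is also why Rabin-style schemes rely on padding or formatting that prevents two different roots of one value from ever being produced.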

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Some feedback from the USA --- my story is real ..
Date: Thu, 02 Dec 1999 04:20:19 GMT

"Markku J. Saarelainen" wrote:
> ... they indeed violated the Economic Espionage Act of 1996. So
> the U.S. companies ARE actively violating this Act. What else can
> I tell you about doing the business in the U.S.A - and what can I
> conclude about the United States of America ... ?

One cannot conclude any generality from an isolated observation.
What you should have done was take your evidence to a lawyer and
pursued the transgressors in court.  Assuming that there was a
real transgression and that you're not imagining it all, which
from previous posts of yours seems to me like a real possibility.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Encrypting short blocks
Date: Thu, 02 Dec 1999 04:26:09 GMT

Markus Peuhkuri wrote:
> Is there an encryption algorithm that can be used for short
> blocks (variable from ~10 to 24 bits) _and_ the result is the same
> length as the original data?

Yes, most binary-oriented stream ciphers have that property.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Paradise shills??
Date: Thu, 02 Dec 1999 04:27:42 GMT

James Felling wrote:
> I am not very familiar with the "Berkley" PRNG mentioned ...

My guess is they mean the one that eventually appeared in the
Berkeley Software Distribution of UNIX.

------------------------------

From: [EMAIL PROTECTED] (UBCHI2)
Subject: Re: VIC cipher strength?
Date: 02 Dec 1999 05:37:24 GMT

It is easy enough to figure out the y coordinates of a straddling checkerboard.
You simply look for repetitions of one digit between 1-9.  The often repeated
part is probably one part of the y coordinate.

It's true you don't know the length, but you can make some pretty good guesses.
The Vic Cipher security, in my mind comes from the scrambling of the
straddling checkerboard encryption.

Thus my view that the 10 digit number could be replaced with a simpler, faster
and equally secure method for determining the checkerboard coordinates without
compromising the cipher.

------------------------------

From: "r.e.s." <[EMAIL PROTECTED]>
Subject: Re: digraph frequencies
Date: Wed, 1 Dec 1999 21:54:45 -0800

The stats for Dickens' _A Tale of Two Cities_
(586,747 letters) are at
http://www.arachnaut.org/archive/freq.html
(includes digraph & other data)

--
r.e.s.
[EMAIL PROTECTED]



------------------------------

From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: Elliptic Curve Public-Key Cryptography
Date: 2 Dec 1999 05:37:52 GMT

DJohn37050 <[EMAIL PROTECTED]> wrote:
> That is, having RW equivalent to factoring seems to mean that a break in RW
> will often be a total break.  Some advantage.

One more reason to actually read proofs. :-) 

Personally, I think the question "is RSA with e=3 equivalent to
factoring?" is very interesting. It's overshadowed in my mind
by the practical attacks already mentioned in this thread.
Fortunately we have OAEP as a good padding scheme to make these
attacks go away. 

Unfortunately, OAEP is "only" proved to resist such attacks in the random
oracle model. So how do you evaluate the random oracle assumption
vs. "RSA not equivalent to factoring" ? Do you care? How to weigh them,
and why with one more than the other?  

I guess a next question to ask is whether analogous attacks exist
for "elliptic curve cryptography", or more generally whether "elliptic
curve cryptography" is susceptible to things like chosen-ciphertext
attacks. Unfortunately this is nonsense without specifying the exact 
scheme which uses elliptic curves first. 

Are there "elliptic curve" systems for which chosen-ciphertext attacks
are known ? (or chosen-message attacks?) I'm sorry if this is a stupid
question; I should know more about EC. In particular, if it doesn't make
sense to ask about EC schemes distinctly, because I can just "drop in" EC
mult for modular mult, that'd be neat to know. 

Is there anything like Dan Boneh's "Twenty Years of Attacks on RSA" 
available for elliptic curve crypto yet ?

In any case, it seems that trying to compare cryptosystems (by which I
mean the primitive, the padding scheme, and maybe the protocol) by what
assumptions they require becomes very murky very quickly. At the same
time, it's at least as important to consider as questions of key length.

Thanks, 
-David Molnar

------------------------------

From: "r.e.s." <[EMAIL PROTECTED]>
Subject: Re: VIC cipher strength?
Date: Wed, 1 Dec 1999 22:45:36 -0800

I ("res") wrote:
The critical 10 digits serve to generate a "key sequence"
of digits used to key not only the straddling checkerboard,
but also two transpositions.  Those three stages (viz.,
substitution via straddling checkerboard, followed by the
two different transpositions), seem to be the essence of
the cipher.


"UBCHI2" <[EMAIL PROTECTED]> replied:
[...]
:  The Vic Cipher security, in my mind comes from the
: scrambling of the straddling checkerboard encryption.
:
: Thus my view that the 10 digit number could be replaced
: with a simpler, faster and equally secure method for
: determining the checkerboard coordinates without
: compromising the cipher.

The 50-digit "key sequence" generated from the critical
10 digits is needed in order to key all three stages.
(I don't see that it matters too much exactly which part
of that sequence is used to key which stage, as long as
they all get keyed.)

The three stages of the cipher are complementary.
The straddled checkerboard with keyed coordinates produces
"confusion" by substitution, while the two different types
of transposition (with keying of both the table-width and
the column-order) produce "diffusion".  It seems obvious
that together they are vastly stronger than any one stage
alone.

--
r.e.s.
[EMAIL PROTECTED]
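
The three stages r.e.s. describes (keyed straddling checkerboard, then two keyed transpositions) can be followed concretely. The code below is an added example, not code from either post, and it is deliberately simplified: the 50-digit key sequence derived from the 10 critical digits is not reproduced, the key digits are supplied directly and are made up, and both transposition stages are plain keyed columnar transpositions (the real cipher's second stage is a different type), each with its own width. The 28-symbol alphabet and the choice of which 8 letters sit on the single-digit row are constructed assumptions.

```python
# Constructed 28-symbol alphabet: the first 8 symbols get single-digit codes,
# the remaining 20 get two-digit codes on two rows prefixed by the row digits.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ./"


def build_checkerboard(top_digits, row_digits, alphabet=ALPHABET):
    """top_digits: the 8 digits used as single-digit codes (keyed x coordinates);
    row_digits: the 2 remaining digits, each prefixing a row of 10 symbols.
    Because row digits never stand alone, the code is prefix-free."""
    assert len(top_digits) == 8 and len(row_digits) == 2
    assert sorted(top_digits + row_digits) == list("0123456789")
    enc = dict(zip(alphabet[:8], top_digits))
    rest = alphabet[8:]
    for i, row in enumerate(row_digits):
        for ch, d in zip(rest[10 * i:10 * i + 10], "0123456789"):
            enc[ch] = row + d
    return enc


def checkerboard_encode(text, enc):
    return "".join(enc[ch] for ch in text)


def checkerboard_decode(digits, enc, row_digits):
    dec = {v: k for k, v in enc.items()}
    out, i = [], 0
    while i < len(digits):
        width = 2 if digits[i] in row_digits else 1
        out.append(dec[digits[i:i + width]])
        i += width
    return "".join(out)


def column_order(key_digits):
    """Read-out order of columns: lowest key digit first, ties left to right."""
    return sorted(range(len(key_digits)), key=lambda i: (key_digits[i], i))


def columnar_encrypt(s, key_digits):
    """Write s row by row into a table whose width is the key length, then read
    the columns out in key order. Width and column order are both keyed."""
    width = len(key_digits)
    rows = [s[i:i + width] for i in range(0, len(s), width)]
    return "".join("".join(row[c] for row in rows if c < len(row))
                   for c in column_order(key_digits))


def columnar_decrypt(s, key_digits):
    width = len(key_digits)
    nrows, rem = divmod(len(s), width)
    heights = [nrows + (1 if c < rem else 0) for c in range(width)]
    cols, pos = {}, 0
    for c in column_order(key_digits):
        cols[c] = s[pos:pos + heights[c]]
        pos += heights[c]
    total_rows = nrows + (1 if rem else 0)
    return "".join(cols[c][r] for r in range(total_rows)
                   for c in range(width) if r < heights[c])


def encrypt(plaintext, top, rows, key1, key2):
    enc = build_checkerboard(top, rows)
    digits = checkerboard_encode(plaintext, enc)          # substitution: confusion
    return columnar_encrypt(columnar_encrypt(digits, key1), key2)   # two transpositions: diffusion


def decrypt(ciphertext, top, rows, key1, key2):
    enc = build_checkerboard(top, rows)
    digits = columnar_decrypt(columnar_decrypt(ciphertext, key2), key1)
    return checkerboard_decode(digits, enc, rows)


if __name__ == "__main__":
    # Constructed key material: top-row digits, row digits, two transposition keys.
    TOP, ROWS, K1, K2 = "01245678", "39", "31452", "4132"
    ct = encrypt("ATTACKATDAWN", TOP, ROWS, K1, K2)
    print("ciphertext:", ct)
    print("round trip:", decrypt(ct, TOP, ROWS, K1, K2))
```

Running the substitution stage alone shows why the straddling matters: single-digit and two-digit codes interleave, so the digit string cannot be split into letters without knowing which digits are row prefixes. The transposition stages then move those digits apart, so a given letter's code no longer even sits in adjacent positions.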



------------------------------

From: [EMAIL PROTECTED] (Johnny Bravo)
Subject: Re: The $10,000.00 contesta
Date: Thu, 02 Dec 1999 02:04:43 GMT

On Thu, 02 Dec 1999 00:47:33 GMT, [EMAIL PROTECTED] (Bruce
Schneier) wrote:

>Thanks.
>
>It would be cool if someone could turn this into an attack.
>
>Bruce

  Wow, that's a hell of a lot of curiosity for you.  You'd be happy
seeing a successful attack on Twofish!  This is probably just in the
general sense that any successful attack on the final five would
probably have to be something really new or we would have seen it by
now, if it has to happen may it happen to one of the other four.
<grin>

  Best Wishes,
    Johnny Bravo


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
