Cryptography-Digest Digest #683, Volume #10       Sat, 4 Dec 99 23:13:01 EST

Contents:
  Re: Why Aren't Virtual Dice Adequate? (Tim Tyler)
  Re: NSA should do a cryptoanalysis of AES (Tim Tyler)
  Re: Any negative comments about Peekboo >> How to verify that promised algorithms are included (Dmitriy Morozov)
  Re: Why Aren't Virtual Dice Adequate? ("r.e.s.")
  Re: Random Noise Encryption Buffs (Look Here) (Brian Chase)
  Re: Why Aren't Virtual Dice Adequate? (Scott Nelson)
  Re: Simpson's Paradox and Quantum Entanglement (Brian Chase)
  Re: Distribution of intelligence in the crypto field (David A Molnar)
  Re: Elliptic Curve Public-Key Cryptography (DJohn37050)
  Re: What part of 'You need the key to know' don't you people get? (Brian Chase)
  Re: What part of 'You need the key to know' don't you people get? (Brian Chase)
  Re: Any negative comments about Peekboo >> How to verify that promised algorithms are included (Steve K)
  Re: more about the random number generator (William Rowden)
  Re: Quantum Computers and Weather Forecasting (Joseph Bartlo)
  Re: Quantum Computers and Weather Forecasting (Joseph Bartlo)

----------------------------------------------------------------------------

Crossposted-To: sci.math
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Why Aren't Virtual Dice Adequate?
Reply-To: [EMAIL PROTECTED]
Date: Sun, 5 Dec 1999 00:14:48 GMT

In sci.crypt Trevor Jackson, III <[EMAIL PROTECTED]> wrote:

: if such an attack were mounted against a fielded system, authentication is
: the least of the attendant problems.  Anyone who can obtain the plaintext
: of a OTP message is not going to betray that capability by forging a
: message to an alternate recipient. [...]

They /might/ do, if they know that they obtained the message they have by
a one-off set of circumstances, or if they think it is the last message,
or they believe that the forgery will not be detected, or if the risk of
discovery is worth the benefits the altered message may bring.
-- 
__________
 |im |yler  The Mandala Centre  http://www.mandala.co.uk/  [EMAIL PROTECTED]

Never call a man a fool.  Instead, borrow from him.

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: NSA should do a cryptoanalysis of AES
Reply-To: [EMAIL PROTECTED]
Date: Sun, 5 Dec 1999 00:31:38 GMT

wtshaw <[EMAIL PROTECTED]> wrote:
: In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:

:> Iron bars are also expensive.  If iron bars were free, and no more hassle
:> to lock and unlock than an ordinary door, I'm sure more people would use
:> them, even if the attack they are protecting against (a lockpicking 
:> attack) are not known to be common.

: Iron bars are cheap, and ugly.

OK.  I guess the problems are that they can't be unlocked from the
outside, they refuse to work as a latch, and are more effort than
necessary to lock, and aren't terribly child-friendly.

Consequently, as a minimum, you likely need a secure keyed lock as well.

Goodness knows where this leaves the analogy ;-)
-- 
__________
 |im |yler  The Mandala Centre  http://www.mandala.co.uk/  [EMAIL PROTECTED]

Microsoft announces EDLIN for windows.

------------------------------

From: [EMAIL PROTECTED] (Dmitriy Morozov)
Crossposted-To: alt.security.pgp
Subject: Re: Any negative comments about Peekboo >> How to verify that promised algorithms are included
Date: Sun, 05 Dec 1999 00:44:07 GMT

Thanks for the response, Steve. I appreciate the link.

--
Dmitriy Morozov
[EMAIL PROTECTED]

[EMAIL PROTECTED] (Steve K) wrote:

>I think many of these questions are answered by the observation that
>Peekboo is under active development; Tom has solicited help in both
>software development and cryptanalysis, on the Peekboo e-list.  
>
>For loads o' info on Peekboo's development to date, log in at
>
>http://www.egroups.com/register?url=/vote%3flistname%3dpeekboo%26m%3d1
>
>
>While it is certainly intended to work securely as is, Peekboo is
>still under development.  Tom has indicated a willingness to add
>developers to the Peekboo project, to make the source code easier to
>port across OS platforms, and to aid and abet cryptanalysis efforts.
>
>Of course this is just what I have read, and I can't speak for Tom.  

------------------------------

From: "r.e.s." <[EMAIL PROTECTED]>
Crossposted-To: sci.math
Subject: Re: Why Aren't Virtual Dice Adequate?
Date: Sat, 4 Dec 1999 17:02:13 -0800

"Guy Macon" <[EMAIL PROTECTED]> wrote ...
: [EMAIL PROTECTED] (r.e.s.) wrote:
: >The point under discussion in the thread is that a "pure OTP" is
: >*not* secure when used to send identical plaintext to two different
                              NOTE^^^^^^^^^^^^^^^^^^^
: >recipients, because it may compromise the key of one of them.  Any
: >addition or change to the OTP, serving to remedy this, will result
: >in something other than a "pure OTP".
:
: I must be missing something here (probably a lack on my part).
: Let's say that A uses pure OTP to send identical plaintext to B and C.
: A has a large random pad labeled [A->B] and another labeled [A->C].
: B has an identical copy of pad [A->B] that was securely transferred.
: C has an identical copy of pad [A->C] that was securely transferred.
: ATTACKER can monitor or modify all communication between A, B, and C.
: ATTACKER knows everything except the actual values of the pads or
: the plaintext. Given these assumptions, ATTACKER cannot decode the
: plaintext or insert his own message and have it correctly decoded.
:
: Now let's say that ATTACKER finds out what the plaintext is before
: it is sent to B  (maybe from A, maybe from C).  Under *any* crypto
: system he will have "decoded" the message to B.  In the case of
: pure OTP he can stop the real message to B and insert his own.
:
: Knowing this, A never sends identical messages.

It would be smart of him not to, but the scenario asked about
earlier in the thread, and the only one I've been discussing
in this exchange, is one in which he does so (perhaps through
some trickery by an agent?).
--
r.e.s.
[EMAIL PROTECTED]




------------------------------

From: [EMAIL PROTECTED] (Brian Chase)
Subject: Re: Random Noise Encryption Buffs (Look Here)
Date: Sun, 5 Dec 1999 01:26:28 GMT

In article <[EMAIL PROTECTED]>,
Trevor Jackson, III <[EMAIL PROTECTED]> wrote:

> Anthropologists have observed that all societies have processes that are
> based on the "urge to explain".  These urges are supposed to be the
> source of religious institutions and of  "natural philosophy".  It's not
> hard to use the same desire for understanding to explain why people
> might resist admitting the inexplicable, unsolvable, or unpredictable
> into their world view.

If there's no true randomness though, then there's nothing which isn't
predestined.  Therefore, there is no free will.  Me, I'd much rather live
in a Universe where there are unpredictable things, because that means
there's some hope that I can make my own choices. :-)

I also sort of like the idea that all atoms are in all of their possible
states until they're observed.  I like to think this translates into our
universe being in an infinite number of states all at once. 

-brian.
-- 
--- Brian Chase | [EMAIL PROTECTED] | http://world.std.com/~bdc/ -----
     "The Net treats censorship as damage and routes around it." 
         -- John Gilmore

------------------------------

From: [EMAIL PROTECTED] (Scott Nelson)
Crossposted-To: sci.math
Subject: Re: Why Aren't Virtual Dice Adequate?
Reply-To: [EMAIL PROTECTED]
Date: Sun, 05 Dec 1999 02:22:39 GMT

On Sat, 4 Dec 1999, "r.e.s." <[EMAIL PROTECTED]> wrote:

>"Guy Macon" <[EMAIL PROTECTED]> wrote ...
>: [EMAIL PROTECTED] (r.e.s.) wrote:
>: >The point under discussion in the thread is that a "pure OTP" is
>: >*not* secure when used to send identical plaintext to two different
>                              NOTE^^^^^^^^^^^^^^^^^^^
>: >recipients, because it may compromise the key of one of them.  Any
>: >addition or change to the OTP, serving to remedy this, will result
>: >in something other than a "pure OTP".
>:
>: I must be missing something here (probably a lack on my part).
>: Let's say that A uses pure OTP to send identical plaintext to B and C.
>: A has a large random pad labeled [A->B] and another labeled [A->C].
>: B has an identical copy of pad [A->B] that was securely transferred.
>: C has an identical copy of pad [A->C] that was securely transferred.
>: ATTACKER can monitor or modify all communication between A, B, and C.
>: ATTACKER knows everything except the actual values of the pads or
>: the plaintext. Given these assumptions, ATTACKER cannot decode the
>: plaintext or insert his own message and have it correctly decoded.
>:
>: Now let's say that ATTACKER finds out what the plaintext is before
>: it is sent to B  (maybe from A, maybe from C).  Under *any* crypto
>: system he will have "decoded" the message to B.  In the case of
>: pure OTP he can stop the real message to B and insert his own.
>:
>: Knowing this, A never sends identical messages.
>
>It would be smart of him not to, but the scenario asked about
>earlier in the thread, and the only one I've been discussing
>in this exchange, is one in which he does so (perhaps through
>some trickery by an agent?).

That two identical messages scenario has been bothering 
me for a while now.  How about this one:

Mallet opens an account at Second National Bank, 
which sends branch transactions encrypted with OTP.
He deposits a tiny amount of cash in a branch office, 
and intercepts the next message sent to the main office.
He can't read the message, but he knows it's his
deposit transaction so he modifies the byte 
corresponding to the most significant digit
of his deposit, and passes the modified message on to 
the main office.  Then he goes to the main office
and withdraws all the money he just "deposited."

Scott Nelson <[EMAIL PROTECTED]>
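Guy Macon's two-recipient case and the bank deposit case above rest on the same property: a pure OTP is plain XOR, so it hides the content but provides no integrity. The following is an added example, not code from any poster, using a constructed deposit record and random pads: the digit change goes through undetected, the pad prefix falls out once the plaintext is known from the other recipient, and an HMAC over the ciphertext catches the tampering (at the cost of extra keyed material, which is exactly why it is no longer a "pure" OTP).

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

def otp_xor(pad: bytes, data: bytes) -> bytes:
    """Pure OTP: XOR with a never-reused pad; encryption and decryption are the same op."""
    if len(pad) < len(data):
        raise ValueError("pad exhausted; a one-time pad is never reused")
    return bytes(d ^ k for d, k in zip(data, pad))

def tamper_digit(ct: bytes, offset: int, old: str, new: str) -> bytes:
    """Bank scenario: the byte at `offset` is known from context (not by reading it)
    to carry one decimal digit of the amount. XOR is linear, so XOR-ing that byte
    with old^new changes the decrypted digit without any knowledge of the pad."""
    out = bytearray(ct)
    out[offset] ^= ord(old) ^ ord(new)
    return bytes(out)

def recover_pad_prefix(ct: bytes, known_plaintext: bytes) -> bytes:
    """Two-recipient scenario: the ciphertext to B plus the plaintext learned from C
    yields the pad bytes A spent on B, by the same XOR."""
    return otp_xor(ct[: len(known_plaintext)], known_plaintext)

def seal(pad: bytes, mac_key: bytes, msg: bytes) -> Tuple[bytes, bytes]:
    """OTP plus HMAC-SHA256 over the ciphertext. The MAC key is extra keyed
    material, so this is no longer a 'pure' OTP (r.e.s.'s point above)."""
    ct = otp_xor(pad, msg)
    return ct, hmac.new(mac_key, ct, hashlib.sha256).digest()

def open_sealed(pad: bytes, mac_key: bytes, ct: bytes, tag: bytes) -> Optional[bytes]:
    """Verify in constant time before decrypting; None means the ciphertext was altered."""
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return otp_xor(pad, ct)

def demo() -> dict:
    # Constructed sample branch-to-head-office record; the amount starts at byte 16.
    msg = b"DEPOSIT acct=42 0010.00 USD"
    offset = msg.index(b"0010.00")        # most significant digit of the amount
    pad = secrets.token_bytes(64)
    mac_key = secrets.token_bytes(32)

    # 1. Pure OTP: the altered ciphertext decrypts cleanly to a larger deposit.
    ct = otp_xor(pad, msg)
    malleable = otp_xor(pad, tamper_digit(ct, offset, "0", "9"))

    # 2. Same ciphertext, plaintext known from recipient C: the pad prefix falls out.
    pad_recovered = recover_pad_prefix(ct, msg) == pad[: len(msg)]

    # 3. OTP + MAC on a fresh pad: identical tampering is rejected, the genuine record opens.
    pad2 = secrets.token_bytes(64)
    ct2, tag = seal(pad2, mac_key, msg)
    genuine = open_sealed(pad2, mac_key, ct2, tag)
    detected = open_sealed(pad2, mac_key, tamper_digit(ct2, offset, "0", "9"), tag) is None
    return {"malleable": malleable, "pad_recovered": pad_recovered,
            "genuine": genuine, "detected": detected}
```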

------------------------------

Crossposted-To: comp.ai.fuzzy,sci.physics,sci.math
From: [EMAIL PROTECTED] (Brian Chase)
Subject: Re: Simpson's Paradox and Quantum Entanglement
Date: Sun, 5 Dec 1999 02:21:43 GMT

In article <[EMAIL PROTECTED]>,
John R Ramsden <[EMAIL PROTECTED]> wrote:
>"Bob Greer" <[EMAIL PROTECTED]> wrote:
>> karl malbrain wrote in message ...

>> > Simpson's description of VINGH as a SUBJECTIVE/OBJECTIVE problem -- WHO is
>> > trying to change ownership of WHAT property for their SINGULAR benefit.
>> > HISTORY is a MAJORITY subject.

>> "I love Big Brother."

> Imagine what he must sound like talking! I picture him thumping the
> table at each uppercase word.
       ^
 with his head

-brian.
-- 
--- Brian Chase | [EMAIL PROTECTED] | http://world.std.com/~bdc/ -----
     "The Net treats censorship as damage and routes around it." 
         -- John Gilmore

------------------------------

From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: Distribution of intelligence in the crypto field
Date: 5 Dec 1999 02:09:41 GMT

CLSV <[EMAIL PROTECTED]> wrote:
> A strange bit of information from the CV of
> Gian-Carlo Rota:

You would expect the NSA to ask the "father of combinatorics" to 
work on their problems, wouldn't you ?

> http://www-math.mit.edu/~rota/cv.txt

> Security Clearances:

> Top Secret  Clearance (Air Force) 1969-1971.
> Q - Clearance (DOE), 1966-.
> SI - Clearance (NSA), 1981-.

> Regards,

>       CLSV

------------------------------

From: [EMAIL PROTECTED] (DJohn37050)
Subject: Re: Elliptic Curve Public-Key Cryptography
Date: 05 Dec 1999 02:46:00 GMT

>Subject: Re: Elliptic Curve Public-Key Cryptography
>From: [EMAIL PROTECTED]  (Bodo Moeller)
>Date: Sat, 04 December 1999 05:29 PM EST
>Message-id: <82c4kc$3ts$[EMAIL PROTECTED]>
>
>DJohn37050 <[EMAIL PROTECTED]>:
>
>> [...]  When e = 3, one knows half the bits of the private exponent.
>> This does not allow an attack by itself, but could be used to
>> synchronize a power attack, for example.
>> [...]  If the private key is encrypted using a symmetric cipher,
>> this means I give the adversary some known plaintext/ciphertext
>> pairs, this is undesirable.
>
>There is no need to store  d  or to use it for decryption; using the
>Chinese Remainder Theorem,  all you need is the factors   p, q
>and  d's  residues modulo  p - 1  and modulo  q - 1.
>Many implementations keep  d  around with the rationale that it can be
>computed from the other numbers, anyway; if the known plaintext in the
>upper part of  d  is considered a problem, then it's an implementation
>problem, not an inherent problem of small-exponent RSA.
>
The point is not that it cannot be addressed or maybe is already inadvertently
addressed.  The point is that now you are getting into implementation details
with a kicker that says if you have d or implement using d, then there may be
concerns, but almost no one thinks of that.  An adversary attacks a specific
system with specific quirks.
Don Johnson
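Added example (not code from either poster) of the two points above: for e = 3 the upper half of d is predictable from the public key alone, and the CRT form (p, q, dP, dQ, qInv) decrypts without d ever being stored. It assumes a constructed toy key built from two well-known 30-bit primes and Python 3.8+ for pow(x, -1, m).

```python
from math import gcd
from typing import Tuple

# Constructed toy key from two well-known 30-bit primes; far too small for real use,
# but large enough to see the effect. Both are 2 mod 3, so e = 3 is usable.
P = 1000000007
Q = 998244353
E = 3

def private_exponent(p: int, q: int, e: int) -> int:
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible modulo phi(N)")
    return pow(e, -1, phi)                 # modular inverse, Python 3.8+

def guess_d_high_bits(n: int, e: int) -> list:
    """From e*d = 1 + k*phi(N) and phi(N) = N - (p+q-1): for the right k in 1..e-1 the
    candidate (k*N+1)//e exceeds d by only k*(p+q-1)/e, a number with about half as
    many bits as N, so that candidate shares its upper half with d. Only N and e are used."""
    return [(k * n + 1) // e for k in range(1, e)]

def common_leading_bits(a: int, b: int) -> int:
    """Equal leading bits when both are written at the width of the wider value."""
    width = max(a.bit_length(), b.bit_length())
    return width - (a ^ b).bit_length()

def crt_private_key(p: int, q: int, e: int) -> Tuple[int, int, int]:
    """Bodo Moeller's alternative: keep (dP, dQ, qInv) with the factors. d itself need
    never exist on disk, so its predictable upper half is not sitting in an encrypted
    key file as known plaintext."""
    return pow(e, -1, p - 1), pow(e, -1, q - 1), pow(q, -1, p)

def crt_decrypt(c: int, p: int, q: int, dp: int, dq: int, qinv: int) -> int:
    """Garner's recombination: two half-size exponentiations, no use of d."""
    m1 = pow(c, dp, p)
    m2 = pow(c, dq, q)
    h = (qinv * (m1 - m2)) % p
    return m2 + h * q

def demo() -> dict:
    n = P * Q
    d = private_exponent(P, Q, E)
    known = max(common_leading_bits(d, g) for g in guess_d_high_bits(n, E))
    m = 123456789                          # constructed message, m < N
    c = pow(m, E, n)
    dp, dq, qinv = crt_private_key(P, Q, E)
    return {"d_bits": d.bit_length(), "known_leading_bits": known,
            "plain_d_ok": pow(c, d, n) == m,
            "crt_ok": crt_decrypt(c, P, Q, dp, dq, qinv) == m}
```

With this key d has 60 bits and the k = 2 candidate matches its top 29, which is the "half the bits" of the post; nothing secret went into computing the candidate.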

------------------------------

From: [EMAIL PROTECTED] (Brian Chase)
Subject: Re: What part of 'You need the key to know' don't you people get?
Date: Sun, 5 Dec 1999 02:45:53 GMT

In article <[EMAIL PROTECTED]>,
wtshaw <[EMAIL PROTECTED]> wrote:
>In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Brian Chase) wrote:

>> I think it's true that there is no proof that it's easier to crack with
>> the additional blocks, but it's certainly not harder with more blocks.
>> 
>Additional blocks mean more overhead, making things more difficult for the
>analyst, a precious goal.  There is proof that additional blocks may be
>required for solving some ciphers, as a lesser amount maybe indeterminate.

Ah, yes.  My use of "harder" is subjective. :-) I'd agree that performing
cryptanalysis using more blocks might very well require more time, so it's
possible that even though the additional blocks provide the necessary
information to crack the encryption, it may not be feasible to do so in
a timely manner.  That is one way a problem can be considered to be hard.

-brian.
-- 
--- Brian Chase | [EMAIL PROTECTED] | http://world.std.com/~bdc/ -----
     "The Net treats censorship as damage and routes around it." 
         -- John Gilmore

------------------------------

From: [EMAIL PROTECTED] (Brian Chase)
Subject: Re: What part of 'You need the key to know' don't you people get?
Date: Sun, 5 Dec 1999 03:20:58 GMT

In article <[EMAIL PROTECTED]>,
Johnny Bravo <[EMAIL PROTECTED]> wrote:
>On Wed, 1 Dec 1999 07:35:03 GMT, [EMAIL PROTECTED] (Brian Chase)
>wrote:
>
>>I think what I'm finding most disturbing, if not just outright disgusting,
>>is how quickly disregarded are Scott's challenges to the conventions of
>>the cryptology community.  Sure he's an asshole, but as a community is it
>>not true that we don't conclusively know how secure the contemporary
>>algorithms are?
>
>  Correct, however walking into a community and calling everyone
>names, and insinuating that all the other people in the community are
>idiots but he alone knows the one true knowledge is not going to get
>you accepted in the community.

I guess I'm not arguing for his acceptance.  He's not a friendly guy, but
I think mean crazy people can be highly intelligent.  Scott certainly
insults a lot of people for reasons I can't even begin to understand.  I'd
look at him as a competitor, an opponent, or even an outright enemy.

That model seemed to work pretty well at motivating us when we were at
odds with Nazi Germany, and later the Soviet Union.  I'm not intending to
quite put David Scott in the same category as either of those opponents,
but rather I'm just pointing out that working against someone is as viable
(if not more viable) of a way to make progress as working with someone.
I guess that depends on whether human nature is more fundamentally
competitive than it is cooperative. 

>>You've got someone who's flying smack in the face of your beliefs and you
>>aren't challenging him by trying to prove he's wrong through mathematical
>>rigor.  
>
>  The burden of proof is on the claimant.  If he has a point to make, it
>is up to him to prove he is right, it is not up to us to prove him
>wrong. 

I'll have to agree with you here.  It is Scott's responsibility to prove
there are grave weaknesses in the current block ciphers.  My intuition is
that he's right, so you could also argue that I should try to prove their
weakness too.  I guess I have some serious reading to get done. :-)

Actually, I think the whole field of cryptology becomes a lot more
interesting if you just assume that the NSA or the Chinese Government or
whomever has already broken all the block based ciphers... or even all
computationally hard ciphers.  (Not that I believe that's true).

This pretty much leaves you with OTP and trying to come up with ingenious
ways to implement it securely.  I mean, if we can figure out that along
with ways to create "OTP-equivalent" ciphers that address the varied
applications we have for encrypted data, wouldn't that sort of be the
ultimate solution?  (Not that I believe this would be easy or even
entirely possible).

If quantum computing becomes a reality, all this mathematically hard stuff
we're dealing with now is sort of a waste of time right?  Well, assuming
that you're trying to keep information secure from those people with
access to QC technology. 

-brian.
-- 
--- Brian Chase | [EMAIL PROTECTED] | http://world.std.com/~bdc/ -----
     "The Net treats censorship as damage and routes around it." 
         -- John Gilmore

------------------------------

From: [EMAIL PROTECTED] (Steve K)
Crossposted-To: alt.security.pgp
Subject: Re: Any negative comments about Peekboo >> How to verify that promised algorithms are included
Date: Sun, 05 Dec 1999 03:33:52 GMT

On Sun, 05 Dec 1999 00:44:07 GMT, [EMAIL PROTECTED] (Dmitriy
Morozov) wrote:

>Thanks for the response, Steve. I appreciate the link.

Glad to help the good cause!


Steve K

---Continuing freedom of speech brought to you by---
   http://www.eff.org/   http://www.epic.org/  
               http://www.cdt.org/

------------------------------

From: William Rowden <[EMAIL PROTECTED]>
Subject: Re: more about the random number generator
Date: Sun, 05 Dec 1999 03:25:08 GMT

In article <8284e7$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (Guy Macon) wrote:
> If a random string has one of all possible values, there is a
> very tiny chance that it will randomly come up with all zeros
> or all ones.

Isn't there a difference between a random *source* and an
incompressible *string*?  (Douglas A. Gwyn, are you following this
thread?)

--
    -William
SPAM filtered; damages claimed for UCE according to RCW19.86
PGP key: http://www.eskimo.com/~rowdenw/pgp/rowdenw.asc until 2000-08-01
Fingerprint: FB4B E2CD 25AF 95E5 ADBB  DA28 379D 47DB 599E 0B1A



------------------------------

From: Joseph Bartlo <[EMAIL PROTECTED]>
Crossposted-To: sci.physics,sci.geo.meteorology
Subject: Re: Quantum Computers and Weather Forecasting
Date: Sat, 04 Dec 1999 23:03:22 -0500

John Savard wrote:

> My site doesn't really address the topic of this post, however I
> flatter myself to think that it _is_ an interesting site none the
> less.

I won't interfere with your attempt <at> minimizing your accomplishments
and interesting site then<dot>  Though as I previously mentioned<comma>
I doubt as a meteorologist (quality of which I won't likewise minimize
<comma> though some people try extraordinarily hard doing so <dash> so
what does that imply <question mark>) the potential value of the technique
presented<dot>  Though we speak of state variables and the state equation
<comma> its consideration of a series of statistical states does not
adequately consider the dynamics causing evolution of such states<dot>
Lest you are unaware<comma> equations for modeling the atmosphere are
far from perfect<dot>  You quantum physics types are so familiar with
measuring attributes of subatomic particles that you seemingly have
difficulty understanding that meteorologists sometimes do things like
neglect diabatic heating in a model or process in which it occurs, and
use crude parameterizations representing the effects of processes not
of molecular scale but that of (U<dot>S<dot>) state counties<dot>
Because of such<comma> though previous <and> initial states match well
<dot> different processes than that which caused those to match may
quite likely be responsible for future ones to match in both the
atmosphere <and> the model<dot>

Perhaps a good analogy for your technique's applicability to weather
forecasting is the following statement <colon>

Infinity is the numerical equivalent of the physical speed of light<dot>

What do you think about that <question>

Yet don<apostrophy>t let this prevent you from pursuing the idea <dash>
my meteorological intuition is not good regarding this<dot>

Joseph

http://www.voicenet.com/~jbartlo

------------------------------

From: Joseph Bartlo <[EMAIL PROTECTED]>
Crossposted-To: sci.physics,sci.geo.meteorology
Subject: Re: Quantum Computers and Weather Forecasting
Date: Sat, 04 Dec 1999 23:07:24 -0500

Joseph Bartlo wrote:

> I won't interfere with your attempt <at> minimizing your accomplishments

Correction :

I won<apostrophy>t interfere with your attempt <at> minimizing your
accomplishments <smiley>

Joseph

http://www.voicenet.com/~jbartlo

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
