Cryptography-Digest Digest #684, Volume #10 Sun, 5 Dec 99 02:13:01 EST
Contents:
Re: Quantum Computers and Weather Forecasting (Joseph Bartlo)
Re: Why Aren't Virtual Dice Adequate? ("Douglas A. Gwyn")
Re: NSA should do a cryptoanalysis of AES ("Douglas A. Gwyn")
Re: Why Aren't Virtual Dice Adequate? (Johnny Bravo)
Re: NSA should do a cryptoanalysis of AES, What Pi has taught us ("Douglas A. Gwyn")
Re: NSA should do a cryptoanalysis of AES ("Douglas A. Gwyn")
Re: Random Noise Encryption Buffs (Look Here) ("Douglas A. Gwyn")
Re: Distribution of intelligence in the crypto field ("Douglas A. Gwyn")
--- sci.crypt charter: read before you post (weekly notice) (D. J. Bernstein)
Re: Why Aren't Virtual Dice Adequate? (Scott Nelson)
Re: What part of 'You need the key to know' don't you people get? ("Douglas A. Gwyn")
Re: Why Aren't Virtual Dice Adequate? ("Trevor Jackson, III")
Re: more about the random number generator ("Douglas A. Gwyn")
Re: Why Aren't Virtual Dice Adequate? ("r.e.s.")
Re: Why Aren't Virtual Dice Adequate? ("r.e.s.")
Re: Quantum Computers and Weather Forecasting ("Trevor Jackson, III")
Re: 1 round Defeats Enigma attacks (Mike Field)
Re: Encrypting short blocks (Volker Hetzer)
Help ([EMAIL PROTECTED])
Re: more about the random number generator (Brian Chase)
Re: 1 round Defeats Enigma attacks (JTong1995)
Re: more about the random number generator (Brian Chase)
----------------------------------------------------------------------------
From: Joseph Bartlo <[EMAIL PROTECTED]>
Crossposted-To: sci.physics,sci.geo.meteorology
Subject: Re: Quantum Computers and Weather Forecasting
Date: Sat, 04 Dec 1999 23:15:37 -0500
Another correction <colon>
Joseph Bartlo wrote :
> I doubt as a meteorologist (quality of which I won't likewise minimize
Should be <colon>
I doubt as a meteorologist (quality of which I won<apostrophy>t likewise
minimize
Geez <dash> this game of trying to confuse other people can be tough
<dot><dot><dot>
Joseph
http<colon><forward slash><forward slash>www<dot>voicenet<dot>com
<foward slash><tilda>jbartlo
[EMAIL PROTECTED]
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Crossposted-To: sci.math
Subject: Re: Why Aren't Virtual Dice Adequate?
Date: Sun, 05 Dec 1999 05:19:18 GMT
Scott Nelson wrote:
> He can't read the message, but he knows it's his
> deposit transaction so he modifies the byte
> corresponding to the most significant digit
> of his deposit, and passes the modified message on to
> the main office. Then he goes to the main office
> and withdraws all the money he just "deposited."
That's why such transactions should include a secure hash
(message digest) or other means of authentication.
It again points out a vulnerability of Key Generator systems,
which I've mentioned before. You really ought not to use a
cryptosystem that allows recovery of the key via known PT.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: NSA should do a cryptoanalysis of AES
Date: Sun, 05 Dec 1999 05:25:01 GMT
"Douglas A. Gwyn" wrote:
> ... Similarly for one-on-one compression, which at
> best foils brute-force key searching, which should not be
> feasible for any good system anyway.
I should point out that this was specifically addressing the
"one-on-one" aspect; precompression in general does foil more
sophisticated cryptanalytic attacks by reducing the statistical
clues that might otherwise "shine through" the encryption.
------------------------------
From: [EMAIL PROTECTED] (Johnny Bravo)
Crossposted-To: sci.math
Subject: Re: Why Aren't Virtual Dice Adequate?
Date: Sun, 05 Dec 1999 00:28:00 GMT
On Sun, 05 Dec 1999 02:22:39 GMT, [EMAIL PROTECTED] (Scott Nelson)
wrote:
>Mallet opens an account at Second National Bank,
>which sends branch transactions encrypted with OTP.
>He deposits a tiny amount of cash in a branch office,
>and intercepts the next message sent to the main office.
>He can't read the message, but he knows it's his
>deposit transaction so he modifies the byte
>corresponding to the most significant digit
>of his deposit, and passes the modified message on to
>the main office. Then he goes to the main office
>and withdraws all the money he just "deposited."
The main office reads the message digest at the end of the message,
notices that the message has an error and sends a message back to the
branch office to retransmit the message.
Mr Mallet goes to the main office and withdraws all his money, the
exact same amount he started with. They apologize that they aren't
meeting his banking needs and wish him a nice day.
Just because an OTP allows a bit flipping attack doesn't mean you
can't protect against it via other means without reducing the security
of the OTP.
Best Wishes,
Johnny Bravo
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: NSA should do a cryptoanalysis of AES, What Pi has taught us
Date: Sun, 05 Dec 1999 05:38:33 GMT
albert wrote:
> ... As soon as you think of an idea that is revolutionary, somewhere
> else in the world, someone at the same moment has thought of the
> same thing. It happened with Calculus, with key whitening etc. ...
Just because it occurs occasionally, doesn't mean that it always
occurs.
> If this holds true for crypto, then anytime the NSA thinks up an
> attack, someone in the public sector will think of the same attack
> as well.
NSA and company (IDA/CRD etc.) invented many cryptanalytic
methods, dating back several decades in some cases, that
haven't yet been reinvented on the outside.
> If we know that the NSA broke an algorithm, it would be in their
> best interest to share that information; because as much resources
> as they have, they cannot beat distributed knowledge.
Bzzzt! Wrong! Thank you for playing.
> From WWII this is what I learned: It took the world banding together
> to defeat Germany; it shows that it takes quite a huge amount of
> resources to compete with someone who is bent on a certain task; as
> in Axis vs. Allies. So it would take quite a bit of public resources
> combined to equal that of the NSA. But as shown by WWII, it can be
> done.
What would be the coordinating agency? Your analogy is weak.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: NSA should do a cryptoanalysis of AES
Date: Sun, 05 Dec 1999 05:49:00 GMT
Tim Tyler wrote:
> Iron bars are also expensive.
Don't stretch the analogy. The point was that adding security
to an already safe-enough area is a waste of effort and resources.
D.Scott asked for my opinion of why people were not paying much
attention to his ideas, and I explained why I thought that was so
(apart from their reaction to his style, which is another factor).
I don't want to enter into interminable debate on this. I've
already said I think there is technical merit in some of his ideas.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Random Noise Encryption Buffs (Look Here)
Date: Sun, 05 Dec 1999 05:57:18 GMT
Tim Tyler wrote:
> Whereas your position appears to be based on faith in the existence of
> genuine randomness in subatomic behaviour, and in our ability to
> magnify this up to a macroscopic scale, without distorting it at all.
Do you know about SQUIDs? Photomultipliers? Etc.?
Why are you wasting bandwidth arguing about quantum effects
when you don't understand the subject? Go learn it first!
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Distribution of intelligence in the crypto field
Date: Sun, 05 Dec 1999 06:03:17 GMT
David A Molnar wrote:
> You would expect the NSA to ask the "father of combinatorics" to
> work on their problems, wouldn't you ?
Yeah, but he really ought not to be listing his clearances on a
public forum. For one thing, it makes him a target for anyone
who might want to exploit his access to nuclear and other
sensitive material, terrorists for example.
------------------------------
From: [EMAIL PROTECTED] (D. J. Bernstein)
Crossposted-To: talk.politics.crypto
Subject: --- sci.crypt charter: read before you post (weekly notice)
Date: 5 Dec 1999 06:00:06 GMT
sci.crypt Different methods of data en/decryption.
sci.crypt.research Cryptography, cryptanalysis, and related issues.
talk.politics.crypto The relation between cryptography and government.
The Cryptography FAQ is posted to sci.crypt and talk.politics.crypto
every three weeks. You should read it before posting to either group.
A common myth is that sci.crypt is USENET's catch-all crypto newsgroup.
It is not. It is reserved for discussion of the _science_ of cryptology,
including cryptography, cryptanalysis, and related topics such as
one-way hash functions.
Use talk.politics.crypto for the _politics_ of cryptography, including
Clipper, Digital Telephony, NSA, RSADSI, the distribution of RC4, and
export controls.
What if you want to post an article which is neither pure science nor
pure politics? Go for talk.politics.crypto. Political discussions are
naturally free-ranging, and can easily include scientific articles. But
sci.crypt is much more limited: it has no room for politics.
It's appropriate to post (or at least cross-post) Clipper discussions to
alt.privacy.clipper, which should become talk.politics.crypto.clipper at
some point.
There are now several PGP newsgroups. Try comp.security.pgp.resources if
you want to find PGP, c.s.pgp.tech if you want to set it up and use it,
and c.s.pgp.discuss for other PGP-related questions.
Questions about microfilm and smuggling and other non-cryptographic
``spy stuff'' don't belong in sci.crypt. Try alt.security.
Other relevant newsgroups: misc.legal.computing, comp.org.eff.talk,
comp.org.cpsr.talk, alt.politics.org.nsa, comp.patents, sci.math,
comp.compression, comp.security.misc.
Here's the sci.crypt.research charter: ``The discussion of cryptography,
cryptanalysis, and related issues, in a more civilised environment than
is currently provided by sci.crypt.'' If you want to submit something to
the moderators, try [EMAIL PROTECTED]
---Dan
------------------------------
From: [EMAIL PROTECTED] (Scott Nelson)
Crossposted-To: sci.math
Subject: Re: Why Aren't Virtual Dice Adequate?
Reply-To: [EMAIL PROTECTED]
Date: Sun, 05 Dec 1999 06:15:14 GMT
On Sun, 05 Dec 1999, [EMAIL PROTECTED] (Johnny Bravo) wrote:
>On Sun, 05 Dec 1999 02:22:39 GMT, [EMAIL PROTECTED] (Scott Nelson)
>wrote:
>
>>Mallet opens an account at Second National Bank,
>>which sends branch transactions encrypted with OTP.
>>He deposits a tiny amount of cash in a branch office,
>>and intercepts the next message sent to the main office.
>>He can't read the message, but he knows it's his
>>deposit transaction so he modifies the byte
>>corresponding to the most significant digit
>>of his deposit, and passes the modified message on to
>>the main office. Then he goes to the main office
>>and withdraws all the money he just "deposited."
>
> The main office reads the message digest at the end of the message,
>notices that the message has an error and sends a message back to the
>branch office to retransmit the message.
> Mr Mallet goes to the main office and withdraws all his money, the
>exact same amount he started with. They apologize that they aren't
>meeting his banking needs and wish him a nice day.
> Just because an OTP allows a bit flipping attack doesn't mean you
>can't protect against it via other means without reducing the security
>of the OTP.
>
Careful, unless that message digest includes some never
transmitted bits, Mallet can construct a new one.
The real problem is, since Mallet knows the plain-text,
he can recover the One Time Pad key bits used to send "his" message.
With the key, he can spoof any message he likes.
This is a fundamental weakness of many stream ciphers,
including the One Time Pad.
Scott Nelson <[EMAIL PROTECTED]>
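The deposit scenario above, worked through as an added example (my code, not anything posted in the thread). It uses a constructed transaction and a random pad, and checks three ways of finishing the message: bare OTP, OTP over message plus an unkeyed SHA-256 digest, and OTP over message plus a digest keyed with pad bytes that are consumed but never transmitted. HMAC-SHA256 as the keyed digest is my choice; the thread only asks for "some never transmitted bits" in the digest.

```python
"""Added example, not code from the thread: the bank-deposit scenario under a
one-time pad, with three ways of finishing the message.

Constructed plaintext and a random pad.  Mallet knows the plaintext of his own
deposit, so ciphertext XOR plaintext hands him the pad bytes that covered it.
  bare    - message only: he re-encrypts a tampered amount and it is accepted.
  sha256  - message || SHA-256(message): he recomputes the digest too, because
            it depends only on bytes he already knows, and it is accepted.
  keyed   - message || HMAC_k(message) with k taken from pad bytes that are
            consumed but never transmitted: the tampered message is rejected.
HMAC-SHA256 as the keyed digest is my choice (assumption); the thread only asks
for a digest that includes never-transmitted bits.
"""
import hashlib
import hmac
import secrets

MSG = b"DEPOSIT acct=MALLET amt=0001"   # constructed sample transaction
TAG_LEN = 32                            # SHA-256 / HMAC-SHA256 output size
PAD_LEN = len(MSG) + 2 * TAG_LEN        # message + tag + reserved tag key


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def send(pad: bytes, msg: bytes, tag_fn) -> bytes:
    """Encrypt msg || tag_fn(msg) under the pad."""
    body = msg + tag_fn(msg)
    return xor(body, pad[:len(body)])


def receive(pad: bytes, ct: bytes, tag_fn):
    """Decrypt, split off the tag, and verify it.  Returns (accepted, msg)."""
    pt = xor(ct, pad[:len(ct)])
    tl = len(tag_fn(b""))
    msg, tag = pt[:len(pt) - tl], pt[len(pt) - tl:]
    return hmac.compare_digest(tag_fn(msg), tag), msg


def tamper_amount(msg: bytes) -> bytes:
    """Change the most significant digit of the amount, as in the thread."""
    i = msg.index(b"amt=") + 4
    return msg[:i] + b"9" + msg[i + 1:]


def mallet(ct: bytes, known_msg: bytes, tag_fn_guess) -> bytes:
    """Known plaintext -> pad bytes -> re-encrypt a tampered message.

    tag_fn_guess is whatever Mallet can compute by himself; None means the
    tag is keyed with bits he never sees, so he can only recover the pad
    under the message and must leave the tag bytes as transmitted.
    """
    forged = tamper_amount(known_msg)
    if tag_fn_guess is None:
        pad_under_msg = xor(ct[:len(known_msg)], known_msg)
        return xor(forged, pad_under_msg) + ct[len(known_msg):]
    body = known_msg + tag_fn_guess(known_msg)
    pad = xor(ct, body)
    return xor(forged + tag_fn_guess(forged), pad)


def run(pad=None) -> dict:
    pad = pad if pad is not None else secrets.token_bytes(PAD_LEN)
    no_tag = lambda m: b""
    sha = lambda m: hashlib.sha256(m).digest()
    # Tag key: the pad bytes after message and tag; consumed, never sent.
    key = pad[len(MSG) + TAG_LEN:len(MSG) + 2 * TAG_LEN]
    mac = lambda m: hmac.new(key, m, hashlib.sha256).digest()

    results = {}
    for name, tag_fn, guess in (("bare", no_tag, no_tag),
                                ("sha256", sha, sha),
                                ("keyed", mac, None)):
        ct = send(pad, MSG, tag_fn)
        results[name] = receive(pad, mallet(ct, MSG, guess), tag_fn)
    # Sanity check: the honest keyed message still verifies.
    results["keyed_honest"] = receive(pad, send(pad, MSG, mac), mac)
    return results


if __name__ == "__main__":
    for name, (accepted, msg) in run().items():
        print(f"{name:13s} accepted={accepted!s:5s} msg={msg!r}")
```

The unkeyed digest fails for exactly the reason given above: every input to it is known to Mallet, so he recomputes it and re-encrypts it with the pad bytes he recovered. The keyed variant spends an extra 32 pad bytes per message on the tag key, which is the price of bits that are never transmitted.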
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: What part of 'You need the key to know' don't you people get?
Date: Sun, 05 Dec 1999 06:18:13 GMT
Brian Chase wrote:
> I'll have to agree with you here. It is Scott's responsibility to
> prove there are grave weaknesses in the current block ciphers. My
> intuition is that he's right, so you could also argue that I should
> try to prove their weakness too.
D.Scott has in fact made some (not necessarily original) relevant
observations, but they tend to be obscured by the less desirable
elements of his postings, in particular his ranting at those who
do not place the same degree of importance on those points.
I would urge less name calling and more effort at education.
> Actually, I think the whole field of cryptology becomes a lot more
> interesting if you just assume that the NSA or the Chinese
> Government or whomever has already broken all the block based
> ciphers... or even all computationally hard ciphers.
It wasn't the case last year, when I was doing research in the
area, and I think it is safe to assume it isn't the case now.
> This pretty much leaves you with OTP and trying to come up with
> ingenious ways to implement it securely.
On the scale that encryption is needed, that simply is impossible.
Heck, people couldn't even do it on a very limited basis previously.
> If quantum computing becomes a reality, all this mathematically
> hard stuff we're dealing with now is sort of a waste of time right?
No. At worst, it would accelerate the existing trend to somewhat
longer keys and (sometimes) different algorithms.
Also, that's a very big "if".
------------------------------
Date: Sun, 05 Dec 1999 01:27:56 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Crossposted-To: sci.math
Subject: Re: Why Aren't Virtual Dice Adequate?
Guy Macon wrote:
> In article <82bpkh$398$[EMAIL PROTECTED]>, [EMAIL PROTECTED] (r.e.s.)
>wrote:
>
> >The point under discussion in the thread is that a "pure OTP" is
> >*not* secure when used to send identical plaintext to two different
> >recipients, because it may compromise the key of one of them. Any
> >addition or change to the OTP, serving to remedy this, will result
> >in something other than a "pure OTP".
>
> I must be missing something here (probably a lack on my part).
>
> Let's say that A uses pure OTP to send identical plaintext to B and C.
>
> A has a large random pad labeled [A->B] and another labeled [A->C].
>
> B has an identical copy of pad [A->B] that was securely transferred.
>
> C has an identical copy of pad [A->C] that was securely transferred.
>
> ATTACKER can monitor or modify all communication between A, B, and C.
>
> ATTACKER knows everything except the actual values of the pads or
> the plaintext.
>
> Given these assumptions, ATTACKER cannot decode the plaintext or
> insert his own message and have it correctly decoded.
>
> Now let's say that ATTACKER finds out what the plaintext is before
> it is sent to B (maybe from A, maybe from C). Under *any* crypto
> system he will have "decoded" the message to B. In the case of
> pure OTP he can stop the real message to B and insert his own.
>
> Knowing this, A never sends identical messages. A is already padding
> the messages to obscure the length, so he just randomly chooses how
> much of the padding to put in front or behind. A should get the
> random number for this from a small section of his pad, which is never
> used again, so that B knows where to snip. This is still pure OTP,
> but never has the problem described because identical plaintext is
> never sent to two different recipients.
>
> Thinking about this, it seems that just adding an extra space character
> between two words somewhere in the message to either A or B would stop
> this particular attack. Everything after the space would be garbage
> if ATTACKER fails to guess where the space was added. In real life I
> would use the random amount of prepadding method and encrypt the whole
> thing with PGP, but it seems that trivial changes to the plaintext are
> enough to stop the attack you describe.
>
It need not be this complex. The sender is using up his pad as he enciphers
the message to each recipient. To authenticate each message he appends a
signature to each plaintext. The signature can be any shared secret. The S
(signature size) bits of pad following the portion just consumed will suffice.
The sender enciphers the signature as part of the plaintext. On receipt of the
message the receiver deciphers the plaintext normally, and compares the last S
bits of the message to the next S bits of pad. If they match the message is
authentic.
Pad usage is identical at both ends: P bits for the plaintext and 2*S bits for
the signature.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: more about the random number generator
Date: Sun, 05 Dec 1999 06:26:31 GMT
William Rowden wrote:
> In article <8284e7$[EMAIL PROTECTED]>,
> [EMAIL PROTECTED] (Guy Macon) wrote:
> > If a random string has one of all possible values, there is a
> > very tiny chance that it will randomly come up with all zeros
> > or all ones.
> Isn't there a difference between a random *source* and an
> incompressible *string*? (Douglas A. Gwyn, are you following this
> thread?)
I'm sort of skimming over it. I think most of the talk about
randomness has been wasted effort, due to imprecision and failure
to distinguish among the several ways of categorizing randomness.
A precise, if not necessarily helpful, answer to the question:
A random process designed to produce a uniform bit stream with no
statistical bias of any order, will not avoid generating a run of
all 0s or all 1s, which will occur with the expected frequency.
(2^-N probability of all-0s, for a blind sample of length N.)
------------------------------
From: "r.e.s." <[EMAIL PROTECTED]>
Crossposted-To: sci.math
Subject: Re: Why Aren't Virtual Dice Adequate?
Date: Sat, 4 Dec 1999 22:27:09 -0800
Several postings earlier, I (r.e.s.) wrote:
: >In practice, though, who would use a "pure OTP" without
: >further strengthening? (Even if the OTP is theoretically
: >"unbreakable", it seems appropriate to say that any
: >OTP *implementation* can, in practice, be relatively
: >strong or weak.)
"Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote ...
: Scott Nelson wrote:
: > He can't read the message, but he knows it's his
: > deposit transaction so he modifies the byte
: > corresponding to the most significant digit
: > of his deposit, and passes the modified message on to
: > the main office. Then he goes to the main office
: > and withdraws all the money he just "deposited."
:
: That's why such transactions should include a secure hash
: (message digest) or other means of authentication.
:
: It again points out a vulnerability of Key Generator systems,
: which I've mentioned before. You really ought not to use a
: cryptosystem that allows recovery of the key via known PT.
Exactly. That's an example of the strengthening I had in mind.
--
r.e.s.
[EMAIL PROTECTED]
------------------------------
From: "r.e.s." <[EMAIL PROTECTED]>
Crossposted-To: sci.math
Subject: Re: Why Aren't Virtual Dice Adequate?
Date: Sat, 4 Dec 1999 22:23:15 -0800
"Johnny Bravo" <[EMAIL PROTECTED]> wrote ...
[...]
: Just because an OTP allows a bit flipping attack doesn't mean you
: can't protect against it via other means without reducing the security
: of the OTP.
The fact that it needs "extra protection" is what I call a weakness.
Also, the "OTP-plus-protection" is no longer an OTP *alone*, but is
an example of what I meant when I said in my first post to this part
of the thread:
: >In practice, though, who would use a "pure OTP" without
: >further strengthening? (Even if the OTP is theoretically
: >"unbreakable", it seems appropriate to say that any
: >OTP *implementation* can, in practice, be relatively
: >strong or weak.)
--
r.e.s.
[EMAIL PROTECTED]
------------------------------
Date: Sun, 05 Dec 1999 01:37:04 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Crossposted-To: sci.physics,sci.geo.meteorology
Subject: Re: Quantum Computers and Weather Forecasting
Apostrophe is spelled that way.
Joseph Bartlo wrote:
> Another correction <colon>
>
> Joseph Bartlo wrote :
>
> > I doubt as a meteorologist (quality of which I won't likewise minimize
>
> Should be <colon>
>
> I doubt as a meteorologist (quality of which I won<apostrophy>t likewise
> minimize
>
> Geez <dash> this game of trying to confuse other people can be tough
> <dot><dot><dot>
>
> Joseph
>
> http<colon><forward slash><forward slash>www<dot>voicenet<dot>com
> <foward slash><tilda>jbartlo
>
> [EMAIL PROTECTED]
------------------------------
From: Mike Field <[EMAIL PROTECTED]>
Subject: Re: 1 round Defeats Enigma attacks
Date: Mon, 06 Dec 1999 08:40:38 +1300
UBCHI2 wrote:
> If you use 1 round of transposition to superencipher an enigma encryption, you
> immediately counter the use of cribs, kisses and bombes. The weakness of the
> rotor machines is that they leave each character in the same order as in the
> plaintext.
I don't understand this... transposition will just alter the order in which the
26*26*26 rotor substitutions will be applied to each character. Assuming that
the transposition is known, it is no harder than if it is un-transposed.
If it is unknown then there is at most only 2^(length of transposition)
possibilities to try, and a firm crib would give away the transposition anyway...
Mike
------------------------------
From: Volker Hetzer <[EMAIL PROTECTED]>
Subject: Re: Encrypting short blocks
Date: Fri, 03 Dec 1999 15:40:58 +0000
Markus Peuhkuri wrote:
> I'm not sure, but aren't the stream ciphers basically OTPs where
> the "OTP" is generated depending on the key?
No, it's the other way around. An OTP is a stream cipher with no feedback
and rather stringent requirements on the key.
> And if I use same
> pad for different plaintexts, by guessing/knowing one or some
> of plaintexts, all encrypted data can be decrypted without
> knowing key?
Yes. However, that's a property of all stream ciphers. So, you have to
be more careful when designing a system that uses a stream cipher.
Greetings!
Volker
--
Hi! I'm a signature virus! Copy me into your signature file to help me
spread!
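The pad-reuse property raised in the question above, worked through as an added example (my code, not from the thread). Two constructed branch messages are encrypted under the same random keystream; the example shows that the two ciphertexts XOR to the XOR of the plaintexts without any key, that one known plaintext exposes the other, and how a guessed fragment ("crib") can be dragged across the XOR when neither plaintext is fully known.

```python
"""Added example, not code from the thread: what pad (keystream) reuse gives
away.  Two constructed messages are encrypted under the same random keystream;
no key is needed to combine the ciphertexts, and one known plaintext exposes
the other."""
import secrets

PT1 = b"DEPOSIT acct=MALLET amt=0001"    # constructed sample message
PT2 = b"WITHDRAW acct=ALICE amt=0250"    # constructed sample message


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(keystream: bytes, pt: bytes) -> bytes:
    if len(keystream) < len(pt):
        raise ValueError("keystream too short")
    return xor(pt, keystream[:len(pt)])


def ciphertext_difference(ct1: bytes, ct2: bytes) -> bytes:
    """ct1 XOR ct2 == pt1 XOR pt2: the shared keystream cancels out."""
    return xor(ct1, ct2)


def recover_other(ct1: bytes, known_pt1: bytes, ct2: bytes) -> bytes:
    """Knowing pt1 recovers the keystream prefix, hence pt2's prefix."""
    ks = xor(ct1, known_pt1)
    return xor(ct2, ks)


def crib_drag(ct1: bytes, ct2: bytes, crib: bytes) -> list:
    """Slide a guessed fragment across pt1^pt2.  Wherever the guess lands on
    that fragment in one message, the other message's bytes at the same
    offset come out.  Only offsets yielding printable ASCII are kept as
    candidates; the rest are discarded as mis-alignments."""
    diff = ciphertext_difference(ct1, ct2)
    hits = []
    for i in range(len(diff) - len(crib) + 1):
        out = xor(diff[i:i + len(crib)], crib)
        if all(32 <= b < 127 for b in out):
            hits.append((i, out.decode("ascii")))
    return hits


def demo() -> dict:
    ks = secrets.token_bytes(64)       # keystream wrongly used twice
    ct1, ct2 = encrypt(ks, PT1), encrypt(ks, PT2)
    return {
        "diff_equals_pt_xor": ciphertext_difference(ct1, ct2) == xor(PT1, PT2),
        "recovered_pt2": recover_other(ct1, PT1, ct2),
        "crib_hits": crib_drag(ct1, ct2, b"acct="),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

With the two messages above, dragging the crib `acct=` yields `" acct"` at offset 8 (the crib aligned with message 1, revealing message 2) and `"cct=M"` at offset 9 (aligned with message 2, revealing message 1); other offsets that happen to decode as printable text are the false positives an analyst weeds out by hand.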
------------------------------
From: [EMAIL PROTECTED]
Subject: Help
Date: Sun, 05 Dec 1999 06:37:42 GMT
Can anyone tell me where to get info on working with/editing headers?
Thanks,
Stopal
------------------------------
From: [EMAIL PROTECTED] (Brian Chase)
Subject: Re: more about the random number generator
Date: Sun, 5 Dec 1999 06:53:51 GMT
In article <822gd8$[EMAIL PROTECTED]>,
Guy Macon <[EMAIL PROTECTED]> wrote:
>Last night I wrote a lossless compression routine that runs fast and packs
>over a megabyte of data into a single bit. I have a minor bug somewhere
>in the decode routine, but I am sure that I will have it fully debugged
>by this time tomorrow...
Well, you can squish any arbitrary length string of all 1's or all 0's
into a single bit which describes the bit type, but you also need to
record the length of the string in order to recreate the original string.
This implies a certain amount of additional bits must be present in order
for your compressed representation to truly be lossless. :-)
-brian.
--
--- Brian Chase | [EMAIL PROTECTED] | http://world.std.com/~bdc/ -----
I have always been here. I like taffy. -- K.
------------------------------
From: [EMAIL PROTECTED] (JTong1995)
Subject: Re: 1 round Defeats Enigma attacks
Date: 05 Dec 1999 06:57:52 GMT
Actually, against a brute force attack, a transposition increases the
complexity by n factorial, where n is the number of ciphertext units in the
message. So for a 210 letter Enigma message, superenciphering using a random
transposition will increase the number of total possible combinations that must
be tried by 210!. Using a non-pattern transposition also stops the
cryptanalyst from placing messages in depth (a key attack against, say, an
aperiodic, numerically keyed system). Bauer, in his book, Decrypted Secrets,
predicts that in the future, transpositions will become the dominant method of
encryption because of its strength against the brute force attack...
Jeffrey Tong [EMAIL PROTECTED]
PGP 5 Key available for download at WWW.PGP.COM Key ID: BFF6BFC1
Fingerprint: 6B29 1A18 A89A CB54 90B9 BEA3 E3F0 7FFE BFF6 BFC1
------------------------------
From: [EMAIL PROTECTED] (Brian Chase)
Subject: Re: more about the random number generator
Date: Sun, 5 Dec 1999 07:08:01 GMT
In article <[EMAIL PROTECTED]>, CLSV <[EMAIL PROTECTED]> wrote:
>> Brian Chase wrote:
>> > Could you use optimally compressed data
>> > sets as sources for random numbers?
>
>That would be nice, however optimal compression can not be computed
>in reasonable time.
Hey, I didn't say it would be *practical* :-) I'm just trying to wire a
couple different groups of my synapses together.
-brian.
--
--- Brian Chase | [EMAIL PROTECTED] | http://world.std.com/~bdc/ -----
I have always been here. I like taffy. -- K.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************