Cryptography-Digest Digest #59, Volume #11 Sun, 6 Feb 00 15:13:01 EST
Contents:
Re: NIST, AES at RSA conference (Terry Ritter)
Re: RE ("Roger Schlafly")
Re: NIST, AES at RSA conference (Terry Ritter)
Re: NIST, AES at RSA conference (Terry Ritter)
Re: permission to do crypto research (wtshaw)
Re: ("C. Prichard")
Re: permission to do crypto research (David Wagner)
Re: RE ("C. Prichard")
Re: Scaleable Key Permutation Feature to be Added to CipherText (wtshaw)
Combining LFSR's (Ben Curley)
Re: permission to do crypto research (Glenn Larsson)
Re: ("C. Prichard")
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: NIST, AES at RSA conference
Date: Sun, 06 Feb 2000 18:13:20 GMT
On 6 Feb 2000 12:20:07 -0000, in
<[EMAIL PROTECTED]>, in sci.crypt Paul Crowley
<[EMAIL PROTECTED]> wrote:
>[EMAIL PROTECTED] (Terry Ritter) writes:
>> In practice, I think we all know that a cipher which cannot be
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> attacked in the most favorable ways is in some sense "stronger" than
>> it would otherwise be.
>[snip]
>> "Everybody thinks so," is not reasoning.
>
>And here lies the crux of the argument. We haven't proven the
>strength of our ciphers, and you haven't proven the strength of your
>multiple encryption schemes. You're relying on just the reasoning you
>accuse us of.
I dispute that. You have taken my words out of context and
misrepresented my position; while the words are similar, their meaning
is not.
"We all know" that if the most favorable attack cannot be applied,
only less favorable attacks remain. This form of "we all know" is
simple logic and is based on facts and logical consequences. It means
that I expect the reader to bring some minimal context to the
statement.
In contrast, "everybody thinks so," by itself, has no basis in fact or
logic.
>If we had practical and provably secure ciphers, we would of course be
>crazy not to use them. Since we don't, we have to rely on the
>guesswork you deride.
Nonsense.
We can agree that there are no -- and probably *can* be no -- provable
ciphers. But that does not mean that we must accept what we have. It
does not mean that there is no point in attempting to protect against
possible problems, or reduce their effects, even though the resulting
system is no more provably strong than the original.
Such reasoning can be seen as a form of mathematical fallacy which is
often presented in early algebra, the "equality" of two infinities:
True, a cipher has infinite possibilities for failure, and true, a
multi-cipher also has infinite possibilities for failure, but it is
false that those two infinities are equal.
We can improve our situation by requiring opponents to use non-optimal
attacks or simultaneously attack multiple ciphers, and by reducing the
amount of plaintext under any one cipher.
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
From: "Roger Schlafly" <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto,misc.int-property,misc.legal.computing
Subject: Re: RE
Date: Sun, 6 Feb 2000 10:30:09 -0800
C. Prichard <[EMAIL PROTECTED]> wrote in message
news:%cin4.357$[EMAIL PROTECTED]...
>So assuming you want to RE Windows for the purpose of your encryption
>research to find out how the program does something. If the encryption
>method actually has nothing to do with copyright protection of 'Windows'
>itself, then the law would not be applicable.
RE = reverse engineer
I am not sure about this. MS might argue that its copyright interest in
Windows is not just to keep the bits on the disk from being copied. It
also has integrity rights that keep purchasers from manipulating the code
in unauthorized ways. Eg, it stops Compaq and HP from altering the startup
screen. So MS might claim that poking into Windows internals threatens its
copyright protection.
>The context of DVD/CSS encryption is however quite different. It seems that
>the law is specifically pertaining to the distribution medium of copyright
>materials. By examining the embedded algorithm in the DVD player, you are
>able to explain possible contexts that allow you to examine code. I'm
>guessing that you may legally even go so far as to explain your cause in
>terms of wanting to "see pictures and hear sound" using your own
>implementation of hardware and software. But when you become intent on
>distribution of your product that circumvents the copyright protection of
>the DVD/CSS distribution format, your previous work becomes tainted in the
>eyes of the law.
Yes, but the Hollywood folks seem less concerned with copying the DVD
disk, and more concerned with licensing the DVD players. Ie, they know
they cannot control copying the disk, but think that they can use the
copyright law to prevent unauthorized player equipment.
Hollywood would like to say, "this movie is available at Blockbuster
and is licensed for viewing on Windows, but not on Linux" and use
copyright law to enforce such licenses. Hollywood appears to have
had this sort of thing in mind when it lobbied thru the recent law on
circumvention.
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: NIST, AES at RSA conference
Date: Sun, 06 Feb 2000 18:33:25 GMT
On Sun, 06 Feb 2000 08:25:23 GMT, in <[EMAIL PROTECTED]>, in
sci.crypt "Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote:
>Terry Ritter wrote:
>> ... I think the obvious measure of strength is the time and
>> effort required to take ciphertext to plaintext.
>
>If you mean, for the intended recipient who possesses the key,
>then that's not an accurate measure of resistance to enemy
>cryptanalysis.
No, and it is not intended to be. But it *is* an accurate measure of
the strength which the ciphertext presents to the recipient. By
placing the normal use of ciphers in the range of strengths which a
single cipher presents in various situations, I think we are better
equipped to discuss ranges of strengths, which previously have been
contracted to the minimum value.
I claim that we are better off by understanding the reality that there
is no one strength for everybody, and the strength found by our
academics is not the same as the strength perceived by a well-financed
and well-motivated group of cryptanalysts who operate in secret.
>If you mean, for the enemy cryptanalyst, that
>depends on the cryptanalyst's available intercepts and
>ancillary information (including probable plaintext), his
>cleverness, skill, and luck; presumably to be a useful measure
>it would have to be the *minimum* effort required under some
>controlled conditions, but that is not usually known.
I dispute that the measure of strength must be the minimum of all
possible measures.
While I have previously used the overall minimum as the definition of
strength, we have struggled with that for years, and in my opinion
have gotten very little from it. I propose that we *change* the way
we think about strength to have the measure better reflect the reality
we encounter. That reality is *contextual*: Strength does depend
upon the cleverness of the opponents, and, indeed, whether or not they
have a key.
I claim that thinking of "strength" as "the current contextual effort
involved in transforming ciphertext back to plaintext" is a better
measure than thinking of strength as an overall minimum which we can
never know. But we can of course still talk about the minimum
strength, where that is useful.
>If you
>mean, for the cryptanalyst using the best generally known
>attacks, that reminds me of the joke about the fellow who was
>searching the curb near a streetlight at night for his car
>keys, which he had dropped down the block (but the light was
>better near the streetlight) -- or the exhaust emissions
>standards for perfectly innocuous compounds that we happen to
>have good tests for.
I mean that if the best we can do is search under the light, it is
quite likely that the key-loss process is strong -- to us.
When I say "strength is contextual" I mean simply what we already know
but have been somewhat constrained in saying.
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: NIST, AES at RSA conference
Date: Sun, 06 Feb 2000 18:42:27 GMT
On Fri, 4 Feb 2000 16:45:17 -0000, in <eZXhEK3b$GA.315@cpmsnbbsa02>,
in sci.crypt "Joseph Ashwood" <[EMAIL PROTECTED]> wrote:
>> Yes, sure, but Terry Ritter claimed that multiple ciphering is
>> strictly *stronger* (i.e., >, not just >=). Such a claim is, as far
>> as I can see so far, unsupported.
>
>Actually the statement that it is strictly stronger can be
>easily contradicted, using XOR (eXclusive-OR), where
>regardless of the keys chosen multiple encipherment is
>strictly equivalent to a single encipherment with the XOR of
>the keys.
First of all, only a one-time-pad (OTP) acts like that. And while I
suppose one could say that using a second pad adds zero strength
because strength is already infinite, I find it difficult to relate
that to a discussion of real systems like AES.
The OTP is like a "perfect secrecy" stream cipher in which any
confusion sequence is possible. But *real* stream ciphers are
*constrained* to the sequences they produce from particular keys. So
it is not generally true that the XOR of two keyed sequences will also
be a keyed sequence, so that argument fails in practice.
In practical systems, multiple ciphering *is* strictly stronger than a
single cipher. For strength (S) measured in the time and effort to
take ciphertext to plaintext, with two ciphers (1, 2), we have
strengths (S1, S2).
Note: Even when we have the correct key, a cipher takes some time to
function. Thus, ciphertext has *some* strength, even if the opponents
can break the cipher, or even if they know the key. Indeed, strength
is contextual, depending upon the opponents, what they know, and what
their resources are, and we not only *do* not but also *can* not know
what those strength values are. The same ciphers can have different
strengths to different opponents.
Since each cipher transforms its "plaintext" to ciphertext, we expect
each to contribute strength. For the two block ciphers in sequence,
we expect the strength of the resulting "cipher 3" to be more than S1,
which we can write as S3 = S1 + S2. (In some cases we can expect the
"addition" of a second cipher to prevent a known attack on the first.
So the second cipher may increase overall strength in a way that is
not an arithmetic function of the strength of either cipher. Here we
ignore that and choose a representative minimum.)
Now, to say that *no* strength improvement occurs from using cipher 2
after cipher 1 is to say that S2 = 0. But that cannot be:
Strength is a measure of time or effort involved in deciphering;
simply deciphering with the correct key involves some time or effort.
Thus, any real cipher will have some non-zero strength.
Only the identity transformation takes no time to interpret, and
finding any real cipher 2 in such a state is less likely than simply
choosing the deciphering key at random. But even the "strong" cipher
has the weakness that opponents *might* choose the deciphering key at
random; we don't call that a "weakness" because the idea is
unreasonable, just like finding the identity transformation from
cipher 2. So claiming that cipher 2 might be the identity
transformation is just unreasonable.
What about S2 being negative? Sure, if we assume cipher 2 to be the
inverse of cipher 1. But if 1 and 2 are independent ciphers with
independent keys, the possibility that 2 will be the inverse of 1 is
again less likely than choosing the deciphering key at random. That
is not an attack strategy, and it is not a reasonable weakness.
So the only reasonable interpretation is that S2 > 0 in all real
cases, so S3 > S1 in all real cases, and multiple ciphering *is*
strictly stronger than a single cipher.
In practice, we expect much more than a tiny strength increase from
multi-ciphering, but this strength comes from preventing attacks (such
as known-plaintext and defined-plaintext) which the opponents would
otherwise apply. Then we need to discuss the probability that an
unknown more-efficient attack would require known-plaintext or
defined-plaintext, but I would guess that such a probability would be
pretty high.
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
From: [EMAIL PROTECTED] (wtshaw)
Crossposted-To: talk.politics.crypto,misc.int-property,misc.legal.computing
Subject: Re: permission to do crypto research
Date: Sun, 06 Feb 2000 12:01:50 -0600
In article <87k55g$i5o$[EMAIL PROTECTED]>, "Roger Schlafly"
<[EMAIL PROTECTED]> wrote:
> According to US copyright law on "circumvention of copyright
> protection systems" (17 US 1201), certain encryption research
> is permissible only if "the person made a good faith effort to
> obtain authorization before the circumvention".
>
> Now I know the law is silly, but does anyone have experience
> with authorization requests? Eg, if you write to Microsoft
> and ask for permission to hack Windows for research
> purposes, what does Microsoft say? Has anyone asked for
> permission to crack DVD/CSS encryption?
>
> The law also tries to distinguish whether a published crack
> advances research or facilitates infringement. Does anyone
> know of this distinction being drawn in a practical situation?
> (Some of these issues will arise in the NY DeCSS case.)
You simply structure the query appropriately, like "Let me know if you
have any objection to my studying how such and such program works."
No comment, then you have the freedom to study how everything works,
including using any tools to assist you in that pursuit. Any other
ambiguous response will be something you can hang your hat on. A blanket
NO would be easily recognized as unreasonable since all users need to know
something about how a program/system works.
What we see is industry trying to revive a dead fish, but do not play
their game with a baited breath; learn all you can with the abilities that
you have. Be prepared to play stupid; that is how the big guys do it in a
bind.
--
A big-endian and a little-endian have been spotted sitting at a
campfire nibbling on bytes and pointing at each other as they
argued about who got hit with the most errors.
------------------------------
From: "C. Prichard" <[EMAIL PROTECTED]>
Subject: Re:
Date: Sun, 06 Feb 2000 18:29:23 GMT
I guess the purported information is probably true.
The FBI only recently acquired a digital eavesdropping device for tapping
a subscriber premise modem connection. Some hackers who were taking CC
numbers were prosecuted with the evidence about a year ago. The report
expressed that the FBI was satisfied with the initial results from use
of the new device.
I suspect that they are working on something similar for use with major
routers, but that has its share of design problems, and is on a totally
different scale. The law prevents wiretapping, but not monitoring of the
airwaves. I would think that it's illegal to monitor all the information
sent through a major router.
Recently a router failure in Minneapolis resulted in loss of internet
service for a large portion of Minnesota.
//
The reason for a new method of 'watermarking' software was supposedly in
part that it would make it easier to catch copyright material as it is
sent through the digital transmission system. It seems pretty obvious
that it might be possible to unravel the scheme, and create altered
watermarks that mess with the detection system as well as allow the use
of the copyrighted works.
I wonder what type of filtering is being planned. That the world is
turning to a much heavier reliance on airwaves again in the near future
probably works in favor of the NSA.
-C. Prichard
------------------------------
From: [EMAIL PROTECTED] (David Wagner)
Crossposted-To: talk.politics.crypto
Subject: Re: permission to do crypto research
Date: 6 Feb 2000 10:56:15 -0800
In article <87k55g$i5o$[EMAIL PROTECTED]>,
Roger Schlafly <[EMAIL PROTECTED]> wrote:
> According to US copyright law on "circumvention of copyright
> protection systems" (17 US 1201), certain encryption research
> is permissible only if "the person made a good faith effort to
> obtain authorization before the circumvention".
>
> Now I know the law is silly, but does anyone have experience
> with authorization requests? Eg, if you write to Microsoft
> and ask for permission to hack Windows for research
> purposes, what does Microsoft say? Has anyone asked for
> permission to crack DVD/CSS encryption?
>
> The law also tries to distinguish whether a published crack
> advances research or facilitates infringement. Does anyone
> know of this distinction being drawn in a practical situation?
> (Some of these issues will arise in the NY DeCSS case.)
>
To my knowledge, no one knows because this has never been tested before,
and the language is sufficiently vague to leave grave doubts. (Sure, plenty
of people will be glad to tell you their version of it -- but in the end,
it is the courts who will decide.)
As far as I can tell, the DeCSS cases are effectively writing the law --
so keep a close eye on them!
------------------------------
From: "C. Prichard" <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto,misc.int-property,misc.legal.computing
Subject: Re: RE
Date: Sun, 06 Feb 2000 18:35:44 GMT
It's my understanding that almost all laws are meant in a social context.
That is to say that they are not even intended to reach into your
privacy. What you do in private is of no concern to the government
(sometimes referred to as 'the people') regarding these laws whatsoever.
The line is drawn where there is something that you do socially like
distribute information, or a product to others.
-C. Prichard
------------------------------
From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Scaleable Key Permutation Feature to be Added to CipherText
Date: Sun, 06 Feb 2000 12:18:13 -0600
In article <fzgn4.347$[EMAIL PROTECTED]>, "C. Prichard"
<[EMAIL PROTECTED]> wrote:
> It has been determined that a new key-building feature can be added to
> the CipherText algorithm. It will be optionally used to dynamically
> scale the primary key using its derived attribute value to accommodate
> security requirements. With the feature, it will be possible to encrypt
> a 1300 character message using a ten element key without a single
> repetition of the applied cipher key. The feature is a natural
> progression of earlier work on the algorithm. When combined, the work
> possibly rates as a significant development in the field of cryptology.
>
Before you get too excited, let me remind you that at least some of this
is one part of a key-producing algorithm that I have been using for some
time. I do lots of things, but this IS one area I have posted on. Don't
plan to tell me that I cannot do what I did before you claimed a small
portion of it was part of your *original* idea. Inasmuch as you may want
to get out of generic areas with details, you can't; you simply minimize
the value of anything that you might get a patent on.
Nor should you do anything that looks like Dynamic Substitution either,
a Ritter patent.
Go fish.
--
A big-endian and a little-endian have been spotted sitting at a
campfire nibbling on bytes and pointing at each other as they
argued about who got hit with the most errors.
------------------------------
From: [EMAIL PROTECTED] (Ben Curley)
Subject: Combining LFSR's
Date: Sun, 06 Feb 2000 19:24:08 GMT
Hi all,
This is probably a stupid question, but here goes...
I am attempting to combine the output of two LFSR's to produce a repeatable
key stream when the start state of LFSR 1 is random. Is this even possible?
Thanks
Ben
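Ben Curley's question above, and the XOR-of-keys point Joseph Ashwood raised in the AES thread earlier in this digest, as an added example that is not code from any post here: two Fibonacci LFSRs over GF(2) XOR-combined into one keystream, with Berlekamp-Massey run against the result. The tap positions (x^16 + x^5 + x^3 + x^2 + 1 and x^15 + x + 1, both primitive), the seeds 0xACE1 and 0x1ACE, and the stream lengths are my choices. It shows that the combined stream is repeatable exactly when both seeds are known to the party regenerating it, that XOR-encrypting with each stream in turn is identical to a single XOR with their sum (Ashwood's point), and that an opponent with 2*(16+15) = 62 bits of known-plaintext keystream recovers the whole combination without either seed, because the linear complexity of an XOR of two LFSR outputs is at most the sum of their lengths.

```python
# Added example (not code from the digest or from any poster). Two
# Fibonacci LFSRs over GF(2) are XOR-combined into one keystream, then
# Berlekamp-Massey is run on that keystream to show what an opponent with
# known plaintext learns. Tap positions, seeds and lengths are my choices.
from typing import List, Sequence, Tuple

# Feedback taps as shift positions of the state word: output is bit 0,
# the feedback bit is the XOR of the tapped bits and enters at the top.
# (0, 2, 3, 5) on 16 bits gives a_{t+16} = a_t + a_{t+2} + a_{t+3} + a_{t+5},
# i.e. x^16 + x^5 + x^3 + x^2 + 1, a primitive polynomial (period 65535).
# (0, 1) on 15 bits gives x^15 + x + 1, also primitive (period 32767).
LFSR1 = (16, (0, 2, 3, 5))
LFSR2 = (15, (0, 1))


def lfsr_step(nbits: int, shifts: Sequence[int], state: int) -> int:
    fb = 0
    for sh in shifts:
        fb ^= (state >> sh) & 1
    return (state >> 1) | (fb << (nbits - 1))


def lfsr_stream(nbits: int, shifts: Sequence[int], seed: int, length: int) -> List[int]:
    """Keystream bits from a Fibonacci LFSR; the seed is the secret."""
    if not 0 < seed < (1 << nbits):
        raise ValueError("seed must be a nonzero %d-bit state" % nbits)
    state, out = seed, []
    for _ in range(length):
        out.append(state & 1)
        state = lfsr_step(nbits, shifts, state)
    return out


def lfsr_period(nbits: int, shifts: Sequence[int], seed: int) -> int:
    """Steps until the seed state recurs; 2**nbits - 1 means maximal length."""
    state, steps = lfsr_step(nbits, shifts, seed), 1
    while state != seed:
        state, steps = lfsr_step(nbits, shifts, state), steps + 1
    return steps


def xor_bits(a: Sequence[int], b: Sequence[int]) -> List[int]:
    return [x ^ y for x, y in zip(a, b)]


def combined_keystream(seed1: int, seed2: int, length: int) -> List[int]:
    """XOR of the two LFSR outputs. Repeatable exactly when both seeds are
    known to whoever must regenerate it; a random seed1 that is never
    shared makes the stream unrepeatable by construction."""
    k1 = lfsr_stream(*LFSR1, seed1, length)
    k2 = lfsr_stream(*LFSR2, seed2, length)
    return xor_bits(k1, k2)


def double_xor_equals_single(plain: Sequence[int], seed1: int, seed2: int) -> bool:
    """Ashwood's point: XOR-encrypting with k1 and then with k2 is identical
    to a single XOR with k1 ^ k2, so the opponent faces one combined stream."""
    n = len(plain)
    twice = xor_bits(xor_bits(plain, lfsr_stream(*LFSR1, seed1, n)),
                     lfsr_stream(*LFSR2, seed2, n))
    once = xor_bits(plain, combined_keystream(seed1, seed2, n))
    return twice == once


def berlekamp_massey(s: Sequence[int]) -> Tuple[int, List[int]]:
    """Shortest LFSR over GF(2) generating s. Returns (L, C) with
    s[N] = XOR_{i=1..L} C[i] & s[N-i] for all N >= L. Needs 2L bits of s."""
    n = len(s)
    C, B = [1] + [0] * n, [1] + [0] * n
    L, m = 0, 1  # m = steps since B was last updated
    for N in range(n):
        d = s[N]
        for i in range(1, L + 1):
            d ^= C[i] & s[N - i]
        if d == 0:
            m += 1
            continue
        T = C[:]
        for i in range(n + 1 - m):  # C(x) += x^m * B(x)
            C[i + m] ^= B[i]
        if 2 * L <= N:
            L, B, m = N + 1 - L, T, 1
        else:
            m += 1
    return L, C[:L + 1]


def extend(C: Sequence[int], L: int, known: Sequence[int], total: int) -> List[int]:
    """Run the recovered recurrence forward from the first L known bits."""
    s = list(known[:L])
    while len(s) < total:
        N = len(s)
        bit = 0
        for i in range(1, L + 1):
            bit ^= C[i] & s[N - i]
        s.append(bit)
    return s


def known_plaintext_recovery(seed1: int, seed2: int, leaked: int, total: int) -> bool:
    """Opponent sees `leaked` keystream bits (ciphertext XOR known plaintext)
    and predicts the rest of the keystream without knowing either seed."""
    stream = combined_keystream(seed1, seed2, total)
    L, C = berlekamp_massey(stream[:leaked])
    return extend(C, L, stream[:leaked], total) == stream


if __name__ == "__main__":
    print("LFSR1 period:", lfsr_period(*LFSR1, 0xACE1))
    print("linear complexity of k1 ^ k2:",
          berlekamp_massey(combined_keystream(0xACE1, 0x1ACE, 200))[0])
    print("rest of stream predicted from 100 leaked bits:",
          known_plaintext_recovery(0xACE1, 0x1ACE, 100, 500))
```

Run as a script it prints the period of the 16-bit register, the linear complexity of the combined stream (31 = 16 + 15) and whether the remaining keystream was predicted from the leaked prefix. For Ben's question: repeatability is a property of the seeds, not of the combiner, so a random seed for LFSR 1 has to be transmitted (or derived from a shared secret) before the receiver can regenerate the stream. For the double-encryption thread: with XOR stream layers the opponent never has to "attack two ciphers at once"; one combined keystream is all that exists, and for XOR-combined LFSRs Berlekamp-Massey recovers it from 2*(L1+L2) known-plaintext bits, the same as a single LFSR of length L1+L2. Nonlinear combiners (or real stream ciphers) are what change that picture, not a second XOR layer.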
------------------------------
From: Glenn Larsson <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Crossposted-To: talk.politics.crypto,misc.int-property,misc.legal.computing
Subject: Re: permission to do crypto research
Date: Sun, 06 Feb 2000 20:06:22 +0100
Roger Schlafly wrote:
<A LOT OF STUFF>
Hi.
Any US security companies considering opening up in
Europe? You need freedom and I need a job :o)
Regards,
Glenn
(P.S: It smells like "security through stupidity")
_________________________________________________
Spammers will be reported to their government and
Internet Service Provider along with possible legal
repercussions of violating the Swedish "Personal
Information Act" of 1998. (PUL 1998:204)
This is punishable by a fine or 6 months to 2 years
imprisonment (Paragraph 49)
------------------------------
From: "C. Prichard" <[EMAIL PROTECTED]>
Subject: Re:
Date: Sun, 06 Feb 2000 19:00:17 GMT
I prefer to think that a large number of NSA employees are infiltrating
internet CHAT groups to intercept secret information as it is being
exchanged.
-C. Prichard
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************