Cryptography-Digest Digest #292, Volume #11 Thu, 9 Mar 00 23:13:01 EST
Contents:
Re: Universal Language (Jim Gillogly)
Re: Free-MAC mode (Wei Dai)
encrypting to unknown public key? (David A Molnar)
Re: TEA analysis (Raphael Phan Chung Wei)
Re: Crypto Patents: Us, European and International. (Bill Unruh)
Re: Crypto Patents: Us, European and International. (Bill Unruh)
Re: Crypto Patents: Us, European and International. (Bill Unruh)
Birthday paradox (Raphael Phan Chung Wei)
Re: SHA-1 and Patents confusion with Hitachi (Bill Unruh)
Re: Crypto Patents: Us, European and International. (Tony L. Svanstrom)
Re: encrypting to unknown public key? (David A. Wagner)
Re: Actually, I have a sign "Be Aware of Dog" on the garage door of the house, where I am living .. it is a lie .. (Red Herring)
----------------------------------------------------------------------------
From: Jim Gillogly <[EMAIL PROTECTED]>
Subject: Re: Universal Language
Date: Fri, 10 Mar 2000 01:19:19 +0000
Jim Gillogly wrote:
> Still, I had it from Jerry Pournelle's lips that he <knew> Heinlein
> had started from Loglan with the idea [for the language in "Gulf"]...
> and he wasn't all <that> many sheets to the wind at the time. I
> agree that there wasn't a perfect mapping between real Loglan and
> Kettle-Belly Baldwin's language (yes, <that> Baldwin).
Bzzzt. I take it all back. Mea culpa (and Jerry's culpa). "Gulf"
was published in 1949, long before the Loglan roll-out in a 1960
Scientific American article. Heinlein could have been influenced
by Sapir and Whorf, but not by James Cooke Brown... at least not
for <that> book. I found the later mention of Loglan in The Moon
is a Harsh Mistress unconvincing, but at least it indicated he was
still following the literature.
To try to pull back a little sci.crypt relevance, the language Lincos
mentioned by Doug Gwyn was of interest to cryptographers not because
of its ability to disguise language, but the opposite: it was an attempt
to make language as plain as possible to someone who didn't know it. In
this way it was working on the opposite problem to cryptography, and thus
might be considered to help illuminate some of the relevant issues.
(What will be most helpful to an alien trying to understand this stuff?
OK, let's suppress it in our secret communication system.)
--
Jim Gillogly
19 Rethe S.R. 2000, 01:11
12.19.7.0.9, 13 Muluc 17 Kayab, Ninth Lord of Night
------------------------------
From: Wei Dai <[EMAIL PROTECTED]>
Subject: Re: Free-MAC mode
Date: Thu, 9 Mar 2000 17:28:56 -0800
In article <8a94th$gjc$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] says...
> When the check-block is public, there are truncation attacks.
>
> To forge a message M, set M' = M||B||S, where B is the fixed block
> used to check integrity and S is any suffix you like. Obtain the
> MAC'ed encryption of M' to get ciphertext C'; then truncate C' to the
> length of M||B. Since -- in your mode -- the encryption of the prefix
> is the same as the prefix of the encryption, the result will be a
> valid encryption of the message M, as desired. This is an integrity
> failure which shows that the MAC is not secure, when the check-block
> is public.
The other attack I posted also depends on the check-block being public,
but there is a similar left-truncation attack if the check-block is not
public, but x_0 is public (assuming y_0 is the IV). It looks like both
x_0 and the check-block need to be part of the key.
------------------------------
From: David A Molnar <[EMAIL PROTECTED]>
Subject: encrypting to unknown public key?
Date: 10 Mar 2000 01:48:58 GMT
We have blind signatures, in which we can sign something without knowing
what it is. Has anyone seen a notion of public-key "blind encryption" in
this sense:
Every public key PK in the system can be turned into a "blinded" public
key BK by the use of some blinding function B which takes as inputs a
blinding factor F and the public key.
so BK = B(PK,F)
We then have these properties for the cryptosystem:
* The blinding function can be evaluated efficiently without
knowledge of the secret key SK. So anyone can create a blinded
version of a public key they possess.
* The encryption function E() takes as input a message M and
any blinded public key BK or the original public key PK.
On these inputs it computes a ciphertext C which can be
decrypted by the decryption function in conjunction with a
secret key SK. SK is static and independent of whatever value
of BK or blinding factor F is used.
So we have
C = E(BK, M)
and M = D(SK, C) for all BK used to encrypt C.
* It is infeasible to determine PK from BK without knowledge
of F or access to a decryption oracle.
(because clearly you can just encrypt something, then try
to decrypt it using the decryption oracle)
* The blinding function B() "looks random" - it should be
infeasible to guess any other BK or any other F given one
(BK, F) pair. It should be infeasible to create another BK
or another F given only BK but not the original PK.
I was playing around with RSA very briefly - trying something like
multiplying the modulus by a random prime and then seeing if I could
adapt e somehow. Didn't work.
Anyone seen anything like this before?
Thanks much,
-David Molnar
------------------------------
Date: Fri, 10 Mar 2000 10:03:55 +0800
From: Raphael Phan Chung Wei <[EMAIL PROTECTED]>
Subject: Re: TEA analysis
Dear Matt,
> >I learned a lot about block ciphers by looking at TEA
> ><URL:http://vader.brad.ac.uk/tea.html>, but at Crypto '97 I
> >was given the impression that this has been broken.. Is this
Thank you for your reply. So far the papers that I have managed to find related
to analysis of TEA are the original papers by the authors D Wheeler and R
Needham and also Related-Key Cryptanalysis of 3-WAY......RC2 and TEA by J Kelsey
et al.
I wonder if there are any other papers...
--
Regards,
Raphael Phan
Faculty of Engineering
Cyberjaya Campus
Multimedia University
+603-83125314
------------------------------
From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: Crypto Patents: Us, European and International.
Date: 10 Mar 2000 02:54:42 GMT
In <[EMAIL PROTECTED]> Glenn Larsson <[EMAIL PROTECTED]> writes:
>My current encryption algorithm is "tip-toeing" around
>areas that COULD be covered by some patents, so I have
>some questions about patents.
See a good patent lawyer, not the newsnet.
>1.
>- What KINDS of commercial patents are there that affect
>crypto or rather "mathematical algorithms"? I know that
There are no patents on any mathematical algorithms. There are patents
on the use of those algorithms to accomplish certain ends. For example
you can take all of the powers modulo any function you want, in any
product you have, as long as the purpose is not to encrypt something, by
using powers modulo a composite number. You can use powers modulo a
composite number to generate random numbers if you wish. As far as I
know that is not patented.
>NSA and its "international colleagues'" organisations have
>priority power at their individual patent offices.
???
>2.
>- What WIDE-ASPECT (as in covering too much) patents exist
>today that block the progress of cryptographic research or
>deployment?
??? Any patent blocks something. What is "too much"?
>3.
>- How do GATT and software patents work together?
?? Patents are laws of individual countries. Individual countries may
agree to honour certain patents from super organisations (e.g. the
European countries and European patents) but that is entirely up to the
national government.
>4.
>- Anyone have a link to a search engine for European patents?
>(like the one at www.patents.ibm.com)
>In Sweden, the current legislation does NOT approve software
>patents, the patent law clearly states that ONLY copyright
>will be awarded to software products, but a patent engineer
>told me that everything could be "loosening up" and software
>patents could be on the way.
>The Swedish patent law (1967:837, paragraph 1) cannot approve
>ONLY mathematical algorithms as patentable, it (according to
No patent law that I know of can patent mathematical algorithms and I
strongly doubt that any ever will. Just as you cannot patent words or
sentences or ideas.
>the patent engineer I spoke to) also has to have a physical
>or a graspable "technical effect" and have "uniqueness".
Yes, the use of an algorithm can be patented, just as bending wire in a
certain way can be patented (paper clips), although wire per se or
bending per se cannot be.
>(In spite of this, there are some algorithm/software patents
>in Sweden, could be from earlier legislation or something.)
>- What's the situation on the planet - Any direct thoughts or
>insights?
planet? These are national laws and you have to ask nation by nation.
------------------------------
From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: Crypto Patents: Us, European and International.
Date: 10 Mar 2000 03:04:54 GMT
In <8a9efr$9ud$[EMAIL PROTECTED]> [EMAIL PROTECTED] writes:
>2. In many cases and for many purposes copyright protection might be more
>effective. Patents may protect a method. Copyrights protect results of
>intellectual processes, viewed as contextually dependent conceptual
>integers.
No, copyrights protect the explicit expression of an idea.
>For example: I would violate the IDEA U.S. patent (but probably not the IDEA
>copyright) if I implemented the IDEA algorithm, called it something else and
>marketed my implementation in the USA. I would probably not violate that
No, you would violate the patent in either case. And you would violate
the copyright in neither case, unless you copied someone else's
expression of the IDEA algorithm.
>patent if I implemented IDEA, adjusted it slightly, and still called it "the
>IDEA-cipher". In such case, I would however violate the IDEA copyright,
>virtually regardless of the extent of my adjustments.
Certainly not. You would violate the copyright only if you copied the
expression of someone else's implementation of IDEA. If you showed that
you derived that expression yourself without reference to anyone else's
expression, you would not violate the copyright even if yours was word
for word the same as theirs. (Of course convincing a court that you had
not copied it in that case would be a difficult task, but it would be
possible.)
>(Note: There are different opinions regarding the extent to which algorithms
>may be protected by copyright. I argue that such protection exists, just as
Ideas cannot be copyrighted, only expressions of ideas. Someone else
expressing the same idea differently has not copied, and does not fall
under copyright restrictions. Copyright controls COPYING, not anything
else.
>well, and in a closely related sense, as a one line poem is protected by
>copyright. You might say or write the sentence of the poem without violating
No, it need not be. If you can show that that one line poem is the only
way of expressing that idea, then copyright fails. (Of course the courts
would interpret what the idea was fairly broadly, so proving it was the
only way would be difficult.)
>the copyright, but not in public if the context makes it obvious that you are
>quoting that line.)
Actually if that one line poem was copyrightable, then your quoting the
whole of that poem would probably run you afoul of copyright. Copying a
substantial part of a copyright work does not fall under the fair use
doctrine.
>One might also ask oneself why anyone would like to market an implementation
>of IDEA without calling it IDEA... It seems like an odd marketing strategy.
>;-)
RC4 vs ARC4: trademark law, which is yet another area distinct from
copyright or patent.
>Conclusion: Patenting a cipher will at most protect you from being ripped off
>by your partners at an early stage of development.
No. Patenting a cypher will prevent anyone from using that technique to
encrypt without agreement from you. Of course you have to sue and recover
damages. Patent law is largely civil, not criminal, law.
------------------------------
From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: Crypto Patents: Us, European and International.
Date: 10 Mar 2000 03:07:05 GMT
In <[EMAIL PROTECTED]> [EMAIL PROTECTED] (Terry Ritter) writes:
>On 10 Mar 2000 00:09:31 GMT, in <8a9efr$9ud$[EMAIL PROTECTED]>, in
>sci.crypt [EMAIL PROTECTED] wrote:
>>1. A patent is not always necessary. If you make your findings public no one
>>else will be able to patent any closely related algorithm.
>This is, of course, only true if "you" are the first one to publish
>the idea, or apply for the patent. "You" can give up your rights, but
>you cannot give up the rights of others.
No. Prior art invalidates all subsequent patent rights. Thus you, by
making something public and thus prior art, extinguish everyone else's
right to patent that thing. Thus you can "give up the rights of others".
------------------------------
Date: Fri, 10 Mar 2000 11:13:53 +0800
From: Raphael Phan Chung Wei <[EMAIL PROTECTED]>
Subject: Birthday paradox
We come across the term birthday paradox when we go through literature
on cryptanalysis.
It states that for example in a room of 23 persons, the probability of
any two persons having the same birthdate is about 1/2. Now how do we
apply that to the search for matches in block ciphers?
--
Regards,
Raphael Phan
Faculty of Engineering
Cyberjaya Campus
Multimedia University
+603-83125314
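The arithmetic behind the question, as an added example that is not part of the post: the exact computation that gives the 23-person figure, the sqrt(2n ln 2) approximation that stands in for it once n is 2^64, and the data volume at which an n-bit block cipher's output blocks are expected to repeat. The CBC remark in the comments is standard background, not something the post states.

```python
import math


def collision_probability(n_values, k_samples):
    """Exact probability that k uniform draws from n values contain a repeat."""
    if k_samples > n_values:
        return 1.0
    p_distinct = 1.0
    for i in range(k_samples):
        p_distinct *= (n_values - i) / n_values
    return 1.0 - p_distinct


def samples_for_probability(n_values, target=0.5):
    """Smallest k whose collision probability reaches target (exact, stepwise)."""
    p_distinct, k = 1.0, 0
    while 1.0 - p_distinct < target:
        p_distinct *= (n_values - k) / n_values
        k += 1
    return k                                   # 23 for n = 365, target 0.5


def birthday_bound(n_values, target=0.5):
    """Approximation k ~ sqrt(2 n ln(1/(1-target))); the exact loop is hopeless at n = 2^64."""
    return math.sqrt(2.0 * n_values * math.log(1.0 / (1.0 - target)))


def bytes_until_block_collision(block_bits, target=0.5):
    """Ciphertext bytes after which two output blocks of an n-bit block cipher
    are expected to coincide: the birthday bound applied to 2^n block values.

    In CBC mode a repeated ciphertext block reveals the XOR of two plaintext
    blocks (standard background), so keys are changed well before 2^(n/2) blocks.
    """
    blocks = birthday_bound(2 ** block_bits, target)
    return blocks * (block_bits // 8)          # ~4.05e10 bytes for a 64-bit block
```

For a 64-bit block the bound is about 1.18 * 2^32 blocks, roughly 40 GB of ciphertext under one key.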
------------------------------
From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: SHA-1 and Patents confusion with Hitachi
Date: 10 Mar 2000 03:21:09 GMT
In <8a93nl$4ds$[EMAIL PROTECTED]> Benjamin Gittins <[EMAIL PROTECTED]> writes:
]"
]If IEEE adopts a standard on the above RIPEMD-160, RIPEMD-128 and SHA-1
]hash functions, Hitachi Ltd. is willing to grant non-exclusive, non-
]transferable licenses on fair, reasonable and non-discriminatory terms
]and conditions under any of its patent rights, under which it has the
]free right to grant licenses and to the extent necessary to comply with
]this standard, to any party which has submitted or will submit an
]equivalent undertaking with respect to this standard.
]"
Just for the record, I also grant the same. I also do the same for gene
sequencing, cloning, and rocketry.
]Now, does this mean
] 1 ) Hitachi claims patents on SHA-1?
The statement makes no such claim.
] 2 ) That royalties are due, for an algorithm made freely available by
]its authors?
The statement makes no such claim.
] 3 ) Is this patent actively enforced?
ditto.
] 4 ) What are these said dues we must pay to Caesar?
It does not even claim such dues are owing. It just says that if Hitachi
has any such patent claims that then it will license them.
]similar issue with RIPEMD-160 by its authors.
]http://grouper.ieee.org/groups/1363/letters/Bosselaers.txt
]??????
]Hitachi Patents: in the U.S.
]US4982429: Encipher method and decipher method
]http://www.patents.ibm.com/details?pn=US04982429__
]US5103479: Encipher method and decipher method
]http://www.patents.ibm.com/details?pn=US05103479__
]Abstract:
]There are provided an encipher method of enciphering message data made
]by a microcomputer or the like at a high speed by using encipher keys
]which have previously been stored in a smart card or the like and a
]decipher method of deciphering the ciphertext made by the encipher
]method at a high speed by using the encipher keys. The encipher method
]and the decipher method are suitable for, particularly, a 32-bit
]microcomputer and include a process expressed by the function Rot2^i(x)
](i=2, 3, 4) in each process. Rot2^i(x) is the process to circular shift
]a data train x of 32 bits to the left or right by 2^i bits (i=2, 3, 4).
I would wait for the court case, if it ever occurs. To claim to patent
any algorithm just because it rotates bits would be invalidated by the Caesar
cypher, 2000 years ago, where elements were rotated in a circular
fashion N elements to the right or left. That this is a two-letter
alphabet and Caesar's was a 24(?) makes no difference. This is
ludicrous.
------------------------------
From: [EMAIL PROTECTED] (Tony L. Svanstrom)
Subject: Re: Crypto Patents: Us, European and International.
Date: Fri, 10 Mar 2000 04:27:12 +0100
Glenn Larsson <[EMAIL PROTECTED]> wrote:
> My current encryption algorithm is "tip-toeing" around areas that COULD be
> covered by some patents, so I have some questions about patents.
What you need is a NDA and a patent-lawyer.
/Tony
PS The simplest thing is to release it for free and sell an SDK...
--
/\___/\ Who would you like to read your messages today? /\___/\
\_@ @_/ Protect your privacy: <http://www.pgpi.com/> \_@ @_/
--oOO-(_)-OOo---------------------------------------------oOO-(_)-OOo--
DSS: 0x9363F1DB, Fp: 6EA2 618F 6D21 91D3 2D82 78A6 647F F247 9363 F1DB
-----------------------------------------------------------------------
\O/ \O/ ©1999 <http://www.svanstrom.com/?ref=news> \O/ \O/
------------------------------
From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: encrypting to unknown public key?
Date: 9 Mar 2000 18:54:25 -0800
On first glance, this looks like it may be related to proxy signatures.
Have you checked out Blaze and Strauss's work on the subject?
It also seems that a basic Diffie-Hellman (or El Gamal) encryption scheme
can perhaps be adapted to your requirements. In the usual version of
such a scheme, we fix a global generator g, and A's public key is g^{x_A}.
I suggest that each party should choose their own generator g_A randomly,
and publish (g_A, g_A^{x_A}) as their public key. The encryption of a
message m is (g_A^r, E((g_A^{x_A})^r, m)) where E() is some combining
function (multiplication in El Gamal, but a symmetric-key cryptosystem is
probably better). Then a public key (u,v) may be blinded by choosing b
at random and letting the blinded public key be (u^b,v^b). Assuming that
we work in a prime-order group where discrete log is hard and the
Decisional Diffie-Hellman problem is infeasible, everything should be
secure, I think.
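A toy instance of the blinded-key scheme sketched in this reply, answering the "blind encryption" properties asked for in the question: an added example, not code from Molnar or Wagner. Each party publishes (g_A, g_A^{x_A}), anyone can blind that key to (u^b, v^b), and the same static secret x_A decrypts ciphertexts made under either key. Assumed for illustration: a constructed 10-bit safe prime as the group and a SHA-256-derived XOR pad standing in for the symmetric combining function E().

```python
import hashlib
import secrets

# Constructed toy safe prime p = 2q + 1; the squares mod p form a subgroup of
# prime order q and every group value below lives there. A real deployment
# uses a large prime-order group, not a 10-bit one.
P = 1019
Q = 509


def random_group_element():
    """Random non-identity element of the order-q subgroup (a square mod p)."""
    while True:
        x = secrets.randbelow(P - 2) + 2          # x in 2 .. p-1
        h = pow(x, 2, P)
        if h != 1:                                # x = p-1 squares to 1; reject
            return h


def keygen():
    """Each party picks its OWN generator g_A and publishes (g_A, g_A^{x_A})."""
    g = random_group_element()
    x = secrets.randbelow(Q - 1) + 1              # static secret key, 1 .. q-1
    return x, (g, pow(g, x, P))


def blind(pk):
    """Blinded key (u^b, v^b) for random b; b = 1 is excluded so BK != PK."""
    u, v = pk
    b = secrets.randbelow(Q - 2) + 2              # b in 2 .. q-1
    return (pow(u, b, P), pow(v, b, P)), b


def combine(shared, n):
    """Stand-in for E(): a hash-derived XOR pad (assumption, not a real cipher)."""
    return hashlib.sha256(str(shared).encode()).digest()[:n]


def encrypt(pk, msg):
    """Ciphertext (u^r, E(v^r, m)); identical code for an original or blinded key."""
    assert len(msg) <= 32, "toy pad covers at most 32 bytes"
    u, v = pk
    r = secrets.randbelow(Q - 1) + 1
    pad = combine(pow(v, r, P), len(msg))
    return pow(u, r, P), bytes(a ^ b for a, b in zip(msg, pad))


def decrypt(sk, ct):
    """Only the static secret key is needed: (u^{br})^x == ((u^x)^b)^r mod p."""
    c1, c2 = ct
    pad = combine(pow(c1, sk, P), len(c2))
    return bytes(a ^ b for a, b in zip(c2, pad))


def roundtrip(msg=b"blind me"):
    """True if both the original and a blinded key decrypt under the same SK."""
    sk, pk = keygen()
    bk, _ = blind(pk)
    return (bk != pk
            and decrypt(sk, encrypt(pk, msg)) == msg
            and decrypt(sk, encrypt(bk, msg)) == msg)
```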
------------------------------
From: [EMAIL PROTECTED] (Red Herring)
Crossposted-To: alt.politics.org.cia,soc.culture.russian,soc.culture.nordic,soc.culture.israel,soc.culture.europe
Subject: Re: Actually, I have a sign "Be Aware of Dog" on the garage door of the
house, where I am living .. it is a lie ..
Date: Fri, 10 Mar 2000 03:56:03 GMT
On Thu, 09 Mar 2000 08:04:12 -0700, "Tony T. Warnock"
<[EMAIL PROTECTED]> wrote:
>Outsider wrote:
>
>>
>> If you want a good sign, place a sign that says the following on
>> your front and back doors.
>>
>> ===============================
>> Trespassers will be shot.
>> Survivors will be shot again.
>>
>> (picture of gun)
>>
>> ===============================
>
>I once saw a similar sign that said: "Trespassers will be shot. Survivors
>will be held for ransom."
A sign on my front door says:
"We don't call 911 here."
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************