Cryptography-Digest Digest #402, Volume #11      Thu, 23 Mar 00 15:13:01 EST

Contents:
  Re: root mod a prime? (Mike Rosing)
  Re: Open source or not. (Was: Re: Planet Poker Claims...) (Mike Caro)
  Re: Opinions? (Darren New)
  Re: Open source or not. (Was: Re: Planet Poker Claims...) (Mike Caro)
  Re: Gray Code like (Mike Rosing)
  Re: NIST publishes AES3 papers (DJohn37050)
  Re: Applied Zero Knowledge Proof ([EMAIL PROTECTED])
  Re: Improvement on Von Neumann compensator? (Mike Rosing)
  Re: avoid man-in-the-middle known plaintext attack using a stream cipher ("Scott Fluhrer")
  Code Book : 5th stage ("Isabelle")
  Re: Factoring Large Numbers - I think I figured it out! ("Douglas A. Gwyn")
  bigfloat works (kinda) (Mike Rosing)
  Re: Opinions? ("Douglas A. Gwyn")
  Re: More weapons for Mallory against Quantum Encryption ("Douglas A. Gwyn")
  Re: Do you think I'm ready?  What do I need? ("Douglas A. Gwyn")
  Re: Do you think I'm ready?  What do I need? ("Douglas A. Gwyn")
  Re: Open source or not. (Was: Re: Planet Poker Claims...) ("Trevor L. Jackson, III")
  Re: Open source or not. (Was: Re: Planet Poker Claims...) ("Trevor L. Jackson, III")
  Re: Open source or not. (Was: Re: Planet Poker Claims...) (A. Prock)
  Re: Open source or not. (Was: Re: Planet Poker Claims...) (A. Prock)

----------------------------------------------------------------------------

From: Mike Rosing <[EMAIL PROTECTED]>
Subject: Re: root mod a prime?
Date: Thu, 23 Mar 2000 12:17:34 -0600

Tom St Denis wrote:
> I have maple, but I am new to that as well.  So that looks like German to
> me.  Any just plain English documents on it?

Try "square roots mod p" on your search, maybe you'll find something.

> is picking a point on the curve for the above purposes similar to picking a
> primitive generator [GF(p)] in that the order of that point must be large,
> or to say
> 
> (n + 1)B = B, for n > (a^2), where 'a' is the least amount of work you want
> the attacker to perform?

Yup.  The security is proportional to the square root of the largest
prime factor of the order of the curve, and you maximize the work by
selecting a point which has that order.

> How does one find such a point?  How does one estimate [or find] the order
> of a point along a curve?

Good crypto curves have order r*p where r is small and p is a big prime.
Pick a point at random and multiply by r.  If the result is not the point
at infinity, then the result has order p.  You can check that a point has
a given order by multiplying it by the order you expect it to have and
see if you get the point at infinity.

Finding the order of a curve is a lot harder.  I'm still working on it
:-)

Patience, persistence, truth,
Dr. mike
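
The recipe Mike gives (multiply a random point by the small cofactor r, then confirm the result's order by multiplying it by the expected prime and checking for the point at infinity) carried out on a toy curve. This is an added example, not code from the post or from Mike's bigfloat package. It assumes the textbook curve y^2 = x^3 + x + 1 over GF(23), which has 28 = 4 * 7 points, so r = 4 and the "big prime" is 7; the point at infinity is represented as None. Counting the points by brute force stands in for the hard part Mike mentions; at cryptographic sizes that step needs a point-counting algorithm such as Schoof's.

```python
# Added example (not from the post): find a point of prime order on a toy curve
# y^2 = x^3 + a*x + b over GF(p) by the cofactor-multiplication recipe.
# Assumption: y^2 = x^3 + x + 1 over GF(23) has 28 = 4 * 7 points (checked by
# brute force in curve_points), so the cofactor is r = 4 and the prime is q = 7.
import random


def ec_add(P, Q, a, p):
    """Group law in affine coordinates; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:      # Q == -P, so the sum is infinity
        return None
    if P == Q:                               # tangent slope for doubling
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:                                    # chord slope for distinct points
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def ec_mul(k, P, a, p):
    """Scalar multiple k*P by double-and-add."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P, a, p)
        P = ec_add(P, P, a, p)
        k >>= 1
    return R


def curve_points(a, b, p):
    """Every point on the curve, including infinity, by brute force (tiny p only)."""
    pts = [None]
    for x in range(p):
        rhs = (x ** 3 + a * x + b) % p
        for y in range(p):
            if (y * y) % p == rhs:
                pts.append((x, y))
    return pts


def has_order(P, n, a, p):
    """The check from the post: n*P lands on the point at infinity."""
    return ec_mul(n, P, a, p) is None


def find_prime_order_point(a, b, p, r, q, rng=random):
    """Pick random points and multiply by the cofactor r; a result that is not
    infinity has order q (given that the curve order is r*q with q prime)."""
    affine = [P for P in curve_points(a, b, p) if P is not None]
    while True:
        P = rng.choice(affine)
        Q = ec_mul(r, P, a, p)
        if Q is not None:
            assert has_order(Q, q, a, p)     # confirm the order as the post describes
            return Q


if __name__ == "__main__":
    a, b, p = 1, 1, 23
    n = len(curve_points(a, b, p))           # 28 for this toy curve
    r, q = 4, 7
    Q = find_prime_order_point(a, b, p, r, q)
    print("curve order", n, "-> point of order", q, ":", Q)
```

The same scalar-multiplication check works unchanged for a real curve once the curve order and its factorization are known; only `curve_points` has to be replaced.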

------------------------------

From: Mike Caro <[EMAIL PROTECTED]>
Crossposted-To: rec.gambling.poker
Subject: Re: Open source or not. (Was: Re: Planet Poker Claims...)
Date: Thu, 23 Mar 2000 18:24:47 GMT

On Thu, 23 Mar 2000 15:41:50 GMT, Eric Lee Green <[EMAIL PROTECTED]>
wrote:

>"Tony L. Svanstrom" wrote:
>> 
>> Mike Caro <[EMAIL PROTECTED]> wrote:
>> 
>> > I would have no objection to Planet Poker making their random number
>> > algorithms public. There are two arguments about that, though. One is that
>> > publishing the inner workings of the pseudo-random shuffles invites people
>> > to try to decipher the logic. While I know the methods used and don't
>> > think people would have much success, you've got to admit that publishing
>> > gives scoundrels some minor advantage over not publishing.
>
>I admit nothing of the sort. 
>
>See David Wagner's reverse engineering of the (closed source) Netscape PRNG at
>http://www.cs.berkeley.edu/~daw/papers/ for a classic example of how a "bad
>guy" would go about reverse-engineering something. We're lucky that in this
>case a "good guy" got to the ball first, otherwise we would have had a MAJOR
>melt-down in e-commerce as people made "secure" connections that weren't...

Your message is a cross-post, so I won't reply further, except right
now. What y'all are claiming is just plain wrong in this particular
case -- although it has general merit. There are powerful easy
examples that can illustrate that you'd sometimes be safer not
divulging things.

I teach that in order to see the truth, you often need to take things
to extremes. In this case, it is very clear that in both extremes (a
very poor algorithm and a very complex one) it might be better to shut
up.

Methods could be very complex and not require good random number
generators to be virtually undecipherable. They could also be based on
elaborate combinations of analog measurements and sophisticated
pseudo-random generation. The levels of intrigue could be thousands
deep or infinitely deep. Would it be beneficial, in that case, to
divulge when what happens within the process?

Before you jump in with the sci.crypt newsgroup urge (and my own
natural instinct) to answer "yes," really, really think about it.
Think about it not from a standpoint of unraveling the secrets, but in
the context of what you'd do under those circumstances if you wanted
to make sure nobody robbed your store next month.

As I've said elsewhere, I haven't actually taken a position on whether
disclosure would be better or worse in the case of online poker. I'm
only saying that the arguments for disclosure are not as clear as some
have supposed.

I do not think online poker is perfectly safe. I've said so often. You
need to use caution whenever you play poker. I have said that I'm more
likely to trust online dealing from honest management than real-world
dealing, but there's always a danger in either case. Usually, I feel
secure in either environment. Fortunately, online poker management has
the additional luxury of being able to scour databases of hands played
and cards folded in search of players who have either colluded or
otherwise taken advantage of the system. This additional type of
safeguard is not available in real-world casinos. There are also some
disadvantages to online play.

I appreciate you and others for your excellent and stimulating points
of view. I will visit sci.crypt in the future, although I will only
lurk. Your discussions go into areas of encryption that are not within
my current expertise (although the specific aspects we've been
discussing are).

Straight Flushes,
Mike Caro

------------------------------

From: Darren New <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Opinions?
Date: Thu, 23 Mar 2000 18:25:04 GMT

[EMAIL PROTECTED] wrote:
> By this statements, you're reducing the notion of randomness to
> predictability. However, there's a theoretical difference. If, as an
> experiment of thought, a time machine had been invented, we would be able
> to predict the time when one single atom decays by traveling forward in
> time and observing it.

No. You would then have to travel *back* again in order for it to be a
prediction. For this to be a valid thought experiment, you'd have to propose
how you would do that.

Heck, anyone can travel *forward* in time.

-- 
Darren New / Senior MTS / Invisible Worlds Inc.
San Diego, CA, USA (PST).  Cryptokeys on demand.
There is no safety in disarming only the fearful.

------------------------------

From: Mike Caro <[EMAIL PROTECTED]>
Crossposted-To: rec.gambling.poker
Subject: Re: Open source or not. (Was: Re: Planet Poker Claims...)
Date: Thu, 23 Mar 2000 18:26:23 GMT

On Thu, 23 Mar 2000 17:09:48 +0100, [EMAIL PROTECTED] (Tony L.
Svanstrom) wrote:

>Mike Caro <[EMAIL PROTECTED]> wrote:
>
>> It is my policy not to respond to messages that were posted to more
>> than one newsgroup. But since you're a contributor in good standing at
>> rec.gambling.poker,
>
>Thank you, there are two reasons for me to include crypto-related NGs
>every now and then. First of all, I feel that it will be good for poker
>if people working with such things become more active when it comes to
>on-line poker-related matters; the second reason is something I think I
>shouldn't openly admit...  I'm just very pro-open source when it comes
>to security and I knew the people in sci.crypt would be "on my side". ;)
>
>> I will tell you that I had nothing whatsoever to do with developing any of
>> the algorithms that Planet Poker uses to generate pseudo-random numbers.
>
>I didn't think that you'd designed it, I asked how much crypto-related
>programming you've done simply because you said this:
>
>> > > While I know the methods used and don't think people would have much
>> > > success,
>
>Just wanted to know if you had a background within a related field.
>
>> > > you've got to admit that publishing gives scoundrels some minor
>> > > advantage over not publishing.
>
>Nope, I don't, and not many would agree with you.
>
>
>     /Tony

Tony --

Please see my response to Eric Lee Green in this thread.

Straight Flushes,
Mike Caro

------------------------------

From: Mike Rosing <[EMAIL PROTECTED]>
Subject: Re: Gray Code like
Date: Thu, 23 Mar 2000 12:27:06 -0600

[EMAIL PROTECTED] wrote:
 
> The only codeword that can precede 000 in a code like this is of course
> 100 (a 1 shifted in from the left) since shifting in a 0 would give
> exactly the same code word (000) again. Using up code word 100 somewhere
> else would be impossible in this way of encoding.
> 
> The goal of this is _not_ to use this as a generator of code words if
> your only aim is to produce all possible symbol combinations. The goal
> in the example is to produce a code such that a cyclic stack of _only_ 8
> bits will describe the complete selection of codewords and their
> relative distances. The chain
> 
> 010
> 0 1
> 011
> 
> is thus enough to describe all codewords.
> 
> Many thanks to Vincent for pointing me in the correct direction with
> this. Codes like these are indeed based on deBruijn sequences. Thanks!

OK, I guess I don't get it.  Nothing new with that :-)  When you figure
out what they are, give us a summary!

Patience, persistence, truth,
Dr. mike
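
The summary Mike asks for, as an added example that is not part of the thread: a cyclic sequence of 8 bits whose eight 3-bit windows are exactly the eight 3-bit codewords is a binary de Bruijn sequence B(2, 3). The generator below is the standard recursive (Lyndon-word) construction and is assumed to be what the poster had in mind; the sequence 00010111 it produces is one such chain, and the predecessor rule ("a 1 shifted in from the left" before 000) is checked directly.

```python
# Added example (not from the thread): de Bruijn sequences as the "cyclic stack"
# of codewords described above. Codewords are tuples over the alphabet 0..k-1.


def de_bruijn(k, n):
    """Return a de Bruijn sequence B(k, n): a cyclic list of k**n symbols in which
    every length-n word over k symbols appears exactly once (standard construction)."""
    a = [0] * (k * n)
    seq = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                seq.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return seq


def cyclic_windows(seq, n):
    """All length-n windows of seq read cyclically, one per starting position."""
    L = len(seq)
    return [tuple(seq[(i + j) % L] for j in range(n)) for i in range(L)]


def covers_all_codewords(seq, k, n):
    """True if the cyclic sequence lists each of the k**n codewords exactly once."""
    windows = cyclic_windows(seq, n)
    return len(seq) == k ** n and len(set(windows)) == k ** n


def shift_predecessors(word, k):
    """Codewords that can precede `word` when one symbol is shifted in from the
    left: their last n-1 symbols equal the first n-1 symbols of `word`."""
    return [(s,) + tuple(word[:-1]) for s in range(k)]


if __name__ == "__main__":
    seq = de_bruijn(2, 3)
    print("".join(map(str, seq)), covers_all_codewords(seq, 2, 3))
    # 000 can only be preceded by 000 (which would repeat it) or 100.
    print(shift_predecessors((0, 0, 0), 2))
```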

------------------------------

From: [EMAIL PROTECTED] (DJohn37050)
Subject: Re: NIST publishes AES3 papers
Date: 23 Mar 2000 18:37:46 GMT

Here is the exact quote that each AES submitter agreed to:
"Should my submission be selected for inclusion in AES, I hereby agree not to
place any restrictions on the use of the algorithm intending it to be available
on a world-wide, non-exclusive, royalty-free basis."

It says nothing about being a sole winner or being in a set of winners.  NIST
has always said there might be multiple winners and have not decided yet.
Don Johnson

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Applied Zero Knowledge Proof
Date: Thu, 23 Mar 2000 18:34:15 GMT


> >So, I need a way to prove the server I have that bio piece, without showing
> >him what piece of information I have.
> >
> >Any ideas ?
>
> There's no need to mess with ZKP's. Just use a conventional
> challenge-response protocol with a conventional cipher.

   The problem with challenge-response methods is that you cannot
choose simply ANY kind of information (it must be primes, things like
that). The biometric that Nelson is trying to use can be considered
as a random stream of bits.
   We have developed a solution here, we will probably publish it soon
in the list.

   Daniel.


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: Mike Rosing <[EMAIL PROTECTED]>
Subject: Re: Improvement on Von Neumann compensator?
Date: Thu, 23 Mar 2000 12:33:33 -0600

John Savard wrote:
> 
> [EMAIL PROTECTED] (Guy Macon) wrote, in part:
> 
> >It has been suggested (and implemented by Intel) that a Von Neumann
> >compensator
> 
> I'm feeling mischievous today. I'll throw out the suggestion that we
> should call it just a Neumann compensator. It's unfair to
> Austro-Hungarians to identify their ethnic origin, et cetera.

You forgot to add the smiley.  You're in big trouble fella!!
:-)

Patience, persistence, truth,
Dr. mike

------------------------------

From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Subject: Re: avoid man-in-the-middle known plaintext attack using a stream cipher
Date: Thu, 23 Mar 2000 10:52:19 -0800

Thanks, do you have a pointer to that paper?

David A. Wagner <[EMAIL PROTECTED]> wrote in message
news:8bcdfq$185$[EMAIL PROTECTED]...
> It looks like I'd better set the record straight.
>
> The following paper cryptanalyzes iaPCBC mode:
>   Niels Ferguson, Doug Whiting, John Kelsey, David Wagner,
>   ``Critical Weaknesses of iaPCBC''
> Please note that this is joint work (NOT just my work;
> nor am I even first author).  Credit where credit is due,
> please.
>
> The above paper presents several observations on iaPCBC,
> but the most devastating one is that flipping a single
> bit in the ciphertext will not be detected, guaranteed.
> (so long as the bit you flip is not too close to the
> end of the ciphertext)
>
> Thus, iaPCBC is indeed subject to (existential) forgery
> attacks.

------------------------------

From: "Isabelle" <[EMAIL PROTECTED]>
Subject: Code Book : 5th stage
Date: Thu, 23 Mar 2000 20:25:03 +0100

=====BEGIN PGP SIGNED MESSAGE=====
Hash: SHA1

I can't decode the 5th stage of Simon Singh's Code Book: could
somebody help me?

I just want to know if it is a binary operation or a coding from an
original text (as the "Declaration of Independence").
Thanks

And I apologize for my bad English


Isabelle (from France)

- --
Fabrice Gély
Email : [EMAIL PROTECTED]
Site : http://perso.wanadoo.fr/gely

=====BEGIN PGP SIGNATURE=====
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBONphfiKwoU/TrdVuEQL4yQCgioSmRN+eXReGP1Sv2nEDcZTqGsIAnjNO
lpf5LMYdVqCTdSxEqq1U3vvy
=F3nC
=====END PGP SIGNATURE=====

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Factoring Large Numbers - I think I figured it out!
Date: Thu, 23 Mar 2000 18:28:08 GMT

Richard Anthony Hein wrote:
> Oh yeah, I forgot to mention that the method would have enabled us to solve
> for the 3 numbers which multiply to make a number as simply as 2 numbers,
> and at the same time.  4 and more would also eventually be possible ... if
> it would have worked.  Or is this something that we are already able to do
> efficiently?

It doesn't much matter, because once one factor is known, division by
that factor is very fast, relatively speaking, so you just iterate
the factoring method.  Compared to the cost of finding even *one*
(nontrivial) factor, the rest of that procedure is peanuts.

------------------------------

From: Mike Rosing <[EMAIL PROTECTED]>
Subject: bigfloat works (kinda)
Date: Thu, 23 Mar 2000 13:35:26 -0600

It looks like the "bigfloat" stuff works
(http://www.terracom.net/~eresrch/float)

I tested it by computing the order of several Koblitz curves.  I didn't
get correct answers for two curves, but the results are integers, so it's
damn close.  There may be some pretty subtle bugs in the way it detects
a carry in the multiply routine, or it may be blatantly obvious to anyone
who tries to read the code.  If so, please let me know!

The code is free for any purpose, so have fun.

Patience, persistence, truth,
Dr. mike

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Opinions?
Date: Thu, 23 Mar 2000 18:37:35 GMT

[EMAIL PROTECTED] wrote:
> At least from the standpoint of today's science, it is absolutely
> impossible to positively prove (i.e. verify) that something is purely
> random. Even funnier, if an RNG happens to produce all complete
> volumes of Shakespeare's work translated into Hindi, this would not prove
> positively that the RNG in question does not produce "true" randomness.
> Any RNG based on radioactive decay might at any time produce Shakespeare's
> complete work and then continue to produce sequences that appear "more
> random".

The problem lies in attempting to claim 100% certainty.
What one *should* do is ascertain the *likelihood* of the hypothesis
based on the observations.  There is a well-developed methodology
for this.
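
One instance of the methodology Gwyn refers to, as an added example that is not part of the post: the frequency (monobit) test from NIST SP 800-22 treats "the source is uniform" as a hypothesis and reports a p-value, the probability that a uniform source would produce a bit balance at least as lopsided as the one observed. A low p-value is evidence against the source; a high one never proves randomness, which is exactly the point made above. The sample inputs in the test are constructed.

```python
# Added example (not from the post): the NIST SP 800-22 frequency (monobit) test
# as a likelihood-based check on an RNG, rather than a proof of randomness.
import math


def bits_of(data: bytes):
    """Bits of a byte string, most significant bit of each byte first."""
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def monobit_p_value(bits) -> float:
    """P-value of the frequency test: map bits to +1/-1, sum them, and ask how
    likely a uniform source is to give a partial sum at least this far from 0."""
    n = len(bits)
    if n == 0:
        raise ValueError("need at least one bit")
    s = sum(1 if b else -1 for b in bits)
    return math.erfc(abs(s) / math.sqrt(2 * n))


def monobit_passes(data: bytes, alpha: float = 0.01) -> bool:
    """NIST's decision rule: reject the uniformity hypothesis when p < alpha.
    Passing only means the data is not inconsistent with a uniform source."""
    return monobit_p_value(bits_of(data)) >= alpha


if __name__ == "__main__":
    # Constructed inputs: perfectly balanced bytes, all-zero bytes, one odd byte.
    for label, sample in [("0x55 * 64", b"\x55" * 64),
                          ("0x00 * 64", b"\x00" * 64),
                          ("0x01", b"\x01")]:
        p = monobit_p_value(bits_of(sample))
        print(f"{label:10s} p = {p:.4g}  pass = {monobit_passes(sample)}")
```

In practice the test is one of a battery, run over many blocks, and the distribution of p-values across blocks is itself examined; a single block that passes says little, which is the statistical form of Gwyn's objection to claiming certainty.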

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: More weapons for Mallory against Quantum Encryption
Date: Thu, 23 Mar 2000 18:41:52 GMT

[EMAIL PROTECTED] wrote:
>    Based on measured error rates, strict upper
> bounds can be set on the possible amount of
> info known to an eavesdropper.

Indeed, I just finished listening to a seminar by one of
our researchers, Howard Brandt, who has published papers
on this topic.  (He holds a patent on a particular design
of a receiver for such communication.)

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Do you think I'm ready?  What do I need?
Date: Thu, 23 Mar 2000 18:58:21 GMT

RecilS wrote:
> Basically I'm 16 years old with a very good working knowledge of programming
> (c++ or vb and some ASM).  I'm in Algebra II at the moment but I'm studying
> calculus in my free time and use many more advanced functions for motion
> path functions and things of that nature.

I'm not sure what "more advanced functions" are (distributions?) nor
what "motion path functions" are, but probably these are irrelevant.

> I've come up with my own ciphers which invariably end up looking something
> like a Vernon variety, using unique sources for keys (translated images,
> etc), many of which are time-sensitive as well.  I've got a good hold of
> communications (winsock mostly) and am now writing my own stenography
> utility.
> Do you think I should attempt higher-level algorithms before I've gotten
> into calculus or wait?  I think I could handle it but there are a lot of
> skills I'm missing
> Do you think that variations of the Vernon cipher using 'garbage' data are
> effective?

I think you must mean the Vernam cipher, commonly lumped with "one-time
pad".  For security, the key must be completely random (not generated by a
patterned process), as long as the data to be enciphered, used only one
time, and kept secret from any potential eavesdropper.  The practical
difficulty lies in getting that amount of key material to *both* parties
in the (authorized) communication; since it is at least as lengthy as the
data to be protected in such a communication, securely communicating it
to the communicants seems to result in a "vicious circle".

I don't think calculus as such will help you much with the discrete
algebra used in cryptology, although it has secondary uses and you need
to learn it.

One wonders what the *purpose* of your development of algorithms is.
If it is to produce a secure encryption system for practical use, I'd
say you're tackling it prematurely.  If it's just part of a learning
process, fine, but you will learn more from trying to *break* the
system than from building it.
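
The Vernam requirements Gwyn lists, enforced in code, together with what goes wrong when the "used only one time" rule is broken. This is an added example, not code from either poster; the key, the two messages and the use of the OS random source are constructed for the demonstration.

```python
# Added example (not from the post): Vernam / one-time pad with the key-length
# and single-use rules enforced, plus the two-time-pad leak that key reuse causes.
import os


def vernam(data: bytes, key: bytes) -> bytes:
    """XOR data with key; refuses a key shorter than the data."""
    if len(key) < len(data):
        raise ValueError("key must be at least as long as the data")
    return bytes(d ^ k for d, k in zip(data, key))


def fresh_key(n: int) -> bytes:
    """Key material from the OS random source: as close to 'not a patterned
    process' as a program can get, and the part that must reach both parties."""
    return os.urandom(n)


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """What an observer can compute when one key pads two messages:
    c1 XOR c2 == m1 XOR m2, the key cancels and equal bytes show up as 0x00."""
    return bytes(a ^ b for a, b in zip(c1, c2))


class OneTimePad:
    """Consumes key material strictly once, so no key byte is ever reused."""

    def __init__(self, key: bytes):
        self._key = key
        self._pos = 0

    def encrypt(self, data: bytes) -> bytes:
        end = self._pos + len(data)
        if end > len(self._key):
            raise ValueError("key material exhausted; never reuse a pad")
        ct = vernam(data, self._key[self._pos:end])
        self._pos = end                       # this stretch of key is now spent
        return ct


if __name__ == "__main__":
    key = fresh_key(64)
    m1, m2 = b"meet me at dawn", b"meet me at dusk"   # constructed messages
    pad = OneTimePad(key)
    c1 = pad.encrypt(m1)
    c2 = pad.encrypt(m2)                      # different key bytes: no leak
    print("properly padded:", two_time_pad_leak(c1, c2).hex())
    # Reusing the same key bytes for both messages exposes where they agree.
    bad1, bad2 = vernam(m1, key), vernam(m2, key)
    print("key reused:     ", two_time_pad_leak(bad1, bad2).hex())
```

The `OneTimePad` class is the only thing in the block that the XOR itself does not give you: the cipher is trivial, and all of the security lives in the key handling Gwyn describes.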

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Do you think I'm ready?  What do I need?
Date: Thu, 23 Mar 2000 19:00:57 GMT

Dan Day wrote:
>    Q:  "Can you play the guitar"?
>    A:  "I don't know -- I've never tried.  Hand me a guitar and
>        I'll find out."
> That attitude will take you farther in life than any amount of
> classroom time.  In the trite slogan of a Nike commercial,
> "Just Do It".  That applies to more than just sports.

I frankly think that we have far too many instances already
of people who don't know what they're doing going ahead and
"just doing".  That includes musically incompetent guitar players.

------------------------------

Date: Thu, 23 Mar 2000 15:03:39 -0500
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Crossposted-To: rec.gambling.poker
Subject: Re: Open source or not. (Was: Re: Planet Poker Claims...)

"Tony L. Svanstrom" wrote:

> Mike Caro <[EMAIL PROTECTED]> wrote:
>
> > It is my policy not to respond to messages that were posted to more
> > than one newsgroup. But since you're a contributor in good standing at
> > rec.gambling.poker,
>
> Thank you, there are two reasons for me to include crypto-related NGs
> every now and then. First of all, I feel that it will be good for poker
> if people working with such things become more active when it comes to
> on-line poker-related matters; the second reason is something I think I
> shouldn't openly admit...  I'm just very pro-open source when it comes
> to security and I knew the people in sci.crypt would be "on my side". ;)
>
> > I will tell you that I had nothing whatsoever to do with developing any of
> > the algorithms that Planet Poker uses to generate pseudo-random numbers.
>
> I didn't think that you'd designed it, I asked how much crypto-related
> programming you've done simply because you said this:
>
> > > > While I know the methods used and don't think people would have much
> > > > success,
>
> Just wanted to know if you had a background within a related field.
>
> > > > you've got to admit that publishing gives scoundrels some minor
> > > > advantage over not publishing.
>
> Nope, I don't, and not many would agree with you.

Anyone who believes in disclosure standards based on "need to know" would agree with 
him.  Theoretical security provisions are quite distinct from operational security 
issues.  And NTK is an elementary component of operational security.



------------------------------

Date: Thu, 23 Mar 2000 15:08:10 -0500
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Crossposted-To: rec.gambling.poker
Subject: Re: Open source or not. (Was: Re: Planet Poker Claims...)

Eric Lee Green wrote:

> "Tony L. Svanstrom" wrote:
> >
> > Mike Caro <[EMAIL PROTECTED]> wrote:
> >
> > > I would have no objection to Planet Poker making their random number
> > > algorithms public. There are two arguments about that, though. One is that
> > > publishing the inner workings of the pseudo-random shuffles invites people
> > > to try to decipher the logic. While I know the methods used and don't
> > > think people would have much success, you've got to admit that publishing
> > > gives scoundrels some minor advantage over not publishing.
>
> I admit nothing of the sort.
>
> See David Wagner's reverse engineering of the (closed source) Netscape PRNG at
> http://www.cs.berkeley.edu/~daw/papers/ for a classic example of how a "bad
> guy" would go about reverse-engineering something. We're lucky that in this
> case a "good guy" got to the ball first, otherwise we would have had a MAJOR
> melt-down in e-commerce as people made "secure" connections that weren't...

But open source is not the only mechanism by which one can obtain sufficient review to 
guard against this kind of thing.  Had Netscape used any kind of sensible security 
review the loophole would probably have been closed much earlier.  The point is that open 
source is the extreme end of a spectrum of possibilities.  The other end is the 
paranoia displayed by unsophisticated security users who think that any disclosure to 
anyone will hurt them.  Generally the truth lies somewhere in between the extrema. ;-)


------------------------------

From: [EMAIL PROTECTED] (A. Prock)
Crossposted-To: rec.gambling.poker
Subject: Re: Open source or not. (Was: Re: Planet Poker Claims...)
Date: 23 Mar 2000 20:02:19 GMT

According to Mike Caro  <[EMAIL PROTECTED]>:
>On Thu, 23 Mar 2000 15:41:50 GMT, Eric Lee Green <[EMAIL PROTECTED]>
>wrote:
>>See David Wagner's reverse engineering of the (closed source) Netscape PRNG at
>>http://www.cs.berkeley.edu/~daw/papers/ for a classic example of how a "bad
>>guy" would go about reverse-engineering something. We're lucky that in this
>>case a "good guy" got to the ball first, otherwise we would have had a MAJOR
>>melt-down in e-commerce as people made "secure" connections that weren't...
>
>As I've said elsewhere, I haven't actually taken a position on whether
>disclosure would be better or worse in the case of online poker. I'm
>only saying that the arguments for disclosure are not as clear as some
>have supposed.

The simple truth is, with disclosure, while it may be easier to break
the algorithm, it adds a certain level of discourse and openness which
is GOOD for the game.

Going directly to the heart of the matter, Planet Poker, Paradise Poker,
and all of the other online poker rooms are asking us to play with 
cards which we haven't seen shuffled.  In a live game it would be analogous
to bringing out a new deck of cards each hand, which have been "shuffled"
in the back room somewhere, and dealing it "cold".

Would you play poker under these conditions?

- Andrew

------------------------------

From: [EMAIL PROTECTED] (A. Prock)
Crossposted-To: rec.gambling.poker
Subject: Re: Open source or not. (Was: Re: Planet Poker Claims...)
Date: 23 Mar 2000 20:06:49 GMT

According to A. Prock <[EMAIL PROTECTED]>:
>Going directly to the heart of the matter, Planet Poker, Paradise Poker,
>and all of the other online poker rooms are asking us to play with 
>cards which we haven't seen shuffled.  In a live game it would be analogous
>to bringing out a new deck of cards each hand, which have been "shuffled"
>in the back room somewhere, and dealing it "cold".

I may not have been clear here.  What I'm trying to say is that the
online card rooms are asking us to play *without* knowing how the
deck was shuffled.  

In a real card room we get to see how the deck is shuffled.  Simply
knowing how the cards are mixed up is important.  If a live dealer
hid the cards while they were being shuffled, we would be much more
suspicious.

Hiding the shuffling algorithm is the electronic equivalent of hiding
the cards when they are shuffled.

- Andrew

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************