Cryptography-Digest Digest #489, Volume #11 Tue, 4 Apr 00 22:13:01 EDT
Contents:
Re: time-lock crypto (Tom St Denis)
Re: Encryption strength proportional to encrypted message length? (David Hopwood)
Re: Encryption strength proportional to encrypted message length? (David Hopwood)
Re: time-lock crypto (Amily Nerko)
Re: Magnetic Remenance on hard drives. (was: Re: Evidence Eliminator - Who is trying
to silence our program? It's not working...) (Bill Unruh)
Re: Q: Entropy (Bryan Olson)
Re: Q: Entropy (Bryan Olson)
Re: Encryption strength proportional to encrypted message length?
([EMAIL PROTECTED])
Extended Euclidean Algo ("Simon Brown")
Extended Euclidean Algo ("Simon Brown")
Re: OAP-L3: Semester 1 / Class #1 All are invited. (DMc)
Re: time-lock crypto (Tom St Denis)
Re: Magnetic Remenance on hard drives. (Alan Gottschald)
Re: new Echelon article ("Charles R. Lyttle")
Re: Test Posting - Please ignore ("Randy Given")
----------------------------------------------------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: time-lock crypto
Date: Tue, 04 Apr 2000 23:28:05 GMT
Doh I broke my own scheme. That sucks. Let's assume we have
p = large prime
n = q - isqrt(pq)
Then you need only search 'n' diff values of 'n' to solve for 'q'. That
is, if 0 < n < 2^40, we need to test only up to 2^40. And it's simpler
to do 2^40 trial solutions like so:
1. guess n
2. get a = n + isqrt(pq)
3. If a divides pq, you win :)
As long as these three steps are not slower than one iteration of
Alg.C, my time-lock method is broken. Worse, this solution can be
parallelized. So m machines make it m times faster.
If for 'm' machines using Alg.C is still faster then all is not lost.
Note that Alg.C is simply addition and subtraction, whereas the above
attack requires division. So if Alg.C is n times faster than above
where n > m, my time lock crypto works.
Tom
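Tom's three steps as runnable code, added here as an illustration (my own code, not Tom's; his Alg.C is not shown in the thread, so only the search side is modelled). The point it makes visible is that the cost of opening the lock is exactly the gap q - isqrt(pq) counted in trials, so the scheme is only as strong as that gap is guaranteed to be large. The primes are constructed toy values.

```python
import math


def close_factor_search(N, max_n):
    """Tom's three-step search: guess n, form a = n + isqrt(N), test whether
    a divides N.  Returns (a, N // a, trials) on success, or None if no n up
    to max_n works.  The trial count grows linearly with the gap."""
    root = math.isqrt(N)
    for n in range(1, max_n + 1):
        a = root + n
        if N % a == 0:          # the only step that needs a division
            return a, N // a, n
    return None


# Constructed toy instance (not from the post): two nearby primes, so the
# gap n = q - isqrt(pq) is tiny and the puzzle falls in a handful of trials.
P_NEAR, Q_NEAR = 10007, 10037
N_NEAR = P_NEAR * Q_NEAR

# Constructed contrast: a wide gap.  With the same trial budget the search
# fails, which is the property the time-lock would need the gap to have.
P_FAR, Q_FAR = 10007, 1000003
N_FAR = P_FAR * Q_FAR


def demo(budget=1 << 16):
    """Run both instances under one trial budget; returns the two results."""
    return close_factor_search(N_NEAR, budget), close_factor_search(N_FAR, budget)


if __name__ == "__main__":
    near, far = demo()
    print("near-prime instance:", near)   # (10037, 10007, 16)
    print("wide-gap instance:  ", far)    # None within 2**16 trials
```

Raising the budget to 2**20 recovers the wide-gap instance too, because its gap is below 2**20; nothing about the lock limits the attacker except that number.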
------------------------------
Date: Tue, 04 Apr 2000 22:16:33 +0100
From: David Hopwood <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Encryption strength proportional to encrypted message length?
[EMAIL PROTECTED] wrote:
> Is the Encryption (Public/Private Key) strength proportional
> to the encrypted message length???
No.
> I think about this:
>
> Two party exchange a message (XML). I want a 3rd party VALIDATE
> the message structure (with a DTD) without know the message content.
One way is to define a compressed encoding of XML such that the
decoding of an arbitrary string of bytes is guaranteed to be
well-formed (easy) and valid according to that DTD (harder). Then
encrypt the encoded form.
Using a third party seems an awfully complicated way of doing things,
and increases the number of ways the system can be attacked. Why
can't the party that decrypts the message do the validation, and just
ignore the message if it fails?
> I can realize this by only encrypted the content.
Of course this gives away the structure, which for a typical XML
document, is giving away a lot.
> But, my question is: is it easier to decrypt a lot of small strings
> than a big string???
No. You can decrypt the small strings in parallel, but you could also
decrypt the big string in parallel if you used a suitable block cipher
mode. There is no significant difference in the total amount of work
needed, if the number of blocks is the same.
--
David Hopwood <[EMAIL PROTECTED]>
PGP public key: http://www.users.zetnet.co.uk/hopwood/public.asc
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5 0F 69 8C D4 FA 66 15 01
------------------------------
Date: Tue, 04 Apr 2000 22:32:14 +0100
From: David Hopwood <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Encryption strength proportional to encrypted message length?
[EMAIL PROTECTED] wrote:
> In article <O8oG4.36889$[EMAIL PROTECTED]>,
> [EMAIL PROTECTED] wrote:
> > I may be overly dense this morning but I can't think of any way to
> > validate a document instance without the tags. Are you planning on
> > encrypting only the data between them?
> >
> > If so, then yes, this is _a lot_ weaker than encrypting the longer
> > document. Not because the strings are shorter, but because you have
> > access to so much info about the structure of the plaintext.
>
> I disagree. Information about the structure of the plaintext is bound
> to eventually leak out anyway, and when it does a long encrypted
> message (which includes the tags) will be vulnerable to a known plain
> text attack - simply because the tags are known.
I disagree strongly. It's sensible not to assume that the structure is
unknown, but that's very different from assuming that it is always
"bound to eventually leak out anyway", and therefore shouldn't be
encrypted. If the possibility of parts of a data stream being known
were a valid argument for leaving those parts in the clear, you'd end
up not encrypting anything.
A general rule of thumb is to encrypt everything that can be encrypted,
and to use a cipher that is designed to resist known (and chosen) plaintext
attack, and has been extensively analysed under that attack model.
--
David Hopwood <[EMAIL PROTECTED]>
PGP public key: http://www.users.zetnet.co.uk/hopwood/public.asc
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5 0F 69 8C D4 FA 66 15 01
------------------------------
From: [EMAIL PROTECTED] (Amily Nerko)
Subject: Re: time-lock crypto
Date: Tue, 04 Apr 2000 23:59:13 GMT
Tom St Denis <[EMAIL PROTECTED]> wrote:
>Here's another idea for time-lock crypto.
Do you have an example application in mind, either real or imagined, for
this? In what situation would this be useful, where you couldn't just wait
until the time comes and release the information or key then.
--
"Amily Nerko" is actually 1286 504397 <[EMAIL PROTECTED]>.
01234 56789 <- Use this key to decode my email address and name.
Play Five by Five Poker at http://www.5X5poker.com.
------------------------------
From: [EMAIL PROTECTED] (Bill Unruh)
Crossposted-To: alt.privacy,alt.security.pgp
Subject: Re: Magnetic Remenance on hard drives. (was: Re: Evidence Eliminator - Who is
trying to silence our program? It's not working...)
Date: 5 Apr 2000 00:16:34 GMT
>Thor Arne Johansen <[EMAIL PROTECTED]> wrote:
>>I would challenge anyone to produce evidence that overwritten data can
>>be recovered. There seems to be some sort of consensus that
>>overwritten data can easily be recovered. Most of the descriptions of
>>how to do this are quasi-science at best, and mindless techno-ranting
>>at worst.
It is not easy. But it is not "techno-ranting".
a) disk drive heads do not follow the same location on the track each
time. There are areas of the written track that the erase head and
rewrite head miss.
b) hysteresis means that the magnetisation of a 1 written over a 0 is
slightly different from a 1 written over a 1, which can be used. None of
this is easy. All require dismantling the drive and carefully studying
the magnetisation of the different parts of the drive. There is a
difference between easy and possible.
------------------------------
From: Bryan Olson <[EMAIL PROTECTED]>
Subject: Re: Q: Entropy
Date: Wed, 05 Apr 2000 00:07:57 GMT
Mok-Kong Shen wrote:
> Bryan Olson wrote:
> >
> > Mok-Kong Shen wrote:
> > > Given an arbitrary (finite) bit sequence, how does one actually
> > > go about in practice to determine the entropy it contains?
> >
> > Remember that entropy is defined by probability. Given
> > a finite bit sequence but not a probability space,
> > there is no such thing as the entropy of the sequence.
>
> A further question: Does a normal English message have entropy?
The answer is exactly the same as above. A message
has entropy within a probability space of possible
messages. The answer will not change if the message
is English, French, a random bit stream, or the order
of cards in a deck.
> Presumably yes. Now if I change some words but retain the
> grammatical structures, does the new (artificial) message (that
> is not quite common) have a larger/smaller entropy? Or is it
> rather the case that one has no exact methodology to deal
> with that issue?
Vague issues do not give rise to exact methods.
--Bryan
--
email: bolson at certicom dot com
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: Bryan Olson <[EMAIL PROTECTED]>
Subject: Re: Q: Entropy
Date: Wed, 05 Apr 2000 00:35:43 GMT
Mok-Kong Shen wrote:
>
> After reflecting a bit more about tossing a perfect coin, I
> believe there is a paradox whose explanation I don't yet know.
> If a perfect coin is tossed n times, it generates a bit
> sequence of length n. How much entropy should I ascribe to
> that sequence? Note that the result is one of the binary numbers
> in the interval 0 to 2^n-1. Each of these numbers has an equal
> chance of turning up in my experiment. Suppose by chance I get
> the number 0, i.e. all n bits are 0. Should I still consider the
> sequence to have some entropy and, in particular, the same
> entropy as a sequence having an apparently fairly random pattern
> of 0 and 1? Thanks.
Once more: the information in a particular message text,
measured in entropy, is not a property of the text alone,
but of the text with its probability.
The reason for apparent paradox is that there are two
different probabilities at work: Given a perfect random bit
source the probability of n bits of output being the
all-zero string is 2^(-n). Given that a sci.crypt post
names some specific value as possible output from a perfect
random bit generator, the probability of that value being
the all zero string is (roughly) 0.93.
--Bryan
--
email: bolson at certicom dot com
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Encryption strength proportional to encrypted message length?
Date: 5 Apr 2000 00:51:36 GMT
In a previous article, David Hopwood <[EMAIL PROTECTED]> writes:
>[EMAIL PROTECTED] wrote:
>> I disagree. Information about the structure of the plaintext is bound
>> to eventually leak out anyway, and when it does a long encrypted
>> message (which includes the tags) will be vulnerable to a known plain
>> text attack - simply because the tags are known.
>
>I disagree strongly. It's sensible not to assume that the structure is
>unknown, but that's very different from assuming that it is always
>"bound to eventually leak out anyway", and therefore shouldn't be
>encrypted. If the possibility of parts of a data stream being known
>were a valid argument for leaving those parts in the clear, you'd end
>up not encrypting anything.
Well, it is not necessarily a bad thing to encrypt nothing. Encryption (a)
takes time, and (b) increases the risks, if even remotely, of a key recovery
attack. Only encrypt what you need to protect. But of course you have to
balance these considerations.
>A general rule of thumb is to encrypt everything that can be encrypted,
>and to use a cipher that is designed to resist known (and chosen) plaintext
>attack, and has been extensively analysed under that attack model.
You sound like a physician who prescribes antibiotics as a cure for
everything. Such prescriptions are prone to lead to huge problems with
multi-resistant bacteria.
------------------------------
From: "Simon Brown" <[EMAIL PROTECTED]>
Subject: Extended Euclidean Algo
Date: Wed, 05 Apr 2000 01:41:21 +0000
Hi, can someone give me a hand here?
I've been playing with Pate Williams' code from the Handbook of Applied
Crypto. I'm trying to calculate d for an RSA decrypt and I'm getting the
value of Phi - 1, not Phi + 1. That's Phi as in (P-1)(Q-1). It's probably
something silly but I can't seem to work it out.
Thanks
Simon
------------------------------
From: "Simon Brown" <[EMAIL PROTECTED]>
Subject: Extended Euclidean Algo
Date: Wed, 05 Apr 2000 01:39:07 +0000
Hi, can someone give me a hand here?
I've been playing with Pate Williams' code from the Handbook of Applied
Crypto. I'm trying to calculate d for an RSA decrypt and I'm getting the
value of Phi - 1, not Phi + 1. That's Phi as in (P-1)(Q-1). It's probably
something silly but I can't seem to work it out.
Thanks
Simon
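Simon's post does not show his code, so the following is an added example of my own (not the Handbook's or Pate Williams' code) of the computation he describes: d = e^-1 mod (P-1)(Q-1) via the extended Euclidean algorithm. The thing worth checking in any implementation is the sign of the Bezout coefficient: it can come out negative and must be reduced into [0, phi) before use, and a d that lands next to phi rather than inside that range is a common symptom of that normalisation going wrong. The primes here (p=61, q=53, e=17) are a constructed textbook-sized instance.

```python
def egcd(a, b):
    """Iterative extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b).
    x may be negative; callers must reduce it before using it as an exponent."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t


def modinv(e, phi):
    """e^-1 mod phi, normalised into 0 <= d < phi.  Raises if gcd(e, phi) != 1."""
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e and phi are not coprime; no inverse exists")
    return x % phi          # Python's % already yields a non-negative result


def rsa_private_exponent(p, q, e):
    """d with e*d == 1 (mod (p-1)(q-1)), checked before it is returned."""
    phi = (p - 1) * (q - 1)
    d = modinv(e, phi)
    assert (e * d) % phi == 1
    return d


# Constructed instance (not from the post): p=61, q=53, e=17, so phi=3120.
P, Q, E = 61, 53, 17


def demo():
    """Returns (raw Bezout x, normalised d, round-trip ok) for the instance."""
    n, phi = P * Q, (P - 1) * (Q - 1)
    _, x, _ = egcd(E, phi)        # raw coefficient is -367 here, not a valid d
    d = rsa_private_exponent(P, Q, E)
    m = 65
    c = pow(m, E, n)
    return x, d, pow(c, d, n) == m


if __name__ == "__main__":
    print(demo())   # (-367, 2753, True)
```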
------------------------------
From: DMc <[EMAIL PROTECTED]>
Subject: Re: OAP-L3: Semester 1 / Class #1 All are invited.
Date: Wed, 05 Apr 2000 01:13:09 GMT
On Tue, 04 Apr 2000 16:03:15 -0700, lordcow77
<[EMAIL PROTECTED]> wrote:
>In article <[EMAIL PROTECTED]>, DMc
><[EMAIL PROTECTED]> wrote:
>>>Not true; the nth iterate of a LCG can be calculated based
>>>solely on the seed value to the generator. Hint: think modular
>>>exponentiation.
>>>
>>This is the stuff that makes me crazy. Do what you say you can do and
>>maybe I will understand. An engineer made the same claim in a magazine
>>article several years ago, and he was not even close.
>>
>
>It's proven in _Seminumerical Algorithms_.
Is this "The Art of Computer Programming, Volume 2, Seminumerical
Algorithms" 1st, 2nd, or 3rd Edition by any chance? I have the 3rd.
Give me the page number(s) for this proof. I am VERY familiar with
pages 1 -> 193 in this book.
>http://www.iro.umontreal.ca/~lecuyer/papers.html has some papers
>on pseudorandom number generation in general. Pick up one of the
>survey papers.
>
I am also familiar with Professor L'Ecuyer's writings.
[EMAIL PROTECTED]
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: time-lock crypto
Date: Wed, 05 Apr 2000 01:22:13 GMT
Amily Nerko wrote:
>
> Tom St Denis <[EMAIL PROTECTED]> wrote:
>
> >Here's another idea for time-lock crypto.
>
> Do you have an example application in mind, either real or imagined, for
> this? In what situation would this be useful, where you couldn't just wait
> until the time comes and release the information or key then.
The idea of time-lock crypto is that you can release a puzzle now [say a
bid for an auction, or mortgage payments, etc.] and it takes a set
amount of time to solve. So if I have a top secret document I can
time-lock it for 50 years and even if I don't want to give it out in 50
years you can solve it then.
Realistically you have to work on the problem for 50 straight years
after I release the puzzle... :-(
At any rate my method based on factoring is flawed.
Tom
------------------------------
From: net.netscape@agottschald (Alan Gottschald)
Crossposted-To: alt.privacy,alt.security.pgp
Subject: Re: Magnetic Remenance on hard drives.
Date: Wed, 05 Apr 2000 01:32:04 GMT
I like the emotion of this one, it really hits a warm spot in my
heart. I do remember nearly putting a piece of media through a wall
after a very trying day. But that was a long time ago. Trust me,
removing the cover to a hard drive, spinning it up, running the seek
diag and dropping some sand or kitty litter into it does just as good a
job, but the pyrotechnics look better and as you say the cold chisel is
so much more satisfying... :-)
Guess this should be cross posted to security, after all physical
security is the first step. :-)
"dlk" <[EMAIL PROTECTED]> wrote:
>The only problem with software solutions for this problem is the small but
>definite probability that it didn't work. If the data is truly that
>sensitive, nothing
>beats physical destruction: incineration and/or crushing the platters.
>
>Hard to read anything from a glob o' slag: A 'gas-ax' (oxy-acetylene
>torch) works wonders. Particularly if it has a cutting tip: heat 'em till
>they're cherry red then shoot the O2 to 'em - poof! platter & data are
>so much vapor.
>
>However, for drives that have given one some trouble in the past or
>contain software that one just loathes, you get some nice satisfaction from
>driving a cold chisel thru the !@#$ repeatedly with a hefty hammer...
>(just be sure and wear safety glasses: pieces-parts go everywhere!)
>
>Dave Keever
------------------------------
From: "Charles R. Lyttle" <[EMAIL PROTECTED]>
Crossposted-To: alt.politics.org.cia,alt.politics.org.nsa,talk.politics.crypto,alt.journalism.print,alt.journalism.newspapers
Subject: Re: new Echelon article
Date: Wed, 05 Apr 2000 02:00:31 GMT
JimD wrote:
>
> On Tue, 04 Apr 2000 04:45:42 GMT, [EMAIL PROTECTED] wrote:
>
> >On Sat, 18 Mar 2000 20:28:20 GMT, [EMAIL PROTECTED] (JimD)
> >wrote:
> >
> >>On Sat, 18 Mar 2000 15:01:58 GMT, [EMAIL PROTECTED] wrote:
> >>
> >>>On Sat, 18 Mar 2000 09:33:08 GMT, "Douglas A. Gwyn" <[EMAIL PROTECTED]>
> >>>wrote:
> >>>
> >>>>Jos Horikx wrote:
> >>>>> Another interesting echelon-article on:
> >>>>> http://cryptome.org/echelon-cia2.htm
> >>>>
> >>>>Thanks; that was a refreshing change from Duncan-Campbellism.
> >>>
> >>>Made even more interesting in that Mr. Woolsey is defending himself
> >>>and his methods of industrial espionage against accusations not yet
> >>>cast.
> >>>
> >>>Mr. Woolsey claims in that Wall Street Journal opinion that the EU
> >>>report accuses the CIA/NSA of using Echelon to steal technology from
> >>>non-U.S. companies. While I don't doubt that technology theft occurs,
> >>>the report by Duncan Campbell -- from my reading of it -- concerned
> >>>itself with asserting the U.S. might be using this eavesdropping
> >>>network to help specific companies _win contracts_.
> >>
> >>Well of course they do! Isn't '...the economic well-being of the
> >>United States.' part of the NSA's mission statement?
> >>
> >>They ALL do it...Britain, France, Germany, Israel, Russia, China...
> >>New focus to justify their existence post Cold-War, and it helps
> >>to maintain the funding.
> >>
> >>--
> >>Jim Dunnett.
> >>dynastic at cwcom.net
> >>Exiled in Somerset
> >>Right at the heart of England's BSE Industry.
> >
> >
> >Again, as I've noted, I haven't read the NSA's mission statement. But
> >... in the U.S., we have this thing called a Constitution, and the 5th
> >Amendment to the thing states:
> >
> >"No person shall be held to answer for a capital, or otherwise
> >infamous crime, unless on a presentment or indictment of a grand jury,
> >except in cases arising in the land or naval forces, or in the
> >militia, when in actual service in time of war or public danger; nor
> >shall any person be subject for the same offense to be twice put in
> >jeopardy of life or limb; nor shall be compelled in any criminal case
> >to be a witness against himself, nor be deprived of life, liberty, or
> >property, without due process of law; nor shall private property be
> >taken for public use, without just compensation."
> >
> >The pertinent section here is "No person shall be ... deprived of
> >life, liberty, or property, without due process of law."
> >
> >If the CIA/NSA are assisting specific U.S. corporations win contracts
> >overseas, as it appears they are via Commerce/SBA/State Depts., et al,
> >(or assisting those corporations obtain specific technology), they are
> >depriving other U.S. persons who work for competing companies of
> >property by preventing those persons and their companies from winning
> >the contracts themselves.
>
> That's an interesting slant. I wonder how they decide which companies
> are worthy of this intelligence?
>
The one who made the last biggest donation to the correct politician's
re-election campaign. The United States: the best government money can buy.
> If the following document is to be believed, they ARE doing it:
>
> http://www.cyber-rights.org/interception/stoa/ic2kreport.htm#Report
>
> Section 5 - Comint & Economic Intelligence.
>
> --
> Jim Dunnett.
> dynastic at cwcom.net
>
> He who laughs last doesn't
> get the joke.
--
Russ Lyttle, PE
<http://www.flash.net/~lyttlec>
Thank you Melissa!
Not Powered by ActiveX
------------------------------
From: "Randy Given" <[EMAIL PROTECTED]>
Subject: Re: Test Posting - Please ignore
Date: Wed, 05 Apr 2000 02:01:19 GMT
> Test Posting - Please ignore
Please post test postings to <alt.test>.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************