Cryptography-Digest Digest #611, Volume #11 Sun, 23 Apr 00 04:13:02 EDT
Contents:
Re: Security of iterated ciphers (was Re: OAP-L3) ("Joseph Ashwood")
Re: Tutorial on text encryption ("Joseph Ashwood")
Re: (MERCY) Overcomming the slack used by IV's ("Joseph Ashwood")
Re: The Illusion of Security ("Joseph Ashwood")
Re: OAP-L3: Secure, but WAY more dificult to use than other equally ("Trevor L. Jackson, III")
Re: The Illusion of Security (Sean Glazier)
Re: The Illusion of Security (David A Molnar)
Re: The Illusion of Security (John Savard)
quantum computation FAQ? (David A Molnar)
Re: The Illusion of Security (John Savard)
Re: The Illusion of Security ("Joseph Ashwood")
Re: The Illusion of Security (Mike Kent)
Re: Szopa: troll or snake-oil salesman? (Boris Kazak)
Re: The Illusion of Security (Terry Ritter)
Re: The Illusion of Security (Terry Ritter)
Re: The Illusion of Security (Terry Ritter)
----------------------------------------------------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Security of iterated ciphers (was Re: OAP-L3)
Date: Sat, 22 Apr 2000 19:32:02 -0700
> My apologies for poor terminology and vagueness. I snapped that one off in a
> real hurry (and on a sugar and caffeine buzz!). What I meant is that given a
> round function F which is not a group and not "near" a group, then applying
> F(k1, F(k2, F(k3, ........F(kn,M) ....))) with independent ki's will
> eventually approach something like a secure algorithm. This is an old chestnut
> that I have heard from more than a few others in the field that I echoed
> without a proper level of explanation (and qualification).
Except that it is trivially provable that if the function F
has a bounded output range, it must have group properties
after k iterations, where k is the space of the output.
Since he has yet to fully reveal his functions we cannot
determine at what point they will exhibit group tendencies.
Given 3000 characters, the output space of F would have to
be at least 2^24000. That's a very large space for something
to not have any further weaknesses that would create closer
group tendencies.
Joe
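The pigeonhole fact behind the bound Joe refers to, as an added Python example that is not part of the digest or of any poster's code: iterating one fixed keyed map on a set of N values must revisit a value within N applications, and because the toy round here is a permutation, some finite number of iterations maps every input back to itself. The 8-bit round function and its S-box are constructed for illustration only and are not any real cipher's; the example covers a single fixed key, not the independent-per-round keys the quoted message qualifies its claim with.

```python
# Added example (not from the digest): pigeonhole bound on iterating a
# fixed keyed map over a finite output space. Toy construction only.
from math import gcd

N = 256  # output space of the toy 8-bit round function

# Constructed S-box: an arbitrary bijection on 0..255 (167 is odd, so
# x -> 167*x + 13 mod 256 is a permutation). Not any real cipher's S-box.
SBOX = [(x * 167 + 13) % 256 for x in range(N)]


def lcm(a: int, b: int) -> int:
    return a * b // gcd(a, b)


def round_fn(k: int, x: int) -> int:
    """Toy keyed round: key mix, substitution, then rotate left by 3 bits.
    Every step is a bijection on 8-bit values, so F_k is a permutation."""
    y = SBOX[(x ^ k) & 0xFF]
    return ((y << 3) | (y >> 5)) & 0xFF


def is_bijective(k: int) -> bool:
    """Sanity check used by the other functions' reasoning."""
    return len({round_fn(k, x) for x in range(N)}) == N


def orbit_length(k: int, x0: int) -> int:
    """Applications of F_k (fixed key) until a previously seen value recurs.
    The orbit lives inside a set of size N, so the answer is at most N."""
    seen = {x0}
    x = x0
    steps = 0
    while True:
        x = round_fn(k, x)
        steps += 1
        if x in seen:
            return steps
        seen.add(x)


def permutation_order(k: int) -> int:
    """Smallest t >= 1 with F_k applied t times equal to the identity on the
    whole domain: the lcm of the cycle lengths of the permutation F_k."""
    visited = [False] * N
    order = 1
    for start in range(N):
        if visited[start]:
            continue
        length = 0
        x = start
        while not visited[x]:
            visited[x] = True
            x = round_fn(k, x)
            length += 1
        order = lcm(order, length)
    return order


def iterate(keys, x: int) -> int:
    """Apply the round once per key, innermost key first (as in F(k1, F(k2, ...)))."""
    for k in reversed(keys):
        x = round_fn(k, x)
    return x


def is_identity_after(k: int, t: int) -> bool:
    """True when t applications of F_k return every input to itself."""
    return all(iterate([k] * t, x) == x for x in range(N))


if __name__ == "__main__":
    key = 0x5A
    print("bijective:", is_bijective(key))
    print("orbit length of 3 under F_k:", orbit_length(key, 3), "(<= N =", N, ")")
    t = permutation_order(key)
    print("order of F_k:", t, "identity after t:", is_identity_after(key, t))
```

The order of a permutation on N points can be far larger than N (it is only bounded by N!), which is why the single-orbit pigeonhole bound and "the whole map returns to the identity" are different statements; the example computes both so the distinction is visible on a domain small enough to enumerate.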
------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Tutorial on text encryption
Date: Sat, 22 Apr 2000 19:34:38 -0700
Except it's non-invertible.
> ??? This cipher is VERY secure... :-))))
------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: (MERCY) Overcomming the slack used by IV's
Date: Sat, 22 Apr 2000 19:38:47 -0700
Because if you expand the sector number, you simply cannot
run a defragmenter that doesn't know all your keys.
Joe
> However why can't you just expand the sector number to the size of the
> block?
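What the reply is getting at, as an added Python example that is not part of the digest: when a sector's encryption is bound to its sector number, a defragmenter that moves ciphertext bytes without the key leaves a sector that no longer decrypts, so a correct move must decrypt under the old sector number and re-encrypt under the new one. The construction is a toy stand-in (an HMAC-SHA256 keystream bound to the sector number), not a real disk-encryption mode and not a recommendation; sector numbers, payload and key are constructed for the demo.

```python
# Added example (not from the digest): sector-bound encryption and why a
# defragmenter needs the key. Toy keystream construction for illustration only.
import hashlib
import hmac

BLOCK = 64  # toy sector size in bytes


def keystream(key: bytes, sector_no: int, length: int) -> bytes:
    """Per-sector keystream: HMAC-SHA256(key, sector_no || counter), expanded
    block by block. Stands in for a real sector-tweaked mode."""
    out = b""
    ctr = 0
    while len(out) < length:
        msg = sector_no.to_bytes(8, "big") + ctr.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def encrypt_sector(key: bytes, sector_no: int, plaintext: bytes) -> bytes:
    assert len(plaintext) == BLOCK
    ks = keystream(key, sector_no, BLOCK)
    return bytes(p ^ k for p, k in zip(plaintext, ks))


decrypt_sector = encrypt_sector  # XOR with the keystream is its own inverse


def naive_move(disk: dict, src: int, dst: int) -> None:
    """Key-less defragmenter: copies the ciphertext bytes to the new sector as-is."""
    disk[dst] = disk[src]
    del disk[src]


def keyed_move(disk: dict, key: bytes, src: int, dst: int) -> None:
    """Key-aware move: decrypt under the old sector number, re-encrypt under the new."""
    pt = decrypt_sector(key, src, disk[src])
    disk[dst] = encrypt_sector(key, dst, pt)
    del disk[src]


def demo(key: bytes = b"constructed-demo-key") -> tuple:
    """Returns (naive_move_decrypts_ok, keyed_move_decrypts_ok)."""
    pt = b"sector payload ".ljust(BLOCK, b".")  # constructed payload
    disk = {5: encrypt_sector(key, 5, pt)}
    naive_move(disk, 5, 9)
    naive_ok = decrypt_sector(key, 9, disk[9]) == pt
    disk = {5: encrypt_sector(key, 5, pt)}
    keyed_move(disk, key, 5, 9)
    keyed_ok = decrypt_sector(key, 9, disk[9]) == pt
    return naive_ok, keyed_ok


if __name__ == "__main__":
    print("naive move decrypts correctly:", demo()[0])
    print("keyed move decrypts correctly:", demo()[1])
```

The same dependency exists whether the sector number is used as a tweak, folded into an IV, or expanded to fill a block: anything that ties the ciphertext to its location makes every relocation a cryptographic operation rather than a byte copy.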
------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: The Illusion of Security
Date: Sat, 22 Apr 2000 19:48:22 -0700
> This is pure garbage.
On what grounds? My statements are effectively:
1) We cannot know the absolute security of a cipher
2) We cannot yet put a lower bound on the security above 0
3) We cannot determine if we have found the best attack
against a cipher
4) Ritter has said all these in different ways.
5) It is almost certain that in 25 years we will have better
attacks against whatever is chosen for AES
6) That you should not misrepresent the state of the art by
saying something is secure (which implies proof of some
kind, beyond anecdotal)
7) That by following Ritter's arguments closely you can help
prevent finding your understood security reduced to 0
8) the steps required to increase your odds of security are
not obvious to many people (I can show you many programs
that anecdotally prove this statement)
Everything else was clearly stated as conjecture, not as
fact.
> We can measure the security of a cipher right
> now. Are our measurements definitive? No.
Ok, give me the lower bound of the security of DES? Even
approximations.
>
> We can tell when a cipher is obviously or subtly flawed (DES, FEAL, RC5,
> Blowfish, CAST, 3-WAY, IDEA, RC2, RC6, Twofish, Serpent..... all have
> detected problems). But is it conclusive? No really. Just like any
> statistical test is not the final answer.
It gives us an absolute upper bound on the security, but we
still do not have a lower bound. Your conclusion based on
this was that the alternative is to throw all our ciphers
away. You have once again not seen all the possibilities;
you can increase the probability that the actual lower bound
of security is above 0 by doing various things.
Joe
------------------------------
Date: Sat, 22 Apr 2000 23:10:57 -0400
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: OAP-L3: Secure, but WAY more dificult to use than other equally
Guy Macon wrote:
> In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Tom St Denis) wrote:
> >
> >
> >
> >lordcow77 wrote:
> >>
> >> In article <[EMAIL PROTECTED]>, Anthony Stephen
> >> Szopa <[EMAIL PROTECTED]> wrote:
> >> >I just put you in my permanent kill file then I read this.
> >>
> >> Hello?!?! If he were in your killfile, you wouldn't even see his
> >> message. If your understanding of how to use simple newsreader
> >> software is so defective (or you're just a blustering liar), how
> >> can it be expected that your cryptography software is any better.
> >
> >Not to be irrelevant but for someone that pulls apart my language you
> >should have said "cryptographic software" not "cryptography software"..
>
> I have seen software that is cryptographic here, but some of the
> software here is just cryptic.
Some of the current threads ought to be submitted to "Tales from the Crypt"
>
>
> >Hehehe, I am just joking around.
> >
> >Tom
>
> Me too.
>
> Guy
------------------------------
From: Sean Glazier <[EMAIL PROTECTED]>
Subject: Re: The Illusion of Security
Date: Sat, 22 Apr 2000 23:25:38 -0400
Actually, I think this guy is a *troll*; he is talking about a classical
solution to classical encrypted systems.
That said, he does have a point. I read a recent edition of my IEEE
Computer subscription. In it, it had the work scientists are doing with
quantum computers. Pick up the book The Fabric of Reality for a detailed
explanation of how they work. There are working versions of four-qubit
computers currently. They are in the early stages. Once higher-qubit
computers are introduced they will be able to crack keys via a brute-force
attack in a relatively few cycles.
However, there is a system that is built for the military that uses the
properties of inference and what is dubbed quantum encoding. It works
over short distances right now, but it is uncrackable since the encoding
cannot be observed without destroying the communication link. Quite nice
when you think of it. Impractical for all but military command and control
applications.
Since I don't think that we will be buying quantum computers in the near
future from CompUSA, the encryption schemes are, for now, at least safe
from everyone except governments who have the money to spend on these
devices. However, there is no such thing as security. Eventually someone
could decrypt the information. It's a question of how long the info has to
be secret.
Bill Unruh wrote:
> In <8dnjit$3eh$[EMAIL PROTECTED]> [EMAIL PROTECTED] writes:
>
> ]All Product ciphers based on DES and the Feistel Network can be broken
> ]without an Exhaustive Key Search.....
>
> Fine. Here is a DES encoded text-- encoded with uuencode
>
> Name: d.uu
> d Type: unspecified type (application/octet-stream)
> Encoding: x-uuencode
>
> Here is the plaintext
> This is a test of your decryption ability
>
> What is the key?
>
> ]The secret lies in the Non Linear F Function...This can be decomposed
> ]into Algebraic Linear Primitives...and the Key can be recovered
> ]relatively easily...The Backdoor Function...
>
> Do it.
>
> ]The illusion that the Strength of an Algorithm is in the Key length is
> ]just that...an illusion....with detailed knowledge of the algorithm,
> ]Algebraic decomposition is possible with no significant computing
> ]power requirements...
>
> Sometimes.
>
> ]This is the biggest disinformation in history...all Public
> ]Product Ciphers are weak and vulnerable...
>
> Prove it.
>
> ]Public Key systems based on Large Primes are also breakable without an
> ]exhaustive key search....
>
> ]It has been calculated that a 500 bit RSA key will take 20 seconds to
> ]break on a supercomputer......
>
> By whom?
> (Note if you are saying that 500 bit public key is not the same as 500
> bit private key, welcome to the club which most people with even a
> rudimentary knowledge of public key crypto have had since the 70's.)
------------------------------
From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: The Illusion of Security
Date: 23 Apr 2000 03:49:43 GMT
Sean Glazier <[EMAIL PROTECTED]> wrote:
> explanation of how they work. There are working versions of a four qubit
> computers currently. They are in the early stages. once higher qubits
> computers are introduced they will be able to crack key via a brute force
> attack in a relatively few cycles.
A 7-qubit computer was recently announced. I think an experimental
verification of Shor's algorithm may not be far behind. Diet_NSA
probably knows more about this than I do, though...
This is no criticism of you, but an observation: "how powerful is
quantum computing??" seems to be a frequently asked question. Maybe it
needs a FAQ?
Thanks,
-David
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: The Illusion of Security
Date: Sun, 23 Apr 2000 04:32:38 GMT
On Sun, 23 Apr 2000 00:34:50 GMT, [EMAIL PROTECTED] (Terry Ritter) wrote,
in part:
>In the end, we cannot trust the ciphers we use, no matter who has made
>or approved them. Doing the same as everybody else just makes us part
>of the most obvious and rewarding target. To improve our situation,
>we must do something beyond what conventional cryptography recommends.
On the other hand, "following the herd" does have the real advantage
that one is using a cipher that has been studied - so at least we know
it is not vulnerable to attacks _already publicly known_. In general,
doing something _else_ doesn't even give us that level of assurance;
there is way too much snake oil out there, and the average person
intending to use cryptography is not able to tell the bad from the
good at this level.
One _can_ go beyond conventional cryptography while still using it,
for example, by a cascade of ciphers including one of the academic
favorites. I agree with you that this kind of thing is a good idea.
But I also see why calls for a more open-minded approach to cipher
choice are looked upon with great skepticism.
John Savard (teneerf <-)
------------------------------
From: David A Molnar <[EMAIL PROTECTED]>
Subject: quantum computation FAQ?
Date: 23 Apr 2000 04:13:02 GMT
It seems that there are some frequently asked questions about quantum
computation which pop up in this newsgroup.
I've drafted an outline of a possible FAQ which follows this message.
Comments appreciated. Everything from "we don't need no steenkin' FAQ"
to "it's been done before and done better" to "you're not qualified to
write it" to specific comments on formatting, addition or deletion of
questions, and so on.
========================================
QUANTUM COMPUTATION and CRYPTOGRAPHY FAQ
========================================
draft : 23 April 2000
not for definitive answers or settling bar bets,
and especially not for making security decisions.
it doesn't even have answers yet.
CONTENTS :
==========
PRELIMINARY QUESTIONS :
=======================
"I hear quantum computers are going to break all crypto?"
"What makes quantum computers so powerful?"
"Is it true that quantum computers can do *all possible
operations at once* and then spit out the answer?"
"How does quantum cryptography relate to quantum computing?
Are they the same thing?"
THEORETICAL QUESTIONS :
=======================
"What can you solve quickly with a quantum computer?"
"What is Grover's Algorithm?"
"What is Shor's Algorithm?"
"What's the difference between Shor and Grover?"
"Can quantum computers solve any problem in NP in poly time?"
"What about cryptosystems which are NP-complete?"
PRACTICAL QUESTIONS :
=====================
"How big does a quantum computer need to be before it can break
a cryptosystem?"
"What's the largest quantum computer yet built?"
"How long will it take to build bigger ones?"
"Could somebody have built a bigger quantum computer and kept
it secret from the rest of the world?"
LEARNING MORE QUESTIONS :
=========================
"What's the best introduction to quantum computing..."
"...at a popular science level?"
"...at a physics undergrad level?"
"...at a computer science undergrad level?"
"...at a 'start-doing-research' level?"
"Where do I find out more about..."
"...basic math I need to understand this stuff?"
"...computational complexity?"
"...quantum mechanics?"
"...tutorials on quantum computing?"
"...recent results in quantum computing?"
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: The Illusion of Security
Date: Sun, 23 Apr 2000 04:38:34 GMT
On Sun, 23 Apr 2000 02:22:55 GMT, [EMAIL PROTECTED] (Terry Ritter) wrote,
in part:
>I have not suggested that we "throw away all current symmetric
>ciphers." As far as I can tell you made that up. Using asymmetric
>ciphers would not change the basic problem.
In my opinion, it would probably make the problem much worse, but it
still wouldn't be quite as bad as you appear to be claiming it is.
Yes, we can't prove a cipher to be secure.
But in virtually all civilian applications of cryptography, the
vulnerability to attacks other than cryptanalysis is so great that,
after using something of the Triple-DES or AES class for encryption,
spending more time and effort on that part of security, rather than
going where the real problems are, is a waste of time. But people are
even *less* disposed to do the other things required for security than
they are to use decent ciphers.
Thus, I'm not surprised at all that reputable security experts tend to
dismiss concerns about the security of today's high-standard ciphers.
In an abstract, absolute sense, that may not be right; but in the real
world, it is indeed appropriate.
John Savard (teneerf <-)
------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: The Illusion of Security
Date: Sat, 22 Apr 2000 22:41:35 -0700
I have stated this before, and I will state it again. There
has been no proof of the randomness of anything, let alone
the randomness of a quantum link. Without a proof of
randomness, the proof of OTP is invalid; without the proof
of OTP security, there is no proof of security available.
If I am wrong, please give a reference.
There are also more instances where quantum computing is
simply inapplicable than there are ones where it is
applicable.
This is not a questioning of you, it is a comment on the
astounding amount of misinformation that has abounded about
quantum cryptography.
Joe
------------------------------
From: Mike Kent <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: The Illusion of Security
Date: Sun, 23 Apr 2000 06:32:50 GMT
Joseph Ashwood wrote:
> ... There has been no proof of the randomness of anything,
Just to get things clear ... what counts as random, and what
counts as proof?
> If I am wrong, please give a reference.
Hard to tell if you are right or wrong without a clear
understanding of what you're claiming.
// Mike Kent
------------------------------
From: Boris Kazak <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Szopa: troll or snake-oil salesman?
Date: Sun, 23 Apr 2000 06:34:53 GMT
Konstantin Berdichevsky wrote:
>
> I have just one linguistic comment:
>
> Anthony Steven Szopa abbreviates as "ASS".
> At the same time, "Szopa" means exactly this - in Russian.
>
==========
� ������ ��������������� ����������� - �� ������ ������� ���
�������������� ����� ���������� �������ӻ, ��� ��� ����������
������ �� ������� �������ӻ, ������� ���� �� ����������...
� � ������ ������������ ������ � ������ �������� �� ������� �����.
����� ���������� �����
====================
> It can be pure coincidence, for sure...
> Regards,
> --
> Konstantin Berdichevsky
> "Everything is what it is: liberty is liberty,
> not equality or fairness or justice or culture or human happiness or a
> quiet conscience".
> Sir Isaiah Berlin.
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: The Illusion of Security
Date: Sun, 23 Apr 2000 07:15:11 GMT
On Sun, 23 Apr 2000 02:30:31 GMT, in <[EMAIL PROTECTED]>,
in sci.crypt Tom St Denis <[EMAIL PROTECTED]> wrote:
>Terry Ritter wrote:
>> >True 100 years from now (or 50, or 25) AES may become weaker then
>> >conjectured, but for now we can assume that AES will be secure and not
>> >the point of attack.
>>
>> First, AES cannot "become weaker;" any particular design will not
>> change through time. So if AES would be weaker in 100 years, it is
>> weaker *now*. It is only "our" knowledge that may change. But *our*
>> knowledge is *not* the same as our opponents' knowledge, and that is
>> the problem. We simply have no basis for assuming that our opponents
>> have the same limitations we do. Personally, I expect that some of
>> our unknown opponents are far more accomplished than any academic we
>> know.
>
>That's the thing, a cipher is only insecure if we know it is.
*Our* knowledge has nothing to do with it. It is our opponents'
knowledge which defines insecurity.
If all we have to do to keep a cipher strong is to not break it and
not hear about breaking it, I see no reason why we would ever have any
weak ciphers at all. Good cryptography is not about pretense; it is
about actually confronting informed opponents and winning, despite
their best efforts.
>If
>99.99999% of all the people on earth cannot break a cipher, then I will
>use it. Them's the facts. Cuz I really only want to use a cipher to
>keep people like you, and the rest of the group from snooping in my
>email, etc.. If only one person in this world can read my private email
>(other then the intentends) good for him/her.
>
>> Simply *assuming* that AES is secure is unwarranted, and encouraging
>> others to believe this is actually *deceptive*, unless of course you
>> have evidence to back up your claim. But there is no such evidence.
>> You can assume whatever you want, but there is no scientific basis for
>> it. That is not reality, and that is not being realistic.
>> >The alternative of course is to ditch all symmetric ciphers, send all
>> >information as plaintext and say "this is the best we can do".
>>
>> That would be *your* alternative. I would not suggest that, and I
>> have described whole ranges of more appropriate alternatives.
>
>Such as, in your point of view no prng is secure, therefore we are back
>to the OTP...
"In my point of view," I do suspect that no PRNG can be *provably*
secure. After considerable experience, I now expect to always find
some sort of assumption which prevents a full security proof.
Nor do I accept the conventional wisdom that any practical OTP is
absolutely secure. In my view, the only provably secure OTP is the
one we think about and never use. As soon as we start to use
something like an OTP, it no longer has the provable characteristics
we thought it would have.
But my whole point here is not that any cipher can be insecure, but that we
have options beyond the security of the cipher per se; that is, beyond
what we cannot hope to prove. We can take other actions to improve
even our horrible situation.
>> >While your point of view is appropriate your attitude is not.
>> >Tom
>>
>> My attitude? You mean like addressing uncomfortable reality instead
>> of insisting that it does not exist, or that we can't do anything
>> about it anyway? Well, yes, I guess my "attitude" would be
>> uncomfortable if you assume that the conventional wisdom knows best,
>> and all that society needs to know has been properly addressed by
>> academics. But in this case it does not take very much insight to see
>> that such an assumption is appallingly, obviously and massively false.
>
>Some caution is warranted, but you have to work with what you are
>given. If I had to make a program to encrypt money transactions, I
>would rather use DES with its 56-bit key than nothing. Likewise with
>the AES ciphers.
>
>> Conventional cryptography is built on a foundation of sand. Until the
>> ramifications of a contest against unknown and unknowable opponents
>> are addressed, there can be no deep understanding of what cryptography
>> means or what it can realistically provide. That would be distinctly
>> different from assuming a cipher is strong because everybody thinks it
>> must be.
>
>People don't just say "oh it looks strong". People attack it from every
>which angle and say this is the best we can do. Then others do
>similar. After 100s of people do similar we can assume it's most likely
>secure.
We can't define security by the number of people who have tried and
failed! Where do you get this stuff? All it takes is for one to
succeed and security is gone.
>Which is more probable though. Having 1000s of scientists test, probe
>and dissect the cipher to find no real flaws, only to have a hidden group
>find the flaws? or that they didn't find anything because we won't find
>anything?
I think it is probable that hidden groups do contain substantial
expertise which is not available in the open literature. Given that,
is possible weakness all that improbable?
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: The Illusion of Security
Date: Sun, 23 Apr 2000 07:20:37 GMT
On Sun, 23 Apr 2000 04:38:34 GMT, in <[EMAIL PROTECTED]>,
in sci.crypt [EMAIL PROTECTED] (John Savard) wrote:
>On Sun, 23 Apr 2000 02:22:55 GMT, [EMAIL PROTECTED] (Terry Ritter) wrote,
>in part:
>
>>I have not suggested that we "throw away all current symmetric
>>ciphers." As far as I can tell you made that up. Using asymmetric
>>ciphers would not change the basic problem.
>
>In my opinion, it would probably make the problem much worse, but it
>still wouldn't be quite as bad as you appear to be claiming it is.
>
>Yes, we can't prove a cipher to be secure.
>
>But in virtually all civilian applications of cryptography, the
>vulnerability to attacks other than cryptanalysis is so great that,
>after using something of the Triple-DES or AES class for encryption,
>spending more time and effort on that part of security, rather than
>going where the real problems are, is a waste of time. But people are
>even *less* disposed to do the other things required for security than
>they are to use decent ciphers.
Once again we have the hidden assumption which I question: That you
know the cipher to be more secure than other insecurities in the
system. Now, you may think that, and you may believe that, and for
all I know everybody else does too, but neither you nor anybody else
actually *knows* that. That is an assumption for which there is no
evidence. It is a particularly comforting belief, and no more.
You do *not* know that there is no break which is easier than whatever
other weakness is in the system. But I suggest we make the rest of
the system hard instead of depending on it as an excuse to not worry
about cipher strength.
>Thus, I'm not surprised at all that reputable security experts tend to
>dismiss concerns about the security of today's high-standard ciphers.
>In an abstract, absolute sense, that may not be right; but in the real
>world, it is indeed appropriate.
Sorry, but that is *not* appropriate. That does *not* address the
cryptographic reality we confront. That attitude is just claims and
dreams.
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: The Illusion of Security
Date: Sun, 23 Apr 2000 07:21:56 GMT
On Sun, 23 Apr 2000 04:32:38 GMT, in <[EMAIL PROTECTED]>,
in sci.crypt [EMAIL PROTECTED] (John Savard) wrote:
>On Sun, 23 Apr 2000 00:34:50 GMT, [EMAIL PROTECTED] (Terry Ritter) wrote,
>in part:
>
>>In the end, we cannot trust the ciphers we use, no matter who has made
>>or approved them. Doing the same as everybody else just makes us part
>>of the most obvious and rewarding target. To improve our situation,
>>we must do something beyond what conventional cryptography recommends.
>
>On the other hand, "following the herd" does have the real advantage
>that one is using a cipher that has been studied - so at least we know
>it is not vulnerable to attacks _already publicly known_.
True.
>In general,
>doing something _else_ doesn't even give us that level of assurance;
Also true.
>there is way too much snake oil out there, and the average person
>intending to use cryptography is not able to tell the bad from the
>good at this level.
>
>One _can_ go beyond conventional cryptography while still using it,
>for example, by a cascade of ciphers including one of the academic
>favorites. I agree with you that this kind of thing is a good idea.
>But I also see why calls for a more open-minded approach to cipher
>choice are looked upon with great skepticism.
Oddly, I do not.
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************