Cryptography-Digest Digest #875, Volume #11 Sat, 27 May 00 23:13:00 EDT
Contents:
Re: Crypto patentability ("Paul Pires")
Storin update (Mark Wooding)
Re: Best crypto if encrypted AND plain text are known (and small) ? (zapzing)
Re: Crypto patentability ("Paul Pires")
Re: Another sci.crypt Cipher (tomstd)
Re: Another sci.crypt Cipher (tomstd)
Onefish -- TC2 (tomstd)
Re: Self Shrinking LFSR (tomstd)
Re: Destructive crypting ([EMAIL PROTECTED])
Re: Matrix key distribution? ("Michael Brown")
Re: Matrix key distribution? ("Michael Brown")
----------------------------------------------------------------------------
From: "Paul Pires" <[EMAIL PROTECTED]>
Subject: Re: Crypto patentability
Date: Sat, 27 May 2000 17:59:19 -0700
Bill Unruh <[EMAIL PROTECTED]> wrote in message
news:8gnij5$3ds$[EMAIL PROTECTED]...
> In <ZWJW4.42912$[EMAIL PROTECTED]> "Paul Pires" <[EMAIL PROTECTED]> writes:
>
> ]> The problem is that to prove invalidity requires a court case, a very
> ]> long, very expensive court case if the patent holder has deep pockets.
>
> ]No, not really. You don't sue someone if you think their patent is bad, you
> ]infringe and win the suit for infringement the inventor brings. Of course,
> ]if you knowingly infringe and lose it's treble damages.
>
> You are saying the same thing. Who brings the suit does not matter. It
> is a very long, very expensive court case if the patent holder has deep
> pockets. And the onus is on you to prove invalidity.
No and yes. I am not saying the same thing. It sounded as if you meant that
if there was an existing patent, you had to go to court, i.e. infringement =
lawsuit. I pointed out that infringement = opportunity for inventor to bring
suit. If he looks at your arguments he probably won't (assuming they are
valid). If you have done this indefensibly, you deserve to be sued.
Yes, the onus is on you to prove invalidness (invalidity?), maybe that too.
> ]> Most people or companies are not up to that even if the patent is
> ]> patently invalid. It is thus crucial that the patent office do a good
> ]> job in assigning patents.
>
> ]This is our disagreement. I've been there and I think they do a pretty good
> ]job now. I think the job is a whole lot tougher than you think.
>
> Disagreement? You feel it is not important that the patent office do a
> good job?
You know my feelings? How much do I owe you?
I said I thought they are doing a good job now. This is the reason, and not
a "feeling", for my lack of panic and outrage. Yes, we disagree. Is that
hard for you to agree with? Ever watch Monty Python?
"That isn't an argument!"
"Yes it is!"
"No it isn't!"
"Then why are we arguing?"
"We're not arguing!"
"Yes we are!"
>
>
> ]>
> ]> The whole purpose of patents was to encourage the publication of the
> ]> patented material, rather than have people try to keep it secret with
> ]> trade secrecy laws. In the case of software, it is hard to keep stuff
> ]> secret anyway-- it is too easy to disassemble the stuff if you really
> ]> want to know. This removes a big reason why patents exist at all.
> ]> They were never intended as a "reward" for invention.
>
> ]I strongly disagree and I believe history supports it. You don't get a patent
> ]for disclosing a good idea, it must be invention. Invention (or more likely
> ]the personal investment in the development of it) is clearly being rewarded
> ]with a monopoly for a period of time. After that the invention can never be
> ]patented again by anyone.
>
> ?? What is your disagreement?
See Monty above:
Look, we're both wrong in an absolute sense.
Except that the wrong part of your assertion has been snipped out.
If ((Invention == true) && (full disclosure == true) && ((Invention !=
prior art)) = True
-AND-
a whole bunch of cash invested with no guarantee, then you might have a
patent.
The only exemption from the invention requirement was made by the Supreme
Court for Edison and it was confined to "long sought and known as
advantageous and yet not achieved". This was for the light bulb. No, Edison
did not invent it. Another urban myth bites the dust.
Kids, don't try this one at home. The USPTO still doesn't like it and you
too will have to take it to the Supreme Court.
Bureaucrats burned have a long memory.
> It is not the invention that is rewarded. You can invent stuff and keep
> it secret and you will NOT get a monopoly. It is not the invention that
> is rewarded, it is the publication through the patent. It is only the
> publication of non trivial or new stuff as well, yes.
>
>
> ]> It was purely a
> ]> very mercenary bargain-- you tell us what you have done, and we give you
> ]> a monopoly for X years. Whether patents on software serve that purpose--
> ]> ie whether the public gets a good deal out of such patents-- is highly
> ]> debatable. Thus so is allowing patents of software.
> ]>
> ]> Copyright is similar. Copyright is another bargain-- you write or
> ]> produce something, we will give you a monopoly on copying that something
> ]> for X years ( where x is like 75 years or life+50) Again this makes
> ]> almost no sense with software. Software copyright should last a max of 5
> ]> years, and then only if the source code is published. Otherwise that
> ]> monopoly should be granted. Many companies have become enamoured of the
> ]> soviet system, where the government granted monopoly rights to friends.
> ]> While good for the friends, it was not good for the society. Similarly
> ]> here.
>
> ]Companies don't like to pay to use patents from individuals. Because of
> ]patents the little guy has won quite often. I did. Look up the story of
> ]George Eastman vs a parish priest named Goodwin I think. He is the patent
> ]holder on the process of using celluloid as a film base. George (the third
> ]richest man in the country at the time) fought and fumed and stalled and
> ]tricked and ultimately paid him 5 million dollars (this was in the 1890's),
> ]a tidy sum. The evil tool patent in the hands of the rapacious industrialist
> ]is an urban myth.
>
> Uh, that last part was a comment on copyright, not patents. But whether
> individuals or companies get the most benefit is irrelevant. The
> monopoly is granted for a reason, not as a charity on the part of the
> government to randomly reward people, whether poor or rich ( and far
> more patents protect the monopoly of the rich than the poor).
>
> What is important is that patent and copyright law are tradeoffs--
> monopolies are valuable, and should be granted only if they benefit the
> people. And the time of the monopoly should only be as long as
> necessary to achieve that benefit.
I think we have resolved that neither thinks the other has a clue about what
is really happening. Let's agree to disagree and drop this before we both
(Rightly) get flamed for being way OFF topic. Thanks for the adrenaline, it
was fun.
Paul
------------------------------
From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Storin update
Date: 28 May 2000 01:17:03 GMT
I've made a few changes to my Storin package. The paper has had some
bugs fixed, and so have some of the supporting programs. The cipher
itself remains the same.
Changes in Storin 1.0.1:
* I've updated the paper to fix some bugs, to forbid keys longer than
672 bits, and to mention some of the analysis given in sci.crypt.
* The `diffan' program supplied had a massive bug in it (it was using
AND as its notion of input difference!). I'm still kicking myself
for not spotting it earlier. It now shows some differential
characteristics through the matrix. Its output may be useful to
someone cryptanalyzing the cipher. Overall, I'm quite impressed by
the high Hamming weight of the output differences it comes up with.
I'm not resubmitting this as a `tweak', because I've not actually
changed the algorithm. If you want to see the new package, you can
visit http://www.excessus.demon.co.uk/crypto/ and fetch it from
there.
Thanks to everyone who's given their time to analyze Storin so far.
-- [mdw]
------------------------------
From: zapzing <[EMAIL PROTECTED]>
Subject: Re: Best crypto if encrypted AND plain text are known (and small) ?
Date: Sun, 28 May 2000 01:05:55 GMT
In article <8gp8rh$fji$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (TheGame) wrote:
> In article <[EMAIL PROTECTED]>, "Thomas M. Sommers"
<[EMAIL PROTECTED]> wrote:
> >TheGame wrote:
> >>
> >> Hi,
> >>
> >> Sorry for this basic question, but I'm wondering what the best algorithm
> >> would be to encrypt and decrypt a user name (e.g. 'fred'). The goal would
> >> be to give 'fred' his encrypted username as a cookie, and to be able to
> >> get back the original username 'fred' when decrypting the cookie.
> >>
> >> Obviously, it should not be possible for anyone else to claim to be 'fred',
> >> even by having thousands of plaintext and encrypted usernames to
> >> try and figure out the key...
> >
> >A Bad Guy wouldn't need to figure out your system to impersonate fred.
> >All he would have to do is steal fred's cookie file, or snoop the
> >encrypted user name from the network.
>
> Indeed, I know this scheme is less than fool-proof - it's not meant to be :)
> But at least I'd like the basic encryption to be somewhat stronger than
> what any script kiddie could crack in an hour...
>
> In addition, I'd like to use some reversible encryption here, so all
> one-way hashes are out, and I'm a bit lost in the relative strengths
> of different algorithms for (very) small plaintexts like usernames
> (or credit card numbers, for that matter).
I, for one, would like to know why you discount one-way hashes as a
possibility. That's what Unix uses, right? There are ways of avoiding
collisions, if that is what you are worried about.
--
If you know about a retail source of
inexpensive DES chips, please let
me know, thanks.
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: "Paul Pires" <[EMAIL PROTECTED]>
Subject: Re: Crypto patentability
Date: Sat, 27 May 2000 18:31:48 -0700
I said goodbye prematurely. I have found something else to disagree with.
> What is important is that patent and copyright law are tradeoffs--
> monopolies are valuable, and should be granted only if they benefit the
> people. And the time of the monopoly should only be as long as
> necessary to achieve that benefit.
Invention is by definition an intuitive leap beyond normal expectations. How
do you know if an invention has merit so that you can grant it a fair
monopoly? A bargain must be fair to both parties, so what's a fair monopoly
to the inventor? Ask Whit Diffie if everybody slapped their foreheads and
said, "Gosh, that's a valuable invention". I bet far more said "An
intellectual curiosity with no application" "I don't think it will prove to
be secure or useful in the long run"
Well he didn't talk about it, he did it, and it got patented and it is now
public domain. Yes, it is inventors who provide this vast amount of
technology, available for free as public domain if you're patient. They pay
for the privilege in most cases out of their own pockets.
And don't write back that Stanford paid for that one, he still paid his
dues.
Send him a dozen red roses my friend 'cause he earned 'em.
Paul
------------------------------
Subject: Re: Another sci.crypt Cipher
From: tomstd <[EMAIL PROTECTED]>
Date: Sat, 27 May 2000 18:38:17 -0700
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
(Mark Wooding) wrote:
>tomstd <[EMAIL PROTECTED]> wrote:
>
>> Hmm, where can I find that? Is that in the FSE-RC2 that floats
>> around?
>
>In his web pages seems like the best place to look. I think it was
>there that I found it.
Will look.
>> So you grab the input differences from step #1 then feed it through
>> all possible output differences to find output differences with low
>> hw?
>
>I grind through each of your permuted S-boxes (the one you supplied with
>your C source) and check to see if the output difference is contained
>exactly within one byte. If it is then I remember it; otherwise it's
>rejected. In my final structure, for each S-box and input difference
>there's a linked list, sorted in descending probability order, of nodes
>containing the output target S-box, the difference in that S-box, and
>the probability of the characteristic. For the busting logic, there's
>also an approximation of -10000 * log_2(p), because log_2(6/256) isn't a
>nice number.
>
>It may be that it's a win to have more than one S-box active in one
>round, because it lets you use higher-probability characteristics in
>other rounds. That starts getting too complex to analyse simply,
>though.
Ok I think I get it now... Your source does help a bit.
>> Just change the F function... :-)
>
>I wasn't actually using your F function before. I do now, and I just
>applied it twice.
Not a bad idea.
>> It's a dirty hack but it does the job. It makes random permutations
>> then checks to see if only two bits per byte go to another byte. Then
>> I precompute the sbox and output it.
>
>I think that, at the very least, you need to choose your permutation to
>limit the damage of low Hamming-weight output differences. Also, you
>could optimize your S-box so that low weight output differences were
>less probable than ones with high weight -- that'd help. I think that
>David Wagner's suggestion of an MDS matrix multiply is a better idea,
>though. It wouldn't quite be Onefish since the S-box isn't key-
>dependent, but it'd certainly give you better diffusion than a simple
>bit-permutation.
At http://www.tomstdenis.com/perm2.c is a version that uses an MDS
applied to the sboxes instead. I don't think the output is any better...
I will test it using your program.
>> BTW you can email your source to [EMAIL PROTECTED] I think if I
>> see what you are doing it will help.
>
>I've done that. By the way, it's not secret or anything, so if anyone
>else wants it you can just ask me. Oh, it's not very pretty or well-
>commented: I wrote it during a lunch break.
Well, it's impressive.
Tom
* Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!
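The search Mark describes above (for each S-box and input difference, the reachable output differences sorted by descending probability, with a -10000 * log_2(p) integer cost so that characteristic costs add) worked through in Python. This is an added illustration, not Mark's lunch-break program or Tom's C source; it runs over a constructed seeded-shuffle S-box rather than Onefish's, and the Hamming-weight filter stands in for his "contained within one byte" test.

```python
import math
import random


def constructed_sbox(seed=1):
    """Constructed 8-bit bijective S-box (a seeded shuffle); it stands in
    for the cipher's own S-boxes, which are not reproduced here."""
    table = list(range(256))
    random.Random(seed).shuffle(table)
    return table


def difference_table(sbox):
    """Difference distribution table:
    ddt[din][dout] = number of inputs x with S(x) ^ S(x ^ din) == dout."""
    n = len(sbox)
    ddt = [[0] * n for _ in range(n)]
    for x in range(n):
        for din in range(n):
            ddt[din][sbox[x] ^ sbox[x ^ din]] += 1
    return ddt


def log_cost(p, scale=10000):
    """Integer approximation of -scale * log2(p), as in the post: costs of
    single-S-box characteristics can then be added instead of multiplying
    awkward probabilities such as 6/256."""
    return round(-scale * math.log2(p))


def characteristics(sbox, din):
    """Every output difference reachable from one nonzero input difference,
    as (dout, probability, cost), sorted by descending probability."""
    ddt = difference_table(sbox)
    n = len(sbox)
    rows = [(dout, count / n, log_cost(count / n))
            for dout, count in enumerate(ddt[din]) if count]
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows


def low_weight_characteristics(sbox, din, max_weight=2):
    """Keep only characteristics whose output difference has low Hamming
    weight: these are the ones a bit-permutation layer spreads poorly."""
    return [r for r in characteristics(sbox, din)
            if bin(r[0]).count("1") <= max_weight]


def max_differential_probability(sbox):
    """Largest DDT entry outside the trivial 0 -> 0 cell, as a probability;
    a designer wants this as small as possible."""
    ddt = difference_table(sbox)
    return max(max(row) for row in ddt[1:]) / len(sbox)
```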
------------------------------
Subject: Re: Another sci.crypt Cipher
From: tomstd <[EMAIL PROTECTED]>
Date: Sat, 27 May 2000 18:45:37 -0700
According to your application, three compositions of F are
enough to kill all single sbox characteristics... Wow that makes
it a bit slower... oh well.
Tom
------------------------------
Subject: Onefish -- TC2
From: tomstd <[EMAIL PROTECTED]>
Date: Sat, 27 May 2000 18:48:55 -0700
I changed my TC1 cipher to use the same sboxes but to use an MDS
(properly stolen from Twofish) instead of a bit permutation.
According to Mdw's program there are no differential chars
involving one sbox only per round.
It's at
http://www.tomstdenis.com/tc2.c
I will try to break this one, but if anyone notices a break,
please don't disclose it, just give a hint hint nudge nudge.
Thanks,
Tom
------------------------------
Subject: Re: Self Shrinking LFSR
From: tomstd <[EMAIL PROTECTED]>
Date: Sat, 27 May 2000 19:08:11 -0700
In article <[EMAIL PROTECTED]>, tomstd
<[EMAIL PROTECTED]> wrote:
>At http://www.tomstdenis.com/slfsr.c I have my implementation
>of a self-shrinking semi-dense 64 bit LFSR. The code is really
>compact, doesn't require any keysetup :)
>
>It outputs about 8mbit/sec on my K6 as compiled by DJGPP.
>
>Tom
The polynomial is wrong, I made a deg-63 by accident. I think I
need a deg-64...
I will post the change later.
Tom
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Destructive crypting
Date: Sun, 28 May 2000 02:09:11 GMT
The problem with what you propose is that anyone can capture the hashed
password, and use that to impersonate the user (AKA a replay attack).
So it is no more secure than sending the password in clear text.
To be secure, you need some kind of challenge-response which is
session specific.
In simple terms, one approach is for the server to send a randomly
selected string of bytes as a session ID. The server one-way hashes
the client password (from its password register) with the session ID,
and the client also one-way hashes the password with the session ID and
sends the result to the server. The server compares the hashed output
from the client with its local result, and if they are identical, it
knows the client must have hashed it with the correct password.
The client is authenticated (ie logged on) and the session ID is deleted.
A variation on this approach is required for the user to change password.
It might be easiest to read up on Password Authentication Protocol and
Challenge Handshake Authentication Protocol as used over PPP on the
'net.
On 13 May 2000 21:47:49 GMT, [EMAIL PROTECTED] (Daniel Åkerud) wrote:
>
>Hi ppl,
>
>I need to know of a good (worldwide accepted) one-way crypt algorithm (like
>the linux crypt()) that you can use in commercial applications. (Yes, i am
>willing to pay a license, if it doesn't cost _too_ much).
>
>(I will use it to send a password over tcp/ip)
>
>Thank you all!
>
>--
>
>
>
>Daniel Åkerud
>Programvaruteknik, MAH
>Email: [EMAIL PROTECTED]
>Homepage: http://zilch.pvt.te.mah.se
>
>
>
>
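The challenge-response exchange described in the reply above, written out with both sides. This is an added example, not code from either poster: HMAC-SHA-256 keyed by the password is the concrete "one-way hash of password with session ID" (the post names no particular hash), the password register is a constructed dictionary, and the replay check shows why deleting the session ID after one use matters.

```python
import hashlib
import hmac
import secrets

# Constructed server-side password register: username -> password.
PASSWORD_REGISTER = {"fred": "correct horse battery staple"}


def client_response(password, session_id):
    """Step 2: the client's one-way hash of its password with the session ID.
    HMAC-SHA-256 keyed by the password is an assumption; the post only says
    'one way hash'."""
    return hmac.new(password.encode(), session_id, hashlib.sha256).digest()


class Server:
    def __init__(self, register):
        self.register = register
        self.pending = {}  # username -> outstanding session ID

    def issue_challenge(self, username):
        """Step 1: send a randomly selected string of bytes as the session ID."""
        session_id = secrets.token_bytes(16)
        self.pending[username] = session_id
        return session_id

    def verify(self, username, response):
        """Step 3: hash the registered password with the same session ID and
        compare. The session ID is deleted whether or not the login succeeds,
        so a response captured off the wire cannot be replayed."""
        session_id = self.pending.pop(username, None)
        if session_id is None or username not in self.register:
            return False
        expected = client_response(self.register[username], session_id)
        return hmac.compare_digest(expected, response)


def login(server, username, password):
    """One complete exchange; returns whether the server accepted it."""
    challenge = server.issue_challenge(username)
    return server.verify(username, client_response(password, challenge))


def replay_is_rejected(server, username, password):
    """Capture a genuine response, let it log in, then try to reuse it."""
    challenge = server.issue_challenge(username)
    captured = client_response(password, challenge)
    first = server.verify(username, captured)       # legitimate login
    second = server.verify(username, captured)      # replay of the same bytes
    return first and not second
```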
------------------------------
From: "Michael Brown" <[EMAIL PROTECTED]>
Subject: Re: Matrix key distribution?
Date: Sun, 28 May 2000 02:14:21 GMT
Benjamin Goldberg <[EMAIL PROTECTED]> wrote in article
<[EMAIL PROTECTED]>...
> Perhaps this seems like a silly question, but what if matrix C isn't in
> any special format, but whose only property is that it's non-invertable?
For C to be singular either one (or more) row(s) has to be a combination of
the other rows or one (or more) column(s) have to be a multiple of the
other columns. The matrix C is based on the first idea with the second row
being a multiple, in this case m, of the first row. I suspect that it still
would be insecure if the matrix C used the other method though.
Michael Brown
------------------------------
From: "Michael Brown" <[EMAIL PROTECTED]>
Subject: Re: Matrix key distribution?
Date: Sun, 28 May 2000 02:19:48 GMT
Douglas A. Gwyn <[EMAIL PROTECTED]> wrote in article
<[EMAIL PROTECTED]>...
> Basically, all that singularity does is reduce the rank, i.e. it
> is still a linear system with a (possibly) lower dimensionality.
That's sort of what I was basing my idea around, with the source matrix
having more information than the resulting matrix. The first way I tried to
do this was to use a 3x3 private * a 3x2 public. This means that it would
be impossible to figure out A from AP. The problem is that at the other
end, the other computer must end up with the same thing as the sending
computer, so I ran into problems with invalid multiplications and had to
resort to singular matrices. Maybe looking more at the original idea might
yield more (probably broken :) key exchange methods. Who knows.
Michael Brown
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************