Cryptography-Digest Digest #927, Volume #11       Fri, 2 Jun 00 22:13:01 EDT

Contents:
  Why WEP (Tome')
  OT patent protection (was: Contest rule proposal ) ("Trevor L. Jackson, III")
  Re: DVD encryption secure? -- any FAQ on it (David A. Wagner)
  Re: Contest rule proposal ("Trevor L. Jackson, III")
  Re: Cipher design a fading field? (David A. Wagner)
  Re: Contest rule proposal ("Trevor L. Jackson, III")
  Re: RIP Bill 3rd Reading in Parliament TODAY 8th May (Your Name)
  Re: otp breaktrough !!!!!!!!!!!!! ("Axel Lindholm")
  Re: TC3 Update (tomstd)
  Re: Powers of s-boxes and other functions (Jim Steuert)
  Re: No-Key Encryption (John Savard)
  Re: Powers of s-boxes and other functions (tomstd)
  Re: Cipher design a fading field? (Mark Wooding)
  Re: Contest rule proposal (Mark Wooding)
  Re: XTR (was: any public-key algorithm) ("Paulo S. L. M. Barreto")

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Tome')
Subject: Why WEP
Date: Thu, 01 Jun 2000 14:40:21 GMT

Does someone know why WEP supplies only wired-equivalent privacy? How can I
say that the privacy supplied by WEP is equivalent to the privacy
supplied by a wired LAN?

RC4 is a very strong stream cipher, but the WEP implementation uses a
24-bit IV.
Is the resynchronization the weak point of the protocol?

comments, opinions etc

Tomé

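As an added example (not part of Tomé's post or of any WEP implementation): the arithmetic behind the 24-bit IV concern, plus a small reuse detector. WEP forms each packet's RC4 key from the fixed secret key together with the per-packet IV, so a repeated IV under the same key means a repeated RC4 keystream. The code below computes how soon such a repeat is expected when IVs are chosen uniformly at random (a birthday-bound calculation) and flags the first repeat in a sequence of observed IVs. The random-IV model and the sample IV lists are constructed for illustration; a counter-driven IV instead repeats deterministically once 2^24 packets have been sent.

```python
import math
import random

IV_BITS = 24                 # WEP's per-packet IV width, as stated in the thread
IV_SPACE = 1 << IV_BITS      # 16,777,216 possible IV values


def collision_probability(n, space=IV_SPACE):
    """Probability that at least two of n uniformly random IVs coincide
    (the birthday problem), computed exactly in log space to avoid underflow."""
    if n > space:
        return 1.0
    log_all_distinct = sum(math.log1p(-i / space) for i in range(n))
    return 1.0 - math.exp(log_all_distinct)


def packets_for_half_chance(space=IV_SPACE):
    """Smallest packet count at which a random-IV repeat is more likely than not.
    Roughly 1.18 * sqrt(space): a few thousand packets for a 24-bit IV, not 2^24."""
    lo, hi = 1, min(space, 8 * int(math.sqrt(space)))   # collision is near-certain by hi
    while lo < hi:
        mid = (lo + hi) // 2
        if collision_probability(mid, space) >= 0.5:
            hi = mid
        else:
            lo = mid + 1
    return lo


def first_iv_reuse(ivs):
    """Scan IVs observed under one key (one per packet) and return
    (index, iv, earlier_index) for the first repeat, or None if none repeats."""
    seen = {}
    for idx, iv in enumerate(ivs):
        if iv in seen:
            return idx, iv, seen[iv]
        seen[iv] = idx
    return None


def random_ivs(n, seed=1):
    """Constructed sample traffic: n packets whose IVs are drawn uniformly
    from the 24-bit space (the random-IV assumption)."""
    rng = random.Random(seed)
    return [rng.randrange(IV_SPACE) for _ in range(n)]


if __name__ == "__main__":
    print("P(repeat) after 4096 random IVs:", round(collision_probability(4096), 3))
    print("packets for a 50% chance of a repeat:", packets_for_half_chance())
    hit = first_iv_reuse(random_ivs(50000))
    print("first repeat in 50,000 constructed packets:", hit)
```

The detector is the defensive half of the story: a monitor that keeps the set of IVs seen per key can raise an alert as soon as the keystream is reused, which with random IVs the birthday numbers put at a few thousand packets.
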
------------------------------

Date: Fri, 02 Jun 2000 19:33:22 -0400
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: OT patent protection (was: Contest rule proposal )

Mark Wooding wrote:

> Let's pretend that you have a pint of beer.  (If you don't like beer,
> substitute something else you do like.  Alcohol content and general
> liquidity are unnecessary for the argument.)  If I take your pint away
> and drink it, then you'll become upset because you no longer have your
> delightful beverage, which you paid good money for.  That's fine and
> reasonable.
>
> Let's say I have a gadget which can duplicate pints of beer, and I use
> it to take a copy of your pint.  You've lost nothing in this process
> that I can see.  The world is exactly the same except that I now have a
> pint too.  Who's done harm here, and to whom?

You are ignoring a critical word: incentive.  The benefits patents provide to
their owner are an incentive to produce new and better technology (beer).  If
everyone has a right to copy the best beer available, there's no economic
incentive for anyone to improve the stuff.  If no one improves it we'll be
stuck with the status quo forever.

This is exactly the reason patent systems are created -- to motivate
inventors.  For a treatment of the benefits of patent systems read some Rand.
For a treatment of the negative effects of lack of patent systems read the
industrial history of the USSR; it's sad.

In beer, you happen to have picked a historically interesting example.  It
seems that the only thing the barbarians in the northwest of Europe wanted from
the Romans was beer.  The trade in that commodity is said to have motivated the
civilization of the tribes, and laid the foundation of the western democracies.

So, if the barbarians could have copied the Romans' beer, we wouldn't be here.


------------------------------

From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: DVD encryption secure? -- any FAQ on it
Date: 2 Jun 2000 16:19:32 -0700

In article <8h9ba6$cds$[EMAIL PROTECTED]>,
Bryan Olson  <[EMAIL PROTECTED]> wrote:
> What I mean is that having the bunch of bits - the easy part
> of the copying process - is not sufficient.  You have to
> create media that looks like a legit DVD.  It is not the
> case that if one can read a DVD one can make a (working)
> bit-for-bit copy.

Sure it is.  It may require hardware -- special hardware
to press a master, etc. -- and it may require money, but
it's the same process as used to mass-manufacture DVD's
(and almost the same process as used to mass-manufacture
or mass-pirate CD's, I'm told).  There are no secrets
involved, no codebreaking required.  Bits is bits.

Sure, you can't go to a website and download the software
to do bit-for-bit copies.  It's not a software attack.
Consequently, we don't expect Joe Sixpack to be doing bit-for-bit
copies in his basement.  But it would be foolish to expect
that the criminals interested in mass piracy will be stopped
by the requirements for DVD-pressing equipment.

> But in my
> many hours of research (=surfing) on the subject, I have not
> even heard anyone report success in making working
> bit-for-bit copies of protected DVD's.

Nor would I expect you to have, but I don't think that makes it
reasonable to conclude that bit-for-bit copying doesn't go on.

Would you expect the mass pirates in, say, China (or wherever)
to boast on a website that they are making illegal copies of DVD's
using bit-for-bit techniques?  I wouldn't.  At best, we might see
only the tip of the iceberg; at worst, we might not see anything,
even if widespread copying is going on.

> If someone thinks that nothing
> stops them from making bit-for-bit DVD copies, would it be
> too much to ask that they actually do so before telling us
> how easy it is?

Well, in a word, yes!

> If the (now broken) DVD protection system was not a copy
> protection mechanism at all, how come it prevented so many
> people from making copies?

I wouldn't go that far.  I would say that it is a pretty sloppy
design, for a copy protection mechanism.  It is ridiculous to
expect copy protection when you've got software players.  And
then, on top of that, the DVD system goes and uses some horribly
broken cryptography.

On the other hand, as a player control and monopoly-enforcing
mechanism, it is an almost barely plausible design, if we ignore
for a moment that they're using an utterly broken stream cipher.

------------------------------

Date: Fri, 02 Jun 2000 19:40:40 -0400
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Contest rule proposal



"David A. Wagner" wrote:

> In article <ArTZ4.44287$[EMAIL PROTECTED]>,
> Paul Pires <[EMAIL PROTECTED]> wrote:
> > Mike Rosing <[EMAIL PROTECTED]> wrote:
> > > I would think that any use for purposes of the contest should be easy
> > > to grant.  It does not interfere with the *use* of the patent in any
> > > application, for which the patent holder wants to get paid.
> >
> > You don't need a grant.
>
> Not true, actually.   As Mark Wooding has pointed out, you can't test
> attacks (e.g., implement them) without implementing the cipher, and by
> law, you're not allowed to implement a patented cipher without a grant.

I believe this is a considerable overstatement.  Even if the statement is
granted for the purpose of discussion, the conclusions do not follow, because
submission of a cipher to a cryptanalysis contest by the inventor is
presumptive evidence of a grant of permission from the inventor for the
analysts to perform analysis.

Let's not take this to silly extremes.

>
>
> You probably can't even implement parts of it, so forget your calculations
> of the difference table for the S-boxes, for instance.
>
> Since the whole *point* of the cipher contest is to practice analysis,
> I can't see any reason to accept ciphers where analysis is prohibited.

It's not prohibited.


------------------------------

From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: Cipher design a fading field?
Date: 2 Jun 2000 16:27:16 -0700

In article <8h9c1b$cuv$[EMAIL PROTECTED]>,  <[EMAIL PROTECTED]> wrote:
> it appears that designing a strong block cipher is quite easy.

Sure.  Anyone can design a strong block cipher.  Just throw a gazillion
rounds at it, don't make any stupid mistakes, and it's probably secure.

The real trick is to design a strong block cipher that has good performance.
After all, if it's too slow, many people won't use it, and it doesn't matter
how strong your cipher is if it's not used.

At this point you might ask whether the performance of today's ciphers,
e.g. the AES, is adequate.  The answer is, apparently not yet: practitioners
still want much better performance than the best we know how to give them
today.  Maybe when we can give them encryption bandwidth that is higher
than memory and I/O bandwidths, we'll have this problem licked, but until
then, we're a long way from being able to declare victory.

So, is cipher design obsolete?  I say no.  I say, we've still got a long
way to go on the performance side.  And, we've got a long way to go on
assurance: How do we minimize the risk that our cipher gets broken?

------------------------------

Date: Fri, 02 Jun 2000 19:42:04 -0400
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Contest rule proposal



Andru Luvisi wrote:

> "Paul Pires" <[EMAIL PROTECTED]> writes:
> [snip]
> > An inventor has no legal standing or remedies from someone who is using
> > information in a patent in any way unless they commercialize it.
> [snip]
>
> I strongly suspect this is incorrect.  If it were true, wouldn't that
> mean that patents would not affect the authors of Free Software, only
> those who sell it or use it commercially?

If you are making and distributing products, even for free, you are assumed to
benefit from the process.  That benefit accrues to the owner of the patent
even if it is non-monetary.


------------------------------

From: [EMAIL PROTECTED]  (Your Name)
Crossposted-To: uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,talk.politics.crypto,alt.ph.uk,alt.conspiracy.spy,uk.telecom
Subject: Re: RIP Bill 3rd Reading in Parliament TODAY 8th May
Date: Fri, 02 Jun 2000 23:58:43 GMT

On Fri, 02 Jun 2000 17:48:03 GMT, [EMAIL PROTECTED]
(Jim) wrote:

>On Thu, 1 Jun 2000 19:52:30 +0100, "Scotty" <[EMAIL PROTECTED]> wrote:
>
>>Think about it, unknown to you, a friend whom you communicate with
>>regularly, is arrested in a drugs bust. The police turn up and want your
>>keys to decrypt all your communications. How will that look to a jury if you
>>forget your keys? The police can say you have been in regular communication
>>with a known drug dealer and they suspect your trips abroad have been used
>>to import drugs etc. On the 'balance of probability' it looks already as if
>>you're guilty of refusing a reasonable request to hand over your keys.
>
>And if you've been into drug-dealing in a big way, the two years
>in jail is cheap at the price...

My fascist-communist-totalitarian government (U.S.), labels anyone
who possesses a tiny amount of "drugs" as a "major trafficker".  It is
very good for the prison industrial complex and the government
licensed drug monopoly.

--Rich Eramian aka freeman at shore dot net

------------------------------

From: "Axel Lindholm" <[EMAIL PROTECTED]>
Subject: Re: otp breaktrough !!!!!!!!!!!!!
Date: Sat, 3 Jun 2000 02:00:31 +0200

did what? figured out how xor works? successfully installed w95?

"analyser" <[EMAIL PROTECTED]> wrote in message
news:Oftw3V$y$GA.303@net025s...
> analyser did it again !!!!!!!!!!!!
>
> it works......
>
>
>
>



------------------------------

Subject: Re: TC3 Update
From: tomstd <[EMAIL PROTECTED]>
Date: Fri, 02 Jun 2000 17:12:37 -0700

I fixed a bug in the key schedule and added a post-whiten step.

It's at http://www.tomstdenis.com/tc3.c

Tom

* Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!


------------------------------

From: Jim Steuert <[EMAIL PROTECTED]>
Subject: Re: Powers of s-boxes and other functions
Date: Fri, 02 Jun 2000 20:54:57 -0400
Reply-To: Jim, Steuert

Thanks, Tom
  I will look up Cauchy Theory. Your sboxgen.c is great, I've downloaded every
copy, although I haven't really played with it as much as I'd like to. What I am
more interested in, though, is the theory behind it. Your paper at your web site
is great, but doesn't go into some of your latest stuff, like why x^-1 mod a
primitive poly in GF(2^x) is good, or stuff like Single Cycle. Why is single
cycle a good thing?
  I've already learned a lot from your sbox writeup (and Terry Ritter's also),
but it seems like there is a lot of lore to be learned, and I for one would be
delighted if you could explain this stuff in more detail. Perhaps you could write
a book on s-boxes? In the process of explaining it to us, I'll bet you could come
up with a lot of original ideas. I for one would greatly appreciate more detailed
explanations in your creative programmer's style. That is why I liked Bruce
Schneier's classic book. (At my last job, everyone had a copy, and talked about it)
               Thanks,
                  Jim Steuert

tomstd wrote:

> In article <[EMAIL PROTECTED]>, Jim Steuert
> <[EMAIL PROTECTED]> wrote:
> >
> >
> >> tomstd wrote:
> >>
> >> Words of caution.  Permutation polynomials form terrible sboxes.
> >
> >Hi Tom again,
> >   But even small s-boxes can make excellent permutations for iterating.
> >In my previous reply I showed that they can be easily composed to
> >form powers, and thus iterate huge counts in logarithmic time.
> >
> >  They can also be made to have very long cycles. If an s-box has several
> >cycles internal to it (as in a->b, b->c, c->d, d->a) or in permutation cycle
> >notation, ( ...(abcd)...) and each internal cycle is of a different prime
> >length, then the entire s-box will not cycle until the product of those primes.
> >As an mxm s-box has 2^m inputs, then the requirement is that the sum
> >of those primes add up to less than 2^m. Which makes for a very long
> >cycle for easily designed s-boxes.
> >  Tom, did the composition cycle length ever come up in your study of
> >s-boxes?
>
> Yea, in Sboxgen you can choose to make single cycle sboxes, but
> I find they are rare... about 1/3 of a % of all 8x8 sboxes are
> single cycle...
>
> You will also want to look at fixed points when you look at the
> disjoint cycles.
>
> Of course it is possible to take several shorter length cycles
> and join them into a permutation (Cauchy Theory) but don't ask
> how.  I can't think right now...
>
> Tom


------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: No-Key Encryption
Date: Sat, 03 Jun 2000 00:54:03 GMT

On Fri, 02 Jun 2000 22:52:04 +0200, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote, in part:

>I see there could be a bigger misunderstanding between us. An
>operator '*' is commutative if A*B=B*A for any A and B. This is
>the standard definition of commutativity of operators, if I don't err.

It certainly is.

But M*A*B = M*B*A for all M,A,B does not necessarily imply that A*B =
B*A for all A,B.

I gave an example: perhaps M*Q = M*(-Q) for all M,Q, and A*B = -(B*A)
for all A,B. (For example, A*B might be |A| - |B|, although that
operator is not associative.)

John Savard (teneerf <-)
http://www.ecn.ab.ca/~jsavard/

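A finite check of the distinction John Savard draws, as an added example (not from his post): with A*B = |A| - |B|, the weaker property M*(A*B) = M*(B*A) holds for every M, A, B while A*B = B*A fails. Reading M*A*B as M*(A*B) is my assumption, since the operator is not associative; the integer range is a constructed test domain.

```python
import itertools


def star(a, b):
    """John Savard's sample operator: A*B = |A| - |B|.  Not associative,
    and A*B = -(B*A) for all A, B."""
    return abs(a) - abs(b)


def is_commutative(op, domain):
    """True iff op(a, b) == op(b, a) for every a, b in the finite domain."""
    return all(op(a, b) == op(b, a)
               for a, b in itertools.product(domain, repeat=2))


def weak_commutes(op, domain):
    """True iff op(m, op(a, b)) == op(m, op(b, a)) for every m, a, b:
    the M*A*B = M*B*A condition, read as M*(A*B) = M*(B*A)."""
    return all(op(m, op(a, b)) == op(m, op(b, a))
               for m, a, b in itertools.product(domain, repeat=3))


DOMAIN = range(-6, 7)   # constructed finite domain for the exhaustive check

if __name__ == "__main__":
    print("A*B = B*A for all A, B:", is_commutative(star, DOMAIN))      # False
    print("M*(A*B) = M*(B*A) for all M, A, B:", weak_commutes(star, DOMAIN))  # True
```

The point for a no-key (commutative-encryption) scheme is that the second property is the one a round-trip protocol actually exercises, and the check shows it can hold for an operator that does not commute.
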
------------------------------

Subject: Re: Powers of s-boxes and other functions
From: tomstd <[EMAIL PROTECTED]>
Date: Fri, 02 Jun 2000 18:28:41 -0700

In article <[EMAIL PROTECTED]>, Jim Steuert
<[EMAIL PROTECTED]> wrote:
>Thanks, Tom
>  I will look up Cauchy Theory. Your sboxgen.c is great, I've
>downloaded every copy, although I haven't really played with it as much
>as I'd like to. What I am more interested in, though, is the theory
>behind it. Your paper at your web site is great, but doesn't go into
>some of your latest stuff, like why x^-1 mod a primitive poly in
>GF(2^x) is good, or stuff like Single Cycle. Why is single cycle a good
>thing?

I actually don't know off hand why x^-1 sboxes are non-linear.
But I do know they fail SAC and are therefore not ideal sboxes
otherwise.

As for single cycle, it may prove useful, I dunno, it's just
a feature I have there..

>  I've already learned a lot from your sbox writeup (and Terry
>Ritter's also), but it seems like there is a lot of lore to be learned,
>and I for one would be delighted if you could explain this stuff in
>more detail. Perhaps you could write a book on s-boxes? In the process
>of explaining it to us, I'll bet you could come up with a lot of
>original ideas. I for one would greatly appreciate more detailed
>explanations in your creative programmer's style. That is why I liked
>Bruce Schneier's classic book. (At my last job, everyone had a copy,
>and talked about it)

Terry has a lot of good info on linear testing, but little
otherwise I think.  I will update my website when time permits,
note however it's not really my own info, just my
take/regurgitation of what I have read.

I still want to discuss xor-pairs on my website...

Tom



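The cycle-structure ideas in Jim Steuert's and Tom's posts above (composing an S-box with itself to iterate huge counts in logarithmic time, the cycle length of the whole box being the product of distinct prime internal cycle lengths, fixed points, and the rarity of single-cycle 8x8 S-boxes) worked through in code. This is an added example, not sboxgen.c or any code from either poster; the 16-entry S-box built from cycles of length 2, 3 and 5 and the single-cycle 8x8 table are constructed here for illustration.

```python
from functools import reduce
from math import gcd
import random


def cycles(sbox):
    """Disjoint cycle decomposition of a permutation given as a lookup table
    (sbox[x] is the image of x).  Fixed points come back as 1-element cycles."""
    n = len(sbox)
    if sorted(sbox) != list(range(n)):
        raise ValueError("table is not a permutation")
    seen, result = [False] * n, []
    for start in range(n):
        if seen[start]:
            continue
        cyc, x = [], start
        while not seen[x]:
            seen[x] = True
            cyc.append(x)
            x = sbox[x]
        result.append(cyc)
    return result


def fixed_points(sbox):
    return [x for x, y in enumerate(sbox) if x == y]


def is_single_cycle(sbox):
    return len(cycles(sbox)) == 1


def order(sbox):
    """Smallest k > 0 with sbox^k = identity: the lcm of the cycle lengths,
    which equals their product when the lengths are distinct primes."""
    return reduce(lambda a, b: a * b // gcd(a, b), (len(c) for c in cycles(sbox)), 1)


def compose(p, q):
    """Table of p o q, i.e. x -> p[q[x]]."""
    return [p[y] for y in q]


def power(sbox, k):
    """Table of sbox^k by repeated squaring: O(log k) compositions instead of k."""
    result, base = list(range(len(sbox))), list(sbox)
    while k:
        if k & 1:
            result = compose(base, result)
        base = compose(base, base)
        k >>= 1
    return result


def iterate(sbox, x, k):
    """Image of x after k applications of the S-box, without k table lookups."""
    return power(sbox, k)[x]


def from_cycles(n, cycle_list):
    """Build an n-entry permutation from cycles written in cycle notation;
    elements not listed become fixed points.  Cycle lengths must sum to at most n."""
    sbox, used = list(range(n)), set()
    for cyc in cycle_list:
        if used & set(cyc):
            raise ValueError("cycles must be disjoint")
        used.update(cyc)
        for i, x in enumerate(cyc):
            sbox[x] = cyc[(i + 1) % len(cyc)]
    return sbox


def single_cycle_fraction(n):
    """Exact fraction of the n! permutations that are a single n-cycle:
    (n-1)!/n! = 1/n.  For n = 256 that is about 0.39 %."""
    return 1 / n


def random_single_cycle_sbox(n, seed=0):
    """Constructed sample: one n-cycle running through a shuffled ordering of the entries."""
    rng = random.Random(seed)
    entries = list(range(n))
    rng.shuffle(entries)
    return from_cycles(n, [entries])


# Constructed 4x4 example: cycle lengths 2, 3 and 5 (sum 10 <= 16), six fixed points.
EXAMPLE = from_cycles(16, [[0, 1], [2, 3, 4], [5, 6, 7, 8, 9]])

if __name__ == "__main__":
    print("cycles:", cycles(EXAMPLE))
    print("order:", order(EXAMPLE), "fixed points:", fixed_points(EXAMPLE))
    print("x=2 after 10^18 steps:", iterate(EXAMPLE, 2, 10**18))
    s = random_single_cycle_sbox(256)
    print("single-cycle 8x8:", is_single_cycle(s), "order:", order(s))
```

order() takes the lcm rather than the product so that it is also right when cycle lengths share a factor; with distinct primes the two agree, as in Jim's post. single_cycle_fraction() gives the exact count rather than an empirical one: (n-1)!/n! = 1/n, so Tom's "about 1/3 of a %" for 8x8 boxes corresponds to 1/256, roughly 0.39 %.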

------------------------------

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Cipher design a fading field?
Date: 2 Jun 2000 23:30:21 GMT

[EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

> Given the results of the cipher contest, it appears that designing a
> strong block cipher is quite easy. Some 7 or 8 ciphers remain
> unattacked on the contest site.  Even assuming that all of the ciphers
> have some weakness, it seems that finding a -practical- weakness is
> very difficult.

I don't think we can be putting in enough effort.  Every now and then
someone throws in a really weak cipher, just to make sure that
everyone's awake, and it gets shredded very rapidly, but analysing
strongish ciphers is hard work, and it needs patience.

I'm particularly surprised that more headway hasn't been made against my
own effort, Storin, yet.  [As an aside, I can see an attack which breaks
3 rounds with a pair of chosen plaintexts and 2^{96} effort, using the
truncated differential I noted before and guessing the final round key.
After that, everything becomes too horrible for me to cope with.  Has
anyone got any linear cryptanalysis of Storin yet, by the way?]

> Why else is a new cipher required?  Will AES be the -final- cipher?

Block sizes and key lengths will probably march upwards as Moore's Law
continues inexorably.  I think the most interesting thing about most of
the AES candidates is how they handled diffusion across the larger block
size, without affecting speed even on low-end platforms.  I suspect that
this problem will become harder as block sizes increase further.

I also suspect that more attention ought to be focussed on other useful
primitives.  Hash functions, in particular, seem to be lagging behind.
Ever faster stream ciphers will be useful.  

Public key crypto appears to be stuck in a number-theoretic rut.  We
have RSA, and a bunch of discrete log systems over a variety of fields,
and there are little tweaks to make things smaller and faster, but it
all feels a bit tired.

And of course there's protocol and system design to do.  We have
protocols like SSL and IPsec, but they're not particularly elegant.  (I
also have objections to BER and DER as ways of representing anything,
but that's a different rant.)

> I study crypto as a fascinating hobby and will continue to do so.  My
> question is mostly aimed at commercial/military/government
> requirements.

I suspect that what will happen is that whichever cipher becomes AES
will generate new types of attacks and cipher proposals, much as DES
(eventually) led to differential and linear cryptanalysis, and more
advanced tools were invented for attacking new variants resistant to the
old methods.

It may take a while: differential cryptanalysis took about 13 years to
appear in public after DES was released into the world.  Be patient.

-- [mdw]

------------------------------

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Contest rule proposal
Date: 2 Jun 2000 23:35:05 GMT

Terry Ritter <[EMAIL PROTECTED]> wrote:
> 
> On 2 Jun 2000 22:14:27 GMT, in <[EMAIL PROTECTED]>, in
> sci.crypt [EMAIL PROTECTED] (Mark Wooding) wrote:
>
> >In fact, I'd go as far as to suggest that, while DES is a block cipher,
> >DES-ECB (which maintains no extra state) is a stream cipher.
> 
> I agree.  It is certainly streaming the block.  

No.  Not *the* block: the *sequence* of blocks which form the data to be
enciphered.  ECB is a degenerate case, I'll admit, but once you look at
it as a way to use a keyed permutation to encrypt an arbitrarily-sized
chunk of data my categorization may appear slightly more logical.  Or
maybe it won't and I'm just wrong and tired.

-- [mdw]

------------------------------

Date: Fri, 02 Jun 2000 23:06:47 -0300
From: "Paulo S. L. M. Barreto" <[EMAIL PROTECTED]>
Subject: Re: XTR (was: any public-key algorithm)

Mark Wooding wrote:
[snip]
> Microsoft's cryptographic stuff uses F_4 by default;

Try to use any RSA exponent 32 or more bits long and Windows will tell
you the modulus length is zero (even though it's displayed in its
entirety).  The circumstances under which I found this out were most
embarrassing :-(

Paulo Barreto.

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
