Cryptography-Digest Digest #935, Volume #11       Sun, 4 Jun 00 05:13:00 EDT

Contents:
  Re: DVD encryption secure? -- any FAQ on it (Guy Macon)
  Rivest's Multi-Grade Crypto (tomstd)
  Re: DVD encryption secure? -- any FAQ on it (Guy Macon)
  Re: DVD encryption secure? -- any FAQ on it (Guy Macon)
  Re: Cipher design a fading field? ("Trevor L. Jackson, III")
  Re: OT patent protection ("Trevor L. Jackson, III")
  Re: RIP Bill 3rd Reading in Parliament TODAY 8th May ("Scotty")
  Re: Cipher design a fading field? ("Douglas A. Gwyn")
  Re: Is OTP unbreakable?/Station-Station ("Douglas A. Gwyn")
  Re: Quantum computers ("Douglas A. Gwyn")
  Re: Concerning  UK publishes "impossible" decryption law ("Douglas A. Gwyn")
  Re: Self Shrinking LFSR (Forrest Johnson)
  Re: Self Shrinking LFSR (Forrest Johnson)
  Re: Pollard's algorithm for computing discrete logs (Scott Contini)
  Re: No-Key Encryption (John Savard)
  slfsr.c ([EMAIL PROTECTED])
  Re: Cipher design a fading field? (John Savard)
  Re: Good ways to test. (Mok-Kong Shen)
  Re: Cipher design a fading field? (Mok-Kong Shen)
  Re: Cipher design a fading field? (Mok-Kong Shen)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: DVD encryption secure? -- any FAQ on it
Date: 03 Jun 2000 21:33:16 EDT


A bit of background:  I was, until recently, an engineer with the
world's largest DVD and CD producer.  I designed mastering and
replication equipment, including an entire DVD-RAM/DVD-RW production
line.

David A. Wagner wrote:

>Actually, I'm told that the DVD
>pressing process was specially designed so that CD-pressing equipment
>could be used to press DVD's with little modifications.  One
>consequence is that criminals already in the CD-piracy business
>may find it relatively straightforward to expand into DVD-piracy.

Actually, make that a s**tload of modifications.  You have to make
the pits half as wide and half as long, make two half-thickness
discs that you must bond together with an adhesive that is one
half wavelength of red light thick, etc, etc...

>> The larger problem is the one I noted: consumer equipment
>> will not _write_ the reserved areas.  Modifying consumer
>> drives to write exact copies of CSS encoded DVDs is hard
>> enough that no such modifications are known to be available.
>
>Yes, that's my understanding, too.

The writable DVD format wars aren't over yet.  In my opinion,
any recordable DVD that doesn't allow unlimited copying like we
have with CD-R will die the death of the DAT tape (available, but
a total failure as a mainstream consumer technology).

It is also my opinion that high definition TV now has enough
of a head start to kill all DVD's (stamped and writable) within
the next ten years.  The as-yet-not-invented winner will still
play CDs and DVDs, of course, so your investment in media won't
be wasted like what happened with phonograph records.


------------------------------

Subject: Rivest's Multi-Grade Crypto
From: tomstd <[EMAIL PROTECTED]>
Date: Sat, 03 Jun 2000 18:37:01 -0700

In [1] Rivest presents an alternative to key escrow
called "Multi-Grade" Cryptography where each key is composed of
two parts, essentially K = (n0, n1).  The symmetric key has an
effective length of n = n0 + n1.  'n1' is considered fixed for a
specific time, and n0 changes per message. In his paper he
describes a 68/48 scheme where n0=48,n1=68 and the total key
size is 116 bits.  Each message has a fixed header composed of
C=Ek1(P) (for a known P) where k1 is the n1-bit key.  The idea
is that law enforcement could brute force k1 and then find k0
for each message with under 2^116 work.

The problem with the scheme is that if anyone else could perform
the brute force of k1 then they too could read the messages with
the same ease as law enforcement.

Unless I am mistaken his scheme won't work for that very
reason.  The only solution is to make k0 bigger and physically
hand over k1, which defeats the purpose of encryption, right?

Tom

[1] "Multi-Grade Cryptography", Ronald L. Rivest



* Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!
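The argument in the post above, as an added toy model (not code from the post and not Rivest's construction): a key K = (k0, k1) with a per-message k0 of N0 bits and a per-period k1 of N1 bits, every message headed by C = E_k1(P) for a public P. The sizes N0 = 10 and N1 = 14, the known P, the MAGIC plaintext prefix that lets a key guess be recognised, and the hash-based cipher are all assumptions chosen so that the brute force finishes in seconds; the post's 48/68 split is the same procedure with 2^68 + m*2^48 trials. The point it shows is that break_traffic needs nothing a warrant would supply: whoever can afford the 2^N1 header search reads every message for 2^N0 more each.

```python
"""Toy model of the two-part key scheme described in the post (not Rivest's actual
construction): K = (k0, k1), a per-message k0 of N0 bits and a per-period k1 of N1 bits,
with every message headed by C = E_k1(P) for a public P."""
import hashlib
import os

N0, N1 = 10, 14                   # assumed toy sizes; the post's 48/68 is not brute-forceable here
KNOWN_P = b"multi-grade header"   # the public P encrypted under k1 in every header
MAGIC = b"MSG:"                   # assumed plaintext prefix; it is how a key guess is recognised


def _kbytes(k):
    return k.to_bytes(16, "big")


def header_tag(k1):
    """C = E_k1(P): modelled as a keyed hash of the public P, depending on k1 only."""
    return hashlib.sha256(b"hdr" + _kbytes(k1) + KNOWN_P).digest()[:16]


def _keystream(k0, k1, nonce, length):
    """Body keystream under the full n0 + n1 bit key (counter-mode hash)."""
    out, ctr = b"", 0
    while len(out) < length:
        block = b"body" + _kbytes(k0) + _kbytes(k1) + nonce + ctr.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        ctr += 1
    return out[:length]


def encrypt(k0, k1, plaintext):
    """Returns (header, nonce, body); the header leaks nothing about k0."""
    nonce = os.urandom(8)
    pt = MAGIC + plaintext
    body = bytes(a ^ b for a, b in zip(pt, _keystream(k0, k1, nonce, len(pt))))
    return header_tag(k1), nonce, body


def decrypt(k0, k1, nonce, body):
    """Returns the plaintext, or None when the key guess does not reproduce MAGIC."""
    pt = bytes(a ^ b for a, b in zip(body, _keystream(k0, k1, nonce, len(body))))
    return pt[len(MAGIC):] if pt.startswith(MAGIC) else None


def recover_k1(header):
    """Brute-force the period key from one header: at most 2**N1 trial encryptions of P."""
    for k1 in range(1 << N1):
        if header_tag(k1) == header:
            return k1, k1 + 1          # (key, trials spent)
    raise ValueError("header matches no k1")


def recover_k0(k1, nonce, body):
    """With k1 known, each message costs at most 2**N0 trial decryptions."""
    for k0 in range(1 << N0):
        pt = decrypt(k0, k1, nonce, body)
        if pt is not None:
            return k0, pt, k0 + 1      # (key, plaintext, trials spent)
    raise ValueError("body matches no k0")


def break_traffic(messages):
    """Recover every plaintext from the ciphertexts alone.  Nothing here uses a secret or
    a warrant, which is the post's objection: anyone who can afford 2**N1 work is
    'law enforcement'.  Returns (k1, [(k0, plaintext), ...], total trials)."""
    k1, work = recover_k1(messages[0][0])
    recovered = []
    for header, nonce, body in messages:
        if header != messages[0][0]:
            raise ValueError("mixed periods: k1 changed between messages")
        k0, pt, w = recover_k0(k1, nonce, body)
        work += w
        recovered.append((k0, pt))
    return k1, recovered, work


def work_bound(num_messages):
    """Upper bound on trials: 2**N1 once, plus 2**N0 per message (2**68 + m*2**48 in the post)."""
    return (1 << N1) + num_messages * (1 << N0)


if __name__ == "__main__":
    k1 = 12345                                    # constructed period key (< 2**N1)
    pairs = [(7, b"meet at noon"), (900, b"bring the disc"), (1023, b"burn after reading")]
    traffic = [encrypt(k0, k1, msg) for k0, msg in pairs]   # constructed sample traffic
    found_k1, plain, work = break_traffic(traffic)
    print(f"k1={found_k1} messages={plain} trials={work} bound={work_bound(len(traffic))}")
```

The only thing separating the eavesdropper from the escrow agent in this model is the budget for recover_k1; once k1 is paid for, every message in the period falls for 2^N0 trials, exactly as the post says.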


------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: DVD encryption secure? -- any FAQ on it
Date: 03 Jun 2000 21:47:30 EDT

Bryan Olson wrote:
>
>Incidentally, I have two computers that can play DVD movies,
>three computer DVD drives, two PCI DVD decoders, several
>working versions of three software players and a set-top DVD
>player.  I've defeated Macrovision everywhere and region
>coding on the computers.  I've modified hardware, firmware
>and software.  I've de-CSS'ed and played the result from a
>hard-drive.  I've made bit-for-bit copies of CD's. But in my
>many hours of research (=surfing) on the subject, I have not
>even heard anyone report success in making working
>bit-for-bit copies of protected DVD's.

I have.

Of course, I cheated.  I used a factory that produces DVDs.
Those who aren't engineers in DVD production plants have all
failed.

>If the (now broken) DVD protection system was not a copy
>protection mechanism at all, how come it prevented so many
>people from making copies?

The problems that prevent copying are there whether or not
the encryption is applied.  Those of us in the industry know that
it was never a serious antipiracy technique.

>If someone thinks that nothing
>stops them from making bit-for-bit DVD copies, would it be
>too much to ask that they actually do so before telling us
>how easy it is?

Here is why NO copy protection scheme will stop the pirate
with a factory:  I can capture any pattern that anyone can put
on a CD or DVD and make a copy that isn't just bit for bit
the same, but *pit* for *pit* the same, including holographs,
embedded images, etc.

If you want to know why you can't copy a DVD, just look at who
owns the content, then look at who owns the factories that make
the players.  Enlightenment will follow.


------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: DVD encryption secure? -- any FAQ on it
Date: 03 Jun 2000 22:00:10 EDT

David A. Wagner wrote:
>
>
>In article <8h9ba6$cds$[EMAIL PROTECTED]>,
>Bryan Olson  <[EMAIL PROTECTED]> wrote:
>> What I mean is that having the bunch of bits - the easy part
>> of the copying process - is not sufficient.  You have to
>> create media that looks like a legit DVD.  It is not the
>> case that if one can read a DVD one can make a (working)
>> bit-for-bit copy.
>
>Sure it is.  It may require hardware -- special hardware
>to press a master, etc. -- and it may require money, but
>it's the same process as used to mass-manufacture DVD's
>(and almost the same process as used to mass-manufacture
>or mass-pirate CD's, I'm told).  There are no secrets
>involved, no codebreaking required.  Bits is bits.
>
>Sure, you can't go to a website and download the software
>to do bit-for-bit copies.  It's not a software attack.
>Consequently, we don't expect Joe Sixpack to be doing bit-for-bit
>copies in his basement.  But it would be foolish to expect
>that the criminals interested in mass piracy will be stopped
>by the requirements for DVD-pressing equipment.

Exactly correct.  And you can quote me as a recognized expert.

>> If the (now broken) DVD protection system was not a copy
>> protection mechanism at all, how come it prevented so many
>> people from making copies?
>
>I wouldn't go that far.  I would say that it is a pretty sloppy
>design, for a copy protection mechanism.  It is ridiculous to
>expect copy protection when you've got software players.

Cryptography is useless when you can buy the key for $100.
To think that even putting the key in silicon will change
this is wishful thinking.  DVD Encryption was never even
presented to us as a copy protection scheme.

>And then, on top of that, the DVD system goes and uses some
>horribly broken cryptography.

And I know why.  It's the pointy haired boss effect.  Microsoft
(who I believe is behind all of this) wasn't able to get the
people who made the format to do a good job.

>On the other hand, as a player control and monopoly-enforcing
>mechanism, it is an almost barely plausible design, if we ignore
>for a moment that they're using an utterly broken stream cipher.

When they first presented the format to us, they made it sound
like the encryption was a digital signature, just like those tiny
numbers you find stamped into the plastic on every CD and DVD
(details available if anyone is interested).  Would anyone care
to comment on the scheme's suitability for this purpose?


------------------------------

Date: Sat, 03 Jun 2000 22:18:32 -0400
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Cipher design a fading field?

Benjamin Goldberg wrote:

> Mok-Kong Shen wrote:
> >
> > tomstd wrote:
> >
> > > Quite to the contrary, the AES ciphers are faster and more secure
> > > than DES.  So your idea of fast != secure is invalid.
> >
> > There are more issues involved than is apparent. One has also to
> > take technological advances into consideration. A modern airplane
> > is, for example, considerably more secure than a vessel of the 18th
> > century.
>
> We're talking about software, not hardware... The AES algorithms are
> faster than DES even when run on the same machinery.  If I use RC6
> on a machine that DES was designed for, RC6 will still be faster
> and more secure than a DES cipher of the same keylength.

Other than the larger key space, how did you conclude that RC6 is more secure
than DES?



------------------------------

Date: Sat, 03 Jun 2000 22:19:31 -0400
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: OT patent protection

Tim Tyler wrote:

> Trevor L. Jackson, III <[EMAIL PROTECTED]> wrote:
>
> : For a treatment of the negative effects of lack of patent systems read the
> : industrial history of the USSR,  it's sad. [...]
>
> Many other factors were involved there, though.

True.  But lack of incentive for innovation was a material factor.



------------------------------

From: "Scotty" <[EMAIL PROTECTED]>
Crossposted-To: 
uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,talk.politics.crypto,alt.ph.uk,alt.conspiracy.spy,uk.telecom
Subject: Re: RIP Bill 3rd Reading in Parliament TODAY 8th May
Date: Sun, 4 Jun 2000 00:16:36 +0100


Jim wrote in message <[EMAIL PROTECTED]>...
>On Thu, 1 Jun 2000 19:52:30 +0100, "Scotty" <[EMAIL PROTECTED]> wrote:
>
>>Think about it, unknown to you, a friend whom you communicate with
>>regularly, is arrested in a drugs bust. The police turn up and want your
>>keys to decrypt all your communications. How will that look to a jury if
>>you forget your keys? The police can say you have been in regular
>>communication with a known drug dealer and they suspect your trips abroad
>>have been used to import drugs etc. On the 'balance of probability' it
>>looks already as if you're guilty of refusing a reasonable request to
>>hand over your keys.
>
>And if you've been into drug-dealing in a big way, the two years
>in jail is cheap at the price...
>

And if you have genuinely forgotten your password it's a very heavy price.
This is a law directed against every innocent person who knowingly or
otherwise receives an email from a known criminal. It could be wrongly
addressed to you, using someone else's public key; you may be completely
unable to decrypt it; it makes no difference, it's enough to jail you.
Saying you don't have the key won't work - it would just be your word
against the police, and who would a jury believe?



------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Cipher design a fading field?
Date: Sun, 04 Jun 2000 04:03:12 GMT

[EMAIL PROTECTED] wrote:
> That being said, is cipher design an obsolete enterprise?
> If a group of amateurs can design a strong cipher then
> certainly governments can.

(a) It has not been demonstrated that a group of amateurs can
in fact design a truly "strong" cipher.

(b) I wish that the amateurs would quit inventing a plethora
of new encryption schemes until they have figured out how to
defeat the existing ones.  This may be relevant to your thesis.

> Will AES be the -final- cipher?

Of course not.  It won't even be the final encipherment
scheme that somebody eventually figures out how to crack.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Is OTP unbreakable?/Station-Station
Date: Sun, 04 Jun 2000 04:04:33 GMT

Greg wrote:
> Not if there was a continuous stream of noise to confuse where the
> messages began.

No, that's only a weak subterfuge that we could defeat without
much more effort than needed to crack the message anyway.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Quantum computers
Date: Sun, 04 Jun 2000 04:07:23 GMT

DrArm wrote:
> Is it true that NSA has a quantum computer for codebraking?

I think you mean "codebreaking".
It is highly unlikely that any such device has yet reached
such a practical stage of development.
Of course, even if it had, it would not be a magic wand to
wave at all kinds of "codes" (ciphers, actually), but would
rather be specialized for certain tasks such as factoring.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Concerning  UK publishes "impossible" decryption law
Date: Sun, 04 Jun 2000 04:11:40 GMT

"John G. Otto" wrote:
> DES, single, double or triple was designed to allow governments
> to crack it.

Although it was expected that the original DES would eventually
be crackable with sufficient effort if the need arose, 3DES was
invented (not by the government!) solely as a way to build
DES-compatible systems using longer keys, to make cracking far
less feasible.

------------------------------

From: Forrest Johnson <[EMAIL PROTECTED]>
Subject: Re: Self Shrinking LFSR
Date: 4 Jun 2000 04:12:20 GMT

In article <[EMAIL PROTECTED]> Scott Nelson,
[EMAIL PROTECTED] writes:
>>If anyone just wants tap sequences, that site also has lists of all
>>maximal length tap sequences for registers up to 24 bits plus 2, 4, and 6
>>tap ML sequences for 25 to 32 bits.  I'm working on a list of dense (half
>>the bits or more involved) sequences for the latter -- maybe a couple
>>more weeks.
>
>It may take a /bit/ longer than a couple of weeks to brute
>force the dense 32 bit ML sequences.
>
To be sure.  I meant a list of *some* dense sequences for each register
length in addition to the 2, 4, and 6 tap sequences already listed.

------------------------------

From: Forrest Johnson <[EMAIL PROTECTED]>
Subject: Re: Self Shrinking LFSR
Date: 4 Jun 2000 04:31:33 GMT

In article <[EMAIL PROTECTED]> Scott Nelson,
[EMAIL PROTECTED] writes:
>You may be right.
>I've been unable to locate a definitive reference for
>the meanings of primitive and irreducible, so can neither confirm
>nor deny it.  However, it's clear that to be maximal
>length a polynomial must be both primitive and irreducible.
>
It looks like you're not alone.  I checked on <
http://mathworld.wolfram.com/IrreduciblePolynomial.html> and they give a
test for irreducible polynomials while claiming it's a test for
primitives.  (I sent them email last week about it, but so far no
response.)

>>You also stated that "Approximately 1/16 of the chosen polys are maximal
>>length".  I might be tripping over the term "chosen", but there are 2048
>>max length polynomials (out of 65535 possible) for a 16 bit LFSR.  Maybe
>>your program restricts the choice of polynomials to test to a subset of
>>that 65535 and that's where the 1/16 comes from.
>>
>There are only 32768 16 bit values with the high bit set.
>The other 32768 values aren't properly 16 bit LFSR's, but if
>one included them, then there would be more than 2048 that work.
>
I found the reference I was looking for.  The Euler Totient function can
be used to predict the number of maximal length polynomials for an n bit
LFSR:

NumMaxPoly = EulerPhi[2^n - 1]/n

Golomb has a list of the number of maximal length polys in his book, plus
there's one at:

<http://www.research.att.com/cgi-bin/access.cgi/as/njas/sequences/eisA.ci?Anum=011260>

All of these (the function, your reckoning, and the two lists) come out
to 2048 for a 16 bit LFSR.
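The two questions running through both Self Shrinking LFSR posts above (whether "primitive" and "irreducible" mean the same thing, and how many maximal-length tap sequences an n-bit register has), worked as an added example that is not code from the thread. The formula is the one quoted in the post, EulerPhi[2^n - 1]/n; the brute-force counter enumerates every degree-n feedback polynomial (an int with bit n set, bit i the coefficient of x^i), tests irreducibility with the Ben-Or gcd test, and then tests for maximal length by checking that x has order exactly 2^n - 1 modulo the polynomial. Running it for n = 16 by brute force takes a while in Python, so main() brute-forces the small sizes and only evaluates the formula at 16, where it gives the 2048 the post mentions; the polynomial x^4+x^3+x^2+x+1 is the standard witness that irreducible does not imply maximal length.

```python
"""Counting maximal-length (primitive) feedback polynomials over GF(2) and separating
them from merely irreducible ones.  A degree-n polynomial is an int with bit n set;
bit i is the coefficient of x^i."""


def prime_factors(m):
    """Distinct prime factors of m by trial division (m = 2**n - 1 is small here)."""
    factors, q = [], 2
    while q * q <= m:
        if m % q == 0:
            factors.append(q)
            while m % q == 0:
                m //= q
        q += 1
    if m > 1:
        factors.append(m)
    return factors


def euler_phi(m):
    result = m
    for q in prime_factors(m):
        result = result // q * (q - 1)
    return result


def predicted_max_poly_count(n):
    """The post's formula: NumMaxPoly = EulerPhi[2^n - 1] / n."""
    return euler_phi((1 << n) - 1) // n


def poly_mulmod(a, b, p, n):
    """a * b in GF(2)[x] reduced modulo p, where p has degree n and a, b < 2**n."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> n) & 1:
            a ^= p
    return r


def poly_powmod(a, e, p, n):
    r = 1
    while e:
        if e & 1:
            r = poly_mulmod(r, a, p, n)
        a = poly_mulmod(a, a, p, n)
        e >>= 1
    return r


def poly_gcd(a, b):
    """Euclid over GF(2)[x]; the result is 1 exactly when a and b are coprime."""
    while b:
        while a and a.bit_length() >= b.bit_length():
            a ^= b << (a.bit_length() - b.bit_length())
        a, b = b, a
    return a


def is_irreducible(p, n):
    """Ben-Or test: p has no factor of degree <= n/2 iff gcd(x^(2^i) - x, p) = 1 for i <= n/2."""
    h = 2                                  # the polynomial x
    for _ in range(n // 2):
        h = poly_mulmod(h, h, p, n)        # h = x^(2^i) mod p
        if poly_gcd(h ^ 2, p) != 1:        # h ^ 2 is h - x over GF(2)
            return False
    return True


def is_primitive(p, n):
    """Maximal length: p irreducible and x of order exactly 2**n - 1 in GF(2)[x]/(p)."""
    if not is_irreducible(p, n):
        return False
    m = (1 << n) - 1                       # x**m == 1 for every irreducible p of degree n,
    return all(poly_powmod(2, m // q, p, n) != 1 for q in prime_factors(m))   # so check no proper divisor


def count_irreducible(n):
    return sum(1 for p in range(1 << n, 1 << (n + 1)) if is_irreducible(p, n))


def count_primitive(n):
    """Brute force over all 2**n degree-n polynomials; compare with predicted_max_poly_count."""
    return sum(1 for p in range(1 << n, 1 << (n + 1)) if is_primitive(p, n))


if __name__ == "__main__":
    for n in (4, 8, 10, 12):
        print(n, count_irreducible(n), count_primitive(n), predicted_max_poly_count(n))
    print(16, predicted_max_poly_count(16))   # 2048, the figure in the thread
    # x^4 + x^3 + x^2 + x + 1 (0b11111) is irreducible but x has order 5, not 15:
    print(is_irreducible(0b11111, 4), is_primitive(0b11111, 4))
```

The gap between count_irreducible and count_primitive is the distinction the thread was missing: every primitive polynomial is irreducible, but for n = 4 only two of the three irreducible polynomials give a maximal-length register, and for n = 8 only 16 of 30.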

------------------------------

From: [EMAIL PROTECTED] (Scott Contini)
Subject: Re: Pollard's algorithm for computing discrete logs
Date: 4 Jun 2000 06:04:12 GMT

In article <[EMAIL PROTECTED]>,
Mok-Kong Shen  <[EMAIL PROTECTED]> wrote:
>
>
>Scott Contini wrote:
>
>> See "Speeding up Pollard's Rho Method for Computing Discrete Logarithms"
>> by Edlyn Teske.
>
>In which journal is that?
>
>M. K. Shen
>


Not sure which journal it appeared in, but it is available from her
homepage:

http://www.cacr.math.uwaterloo.ca/~eteske/

Scott


------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: No-Key Encryption
Date: Sun, 04 Jun 2000 07:24:49 GMT

On Sun, 04 Jun 2000 00:43:35 +0200, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote, in part:

>I suppose one has to assume that the operator '*' takes different TYPES
>of operands on the left and right. Then your argument can go through.
>Otherwise, if two data items are of the same data type, then everywhere
>the one item is used can (by definition!) be occupied by the other and
>there can be no further 'distinctions'

All we know about * is that it is associative, that there exists some
way to invert M*A to obtain M, and M*A*B = M*B*A for all M, A, B. Yes,
its arguments on both sides come from the same domain.

If there is a way to use associativity to get from M*A*B = M*B*A to
A*B = B*A, I would like to see it. I could not come up with a rigorous
proof of that. Associativity does mean, though, as I _was_ able to
show, that one can find Q*A and Q*B for any Q, which is close enough
to finding A and B to make me feel it is unlikely that any associative
* will be secure.

Although we don't know that (M*A*B)/(M*A) is equal to B, we do know
that Q*M*(A*B) = Q*(A*B)*M = (Q*A)*B*M = (Q*A)*M*B, which can then be
divided by M*B to yield Q*A for any Q. One can only use the given
facts, not make any assumptions.

John Savard (teneerf <-)
http://www.ecn.ab.ca/~jsavard/

------------------------------

From: [EMAIL PROTECTED]
Subject: slfsr.c
Date: Sun, 04 Jun 2000 07:35:54 GMT

Thanks tomstd for this program and
your contribution in crypto.

Your prog passes the diehard test ...

Is a 64-bit slfsr easy to crack
(predict the sequence)???

Same question for more bits, 128 etc...





Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Cipher design a fading field?
Date: Sun, 04 Jun 2000 08:13:26 GMT

On Sun, 04 Jun 2000 04:03:12 GMT, "Douglas A. Gwyn" <[EMAIL PROTECTED]>
wrote, in part:
>[EMAIL PROTECTED] wrote:

>> That being said, is cipher design an obsolete enterprise?
>> If a group of amateurs can design a strong cipher then
>> certainly governments can.

>(a) It has not been demonstrated that a group of amateurs can
>in fact design a truly "strong" cipher.

I wouldn't want to try decrypting something enciphered using Blowfish.

But you are right, although what 'has not been demonstrated' is very
nearly inherently impossible to demonstrate.

>(b) I wish that the amateurs would quit inventing a plethora
>of new encryption schemes until they have figured out how to
>defeat the existing ones.  This may be relevant to your thesis.

But just because _they_ don't know how to crack the existing ones
doesn't mean...

>> Will AES be the -final- cipher?

>Of course not.  It won't even be the final encipherment
>scheme that somebody eventually figures out how to crack.

that someone else might not. So, people who want security *now* might
well need something that has a chance of being better than what
exists.

I agree that cryptanalytic results are far more useful and important
than new cipher designs. But even if there is no known 'crack' for
DES, its fixed S-boxes, and its key schedule in which every bit is a
bit of the original key offer a potential for attack that many
'amateur' designs have foreclosed.

John Savard (teneerf <-)
http://www.ecn.ab.ca/~jsavard/

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Good ways to test.
Date: Sun, 04 Jun 2000 10:30:43 +0200



tomstd wrote:

> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>
> >tomstd wrote:
> >
> >> Freedom of thought has nothing to do with this.  I am not trying
> >> to force my will on ya, I am telling you the truth.
> >>
> >
> >So you are the greatest philosopher of all time. What you say IS
> >truth. Philosophers of the past are apparently more humble.
>
> Oh stop being an idiot.
>
> Are you trying to tell me that no drug ever released as 'safe'
> has ever had an adverse side effect?

You are answering presently out of context. Did the lines quoted
above ever contain the word 'drug'??? Yes, previously you (not
I!) started to argue based on the issue of drugs and I answered
your arguments. You employed those numerical figures. I said
these were not appropriate as materials for an analogy, because
there are no corresponding numerical measures in my opinion.
Anyway, you may be right or I may be right. Since, however, your
follow-up thereafter started to go outside of the proper
style of scientific discussion in my personal view, I have attempted
to terminate that line of discussion in that I expressed my wish that
your arguments would be accepted by many people but that I
remain unconvinced. Wasn't that polite and fair enough on my part
to stop the dispute??? Now answer to the above: It was YOU
who wanted to TELL me something about drugs, not the reverse!!!

M. K. Shen



------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Cipher design a fading field?
Date: Sun, 04 Jun 2000 10:57:45 +0200



Benjamin Goldberg wrote:

> Mok-Kong Shen wrote:
> >
> > tomstd wrote:
> >
> > > Quite to the contrary, the AES ciphers are faster and more secure
> > > than DES.  So your idea of fast != secure is invalid.
> >
> > There are more issues involved than is apparent. One has also to
> > take technological advances into consideration. A modern airplane
> > is, for example, considerably more secure than a vessel of the 18th
> > century.
>
> We're talking about software, not hardware... The AES algorithms are
> faster than DES even when run on the same machinery.  If I use RC6
> on a machine that DES was designed for, RC6 will still be faster
> and more secure than a DES cipher of the same keylength.

Perhaps what I wrote is indeed not clear enough. My point was that
one can't properly argue the speed vs security issue based on DES
(which is old) and AES (which is new), because there is a big time span
between these, during which the technology has much advanced. This
can be clearly seen through the case I indicated.

M. K. Shen



------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Cipher design a fading field?
Date: Sun, 04 Jun 2000 10:57:30 +0200



tomstd wrote:

> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>
> >I must point out that your questions above don't have 'direct'
> >relationship to what I wrote. I was saying that if one wants a cipher
> >to be extremely economical in memory usage and also extremely
> >fast, then its strength understandably would be lower than a similarly
> >well designed cipher under relaxed (such) requirements. Isn't that
> >at least plausible and intuitively clear?
>
> I disagree again.  I think if enough work is put into the cipher
> then you can have both compact and efficient ciphers that are
> also secure.

Two points:

1. How much is actually 'enough' (especially in context of cryptology)?

2. I assumed in my arguments that EQUAL expertise, energy, etc. are
    invested to develop the two algorithms being compared, only that
    the one has very stringent memory and performance requirements
    while the other doesn't. (To see my point, one could take the
    extreme hypothetical case of requiring an algorithm to fit in 200
    bytes and yet compete with, say, DES.)

M. K. Shen



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
