Cryptography-Digest Digest #22, Volume #12       Tue, 13 Jun 00 21:13:01 EDT

Contents:
  Re: Cryptographic voting ("Trevor L. Jackson, III")
  Re: Session key transmission ("Lyalc")
  Re: My latest paper on Block Ciphers ("Brian Gladman")
  Re: Cipher design a fading field? ("Trevor L. Jackson, III")
  Re: Updated: Evidence Eliminator Dis-Information Center (Includes info on false SPAM 
accusations) (Dave Howe)
  Re: Random sboxes... real info (zapzing)
  Re: Can we say addicted? (Tim Tyler)
  Re: Random sboxes... real info (Tim Tyler)
  Re: Cipher design a fading field? (John Savard)
  Re: quantum cryptography at nytimes.com (Tim Tyler)

----------------------------------------------------------------------------

Date: Tue, 13 Jun 2000 18:51:22 -0400
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Crossposted-To: sci.math
Subject: Re: Cryptographic voting

zapzing wrote:

> In article <8i4i9u$bit$[EMAIL PROTECTED]>,
>   Greg <[EMAIL PROTECTED]> wrote:
> >
> > > > Tyranny is kept at bay by guns and will.  Our government
> > > > knows we have the guns, but they don't know if we have
> > > > the will.  Nor do we.
> > > > The only lawful gun law on the books- the second amendment.
> > >
> > > Personally I think cryptography works better than
> > > guns. for a gun to work you first must know
> > > *who* to shoot. Then you have to be there with
> > > your gun, get him before he gets you ...
> > > All very messy.
> >
> > But the tyrant with a gun can stop you from using your PC.
>
> If any government tries to stop people
> from using PCs they will only accomplish
> the economic collapse of their country.
> After that, the country will be invaded
> by hopefully more reasonable people.

Would that your claims were true.  But they are not.  They are the product of
fairy tales.

Due to the passing of the dictator/megalomaniac/tyrant, the Syrian situation is
getting a bit of scrutiny.  How oppressive is a country in which you'd be
arrested for owning a cellular phone?  How much economic cost is there to the
law against credit cards?  How backward is a country that forbids any internet
access?

They are "merely" one of the major players in the Mideast.

The only true solution is to fertilize the Syrian tree of liberty.  You can't
do that with PCs.


------------------------------

From: "Lyalc" <[EMAIL PROTECTED]>
Subject: Re: Session key transmission
Date: Wed, 14 Jun 2000 08:48:33 +1000

This is a discussion about transmission.
Each party relies upon the other to keep the keys, used for transmission
security, secure.  If either party fails to do that, the transmission link
is no longer as secure.

Whether the keys are public or private, the risk of key exposure is the
same - just different key names (private or symmetric).

Using these transmission keys, symmetric or otherwise, for other non-transmission
functions (e.g. disk file encryption) is simply foolish when this external
trust aspect exists.

Lyal


jkauffman wrote in message <[EMAIL PROTECTED]>...
>In article <[EMAIL PROTECTED]>, Mok-Kong Shen
><[EMAIL PROTECTED]> wrote:
>> Certainly, if the communication partners have no way of
>> obtaining a shared secret key, then using public key is
>> a necessity. Suppose, however, they have a secret key.
>> Then they can use that as a master key to create the
>> session key when it is needed through encrypting a random
>> number with an algorithm (the same as used to encrypt the
>> message proper or a different one) and prefix the random
>> number to the ciphertext (obtained with the session key).
>> The receiver first uses the random number to get the
>> session key and then decrypts the ciphertext. In that way,
>> the risk of the master key being compromised would be the
>> same as that for the private key, I suppose. (On the other
>> hand, I can see an essential advantage of the public key in
>> case n persons need to communicate with one another, since
>> only n private keys need be kept secret, while there are
>> n(n-1) secret keys (n(n-1)/2 different ones) with symmetric
>> cryptography.)
>> Thanks for your help in advance.
>> M. K. Shen
>
>This is still less secure than the public/private key
>solution because two parties need to hold a secret key, as
>opposed to the pki solution where only one party holds its
>private key. From the point of view of party A who wants to
>protect their data, having to share a key with party B is a
>clear risk. How can A trust B to keep the key secret in the
>long term?
>
>
>* Sent from AltaVista http://www.altavista.com Where you can also find
related Web Pages, Images, Audios, Videos, News, and Shopping.  Smart is
Beautiful
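The master-key scheme Shen sketches above, as an added example (my own code, not from any poster in this thread): the sender picks a fresh random number R, both sides derive the session key from (master key, R), and the packet is R followed by the ciphertext. HMAC-SHA256 is assumed in place of the unspecified "algorithm" that encrypts R, the message cipher is a constructed HMAC counter-mode keystream, and an authentication tag is added, which Shen's sketch does not mention; keys_to_keep_secret restates his n versus n(n-1)/2 count.

```python
"""Session keys from a shared master key, after M. K. Shen's sketch: the
sender picks a random number R, both sides derive the session key from
(master key, R), and the packet sent is R || Enc(Ks, message)."""
import hashlib
import hmac
import os

NONCE_LEN = 16  # bytes of the random number R sent in the clear (assumption)
TAG_LEN = 32    # HMAC-SHA256 tag; Shen's sketch has none (added here)


def derive_keys(master_key, nonce):
    """HMAC-SHA256 stands in for 'encrypting the random number with the
    master key'.  The labels tie these keys to this one purpose, so the
    master key is never reused for other jobs (Lyalc's warning above)."""
    enc = hmac.new(master_key, b"session-enc|" + nonce, hashlib.sha256).digest()
    mac = hmac.new(master_key, b"session-mac|" + nonce, hashlib.sha256).digest()
    return enc, mac


def _xor_keystream(key, data):
    """Constructed counter-mode stream cipher: keystream block i = HMAC(key, i)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(d ^ s for d, s in zip(data, stream))


def seal(master_key, message, nonce=None):
    """Sender: R || ciphertext || tag.  R must not repeat under one master key:
    a repeated R repeats the session key and therefore the whole keystream."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    enc_key, mac_key = derive_keys(master_key, nonce)
    body = nonce + _xor_keystream(enc_key, message)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def is_authentic(master_key, packet):
    """True iff the tag verifies under the session MAC key derived from R."""
    if len(packet) < NONCE_LEN + TAG_LEN:
        return False
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    _, mac_key = derive_keys(master_key, body[:NONCE_LEN])
    return hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest())


def open_packet(master_key, packet):
    """Receiver: rebuild the session key from R, check the tag, then decrypt."""
    if not is_authentic(master_key, packet):
        raise ValueError("authentication failed: wrong master key or altered packet")
    body = packet[:-TAG_LEN]
    enc_key, _ = derive_keys(master_key, body[:NONCE_LEN])
    return _xor_keystream(enc_key, body[NONCE_LEN:])


def keys_to_keep_secret(n):
    """Shen's count for n parties: n private keys with public-key cryptography
    versus n(n-1)/2 distinct pairwise secrets with symmetric cryptography."""
    return n, n * (n - 1) // 2
```

A round trip is `open_packet(master, seal(master, message))`; a second party holding the same master key can do the same, which is exactly the shared-secret exposure jkauffman objects to.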



------------------------------

Reply-To: "Brian Gladman" <[EMAIL PROTECTED]>
From: "Brian Gladman" <[EMAIL PROTECTED]>
Subject: Re: My latest paper on Block Ciphers
Date: Tue, 13 Jun 2000 23:47:46 +0100


"Paul Koning" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> tomstd wrote:
> >
> > I have just finished the Draft of my latest paper.  It's called
> >
> > "On Cryptographically Strong F Functions"
> >
> > And is available (sorry) only in Word97 format at
>
> You're going to find it much easier to get people interested
> in looking at things if you post PDF files.  Or even PS files.
> PDF files you can do easily, though it may cost you a small
> sum to get the needed software.  (Or perhaps not anymore?).
> PS you can do with Word at no charge, just install the PostScript
> printer driver.

I use MS Word and, as you suggest, it is easy to output in PostScript by
installing a PostScript printer driver.  Ghostscript can then be used to
convert from PS to PDF format using its 'pdfwrite' driver.  So it's not
difficult to get from Word to PDF for free.  I have not tried to convert
equation editor maths by this route, however.

   Brian Gladman




------------------------------

Date: Tue, 13 Jun 2000 19:27:41 -0400
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Cipher design a fading field?

"Douglas A. Gwyn" wrote:

> Tim Tyler wrote:
> > Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
> > : Actually the programs involved don't have to be very large.
> > : Chaitin has a rather small one for his specialized version of LISP.
> > They *have* to be potentially unboundedly large for the halting problem to
> > exist.
>
> Nope.
>
> > If the size of the program is constrained, a halting determination program
> > could be written which enumerates all programs of that size or shorter and
> > lists whether they halt or not.
>
> It "lists" them how?

Turing programs can be written as input to a UTM.  Such inputs are a sequence of
ones and zeros, so they are an integer.  The list is ordered by the respective
integer values.

>
>
> > I cannot myself envisage a proof of security for a cypher system.
> > This personal incredulity is by no means conclusive evidence - but
> > I am pretty certain that no such proof currently exists for any cypher
> > system, at least without making use of un-physical assumptions.
>
> That is an argument from ignorance (no insult intended), which doesn't
> prove anything.  It may be that such proofs exist in places you haven't
> looked.  (In fact there are even some *published* papers on systems with
> guaranteed security, although I haven't studied them enough to have an
> opinion on their validity.  But they *do* exist.)

There's considerable slipperiness in the definition of "system", so varying
opinions and positions are a predictable circumstance.

>
>
> > The basic problem is that it is not possible to realistically place bounds
> > on the capabilities of our opponents.
>
> Sure it is.  It is fairly safe to assume that they are constrained by
> the laws of physics, by the principles of information theory, etc.

Yes, but there is a difference between the laws of physics and our understanding
of those laws.  Our opponents are not constrained by our understanding of those
laws.  There are a lot of open questions that could open holes that are not
normally considered threats.

> > We can be pretty sure that they can't violate the laws of physics -
> > but we are also pretty certain that we do not know what the laws of
> > physics actually are ...
>
> That is the argument from skepticism, which is worthless.  In fact we
> know a *lot* about the physical principles involved with the way the
> world operates, even if there is not a single unifying theory that
> satisfactorily interrelates everything we know.

This statement is timeless.  You could have made it 26 years ago, or any
multiple thereof for as far back as 500 years.  Is there any reason to believe
that the growth in our understanding of the universe will stop in the near
future?  Given the number and character of the existing set of open questions,
probably not.  Any serious increase in our knowledge offers an opportunity for
weaknesses to be revealed.  This condition isn't expected to change.  Ever.

> > Assuming that your opponents have a particular weakness is unlikely to
> > convince the sceptic.
>
> Skepticism is inherently a philosophical dead end.

"Reasonable men accommodate themselves to circumstances.  Unreasonable men
accommodate circumstances to themselves.  Thus all progress is due to
unreasonable men."  -- B. Franklin

Skepticism would seem to be a necessary attribute of the unreasonableness
required to drive scientific discovery.


------------------------------

From: Dave Howe <DHowe@hawkswing>
Crossposted-To: alt.security.pgp,comp.security.firewalls,alt.privacy.anon-server,alt.privacy
Subject: Re: Updated: Evidence Eliminator Dis-Information Center (Includes info on 
false SPAM accusations)
Date: Wed, 14 Jun 2000 01:17:17 +0100
Reply-To: DHowe@get_email_from_sig

In our last episode (<alt.security.pgp>[Mon, 12 Jun 2000 17:34:29
-0700]), tomstd <[EMAIL PROTECTED]> said:
>Does tom care?  Nope sorry.
Good :+)

>If you want to confront SPAM don't SPAM the newsgroup.  Just
>contact the people DIRECTLY and tell them to shut their yappers.
Well, that is 50/50 - if you are maligned in public you can either
answer in public or do a Godfery :+)

>By playing the victim you are trying to draw attention to your
>super-duper wondersoftware.  Which as I may remind the group is
>NOT FREE and is CLOSED SOURCE.
Indeed - a suspicious person would suspect both accusers and pious "EE
Support" are the same person, spamming under the cover of an assumed
argument.  In any case, Alt.Security.PGP definitely isn't the right
forum.
In fact, looking at the MASSIVE crosspost list:

sci.crypt
======
Nope, it's eraser software, not crypto. Inappropriate group.

alt.security.pgp
==========
Doesn't relate to PGP or similar cryptography software - wrong group

comp.security.firewalls
===============
Must have missed the option where you could switch EE into firewall
mode - nope, there isn't one. wrong group.

alt.privacy.anon-server
===============
Must have missed... no, not bothering even typing that. Wrong group

alt.privacy
=======
Well, it SORT of helps privacy. MAYBE borderline for this group (I
wouldn't know, as I don't subscribe; anyone from AP like to comment?)

>My advice (this coming from a kid, so you can just close your
>mind right now) 
Don't feel singled out - I am sure they can close their minds
regardless of your age.

>is to IGNORE the other people's derogatory
>remarks and DISCUSS the merits of your software OBJECTIVELY by
Hell no - if they did that, people might realise they have tacked a
registry-cleaner onto an otherwise ordinary freespace-and-cache-wiper.
Still haven't checked to see if it bothers really wiping the registry
(by either wiping the free space within the registry with direct file
accesses, or by rebuilding the registry then secure-wiping the old one
/ backups).

>making your source OPEN SOURCE.  
Not needed - peer review doesn't have to mean that you post source to
the internet - just that you offer accredited researchers (if they are
interested) a copy of the code to inspect on the understanding that
their comments are available to post, but the code isn't.


------------------------------

From: zapzing <[EMAIL PROTECTED]>
Subject: Re: Random sboxes... real info
Date: Wed, 14 Jun 2000 00:06:49 GMT

In article <[EMAIL PROTECTED]>,
  tomstd <[EMAIL PROTECTED]> wrote:
>
> Have you checked out my preliminary results?  Partially ideal
> 8x8 sboxes are about 1 in a million, and I have yet to find
> fully ideal 8x8 sboxes.

This is Sooo beating a dead horse, but here it
goes anyway. You are only studying sboxes
"under a microscope" not "in the wild".
LPmax and DPmax are great and I'm sure they
can give as good an estimate as any of how
good an sbox is relative to other sboxes, but
key dependent sboxes are quite different in
that Linear and differential cryptography cannot
be done in the normal way.

Also your own experiments have verified that
when sboxes are combined (as in a feistel)
the results are often not predictable by
the LPmax and DPmax measures you are using.

--
If you know about a retail source of
inexpensive DES chips, please let
me know,  thanks.


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Can we say addicted?
Reply-To: [EMAIL PROTECTED]
Date: Wed, 14 Jun 2000 00:05:23 GMT

Mike Rosing <[EMAIL PROTECTED]> wrote:

: http://www.terracom.net/~eresrch/float/rho3.png [...]

: I'll put it up once I figure out how.  You don't need drugs to be
: addicted to math, but some of them don't hurt the view :-)

Bah!  After this, I was expecting hardcore psychedelic action.  Instead it
looks like you've been tripping out in a Patrick Moore lecture ;-)
-- 
__________  Lotus Artificial Life  http://alife.co.uk/  [EMAIL PROTECTED]
 |im |yler  The Mandala Centre   http://mandala.co.uk/  Namaste.

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Random sboxes... real info
Reply-To: [EMAIL PROTECTED]
Date: Tue, 13 Jun 2000 23:54:47 GMT

tomstd <[EMAIL PROTECTED]> wrote:

: You're not seeing the big picture.  By making a cipher more
: structured (i.e designed by an algorithm) you can actually make
: the output *more* random.

Well, you can't make it more random than the ideal totally random
permutation that block cypher designers attempt to emulate.

All practical designs are much *less* random than this - they have
structure.  However, they have the redeeming feature of being small,
and fast, which a huge 128-bit permutation certainly isn't.  Provided the
structure is hard for an attacker to detect, nobody notices it's there.

: Consider differential cryptanalysis.  The whole point of this
: attack is to distinguish the permutation from random.

So at last you agree that a block cypher should approximate a random
permutation?

Where does this leave your argument that small s-boxes should be
designed like large s-boxes (i.e. block cyphers).  Since the latter
should be as near as possible to random permutations, your own
argument seems to imply that the smaller should as well.

Yet this is the reverse of your own conclusion - that random
constructions are sub-optimal.

: If you pick a random 128x128 sbox for example (suppose it could be
: done) and there was a differential that needed only 16
: plaintexts to identify... [...]

Then that would be a fantastic miracle.

: However if you make a 128x128 sbox which is dependent solely on
: the userkey and is made from a structured algorithm, you can
: hopefully resist these statistical attacks.

You're practically bound to do so *less* well than if you used a genuinely
random permutation.  The whole point of these construction methods is to
attempt to produce something which is indistinguishable from a random
permutation.  You don't usually end up with something better.  In fact,
you almost always end up with something worse - but you hope that
the difference between your construction and the random one can't be
detected and exploited by an analyst.

: The whole point of showing off the random sboxes is to show that
: random permutations are hardly ideal.  That's why we have block
: ciphers designed to be resistant to these attacks.

This still sounds very confused.  Can you confirm that you've grasped
that a block cypher is intended to be indistinguishable from a random
permutation of its inputs?

Random permutations *are* the practical ideal, when considering the big
picture of the final block cypher.

The question of whether to use random or optimised 8x8 s-boxes as
construction components is a completely different one to this.

: Each block cipher's keyspace defines a subset of all permutations that are
: resistant to these attacks.  They are hardly random [...]

Though if they /were/ random, that would be as good as they could
realistically hope to get.

Random permutations will no-doubt prove to be far *more* resistant to
attacks than any of the block cyphers available today.

Random permutations would make really, *really* strong cyphers.
Alas, we can't use them since they take too much space to build and run
too slowly.

Instead we try to approximate them.  We don't try to find subsets of the
set of all random permutations which are resistant to attacks - since
99.999999999% of random permutations are incredibly strong.

We have (AFAIK) no practical construction techniques which can avoid the
weak ones - and no practical tests which could identify them - and
/even/ if we did, it would really hardly be worth the bother of using them
- since weak random 128-bit permutations are so few in number.

I think you need to disabuse yourself of the notion that block cyphers are
somehow better than a random permutation of their inputs.  They are not.

Rather they are probably *all* significantly worse.  IMO, if we don't
today have attacks that exploit the difference, that's a reflection on our
lack of analytic abilities, rather than a sign of actually reaching block
cypher security nirvana.
-- 
__________  Lotus Artificial Life  http://alife.co.uk/  [EMAIL PROTECTED]
 |im |yler  The Mandala Centre   http://mandala.co.uk/  Moneypenny.
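As an added illustration of the DPmax and LPmax measures argued over in zapzing's and Tim Tyler's posts above (my own code, not from tomstd's study or from either poster): it draws uniformly random 8x8 permutations with a fixed seed and computes the peak of the difference-distribution table and the Matsui-style linear probability maximum. The exact definitions of DPmax and LPmax are assumptions, since the thread does not spell them out, and tomstd's "partially ideal" thresholds are not on the page, so none are applied.

```python
"""Differential (DPmax) and linear (LPmax) profiles of 8x8 S-boxes."""
import random

N = 8
SIZE = 1 << N  # 256 table entries


def random_sbox(seed):
    """A uniformly random bijective 8x8 S-box: a random permutation of 0..255."""
    rng = random.Random(seed)
    table = list(range(SIZE))
    rng.shuffle(table)
    return table


def dp_max(sbox):
    """Peak of the difference-distribution table as a probability: for each
    nonzero input difference a, count how often S(x) ^ S(x ^ a) takes each
    output difference b; DPmax = max count / 2^n (definition assumed)."""
    best = 0
    for a in range(1, SIZE):
        counts = [0] * SIZE
        for x in range(SIZE):
            counts[sbox[x] ^ sbox[x ^ a]] += 1
        best = max(best, max(counts))
    return best / SIZE


def _walsh(f):
    """Fast Walsh-Hadamard transform of (-1)^f(x), f given as a 0/1 list."""
    w = [1 - 2 * bit for bit in f]
    h = 1
    while h < SIZE:
        for i in range(0, SIZE, 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w


def lp_max(sbox):
    """Matsui-style linear probability: over input masks a and nonzero output
    masks b, LP = (W_b(a) / 2^n)^2, where W_b is the Walsh transform of
    x -> parity(b & S(x)); LPmax is the largest such value (definition assumed)."""
    best = 0
    for b in range(1, SIZE):
        f = [bin(b & sbox[x]).count("1") & 1 for x in range(SIZE)]
        best = max(best, max(abs(w) for w in _walsh(f)))
    return (best / SIZE) ** 2


if __name__ == "__main__":
    for seed in range(5):  # fixed seeds so the run is reproducible
        s = random_sbox(seed)
        print(f"seed {seed}: DPmax = {dp_max(s) * SIZE:.0f}/256, LPmax = {lp_max(s):.5f}")
```

Parseval's identity forces some |W_b(a)| >= 16 for every nonzero b, so no 8x8 S-box, random or designed, can get LPmax below 1/256; the identity permutation scores the worst possible 1.0 on both measures.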

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Cipher design a fading field?
Date: Wed, 14 Jun 2000 00:30:59 GMT

On Tue, 13 Jun 2000 21:21:52 GMT, "Douglas A. Gwyn" <[EMAIL PROTECTED]>
wrote, in part:
>Tim Tyler wrote:

>> If the size of the program is constrained, a halting determination program
>> could be written which enumerates all programs of that size or shorter and
>> lists whether they halt or not.

>It "lists" them how?

Well, if the size of the RAM available to a program is limited, not
just the size of the program itself, then a program with N bits of
storage available to it can have only 2^N distinct states. Hence, if
it doesn't halt after 2^N instructions, it is proven that it will
never halt.

A program that is quite short could indeed implement a slow algorithm
for trying to find, say, a counterexample to the Goldbach conjecture.

But the proof of the halting problem being insoluble depends on one
being able to write a program that checks to see if other programs
halt. To prove that no such program can exist, one has to be able to
write big programs: otherwise, one has just proven that the program
can't be small.

I think, when searching to find whether it was Turing or someone later
who came up with the proof I recited, I came across the LISP program
you mentioned. It is illustrative - it shows that a program, trivially
trying to check if a program will halt by running it, gets into
trouble if it tries to run a copy of itself. That is true, but it
isn't directly involved in the proof: a program trying to do the much
more difficult *opposite* task is what is being discussed.

John Savard (teneerf <-)
http://www.ecn.ab.ca/~jsavard/
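The bounded-size halting decider discussed in this thread, as an added example (my own code, not from any poster): it combines Trevor Jackson's point that programs are bit strings and so can be listed in integer order with Savard's argument that a machine with N bits of state has at most 2^N configurations, so a run that exceeds that many steps has repeated a state and will never halt. The toy machine (one 4-bit accumulator, four 2-bit opcodes) is a construction for this example.

```python
"""Deciding halting for a toy machine with bounded program size and memory."""

N = 4                                  # accumulator width in bits (assumption)
OPS = ("HALT", "INC", "JNZ", "JMP")    # 2-bit opcodes of the constructed machine
#   HALT: stop   INC: acc = acc+1 mod 2^N   JNZ: goto 0 if acc != 0   JMP: goto 0


def encode(ops):
    """A program is its instruction bits read as an integer (Trevor Jackson's
    point above), so enumerating programs of length L means counting 0..4^L-1."""
    program = 0
    for i, name in enumerate(ops):
        program |= OPS.index(name) << (2 * i)
    return program


def decode(program, length):
    return [OPS[(program >> (2 * i)) & 3] for i in range(length)]


def run(program, length):
    """Return (halts, steps).  The machine's state is (pc, acc), so there are
    at most length * 2^N of them.  A repeated state on a deterministic machine
    means an infinite loop, and the pigeonhole principle guarantees that either
    a halt or a repeat occurs within that many steps (Savard's 2^N argument)."""
    pc, acc, steps = 0, 0, 0
    seen = set()
    while pc < length:                 # running off the end also halts
        if (pc, acc) in seen:
            return False, steps
        seen.add((pc, acc))
        op = OPS[(program >> (2 * pc)) & 3]
        steps += 1
        if op == "HALT":
            return True, steps
        if op == "INC":
            acc = (acc + 1) % (1 << N)
            pc += 1
        elif op == "JNZ":
            pc = 0 if acc else pc + 1
        else:                          # JMP
            pc = 0
    return True, steps


def halting_table(length):
    """The 'list' Gwyn asks about: every program of exactly `length`
    instructions, in integer order, with its halting decision."""
    return [(p, run(p, length)[0]) for p in range(4 ** length)]


if __name__ == "__main__":
    for ops in (["INC", "INC", "JNZ"], ["INC", "JMP"]):
        print(ops, run(encode(ops), len(ops)))
    table = halting_table(3)
    print(sum(h for _, h in table), "of", len(table), "3-instruction programs halt")
```

The program INC, INC, JNZ shows why the bound matters: it loops until the accumulator wraps to zero and only then halts, which a decider that gave up early would misclassify.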

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: quantum cryptography at nytimes.com
Reply-To: [EMAIL PROTECTED]
Date: Wed, 14 Jun 2000 00:17:19 GMT

Roger Schlafly <[EMAIL PROTECTED]> wrote:

:> See   http://www.nytimes.com/library/magazine/home/20000611mag-code.html

: IMO, the usual bogus hype.

:    Unprecedented secrecy and security -- two commodities that are
:    increasingly rare in a world dominated by the free flow of
:    information.  For futurists, the development of quantum cryptography 
:    is a kind of cosmic victory for personal privacy.

Sure looks that way.  It seems to me that QC is getting an unrealistic
image.  Practically all the security claims I see for it are bogus.  Only
rarely do I see the authentication issue in "the phone line" discussed -
and I've never seen anyone else raise the issue of the security of the
random stream.  Without these elements being considered, the security
claims made for it are simply wrong.

[snip banking application]

: So they want to use quantum crypto to generate a random key,
: and then use it as a pure OTP. Dumb idea, and it will never
: happen. Banks would be better off sticking with (single) DES.

Hmm.  *Perhaps* if the banks are in orbit, something like this /might/
happen eventually.  I must say I find it hard to imagine QC replacing
very much conventional encryption anytime soon.
-- 
__________  Lotus Artificial Life  http://alife.co.uk/  [EMAIL PROTECTED]
 |im |yler  The Mandala Centre   http://mandala.co.uk/  VIPAR GAMMA GUPPY.

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
