Cryptography-Digest Digest #117, Volume #12 Tue, 27 Jun 00 15:13:00 EDT
Contents:
Re: Quantum computing (Tim Tyler)
Re: Thoughts on "Cracking" of Genetic Code (Roger Schlafly)
Re: Quantum computing (Roger Schlafly)
Re: Idea or 3DES (David A Molnar)
Re: Variability of chaining modes of block ciphers (Shawn Willden)
Re: Weight of Digital Signatures (Rex Stewart)
Re: TEA question ("Adam Durana")
Re: Variability of chaining modes of block ciphers (Mok-Kong Shen)
Re: Variability of chaining modes of block ciphers (Mok-Kong Shen)
Re: TEA question ([EMAIL PROTECTED])
Re: Thoughts on "Cracking" of Genetic Code ("Adam Durana")
----------------------------------------------------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Quantum computing
Reply-To: [EMAIL PROTECTED]
Date: Tue, 27 Jun 2000 17:39:44 GMT
Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
: Roger Schlafly wrote:
:> Maybe I'm in the minority, but I don't think we'll see any
:> quantum computers without some big theoretical and technological
:> breakthroughs.
: There is a kind of "critical mass" that will occur when enough
: error correction can be accrued along with the noisy qubits.
Hmm.
I wonder what the take of advocates on the idea that quantum computers
will never exceed a relatively small volume of space/time - because the
problems encountered in insulating them from their environment grow too
rapidly as their space/time volume increases - is these days.
Penrose cited gravity as a force that transmits influence from the QC to
the observer - and causes decoherence as a direct result. *If* this
force is large enough to cause problems, I believe there's no known
way of "defending" against this - short of having the observer (or the
computer) travelling near the speed of light ;-)
We may be able to get above the scale where interference fringes are
located by undergraduates - but there /may/ be severe limits on how
much further it is possible to go.
The idea that coherence at significant scales and for significant
periods will be rather difficult to obtain appears to be holding
up well so far anyway :-|
--
__________ Lotus Artificial Life http://alife.co.uk/ [EMAIL PROTECTED]
|im |yler The Mandala Centre http://mandala.co.uk/ Namaste.
------------------------------
From: Roger Schlafly <[EMAIL PROTECTED]>
Subject: Re: Thoughts on "Cracking" of Genetic Code
Date: Tue, 27 Jun 2000 11:15:46 -0700
Information System wrote:
> I am interested in the reaction of others to the
> wording of news stories that state that the genetic code has
> been "cracked," drawing comparisons to a cryptographic
> solution. As I understand it, what has been accomplished is
> the compilation, in crypto terms, of a complete and possibly
> accurate transcription of the ciphertext. This is a
> beginning, but hardly a "cracking."
You have a point, but it is a genetic code and no one is
claiming that it is a cryptographic code. So a crack need not
be a crypto crack.
I believe that the work back in the 1950s (Crick, Watson, etc.)
that found the molecular formula for the links in DNA was also
referred to as cracking the genetic code. No doubt many more
breakthroughs will also be labelled that way.
Even in crypto terminology, the word "crack" is often used for
an attack that falls far short of always decoding the system.
> As a continuation of the
> original thought, my other question is to ask if anyone has any
> thoughts on the potential or actual applications of
> cryptanalytic techniques to the decoding of DNA in the sense
> of decoding meaning from existing sequences, or even encoding
> desired messages to create desired results.
There are portions of DNA that appear useless, and it has been
suggested that they are error correcting codes. Possibly even
using finite fields.
There are some sci-fi plots that use messages encoded in DNA.
Eg, the recent Mission To Mars movie.
------------------------------
From: Roger Schlafly <[EMAIL PROTECTED]>
Subject: Re: Quantum computing
Date: Tue, 27 Jun 2000 11:20:22 -0700
Tim Tyler wrote:
> Penrose cited gravity as a force that transmits influence from the QC to
> the observer - and causes decoherence as a direct result. *If* this
> force is large enough to cause problems, I believe there's no known
> way of "defending" against this - short of having the observer (or the
> computer) travelling near the speed of light ;-)
That's right. If something like that turns out to be true, it may be
physically impossible to build a quantum computer. The whole subject
is just extremely speculative based on current knowledge.
------------------------------
From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: Idea or 3DES
Date: 27 Jun 2000 18:01:50 GMT
Mark Wooding <[EMAIL PROTECTED]> wrote:
> Boris Kazak <[EMAIL PROTECTED]> wrote:
>> Practically even lovelier: loading numbers into registers tests them
>> against =0 condition,
> Only on some processors: the ARM in particular doesn't do this, so
> that's an extra comparison to do.
there's no load-and-set-flags instruction? hmm. that's a shame. I know
that you can use movs to set flags, but that doesn't help much (unless
for some reason movs rN, rN is faster than a compare).
>> 16-bit multiplication yields the 32-bit product, thereafter adding
>> together LSW, MSW and eventual carry finishes the job. With careful
>> planning - 5-7 register instructions (2 loads, one branch, one mult,
>> one add, one adc, one unload).
> I think it was the branch I was particularly objecting to. That's not a
> pleasant thing to have to do.
on the ARM, you avoid the branch by using conditional instructions,
can't you?
-dmolnar
------------------------------
Date: Tue, 27 Jun 2000 12:33:23 -0600
From: Shawn Willden <[EMAIL PROTECTED]>
Subject: Re: Variability of chaining modes of block ciphers
Mok-Kong Shen wrote:
> > I suspect that it can't exist. Indeed, I suspect that, if we know our
> > adversary's capabilities that accurately, we probably don't need
> > cryptography at all, because we can determine a communication channel
> > which is already secure against him.
>
> If you know the computer of the opponent, then you can calculate
> the time for brute forcing.
Can you? I think you can only calculate the maximum or average time, not the
time it will take to brute force a given message. A better way to analyze
this scenario is: Given a certain amount of computational power, there is a
probability p(t) that the attacker can discover the key for a given message
in time t.
Call the useful lifetime of the message T. You're assuming, then, that p(T)
is large, maybe p(T) = 1. Choosing among n chaining modes at best reduces
the probability to p(T)/n.
Can you be so certain that p(T) is an unacceptable risk, but p(T)/n is okay?
Remember that n is small. Also remember that T is often hard to quantify a
priori.
You keep referring to the situation in which the addition of a few key bits
pushes the job of brute-forcing over some threshold which demarks what the
attacker can or cannot do, but no such threshold exists, at least with
respect to brute-force keyspace searches.
The "threshold" is yours. Specifically, your level of acceptable risk; a
notion that is notoriously hard to quantify precisely.
To summarize, adding n key bits is useful when:
1. The attacker's capabilities are known (p(t))
2. The user's acceptable level of risk (R) is known
3. The lifetime (T) of the message is known
4. p(T) > R >= p(T)/2^n
It's hard to imagine a scenario in which the imprecision of p(t), R and T
don't swamp the risk interval created by a small n.
Shawn.
------------------------------
From: Rex Stewart <[EMAIL PROTECTED]>
Subject: Re: Weight of Digital Signatures
Date: Tue, 27 Jun 2000 18:32:52 GMT
I have seen some pretty effective duress detection
systems, but they all assumed the user was well
trained and somewhat disciplined.
In the real world, people are uninformed enough to
provide their credit card numbers to telemarketers
who call them, and their passwords to people posing
as security professionals over the phone.
For that reason, I unfortunately must agree with you.
--
Rex Stewart
PGP Print 9526288F3D0C292D 783D3AB640C2416A
In article <gYR55.23649$[EMAIL PROTECTED]>,
"Lyalc" <[EMAIL PROTECTED]> wrote:
> A 'signed-under-protest bit' might be meaningless in practical terms.
>
> The intent is, I believe, to allow the system to respond to the user as if
> the signature was entirely normal, but to not effect the requested
> action.
> This only works if the relying party never provides any feedback to third
> parties; consider:
> - a bank funds transfer means a third party account is increased
> - a sniffer on the line may allow the transmitted data to be verified by the
> attacker/coercer, under some electronic signature schemes
> - A system logon will have to allow read and write access
>
> Any attacker who doesn't check these actions are valid by using a second,
> independent source (perhaps by wireless data, phone, etc) is a bit stupid.
>
> If any of the simple tests above fails, the attacker/coercer knows the
> victim is attempting to fool them, with increased potential for consequences
> to the victim.
>
> In the end, it seems there may be almost no worthwhile benefits from a
> 'signed-under-protest bit'
>
> Comments?
>
> Lyal
>
> Trevor L. Jackson, III wrote in message <[EMAIL PROTECTED]>...
> >Lyalc wrote:
> >
> >> I know we are close to discussing legal issues, but
> >> the motive behind the signing is important (e.g. coercion repudiates an
> >> otherwise genuine signature). Electronically, we can't really detect or
> >> cater to these sorts of situations - yet.
> >
> >Are you supposing a signed-under-protest bit?
> >
> >>
> >> One day, the rule makers will decide how to handle these ambiguous
> >> situations.
> >> In the meantime, we all play electronic signatures "by ear"
> >> Lyal
> >>
> >> Robert Stonehouse wrote in message
> >> <[EMAIL PROTECTED]>...
> >> >Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> >> >>Robert Stonehouse wrote:
> >> >>> [EMAIL PROTECTED] (John Savard) wrote:
> >> >>> ...
> >> >>> >A law that makes a digital signature "just as binding as one in ink",
> >> >>> >when it is so much easier to break into someone's house and read their
> >> >>> >hard drive than forge their signature perfectly makes ordinary people
> >> >>> >much more vulnerable to forgery than before.
> >> >>> ...
> >> >>> The thing that makes an ink signature binding is the fact that it
> >> >>> was written by the right person. If your bank pays out on a forged
> >> >>> cheque, saying 'Well, it was a perfect forgery' won't help the bank
> >> >>> at all. The bank has to make it good to you.
> >> >>>
> >> >>> It is hard to imagine how any law authorising digital signatures can
> >> >>> preserve that protection for bank customers and others who sign
> >> >>> documents.
> >> >>
> >> >>But a cheque forgery has to be ascertained by experts who have to
> >> >>use judgements and, I believe, don't always have 'absolute' certainty.
> >> >>So I guess that some parallel mechanism could function.
> >> >
> >> >Not necessarily. There can be other ways of showing you didn't sign
> >> >the document apart from an examination of the document. What matters
> >> >is whether you signed it or not.
> >> >
> >> >The terms of electronic transactions mostly say that, if the bank
> >> >gets a transaction that satisfies the conditions, it can pay. That
> >> >is, the electronic details are final.
> >> >[EMAIL PROTECTED]
------------------------------
From: "Adam Durana" <[EMAIL PROTECTED]>
Subject: Re: TEA question
Date: Tue, 27 Jun 2000 14:27:35 -0400
> yes..
> but if you choose a different number it anyway should be a 32-bit number
> so you can't use 1569234 - it's too small - only 21 bits (1569234 == 0x17f1d2
> == 101111111000110110010 )
You can put 1569234 into a 32-bit variable and that would work just fine.
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Variability of chaining modes of block ciphers
Date: Tue, 27 Jun 2000 21:01:09 +0200
Mark Wooding wrote:
> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> > Mark Wooding wrote:
> > > Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> > > > Scott Fluhrer wrote:
> >
> > [snip]
> >
> > > > You are distorting the discussion context. We are discussing the
> > > > possibilities to obtain some improvements upon a given cipher with
> > > > some chaining modes, not discussing using two or more ciphers.
> > >
> > > I think that Scott is trying to say that if you're not happy with your
> > > cipher's security, you're best off preprocessing with another cipher
> > > rather than playing with fancy chaining modes.
> >
> > That's right. Hence my answer to him.
>
> But your answer doesn't address his point.
>
> The point is that you're using the wrong fix. The right fix is a good
> cipher. Use one.
You snipped out what Scott Fluhrer wrote and then provided the wrong
argument. Here is what he wrote before my sentences quoted above:
And even if that's not a concern, it'd be a shame to blow off a good boss
with one quirk. Alternative strategy: implement the amateur crypto design,
but preprocess the plaintext just a bit, sort of like a "prewhitening" phase.
For example, pass it through Rijndael first. (1/2 :-)
He even gave an example: pass the plaintext through Rijndael to preprocess
it and then to the cipher that one has at hand. So there are TWO ciphers
in his argument! (Whether it is sensible to do that is not the point here.)
And I was answering exactly that point of Scott Fluhrer's.
> > > I suspect that it can't exist. Indeed, I suspect that, if we know our
> > > adversary's capabilities that accurately, we probably don't need
> > > cryptography at all, because we can determine a communication channel
> > > which is already secure against him.
> >
> > If you know the computer of the opponent, then you can calculate the
> > time for brute forcing.
>
> Ahhh! I see your problem. Have you learned nothing from the years
> you've been reading sci.crypt? Brute force is not the only way to
> attack ciphers!
Again you missed what Scott Fluhrer and I were discussing. The point at
issue was his questioning whether there could be a case at all where one
can fairly accurately estimate the opponent's capability. I answered that
there can be (though rare) cases where one has information on the power
of his computer and that he is using brute force. Please read the relevant
discussions between Scott Fluhrer and me before you simply jump in,
ignoring the stuff we were discussing.
> > What do you mean by 'determine a communication channel'?
>
> I mean, you can decide upon some way of communicating which is not
> vulnerable to attack from your adversary, since you know his
> capabilities so accurately.
>
> > Suppose the messages are to be transmitted via certain public
> > providers. What are you going to 'determine'?
>
> That there's a better idea than using that method of communication?
>
Sorry, I don't yet understand. Let me quote what you wrote in full:
I suspect that it can't exist. Indeed, I suspect that, if we know our
adversary's capabilities that accurately, we probably don't need
cryptography at all, because we can determine a communication channel
which is already secure against him.
Let's say the premise is satisfied, i.e. we know our adversary's capabilities
accurately. Your conclusion is 'we can determine a communication
channel which is already secure against him'. Now you said above that
we can find a communication channel that is not vulnerable to his attack.
Is that right? But that isn't relevant in most cases that are pertinent here.
Suppose (by our premise) we know what computer he has and suppose
we know his only method is brute force and so we can determine how
many keys he can try in a unit of time. What has this data to do with the
communication channel? Do you mean that if he can try the keys very
fast then we should find a channel that he can't tap, or what? But I was
countering exactly this point by saying that, if the messages are to be
transmitted through public providers, then you have practically no means
of securely preventing his tapping. Well, you could 'determine' (in your
mind) a better secure channel that would have solved the problem, but
you can't in reality get it in this case!
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Variability of chaining modes of block ciphers
Date: Tue, 27 Jun 2000 21:01:19 +0200
Mark Wooding wrote:
> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>
> > I don't understand you. If you use brute force and there is a chaining
> > value that is unknown but that is xored to the plaintext block, what
> > are you going to do?
>
> Who said anything about brute force?
I said, of course. But note that 'brute force' is in an if-clause. Now let
me restore what has been snipped in this connection:
I wrote:
I personally don't like the common CBC, since all the chaining
values are known to the analyst.
You wrote:
This doesn't matter because the cipher resists key-recovery
attacks. The chaining mode is there to hide the block structure,
*not* to provide resistance to cryptanalysis.
You were again ignoring my repeatedly made point that it IS a basic
assumption of my article that the cipher at hand is NOT strong
enough and you claimed that the cipher resists key-recovery attacks.
I was remaining on my assumption that the cipher is not strong (and
can, for example, be brute forced). Thus I explained that in such an
example case unknown chaining values do help, because these hinder
the opponent in obtaining the plaintext that is needed to pinpoint the
right key. I must say that I find it surprising that you comment on an
article of mine but ignore the basic assumption underlying it. There
are two ways to properly give negative comments and critiques. One
is to say that the assumption is wrong/unrealistic and provide arguments
why that's so (one then need not consider the rest of the article). The
other is to take the assumption for granted and find faults in the
arguments of the article. You are obviously doing neither the one
nor the other.
> > (Your first sentence seems unclear. Do you mean that you already have
> > a strong enough cipher, so that any add-ons aren't necessary, or
> > what?)
>
> I mean that a good cipher, by *definition*, will resist attacks which
> recover the key (or, indeed, your plaintext), and that not using a good
> cipher is simply folly.
>
> I'm getting rather bored of this argument. Unless you have something
> new to add, I think I'll ignore it from now on.
You REPEATEDLY ignored my point that my original post is NOT
intended for cases where one already has a strong enough cipher (your
good cipher). I said many times that in such cases my article is useless.
Only in cases where (one thinks) one's cipher is not strong enough
(i.e. a not good enough cipher) can chaining modes, if appropriately
chosen, help and be of value. See also my answer above.
M. K. Shen
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: TEA question
Date: Tue, 27 Jun 2000 18:48:21 GMT
Adam wrote:
> > yes..
> > but if you choose a different number it anyway should be a 32-bit number
> > so you can't use 1569234 - it's too small - only 21 bits (1569234 == 0x17f1d2
> > == 101111111000110110010 )
>
> You can put 1569234 into a 32-bit variable and that would work just fine.
Really? And if I put 5 into a 32-bit variable? Or even 1 or 0?
Disastry http://i.am/disastry/
http://disastry.dhs.org/pgp.htm <-- PGP half-Plugin for Netscape
http://disastry.dhs.org/pegwit <-- Pegwit - simple alternative for PGP
remove .NOSPAM.NET for email reply
------------------------------
From: "Adam Durana" <[EMAIL PROTECTED]>
Subject: Re: Thoughts on "Cracking" of Genetic Code
Date: Tue, 27 Jun 2000 14:42:11 -0400
"Information System" <[EMAIL PROTECTED]> wrote in message
news:8jaodm$[EMAIL PROTECTED]...
> I know that this is off the explicit subject of the
> group, but I am interested in the reaction of others to the
> wording of news stories that state that the genetic code has
> been "cracked," drawing comparisons to a cryptographic
> solution. As I understand it, what has been accomplished is
> the compilation, in crypto terms, of a complete and possibly
> accurate transcription of the ciphertext. This is a
> beginning, but hardly a "cracking."
To a non-crypto-savvy person they did crack it. And I would say 99% of the
world is not crypto savvy, so why should the media get the terms right for
the other 1% of us? It is a little annoying, but there are more important
things to worry about.
> As a continuation of the
> original thought, my other question is to ask if anyone has any
> thoughts on the potential or actual applications of
> cryptanalytic techniques to the decoding of DNA in the sense
> of decoding meaning from existing sequences, or even encoding
> desired messages to create desired results.
I'm no expert on this subject, but I believe they used one method
cryptanalysts do use. They would introduce a change into the DNA and see
how that affected the animal that was created from that DNA. So in a sense
they altered the plaintext (DNA) just a bit, then let nature do its work to
produce the ciphertext (the living creature), and saw what changes in the
ciphertext resulted from the change in the plaintext.
- Adam
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************