Cryptography-Digest Digest #272, Volume #12 Sun, 23 Jul 00 06:13:00 EDT
Contents:
Re: Crypto jokes? (potentially OT) (David A Molnar)
Re: Random Appearance (Future Beacon)
Re: RC4-- repetition length? ("Joseph Ashwood")
Re: Random Appearance ("Joseph Ashwood")
Re: PGP US Versions Broken,no good?? (Sundial Services)
Re: Question Regarding Encrypting CD-ROM -RW Disks (Sundial Services)
Re: RC4-- repetition length? ("Scott Fluhrer")
Re: Random Appearance ("Douglas A. Gwyn")
Re: Random Appearance ("Douglas A. Gwyn")
Re: Crypto jokes? (potentially OT) ("Douglas A. Gwyn")
Re: Random Appearance (Mack)
Re: 8 bit block ciphers (Mack)
Re: 8 bit block ciphers ("Douglas A. Gwyn")
Re: 8 bit block ciphers (Mack)
Re: freely obtainable on the internet?? ([EMAIL PROTECTED])
Re[2]: freely obtainable on the internet?? ([EMAIL PROTECTED])
----------------------------------------------------------------------------
From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: Crypto jokes? (potentially OT)
Date: 23 Jul 2000 01:45:40 GMT
Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
> Steve Meyer wrote:
> > How about claim by BBC television producer that English spy agency
>> discovered public key cryptography. Probably in joke that one must
>> attend IACR conference to appreciate.
> I didn't understand your joke. Is it that you really are unaware
> that nonsecret-key encryption had in fact been invented before RSA?
> (However, it wasn't much exploited.)
This is just a guess, but he may be referring to a talk at CRYPTO '99
which covered (among other things) "who should REALLY get the credit
for inventing public key cryptography?"
As I recall, the proposal was to consider crypto research as proceeding
in two "parallel universes," the classified and unclassified. In the
classified universe, Clifford Cocks & company discovered non-secret
encryption first and Diffie & Hellman are just a footnote. In the
unclassified universe, Diffie & Hellman are the true progenitors (and
Merkle, RSA, etc. are their prophets) and Cocks simply merits a footnote.
The humor comes from the fact that the original suggestion touches on this
whole controversy, which seems to be considered quite important and
certainly can raise high emotion. No idea how it relates to Feyerabend's
argument or experience (I barely know who he is, unfortunately).
Hope this doesn't get me disbarred from attending future IACR conferences.
-David
------------------------------
From: Future Beacon <[EMAIL PROTECTED]>
Subject: Re: Random Appearance
Date: Sat, 22 Jul 2000 22:57:44 -0400
On Sat, 22 Jul 2000, Douglas A. Gwyn wrote:
> Future Beacon wrote:
> > ... I am thinking that a dense message that
> > wastes no characters might seem orderly but not be the order which
> > is the intended message.
>
> That's not possible, assuming you mean that for any PT of length N,
> the CT has length N, and every CT exhibits some given pattern.
.
.
.
I believe that it is possible. Winograd, at least 20 years ago, at
MIT programmed a computer to form English sentences that were not
predictable by the human correspondent. He had to understand
grammar and logic very formally and well to do it. This kind of
thing is covered in the subject of artificial reasoning. These
kinds of achievements prompted me to try to form arbitrary English
sentences from a string of random numbers. I am convinced that it
is possible.
If that is possible, then one could use whatever kind of encryption
you like and take the resultant cipher text and convert it to a
sequence of plausible English sentences (they may not make sense
together, or they could with greater effort).
Compactness could actually be better than one-to-one if you limit
vocabulary in certain ways. It requires many things - not the least
of which is a spelling dictionary that is sorted by grammatical
function and that numbers the words and is shared by the sender and
receiver.
So, if you are a linguist, a mathematician, and a programmer, you
have at least one way to keep from getting bored.
If you don't want to study linguistics and you can settle for only
half of your messages being so disguised, you can send messages from
public sources that are off of your subject and decode them with
material sent at different times.
I wouldn't be surprised if there were a hundred ways. We've hardly
started.
Jim Trek
Future Beacon Technology
http://eznet.net/~progress
[EMAIL PROTECTED]
------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: RC4-- repetition length?
Date: Sat, 22 Jul 2000 20:23:52 -0700
Well to make a potentially long summary quite short:
1) RC4 is good for a few megabytes of data, but starts
getting fairly bad around a gigabyte, very bad around 2
gigabytes, probably breakable around 16 gigabytes.
2) The average-case repetition length of RC4 is extremely
long, the worst-case repetition length is still quite large,
the best-case repetition length is nearly astronomical
3) If you're going to use RC4 make sure you throw away the
first several outputs
4) Designing your own stream cipher is probably a fool's
pursuit
There may be more things that show up later in the
conversation, but that's the basic summary to now.
Joe
"Guy Macon" <[EMAIL PROTECTED]> wrote in message
news:8ldejt$[EMAIL PROTECTED]...
>
> I have a request.
>
> There are a lot of folks like me who are interested in ciphersaber
> ( http://www.ciphersaber.gurus.com ) but are a bit shy of the horsepower
> to tell the good arguments in this thread from the bad. Could one of
> the experts post a practical summary when this discussion is complete?
> Thanks in advance.
>
------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Random Appearance
Date: Sat, 22 Jul 2000 20:30:44 -0700
> They are either like OTPs or they are subject
> to known plaintext attacks. OTPs are immune to known plaintext
> attacks and the even tougher chosen plaintext attacks.
That's not correct. OTP's are subject to known-plaintext
attacks, based on whether or not they are built of
particulate that is subject to known-plaintext attacks (XOR
is trivially subject). Against a chosen plaintext attack, an
OTP will have exactly the behavior of an (optimal)
known-plaintext attack, if for no other reason than the fact
that it can be reduced to a known plaintext situation.
Joe
------------------------------
Date: Sat, 22 Jul 2000 21:14:24 -0700
From: Sundial Services <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Crossposted-To: alt.security.pgp
Subject: Re: PGP US Versions Broken,no good??
Frankly, I doubt that there is very much in the way of commercial (i.e.
non-classified) encryption that the NSA cannot break. If it were
otherwise, I'd be having some serious questions about what all that tax
money is being spent for.
But let's face it -- is an agency like that going to be decrypting
everything out there that is encrypted, just for their jollies or just
because they can? Not bloody likely. And even so, does that really
alter the effectiveness of PGP for -your- applications that require the
use of crypto? Just how stringent ARE your cryptographic requirements?
There are millions of encrypted messages sent each day, just like there
are tens of millions of doorknobs. Those messages, like those
doorknobs, may or may not withstand a concerted, knowledgeable,
determined attack by a professional -- but they serve their purpose none
the less. They effectively prevent theft or compromise of the content
of the area they are meant to protect, simply by making it more cost
effective for the thief to go somewhere else, and simply by making the
content of the area "not readily apparent."
>jungle wrote:
>
> see comments inside text ...
>
> "Edward A. Falk" wrote:
> >
> > > I've heard from a few people(one who is a
> > > programer of encryption software) that the
> > > US versions of PGP(6.5.3 etc) are broken,
> > > no good and the US gov. can break them
> > > because these versions are made so they
> > > can be broken so the gov. can read anything
> > > encrypted by the US versions. Could just be
> > > an urban myth but I 've dumped my 6.5.3 for
> > > 6.5.1i(international)(supposedly safe)
> >
> > This needs to be reposted from time to time:
> >
> > For the record, the number of times an allegation of a back door
> > [in PGP] has been made in this newsgroup is about eleventy-zillion.
> > The total amount of evidence produced to back it up is Zip-Squat
> > (sorry about the mathematical jargon, there).
> > -- Andrew Spring
> >
> > Here are my own comments: I down-loaded an international version
> > of pgp 5 a couple years ago and was unable to even compile it
> > without first fixing a large number of glaring bugs in the source
> > code.
>
> compiler related ?
> or
> program functionality related ?
>
> the difference is enormous ...
>
> > When the source code won't even compile, you can pretty much bet
> > that it hasn't undergone any kind of security review.
>
> yes & no ...
> the source code MUST tell what compiler to use to create same PGP executable as
> the one available for download ...
>
> > I would not trust *any* pgpi version unless it's had a thorough
> > going over by someone I trust, and the source code has been signed
>
> very valid ...
> source code MUST be signed by NAI key ...
>
> > (with a signature I can verify under 2.6.2)
>
> to use v262 for verification is not relevant ...
> starting from v262, any newer PGP will do it too ...
>
> > Without verification, if you think the international version of
> > pgp is any more trustworthy than the official version, you're badly
> > mistaken.
>
> yes, big mistake ...
--
==================================================================
Sundial Services :: Scottsdale, AZ (USA) :: (480) 946-8259
mailto:[EMAIL PROTECTED] (PGP public key available.)
> Fast(!), automatic table-repair with two clicks of the mouse!
> ChimneySweep(R): "Click click, it's fixed!" {tm}
> http://www.sundialservices.com/products/chimneysweep
------------------------------
Date: Sat, 22 Jul 2000 21:16:33 -0700
From: Sundial Services <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Question Regarding Encrypting CD-ROM -RW Disks
:-) If the information on your hard-drive is that sensitive, that
someone would work that damned hard to recover it, then "they'll find a
way to put you in jail anyway." ;-)
>jungle wrote:
>
> Greg wrote:
> ==========
> > The point
>
> your point will not protect your data "in a hurry" against AGENCIES work ...
>
> > I am making is that with my notebook, and others like it
> > I am sure, if you had to destroy the HD in a hurry, you could simply
> > slide it out and go at it with a sledge hammer.
>
> hammer is not destroying data but ONLY DRIVE ...
> you need to understand the difference ...
>
> > These drives are
> > tiny, thin, and very susceptible to any pressure on their top surface.
>
> what above has to do with destroying magnetic data ?
> ANSWER : almost nothing ...
------------------------------
From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Subject: Re: RC4-- repetition length?
Date: Sat, 22 Jul 2000 23:03:40 -0700
Joseph Ashwood <[EMAIL PROTECTED]> wrote in message
news:ukkqsZF9$GA.279@cpmsnbbsa07...
> Well to make a potentially long summary quite short:
> 1) RC4 is good for a few megabytes of data, but starts
> getting fairly bad around a gigabyte, very bad around 2
> gigabytes, probably breakable around 16 gigabytes.
If by breakable, you mean "distinguishable from random", that's correct. If
by breakable, you mean "you can rederive the key, or guess another portion
of the keystream", well, you really should clue in the rest of us on how to
do that...
> 4) Designing your own stream cipher is probably a fool's
> pursuit
Well, perhaps true, but I don't remember anyone claiming that upthread :-)
--
poncho
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Random Appearance
Date: Sun, 23 Jul 2000 02:23:48 -0400
Joseph Ashwood wrote:
> That's not correct. OTP's are subject to known-plaintext
> attacks, ...
No, they are not, since the only plaintext that is "recovered"
is exactly the plaintext that was already known. The point
being that "One-Time Pad" in such a context means the
theoretically secure system, not a potentially flawed
attempt at implementation of such a system.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Random Appearance
Date: Sun, 23 Jul 2000 02:26:39 -0400
Future Beacon wrote:
> I am convinced that it is possible.
Basic information theory says otherwise.
For your notion to work, the input plaintext would have to
be restricted to a selection from a limited set, not a
completely general message of length N.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Crypto jokes? (potentially OT)
Date: Sun, 23 Jul 2000 02:38:39 -0400
David A Molnar wrote:
> As I recall, the proposal was to consider crypto research as
> proceeding in two "parallel universes," the classified and
> unclassified. In the classified universe, Clifford Cocks &
> company discovered non-secret encryption first and Diffie &
> Hellman are just a footnote. In the unclassified universe,
> Diffie & Hellman are the true progenitors (and Merkle, RSA,
> etc. are their prophets) and Cocks simply merits a footnote.
I still don't get the joke, but to respond:
The idea that when an idea is independently discovered by
multiple researchers, the first one to reach print gets all
the credit has always been screwy. It leads to such things
as a graduate student having to start his thesis work all
over because his independent work is no longer considered
"original research" and thus does not qualify for a degree.
So long as everybody is convinced that the researchers did
work independently and were not aware of each other's work,
in a rational world they should share credit for the invention.
The main question is whether the earlier work was partially
"leaked" and the later work was inspired by that information,
in which case only the earlier work is the true innovation.
------------------------------
From: [EMAIL PROTECTED] (Mack)
Subject: Re: Random Appearance
Date: 23 Jul 2000 06:49:29 GMT
>Joseph Ashwood wrote:
>> That's not correct. OTP's are subject to known-plaintext
>> attacks, ...
>
>No, they are not, since the only plaintext that is "recovered"
>is exactly the plaintext that was already known. The point
>being that "One-Time Pad" in such a context means the
>theoretically secure system, not a potentially flawed
>attempt at implementation of such a system.
>
>
The code book systems to which I was referring are exactly
the same as OTP's. The pad may be reused at the risk of
a known plaintext attack. The words for messages are
compiled into a list each word has a different meaning.
These pads are usually only a couple of pages and then
compiled into a book. Different 'chapters' are used depending
on some information. This system was used during WW2
if I am not mistaken. Each 'chapter' is an OTP. If a chapter is
reused it is subject to known-plaintext attack. Of course if the
OTP is stolen it is also broken. In actual use pads were used
for a certain time period.
Mack
Remove njunk123 from name to reply by e-mail
------------------------------
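To make the difference between Gwyn's "theoretically secure system" and Mack's reused chapter concrete, here is an added example in Python (not code from any poster): with a fresh pad, a known plaintext yields only the pad bytes already spent on that message; with one pad used for two messages, a single known plaintext reveals the other message outright. The messages and pad values are constructed for the demo.

```python
"""One-time pad: known plaintext against a fresh pad versus a reused pad.
Added example; messages and pads below are constructed for the demo."""


def otp_xor(data: bytes, pad: bytes) -> bytes:
    # encryption and decryption are the same operation; a true OTP also
    # requires `pad` to be uniformly random and never used twice
    if len(pad) < len(data):
        raise ValueError("pad shorter than message")
    return bytes(d ^ p for d, p in zip(data, pad))


def recover_pad(plaintext: bytes, ciphertext: bytes) -> bytes:
    # all a known-plaintext attacker learns from a proper OTP: the pad
    # bytes that were spent on that very message, which are never reused
    return otp_xor(plaintext, ciphertext)


def two_time_pad_attack(ct1: bytes, ct2: bytes, known_pt1: bytes) -> bytes:
    # pad reuse: ct1 ^ ct2 == pt1 ^ pt2, so knowing pt1 exposes pt2
    n = min(len(ct1), len(ct2), len(known_pt1))
    return bytes(known_pt1[i] ^ ct1[i] ^ ct2[i] for i in range(n))


# constructed sample traffic (15 bytes each)
PT1 = b"ATTACK AT DAWN "
PT2 = b"HOLD THE BRIDGE"
PAD_A = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1")
PAD_B = bytes.fromhex("a3c19e5d02f7448b6e91d0c3be2577")  # independent pad


def proper_use() -> bool:
    # fresh pad per message: the pad recovered from message 1 turns
    # message 2 into garbage, not into PT2
    ct1 = otp_xor(PT1, PAD_A)
    ct2 = otp_xor(PT2, PAD_B)
    leaked = recover_pad(PT1, ct1)
    return leaked == PAD_A and otp_xor(ct2, leaked) != PT2


def reused_pad() -> bytes:
    # the same pad ("chapter") for both messages: one known plaintext
    # recovers the other without touching the pad at all
    ct1 = otp_xor(PT1, PAD_A)
    ct2 = otp_xor(PT2, PAD_A)
    return two_time_pad_attack(ct1, ct2, PT1)


if __name__ == "__main__":
    print("fresh pads: known plaintext harmless ->", proper_use())
    print("reused pad: second message recovered ->", reused_pad())
```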
From: [EMAIL PROTECTED] (Mack)
Subject: Re: 8 bit block ciphers
Date: 23 Jul 2000 07:07:39 GMT
>Mack wrote:
>> Does anyone have any information on 8 bit block
>> ciphers? I don't mean simply shuffling an array.
>> And I am aware that it is simple to do a dictionary
>> attack. I am looking for methods that can be used
>> instead of array shuffling.
>
>It's not clear what you really want.
> ct = table[pt]; // general 8-bit transformation
>covers any 8-bit block cipher and is very efficient.
>The only issue is how to construct the 256 entries in
>the transformation table.
>
>
>
That is what I am looking for: mathematical or encryption
methods of producing a 256-byte permutation.
No shuffling please.
I am aware of the method of inverting the polynomial multiplication
group GF(2^8). The reference is "Differentially uniform mappings for
cryptography" by Kaisa Nyberg. These are used in SQUARE.
In SQUARE these are altered by an affine transformation.
Does anyone have any similar construction methods or is
this new ground?
Mack
Remove njunk123 from name to reply by e-mail
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: 8 bit block ciphers
Date: Sun, 23 Jul 2000 03:17:17 -0400
Mack wrote:
> That is what I am looking for: mathematical or encryption
> methods of producing a 256-byte permutation.
> No shuffling please.
Since the mapping has to be invertible, it is necessarily
a permutation. Any method of generation would amount to
a "shuffling" of the sequence 0..255.
------------------------------
From: [EMAIL PROTECTED] (Mack)
Date: 23 Jul 2000 08:18:17 GMT
Subject: Re: 8 bit block ciphers
>Mack wrote:
>> That is what I am looking for: mathematical or encryption
>> methods of producing a 256-byte permutation.
>> No shuffling please.
>
>Since the mapping has to be invertible, it is necessarily
>a permutation. Any method of generation would amount to
>a "shuffling" of the sequence 0..255.
>
>
I am looking for something that could be implemented without
having the entire table in memory. For example only using
32 bytes. This prevents shuffling from being useful.
I am looking for something that will take a 32 byte key
and convert it to an 8 bit permutation. The permutation
should have a good non-linearity, good avalanche and
a good differential table. It should also be invertible.
Methods that use fewer key bytes are acceptable.
Basically it has to be a good 8-bit encryption method.
Does anyone have something that fits the bill?
Mack
Remove njunk123 from name to reply by e-mail
------------------------------
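Mack asks for a keyed 8-bit permutation with good nonlinearity and a good difference table that can be computed without holding a 256-byte table, and cites the GF(2^8) inversion construction (Nyberg; used in SQUARE with an affine transformation). Here is an added example in Python, not from any poster: it builds the inversion-plus-affine S-box using Rijndael's polynomial 0x11B and affine constants 0x63 / 0x05, measures its differential uniformity and nonlinearity (the two properties Mack names), and shows a hypothetical keyed variant, `keyed_perm`, that chains one "add key byte, invert, affine" step per key byte and is computed on the fly from the 32-byte key. The keyed variant is an illustration of the construction style only; nothing beyond the metrics the code itself computes is claimed for it, and the 32-byte key in the usage is constructed.

```python
"""GF(2^8) inversion S-boxes (Nyberg / SQUARE / Rijndael style), the usual
quality metrics, and a table-free keyed variant.  Added example."""

POLY = 0x11B  # Rijndael's irreducible polynomial x^8 + x^4 + x^3 + x + 1


def gf_mul(a: int, b: int) -> int:
    # multiplication in GF(2^8) modulo POLY
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r


def gf_inv(x: int) -> int:
    # multiplicative inverse as x^254 (Fermat); maps 0 to 0, which is what
    # makes Nyberg's inversion a bijection on all 256 values
    r, base, e = 1, x, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r


def rotl8(x: int, n: int) -> int:
    return ((x << n) | (x >> (8 - n))) & 0xFF


def affine(x: int) -> int:
    # Rijndael's affine map over GF(2): x -> M*x + 0x63
    return x ^ rotl8(x, 1) ^ rotl8(x, 2) ^ rotl8(x, 3) ^ rotl8(x, 4) ^ 0x63


def affine_inv(y: int) -> int:
    # inverse of affine(): rotations by 1, 3, 6 and the constant 0x05
    return rotl8(y, 1) ^ rotl8(y, 3) ^ rotl8(y, 6) ^ 0x05


def inversion_sbox() -> list:
    # the full 256-entry table, for comparison with the table-free version
    return [affine(gf_inv(x)) for x in range(256)]


def differential_uniformity(sbox: list) -> int:
    # largest XOR-difference-table entry over nonzero input differences;
    # lower is better, and 4 is the best known for 8-bit permutations
    worst = 0
    for a in range(1, 256):
        counts = [0] * 256
        for x in range(256):
            counts[sbox[x] ^ sbox[x ^ a]] += 1
        worst = max(worst, max(counts))
    return worst


def _parity(v: int) -> int:
    return bin(v).count("1") & 1


def _fwht(v: list) -> list:
    # Walsh-Hadamard transform of a +1/-1 sequence, on a copy
    v = list(v)
    h = 1
    while h < len(v):
        for i in range(0, len(v), 2 * h):
            for j in range(i, i + h):
                a, b = v[j], v[j + h]
                v[j], v[j + h] = a + b, a - b
        h *= 2
    return v


def nonlinearity(sbox: list) -> int:
    # minimum over nonzero output masks of the distance between the
    # component function x -> <mask, S(x)> and the nearest affine function
    nl = 256
    for mask in range(1, 256):
        f = [1 - 2 * _parity(mask & s) for s in sbox]
        nl = min(nl, 128 - max(abs(w) for w in _fwht(f)) // 2)
    return nl


def keyed_perm(key: bytes, x: int) -> int:
    # hypothetical keyed construction for illustration (not a vetted cipher):
    # one step per key byte; each step is a bijection, so the whole map is
    for k in key:
        x = affine(gf_inv(x ^ k))
    return x


def keyed_perm_inv(key: bytes, y: int) -> int:
    for k in reversed(key):
        y = gf_inv(affine_inv(y)) ^ k
    return y


if __name__ == "__main__":
    s = inversion_sbox()
    print("inversion S-box: du=%d nl=%d" % (differential_uniformity(s), nonlinearity(s)))
    key = bytes(range(32))  # constructed 32-byte key
    t = [keyed_perm(key, x) for x in range(256)]
    print("keyed: bijective=%s du=%d nl=%d"
          % (len(set(t)) == 256, differential_uniformity(t), nonlinearity(t)))
```

The metric functions are the useful part for Mack's question: whatever keyed construction is tried, tabulating it once and running `differential_uniformity` and `nonlinearity` over the table is how "good differential table" and "good non-linearity" get a number attached to them, and the inversion S-box's 4 and 112 are the reference values to compare against.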
From: [EMAIL PROTECTED]
Subject: Re: freely obtainable on the internet??
Date: Sun, 23 Jul 2000 08:58:01 GMT
> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> Since what time are books not sold at bookstores and freely
> obtainable on the internet??
- Every good company first offers a product for an examination (for
free of course, otherwise who would try it?), and if a potential
customer really likes the product he/she pays for it. I may be
wrong, but I think that's how most of them work... the successful
ones.
Regards,
Yuri Margolin
http://flybum.hypermart.net
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: [EMAIL PROTECTED]
Subject: Re[2]: freely obtainable on the internet??
Date: Sun, 23 Jul 2000 09:11:38 GMT
As proof of what I just said, here's what
Mark Wooding <[EMAIL PROTECTED]> shared with us:
========================================================
Three good recommendations. Note that the last of these is available
in PostScript and PDF format from
http://www.cacr.math.uwaterloo.ca/hac/. The authors pushed the
publishers until they were allowed to release the whole thing free of
charge. Then again, I've no regrets about paying full price for my
paper version.
========================================================
You see? It works! It's just a good business technology.
I think I may buy that book too after glancing at it; you know,
most people still prefer to read from paper.
Regards,
Yuri Margolin
http://flybum.hypermart.net
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************