Cryptography-Digest Digest #321, Volume #12 Mon, 31 Jul 00 16:13:01 EDT
Contents:
Re: How secure is Pegwit? (Mike Rosing)
Re: Pegwit - "Weak" ECC with GF(2^m), m composite? (Mike Rosing)
Re: Kovlitz curves questions (Mike Rosing)
Re: Proving continued possession of a file (David Hopwood)
Re: Is Kong strong? ("Joseph Ashwood")
Re: Reference to a public key technique in NYTimes ("Joseph Ashwood")
Re: Kovlitz curves questions (Roger Schlafly)
Re: Elliptic Curves encryption (Roger Schlafly)
Re: Elliptic Curves encryption (Shawn Willden)
Re: Elliptic Curves encryption (Terry Ritter)
Re: Elliptic Curves encryption (Terry Ritter)
----------------------------------------------------------------------------
From: Mike Rosing <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp
Subject: Re: How secure is Pegwit?
Date: Mon, 31 Jul 2000 13:05:33 -0500
Mike Rosing wrote:
>
> Ed Suominen wrote:
> > 1. Pegwit uses GF(2^255) elliptic curve encryption. This is a strong
> > type of encryption (it does not use 2^m composite curves) that is
> > roughly equivalent to the 128 bit symmetric key encryption of PGP. It
> > has the advantage of a short (256 bit) key that is not much longer
> > than the 160 bit fingerprint of a DH/DSS PGP key.
>
> Actually, 255 = 5*51, so it's subject to Smart's attack. From Paullo's
> web page:
> Briefly, if m = kd then the elliptic discrete logarithm problem can be solved
> in time O(2^(k*(2 + epsilon))) instead of O(2^kd/2).
> So d=5, k=51, it's more like 102 bits of security instead of 127. If
> d=51 and k=5, it ain't secure :-)
Argh. 51 = 3*17, so this is 3*5*17 and the security goes as O(2^34 + ...).
I think this isn't considered secure anymore, although I haven't found
Nigel's write up anywhere yet. Pick a different field size!
>
> Patience, persistence, truth,
> Dr. mike
------------------------------
From: Mike Rosing <[EMAIL PROTECTED]>
Subject: Re: Pegwit - "Weak" ECC with GF(2^m), m composite?
Date: Mon, 31 Jul 2000 13:14:40 -0500
John Myre wrote:
> For pegwit, m = 255. So I think k = 17, and d = 15.
> So instead of O(2^127) we get O(2^34).
>
> (I haven't read Smart's paper, so I don't know what
> choice we have for k and d; it could only get worse
> if, say, we can choose k=3 and d=85.)
I haven't found it yet either. My bet is it's a composite:
O(2^34 + 2^10 + 2^6). The larger term dominates in any case,
so I think the largest prime factor is the security limit.
Patience, persistence, truth,
Dr. mike
------------------------------
From: Mike Rosing <[EMAIL PROTECTED]>
Subject: Re: Kovlitz curves questions
Date: Mon, 31 Jul 2000 13:27:04 -0500
Sergio Arrojo wrote:
>
> Could somebody give me a definition (please rather clear than cryptic) of
> "Koblitz Curves"?
> Why are there appropiate to avoid the recently discovered attack to curves
> char. 2 with m composite?
> Do they have anything to do with anomalous curves (since I ve heard they are
> called also "anomalous binary curves")?
Back in 1991 Koblitz wrote a paper "CM curves with Good Cryptographic Properties".
He described specific curves, and since about 1995 these have been called
Koblitz curves. They have also been called "anomalous binary curves", but
"anomalous" applies to lots of other curves too, some of which have been
found useless for crypto. For example, anomalous curves over GF(p) are broken.
To avoid confusion, and to honor a really smart dude, I prefer the term
Koblitz Curves.
A few months ago Nigel Smart from HP Labs in the UK sent out a warning that
he had discovered a way to reduce a composite curve discrete log problem
from GF(2^m) which takes O(2^m/2) steps to solve, to O(2^2k) steps, where
m = d*k. This has been rumored for years, but now the proof seems about ready
for print. (If anybody has a copy of that paper, I'd love to see it!)
Patience, persistence, truth,
Dr. mike
------------------------------
Date: Mon, 31 Jul 2000 13:35:46 +0100
From: David Hopwood <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Proving continued possession of a file
=====BEGIN PGP SIGNED MESSAGE=====
[EMAIL PROTECTED] wrote:
> It is possible to greatly reduce Bob's computation by partitioning
> the file into blocks of, say, 1000 bits each, and defining:
>
> x_i = ith block of 1000 bits within the file
> y_i = concatenate(i, x_i)
> M = y_1 * y_2 * y_3 * ...
>
> Now M isn't the file itself any more, but a simple function
> of it.
... but Bob (if I can get it right this time :-) only has to store M,
not the message.
- --
David Hopwood <[EMAIL PROTECTED]>
Home page & PGP public key: http://www.users.zetnet.co.uk/hopwood/
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5 0F 69 8C D4 FA 66 15 01
Nothing in this message is intended to be legally binding. If I revoke a
public key but refuse to specify why, it is because the private key has been
seized under the Regulation of Investigatory Powers Act; see www.fipr.org/rip
=====BEGIN PGP SIGNATURE=====
Version: 2.6.3i
Charset: noconv
iQEVAwUBOYVyljkCAxeYt5gVAQFktgf6ApOgZJs9ChKhgHVyj8SaZhBMNNEsxDji
Xt2lcZf+3s/GKxkbUWs7v3Iwl2ExywHY/TOGd7CU83R2Lrk2huOnABgIMBEHW1eL
X37UsLsMNl6xDyBK/b9CB3iNJWuuN894d3WztwHEZrUB7CmfEjM/UlMftjaLAlUD
VImJGmBgu/MjH5/Cg3CIDNobqk7HNb585WAGyZIIvpmHH2OjG3Ie+qATX2IO9Pno
lBMgiQAkacoyUW5Kj1m7VRZz11708saxaoLTNqil6BEyhRa+aOLwFaI7GoWRK8Rh
pzJrKc5v56uli21xU+UNyPRqNQqo0AHsWDYp8hWDbesff/DdxxUlmA==
=P4D1
=====END PGP SIGNATURE=====
------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Is Kong strong?
Date: Mon, 31 Jul 2000 11:41:54 -0700
The math behind it seems to be fairly standard issue (no advantage over any
other), the only difference is in the placement of the public key, which is
placed at the head of the signature. This poses a problem from the identity
standpoint, and is something that the webpage steps very lightly around, you
can't sign a public key in Kong, that means that you can only link otherwise
anonymous messages to one and other, but not to an identity. For anonymous
signatures I'd say it's quite good, but if you wish to use it for
identification, and non-repudiation, it will not be suitable, and hence your
statement about the legally bindingness of electronic signatures is a
triviality (since you can only prove that someone signed it, but not who).
Joe
"William Rowden" <[EMAIL PROTECTED]> wrote in message
news:8ltb9v$fn5$[EMAIL PROTECTED]...
> Has there been any external peer review of Crypto Kong
> (http://www.jim.com/jamesd/Kong)? I'd like to see that, so I'm asking
> those who post to sci.crypt for their opinion. What is the best known
> attack on the algorithms? Has anyone looked at the source code for
> the implementation?
>
> I became interested after seeing "--digsig" signatures on a mailing
> list recently. Kong appears to be an easy-to-use digital signature
> system (that can also do encryption). Using ECC, it has a smaller key
> size than RSA (or whatever we'll call it when the patent expires), and
> consequently it includes the public key in the signature.
>
> I searched the sci.crypt archives for a thread on Kong, but didn't
> find one. The search was complicated somewhat by posts from
> M. K. Shen. :-)
>
> If no known attack on Kong is better than brute force (or if those
> attacks take a long time), I might recommend it to friends who are
> reluctant to use something as "complicated" as PGP. Now that
> "electronic" signatures are binding in the US, it would be nice if
> *digital* signatures became more common. I'm afraid of a
> proliferation of "Click Here to Agree" buttons. That's another topic,
> however.
> --
> -William
> NEW key: http://www.eskimo.com/~rowdenw/pgp/rowdenw.asc until 2001-02-01
> Fingerprint: B6E5 9732 3464 97C8 2B70 A031 6BF6 9E5C 16B5 C400
------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Reference to a public key technique in NYTimes
Date: Mon, 31 Jul 2000 11:47:15 -0700
You forget, that's a first generation attack, a better generation attack
could happen by trapping the raw data coming out of the decryption engine
(this will be released for windows right?), from the conversion to a format
is a simple matter. Also they have certainly not defeats the most basic
method of getting MP3s, recording the CD into the computer, so why bother.
Joe
"Gordon Walker" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> On Sun, 30 Jul 2000 06:53:12 -0400, Johnny Bravo <[EMAIL PROTECTED]>
> wrote:
>
> >>minute song could be scrambled into 180 different codes; anyone
> >>taking the time to break a single code would be rewarded with only one
> >>second of music.
> >
> > And it only took one second to think of a way to bypass six years of
> >"research".
> >
> > Play music, record music as it gets sent to speakers. The software
> >needed for this is already around, I've used it to record a broadcast
> >channel playing through WinAmp.
>
> But it's not a direct digital copy, you're adding a trip out through
> the A/D converter and back in through the D/A. Granted, for a format
> like MP3 this degradation probably isn't noticeable but it still isn't
> the exact copy possible with unprotected digital recordings.
> --
> Gordon Walker
------------------------------
From: Roger Schlafly <[EMAIL PROTECTED]>
Subject: Re: Kovlitz curves questions
Date: Mon, 31 Jul 2000 12:22:36 -0700
Mike Rosing wrote:
> A few months ago Nigel Smart from HP Labs in the UK sent out a warning that
> he had discovered a way to reduce a composite curve discrete log problem
> from GF(2^m) which takes O(2^m/2) steps to solve, to O(2^2k) steps, where
> m = d*k. This has been rumored for years, but now the proof seems about ready
> for print. (If anybody has a copy of that paper, I'd love to see it!)
He warned that there *might* be a reduction. I don't believe
that he knows how to do it. Others have tried to make this
reduction and failed.
------------------------------
From: Roger Schlafly <[EMAIL PROTECTED]>
Subject: Re: Elliptic Curves encryption
Date: Mon, 31 Jul 2000 12:27:27 -0700
Steve Weis wrote:
> Which techniques have you had the most improvement with? It sounds like
> you have mainly worked in GF(2^n). Have you seen an advantage over GF(p)
> and GF(p^m)?
GF(2^n) has some technical advantages in hardware. However, those
advantages translate into disadvantages in software.
------------------------------
Subject: Re: Elliptic Curves encryption
From: Shawn Willden <[EMAIL PROTECTED]>
Date: 31 Jul 2000 13:32:27 -0600
"Ed Suominen" <[EMAIL PROTECTED]> writes:
> "Greg" <[EMAIL PROTECTED]> wrote in message
> news:8lu1vi$ugk$[EMAIL PROTECTED]...
> > > In my experience with ECC over GF(p) or GF(2^n), it has slower
> > > verfication performance vs. RSA by an order of magnitude. ECC
> > > has shown faster signing performance and appears to scale to
> > > larger key lengths much better.
> Couldn't slower verification performance actually be considered a
> benefit, since it would slow down a brute force attack?
Only if brute force is possible. If it is, you need longer keys.
Shawn.
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Elliptic Curves encryption
Date: Mon, 31 Jul 2000 19:37:52 GMT
On Sat, 29 Jul 2000 13:08:49 -0600, in
<[EMAIL PROTECTED]>, in sci.crypt Jerry
Coffin <[EMAIL PROTECTED]> wrote:
>In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
>
>[ ... ]
>
>> >OTOH, in most cases we can at least do the proof-like thing
>> >of classifying things into what we have to assume, and what we can
>> >prove based on those assumptions. Better yet, it comes as little
>> >suprise when one of those assumptions IS proven.
>>
>> It probably comes as a nice surprise to the guy who does it, and the
>> result is a nasty surprise to a user who loses information, but you
>> will get no surprise at all until the guy decides to tell you, and
>> that will never happen.
>
>That's highly doubtful -- most of the assumptions I'm talking about
>are NOT things that are likely to be found first by a cryptanalyst.
>Most proofs about rings, fields, etc., are found by mathematicians
>and openly published.
Alas, "most proofs . . . are openly published" is an assertion beyond
your possible knowledge. We don't know what is done in secret, so we
can't make a comparison.
That is the same sort of logic error as asserting that PK is strong
absent a true proof of strength: we can't know, and we can't just
assume what others have or have not done in secret.
NSA is one of the world's largest employers of mathematicians. If
math really is generated by university professors who publish, why
*does* NSA employ all those mathematicians? And do we see an amount
of open publication consistent with that amount of work?
Assumptions *are* the issue, because they are the link between
theories of dreams and reality.
>> >With symmetric algorithms we usually can't do that except under one
>> >assumption, which is that no better attack than those currently known
>> >will ever exist.
>>
>> There certainly can be, and generally is, a lot more detail to
>> symmetric cipher reasoning than that. Most symmetric ciphers have a
>> logical basis in mathematics, if only set theory and finite fields.
>> Why should it be possible to prove strength in one area of math and
>> not another?
>
>I never said it should or shouldn't be possible. At the same time,
>the few times I've seen symmetric algorithms with which any sort of
>proof was associated AT ALL, it has NOT been a proof of a minimal
>computation complexity of a solution or anything close to that.
Of course there is no proof of strength for secret key ciphers. That
should come as no surprise, since there are no acceptable proofs of
strength for *any* practical cipher, including PK. If there were, we
would all be fools to be using anything else, wouldn't we?
Surely it is beyond dispute that there is no proof of strength for any
practical cipher.
Surely it is beyond dispute that a "proof" based on unproven
assumptions can produce no information about fact. A "proof" is a
mere manipulation of symbols until the assumptions are shown true.
And until a proof is complete, there is no way to know how "close" the
part we have actually is. It may *not* be close at all. It may not
even be finishable.
>In
>most cases it's been a proof that given some set of assumptions the
>algorithm was as strong as some other algorithm, but in most cases
>there was little to support even a vague notion of the minimum
>complexity of solving either one.
It certainly is true that the current crop of secret key block ciphers
-- mostly designed by "publishing academics," by the way -- are not
designed for proof. Most are not scalable, which prevents us from
realizing the design in a tiny cipher which could be deeply examined
experimentally.
Even though RSA is widely lauded and *is* scalable, our "publishing
academics" apparently have seen insufficient advantage to follow that
model. But there is advantage, and since that is not being exploited,
we have to believe that our publishing academics have yet to get with
the program. Academics can't blame industry or amateurs for this.
>One of the most obvious examples is the proof about CBC -- it proves
>that using CBC is essentially as strong as the underlying cipher and
>does so quite effectively. Unfortunately, in most cases we have
>absolutely NO idea of whether about a minimum complexity in a
>solution of the underlying cipher.
Right. Just like PK. And the overriding issue in this discussion is
your unwarranted belief in the strength of PK, based on incomplete
manipulations which you choose to call "proof." But it doesn't matter
what you or anyone else calls it, there is nothing which shows that
cryptographic strength is fact.
>> >I'm prepared to believe that a statement about (for example) lack of
>> >smoothness on an elliptical curve MIGHT be true even though nobody's
>> >presently proven it. By contrast, I'm completely certain that better
>> >attacks on most symmetric ciphers WILL be invented. IOW, the
>> >assumptions in one case MIGHT be correct, while I'm completely
>> >convinced of the falsehood of the assumptions in the other case.
>>
>> So, basically, you are willing to *believe* that one form of
>> cryptography -- and only that form -- is capable of strength.
>
>This is a _gross_ mischaracterization of what I said, and it's not
>even close to anything I believe. You're an intelligent enough
>person that I'm hard put to believe you could read what I wrote and
>draw that as an honest conclusion.
I'm sorry if I mischaracterized your thoughts, but the best way to
verify understanding is to describe what has been said in different
words. On the other hand, I fail to see where my characterization
differed from your words, which are right above:
* You set up one case where you think strength "MIGHT" exist.
* Then you address the other case where you are absolutely sure that
the current strength does *not* exist.
* Then I characterize your words as a preference for a particular form
of cryptography based on your (insupportable) belief of strength.
That would seem to be factual analysis, not mischaracterization. With
exactly which part do you disagree?
>> Interesting. What possible basis can one possibly have for imagining
>> that the field is bicameral in this way? Shall we imagine that number
>> theory is "better" than field theory, or mappings?
>
>Not at all. We shall believe that at least the "proofs" I've seen of
>symmetric algorithms were a LOT weaker than the "proofs" I've seen of
>PK algorithms.
That whole assertion is confused: There can be no "weaker" proofs
when no proofs at all force us to conclude strength.
Part of the problem in this sort of discussion is the use of the word
"proof" in two different ways:
One meaning of "proof" is a proven result, a proven fact. This is the
logically forced conclusion based upon logical consequences of
original facts. A proof of strength is the ultimate cryptographic
goal; we do not have that for any practical cipher.
The more casual meaning of "proof" is "correct mathematical
manipulation." This is the action of proof without the result. It
means: "Given these assumptions, what would be the consequences?"
But manipulation -- even correct manipulation -- has nothing to do
with fact. A better and classic word to describe this situation is
"theory," not "proof."
We can tell that cryptography is not a science because we have
incomplete proofs widely being taken as something they clearly are
not: an "almost" proof of result. But something else is strange about
this: If the assumptions are so obviously believable and acceptable,
why is it that they cannot be proven?
When something we think is obviously believable and acceptable cannot
be proven, we are almost compelled to believe that the assumptions are
not nearly so benign and trivial as they at first may appear. The
very fact they exist as statements which are believable yet cannot be
proven as fact means they are logic wolves in sheep's clothing. This
should be very disturbing to everyone.
>If, for example, there is a proof that TwoFish cannot
>be solved with less than a specified amount of work, subject to some
>assumptions that look reasonable even though they're unproven, then
>that would put it in the same general category as most PK algorithms.
A proof based upon unproven assumptions is not a "general category,"
it is just an unfinished hope.
There is no strength distinction between such a proof and no proof --
because neither proves the truth of the desired goal of strength.
>The basis I see for looking at the two in different lights is that I
>have not seen such proofs for symmetric algorithms and I have seen
>them for PK algorithms. Right now I'm assuming that's a reflection
>on what's available, but I'll openly admit that it _could_ simply be
>a reflection of what I have and haven't read.
No, you have not seen strength proofs for PK algorithms. You may have
seen assertions, based on questionable assumptions. Apparently you
have accepted this work-in-progress as a final result. But the issue
is strength, not math manipulation. All the work and all the
so-called "proofs" still give us no result on PK strength, just like
there is no result for secret key ciphers. Why would you think
otherwise?
>> Math is math, but is more complicated necessarily "better." I don't
>> think so, and in fact, I think that's backward. More complicated
>> means that somebody only has to be smarter to see something others do
>> not, and there is always somebody smarter. In contrast, very
>> low-level things like substitutions can be deeply understood by almost
>> everyone.
>
>What makes you think that group theory (to use one of your examples)
>is fundamentally a lot simpler part of math than number theory?
While claiming no expertise at all, I have studied both; in my
experience, number theory has more unexpected and strange
consequences. It is easy to use group theory with a restricted range
of objects and operations which can be fully understood. The use of
large composites is not a similarly restricted area.
Perhaps a better distinction is that, in most work, discrete groups
are not the source of secret key strength, but rather are a way to mix
or expand that strength. The strength issue often rests in tables,
which are mappings, but the strength is in the construction and
exposure, not groupiness per se. In contrast, PK strength rests on
the very structure of a system of primeness and not-primeness which I
believe to not be deeply understood.
>IMO, by the time you get to a real algorithm with any real security,
>symmetric algorithms are generally a LOT more difficult to understand
>than PK algorithms.
I disagree. We can convince ourselves that we "understand" PK, when
what we really understand may be just the surface of PK. Until we
understand PK deeply, we will not understand how complex it really is.
Then and only then can we start to compare it to complex systems
composed of elements which can be understood deeply today.
>Just for example, if I wanted to convince a bank management committee
>that IDEA is secure enough for their purposes, about the ONLY thing I
>could say that I'd be reasonably sure they'd understand would be to
>say that a lot of really smart people have studied it for a long time
>and been unable to even come very close to breaking it.
>
>With RSA, things would be completely different: I'd simply show how
>much more difficult it is to factor a number than to find a couple of
>primes and multiply them together.
And thus we have a real problem: We have something which *appears* to
be simple and obvious, yet somehow exceeds our ability to prove it as
fact. That would seem to be a disturbing contradiction.
There is something fundamentally wrong about the situation: If we
can't prove something, we do *not* know it. And how can we think
something is obviously correct if it cannot be proven?
And if we do not *know* a system to be strong, why would we ever
consider saying that we do to lay persons who can have no idea of the
pitfalls of cryptography? Should things go wrong, such a statement by
a professional could be actionable. Normally we expect to see full
and open disclosure in any transaction unless the other side has their
own expertise.
I suggest that a cryptographic professional has a positive *duty* to
point out to lay persons that both PK and secret key ciphers lack
proofs of strength, and that either or both may fail in use without
prior warning, without notice, and indeed without any testable effect
at all. We know when a washing machine is broken, but we probably
don't know when a cipher is broken, even though we use the same word
to describe both.
>In short, the fundamental concept of security in RSA is a LOT simpler
>to understand than the fundamental concept of security in most
>symmetric ciphers. In both cases, proofs of much of anything are
>likely to be _considerably_ more complex and well beyond what the
>average user cares to understand, but again the concepts involved in
>a proof using number theory don't strike me as being fundamentally
>more complex: e.g. I think I could explain the concept of smoothness
>to an average non-mathematician fairly quickly and easily. If there
>was a hard part, it would probably be explaining why such a simple
>concept even deserved a name of its own...
>
>--
> Later,
> Jerry.
>
>The universe is a figment of its own imagination.
A belief in strength which somehow just cannot be proven has a sad
history as old as cryptography itself. One might well be excused for
thinking that confronting a belief in strength should be the first and
deepest lesson in any serious cryptographic education.
I suggest that a wiser approach is to take a pro-active security
stance, to assume that every cipher is breakable, and take steps to
reduce unnecessary exposure and otherwise minimize -- not eliminate --
the consequences of loss.
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Elliptic Curves encryption
Date: Mon, 31 Jul 2000 19:38:05 GMT
On Mon, 31 Jul 2000 12:12:32 -0500, in
<[EMAIL PROTECTED]>, in sci.crypt Mike Rosing
<[EMAIL PROTECTED]> wrote:
>Terry Ritter wrote:
>> Nope: Facts exist independent of belief. Convincing someone is not
>> relevant to reality.
>
>And belief exists independent of facts. Convincing people of things
>is all there is to "reality". Advertising comes to mind...
>
>> The Russian text is no doubt conveying a typical wry cynicism.
>
>Yeah, pretty necessary for survival anywhere now.
Perhaps wry cynicism is necessary; I seem to have picked some up,
although it doesn't seem to be helping much. But it is not Science.
Facts need no belief, no propaganda, no agreement, no popularity.
There is no vote on facts. Facts are there if you don't like them
just as much as if you do. Any argument which implies correctness
because many experts believe such a thing is a false argument. Facts
don't care about experts or belief.
>> I will believe a mathematical proof, if I can understand it, because I
>> will have no choice. There are, however, many supposed "proofs" which
>> I do not accept because they are only proofs if one accepts certain
>> assumptions which I do not accept.
>>
>> We are no doubt supposed to believe that our opponents are limited to
>> making the same assumptions our side is willing to make.
>
>Like Don said, different assumptions lead to different fields of
>mathematics. If there's an assumption you don't like, that's fine.
>If I want to assume that 2 parralel lines meet, I'm not doing
>Euclidian math anymore, I might be doing Lobechevskian math. That you
>don't accept the proofs is consistent with the translated russian words.
Only in theoretical math can we say that two systems with different
assumptions are equally valid. Cryptography is certainly not
theoretical math. To use the results (which do seem to get mentioned
over and over again), we must first validate the assumptions; we must
show the assumptions are fact, not dreams. Currently, we are using
dreams and calling that Science.
>What makes math interesting is the ability to relate different fields
>with each other. Mapping from one set of assumptions to another makes
>life complicated, and keeping track of which assumption is valid where
>gets confusing. To me, it makes "proof" even more confusing.
>
>> Well, that's an interesting assertion. But where is your proof?
>>
>> In reality, you have no idea what math has been discovered. You just
>> know that it hasn't been disclosed; that is, that *you* don't know
>> about it. Thus, we see a vast chasm between what you actually do
>> know, and what you claim to know. That is a serious problem for any
>> discussion about cipher strength.
>
>Agreed. There may be a race of creatures only 20 light years away who
>are laughing their heads off. They know how to build quantum computers,
>and have found algorithms for everything we have that are poly-time.
Actually, there may be a race of mathematicians in a far-off fort who
also are laughing their heads off. Or maybe just one clever guy who
runs an organization to exploit exposed information. The point is
that not knowing is just not knowing, not an implication that greater
expertise than we know has arrived in saucers from The Greys.
>I also agree that discussing cipher strength is a lot of hand waving.
>Even so, we can get a rough idea on what it takes to crack various
>PK ciphers here on earth with present technology, and build a certain
>level of security which will force our opponents to pay large sums of
>money to circumvent.
Nope: We can't know how much security we need, because we don't know
how much we have. Unless and until there is a complete proof of
strength with provably factual assumptions, we don't know that there
aren't far simpler ways to expose the data than we presently know.
>Spys are always cheaper than hardware, so discussion of cipher strength
>is kind of silly anyway.
Bribery may be cheaper, but it can be revealed, and that might be
worse, especially if the owners start feeding false information.
There is a pleasant sort of untraceability to cracking ciphertext.
>It is still a practical excersise to determine
>how much it costs to implement a cipher and how much it *might* cost
>an opponent to attack it. When the attack price is over twice the
>price of a spy, it should be good enough.
The idea of planning on the basis of potentially invalid information
and expecting valid results seems very strange to me.
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
