Cryptography-Digest Digest #472, Volume #12      Fri, 18 Aug 00 03:13:01 EDT

Contents:
  Re: OTP using BBS generator? (David Hopwood)
  Re: OTP using BBS generator? (David Hopwood)
  Bytes, octets, chars, and characters (David Hopwood)
  Re: OTP using BBS generator? (David Hopwood)
  Re: 1-time pad is not secure... (Guy Macon)
  Re: 1-time pad is not secure... (Guy Macon)
  Re: Unauthorized Cancel Messages (Guy Macon)
  Re: 1-time pad is not secure... (Guy Macon)
  Win2k encryption (Mack)
  Re: OTP using BBS generator? (Mok-Kong Shen)
  Re: Best AES candidates ?? (Mack)
  Re: How to design a new *secure* network protocol from scratch? (Anders Thulin)

----------------------------------------------------------------------------

Date: Fri, 18 Aug 2000 02:45:36 +0100
From: David Hopwood <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: OTP using BBS generator?

=====BEGIN PGP SIGNED MESSAGE=====

Terry Ritter wrote:
> Thus, if we want the comfort of "unpredictable" instead of "almost
> always unpredictable," we need to additionally avoid short cycles.

Avoiding short cycles still gets you "almost always unpredictable" [*],
not "always unpredictable". Moreover, "always unpredictable" is not
necessary and was never claimed.

[*] where "almost always" means "except with negligible probability".

- -- 
David Hopwood <[EMAIL PROTECTED]>

Home page & PGP public key: http://www.users.zetnet.co.uk/hopwood/
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5  0F 69 8C D4 FA 66 15 01
Nothing in this message is intended to be legally binding. If I revoke a
public key but refuse to specify why, it is because the private key has been
seized under the Regulation of Investigatory Powers Act; see www.fipr.org/rip


=====BEGIN PGP SIGNATURE=====
Version: 2.6.3i
Charset: noconv

iQEVAwUBOZyVFzkCAxeYt5gVAQHazwf/RtA1Hd5Ycp4diKCTSHIKHN/IB5LAjhA6
fySjAY0Lg8QtIQXErhJns4UwBarjpJNbEIqmzeFuOotRV1bNL6oiO+Th1nvi0M4M
WVUlWcYYXfXavz/LYzkNCYMRN9A8WDeKFfxhGyuC7YxVsYI1RMwgUbTsJqV4A/+s
yPixGxP9TqbwIf3f2rbRghdiKEt63qu+sUKcH9lmFx65DnA4/CMdMtcTPJEchmjj
IJkvQVzpZUzcfcoZ4ylLZfM6sM1DmhtZA8rXdRKUTnCeV5zk2DCmYCkwQKNuR+6K
pEEBoDdamFthaWm59zYOkbkpuFIXKkJpZa624J3RPCh7R/q5ZJ9Dmg==
=h17m
=====END PGP SIGNATURE=====



------------------------------

Date: Fri, 18 Aug 2000 02:54:21 +0100
From: David Hopwood <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: OTP using BBS generator?

=====BEGIN PGP SIGNED MESSAGE=====

Tim Tyler wrote:
> Another issue might be that rejecting short cycles appears to
> decrease the size of the keyspace.  Has anyone yet proposed that rejecting
> these seeds is a cause of loss of strength? ;-)

I thought about that, and concluded that it doesn't. (An amusing proof is to
use the fact that the short cycle checks have no effect except with negligible
probability :-)

- -- 
David Hopwood <[EMAIL PROTECTED]>

Home page & PGP public key: http://www.users.zetnet.co.uk/hopwood/
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5  0F 69 8C D4 FA 66 15 01
Nothing in this message is intended to be legally binding. If I revoke a
public key but refuse to specify why, it is because the private key has been
seized under the Regulation of Investigatory Powers Act; see www.fipr.org/rip


=====BEGIN PGP SIGNATURE=====
Version: 2.6.3i
Charset: noconv

iQEVAwUBOZyXBzkCAxeYt5gVAQHKVAgAl/yqQwAP1GmG2G3yoquW8uJOvefYdMFj
W8fKARvtLQNV0ju+axRU9RJfY1V8Ysq/GTjXzD0TBlMjbu5YKab+/IhDHxdnsXqK
770koD1Jj/OjHMayPpUR5p0ulTd6uD90HK3ep+Z3IslYYDadAoluDp61vBY031E8
Q+IdK8T0MNBKCSyoKY65mrl2XkPGdWjXcoHNjmupHfK87kDeiwnGl+lO2oIVZeFT
uFVfUv8XHxJDT4oEulQDuF3N0BPtO2s/vmd34LCxvkk5owS+gKcWeba2WfWEw4ki
6u9/egmvP6l9JLdYPt3eEebp6nKmvv8pkHFDqcIza+DhUAS9daPlow==
=5Amf
=====END PGP SIGNATURE=====



------------------------------

Date: Fri, 18 Aug 2000 03:59:04 +0100
From: David Hopwood <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Crossposted-To: comp.lang.c
Subject: Bytes, octets, chars, and characters

=====BEGIN PGP SIGNED MESSAGE=====

Gergo Barany wrote:
> Michael Will <[EMAIL PROTECTED]> wrote:
> > Gergo Barany wrote:
> >
> > >No, a char is always one byte in C.

Yes, according to the definition of 'byte' in the C specs (although it's
not guaranteed to be the same size as whatever the documentation for the
target processor calls a byte).

[snip]
> And to show that this is not just crazy C programmers talking, see
> this (admittedly non-normative) quote from the Jargon File:
> 
>    byte /bi:t/ n.
> 
>    [techspeak] A unit of memory or data equal to the amount used to
>    represent one character;

But, this definition is wrong, because C 'char' != character in general.
It's very common for 1, 2, 4, or variable numbers of octets or bytes to
be used to represent a character (both in C programs, the terminology
used in the C specs notwithstanding, and in other contexts). The use of
the word "character" to mean anything other than a unit of text (such as
a symbol, letter, etc., or possibly a control code), should be strenuously
resisted; characters are *not* units of storage.

- -- 
David Hopwood <[EMAIL PROTECTED]>

Home page & PGP public key: http://www.users.zetnet.co.uk/hopwood/
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5  0F 69 8C D4 FA 66 15 01
Nothing in this message is intended to be legally binding. If I revoke a
public key but refuse to specify why, it is because the private key has been
seized under the Regulation of Investigatory Powers Act; see www.fipr.org/rip


=====BEGIN PGP SIGNATURE=====
Version: 2.6.3i
Charset: noconv

iQEVAwUBOZymPDkCAxeYt5gVAQGKTAf+PniRu5MiuhfuRWlETqDQkUtJZC6zurwo
MC/WoisrbxLCMrZSH39RPV4SF8DAFueWAVJtf302AiRSkYIIG7//QC5XgzM3ayNp
cPmzo+N62FFEnxh+egixU4o+RLJKt1z6Iu9uqqi07Bdr/xkROyGEZfwSm7NKU9Vf
OYi+va6znM1z60LfF5zR8/iYjieFv2P76K8p/wv36bGptCEcXgb7owmSHHmvbbkE
acQmbnuolwmFwjti8gmhId787sRx5IrgeU8wcD8ZTv6hYssRTZ7efM3Ag7Z9wpW3
CRPIIQ0F4HhBEF1nkVgU5v868cpkVPJv0/5s9R2C1oWg6X9JZwUw0w==
=qPRy
=====END PGP SIGNATURE=====

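The message above draws the line between a C 'char' (a unit of storage) and a character (a unit of text), and notes that one character may occupy 1, 2, 4 or a variable number of octets. The following Python is an added worked example, not code from the thread: it measures code points against octets in three encodings and shows the practical consequence for anyone sizing or truncating buffers by "characters", namely that a cut made on an octet boundary can split a character, and how to back up to a safe boundary. The sample strings and all function names are my own.

```python
# Added example (not from the thread): code points versus octets, and a
# UTF-8 truncation that never splits a character. Names and samples are mine.


def octet_lengths(text: str) -> tuple:
    """(code points, UTF-8 octets, UTF-16 octets, UTF-32 octets).

    UTF-32 spends 4 octets per code point; UTF-16 spends 2 or 4; UTF-8 spends
    1 to 4. None of these counts is 'the number of characters' in the text
    sense: "e\u0301" is two code points but one user-perceived character.
    """
    return (
        len(text),
        len(text.encode("utf-8")),
        len(text.encode("utf-16-be")),
        len(text.encode("utf-32-be")),
    )


def naive_truncate(data: bytes, max_octets: int) -> bytes:
    """What strncpy-style code does: cut at an octet count, ignoring text."""
    return data[:max_octets]


def truncate_utf8(data: bytes, max_octets: int) -> bytes:
    """Keep at most max_octets of a well-formed UTF-8 buffer without cutting
    a character in half.

    UTF-8 continuation octets have the bit pattern 10xxxxxx. If the octet
    just past the cut is a continuation octet, the cut is inside a character,
    so back up until the cut lands on a lead octet (which is then dropped
    along with the rest of its character).
    """
    if len(data) <= max_octets:
        return data
    cut = max_octets
    while cut > 0 and (data[cut] & 0xC0) == 0x80:
        cut -= 1
    return data[:cut]


def is_valid_utf8(data: bytes) -> bool:
    """True if data decodes as UTF-8 (strict decoding, no replacement)."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


# Constructed samples: one ASCII letter, one 2-octet, one 3-octet and one
# 4-octet character, plus a base letter with a combining accent.
SAMPLES = {
    "ascii": "a",
    "latin": "\u00e9",        # 'e' with acute accent: 2 octets in UTF-8
    "euro": "\u20ac",         # euro sign: 3 octets in UTF-8
    "emoji": "\U0001F600",    # grinning face: 4 octets, surrogate pair in UTF-16
    "combining": "e\u0301",   # 2 code points, 1 user-perceived character
}


def report(text: str, max_octets: int) -> dict:
    """Summarise the lengths and compare naive and safe truncation."""
    data = text.encode("utf-8")
    naive = naive_truncate(data, max_octets)
    safe = truncate_utf8(data, max_octets)
    return {
        "lengths": octet_lengths(text),
        "naive_valid": is_valid_utf8(naive),
        "safe_valid": is_valid_utf8(safe),
        "safe_text": safe.decode("utf-8"),
    }


if __name__ == "__main__":
    for name, s in SAMPLES.items():
        print(name, octet_lengths(s))
    print(report("a" + SAMPLES["euro"] + SAMPLES["emoji"], 5))
```

The point to take from `report`: a 5-octet buffer holding "a€😀" truncated the naive way contains a dangling lead octet and fails strict decoding, which is exactly the kind of buffer that downstream code then mishandles; the safe version drops the whole last character and remains valid text.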


------------------------------

Date: Fri, 18 Aug 2000 05:31:54 +0100
From: David Hopwood <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: OTP using BBS generator?

=====BEGIN PGP SIGNED MESSAGE=====

Mok-Kong Shen wrote:
> Mark Wooding wrote:
> > Firstly: in 1984, Vazirani and Vazirani showed that predicting the
> > output of the x^2 mod N generator reduced to factoring n.  Since
> > traversing a cycle evidently permits prediction of the generator's
> > output, it must therefore also reduce to factoring n.
> 
> Sorry, doesn't this result of Vazirani and Vazirani conflict
> with the sentence 'There is no proven reduction in the other
> direction' above,

No. We have the following reductions:

     predicting_BBS
      ^          |
      |          |
      v          v
     IFP -----> QRA

where ---> means "polynomially reduces to", IFP is the Integer Factorisation
Problem, and all three problems are taken to be over the same distribution
of moduli. This is all perfectly consistent; it means that the QRA could in
principle be easier than predicting BBS or factoring.

> > Then see my own work, elsewhere in this group, about efficient choice of
> > parameters for ensuring large period for the parity sequence.
> 
> I hope that this efficient choice does not result in severe
> reduction of the space of N.

If the distribution from which factors are chosen is changed, then the
assumption needed to prove security is that the IFP is hard for this
distribution of factors (or moduli). In general, that could be either
easier or harder than the IFP when factors are chosen as random primes.

I don't see any reason in practice why constructing N in the way described
in Mark Wooding's post would be expected to result in any weakness, provided
t_1 is large enough (at least 2^128). Since it chooses p-1 and q-1 to be
of special form, the "p-1" factoring method needs to be considered, but
AFAICS that method will require O(t_1) work in this case, which should be
OK.

OTOH, I don't think that the cycle length issue is a good motivation for
choosing factors of special form (either the method using Lim-Lee primes,
or the "special primes" defined in the BBS paper).

> > > The theorem concerns unpredictability to the left.  Why 'to the left'
> > > and not 'to the right'? Does the one imply the other or is 'to the
> > > right' of no use in practice?

Yao's theorem (referenced in the BBS paper) can be used to show that
unpredictability to the left implies that the generator passes every
probabilistic polynomial-time test (and hence is unpredictable to the
right).

[...]
> > > The paper employs the term 'probabilistic poly-time statistical
> > > test'. Is this a theoretical concept like the Kolmogorov complexity or
> > > does there exist a concrete implementation of such a test or at least a
> > > practically realizable specification of it?
> >
> > It's the name for a (large) class of statistical tests.  It does what it
> > says on the tin.
> 
> But to be meaningful one needs to know what that large class of tests is,

Roughly speaking, it means "any" possible poly-time test. Such a test
corresponds to a way of feasibly predicting the generator; if there are no
such tests (as the paper proves, under the QRA), then the generator output
is indistinguishable from random.

[Note that the above paragraph is somewhat imprecise, for mathematical
rigour, refer to the "Theory and Applications of Trapdoor Functions" paper
by Yao that is referenced by BBS.]

- -- 
David Hopwood <[EMAIL PROTECTED]>

Home page & PGP public key: http://www.users.zetnet.co.uk/hopwood/
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5  0F 69 8C D4 FA 66 15 01
Nothing in this message is intended to be legally binding. If I revoke a
public key but refuse to specify why, it is because the private key has been
seized under the Regulation of Investigatory Powers Act; see www.fipr.org/rip


=====BEGIN PGP SIGNATURE=====
Version: 2.6.3i
Charset: noconv

iQEVAwUBOZy7NDkCAxeYt5gVAQE3zQf9H3AqXKD58uXUWrJlG2SZ57udAE5KTT3b
sZ8EVNALk/3pxXa83fM0+5Pq1MvYyx1ejyqWfPojf0td3uAK1MdaHvTbN4KZTj0P
C1Qr78hfA3nJf1dv/exy8zJANu4cmuiYGMYFT4Lo/K99MU4WC7mRu71ISdTtOBF7
Hb7mhHNQ0oTnfz5oJAAoyNX8ZrCOOTl7re4TozQaFip5AKIaNUe4x1FlVY/JCHQZ
gu9UPlEmhwPKHiB+LqnWtWJ8sYGll/7E1ejVURLMlYGDGUdElePWy3n0UgKxoI29
uUh0oeSJxrron/dS4E041N4GRhfBu3anTn8+wcdUA+cY7zv856lRlw==
=4fT9
=====END PGP SIGNATURE=====

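The three Hopwood messages above, together with the Ritter and Tyler exchange at the top of the digest, turn on the period of x -> x^2 mod N and on the claim that rejecting short cycles changes nothing except with negligible probability. The following Python is an added worked example, not code from any poster or from the BBS paper: it builds N from primes of the "special" form defined in the BBS paper (p = 2*p1 + 1, p1 = 2*p2 + 1, with p1 and p2 odd primes), computes a seed's period algebraically (x_i = x0^(2^i) mod N, so the period is the order of 2 modulo ord_N(x0), and for special primes every factorisation that needs is known), cross-checks that by walking the cycle for a toy modulus, and counts how many seeds a short-cycle check would reject. The toy modulus, the seeds and all function names are my own choices; N = 23 * 47 is far too small to be secure and exists only so the brute-force check runs.

```python
# Added example (not from the digest): Blum-Blum-Shub with an explicit
# cycle-length check. Primes, seeds and names are my own choices.
from math import gcd

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin; correct for all n < 3.3e24, ample here."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def is_special_prime(p: int) -> bool:
    """Special prime in the BBS sense: p = 2*p1 + 1, p1 = 2*p2 + 1,
    with p1 and p2 odd primes (p is then automatically 3 mod 4)."""
    if not is_prime(p):
        return False
    p1, p2 = (p - 1) // 2, (p - 3) // 4
    return p1 % 2 == 1 and p2 % 2 == 1 and is_prime(p1) and is_prime(p2)


def special_primes_below(limit: int) -> list:
    return [p for p in range(3, limit) if is_special_prime(p)]


def lcm(a: int, b: int) -> int:
    return a * b // gcd(a, b)


def mult_order(a: int, m: int, group_order: int, primes) -> int:
    """Order of a mod m, given group_order with a^group_order = 1 (mod m)
    and a tuple containing every prime factor of group_order."""
    if m == 1:
        return 1
    e = group_order
    for f in primes:
        while e % f == 0 and pow(a, e // f, m) == 1:
            e //= f
    return e


def lambda_lambda(p: int, q: int) -> int:
    """lambda(lambda(pq)) = 2*p2*q2 for special p, q; every period divides it."""
    return 2 * ((p - 3) // 4) * ((q - 3) // 4)


def bbs_period(x0: int, p: int, q: int) -> int:
    """Period of x -> x^2 mod pq from a quadratic residue x0 coprime to pq.
    x_i = x0^(2^i), so the period is the order of 2 modulo ord_N(x0)."""
    p1, q1 = (p - 1) // 2, (q - 1) // 2
    p2, q2 = (p1 - 1) // 2, (q1 - 1) // 2
    if x0 % p == 0 or x0 % q == 0:
        raise ValueError("x0 must be coprime to N")
    op = mult_order(x0 % p, p, p - 1, (2, p1))
    oq = mult_order(x0 % q, q, q - 1, (2, q1))
    m = lcm(op, oq)          # ord_N(x0); divides p1*q1 because x0 is a QR
    lam = 1                  # lambda(m), m | p1*q1, p1 and q1 prime
    for f in (p1, q1):
        if m % f == 0:
            lam = lcm(lam, f - 1)
    return mult_order(2, m, lam, (2, p2, q2))


def bbs_period_brute(x0: int, n: int) -> int:
    """Walk the cycle; only feasible for a toy n. x0 must be a QR mod n."""
    x, k = x0 * x0 % n, 1
    while x != x0:
        x, k = x * x % n, k + 1
    return k


def bbs_bits(seed: int, p: int, q: int, nbits: int, min_period: int = 0) -> list:
    """Parity bits of the BBS sequence for x0 = seed^2 mod N, after the
    short-cycle check the thread discusses (reject if period < min_period)."""
    n = p * q
    if gcd(seed, n) != 1:
        raise ValueError("seed must be coprime to N")
    x = seed * seed % n
    if bbs_period(x, p, q) < min_period:
        raise ValueError("seed lies on a short cycle")
    out = []
    for _ in range(nbits):
        x = x * x % n
        out.append(x & 1)
    return out


def short_cycle_fraction(p: int, q: int) -> float:
    """Fraction of seeds s coprime to N whose period is below the maximum."""
    n, full = p * q, lambda_lambda(p, q)
    seeds = [s for s in range(1, n) if gcd(s, n) == 1]
    short = sum(1 for s in seeds if bbs_period(s * s % n, p, q) < full)
    return short / len(seeds)


if __name__ == "__main__":
    print(special_primes_below(400))               # [23, 47, 167, 359]
    print(bbs_period(9, 23, 47), lambda_lambda(23, 47), bbs_bits(3, 23, 47, 8))
    print(short_cycle_fraction(23, 47))
```

For N = 23 * 47 the check rejects 33/253 of the seeds, because a seed is on a short cycle exactly when ord_N(x0) is not the full p1*q1, a fraction 1 - (1 - 1/p1)(1 - 1/q1), roughly 1/p1 + 1/q1. For primes of the sizes actually used that is on the order of 2^-500, which is the "negligible probability" in Hopwood's remark that the check has no effect on the keyspace worth speaking of.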

------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: 1-time pad is not secure...
Date: 18 Aug 2000 04:49:10 GMT


Tim Tyler wrote:

>To *ignore* these (as, for example Bruce Schneier does in AC when he
>writes "Believe it or not there's a perfect encryption scheme." - p.15,
>2nd ed.) is not sensible.

Whenever I find that my reasoning in an area where I am not an expert
leads me to the conclusion that standard textbooks on the subject are
wrong, I take the possibility that it is my reasoning that is wrong
much more seriously than you seem to.  You should think about that.


------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: 1-time pad is not secure...
Date: 18 Aug 2000 04:50:53 GMT

Douglas A. Gwyn wrote:
>
>Guy Macon wrote:
>
>> Douglas A. Gwyn wrote:
>>
>> >Guy Macon wrote:
>>
>> >> I was just responding to his comment that
>> >> he wishes that it was on the Internet ...
>>
>> >I didn't say that.
>>
>> From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
>> Date: 11 Aug 2000 00:00:00 GMT
>> I haven't had time to set up a Web site.  Whenever I get
>> a round tuit, that will be one of the things I'll include.
>
>So?  I didn't say that I wish it were on the Internet,
>I said that maybe some day it will be.

You aren't fooling anyone, you know.


------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: Unauthorized Cancel Messages
Date: 18 Aug 2000 04:58:57 GMT

Ron B. wrote:

>Yes, you are right.  However, I did contact support and discover that my
>"assumption" was wrong. I then notified the group of my error (see posting
>you quoted).

Of course you did.  One only needs to look at the history of your posts
to see that you are polite and interesting to read.


------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: 1-time pad is not secure...
Date: 18 Aug 2000 05:04:50 GMT

Tim Tyler wrote:
>
>Sniggerfardimungus <ronb.cc@usu@edu> wrote:
>
>: In article <[EMAIL PROTECTED]>, Tim Tyler <[EMAIL PROTECTED]> writes:
>
>:> ``There is a branch of theology that seems to be influencing people
>:>   who don't know the root source of the ideas they hold.''
>:> 
>:> This looks more like psychoanalysis than memetics to me.
>:> 
>:> Also, there's no need to patronise me.  I'm quite aware of the
>:> similarities and differences between psychoanalysis and memetics.
>
>: Evidently you don't. [...]
>
>Blah, blah, blah...

*** PLONK! ***

Ah.  Much better.


------------------------------

From: [EMAIL PROTECTED] (Mack)
Subject: Win2k encryption
Date: 18 Aug 2000 05:38:19 GMT

It is my understanding that each
user has a key for each file encrypted under
his public key.  That way people can give
others access to a file. I am not trying
to get into the access mechanism itself.

If I don't understand that part correctly let me
know.

Is my understanding that Win2k uses DES as
its symmetric algorithm correct? And if so does it
use regular DES, DES-CBC, DES-CFB, 3DES-EDE?




Mack
Remove njunk123 from name to reply by e-mail

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: OTP using BBS generator?
Date: Fri, 18 Aug 2000 07:52:34 +0200



David Hopwood wrote:
> 
[snip]
> OTOH, I don't think that the cycle length issue is a good motivation for
> choosing factors of special form (either the method using Lim-Lee primes,
> or the "special primes" defined in the BBS paper).

Thank you very much for providing very clear answers to my
questions. I believe that I have now almost understood the 
whole issue of BBS (though not the details of math in it), 
excepting one question posted previously and a literature 
pointer:

(1) If the main theorem does not involve cycle length 
    and has firmly established the security issue, why 
    does one (in particular BBS) have to bother to consider 
    subsequently the cycle length question at all?

(2) Which paper of Lim-Lee is the one referred to?

Thanks.

M. K. Shen

------------------------------

From: [EMAIL PROTECTED] (Mack)
Subject: Re: Best AES candidates ??
Date: 18 Aug 2000 06:05:22 GMT

>>> But which should my last choices be ???
>> Other block ciphers with interesting performance are:
>>  * Blowfish.  (The predecessor to Twofish.  It's also
>>  easy to implement  and hard to get wrong.)
>>
>>   * Square.  (The predecessor to Rijndael.
>> It's very fast, and has a  wonderfully elegant design.
>>  There are security worries, though.   :-(     )
>> -- [mdw]
>
>
>This is the second time someone has mentioned possible security problems
>with the Square cipher. Could you provide more detail , or give an online
>reference ?
>
>Vic
>
>--
>Email : [EMAIL PROTECTED]
>Decode email address thus :
>1=v,2=i,3=c,4=d,5=r,6=a,7=s,8=t,2=i,9=k
>
>
>

I think that the concern has to do with impossible differentials;
try looking at the literature on CRYPTON.  FSE 99 maybe.


Mack
Remove njunk123 from name to reply by e-mail

------------------------------

From: Anders Thulin <[EMAIL PROTECTED]>
Subject: Re: How to design a new *secure* network protocol from scratch?
Date: Fri, 18 Aug 2000 06:24:55 GMT


proton wrote:

> Now what im trying to figure out is the smartest and most
> secure way of authenticating each end with eachother and
> establishing an encrypted session.

  Why start from scratch?  Is everything else worthless or unsuitable
for the purpose? 

  Why not start by reading up on the protocols already designed: such
as IPsec, TLS, SSH, etc., and go on from there?

-- 
Anders Thulin     [EMAIL PROTECTED]     040-10 50 63
Telia Prosoft AB, Hjälmaregatan 3B, 212 19 Malmö, Sweden

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
