Cryptography-Digest Digest #515, Volume #12 Wed, 23 Aug 00 13:13:00 EDT
Contents:
Re: SHA-2 name rumors (Kent Briggs)
rsasecurity or Certicom? ("Sergio Arrojo")
Re: My unprovability madness. (Nathan the Great)
Re: Questions about stream cipher (Mark Wooding)
Re: An interesting cryptographic problem (Richard D. Latham)
Re: Crypto Coprocessor on Javacard ("Tomas Rosa")
Re: What is required of "salt"? (John Myre)
Re: The DeCSS ruling and the big shots (Will Janoschka)
Re: rsasecurity or Certicom? (Doug Kuhlman)
Re: Questions about stream cipher ([EMAIL PROTECTED])
Re: rsasecurity or Certicom? ([EMAIL PROTECTED])
Re: My unprovability madness. ("Adam Russell")
Re: Comment from Hardware Experts Please ("Douglas A. Gwyn")
Re: 1-time pad is not secure... ("Douglas A. Gwyn")
Re: help needed to break KRYPTOS ("Douglas A. Gwyn")
Re: Hidden Markov Models on web site! (Mok-Kong Shen)
Re: On pseudo-random permutation (Mok-Kong Shen)
Re: The DeCSS ruling ("Douglas A. Gwyn")
Re: On pseudo-random permutation (Mok-Kong Shen)
Re: Steganography vs. Security through Obscurity (Mok-Kong Shen)
----------------------------------------------------------------------------
From: Kent Briggs <[EMAIL PROTECTED]>
Subject: Re: SHA-2 name rumors
Date: Wed, 23 Aug 2000 14:21:20 GMT
"S. T. L." wrote:
> SHA-1 provides 160 bits; isn't that enough?
Hash functions make convenient password crunchers and with the new AES standard
allowing key sizes up to 256 bits, it would be nice to have a corresponding hash
function of that size.
--
Kent Briggs, [EMAIL PROTECTED]
Briggs Softworks, http://www.briggsoft.com
------------------------------
From: "Sergio Arrojo" <[EMAIL PROTECTED]>
Subject: rsasecurity or Certicom?
Date: Wed, 23 Aug 2000 16:32:27 +0200
Reply-To: "Sergio Arrojo" <[EMAIL PROTECTED]>
Hi
my company is about to buy a software package to implement ECC for
smart-cards. We are deciding between various offers: the package from
Certicom, rsasecurity, Cryptovision (from Germany) and MIRACL. We actually
don't know whether the quality difference is so big as the price difference
is. Could somebody give us a reasoned recommendation, or at least a path to
follow in order to decide which Software to buy.
Thanks
Sergio Arrojo
------------------------------
From: [EMAIL PROTECTED] (Nathan the Great)
Crossposted-To: sci.math,sci.physics
Subject: Re: My unprovability madness.
Date: Wed, 23 Aug 2000 14:40:35 GMT
On Wed, 23 Aug 2000 00:06:49 +0200, "denis-feldmann"
<[EMAIL PROTECTED]> wrote:
>
>Future Beacon <[EMAIL PROTECTED]> wrote in the message:
>[EMAIL PROTECTED]
>> The axiom of infinity is not the only axiom that might be
>> thrown out to avoid the theorem's conclusion,
>
>This is really interesting, but only goes to show your
>deep ignorance of the subject.
Denis, Jim said conclusions are not independent of the axioms.
Strangely, it seems like you disagree.
Here are some Non-standard logics that might interest you:
Combinatory logic:
Logics that replace variables with functions in order
to clarify intuitive operations on variables such as
substitution. Systems of arithmetic built from combinatory
logic can contain all partial recursive functions and
avoid Godel incompleteness.
Constructive logic:
Logics in which a wff is true iff it is provable. Therefore,
undecidable truths (like Godel's G) are ruled out by
definition.
Intuitionistic logic:
Propositional logics (and their predicate logic extensions)
in which neither "p v ~p" nor "~~p -> p" are provable. They
accept disjunctions A v B as theorems only if one of the
disjuncts is separately provable: i.e. if either A or B.
They have the same rules of inference as classical logic.
Propositional connectives are undefined primitives.
Therefore, proofs by contradiction (like Godel's) are not
allowed.
>Does the names of Tarski (or Chaitin) evoke something to you?
Yes, nausea. :-(
>Have you ever read any serious proof of Gödel theorem?
http://www.ddc.net/ygg/etext/godel/godel3.htm
ON FORMALLY UNDECIDABLE PROPOSITIONS
OF PRINCIPIA MATHEMATICA AND RELATED
SYSTEMS I
by Kurt Gödel, Vienna
>Where on earth have you seen the axiom of infinity there
>(or in Peano axiom, or in the Principia you are so found
>(and so proud) of citing)?
First, Godel's theory is derived using PM's axioms.
Second, Whitehead & Russell freely admit that AOI is one
of the underlying assumptions in PM.
Third, Peano introduces the Axiom of Infinity as follows:
PA#5 (Induction):
Let there be a set N of natural numbers,
with the following properties:
I. 1 belongs to N.
II. If x belongs to N then so does x'.
Then N contains all the natural numbers.
Using unrestricted comprehension, Peano's 5th axiom "Let
there be a set N..." is equivalent to Cantor's Axiom
of Infinity. But, I ask, how can you be sure there
really is a set N such that... ?
Unrestricted comprehension (or abstraction) axiom was
originally introduced by Georg Cantor, the axiom states
that any predicate expression, P(x), which contains x as
a free variable, will determine a set whose members are
exactly those objects which satisfy P(x). The axiom gives
form to the intuition that any coherent condition may be
used to determine a set.
Nathan the Great
Age 12
------------------------------
From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Questions about stream cipher
Date: 23 Aug 2000 14:46:27 GMT
[EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Depends on how you use the index. If you have a HD with 4kb clusters
> you can seek to any cluster by using the LBA as the index into
> SEAL. That my friend is seeking.
No, it's not an index into SEAL; it's an index into something else
constructed using SEAL as a subcomponent. There's a difference.
[Snipped irrelevant analogy to disks.]
-- [mdw]
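The distinction Wooding draws is easiest to see in code: the cluster number is not fed into the cipher's internal state, it selects which independent keystream block a surrounding construction derives from (key, LBA). The following Python is an added illustration, not code from either poster. SEAL is not in the standard library, so HMAC-SHA256 in a counter construction stands in for a seekable (key, index) -> keystream primitive; CLUSTER_SIZE, the 8-cluster "disk" and the demo key are constructed for the example.

```python
import hashlib
import hmac

CLUSTER_SIZE = 4096  # 4 KB clusters, matching the disk analogy in the thread


def cluster_keystream(key: bytes, lba: int, length: int = CLUSTER_SIZE) -> bytes:
    """Keystream for one cluster, a function of (key, lba, counter) only.

    Assumption: HMAC-SHA256 in counter mode stands in for a seekable
    (key, index) -> keystream primitive such as SEAL. Any cluster's
    keystream is produced without generating the clusters before it,
    which is what makes the construction seekable.
    """
    out = bytearray()
    block = 0
    while len(out) < length:
        msg = lba.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_cluster(key: bytes, lba: int, plaintext: bytes) -> bytes:
    """XOR one cluster with the keystream selected by its LBA."""
    if len(plaintext) != CLUSTER_SIZE:
        raise ValueError("clusters are exactly CLUSTER_SIZE bytes")
    return xor_bytes(plaintext, cluster_keystream(key, lba))


decrypt_cluster = encrypt_cluster  # XOR with the same keystream undoes it


def seek_and_decrypt(key: bytes, encrypted_disk: dict, lba: int) -> bytes:
    """Decrypt a single cluster by LBA without touching any other cluster."""
    return decrypt_cluster(key, lba, encrypted_disk[lba])


def rewrite_leaks_xor(key: bytes, lba: int, old: bytes, new: bytes) -> bool:
    """The cost of a stateless keystream: rewriting the same LBA under the
    same key reuses the keystream, so the XOR of the two ciphertexts equals
    the XOR of the two plaintexts (a two-time pad). Returns True when that
    relation holds, i.e. when a deployment must re-key or version per write."""
    return xor_bytes(encrypt_cluster(key, lba, old),
                     encrypt_cluster(key, lba, new)) == xor_bytes(old, new)


if __name__ == "__main__":
    key = bytes(range(32))  # constructed demo key, not for real use
    disk = {lba: bytes([lba]) * CLUSTER_SIZE for lba in range(8)}  # constructed
    enc = {lba: encrypt_cluster(key, lba, data) for lba, data in disk.items()}
    print(seek_and_decrypt(key, enc, 5)[:4])
    print("rewrite of one LBA leaks plaintext XOR:",
          rewrite_leaks_xor(key, 2, disk[2], disk[3]))
```

The seek is the dictionary lookup plus one keystream derivation; nothing about cluster 5 depends on clusters 0 to 4. The last function is the caveat that comes with that convenience: because the keystream for an LBA is fixed by the key, every rewrite of a cluster reuses it, so a sector-level scheme needs per-write versioning or re-keying rather than a bare (key, LBA) index.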
------------------------------
From: [EMAIL PROTECTED] (Richard D. Latham)
Subject: Re: An interesting cryptographic problem
Date: 23 Aug 2000 09:57:05 -0500
[EMAIL PROTECTED] (Mark Currie) writes:
> Relying purely on access control mechanisms can often be problematic. A
> stronger method would be to encrypt the info in the database using a key
> derived from the user name and password (Kup). This method is a basic file
> encryption method. If there is shared database info, then one could create an
> additional user record which consists of a shared key encrypted using Kup. The
> shared key can be decrypted by the user and used to access shared database
> info.
>
> This is a very basic method, and it also may not be practical for you, but I
> merely wanted to show that by encrypting the data, you can provide much
> stronger access control.
>
> Mark
>
The problem with encrypting the data stored in the repository is that,
from a business perspective, "we put it in a database to make it easy
to find" :-)
IOWs, the business value derived from the existence of the data comes
from being able to aggregate pieces of it together, when the data
comes from different users/places.
So, if each user encrypts their rows with their own key, other users
can't use that data, and if the DBM encrypts the data, well, first of
all, you're back to square one <sigh>, and #2, AFAIK, fast indexing
methods that preserve the "natural ordering" of the data, yet allow
the indexes to also be encrypted don't exist.
--
#include <disclaimer.std> /* I don't speak for IBM ... */
/* Heck, I don't even speak for myself */
/* Don't believe me ? Ask my wife :-) */
Richard D. Latham [EMAIL PROTECTED]
------------------------------
From: "Tomas Rosa" <[EMAIL PROTECTED]>
Subject: Re: Crypto Coprocessor on Javacard
Date: Wed, 23 Aug 2000 12:35:34 +0200
snip
> >The GPK400 takes 1.4 seconds for verifying a 1024 bit RSA signature.
> >
>
> The asymmetry in the times suggests that the GPK400 has not been corrected
> for some of the more recent attacks on small public keys.
>
What kind of attack do you mean - could you point me to some papers?
thanks
Tom
> Mack
> Remove njunk123 from name to reply by e-mail
------------------------------
From: John Myre <[EMAIL PROTECTED]>
Subject: Re: What is required of "salt"?
Date: Wed, 23 Aug 2000 09:16:19 -0600
"David A. Wagner" wrote:
<snip>
> The fundamental problem is that today's password systems were built
> under a threat model that is no longer relevant.
Granted.
> Today, if you send a password over the network in the clear, it *will*
> be captured by eavesdroppers; if you force users to pick passwords, they
> *will* pick low-entropy secrets.
Yes, and yes.
> Neither of these realities matches well
> with storing password hashes in a world-readable file
Indeed not!
> or in requiring
> passwords for network access to computer systems.
Hm. This reads as though when you say "passwords" you mean
only the technique you described above: storing password
hashes in a world-readable file. I certainly agree that such
a system is rarely appropriate.
> Once you figure out your threat model, you can talk about what is the
> right technology. But my claim is that the threat model that passwords
> were designed for is just so rarely seen today in computing that passwords
> are typically the wrong tool for the job.
I think I'll repeat from an earlier post: what are your
thoughts on the so-called "strong password methods" like
SRP? Do you include them when you say "passwords are
typically the wrong tool for the job"? Are user-memorized
secrets usually hopeless, regardless of the cryptography?
JM
------------------------------
From: [EMAIL PROTECTED] (Will Janoschka)
Subject: Re: The DeCSS ruling and the big shots
Date: Wed, 23 Aug 2000 15:32:16 GMT
On Tue, 22 Aug 2000 19:34:19, [EMAIL PROTECTED] wrote:
-snip-
>
> The issue isn't the decision, it's the DMCA itself. (And some other
> legislation passed about the same time). If it's not a law the public
> wants, then it either needs to be changed by lobbying congress, or
> successfully challenged on constitutional grounds. (Which won't happen
> until a bit through the appeals process)
>
> --
> Matt Gauthier <[EMAIL PROTECTED]>
Yes Matt you are so right. Has the Library of Congress decided
yet if the DVD copy protection is exempt from this law?
------------------------------
From: Doug Kuhlman <[EMAIL PROTECTED]>
Subject: Re: rsasecurity or Certicom?
Date: Wed, 23 Aug 2000 10:09:40 -0500
Sergio Arrojo wrote:
>
> Hi
>
> my company is about to buy a software package to implement ECC for
> smart-cards. We are deciding between various offers: the package from
> Certicom, rsasecurity, Cryptovision (from Germany) and MIRACL. We actually
> don't know whether the quality difference is so big as the price difference
> is. Could somebody give us a reasoned recommendation, or at least a path to
> follow in order to decide which Software to buy.
>
I'm afraid that's too little detail. What speed do you need? Do you
need/want sourcecode? What about RAM/ROM trade-offs?
You should get, from each provider, a list of things that includes (and
not necessarily limited to):
Initialization time
Key exchange time (DH)
Signing time
Verify time
RAM requirements
ROM requirements
Are you using fixed curves/random curves or what? Lots of issues here.
Maybe just asking yourself these questions will help define what you
need/want.
Good luck,
Doug
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Questions about stream cipher
Date: Wed, 23 Aug 2000 15:38:35 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (Mark Wooding) wrote:
> [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> > Depends on how you use the index. If you have a HD with 4kb clusters
> > you can seek to any cluster by using the LBA as the index into
> > SEAL. That my friend is seeking.
>
> No, it's not an index into SEAL; it's an index into something else
> constructed using SEAL as a subcomponent. There's a difference.
>
> [Snipped irrelevant analogy to disks.]
tomato, tomahto.
Tom
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: rsasecurity or Certicom?
Date: Wed, 23 Aug 2000 15:39:46 GMT
In article <8o0n3t$ae$[EMAIL PROTECTED]>,
"Sergio Arrojo" <[EMAIL PROTECTED]> wrote:
> Hi
>
> my company is about to buy a software package to implement ECC for
> smart-cards. We are deciding between various offers: the package from
> Certicom, rsasecurity, Cryptovision (from Germany) and MIRACL. We actually
> don't know whether the quality difference is so big as the price difference
> is. Could somebody give us a reasoned recommendation, or at least a path to
> follow in order to decide which Software to buy.
>
> Thanks
> Sergio Arrojo
Why not ask the companies yourself? If they can't explain the benefit
of their product, perhaps they are not worth using.
BTW you forgot "Entrust" on your list... but perhaps they don't sell
ECC products, I am not sure off hand
Tom
------------------------------
From: "Adam Russell" <[EMAIL PROTECTED]>
Crossposted-To: sci.math,sci.physics
Subject: Re: My unprovability madness.
Date: Wed, 23 Aug 2000 08:54:07 -0700
<other logic systems snipped>
> Constructive logic:
> Logics in which a wff is true iff it is provable. Therefore,
> undecidable truths (like Godel's G) are ruled out by
> definition.
So would an undecidable statement be false and its negation also be false?
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Comment from Hardware Experts Please
Date: Wed, 23 Aug 2000 12:00:42 -0400
Guy Macon wrote:
> My first order estimation is that a good commercial DSP board would
> give you something on the order of a 10X increase in speed. It will
> cost a lot of money and use a lot of power, and would require a large
> software development effort.
Not necessarily. For under $1000 you can get a TI high-end DSP
development card (PCI) with complete development environment,
and its C compiler automatically makes excellent use of the DSP
hardware even before one starts manually tweaking the app.
You might also check out the Motorola AIM, which is designed
specifically to support (multi-channel independent) crypto
algorithms and has hardware specialized for such things.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: 1-time pad is not secure...
Date: Wed, 23 Aug 2000 12:10:13 -0400
Tim Tyler wrote:
> Even if events do not have predictable cause, there's still weird
> faster-than-the-speed-of-light, non-local happenings going on.
To the contrary, one has to invoke such "non-physical"
ideas like FTL or nonlocal causation only if one
stubbornly *insists* on underlying predictability.
Physics has found it much more productive to give
up underlying predictability than to wreak utter
havoc in the area of causation.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: help needed to break KRYPTOS
Date: Wed, 23 Aug 2000 12:21:00 -0400
[EMAIL PROTECTED] wrote:
> > ...could indicate that the method of
> > encipherment involved as its last stage finding the
> > ciphertext character at some coordinates (determined
> > by key and plaintext) within a normal sequence A..Z.
> may you give me a very brief example of it ??
Key ->    FRIE...
PT:       CT:
K         ABCD...
R         BCDE...
Y         CDEF...
P         DEFG...
...       ...
Enciphering plaintext PYR using key RIF yields ciphertext EEB.
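The tableau above is a Vigenère-style square whose rows are indexed by a mixed plaintext alphabet (K, R, Y, P, ...), whose columns are indexed by a mixed key alphabet (F, R, I, E, ...), and whose cells are read off the normal A..Z sequence: the ciphertext letter sits at position (plaintext index + key index) mod 26. The Python below is an added example, not code from the post. The post shows only the first four rows and columns, so both full alphabets are assumptions: they are filled in with the usual keyword rule (keyword letters first, then the rest of the alphabet), using "KRYPTOS" for the plaintext side and "FRIE" for the key side; only the four shown letters of each are needed to reproduce the PYR/RIF/EEB check.

```python
import string

CT_ALPHABET = string.ascii_uppercase  # ciphertext is read off the normal A..Z sequence


def keyed_alphabet(keyword: str) -> str:
    """Keyword letters first (repeats dropped), then the remaining letters in order."""
    seen = []
    for c in keyword.upper() + string.ascii_uppercase:
        if c.isalpha() and c not in seen:
            seen.append(c)
    return "".join(seen)


# Assumed alphabets (constructed): the post shows only rows K, R, Y, P and
# key columns F, R, I, E; the remainder of each is filled in by the keyword rule.
PT_ALPHABET = keyed_alphabet("KRYPTOS")  # rows:    K R Y P T O S A B ...
KEY_ALPHABET = keyed_alphabet("FRIE")    # columns: F R I E A B C D G ...


def tableau_row(pt_letter: str) -> str:
    """One row of the square: the ciphertext letter under each key column."""
    base = PT_ALPHABET.index(pt_letter.upper())
    return "".join(CT_ALPHABET[(base + j) % 26] for j in range(26))


def encipher(plaintext: str, key: str) -> str:
    """Ciphertext = normal alphabet at (plaintext index + key index) mod 26."""
    out = []
    for i, p in enumerate(plaintext.upper()):
        k = key.upper()[i % len(key)]
        coord = PT_ALPHABET.index(p) + KEY_ALPHABET.index(k)
        out.append(CT_ALPHABET[coord % 26])
    return "".join(out)


def decipher(ciphertext: str, key: str) -> str:
    """Inverse: plaintext index = (ciphertext index - key index) mod 26."""
    out = []
    for i, c in enumerate(ciphertext.upper()):
        k = key.upper()[i % len(key)]
        coord = CT_ALPHABET.index(c) - KEY_ALPHABET.index(k)
        out.append(PT_ALPHABET[coord % 26])
    return "".join(out)


if __name__ == "__main__":
    for row in "KRYP":
        print(row, tableau_row(row)[:4] + "...")
    print(encipher("PYR", "RIF"), decipher("EEB", "RIF"))
```

Working the post's check by hand: P is row 3 and R is column 1, 3 + 1 = 4 gives E; Y is row 2 and I is column 2, giving E again; R is row 1 and F is column 0, giving B. Changing the keyword passed to keyed_alphabet on either side changes the square without touching the enciphering rule, which is the point of separating the three alphabets.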
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Hidden Markov Models on web site!
Date: Tue, 22 Aug 2000 21:42:48 +0200
"Douglas A. Gwyn" wrote:
>
> Mok-Kong Shen wrote:
> > Can the HMM be used for predicting sequences?
>
> Sure. Baum-Welch-Eagon MLE can be thought of as "training"
> the model using that particular output string; then the
> model can be "run" to generate a synthetic output sequence
> with the same parameters that were fitted to the original
> actual data. If you preload the model state to match a
> particular (generally non-training) observed string, then
> when you run it it produces a MLE prediction for subsequent
> observations.
From what I read in this thread I got the (maybe wrong)
impression that the sequences dealt with are character
strings. Would HMM be powerful enough to deal with bit
strings (which are at a finer granularity) from some
not too bad PRNGs (to predict future output)? Thanks.
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Crossposted-To: comp.programming
Subject: Re: On pseudo-random permutation
Date: Wed, 23 Aug 2000 09:42:14 +0200
Tim Tyler wrote:
>
> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> : Tim Tyler schrieb:
> :> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> :>
> :> I observe that you omit any form of detection of collisions between the
> :> first components of B. Without such a check the result does not form a
> :> truly unbiased random permutation (on the assumption that the RNG is
> :> good).
>
> : That collision is to be resolved by the sorting process.
> : One has to decide on a resolution rule, though.
>
> No resolution in the sort routine can possibly produce an unbiased
> sequence.
>
> You can see this by a counting argument, after observing that n! doesn't
> usually divide exactly into 2^(n * x) very well [x is the width of the
> RNG output in bits].
I am not yet convinced. You have to consider from a probabilistic
point of view, i.e. consider a large number of occurrences
and the average effects. If A does not divide B, C*A can equal
to D*B.
M. K. Shen
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: The DeCSS ruling
Date: Wed, 23 Aug 2000 12:38:50 -0400
Jim Steuert wrote:
> What about just plain curiosity? Can that be a legal reason for
> reverse engineering?
Should it be? Suppose you're curious what's in somebody's
house -- should that be a legal excuse for entering without
permission?
Unfortunately this legal case seems to have involved both
a possible intent to cause malicious mischief or abet
criminal activity (theft), and the more intellectual issue
of right to attack cryptosystems. One way to look at the
latter is that the DVD vendors chose to use a difficult
puzzle (CSS) as their primary means of protecting their
rights to control use of their property. It's much like
depending on a lock to keep people out of one's house --
it keeps unskilled honest people out, but provides little
protection against skilled people and career criminals.
We use other means such as social and legal sanctions to
address the latter.
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Crossposted-To: comp.programming
Subject: Re: On pseudo-random permutation
Date: Wed, 23 Aug 2000 19:14:38 +0200
Mok-Kong Shen wrote:
>
> Tim Tyler wrote:
> >
> > Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> > : Tim Tyler schrieb:
> > :> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> > :>
> > :> I observe that you omit any form of detection of collisions between the
> > :> first components of B. Without such a check the result does not form a
> > :> truly unbiased random permutation (on the assumption that the RNG is
> > :> good).
> >
> > : That collision is to be resolved by the sorting process.
> > : One has to decide on a resolution rule, though.
> >
> > No resolution in the sort routine can possibly produce an unbiased
> > sequence.
> >
> > You can see this by a counting argument, after observing that n! doesn't
> > usually divide exactly into 2^(n * x) very well [x is the width of the
> > RNG output in bits].
>
> I am not yet convinced. You have to consider from a probabilistic
> point of view, i.e. consider a large number of occurrences
> and the average effects. If A does not divide B, C*A can equal
> to D*B.
If the collision resolution is chosen such that the first
element of the pair is always considered less than the
second, then indeed there is a bias. The effect is however
dependent on the chance of collision, which is practically
negligible when the space of the random numbers is large,
e.g. 32 bits. One can on the other hand use a random
choice rule to resolve collision, in which case no bias
can occur.
M. K. Shen
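Both halves of this exchange can be checked by enumeration: Tyler's counting argument (n! does not divide 2^(n*x), so a fixed tie rule must favour some permutations) and Shen's two points (the bias shrinks as the RNG width x grows, and a random tie rule removes it). The Python below is an added example, not code from either poster. The tag-and-sort procedure, the "first element wins" rule and the random-tie rule (a Fisher-Yates shuffle within each group of equal tags) are my reading of the thread; n = 3 and the small widths x are chosen so that the 2^(n*x) RNG outputs can be enumerated exhaustively.

```python
import itertools
import random
from collections import Counter


def perm_by_sorting_first_wins(r):
    """Tag element i with random number r[i] and sort by tag; on a tie the
    earlier element is always considered smaller (the fixed, biased rule)."""
    return tuple(sorted(range(len(r)), key=lambda i: (r[i], i)))


def perm_by_sorting_random_ties(r, rng):
    """Same sort, but each group of tied tags is shuffled uniformly with
    Fisher-Yates, so no fixed rule favours any ordering."""
    order = sorted(range(len(r)), key=lambda i: r[i])
    result, i = [], 0
    while i < len(order):
        j = i
        while j < len(order) and r[order[j]] == r[order[i]]:
            j += 1
        group = order[i:j]
        for a in range(len(group) - 1, 0, -1):
            b = rng.randrange(a + 1)
            group[a], group[b] = group[b], group[a]
        result.extend(group)
        i = j
    return tuple(result)


def exhaustive_distribution(n, x):
    """Tyler's counting argument made concrete: run the first-wins rule over
    every one of the 2^(n*x) possible RNG outputs and count each permutation."""
    counts = Counter()
    for r in itertools.product(range(2 ** x), repeat=n):
        counts[perm_by_sorting_first_wins(r)] += 1
    return counts


def simulated_distribution(n, x, trials, seed=1):
    """Monte Carlo for the random-tie rule; seeded so the run is reproducible."""
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(trials):
        r = [rng.randrange(2 ** x) for _ in range(n)]
        counts[perm_by_sorting_random_ties(r, rng)] += 1
    return counts


def max_min_ratio(counts):
    """1.0 means every permutation was produced equally often."""
    return max(counts.values()) / min(counts.values())


if __name__ == "__main__":
    # Fixed rule: with 2-bit tags the identity order wins 20 of 64 cases and
    # the reversed order only 4; with 4-bit tags the ratio is already smaller.
    for x in (2, 4):
        print("first-wins, x =", x, "max/min =", max_min_ratio(exhaustive_distribution(3, x)))
    # Random tie rule with 1-bit tags (ties almost every time): close to 1.0.
    print("random ties, x = 1, max/min =", max_min_ratio(simulated_distribution(3, 1, 60000)))
```

With n = 3 and x = 2 the fixed rule yields the identity 20 times, the reversal 4 times and each other permutation 10 times out of 64, a 5:1 spread; at x = 4 the spread has fallen to 816:560, and at 32 bits collisions are rare enough that the spread is negligible in practice, as Shen says. The random-tie version is uniform even at x = 1, where almost every draw contains a tie. A Fisher-Yates shuffle applied directly to the elements gives the same uniform result with one random draw per element and no sort at all.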
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Steganography vs. Security through Obscurity
Date: Wed, 23 Aug 2000 19:15:02 +0200
[EMAIL PROTECTED] wrote:
>
> I maintained that one of the differences between the two is that
> strong cryptography doesn't need obscurity. However, every system
> I've seen for steganography requires some obscurity. If the algorithm
> is known, then the steganography can be defeated.
>
> In other words, security through obscurity is a requirement for
> steganography.
Strong cryptography doesn't need obscurity or else it
is (by definition) not strong. One commonly refers to
keeping the encryption algorithm secret as 'security
through obscurity' in context of cryptography in the
narrow sense (which excludes steganography).
Steganography attempts to hide the presence of secret
information and hence IS one form of 'security through
obscurity'.
M. K. Shen
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************