Cryptography-Digest Digest #450, Volume #12 Tue, 15 Aug 00 13:13:00 EDT
Contents:
Re: Crypto Related Professional Attitude (James Felling)
Re: Crypto Related Professional Attitude (James Felling)
Re: OTP using BBS generator? (Mark Wooding)
Re: Impossible Differentials of TC5 (James Felling)
Re: Impossible Differentials of TC5 (tomstd)
Re: Not really random numbers (James Felling)
Re: OTP using BBS generator? (Terry Ritter)
Re: What is up with Intel? (Anthony Stephen Szopa)
Re: New quantum computer - any details? (Stanley Chow)
Re: Car Radio Code Encryption. ("Tomas Rosa")
Re: OTP using BBS generator? (Terry Ritter)
Re: OTP using BBS generator? (Mark Wooding)
Re: Not really random numbers (Anthony Stephen Szopa)
Best Enigma Book ("David C. Barber")
Re: New quantum computer - any details? ("Ed Suominen")
Re: 1-time pad is not secure... (Darren New)
Re: Unauthorized Cancel Messages (Darren New)
----------------------------------------------------------------------------
From: James Felling <[EMAIL PROTECTED]>
Subject: Re: Crypto Related Professional Attitude
Date: Tue, 15 Aug 2000 10:14:53 -0500
> <snip>
>
> What have I done that is so deserving of being shunned?
>
> Am I that stupid, mean or pompus?
>
> What did I do wrong?
>
> Tom
>
It is not a personal thing.
There are a lot of cranks here -- if you think about it, you can probably
think of at least a few names. When a BNC (big name cryptographer) hits
the board they are a giant crank magnet, and frankly that discourages
their participation.
------------------------------
From: James Felling <[EMAIL PROTECTED]>
Subject: Re: Crypto Related Professional Attitude
Date: Tue, 15 Aug 2000 10:32:42 -0500
> <snip>
>
> Kill file?
He tried that, but cranks can use hotmail, etc., and "rotate" out of
people's kill files. It is easier to leave someone's kill file than it is
to continually screen cranks.
>
> <snip>
>
> Well for starters the break on TC5. I don't get how it actually
> works, but noone seemed to help there... I know it takes time
> but if you say something like "I broke your cipher using ..."
> you had better be able to explain it.
Anyone who claims a break should HAVE to explain it, otherwise it isn't
a break.
>
>
> >I think we have some serious minds in the above list that really do
> >justice to topics discussed on sci.crypt.
> >
> >> No offense but you claim to be active in crypto, and honestly you
> >> guys know way more than most of us (including me). So why not
> >> post from time to time excluding posts to plug your papers?
> >>
> >> It seems like there are a lot of arrogant professionals in the
> >> world.
> >
> >Looking at some of your previous posts, perhaps they could turn it
> >around and call you an arrogant newbie. Some of your questioning
> >of "those more experienced" has been impolite at best...
>
> I admit when I was new to this group I was a bit rude, but for
> a few months I think I have been rather helpful and on key.
Yep. Most of the time I really enjoy your postings, they are
interesting, on topic, and seem to be well thought out, though on
occasion you have a tendency to react in a more hostile manner than
perhaps the situation merits.
> <snip>
>
> This is what I am talking about. You pompous jerk, as if I
> don't do other things in my life but post to sci.crypt. Sure I
> am not running a university but posting here only takes a few
> mins a day.
For me my posting / reading takes me about 1-2 hrs/day, and email takes
another hour or so, and then I work 8 hours a day, sleep 8 hours a day,
eating is about 2 hours a day, and my wife/family gets the rest of my
time (3-4 hours a day). I am not a terribly busy man, I don't have
anywhere near the responsibilities or work load that the big names do.
I can afford the time to post and more importantly the time to keep up on
threads. They may have the time to post, but get a week behind or so,
and catching up is nigh impossible.
(P.S. Calling people "jerks" or otherwise insulting them does nothing
but rob your position of credibility. Discuss the issues at hand, and
avoid personal attacks -- it makes the argument flow better)
>
>
> Also why don't those dudes post here to discuss their findings?
> Instead they just plug their work once and a while. Wow they
> SPAM this group that's nice.
>
> Tom
>
------------------------------
From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: OTP using BBS generator?
Date: 15 Aug 2000 15:06:47 GMT
Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> In that case, I wonder, since one is using the LSB, what is the sense
> of disputing long vs. short cycles. (We have NO idea at all of the
> probability of getting cycles of LSB of any given magnitudes. Is that
> right?)
We know that finding cycles *of the LSB* is no easier than factoring!
> > No. The proof of unpredictability is a two-step thing:
> >
> > * firstly, it shows that, if you can predict a BBS generator with
> > probability 1/2 + \epsilon then you can also decide quadratic
> > residuosity with probability 1/2 + \epsilon;
> >
> > * and secondly, it gives a simple algorithm for `amplifying' advantage
> > in deciding quadratic residuosity so that small biases can be used
> > to efficiently solve QRP completely, in expected polynomial time.
>
> Does that refer to the LSB?
Yes.
> I guess that this is certainly the case. But then how can it be that
> there is a 'gap' mentioned above without causing any consequences in
> the proof of the unpredictability of LSB? Note what I wrote in
> parentheses.
Either finding such cycles, by accident or malice, is negligibly
difficult, or factoring is surprisingly easy. There is no `gap'.
> Again, what is then the sense of arguing about long vs. short
> cycles?
The `don't check' people know that checking is redundant because we have
the reduction to factoring which says that prediction is impractical for
large n.
Terry doesn't agree, but doesn't have any analysis of LSB period to back
him up.
> So it means that you only need to prove the unpredictability and the
> statistical perfectness 'automatically' follows. Is that correct?
Yes. Strictly, *any* advantage in predicting the output of a BBS
generator is a polynomially-amplifiable advantage in solving a problem
we assume is hard.
> A tiny toy example of mine indicates, however, that LSB of BBS could
> have poor statistical properties, though unfortunately the size of the
> example doesn't allow much to be said concretely/strongly.
That's because your modulus is too small. Your test is (and cannot be)
polynomial time, and allows you to factor the toy modulus. But we know
that's easy anyway, so the test tells us nothing new.
-- [mdw]
------------------------------
From: James Felling <[EMAIL PROTECTED]>
Subject: Re: Impossible Differentials of TC5
Date: Tue, 15 Aug 2000 10:40:45 -0500
> <snip>
Impossible differentials do NOT "FIND KEYS" they allow one to eliminate
possible keys. This process will eventually result in all keys but the
correct one being eliminated.
------------------------------
Subject: Re: Impossible Differentials of TC5
From: tomstd <[EMAIL PROTECTED]>
Date: Tue, 15 Aug 2000 09:12:51 -0700
James Felling <[EMAIL PROTECTED]> wrote:
>> <snip>
>
>Impossible differentials do NOT "FIND KEYS" they allow one to eliminate
>possible keys. This process will eventually result in all keys but the
>correct one being eliminated.
Ok still at some point you must attack the 64/32/16 bit
feistels. I want to know how you do that please.
Tom
------------------------------
From: James Felling <[EMAIL PROTECTED]>
Subject: Re: Not really random numbers
Date: Tue, 15 Aug 2000 11:30:21 -0500
Anthony Stephen Szopa wrote:
> James Felling wrote:
> >
> > Anthony Stephen Szopa wrote:
> >
> > > Jamie wrote:
> > > >
> > > > In the UK pre-pay phone cards are big business... you buy a card, reveal a
> > > > number, key the number to a phone system and you have so much talk time. I
> > > > am working on an application in a similar field... and of course the issue of
> > > > generating these numbers has come up once again. I need ideas for a number
> > > > generator that satisfies the following conditions:
> > > >
> > > > 1 The magnitude of the generated numbers can be specified, 2^30, 2^35,
> > > > 2^40... 2^90
> > > >
> > > > 2 The period must be greater than 2^^20
> > > > (So numbers generated don't repeat)
> > > >
> > > > 3a Given a short fragment of the sequence it must be difficult to deduce the
> > > > next number in sequence
> > > > 3b Given one number it must be unlikely that another number is both close in
> > > > value and close in position in the sequence
> > > > (vague but I guess I mean that a "hacker" won't succeed randomly guessing the
> > > > next number)
> > > >
> > > > 4 The sequence must be re-startable.
> > > >
> > > > 5 No need for an even distribution or anything like that.
> > > >
> > > > My starting point was an algorithm like
> > > >
> > > > Nn+1=(P1*Nn+P2) mod P3
> > > >
> > > > P1,2,3 are primes P3 determining the magnitude of the numbers generated
> > > >
> > > > Nn+1 the next number in the sequence
> > > >
> > > > But this seems to be full of holes.
> > > >
> > > > any ideas on an algo ?
> > >
> > > Go to http://www.ciphile.com and download OAR-L3: Original
> > > Absolutely Random - Level3 random number generator shareware
> > > software.
> > >
> > > Go to the Downloads Currently Available web page and download the
> > > software directly. You will be able to generate more random numbers
> > > than you could conceivably ever need.
> > >
> > > If used according to recommendations there is practicably no chance
> > > anyone will be able to duplicate your random numbers.
> > >
> > > If you think you could use this software commercially, email me.
> > >
> > > A.S.
> >
> > Unless you have a desire for keysetup to take a truly ridiculous amount of time
> > (realistically obtaining the level of internal randomness you desire is possible,
> > but this will take approximately 1/2 to 1 full hour of your time per keysetup)
> > OAP/OAR are not worth your while, and are in all probability slower than an
> > optimized BBS generator.
>
> This reply post has a glimmer of intelligence within it.
>
> It may take an hour or even more to generate a suitable initial
> encryption data file key using OAP-L3 that will be used to generate
> the initial (and secure) encryption Data FILE.
>
> (You need to be familiar with the software and how it generates its
> random numbers to understand this process. Also consider that with
> each subsequent generation of an encryption data file from a previous
> encryption data file, the complete key continues to become longer
> and longer (and increasingly more secure) since it builds on the
> previous key(s).)
>
> But once you do so, a subsequent encryption Data FILE can be
> generated from this now secure initial encryption Data FILE, and any
> other subsequent encryption Data FILES can be generated from the
> previously generated encryption Data FILE, thus each subsequent
> encryption Data FILE after this initial one will be much less time
> consuming to generate.
I must state this. Files of this nature can be manufactured by other PRNGs. They
will be manufactured as quickly if not more so, and as securely, if not more so. May I
suggest an appropriately tweaked RC4, or BBS for your use. The issue is it will take ~1
hour of operator time to start generating good data with your mechanism, and it will
also take more than a bit of time after that to actually generate the numbers. OTOH,
it will take 1 minute to setup a good RC4 generator, and it will have generated a
reasonable quantity of data (equivalent to your files) in under a half hour. (I think
the fact that it takes less of MY time, and is done before OAP/OAR gets started is a
HUGE advantage.) BBS is slower, but substantially more secure. It will probably take
5 minutes of my time to setup, and generate an amount of data sufficient to be useful
in several hours. This is speed wise competitive with your system, and is going to be
more secure than your system in general.
>
>
> The current implementation requires that you generate all your OTP
> files before you encrypt. You could generate many many gigabytes of
> random data files and store them while your computer is not being
> used for anything else, such as while you are sleeping.
Ummm... given you are using a stream cypher compare it with other stream cyphers -- the
big issue is speed of generation.
>
>
> As far as speed of encryption goes, the actual encryption may
> actually be the fastest of any encryption software. It only
> involves XORing the original data file with the random number files.
> Since the random number files have already been generated this
> process is quite fast.
RC4, BBS, and all others when saved to files encrypt just as fast as your method -- The
issue for the user is fourfold:
1) how much of my (the user's) time do I wish to invest (ideally as little as possible)
2) how much computer time do I wish to invest (ideally as little as possible)
3) how much space on my machine / the remote machine do I want to use for this
(ideally as little as possible)
4) how long is key data going to be lurking in an available form in my/remote PC
(ideally for as short a period as possible)
versus RC4 you lose on all 4 points.
versus BBS you lose on points 1, 3, 4 and cannot deliver security with an equivalent
degree of confidence.
You have a second rate stream cypher -- it is slower than most BLOCK algorithms. I
admit that using large "random files" will give a speed enhancement, but they add
secondary points of attack to your algorithm, and any other stream cypher, and most
block cyphers can do the same trick faster.
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: OTP using BBS generator?
Date: Tue, 15 Aug 2000 16:47:36 GMT
On 15 Aug 2000 12:16:43 GMT, in <[EMAIL PROTECTED]>,
in sci.crypt [EMAIL PROTECTED] (Mark Wooding) wrote:
>Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>[...]
>> (3) Does the 'check' being disputed really prevent a certain
>> lower bound of the cycle lengths of the LSB sequences
>> (not the direct output of the congruence relation) of
>> being inadvertently 'under-run' or does the check only
>> do that in a probabilistic sense (i.e. with certain
>> probability not equal to 1)? What is that lower bound
>> actually (in relation to p and q)?
>
>It doesn't do anything of the kind.
That's a wrong answer: The construction as described in BB&S first
guarantees that cycles of a given length must exist, and then shows
how to check that x0 is on such a cycle. The check is thus absolute
proof that a short cycle has not been selected.
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
From: Anthony Stephen Szopa <[EMAIL PROTECTED]>
Subject: Re: What is up with Intel?
Date: Tue, 15 Aug 2000 09:46:52 -0700
tomstd wrote:
>
> On page four of the IntelRNG.pdf from cryptography.com they said
> intel is patentning the von neuman rejector i.e with [0,0] and
> [1,1] output nothing, output 0 for [1,0] and 1 for [0,1] which
> hopefully lowers bias towards any given bit.
>
> This idea is what 50 years old? How on earth can Intel patent
> it?
>
> Tom
>
There is a criterion under which you can patent an old idea if it is for
a new use.
For instance, someone may have patented aspirin again because they
found that by feeding it to pigs, the pigs showed significant gains
in weight. More weight more pork more meat more food more sales
more money more profit, etc.
This is an example of a new use.
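The pair-rejection step tomstd quotes above, as an added example in Python (not code from the thread or from Intel's documentation), run over a constructed biased bit sequence, plus the caveat that the argument assumes independent input bits:

```python
"""Von Neumann pair rejection: drop (0,0) and (1,1), map (1,0) -> 0, (0,1) -> 1."""


def von_neumann_extract(bits):
    # Consume the input two bits at a time. Equal pairs say nothing about which
    # value the source favours and are discarded; unequal pairs become one output
    # bit. If the source bits are independent with P(1) = p, both unequal pairs
    # occur with probability p*(1-p), so each output bit is exactly unbiased,
    # whatever p is. Expected yield is p*(1-p) output bits per input bit.
    out = []
    for i in range(0, len(bits) - 1, 2):
        a, b = bits[i], bits[i + 1]
        if a != b:
            out.append(0 if a == 1 else 1)
    return out


def bias(bits):
    # Fraction of ones; 0.5 means unbiased. None for an empty sequence.
    return sum(bits) / len(bits) if bits else None


# Constructed sample (not measured data): 20 bits, 13 of them ones (65% bias).
SAMPLE = [1, 0, 1, 1, 0, 1, 1, 0, 1, 1, 1, 1, 0, 0, 1, 0, 0, 1, 1, 1]

# Caveat: the unbiasing argument needs independence. A correlated source that
# simply alternates produces nothing but (0,1) pairs, i.e. a constant output.
CORRELATED = [0, 1, 0, 1, 0, 1]

if __name__ == "__main__":
    print(bias(SAMPLE), von_neumann_extract(SAMPLE))          # 0.65 [0, 1, 0, 0, 1]
    print(von_neumann_extract(CORRELATED))                     # [1, 1, 1]
```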
------------------------------
From: Stanley Chow <[EMAIL PROTECTED]>
Subject: Re: New quantum computer - any details?
Date: Tue, 15 Aug 2000 16:53:46 GMT
There is (a little) more detail at
http://live.altavista.com/e?efi=980&ei=2087325&ern=y
Stanley Chow wrote:
>
> According to "The Register", see
> http://www.theregister.co.uk/content/1/12589.html there is a new
> 5 bit quantum computer. Any details? I could not find anything on
> the IBM site.
--
Stanley Chow VP Engineering [EMAIL PROTECTED]
Cloakware Corp (613) 271-9446 x 223
------------------------------
From: "Tomas Rosa" <[EMAIL PROTECTED]>
Subject: Re: Car Radio Code Encryption.
Date: Tue, 15 Aug 2000 10:33:02 +0200
"No Name" <[EMAIL PROTECTED]> wrote in message
news:Jc$D$[EMAIL PROTECTED]...
> Hi,
> I have an encryption problem as follows.
>
> A sequence of four number digits is converted to a sequence of two hex
> bytes.
>
> For example, 1737 is converted to 69AB
> That is the first byte is hex69 and the second byte is hexAB
>
> I know that isn't much to go on but thats all I have.
snip
If you have access to an oracle which, for a four-digit challenge x
= (abcd), gives you the response y = E(x) = (efgh), then simply try all
those x's from x = (0000) to x = (9999) until you see the desired output
value y = (3A0D). Then the actual value of x will be just what you want to
know.
This kind of problem (due to the small input space and probably easy access
to the oracle described above) doesn't deserve any deeper analysis.
Tom
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: OTP using BBS generator?
Date: Tue, 15 Aug 2000 16:55:17 GMT
On 15 Aug 2000 15:06:47 GMT, in <[EMAIL PROTECTED]>,
in sci.crypt [EMAIL PROTECTED] (Mark Wooding) wrote:
>Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>[...]
>> Again, what is then the sense of arguing about long vs. short
>> cycles?
>
>The `don't check' people know that checking is redundant because we have
>the reduction to factoring which says that prediction is impractical for
>large n.
>
>Terry doesn't agree, but doesn't have any analysis of LSB period to back
>him up.
I would say that I do have such an analysis, and it does back me up:
If we use the BB&S construction, we are *guaranteed* not to use a
short cycle. If we don't, then we are just very, very *unlikely* to
use a short cycle. To me, the distinction is the essence of what we
want from a proof of strength. If we were willing to accept a little
weakness here and there, it seems unlikely that we would have much
interest in cryptographic proof.
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: OTP using BBS generator?
Date: 15 Aug 2000 16:54:32 GMT
Terry Ritter <[EMAIL PROTECTED]> wrote:
> That's a wrong answer: The construction as described in BB&S first
> guarantees that cycles of a given length must exist, and then shows
> how to check that x0 is on such a cycle. The check is thus absolute
> proof that a short cycle has not been selected.
No, it only shows the cycle length for the sequence <x_i>, not the
sequence of parity bits.
-- [mdw]
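An added worked example (my code, not from either poster) that makes the two positions in this exchange concrete on a toy modulus n = 7*11: the check Terry describes establishes the period of the state sequence <x_i>, while, as Mark notes, the parity-bit sequence can have a shorter period. The helper names, the seed values and the modulus are my choices; the modulus is far too small for real use and only serves to make the periods visible.

```python
"""Toy Blum-Blum-Shub: period of <x_i> vs. period of its LSBs, and a seed check."""
from functools import reduce
from math import gcd


def factorize(m):
    # Trial division: adequate for the toy sizes used here.
    f, d = {}, 2
    while d * d <= m:
        while m % d == 0:
            f[d] = f.get(d, 0) + 1
            m //= d
        d += 1
    if m > 1:
        f[m] = f.get(m, 0) + 1
    return f


def carmichael(m):
    # Carmichael's lambda(m): the exponent of the multiplicative group mod m.
    parts = [2 ** (e - 2) if p == 2 and e >= 3 else (p - 1) * p ** (e - 1)
             for p, e in factorize(m).items()]
    return reduce(lambda a, b: a * b // gcd(a, b), parts, 1)


def divisors(m):
    return [d for d in range(1, m + 1) if m % d == 0]


def state_period(x0, p, q):
    # x_i = x0^(2^i) mod n, so x_i == x0 exactly when 2^i == 1 mod ord(x0); the
    # period is therefore ord(2) mod ord(x0), which divides lambda(lambda(n)).
    # Scanning the divisors of lambda(lambda(n)) upwards yields the exact period.
    # x0 must be a quadratic residue mod the Blum integer n so that ord(x0) is odd.
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    if gcd(x0, n) != 1:
        raise ValueError("x0 shares a factor with n")
    for d in divisors(carmichael(lam)):
        if pow(x0, pow(2, d, lam), n) == x0:
            return d
    raise ValueError("x0 is not a quadratic residue mod n")


def lsb_period(x0, p, q):
    # The parity bits repeat every state period, so their own period is the
    # smallest divisor of the state period under which the bit pattern repeats.
    n, pi = p * q, state_period(x0, p, q)
    bits, x = [], x0
    for _ in range(pi):
        bits.append(x & 1)
        x = x * x % n
    for d in divisors(pi):
        if all(bits[i] == bits[i % d] for i in range(pi)):
            return d


def check_seed(seed, p, q, min_period):
    # The disputed check, applied to the state sequence only: accept
    # x0 = seed^2 mod n iff <x_i> has period >= min_period. It says nothing
    # about how long the LSB cycle is.
    n = p * q
    x0 = seed * seed % n
    return gcd(x0, n) == 1 and state_period(x0, p, q) >= min_period


if __name__ == "__main__":
    P, Q = 7, 11                       # toy Blum primes (both 3 mod 4)
    for seed in (3, 45):
        x0 = seed * seed % (P * Q)
        print(seed, x0, state_period(x0, P, Q), lsb_period(x0, P, Q),
              check_seed(seed, P, Q, min_period=4))
```

With seed 3 (x0 = 9) both the state cycle and the LSB cycle have length 4; with seed 45 (x0 = 23) the state cycle has length 2 but the LSB output is constant, so a period bound on <x_i> alone does not bound the period of the bits.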
------------------------------
From: Anthony Stephen Szopa <[EMAIL PROTECTED]>
Subject: Re: Not really random numbers
Date: Tue, 15 Aug 2000 09:53:24 -0700
Eric Lee Green wrote:
>
> Anthony Stephen Szopa wrote:
> > True: the software is deterministic once you give it truly random
> > input. If you know the truly random input you have the key and can
> > run the software and generate the same random numbers as the user.
> > Duuuhhh?
>
> Mr. Szopa, I don't think anybody quibbles on that point. On the other
> hand, there are various other attributes which are useful for a
> pseudo-random number generator: 1) Unpredictability. Given an output
> value or sequence of output values, for the generator, you cannot
> predict what the next output value will be. 2) Resistance to
> backtracking attacks. Given an output value or sequence of output
> values, you cannot predict what previous output values may have been. 3)
> Resistance to meet-in-the-middle attacks. Given two output sequences on
> either side of a unknown sequence of output values, you still have only
> a blind guess chance of guessing that unknown sequence of output values.
> There are more, but I think you are getting the picture -- it is not
> merely randomness that is desirable for the output of a cryptographic
> quality PRNG, it is *unpredictability*.
>
> A moron can create a pseudo-random number generator that passes basic
> statistical tests for randomness, and many morons have done so, some of
> whom even sell their snake oil to unsuspecting souls. Writing a good
> cryptographic-quality PRNG is not, however, easy -- I've done it myself
> in the past, after careful reading of the literature and careful
> examination of other cryptographic-quality PRNG's, and even after that
> hard work and research there are *still* some known attacks on my PRNG
> (though none that are fatal for my particular application -- they all
> require root access on the Unix box where my application is installed,
> and given that the whole point of the involved code is to prevent people
> from GETTING root access....).
>
> --
> Eric Lee Green There is No Conspiracy
> [EMAIL PROTECTED] http://www.badtux.org
I think it can be shown that OAP-L3 meets these three criteria.
------------------------------
From: "David C. Barber" <[EMAIL PROTECTED]>
Subject: Best Enigma Book
Date: Tue, 15 Aug 2000 09:56:20 -0700
What is the current best book on Enigma?
It would be nice if it is still in print. :^)
*David Barber*
------------------------------
From: "Ed Suominen" <[EMAIL PROTECTED]>
Subject: Re: New quantum computer - any details?
Date: Tue, 15 Aug 2000 10:05:20 -0700
"Stanley Chow" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> There is (a little) more detail at
> http://live.altavista.com/e?efi=980&ei=2087325&ern=y
Quote from the article:
"This phenomenon permits a quantum computer to have enormous power,
Chuang said. For certain types of calculations, like complex algorithms for
cryptography or searches -- a quantum computer using several hundred more
atoms in tandem would be able to perform billions of calculations at the
same time."
Time for bigger keys or a switch to GF(p) ECC, methinks...
--
Ed Suominen
Registered Patent Agent
Web Site: http://eepatents.com
PGP Public Key: http://eepatents.com/key
------------------------------
From: Darren New <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: 1-time pad is not secure...
Date: Tue, 15 Aug 2000 17:05:42 GMT
Tim Tyler wrote:
> Except that it doesn't say any such thing. Completely deterministic
> interpretations of quantum theory exist, namely - for example - the MWI.
Just out of curiosity, what determines which branches "you" have taken in
the MWI? (By "you" I mean the person reading this post.) Isn't that where
the randomness is?
--
Darren New / Senior MTS & Free Radical / Invisible Worlds Inc.
San Diego, CA, USA (PST). Cryptokeys on demand.
"Do not install air conditioner in room with
inconvenient or hypnotic persons."
------------------------------
From: Darren New <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Unauthorized Cancel Messages
Date: Tue, 15 Aug 2000 17:09:01 GMT
fvw wrote:
> Hmm, come to think of it, all these cases should
> really delete both entries in the group headers list as the bodies,
but not the References: headers in other messages in the same group, which
may be what causes this message too.
--
Darren New / Senior MTS & Free Radical / Invisible Worlds Inc.
San Diego, CA, USA (PST). Cryptokeys on demand.
"Do not install air conditioner in room with
inconvenient or hypnotic persons."
------------------------------
End of Cryptography-Digest Digest