Cryptography-Digest Digest #771, Volume #12 Mon, 25 Sep 00 15:13:00 EDT
Contents:
Re: Why is TwoFish better than Blowfish? (Paul Schlyter)
Re: Big CRC polynomials? ("Kasper Pedersen")
Letter substitution decoder (mls)
Re: Software patents are evil. (Jerry Coffin)
Re: Software patents are evil. (Jerry Coffin)
Re: CDMA tracking (was Re: GSM tracking) (mls)
Re: 128-bit Secure LFSR ("Cristiano")
Re: What am I missing? ("Joseph Ashwood")
sigh, AES (dbt)
Re: Tying Up Loose Ends - Correction (Bryan Olson)
Re: sigh, AES (Quisquater)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (Paul Schlyter)
Subject: Re: Why is TwoFish better than Blowfish?
Date: 25 Sep 2000 19:08:05 +0200
In article <[EMAIL PROTECTED]>,
SCOTT19U.ZIP_GUY <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] (Runu Knips) wrote in
> <[EMAIL PROTECTED]>:
>
>>Tom St Denis wrote:
>>> In article <[EMAIL PROTECTED]>,
>>> Albert Yang <[EMAIL PROTECTED]> wrote:
>>>> "David C. Barber" wrote:
>>>>> TwoFish is newer, and I would think better, than BlowFish (unless
>>>>> the AES requirements required a worse cipher), but I've never seen
>>>>> a list of reasons just why.
>>
>>In fact, the main reason why Twofish is better than Blowfish is NOT
>>improved security. Blowfish is a pc cipher, and Twofish is a general
>>cipher. Twofish offers key agility, while Blowfish doesn't. Twofish
>>can be implemented in relatively slow resource environments, while
>>Blowfish always requires >4KB of key schedule data.
>
> Having known people who know the man who designed Blowfish or
> Twofish leads me to believe both ciphers are most likely broken by
> the NSA before they were introduced to the public. At least these
> are my feelings about these fishy ciphers. It seems like NSA humour
> to give both ciphers FISHY names.
> But since the idea of a cipher is security, it is plain stupid to
> say Twofish is better than Blowfish because Blowfish is a PC cipher.
> If one has a PC and is sending messages to someone with a PC, then why
> use a cipher that, because of its ability to be run on many machines,
> would expose it to more attacks?
If you don't want the cipher to be exposed, you should definitely not
implement it on PCs, since they are around everywhere. The number of
PCs in the world is only somewhat smaller than the number of computers
of any kind...
Also: designing a piece of software to be non-portable is generally
not a good idea.
> Even if they algorithmically had
> the same level of security, which can't be proved anyway.
--
================================================================
Paul Schlyter, Swedish Amateur Astronomer's Society (SAAF)
Grev Turegatan 40, S-114 38 Stockholm, SWEDEN
e-mail: pausch at saaf dot se or paul.schlyter at ausys dot se
WWW: http://hotel04.ausys.se/pausch http://welcome.to/pausch
------------------------------
From: "Kasper Pedersen" <[EMAIL PROTECTED]>
Subject: Re: Big CRC polynomials?
Date: Mon, 25 Sep 2000 20:23:35 +0200
"Scott Fluhrer" <[EMAIL PROTECTED]> wrote in message
news:8qnm41$a56$[EMAIL PROTECTED]...
> Errr, no. As I demonstrated on another thread (I'll restate the proof if
> you're interested), no CRC-like algorithm that has a finite output, and
> works on arbitrarily long inputs can catch all 2 bit errors.
"will always catch n errors within a window of length m"
I did not state that m could be arbitrarily large. Of course, when your
message size (specifically the size of the payload that can contain errors)
exceeds m of the chosen polynomial, you're in the weeds.
Again: A properly chosen example polynomial can detect 2 errors within a 64
bit window with 100% certainty, and any number of errors within an 8 bit
window.
A bytewise XOR sum can detect any number of errors within an 8 bit window
too, but not always 2 errors within a 64 bit window.
I DO NOT claim that any CRC will catch all 2 bit errors in an arbitrarily
sized window.
/Kasper
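The window argument above can be checked exhaustively. The following is an added example (my code, not anything posted in this thread): it takes a primitive degree-8 CRC polynomial and a bytewise XOR sum, flips every pair of bits within a window and every burst pattern within an 8-bit window, and counts the patterns each check misses. It goes slightly beyond the 64-bit figure in the post: for a CRC the two-bit window is the period of the polynomial (255 bits for a primitive degree-8 polynomial), and the example also shows the miss that occurs once two flipped bits are exactly that far apart. The polynomial constant, the window sizes and the sample messages are my own constructed choices.

```python
# Added example (not code from the thread): measures which error patterns a CRC and a
# bytewise XOR sum miss. POLY, the sample messages and the windows are constructed here.

POLY = 0x1D  # x^8 + x^4 + x^3 + x^2 + 1, a primitive degree-8 polynomial (order of x is 255)


def crc8(data: bytes, poly: int = POLY) -> int:
    """MSB-first CRC-8 with zero init and no final XOR: the remainder of M(x)*x^8 mod poly."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


def xor_sum(data: bytes) -> int:
    """Bytewise XOR checksum."""
    total = 0
    for byte in data:
        total ^= byte
    return total


def polynomial_period(poly: int, degree: int = 8) -> int:
    """Smallest n > 0 with x^n = 1 (mod poly). A 2-bit error x^a + x^b goes undetected exactly
    when poly divides 1 + x^(b-a), i.e. when the two bits are a multiple of this period apart."""
    top = 1 << degree
    r = 1
    for n in range(1, top):
        r <<= 1
        if r & top:
            r ^= top | poly
        if r == 1:
            return n
    raise ValueError("x has no finite order modulo this polynomial (constant term is 0)")


def flip_bits(data: bytes, positions) -> bytes:
    """Flip bit positions counted from the MSB of the first byte, the order a serial CRC sees them."""
    buf = bytearray(data)
    for p in positions:
        buf[p // 8] ^= 0x80 >> (p % 8)
    return bytes(buf)


def undetected_double_errors(checker, msg: bytes, window: int):
    """Every pair (i, j) with j - i < window whose two flipped bits leave checker(msg) unchanged."""
    nbits = len(msg) * 8
    clean = checker(msg)
    return [(i, j) for i in range(nbits)
            for j in range(i + 1, min(i + window, nbits))
            if checker(flip_bits(msg, (i, j))) == clean]


def undetected_bursts(checker, msg: bytes, length: int, start: int = 0):
    """Every nonzero error pattern confined to `length` bits starting at `start` that checker misses."""
    clean = checker(msg)
    misses = []
    for pattern in range(1, 1 << length):
        positions = [start + k for k in range(length) if (pattern >> (length - 1 - k)) & 1]
        if checker(flip_bits(msg, positions)) == clean:
            misses.append(pattern)
    return misses


MSG = bytes(range(16))       # constructed 128-bit sample message
LONG_MSG = bytes(range(33))  # constructed 264-bit message, longer than the polynomial's period

if __name__ == "__main__":
    print("period of x mod POLY:", polynomial_period(POLY))
    print("CRC misses, 2-bit errors in a 64-bit window:",
          len(undetected_double_errors(crc8, MSG, 64)))
    print("XOR misses, 2-bit errors in a 64-bit window:",
          len(undetected_double_errors(xor_sum, MSG, 64)))
    print("CRC misses, bursts in an 8-bit window:", len(undetected_bursts(crc8, MSG, 8, start=4)))
    print("XOR misses, bursts in an 8-bit window:", len(undetected_bursts(xor_sum, MSG, 8, start=4)))
    # Past the period the CRC fails too: two bits exactly 255 apart cancel out modulo POLY.
    print("CRC detects bits 0 and 255 flipped:", crc8(flip_bits(LONG_MSG, (0, 255))) != crc8(LONG_MSG))
```

The XOR sum misses every pair of bits that sit in the same bit position of two different bytes (bits 0 and 8, for instance), which is why it fails the 64-bit window even though it catches every pattern inside an 8-bit one. The CRC catches all two-bit errors up to 254 bits apart and all bursts of up to 8 bits regardless of position, because an error polynomial of degree below 8 times a power of x is never divisible by a degree-8 polynomial with a nonzero constant term.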
------------------------------
From: mls
Subject: Letter substitution decoder
Date: Mon, 25 Sep 2000 18:34:24 GMT
No, not Captain Marvel, but I am looking for a program that will try all
possible letter substitution combinations, with a small library of
plaintext for matching. Maybe even in BASIC.
Assumes that the text to be decrypted is simple substitution and not
one time pad.
Anyone know of such an .exe? (Oakland is down, winfiles has
nothing...)
Thanx,
m shannon
mls at fusionsites dot com
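The kind of tool asked for above, as an added example (my code, not a program mentioned in the thread): each ciphertext word is matched against a small plaintext library by its letter-repetition pattern, which a simple substitution preserves, and a backtracking search keeps only assignments that stay a one-to-one letter map. The word library, the key and the message are constructed for the demonstration.

```python
# Added example (not from the thread): a simple-substitution solver that matches each
# ciphertext word against a small plaintext word library by letter pattern and backtracks
# over the consistent key assignments. The library, key and message are constructed.
import string

LIBRARY = ["the", "quick", "brown", "fox", "jumps", "over", "lazy", "dog", "attack",
           "at", "dawn", "meet", "me", "secret", "key", "and", "cipher", "is", "simple"]

# Constructed key: plaintext letter -> ciphertext letter (keyboard order, a valid permutation).
KEY = dict(zip(string.ascii_lowercase, "qwertyuiopasdfghjklzxcvbnm"))


def pattern(word: str) -> tuple:
    """Letter-repetition pattern, e.g. 'meet' -> (0, 1, 1, 2); unchanged by any substitution."""
    seen = {}
    return tuple(seen.setdefault(ch, len(seen)) for ch in word)


def substitute(text: str, table: dict) -> str:
    """Apply a letter map, leaving spaces and unmapped letters untouched."""
    return "".join(table.get(ch, ch) for ch in text)


def solve(ciphertext: str, library):
    """Return a ciphertext->plaintext letter map under which every ciphertext word is a
    library word, or None if no consistent map exists. Words with the fewest candidate
    plaintexts are assigned first so contradictions surface early."""
    by_pattern = {}
    for word in library:
        by_pattern.setdefault(pattern(word), []).append(word)
    cwords = sorted(set(ciphertext.split()))
    candidates = {cw: by_pattern.get(pattern(cw), []) for cw in cwords}
    order = sorted(cwords, key=lambda cw: (len(candidates[cw]), cw))

    def extend(c2p, p2c, cw, pw):
        """Merge the pairing cw<->pw into copies of both maps; None if it breaks the bijection."""
        c2p, p2c = dict(c2p), dict(p2c)
        for c, p in zip(cw, pw):
            if c2p.get(c, p) != p or p2c.get(p, c) != c:
                return None
            c2p[c], p2c[p] = p, c
        return c2p, p2c

    def backtrack(index, c2p, p2c):
        if index == len(order):
            return c2p
        for pw in candidates[order[index]]:
            merged = extend(c2p, p2c, order[index], pw)
            if merged is not None:
                found = backtrack(index + 1, *merged)
                if found is not None:
                    return found
        return None

    return backtrack(0, {}, {})


PLAINTEXT = "meet me at dawn the secret key is simple"   # constructed message
CIPHERTEXT = substitute(PLAINTEXT, KEY)

if __name__ == "__main__":
    recovered = solve(CIPHERTEXT, LIBRARY)
    print("ciphertext:", CIPHERTEXT)
    print("recovered: ", substitute(CIPHERTEXT, recovered))
```

The pattern index is what keeps this from being a search over all 26! keys: only library words with the same repetition structure are ever tried for a ciphertext word, and the shared `c2p`/`p2c` maps reject any candidate that would map two cipher letters to one plaintext letter or vice versa. With a larger library the same search works unchanged; ambiguity then shows up as several consistent maps, which is where a frequency or dictionary score would be used to rank them.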
------------------------------
From: Jerry Coffin <[EMAIL PROTECTED]>
Subject: Re: Software patents are evil.
Date: Mon, 25 Sep 2000 12:30:36 -0600
In article <8qlr47$5j7$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] says...
> In <[EMAIL PROTECTED]> Darren New <[EMAIL PROTECTED]> writes:
>
> >Then you need to read my post again. We were selling the product for three
> >years. Then someone else applied for a patent, and it was cheaper to license
> >than fight. That, I would say, is broken.
>
> Yes. On the other hand you could also have just kept selling, daring the
> other person to take you to court. The problem is that that remedy,
> court action, is often worse than the damage, even if successful.
> It would be nice if there were a bureaucratic way of challenging a patent
> before having to take it to court. I.e., get the patent office to
> reconsider.
The US Congress seems to have thought the same thing would be a
really good idea -- so good, in fact, that sections 301 and 302 of
Title 35 are devoted to allowing "Any person at any time" to cite
prior art that applies to a particular patent. Section 301 allows
you to simply get your citation added to the patent's paperwork,
where it's easy for anybody else to find it. Section 302 allows you
to request the PTO to reexamine the patent in light of the prior art
you're citing. You DO have to pay a fee when/if you request that a
patent be reexamined, but it's basically a nuisance fee to keep
people from doing it without any reason -- I.e. something like
hundreds of dollars, not tens of thousands or anything like that.
There's also a provision that any "small business" (as defined by the
small business act) can get a 50% discount on essentially all fees
paid to the patent office; granted, there are businesses so small
that even if they only have to pay a couple of hundred dollars, it's
going to hurt them, but it's _very_ hard for me to believe that this
would really be more expensive than simply licensing the patent.
The problem, of course, is that in the situation he talked about,
this _probably_ doesn't make any real difference. He talked about
somebody else applying for the patent three years after they were
selling the product. If that's really the case, and they threatened
a lawsuit, about all they'd have to do is attach a mildly edited copy
of the lawsuit, where the patent holder says the product is the same
as what's patented, and proof that they were selling it three years
before.
I doubt that's what really happened though: what I suspect really
happened is that the person applied for the patent BEFORE they were
selling the product, and it took around three years for the patent
application to be processed. They infringed on the patent for three
years without knowing about it, and when the patent was issued, the
patent holder put them on notice. After examining things, the
company's attorneys undoubtedly realized that there was no way they
could win, but to put a good face on things, they made noises about
it being too expensive to fight rather than admitting that they'd
simply been stealing something (albeit unknowingly) all along.
> I have heard of a situation in which a member of a standards body then
> went out and got a patent on the protocol discussed in the standards
> meeting.
I've heard at least allegations of such things happening (and don't
get me wrong: I'm not saying I think the allegations are wrong, only
unproven). There's no question that somebody who's dishonest can at
least attempt to manipulate the system in various ways, but keep in
mind that they really ARE already illegal. One of the most basic
requirements to get a patent is to sign a document swearing that you
invented this thing, and to the best of your knowledge it's new and
original. If that's false, then the applicant is committing fraud.
One of the big problems here (at least IMO) is that it's just a bit
too easy for a company to look at the downside of being caught making
a fraudulent patent application (rather small) vs. the potential
payoff if they can license the patent (often VERY large) and decide
the attempt is worth it. In theory the individual applicant could be
prosecuted for fraud, where the potential downside (prison time) is
much larger, but in reality it's often pretty easy for somebody who
knows how to do something to "lead" somebody else to invent the same
thing. At that point the underling signs the patent application and
honestly believes the invention IS original.
I think it comes down to one fact: any law we (as in "humans") make
is going to have some flaws, and be open to manipulation by
unscrupulous people. When we can find a reasonable way to ensure
against that, great, but even when/if we can't it doesn't mean we
need to throw the baby out with the bath water, and eliminate all
laws that can't be perfectly and completely enforced.
--
Later,
Jerry.
The Universe is a figment of its own imagination.
------------------------------
From: Jerry Coffin <[EMAIL PROTECTED]>
Subject: Re: Software patents are evil.
Date: Mon, 25 Sep 2000 12:30:40 -0600
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
> Jerry Coffin wrote:
> > Please actually READ what I say before you call it nonsense. Take
> > particular note of the fact that I said "valid patent."
>
> Well, I'd assume that "valid patent" means "a patent passed by the patent
> office that has not yet been successfully disputed." If you mean "should
> have been issued" when you say "valid", then you're using terms differently
> from any business, court, or legal system I've encountered.
I'm using "valid" to mean...well, um...I can't think of a much better
word than "valid." You're apparently using it to mean "not having
been _proven_ to be invalid" or something like that. I'm using it to
mean exactly what it means: really and truly valid. Not dealing with
a legal (or logical) proof of validity or lack thereof, but what we'd
get from the all-knowing oracle if we could ask whether a particular
patent was valid or not. After considering all evidence (whether
known to the patent office or not), etc., it could say, "Yes, this
patent really is valid according to current law" or "No, it's really
not valid."
> Then you need to read my post again. We were selling the product for three
> years. Then someone else applied for a patent, and it was cheaper to license
> than fight. That, I would say, is broken.
I _really_ doubt that this is true. If they honestly applied for the
patent three years after you were selling the patented invention,
then fighting it would be REALLY cheap.
You'd take THEIR assertion that your product was the same as the
patented invention, you'd attach proof that you'd sold the product
three years prior to their applying for the patent, and submit them
both to the PTO with a request for reexamination under section 302 of
the patent code. Total cost to you would typically come out to a
few thousand dollars, MOST of it in time to draft and proof-read
letters and such.
I'd guess that the patent was _granted_ rather than applied for,
three years after you started selling the product. That's about the
length of time it _typically_ takes the patent office to grant a
patent, so chances are the patent-holder invented whatever it is
around the time you started to sell it, or perhaps somewhat before
you did. In that case, fighting the patent really WOULD be expensive
at best, and probably a losing battle at worst, for the simple reason
that his patent probably really was valid, and you'd simply been
stealing somebody else's invention for years, even if you weren't
aware of it at the time.
> I think if the only patents that got issued were for actually innovative
> stuff (like RSA, say), then it would certainly be much less painful.
The law requires that the invention be original, non-obvious and
novel. Admittedly, the PTO seems (at least at times) to have rather
low thresholds for what they believe is novel and non-obvious, but
that's not an indictment of patent law, only of how it's executed.
I think the major problems are NOT with patent law, but the patent
office. I think it would be pretty easy to make things a lot better
too: simply raise the fees for patent application and maintenance,
though probably with greater provisions for reduced fees for people
who really can't afford the increase (e.g. an individual applying for
a patent would pay no more than, say, 1% of his annual income).
A sufficient increase in fees would encourage companies to only
patent worthwhile inventions. The increased revenue to the PTO would
allow them to hire more and better-qualified patent examiners as well
as improving automation and computerization to allow better searching
of prior art. The ultimate result would be to remove (or at least
drastically reduce) most of the problems while retaining the majority
of the good points of the current system.
--
Later,
Jerry.
The Universe is a figment of its own imagination.
------------------------------
From: mls
Subject: Re: CDMA tracking (was Re: GSM tracking)
Date: Mon, 25 Sep 2000 18:44:41 GMT
Unless things have changed since I was involved in this, a phone,
cell, analog, digital, CDMA, TDMA, whatever isn't transmitting
anything if power is (in fact) removed. Ergo it is not communicating
on the reverse data channel, so the cellsite equipment has no record
of it being "on the air".
Interesting, though, that some phones can be, and have been, modified so
they can be activated remotely (if power is applied) to disable the
speaker and display while activating the microphone.
A handy surveillance device with no range limitations...
mls at fusionsites dot com
On Thu, 21 Sep 2000 21:44:41 -0600, Jerry Coffin <[EMAIL PROTECTED]>
wrote:
>In article <[EMAIL PROTECTED]>, roger_95073@my-
>dejanews.com says...
>
>[ ... ]
>
>> What if I (accidentally or deliberately) disconnected the battery
>> in Vegas, and then reconnected when I got home. Then the phone
>> would report that I had been in Vegas?
>
>I'd have to look back to be sure -- the phone I was looking at has
>both volatile and non-volatile memory. Offhand, I don't remember
>which of these this particular data is stored in. Obviously enough,
>if it's stored in the volatile memory, then removing all power will
>destroy the contents, but if it's in the non-volatile memory,
>removing power won't. As I said, I honestly don't remember which it
>gets stored in though.
>
>--
> Later,
> Jerry.
>
>The Universe is a figment of its own imagination.
------------------------------
From: "Cristiano" <[EMAIL PROTECTED]>
Subject: Re: 128-bit Secure LFSR
Date: Mon, 25 Sep 2000 20:38:14 +0200
Why do you use this (in pseudo code):
> if (m[0] & 1) { m^=feed<<1; r=1; }
> else r = 0;
> m[0] = (m[0]>>1)|(m[1]<<31);
> m[1] = (m[1]>>1)|(m[2]<<31);
> m[2] = (m[2]>>1)|(m[3]<<31);
> m[3] = (m[3]>>1)|(r<<31);
> return r;
and not:
if(m &1) { m=(m>>1)^feed; r=1; }
else { m>>=1; r=0; }
return r;
This is only a question, not advice!
Is your generator also cryptographically secure?
Cristiano
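Both of Cristiano's questions can be answered with a short experiment. The following is an added example (my code, not the generator under discussion in the thread): it clocks the same right-shifting Galois LFSR in the two forms quoted above, a single 128-bit integer and four 32-bit words, and checks that the output bits agree. It then runs the Berlekamp-Massey algorithm over the first 256 output bits and uses the recovered recurrence to predict the bits that follow, which is the textbook reason a bare LFSR output stream is not cryptographically secure whatever its length: 2L output bits determine a length-L LFSR. The feedback constant and seed are constructed values, not taken from the thread.

```python
# Added example (not code from the thread). FEED and SEED are constructed values.
MASK128 = (1 << 128) - 1
# Feedback taps; bit 127 is set so the register stays 128 bits wide after the shift.
FEED = (1 << 127) | 0x4D8F1A3C2B9E7F056C1D3E8A9F0B2C41
SEED = 0x0123456789ABCDEFFEDCBA9876543211   # constructed nonzero start state


def step_wide(state: int, feed: int = FEED):
    """One clock of a right-shifting Galois LFSR held in a single 128-bit integer."""
    r = state & 1
    state >>= 1
    if r:
        state ^= feed
    return state, r


def to_words(state: int):
    """Split a 128-bit integer into four 32-bit words, word 0 least significant."""
    return [(state >> (32 * i)) & 0xFFFFFFFF for i in range(4)]


def step_words(m, feed_words):
    """The same clock on four 32-bit words, as a C implementation would do it."""
    r = m[0] & 1
    m = [((m[i] >> 1) | ((m[i + 1] & 1) << 31)) & 0xFFFFFFFF for i in range(3)] + [m[3] >> 1]
    if r:
        m = [w ^ f for w, f in zip(m, feed_words)]
    return m, r


def stream_wide(state: int, n: int, feed: int = FEED):
    """Output bits from n clocks of the single-integer form."""
    out = []
    for _ in range(n):
        state, r = step_wide(state, feed)
        out.append(r)
    return out


def stream_words(words, n, feed_words):
    """Output bits from n clocks of the four-word form."""
    out = []
    for _ in range(n):
        words, r = step_words(words, feed_words)
        out.append(r)
    return out


def berlekamp_massey(bits):
    """Shortest LFSR over GF(2) reproducing bits: returns (L, c) with
    bits[k] = XOR of c[j] & bits[k-j] for j = 1..L."""
    n = len(bits)
    c, b = [1] + [0] * n, [1] + [0] * n
    L, m = 0, -1
    for i in range(n):
        d = bits[i]
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d == 0:
            continue
        t = c[:]
        shift = i - m
        for j in range(n + 1 - shift):
            c[j + shift] ^= b[j]
        if 2 * L <= i:
            L, m, b = i + 1 - L, i, t
    return L, c[:L + 1]


def predict(bits, L, c, count):
    """Extend the observed bits by count using the recovered recurrence."""
    seq = list(bits)
    for _ in range(count):
        seq.append(sum(c[j] & seq[-j] for j in range(1, L + 1)) & 1)
    return seq[len(bits):]


if __name__ == "__main__":
    out = stream_wide(SEED, 360)
    print("word form agrees:", out == stream_words(to_words(SEED), 360, to_words(FEED)))
    L, c = berlekamp_massey(out[:256])
    print("linear complexity:", L)
    print("next 104 bits predicted correctly:", predict(out[:256], L, c, 104) == out[256:])
```

On the first question: the four-word form is just the single-integer form split across machine words, so the choice is about what the target C compiler can do natively, not about the sequence produced. On the second: the linear complexity of the output is at most 128, so anyone holding 256 consecutive keystream bits (a few bytes of known plaintext) reconstructs the taps and state and predicts the rest, which is why raw LFSR output is used only as an input to a nonlinear combiner or filter, never as a keystream by itself.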
------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: What am I missing?
Date: Mon, 25 Sep 2000 11:40:12 -0700
I am not in a position to make use of this idea at the moment, and I won't
be until after the award period is over, so I'm going to publish it, and if
it works, I hope someone will be kind. I am placing it in this thread
because it very much applies to SDMI, and the difficulty in creating a
watermark that can survive an attacker that is highly determined. The idea
is thus:
Take the Stream S, separate it by frequency (use low/high pass filtering at
various frequencies) into several S[i] (where i goes from 0 to N). Using a
good random number generator create a small random shift of the substreams
S[i], call these T[i]. Generate a new stream T, which technically still has
the watermark data (it should simply be illegible), by summing the
substreams T[i]. I can see no immediate way that a watermark could survive
this.
Joe
------------------------------
From: [EMAIL PROTECTED] (dbt)
Subject: sigh, AES
Date: Mon, 25 Sep 2000 18:56:39 GMT
Any news? Wasn't it supposed to be released by now?
Is there a good place to go to keep up with AES news?
--
David Terrell | "Instead of plodding through the equivalent of
Prime Minister, NebCorp | literary Xanax, the pregeeks go for sci-fi and
[EMAIL PROTECTED] | fantasy: LSD in book form." - Benjy Feen,
http://wwn.nebcorp.com | http://www.monkeybagel.com/ "Origins of Sysadmins"
------------------------------
From: Bryan Olson <[EMAIL PROTECTED]>
Subject: Re: Tying Up Loose Ends - Correction
Date: Mon, 25 Sep 2000 18:46:06 GMT
Tim Tyler wrote:
> Bryan Olson wrote:
> : With no attack better than exhaustive
> : search you have no way to rapidly eliminate any large class of keys.
>
> You might well have a method that works much faster than decrypting
> blocks and analysing the plaintext for known characteristics.
> The latter might require a number of blocks and take a non-trivial
> volume of processing.
Yes, you can work on reducing that constant. The mistake is
pretending it does something to the keyspace. The lower
bound on the work for exhaustive search increases
exponentially in the size of the key.
> : The problem is a conceptual error and cannot be fixed by adjusting
> : terminology.
>
> I don't think so - the issue appears to be purely terminological.
No. The effect of the keyspace is still there. If I give
you a thousand bits of Blowfish (448-bit key) ciphertext and
corresponding plaintext, what's the "effective keyspace"?
> : A trial decryption with one candidate key takes some minimum constant
> : time. That time, multiplied by the number of effective keys puts a
> : lower bound on the time for exhaustive search.
>
> Generally speaking the idea that to get the total time required, you need
> to multiply the time taken for a single decrypt by the number of keys is a
> potentially serious conceptual error.
Processor time of course.
> This aside, you may gain the ability to reject a key after
> decrypting a single block. The ability to do so would speed
> things up.
Again, that's attacking the constant factor. Then you run
into the exponential brick wall and more redundancy or known
plaintext is no further help. The exponential is the effect
of the keyspace.
--Bryan
--
email: bolson at certicom dot com
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: Quisquater <[EMAIL PROTECTED]>
Subject: Re: sigh, AES
Date: Mon, 25 Sep 2000 21:13:38 +0200
See
http://csrc.nist.gov/encryption/aes/
Recent Announcements
September 13, 2000 - NIST is still on track to announce its proposed
selection for the AES in late summer / early fall. HOWEVER, a specific date
for the announcement has NOT been set at this time. When a date has been
selected, it will be indicated here, to give the public as much advance
notice as possible.
See also http://www.cryptonessie.org
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************