Cryptography-Digest Digest #925, Volume #12      Sat, 14 Oct 00 15:13:01 EDT

Contents:
  Re: Why trust root CAs ? (Larry Kilgallen)
  Re: Public Key Algorithms and Analysis (Albert Yang)
  Re: Rijndael implementations (Richard Heathfield)
  Re: Why trust root CAs ? (Anne & Lynn Wheeler)
  Re: Is it trivial for NSA to crack these ciphers? (John Savard)
  Re: Is it trivial for NSA to crack these ciphers? (John Savard)
  Re: block-cipher silly question? (John Savard)
  Re: Why trust root CAs ? (Anne & Lynn Wheeler)
  Re: block-cipher silly question? (Richard Heathfield)
  Re: FTL Computation ("Paul Lutus")
  Re: naval code books were "weighted" (Sundial Services)
  Re: block-cipher silly question? (David Wagner)
  Re: NIST Random Generator Test Suite Results ("Cristiano")
  Re: Why trust root CAs ? (Greggy)
  Re: What is meant by non-Linear... ("Stephen M. Gardner")
  Re: What is meant by non-Linear... ("Stephen M. Gardner")
  Re: Why trust root CAs ? (Vernon Schryver)
  Re: What is meant by non-Linear... ("Stephen M. Gardner")
  Re: Is it trivial for NSA to crack these ciphers? ("Paul Pires")

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Larry Kilgallen)
Subject: Re: Why trust root CAs ?
Date: 14 Oct 2000 11:37:15 -0500

In article <8s96vb$8f7$[EMAIL PROTECTED]>, Greggy <[EMAIL PROTECTED]> writes:
> In article <[EMAIL PROTECTED]>,
>   Paul Rubin <[EMAIL PROTECTED]> wrote:
>> Greggy <[EMAIL PROTECTED]> writes:
>> > But you missed the real problem with CAs.  Can Verisign answer the
>> > following for you:
>> >
>> > Can you prove none of your employees took a bribe and provided me
> with
>> > a bad cert?
>>
>> How is it *possible* to do that in a way that you couldn't detect
> instantly?
> 
> Okay, bad question.  Let me rephrase.  Can you prove none of your
> employees took a bribe and provided a thief with a signed certificate
> with his public key instead of mine allowing him to act as a man in the
> middle?

You can "prove" the unlikelihood of this by requiring that all
certification actions be only at the agreement of multiple employees
who do not have a close working relationship, are monitored by video
cameras, undergo rigorous background checks, are required not to admit
who their employer is other than as required by law, etc. etc.

By the way, the CA will charge more for the "high security" version.

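One concrete way to get the "agreement of multiple employees" Kilgallen describes is to make sure no single operator ever holds the CA signing key at all: split it k-of-n with Shamir secret sharing so that issuance needs k operators to present shares, and check the reassembled key against a fingerprint recorded at the key ceremony before it is used. This is an added example, not code from the post or from any CA; it assumes the signing key can be treated as an integer below the Mersenne prime 2^127 - 1 (a real RSA key would be split in the same way per limb, or held in an HSM with M-of-N activation), and the names split_secret, recover_secret, key_fingerprint and issue_certificate are mine.

```python
import hashlib
import secrets

# Prime field for the shares. 2**127 - 1 is a Mersenne prime. Assumption for this
# example: the CA signing key is an integer in [0, P).
P = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... mod P (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, k, n):
    """Split `secret` into n shares: any k recover it, any k-1 are statistically
    independent of it. The secret is the constant term of a random degree-(k-1)
    polynomial; share i is the point (i, f(i))."""
    if not 0 < k <= n < P:
        raise ValueError("need 0 < k <= n")
    if not 0 <= secret < P:
        raise ValueError("secret must be an integer in [0, P)")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(i, _eval_poly(coeffs, i)) for i in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0. With k correct shares this is the secret;
    with fewer it is some other field element, which is the whole point: a lone
    operator (or two colluding ones, for k = 3) cannot reconstruct the key."""
    total = 0
    for j, (xj, yj) in enumerate(shares):
        num = den = 1
        for m, (xm, _) in enumerate(shares):
            if m != j:
                num = num * (-xm) % P
                den = den * (xj - xm) % P
        total = (total + yj * num * pow(den, -1, P)) % P
    return total


def key_fingerprint(key):
    """Commitment to the key, recorded at the ceremony; reveals nothing useful about it."""
    return hashlib.sha256(key.to_bytes(16, "big")).hexdigest()


def issue_certificate(shares, k, expected_fingerprint):
    """Dual-control gate around a certification action: at least k distinct approvers
    must present shares, and the reassembled key must match the ceremony fingerprint
    (so a forged or mistyped share fails closed instead of signing with garbage)."""
    if len({x for x, _ in shares}) < k:
        raise PermissionError("certification requires %d distinct approvers" % k)
    key = recover_secret(shares)
    if key_fingerprint(key) != expected_fingerprint:
        raise PermissionError("reassembled key does not match the ceremony fingerprint")
    return key
```

In practice the reassembled key would live only inside the HSM that performs the signature; the gate above is the policy, not the key-handling.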
------------------------------

From: Albert Yang <[EMAIL PROTECTED]>
Subject: Re: Public Key Algorithms and Analysis
Date: Sat, 14 Oct 2000 14:48:19 GMT

David CopperSmith wrote up a paper about attacks on RSA when the "e" is
3.  That chucks about 75% of the keyspace.  Of course, if your pubkey is
1024 bits, that would mean an effective strength of 1021 bits still, not
too bad...

Search under the counterpanes big library trouff, under coppersmith, and
you should find it...

Just got done with an ECDSA project.  Certicom has quite a few
whitepapers on the subject of ECC, ECDSA, EC in general.

Cheers.
Albert

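The e = 3 problems the post points at are not weaknesses of the key size but of using a small public exponent without randomized padding. As an added example (mine, not from the post and not Coppersmith's lattice method, which generalizes these), here are the two simplest ones: the plain cube-root attack when an unpadded message satisfies m^3 < N, and Håstad's broadcast attack when the same unpadded message goes to three recipients with e = 3, where the Chinese remainder theorem recombines the three ciphertexts into m^3 over the integers. The key material is toy-sized (thousand-range primes found by trial division) so it runs instantly; make_toy_keys, icbrt, crt and the attack function names are mine.

```python
def small_primes_2_mod_3(lo, hi, count):
    """Toy key material: primes p in [lo, hi) with p % 3 == 2, so gcd(3, p-1) == 1."""
    out = []
    for p in range(lo, hi):
        if p % 3 == 2 and all(p % d for d in range(2, int(p ** 0.5) + 1)):
            out.append(p)
            if len(out) == count:
                return out
    raise ValueError("not enough primes in range")


def make_toy_keys(n_keys, e=3):
    """n_keys textbook-RSA pairs ((N, e), d) built from distinct primes, so the moduli
    are pairwise coprime (needed by the CRT step). Toy sizes only."""
    ps = small_primes_2_mod_3(1000, 2000, 2 * n_keys)
    keys = []
    for i in range(n_keys):
        p, q = ps[2 * i], ps[2 * i + 1]
        n, phi = p * q, (p - 1) * (q - 1)
        keys.append(((n, e), pow(e, -1, phi)))
    return keys


def icbrt(x):
    """Exact integer cube root of x, or None if x is not a perfect cube."""
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo if lo ** 3 == x else None


def small_message_attack(c):
    """e = 3, no padding, m**3 < N: the ciphertext is literally m**3, nothing was
    reduced mod N, so a cube root over the integers returns m."""
    return icbrt(c)


def crt(residues, moduli):
    """Chinese remainder theorem for pairwise coprime moduli."""
    total, big_m = 0, 1
    for n in moduli:
        big_m *= n
    for r, n in zip(residues, moduli):
        m_i = big_m // n
        total += r * m_i * pow(m_i, -1, n)
    return total % big_m


def broadcast_attack(ciphertexts, moduli):
    """Hastad: the same unpadded m sent to three e = 3 recipients. CRT gives m**3 mod
    N1*N2*N3; since m < every Ni, m**3 < N1*N2*N3, so the residue is m**3 itself."""
    return icbrt(crt(ciphertexts, moduli))
```

The fix is the usual one: OAEP (or at least randomized padding) makes each ciphertext encrypt a different, full-size integer, so neither attack applies regardless of e.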
------------------------------

Date: Sat, 14 Oct 2000 15:53:01 +0100
From: Richard Heathfield <[EMAIL PROTECTED]>
Subject: Re: Rijndael implementations

Tim Tyler wrote:
> 
> Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
> : Tim Tyler wrote:
> 
> :> "Byte" should mean "octet"
> 
> : It didn't mean that in the first place, and only a parochial
> : view of computing based on limited exposure to the gamut of
> : possibilities would allow anyone to think what you suggest.
> 
> Whoa - that sounds dreadful ;-)

Why? Did you not understand it?

> 
> Meanings change, *including* those of technical terms that attain popular
> usage.

Changing the meaning of a word is not only unnecessary and costly, but
rather silly if you don't provide a new word for what the old word used
to mean.

If you're going to shanghai 'byte' as a synonym for 'octet', what do you
propose to call what /I/ still call a byte?

> 
> Consider the term "gender".  This is a linguistic term relating to
> the classification of nouns and pronouns in languages such as French.
> However, it has widely been used as a term to refer to the sex of
> individuals, without use of the broader term, "sex".  A few (e.g.
> Richard Dawkins) lament this theft - but it is now by far the more
> common usage.

Not amongst grammarians or linguists, I suspect.

> 
> I think the popular term and the term that refers to 8-bits should
> intersect - since clumps of 8 bits are certainly common and show little
> sign of going away.

Except on processors where such clumps don't exist, of course.

> 
> Since nobody's likely to start calling all unicode characters "bytes"
> at this point,

Why not? There's no reason why someone couldn't put together a machine
with a native 16-bit Unicode character set - in which case, the natural
size for a byte on that machine would be 16 bits.

> the original meaning looks like it will go
> (or perhaps I should say has gone) severely bankrupt.

Amongst "all-the-world-is-a-PC-running-Windows" people, perhaps. But
it's a big world out there.


-- 
Richard Heathfield
"Usenet is a strange place." - Dennis M Ritchie, 29 July 1999.
C FAQ: http://www.eskimo.com/~scs/C-faq/top.html
66 K&R Answers: http://users.powernet.co.uk/eton/kandr2/index.html (31
to go)

------------------------------

Subject: Re: Why trust root CAs ?
Reply-To: Anne & Lynn Wheeler <[EMAIL PROTECTED]>
From: Anne & Lynn Wheeler <[EMAIL PROTECTED]>
Date: Sat, 14 Oct 2000 14:59:59 GMT

David Schwartz <[EMAIL PROTECTED]> writes:
>       I think you'll find that if you do this, you recreate the PKI. First,
> you'll want a central repository of whose key is whose. Second, you'll
> want one place to go to revoke a key should it be compromised. And so
> on.

you just don't need a certificate based PKI ... you go with an online,
real-time PKI. 

The paradigm for the certificate model PKI was the offline email case
between parties that had no prior relationship and/or knowledge of
each other (i.e. connect to the network, download email, disconnect,
read email ... and perform various actions as specified by the email,
even tho you had no prior knowledge of &/or relationship with the
person sending the email).

-- 
Anne & Lynn Wheeler   | [EMAIL PROTECTED]
 http://www.garlic.com/~lynn/ 

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Is it trivial for NSA to crack these ciphers?
Date: Sat, 14 Oct 2000 14:53:05 GMT

On Fri, 13 Oct 2000 11:55:45 -0500, "Stephen M. Gardner"
<[EMAIL PROTECTED]> wrote, in part:

>For some reason people seem to attribute wizard-like powers to these agencies. 
>Modern algorithms are subjected to public scrutiny in an
>environment where the secret agencies have no advantage
>(public disclosure of algorithms and attacks). With modern
>cryptography the NSA is no better off than anyone else.

The fallacy in this reasoning is obvious. The NSA does not publicly
disclose its attacks. And it has been around long enough to have
accumulated quite an arsenal of them.

Hence, it is quite possible it knows of ways to attack DES or Rijndael
that are beyond anything known to the public.

Whether what it knows is sufficient to effectively break these
algorithms is quite another matter, and there are sound reasons to
suspect that it might not. However, nothing is stopping people from
taking additional precautions.

John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Is it trivial for NSA to crack these ciphers?
Date: Sat, 14 Oct 2000 14:57:37 GMT

On 14 Oct 2000 03:20:04 -0000, lcs Mixmaster Remailer
<[EMAIL PROTECTED]> wrote, in part:

>Is it a political statement to say that if these ciphers aren't good enough
>for NSA, they're not good enough for me?

While I think that one could do a bit better than the popular
standards, either by combining them with stream ciphers, or by using
something a bit larger and more complicated -

check out Quadibloc VIII, for example -

but if somehow it could be seen that the AES was all the cipher anyone
would ever need, would the NSA suddenly abandon all efforts to design
ciphers of its own? Might they not feel a need to justify and hold on
to that part of their budget? Might they not need some easy, fun work
for burned-out cryptanalysts?

John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: block-cipher silly question?
Date: Sat, 14 Oct 2000 14:48:07 GMT

On Sat, 14 Oct 2000 12:46:13 GMT, N. Weicher <[EMAIL PROTECTED]> wrote,
in part:

>A stream cipher would imply some sort of feedback.  I was looking for
>something that did not rely on that. 

Do you mean a stream cipher that is not an autokey?

A true block cipher with an 8-bit block would be a monoalphabetic
substitution on a 256-character alphabet. That could not be secure.

John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

Subject: Re: Why trust root CAs ?
Reply-To: Anne & Lynn Wheeler <[EMAIL PROTECTED]>
From: Anne & Lynn Wheeler <[EMAIL PROTECTED]>
Date: Sat, 14 Oct 2000 15:04:01 GMT

[EMAIL PROTECTED] writes:

> On Sat, 14 Oct 2000 19:43:28 +1000, "Lyalc" <[EMAIL PROTECTED]>
> wrote:
> 
> >If you replace Public Key with Password, this models works just as well, and
> >works today, at zero incremental cost.
> 
> Scheme outlined has advantages over passwords which may justify the
> incremental costs.  EG: 
> - a password is inherently less secure since it relies on keeping the
> password secret, and yet password is known to all entities/devices for
> which you use that password.  A public key can be put on a bill board
> without lessening security.
> - using a public key approach enables encryption of data unique
> to the user, increasing security.
> - the use of a device to handle the registration and authentication
> simplifies the process from the point of view of the end user and
> obviates the need to handle, remember and keep secure multiple
> passwords.

replacing a password registered in an account record with a public key,
the public key part of the protocol is the same whether the private
key is stored in a password protected software file, a hardware token
w/o any activation, a hardware token with PIN activation, or a
hardware token with biometric activation, or a hardware token with
both PIN & biometric activation.

the public key part of the protocol is the same whether the consumer
registers the same public key with one location or the same public key
with 15 locations. In the case of multiple public key registration,
one might be the bank and another might be the consumer's ISP. Using a
common public key at both an ISP and the bank ... doesn't have the
downside of somebody at the ISP doing fraudulent transactions at the
bank.

deploying a common public key protocol would give the consumer a great
deal of freedom and choice as to the level of security and integrity
that they would like to use (software files, different tokens at
different integrity levels, activation, etc)

The PIN/biometric activation ... as opposed to authorization is an
issue. In the case of flowing an authorization PIN/password ... which
might get compromised, it is relatively easy to get a new
PIN/password. Biometric authorization in an open environment is much
harder to deal with (effectively biometric authorization is a complex
PIN/password that the person doesn't have to remember). In the case of
biometric authorization compromise, it is much harder to issue a new
body part. It is also harder to make sure that a unique body part is
used for each entity that the consumer wishes to authenticate with.

-- 
Anne & Lynn Wheeler   | [EMAIL PROTECTED]
 http://www.garlic.com/~lynn/ 

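The claim in the post that registering the same public key at the ISP and the bank "doesn't have the downside of somebody at the ISP doing fraudulent transactions at the bank" is easy to show end to end. Below is an added example (mine, not the poster's and not any bank's protocol) with both account-record models side by side: a password record, which an ISP insider can read and replay at the bank, and a public-key record with challenge-response login, where the insider gets only (e, n). It also covers the one thing a public key alone does not fix, an insider relaying the bank's challenge to the consumer: the signature here binds the relying party's name, so the bank rejects a response the consumer signed for "isp". Assumptions: textbook RSA over a SHA-256 digest, generated at run time so the block is self-contained, stands in for the token's real signature scheme (do not ship it; use a vetted library and a padded scheme); the service names, user "alice" and function names are constructed for the scenario.

```python
import hashlib
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin, enough for toy key generation."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def keygen(bits=512, e=65537):
    """Toy textbook RSA. Returns ((e, n), (d, n))."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (e, p * q), (pow(e, -1, phi), p * q)


def digest(service_name, challenge):
    """What the token signs: the relying party's name AND its fresh challenge.
    SHA-256 gives an integer < 2**256 < n, so no reduction mod n occurs."""
    return int.from_bytes(hashlib.sha256(service_name.encode() + b"|" + challenge).digest(), "big")


def sign(private, service_name, challenge):
    d, n = private
    return pow(digest(service_name, challenge), d, n)


class PasswordService:
    """Account record holds the password itself: whoever reads the record holds it too."""
    def __init__(self, name):
        self.name, self.accounts = name, {}

    def register(self, user, password):
        self.accounts[user] = password

    def login(self, user, password):
        return secrets.compare_digest(self.accounts.get(user, ""), password)


class PublicKeyService:
    """Account record holds only the public key; login is challenge-response."""
    def __init__(self, name):
        self.name, self.accounts, self.pending = name, {}, {}

    def register(self, user, public_key):
        self.accounts[user] = public_key

    def challenge(self, user):
        self.pending[user] = secrets.token_bytes(32)
        return self.pending[user]

    def login(self, user, signature):
        chal = self.pending.pop(user, None)          # single use: an old answer cannot be replayed
        if chal is None or user not in self.accounts:
            return False
        e, n = self.accounts[user]
        return 0 < signature < n and pow(signature, e, n) == digest(self.name, chal)


def run_scenario():
    """Constructed scenario: consumer alice, an ISP, a bank, and an ISP insider who can
    read the ISP's account records. Returns each outcome keyed by a description."""
    out = {}
    isp, bank = PasswordService("isp"), PasswordService("bank")
    isp.register("alice", "correct horse")
    bank.register("alice", "correct horse")                  # same password at both
    out["password: consumer logs in at bank"] = bank.login("alice", "correct horse")
    out["password: ISP insider logs in at bank"] = bank.login("alice", isp.accounts["alice"])

    public, private = keygen()
    isp, bank = PublicKeyService("isp"), PublicKeyService("bank")
    isp.register("alice", public)
    bank.register("alice", public)                          # same public key at both
    c = bank.challenge("alice")
    out["pubkey: consumer logs in at bank"] = bank.login("alice", sign(private, "bank", c))

    e, n = isp.accounts["alice"]                            # insider gets only (e, n)
    c = bank.challenge("alice")
    out["pubkey: ISP insider forges at bank"] = bank.login("alice", pow(digest("bank", c), e, n))

    c = bank.challenge("alice")                             # relay: insider passes the bank's
    relayed = sign(private, "isp", c)                       # challenge off as the ISP's own
    out["pubkey: ISP insider relays consumer's answer to bank"] = bank.login("alice", relayed)
    return out
```

Without the service name in the signed data the relay case would succeed, so the name binding (or an equivalent channel binding) belongs in the protocol, not just the token.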
------------------------------

Date: Sat, 14 Oct 2000 16:04:32 +0100
From: Richard Heathfield <[EMAIL PROTECTED]>
Subject: Re: block-cipher silly question?

David Schwartz wrote:
> 
> "N. Weicher" wrote:
> 
> > I hope this isn't too silly a question to ask, but is there such a
> > thing as a credible block cipher that works on a single-byte block?
> 
>         Usually we would call such a thing a stream cipher.

What if the machine has 64-bit bytes? Would you still call it a stream
cipher then?

<snip>

-- 
Richard Heathfield
"Usenet is a strange place." - Dennis M Ritchie, 29 July 1999.
C FAQ: http://www.eskimo.com/~scs/C-faq/top.html
66 K&R Answers: http://users.powernet.co.uk/eton/kandr2/index.html (31
to go)

------------------------------

From: "Paul Lutus" <[EMAIL PROTECTED]>
Crossposted-To: sci.astro,sci.physics.relativity,sci.math
Subject: Re: FTL Computation
Date: Sat, 14 Oct 2000 15:57:04 GMT

ca314159 <[EMAIL PROTECTED]> wrote in message
news:8s9i0g$etp$[EMAIL PROTECTED]...

> Having fun, usually means, going alittle nuts;
> is there no fun left in science ? And whether
> one thinks the twin paradox, particle-wave duality,
> Schrodinger's dead and alive cat (they really knew
> how to have fun with science back then) are nutty
> ideas or valid conjectures, depends on your
> subjective attitude often more than the measurements.

I had previously suggested that you were discussing New Age Physics instead
of the kind one can verify or defend with reasonable argument. This only
proves it.

Each of the topics you used as examples are backed up by both theory and
observation. None of them depend on one's "attitude."

This says it all:

" ...depends on your subjective attitude often more than the measurements."

In physics, the measurements are more important than your attitude. In
superstition, the reverse.

Your post contains not one word of physics. It uncritically mixes concepts
having nothing in common (quantum and FTL, as just one example), it argues
about how things "ought to be" rather than how science describes them. It is
sci-fi, not sci. There is a reason "sci" is part of the three newsgroup
names you have arbitrarily chosen -- that is our topic.

On reading your argument about how real science isn't any fun, one can't
help wondering why you are posting to a science newsgroup.

Now that you have abandoned the original topic entirely, now that you are no
longer even pretending to be discussing physics, please move your fluffy
discussion to an appropriate New Age newsgroup.

--

Paul Lutus
www.arachnoid.com





------------------------------

Date: Sat, 14 Oct 2000 09:48:09 -0700
From: Sundial Services <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: naval code books were "weighted"

Which also explains why German cipher clerks were so grouchy .. they
weren't allowed to drink coffee.  ("Oops...")


>Jim wrote:
> Germany's Enigma cipher key material was printed with ink which
> would run and blur on contact with water, and printed on absorbent
> paper to help the process along.
> 
==================================================================
Sundial Services :: Scottsdale, AZ (USA) :: (480) 946-8259
mailto:[EMAIL PROTECTED]  (PGP public key available.)
> Fast(!), automatic table-repair with two clicks of the mouse!
> ChimneySweep(R):  "Click click, it's fixed!" {tm}
> http://www.sundialservices.com/products/chimneysweep

------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: block-cipher silly question?
Date: 14 Oct 2000 17:41:41 GMT
Reply-To: [EMAIL PROTECTED] (David Wagner)

N. Weicher  wrote:
>I hope this isn't too silly a question to ask, but is there such a
>thing as a credible block cipher that works on a single-byte block?

Sure there is.

Now as for security, well, that's a different story: Any such beast
must be trivially insecure, precisely because of the small block size.

Why don't you tell us what you wanted it for, and maybe we can figure
out whether there's a better solution?

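Savard's point above (an 8-bit block cipher is a monoalphabetic substitution on 256 symbols) and Wagner's (any such cipher is trivially insecure because of the block size, whatever its internals) are the same fact, and it is worth seeing why in code. This is an added example, not from either post: the "cipher" is a keyed permutation of the 256 byte values applied block by block, and the two attacks are frequency analysis, which survives any such substitution, and a known-plaintext attack that recovers the whole key from at most 256 bytes of known plaintext, after which every later message under that key is readable. The sample texts and function names are constructed for the example.

```python
import random
from collections import Counter


def make_byte_cipher(seed):
    """An '8-bit block cipher' is exactly a bijection on the 256 byte values, i.e. a
    substitution table; the key IS the table. Seeded so the example is reproducible;
    a real key would come from a CSPRNG, and it would not help."""
    table = list(range(256))
    random.Random(seed).shuffle(table)
    inverse = [0] * 256
    for p, c in enumerate(table):
        inverse[c] = p
    return table, inverse


def ecb_encrypt(table, data):
    return bytes(table[b] for b in data)


def ecb_decrypt(inverse, data):
    return bytes(inverse[b] for b in data)


def histogram_shape(data):
    """Sorted byte frequencies. A monoalphabetic substitution cannot change this, so
    the plaintext's statistics are visible in the ciphertext."""
    return sorted(Counter(data).values(), reverse=True)


def most_frequent_byte(data):
    """In English text the most frequent ciphertext byte is almost always the space."""
    return Counter(data).most_common(1)[0][0]


def recover_codebook(known_pt, known_ct):
    """Known-plaintext attack: each (p, c) byte pair reveals one of the 256 table entries,
    so 256 bytes of known plaintext covering every value recover the entire key."""
    book = {}
    for p, c in zip(known_pt, known_ct):
        if book.setdefault(c, p) != p:
            raise ValueError("inconsistent pair: not a fixed substitution")
    return book


def decrypt_with_codebook(book, ct):
    """Read any later ciphertext whose bytes were all seen before (KeyError otherwise)."""
    return bytes(book[c] for c in ct)
```

A larger block does not change the codebook nature of ECB, only the size of the codebook; with 64- or 128-bit blocks it stops being enumerable, and a chaining or counter mode stops identical blocks from encrypting identically.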
------------------------------

From: "Cristiano" <[EMAIL PROTECTED]>
Subject: Re: NIST Random Generator Test Suite Results
Date: Sat, 14 Oct 2000 19:38:43 +0200

> : Cristiano wrote:
>
> :> I use this C routine (**warning** UBYTE is unsigned long):
>
> : Gee, you're going to upset Tom St.Denis and Tim Tyler.
>
> Indeed.  I demand the offending identifier be renamed forthwith! ;-)

I don't understand but thanks to Jason I found a good prog so the "offending
identifier" doesn't exist any longer. :-)

Cristiano



------------------------------

From: Greggy <[EMAIL PROTECTED]>
Subject: Re: Why trust root CAs ?
Date: Sat, 14 Oct 2000 17:44:05 GMT

Only on that one PC.

> So who do you then exchange information with a modicum of trust?
> Only your bank, and that portion of the population who also trust
your bank.
> Result = 1 Island of Isolation.
>
> The whole CA concept is fundamentally flawed.
>
> Lyal
>
> Greggy wrote in message <8s8ro8$66$[EMAIL PROTECTED]>...
> >
> >> I don't think it was ever ment to prove anything.  You have to
begin
> >> your root trust with something that YOU trust.  You don't prove it,
> >you
> >> trust it.  It proves the rest of the certificates for you.  You
don't
> >> have to trust the others, but you do have to trust the root.  To
that
> >I
> >> say, Why should I trust anyone other than my bank?
> >
> >Hey, what an idea - make my bank my root certificate and get rid of
all
> >the rest.  I go down to the branch office and get their certificate
> >directly and install it as the only certificate on my machine.  That
> >would be the only way it could work for me.  More work, yes, but real
> >security because I know I have the right certificate.  I don't have
to
> >trust anyone other than my bank.
> >
> >I'm going to try this on one of my machines I will set aside for
online
> >banking only.  The others can browse away at other things as they
> >desire.  What an idea...
> >
> >
> >Sent via Deja.com http://www.deja.com/
> >Before you buy.
>
>

--
If I were a cop, I would refuse to go on any no knock raid.
But then, I am not a cop for basically the same reasons.


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: "Stephen M. Gardner" <[EMAIL PROTECTED]>
Subject: Re: What is meant by non-Linear...
Date: Sat, 14 Oct 2000 12:57:05 -0500

Bryan Olson wrote:

> Stephen M. Gardner wrote:
> [...]
> > A better definition might be a transformation T is linear if
> > T(x+y) = T(x) + T(y) and T(ax) = aT(x).  The equation y = 2x over
> GF(3)
> > satisfies this criterion but doesn't lie on a line in a Cartesian
> > coordinate system.
>
> We should note that the variable "a" in the rule for multiplication
>     T(ax) = aT(x)
> is restricted to some scalar (constant), unlike the "y" in the rule
> for addition.  We do not, for example, require that T(x*x) = x*T(x).

    Yup. Good point. I should have mentioned that.

--
Take a walk on the wild side: http://www.metronet.com/~gardner/

There is a road, no simple highway, between the dawn and the
dark of night. And if you go no one may follow. That path is
for your steps alone.
    The Grateful Dead ("Ripple")



------------------------------

From: "Stephen M. Gardner" <[EMAIL PROTECTED]>
Subject: Re: What is meant by non-Linear...
Date: Sat, 14 Oct 2000 13:02:18 -0500

Mok-Kong Shen wrote:

> "Stephen M. Gardner" wrote:
> >
>
> > A better definition might be a transformation T is linear if T(x+y) = T(x) +
> > T(y) and T(ax) = aT(x).  The equation y = 2x over GF(3) satisfies this
> > criterion but doesn't lie on a line in a Cartesian coordinate system.
>
> I understand this to mean that linearity is with respect
> to the ring. Now it follows that 'linearity' without
> qualification is fuzzy and hence 'non-linearity' without
> qualification is also (perhaps more) fuzzy. Or do I miss
> something?

    Well, actually,  definitions of a linear space require a field, not a ring.  If
the 'multiplication' isn't abelian and doesn't support an inverse then it's not a
very fun space to play in. ;-)


--
Take a walk on the wild side: http://www.metronet.com/~gardner/

There is a road, no simple highway, between the dawn and the
dark of night. And if you go no one may follow. That path is
for your steps alone.
    The Grateful Dead ("Ripple")



------------------------------

From: [EMAIL PROTECTED] (Vernon Schryver)
Subject: Re: Why trust root CAs ?
Date: 14 Oct 2000 12:03:09 -0600

In article <8s8p7i$uhp$[EMAIL PROTECTED]>,
Greggy  <[EMAIL PROTECTED]> wrote:

> ...
>> While you can trust the WSJ or your local
>> newspaper somewhat more than CAs repository
>> (how many keys could you improve by distributing
>> some unmarked cash?), it is a hassle to transfer
>> your bank's public key from a paper newspaper
>> into your browser compared to letting your
>> browser ask a CA.
>
>You are stating that ease of use is a good benefit.  Ease of use is
>contrary to the concept of verification.  Verification involves work.

"Verification" or authentication is not a boolean that you either have or
do not have.  Like all other security related things, authentication is
a continuous variable.  You can have a little or a lot, although it is
hard to have absolutely none and impossible to have absolute confidence.

Ease of use is valuable to increase security.  Security machinery that is
too much trouble does not get used.  If you make authentication too
painful, as it would be if people had to manually copy public keys from
newspapers into their browsers, then people would not use it.  Never mind
the practicality of even the WSJ publishing only weekly the 50,000,000
public keys that the commercial CA's hope to start out with.


>You are putting the verification work back onto the shoulders of the
>CA.  That means you are trusting them to verify it for you and then
>supply it in an electronic form so you don't have to verify it yourself.

Yes, that is true.  It is also certainly true that the odds that someone
at the CA has been bribed or simply made a mistake to mess up a given
certificate are so very low that they're not worth worrying about.
Your liabilities should that happen are even less significant.

The reasons to laugh at Verisign's advertising matter only at those
outfits that Verisign wants to bill $400 or more per year.


>But if you won't bother to verify it, then why have it at all?  What is
>the point of it?
>
>If ease of verification is important then I suggest the banks use ECC
>instead of RSA.

Any claim that any security is a boolean or that anything is either
completely secure or not worth bothering about is wrong.  Security is not
black and white.  Just as there are good and sufficient reasons for using
ciphers other than one time pads, there are good reasons to use a
commercial CA.

I think that worrying whether you have the right www.amazon.com is silly,
since your liability even for a stolen credit card number is trivial.
However, if you do want to worry about superduper crackers fooling your
DNS resolver and then spoofing Amazon's web site, then the commercial CA's
are convenient, useful, and far more than sufficient.  On the other hand,
if you are wiring $100M to keep Amazon.com afloat for a little longer,
then I hope you use something more secure than a Verisign class 3
certificate.

If commercial certificates were practically free (both in money and
hassles) to those who must pay those $400/year bills, then they would be
worthwhile.  As it stands, Verisign's fees for certificates are like
Verisign/NetworkSolution's supposed registry and registrar costs.  It is
hard to see how to spend $35/year/domain to maintain that database, and
I can't see how $400 (or even Thawte's $200) does not mostly buy "peace
of mind for your customers" as opposed to anything related to technical
security.

In other words, I doubt it is a coincidence that there were complaints
about unsolicited bulk advertising email (spam) from both Verisign
and Network Solutions before they merged.  I think those complaints
are clues about their common nature.  They're more about marketing than
technical stuff.


Vernon Schryver    [EMAIL PROTECTED]

------------------------------

From: "Stephen M. Gardner" <[EMAIL PROTECTED]>
Subject: Re: What is meant by non-Linear...
Date: Sat, 14 Oct 2000 13:27:32 -0500



Tim Tyler wrote:

> Stephen M. Gardner wrote (in response to a post of mine):
>
> :     The problem with your 'straight line' definition is that I don't think it
> : maps very intuitively to finite fields. [...]
>
> You have to think of the field as wrapped into a torus.  Apart from that
> there seem to be no special problems.

    I'm not talking about the fact that the field is finite per se. It is not a
question of just wrapping it around to avoid the fact that it doesn't fill the
plane. (As a matter of fact, it could be argued I think, that GF(3) sort of does
fill the plane anyway in that GF(3) is just Z3 with multiplication defined in the
usual way. All the integers are there in Z3, they just can be replaced for
convenience by the smallest element of each equivalence class defined by the
congruence). The thing I was trying to get at is that the points do not lie on a
line.  Now if you're going to get all topological on me ;-) with some convoluted
torus then we are going to have to haggle about what a straight line even is in a
finite field mapped onto some screwball non-euclidean manifold.  The most natural
definition I guess would be in terms of geodesics in the manifold onto which you
plot the points corresponding to the finite field.  If the points aren't a subset
of the points along the geodesic then those finite field points aren't on a
"line".   In any case, the "lies along a line" definition isn't so good when we are
talking finite fields.


--
Take a walk on the wild side: http://www.metronet.com/~gardner/

There is a road, no simple highway, between the dawn and the
dark of night. And if you go no one may follow. That path is
for your steps alone.
    The Grateful Dead ("Ripple")



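The exchange above (Gardner, Mok-Kong Shen, Tyler) turns on "linear with respect to which field", and the setting where that distinction actually bites in cryptography is GF(2^n). Here is an added example, mine and not any poster's, in GF(16) (the AES S-box does the same in GF(2^8)): the map x -> x^2 satisfies T(x + y) = T(x) + T(y), so it is linear over the prime field GF(2), but it fails T(ax) = aT(x) for scalars a from GF(16) itself, while field inversion, the core of the AES S-box, is not even additive. Assumptions: the reduction polynomial x^4 + x + 1 and the function names are my choices.

```python
MOD = 0b10011   # x^4 + x + 1, my choice of irreducible polynomial defining GF(16)
FIELD = range(16)


def gf16_mul(a, b):
    """Multiply two GF(16) elements (4-bit ints read as polynomials over GF(2))."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:
            a ^= MOD
    return r & 0xF


def gf16_inv(a):
    """Multiplicative inverse as a**(16-2); inv(0) comes out as 0, as in the AES S-box."""
    r = 1
    for _ in range(14):
        r = gf16_mul(r, a)
    return r


def additivity_failures(T):
    """Count pairs (x, y) with T(x + y) != T(x) + T(y); addition in GF(2^n) is XOR."""
    return sum(1 for x in FIELD for y in FIELD if T(x ^ y) != T(x) ^ T(y))


def is_gf2_linear(T):
    """Linear over the prime field GF(2): the only scalars are 0 and 1, so additivity
    (which already forces T(0) = 0) is the whole condition."""
    return additivity_failures(T) == 0


def is_gf16_linear(T):
    """Linear over GF(16) itself: additive AND T(a*x) = a*T(x) for every scalar a in GF(16)."""
    return is_gf2_linear(T) and all(
        T(gf16_mul(a, x)) == gf16_mul(a, T(x)) for a in FIELD for x in FIELD)


def scale_by(c):
    """The GF(16) analogue of y = 2x over GF(3): linear over both fields."""
    return lambda x: gf16_mul(c, x)


def frobenius(x):
    """x -> x^2: additive in characteristic 2, hence GF(2)-linear, but (ax)^2 = a^2 x^2
    differs from a x^2 unless a^2 = a, so it is not GF(16)-linear."""
    return gf16_mul(x, x)


def inverse(x):
    """x -> x^-1 (0 -> 0): not additive, which is what makes it useful in an S-box."""
    return gf16_inv(x)
```

So "non-linear" in a cipher design almost always means "not linear over GF(2)", the field in which XOR is addition, and a map can be non-linear over the extension field while still being perfectly linear over GF(2), which is the case an attacker cares about.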

------------------------------

From: "Paul Pires" <[EMAIL PROTECTED]>
Subject: Re: Is it trivial for NSA to crack these ciphers?
Date: Sat, 14 Oct 2000 11:27:55 -0700

<snip>
> I suppose one could assert the "not invented here" philosophy
>as the primary reason the government uses secret ciphers to
>contain secret data. But no one disputes that there are genuine
>cryptography experts at Ft. Meade that believe their ciphers
>are the best and most secure in the world.

Why assume bad intent and godlike powers when a practical
reason exists. Public crypto thrives on disclosure. But, there's
no such thing as a free lunch. So, that confidence arrived at
by disclosure costs security. Twofish would be much harder
to deal with if no-one knew the algorithm.

Private crypto is further enhanced by secrecy. If you can
control both sides of the transaction and your goal is secrecy,
why would you find value in disclosing the method? Everybody
screams "But you can't expect an algorithm to remain secret"
For them it's a "so what?". They have the benefit of the extra
security until it is discovered. Where do they lose by keeping it
secret?

Sounds like an obvious practical strategy based upon their needs
and resources to me.

I bet they have a completely different security "culture" since
they live in a completely different world. Why suspect that they
have similar goals and beliefs as the "outside world"? They are
exposed to different knowledge and experience and are driven
by different objectives.

I suspect that they don't use standard ciphers because there is
no advantage for them. They are off in a different direction.
In asking what that direction might be consider this,
if conventionality and public scrutiny are minuses, why not
develop cipher agility. Fast parameterized rule based algo
construction with quantifiable security within practical bounds.
Paul







------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
