Cryptography-Digest Digest #219, Volume #13 Sat, 25 Nov 00 03:13:00 EST
Contents:
Re: PLEASE DON'T HELP Re: How to find celebrity ("Alex Chacha")
Re: RSA funny stuff (Shawn Willden)
Re: A Simple Voting Procedure (David Schwartz)
Re: A Simple Voting Procedure (David Schwartz)
Re: A Simple Voting Procedure (David Schwartz)
Re: A Simple Voting Procedure (Darren New)
Re: RSA funny stuff (John Savard)
Re: hash-breaking question (Dido Sevilla)
Re: A Simple Voting Procedure (David Schwartz)
Re: hash-breaking question (David Schwartz)
Re: Entropy paradox (Scott Craver)
Death of Richard Ankney (Jason Canon)
does faster FPU and large cache improve en/decryption speed? (dave)
Re: Random function ("Douglas A. Gwyn")
Re: voting through pgp (David A Molnar)
----------------------------------------------------------------------------
From: "Alex Chacha" <[EMAIL PROTECTED]>
Subject: Re: PLEASE DON'T HELP Re: How to find celebrity
Date: Fri, 24 Nov 2000 17:25:02 -0800
"David A Molnar" <[EMAIL PROTECTED]> wrote in message
news:8vjcsf$466$[EMAIL PROTECTED]...
> Paul Crowley <[EMAIL PROTECTED]> wrote:
> > I wouldn't mind so much if the slightest effort had gone into attacking
> > the problems before asking for help, but it's clear that the homework
> > question has been read off the assignment and typed into the browser
> > without ever passing through the brain.
> Is there a way to build problem set problems such that they have some kind
> of "tracing" properties? It seems that there will always be an attack
> from semantics - if a student understands the problem, he or she can write
> out and post an equivalent problem. Maybe we don't care about that,
> though, on the grounds that at least it's better than cut and paste?
It would be even more entertaining to give the answer which has a tracing
property that the instructor would then suspect is not the answer of the
student. Sort of like doing 2+2 via for(s=0,i=0;i<2;++i) s+=2; It would be
obvious that if a student is asked the problem (of 2+2), they are not
capable of producing a simplification of a much more complex solution.
------------------------------
From: Shawn Willden <[EMAIL PROTECTED]>
Subject: Re: RSA funny stuff
Date: Fri, 24 Nov 2000 18:56:30 -0700
Tom St Denis wrote:
> hehehehe... as if people honestly believe a little logo means it's
> secure... hahahaha
I think the presence or absence of familiar and "trusted" logos and icons
is all most people have to go on when evaluating security. For the average
user, the establishment of a truly trustworthy logo (meaning one whose use
is carefully controlled, and which is applied only to products that have
passed rigorous security analyses) would be a very good thing.
Shawn.
------------------------------
From: David Schwartz <[EMAIL PROTECTED]>
Subject: Re: A Simple Voting Procedure
Date: Fri, 24 Nov 2000 18:31:24 -0800
"Trevor L. Jackson, III" wrote:
> If you consider the behavior of a voter whose vote was not counted correctly (the
> problem for which this proposal is a purported solution) against the behavior of a
> voter who wishes to invalidate the legitimacy of the election you will find them
> identical.
>
> That similarity is a Bad Thing.
*sigh* Has anyone been following this thread? I wasn't advocating this
scheme. Its sole purpose was to demonstrate that a scheme could have
property 1 and not have property 2.
DS
------------------------------
From: David Schwartz <[EMAIL PROTECTED]>
Subject: Re: A Simple Voting Procedure
Date: Fri, 24 Nov 2000 18:33:16 -0800
Darren New wrote:
>
> David Schwartz wrote:
> > Actually, this argument is even incorrect. Suppose P1 requires the use
> > of some code number that was given to me but that I could forget.
> > Someone can point a gun at my head and demand that I "Do P1", but if I
> > never recorded my receipt or destroyed it, I still can't do it.
>
> If you can't prove it to the dictator, then you can't prove it to the judge.
> Hence, you lose the "P1 and not P2" quality. Instead, you're supposing
> there's a "(P1 and P2) or (not P1 and not P2), at my choice" quality. Now,
> that may be sufficient, but that wasn't the requirement stated.
>
> Mr Bond, we're now going to torture you. If you prove you voted for me,
> we'll release you. If you prove you voted for my opponent, we'll let you
> die. If you can't prove either, we'll just keep torturing.
This can happen in *ANY* voting scheme. Even with current paper
schemes, a dictator can demand that you prove you voted a particular way
and if you don't or can't he can torture you. This has nothing to do
with the properties of any scheme. In fact, this could happen even in a
scheme where it's impossible to prove you voted any way under any
circumstances. If someone wants to torture you no matter what, no
cryptographic scheme will stop them.
DS
------------------------------
From: David Schwartz <[EMAIL PROTECTED]>
Subject: Re: A Simple Voting Procedure
Date: Fri, 24 Nov 2000 18:34:46 -0800
Dan Oetting wrote:
> An Even Simpler Voting Procedure:
>
> 1. Each voter privately enters a vote in the system.
> 2. At the end of the voting period the system prints the totals.
>
> P1 is satisfied by the voter witnessing his own act of voting.
>
> P2 is not satisfied because no one else has witnessed the act of voting
> and there is no record of how an individual voted.
>
> -- Dan Oetting
I would argue that P1 is not satisfied because a vote could get lost in
the process, say if the results from one particular machine are not
tallied into the final count. The point of P1 is that the voter can
track his vote from where he cast it all the way to its place in the
final results.
DS
------------------------------
From: Darren New <[EMAIL PROTECTED]>
Subject: Re: A Simple Voting Procedure
Date: Sat, 25 Nov 2000 02:49:29 GMT
David Schwartz wrote:
> This can happen in *ANY* voting scheme.
Not really. The dictator cannot torture you until you prove who you voted
for in the current scheme, because there's no way to prove right now.
In any case, by focussing on the example, you've managed to avoid actually
answering the point I made, which is that you cannot have P1 and avoid P2 at
the same time. You must choose whether to have both or whether to have
neither. That may be sufficient, but it's not what was requested.
--
Darren New / Senior MTS & Free Radical / Invisible Worlds Inc.
San Diego, CA, USA (PST). Cryptokeys on demand.
Both democracy and capitalism are attempts to make
greed and selfishness work for the greater good.
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: RSA funny stuff
Date: Sat, 25 Nov 2000 02:49:34 GMT
On Fri, 24 Nov 2000 12:16:40 GMT, Tom St Denis <[EMAIL PROTECTED]>
wrote, in part:
>hehehehe... as if people honestly believe a little logo means it's
>secure... hahahaha
While people don't believe that, it is true that using a secure
algorithm isn't everything. An implementation can have problems too.
John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: Dido Sevilla <[EMAIL PROTECTED]>
Subject: Re: hash-breaking question
Date: Sat, 25 Nov 2000 11:22:33 +0800
[EMAIL PROTECTED] wrote:
>
> I have a question regarding the security of cryptographic hash
> functions such as SHA-1.
>
> If I hash a secret value X and a known salt value Y with cryptographic
> hash algorithm H, and then I hash X and a known salt value Z with H,
> can the known values H(X|Y), Y, H(X|Z), and Z be used by an attacker to
> efficiently recover the secret value X?
>
You still need to be able to "reverse" H, or find collisions for H. Any
hash function worth its salt (pardon the pun) should be designed to
resist such attacks. Having the hash values for X with two different
(and known) salt values will certainly narrow the search for which of
these collisions are actually X, but won't make it any easier to get
these collisions in the first place...
--
Rafael R. Sevilla <[EMAIL PROTECTED]> +63 (2) 4342217
ICSM-F Development Team, UP Diliman +63 (917) 4458925
OpenPGP Key ID: 0x0E8CE481
------------------------------
From: David Schwartz <[EMAIL PROTECTED]>
Subject: Re: A Simple Voting Procedure
Date: Fri, 24 Nov 2000 19:37:10 -0800
Darren New wrote:
>
> David Schwartz wrote:
> > This can happen in *ANY* voting scheme.
>
> Not really. The dictator cannot torture you until you prove who you voted
> for in the current scheme, because there's no way to prove right now.
Sure there is. You sneak a camera into the voting room with you and
photograph yourself voting.
> In any case, by focussing on the example, you've managed to avoid actually
> answering the point I made, which is that you cannot have P1 and avoid P2 at
> the same time. You must choose whether to have both or whether to have
> neither. That may be sufficient, but it's not what was requested.
No, you can have P1 and not P2. You can keep your GUID but claim that
you haven't. Nobody would have any way to tell whether a GUID that you
did give them was yours, so it's no different than you swearing that you
voted a particular way, which is possible in any system. You can never
prove to anyone that you voted any particular way (which is fine, since
you *know* you voted and it's nobody else's business). And you can also
be 100% sure your vote was counted.
DS
------------------------------
From: David Schwartz <[EMAIL PROTECTED]>
Subject: Re: hash-breaking question
Date: Fri, 24 Nov 2000 19:38:33 -0800
[EMAIL PROTECTED] wrote:
>
> I have a question regarding the security of cryptographic hash
> functions such as SHA-1.
>
> If I hash a secret value X and a known salt value Y with cryptographic
> hash algorithm H, and then I hash X and a known salt value Z with H,
> can the known values H(X|Y), Y, H(X|Z), and Z be used by an attacker to
> efficiently recover the secret value X?
No, but it would provide the attacker a simple test to determine
whether a particular string is in fact X. So if X is small, he can brute
force it.
DS
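An added illustration of the two replies above (not code from the digest or its posters): with Y, H(X|Y), Z and H(X|Z) public, nothing about H is reversed, but any guess for X can be confirmed offline, so the defender's only lever is the size of X's keyspace and the cost per guess. The secret, salts and iteration count are constructed values; the hardened variant swaps plain SHA-1 for PBKDF2-HMAC-SHA1 to raise that per-guess cost.

```python
import hashlib
import hmac

# Constructed sample values (not from the original post): a low-entropy
# secret X and two publicly known salts, as in the question's H(X|Y), H(X|Z).
SECRET_X = b"4271"
SALT_Y = b"salt-Y"
SALT_Z = b"salt-Z"
PBKDF2_ITERATIONS = 100_000  # assumed work factor for the hardened variant


def h_concat(x: bytes, salt: bytes) -> bytes:
    """H(X|Y) exactly as asked: one plain SHA-1 over the concatenation."""
    return hashlib.sha1(x + salt).digest()


def published(x: bytes):
    """What the attacker is assumed to see: (Y, H(X|Y), Z, H(X|Z))."""
    return SALT_Y, h_concat(x, SALT_Y), SALT_Z, h_concat(x, SALT_Z)


def is_candidate(cand: bytes, salt_y: bytes, hy: bytes,
                 salt_z: bytes, hz: bytes) -> bool:
    """Schwartz's 'simple test': the public values confirm or reject one
    guess for X. Both salted hashes must match, which also rules out a
    chance collision under a single salt (Sevilla's point)."""
    return (hmac.compare_digest(h_concat(cand, salt_y), hy)
            and hmac.compare_digest(h_concat(cand, salt_z), hz))


def expected_guesses(alphabet_size: int, length: int) -> int:
    """Average number of test-oracle calls for exhaustive search over X:
    half the keyspace. This, not any weakness of H, bounds the attacker's
    work, so a 4-digit X costs about 5000 SHA-1 computations."""
    return alphabet_size ** length // 2


def hardened_tag(x: bytes, salt: bytes,
                 iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Defender's mitigation when X cannot be made high-entropy: derive the
    published value with a slow KDF so each oracle call costs `iterations`
    HMAC evaluations instead of one hash. Output is 20 bytes for SHA-1."""
    return hashlib.pbkdf2_hmac("sha1", x, salt, iterations)


def is_candidate_hardened(cand: bytes, salt_y: bytes, ty: bytes,
                          salt_z: bytes, tz: bytes,
                          iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Same test against the hardened tags; the check itself still works,
    it is just `iterations` times more expensive per guess."""
    return (hmac.compare_digest(hardened_tag(cand, salt_y, iterations), ty)
            and hmac.compare_digest(hardened_tag(cand, salt_z, iterations), tz))


if __name__ == "__main__":
    y, hy, z, hz = published(SECRET_X)
    print("correct guess confirmed:", is_candidate(SECRET_X, y, hy, z, hz))
    print("wrong guess rejected:", not is_candidate(b"0000", y, hy, z, hz))
    print("expected guesses for a 4-digit X:", expected_guesses(10, 4))
    print("expected PBKDF2 work for the same X:",
          expected_guesses(10, 4) * PBKDF2_ITERATIONS, "HMAC calls")
```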
------------------------------
From: [EMAIL PROTECTED] (Scott Craver)
Subject: Re: Entropy paradox
Date: 25 Nov 2000 03:48:23 GMT
Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>Well, as discussed some time ago, BBS depends on the validity
>of some assumptions and the security is certainly not the
>same as the theoretical OTP. (Provable security is in fact
>often a loose terminology.)
That's not a problem; we can make those assumptions
for the purpose of this discussion. However, I was
raising a more semantic issue: it is the generator
that may be "provably" secure, not a bit string u.
>As mentioned elsewhere, the 'problem' is a practical one.
>Suppose we can't brute force the BBS (given a large m and
>a good construction, this is certainly achievable), then
>the output of it is as good as a perfectly random one (if
>such can be known to exist) for our purpose and can hence
>be accorded full entropy ('subjective' entropy in the term
>of Matt Timmermans).
Okay, but once you start using _that_ definition
consistently, the paradox again vanishes. Only
if you use both at once will you get a problem.
Consider: with this practical notion of entropy,
what is so paradoxical of getting more information
out than you put in? That's only impossible with
the usual definition. Take your definition, and
see if the Data Processing Inequality can still
be proven---THEN you'd have a paradox.
If we are very pessimistic about eventual human
ability to determine the seed for a pseudo-random
string, you could imagine combining a bunch of
irrational numbers in some way, and taking the
output bits in binary (maybe processed some more,
to throw people even more off the trail.) The
binary expansion of e*sqrt(153)^pi, with all the
bits thrown out whose position is not a prime number.
Say. Now you have an _infinite_ bit string. It
is thus easy to imagine, if entropy has a practical
definition, that you can pull infinitely much
of it from nowhere.
>M. K. Shen
-S
------------------------------
From: [EMAIL PROTECTED] (Jason Canon)
Subject: Death of Richard Ankney
Date: Sat, 25 Nov 2000 04:30:02 GMT
Greetings,
Rich Ankney was a regular reader, and occasional poster,
to this newsgroup. Enclosed, is a message I received
about him.
Jason
******************************************************************
All:
I'm sure I've inadvertently left out of this address list some of
Rich's friends and work associates who would like to receive this
message, so please pass this on.
As some of you might have heard, Richard Ankney passed very suddenly
this last Sunday night. It was a freak accident - he tripped going
down his stairs and fell hard into the metal part of the heavy-duty
vacuum he always kept at the bottom of his stairs for convenience. He
was fine beforehand, and was just going downstairs for some extra
bedding. If only he'd hit the drywall instead... It happened very
quickly and he died very quickly; neither his friends who called 911
nor the paramedics who arrived quickly could save him.
Rich loved humor of all sorts; I suspect that after he got over being
mad at himself for his unexpected departure, he would have said that
it was amusing that he was killed by a vacuum standing innocently in
the same place for many years. But this is not a joke. Rich leaves two
brainy great kids who are now wishing they could just wake up from
this bad dream. The world makes no sense right now, and it will not be
the same without his sharp intellect and humorous, good-hearted,
very special personality.
We are all lucky to have known his friendship, intelligence, and the
pleasure of working with him. The technical working groups that Rich
actively participated in include PKIX, SMIME, FPKI, X9F1-9, and
ASTM. Rich thought very highly of you all and he just loved working
with you.
I think a memorial fund for his children's education is likely to be
set up by the family; I'll keep you informed when arrangements have
been settled.
Helen, his ex-wife and mother of his children, has provided the
following information about the funeral arrangements:
"Please forward this information to anyone else who is interested:
Visitation - Sunday, November 26 - 3:00 - 5:00 p.m.
Reith, Rohrer & Ehret Funeral Home - Goshen, Indiana
(219) 533 - 9547
Mass - Monday, November 27 - 9:30 a.m.
St. John the Evangelist Catholic Church
Goshen, Indiana
Burial - Fairview Cemetery - Mishawaka, Indiana (219) 255-2523
A number of people (his friends, associates, and Washington DC-metro
area family) have expressed strong interest in getting together to do
a memorial service sometime after Thanksgiving, so that we can all
share whatever we feel moved to share about having known Rich.
Also, if anyone is interested in writing down a sentence, paragraph or
page of the things you would like to share and/or have his family know
and remember, please do so... I was thinking that if anyone did, we
could collect them for the family to keep; this would be a remembrance
of Rich as the multifaceted unique individual he was, who touched so
many lives and helped to create the shape of so many technical issues
as well.
If you are interested in either the memorial event or jotting anything
down, please let me know. His other friends and I will be in touch
with the family both here and in Indiana.
I may be reached at this email: [EMAIL PROTECTED]
(please be sure to leave your name and phone):
Alternately, his friend Kent Reeve may be contacted as well. He can
be reached at [EMAIL PROTECTED]
Tina Fox
------------------------------
From: dave <[EMAIL PROTECTED]>
Crossposted-To: comp.security.pgp,comp.security.pgp.tech
Subject: does faster FPU and large cache improve en/decryption speed?
Date: Fri, 24 Nov 2000 00:27:38 +0100
If yes, to what extent? Is this very different from CPU to CPU and algo
to algo? Are there any commercial CPUs which are generally more
suitable for encryption? I'm mostly thinking about symmetric encryption
of large files.
thanks, Dave
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Random function
Date: Sat, 25 Nov 2000 02:17:25 -0500
Piotr P. Karwasz wrote:
> If you take y=tan(x) and apply this function many times the result seems
> unpredictable. Is it true?
Of course not; it can be "predicted" by iterating the
function that same finite number of times.
------------------------------
From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: voting through pgp
Date: 25 Nov 2000 04:59:21 GMT
Trevor L. Jackson, III <[EMAIL PROTECTED]> wrote:
>> we'd have to make sure that the results didn't leak until
>> after the close of the polls. This might be difficult.
> IMHO "calling" the election is the expression of an opinion rather than fact.
> Reporting the votes tallied so far would be reporting facts. If the news
> media avoided reporting opinions and reported only the facts then their
> reports would tend to _increase_ the turnout in the precincts still open
> rather than discouraging it.
OK. I assumed that we would want to keep the voting totals secret until
after the election is over. You are right to point out that if counting
is instantaneous, then there is no technical reason why that should be
so and it may be preferable to have fact over misinformation.
> An active ballot can provide an unambiguous summary display of the votes to be
> cast. When the voter executes the commit action the votes are not subject to
> further interpretation by any agency, including the voter, election officials,
> or courts.
Sounds like a good idea. Of course the active ballot had better damn
well be bug free...
> You probably didn't have elected officials removed from office for election
> fraud. Florida did. The deposed Mayor of Miami secured a position with a
> political party as the person responsible for the absentee ballots that he has
> used to cheat in his election. C.f., a recent post in this ng by Paul Pires.
Wow. We just have the Mob. (*had* the Mob).
I think the point still stands, though -- if people are being turned
away from the polls or "disqualified" from voting based on bogus
reasons, the fact that the voting machine is electronic is irrelevant.
>> * Recounts by machine are less reliable than recounts by
>> hand.
> What units are you using for reliability? I suspect machine tallies are more
> repeatable than human tallies. I suspect this repeatability is a foundation
> for accuracy and thus trust.
Sorry, I should have said "are perceived to be less reliable."
I was also going by figures of 2%-5% error for machine voting which I've
heard from news reports. This is why candidates (claim) to be asking for
hand recounts, after all.
I agree that repeatability is key. Repeatability strikes me as the
potential big win for an automated system, as long as there is some kind
of "hand recount" which can get the same results.
That is, if the counting procedures of the computer system are called
into question, there must be some "manual" way of re-doing the count.
Because anything automated can have charges of "tampering" or "bugs"
mounted against it. So there have to be at least two separate ways of
counting...and ideally they'll all match.
> Feedback to the voter that enables the ballot interpretation to occur prior to
> the voter exiting the voting booth seems to be key in eliminating the voter
> confusion and ballot interpretation issues.
I like this idea of an active ballot. I think we have to be careful
though, about two things:
* bug-freeness of the active ballot mechanism. resistance to
corruption. also resistance to misinterpretation. These are
software engineering, computer security, and user interface
design problems.
* the finalize step -- make very sure that people understand
that it is final. and make sure that it cannot be appealed
because of "problems with the machine." and also how do we
know a voter really did finalize a ballot?
> Electronic processing might close the temporal gap that attends absentee and
> overseas ballots. Consider a ballot transport system designed around secure
> comm protocols that allowed a person to submit their ballot to an out-of-state
> or overseas polling booth within the normal voting hours on election day. The
> booth would cryptographically secure the contents of the ballot for immediate
> delivery to the home-state election counting mechanism. Post offices could
> offer the facility.
I was thinking about this. For the military it could piggyback on the
existing communications channels they have...but I don't know anything
about the suitability of such channels for this purpose. Outside the
military, it's a tossup. Not everywhere has network connectivity.
I used to live in Saudi Arabia; they had a few BITNET connections,
an (expensive) X.25 network, and that was about it for years.
Maybe this will change or satellites will rescue us. It looks like an
engineering challenge. Which means it may not happen immediately.
One potential problem - currently only a limited number of absentee
ballots are mailed abroad for expatriates and military personnel.
What if we accidentally implement a system in which these remote
terminals can be used to vote an unbounded number of times?
What happens when the Republic of Foo freedom fighters silently
break into the embassy and use its terminal to cast 938 votes in
Florida?
> Is crypto up to providing the security equivalent to a postmarked and signed
> hardcopy document? In the minds of the voters?
You know, I have to think about that.
> To pick on an eminent authority, B. Silverman has communication issues with a
> non-trivial fraction of the posters in this forum. Imagine the conversation
> given an audience of ancient Floridians. Perhaps the present system is not
> as bad as some alternatives.
I appreciate the humor, but I doubt that B. Silverman will be the one
explaining future voting schemes to the Florida or any other electorate.
(Though I should let him speak for his own intentions).
It seems more likely to me that if we were to go down this route, we
would find (or train) a small legion of people to explain the new voting
scheme. Look at the public education effort surrounding the Census and
the new dollar coin. These people would no doubt acquire proficiency in
explaining the voting scheme to ancient Floridians.
Either that or the change would just happen and only a few people will
notice.
-David
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************