Cryptography-Digest Digest #874, Volume #13 Mon, 12 Mar 01 17:13:01 EST
Contents:
Re: Potential of machine translation techniques? (Frank Gerlach)
Re: Popularity of AES (John Savard)
Re: => FBI easily cracks encryption ...? (Bart Bailey)
Re: Super strong crypto (Mok-Kong Shen)
Re: New unbreakable code from Rabin? ("Simon Johnson")
Re: Quantum Computing & Key Sizes ("Simon Johnson")
Re: arbitrary-precision arithmetic ("Cristiano")
Re: OverWrite: best wipe software? (Mok-Kong Shen)
Re: Digital enveloppe ("Simon Johnson")
Re: New unbreakable code from Rabin? (Mok-Kong Shen)
Re: Potential of machine translation techniques? (Mok-Kong Shen)
Re: OverWrite: best wipe software? ("Simon Johnson")
Re: Zero Knowledge Proof (SCOTT19U.ZIP_GUY)
Re: Noninvertible encryption ("Simon Johnson")
Re: Potential of machine translation techniques? (Mok-Kong Shen)
----------------------------------------------------------------------------
From: Frank Gerlach <[EMAIL PROTECTED]>
Subject: Re: Potential of machine translation techniques?
Date: Mon, 12 Mar 2001 21:35:09 +0100
JCA wrote:
> In article <[EMAIL PROTECTED]>, "Mok-Kong Shen"
> <[EMAIL PROTECTED]> wrote:
>
> >
> > Now that machine translation of natural languages has reached a fairly
> > advanced state,
>
> I guess the keyphrase here is "fairly advanced". Lacking as they do any
> understanding of what they are translating, automatic translators do a
> pitiful job when compared to a human.
yes, but if the japanese had some assistance from good machine translation tools,
they might have had less trouble with the "indian code". For example, a piece of
software could model grammar and assist an analyst by checking a hypothetical
translation in a lot of intercepted contexts. Software was instrumental in
deciphering ancient scripts from egypt and babylon.
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Popularity of AES
Date: Mon, 12 Mar 2001 19:36:15 GMT
On 12 Mar 2001 18:06:28 GMT, [EMAIL PROTECTED] (Dan Hargrove)
wrote, in part:
>AES is included with the new version of PGP. There must be some
>specifications for it.
The Rijndael algorithm, which is publicly known, has been selected.
But the final official standard is not yet ready, so it isn't really
legitimate to term a Rijndael implementation an AES implementation,
that's all.
John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: Bart Bailey <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,talk.politics.crypto
Subject: Re: => FBI easily cracks encryption ...?
Date: Mon, 12 Mar 2001 11:42:36 -0800
SCOTT19U.ZIP_GUY wrote:
> <~~~>
>
> What logistcis? He could have left his public PGP key among
> some of his many drops. You only need to do it once. Also when
> they gave him cash or diamonds they could have given him theres.
> It really isn't rocket science.
He could have just ran an add in a publication for , lets say a dodge
diplomat, and the name used would be the one assigned to the key on a common
keyserver. No physical contact necessary.
~~Bart~~
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Super strong crypto
Date: Mon, 12 Mar 2001 21:34:08 +0100
"Douglas A. Gwyn" wrote:
>
> Mok-Kong Shen wrote:
> > "Douglas A. Gwyn" wrote:
> > > Mok-Kong Shen wrote:
> > > > I am afraid to define and qualtify 'propagation of
> > > > information' is a task that is practically imfeasible in
> > > > the rigorous sense (which a formal treatment requires),
> > > > otherwise one could as well also decide whether a given
> > > > bit source is perfectly random.
> > > I don't understand your reasoning at all.
> > Sorry, I had a typo: 'qualify' should read 'quantify'. Is
> > that clear to you now?
>
> No, that didn't bother me. But I don't follow your reasoning.
> How would a theory of information propagation through a system
> allow one to decide whether a given bit source is perfectly
> random? That doesn't seem right to me.
May I quote myself from my response to a follow-up of
Joe H. Acker:
My point is essentially the following: If one can define and
quantify 'propagation of information' (rigorously), then
one must be able to measure the information content in
an arbitrarily given bit sequence in exact terms. If one
could do that, then one could also decide whether a given
bit source is perfectly random, for in case of perfect
randomness the information content of that source must be
exactly zero. Now the question is whether one could have
such a rigorous measure in practice. My guess is no.
M. K. Shen
------------------------------
From: "Simon Johnson" <[EMAIL PROTECTED]>
Subject: Re: New unbreakable code from Rabin?
Date: Mon, 12 Mar 2001 20:52:26 -0800
Mok-Kong Shen <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
>
> "Douglas A. Gwyn wrote:
> >
> > Under certain reasonable assumptions, a scheme such as Rabin's
> > does provide "unbreakability", suitably defined. (Whether it is
> > practical is a separate matter.) The proof is as valid as the
> > proof of perfect secrecy for OTP, which I saw in another thread
> > you also take issue with. I've pointed out before that such
> > skepticism (in the formal philosophical sense) logically entails
> > rejecting all knowledge about anything, and therefore is not
> > *practical*. It is *very* important in practice to know such
> > properties of various systems, as a guide toward implementing
> > better security. Even though real-world systems are epsilon
> > away from 100% perfect, if epslion is small enough the system
> > will be good enough to rely upon to meet our actual goals.
>
> I agree with your second to last sentence but have a little
> bit difficulty with your last sentence. In the case of
> OTP, there seems to be no rigorous method to define and
> measure that epsilon, not to say what max. epsilon one
> should use in a concrete situation. Thus, after applying a
> certain number of statistical tests, one is more or less
> left to employ one's subjectivity (or in other words,
> guesses) to decide whether a bit sequence is good enough
> to be used in the way a theoretical OTP is used.
>
> M. K. Shen
Well any sequence can be used, provided its created in a real random fashion
(which is allowed by physics). Statistical testing these random generations
is pointless, in fact if you reject pads based on statistical testing you
actually damage the security of the OTP because you effectively reduce the
size of the key-space making some decryption's slightly more likely than
others, and therefore reducing the strength of new construction to less than
perfect.
Simon.
------------------------------
From: "Simon Johnson" <[EMAIL PROTECTED]>
Subject: Re: Quantum Computing & Key Sizes
Date: Mon, 12 Mar 2001 21:04:42 -0800
Tom McCune <[EMAIL PROTECTED]> wrote in message
news:akUq6.241176$[EMAIL PROTECTED]...
> In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:
>
> >> Does this suggest that the newer PGP symmetric algorithm options of 256
> >> Twofish and AES, would be sufficient (they are twice the key lengths of
the
> >> 128 bit symmetric algorithms used by PGP at the time of that writing)?
> >
> >Yes, even with a QC it should take 2^128 work to break a 256 bit AES
> >key.
> >
> >> At least one of the papers submitted to NIST during the AES selection
> >> process suggested that brute force attacking these 256 bit algorithms
would
> >> be equivalent to factoring a 15000 bit RSA key. So if these 256 bit
> >> algorithms would withstand Quantum Computing, wouldn't that also
suggest
> >> that a 15k RSA or DH key would also withstand that attack?
> >
> >These kinds of equivalence calculations require making assumptions on
> >the type of attack used against the public key algorithm. Quantum
> >computers would provide for different kinds of attacks and so the
> >equivalence would not hold.
>
> Are these different kinds of attack theoretical possibilities only at this
> point, or are there good reasons to believe they are probable? Any
> reasonable implication as to how key sizes with such newly available
attacks
> would relate to current attacks? Such as 16k QC (new attack) equating to
4k
> "conventional" attacking? I hope that question makes sense.
>
> >> Using currently available official PGP public key sizes, would such
Quantum
> >> Computing attacking have a significant time difference in factoring a
2048
> >> bit key, instead of a 4096 bit key?
> >
> >Shor's algorithm for RSA factoring using a quantum computer takes time
> >proportional to the third power of the modulus size. So the 4096 key
> >would take 8 times longer than a 2048 bit key, which would take 8
> >times longer than a 1024 bit key, and so on. Of course you need twice
> >as big a quantum computer to handle twice as long a modulus, and that
> >might also slow things down if more time was needed for error
> >correction, etc.
>
> I should have phrased that better. Would this be a matter of breaking a
> 2048 bit key in an hour, and a 4096 bit key in 8 hours, or more like
> breaking a 2048 bit key in a week, and a 4096 bit key in 2 months?
>
> I greatly appreciate your quick, sincere, and informative reply. I can't
> believe Tom couldn't tell this is a sincere inquiry.
To be honest, QC probably wouldn't make much of a difference to public-key
cryptography. All that would happen is this size of the modulo would be
increased.... computation time for signining documents etc... would be
unchanged because the speed of computation would have also increased
(obviously)
Simon.
------------------------------
From: "Cristiano" <[EMAIL PROTECTED]>
Subject: Re: arbitrary-precision arithmetic
Date: Mon, 12 Mar 2001 22:08:28 +0100
> > prime order of 160 bits). These are the times (in seconds):
> > vlong LIP miracl
> > ECKEP 8,684 0,748 0,033 (each user)
> > ECES 4,307 0,258 0,017 (encryption)
> > ECES 2,182 0,139 0,009 (decryption)
>
> Looks like miracl is pretty damn fast, but I'm curious... I've read that
> there's a way (called "projective coordinates" or somesuch) of
> tranforming (x,y) into (x,y,z) which allows removal of all divisions but
> the last, in return for doing a few extra multiplications, which in turn
> results in a much faster point multiplication algorithm.
>
> Since, as far as I can recall, lip does not have built in ec math, I
> feel I have to ask whether or not you used projective coordinates in
> your tests. Considering how long divisions normally take, I would
> expect that this gives a very large speedup... it might make enough of a
> diffference that lip would be close in speed to miracl.
LIP is a very good package (it has many functions); but, as you recall, it
doesn't have elliptic curve and the C++ support.
My implementation of elliptic curve with LIP is highly optimized (but is not
the best): the add and doubling are performed in the same routine of
multiplication using built-in montgomery reduction (to avoid monty
initializzation every time).
With miracl and affine coordinates (instead of projective coordinates) the
speed is about 1/3:
ECKEP 0,109 (each user)
ECES 0,055 (encryption)
ECES 0,028 (decryption)
I think that the real advantage with miracl is the asm routine for
multiplication of two words and that a word (in a 32 bits platform) is 32
bits (instead of 30 of LIP).
Cristiano
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Crossposted-To: alt.hacker
Subject: Re: OverWrite: best wipe software?
Date: Mon, 12 Mar 2001 22:16:34 +0100
William Hugh Murray wrote:
>
> Mok-Kong Shen wrote:
>
> > Benjamin Goldberg wrote:
> > >
> > [snip]
> > > If I've got data on a floppy, and I want it securely erased, I copy the
> > > stuff I want to save to a new floppy, and burn the old one. Floppies
> > > are cheap. The cost of buying new floppies is lower than the security
> > > risk of downloading binaries from your website.
> >
> > Removable media, since they are now all quite cheap, should
> > be physically destroyed for preventing recovery. For hard
> > disk drives there are firms specialized in recovering deleted
> > data.
>
> Yes, there are but hard drives are cheap too. The first hard drive I ever
> purchased cost me $3K- for 10Megs. The first one I ever sold was thousands
> of dollars per meg and was the size of a refrigerator. Today I can buy
> 100Gigs for the same price with a computer thrown in. How cheap must a drive
> be for one to recommend its destruction? Seems to me we have passed the
> threshold. If the value of the residual data is so high that someone might
> be willing to pay a lab to recover it, then a few whacks with a sledgehammer
> or running it over once or twice with one's SUV seems like a good
> investment. Make the calculation in terms of the replacement cost of the
> drive, not its original purchase price.
My guess of the practical situations is that there isn't
a continuous curve relating importance of data to cost
and measure of protection, i.e. either a normal deletion
and some protection of accessibility to the hardware is
sufficient or one must really very effectively ensure
infeasibility of recovery. One history coming to my mind
of cases of the second kind is one where the law
enforcement seized the hard disk of someone in Germany
that had deleted files concerning tax relevant data
involving a very huge sum. The drive was sent to a firm
specialized in recovery to work on. In such cases the
overwriting needs to be very good, if it is to serve the
intended purpose at all. (The history happened to end well
for the person concerned, for the drive got lost on postal
way, misteriously -- by chance or perhaps not.)
I conjecture that with a really effective program (i.e.
one that the maintenance and repair people use and that
can address all sectors of the disk) to overwrite a dozen
or more times with differing bit patterns would render
recovery beyond the capability of current technology. But,
of course, physically destroying the hard drives certainly
provides more confidence for the user and, as you pointed
out, could well be afordable at current hardware prices.
M. K. Shen
------------------------------
From: "Simon Johnson" <[EMAIL PROTECTED]>
Subject: Re: Digital enveloppe
Date: Mon, 12 Mar 2001 21:24:06 -0800
br <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> I'm not talking about my system. My idea is secure as OTP.
Hrm, you stated in a previous post that the messages are encrypted 128-bit
key block algorithm.
So, saying your idea is as secure as the OTP is wrong. The algorithm's
key-space can be exhaustivly searched to find a correct decryption. The same
can be done with an OTP but rather than finding a single valid decryption
(as is (usually) the case with block ciphers) you'd generate every
concievable decryption. Even attempting to claim the security of your
system is equal to that of the OTP places you in a state of true,
unforgivable sin.
> So my idea is different.
> Only the recipient can read the message whitout any knowlege or pin or
> password.
I'd like to see how this works, thanks?
> He has just to download my software.
And risk the chance of you infecting us with some virus? No thanks i'd like
source please.
> My idea seems to be not clear.
Since we have no idea what your idea is, this statement would be correct.
Simon.
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: New unbreakable code from Rabin?
Date: Mon, 12 Mar 2001 22:22:57 +0100
Simon Johnson wrote:
>
> Well any sequence can be used, provided its created in a real random fashion
> (which is allowed by physics). Statistical testing these random generations
> is pointless, in fact if you reject pads based on statistical testing you
> actually damage the security of the OTP because you effectively reduce the
> size of the key-space making some decryption's slightly more likely than
> others, and therefore reducing the strength of new construction to less than
> perfect.
I suppose you have at least to guard against hardware
failures that can happen and one is back to the issue of
tests.
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Potential of machine translation techniques?
Date: Mon, 12 Mar 2001 22:33:55 +0100
"Joe H. Acker" wrote:
>
> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>
> > An arbitrary bijective mapping of D1 to D2 can be effected
> > by doing a pseudo-random permutation of D2 (that originally
> > correspond 1-1 to D1) using a PRNG seeded by a secret 'key'.
> > Does that answers your questions?
>
> Not entirely. I was thinking about that but I don't know how to do it.
> Suppose I use a 128 bit block cipher as PRNG but only have 2^16 entries
> in my dictionary. How do I map from the 128 bit to 16 bit without
> collisions? Is it safe to just use the first 16 bit of the PRNG output?
> In practise, I have an arbitrary size dictionary that always has less
> entries than the 128 bit output can address. How would this be solved?
>
> BTW, you could create a context-free grammar for your artificial
> language pseudo-randomly based on a key as well...
The way I would use is to divide the integer from the
PRNG by the maximum of its range, obtaining a real-valued
number in [0, 1), then apply the algorithm of Dustenfeld
to perform pseudo-random permutation in the range of the
dictionary. (If the dictionary is very large, the computing
cost might force one to do some compromise, i.e. accepting
a less well done permutation somehow, I suppose.)
M. K. Shen
------------------------------
From: "Simon Johnson" <[EMAIL PROTECTED]>
Crossposted-To: alt.hacker
Subject: Re: OverWrite: best wipe software?
Date: Mon, 12 Mar 2001 21:42:02 -0800
Anthony Stephen Szopa <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Benjamin Goldberg wrote:
> >
> > Anthony Stephen Szopa wrote:
> > [snip]
> > > In addition to the prior instructions here are the new
> > > recommendations and facilities. What have I forgotten?
> > >
> > > "NOTE: For best results this program should be used only with
> > > Windows OSs and there should be no other programs running while this
> > > program is running. Maximum security from using this software
> > > results when overwriting files that are stored on 1.44MB floppy disks.
> > > Therefore, your most sensitive files should be written directly to
> > > 1.44MB floppy disks if you must be as absolutely sure as possible
> > > that this data is as nearly impossible as possible to recover once
> > > overwritten using this software. SCSI hard drives are not
> > > recommended. Nor are compressed drives. I use this software to
> > > overwrite files on my own IDE hard drives.
> >
> > Bwahahahahaha! Now that you finally figured out that there's no way,
> > using purely portable code (the stdio library), to do what you
> > originally wanted to do with hdds, you added a disclaimer limiting your
> > software's usage to only those cases in which it works, id est, the ones
> > where we don't need your software anyway.
> >
> > If I've got data on a floppy, and I want it securely erased, I copy the
> > stuff I want to save to a new floppy, and burn the old one. Floppies
> > are cheap. The cost of buying new floppies is lower than the security
> > risk of downloading binaries from your website.
> >
> > --
> > The difference between theory and practice is that in theory, theory and
> > practice are identical, but in practice, they are not.
>
>
>
> Do I detect anguish under this evasion?
>
> I told you that if you dedicate a partition of about 18,144,000
> bytes on your hard drive, for example, let's call it drive H:\, that
> you can be assured of overwriting any data you write there with
> OverWrite if you follow my recommendations.
>
> For instance, write 14 files of dummy data of about 1,296,000 bytes
> each to H:\ thus filling it up completely. Then delete, say the 7th
> file. (This is a restricted example to highlight my contention.)
> Write any sensitive data to this newly freed space in H:\ and perform
> any processing you like there within this free space on H:\.
>
> When you want to subsequently overwrite this data using Ciphile
> Software's OverWrite Utility, then delete any file(s) in this free
> space. Now delete the 6th and 8th dummy data files which bound both
> sides of this space. Now write a file of 3,888,000 bytes in this
> free space. This should completely overwrite this newly freed space
> that includes the original free space from the deletion of the 7th
> dummy file originally. Now use OverWrite to overwrite this
> 3,888,000 byte file. Overwriting a file of this size should be
> larger than any hardware cache in your system so it will force a
> flush and therefore a write to disk.
>
> To claim that my conclusions are wrong you have to argue that
> the original dummy file, the 7th, was not between the 6th and 8th.
> Or that the OS or hardware actually writes to another partition /
> drive as part of its optimizations.
hrm, i have no doubt that in the logical sense at least the file is
overwritten. The fact that the OS can no longer read the file doesn't mean
it can't be recovered however. This is the point in contention, I believe.
> Additionally you will have to support your claim that my observations
> of the hard drive LED are nothing more than a light indicating the
> passing of data perhaps to the hard drive cache when I have in fact
> observed that the hard drive heads not only move in association with
> the LED lighting up but a vigorous write operation is obviously
> taking place. If what you say is true why are the hard drive heads
> repositioning and writing to the hard drive if this is only an LED
> lighting up. What is going on here?
Your in windows, it does not cache the same way as linux/unix systems.
> I guess the bread and butter point I am making that OverWrite does
> work if used according to my recommendations on hard drives is too
> much for you or anyone else to handle so you go off on pathetic side
> tracks some of which I have conveniently provided you to amuse
> yourselves while you ponder the unthinkable: that Ciphile Software's
> OverWrite program damn well works!
I'm sure it works just fine, but its probably not doing what you want it to
do.
Simon.
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Zero Knowledge Proof
Date: 12 Mar 2001 21:37:07 GMT
[EMAIL PROTECTED] (Richard Wash) wrote in
<[EMAIL PROTECTED]>:
>"Gustavo Brown" <alegus#QUIT_THIS#@adinet.com.uy> writes:
>
>> Hi:
>>
>> ��� Can you tell me where to find info about Zero Knowledge Proof,
>> and its relationship with Cryptography.
>>
>> What I need is some info concerning how Zero Knowledge Proof is used
>> within Cryptosystems, etc
>
>Zero Knowledge Proofs are a very interesting topic.
>
The problem with Zero Knowledge Crypto systems is that in
some senses they are extremely weak. They may be needed for
public key stuff. Where you exchange keys and a third party
can be watching.
But its called Zero Knowledge since it when you encrypt
with such a system. Zero knowledge other than the cipher text
is needed to break the system. It counts on key checking to
be slow. But if a key is found that works then the message
is broken. If you use systems that are NOT Zero Knowledge types
of systems such as scott19u. Then any key works and could lead
to a file that when renecrypted with tested key you get the
same file back. So the attacker needs more information about
the data encrypted to break it. Many crypto system like PGP
have a mode where you can skip the zero key part. But then
go on to do compression that again adds useable knowledge to
cipher text that allows keys to be checked. There are very
few crypto packages that handle compression and ecnryption
with out adding info to help break the system.
Matts BICOM is one of the few exceptions. And it use full
block CBC RIJNDAEL as the heart of the encryption process.
Guys if I made any errors correct me. Also I added messages to
AES modes forum to at least try to get padding modes with
ECB or CBC chaining that allow for encryption with less
leakage than the common poor ways in RFC 1423 and such.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website **now all allowed**
http://members.xoom.com/ecil/index.htm
Scott LATEST UPDATED source for scott*u.zip
http://radiusnet.net/crypto/ then look for
sub directory scott after pressing CRYPTO
Scott famous Compression Page
http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMERS***
I leave you with this final thought from President Bill Clinton:
------------------------------
From: "Simon Johnson" <[EMAIL PROTECTED]>
Crossposted-To: sci.math
Subject: Re: Noninvertible encryption
Date: Mon, 12 Mar 2001 21:53:54 -0800
Douglas A. Gwyn <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> "SCOTT19U.ZIP_GUY" wrote:
> > Who cares if its gibberish. You can say it was output from
> > a random number generator. If you give a key that works I think
> > its up to them to prove its false.
>
> I think it would be very easy to convince almost anyone that you
> didn't really go to all the trouble of encryption to secure gibberish.
Even saying its encrypted is a mistake... Say its an OTP that you haven't
distributed yet...
Simon.
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Potential of machine translation techniques?
Date: Mon, 12 Mar 2001 22:55:53 +0100
JCA wrote:
>
> "Mok-Kong Shen"<[EMAIL PROTECTED]> wrote:
>
> >
> > Now that machine translation of natural languages has reached a fairly
> > advanced state,
>
> I guess the keyphrase here is "fairly advanced". Lacking as they do any
> understanding of what they are translating, automatic translators do a
> pitiful job when compared to a human.
Machine translation failed badly in its initial phase
(in the sixties or so), but currently it isn't that bad
as far as I am aware. EU has a project to translate documents
from/to member countries in their own languages, though I am
ignorant of its current state of progress. What I have in
mind is that, for sufficiently restricted universe of
discourse, which is likely to apply in some concrete
situations of secret communications, fidelity of results
seems to be an achievable goal with current state of the art.
M. K. Shen
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************
