Cryptography-Digest Digest #936, Volume #13      Sun, 18 Mar 01 18:13:00 EST

Contents:
  Re: IDEAL ENGLISH TEXT RIJNDAEL ENCRYPTION (Mok-Kong Shen)
  Re: SSL secured servers and TEMPEST ("Lyalc")
  Re: RSA (Gregory G Rose)
  Re: Algebraic 1024-bit block cipher (Gregory G Rose)
  Re: Latin Squares ("Kostadin Bajalcaliev")
  Bacon's cryptography? ("bookburn")
  Re: IDEAL ENGLISH TEXT RIJNDAEL ENCRYPTION (Nicol So)
  Re: IDEAL ENGLISH TEXT RIJNDAEL ENCRYPTION (Tim Tyler)
  Re: Random and RSA (Joe H. Acker)
  Re: Latin Squares (Mok-Kong Shen)
  Re: IDEAL ENGLISH TEXT RIJNDAEL ENCRYPTION (amateur)
  Re: How to eliminate redondancy? ("Trevor L. Jackson, III")
  Re: qrpff-New DVD decryption code ("Trevor L. Jackson, III")
  Re: Bacon's cryptography? (Mok-Kong Shen)
  Re: How to eliminate redondancy? ("Trevor L. Jackson, III")

----------------------------------------------------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: IDEAL ENGLISH TEXT RIJNDAEL ENCRYPTION
Date: Sun, 18 Mar 2001 21:37:43 +0100



"SCOTT19U.ZIP_GUY" wrote:
> 

> Get a list of allowed english words. The words are of the
> form of the spellings plus a space. Only one case allowed
> upper or lower.
> list has the word followed by weighted occurrence in english.
> 
> A computer program takes the list and makes a huffman tree
> or we use a weighted PPM tree a la Matt Timmermans' compressor
> code.
> 
> When a message is to be encoded only the dictionary words are
> allowed. When the compression takes place it is fully bijective
> to an 8-bit byte binary file. Then you encrypt using your
> favorite block cipher.
> 
> When an attacker tries a wrong key it will always decrypt to
> a valid message full of english words.

Your Huffman tree for words is just one kind of coding.
Thus you are applying a codebook before encryption.
A simpler alternative is to assign binary numbers to the 
words (assuming the size of the dictionary is 2^m, the
numbers all have m bits). One first translates the words 
to the numbers and then encrypts. If the wrong key is 
used to decrypt, then one gets wrong numbers leading 
to wrong words (yet valid words). One problem of using
a dictionary, though, is that one doesn't have e.g.
plurals of nouns, etc.

M. K. Shen
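The two word-level codings being compared here, as an added example that is not code from either poster: (a) the fixed-width scheme M. K. Shen describes, where a dictionary of 2^m words is indexed by m-bit numbers, and (b) a Huffman code built from word weights, as in the quoted proposal. The eight-word dictionary and its weights are constructed for the demonstration; the point it shows is that any bit string (such as the output of decrypting under a wrong key) maps back onto dictionary words, the Huffman variant leaving at most a dangling partial codeword.

```python
"""Word-level codings in which every bit string decodes to dictionary words.

Added example, not code from the digest posters. (a) is the fixed-width
index coding described in the reply; (b) is a Huffman code over word
weights as in the quoted proposal. WORDS is a constructed toy dictionary.
"""
import heapq
from itertools import count

# Constructed toy dictionary: 8 = 2^3 words with made-up frequency weights.
WORDS = {
    "the": 40, "and": 25, "cat": 8, "dog": 7,
    "sat": 6, "on": 10, "mat": 3, "ran": 1,
}


# ---- (a) fixed-width index coding ---------------------------------------
def index_tables(words):
    ordered = sorted(words)                       # deterministic word order
    m = (len(ordered) - 1).bit_length()           # bits per word
    if len(ordered) != 1 << m:
        raise ValueError("dictionary size must be a power of two")
    return ordered, m

def index_encode(message, words):
    ordered, m = index_tables(words)
    return "".join(format(ordered.index(w), f"0{m}b") for w in message.split())

def index_decode(bits, words):
    """Every whole number of m-bit groups decodes to a valid word sequence."""
    ordered, m = index_tables(words)
    if len(bits) % m:
        raise ValueError("bit string is not a whole number of codewords")
    return " ".join(ordered[int(bits[i:i + m], 2)] for i in range(0, len(bits), m))


# ---- (b) Huffman coding over the weighted word list ---------------------
def huffman_code(words):
    tie = count()                                 # keeps heap entries comparable
    heap = [(wt, next(tie), w) for w, wt in words.items()]
    heapq.heapify(heap)
    while len(heap) > 1:
        w1, _, a = heapq.heappop(heap)
        w2, _, b = heapq.heappop(heap)
        heapq.heappush(heap, (w1 + w2, next(tie), (a, b)))
    code = {}
    def walk(node, prefix):
        if isinstance(node, tuple):               # internal node: two children
            walk(node[0], prefix + "0")
            walk(node[1], prefix + "1")
        else:
            code[node] = prefix or "0"
    walk(heap[0][2], "")
    return code

def huffman_encode(message, code):
    return "".join(code[w] for w in message.split())

def huffman_decode(bits, code):
    """Return (decoded text, leftover bits). Because a Huffman tree is a full
    binary tree, every prefix of any bit string decodes to words; only a
    final partial codeword can be left over."""
    rev = {v: k for k, v in code.items()}
    out, cur = [], ""
    for b in bits:
        cur += b
        if cur in rev:
            out.append(rev[cur])
            cur = ""
    return " ".join(out), cur


if __name__ == "__main__":
    msg = "the cat sat on the mat"
    code = huffman_code(WORDS)
    enc = index_encode(msg, WORDS)
    print(enc, "->", index_decode(enc, WORDS))
    henc = huffman_encode(msg, code)
    print(henc, "->", huffman_decode(henc, code))
    # Arbitrary bits (as from a wrong-key decrypt) still yield dictionary words.
    print(index_decode("101110000111", WORDS))
    print(huffman_decode("1101001011", code))
```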

------------------------------

From: "Lyalc" <[EMAIL PROTECTED]>
Subject: Re: SSL secured servers and TEMPEST
Date: Mon, 19 Mar 2001 07:40:50 +1100

indeed.
The target signals are, by previous definition, very low amplitude.  In
the same spectrum there are many much higher powered transmitters, for TV,
radio, police, taxi, mobile phone et al.
So the VCR receivers need to cope with recording amplitudes variations of
more than 120db.  Most VCR tapes only have about 30-60 db dynamic range, I
think.
And the VCR hardware is not designed for this large a dynamic signal range.
So special, non-distorting amplitude clipping units need to be built for the
VCR inputs (filters attenuate all signals more or less equally - we don't
want to attenuate the low amplitude signals at all).

And so far we haven't even tried to split the different frequency bands,
align the noise floor amplitudes across all the VCRs, create a time/phase
alignment process for the VCR, or split out the antenna amplifier output
into 400 feed points.

Yet we end up with a truck full of VCR units, requiring 20kW of power to
drive (400 x 50w per VCR), neglecting cooling, that will capture 3 hours of
doubtful data.  And we need to repeat this process 24 hrs/day for maybe 3-10
weeks to get enough theoretically workable data.

This is not a practical attack, IMHO.

Lyal

those who know me have no need of my name wrote in message ...
><[EMAIL PROTECTED]> divulged:
>>
>>My calculation was as follows:  a Video Signal has about 5 MHz of
>>Bandwidth.  Just split that 2 GHz signal into 2000/5=400 5 MHz bands,
>>transform them into the 0..5 MHz base band and then you "just" need
>>400 VCRs to store the signal.
>
>it may be that consumer vcr's aren't the optimum recording devices.
>
>--
>okay, have a sig then



------------------------------

From: [EMAIL PROTECTED] (Gregory G Rose)
Subject: Re: RSA
Date: 18 Mar 2001 12:51:26 -0800

In article <[EMAIL PROTECTED]>,
Mike Rosing  <[EMAIL PROTECTED]> wrote:
>Joost van der Meer wrote:
>> I've got to make an assignment for school about the RSA encryption system. I
>> want to write a example, but I can't calculate the private key D. Is there
>> anybody who can give me a whole example (prime numbers ( P&Q) and  exponents
>> (e&d) ???
>
>Since all you need is an example, pick numbers you can work with on a calculator.
>For P and Q, choose 2 primes less than 300 (or whatever you feel like).  Pick
>e = 3 (a sort of standard value, for your example it's fine).  Then the hard
>part is finding d.  You need e*d = 1 mod (P-1)*(Q-1).  You can either brute force
>it (*very* time consuming) or you can go thru Euclid's algorithm to find the
>value of d.  Since P and Q are calculator sized, that won't take you too long.

Brute force is hard if you try out D values, but
easy if you try out P and Q values or multiples of
(P-1)(Q-1). For example...

I take the largest primes less than 300, which
are 283 and 293 (one minute using the unix
"factor" utility counting down from 299).

Choose e == 3.

Rewriting the equation, we are looking for an
integer solution to d = (k(P-1)(Q-1) - 1) / 3 for
some small k.

Now, unfortunately (P-1)(Q-1) is 82344 which is divisible by 3,
so there's no such k or d. From here you have two
choices: choose a new prime (noting that 282 is
the one that's divisible by three). Two out of
three choices will on average be good.

Alternatively, note that 82344 is one less than a
multiple of 5! If you use e == 5, then 16469 is
good for d...

Elapsed time (including typing) 7 minutes.

Greg.

-- 
Greg Rose                                       INTERNET: [EMAIL PROTECTED]
Qualcomm Australia          VOICE:  +61-2-9817 4188   FAX: +61-2-9817 5199
Level 3, 230 Victoria Road,                http://people.qualcomm.com/ggr/ 
Gladesville NSW 2111    232B EC8F 44C6 C853 D68F  E107 E6BF CD2F 1081 A37C
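The derivation above carried through in code, as an added example that is not from the digest: with P=283 and Q=293, e=3 fails because 3 divides (P-1)(Q-1)=82344, while e=5 gives d=16469. The extended Euclidean algorithm replaces the search over multiples of (P-1)(Q-1), and a round trip on a constructed small message checks the result. This is textbook RSA with no padding, which is fine for a school example but not for real use.

```python
"""Toy RSA exponent derivation reproducing the numbers in the post.

Added example, not code from the digest. The modular inverse is computed
with the extended Euclidean algorithm rather than by searching for k.
"""

def egcd(a, b):
    """Return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def modinv(e, phi):
    """Return d in [0, phi) with e*d == 1 (mod phi), or None if gcd(e, phi) != 1."""
    g, x, _ = egcd(e, phi)
    return None if g != 1 else x % phi

def rsa_private_exponent(p, q, e):
    """d such that e*d == 1 mod (p-1)(q-1); None when e is unusable."""
    return modinv(e, (p - 1) * (q - 1))

def rsa_keypair(p, q, e):
    d = rsa_private_exponent(p, q, e)
    if d is None:
        raise ValueError(f"e={e} shares a factor with (p-1)(q-1)")
    return (p * q, e), (p * q, d)          # (public, private)

def rsa_encrypt(m, pub):
    n, e = pub
    return pow(m, e, n)

def rsa_decrypt(c, priv):
    n, d = priv
    return pow(c, d, n)

if __name__ == "__main__":
    P, Q = 283, 293                        # the post's primes
    print("d for e=3:", rsa_private_exponent(P, Q, 3))   # None: 3 divides 82344
    pub, priv = rsa_keypair(P, Q, 5)
    print("d for e=5:", priv[1])                         # 16469
    m = 12345                              # constructed message, must be < N
    print("round trip ok:", rsa_decrypt(rsa_encrypt(m, pub), priv) == m)
```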

------------------------------

From: [EMAIL PROTECTED] (Gregory G Rose)
Crossposted-To: 
alt.computer.security,alt.security,alt.security.pgp,comp.security.misc,de.comp.security.firewall,de.comp.security.misc
Subject: Re: Algebraic 1024-bit block cipher
Date: 18 Mar 2001 13:07:56 -0800

In article <Irns6.50038$[EMAIL PROTECTED]>,
Tom St Denis <[EMAIL PROTECTED]> wrote:
>Right off the bat.  What the heck does "group with order 65536" mean.  Do
>you mean a multiplicative sub-group of GF(65537) where your base is
>primitive?

There is a perfectly good group of order 2^16,
namely GF(2^16), whose elements are polynomials
with binary coefficients of degree less than 16,
where the polynomial "0" is the additive identity,
where the polynomial "1" is the multiplicative
identity, where addition is mod-2 addition of the
corresponding coefficients (XOR when they are implemented as bit
vectors), and multiplication is polynomial
multiplication reduced modulo an irreducible
degree-16 binary polynomial.

However he does say that he doesn't use XOR, so I
agree that both postings (his and yours) may be
ill-considered. I'll let other people comment on
mine. :-)

Greg.


-- 
Greg Rose                                       INTERNET: [EMAIL PROTECTED]
Qualcomm Australia          VOICE:  +61-2-9817 4188   FAX: +61-2-9817 5199
Level 3, 230 Victoria Road,                http://people.qualcomm.com/ggr/ 
Gladesville NSW 2111    232B EC8F 44C6 C853 D68F  E107 E6BF CD2F 1081 A37C

------------------------------

From: "Kostadin Bajalcaliev" <[EMAIL PROTECTED]>
Subject: Re: Latin Squares
Date: Sun, 18 Mar 2001 22:16:25 +0100

here is a link to an extensive study of Latin Squares and their
cryptographic use.

http://ii.pmf.ukim.edu.mk/crypto

KB

MarinaP wrote in message <992i2g$ij7$[EMAIL PROTECTED]>...
>Hi,
>I am not a crypto specialist, so I hope somebody here can help me.
>Latin Squares are known to be widely used in cryptography.
>
>
>
>



------------------------------

From: "bookburn" <[EMAIL PROTECTED]>
Subject: Bacon's cryptography?
Date: Sun, 18 Mar 2001 12:33:53 -0800

I read a couple books years ago about history of cryptography and
remember that Francis Bacon developed a study of cryptography that has
been used in classrooms as textbook.  Looking for such a tome in
encyclopedias and on the Net doesn't identify such a work, though.
Can anyone suggest where Bacon's writings on cryptography are brought
together systematically?  bookburn



------------------------------

From: Nicol So <[EMAIL PROTECTED]>
Subject: Re: IDEAL ENGLISH TEXT RIJNDAEL ENCRYPTION
Date: Sun, 18 Mar 2001 17:05:23 -0500
Reply-To: see.signature

"SCOTT19U.ZIP_GUY" wrote:
> 
> When an attacker tries a wrong key it will always decrypt to
> a valid message full of english words.

I understand that you're a proponent of compression schemes in which
arbitrary bit strings are valid encodings (or valid encodings of
sentences in some source language). I've considered compression schemes
like that before and came to several conclusions. 

(1) Regardless of whether arbitrary bit strings are decodable, a good
compression scheme generally removes many possibly useful patterns in
the source language.

(2) Compression improves utilization of bandwidth.

(3) A compression (encoding) scheme in which arbitrary strings are
encodings decodes to a natural language is *not* a robust means to
confuse the adversary.

For the present discussion, (3) is the most relevant.

As I have explained in another thread, achievable compression ratio is
dependent on a prior knowledge of the properties of the message source.
Characterizing messages from a source as valid English sentences
represents only one degree of approximate knowledge; better predictive
power (and hence compression ratio) can be achieved with more precise
knowledge of the distribution of sentences based on the *context*. To
see this, just look at some arbitrarily generated syntactic English
sentences; the vast majority are non-sensical despite being
syntactically correct. Even when individual sentences in a passage are
grammatical, they don't look plausible if each one is on an unrelated
subject. Even if all the sentences seem coherent, they still look
implausible if they contradict each other or if they contradict known
facts.

It would take an extraordinarily intelligent compressor to assign
codewords adaptively so that the most probable ideas to be expressed
will be assigned the shortest codewords. It is far from clear how this
can be done mechanically yet reliably.

Even if perfect compression of English based on context is achieved, an
adversary with access to side-channels can still recognize redundancy in
perfectly compressed messages--something *information-theoretically
impossible* for a decompressor that doesn't have access to the
side-channels.

For a general purpose communication mechanism, you want to allow
arbitrary messages to be sent. That means the set of support for the
input message distribution is the set of all possible strings, not just
valid English sentences. You can think of escape sequences in codes as
an example means to achieve this goal.

The bottom line: (1) Characterizing messages from a source as valid
English sentences is insufficient to achieve perfect compression; with
enough message blocks, the accumulated residual redundancy will allow an
adversary to discern valid decrypts from invalid ones. (2) It is
possible that an adversary is in a superior position knowledge-wise than
the intended recipient (because of side-channels), so even perfect
compression may not be sufficient. This last point has robustness
implications as you cannot control what side-information your adversary
may or may not be able to learn.

-- 
Nicol So, CISSP // paranoid 'at' engineer 'dot' com
Disclaimer: Views expressed here are casual comments and should
not be relied upon as the basis for decisions of consequence.

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: IDEAL ENGLISH TEXT RIJNDAEL ENCRYPTION
Reply-To: [EMAIL PROTECTED]
Date: Sun, 18 Mar 2001 22:07:47 GMT

Joe H. Acker <[EMAIL PROTECTED]> wrote:
: SCOTT19U.ZIP_GUY <[EMAIL PROTECTED]> wrote:

: I like your idea as well. Getting wordlists should be no problem, there
: are plenty of them available on the Net as well as tools for joining
: them into larger ones (search for "wordlist").

For example: http://wordlists.security-on.net/download.html

However, I think most wordlists are targeted towards password cracking,
crossword solvers and other non-compression applications.  Compression has
some unique requirements.  I think it's probably best to write a program
to analyse lots of target text.

: I think "hidden Markov models" is another keyword you might want
: to watch out for.

A huge HMM might - in principle - offer better compression of English than
a big wordlist.
-- 
__________
 |im |yler  [EMAIL PROTECTED]  Home page: http://alife.co.uk/tim/

------------------------------

From: [EMAIL PROTECTED] (Joe H. Acker)
Subject: Re: Random and RSA
Date: Sun, 18 Mar 2001 23:16:45 +0100

John Myre <[EMAIL PROTECTED]> wrote:

> "Douglas A. Gwyn" wrote:
> <snip>
> > You might as well say:
> > man = human and woman = human, so man = woman.
> 
> I forget, what's the name of that particular form of
> logical error?

It's sometimes called 'Fallacy of the Undistributed Middle'. Note that
strictly taken, the above formulation is not a logical fallacy, because
the premises are wrong anyway. Here is a nice sample of the
undistributed middle taken from http://www.datanation.com/fallacies/

"All Russians were revolutionists, and all anarchists were
revolutionist, therefore, all anarchists were Russians."

Regards,

Erich

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Latin Squares
Date: Sun, 18 Mar 2001 23:17:39 +0100



Kostadin Bajalcaliev wrote:
> 
> here is a link to an extensive study of Latin Squares and their
> cryptographic use.
> 
> http://ii.pmf.ukim.edu.mk/crypto

Do you mean the Reports section (not in English) or the
Archive section? If in the second, which paper(s) are
the ones relevant to latin squares? Thanks.

M. K. Shen

------------------------------

From: amateur <[EMAIL PROTECTED]>
Subject: Re: IDEAL ENGLISH TEXT RIJNDAEL ENCRYPTION
Date: Sun, 18 Mar 2001 17:37:30 -0400

Why was my idea about crypting the bits before encryption rejected?
I don't understand why.
If for every bit (0) I assign one category and the other one (1) and I
choose randomly the values, it's then hard if not impossible to decrypt.


John Savard wrote:
> 
> On Sun, 18 Mar 2001 14:21:06 -0400, amateur <[EMAIL PROTECTED]> wrote, in
> part:
> 
> >Why are you talking about plain-text? Is not a cryptanalysis above the
> >plain-text?
> >Someone can help me?
> 
> Yes, cryptanalysis works on the ciphertext, which is later than the
> plaintext.
> 
> But if the plaintext was just perfectly random bits, the cipher could
> not be solved, because there would be no way to say which solutions
> are good.
> 
> So cryptanalysis, when working on the ciphertext, still needs to know
> something about the plaintext to work towards finding out the key -
> and the rest of the plaintext.
> 
> If the plaintext is well compressed, there is less known about the
> plaintext, so the cryptanalyst has much less to work with in the case
> where _known_ plaintext is not available.
> 
> John Savard
> http://home.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: How to eliminate redondancy?
Date: Sun, 18 Mar 2001 22:48:41 GMT

Nicol So wrote:

> "Trevor L. Jackson, III" wrote:
> >
> > "Douglas A. Gwyn" wrote:
> >
> > > "Trevor L. Jackson, III" wrote:
> > > > Given a highly redundant plaintext one can eliminate the redundancy
> > > > by masking with a good PRNG.
> > >
> > > I guess at this point we ought to ask what people mean by "redundancy".
> > > To me, that scheme doesn't reduce redundancy by more than the bits in
> > > the PRNG parameters.  It does make it more "latent", however.
> >
> > The same complaint can be leveled against any lossless transform.
>
> That's not true. Lossless compression works exactly by reducing the
> redundancy in the representation of information.
>
> The per-symbol redundancy of a source is the difference between: (1) the
> maximum per-symbol entropy possible based on the alphabet, and (2) the
> actual (average) per-symbol entropy of the source.
>
> The information content of a stream of symbols is what the receiver
> cannot predict a priori, w.r.t. the best possible (predictive)
> receiver. There is no limitation on the computing power of the
> hypothetical receiver, and it can have any a priori knowledge about (the
> statistical properties) of the source (but not about the individual
> sequences of symbols that the source emits).
>
> Redundancy is about the density of information in a representation
> scheme.
>
> From an information-theoretic viewpoint, masking plaintext using a PRNG
> does not change its redundancy. What it does change is what would be a
> best possible encoder. The best encoder in this case will have knowledge
> about the PRNG & its parameters (in order to encode efficiently). The
> masking has no effect on the size of the information representation.
>
> Lossless compression, on the other hand, reduces redundancy because it
> makes the information representation more "compact".
>
> I suspect that looking at redundancy from an information-theoretic
> viewpoint was not what you had in mind. Maybe you're thinking about the
> *apparent* redundancy as seen by an adversary, which has limitations on
> computing power and a priori knowledge, and is *not* the theoretically
> best encoder of the masked plaintext stream.

Now we're getting out into the wild parts of the forest.

I'll not waste a lot of time on rebutting the individual statements, but merely
observe that the final statement is false.  The phrase "theoretically best
encoder of the masked plaintext stream" can only exist in the context of the
weighted message space.

Now, for extra credit, what do you think the OP, br, meant when he asked the
original question?  Did he mean apparent (a metric applicable to a single
message) or "latent" (a metric applicable only to a sample of a weighted
message space)?

Obviously I thought he meant the former, and that is the context in which my
reply makes sense.  Note also that PRNG masking is a form of lossless
compression (with zero efficiency), so the distinction you constructed is not
really applicable.




------------------------------

From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: qrpff-New DVD decryption code
Date: Sun, 18 Mar 2001 22:57:07 GMT

"Joe H. Acker" wrote:

> Paul Crowley <[EMAIL PROTECTED]> wrote:
>
> > [EMAIL PROTECTED] (Joe H. Acker) writes:
> > > > How do you define moral or ethics? If it is what most people do,
> > > > than copying of music is probably not theft.
> > >
> > > My God! It is *of course NOT* what most people do! As a German like you,
> > > I hate to bring this example, but do you believe that in the 3rd Reich
> > > in Nazi German what most people did was moral or ethical behavior?
> >
> > http://www.tuxedo.org/~esr/jargon/html/entry/Godwin's-Law.html
>
> Yes, I'm really sorry having brought up that example and would like to
> apologize for participating in such an OT thread. Instead of my example,
> take any majority's view you don't agree with. If the majority decides
> what is right or wrong, then you're always wrong if you don't agree with
> the majority. All I wanted to say is that this view about moral is quite
> premature and senseless.

It is worse than that.  Considering the effect of majority voting on legal
systems implies that, in a democracy, voting is immoral.  Attempting to impose
one's views upon others, or seize their property by force, is generally
but not universally regarded as immoral.  If your neighbors all voted to donate
your salary to neighborhood improvement, it would be immoral.  If they manage to
convince the rest of the town/county/state/country to agree, the actions are
still immoral.

Since any government vote is an exercise of force, participation in the vote is
the same as participation in the ensuing actions.  Thus the act of voting is as
immoral as the act of oppressing or stealing from others.




------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Bacon's cryptography?
Date: Sun, 18 Mar 2001 23:59:01 +0100



bookburn wrote:
> 
> I read a couple books years ago about history of cryptography and
> remember that Francis Bacon developed a study of cryptography that has
> been used in classrooms as textbook.  Looking for such a tome in
> encyclopedias and on the Net doesn't identify such a work, though.
> Can anyone suggest where Bacon's writings on cryptography are brought
> together systematically?  bookburn

Are there really treatises on the history of cryptography
(excepting books like Kahn's The Codebreakers and some
textbooks that deal with quite an amount of historical
ciphers)? I doubt that any specific collection of Bacon's
writings about cryptography has been used in comparatively
modern times as learning materials in classrooms of any
academic institutions. (Public courses on cryptography
are fairly recent in the syllabuses of universities.) On 
the other hand, there are (presumably) complete collections 
of all writings of Bacon, if I don't err.

M. K. Shen

------------------------------

From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: How to eliminate redondancy?
Date: Sun, 18 Mar 2001 23:03:33 GMT

"Douglas A. Gwyn" wrote:

> "Trevor L. Jackson, III" wrote:
> > There is no sensible purpose to further terminology dispute.
>
> It wasn't a terminology dispute.  Compression does reduce
> redundancy; "masking" with a PRNG has relatively little
> effect on redundancy.

Of course it does.  Masking moves redundancy to the "latent" state by
your own description.

Neither compression nor masking makes much difference (except in volume
of text) to modern ciphers, while both may strengthen older ciphers
vulnerable to statistical correlation.
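The apparent-versus-latent distinction argued over in this message and in the earlier "How to eliminate redondancy?" exchange between Nicol So and Trevor L. Jackson, III, made concrete as an added example that is not from any of the posters: a general-purpose compressor (zlib here, standing in for an encoder with no knowledge of the keystream) finds the English sample highly redundant, finds the PRNG-masked version incompressible, and finds the redundancy again once the mask is removed, which is what an encoder that knows the PRNG parameters would see. The keystream generator (SHA-256 in counter mode under a fixed seed) and the sample text are constructed for the demonstration.

```python
"""Apparent vs latent redundancy: PRNG masking versus compression.

Added example, not code from the digest. zlib plays the role of an
encoder that does not know the keystream; the masked text looks
incompressible to it although its information content is unchanged.
"""
import hashlib
import zlib

# Constructed, deliberately repetitive English sample (768 bytes).
SAMPLE = (b"the quick brown fox jumps over the lazy dog. "
          b"the quick brown fox jumps over the lazy dog again. ") * 8

def keystream(seed: bytes, length: int) -> bytes:
    """Deterministic byte stream: SHA-256(seed || counter) blocks, concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def mask(data: bytes, seed: bytes) -> bytes:
    """XOR data with the keystream; applying it twice restores the data."""
    return bytes(x ^ k for x, k in zip(data, keystream(seed, len(data))))

def compressed_size(data: bytes) -> int:
    """Size under a compressor with no knowledge of the mask."""
    return len(zlib.compress(data, 9))

def redundancy_report(data: bytes, seed: bytes) -> dict:
    """Compressed sizes of the plain, masked and unmasked data plus raw length."""
    masked = mask(data, seed)
    return {
        "raw": len(data),
        "plain": compressed_size(data),
        "masked": compressed_size(masked),
        "unmasked": compressed_size(mask(masked, seed)),
    }

if __name__ == "__main__":
    for name, size in redundancy_report(SAMPLE, b"constructed-seed").items():
        print(f"{name:>9}: {size} bytes")
```

The "masked" row is the apparent redundancy an encoder without the seed can exploit (none); the "unmasked" row is the latent redundancy, which is fully recovered by an encoder that knows the mask.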






------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
