Cryptography-Digest Digest #939, Volume #13 Mon, 19 Mar 01 07:13:01 EST
Contents:
can a remailer send a message to multiple people? (Incognito)
Re: Defenses Against Compromising Emanations of the Private Key (Frank Gerlach)
Re: One-time Pad really unbreakable? ("Douglas A. Gwyn")
Re: Idea ("Douglas A. Gwyn")
Re: primes for Blum Blum Shub generator (Risto Kuusela)
Are prime numbers illegal ? (Bob C.)
[OT] Why Nazis are evil (Benjamin Goldberg)
Re: primes for BBS (Benjamin Goldberg)
Re: Are prime numbers illegal ? (Mok-Kong Shen)
Re: SSL secured servers and TEMPEST (Mark Currie)
Re: One-time Pad really unbreakable? (Tim Tyler)
OTP unbreakable? ("Tom St Denis")
Re: IDEAL ENGLISH TEXT RIJNDAEL ENCRYPTION (Tim Tyler)
Re: Security of IAPM, alone. (Benjamin Goldberg)
Re: How to eliminate redondancy? (Benjamin Goldberg)
----------------------------------------------------------------------------
From: Incognito <[EMAIL PROTECTED]>
Subject: can a remailer send a message to multiple people?
Date: Mon, 19 Mar 2001 08:46:13 GMT
Can I use the mixmaster 2.0.3 to send a message anonymously to more
than one person? Thanks.
M.
------------------------------
From: Frank Gerlach <[EMAIL PROTECTED]>
Subject: Re: Defenses Against Compromising Emanations of the Private Key
Date: Mon, 19 Mar 2001 09:42:37 +0100
Lyalc wrote:
>
>
> If we now which SSL key is targetted, then the rest iof us can reast easy
> for a while. Maybe the cheaper option is to set up a mailing list to report
> anyone seeing several alrge trucks, antenna and portable generators outside
> their workplace
Oh, in Germany we call this "Nato Excercise" :-)
> Using multiple temporary certificates is no real answer, if this threat is
> real. It merely moves the attack to the intermediate or root CA keys, not
> the server keys.
aha, you are saying the CA is signing hundreds of certificates per second ? You
have a point, but it can (and is coincidentially) adressed by using the root key
very seldomly.
> I suggest more reading - a lot more - on radio theory, emanations, and EMI
> (electro-magnetic interference) to check these theories are worthwhile
> approaches.
Instead of suggesting that I do not have a clue, maybe you could critizie my
reasoning in detail.
> Hint - look at the thermal noise floor for the bandwidth and temperature you
> are using for the source and receiving equipment. Basically, no signal
> under that power amplitude can be recovered, from memory.
And that is why OTDRs (Optical Time Domain Reflectormeters) cannot look below
the noise floor when detecting cracks in fiber cables ?? Actually they do. They
greatly improve performance by shooting laser flashes into the fiber millions of
times and averaging the response. I do not see why this is impossible with other
repeating signals. They are btw. not doing simple averaging, but sophisticated
correlation and pulse encoding.
What we simply do not know is the noise floor of the receiving antenna. A lot
can be done by a superconducting first amplification stage, which clearly
produces most noise.
The often heard argument that the noise generated by nearby equipment will
contribute to security is also overstated. Look at CRTs: Assume you directional
antenna receives 100 monitors. That is just an reduction of SNR of 20dB
(assuming equal power levels). Also, I would argue that the tapes containing the
emanations of those 100 monitors allow you to tune into every single screen,
because every oscillator will have a slightly different frequency ! Of course,
you will have to find a way of tracking oscillator frequency drift..
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: One-time Pad really unbreakable?
Date: Mon, 19 Mar 2001 08:51:55 GMT
Tim Tyler wrote:
> ... Are you not prepared to entertain even the teeniest,
> tiniest possibility that you might be wrong?
All knowledge is contextual. In the context of overwhelming
evidence from quantum mechanics, I have *no doubt* that there
exists an inherently unpredictable element to behavior at the
fundamental level that is not explainable in terms of ordinary
uncertainty about the precise parameters of the system state.
I would readily change my mind if you could explain the phase
of the system state in classical terms. If one works out the
math it is evident that the observed behavior is not compatible
with any (classical) statistical situation. Whatever might
"explain" quantum randomness, it cannot be overcome by
supplementing one's detailed knowledge about the system state.
As to the "long history of controversy over the issue", again
I have studied that much longer than you, with an open mind,
and I have confidence in my understanding of this issue.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Idea
Date: Mon, 19 Mar 2001 09:02:50 GMT
"SCOTT19U.ZIP_GUY" wrote:
> I hate it when people think it is necessiary to prove one
> is qualified to do something.
Trammell put it wrong. What he should have said was, why
should I waste my time responding to your challenge cipher,
when I am sure that you won't learn much from my breaking it?
Indeed, earlier I started to respond about its cryptanalysis,
but after typing up quite a lot, it occurred to me that a
better response would be no response.
My original advice for the novice, to go gain an education
in the basics rather than ask others to spend their time
straightening out his basic misperceptions, still holds.
------------------------------
From: Risto Kuusela <[EMAIL PROTECTED]>
Subject: Re: primes for Blum Blum Shub generator
Date: Mon, 19 Mar 2001 09:29:17 GMT
Tom St Denis wrote:
>
> "Risto Kuusela" <[EMAIL PROTECTED]> wrote in message
>
> > Not quite so. It is only proven that ability to predict BBS will
> > imply ability to factor BBS modulus, but it is not known if the
> > converse is true. So according to present knowledge primes don't
> > have to secret, only "seed" value x (unless I have missed some
> > recent results).
>
> Nope I am right. Given "y = x^2 mod pq" finding 'x' from 'y' is provably as
> hard as factoring. Thus my claim.
>
Looks like you are not using BBS-generator properly. If you
output the whole 'y' then it would be easy to predict next bits
even without knowing factors 'p' and 'q'. Yes, next you would
output 'y^2' would you? And I can certainly compute that.
In BBS you output only LSB of 'y' at each round (or loglog(n) of
them). This is why predicting BBS is not same as computing square
root of 'y'. In [1] they claim proving that predicting BBS is "as
hard as factoring", but it looks me that they actually prove it
only "at least as hard as factoring". Thus my claim.
Risto
[1] Vazirani & Vazirani: Efficient and Secure Pseudo-Random
Number Generation, CRYPTO 84.
------------------------------
From: Bob C. <[EMAIL PROTECTED]>
Subject: Are prime numbers illegal ?
Date: Mon, 19 Mar 2001 03:59:05 -0600
>From the article at:
http://www.utm.edu/research/primes/glossary/Illegal.html
A DVD (Digital Versatile Disk) can store much more information than a
CD, for this reason they are often used to store movies. To prevent
copying, these movies are protected by CSS (Content Scramble System) a
proprietary code licensed to DVD player manufacturers.
Soon after DVD's were encrypted, code to decrypt them (called DeCSS)
appeared on the internet (October 1999). This code is now available in
many forms (see the Gallery linked below). The shortest versions of
the code take well under 600 key strokes.
The Motion Picture Association of America recently sued to stop
distribution of this code under the Digital Millennium Copyright Act.
There are many interesting issues involved in this case, for example,
is code a protect form of free speech? The court's Memorandum Order
(linked below) provides a nice summary.
So what has this all to do with prime numbers? At first glance:
nothing. But everything stored on a computer, including poems,
pictures, spreadsheets and programs, are stored as a sequence of
binary bits--so they are simply numbers. Phil Carmody decided to make
a version of DeCSS which was a prime number.
First Carmody took the original anonymous version of the DeCSS C-code
and gzip'ed it (a standard UNIX program for making files smaller).
Suppose we call the resulting number k. By Dirichlet's theorem on
primes in arithmetic progression, we know that for each fixed integer
b relatively prime to k, there are infinitely many primes ak+b.
For technical reasons, if we choose a to be a power of 256 larger than
b, the resulting number can still be unzipped to get the original
file. This means there are infinitely many prime numbers which yield
the same code. These include: k*256^2+2083 and k*256^211+99. At the
time these were found they both were large enough to fit on the list
of largest known primes (because of the method of proof).
If distributing code is illegal, and these numbers contain the code,
does that make these number illegal?
------------------------------
From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: [OT] Why Nazis are evil
Date: Mon, 19 Mar 2001 10:15:19 GMT
Paul Schlyter wrote:
>
> In article <[EMAIL PROTECTED]>,
> Benjamin Goldberg <[EMAIL PROTECTED]> wrote:
>
> > The problem with bringing up Nazis, is that *they* didn't believe
> > that what they did was unethical or immoral. In fact, if you were
> > to accept one single premise -- that anyone who isn't a male aryan
> > isn't a person -- you would consider everything they did to be
> > perfectly reasonable. Further, and possibly more importantly wrt
> > your argument, the way they acted towards those who they *did*
> > consider persons, was as moral and as ethical as you or I would act
> > towards each other. The only thing that made them evil was their
> > perception and treatment of non-aryans as non-persons.
>
> So you're claiming that it's perfectly OK to torture a creature as
> long as it's not a human?
Torturing animals makes people less emotionally disinclined to hurt
humans, therefor it's wrong to torture animals. But ignoring the
emotional changes it produces... if you had mice in your house, would
you have any qualms about getting rid of them? Even if the only traps
you had were the wood-wire-spring ones, which sometimes don't kill, but
might result in a lingering death for the rodent? Also, how do you feel
about testing makeup on animals?
--
The difference between theory and practice is that in theory, theory and
practice are identical, but in practice, they are not.
------------------------------
From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: primes for BBS
Date: Mon, 19 Mar 2001 10:51:13 GMT
Ok, I was dumb, but I have an excuse... look at the time of day that I
posted :)
--
The difference between theory and practice is that in theory, theory and
practice are identical, but in practice, they are not.
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Are prime numbers illegal ?
Date: Mon, 19 Mar 2001 11:56:58 +0100
"Bob C." wrote:
[snip]
> If distributing code is illegal, and these numbers contain the code,
> does that make these number illegal?
If I understand right, the scheme uses a prime a*k+b instead
of k (with a and b public, so that the user can get k). But
why does one need a prime? Wouldn't a composite a*k do
as well?
I know too little about law. But I suppose that the court
consisers the 'intention'. If the intention to violate
the copyright act is fairly clear, then that would be a
violation. Otherwise, ANY transformation would do.
Note that even k itself, being gzip of the C code,
is NOT the C code that is the actual tool to break CSS.
M. K. Shen
------------------------------
Subject: Re: SSL secured servers and TEMPEST
From: [EMAIL PROTECTED] (Mark Currie)
Date: 19 Mar 2001 11:01:42 GMT
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
>
>those who know me have no need of my name wrote:
>
>> <[EMAIL PROTECTED]> divulged:
>>
>> > -are there any key usage policies *in use* to make this kind of
>> >attack impossible (such as temporary certificates signed with the
>> >"master" certificate of the site) ?
>>
>> typically ssl accelerators are loaded with the private key. so the
>> accelerator uses the key itself, it isn't transferred for each session
>> setup.
>
>The emanations of the "accelerator" is what we were writing about.
>
>
You say that you may be able to record these accelerator emanations on VCR's
in a previous thread, but the private key word movement/handling at this level
may be happening at clock frequencies of several 100Mhz. Now assuming that you
can pick out the "blips" when private key operations occur (as you mention in
previous threads, will the VCR bandwith allow you to extract data at several
100 Mhz ? bearing in mind that the data bits are switched in parallel (word
read/writes). Perhaps I am looking at it in the wrong way ? I do admit that I
am not an RF expert.
Mark
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: One-time Pad really unbreakable?
Reply-To: [EMAIL PROTECTED]
Date: Mon, 19 Mar 2001 11:09:23 GMT
Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
: Tim Tyler wrote:
:> ... Are you not prepared to entertain even the teeniest,
:> tiniest possibility that you might be wrong?
: All knowledge is contextual. In the context of overwhelming
: evidence from quantum mechanics, I have *no doubt* that there
: exists an inherently unpredictable element to behavior at the
: fundamental level that is not explainable in terms of ordinary
: uncertainty about the precise parameters of the system state.
: I would readily change my mind if you could explain the phase
: of the system state in classical terms. [...]
Well, there are *many* possible classical explanations for what's
happening:
One is that this is a study - of Douglas A. Gwyn - under computer
simulation. An elaborate model of your intellect has been built, which
gives you the impression of being in the 21st century. In fact this
model is not even terribly detailed, and achieves most of its effects by
simulating the impression of complexity via your short term memory.
On any occasions when you encounter inconsistencies in the model,
it is adjusted, re-run, and all trace of the original experience deleted.
The model is really very poor - but it's good enough for study purposes.
Now, your knowledge of quantum mechanics doesn't actually reflect
anything real. It's a fairy story. Experiments you read about have
never been performed. Most of your memories of performing experiments
are simple forgeries.
This is a classical model, which appears to explain your observations.
: If one works out the math it is evident that the observed behavior is
: not compatible with any (classical) statistical situation. Whatever
: might "explain" quantum randomness, it cannot be overcome by
: supplementing one's detailed knowledge about the system state.
When you say "classical" does that include the idea of "local"?
Historically there have been observations that appear to preculude
*local* explanations of what is happening.
Of course, whether the universe is local has nothing to do with whether
it's fundamenttally unpredictable.
The locality results often seem to be presented in such a way that
they seem to rule out explanations that rely on local deterministic
interactions (which they do if they are right) - but this has no
effect on models - such as those of David Bohm - which are based on
hidden variables that are non-local.
Non-local interactions could - in principle produce practically *any*
observable universe. Imagine the universe as a HLUT - precalculated
"offline" by an elaborate Turing-complete machine, with all the particle
positions worked out. Such a model is totally classical. In it, our
knowledge of the state of the system is limited by our ignorance of the
state, and not by any fundamental randomness - since there is none.
That universe could be our universe - there is absolutely no reason why
they should be distinguishable to us.
--
__________
|im |yler [EMAIL PROTECTED] Home page: http://alife.co.uk/tim/
------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: OTP unbreakable?
Date: Mon, 19 Mar 2001 11:22:37 GMT
Is the OTP really really really really really unbreakable?
hehehehe
How many times are people gonna ask this.... ARRG
Tom
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: IDEAL ENGLISH TEXT RIJNDAEL ENCRYPTION
Reply-To: [EMAIL PROTECTED]
Date: Mon, 19 Mar 2001 11:26:34 GMT
Nicol So <[EMAIL PROTECTED]> wrote:
: "SCOTT19U.ZIP_GUY" wrote:
: (3) A compression (encoding) scheme in which arbitrary strings are
: encodings decodes to a natural language is *not* a robust means to
: confuse the adversary.
: For the present discussion, (3) is the most relevant.
[snip]
: Even if perfect compression of English based on context is achieved, an
: adversary with access to side-channels can still recognize redundancy in
: perfectly compressed messages--something *information-theoretically
: impossible* for a decompressor that doesn't have access to the
: side-channels.
[...]
: The bottom line: (1) Characterizing messages from a source as valid
: English sentences is insufficient to achieve perfect compression; with
: enough message blocks, the accumulated residual redundancy will allow an
: adversary to discern valid decrypts from invalid ones.
...*sometimes*.
: (2) It is possible that an adversary is in a superior position
: knowledge-wise than the intended recipient (because of side-channels),
: so even perfect compression may not be sufficient. This last point has
: robustness implications as you cannot control what side-information
: your adversary may or may not be able to learn.
So your point is that there's no such thing as perfection in compression -
and even if there were, it wouldn't be enough to reliably deprive an
analyst of knowledge about whether his decrypts are correct?
While we can imagine some cases where side channel information is not
available to the attacker - when the opponent cannot use real-world
information about the contents of a message to verify his decryptions (at
least until it is too late) - these will not be the rule.
I think the idea is not to achive perfection, but rather to head in its
general direction. Better compression takes long messages closer to the
unicity distance, and decreases the ability of arrackers to verify
their decryptions.
The more this can be done the merrier - but it does not matter that
it may not be practical (or possible) to do it to the extent where
the attacker can never unambiguously identify correct decrypts.
--
__________
|im |yler [EMAIL PROTECTED] Home page: http://alife.co.uk/tim/
------------------------------
From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: Security of IAPM, alone.
Date: Mon, 19 Mar 2001 11:40:50 GMT
David Wagner wrote:
>
> Benjamin Goldberg wrote:
> >The IAPM chaining mode can be described as follows:
> >w(x) = E(k0, iv0 + x) (for x = 0..log2(messagelength))
> >s(i) = XOR-sum of a subset of w, selected with binary_greycode(i)
> >ct[i] = s(i) XOR E(k1, s(i) XOR pt[i])
> >
> >I'm curious. How secure is this scheme if k1 is fixed, perhaps at 0?
>
> Great question!
>
> I'm not sure, but I _think_ it might be quite secure,
> if we assume E(k1, .) behaves like a random permutation when
> k1 is fixed. The analogy to the Even-Mansour construction (which
> does have a proof of security) is quite intriguing.
Two papers to read are:
"A Construction of a Cipher From a Single Pseudorandom Permutation" by
(1991) Shimon Even and Yishay Mansour:
http://citeseer.nj.nec.com/even91construction.html
and
"Limitations of the Even-Mansour Construction" (1992) by Joan Daemen:
http://citeseer.nj.nec.com/daemen92limitation.html
The Evan Mansour construction is as follows:
ct[i] = k0 XOR F( k1 XOR pt[i] )
Where k0 and k1 are two independent keys, and F is a permutation.
Daemon shows a known-plaintext attack (using two plaintext pairs) on the
Even Mansour Construction which halves the keyspace. However, since any
two s(i) values are pairwise independent, this particular attack doesn't
work.
However, this does not mean that other attacks don't exist. I see two
problems with comparing reduced IAPM with Evan-Mansour:
(1) Where E-M has k0 and k1, reduced IAPM has s(i) and s(i) (ie, the
same value twice). This might produce an even better attack than
Daemen.
(2) Even though each s(i) is pairwise independent, if we consider a
chosen plaintext attack, on three values of i, such that s(a)=s(b)^s(c),
something like Daemon's attack might be possible.
Weakness (1) might be avoided by using two different s sequences.
Weakness (2) might be avoided by replacing s(i) with s(i+k2 % N), where
N is at least the length of the message, and k2 is a randomly chosen
number in the range 0..(N-1) -- one could possibly choose N=2^128.
A third weakness is that s(0)=0, but this can be trivially avoided. In
normal IAPM, where k1 is not fixed, it's not a weakness at all.
--
The difference between theory and practice is that in theory, theory and
practice are identical, but in practice, they are not.
------------------------------
From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: How to eliminate redondancy?
Date: Mon, 19 Mar 2001 11:59:13 GMT
If a transformation is simultaneously one to one and onto, then it is a
bijection. If a transformation and its inverse are bijections, and
their range and domain are identical, then the transformation and it's
inverse are both permutations.
Joe prefers a compressor which is a bijection. Scott, your compressors
are permutations. Since permutations are bijections, your compressors
are a subset of the type of compressor Joe prefers.
--
The difference between theory and practice is that in theory, theory and
practice are identical, but in practice, they are not.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************
