Cryptography-Digest Digest #100, Volume #14 Sat, 7 Apr 01 06:13:00 EDT
Contents:
Re: Data dependent arcfour via sbox feedback (Terry Ritter)
[NEWS] Potty-trained Thomas J. Boschloo given for adoption (Boschloo Tales)
[LOST AND FOUND] Brain cell belonging to Thomas J. Boschloo (Boschloo Tales)
Re: rc4 without sbox swapping/updating (Mok-Kong Shen)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Data dependent arcfour via sbox feedback
Date: Sat, 07 Apr 2001 09:05:02 GMT
On Sat, 07 Apr 2001 06:24:00 GMT, in <4oyz6.6$4G.143@interramp>, in
sci.crypt "nospam"@"nonsuch.org" ("Bryan Olson") wrote:
>In article <[EMAIL PROTECTED]>, Terry Ritter wrote:
>>
>>On Wed, 04 Apr 2001 19:53:09 -0700, in
>><[EMAIL PROTECTED]>, in sci.crypt Bryan Olson
>><[EMAIL PROTECTED]> wrote:
>>
>>>Bryan Olson wrote:
>>>> > Terry Ritter wrote:
>>>
>>>> > >The "second data source" is modified by said "result data" before use,
>>>> > >but no part of the claims excludes that possibility.
>>>> >
>>>> > The word "source" excludes the possibility. The sequence of
>>>> > y values is in fact a _product_ of the substitution process,
>>>> > not a source. If unclear of the interpretation of "source",
>>>> > just read the background and look at the diagrams in the
>>>> > patent.
>>>
>>>> Any sequence of data values is "a source." We can see this
>>>> throughout the patent, including: "A first data source and
>>>> a second data source are combined into a complex
>>>> intermediate form or result. . . ." Note the lack of
>>>> description about the "ultimate" origin of any data sequence
>>>> treated as a "source."
>>>
>>>It may be any sequence of values, but it must be a source,
>>>not a product. Neither does the ultimate origin matter;
>>>just that it comes in from the outside.
>>
>>The ultimate origin is of course outside *the* *combiner*, but not
>>necessarily outside the system containing the combiner.
>
>The source in question is produced _from_ the table as the
>"combiner" updates it.
That's fine with me. The Dynamic Substitution claims place no
limitations on the source of these values.
>>When you present a system which is more than just the combiner, I am
>>free to select what signals there are and try to match them to a
>>claim. You don't get to decide what signals I select. You can add
>>whatever you want around an invention in an attempt to obscure which
>>parts actually constitute the invention, but the invention is still
>>there somewhere, and I get to find it.
>
>Exactly. The sequence _you_ chose depends upon the dynamic
>update of the table. It is necessarily a function of the
>combiner, and cannot be outside.
I have no idea what your point may be. The claims do not specify a
particular origin for the sequences.
>>>> But, if you don't like the word "source," perhaps you would
>>>> prefer the word "value": [...]
>>>
>>>Which is not the word in the claim at issue.
>>
>>It only takes one claim. Any claim counts.
>
>The one you had cited is claim 1. If you want to instead go
>through claim 15, note that it's not only a "value" it's an
>"input value". Claim 15 also states one output, and if you
>use that value for the output, the cipher cannot function.
I *think* the intent here is to recall an argument made earlier that
"the cipher" has an XOR combiner, so "the" combiner obviously is not
DynSub. Here you say the combiner is defined to have an "output
value," so a cipher which uses DynSub must be prohibited in doing
anything more with that value, and if it does, the DynSub mechanism
ceases to read on claim 15.
But the Dynamic Substitution patent does not define "a cipher," it
defines a combiner (and extractor). When a combiner is a subset of
the cipher, its "output value" may be inside the cipher, and in this
case it is. I don't see a problem.
>>>[...]
>>>> > doesn't the following
>>>> > algorithm fulfill the description from claim 1? How about
>>>> > claims 2, 7 and 8?
>>>> >
>>>> > Assume a (pseudo) random data source S
>>>> >
>>>> > initialize T[0..k-1] to hold 0..k-1
>>>> > for i in 0..k-2
>>>> >     j = S.next() scaled/shifted to be in i..k-1
>>>> >     output T[j]
>>>> >     swap(T[i], T[j])
>>>
>>>> I'm not happy with any mechanism claimed to be Dynamic
>>>> Substitution being inherently limited to a sequence of a
>>>> particular length.
>>>
>>>Didn't you recently write:
>>>
>>>| The appropriate way to check for infringement is to take
>>>| the actual words from a claim and try to fit them to the
>>>| design being checked.
>>>
>>>What you are happy with doesn't enter into it. Why do you
>>>not apply the same standard here that you stated previously?
>>
>>As far as I can see, the standard is the same.
>
>From "actual words from a claim" to what you are happy with
>is a huge change.
Fine. So what?
I started out this endless river of text by pointing out that the
interpretation of an issued patent is a *legal* issue, not a technical
one, and you responded to that with something deliberately intended to
have me address the technical issues -- under those conditions.
However, not being a patent attorney, not being fully conversant with
all law, PTO rules, and especially case decisions, I simply cannot
provide an authoritative interpretation to close calls. The closer
one gets to trying to be close to DynSub without actually reading on
the Dynamic Substitution patent, the more risk there will be in any
technical decision. People can avoid that risk by not trying to use
Dynamic Substitution without licensing Dynamic Substitution, and it's
as simple as that.
When the issue becomes so tight that I can't deliver a high
probability answer, I am quite naturally unhappy. The outcome might
go either way. The actual answer to something like that might have to
come from a court decision, and different cases might even produce
different results.
>>The body of the patent is used as a dictionary to interpret the
>>meaning of words used in the claims. I have quoted several times
>>where it does not support your interpretations.
>
>You have quoted such zero times. I never said it couldn't
>be used to combine confusion sequences, or the various
>things you cited.
*I* have to follow and respond to -- what? -- 8 or 10 different
threads, and I am not going to necessarily put every quote in every
thread. If you don't read all I write, you are going to miss out. If
you want to keep talking, you have to do at least as much homework as
me, and you are behind.
Now, I have thought about this some, and I am now much happier with
the idea that this is a peculiar and stilted form of Dynamic
Substitution. That doesn't make it so, that is just my opinion. But
if somebody really wants to know whether such a design reads on the
patent, I think it does.
However, the real purpose of the exercise was for you to present code
that is almost like some very well known code, and for me to say,
"Yes, that is Dynamic Substitution," so that you can ridicule anything
which is that close to what is commonly known.
Ridicule away: As soon as you modify Shuffle to include an output, it
is no longer Shuffle. Nor is it obvious from where one should take
the output -- unless one is deliberately trying to emulate Dynamic
Substitution. Nor would one expect any real combiner to be used with
such a limited and predictable input sequence. Nevertheless, with two
inputs, one output, table, permutation; it probably should be seen as
a form of Dynamic Substitution.
>>>> It is implied throughout the patent body that there is no such
>>>> limitation.
>>>
>>>What text from claim 1 implies that? How about claims 2, 7
>>>and 8? Didn't you also write:
>>
>>It doesn't matter. Any one claim counts. It is only necessary for
>>all aspects of any one claim to be satisfied for a design to read on
>>the claim.
>
>Agreed. But you have no such claim.
Claim 1.
I don't even know what any of this refers to anymore, and I have
looked back through the quotes and gotten remarkably little help. So
I *think* this is about whether the claim 1 covers RNG combining and
maybe also the question of table invertibility.
Much has been said about this on other threads:
First, generally speaking, only the things particularly specified in a
claim must be present for the design to read on the claim. Here is
claim 1, yet again:
"
1. A mechanism for combining a first data source and a second data
source into result data, including:
(a) substitution means for translating values from said first
data source into said result data or substitute values, and
(b) change means, at least responsive to some aspect of said
second data source, for permuting or re-arranging a plurality of the
translations or substitute values within said substitution means,
potentially after every substitution operation.
"
Here we have a "first data source" and a "second data source," neither
of which is specified to necessarily be plaintext data. The correct
interpretation of this is a logical "don't care": it may be or may not
be.
Here we have "substitution means" but we do not have, for example,
"invertible substitution means" or "non-invertible substitution
means." The correct interpretation of this is also a logical "don't
care": it may be or may not be.
Anyone who questions the meaning of terms in the claims is referred
back to the specification for clarification. With respect to
combining RNG sources and non-invertible tables, we have:
"The combiner can also be used to combine two pseudo-random confusion
streams into a more-complex confusion stream. In this case,
extraction may be unnecessary and so the combiner substitution tables
need not be invertible. Thus, the translation changes need not be
limited to permutations."
"Another use for a dynamic substitution combiner would be to combine
two different pseudo-random sources. This would generate a
more-complex pseudo-random combination, and would also help protect
both input sources from analysis better than the simple exclusive-OR
combiner generally used. In this case, an extractor would generally
be unnecessary, since the same combined result could be reproduced by
generating the original pseudo-random sources and combining them."
"The same mechanism can function with either data or confusion values
on either input, depending on the goals of the designer. Two confusion
sources might be combined to make a more complex result, and even two
data sources might be combined for some reason.
"If the combiner substitution is made invertible (that is, containing
no duplicated values), it may be changed by re-ordering (permutation)
in any way and still remain invertible. Thus, an inverse substitution
can be used to decipher data enciphered by the combiner, and can keep
up with the changing substitution by changing in an inverse way.
"But if the combiner result need not be deciphered, as in the case of
combining two confusion sources into a more-complex result, then no
inverse substitution is necessary."
>>Dependent claims further restrict the claim upon which they depend.
>>In this way, dependent claim 2 thus further restricts independent
>>claim 1.
>
>Of course.
>
>> The reason for this is to accommodate newly-found prior art
>>which may invalidate the most inclusive (independent) claim. If that
>>happens, one or more of the more restrictive (dependent) claims may
>>survive. Dependent claims otherwise have little use, other than
>>demonstrating various possibilities to the examiner and reader.
>
>I guess I most agree. I think stating the more specific
>versions are also important, either in the claims or
>elsewhere, so that others cannot patent them.
>
>>That is straightforward patent interpretation.
>
>Agreed. That's why I noted the more specific claims.
>
>>>| When we check for patent infringement, we don't look at the
>>>| whole description and then just somehow form an impression
>>>| one way or the other. Instead, we try to match the specific
>>>| words of each requirement, phrase by phrase, with the design
>>>| being checked,
>>>
>>>If we do that, we see it matches at least as well as the
>>>algorithm you argued to match.
>>
>>I have no idea what that statement means.
>
>I mean we can go through and show that the claim "fits" at
>least as closely as the operations from RC4/proposal did.
Go through what? What are you talking about? Is this still about
modified Shuffle? Fine. I think you crossed the line. The line is
very narrow there. Try to avoid doing that.
With respect to what was called modified RC4, I previously did go
through that statement-by-statement and showed my interpretation of
how it did read on claim 1.
>>If your implication is that shuffling constitutes prior art, it should
>>be quite clear that shuffling was not considered to be any sort of
>>combiner -- let alone a cryptographic combiner -- prior to my
>>publications on Dynamic Substitution.
>
>Exactly. And RC4/modification is also not a combiner, though
>it does have one. That combiner is XOR, not dynamic substitution.
As best I can recall -- and I may have posted 20 or 30 articles since
then -- I think it is best described a stream cipher which contains a
Dynamic Substitution structure inside.
I have absolutely no idea what the fact that the enciphering combiner
is XOR and not Dynamic Substitution could possibly mean to you. Do
you find some statement somewhere that a system using Dynamic
Substitution must encipher data using Dynamic Substitution, and has no
other option? The system has two combiners, one of which is Dynamic
Substitution. Talking about the XOR is just beside the point.
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
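As an added illustration of claim 1 and the specification excerpts quoted in the post above (this is example code written here, not code from the post or from Terry Ritter's own implementations): a byte-wide combiner whose table is swapped after every substitution under control of the second data source, beside the inverse extractor that "keeps up with the changing substitution by changing in an inverse way". The swap rule (exchange the entry just used with the entry selected by the confusion byte), the table setup via `random.Random`, and all sample inputs are assumptions of this example.

```python
# Added example, not code from the post or from Terry Ritter: a byte-wide
# Dynamic Substitution combiner plus its inverse extractor (assumed swap rule).
import random


def make_table(seed):
    """Constructed demo table: a permutation of 0..255. random.Random gives a
    reproducible permutation only; it is not a key schedule and not secure."""
    table = list(range(256))
    random.Random(seed).shuffle(table)
    return table


class DynSubCombiner:
    """Translate first-source bytes through a table, and re-arrange the
    table after every substitution under control of the second source."""

    def __init__(self, table):
        assert sorted(table) == list(range(256))   # no duplicated values
        self.t = list(table)

    def combine(self, p, k):
        c = self.t[p]                                # (a) substitution means
        self.t[p], self.t[k] = self.t[k], self.t[p]  # (b) change means: swap
        return c


class DynSubExtractor:
    """Inverse substitution that keeps up with the changing combiner table
    by applying the mirror-image change to the inverse table each step."""

    def __init__(self, table):
        assert sorted(table) == list(range(256))
        self.t = list(table)        # forward copy, needed to learn T[k]
        self.inv = [0] * 256
        for i, v in enumerate(table):
            self.inv[v] = i         # inv[T[i]] == i

    def extract(self, c, k):
        p = self.inv[c]             # inverse substitution: T[p] == c
        b = self.t[k]               # value the combiner swapped with c
        self.t[p], self.t[k] = b, c          # mirror the combiner's swap
        self.inv[c], self.inv[b] = k, p      # and the inverse of that swap
        return p


def combine_stream(table, first_source, second_source):
    """Combine two equal-length byte strings (plaintext and confusion, or
    two confusion streams) through a fresh combiner built from `table`."""
    comb = DynSubCombiner(table)
    return bytes(comb.combine(a, b) for a, b in zip(first_source, second_source))


def extract_stream(table, result, second_source):
    """Recover the first source from combiner output plus the second source."""
    ext = DynSubExtractor(table)
    return bytes(ext.extract(c, b) for c, b in zip(result, second_source))


if __name__ == "__main__":
    table = make_table(2001)
    plaintext = b"dynamic substitution round trip"
    confusion = bytes(random.Random(7).randrange(256) for _ in plaintext)  # constructed
    result = combine_stream(table, plaintext, confusion)
    assert extract_stream(table, result, confusion) == plaintext
    print(result.hex())
```

Because the extractor needs the same second-source bytes and the same starting table, the combiner output alone cannot be inverted; the case p == k (swap of an entry with itself) is handled by both classes without special-casing.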
------------------------------
Date: 7 Apr 2001 09:12:09 -0000
From: [EMAIL PROTECTED] (Boschloo Tales)
Subject: [NEWS] Potty-trained Thomas J. Boschloo given for adoption
Crossposted-To: alt.privacy.anon-server,alt.security-pgp
Well
it was trained ...
but I didn't say it learned its lesson ...
Beware your plants and carpets
Not returnable
===============================================
HISTORY:
That Boschloo bozo is a clown and a troll who has been looming around for nearly a
year.
Don't mistake a "regular" (troll) with a knowledgeable person: that self-proclaimed
"security expert" is not even a remailer user. In the past, he proved himself unable
to check a PGP signature, and got ridicule from every single technical topic he wanted
to talk about.
Besides false or inaccurate or misleading technical misinformation, his posts are
about his avowed mental illness, or for bashing remops or real freedom fighters: he
likes to quarrel with every one, and stir shit. Sometimes, it is even pure delirium
(when he misses his pills?)
One of his last actions was to stage a hoax about his own suicide, just to try to grab
some sympathy, after he had been exposed as a troll and technically incompetent.
The worst being his teasing of Script-Kiddie until it triggered a new flood on apas.
Of course, he refuses to apologize.
Actually, the level of contempt he shows for remailer users:
they don't give their names, while he does
that can't do anything against him, without giving their names
is in no way different from what is displayed by Pangborn, Burnore and the like
Ignore him completely, killfile him, respect others' killfiles
KILLFILE:
To put him in your killfile, put "Author: Boschloo"
That will make disappear both him and people who warn about him
If you want to tell him to buzz off, or warn about him,
use a nickname containing "Boschloo" (Boschloo Hater, Boschloo Sucks,...)
to accommodate such killfile for "regulars", and still warn newbies
COURAGE:
Boschloo is getting _no_ answer from apas any more.
He has to crosspost to various newsgroups to try to grab some attention.
In a few months, it will be gone.
------------------------------
Date: 7 Apr 2001 09:12:42 -0000
From: [EMAIL PROTECTED] (Boschloo Tales)
Subject: [LOST AND FOUND] Brain cell belonging to Thomas J. Boschloo
Crossposted-To: alt.privacy.anon-server,alt.security-pgp
Did somebody find Thomas J. Boschloo's brain cell?
It has been reported missing since
... well ...
a few years ?
birth ?
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: rc4 without sbox swapping/updating
Date: Sat, 07 Apr 2001 11:30:46 +0200
Terry Ritter wrote:
>
[snip]
> No, "the claim" sets *no* conditions on the content of the table, and
> that is the point. It is also correct. Here is the text for yet
> another time:
>
> "
> 1. A mechanism for combining a first data source and a second data
> source into result data, including:
>
> (a) substitution means for translating values from said first
> data source into said result data or substitute values, and
>
> (b) change means, at least responsive to some aspect of said
> second data source, for permuting or re-arranging a plurality of the
> translations or substitute values within said substitution means,
> potentially after every substitution operation.
> "
After looking at what Benjamin Goldberg argued with you
and in view of my own discussion with you on the topic
of feedback control, I like to make another attempt to
(hopefully) contribute a bit to the clarification of the
purely technical issue, i.e. not the 'formal legal' issue
which may be to some extent dependent on the examiner
of PTO, the patent lawyers and the judges in court in
case of an actual legal process. (I don't think that
such would ever occur with your patent. So we are in some
sense playing theaters here for the purpose of advancing
our own scientific knowledge.)
Let's take for argumentation purposes the case where the
encryption units are characters (or bytes) and so in
each step one feeds a plaintext character p_i and a
key character k_i to a piece of code to obtain a
ciphertext character c_i. Assuming that a polyalphabetical
substitution is being done, then DS means that, with the
processing of each p_i, some column or columns of the
substitution table gets modified (being dependent on
p_i and/or c_i). This modification of the table is what's
normally called a change of state, isn't it? Grouping p_i
and k_i together, we see that the substitution table can
be regarded to be a mechanism that in each processing
step gets the input (p_i, k_i), changes its state and
outputs c_i. Isn't that a case of what is known in CS as
the finite state machines? We note that FSMs are commonly
implemented in code as tables. Hence DS is just an
implementation of FSM in the well-known way, isn't it?
From this view, I guess that the novelty of DS must and
can only lie in certain 'particular' (explicitly given
and shown to be especially beneficial to the crypto)
novel way or ways of modification of the content of the
substitution table and cannot lie in the (general and
prior art) concept of modification (as such) of the
table (of the implementation) of a FSM. What are these
'particularities'? Could you say something in concrete
terms? Am I missing something in the above? Thanks.
M. K. Shen
==========================
http://home.t-online.de/home/mok-kong.shen
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************