Cryptography-Digest Digest #142, Volume #14 Sat, 14 Apr 01 18:13:01 EDT
Contents:
Re: Dynamic Substitution Question (Terry Ritter)
Re: patent issue (Terry Ritter)
Re: LFSR Security (David Wagner)
MS OSs "swap" file: total breach of computer security. (Anthony Stephen Szopa)
Re: please comment (Terry Ritter)
Re: NSA is funding stegano detection (Niels Provos)
Re: _"Good" school in Cryptography ("was" I got accepted) (Carsten Eilers)
Re: Concerning US.A.4979832 (Terry Ritter)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Dynamic Substitution Question
Date: Sat, 14 Apr 2001 20:43:38 GMT
On Tue, 10 Apr 2001 03:25:43 GMT, in
<[EMAIL PROTECTED]>, in sci.crypt
[EMAIL PROTECTED] (John Savard) wrote:
>[...]
>Anything that involves operations on the individual entries of a
>substitution table, particularly if it could lead to that table
>containing either any bijection or any table at all with valid
>entries, as a means of creating the changed permutation, seems to be,
>as far as I can tell, novel with the two exceptions of the Phillips
>cipher and the MacLaren-Marsaglia ("Algorithm M") pseudorandom number
>generator.
>[...]
>What I *don't* know - and would find interesting - is if the two
>exceptions are sufficient to narrow the valid scope of the patent
>closer to the "preferred embodiment", or if it covers ciphers that
>involve any type of dynamic S-box.
The so-called "Phillips" system is the topic of Chapter XIX in Gaines,
titled: "Polyalphabetic Encipherment Applied by Groups." I see keyed
substitution and "polyalphabetic," but I don't see "dynamic" at all:
the tables are prepared, then ciphering occurs without changing
anything in the tables. The table contents are not changed in
response to the input values, and I see no "confusion source" to
enable DynSub combining.
So, as far as I can see, the "Phillips" system is not even close.
With respect to Algorithm M, we already have a legal decision, and
that comes from people far more knowledgeable and concerned with the
laws and PTO rules (MPEP) than any of us:
Algorithm M is "Knuth II-speak" for MacLaren-Marsaglia, and that art
was cited by the applicant; it was part of the patent examination.
The patent and all claims were approved in the context of that art.
In a true legal sense and with low probability of reversal, we already
*know* there is no conflict with "Algorithm M." That having been
decided, the continued drumbeat that something might have been
overlooked is more sad than enlightening.
>For example, does Bruce Schneier's
>Solitaire conflict with the Dynamic Substitution patent?
By "conflict," perhaps you mean: "Did Schneier, after reading the
Dynamic Substitution patent, create and publish a Dynamic Substitution
cipher without even referencing the originator of the underlying
technology?"
But if the point is intended to be a general comment on intellectual
integrity, surely even the most base outcome would be no particular
surprise nowadays. And, otherwise, why would I care? How much
traffic do we suppose actually passes through that cipher?
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: patent issue
Date: Sat, 14 Apr 2001 20:44:56 GMT
On Tue, 10 Apr 2001 05:32:39 GMT, in
<[EMAIL PROTECTED]>, in
sci.crypt Paul Crowley <[EMAIL PROTECTED]> wrote:
>[EMAIL PROTECTED] (John Savard) writes:
>> More to the point: why shouldn't people who can invent useful stuff do
>> *that* as their day job, instead of in their spare time from an
>> ordinary job? That way, there will be a lot more useful stuff getting
>> invented.
>
>Fortunately not everyone who has research as their day job has to
>patent what they do. Patented cryptographic technology is largely
>useless; crypto is all about communication, which is all about
>standards, but standards have to work to avoid any patents out there
>if they are to be widely implemented and used.
On the contrary, cryptosystems are inherently about *non* generality;
in fact, we use keys to specifically assure that.
There is no need for standardized ciphers since we can deliver whole
ciphers almost as easily as keys.
>In general, if you invent and patent crypto technology as your day
>job, then your day job is to find exciting new avenues of research,
>then close them off, burn them down and salt the ground so no-one else
>can explore there or use it for seventeen years or more. It's a
>destructive occupation, rather than a constructive one.
Oh, please. When did any patent prevent you from exploring new
ground? In fact you have some nerve: the US patent does not apply to
you anyway.
It sounds to me like you can't bear the thought that any research you
do might benefit someone with a patent. So your "exploration" is not
really to seek knowledge, nor is it to benefit society, but instead is
to benefit you personally in the way you want. That's childish even
beyond the obvious "sour grapes" involved.
Dynamic Substitution has already been essentially free for the past
decade. Over half the patent lifetime has passed, so there has been
ample opportunity to inquire, experiment and develop, an opportunity
which was generally ignored. It may be that enforcement would do more
for Dynamic Substitution technology than anything academia has done
over a decade.
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
From: [EMAIL PROTECTED] (David Wagner)
Crossposted-To: sci.crypt.random-numbers
Subject: Re: LFSR Security
Date: 14 Apr 2001 20:55:03 GMT
Nathan E. Banks wrote:
>> [...] Berlekamp-Massey [...]
>
>Is there an explanation anywhere that's a bit more straightforward than
>the one in Handbook of Applied Cryptography?
Not that I know of. It's deep magical stuff for me too.
Still, here's something that might help. Berlekamp-Massey applies
even when the taps are unknown, but let's take the simpler case where
the taps are known. Suppose our register is n bits long, and we have
n bits of known keystream, call it z. Let k be the initial state of
the register. Then we can write z as a linear function of k. In
particular, there is a matrix M so that z = Mk. Note that M depends
only on the taps of the LFSR, so we can write it down. Then we can
use Gaussian elimination to compute the inverse M^{-1} of M, and the
equation k = M^{-1} z will allow us to recover k from z. This shows
how to break an LFSR where the taps are known.
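The known-taps attack sketched above, worked through in code. This is an added example, not code from the post: it assumes a Fibonacci-style register whose output bit is a linear function of the cells (the same tap set is used for feedback and output here, i.e. the register emits its feedback bit), builds M by clocking the register symbolically, and solves z = Mk by Gaussian elimination over GF(2). The tap set and the secret state are constructed for the illustration.

```python
# Added example (not from the post): recover an LFSR's initial state from n
# keystream bits when the taps are known, via z = M k over GF(2).
from typing import List, Optional, Sequence


def xor_all(values) -> int:
    acc = 0
    for v in values:
        acc ^= v
    return acc


def lfsr_keystream(state: Sequence[int], taps: Sequence[int],
                   out_taps: Sequence[int], nbits: int) -> List[int]:
    """Clock a Fibonacci LFSR nbits times and return its output bits.

    state[0] is the cell shifted out next.  Each clock: the output bit is
    the XOR of the cells in out_taps, the feedback bit is the XOR of the
    cells in taps, then the register shifts and the feedback bit enters at
    the high end.  Both functions are linear in the cells; that linearity
    is all the attack needs.
    """
    s = list(state)
    out = []
    for _ in range(nbits):
        out.append(xor_all(s[i] for i in out_taps))
        fb = xor_all(s[i] for i in taps)
        s = s[1:] + [fb]
    return out


def keystream_matrix(n: int, taps: Sequence[int],
                     out_taps: Sequence[int]) -> List[int]:
    """Build M such that z = M k for the first n output bits.

    The register is clocked symbolically: cell i starts as the unknown k_i
    (bit i of a mask) and XOR of cells becomes XOR of masks.  Row t is the
    set of unknowns output bit t depends on.  M depends only on the taps.
    """
    cells = [1 << i for i in range(n)]
    rows = []
    for _ in range(n):
        rows.append(xor_all(cells[i] for i in out_taps))
        fb = xor_all(cells[i] for i in taps)
        cells = cells[1:] + [fb]
    return rows


def solve_gf2(rows: Sequence[int], z: Sequence[int],
              n: int) -> Optional[List[int]]:
    """Gaussian elimination over GF(2) on the augmented system [M | z].

    Returns k with M k = z, or None if M is singular (n output bits then do
    not determine the state; e.g. when cell 0 is never tapped its content
    is shifted out without ever reaching the output).
    """
    aug = [row | (z[t] << n) for t, row in enumerate(rows)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if (aug[r] >> col) & 1), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(n):
            if r != col and (aug[r] >> col) & 1:
                aug[r] ^= aug[col]
    # Fully reduced: row i is e_i plus the solved value of k_i in bit n.
    return [(aug[i] >> n) & 1 for i in range(n)]


def recover_state(taps: Sequence[int], out_taps: Sequence[int],
                  keystream: Sequence[int], n: int) -> Optional[List[int]]:
    """Recover the initial state from the first n keystream bits."""
    return solve_gf2(keystream_matrix(n, taps, out_taps), keystream[:n], n)


if __name__ == "__main__":
    n = 16
    taps = [0, 2, 3, 5]                     # assumed tap set (cell 0 tapped)
    secret = [(0xACE1 >> i) & 1 for i in range(n)]   # constructed state
    z = lfsr_keystream(secret, taps, taps, 64)      # "known keystream"
    k = recover_state(taps, taps, z, n)
    print("state recovered:", k == secret)
    print("rest of keystream predicted:",
          lfsr_keystream(k, taps, taps, 64) == z)
```

Once k is known, clocking the register forward reproduces every later keystream bit, which is why n known bits are enough to strip the whole stream. The unknown-taps case the post mentions is exactly what Berlekamp-Massey addresses and is not implemented here.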
------------------------------
From: Anthony Stephen Szopa <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto,alt.hacker
Subject: MS OSs "swap" file: total breach of computer security.
Date: Sat, 14 Apr 2001 13:55:38 -0700
MS OSs "swap" file: total breach of computer security.
Unbelievable.
For me, the "swap" file implementation in MS OSs is proof positive
that MS is in a conspiracy to control OUR information (and all of
US by implication) and is most probably cooperating with the
government in this regard. MS is intentionally placing our right
to privacy at risk.
It also tells me that this Justice Dept. anti-trust case against MS
may be nothing but a political charade.
A computer user must have total discretionary control over certain
aspects of OS implementation such as the activation, use, and
access to a "swap" file.
The only discretion one has at this time is to NOT use any leaky MS
security sieve of an OS.
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: please comment
Date: Sat, 14 Apr 2001 20:57:13 GMT
On Sat, 14 Apr 2001 11:20:14 -0700, in
<Wy0C6.8681$[EMAIL PROTECTED]>, in sci.crypt
"Paul Pires" <[EMAIL PROTECTED]> wrote:
>Yechuri <[EMAIL PROTECTED]> wrote in message
>news:[EMAIL PROTECTED]...
>> Actually what I was hoping for was is a reference to any published material
>> like a book or an article in a magazine where this has been described.
>>
>> I saw a post recently on this newsgroup that said that even if an idea was
>> actually being used by many people, unless it was published in a magazine or
>> book anybody can patent it and start charging a fee for its use
That doesn't sound right. Perhaps you misinterpreted the post --
unfortunately, you did not reference it in detail.
However, an already-granted patent may start requiring a fee for use,
even if many people have been using it for some time.
>If it were only so easy.
>
>Rumor and reference to comments made in this news group are very
>bad advice on patents. Dabblers with an agenda, free code avengers
>and well meaning but inexperienced folk. (I'm in there somewhere).
You sure are.
>Having said that: (there might be special cases and exceptions to
>the following).
>
>1, Only the inventor has a right to file a patent not just the first person to file on
>a concept they found or learned somewhere.
Right in general, except that the correct term here is not "the"
inventor, but rather "an" inventor.
If an earlier inventor does not "move toward" and apply for a patent,
he or she gives up the patent right. And if that inventor also does
not publish the invention, he or she does not establish prior art.
This is the usual case for "trade secrecy," and in this case a later
inventor then may apply for and receive a patent, and may apply the
granted patent against the earlier inventor.
Since many people prefer trade secrecy to patents in cryptography, I
think that situation is fairly common.
>2, Prior art. No it is not limited to publishing. Any thing that gets it known
>in the art is prior art. Publications are easiest to track but a sale to the public
>where such sale discloses the process or idea to such an extent that one
>reasonably skilled in the art can build from it is also prior art. There are others.
Right, prior art which anticipates an invention does not *have* to be
a publication. In general, though, prior art *is* published; anything
else is the special case.
As far as I know, the test is whether an ordinary worker in the field
has been taught how to practice the invention. Just seeing a result
on a screen does not do that.
Normally, software is sold as object code and does not disclose to the
ordinary worker in the field how to make and practice the invention.
And digital hardware is sold as a complex system which does not
disclose the invention in pretty much the same way.
>3, It must be non-obvious and "inventive". There are many descriptions of this
>requirement but they are all negative definitions, A shopping list of what is not
>commonly an invention.
>
>4, Crypto is a new and obscure field. What is and isn't prior art, and what it means
>or doesn't, of working embodiments versus wild theory and conjecture is not well
>known to those in the business let alone the examiners at the PTO.
That's just ignorant nonsense: Crypto has been the subject of patents
since at least 1861. Lee de Forest got one in 1908, Hebern got three
in 1914 and six in 1915, Vernam got one in 1919, and there are many
others in that same time frame. DES was covered by Feistel patents.
The modern art is much, much larger, and is well represented by
granted patents. There are thousands of crypto patents, and the
principal examples are very well known to the examiners at the PTO.
>Got a match??? Before anyone burns me with flames for that last point, one should
>consider what an outsider would make of the combined works of Whitfield Diffie,
>Tom St Denis, David Wagner, Anthony Steven Szopa, M. K. Shen, David Scott and a
>few others from an eclectic cross section.
If and when art is published on the net which does anticipate a
later-patented invention, I am sure we will hear about it. But I
think for one to actually call something an invention, one must do
more than simply handwave; it is necessary to reduce the idea to
practice, and to teach the idea as well.
Hopefully, the PTO does require anticipating prior art to be more than
a few handwave comments, for anybody can *say* anything. The test is
in the doing, and in the teaching. But if the test is met, I
personally think that net publication can be considered "publication."
>We are so eager to rail against the process or the participants that we fail to see
>the obvious.
>There is no ultimate arbitrator for this art. If I make an automotive transmission
>component that cannot be shown to actually do what I claim then I have not met my
>obligation to "teach" and deserve no patent.
Nonsense. Goals are not the same thing as patent "claims."
Inventions which do not meet their ultimate goals are patented all the
time, and deserve their patents, for whatever it may be worth. The
PTO is not the arbiter of whether the ultimate result meets the goals.
The PTO only decides whether an application meets the legal
requirements for a patent. If nobody wants to use the patent, fine.
>It is quite easy in this example to formulate such logical test. How do you
>test a crypto system or method and determine that nothing in it does or can do as is
>claimed?
Again, "goals" are not patent "claims."
>How to tell if a variation of a common concept does produce unanticipated and
>noteworthy results?
That is directly addressed in a patent application.
>It's not as easy as some folks would like it to be.
Patents in general are not "easy" at all. What is "easy" is to poorly
interpret things which one does not know.
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
From: [EMAIL PROTECTED] (Niels Provos)
Crossposted-To: comp.security.misc,talk.politics.crypto
Subject: Re: NSA is funding stegano detection
Date: 14 Apr 2001 21:00:41 GMT
On 7 Apr 2001 19:31:39 GMT, SCOTT19U.ZIP_GUY wrote:
> I am not so sure its easy to detect. One can easily make a file
>the length of bytes to match the number of LSB in a picture. All
>you do is replace the set there with your set. If you take the
>pictures yourself and if the resolution is low, they can't prove the
>picture has been modified if they don't have the original.
Taking the picture yourself and revealing the original is a first
good step. Just embedding all your data in the LSB is problematic,
and probably easy to detect. There has been some research in that
area. I wrote two related papers which you can find at
http://www.citi.umich.edu/u/provos/cv.html
You might want to check out OutGuess, http://www.outguess.org/
I am also going to release a utility soon that will detect
various steganographic schemes for images.
--
Niels Provos <[EMAIL PROTECTED]> finger [EMAIL PROTECTED] for pgp info
"Gravity is the soul of weight." - Anonymous.
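Why overwriting every LSB is "probably easy to detect", as an added example that is not part of the post and not code from OutGuess or the papers it cites. The detector used here is the pairs-of-values chi-square test (Westfeld and Pfitzmann, 1999), which the post does not name; the "image" is a constructed 8-bit greyscale sample whose histogram is skewed towards even values, standing in for the unequal pair counts that sensor noise and quantisation leave in real photographs. No original is needed: the test looks only at the suspect image.

```python
# Added example (not from the post): sequential LSB replacement and the
# pairs-of-values chi-square test that exposes it without the original.
import random
from typing import List, Sequence, Tuple


def make_cover(n_pixels: int, seed: int) -> List[int]:
    """Constructed cover: uniform 8-bit values, 40% of them forced even,
    so that within every pair (2i, 2i+1) the even value is more common."""
    rng = random.Random(seed)
    pixels = []
    for _ in range(n_pixels):
        v = rng.randrange(256)
        if rng.random() < 0.4:
            v &= 0xFE
        pixels.append(v)
    return pixels


def random_message(nbits: int, seed: int) -> List[int]:
    """Constructed payload: uniform random bits (what ciphertext looks like)."""
    rng = random.Random(seed)
    return [rng.randrange(2) for _ in range(nbits)]


def embed_lsb(pixels: Sequence[int], bits: Sequence[int]) -> List[int]:
    """Sequential LSB replacement: message bit j overwrites pixel j's LSB."""
    if len(bits) > len(pixels):
        raise ValueError("message longer than the LSB capacity")
    out = list(pixels)
    for j, b in enumerate(bits):
        out[j] = (out[j] & 0xFE) | (b & 1)
    return out


def extract_lsb(pixels: Sequence[int], nbits: int) -> List[int]:
    return [p & 1 for p in pixels[:nbits]]


def chi_square_pairs(pixels: Sequence[int]) -> Tuple[float, int]:
    """Pairs-of-values chi-square statistic and its degrees of freedom.

    LSB replacement with random bits only moves pixels between 2i and
    2i+1, never between pairs, so after full embedding the two counts in
    every pair are nearly equal.  The statistic measures the distance of
    the observed histogram from that equalised shape: a value far above df
    means the LSB plane is untouched, a value near df means it has been
    overwritten.  Both cells of each pair contribute, so the expectation
    under full embedding is about one per pair.
    """
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    chi2, df = 0.0, 0
    for i in range(128):
        expected = (hist[2 * i] + hist[2 * i + 1]) / 2.0
        if expected == 0:
            continue
        chi2 += 2 * (hist[2 * i] - expected) ** 2 / expected
        df += 1
    return chi2, df


def looks_lsb_embedded(pixels: Sequence[int], factor: float = 2.0) -> bool:
    """Crude decision rule: flag when chi2 is within `factor` of its
    expectation (about df) under the equalised-pairs hypothesis."""
    chi2, df = chi_square_pairs(pixels)
    return chi2 < factor * df


if __name__ == "__main__":
    cover = make_cover(20000, 7)
    msg = random_message(len(cover), 99)
    stego = embed_lsb(cover, msg)
    assert extract_lsb(stego, len(msg)) == msg
    print("clean cover: chi2=%.0f df=%d flagged=%s"
          % (*chi_square_pairs(cover), looks_lsb_embedded(cover)))
    print("full LSB stego: chi2=%.0f df=%d flagged=%s"
          % (*chi_square_pairs(stego), looks_lsb_embedded(stego)))
```

The test only responds to LSB planes that have been overwritten wholesale along the scan order; a shorter message scattered over pseudo-randomly chosen positions, or one embedded with its histogram effect corrected afterwards, weakens this particular statistic, which is why dedicated detectors look at more than one.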
------------------------------
From: [EMAIL PROTECTED] (Carsten Eilers)
Subject: Re: _"Good" school in Cryptography ("was" I got accepted)
Date: Sat, 14 Apr 2001 23:08:01 +0200
Claus N�veke <[EMAIL PROTECTED]> wrote:
> Are there "good" Cryptography-schools in Germany?
I personally know Birgit Pfitzmann, Uni Saarbrücken
<http://www-krypt.cs.uni-sb.de/>, and Andreas Pfitzmann, TU Dresden.
Then there is Prof. Pommerening at the Uni Mainz
<http://www.uni-mainz.de/~pommeren/>.
I'm sure there are more, try the SIRENE Homepage (Sicherheit In REchner
NEtzen) <http://www.semper.org/sirene/>
Regards
Carsten
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Concerning US.A.4979832
Date: Sat, 14 Apr 2001 21:15:17 GMT
On Mon, 9 Apr 2001 22:54:07 -0700, in
<CexA6.196$[EMAIL PROTECTED]>, in sci.crypt "B. E. Busby"
<[EMAIL PROTECTED]> wrote:
>Two things come to mind reading the claims --
>
>1) They're in "means plus function" format which has the
> (at least in current practice) effect of narrowing the claims
> to the means taught in the disclosure; and
There certainly is some hubbub. Anyone can look into it by searching
for "means plus function" at www.google.com
One of the most recent examples is:
http://www.kilstock.com/site/print/detail?Article_Id=590
"
Finally, in the past few weeks, Judge Randall R. Rader, writing the
opinion for the panels in Al-Site Corp. v. VSI Int'l Inc., 1999 U.S.
App. LEXIS 5802 (Mar. 30) and Rodime PLC v. Seagate Tech. Inc., 1999
U.S. App. LEXIS 7220 (Apr. 13), summarized the test developed by the
precedents discussed above to determine when a claim limitation is to
be interpreted under the regime set forth by § 112, ¶ 6. If the word
"means" appears in a claim element in combination with a function, it
is presumed to be a means-plus-function element to which § 112, ¶ 6
applies. Al-Site at *14-15; Rodime at *17-18.
However, if either of two conditions is not satisfied, this
presumption is overcome. Rodime at *18. If a claim element uses the
word "means" but recites no function corresponding to the means, that
element will not be construed pursuant to § 112, ¶ 6. Id. Similarly,
even if a limitation containing the word "means" recites a function,
if it also recites sufficient structure or material for performing
that function, § 112, ¶ 6 will not apply. Id.
Judge Rader noted that the Federal Circuit's case law does not require
an exhaustive recitation of structure to remove a claim limitation
from the purview of § 112, ¶ 6. Id. at * 24. Instead, the claim need
only recite "sufficient structure to perform entirely the claimed
function." Id.
"
In the case of the Dynamic Substitution patent, I view "substitution
means" as a description of the complete structure needed to perform
the substitution function: the substitution table as described in the
specification. The original intent was to cover tables specifically
implemented in ways to try to get around a limitation of "tables."
>2) There's no prosecution history here (an expensive thing to
> buy unless you're seriously considering licensing the patent),
> but the recent Festo decision has had the claims-narrowing
> effect of precluding the use of the Doctrine of Equivalents
> in reading claims that were amended to overcome issues
> of patentability.
I don't know enough to even respond to that.
I suppose the result possibly might bear on the idea of creating a
"table" out of a mass of apparently-distinct equations. But I
continue to believe that if something acts like a table it will be
seen as a table in the PTO and in the courts. Protecting against that
sort of thing is, of course, why we have the phrase "substitution
means" in the first place.
>That said, my guess is the scope covers lookup tables wherein
>entry swapping is performed in order to dynamically change the
>mapping function.
That would seem to be all it needs to be. It would disallow the use
of whole block ciphers as "substitution means," but that is not
something I wanted anyway.
On the other hand, perhaps you could comment on the main areas of
controversy:
* whether the claims cover combining two RNG streams,
* whether an "input" to Dynamic Substitution can be taken from the
dynamic substitution table itself,
* whether the claims assume the table to be invertible, and
* whether "Algorithm M" (ironically, prior art actually described in
the patent itself and examined prior to allowance) limits the claims.
>This ain't advice, but it's worth every penny you paid for it!
Yup, same here.
>"Terry Ritter" <[EMAIL PROTECTED]> wrote in message
>news:[EMAIL PROTECTED]...
><snippage...>
>>
>> As I recall, in the USPTO there is a later patent line which includes
>> the words "dynamic substitution," but those words describe a clearly
>> different mechanism.
>>
>> And even if later US patents have further developed my form of Dynamic
>> Substitution, manufacturers and users will need a license from me to
>> practice such an invention.
>>
>> Since I am not aware of any other "dynamic substitution" patent in the
>> original sense, or of any other patents which bear on this invention,
>> perhaps you could reference what you do mean.
Note the unusual situation of an odd lack of disagreement with the
quoted statements.
Again, I am aware of no prior art which anticipates the invention.
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************