Cryptography-Digest Digest #213, Volume #14      Mon, 23 Apr 01 05:13:01 EDT

Contents:
  Re: OTP WAS BROKEN!!! ("Douglas A. Gwyn")
  Re: patent this and patent that ("Ben Hamilton")
  Re: XOR TextBox Freeware: Very Lousy. (David Formosa (aka ? the Platypus))
  Re: XOR TextBox Freeware:  Very Lousy. (David Formosa (aka ? the Platypus))
  Re: OTP WAS BROKEN!!! ("Scott Fluhrer")
  Re: research on polymorphic crypto/Best Possible Privacy? (David Formosa (aka ? the Platypus))
  Re: C code for GF mults (Jyrki Lahtonen)
  Re: patent this and patent that (Dennis Ritchie)
  Re: C code for GF mults ("Brian Gladman")
  Re: C code for GF mults ("Brian Gladman")
  Re: MS OSs "swap" file:  total breach of computer security. (Anthony Stephen Szopa)
  Re: XOR TextBox Freeware: Very Lousy. (Anthony Stephen Szopa)
  Re: OTP WAS BROKEN!!! (Michael Oestergaard Pedersen)
  Re: 1024bit RSA keys. how safe are they? ("Roger Schlafly")
  Re: No base64 ("Jack Lindso")
  Re: patent this and patent that ("Roger Schlafly")

----------------------------------------------------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: OTP WAS BROKEN!!!
Date: Mon, 23 Apr 2001 05:07:39 GMT

Scott Fluhrer wrote:
> Wrong.  "K1 being random implies K1 xor K'(1) being random" is a true
> statement only if K1 and K'(1) are independent in a probabilistic
> sense, and here they are not.

I admire your patience in wading through the long argument to find
a specific fatal error in the reasoning.  I didn't bother with it
because of sloppy use of terminology such as "random", combined
with having already seen much clearer and more convincing proofs
of the opposite.

------------------------------

From: "Ben Hamilton" <[EMAIL PROTECTED]>
Subject: Re: patent this and patent that
Date: Mon, 23 Apr 2001 15:35:22 +1000

reply below...

"David Hopwood" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> > Expand on the knowledge that is there. Read the patents, understand them,
> Have you actually ever tried to do that? Patents are not written to be
> understandable. There is no comparison between the intelligibility of
> a paper describing an idea (even a badly written paper!) and a
> corresponding patent.

I have read the patents actually. They are a resource that shouldn't be
overlooked. I don't mean that you should only use patents as a source of
prior knowledge or inspiration. They are just another source of knowledge
that you can utilize. They can work for and against you. As someone once
said, "you don't have to like the system, you just have to make it work for
you".

>Also, the search facilities available for patents
> are totally inadequate; despite the severe limitations of web search
> engines, a web search will typically give more useful information than a
> patent search, at least in the field of computer science.

I agree, the search facilities aren't that good, they could be better.

> > figure out how to get around them, make them invalid, find a method
> > that is better. Isn't that the inventor/innovator method? (one of).
> No. Innovation in computer science proceeds despite patents, not by
> reading and improving on them

hmm.... (one of) was the point I think. The product I've been working on the
last two years was the result of our own observations and knowledge gained
from the IT industry. We found that reading some patents allowed us to
abandon certain thoughts and take up others. Quite helpful.

Innovation and invention occur because someone sees a need/want and does
something to change it. The knowledge that they draw on merely helps them
achieve the vision they see in their head.

ben hamilton



------------------------------

Crossposted-To: talk.politics.crypto,alt.hacker
From: [EMAIL PROTECTED] (David Formosa (aka ? the Platypus))
Subject: Re: XOR TextBox Freeware: Very Lousy.
Reply-To: [EMAIL PROTECTED]
Date: Mon, 23 Apr 2001 05:30:32 GMT

On Sun, 22 Apr 2001 01:52:27 -0700, Anthony Stephen Szopa
<[EMAIL PROTECTED]> wrote:

> Bodo Eggert wrote:

[...]

> OAP-L3 can generate trillions of random numbers with a key of only 
> a few thousand bytes and with a security level of several thousand 
> bits.  A longer key and you get a higher bit security level.

A general question: is there a theoretical limit to how much a pseudorandom
number generator can output before it becomes predictable?  Now
clearly the generator will cycle if the output is greater than
2^(n+1) - 1 where n is the number of bits used to store the generator's
state.

However, the number of bits in the key is always going to be smaller
than the number of bits in the output, so not all possible sequences
are going to be represented.  How long will it be before these
differences from a true random sequence generator allow you to
distinguish the pseudorandom algorithm, and how long before the differences
allow you to distinguish the key?

-- 
Please excuse my spelling as I suffer from agraphia. See
http://dformosa.zeta.org.au/~dformosa/Spelling.html to find out more.
Free the Memes.
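An added illustration of the two questions in the post above (this is editorial example code, not anything the poster or the thread supplied): a 16-bit Fibonacci LFSR stands in for "a generator with n bits of state". The taps 16, 14, 13, 11 (feedback polynomial x^16 + x^14 + x^13 + x^11 + 1) are the textbook maximal-length choice; the seed 0xACE1, the function names and the sample sequences are constructed for the example. The first check shows the cycle bound the post mentions: with n state bits some state must repeat within 2^n steps, so the output is periodic with period at most 2^n. The second check shows what "distinguish the key" costs for such a generator: once an observer has seen as many output bits as there are state bits, only one seed remains consistent with the output, and a 2^n search finds it.

```python
# Added example: a 16-bit LFSR as a toy "n-bit state" generator, with a generic
# cycle finder and a consistency search over all seeds. Taps, seed and sequences
# are constructed for this illustration.

STATE_BITS = 16
STATE_MASK = (1 << STATE_BITS) - 1


def lfsr16_step(state: int) -> int:
    """One step of the Fibonacci LFSR with taps 16, 14, 13, 11:
    compute the feedback bit, shift right, feed it back into the top bit."""
    bit = (state ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
    return ((state >> 1) | (bit << (STATE_BITS - 1))) & STATE_MASK


def output_bits(seed: int, n: int) -> list:
    """Emit n output bits: the low state bit before each step."""
    bits, state = [], seed & STATE_MASK
    for _ in range(n):
        bits.append(state & 1)
        state = lfsr16_step(state)
    return bits


def cycle_structure(step, seed: int) -> tuple:
    """Return (steps before entering the cycle, cycle length) for any
    state-update function `step` on integer states. With an n-bit state the
    sum of the two can never exceed 2^n: the pigeonhole argument behind the
    post's cycle remark. (An LFSR is invertible, so its preperiod is always 0.)"""
    seen, state, t = {}, seed, 0
    while state not in seen:
        seen[state] = t
        state = step(state)
        t += 1
    return seen[state], t - seen[state]


def seeds_consistent_with(observed: list) -> list:
    """Every 16-bit seed whose output starts with `observed`. This is the
    'how long before the output pins down the key' question: each observed bit
    halves the candidate set, and after STATE_BITS bits one seed is left."""
    hits = []
    for seed in range(1 << STATE_BITS):
        state, ok = seed, True
        for b in observed:
            if (state & 1) != b:
                ok = False
                break
            state = lfsr16_step(state)
        if ok:
            hits.append(seed)
    return hits


if __name__ == "__main__":
    seed = 0xACE1  # constructed seed
    print("cycle:", cycle_structure(lfsr16_step, seed))      # (0, 65535)
    print("degenerate seed 0:", cycle_structure(lfsr16_step, 0))  # (0, 1)
    sample = output_bits(seed, 16)
    print("seeds left after 8 bits:", len(seeds_consistent_with(sample[:8])))
    print("seeds left after 16 bits:", seeds_consistent_with(sample))
```

The all-zero seed is the usual LFSR degenerate case (a fixed point of period 1), which is why `cycle_structure` is written generically rather than assuming the maximal period; the same function works for any state-update map, including non-invertible ones with a preperiod.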

------------------------------

Crossposted-To: talk.politics.crypto,alt.hacker
From: [EMAIL PROTECTED] (David Formosa (aka ? the Platypus))
Subject: Re: XOR TextBox Freeware:  Very Lousy.
Reply-To: [EMAIL PROTECTED]
Date: Mon, 23 Apr 2001 05:33:29 GMT

On Tue, 17 Apr 2001 22:32:03 -0700, David Schwartz
<[EMAIL PROTECTED]> wrote:

>       In any realistic application, the XOR function is
> crackable. Generally, 
> you attack the means of distributing the OTP. The big flaw in XOR is it
> shifts the burden of keeping the cipher secure from the cipher itself to
> the user.

Isn't this the rule of good crypto?  All strength should be in the
key?

-- 
Please excuse my spelling as I suffer from agraphia. See
http://dformosa.zeta.org.au/~dformosa/Spelling.html to find out more.
Free the Memes.

------------------------------

From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Subject: Re: OTP WAS BROKEN!!!
Date: Sun, 22 Apr 2001 22:56:19 -0700


Douglas A. Gwyn <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Scott Fluhrer wrote:
> > Wrong.  "K1 being random implies K1 xor K'(1) being random" is a true
> > statement only if K1 and K'(1) are independent in a probabilistic
> > sense, and here they are not.
>
> I admire your patience in wading through the long argument to find
> a specific fatal error in the reasoning.  I didn't bother with it
> because of sloppy use of terminology such as "random", combined
> with having already seen much clearer and more convincing proofs
> of the opposite.

Well, he did bring up a semi-valid complaint -- no one was pointing out the
specific problem he had, only that he was attempting to solve an impossible
problem.  So, I grit my teeth, waded through it, and found where he went
wrong.

And yes, "wading" was definitely the appropriate term here...

--
poncho




------------------------------

From: [EMAIL PROTECTED] (David Formosa (aka ? the Platypus))
Subject: Re: research on polymorphic crypto/Best Possible Privacy?
Reply-To: [EMAIL PROTECTED]
Date: Mon, 23 Apr 2001 06:12:01 GMT

On Sun, 22 Apr 2001 16:36:59 -0700, Shea J. Hawes <[EMAIL PROTECTED]>
wrote:

> I'm looking for research that anyone may have done regarding the product
> Best Possible Privacy.  The underlying technology is described as a
> polymorphic encryption scheme.   There is a description of the algorithm
> at www.identification.de/crypto/descript.html with a related site
> selling the product at www.ciphers.de/bpp.

From the first look it seems that there is no guarantee that their
instruction blocks will generate a strong confusion source.  In fact,
given that a weak pseudorandom generator is more probable than a strong
one, I think you're more likely to get a weak system by this method.

-- 
Please excuse my spelling as I suffer from agraphia. See
http://dformosa.zeta.org.au/~dformosa/Spelling.html to find out more.
Free the Memes.

------------------------------

Date: Mon, 23 Apr 2001 09:19:06 +0300
From: Jyrki Lahtonen <[EMAIL PROTECTED]>
Subject: Re: C code for GF mults

Brian Gladman wrote:
> 
> "Mike Rosing" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > Jyrki Lahtonen wrote:
> > > Define elements x_i recursively as follows:
> 
> Hi Mike,
> 
> > > x_0=1, and
> > >
> > > for i>0 let x_i be a root of the equation
> > >
> > > T^2+x_{i-1}T+1=0 (*)
> > >
> > > It is relatively straightforward to see that x_k then generates
> > > (but is not primitive by a long shot) the field GF(2^(2^k)).
> > > If memory serves me right, it even generates a normal base.
> >

> I don't think so since each iteration doubles the number of bits.  Since x_0
> is 1 bit wide x_1 is 2 bits wide, not 4 bits wide.  It is x_2 that is 4 bits
> wide.  Hence x_k is 2^k bits wide and hence represents field elements in
> GF(2^(2^k)).

This is exactly right.

> 
> Since x_0 = 1, we have
> > a very simple quadratic, but to solve it in GF(anything) we need
> > pick (anything) first.  Depending on what we pick, how do we know
> > it's always 4 bits?
> 
> I think the idea is that of simple field extension.  That is, if a quadratic
> in a field has no solution in this field (it is irreducible if F), a new
> field can be defined with elements Ax + B where A and B are each elements of
> the original field and x is a root of the irreducible quadratic.  Since A
> and B are each n bits wide the representation of elements in the extended
> field (A,B) - is 2n bits wide.
> 
> This is the same principle by which reals are extended to complex numbers -
> by having two real numbers and the root 'i' of x^2+1=0 so that c = (x,y) = x
> + i y. Such field extensions will be covered in any standard book on finite
> fields or abstract algebra (the one I use is 'Introduction to Finite Fields
> and Their Applications' by Lidl and Niederreiter, CUP).

I second this. There is another book by Lidl and Pilz, where they put an
emphasis on computer implementations of the finite fields. Don't
remember the title, sorry.
> 
> > In the complex plane, T = (-1 +/- sqrt(-3))/2.  This lies on the
> > unit circle at 45 degrees, so it's the 4th root of unity.  Is that
> > how you figure the field size?
This would be the third root of unity.
> >
> > Is T always the 2^k th root of unity if you use the 2^(k-1) root as
> > a coefficient?  Pretty cool :-)
Almost, x_k will be a root of unity of order (2^2^(k-1))+1. More or less
the only problem is to show that the equation (*) is irreducible over
GF(2^(2^(i-1))). Given that, the only conjugate (over the previous field)
of x_k is its inverse x_k^(-1), as the product of the two roots of (*)
is obviously 1. But the conjugate is always x_k^(2^(2^(k-1))).
> 
> I believe that there will also be an explanation along the lines you suggest
> in terms of the n'th roots of unity.  These roots can be expressed in terms
> of finite fields (the cyclotomic fields) as well as in terms of complex
> numbers.  The relationship between the n'th roots of unity expressed in
> terms of complex numbers and in terms of finite fields is itself an
> interesting aspect of the subject.
> 
>     Brian Gladman


-- 
Jyrki Lahtonen, docent
Department of Mathematics,
University of Turku,
FIN-20014 Turku, Finland

http://users.utu.fi/lahtonen
tel: (02) 333 6014

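A worked version of the construction discussed in this thread, added here as an editorial example (it is not code from Jyrki Lahtonen, Brian Gladman or Mike Rosing). It builds the tower x_0 = 1, x_i a root of T^2 + x_{i-1} T + 1 = 0, and checks the claims made above by brute force for k = 1..4: the quadratic has no root in the previous field, x_k has multiplicative order 2^(2^(k-1)) + 1, and the conjugate x_k^(2^(2^(k-1))) is the inverse of x_k. The encoding is this example's own choice: an element of GF(2^(2^k)) is a 2^k-bit integer whose high half A and low half B mean A*x_k + B, exactly the (A, B) pair representation Brian describes, so x_k itself is the integer with only the lowest bit of the high half set. Function names are the example's own.

```python
# Added example: the iterated quadratic tower GF(2) -> GF(4) -> GF(16) -> ...
# An element of level k is an integer of width 2^k: (A << 2^(k-1)) | B = A*x_k + B
# with A, B in the level-(k-1) field. Level 0 is GF(2) = {0, 1}.

def width(k: int) -> int:
    """Bit width of an element of GF(2^(2^k))."""
    return 1 << k


def x_elem(k: int) -> int:
    """The generator x_k of level k: x_0 = 1; for k > 0 it is 1*x_k + 0."""
    return 1 if k == 0 else 1 << width(k - 1)


def add(a: int, b: int) -> int:
    """Addition in characteristic 2 is XOR at every level."""
    return a ^ b


def mul(a: int, b: int, k: int) -> int:
    """Multiply in GF(2^(2^k)) using the relation (*): x_k^2 = x_{k-1}*x_k + 1."""
    if k == 0:
        return a & b                          # GF(2)
    half = width(k - 1)
    mask = (1 << half) - 1
    A, B = a >> half, a & mask
    C, D = b >> half, b & mask
    ac = mul(A, C, k - 1)
    bd = mul(B, D, k - 1)
    cross = mul(A, D, k - 1) ^ mul(B, C, k - 1)
    # (A x + B)(C x + D) = AC x^2 + (AD + BC) x + BD, and x^2 = x_{k-1} x + 1,
    # so the x-coefficient picks up AC*x_{k-1} and the constant term picks up AC.
    hi = mul(ac, x_elem(k - 1), k - 1) ^ cross
    lo = ac ^ bd
    return (hi << half) | lo


def power(a: int, e: int, k: int) -> int:
    """Square-and-multiply exponentiation in GF(2^(2^k))."""
    result, base = 1, a
    while e:
        if e & 1:
            result = mul(result, base, k)
        base = mul(base, base, k)
        e >>= 1
    return result


def mult_order(a: int, k: int) -> int:
    """Multiplicative order of a nonzero element (naive loop; fine for small k)."""
    e, p = 1, a
    while p != 1:
        p = mul(p, a, k)
        e += 1
    return e


def quadratic_has_root_in_subfield(k: int) -> bool:
    """Does T^2 + x_{k-1} T + 1 have a root in GF(2^(2^(k-1)))? If not, it is
    irreducible there and adjoining x_k really doubles the field."""
    j = k - 1
    xj = x_elem(j)
    return any(mul(t, t, j) ^ mul(xj, t, j) ^ 1 == 0 for t in range(1 << width(j)))


def frobenius_conjugate_is_inverse(k: int) -> bool:
    """Check x_k^(2^(2^(k-1))) * x_k == 1: the conjugate over the previous
    field (raising to the size of that field) is the inverse of x_k."""
    q = 1 << width(k - 1)                     # size of the previous field
    conj = power(x_elem(k), q, k)
    return mul(conj, x_elem(k), k) == 1


if __name__ == "__main__":
    for k in range(1, 5):
        print(f"k={k}: GF(2^{width(k)}), x_k = {x_elem(k)}, "
              f"order {mult_order(x_elem(k), k)} (expected {(1 << width(k - 1)) + 1}), "
              f"irreducible: {not quadratic_has_root_in_subfield(k)}, "
              f"conjugate is inverse: {frobenius_conjugate_is_inverse(k)}")
```

The orders come out as 3, 5, 17, 257, the Fermat numbers, which also makes concrete the remark that x_k is far from primitive: x_3 has order 17 inside a multiplicative group of order 255. The recursion costs five level-(k-1) multiplications per level-k multiplication, so this is a demonstration of the algebra, not a fast GF(2^n) multiplier.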
------------------------------

From: Dennis Ritchie <[EMAIL PROTECTED]>
Subject: Re: patent this and patent that
Date: Mon, 23 Apr 2001 07:13:51 +0000



Ben Hamilton wrote (in part reacting to the >> material):
 ...
> > Have you actually ever tried to do that? Patents are not written to be
> > understandable. There is no comparison between the intelligibility of
> > a paper describing an idea (even a badly written paper!) and a
> > corresponding patent.
 ...
> 
> I agree, the search facilities aren't that good, they could be better.

>   ...  The product I've been working on the
> last two years was the result of our own observations and knowledge gained
> from the IT industry. We found that reading some patents allowed us to
> abandon certain thoughts and take up others. Quite helpful.

I observe with interest the paper by the Princeton group about
their analysis of the RIAA's "Hack DMCI" challenge regarding the removal
of digital watermarking of music.  The situation was
discussed on /. last week.  The mutterings of a lawyer and some version
of the paper itself are at

  http://cryptome.org/sdmi-attack.htm

The immediate relevance to the topic is this snippet from the paper
("Reading between the lines: Lessons from the SDMI Challenge"
by Craver et al.):

   "It was at this point that we considered a patent search, knowing
   enough about the data hiding method that we could look for specific
   search terms, and we were pleased to discover that this particular
   scheme appears to be listed as an
   alternative embodiment in US patent number 05940135,
   awarded to Aris corporation, now part of Verance [5].
   This provided us with little more detail than we had
   already discovered, but confirmed that we were on the right track,
   as well as providing the probable identity of the company
   which developed the scheme. It also spurred no small amount of
   discussion of the validity of Kerckhoffs's criterion, the
   driving principle in security that one must not rely upon the
   obscurity of an algorithm.
   This is, surely, doubly true when the algorithm is patented."

                Dennis

------------------------------

From: "Brian Gladman" <[EMAIL PROTECTED]>
Subject: Re: C code for GF mults
Date: Mon, 23 Apr 2001 08:37:55 +0100

"Jyrki Lahtonen" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Brian Gladman wrote:
> >
[snip]

> > > In the complex plane, T = (-1 +/- sqrt(-3))/2.  This lies on the
> > > unit circle at 45 degrees, so it's the 4th root of unity.  Is that
> > > how you figure the field size?
> This would be the third root of unity.
> > >
> > > Is T always the 2^k th root of unity if you use the 2^(k-1) root as
> > > a coefficient?  Pretty cool :-)
> Almost, x_k will be a root of unity of order (2^2^(k-1))+1. More or less
> the only problem is to show that the equation (*) is irreducible over
> GF(2^(2^(i-1))). Given that, the only conjugate (over the previous field)
> of x_k is its inverse x_k^(-1), as the product of the two roots of (*)
> is obviously 1. But the conjugate is always x_k^(2^(2^(k-1))).
> >
[snip]

Thanks for the additional detail - I was worried about this aspect of the
field extension but assumed that it must be ok.

I suspect that Conway's method of multiplication is equivalent to the use of
this method for field extension but I have not yet looked at this again
since I saw your formulation.

    Brian Gladman




------------------------------

From: "Brian Gladman" <[EMAIL PROTECTED]>
Subject: Re: C code for GF mults
Date: Mon, 23 Apr 2001 08:43:22 +0100

"Jyrki Lahtonen" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Brian Gladman wrote:

[snip]
> I second this. There is another book by Lidl and Pilz, where they put an
> emphasis on computer implementations of the finite fields. Don't
> remember the title, sorry.

Applied Abstract Algebra, R. Lidl & G. Pilz, Springer-Verlag New York, ISBN
0387982906

     Brian Gladman




------------------------------

From: Anthony Stephen Szopa <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto,alt.hacker
Subject: Re: MS OSs "swap" file:  total breach of computer security.
Date: Mon, 23 Apr 2001 00:45:57 -0700

"Trevor L. Jackson, III" wrote:
> 
> Anthony Stephen Szopa wrote:
> 
> > wtshaw wrote:
> > >
> > ><snip>
> >
> > I do not plan to signal what my solution is but when it is ready you
> > will be satisfied with my approach.
> 
> Paraphrase: "Zat his un Order, und ve haf veys to deal vis zose who disobey Orders."

Veddy intaresting.

------------------------------

From: Anthony Stephen Szopa <[EMAIL PROTECTED]>
Subject: Re: XOR TextBox Freeware: Very Lousy.
Date: Mon, 23 Apr 2001 00:49:21 -0700

"Douglas A. Gwyn" wrote:
> 
> Anthony Stephen Szopa wrote:
> > Read the US Patent Office definition of a OTP.
> 
> I rather doubt that they have an "official" definition.
> Please give a reference to it.
> 
> > And by the way, does it matter to a cracker whether or not the random
> > number files used to XOR messages were from a genuine OTP or from an
> > unreproducable group of random number files?
> 
> Because in the former case (only), cryptanalysis is demonstrably
> infeasible.


You are only able to make this distinction because we have given the
distinction in our situation.

But if the cracker cannot make this distinction then any distinction
does not exist and cryptanalysis is equally demonstrably infeasible.

------------------------------

From: Michael Oestergaard Pedersen <[EMAIL PROTECTED]>
Subject: Re: OTP WAS BROKEN!!!
Date: Mon, 23 Apr 2001 10:05:41 +0200

> If I reuse twice OTP you can break it for sure.

One Time Pad = Used only once

------------------------------

From: "Roger Schlafly" <[EMAIL PROTECTED]>
Subject: Re: 1024bit RSA keys. how safe are they?
Date: Mon, 23 Apr 2001 06:59:50 GMT

"George T." <[EMAIL PROTECTED]> wrote in message
news:9c0956$ph0$[EMAIL PROTECTED]...
> Does anyone has idea how safe RSA 1024 bit keys are? Are they safe enough to
> be used for encrypting credit card information, travelling over the internet
> and or residing on servers (email) for more than 24 hours.

Sure. You could even use 512-bit encryption. Those who steal credit
card info are very unlikely to bother trying to crack 512-bit RSA.
(There are too many other methods that are easier.)




------------------------------

From: "Jack Lindso" <[EMAIL PROTECTED]>
Subject: Re: No base64
Date: Mon, 23 Apr 2001 10:42:03 +0200

Sorry I didn't notice the base64 thingy once again, I'm all left hands.
Here it is again :

I realize that this function is quite amateurish and probably lacks in
design, still though I would like to hear your comments on it.
It's a hash function of 32 bits ( ... yes I know); the important thing is
design, optimization isn't (not now anyways).

*. There is a key of 64 bits (QWord).
[1a]. Take the text, append to it its length.
[2a]. Pad the text till it reaches a length which can be divided into QWords
    (e.g. 16 chars).

[1b]. Take each (char's ASCII) * (its position in the text)
[2b]. Then XOR [1b] with the partial value of the key.

[1c]. Split the result of [2b] into an Array of DWords.
[2c]. XOR all the blocks (block1 ^ block2 ^ block3 etc.), while every even
    block is reversed ($ae34 --> $43ea).
[3c]. The result is a DWord (... yes I know).

It would help me a lot if you could tell me what you think of it.
Cheers.

--
Anticipating the future is all about envisioning the Infinity.
http://www.atstep.com
====================================================
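An editorial reconstruction of the hash described in the post above, added to show the kind of check a reviewer would run on it; it is example code, not the poster's implementation. The description leaves several details open, and every one of them is an assumption here: the appended length is a single byte (length mod 256), padding is zero bytes up to a QWord multiple, positions are 1-based and the product (ASCII * position) is reduced mod 256, "the partial value of the key" is the key byte at the same position mod 8, DWords are read big-endian, and "reversed ($ae34 --> $43ea)" reverses the eight hex digits of the DWord. The function names, key and messages are constructed. The check it demonstrates: because each byte is transformed independently of the others and the DWords are then combined with XOR (and hex-digit reversal only permutes bits, so it is XOR-linear), a change to one byte can be cancelled by a chosen change to the byte eight positions later, which lands at the same byte offset in a block of the same parity. `compensating_change` constructs such a same-length pair with equal hash, which is the property a reviewer would point to first.

```python
# Added example: reconstruction of the posted 32-bit hash (all open details are
# assumptions, marked below) plus the structural check a reviewer would run.

KEY_BYTES = 8   # the post's 64-bit QWord key
BLOCK = 4       # DWord


def _nibble_reverse32(v: int) -> int:
    """'$ae34 --> $43ea': reverse the hex digits of a 32-bit value (assumption)."""
    return int(f"{v:08x}"[::-1], 16)


def lindso_hash(text: bytes, key: int) -> int:
    """The posted steps [1a]..[3c] under the assumptions stated in the lead-in."""
    # [1a] append the length (assumption: one byte, length mod 256)
    buf = bytes(text) + bytes([len(text) & 0xFF])
    # [2a] pad to a QWord multiple (assumption: zero bytes)
    buf += b"\x00" * (-len(buf) % KEY_BYTES)
    key_bytes = key.to_bytes(KEY_BYTES, "big")
    # [1b]/[2b] per byte: (ASCII * 1-based position) mod 256, XOR the key byte
    # at the same position mod 8 (both assumptions)
    mixed = bytes(((c * (i + 1)) & 0xFF) ^ key_bytes[i % KEY_BYTES]
                  for i, c in enumerate(buf))
    # [1c]/[2c]/[3c] big-endian DWords; blocks 2, 4, ... (1-based) reversed; XOR all
    h = 0
    for off in range(0, len(mixed), BLOCK):
        word = int.from_bytes(mixed[off:off + BLOCK], "big")
        if (off // BLOCK) % 2 == 1:
            word = _nibble_reverse32(word)
        h ^= word
    return h


def compensating_change(text: bytes, key: int, pos: int, new_byte: int) -> bytes:
    """Set the byte at 1-based position `pos` to `new_byte` and adjust the byte
    at pos+8 so lindso_hash is unchanged. Needs pos odd (then pos+8 is odd, so
    multiplying by it is invertible mod 256) and pos+8 within the text (not the
    length byte or padding)."""
    i, j = pos, pos + 8
    if i % 2 == 0 or j > len(text):
        raise ValueError("pos must be odd and pos+8 must lie inside the text")
    old_i, old_j = text[i - 1], text[j - 1]
    # XOR difference introduced at byte i; the key XOR cancels in the difference
    delta = ((old_i * i) ^ (new_byte * i)) & 0xFF
    # pick new_j so that (new_j*j) ^ (old_j*j) == delta (mod 256)
    new_j = (pow(j, -1, 256) * (((old_j * j) & 0xFF) ^ delta)) & 0xFF
    out = bytearray(text)
    out[i - 1] = new_byte
    out[j - 1] = new_j
    return bytes(out)


if __name__ == "__main__":
    key = 0x0123456789ABCDEF                  # constructed key
    msg = b"The quick brown fox jumps"        # constructed message
    alt = compensating_change(msg, key, 3, ord("X"))
    print(msg, hex(lindso_hash(msg, key)))
    print(alt, hex(lindso_hash(alt, key)))
```

Because the key only enters through a per-byte XOR, it drops out of every difference between two inputs, so the pairing above works without knowing the key. That is the design point to take from the check: a hash whose output is a linear (XOR) combination of independently transformed input pieces cannot resist chosen differences, whatever the per-byte step looks like.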


------------------------------

From: "Roger Schlafly" <[EMAIL PROTECTED]>
Subject: Re: patent this and patent that
Date: Mon, 23 Apr 2001 07:58:15 GMT

"Dennis Ritchie" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> I observe with interest the paper by the Princeton group about
> their analysis of the RIAA's "Hack DMCI" challenge regarding the removal
> of digital watermarking of music.  The situation was
> discussed on /. last week.  The mutterings of a lawyer and some version
> of the paper itself are at
>   http://cryptome.org/sdmi-attack.htm

The RIAA lawyer letter is amusing -- it threatens legal action if some
academics reveal what they learned in the SDMI Public Challenge.
And yes, they shouldn't be patenting something and then trying to keep
it trade secret.

> The immediate relevance to the topic is this snippet from the paper
> ("Reading between the lines: Lessons from the SDMI Challenge"
> by Craver et al.):
>
>    "It was at this point that we considered a patent search, knowing
>    enough about the data hiding method that we could look for specific
>    search terms, and we were pleased to discover that this particular
>    scheme appears to be listed as an
>    alternative embodiment in US patent number 05940135,
>    awarded to Aris corporation, now part of Verance [5].
>    This provided us with little more detail than we had
>    already discovered, but confirmed that we were on the right track,
>    as well as providing the probable identity of the company
>    which developed the scheme. It also spurred no small amount of
>    discussion of the validity of Kerckhoffs's criterion, the
>    driving principle in security that one must not rely upon the
>    obscurity of an algorithm.
>    This is, surely, doubly true when the algorithm is patented."
>
> Dennis



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
