Cryptography-Digest Digest #229, Volume #14 Wed, 25 Apr 01 07:13:01 EDT
Contents:
Re: OTP WAS BROKEN!!! ("Trevor L. Jackson, III")
Re: Censorship Threat at Information Hiding Workshop ("Trevor L. Jackson, III")
Re: XOR TextBox Freeware: Very Lousy. (Anthony Stephen Szopa)
Re: Delta patching of encrypted data (Benjamin Goldberg)
Re: Censorship Threat at Information Hiding Workshop (David Wagner)
Re: Delta patching of encrypted data (David Wagner)
Re: XOR TextBox Freeware: Very Lousy. (David Formosa (aka ? the Platypus))
Re: Wolf's Secure Channel Theorem (David Formosa (aka ? the Platypus))
Re: XOR TextBox Freeware: Very Lousy. (Eric Lemar)
Re: OTP breaking strategy (David Formosa (aka ? the Platypus))
Re: OTP WAS BROKEN!!! (Volker Hetzer)
Re: OTP WAS BROKEN!!! (Volker Hetzer)
Re: Censorship Threat at Information Hiding Workshop (Mok-Kong Shen)
Re: 1024bit RSA keys. how safe are they? (Volker Hetzer)
Re: effects of mistaken *partial* reuse of a OTP? (Jim Gillogly)
RSA 2001 ("ajd")
Re: RSA 2001 (Quisquater)
Re: Security proof for Steak ("Henrick Hellström")
Re: RSA 2001 (Volker Hetzer)
----------------------------------------------------------------------------
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: OTP WAS BROKEN!!!
Date: Wed, 25 Apr 2001 03:38:16 GMT
nugatory wrote:
> newbie wrote:
> >
> > OTP was broken!
> > It is not a joke.
>
> There's an interesting but underappreciated
> class of problems: minimal-length proofs. When
> I was in college, I watched a really excellent physicist
> write down at the top of a piece of 8.5x11 notebook
> paper the statement that the speed of light is constant
> in all inertial frames. The challenge was to find a
> convincing argument that got to E=mc^2 at the bottom of
> the same sheet of paper.
>
> So here's a challenge: What is the shortest possible
> argument that will convince an intelligent layman
> that an OTP cannot be broken (as long as the "one-time" part
> is honored)? It should be *much* shorter than a
> derivation of E=mc^2.
Convincing a layman requires a definition of "can/can't be broken" that
invokes the concept of theoretical security. Perhaps the shortest
useful comment is a pointer to Shannon's definition.
------------------------------
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Censorship Threat at Information Hiding Workshop
Date: Wed, 25 Apr 2001 03:50:01 GMT
David Wagner wrote:
> Paul Pires wrote:
> >As Donald Nash pointed out,
> >copyright theft is the stealing of ones labors or services that one has secured
> >their rights to.
>
> Once again, this is a misleading metaphor. Theft of physical property
> deprives the owner of the property. "Theft" of intellectual property
> may deprive the owner of the chance to get paid for another copy of the
> IP, but doesn't deprive the owner of the original good. Using the word
> "theft" to refer to uncompensated copying of IP may be effective rhetoric
> when trying to sway the public with soundbites, but to the better-informed
> it is likely to simply come off as deceptive or disingenuous. As always,
> whoever establishes their metaphor in the public eyes is in a good position
> to get their favorite laws passed, but such metaphors can be deceiving.
By this line of reasoning it is impossible to steal an idea. But it seems reasonable
to infer the reality of that act from the existence of the common idiom for a stolen
idea/invention/etc. In specific niches we use specialized terms, such as plagiarism,
but they are derived from the concept of property and the violation of the property
principle called theft.
The cost of the duplication is irrelevant to the possessory rights of the property
owner. Exclusivity often has value. That value is lost (taken) by the act of
duplication. Of course one can take Stallman's position and deny the possibility of
intellectual property. It appears TStD routinely makes this mistake.
------------------------------
From: Anthony Stephen Szopa <[EMAIL PROTECTED]>
Subject: Re: XOR TextBox Freeware: Very Lousy.
Date: Tue, 24 Apr 2001 21:16:07 -0700
David Schwartz wrote:
>
> "David Formosa (aka ? the Platypus)" wrote:
>
> > > In any realistic application, the XOR function is
> > > crackable. Generally,
> > > you attack the means of distributing the OTP. The big flaw in XOR is it
> > > shifts the burden of keeping the cipher secure from the cipher itself to
> > > the user.
>
> > Isn't this the rule of good crypto? All strength should be in the
> > key?
>
> Then why use any crypto at all? If you had a way to distribute and
> secure a key that was the same length and sensitivity as the plaintext,
> just call the plaintext the key and send all zeroes over the unsecured
> channel.
>
> DS
Gee, you sure got us on that one. We are befuddled.
------------------------------
From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: Delta patching of encrypted data
Date: Wed, 25 Apr 2001 06:18:56 GMT
David Wagner wrote:
>
> Benjamin Goldberg wrote:
> >That depends on what kind of PFB chaining you use. Suppose that you
> >hash the key and the prior 8 bytes of pt to get the next byte of
> >keystream. If there are two positions in the file with the same
> >plaintext, then there will be two positions in the file with the same
> >ciphertext -- however, the actual *contents* of the ciphertext will
> >not be directly revealed, just that they are the same. Further, the
> >first differing byte (ie, one past the end of the strings we are
> >looking at) will be revealed in that we can know the XOR of the two
> >plaintext bytes.
>
> Yes, and if it is a block-oriented PFB, then it's not just the
> subsequent byte, it's the subsequent block, usually 64 or 128 bits or
> so.
That's a big if -- considering that the OP wants to be able to create
delta-patches of ciphertext. You can do that with byte-oriented, but
not block-oriented.
> Although the xor of two 64-bit or 128-bit plaintexts does not always
> reveal both plaintexts, I would expect that it will leak information
> frequently enough that this is not a good property.
And how much information is leaked from the xor of a pair of one-byte
plaintexts? Some, but not much. Probably not enough for us to worry,
since it isn't happening all that often.
--
Sometimes the journey *is* its own reward--but not when you're trying to
get to the bathroom in time.
------------------------------
From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Censorship Threat at Information Hiding Workshop
Date: 25 Apr 2001 07:17:49 GMT
Trevor L. Jackson, III wrote:
>By this line of reasoning it is impossible to steal an idea.
Well, I'd say that "theft" is a poor word to use when referring to
duplicating intellectual property. Taking language that refers to
physical property and using it to refer to intellectual property just
leads to confusion and poorly-reasoned arguments.
If you have an observation about intellectual property that you think
is compelling and that is stated in terms of "theft", I suggest trying
the following: replace the word "theft" with "uncompensated copying"
(or whatever you like) and see if it affects how persuasive you find
the argument. If you find the result less compelling after the change,
that might be because the word "theft" carried some emotional weight
that misled you into making a fallacious argument.
------------------------------
From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Delta patching of encrypted data
Date: 25 Apr 2001 07:19:18 GMT
Benjamin Goldberg wrote:
>And how much information is leaked from the xor of a pair of one-byte
>plaintexts? Some, but not much.
Agreed. Yes, I too think this is much less of an issue for one-byte blocks
than for 16-byte blocks. You're right: Thank you.
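To make the two claims in this exchange concrete (identical plaintext runs give identical ciphertext, and the first differing byte leaks the XOR of the two plaintext bytes; a one-byte change resynchronises after the feedback window, which is what keeps ciphertext deltas small), here is an added example of the byte-oriented plaintext-feedback scheme Goldberg describes. It is not code from either poster; the hash (SHA-256), the key, and the sample records are constructed for the demonstration.

```python
import hashlib

WINDOW = 8  # bytes of preceding plaintext fed back into each keystream byte


def _keystream_byte(key: bytes, history: bytes) -> int:
    # "Hash the key and the prior 8 bytes of pt to get the next byte of
    # keystream." SHA-256 is an assumption; the thread names no hash.
    return hashlib.sha256(key + history).digest()[0]


def pfb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    history = bytes(WINDOW)  # zero history before the first byte of the file
    out = bytearray()
    for p in plaintext:
        out.append(p ^ _keystream_byte(key, history))
        history = history[1:] + bytes([p])
    return bytes(out)


def pfb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    history = bytes(WINDOW)
    out = bytearray()
    for c in ciphertext:
        p = c ^ _keystream_byte(key, history)
        out.append(p)
        history = history[1:] + bytes([p])  # feedback uses recovered plaintext
    return bytes(out)


def differing_indices(a: bytes, b: bytes) -> list:
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


# Constructed sample data: two records that share a 29-byte prefix.
KEY = b"example-key-not-for-real-use"
RECORD_A = b"status=OK;user=alice;balance=100"
RECORD_B = b"status=OK;user=alice;balance=900"  # differs from A only at index 29


def equal_prefix_leak(key=KEY, a=RECORD_A, b=RECORD_B) -> dict:
    """What the two ciphertexts alone reveal: the length of the shared plaintext
    prefix (identical ciphertext) and the XOR of the first differing plaintext
    bytes (equal keystream there, because the feedback history is still equal)."""
    ca, cb = pfb_encrypt(key, a), pfb_encrypt(key, b)
    first = differing_indices(ca, cb)[0]
    return {
        "shared_ciphertext_prefix": first,    # bytes of identical ciphertext
        "leaked_xor": ca[first] ^ cb[first],  # == a[first] ^ b[first]
    }


def resync_span(key=KEY, a=RECORD_A, flip_at=5) -> tuple:
    """Flip one plaintext byte and return the first and last ciphertext index
    that changed. Once the changed byte leaves the WINDOW-byte history the
    keystream is identical again, so a delta patch touches at most
    WINDOW + 1 ciphertext bytes."""
    b = bytearray(a)
    b[flip_at] ^= 0x20
    diff = differing_indices(pfb_encrypt(key, a), pfb_encrypt(key, bytes(b)))
    return diff[0], diff[-1]
```

Run `equal_prefix_leak()` and `resync_span()` to see both properties on the sample records. Note what the example does not show: bytes after the first differing one are encrypted under diverging keystreams, so only that single XOR is exposed, which is the one-byte leak the posters judge tolerable; with a block-oriented variant the same construction would expose a whole block.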
------------------------------
From: [EMAIL PROTECTED] (David Formosa (aka ? the Platypus))
Subject: Re: XOR TextBox Freeware: Very Lousy.
Reply-To: [EMAIL PROTECTED]
Date: Wed, 25 Apr 2001 07:49:28 GMT
On Tue, 24 Apr 2001 14:12:29 -0700, David Schwartz <[EMAIL PROTECTED]> wrote:
>
> "David Formosa (aka ? the Platypus)" wrote:
[...]
>> Isn't this the rule of good crypto? All strength should be in the
>> key?
>
> Then why use any crypto at all? If you had a way to distribute and
> secure a key that was the same length and sensitivity as the plaintext,
> just call the plaintext the key and send all zeroes over the unsecured
> channel.
Because the timing might be different. Ship the pads months ahead,
send the data when needed.
--
Please excuse my spelling as I suffer from agraphia. See
http://dformosa.zeta.org.au/~dformosa/Spelling.html to find out more.
Free the Memes.
------------------------------
From: [EMAIL PROTECTED] (David Formosa (aka ? the Platypus))
Subject: Re: Wolf's Secure Channel Theorem
Reply-To: [EMAIL PROTECTED]
Date: Wed, 25 Apr 2001 08:06:56 GMT
On Tue, 24 Apr 2001 09:26:54 -0500, Mark G Wolf <[EMAIL PROTECTED]> wrote:
>> Your conjecture is wrong.
>>
>> Proof: Cut the wire!
>
> There are no wires in information space. Humans certainly need a physical
> medium for communication exchange, but having a secure channel and
> communicating over that channel are two different things.
I would argue that being vulnerable to a denial of service attack (of which
cutting the wire is an example) means the system is insecure to some
degree.
--
Please excuse my spelling as I suffer from agraphia. See
http://dformosa.zeta.org.au/~dformosa/Spelling.html to find out more.
Free the Memes.
------------------------------
From: Eric Lemar <[EMAIL PROTECTED]>
Subject: Re: XOR TextBox Freeware: Very Lousy.
Date: Wed, 25 Apr 2001 08:15:53 GMT
David Schwartz <[EMAIL PROTECTED]> wrote:
> Then why use any crypto at all? If you had a way to distribute and
> secure a key that was the same length and sensitivity as the plaintext,
> just call the plaintext the key and send all zeroes over the unsecured
> channel.
At least 3 reasons I see:
1) Main/obvious reason: You send the pad ahead using some SLOW
mechanism (guy with a briefcase) and then send the cyphertext using a much
faster but insecure channel.
2) If you have a secure channel going from the desired receiver -> the
transmitter but not vice versa, the receiver can send the key along the
secure channel, and an insecure channel can then be used to send the
resultant cyphertext in the other direction.
3) You actually DON'T need a secure channel for transmitting the key. You
only need a channel where the person who will be encrypting using the key
knows whether or not the key was intercepted. Keys that were intercepted
can then simply be discarded and not used. Note that even though such a
channel is sufficient for sending key data (modulo possible denial of
service), it can't securely transmit plaintext.
eric
---------------------------
Eric Lemar
[EMAIL PROTECTED] http://www.cs.washington.edu/homes/elemar
------------------------------
From: [EMAIL PROTECTED] (David Formosa (aka ? the Platypus))
Subject: Re: OTP breaking strategy
Reply-To: [EMAIL PROTECTED]
Date: Wed, 25 Apr 2001 08:30:59 GMT
On Tue, 24 Apr 2001 19:23:46 GMT, Milton G. Webb <[EMAIL PROTECTED]> wrote:
> Tony T. Warnock ([EMAIL PROTECTED]) wrote:
[...]
>>The randomness of quantum mechanics is quite different. It's intrinsic
>>to a system's behavior.
>
> So they say.
No, they have quite nice proofs that it is random and not dependent on
some hidden variable. But since it isn't my field I can't tell you
anything about it.
--
Please excuse my spelling as I suffer from agraphia. See
http://dformosa.zeta.org.au/~dformosa/Spelling.html to find out more.
Free the Memes.
------------------------------
From: Volker Hetzer <[EMAIL PROTECTED]>
Subject: Re: OTP WAS BROKEN!!!
Date: Wed, 25 Apr 2001 10:51:48 +0200
newbie wrote:
>
> I'm just trying to present ideas.
You do more than that. You refuse to accept criticism of your ideas.
> Do not forget that I'm newbie.
You do not behave like one.
> I'm just to exploit extra-information and other tricks to try to reduce
> the number of possibilities.
It's not about the "number of possibilities". It's about whether gaining
information helps you learn something *new* from the encrypted message,
i.e. something you did not know before, given the context you got.
> I tried selecting by degree of randomness.
> I tried by introducing the "context" factor to select.
> I tried by simulating re-using the key.
> All did not work.
Of course not.
> Only guessing what the sender wrote, using extra-information, could
> work.
That's equivalent to bugging the sender's room in order to gain the contents
of the message before it was encrypted.
> This option has no sense.
Exactly.
> My objective is to find a way to give to some messages more weight than
> others.
You cannot do this by using the encrypted message, except its length.
> I'm trying to find some trick to isolate a defined group of P's or K's
> to solve the problem.
You cannot. It's comparable to trying to find some "trick"
to overcome just a bit more friction in order to make that almost
finished perpetuum mobile work.
In fact, it's rather more difficult. We believe in the thermodynamic
laws only because we don't have any contrary experience. For the OTP
we've got a formal proof.
> I have a text and random sequence.
> How to distinguish between the two.
> That is the core of the problem.
You cannot do that.
Volker
--
They laughed at Galileo. They laughed at Copernicus. They laughed at
Columbus. But remember, they also laughed at Bozo the Clown.
------------------------------
From: Volker Hetzer <[EMAIL PROTECTED]>
Subject: Re: OTP WAS BROKEN!!!
Date: Wed, 25 Apr 2001 11:01:39 +0200
nugatory wrote:
>
> newbie wrote:
> >
> > OTP was broken!
> > It is not a joke.
>
> So here's a challenge: What is the shortest possible
> argument that will convince an intelligent layman
> that an OTP cannot be broken (as long as the "one-time" part
> is honored)? It should be *much* shorter than a
> derivation of E=mc^2.
sci.crypt FAQ, question 4.4 .
28 Bytes. Will that do?
Greetings!
Volker
--
They laughed at Galileo. They laughed at Copernicus. They laughed at
Columbus. But remember, they also laughed at Bozo the Clown.
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Censorship Threat at Information Hiding Workshop
Date: Wed, 25 Apr 2001 10:52:12 +0200
"Trevor L. Jackson, III" wrote:
>
[snip]
> The cost of the duplication is irrelevant to the possessory rights of the property
> owner. Exclusivity often has value. That value is lost (taken) by the act of
> duplication. Of course one can take Stallman's position and deny the possibility of
> intellectual property. It appears TStD routinely makes this mistake.
I agree. Copying of software on sale without payment is
also theft. The same is with books, though copying a part
for scientific non-commercial purposes is generally allowed,
if I don't err. For intellectual property there is also
the issue of priority. A well-known case is that of Newton
and Leibniz about infinitesimal calculus.
M. K. Shen
------------------------------
From: Volker Hetzer <[EMAIL PROTECTED]>
Subject: Re: 1024bit RSA keys. how safe are they?
Date: Wed, 25 Apr 2001 11:14:23 +0200
Bill Unruh wrote:
> Who is your enemy? What resources can they bring to bear? Are there
> other means of attack which would be far simpler than cracking the
> encryption? Are your keys properly protected? etc.
Just out of curiosity, what would today be regarded as long enough
for *any* earthly enemy if I wanted to keep a secret for 20 years?
(Simplification: This is just the prime factoring part. I'd rather
not discuss the nuke-proof-bunker-and-everything part, ok?)
Greetings!
Volker
--
They laughed at Galileo. They laughed at Copernicus. They laughed at
Columbus. But remember, they also laughed at Bozo the Clown.
------------------------------
From: Jim Gillogly <[EMAIL PROTECTED]>
Subject: Re: effects of mistaken *partial* reuse of a OTP?
Date: Wed, 25 Apr 2001 02:05:37 -0700
[EMAIL PROTECTED] wrote:
>
> What is the impact on cryptanalysis where two different messages are
> enciphered with a portion of a OTP being mistakenly reused? Eg with
> two OTPs which due to a flaw in production perhaps, have a section in
> common (eg end of one repeated in beginning of next)?
>
> Is the effect simply that the attacker is able to recover those bits
> of the two messages which were encoded with the common section, but
> that the remainder of the two messages are impenetrable, because for
> these bits, the not-in-common bits of each OTP are genuinely one-time?
This is precisely the situation with the VENONA ciphers, 1940's traffic
cracked laboriously by NSA and its predecessor over the next couple of
decades. They were able to determine
occasional overlaps and solve the overlapping pieces of each message.
Non-overlapping pieces (and whole messages) remain as impenetrable today
as when they were transmitted.
> If so then, in practical terms it is possible that mistaken reuse of a
> only a small number of bits (as a proportion of the total message/pad
> length) may be tolerable provided the message material recovered is
> insufficient for the attacker to understand the critical content of
> the messages?
Perhaps, but how is the sender to know which bits are going to be
exposed? If random pieces of your most sensitive correspondence are
leaked, isn't it possible that the leaked pieces are important? Going
back to VENONA, enough was exposed about the Rosenbergs to establish
quite clearly (much more clearly than the evidence produced at their
trial) that they were traitors. Not enough was exposed about Alger
Hiss to demonstrate beyond reasonable doubt that he was a traitor.
How much of your most important secrets are you willing to risk? If
you suspect you're at all likely to reuse your pad, it's time to
pick a new cipher.
--
Jim Gillogly
Mersday, 4 Thrimidge S.R. 2001, 08:56
12.19.8.3.0, 8 Ahau 18 Pop, Sixth Lord of Night
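Gillogly's question, "how is the sender to know which bits are going to be exposed?", has one practical partial answer for the production-flaw case the original poster describes: audit the pad inventory for shared sections before any pad is issued. The following is an added example, not part of either post. It indexes fixed-size windows of every pad, merges matching windows into maximal shared runs, and then shows exactly what a shared run exposes when two messages are encrypted over it (the XOR of the two plaintext segments covered by the overlap). The window size, the pad and message contents, and the flaw model (the tail of one pad repeated at the head of the next) are all constructed for the demonstration.

```python
import os
from collections import defaultdict

WINDOW = 16  # assumed window size; random pads never share a window by chance


def find_shared_sections(pads, window=WINDOW):
    """Return maximal runs of pad material occurring in two places as tuples
    (pad_i, offset_i, pad_j, offset_j, length). Works across pads and within
    a single pad."""
    index = defaultdict(list)
    for pid, pad in enumerate(pads):
        for off in range(len(pad) - window + 1):
            index[pad[off:off + window]].append((pid, off))
    # Every pair of positions that hold the same window is a match.
    pairs = set()
    for positions in index.values():
        for a in range(len(positions)):
            for b in range(a + 1, len(positions)):
                pairs.add((positions[a], positions[b]))
    # Consecutive matching windows (both offsets advance by one) form one run.
    runs = []
    for (pi, oi), (pj, oj) in sorted(pairs):
        prev = runs[-1] if runs else None
        if (prev and prev[0] == pi and prev[2] == pj
                and prev[1] + prev[4] - window + 1 == oi
                and prev[3] + prev[4] - window + 1 == oj):
            prev[4] += 1
        else:
            runs.append([pi, oi, pj, oj, window])
    return [tuple(r) for r in runs]


def otp_xor(pad: bytes, msg: bytes) -> bytes:
    if len(pad) < len(msg):
        raise ValueError("pad shorter than message")
    return bytes(p ^ m for p, m in zip(pad, msg))


def exposed_plaintext_xor(c_i: bytes, c_j: bytes, section) -> bytes:
    """Over a shared section the two keystreams cancel, so XORing the two
    ciphertexts there yields plaintext_i XOR plaintext_j. Outside the
    section the result depends on independent pad bytes and reveals nothing."""
    _, oi, _, oj, length = section
    return bytes(c_i[oi + k] ^ c_j[oj + k] for k in range(length))


# Constructed flaw: the last 24 bytes of PAD_A reappear as the first 24 of PAD_B.
SHARED = os.urandom(24)
PAD_A = os.urandom(40) + SHARED
PAD_B = SHARED + os.urandom(40)
MSG_A = b"Alpha team departs at dawn; hold position until relieved.".ljust(64)[:64]
MSG_B = b"Supply convoy delayed; expect arrival after 1800.".ljust(64)[:64]
C_A = otp_xor(PAD_A, MSG_A)
C_B = otp_xor(PAD_B, MSG_B)


def audit_pads():
    """The pre-issue check: any non-empty result means the pads must not be used."""
    return find_shared_sections([PAD_A, PAD_B])
```

Running `audit_pads()` on the sample pads reports one section, `(0, 40, 1, 0, 24)`, and `exposed_plaintext_xor(C_A, C_B, ...)` over it equals `MSG_A[40:64] XOR MSG_B[0:24]`, which is exactly the overlap the original poster asks about: those 24 bytes of each message are no longer protected by one-time material, while the other 40 bytes of each are. The check is cheap (one dictionary pass over the pad bytes) and belongs in the pad-production pipeline rather than with the operator, who cannot see the overlap from the ciphertext.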
------------------------------
From: "ajd" <[EMAIL PROTECTED]>
Subject: RSA 2001
Date: Wed, 25 Apr 2001 11:00:32 +0100
Did anyone go? What were the highlights (in particular to the Chris Gaj
talk on fast FPGA designs)?
Andrew
------------------------------
From: Quisquater <[EMAIL PROTECTED]>
Subject: Re: RSA 2001
Date: Wed, 25 Apr 2001 12:40:34 +0200
ajd wrote:
>
> Did anyone go? What were the highlights (in particular to the Chris Gaj
> talk on fast FPGA designs)?
>
> Andrew
Very interesting talk and paper (see springer-verlag),
see http://www.appcluster05.com/images/123/crymon925.pdf
coming from http://www.rsaconference.com/rsa2001/index2.html
------------------------------
From: "Henrick Hellström" <[EMAIL PROTECTED]>
Subject: Re: Security proof for Steak
Date: Wed, 25 Apr 2001 12:38:32 +0200
"Tom St Denis" <[EMAIL PROTECTED]> skrev i meddelandet
news:6TnF6.50080$[EMAIL PROTECTED]...
>
> "Henrick Hellström" <[EMAIL PROTECTED]> wrote in message
> news:9c518o$kon$[EMAIL PROTECTED]...
> > Furthermore, your design would not really be an 8-byte block cipher, unless
> > you discarded the PCFB-mode-ish feedback too.
>
> It is. You make a feistel with a 4-byte round function. Hm.. that's
> 8-bytes if my math is sharp enough.
Where would you get the feedback from?
> > Lastly, you are right about the behavior of iterated MDS matrix transforms.
> > Actually, I think I just found an MDS matrix such that eight iterations of
> > it would be equal to four iterations of the Steak MT matrix with fixed
> > S-boxes. But that just seems to add to the perception of the robustness of
> > the present design.
>
> Right ok.
Actually, this property seems to be irrelevant. Regardless of whether the Steak
matrix or an MDS matrix is used, for each of the four bytes exactly one
column of the 4 by 256 dword matrix representation is zero in any of the
four output bytes. Hence, if you add random single cycle permutation S-boxes,
any one byte differential will in both cases result in any output
differential after at most four iterations.
(BTW, regarding what I wrote lastly in the previous post, what happens is
that the Steak matrix is equivalent to the TwoFish matrix, except that first
the columns and then the rows are permuted. The latter permutation has a
cycle structure that when iterated coincides with iterations of other
permutations. However, the iteration of the MDS matrix seems to have to be
wrapped in a rotation for this to work.)
--
Henrick Hellström [EMAIL PROTECTED]
StreamSec HB http://www.streamsec.com
------------------------------
From: Volker Hetzer <[EMAIL PROTECTED]>
Subject: Re: RSA 2001
Date: Wed, 25 Apr 2001 12:58:27 +0200
Quisquater wrote:
>
> ajd wrote:
> >
> > Did anyone go? What were the highlights (in particular to the Chris Gaj
> > talk on fast FPGA designs)?
> >
> > Andrew
>
> Very interesting talk and paper (see springer-verlag),
>
> see http://www.appcluster05.com/images/123/crymon925.pdf
Well, if I got it right, those guys simply put more
pipeline stages to shorten the combinational depth so that
the FPGA could run at greater clock frequency.
Balancing the combinational paths is the bread and butter
stuff for hardware designers, so nothing really exciting here.
Greetings!
Volker
--
They laughed at Galileo. They laughed at Copernicus. They laughed at
Columbus. But remember, they also laughed at Bozo the Clown.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************