Cryptography-Digest Digest #232, Volume #14 Wed, 25 Apr 01 16:13:01 EDT
Contents:
Re: OTP WAS BROKEN!!! ("Mark G Wolf")
Re: OTP WAS BROKEN!!! ("Tony T. Warnock")
Re: Censorship Threat at Information Hiding Workshop (John Myre)
What Is the Quality of Randomness? ("Mark G Wolf")
Improvement to GOST? ("John L. Allen")
Re: Improvement to GOST? ("Tom St Denis")
Re: What Is the Quality of Randomness? ("Tom St Denis")
Key scheduling of block cipher (Mok-Kong Shen)
Re: What Is the Quality of Randomness? ("Mark G Wolf")
Re: What Is the Quality of Randomness? ("Tom St Denis")
Re: Key scheduling of block cipher ("Tom St Denis")
Re: 1024bit RSA keys. how safe are they? ("Brian Hetrick")
Re: What Is the Quality of Randomness? ("Mark G Wolf")
Re: What Is the Quality of Randomness? ("Tom St Denis")
Re: Key scheduling of block cipher (Mok-Kong Shen)
Re: SHA PRNG ("Sam Simpson")
Re: Censorship Threat at Information Hiding Workshop (Terry Ritter)
Re: What Is the Quality of Randomness? (Terry Ritter)
Re: OTP WAS BROKEN!!! ("Tony T. Warnock")
Re: Key scheduling of block cipher ("Tom St Denis")
Re: OTP breaking strategy (newbie)
Re: OTP breaking strategy (newbie)
Re: OTP breaking strategy ("Tom St Denis")
Re: OTP breaking strategy ("Tom St Denis")
----------------------------------------------------------------------------
From: "Mark G Wolf" <[EMAIL PROTECTED]>
Subject: Re: OTP WAS BROKEN!!!
Date: Wed, 25 Apr 2001 13:15:26 -0500
> statistics of k are uniform, C1 and C2 also have uniform statistics. P1-P2
> will not have uniform statistics and thus be detected. It's easy to unscramble
> the combination of two plaintexts.
(Playing the devil's advocate) Exactly what statistics are you referring
to?
------------------------------
From: "Tony T. Warnock" <[EMAIL PROTECTED]>
Subject: Re: OTP WAS BROKEN!!!
Date: Wed, 25 Apr 2001 12:17:42 -0600
Reply-To: [EMAIL PROTECTED]
newbie wrote:
> And how many solutions could solve P Xor P' = C Xor C'?
>
> "Tony T. Warnock" wrote:
> >
> > The basic idea is that even without knowing the key, you can remove it.
> > Thus you are left with a combination of two plaintexts which is easy to
> > decrypt.
Generally about one. Notice that P.XOR.P' combines two plaintexts which have
plaintext-like structure.
------------------------------
From: John Myre <[EMAIL PROTECTED]>
Subject: Re: Censorship Threat at Information Hiding Workshop
Date: Wed, 25 Apr 2001 12:27:47 -0600
I think you and I are in fairly close agreement. I'm
hoping that David will respond to my query about terminology,
in spite of the fact that it is, as you say, OT as far as the
original issue goes. It's still interesting.
JM
Paul Pires wrote:
<snip>
> To get back to the original thread, Felten et al. This is an outrageous
> affront but it has nothing to do with copyright or patent. This evil act has
> somehow been turned into another example of why intellectual property
> is bad bad bad. "Look what these guys are doing to poor old Fenton".
<snip>
Seconded. Doug Gwyn noted that the early pirates (whether
considered heroes or criminals) could take some responsibility
for the escalation we've seen. While true, the comment did
redirect the discussion, and begs for objections.
JM
------------------------------
From: "Mark G Wolf" <[EMAIL PROTECTED]>
Subject: What Is the Quality of Randomness?
Date: Wed, 25 Apr 2001 13:33:56 -0500
You guys are a great source of inspiration, so I ask you, what is the
quality of randomness?
If I go to my local random super-center in town can I buy a better quality
of randomness, and will it cost more? Since I don't know much about the
quality of randomness I hate to get cheated by a less than honest or
knowledgeable sales person. Can you folks help by giving me some basic
pointers in what to look for?
------------------------------
From: "John L. Allen" <[EMAIL PROTECTED]>
Subject: Improvement to GOST?
Date: Wed, 25 Apr 2001 18:01:29 GMT
I've been playing with the GOST block algorithm. As we all know, one of
its main features is the transformation of a 32-bit word by applying a
different permutation to each of the 8 4-bit pieces. It does this via 8
secret (or key-dependent) 16-element sboxes. I was thinking that it
would be easy to treat each of these sboxes as an rc4-style sbox and
swap a pair of elements in a different sbox after encrypting each
block. So, each of the 8 sboxes would have its own (i,j) and after the
first block is encrypted, sbox0 would be permuted thusly: i0++;
j0+=sbox0[i0]; swap sbox0[i0], sbox0[j0]. After block two is encrypted,
sbox1 would be permuted, etc. This seems like it would be much stronger
than plain old GOST, making it have aspects of a stream cipher.
Comments?
John.
------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Improvement to GOST?
Date: Wed, 25 Apr 2001 18:53:08 GMT
"John L. Allen" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> I've been playing with the GOST block algorithm. As we all know, one of
> its main features is the transformation of a 32-bit word by applying a
> different permutation to each of the 8 4-bit pieces. It does this via 8
> secret (or key-dependent) 16-element sboxes. I was thinking that it
> would be easy to treat each of these sboxes as an rc4-style sbox and
> swap a pair of elements in a different sbox after encrypting each
> block. So, each of the 8 sboxes would have its own (i,j) and after the
> first block is encrypted, sbox0 would be permuted thusly: i0++;
> j0+=sbox0[i0]; swap sbox0[i0], sbox0[j0]. After block two is encrypted,
> sbox1 would be permuted, etc. This seems like it would be much stronger
> than plain old GOST, making it have aspects of a stream cipher.
> Comments?
Problems. You can't seek with that. With block ciphers you can encrypt in
counter mode so you can seek etc. You have to receive the blocks in order
too.
Another problem. It's slower. The sboxes are typically fixed and known
(despite AC2 claims) because it's faster that way. It's often better to
pick good known boxes than to randomly pick em.
Tom
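The per-block S-box evolution proposed in John Allen's post, and the seeking objection raised in the reply, as an added Python model written for this digest (it is not code from either poster). It models only the eight 16-entry S-boxes and their RC4-style update, not the GOST round function; the starting S-boxes are constructed permutations, since the real ones are key-dependent. The point it makes concrete is that the S-boxes in effect for block n depend on every block processed before it, so block n cannot be processed without replaying the n earlier updates, which is exactly why counter-mode style seeking and out-of-order delivery stop working.

```python
"""Added example: RC4-style evolution of eight 16-entry S-boxes, one box per block."""


def constructed_sboxes():
    """Eight distinct 16-entry permutations, constructed for this example.
    k*3 mod 16 is a permutation (3 is coprime to 16); the b*5 offset
    makes each box different."""
    return [[(k * 3 + b * 5) % 16 for k in range(16)] for b in range(8)]


class EvolvingSboxes:
    def __init__(self, sboxes):
        self.s = [list(box) for box in sboxes]   # private copy, start state untouched
        self.i = [0] * 8                         # per-box i pointer
        self.j = [0] * 8                         # per-box j pointer
        self.blocks_done = 0

    def step(self):
        """Called after every block: update S-box (blocks_done mod 8) with
        the proposed rule  i++; j += S[i]; swap S[i], S[j]  (all mod 16)."""
        b = self.blocks_done % 8
        s = self.s[b]
        self.i[b] = (self.i[b] + 1) % 16
        self.j[b] = (self.j[b] + s[self.i[b]]) % 16
        s[self.i[b]], s[self.j[b]] = s[self.j[b]], s[self.i[b]]
        self.blocks_done += 1

    def substitute(self, word):
        """GOST-style nibble substitution of a 32-bit word: nibble k goes
        through S-box k, using whatever state the boxes are in right now."""
        out = 0
        for k in range(8):
            nib = (word >> (4 * k)) & 0xF
            out |= self.s[k][nib] << (4 * k)
        return out


def sboxes_for_block(start, n):
    """State in effect when block n (0-based) is processed. There is no
    shortcut: the only way to obtain it is to replay the n earlier updates."""
    st = EvolvingSboxes(start)
    for _ in range(n):
        st.step()
    return st


def state_diverges(start, n):
    """True if the S-boxes used for block n differ from the starting boxes."""
    return sboxes_for_block(start, n).s != [list(b) for b in start]


if __name__ == "__main__":
    start = constructed_sboxes()
    for n in (0, 1, 8, 9):
        st = sboxes_for_block(start, n)
        print("block %d: S-box0 = %s  changed: %s" % (n, st.s[0], state_diverges(start, n)))
```

Every state stays a valid set of permutations (a swap never breaks that), so the proposal is not wrong in itself; the cost is purely the loss of random access that the reply points out.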
------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: What Is the Quality of Randomness?
Date: Wed, 25 Apr 2001 18:53:46 GMT
"Mark G Wolf" <[EMAIL PROTECTED]> wrote in message
news:9c75cb$7538$[EMAIL PROTECTED]...
> You guys are a great source of inspiration, so I ask you, what is the
> quality of randomness?
>
> If I go to my local random super-center in town can I buy a better quality
> of randomness, and will it cost more? Since I don't know much about the
> quality of randomness I hate to get cheated by a less than honest or
> knowledgeable sales person. Can you folks help by giving me some basic
> pointers in what to look for?
Randomness is just a POV topic. If I make a bit, say c=0, and that's random
from your point of view, it must be random for all intents and purposes.
Tom
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Key scheduling of block cipher
Date: Wed, 25 Apr 2001 21:05:39 +0200
I'd like to re-raise an issue that I mentioned in a discussion
of a thread of the group quite a time back.
A block cipher commonly employs for its n rounds n subkeys
that are derived from a user supplied key in some manner.
One can apparently do simple modifications in two ways:
(1) change the order of the subkeys for the rounds, (2) xor
the subkeys with some secret random bit sequences. (These
modifications could be altered independent of the change
of the proper keys.)
Are there any negative impacts of such modifications to
the security of the cipher? It seems that at least brute-
forcing is rendered more difficult thereby.
M. K. Shen
=========================
http://home.t-online.de/home/mok-kong.shen
------------------------------
From: "Mark G Wolf" <[EMAIL PROTECTED]>
Subject: Re: What Is the Quality of Randomness?
Date: Wed, 25 Apr 2001 14:05:11 -0500
> Randomness is just a POV topic. If I make a bit, say c=0, and that's random
> from your point of view, it must be random for all intents and purposes.
No, doesn't there have to be more than one object before you can call
something a random... "occurrence"? In fact how many objects does there
have to be before we can decide on a randomness? Is 010 more or less random
than 110 ?
------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: What Is the Quality of Randomness?
Date: Wed, 25 Apr 2001 19:11:19 GMT
"Mark G Wolf" <[EMAIL PROTECTED]> wrote in message
news:9c776u$4qp6$[EMAIL PROTECTED]...
> > Randomness is just a POV topic. If I make a bit, say c=0, and that's random
> > from your point of view, it must be random for all intents and purposes.
>
> No, doesn't there have to be more than one object before you can call
> something a random... "occurrence"? In fact how many objects does there
> have to be before we can decide on a randomness? Is 010 more or less random
> than 110 ?
010 is only more random than 110 if 110 occurs more frequently.
Tom
------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Key scheduling of block cipher
Date: Wed, 25 Apr 2001 19:12:35 GMT
"Mok-Kong Shen" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
> I'd like to re-raise an issue that I mentioned in a discussion
> of a thread of the group quite a time back.
>
> A block cipher commonly employs for its n rounds n subkeys
> that are derived from a user supplied key in some manner.
> One can apparently do simple modifications in two ways:
> (1) change the order of the subkeys for the rounds, (2) xor
> the subkeys with some secret random bit sequences. (These
> modifications could be altered independent of the change
> of the proper keys.)
>
> Are there any negative impacts of such modifications to
> the security of the cipher? It seems that at least brute-
> forcing is rendered more difficult thereby.
It's still key material. If you have N W-bit subkeys and their order is
secret... well you can still guess em in 2^(NW) steps regardless of order.
If you xor them then ... well you can still guess them with 2^(NW) steps..
Tom
------------------------------
From: "Brian Hetrick" <[EMAIL PROTECTED]>
Subject: Re: 1024bit RSA keys. how safe are they?
Date: Wed, 25 Apr 2001 19:13:44 GMT
"Paul Schlyter" wrote ...
> "Brute-forcing" a key is trying all possible key values until you
> eventually find the correct key. But you don't brute-force RSA
> keys, instead you factor the modulus of the key, and once you know
> the factors it's trivial to compute the secret exponent from the
> public exponent.
>
> Factoring an RSA key, even with a naive factoring algorithm, is many
> orders of magnitude faster than brute-forcing the key, i.e. trying
> all possible key values until you find the right key.
>
> Factoring an RSA key also needs no plaintext-ciphertext pair. If
> you brute-force a key, you do need a plaintext-ciphertext pair.
>
> Therefore RSA keys are never brute-forced -- they're factored.
I hadn't realized "brute force" had such a specific meaning. I had
understood "brute force" to mean recovery of the key through a search
process, as opposed to "breaking" the encryption through finding a
reversal of the algorithm.
I would consider RSA broken, for example, if the available public key
information were sufficient to reasonably quickly recover p and q.
For example, if p+q were known, p and q could be recovered trivially.
However, _some_ information about p+q is known -- in particular, e is
known to be relatively prime to (p-1)(q-1) = pq - (p+q) + 1. It's a
long way from that to breaking RSA, but perhaps some modular
arithmetic equivalent to Bairstow's method is known and applicable.
Recovering p and q through straightforward factoring of pq would, in
my mind, be a brute force solution to recovering the key, as it is
"merely" a search process.
On the other hand, I'm always ready to learn, so thank you for the
correction.
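The two facts the post above leans on, that p and q follow trivially once p+q is known and that (p-1)(q-1) = pq - (p+q) + 1, worked through as an added Python example (not Brian Hetrick's code). Given n = pq and s = p+q, p and q are the roots of x^2 - s x + n = 0, so one integer square root finishes the job; the small primes are constructed for illustration, and nothing here helps against a real key, because s is precisely what an attacker does not have.

```python
"""Added example: recovering p, q and the private exponent from n and s = p + q."""
from math import isqrt


def factor_from_sum(n: int, s: int):
    """Return (p, q) with p <= q from n = p*q and s = p + q.
    p and q are the roots of x^2 - s*x + n, i.e. (s -/+ sqrt(s^2 - 4n)) / 2.
    Returns None when s is not consistent with n."""
    disc = s * s - 4 * n
    if disc < 0:
        return None
    r = isqrt(disc)
    if r * r != disc:                 # discriminant must be a perfect square
        return None
    p, q = (s - r) // 2, (s + r) // 2
    if p < 2 or p * q != n:
        return None
    return p, q


def euler_phi_from_sum(n: int, s: int) -> int:
    """(p-1)(q-1) = pq - (p+q) + 1, the identity quoted in the post."""
    return n - s + 1


def private_exponent(n: int, s: int, e: int) -> int:
    """With phi known, d is a single modular inverse; this is the 'trivial'
    step that makes knowledge of p+q equivalent to knowledge of the key."""
    return pow(e, -1, euler_phi_from_sum(n, s))


if __name__ == "__main__":
    # Constructed toy key: p = 53, q = 61, e = 17 (far too small for real use).
    n, s, e = 53 * 61, 53 + 61, 17
    print("p, q =", factor_from_sum(n, s))
    print("phi   =", euler_phi_from_sum(n, s))
    print("d     =", private_exponent(n, s, e))
```

The `isqrt` check also rejects a wrong guess for s cleanly, so the function doubles as a consistency test: if s^2 - 4n is not a perfect square, no such p and q exist.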
------------------------------
From: "Mark G Wolf" <[EMAIL PROTECTED]>
Subject: Re: What Is the Quality of Randomness?
Date: Wed, 25 Apr 2001 14:14:58 -0500
> 010 is only more random than 110 if 110 occurs more frequently.
In or with respect to what? How about 011 and 110, which is more random?
------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: What Is the Quality of Randomness?
Date: Wed, 25 Apr 2001 19:18:25 GMT
"Mark G Wolf" <[EMAIL PROTECTED]> wrote in message
news:9c77p8$15ie$[EMAIL PROTECTED]...
> > 010 is only more random than 110 if 110 occurs more frequently.
>
> In or with respect to what? How about 011 and 110, which is more random?
Your question is nonsense. For example 1 is not less random than 0 if they
occur with equal probability.
May I suggest you take a class in finite or combinatorics?
Tom
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Key scheduling of block cipher
Date: Wed, 25 Apr 2001 21:17:20 +0200
Tom St Denis wrote:
>
> It's still key material. If you have N W-bit subkeys and their order is
> secret... well you can still guess em in 2^(NW) steps regardless of order.
>
> If you xor them then ... well you can still guess them with 2^(NW) steps..
My question was about negative impacts, i.e. whether
the modifications could render the cipher weaker than
the original and whether it generally means more strength.
M. K. Shen
------------------------------
From: "Sam Simpson" <[EMAIL PROTECTED]>
Subject: Re: SHA PRNG
Date: Wed, 25 Apr 2001 20:17:32 +0100
http://www.cs.auckland.ac.nz/~pgut001/pubs/thesis.html
--
Regards,
Sam
http://www.scramdisk.clara.net/
Tom St Denis <[EMAIL PROTECTED]> wrote in message
news:ukCF6.55664$[EMAIL PROTECTED]...
>
> "Peter Gutmann" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > "Dobs" <[EMAIL PROTECTED]> writes:
> >
> > >Perhaps You know where can I find on the web the description of SHA PRNG
> > >or the source code for it ( I mean not for SHA but SHA prng :) where this
> > >algorithm is used :.
> > >1. Make up a random string R and a binary counter C
> > >2. Get T = HASH(R || C)
> > >3. Increment C
> > >4. Output T and goto 2 as required.
> >
> > This PRNG isn't very good, see Bob Baldwin's analysis of the BSAFE 3.x PRNG in
> > an RSA labs bulletin dating from late 1998 (available from the RSA labs web
> > site) where he analyses this type of PRNG and explains why BSAFE doesn't use
> > it. The PRNG above is the one used in AC2, I comment on it (and many other
> > PRNGs, eg PGP 2.x, PGP 5.x, ssh, SSLeay, Capstone, etc etc) in my paper on
> > (believe it or not :-) PRNGs, linked from
> > http://www.cs.auckland.ac.nz/~pgut001/thesis/.
>
> 4-oh-4 on your page dude...
>
> Can you give us a synopsis of why it's bad first? Just wondering.
>
> Tom
>
>
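The four-step construction quoted in this thread (T = HASH(R || C), increment C, repeat), written out as an added Python example with SHA-1 standing in for HASH; this is not code from any of the posters, and the seed value is constructed. The one property the code makes visible, independent of the analyses the thread points to, is that the entire state is the pair (R, C) and C only counts up: anyone holding (R, C) at some moment recomputes every earlier output as easily as every later one.

```python
"""Added example: the counter-hash PRNG  T = HASH(R || C); C += 1."""
import hashlib
import struct


def output_block(seed: bytes, counter: int) -> bytes:
    """Block number `counter` of the stream: HASH(R || C) with C as a
    fixed-width big-endian 64-bit counter (encoding is an assumption of
    this example; the quoted description leaves it open)."""
    return hashlib.sha1(seed + struct.pack(">Q", counter)).digest()


class CounterHashPrng:
    """Steps 1-4 of the quoted algorithm. State is nothing but (R, C)."""

    def __init__(self, seed: bytes, counter: int = 0):
        self.r = seed          # step 1: the random string R (never changes)
        self.c = counter       # step 1: the binary counter C

    def next_block(self) -> bytes:
        t = output_block(self.r, self.c)   # step 2
        self.c += 1                         # step 3
        return t                            # step 4

    def read(self, nbytes: int) -> bytes:
        out = b""
        while len(out) < nbytes:
            out += self.next_block()
        return out[:nbytes]


def recompute_history(seed: bytes, counter_now: int) -> list:
    """What a party that learns (R, C) at time C = counter_now can rebuild:
    all blocks 0 .. counter_now-1 that were already handed out."""
    return [output_block(seed, c) for c in range(counter_now)]


if __name__ == "__main__":
    SEED = b"constructed-seed-not-secret"
    g = CounterHashPrng(SEED)
    first, second = g.next_block(), g.next_block()
    print("block 0:", first.hex())
    print("block 1:", second.hex())
    print("history rebuilt from (R, C=2) matches:",
          recompute_history(SEED, g.c) == [first, second])
```

A generator whose past outputs fall out of its current state this directly offers no backtracking resistance, which is one of the things a reader should look for in the analyses the thread links to.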
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Censorship Threat at Information Hiding Workshop
Date: Wed, 25 Apr 2001 19:32:12 GMT
On 25 Apr 2001 07:17:49 GMT, in <9c5tmt$e9r$[EMAIL PROTECTED]>, in
sci.crypt [EMAIL PROTECTED] (David Wagner) wrote:
>Trevor L. Jackson, III wrote:
>>By this line of reasoning it is impossible to steal an idea.
>
>Well, I'd say that "theft" is a poor word to use when referring to
>duplicating intellectual property. Taking language that refers to
>physical property and using it to refer to intellectual property just
>leads to confusion and poorly-reasoned arguments.
If you don't like the word "theft" because you think it biased,
presumably you have a better word in mind. But what would that word
be? And if there is no word without bias, perhaps the wording is not
the problem. Maybe the real problem is that there is no easy way to
describe theft as not-theft.
The worth of individual creation is not in some sort of static
self-applause, where the worth is the thing itself. Instead, the
worth of intellectual property is in the dynamic transfer of that work
to others, and what they are willing to pay for that transfer.
From classic times, writers have sold their work to an audience of
individuals. When that audience receives that same work in other ways
-- even if others just give it away -- the market for the original
work is reduced. If that is not "stealing" worth from the
intellectual property owner, what is it?
>If you have an observation about intellectual property that you think
>is compelling and that is stated in terms of "theft", I suggest trying
>the following: replace the word "theft" with "uncompensated copying"
>(or whatever you like) and see if it affects how persuasive you find
>the argument. If you find the result less compelling after the change,
>that might be because the word "theft" carried some emotional weight
>that misled you into making a fallacious argument.
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: What Is the Quality of Randomness?
Date: Wed, 25 Apr 2001 19:32:40 GMT
On Wed, 25 Apr 2001 13:33:56 -0500, in
<9c75cb$7538$[EMAIL PROTECTED]>, in sci.crypt "Mark G
Wolf" <[EMAIL PROTECTED]> wrote:
>You guys are a great source of inspiration, so I ask you, what is the
>quality of randomness?
Randomness is the uncertainty in the quality you measure.
>If I go to my local random super-center in town can I buy a better quality
>of randomness, and will it cost more?
Randomness is worse to the extent that it is predictable. Testing
various prediction possibilities without success can lead to more
confidence that the result actually is unpredictable. Basing results
on fundamentally unpredictable quantities may lead to even more
confidence.
>Since I don't know much about the
>quality of randomness I hate to get cheated by a less than honest or
>knowledgeable sales person. Can you folks help by giving me some basic
>pointers in what to look for?
Tests may expose non-randomness, but non-randomness may exist which
any number of tests cannot expose. We cannot even conclude that any
predictability which may exist is small; even after extensive testing,
it is possible that a supposedly-random sequence may be absolutely
predictable indefinitely. Accordingly, this is an issue of art, as
well as science.
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
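The point made above, that tests can expose non-randomness but cannot certify unpredictability, as an added Python example (mine, not Terry Ritter's): two standard statistical tests from NIST SP 800-22 (frequency and runs) plus a tiny prediction check, run over constructed bit sequences. One of the sequences passes both statistical tests with a perfect score and is nonetheless completely predictable.

```python
"""Added example: statistical tests versus a prediction check on constructed bit sequences."""
import math


def monobit_pvalue(bits) -> float:
    """Frequency (monobit) test, NIST SP 800-22 2.1: are ones and zeros balanced?
    Returns a p-value; below 0.01 is conventionally a failure."""
    n = len(bits)
    s = sum(1 if b else -1 for b in bits)
    return math.erfc(abs(s) / math.sqrt(n) / math.sqrt(2))


def runs_pvalue(bits) -> float:
    """Runs test, NIST SP 800-22 2.3: is the number of runs (maximal blocks of
    identical bits) what an unbiased independent source would produce?"""
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0            # frequency prerequisite not met; counted as a failure
    runs = 1 + sum(1 for a, b in zip(bits, bits[1:]) if a != b)
    num = abs(runs - 2 * n * pi * (1 - pi))
    den = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(num / den)


def passes_tests(bits, alpha: float = 0.01) -> dict:
    return {"monobit": monobit_pvalue(bits) >= alpha,
            "runs": runs_pvalue(bits) >= alpha}


def shortest_period(bits, max_period: int = 64):
    """A prediction check: the smallest p such that every bit equals the bit p
    positions earlier, or None. A hit means the whole sequence is predictable
    from its first p bits, whatever the statistical tests said."""
    for p in range(1, max_period + 1):
        if all(bits[i] == bits[i - p] for i in range(p, len(bits))):
            return p
    return None


# Constructed sequences, 1000 bits each.
ALTERNATING = [0, 1] * 500                      # balanced, but far too many runs
PAIRS = [0, 0, 1, 1] * 250                      # balanced AND the expected number of runs
BIASED = [1, 1, 1, 0, 1, 1, 1, 0, 1, 0] * 100   # 70% ones

if __name__ == "__main__":
    for name, seq in (("alternating", ALTERNATING), ("pairs", PAIRS), ("biased", BIASED)):
        print("%-12s passes=%s  period=%s" % (name, passes_tests(seq), shortest_period(seq)))
```

`PAIRS` is the sequence to notice: both tests return a p-value of 1.0, yet the period check predicts it perfectly from four bits. Adding more tests shrinks the set of such sequences but never empties it, which is the sense in which the question above is art as well as science.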
------------------------------
From: "Tony T. Warnock" <[EMAIL PROTECTED]>
Subject: Re: OTP WAS BROKEN!!!
Date: Wed, 25 Apr 2001 13:42:26 -0600
Reply-To: [EMAIL PROTECTED]
Mark G Wolf wrote:
> > statistics of k are uniform, C1 and C2 also have uniform statistics. P1-P2
> > will not have uniform statistics and thus be detected. It's easy to unscramble
> > the combination of two plaintexts.
>
> (Playing the devil's advocate) Exactly what statistics are you referring
> to?
The incidence of coincidence comes to mind. Also, the distribution of a
combination of two plaintexts is not uniform.
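The two observations in this exchange, that the pad cancels out of C1 XOR C2 and that the resulting combination of two plaintexts is not uniform (which the "incidence of coincidence" measures), as an added Python example that is not code from any of the posters. The plaintexts are constructed; the detector is the kind of check an operator would run over their own traffic to catch a pad issued twice.

```python
"""Added example: detecting a reused one-time pad from C1 ^ C2 alone."""
import os
from collections import Counter

# Constructed sample plaintexts of equal length (65 bytes each).
P1 = b"the quick brown fox jumps over the lazy dog and keeps running far"
P2 = b"pack my box with five dozen liquor jugs before the shop closes up"


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def index_of_coincidence(data: bytes) -> float:
    """Probability that two randomly chosen positions hold the same byte.
    A uniform byte stream gives about 1/256 = 0.0039; natural text, or the
    XOR of two natural texts, gives a markedly larger value because both
    concentrate on a small part of the byte range."""
    n = len(data)
    if n < 2:
        return 0.0
    counts = Counter(data)
    return sum(c * (c - 1) for c in counts.values()) / (n * (n - 1))


def encrypt_pair(p1: bytes, p2: bytes, k1: bytes, k2: bytes):
    """Pad-encrypt two messages; passing the same bytes for k1 and k2 models the misuse."""
    return xor_bytes(p1, k1), xor_bytes(p2, k2)


def key_dropped_out(c1: bytes, c2: bytes, p1: bytes, p2: bytes) -> bool:
    """With a shared pad, C1 ^ C2 == P1 ^ P2: the key cancels without ever being known."""
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


def looks_like_reuse(c1: bytes, c2: bytes, threshold: float = 0.01) -> bool:
    """Operator-side check: an IoC of C1 ^ C2 well above 1/256 is evidence the
    two ciphertexts share a pad and the pad should be withdrawn."""
    return index_of_coincidence(xor_bytes(c1, c2)) > threshold


if __name__ == "__main__":
    k = os.urandom(len(P1))
    c1, c2 = encrypt_pair(P1, P2, k, k)
    print("shared pad: IoC(C1^C2) = %.4f  reuse suspected: %s"
          % (index_of_coincidence(xor_bytes(c1, c2)), looks_like_reuse(c1, c2)))
    c1, c2 = encrypt_pair(P1, P2, k, os.urandom(len(P2)))
    print("fresh pads: IoC(C1^C2) = %.4f  reuse suspected: %s"
          % (index_of_coincidence(xor_bytes(c1, c2)), looks_like_reuse(c1, c2)))
```

With fresh pads C1 ^ C2 is itself uniform and the IoC sits near 0.004; with a shared pad it is the IoC of P1 ^ P2, several times higher, and that gap is visible without knowing either plaintext.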
------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Key scheduling of block cipher
Date: Wed, 25 Apr 2001 19:48:29 GMT
"Mok-Kong Shen" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
>
> Tom St Denis wrote:
> >
>
> > It's still key material. If you have N W-bit subkeys and their order is
> > secret... well you can still guess em in 2^(NW) steps regardless of order.
> >
> > If you xor them then ... well you can still guess them with 2^(NW) steps..
>
> My question was about negative impacts, i.e. whether
> the modifications could render the cipher weaker than
> the original and whether it generally means more strength.
Well I don't get it, are you taking a scheduled key and then xoring new
material in?
Tom
------------------------------
From: newbie <[EMAIL PROTECTED]>
Subject: Re: OTP breaking strategy
Date: Wed, 25 Apr 2001 15:50:45 -0300
I hate someone who does not know he is stupid.
If someone does not know that he is stupid, he's totally and indefinitely
ignorant.
Stupid one.
Tom St Denis wrote:
>
> "newbie" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > you have declared yourself of infinite knowledge on
> > the subject of randomness
> >
> > I NEVER SAID THAT!!!!
> > WHERE DID YOU SEE THAT STATEMENT????????
> > I HATE LYERS!!!!!
>
> I HATE IGNORANT BOOBS.
>
> Tom
------------------------------
From: newbie <[EMAIL PROTECTED]>
Subject: Re: OTP breaking strategy
Date: Wed, 25 Apr 2001 15:53:09 -0300
You have to read more books about politeness and be less arrogant.
Arrogance is the sure way to be stupid forever.
Tom St Denis wrote:
>
> "newbie" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > Are you Amazone's shareholder? :)))
>
> Why can't you take this serious? Oh I know because you're a joke!
>
> Geez... get a grip.... must control fist of death....
>
> Seriously "newbie" stop being a shifthead and read some books or backposts
> or something. I remember my first posts were "wow look at my cool weird
> stream cipher". Then David Wagner told me off and I learnt a bit... (well
> he didn't tell me off but he did say "what the heck are you on foo").
>
> Tom
------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: OTP breaking strategy
Date: Wed, 25 Apr 2001 20:02:43 GMT
"newbie" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> I hate someone who does not know he is stupid.
> If someone does not know that he is stupid, he's totally and indefinitely
> ignorant.
>
> Stupid one.
Ok.
Tom
------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: OTP breaking strategy
Date: Wed, 25 Apr 2001 20:02:58 GMT
"newbie" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> You have to read more books about politeness and be less arrogant.
> Arrogance is the sure way to be stupid forever.
Ok.
Tom
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************