Cryptography-Digest Digest #240, Volume #14 Thu, 26 Apr 01 13:13:01 EDT
Contents:
Re: First analysis of first cipher ("Tom St Denis")
Re: OTP WAS BROKEN!!! (Lou Grinzo)
Re: What Is the Quality of Randomness? ("Mark G Wolf")
Re: What Is the Quality of Randomness? ("Mark G Wolf")
Re: There Is No Unbreakable Crypto (David Wagner)
Re: What Is the Quality of Randomness? (" Mark G Wolf")
Re: Censorship Threat at Information Hiding Workshop ("Roger Schlafly")
Re: Black & white .gifs? (wtshaw)
Re: What Is the Quality of Randomness? ("Tom St Denis")
Re: Censorship Threat at Information Hiding Workshop (John Myre)
Re: What Is the Quality of Randomness? ("Brian Gladman")
Re: Key scheduling of block cipher (Doug Kuhlman)
Re: Censorship Threat at Information Hiding Workshop (Terry Ritter)
Quantum Crypto ("Jack Lindso")
Re: Censorship Threat at Information Hiding Workshop (Darren New)
----------------------------------------------------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: First analysis of first cipher
Date: Thu, 26 Apr 2001 14:11:19 GMT
<[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Tom St Denis wrote:
> >
>
> [snip]
>
>
>
> > Decorrelation doesn't have to do with auto-correlation functions on
> > spatially sample data (etc...). In crypto it can be used to reduce a
> > connection from point A to point B. Vaudenay showed for example, how
> > decorrelation can be used to hinder differential and linear cryptanalysis
> > (and it's quite trivial actually). Galois Field multiplication (with a
> > characteristic of two) can be used for example to kill first order GF(2)
> > attacks like dif and linear analysis.
> >
>
> I found the Vaudenay paper. Thanks.
Just look up LASEC on the web. His (and others) papers are there.
Tom
------------------------------
From: [EMAIL PROTECTED] (Lou Grinzo)
Subject: Re: OTP WAS BROKEN!!!
Date: Thu, 26 Apr 2001 14:54:05 GMT
In general, I hate ignoring people, but if newbie keeps
arguing and won't even demonstrate to demonstrate his/her
technique, then I agree that it's the only sane thing
to do.
Lou
In article <KDVF6.65217$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] says...
>
> "Lou Grinzo" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > I think this discussion could really use a completely worked
> > out example. I suggest the following: Someone post a piece
> > of English prose encrypted with a OTP, and you crack it, and
> > then show us the exact technique you used, step by step. Once
> > you post your results, the person who created the encrypted
> > message will post the original plaintext and the key.
> >
> > I'll volunteer to generate and post an encrypted message of a
> > few hundred bytes. Are you willing to go along with the
> > experiment?
> >
> > (Everyone reading this--please note that I'm NOT framing this
> > as a "challenge" or anything similar. I'm simply suggesting
> > this as a way to cut through a lot of the discussion, which
> > seems to be going in circles at this point.)
>
> There have already been a few "stop the retard newbie" fake challenges (I
> posted one of them). He won't learn, I suggest just ignore Newbie from now
> on, until he/she learns.
>
> Tom
>
>
>
------------------------------
From: "Mark G Wolf" <[EMAIL PROTECTED]>
Subject: Re: What Is the Quality of Randomness?
Date: Thu, 26 Apr 2001 10:51:26 -0500
> Take your original OTP bit stream and divide it into 8-bit units and count
> the number of each of the bytes that result. In other words create 256
> buckets numbered 0 to 255, put the bytes from the bit stream into their
> appropriate buckets and count how many there are in each bucket at the end.
>
> Now add a stream of 'A's - decimal 65 - to this bit stream and count the
> output bytes again in the same way.
>
> What happens is that any byte that originally went into bucket 0 now goes
> into bucket 65, bytes that went into bucket 1 now go into bucket 66 and so
> on. So all that the xoring of the 'A's has done is to shift the numbers on
> each of the buckets without changing the number of bytes they contain. And
> because the statistics depend on the counts and not on the bucket labels
> this means that the statistics will be identical.
>
> It turns out that, provided the OTP bitstream is from a truly uniformly
> distributed random variable, the statistics of the stream added to it will
> not change this.
>
> You can think of this another way by asking if it is possible to devise a
> stream to add to the OTP that will change its statistics.
Ok. First I was speaking of 7-bit ASCII, but 8-bits is fine too. I agree
that throughout the WHOLE pad every 8-bit group will have an equal
probability, namely 1/256; and XORing the same 8-bit pattern will just
simply "rearrange" where those 8-bit groups are, BUT, what about the sub
groups. For example, let's take a fictitious character that has an "ASCII"
representation of 00001111. Now let me do the same thing by just encrypting
a string of this same character. So I take 000011110000111100001111... and
XOR with my uniformly distributed random pad. Now if I started from the
"beginning" and took 8-bits at a time your same argument would apply. Each
8-bit grouping would have an equal probability of 1/256 so XORing with
00001111 nonstop would just rearrange where those 8-bit groups are. But
what if I take 4-bit groupings, starting from the "beginning". Now each
"original" 4-bit grouping would have an equal probability of 1/16, but after
XORing with my alternating 0000 and 1111 what would you get? 1/2 of the
time you would leave the bits unchanged, and 1/2 of the time you would
"flip" the bits, BUT, you would be doing it in a very predictable periodic
way. Now this is a very exaggerated condition, but nonetheless valid and
applicable.
>
> In order to bias the statistics you need to change either more '1's into
> '0's without changing '0's or more '0's into '1's without changing '1's.
> But, in order to know whether to xor with a '0' or a '1' bit in order to do
> this, you need to be able to predict the next bit in the stream and since it
> is random you cannot do this.
>
> > It wouldn't yield anything really useful in terms of decrypting it, but of
> > course it wouldn't be a very useful message either. However, a long real
> > message could yield enough information to at least give the number of each
> > letter in the message.
>
> Not true I am afraid.
>
> Brian Gladman
>
>
>
------------------------------
From: "Mark G Wolf" <[EMAIL PROTECTED]>
Subject: Re: What Is the Quality of Randomness?
Date: Thu, 26 Apr 2001 11:03:28 -0500
Ok. First I was speaking of 7-bit ASCII, but 8-bits is fine too. I agree
that throughout the WHOLE pad every 8-bit group will have an equal
probability, namely 1/256; and XORing the same 8-bit pattern will just
simply "rearrange" where those 8-bit groups are, BUT, what about the sub
groups. For example, let's take a fictitious character that has an "ASCII"
representation of 00001111. Now let me do the same thing by just encrypting
a string of this same character. So I take 000011110000111100001111... and
XOR with my uniformly distributed random pad. Now if I started from the
"beginning" and took 8-bits at a time your same argument would apply. Each
8-bit grouping would have an equal probability of 1/256 so XORing with
00001111 nonstop would just rearrange where those 8-bit groups are. But
what if I take 4-bit groupings, starting from the "beginning". Now each
"original" 4-bit grouping would have an equal probability of 1/16, but after
XORing with my alternating 0000 and 1111 what would you get? 1/2 of the
time you would leave the bits unchanged, and 1/2 of the time you would
"flip" the bits, BUT, you would be doing it in a very predictable periodic
way. Now this is a very exaggerated condition, but nonetheless valid and
applicable.
------------------------------
From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: There Is No Unbreakable Crypto
Date: 26 Apr 2001 16:07:30 GMT
Benjamin Goldberg wrote:
>David Wagner wrote:
>>
>> Mok-Kong Shen wrote:
>> >I continue to think, as said in another post, that this
>> >means one can generate from, say, 128 random bits, a
>> >secure bit string of infinite length, which seems to
>> >be very counter-intuitive.
>>
>> Well, not infinite: only polynomial length, and only _if_
>> you have a secure, length-doubling PRG. But yes, it's a
>> marvelous, counter-intuitive, beautiful result.
>
>I don't suppose you could give a tiny demonstration, perhaps using an 8
>bit key.
No, because it's not secure with an 8 bit key. But with a 128 bit key...
>What size is possible? You say, polynomial length... what kind of poly?
polynomial in the security parameter. In other words, with
a k-bit key and a PRG that is secure against all attacks that
take poly(k) time, you can stretch the k-bit truly
random key to poly(k) bits of pseudorandom keystream.
------------------------------
From: " Mark G Wolf" <[EMAIL PROTECTED]>
Subject: Re: What Is the Quality of Randomness?
Date: Thu, 26 Apr 2001 11:18:47 -0500
Ok. First I was speaking of 7-bit ASCII, but 8-bits is fine too. I agree
that throughout the WHOLE pad every 8-bit group will have an equal
probability, namely 1/256; and XORing the same 8-bit pattern will just
simply "rearrange" where those 8-bit groups are, BUT, what about the sub
groups. For example, let's take a fictitious character that has an "ASCII"
representation of 00001111. Now let me do the same thing by just encrypting
a string of this same character. So I take 000011110000111100001111... and
XOR with my uniformly distributed random pad. Now if I started from the
"beginning" and took 8-bits at a time your same argument would apply. Each
8-bit grouping would have an equal probability of 1/256 so XORing with
00001111 nonstop would just rearrange where those 8-bit groups are. But
what if I take 4-bit groupings, starting from the "beginning". Now each
"original" 4-bit grouping would have an equal probability of 1/16, but after
XORing with my alternating 0000 and 1111 what would you get? 1/2 of the
time you would leave the bits unchanged, and 1/2 of the time you would
"flip" the bits, BUT, you would be doing it in a very predictable periodic
way. Now this is a very exaggerated condition, but nonetheless valid and
applicable.
------------------------------
From: "Roger Schlafly" <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: Censorship Threat at Information Hiding Workshop
Date: Thu, 26 Apr 2001 15:22:58 GMT
"Gerhard Wesp" <[EMAIL PROTECTED]> wrote in message
news:9c8vnv$45a$[EMAIL PROTECTED]...
> In article <[EMAIL PROTECTED]>, Terry Ritter <[EMAIL PROTECTED]> wrote:
> >From classic times, writers have sold their work to an audience of
> >individuals.
> Can you supply evidence/references supporting this claim?
> I'm not sure either, but I think some time before Gutenberg it was
> not uncommon for monks to spend most of their time copying books.
> I should think that the idea of Intellectual Property is a relatively
> new one.
> Perhaps a historian could comment on this?
It was a new idea when the US constitution was written 210 years ago,
but I wouldn't call it new anymore.
The idea that copyright infringement should be a criminal offense is
relatively new. In the US, it started only about 10 years ago. Only
about 2 years ago did it become illegal to publish circumvention info.
Today, some legitimate crypto research was withdrawn from a
conference because of RIAA threats. The info is here:
http://cryptome.org/sdmi-attack.htm
A lot of people didn't believe that the DMCA would stifle security
research. This is proof.
------------------------------
From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Black & white .gifs?
Date: Thu, 26 Apr 2001 09:58:29 -0600
In article <[EMAIL PROTECTED]>, Benjamin Goldberg
<[EMAIL PROTECTED]> wrote:
> Again we see how stego is generally vulnerable to active attacks.
>
radiofreetexas.com/wts/pix/BWpenta.GIF is a picture of the pentagon in
black and white pixels. There are several ways that this simple image can
contain encrypted information steganographically. However, stego may
productively use obscurity, the best methods rely on not telling how it is
done so even the presence of extra information is not tipped.
--
Nafta, etc.? No way Jose.
------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: What Is the Quality of Randomness?
Date: Thu, 26 Apr 2001 16:32:48 GMT
" Mark G Wolf" <[EMAIL PROTECTED]> wrote in message
news:9c9hr7$2g8i$[EMAIL PROTECTED]...
> Ok. First I was speaking of 7-bit ASCII, but 8-bits is fine too. I agree
> that throughout the WHOLE pad every 8-bit group will have an equal
> probability, namely 1/256; and XORing the same 8-bit pattern will just
> simply "rearrange" where those 8-bit groups are, BUT, what about the sub
> groups. For example, let's take a fictitious character that has an "ASCII"
> representation of 00001111. Now let me do the same thing by just encrypting
> a string of this same character. So I take 000011110000111100001111... and
> XOR with my uniformly distributed random pad. Now if I started from the
> "beginning" and took 8-bits at a time your same argument would apply. Each
> 8-bit grouping would have an equal probability of 1/256 so XORing with
> 00001111 nonstop would just rearrange where those 8-bit groups are. But
> what if I take 4-bit groupings, starting from the "beginning". Now each
> "original" 4-bit grouping would have an equal probability of 1/16, but after
> XORing with my alternating 0000 and 1111 what would you get? 1/2 of the
> time you would leave the bits unchanged, and 1/2 of the time you would
> "flip" the bits, BUT, you would be doing it in a very predictable periodic
> way. Now this is a very exaggerated condition, but nonetheless valid and
> applicable.
That still doesn't make the output any less random.
if you have a PRNG that outputs four bit words (uniformly), then you xor all
outputs with 0101, the output will still be uniform.
I suggest you write some programs to tally the results and test it yourself.
Try
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

int main(void)
{
    int tallies[16], x;

    /* setup our magic PRNG */
    srand(time(NULL));

    /* clear the tallies */
    for (x = 0; x < 16; x++)
        tallies[x] = 0;

    /* let's tally 8192 outputs */
    for (x = 0; x < 8192; x++)
        ++tallies[(rand() ^ 0x0003) & 0x000F];

    /* display the tallies */
    for (x = 0; x < 16; x++)
        printf("%02d: 1/%f\n", x, 8192.0 / (double)tallies[x]);

    return 0;
}
Where I xor all 4 bit words with 0011.
Tom
------------------------------
From: John Myre <[EMAIL PROTECTED]>
Subject: Re: Censorship Threat at Information Hiding Workshop
Date: Thu, 26 Apr 2001 10:23:35 -0600
David Wagner wrote:
<snip>
> Yes, but: If we can imagine some distance metric d(.,.),
> then I will claim
> d(theft of money, copyright infringement)
> >> d(theft of money, theft of toys)
> This metric is surely subjective, but I argue that it is there.
Subjective, indeed. I still say that the comparison above
depends on cases. Sometimes the theft of money and copyright
infringement are both merely matters to be put right by
restitution, while the toy theft could be in a different
category altogether, due to emotional factors for the child.
> In other words, there might be some cases where the word
> "theft" is misleading even when we're talking about child's toys,
> but such cases are rarer for toys than for intellectual property.
I will stipulate (:)) that it can be misleading to use the
word "theft" in some cases. I will even agree, for the sake
of argument, that it is more common to misuse the term when
dealing with IP than in other cases.
<snip a lot>
> The problem comes when new laws are being justified on the basis
> that some types of conduct that aren't currently illegal should
> nonetheless be viewed as "stealing" and thus should be made illegal.
> In other words, if this is how you choose to use the word "stealing",
> it's not necessarily a justification for why some actions should
> be made illegal in the first place. It is a good idea to watch
> out for circularity.
Ah. I agree violently. If someone misuses copyrighted material
in a way which is already defined by law to be criminal, then
*and only then* is it correct to call it theft. It isn't theft
just because the producer of some data wants money for it. And
emotional arguments are a terrible basis for new law.
I think my disagreement with you is that I believe it to be
just as incorrect to state generically that "theft" is a bad
word to use in copyright cases, because intellectual property
is different in character from physical property. I think it
is more productive to examine what ought to be regarded as
property, under what conditions.
For example, when you take physical property away from someone,
is it always stealing? Not if they have no right to it. Perhaps
it belongs to someone else. Perhaps they didn't pay their taxes.
Reasonable people can disagree about what intellectual property
rights ought to exist, under what conditions. It's only wrong
to try to obfuscate the issue through debating tricks. I will
agree with you that people will call something "theft" when it
is incorrect, as just such a debating trick. I will disagree
with you that "theft" is always the wrong word when dealing with
intellectual property; I think that sometimes it is apropos.
JM
------------------------------
From: "Brian Gladman" <[EMAIL PROTECTED]>
Subject: Re: What Is the Quality of Randomness?
Date: Thu, 26 Apr 2001 17:44:02 +0100
"Mark G Wolf" <[EMAIL PROTECTED]> wrote in message
news:9c9g82$290o$[EMAIL PROTECTED]...
> > Take your original OTP bit stream and divide it into 8-bit units and count
> > the number of each of the bytes that result. In other words create 256
> > buckets numbered 0 to 255, put the bytes from the bit stream into their
> > appropriate buckets and count how many there are in each bucket at the end.
[snip]
> Ok. First I was speaking of 7-bit ASCII, but 8-bits is fine too. I agree
> that throughout the WHOLE pad every 8-bit group will have an equal
> probability, namely 1/256; and XORing the same 8-bit pattern will just
> simply "rearrange" where those 8-bit groups are, BUT, what about the sub
> groups. For example, let's take a fictitious character that has an "ASCII"
> representation of 00001111. Now let me do the same thing by just encrypting
> a string of this same character. So I take 000011110000111100001111... and
> XOR with my uniformly distributed random pad. Now if I started from the
> "beginning" and took 8-bits at a time your same argument would apply. Each
> 8-bit grouping would have an equal probability of 1/256 so XORing with
> 00001111 nonstop would just rearrange where those 8-bit groups are. But
> what if I take 4-bit groupings, starting from the "beginning". Now each
> "original" 4-bit grouping would have an equal probability of 1/16, but after
> XORing with my alternating 0000 and 1111 what would you get? 1/2 of the
> time you would leave the bits unchanged, and 1/2 of the time you would
> "flip" the bits, BUT, you would be doing it in a very predictable periodic
> way. Now this is a very exaggerated condition, but nonetheless valid and
> applicable.
This makes no difference to the statistics.
Divide the original OTP into two bit streams by taking every other group of
4 bits. Provided the original OTP is uniformly distributed, these two
half-length OTPs will also be uniformly distributed. One of these pads will
now be applied to the top 4-bits of each of your bytes and the other to the
bottom 4-bits.
Now take groups of 4 bits in each of these two pads and consider what
happens when we count their frequency using 16 buckets numbered 0 to 15.
Adding a 4-bit constant value will not change their statistics - it simply
rearranges the bucket labels as before.
When a bitstream represents a uniformly distributed random boolean variable,
xoring with a second independent random bitstream will produce a uniformly
distributed output irrespective of the statistical distribution of the
second bitstream.
Which is precisely why the OTP is a theoretically perfect encryption
system - it removes all the statistical properties of the text it is used to
encrypt.
Brian Gladman
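
[Added example, not part of any poster's message.] An exact check of the bucket argument made in this thread: it enumerates every pad value instead of sampling, covers the 00001111 case and goes beyond it to an arbitrary text distribution, and shows the caveat that a biased pad lets the text's histogram through. The weight tables and function names are constructed for illustration; pad and text are assumed independent.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample weights (not from the thread). A weight is a relative
 * frequency; equal weights mean a uniform distribution over 4-bit values. */
static const unsigned UNIFORM_PAD[16] = {1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1};
static const unsigned BIASED_PAD[16]  = {2,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1};
static const unsigned SKEWED_TEXT[16] = {40,1,1,1,9,1,1,1,1,1,1,1,1,1,1,2};

/* Exact weight of each 4-bit output c = k ^ m for an independent pad nibble k
 * and text nibble m: out_w[c] = sum over m of pad_w[c ^ m] * text_w[m]. */
void xor_distribution(const unsigned pad_w[16], const unsigned text_w[16],
                      unsigned out_w[16])
{
    unsigned k, m;
    memset(out_w, 0, 16 * sizeof out_w[0]);
    for (k = 0; k < 16; k++)
        for (m = 0; m < 16; m++)
            out_w[k ^ m] += pad_w[k] * text_w[m];
}

/* Convenience accessor: weight of a single output value c. */
unsigned out_weight(const unsigned pad_w[16], const unsigned text_w[16],
                    unsigned c)
{
    unsigned out_w[16];
    xor_distribution(pad_w, text_w, out_w);
    return out_w[c & 0x0F];
}

/* Returns 1 when all 16 buckets hold the same count. */
int is_uniform(const unsigned w[16])
{
    unsigned i;
    for (i = 1; i < 16; i++)
        if (w[i] != w[0])
            return 0;
    return 1;
}

/* The 00001111 case: run through all 256 equally likely pad bytes, XOR each
 * with 0x0F, and tally the result as two 4-bit groups (high, then low).
 * Returns the count in `bucket`; a uniform result is 2 * 16 = 32 everywhere. */
unsigned wolf_case_count(unsigned bucket)
{
    unsigned tallies[16] = {0}, pad;
    for (pad = 0; pad < 256; pad++) {
        unsigned c = pad ^ 0x0F;
        tallies[c >> 4]++;      /* group XORed with 0000 */
        tallies[c & 0x0F]++;    /* group XORed with 1111 */
    }
    return tallies[bucket & 0x0F];
}

int main(void)
{
    unsigned out_w[16], i;

    for (i = 0; i < 16; i++)
        printf("00001111 case, bucket %2u: %u\n", i, wolf_case_count(i));

    xor_distribution(UNIFORM_PAD, SKEWED_TEXT, out_w);
    printf("uniform pad, skewed text: %s\n",
           is_uniform(out_w) ? "uniform" : "biased");

    xor_distribution(BIASED_PAD, SKEWED_TEXT, out_w);
    printf("biased pad, skewed text:  %s\n",
           is_uniform(out_w) ? "uniform" : "biased");
    for (i = 0; i < 16; i++)
        printf("  bucket %2u: %u\n", i, out_w[i]);
    return 0;
}
```

With the biased pad each output bucket exceeds the flat value of 64 by exactly the text weight for that value, so the ciphertext histogram reproduces the plaintext histogram on top of a flat floor.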
------------------------------
From: Doug Kuhlman <[EMAIL PROTECTED]>
Subject: Re: Key scheduling of block cipher
Date: Thu, 26 Apr 2001 11:23:15 -0500
Joseph Ashwood wrote:
>
> Depending on the cipher it may severely weaken it. Just as an example many
> ciphers leak a portion of the last round key, this is just a fact of life,
> and non-threatening provided you have a good key schedule.
>
Would you elaborate on that last sentence, please? I mean, which
ciphers leak that, how, and why?
Doug
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Censorship Threat at Information Hiding Workshop
Date: Thu, 26 Apr 2001 16:53:45 GMT
On Wed, 25 Apr 2001 21:23:28 -0700, in
<[EMAIL PROTECTED]>, in sci.crypt Bryan Olson
<[EMAIL PROTECTED]> wrote:
>"Donald L. Nash" wrote:
>>
>> Bill Unruh wrote:
>>
>> >It is not theft. Theft is depriving someone of some good.
No, theft is commonly understood as simply taking without right or
permission.
>[...]
>Can anyone cite where what is called "intellectual property
>law" actually defines covered works as property, or
>violations as theft?
The dictionary first definitions:
Theft -- the act or an instance of stealing
Steal -- to take without right or permission
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
From: "Jack Lindso" <[EMAIL PROTECTED]>
Subject: Quantum Crypto
Date: Thu, 26 Apr 2001 20:00:44 +0200
An article about QC, entanglement of photons and its implications on
cryptography.
A secure channel (by wolf's theorem) ???
A perfect medium to convey OTP ?
http://www.feedmag.com/templates/default.php3?a_id=1697
--
Anticipating the future is all about envisioning the Infinity.
http://www.atstep.com
====================================================
------------------------------
From: Darren New <[EMAIL PROTECTED]>
Subject: Re: Censorship Threat at Information Hiding Workshop
Date: Thu, 26 Apr 2001 17:03:18 GMT
And the other thing to remember is that the basic problem is economic.
Namely, that creating a copy of "intellectual property" is trivially
inexpensive compared to creating the original. Few would pay the full cost
of creating intellectual property. Those who do buy custom software.
The question of "theft of service" is interesting. You're not stealing the
TV shows from the cable company, because the cable company doesn't own them.
Certainly if you tap into the advertising-supported commercial channels that
you'd normally be able to get over the air except for the invention of cable
TV you'd not reasonably be "stealing" the signal. What you're stealing,
again, is the tremendously high cost of building the infrastructure that's
normally charged to users a month at a time. Getting the cable strung thru
the neighborhood is expensive. Putting one more TV on the cable is cheap.
The same with phone service. Back in '90s or so, it cost the baby bells an
average of $1000 to install each phone line. Actually completing each call
once the lines were installed and provisioned was relatively cheap. Would
you trade $1000 for the first phone call to get $0.02 cents per phone call
after that, or would you rather pay $15/month until the line was paid off?
Same problem.
What's my point? Only that this debate is going to go on and on forever, as
long as there are economic situations where making a copy of something is so
much cheaper than making the original that an average consumer can afford to
make a copy. If folks understand where this problem comes from, the words
used to describe it are less important.
--
Darren New / Senior MTS & Free Radical / Invisible Worlds Inc.
San Diego, CA, USA (PST). Cryptokeys on demand.
schedule.c:7: warning: assignment makes calendar_week
from programmer_week without a cast.
------------------------------