Cryptography-Digest Digest #475, Volume #14      Wed, 30 May 01 05:13:01 EDT

Contents:
  Re: Unicity distance and compression for AES (wtshaw)
  Re: To prove PGP can easily be misused... (wtshaw)
  Re: Unicity distance and compression for AES (SCOTT19U.ZIP_GUY)
  Re: Card Games (David A Molnar)
  Re: Stream Cipher combiners (Pascal Junod)
  Re: European commission will recommend all citizens to use encryption in  (Lassi Hippeläinen)
  Re: Best, Strongest Algorithm (Benjamin Goldberg)
  Re: Unicity distance and compression for AES (SCOTT19U.ZIP_GUY)
  Good place to start? ("The archgimP")
  Re: Stream Cipher combiners (Nigel Smart)
  Re: Cookie encryption (Paul Rubin)
  Re: Good place to start? (Paul Rubin)
  Re: crypt analysis of rar archive encryption (Benjamin Goldberg)
  Re: Discrete Log question (Mark Wooding)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Unicity distance and compression for AES
Date: Tue, 29 May 2001 22:20:11 -0600

In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) wrote:

> [EMAIL PROTECTED] (wtshaw) wrote in <jgfunj-2905011338570001@dial-244-
> 083.itexas.net>:
> >
> >Yes, redundancy is an far more individually determined quality than you
> >think.  Language can be highly personalized.  Language that is static is
> >dead.
> 
>   By that measure I think my stuff could be harder to compress since
> I don't spell very well. But then again I tend to use "there" for all
> forms of there, since I think it's dumb to spell it differently when it's
> said the same, so maybe it would compress better than others.
>  I wonder if, based on Usenet posts, the NSA has a different statistical
> model for each of us.
> 
QSL, OM
-- 
Suppose California quit sending food back East.
Would George be ready to barter with energy?

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: To prove PGP can easily be misused...
Date: Tue, 29 May 2001 22:32:03 -0600

In article <[EMAIL PROTECTED]>, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:

> wtshaw wrote:
> > 
> 
> > I don't know about you, but I vote, get some people fired, and actively
> > campaign against those who abuse office.  Yes, I do help to change
> > things.  There are always more alternatives than to be a sheeple.
> 
> I don't know the record of your activities in that respect.
> Presumably though the 'objects' (in cases of success) were 
> not at the higher level of the political ladder (the 
> highest, let me remark, being the chief of the government). 
> Or is my conjecture wrong?
> 
> M. K. Shen

You might be very surprised, I know I am now and then.  Points well made
penetrate deeply, or elevate themselves to limits that dwarf their
sources.  There are those that like to dismiss anything they don't like
and disregard those who they don't want to hear, but their mission is an
exercise in futile deafness when reason is against them.  Take the truth,
run with it; it's a good steed.  Occasionally, I pick a nag, but that's my
fault when I get thrown.

You are rather well known yourself, rather favorably. I have spoken with
more people than I can easily count who know of you.  Your dignified
manner is easy to see and more acceptable than mine and some others'.  The
secret code to defame you would be to mention your tidy dress, but you are
an apparent gentleman, as Scott and I aren't, but we choose to be what we
are.   Meanwhile, we hope that our best intentions are all far more
similar than not and that the likes of political sneakabouts will know
that they are beaten in a clinch.
-- 
Suppose California quit sending food back East.
Would George be ready to barter with energy?

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Unicity distance and compression for AES
Date: 30 May 2001 03:32:04 GMT

[EMAIL PROTECTED] wrote in <[EMAIL PROTECTED]>:

>wtshaw wrote:
>> 
>> In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
>> 
>> > Simply put, redundancy is a feature of the language. You can't change
>> > the redundancy without changing the language. Without changing the
>> > redundancy you can't change the unicity distance (assuming no
>> > change in the entropy of the keyspace).
>> >
>> > Am I overlooking something?
>> 
>> Yes, redundancy is an far more individually determined quality than you
>> think.  Language can be highly personalized.  Language that is static is
>> dead.
>[snip]
>
>
>Ok, but sooner or later you will have to re-create the original message
>in the original language so you can read it, execute it, view it, listen
>to it, compile it, whatever. If you can decompress in order to recover
>the original message in its original language (and its original
>redundancy), why can't the cryptanalyst do the same thing, assuming he
>knows what compression was used?
>

   He can do the same thing. It's just that if proper compression is
used, two things occur. One is what you noticed: you need smaller
amounts of ciphertext that, when decompressed, go to longer
strings, so it might seem like you need less ciphertext. And
we assume the attacker has the compression and decompression routines.
Until Shannon no one knew for sure if compression was a good idea because
of what you noticed. But there is a second effect from compression,
and that effect is that compression reduces entropy per
bit in a file. When one compresses and examines the results from
testing all the possible keys, the number of valid-looking messages
increases. This increase in the number of messages means one needs
to look at longer and longer sequences to reject the large number
of messages. Shannon was the one to prove that this second effect
outweighs the first, so that compression is good.
   But if one looks at the math behind the proof, he really is
assuming bijective compression. Something that is seldom used.
In fact compression as commonly used may not increase the number
of false messages, since the compressions are not bijective; this
is what I am trying to point out. In fact compression used in
encryption is so bad that many times only one key will work;
if only one key works, that key makes the unicity distance zero.

   That still doesn't mean on a normal computer it is easy to break
time-wise. But it shows that it can be broken. It's best to use
methods that don't provide enough information for a break.


David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE "OLD VERSION"
        http://www.jim.com/jamesd/Kong/scott19u.zip
My website http://members.nbci.com/ecil/index.htm
My crypto code http://radiusnet.net/crypto/archive/scott/
MY Compression Page http://members.nbci.com/ecil/compress.htm
**NOTE FOR EMAIL drop the roman "five" ***
Disclaimer:I am in no way responsible for any of the statements
 made in the above text. For all I know I might be drugged or
 something..
 No I'm not paranoid. You all think I'm paranoid, don't you!


------------------------------

From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: Card Games
Date: 30 May 2001 05:23:30 GMT

lcs Mixmaster Remailer <[EMAIL PROTECTED]> wrote:
> http://citeseer.nj.nec.com/150998.html points to a recent paper on
> "Mental Poker" which also contains a good set of links to earlier work
> on the problem.

> Anyone know of any implementations of these protocols?

www.math.tau.ac.il/~eyaleran/java_project/design.html

gives an implementation report for one mental poker protocol - though not 
the one specified in the paper you cited. 

-David

------------------------------

Date: Wed, 30 May 2001 08:23:09 +0200
From: Pascal Junod <[EMAIL PROTECTED]>
Subject: Re: Stream Cipher combiners

On Tue, 29 May 2001, Tom St Denis wrote:

> All I wanted to say is The multiplicative sub-group of integers modulo n.
> Perhaps I should write my math in english more often :-)
>
> Err.
>
> Ok so what is the correct notation?  Z/nZ?

This notation suggests (and is often used to denote) the _additive_ group
of integers modulo n.

For the multiplicative group of integers modulo n, I suggest Z_n^*.

A+

Pascal

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* Pascal Junod, [EMAIL PROTECTED]                                 *
* Security and Cryptography Laboratory (LASEC)                       *
* INF 240, EPFL, CH-1015 Lausanne, Switzerland  ++41 (0)21 693 76 17 *
* Place de la Gare 12, CH-1020 Renens           ++41 (0)79 617 28 57 *
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


------------------------------

From: Lassi Hippeläinen <[EMAIL PROTECTED]>
Subject: Re: European commission will recommend all citizens to use encryption in 
Date: Wed, 30 May 2001 06:32:13 GMT

Harris Georgiou wrote:
...
> Since encryption can be used on public scale only for e-mail and computer
> comms (using any of the freeware packages), then PKI is not really a
> problem, since all these packages work quite well over the Internet for many
> years now (take PGP for example).

But PGP *has* a PKI of its own...

> The real problem is that if they admit that encryption should be used then
> it has to be applied even for cellphones or normal telephones.

That's the problem. When 3G phones roll out in a serious manner, there
will be gazillions of mobile computers, connecting from volatile
addresses. PKI will be needed to authenticate the users, no matter if it
is done in IP or application layer.

IESG just recently rejected the proposal to use IPSec AH, in order to
authenticate Mobile IPv6 Binding Updates. One argument was that there is
no PKI in sight that could handle the load.

-- Lassi

------------------------------

From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: Best, Strongest Algorithm
Date: Wed, 30 May 2001 03:47:50 -0400

Tim Tyler wrote:
> 
> Tom St Denis <[EMAIL PROTECTED]> wrote:
> : "Tim Tyler" <[EMAIL PROTECTED]> wrote in <news:[EMAIL PROTECTED]>...
> :> : Yes, Bicom provides other things such as "bijectiveness" (which
> :> : is the entirely wrong word when talking about a block cipher).
> :>
> :> BICOM is not a block cypher.
> 
> : I realize that.  But when talking about ciphers (say in the same
> : sentence) saying "non-bijective" is a bad idea.
> 
> "Most types of padding used in association with modern cyphers result
>  in a non-bijective map between the space of possible plaintexts and
>  the space of possible cyphertexts."

And how is a bijective map an advantage in this case?  Doesn't it imply
that two identical plaintexts enciphered under the same key will result
in the exact same ciphertexts?

It seems to me that the bicom chaining mode has to be one which somehow
works without padding (in any ordinary sense of the word padding) for it
to have the properties claimed.

-- 
The longer a man is wrong, the surer he is that he's right.

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Unicity distance and compression for AES
Date: 30 May 2001 06:16:18 GMT

[EMAIL PROTECTED] wrote in <[EMAIL PROTECTED]>:

>
>I'll have to think about this more before I comment. I'm not
>familiar with "bijective compression".

  Well, no one is very familiar with real "bijective compression",
but if you go to my site I have pointers to Matt's. As far as
I know, and I have done many searches on the net, the big boys still
think foolishly that you need some sort of count field or
a special space for a one-time symbol in an arithmetic compressor
to mark end of file. All these methods are wasteful. Fully bijective
arithmetic, Huffman and RLE are all possible. Basically an
easy test for a bijective compressor is: take any file, text, jpg,
random or whatever. Decompress it and then compress it back. If the
file is the same then it is most likely a bijective compressor.
Matt's BICOM is the most advanced bijective compressor to date;
it's a PPM compressor.
   There are even papers on the net from the nineties talking about
the EOF problem in arithmetic coding as if it were impossible to do the
endings easily.  Ask Wagner; since the big boys have access to
papers I assume one of them will soon pretend to have discovered it,
but Matt was first with bijective arithmetic, I was first with
Huffman.


David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE "OLD VERSION"
        http://www.jim.com/jamesd/Kong/scott19u.zip
My website http://members.nbci.com/ecil/index.htm
My crypto code http://radiusnet.net/crypto/archive/scott/
MY Compression Page http://members.nbci.com/ecil/compress.htm
**NOTE FOR EMAIL drop the roman "five" ***
Disclaimer:I am in no way responsible for any of the statements
 made in the above text. For all I know I might be drugged or
 something..
 No I'm not paranoid. You all think I'm paranoid, don't you!
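
Editor's added example, not part of either of David Scott's posts in this digest (this one and his earlier reply on the same thread): a Python script that runs the decompress-then-compress test he describes against zlib, and then counts, for a toy cipher, how many candidate keys survive a trial decryption as the attacker sees more ciphertext. The assumptions are mine, not the posts': the cipher is XOR with a repeating 16-bit key (so every key can be tried), the plaintext is a constructed sentence, zlib stands in for a header-carrying, non-bijective compressor of the kind the post complains about, and the unicity_distance helper is Shannon's H(K)/D with the redundancy figure supplied by the caller. The script does not reproduce Shannon's second effect (bijective compression raising the number of spurious keys); it shows the format-rejection effect, where a zlib header lets the attacker discard almost every wrong key from two bytes of ciphertext.

```python
import zlib

# Constructed plaintext and toy key (not from the original posts).  The key is
# only 16 bits so that every candidate key can be tried exhaustively.
PLAINTEXT = b"the unicity distance tells how much ciphertext pins down the key. " * 3
TRUE_KEY = b"\x5a\xc3"
PRINTABLE = bytes(range(32, 127))


def unicity_distance(key_entropy_bits, redundancy_bits_per_symbol):
    """Shannon's estimate of the ciphertext length at which one key remains."""
    return key_entropy_bits / redundancy_bits_per_symbol


def xor_repeat(data, key):
    """Toy cipher: XOR with a repeating key, so trial decryption is cheap."""
    stream = (key * (len(data) // len(key) + 1))[: len(data)]
    return (int.from_bytes(data, "big") ^ int.from_bytes(stream, "big")).to_bytes(len(data), "big")


def decompress_then_compress_test(compress, decompress, candidate):
    """The post's bijectivity test: decompress an arbitrary string, recompress
    it, and compare.  A compressor that rejects the string fails outright."""
    try:
        return compress(decompress(candidate)) == candidate
    except Exception:
        return False


def looks_like_text(candidate):
    # Plausibility test when the plaintext carries no format: printable ASCII only.
    return candidate.translate(None, PRINTABLE) == b""


def zlib_accepts(candidate, complete=True):
    # Format test when the plaintext was zlib-compressed.  A wrong key almost
    # always breaks the 2-byte header, the deflate block structure or the
    # trailing Adler-32; with complete=True the stream must also terminate.
    d = zlib.decompressobj()
    try:
        d.decompress(candidate)
    except zlib.error:
        return False
    return d.eof if complete else True


def surviving_keys(ciphertext, accept):
    """All 16-bit keys whose trial decryption passes the acceptance test."""
    survivors = []
    for k in range(1 << 16):
        key = k.to_bytes(2, "big")
        if accept(xor_repeat(ciphertext, key)):
            survivors.append(key)
    return survivors


def demo():
    compressed = zlib.compress(PLAINTEXT)
    ct_plain = xor_repeat(PLAINTEXT, TRUE_KEY)
    ct_zlib = xor_repeat(compressed, TRUE_KEY)
    prefixes = (2, 4, 8, 16)
    plain_full = surviving_keys(ct_plain, looks_like_text)
    zlib_full = surviving_keys(ct_zlib, zlib_accepts)
    return {
        # zlib rejects an arbitrary string, so it cannot be bijective...
        "zlib_passes_on_random_input": decompress_then_compress_test(
            zlib.compress, zlib.decompress, bytes(range(1, 9))),
        # ...even though it round-trips its own output, so the test needs
        # arbitrary input, not just compressor output.
        "zlib_passes_on_own_output": decompress_then_compress_test(
            zlib.compress, zlib.decompress, compressed),
        # Survivor counts as the attacker sees more ciphertext.
        "plain_survivors": [len(surviving_keys(ct_plain[:n], looks_like_text))
                            for n in prefixes] + [len(plain_full)],
        "zlib_survivors": [len(surviving_keys(ct_zlib[:n],
                                              lambda c: zlib_accepts(c, complete=False)))
                           for n in prefixes],
        "plain_full_survivors": plain_full,
        "zlib_full_survivors": zlib_full,
    }
```

Run demo() to get the counts. With the constructed inputs, the printable-ASCII test still leaves 9025 of the 65536 keys after two ciphertext bytes and thins out only slowly, whereas the zlib header check leaves a few dozen keys after the same two bytes, and the complete stream leaves essentially only the true key, because a wrong key has to survive the header, the deflate block structure and the Adler-32 trailer. To run the bijectivity test on a compressor of your own, pass its compress and decompress callables to decompress_then_compress_test with a few arbitrary byte strings.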


------------------------------

From: "The archgimP" <althalus@excitedotcom>
Subject: Good place to start?
Date: Wed, 30 May 2001 08:46:05 +0100

Hi;

I've not been to this NG before; but I just finished reading 'Crypto' by
Steven Levy and I think I've been bitten by the bug;

I've known about the science of cryptography for a long time.. my dad used
to be quite into it; and he taught me some of the principles of
public/private key exchanges; factor-driven one-way encryption methods -
that kind of thing; however I now really want to learn more....

I have considerable programming experience (started on the trusty zx80, heh)
and I'm now looking to tip my hat in the direction of encryption/decryption
algorithm implementation...

Since finishing 'Crypto' I've been scouring the web for all the 'old' papers
by Rivest, Diffie, et cetera and found some interesting reading so far and
so my question is two-fold:

Are there any 'Faqs' for this NG which could help me get started?

and

Are there any good 'suggested reading' lists for catching up with some of
the more recent developments...

(Actually, I'd also like to know if it's true that the UK govt is currently
trying to implement a key escrow system, but that's more for political
reasons..;o)

Hope I can help out in some way,

Many Thanks in advance,

--The archgimP



------------------------------

From: Nigel Smart <[EMAIL PROTECTED]>
Subject: Re: Stream Cipher combiners
Date: Wed, 30 May 2001 07:49:17 GMT

Pascal Junod wrote:
> 
> On Tue, 29 May 2001, Tom St Denis wrote:
> 
> > All I wanted to say is The multiplicative sub-group of integers modulo n.
> > Perhaps I should write my math in english more often :-)
> >
> > Err.
> >
> > Ok so what is the correct notation?  Z/nZ?
> 
> This notation suggests (and is often used to denote) the _additive_ group
> of integers modulo n.
> 
> For the multiplicative group of integers modulo n, I suggest Z_n^*.
> 
> A+
> 

There is a distinct confusion here between what Math people generally do 
and what CS/Engineers do. Rather like sqrt(-1) being i or j depending
on where you come from.  Neither is wrong/right, just a matter of taste....

Z/nZ is always "Integers modulo n under addition"

(Z/nZ)^* is what "Math" people would use for the group of
        "Integers modulo n under multiplication"

Z_n is either
        The integers modulo n under addition
  or 
        The n-adic integers when n is a prime.
  
Z_n^* is either
        The group of integers modulo n under multiplication
   or
        The n-adic integers whose inverses are also n-adic integers

So to avoid confusion people with a number theory background usually use
        (Z/nZ)^* 
rather than
        Z_n^*
for the RSA group for example.

BTW The n-adic integers do have applications in crypto so this is not
just an academic point

Yours

Nigel   
-- 
Dr Nigel P. Smart                  | Phone: +44 (0)117 954 5163
Computer Science Department,       | Fax:   +44 (0)117 954 5208
Woodland Road,                     | Email: [EMAIL PROTECTED]
University of Bristol, BS8 1UB, UK | URL:   http://www.cs.bris.ac.uk/~nigel/

------------------------------

From: Paul Rubin <[EMAIL PROTECTED]>
Subject: Re: Cookie encryption
Date: 30 May 2001 01:07:01 -0700

Chenghuai Lu <[EMAIL PROTECTED]> writes:
> I see some websites use encrypted cookies. They claim that it will
> protect our privacy. What is their point? Why need cookie encryption?

To stop the cookies from revealing private info about the user.
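
Added example by the editor, not Paul Rubin's code: what an "encrypted cookie" should look like in practice, in Python with only the standard library. Assumptions: the payload is JSON, the master secret is a 32-byte server-side key, and, because the standard library has no AES, the keystream is HMAC-SHA256 run in counter mode as a stand-in PRF; a real deployment should use AES-GCM or another AEAD from a vetted library instead. The point the one-line answer leaves implicit is that hiding the contents is only half of it: the cookie also needs a MAC, otherwise a client can flip bits in the ciphertext and change the fields it is not supposed to see.

```python
import base64
import hashlib
import hmac
import json
import os


def _subkey(master, label):
    # Derive separate encryption and MAC keys from one master secret.
    return hmac.new(master, b"cookie/" + label, hashlib.sha256).digest()


def _keystream(k_enc, nonce, length):
    # Stand-in stream cipher: HMAC-SHA256 in counter mode used as a PRF.
    # Illustration only; use an AEAD from a real crypto library in production.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(k_enc, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_cookie(master, payload, nonce=None):
    """Encrypt-then-MAC a JSON payload into a cookie-safe string."""
    k_enc, k_mac = _subkey(master, b"enc"), _subkey(master, b"mac")
    nonce = os.urandom(16) if nonce is None else nonce
    pt = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(k_enc, nonce, len(pt))))
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ct + tag).decode().rstrip("=")


def open_cookie(master, value):
    """Return the payload, or None if the cookie is malformed, forged or altered."""
    k_enc, k_mac = _subkey(master, b"enc"), _subkey(master, b"mac")
    try:
        raw = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
    except ValueError:
        return None
    if len(raw) < 16 + 32:
        return None
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, nonce, len(ct))))
    try:
        return json.loads(pt)
    except ValueError:
        return None


def demo():
    # Constructed secret, payload and nonce so the run is reproducible.
    master = hashlib.sha256(b"constructed example secret").digest()
    payload = {"uid": 42, "role": "user"}
    cookie = seal_cookie(master, payload, nonce=bytes(range(16)))
    # Flip one bit in the first ciphertext byte: the MAC must catch it.
    raw = base64.urlsafe_b64decode(cookie + "=" * (-len(cookie) % 4))
    flipped = raw[:16] + bytes([raw[16] ^ 0x01]) + raw[17:]
    tampered = base64.urlsafe_b64encode(flipped).decode().rstrip("=")
    return {
        "roundtrip": open_cookie(master, cookie),
        "tampered": open_cookie(master, tampered),
        "wrong_key": open_cookie(b"not the master key", cookie),
        "garbage": open_cookie(master, "%%%not base64%%%"),
    }
```

seal_cookie and open_cookie share nothing with the client but the cookie value; the nonce travels inside it and the keys stay on the server. demo() returns the decoded payload for the untouched cookie and None for a bit-flipped cookie, a cookie sealed under another key, and a string that is not base64 at all. Keep the server-side checks in that order (decode, length, MAC, then decrypt and parse) so that nothing is parsed before the tag has been verified.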

------------------------------

From: Paul Rubin <[EMAIL PROTECTED]>
Subject: Re: Good place to start?
Date: 30 May 2001 01:08:29 -0700

"The archgimP" <althalus@excitedotcom> writes:
> Are there any 'Faqs' for this NG which could help me get started?

Yes, the sci.crypt FAQ (in 10 parts) is excellent.  It gets posted here
every few weeks.  You might find it on sci.answers.

> Are there any good 'suggested reading' lists for catching up with some of
> the more recent developments...

You could start with: Applied Cryptography, by Bruce Schneier (the standard
reference for this newsgroup); and Security Engineering, by Ross Anderson
(less specifically about cryptography, but more stuff about the UK legal
situation and so forth).

------------------------------

From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: crypt analysis of rar archive encryption
Date: Wed, 30 May 2001 04:35:53 -0400

Erwin Molendijk wrote:
> 
> Hello,
> 
> To master the workings of encryption I'm doing various analysis of
> (weaker) encryption methods.

That is the best way to learn about cryptanalysis.

> At this moment I'm looking at the encryption method used by the Rar
> archiver. To my knowledge there is no known attack on the method used
> by this archiver.

If there's no known attack, then it's probably not something which a
newcomer to the field should start off on.  I would suggest you attack
FEAL-4 first using linear analysis, then differential analysis.  Then
attack FEAL-8.

There do already exist attacks on FEAL, so of course it's highly likely
that you will only find something others already know -- this is how you
would check your work.  If you come up with an attack, and *don't* find
it in the publications, then it's possible you have something new!  If
so, kudos to you, maybe you can publish.

After trying yourself on the kiddy slope, try to break reduced-round
versions of other well-known ciphers, but ones which are believed to be
secure when all the rounds are used.  For example, see if you can find
an attack against 8-round DES.  Again, there exist such attacks, and
it's likely all you'll do is rediscover something others already know
of, but the point here is to learn, not *really* to create new attacks.

> If needed I can post the C source of the encryption routine.
> 
> I only have a vague theoretical approach, which is probably not really
> feasible.
> 
> Does anyone have more information on this specific encryption method
> used by Rar?

If no one's made attacks, assume [for now] that it's secure.  Attack it
after you've practiced easier stuff.  You wouldn't try to ski down death
mountain until you'd mastered all the easier slopes, would you?

> I'm interested in everything, also more theoretical attacks like
> plaintext attacks.

Known-plaintext is not considered a "theoretical" attack... when
analysing a system, we *always* assume that the attacker can get some
known plaintext.  An attack is called a "theoretical" one when the amount
of work required is still larger than feasible, but is less than
exponential in the size of the key -- for example, an attack taking
2**120 work against a cipher with a 128 bit key is a theoretical attack
-- it would take less work than brute force (which would be 2**128),
but still more than we can do in any reasonable amount of time.

-- 
The longer a man is wrong, the surer he is that he's right.
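
Added example, not part of Benjamin Goldberg's post: the first step of the differential attack on FEAL-4 he recommends, in Python. The F function is written out from the published FEAL description as I remember it (byte-wise XOR with the subkey, then the S0/S1 add-and-rotate boxes); check it against the specification before relying on it as a reference. The script measures, over random inputs and subkeys, how often an input XOR difference through F yields a given output difference. The characteristic 0x80800000 -> 0x02000000 holds with probability 1 whatever the subkey, which is what the last-round key recovery on FEAL-4 is built on; a single-byte difference such as 0x80000000 does not propagate deterministically.

```python
import random


def rol2(x):
    return ((x << 2) | (x >> 6)) & 0xFF


def s0(a, b):
    return rol2((a + b) & 0xFF)


def s1(a, b):
    return rol2((a + b + 1) & 0xFF)


def feal_f(alpha, beta):
    """FEAL round function as recalled here: 32-bit data word alpha, 16-bit
    subkey beta.  Verify against the specification before reusing."""
    a0, a1, a2, a3 = alpha.to_bytes(4, "big")
    b0, b1 = beta.to_bytes(2, "big")
    f1 = a1 ^ b0 ^ a0
    f2 = a2 ^ b1 ^ a3
    f1 = s1(f1, f2)
    f2 = s0(f2, f1)
    f0 = s0(a0, f1)
    f3 = s1(a3, f2)
    return int.from_bytes(bytes((f0, f1, f2, f3)), "big")


def output_difference_counts(in_diff, trials=2000, seed=1):
    """Histogram of F(x, k) ^ F(x ^ in_diff, k) over random x and k."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    counts = {}
    for _ in range(trials):
        x, k = rng.getrandbits(32), rng.getrandbits(16)
        d = feal_f(x, k) ^ feal_f(x ^ in_diff, k)
        counts[d] = counts.get(d, 0) + 1
    return counts


def differential_probability(in_diff, out_diff, trials=2000, seed=1):
    """Empirical probability that in_diff -> out_diff through F."""
    counts = output_difference_counts(in_diff, trials, seed)
    return counts.get(out_diff, 0) / trials


def best_output_difference(in_diff, trials=2000, seed=1):
    """Most frequent output difference for in_diff and its empirical probability."""
    counts = output_difference_counts(in_diff, trials, seed)
    d = max(counts, key=counts.get)
    return d, counts[d] / trials
```

Why 0x80800000 is key-independent: the two 0x80 differences cancel in f1 = a1 ^ b0 ^ a0, so only the final S0(a0, f1) sees a difference, and adding 0x80 modulo 256 always flips exactly the top bit, which the rotate moves to 0x02. The next step in the attack, not shown here, is to chain such characteristics through the four rounds and recover the last subkey by counting which guess makes the expected difference appear.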

------------------------------

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Discrete Log question
Date: 30 May 2001 09:00:30 GMT

Lon Willett <[EMAIL PROTECTED]> wrote:

> Let Q = (P-1)/2.  Q is a large prime.  If P mod 6 is 1, then 3|Q (a
> contradiction).  So P mod 6 must be 5.  Therefore Q mod 3 is 2.  So
> phi(P-1) = Q-1 is indivisible by 3 (Q-1 mod 3 = 1).

Of course, you're right.

-- [mdw]
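
Added example, not from Mark Wooding's or Lon Willett's posts, and also illustrating the (Z/nZ)^* notation thread earlier in this digest: Python that enumerates the unit group of Z/nZ, checks that it is closed and has inverses (and that the nonzero residues of Z/nZ are not a group under multiplication unless n is prime), and verifies the safe-prime argument above for every safe prime p = 2q+1 with q > 3 below a bound: p mod 6 = 5, phi(p-1) = q-1, and (q-1) mod 3 = 1. It also counts the generators of (Z/pZ)^*, which is where phi(p-1) turns up in discrete-log settings. The bound and the sample primes are my choice; the p-adic integers Nigel Smart mentions are not touched.

```python
from math import gcd


def units(n):
    """(Z/nZ)^*: the residues mod n that have multiplicative inverses."""
    return [a for a in range(1, n) if gcd(a, n) == 1]


def euler_phi(n):
    """phi(n) = |(Z/nZ)^*|, computed by counting."""
    return len(units(n))


def is_multiplicative_group(elems, n):
    """Closure, identity and inverses for a set of residues under
    multiplication mod n (associativity is inherited from the integers)."""
    s = set(elems)
    if 1 not in s:
        return False
    closed = all((a * b) % n in s for a in elems for b in elems)
    has_inverses = all(any((a * b) % n == 1 for b in elems) for a in elems)
    return closed and has_inverses


def is_prime(n):
    return n >= 2 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def multiplicative_order(a, p):
    k, x = 1, a % p
    while x != 1:
        x = (x * a) % p
        k += 1
    return k


def generators(p):
    """Generators of the cyclic group (Z/pZ)^*, p prime; there are phi(p-1)."""
    return [g for g in range(1, p) if multiplicative_order(g, p) == p - 1]


def safe_prime_facts(p):
    """For a safe prime p = 2q + 1, the quantities the thread argues about."""
    q = (p - 1) // 2
    if not (is_prime(p) and is_prime(q)):
        raise ValueError("%d is not a safe prime" % p)
    return {
        "p_mod_6": p % 6,
        "q_mod_3": q % 3,
        "phi_p_minus_1": euler_phi(p - 1),
        "q_minus_1": q - 1,
        "generators": len(generators(p)),
    }


def first_counterexample_below(limit):
    """Check p mod 6 = 5, phi(p-1) = q-1 and (q-1) mod 3 = 1 for every safe
    prime p = 2q+1 with q > 3 below limit; return the first p that fails."""
    for p in range(11, limit):
        q = (p - 1) // 2
        if not (is_prime(p) and is_prime(q) and q > 3):
            continue
        if p % 6 != 5 or euler_phi(p - 1) != q - 1 or (q - 1) % 3 != 1:
            return p
    return None
```

units(n) and is_multiplicative_group make the notational point concrete: for n = 8 the unit group {1, 3, 5, 7} is a group, the nonzero residues {1, ..., 7} are not (2 * 4 = 0 mod 8), and only for prime n do the two sets coincide. safe_prime_facts(23) returns p mod 6 = 5, q mod 3 = 2, phi(22) = 10 = q-1 and 10 generators of (Z/23Z)^*; first_counterexample_below(3000) returns None. The q > 3 condition is the "Q is a large prime" of the post: q = 3 gives p = 7 with p mod 6 = 1.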

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
