Cryptography-Digest Digest #485, Volume #14      Thu, 31 May 01 18:13:00 EDT

Contents:
  Re: Diffusion limits in block ciphers ([EMAIL PROTECTED])
  Re: Unicity distance and compression for AES (SCOTT19U.ZIP_GUY)
  Re: National Security Nightmare? ("M.S. Bob")
  Re: Diffusion limits in block ciphers ([EMAIL PROTECTED])
  Re: crypt education (SCOTT19U.ZIP_GUY)
  Re: Diffusion limits in block ciphers (SCOTT19U.ZIP_GUY)
  Re: Quantum Computers with relation to factoring and BBS (ArY)
  Re: Medical data confidentiality on network comms ("Harris Georgiou")
  Is RSA suitable for DSA? ("Uros Podlogar")
  Re: Medical data confidentiality on network comms (Dimitri Maziuk)
  Re: Quantum Computers with relation to factoring and BBS (Nicholas Hopper)
  Re: And the FBI, too (Re: National Security Nightmare?) (Matthew Montchalin)
  Re: Good crypto or just good enough? ("Paul Pires")

----------------------------------------------------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Diffusion limits in block ciphers
Date: Thu, 31 May 2001 11:21:11 -0800

David Wagner wrote:
> 
> >For an n-bit block cipher, plaintext bits 0 through n-1 can only affect
> >ciphertext bits 0 through n-1. Input changes in one block have
> >absolutely no effect on the outputs of other blocks.
> 
> I don't really understand what you mean by the latter sentence.
> Diffusion between blocks is outside of the domain of the block cipher;
> that's the responsibility of the chaining mode.  And good chaining modes
> (e.g., CBC, CFB, ...) do ensure sufficient diffusion to stop attacks.


I'll have to go read up on chaining modes before I can answer. I've
heard of the ECB mode and I think a certain chaining mode can be
used to create a pseudo-random number generator but that's the extent
of my understanding. Does the chaining mode cause interaction
between blocks in any way?

What I meant by the latter sentence is that a block cipher operates
only on an n-bit portion of the entire message, so the diffusion only
occurs within those n bits. Apparently this isn't a problem but
I don't understand why. Intuitively it seems that a hypothetical
block cipher with a block length, N, equal to the entire message length
would have better strength than using the same block cipher algorithm to
encrypt the message in n-bit chunks where n<<N.

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Unicity distance and compression for AES
Date: 31 May 2001 20:19:09 GMT

[EMAIL PROTECTED] wrote in <[EMAIL PROTECTED]>:
>
>Where does Shannon discuss compression in detail?  I did a quick flip
>through
>his "Comm. Theory of Secrecy Systems" and only found a passing reference
>to
>compression.  If memory serves, he doesn't discuss it in "A Mathematical
>Theory of Comm. Systems" either.
>
>I would be interested in reading any research he did on compression.
>As far as I'm concerned, Shannon was "the man" (and not just because
>of his secrecy system theory).
>

   I don't have the papers readily available but I think it was in
his Comm paper where he discusses entropy and he calls it H. 
But I am sure others know exactly where it is. I confused the ideal
security and perfect security definitions and someone pointed it out.

David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE "OLD VERSION"
        http://www.jim.com/jamesd/Kong/scott19u.zip
My website http://members.nbci.com/ecil/index.htm
My crypto code http://radiusnet.net/crypto/archive/scott/
MY Compression Page http://members.nbci.com/ecil/compress.htm
**NOTE FOR EMAIL drop the roman "five" ***
Disclaimer:I am in no way responsible for any of the statements
 made in the above text. For all I know I might be drugged or
 something..
 No I'm not paranoid. You all think I'm paranoid, don't you!


------------------------------

From: "M.S. Bob" <[EMAIL PROTECTED]>
Subject: Re: National Security Nightmare?
Date: Thu, 31 May 2001 21:23:22 +0100

Paul Rubin wrote:
> 
> [EMAIL PROTECTED] (John Hairell) writes:
> > NSA employees are not prohibited from stating where they work, but
> > it's far easier for them to say they work for the Department of
> > Defense to avoid questions.
> 
> Some NSA people at a crypto conference I went to a few years ago said
> that, up to a few years prior to that, they were required to say
> "Dept. of Defense" rather than NSA, but the requirement had recently
> been relaxed.  Nowadays there are NSA people at crypto conferences (hi!)
> who have "<name>, National Security Agency" printed on their
> conference badges, and they mix in just fine with everyone else, give
> presentations, etc.  I believe their presentations have to be cleared
> before they can be given to the "public", but that's all behind the
> scenes.

I have heard a senior UK Ministry of Defence official mention that his
presentations had been approved (he mentioned that a slide had to be
removed for a recent forum). In the UK, ex-GCHQ staff members (a reader
of sci.crypt :) seem able to "broadly hint" at their former employment,
though they are still restricted by the Official Secrets Act, which is
still concealing some WWII cryptographic work of the Brits, whose
existence was hinted at by a member who worked on Colossus.

Canadians seem to be also fairly low-key but do tell untrusted parties
such as myself about their position, though I believe they normally
identify themselves to the general public as Dept National Defence - I
think to get fewer questions, or they also have a civilian government job
title.

Part of that is IMHO the "protection" role that these military
intelligence agencies want to promote in a positive light to the public.
Particularly the open cryptology and computer security communities where
cooperation could benefit both parties.

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Diffusion limits in block ciphers
Date: Thu, 31 May 2001 11:39:52 -0800

David Wagner wrote:
> 
> >For an n-bit block cipher, plaintext bits 0 through n-1 can only affect
> >ciphertext bits 0 through n-1. Input changes in one block have
> >absolutely no effect on the outputs of other blocks.
> 
> I don't really understand what you mean by the latter sentence.
> Diffusion between blocks is outside of the domain of the block cipher;
> that's the responsibility of the chaining mode.  And good chaining modes
> (e.g., CBC, CFB, ...) do ensure sufficient diffusion to stop attacks.


I took a look at chaining and that pretty much answers my question.

Thanks.

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: crypt education
Date: 31 May 2001 20:31:52 GMT

[EMAIL PROTECTED] (Matt) wrote in <[EMAIL PROTECTED]>:

>Greetings, all,
>
>I'm considering go back to college for a double major in computer
>science and mathematics.  I've had a lot of schooling, but never
>finished a degree. I'm very interested in cryptography and security and
>am looking for recommendations on what types of classes will best help
>me understand the field.  The math I've already had included calculus,
>differential equations, math modeling, statistics, and systems
>engineering of the queueing/least-path/cpm type.  My computer experience
>includes some programming I've picked up on my own and network
>administration work. 
>
>I appreciate any comments and hope this is an appropriate topic for this
>group.

  It depends where you want to break into the field. If you have no morals
and can live a lie easily the best education would be there at the NSA.
If you want to be publicly known you should follow one of those like
Mr BS and then maybe you can get promoted into the club when you follow
the common footsteps. The first way is one where you learn the most
about crypto. The second way you would get more public glory but
most likely learn little about real crypto. There is a third way you
would learn somewhere in between what the first two paths offer.
Read what the mavericks are doing like me and Ritter and also what
the public so called crypto gods do. But in this last approach you
will not make money so you have to be satisfied at least knowing
that you followed an honest path. Oops also check what wtshaw is doing
he has lots of great ideas too.
 Read books like The Codebreakers and The Puzzle Palace. Crypto is highly
politicized so you have to be very careful. Always remember there is
a billion dollar semi secret organization the NSA to try to make
you go down the false path. That's why option one is the best if that
is your major interest.



David A. Scott


------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Diffusion limits in block ciphers
Date: 31 May 2001 20:41:32 GMT

[EMAIL PROTECTED] (David Wagner) wrote in 
<9f66u3$2rc8$[EMAIL PROTECTED]>:

>>For an n-bit block cipher, plaintext bits 0 through n-1 can only affect
>>ciphertext bits 0 through n-1. Input changes in one block have
>>absolutely no effect on the outputs of other blocks.
>
>I don't really understand what you mean by the latter sentence.
>Diffusion between blocks is outside of the domain of the block cipher;
>that's the responsibility of the chaining mode.  And good chaining modes
>(e.g., CBC, CFB, ...) do ensure sufficient diffusion to stop attacks.
>

  Actually the three letter mode chaining methods kind of suck at
having sufficient diffusion to stop attacks. Shannon has shown
that it's far better to have infinite error diffusion in chaining.
But modern crypto is not about protecting data. It's more about 
deceiving one so that when your mail is read you have this nice
warm feeling of security.  As an easy check encrypt a message 
with CBC or whatever, replace the middle one third of the file
with all zeros. Then decrypt the file. Guess what, only the
middle third of the file is unreadable and one or two blocks of the 
last third. By even this simple test one can see things like CBC
suck at providing sufficient diffusion. But most on this forum will
try to hold your hand and say it's safe.


David A. Scott

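The following is an added example, not code from any post in this digest. It answers the question asked at the top of the thread (does the chaining mode cause interaction between blocks?) and runs the zero-the-middle-third check described in the post above, on the same data. The block cipher is a toy 64-bit Feistel network with SHA-256 as its round function, chosen only so the script runs with the Python standard library; it is not AES and nothing below depends on its strength, only on it being a keyed permutation of 8-byte blocks. The key, the all-zero IV and the 9-block message are constructed for the demonstration (a fixed IV is fine for a diffusion experiment, not for real traffic).

```python
"""ECB vs CBC diffusion on a toy 64-bit Feistel block cipher (added example)."""
import hashlib

BLOCK = 8        # toy block size in bytes (64-bit blocks)
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(half: bytes, key: bytes, rnd: int) -> bytes:
    # Keyed round function: first 4 bytes of SHA-256(key || round || half).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Encrypt one 8-byte block with a balanced Feistel network (toy cipher)."""
    l, r = block[:4], block[4:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _round_fn(r, key, i))
    return r + l          # final swap lets decryption reuse the same loop


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for i in reversed(range(ROUNDS)):
        l, r = r, _xor(l, _round_fn(r, key, i))
    return r + l


def _blocks(data: bytes):
    if len(data) % BLOCK:
        raise ValueError("input must be a whole number of blocks")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    # ECB: every block is encrypted on its own; no inter-block diffusion at all.
    return b"".join(block_encrypt(key, b) for b in _blocks(pt))


def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    return b"".join(block_decrypt(key, b) for b in _blocks(ct))


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    # CBC: each plaintext block is XORed with the previous ciphertext block
    # before encryption, so a change in block i reaches every later block.
    out, prev = [], iv
    for b in _blocks(pt):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    # Decryption needs only the previous *ciphertext* block, which is why
    # damage to ciphertext block i corrupts plaintext blocks i and i+1 only.
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def differing_blocks(a: bytes, b: bytes):
    """Indices of the blocks where a and b differ."""
    return [i for i, (x, y) in enumerate(zip(_blocks(a), _blocks(b))) if x != y]


def flip_bit_test(key: bytes, iv: bytes, pt: bytes, bit: int = 0):
    """Flip one plaintext bit in block 0; return the (ECB, CBC) lists of
    ciphertext block indices that change."""
    mod = bytes([pt[0] ^ (1 << bit)]) + pt[1:]
    ecb = differing_blocks(ecb_encrypt(key, pt), ecb_encrypt(key, mod))
    cbc = differing_blocks(cbc_encrypt(key, iv, pt), cbc_encrypt(key, iv, mod))
    return ecb, cbc


def zero_middle_third_test(key: bytes, iv: bytes, pt: bytes):
    """The check from the thread: CBC-encrypt, overwrite the middle third of
    the ciphertext blocks with zeros, decrypt, and return the indices of the
    plaintext blocks that no longer match."""
    ct = _blocks(cbc_encrypt(key, iv, pt))
    lo, hi = len(ct) // 3, 2 * len(ct) // 3
    damaged = ct[:lo] + [bytes(BLOCK)] * (hi - lo) + ct[hi:]
    return differing_blocks(pt, cbc_decrypt(key, iv, b"".join(damaged)))


if __name__ == "__main__":
    key, iv = b"sixteen byte key", bytes(BLOCK)   # constructed demo key / IV
    pt = bytes(range(9 * BLOCK))                   # constructed 9-block message
    print("bit flip in block 0, changed ct blocks (ECB, CBC):",
          flip_bit_test(key, iv, pt, 5))
    print("ct blocks 3..5 zeroed, damaged pt blocks:",
          zero_middle_third_test(key, iv, pt))
```

On the constructed 9-block message the bit flip changes only ciphertext block 0 under ECB but blocks 0 through 8 under CBC, which is the forward interaction between blocks the first post asked about. Zeroing ciphertext blocks 3, 4 and 5 leaves plaintext blocks 3, 4, 5 and 6 damaged and everything else intact, exactly the self-limiting error propagation described above; in CBC that behaviour is by design (the mode resynchronises after one block), and detecting such tampering is the job of a MAC rather than of the mode's diffusion.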

------------------------------

From: ArY <[EMAIL PROTECTED]>
Subject: Re: Quantum Computers with relation to factoring and BBS
Date: Thu, 31 May 2001 21:56:17 +0100

> But since there is a polynomial-time algorithm for extracting a
> nontrivial factor of a number n if and only if there is a polynomial-
> time algorithm for solving the decision problem, we don't actually have
> a problem here.

I don't think that's true, if I understand you correctly. Given n, one
can decide its primality by finding (or failing to find) Riemann and
Fermat witnesses in p-time, assuming Extended Riemann Hypothesis. This
solves the decision problem in P time, so this problem IS in P (assuming
ERH). However those witnesses don't tell you what the factors are, and I
can see no obvious way using the algorithm polynomial number of times
would tell me what the factors are, given a composite n. (Perhaps you
could explain what you meant by "use binary search"?)

In summary, primality testing IS in P (assuming ERH), but finding
factors of large composites is not known to be in FP, I think is the
current state of affairs.

Just a note: for those who don't know already, when talking about
polynomial time algorithms, it's important to note that we are talking
about polynomial in *the length* of the input. So if the input is 1024,
the length of input is 10 = log2(1024), so a p-time algorithm should run
in O(10^k) steps, where k is some positive integer.

AY

------------------------------

From: "Harris Georgiou" <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc
Subject: Re: Medical data confidentiality on network comms
Date: Fri, 1 Jun 2001 00:43:34 +0300


wtshaw <[EMAIL PROTECTED]> wrote in message
[EMAIL PROTECTED]:
> In article <9f5te9$rg8$[EMAIL PROTECTED]>, "Niels Ferguson"
> <[EMAIL PROTECTED]> wrote:
> >
> This is not a meaningful line of logic.  A copy can be copied or tapped as
> transfered.  Once access is obtained, there is surely no realistic means
> of tracking where it might go.  The nature of digital information is that
> it does not act like paper or outdated related thinking.

Not entirely true. If the medical data are kept in a well controlled manner
(even in case of distributed DBs), then there is always the possibility of
time-limited key-controlled access. To ensure that the access is copy-proof
one has to impose strict regulations and policies on hardware (i.e. not
using any hardcopies or removable storage), as long as the medical care
system can afford the cost of such infrastructure. And of course, encryption
& decryption can be always a click away (but not in case of paper).

> A patient's records should be controlled by the patient and doctor
> involved.  All access should require original and revokable permission.
> Data bases are only justified when individual patient identification is
> forbidden.  Otherwise, use is an invasion of privacy, no buts about it, no
> tolerance given, and woe be to those who trangress the doctor-patient
> relationship.

Still the original problem remains the same. As long as anyone can make
photocopies (hardcopies) or backups (digital copies) of sensitive data,
there is always the possibility of unauthorized use some time in the future.



--

Harris

- 'Malo e lelei ki he pongipongi!'




------------------------------

From: "Uros Podlogar" <[EMAIL PROTECTED]>
Subject: Is RSA suitable for DSA?
Date: Thu, 31 May 2001 23:48:39 +0200

I would like to encrypt a registration code. The registration code will
contain basic information about the registration and the software that he
or she is registering. This would usually be a string no longer than 15 or
20 bytes.

First I thought that I could use the RSA algorithm. The good thing is that I
can encrypt the registration code with my private key, and the software that
I will be registering with this code will use the public key. Nobody can
find out my private key by debugging the registered software and I can
easily check the integrity of the registration code.

But three things are bothering me:

1. If I would use short keys, my code will be broken easily. But if I use a
long key and encrypt my short data, the encrypted message will be long and
not usable as a registration code.

2. I would use the same private and public key for all keys, where the
message contents (that I am encrypting) are easy to predict. Is the
encrypted message any easier to break in this case?

3. In replies to my last question someone mentioned that I should use a good
random number generator. I would generate one public and one private key. I
will have the public key inside my software and because of that I can not
change the private key. Because of that I will use the random generator only
once and its quality is not that important.

If someone knows how registration codes are usually encrypted, please let me
know.

Thank you for your help.

Bye

Uros



------------------------------

From: [EMAIL PROTECTED] (Dimitri Maziuk)
Crossposted-To: comp.security.misc
Subject: Re: Medical data confidentiality on network comms
Date: 31 May 2001 21:45:08 GMT
Reply-To: [EMAIL PROTECTED]

On Thu, 31 May 2001 12:39:54 -0600, wtshaw wrote:
> In article <9f5te9$rg8$[EMAIL PROTECTED]>, "Niels Ferguson"
><[EMAIL PROTECTED]> wrote:
>> 
>> Many problems can be solved by having a system in which people have
>> access, but _every_ access is reported to the patient in question. This
>> requires some low-level authentication to know who was accessing the
>> data. It is probably good enough to stop most of the abuse. Certainly
>> in the US with its class-action lawsuits a tracking system would deter
>> systematic illegal use of medical data. If the abuse of the data is legal,
>> you don't need a technical solution but a political one.
>> 
...  A copy can be copied or tapped as
> transfered.  Once access is obtained, there is surely no realistic means
> of tracking where it might go.  The nature of digital information is that
> it does not act like paper or outdated related thinking.
> 
> A patient's records should be controlled by the patient and doctor
> involved.  All access should require original and revokable permission.

Well, hope you never find yourself unconscious in ER where they have to
wake you up to get that "original and revokable permissions", and they can't
do that without checking your medical records first. Otherwise (if ER surgeon
is the "doctor involved"), I don't see how your system is different from the
one where "people have access, but every access is reported to the patient".

I don't think by "people" Niels meant "anybody" -- from context I'd say he
meant "doctor involved".

And I don't see what that has to do with unauthorized "copying or tapping
in transit".

> Data bases are only justified when individual patient identification is
> forbidden.  Otherwise, use is an invasion of privacy, no buts about it, no
> tolerance given, and woe be to those who trangress the doctor-patient
> relationship.

Huh?

> This is not a meaningful line of logic.

Aaah, I see.

Dima
-- 
E-mail dmaziuk at bmrb dot wisc dot edu (@work) or at crosswinds dot net (@home)
http://www.bmrb.wisc.edu/descript/gpgkey.dmaziuk.ascii -- GnuPG 1.0.4 public key
I'm going to exit now since you don't want me to replace the printcap. If you 
change your mind later, run                         -- magicfilter config script

------------------------------

From: Nicholas Hopper <[EMAIL PROTECTED]>
Subject: Re: Quantum Computers with relation to factoring and BBS
Date: Thu, 31 May 2001 17:57:47 -0400



On Thu, 31 May 2001, ArY wrote:

> > But since there is a polynomial-time algorithm for extracting a
> > nontrivial factor of a number n if and only if there is a polynomial-
> > time algorithm for solving the decision problem, we don't actually have
> > a problem here.
> 
> I don't think that's true, if I understand you correctly. Given n, one
> can decide its primality by finding (or failing to find) Riemann and
> Fermat witnesses in p-time, assuming Extended Riemann Hypothesis. This
> solves the decision problem in P time, so this problem IS in P (assuming
> ERH). However those witnesses don't tell you what the factors are, and I
> can see no obvious way using the algorithm polynomial number of times
> would tell me what the factors are, given a composite n. (Perhaps you
> could explain what you meant by "use binary search"?)

The usual "related decision problem" for factoring is the language
FACTOR = {(n, k) : there exists p st k <= p < n and p | n}

From this definition it should be clear that an algorithm for factoring
n will give a method to decide membership in FACTOR; and that combined
with binary search (over k), an algorithm to decide FACTOR can be used to
find a non-trivial factor of n.

Note that this is not the language COMPOSITES, which is the complement of
PRIMES.  As you note, ERH => PRIMES is in P => COMPOSITES is in P. 

> In summary, primality testing IS in P (assuming ERH), but finding
> factors of large composits is not known to be in FP, I think is the
> current state of affairs.
> 
> Just a note: for those who don't know already, when talking about
> polynomial time algorithms, it's important to note that we are talking
> about polynomial in *the length* of the input. So if the input is 1024,
> the length of input is 10 = log2(1024), so a p-time algorithm should run
> in O(10^k) steps, where k is some positive integer.
> 
> AY
> 
> 


=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Nicholas J. Hopper
Ph.D. Student in Computer Science
Carnegie Mellon University




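The reduction in the reply above, carried out in code, as an added example that is not part of the original post. It binary-searches over k using an oracle for FACTOR = {(n, k) : there exists p with k <= p < n and p | n}, needing only about bit-length-of-n queries, and, for the contrast drawn in the earlier post, also shows a Miller-Rabin witness certifying that a number is composite without revealing a factor. The oracle itself is a stand-in implemented by trial division (exponential in the bit length), assumed here only so the script runs stand-alone; the reduction does not depend on how the oracle is implemented. The numbers 91, 221, 10403 = 101 * 103 and 97 are constructed test inputs.

```python
"""Search-to-decision reduction for factoring via the language FACTOR (added example)."""


def largest_proper_divisor(n: int) -> int:
    """Stand-in helper for the oracle: n // (smallest prime factor of n),
    or 1 when n is prime. Exhaustive trial division, so only for small n."""
    d = 2
    while d * d <= n:
        if n % d == 0:
            return n // d
        d += 1
    return 1


def factor_oracle(n: int, k: int) -> bool:
    """Decide (n, k) in FACTOR for n >= 2, k >= 1. A divisor p with
    k <= p < n exists exactly when the largest proper divisor is >= k."""
    return k <= largest_proper_divisor(n)


class CountingOracle:
    """Wraps an oracle and counts the queries the reduction makes."""

    def __init__(self, oracle):
        self.oracle, self.calls = oracle, 0

    def __call__(self, n: int, k: int) -> bool:
        self.calls += 1
        return self.oracle(n, k)


def find_factor(n: int, oracle=factor_oracle):
    """Return the largest proper divisor of n (a nontrivial factor) using
    only FACTOR queries, or None if n is prime or n < 4."""
    if n < 4 or not oracle(n, 2):
        return None                  # no divisor in [2, n): n is prime
    lo, hi = 2, n - 1                # invariant: oracle(n, lo) is True
    while lo < hi:                   # {k : (n, k) in FACTOR} is downward
        mid = (lo + hi + 1) // 2     # closed, so bisection finds its maximum
        if oracle(n, mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def find_factor_counted(n: int):
    """Same reduction, also returning the number of oracle queries used."""
    counter = CountingOracle(factor_oracle)
    return find_factor(n, counter), counter.calls


def is_mr_witness(n: int, a: int) -> bool:
    """Miller-Rabin: True if a proves odd n > 2 composite. A witness
    certifies membership in COMPOSITES but reveals no factor of n."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    x = pow(a, d, n)
    if x in (1, n - 1):
        return False
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return False
    return True


if __name__ == "__main__":
    n = 10403                        # constructed example: 101 * 103
    f, calls = find_factor_counted(n)
    print(f"{n} = {n // f} * {f} after {calls} FACTOR queries "
          f"(bit length {n.bit_length()})")
    print("2 is a Miller-Rabin witness for 221:", is_mr_witness(221, 2),
          "and 221 % 2 =", 221 % 2)
```

The query count stays within one or two of the bit length of n, which is what makes the decision and search versions polynomially equivalent; the witness check, by contrast, settles compositeness of 221 using a = 2 while 2 divides nothing.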
------------------------------

From: Matthew Montchalin <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto,us.misc
Subject: Re: And the FBI, too (Re: National Security Nightmare?)
Date: Thu, 31 May 2001 15:05:55 -0700

On 31 May 2001, Bob Silverman wrote:

|Matthew Montchalin <[EMAIL PROTECTED]> wrote in message 
|news:<[EMAIL PROTECTED]>...
|> On Wed, 30 May 2001, Sam Yorko wrote:
|> |I guess what I really meant is if someone confronted me with an NSA
|> |badge, how in the world could I verify this?
|
|Call Ft. Meade.  You will be connected to an operator there.  He/She
|will ask you for a name. If the person is an employee, you will be
|connected.

But how does one agency decide if any given individual is from
another agency?


------------------------------

From: "Paul Pires" <[EMAIL PROTECTED]>
Subject: Re: Good crypto or just good enough?
Date: Thu, 31 May 2001 15:05:19 -0700


John Myre <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Paul Pires wrote:
> <snip>
> > What is the true cost of labor at
> > the expense of judgement?
> <snip>
>
> Many might find comp.risks interesting in that regard.
>
> (It's moderated, basically a newsletter with collected
> stories.)

Thank You, I'll check it out.

Paul

>
> JM




------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
