Cryptography-Digest Digest #637

2001-06-18 Thread Digestifier

Cryptography-Digest Digest #637, Volume #14  Mon, 18 Jun 01 04:13:01 EDT

Contents:
  Re: Is ECB truly more secure than CBC? (Tim Tyler)
  Earpster AES: Updated Link (James Wyatt)
  Re: Is ECB truly more secure than CBC? (David Wagner)
  Re: Anyone Heard of Churning (David Wagner)
  Re: FIPS 140-1 test (Mark Wooding)
  Re: Single-cycle sbox question (Benjamin Goldberg)
  Re: 4 more inducted into NSA Hall of Honor (John A. Malley)
  Re: Single-cycle sbox question (SCOTT19U.ZIP_GUY)
  Re: Single-cycle sbox question (Benjamin Goldberg)
  Re: CipherText E-mail encryption (Bryan Olson)
  New Directions in Cryptography (David Hopwood)
  Re: SSL/TLS compression methods??? (Bryan Olson)
  Re: New Directions in Cryptography (Nomen Nescio)
  Speed of Hardware Encryption/Decryption (S Hanks)
  Re: Speed of Hardware Encryption/Decryption (Bob Deblier)
  Re: Speed of Hardware Encryption/Decryption (Paul Rubin)
  Re: Speed of Hardware Encryption/Decryption (Panu H)



From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Is ECB truly more secure than CBC?
Reply-To: [EMAIL PROTECTED]
Date: Sun, 17 Jun 2001 22:21:38 GMT

David Wagner [EMAIL PROTECTED] wrote:
: Tim Tyler  wrote:

:* Protocol can't cope with it - e.g.:
:  Multiple recipients, with new keys from a pad at midnight every night.

: I don't understand.

I was talking about the case where there's an existing protocol - and
you can't redesign it to include your key manipulations - since that would
create incompatibilities with the existing clients.

:* Recipient or sender is an embedded device - with no PRF handy.

: If you can't handle a PRF, you can't handle encryption.

Yes sorry - I thought you were referring to a hash.  On reflection even
if you had been, this objection would still be likely to be superfluous.
-- 
__
 |im |yler  [EMAIL PROTECTED]  Home page: http://alife.co.uk/tim/

--

From: James Wyatt [EMAIL PROTECTED]
Subject: Earpster AES: Updated Link
Date: Sun, 17 Jun 2001 22:40:41 GMT

It has come to my attention that Yahoo does not like when you use their
briefcase feature to provide software. I only have about 1000 download off
of Download.com and they shut me down. So, if anyone would like to download
a simple DOS based Rijndael program with source code you can find it at:
http://www.geocities.com/jrwyatt79/Earpster.zip. Also, let me know what you
think. I'm just a poor IS student and Earpster is the first program I have
written that is of any use.

Peace,
Jim




--

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Is ECB truly more secure than CBC?
Date: Sun, 17 Jun 2001 23:01:53 +0000 (UTC)

Tim Tyler  wrote:
I was talking about the case where there's an existing protocol - and
you can't redesign it to include your key manipulations - since that would
create incompatibilities with the existing clients.

Ok.  I assumed we were talking about a design question.
If it's an existing protocol, it seems unlikely that you'll
have any choice about whether to use ECB or CBC mode, since
changing the mode of operation would also create incompatibility.

--

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Anyone Heard of Churning
Date: Sun, 17 Jun 2001 23:05:29 +0000 (UTC)

Stephen Thomas wrote:
Apparently, ATM Passive Optical Networks (APONs) have standardized on
an encryption algorithm referred to as churning. Does anyone know
anything about this?

No clue.  The pointers you gave didn't give enough information
to evaluate it (although it looked like it might be a weak form
of substitution cipher on bytes; if this is correct, it would be
trivially insecure).

--

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: FIPS 140-1 test
Date: 18 Jun 2001 02:15:02 GMT

Peter Gutmann [EMAIL PROTECTED] wrote:

 As a followup question, has anyone ever looked at doing the tests
 which require an FPU in an (admittedly approximate) integer-only way?
 There are some embedded systems which don't do FP-maths too well.

My Catacomb library has draft-FIPS 140-2 tests in integers-only.  It's a
very simple transformation to make on the bounds, and doesn't compromise
accuracy.  (I have the FIPS 140-1 tests in my CVS repository...)

I don't have an integer-only version of Maurer's test, unfortunately. ;-)

-- [mdw]
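Worked example, added here and not part of Mark Wooding's post or of his Catacomb library: the four FIPS 140-1 single-bit-stream tests (monobit, poker, runs, long run on a 20,000-bit sample) with the poker statistic evaluated in integer arithmetic only. The floating-point form X = (16/5000) * sum(f_i^2) - 5000 with 1.03 < X < 57.4 is multiplied through by 5000, so only the bounds change and no precision is lost, which is the transformation the post describes. The sample bit stream is constructed from SHA-256 over a counter and stands in for the RNG under test; all function and constant names are this example's own.

```python
import hashlib

def sample_bits(seed: bytes = b"fips-demo", n_bits: int = 20000) -> list:
    """Constructed stand-in for the RNG output under test: SHA-256 over a
    counter, unpacked LSB-first into a list of 0/1 ints."""
    out, counter = [], 0
    while len(out) < n_bits:
        block = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        for byte in block:
            out.extend((byte >> i) & 1 for i in range(8))
        counter += 1
    return out[:n_bits]

# FIPS 140-1 section 4.11.1 bounds for a 20,000-bit sample.
MONOBIT_LO, MONOBIT_HI = 9654, 10346
# Poker test: X = (16/5000) * sum(f_i^2) - 5000 must satisfy 1.03 < X < 57.4.
# Multiplying the whole inequality by 5000 gives an exact integer test:
#   25_000_000 + 5150 < 16 * sum(f_i^2) < 25_000_000 + 287_000
POKER_LO = 25_000_000 + 5150      # 5150   == 5000 * 1.03
POKER_HI = 25_000_000 + 287_000   # 287000 == 5000 * 57.4
RUNS_BOUNDS = {1: (2267, 2733), 2: (1079, 1421), 3: (502, 748),
               4: (223, 402), 5: (90, 223), 6: (90, 223)}   # key 6 = "6 or longer"
LONG_RUN = 34   # a run of 34 or more identical bits fails

def monobit(bits):
    return MONOBIT_LO < sum(bits) < MONOBIT_HI

def poker(bits):
    """Count the 5000 four-bit segments; no division or float anywhere."""
    counts = [0] * 16
    for i in range(0, len(bits), 4):
        nibble = (bits[i] << 3) | (bits[i + 1] << 2) | (bits[i + 2] << 1) | bits[i + 3]
        counts[nibble] += 1
    s = sum(c * c for c in counts)
    return POKER_LO < 16 * s < POKER_HI

def runs(bits):
    """Return (runs_ok, long_run_ok); runs of zeros and of ones are counted separately."""
    counts = {0: {}, 1: {}}
    longest = i = 0
    while i < len(bits):
        j = i
        while j < len(bits) and bits[j] == bits[i]:
            j += 1
        length = j - i
        longest = max(longest, length)
        bucket = min(length, 6)
        counts[bits[i]][bucket] = counts[bits[i]].get(bucket, 0) + 1
        i = j
    runs_ok = all(lo <= counts[b].get(k, 0) <= hi
                  for b in (0, 1) for k, (lo, hi) in RUNS_BOUNDS.items())
    return runs_ok, longest < LONG_RUN

def fips140_1(bits):
    """Run all four tests; every value must be True for the sample to pass."""
    if len(bits) != 20000:
        raise ValueError("FIPS 140-1 tests are defined on exactly 20,000 bits")
    runs_ok, long_ok = runs(bits)
    return {"monobit": monobit(bits), "poker": poker(bits),
            "runs": runs_ok, "long_run": long_ok}

if __name__ == "__main__":
    print(fips140_1(sample_bits()))       # all True for a healthy source
    print(fips140_1([0] * 20000))         # a stuck source fails every test
```

The runs test needs no arithmetic beyond counting, and the monobit bounds are already integers, so the poker test is the only place where a floating-point division would normally appear.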

--

From: Benjamin Goldberg [EMAIL PROTECTED]
Subject: Re: Single-cycle sbox question
Date: Sun, 17 Jun 2001 23:53:47 -0400

Henrick Hellström wrote:
 
 See http://www.streamsec.com/createsc.asp The proof is included. I
 suppose that's where you got the idea in the first place.

No, I got the idea to create single-cycle sboxes in this manner from the
key schedule of the LJA1 cipher, which predates your code significantly.

And I'm sure that he got his code from somewhere else.  Don't try to
steal credit from others.

 If you are using key data 

Cryptography-Digest Digest #639

2001-06-18 Thread Digestifier

Cryptography-Digest Digest #639, Volume #14  Mon, 18 Jun 01 14:13:01 EDT

Contents:
  Re: Is ECB truly more secure than CBC? (John Myre)
  Re: Is ECB truly more secure than CBC? (John Myre)
  Re: My auction protocol (AY)
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack,  (Douglas A. Gwyn)
  Re: Any good Crypto Books? (Ross Anderson)
  Re: Help on GF(2^N) (Mark Wooding)
  Re: Bizzare Cryptanalysis (Mark Wooding)
  Re: Help on GF(2^N) (Jakob Jonsson)
  XOR256 encryption/decryption method (George Anescu)
  Re: quadratic functions (Tom St Denis)
  Re: BigNum Question (Tom St Denis)
  Re: XOR256 encryption/decryption method (Tom St Denis)
  Re: Is ECB truly more secure than CBC? (Tom St Denis)
  Re: SHA2 PRNG. (Tom St Denis)
  Re: Help with error correction (63,48) code (Mike Rosing)
  Re: Bizzare Cryptanalysis (Simon Johnson)
  Counter mode, the better way to do it? (Julian Morrison)
  Re: Counter mode, the better way to do it? (Tom St Denis)
  Re: Bizzare Cryptanalysis (Simon Johnson)



From: John Myre [EMAIL PROTECTED]
Subject: Re: Is ECB truly more secure than CBC?
Date: Mon, 18 Jun 2001 09:46:26 -0600

Tom St Denis wrote:
snip
 If you look at what these YAPL (Yet Another Programming Language) provide,
 typically more often than not it's a self-righteous need to feel proud of
 re-inventing the wheel.
snip

Pot calling the kettle black, I'd say.

JM

--

From: John Myre [EMAIL PROTECTED]
Subject: Re: Is ECB truly more secure than CBC?
Date: Mon, 18 Jun 2001 09:59:56 -0600

Paul Pires wrote:
snip
 I apologise if I have offended both you and the OP.

No apology needed (for me, anyway; I won't ask for the OP).

 Now that that is out of the way, I did read it differently
 than you and perceived a disparaging tone that you did
 not. I felt his characterization was misleading. He could
 have just posted Joe's words and asked for comment
 but he set it up in a biased fashion.

No trouble, to each his own.  And of course, I could be
biased, too.

 
  presenting himself as a cryptography expert.
 
 That wasn't clear from the referenced post.

Perhaps not, but I think it is reasonable to conclude that
Joe has posted several times, with various specific opinions.
In a non-crypto group, it would be easy to take such posts as
implicit claims to competence.

  he offers an argument as to why ECB mode should be supported in addition
  to CBC!
 
 Mr. Ashwood made no such recommendation.

I think he did, actually.  Although I can't remember exactly,
so perhaps it was somewhere else.

 Should someone who supports the use of ECB mode be
  considered an expert in a forum where not everyone is knowledgeable
  about cryptography?  It is very worrisome what form the standard will
  end up taking when this is what passes for expert cryptographic advice.
 
 passes for expert cryptographic advice. That's disparaging.

Yeah.  If I were Joe, I guess I'd take offense.

 As far as the, Take Prozac part goes, it was working a bit
 too hard at being cute. I didn't mean to suggest that he was
 mentally ill, just that it was a little hysterical. Perhaps a
 different pharmaceutical would have worked better.
 Upon reflection, I'm in a grumpy mood and it was a cheap
 shot.
 
 Have I used up my quota yet?

:)

You're *way* behind certain others, in both grumpiness and
cheap shots.  Just don't forget to take, uh, never mind.

JM

--

From: AY [EMAIL PROTECTED]
Subject: Re: My auction protocol
Date: Mon, 18 Jun 2001 17:06:37 +0100

 
 How would the user know that this information was correct?
 Couldn't the auction server record dummy bids in an attempt to push up the
 price?
 This idea is explored in The Cocaine Auction Protocol by Ross Anderson.

Thanks for this.  Yes I have read Ross Anderson's paper. I think this
operates at two levels.

First of all the auction server cannot insert dummy bids by pretending to
be a registered user because the bid message is signed by the bidder,
and the keypair is generated by the client side software. It is assumed
that the auction server receives the correct public (verification) key
of users during registration, i.e. no man in the middle attacks.

But at another level, there is nothing to stop the auction server from
generating a keypair and registering itself to the system. I think this is
hard to avoid if not impossible, but there's always a chance that the
server will become a winner which might be a disincentive for them to
do so. Similarly it's hard to stop the seller himself registering as
another user to push up the price, or he could simply ask his brother to do
so. It's hard to avoid in traditional physical auctions as well,
therefore I will not attempt to solve this problem, at least not now.

One point I'm not sure is clear from my original post is that there
are three auction entities: the seller, the server and the bidder, like
eBay, where 

Cryptography-Digest Digest #641

2001-06-18 Thread Digestifier

Cryptography-Digest Digest #641, Volume #14  Mon, 18 Jun 01 17:13:00 EDT

Contents:
  Re: Counter mode, the better way to do it? (Tim Tyler)
  Re: Is ECB truly more secure than CBC? (David Wagner)
  Re: SHA2 PRNG. (Tom St Denis)
  Re: survey (Mok-Kong Shen)
  Q: XML-security (Mok-Kong Shen)
  Re: survey (Benjamin Goldberg)
  Re: survey (Mok-Kong Shen)
  Re: Counter mode, the better way to do it? (Tom St Denis)
  Re: computationally impossible and cryptographic hashs (Benjamin Goldberg)
  Re: XOR256 encryption/decryption method (Tim Tyler)
  Sorry, I didn't know that was considered spam ([EMAIL PROTECTED])
  Re: Single-cycle sbox question (Henrick Hellström)
  Re: decorrelated bitsliced cipher (Benjamin Goldberg)
  Re: decorrelated bitsliced cipher (Tom St Denis)
  Re: Single-cycle sbox question (Henrick Hellström)
  Re: Single-cycle sbox question (Tom St Denis)



From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Counter mode, the better way to do it?
Reply-To: [EMAIL PROTECTED]
Date: Mon, 18 Jun 2001 20:04:56 GMT

Tom St Denis [EMAIL PROTECTED] wrote:
: Julian Morrison [EMAIL PROTECTED] wrote in message
: Two approaches I've seen to doing CNT mode for Rijndael:

: - use the raw count, say a 32 bit unsigned int in one quad of bytes and
: the 12 remaining bytes as 0x00. [...]
:
: - feed the count through a scrambling function first, such as MD5.
:
: Which is safer and better?

: In a good cipher... neither.

I presume that use of a hash would help eliminate the CTR mode proviso
that you change keys before you've transmitted sqrt(2^blocksize) blocks.

Note also that use of two cryptographic primitives might be seen as
slowing things down somewhat.

As Tom says, if your cypher's OK, there's no need to worry about the known
plaintext.

However if you *do* want to avoid it, you could do something like instead
of adding 1, add an odd constant with roughly the same number of 1 and 0
bits set in it, and rather than padding with 0s, duplicate the counter
across the block size.  These are not expensive operations to perform -
in contrast to hashing - which has a large cost.
-- 
__
 |im |yler  http://rockz.co.uk/  http://alife.co.uk/  http://atoms.org.uk/
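Added example, not from Tim Tyler's or Tom St Denis's posts: the three counter-block layouts discussed above (raw count padded with zeros, count scrambled through MD5, and the odd-constant step with the 32-bit value repeated across the block), plus a check of the one property any of them has to deliver, namely that no counter block repeats under a single key. HMAC-SHA256 truncated to 16 bytes stands in for the block cipher so the script runs without a crypto library; STEP is an assumed odd constant with 16 of its 32 bits set, and the key, nonce and message are constructed for the demo.

```python
import hashlib
import hmac

BLOCK = 16                  # Rijndael block size in bytes
STEP = 0xA5A5A5A5           # assumed odd constant, 16 one-bits out of 32
assert STEP & 1 and bin(STEP).count("1") == 16

def raw_counter_block(i: int) -> bytes:
    """32-bit count in the first quad of bytes, remaining 12 bytes zero."""
    return i.to_bytes(4, "big") + bytes(BLOCK - 4)

def hashed_counter_block(i: int) -> bytes:
    """Count fed through MD5 first; costs a second primitive per block."""
    return hashlib.md5(i.to_bytes(4, "big")).digest()

def stepped_counter_block(i: int) -> bytes:
    """Counter advanced by STEP (mod 2^32) instead of by 1, and the 32-bit
    value copied into all four quads; a handful of integer ops per block."""
    value = (i * STEP) & 0xFFFFFFFF
    return value.to_bytes(4, "big") * (BLOCK // 4)

def full_period(step: int, bits: int) -> bool:
    """Does stepping by `step` mod 2**bits visit every value before wrapping?
    True iff step is odd; an even step halves (or worse) the usable period,
    which is the check to make before replacing +1 with a constant."""
    seen, v = set(), 0
    for _ in range(1 << bits):
        seen.add(v)
        v = (v + step) & ((1 << bits) - 1)
    return len(seen) == (1 << bits)

def keystream_block(key: bytes, nonce: bytes, counter_block: bytes) -> bytes:
    """Stand-in PRF for E_key(nonce || counter); not AES."""
    return hmac.new(key, nonce + counter_block, hashlib.sha256).digest()[:BLOCK]

def ctr_xor(key: bytes, nonce: bytes, data: bytes, layout=stepped_counter_block) -> bytes:
    """CTR mode with a pluggable counter layout; the same call decrypts."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        ks = keystream_block(key, nonce, layout(i // BLOCK))
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], ks))
    return bytes(out)
```

Whichever layout is used, the keystream is only as fresh as the counter blocks are distinct: a layout that repeats a block under the same key repeats keystream, and the cheap odd-constant walk is exactly as safe in that respect as the raw count, because both are bijections on the 32-bit counter space.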

--

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Is ECB truly more secure than CBC?
Date: Mon, 18 Jun 2001 20:14:02 +0000 (UTC)

Joseph Ashwood wrote:
For encryption it's a bit more difficult, and will require feeding the
oracle the same value a large number of times, at least enough to find a
collision of values, call the original value A and the collicion A', call
the value following A B, and the value following A' B'. If B==B' it was CBC.

With CBC, all bets are off once you get near the birthday bound
(once you encrypt enough blocks to find a collision, i.e., near
2^32 blocks with a 64-bit block cipher).  The theorems only
promise security if the number of blocks encrypted is low enough
that no collision is likely.  So, there is no contradiction.

--

From: Tom St Denis [EMAIL PROTECTED]
Subject: Re: SHA2 PRNG.
Date: Mon, 18 Jun 2001 20:15:04 GMT


Cristiano [EMAIL PROTECTED] wrote in message
news:9glm23$739$[EMAIL PROTECTED]...
 Tom St Denis [EMAIL PROTECTED] ha scritto:
 . Cristiano [EMAIL PROTECTED] wrote in message
 . news:9gknsa$rr0$[EMAIL PROTECTED]...
 .  Tom St Denis wrote:
 .   Cristiano [EMAIL PROTECTED] wrote in message
 .   news:9gj15m$fan$[EMAIL PROTECTED]...
 .    Tom St Denis [EMAIL PROTECTED] ha scritto:
 .
 .     Cristiano [EMAIL PROTECTED] wrote in message
 .     news:9gimtg$d4d$[EMAIL PROTECTED]...
 .      Now I changed the generator in this way:
 .      1) I fill a 256 bits vector with 8 pseudorandom 32 bits numbers;
 .
 .     Careful here.  You should typically bring in more bits than you put
 .     out.  This is because you want to make sure the amount of entropy
 .     coming in is sufficient.  Let's say you bring in 256 bits from say
 .     the mouse co-ordinates [the lsbs].  But there is a huge skew of say
 .     p=0.95 for 1 in the lsb, this means your 256 bits has only
 .     -256 * log2(0.95) = 19 bits of real entropy.  You would need 3460
 .     bits to get your 256 bits of entropy.
 .
 .    Is there any empirical method that allows me to calculate how many
 .    bits I need?
 .
 . Typically with bits you can do say a 10-th order adaptive predictor.
 . I.e. given the past 10 bits, what is more likely to come?
 .
 . If your data is truly random it will be 0.5/0.5 either way.  So you
 . train the model on your data [you will need a lot of data, say 50,000
 . bits at least] then for each new bit you add the entropy.  If for
 . example you have 01 0, given the ten bits 01 you look up in the
 . model which is more likely to occur, 0 or 1.  Let's say P(1) = 0.95,
 . then we know that only -log2(0.95)=0.07 bits were added to the output.

 I am a bit confused. I don't understand 
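Added example, not from Tom St Denis's or Cristiano's posts: the order-10 adaptive predictor described above, trained on a bit stream and then used to charge each new bit with -log2 of its predicted probability. It reports two figures per bit, the Shannon estimate (surprisal of the bit that actually came, averaged) and the min-entropy estimate (surprisal of the likeliest bit, which is the conservative number the thread's 256 * -log2(0.95) arithmetic corresponds to and the one to size a seed with). The skewed source is constructed from SHA-256 bytes compared against a threshold; the names and the add-one smoothing are this example's own choices.

```python
import hashlib
import math

def noise_bits(n: int, p_one: float, seed: bytes = b"noise-demo") -> list:
    """Constructed stand-in for a raw noise source: each bit is 1 with
    probability about p_one (the skewed lsb of the thread), independently."""
    threshold = int(p_one * 256)
    out, ctr = [], 0
    while len(out) < n:
        for byte in hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest():
            out.append(1 if byte < threshold else 0)
        ctr += 1
    return out[:n]

def train_predictor(bits: list, order: int = 10) -> dict:
    """For every context of `order` preceding bits, count how often 0 and 1 followed."""
    table, ctx, mask = {}, 0, (1 << order) - 1
    for i, b in enumerate(bits):
        if i >= order:
            table.setdefault(ctx, [0, 0])[b] += 1
        ctx = ((ctx << 1) | b) & mask
    return table

def estimate_entropy(bits: list, table: dict, order: int = 10) -> tuple:
    """Walk the stream, look up P(next bit | last `order` bits) with add-one
    smoothing, and return (Shannon entropy, min-entropy) in bits per input bit."""
    ctx, mask = 0, (1 << order) - 1
    shannon = minent = 0.0
    n = 0
    for i, b in enumerate(bits):
        if i >= order:
            c0, c1 = table.get(ctx, [0, 0])
            p0, p1 = (c0 + 1) / (c0 + c1 + 2), (c1 + 1) / (c0 + c1 + 2)
            shannon += -math.log2(p1 if b else p0)   # surprisal of what came
            minent += -math.log2(max(p0, p1))        # surprisal of the likeliest bit
            n += 1
        ctx = ((ctx << 1) | b) & mask
    return shannon / n, minent / n

def bits_needed(target_entropy: float, entropy_per_bit: float) -> int:
    """How many raw input bits to gather to collect target_entropy bits."""
    return math.ceil(target_entropy / entropy_per_bit)

if __name__ == "__main__":
    skewed = noise_bits(50000, 0.95)
    h, hmin = estimate_entropy(skewed, train_predictor(skewed))
    print(f"shannon {h:.3f}  min-entropy {hmin:.3f}  raw bits for 256: {bits_needed(256, hmin)}")
```

Training and evaluating on the same 50,000 bits is slightly optimistic; on a real source, hold out a second sample for the evaluation pass, and treat the min-entropy figure, not the Shannon one, as the budget.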

Cryptography-Digest Digest #643

2001-06-18 Thread Digestifier

Cryptography-Digest Digest #643, Volume #14  Mon, 18 Jun 01 19:13:00 EDT

Contents:
  About Principia Mathematica (long) (Mok-Kong Shen)
  Re: BigNum Question (Tim Tyler)
  Cypherus encryption software (Andrew Palumbo)
  Re: Counter mode, the better way to do it? (Julian Morrison)
  Re: Counter mode, the better way to do it? (Tom St Denis)
  Re: Counter mode, the better way to do it? (Julian Morrison)
  Re: Counter mode, the better way to do it? (Tom St Denis)
  Re: About Principia Mathematica (long) (Fred W. Helenius)
  Re: About Principia Mathematica (long) (Karl Forsberg)
  Re: Cypherus encryption software (Paul Rubin)
  Re: Is ECB truly more secure than CBC? (David Hopwood)
  Re: Cypherus encryption software (Tom St Denis)
  Re: Is ECB truly more secure than CBC? (Tom St Denis)
  Re: Is ECB truly more secure than CBC? (Tom St Denis)
  Re: Counter mode, the better way to do it? (Julian Morrison)
  Re: Help on GF(2^N) (Simon Johnson)
  Re: Help on GF(2^N) (Tom St Denis)
  Re: Counter mode, the better way to do it? (Tom St Denis)
  Re: Cypherus encryption software (Joseph Ashwood)



From: Mok-Kong Shen [EMAIL PROTECTED]
Crossposted-To: sci.math
Subject: About Principia Mathematica (long)
Date: Tue, 19 Jun 2001 00:07:41 +0200


In connection with a recent discussion in sci.crypt, I obtained
some seemingly radically different opinions or facts on the 
readability of Whitehead and Russell's Principia Mathematica, 
a book which until now I have only heard talked about but
never actually seen. On the one extreme there was
a regular in sci.crypt reporting that he had read most of that
book while yet in high school. On the other extreme there was 
an acquaintance of mine claiming that most graduate students 
in math attempting to read that book would be coming up against 
a stone wall ('beissen auf Granit').

Fascinated thus by this huge disparity of opinions/facts, I 
undertook to collect certain matters concerning the book which 
appear to be of some general interest:

(1) Availability.

Currently the Cambridge University Press offers the full
version at $595.00 and an abridged version at $52.95.
Big public libraries are likely to have the full version
(e.g. the library of Deutsches Museum in Munich).

A company selling rare books offers on the internet the 
first edition (666+772+491 pages) for $45,000.00, while 
another offers the second edition (674+742+491 pages) for 
3500 pounds.

(2) Contents of the book.
(Source: http://www.illc.uva.nl/~seop/archives/fall2000/
 entries/principia-mathematica/)

Principia Mathematica appeared in three volumes which 
together are divided into six parts. Volume 1 begins with 
a lengthy Introduction containing sections entitled 
Preliminary Explanations of Ideas and Notations, The 
Theory of Logical Types and Incomplete Symbols. It also 
contains Part I, entitled Mathematical Logic, which 
contains sections on The Theory of Deduction, Theory of 
Apparent Variables, Classes and Relations, Logic of 
Relations, and Products and Sums of Classes; and Part II, 
entitled Prolegomena to Cardinal Arithmetic, which 
contains sections on Unit Classes and Couples, Sub-
Classes, Sub-Relations, and Relative Types, One-Many, 
Many-One and One-One Relations, Selections, and 
Inductive Relations. 

Volume 2 begins with a Prefatory Statement of Symbolic 
Conventions. It then continues with Part III, entitled 
Cardinal Arithmetic, which itself contains sections on 
Definition and Logical Properties of Cardinal Numbers, 
Addition, Multiplication and Exponentiation, and Finite 
and Infinite; Part IV, entitled Relation-Arithmetic, 
which contains sections on Ordinal Similarity and Relation-
Numbers, Addition of Relations, and the Product of Two 
Relations, The Principle of First Differences, and the 
Multiplication and Exponentiation of Relations, and 
Arithmetic of Relation-Numbers; and the first half of
Part V, entitled Series, which contains sections on 
General Theory of Series, On Sections, Segments, 
Stretches, and Derivatives, and On Convergence, and the 
Limits of Functions.

Volume 3 continues Part V with sections on Well-Ordered 
Series, Finite and Infinite Series and Ordinals, and 
Compact Series, Rational Series, and Continuous Series. 
It also contains Part VI, entitled Quantity, which itself 
contains sections on Generalization of Number, Vector-
Families, Measurement, and Cyclic Families.

A fourth volume, on geometry, was planned but never 
completed. Even so, the book remains one of the great 
scientific documents of the twentieth century.

(3) Excerpts from diverse web pages about the book.

A. (Source: http://www.andrews.edu/~calkins/math/biograph/
biowhite.htm)

   This 

Cryptography-Digest Digest #633

2001-06-17 Thread Digestifier

Cryptography-Digest Digest #633, Volume #14  Sun, 17 Jun 01 06:13:00 EDT

Contents:
  Re: IV (David Wagner)
  Re: Is ECB truly more secure than CBC? (David Wagner)
  Re: Is ECB truly more secure than CBC? (David Wagner)
  Re: Tom's base64 code (was Re: CipherText E-mail encryption) (Tom St Denis)
  Re: Order of encryption and authentication (David Hopwood)
  Re: Tom's base64 code (was Re: CipherText E-mail encryption) (David Hopwood)
  Re: Is ECB truly more secure than CBC? (SCOTT19U.ZIP_GUY)
  Re: Tell me could this one-way function be somewhat secure (wtshaw)
  Re: Tom's base64 code (was Re: CipherText E-mail encryption) (SCOTT19U.ZIP_GUY)
  Re: IV (SCOTT19U.ZIP_GUY)
  Re: Is ECB truly more secure than CBC? (SCOTT19U.ZIP_GUY)
  Re: integration question (Roger Fleming)
  Re: Order of encryption and authentication (lcs Mixmaster Remailer)
  Re: Is ECB truly more secure than CBC? (Tim Tyler)
  Re: Uniciyt distance and compression for AES ([EMAIL PROTECTED])



From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: IV
Date: Sun, 17 Jun 2001 02:15:48 +0000 (UTC)

Tim Tyler  wrote:
I think your summary says something different to the theorem - something
that is stronger - and is not actually supported by the theorem at all.

Quite possibly!  It _is_ a summary, after all, so it is impossible
to include all the nuances.  It's a judgement call which nuances are
important enough to mention and which ones aren't.

While I agree that there might be some rare cases where CTR mode is less
secure than CBC mode, I claim that (1) these are rare and unimportant,
(2) the difference between the two modes will still be quite small,
and (3) in such scenarios even CBC mode is unlikely to be completely
satisfactory anyway.

There are plenty of other examples, too.  For instance, you could note
that taking the last block of the ciphertext forms a somewhat better
MAC if you use CBC mode than if you use CTR mode.  Does this mean that
we should consider CBC mode significantly more secure than CTR mode?
No, I don't think so.

--

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Is ECB truly more secure than CBC?
Date: Sun, 17 Jun 2001 02:19:10 +0000 (UTC)

lcs Mixmaster Remailer  wrote:
It appears that none of the classical chaining modes provide non-
malleability.  [...] Nevertheless it is an important
property, as the recent Czech attack on PGP showed.  [...]
The usual way of achieving effective non-malleability is with another
layer of protection, either a signature or a MAC.  I believe the
XML encryption standard does include the option of using a MAC,
although it is not required.

Right.  In my opinion, anywhere that you use encryption, you should always
include a MAC, too, as a matter of good design.  There are many subtle
ways that systems have been broken when they did not follow this rule of
thumb (see Bellovin's cut-and-paste attacks on IPSEC, or reaction attacks
on WEP, or ...).

--

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Is ECB truly more secure than CBC?
Date: Sun, 17 Jun 2001 02:20:56 +0000 (UTC)

Actually, CTR mode is a little _harder_ to use correctly than CBC mode,
because the consequences of inadvertently reusing an IV in CTR mode are
much more severe than the consequences of reusing an IV in CBC mode.  I
would argue that it is an interesting open problem how to design modes
of operation that have the desirable features of CTR mode (parallelizable,
extremely simple) yet have better robustness.
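Added example, not from David Wagner's posts, serving both this note on IV reuse and his earlier one (digest #641) on the CBC birthday bound. A four-round Feistel network over HMAC-SHA256 stands in for the block cipher so it runs without a crypto library; it is a keyed permutation on blocks of any even length, which is all the three demonstrations need. With the key and nonce reused, CTR hands an eavesdropper m1 XOR m2 over the whole message; CBC with a reused IV only reveals how many leading blocks the two plaintexts share; and CBC past the birthday bound (shrunk to 2-byte blocks so the collision appears after a few thousand blocks) leaks P_i XOR P_j = C_{i-1} XOR C_{j-1} at the first ciphertext collision. Keys, nonces and messages are constructed for the demo.

```python
import hashlib
import hmac

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, r: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:len(half)]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Four-round Feistel network: a keyed permutation, stand-in for Rijndael."""
    n = len(block) // 2
    L, R = block[:n], block[n:]
    for r in range(4):
        L, R = R, _xor(L, _round(key, r, R))
    return L + R

def block_decrypt(key: bytes, block: bytes) -> bytes:
    n = len(block) // 2
    L, R = block[:n], block[n:]
    for r in reversed(range(4)):
        L, R = _xor(R, _round(key, r, L)), L
    return L + R

def cbc_encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:
    bs, out, prev = len(iv), [], iv
    for i in range(0, len(msg), bs):
        prev = block_encrypt(key, _xor(msg[i:i + bs], prev))
        out.append(prev)
    return b"".join(out)

def ctr_encrypt(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    """Keystream block i is E(nonce + i mod 2^(8*bs)); the same call decrypts."""
    bs, start, out = len(nonce), int.from_bytes(nonce, "big"), []
    for i in range(0, len(msg), bs):
        ctr = ((start + i // bs) % (1 << (8 * bs))).to_bytes(bs, "big")
        out.append(_xor(msg[i:i + bs], block_encrypt(key, ctr)))
    return b"".join(out)

def ctr_nonce_reuse_leak(key, nonce, m1, m2) -> bytes:
    """Same key and nonce twice: XOR of the ciphertexts is m1 XOR m2, everywhere."""
    return _xor(ctr_encrypt(key, nonce, m1), ctr_encrypt(key, nonce, m2))

def cbc_iv_reuse_leak(key, iv, m1, m2) -> int:
    """Same key and IV twice in CBC: only the length of the common block prefix leaks."""
    c1, c2 = cbc_encrypt(key, iv, m1), cbc_encrypt(key, iv, m2)
    bs, shared = len(iv), 0
    while (shared + 1) * bs <= min(len(c1), len(c2)) and \
            c1[shared * bs:(shared + 1) * bs] == c2[shared * bs:(shared + 1) * bs]:
        shared += 1
    return shared

def cbc_birthday_leak(key: bytes, bs: int = 2, nblocks: int = 4096):
    """CBC past the birthday bound with a tiny block so it happens on screen.
    At the first C_i == C_j (i != j) the attacker knows P_i ^ P_j = C_{i-1} ^ C_{j-1};
    returns (j, True) once that relation is checked against the real plaintext."""
    iv, need = bytes(bs), nblocks * bs
    plain = b"".join(hashlib.sha256(b"msg" + k.to_bytes(4, "big")).digest()
                     for k in range(need // 32 + 1))[:need]      # constructed plaintext
    ct = cbc_encrypt(key, iv, plain)
    C = [ct[i:i + bs] for i in range(0, need, bs)]
    P = [plain[i:i + bs] for i in range(0, need, bs)]
    prev = [iv] + C[:-1]
    seen = {}
    for j, c in enumerate(C):
        if c in seen:
            i = seen[c]
            return j, _xor(prev[i], prev[j]) == _xor(P[i], P[j])
        seen[c] = j
    return None, False
```

The asymmetry is the point of the post: a CTR nonce collision is a total break of both messages at zero cost, while a CBC IV collision is an equality oracle on the leading blocks, and the birthday leak in CBC needs roughly 2^(blocksize/2) blocks under one key before it pays off.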

--

From: Tom St Denis [EMAIL PROTECTED]
Subject: Re: Tom's base64 code (was Re: CipherText E-mail encryption)
Date: Sun, 17 Jun 2001 02:24:13 GMT


SCOTT19U.ZIP_GUY [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 [EMAIL PROTECTED] (David Hopwood) wrote in
 [EMAIL PROTECTED]:

 -BEGIN PGP SIGNED MESSAGE-
 
 Tom St Denis wrote:
  /* Does base64 encoding decoding */
 [snip]
 
 No it doesn't. base64 is the name of the algorithm in RFC 2045:
  - you use a different character set from base64,
  - base64 handles arbitrary length inputs; your code does zero-padding
of the input,
  - base64 specifies that the output is padded to a multiple of 4 octets
with '=' characters; your code does not,
  - base64 is consistently big-endian; you read the input into y in
big-endian order, and then write it out in little-endian order.

   Dave it's a trivial matter to clean base64 up. So that it could
 really be base64. Why do they add the = symbol? It kind of takes
 away the beauty of it. It's not that hard to convert from any binary
 file to true base64; if one likes one could easily convert any binary
 file to a true base64 with a fixed line length. It would be a
 hell of a lot cleaner. And if people have a heart on for 64 plus
 the = symbol why not go to base65.

Because 65 does not divide a power of two.

And I agree that the output 

Cryptography-Digest Digest #635

2001-06-17 Thread Digestifier

Cryptography-Digest Digest #635, Volume #14  Sun, 17 Jun 01 14:13:01 EDT

Contents:
  Re: The 94 cycle 64-bit block cipher :-) (Simon Johnson)
  Re: The 94 cycle 64-bit block cipher :-) (Tom St Denis)
  Good book to read (Tom St Denis)
  Re: The 94 cycle 64-bit block cipher :-) (Fat Phil)
  Re: Tell me could this one-way function be somewhat secure (wtshaw)
  Re: The 94 cycle 64-bit block cipher :-) (Tom St Denis)
  Re: Is ECB truly more secure than CBC? (Mark Wooding)
  Re: best encryption? (wtshaw)
  Re: Bizzare Cryptanalysis (wtshaw)
  Re: FIPS-140 statistical test for any length of bits? (DJohn37050)
  SHA2 PRNG. (Cristiano)
  Re: integration question (Robert J. Kolker)
  Re: Bizzare Cryptanalysis (Robert J. Kolker)
  Re: Bizzare Cryptanalysis (Robert J. Kolker)
  Re: SHA2 PRNG. (Tom St Denis)
  Re: Bizzare Cryptanalysis (Tom St Denis)
  Still having no luck :( (Total Annihilation)
  Re: How good is steganography in the real world? (Robert J. Kolker)
  Re: integration question (Douglas A. Gwyn)
  Re: Still having no luck :( (Tom St Denis)
  Re: Bizzare Cryptanalysis (Douglas A. Gwyn)
  Re: How good is steganography in the real world? (SCOTT19U.ZIP_GUY)
  4 more inducted into NSA Hall of Honor (Douglas A. Gwyn)
  Re: Bizzare Cryptanalysis (Robert J. Kolker)



From: Simon Johnson [EMAIL PROTECTED]
Subject: Re: The 94 cycle 64-bit block cipher :-)
Date: Sun, 17 Jun 2001 15:08:39 +0100


Simon Johnson [EMAIL PROTECTED] wrote in message
news:9gibhj$t27$[EMAIL PROTECTED]...

 Phil Carmody [EMAIL PROTECTED] wrote in
message
 news:[EMAIL PROTECTED]...
  Tom St Denis wrote:
   Well I feel honoured that you are archiving my stuff :-)  Feel free to
   download/repost/edit/whatever anything on my site.  You can take my
 source
   and redistribute it if you want.  (That's the point of sharing ya know
 :-0).
 
  Sharing is good. Readers contributing back is even better.
 
   I would appreciate comments on my upcomming ideas though.  Even if you
 don't
   have something rigorous more than oh neat.  It's nice to just hear
 from
   others.
 
  Upcoming? Hmmm, I'd rather rewind the clock a few months if I may :-)
 
  I'm curious about your 3-hash actually.
  
  for (r = 16; r < SIZE; r++) {
  t = W[r - 3] ^ W[r - 8] ^ W[r - 14] ^ W[r - 16] ^ r ^
  0x9E379B93ul;
  W[r] = (t << 1ul) | (t >> 31ul);
  }
  
 
  The ^r seems to be added to add a little more non-linearity, an the
  ^0x9E379B93ul seems to add some noise to those cases over-populated with
  zeros.
  However, the ^r only touches the bottom 7 bits (or thereabouts)
 
  Assuming x86 has a nice fast integer multiply, wouldn't
  ^(r*0x9E379B93ul)
  do a better job, potentially touching all bits?
 
 
  I'm also curious - why aren't the well-known CRC algorithms used as
  hashes? Is it that they aren't one-way? (they look reversable, but I've
  not studied them closely). Or is it just that they are too short, and if
  they were make longer they'd take too long to actually get all the bits
  mixed up? (so would be useless for a short message)
 
  Phil

 They're reversible. CRCs AFAIK are based on inversion in GF(2^w)/p(x).
 Inversion can be reversed. :) (the choice of the field is speed related
 IIRC)

 Simon.


This is wrong as Tom has pointed out... Touché

(there is a big lag in time on my ISP)

It should be division in GF(2^w)/p(x), sorry. Still reversible, so not a
one-way hash.



--

From: Tom St Denis [EMAIL PROTECTED]
Subject: Re: The 94 cycle 64-bit block cipher :-)
Date: Sun, 17 Jun 2001 14:25:07 GMT


Simon Johnson [EMAIL PROTECTED] wrote in message
news:9gidkh$22n$[EMAIL PROTECTED]...

 This is wrong as Tom has pointed out... Touché

 (there is a big lag in time on my ISP)

 It should be division in GF(2^w)/p(x), sorry..Still reversible, so not a
 one-way hash.

This is wrong too.  457 mod 257 = 200, but I would hardly see a method of
going from 200 to 457 [without adding a variable].

Typically CRCs are one-way but not collision resistant since they are
linear.

Tom
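Added example, not from Tom St Denis's or Simon Johnson's posts, showing the linearity Tom points to and what it buys an attacker. Over equal-length inputs CRC-32 is a linear map plus a length-dependent constant, so crc32(a ^ b) == crc32(a) ^ crc32(b) ^ crc32(zeros). That makes collisions a matter of linear algebra: Gaussian elimination over GF(2) on the 8n single-bit inputs finds a nonzero pattern d in the kernel of the linear part, and XORing d into any n-byte message leaves the CRC unchanged. Uses only zlib.crc32 from the standard library; the helper names and the sample message are this example's own.

```python
import zlib

def crc_is_affine(a: bytes, b: bytes) -> bool:
    """Equal-length a, b: crc32(a ^ b) == crc32(a) ^ crc32(b) ^ crc32(0..0)."""
    n = len(a)
    assert len(b) == n
    lhs = zlib.crc32(bytes(x ^ y for x, y in zip(a, b)))
    return lhs == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(bytes(n))

def crc_kernel_vector(n: int) -> bytes:
    """Nonzero n-byte d with crc32(x ^ d) == crc32(x) for every n-byte x.
    Gaussian elimination over GF(2) on the 8n unit inputs; the CRC has only
    32 output bits, so any n > 4 bytes guarantees a dependency."""
    c_n = zlib.crc32(bytes(n))
    basis = {}   # leading bit -> (reduced value, which unit inputs made it)
    for k in range(8 * n):
        e = bytearray(n)
        e[k // 8] = 1 << (k % 8)
        v = zlib.crc32(bytes(e)) ^ c_n     # linear part L(e_k), constant removed
        comb = 1 << k
        while v:
            top = v.bit_length() - 1
            if top not in basis:
                basis[top] = (v, comb)
                break
            bv, bc = basis[top]
            v ^= bv
            comb ^= bc
        else:
            # v reduced to zero: the tracked combination of unit inputs is in the kernel
            return comb.to_bytes(n, "little")
    raise ValueError("no dependency: need more than 4 bytes for a collision pattern")

def crc_collision(msg: bytes) -> bytes:
    """A different message of the same length with the same CRC-32."""
    return bytes(x ^ y for x, y in zip(msg, crc_kernel_vector(len(msg))))
```

The kernel pattern is message-independent: once computed for a length, it turns any message of that length into a second one with the same checksum, which is why a CRC, linear by construction, cannot serve as an integrity check against an active attacker the way a keyed MAC does.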



--

From: Tom St Denis [EMAIL PROTECTED]
Subject: Good book to read
Date: Sun, 17 Jun 2001 14:32:30 GMT

A good book on coding theory

Coding and Information Theory by Richard W. Hamming.  I found a copy in my
College library [along with Numerical recipes in C and applied_calculus].

It covers a lot of Shannon's work as well as Hamming's work.  For the most part
it is not too hard to follow, some of it is above my head but that's ok.
--
Tom St Denis
---
http://tomstdenis.home.dhs.org



--

From: Fat Phil [EMAIL PROTECTED]
Subject: Re: The 94 cycle 64-bit block cipher :-)
Date: Sun, 17 Jun 2001 17:36:07 +0300

Tom St Denis wrote:
 
 Simon Johnson [EMAIL PROTECTED] wrote in message
 news:9gibhj$t27$[EMAIL PROTECTED]...
  They're reversible. CRCs AFAIK are based on inversion in GF(2^w)/p(x).
  Inversion can be 

Cryptography-Digest Digest #636

2001-06-17 Thread Digestifier

Cryptography-Digest Digest #636, Volume #14  Sun, 17 Jun 01 18:13:01 EDT

Contents:
  Re: 4 more inducted into NSA Hall of Honor (SCOTT19U.ZIP_GUY)
  Re: 3 trip encryption Exchange (John Savard)
  Re: SRP, PAK-R, Augmented EKE, and Kaliski-Ford Described on Web Site (John Savard)
  Re: SHA2 PRNG. (Cristiano)
  Compact CAST style sboxes? (Tom St Denis)
  Re: SHA2 PRNG. (Tom St Denis)
  Re: Bizzare Cryptanalysis ([EMAIL PROTECTED])
  Re: Bizzare Cryptanalysis (Tom St Denis)
  Re: Bizzare Cryptanalysis (Simon Johnson)
  Re: Notion of perfect secrecy (Simon Johnson)
  Re: Bizzare Cryptanalysis ([EMAIL PROTECTED])
  Re: Notion of perfect secrecy ([EMAIL PROTECTED])
  Re: Good book to read (Fritz Schneider)
  Re: Good book to read (Tom St Denis)
  Re: Is ECB truly more secure than CBC? (David Wagner)
  Re: Good book to read (Joe Peschel)



From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: 4 more inducted into NSA Hall of Honor
Date: 17 Jun 2001 18:04:37 GMT

[EMAIL PROTECTED] (Douglas A. Gwyn) wrote in [EMAIL PROTECTED]:

The Hall of Honor occupies one wall of the National Cryptologic Museum.
There was an induction ceremony Thursday for 4 more awardees (3 of whom
are still alive and attended the ceremony, the 4th being represented by
family).  Read about the Hall at http://www.nsa.gov/honor/index.html


  I checked it out. Some looked familiar but then again it's usually
high profile managers that pat each other on the back. Don't forget
I worked for Sam for 26 years. I remember some of our managers getting
major prizes; we used to head out to J'D's, have a few beers and laugh
about it. I think the truth of the matter is most managers have a big
load of BS and in fact know very little about the field they manage.
At least modern managers. It would be far more interesting to
know about the real people behind the advances. I'm sure they must
have some beer drinking, women chasing guys that do the real work.
  Or at least they must have had some when real work was being
done.

David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE OLD VERSION
http://www.jim.com/jamesd/Kong/scott19u.zip
My website http://members.nbci.com/ecil/index.htm
My crypto code http://radiusnet.net/crypto/archive/scott/
MY Compression Page http://members.nbci.com/ecil/compress.htm
**TO EMAIL ME drop the roman five **
Disclaimer:I am in no way responsible for any of the statements
 made in the above text. For all I know I might be drugged.
As a famous person once said any cryptographic
system is only as strong as its weakest link


--

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: 3 trip encryption Exchange
Date: Sun, 17 Jun 2001 18:21:37 GMT

On Mon, 11 Jun 2001 22:17:39 GMT, Yaron Oren-Pines
[EMAIL PROTECTED] wrote, in part:

Thanks for the reply.  Is this an encryption protocol that cannot be
cracked?  If it was cracked, by whom and when?

Massey-Omura, the specific case of the Shamir three-pass protocol
noted, is secure basically for the same reason RSA and/or
Diffie-Hellman are secure.

The only problem with the three-pass protocol is that it doesn't allow
you to achieve public-key-like results with any algorithms that are
more like conventional encryption algorithms than public-key
algorithms, as far as is currently known; this is what some people
hope for, when hearing about the protocol.

John Savard
http://home.ecn.ab.ca/~jsavard/frhome.htm
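The Massey-Omura exchange referred to above, as an added example that is not part of the original post: three passes of modular exponentiation, where each party's exponent commutes with the other's, and beside it the same three passes with XOR standing in for a conventional cipher, which shows why the trick does not carry over. The prime, exponents and message values are constructed for the demonstration.

```python
import secrets
from math import gcd

def make_lock(p):
    """Pick a secret exponent e coprime to p-1 together with its inverse d
    mod p-1, so that (m^e)^d = m mod p for every m in 1..p-1 (Fermat)."""
    while True:
        e = secrets.randbelow(p - 3) + 2          # 2 <= e <= p-2
        if gcd(e, p - 1) == 1:
            return e, pow(e, -1, p - 1)

def three_pass(m, p, alice, bob):
    """Massey-Omura: returns the three values seen on the wire and Bob's result.
    An observer sees m^a, m^(ab) and m^b mod p and would have to take discrete
    logarithms to get m, which is the same hardness RSA/DH rely on."""
    ea, da = alice
    eb, db = bob
    if not 0 < m < p:
        raise ValueError("message must lie in 1..p-1")
    c1 = pow(m, ea, p)          # pass 1, Alice -> Bob:   m^a
    c2 = pow(c1, eb, p)         # pass 2, Bob -> Alice:   m^(ab)
    c3 = pow(c2, da, p)         # pass 3, Alice -> Bob:   m^b (Alice's lock removed)
    recovered = pow(c3, db, p)  # Bob removes his own lock
    return c1, c2, c3, recovered

def xor_three_pass(m, ka, kb):
    """The same three passes with XOR as the 'lock', standing in for a
    conventional (symmetric) cipher."""
    c1 = m ^ ka
    c2 = c1 ^ kb
    c3 = c2 ^ ka
    return c1, c2, c3

def eavesdropper_xor(c1, c2, c3):
    """With XOR locks the three wire values XOR together to the message itself:
    (m^ka) ^ (m^ka^kb) ^ (m^kb) = m."""
    return c1 ^ c2 ^ c3
```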

--

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: SRP, PAK-R, Augmented EKE, and Kaliski-Ford Described on Web Site
Date: Sun, 17 Jun 2001 18:27:13 GMT

On Sat, 16 Jun 2001 19:06:01 GMT, [EMAIL PROTECTED]
(John Savard) wrote, in part:

> I also included my own wretchedly elaborate protocol, previously
> described here - with one additional correction, of course.

The 'additional correction' was replacing UVERIFY by H(UVERIFY) in the
password table on the computational host. This didn't add any
security, since an attacker could obtain UVERIFY by impersonating the
host.

So I removed that correction again, but thought about how I could
achieve the result I wanted - to bring UVERIFY more centrally into the
protocol, because it was constructed to depend on a lot of things very
intimately, and thus provide good security. As it was, the protocol
was secure, but because the host computer got its random key value, HR
back, and UVERIFY could really be dispensed with.

In explaining the other protocols, though, I noted that Augmented EKE
showed a useful technique for the kind of proof I wanted. So I
modified UVERIFY so that it depended on a quantity even the security
server didn't have, and used it as a Diffie-Hellman private key. The
host computer then only needs to store the corresponding public key in
its password file, and then my protocol makes a bit more sense.

John Savard
http://home.ecn.ab.ca/~jsavard/frhome.htm

--

From: Cristiano 

Cryptography-Digest Digest #623

2001-06-16 Thread Digestifier

Cryptography-Digest Digest #623, Volume #14  Sat, 16 Jun 01 06:13:00 EDT

Contents:
  Re: Tell me could this one-way function be somewhat secure (Tim Tyler)
  Re: IV (Tim Tyler)
  Re: IV (David Wagner)
  Re: Is ECB truly more secure than CBC? (Tim Tyler)
  Re: Diffusion limits in block ciphers (Tim Tyler)
  Re: Is ECB truly more secure than CBC? (Tim Tyler)
  Re: IV (Tim Tyler)
  Re: Is ECB truly more secure than CBC? (Nomen Nescio)
  Re: Is ECB truly more secure than CBC? (David Wagner)
  Re: IV (David Wagner)
  Re: integration question (Paul Rubin)
  Re: Simple Crypto II, the public key... (Fat Phil)
  Re: Tell me could this one-way function be somewhat secure (Marko Lavikainen)
  Re: Simple Crypto II, the public key... (Fat Phil)



From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Tell me could this one-way function be somewhat secure
Reply-To: [EMAIL PROTECTED]
Date: Sat, 16 Jun 2001 06:01:25 GMT

wtshaw [EMAIL PROTECTED] wrote:
: In article [EMAIL PROTECTED], [EMAIL PROTECTED] wrote:
: Marko Lavikainen [EMAIL PROTECTED] wrote:

: : I was wondering that when using hash-function, there is always a change for
: : collision. So, could not one use, say, two hash functions with different
: : properties. [...]
: 
: That's much the same as increasing the size of the hash.  You'll still get
: collisions - but not so frequently.

: Actually, you might not... [...]

Well, you *will* if you hash material with more entropy than the width of
the combined hash.  A scarcity of source material appears to be why
Marko's example failed to demonstrate this.
-- 
__
 |im |yler  [EMAIL PROTECTED]  Home page: http://alife.co.uk/tim/

--

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: IV
Reply-To: [EMAIL PROTECTED]
Date: Sat, 16 Jun 2001 06:08:25 GMT

David Wagner [EMAIL PROTECTED] wrote:
: Mark Currie wrote:

:how does CTR compare with CBC from a security perspective ?

: They're both secure for secrecy, if the underlying block cipher is secure.
: (Maybe I didn't understand the question.)

No.

Did you read my posts surrounding (mainly following) the comment by
Mark Wooding on this thread?

There I explain the problem with CTR mode, and why it is /not/ proven to 
be as secure as the underlying block cypher.

The output from the cypher in CTR mode is proved to be secure (for
secrecy) on the assumption that the block cypher is secure.  However that
is *not* the same proposition as CTR mode being secure (for secrecy) -
since the problem with CTR mode does not involve predicting the encrypted
output in the first place.
-- 
__
 |im |yler  [EMAIL PROTECTED]  Home page: http://alife.co.uk/tim/

--

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: IV
Date: Sat, 16 Jun 2001 06:24:03 + (UTC)

Are you talking about the fact that CTR mode doesn't conceal the length
of the plaintext?  Few modes do.  If you need to conceal the length of
the plaintext, then you're going to need to add additional machinery.
This is true whether you're using CTR mode or CBC mode: CBC mode also
leaks substantial information about plaintext lengths, too.

--

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Is ECB truly more secure than CBC?
Reply-To: [EMAIL PROTECTED]
Date: Sat, 16 Jun 2001 06:19:19 GMT

David Wagner [EMAIL PROTECTED] wrote:
: Joseph Ashwood wrote:

:I could easily argue that the simple fact that no key recovery attack exists
:on ECB mode (outside of brute force) makes for a very powerful argument in
:the situations where the key is more valuable than the information.

: How can the key be more valuable than the information it is used to
: protect, in a properly designed system?  The only reason I can see to
: introduce a key is to protect some information, and so exposure of a
: key is only problematic because it can defeat that protection [...]

I think it can be possible for the key to have significant value - perhaps
greater than the message.

This would be in a system where previous messages of greater value had
been sent, and where the transmitter cannot be certain that exposure of
keys does not leak information about previous keys.

You might argue that such a system was not properly designed.

However, if you want to be /certain/ that no leakage of information from
keys occurs, then it may be that no properly designed systems exist,
for lack of a perfect RNG.

If the key is of too great a value, you should not send the message - but
instead hide the key under your bed.  However it appears that there may be
cases where sending the message may be justified, if it is felt that the
chance of a key-recovery attack is low.
-- 
__
 |im |yler  [EMAIL PROTECTED]  Home page: http://alife.co.uk/tim/

--

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Diffusion limits in block ciphers
Reply-To: [EMAIL PROTECTED]
Date: Sat, 16 Jun 

Cryptography-Digest Digest #627

2001-06-16 Thread Digestifier

Cryptography-Digest Digest #627, Volume #14  Sat, 16 Jun 01 09:13:00 EDT

Contents:
  Cryptography FAQ (06/10: Public Key Cryptography) ([EMAIL PROTECTED])
  Cryptography FAQ (07/10: Digital Signatures) ([EMAIL PROTECTED])



Crossposted-To: talk.politics.crypto,sci.answers,news.answers,talk.answers
Subject: Cryptography FAQ (06/10: Public Key Cryptography)
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: 16 Jun 2001 12:28:05 GMT

Archive-name: cryptography-faq/part06
Last-modified: 94/06/07


This is the sixth of ten parts of the sci.crypt FAQ. The parts are
mostly independent, but you should read the first part before the rest.
We don't have the time to send out missing parts by mail, so don't ask.
Notes such as ``[KAH67]'' refer to the reference list in the last part.

The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu 
as /pub/usenet/news.answers/cryptography-faq/part[xx]. The Cryptography 
FAQ is posted to the newsgroups sci.crypt, talk.politics.crypto, 
sci.answers, and news.answers every 21 days.



Contents:

6.1. What is public-key cryptography?
6.2. How does public-key cryptography solve cryptography's Catch-22?
6.3. What is the role of the `trapdoor function' in public key schemes?
6.4. What is the role of the `session key' in public key schemes?
6.5. What's RSA?
6.6. Is RSA secure?
6.7. What's the difference between the RSA and Diffie-Hellman schemes?
6.8. What is `authentication' and the `key distribution problem'?
6.9. How fast can people factor numbers?
6.10. What about other public-key cryptosystems?
6.11. What is the `RSA Factoring Challenge?'


6.1. What is public-key cryptography?

  In a classic cryptosystem, we have encryption functions E_K and
  decryption functions D_K such that D_K(E_K(P)) = P for any plaintext
  P. In a public-key cryptosystem, E_K can be easily computed from some
  ``public key'' X which in turn is computed from K. X is published, so
  that anyone can encrypt messages. If decryption D_K cannot be easily 
  computed from public key X without knowledge of private key K, but 
  readily with knowledge of K, then only the person who generated K can 
  decrypt messages. That's the essence of public-key cryptography, 
  introduced by Diffie and Hellman in 1976. 
  
  This document describes only the rudiments of public key cryptography.
  There is an extensive literature on security models for public-key 
  cryptography, applications of public-key cryptography, other 
  applications of the mathematical technology behind public-key 
  cryptography, and so on; consult the references at the end for more 
  refined and thorough presentations.

6.2. How does public-key cryptography solve cryptography's Catch-22?

  In a classic cryptosystem, if you want your friends to be able to
  send secret messages to you, you have to make sure nobody other than
  them sees the key K. In a public-key cryptosystem, you just publish 
  X, and you don't have to worry about spies. Hence public key 
  cryptography `solves' one of the most vexing problems of all prior 
  cryptography: the necessity of establishing a secure channel for the 
  exchange of the key. To establish a secure channel one uses 
  cryptography, but private key cryptography requires a secure channel! 
  In resolving the dilemma, public key cryptography has been considered 
  by many to be a `revolutionary technology,' representing a 
  breakthrough that makes routine communication encryption practical 
  and potentially ubiquitous.

6.3. What is the role of the `trapdoor function' in public key schemes?
  
  Intrinsic to public key cryptography is a `trapdoor function' D_K 
  with the properties that computation in one direction (encryption, 
  E_K) is easy and in the other is virtually impossible (attack,
  determining P from encryption E_K(P) and public key X). Furthermore, 
  it has the special property that the reversal of the computation 
  (decryption, D_K) is again tractable if the private key K is known.

6.4. What is the role of the `session key' in public key schemes?

  In virtually all public key systems, the encryption and decryption 
  times are very lengthy compared to other block-oriented 
  algorithms such as DES for equivalent data sizes. Therefore in most
  implementations of public-key systems, a temporary, random `session 
  key' of much smaller length than the message is generated for each 
  message and alone encrypted by the public key algorithm. The message 
  is actually encrypted using a faster private key algorithm with the 
  session key. At the receiver side, the session key is decrypted using 
  the public-key algorithms and the recovered `plaintext' key is used 
  to decrypt the message.
  
  The session key approach blurs the distinction between `keys' and 
  `messages' -- in the scheme, the message includes the key, and the 
  key itself is treated as an encryptable `message'. 
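The session-key scheme of 6.4 carried through end to end, as an added example that is not part of the FAQ. The public-key layer is textbook RSA with constructed small primes and no padding, and the "faster private key algorithm" is a SHA-256 counter keystream; both are illustrative stand-ins chosen so the example runs with the standard library, not choices for real use.

```python
import hashlib
import secrets
from math import gcd

def rsa_keygen(p, q, e=65537):
    """Textbook RSA: X = (n, e) is the published key, K = (n, d) stays private."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi")
    return (n, e), (n, pow(e, -1, phi))

def pk_encrypt(public, m):
    """E_K computed from the public key X alone (no padding: toy only)."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("value too large for this modulus")
    return pow(m, e, n)

def pk_decrypt(private, c):
    """D_K, which needs the private exponent d."""
    n, d = private
    return pow(c, d, n)

def stream_xor(key, data):
    """Stand-in symmetric cipher: XOR with SHA-256(key || block counter).
    XOR is its own inverse, so one function both encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def hybrid_encrypt(public, message):
    """Sender: fresh random session key, encrypted with X; message encrypted
    with the session key. Only the short key goes through the slow algorithm."""
    n, _ = public
    session = secrets.randbelow(n - 1) + 1        # 1 <= session < n
    key_bytes = session.to_bytes(16, "big")
    return pk_encrypt(public, session), stream_xor(key_bytes, message)

def hybrid_decrypt(private, packet):
    """Receiver: recover the session key with K, then decrypt the body."""
    wrapped_key, body = packet
    session = pk_decrypt(private, wrapped_key)
    return stream_xor(session.to_bytes(16, "big"), body)
```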

Cryptography-Digest Digest #629

2001-06-16 Thread Digestifier

Cryptography-Digest Digest #629, Volume #14  Sat, 16 Jun 01 09:13:00 EDT

Contents:
  Cryptography FAQ (10/10: References) ([EMAIL PROTECTED])
  Re: IV (Tim Tyler)
  Re: CipherText E-mail encryption (Prichard, Chuck)
  New Classical Cryptography Website (Caesum)
  Re: CipherText E-mail encryption (Prichard, Chuck)
  Re: CipherText E-mail encryption (Tom St Denis)



Crossposted-To: talk.politics.crypto,sci.answers,news.answers,talk.answers
Subject: Cryptography FAQ (10/10: References)
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: 16 Jun 2001 12:28:07 GMT

Archive-name: cryptography-faq/part10
Last-modified: 94/06/13


This is the tenth of ten parts of the sci.crypt FAQ. The parts are
mostly independent, but you should read the first part before the rest.
We don't have the time to send out missing parts by mail, so don't ask.
Notes such as ``[KAH67]'' refer to the reference list in this part.

The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu 
as /pub/usenet/news.answers/cryptography-faq/part[xx]. The Cryptography 
FAQ is posted to the newsgroups sci.crypt, talk.politics.crypto, 
sci.answers, and news.answers every 21 days.



Contents

10.1. Books on history and classical methods
10.2. Books on modern methods
10.3. Survey articles
10.4. Reference articles
10.5. Journals, conference proceedings
10.6. Other
10.7. How may one obtain copies of FIPS and ANSI standards cited herein?
10.8. Electronic sources
10.9. RFCs (available from [FTPRF])
10.10. Related newsgroups


10.1. Books on history and classical methods

  [FRIE1] Lambros D. Callimahos, William F. Friedman, Military Cryptanalytics.
  Aegean Park Press, ?.
  [DEA85] Cipher A. Deavours & Louis Kruh, Machine Cryptography and
  Modern Cryptanalysis. Artech House, 610 Washington St.,
  Dedham, MA 02026, 1985.
  [FRIE2] William F. Friedman, Solving German Codes in World War I.
  Aegean Park Press, ?.
  [GAI44] H. Gaines, Cryptanalysis, a study of ciphers and their
  solution. Dover Publications, 1944.
  [HIN00] F.H.Hinsley, et al., British Intelligence in the Second
  World War. Cambridge University Press. (vol's 1, 2, 3a, 3b
  & 4, so far). XXX Years and authors, fix XXX
  [HOD83] Andrew Hodges, Alan Turing: The Enigma. Burnett Books
  Ltd., 1983
  [KAH91] David Kahn, Seizing the Enigma. Houghton Mifflin, 1991.
  [KAH67] D. Kahn, The Codebreakers. Macmillan Publishing, 1967.
  [history] [The abridged paperback edition left out most
  technical details; the original hardcover edition is
  recommended.]
  [KOZ84] W. Kozaczuk, Enigma. University Publications of America, 1984
  [KUL76] S. Kullback, Statistical Methods in Cryptanalysis. Aegean
  Park Press, 1976.
  [SIN66] A. Sinkov, Elementary Cryptanalysis. Math. Assoc. Am. 1966.
  [WEL82] Gordon Welchman, The Hut Six Story. McGraw-Hill, 1982.
  [YARDL] Herbert O. Yardley, The American Black Chamber. Aegean Park
  Press, ?.

10.2. Books on modern methods

  [BEK82] H. Beker, F. Piper, Cipher Systems. Wiley, 1982.
  [BRA88] G. Brassard, Modern Cryptology: a tutorial.
  Springer-Verlag, 1988.
  [DEN82] D. Denning, Cryptography and Data Security. Addison-Wesley
  Publishing Company, 1982.
  [KOB89] N. Koblitz, A course in number theory and cryptography.
  Springer-Verlag, 1987.
  [KON81] A. Konheim, Cryptography: a primer. Wiley, 1981.
  [MEY82] C. Meyer and S. Matyas, Cryptography: A new dimension in
  computer security. Wiley, 1982.
  [PAT87] Wayne Patterson, Mathematical Cryptology for Computer
  Scientists and Mathematicians. Rowman & Littlefield, 1987.
  [PFL89] C. Pfleeger, Security in Computing. Prentice-Hall, 1989.
  [PRI84] W. Price, D. Davies, Security for computer networks. Wiley, 1984. 
  [RUE86] R. Rueppel, Design and Analysis of Stream Ciphers.
  Springer-Verlag, 1986.
  [SAL90] A. Salomaa, Public-key cryptography. Springer-Verlag, 1990.
  [SCH94] B. Schneier, Applied Cryptography. John Wiley & Sons, 1994.
  [errata avbl from [EMAIL PROTECTED]]
  [WEL88] D. Welsh, Codes and Cryptography. Clarendon Press, 1988.

10.3. Survey articles

  [ANG83] D. Angluin, D. Lichtenstein, Provable Security in Crypto-
  systems: a survey. Yale University, Department of Computer
  Science, #288, 1983.
  [BET90] T. Beth, Algorithm engineering for public key algorithms.
  IEEE Selected Areas of Communication, 1(4), 458--466,
  1990.
  [DAV83] M. Davio, J. Goethals, Elements of cryptology. in Secure
  Digital Communications, G. Longo ed., 1--57, 1983.
  [DIF79] W. Diffie, M. Hellman, Privacy and Authentication: An
  introduction to cryptography. IEEE proceedings, 67(3),
  397--427, 1979.
  [DIF88] W. Diffie, The first ten years of public key cryptography.
  IEEE proceedings, 76(5), 560--577, 

Cryptography-Digest Digest #626

2001-06-16 Thread Digestifier

Cryptography-Digest Digest #626, Volume #14  Sat, 16 Jun 01 09:13:00 EDT

Contents:
  Cryptography FAQ (05/10: Product Ciphers) ([EMAIL PROTECTED])



Crossposted-To: talk.politics.crypto,sci.answers,news.answers,talk.answers
Subject: Cryptography FAQ (05/10: Product Ciphers)
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: 16 Jun 2001 12:28:05 GMT

Archive-name: cryptography-faq/part05
Last-modified: 94/06/07


This is the fifth of ten parts of the sci.crypt FAQ. The parts are
mostly independent, but you should read the first part before the rest.
We don't have the time to send out missing parts by mail, so don't ask.
Notes such as ``[KAH67]'' refer to the reference list in the last part.

The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu 
as /pub/usenet/news.answers/cryptography-faq/part[xx]. The Cryptography 
FAQ is posted to the newsgroups sci.crypt, talk.politics.crypto, 
sci.answers, and news.answers every 21 days.



Contents:

5.1. What is a product cipher?
5.2. What makes a product cipher secure?
5.3. What are some group-theoretic properties of product ciphers?
5.4. What can be proven about the security of a product cipher?
5.5. How are block ciphers used to encrypt data longer than the block size?
5.6. Can symmetric block ciphers be used for message authentication?
5.7. What exactly is DES?
5.8. What is triple DES?
5.9. What is differential cryptanalysis?
5.10. How was NSA involved in the design of DES?
5.11. Is DES available in software?
5.12. Is DES available in hardware?
5.13. Can DES be used to protect classified information?
5.14. What are ECB, CBC, CFB, OFB, and PCBC encryption?


5.1. What is a product cipher?

  A product cipher is a block cipher that iterates several weak
  operations such as substitution, transposition, modular
  addition/multiplication, and linear transformation. (A ``block
  cipher'' just means a cipher that encrypts a block of data---8 bytes,
  say---all at once, then goes on to the next block.) The notion of
  product ciphers is due to Shannon [SHA49]. Examples of modern
  product ciphers include LUCIFER [SOR84], DES [NBS77], SP-networks
  [KAM78], LOKI [BRO90], FEAL [SHI84], PES [LAI90], Khufu and Khafre
  [ME91a]. The so-called Feistel ciphers are a class of product
  ciphers which operate on one half of the ciphertext at each round,
  and then swap the ciphertext halves after each round. LUCIFER,
  DES, LOKI, and FEAL are examples of Feistel ciphers.

  The following table compares the main parameters of several product 
  ciphers:

  cipher   |   block length   |   key bits   |   number of rounds
  ---------+------------------+--------------+-------------------
  LUCIFER  |       128        |     128      |        16
  DES      |        64        |      56      |        16
  LOKI     |        64        |      64      |        16
  FEAL     |        64        |     128      |   2^x, x >= 5
  PES      |        64        |     128      |         8

5.2. What makes a product cipher secure?

  Nobody knows how to prove mathematically that a product cipher is
  completely secure. So in practice one begins by demonstrating that the
  cipher ``looks highly random''. For example, the cipher must be
  nonlinear, and it must produce ciphertext which functionally depends
  on every bit of the plaintext and the key. Meyer [MEY78] has shown
  that at least 5 rounds of DES are required to guarantee such a
  dependence. In this sense a product cipher should act as a ``mixing''
  function which combines the plaintext, key, and ciphertext in a
  complex nonlinear fashion.

  The fixed per-round substitutions of the product cipher are
  referred to as S-boxes. For example, LUCIFER has 2 S-boxes, and DES
  has 8 S-boxes. The nonlinearity of a product cipher reduces to a
  careful design of these S-boxes. A list of partial design criteria
  for the S-boxes of DES, which apply to S-boxes in general, may be
  found in Brown [BRO89] and Brickell et al. [BRI86].

5.3. What are some group-theoretic properties of product ciphers?

  Let E be a product cipher that maps N-bit blocks to N-bit blocks.
  Let E_K(X) be the encryption of X under key K. Then, for any fixed K,
  the map sending X to E_K(X) is a permutation of the set of N-bit
  blocks. Denote this permutation by P_K. The set of all N-bit
  permutations is called the symmetric group and is written S_{2^N}.
  The collection of all these permutations P_K, where K ranges over all
  possible keys, is denoted E(S_{2^N}). If E were a random mapping from
  plaintexts to ciphertexts then we would expect E(S_{2^N}) to generate
  a large subset of S_{2^N}.
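A toy instance of the objects defined above, added here as an example that is not part of the FAQ: a Feistel product cipher on N = 8-bit blocks built as 5.1 describes (round function on one half, then swap), the permutation P_K it induces on the 2^N blocks, and a parity check showing that every P_K of this cipher is an even permutation, i.e. lies in the alternating group A_{2^N}. The S-box, round count and key schedule are constructed for illustration only.

```python
# 4-bit S-box (constructed; any bijection on 0..15 would serve)
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
ROUNDS = 6
BLOCKS = 256          # 2^N for N = 8

def round_keys(key):
    """Toy key schedule: one 4-bit subkey per round from a 24-bit key."""
    return [(key >> (4 * r)) & 0xF for r in range(ROUNDS)]

def f(half, subkey):
    """Round function: key mixing followed by the S-box."""
    return SBOX[half ^ subkey]

def encrypt_block(x, key):
    """E_K(X): each round acts on one 4-bit half and swaps the halves."""
    l, r = x >> 4, x & 0xF
    for k in round_keys(key):
        l, r = r, l ^ f(r, k)
    return (r << 4) | l        # undo the last swap, as Feistel ciphers do

def decrypt_block(y, key):
    """Same network with the subkeys in reverse order."""
    l, r = y >> 4, y & 0xF
    for k in reversed(round_keys(key)):
        l, r = r, l ^ f(r, k)
    return (r << 4) | l

def permutation(key):
    """P_K as a list: entry X holds E_K(X)."""
    return [encrypt_block(x, key) for x in range(BLOCKS)]

def is_permutation(perm):
    return sorted(perm) == list(range(len(perm)))

def is_even(perm):
    """Parity from the cycle decomposition: a permutation of n points with
    c cycles is a product of n - c transpositions, so it is even iff
    n - c is even."""
    seen = [False] * len(perm)
    cycles = 0
    for start in range(len(perm)):
        if not seen[start]:
            cycles += 1
            i = start
            while not seen[i]:
                seen[i] = True
                i = perm[i]
    return (len(perm) - cycles) % 2 == 0
```

Each round is the composition of the half-swap and the map (L, R) -> (L xor f(R), R); with 4-bit halves both are products of an even number of transpositions, which is why the parity check succeeds for every key.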

  Coppersmith and Grossman [COP74] have shown that a very simple
  product cipher can generate the alternating group A_{2^N} given a
  sufficient number of rounds. (The alternating group is half of the
  symmetric group: it consists of all ``even'' permutations, i.e., all
  permutations which can be written as an even number of 

Cryptography-Digest Digest #624

2001-06-16 Thread Digestifier

Cryptography-Digest Digest #624, Volume #14  Sat, 16 Jun 01 09:13:00 EDT

Contents:
  Re: CipherText E-mail encryption (Bryan Olson)
  Re: CipherText E-mail encryption (Tom St Denis)
  Re: Simple Crypto II, the public key... (Tom St Denis)
  Re: IV (Tom St Denis)
  Re: CipherText E-mail encryption (Bryan Olson)
  Re: Any good Crypto Books? (M.S. Bob)
  Re: man in the middle question (M.S. Bob)
  Re: Is ECB truly more secure than CBC? (Tim Tyler)
  Re: man in the middle question (Tom St Denis)
  Re: Is ECB truly more secure than CBC? (Tim Tyler)
  Re: IV (Tim Tyler)
  Re: CipherText E-mail encryption (Bryan Olson)
  Re: CipherText E-mail encryption (Tom St Denis)
  Cryptography FAQ (01/10: Overview) ([EMAIL PROTECTED])



From: Bryan Olson [EMAIL PROTECTED]
Subject: Re: CipherText E-mail encryption
Date: Sat, 16 Jun 2001 03:20:58 -0700



Tom St Denis wrote:

> My base64 encoder from my CDLL package [which has not been released]
>
> /* base64 encode */
> /* code[] is the 64-character output alphabet, defined elsewhere in the package */
> void EXP base64_encode(const unsigned char *input, long inlen,
>                        unsigned char *output, long *outlen)
> {
>     long x, i;
>     unsigned long y;
>
>     *outlen = 0;
>     for (x = 0; x < inlen; ) {
>         for (y = i = 0; (i < 3) && (x < inlen); i++)
>             y = (y<<8) | input[x++];
>         /* shift as required */
>         if (i != 3) y <<= (8 * (3 - i));
>         output[(*outlen)++] = code[y&63]; y>>=6;
>         output[(*outlen)++] = code[y&63]; y>>=6;
>         output[(*outlen)++] = code[y&63]; y>>=6;
>         output[(*outlen)++] = code[y&63];
>     }
>     output[(*outlen)++] = 0;
> }
>
> This runs very very quickly.

It may be fast, but it's un-decodable.  For example, the 
string of one zero octet, the string of two zero octets, and 
the string of three zero octets all encode to the same 
output.

There are already too many algorithms in use for 
binary-to-character encoding.  I recommend the standard 
base-64 encoding from RFC 2045.


--Bryan
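The ambiguity described above, checked with a Python port of the quoted routine next to the RFC 2045 encoding from the standard library; this is an added example, not code from either post. It assumes the usual 64-character alphabet for the code[] table, which the quoted C source does not show.

```python
import base64

# Assumed contents of code[] (the RFC 2045 alphabet)
CODE = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def quoted_encode(data):
    """Same arithmetic as the quoted C routine: pack up to 3 bytes into a
    24-bit y, left-shift a short final group to full width, and emit the
    low 6 bits first. Every group yields four characters and no '=' is
    written, so a short final group is indistinguishable from a
    zero-extended full one."""
    out = bytearray()
    x = 0
    while x < len(data):
        y, i = 0, 0
        while i < 3 and x < len(data):
            y = (y << 8) | data[x]
            x += 1
            i += 1
        if i != 3:
            y <<= 8 * (3 - i)
        for _ in range(4):
            out.append(CODE[y & 63])
            y >>= 6
    return bytes(out)

def rfc2045_encode(data):
    """Standard base64: '=' padding records how many bytes the last group held."""
    return base64.b64encode(data)

def collisions(inputs, encoder):
    """Group inputs by encoding; any group with more than one member means
    the encoder cannot be inverted on those inputs."""
    groups = {}
    for d in inputs:
        groups.setdefault(encoder(d), []).append(d)
    return {enc: ds for enc, ds in groups.items() if len(ds) > 1}
```

The collision is not limited to zero octets: any input whose length is not a multiple of 3 encodes identically to the same input extended with zero bytes up to the next multiple of 3.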

--

From: Tom St Denis [EMAIL PROTECTED]
Subject: Re: CipherText E-mail encryption
Date: Sat, 16 Jun 2001 10:46:34 GMT


Bryan Olson [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...


 Tom St Denis wrote:

> > My base64 encoder from my CDLL package [which has not been released]
> >
> > /* base64 encode */
> > /* code[] is the 64-character output alphabet, defined elsewhere in the package */
> > void EXP base64_encode(const unsigned char *input, long inlen,
> >                        unsigned char *output, long *outlen)
> > {
> >     long x, i;
> >     unsigned long y;
> >
> >     *outlen = 0;
> >     for (x = 0; x < inlen; ) {
> >         for (y = i = 0; (i < 3) && (x < inlen); i++)
> >             y = (y<<8) | input[x++];
> >         /* shift as required */
> >         if (i != 3) y <<= (8 * (3 - i));
> >         output[(*outlen)++] = code[y&63]; y>>=6;
> >         output[(*outlen)++] = code[y&63]; y>>=6;
> >         output[(*outlen)++] = code[y&63]; y>>=6;
> >         output[(*outlen)++] = code[y&63];
> >     }
> >     output[(*outlen)++] = 0;
> > }
> >
> > This runs very very quickly.

> It may be fast, but it's un-decodable.  For example, the
> string of one zero octet, the string of two zero octets, and
> the string of three zero octets all encode to the same
> output.

That's funny since I have tested this routine and it does decode properly.

> There are already too many algorithms in use for
> binary-to-character encoding.  I recommend the standard
> base-64 encoding from RFC 2045.

Yes, but this is just a bloody example of how to do it semi fast.

Tom



--

From: Tom St Denis [EMAIL PROTECTED]
Subject: Re: Simple Crypto II, the public key...
Date: Sat, 16 Jun 2001 10:50:49 GMT


Fat Phil [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...

<snip badly formed post>

Run this code.  If you get anything but 0's as output I will donate my
earthly possessions to you.

#include <stdio.h>

int main(void)
{
    unsigned a, b, x;

    b = 13;

    for (x = 0; x < 15; x++) {
        a = b * x;
        a = ((a>>8)+a)&255;     /* fold the high byte into the low byte */
        a = a - ((b*x)%255);    /* compare with the exact remainder mod 255 */
        printf("%u\n", a);
    }
    return 0;
}




--

From: Tom St Denis [EMAIL PROTECTED]
Subject: Re: IV
Date: Sat, 16 Jun 2001 10:55:04 GMT


Tim Tyler [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> David Wagner [EMAIL PROTECTED] wrote:
>
> : Are you talking about the fact that CTR mode doesn't conceal the length
> : of the plaintext?
>
> Yes.
>
> : Few modes do.
>
> Indeed - though some are better than others.
>
> : If you need to conceal the length of the plaintext, then you're going
> : to need to add additional machinery.  This is true whether you're using
> : CTR mode or CBC mode: CBC mode also leaks substantial information about
> : plaintext lengths, too.
>
> CTR mode leaks more - a *lot* more - in the case of 8-bit plaintexts,
> it can be equivalent to leaking 248 bits from a 256-bit key - a huge
> loss of key material.

We've been through this.  No it doesn't leak 256-8 bits of the key material.
Yes there will be that many keys that are 

Cryptography-Digest Digest #628

2001-06-16 Thread Digestifier

Cryptography-Digest Digest #628, Volume #14  Sat, 16 Jun 01 09:13:00 EDT

Contents:
  Cryptography FAQ (08/10: Technical Miscellany) ([EMAIL PROTECTED])
  Cryptography FAQ (09/10: Other Miscellany) ([EMAIL PROTECTED])



Crossposted-To: talk.politics.crypto,sci.answers,news.answers,talk.answers
Subject: Cryptography FAQ (08/10: Technical Miscellany)
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: 16 Jun 2001 12:28:06 GMT

Archive-name: cryptography-faq/part08
Last-modified: 94/01/25


This is the eighth of ten parts of the sci.crypt FAQ. The parts are
mostly independent, but you should read the first part before the rest.
We don't have the time to send out missing parts by mail, so don't ask.
Notes such as ``[KAH67]'' refer to the reference list in the last part.

The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu 
as /pub/usenet/news.answers/cryptography-faq/part[xx]. The Cryptography 
FAQ is posted to the newsgroups sci.crypt, talk.politics.crypto, 
sci.answers, and news.answers every 21 days.



Contents

8.1. How do I recover from lost passwords in WordPerfect?
8.2. How do I break a Vigenere (repeated-key) cipher?
8.3. How do I send encrypted mail under UNIX? [PGP, RIPEM, PEM, ...]
8.4. Is the UNIX crypt command secure?
8.5. How do I use compression with encryption?
8.6. Is there an unbreakable cipher?
8.7. What does ``random'' mean in cryptography?
8.8. What is the unicity point (a.k.a. unicity distance)?
8.9. What is key management and why is it important?
8.10. Can I use pseudo-random or chaotic numbers as a key stream?
8.11. What is the correct frequency list for English letters?
8.12. What is the Enigma?
8.13. How do I shuffle cards?
8.14. Can I foil S/W pirates by encrypting my CD-ROM?
8.15. Can you do automatic cryptanalysis of simple ciphers?
8.16. What is the coding system used by VCR+?


8.1. How do I recover from lost passwords in WordPerfect?

  WordPerfect encryption has been shown to be very easy to break.
  The method uses XOR with two repeating key streams: a typed password
  and a byte-wide counter initialized to 1+the password length. Full
  descriptions are given in Bennett [BEN87] and Bergen and Caelli
  [BER91].

  Chris Galas writes: ``Someone awhile back was looking for a way to
  decrypt WordPerfect document files and I think I have a solution. 
  There is a software company named: Accessdata (87 East 600 South,
  Orem, UT 84058), 1-800-658-5199 that has a software package that will
  decrypt any WordPerfect, Lotus 1-2-3, Quatro-Pro, MS Excel and Paradox
  files. The cost of the package is $185. Steep prices, but if you
  think your pw key is less than 10 characters, (or 10 char) give them a
  call and ask for the free demo disk. The demo disk will decrypt files
  that have a 10 char or less pw key.'' Bruce Schneier says the phone
  number for AccessData is 801-224-6970.

8.2. How do I break a Vigenere (repeated-key) cipher?

  A repeated-key cipher, where the ciphertext is something like the
  plaintext xor KEYKEYKEYKEY (and so on), is called a Vigenere cipher.
  If the key is not too long and the plaintext is in English, do the
  following: 

  1. Discover the length of the key by counting coincidences.
  (See Gaines [GAI44], Sinkov [SIN66].) Trying each displacement of
  the ciphertext against itself, count those bytes which are equal. 
  If the two ciphertext portions have used the same key, something
  over 6% of the bytes will be equal. If they have used different
  keys, then less than 0.4% will be equal (assuming random 8-bit bytes
  of key covering normal ASCII text). The smallest displacement which
  indicates an equal key is the length of the repeated key.

  2. Shift the text by that length and XOR it with itself. This
  removes the key and leaves you with text XORed with itself. Since
  English has about 1 bit of real information per byte, 2 streams of
  text XORed together has 2 bits of info per 8-bit byte, providing
  plenty of redundancy for choosing a unique decryption. (And in fact
  one stream of text XORed with itself has just 1 bit per byte.)

  If the key is short, it might be even easier to treat this as a
  standard polyalphabetic substitution. All the old cryptanalysis
  texts show how to break those. It's possible with those methods, in
  the hands of an expert, if there's only ten times as much text as key.
  See, for example, Gaines [GAI44], Sinkov [SIN66].
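Step 1 of the procedure above, run on a constructed sample, together with the shift-and-XOR of step 2; this is an added example, not part of the FAQ. The plaintext is ordinary English written for the demonstration, the 7-byte key is constructed, and the coincidence rate at each displacement is compared with the figures the FAQ gives (over 6% for an equal key, under 0.4% otherwise).

```python
# Constructed sample plaintext (ordinary English, ~700 bytes)
PLAINTEXT = (
    b"The repeated key cipher is one of the oldest ideas in cryptography and "
    b"also one of the easiest to break once enough text is available. Because "
    b"the same key byte is applied again and again at a fixed interval, any two "
    b"ciphertext positions that sit a whole number of key lengths apart have "
    b"been masked with the same value, so they agree exactly as often as the "
    b"underlying plaintext characters agree. English text is far from uniform, "
    b"so that rate is high. Positions masked with different key bytes agree "
    b"only by accident, which for random eight bit key bytes is roughly one "
    b"time in two hundred and fifty six. Counting coincidences at each "
    b"displacement therefore reveals the period of the key without any "
    b"knowledge of the key itself."
)
# Constructed 7-byte key of random-looking 8-bit values
KEY = bytes([0x3A, 0x97, 0xC5, 0x61, 0xE8, 0x0F, 0x52])

def xor_repeating(data, key):
    """Vigenere-style encryption: plaintext XOR KEYKEYKEY..."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def coincidence_rate(ct, d):
    """Fraction of positions i with ct[i] == ct[i + d]: the ciphertext
    tried against itself at displacement d."""
    pairs = len(ct) - d
    equal = sum(1 for i in range(pairs) if ct[i] == ct[i + d])
    return equal / pairs

def find_key_length(ct, max_len=40, threshold=0.03):
    """Step 1: the smallest displacement whose coincidence rate sits on the
    'equal key' side of the gap between ~6% and ~0.4%. Returns None if no
    displacement up to max_len qualifies."""
    for d in range(1, max_len + 1):
        if coincidence_rate(ct, d) >= threshold:
            return d
    return None

def strip_key(ct, keylen):
    """Step 2: XOR the ciphertext with itself shifted by the key length.
    The key cancels, leaving plaintext XOR shifted plaintext."""
    return bytes(ct[i] ^ ct[i + keylen] for i in range(len(ct) - keylen))
```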

8.3. How do I send encrypted mail under UNIX? [PGP, RIPEM, PEM, ...]

  Here's one popular method, using the des command:

cat file | compress | des private_key | uuencode | mail

  Meanwhile, there is a de jure Internet standard in the works called
  PEM (Privacy Enhanced Mail). It is described in RFCs 1421 through
  1424. To join the PEM mailing list, contact [EMAIL PROTECTED]
  There is a beta version of PEM being tested at the time of this
  writing.

  There are also two 

Cryptography-Digest Digest #630

2001-06-16 Thread Digestifier

Cryptography-Digest Digest #630, Volume #14  Sat, 16 Jun 01 12:13:01 EDT

Contents:
  Re: Tell me could this one-way function be somewhat secure (wtshaw)
  Re: hello? (wtshaw)
  SSL/TLS compression methods??? (Ricardo)
  Re: Tell me could this one-way function be somewhat secure (Tim Tyler)
  Re: taking your PC in for repair? WARNING: What will they find? (nemo outis)
  Re: CipherText E-mail encryption (Prichard, Chuck)
  Re: Is ECB truly more secure than CBC? (John Savard)
  correlation immunity question (Tom St Denis)
  Re: SSL/TLS compression methods??? (Erwann ABALEA)
  Re: Is ECB truly more secure than CBC? (SCOTT19U.ZIP_GUY)
  Re: FIPS 140-1 test (Peter Gutmann)
  Re: Is ECB truly more secure than CBC? (Tom St Denis)
  Re: Bow before your new master (Harris Georgiou)
  Re: CipherText E-mail encryption (Prichard, Chuck)
  Re: Is ECB truly more secure than CBC? (David Hopwood)
  Help with error correction (63,48) code (Alexander Popov)



From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Tell me could this one-way function be somewhat secure
Date: Sat, 16 Jun 2001 07:01:12 -0600

In article [EMAIL PROTECTED], [EMAIL PROTECTED] wrote:
> 
> Well, you *will* if you hash material with more entropy than the width of
> the combined hash.  A scarcity of source material appears to be why
> Marko's example failed to demonstrate this.
> -- 
But, anyone should know that brief input that is extrapolated into a
longer so-called hash is merely an exercise in super-redundancy and low if
not marginal security.  And, using a fixed hash with outputs much shorter
than the input guarantees a generous surplus of collisions.  There is no
short cut to using a pleasantly long and obscure input string and a
suitable function that can handle it in its length.

I suggest that two less intelligent hashes can do wonders if combined, one
which closely tracks the  size of the input in output, and some wildly
different hash, perhaps more of a digest, to cut effective collisions way
down.
-- 
In trying to get meaning from the TmV-OK saga, remember that 
those who do not learn from history are apt to repeat it.

--

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: hello?
Date: Sat, 16 Jun 2001 07:16:46 -0600

In article [EMAIL PROTECTED],
[EMAIL PROTECTED] wrote:

  Tom St Denis

 There is just too much of you around this board.

Never is it so when someone pursues an intellectual passion to learn and
expand what all might know.  In spite of ups and downs, as crypto is why
many are here, the rest of life can often merely be a distraction.  The
field deals with the supreme essence of ultimate knowledge, knowing what
others cannot, and preserving uniqueness, preserving individual
superiority in a personal kingdom.  If bored? No, the true zealot is
never bored as defeat directs one to realization and can spur activity in
new directions.
-- 
In trying to get meaning from the TmV-OK saga, remember that 
those who do not learn from history are apt to repeat it.

--

From: Ricardo [EMAIL PROTECTED]
Subject: SSL/TLS compression methods???
Date: Sat, 16 Jun 2001 15:49:35 +0200

Hi,

1) Does anyone know which compression methods are used in SSLv3 and TLSv1?
(I only know two: gzip and zip)

2) For each compression method, values are used in the handshake messages
from the client and the server. Has anyone got an idea which value belongs
to which compression method? (In the book of E. Rescorla, SSL and TLS:
Designing and Building Secure Systems, and in the drafts of Netscape,
nothing was said about which compression and which values are used for
the compressions.)

Thx.



--

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Tell me could this one-way function be somewhat secure
Reply-To: [EMAIL PROTECTED]
Date: Sat, 16 Jun 2001 13:44:55 GMT

wtshaw [EMAIL PROTECTED] wrote:
: In article [EMAIL PROTECTED], [EMAIL PROTECTED] wrote:

: Well, you *will* if you hash material with more entropy than the width of
: the combined hash.  A scarcity of source material appears to be why
: Marko's example failed to demonstrate this.

: But, anyone should know that brief input that is extrapolated into a
: longer so-called hash is merely an exercise in super-redundancy and low if
: not marginal security.

Does anyone know that?

: I suggest that two less intelligent hashes can do wonders if combined, one
: which closely tracks the  size of the input in output, and some wildly
: different hash, perhaps more of a digest, to cut effective collisions way
: down.

It sounds like you would create collisions in the former by considering
plaintexts of the same size.  Then you only have the latter less
intelligent hash to deal with.

I think I'd rather take an ordinary hash of their combined size.
-- 
__
 |im |yler  [EMAIL PROTECTED]  Home page: http://alife.co.uk/tim/

--


Cryptography-Digest Digest #631

2001-06-16 Thread Digestifier

Cryptography-Digest Digest #631, Volume #14  Sat, 16 Jun 01 17:13:01 EDT

Contents:
  Re: CipherText E-mail encryption (Prichard, Chuck)
  Re: taking your PC in for repair? WARNING: What will they find? (Loki)
  Re: Tell me could this one-way function be somewhat secure (Bill Unruh)
  Re: FIPS 140-1 test (Tim Tyler)
  Re: Comp Results: Thomas Boschloo FAILS to prove himself, as everyone expected all 
along... (Anonymous)
  Re: Is ECB truly more secure than CBC? (Tim Tyler)
  SRP, PAK-R, Augmented EKE, and Kaliski-Ford Described on Web Site (John Savard)
  Re: Is ECB truly more secure than CBC? (Tom St Denis)
  Re: Is ECB truly more secure than CBC? (lcs Mixmaster Remailer)
  Re: Is ECB truly more secure than CBC? (Tom St Denis)
  Re: Is ECB truly more secure than CBC? (SCOTT19U.ZIP_GUY)



From: Prichard, Chuck [EMAIL PROTECTED]
Subject: Re: CipherText E-mail encryption
Date: Sat, 16 Jun 2001 16:44:27 GMT

I wonder how big the payoffs are whenever a company like CipherText has
to look the other way in these cases.

-



--

From: Loki *@*.org
Crossposted-To: 
alt.privacy,alt.security.pgp,alt.security.scramdisk,alt.privacy.anon-server
Subject: Re: taking your PC in for repair? WARNING: What will they find?
Date: Sat, 16 Jun 2001 17:40:11 GMT

In article [EMAIL PROTECTED], [EMAIL PROTECTED] 
says...
: P.Dulles wrote:
:  
:  In article [EMAIL PROTECTED], [EMAIL PROTECTED]
:  says...
:  : P.Dulles wrote:
:  : SNIP
:  :
:  : add
:  :
:  : 12. What does EE do to thwart Proxies and remote monitoring software?
:  
:  Excellent point.  But they won't answer.  I also forgot to mention that
:  a trojan could also be installed on your system by your boss or the
:  police, and they can retrieve all files that way.
: 
: For that matter, EE could *be* a trojan.  How do we know it isn't?

Well, we don't.  EE (Andy) absolutely refuses to provide any independent 
testing or verification of his claims, and we have already shot down 
most of them.

However, I do believe in being fair, and I have found no indications of 
trojan-like behavior or suddenly hidden files on my machine or for that 
matter, anything else that would indicate the product to be malicious.  
I'm not a code-cruncher, so I can't say whether or not there is a back 
door.  I will willingly admit that I think it is a good disk utility; I 
take serious exception to their pricing, claims, and marketing.  For 
$40, it was a good - if suspect - product.  For $150 anyone who buys it 
should see a doctor.

-- 
Loki

The Truth about Evidence Eliminator:
http://badtux.org/eric/editorial/scumbags.html 
http://www.radsoft.net/resources/software/reviews/ee/07.htm

--

From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: Tell me could this one-way function be somewhat secure
Date: 16 Jun 2001 18:25:48 GMT

In 9gf9lk$181$[EMAIL PROTECTED] Marko Lavikainen [EMAIL PROTECTED] 
writes:

] That's much the same as increasing the size of the hash.  You'll still get
] collisions - but not so frequently.

]I was wondering the same. But I still don't know if it is the same thing.
]There must be collisions, at least if there is no size limit for a document,
]but still if the properties of the hash functions are such that they work
]slightly differently.

]For instance, if one would use the size of the document as one variable, the
]hashvalues would grow at different rate as the size of the document grows.
]So, in one way even it is not completely true, to find false document,
]which satisfies both hashvalues, the document would be extremely huge, say
]10Gb.

]What I mean is that the hash values goes around and around as document grows
]but they never get same value before the document is inpractically long.

Uh, no. There are too many long documents. The probability is that you will get a
collision every time the document size increases by the length of the hash. Given a
document of length N and a hash of length n, then the number of other documents
with collisions with that same length N is 2^(N-n). I.e., for say a 128 bit hash (16
bytes,) a 1kB document ( 1000 characters, or 150 words) the number of documents
with the same hash and the same size would be about 2^(8000-128) which is a
goodly number.



--

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: FIPS 140-1 test
Reply-To: [EMAIL PROTECTED]
Date: Sat, 16 Jun 2001 18:23:33 GMT

Peter Gutmann [EMAIL PROTECTED] wrote:

: As a followup question, has anyone ever looked at doing the tests which
: require an FPU in an (admittedly approximate) integer-only way?  There are
: some embedded systems which don't do FP-maths too well.

I'm always after more integer-friendly randomness tests.  Chi-squared,
entropy, serial correlation, monte-carlo PI - *many* tests seem to use FP.
--
__
 |im |yler  [EMAIL PROTECTED]  Home page: http://alife.co.uk/tim/
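
An added example (not from the thread) of what Peter and Tim are asking for: the four FIPS 140-1 statistical tests on one 20,000-bit sample, in integer arithmetic only. The one place a float normally appears, the poker statistic X = (16/5000) * sum(f_i^2) - 5000 with its bounds 1.03 < X < 57.4, is handled by multiplying the statistic and both bounds by 5000. The bounds are the FIPS 140-1 ones (FIPS 140-2 later tightened them). The sample generator, SHA-256 in counter mode, is a constructed stand-in for real RNG output and not an RNG design.

```python
"""Added example (not from the thread): the four FIPS 140-1 statistical
tests on one 20,000-bit sample, in integer arithmetic only. The poker
statistic X = (16/5000) * sum(f_i^2) - 5000 is compared with its bounds
1.03 < X < 57.4 after scaling both sides by 5000, so no float is formed.
Bounds are the FIPS 140-1 ones (140-2 later tightened them). The sample
generator is constructed for the example and is not an RNG design."""
import hashlib

SAMPLE_BYTES = 2500                     # 20,000 bits
MONOBIT_BOUNDS = (9654, 10346)          # pass if 9654 < ones < 10346
POKER_BOUNDS_X5000 = (5150, 287000)     # 5000*1.03 < 16*S - 25,000,000 < 5000*57.4
RUN_BOUNDS = {1: (2267, 2733), 2: (1079, 1421), 3: (502, 748),
              4: (223, 402), 5: (90, 223), 6: (90, 223)}  # inclusive; 6 means >= 6
LONG_RUN = 34                           # a run this long or longer fails


def bits_of(sample: bytes):
    """The sample's bits, most significant bit of each byte first."""
    for byte in sample:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def monobit(sample: bytes):
    ones = sum(bin(b).count("1") for b in sample)
    return MONOBIT_BOUNDS[0] < ones < MONOBIT_BOUNDS[1], ones


def poker(sample: bytes):
    """Histogram of the 5,000 nibbles; chi-square statistic scaled by 5000."""
    counts = [0] * 16
    for b in sample:
        counts[b >> 4] += 1
        counts[b & 15] += 1
    x5000 = 16 * sum(c * c for c in counts) - 25_000_000
    return POKER_BOUNDS_X5000[0] < x5000 < POKER_BOUNDS_X5000[1], x5000


def runs(sample: bytes):
    """Runs of 0s and of 1s counted by length (6 = six or more), plus the
    longest run seen, which the long-run test needs."""
    run_counts = {0: [0] * 7, 1: [0] * 7}
    longest, prev, length = 0, None, 0
    for bit in bits_of(sample):
        if bit == prev:
            length += 1
            continue
        if prev is not None:
            run_counts[prev][min(length, 6)] += 1
            longest = max(longest, length)
        prev, length = bit, 1
    run_counts[prev][min(length, 6)] += 1
    longest = max(longest, length)
    ok = all(lo <= run_counts[v][k] <= hi
             for v in (0, 1) for k, (lo, hi) in RUN_BOUNDS.items())
    return ok, run_counts, longest


def fips_140_1(sample: bytes) -> dict:
    """Run all four tests; every value in the result is an int or a bool."""
    if len(sample) != SAMPLE_BYTES:
        raise ValueError("FIPS 140-1 tests need exactly 20,000 bits")
    mono_ok, ones = monobit(sample)
    poker_ok, x5000 = poker(sample)
    runs_ok, run_counts, longest = runs(sample)
    return {"monobit": mono_ok, "poker": poker_ok, "runs": runs_ok,
            "long_run": longest < LONG_RUN,
            "ones": ones, "poker_x5000": x5000, "longest_run": longest}


def passes(sample: bytes) -> bool:
    r = fips_140_1(sample)
    return r["monobit"] and r["poker"] and r["runs"] and r["long_run"]


def constructed_sample(label: bytes = b"fips 140-1 example") -> bytes:
    """Deterministic stand-in for RNG output: SHA-256 in counter mode."""
    out = b""
    counter = 0
    while len(out) < SAMPLE_BYTES:
        out += hashlib.sha256(label + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:SAMPLE_BYTES]


if __name__ == "__main__":
    print(fips_140_1(constructed_sample()))
    print(fips_140_1(b"\x55" * SAMPLE_BYTES))   # 0101...: monobit ok, poker and runs fail
```

The all-zero and repeated-0x55 inputs are the useful negative checks: the alternating pattern passes monobit exactly and fails poker and runs, which is why monobit alone says nothing. A sample from a sound source fails any one of these tests with probability on the order of 1e-6, so a single failure on live hardware is a reason to resample and repeated failure a reason to stop trusting the source.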


Cryptography-Digest Digest #632

2001-06-16 Thread Digestifier

Cryptography-Digest Digest #632, Volume #14  Sat, 16 Jun 01 22:13:01 EDT

Contents:
  Re: taking your PC in for repair? WARNING: What will they find? (Ron)
  Re: Is ECB truly more secure than CBC? (Tim Tyler)
  Re: CipherText E-mail encryption (Fat Phil)
  Re: CipherText E-mail encryption (Tom St Denis)
  Re: Is ECB truly more secure than CBC? (Nomen Nescio)
  Tom's base64 code (was Re: CipherText E-mail encryption) (David Hopwood)
  Re: CipherText E-mail encryption (Fat Phil)
  Re: Tom's base64 code (was Re: CipherText E-mail encryption) (Tom St Denis)
  quadratic functions (Tom St Denis)
  Re: Tom's base64 code (was Re: CipherText E-mail encryption) (SCOTT19U.ZIP_GUY)
  Order of encryption and authentication (David Hopwood)
  Re: Is ECB truly more secure than CBC? (David Wagner)
  Re: Is ECB truly more secure than CBC? (David Wagner)



From: Ron [EMAIL PROTECTED]
Crossposted-To: 
alt.privacy,alt.security.pgp,alt.security.scramdisk,alt.privacy.anon-server
Subject: Re: taking your PC in for repair? WARNING: What will they find?
Date: Sat, 16 Jun 2001 18:06:52 -0400


Loki *@*.org wrote in message
news:MPG.159564308da6d859896a0@news-server...

> However, I do believe in being fair, and I have found no indications of
> trojan-like behavior or suddenly hidden files on my machine or for that
> matter, anything else that would indicate the product to be malicious.
> I'm not a code-cruncher, so I can't say whether or not there is a back
> door.  I will willingly admit that I think it is a good disk utility; I
> take serious exception to their pricing, claims, and marketing.  For
> $40, it was a good - if suspect - product.  For $150 anyone who buys it
> should see a doctor.
>
> --
> Loki

TDS doesn't pick it up, so I doubt it's a trojan. I use Quick Clean
only, Eraser does the rest. I agree that it's a good DISK UTILITY for
$40. I paid the $80, but ah well. No way for $150 though.

R



--

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Is ECB truly more secure than CBC?
Reply-To: [EMAIL PROTECTED]
Date: Sat, 16 Jun 2001 22:03:04 GMT

lcs Mixmaster Remailer [EMAIL PROTECTED] wrote:

: As the paper you cite points out (also the June 6 paper by Hugo
: Krawczyk from the eprint archives at http://eprint.iacr.org/curr/), the
: MAC should be done after encryption.

: This is perhaps somewhat counter-intuitive; instinctively one might think
: it safest to hide everything within the encryption envelope, including
: the MAC.  But the emerging consensus definitely seems to be the opposite
: [...]

Schneier lists several reasons for *not* doing this on A.C. p. 41:

If you sign a document, it suggests you have at least looked at it.
If you sign the envelope, you might never have seen the document.

If you sign the envelope, someone can remove your signature and add
their own.

Also, if you sign the envelope everyone can see who signed it.

There are some advantages to signing outside encryption - but the
disadvantages seem pretty overwhelming.
-- 
__
 |im |yler  http://rockz.co.uk/  http://alife.co.uk/  http://atoms.org.uk/
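
As an added example (not from the thread): the encrypt-then-MAC construction the remailer's cited papers recommend, written so the receiver verifies before it decrypts. It uses two independent keys, covers the nonce with the tag, compares tags in constant time, and shows the malleability a stream cipher has on its own, which is what the MAC exists to catch. Python's standard library has no block cipher, so the keystream is HMAC-SHA256 in counter mode, a stand-in for a real cipher chosen only so the example runs offline; keys, nonce and message are constructed. One caveat for the reader weighing the two posts above: the cited papers concern a keyed MAC that only the two endpoints can compute, while the envelope arguments from Schneier concern public-key signatures, which anyone can see and strip, so those arguments do not transfer to a MAC unchanged.

```python
"""Added example (not from the thread): encrypt-then-MAC as the cited
papers recommend, with the receiver verifying the tag before it touches
the ciphertext. Python's standard library has no block cipher, so the
keystream is HMAC-SHA256 in counter mode, a stand-in for AES-CTR chosen
only so the example runs offline; the construction around it is the
point. Keys, nonce and message below are constructed for the example."""
import hashlib
import hmac

NONCE_LEN, TAG_LEN = 16, 32


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from the stand-in cipher (see above)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def ctr_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt; like any stream cipher it is malleable on its own."""
    return bytes(a ^ b for a, b in zip(data, keystream(enc_key, nonce, len(data))))


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt, then MAC nonce||ciphertext under an independent key."""
    if len(nonce) != NONCE_LEN:
        raise ValueError("bad nonce length")
    ciphertext = ctr_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(enc_key: bytes, mac_key: bytes, sealed: bytes) -> bytes:
    """Verify first, in constant time; decrypt only if the tag checks."""
    if len(sealed) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated message")
    nonce = sealed[:NONCE_LEN]
    ciphertext = sealed[NONCE_LEN:-TAG_LEN]
    tag = sealed[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return ctr_xor(enc_key, nonce, ciphertext)


def flip_bit(data: bytes, index: int) -> bytes:
    buf = bytearray(data)
    buf[index] ^= 1
    return bytes(buf)


# Constructed keys and message (not from the page). Two independent keys:
# the encryption key is never reused as the MAC key.
ENC_KEY = hashlib.sha256(b"example encryption key").digest()
MAC_KEY = hashlib.sha256(b"example mac key").digest()
NONCE = bytes(range(NONCE_LEN))
MESSAGE = b"attack at dawn"


def tamper_results() -> dict:
    """Flip one bit in each part of a sealed message and record the outcome."""
    sealed = seal(ENC_KEY, MAC_KEY, NONCE, MESSAGE)
    results = {}
    for part, index in (("nonce", 0), ("ciphertext", NONCE_LEN), ("tag", len(sealed) - 1)):
        try:
            open_sealed(ENC_KEY, MAC_KEY, flip_bit(sealed, index))
            results[part] = "accepted"
        except ValueError:
            results[part] = "rejected"
    return results


def unauthenticated_flip() -> bytes:
    """What a receiver that decrypts before checking would see: the stream
    cipher turns one flipped ciphertext bit into one flipped plaintext bit."""
    ciphertext = ctr_xor(ENC_KEY, NONCE, MESSAGE)
    return ctr_xor(ENC_KEY, NONCE, flip_bit(ciphertext, 0))


if __name__ == "__main__":
    print(tamper_results())
    print(unauthenticated_flip())
```

Because the tag is checked before any decryption, a forged or modified message never reaches the cipher or whatever parses the plaintext; that is the practical reason for the ordering, quite apart from the proofs in the cited papers.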

--

From: Fat Phil [EMAIL PROTECTED]
Subject: Re: CipherText E-mail encryption
Date: Sun, 17 Jun 2001 01:32:13 +0300

Tom St Denis wrote:

> /* base64 encode */
> void EXP base64_encode(const unsigned char *input, long inlen,
>                        unsigned char *output, long *outlen)
> {
>     long x, i;
>     unsigned long y;
> 
>     *outlen = 0;
>     for (x = 0; x < inlen; ) {
>         for (y = i = 0; (i < 3) && (x < inlen); i++)
>             y = (y<<8) | input[x++];

The bytes are in y in the order 'blank 1st 2nd 3rd'

>         /* shift as required */
>         if (i != 3) y <<= (8 * (3 - i));
>         output[(*outlen)++] = code[y&63]; y>>=6;

but you output the lowest bits from the 3rd input byte first?
Woh!

>         output[(*outlen)++] = code[y&63]; y>>=6;
>         output[(*outlen)++] = code[y&63]; y>>=6;
>         output[(*outlen)++] = code[y&63];
>     }
>     output[(*outlen)++] = 0;
> }

> What is the problem with the code you are noting?  Maybe I am just not
> seeing it.

The problem is that outlen always gets incremented by 4 in the x loop.
It can't distinguish a trailing input block of 1 byte from 2 bytes or 3.
It always outputs 4 bytes.

The 'woh!' comment indicates why this is not a simple 1-line fix.

Something more like

void EXP base64_encode(const unsigned char *input, long inlen,
                       unsigned char *output, long *outlen)
{
  unsigned int bufbits=0;   /* input bits not yet emitted, newest byte highest */
  unsigned int buflen=0;    /* how many of those bits are valid */
  long outbytes=0;
  while(inlen>0)
  {
    if(buflen<6) { bufbits|=(*input++)<<buflen; buflen+=8; --inlen; }
    output[outbytes++]=code[bufbits&63];   /* code[] is the 64-char alphabet */
    bufbits>>=6;
    buflen-=6; 
  }
  if(buflen) output[outbytes++]=code[bufbits&63];   /* 2, 4 or 6 leftover bits */
  output[outbytes++]='\0';
  *outlen=outbytes;
}


might do the trick. I've written it 
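
As an added example (not Tom's or Phil's code, and in Python rather than C so it runs here as-is): an encoder that handles the 1-, 2- and 3-byte tail this thread is about by emitting only the six-bit groups that contain real input bits and padding with '=', plus a decoder that refuses misplaced or missing padding. The bit order is the standard one, the first input byte's top six bits first, which is the other thing Phil's "Woh!" points at. matches_stdlib cross-checks every length up to 64 against Python's base64 module on constructed input.

```python
"""Added example (not Tom's or Phil's code): a base64 encoder that handles
the 1-, 2- and 3-byte tail the thread is about, and a decoder that checks
its own padding. Python rather than C so that it runs here as-is; the bit
order is the standard one (first input byte's top six bits first), with
'=' padding to a multiple of four characters."""
ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
DECODE = {c: i for i, c in enumerate(ALPHABET)}


def b64encode(data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        n = len(chunk)                      # 1, 2 or 3 real bytes in this group
        # 24-bit group, big-endian, zero-filled on the right for a short tail.
        bits = int.from_bytes(chunk + b"\x00" * (3 - n), "big")
        # A short tail yields only n+1 characters: the 6-bit groups that hold
        # real input bits, highest first. The rest is '=' padding, which is
        # what lets a decoder tell 1, 2 and 3 trailing bytes apart.
        for j in range(n + 1):
            out.append(ALPHABET[(bits >> (18 - 6 * j)) & 63])
        out += b"=" * (3 - n)
    return bytes(out)


def b64decode(text: bytes) -> bytes:
    if len(text) % 4:
        raise ValueError("length is not a multiple of 4")
    out = bytearray()
    for i in range(0, len(text), 4):
        quad = text[i:i + 4]
        pad = quad.count(b"=")
        # '=' may only appear as the last one or two characters of the input.
        if pad > 2 or (pad and i + 4 != len(text)) or b"=" in quad[:4 - pad]:
            raise ValueError("bad padding")
        bits = 0
        for c in quad[:4 - pad]:
            if c not in DECODE:
                raise ValueError("character outside the alphabet")
            bits = (bits << 6) | DECODE[c]
        bits <<= 6 * pad                    # re-align to a full 24-bit group
        out += bits.to_bytes(3, "big")[:3 - pad]
    return bytes(out)


def matches_stdlib(max_len: int = 64) -> bool:
    """Cross-check against the standard library on every length up to max_len."""
    import base64
    for n in range(max_len + 1):
        data = bytes((i * 37 + 11) & 0xFF for i in range(n))   # constructed input
        if b64encode(data) != base64.b64encode(data):
            return False
        if b64decode(b64encode(data)) != data:
            return False
    return True


if __name__ == "__main__":
    for sample in (b"f", b"fo", b"foo", b"foob", b"fooba", b"foobar"):
        print(sample, b64encode(sample))
```

The decoder's padding rules matter in practice: accepting '=' in the middle of the input or tolerating a missing '=' gives two encodings for the same bytes, which is how base64-encoded tokens end up with bypassable comparisons.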

Cryptography-Digest Digest #615

2001-06-15 Thread Digestifier

Cryptography-Digest Digest #615, Volume #14  Fri, 15 Jun 01 03:13:01 EDT

Contents:
  Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY (Paul Pires)
  Re: HELP WITH RSA ENCRYPTION/DECRYPTION INCLUDING GARNER CRT ALGORITHM (Boyd 
Roberts)
  Re: CipherText E-mail encryption (Prichard, Chuck)
  Re: curious about MD3 (Boyd Roberts)
  Re: HELP WITH RSA ENCRYPTION/DECRYPTION INCLUDING GARNER CRT ALGORITHM (Tom St 
Denis)
  Re: Yarrow PRNG (Mark Wooding)
  Re: HELP WITH RSA ENCRYPTION/DECRYPTION INCLUDING GARNER CRT ALGORITHM (Boyd 
Roberts)
  Re: Alice and Bob Speak MooJoo (Robert J. Kolker)
  Re: CipherText E-mail encryption (Prichard, Chuck)
  Re: Diffusion limits in block ciphers (Tim Tyler)
  Re: Alice and Bob Speak MooJoo (John A. Malley)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY (Mok-Kong Shen)
  Re: CipherText E-mail encryption ([EMAIL PROTECTED])
  Re: Alice and Bob Speak MooJoo (Mok-Kong Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY (Mok-Kong Shen)



From: Paul Pires [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY
Date: Thu, 14 Jun 2001 18:54:54 -0700


Mok-Kong Shen [EMAIL PROTECTED] wrote in message 
news:[EMAIL PROTECTED]...


> [EMAIL PROTECTED] wrote:
> 
> > Mok-Kong Shen [EMAIL PROTECTED] writes:
> > 
> > > I was not changing the subject, i.e. diverting to something else. You
> > > were talking of the possibility of 'proving' I am not lying (or the
> > > opposite).
> > 
> > That's not in the slightest what I was talking about. I was contrasting
> > two situations:
> > 
> > (1) You use an OTP. I have your ciphertexts. Given a binary file purporting
> > to be the key, can I verify that it *is* the key? Answer: NEVER.
> > No theoretical means exists for establishing that the key is the key.
> > No matter how ``sure'' I feel that it is the key: even if I kidnapped you,
> > and found the key tattooed on your butt.
> > 
> > (2) You use a PK system. I have your ciphertexts. Given a binary file
> > purporting to be the key, can I verify that it *is* the key? Answer:
> > yes, always, with 100% certainty.
> > 
> > System #1 is secure IN AN INFORMATION THEORETIC SENSE. System #2 may be
> > secure, but it is NOT secure in an information-theoretic sense.
> 
> That's because you 'define' the security that way. But
> consider what the difference is. In the first case,
> you don't know 'for sure' whether the deciphered result
> is actually the plaintext. You have uncertainty. In the
> second case, you don't know 'for sure' (I hope I had
> clearly explained that, we could discuss in the other
> case) whether the key pair is actually mine. Again
> you have uncertainty. Yes, the uncertainty is of
> different nature, but it is there in both cases.
> 
> > 
> > > I was attempting to show that a proof in the absolute sense, as far
> > > as that topic goes is in practice not possible.
> > 
> > Unfortunately, you're full of beans. If I get your private key, I *can*
> > be 100% certain that it is *the* key to *the* messages in my possession,
> > period.
> > 
> > Yes, you might try to fool me by living a double life, and hoping I'm
> > reading only messages which are a ``blind''. That's got nothing to do
> > with *cryptographic* security, which is what I was talking about.
> > 
> > > My point is that I can deny that the public key is mine...
> > 
> > You're completely ignoring that practical cryptanalysis happens in a
> > context. In other words, you COULD make that claim...but then you'd
> > have to explain why gigabytes of data encrypted with that key were
> > sent to you...and why your secretary thought it was your key...and why
> > I sent you a message in that key saying ``Wear a big lizard on your
> > head so I can recognize you. --Mok's #1 spy'' and for some reason you
> > turned up with a lizard on your head...
> > 
> > Don't confuse cryptographic issues with human engineering, traffic
> > analysis, psychology, religion, philosophy or anything else. It only
> > annoys people who are willing to discuss crypto with you.
> 
> Yes, the gigabytes extremely highly strengthen your belief,
> but it is nonetheless not a proof in the absolute sense (or
> a proof in the mathematical sense).

You should really back up and take a deep breath here.
You can deny anything and there is no absolute proof.
Lack of absolute proof is not a proof that a denial is
valid. A denial is judged on its own merits. Take the
private key example. Sure no one can prove that it
is your key (I think). They would have to prove that
there was no key that could also decrypt everything you
have to prove it absolutely. But they can establish with
a statistical certainty that it was in fact your key.

In the other example, OTP, where Len has a ciphertext and
what he thinks is your key can he prove it with any certainty?
No, Not without having knowledge of what the corresponding
plaintext was since you can claim a different plaintext (of the
same length) and produce a different key 
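
As an added example (not from the thread), the contrast Len draws and Paul is weighing, in code. For a one-time pad, the only check an examiner can make is "does this key turn the ciphertext into this plaintext", and a key that passes it can be manufactured for any plaintext of the right length. For RSA, a claimed private exponent can be tested against the public key and the captured ciphertexts alone, with no plaintext in hand. Messages, pad and the toy primes below are constructed, and the primes are far too small for anything but illustration.

```python
"""Added example (not from the thread): the contrast Len draws, in code.
With a one-time pad, every plaintext of the right length has a key that
'decrypts' the ciphertext to it, so a captured key file can never be
confirmed from ciphertext alone. With RSA, a claimed private exponent can
be checked against the public key and the captured ciphertexts with no
plaintext at all. Messages, pad and the toy RSA primes are constructed
for the example; the primes are far too small for real use."""
from math import gcd


def otp(data: bytes, key: bytes) -> bytes:
    if len(key) != len(data):
        raise ValueError("a pad must be exactly as long as the message")
    return bytes(a ^ b for a, b in zip(data, key))


def pad_for_claimed_plaintext(ciphertext: bytes, claimed: bytes) -> bytes:
    """The key under which this ciphertext 'is' the claimed plaintext."""
    return otp(ciphertext, claimed)


def pad_is_consistent(ciphertext: bytes, key: bytes, plaintext: bytes) -> bool:
    """All an examiner can check: does key turn ciphertext into plaintext?
    True for the real pad, and equally true for a fabricated one."""
    return otp(ciphertext, key) == plaintext


def toy_rsa_keypair(p: int, q: int, e: int = 65537):
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    return (n, e), pow(e, -1, lam)                 # public key, private exponent


def rsa_encrypt(public, m: int) -> int:
    n, e = public
    return pow(m, e, n)


def private_key_fits(public, d: int, ciphertexts) -> bool:
    """Given only the public key and captured ciphertexts, test a claimed
    private exponent: decrypting with d and re-encrypting with e must give
    each ciphertext back. A wrong d fails on the first one."""
    n, e = public
    return all(pow(pow(c, d, n), e, n) == c for c in ciphertexts)


# Constructed data (not from the page).
REAL_MESSAGE = b"attack at dawn"
REAL_PAD = bytes((i * 73 + 29) & 0xFF for i in range(len(REAL_MESSAGE)))
CIPHERTEXT = otp(REAL_MESSAGE, REAL_PAD)
CLAIMED_MESSAGE = b"retreat at ten"            # same length, different story
FORGED_PAD = pad_for_claimed_plaintext(CIPHERTEXT, CLAIMED_MESSAGE)

P, Q = 10007, 10009                             # toy primes
LAMBDA_N = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)
PUBLIC, PRIVATE_D = toy_rsa_keypair(P, Q)
RSA_CIPHERTEXTS = [rsa_encrypt(PUBLIC, m) for m in (424242, 31337, 99)]

if __name__ == "__main__":
    print("real pad consistent:  ", pad_is_consistent(CIPHERTEXT, REAL_PAD, REAL_MESSAGE))
    print("forged pad consistent:", pad_is_consistent(CIPHERTEXT, FORGED_PAD, CLAIMED_MESSAGE))
    print("right RSA d fits:     ", private_key_fits(PUBLIC, PRIVATE_D, RSA_CIPHERTEXTS))
    print("wrong RSA d fits:     ", private_key_fits(PUBLIC, PRIVATE_D + 1, RSA_CIPHERTEXTS))
```

One nuance on the RSA side, relevant to Paul's "no key that could also decrypt everything": any d' that differs from d by a multiple of lcm(p-1, q-1) also passes, but it is the same key in effect, decrypting every ciphertext identically. The check therefore establishes what Len cares about, that the file is a working private key for those messages, while the pad check establishes nothing, because a pad that fits any story can be written down after the fact.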

Cryptography-Digest Digest #616

2001-06-15 Thread Digestifier

Cryptography-Digest Digest #616, Volume #14  Fri, 15 Jun 01 09:13:01 EDT

Contents:
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack,(Mok-Kong Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY (Tim Tyler)
  NIST Rng Test Software (Unix) (Brice)
  Re: Alice and Bob Speak MooJoo (Roger Fleming)
  Re: Alice and Bob Speak MooJoo (Roger Fleming)
  Re: Algorithm take 3 - LONG (was : Re: RSA's new Factoring Challenges: $200,000 
prize. (my be repeat)) (Michael Brown)
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, andLarge 
Primes ([EMAIL PROTECTED])
  Re: NIST Rng Test Software (Unix) (Henrick Hellström)
  Re: Algorithm take 3 - LONG (was : Re: RSA's new Factoring Challenges: $200,000 
prize. (my be repeat)) (The Scarlet Manuka)
  hello? (Tom St Denis)
  Re: hello? (S Degen)
  Re: hello? (Tom St Denis)
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack,  (Mok-Kong 
Shen)
  Re: Alice and Bob Speak MooJoo (Robert J. Kolker)
  Re: Looking for Mitsuru Matsui paper (Pascal Junod)
  Re: Looking for Mitsuru Matsui paper (Tom St Denis)



From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack,   
Date: Fri, 15 Jun 2001 09:10:32 +0200



[EMAIL PROTECTED] wrote:
 
 Mok-Kong Shen [EMAIL PROTECTED] writes:
  I wrote:
  Mok-Kong Shen [EMAIL PROTECTED] writes:
 
  As I said, a logical model is wrong, if it is not consistent. The
  stuff done by the two authors is not wrong in the mathematical sense...
 
  But a book is wrong, if it fails to accomplish its goal. RW wanted a
  complete mathematical theory--but such a thing is provably impossible.
 
  Well, take an example. FLT has been finally proved. Before
  that many books on FLT, giving some interesting (correct)
  results, have been published, e.g. one by Ribenboim, though
  none of these contain a proof of FLT (excepting 'partial
  proofs').  Do you simply call all these books 'wrong'?
 
 They were working on a problem which was solvable--or at least, not known
 to be unsolvable. Of course they weren't ``wrong''.
 
 On the other hand, if somebody decided to devote 500 pages to a theory
 intended to culminate in a proof of the continuum hypothesis, then it's
 fair to say that the entire project is wrong. Even if interesting and
 publishable results are proven along the way.

I suppose you were questioning the intelligence quotient
of Whitehead and Russell. I couldn't argue against you,
since I have no knowledge on that. Note however you
are looking from today's view, where mathematics has
advanced much beyond the time point where the book was
written. We know that one is afterwards always much much
much more clever in all situations, not only in math.
I am not very sure that you yourself wouldn't have 
fallen into the same trap, if you had lived in the time 
period of these authors.

 
  Every proof in the book must be correct (even though I haven't touched
  that book), since it apparently is a recognized literature.
 
  Are you tetched? Recognized literature is generally riddled with
  errors.  One should assume that RW contains many errors...
 
  ...I meant that what the two authors had done could not be called wrong
  simply because they were unable to achieve the goal that they had set
  for themselves.
 
 Don't you mean ``Because nobody, from now till hell freezes over, will
 *ever* achieve the goal, because it is impossible?''

See the above. Once you know better, the situation changes.
When you know something is impossible, you wouldn't try.
But what if you don't YET know? Do you have the ability 
of clairvoyance? Goedel destroyed Hilbert's dream, but 
that's by far no reason to consider Hilbert an idiot.
Science always advances by sort of trial and error,
isn't it?

 
 Their whole program was wrong. That doesn't make them idiots, bad
 fathers, or rotten human beings. It just means that their whole
 program was wrong. Get a grip.

In my response to Gwyn, I said that their goal (programme)
was wrong, but the stuff is correct mathematically, there
being, excepting some eventually present small errors, no 
faults in the mathematical sense (i.e. errors in the sense 
of invalid deductions). I had from the beginning of the
discussions stressed that the stuff in the book is
correct mathematically, no more nor less, and repeatedly
said that their goal was wrong and hence not achieved.
But Gwyn seemed to continually ignore that.

M. K. Shen
=
http://home.t-online.de/home/mok-kong.shen

--

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY
Reply-To: [EMAIL PROTECTED]
Date: Fri, 15 Jun 2001 07:36:52 GMT

Mok-Kong Shen [EMAIL PROTECTED] wrote:

: Yes, it is always o.k. to make definitions. I recall in 
: this connection a famous 

Cryptography-Digest Digest #617

2001-06-15 Thread Digestifier

Cryptography-Digest Digest #617, Volume #14  Fri, 15 Jun 01 13:13:01 EDT

Contents:
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack,   and
Large Primes ([EMAIL PROTECTED])
  Re: NIST Rng Test Software (Unix) (Mok-Kong Shen)
  Re: HELP WITH RSA ENCRYPTION/DECRYPTION INCLUDING GARNER CRT ALGORITHM (cohalloran)
  Re: HELP WITH RSA ENCRYPTION/DECRYPTION INCLUDING GARNER CRT ALGORITHM (Tom St 
Denis)
  Re: HELP WITH RSA ENCRYPTION/DECRYPTION INCLUDING GARNER CRT ALGORITHM (Erwann 
ABALEA)
  Re: National Security Nightmare? (Charles Lyttle)
  Re: Diffusion limits in block ciphers (Mark Wooding)
  Re: Alice and Bob Speak MooJoo (Douglas A. Gwyn)
  Re: Substitution Humor! (Thierry Falissard)
  Re: HELP WITH RSA ENCRYPTION/DECRYPTION INCLUDING GARNER CRT ALGORITHM (Tom St 
Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY (wtshaw)
  Re: hello? (wtshaw)
  Re: CipherText E-mail encryption (Prichard, Chuck)
  Re: CipherText E-mail encryption (Prichard, Chuck)
  Those 8x32's I made !!! (Tom St Denis)
  Re: CipherText E-mail encryption (Tom St Denis)
  Re: ENCRYPTION TYPE - UNKNOWN! :( (Douglas A. Gwyn)
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack,  (Douglas A. 
Gwyn)
  Re: Substitution Humor! (Douglas A. Gwyn)
  Re: CipherText E-mail encryption (Prichard, Chuck)
  Re: CipherText E-mail encryption (Tom St Denis)
  Re: Avoiding RSA padding altogether? (David Hopwood)



Subject: Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack,   and  
  Large Primes
From: [EMAIL PROTECTED]
Date: 15 Jun 2001 09:20:09 -0400

Mok-Kong Shen [EMAIL PROTECTED] writes:
 
 I am not a mathematician, let alone a logician. But from
 what I know it seems to be true that one has learned that
 the route taken by the two authors is a dead end only
 (or mainly) 'through' the very knowledge of their failure. 

And once we know it was a failure, we make a note of the fact, and don't
bother reading that work anymore. But we still sincerely love Russell and
Whitehead as people. Does that make you feel better?

 BTW, you must know better as mathematician of how to currently best
 learn the foundations of arithmetic.

Yes. To learn arithmetic, go to school.

Len.


-- 
It's always difficult to imagine the effects of a free market when you've
never tried one.
-- Dan Bernstein

--

From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: NIST Rng Test Software (Unix)
Date: Fri, 15 Jun 2001 15:15:04 +0200



Brice wrote:

 I have now given up on compiling the NIST Rng test software on a PC running
 Windows and i have reverted to a Unix machine.
 
 I have managed to compile the code without any problems but i am not getting
 the same results as those given by NIST when i run the test software on the
 test samples.
 
 Does anyone know of any bugs in the code ? Has anyone got some executable
 under Unix that they could maybe send me?

Why not communicate with the NIST people?

M. K. Shen

--

From: [EMAIL PROTECTED] (cohalloran)
Subject: Re: HELP WITH RSA ENCRYPTION/DECRYPTION INCLUDING GARNER CRT ALGORITHM
Date: Fri, 15 Jun 2001 14:24:07 GMT

On Fri, 15 Jun 2001 02:09:01 GMT, Tom St Denis
[EMAIL PROTECTED] wrote:


Boyd Roberts [EMAIL PROTECTED] wrote in message
news:9gbqdk$da1$[EMAIL PROTECTED]...
 tE! [EMAIL PROTECTED] wrote in message news:
[EMAIL PROTECTED]
 
  tom st denis sucks. who gives a  about his crap comments anyway ?
 

 was '' encoded with a OTP?  are you trying to say crap or fuck?

 or that other _terrible_ f word: frog

 toad, of course, is the correct term.

 [with apologies to _the league of gentleman_]

Why would frog be terrible?

You must be french.



--

From: Tom St Denis [EMAIL PROTECTED]
Subject: Re: HELP WITH RSA ENCRYPTION/DECRYPTION INCLUDING GARNER CRT ALGORITHM
Date: Fri, 15 Jun 2001 14:34:28 GMT


cohalloran [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 On Fri, 15 Jun 2001 02:09:01 GMT, Tom St Denis
 [EMAIL PROTECTED] wrote:

 
 Boyd Roberts [EMAIL PROTECTED] wrote in message
 news:9gbqdk$da1$[EMAIL PROTECTED]...
  tE! [EMAIL PROTECTED] wrote in message news:
 [EMAIL PROTECTED]
  
   tom st denis sucks. who gives a  about his crap comments anyway ?
  
 
  was '' encoded with a OTP?  are you trying to say crap or fuck?
 
  or that other _terrible_ f word: frog
 
  toad, of course, is the correct term.
 
  [with apologies to _the league of gentleman_]
 
 Why would frog be terrible?

 You must be french.

Nope.  I think this is a vastly inappropriate topic.  I can think off the
top of my head two French cryptographers.  [Vaudenay and Pascal, well I
dunno if Pascal is french but afaik Vaudenay is].

Tom



--

From: Erwann ABALEA [EMAIL PROTECTED]
Subject: Re: HELP WITH 

Cryptography-Digest Digest #618

2001-06-15 Thread Digestifier

Cryptography-Digest Digest #618, Volume #14  Fri, 15 Jun 01 15:13:00 EDT

Contents:
  Re: survey (Ichinin)
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, andLarge 
Primes (Stefek Zaba)
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack,(Mok-Kong 
Shen)
  integration question (Tom St Denis)
  Re: integration question (Robert J. Kolker)
  Re: integration question (Tom St Denis)
  Re: integration question (Paul Rubin)
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack,  (Mok-Kong 
Shen)
  Re: integration question (Mok-Kong Shen)
  Re: integration question (Tom St Denis)
  Re: integration question (Tom St Denis)
  Re: CipherText E-mail encryption (Joseph Ashwood)
  Re: Algorithm take 3 - LONG (was : Re: RSA's new Factoring Challenges: $200,000 
prize. (my be repeat)) (Joseph Ashwood)
  Re: CipherText E-mail encryption (Joseph Ashwood)
  Tell me could this one-way function be somewhat secure (Marko Lavikainen)
  Re: Simple Crypto II, the public key... (Fat Phil)
  Re: Simple Crypto II, the public key... (Tom St Denis)
  Re: Tell me could this one-way function be somewhat secure (Tom St Denis)



From: Ichinin [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Subject: Re: survey
Date: Sun, 10 Jun 2001 08:56:00 +0200

Sam Yorko wrote:
 I (and everybody in the WLAN 802.11 community) would be very
 interested in something like this.  With the amazing number of attacks
 against RC4 being published,

What amazing number of attacks against RC4? I know only these:

- The specific implementation of WEP.
  http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html

- Some specific attacks against SSL and the PRNG.
  http://www.achtung.com/crypto/rc4.html#Algorithm_Analysis
  
- Equivalent keys in RC4.

 we would welcome a better solution for encryption of the
 data stream.
 
 Sam

I think there are a lot of solutions to protect data going over
802.11,

If I am not mistaken:
 - Certicom was working on some ECC kit for Pocket PC's a while ago.
 - I *think* WinCE systems have support for MSCapi.

I know that there are other systems that do not ship with WinCE,
but take for instance a Dos Batch terminal (i saw that your NNTP
host was Symbol.com :o); one could write a DH plugin for those.

Sure, it is always better if the hardware did the encryption,
but once a flaw is found in hardcoded stuff, all the hardware
has to be replaced or updated; then software sounds like
a more dynamic choice as software can easily be distributed
to the clients.

Best regards,
Ichinin

--

From: [EMAIL PROTECTED] (Stefek Zaba)
Subject: Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, and
Large Primes
Date: 15 Jun 2001 17:11:02 GMT

In sci.crypt, [EMAIL PROTECTED] wrote:

 Are you tetched? Recognized literature is generally riddled with
 errors.  One should assume that RW contains many errors--even if they
 are all fixable. So what? Once you've gone to the trouble of reading
 and understanding it, where has it gotten you?

Hopefully, a deeper understanding of computability, and the upsetting (to
the tidy-minded) connection between completeness and decideability - at a
rather deeper level than browsing through Goedel, Escher, Bach could get
you :-)

Stefek

--

From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack,   
Date: Fri, 15 Jun 2001 19:26:18 +0200



[EMAIL PROTECTED] wrote:
 
 Mok-Kong Shen [EMAIL PROTECTED] writes:
 
  I am not a mathematician, let alone a logician. But from
  what I know it seems to be true that one has learned that
  the route taken by the two authors is a dead end only
  (or mainly) 'through' the very knowledge of their failure.
 
 And once we know it was a failure, we make a note of the fact, and don't
 bother reading that work anymore. But we still sincerely love Russell and
 Whitehead as people. Does that make you feel better?

Whether we bother to read that book (I certainly wouldn't
do, because I guess it would be much too difficult for
me with my poor math knowledge and also because of
time availability) was never the point of the rather heated
debate between Gwyn and me, though. I wonder thus why you
think this issue is relevant for discussion or mention
here.

 
  BTW, you must know better as a mathematician how to currently best
  learn the foundations of arithmetic.
 
 Yes. To learn arithmetic, go to school.

I am very surprised to hear this from the mouth of a
mathematician. Maybe much has changed in the course of
time or the education is rather different in different 
places of the world. Anyway, in the undergraduate analysis
course I had taken (for non-mathematicians) a long time ago,
the foundations of arithmetic did occupy a few hours
of the prof's time and we even had a couple of questions
on an exercise sheet.

M. K. 

Cryptography-Digest Digest #619

2001-06-15 Thread Digestifier

Cryptography-Digest Digest #619, Volume #14  Fri, 15 Jun 01 18:13:00 EDT

Contents:
  Any good Crypto Books? (Jeff Potts)
  Re: The 94 cycle cipher (Fat Phil)
  Re: Any good Crypto Books? (Tom St Denis)
  Re: Any good Crypto Books? (John Savard)
  Re: CipherText E-mail encryption (Prichard, Chuck)
  Re: CipherText E-mail encryption (Joseph Ashwood)
  Re: CipherText E-mail encryption (Tom St Denis)
  Re: integration question (John Myre)
  Re: CipherText E-mail encryption (Prichard, Chuck)
  Re: integration question (Paul Rubin)
  Re: Substitution Humor! (Boyd Roberts)
  Re: CipherText E-mail encryption (Boyd Roberts)
  Re: integration question (Tom St Denis)
  Re: integration question (Boyd Roberts)
  Re: integration question (Fat Phil)
  Re: integration question (Tom St Denis)
  Re: integration question (Robert J. Kolker)
  Re: survey (Joseph Ashwood)
  Is ECB truly more secure than CBC? (lcs Mixmaster Remailer)
  Re: Is ECB truly more secure than CBC? (Tom St Denis)
  Re: Is ECB truly more secure than CBC? (Paul Pires)
  Re: HELP WITH RSA ENCRYPTION/DECRYPTION INCLUDING GARNER CRT ALGORITHM (Boyd 
Roberts)
  Re: CipherText E-mail encryption (Prichard, Chuck)
  Re: Is ECB truly more secure than CBC? (SCOTT19U.ZIP_GUY)



From: [EMAIL PROTECTED] (Jeff Potts)
Subject: Any good Crypto Books?
Date: 15 Jun 2001 12:15:54 -0700

I'm trying to get a better understanding of Cryptography and its uses
within Security. I did a search for Cryptography books and there seem
to be few out there.

One named Applied Cryptography, seemed to be more directed only to
software developers. There was another one I saw named RSA's Official
Guide to Cryptography, that seemed to cover a great number of topics,
not only Cryptography, but security protocols as well.

I guess my question is, has anyone read either of these? If so, which
would be best to learn Cryptography and Security Protocols? Or would
one look at completely different books?

-Jeff

--

From: Fat Phil [EMAIL PROTECTED]
Subject: Re: The 94 cycle cipher
Date: Fri, 15 Jun 2001 22:05:47 +0300

Tom St Denis wrote:
 
 Phil Carmody wrote:
  You're computation bound so that the above probably has little or no
  real effect on an out-of-order processor. However I'm sure that you
  could trivially do two blocks in almost the same time as you do 1!
  Remember that there are 32x32-32 multiply instructions in the 386 with
  any register as the destination.
 
 That's only IMUL IIRC.

YRC
:-)

Phil

--

From: Tom St Denis [EMAIL PROTECTED]
Subject: Re: Any good Crypto Books?
Date: Fri, 15 Jun 2001 19:17:43 GMT


Jeff Potts [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 I'm trying to get a better understanding of Cryptography and its uses
 within Security. I did a search for Cryptography books and there seem
 to be few out there.

 One named Applied Cryptography, seemed to be more directed only to
 software developers. There was another one I saw named RSA's Official
 Guide to Cryptography, that seemed to cover a great number of topics,
 not only Cryptography, but security protocols as well.

 I guess my question is, has anyone read either of these? If so, which
 would be best to learn Cryptography and Security Protocols? Or would
 one look at completely different books?

Both Applied Crypto and the Handbook of Applied Crypto touch on the
theoretical side of crypto.  They are good books, references, etc...

Hmm books on actual cryptosystems?  I dunno.  It's not a popular topic.
[not buzzword compliant!]

Tom



--

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Any good Crypto Books?
Date: Fri, 15 Jun 2001 19:20:37 GMT

On 15 Jun 2001 12:15:54 -0700, [EMAIL PROTECTED] (Jeff Potts) wrote,
in part:

One named Applied Cryptography, seemed to be more directed only to
software developers.

Many people have read this one, and it's generally considered to be
one of the best all around, since it has a lot of information in it.

It depends on what you are looking for, though.

John Savard
http://home.ecn.ab.ca/~jsavard/frhome.htm

--

From: Prichard, Chuck [EMAIL PROTECTED]
Subject: Re: CipherText E-mail encryption
Date: Fri, 15 Jun 2001 19:24:01 GMT

It could be that the lookup method uses the if case then structure
without an exit if resolved.

This method could be improved using a more direct hash referencing
method.

I'll bet it can be improved immensely.

-C. Prichard



--

From: Joseph Ashwood [EMAIL PROTECTED]
Subject: Re: CipherText E-mail encryption
Date: Fri, 15 Jun 2001 12:21:37 -0700

Actually I would second Tom's suggestion. VB is extremely slow for
performing operations that don't land on what Microsoft considers basic
lines. This most likely means that they coded a Base-64 encoder that very
quickly encodes plain text files, but rely on 

Cryptography-Digest Digest #620

2001-06-15 Thread Digestifier

Cryptography-Digest Digest #620, Volume #14  Fri, 15 Jun 01 20:13:01 EDT

Contents:
  Re: CipherText E-mail encryption (Tom St Denis)
  Re: Is ECB truly more secure than CBC? (Joseph Ashwood)
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack,  (Douglas A. 
Gwyn)
  Re: integration question (Douglas A. Gwyn)
  Re: Is ECB truly more secure than CBC? (Joseph Ashwood)
  Re: Is ECB truly more secure than CBC? (John Myre)
  Re: Brute-forcing RC4 (David Wagner)
  Fwd from the Math Forum (math-teach) (Kirby Urner)
  Re: IV (David Wagner)
  Re: fast CTR like ciphers? (David Wagner)
  Re: integration question (Fat Phil)
  Re: Is ECB truly more secure than CBC? (David Wagner)
  Re: integration question (Tom St Denis)
  Re: Simple Crypto II, the public key... (Fat Phil)
  Re: Tell me could this one-way function be somewhat secure (Tim Tyler)
  Re: Simple Crypto II, the public key... (Tom St Denis)
  Re: IV (SCOTT19U.ZIP_GUY)
  Re: Is ECB truly more secure than CBC? (SCOTT19U.ZIP_GUY)
  Re: Is ECB truly more secure than CBC? (Boyd Roberts)
  Re: Fwd from the Math Forum (math-teach) (Boyd Roberts)



From: Tom St Denis [EMAIL PROTECTED]
Subject: Re: CipherText E-mail encryption
Date: Fri, 15 Jun 2001 22:03:07 GMT


Prichard, Chuck [EMAIL PROTECTED] wrote in message
news:2uvW6.1206$[EMAIL PROTECTED]...
 Because of the problems associated with keeping the config options
 simple, it is decided to use an approach that relies on a user's own
 security measure as the ultimate assurance of data privacy.

 It can be made an option in a future release, but to introduce the easily
 configurable product it's important to offer encryption of the user
 configurable HDD preference and contacts information.

 By requiring both a password and key to login, I doubt the product will
 be popular at all.

Agreed.  But if it's not secure what's the point?

You seem to be a salesman more than a cryptographer.

Sure we would love magic crypto where I don't have to keep a physical device
or password in my head.  But there is NO solution.  All security is based on
two things: the conjecture that a cipher is as secure as the key and the
assumption that the keyspace is too large to brute force.

To simply say ah, well just remove the key and all is ok is crazy.

There are other solutions.  Such as Magnetic Cards with passwords.  You have
to keep it with you but you don't have to memorize anything.  A company in
ottawa has a USB device [and they think they are original... HA!] which does
the same thing.

The age of passwords is coming to an end, but personal entropy is here to
stay.

Tom



--

From: Joseph Ashwood [EMAIL PROTECTED]
Subject: Re: Is ECB truly more secure than CBC?
Date: Fri, 15 Jun 2001 14:49:23 -0700

I will openly acknowledge that this is one and the same Joseph Ashwood.
Although I would rather that the anonymous poster hadn't posted my work e-mail
address; I'd rather keep that account fairly clean of outside influence.

Now I will address the OP subject question. No ECB is not more secure than
CBC, nor is CBC more secure than ECB. The difference in security comes from
what type of attack is being protected against. For the post I made to XML
Enc I made the implicit assumption that the key was more valuable than the
message, an assumption that may or may not be true. If you assume that the
content of the message is as important as the key, then CBC is clearly more
secure, but if the key is more important than the message (e.g. the key will
be used more than once) then ECB offers some advantage. It's a matter of
usage, and factors outside the most common assumptions rather severely
influencing the security of the system.
Joe


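The "content of the message" side of the trade-off Joe describes can be seen directly: equal plaintext blocks give equal ciphertext blocks under ECB, but not under CBC. The following is an added example, not code from this thread; the 64-bit Feistel cipher it uses is a constructed teaching stand-in (round function = truncated SHA-256), not a real block cipher, and the key, IV and plaintext are constructed sample values.

```python
# Added example, not code from the sci.crypt thread: ECB vs CBC on repeated
# plaintext blocks. The toy 64-bit Feistel cipher is a constructed stand-in
# built on SHA-256, NOT a real block cipher; it only needs to be a keyed
# permutation for the demonstration to hold.
import hashlib

BLOCK = 8          # toy cipher block size in bytes
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    # Keyed round function: 4 bytes derived from key, round index and half-block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy 64-bit Feistel permutation (8 rounds)."""
    assert len(block) == BLOCK
    l, r = block[:4], block[4:]
    for rnd in range(ROUNDS):
        l, r = r, _xor(l, _f(key, r, rnd))
    return r + l  # undo the final swap so decryption mirrors encryption


def decrypt_block(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    r, l = block[:4], block[4:]
    for rnd in reversed(range(ROUNDS)):
        l, r = _xor(r, _f(key, l, rnd)), l
    return l + r


def _blocks(data: bytes):
    if len(data) % BLOCK:
        raise ValueError("input must be a multiple of the block size (pad first)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    # Blocks are encrypted independently: equal plaintext -> equal ciphertext.
    return b"".join(encrypt_block(key, b) for b in _blocks(data))


def ecb_decrypt(key: bytes, data: bytes) -> bytes:
    return b"".join(decrypt_block(key, b) for b in _blocks(data))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # Each block is XORed with the previous ciphertext block before encryption,
    # so repeated plaintext blocks no longer yield repeated ciphertext blocks.
    out, prev = [], iv
    for b in _blocks(data):
        prev = encrypt_block(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(data):
        out.append(_xor(decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)


def duplicate_blocks(ct: bytes) -> int:
    """Number of ciphertext blocks that repeat an earlier one (what a passive
    observer sees without knowing the key)."""
    bs = _blocks(ct)
    return len(bs) - len(set(bs))


# Constructed sample: five 8-byte blocks, four of them identical.
KEY = b"constructed-key!"
IV = b"\x00" * BLOCK
PLAINTEXT = b"ATTACK!!" * 4 + b"RETREAT!"


def demo():
    """Returns (duplicates under ECB, duplicates under CBC) for the sample."""
    ecb = ecb_encrypt(KEY, PLAINTEXT)
    cbc = cbc_encrypt(KEY, IV, PLAINTEXT)
    return duplicate_blocks(ecb), duplicate_blocks(cbc)


if __name__ == "__main__":
    print("ECB duplicate blocks: %d, CBC duplicate blocks: %d" % demo())
```

Under ECB the observer sees the four "ATTACK!!" blocks as four identical ciphertext blocks; under CBC the same message shows no repeats, which is exactly the structural leak the thread is weighing against the key-reuse concerns.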


--

From: Douglas A. Gwyn [EMAIL PROTECTED]
Subject: Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, 
Date: Fri, 15 Jun 2001 21:23:42 GMT


Mok-Kong Shen wrote:
 ... (I guess I definitely wouldn't be able to understand
 that kind of math AT ALL before entering university. For
 it concerns some deeper stuffs than the common predicate
 calculus, I presume, ...

A feature of PM is that in principle you don't need other
math to read it.  That doesn't mean it's easy to read ...

 ... and in mathematics there is sort of general desire
 of founding stuffs on as low a level as possible, ...

Actually, a working mathematician doesn't want to proceed
that way, because it's excruciatingly dull and unenlightening.
The primary purpose of this sort of low-level work is to
make sure that the higher levels 

Cryptography-Digest Digest #608

2001-06-14 Thread Digestifier

Cryptography-Digest Digest #608, Volume #14  Thu, 14 Jun 01 04:13:01 EDT

Contents:
  Re: Sophie-Germain Primes for sale (Ben Hamilton)
  Re: Alice and Bob Speak MooJoo (Paul Pires)
  Re: Yarrow PRNG (Anton Stiglic)
  Re: Alice and Bob Speak MooJoo (Robert J. Kolker)
  Re: Timer chip (Anton Stiglic)
  Re: Looking for Mitsuru Matsui paper (Scheidsrechter)
  Re: Alice and Bob Speak MooJoo (Paul Pires)
  Re: Looking for Mitsuru Matsui paper (Tom St Denis)
  Re: Yarrow PRNG (Eric Lee Green)
  Re: Yarrow PRNG (Eric Lee Green)
  Re: Alice and Bob Speak MooJoo ([EMAIL PROTECTED])
  Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY (wtshaw)
  Re: Alice and Bob Speak MooJoo (Paul Pires)
  Re: Alice and Bob Speak MooJoo (John A. Malley)
  Re: Uniciyt distance and compression for AES ([EMAIL PROTECTED])
  Re: When the signer is trusted do birthdays matter? (Jakob Jonsson)



From: Ben Hamilton [EMAIL PROTECTED]
Subject: Re: Sophie-Germain Primes for sale
Date: Thu, 14 Jun 2001 10:15:33 +1000

Nice link, thanks,
Ben Hamilton

Anton Stiglic [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 Just go to google, type Sophie Germain Prime, the first hit
 you get will be:
 http://www.utm.edu/research/primes/glossary/SophieGermainPrime.html
 read the definition of Sophie Germain Prime.




--

From: Paul Pires [EMAIL PROTECTED]
Subject: Re: Alice and Bob Speak MooJoo
Date: Wed, 13 Jun 2001 17:11:41 -0700


Robert J. Kolker [EMAIL PROTECTED] wrote in message 
news:[EMAIL PROTECTED]...


 David A Molnar wrote:

 
  I think the issue here is in the model, then. Normally we say Eve has
  access only to the communication between Alice and Bob. As you point out,
  given these assumptions about language, this means Eve gets noise as long
  as she cannot observe Alice and Bob's referents.

 How would Eve know whether A/B are discussing the weather,
 the stockmarket or the war du jour? Is Eve in a position to
 force a topic of discussion on A/B? If so, some kind of referent
 could be teased out, otherwise no. Is there anything corresponding
 to the chosen plaintext attack here? I don't think so.

The outside world could force a topic which would be known
to Eve and provocative enough that Eve could guess that AB
were commenting on it. An 8.7 earthquake might elicit a short
message between Alice and Bob which Eve could guess was
the equivalent of  Holy S**T Batman!!!

 In the case of the Navajo Code Talkers, the Japanese who were
 eavesdropping on their communication had some idea of what
 the Code Talkers were talking about, but were unable to tease
 out any specific words and meanings.
snip

That case was even more complicated. The Navajo language
is not a technological language and to suit wartime needs
the talkers got together and agreed on easily remembered
euphemisms for technical terms so there was actually a
three way conversion going on. (4 for the Japanese)
American war tech jargon > euphemism > Navajo > back.
The poor Japanese needed to compensate for
the known cultural difference between American and
Japanese and the unknown culture of Navaho. A
culture that brought us the concept of walking in beauty
and one which sees cyclic wheels rather than beginning to
end paths.

It must have mucked their (The Japanese interceptors) brains
up pretty badly.

Paul





--

From: Anton Stiglic [EMAIL PROTECTED]
Subject: Re: Yarrow PRNG
Date: Wed, 13 Jun 2001 20:11:57 -0400

[EMAIL PROTECTED] wrote:
 
 Anton,
 
 thanks for the inputs ... do you have a version of Yarrow that is not dependent
 on SSL?  It would be nice to have one that is standalone, that one can
 incorporate into other apps.

Maybe someone else does, we don't.  You can always go and write your own
hash function and block cipher functionality to get what you want.
I think the code only includes openssl/des.h and openssl/sha.h
(and other block ciphers and hash functions, depending on what you 
want, but you only need one of each).

 
 Also, does the link given below include the latest Yarrow paper?

It just includes a link to the site on counterpane that has the Yarrow
paper that was used.

--Anton

--

From: Robert J. Kolker [EMAIL PROTECTED]
Subject: Re: Alice and Bob Speak MooJoo
Date: Wed, 13 Jun 2001 20:20:02 -0400



Paul Pires wrote:


 It must have mucked their (The Japanese interceptors) brains
 up pretty badly.

Precisely! Ignorance (of the language) is bliss for the users of
that language. The interesting thing about the MooJoo scenario
is the Alice and Bob are conversing in the clear.

Bob Kolker



--

From: Anton Stiglic [EMAIL PROTECTED]
Subject: Re: Timer chip
Date: Wed, 13 Jun 2001 20:22:59 -0400

This works with my red-hat linux:


#ifndef _TIMER_H
#define _TIMER_H

#define TICKS 45000.0 /* replace this by your CPU speed */


/***  

Cryptography-Digest Digest #609

2001-06-14 Thread Digestifier

Cryptography-Digest Digest #609, Volume #14  Thu, 14 Jun 01 08:13:00 EDT

Contents:
  Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY (Mok-Kong Shen)
  Re: Yarrow PRNG (Tim Tyler)
  Re: FIPS 140-1 test (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY (Mok-Kong Shen)
  Re: Uniciyt distance and compression for AES (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY 
([EMAIL PROTECTED])
  Re: Alice and Bob Speak MooJoo ([EMAIL PROTECTED])
  Academic Position (Nigel Smart)
  Re: RNG (Janne Tuukkanen)
  Re: RNG (Tom St Denis)
  Re: Problem in Twofish (Philip G. Boys)



From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY
Date: Thu, 14 Jun 2001 10:28:07 +0200



[EMAIL PROTECTED] wrote:
 
[snip]
 No. In an information-theoretic sense, the plaintext you hand me is
 useless.  I am forced to consider the possibility that you are lying,
 and there is NO PROOF that you are NOT lying. If the cipher was a OTP,
 you can give me the plaintext AND the key, and I STILL can't be sure
 you aren't lying to me--even if you swear on your grandmother's grave.

I think that I misunderstood you. I am confused. Could
you please give a description of a scenario (a sequence
of events) such that an opponent could absolutely prove
that I am not lying in ANY sense? (Note that elsewhere,
e.g. in certification for PK, we don't have an 'absolute'
guarantee of security and we have to have some trust.)

M. K. Shen

--

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Yarrow PRNG
Reply-To: [EMAIL PROTECTED]
Date: Thu, 14 Jun 2001 08:26:13 GMT

Eric Lee Green [EMAIL PROTECTED] wrote:
: On Wed, 13 Jun 2001 14:51:09 GMT, Tim Tyler [EMAIL PROTECTED] wrote:

:[If you] need to slap a hash function over the outputs the question
:arises as to why you didn't put it at the heart of the algorithm
:in the first place.

: So you like the design of the Linux /dev/urandom ? 

I think having a hash function at the heart of a PRNG is going to be 
better than outputting much unadulterated block cypher output.

I've read some criticism of /dev/urandom.  Apparently it generally shares
an entropy pool with /dev/random - so using the former can cause the
latter to block rather unnecessarily.

Then there's the use of MD5 - which is no longer regarded as a good
one-way hash function, because of the techniques for finding collisions
in it.

While this is probably of low relevance to a PRNG, I'd rather have
something with no known flaws in it.
-- 
__
 |im |yler  [EMAIL PROTECTED]  Home page: http://alife.co.uk/tim/

--

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: FIPS 140-1 test
Reply-To: [EMAIL PROTECTED]
Date: Thu, 14 Jun 2001 08:28:48 GMT

Dobs [EMAIL PROTECTED] wrote:

: I am looking for source code of FIPS 140-1 statistical test for randomness
: which is used for high security application (that's what was written in
: Handbook of Applied Cryptography:)

It's at: http://quartus.net/files/Misc/

Docs at: http://www.cerberussystems.com/INFOSEC/stds/fip140-1.htm
-- 
__
 |im |yler  [EMAIL PROTECTED]  Home page: http://alife.co.uk/tim/

--

From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY
Date: Thu, 14 Jun 2001 10:53:03 +0200



wtshaw wrote:
 
 Mok-Kong Shen[EMAIL PROTECTED] wrote:
 
  Mark Wooding wrote:
  
   Mok-Kong Shen [EMAIL PROTECTED] wrote:
  
     But measures should have adequate (intuitively reasonable)
     interpretations, I suppose. If a security measure
     says 0 security, then one would 'very naturally' think
     that that means no protection at all, isn't it?
  
   This is why we have different notions of security.  There is a
   difference between the information-theoretic security provided by the
   one-time pad (and perfect secret-sharing systems) and the computational
   security provided (by assumption) by most commonly-used symmetric and
   asymmetric ciphers.
 
  The problem is whether one has a 'common' measure of
  security that could be applied to all sorts of encryptions.
 
 Note that some ciphers are outside of both of these categories.  The
 strength of them ranges from stupidly simple to GOK.
 
 There is no and can't be one common measure of security.  Without
 repeating them, I had to create that which some said could not be, a way to
 variously describe comparative security of different ciphers in several
 ways. I can't ignore Shannon, even as he did not cover all the relative
 factors and did not know and therefore could not include new aspects of
 recent ciphers in his thinking.

I suppose that discussions long ago in the group have
already established that there is no scientifically 
rigorous and practically applicable 

Cryptography-Digest Digest #610

2001-06-14 Thread Digestifier

Cryptography-Digest Digest #610, Volume #14  Thu, 14 Jun 01 13:13:01 EDT

Contents:
  Re: National Security Nightmare? (Derek Bell)
  Re: Alice and Bob Speak MooJoo (Robert J. Kolker)
  Re: RSA's new Factoring Challenges: $200,000 prize. (Chris Card)
  Re: When the signer is trusted do birthdays matter? (Phil Carmody)
  Re: help non-elephant encryption (Nicholas Sheppard)
  Re: Knapsack security??? Ahhuh (Jakob Jonsson)
  Re: Yarrow PRNG (Mark Wooding)
  Re: Alice and Bob Speak MooJoo ([EMAIL PROTECTED])
  Re: The 94 cycle 64-bit block cipher :-) (Mark Wooding)
  ENCRYPTION TYPE - UNKNOWN! :( (Total Annihilation)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY (Mok-Kong Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY 
([EMAIL PROTECTED])
  Re: Uniciyt distance and compression for AES ([EMAIL PROTECTED])
  Re: Alice and Bob Speak MooJoo (Douglas A. Gwyn)



From: Derek Bell [EMAIL PROTECTED]
Subject: Re: National Security Nightmare?
Date: 14 Jun 2001 13:24:35 +0100

Douglas A. Gwyn [EMAIL PROTECTED] wrote:
: Another example of French Academy meddling was allowing
: the use of pipeline but requiring a change in its
: pronunciation to pee-pleen.  This was an embarrassment
: to French pipeliners.

IIRC, Monsieur Alain Toubon was a minister who
supported this kind of nonsense - his opponents nicknamed
him Mister Allgood in response.

Derek
-- 
Derek Bell  [EMAIL PROTECTED]|Usenet is a strange place.
WWW: http://www.maths.tcd.ie/~dbell/index.html| - Dennis M Ritchie,
PGP: http://www.maths.tcd.ie/~dbell/key.asc   | 29 July 1999.
  |

--

From: Robert J. Kolker [EMAIL PROTECTED]
Subject: Re: Alice and Bob Speak MooJoo
Date: Thu, 14 Jun 2001 08:56:03 -0400



John A. Malley wrote:


 What Eve gets is not _noise_ in the electrical
 engineering/communications systems point of view, though. Eve detects
 correlations between portions of the stream of signal over time. She'll
 detect similar or identical modulations of signal characteristics
 (amplitudes of frequencies, phases of frequencies ) in different
 portions of the stream of signal over time.  Time-varying modulation of
 signal characteristics is indicative of communication between
 intelligent creatures.

 Eve can learn a lot about the meaning of the signal from their
 responses with respect to the context dictated by events common to
 Alice, Bob and her.  She can correlate events, the signal patterns
 following immediately after the events and any observable actions of
 Alice or Bob and assign a rough meaning to the patterns.

There are no observable actions of Alice and Bob other than the
communications. In the absence of a shared referent, Eve is up
the creek. Now let us assume Eve does something like the
chosen plaintext attack. Eve creates events which she * hopes *
Alice and Bob will reference in their communications. Let us
assume, arguendo, that Alice and Bob oblige Eve in this regard.
The best Eve can come up with is some good guesses pertaining
to nouns, the names of things and events. Is this enough
to understand the communication? No. What about adjectives
and adverbs?  How does one convey to a child the concept of
pretty or bad except by ostension (initially anyway)? In the absence
of the Pointing Finger no human child can learn his first language.
The only possible crib that Eve has with regard to MooJoo is a
shared cultural experience. If Alice and Bob had totally foreign
cultural outlooks and artifacts, Eve would not have a chance to
figure out what A/B are saying to each other.

Let me give you a homely example.  You are on a bus, train or
plane and there is a Japanese couple sitting nearby having a
conversation in Japanese. Assuming you are not a nihonophone,
how could you possibly decode the conversation by passive
listening? Answer: You can't. To learn Japanese you must
* interact * somehow with Japanese speakers to get the basic
referents (things and their names).

What is wrong with the following scenario found in just about
any sci fi movie made in the 1950s?

We learned your Earth Languages from your * radio *
broadcasts.

Bob Kolker



--

From: [EMAIL PROTECTED] (Chris Card)
Subject: Re: RSA's new Factoring Challenges: $200,000 prize.
Date: 14 Jun 2001 06:11:36 -0700

Peter Trei [EMAIL PROTECTED] wrote in message 
news:[EMAIL PROTECTED]...
 RSA Security, has revamped its Factoring Challenges.
 
 Prizes now start at US$10,000 (factorization of a 576 bit modulus)
I've been running a polynomial selection for RSA576, and I've got quite a good 
one - anyone got a spare Cray big enough to do the matrix reduction step? I don't see 
any point starting sieving if the matrix is likely to be too big to handle.

Chris

--

From: Phil 

Cryptography-Digest Digest #613

2001-06-14 Thread Digestifier

Cryptography-Digest Digest #613, Volume #14  Thu, 14 Jun 01 19:13:01 EDT

Contents:
  Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY (Mok-Kong Shen)
  Re: Substitution Humor! (stanislav shalunov)
  Re: CipherText E-mail encryption (Joseph Ashwood)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY 
([EMAIL PROTECTED])
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, andLarge 
Primes ([EMAIL PROTECTED])
  Re: survey (Mok-Kong Shen)
  Re: Break on Schneiers first proposed self-study cipher (Sam Yorko)
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack,  (Mok-Kong Shen)
  Re: RNG (Andrew E. Schulman)
  Re: BigNum Question (AY)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY (Mok-Kong Shen)
  Re: CipherText E-mail encryption (Prichard, Chuck)
  Re: survey (Joseph Ashwood)
  Re: Break on Schneiers first proposed self-study cipher (Tom St Denis)
  Re: CipherText E-mail encryption (Prichard, Chuck)
  Re: CipherText E-mail encryption (Tom St Denis)
  Re: survey (Joseph Ashwood)



From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY
Date: Thu, 14 Jun 2001 23:14:44 +0200



[EMAIL PROTECTED] wrote:
 
 Mok-Kong Shen [EMAIL PROTECTED] writes:
  [EMAIL PROTECTED] wrote:
 
  ...there's one thing you can't lie about, period: the question
  ``Does this private key go with that public key?'' You can't fool me,
  because I can verify (i.e., ``absolutely prove'') it for myself.
 
  Isn't it that the existence of the so-called trust centers is because
  of the need of proving whether a public key actually belongs to me?
 
 But you keep changing the subject. Knowing that I'm dealing with *you*
 and not with Dr. Evil is separate from the cryptanalysis of your
 messages. In practical situations I know who I'm dealing with; I've
 spied on the Mokkian diplomats; I've subverted the parlourmaid of Mok,
 the King of all Mokkia; I've located your transmitters deep in the heart
 of Mok-Kongs-burg, the capital city; and I've found copies of your public
 key in radio rooms on captured Mokkian subs.
 
 So denying your identity isn't going to fool me. The only interesting
 question is, ``Do I now have the private key which unlocks the messages
 we've intercepted?'' An absolute proof, one way or the other, is not
 hard.
 
 BTW, establishing identity only connects an individual to a body of
 messages. The body of messages have an ``identity'' of their own; they
 were all produced with one public key. And the private key can be
 verified with certainty. So the only missing puzzle piece is the owner
 of the key. If I can pin any single message on you, then I can pin all
 of them on you--unless you can convince a jury that your private key was
 stolen before the messages were written.
 
 The same applies to guns used in multiple crimes, fingerprints left by
 an unknown suspect, or--in the case of Timothy McVeigh--a prepaid phone
 card.


I was not changing the subject, i.e. diverting to something
else. You were talking of the possibility of 'proving'
I am not lying (or the opposite). I was attempting to
show that a proof in the absolute sense, as far as
that topic goes, is in practice not possible. Note that
I understand a proof to be different from merely having
very very high confidence on a matter.

Yes, if someone hands over to you the private key (he 
stole it from me or employed a very huge computer), 
then you can check that that private key corresponds 
to the public key. But you can't yet 'link' that to me 
in the absolute sense. I am referring here to your claim 
that there is no way I can lie about that ('that' means
'the private key is mine'). My point is that I can deny
that the public key is mine, which renders the question
of whether the private key is mine effectively a
non-issue.

M. K. Shen

--

From: stanislav shalunov [EMAIL PROTECTED]
Subject: Re: Substitution Humor!
Date: 14 Jun 2001 17:17:58 -0400

Here's the original: http://www.netfunny.com/rhf/jokes/87/2094.10.html

-- 
Stanislav Shalunov  http://www.internet2.edu/~shalunov/

All revolutions are bloody.  The October Revolution was bloodless,
but it was only the beginning.   -- Dmitri Volkogonov

--

From: Joseph Ashwood [EMAIL PROTECTED]
Subject: Re: CipherText E-mail encryption
Date: Thu, 14 Jun 2001 14:21:40 -0700

Prichard, Chuck [EMAIL PROTECTED] wrote in message
news:Vj8W6.1145$[EMAIL PROTECTED]...
 It's a demonstration.

So a completely fatal flaw makes a good demonstration? You are clearly not
as intelligent as you would have us think in these matters.


 The feature is planned for implementation in a commercial release.

Oh Gee Golly, more useless crypto for sale. You have never properly
documented the algorithm. You have never 

Cryptography-Digest Digest #602

2001-06-13 Thread Digestifier

Cryptography-Digest Digest #602, Volume #14  Wed, 13 Jun 01 06:13:01 EDT

Contents:
  IQ Test - The Answer (IQTaste)
  Re: Simple Crypto II, the public key... (Vincent Quesnoit)
  Re: Some questions on GSM and 3G (Dave)
  Re: Free Triple DES Source code is needed. (Paul Schlyter)
  Re: Free Triple DES Source code is needed. (Paul Schlyter)
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, and   (Mok-Kong 
Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY (Mok-Kong Shen)
  Re: Alice and Bob Speak MooJoo (David A Molnar)
  Re: Alice and Bob Speak MooJoo (Phil Carmody)
  Re: Free Triple DES Source code is needed. (Tom St Denis)
  Re: Sophie-Germain Primes for sale (Tom St Denis)
  Re: Alice and Bob Speak MooJoo (Phil Carmody)
  Re: Sophie-Germain Primes for sale (Tom St Denis)



From: [EMAIL PROTECTED] (IQTaste)
Date: 13 Jun 2001 04:47:33 GMT
Subject: IQ Test - The Answer

http://www.geocities.com/iq516/

--

From: Vincent Quesnoit [EMAIL PROTECTED]
Subject: Re: Simple Crypto II, the public key...
Date: Wed, 13 Jun 2001 07:40:32 +0200
Reply-To: [EMAIL PROTECTED]

The modpow function can be greatly improved by use of repeated squaring
instead of simple multiplications; this would reduce the number of
operations to a maximum of 2*log(exponent).

int mod_pow(int ch, int exp, int modulo)
{
    int result, power;
    result = 1;
    power = ch % modulo;
    while (exp != 0) {
        if ((exp & 1) == 1) {              /* bit of exponent set: multiply in */
            result = (result * power) % modulo;
        }
        power = (power * power) % modulo;  /* square for the next bit */
        exp >>= 1;                         /* move on to the next exponent bit */
    }
    /* note: result * power must fit in an int, so modulo must stay small */
    return result;
}
HTH,
Vincent


Fat Phil a écrit :

 [EMAIL PROTECTED] wrote:
 
  Phil Carmody [EMAIL PROTECTED] wrote:
  : OK, is there an asymmetric equivalent to the symmetric
 
  : while((c=getchar())!=EOF) putchar(c^k);
 
  Okay, I know this is really simplistic, but it does work.
 [SNIP]
  Both programs are basically just RSA.
 [SNIP]

 Thanks, nice, short, simple. Real simple.
 I'd wield  C99's long longs at it, to get pq=64bits for improved
 delusion of security! :-)

 I'm scratching my head as we speak, and I intend to throw something
 together which is not much more complicated code-wise, but much more
 secure...
 I'm thinking ElGamal... I'm thinking of chosing P so that I can cheat
 when it comes to mod operations...

 Phil


--

Crossposted-To: alt.privacy
Subject: Re: Some questions on GSM and 3G
From: [EMAIL PROTECTED] (Dave)
Date: Wed, 13 Jun 2001 06:52:27 GMT

Boyd Roberts [EMAIL PROTECTED] wrote in 
9g6mcc$i2n$[EMAIL PROTECTED]:

 what's the bet that 3G will just die?  all it seems to be
 is a revenue generator for governments who control spectrum
 resources and licencing.
 
You should know that yourself.
Do you have any use for it?
Not for serious data transmission; storage and display are not big
enough. So the internet isn't a serious use. Do you wish to be spammed
by businesses? Who is going to pay?
Would your friends use it?
It's an overhyped technology that isn't ready, an invention waiting for
a use.

-- 

--

From: [EMAIL PROTECTED] (Paul Schlyter)
Subject: Re: Free Triple DES Source code is needed.
Date: 12 Jun 2001 02:22:22 +0200

In article qj9V6.87861$[EMAIL PROTECTED],
Tom St Denis [EMAIL PROTECTED] wrote:
 
 Sam Yorko [EMAIL PROTECTED] wrote in message
 news:[EMAIL PROTECTED]...
 Tom St Denis wrote:

 [EMAIL PROTECTED] wrote in message
 news:rhlI6.389$[EMAIL PROTECTED]...

 Hi;

 I have looked every where on the web to find a Free C/C++ Source Code
 implementation of Triple-DES.
 I have found some, but it either has a damaged zip or tar file.

 Can some one help me please? Where can I find the Triple DES source
 code?

 Not to be picky but look harder.  It's not hard to find FTP's that have
 tons of source code.

 Second what is this C/C++ thing you talk about?  It's C *OR* C++ not
 both.
 That's like saying I eat apple-pears instead of I eat apples and/or
 pears.
 The combo is non-existent.


 Tom

 Obviously you've never eaten fruit cocktail...

 We have projects where we are compiling C and C++ source modules, and
 then linking them into a single executable
 
 Yes, but you compile the C++ parts with a C++ compiler and C parts with
 a C compiler.
 
 That's like saying I use a C/C++/ASM compiler since some of the object code
 comes from assembly written routines (i.e crt0 in GCC).
 
C++ compilers and C compilers aren't as separate as you seem to
believe.  Today most C++ compilers are also able to compile C
programs as C programs (no C++ name mangling of externals; C instead
of C++ scope rules, etc).
 
Yet some care must be taken when linking C modules and C++ modules
into the same executable:  main() usually resides in a C++ module,
and C++ code usually calls C code but rarely the other way around.
 
Yet it is much much 

Cryptography-Digest Digest #603

2001-06-13 Thread Digestifier

Cryptography-Digest Digest #603, Volume #14  Wed, 13 Jun 01 08:13:01 EDT

Contents:
  Re: The 94 cycle 64-bit block cipher :-) (Phil Carmody)
  Re: Uniciyt distance and compression for AES ([EMAIL PROTECTED])
  Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY ([EMAIL PROTECTED])
  Re: help non-elephant encryption (Nicholas Sheppard)
  Re: Yarrow PRNG (Mark Wooding)
  Re: help non-elephant encryption ([EMAIL PROTECTED])
  Re: One last bijection question (Mark Wooding)
  Re: Simple Crypto II, the public key... (Phil Carmody)
  Re: Timer chip (Harris Georgiou)
  Re: Uniciyt distance and compression for AES ([EMAIL PROTECTED])
  Re: One last bijection question ([EMAIL PROTECTED])
  Re: Simple Crypto II, the public key... (Phil Carmody)
  Re: Simple Crypto II, the public key... (Phil Carmody)
  Re: Sophie-Germain Primes for sale (Phil Carmody)
  Re: Yarrow PRNG (Tim Tyler)



From: Phil Carmody [EMAIL PROTECTED]
Subject: Re: The 94 cycle 64-bit block cipher :-)
Date: Wed, 13 Jun 2001 10:26:05 GMT

Tom St Denis wrote:
 Well I feel honoured that you are archiving my stuff :-)  Feel free to
 download/repost/edit/whatever anything on my site.  You can take my source
 and redistribute it if you want.  (That's the point of sharing ya know :-0).

Sharing is good. Readers contributing back is even better.

 I would appreciate comments on my upcoming ideas though.  Even if you don't
 have something rigorous more than oh neat.  It's nice to just hear from
 others.

Upcoming? Hmmm, I'd rather rewind the clock a few months if I may :-)

I'm curious about your 3-hash actually.

for (r = 16; r < SIZE; r++) {
    t = W[r - 3] ^ W[r - 8] ^ W[r - 14] ^ W[r - 16] ^ r ^
        0x9E379B93ul;
    W[r] = (t << 1ul) | (t >> 31ul);   /* rotate left by one bit */
}


The ^r seems to be added to add a little more non-linearity, and the
^0x9E379B93ul seems to add some noise to those cases over-populated with
zeros.
However, the ^r only touches the bottom 7 bits (or thereabouts).

Assuming x86 has a nice fast integer multiply, wouldn't 
^(r*0x9E379B93ul)
do a better job, potentially touching all bits?


I'm also curious - why aren't the well-known CRC algorithms used as
hashes? Is it that they aren't one-way? (they look reversible, but I've
not studied them closely). Or is it just that they are too short, and if
they were made longer they'd take too long to actually get all the bits
mixed up? (so would be useless for a short message)

Phil

--

From: [EMAIL PROTECTED]
Subject: Re: Uniciyt distance and compression for AES
Date: Wed, 13 Jun 2001 01:32:55 -0800

Tim Tyler wrote:
 
 [EMAIL PROTECTED] wrote:
 : Tim Tyler wrote:
 : [EMAIL PROTECTED] wrote:
[snip]
 :
 : : What isn't clear to me is how a compression algorithm can be intelligent
 : : enough to distinguish meaningful from meaningless inputs (although
 : : it would be easier if the compression algorithm knew the input language).
 :
 : Compression algorithms need to do no such thing in order
 : for the unicity distance to be increased.
 :
 : All they really need to do is compress plausible-looking messages
 : on average - and face it - if they didn't do that, it would be hard
 : to justify calling them compressors in the context of the target data.

I worked through an example that indicates that this isn't true. Whether
or not the redundancy is reduced depends on how many meaningless
messages the compressor compresses. I don't think it's sufficient to say
that the compressor increases the unicity distance just because it
compresses more meaningful messages than meaningless messages.
 
  : Someone is going to have to do a better job of explaining this before I can
 : buy it.
 : The explanation should be simple:
 
 : n_o = H(k)/d  where n_o = unicity distance, H(k) is keyspace entropy
 :   and d = redundancy = r_o - r_n and r_o = r_n if all possible
 :   messages are meaningful.
 
 : Explain how compression effectively reduces the redundancy (i.e. even if
 : I am able to decompress decryptions before determining whether or not
 : the key is spurious) if both meaningful and meaningless messages are
 : compressed. H(k) is assumed constant so the only way to increase n_o is
 : to decrease d . So to show that compression increases unicity distance,
 : one has to show that compression effectively reduces the redundancy d.
 
 That's what compression *does*.  It makes files shorter, increasing
 the entropy per bit (entropy remains the same, number of bits in
 message decreases).  When entropy-per-bit goes up, redundancy goes down.

I think the entropy refers to the entropy of the message space, which
would be affected if the number of bits decreases because the message
space would become smaller.
 
 : I don't see how compression can reduce d unless it filters out
 : meaningless messages.
 
 I'm not sure what filter out might mean in the context of lossless
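
A small worked computation of the quantities in n_o = H(k)/d, added here as an example (it is not code from anyone in the thread). It treats the empirical per-byte entropy of a sample as the rate r_n, takes r_o = 8 bits for a byte alphabet, and applies the formula to a constructed sample before and after zlib compression. Using per-byte entropy as a stand-in for the message-space entropy the posters are arguing about is the example's own assumption, as is the 128-bit key entropy.

```python
import math
import zlib
from collections import Counter

ALPHABET_BITS = 8  # r_o for a byte-oriented alphabet: log2(256)


def entropy_per_symbol(data: bytes) -> float:
    """Empirical Shannon entropy per symbol, in bits (a proxy for r_n)."""
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redundancy(data: bytes, alphabet_bits: int = ALPHABET_BITS) -> float:
    """d = r_o - r_n: absolute rate of the alphabet minus the observed rate."""
    return alphabet_bits - entropy_per_symbol(data)


def unicity_distance(key_entropy_bits: float, d: float) -> float:
    """n_o = H(k) / d.  With d = 0 (every string is a plausible message,
    r_o = r_n) there is no unicity point at all, expressed here as infinity."""
    if d <= 0:
        return math.inf
    return key_entropy_bits / d


def compare(sample: bytes, key_entropy_bits: float = 128.0) -> dict:
    """Apply the formula to a sample and to its zlib-compressed form."""
    packed = zlib.compress(sample, 9)
    d_plain = redundancy(sample)
    d_packed = redundancy(packed)
    return {
        "plain_len": len(sample),
        "packed_len": len(packed),
        "d_plain": d_plain,
        "d_packed": d_packed,
        "n0_plain": unicity_distance(key_entropy_bits, d_plain),
        "n0_packed": unicity_distance(key_entropy_bits, d_packed),
    }


if __name__ == "__main__":
    # Constructed sample: repetitive, low-entropy English-like text.
    sample = b"the quick brown fox jumps over the lazy dog. " * 40
    for k, v in compare(sample).items():
        print(f"{k:>10}: {v:.3f}" if isinstance(v, float) else f"{k:>10}: {v}")
```

For a repetitive sample you should see the compressed bytes with a much flatter byte distribution, so d drops and n_o rises; whether that per-byte estimate says anything about the message space is exactly the point under dispute above.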
 

Cryptography-Digest Digest #604

2001-06-13 Thread Digestifier

Cryptography-Digest Digest #604, Volume #14  Wed, 13 Jun 01 10:13:00 EDT

Contents:
  Re: Special promotion: White-Hat Security Arsenal at 40% off on  (Phil Carmody)
  Re: Sophie-Germain Primes for sale (Mark Wooding)
  Beginner's Question (Jschutkeker)
  Re: IV (Mark Wooding)
  Re: Uniciyt distance and compression for AES (SCOTT19U.ZIP_GUY)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY (Mark Wooding)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY (Mark Wooding)
  Re: Uniciyt distance and compression for AES (Tim Tyler)
  Re: Alice and Bob Speak MooJoo (Robert J. Kolker)
  Re: Yarrow PRNG (Eric Lee Green)
  Re: differential cryptanalysis with a new twist? (Mika R S Kojo)



From: Phil Carmody [EMAIL PROTECTED]
Crossposted-To: alt.security,comp.security.misc
Subject: Re: Special promotion: White-Hat Security Arsenal at 40% off on 
Date: Wed, 13 Jun 2001 12:23:41 GMT

Avi Rubin wrote:
 This book is currently being featured at a special 40% discount
 on Amazon.com, for a limited time.
 
 http://www.amazon.com/exec/obidos/tg/feature/-/175767/102-9130054-3732109
 
  White-Hat Security Arsenal: Tackling the Threats
   - with a foreword by Bill Cheswick
 
  Paperback - 384 pages (June, 2001)
  Addison-Wesley ISBN: 0-201-71114-1
 
  See http://white-hat.org/ for detailed information.
 
  Amazon page:
  http://www.amazon.com/exec/obidos/ASIN/0201711141
 
  Addison Wesley page:
  http://cseng.aw.com/book/0,3828,0201711141,00.html
 
  Feel free to forward this message to any people/mailing lists who may be
  interested.
 
  Avi Rubin

From http://cseng.aw.com/book/0,3828,0201711141,00.html - 

White-Hat Security Arsenal ups the ante for the good guys in the arms
race against computer-based crime. Like a barrage of cruise missiles,
Avi's excellent book attains air superiority by leveraging smarts and
advanced GPS technology to zero in on critical targets. Intended to
educate and inform information security professionals with a
no-nonsense, hold-the-hype approach to security, this book is a
critical weapon for modern information warriors. If you wear a white
hat and are on the good guys' team, buy this book. Don't go into battle
without it!
--Gary McGraw, Ph.D., CTO, Cigital


I'm curious what no-nonsense and hold-the-hype mean after reading
that quote.

I'm not trying to be disrespectful to the book or the author, I'm just
saying that I will certainly wait until I have seen another
(independent) review. Preferably a review with better leveraged smarts. 

Phil

--

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Sophie-Germain Primes for sale
Date: 13 Jun 2001 12:22:10 GMT

Tom St Denis [EMAIL PROTECTED] wrote:
 David Hopwood wrote:
  Tom St Denis wrote:
 
   A SG prime is of the form p = 2q + 1, where q itself is prime and of
   course p mod 4 = 3.
  
  No. It's not two weeks since I last corrected you on this (message ID
  [EMAIL PROTECTED]).
  
  If p = 2q + 1 for p and q both prime, then q is a Germain prime, and
  p is a safe prime. Also it is not part of the definition that p = 3
  (mod 4) (counterexample: p = 5, q = 2, although admittedly that is
  the only counterexample).

 Ok.  Well if you checked the numbers you would realize they are all 3
 mod 4.

Learn to read.

The correction is that, when p = 2 q + 1 with p and q prime, it's *q*
which is the Sophie Germain prime.  We in the crypto community call p a
`safe' prime, though I don't believe it has a name among general
mathematicians.

You're right that if q is odd then p = 2 q + 1 = 3 (mod 4).  That's why
David said that 5 is the only safe prime not congruent to 3 (mod 4).

 When I said and of course p mod 4 = 3 I meant of course I made them
 such that ..., although I can see how that could have been misleading.

You couldn't have made nontrivial safe primes to have any other residue
mod 4.

-- [mdw]
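
The definitions above are easy to check numerically. The following Python is an added example, not code from the thread: trial-division primality (adequate for the small range enumerated here, not for cryptographic sizes), predicates for Sophie Germain and safe primes, and a scan showing that 5 is the only safe prime not congruent to 3 (mod 4).

```python
def is_prime(n: int) -> bool:
    """Deterministic trial division; fine for the small illustrative range here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


def is_sophie_germain(q: int) -> bool:
    """q is a Sophie Germain prime when q and 2q + 1 are both prime."""
    return is_prime(q) and is_prime(2 * q + 1)


def is_safe(p: int) -> bool:
    """p is a safe prime when p is an odd prime and (p - 1) / 2 is prime."""
    return is_prime(p) and p % 2 == 1 and is_prime((p - 1) // 2)


def safe_primes_below(limit: int) -> list:
    return [p for p in range(2, limit) if is_safe(p)]


def sophie_germain_primes_below(limit: int) -> list:
    return [q for q in range(2, limit) if is_sophie_germain(q)]


def safe_primes_not_3_mod_4(limit: int) -> list:
    """Safe primes p < limit with p != 3 (mod 4).  Only p = 5 (q = 2) qualifies:
    for odd q = 2k + 1, p = 2q + 1 = 4k + 3."""
    return [p for p in safe_primes_below(limit) if p % 4 != 3]


if __name__ == "__main__":
    print("Sophie Germain primes < 100:", sophie_germain_primes_below(100))
    print("safe primes < 100:", safe_primes_below(100))
    print("safe primes < 10000 not 3 mod 4:", safe_primes_not_3_mod_4(10000))
```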

--

From: [EMAIL PROTECTED] (Jschutkeker)
Date: 13 Jun 2001 12:51:44 GMT
Subject: Beginner's Question


This may be a naive question, but I just finished reading Frederick Bauer's
badly written book, Decrypted Secrets and it gave me an idea.  Has anybody
ever tried a cryptanalytic technique based on exhaustion by linguistic
particles?  If so, could you provide me some references so I can see what's
been done and how well it works?

Thanks,
JS

--

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: IV
Date: 13 Jun 2001 13:10:12 GMT

Tim Tyler [EMAIL PROTECTED] wrote:

 Not really.  We've already discussed weaknesses in CTR mode when
 cyphertexts are small.  The idea that CTR mode is as secure as the
 underlying block cypher is essentially a myth - despite the supposed
 proof to this effect - because of this. 

I think you've misunderstood the security notions behind the proof.

The notion used is the `real-or-random' test.  It works like 

Cryptography-Digest Digest #605

2001-06-13 Thread Digestifier

Cryptography-Digest Digest #605, Volume #14  Wed, 13 Jun 01 13:13:01 EDT

Contents:
  Re: IV (Tim Tyler)
  Re: IV (Volker Hetzer)
  Re: Yarrow PRNG (Mark Wooding)
  Re: IV (Tim Tyler)
  Re: The 94 cycle cipher (Phil Carmody)
  Re: Yarrow PRNG (Tim Tyler)
  Re: IV (Volker Hetzer)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY (Mok-Kong Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY (Mok-Kong Shen)
  Re: IV (Tim Tyler)
  Re: One last bijection question (Mok-Kong Shen)
  Re: When the signer is trusted do birthdays matter? (Phil Carmody)
  Re: IV (Volker Hetzer)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY ([EMAIL PROTECTED])
  Re: Notion of perfect secrecy (Mark Wooding)



From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: IV
Reply-To: [EMAIL PROTECTED]
Date: Wed, 13 Jun 2001 14:18:39 GMT

Mark Wooding [EMAIL PROTECTED] wrote:
: Tim Tyler [EMAIL PROTECTED] wrote:

: Not really.  We've already discussed weaknesses in CTR mode when
: cyphertexts are small.  The idea that CTR mode is as secure as the
: underlying block cypher is essentially a myth - despite the supposed
: proof to this effect - because of this. 

: I think you've misunderstood the security notions behind the proof.

I don't think so.

I have no argument with the proof - just with people subsequently claiming
that it proved that use of CTR mode (as proposed by Wagner et al as an AES
standard chaining mode) is as secure as the block cypher involved.

In listing CTR mode advantages they say things like:

``Messages of arbitrary bit-length. Unlike other common modes of
  operation, handling messages of arbitrary bit-length is made trivial. No
  bits are wasted in doing this---the ciphertext C is of the same length
  as the plaintext M. [...]''

...and...

``security of CTR-mode encryption. See [2], which shows that the concrete
  security bounds one gets for CTR-mode encryption, using a block cipher,
  are no worse than what one gets for CBC encryption. (Indeed there are
  approaches to get better security bounds with CTR-mode encryption than
  with CBC mode, though these do not directly use the block cipher E).''

This is twaddle - you can't have it both ways.

CTR mode security sucks in the example of (say) 8 bit cyphertexts.
The message space is reduced down to one of 256 possible plaintexts.
This is *hugely* worse than the block cypher in CBC mode with some
padding scheme or another.

To claim that CTR mode security is proven no worse than CBC mode
on the basis of the fact that the CTR-mode stream is proven hard
to distinguish from a random one (assuming there's no break in the
underlying block cypher) is utter nonsense.
-- 
__
 |im |yler  [EMAIL PROTECTED]  Home page: http://alife.co.uk/tim/

--

From: Volker Hetzer [EMAIL PROTECTED]
Subject: Re: IV
Date: Wed, 13 Jun 2001 16:30:59 +0200

Tim Tyler wrote:
 CTR mode security sucks in the example of (say) 8 bit cyphertexts.
 The message space is reduced down to one of 256 possible plaintexts.
 This is *hugely* worse than the block cypher in CBC mode with some
 padding scheme or another.
 
 To claim that CTR mode security is proven no worse than CBC mode
 on the basis of the fact that the CTR-mode stream is proven hard
 to distinguish from a random one (assuming there's no break in the
 underlying block cypher) is utter nonsense.
If you compare short messages you should either do what other modes do, namely
padding to a comparable plaintext size (i.e. one block of the underlying block
cipher) or use an 8 bit block cipher for cbc.

Greetings!
Volker
--
They laughed at Galileo.  They laughed at Copernicus.  They laughed at
Columbus. But remember, they also laughed at Bozo the Clown.

--

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Yarrow PRNG
Date: 13 Jun 2001 14:41:56 GMT

Eric Lee Green [EMAIL PROTECTED] wrote:

 1. Can this lead to a possible attack? E.g., if someone knows that a 
   ciphersystem is obtaining key data and challenges via Yarrow, does this 
   in any way compromise the security of the ciphersystem?

In theory, yes, it weakens systems a little.  In practice, the
difference is negligible.  For example, suppose that you're trying to
guess a 128-bit key for some `perfect' cipher, but you know that the key
was generated using Yarrow-160.  You `only' need to search 2^{128} -
2^{64} keys -- that's a whole 2^{64} fewer than if you didn't know
Yarrow had been used.  (2^{64} is a tiddly tiny number compared to
2^{128}.)

 2. Could this have been fixed by the simple step of adding yet another
   SHA-1 to the algorithm, at the output, to further stir the values
   being given to the user? 

Possibly.  This isn't really the `right fix', though.  It adds a load of
complexity and makes it slower and harder to analyse.

-- [mdw]

--

From: 

Cryptography-Digest Digest #606

2001-06-13 Thread Digestifier

Cryptography-Digest Digest #606, Volume #14  Wed, 13 Jun 01 16:13:00 EDT

Contents:
  Re: Simple Crypto II, the public key... (Mark Wooding)
  ?? (Mykhailo Lyubich)
  Re: The 94 cycle 64-bit block cipher :-) (Tom St Denis)
  Re: OTP WAS BROKEN!!! (Tim Tyler)
  Re: Simple Crypto II, the public key... (Tom St Denis)
  Re: Sophie-Germain Primes for sale (Tom St Denis)
  Re: Uniciyt distance and compression for AES ([EMAIL PROTECTED])
  Re: The 94 cycle cipher (Tom St Denis)
  Looking for Mitsuru Matsui paper (Tom St Denis)
  Re: Uniciyt distance and compression for AES ([EMAIL PROTECTED])
  Re: IV (Cristiano)
  Re: Sophie-Germain Primes for sale (John Savard)
  Re: Alice and Bob Speak MooJoo (David A Molnar)
  Re: Sophie-Germain Primes for sale (Joseph Ashwood)
  Re: Sophie-Germain Primes for sale (Tom St Denis)
  Re: fast CTR like ciphers? (jlcooke)
  Re: curious about MD3 (jlcooke)
  Re: Simple Crypto II, the public key... (Fat Phil)
  Re: curious about MD3 (Tom St Denis)
  Re: Uniciyt distance and compression for AES (SCOTT19U.ZIP_GUY)
  Re: IV (SCOTT19U.ZIP_GUY)
  Re: ?? (jlcooke)



From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Simple Crypto II, the public key...
Date: 13 Jun 2001 17:21:21 GMT

Phil Carmody [EMAIL PROTECTED] wrote:
 Vincent Quesnoit wrote:

  int mod_pow(int ch, int exp, int modulo)
  {
      long long result = 1;                 /* wide intermediates: result*power must not overflow int */
      long long power = ch % modulo;
      while (exp != 0) {
          if ((exp & 1) == 1) {             /* low bit of exponent set: multiply in current power */
              result = (result * power) % modulo;
          }
          power = (power * power) % modulo; /* square for the next bit */
          exp >>= 1;                        /* move to the next bit of the exponent */
      }
      return (int)result;
  }
 
 I'm a 'right-to-left' man myself.

Good, because the algorithm above is right-to-left.

I'm a left-to-right man.  The basic algorithms are very similar in terms
of efficiency, but right-to-left is the end of the road, whereas there
are all sorts of clever things you can do with left-to-right (sliding
window exponentiation, simultaneous exponentiation...)

-- [mdw]
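
To make the right-to-left / left-to-right distinction concrete, here is an added Python example (not code from Vincent, Phil or Mark): the right-to-left binary method from the C mod_pow quoted above, the left-to-right binary method, and a left-to-right sliding-window variant of the kind Mark mentions. Each returns the result together with the number of modular multiplications it performed, so the 2*log(exponent) bound from Vincent's post and the sliding-window saving can both be observed. The window width w = 4 is the example's own choice.

```python
def modpow_rtl(base: int, exp: int, mod: int):
    """Right-to-left binary method, the shape of the C mod_pow quoted above.
    Returns (result, number of modular multiplications)."""
    result, power, mults = 1 % mod, base % mod, 0
    while exp:
        if exp & 1:                       # low bit set: multiply in current power
            result = result * power % mod
            mults += 1
        power = power * power % mod       # square for the next bit
        mults += 1
        exp >>= 1
    return result, mults


def modpow_ltr(base: int, exp: int, mod: int):
    """Left-to-right binary method: scan exponent bits from the top,
    square every step and multiply by the base on a 1 bit."""
    result, mults = 1 % mod, 0
    base %= mod
    for bit in bin(exp)[2:]:              # most significant bit first
        result = result * result % mod
        mults += 1
        if bit == "1":
            result = result * base % mod
            mults += 1
    return result, mults


def modpow_sliding(base: int, exp: int, mod: int, w: int = 4):
    """Left-to-right sliding-window method: precompute the odd powers
    base^1, base^3, ..., base^(2^w - 1), then consume up to w exponent bits
    per multiplication.  This only works when scanning left to right, which
    is the kind of refinement Mark refers to."""
    base %= mod
    table = {1: base}
    b2 = base * base % mod
    mults = 1
    for i in range(3, 1 << w, 2):         # odd powers only
        table[i] = table[i - 2] * b2 % mod
        mults += 1
    bits = bin(exp)[2:]
    result, i, n = 1 % mod, 0, len(bits)
    while i < n:
        if bits[i] == "0":                # lone zero bit: square only
            result = result * result % mod
            mults += 1
            i += 1
            continue
        j = min(i + w, n)                 # longest window of <= w bits ending in a 1
        while bits[j - 1] == "0":
            j -= 1
        for _ in range(j - i):            # one squaring per bit in the window
            result = result * result % mod
            mults += 1
        result = result * table[int(bits[i:j], 2)] % mod
        mults += 1
        i = j
    return result, mults


if __name__ == "__main__":
    e, m = (1 << 200) - 1, 1000003          # constructed: 200 one-bits, arbitrary modulus
    for f in (modpow_rtl, modpow_ltr, modpow_sliding):
        r, k = f(3, e, m)
        print(f"{f.__name__:15s} result={r:7d} multiplications={k}")
```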

--

From: Mykhailo Lyubich [EMAIL PROTECTED]
Subject: ??
Date: Wed, 13 Jun 2001 19:28:54 +0200

Hi,

is this list suitable to post a protocol description/question?


--
Mykhailo Lyubich



--

From: Tom St Denis [EMAIL PROTECTED]
Subject: Re: The 94 cycle 64-bit block cipher :-)
Date: Wed, 13 Jun 2001 17:29:16 GMT

Phil Carmody wrote:
 
 Tom St Denis wrote:
  Well I feel honoured that you are archiving my stuff :-)  Feel free to
  download/repost/edit/whatever anything on my site.  You can take my source
  and redistribute it if you want.  (That's the point of sharing ya know :-0).
 
 Sharing is good. Readers contributing back is even better.
 
  I would appreciate comments on my upcoming ideas though.  Even if you don't
  have something rigorous more than oh neat.  It's nice to just hear from
  others.
 
 Upcoming? Hmmm, I'd rather rewind the clock a few months if I may :-)
 
 I'm curious about your 3-hash actually.
 
 for (r = 16; r < SIZE; r++) {
     t = W[r - 3] ^ W[r - 8] ^ W[r - 14] ^ W[r - 16] ^ r ^
         0x9E379B93ul;
     W[r] = (t << 1ul) | (t >> 31ul);   /* rotate left by one bit */
 }
 
 
 The ^r seems to be added to add a little more non-linearity, and the
 ^0x9E379B93ul seems to add some noise to those cases over-populated with
 zeros.
 However, the ^r only touches the bottom 7 bits (or thereabouts).
 
 Assuming x86 has a nice fast integer multiply, wouldn't
 ^(r*0x9E379B93ul)
 do a better job, potentially touching all bits?

Yes it would.  I used ^r for speed.  Admittedly I stole that scheme from
Serpent.  The ^r is actually not required at all.

 I'm also curious - why aren't the well-known CRC algorithms used as
 hashes? Is it that they aren't one-way? (they look reversible, but I've
 not studied them closely). Or is it just that they are too short, and if
 they were made longer they'd take too long to actually get all the bits
 mixed up? (so would be useless for a short message)

CRC's typically are only 32-bits wide.  A collision can be found with
2^16 CRCs

Tom
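
Phil's question about how many bits the `^r` term can reach can be answered by computing it. The following Python is an added example, not Tom's code: it reimplements the expansion loop quoted above with the r-term selectable between `r` (as quoted) and `r * 0x9E379B93 mod 2^32` (Phil's suggestion, read as replacing only the `^r`), and ORs the term over all rounds to count the bit positions it can ever affect. SIZE is not given in the post; 80, as in SHA-1's schedule, is the example's assumption, as is the rotate-left-by-one reading of the shift line.

```python
SIZE = 80                 # assumption: the post does not show SIZE; 80 mirrors SHA-1's schedule
C = 0x9E379B93            # the constant from the quoted loop
MASK = 0xFFFFFFFF


def rotl32(x: int, n: int) -> int:
    """32-bit rotate left."""
    return ((x << n) | (x >> (32 - n))) & MASK


def r_term(r: int, variant: str) -> int:
    """The round-dependent term XORed into the schedule:
    'r'   -> r itself (the quoted code)
    'r*C' -> r * 0x9E379B93 mod 2^32 (Phil's suggestion)"""
    return r if variant == "r" else (r * C) & MASK


def expand(words, variant: str = "r") -> list:
    """Message expansion as in the quoted loop, with the r-term selectable.
    Takes 16 32-bit words and returns the SIZE-word expanded schedule."""
    if len(words) != 16:
        raise ValueError("expected 16 input words")
    W = list(words) + [0] * (SIZE - 16)
    for r in range(16, SIZE):
        t = W[r - 3] ^ W[r - 8] ^ W[r - 14] ^ W[r - 16] ^ r_term(r, variant) ^ C
        W[r] = rotl32(t, 1)
    return W


def bits_touched(variant: str) -> int:
    """How many of the 32 bit positions the r-term can ever affect over
    r = 16 .. SIZE-1: the popcount of the OR of all its values."""
    acc = 0
    for r in range(16, SIZE):
        acc |= r_term(r, variant)
    return bin(acc).count("1")


if __name__ == "__main__":
    print("bits touched by ^r     :", bits_touched("r"))
    print("bits touched by ^(r*C) :", bits_touched("r*C"))
    # Constructed input: an all-zero block, so only the constants feed the schedule.
    print("W[16] with ^r on zero input     : 0x%08X" % expand([0] * 16, "r")[16])
    print("W[16] with ^(r*C) on zero input : 0x%08X" % expand([0] * 16, "r*C")[16])
```

With r running from 16 to 79 the plain `^r` term only ever sets the low seven bit positions, whereas the multiplied term reaches all 32 within a handful of rounds, which is the difference Phil is pointing at.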

--

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: OTP WAS BROKEN!!!
Reply-To: [EMAIL PROTECTED]
Date: Wed, 13 Jun 2001 16:56:23 GMT

Jim D [EMAIL PROTECTED] wrote:
: Charles Lyttle [EMAIL PROTECTED] wrote:

:The second biggest problem with OTP is that it is very
:difficult to get a large quantity of true random numbers. 

: Doesn't have to be. Need only be random enough so the cryptanalyst
: can't/is unlikely to be able to predict the next key byte.

That depends on what the cryptanalyst is trying to do.  If he's trying to
read a message from scratch - maybe.  If he's trying to reject the
possibility that a message represents a given plaintext, a slight bias
can be enough to help him out.
-- 
__
 |im |yler  [EMAIL PROTECTED]  Home page: http://alife.co.uk/tim/

--

From: Tom St 

Cryptography-Digest Digest #607

2001-06-13 Thread Digestifier

Cryptography-Digest Digest #607, Volume #14  Wed, 13 Jun 01 20:13:01 EDT

Contents:
  Re: Kernaugh maps (try #2) (Sam Yorko)
  Re: shifts are slow? (Bob Jenkins)
  Re: Alice and Bob Speak MooJoo (Robert J. Kolker)
  Re: Uniciyt distance and compression for AES (Tim Tyler)
  Re: IV (Tim Tyler)
  Re: IV (Tim Tyler)
  Re: Yarrow PRNG (Tim Tyler)
  FIPS 140-1 test (Dobs)
  RNG (Dobs)
  Re: RNG (SCOTT19U.ZIP_GUY)
  Re: Sophie-Germain Primes for sale (Anton Stiglic)



From: Sam Yorko [EMAIL PROTECTED]
Subject: Re: Kernaugh maps (try #2)
Date: Wed, 13 Jun 2001 13:23:25 -0800

Jeffrey Walton wrote:
 
 : So the Kernaugh map is just a way to
 : optimize the expressions for where a 1 occurs in the table?
 
  I find it easier and less error prone than reducing by hand.  As jlcooke
  stated, it can be done with min terms (0s) also.
 
 Also, this method only works for 4 inputs (possibly 6 if you can do this
 with a cube - that would be impressive, but not impossible).
 

Actually, I had to do 5 and 6 inputs in college.  What you do is to
split each of the squares in the table into two or four pieces using
diagonal lines.  Then, you have to be real careful in making the
circles.  It's a real pain, but can be done

--

From: [EMAIL PROTECTED] (Bob Jenkins)
Subject: Re: shifts are slow?
Date: 13 Jun 2001 13:29:56 -0700

Niels Jørgen Kruse [EMAIL PROTECTED] wrote in message 
news:xhJU6.173$[EMAIL PROTECTED]...
 In the article [EMAIL PROTECTED] , 
 [EMAIL PROTECTED] (Bob Jenkins) wrote:
  My old model of the world had +-^|~ take 1 cycle, tab[] take 2,
  if() take 5 if it guesses wrong, * take 10, and / take 20.  That's
  apparently no longer close to reality.  What is the new reality?
 
 This depends very much on the CPU. For the PPC7450, the timings are
 (latency,throughput):
 
 +-^|~                  (1,1)    (except arithmetic right shift
                                  and other oddities)
 tab[], int/vector      (3,1)
 tab[], floating point  (4,1)    (distance from L1 to FP register file is
                                  larger than to int and vector r. files)
 mispredict             6 (minimum)
 32*8  bit              (3,1)
 32*16 bit              (3,1)
 32*32 bit              (4,2)
 /                      (23,23)
 
 These are the latencies as far as forwarding is concerned. Getting condition
 codes ready takes another cycle.
 
 What was your old world? Pentium MMX? I believe load is 3 cycle latency on
 Pentium III.
My old model was a gestalt of many chips from about 1992.  

Those timings on multiplication look very good.  I should look into 
replacing shifts with multiplications.  I suppose I should investigate
tab[] too.

--

From: Robert J. Kolker [EMAIL PROTECTED]
Subject: Re: Alice and Bob Speak MooJoo
Date: Wed, 13 Jun 2001 17:07:27 -0400



David A Molnar wrote:


 I think the issue here is in the model, then. Normally we say Eve has
 access only to the communication between Alice and Bob. As you point out,
 given these assumptions about language, this means Eve gets noise as long
 as she cannot observe Alice and Bob's referents.

How would Eve know whether A/B are discussing the weather,
the stock market or the war du jour? Is Eve in a position to
force a topic of discussion on A/B? If so, some kind of referent
could be teased out, otherwise no. Is there anything corresponding
to the chosen plaintext attack here? I don't think so.

In the case of the Navajo Code Talkers, the Japanese who were
eavesdropping on their communication had some idea of what
the Code Talkers were talking about, but were unable to tease
out any specific words and meanings.  If the Navajo Code talk
had a lot of synonyms then the frequency analysis would fail,
as the synonyms would serve as homophones.


 Except in the real world, Eve may observe some referents of Alice and Bob.
 Troop movements, stock prices, whatever. Alice and Bob have to talk about
 *something*, since the claim is that all language must refer to
 *something*. So is this something accessible to Eve in the real world or
 is it not?

The nature of eavesdropping is there is no ostension. We learn our
first language with the aid of a pointing finger. This method of
indicating the referent non-verbally is completely lacking when
all Eve can do is listen to a conversation but not * see * what
is being referred to.



 If it is accessible, then Eve can learn to speak MooJoo.
 If it is not accessible, then what's the point of Eve observing Alice and
 Bob? They won't affect her anyway; any effect they might have would create
 a referent which would allow Eve to start learning MooJoo.

My point exactly. Alice and Bob will have a secure conversation.



 So the model of Eve having access only to Alice and Bob's talk seems
 possibly too restrictive to be useful 

Cryptography-Digest Digest #594

2001-06-12 Thread Digestifier

Cryptography-Digest Digest #594, Volume #14  Tue, 12 Jun 01 09:13:01 EDT

Contents:
  Re: The 94 cycle 64-bit block cipher :-) (Phil Carmody)
  Re: One last bijection question (Nicol So)
  Re: One last bijection question ([EMAIL PROTECTED])
  Re: One last bijection question (Nicol So)
  Re: IV ([EMAIL PROTECTED])
  Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY (Tim Tyler)
  Re: One last bijection question ([EMAIL PROTECTED])
  Re: BigNum Question (Tim Tyler)
  Re: Any Informed Opinions? (Dirk Bruere)
  Re: IV (SCOTT19U.ZIP_GUY)
  Re: 3 trip encryption Exchange (SCOTT19U.ZIP_GUY)
  Re: help non-elephant encryption-URL.. (Jeffrey Williams)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) -  VERY LONG (Tim Tyler)



From: Phil Carmody [EMAIL PROTECTED]
Subject: Re: The 94 cycle 64-bit block cipher :-)
Date: Tue, 12 Jun 2001 10:13:07 GMT

Tom St Denis wrote:
 Just for fun.  (Hey if this works it could be the fastest, simplest block
 cipher).
 
 I used the quadratic function x(2x + 1) modulo 2^32 as the round function.
 It has one nasty differential which is a difference in the high bit goes to
 a difference in the high bit with a prob of 1.  The rest of the
 differentials are fairly low bounded by as far as I can tell 2^-16.  (I'm
 extrapolating from the case of W=8 where the highest is 16/256.  Since we
 are four times bigger we get (16/256)^4 = 65536/2^32.
 
 To avoid this nasty one I used a cyclic rotate left by five bits.  Now the
 trail has a much lower probability (from the W=8 case it's zero).
 
 So we get two rounds for free (first and last).  Given 6 rounds we have a
 bounded prob of (2^-16)^6 = 2^-96 which means most likely differential
 analysis won't break the cipher with eight rounds.
 
 Of course take heed and remember this is a toy cipher design.  It's still
 fairly neat that 8 rounds will run in 94 cycles (11.75 cycles per byte).  I
 want to see about mixing in a PHT with two quadratics :-)

Sounds interesting, even if it doesn't have the strength that others
have.
You often post your stories here, but I rarely see you post code. As
someone near the bottom of the learning curve of crypto (I understand
pure maths, just not how to apply it), maybe you'd like to post your
code for encrypt and decrypt using the above algorithm, so I can get a
feel for how it works (how do you decrypt??)
Your above round function takes 0-0, for reference, which seems less
than optimal.

Phil
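
Phil asks how the quadratic round is decrypted. The following Python is an added example, not Tom's code; it assumes only what the post states (the round is x(2x+1) mod 2^32 followed by a rotate left by 5; no key mixing or round structure is given, so none is modelled). It shows that x(2x+1) mod 2^w is a permutation and inverts it bit by bit (bit k of the output depends only on bits 0..k of the input, and flipping input bit k flips output bit k without disturbing lower bits), confirms the high-bit differential with probability 1 and the 0 -> 0 fixed point Phil notes, and includes a brute-force search over W = 8 for the best differential other than the high-bit one, which can be compared with the 16/256 figure in the post.

```python
W = 32
MASK = (1 << W) - 1


def quad(x: int, w: int = W) -> int:
    """Tom's round function x(2x + 1) mod 2^w."""
    m = (1 << w) - 1
    return (x * (2 * x + 1)) & m


def quad_inverse(y: int, w: int = W) -> int:
    """Invert quad bit by bit.  Adding 2^k to x changes quad(x) by
    2^k * (4x + 2^(k+1) + 1), an odd multiple of 2^k: bit k flips and bits
    below k are untouched, so the low bits can be fixed one at a time."""
    x = 0
    for k in range(w):
        if (quad(x, w) >> k) & 1 != (y >> k) & 1:
            x |= 1 << k
    return x


def rotl(x: int, n: int, w: int = W) -> int:
    m = (1 << w) - 1
    return ((x << n) | (x >> (w - n))) & m


def rotr(x: int, n: int, w: int = W) -> int:
    m = (1 << w) - 1
    return ((x >> n) | (x << (w - n))) & m


def round_fwd(x: int) -> int:
    """Quadratic followed by the rotate-left-by-5 from the post."""
    return rotl(quad(x), 5)


def round_inv(y: int) -> int:
    """Undo the rotation, then the quadratic: the decrypt direction."""
    return quad_inverse(rotr(y, 5))


def is_bijection(w: int) -> bool:
    """Exhaustive check that quad is a permutation of w-bit words (small w)."""
    return len({quad(x, w) for x in range(1 << w)}) == (1 << w)


def differential_count(din: int, dout: int, w: int) -> int:
    """Number of x (out of 2^w) with quad(x) ^ quad(x ^ din) == dout."""
    return sum(1 for x in range(1 << w) if quad(x, w) ^ quad(x ^ din, w) == dout)


def best_differential_excluding_msb(w: int):
    """Highest-count XOR differential with din != 0 and din != the high bit.
    Returns (din, dout, count); count / 2^w is its probability."""
    best = (0, 0, 0)
    msb = 1 << (w - 1)
    for din in range(1, 1 << w):
        if din == msb:
            continue
        counts = {}
        for x in range(1 << w):
            d = quad(x, w) ^ quad(x ^ din, w)
            counts[d] = counts.get(d, 0) + 1
        dout, c = max(counts.items(), key=lambda kv: kv[1])
        if c > best[2]:
            best = (din, dout, c)
    return best


if __name__ == "__main__":
    print("quad is a permutation on 8 bits:", is_bijection(8))
    print("high-bit differential count (W=8):", differential_count(0x80, 0x80, 8), "/ 256")
    print("best other differential (W=8):", best_differential_excluding_msb(8))
    x = 0x12345678                       # constructed sample input
    print("round/inverse roundtrip ok:", round_inv(round_fwd(x)) == x)
```

The inverse is what a decrypt routine would call per round; because the quadratic is the same width as the word and is a permutation, no Feistel structure is needed to undo it.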

--

From: Nicol So [EMAIL PROTECTED]
Subject: Re: One last bijection question
Date: Tue, 12 Jun 2001 06:16:57 -0400
Reply-To: see.signature

Mark Wooding wrote:
 
 Nicol So [EMAIL PROTECTED] wrote:
 
  A comment on the terminology: the range of a function f is the image of
  the domain under f. The codomain of a function is a (not necessarily
  proper) superset of its range.
 
 This isn't the terminology I'm familiar with.  I've always used the
 terms `range' and `image' to mean what you're calling the `codomain' and
 `range' respectively.  I think these names were standard in the UK when
 I learned this stuff.

I've done a little digging. Apparently both conventions are used even in
the UK (based on the UK academic sites I've visited).

-- 
Nicol So, CISSP
Disclaimer: Views expressed here are casual comments and should
not be relied upon as the basis for decisions of consequence.

--

Subject: Re: One last bijection question
From: [EMAIL PROTECTED]
Date: 12 Jun 2001 06:37:42 -0400

Douglas A. Gwyn [EMAIL PROTECTED] writes:

 [EMAIL PROTECTED] wrote:
  Note that the range is uniquely determined, having specified f().
 
 Well, no, it is the image of the domain and therefore depends on
 the domain.  You probably assumed that a function is packaged with
  a specific domain, but there's no logical necessity for that.

If you haven't specified the domain, you haven't specified f. One may
restrict f to smaller domains, or extend f to larger domains--but having
picked, the range is fixed.

Len.

-- 
Negotiating with one's self seldom produces a barroom brawl.
-- Warren Buffett, 1985

--

From: Nicol So [EMAIL PROTECTED]
Subject: Re: One last bijection question
Date: Tue, 12 Jun 2001 06:38:33 -0400
Reply-To: see.signature

Douglas A. Gwyn wrote:
 
 [EMAIL PROTECTED] wrote:
  Note that the range is uniquely determined, having specified f().
 
 ...  You probably assumed that a function is packaged with
  a specific domain, but there's no logical necessity for that.

In most of the formal definitions of function I've seen, especially
those in more recent publications, the domain and codomain are indeed
part of the specification of a function. Based on that viewpoint, a
function and a restriction of it are distinct functions. Not only that,
two functions are considered distinct if they have 

Cryptography-Digest Digest #595

2001-06-12 Thread Digestifier

Cryptography-Digest Digest #595, Volume #14  Tue, 12 Jun 01 12:13:01 EDT

Contents:
  Simple Crypto II, the public key... (Phil Carmody)
  Re: One last bijection question (Mok-Kong Shen)
  Lookup table for DH's prime P? (quequ)
  Re: One last bijection question (Mok-Kong Shen)
  Re: Alice and Bob Speak MooJoo (Robert J. Kolker)
  Re: Alice and Bob Speak MooJoo (Robert J. Kolker)
  Re: Alice and Bob Speak MooJoo (Robert J. Kolker)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY (Mok-Kong Shen)
  Re: differential cryptanalysis with a new twist? (Mika R S Kojo)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) -   (Mok-Kong Shen)
  Yarrow PRNG ([EMAIL PROTECTED])
  Re: Alice and Bob Speak MooJoo ([EMAIL PROTECTED])
  Re: Free Triple DES Source code is needed. (pink aka Chr. Boesgaard)
  Re: Anyone Heard of Churning (Tim Tyler)
  Re: IV (Tim Tyler)
  Re: Simple Crypto II, the public key... ([EMAIL PROTECTED])
  Re: IV (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY 
(SCOTT19U.ZIP_GUY)
  Re: IV ([EMAIL PROTECTED])
  Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY 
([EMAIL PROTECTED])
  Re: Yarrow PRNG (Anton Stiglic)
  Re: Lookup table for DH's prime P? (Anton Stiglic)



From: Phil Carmody [EMAIL PROTECTED]
Subject: Simple Crypto II, the public key...
Date: Tue, 12 Jun 2001 13:21:15 GMT

OK, is there an asymmetric equivalent to the symmetric

while((c=getchar())!=EOF) putchar(c^k);

I'm talking _real entry level_ algorithms, codable by a competent
programmer, but without requiring numerics smarts or an external crypto
library?

Is the only option out there 32-bit RSA? (No don't laugh - I'm comparing
this to a Caesar cipher remember.)

OK, I hope this doesn't start a long rant, all I want is a simple
opinion...
If I can ask you Egon Ronays to compare the kebab found in the kitchen
bin with the pizza slice found down the side of the sofa:
Which is worth the effort more - security through obscurity or the
trivially disassemblable 32/64-bit RSA?

Views on the food question only accepted if accompanied by a view on the
crypto. :-)

Phil

--

From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: One last bijection question
Date: Tue, 12 Jun 2001 15:24:55 +0200



Mark Wooding wrote:
 

 You can't read.  I said that I was taught to use the word `range' in the
 sense in which Nicol used the word `*co*domain'.

Indeed a big blunder of mine.

M. K. Shen

--

From: quequ [EMAIL PROTECTED]
Subject: Lookup table for DH's prime P?
Date: Tue, 12 Jun 2001 15:31:19 +0200


Hi,
I'm still working on an implementation of the DH algorithm and have a new
little question:

in the DH protocol the 1024-bit prime P and the generator G are public values,
is that right?
In this case can I use a lookup table for P (with 1000-2000 Germain
primes, for example) and a fixed generator G (G = 4)??
This seems to be a very fast solution, because P takes some minutes to
generate on my machine (K7-500), but is this a safe way to follow?

thanks to all

quequ

--

From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: One last bijection question
Date: Tue, 12 Jun 2001 15:57:53 +0200



Mark Wooding wrote:
 
 Mok-Kong Shen [EMAIL PROTECTED] wrote:
 
  These terms are explained in most textbooks on algebra, I
  suppose. BTW, in terminology questions, I find it mostly very
  practical to take a good dictionary/encyclopedia of math.
 
 The reason we're in this mess is that different books give different
 definitions.  I suggest that, to avoid confusion in present discussions,
 we avoid the ambiguous term `range' and stick to `codomain' and
 `image'.

Could you please cite one book where the word 'image' 
thoroughly replaces 'range' or where the word 'range' 
would lead to ambiguity? In the book L. E. Sigler, 
Algebra, Springer-Verlag, the terms used are codomain and 
range. In the book H. L. Royden, Real Analysis, Prentice
Hall, there is range (codomain is not mentioned) and there 
is a term image that means what is mapped to by a subset 
of the domain. So, if these two book are a little bit 
representative (I don't know, I just happen to have them), 
then use of 'image' as replacement for 'range' doesn't 
seem to be supported, I am afraid. (This is only a
layman's argument, I am not a mathematician.)

M. K. Shen

--

From: Robert J. Kolker [EMAIL PROTECTED]
Subject: Re: Alice and Bob Speak MooJoo
Date: Tue, 12 Jun 2001 10:06:59 -0400



Douglas A. Gwyn wrote:

 Boyd Roberts wrote:
  Tom St Denis [EMAIL PROTECTED] a écrit:
   How would a blind person learn to speak?
  verbal feedback.  it's a bootstrap problem.

 Note that Helen Keller learned to communicate despite
 being deaf, dumb, and blind.  But it wasn't easy.

1. Keller was not always blind and deaf. I think she
was rendered so 

Cryptography-Digest Digest #596

2001-06-12 Thread Digestifier

Cryptography-Digest Digest #596, Volume #14  Tue, 12 Jun 01 14:13:01 EDT

Contents:
  Timer chip (HyperCube)
  Re: Simple Crypto II, the public key... (Anton Stiglic)
  Re: BigNum Question (Harris Georgiou)
  Re: Alice and Bob Speak MooJoo (Zonn)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY (Tim Tyler)
  Re: Discrete Logarithm (Douglas A. Gwyn)
  Re: Humor, I Must be a Threat to National Security (Douglas A. Gwyn)
  Re: Publication violation notice (Douglas A. Gwyn)
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, and   (Douglas 
A. Gwyn)
  Re: Free Triple DES Source code is needed. (Mark Wooding)
  Re: Lookup table for DH's prime P? (Mark Wooding)
  Re: Alice and Bob Speak MooJoo ([EMAIL PROTECTED])
  Re: IV (Tim Tyler)
  Re: One last bijection question (Tim Tyler)
  Re: Lookup table for DH's prime P? (Mark Wooding)
  Re: IV ([EMAIL PROTECTED])
  Re: Lookup table for DH's prime P? (Neil Couture)
  Re: Timer chip (Paul Rubin)
  Re: National Security Nightmare? (Jim D)



Date: Tue, 12 Jun 2001 18:19:41 +0200
From: HyperCube [EMAIL PROTECTED]
Subject: Timer chip

Hi folks, I heard there's a way to directly access the processor's or
board's timer chip by reading out a special register or memory address.
This bypasses the common timer interrupt and should give a resolution in
times of nano-seconds(!?), of course well suited for random number
generation. Does anybody know how it is done (I mean how it is really
done, in detail)?  Thanks a lot.

--

From: Anton Stiglic [EMAIL PROTECTED]
Subject: Re: Simple Crypto II, the public key...
Date: Tue, 12 Jun 2001 12:24:25 -0400

Phil Carmody wrote:
 
 OK, is there an asymmetric equivalent to the symmetric
 
 while((c=getchar())!=EOF) putchar(c^k);

Do you want something that is secure, or just something you
can do in a while loop, encrypting little chunks at a time?

If you want something secure, you can look at Goldwasser-Micali
probabilistic encryption scheme, it works like this:

choose two large primes, compute n = p*q (like in RSA).
Choose a pseudo-square, y, mod n.  y is a pseudo-square mod n
if Legendre symbol (y,n) = 1 but y is a non-quadratic residue.
See Handbook of Applied Crypto for algorithms to compute the
Legendre symbol given the factorization of n.
This is the end of the complicated part.
n, y is the public key, private key is the factors of n.

To encrypt a message m, represent it in binary m[1]m[2]...m[t]
Then:
for (i = 1; i <= t; i++) {
  Pick random x \in [1, n];
  if (m[i] == 1) {
    c[i] = y*x^2 % n;        /* a pseudo-square encodes a 1 */
  }
  else {
    c[i] = x^2 % n;          /* a true square encodes a 0 */
  }
}
return the array c;

Of course, you can transform the above into an algo that encrypts
char by char using getchar...


Decryption is:

for (i = 1; i <= t; i++) {
  e = Legendre symbol (c[i], p)   /* p is one of the secret prime factors of n */
  /* there exist algorithms to compute the above, given knowledge of
     the factorization of n; the symbol must be taken mod a prime
     factor, since mod n itself it is 1 for every ciphertext */
  if (e == 1) {
    m[i] = 0;
  }
  else {
    m[i] = 1;
  }
}
return the array m;


--Anton
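Anton's pseudocode worked through as a runnable toy implementation; this is an added example, not code from the post. The primes 499 and 547 are constructed for illustration (a real modulus uses primes of hundreds of digits), Legendre symbols are computed by Euler's criterion, and the Jacobi routine shows what a party without the factorisation can and cannot learn from a ciphertext.

```python
"""Goldwasser-Micali probabilistic encryption, bit by bit (added toy example)."""
import math
import secrets

# Constructed toy parameters: both prime, chosen only so the arithmetic is easy to follow.
P, Q = 499, 547
N = P * Q                      # public modulus; the factors p, q are the private key


def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p, by Euler's criterion a^((p-1)/2)."""
    r = pow(a % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r        # r is 0, 1 or p-1


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0; computable WITHOUT knowing the factors of n."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def find_pseudosquare(p, q):
    """Smallest y that is a non-residue mod both p and q: then (y/n) = (-1)(-1) = 1,
    yet y is not a square mod n. This is the public pseudo-square of the post."""
    y = 2
    while not (legendre(y, p) == -1 and legendre(y, q) == -1):
        y += 1
    return y


Y = find_pseudosquare(P, Q)    # public key is (N, Y)


def encrypt_bit(bit, n=N, y=Y):
    """A 0 becomes a random square, a 1 a random pseudo-square; fresh x each time,
    so the same bit encrypts to a different value every call."""
    while True:
        x = secrets.randbelow(n - 1) + 1
        if math.gcd(x, n) == 1:
            break
    c = x * x % n
    return c * y % n if bit else c


def decrypt_bit(c, p=P):
    """Only the holder of a factor can tell squares from pseudo-squares: a square is a
    residue mod p, a pseudo-square is not (Y was chosen as a non-residue mod p)."""
    return 0 if legendre(c, p) == 1 else 1


def encrypt_bytes(data):
    bits = [(b >> k) & 1 for b in data for k in range(7, -1, -1)]
    return [encrypt_bit(bit) for bit in bits]


def decrypt_bytes(cts):
    bits = [decrypt_bit(c) for c in cts]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def xor_ciphertexts(c1, c2, n=N):
    """GM is homomorphic for XOR: square*square and pseudo*pseudo are squares,
    square*pseudo is a pseudo-square, so c1*c2 decrypts to m1 ^ m2."""
    return c1 * c2 % n


def jacobi_reveals_nothing(c, n=N):
    """Every valid ciphertext has Jacobi symbol 1, so the public test cannot separate 0s from 1s."""
    return jacobi(c, n) == 1
```

Each plaintext bit costs a full modulus-sized ciphertext, and the product of two ciphertexts is a valid encryption of the XOR of their bits, so the raw scheme is malleable and needs an integrity layer before use.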

--

From: Harris Georgiou [EMAIL PROTECTED]
Subject: Re: BigNum Question
Date: Tue, 12 Jun 2001 15:55:36 +0300


Tim Tyler [EMAIL PROTECTED] wrote in the discussion message:
[EMAIL PROTECTED]
 Harris Georgiou [EMAIL PROTECTED] wrote:
 : Tim Tyler [EMAIL PROTECTED] wrote in the discussion message:
 
 If there's a problem with Java's cryptography stuff, it seems to be that
 these classes are immutable, so there's no way of deleting objects - you
 can only null them, and wait for the garbage collector to clean
 up afterwards.

Not true. Of course garbage collector is there to free the programmer of
several boring lines of cleanup code, but there are always functions to
actually delete any object on call. Try Runtime.gc() and destroy() and
delete() methods in various objects.



--

Harris

- 'Malo e lelei ki he pongipongi!'




--

From: Zonn [EMAIL PROTECTED]
Subject: Re: Alice and Bob Speak MooJoo
Date: Tue, 12 Jun 2001 16:39:42 GMT

On Tue, 12 Jun 2001 10:06:59 -0400, in sci.crypt, Robert J. Kolker
[EMAIL PROTECTED] wrote:

Douglas A. Gwyn wrote:

 Boyd Roberts wrote:
  Tom St Denis [EMAIL PROTECTED] a écrit:
   How would a blind person learn to speak?
  verbal feedback.  it's a bootstrap problem.

 Note that Helen Keller learned to communicate despite
 being deaf, dumb, and blind.  But it wasn't easy.

1. Keller was not always blind and deaf. I think she
was rendered so by an acute bout with scarlet
fever or measles.

2. She learned to speak through her remaining spatial
sense, i.e. her sense of touch.

3. Helen Keller could in no sense of the word be considered dumb. (Refer to #2
above.)

-Zonn

--


Cryptography-Digest Digest #597

2001-06-12 Thread Digestifier

Cryptography-Digest Digest #597, Volume #14  Tue, 12 Jun 01 16:13:00 EDT

Contents:
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (David Hopwood)
  Re: National Security Nightmare? (Bill Unruh)
  Re: Publication violation notice (Bill Unruh)
  Re: Publication violation notice (Roger Schlafly)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY (Mok-Kong Shen)
  Re: help non-elephant encryption (Joseph Ashwood)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY (Mok-Kong Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY (Mok-Kong Shen)
  Re: Free Triple DES Source code is needed. (Douglas A. Gwyn)
  Re: One last bijection question (Douglas A. Gwyn)
  Re: National Security Nightmare? (Douglas A. Gwyn)
  Re: IV (Cristiano)
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, and   (Mok-Kong 
Shen)
  Re: IV (Cristiano)
  Re: One last bijection question (Mok-Kong Shen)
  Re: Yarrow PRNG ([EMAIL PROTECTED])



Date: Tue, 12 Jun 2001 16:46:41 +0100
From: David Hopwood [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)

=BEGIN PGP SIGNED MESSAGE=

Dennis Ritchie wrote:
 Section 10.  Perfect Secrecy
 
 Let us suppose the possible messages are finite in number
 M1, ..., Mn and that these are enciphered into the possible
 cryptgrams E1, ... En by
 E = TiM
 
 [Ti is the transformation performed on the i-th message]

No, i here is the key. (See figure 5 for a confirmation of that.)

-- 
David Hopwood [EMAIL PROTECTED]

Home page  PGP public key: http://www.users.zetnet.co.uk/hopwood/
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5  0F 69 8C D4 FA 66 15 01
Nothing in this message is intended to be legally binding. If I revoke a
public key but refuse to specify why, it is because the private key has been
seized under the Regulation of Investigatory Powers Act; see www.fipr.org/rip




--

From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: National Security Nightmare?
Date: 12 Jun 2001 18:28:12 GMT

In [EMAIL PROTECTED] [EMAIL PROTECTED] (Jim D) writes:

]On Tue, 12 Jun 2001 02:34:48 +0200, Boyd Roberts [EMAIL PROTECTED]
]wrote:

]Mok-Kong Shen [EMAIL PROTECTED] a ecrit dans le message news: 
][EMAIL PROTECTED]
] In France I heard that there is a national institute
] that decides authoritatively on language issues of French.
]
]yes, you are referring to L'Academie Francaise.
]
]what a waste of space.  here is two of the more recent
]and totally stupid rulings they made:
]
]CD - cede
][e]mail - mel
]
]both CD and mail had been in current use for years.

]In America, maybe. It's just that, like me, they object
]to their language being polluted by Americanisms.

In the world. 


] Is there a similar one for the English world?

]There ought to be. In the UK at least.

For a language most of which is the result of pollution by a huge
variety of other languages, such a proposal would be funny. Get rid of
the words curry, or chutney. Abandon the words like beef and pork. Where would 
you like the line drawn? Celtic only for Britain-- oops they were also
outsiders bringing in their polluting words-- get rid of the word
Britain.

--

From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: Publication violation notice
Date: 12 Jun 2001 18:34:08 GMT

In [EMAIL PROTECTED] Douglas A. Gwyn [EMAIL PROTECTED] writes:

]Paul Rubin wrote:
] someone tried to send a chess openings book to a prisoner, and the
] prison refused delivery because it contained code throughout.

]Not surprising.  Censors in general (e.g. postal censors during
]wartime) have to have some such policy, because it is in fact
]easy enough to encrypt messages within such schemes, and the
]censors don't have the resources to try to analyze the material
]closely enough to ensure that nothing is hidden within.

]In the case of a printed book from a well-known publisher,
]there is less chance of this than in a privately printed copy,
]but policies like this one tend to err on the side of caution.

No, they err on the side of stupidity. 

--

From: Roger Schlafly [EMAIL PROTECTED]
Subject: Re: Publication violation notice
Date: Tue, 12 Jun 2001 17:32:54 GMT

Douglas A. Gwyn [EMAIL PROTECTED] wrote in message
news:[EMAIL 

Cryptography-Digest Digest #599

2001-06-12 Thread Digestifier

Cryptography-Digest Digest #599, Volume #14  Tue, 12 Jun 01 19:13:00 EDT

Contents:
  Re: Humor, I Must be a Threat to National Security (SCOTT19U.ZIP_GUY)
  Sophie-Germain Primes for sale (Tom St Denis)
  Re: IV (Tim Tyler)
  Re: IV (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY (Tim Tyler)
  Re: Mantin-Shamir's RC4 distinguisher paper and RC4 *student* paper (Itsik Mantin)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY (Mok-Kong Shen)
  Re: The 94 cycle 64-bit block cipher :-) (Fat Phil)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY (Mok-Kong Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY (Mok-Kong Shen)
  Special promotion: White-Hat Security Arsenal at 40% off on Amazon.com (Avi Rubin)
  Re: The 94 cycle 64-bit block cipher :-) (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY (Mok-Kong Shen)
  The 94 cycle cipher (Tom St Denis)
  Re: Simple Crypto II, the public key... (Fat Phil)
  Re: Simple Crypto II, the public key... (Fat Phil)
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, and   (Douglas 
A. Gwyn)
  Re: Humor, I Must be a Threat to National Security (Douglas A. Gwyn)
  Re: EXCELLENT NEW WEB BOARD!! CHECK IT OUT :) (Paul Pires)
  Re: Simple Crypto II, the public key... (Tom St Denis)
  Re: Publication violation notice (The Nameless Horror)



From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Crossposted-To: comp.security.misc
Subject: Re: Humor, I Must be a Threat to National Security
Date: 12 Jun 2001 20:57:30 GMT

[EMAIL PROTECTED] (Douglas A. Gwyn) wrote in [EMAIL PROTECTED]:

SCOTT19U.ZIP_GUY wrote:
 ... I don't see why you were not hired but it may mean
 you're too honest or you may not have matched the religion
 of the ones who you interviewed with. It's possible they
 had a quota for women at the time you applied.

Most likely, the available positions had more qualified
applicants.  From the tone of some of Boney's narrative,
I suspect they are glad they didn't hire him..


  Having worked for the government, I noticed in the old
days qualifications meant a lot. But then we had a cold war
we needed to win. In the later years qualifications didn't
mean squat. It was better if you met the right politically
correct quota.

David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE OLD VERSION
http://www.jim.com/jamesd/Kong/scott19u.zip
My website http://members.nbci.com/ecil/index.htm
My crypto code http://radiusnet.net/crypto/archive/scott/
MY Compression Page http://members.nbci.com/ecil/compress.htm
**NOTE FOR EMAIL drop the roman five ***
Disclaimer:I am in no way responsible for any of the statements
 made in the above text. For all I know I might be drugged or
 something..
 No I'm not paranoid. You all think I'm paranoid, don't you!


--

From: Tom St Denis [EMAIL PROTECTED]
Subject: Sophie-Germain Primes for sale
Date: Tue, 12 Jun 2001 21:19:54 GMT

Made you look.

No seriously *free* SG primes are at my website

http://tomstdenis.home.dhs.org/primes.txt

An SG prime is of the form p = 2q + 1, where q itself is prime and of course
p mod 4 = 3.

They are useful for DH and other DLP quests.  Since they are SG, all bases
(other than trivial ones) generate a group of order q, which for some of the
primes is huge.

How to read the list?

(size in bits) p==digits

so

(1024)
p==1460030136858689905633918046800667131280181317311313833593791824930185113
6348768360708424001573886964262443996309806738655987368721064584308025706111
6036949438982968995332694598033744487708557681139725773222031612812763129935
3164025680222964658192849043699670677857470257248695463297505596077769310893
41764287

Is a 1024-bit SG prime.  I am building up the list with larger and larger
primes.

And yes FYI I live a very sheltered life.
--
Tom St Denis
---
http://tomstdenis.home.dhs.org
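The checks behind quequ's lookup-table question and Tom's remark that every non-trivial base of a prime p = 2q + 1 generates a group of order q, as an added example that is not code from either post. The small primes used in the checks are constructed toy values; the reasoning is identical for 1024-bit values, where validating p and q with Miller-Rabin takes a fraction of a second rather than the minutes needed to generate them.

```python
"""Validating a Diffie-Hellman group built from a safe prime p = 2q + 1 (added example)."""
import secrets


def is_probable_prime(n, rounds=40):
    """Miller-Rabin with random bases; a composite slips through with probability <= 4**-rounds."""
    if n < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False                          # witness of compositeness found
    return True


def is_safe_prime(p):
    """p prime and q = (p-1)/2 prime: p-1 = 2q then has no small factors other than 2,
    which is what makes a published table of such p usable for DH at all."""
    return p > 5 and p % 2 == 1 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def element_order(g, p):
    """Multiplicative order of g modulo a safe prime p. It divides p-1 = 2q, so the only
    possibilities are 1, 2, q and 2q; 'trivial' bases are exactly those of order 1 or 2."""
    q = (p - 1) // 2
    g %= p
    if g == 0:
        raise ValueError("0 is not a group element")
    if g == 1:
        return 1
    if g == p - 1:
        return 2
    return q if pow(g, q, p) == 1 else 2 * q


def generates_prime_order_subgroup(g, p):
    """True when g has order exactly q, i.e. g is a quadratic residue other than 1.
    4 = 2^2 is a square, so a fixed G = 4 has order q for every safe prime p > 5;
    what needs validating is p itself, not the generator."""
    return element_order(g, p) == (p - 1) // 2


def is_valid_peer_value(y, p):
    """Receiver-side check on a peer's public value: in range and inside the order-q
    subgroup, so the shared secret cannot be forced into the two-element subgroup {1, p-1}."""
    return 1 < y < p - 1 and pow(y, (p - 1) // 2, p) == 1
```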



--

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: IV
Reply-To: [EMAIL PROTECTED]
Date: Tue, 12 Jun 2001 21:18:16 GMT

Cristiano [EMAIL PROTECTED] wrote:
: Tim Tyler [EMAIL PROTECTED] wrote:
: Cristiano [EMAIL PROTECTED] wrote:

: : I want to encrypt a file of L bytes with a block cipher in CBC mode
: : (like RC6 or Rijndael).
: : For speed reasons I read N bytes at time (N1024) and then I encrypt
: : this block.
: : Every N bytes I use the IV to XOR the first 16 bytes of plain text.
: : Is there some weakness in this way?

: Very possibly.  If I understand correctly, you are using the same IV and
: the same key - effectively starting again every N bytes, in order to
: get speed (through parallelism?). [...]

: That means identical plaintexts (at those offsets) will result in
: identical cyphertexts.

: Yes. [...] could you tell me if there is any weakness in my method?

The fact that identical plaintext blocks (every N bytes) 

Cryptography-Digest Digest #600

2001-06-12 Thread Digestifier

Cryptography-Digest Digest #600, Volume #14  Tue, 12 Jun 01 21:13:00 EDT

Contents:
  Re: Sophie-Germain Primes for sale (The Nameless Horror)
  When the signer is trusted do birthdays matter? (Fat Phil)
  Better 8x32's sboxes (Tom St Denis)
  Re: When the signer is trusted do birthdays matter? (Paul Rubin)
  Re: Alice and Bob Speak MooJoo (Robert J. Kolker)
  Re: Prime Directive  was _Re: National Security Nightmare? (John Savard)
  Re: Simple Crypto II, the public key... (John Savard)
  alternative linear prob? (Tom St Denis)
  Re: Humor, I Must be a Threat to National Security (SCOTT19U.ZIP_GUY)
  Who can help me crack this encryption (Terrence Koeman)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY 
([EMAIL PROTECTED])
  Re: help non-elephant encryption (Gregory G Rose)
  Re: Simple Crypto II, the public key... (Tom St Denis)
  Re: Alice and Bob Speak MooJoo (Tom St Denis)
  Re: Alice and Bob Speak MooJoo (Robert J. Kolker)



From: [EMAIL PROTECTED] (The Nameless Horror)
Subject: Re: Sophie-Germain Primes for sale
Date: Tue, 12 Jun 2001 23:11:02 GMT

On Tue, 12 Jun 2001 21:19:54 GMT, Tom St Denis
[EMAIL PROTECTED] wrote:

And yes FYI I live a very sheltered life.

There are worse things than leading a sheltered life. Another poster
to this newsgroup has, for some reason, chosen to enlighten us about
his experiences in the state of Nevada.

Upon coming across some historical information in a web search, I was
tempted to retort, were he to mention that sort of thing again, that
we would hardly be interested in hearing about it unless his encounter
had been with Teri Wiegel at the Moonlight Bunny.

I was surprised, though, in doing a Google/Deja search, to discover
that at least one of his encounters was at that very facility,
although with someone less famous: Kulani. However, further searching
disclosed that she had received a couple of very favorable reviews, so
at least said poster has good taste.

--

From: Fat Phil [EMAIL PROTECTED]
Subject: When the signer is trusted do birthdays matter?
Date: Wed, 13 Jun 2001 02:06:25 +0300

I understand the birthday coincidence problem. (i.e. only ~22 random
people are enough for a 50/50 chance of a birthday coincidence).

However, if your document _originator_and_signer_ is Trusted Trent, and
signatures are done on the document hash, then why do you need to
consider the birthday attack. He's not going to be creating many
documents in order to try to find two that hash together? 
In fact being a single person/company, he's only going to be releasing
'small' numbers of documents (few/day, say).
Does that mean that in this situation hashes only need to be half as
wide as one would normally recommend as they don't need to consider the
birthday problem?
Or have I missed something?
Phil

--

From: Tom St Denis [EMAIL PROTECTED]
Subject: Better 8x32's sboxes
Date: Tue, 12 Jun 2001 23:23:17 GMT

I was thinking about making slightly better 8x32's (actually it was a bolt
of the obvious).

Use the inversion in GF(2^32)/p(x) instead.  Basically we fix three of the
inputs for the four 8x32's as in

X11 X12 X13 X
X21 X22 X X24
X31 X X33 X34
X X42 X43 X44

Where no row has identical fixed values.  (i.e X11 != X21, X11 != X31,
etc...).  Each row is one 8x32 sbox and X is the variable input.

The entire set of four 8x32 sboxes would be defined by the 12 fixed bytes
and the polynomial.

Ideally the 12 bytes would be picked w.r.t. the polynomial such that a
change in any fixed byte will have an output that differs in as many output
bytes as possible.  That way the # of active sboxes is maximized.  If the
initial condition that all 12 bytes are different is observed then all four
sboxes will have unique values and not be vulnerable to Vaudenay's attack on
Blowfish.  (If I understand correctly his attack is based on finding a
\Delta x \rightarrow \Delta 0 differential).

Of course each 8x32 sbox will have a DPmax of 4/256.

My question is, how do I find the LPmax?  Obviously I could change the Walsh
transform to do an 8-bit input mask and 32-bit output mask, that would
require 2^48 work though...

Now I know the DPmax just because of the way differentials work.  I.e. for
any input difference the output difference occurs at most four times.  Thus
4/256 is the max.

With linear analysis any input parity leads to an output parity with a bias
of 2^16 (from 0, or 2^-16 as an LPmax).  However, for some inputs a parity
of zero or one is guaranteed based on the fixed values.  Hence a truncated
linear attack (i.e. must only maintain the parity of the 8 variable bits).

Any insight?
--
Tom St Denis
---
http://tomstdenis.home.dhs.org
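Tom's DPmax claim checked numerically on rows of the layout above; this is an added example, not the post's code. The reduction polynomial x^32 + x^22 + x^2 + x + 1 (a primitive degree-32 polynomial) and the fixed bytes are assumptions, since the post leaves both open; the LPmax question is not attempted, as the 2^48 Walsh work he mentions is precisely the obstacle.

```python
"""Differential profile of an 8x32 sbox cut out of inversion in GF(2^32) (added example)."""

# Assumed reduction polynomial p(x) = x^32 + x^22 + x^2 + x + 1 (primitive over GF(2)).
POLY = (1 << 32) | (1 << 22) | (1 << 2) | (1 << 1) | 1


def gf_mul(a, b, poly=POLY):
    """Carry-less multiply in GF(2)[x], reduced modulo poly after every shift."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> 32:
            a ^= poly
    return r


def gf_inv(a):
    """Multiplicative inverse as a^(2^32 - 2); 0 maps to 0, as in AES-style inversion sboxes."""
    result, e = 1, (1 << 32) - 2
    while e:
        if e & 1:
            result = gf_mul(result, a)
        a = gf_mul(a, a)
        e >>= 1
    return result


def assemble_word(fixed, var_pos, x):
    """32-bit input: the three fixed bytes with the variable byte x inserted at var_pos
    (0 = most significant byte), i.e. one row of the post's 4x4 picture."""
    b = list(fixed)
    b.insert(var_pos, x)
    return int.from_bytes(bytes(b), "big")


def make_sbox(fixed, var_pos):
    """The 8x32 sbox S[x] = inv(word with x at var_pos) for all 256 values of x."""
    return [gf_inv(assemble_word(fixed, var_pos, x)) for x in range(256)]


def dp_max_count(sbox):
    """Largest count of inputs x with S[x] ^ S[x ^ dx] == dy, over all dx != 0 and all dy.
    Divided by 256 this is DPmax. Inversion on GF(2^n), n even, has at most 4 solutions
    for any (dx, dy) over the whole field, and restricting x to 256 inputs cannot add any."""
    worst = 0
    for dx in range(1, 256):
        hist = {}
        for x in range(256):
            dy = sbox[x] ^ sbox[x ^ dx]
            hist[dy] = hist.get(dy, 0) + 1
        worst = max(worst, max(hist.values()))
    return worst


def rows_are_disjoint(rows):
    """Rows built from distinct fixed bytes feed distinct words into a bijection, so no two
    sboxes share an output value: the 'unique values' condition the post asks for."""
    seen = set()
    for s in rows:
        if seen.intersection(s):
            return False
        seen.update(s)
    return True
```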



--

From: Paul Rubin [EMAIL PROTECTED]
Subject: Re: When the signer is trusted do birthdays matter?
Date: 12 Jun 2001 16:27:56 -0700

Fat Phil [EMAIL PROTECTED] 

Cryptography-Digest Digest #577

2001-06-10 Thread Digestifier

Cryptography-Digest Digest #577, Volume #14  Sun, 10 Jun 01 08:13:01 EDT

Contents:
  Re: Algorithms (BenZen)
  Re: Knapsack security??? Ahhuh (rosi)
  Re: cubing modulo 2^w - 1 as a design primitive? (Peter L. Montgomery)
  Re: Uniciyt distance and compression for AES ([EMAIL PROTECTED])
  Re: Algorithms (Sam Simpson)
  Jacobian projective coordinates (himanee)
  Let Win2000 use Diffie-Hellman during KeyExchange (Ricardo)
  Re: Algorithms (Tom St Denis)
  Re: shifts are slow? (Niels Jørgen Kruse)
  Re: shifts are slow? (Tom St Denis)



From: BenZen [EMAIL PROTECTED]
Subject: Re: Algorithms
Date: Sat, 9 Jun 2001 06:58:33 -0400

Tom St Denis wrote in message _XcU6.61619$[EMAIL PROTECTED]...

Sam Simpson [EMAIL PROTECTED] wrote in message
news:wEcU6.20648$[EMAIL PROTECTED]...
 Out of interest Tom, what did you think of the Koblitz text?  Last time we
 'spoke' about it you had ordered but not received it.

I got it around May 5th.  I have read through it (neat book).  Some of the
math I don't get yet, but it's well laid out and a really good review of
number theory.

Tom

Which text ?
* Algebraic Aspects of Cryptography, N. Koblitz, Springer 1998
* P-adic Numbers, p-adic Analysis and Zeta-Functions (2nd edn.), N. Koblitz,
  Graduate Text 54, Springer 1996
* A Course in Number Theory and Cryptography, N. Koblitz, Graduate Texts in
  Mathematics 114, 2nd Edition, Springer 1994
* Introduction to Elliptic Curves and Modular Forms, N. Koblitz, Springer Graduate
  Text 97, 2nd Edition 1993
* P-adic Analysis: A Short Course on Recent Work, N. Koblitz, LMS Lecture Notes 46,
  CUP 1980

Regards,
Just Lurking.
Ben



--

From: rosi [EMAIL PROTECTED]
Subject: Re: Knapsack security??? Ahhuh
Date: Sun, 10 Jun 2001 02:18:28 -0400

John Bailey wrote in message [EMAIL PROTECTED]...
On Fri, 8 Jun 2001 00:21:58 -0400, rosi [EMAIL PROTECTED] wrote:

[snip]

So, is it a go?

Answer for you (sorrily arbitrarily). No.


I think it is only fair that I give you enough information on
what is ahead. I have some simple stuff, from which I would like
to see if certain things are as trivial as I seem to see. So I give the
best shot I can fire and would like you to help me. I will put
forth two quite non-technical questions, which do not require
definitive answers (or in other words, what answers come back is
not that important). There is one technical issue I would appreciate
it if you could share your thoughts with us, but that is not really
expected. It is up to you. The issue is to prove from what I
give you that P != NP. (Hope you are still in your chair if you
were:). Checked, I am still in mine)

Would it help if we used Rojas' papers as a common ground of
understanding?
http://arXiv.org/find/math/1/au:+rojas/0/1/0/1998/0/1


Not 100% sure. Forgive me for taking a perhaps pretty accurate
guess. The answer to your question is : NO. It will not help at all.
There does not seem to be any common ground for us on the
papers at all.

I did not read the papers themselves. From the titles I took the
guess that the papers can only be quite remotely related, 'related'
even in a very loose sense. Bennett gates and non-linear quantum
gates might be closer (though I know virtually nothing about that
discipline, but would be very interested in considering that aspect
more thoroughly in private). Even those, from my understanding
now, changes no situation here. THE issue is, IMHO, settled.


Please do not be alarmed. It should be simple. Ideas about
both the two questions and the P!=NP issue can be formed in
your head by simply ‘staring at’ a construction I give you for a
few minutes. I am not saying that you may come up with all
the boring details of a proof after reading and thinking about
it for a few minutes. I mean that you can get the sense of it.


If you are heading off in the direction of complexity theory, I don't
think its productive.  To me the issue is far simpler.  Standard
format knapsack systems have been shown sufficiently suspect that
nothing commercial is likely to be trusted.  NTRU may have gone one of

False. Nothing has ever shown anything sufficient to me in that regard.
True possibly if I do not count.
Uncertain because of the informal vague nature of the statement which
renders its semantics a 'what?'.

two ways.  1) they may have found a basis (excuse the pun) on which a
knapsack or sparse diophantine system can be made secure OR 2) they
just hide the knapsack formal equivalence.  If the latter, I hope this
isn't regarded as an attack on their business.  If the former, it
would be useful to understand the underlying source of the improvement
because other parallel approaches might yield something useful as
well.

Given Rojas' (and certainly others') work, it should not be hard to
find a one way function which would require solving 

Cryptography-Digest Digest #578

2001-06-10 Thread Digestifier

Cryptography-Digest Digest #578, Volume #14  Sun, 10 Jun 01 11:13:01 EDT

Contents:
  BBS question (Tom St Denis)
  Re: BBS question (Tom St Denis)
  Re: cubing modulo 2^w - 1 as a design primitive? (Mok-Kong Shen)
  Re: cubing modulo 2^w - 1 as a design primitive? (SCOTT19U.ZIP_GUY)
  Re: cubing modulo 2^w - 1 as a design primitive? (Tom St Denis)
  Re: cubing modulo 2^w - 1 as a design primitive? (Tom St Denis)
  Re: cubing modulo 2^w - 1 as a design primitive? (Mok-Kong Shen)
  Re: Shannon's definition of perfect secrecy (Tim Tyler)
  Re: cubing modulo 2^w - 1 as a design primitive? (Tom St Denis)
  Re: Shannon's definition of perfect secrecy (Tom St Denis)
  Re: Shannon's definition of perfect secrecy (Mok-Kong Shen)
  Re: cubing modulo 2^w - 1 as a design primitive? (Mok-Kong Shen)
  Re: cubing modulo 2^w - 1 as a design primitive? (Tom St Denis)
  Re: cubing modulo 2^w - 1 as a design primitive? (Mok-Kong Shen)
  Re: cubing modulo 2^w - 1 as a design primitive? (Tom St Denis)



From: Tom St Denis [EMAIL PROTECTED]
Subject: BBS question
Date: Sun, 10 Jun 2001 13:08:01 GMT

Nobody quite answered my original question.

Let's suppose you have a Blum integer (say N=7x11=77).  If we pick a seed
such as X=4 we get

4, 16, 25, 9, 4

as the outputs... Now for the funny part

4^2 + 16^2 + 25^2 + 9^2 = 4+16+25+9 (mod 77).

So far whenever I find the cycle the sum of squares is equal to the sum of
their roots.

Is that universally true or just for the 6 or so cases I have tried?
--
Tom St Denis
---
http://tomstdenis.home.dhs.org



--

From: Tom St Denis [EMAIL PROTECTED]
Subject: Re: BBS question
Date: Sun, 10 Jun 2001 13:08:54 GMT


Tom St Denis [EMAIL PROTECTED] wrote in message
news:RiKU6.76438$[EMAIL PROTECTED]...
 Nobody quite answered my original question.

 Let's suppose you have a Blum integer (say N=7x11=77).  If we pick a seed
 such as X=4 we get

 4, 16, 25, 9, 4

 as the outputs... Now for the funny part

 4^2 + 16^2 + 25^2 + 9^2 = 4+16+25+9 (mod 77).

Arrg... Nevermind, I know why.

Tom
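The cycle Tom found, followed from an arbitrary seed, as an added example that is not part of either post; N = 77 and the seeds are the post's own toy values. The sum-of-squares identity has the explanation he alludes to: squaring permutes the states of a cycle, so both sums run over the same residues.

```python
"""Blum-Blum-Shub state cycle for a tiny modulus (added example)."""


def bbs_states(n, seed):
    """Iterate x -> x^2 mod n from seed until a state repeats.
    Returns (tail, cycle): states visited before the cycle is entered, then the cycle itself."""
    index = {}
    states = []
    x = seed % n
    while x not in index:
        index[x] = len(states)
        states.append(x)
        x = x * x % n
    start = index[x]
    return states[:start], states[start:]


def sums_agree(cycle, n):
    """sum(x^2) == sum(x) mod n over any cycle, for any modulus: the squares of the cycle's
    states are exactly the cycle's states again, in rotated order."""
    return sum(x * x for x in cycle) % n == sum(cycle) % n


def period(n, seed):
    """Length of the state cycle the seed falls into. For a usable BBS modulus this must be
    astronomically large; for N = 77 every seed cycles within a handful of steps."""
    return len(bbs_states(n, seed)[1])


def output_bits(n, seed, count):
    """Standard BBS output: the least significant bit of each successive state after the seed."""
    x = seed % n
    bits = []
    for _ in range(count):
        x = x * x % n
        bits.append(x & 1)
    return bits
```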



--

From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: cubing modulo 2^w - 1 as a design primitive?
Date: Sun, 10 Jun 2001 15:30:40 +0200



Tom St Denis wrote:
 
 Tom St Denis [EMAIL PROTECTED] wrote:

  I was cheating on what?
 
  Sorry to be honest I kinda skim your posts.  You kinda write in one long
  unbroken chunk.  (When you're at a computer as long as I shouldn't be it
  looks like a mess).
 
  The book info.
 
  W.R.Scott, Professor of Mathematics, The university of Utah, Group
 Theory,
  Dover Publications Inc, New York.
  ISBN 0-486-65377-3
 
 Something I want to add.  It's not a bad book as far as correctness goes.
 Heck I can only read the first 20 pages.
 
 It's just a very bad text to LEARN from.  It has a math equation to word
 ratio of 100:1...

Cheating on what? Here is what in the thread
  'Best, Strongest Algorithm (gone from any reasonable topic)'
you posted on Fri, 08 Jun 2001 21:24:35 +0200:

   I find often the biggest problem with math papers/discussions 
   is the lack of a good language to discuss it in.  For example, 
   my book on Group Theory I got (From Dover) only has 13 words 
   in the entire text.  The rest is vague human egyptian art work 
   that future archeologists will look at and say this means 
   fire, and that's water, and 

This can obviously never be true, or else there would be an 
immense scandal about the publisher Dover that has a good 
name and whose scientific books have always been of good 
quality, even though to a large part outdated. (BTW, I am 
myself in possession of a Dover book on group theory!)

And what you responded above is demonstrating clearly and 
unambiguously that you lied. (But I did intentionally give 
you opportunities to correct your statements in more gentle 
ways which you didn't take up.) Now everyone in the group
clearly knows who you actually are.

Note you were not posting on 1st April, nor were you in a 
group talk.joke. Telling the untruth on one day and accusing 
someone else (I think it was Scott whom you were attacking) 
on the very next day of being a liar, is something I consider 
to be really too much. 

We cannot let the atmosphere of the group deteriorate like 
that. The current atmosphere is already poor enough (e.g. with 
posts asking simple math questions which definitely 
properly belong to sci.math) in my opinion to be 
able to attract more people to participate in the group.

M. K. Shen

--

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: cubing modulo 2^w - 1 as a design primitive?
Date: 10 Jun 2001 13:47:48 GMT

[EMAIL PROTECTED] (Mok-Kong Shen) wrote in
[EMAIL PROTECTED]: 



Tom St Denis wrote:
 

And what you responded above is demonstrating clearly and 
unambiguously that you lied. (But I did intentionally give 
you opportunities to correct 

Cryptography-Digest Digest #579

2001-06-10 Thread Digestifier

Cryptography-Digest Digest #579, Volume #14  Sun, 10 Jun 01 12:13:01 EDT

Contents:
  Re: Shannon's definition of perfect secrecy (SCOTT19U.ZIP_GUY)
  Re: cubing modulo 2^w - 1 as a design primitive? (Mok-Kong Shen)
  Re: cubing modulo 2^w - 1 as a design primitive? (Tom St Denis)
  Re: OTP WAS BROKEN!!! (Charles Lyttle)
  Re: Shannon's definition of perfect secrecy (Mok-Kong Shen)
  Re: cubing modulo 2^w - 1 as a design primitive? (Mok-Kong Shen)
  Re: cubing modulo 2^w - 1 as a design primitive? (Tom St Denis)
  Re: cubing modulo 2^w - 1 as a design primitive? (Mok-Kong Shen)
  Re: cubing modulo 2^w - 1 as a design primitive? (Tom St Denis)
  Re: cubing modulo 2^w - 1 as a design primitive? (Mok-Kong Shen)



From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Shannon's definition of perfect secrecy
Date: 10 Jun 2001 14:49:31 GMT

[EMAIL PROTECTED] (Mok-Kong Shen) wrote in 3B238460.FFA3DD4A@t-
online.de:
I consider the 'practical' situations. It can never
be possible to send an infinite stream, even till eternity.
What we can do is to put a sufficient number of messages
together and send the concatenation. That avoids to a
very good extent the finding of the boundaries between
the messages by the opponent. If one has only a single
message at hand and cannot wait till other messages
arrive to be sent together, then one has to pad. But
normally this isn't the case, as far as I am aware. For
one usually has quite an amount of messages of different

   True, it's obvious, if one understands the concept of
perfect security, that anything that gets close to
it would be better.  So if one can't wait for several messages
to create a long message made of several small ones, great.
If one has only one message and there seems to be no more
in the queue, send it with padding. So do you see the best
situation is to always send an encrypted message of the 
same size.  If you have low priority messages you could
even send them last and if message filled wait till next
day to send rest or if big and low priority spread it out
over many messages, interspersed by short high priority
messages. But keeping each transmitted message to the same size.



David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE OLD VERSION
http://www.jim.com/jamesd/Kong/scott19u.zip
My website http://members.nbci.com/ecil/index.htm
My crypto code http://radiusnet.net/crypto/archive/scott/
MY Compression Page http://members.nbci.com/ecil/compress.htm
**NOTE FOR EMAIL drop the roman five ***
Disclaimer:I am in no way responsible for any of the statements
 made in the above text. For all I know I might be drugged or
 something..
 No I'm not paranoid. You all think I'm paranoid, don't you!


--

From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: cubing modulo 2^w - 1 as a design primitive?
Date: Sun, 10 Jun 2001 16:54:37 +0200



Tom St Denis wrote:
 
 Mok-Kong Shen [EMAIL PROTECTED] wrote:

 
  Tom St Denis wrote:
  
   Mok-Kong Shen [EMAIL PROTECTED] wrote:
 
   
Tom St Denis wrote:

 Mok-Kong Shen [EMAIL PROTECTED] wrote:
   
 
  Tom St Denis wrote:
  
   Mok-Kong Shen [EMAIL PROTECTED] wrote:
you posted on Fri, 08 Jun 2001 21:24:35 +0200:
   
    I find often the biggest problem with math papers/discussions
    is the lack of a good language to discuss it in.  For example,
    my book on Group Theory I got (From Dover) only has 13 words
    in the entire text.  The rest is vague human egyptian art work
    that future archeologists will look at and say this means
    fire, and that's water, and 
    
 This can obviously never be true, or else there would be an
 immense scandal about the publisher Dover that has a good
 name and whose scientific books have always been of good
 quality, even though to a large part outdated. (BTW, I am
 myself in possession of a Dover book on group theory!)
   
    I never said the book is bad.  I said it's bad to learn from.  It's
    not a good text IMHO.  Koblitz's Course in Number ... is a good text
    because it involves english :-)
  
   What are you talking about here in view of the quote I gave
   about your earlier post above?? Read once again your own
   words that you had written!!

  When I posted the details of the book I posted a followup to my own post.

  I'm allowed to modify my statements.  If you still think the book is
  better as fire starter material then you have to realize you are basing
  this on my opinion of the text not fact.

  Sorry for the confusion if any.
   
What did you post to modify your statements BEFORE I asked
(challenged) you for the third time to post the title
and author name of the book?? And what 'details', excepting
that you now 

Cryptography-Digest Digest #580

2001-06-10 Thread Digestifier

Cryptography-Digest Digest #580, Volume #14  Sun, 10 Jun 01 13:13:01 EDT

Contents:
  Re: cubing modulo 2^w - 1 as a design primitive? (Tom St Denis)
  Re: cubing modulo 2^w - 1 as a design primitive? (Mok-Kong Shen)
  Re: cubing modulo 2^w - 1 as a design primitive? (Tom St Denis)
  Re: cubing modulo 2^w - 1 as a design primitive? (Mok-Kong Shen)
  Re: cubing modulo 2^w - 1 as a design primitive? (Tom St Denis)
  Re: cubing modulo 2^w - 1 as a design primitive? (Mok-Kong Shen)
  Re: cubing modulo 2^w - 1 as a design primitive? (Tom St Denis)
  Re: cubing modulo 2^w - 1 as a design primitive? (David Hopwood)



From: Tom St Denis [EMAIL PROTECTED]
Subject: Re: cubing modulo 2^w - 1 as a design primitive?
Date: Sun, 10 Jun 2001 15:50:47 GMT


Mok-Kong Shen [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...


 Tom St Denis wrote:
 
  Mok-Kong Shen [EMAIL PROTECTED] wrote:

 Look at
    
 http://tomstdenis.home.dhs.org/dover_book.jpg
    
 Tell me how useful [as a learning text] that would be for someone
 with limited time (i.e. a lifespan)
   
    I don't have the time, nor the interest (in view of the
    what I know about you through the current issue) to access
    your web page. Sorry.
  
   Wow, and you call me a liar.  When I try to show how boring this text
   really is you don't even look.  Are you related to DS?

  Before you can convince others here with simple sentences
  why there are only 13 scientifically relevant words in
  that book (you can quote these and show in addition,
  say, a paragraph which is in your opinion scientific
  non-sense, don't you?) why should anyone take any trouble
  to access your web page at all?


It was not a literal joke.  There is structure to the text, I'm just saying
it's not an interesting read.

Why can't you leave it at that?

tom



--

From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: cubing modulo 2^w - 1 as a design primitive?
Date: Sun, 10 Jun 2001 17:53:46 +0200



Tom St Denis wrote:
 
 Mok-Kong Shen [EMAIL PROTECTED] wrote:

 
  Tom St Denis wrote:
  
   Mok-Kong Shen [EMAIL PROTECTED] wrote:
 
  Look at

  http://tomstdenis.home.dhs.org/dover_book.jpg

  Tell me how useful [as a learning text] that would be for someone
  with limited time (i.e. a lifespan)
    
 I don't have the time, nor the interest (in view of the
 what I know about you through the current issue) to access
 your web page. Sorry.
   
    Wow, and you call me a liar.  When I try to show how boring this text
    really is you don't even look.  Are you related to DS?
  
   Before you can convince others here with simple sentences
   why there are only 13 scientifically relevant words in
   that book (you can quote these and show in addition,
   say, a paragraph which is in your opinion scientific
   non-sense, don't you?) why should anyone take any trouble
   to access your web page at all?
 
 
 It was not a literal joke.  There is structure to the text, I'm just saying
 it's not an interesting read.
 
 Why can't you leave it at that?

Because I consider it very important that intentionally
spreading untruth should stop in our group.

M. K. Shen

--

From: Tom St Denis [EMAIL PROTECTED]
Subject: Re: cubing modulo 2^w - 1 as a design primitive?
Date: Sun, 10 Jun 2001 15:59:18 GMT


Mok-Kong Shen [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...


 Tom St Denis wrote:
 
  Mok-Kong Shen [EMAIL PROTECTED] wrote:

  
   Tom St Denis wrote:
   
Mok-Kong Shen [EMAIL PROTECTED] wrote:
  
   Look at
  
   http://tomstdenis.home.dhs.org/dover_book.jpg
  
   Tell me how useful [as a learning text] that would be for someone
   with limited time (i.e. a lifespan)

  I don't have the time, nor the interest (in view of the
  what I know about you through the current issue) to access
  your web page. Sorry.
    
 Wow, and you call me a liar.  When I try to show how boring this
 text really is you don't even look.  Are you related to DS?
   
    Before you can convince others here with simple sentences
    why there are only 13 scientifically relevant words in
    that book (you can quote these and show in addition,
    say, a paragraph which is in your opinion scientific
    non-sense, don't you?) why should anyone take any trouble
    to access your web page at all?
  
 
  It was not a literal joke.  There is structure to the text, I'm just
  saying it's not an interesting read.
 
  Why can't you leave it at that?

 Because I consider it very important that intentionally
 spreading untruth should stop in our group.

What untruth?  The book really doesn't interest me.  That's not a lie!

Tom



--

From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: cubing modulo 2^w - 1 as a design primitive?
Date: Sun, 10 Jun 2001 18:02:02 +0200



Tom St Denis wrote:
 
 Mok-Kong Shen 

Cryptography-Digest Digest #582

2001-06-10 Thread Digestifier

Cryptography-Digest Digest #582, Volume #14  Sun, 10 Jun 01 19:13:01 EDT

Contents:
  Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY  (John A. Malley)



From: John A. Malley [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY 
Date: Sun, 10 Jun 2001 16:01:26 -0700


Mok-Kong Shen wrote:
 
 
 I unfortunately don't have the paper easily available.
 Could you kindly quote just one sentence in it showing
 that the message length does enter into Shannon's argument
 in a significant way?

I thought I did with the quote on infinite symbol streams out of a
Markov source.  Shannon divides his exposition on perfect secrecy into
two parts - one part dealing with a finite set of messages and the other
part dealing with a message source with an infinite number of messages.
See Part II Theoretical Secrecy, Sections 9, 10 of Shannon's paper for
more. 

The paper is on-line, in pages scanned and posted as PDF files, at 

http://www3.edgenet.net/dcowley/docs.html

(Thank you, Mad Cow.)

 
  
   I also think that it's not mentioned.  I believe it is common to
   consider the domain where all plaintexts are the same length -
   perhaps in order to get the perfect secrecy result.
  
   : My memory of Shannon's paper is no good, but I don't think that he
   : considered the length of the messages.
  
   I don't think it was mentioned either - all the messages were the same
   length in the system in question.

Just a comment - the messages in a finite set do NOT need to be of the
same length for the cipher to achieve perfect secrecy.  Shannon
considered the uncertainty of the set of messages regardless of their
lengths but each message is finite.  However, he was clear that the
messages in the set were not infinite in length. They are all finite.  

[...]

 
  The length of any finite sequence passing between us tell nothing to Eve
  that she doesn't already know. Eve knows the Markov process. She knows
  the Markov process will generate an infinite sequence of symbols. She
  knows the statistics of substrings that might appear.
  Interception of any portion of the infinite sequence of symbols
  generated by the Markov process and enciphered with perfect secrecy
  using an OTP tells Eve nothing more than what she already knew about the
  Markov process.
 
 I don't fully understand the sentence 'The length ..
 she doesn't already know.' Does the length of the message
 belong to what she already knows (before getting the
 message)? Further, does the length play a role in
 the security? (My interpretation of your sentence
 would be 'no', but this would seem to contradict what
 you wrote at the beginning of this post where you said
 that the length enters into the argument of Shannon.)

The length of the messages matters only in the sense of comparing
perfect secrecy for a finite set of messages versus perfect secrecy for
an infinite number of messages from a message source modeled as a
suitable Markov process. 

The remainder of this post describes 

1) perfect secrecy for a finite set of messages and considers their bit
lengths, 

2) perfect secrecy for an infinite number of messages from a source
modeled as a suitable Markov process and considers their bit lengths, 

3) why it's possible to implement a cipher with perfect secrecy that
XORs a binary key string with a binary message string, BUT, XORing a
binary string uniformly at random with a binary message string of the
same length does *NOT* always result in a cipher with perfect secrecy!!!
Very interesting explanation, too. Builds on 1) and 2). 


1) PERFECT SECRECY FOR A FINITE SET OF MESSAGES

Let a finite set  {m1, m2, m3, m4} = M, the set of messages.  P(m_i) is
the probability of occurrence of the ith message. The sum of P(m_i) over
i = 1 to |M| is 1.  For example, let P(m1) = 1/2, P(m2) = 1/4, P(m3) =
1/8 and P(m4) = 1/8. The uncertainty of the message source M is given by 

- [ P(m1)*log(P(m1)) +  P(m2)*log(P(m2)) +  P(m3)*log(P(m3)) + 
P(m4)*log(P(m4))] = 

- [ 1/2 * -1 + 1/4 * -2 + 1/8 * -3 + 1/8 * -3 ] = 1.75 bits. 

A cipher with perfect secrecy for the finite set M requires as many
cryptograms as messages. Let the finite set {c1, c2, c3, c4} = E, the
set of cryptograms.  

A cipher with perfect secrecy for the finite set M requires a finite set
of keys K with uncertainty equal to or greater than the uncertainty of M
and with the keys equiprobable.  The uncertainty of K must equal or
exceed 1.75 bits. Let the uncertainty of K = 2 bits. Then let {k1, k2,
k3, k4} = K with each key value equally probable, so P(k1) = P(k2) =
P(k3) = P(k4) = 1/4.

For perfect secrecy, each key selects a map taking each m_i to a
distinct c_j for each k_l value. So in this example:

k1 selects this mapping:

m1 -> c1
m2 -> c2
m3 -> c3
m4 -> c4

k2 selects this mapping:

m1 -> c2
m2 -> c3
m3 -> c4
m4 -> c1

k3 selects this mapping:

m1 -> c3
m2 
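The four-message system of part 1 above, worked through in code as an added example (not the poster's own code): the message probabilities, the 1.75-bit uncertainty, and the four equiprobable keys are the post's values; the key-to-mapping rule is the cyclic shift the post's tables show (k1 is the identity, k2 shifts every message one cryptogram along, and so on). The check implements Shannon's condition that P_M(E) = P(E) for every message and cryptogram, equivalently that the a posteriori P_E(M) obtained by Bayes equals the a priori P(M). The two failing key distributions are constructed here to show the two ways the requirement breaks: keys that are not equiprobable, and a key set whose uncertainty (1 bit) is below the 1.75 bits of the source.

```python
from fractions import Fraction
from math import log2

# Constructed data: the four-message source and four-key system from the post.
MESSAGES = ["m1", "m2", "m3", "m4"]
CRYPTOGRAMS = ["c1", "c2", "c3", "c4"]
P_M = {"m1": Fraction(1, 2), "m2": Fraction(1, 4),
       "m3": Fraction(1, 8), "m4": Fraction(1, 8)}

# Key k_l maps m_i to c_{((i-1)+(l-1)) mod 4 + 1}: k1 is the identity map,
# k2 shifts by one cryptogram, etc. (the Latin-square layout of the post).
UNIFORM_KEYS = {f"k{l}": Fraction(1, 4) for l in range(1, 5)}      # 2 bits
BIASED_KEYS = {"k1": Fraction(1, 2), "k2": Fraction(1, 6),           # not equiprobable
               "k3": Fraction(1, 6), "k4": Fraction(1, 6)}
TWO_KEYS = {"k1": Fraction(1, 2), "k2": Fraction(1, 2)}              # only 1 bit of key


def encrypt(m, k):
    """Cryptogram produced by applying key k to message m."""
    i = MESSAGES.index(m)
    shift = int(k[1:]) - 1
    return CRYPTOGRAMS[(i + shift) % 4]


def entropy_bits(dist):
    """Shannon uncertainty -sum p*log2(p) of a distribution."""
    return -sum(float(p) * log2(float(p)) for p in dist.values() if p)


def p_cryptogram(p_m, p_k):
    """P(E): probability of each cryptogram arising from any message/key pair."""
    p_e = {c: Fraction(0) for c in CRYPTOGRAMS}
    for m, pm in p_m.items():
        for k, pk in p_k.items():
            p_e[encrypt(m, k)] += pm * pk
    return p_e


def p_cryptogram_given_message(p_k, m):
    """P_M(E): total probability of the keys that take m to each cryptogram."""
    p_me = {c: Fraction(0) for c in CRYPTOGRAMS}
    for k, pk in p_k.items():
        p_me[encrypt(m, k)] += pk
    return p_me


def posterior(p_m, p_k, m, c):
    """P_E(M) by Bayes: P(M) * P_M(E) / P(E)."""
    p_e = p_cryptogram(p_m, p_k)[c]
    return p_m[m] * p_cryptogram_given_message(p_k, m)[c] / p_e


def is_perfectly_secret(p_m, p_k):
    """Shannon's criterion: perfect secrecy iff P_M(E) == P(E) for all M and E."""
    p_e = p_cryptogram(p_m, p_k)
    return all(p_cryptogram_given_message(p_k, m)[c] == p_e[c]
               for m in p_m for c in CRYPTOGRAMS)


if __name__ == "__main__":
    print("H(M) =", entropy_bits(P_M), "bits")              # 1.75
    print("H(K) =", entropy_bits(UNIFORM_KEYS), "bits")     # 2.0
    for name, keys in [("uniform", UNIFORM_KEYS), ("biased", BIASED_KEYS),
                       ("two keys", TWO_KEYS)]:
        print(name, "perfect secrecy:", is_perfectly_secret(P_M, keys))
    # With biased keys, seeing c1 moves the enemy's belief in m1 from 1/2 to 3/4.
    print("P_c1(m1) with biased keys:", posterior(P_M, BIASED_KEYS, "m1", "c1"))
```

Exact `Fraction` arithmetic is used so the equality test in `is_perfectly_secret` is a real equality and not a floating-point approximation; the biased-key case is the instructive one, since every message still reaches every cryptogram yet the a posteriori probability of m1 given c1 rises to 3/4.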

Cryptography-Digest Digest #583

2001-06-10 Thread Digestifier

Cryptography-Digest Digest #583, Volume #14  Sun, 10 Jun 01 23:13:01 EDT

Contents:
  Re: Hehehe I found out who David Scott is (Boyd Roberts)
  Re: cubing modulo 2^w - 1 as a design primitive? (Boris Kazak)
  Re: National Security Nightmare? (Boyd Roberts)
  Re: National Security Nightmare? ([EMAIL PROTECTED])
  Re: National Security Nightmare? (Boyd Roberts)
  Re: Uniciyt distance and compression for AES (Boyd Roberts)
  Re: Alice and Bob Speak MooJoo (Douglas A. Gwyn)
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, and   (Douglas A. Gwyn)
  Re: Alice and Bob Speak MooJoo (Boyd Roberts)
  Re: Alice and Bob Speak MooJoo (Boyd Roberts)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY  LONG (John Savard)
  Re: cubing modulo 2^w - 1 as a design primitive? (Tom St Denis)
  Re: National Security Nightmare? (JPeschel)
  Re: National Security Nightmare? (Tom St Denis)
  Re: National Security Nightmare? (JPeschel)
  Re: Uniciyt distance and compression for AES (Tom St Denis)
  Re: National Security Nightmare? ([EMAIL PROTECTED])
  Re: National Security Nightmare? (JPeschel)
  Re: National Security Nightmare? (Boyd Roberts)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY  LONG (SCOTT19U.ZIP_GUY)
  Re: National Security Nightmare? (JPeschel)



From: Boyd Roberts [EMAIL PROTECTED]
Subject: Re: Hehehe I found out who David Scott is
Date: Mon, 11 Jun 2001 01:51:38 +0200

well after not reading the group for about two years the french
expression:

plus ça change, plus la même chose

springs to mind.

same slaughtering of the english language complete with the
obligatory set of 6 steak knives...

oops, no, i mean scottbroken-version + n.zip 'encryption'.

what a package.  free at sci.crypt or an ftp site near you.




--

From: Boris Kazak [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Subject: Re: cubing modulo 2^w - 1 as a design primitive?
Date: Sun, 10 Jun 2001 23:57:20 GMT

Tom St Denis wrote:

 I thought if p is your modulus, the order is at most a multiple of p-1?
 
 How do you explain it being a bijection for p=255?
 
 Tom
===
Cubing (and modular multiplication in general) can be a bijection
when the multiplier and the modulus are mutually prime.
In this case the multiplicative inverse exists, and the operation
can be reversed.

In case of a composite modulus (e.g. 255) the multiplicative inverses
do not exist for numbers that have common factors with the modulus.
So, for example 31^3 mod 255 will be a bijection, but 30^3 mod 255
will not, because 30 does not have a multiplicative inverse mod 255.

Best wishes   BNK
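The bijection question in this sub-thread (whether x -> x^3 mod 2^w - 1 is a permutation, and why it is for 255) has an exact criterion, checked below in an added example that is not any poster's code. For squarefree n the Chinese remainder theorem splits cubing into cubing modulo each prime p dividing n, and cubing permutes Z_p exactly when gcd(3, p-1) = 1; if some p^2 divides n, the residues 0 and n/p both cube to 0, so the map cannot be a bijection. 255 = 3*5*17 passes (2, 4 and 16 are all coprime to 3); 63 = 9*7 fails on both counts. The example compares the criterion against brute force for every w up to 16 and also computes the inverse exponent (11 for 255), which is the caveat for a design primitive: the cube map is cheaply invertible by anyone who knows w, so it contributes a fixed nonlinear permutation, not any secrecy of its own.

```python
from math import gcd


def factorize(n):
    """Trial-division factorisation {prime: exponent}; fine for 2^w - 1, w <= 32."""
    factors = {}
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1 if d == 2 else 2
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def cubing_permutes_by_theory(n):
    """x -> x^3 mod n permutes Z_n iff n is squarefree and gcd(3, p-1) == 1
    for every prime p dividing n (CRT plus the p^2 collision argument)."""
    return all(e == 1 and gcd(3, p - 1) == 1 for p, e in factorize(n).items())


def cubing_permutes_by_brute_force(n):
    """Direct check: the cube map is a permutation iff its image has n distinct values."""
    return len({pow(x, 3, n) for x in range(n)}) == n


def cube_root_exponent(n):
    """For squarefree n on which cubing is a permutation: the exponent d with
    (x^3)^d == x for every x, i.e. the inverse of 3 modulo lcm(p - 1)."""
    lam = 1
    for p in factorize(n):
        lam = lam * (p - 1) // gcd(lam, p - 1)
    return pow(3, -1, lam)


def bijective_widths(max_w):
    """Word sizes w in 2..max_w for which cubing mod 2^w - 1 is a permutation."""
    return [w for w in range(2, max_w + 1)
            if cubing_permutes_by_theory(2 ** w - 1)]


if __name__ == "__main__":
    for w in (6, 8, 12, 16):
        n = 2 ** w - 1
        print(w, n, factorize(n),
              cubing_permutes_by_theory(n), cubing_permutes_by_brute_force(n))
    d = cube_root_exponent(255)
    print("inverse exponent mod 255:", d,
          "round-trip ok:", all(pow(pow(x, 3, 255), d, 255) == x for x in range(255)))
    print("bijective widths up to 16:", bijective_widths(16))
```

`pow(3, -1, lam)` needs Python 3.8 or later; it raises `ValueError` when 3 has no inverse, which is exactly the non-bijective case, so callers should test `cubing_permutes_by_theory` first.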

--

From: Boyd Roberts [EMAIL PROTECTED]
Subject: Re: National Security Nightmare?
Date: Mon, 11 Jun 2001 02:18:36 +0200

Tom St Denis [EMAIL PROTECTED] wrote in message news: 
is8U6.60161$[EMAIL PROTECTED]

 So it is in fact A plethora of people is here since it's only one
 plethora?

the word 'people' forces you to use 'are'.




--

Subject: Re: National Security Nightmare?
From: [EMAIL PROTECTED]
Date: 10 Jun 2001 20:27:24 -0400

Boyd Roberts [EMAIL PROTECTED] writes:

 Tom St Denis wrote:

 So it is in fact A plethora of people is here since it's only one
 plethora?
 
 the word 'people' forces you to use 'are'.

Incorrect. ``A plethora is here.'' ``Really? What sort of plethora?''
``A plethora of people.''

Len.

-- 
 We [hackesses] about our lives like most human beings, maybe even
 a little better.

Or in your case, a little dumber.
-- Phrack Magazine

--

From: Boyd Roberts [EMAIL PROTECTED]
Subject: Re: National Security Nightmare?
Date: Mon, 11 Jun 2001 02:29:30 +0200

JPeschel [EMAIL PROTECTED] wrote in message news: 
[EMAIL PROTECTED]
 Nope, if you want to use the passive voice,  the verb should be is.

the passive is used to indicate an event but not who did it:

s/he got flamed

it uses the past participle, and is not influenced by the verb.

 Here is a
 way you can see that for yourself. Open MS-Word, or any word processor that can
 check formal English
 grammar. Make sure the options are set to check formal English. Now type:
 A bunch of nuts are claiming it means one thing. Word will suggest: A bunch
 of nuts is or Bunches of nuts are as the proper replacement.

i'd hardly class word a reference for english grammar.

 But Dave wrote, as I said before,  A bunch of nuts claim it means one
 thing..., which
 is correct. He cast the beginning of his sentence in the active voice, so there
 is
 no are or is needed in this instance.

it's active because it says who's doing/did it.

passive/active does not change the singular/plural choice of the verb.




--

From: Boyd Roberts [EMAIL PROTECTED]
Subject: Re: Uniciyt 

Cryptography-Digest Digest #572

2001-06-09 Thread Digestifier

Cryptography-Digest Digest #572, Volume #14   Sat, 9 Jun 01 05:13:01 EDT

Contents:
  Shannon's definition of perfect secrecy (David Hopwood)
  Re: Shannon's definition of perfect secrecy (SCOTT19U.ZIP_GUY)
  Re: OTP WAS BROKEN!!! (Paul Pires)
  Re: Alice and Bob Speak MooJoo (Neil Couture)
  Re: Bow before your new master (Wander)
  Re: National Security Nightmare? (JPeschel)
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, and   (Mok-Kong Shen)
  Re: Rip Van Winkle (Mok-Kong Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)



Date: Sat, 09 Jun 2001 02:04:39 +0100
From: David Hopwood [EMAIL PROTECTED]
Subject: Shannon's definition of perfect secrecy

=BEGIN PGP SIGNED MESSAGE=

Tim Tyler wrote:
 My main concern is with the definition and usage of the term
 perfect secrecy - I'd like to see what Shannon wrote,
 whether his proof relates to what he wrote, and whether others
 have followed his usage properly.

This is from the scanned copy of Communication Theory of Secrecy Systems
at http://www3.edgenet.net/dcowley/docs.html (the pages numbered 679 to
683). It's compilable LaTeX.

\documentclass[a4paper,11pt]{llncs} \def\Mod{{\rm Mod\ }}
\def\log{\:{\rm log}\:} \def\K{\hspace{2em}\raisebox{1ex}{$K$}}
\def\h{\hline\vspace{-2ex}\\} \def\s{\hspace{1em}}
\begin{document} \setcounter{section}{9} \setcounter{theorem}{5}


Excerpt from ``Communication Theory of Secrecy Systems'' by Claude Shannon,
in the Bell System Technical Journal, Vol 28, October 1949, pages 656--715.

% Section 10
\section{Perfect Secrecy}

Let us suppose the possible messages are finite in number $M_1, \cdots, M_n$
and have {\em a priori} probabilities $P(M_1), \cdots, P(M_n)$, and that
these are enciphered into the possible cryptograms $E_1, \cdots, E_m$ by
\[
  E = T_i M.
\]

The cryptanalyst intercepts a particular $E$ and can then calculate, in
principle at least, the {\em a posteriori} probabilities for the various
messages, $P_E(M)$. It is natural to define {\em perfect secrecy} by the
condition that, for all $E$ the {\em a posteriori} probabilities are equal
to the {\em a priori} probabilities independently of the values of these.
In this case, intercepting the message has given the cryptanalyst no
information.\footnote[9]
{
  A purist might object that the enemy has obtained some information in
  that he knows a message was sent. This may be answered by having among
  the messages a ``blank'' corresponding to ``no message''. If no message
  is originated the blank is enciphered and sent as a cryptogram.
  Then even this modicum of remaining information is eliminated.
}
Any action of his which depends on the information contained in the
cryptogram cannot be altered, for all of his probabilities as to what the
cryptogram contains remain unchanged. On the other hand, if the condition
is {\em not} satisfied there will exist situations in which the enemy has
certain {\em a priori} probabilities, and certain key and message choices
may occur for which the enemy's probabilities do change. This in turn may
affect his actions and thus perfect secrecy has not been obtained. Hence
the definition given is necessarily required by our intuitive ideas of
what perfect secrecy should mean.

A necessary and sufficient condition for perfect secrecy can be found as
follows: We have by Bayes' theorem
\[
   P_E(M) = \frac{P(M) P_M(E)}
% ---
{P(E)}
\]
in which:

\begin{tabular}{rcp{0.75\textwidth}}
  $  P(M)$ = {\em a priori} probability of message $M$. \\
  $P_M(E)$ = conditional probability of cryptogram $E$ if message
   $M$ is chosen i.e. the sum of the probabilities of all
   keys which produce cryptogram $E$ from message $M$.\\
  $  P(E)$ = probability of obtaining cryptogram $E$ from any cause.\\
  $P_E(M)$ = {\em a posteriori} probability of message $M$ if
   cryptogram $E$ is intercepted.
\end{tabular}

For perfect secrecy $P_E(M)$ must equal $P(M)$ for all $E$ and all $M$.
Hence either $P(M) = 0$, a solution that must be excluded since we demand
the equality independent of the values of $P(M)$, or
\[
  P_E(M) = P(M)
\]
and we have perfect secrecy. Thus we have the result:

% Theorem 6
\begin{theorem}
A necessary and sufficient condition for perfect secrecy is that
\[
  P_M(E) = P(E)
\]
for all $M$ and $E$. That is, $P_M(E)$ must be independent of $M$.
\end{theorem}

Stated another way, the total probability of all keys that transform $M_i$
into a given cryptogram $E$ is equal to that of all keys transforming $M_j$
into the same $E$, for all $M_i, M_j$ and $E$.

Now there must be as many $E$'s as there are $M$'s since, for a fixed $i$,
$T_i$ gives a one-to-one 

Cryptography-Digest Digest #573

2001-06-09 Thread Digestifier

Cryptography-Digest Digest #573, Volume #14   Sat, 9 Jun 01 09:13:01 EDT

Contents:
  Re: Shannon's definition of perfect secrecy (Tim Tyler)
  Re: Anyone Heard of Churning (Tim Tyler)
  Re: Algorithms (Vance Gloster)
  Re: Uniciyt distance and compression for AES ([EMAIL PROTECTED])
  Re: Alice and Bob Speak MooJoo ([EMAIL PROTECTED])
  Hex notation (Adam O'Brien)
  Re: Alice and Bob Speak MooJoo (Quisquater)
  Re: Uniciyt distance and compression for AES (SCOTT19U.ZIP_GUY)
  Re: Uniciyt distance and compression for AES (Andreas Gunnarsson)
  Re: Hex notation (Nicol So)
  Differential cryptanalysis (Adam O'Brien)
  Re: Uniciyt distance and compression for AES (Tom St Denis)
  Re: Differential cryptanalysis (Tom St Denis)
  Re: Uniciyt distance and compression for AES (Tom St Denis)
  Re: cubing modulo 2^w - 1 as a design primitive? (Mark Wooding)
  Re: Hex notation (Mathew Hendry)
  Re: Uniciyt distance and compression for AES (SCOTT19U.ZIP_GUY)
  Re: practical birthday paradox issues (Johnny Bravo)
  Mantin-Shamir's RC4 distinguisher paper and RC4 *student* paper (Michael Lee)
  Re: cubing modulo 2^w - 1 as a design primitive? (Tom St Denis)
  Re: Mantin-Shamir's RC4 distinguisher paper and RC4 *student* paper (Scott Fluhrer)
  Re: Hex notation (Tim Tyler)



From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Shannon's definition of perfect secrecy
Reply-To: [EMAIL PROTECTED]
Date: Sat, 9 Jun 2001 09:00:04 GMT

David Hopwood [EMAIL PROTECTED] wrote:
: Tim Tyler wrote:

: My main concern is with the definition and usage of the term
: perfect secrecy - I'd like to see what Shannon wrote,
: whether his proof relates to what he wrote, and whether others
: have followed his usage properly.

: This is from the scanned copy of Communication Theory of Secrecy Systems
: at http://www3.edgenet.net/dcowley/docs.html

Thanks for that URL - and for the text.  I didn't know this was available
online.

: Several things are clear from this: [...]

:  - Nowhere does the paper say that the key length and message length of
:a perfect system are the same [...]

They don't need to be.

:  - The footnote about traffic analysis suggests sending blank messages,
:which obviously requires the ciphertext distribution for blank messages
:to be the same as for normal messages [...]

Yes - if perfect secrecy is to be maintained ;-)

: ...but [Shannon] is also supposed to have proved that the (conventional?)
: OTP has [perfect secrecy], which it does not.  I'll resolve the apparent
: friction between these ideas by reading his actual words and proof.

: He only mentions the Vernam cipher (i.e. OTP) for the case of potentially
: infinite length streams, and for a definition of perfect secrecy adapted
: to that case. [...]

Yes - he doesn't deal with the conventional OTP on finite files in the
passage you quote.
-- 
__
 |im |yler  [EMAIL PROTECTED]  Home page: http://alife.co.uk/tim/

--

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Anyone Heard of Churning
Reply-To: [EMAIL PROTECTED]
Date: Sat, 9 Jun 2001 09:34:55 GMT

Stephen Thomas [EMAIL PROTECTED] wrote:
: [This didn't get a response in sci.crypt.research, so I thought I'd try here.]

: Apparently, ATM Passive Optical Networks (APONs) have standardized on
: an encryption algorithm refered to as churning. Does anyone know
: anything about this? Especially details on the algorithm. (FWIW, PONs
: are shared media networks like cable modems.)

: The only references I can find are:

:   APON uses a 24-bit key churning mechanism
:   Churning is a memoryless transformation of one byte to a
:   different byte

A superficial search suggests that the churning of keys is sometimes used
as a generic term for the passing of a key through a one-way hash
function, or similar.

That doesn't square with Churning is a memoryless transformation of one
byte to a different byte - but that apparently comes from a marketing
document.
--
__
 |im |yler  [EMAIL PROTECTED]  Home page: http://alife.co.uk/tim/

--

From: Vance Gloster [EMAIL PROTECTED]
Subject: Re: Algorithms
Date: Sat, 9 Jun 2001 03:17:22 -0700

Joseph Ashwood [EMAIL PROTECTED] wrote:
 Well if you want the algorithms for Digital Signatures, there are 3 of them
 in FIPS 186-2, those are a good beginning, you can then compare these to NSS
 (from NTRU www.ntru.com), various PKCS1 versions, ACE Sign, ESIGN, FLASH,
 QUARTZ, SFLASH (all 5 available from

If you are researching digital signatures, you need to take a look at the
X.509 standard.

Vance Gloster   One should never listen. To listen is a sign of
[EMAIL PROTECTED] indifference to one's hearers. -Oscar Wilde
http://www.vancesoft.com/vmghome




--

From: [EMAIL PROTECTED]
Subject: Re: Uniciyt distance and compression for AES
Date: Sat, 09 Jun 2001 01:36:49 -0800

Tim Tyler 

Cryptography-Digest Digest #574

2001-06-09 Thread Digestifier

Cryptography-Digest Digest #574, Volume #14   Sat, 9 Jun 01 12:13:01 EDT

Contents:
  Re: National Security Nightmare? (Tim Tyler)
  Re: National Security Nightmare? (Tim Tyler)
  Re: Uniciyt distance and compression for AES ([EMAIL PROTECTED])
  Re: Uniciyt distance and compression for AES ([EMAIL PROTECTED])
  Re: Uniciyt distance and compression for AES ([EMAIL PROTECTED])
  Re: cubing modulo 2^w - 1 as a design primitive? (Peter L. Montgomery)
  Re: cubing modulo 2^w - 1 as a design primitive? (Tom St Denis)
  Re: Uniciyt distance and compression for AES (SCOTT19U.ZIP_GUY)
  Re: Uniciyt distance and compression for AES (SCOTT19U.ZIP_GUY)
  Re: Uniciyt distance and compression for AES (SCOTT19U.ZIP_GUY)
  Re: Brute-forcing RC4 (Charles Lyttle)
  Re: OTP WAS BROKEN!!! (Charles Lyttle)
  Re: Uniciyt distance and compression for AES ([EMAIL PROTECTED])
  Re: Uniciyt distance and compression for AES ([EMAIL PROTECTED])
  Re: Uniciyt distance and compression for AES (Tom St Denis)
  Re: cubing modulo 2^w - 1 as a design primitive? (Mika R S Kojo)
  Re: cubing modulo 2^w - 1 as a design primitive? (Tom St Denis)



From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: National Security Nightmare?
Reply-To: [EMAIL PROTECTED]
Date: Sat, 9 Jun 2001 13:05:09 GMT

David Wagner [EMAIL PROTECTED] wrote:

: In particular, I couldn't find any prohibition against the GCHQ
: backdoor, i.e., a gentleman's agreement between the NSA and GCHQ to
: spy on each other's citizens and swap intercepts.  If it is the
: policy of the NSA that such conduct is forbidden, how can I tell?

I believe GCHQ does not need to go to any such lengths if it wants to
spy on UK citizens.

The NSA gets other things (besides info on US citizens) from the UK -
things like the Menwith Hill Station - from which they can conveniently
spy on the rest of Europe.

No doubt the UK gets something out of it all.  It seems likely that the
NSA has various desirable bargaining chips to play with.
-- 
__
 |im |yler  [EMAIL PROTECTED]  Home page: http://alife.co.uk/tim/

--

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: National Security Nightmare?
Reply-To: [EMAIL PROTECTED]
Date: Sat, 9 Jun 2001 13:16:02 GMT

JPeschel [EMAIL PROTECTED] wrote:
: John Myre [EMAIL PROTECTED] writes:
:JPeschel wrote:

: No, Phil, the English of Americans and the British is one language.

:Barely.

: Barely? How so?

There are at least a few irritating differences.  These irk me whenever I
use programming languages written by Americans - because they don't seem
to know how to spell things like colour properly ;-)
-- 
__
 |im |yler  [EMAIL PROTECTED]  Home page: http://alife.co.uk/tim/

--

Subject: Re: Uniciyt distance and compression for AES
From: [EMAIL PROTECTED]
Date: 09 Jun 2001 09:49:17 -0400

[EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) writes:
 
   Actually you're quite wrong; there is no need to reject meaningless
 messages by compression. What compression does is to make a large
 set of files smaller.

Actually, it makes a *tiny* set of files smaller--so tiny as to be
practically nonexistent. It makes a similarly tiny set of files *much*
larger. The vast majority of files are barely changed in size--they may
stay the same, get slightly larger, or get slightly smaller.

   Yes, if it reduces redundancy in messages, yes, many meaningless ones will
 be reduced too. So what. But the very fact of reducing it in your
 target set increases the density of those messages.

From practically zero to practically zero. It may ``increase'' the
density, but not enough to make a difference. (Unless extremely careful
effort is devoted to exactly that outcome.)

Len.


-- 
Frugal Tip #58:
Make people give you money at gunpoint. But do it in a nice way so they
won't feel bad about the experience overall.

--

Subject: Re: Uniciyt distance and compression for AES
From: [EMAIL PROTECTED]
Date: 09 Jun 2001 09:55:23 -0400

Tom St Denis [EMAIL PROTECTED] writes:

 Typically random ASCII messages will not compress much if any at all.

One would expect them to compress by about 12.5% at least, since every
eighth bit is known to be zero. Which isn't ``hardly any'', but is still
quite a bit less than English text.

 What I don't get is why do you think brute force is [impossible] or [very
 hard]?  I can still guess the key, I can still try to decompress and I can
 still check for proper ASCII and english digrams.

Bingo! For messages of realistic (and still very small) size, the
likelihood of a false positive is essentially zero--unless some
specific property of the codec ensures otherwise. Which requires
proof.

 For example if I see PQ or MZ etc in the plaintext I can be sure I've
 most likely guessed the key wrong.

Note that random padding can help defeat such statistical analysis--but
all that does is increase the work. It changes the 

Cryptography-Digest Digest #575

2001-06-09 Thread Digestifier

Cryptography-Digest Digest #575, Volume #14   Sat, 9 Jun 01 14:13:01 EDT

Contents:
  where can I find information about DES? (doublemc)
  Re: Shannon's definition of perfect secrecy (Mok-Kong Shen)
  Re: where can I find information about DES? (Mok-Kong Shen)
  Re: Uniciyt distance and compression for AES (SCOTT19U.ZIP_GUY)
  Re: cubing modulo 2^w - 1 as a design primitive? (Mok-Kong Shen)
  Re: Uniciyt distance and compression for AES (Tom St Denis)
  Re: cubing modulo 2^w - 1 as a design primitive? (Mark Wooding)
  Re: Shannon's definition of perfect secrecy (SCOTT19U.ZIP_GUY)
  Re: where can I find information about DES? (Robert J. Kolker)
  Re: where can I find information about DES? (Robert J. Kolker)
  Re: cubing modulo 2^w - 1 as a design primitive? (Tom St Denis)
  Re: cubing modulo 2^w - 1 as a design primitive? (Tom St Denis)
  Re: Hex notation (Paul Schlyter)
  Re: Shannon's definition of perfect secrecy (John Savard)
  Re: cubing modulo 2^w - 1 as a design primitive? (Tom St Denis)
  Re: Simple C crypto (Sam Simpson)
  Re: Simple C crypto (Sam Simpson)
  Re: Shannon's definition of perfect secrecy (SCOTT19U.ZIP_GUY)
  Re: Simple C crypto (Tom St Denis)
  RC5 test vector (Cristiano)
  Re: RC5 test vector (Tom St Denis)



From: doublemc [EMAIL PROTECTED]
Subject: where can I find information about DES?
Date: Sat, 09 Jun 2001 16:20:37 GMT

Hi everybody!
I'm searching for information about DES.
Can you help me find it?

Thank you.



--

From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: Shannon's definition of perfect secrecy
Date: Sat, 09 Jun 2001 18:27:33 +0200



Tim Tyler wrote:
 
[snip]
 Yes - he doesn't deal with the conventional OTP on finite files in the
 passage you quote.

After having followed part of this thread, I am still not
very clear about the current status of the debate over the 
conventional OTP (which is the case of more practical
significance than the case of infinite stream in my humble
view). Is it correct to say that Shannon's paper doesn't 
deal with the conventional OTP and hence he has not proved 
the perfect security of the conventional OTP (and hence
some of the literature seems to be a bit problematic
on the issue)? If yes, is the conventional OTP perfectly 
secure or not and how to rigorously prove that in the
positive case? Thanks.

M. K. Shen

--

From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: where can I find information about DES?
Date: Sat, 09 Jun 2001 18:31:27 +0200



doublemc wrote:
 
 I'm searching for information about DES.

If you do not absolutely need the original standard
document, look it up in the commonly recommended
textbooks (Stinson, Schneier, Menezes et al., etc.) or do
a search over the internet.

M. K. Shen

--

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Uniciyt distance and compression for AES
Date: 9 Jun 2001 16:36:08 GMT

[EMAIL PROTECTED] (Tom St Denis) wrote in
hirU6.69324$[EMAIL PROTECTED]: 

Also to drag the dead around (like he does to David Wagner) he once said
he found a short cut attack on RC5 that would reduce the keyspace to
nothing. I wonder what came of that?  He hasn't won the RC5 64 challenge
yet so I guess he's a BS'ing liar (as he would put it).


  As you can tell Tom is full of shit. When did I say something
about a short cut attack on RC5 that would reduce the keyspace
to nothing? Or are you just blowing smoke out your ass as usual.

  I guess I could keep arguing with Tom as usual. But it's really
a waste of time. You can believe his distorted lies if you wish.
I for one think the only sane thing is to put him back in my kill
file for another month, since arguing with him is totally
unproductive.




David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE OLD VERSION
http://www.jim.com/jamesd/Kong/scott19u.zip
My website http://members.nbci.com/ecil/index.htm
My crypto code http://radiusnet.net/crypto/archive/scott/
MY Compression Page http://members.nbci.com/ecil/compress.htm
**NOTE FOR EMAIL drop the roman five ***
Disclaimer:I am in no way responsible for any of the statements
 made in the above text. For all I know I might be drugged or
 something..
 No I'm not paranoid. You all think I'm paranoid, don't you!


--

From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: cubing modulo 2^w - 1 as a design primitive?
Date: Sat, 09 Jun 2001 18:40:00 +0200



Tom St Denis wrote:
 
 Mark Wooding [EMAIL PROTECTED] wrote:
  Tom St Denis [EMAIL PROTECTED] wrote:
 
   It is a bijection since 3 does not divide the order for w=32 or w=64.
 
  It's a bijection in Z/(2^w - 1)Z.  Unfortunately, we're probably
  actually working in Z/(2^w)Z.  As a result, the mapping is biased,
  noninjective and nonsurjective.  I can't see an attack against sixteen
  rounds, but that doesn't mean there isn't one.
 
 It lacks one 
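A direct check of the point Mark makes above, as an added example that is not from the thread (the function names are mine): count how many distinct values x^3 takes modulo 2^w - 1 and modulo 2^w, and how many inputs collide on the worst output, for w = 8 and w = 16.

```python
"""Cubing as a map on Z/(2^w - 1) versus Z/(2^w): is it a bijection?

Added example, not from the thread; function names are my own.
"""
from collections import Counter


def cube_preimage_counts(modulus):
    """How many x in [0, modulus) land on each value of x^3 mod modulus."""
    return Counter(pow(x, 3, modulus) for x in range(modulus))


def is_cube_bijection(modulus):
    """True iff x -> x^3 mod modulus hits every residue exactly once."""
    return len(cube_preimage_counts(modulus)) == modulus


def cube_bias(modulus):
    """Largest number of preimages of any single output (1 for a bijection).

    Modulo a power of two the worst case is output 0: every x whose power of
    two is at least ceil(w/3) cubes to 0, so 32 inputs collide for w = 8.
    """
    return max(cube_preimage_counts(modulus).values())


def compare(w):
    """(bijective mod 2^w - 1, bijective mod 2^w, max preimages mod 2^w)."""
    return (
        is_cube_bijection((1 << w) - 1),
        is_cube_bijection(1 << w),
        cube_bias(1 << w),
    )


if __name__ == "__main__":
    for w in (8, 16):
        print(f"w={w}: (bijective mod 2^w-1, bijective mod 2^w, worst collision) = {compare(w)}")
```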

Cryptography-Digest Digest #576

2001-06-09 Thread Digestifier

Cryptography-Digest Digest #576, Volume #14   Sat, 9 Jun 01 21:13:01 EDT

Contents:
  Re: Differential cryptanalysis (Adam O'Brien)
  Re: National Security Nightmare? (Jim D)
  Re: National Security Nightmare? (Jim D)
  Re: OTP WAS BROKEN!!! (Jim D)
  Re: Differential cryptanalysis (Tom St Denis)
  Re: Brute-forcing RC4 (Ichinin)
  Re: Any Informed Opinions? (Jeffrey Walton)
  Re: Uniciyt distance and compression for AES ([EMAIL PROTECTED])
  Encryption based password validation system? (phallen)
  Re: Encryption based password validation system? (Tom St Denis)
  Re: Encryption based password validation system? ([EMAIL PROTECTED])
  Re: Shannon's definition of perfect secrecy (Mok-Kong Shen)
  Re: cubing modulo 2^w - 1 as a design primitive? (Mok-Kong Shen)
  Re: cubing modulo 2^w - 1 as a design primitive? (Tom St Denis)
  Re: cubing modulo 2^w - 1 as a design primitive? (Tom St Denis)



From: Adam O'Brien [EMAIL PROTECTED]
Subject: Re: Differential cryptanalysis
Date: Sat, 09 Jun 2001 18:55:39 GMT

Sorry Tom, I still don't understand. What do A, B and x refer to, and how do
they relate to Sio and Sii in Table 5?
Adam
Tom St Denis [EMAIL PROTECTED] wrote in message
news:RAoU6.68230$[EMAIL PROTECTED]...

 Adam O'Brien [EMAIL PROTECTED] wrote in message
 news:0voU6.24565$[EMAIL PROTECTED]...
  I'm reading Biham and Shamir's paper, Differential Cryptanalysis of
 DES-like
  cryptosystems.
  I can understand how to derive Table 5.
  Can anyone help?

 Simple.

 You count how many times

 A = sbox[x] xor sbox[x xor B]

 For all A,B,x in the domain of the sbox i.e

 s = 0
 for x = 0 to N-1 do
if A = sbox[x] xor sbox[x xor B]
s = s + 1

 If you can support the memory you can write the code as

 for A = 0 to N-1 do
 for B = 0 to N-1 do
 for x = 0 to N-1 do
dt[B][sbox[x] xor sbox[x xor A]] += 1

 (where a += 1 means a = a + 1)

 Tom
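The table Tom's second loop builds, as an added example that is not from the thread: a Python routine for the pairs XOR distribution table, run over DES S-box S1 as a concrete case. It is indexed ddt[input XOR][output XOR] (one cell is exactly Tom's first loop over x); the S1 entries are the FIPS 46 table and the helper names are mine.

```python
"""Pairs XOR distribution table (DDT) of DES S-box S1.

Added example, not from the thread.  Following Tom's second loop the table is
indexed ddt[input_xor][output_xor]; each cell counts the inputs x for which
sbox(x) ^ sbox(x ^ input_xor) == output_xor.  S1 is the FIPS 46 table.
"""
from typing import Callable, List, Tuple

# DES S-box S1: four rows of sixteen 4-bit outputs.
DES_S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def s1(x: int) -> int:
    """S1 on a 6-bit input: bits 5 and 0 select the row, bits 4..1 the column."""
    row = ((x >> 5) & 1) << 1 | (x & 1)
    col = (x >> 1) & 0xF
    return DES_S1[row][col]


def count_pairs(sbox: Callable[[int], int], n_in: int, din: int, dout: int) -> int:
    """Tom's first loop on its own: one cell, the number of x with din -> dout."""
    return sum(1 for x in range(n_in) if sbox(x) ^ sbox(x ^ din) == dout)


def ddt(sbox: Callable[[int], int], in_bits: int, out_bits: int) -> List[List[int]]:
    """Whole table: one row per input XOR, one column per output XOR."""
    n_in, n_out = 1 << in_bits, 1 << out_bits
    table = [[0] * n_out for _ in range(n_in)]
    for din in range(n_in):        # outer loop: input XOR
        for x in range(n_in):      # inner loop: every S-box input
            table[din][sbox(x) ^ sbox(x ^ din)] += 1
    return table


def best_differentials(table: List[List[int]], top: int = 5) -> List[Tuple[int, int, int]]:
    """Highest-count (input_xor, output_xor, count) cells, skipping the trivial 0 -> 0."""
    cells = [(din, dout, c) for din, row in enumerate(table)
             for dout, c in enumerate(row) if din and c]
    return sorted(cells, key=lambda cell: -cell[2])[:top]


S1_DDT = ddt(s1, 6, 4)   # 64 rows (input XOR) x 16 columns (output XOR)

if __name__ == "__main__":
    # Row 34x is the one the paper singles out; 2x has 16 of the 64 inputs.
    print("34x ->", " ".join(f"{c:2d}" for c in S1_DDT[0x34]))
    for din, dout, c in best_differentials(S1_DDT):
        print(f"{din:02x} -> {dout:x}: {c}/64")
```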





--

From: [EMAIL PROTECTED] (Jim D)
Subject: Re: National Security Nightmare?
Date: Sat, 09 Jun 2001 18:58:18 GMT
Reply-To: Jim D

On Sat, 09 Jun 2001 00:41:19 GMT, Tom St Denis [EMAIL PROTECTED]
wrote:


Jim D [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 On Fri, 08 Jun 2001 17:01:09 GMT, Tom St Denis [EMAIL PROTECTED]
 wrote:

 A bunch of people is wrong.  Doesn't sound right since it is more than
one
 person who is wrong.

 There's only one bunch.

Yeah I agree the original is grammatically correct, it just doesn't sound
right.

Quite so. 'the police have...', '...the government have...' is what you
usually hear. Grammatically wrong, but acceptably so.

-- 
__

Posted by Jim D.

Propino tibi salutem !

jim @sideband.fsnet.co.uk
dynastic @cwcom.net
___

--

From: [EMAIL PROTECTED] (Jim D)
Subject: Re: National Security Nightmare?
Date: Sat, 09 Jun 2001 18:58:19 GMT
Reply-To: Jim D

On Sat, 9 Jun 2001 13:05:09 GMT, Tim Tyler [EMAIL PROTECTED] wrote:

David Wagner [EMAIL PROTECTED] wrote:

: In particular, I couldn't find any prohibition against the GCHQ
: backdoor, i.e., a gentleman's agreement between the NSA and GCHQ to
: spy on each other's citizens and swap intercepts.  If it is the
: policy of the NSA that such conduct is forbidden, how can I tell?

I believe GCHQ does not need to go to any such lengths if it wants to
spy on UK citizens.

GCHQ does not do so. Believe me. They have other things to waste
our money on.

Spying on UK citizens is done by the lying, blackmailing, murdering
outfit known as the Security Services (ex MI5).

-- 
__

Posted by Jim D.

Propino tibi salutem !

jim @sideband.fsnet.co.uk
dynastic @cwcom.net
___

--

From: [EMAIL PROTECTED] (Jim D)
Subject: Re: OTP WAS BROKEN!!!
Date: Sat, 09 Jun 2001 18:58:20 GMT
Reply-To: Jim D

On Sat, 09 Jun 2001 14:51:51 GMT, Charles Lyttle [EMAIL PROTECTED]
wrote:

Al wrote:
 
 Interesting...
 Your replies seem to suggest that you think there is some merit in
 what newbie says...
 OTP is indistinguishable from completely randomly generated numbers,
 even seemingly random typing of the upper row of numbers. This could
 be any message shifted out mod 26, that's the point of this OTP thread.
 Do you guys get out much?

But your message wasn't completely randomly generated numbers, as Paul
demonstrated. The second biggest problem with OTP is that it is very
difficult to get a large quantity of true random numbers. 

Doesn't have to be. Need only be random enough so the cryptanalyst
can't/is unlikely to be able to predict the next key byte.

-- 
__

Posted by Jim D.

Propino tibi salutem !

jim @sideband.fsnet.co.uk
dynastic @cwcom.net
___

--

From: Tom St Denis [EMAIL 

Cryptography-Digest Digest #561

2001-06-08 Thread Digestifier

Cryptography-Digest Digest #561, Volume #14   Fri, 8 Jun 01 03:13:01 EDT

Contents:
  Re: Humor, I Must be a Threat to National Security (Miguel Cruz)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: DES not a group proof (JPeschel)
  Re: And the FBI, too (Re: National Security Nightmare?) (Paul Crowley)
  Re: Simple C crypto (Samuel Paik)
  Re: Simple C crypto (Samuel Paik)
  Re: DES not a group proof (John A. Malley)
  Re: And the FBI, too (Re: National Security Nightmare?) (Paul Rubin)
  Re: DES not a group proof (Paul Rubin)
  Re: Some questions on GSM and 3G (Gregory G Rose)
  Re: DES not a group proof (Paul Rubin)
  Re: What is a skeleton book? (John Savard)
  Re: DES not a group proof (Gregory G Rose)



Crossposted-To: comp.security.misc
Subject: Re: Humor, I Must be a Threat to National Security
From: Miguel Cruz [EMAIL PROTECTED]
Date: Fri, 08 Jun 2001 05:13:02 GMT

David G. Boney [EMAIL PROTECTED] wrote:
 My frustrations with trying to find a job in government service are
 summarized in an essay I have posted that is titled, I Must be a Threat
 to National Security. I have also placed my rejection letters from the
 CIA and NSA on-line.

 http://www.seas.gwu.edu/~dboney/security.html

Please forgive my bluntness:

If those three innocuous rejection letters are enough to make you go off on
a web/usenet rant about the government and the evil they do and conspiracies
against you, then I can only assume you have at least a slight
predisposition for this sort of behavior.

Assuming, then, that your qualifications were a match with their
requirements and they had someone go out and ask some questions, my guess is
that this issue would come out early and they would decide dealing with you
wasn't worth their trouble.

For future reference, though, I will point out that the screening process
for most government positions takes some time to master. Your application is
generally reviewed by someone who has very little familiarity with the
subject matter of the position. This person sits all day long reading
through applications for a number of different jobs, scanning them for
matches against lists of required and eliminating factors. If you don't
have the required factors, you're in the bin. You have an eliminating
factor, you're in the bin.

So, if my earlier presumptuous guess about your having left a trail of
paranoid rants through your prior academic and work careers is off the mark,
here are a couple of tips should you choose to continue your quest for
government work:

1) Go read all the books your library has about applying to government jobs.

2) Don't send out 7 or 8 applications and think you can sit back and watch
the offers roll in. These places post positions constantly, and they receive
bags full of applications. This is not the little furniture shop down the
road. When you've sent out 100, then you're on your way. When you get the
process down (completed OF-612 in Word/Acrobat, a full array of KSA snippets
in store), the applications shouldn't take more than a few minutes each.
Your biggest worry should be postage.

3) Call the contact person listed in the position announcement and ask for
advice on why you were rejected. Be polite and friendly; just explain that
you're trying to improve your chances in the future.

4) If anything in your application sounded even remotely like your web site,
then get a friend to proofread for tone and overall intelligibility. The web
site reads like you hired the Unabomber to ghostwrite, and paid him in
vodka.

miguel
-- 
Hit The Road! Photos and tales from around the world: http://travel.u.nu

--

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Reply-To: [EMAIL PROTECTED]
Date: Fri, 8 Jun 2001 05:03:57 GMT

Tom St Denis [EMAIL PROTECTED] wrote:
: Tim Tyler [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
: Tom St Denis [EMAIL PROTECTED] wrote:
: : Tim Tyler [EMAIL PROTECTED] wrote in message
: : Tom St Denis [EMAIL PROTECTED] wrote:
: : : Tim Tyler [EMAIL PROTECTED] wrote in message
: : : Tom St Denis [EMAIL PROTECTED] wrote:
: : : : Tim Tyler [EMAIL PROTECTED] wrote in message

: : Well, strictly speaking it seems likely that nothing can encrypt an
: : infinite plaintext because the universe will burn out while it tries.
: :
: : That aside, memory does not stop stream cyphers from encrypting large
: : messages, since the stream does not need to be stored all at once.
: : Why would you think otherwise?
:
: : Because a finite state machine can only be in a finite number of states.
:
: Why do you need to have more than a million states to act as a stream
: cypher on long messages?

: If you reuse the PRNG output (replace PRNG with stream cipher if you will)
: then 

Cryptography-Digest Digest #560

2001-06-08 Thread Digestifier

Cryptography-Digest Digest #560, Volume #14   Fri, 8 Jun 01 01:13:00 EDT

Contents:
  Re: Any Informed Opinions? (Bob Silverman)
  Re: Knapsack security??? Ahhuh (rosi)
  Re: Any Informed Opinions? (Jeffrey Walton)
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, and Large Primes (sisi jojo)
  What is a skeleton book? (John A. Malley)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (John A. Malley)
  Re: Notion of perfect secrecy (SCOTT19U.ZIP_GUY)
  Re: Simple C crypto (Dirk Bruere)
  Re: Any Informed Opinions? (Dirk Bruere)
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, and Large Primes (SCOTT19U.ZIP_GUY)
  Re: MD5 for random number generation? (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: What is a skeleton book? (Robert J. Kolker)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (JPeschel)



From: [EMAIL PROTECTED] (Bob Silverman)
Subject: Re: Any Informed Opinions?
Date: 7 Jun 2001 20:04:03 -0700

Robert J. Kolker [EMAIL PROTECTED] wrote in message 
news:[EMAIL PROTECTED]...
 Does anyone have informed opinions
 on what influence quantum computing
 will have on cryptography and
 cryptanalysis?

I have such an opinion.
 
 Qbits are alive and real. It remains to
 be seen if genuine computers can be
 made from them.

You just stated my opinion.

Does anyone remember when wafers were going to be a panacea to 
technology limitations?  Ditto for Josephson Junctions  or
Room temperature superconductors or Gallium Arsenide??

--

From: rosi [EMAIL PROTECTED]
Subject: Re: Knapsack security??? Ahhuh
Date: Fri, 8 Jun 2001 00:21:58 -0400

Dear John,

Thank you for the reply.

I will perhaps never know why you think I am taunting you.
But if you do, whether it is really due to me, I apologize.

Merc42 asked in pretty general terms about the knapsack
problem and you seem eager to know. I offered to share
information. Is this fair?

First, I do not know how far we can go. The requirement for
basic knowledge will still apply. Without that, we can get stuck
anywhere.

So, is it a go?

I think it is only fair that I give you enough information on
what is ahead. I have some simple stuff, from which I would like
to see if certain things are as trivial as I seem to see. So I give the
best shot I can fire and would like you to help me. I will put
forth two quite non-technical questions, which do not require
definitive answers (or in other words, what answers come back is
not that important). There is one technical issue I would appreciate
it if you could share your thoughts with us, but that is not really
expected. It is up to you. The issue is to prove from what I
give you that P != NP. (Hope you are still in your chair if you
were:). Checked, I am still in mine)

Please do not be alarmed. It should be simple. Ideas about
both the two questions and the P!=NP issue can be formed in
your head by simply ‘staring at’ a construction I give you for a
few minutes. I am not saying that you may come up with all
the boring details of a proof after reading and thinking about
it for a few minutes. I mean that you can get the sense of it.

So you now may see that I am not in NTRU, not just because
I have nothing to do with NTRU. What I want is to complete the
sentence about THE whole issue and put a small fullstop to
it. Simple enough?

I caution that I am not interested in other ways of proving this
time and you may not use the material on P!=NP for the past
couple of years (should there have been any). Of course, you
can prove (or even disprove) P!=NP in any way, but I am only
interested in a result from the construction I give you. You may
comment on other related things and virtually anything that you
feel relevant. Clear? If you need, I can help in a very limited way,
such as telling you the few alphabetical letters summing up a
proof. There is more than one way to prove it, I believe. As
long as a proof is based on the construction, you can use any
technique.

I think I can go even more specific on the two questions.
I will give you two statements about the construction. Both are
lies, obvious lies. What I want you to help with is to comment on the
two lies. In particular, I hope you point out why they are lies
and, more interestingly in my opinion, that you see that even though
they are lies, they are practically valid. (Be aware that I did not
say that a proof will have such kind of lies, or any lies, in it.)
You do not have to say what I expect you to say.

Cryptography-Digest Digest #562

2001-06-08 Thread Digestifier

Cryptography-Digest Digest #562, Volume #14   Fri, 8 Jun 01 05:13:00 EDT

Contents:
  Re: DES not a group proof (David A Molnar)
  Algorithms (abhijeet)
  Re: Brute-forcing RC4 (S Degen)
  Re: Simple C crypto (Nicol So)
  Re: Def'n of bijection (Tim Tyler)
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, and (Mok-Kong Shen)
  Re: Some questions on GSM and 3G (Mok-Kong Shen)
  Re: DES not a group proof (Pascal Junod)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) ([EMAIL PROTECTED])
  Re: Def'n of bijection ([EMAIL PROTECTED])
  Re: Def'n of bijection (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Def'n of bijection ([EMAIL PROTECTED])
  Re: Def'n of bijection (Tim Tyler)



From: David A Molnar [EMAIL PROTECTED]
Subject: Re: DES not a group proof
Date: 8 Jun 2001 07:13:37 GMT

JPeschel [EMAIL PROTECTED] wrote:

 bucks and it appears to be a book and a CD. The on-line review, however, says
 the CD isn't 
 easily readable. Has anyone here actually seen the product?

I picked up what must have been one of the first copies. It's a godsend 
when trying to find papers like this. Every paper available in PDF format, 
most of them from scans of the original. Some of the earlier volumes are 
difficult to read onscreen, but I've never had any problem reading the 
printed versions. 

(I always print everything out anyway; better to mark the margins).

It's a bargain at the price. Especially if you don't have a well-equipped 
library nearby.

-David

--

From: [EMAIL PROTECTED] (abhijeet)
Subject: Algorithms
Date: 8 Jun 2001 00:33:01 -0700

Hi,
I am writing my thesis on cryptography in Digital signature.
Can anyone suggest a book or paper where I can get
the full C or C++ code for the algorithms?
thanking you
regards

--

From: S Degen [EMAIL PROTECTED]
Subject: Re: Brute-forcing RC4
Date: Fri, 08 Jun 2001 09:36:53 +0200



Scott Fluhrer wrote:
 
 S Degen [EMAIL PROTECTED] wrote in message
 news:[EMAIL PROTECTED]...
 
  How much time would it take to brute-force a 40 bit RC4 key? (Of course
  depending on the processor speed, but let's say a PIII 500)
 
  This is the case:
  You have a 128 bit (ASCII) text, and the encyphered version of it. This
  version is encyphered with a 64 bit secret key, but of those 64 bits, 24
  bits are known. (Leaving 40 unknown bits)
 
  I would like to know how long it would approximately take to calculate
  the 40 bit secret key.
 
 Would you mind very much if I asked what system you were attacking?

Of course not, dear sir.
I am relating to the encryption of data in a Wireless LAN.
The 802.11 protocol has a 'mode' where the server uses an encryption
challenge to authorize a client. Both the server and the client have 
the same secret key. The server sends the client a plaintext challenge
(unencrypted) and the client sends the encrypted challenge back,
including the Initialisation Vector used. The server checks if the key
that the client used is the correct key. The key used for encryption
is 64 bits, but the (known) IV is 24 bits. This leaves 40 bits of the 
key unknown, but with the plaintext and encrypted challenge available, 
it should be possible to figure out the key.

 
 --
 poncho

--

From: Nicol So [EMAIL PROTECTED]
Subject: Re: Simple C crypto
Date: Fri, 08 Jun 2001 03:41:17 -0400
Reply-To: see.signature

Dirk Bruere wrote:
 
  Why even bother with crypto?  Just xor the file with 0xAA.
 
 Quite likely a variant of that will be used, unless there is some
 almost-as-simple and stronger alternative.
 Hence my inquiry.

If you're willing to even consider a simple obfuscation scheme like
XOR'ing with 0xAA, you can do better by XOR'ing the text to be
obfuscated with a pseudorandom sequence generated by the random()
library function of your development tool. Typically you can control the
pseudorandom sequence by specifying the seed. 

This is very simple to explain to a programmer/coder, although it
provides little security in a real sense. However, that seems to be what
you're looking for.

-- 
Nicol So, CISSP // paranoid 'at' engineer 'dot' com
Disclaimer: Views expressed here are casual comments and should
not be relied upon as the basis for decisions of consequence.

--

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Def'n of bijection
Reply-To: [EMAIL PROTECTED]
Date: Fri, 8 Jun 2001 07:39:23 GMT

[EMAIL PROTECTED] wrote:
: Tim Tyler [EMAIL PROTECTED] writes:
: [EMAIL PROTECTED] wrote:

:: Um, it's a mathematical term, Tim. A statement is vacuously true when
:: it cannot possibly be false. In other words, the statement contains
:: no information.
: 
: I guess you think Fermat's Last Theorem is vacuous, then.  Its negation
: is known to be an impossibility, after all.

: No. Read it again: 

Cryptography-Digest Digest #563

2001-06-08 Thread Digestifier

Cryptography-Digest Digest #563, Volume #14   Fri, 8 Jun 01 06:13:00 EDT

Contents:
  Re: Best, Strongest Algorithm (gone from any reasonable topic) ([EMAIL PROTECTED])
  Re: Def'n of bijection (Tim Tyler)
  Re: Knapsack security??? Ahhuh (Jakob Jonsson)
  Re: Simple C crypto (Sergei Lewis)
  Re: Def'n of bijection ([EMAIL PROTECTED])
  Re: Def'n of bijection ([EMAIL PROTECTED])
  Re: Def'n of bijection (Tim Tyler)
  Algorithm take 3 - LONG (was : Re: RSA's new Factoring Challenges: $200,000 prize. (my be repeat)) (Michael Brown)
  Re: Def'n of bijection (Tim Tyler)
  Re: Some questions on GSM and 3G (Erwann ABALEA)
  Re: Def'n of bijection ([EMAIL PROTECTED])



Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
From: [EMAIL PROTECTED]
Date: 08 Jun 2001 05:12:05 -0400

Mok-Kong Shen [EMAIL PROTECTED] writes:
 Tom St Denis wrote:
 
 What's your thesis on?  Mind sending me a copy?
 
 Unless you are a 'collectioner' by nature, I wouldn't
 in your (and my own) place access thesis in math, for these
 are invariably virtually 'undigestable' by non-mathematicians.

Mok is probably right, though I'm flattered. It's in PDE, specifically
quasiconformal analysis, and has nothing to do with cryptography. (But
if you want a pdf, email me and I'll send it to you.)

Len.

-- 
Frugal Tip #17:
Visit the Ford Foundation while disguised as a large, charitable
organization.

--

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Def'n of bijection
Reply-To: [EMAIL PROTECTED]
Date: Fri, 8 Jun 2001 09:04:44 GMT

[EMAIL PROTECTED] wrote:
: Tim Tyler [EMAIL PROTECTED] writes:

: According to you a statement is vacuously true when it cannot possibly be
: false.

: No. [...]

Well, that *is* what you wrote - my statement above was correct.

: An implication is vacuously true if its premise cannot possibly be
: true.

So how does that apply to Fermat's last theorem?

x^n + y^n = z^n has a non-zero integer solution for x, y and z when n > 2

...cannot /possibly/ be true - it has been *proven* to be false.

So - according to both of your own definitions - it is vacuously true.

It seems that being vacuously true (with your definition of the term) is
nothing to be ashamed of.
-- 
__
 |im |yler  [EMAIL PROTECTED]  Home page: http://alife.co.uk/tim/

--

From: Jakob Jonsson [EMAIL PROTECTED]
Subject: Re: Knapsack security??? Ahhuh
Date: Fri, 8 Jun 2001 11:14:38 +0200

 Diophantine encryption for public key encoding

http://www.frontiernet.net/~jmb184/interests/sci.crypt/numerical_encryption.
html
 In this last one, an encrypted message e = r*h + m*k where e is the
 encrypted message, r is a random number, h and k are public key
 values, and m is the encrypted message (number)  m is recovered by
 computing m = e*g mod p mod q where g, p, and q are calculated from
 the private keys.

This scheme doesn't look terribly secure to me. If q divides p, then we may
decrypt messages as follows. We assume that h and k have no divisors in
common. Multiply e with the inverse k' of k modulo h and compute modulo h:

e*k' == r*h*k' + m*k*k' == m (mod h).

Since q divides p, we have that h = q*k mod p is a multiple of q and hence
larger than m. Thus m is recovered using (h,h) instead of (p,q).

If q does not divide p, then the expression m+q*r must not exceed p (if it
does, (m+q*r) mod p mod q won't be equal to m). We may assume that k and h
are relatively prime. Select q' such that q' is as small as possible but
larger than the largest allowed value on m. Define

p' = k*q'-h.

Then

(k^{-1} mod p')*e == k^{-1}*r*h + m == k^{-1}*r*k*q' + m == r*q' + m (mod
p').

From this expression we will be able to recover m unless r*q'+m is larger
than p'. However, the correct private key (p,q) satisfies r*q+m < p. If
r*q'+m >= p', then

k-h/q' = p'/q' <= m/q' + r < m/q' + p/q - m/q.

Now the correct private key (p,q) satisfies t*p = k*q-h for some integer t
(h == k*q (mod p)). In particular, p/q = k-h/q. Hence we obtain

k - h/q' < m/q' + p/q - m/q = m/q' + k - h/q - m/q ==> (h+m)/q < (h+m)/q'.

This is a contradiction, because q' was minimal. Thus (r*q'+m) mod p' mod q'
= m.

This scheme does not seem to have anything in common with the NTRU scheme.

Jakob
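The scheme and both of Jakob's recoveries carried out in Python, as an added example that is not from the thread. It assumes the relations used in the post, h == k*q (mod p) with g = k^{-1} mod p for the legitimate receiver, and every parameter value (p, q, k, the message bound, the range of r) is constructed for the demonstration, chosen so that r*q + m < p always holds.

```python
"""Toy 'Diophantine' public-key scheme from the thread and Jakob's two recoveries.

Added example, not from the thread.  The scheme is reconstructed from the
relations in the posts: public (h, k) with h == k*q (mod p), private (p, q)
and g = k^-1 mod p, e = r*h + m*k, m = (e*g mod p) mod q.  All numbers below
are constructed for the demonstration.
"""
from math import gcd

M_MAX = 255    # public message bound: messages are single byte values
R_MAX = 3889   # constructed: 3889*257 + 255 < 1000003 and 3889*256 + 255 < 996002


def keygen():
    """Return (private, public) = ((p, q, g), (h, k)) for constructed parameters."""
    p, q, k = 1_000_003, 257, 4001   # constructed; k*q = p + h exactly (t = 1)
    h = (k * q) % p                  # 28254; gcd(k, h) == 1 as the post assumes
    g = pow(k, -1, p)                # private decryption multiplier
    assert gcd(k, h) == 1 and (k * q - h) // p == 1
    return (p, q, g), (h, k)


def encrypt(pub, m, r):
    """e = r*h + m*k with 0 <= m <= M_MAX and 0 <= r <= R_MAX."""
    h, k = pub
    if not (0 <= m <= M_MAX and 0 <= r <= R_MAX):
        raise ValueError("message or randomiser out of range")
    return r * h + m * k


def decrypt(priv, e):
    """Legitimate decryption: e*g == r*q + m (mod p); reducing mod q drops r*q."""
    p, q, g = priv
    return (e * g % p) % q


def recover_mod_h(pub, e):
    """Jakob's first recovery: use (h, h) as the private key.

    e*k' == m (mod h) for k' = k^-1 mod h, so m comes back whenever m < h.
    """
    h, k = pub
    return decrypt((h, h, pow(k, -1, h)), e)


def recover_with_forged_key(pub, e, m_max=M_MAX):
    """Jakob's second recovery: q' = m_max + 1 and p' = k*q' - h.

    Then h == k*q' (mod p'), so (p', q') decrypts exactly like (p, q)
    as long as r*q' + m < p', which R_MAX guarantees for these parameters.
    """
    h, k = pub
    q2 = m_max + 1
    p2 = k * q2 - h
    return decrypt((p2, q2, pow(k, -1, p2)), e)


def run_demo(messages=((0, 0), (42, 1234), (200, 7), (255, R_MAX))):
    """Encrypt each (m, r); return (m, legitimate, via mod h, via forged key)."""
    priv, pub = keygen()
    results = []
    for m, r in messages:
        e = encrypt(pub, m, r)
        results.append((m, decrypt(priv, e),
                        recover_mod_h(pub, e), recover_with_forged_key(pub, e)))
    return results


if __name__ == "__main__":
    for m, legit, via_h, via_forged in run_demo():
        print(f"m={m:3d}  decrypt={legit:3d}  mod-h={via_h:3d}  forged-key={via_forged:3d}")
```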





--

From: Sergei Lewis [EMAIL PROTECTED]
Subject: Re: Simple C crypto
Date: Fri, 08 Jun 2001 10:28:17 +0100

 I'm looking for a simple algorithm to code text that is pretty difficult to
 break for an amateur without custom s/w.
 I had thought of something like (say) a 16 bit number, to be XORed with
 chars, and then this shifted each time it is re-used.

Looking around the thread, you don't actually care about people
*reading* the messages - you just don't want any of them *altered*
easily.

Ideally, you want copies of the messages to be encrypted with the public
key of someone you trust as they are created by the 

Cryptography-Digest Digest #564

2001-06-08 Thread Digestifier

Cryptography-Digest Digest #564, Volume #14   Fri, 8 Jun 01 07:13:00 EDT

Contents:
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Vincent Quesnoit)
  Re: Algorithms (Tom St Denis)
  Re: MD5 for random number generation? (Tom St Denis)
  Re: Notion of perfect secrecy (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: Simple C crypto (Tom St Denis)
  Re: Simple C crypto (Tom St Denis)
  Re: Simple C crypto (Tom St Denis)
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, and Large Primes (Tom St Denis)
  Re: RSA's new Factoring Challenges: $200,000 prize. (Michael Brown)
  Re: Simple C crypto (Michael Brown)



From: Vincent Quesnoit [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: Fri, 08 Jun 2001 11:29:17 +0200
Reply-To: [EMAIL PROTECTED]

Tim Tyler wrote:

 Mok-Kong Shen [EMAIL PROTECTED] wrote:

 : I was referring to the following that you wrote previously:

 :Yes it is.  Consider BICOM for example.  It can map a
 :8 bit cyphertext to one of some 2^128 plaintexts -
 :considerably more than your figure of 2^8.

 : Does the 2^128 come from using a 128 bit key for the
 : AES in it and there are 2^128 possible keys for AES?

 Yes.

I am puzzled, I thought AES was a block cypher which could not produce a
cypher text smaller than its own blocksize. Do you mean that AES can
decrypt one byte and produce a 16 byte output ?



--

From: Tom St Denis [EMAIL PROTECTED]
Subject: Re: Algorithms
Date: Fri, 08 Jun 2001 10:37:25 GMT


abhijeet [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 Hi,
 I am writing my thesis on cryptography in Digital signature.
 Can anyone suggest any book or paper where I can get
 the full C or C++ code for the algorithms?
 thanking you
 regards

What algorithms?

Get

Applied Cryptography -- Bruce Schneier
Handbook of Applied Crypto -- CRC Press
A Course in Number Theory and Cryptography -- Neal Koblitz

and you will be all set



--

From: Tom St Denis [EMAIL PROTECTED]
Subject: Re: MD5 for random number generation?
Date: Fri, 08 Jun 2001 10:39:43 GMT


Tim Tyler [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
 Tom St Denis [EMAIL PROTECTED] wrote:
 : Tim Tyler [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 : Tom St Denis [EMAIL PROTECTED] wrote:
 : : Tim Tyler [EMAIL PROTECTED] wrote in message
 : : Tom St Denis [EMAIL PROTECTED] wrote:
 : : : Toby Sharp wrote:

 : : :  I've heard of people using MD5 for random number generation. But,
 : : :  as far as I can tell, MD5 is a one-way hash algorithm. How is
 : : :  this used for random numbers? [...]
 :
 : : : Yeah, you have to make sure though, that your PRNG is forward and
 : : : backwards safe. [...]
 :
 : : So you could just use
 : :
 : : : H[i] = HASH(SEED || i)
 : :
 : : : Which is essentially a CTR mode of operation.
 : :
 : : It looks like you're thinking of state compromises that don't affect
 : : SEED.
 : :
 : : If you think SEED might also be compromised, backward secrecy is
 : : hardly possible (without a source of entropy anyway) - and the
 : : second equation offers no forward secrecy.
 :
 : : Here's a tip.  Give some thought to what you post.
 :
 : : : No PRNG is ever secure if the initial seed is compromised.  The seed is
 : : : what determines the PRNG output...
 :
 : Security in the face of state compromise is a very important part of
 : what forward secrecy in RNGs is all about.

 : Yes.  And my PRNG I proposed is forward secure.

 : H[i] = HASH(SEED || I)

 : Suppose you guess H[i], how do you get H[i+1] or H[i-1]?

 You don't.

 However, say someone breaks into your office and wanders out with i and
 SEED.

 With this information they have access to all the past outputs of the RNG.

 This is known as a backtracking attack - and can be of significance if
 the RNG is used for key generation - since you don't want numerous past
 keys to be compromised by a single lapse of security on some future date.

 Backtracking attacks can be prevented - they are not inherent in all PRNGs.

Which is why (if you well I dunno, ... er ... um READ MY ENTIRE POST) would
have found that I said you should reset the seed whenever you make a new
key.  That way wandering into the office to get SEED will be a useless
venture.

 : As for backward secrecy - this is (as I mentioned) impossible in a PRNG
 : whose state has been compromised.  However, the OP never mentioned PRNGs.

 : Are you sure? Read the 

Cryptography-Digest Digest #565

2001-06-08 Thread Digestifier

Cryptography-Digest Digest #565, Volume #14   Fri, 8 Jun 01 08:13:01 EDT

Contents:
  Re: MD5 for random number generation? (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: MD5 for random number generation? (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: Some questions on GSM and 3G (Arturo)
  Re: Some questions on GSM and 3G (Arturo)
  Re: National Security Nightmare? (Derek Bell)



From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: MD5 for random number generation?
Reply-To: [EMAIL PROTECTED]
Date: Fri, 8 Jun 2001 11:11:52 GMT

Tom St Denis [EMAIL PROTECTED] wrote:
: Tim Tyler [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
: Tom St Denis [EMAIL PROTECTED] wrote:
: : Tim Tyler [EMAIL PROTECTED] wrote in message
: : Tom St Denis [EMAIL PROTECTED] wrote:

: : : No PRNG is ever secure if the initial seed is compromised.  The seed
: : : is what determines the PRNG output...
: :
: : Security in the face of state compromise is a very important part of
: : what forward secrecy in RNGs is all about.
:
: : Yes.  And my PRNG I proposed is forward secure.
:
: : H[i] = HASH(SEED || I)
:
: : Suppose you guess H[i], how do you get H[i+1] or H[i-1]?
:
: You don't.
:
: However, say someone breaks into your office and wanders out with i and
: SEED.
:
: With this information they have access to all the past outputs of the RNG.
:
: This is known as a backtracking attack - and can be of significance if
: the RNG is used for key generation - since you don't want numerous past
: keys to be compromised by a single lapse of security on some future date.
:
: Backtracking attacks can be prevented - they are not inherent in all
: PRNGs.

: Which is why (if you well I dunno, ... er ... um READ MY ENTIRE POST) would
: have found that I said you should reset the seed whenever you make a new
: key.  That way wandering into the office to get SEED will be a useless
: venture.

A commendable approach - if you have lots of suitable seed material to hand.

: : As for backward secrecy - this is (as I mentioned) impossible in a PRNG
: : whose state has been compromised.  However, the OP never mentioned
: : PRNGs.
:
: : Are you sure? Read the subject line!
:
: I see an R, an N and a G there - but can see no sign of a P.
:
: While concealing the forward evolution of a PRNG is impossible in the face
: of state compromise, this is not true of other types of random number
: generator.

: Um MD5 for RNG.  The OP is a newbie and used the wrong term.  MD5 cannot be
: used to make an RNG at all.

I don't know about MD5 - but SHA-1 can be (and has been) used to make a RNG:
See Yarrow: http://www.counterpane.com/yarrow.html
-- 
__
 |im |yler  [EMAIL PROTECTED]  Home page: http://alife.co.uk/tim/
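The two constructions argued over in this thread, side by side, as an added example (it is not code from either poster or from Yarrow). The counter construction H[i] = HASH(SEED || i) is exactly the one proposed; the hash ratchet is the usual way to get the backtracking resistance Tim is asking for, and the reseed method stands for Tom's "reset the seed whenever you make a new key". SHA-256 stands in for the MD5/SHA-1 of the discussion, and the domain-separation tags, the seed and the entropy string are constructed.

```python
# Added example (not from the thread): the counter construction H[i] = HASH(SEED || i)
# beside a hash ratchet, to show what a backtracking attack is and what prevents it.
# SHA-256 stands in for MD5/SHA-1; the tags, seed and entropy below are constructed.
import hashlib


def ctr_output(seed: bytes, i: int) -> bytes:
    """H[i] = HASH(SEED || i), the construction proposed in the thread."""
    return hashlib.sha256(seed + i.to_bytes(8, "big")).digest()


def backtrack_ctr(seed: bytes, i_now: int) -> list:
    """Backtracking: whoever walks off with (SEED, i) recomputes every earlier output,
    because the secret never changes and each output is a pure function of it."""
    return [ctr_output(seed, j) for j in range(i_now)]


class RatchetPRNG:
    """Forward-secure variant: each step outputs H(state || 'out') and replaces the
    state with H(state || 'next').  A captured state predicts the future but, with a
    one-way hash, offers no way back to earlier states or outputs."""

    def __init__(self, seed: bytes = b"", state=None):
        self.state = state if state is not None else hashlib.sha256(b"init" + seed).digest()

    def next_bytes(self) -> bytes:
        out = hashlib.sha256(self.state + b"out").digest()
        self.state = hashlib.sha256(self.state + b"next").digest()  # the old state is gone
        return out

    def reseed(self, entropy: bytes) -> None:
        """Mixing in fresh entropy (Tom's 'reset the seed') also cuts off anyone who
        captured the old state from predicting further outputs."""
        self.state = hashlib.sha256(self.state + entropy).digest()


def demo():
    """Returns (ctr_past_recovered, ratchet_future_predicted, ratchet_past_reappears, diverged_after_reseed)."""
    seed = bytes(range(16))  # constructed seed; a real one comes from an entropy source

    # 1. Counter construction: five outputs, then a compromise of (SEED, i=5).
    stream = [ctr_output(seed, j) for j in range(5)]
    ctr_past_recovered = backtrack_ctr(seed, 5) == stream

    # 2. Ratchet: five outputs, then a compromise of the current state only.
    gen = RatchetPRNG(seed)
    past = [gen.next_bytes() for _ in range(5)]
    attacker = RatchetPRNG(state=gen.state)
    future_predicted = [gen.next_bytes() for _ in range(3)] == [attacker.next_bytes() for _ in range(3)]
    # The attacker can only run forwards; none of its outputs are the earlier ones.
    past_reappears = any(out in past for out in (attacker.next_bytes() for _ in range(50)))

    # 3. Reseeding with fresh entropy makes the captured state worthless from here on.
    gen.reseed(b"fresh entropy from the OS (constructed here)")
    diverged = gen.next_bytes() != attacker.next_bytes()
    return ctr_past_recovered, future_predicted, past_reappears, diverged


if __name__ == "__main__":
    print(demo())
```

The counter scheme is fine when the only thing that can leak is an output, which is the case Tom's "guess H[i]" argument covers; it fails when the state itself leaks, which is the case Tim's office burglar describes. The ratchet gives up nothing on the first case and closes the second, at the cost of being strictly sequential.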

--

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Reply-To: [EMAIL PROTECTED]
Date: Fri, 8 Jun 2001 11:26:16 GMT

Vincent Quesnoit [EMAIL PROTECTED] wrote:
: Tim Tyler wrote:

: Mok-Kong Shen [EMAIL PROTECTED] wrote:
:
: : I was referring to the following that you wrote previously:
:
: :Yes it is.  Consider BICOM for example.  It can map a
: :8 bit cyphertext to one of some 2^128 plaintexts -
: :considerably more than your figure of 2^8.
:
: : Does the 2^128 come from using a 128 bit key for the
: : AES in it and there are 2^128 possible keys for AES?
:
: Yes.

: I am puzzled, I thought AES was a block cypher which could not produce a
: cypher text smaller than its own blocksize. Do you mean that AES can
: decrypt one byte and produce a 16 byte output ?

Yes.
I composed an extensive reply to Mark Wooding on that question.

He asked:

  Now I'm very confused.  You can't get a one-byte ciphertext out of a
  128-bit block cipher in CBC mode.  There's nowhere to put an IV, for one
  thing.

I replied with the following:

Firstly, Rijndael doesn't use a random IV.  It uses a fixed one which is
(I believe) wired into the algorithm.

In order to disguise the first blocks of the message it uses a whitening
step, which preprocesses the plaintext by applying unkeyed diffusion to the
first few K of the plaintext - not /quite/ the same as an IV - but good
enough for many purposes.

Now, about how BICOM gets a 1-byte output from Rijndael output while
remaining invertible and bijective:

I won't describe how it /actually/ does it (though see the end of the
post) - but instead I'll tell a simplified story that indicates how it is
possible.

First the set of all byte 

Cryptography-Digest Digest #566

2001-06-08 Thread Digestifier

Cryptography-Digest Digest #566, Volume #14   Fri, 8 Jun 01 10:13:00 EDT

Contents:
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mark Wooding)
  Re: National Security Nightmare? (SCOTT19U.ZIP_GUY)
  Re: National Security Nightmare? (Tom St Denis)
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, and Large Primes (Mark Wooding)
  Re: AES question (Mark Wooding)
  Re: RSA's new Factoring Challenges: $200,000 prize. (Sergei Lewis)
  Re: RSA's new Factoring Challenges: $200,000 prize. (Sergei Lewis)
  Re: DES not a group proof (DJohn37050)
  Hehehe I found out who David Scott is (Tom St Denis)
  Re: OTP WAS BROKEN!!! (Al)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)



From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: 8 Jun 2001 12:07:30 GMT

[EMAIL PROTECTED] (Vincent Quesnoit) wrote in [EMAIL PROTECTED]:


I am puzzled, I thought AES was a block cypher which could not produce a
cypher text smaller than its own blocksize. Do you mean that AES can
decrypt one byte and produce a 16 byte output ?


  yes, if it's in a program like BICOM


David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE OLD VERSIOM
http://www.jim.com/jamesd/Kong/scott19u.zip
My website http://members.nbci.com/ecil/index.htm
My crypto code http://radiusnet.net/crypto/archive/scott/
MY Compression Page http://members.nbci.com/ecil/compress.htm
**NOTE FOR EMAIL drop the roman five ***
Disclaimer:I am in no way responsible for any of the statements
 made in the above text. For all I know I might be drugged or
 something..
 No I'm not paranoid. You all think I'm paranoid, don't you!


--

From: Tom St Denis [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: Fri, 08 Jun 2001 12:17:30 GMT


SCOTT19U.ZIP_GUY [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 [EMAIL PROTECTED] (Vincent Quesnoit) wrote in [EMAIL PROTECTED]:

 
 I am puzzled, I thought AES was a block cypher which could not produce a
 cypher text smaller than its own blocksize. Do you mean that AES can
 decrypt one byte and produce a 16 byte output ?
 

    yes, if it's in a program like BICOM

Or in a chaining mode.

tom



--

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: 8 Jun 2001 12:33:47 GMT

Tim Tyler [EMAIL PROTECTED] wrote:

 Firstly, Rijndael doesn't use a random IV.  It uses a fixed one which
 is (I believe) wired into the algorithm.

[pedantry] Rijndael is a block cipher; it says nothing about an IV.  IVs
are chaining mode concepts.  CBC mode has an IV.

 In order to disguise the first blocks of the message it uses a
 whitening step, which preprocesses the plaintext by applying unkeyed
 diffusion to the first few K of the plaintext - not /quite/ the same
 as an IV - but good enough for many purposes.

No.  This can't be secure in the real-or-random model, since encrypting
equal plaintexts yields equal ciphertexts.

-- [mdw]
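Mark's objection, run as code: an added example (not from either poster) of CBC with a wired-in IV, the same with an unkeyed whitening pass in front, and CBC with a fresh random IV, each given to the simplest real-or-random adversary, one that asks for the same plaintext twice. The block function is a keyed-hash stand-in for the cipher, an assumption that is harmless here because the encryption direction of CBC only needs a forward map; the whitening construction, key and message are constructed for the demo.

```python
# Added example (not from the thread): fixed-IV CBC, whitened fixed-IV CBC and random-IV CBC
# under the equal-plaintext distinguisher.  block_fn is a stand-in for the block cipher
# (assumption); the whitening step, KEY and MSG are constructed for the demo.
import hashlib
import os

BLOCK = 16


def block_fn(key: bytes, block: bytes) -> bytes:
    """Stand-in for one block-cipher encryption: a keyed hash truncated to a block."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def xor_blocks(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Textbook CBC: C[i] = E_k(P[i] XOR C[i-1]) with C[-1] = IV.  Block-aligned input only."""
    if len(plaintext) % BLOCK:
        raise ValueError("plaintext must be a multiple of the block size")
    prev, out = iv, []
    for i in range(0, len(plaintext), BLOCK):
        prev = block_fn(key, xor_blocks(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def whiten(plaintext: bytes) -> bytes:
    """Unkeyed diffusion (constructed): each block is XORed with a hash of the previous
    whitened block.  Invertible and it scrambles the first blocks, but deterministic."""
    prev, out = bytes(BLOCK), []
    for i in range(0, len(plaintext), BLOCK):
        blk = xor_blocks(plaintext[i:i + BLOCK], prev)
        out.append(blk)
        prev = hashlib.sha256(blk).digest()[:BLOCK]
    return b"".join(out)


FIXED_IV = bytes(BLOCK)  # the "wired-in" IV of the discussion


def encrypt_fixed_iv(key: bytes, pt: bytes) -> bytes:
    return cbc_encrypt(key, FIXED_IV, pt)


def encrypt_whitened_fixed_iv(key: bytes, pt: bytes) -> bytes:
    return cbc_encrypt(key, FIXED_IV, whiten(pt))


def encrypt_random_iv(key: bytes, pt: bytes) -> bytes:
    iv = os.urandom(BLOCK)          # fresh per message; sent along with the ciphertext
    return iv + cbc_encrypt(key, iv, pt)


def equal_plaintext_distinguisher(encrypt, key: bytes, pt: bytes) -> bool:
    """Real-or-random adversary: request the same plaintext twice.  Identical ciphertexts
    betray identical plaintexts, which random output would show with probability about
    2^-128.  True means the scheme has been distinguished."""
    return encrypt(key, pt) == encrypt(key, pt)


KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed demo key
MSG = b"same message!!!!" * 2                              # constructed 32-byte message


def demo() -> dict:
    return {name: equal_plaintext_distinguisher(fn, KEY, MSG)
            for name, fn in [("fixed_iv", encrypt_fixed_iv),
                             ("whitened_fixed_iv", encrypt_whitened_fixed_iv),
                             ("random_iv", encrypt_random_iv)]}


if __name__ == "__main__":
    for name, distinguished in demo().items():
        print(f"{name:20s} distinguished: {distinguished}")
```

No amount of unkeyed preprocessing changes the verdict, because the composition of deterministic maps is deterministic: the adversary never has to look inside the whitening, only at whether two ciphertexts coincide. Only per-message randomness (or a nonce that is never repeated under the same key) removes that signal.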

--

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: National Security Nightmare?
Date: 8 Jun 2001 12:26:29 GMT

[EMAIL PROTECTED] (Derek Bell) wrote in 9fqf73$1okm$[EMAIL PROTECTED]:

Douglas A. Gwyn [EMAIL PROTECTED] wrote:
: Well, if there is a UFO cover-up, they have also managed to hide
: it from people with *very* extensive access to intelligence archives.

 Amusingly enough, some UFO fanatics have claimed the Dundee
Society worked on UFOs!

 Derek

  Why is it so interesting? An old friend of mine who worked for
the CIA swore that only the Roswell story was true. The rest is
false. The government is helping to spread false UFO stories to
excite the UFO fanatics so they will not know the truth and to
keep the common man unaware what happened at Roswell. The more
crazy the story the more hyped up the fanatics are and the less
likely the public will believe the small parts that are true.
Well, if they're true at all that is, since I'm not even 100 percent
sure of Roswell though my CIA friend was. 

  It could even be similar to this long winded discussion about
what perfect security is. A bunch of nuts claim it means one thing
so as to keep people from knowing or thinking about things that
would lead to better crypto. So there seems to be an effort to
destroy Shannon's concept of perfect secrecy. They foolishly
think if one has a set of several messages of various lengths.
One only needs to 

Cryptography-Digest Digest #567

2001-06-08 Thread Digestifier

Cryptography-Digest Digest #567, Volume #14   Fri, 8 Jun 01 13:13:01 EDT

Contents:
  Re: Brute-forcing RC4 (David Wagner)
  Re: Hehehe I found out who David Scott is (John Savard)
  CATS 2002 CFP (James Harland)
  Re: Simple C crypto (Jan Panteltje)
  Re: Notion of perfect secrecy (Mark Wooding)
  Re: National Security Nightmare? (Phil Carmody)
  Re: DES not a group proof (Patrick Aland)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: Alice and Bob Speak MooJoo (Niklas Frykholm)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: Hehehe I found out who David Scott is (Mark Wooding)
  Re: National Security Nightmare? (JPeschel)
  Re: Hehehe I found out who David Scott is (Tom St Denis)
  Re: National Security Nightmare? (Tom St Denis)
  Re: Brute-forcing RC4 (Ichinin)



From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Brute-forcing RC4
Date: Fri, 8 Jun 2001 14:29:34 + (UTC)

If you want to break WEP encryption, there are many ways to do so
without recovering the RC4 key.  (You can see the paper to be presented
at MOBICOM 2001 for some discussion, for instance.)

Alternatively, if for some reason it is crucial to recover the RC4 key,
it seems likely to dramatically speed up the 40-bit search by exploiting
flaws in WEP.  All the WEP cards that I've seen start their IV off at 0
when they are reset, and count up incrementally from there.  Moreover,
known plaintext is often available in the form of DHCP Discover messages,
etc. (see Arbaugh's work).

Therefore, you could use Hellman's time-space tradeoff (precomputed
with an IV of 0 or some other small number) to greatly reduce the
cost of cryptanalysis, if you wanted to recover more than one RC4 key.
I believe one can expect to break each RC4 key with only 2^27 work per
key and 2^26 storage, after a one-time 2^40 precomputation.  Of course,
these remarks apply only to the 40-bit version of WEP; to break 104-bit
WEP, you'll want the non-key-recovery attacks in the MOBICOM paper.

--

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Hehehe I found out who David Scott is
Date: Fri, 08 Jun 2001 14:33:41 GMT

On Fri, 08 Jun 2001 13:30:06 GMT, Tom St Denis
[EMAIL PROTECTED] wrote, in part:

http://www.timecube.com/

Note how Gene Ray writes just like David Scott.  hehehehe

No, this Gene Ray has much more difficulty in functioning than David
Scott does.

It is hard even to figure out what this Gene Ray is talking about.
Each of us only experiences one day in 24 hours; as far as people in
other longitudes experiencing, in the same 24-hour period, a day that
begins and ends differently, that's true enough, but there are 24
different days, not four of them. And that's only a convention due
to Standard Time as well - the number is really infinite.

One could imagine a large country, straddling the International Date
Line, and using its own calendar, where it is the same day across the
country, and these names - say in a 7-day week - might be called by a
set of different names. So in one half of the country, Ogbak might be
called Tuesday by us, and in the other half, Wednesday. This would be
a different day, then.

Anyways, isn't Time Cube a trademark for some kind of alarm clock
radio? He will probably have to move to a new URL.

John Savard
http://home.ecn.ab.ca/~jsavard/frhome.htm

--

Crossposted-To: comp.theory,sci.logic
Subject: CATS 2002 CFP
From: [EMAIL PROTECTED] (James Harland)
Date: 9 Jun 2001 00:47:59 +1100

CALL FOR PAPERS

Computing: The Australasian Theory Symposium (CATS) 2002
 Monash University, Melbourne, Australia
   January 28th to February 1st, 2002
   Deadline August 3rd, 2001

Computing: The Australasian Theory Symposium (CATS) is the premier
theoretical computer science conference in Australasia.  It is held
annually as part of the Australasian Computer Science Week (ACSW).

CATS 2002 will be the eighth in the series.  The symposium will consist
of invited speakers and research paper presentations.

Date and location

CATS 2002 will be held during the Australasian Computer Science Week.
ACSW 2002 will take place at Monash University, Melbourne, Victoria,
Australia, from 28th January to 1st February, 2002.

Scope 

CATS covers all aspects of theoretical computer science.  Some
representative, but not exclusive, topics include the following:

o logic, reasoning and verification
o formal specification techniques and program semantics
o formal development methods, program refinement, synthesis and transformation
o concurrent, parallel and distributed system theory
o algorithms and data structures
o complexity and computability
o automata, number and category theory
o tools for automated reasoning, and 

Cryptography-Digest Digest #568

2001-06-08 Thread Digestifier

Cryptography-Digest Digest #568, Volume #14   Fri, 8 Jun 01 15:13:01 EDT

Contents:
  Re: National Security Nightmare? ([EMAIL PROTECTED])
  Re: National Security Nightmare? (JPeschel)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Brute-forcing RC4 (David Wagner)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, and   (Mok-Kong Shen)
  Re: Brute-forcing RC4 (Tom St Denis)
  Re: National Security Nightmare? (Tom St Denis)
  Re: Brute-forcing RC4 (Paul Rubin)
  Re: National Security Nightmare? (JPeschel)
  Re: National Security Nightmare? (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Douglas A. Gwyn)
  Re: Def'n of bijection (Douglas A. Gwyn)
  Re: Def'n of bijection (Douglas A. Gwyn)
  Rip Van Winkle (Tom St Denis)
  Re: Brute-forcing RC4 (David Wagner)



Subject: Re: National Security Nightmare?
From: [EMAIL PROTECTED]
Date: 08 Jun 2001 13:43:03 -0400

Tom St Denis [EMAIL PROTECTED] writes:

 I don't know where you are going with this but it is ARE
 
 A bunch of people is wrong.  Doesn't sound right since it is more
 than one person who is wrong.

No, it doesn't sound right--but it is grammatically correct. ``of people''
is an adjective phrase modifying ``bunch''. Just try it by omitting the
adjective phrase:

``A bunch are wrong.'' vs ``A bunch is wrong.''
``The whole group of you are wrong.'' vs ``The whole group are wrong.''

In the second example, the first sentence sounds right, while the
second sounds completely wrong. Admittedly, ``bunch'' by common usage
screams to be treated as a plural, when preceded by the indefinite
article. ``A bunch is wrong'' doesn't sound right, but ``The bunch is
wrong'' is obviously correct. That's because ``a bunch'' is identical
in meaning and usage to ``some'' or ``many''--at least to Americans--
and both of those are plural.

Len.

-- 
It's the fundamental responsibility of an MTA to bounce any message
that it can't deliver.
-- Dan Bernstein, author of qmail

--

From: [EMAIL PROTECTED] (JPeschel)
Date: 08 Jun 2001 17:44:48 GMT
Subject: Re: National Security Nightmare?

 Tom St Denis [EMAIL PROTECTED] writes:

JPeschel [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 Phil Carmody [EMAIL PROTECTED] writes:

 Tom St Denis wrote:
  SCOTT19U.ZIP_GUY [EMAIL PROTECTED] wrote in message
 
   what perfect security is. A bunch of nuts claim it means one thing
 
  A bunch of nuts *ARE* 
 
 Let he who is without blame cast the first stone.
 
 American and English may be mutually understood, but that does not mean
 they are the same language. I believe that the term for uncountable and
 uncounted groups is 'mass nouns'. The English and Americans have
 different, both correct, priorities when judging the singularity or
 plurality of these entities.
 
 The logic is as follows:
 _A_ bunch (of what just happen to be nuts) _is_ singular.
 (many, I guess you could call them a bunch,) _nuts_ are plural.
 
 I have to favour the former, personally. However, for some mass nouns
 _it really doesn't matter at all_, as long as you're not internally
 inconsistent. Some words provide more confusion than others, such as
 'committee'.
 

 No, Phil, the English of Americans and the British is one language.
 There are a few differences in spelling, punctuation, and, naturally, in
 idiom and dialect, but, other than a few different sentence constructions,
 that's about it.

 I agree with you that A bunch is singular: noun-verb agreement.

 But Dave wrote: A bunch of nuts claim it means one thing... This is also
 correct. It is written in the present tense and it uses the preferable
 active, rather than the passive, voice.


I don't know where you are going with this but it is ARE

A bunch of people is wrong.  Doesn't sound right since it is more than one
person who is wrong.

A list of primes is odd etc...

Nope, if you want to use the passive voice, the verb should be is. Here is a
way you can see that for yourself. Open MS-Word, or any word processor that can
check formal English grammar. Make sure the options are set to check formal
English. Now type: A bunch of nuts are claiming it means one thing. Word will
suggest: A bunch of nuts is or Bunches of nuts are as the proper replacement.

But Dave wrote, as I said before, A bunch of nuts claim it means one thing...,
which is correct. He cast the beginning of his sentence in the active voice, so
there is no are or is needed in this instance.

I am not really sure why I'm bothering with this other than I enjoy writing and
get paid for it. On the other hand, I'm afraid I'm one of the nuts he was
talking about. :-)

Joe
 

__

Joe Peschel 
D.O.E. SysWorks   

Cryptography-Digest Digest #569

2001-06-08 Thread Digestifier

Cryptography-Digest Digest #569, Volume #14   Fri, 8 Jun 01 16:13:01 EDT

Contents:
  Re: National Security Nightmare? (nemo outis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Def'n of bijection (Douglas A. Gwyn)
  Re: practical birthday paradox issues (Douglas A. Gwyn)
  Re: Def'n of bijection ([EMAIL PROTECTED])
  Re: National Security Nightmare? (John Myre)
  Re: National Security Nightmare? (Douglas A. Gwyn)
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, and  (Douglas A. Gwyn)
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, and  (Douglas A. Gwyn)
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, and  (Douglas A. Gwyn)
  Re: Notion of perfect secrecy (Douglas A. Gwyn)
  Re: shifts are slow? (Douglas A. Gwyn)
  Prime Directive  was _Re: National Security Nightmare? (Dramar Ankalle)
  Re: Def'n of bijection (Mok-Kong Shen)



From: [EMAIL PROTECTED] (nemo outis)
Subject: Re: National Security Nightmare?
Date: Fri, 08 Jun 2001 19:17:24 GMT

As a pedant and sciolist I should point out that it's Let *him* who is 
without blame cast the first stone.

:-)

Regards,



In article [EMAIL PROTECTED], Phil Carmody 
[EMAIL PROTECTED] wrote:

..snip...

Let he who is without blame cast the first stone.

..snip...

--

From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: Fri, 08 Jun 2001 21:24:35 +0200



Tom St Denis wrote:
 

 Not to be a naive kid but I doubt even PhD math types could read a thesis
 and understand it in one pass.
 
 I find often the biggest problem with math papers/discussions is the lack of
 a good language to discuss it in.  For example, my book on Group Theory I
 got (From Dover) only has 13 words in the entire text.  The rest is vague
 human Egyptian art work that future archeologists will look at and say this
 means fire, and that's water, and 
 
 For example, look at some of the papers by Vaudenay.  Typically he goes
 overboard when trying to say the simplest thing.  The benefits of
 decorrelation in GF(2^w) wrt to diff/linear analysis can be summed up with
 two simple proofs.  Yet he brings in all these weird symbols like
 
 ||A||^d_{oo}, etc..
 
 Which looks neat, but doesn't mean anything to me.  (I know ||A|| means
 normal form, but what normal form means is beyond me).
 
 In my MDFC paper I proved in about 1/2 a page that pair-wise decorrelation
 in GF(2^w) leads to functions immune to differential and linear analysis.
 
 [N.B  His papers go far into more formal notions of randomness which is why
 he uses the funny notation.  But to simply prove immunity to 1st order
 attacks you don't need such a lengthy paper]

I remember we had discussed over similar topics in the
past. Different books are written for people with different
'pre-knowledge' (my term). Thus not everything is explained
in all details and with all rigor, it being assumed that
the (intended) readers already know stuff above a
certain level. Certainly, there are differences in the
writing capabilities of the authors. Some are good
pedagogically, i.e. good teachers, others less so.
But I would be very careful in criticizing textbooks 
written by academics or papers in respected journals
as vague, imprecise etc. etc. For it is the current
tradition that these are well peer-reviewed. Further, 
common textbooks (those that sell en masse) are subjected 
to a selection process (in the Darwinian sense) so the 
probability of having very poor quality such books on
the market is not very likely. If I have acquired 
enough knowledge in a scientific field and am able to 
read a lot of books with ease and then discover (on 
looking back) that a certain book is really poorly or 
carelessly written (with respect to the class of readers 
that I am sure that the book is intended), I would 
eventually venture to express my critiques, but not 
before that time point. Of course, that's my personal 
'philosophy', you may have yours that is quite different.

You said that some authors are explaining too much, i.e.
with unnecessary details. But this is probably because
you have known more in that particular point than the
average reader that the authors have in mind. For one
who doesn't have that 'pre-knowledge', one would be very
grateful to the authors for easing their way of capturing
the stuff with these details. There are literatures of 
diverse levels. If you find one class too easy/simplistic 
for you, switch to a higher class. Sometimes one has to 
switch in the reverse direction. (At least this is often
my personal experience.) This is analogous to what I knew
in school education when I was young. (I have no
knowledge of the current systems.) At that time pupils 
that were exceptionally good were allowed to jump
classes. Transfers in the reverse direction 

Cryptography-Digest Digest #570

2001-06-08 Thread Digestifier

Cryptography-Digest Digest #570, Volume #14   Fri, 8 Jun 01 21:13:00 EDT

Contents:
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, and  (Mok-Kong Shen)
  Re: Alice and Bob Speak MooJoo (Douglas A. Gwyn)
  Re: new NSA/echelon rant (Douglas A. Gwyn)
  Re: new NSA/echelon rant (Mok-Kong Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Any Informed Opinions? (Douglas A. Gwyn)
  Re: Any Informed Opinions? (Douglas A. Gwyn)
  Re: Hehehe I found out who David Scott is (Douglas A. Gwyn)
  Re: National Security Nightmare? (Douglas A. Gwyn)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, and   (Douglas A. Gwyn)
  Re: Algorithms (Joseph Ashwood)
  Re: Algorithms (Sam Simpson)
  Re: Algorithms (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: National Security Nightmare? (SCOTT19U.ZIP_GUY)
  cubing modulo 2^w - 1 as a design primitive? (Tom St Denis)
  Re: National Security Nightmare? (Jim D)
  Re: National Security Nightmare? (Jim D)
  Re: Hehehe I found out who David Scott is ([EMAIL PROTECTED])
  Re: National Security Nightmare? (Tom St Denis)
  Re: new NSA/echelon rant ([EMAIL PROTECTED])
  Re: Alice and Bob Speak MooJoo (Robert J. Kolker)
  Re: cubing modulo 2^w - 1 as a design primitive? (Tom St Denis)



From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, and 
Date: Fri, 08 Jun 2001 22:11:09 +0200



Douglas A. Gwyn wrote:
 
 Mark Wooding wrote:
  Joseph Ashwood [EMAIL PROTECTED] wrote:
   Take a simpler problem 1+1=2, ... it takes a doctorate in mathematics,
   and a few hundred pages of very intricate math to prove it without
   assuming things.
  I don't have such a doctorate, but...  What other meaning of the symbol
  `2' did you have in mind that might conflict with it being the value
  formed by adding the multiplicative identity of the ring of integers to
  itself?  (Proof that 1 + 1 is not equal to 0 or 1, the two integers
  actually named in the integer axioms, is immediate from the properties
  of the ordering on integers, so a separate symbol is justified.)
 
 I think Joseph overstated the case, but usually 2 is defined as the
 successor of 1, and connecting that with addition is tedious when
 successor is not defined in terms of addition.  More accurate would
 have been Every schoolchild learns mathematical 'facts' that he
 can't even come close to proving rigorously.  Indeed, many such
 facts turn out to be false, or at best misleadingly expressed.

As I pointed out, Joseph Ashwood was referring to the
proof in Principia Mathematica. I have no personal 
knowledge of that celebrated work, but basically what
Ashwood wrote was told to me by several persons who
have studied math.

M. K. Shen

--

From: Douglas A. Gwyn [EMAIL PROTECTED]
Subject: Re: Alice and Bob Speak MooJoo
Date: Fri, 8 Jun 2001 19:49:31 GMT

Robert J. Kolker wrote:
 Then all their plaintexts would be perfectly
 secure. No crypto necessary at all.

Not so.  There is enough common (cultural) context to
infer some things by analyzing the plaintexts, and language
is largely constrained by innate properties of our brains.
Theoretical linguists can tell you more about this.

--

From: Douglas A. Gwyn [EMAIL PROTECTED]
Subject: Re: new NSA/echelon rant
Date: Fri, 8 Jun 2001 19:57:26 GMT

V.Z. Nuri wrote:
 the idea is to get the most closeminded denunciation
 of the idea possible to show it in contrast with
 new information about echelon/carnivore/CIA
 datamining capabilities. useful propaganda.

Useless propaganda.  You have a set agenda and are not seeking
truth, just the worst possible presentation of the opposite
point of view in order to trick people into supporting you.

--

From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: new NSA/echelon rant
Date: Fri, 08 Jun 2001 22:41:34 +0200



Douglas A. Gwyn wrote:
 
 V.Z. Nuri wrote:
  the idea is to get the most closeminded denunciation
  of the idea possible to show it in contrast with
  new information about echelon/carnivore/CIA
  datamining capabilities. useful propaganda.
 
 Useless propaganda.  You have a set agenda and are not seeking
 truth, just the worst possible presentation of the opposite
 point of view in order to trick people into supporting you.

As time goes on, I increasingly doubt whether truth
could be found in the world, excepting in such abstract
and exact natural sciences like math. Very long ago, while 
learning English, I read Bacon's essay 'On Truth' but at 
that time I didn't capture much of its meaning.

M. K. Shen

--

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone 

Cryptography-Digest Digest #571

2001-06-08 Thread Digestifier

Cryptography-Digest Digest #571, Volume #14   Sat, 9 Jun 01 00:13:00 EDT

Contents:
  Re: Alice and Bob Speak MooJoo ([EMAIL PROTECTED])
  Re: cubing modulo 2^w - 1 as a design primitive? (Tom St Denis)
  Re: Knapsack security??? Ahhuh (John Bailey)
  Re: Knapsack security??? Ahhuh (John Bailey)
  Anyone Heard of Churning (Stephen Thomas)
  Re: Alice and Bob Speak MooJoo (Robert J. Kolker)
  Re: Alice and Bob Speak MooJoo ([EMAIL PROTECTED])
  Re: Alice and Bob Speak MooJoo (SCOTT19U.ZIP_GUY)
  The 94 cycle 64-bit block cipher :-) (Tom St Denis)
  Re: The 94 cycle 64-bit block cipher :-) (Scott Fluhrer)
  Re: Simple C crypto (Paul Schlyter)



Subject: Re: Alice and Bob Speak MooJoo
From: [EMAIL PROTECTED]
Date: 08 Jun 2001 21:33:51 -0400

Robert J. Kolker [EMAIL PROTECTED] writes:
 Douglas A. Gwyn wrote:

 Not so. There is enough common (cultural) context to
 infer some things by analyzing the plaintexts...
 
 The common context is ostention. The pointing finger...You can't
 start off defining basic words with other words, else an infinite
 regress follows.

Granted--but given time and a large enough corpus, there is sufficient
basis to make surprising progress. Something like this:

1. Catalog individual phonemes (and attempt to classify as words). That's
not hard; statistical analysis will identify a great many words.

2. Transcribe messages and build an online concordance.

3. Notice repeating patterns, such as: the word koch-ba'a crops up
an awful lot when supply convoys are on the move; the word tlu-upicha
occurs only in naval messages; etc.

4. Notice that the words moor-tahr and tuhnka seem to crop up an awful
lot. Conjecture that the Navajo don't have words for mortar and tank.

Recall that a person can understand the gist of a conversation with
astonishingly small vocabulary. Travellers' phrasebooks actually do
serve a useful purpose.

 If there were no Rosetta Stone Egyptian hieroglyphs would
 be opaque to us.

Perhaps--but if we were able to observe living Egyptians in action, we
would eventually get the idea.

Of course, whether that's practical in wartime or not is a separate
question. There are other weaknesses to this idea, which I mentioned
before: (1) if there are no native speakers, then the cost of teaching
the language is high. (2) If there are dictionaries, then a stolen
dictionary == a stolen codebook. (3) If a unit loses its Orawanee
Eskimo radioman, it must communicate in the clear.

Len.

-- 
Frugal Tip #22:
Get free refills.

--

From: Tom St Denis [EMAIL PROTECTED]
Subject: Re: cubing modulo 2^w - 1 as a design primitive?
Date: Sat, 09 Jun 2001 01:47:07 GMT


Tom St Denis [EMAIL PROTECTED] wrote in message
news:H5eU6.62238$[EMAIL PROTECTED]...
 I was wondering if anyone ever considered cubing modulo 2^w - 1 as a design primitive?

Even more nonlinear and lower DPmax is

f(x) = (x(x+x+1) mod 2^w)^3 mod (2^w - 1)

With W=8 the DPmax is 12/256.  With W=32 it takes 11 cycles to compute (on
my Athlon)

Any comments?

Tom
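An added check of the proposed primitive, not code from Tom's post or from anyone in the thread: the block implements f(x) = (x(x+x+1) mod 2^w)^3 mod (2^w - 1) and exhaustively computes its maximum differential probability for small w, so the quoted 12/256 figure for w=8 can be reproduced rather than taken on trust. It assumes XOR as the difference operator (the post does not say which difference it measured) and also counts distinct outputs, because the final reduction mod 2^w - 1 sends both 0 and 2^w - 1 to 0, so f cannot be a permutation; for w=8, f(45) = f(0) = 0. That matters if the primitive is meant as an invertible layer.

```python
# Added example, not code from the digest: differential-uniformity check of
# the proposed primitive f(x) = (x(x+x+1) mod 2^w)^3 mod (2^w - 1).
# Assumption: "DPmax" is measured with XOR as the difference operator.

def f(x: int, w: int) -> int:
    """The candidate primitive on a w-bit word x."""
    mask = (1 << w) - 1
    y = (x * (2 * x + 1)) & mask        # x(x+x+1) mod 2^w
    return pow(y, 3, (1 << w) - 1)      # y^3 mod (2^w - 1)

def table(w: int) -> list:
    """f evaluated on every w-bit input."""
    return [f(x, w) for x in range(1 << w)]

def dpmax(w: int) -> tuple:
    """Largest number of inputs x, over every nonzero input difference a and
    every output difference b, with f(x ^ a) ^ f(x) == b.
    Returns (count, 2**w); DPmax is count / 2**w."""
    n = 1 << w
    t = table(w)
    best = 0
    for a in range(1, n):
        counts = [0] * n                 # every output difference lies below 2^w
        for x in range(n):
            counts[t[x ^ a] ^ t[x]] += 1
        best = max(best, max(counts))
    return best, n

def image_size(w: int) -> int:
    """Number of distinct outputs; equals 2**w only if f is a permutation."""
    return len(set(table(w)))

if __name__ == "__main__":
    for w in (4, 8):
        count, n = dpmax(w)
        print(f"w={w}: DPmax = {count}/{n}, distinct outputs = {image_size(w)}/{n}")
```

For w=8 the search is 255 input differences times 256 inputs and runs in well under a second; the count for any (a, b) pair is always even, since x and x^a contribute the same output difference.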



--

From: [EMAIL PROTECTED] (John Bailey)
Subject: Re: Knapsack security??? Ahhuh
Date: Sat, 09 Jun 2001 01:59:41 GMT

On Fri, 8 Jun 2001 00:21:58 -0400, rosi [EMAIL PROTECTED] wrote:

Dear John,

Thank you for the reply.

I will perhaps never know why you think I am taunting you.
But if you do, whether it is really due to me, I apologize.

Merc42 asked in pretty general terms about the knapsack
problem and you seem eager to know. I offered to share
information. Is this fair?

First, I do not know how far we can go. The requirement for
basic knowledge will still apply. Without that, we can get stuck
anywhere.

So, is it a go?

I think it is only fair that I give you enough information on
what is ahead. I have some simple stuff, from which I would like
to see if certain things are as trivial as I seem to see. So I give the
best shot I can fire and would like you to help me. I will put
forth two quite non-technical questions, which do not require
definitive answers (or in other words, what answers come back is
not that important). There is one technical issue I would appreciate
it if you could share your thoughts with us, but that is not really
expected. It is up to you. The issue is to prove from what I
give you that P != NP. (Hope you are still in your chair if you
were:). Checked, I am still in mine)

Would it help if we used Rojas' papers as a common ground of
understanding?
http://arXiv.org/find/math/1/au:+rojas/0/1/0/1998/0/1

Please do not be alarmed. It should be simple. Ideas about
both the two questions and the P!=NP issue can be formed in
your head by simply ‘staring at’ a construction I give you for a
few minutes. I am not saying that you may come up with all
the boring details of a proof after reading and thinking about
it for a few minutes. I mean that you can get the sense of 

Cryptography-Digest Digest #545

2001-06-07 Thread Digestifier

Cryptography-Digest Digest #545, Volume #14   Thu, 7 Jun 01 06:13:00 EDT

Contents:
  Re: Is this a weakness in RSA key generation? (Scott Fluhrer)
  Re: fast CTR like ciphers? (Volker Hetzer)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Notion of perfect secrecy (Jeffrey Walton)
  Humor, I Must be a Threat to National Security (David G. Boney)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: AES question (Øyvind)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: Notion of perfect secrecy (Tom St Denis)
  Re: Humor, I Must be a Threat to National Security (Chaotic)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: Def'n of bijection (Mark Wooding)



From: Scott Fluhrer [EMAIL PROTECTED]
Subject: Re: Is this a weakness in RSA key generation?
Date: Wed, 6 Jun 2001 23:21:26 -0700


Bill Unruh [EMAIL PROTECTED] wrote in message
news:9fh2l5$6si$[EMAIL PROTECTED]...
 In [EMAIL PROTECTED] [EMAIL PROTECTED] (Mark Borgerding) writes:

 ]I found that pgp 2.6.2 may sometimes generate a private exponent n
 ]that does not entirely match the RSA spec (as I know it)

 ]An RSA private exponent d
 ]1) d*e = 1 , mod (p-1)*(q-1)

 ]which implies
 ]2) d*e = 1 , mod (p-1)
 ]3) d*e = 1 , mod (q-1)


 ]pgp seems to occasionally generate a key that satisfies 2 & 3, but not
 ]1.
 ]I know that stmt #1 implies 2 & 3, but the reverse is not true.

 ]My question is: is this something to worry about?  What effect would

 Yes. It will not work. You will not be able to decrypt anything.
It won't??? Would you please do me the favor of finding a p, q, d, e, x s.t.

   p, q prime
   p != q
   d*e = 1 mod (p-1)
   d*e = 1 mod (q-1)
   ((x**e)**d) != x mod pq

If, as you say, it will not work, it should be pretty trivial to find such
a quintuplet.

--
poncho





--

From: Volker Hetzer [EMAIL PROTECTED]
Subject: Re: fast CTR like ciphers?
Date: Thu, 07 Jun 2001 09:48:45 +0200

Tim Tyler wrote:
 
 Volker Hetzer [EMAIL PROTECTED] wrote:
 : Tim Tyler wrote:
 
 [fast primitive for CTR mode]
 
 : My understanding is that what this application requires is a PRF - not a
 : block cypher.
 
 : Well, in that case the attacker can distinguish the message stream from
 : a random stream.
 
 What - if a PRF is used to generate it?
No, if a block cipher (i.e. a prp) was used to generate it.

 While I believe it's customary to describe any system where there's
 a faster attack than brute force as being broken, I don't think
 this case is much of a concern if the opponent is one's little sister.
That's the academic definition. However, if there's a fixed, known and
proven reduction from one property (distinguishable from a random stream)
to a property you want to avoid (guessing the key or decrypting a message)
you can check your numbers and then decide whether this particular attack
is of relevance to your application.

As it happens, this prp/prf stuff is IMHO only relevant if you either want to
use the ctr mode as a prng or go over so much of the counter space that
known-plaintext attacks or attacks based on the set of remaining blocks become
possible.

Remember, if you look at a fibre optics ocean cable, something like
80-130Gbit/s, we're talking about 2^62 bit per year. (Hoping I got the numbers
right here.) This is still a quarter of the amount of data you need to distinguish,
let's say AES-CTR from a random stream, much less get to work on predicting the
next block. In this case, the conclusion would be that the speed advantage of
CTR is much more important than an attack that only works if the lifetime of the
key exceeds the lifetime of the cable by a ridiculously large number of years.

Greetings!
Volker
--
They laughed at Galileo.  They laughed at Copernicus.  They laughed at
Columbus. But remember, they also laughed at Bozo the Clown.

--

From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: Thu, 07 Jun 2001 10:29:05 +0200



SCOTT19U.ZIP_GUY wrote:
 
 [EMAIL PROTECTED] (Mok-Kong Shen) wrote:
 
  I would have to read what Shannon wrote in more detail to say how what
  this thread is about relates to what he wrote.
 
   Actually its Tommy and Mok that need to read up.
 
 
  My main concern is with the definition and usage of the term
  perfect secrecy - I'd like to see what Shannon wrote,
  

Cryptography-Digest Digest #546

2001-06-07 Thread Digestifier

Cryptography-Digest Digest #546, Volume #14   Thu, 7 Jun 01 07:13:01 EDT

Contents:
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mark Wooding)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: Humor, I Must be a Threat to National Security (Tom St Denis)
  Re: Notion of perfect secrecy (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: Notion of perfect secrecy (Tim Tyler)
  Re: Notion of perfect secrecy (Tom St Denis)
  Re: shifts are slow? (Tim Tyler)
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, and Large Primes (Mark Wooding)
  Re: Notion of perfect secrecy (Tim Tyler)
  Re: shifts are slow? (Tom St Denis)
  Re: Evidence Eliminator works great. Beware anybody who claims it doesn't work (propaganda) (John Niven)
  Re: Def'n of bijection (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Notion of perfect secrecy (Tom St Denis)
  MD5 for random number generation? (Toby Sharp)
  Re: Notion of perfect secrecy (Tim Tyler)



From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: 7 Jun 2001 09:40:31 GMT

Tim Tyler [EMAIL PROTECTED] wrote:

 That uses Rijndael in CBC mode.

Now I'm very confused.  You can't get a one-byte ciphertext out of a
128-bit block cipher in CBC mode.  There's nowhere to put an IV, for one
thing.

-- [mdw]

--

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Reply-To: [EMAIL PROTECTED]
Date: Thu, 7 Jun 2001 09:30:22 GMT

Mok-Kong Shen [EMAIL PROTECTED] wrote:
: SCOTT19U.ZIP_GUY wrote:
: [EMAIL PROTECTED] (Mok-Kong Shen) wrote:

: Meanwhile I believe that the following is correct about
: the issue: The OTP processing only guarantees that the
: particular work that is performed doesn't give the opponent
: any (more) information. It doesn't exclude however the
: existence of other processing that could reduce the
: information that he could otherwise have about the message.

[snip]

:No perfect security means what it says see my
: other posts where I quote Shannon directly.

: I know Shannon's definition. Tell me, why my view above
: contradicts that in terms of a-priori and a-posteriori
: probability.

You say:

``The OTP processing only guarantees that the
  particular work that is performed doesn't give
  the opponent any (more) information.''

OTP processing gives the opponent information about the length of the
plaintext.

Before he looked at the cyphertext, he did not have this information.

That violates Shannon's perfect secrecy.
-- 
__
 |im |yler  [EMAIL PROTECTED]  Home page: http://alife.co.uk/tim/

--

From: Tom St Denis [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: Thu, 07 Jun 2001 09:45:29 GMT


Tim Tyler [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
 Mok-Kong Shen [EMAIL PROTECTED] wrote:

 : Meanwhile I believe that the following is correct about
 : the issue: The OTP processing only guarantees that the
 : particular work that is performed doesn't give the opponent
 : any (more) information.

 The opponent knows more about the plaintext after observing the
 cyphertext than he knew before he saw it - namely the length.

 That violates perfect secrecy.

Only if the message is determined by the length.

Oui or Non.  The length will not determine the message.  Or if you just
pad the bloody thing to a multiple of say 64 bytes.  Even still people won't
use an OTP to encrypt single byte messages.

 : It doesn't exclude however the existence of other processing
 : that could reduce the information that he could otherwise
 : have about the message.  As a special example, if any
 : message is sent from my home, the opponent knows that
 : some person is present there (or at least someone has
 : programmed my computer to undertake that action) at
 : the particular time point. (That could mean under
 : circumstances quite a lot, e.g. when for months no
 : message had ever been sent.)  No encryption
 : scheme, however 'perfect', could deprive him from
 : obtaining that knowledge. On the other hand, I could
 : manage to send the message from another place, in which
 : case he wouldn't have that information. Thus in a sense
 : the word 'perfect' in 'perfect security' is only to be
 : understood as one of terminology (definition) only and
 : does not have the common connotation of 'perfection'
 : (the ideal, the absolute best).

 Traffic analysis information is indeed often present -
 but we are talking about once a message exists, does
 the attacker gain anything by looking at the cyphertext.

 That's what the 

Cryptography-Digest Digest #547

2001-06-07 Thread Digestifier

Cryptography-Digest Digest #547, Volume #14   Thu, 7 Jun 01 08:13:00 EDT

Contents:
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) ([EMAIL PROTECTED])
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Notion of perfect secrecy (Tim Tyler)
  Re: shifts are slow? (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) ([EMAIL PROTECTED])
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)



From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Reply-To: [EMAIL PROTECTED]
Date: Thu, 7 Jun 2001 10:58:12 GMT

Tom St Denis [EMAIL PROTECTED] wrote:
: Tim Tyler [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
: JPeschel [EMAIL PROTECTED] wrote:

: perfect secrecy is defined by requiring of a system after a
:  cryptogram is intercepted by the enemy the a posteriori probabilities
:  of this cryptogram representing various messages be identically the
:  same as the a priori probabilities of the same message before the
:  interception.
:
: If the length of the plaintext is revealed by the cyphertext, this
: condition does not hold.

: How? [...]

It is obvious how the length of the plaintext is revealed by the
cyphertext.

The length of the plaintext is the same as the length of the cyphertext.

: If you have an 8-bit ciphertext all 256 plaintexts are equally
: probable.  That follows this distribution.

I am not considering a system with only 256 possible plaintexts.
That's a toy system, with no practical use.

: Your idea of security only works if your cipher can produce infinite
: length ciphertexts.

Not so.  Finite plaintexts can produce perfect secrecy.

: (of course your idea of security is vastly flawed)

How so, pray tell?

: I would hate to use 1.7 x 10^55 bytes of ram to send a 10 byte message
: home

No - that is not correct.  You could send a 10 byte message home while
retaining perfect secrecy - assuming a genuinely random shared key was
available.
-- 
__
 |im |yler  [EMAIL PROTECTED]  Home page: http://alife.co.uk/tim/
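The dispute above, whether an OTP applied to messages of different lengths meets Shannon's a priori = a posteriori condition and whether padding rescues it, can be settled by computation on a toy system. The following is an added example, not from any post in the thread: it enumerates every pad for a small message space, computes P(m | c) exactly with rational arithmetic, and compares it with P(m). The priors, the 1-then-zeros padding rule and the 4-bit block size are constructed for the example.

```python
# Added example, not from the digest: brute-force evaluation of Shannon's
# perfect-secrecy condition for a bitwise one-time pad on a toy message space.
# The priors and the padding rule are constructed for illustration.
from fractions import Fraction
from itertools import product

# Constructed prior: three messages of two different lengths.
PRIOR = {
    (1, 0, 1): Fraction(1, 2),
    (0, 1, 1): Fraction(1, 4),
    (1, 0):    Fraction(1, 4),
}

# Constructed prior with a message long enough to need a second 4-bit block.
WIDER_PRIOR = {
    (1, 0, 1):       Fraction(1, 4),
    (0, 1, 1):       Fraction(1, 4),
    (1, 0):          Fraction(1, 4),
    (1, 1, 0, 1, 0): Fraction(1, 4),
}

def xor_bits(a: tuple, b: tuple) -> tuple:
    return tuple(x ^ y for x, y in zip(a, b))

def pad_to(bits: tuple, length: int) -> tuple:
    """Unambiguous padding: append a 1, then zeros up to `length` bits."""
    assert len(bits) < length, "no room for the marker bit"
    return bits + (1,) + (0,) * (length - len(bits) - 1)

def pad_to_block(bits: tuple, block: int) -> tuple:
    """Pad to the next multiple of `block` bits, always leaving room for the marker."""
    return pad_to(bits, (len(bits) // block + 1) * block)

def posteriors(prior: dict, encode) -> dict:
    """{c: {m: P(m | c)}} for an OTP whose pad is a uniform random bit string
    of the same length as encode(m)."""
    joint = {}                                   # c -> {m: P(m and c)}
    for m, pm in prior.items():
        x = encode(m)
        for pad in product((0, 1), repeat=len(x)):
            c = xor_bits(x, pad)
            bucket = joint.setdefault(c, {})
            bucket[m] = bucket.get(m, Fraction(0)) + pm / 2 ** len(x)
    post = {}
    for c, bucket in joint.items():
        pc = sum(bucket.values())                # P(c) > 0 by construction
        post[c] = {m: pmc / pc for m, pmc in bucket.items()}
    return post

def perfectly_secret(prior: dict, encode) -> bool:
    """Shannon's condition: for every ciphertext that can occur, the
    a posteriori probability of every message equals its a priori one."""
    return all(
        dist.get(m, Fraction(0)) == prior[m]
        for dist in posteriors(prior, encode).values()
        for m in prior
    )

def leaking_ciphertexts(prior: dict, encode) -> int:
    """How many possible ciphertexts change the distribution over messages."""
    return sum(
        any(dist.get(m, Fraction(0)) != prior[m] for m in prior)
        for dist in posteriors(prior, encode).values()
    )

if __name__ == "__main__":
    print("raw OTP, mixed lengths     :", perfectly_secret(PRIOR, lambda m: m))
    print("padded to a fixed 4 bits   :", perfectly_secret(PRIOR, lambda m: pad_to(m, 4)))
    print("padded to 4-bit blocks     :", perfectly_secret(WIDER_PRIOR, lambda m: pad_to_block(m, 4)))
    print("padded to a fixed 8 bits   :", perfectly_secret(WIDER_PRIOR, lambda m: pad_to(m, 8)))
```

With the raw OTP every one of the 12 possible ciphertexts shifts the posterior (a 2-bit ciphertext pins the message completely); padding every message to one fixed length restores P(m | c) = P(m) exactly, while padding to a multiple of the block size still fails as soon as the message space straddles a block boundary.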

--

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Reply-To: [EMAIL PROTECTED]
Date: Thu, 7 Jun 2001 11:15:08 GMT

Tom St Denis [EMAIL PROTECTED] wrote:
: Tim Tyler [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

: The opponent knows more about the plaintext after observing the
: cyphertext than he knew before he saw it - namely the length.
:
: That violates perfect secrecy.

: Only if the message is determined by the length.

No.  Regardless of what the message is, in fact - provided that messages
of more than one length are transmitted.

: Oui or Non.  The length will not determine the message.

It won't distinguish between those two particular messages anyway.
Are those the only possible messages in the system?

: Or if you just pad the bloody thing to a multiple of say 64 bytes. [...]

Still not enough for perfect secrecy :-(

: Even still people won't use an OTP to encrypt single byte messages.

The argument that an OTP does not have perfect secrecy does not depend on
single byte messages in any way.  I believe Scott mentioned two and
three byte messages as an example.

Any discussion about one-byte messages seems to be a hangover from the
CTR mode discussion.

: Traffic analysis information is indeed often present -
: but we are talking about once a message exists, does
: the attacker gain anything by looking at the cyphertext.
:
: That's what the definition of perfect secrecy talks about.

: No [...]

Yes.  Look it up.  Or read the posted definitions in this thread.

: perfect secrecy is defined as having no ability to tell one plaintext
: from another.

Since telling one plaintext from another is normally a trivial operation,
that statement is nonsense if taken literally.

What you probably mean is that the attacker has no ability to distinguish
between encryptions of different plaintexts given only a single cyphertext
to work on - which is an equivalent formulation to the one I gave above.

: Who cares if you know the entire set of plaintexts [...]

Well, knowledge of the entire set of plaintexts is better than nothing at
all.

However I've not mentioned that subject AFAICS - I believe you've just
raised it for the first time in this thread.

: Perfect secrecy applies to encryption devices.  Time of
: message transmission etc is considered to be outside its scope.
:
: A conventional OTP, that preserves message 

Cryptography-Digest Digest #548

2001-06-07 Thread Digestifier

Cryptography-Digest Digest #548, Volume #14   Thu, 7 Jun 01 10:13:00 EDT

Contents:
  Re: Is this a weakness in RSA key generation? (Bodo Moeller)
  Re: shifts are slow? (Jeffrey Williams)
  Re: Brute-forcing RC4 (S Degen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Humor, I Must be a Threat to National Security (Tom  Gutnick)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: Notion of perfect secrecy (SCOTT19U.ZIP_GUY)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)



From: [EMAIL PROTECTED] (Bodo Moeller)
Subject: Re: Is this a weakness in RSA key generation?
Date: 7 Jun 2001 12:19:00 GMT

Bill Unruh [EMAIL PROTECTED]:
 [EMAIL PROTECTED] (Mark Borgerding):

 I found that pgp 2.6.2 may sometimes generate a private exponent n
 that does not entirely match the RSA spec (as I know it)

 1) d*e = 1 , mod (p-1)*(q-1)

 2) d*e = 1 , mod (p-1)
 3) d*e = 1 , mod (q-1)

 pgp seems to occasionally generate a key that satisfies 2 & 3, but not 1.
 I know that stmt #1 implies 2 & 3, but the reverse is not true.

 My question is: is this something to worry about?  What effect would

 Yes. It will not work. You will not be able to decrypt anything.

Wrong, such keys will work perfectly.  There is no requirement that

d*e == 1   (mod (p-1)(q-1)).

It is only necessary that

d*e == 1   (mod lcm(p-1, q-1)),

which is exactly equivalent to 2 & 3 above.

(To prove that RSA decryption works in this case, consider decryption mod p
and mod q and apply the Chinese Remainder Theorem.  Most RSA decryption
implementations use the CRT anyway, and in that case only  d mod p-1
and  d mod q-1  are actually used -- the exact choice of  d  does not
matter at all.)


-- 
Bodo Möller [EMAIL PROTECTED]
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036
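Scott Fluhrer's challenge in Digest #545 (find p, q, d, e, x with d*e = 1 mod (p-1) and mod (q-1) but ((x**e)**d) != x mod pq) and Bodo's explanation that d*e == 1 (mod lcm(p-1, q-1)) suffices can both be checked by exhaustive search over a toy modulus. The following is an added example, not code from PGP or from any poster: it derives both private exponents, reports which of Mark Borgerding's three congruences each satisfies, and verifies decryption for every residue modulo n, both by plain exponentiation and through the CRT path that only ever sees d mod (p-1) and d mod (q-1). The primes 61 and 53 and e = 17 are constructed toy values.

```python
# Added example, not from the digest: checks that an RSA private exponent d
# with d*e == 1 (mod lcm(p-1, q-1)) decrypts correctly for every residue
# modulo n, even when d*e != 1 (mod (p-1)(q-1)).  Toy primes only.
from math import gcd

def lcm(a: int, b: int) -> int:
    return a * b // gcd(a, b)

def private_exponents(p: int, q: int, e: int) -> tuple:
    """(d_phi, d_lcm): e^-1 modulo (p-1)(q-1) and modulo lcm(p-1, q-1)."""
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be invertible modulo phi(n)"
    return pow(e, -1, phi), pow(e, -1, lcm(p - 1, q - 1))

def congruences(d: int, e: int, p: int, q: int) -> tuple:
    """Which of conditions (1), (2), (3) from the thread hold for d."""
    return (
        d * e % ((p - 1) * (q - 1)) == 1,   # (1) d*e = 1 mod (p-1)(q-1)
        d * e % (p - 1) == 1,               # (2) d*e = 1 mod (p-1)
        d * e % (q - 1) == 1,               # (3) d*e = 1 mod (q-1)
    )

def crt_decrypt(c: int, d: int, p: int, q: int) -> int:
    """CRT decryption (Garner's form): uses only d mod (p-1) and d mod (q-1)."""
    mp = pow(c, d % (p - 1), p)
    mq = pow(c, d % (q - 1), q)
    h = (pow(q, -1, p) * (mp - mq)) % p
    return mq + q * h                        # lies in [0, pq) by construction

def decrypts_everything(p: int, q: int, e: int, d: int) -> bool:
    """True iff (x^e)^d == x (mod pq) for every x in [0, pq), both by plain
    exponentiation and via the CRT path."""
    n = p * q
    return all(
        pow(pow(x, e, n), d, n) == x and crt_decrypt(pow(x, e, n), d, p, q) == x
        for x in range(n)
    )

if __name__ == "__main__":
    p, q, e = 61, 53, 17                     # constructed toy parameters
    d_phi, d_lcm = private_exponents(p, q, e)
    for name, d in (("d mod phi(n)", d_phi), ("d mod lcm(p-1,q-1)", d_lcm)):
        print(name, d, congruences(d, e, p, q), decrypts_everything(p, q, e, d))
```

With these parameters phi(n) = 3120 and lcm(p-1, q-1) = 780, so the two exponents differ (2753 versus 413); the second fails condition (1) yet satisfies (2) and (3) and decrypts all 3233 residues, which is exactly the case Bodo describes and the quintuplet Scott asks for does not exist.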

--

From: Jeffrey Williams [EMAIL PROTECTED]
Subject: Re: shifts are slow?
Date: Thu, 07 Jun 2001 07:35:02 -0500

IIRC, the original poster was talking about a P4, not a unique selection of
hardwired gates.

Before pipelined processors, shifts were frequently faster than adds and
almost always faster than multiplies (or divides).  Pipelining instructions
can (and almost certainly will) change some of our known facts about
programming.

If you really want to optimize your program for a given processor, you really
need to spend some time studying the data book for that processor.  It should
contain lots of information about the relative speeds of instructions.  Note
that figuring things out to an optimal level is not easy when dealing with a
pipelined processor as there are all kinds of options which will affect the
relative speed of an instruction.

Realistically, given the speed of today's processors, and the insanely low
cost per MIP, MOST OF THE TIME, you'd be better off writing your program in a
high-level language and using an optimizing compiler which can take full
advantage of the target processor.  Yes, if you really know the target
processor well, you could probably hand code the program to be faster, but
that if is huge.  Very few people will know a target processor well enough
to be a good optimizing compiler.  More to the point, given the rate at which
new processors are introduced, it becomes much more difficult to find people
who can beat the optimizing compiler.

Jeff


Tom St Denis wrote:

 Joseph Ashwood [EMAIL PROTECTED] wrote in message
 news:euGrY4t7AHA.277@cpmsnbbsa07...
  The new reality is the same. It's just that for a register to shift it needs
  to make use of itself as a shift register, so in a single clock bit 30 moves
  to 31, 29-30, 28-29, 27-26 . . .  1-2, 0-1. In order to shift by X
  takes X clocks. Also because we have gotten to such high frequencies and

 This is so wrong.  I can shift a 512-bit register 211 bits in one cycle.
 (Just re-wire the outputs).

 snip

 Boolean operations like AND,OR,XOR,NOT can take one cycle since you just
 apply all the logic in parallel.  So if 1 AND takes 1 cycle 32 ANDs should
 take 1 cycle too.  You get a bit of delay to synchronize the bits but
 generally that's low.

 Tom


--

From: S Degen [EMAIL PROTECTED]
Subject: Re: Brute-forcing RC4
Date: Thu, 07 

Cryptography-Digest Digest #551

2001-06-07 Thread Digestifier

Cryptography-Digest Digest #551, Volume #14   Thu, 7 Jun 01 13:13:01 EDT

Contents:
  Re: Best, Strongest Algorithm (gone from any reasonable topic) ([EMAIL PROTECTED])
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Notion of perfect secrecy (Paul Pires)
  Re: Notion of perfect secrecy ([EMAIL PROTECTED])
  Re: Notion of perfect secrecy (John Savard)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Humor, I Must be a Threat to National Security (Douglas Hurst)
  Re: shifts are slow? (Tom St Denis)
  Re: MD5 for random number generation? (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: OTP WAS BROKEN!!! (Paul Pires)
  Re: Humor, I Must be a Threat to National Security (Chaotic)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)



Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
From: [EMAIL PROTECTED]
Date: 07 Jun 2001 12:19:24 -0400

Tim Tyler [EMAIL PROTECTED] writes:
 
 OK - so can you identify one bit in that stream which is *not*
 significant?

Everything after the final ``1''. Just read what he does with those
bits: he throws them out.

Len.

-- 
The Yanomamo Indians employ only three numbers: one, two, and more
than two.  Maybe their time will come.
-- Warren Buffett, 1979

--

From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: Thu, 07 Jun 2001 18:20:52 +0200



Tim Tyler wrote:
 
 Mok-Kong Shen [EMAIL PROTECTED] wrote:
 : Tim Tyler wrote:
 
 : Traffic analysis information is indeed often present -
 : but we are talking about once a message exists, does
 : the attacker gain anything by looking at the cyphertext.
 :
 : That's what the definition of perfect secrecy talks about.
 :
 : Perfect secrecy applies to encryption devices.  Time of
 : message transmission etc is considered to be outside its scope.
 :
 : A conventional OTP, [...] does not
 : have Shannon's perfect secrecy property.
 
 : I am not of the opinion that size is 'inherently' different
 : from time etc. in the present context.
 
 Well, you should be.  Length is a property that can be used to
  distinguish between elements of the set of possible plaintexts -
 while time cannot be so used.

Why not? I could well agree with my partner that if
a mail (of any innocent content) is sent between 9 and
10 o'clock it means one thing while between 10 and 11
o'clock it means the opposite. At least one bit can
be transmitted that way. (More could be done by
more sophisticated agreement.)

M. K. Shen

--

From: Paul Pires [EMAIL PROTECTED]
Subject: Re: Notion of perfect secrecy
Date: Thu, 7 Jun 2001 09:22:11 -0700


Tim Tyler [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
 Tom St Denis [EMAIL PROTECTED] wrote:
 : Tim Tyler [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

 : The OTP leaks information about the length of the plaintext.
 :
  : This is a clear security hazard, and it may be necessary
  : to take steps to prevent this information being used by the attacker.
 :
 : Also, it violates Shannon's perfect secrecy (which is what this
 : thread is about).
 :
 : The OTP that is proven perfectly secure is in a system where only
 : plaintexts of a given length are possibilities.  That is not the
 : OTP as commonly used.

 : By your logic the TIME you send the message leaks just as much information
 : as the LENGTH of the message.

 : Can BICOM go back in TIME to send the message?

 : Also WHO is sending the message leaks info too ...etc..

 Perfect secrecy is a property of a device that translates between
 plaintext and cyphertext.

 It asks what information about the plaintext is present in the cyphertext.

 Traffic analysis information is outside the scope of perfect secrecy
 as Shannon defined it.

 : Shannon was looking at the OTP in an abstract model where the a priori (what
 : exactly does that mean)... er... previous known distribution of messages
 : cannot be used to solve the system.

 I believe a priori translates roughly as before knowledge, if that helps.

 This isn't about previous messages.  Simple knowledge of the cyphertext
 and the machinery it was encrypted with is enough to reveal information
 about the plaintext.  Previous messages have nothing to do with it.

 : Let's say you have a 13 byte OTP message where the plaintext was in ASCII.
 : Obviously you can rule out OTPs that would lead to non-ascii stuff.  If you
 : know it's english you can eliminate OTPs that lead to non-english text.  Out
 : of the possible 2^104 possible OTP pads 

Cryptography-Digest Digest #550

2001-06-07 Thread Digestifier

Cryptography-Digest Digest #550, Volume #14   Thu, 7 Jun 01 13:13:01 EDT

Contents:
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (John A. Malley)
  Re: Def'n of bijection (Paul Pires)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: OTP WAS BROKEN!!! (Tim Tyler)
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, and  (Phil 
Carmody)
  Re: OTP WAS BROKEN!!! (Robert J. Kolker)
  Re: practical birthday paradox issues (Phil Carmody)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) 
([EMAIL PROTECTED])
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)



From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Reply-To: [EMAIL PROTECTED]
Date: Thu, 7 Jun 2001 15:09:19 GMT

[EMAIL PROTECTED] wrote:
: Tim Tyler [EMAIL PROTECTED] writes:
: [EMAIL PROTECTED] wrote:
:: Tim Tyler [EMAIL PROTECTED] writes:
:: Tom St Denis [EMAIL PROTECTED] wrote:

::: Or if you just pad the bloody thing to a multiple of say 64 bytes. [...]
:: 
:: Still not enough for perfect secrecy :-(
:: 
:: Right--no matter what ``a multiple'' means. 
: 
: That's correct - so long as no restraints are placed on the set of
: possible plaintexts.

: Exactly. So why do you keep switching premises? Specifically:

: 1. When somebody says, ``OTP on padded messages gives (Tim Tyler's
:definition of) perfect secrecy,'' you reply, ``No, because no
:amount of padding is enough.'' In other words, you assume that the
:space of plaintexts is infinite.

: 2. When somebody replies, ``Okay: if the space of messages is infinite,
:then (your definition of) perfect secrecy is impossible to achieve.''
:You reply, ``No, because the space of messages is actually finite.''
:(Or alternately, ``...has cardinality 2 in my universe.'')

You dare to misquote me in the course of misrepresenting my position.

You misquote yourself as well to distort things still further - but I
guess that's your privilege.

We can talk again when you have learned to put quotation marks around
stuff people have actually said.
-- 
__
 |im |yler  [EMAIL PROTECTED]  Home page: http://alife.co.uk/tim/

--

From: John A. Malley [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: Thu, 07 Jun 2001 08:18:08 -0700


Tim Tyler wrote:
 

 
 : You probably question whether such usage leads to
 : Shannon's perfect security which, as you said, is claimed
 : to be a property of OTP. However, I don't see where in the
 : literature about OTP (in connection with perfect security)
 : the length enters into the argumentation, i.e. plays a role
 : in the proof.

Shannon's paper Communications Theory of Secrecy Systems addresses
this. Perfect secrecy is a property of the OTP (i.e. the Vernam cipher
specifically cited in that paper) AND message length DOES enter into the
argument. However, using an OTP is NOT required for perfect secrecy when
the set of messages is finite.  :-)

 
 I also think that it's not mentioned.  I believe it is common to
 consider the domain where all plaintexts are the same length -
 perhaps in order to get the perfect secrecy result.
 
 : My memory of Shannon's paper is no good, but I don't think that he
 : considered the length of the messages.
 
 I don't think it was mentioned either - all the messages were the same
 length in the system in question.
 --

Shannon's important paper on cipher systems carefully considers the
length of the messages. Shannon shows the OTP is NOT required for a
finite set of messages to give perfect secrecy. (I've posted on this
before, given examples of such ciphers, just search google or drop me a
note by email for more specific examples. :-) )

The OTP is required for message sources with an infinite number of
messages.  From page 682 of  Communications Theory of Secrecy Systems,
C. E. Shannon, Bell System Technical Journal, pp. 656-715, 1949:

The situation [perfect secrecy] is somewhat more complicated if the
number of messages is infinite. Suppose, for example, that they are
generated as infinite sequences of letters by a suitable Markov process.
It is clear that no finite key will give perfect secrecy. We suppose,
then, that the key source generates key in the same manner, that is, as
an infinite sequence of symbols. Suppose further that only a certain
length of L_k is needed to encipher and decipher a length L_m of
message. Let the logarithm of the number of letters in the message
alphabet be R_m 

Cryptography-Digest Digest #552

2001-06-07 Thread Digestifier

Cryptography-Digest Digest #552, Volume #14   Thu, 7 Jun 01 14:13:00 EDT

Contents:
  Re: Notion of perfect secrecy (Tom St Denis)
  CBC variant
  Re: Notion of perfect secrecy (Tim Tyler)
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, and Large Primes 
(Tom St Denis)
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, and Large Primes 
(Tom St Denis)
  Re: OTP WAS BROKEN!!! (Paul Pires)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, and Large Primes 
([EMAIL PROTECTED])
  Re: Humor, I Must be a Threat to National Security (Dimitri Maziuk)
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, and Large Primes 
(Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Medical data confidentiality on network comms (wtshaw)
  Re: Medical data confidentiality on network comms (wtshaw)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)



From: Tom St Denis [EMAIL PROTECTED]
Subject: Re: Notion of perfect secrecy
Date: Thu, 07 Jun 2001 17:11:44 GMT


Tim Tyler [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
 Tom St Denis [EMAIL PROTECTED] wrote:
 : Tim Tyler [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
 : Tom St Denis [EMAIL PROTECTED] wrote:

 : : Typically the MEANING of the message is not stored in the length.

 : Shannon refers to *any* information about the identity of the
 : plaintext.
 :
 : For perfect secrecy, observation of the cyphertext should make no
 : difference to the attacker.
 :
 : This is not the case if he was unaware of the length of the plaintext
 : before observing it - and he knows that the length of the cyphertext
 : matches that of the plaintext.

 : You don't understand his results that's all. [...]

 My understanding is fine thanks.

 : In his model WHO, WHEN, LENGTH were not the information he wanted to
 : protect.

 Who and when are not modelled by Shannon.  However length /is/
 information that relates to the identity of the plaintext
 (except in the case where all possible plaintexts are the same length)
 and *is* covered by Shannon's definition of perfect secrecy.

No they are not.  When will you realize that the contents of the message are
what an OTP protects.  So if the contents are random then an OTP is
perfectly secure.


 : You're really mocking the dead here.  I sincerely hope you are some
 : 12yr kid trying to get a rise out of people, otherwise I wonder how you
 : did in College challenging all your profs without listening to their
 : proofs... No offense Tim but you have a lot of growing up to do.  Even
 : if you are 76 yrs old you're an immature brat as far as I am concerned.

 Sorry you feel that way Tom.  It seems this is the thanks I get for
 pointing out your errors.  Maybe I won't bother in the future.

So far it seems #[sci.crypt] vs #[scott, tim].

I don't think it's my errors

 : Anyways this is all OT.

 You started this thread about perfect secrecy - which incidentally is not
 off topic at all.

Your rants are not on topic.

Tom



--

From: [EMAIL PROTECTED]
Subject: CBC variant
Date: Thu, 7 Jun 2001 13:07:09 -0400

Hi,

We know that methods used to inject feedback into a small block cipher,
such as CBC, have known-ciphertext attacks against them, like what
Vaudenay posted here.

I propose a variant of CBC that requires 2 extra block-width XORS and 1
extra encryption per block. (shown here in plain English)

(1) Cipher(block n) in CBC is E(block n XOR block n-1), so I propose an
extra step like this:

(2) XOR block n using a block constant (the constant evolves like the
round constant in TEA)*
(a) Encrypt the sum.
(b) Xor the sum onto block n-1 like a mask.

*Note that (2) and (2)(a) are discarded. (The block is not actually
double encrypted.)

As stated, this needs just two xors and one encryption (same key) in
addition to regular CBC. Can anyone find faults in it? If worth
anything, use freely ;)

Thanks,
thecode







--

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Notion of perfect secrecy
Reply-To: [EMAIL PROTECTED]
Date: Thu, 7 Jun 2001 17:04:04 GMT

[EMAIL PROTECTED] wrote:

: *IF* I know that the message must be one of k known plaintexts, each
: having different lengths, then I can use the length to deduce which
: plaintext is being sent.

: Note further, however, that this properly belongs to traffic analysis:
: I already knew what the message said; [...]

Not according to what you said - you said I know that the
message must be one of k known plaintexts.

All cryptanalysis involves analysis of the 

Cryptography-Digest Digest #553

2001-06-07 Thread Digestifier

Cryptography-Digest Digest #553, Volume #14   Thu, 7 Jun 01 15:13:00 EDT

Contents:
  Re: Notion of perfect secrecy (Tim Tyler)
  Re: Notion of perfect secrecy (Tim Tyler)
  Re: CBC variant (John Savard)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) 
([EMAIL PROTECTED])
  Alice and Bob Speak MooJoo (Robert J. Kolker)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Notion of perfect secrecy (Paul Pires)
  Re: CBC variant (John Savard)
  Re: Knapsack security??? Ahhuh (John Bailey)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: Notion of perfect secrecy (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  better yet, perfect secrecy = who cares? (Tom St Denis)



From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Notion of perfect secrecy
Reply-To: [EMAIL PROTECTED]
Date: Thu, 7 Jun 2001 18:05:56 GMT

Tom St Denis [EMAIL PROTECTED] wrote:
: Tim Tyler [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
: Tom St Denis [EMAIL PROTECTED] wrote:
: : Tim Tyler [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
: : Tom St Denis [EMAIL PROTECTED] wrote:

: : In his model WHO, WHEN, LENGTH were not the information he wanted to
: : protect.
:
: Who and when are not modelled by Shannon.  However length /is/
: information that relates to the identity of the plaintext
: (except in the case where all possible plaintexts are the same length)
: and *is* covered by Shannon's definition of perfect secrecy.

: No they are not.

Yes it is - read Shannon's definition of perfect secrecy.

: When will you realize that the contents of the message are
: what an OTP protects.  So if the contents are random than an OTP is
: perfectly secure.

An OTP doesn't have perfect secrecy - the cyphertext leaks information
about the length of the plaintext.

If you don't believe me, just read the definition of perfect secrecy.

: : You're really mocking the dead here.  I sincerely hope you are some
: : 12yr kid trying to get a rise out of people, otherwise I wonder how you
: : did in College challenging all your profs without listening to their
: : proofs... No offense Tim but you have a lot of growing up to do.  Even
: : if you are 76 yrs old you're an immature brat as far as I am concerned.
:
: Sorry you feel that way Tom.  It seems this is the thanks I get for
: pointing out your errors.  Maybe I won't bother in the future.

: So far it seems #[sci.crypt] vs #[scott, tim].

: I don't think it's my errors

You never do - but it almost always is.

Unicity distance, bijection, ctr mode, perfect secrecy - it
seems to be just one thing after another these days in a long stream
of mistakes ;-/
-- 
__
 |im |yler  [EMAIL PROTECTED]  Home page: http://alife.co.uk/tim/

--

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Notion of perfect secrecy
Reply-To: [EMAIL PROTECTED]
Date: Thu, 7 Jun 2001 18:15:53 GMT

Paul Pires [EMAIL PROTECTED] wrote:
: Tim Tyler [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

: Perfect secrecy says that knowledge of the cyphertext must not allow the
: space of possible plaintexts to be narrowed down at all.

: The space of the possible plaintexts hasn't been narrowed down
: by the application of the OTP. This narrowing is a characteristic
: of the message, not the method.

Yes indeed.

: By this logic no system could have perfect secrecy since that would
: require the method to have control over the composition of all possible
: messages before encryption.

No system can have perfect secrecy and deal with an infinite set of finite
messages.

However perfect secrecy if you are only dealing with a finite set of
messages is possible, and perfect secrecy is possible with infinite sets
of messages as well, as demonstrated in Shannon's original paper.

: Nothing is leaked that was not already plain. No compromise has occurred by
: the application of the OTP. It is perfect without the constraint you
: are proposing.

That doesn't seem to make any sense.  The length of the message is leaked
to the attacker.  What are you talking about?

: This is one clear piece of stable ground in a murky field. One thing you can
: know. I don't see how this complex distinction you are proposing aids
: in understanding or what it gets you from a practical sense.

I don't know what distinction you're talking about here :-|

: OTP's can leak the message length. As Tom pointed out, they also can
: leak the point in time, the relative sequence of messages, the sender
: and receiver.  These and other issues can be dealt with by protocol,
: 

Cryptography-Digest Digest #554

2001-06-07 Thread Digestifier

Cryptography-Digest Digest #554, Volume #14   Thu, 7 Jun 01 16:13:00 EDT

Contents:
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) 
([EMAIL PROTECTED])
  Re: shifts are slow? (Bob Jenkins)
  Re: Alice and Bob Speak MooJoo ([EMAIL PROTECTED])
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: shifts are slow? ([EMAIL PROTECTED])
  Re: MD5 for random number generation? (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) 
([EMAIL PROTECTED])
  Re: MD5 for random number generation? (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: Alice and Bob Speak MooJoo (Janne Tuukkanen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: RSA's new Factoring Challenges: $200,000 prize. (my be repeat) (Joseph Ashwood)
  new NSA/echelon rant (V.Z. Nuri)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (JPeschel)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)



From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Reply-To: [EMAIL PROTECTED]
Date: Thu, 7 Jun 2001 18:54:57 GMT

Tom St Denis [EMAIL PROTECTED] wrote:

: I fail to see how knowing the length of the plaintext reveals any
: information contained within the plaintext.

It lets you rule out plaintexts that were previously possible, and
give them a probability of zero.

Shannon states that for perfect secrecy the cyphertext must not
give *any* clues to the plaintext.

Not no clues apart from the length, but no clues at all.

: You fail to solve even the most trivial of examples I pose.

Hardly surprising, is it?  I told you that it was obvious to everyone that
such examples were impossible to solve uniquely.  Why do you not tire of
repeatedly presenting them?
-- 
__
 |im |yler  [EMAIL PROTECTED]  Home page: http://alife.co.uk/tim/
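Tim Tyler's point above, that an unpadded OTP gives plaintexts of the wrong length a probability of zero, checked by brute force over a tiny message source. This is an added example, not code from the digest or any poster; the message source, its prior, and the 10*-style padding scheme are constructed for the demonstration.

```python
"""Brute-force check of Shannon's perfect-secrecy condition P(M | C) = P(M).

Added example, not code from the digest or any poster.  Two encoders are
compared over one constructed, finite message source whose messages have
different lengths: the plain OTP (key exactly as long as the message) and
an OTP applied after every message is padded to one fixed length.
"""
from fractions import Fraction
from itertools import product

# Constructed toy source: messages are bit tuples of length 1, 2 or 3 with a
# non-uniform prior.  Two messages share length 2 so we can watch the
# posterior renormalise among same-length candidates.
MESSAGES = {
    (0,):      Fraction(1, 4),
    (1, 1):    Fraction(1, 8),
    (1, 0):    Fraction(1, 8),
    (0, 1, 0): Fraction(1, 2),
}
PAD_LEN = 4  # longest message is 3 bits; the 10* padding needs one extra bit


def otp_encrypt(msg, key):
    """Vernam cipher: bitwise XOR with a key of exactly the message length."""
    if len(msg) != len(key):
        raise ValueError("one-time pad must match the message length")
    return tuple(m ^ k for m, k in zip(msg, key))


def pad(msg, total_len=PAD_LEN):
    """Unambiguous 10* padding: message, a single 1 bit, then zeros to total_len."""
    if len(msg) >= total_len:
        raise ValueError("message too long for the padded length")
    return tuple(msg) + (1,) + (0,) * (total_len - len(msg) - 1)


def unpad(padded):
    """Inverse of pad(): the final 1 and everything after it is padding."""
    last_one = max(i for i, bit in enumerate(padded) if bit == 1)
    return padded[:last_one]


def identity(msg):
    """Encoder for the OTP 'as commonly used': no padding at all."""
    return tuple(msg)


def posterior(prior, encode, ciphertext):
    """Exact P(M | C = ciphertext), summing over every key of the right length.

    Key bits are uniform, so an n-bit key has probability 2**-n.  A message
    whose encoding is not the ciphertext's length can never produce it, so
    it gets mass 0: this is the length leak the thread argues about.
    """
    joint = {}
    for msg, p_m in prior.items():
        encoded = encode(msg)
        n = len(encoded)
        if n != len(ciphertext):
            joint[msg] = Fraction(0)
            continue
        mass = Fraction(0)
        for key in product((0, 1), repeat=n):
            if otp_encrypt(encoded, key) == ciphertext:
                mass += Fraction(1, 2 ** n)
        joint[msg] = p_m * mass
    total = sum(joint.values())
    if total == 0:
        raise ValueError("ciphertext cannot occur under this source")
    return {msg: j / total for msg, j in joint.items()}


def is_perfectly_secret(prior, encode):
    """Shannon's condition: P(M | C) == P(M) for every ciphertext that can occur."""
    for n in {len(encode(m)) for m in prior}:
        for c in product((0, 1), repeat=n):
            post = posterior(prior, encode, c)
            if any(post[m] != prior[m] for m in prior):
                return False
    return True


if __name__ == "__main__":
    # A 2-bit ciphertext rules out the 1-bit and 3-bit messages outright.
    print(posterior(MESSAGES, identity, (1, 0)))
    print("unpadded OTP perfectly secret:", is_perfectly_secret(MESSAGES, identity))
    print("padded OTP perfectly secret:  ", is_perfectly_secret(MESSAGES, pad))
```

Without padding, a 2-bit ciphertext already drives three of the four messages to probability zero and doubles the relative weight of the rest; with every message padded to 4 bits the posterior equals the prior for all 16 ciphertexts, so the condition holds over this finite set.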

--

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Reply-To: [EMAIL PROTECTED]
Date: Thu, 7 Jun 2001 18:57:10 GMT

[EMAIL PROTECTED] wrote:
: Tim Tyler [EMAIL PROTECTED] writes:

: OK - so can you identify one bit in that stream which is *not*
: significant?

: Everything after the final ``1''.

Which bit is that?  You don't know where the final 1 is, if you ignore
some of the bits, now do you?  So all bits *are* significant.
-- 
__
 |im |yler  [EMAIL PROTECTED]  Home page: http://alife.co.uk/tim/

--

Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
From: [EMAIL PROTECTED]
Date: 07 Jun 2001 15:06:16 -0400

Tom St Denis [EMAIL PROTECTED] writes:
 [EMAIL PROTECTED] wrote in message
 news:[EMAIL PROTECTED]...
 Tim Tyler [EMAIL PROTECTED] writes:

 Those points indicate that the chance of getting a false positive in the
 system you describe are small.

 As in, ``you're better off waiting for the sun to burn out and the
 universe to collapse, than waiting for false positives.'' Yes, correct;
 I guess you could call that ``small''.
 
 You're wrong too.  In an OTP like system, it's not that guessing the
 message is hard or improbable.  It's that it's IMPOSSIBLE.

Don't lose track Tom--I wasn't talking about OTP.

I offered a reasonable (though extremely ballpark) estimate of the
likelihood of plausible (or ``false positive'') decryptions when no
compression is used. I then suggested approximately HOW MUCH MORE common
BICOM would have to make the plausible files before it actually translates
into false positive decryptions more often than, say, having our sun
burn out.

The estimate (1) gives strong reasons to doubt that BICOM has *any*
practical benefit, apart from making decryption take a little longer
(and the usual benefits of compression), and (2) gives Tim T. some
idea what he would have to prove, in order to substantiate his claims
for BICOM. ``It's obvious, because there are just lots and lots
of...''  doesn't actually mean diddly.

Are we all together now?

Len.


-- 
The ``attack'' that Warfield mentions was not a qmail problem; it was
a fraudulent marketing stunt by the Postfix author.
-- Dan Bernstein

--

From: [EMAIL PROTECTED] (Bob Jenkins)
Subject: Re: shifts are slow?
Date: 7 Jun 2001 12:11:00 -0700

Jeffrey Williams [EMAIL PROTECTED] wrote in message 
news:[EMAIL PROTECTED]...

 Realistically, given the speed of today's processors, and the insanely low
 cost per MIP, 

Cryptography-Digest Digest #557

2001-06-07 Thread Digestifier

Cryptography-Digest Digest #557, Volume #14   Thu, 7 Jun 01 19:13:01 EDT

Contents:
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Notion of perfect secrecy (SCOTT19U.ZIP_GUY)
  Re: Notion of perfect secrecy (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (JPeschel)
  Re: Def'n of bijection (Henrick Hellström)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: about DH parameters  germain primes (Anton Stiglic)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (JPeschel)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: shifts are slow? (Joseph Ashwood)
  Re: Alice and Bob Speak MooJoo (Joseph Ashwood)
  Re: Simple C crypto (Joseph Ashwood)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)



From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Reply-To: [EMAIL PROTECTED]
Date: Thu, 7 Jun 2001 21:27:56 GMT

[EMAIL PROTECTED] wrote:
: Tim Tyler [EMAIL PROTECTED] writes:
: [EMAIL PROTECTED] wrote:
:: Tim Tyler [EMAIL PROTECTED] writes:

:: My claim is that the chances of collisions are generally greater if
:: compression has been employed than if not.
::
:: You are wrong to say ``generally greater''; you have not proven that
:: they actually are greater. You can only say they are ``no less''.
: 
: ...the net effect is that they will be more frequent.

: You don't have any idea what the net effect will be.

So you falsely claim.

: If you have a fishtank and all the fish swim towards one end, the
: chances of finding fish at that end will be generally greater.
:
: Sometimes if you look by the castle you will find greater, fewer or
: an equal number of fish in its neighbourhood - but *on average* the
: density of fish at that end of the tank will be greater.
:
: The fish are plausible plaintexts.  The tank represents files
: sorted by size.  Files at the end of the tank are shorter than ones
: further away.  The directional swimming of the fish represents
: compression.

: GLORY, GLORY HALLELUJAH! NOW I GET IT! Please, please, write this up and
: submit it to the Acta Mathematica, will you? You must be Isaac Newton
: reborn!

I assume you didn't understand :-(

I figure that makes you a lost cause.  If you didn't understand that
simplified explanation, there's really not much hope of you ever
grasping it.

: Did you miss my 129 bit message?

: If that's not the only message you send, then we're NOT dealing with
: only 129 bits; we're dealing with all the bits you encrypted with that
: key.

No - not if there are multiple messages and a key per message.

: On the other hand, if you DID send only 129 bits with a 128-bit
: key, and then throw the key away--but DIDN'T use a one-time pad, then
: you're an idiot.

How so?

Say I have a cyphermachine that already uses BICOM.

You're telling me I should scrap that, build a new machine, send copies of
it to everyone who I want to communicate with - all just for sending short
messages with?

Wouldn't that represent a lot of rather pointless work?

How many cyphersystems are you familiar with that use a conventional
cypher for long messages and an OTP for short ones?

...

A 256 bit message might have very few collisions with a 128 bit key.
It /might/ even encrypt to a unique plaintext.

On the other hand a 129-bit message will yield a cyphertext that
will decrypt to (almost) every *possible* message - a set that
may well include a very large number of plausible-looking messages.

This is a concrete case where compression would often increase
the density of plausible-looking decrypts by orders of magnitude.
-- 
__
 |im |yler  [EMAIL PROTECTED]  Home page: http://alife.co.uk/tim/

--

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Notion of perfect secrecy
Date: 7 Jun 2001 21:32:03 GMT

[EMAIL PROTECTED] (Tom St Denis) wrote in
kBOT6.51452$[EMAIL PROTECTED]: 


Tim Tyler [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]... 
 Tom St Denis [EMAIL PROTECTED] wrote:
 : Tim Tyler [EMAIL PROTECTED] wrote in message
 : news:[EMAIL PROTECTED]... 
 : Tom St Denis [EMAIL PROTECTED] wrote:

 : : Typically the MEANING of the message is not stored in the length.

 : Shannon refers to *any* information about the identity of the
 : plaintext.
 :
 : For perfect secrecy, observation of the cyphertext should make no
 : difference to the attacker.
 :
 : This is not the case if he was unaware of the length of the
 

Cryptography-Digest Digest #556

2001-06-07 Thread Digestifier

Cryptography-Digest Digest #556, Volume #14   Thu, 7 Jun 01 18:13:01 EDT

Contents:
  Re: Best, Strongest Algorithm (gone from any reasonable topic) 
([EMAIL PROTECTED])
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: MD5 for random number generation? (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (JPeschel)
  Re: Brute-forcing RC4 (Joseph Ashwood)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (JPeschel)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Brute-forcing RC4 (Ichinin)
  Any Informed Opinions? (Robert J. Kolker)
  Re: Alice and Bob Speak MooJoo (Ichinin)
  Re: MD5 for random number generation? (Tom St Denis)
  Re: Alice and Bob Speak MooJoo (Robert J. Kolker)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)



Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
From: [EMAIL PROTECTED]
Date: 07 Jun 2001 16:48:45 -0400

Tim Tyler [EMAIL PROTECTED] writes:

 [EMAIL PROTECTED] wrote:
: Tim Tyler [EMAIL PROTECTED] writes:
:
: My claim is that the chances of collisions are generally greater if
: compression has been employed than if not.
:
: You are wrong to say ``generally greater''; you have not proven that
: they actually are greater. You can only say they are ``no less''.
 
 ...the net effect is that they will be more frequent.

You don't have any idea what the net effect will be. In fact, I gave a
fairly thorough explanation why the net effect is almost certainly no
such thing. You need to *prove* that the ``net effect'' will be what
you say.

 If you have a fishtank and all the fish swim towards one end, the
 chances of finding fish at that end will be generally greater.
 Sometimes if you look by the castle you will find greater, fewer or
 an equal number of fish in its neighbourhood - but *on average* the
 density of fish at that end of the tank will be greater.
 The fish are plausible plaintexts.  The tank represents files
 sorted by size.  Files at the end of the tank are shorter than ones
 further away.  The directional swimming of the fish represents
 compression.

GLORY, GLORY HALLELUJAH! NOW I GET IT! Please, please, write this up and
submit it to the Acta Mathematica, will you? You must be Isaac Newton
reborn!

Question: If there are 50 billion billion eels, and 2000 guppies, and
they all start in one end of the tank--which is 45,000 light-years long,
when can I expect to catch a guppy at the far end of the tank?

Translation: You keep using words like ``some'' or ``a lot'' or
``greater than'' or ``better'' without any attempt whatsoever to
verify that the hypothetical ``improvement'' will *ever* affect an
attacker.

 Did you miss my 129 bit message?

If that's not the only message you send, then we're NOT dealing with
only 129 bits; we're dealing with all the bits you encrypted with that
key. On the other hand, if you DID send only 129 bits with a 128-bit
key, and then throw the key away--but DIDN'T use a one-time pad, then
you're an idiot.

: Bottom line: ``All BICOM gives you, assuming its correctness, is an
: increase in the work required to brute-force the key.''
 
 If that's your bottom line then I have to say your panties are showing.

Didn't you used to date Ludwig Plutonium?

Len.


-- 
Performance speculation is bad. Performance hypocrisy is much worse.
-- Dan Bernstein

--

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Reply-To: [EMAIL PROTECTED]
Date: Thu, 7 Jun 2001 20:44:35 GMT

John Myre [EMAIL PROTECTED] wrote:
: Tim Tyler wrote:

: I see.  You think you know better how to explain how Matt Timmermans
: compressor operates than Matt Timmermans himself.

: Where does that come from?

http://www3.sympatico.ca/mtimmerm/bicom/bicom.html

: On the whole, Len's posts are more convincing to me than
: yours are. [...]

Well, this isn't a popularity contest - this is a scientific forum.

Is there anything specific you don't agree with?

: He may be wrong, but he's not an idiot. [...]

I don't believe I've called him an idiot to date.

He has some technical knowledge - but he has now made rather a lot of
mistakes.  Entropy, perfect secrecy, compression - he seems to have an
inaccurate view about everything :-|

The posts of his that /really/ rub me up the wrong way are the ones where
he misquotes me - or where he snipped what I 

Cryptography-Digest Digest #555

2001-06-07 Thread Digestifier

Cryptography-Digest Digest #555, Volume #14   Thu, 7 Jun 01 17:13:00 EDT

Contents:
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (John Myre)
  Re: Notion of perfect secrecy (Tim Tyler)
  Re: better yet, perfect secrecy = who cares? (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: better yet, perfect secrecy = who cares? (Tom St Denis)
  Simple C crypto (Dirk Bruere)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: Alice and Bob Speak MooJoo (Robert J. Kolker)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) 
([EMAIL PROTECTED])
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)



From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: 7 Jun 2001 19:49:37 GMT

[EMAIL PROTECTED] (John A. Malley) wrote in 
[EMAIL PROTECTED]:


Tim Tyler wrote:
 

 
 : You probably question whether such usage leads to
 : Shannon's perfect security which, as you said, is claimed
 : to be a property of OTP. However, I don't see where in the
 : literature about OTP (in connection with perfect security)
 : the length enters into the argumentation, i.e. plays a role
 : in the proof.

Shannon's paper Communications Theory of Secrecy Systems addresses
this. Perfect secrecy is a property of the OTP (i.e. the Vernam cipher
specifically cited in that paper) AND message length DOES enter into the
argument. However, using an OTP is NOT required for perfect secrecy when
the set of messages is finite.  :-)

 
 I also think that it's not mentioned.  I believe it is common to
 consider the domain where all plaintexts are the same length -
 perhaps in order to get the perfect secrecy result.
 
 : My memory of Shannon's paper is no good, but I don't think that he
 : considered the length of the messages.
 
 I don't think it was mentioned either - all the messages were the same
 length in the system in question.
 --

Shannon's important paper on cipher systems carefully considers the
length of the messages. Shannon shows the OTP is NOT required for a
finite set of messages to give perfect secrecy. (I've posted on this
before, given examples of such ciphers, just search google or drop me a
note by email for more specific examples. :-) )

The OTP is required for message sources with an infinite number of
messages.  From page 682 of  Communications Theory of Secrecy Systems,
C. E. Shannon, Bell System Technical Journal, pp. 656-715, 1949:

The situation [perfect secrecy] is somewhat more complicated if the
number of messages is infinite. Suppose, for example, that they are
generated as infinite sequences of letters by a suitable Markov process.

  Unfortunately you missed most of the paper. We are talking about
the simple system where you have a finite number of messages of
various lengths. And since for perfect security you can't have more
than one residue class, if one used an OTP that only encrypts to the
end of the message actually sent, you would immediately form a series
of different residue classes based on input message length. Therefore
using it that way would not be perfect security.

  Try taking another look.

David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE OLD VERSION
http://www.jim.com/jamesd/Kong/scott19u.zip
My website http://members.nbci.com/ecil/index.htm
My crypto code http://radiusnet.net/crypto/archive/scott/
MY Compression Page http://members.nbci.com/ecil/compress.htm
**NOTE FOR EMAIL drop the roman five ***
Disclaimer:I am in no way responsible for any of the statements
 made in the above text. For all I know I might be drugged or
 something..
 No I'm not paranoid. You all think I'm paranoid, don't you!


--

From: John Myre [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: Thu, 07 Jun 2001 14:01:18 -0600

Tim Tyler wrote:
snip
 I see.  You think you know better how to explain how Matt Timmermans
 compressor operates than Matt Timmermans himself.
snip

Where does that come from?  Matt isn't posting, you are.

On the whole, Len's posts are more 

Cryptography-Digest Digest #559

2001-06-07 Thread Digestifier

Cryptography-Digest Digest #559, Volume #14   Thu, 7 Jun 01 23:13:01 EDT

Contents:
  Re: Simple C crypto (Tom St Denis)
  Re: Alice and Bob Speak MooJoo (Robert J. Kolker)
  Re: Alice and Bob Speak MooJoo (Tom St Denis)
  Re: Brute-forcing RC4 (Scott Fluhrer)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) ([EMAIL PROTECTED])
  Re: Brute-forcing RC4 (Tom St Denis)
  Re: Simple C crypto (Boyd Roberts)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) ([EMAIL PROTECTED])
  Re: CBC variant (Scott Fluhrer)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: Brute-forcing RC4 (Scott Fluhrer)
  Re: Brute-forcing RC4 (Tom St Denis)
  Re: Alice and Bob Speak MooJoo (Robert J. Kolker)
  Re: Simple C crypto (Dirk Bruere)
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, and Large Primes (sisi jojo)
  Re: Simple C crypto (Dirk Bruere)
  Re: Brute-forcing RC4 (Scott Fluhrer)
  Re: Simple C crypto (Tom St Denis)
  Re: Any Informed Opinions? (Dirk Bruere)
  Re: Simple C crypto (Dirk Bruere)
  Re: Simple C crypto (Tom St Denis)



From: Tom St Denis [EMAIL PROTECTED]
Subject: Re: Simple C crypto
Date: Fri, 08 Jun 2001 00:56:36 GMT


Dirk Bruere [EMAIL PROTECTED] wrote in message
news:6OUT6.19530$[EMAIL PROTECTED]...

 Tom St Denis [EMAIL PROTECTED] wrote in message
 news:xITT6.52725$[EMAIL PROTECTED]...
 
   The requirement is for text comments (for example) to be written to a file
   along with data. We simply don't want people to get into the file to read
   and/or alter the text. We're not talking about professional hackers or the
   NSA, just (say) lab technicians who use the equipment. Detecting alteration
   of the text is something else.

   So, no freeware solution to such a simple problem?

  There are tons of public domain crypto tools (tools = algorithms). Whether
  you're a competent enough cryptographer to use them is another question.

 I don't have to be a competent cryptographer if someone else has done the
 work.
 I use other peoples programs to do jobs so I don't have to write them
 myself, or even know how they work. Am I supposed to be able to code .jpg
 before I can embed a picture viewer?

There is more to crypto than just using a cipher.  Just like there is more
to a codec than a library to output jpg.  However, unlike outputting a jpg,
errors in crypto can be more than just annoying.  They can be fatal errors.

For example, if you default to 0.99 quality in your JPG library that's
annoying.  If you default to 16-bit symmetric keys that's useless!

  Also if your application that you distribute can read these magically
  encoded files then so can anyone else.  This is a re-hash of the
  CSS/SDMI/etc designs.  Here's a tip, they don't work.

 The files are output from a data logger, we just don't want people casually
 changing the data.

 I rather doubt the ability and motivation of normal users to reverse
 engineer the application to determine the crypto method in order to change
 the comments in a file. If they are that keen then they will have faked the
 whole thing from start to finish. The algorithm is not in a file viewer they
 will have access to, unless, of course, they do that reverse engineering.
 They can encode a comment (if it is theirs), but not decode anything.

 All I am looking for is something that will require a few hours of work by a
 competent engineer with the right tools to break. That is the level of
 deterrence required.

The problem with this (as many and especially Schneier have pointed out)
is that it only takes ONE person to break your program ONCE.  Then it's all
downhill.  Who cares if it takes them 3 days.  Once they complete the task
ONCE they will FOREVER.

  If your application is based on secrets like passwords or what have you,
  just use a cipher like Blowfish in CTR mode to encode the files.  Alterations
  will show up in the plaintext but if you need more assurance append a hash
  of the pre-image to the plaintext.  That should stop all attacks on the
  math.  At that point it's up to physical and password security.

 Done a search on Blowfish, but could not find any code. If it's more than
 about 100 lines of C then I'm not interested. I just need a key of length N,
 and two functions

 #include "encryption.h"
 CString Encrypt( CString );
 CString Decrypt( CString );

 something as simple as that to drop into existing code.

Then don't ask here.  If you are not willing to do the job right why are you
asking others for help?

Tom
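The Encrypt/Decrypt pair Dirk asks for, written out as an added example (it is not code Tom or Dirk posted). It follows Tom's CTR-mode suggestion but replaces the "hash appended inside the encryption" idea with a keyed MAC over the ciphertext, checked before decryption, and keeps the weaker variant beside it so the difference can be tested. Assumptions for the example: SHA-256 in counter mode stands in for Blowfish so it runs with the standard library alone, the single user key is split into an encryption key and a MAC key by hashing, and the file layout is an 8-byte nonce, the ciphertext, and a 32-byte HMAC tag.

```python
"""Added example (not Tom's or Dirk's code): encrypt/decrypt with counter
mode plus a keyed MAC (encrypt-then-MAC), and the 'hash inside the
encryption' variant beside it to show what that check misses.  SHA-256 in
counter mode stands in for Blowfish; the subkey derivation and the file
layout (nonce || ciphertext || tag) are assumptions for the example."""
import hashlib
import hmac
import os
import struct
from typing import Optional

NONCE_LEN = 8
TAG_LEN = 32


def _subkeys(key: bytes):
    """Separate encryption and MAC keys from the one user key (assumed)."""
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode: block i = PRF(enc_key, nonce || i), concatenated."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(enc_key + nonce + struct.pack(">Q", counter)).digest()
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """nonce || CTR(plaintext) || HMAC(mac_key, nonce || ciphertext)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ct = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before using the ciphertext; reject on mismatch."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))


def tamper_detected(key: bytes, blob: bytes, index: int) -> bool:
    """Flip one bit of the stored file and report whether decrypt() rejects it."""
    damaged = bytearray(blob)
    damaged[index] ^= 0x01
    try:
        decrypt(key, bytes(damaged))
    except ValueError:
        return True
    return False


# --- the weaker idea from the post: hash of the plaintext, encrypted with it ---

def encrypt_inner_hash(key: bytes, plaintext: bytes, nonce: bytes) -> bytes:
    enc_key, _ = _subkeys(key)
    body = plaintext + hashlib.sha256(plaintext).digest()
    return nonce + _xor(body, _keystream(enc_key, nonce, len(body)))


def decrypt_inner_hash(key: bytes, blob: bytes) -> bytes:
    enc_key, _ = _subkeys(key)
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    body = _xor(ct, _keystream(enc_key, nonce, len(ct)))
    plaintext, digest = body[:-TAG_LEN], body[-TAG_LEN:]
    if digest != hashlib.sha256(plaintext).digest():
        raise ValueError("hash mismatch")
    return plaintext


def substitute_known_plaintext(blob: bytes, known: bytes, replacement: bytes) -> bytes:
    """Why the inner hash is not a MAC: whoever already knows the plaintext
    (the technician who typed the comment) gets the keystream as ct XOR body
    and can store a same-length replacement with its own hash, no key needed."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    keystream = _xor(ct, known + hashlib.sha256(known).digest())
    new_body = replacement + hashlib.sha256(replacement).digest()
    return nonce + _xor(new_body, keystream)
```

A real build would swap `_keystream` for Blowfish in CTR mode or use an AEAD construction, but the structure is the point: the check is keyed, it covers the ciphertext, and it runs before any plaintext is used. An unkeyed hash under the same keystream can be recomputed by anyone who knows what the file said, so it does not deter the "casual change" the logger is worried about.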



--

From: Robert J. Kolker [EMAIL PROTECTED]
Subject: Re: Alice and Bob Speak MooJoo
Date: Thu, 07 Jun 2001 20:58:33 -0400



Joseph Ashwood wrote:

 required a few years. To prove this consider the fact that a human baby
 learns to speak without having prior knowledge of any language

Babies learn their first language by ostensible 

Cryptography-Digest Digest #558

2001-06-07 Thread Digestifier

Cryptography-Digest Digest #558, Volume #14   Thu, 7 Jun 01 21:13:01 EDT

Contents:
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Simple C crypto (Dirk Bruere)
  Re: Notion of perfect secrecy (Jeffrey Walton)
  Re: Notion of perfect secrecy (Boyd Roberts)
  Re: Simple C crypto (Tom St Denis)
  Re: Notion of perfect secrecy (John Savard)
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, and Large Primes (David Wagner)
  Re: PRP = PRF (TRUNCATE) (David Wagner)
  Re: Any Informed Opinions? (Jeffrey Walton)
  Re: Medical data confidentiality on network comms (David Wagner)
  Re: PRP = PRF (TRUNCATE) (Tom St Denis)
  Re: Some questions on GSM and 3G (David Wagner)
  Re: Simple C crypto (Dirk Bruere)
  Re: DES not a group proof (David Wagner)
  Re: MD5 for random number generation? (David Wagner)
  Re: CBC variant (David Wagner)
  Re: DES not a group proof (Patrick Aland)
  Re: Simple C crypto (Joseph Ashwood)
  Re: Alice and Bob Speak MooJoo (Robert J. Kolker)



From: Tom St Denis [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: Thu, 07 Jun 2001 22:27:12 GMT


SCOTT19U.ZIP_GUY [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 [EMAIL PROTECTED] (JPeschel) wrote in
 [EMAIL PROTECTED]:

 Tim Tyler [EMAIL PROTECTED] writes, in part:
 
 If you nitpick the examples without actually attacking the basic point,
 we will only find other ones.
 
 
 Tim, we appears to only you and maybe Dave.  :-)
 
 You posted an example where you thought it was obvious that a
 two-character encrypted response meant no, and three letters meant
  yes. I pointed out that it isn't necessarily so. You might as well
 flip a coin.
 

    Off hand I would say you have not seen many proofs or tests of
  theorems. You don't understand that it is perfectly valid to define
  a system that contains 2 messages 'YES' and 'NO'. To reject it
  saying you want to do something else is irrelevant. I gave a model
  and showed zero security. I don't care if you have other models
  since it only takes one failure to prove something is wrong.

By your logic RSA is an insecure system completely since it is possible to
make and use 32-bit primes.

Just because you mis-used an OTP doesn't make the OTP non-secure.

Typically if your situation calls for a boolean you don't send the ascii
YES or ascii NO.

If you had a three letter call code you would use 3 ascii bytes.

Tom



--

From: Tom St Denis [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: Thu, 07 Jun 2001 22:29:33 GMT


Tim Tyler [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
 Tom St Denis [EMAIL PROTECTED] wrote:
 : Tim Tyler [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 : Tom St Denis [EMAIL PROTECTED] wrote:

 : : Perhaps if you defined your threat model this would make sense.  Why
in
 : : your world is knowing the length of the message a threat?
 :
 : See David's Yes/No example.

 : What 1/0? [...]

 No.  Where the attacker has a priori knowledge that the message is going
 to be either yes or no - but doesn't know which.

That's just a contrived example of how to not use an OTP.  Obviously in this
case the two messages are vastly different.

If your system calls for sending booleans send bits not ASCII words.

I mean seriously, outside of a contrived example an OTP is perfectly secure.

By this logic RSA is insecure because a naive user can make 32-bit primes,
or RC6 is insecure because you can supply 16-bit keys, or CTR mode is
insecure because you could have THEANSWERISYES and NO as texts, or BICOM
is insecure because the user could just forget to supply a key at all...
or...

Making contrived ways to break something is not only pointless but futile.
It proves nothing.

Tom



--

From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: Fri, 08 Jun 2001 00:26:38 +0200



SCOTT19U.ZIP_GUY wrote:
 
 [EMAIL PROTECTED] (Mok-Kong Shen) wrote in 3B1FBAF6.1DD02E47@t-
 online.de:
 
 
 
 SCOTT19U.ZIP_GUY wrote:
 
  [EMAIL PROTECTED] (Tim Tyler) wrote in [EMAIL PROTECTED]:
 
  Mok-Kong Shen [EMAIL PROTECTED] wrote:
  snap...
 
  To see how a particular 8 bit cyphertext could map to more than 256
  different plaintexts, just get an 8 bit cyphertext, decrypt it with
  BICOM under a number of keys.
  
  You will see *many* different plaintexts come out - not just 256.
 
Mok likes to talk but getting him to actually do anthing
  is quite impossible. He would rather say its impossible than
  actually check it out. A lot like TOMMY. Sometimes I think
  He and Tommy are not real 

Cryptography-Digest Digest #532

2001-06-06 Thread Digestifier

Cryptography-Digest Digest #532, Volume #14   Wed, 6 Jun 01 03:13:01 EDT

Contents:
  Re: Medical data confidentiality on network comms (wtshaw)
  Re: practical birthday paradox issues (Dirk Bruere)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (JPeschel)
  Bow before your new master (Brent K Kohler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: Medical data confidentiality on network comms (Richard D. Latham)
  Re: practical birthday paradox issues (Richard D. Latham)
  Re: And the FBI, too (Re: National Security Nightmare?) (Paul Crowley)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (JPeschel)
  Re: PRP = PRF (TRUNCATE) (Gregory G Rose)
  Re: Bow before your new master (Mike S.)
  Re: fast CTR like ciphers? (Scott Fluhrer)
  Re: Welcoming another Anti-Evidence Eliminator stooge to USENET (P. Dulles / AKA Loki) (Eric Lee Green)



From: [EMAIL PROTECTED] (wtshaw)
Crossposted-To: comp.security.misc
Subject: Re: Medical data confidentiality on network comms
Date: Tue, 05 Jun 2001 20:39:43 -0600

In article [EMAIL PROTECTED], Mok-Kong Shen
[EMAIL PROTECTED] wrote:

...
 An emergency doctor may need some data while the patient
 isn't in a position to give authorization and the like.
 Once he gets that, it's difficult to prevent him from
 secretly using it in illegal ways. It's basically a trust
 that the patients have in the doctors in general. Note
 also that there are other persons that help them, e.g.
 the nurses etc. It would be extremely costly to absolutely
 block the possibility of leaking information in all
 situations, if that were technically possible at all. Thus
 an ideal tight protection is infeasible in my humble view.
 There are on the other hand ethical committees of
 organizations of doctors which deal with cases where some
 of them behave in bad ways. That takes care of the issues
 like the one you mentioned about publishing, if I don't err.
 
 M. K. Shen

Patients should support ethical doctors as well.  While it is difficult
for them to openly punish those that aren't, with better communications,
those tempted to be up to no good should fear people finding out who did
what to whom and when.
-- 
Sign for the White House lawn: 

WARNING! Irresponsible Parents Live Here.

--

From: Dirk Bruere [EMAIL PROTECTED]
Subject: Re: practical birthday paradox issues
Date: Mon, 4 Jun 2001 03:58:18 +0100


Tim Tyler [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
 Scott Fluhrer [EMAIL PROTECTED] wrote:

 [finding birthday collisions]

 : But, you say, isn't doing all that infeasible?  Yes, at current
technology,
 : it is, and that is why NSA settled for 160 bits output for SHA-1...

 If the same rationale applies to SHA-256, SHA-384 and SHA-512
 [http://csrc.nist.gov/cryptval/shs.html] I fear there may have
 been some hardware breakthroughs behind closed doors ;-)

One might make a guess at h/w capability given that the old WW2 custom
electromech system was roughly as powerful as a Pentium 100MHz.

Dirk



--

From: [EMAIL PROTECTED] (JPeschel)
Date: 06 Jun 2001 03:16:23 GMT
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)

Tim Tyler [EMAIL PROTECTED] writes, in part:

JPeschel [EMAIL PROTECTED] wrote:
: Tim Tyler [EMAIL PROTECTED] writes, in part:

:OTPs do *not* have perfect secrecy if messages can be of varying lengths
:and the plaintexts and cyphertexts are of equal lengths.

: I don't follow this. It sounds as if you are re-defining an OTP.

What don't you follow about it?

I'm talking about a system involving a one-time random key stream, XORing
it with the plaintext, and producing a cyphertext the same length as
the plaintext.

That's an OTP and its secrecy is perfect.

I am claiming that the result does not have perfect secrecy - assuming a
reasonable space of variable length files as possible messages.

What you've written immediately above suggests an additional property
for an OTP that leads me to believe you are re-defining OTPs.

This is the system Tom is calling a OTP.  He uses it by analogy with CTR
mode to claim that CTR mode is proven secure with small plaintexts.

Tom, I think, was using the accepted definition.

I don't much mind what name is given to the system I described.
I'm not trying to redefine anything.
-- 

Names are important; otherwise no one will have a clue what you're talking
about.
If you insist upon an additional property that an OTP must possess, you
are re-defining it, and I am not sure why, or to what purpose.

Joe
__

Joe Peschel 
D.O.E. SysWorks 
http://members.aol.com/jpeschel/index.htm
__


--

From: Brent K Kohler [EMAIL PROTECTED]
Subject: Bow before your new 

Cryptography-Digest Digest #533

2001-06-06 Thread Digestifier

Cryptography-Digest Digest #533, Volume #14   Wed, 6 Jun 01 09:13:01 EDT

Contents:
  Re: function notation (injection, bijection, etc..) one last time (Mok-Kong Shen)
  Re: function notation (injection, bijection, etc..) one last time (Mok-Kong Shen)
  Re: Def'n of bijection (Tim Tyler)
  Re: Bow before your new master (Paul Burke)
  Re: Def'n of bijection (Tim Tyler)
  cheksum on keyfile (Gisli Sigurdsson)
  Re: CTR mode, BICOM, and hiding plaintext length (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mark Wooding)
  Re: fast CTR like ciphers? (Tom St Denis)
  Re: function notation (injection, bijection, etc..) one last time (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mark Wooding)
  Re: cheksum on keyfile (Mats Kindahl)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: Def'n of bijection (Tim Tyler)
  Re: Bow before your new master (Robert Strand)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)



From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: function notation (injection, bijection, etc..) one last time
Date: Wed, 06 Jun 2001 09:44:14 +0200



Tom St Denis wrote:
 
 It seems each time I ask people feud over terminology.
 
 Let me try again :-)
[snip]

Please don't misunderstand me but I think that for such
questions it is best to consult a textbook on algebra.
You would certainly find plenty of them in your local
library. The one that I happen to have at hand and I
find to be quite good is:

L. E. Sieger, Algebra. Springer-Verlag.

M. K. Shen

--

From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: function notation (injection, bijection, etc..) one last time
Date: Wed, 06 Jun 2001 09:57:46 +0200



Mok-Kong Shen wrote:
 
 L. E. Sieger, Algebra. Springer-Verlag.

Shame, I often make typos. The name is Sigler.

M. K. Shen

--

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Def'n of bijection
Reply-To: [EMAIL PROTECTED]
Date: Wed, 6 Jun 2001 08:13:06 GMT

[EMAIL PROTECTED] wrote:
: Tim Tyler [EMAIL PROTECTED] writes:
: [EMAIL PROTECTED] wrote:

:: In other words, you are hoping that false positives are more likely.

[...]

:: ...some result in that direction is needed for BICOM to provide
:: any benefit at all. You don't seem to realize that any such result
:: is needed.
: 
: This result seems unnecessary to me because I see it as being
: rather obvious.

: Ah! It's true, because it's obvious! Why didn't I see that before!

Well, it's obvious to *me*.  I accept that doesn't necessarily mean that
it's obvious to everyone else.  Thus my explanations.

: This issue is *central* to any claims of increased security for BICOM.

Note that it applies to any compression program, not just BICOM.

: Therefore, it needs proof, not handwaving.

: And the idea doesn't even ``seem'' obvious, because of one fact you
: keep ignoring: even if BICOM gives a bijection of binary files to
: itself, almost all preimages under BICOM are not in fact plausible
: messages.

Well, if they were it would be really, really obvious - rather than just
obvious.

: There is no a priori reason to believe that potential decrypts will be
: rich in plausible messages; [...]

...except for the fact that compression makes target files smaller, while
increasing the lengths of other files, thus making their density at
small output sizes greater.

: indeed it seems rather unlikely.

Well, to *you*, maybe.

: You seem to accept already that an optimal compressor is likely to
: make rejecting keys practically impossible. [...]

: No I don't, because it's completely false.

:-(

: It might sometimes prove true, but only by coincidence: if the quantity
: of encrypted information turns out to be close to the quantity of key
: material, then security may be very high.

You can use a three bit key and compress huge files.  If all
decompressions look like plausible messages it will be hard
for an attacker to tell which one was intended.
-- 
__
 |im |yler  http://rockz.co.uk/  http://alife.co.uk/  http://atoms.org.uk/

--

From: Paul Burke [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Crossposted-To: 
alt.drugs.pot,sci.electronics.design,sci.electronics.repair,sci.environment
Subject: Re: Bow before your new master
Date: Wed, 06 Jun 2001 08:23:22 +

Mike S. wrote:

 if you take into account the on-purpose attempts at sounding
 redneck and inflaming readers.  

I for one am against discrimination based on neck colour. Smash
cervicism!

Paul Burke

--

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Def'n of bijection
Reply-To: [EMAIL PROTECTED]
Date: 

Cryptography-Digest Digest #534

2001-06-06 Thread Digestifier

Cryptography-Digest Digest #534, Volume #14   Wed, 6 Jun 01 10:13:01 EDT

Contents:
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: PRP = PRF (TRUNCATE) (Nicol So)
  Re: PRP = PRF (TRUNCATE) (Nicol So)
  Re: function notation (injection, bijection, etc..) one last time ([EMAIL PROTECTED])
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Def'n of bijection (Mok-Kong Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) ([EMAIL PROTECTED])
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Welcoming another Anti-Evidence Eliminator stooge to USENET  (P.(John Myre)
  Re: Are RS codes a type of PRF? (Niels Ferguson)



From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Reply-To: [EMAIL PROTECTED]
Date: Wed, 6 Jun 2001 12:32:18 GMT

Tom St Denis [EMAIL PROTECTED] wrote:
: SCOTT19U.ZIP_GUY [EMAIL PROTECTED] wrote in message
: [EMAIL PROTECTED] (Tom St Denis) wrote in
: SCOTT19U.ZIP_GUY [EMAIL PROTECTED] wrote in message

:   Tell what little get a third party to encrypt using your ctr
: mod a one cipher text output file. I will guess the input. I may
: be wrong. Then you get to guess the input to a one byte output
: file encrypted with BICOM. If you miss I guess again. And we
: keep doing this till one gets it right. I am willing to put
: a thousand bucks on this. On second thought you go first.
: Do you feel secure enough to really bet. I doubt it.

: As long as all messages are uniformly probable you win. [...]

: It's still uniformly distributed... so again I win.

So, would you like to take that bet?  Or not?
-- 
__
 |im |yler  [EMAIL PROTECTED]  Home page: http://alife.co.uk/tim/

--

From: Nicol So [EMAIL PROTECTED]
Subject: Re: PRP = PRF (TRUNCATE)
Date: Wed, 06 Jun 2001 08:48:12 -0400
Reply-To: see.signature

Gregory G Rose wrote:
 
 A PRP (by definition) produces every output value
 in its range once, and only once, if you enumerate
 the possible inputs. Now ignore for a moment that
 a PRF need not have a restricted domain, and
 assume the same set of 2^N inputs (N-bit inputs
 and outputs). Then *on average* each output
 appears once. But if the PRF is for real,
 approximately 1/e of the outputs won't appear at
 all, and some will appear multiple times. (If I
 recall correctly, the number of occurrences of a
 particular value is poisson distributed, but don't
 hold me to that...)
 
 This difference still applies as you truncate the
 output of a PRP. For example, take the silly case
 where you just drop one bit. Now each output value
 appears exactly twice for a PRP, and on average
 twice for a PRF, but sometimes *more* than twice.
 As soon as you notice a value appear three times,
 you know that it was a truncated PRF. Conversely,
 based on the expected distribution of outputs,
 when you have enough inputs and have *not* seen a
 distribution anomaly, you know you were truncating
 a PRP, not a PRF.

What you said is true, but it doesn't mean that you can efficiently tell
whether a truncated PRF is a truncated PRP. If that were possible, you
could turn it into an efficient test for telling whether a PRF is a PRP. 

As you scale up the scheme, it will be more and more difficult to detect
the statistical anomaly caused by collisions in a non-PRF PRP.
Asymptotically, no efficient computer can tell whether a PRF is a PRP
significantly better than blind guessing.

-- 
Nicol So, CISSP // paranoid 'at' engineer 'dot' com
Disclaimer: Views expressed here are casual comments and should
not be relied upon as the basis for decisions of consequence.
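The multiplicity argument in Gregory Rose's post and Nicol So's reply about when it can actually be observed, as an added example (not code from either poster). It builds a random permutation and a random function on 8-bit inputs as stand-ins for an ideal PRP and PRF, truncates the output by dropping low bits, and counts how often each truncated value appears, first over the whole domain and then over a limited number of queries; the tables, seeds and query counts are constructed for the illustration.

```python
"""Added example (not from the thread): output multiplicities of a random
permutation versus a random function after truncation, to show the signal
Gregory Rose describes and why it needs most of the domain to be queried.
Tables are built with seeded random numbers as stand-ins for an ideal PRP/PRF."""
import random
from collections import Counter


def random_permutation(n_bits, seed):
    """Lookup table standing in for an ideal PRP on n-bit inputs (constructed)."""
    table = list(range(1 << n_bits))
    random.Random(seed).shuffle(table)
    return table


def random_function(n_bits, seed):
    """Lookup table standing in for an ideal PRF, n-bit inputs and outputs."""
    rng = random.Random(seed)
    return [rng.randrange(1 << n_bits) for _ in range(1 << n_bits)]


def truncated_counts(table, drop_bits, inputs=None):
    """How often each truncated output value occurs over the queried inputs.
    Truncation drops the low drop_bits bits of every output."""
    if inputs is None:
        inputs = range(len(table))
    return Counter(table[x] >> drop_bits for x in inputs)


def max_multiplicity(table, drop_bits, inputs=None):
    return max(truncated_counts(table, drop_bits, inputs).values())


def fraction_never_output(table):
    """Rose's 1/e: the share of the range a random function never hits
    when the whole domain is enumerated.  A permutation gives 0."""
    return 1 - len(set(table)) / len(table)


def is_consistent_with_truncated_prp(table, drop_bits, inputs=None):
    """Over the whole domain a truncated PRP gives every value exactly
    2**drop_bits times; any other multiplicity rules a permutation out."""
    counts = truncated_counts(table, drop_bits, inputs)
    return all(c == (1 << drop_bits) for c in counts.values())


def sees_excess_collision(table, drop_bits, n_queries, seed):
    """Nicol So's point: with only n_queries distinct inputs the tell-tale
    value seen more than 2**drop_bits times is rarely observed until the
    query count approaches the domain size, so the test is not efficient."""
    rng = random.Random(seed)
    queried = rng.sample(range(len(table)), n_queries)
    return max_multiplicity(table, drop_bits, queried) > (1 << drop_bits)


if __name__ == "__main__":
    prp, prf = random_permutation(8, 1), random_function(8, 1)
    for label, t in (("PRP", prp), ("PRF", prf)):
        print(label, "max multiplicity after dropping 1 bit:",
              max_multiplicity(t, 1), "never-output fraction:",
              round(fraction_never_output(t), 3))
    for q in (16, 64, 256):
        print("PRF, %3d queries, excess collision seen:" % q,
              sees_excess_collision(prf, 1, q, 2))
```

Run on the full 256-entry domain the two tables are trivially told apart; run with a handful of queries the truncated PRF looks exactly like a truncated PRP, which is the scaling argument in the reply: for real block sizes the number of queries needed to see an excess collision is out of reach.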

--

From: Nicol So [EMAIL PROTECTED]
Subject: Re: PRP = PRF (TRUNCATE)
Date: Wed, 06 Jun 2001 08:51:58 -0400
Reply-To: see.signature

Nicol So wrote:
 
 What you said is true, but it doesn't mean that you can efficiently tell
 whether a truncated PRF is a truncated PRP. If that were possible, you
 could turn it into an efficient test for telling whether a PRF is a PRP.
 
 As you scale up the scheme, it will be more and more difficult to detect
 the statistical anomaly caused by collisions in a non-PRF PRP.
^^^

Typo. What I meant was a PRF which is not a permutation.

 Asymptotically, no efficient computer can tell whether a PRF is a PRP
 significantly better than blind guessing.
 
 --
 Nicol So, CISSP // paranoid 'at' engineer 'dot' com
 Disclaimer: Views expressed here are casual comments and should
 not be relied upon as the basis for decisions of 

Cryptography-Digest Digest #535

2001-06-06 Thread Digestifier

Cryptography-Digest Digest #535, Volume #14   Wed, 6 Jun 01 12:13:01 EDT

Contents:
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, and Large Primes (Bob Silverman)
  Re: Def'n of bijection (Tim Tyler)
  Re: Definition of 'key' (Bob Silverman)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Brute-forcing RC4 (S Degen)
  Re: fast CTR like ciphers? (Tim Tyler)
  Re: fast CTR like ciphers? (Volker Hetzer)
  Factoring via BBS cycle length (Tom St Denis)
  Re: Brute-forcing RC4 (Ichinin)
  Re: Def'n of bijection (Mok-Kong Shen)
  Re: fast CTR like ciphers? (Tim Tyler)
  Re: Medical data confidentiality on network comms (Barry Margolin)
  Re: Def'n of bijection (Douglas A. Gwyn)
  Re: Def'n of bijection (Douglas A. Gwyn)
  Re: Def'n of bijection (Douglas A. Gwyn)
  Re: Def'n of bijection (Douglas A. Gwyn)
  Re: function notation (injection, bijection, etc..) one last time (Robert J. Kolker)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Medical data confidentiality on network comms (Mok-Kong Shen)
  Re: Def'n of bijection ([EMAIL PROTECTED])



From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: 6 Jun 2001 14:07:27 GMT

[EMAIL PROTECTED] (Mok-Kong Shen) wrote in 3B1E3235.89950379@t-
online.de:



SCOTT19U.ZIP_GUY wrote:
 
[snip]
   If the definition is true, then for the set of messages to be
 encrypted, the key has to be as long as the longest message.
 If a shorter cipher text is sent then you have learned that the
 longest message was not sent. That is information about the secret
 message. It violates Shannon's definition.

I have a dumb question: If I have a short message to 
send and the key is longer, what should I do? Need I 
pad it to the length of the key and send that longer
stuff? Thanks.

M. K. Shen


  It's not a dumb question. Most of the time you don't
need perfect security.  But if you have a wide mix
of messages I would try to pad in a bijective way to
some minimum size. However being secure and perfectly
secure are two different things. And in general if you
have a short message less than the key it most likely
can't be solved for.  All that may be required for safety
is that many keys lead to a false solution. All perfect
security really does is give zero information. But just
like an OTP is not practical in most cases, sending long
encrypted messages is not practical either. It is just
something to think about. For example if you're encrypting
an answer to a yes/no question someone asked, and it
is known you will answer yes or no, it would be foolish
to use something as weak as AES in CTR mode where file length
does not change, since the attacker would know XQ is no
while RTG is yes.

David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE OLD VERSION
http://www.jim.com/jamesd/Kong/scott19u.zip
My website http://members.nbci.com/ecil/index.htm
My crypto code http://radiusnet.net/crypto/archive/scott/
MY Compression Page http://members.nbci.com/ecil/compress.htm
**NOTE FOR EMAIL drop the roman five ***
Disclaimer:I am in no way responsible for any of the statements
 made in the above text. For all I know I might be drugged or
 something..
 No I'm not paranoid. You all think I'm paranoid, don't you!
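Tim Tyler's claim earlier in these digests (a length-preserving pad over variable-length messages does not have perfect secrecy) and Scott's answer to Mok-Kong Shen above (pad to a frame, and the key must then be as long as the longest framed message) are the same point seen from two sides. The added example below, not code from any of the posters, makes it measurable: it computes, for a uniform prior over a message space, how many bits the ciphertext length alone reveals, with and without a fixed-size frame. The YES/NO space, the frame format (length byte plus zero fill) and the pads are constructed for the illustration.

```python
"""Added example (not from the thread): what the ciphertext length of a
length-preserving one-time pad gives away about a variable-length message
space, and what padding every message to one frame before XORing does about
it.  Message spaces, frame format and pads are constructed for the example."""
import math
from collections import defaultdict


def identity_frame(msg: bytes) -> bytes:
    """No padding: ciphertext length equals plaintext length (the system
    Tim Tyler describes)."""
    return msg


def fixed_length_frame(size: int):
    """Pad every message to one frame: length byte + message + zero fill.
    The pad must then be at least size + 1 bytes, i.e. as long as the
    longest framed message, which is the condition in Scott's post."""
    if size > 255:
        raise ValueError("one length byte only covers frames up to 255")

    def frame(msg: bytes) -> bytes:
        if len(msg) > size:
            raise ValueError("message does not fit the frame")
        return bytes([len(msg)]) + msg + b"\x00" * (size - len(msg))
    return frame


def unframe(framed: bytes) -> bytes:
    """Inverse of fixed_length_frame: read the length byte, drop the fill."""
    return framed[1:1 + framed[0]]


def otp_encrypt(framed: bytes, pad: bytes) -> bytes:
    """XOR with a pad at least as long as the framed message (also decrypts)."""
    if len(pad) < len(framed):
        raise ValueError("pad shorter than message")
    return bytes(m ^ k for m, k in zip(framed, pad))


def consistent_messages(ct_len: int, space, frame):
    """Everything the attacker cannot rule out after seeing only the length."""
    return sorted(m for m in space if len(frame(m)) == ct_len)


def leaked_bits(space, frame) -> float:
    """Mutual information between message and ciphertext length for a uniform
    prior: H(M) - H(M | length).  0.0 means the length channel is closed,
    which is what perfect secrecy requires of it."""
    by_len = defaultdict(int)
    for m in space:
        by_len[len(frame(m))] += 1
    n = len(space)
    h_m = math.log2(n)
    h_m_given_len = sum(c / n * math.log2(c) for c in by_len.values())
    return h_m - h_m_given_len


if __name__ == "__main__":
    space = [b"YES", b"NO"]
    print("unpadded, length reveals:", leaked_bits(space, identity_frame), "bit")
    print("framed to 3 bytes, length reveals:",
          leaked_bits(space, fixed_length_frame(3)), "bit")
    # A wider constructed space: every message of 1..4 bytes over a 2-letter
    # alphabet, so longer messages are more numerous, as with real files.
    wide = [bytes(w) for n in range(1, 5)
            for w in __import__("itertools").product(b"ab", repeat=n)]
    print("30-message space, unpadded:", round(leaked_bits(wide, identity_frame), 3),
          "bits; framed:", leaked_bits(wide, fixed_length_frame(4)))
```

The framed version is not free: every ciphertext is as long as the longest allowed message, and so is the pad consumed, which is exactly the trade Scott describes as impractical in most cases. The function `leaked_bits` is a general measurement, so it also quantifies partial remedies such as padding to a small set of bucket sizes rather than one frame.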


--

From: [EMAIL PROTECTED] (Bob Silverman)
Subject: Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, and Large Primes
Date: 6 Jun 2001 07:10:53 -0700

Tom St Denis [EMAIL PROTECTED] wrote in message 
news:XRcT6.38998$[EMAIL PROTECTED]...
 sisi jojo [EMAIL PROTECTED] wrote in message
 news:[EMAIL PROTECTED]...
  Joseph Ashwood [EMAIL PROTECTED] wrote in message
  news:ebvtZ6S7AHA.201@cpmsnbbsa09..
 
  I don't have much time to write long messages today. But here's my answer
 
  Maybe the approach is wrong. That's why nobody can solve it.
 
  You go through years of education to learn the wrong approach, which is
  proven to be not useful. That's something funny about our education
  system.
 
  If you want a problem to be solved, show it to a kid and let him develop
  an answer fresh from the beginning.

Replying to sisijojo:

You need a certain minimal background and mathematical maturity before
tackling hard problems.  You need experience in knowing what works and
what doesn't work. The idea that some naive kid will pop out of nowhere
and solve a hard problem BECAUSE HE HAS NOT LEARNED THE WRONG APPROACH
is ludicrous. 

It also takes sophistication to know when elementary approaches to a problem
can never work.  For example, consider attempts (by amateurs) to prove FLT
by considering the equation mod p, for one or more primes p, then attempting
to draw conclusions about the equation over Q from deductions about the
equation mod 

Cryptography-Digest Digest #536

2001-06-06 Thread Digestifier

Cryptography-Digest Digest #536, Volume #14   Wed, 6 Jun 01 14:13:01 EDT

Contents:
  AES question (ajd)
  Re: function notation (injection, bijection, etc..) one last time (Douglas A. Gwyn)
  Re: Def'n of bijection (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: AES question (Mok-Kong Shen)
  Re: Def'n of bijection (Douglas A. Gwyn)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Def'n of bijection (Mok-Kong Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Knapsack security??? Ahhuh (Al)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Factoring via BBS cycle length (Anton Stiglic)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: practical birthday paradox issues (Dirk Bruere)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)



From: ajd [EMAIL PROTECTED]
Subject: AES question
Date: Wed, 6 Jun 2001 17:14:47 +0100


Hi All,

I was wondering about the algorithms that were nominated for the Advanced
Encryption Standard. It seems obvious that Rijndael will be used a lot as it
is the replacement for 3DES, but what about the other finalists? Does anyone
know of any companies using TwoFish, RC6, Mars, or Serpent in products?
Would they be used in addition to or instead of the older algorithms like
IDEA, RC4, RC5 etc.?

thanks
andrew



--

From: Douglas A. Gwyn [EMAIL PROTECTED]
Subject: Re: function notation (injection, bijection, etc..) one last time
Date: Wed, 6 Jun 2001 15:55:53 GMT

[EMAIL PROTECTED] wrote:
 No offense, but these are the first terms a person *ever* learns when
 studying about functions. Their definitions are *not* subject to debate,
 and they are almost always stated in exactly the same way. ...

Len gave a nice summary of the standard definitions.

Part of the problem seems to be that *learning* requires more than
mere memorization of standard definitions.  For example, the standard
approach is unnecessarily asymmetric in use of A and B; a more general
development would define a relation as a specific set of ordered
pairs (a,b) with a in A and b in B, and a function as a relation that
has additional constraints; with such an approach, A would not be the
domain of the function, but the analogue in the input set of the
concept of codomain, i.e. a set that contains the domain.  Definitions
would have to be adjusted to fit this new model, and the fact that the
domain and codomain were not analogous would be worrisome.  The
standard definitions evolved from originally less precise usage, and
exploring the history would show where the emphasis on certain aspects
came from.

   ... I believe that ``dual'' here really means ``dual'' in
   a category-theoretic sense, but it's been too long; ...

I think it's right.  Diagrams somewhat like those used in category
theory often help the student to understand these concepts.  It is
particularly useful to draw the sets as clouds and mark limits of
(simply connected) subsets, with arrows showing the mapping action
of the function from one cloud to another.  (Note: the inhabitants
of separate clouds come from different planets and speak totally
different languages.)  I would hope that there are textbooks that
do a good job of this, but from my experience with current public
education in math I have my doubts.

--

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Def'n of bijection
Reply-To: [EMAIL PROTECTED]
Date: Wed, 6 Jun 2001 16:16:43 GMT

Douglas A. Gwyn [EMAIL PROTECTED] wrote:
: [EMAIL PROTECTED] wrote:

: And the idea doesn't even ``seem'' obvious, because of one fact you
: keep ignoring: even if BICOM gives a bijection of binary files to
: itself, almost all preimages under BICOM are not in fact plausible
: messages. There is no a priori reason to believe that potential
: decrypts will be rich in plausible messages; indeed it seems rather
: unlikely.

: It *is* unlikely. [...]

However there are *excellent* reasons for thinking that potential decrypts
will be richer in plausible messages than they would be if compression had
not been employed.  That is what was actually claimed.

Compression *increases* the probability that decrypting will yield a
plausible looking message.

The messages that the compressor compresses will get smaller,
while other files are made larger.  As a direct consequence of 
this, the proportion of files of any given size that decompress to
plausible-looking messages increases.

This assumes that the plausible messages are in the set that the
compressor compresses, of course.  If this is not true, then the
compressor would be better described as an expander.

:  General-purpose compressors don't
: prefer one possible plaintext over another.

They compress some sorts 

Cryptography-Digest Digest #537

2001-06-06 Thread Digestifier

Cryptography-Digest Digest #537, Volume #14   Wed, 6 Jun 01 17:13:01 EDT

Contents:
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: AES question (Tom McCune)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: AES question (Joseph Ashwood)
  Re: AES question (Mok-Kong Shen)
  Re: Def'n of bijection ([EMAIL PROTECTED])
  Re: Def'n of bijection (Mok-Kong Shen)
  Re: Def'n of bijection ([EMAIL PROTECTED])
  Re: And the FBI, too (Re: National Security Nightmare?) (Matthew Montchalin)
  Re: Def'n of bijection (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Def'n of bijection (John Myre)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Def'n of bijection ([EMAIL PROTECTED])
  Re: Def'n of bijection (SCOTT19U.ZIP_GUY)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) ([EMAIL PROTECTED])
  Re: RSA's new Factoring Challenges: $200,000 prize. (my be repeat) (Michael Brown)



From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: Wed, 06 Jun 2001 20:25:50 +0200



Tim Tyler wrote:
 
 Mok-Kong Shen [EMAIL PROTECTED] wrote:
 : Tim Tyler wrote:
 : Mok-Kong Shen [EMAIL PROTECTED] wrote:
 
 : : You probably question whether such usage leads to
 : : Shannon's perfect security which, as you said, is claimed
 : : to be a property of OTP. However, I don't see where in the
 : : literature about OTP (in connection with perfect security)
 : : the length enters into the argumentation, i.e. plays a role
 : : in the proof.
 :
 : I also think that it's not mentioned.  I believe it is common to
 : consider the domain where all plaintexts are the same length -
 : perhaps in order to get the perfect secrecy result.
 :
 : : My memory of Shannon's paper is no good, but I don't think that he
 : : considered the length of the messages.
 :
 : I don't think it was mentioned either - all the messages were the same
 : length in the system in question.
 
 : From what you said, I don't think it is valid to consider
 : that the constant length of messages underlies the
 : proof of Shannon (unless one can demonstrate the
 : contrary).
 
 Without such an assumption, there's no proof of perfect secrecy,
 because the system doesn't exhibit it.

My admittedly now poor memory of Shannon's argument is
roughly the following: Given a message of n bits. If
it is xored with a perfect random source, then each
of the possible 2^n sequences could result as ciphertext.
Hence the a-posteriori probability of (the content)
of the message is the same as its a-priori probability.
Now this is general for 'any' n. It certainly has no
implication to the effect that, after sending a message
of a certain length, the next following message should
have the same n. Otherwise, given an OTP sequence of
m bits (m can usually be very large), one could have
asked the question of which size (particular, fixed,
constant n) of messages one is allowed to send with
that resource in order that the perfect security 
according to Shannon could be achieved, an issue which 
seems to be apparently absurd.

M. K. Shen

--

From: Tom McCune [EMAIL PROTECTED]
Subject: Re: AES question
Date: Wed, 06 Jun 2001 18:36:39 GMT

In article 3b1e561c$[EMAIL PROTECTED], ajd [EMAIL PROTECTED] wrote:

Hi All,

I was wondering about the algorithms that were nominated for the Advanced
Encryption Standard. It seems obvious that Rijndael will be used a lot as it
is the replacement for 3DES, but what about the other finalists? Does anyone
know of any companies using TwoFish, RC6, Mars, or Serpent in products?
Would they be used in addition to or instead of the older algorithms like
IDEA, RC4, RC5 etc.?

The current PGP versions (7.0.1 and above) include AES and Twofish (both 256 
bit), and also retain usage of IDEA, CAST5, and Triple DES.

Tom McCune
My PGP Page  FAQ: http://www.McCune.cc

--

From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: Wed, 06 Jun 2001 20:37:54 +0200



Tim Tyler wrote:
 
 Tim Tyler [EMAIL PROTECTED] wrote:
 : Mok-Kong Shen [EMAIL PROTECTED] wrote:
 
 : : From what you said, I don't think it is valid to consider
 : : that the constant length of messages underlies the
 : : proof of Shannon (unless one can demonstrate the
 : : contrary).
 
 : Without such an assumption, there's no proof of perfect secrecy,
 : because the system doesn't exhibit it.
 
 I looked up what Bruce Schneier has to say about perfect secrecy in
 A.C.
 
 He 

Cryptography-Digest Digest #538

2001-06-06 Thread Digestifier

Cryptography-Digest Digest #538, Volume #14   Wed, 6 Jun 01 18:13:00 EDT

Contents:
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Factoring via BBS cycle length (Tom St Denis)
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, and Large Primes (Tom St Denis)
  Re: Def'n of bijection (SCOTT19U.ZIP_GUY)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: Def'n of bijection (SCOTT19U.ZIP_GUY)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Def'n of bijection (SCOTT19U.ZIP_GUY)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (JPeschel)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)



From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Reply-To: [EMAIL PROTECTED]
Date: Wed, 6 Jun 2001 20:45:49 GMT

To illustrate my point, here's a system that does better at concealing
information about the plaintext from an attacker with cyphertext and
full knowledge of the algorithm employed than a conventional
One Time Pad manages.

Convert the plaintext from an 8-bit granular file to a 64-bit granular
file using one of David's bijections between these sets.

Then encrypt with a conventional OTP.

The result is much the same - except that many plaintexts that were
previously distinguishable on length grounds are now effectively
indistinguishable.

Given a cyphertext representing a particular plaintext, the attacker's
uncertainty about the possible plaintexts increases, as the file length
will (typically) increase, and thus so will the length of the key.

Would anyone still refer to a One Time Pad as offering
perfect protection of one's secrets after reading this?
-- 
__
 |im |yler  [EMAIL PROTECTED]  Home page: http://alife.co.uk/tim/

--

From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: Wed, 06 Jun 2001 22:54:41 +0200



Tim Tyler wrote:
 

 ...but why only consider the possible messages of size 2^n?
 This is a tiny subset of the messages that could have been transmitted.
 
 The obvious answer is that we can eliminate most messages on a-priori
 grounds, since we have the cyphertext and we know that it is an OTP
 encryption.  However, this is highly undesirable - based on a simple
 examination of the cyphertext, we can reject loads of possible messages.

I don't understand. A given ciphertext has a certain size,
say n bits. The number of all possible (different)
informations that could be transmitted from the sender 
to the receiver with that is limited by 2^n. And with an 
OTP one can in fact securely transmit any one of these
possible messages. Or am I missing something?

 
 : Hence these are equal. Thus the opponent gains no information.
 
 The opponent has gained the information that the plaintext is
 of length n.  Just by looking at the cyphertext, this was not
 known.  As soon as the cryptomechanism is revealed as well,
 huge numbers of possible plaintexts can be rejected.

What is that information that he can gain from the fact
that the plaintext is of length n in the general case
(excepting contrived ones)? Can he know a single bit of 
the plaintext from that?

M. K. Shen

--

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: 6 Jun 2001 20:44:48 GMT

[EMAIL PROTECTED] (Tim Tyler) wrote in [EMAIL PROTECTED]:


I looked up what Bruce Schneier has to say about perfect secrecy in
A.C.

He says this:

``There is such a thing as a cryptosystem that achieves perfect secrecy:
  a cryptosystem in which the cyphertext yields no possible information
  about the plaintext (except possibly its length).''

He goes on to give Shannon's theory that perfect secrecy is only
possible if the number of possible keys in the cryptosystem is equal to
the number of possible messages.

IMO, Shannon has it right - while Bruce seems a bit uncertain about
whether the length is included or not.


   No wonder people are confused. Shannon was an expert and then
Mr BS comes along and due to his lack of knowledge. At least to
the level of Shannon he types it wrong and then others get 

Cryptography-Digest Digest #541

2001-06-06 Thread Digestifier

Cryptography-Digest Digest #541, Volume #14   Wed, 6 Jun 01 19:13:01 EDT

Contents:
  Crypto Survey May 2001 by Markku J. Saarelainen (Mark J S)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (JPeschel)



From: [EMAIL PROTECTED] (Mark J S)
Subject: Crypto Survey May 2001 by Markku J. Saarelainen
Date: 6 Jun 2001 15:57:58 -0700



CRYPTO SURVEY MAY 2001

Cryptographic Survey, May 2001, Markku J. Saarelainen

Email: [EMAIL PROTECTED]

 

A SUMMARY CONCLUSION: 

The major societal development since the 1st and 2nd crypto surveys in
1996 and 1997 has been the removal of many regulatory barriers for
open trading of cryptographic products in North America and
globally. In addition, the number of cryptographic applications and
component implementations has increased, while at the same time the
variety of different types of solutions has risen. This does not
necessarily mean the wider use of encryption in businesses and
personal activities. Many same or similar behavioral barriers for the
effective utilization of many security solutions still exist limiting
the protection of communications, data storage and networking. In
addition, the lack of the interoperability between solutions from
different suppliers tends to decrease the number of effective
cryptography users worldwide. It is clear that the awareness for
encrypted communication and protected information activities has
increased, while necessary regulatory changes for protecting entities
from security vulnerabilities have enabled cryptographic product
suppliers to satisfy market requirements in the U.S.A., in North
America and globally. However, regulatory and cultural differences
exist from one nation or region to another creating a global
unbalanced situation of the security use, which has a reducing
effect on security practices and policy implementations of any global
entity in different regions. This impacts on the interoperability of
units of global entities. It is likely that there shall be greater
competing drives in the information technology marketplace between
different security strategies and approaches from different software
and hardware product and security suppliers.


QUESTION 1. In your opinion, what are the 5-10 most significant
applications of encryption technologies currently in commercial
enterprises?


1. HTTP over SSL (aka HTTPS) / SSL for credit card processing / SSL /
Web-activity privacy (SSL)
2. IPsec
3. RSA Secure ID (maybe)
4. Online Credit Card Processing  Financial Transfers
5. VPNs / Virtual Private Networks for widely distributed offices /
VPN for remote access to Intranet
6. Email encryption (via PGP/GPG or SMIME) / Encrypted Messages /
Email Privacy
7. Digital signing authentication of messages
8. Consensus and voting software (not now but give it 5 years)
9. Encrypted file systems for sensitive data
10. Signing software for installation
11. Signing email messages to show official authority
12. Wireless local area network encryption
13. Password protection/access control
14. Data protection
15. Session protection (VPN's)
16. Authentication and authorization / Customer authentication (e.g.
PIN checking)
17. Securing B2B file exchange
18. PKI
19. Remote secure teleworking
20. Digital signatures
21. Time-stamping


QUESTION 2. In your opinion, what are 5-10 main barriers currently
that may prevent the successful implementation and utilization
of encryption technologies in commercial enterprises? 


1. Ignorance of risks prevents purchase
2. Dishonest portrayal of product (i.e.: false security claims and
blatant product holes in end-to-end protection) promotes distrust in
the whole industry
3. Most products are a waste of time because they are not a
comprehensive solution - e.g.: why bother using PGP when there is
nothing in any NAI products to protect against back-office-style
electronic eavesdropping attacks?
4. Many people do not care about cryptography and/or security products
5. Having lived happily without serious protection for a long while,
most customers believe there is no point retrofitting an expensive
solution for a problem they do not have (and many of them are probably
right...)
6. Lack of knowledge by decision-maker
7. Low knowledge level of users
8. Lack of knowledge by computer scientists
9. Lack of complete standards (S/MIME to be extended, ...)
10. Cost
11. It is too hard to use / complexity / Not transparent enough and
made user hard to use.
12. Difficult and complex 

Cryptography-Digest Digest #540

2001-06-06 Thread Digestifier

Cryptography-Digest Digest #540, Volume #14   Wed, 6 Jun 01 19:13:01 EDT

Contents:
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)



From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: Thu, 07 Jun 2001 00:43:54 +0200



SCOTT19U.ZIP_GUY wrote:
 

Well it can leak information. I thought I gave the
 example that you never answered. Suppose someone asks
 you a question of the type where you are known to
 answer yes or no. ( It's a made up example, you
 really can't answer yes or no to anything, just go with
 it for a minute). You could encrypt with a TOMMY style
 OTP and send QW but if you did I would know it's a NO
 or you should send a TRU in which case I would know it's a
 YES. SO you have zero security.
 
Or you could use a longer pad like 4 letters. And
 send WSHS for no and JSKS for yes in which case
 I would not know what you sent.
 
Or you could compress it and send 1 bit.
 
  If you actually want more security since you may on
 rare occasions not give a yes or no. In that case you
 really need a very long pad. But the length of all messages
 should be the same if you want perfect security. It can
 be less and still secure if you use a different size. But
 it won't be perfectly secure unless it is as long as your
 longest message.

Oh, in some cases whether one sends a message at all
could leak information, couldn't it? If a message goes
out e.g. from my home, that means some person is there.
Are we considering such stuff? I already mentioned
in a previous post that, unless there is something 
that links the length to the content of the message,
the argument holds. Note that Shannon's perfect
security implies that the efficiency of the transforming
a 'given' bit sequence of n bits is so good that from the 
ciphertext the opponent cannot get more information than 
he 'already' knows otherwise (e.g. from the length or 
from the time of sending, or from the particular station 
that sends it, etc.). If he already knows that a message 
of two bytes means 'NO', then any system of encryption is 
as bad as any other, in fact useless. But is that any 
argument against OTP as such? If a 'bijective' system
transforms 'NO' to 4 bits and 'YES' to 5 bits, doesn't
the same thing happen?

M. K. Shen
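To make this subthread's argument concrete (Shannon's "each of the 2^n sequences could result" reasoning as recalled above, the yes/no example just quoted, and Tim Tyler's earlier proposal of converting a file to 64-bit granularity before applying the pad), here is an added Python example. It is not code from any of the posters; the messages, the priors over them and the 0x80-then-zeros padding scheme are constructed for illustration. It computes the attacker's posterior over the messages given only the ciphertext length, and the number of bits the length leaks, for a pad cut to exactly the message length versus a pad applied after fixed-granularity padding.

```python
# Added example, not code from any poster in this thread: what "perfect
# secrecy" does and does not hide when the pad is cut to exactly the
# message length, versus when messages are first padded to a fixed
# granularity.  Messages, priors and pad sizes below are constructed.
import os
from fractions import Fraction
from math import log2


def otp_encrypt(msg: bytes, pad: bytes) -> bytes:
    """Conventional one-time pad: XOR with a pad of exactly the same length."""
    assert len(pad) == len(msg), "the pad must match the message length"
    return bytes(m ^ k for m, k in zip(msg, pad))


def raw(msg: bytes) -> bytes:
    """Encoding used by a conventional OTP: cut exactly len(msg) pad bytes."""
    return msg


def padded_to(block: int):
    """Reversible padding to a multiple of `block` bytes (0x80, then zeros),
    in the spirit of the 64-bit granular file discussed in the thread."""
    def encode(msg: bytes) -> bytes:
        return msg + b"\x80" + b"\x00" * ((-len(msg) - 1) % block)
    return encode


def unpad(data: bytes) -> bytes:
    """Inverse of padded_to(): strip the zeros and the 0x80 marker."""
    return data.rstrip(b"\x00")[:-1]


def posterior_given_length(prior, encode, clen):
    """P(m | the ciphertext has length clen).

    With a uniformly random pad, exactly one pad maps encode(m) to any given
    ciphertext of matching length, so P(c | m) is the same constant for every
    m whose encoding has length clen and zero otherwise.  Everything the
    attacker learns therefore comes from the length alone.
    """
    likely = {m: p for m, p in prior.items() if len(encode(m)) == clen}
    total = sum(likely.values())
    return {m: (likely.get(m, Fraction(0)) / total if total else Fraction(0))
            for m in prior}


def length_leak_bits(prior, encode) -> float:
    """Mutual information I(M; len(C)) in bits.  len(C) is a deterministic
    function of M, so this is the entropy of the length distribution: 0 bits
    means the ciphertext length says nothing about which message was sent."""
    by_len = {}
    for m, p in prior.items():
        n = len(encode(m))
        by_len[n] = by_len.get(n, Fraction(0)) + p
    return -sum(float(p) * log2(float(p)) for p in by_len.values() if p)


# Constructed priors: the yes/no situation from the thread, and a richer one.
PRIOR_YES_NO = {b"NO": Fraction(1, 2), b"YES": Fraction(1, 2)}
PRIOR_FOUR = {m: Fraction(1, 4)
              for m in (b"NO", b"YES", b"MAYBE", b"I DO NOT KNOW")}


if __name__ == "__main__":
    schemes = (("cut to length", raw), ("pad to 8", padded_to(8)),
               ("pad to 16", padded_to(16)))
    for name, enc in schemes:
        print(f"{name:14s} length leaks {length_leak_bits(PRIOR_YES_NO, enc):.3f} bits "
              f"(yes/no), {length_leak_bits(PRIOR_FOUR, enc):.3f} bits (four messages)")
    # A two-byte ciphertext under the conventional OTP settles the question...
    print(posterior_given_length(PRIOR_YES_NO, raw, 2))
    # ...while after padding every ciphertext is 8 bytes and the posterior
    # equals the prior, which is what Shannon's definition asks for.
    print(posterior_given_length(PRIOR_YES_NO, padded_to(8), 8))
    pad = os.urandom(8)
    ct = otp_encrypt(padded_to(8)(b"NO"), pad)
    assert unpad(otp_encrypt(ct, pad)) == b"NO"
```

Padding to a granularity only merges messages whose padded lengths coincide: with the four-message prior, padding to 8 bytes still leaves the 13-character message distinguishable (about 0.81 bits leak), and only padding to 16 bytes drives the leak to zero, which is the "as long as your longest message" point made in the quoted text.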

--

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Reply-To: [EMAIL PROTECTED]
Date: Wed, 6 Jun 2001 22:28:58 GMT

Mok-Kong Shen [EMAIL PROTECTED] wrote:
: Tim Tyler wrote:
: Mok-Kong Shen [EMAIL PROTECTED] wrote:

: : But if you have an OTP (a perfect one), you 'need' not
: : pad anything, for you already have perfect security
: : for the secret you want to communicate.
: 
: The attacker can tell how long the plaintext is just by looking at the
: cyphertext.  He can eliminate vast numbers of possible plaintexts
: by a cursory examination.  How is this perfect?

: So you are refuting Shannon, aren't you??

I would have to read what Shannon wrote in more detail to say how what
this thread is about relates to what he wrote.

My main concern is with the definition and usage of the term
perfect secrecy - I'd like to see what Shannon wrote,
whether his proof relates to what he wrote, and whether others
have followed his usage properly.

That OTP's leak length information - and thus fail to conceal plaintexts
properly is rather well known - indeed most other cyphers do this as well.

Tom (and other posters) seem to have got the idea that the ordinary OTP
is actually perfect at concealing information about the plaintext, given
the cyphertext.

That does /seem/ to be what Shannon said:

``The first definition of information-theoretic secrecy was given by
  Shannon, the founder of information theory. It is called perfect secrecy
  and means by definition that the plaintext is statistically independent
  of the encrypted data. This is equivalent to saying that the enemy
  cryptanalyst can do no better than guessing the plaintext without
  knowledge of the encrypted data, no matter how much time and computing
  power is used.''

 - http://www.inf.ethz.ch/department/TI/um/research/keydemo/Background.html

...but he is also supposed to have proved that the (conventional?) OTP
has this property, which it does not.  I'll resolve the apparent friction
between these ideas by reading his actual words and proof.

I'm curious to learn the historical roots of the (clearly mistaken) idea
that conventional OTPs are perfect in this way.  Is Shannon responsible?
...or those who came after him?
-- 
__
 |im |yler  [EMAIL PROTECTED]  Home page: http://alife.co.uk/tim/

--



Cryptography-Digest Digest #539

2001-06-06 Thread Digestifier

Cryptography-Digest Digest #539, Volume #14   Wed, 6 Jun 01 19:13:01 EDT

Contents:
  Re: Def'n of bijection (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: RSA's new Factoring Challenges: $200,000 prize. (my be repeat) (Joseph Ashwood)
  Re: AES question (Joseph Ashwood)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: AES question (Joseph Ashwood)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  shifts are slow? (Bob Jenkins)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)



From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Def'n of bijection
Reply-To: [EMAIL PROTECTED]
Date: Wed, 6 Jun 2001 21:36:02 GMT

[EMAIL PROTECTED] wrote:
: Tim Tyler [EMAIL PROTECTED] writes:
:[EMAIL PROTECTED] wrote:
:: Tim Tyler [EMAIL PROTECTED] writes:

:: ...there are *excellent* reasons for thinking that potential decrypts
:: will be richer in plausible messages than they would be if compression
:: had not been employed...
:
:: That statement is vacuously true.
: 
: Well, I'm glad to hear that you agree that it's true - but sorry to hear
: that you think it is vacuous.

: Um, it's a mathematical term, Tim. A statement is vacuously true when it
: cannot possibly be false. In other words, the statement contains no
: information.

I guess you think Fermat's Last Theorem is vacuous, then.  Its negation
is known to be an impossibility, after all.

:: Any non-negative number is >= 0. But the probability of false positives
:: is still probably ~0...so your ``maybe'' isn't actually interesting.
: 
: What are you talking about?  Is this >= 0 some sort of analogy?
: I didn't say maybe above.  What are you talking about?

: Sigh. If no compression is performed, then the likelihood of false
: positive decryptions is for most practical purposes zero.

What?!?!  How on earth do you figure that out?!?!

: However, you haven't actually exhibited any interesting circumstances
: where the likelihood of false positives *is provably* larger than
: zero.

Um, plaintext: 129 bits.  Key 128 bits.  What on earth can you possibly
be talking about?

: ...the messages are what we're interested in.  If *they* get smaller,
: that's all that's needed.  It doesn't matter what else gets smaller
: as well.

: To prove that false decrypts are more likely when BICOM is used, you
: must prove that preimages of smallish files are more likely to be real
: (or real-looking) messages. Since lots of non-messages also get smaller,
: there is no reason to suppose that *plausible* preimages are strictly more
: likely with BICOM than without it.

*Everything* that's made smaller is more likely to turn up in possible
decrypts.  Messages, junk, everything.  That some junk is made smaller
doesn't affect the fact that the messages shrink, and are thus going to
have a greater density at the small file end of the spectrum than they
did before.

Think of files as in bins, with the bins being labelled with file
lengths (only files of that length may go into that bin).

Compression takes plausible messages and moves them (and perhaps lots of
other stuff) into smaller-numbered bins, while moving other files the other
way.

Now the question is, do you wind up with more messages in bins
numbered < n than there were before this operation was performed.

The answer is of *course* you do.  It's blinking obvious that you do!

Are you now going to quibble that I haven't proved that a non-zero number
of files have actually crossed a particular n/n+1 bin boundary? ;-)

: The most one can say is that they're certainly no LESS likely [...]

That's not the most one can say.  I've repeatedly said a lot more -
and I'm correct in doing so.
-- 
__
 |im |yler  [EMAIL PROTECTED]  Home page: http://alife.co.uk/tim/
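The bin-counting argument made here, and in the earlier "Def'n of bijection" reply (compression makes the plausible messages smaller and so denser at the short end), can be checked mechanically on a toy model. What follows is an added example, not code from Tim Tyler, from BICOM or from anyone else in the thread. It builds a genuine bijection on byte strings by ranking every string in two different total orders and mapping one rank to the other; "plausible message" is taken, as an assumption standing in for real text, to be any string made only of the bytes 'a' and 'b', and the compressor's ordering is constructed so that such strings cost one bit per byte while everything else costs eight bits per byte plus one. It then counts, over all files of at most n bytes, how many are plausible as they stand and how many decompress to something plausible.

```python
# Added example, not code from Tim Tyler, BICOM or anyone else in the
# thread: a toy bijective "compressor" on byte strings, used to count how
# many short files decompress to a plausible message.  The notion of
# "plausible" (every byte is 'a' or 'b') and the cost ordering are
# constructed for the demonstration.
from functools import lru_cache

A, B = 0x61, 0x62  # the two bytes a "plausible" message may contain


def plausible(s: bytes) -> bool:
    """Stand-in for 'plausible message': every byte is 'a' or 'b'."""
    return all(ch in (A, B) for ch in s)


def cost(s: bytes) -> int:
    """Ordering key: plausible strings cost 1 bit per byte, all other
    strings 8 bits per byte plus one, so they sort after the short ones."""
    return len(s) if plausible(s) else 8 * len(s) + 1


@lru_cache(maxsize=None)
def level_size(c: int) -> int:
    """Strings of cost c: the 2^c plausible strings of length c, plus every
    non-plausible string of length k when c == 8*k + 1."""
    n = 1 << c
    if (c - 1) % 8 == 0:
        k = (c - 1) // 8
        n += 256 ** k - 2 ** k
    return n


def plausible_before(s: bytes) -> int:
    """Count plausible strings of len(s) that sort lexicographically before s."""
    count, k = 0, len(s)
    for i, ch in enumerate(s):
        count += sum(1 << (k - i - 1) for sym in (A, B) if sym < ch)
        if ch not in (A, B):
            break  # no plausible string shares a longer prefix with s
    return count


def cost_rank(s: bytes) -> int:
    """Index of s when all strings are listed by cost, plausible first, then lex."""
    c = cost(s)
    r = sum(level_size(i) for i in range(c))
    if plausible(s):
        idx = 0
        for ch in s:
            idx = 2 * idx + (1 if ch == B else 0)
        return r + idx
    return r + (1 << c) + int.from_bytes(s, "big") - plausible_before(s)


def cost_unrank(r: int) -> bytes:
    """Inverse of cost_rank()."""
    c = 0
    while r >= level_size(c):
        r -= level_size(c)
        c += 1
    if r < (1 << c):  # a plausible string: read its bits back as a/b
        return bytes(B if (r >> (c - 1 - i)) & 1 else A for i in range(c))
    r -= 1 << c
    k = (c - 1) // 8
    # below(v) = number of non-plausible strings of length k with value < v;
    # binary search for the unique non-plausible string with below() == r.
    below = lambda v: v - plausible_before(v.to_bytes(k, "big"))
    lo, hi = 0, 256 ** k - 1
    while lo < hi:
        mid = (lo + hi) // 2
        if below(mid + 1) > r:
            hi = mid
        else:
            lo = mid + 1
    return lo.to_bytes(k, "big")


def shortlex_rank(t: bytes) -> int:
    """Index of t when all strings are listed shortest first, then lex."""
    return (256 ** len(t) - 1) // 255 + int.from_bytes(t, "big")


def shortlex_unrank(r: int) -> bytes:
    L = 0
    while r >= 256 ** L:
        r -= 256 ** L
        L += 1
    return r.to_bytes(L, "big")


def compress(s: bytes) -> bytes:
    """Bijection on byte strings: cheap (plausible) strings land early in
    shortlex order, i.e. in the small-length bins."""
    return shortlex_unrank(cost_rank(s))


def decompress(t: bytes) -> bytes:
    return cost_unrank(shortlex_rank(t))


def all_files_up_to(n: int):
    """Every byte string of length <= n: the contents of bins 0..n."""
    return (shortlex_unrank(r) for r in range((256 ** (n + 1) - 1) // 255))


def plausible_in_bins(n: int, before: bool = False) -> int:
    """How many files of length <= n are plausible as they stand (before
    compression) or decompress to a plausible message (after it)."""
    if before:
        return sum(plausible(f) for f in all_files_up_to(n))
    return sum(plausible(decompress(f)) for f in all_files_up_to(n))


if __name__ == "__main__":
    for n in range(3):
        print(f"bins 0..{n}: plausible before = {plausible_in_bins(n, True):5d}, "
              f"decompress to plausible = {plausible_in_bins(n):5d}")
    msg = b"abbababaabbabbaa"
    print(msg, "->", compress(msg), "->", decompress(compress(msg)))
```

Among the 65793 files of at most two bytes, only 7 are plausible messages as they stand, but 65539 of them decompress to one: every 'a'/'b' message of up to 15 bytes has been pulled into those bins, displacing the files that were there. The same counting works for any cost function that gives the messages of interest a lower cost than the rest, which is all the argument in the post requires.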

--

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Reply-To: [EMAIL PROTECTED]
Date: Wed, 6 Jun 2001 21:38:41 GMT

Mok-Kong Shen [EMAIL PROTECTED] wrote:

: Nobody 'pads' anything on using OTP, as far as I understand
: the literature. The OTP sequence is used just like, say,
: a Scotch tape. If the next message is n bits, you cut
: out n bits from that, no more no less, do an xor and
: send the stuff. If the following message 

Cryptography-Digest Digest #542

2001-06-06 Thread Digestifier

Cryptography-Digest Digest #542, Volume #14   Wed, 6 Jun 01 20:13:00 EDT

Contents:
  Re: shifts are slow? (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: RSA's new Factoring Challenges: $200,000 prize. (my be repeat) (John Myre)
  Re: shifts are slow? (Joseph Ashwood)
  Re: Medical data confidentiality on network comms (Roger Schlafly)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Joseph Ashwood)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (JPeschel)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (JPeschel)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: shifts are slow? (Tom St Denis)



From: Tom St Denis [EMAIL PROTECTED]
Subject: Re: shifts are slow?
Date: Wed, 06 Jun 2001 23:08:36 GMT


Bob Jenkins [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 I've been talking to people trying to optimize assembly for the P4.
 They say there is a shift penalty.  What is more, they claim that
 shifts are necessarily slower than addition or xor.  Wire length
 is starting to matter more than gate count.

 I asked, do you mean that the low bits of x and y in x+y are closer
 together than the low and high bits of x?  They said yes.  The
 registers are interleaved that way.  Perhaps they could do shifts
 by 2 or 3, or maybe 4, in the same time as addition, but more than
 that is inherently slower.

 My old model of the world had +-^|~ take 1 cycle, tab[] take 2,
 if() take 5 if it guesses wrong, * take 10, and / take 20.  That's
 apparently no longer close to reality.  What is the new reality?

Depends on if they are done in the ALU directly or not.

In the Athlon afaik a shift and rotate can be done in 1/2 time (1 cycle
latency, 2 cycle throughput) i.e

ROL EAX,3
ADD EBX,ECX
MOV EDX,EAX

Will not stall since ROL is completed by the end.

Tom



--

From: Tom St Denis [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: Wed, 06 Jun 2001 23:09:11 GMT


[EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 Tim Tyler [EMAIL PROTECTED] writes:
 
  ...but why only consider the possible messages of size 2^n?  This is
  a tiny subset of the messages that could have been transmitted.

 Right! That's why ``perfect secrecy'' is only attainable if the ciphertext
 is longer than *any* possible plaintext. All messages must have infinite
 length.

 That's why in fact perfect secrecy has been proven impossible, and there
 is no such thing as a OTP.

 Len.

You're a loon.

Tom



--

From: John Myre [EMAIL PROTECTED]
Crossposted-To: sci.math
Subject: Re: RSA's new Factoring Challenges: $200,000 prize. (my be repeat)
Date: Wed, 06 Jun 2001 17:09:35 -0600


(Re algorithm)

For the OP:

The really important parts of the definition are that the
steps are unambiguously defined, and can actually be done.
So steps like "pick a fratzle number" (a name I just made
up), or "use the last integer" (obviously not possible)
aren't allowed.  It's partly a problem in communication,
since "unambiguous" depends on mutual understanding.  But
it's also important to recognize when the instructions are
clear, and when they are more like hand-waving.

To Joe:

I'm not sure what you meant by "a finite number of steps".
The usual formal definition of algorithm includes the
requirement that the method always halts - is that what you
meant?  The example you gave does not meet this requirement.

(Hint: what does it do if the battery is already dead?)

(BTW, I find it amusing that the halting problem shows that
it is not algorithmically possible to decide what programs are
algorithms...)

JM

--

From: Joseph Ashwood [EMAIL PROTECTED]
Subject: Re: shifts are slow?
Date: Wed, 6 Jun 2001 16:07:26 -0700

The new reality is the same. It's just that for a register to shift it needs
to make use of itself as a shift register, so in a single clock bit 30 moves
to 31, 29-30, 28-29, 27-26 . . .  1-2, 0-1. In order to shift by X
takes X clocks. Also because we have gotten to such high frequencies and
such deep pipelines addition now takes multiple clocks but commonly you can
get a throughput of 1 add/clock. Basic binary operations ^|~ still take one
clock (although it may take longer due to the pipeline). It gets worse when
you 

Cryptography-Digest Digest #543

2001-06-06 Thread Digestifier

Cryptography-Digest Digest #543, Volume #14   Wed, 6 Jun 01 22:13:00 EDT

Contents:
  Re: How good is steganography in the real world? ([EMAIL PROTECTED])
  DES not a group proof (Patrick Aland)
  Re: Quantum Computers with relation to factoring and BBS (rosi)
  Re: Knapsack security??? Ahhuh (rosi)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Notion of perfect secrecy (Tom St Denis)



From: [EMAIL PROTECTED]
Crossposted-To: comp.security.misc,talk.politics.crypto
Subject: Re: How good is steganography in the real world?
Date: Thu, 07 Jun 2001 00:15:12 GMT

On 8 Apr 2001 08:24:07 +0200, [EMAIL PROTECTED] (Paul Schlyter) wrote:

In article [EMAIL PROTECTED],
SCOTT19U.ZIP_GUY [EMAIL PROTECTED] wrote:
 
 Another thought. We still have a lot of people out of work here
 you could hire some Navahos. And just let them communicate messages
 to and from IRAQ. It worked in WWII.
 
Yes, it worked in WWII because back then hardly anyone knew Navaho
except the Navahos themselves.  And the situation was similar for
most other Native American languages.
 
However, this success of Navaho encryption during WWII spawned
an interest in Native American languages among linguists, and since
then these languages have been investigated more than ever before.
Therefore today Navaho encryption will be much less secure than
it was during WWII.
==
snip

Navaho was chosen for two reasons.  One was its obscurity.
The second is that it has many strange phonemes, and can only be
spoken properly by somebody that learned it as a small child.  This
meant that spoofing was not possible, as all the receivers would
instantly detect any fake message.




--

From: [EMAIL PROTECTED] (Patrick Aland)
Subject: DES not a group proof
Date: 6 Jun 2001 17:17:53 -0700

Anyone got a link to the proof from Crypto '92 that showed that DES is
not a group? The links I seem to be finding are either dead or simply
reference it.

Thanks.

--

From: rosi [EMAIL PROTECTED]
Subject: Re: Quantum Computers with relation to factoring and BBS
Date: Wed, 6 Jun 2001 22:42:31 -0400

Your repeating that Bob is correct seems to suggest that I stated that he
was not? No, no. I said he had not erred. It might be better if you had said
that I had said that Bob was correct.

I should take his comments seriously? Why not? I was DAMN serious!!!
(and do not excuse my language).

Way too serious. Let's do it lightly.

Crypto is perhaps the only discipline where you can work and have fun!

Let me tell you a story. There was this scientist (maybe fake as he himself
suggested) giving advice to one in another discipline for which the scientist
had limited respect. He told the girl to first carry out the experiment which
someone else performed and for which she was to change conditions to see the
effect, and then actually change the circumstances to compare results. The
girl was all excited and went back to her great professor. A lot of people may
already know this story and may feel bored if I go on, so I just skip the end
of the story.

Now you can also do several simple experiments, or you can take the
results given to you by others and trust them. You can ask: is it in NP? and
you can change the question in form (only in form) with the spirit still
carried in the questions, such as: is it in P? These I think are simple enough.
Then you may apply other things, such as the 'sutra' you quoted from somewhere.
Try to see if the thing you really want to know by asking the questions would
still be there after the applications. Don't recite any more, just go and
perform the simple experiments.

Reciting is by all means a good means of doing scientific work. But that is
just one of the many ways. And thanks for the recitation about NP's full
text.

I, quite unlike Bob, am not prone to giving advice. Bob may come next and
tell you to read books. I, a lot of times, think that may not be necessary.
I can often focus just on the things you know (well, if you say it, you must
know it. logical?) Whether you read more is your cake of the day. But I am sure
of one thing. Next time around, when you assign probabilistic uncertainty to a
well-defined, unambiguous definition, you will do a much better job.

You are still not bored with this NP stuff? :) I think it may be appropriate
that we now draw such a small full stop as to encompass all the 'bubbles'
making up the universe, so small that we can not see it.

Thanks.
--- (My Signature)

Nicol So wrote in message [EMAIL PROTECTED]...
rosi wrote:

 Bob Silverman wrote in message
 [EMAIL PROTECTED]...
 [EMAIL PROTECTED] (Bill Unruh) wrote in message
 news:9eu1ke$njh$[EMAIL PROTECTED]...
  In 9etv2h$4pn$[EMAIL PROTECTED] 

Cryptography-Digest Digest #544

2001-06-06 Thread Digestifier

Cryptography-Digest Digest #544, Volume #14   Thu, 7 Jun 01 01:13:00 EDT

Contents:
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (JPeschel)
  Re: OTP WAS BROKEN!!! (Gordon Burditt)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) ([EMAIL PROTECTED])
  Re: Notion of perfect secrecy (SCOTT19U.ZIP_GUY)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: Def'n of bijection ([EMAIL PROTECTED])
  Re: OTP WAS BROKEN!!! ([EMAIL PROTECTED])
  Re: Bow before your new master (John Fields)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (JPeschel)
  Re: RSA's new Factoring Challenges: $200,000 prize. (my be repeat) (Michael Brown)
  Re: RSA's new Factoring Challenges: $200,000 prize. (Michael Brown)
  Re: Notion of perfect secrecy (Neil Couture)



From: [EMAIL PROTECTED] (JPeschel)
Date: 07 Jun 2001 02:25:48 GMT
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)

[EMAIL PROTECTED]  (SCOTT19U.ZIP_GUY) writes, in part:

You should read
Shannon's article Communication Theory of Secrecy Systems
it was in the Bell systems technical Journal. 

Yes, I know the paper, have read it, and am re-reading it.

He talks about making the key as small as possible. I think we
can assume that means as long as the plaintext.  

That doesn't mean that the size of the key and the size of the
pad need to be the same.  Keys are taken from the pad.
When the pad is used up it's time to generate another pad
with more keys. Each key, so far as i can tell from Shannon, must
be the length of the plaintext.  

Point me to where Shannon says that the length of the plaintext
must be kept secret.

Joe
__

Joe Peschel 
D.O.E. SysWorks 
http://members.aol.com/jpeschel/index.htm
__


--

From: [EMAIL PROTECTED] (Gordon Burditt)
Subject: Re: OTP WAS BROKEN!!!
Date: 7 Jun 2001 02:28:54 GMT

Why if you re-use the key twice, OTP becomes less secure?

If you re-use the key, it's NOT a OTP.

I'm a newbie and I want an answer with few samples.

Let us suppose that you can trick the opposition into sending
something that you know, encrypted with the OTP.  Perhaps you even
get to select it.  For example, your ambassador gives their ambassador
(at their embassy in your country) a long-winded proposed treaty
for extraditing spammers and emergency shutdown of open spam relays
by nuclear air attacks.  They will relay it to their government
using the OTP via radio (so you can intercept it).

You know the text of the treaty will appear somewhere in one of
the messages sent in the next day or so.  You can use this to create
a relatively limited list of pieces of possible keys.

Now, if the key is used ONCE, you have some of the keying material
which will never be used again.  Whoop de doo!  You already know
what was encrypted with that portion of the key; that was how you
computed it in the first place.  This gives you no useful information
about other encrypted messages.

If the key is used MORE THAN ONCE, you can take the possible keys,
slide them along other messages, and compute possible plaintexts
from this.  IF you get a sensible-looking plaintext, you now have
a much-better-than-random-guess probability that this is the correct
key, being re-used.

I tried to solve the problem, using the same key, I found (2*n)
possible solutions for a ciphertext of bit-length equal to n.
How is it possible to recover the plaintext?

Assume that the text of the treaty is 100Kbits, and that 10Mbits
of messages were sent in the time window when the treaty was likely
sent.  Sliding the key along the text of messages sent yields 10M
- 100K possible keys.  This is a heck of a lot less than the possible
values of keys used to send the treaty, 2**100K.  Now, assuming
the key will be re-used the next day, and that 10Mbits of traffic
are sent then, you have (10M-100K)**2 combinations of possible keys
and places to start using them.  This is less than 2**48, which is
a heck of a lot less than 2**10.

Gordon L. Burditt
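The two-message scenario Gordon walks through, carried out in code as an added example (my code, not from the post). The "treaty" text, the second message, the word list used as the "sensible-looking plaintext" test and the seeded pad generator are all constructed for the demonstration; a real pad comes from a true random source, and the whole point of the example is what happens the moment that pad is used twice.

```python
import hashlib
import os

# Constructed sample traffic (not from the original post): a planted "treaty" text the
# attacker knows, buried in one message, and an unrelated second message.
TREATY = b"Article 1: spammers shall be extradited without delay."
MSG1 = b"From HQ. " + TREATY + b" Reply soonest."
MSG2 = b"Fleet orders: proceed to the harbour at dawn and await further signal."
# Constructed word list used as the "sensible-looking plaintext" filter.
WORDS = [b"harbour", b"dawn", b"fleet", b"signal"]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(pad: bytes, plaintext: bytes) -> bytes:
    """One-time pad: C = P xor K, using the first len(P) bytes of the pad."""
    if len(pad) < len(plaintext):
        raise ValueError("pad shorter than plaintext")
    return xor_bytes(pad[: len(plaintext)], plaintext)


def pad_from_seed(seed: bytes, n: int) -> bytes:
    """Deterministic pseudo-random pad (SHA-256 in counter mode) so the demo is repeatable.
    A real pad must come from a true random source, e.g. os.urandom(n)."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def candidate_pads(ciphertext: bytes, crib: bytes):
    """Each position where the known text might sit yields a candidate pad segment K = C xor P."""
    n = len(crib)
    return [(off, xor_bytes(ciphertext[off : off + n], crib))
            for off in range(len(ciphertext) - n + 1)]


def looks_like_text(b: bytes) -> bool:
    """Crude sanity filter: printable ASCII that contains one of the expected words."""
    return all(32 <= x < 127 for x in b) and any(w in b for w in WORDS)


def attack(c_known: bytes, crib: bytes, c_other: bytes):
    """Slide every candidate pad segment along the other ciphertext.  Returns
    (offset in c_known, offset in c_other, recovered plaintext) for each hit."""
    hits = []
    for off1, seg in candidate_pads(c_known, crib):
        n = len(seg)
        for off2 in range(len(c_other) - n + 1):
            cand = xor_bytes(c_other[off2 : off2 + n], seg)
            if looks_like_text(cand):
                hits.append((off1, off2, cand))
    return hits


def run(pad1: bytes, pad2: bytes):
    """Encrypt MSG1 under pad1 and MSG2 under pad2, then try to read MSG2 via the known TREATY."""
    return attack(otp_encrypt(pad1, MSG1), TREATY, otp_encrypt(pad2, MSG2))


if __name__ == "__main__":
    day1, day2 = os.urandom(128), os.urandom(128)
    print("fresh pad each day:", run(day1, day2))   # nothing recovered
    print("pad reused        :", run(day1, day1))   # a slice of MSG2 falls out
```

With distinct pads the candidate segments recovered from the first message tell the attacker nothing about the second (the hit list stays empty); with the same pad the segment lined up at the right position reproduces the plaintext of the second message, which is Gordon's "much-better-than-random-guess" observation in miniature.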

--

Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
From: [EMAIL PROTECTED]
Date: 06 Jun 2001 22:40:09 -0400

Tom St Denis [EMAIL PROTECTED] writes:
 [EMAIL PROTECTED] wrote in message
 Tim Tyler [EMAIL PROTECTED] writes:

 ...but why only consider the possible messages of size 2^n?  This is
 a tiny subset of the messages that could have been transmitted.

 Right! That's why ``perfect secrecy'' is only attainable if the ciphertext
 is longer than *any* possible plaintext. All messages must have infinite
 length.
 
 You're a loon.

That's not nice! Anyway, your sarcasm detector must be busted.

Len.


--

From: [EMAIL 

Cryptography-Digest Digest #522

2001-06-05 Thread Digestifier

Cryptography-Digest Digest #522, Volume #14   Tue, 5 Jun 01 09:13:01 EDT

Contents:
  Re: about DH parameters  germain primes (Tom St Denis)
  Re: Def'n of bijection (Tom St Denis)
  Re: BBS implementation (Tom St Denis)
  Sophie Germaine Benefits for DH (Tom St Denis)
  Re: PRP vs PRF (was Luby-Rackoff Theorems) (Tom St Denis)
  Some questions on GSM and 3G (Arturo)
  Re: 2,2-multipermutation? (Tom St Denis)
  Re: 2,2-multipermutation? (Tom St Denis)
  Re: about DH parameters  germain primes (Mark Wooding)
  PRP = PRF (TRUNCATE) (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: WEB PAGES (SCOTT19U.ZIP_GUY)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  White-Hat Security Arsenal http://white-hat.org/ (New book) (Avi Rubin)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Def'n of bijection (Tim Tyler)
  Re: Def'n of bijection (Tim Tyler)
  Re: RSA's new Factoring Challenges: $200,000 prize. (my be repeat) (Bob Silverman)
  Re: Sophie Germaine Benefits for DH (Mark Wooding)



From: Tom St Denis [EMAIL PROTECTED]
Subject: Re: about DH parameters  germain primes
Date: Tue, 05 Jun 2001 08:47:39 GMT


Mark Wooding [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 quequ [EMAIL PROTECTED] wrote:

  If p, (p-1)/2 both prime, then you can just use any
  g you please [other than 0, 1, and -1], and you'll
  get a very large order [at least (p-1)/2]
 
  It's right?

 Yes, it's right.

  I've tried a 1024bit germain prime P and the generator G set to (P-1)/2.
  Are these good parameters?

 (P - 1)/2 is a bit big.  This won't affect security, but it can affect
 performance in some cases.  In your case, I'd choose G = 4, which
 definitely has order (P - 1)/2.  At least this way you know exactly what
 you're getting.

 On the other hand, I don't really believe in Sophie-Germain primes.
 They take too long to generate, and I don't see any practical advantage
 over Lim-Lee primes.

Something that bugs me: when you do (g^x)^y mod p, is g^x considered a new
base w.r.t. the group the entire operation generates, or is it simply g^xy
mod p?

Like if p=257, g=45, x=17,y=33 we get (g^x) mod p equal to 103, (103^33) mod
257 equal to 167

In the second step is 103 considered a new base?  I'm thinking of an example
where (g^x mod p) results in a base that generates a small group, for effect
suppose g^x mod p = -1.  Then -1^y mod p will be 1 or -1 depending on the
lsb right?

Well with a SG prime this cannot happen (well the -1 and 1 can occur).  All
bases will generate a huge group.

That's one possible benefit?

Tom



--

From: Tom St Denis [EMAIL PROTECTED]
Subject: Re: Def'n of bijection
Date: Tue, 05 Jun 2001 08:49:33 GMT


JPeschel [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 Tom St Denis [EMAIL PROTECTED] writes, in part:

 If you're a regular you should know to read what I say with a grain of
salt.
 I.e. be cautious because I tend to make mistakes.  Especially with math
 notation I haven't formally learnt yet.

 Reviewing, from time to time, the first few chapters from Menezes's book
 might be a good way to reinforce the notation. Beats being corrected.

Good tip.  Menezes's book is?  HAC?

Tom



--

From: Tom St Denis [EMAIL PROTECTED]
Subject: Re: BBS implementation
Date: Tue, 05 Jun 2001 08:50:48 GMT


Mark Wooding [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

  How do I know it is not on a short or degenerate cycle?

 Because if it is, you've managed to factor the modulus.

As I understand it, if you know the length of the cycle you only know
factors of (p-1)(q-1) right?

Tom



--

From: Tom St Denis [EMAIL PROTECTED]
Subject: Sophie Germaine Benefits for DH
Date: Tue, 05 Jun 2001 09:35:20 GMT

A question was raised whether Lim-Lee primes were better in terms of ease of
generation and security versus a Sophie Germaine Prime.

So we get our terminology all straight: a Lim-Lee (LL) prime is one where it
has several huge prime factors, a Sophie-Germaine (SG) prime is a prime of
the form 2p + 1 where p itself is prime.

As a contrived example I chose p=257, g=45.  This isn't a LL or SG but shows
off the point I started on earlier.

Suppose we have one key x=66, the resulting base 45^66 mod 257 = 239 will
only generate a group of 128 elements.

While this is a contrived example a similar effect is possible with LL and
SG primes.  In an LL prime for example 

Cryptography-Digest Digest #523

2001-06-05 Thread Digestifier

Cryptography-Digest Digest #523, Volume #14   Tue, 5 Jun 01 11:13:01 EDT

Contents:
  Re: Def'n of bijection (Tim Tyler)
  Re: about DH parameters  germain primes (Bob Silverman)
  Re: Def'n of bijection ([EMAIL PROTECTED])
  Re: Keyed hash functions (Tim Tyler)
  Re: Def'n of bijection ([EMAIL PROTECTED])
  Re: Def'n of bijection (SCOTT19U.ZIP_GUY)
  Re: Def'n of bijection (Tim Tyler)
  Re: Def'n of bijection (Tim Tyler)
  Re: Def'n of bijection ([EMAIL PROTECTED])
  Re: PRP = PRF (TRUNCATE) (Scott Fluhrer)
  Re: Def'n of bijection ([EMAIL PROTECTED])



From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Def'n of bijection
Reply-To: [EMAIL PROTECTED]
Date: Tue, 5 Jun 2001 13:00:06 GMT

Tom St Denis [EMAIL PROTECTED] wrote:
: JPeschel [EMAIL PROTECTED] wrote in message

: Reviewing, from time to time, the first few chapters from Menezes's book
: might be a good way to reinforce the notation. Beats being corrected.

: Good tip.  Menezes's book is?  HAC?

Very likely: HAC [http://cacr.math.uwaterloo.ca/hac/]
 - by Alfred J. Menezes, Paul C. van Oorschot and Scott A. Vanstone
-- 
__
 |im |yler  [EMAIL PROTECTED]  Home page: http://alife.co.uk/tim/

--

From: [EMAIL PROTECTED] (Bob Silverman)
Subject: Re: about DH parameters  germain primes
Date: 5 Jun 2001 06:12:42 -0700

quequ [EMAIL PROTECTED] wrote in message 
news:[EMAIL PROTECTED]...
 Hi, I've found this tip about Diffie-Hellman parameters:
 
 If p, (p-1)/2 both prime, then you can just use any
 g you please [other than 0, 1, and -1], and you'll
 get a very large order [at least (p-1)/2]
 
 It's right?

Ask yourself:  what are the *possible* orders of the group?
0 is not in the group.  The set {1,-1} forms a sub-group whose elements
have order 2 and whose index is (p-1)/2.   What other sub-groups are there?

Look up Lagrange's Theorem.
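Tom's question (is g^x a "new base"?), his p=257, g=45 numbers from the two posts above, and Bob's "what are the possible orders?" hint, worked through in code. This is an added example of mine, not code from any poster. Python's three-argument pow is modular exponentiation; p = 467 = 2*233 + 1 is a constructed small safe prime standing in for the 1024-bit one in the thread.

```python
def divisors(n: int) -> list[int]:
    """All positive divisors of n in ascending order (n is small here)."""
    small, large = [], []
    d = 1
    while d * d <= n:
        if n % d == 0:
            small.append(d)
            if d * d != n:
                large.append(n // d)
        d += 1
    return small + large[::-1]


def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy parameters used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def is_safe_prime(p: int) -> bool:
    """p = 2q + 1 with both p and q prime (q is the Sophie Germain prime)."""
    return is_prime(p) and is_prime((p - 1) // 2)


def possible_orders(p: int) -> list[int]:
    """Lagrange: the order of any element of Z_p^* divides |Z_p^*| = p - 1."""
    return divisors(p - 1)


def multiplicative_order(g: int, p: int) -> int:
    """Smallest k >= 1 with g^k = 1 (mod p); only the divisors of p-1 need testing."""
    if g % p == 0:
        raise ValueError("0 is not in the multiplicative group")
    for k in possible_orders(p):          # ascending, so the first hit is the order
        if pow(g, k, p) == 1:
            return k
    raise AssertionError("unreachable for prime p")


def dh_steps(g: int, x: int, y: int, p: int) -> tuple[int, int, int]:
    """(g^x mod p, (g^x)^y mod p, g^(xy) mod p).  The last two coincide: g^x is not a
    base in some new group, just another element of the subgroup generated by g."""
    gx = pow(g, x, p)
    return gx, pow(gx, y, p), pow(g, x * y, p)


def orders_of_powers(g: int, p: int) -> set[int]:
    """Orders of g^x for x = 1 .. p-2, i.e. of every base a peer could be handed."""
    return {multiplicative_order(pow(g, x, p), p) for x in range(1, p - 1)}


if __name__ == "__main__":
    print(dh_steps(45, 17, 33, 257))                 # (103, 167, 167)
    print(possible_orders(257))                      # every power of two up to 256
    print(multiplicative_order(pow(45, 66, 257), 257))  # 128: the small subgroup Tom found
    print(sorted(orders_of_powers(2, 467)))          # safe prime: only 2, 233, 466 possible
```

For p = 257 the group order 256 has nine divisors, so a public value g^x can land in a subgroup of any power-of-two size, which is exactly Tom's 45^66 = 239 of order 128. For a safe prime the only orders available are 1, 2, q and 2q, so apart from the two elements of order 1 and 2 (1 and -1) every base generates a subgroup of size at least q; a receiver that rejects 0, 1 and p-1 has excluded all the small cases.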

--

Subject: Re: Def'n of bijection
From: [EMAIL PROTECTED]
Date: 05 Jun 2001 09:44:10 -0400

Tim Tyler [EMAIL PROTECTED] writes:
 [EMAIL PROTECTED] wrote:
 
: He seems to be trying to create a scheme w.r.t. which every message
: of size n is the possible compression of a meaningful message.
 
 Yes, this is essentially the idea David is aiming for.

Note, however, that I ``don't know what I'm talking about.''

 Yes, achieving it for the domain of English language sentences is
 probably an impractical goal. However, note that progress towards the
 goal is itself worthwhile.

Why? What does that goal buy us?

 Even if you don't have perfect compression, good compression still
 helps.

Good compression exists. Under various hypotheses, optimal compression
exists. What do you believe is lacking? And what do you think ``perfect
compression'' means?

 If you can't make all the cyphertexts smaller than n decrypt to
 correct-looking messages, increasing the proportion that do may
 still be worthwhile.

Note that even OTP does not do this. All messages of size n are equally
likely as decrypts, but most possible decrypts are not meaningful. This
condition is essentially the best that can be hoped for, and in general
it requires that the keyspace be as large as the message space--i.e.,
that keys be as long as the message.

(Though I conjecture that this property can also be achieved if keys
are only as long as the compressed message. I.e., if keys contain
exactly as much entropy as the original message. But my observation is
probably trite; as a mathematician but a non-cryptologist, I further
conjecture that this is what the theorems on OTP actually say.)

Anyway, that seems to be the problem here: Scott (and some others) are
conflating the notions of ``compression'' with the desirable
properties of a OTP, and then expressing their confused ideas with
confusing language.

Len.


-- 
Frugal Tip #64:
Find a lucrative new use for mildew.

--

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Keyed hash functions
Reply-To: [EMAIL PROTECTED]
Date: Tue, 5 Jun 2001 13:41:35 GMT

Mark Wooding [EMAIL PROTECTED] wrote:
: Tim Tyler [EMAIL PROTECTED] wrote:

: Are such keyed hash functions recognised as a primitive cryptographic
: type, distinct from MACs?

: I believe that your idea of a `keyed hash' is attempting to capture what
: is usually referred to as a `pseudo-random function family'.  A PRF
: family is suitable for use as a MAC.  However, not all MACs are good
: PRFs. [...]

: I think there is a hope (rather than anything better informed) that
: HMAC with a decent hash function is a passable PRF. [...]

: [Note: I *don't* want to talk about hash(CTR|KEY) schemes]

: Very wise.

A helpful post - thanks.

FWIW, my final comment was intended to cover /all/ constructions involving
keying orthodox hash functions, /including/ things like HMAC.

I'd ideally like an aesthetically pleasing construction for generating a
keyed pseudo-random function - and the idea of repeatedly feeding 

Cryptography-Digest Digest #524

2001-06-05 Thread Digestifier

Cryptography-Digest Digest #524, Volume #14   Tue, 5 Jun 01 13:13:00 EDT

Contents:
  Re: Welcoming another Anti-Evidence Eliminator stooge to USENET  (P. (Douglas A. Gwyn)
  Re: Welcoming another Anti-Evidence Eliminator stooge to USENET (P.  Dulles / AKA Loki) (Scott Fluhrer)
  Re: Def'n of bijection (Tim Tyler)
  Re: Def'n of bijection (Tim Tyler)
  Re: Def'n of bijection (Douglas A. Gwyn)
  Re: BBS implementation (Mark Wooding)
  Re: Def'n of bijection (Douglas A. Gwyn)
  Re: National Security Nightmare? (Douglas A. Gwyn)
  Re: National Security Nightmare? (Douglas A. Gwyn)
  Re: Def'n of bijection (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Paul Pires)
  Re: Def'n of bijection (Mark Wooding)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mark Wooding)



From: Douglas A. Gwyn [EMAIL PROTECTED]
Subject: Re: Welcoming another Anti-Evidence Eliminator stooge to USENET  (P.  
Date: Tue, 5 Jun 2001 14:51:42 GMT

Tom St Denis wrote:
 Dave Howe [EMAIL PROTECTED] wrote...
  ... Tom St Denis [EMAIL PROTECTED] said :
  Take all primes and form a composite N.  Add one to N.  Now N is not
  divisible by any of the known primes.  Thus N+1 is a new prime not
  in the list.
  or is divisible by a prime not in the original list
 That's not possible.  Since we already have all consecutive primes...
 3*5*7+1 = 106
 106 is not divisible by any known prime (assume the only known primes are 3,
 5, 7).  ...

We have been through this before, just a few months ago.
The problem is that for purposes of the particular proof,
prime is being given a hypothetical meaning that is not
what it turns out to actually mean.  This is okay, since
all that the proof requires is for a contradiction to be
produced.  However, once the proof is established, we can
see other contradictions; for example, N+1 is (sometimes)
not a prime after all.  If the proof is not carefully
stated, then such other contradictions may get in the way
of establishing the proof.  It certainly confuses many
people, who seem to believe that they will always obtain a
prime when they add 1 to the product of all smaller primes.

Smiley-proof:
2+1 = 3, prime
2*3+1 = 7, prime
2*3*5+1 = 31, prime
2*3*5*7+1 = 211, prime
2*3*5*7*11+1 = 2311, prime
... obviously it works :-)

--

From: Scott Fluhrer [EMAIL PROTECTED]
Crossposted-To: 
alt.privacy,alt.security,alt.security.pgp,alt.security.scramdisk,alt.privacy.anon-server
Subject: Re: Welcoming another Anti-Evidence Eliminator stooge to USENET (P.  Dulles / 
AKA Loki)
Date: Tue, 5 Jun 2001 08:08:24 -0700


Kyle Paskewitz [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 Tom -

 You've forgotten that 2 is also prime.  If you take the product of any
 number of consecutive primes beginning with 2 (the first prime) and add 1,
 you will get another prime.  E.G.

 2*3 + 1 = 7
 2*3*5 + 1 = 31
 2*3*5*7 + 1 = 211 , etc...

Really???  I was under the impression that:

2*3*5*7*11*13+1 = 30031 = 59*509
2*3*5*7*11*13*17+1 = 510511 = 19*97*277
2*3*5*7*11*13*17*19+1 = 9699691 = 347*27953
2*3*5*7*11*13*17*19*23+1 = 223092871 = 317*703763

weren't prime.  I must be delusional, I suppose...

--
poncho
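Gwyn's point, with Fluhrer's counterexamples, checked mechanically: the product of the first few primes plus one is sometimes prime and sometimes not, but every one of its prime factors lies outside the list, which is all Euclid's argument needs. This is an added example of mine, not code from the thread; it also covers Tom's list {3, 5, 7} that omits 2.

```python
from math import prod


def first_primes(k: int) -> list[int]:
    """The first k primes, by trial division against the primes found so far."""
    primes = []
    n = 2
    while len(primes) < k:
        if all(n % q for q in primes if q * q <= n):
            primes.append(n)
        n += 1
    return primes


def factorize(n: int) -> list[int]:
    """Prime factorisation by trial division (ascending, with multiplicity)."""
    factors = []
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors.append(d)
            n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def euclid_step(primes: list[int]) -> tuple[int, list[int], bool]:
    """N = product(primes) + 1.  Returns N, its factorisation, and whether every
    prime factor of N lies outside the given list (the only thing the proof needs)."""
    n = prod(primes) + 1
    factors = factorize(n)
    return n, factors, all(q not in primes for q in factors)


if __name__ == "__main__":
    for k in range(1, 10):
        n, factors, all_new = euclid_step(first_primes(k))
        tag = "prime" if len(factors) == 1 else "composite"
        print(f"{n:>10} = {'*'.join(map(str, factors)):<20} {tag}, new primes only: {all_new}")
```

The table it prints reproduces both halves of the thread: 3, 7, 31, 211, 2311 are prime, 30031 = 59*509 and 510511 = 19*97*277 are not, and the last column is True on every row.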





--

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Def'n of bijection
Reply-To: [EMAIL PROTECTED]
Date: Tue, 5 Jun 2001 15:15:03 GMT

[EMAIL PROTECTED] wrote:
: Tim Tyler [EMAIL PROTECTED] writes:

: Yes.  The case where the key is as large as the original message is not
: where compression helps.

: Smaller message == smaller key. Compression is a great way to economize
: your OTP key material.

It also helps with bandwidth - but it doesn't help with security.

:: if keys contain exactly as much entropy as the original message...I
:: further conjecture that this is what the theorems on OTP actually say.
: 
: I don't think they mention the possibity of compression.

: But I'll bet you a beer they mention entropy.

I'm sure they do - but I doubt they discuss what you were talking about.

: Loosely speaking, the best compression is the one for which ``bits in
: output file'' equals ``bits of entropy in input file''. By the definition
: of entropy, better (lossless) compression is impossible. And perfect
: security can probably be achieved if ``bits of entropy in key'' equals
: ``bits of entropy in message''.

I wouldn't dispute any of that.

:: Anyway, that seems to be the problem here: Scott (and some others) are
:: conflating the notions of ``compression'' with the desirable
:: properties of a OTP, and then expressing their confused ideas with
:: confusing language.
: 
: A bizarrely inaccurate representation of the situation IMO.  AFAICS,
: nobody is conflating the notions of ``compression'' with anything.

: Then think carefully about it. With gzip, brute-forcing the key might
: mean, 

Cryptography-Digest Digest #525

2001-06-05 Thread Digestifier

Cryptography-Digest Digest #525, Volume #14   Tue, 5 Jun 01 15:13:00 EDT

Contents:
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mark Wooding)
  Re: BBS implementation (Tom St Denis)
  Re: BigNum Question (Harris Georgiou)
  Re: PRP = PRF (TRUNCATE) (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: Def'n of bijection ([EMAIL PROTECTED])
  Re: Def'n of bijection ([EMAIL PROTECTED])
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Def'n of bijection (Tim Tyler)
  Re: Welcoming another Anti-Evidence Eliminator stooge to USENET (P. (Kyle Paskewitz)
  Re: Def'n of bijection (Tim Tyler)
  Re: Def'n of bijection (Tim Tyler)
  Re: National Security Nightmare? (Mok-Kong Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)



From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: 5 Jun 2001 17:19:30 GMT

Tim Tyler [EMAIL PROTECTED] wrote:

 DS And you never answered the FACT that a one byte output file
 DS from CTR mode (though you have no working program) would immediately
 DS lead an attacker to realize that the input file could only have
 DS come from 1 of 256 possible messages. With BICOM you have many
 DS many more messages. That alone makes it more secure. [...]

This is wrong.  I assume here that the BICOM encryption scheme is
something along the lines of

  B_k = E_k o C

where E_k is some conventional cipher (Rijndael using some bizarre
chaining mode, I think, but it doesn't matter) and C is some permutation
over finite bitstrings {0, 1}^* (called a compression -- this is
irrelevant here).  If there is actually some unkeyed invertible
transformation following the encryption step then we can ignore that,
because it won't affect the cardinalities of any of the sets we're
interested in.

Consider the set of 8-bit strings {0, 1}^8.  Since we expect a cipher to
be invertible, we must have |E_k^{-1}({0, 1}^8)| = |{0, 1}^8| = 256
(since otherwise we'd be unable to recover some distinct plaintexts by
decrypting).  Now, since C is bijective, we must also have

  |B_k^{-1}({0, 1}^8)| = 256

Hence, there are at most 256 possible plaintext messages for any
one-byte ciphertext.  They might not all be one-byte long, but there are
at most 256 of them.

-- [mdw]

--

From: Tom St Denis [EMAIL PROTECTED]
Subject: Re: BBS implementation
Date: Tue, 05 Jun 2001 17:42:48 GMT


Mark Wooding [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 Tom St Denis [EMAIL PROTECTED] wrote:

  As I understand it, if you know the length of the cycle you only know
  factors of (p-1)(q-1) right?

 I'm caught out.

 If you can find short cycles with nonnegligible probability then you can
 factor.  Just falling over one by accident I believe has a nontrivial
 probability of allowing you to factor given additional polynomial-time
 effort, but won't automatically drop the factors out.

Depends.  If your primes are SG primes then I think it will :-)

if you can do it repeatedly then yes you can factor.

Tom



--

From: Harris Georgiou [EMAIL PROTECTED]
Subject: Re: BigNum Question
Date: Tue, 5 Jun 2001 20:40:12 +0300

Tim Tyler [EMAIL PROTECTED] wrote in the discussion message:
[EMAIL PROTECTED]
 JGuru [EMAIL PROTECTED] wrote:
 : George [EMAIL PROTECTED] wrote in message

 : I'm trying to develop a program for Macintosh and I need to operate on
 : very large numbers.  What is the best BigNum library for Macintosh where
 : the source code is also available?

 : Java has BigInteger and BigDecimal. As long as there is a JDK available for
 : your platform, you can write code that can run on any platform.

 OS <= 9 Java: http://www.apple.com/java/
 OS X Java: http://www.apple.com/macosx/java2.html

 The source code for BigInteger and BigDecimal is available.

The big number packages in the JDK work quite well; they even have embedded
functions for most cryptosystem implementations (like a secure random prime
number generator, modulo exponentials, etc.) - I have actually implemented the
basic RSA encryption from scratch in less than 100 lines of code. The only
problem is that Java is slow and encryption using Java is even slower.



--

Harris

- 'Malo e lelei ki he pongipongi!'




--

From: Tom St Denis [EMAIL PROTECTED]
Subject: Re: PRP = PRF (TRUNCATE)
Date: Tue, 05 Jun 2001 17:46:49 GMT


Scott Fluhrer [EMAIL PROTECTED] wrote in message
news:9fisbo$ngc$[EMAIL PROTECTED]...

 Tom St Denis [EMAIL PROTECTED] wrote in message
 news:VC2T6.31386$[EMAIL PROTECTED]...
  Reading the paper David pointed to a bit ago I see they have one way to

Cryptography-Digest Digest #527

2001-06-05 Thread Digestifier

Cryptography-Digest Digest #527, Volume #14   Tue, 5 Jun 01 17:13:01 EDT

Contents:
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: Def'n of bijection (SCOTT19U.ZIP_GUY)
  Re: Def'n of bijection (Mok-Kong Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: fast CTR like ciphers? (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: Welcoming another Anti-Evidence Eliminator stooge to USENET (Anonymous)
  Re: Def'n of bijection (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)



From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: 5 Jun 2001 19:58:14 GMT

[EMAIL PROTECTED] (Tim Tyler) wrote in [EMAIL PROTECTED]:

  Tim I think TOM is just trying to make an ass out of himself.
The thread will go nowhere. He will only twist it. He can't
even answer the simple fact that if one used CTR mode so
a one byte cipher text file decrypts to 256 messages. And
one used BICOM where a one byte output file could represent
thousands and thousands of possible input messages. He in
this example doesn't know which case is more secure. If he
can't comprehend the obvious why keep trying. He does not
want to know the truth. He doesn't care. You can give a pig
singing lessons but he's not going to learn. You just waste your
time and the pig's.




David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE OLD VERSION
http://www.jim.com/jamesd/Kong/scott19u.zip
My website http://members.nbci.com/ecil/index.htm
My crypto code http://radiusnet.net/crypto/archive/scott/
MY Compression Page http://members.nbci.com/ecil/compress.htm
**NOTE FOR EMAIL drop the roman five ***
Disclaimer:I am in no way responsible for any of the statements
 made in the above text. For all I know I might be drugged or
 something..
 No I'm not paranoid. You all think I'm paranoid, don't you!


--

From: Tom St Denis [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: Tue, 05 Jun 2001 20:25:06 GMT


SCOTT19U.ZIP_GUY [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 [EMAIL PROTECTED] (Tim Tyler) wrote in [EMAIL PROTECTED]:

   Tim I think TOM is just trying to make an ass out of himself.
 The thread will go nowhere. He will only twist it. He can't
 even answer the simple fact that if one used CTR mode so
 a one byte cipher text file decrypts to 256 messages. And
 one used BICOM where a one byte output file could represent
 thousands and thousands of possible input messages. He in
 this example doesn't know which case is more secure. If he
 can't comprehend the obvious why keep trying. He does not
 want to know the truth. He doesn't care. You can give a pig
 singing lessons but he's not going to learn. You just waste your
 time and the pig's.

Funny.  Why can't you answer any simple questions?

Again.

C = P + K mod 256
C = 55

What is P?

Tom



--

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: 5 Jun 2001 20:13:38 GMT

[EMAIL PROTECTED] (Tom St Denis) wrote in
PQaT6.36859$[EMAIL PROTECTED]: 


SCOTT19U.ZIP_GUY [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 [EMAIL PROTECTED] (Mark Wooding) wrote in
[EMAIL PROTECTED]:

 
 Hence, there are at most 256 possible plaintext messages for any
 one-byte ciphertext.  They might not all be one-byte long, but there
 are at most 256 of them.
 
 -- [mdw]
 

    Sorry but your whole analysis is full of shit. Even you could sit
 down and test decrypt 300 keys to decrypt one one-byte cipher text
 message. But like many you spout off shit that's wrong that you could
 easily test. But you have so much blind belief in your false Gods
 and false proof you don't even take the honest time to test it. Yes
 these are strong words but the simple fact is you're full of it.

Yes you can decrypt it.

The problem is you won't know when you found the key.

Try this.

C = P + K mod 256
C = 56

What was P or K?

In this case both P and K are decorrelated and C doesn't reveal P. 
Which is what the original argument was about.

So what if you could guess P=23.  There is no way to verify that's the
right answer.

Tom




  Tom are you retarded or what. You don't seem to know what the
hell is going on. The first person who may not know better 

Cryptography-Digest Digest #528

2001-06-05 Thread Digestifier

Cryptography-Digest Digest #528, Volume #14   Tue, 5 Jun 01 18:13:00 EDT

Contents:
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  One last bijection question (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: One last bijection question ([EMAIL PROTECTED])
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (JPeschel)
  Re: One last bijection question (Tom St Denis)
  Re: Welcoming another Anti-Evidence Eliminator stooge to USENET  (P.  Dulles / AKA Loki) (Keith)



From: Tom St Denis [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: Tue, 05 Jun 2001 21:10:44 GMT


Tim Tyler [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
 Tom St Denis [EMAIL PROTECTED] wrote:
 : Tim Tyler [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 : Tom St Denis [EMAIL PROTECTED] wrote:

 : : Yes there will be equivalent keys but not enough to tell from random.
 :
 : Tell /what/ from random.

 : Tell the plaintext. [...]

 I can very likely tell a randomly chosen plaintext from the decrypt of an
 1 byte cyphertext using CTR mode.

 Does the random plaintext have only 8 bits?  If not, I can immediately
 distinguish them.

Yes, but you are just brute forcing the key space.  If you encode for
example 384-bits (three AES blocks) in CTR mode you can most likely tell
when you get the key right.  However, getting the right key amounts to at
least 2^127 work if the key is random.

 : [...] a cyphertext only having 256 possible decrypts is a
 : problem with the orthodox CTR mode.

 : It's not a problem.  You're just not looking for the answer.

 AFAICS, your idea of an answer is one that isn't worth having ;-|

 : The truth is if the message has a prob of 1/256 and all outputs from the
 : cipher are equiprobable (i.e. 1/256) then it's provably secure for a
 : single byte only.

 Ah - you're sliding in that for a single byte only...

 As though we're discussing the trivial case of only 256 possible
messages...

Um yes that's what we were f$$$ talking about.  For geez sakes stay on the
same model!

 : Consider the cipher some simple like

 : C = P xor K

 : where we discard the 120 upper bits of C before xoring against the
message.
 : Don't you agree this is just an OTP?

 Yes - it's very much like an OTP.

(Hint it is an OTP)

 : Hence don't you agree it's provably secure?

 Of course it's not provably secure - unless you think only having 256
 possible plaintexts out of the possible billions is something worthwhile.

 We're trying to stop the attacker getting information about the message.
 Giving him the length of the message on a plate is a terrible start.

Why?  Tell me how you can find K from C knowing the length?

Just tell me why it's a problem.

Tom
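The two cases argued over above (a one-byte CTR ciphertext with 256 decrypts, and a three-block one where "you can most likely tell when you get the key right") as an added example in Python; this is not code from the thread. The keystream is HMAC-SHA256 over a block counter under a deliberately tiny 16-bit key, an assumption made so that the whole key space can be searched in a second or two (a real CTR keystream comes from a block cipher under a 128-bit key, which is what makes the same search infeasible). The key and the two messages are constructed for the demonstration.

```python
"""Exhaustive key search against a toy CTR-style cipher: one byte vs 48 bytes.

Added example; not code from the thread. Assumptions: keystream = HMAC-SHA256
(key, counter) with a 16-bit key so every key can be tried; TRUE_KEY, ONE_BYTE
and LONG_MSG are constructed sample inputs.
"""
import hashlib
import hmac

KEY_BITS = 16


def keystream(key: bytes, nbytes: int) -> bytes:
    """Concatenate PRF(key, 0), PRF(key, 1), ... and truncate to nbytes."""
    out = bytearray()
    ctr = 0
    while len(out) < nbytes:
        out += hmac.new(key, ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:nbytes])


def ctr_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse). Output length == input length."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, len(data))))


def all_keys():
    for k in range(1 << KEY_BITS):
        yield k.to_bytes(2, "big")


def candidate_plaintexts(ciphertext: bytes) -> dict:
    """Decrypt under every key: candidate plaintext -> number of keys giving it."""
    counts = {}
    for key in all_keys():
        p = ctr_crypt(key, ciphertext)
        counts[p] = counts.get(p, 0) + 1
    return counts


def looks_like_text(p: bytes) -> bool:
    """The recognition test an attacker applies to each trial decrypt."""
    return all(0x20 <= b < 0x7F for b in p)


def keys_giving_text(ciphertext: bytes) -> list:
    return [key for key in all_keys() if looks_like_text(ctr_crypt(key, ciphertext))]


# Constructed inputs (assumptions, not from the thread).
TRUE_KEY = (0xBEEF).to_bytes(2, "big")
ONE_BYTE = b"A"
LONG_MSG = b"The quick brown fox jumps over the lazy dog. 123"  # 48 bytes: three AES blocks' worth


def one_byte_case():
    """(ciphertext length, number of distinct candidates, fewest keys per candidate)."""
    c = ctr_crypt(TRUE_KEY, ONE_BYTE)
    cands = candidate_plaintexts(c)
    return len(c), len(cands), min(cands.values())


def long_case():
    """(ciphertext length, keys whose decrypt passes the recognition test)."""
    c = ctr_crypt(TRUE_KEY, LONG_MSG)
    return len(c), keys_giving_text(c)


if __name__ == "__main__":
    n, distinct, fewest = one_byte_case()
    print(f"1-byte ciphertext: {n} byte long, {distinct} candidate plaintexts, each "
          f"reachable by at least {fewest} keys -> the attacker learns only the length")
    n, hits = long_case()
    print(f"{n}-byte ciphertext: {len(hits)} key(s) decrypt to printable text: "
          f"{[h.hex() for h in hits]} (true key {TRUE_KEY.hex()})")
```

Within the set of one-byte messages the candidates are all 256 byte values, each reachable by about the same number of keys, which is the one-time-pad argument; at the same time the ciphertext length has already excluded every plaintext that is not exactly one byte long, which is the length leak. For the 48-byte ciphertext the recognition test singles out the true key: the ciphertext is far past the unicity distance, and the only thing protecting the message is the cost of the key search, which the 16-bit toy key removes.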



--

From: Tom St Denis [EMAIL PROTECTED]
Subject: One last bijection question
Date: Tue, 05 Jun 2001 21:15:10 GMT

Ok I thought bijections were when the codomain and domain are the same set.

http://www.dictionary.com/cgi-bin/dict.pl?term=surjection

Seems to support this thought.

A function f : A -> B is surjective or onto or a surjection if f A = B

Don't A and B represent the domain/codomain sets respectively?

I'm most likely wrong; can someone explain this?  The only other meaning
I can find is that A and B are not the same set but can map back and forth.
But isn't that an injection?

Arrg!
--
Tom St Denis
---
http://tomstdenis.home.dhs.org
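The three definitions asked about, checked mechanically on finite maps, as an added example that is not part of the post. It follows the dictionary entry quoted above: f : A -> B is a surjection if f A = B (every element of B is hit), an injection if distinct inputs give distinct outputs, and a bijection if both hold. A and B do not have to be the same set; for finite sets a bijection between them exists exactly when they have the same number of elements. The four sample maps and the S-box check are constructed for illustration.

```python
"""Injective, surjective, bijective: checked on finite maps.

Added example, not code from the post. The example maps are constructed;
the codomain is passed explicitly because injective/surjective are
properties of f together with its stated domain and codomain.
"""

def classify(f, domain, codomain) -> tuple:
    """Return (injective, surjective, bijective) for f : domain -> codomain."""
    codomain = set(codomain)
    image = set()
    injective = True
    for a in domain:
        fa = f(a)
        if fa not in codomain:
            raise ValueError(f"f({a!r}) = {fa!r} is outside the codomain")
        if fa in image:          # two inputs collide on one output
            injective = False
        image.add(fa)
    surjective = image == codomain
    return injective, surjective, injective and surjective


BYTES = range(256)
WORDS = range(1 << 16)


def add_one(x: int) -> int:
    """x -> x + 1 mod 256 on bytes: a bijection, domain and codomain the same set."""
    return (x + 1) & 0xFF


def clear_low_bit(x: int) -> int:
    """x -> x & 0xFE on bytes: neither injective nor surjective."""
    return x & 0xFE


def truncate(x: int) -> int:
    """16-bit word -> low byte: surjective, not injective (a permutation truncated
    to a shorter output is no longer invertible)."""
    return x & 0xFF


def spread(x: int) -> int:
    """byte -> 16-bit word x * 0x101: injective, not surjective; A != B here."""
    return x * 0x101


def sbox_invertible(sbox: list) -> bool:
    """A 256-entry byte substitution table is invertible iff it is a bijection;
    a cipher whose per-key map is not one cannot be decrypted unambiguously."""
    return len(sbox) == 256 and classify(lambda i: sbox[i], BYTES, BYTES)[2]
```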



--

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Reply-To: [EMAIL PROTECTED]
Date: Tue, 5 Jun 2001 21:12:05 GMT

SCOTT19U.ZIP_GUY [EMAIL PROTECTED] wrote:

:  Tim I think TOM is just trying to make ass out of himself

He seems to me to have been doing a lot of that recently:

First the unicity distance, then the bijection, and now the
CTR mode.  I guess we just rub him up the wrong way - so that
all of his conceptual problems come to the surface at once.

: The thread will go nowhere. He will only twist it. He can't
: even answer the simple fact that if one used CTR mode so
: a one byte cipher text file decrypts to 256 messages. And
: one used BICOM where a one byte output file could represent
: thousands and thousands of 

Cryptography-Digest Digest #529

2001-06-05 Thread Digestifier

Cryptography-Digest Digest #529, Volume #14   Tue, 5 Jun 01 19:13:00 EDT

Contents:
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: One last bijection question (Stanley Chow)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: One last bijection question (Tom St Denis)
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, and Large Primes (sisi jojo)
  Re: One last bijection question (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: Welcoming another Anti-Evidence Eliminator stooge to USENET (Tom St Denis)
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, and Large Primes (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: One last bijection question (Thorsten Holz)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)



From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Reply-To: [EMAIL PROTECTED]
Date: Tue, 5 Jun 2001 21:45:49 GMT

Tom St Denis [EMAIL PROTECTED] wrote:
: Tim Tyler [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
: Tom St Denis [EMAIL PROTECTED] wrote:
: : Tim Tyler [EMAIL PROTECTED] wrote in message

: : Which only gets us as far as an OTP - which has the *same* security
: : problem as counter mode if messages are of varying lengths and
: : the plaintexts and cyphertexts are of equal lengths.
:
: : What problem?
:
: Lack of perfect secrecy for a start.

: Given your limited understanding of perfect secrecy this doesn't mean
: much.

My *WHAT*!???

How is my understanding limited?

: : If all possible messages are uniformly distributed you have
: : no advantage hence you can't tell which message is the real one.
:
: In the case under discussion being given the cyphertext gives a *big*
: clue about the plaintext - namely its length.  That is likely
: to immediately rule out most plaintexts.

: Oh yes, the real plaintext can't be trillion bytes long.  So what?

So all possible messages are *not* uniformly distributed,
(given the cyphertext) - so there's *no* perfect secrecy, and your
argument that the attacker has no advantage collapses.

: : If all messages are uniformly distributed you can't find the real
: : message. [...]
:
: ...but since some messages are longer than 8 bits, the possible plaintexts
: are *not* uniformly represented by an 8-bit cyphertext.
:
: Some (the ones with 8 bits) have probability 1/256.  All other plaintexts
: have probability 0.  That is not a uniform distribution.

: Yes, but if you want to use math against me try using it right.  The
: messages > 1 byte are not part of the set.

They /are/ possible messages...

: The plaintext is assumed to be a byte thus 0x123456 is not a member of
: that set.

*No*.  The plaintext is *not* assumed to be a byte.  We're talking about
BICOM and CTR mode here.  These can encrypt more than just single byte
messages.  Assuming the plaintext is a byte is a ridiculous, unphysical
assumption.  What is your basis for assuming this?
-- 
__
 |im |yler  [EMAIL PROTECTED]  Home page: http://alife.co.uk/tim/

--

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: 5 Jun 2001 21:51:26 GMT

[EMAIL PROTECTED] (Tim Tyler) wrote in [EMAIL PROTECTED]:

SCOTT19U.ZIP_GUY [EMAIL PROTECTED] wrote:

:  Tim I think TOM is just trying to make ass out of himself

He seems to me to have been doing a lot of that recently:

First the unicity distance, then the bijection, and now the
CTR mode.  I guess we just rub him up the wrong way - so that
all of his conceptual problems come to the surface at once.

   I think that he does not reason well. He knows that I think
Wagner and Mr BS are pompous phonies. And I think he wishes
to appear knowledgeable in their eyes so he just argues to try
to look good without ever thinking about it. I think he wrongly
assumes Wagner would step in and correct his errors. But I am
sure he is just laughing at the whole situation. Wagner does
not want to say nice things about BICOM because it's not a product
from the crypto insiders' club. He can't stand to see an amateur
come up with something. But I am sure the big boys will
eventually steal the idea as their own and never give me or
Matt any credit for it.



: The thread will go nowhere. He will only twist it. He can't
: even answer the simple fact that if one used CTR mode so
: a one byte cipher text file decrypts to 256 messages. And
: one used BICOM where a one 

Cryptography-Digest Digest #530

2001-06-05 Thread Digestifier

Cryptography-Digest Digest #530, Volume #14   Tue, 5 Jun 01 20:13:01 EDT

Contents:
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: One last bijection question (Berton Allen Earnshaw)
  Are RS codes a type of PRF? (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  CTR mode, BICOM, and hiding plaintext length (David Hopwood)
  Re: BBS implementation (David Hopwood)
  Re: Def'n of bijection (David Hopwood)
  Lim-Lee vs safe primes for DH (David Hopwood)
  curious about MD3 (Tom St Denis)
  Re: Def'n of bijection ([EMAIL PROTECTED])
  Re: Best, Strongest Algorithm (gone from any reasonable topic) ([EMAIL PROTECTED])
  Re: One last bijection question (Douglas A. Gwyn)
  Re: CTR mode, BICOM, and hiding plaintext length (SCOTT19U.ZIP_GUY)
  Re: One last bijection question (Douglas A. Gwyn)



From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Reply-To: [EMAIL PROTECTED]
Date: Tue, 5 Jun 2001 22:32:39 GMT

Tom St Denis [EMAIL PROTECTED] wrote:
: Tim Tyler [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
: Tom St Denis [EMAIL PROTECTED] wrote:
: : Tim Tyler [EMAIL PROTECTED] wrote in message
: : Tom St Denis [EMAIL PROTECTED] wrote:
: : : Tim Tyler [EMAIL PROTECTED] wrote in message
: : : Tom St Denis [EMAIL PROTECTED] wrote:

: : : : Yes there will be equivalent keys but not enough to tell from
: : : : random.
: : :
: : : Tell /what/ from random.
: :
: : : Tell the plaintext. [...]
: :
: : I can very likely tell a randomly chosen plaintext from the decrypt of
: : an 1 byte cyphertext using CTR mode.
: :
: : Does the random plaintext have only 8 bits?  If not, I can immediately
: : distinguish them.
:
: : Yes, but you are just brute forcing the key space. [...]
:
: Nope - just checking lengths.

: WHY DOES THE LENGTH AUTOMATICALLY GIVE YOU THE MESSAGE?

It doesn't.  I never claimed it did.

: : Ah - you're sliding in that for a single byte only...
: :
: : As though we're discussing the trivial case of only 256 possible
: : messages...
:
: : Um yes that's what we were f$$$ talking about.  For geez sakes stay on
: : the same model!
:
: We are *not* discussing the case of 256 possible messages.  Both BICOM and
: CTR mode can encrypt *any* possible message.
:
: Given this wide distribution of possible messages, we are asking what
: security is offered when encrypting a particular 8-bit message in BICOM
: and CTR mode.
:
: BICOM with a 128 bit key maps it to one of 2^128 possible messages.
: CTR mode maps it to one of 256 messages.
:
: The latter produces an 8-bit cyphertext with only 256 possible
: interpretations.
:
: If you happened to know the message consisted entirely of space
: characters, you could uniquely identify the message!

: C = 88 5e f7 fe c1 78 f0 6d 61 c8 bc ac 3a a1 09 ae 12 6b 4e 46 58

: What is P?

Apparently unable to produce any other coherent reply, Tom presents me
with another of his idiotic challenges again :-(

: : Of course it's not provably secure - unless you think only having 256
: : possible plaintexts out of the possible billions is something
: : worthwhile.
: :
: : We're trying to stop the attacker getting information about the
: : message.
: : Giving him the length of the message on a plate is a terrible start.
:
: : Why?  Tell me how you can find K from C knowing the length?
:
: : Just tell me why it's a problem.
:
: You go round and round in circles.  I've responded in some detail to both
: these questions already.

: Well those are real questions. [...]

Which - as I have stated - I have already replied to, at least once.
-- 
__
 |im |yler  [EMAIL PROTECTED]  Home page: http://alife.co.uk/tim/

--

From: Berton Allen Earnshaw [EMAIL PROTECTED]
Subject: Re: One last bijection question
Date: 05 Jun 2001 16:31:15 -0600

Just to clarify: the words 'bijection' and 'isomorphism' are not the
same thing.  An isomorphism must also preserve the operations of the
two sets, while a bijection has no such requirement.

For example, if (A,x) and (B,X) are both groups with x being the
group-operation of A and X the group-operation of B, and if
f : A->B is an isomorphism, then f is a bijection *and* for all y,z in
A, f(y x z) = f(y) X f(z), i.e., f preserves the respective
group-operations.

-- 
Berton Earnshaw - [EMAIL PROTECTED]

--

From: Tom St Denis [EMAIL PROTECTED]
Subject: Are RS codes a type of PRF?
Date: Tue, 05 Jun 2001 22:45:55 GMT

As far as I can tell RS codes (Reed-Solomon) are a form of error correction
codes (???) that were (as an example) used in Twofish to map 8 bytes down to
4 bytes such that the distance is 5 bytes.

So could we make a 8-byte Feistel by appending a 4 byte key to one half to
make the 8 bytes then compute the RS code on it?

Do the remaining unfixed four bytes form a permutation 

Cryptography-Digest Digest #531

2001-06-05 Thread Digestifier

Cryptography-Digest Digest #531, Volume #14   Tue, 5 Jun 01 23:13:01 EDT

Contents:
  Re: Def'n of bijection (SCOTT19U.ZIP_GUY)
  Re: PRP = PRF (TRUNCATE) (Scott Fluhrer)
  Re: One last bijection question (Nicol So)
  Re: fast CTR like ciphers? (Scott Fluhrer)
  Re: One last bijection question (Robert J. Kolker)
  Re: One last bijection question (Nicol So)
  Re: fast CTR like ciphers? (Tom St Denis)
  Re: Quantum Computers with relation to factoring and BBS (rosi)
  function notation (injection, bijection, etc..) one last time (Tom St Denis)
  Re: function notation (injection, bijection, etc..) one last time ([EMAIL PROTECTED])
  Re: function notation (injection, bijection, etc..) one last time (Nicol So)
  Re: function notation (injection, bijection, etc..) one last time (Nicol So)
  Re: Quantum Computers with relation to factoring and BBS (Nicol So)
  Re: Knapsack security??? Ahhuh (rosi)
  Re: function notation (injection, bijection, etc..) one last time ([EMAIL PROTECTED])
  Re: Medical data confidentiality on network comms (wtshaw)



From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Def'n of bijection
Date: 5 Jun 2001 23:55:57 GMT

[EMAIL PROTECTED] (David Hopwood) wrote in
[EMAIL PROTECTED]: 


is indeed precisely why compression doesn't hinder an attacker in
recognising plaintext. Compression cannot change the total entropy of
the messages sent under a particular key: that is determined by the
usage characteristics of the application. Once sufficient messages have

  But Dave even you should know something about Shannon's theories.
If you compress you can increase the entropy per bit of the message
by the very fact of compression. And you miss a big point. For
many messages without compression they can be breakable because the
message is far greater than the Unicity distance. But that same
message may be unbreakable with compression. Not only because it
takes less cipher space but because the message may be less than
the Unicity distance.
  However I admit for very long files it's unlikely that
either message is shorter than the Unicity distance so if
one could check all messages either with compression or without
you would get the correct message. But you forget yet
another problem with modern ciphers, the fact that error propagation
is very low. That means if an attacker knows part of a message he
need only attack the blocks where that portion of the message is to
obtain a break. With say bijective arithmetic compression if he
knows what part of the file is say half way down, the attacker needs
to decrypt and uncompress everything up to and including that
point to get a test case.  It may be that with a known portion
of plain text a fast way to break those blocks may be possible.
With arithmetic compression even if you knew what the compressed
plain text was, it would be very hard to decompress a middle
portion of a file. As such it's less likely that a simple math
short cut could be used on that portion of the file.


been sent under a given key, there will be enough information to
brute-force it [*]. If we assume that the key size is fixed (i.e. not an
OTP), then compression makes no significant difference to when this
happens. Even though the distribution of decrypts will be a little
closer to the distribution of meaningful messages than it would 
otherwise have been, in practice there will still only be one
decrypt that is actually meaningful, and it will be easy to recognise
that decrypt automatically, for message distributions that occur in real
applications. Note that this is true even if codebooks are used, since
the messages in a typical codebook don't have anywhere near equal
probability of occurrence. 




[*] I know that David Scott handwaves about other attacks than
brute-force. 
However, he hasn't put forward any coherent argument as to how
bijective compression would help against such attacks. Note that
cryptanalytic attacks against commonly used block ciphers generally
require large amounts of *exact* known plaintext (at least). In
plausible situations where exact known plaintext would be available
- when data streams from multiple sources are encrypted under the
same key, for example - then it would be available whether
compressed or not. 

   If one has the plaintext, which I don't think Bin Laden or terrorists
are likely to give, yes, either with compression or no compression
you could figure out the key. As I have stated several times
this compression encryption does nothing to stop a full dumb
blind brute force search if you have a plaintext file in and
a cipher text file out and the time to do it.

   It's just that the cipher text output is what is the
easiest to get and where bijective compression helps the
most. Bijective compression definitely makes ciphertext
only attacks much harder.


   May I keep finding exceptions. But since hopefully a compressed
file is 

Cryptography-Digest Digest #515

2001-06-04 Thread Digestifier

Cryptography-Digest Digest #515, Volume #14   Mon, 4 Jun 01 14:13:00 EDT

Contents:
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Def'n of bijection (Anton Stiglic)
  Re: Def'n of bijection (Tim Tyler)
  Re: National Security Nightmare? (Douglas A. Gwyn)
  Re: National Security Nightmare? (Douglas A. Gwyn)
  Re: Def'n of bijection (Douglas A. Gwyn)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: Sv: Top Secret Crypto (Douglas A. Gwyn)



From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Reply-To: [EMAIL PROTECTED]
Date: Mon, 4 Jun 2001 16:11:11 GMT

I, Tim Tyler [EMAIL PROTECTED] wrote:

: I read an rather eloquent defense of counter mode not very long ago:
:   http://www.cs.berkeley.edu/~daw/papers/ctr-aes00.ps

: ``Comments to NIST Concerning AES-modes of Operations: CTR-mode Encryption''
:   - Helger Lipmaa, Phillip Rogaway, and David Wagner''

They say something else which seems open to debate as well - though it
strengthens their overall case, rather than weakening it.

Under a section entitled:

Perceived disadvantages of CTR mode they say:

``Successive blocks ctr and ctr + 1 usually have small Hamming
  difference. This has lead to the concern that an attacker can 
  obtain many plaintext pairs with a known small plaintext difference,
  which would facilitate the differential cryptanalysis. However, this
  concern is only valid if the underlying cipher is differentially
  weak. It is not the responsibility of a mode of operation to try to
  compensate (likely without success) for weaknesses in the underlying
  block cipher; this concern should be addressed when designing the block
  cipher.''

Fair enough.  However, ISTM that here a case is being made for relying on
the underlying block cypher where it is not necessary to do so.

A maximal period counter does not need to work by repeatedly adding 1 -
there are other types of counter that work just as well.

LFSRs are one candidate - probably a far superior candidate if you know
you're going to be in hardware.

Also, all the relevant properties of a +1 arithmetic counter appear to
be present in a +n counter where n is relatively prime to the size of
the counter.

A +n counter with a reasonable spread of set bits in n avoids the low
Hamming distance issue.

Since you can use a counter which avoids the possible stigmata of all the
high bits remaining fixed 99% of the time - and this has practically no
cost - I see no good reason to shy away from doing so.
-- 
__
 |im |yler  [EMAIL PROTECTED]  Home page: http://alife.co.uk/tim/
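The counter alternatives proposed in the post above, as an added example in Python that is not code from the post or from the Lipmaa/Rogaway/Wagner comments it quotes. The block cipher itself is left out: what CTR mode needs from the counter is that no block value repeats under one key, so the properties measured here are the period of each sequence and the Hamming distance between successive counter blocks. The 16-bit width (so the whole cycle can be enumerated), the odd stride constant 0x9E37 and the choice of LFSR polynomial are assumptions.

```python
"""Counter-block sequences for CTR mode: +1, +n with n odd, and an LFSR.

Added example, not code from the post. Assumptions: 16-bit counters so every
cycle can be walked in full; STRIDE = 0x9E37 as an odd constant with spread
bits; the LFSR uses the maximal-length polynomial x^16 + x^14 + x^13 + x^11 + 1.
"""

def hamming(a: int, b: int) -> int:
    """Number of bit positions in which a and b differ."""
    return bin(a ^ b).count("1")


def additive_counter(width: int, stride: int, start: int = 0):
    """Yield start, start+stride, start+2*stride, ... modulo 2**width.
    The period is 2**width / gcd(stride, 2**width): full whenever stride is odd."""
    mask = (1 << width) - 1
    x = start & mask
    while True:
        yield x
        x = (x + stride) & mask


def lfsr16(seed: int):
    """16-bit Fibonacci LFSR with taps 16, 14, 13, 11: visits all 2**16 - 1
    nonzero states before repeating, from any nonzero seed."""
    state = seed & 0xFFFF
    if state == 0:
        raise ValueError("LFSR seed must be nonzero")
    while True:
        yield state
        bit = (state ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
        state = (state >> 1) | (bit << 15)


def period(seq, limit: int) -> int:
    """Number of distinct values seq emits before its first repeat (capped at limit)."""
    seen = set()
    for x in seq:
        if x in seen or len(seen) >= limit:
            break
        seen.add(x)
    return len(seen)


def mean_successive_hamming(seq, count: int) -> float:
    """Average Hamming distance between consecutive counter blocks over count steps."""
    prev = next(seq)
    total = 0
    for _ in range(count):
        cur = next(seq)
        total += hamming(prev, cur)
        prev = cur
    return total / count


WIDTH = 16
N = 1 << WIDTH
STRIDE = 0x9E37      # odd, hence coprime to 2**16: same full period as +1

if __name__ == "__main__":
    for name, s in (("+1", 1), ("+2 (even: half period)", 2), (f"+{STRIDE:#x}", STRIDE)):
        print(f"{name:24s} period {period(additive_counter(WIDTH, s), N):6d}  "
              f"mean Hamming {mean_successive_hamming(additive_counter(WIDTH, s), N):.2f}")
    print(f"{'LFSR':24s} period {period(lfsr16(1), N):6d}  "
          f"mean Hamming {mean_successive_hamming(lfsr16(1), N - 1):.2f}")
```

Successive +1 blocks differ in about two bits on average (one bit plus the carry chain), while an odd stride with spread bits differs in roughly half the bit positions, which is the low-Hamming-distance objection being answered; the even stride is the failure mode, repeating after half the space. The security of CTR does not depend on which of these is used as long as the sequence never repeats under a key: against a block cipher that is a good pseudorandom permutation all three are equivalent, and the extra diffusion only matters in the hypothetical differentially weak case the quoted comments describe.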

--

From: Anton Stiglic [EMAIL PROTECTED]
Subject: Re: Def'n of bijection
Date: Mon, 04 Jun 2001 12:20:43 -0400


Yes.  One property that does hold is that the cardinalities of the 
sets are equal for finite sets.  For sets with infinitely many elements,
other properties hold (like you can't have a bijection between an
infinite enumerable set and an infinite non-enumerable set, like
between the set of all natural numbers |N and that of the real 
numbers |R).

--Anton

[EMAIL PROTECTED] wrote:
 
 [EMAIL PROTECTED] (John Savard) writes:
  [EMAIL PROTECTED] wrote, in part:
  Correct me if i am wrong but the whole point of the BICOM stuff was
  that all inputs map to an output and all elements on the output side
  map to an input.
 
  The point is, though, that in a bijection, the domain need not equal
  the range.
 
 Right--in other words, they need not be the same set. So Tom, you were
 abusing the equals sign when you said ``...from set A to set B, A=B?''
 
 Of course, in most discussions one remarks something like, ``From now on,
 we won't bother to distinguish set A from its image under the bijection.''
 After making that remark, you've given yourself permission to abuse the
 equals sign (or the subset symbol, in the case of an injection).
 
 Tom, a bijection is also known as a ``one-to-one correspondence''. All a
 bijection really establishes is that two sets have the same cardinality.
 
 Len.
 
 --
 We neglected the Noah principle: predicting rain doesn't count, building
 arks does.
 -- Warren Buffett, 1981

--

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Def'n of bijection
Reply-To: [EMAIL PROTECTED]
Date: Mon, 4 Jun 2001 16:32:16 GMT

SCOTT19U.ZIP_GUY [EMAIL PROTECTED] wrote:
: see.signature (Nicol So) wrote in [EMAIL PROTECTED]:
:Tom St Denis wrote:

: That means it's invertible and closed right 

Cryptography-Digest Digest #516

2001-06-04 Thread Digestifier

Cryptography-Digest Digest #516, Volume #14   Mon, 4 Jun 01 17:13:01 EDT

Contents:
  Re: Knapsack security??? Ahhuh (John Bailey)
  Re: Diffusion limits in block ciphers (Tim Tyler)
  Re: Diffusion limits in block ciphers (Tom St Denis)
  Re: Def'n of bijection (John Savard)
  Re: WEB PAGES (SCOTT19U.ZIP_GUY)
  Re: Welcoming another Anti-Evidence Eliminator stooge to USENET  (P.  Dulles / AKA Loki) (Dave Howe)
  Re: Welcoming another Anti-Evidence Eliminator stooge to USENET  (P.  Dulles / AKA Loki) (Tom St Denis)
  Re: Def'n of bijection (SCOTT19U.ZIP_GUY)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: Dynamic Transposition Revisited Again (long) ([EMAIL PROTECTED])
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, and Large Primes (Joseph Ashwood)
  Re: Def'n of bijection ([EMAIL PROTECTED])
  Re: National Security Nightmare? (SCOTT19U.ZIP_GUY)
  Re: WEB PAGES (SCOTT19U.ZIP_GUY)
  Re: Welcoming another Anti-Evidence Eliminator stooge to USENET  (Kyle Paskewitz)



From: [EMAIL PROTECTED] (John Bailey)
Subject: Re: Knapsack security??? Ahhuh
Date: Mon, 04 Jun 2001 18:43:20 GMT

On 3 Jun 2001 21:32:07 -0700, [EMAIL PROTECTED] (Merc42)
wrote:

I was wondering if there are any knapsack systems that are still
secure.  Any that don't use modular arithmetic to change the keys are
of special interest to me.  Furthermore, if anybody does know of any,
could you please tell me some reference where i could learn more about
them.  As always, any help is appreciated...

 I wonder too.  This post in January on this news group did not get
any responses.

(quoting myself)
I was amazed to note that the NTRU Public Key method:
(reference)
Public key cryptosystem method and apparatus
http://www.delphion.com/details?pn=US06081597__
is formally equivalent to a knapsack system.
Referencing the last section of the NTRU tutorial
http://www.ntru.com/technology/tutorials/pkcstutorial.htm
e = r*h + m, where e is the encrypted message, h is a public key, r is
randomly chosen and m is the message.
The message m is recovered by  finding f*e mod q mod p = m.
In the NTRU case,  e, r, h, m, and f are truncated polynomials
whereas, in the cases mentioned at the beginning of this post, they
would simply be large numbers.  In either case, essentially the same
modulo algebra applies, showing the recoverability of encrypted
plaintext using private keys.

Other knapsack systems:
A Comsat patent:
Simple and effective public-key cryptosystem 
http://www.delphion.com/details?pn=US04306111__
and
Diophantine encryption for public key encoding
http://www.frontiernet.net/~jmb184/interests/sci.crypt/numerical_encryption.html
In this last one, an encrypted message e = r*h + m*k where e is the
encrypted message, r is a random number, h and k are public key
values, and m is the encrypted message (number).  m is recovered by
computing m = e*g mod p mod q where g, p, and q are calculated from
the private keys.

Simplified knapsack systems are easily implemented and would provide
a nice means for simple, numeric-only public key tasks such as
symmetric key exchange except they have a history of being ultimately
breakable.

Quoting A. M. Odlyzko of Bell Labs:
The rise and fall of knapsack cryptosystems, 
http://www.research.att.com/~amo/doc/crypto.html
Abstract:
Cryptosystems based on the knapsack problem were among the first
public key systems to be invented, and for a while were considered to
be among the most promising. However, essentially all of the knapsack
cryptosystems that have been proposed so far have been broken. These
notes outline the basic constructions of these cryptosystems and
attacks that have been developed on them. (end quote)

Assuming the NTRU system has a new twist, are there also other
unexploited avenues in which the formalism for simple modulo knapsacks
might lead to interesting public key systems?  An example of such a
system might use digital Fourier Transforms (FFT) to form knapsacks,
along lines paralleling NTRU's use of truncated polynomials.

John Bailey

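A runnable toy of the two relations quoted above (e = r*h + m mod q, then f*e mod q mod p to recover m) in the truncated polynomial ring, added here as an illustration; it is not code from the post or from NTRU. It assumes deliberately tiny parameters (N = 11, p = 3, q = 97) and takes q prime so that ring inverses can be found by row-reducing the circulant matrix of f, instead of the Hensel lifting NTRU uses for q = 2^k. The message and the parameter choices are constructed for the example.

```python
"""Toy NTRU-style public-key encryption in Z[x]/(x^N - 1).

Added illustration, not code from the post or from NTRU.  Parameters are
far too small to be secure (assumption for readability); q = 97 is prime
so inverses come from Gaussian elimination rather than Hensel lifting.
"""
import random

N, P, Q = 11, 3, 97          # toy parameters (assumption: insecure, chosen for clarity)
ONE = [1] + [0] * (N - 1)    # multiplicative identity of the ring


def ring_mul(a, b, mod):
    """Product of two length-N coefficient lists modulo (x^N - 1) and mod."""
    c = [0] * N
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                c[(i + j) % N] = (c[(i + j) % N] + ai * bj) % mod
    return c


def ring_inverse(f, mod):
    """Inverse of f in Z_mod[x]/(x^N - 1) for prime mod, or None if f is not
    invertible.  Multiplication by f is the circulant matrix M with
    M[k][j] = f[(k - j) mod N]; solve M * x = ONE by row reduction."""
    aug = [[f[(k - j) % N] % mod for j in range(N)] + [ONE[k]] for k in range(N)]
    for col in range(N):
        pivot = next((r for r in range(col, N) if aug[r][col]), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        inv = pow(aug[col][col], -1, mod)
        aug[col] = [(v * inv) % mod for v in aug[col]]
        for r in range(N):
            if r != col and aug[r][col]:
                factor = aug[r][col]
                aug[r] = [(rv - factor * cv) % mod for rv, cv in zip(aug[r], aug[col])]
    return [row[N] for row in aug]


def centre(a, mod):
    """Lift coefficients from Z_mod into the symmetric range [-(mod-1)/2, (mod-1)/2]."""
    return [((c + mod // 2) % mod) - mod // 2 for c in a]


def ternary(d_plus, d_minus, rng):
    """Random polynomial with d_plus coefficients +1, d_minus coefficients -1, rest 0."""
    coeffs = [1] * d_plus + [-1] * d_minus + [0] * (N - d_plus - d_minus)
    rng.shuffle(coeffs)
    return coeffs


def keygen(rng):
    """Private key (f, f_p); public key h = p * f_q * g (mod q)."""
    while True:
        f = ternary(3, 2, rng)
        f_p, f_q = ring_inverse(f, P), ring_inverse(f, Q)
        if f_p is not None and f_q is not None:
            break
    g = ternary(2, 2, rng)
    h = ring_mul([P * c for c in f_q], g, Q)
    return (f, f_p), h


def encrypt(h, m, rng):
    """e = r*h + m (mod q) with a fresh random ternary blinding polynomial r."""
    r = ternary(2, 2, rng)
    return [(x + y) % Q for x, y in zip(ring_mul(r, h, Q), m)]


def decrypt(priv, e):
    """a = f*e (mod q) is p*r*g + f*m over the integers once centred, because
    every coefficient is far below q/2 at these sizes; reducing mod p then
    removes p*r*g, and f_p cancels the factor f."""
    f, f_p = priv
    a = centre(ring_mul(f, e, Q), Q)
    return centre(ring_mul(f_p, [c % P for c in a], P), P)


def demo(seed=0):
    """Round-trip a fixed ternary message; returns (message, recovered, checks)."""
    rng = random.Random(seed)
    (f, f_p), h = keygen(rng)
    m = [1, -1, 0, 1, 0, 0, -1, 1, 0, 0, -1]   # constructed 11-coefficient message
    recovered = decrypt((f, f_p), encrypt(h, m, rng))
    checks = {"f*f_p == 1 (mod p)": ring_mul(f, f_p, P) == ONE,
              "round_trip": recovered == m}
    return m, recovered, checks


if __name__ == "__main__":
    print(demo())
```

With these weights every coefficient of p*r*g + f*m is at most 17 in absolute value, comfortably inside (-q/2, q/2), so the centred lift is exact and decryption never fails; shrinking q or raising the ternary weights is the quickest way to watch decryption failures appear, which is the parameter-selection constraint that real NTRU deployments have to respect. The `encrypt` function also makes the post's knapsack observation concrete: e - m is r*h, a modular subset-sum over the rotations of h.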
--

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Diffusion limits in block ciphers
Reply-To: [EMAIL PROTECTED]
Date: Mon, 4 Jun 2001 19:02:06 GMT

Scott Fluhrer [EMAIL PROTECTED] wrote:

: You are correct, everything being equal, larger blocks are better than
: smaller ones.  However, no matter what you diffuse the information over, the
: diffusion really must be complete -- any partial diffusion [1] can give the
: attacker clues about what the last few rounds look like, and that's a Very
: Bad Thing.  And, as the size of the block grows, it tends to get
: increasingly difficult to maintain the amount of diffusion (without also
: increasing the amount of time spent per bit encrypting), and hence in
: practice, we tend to arrive at a compromise, where the block size is big
: enough that we 

Cryptography-Digest Digest #519

2001-06-04 Thread Digestifier

Cryptography-Digest Digest #519, Volume #14   Mon, 4 Jun 01 21:13:01 EDT

Contents:
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: Def'n of bijection (Tim Tyler)
  Re: Def'n of bijection (Tom St Denis)
  Re: Def'n of bijection ([EMAIL PROTECTED])
  Re: Def'n of bijection ([EMAIL PROTECTED])
  Re: Def'n of bijection (John Savard)
  Re: Def'n of bijection (Tom St Denis)
  Re: Def'n of bijection (Robert J. Kolker)
  Re: Def'n of bijection (Tom St Denis)
  Re: Def'n of bijection (SCOTT19U.ZIP_GUY)
  Re: Def'n of bijection (SCOTT19U.ZIP_GUY)
  Re: Def'n of bijection (SCOTT19U.ZIP_GUY)
  Re: about DH parameters  germain primes (Gregory G Rose)
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, and Large Primes (Gregory G Rose)



From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: 4 Jun 2001 22:56:28 GMT

[EMAIL PROTECTED] (Tom St Denis) wrote in
L4US6.27321$[EMAIL PROTECTED]: 

>> Ideally for security, the cyphertext should contain no information
>> that suggests any plaintext is more likely than any other (Shannon's
>> perfect secrecy).
>
> yes I agree.  If you have 256 states that's a prob of 1/256.  Think
> about it.  It must add up to 1 so 1/256 over 256 symbols is the lowest
> possible bound.  (do the math)
>
>> Here we have a case where the cyphertext eliminates every possible
>> plaintext *except* for 256.  This is a *tiny* figure - and
>> may well represent a massive gain in information on the part
>> of the attacker upon observation of the cyphertext.
>
> Not really.  Given an 8-bit message, if you can't tell it from any other
> 8-bit message with a prob higher than 1/256 then you have no advantage.
> (Note if this bound is followed it's equivalent to an OTP)


   I think you're suffering from a BRAIN FART. You seem to mistake
what the 8-bit message really is. But that's no surprise, you don't
seem to learn anything. But if you use something so weak as CTR
and you get one byte output. You seem to realize that is 1 of 256
possible input values for a single byte input. Each of the values
could stand for a separate message. In the weak CTR case you have
only 256 separate messages that could have been sent. You're being
a complete ass on the use of an OTP. For any OTP system to have
perfect security you need to use a pad that outputs a file
of the length of the longest piece of information you need.
That means for short messages you need the same size pad as for
long messages. Your BRAIN FART has caused you to become stupid
and not see that. If you have thousands of messages assigned to
various lengths, and out of those messages you assign 256 to
be used in a one byte file for a one byte cipher text output,
you don't have anything close to perfect security. You're a fool
to believe that reducing a large set of possible messages to
a pool of 256 makes no security difference. Your brain sees
the comparison of CTR to an OTP and then your brain FARTS
and stops working.  OK foolish child, since 1 out of 256 makes
zero security difference, at what number of messages do you
stop worrying? If an attacker can limit it to two messages
is that still not a security issue according to your brain?
 


David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE OLD VERSION
http://www.jim.com/jamesd/Kong/scott19u.zip
My website http://members.nbci.com/ecil/index.htm
My crypto code http://radiusnet.net/crypto/archive/scott/
MY Compression Page http://members.nbci.com/ecil/compress.htm
**NOTE FOR EMAIL drop the roman five ***
Disclaimer:I am in no way responsible for any of the statements
 made in the above text. For all I know I might be drugged or
 something..
 No I'm not paranoid. You all think I'm paranoid, don't you!

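The two positions in the exchange above can be put side by side with a little entropy bookkeeping. The following is an added illustration, not code from the thread; it assumes a constructed message distribution: 256 equally likely one-byte messages sharing half the probability mass, and four 8-byte messages sharing the other half. For a length-preserving cipher such as CTR mode it computes how much an observer learns from the ciphertext length alone, and then repeats the calculation after padding every message to one fixed length.

```python
"""Information leaked by ciphertext length under a length-preserving cipher.

Added illustration, not code from the digest.  The message distribution is
constructed for the example; the cipher itself is abstracted away, since the
only property used is len(C) == len(M) (true of CTR mode).
"""
from math import log2
from collections import defaultdict


def entropy(dist):
    """Shannon entropy in bits of a {outcome: probability} mapping."""
    return -sum(p * log2(p) for p in dist.values() if p > 0)


def length_leak(messages):
    """For a cipher with len(C) == len(M), return the triple
    (H(M), H(M | len(C)), I(M; len(C))) in bits, given {plaintext: prob}."""
    by_len = defaultdict(dict)
    for m, p in messages.items():
        by_len[len(m)][m] = p
    h_cond = 0.0
    for group in by_len.values():
        p_len = sum(group.values())              # Pr[len(C) == this length]
        h_cond += p_len * entropy({m: p / p_len for m, p in group.items()})
    h_m = entropy(messages)
    return h_m, h_cond, h_m - h_cond


def pad_to(messages, block_len):
    """Pad every plaintext to one fixed length (0x80 then zero bytes, the
    ISO/IEC 7816-4 scheme) so ciphertext length no longer depends on M."""
    out = {}
    for m, p in messages.items():
        assert len(m) < block_len, "message too long for the chosen block"
        out[m + b"\x80" + b"\x00" * (block_len - len(m) - 1)] = p
    return out


def constructed_distribution():
    """256 one-byte messages (total probability 1/2, uniform within) plus
    four 8-byte messages (total probability 1/2, uniform within)."""
    dist = {bytes([i]): 0.5 / 256 for i in range(256)}
    for word in (b"ATTACK!!", b"RETREAT!", b"HOLDFIRE", b"ADVANCE!"):
        dist[word] = 0.5 / 4
    return dist


def compare():
    """Leak with CTR-style length preservation versus fixed-length padding."""
    dist = constructed_distribution()
    return {"ctr": length_leak(dist), "padded": length_leak(pad_to(dist, 16))}


if __name__ == "__main__":
    for name, (h, h_cond, leak) in compare().items():
        print(f"{name:7s} H(M)={h:.2f}  H(M|len)={h_cond:.2f}  I(M;len)={leak:.2f} bits")
```

Both sides of the argument show up in the numbers. Conditioned on seeing a one-byte ciphertext, the 256 candidates are exactly equiprobable, which is the 1/256 bound Tom St Denis describes; but the length itself carries one full bit about which half of the message space was used, and a fixed-length padding scheme (as an OTP sized to the longest message would give) reduces that leak to zero. Length leakage of this kind is why traffic-analysis resistant protocols pad to fixed sizes.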

--

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Def'n of bijection
Reply-To: [EMAIL PROTECTED]
Date: Mon, 4 Jun 2001 23:42:02 GMT

Joseph Ashwood [EMAIL PROTECTED] wrote:

: There are several variations on bijectivity that are used around here. The
: most fundamental is the bijective term as it applies in generic computer
: science [...]

: Scott often places different restrictions, restrictions which make sense in
: certain contexts but (like all of these) are inappropriate for some
: situations. I will call this B-bijectivity for now. B-bijectivity requires
: that Set A = Set B, this immediately implies |A| = |B|. Commonly Scott fixes
: the Set A to be the set of all n-OCTET length files.

That has nothing to do with bijectivity - as David Scott is well aware.

Look, here is David Scott in sci.crypt on March 25, 2001:

``It maps all messages made up of only letters A-Z to ALL binary files
  you pick the number and values of bytes you want and when uncompressed
  it goes to files of A-Z and is BIJECTIVE.''

A bijection that's not a permutation.  It seems David Scott does not
restrict himself to 
