Cryptography-Digest Digest #532

2001-06-06 Thread Digestifier

Cryptography-Digest Digest #532, Volume #14   Wed, 6 Jun 01 03:13:01 EDT

Contents:
  Re: Medical data confidentiality on network comms (wtshaw)
  Re: practical birthday paradox issues (Dirk Bruere)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (JPeschel)
  Bow before your new master (Brent K Kohler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: Medical data confidentiality on network comms (Richard D. Latham)
  Re: practical birthday paradox issues (Richard D. Latham)
  Re: And the FBI, too (Re: National Security Nightmare?) (Paul Crowley)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (JPeschel)
  Re: PRP = PRF (TRUNCATE) (Gregory G Rose)
  Re: Bow before your new master (Mike S.)
  Re: fast CTR like ciphers? (Scott Fluhrer)
  Re: Welcoming another Anti-Evidence Eliminator stooge to USENET (P. Dulles / AKA Loki) (Eric Lee Green)



From: [EMAIL PROTECTED] (wtshaw)
Crossposted-To: comp.security.misc
Subject: Re: Medical data confidentiality on network comms
Date: Tue, 05 Jun 2001 20:39:43 -0600

In article [EMAIL PROTECTED], Mok-Kong Shen
[EMAIL PROTECTED] wrote:

...
 An emergency doctor may need some data while the patient
 isn't in a position to give authorization and the like.
 Once he gets that, it's difficult to prevent him to
 secretly use it in illegal ways. It's basically a trust
 that the patients have on the doctors in general. Note
 also that there are other persons that help them, e.g.
 the nurses etc. It would be extremely costly to absolutely
 block the possibility of leaking information in all 
 situations, if that were technically possible at all. Thus 
 an ideal tight protection is infeasible in my humble view. 
 There are on the other hand ethical committees of 
 organizations of doctors which deal with cases where some 
 of them behave in bad ways. That takes care of the issues 
 like the one you mentioned about publishing, if I don't err.
 
 M. K. Shen

Patients should support ethical doctors as well.  While it is difficult
for them to openly punish those that aren't, with better communications,
those tempted to be up to no good should fear people finding out who did
what to whom and when.
-- 
Sign for the White House lawn: 

WARNING! Irresponsible Parents Live Here.

--

From: Dirk Bruere [EMAIL PROTECTED]
Subject: Re: practical birthday paradox issues
Date: Mon, 4 Jun 2001 03:58:18 +0100


Tim Tyler [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
 Scott Fluhrer [EMAIL PROTECTED] wrote:

 [finding birthday collisions]

 : But, you say, isn't doing all that infeasible?  Yes, at current
technology,
 : it is, and that is why NSA settled for 160 bits output for SHA-1...

 If the same rationale applies to SHA-256, SHA-384 and SHA-512
 [http://csrc.nist.gov/cryptval/shs.html] I fear there may have
 been some hardware breakthroughs behind closed doors ;-)

One might make a guess at h/w capability given that the old WW2 custom
electromech system was roughly as powerful as a Pentium 100MHz.

Dirk



--

From: [EMAIL PROTECTED] (JPeschel)
Date: 06 Jun 2001 03:16:23 GMT
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)

Tim Tyler [EMAIL PROTECTED] writes, in part:

JPeschel [EMAIL PROTECTED] wrote:
: Tim Tyler [EMAIL PROTECTED] writes, in part:

:OTPs do *not* have perfect secrecy if messages can be of varying lengths
:and the plaintexts and cyphertexts are of equal lengths.

: I don't follow this. It sounds as if you are re-defining an OTP.

What don't you follow about it?

I'm talking about a system involving a one-time random key stream, XORing
it with the plaintext, and producing a cyphertext the same length as
the plaintext.

That's an OTP and its secrecy is perfect.

I am claiming that the result does not have perfect secrecy - assuming a
reasonable space of variable length files as possible messages.

What you've written immediately above suggests an additional property
for an OTP that leads me to believe you are re-defining OTPs.

This is the system Tom is calling a OTP.  He uses it by analogy with CTR
mode to claim that CTR mode is proven secure with small plaintexts.

Tom, I think, was using the accepted definition.

I don't much mind what name is given to the system I described.
I'm not trying to redefine anything.
-- 

Names are important; otherwise no one will have a clue what you're talking
about.
If you insist upon an additional property that an OTP must possess, you
are re-defining it, and I am not sure why, or to what purpose.

Joe
__

Joe Peschel 
D.O.E. SysWorks 
http://members.aol.com/jpeschel/index.htm
__


--

From: Brent K Kohler [EMAIL PROTECTED]
Subject: Bow before your new 

Cryptography-Digest Digest #533

2001-06-06 Thread Digestifier

Cryptography-Digest Digest #533, Volume #14   Wed, 6 Jun 01 09:13:01 EDT

Contents:
  Re: function notation (injection, bijection, etc..) one last time (Mok-Kong Shen)
  Re: function notation (injection, bijection, etc..) one last time (Mok-Kong Shen)
  Re: Def'n of bijection (Tim Tyler)
  Re: Bow before your new master (Paul Burke)
  Re: Def'n of bijection (Tim Tyler)
  cheksum on keyfile (Gisli Sigurdsson)
  Re: CTR mode, BICOM, and hiding plaintext length (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mark Wooding)
  Re: fast CTR like ciphers? (Tom St Denis)
  Re: function notation (injection, bijection, etc..) one last time (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mark Wooding)
  Re: cheksum on keyfile (Mats Kindahl)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: Def'n of bijection (Tim Tyler)
  Re: Bow before your new master (Robert Strand)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)



From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: function notation (injection, bijection, etc..) one last time
Date: Wed, 06 Jun 2001 09:44:14 +0200



Tom St Denis wrote:
 
 It seems each time I ask people feud over terminology.
 
 Let me try again :-)
[snip]

Please don't misunderstand me but I think that for such
questions it is best to consult a textbook on algebra.
You would certainly find plenty of them in your local
library. The one that I happen to have at hand and I
find to be quite good is:

L. E. Sieger, Algebra. Springer-Verlag.

M. K. Shen

--

From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: function notation (injection, bijection, etc..) one last time
Date: Wed, 06 Jun 2001 09:57:46 +0200



Mok-Kong Shen wrote:
 
 L. E. Sieger, Algebra. Springer-Verlag.

Shame, I often make typos. The name is Sigler.

M. K. Shen

--

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Def'n of bijection
Reply-To: [EMAIL PROTECTED]
Date: Wed, 6 Jun 2001 08:13:06 GMT

[EMAIL PROTECTED] wrote:
: Tim Tyler [EMAIL PROTECTED] writes:
: [EMAIL PROTECTED] wrote:

:: In other words, you are hoping that false positives are more likely.

[...]

:: ...some result in that direction is needed for BICOM to provide
:: any benefit at all. You don't seem to realize that any such result
:: is needed.
: 
: This result seems unnecessary to me because I see it as being
: rather obvious.

: Ah! It's true, because it's obvious! Why didn't I see that before!

Well, it's obvious to *me*.  I accept that doesn't necessarily mean that
it's obvious to everyone else.  Thus my explanations.

: This issue is *central* to any claims of increased security for BICOM.

Note that it applies to any compression program, not just BICOM.

: Therefore, it needs proof, not handwaving.

: And the idea doesn't even ``seem'' obvious, because of one fact you
: keep ignoring: even if BICOM gives a bijection of binary files to
: itself, almost all preimages under BICOM are not in fact plausible
: messages.

Well, if they were it would be really, really obvious - rather than just
obvious.

: There is no a priori reason to believe that potential decrypts will be
: rich in plausible messages; [...]

...except for the fact that compression makes target files smaller, while
increasing the lengths of other files, thus making their density at
small output sizes greater.

: indeed it seems rather unlikely.

Well, to *you*, maybe.

: You seem to accept already that an optimal compressor is likely to
: make rejecting keys practically impossible. [...]

: No I don't, because it's completely false.

:-(

: It might sometimes prove true, but only by coincidence: if the quantity
: of encrypted information turns out to be close to the quantity of key
: material, then security may be very high.

You can use a three bit key and compress huge files.  If all
decompressions look like plausible messages it will be hard
for an attacker to tell which one was intended.
-- 
__
 |im |yler  http://rockz.co.uk/  http://alife.co.uk/  http://atoms.org.uk/

--

From: Paul Burke [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Crossposted-To: alt.drugs.pot,sci.electronics.design,sci.electronics.repair,sci.environment
Subject: Re: Bow before your new master
Date: Wed, 06 Jun 2001 08:23:22 +

Mike S. wrote:

 if you take into account the on-purpose attempts at sounding
 redneck and inflaming readers.  

I for one am against discrimination based on neck colour. Smash
cervicism!

Paul Burke

--

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Def'n of bijection
Reply-To: [EMAIL PROTECTED]
Date: 

Cryptography-Digest Digest #534

2001-06-06 Thread Digestifier

Cryptography-Digest Digest #534, Volume #14   Wed, 6 Jun 01 10:13:01 EDT

Contents:
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: PRP = PRF (TRUNCATE) (Nicol So)
  Re: PRP = PRF (TRUNCATE) (Nicol So)
  Re: function notation (injection, bijection, etc..) one last time ([EMAIL PROTECTED])
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Def'n of bijection (Mok-Kong Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) ([EMAIL PROTECTED])
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Welcoming another Anti-Evidence Eliminator stooge to USENET  (P.(John Myre)
  Re: Are RS codes a type of PRF? (Niels Ferguson)



From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Reply-To: [EMAIL PROTECTED]
Date: Wed, 6 Jun 2001 12:32:18 GMT

Tom St Denis [EMAIL PROTECTED] wrote:
: SCOTT19U.ZIP_GUY [EMAIL PROTECTED] wrote in message
: [EMAIL PROTECTED] (Tom St Denis) wrote in
: SCOTT19U.ZIP_GUY [EMAIL PROTECTED] wrote in message

:   Tell what little get a third party to encrypt using your ctr
: mod a one cipher text output file. I will guess the input. I may
: be wrong. Then you get to guess the input to a one byte output
: file encrypted with BICOM. If you miss I guess again. And we
: keep doing this till one gets it right. I am willing to put
: a thousand bucks on this. On second thought you go first.
: Do you feel secure enough to really bet. I doubt it.

: As long as all messages are uniformly probable you win. [...]

: It's still uniformly distributed... so again I win.

So, would you like to take that bet?  Or not?
-- 
__
 |im |yler  [EMAIL PROTECTED]  Home page: http://alife.co.uk/tim/

--

From: Nicol So [EMAIL PROTECTED]
Subject: Re: PRP = PRF (TRUNCATE)
Date: Wed, 06 Jun 2001 08:48:12 -0400
Reply-To: see.signature

Gregory G Rose wrote:
 
 A PRP (by definition) produces every output value
 in its range once, and only once, if you enumerate
 the possible inputs. Now ignore for a moment that
 a PRF need not have a restricted domain, and
 assume the same set of 2^N inputs (N-bit inputs
 and outputs). Then *on average* each output
 appears once. But if the PRF is for real,
 approximately 1/e of the outputs won't appear at
 all, and some will appear multiple times. (If I
 recall correctly, the number of occurrences of a
 particular value is poisson distributed, but don't
 hold me to that...)
 
 This difference still applies as you truncate the
 output of a PRP. For example, take the silly case
 where you just drop one bit. Now each output value
 appears exactly twice for a PRP, and on average
 twice for a PRF, but sometimes *more* than twice.
 As soon as you notice a value appear three times,
 you know that it was a truncated PRF. Conversely,
 based on the expected distribution of outputs,
 when you have enough inputs and have *not* seen a
 distribution anomaly, you know you were truncating
 a PRP, not a PRF.

What you said is true, but it doesn't mean that you can efficiently tell
whether a truncated PRF is a truncated PRP. If that were possible, you
could turn it into an efficient test for telling whether a PRF is a PRP. 

As you scale up the scheme, it will be more and more difficult to detect
the statistical anomaly caused by collisions in a non-PRF PRP.
Asymptotically, no efficient computer can tell whether a PRF is a PRP
significantly better than blind guessing.

-- 
Nicol So, CISSP // paranoid 'at' engineer 'dot' com
Disclaimer: Views expressed here are casual comments and should
not be relied upon as the basis for decisions of consequence.
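
Rose's thought experiment above, worked through as an added example (not code from any poster): a random permutation and a random function on N-bit values stand in for an ideal PRP and PRF, one output bit is dropped, and the whole domain is enumerated. The truncated permutation shows every value exactly twice; the truncated function does not, which is the distinguisher Rose describes, and the 2^N queries it consumes are Nicol So's objection that the test does not stay efficient as N grows.

```python
import random
from collections import Counter


def random_permutation(n_bits, seed):
    """A random permutation on n-bit values: a stand-in for an ideal PRP.
    table[x] is the output for input x."""
    rng = random.Random(seed)
    table = list(range(1 << n_bits))
    rng.shuffle(table)
    return table


def random_function(n_bits, seed):
    """A random function on n-bit values: a stand-in for an ideal PRF.
    Outputs are drawn independently, so some values repeat and some never
    appear (about 1/e of them, as Rose says)."""
    rng = random.Random(seed)
    size = 1 << n_bits
    return [rng.randrange(size) for _ in range(size)]


def truncated_histogram(table, drop_bits):
    """How often each truncated output value occurs when every input in the
    domain is enumerated. This is the expensive part: it needs all 2^N
    queries, which is why the test does not scale to real block sizes."""
    return Counter(y >> drop_bits for y in table)


def looks_like_permutation(table, drop_bits):
    """Rose's distinguisher. After dropping drop_bits bits, a permutation
    produces each surviving value exactly 2**drop_bits times; a random
    function almost surely produces some value more often than that."""
    expected = 1 << drop_bits
    n_values = len(table) >> drop_bits
    hist = truncated_histogram(table, drop_bits)
    return len(hist) == n_values and all(c == expected for c in hist.values())


def missing_output_fraction(table):
    """Fraction of the range that is never hit: 0 for a permutation, close
    to 1/e (about 0.37) for a random function over the same domain."""
    size = len(table)
    return 1 - len(set(table)) / size


if __name__ == "__main__":
    prp, prf = random_permutation(8, 1), random_function(8, 1)
    print("truncated PRP uniform:", looks_like_permutation(prp, 1))
    print("truncated PRF uniform:", looks_like_permutation(prf, 1))
    print("PRF outputs never seen: %.3f" % missing_output_fraction(prf))
```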

--

From: Nicol So [EMAIL PROTECTED]
Subject: Re: PRP = PRF (TRUNCATE)
Date: Wed, 06 Jun 2001 08:51:58 -0400
Reply-To: see.signature

Nicol So wrote:
 
 What you said is true, but it doesn't mean that you can efficiently tell
 whether a truncated PRF is a truncated PRP. If that were possible, you
 could turn it into an efficient test for telling whether a PRF is a PRP.
 
 As you scale up the scheme, it will be more and more difficult to detect
 the statistical anomaly caused by collisions in a non-PRF PRP.
^^^

Typo. What I meant was a PRF which is not a permutation.

 Asymptotically, no efficient computer can tell whether a PRF is a PRP
 significantly better than blind guessing.
 
 --
 Nicol So, CISSP // paranoid 'at' engineer 'dot' com
 Disclaimer: Views expressed here are casual comments and should
 not be relied upon as the basis for decisions of 

Cryptography-Digest Digest #535

2001-06-06 Thread Digestifier

Cryptography-Digest Digest #535, Volume #14   Wed, 6 Jun 01 12:13:01 EDT

Contents:
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, and Large Primes (Bob Silverman)
  Re: Def'n of bijection (Tim Tyler)
  Re: Definition of 'key' (Bob Silverman)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Brute-forcing RC4 (S Degen)
  Re: fast CTR like ciphers? (Tim Tyler)
  Re: fast CTR like ciphers? (Volker Hetzer)
  Factoring via BBS cycle length (Tom St Denis)
  Re: Brute-forcing RC4 (Ichinin)
  Re: Def'n of bijection (Mok-Kong Shen)
  Re: fast CTR like ciphers? (Tim Tyler)
  Re: Medical data confidentiality on network comms (Barry Margolin)
  Re: Def'n of bijection (Douglas A. Gwyn)
  Re: Def'n of bijection (Douglas A. Gwyn)
  Re: Def'n of bijection (Douglas A. Gwyn)
  Re: Def'n of bijection (Douglas A. Gwyn)
  Re: function notation (injection, bijection, etc..) one last time (Robert J. Kolker)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Medical data confidentiality on network comms (Mok-Kong Shen)
  Re: Def'n of bijection ([EMAIL PROTECTED])



From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: 6 Jun 2001 14:07:27 GMT

[EMAIL PROTECTED] (Mok-Kong Shen) wrote in 3B1E3235.89950379@t-online.de:



SCOTT19U.ZIP_GUY wrote:
 
[snip]
   If the definition is true, then for the set of messages to be
 encrypted, the key has to be as long as the longest message.
 If a shorter cipher text is sent then you have learned that the
 longest message was not sent. That is information about the secret
 message. It violates Shannon's definition.

I have a dumb question: If I have a short message to 
send and the key is longer, what should I do? Need I 
pad it to the length of the key and send that longer
stuff? Thanks.

M. K. Shen


  It's not a dumb question. Most of the time you don't
need perfect security.  But if you have a wide mix
of messages I would try to pad in a bijective way to
some minimum size. However being secure and perfectly
secure are two different things. And in general if you
have a short message less than the key it most likely
can't be solved for.  All that may be required for safety
is that many keys lead to a false solution. All perfect
security really does is give zero information. But just
like an OTP is not practical in most cases. Sending long
encrypted messages is not practical either. It is just
something to think about. For example if you're encrypting
an answer to a yes/no question someone asked. And it
is known you will answer yes or no it would be foolish
to use something as weak as AES in CTR mode where file length
does not change. Since attacker would know XQ is no
while RTG is yes.

David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE OLD VERSION
http://www.jim.com/jamesd/Kong/scott19u.zip
My website http://members.nbci.com/ecil/index.htm
My crypto code http://radiusnet.net/crypto/archive/scott/
MY Compression Page http://members.nbci.com/ecil/compress.htm
**NOTE FOR EMAIL drop the roman five ***
Disclaimer:I am in no way responsible for any of the statements
 made in the above text. For all I know I might be drugged or
 something..
 No I'm not paranoid. You all think I'm paranoid, don't you!


--

From: [EMAIL PROTECTED] (Bob Silverman)
Subject: Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, and Large Primes
Date: 6 Jun 2001 07:10:53 -0700

Tom St Denis [EMAIL PROTECTED] wrote in message 
news:XRcT6.38998$[EMAIL PROTECTED]...
 sisi jojo [EMAIL PROTECTED] wrote in message
 news:[EMAIL PROTECTED]...
  Joseph Ashwood [EMAIL PROTECTED] wrote in message
  news:ebvtZ6S7AHA.201@cpmsnbbsa09..
 
  I don't have much time to write long messages today. But here's my answer
 
  Maybe the approach is wrong. That's why nobody can solve it.
 
  You go through years of education to learn the wrong approach, which is
  proven to be not useful. That's something funny about our education
  system.
 
  If you want a problem to be solved, show it to a kid and let him develop
  an answer fresh from the beginning.

Replying to sisijojo:

You need a certain minimal background and mathematical maturity before
tackling hard problems.  You need experience in knowing what works and
what doesn't work. The idea that some naive kid will pop out of nowhere
and solve a hard problem BECAUSE HE HAS NOT LEARNED THE WRONG APPROACH
is ludicrous. 

It also takes sophistication to know when elementary approaches to a problem
can never work.  For example, consider attempts (by amateurs) to prove FLT
by considering the equation mod p, for one or more primes p, then attempting
to draw conclusions about the equation over Q from deductions about the
equation mod 

Cryptography-Digest Digest #536

2001-06-06 Thread Digestifier

Cryptography-Digest Digest #536, Volume #14   Wed, 6 Jun 01 14:13:01 EDT

Contents:
  AES question (ajd)
  Re: function notation (injection, bijection, etc..) one last time (Douglas A. Gwyn)
  Re: Def'n of bijection (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: AES question (Mok-Kong Shen)
  Re: Def'n of bijection (Douglas A. Gwyn)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Def'n of bijection (Mok-Kong Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Knapsack security??? Ahhuh (Al)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Factoring via BBS cycle length (Anton Stiglic)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: practical birthday paradox issues (Dirk Bruere)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)



From: ajd [EMAIL PROTECTED]
Subject: AES question
Date: Wed, 6 Jun 2001 17:14:47 +0100


Hi All,

I was wondering about the algorithms that were nominated for the Advanced
Encryption Standard, it seems obvious that Rijndael will be used a lot as it
is the replacement for 3DES, but what about the other finalists. Does anyone
know of any companies using TwoFish, RC6, Mars, or Serpent in products.
Would they be used in addition to or instead of the older algorithms like
IDEA, RC4, RC5 etc.

thanks
andrew



--

From: Douglas A. Gwyn [EMAIL PROTECTED]
Subject: Re: function notation (injection, bijection, etc..) one last time
Date: Wed, 6 Jun 2001 15:55:53 GMT

[EMAIL PROTECTED] wrote:
 No offense, but these are the first terms a person *ever* learns when
 studying about functions. Their definitions are *not* subject to debate,
 and they are almost always stated in exactly the same way. ...

Len gave a nice summary of the standard definitions.

Part of the problem seems to be that *learning* requires more than
mere memorization of standard definitions.  For example, the standard
approach is unnecessarily asymmetric in use of A and B; a more general
development would define a relation as a specific set of ordered
pairs (a,b) with a in A and b in B, and a function as a relation that
has additional constraints; with such an approach, A would not be the
domain of the function, but the analogue in the input set of the
concept of codomain, i.e. a set that contains the domain.  Definitions
would have to be adjusted to fit this new model, and the fact that the
domain and codomain were not analogous would be worrisome.  The
standard definitions evolved from originally less precise usage, and
exploring the history would show where the emphasis on certain aspects
came from.

   ... I believe that ``dual'' here really means ``dual'' in
   a category-theoretic sense, but it's been too long; ...

I think it's right.  Diagrams somewhat like those used in category
theory often help the student to understand these concepts.  It is
particularly useful to draw the sets as clouds and mark limits of
(simply connected) subsets, with arrows showing the mapping action
of the function from one cloud to another.  (Note: the inhabitants
of separate clouds come from different planets and speak totally
different languages.)  I would hope that there are textbooks that
do a good job of this, but from my experience with current public
education in math I have my doubts.

--

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Def'n of bijection
Reply-To: [EMAIL PROTECTED]
Date: Wed, 6 Jun 2001 16:16:43 GMT

Douglas A. Gwyn [EMAIL PROTECTED] wrote:
: [EMAIL PROTECTED] wrote:

: And the idea doesn't even ``seem'' obvious, because of one fact you
: keep ignoring: even if BICOM gives a bijection of binary files to
: itself, almost all preimages under BICOM are not in fact plausible
: messages. There is no a priori reason to believe that potential
: decrypts will be rich in plausible messages; indeed it seems rather
: unlikely.

: It *is* unlikely. [...]

However there are *excellent* reasons for thinking that potential decrypts
will be richer in plausible messages than they would be if compression had
not been employed.  That is what was actually claimed.

Compression *increases* the probability that decrypting will yield a
plausible looking message.

The messages that the compressor compresses will get smaller,
while other files are made larger.  As a direct consequence of 
this, the proportion of files of any given size that decompress to
plausible-looking messages increases.

This assumes that the plausible messages are in the set that the
compressor compresses, of course.  If this is not true, then the
compressor would be better described as an expander.

:  General-purpose compressors don't
: prefer one possible plaintext over another.

They compress some sorts 

Cryptography-Digest Digest #537

2001-06-06 Thread Digestifier

Cryptography-Digest Digest #537, Volume #14   Wed, 6 Jun 01 17:13:01 EDT

Contents:
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: AES question (Tom McCune)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: AES question (Joseph Ashwood)
  Re: AES question (Mok-Kong Shen)
  Re: Def'n of bijection ([EMAIL PROTECTED])
  Re: Def'n of bijection (Mok-Kong Shen)
  Re: Def'n of bijection ([EMAIL PROTECTED])
  Re: And the FBI, too (Re: National Security Nightmare?) (Matthew Montchalin)
  Re: Def'n of bijection (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Def'n of bijection (John Myre)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Def'n of bijection ([EMAIL PROTECTED])
  Re: Def'n of bijection (SCOTT19U.ZIP_GUY)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) ([EMAIL PROTECTED])
  Re: RSA's new Factoring Challenges: $200,000 prize. (my be repeat) (Michael Brown)



From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: Wed, 06 Jun 2001 20:25:50 +0200



Tim Tyler wrote:
 
 Mok-Kong Shen [EMAIL PROTECTED] wrote:
 : Tim Tyler wrote:
 : Mok-Kong Shen [EMAIL PROTECTED] wrote:
 
 : : You probably question whether such usage leads to
 : : Shannon's perfect security which, as you said, is claimed
 : : to be a property of OTP. However, I don't see where in the
 : : literature about OTP (in connection with perfect security)
 : : the length enters into the argumentation, i.e. plays a role
 : : in the proof.
 :
 : I also think that it's not mentioned.  I believe it is common to
 : consider the domain where all plaintexts are the same length -
 : perhaps in order to get the perfect secrecy result.
 :
 : : My memory of Shannon's paper is no good, but I don't think that he
 : : considered the length of the messages.
 :
 : I don't think it was mentioned either - all the messages were the same
 : length in the system in question.
 
 : From what you said, I don't think it is valid to consider
 : that the constant length of messages underlies the
 : proof of Shannon (unless one can demonstrate the
 : contrary).
 
 Without such an assumption, there's no proof of perfect secrecy,
 because the system doesn't exhibit it.

My admittedly now poor memory of Shannon's argument is
roughly the following: Given a message of n bits. If
it is xored with a perfect random source, then each
of the possible 2^n sequences could result as ciphertext.
Hence the a-posteriori probability of (the content)
of the message is the same as its a-priori probability.
Now this is general for 'any' n. It certainly has no
implication to the effect that, after sending a message
of a certain length, the next following message should
have the same n. Otherwise, given an OTP sequence of
m bits (m can usually be very large), one could have
asked the question of which size (particular, fixed,
constant n) of messages one is allowed to send with
that resource in order that the perfect security 
according to Shannon could be achieved, an issue which 
seems to be apparently absurd.

M. K. Shen

--

From: Tom McCune [EMAIL PROTECTED]
Subject: Re: AES question
Date: Wed, 06 Jun 2001 18:36:39 GMT

In article 3b1e561c$[EMAIL PROTECTED], ajd [EMAIL PROTECTED] wrote:

Hi All,

I was wondering about the algorithms that were nominated for the Advanced
Encryption Standard, it seems obvious that Rijndael will be used a lot as it
is the replacement for 3DES, but what about the other finalists. Does anyone
know of any companies using TwoFish, RC6, Mars, or Serpent in products.
Would they be used in addition to or instead of the older algorithms like
IDEA, RC4, RC5 etc.

The current PGP versions (7.0.1 and above) include AES and Twofish (both 256 
bit), and also retain usage of IDEA, CAST5, and Triple DES.

Tom McCune
My PGP Page  FAQ: http://www.McCune.cc

--

From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: Wed, 06 Jun 2001 20:37:54 +0200



Tim Tyler wrote:
 
 Tim Tyler [EMAIL PROTECTED] wrote:
 : Mok-Kong Shen [EMAIL PROTECTED] wrote:
 
 : : From what you said, I don't think it is valid to consider
 : : that the constant length of messages underlies the
 : : proof of Shannon (unless one can demonstrate the
 : : contrary).
 
 : Without such an assumption, there's no proof of perfect secrecy,
 : because the system doesn't exhibit it.
 
 I looked up what Bruce Schneier has to say about perfect secrecy in
 A.C.
 
 He 

Cryptography-Digest Digest #538

2001-06-06 Thread Digestifier

Cryptography-Digest Digest #538, Volume #14   Wed, 6 Jun 01 18:13:00 EDT

Contents:
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Factoring via BBS cycle length (Tom St Denis)
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, and Large Primes 
(Tom St Denis)
  Re: Def'n of bijection (SCOTT19U.ZIP_GUY)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: Def'n of bijection (SCOTT19U.ZIP_GUY)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Def'n of bijection (SCOTT19U.ZIP_GUY)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (JPeschel)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)



From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Reply-To: [EMAIL PROTECTED]
Date: Wed, 6 Jun 2001 20:45:49 GMT

To illustrate my point, here's a system that does better at concealing
information about the plaintext from an attacker with cyphertext and
full knowledge of the algorithm employed than a conventional
One Time Pad manages.

Convert the plaintext from a 8-bit granular file to a 64-bit granular
file using one of David's bijections between these sets.

Then encrypt with a conventional OTP.

The result is much the same - except that many plaintexts that were
previously distinguishable on length grounds are now effectively
indistinguishable.

Given a cyphertext representing a particular plaintext, the attacker's
uncertainty about the possible plaintexts increases, as the file length
will (typically) increase, and thus so will the length of the key.

Would anyone still refer to a One Time Pad as offering
perfect protection of one's secrets after reading this?
-- 
__
 |im |yler  [EMAIL PROTECTED]  Home page: http://alife.co.uk/tim/

--

From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: Wed, 06 Jun 2001 22:54:41 +0200



Tim Tyler wrote:

> ...but why only consider the possible messages of size 2^n?
> This is a tiny subset of the messages that could have been transmitted.
>
> The obvious answer is that we can eliminate most messages on a-priori
> grounds, since we have the cyphertext and we know that it is an OTP
> encryption.  However, this is highly undesirable - based on a simple
> examination of the cyphertext, we can reject loads of possible messages.

I don't understand. A given ciphertext has a certain size,
say n bits. The number of all possible (different) pieces of
information that could be transmitted from the sender
to the receiver with that is limited by 2^n. And with an
OTP one can in fact securely transmit any one of these
possible messages. Or am I missing something?

> : Hence these are equal. Thus the opponent gains no information.
>
> The opponent has gained the information that the plaintext is
> of length n.  Just by looking at the cyphertext, this was not
> known.  As soon as the cryptomechanism is revealed as well,
> huge numbers of possible plaintexts can be rejected.

What is that information that he can gain from the fact
that the plaintext is of length n in the general case
(excepting contrived ones)? Can he know a single bit of 
the plaintext from that?

M. K. Shen

--

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: 6 Jun 2001 20:44:48 GMT

[EMAIL PROTECTED] (Tim Tyler) wrote in [EMAIL PROTECTED]:

> I looked up what Bruce Schneier has to say about perfect secrecy in
> A.C.
>
> He says this:
>
> ``There is such a thing as a cryptosystem that achieves perfect secrecy:
>   a cryptosystem in which the cyphertext yields no possible information
>   about the plaintext (except possibly its length).''
>
> He goes on to give Shannon's theory that perfect secrecy is only
> possible if the number of possible keys in the cryptosystem is equal to
> the number of possible messages.
>
> IMO, Shannon has it right - while Bruce seems a bit uncertain about
> whether the length is included or not.

   No wonder people are confused. Shannon was an expert and then
Mr BS comes along and, due to his lack of knowledge (at least relative
to the level of Shannon), types it wrong and then others get

Cryptography-Digest Digest #541

2001-06-06 Thread Digestifier

Cryptography-Digest Digest #541, Volume #14   Wed, 6 Jun 01 19:13:01 EDT

Contents:
  Crypto Survey May 2001 by Markku J. Saarelainen (Mark J S)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (JPeschel)



From: [EMAIL PROTECTED] (Mark J S)
Subject: Crypto Survey May 2001 by Markku J. Saarelainen
Date: 6 Jun 2001 15:57:58 -0700



CRYPTO SURVEY MAY 2001

Cryptographic Survey, May 2001, Markku J. Saarelainen

Email: [EMAIL PROTECTED]

 

A SUMMARY CONCLUSION: 

The major societal development since the 1st and 2nd crypto surveys in
1996 and 1997 has been the removal of many regulatory barriers to
open trading of cryptographic products in North America and
globally. In addition, the number of cryptographic applications and
component implementations has increased, while at the same time the
variety of different types of solutions has risen. This does not
necessarily mean wider use of encryption in business and
personal activities. Many of the same or similar behavioral barriers to the
effective utilization of security solutions still exist, limiting
the protection of communications, data storage and networking. In
addition, the lack of interoperability between solutions from
different suppliers tends to decrease the number of effective
cryptography users worldwide. It is clear that awareness of
encrypted communication and protected information activities has
increased, while necessary regulatory changes for protecting entities
from security vulnerabilities have enabled cryptographic product
suppliers to satisfy market requirements in the U.S.A., in North
America and globally. However, regulatory and cultural differences
exist from one nation or region to another, creating a globally
unbalanced situation in security use, which has a reducing
effect on the security practices and policy implementations of any global
entity in different regions. This impacts the interoperability of
units of global entities. It is likely that there shall be greater
competing drives in the information technology market place between
different security strategies and approaches from different software
and hardware product and security suppliers.


QUESTION 1. In your opinion, what are the 5-10 most significant
applications of encryption technologies currently in commercial
enterprises?


1. HTTP over SSL (aka HTTPS) / SSL for credit card processing / SSL /
Web-activity privacy (SSL)
2. IPsec
3. RSA Secure ID (maybe)
4. Online Credit Card Processing & Financial Transfers
5. VPNs / Virtual Private Networks for widely distributed offices /
VPN for remote access to Intranet
6. Email encryption (via PGP/GPG or SMIME) / Encrypted Messages /
Email Privacy
7. Digital signing authentication of messages
8. Consensus and voting software (not now but give it 5 years)
9. Encrypted file systems for sensitive data
10. Signing software for installation
11. Signing email messages to show official authority
12. Wireless local area network encryption
13. Password protection/access control
14. Data protection
15. Session protection (VPN's)
16. Authentication and authorization / Customer authentication (e.g.
PIN checking)
17. Securing B2B file exchange
18. PKI
19. Remote secure teleworking
20. Digital signatures
21. Time-stamping


QUESTION 2. In your opinion, what are 5-10 main barriers currently
that may prevent the successful implementation and utilization
of encryption technologies in commercial enterprises? 


1. Ignorance of risks prevents purchase
2. Dishonest portrayal of product (i.e.: false security claims and
blatant product holes in end-to-end protection) promotes distrust in
the whole industry
3. Most products are a waste of time because they are not a
comprehensive solution - e.g.: why bother using PGP when there is
nothing in any NAI products to protect against back-office-style
electronic eavesdropping attacks?
4. Many people do not care about cryptography and/or security products
5. Having lived happily without serious protection for a long while,
most customers believe there is no point retrofitting an expensive
solution for a problem they do not have (and many of them are probably
right...)
6. Lack of knowledge by decision-maker
7. Low knowledge level of users
8. Lack of knowledge by computer scientists
9. Lack of complete standards (S/MIME to be extended, ...)
10. Cost
11. It is too hard to use / complexity / not transparent enough and
hard for users to use.
12. Difficult and complex 

Cryptography-Digest Digest #540

2001-06-06 Thread Digestifier

Cryptography-Digest Digest #540, Volume #14   Wed, 6 Jun 01 19:13:01 EDT

Contents:
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)



From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: Thu, 07 Jun 2001 00:43:54 +0200



SCOTT19U.ZIP_GUY wrote:

> Well it can leak information. I thought I gave the
> example that you never answered. Suppose someone asks
> you a question of the type where you are known to
> answer yes or no. (It's a made-up example; you
> really can't answer yes or no to anything, just go with
> it for a minute.) You could encrypt with a TOMMY style
> OTP and send QW, but if you did I would know it's a NO,
> or you could send a TRU, in which case I would know it's a
> YES. So you have zero security.
>
> Or you could use a longer pad like 4 letters, and
> send WSHS for no and JSKS for yes, in which case
> I would not know what you sent.
>
> Or you could compress it and send 1 bit.
>
> If you actually want more security, since you may on
> rare occasions not give a yes or no, in that case you
> really need a very long pad. But the length of all messages
> should be the same if you want perfect security. It can
> be less and still secure if you use a different size. But
> it won't be perfectly secure unless it is as long as your
> longest message.

Oh, in some cases whether one sends a message at all
could leak information, couldn't it? If a message goes
out e.g. from my home, that means some person is there.
Are we considering such stuff? I already mentioned
in a previous post that, unless there is something
that links the length to the content of the message,
the argument holds. Note that Shannon's perfect
security implies that the efficiency of transforming
a 'given' bit sequence of n bits is so good that from the
ciphertext the opponent cannot get more information than
he 'already' knows otherwise (e.g. from the length or
from the time of sending, or from the particular station
that sends it, etc.). If he already knows that a message
of two bytes means 'NO', then any system of encryption is
as bad as any other, in fact useless. But is that any
argument against OTP as such? If a 'bijective' system
transforms 'NO' to 4 bits and 'YES' to 5 bits, doesn't
the same thing happen?

M. K. Shen

--
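The yes/no example above and Tim Tyler's earlier proposal (convert to 64-bit granularity before applying the pad) turn on the same fact: a conventional OTP produces a ciphertext exactly as long as the plaintext, so length is the one thing the pad does not hide. The Python below is an added illustration, not code from any poster in this thread; the 8-byte block size and the 0x80/0x00 padding rule are assumptions chosen for the demo. It encrypts 'NO' and 'YES' under a fresh random pad, with and without padding to a block boundary, and counts how many plaintext lengths remain consistent with the ciphertext length an eavesdropper observes in each case.

```python
import secrets

BLOCK = 8  # bytes; the 64-bit granularity suggested in the thread (assumed value)


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """Conventional one-time pad: XOR each byte with a fresh, never-reused pad byte."""
    if len(pad) < len(data):
        raise ValueError("pad shorter than data: a one-time pad must never be stretched")
    return bytes(d ^ p for d, p in zip(data, pad))


def pad_to_block(msg: bytes, block: int = BLOCK) -> bytes:
    """Reversible padding (assumed scheme, ISO/IEC 7816-4 style): append 0x80,
    then 0x00 bytes until the length is a multiple of `block`.  At least one
    byte is always appended, so unpadding is unambiguous."""
    fill = (block - (len(msg) + 1) % block) % block
    return msg + b"\x80" + b"\x00" * fill


def unpad(padded: bytes) -> bytes:
    """Strip the 0x80/0x00 padding; raise rather than guess on malformed input."""
    stripped = padded.rstrip(b"\x00")
    if not stripped.endswith(b"\x80"):
        raise ValueError("malformed padding")
    return stripped[:-1]


def observed_length(msg: bytes, padded: bool) -> int:
    """Ciphertext length an eavesdropper sees when `msg` is sent under an OTP."""
    body = pad_to_block(msg) if padded else msg
    pad = secrets.token_bytes(len(body))
    ct = otp_xor(body, pad)
    # the receiver, holding the same pad, still gets the message back
    recovered = otp_xor(ct, pad)
    assert (unpad(recovered) if padded else recovered) == msg
    return len(ct)


def consistent_lengths(ct_len: int, padded: bool, block: int = BLOCK) -> list:
    """Plaintext lengths the attacker cannot rule out from ct_len alone.
    Without padding the length is revealed exactly; with block padding any
    length from ct_len-block up to ct_len-1 is possible."""
    if not padded:
        return [ct_len]
    return list(range(max(0, ct_len - block), ct_len))


if __name__ == "__main__":
    for answer in (b"NO", b"YES"):
        raw = observed_length(answer, padded=False)
        blocked = observed_length(answer, padded=True)
        print(f"{answer!r}: unpadded OTP sends {raw} bytes "
              f"(plaintext lengths consistent: {consistent_lengths(raw, False)}); "
              f"padded OTP sends {blocked} bytes "
              f"(consistent: {consistent_lengths(blocked, True)})")
```

Unpadded, the 2-byte and 3-byte answers are told apart by length alone, which is the QW/TRU point above. Padded, both go out as 8 bytes and every plaintext of length 0 to 7 is consistent with the ciphertext. The caveat is that block padding only hides length within a block: a longer message still reveals its length to within 8 bytes, and only padding every message to the length of the longest one (Scott's suggestion) removes the leak entirely. Timing and sender, as Shen notes, are outside what any cipher can address.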

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Reply-To: [EMAIL PROTECTED]
Date: Wed, 6 Jun 2001 22:28:58 GMT

Mok-Kong Shen [EMAIL PROTECTED] wrote:
: Tim Tyler wrote:
: Mok-Kong Shen [EMAIL PROTECTED] wrote:

: : But if you have an OTP (a perfect one), you 'need' not
: : pad anything, for you already have perfect security
: : for the secret you want to communicate.
: 
: The attacker can tell how long the plaintext is just by looking at the
: cyphertext.  He can eliminate vast numbers of possible plaintexts
: by a cursory examination.  How is this perfect?

: So you are refuting Shannon, aren't you??

I would have to read what Shannon wrote in more detail to say how what
this thread is about relates to what he wrote.

My main concern is with the definition and usage of the term
perfect secrecy - I'd like to see what Shannon wrote,
whether his proof relates to what he wrote, and whether others
have followed his usage properly.

That OTPs leak length information - and thus fail to conceal plaintexts
properly - is rather well known; indeed most other cyphers do this as well.

Tom (and other posters) seem to have got the idea that the ordinary OTP
is actually perfect at concealing information about the plaintext, given
the cyphertext.

That does /seem/ to be what Shannon said:

``The first definition of information-theoretic secrecy was given by
  Shannon, the founder of information theory. It is called perfect secrecy
  and means by definition that the plaintext is statistically independent
  of the encrypted data. This is equivalent to saying that the enemy
  cryptanalyst can do no better than guessing the plaintext without
  knowledge of the encrypted data, no matter how much time and computing
  power is used.''

 - http://www.inf.ethz.ch/department/TI/um/research/keydemo/Background.html

...but he is also supposed to have proved that the (conventional?) OTP
has this property, which it does not.  I'll resolve the apparent friction
between these ideas by reading his actual words and proof.

I'm curious to learn the historical roots of the (clearly mistaken) idea
that conventional OTPs are perfect in this way.  Is Shannon responsible?
...or those who came after him?
-- 
__
 |im |yler  [EMAIL PROTECTED]  Home page: http://alife.co.uk/tim/

--



Cryptography-Digest Digest #539

2001-06-06 Thread Digestifier

Cryptography-Digest Digest #539, Volume #14   Wed, 6 Jun 01 19:13:01 EDT

Contents:
  Re: Def'n of bijection (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: RSA's new Factoring Challenges: $200,000 prize. (my be repeat) (Joseph Ashwood)
  Re: AES question (Joseph Ashwood)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: AES question (Joseph Ashwood)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  shifts are slow? (Bob Jenkins)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)



From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Def'n of bijection
Reply-To: [EMAIL PROTECTED]
Date: Wed, 6 Jun 2001 21:36:02 GMT

[EMAIL PROTECTED] wrote:
: Tim Tyler [EMAIL PROTECTED] writes:
:[EMAIL PROTECTED] wrote:
:: Tim Tyler [EMAIL PROTECTED] writes:

:: ...there are *excellent* reasons for thinking that potential decrypts
:: will be richer in plausible messages than they would be if compression
:: had not been employed...
:
:: That statement is vacuously true.
: 
: Well, I'm glad to hear that you agree that it's true - but sorry to hear
: that you think it is vacuous.

: Um, it's a mathematical term, Tim. A statement is vacuously true when it
: cannot possibly be false. In other words, the statement contains no
: information.

I guess you think Fermat's Last Theorem is vacuous, then.  Its negation
is known to be an impossibility, after all.

:: Any non-negative number is >= 0. But the probability of false positives
:: is still probably ~0...so your ``maybe'' isn't actually interesting.
: 
: What are you talking about?  Is this >= 0 some sort of analogy?
: I didn't say maybe above.  What are you talking about?

: Sigh. If no compression is performed, then the likelihood of false
: positive decryptions is for most practical purposes zero.

What?!?!  How on earth did you figure that out?!?!

: However, you haven't actually exhibited any interesting circumstances
: where the likelihood of false positives *is provably* larger than
: zero.

Um, plaintext: 129 bits.  Key 128 bits.  What on earth can you possibly
be talking about?

: ...the messages are what we're interested in.  If *they* get smaller,
: that's all that's needed.  It doesn't matter what else gets smaller
: as well.

: To prove that false decrypts are more likely when BICOM is used, you
: must prove that preimages of smallish files are more likely to be real
: (or real-looking) messages. Since lots of non-messages also get smaller,
: there is no reason to suppose that *plausible* preimages are strictly more
: likely with BICOM than without it.

*Everything* that's made smaller is more likely to turn up in possible
decrypts.  Messages, junk, everything.  That some junk is made smaller
doesn't affect the fact that the messages shrink, and are thus going to
have a greater density at the small file end of the spectrum than they
did before.

Think of files as in bins, with the bins being labelled with file
lengths (only files of that length may go into that bin).

Compression takes plausible messages and moves them (and perhaps lots of
other stuff) into smaller-numbered bins, while moving other files the other
way.

Now the question is, do you wind up with more messages in bins
numbered < n than there were before this operation was performed.

That answer is of *course* you do.  It's blinking obvious that you do!

Are you now going to quibble that I haven't proved that a non-zero number
of files have actually crossed a particular n/n+1 bin boundary? ;-)

: The most one can say is that they're certainly no LESS likely [...]

That's not the most one can say.  I've repeatedly said a lot more -
and I'm correct in doing so.
-- 
__
 |im |yler  [EMAIL PROTECTED]  Home page: http://alife.co.uk/tim/

--

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Reply-To: [EMAIL PROTECTED]
Date: Wed, 6 Jun 2001 21:38:41 GMT

Mok-Kong Shen [EMAIL PROTECTED] wrote:

: Nobody 'pads' anything on using OTP, as far as I understand
: the literature. The OTP sequence is used just like, say,
: a Scotch tape. If the next message is n bits, you cut
: out n bits from that, no more no less, do an xor and
: send the stuff. If the following message 

Cryptography-Digest Digest #542

2001-06-06 Thread Digestifier

Cryptography-Digest Digest #542, Volume #14   Wed, 6 Jun 01 20:13:00 EDT

Contents:
  Re: shifts are slow? (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: RSA's new Factoring Challenges: $200,000 prize. (my be repeat) (John Myre)
  Re: shifts are slow? (Joseph Ashwood)
  Re: Medical data confidentiality on network comms (Roger Schlafly)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Joseph Ashwood)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (JPeschel)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (JPeschel)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: shifts are slow? (Tom St Denis)



From: Tom St Denis [EMAIL PROTECTED]
Subject: Re: shifts are slow?
Date: Wed, 06 Jun 2001 23:08:36 GMT


Bob Jenkins [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
> I've been talking to people trying to optimize assembly for the P4.
> They say there is a shift penalty.  What is more, they claim that
> shifts are necessarily slower than addition or xor.  Wire length
> is starting to matter more than gate count.
>
> I asked, do you mean that the low bits of x and y in x+y are closer
> together than the low and high bits of x?  They said yes.  The
> registers are interleaved that way.  Perhaps they could do shifts
> by 2 or 3, or maybe 4, in the same time as addition, but more than
> that is inherently slower.
>
> My old model of the world had +-^|~ take 1 cycle, tab[] take 2,
> if() take 5 if it guesses wrong, * take 10, and / take 20.  That's
> apparently no longer close to reality.  What is the new reality?

Depends on if they are done in the ALU directly or not.

In the Athlon, afaik, a shift and rotate can be done in 1/2 time (1 cycle
latency, 2 cycle throughput), i.e.

ROL EAX,3
ADD EBX,ECX
MOV EDX,EAX

Will not stall since ROL is completed by the end.

Tom



--

From: Tom St Denis [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: Wed, 06 Jun 2001 23:09:11 GMT


[EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
> Tim Tyler [EMAIL PROTECTED] writes:
>
> > ...but why only consider the possible messages of size 2^n?  This is
> > a tiny subset of the messages that could have been transmitted.
>
> Right! That's why ``perfect secrecy'' is only attainable if the ciphertext
> is longer than *any* possible plaintext. All messages must have infinite
> length.
>
> That's why in fact perfect secrecy has been proven impossible, and there
> is no such thing as an OTP.
>
> Len.

You're a loon.

Tom



--

From: John Myre [EMAIL PROTECTED]
Crossposted-To: sci.math
Subject: Re: RSA's new Factoring Challenges: $200,000 prize. (my be repeat)
Date: Wed, 06 Jun 2001 17:09:35 -0600


(Re algorithm)

For the OP:

The really important parts of the definition are that the
steps are unambiguously defined, and can actually be done.
So steps like "pick a fratzle number" (a name I just made
up), or "use the last integer" (obviously not possible)
aren't allowed.  It's partly a problem in communication,
since "unambiguous" depends on mutual understanding.  But
it's also important to recognize when the instructions are
clear, and when they are more like hand-waving.

To Joe:

I'm not sure what you meant by "a finite number of steps".
The usual formal definition of algorithm includes the
requirement that the method always halts - is that what you
meant?  The example you gave does not meet this requirement.

(Hint: what does it do if the battery is already dead?)

(BTW, I find it amusing that the halting problem shows that
it is not algorithmically possible to decide what programs are
algorithms...)

JM

--

From: Joseph Ashwood [EMAIL PROTECTED]
Subject: Re: shifts are slow?
Date: Wed, 6 Jun 2001 16:07:26 -0700

The new reality is the same. It's just that for a register to shift it needs
to make use of itself as a shift register, so in a single clock bit 30 moves
to 31, 29->30, 28->29, 27->28 . . . 1->2, 0->1. In order to shift by X
takes X clocks. Also because we have gotten to such high frequencies and
such deep pipelines addition now takes multiple clocks but commonly you can
get a throughput of 1 add/clock. Basic binary operations ^|~ still take one
clock (although it may take longer due to the pipeline). It gets worse when
you

Cryptography-Digest Digest #543

2001-06-06 Thread Digestifier

Cryptography-Digest Digest #543, Volume #14   Wed, 6 Jun 01 22:13:00 EDT

Contents:
  Re: How good is steganography in the real world? ([EMAIL PROTECTED])
  DES not a group proof (Patrick Aland)
  Re: Quantum Computers with relation to factoring and BBS (rosi)
  Re: Knapsack security??? Ahhuh (rosi)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Notion of perfect secrecy (Tom St Denis)



From: [EMAIL PROTECTED]
Crossposted-To: comp.security.misc,talk.politics.crypto
Subject: Re: How good is steganography in the real world?
Date: Thu, 07 Jun 2001 00:15:12 GMT

On 8 Apr 2001 08:24:07 +0200, [EMAIL PROTECTED] (Paul Schlyter) wrote:

> In article [EMAIL PROTECTED],
> SCOTT19U.ZIP_GUY [EMAIL PROTECTED] wrote:
> >
> > Another thought. We still have a lot of people out of work here;
> > you could hire some Navahos and just let them communicate messages
> > to and from IRAQ. It worked in WWII.
>
> Yes, it worked in WWII because back then hardly anyone knew Navaho
> except the Navahos themselves.  And the situation was similar for
> most other Native American languages.
>
> However, this success of Navaho encryption during WWII spawned
> an interest in Native American languages among linguists, and since
> then these languages have been investigated more than ever before.
> Therefore today Navaho encryption will be much less secure than
> it was during WWII.
==
snip

Navaho was chosen for two reasons.  One was its obscurity.
The second is that it has many strange phonemes, and can only be
spoken properly by somebody that learned it as a small child.  This
meant that spoofing was not possible, as all the receivers would
instantly detect any fake message.




--

From: [EMAIL PROTECTED] (Patrick Aland)
Subject: DES not a group proof
Date: 6 Jun 2001 17:17:53 -0700

Anyone got a link to the proof from Crypto '92 that showed that DES is
not a group? The links I seem to be finding are either dead or simply
reference it.

Thanks.

--

From: rosi [EMAIL PROTECTED]
Subject: Re: Quantum Computers with relation to factoring and BBS
Date: Wed, 6 Jun 2001 22:42:31 -0400

Your repeating that Bob is correct seems to suggest that I stated that he
was not? No, no. I said he had not erred. It might be better if you had said
that I had said that Bob was correct.

I should take his comments seriously? Why not? I was DAMN serious!!!
(and do not excuse my language).

Way too serious. Let's do it lightly.

Crypto is perhaps the only discipline where you can work and have fun!

Let me tell you a story. There was this scientist (maybe fake as he himself
suggested) giving advice to one in another discipline for which the scientist
had limited respect. He told the girl to first carry out the experiment which
someone else performed and for which she was to change conditions to see the
effect, and then actually change the circumstances to compare results. The
girl was all excited and went back to her great professor. A lot of people may
already know this story and may feel bored if I go on, so I just skip the end
of the story.

Now you can also do several simple experiments, or you can take the
results given to you by others and trust them. You can ask: is it in NP? and
you can change the question in form (only in form) with the spirit still carried
in the questions, such as: is it in P? These I think are simple enough. Then
you may apply other things, such as the 'sutra' you quoted from somewhere.
Try to see if the thing you really want to know by asking the questions would
still be there after the applications. Don't recite any more, just go and perform
the simple experiments.

Reciting is by all means a good means of doing scientific work. But that is
just one of the many ways. And thanks for the recitation about NP's full text.

I, quite unlike Bob, am not prone to giving advice. Bob may come next and
tell you to read books. I, a lot of times, think that may not be necessary. I can
often focus just on the things you know (well, if you say it, you must know it.
logical?) Whether you read more is your cake of the day. But I am sure of
one thing. Next time around, when you assign probabilistic uncertainty to a
well-defined, unambiguous definition, you will do a much better job.

You are still not bored with this NP stuff? :) I think it may be appropriate that
we now draw such a small fullstop as to encompass all the 'bubbles' making
up the universe, so small that we can not see it.

Thanks.
--- (My Signature)

Nicol So wrote in message [EMAIL PROTECTED]...
rosi wrote:

 Bob Silverman wrote in message
 [EMAIL PROTECTED]...
 [EMAIL PROTECTED] (Bill Unruh) wrote in message
 news:9eu1ke$njh$[EMAIL PROTECTED]...
  In 9etv2h$4pn$[EMAIL PROTECTED] 

Cryptography-Digest Digest #544

2001-06-06 Thread Digestifier

Cryptography-Digest Digest #544, Volume #14   Thu, 7 Jun 01 01:13:00 EDT

Contents:
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (JPeschel)
  Re: OTP WAS BROKEN!!! (Gordon Burditt)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) 
([EMAIL PROTECTED])
  Re: Notion of perfect secrecy (SCOTT19U.ZIP_GUY)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: Def'n of bijection ([EMAIL PROTECTED])
  Re: OTP WAS BROKEN!!! ([EMAIL PROTECTED])
  Re: Bow before your new master (John Fields)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (JPeschel)
  Re: RSA's new Factoring Challenges: $200,000 prize. (my be repeat) (Michael Brown)
  Re: RSA's new Factoring Challenges: $200,000 prize. (Michael Brown)
  Re: Notion of perfect secrecy (Neil Couture)



From: [EMAIL PROTECTED] (JPeschel)
Date: 07 Jun 2001 02:25:48 GMT
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)

[EMAIL PROTECTED]  (SCOTT19U.ZIP_GUY) writes, in part:

> You should read
> Shannon's article Communication Theory of Secrecy Systems
> it was in the Bell systems technical Journal.

Yes, I know the paper, have read it, and am re-reading it.

He talks about making the key as small as possible. I think we
can assume that means as long as the plaintext.  

That doesn't mean that the size of the key and the size of the
pad need to be the same.  Keys are taken from the pad.
When the pad is used up it's time to generate another pad
with more keys. Each key, so far as i can tell from Shannon, must
be the length of the plaintext.  

Point me to where Shannon says that the length of the plaintext
must be kept secret.

Joe
__

Joe Peschel 
D.O.E. SysWorks 
http://members.aol.com/jpeschel/index.htm
__


--

From: [EMAIL PROTECTED] (Gordon Burditt)
Subject: Re: OTP WAS BROKEN!!!
Date: 7 Jun 2001 02:28:54 GMT

> Why if you re-use the key twice, OTP becomes less secure?

If you re-use the key, it's NOT a OTP.

> I'm a newbie and I want an answer with a few samples.

Let us suppose that you can trick the opposition into sending
something that you know, encrypted with the OTP.  Perhaps you even
get to select it.  For example, your ambassador gives their ambassador
(at their embassy in your country) a long-winded proposed treaty
for extraditing spammers and emergency shutdown of open spam relays
by nuclear air attacks.  They will relay it to their government
using the OTP via radio (so you can intercept it).

You know the text of the treaty will appear somewhere in one of
the messages sent in the next day or so.  You can use this to create
a relatively limited list of pieces of possible keys.

Now, if the key is used ONCE, you have some of the keying material
which will never be used again.  Whoop de doo!  You already know
what was encrypted with that portion of the key; that was how you
computed it in the first place.  This gives you no useful information
about other encrypted messages.

If the key is used MORE THAN ONCE, you can take the possible keys,
slide them along other messages, and compute possible plaintexts
from this.  IF you get a sensible-looking plaintext, you now have
a much-better-than-random-guess probability that this is the correct
key, being re-used.

> I tried to solve the problem, using the same key, I found (2*n)
> possible solutions for a ciphertext of bit-length equal to n.
> How is it possible to recover the plaintext?

Assume that the text of the treaty is 100Kbits, and that 10Mbits
of messages were sent in the time window when the treaty was likely
sent.  Sliding the key along the text of messages sent yields 10M
- 100K possible keys.  This is a heck of a lot less than the possible
values of keys used to send the treaty, 2**100K.  Now, assuming
the key will be re-used the next day, and that 10Mbits of traffic
are sent then, you have (10M-100K)**2 combinations of possible keys
and places to start using them.  This is less than 2**48, which is
a heck of a lot less than 2**100K.

Gordon L. Burditt

--
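The attack Gordon describes, worked through in Python. This is an added example, not code from the post; the pad, the "treaty" and the second message are constructed for the demo. `recover_pad` is the known-plaintext step: XOR the planted treaty against its ciphertext and the pad bytes fall out. `recover_other` shows why that matters only if the pad is reused: those bytes decrypt whatever else was sent under them. `crib_drag` is the sliding step for when the attacker knows only a fragment and not where it sits: under pad reuse `ct_a XOR ct_b` equals `pt_a XOR pt_b`, so XORing a crib in at each offset proposes what the other message says there, and a crude printable-ASCII filter plays the part of "sensible-looking plaintext".

```python
import secrets


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """XOR `data` against the same number of pad bytes."""
    if len(pad) < len(data):
        raise ValueError("pad shorter than data")
    return bytes(d ^ p for d, p in zip(data, pad))


# --- constructed scenario (not from the post) --------------------------------
PAD = secrets.token_bytes(96)                        # the pad that gets used twice
PT_A = b"PROPOSED TREATY: extradite spammers and shut down open relays by air attack."
PT_B = b"ORDERS: relay all embassy traffic tonight using pad page 17 again."
CT_A = otp_xor(PT_A, PAD)                            # the treaty the attacker planted
CT_B = otp_xor(PT_B, PAD)                            # second message, same pad: broken
CT_B_FRESH = otp_xor(PT_B, secrets.token_bytes(96))  # same message, fresh pad: safe


def recover_pad(ct: bytes, known_pt: bytes) -> bytes:
    """Known-plaintext step: ct XOR pt returns the pad bytes that were used.
    Against a true one-time pad this is worthless: those bytes never recur."""
    return otp_xor(ct[:len(known_pt)], known_pt)


def recover_other(ct_known: bytes, ct_other: bytes, known_pt: bytes) -> bytes:
    """If the pad was reused, the recovered stretch decrypts the other message
    over the same positions.  Under a fresh pad the result is uniform noise."""
    key = recover_pad(ct_known, known_pt)
    n = min(len(key), len(ct_other))
    return otp_xor(ct_other[:n], key[:n])


def looks_like_text(seg: bytes) -> bool:
    """Crude stand-in for 'sensible-looking plaintext': printable ASCII only."""
    return all(32 <= b < 127 for b in seg)


def crib_drag(ct_a: bytes, ct_b: bytes, crib: bytes) -> list:
    """Slide a crib along ct_a XOR ct_b (== pt_a XOR pt_b under pad reuse).
    Returns (offset, candidate) pairs where XORing the crib in at that offset
    yields printable text, i.e. offsets where the crib may really sit in one
    message and `candidate` is what the other message says there."""
    n = min(len(ct_a), len(ct_b))
    diff = otp_xor(ct_a[:n], ct_b[:n])
    hits = []
    for off in range(n - len(crib) + 1):
        cand = otp_xor(diff[off:off + len(crib)], crib)
        if looks_like_text(cand):
            hits.append((off, cand))
    return hits


if __name__ == "__main__":
    print("pad reused :", recover_other(CT_A, CT_B, PT_A))
    print("fresh pad  :", recover_other(CT_A, CT_B_FRESH, PT_A))  # random bytes
    for off, cand in crib_drag(CT_A, CT_B, b"spammers"):
        print(f"offset {off:2d}: other message reads {cand!r}")
```

With the full treaty known, the reused pad gives the second message back verbatim. With only the crib "spammers", the drag returns the true hit (offset 27, where the other message reads `raffic t`) alongside false positives that happen to XOR to printable junk, which is why Gordon speaks of a much-better-than-random-guess probability rather than certainty: the attacker extends a plausible candidate word by word until only one survives. Run against `CT_B_FRESH`, the same pad bytes yield nothing, which is the "whoop de doo" case.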

Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
From: [EMAIL PROTECTED]
Date: 06 Jun 2001 22:40:09 -0400

Tom St Denis [EMAIL PROTECTED] writes:
> [EMAIL PROTECTED] wrote in message
> > Tim Tyler [EMAIL PROTECTED] writes:
> >
> > > ...but why only consider the possible messages of size 2^n?  This is
> > > a tiny subset of the messages that could have been transmitted.
> >
> > Right! That's why ``perfect secrecy'' is only attainable if the ciphertext
> > is longer than *any* possible plaintext. All messages must have infinite
> > length.
>
> You're a loon.

That's not nice! Anyway, your sarcasm detector must be busted.

Len.


--

From: [EMAIL