Cryptography-Digest Digest #547

2001-06-07 Thread Digestifier

Cryptography-Digest Digest #547, Volume #14   Thu, 7 Jun 01 08:13:00 EDT

Contents:
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) ([EMAIL PROTECTED])
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Notion of perfect secrecy (Tim Tyler)
  Re: shifts are slow? (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) ([EMAIL PROTECTED])
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)



From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Reply-To: [EMAIL PROTECTED]
Date: Thu, 7 Jun 2001 10:58:12 GMT

Tom St Denis [EMAIL PROTECTED] wrote:
: Tim Tyler [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
: JPeschel [EMAIL PROTECTED] wrote:

: perfect secrecy is defined by requiring of a system after a
:  cryptogram is intercepted by the enemy the a posteriori probabilities
:  of this cryptogram representing various messages be identically the
:  same as the a priori probabilities of the same message before the
:  interception.
:
: If the length of the plaintext is revealed by the cyphertext, this
: condition does not hold.

: How? [...]

It is obvious how the length of the plaintext is revealed by the
cyphertext.

The length of the plaintext is the same as the length of the cyphertext.

: If you have an 8-bit ciphertext all 256 plaintexts are equally
: probable.  That follows this distribution.

I am not considering a system with only 256 possible plaintexts.
That's a toy system, with no practical use.

: Your idea of security only works if your cipher can produce infinite
: length ciphertexts.

Not so.  Finite plaintexts can produce perfect secrecy.

: (of course your idea of security is vastly flawed)

How so, pray tell?

: I would hate to use 1.7 x 10^55 bytes of ram to send a 10 byte message
: home

No - that is not correct.  You could send a 10 byte message home while
retaining perfect secrecy - assuming a genuinely random shared key was
available.
-- 
__
 |im |yler  [EMAIL PROTECTED]  Home page: http://alife.co.uk/tim/

--

From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Reply-To: [EMAIL PROTECTED]
Date: Thu, 7 Jun 2001 11:15:08 GMT

Tom St Denis [EMAIL PROTECTED] wrote:
: Tim Tyler [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

: The opponent knows more about the plaintext after observing the
: cyphertext than he knew before he saw it - namely the length.
:
: The violates perfect secrecy.

: Only if the message is determined by the length.

No.  Regardless of what the message is, in fact - provided that messages
of more than one length are transmitted.

: Oui or Non.  The length will not determine the message.

It won't distinguish between those two particular messages anyway.
Are those the only possible messages in the system?

: Or if you just pad the bloody thing to a multiple of say 64 bytes. [...]

Still not enough for perfect secrecy :-(

: Even still people won't use an OTP to encrypt single byte messages.

The argument that an OTP does not have perfect secrecy does not depend on
single byte messages in any way.  I believe Scott mentioned two and
three byte messages as an example.

Any discussion about one-byte messages seems to be a hangover from the
CTR mode discussion.

: Traffic analysis information is indeed often present -
: but we are talking about once a message exists, does
: the attacker gain anything by looking at the cyphertext.
:
: That's what the definition of perfect secrecy talks about.

: No [...]

Yes.  Look it up.  Or read the posted definitions in this thread.

: perfect secrecy is defined as having no ability to tell one plaintext
: from another.

Since telling one plaintext from another is normally a trivial operation,
that statement is nonsense if taken literally.

What you probably mean is that the attacker has no ability to distinguish
between encryptions of different plaintexts given only a single cyphertext
to work on - which is an equivalent formulation to the one I gave above.

: Who cares if you know the entire set of plaintexts [...]

Well, knowledge of the entire set of plaintexts is better than nothing at
all.

However I've not mentioned that subject AFAICS - I believe you've just
raised it for the first time in this thread.

: Perfect secrecy applies to encryption devices.  Time of
: message transmission etc is considered to be outside its scope.
:
: A conventional OTP, that preserves message

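To put the a priori / a posteriori comparison from Tim Tyler's two posts above into numbers, here is an added example (not code from the thread). It assumes a constructed message space of four messages with a uniform prior and models only what the ciphertext length reveals, since the remaining bytes of an OTP ciphertext are uniformly random; the padding policies are the ones suggested in the thread (a fixed length, or rounding up to a multiple of 64 bytes).

```python
from fractions import Fraction


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Classic one-time pad: the ciphertext is exactly as long as the plaintext."""
    if len(key) != len(plaintext):
        raise ValueError("one-time pad key must match the plaintext length")
    return bytes(p ^ k for p, k in zip(plaintext, key))


def padded_len(msg_len: int, mode=None, n: int = 0) -> int:
    """Length of what is actually XORed with the pad under each padding policy."""
    if mode is None:                 # conventional OTP: length preserved
        return msg_len
    if mode == "fixed":              # every message padded to exactly n bytes
        if msg_len > n:
            raise ValueError("message longer than the fixed pad length")
        return n
    if mode == "block":              # padded up to the next multiple of n bytes
        return -(-msg_len // n) * n
    raise ValueError("unknown padding mode")


def posterior(prior, cipher_len: int, mode=None, n: int = 0):
    """A posteriori distribution over messages after seeing a ciphertext of
    cipher_len bytes.  Given its length, an OTP ciphertext is uniform over
    256**len values, so the length is the only information it carries."""
    joint = {}
    for m, p in prior.items():
        L = padded_len(len(m), mode, n)
        likelihood = Fraction(1, 256 ** L) if L == cipher_len else Fraction(0)
        joint[m] = p * likelihood
    total = sum(joint.values())
    if total == 0:
        raise ValueError("no message in the prior produces that ciphertext length")
    return {m: j / total for m, j in joint.items()}


def is_perfectly_secret(prior, mode=None, n: int = 0) -> bool:
    """Shannon's condition as quoted in the thread: for every ciphertext the
    enemy could intercept, the a posteriori probabilities equal the a priori ones."""
    assert sum(prior.values()) == 1, "prior must be a probability distribution"
    lengths = {padded_len(len(m), mode, n) for m in prior}
    return all(posterior(prior, L, mode, n) == prior for L in lengths)


def uniform_prior(*msgs: bytes):
    """Constructed helper: equal a priori probability for each message."""
    return {m: Fraction(1, len(msgs)) for m in msgs}


# Constructed message space: messages of two different lengths (3 and 2 bytes).
PRIOR = uniform_prior(b"Oui", b"Non", b"Yes", b"No")

if __name__ == "__main__":
    print("length-preserving OTP, ciphertext of 2 bytes:", posterior(PRIOR, 2))
    print("perfect secrecy, no padding:   ", is_perfectly_secret(PRIOR))
    print("perfect secrecy, fixed 3 bytes:", is_perfectly_secret(PRIOR, "fixed", 3))
    print("perfect secrecy, 64-byte blocks, messages of 2 and 70 bytes:",
          is_perfectly_secret(uniform_prior(b"No", b"x" * 70), "block", 64))
```

With the length-preserving pad a 2-byte ciphertext moves all probability onto "No"; padding every message to one fixed length restores the equality, while padding to a multiple of 64 bytes fails again as soon as the message space spans more than one block.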
Cryptography-Digest Digest #547

2001-01-25 Thread Digestifier

Cryptography-Digest Digest #547, Volume #13  Thu, 25 Jan 01 06:13:00 EST

Contents:
  Re: Snake Oil (Anthony Stephen Szopa)
  Re: Some Enigma Questions -- 150*10^18 settings? (Frode Weierud)
  Re: Dynamic Transposition Revisited (long) (Terry Ritter)
  Re: Creating a self extracting encrypted exe? ("Vladimir Katalov")
  Re: Secure game highscore server (Niklas Frykholm)
  Re: Barrett Modular Reduction with large x (Bryan Olson)
  Re: Dynamic Transposition Revisited (long) (Mok-Kong Shen)
  Re: Cryptographic Camouflage (Mok-Kong Shen)
  Re: Echelon in Asia. (Arturo)
  Re: Snake Oil (Richard Heathfield)



From: Anthony Stephen Szopa [EMAIL PROTECTED]
Crossposted-To: or.politics,talk.politics.crypto,misc.survivalism
Subject: Re: Snake Oil
Date: Wed, 24 Jan 2001 23:54:02 -0800

Paul Rubin wrote:
 
 Anthony Stephen Szopa [EMAIL PROTECTED] writes:
  Take my encryption software.  Give it a go.  Prove to us you can
  break it.  Give us your most tenuous reasonable explanation on how you
  would go about it.
 
  Or do you just talk about snake oil having never known what it really
  is?
 
 That's another standard whine of the snake oil salesman, saying "how
 can you know it's bad unless you try it?".  Of course, you have to
 expend your own resources / risk your own health in order to try it,
 with no compensation from the salesman if (as you suspected) the
 product is no good.  In typical cases the salesman even wants you to
 pay for the product before you can test it, though that may not be
 going on here.  In either case, the salesman is claiming you're remiss
 unless you're willing to work for him for free.  It's not an
 impressive argument.
 
 Anthony: you are not offering to let people test your cipher under the
 same conditions that 3DES can be tested.  Specifically, 3DES protects
 millions of dollars of live traffic every day, so it's worth that much
 for someone to be able to crack it.
 
 How many million dollars are you offering to anyone who cracks your
 cipher?  That's the test that 3DES passes every day, that you have not
 offered to submit your cipher to.
 
 After all, some of us are professionals here.  That means if we do
 cryptography for someone, we expect to get PAID for it.


Speaking of money (at least indirectly):

If you can believe that I did indeed invent the anti-piracy protocol
basis upon which MS is now touting as their latest "innovation" 
while almost certainly having no legally defensible or legally
enforceable rights to it, what does this say about MS taking 
advantage of probably most of the major software producers by 
having them sign non-disclosure agreements and possibly even 
signing contracts to commit to exclusive usage of MS's anti-piracy
"innovation" all the while MS knew that their "partners" didn't have 
a clue about me?

I bet they have been chuckling quite a bit about it.

I can already begin to hear the drone of masses of computer software
company stockholders gnashing their teeth.


"Tai Chi is just a path;
it is not the way."-- ASS  2001

--

From: [EMAIL PROTECTED] (Frode Weierud)
Subject: Re: Some Enigma Questions -- 150*10^18 settings?
Date: 25 Jan 2001 08:34:33 GMT
Reply-To: [EMAIL PROTECTED]

wint [EMAIL PROTECTED] writes:

How is the "150 million trillion" (150 * 10^6 * 10^12 = 1.5*10^20) 
computed? My math gives a much lower number -- too low to be 
correct. Here goes.

Three rotors, with 26 letters:
   26*26*26  =  17,576 starting positions

Three rotors selected from 5:
   5*4*3   = 60 rotor choices

Plugboard with 13 wire pairs (26/2, wild guess here):
   13!  = 6.2 billion ways to plug in the wires (wow!)

This is where the error is. First of all the "150 million trillion"
is calculated using 10 Steckers which gives a greater value for the
possible Stecker combinations than 13. Actually 11 Steckers give the
maximum number of combinations.

The way to compute this value is first to select the number of
Stecker plugs that 10 Stecker connections will use. One Stecker connection
will occupy 2 plugs, 10 Stecker will occupy 20 and s Stecker will occupy
2s. These 2s plugs can be selected from a total of 26 plugs which gives:

  (26)          26!
  (  ) = -----------------
  (2s)   (2s)! * (26-2s)!

Within this selected group of plugs the first Stecker end can select
any of the 2s plugs the other end has a choice of (2s-1), the second
Stecker has a choice of (2s-3) plugs to complete the connection, third
Stecker (2s-5) etc.

The total expression will then be:

  (26)                                              26!
  (  ) * (2s-1) * (2s-3) * (2s-5) * ... * 1 = ---------------------
  (2s)                                        (26-2s)! * s! * 2^s

Using this formula the number of combinations for 10 Steckers will be
about 1.5 * 10^14 which, if you divide with your

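An added example (not from the post) that evaluates Frode Weierud's Stecker count both the long way, as the derivation above does, and in its closed form, finds the number of cables that maximises it, and reproduces the "150 million trillion" figure for the 10-Stecker case from the rotor counts given by wint.

```python
from math import factorial

ROTOR_POSITIONS = 26 ** 3   # three rotors, 26 starting positions each
ROTOR_ORDERS = 5 * 4 * 3    # three rotors chosen, in order, from five


def stecker_by_selection(s: int) -> int:
    """Count the post's way: choose 2s of the 26 sockets, then pair them
    up (2s-1)(2s-3)...1 ways."""
    if not 0 <= s <= 13:
        raise ValueError("a 26-socket board holds at most 13 Stecker cables")
    choose_sockets = factorial(26) // (factorial(2 * s) * factorial(26 - 2 * s))
    pairings = 1
    for k in range(2 * s - 1, 0, -2):
        pairings *= k
    return choose_sockets * pairings


def stecker_combinations(s: int) -> int:
    """Closed form of the same count: 26! / ((26-2s)! * s! * 2**s)."""
    if not 0 <= s <= 13:
        raise ValueError("a 26-socket board holds at most 13 Stecker cables")
    return factorial(26) // (factorial(26 - 2 * s) * factorial(s) * 2 ** s)


def most_combinations() -> int:
    """Number of cables that maximises the plugboard's contribution."""
    return max(range(14), key=stecker_combinations)


def enigma_settings(s: int) -> int:
    """Rotor orders * rotor positions * plugboard wirings for s cables
    (ring settings ignored, as in the thread's count)."""
    return ROTOR_ORDERS * ROTOR_POSITIONS * stecker_combinations(s)


if __name__ == "__main__":
    for s in range(14):
        print(f"{s:2d} Stecker: {stecker_combinations(s):,}")
    print("most combinations at", most_combinations(), "Stecker")
    print("total settings with 10 Stecker:", f"{enigma_settings(10):.3e}")
```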
Cryptography-Digest Digest #547

2000-08-27 Thread Digestifier

Cryptography-Digest Digest #547, Volume #12  Sun, 27 Aug 00 06:13:00 EDT

Contents:
  Re: PGP Bug: A note from Ralf Senderek (Jonathan Thornburg)
  Re: What is required of "salt"? (those who know me have no need of my name)
  Re: PGP Bug: A note from Ralf Senderek ("Michel Bouissou")
  Re: PGP Bug: A note from Ralf Senderek ("David Sternlight")
  RSA Cryptography Today FAQ (1/1) ([EMAIL PROTECTED])
  Re: SHA-1 program, wrongo ! (those who know me have no need of my name)
  PGP ADK Bug: What we expect from N.A.I. ("Michel Bouissou")
  Re: Steganography question ("Harris Georgiou")
  Re: PRNG Test Theory (Mok-Kong Shen)
  Re: stegonographic overuse (David Blackman)
  Re: PGP ADK Bug: What we expect from N.A.I. (John Berger)
  Re: 320-bit Block Cipher (Mack)
  Re: You _DONT_ want a quantum computer. (John Bailey)



From: [EMAIL PROTECTED] (Jonathan Thornburg)
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
Subject: Re: PGP Bug: A note from Ralf Senderek
Date: 27 Aug 2000 09:21:35 +0200

In article 8o9hbi$s5t$[EMAIL PROTECTED],
Harald Milz  [EMAIL PROTECTED] pointed out the irony of a poster
quoting Ralf Senderek's advice to
  "Use PGP-classic in a reliably secure environment." 
in a message with a pgp 6.5.8 signature block.

Another similar irony:  During much of the US government's prosecution
of Phil Zimmermann, CERT (funded by the US government) included in each
CERT advisory text such as the following:
 Using encryption
 
We strongly urge you to encrypt sensitive information sent by email.
Our public PGP key is available from

http://www.cert.org/CERT_PGP.key

-- 
-- Jonathan Thornburg [EMAIL PROTECTED]
   http://www.thp.univie.ac.at/~jthorn/home.html
   Universitaet Wien (Vienna, Austria) / Institut fuer Theoretische Physik
   Seen on usenet (dueling .signature quotes):
   #1: "If we're not supposed to eat animals, why are they made of meat?"
   #2: "If we're not supposed to eat people, why are they made of meat?"

--

From: [EMAIL PROTECTED] (those who know me have no need of my name)
Subject: Re: What is required of "salt"?
Date: Sun, 27 Aug 2000 07:38:57 GMT

[EMAIL PROTECTED] divulged:

The advantage of using username+servername [as the salt] is
that those values need to be entered (known) anyway.

and is exactly why they shouldn't be used.

-- 
okay, have a sig then

--

From: "Michel Bouissou" [EMAIL PROTECTED]
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
Subject: Re: PGP Bug: A note from Ralf Senderek
Date: Sun, 27 Aug 2000 09:43:35 +0200

=BEGIN PGP SIGNED MESSAGE=
Hash: SHA1

"Harald Milz" [EMAIL PROTECTED] wrote in message news:
8o9hbi$s5t$[EMAIL PROTECTED]

  -BEGIN PGP PUBLIC KEY BLOCK-
  Version: PGPfreeware 6.5.8 for non-commercial use
  http://www.pgp.com Comment: Corrigez le bug PGP ADK. Installez
  PGP 6.5.8 ou plus recent.

 Is it just me, or is that ironic?

Let me clarify a point:

Ralf Senderek used PGP 2.6.3ia to sign his post, as his signature
shows:

-BEGIN PGP SIGNATURE-
Version: 2.6.3ia
Charset: noconv

I added myself his public key to the end of the post, as I clearly
state it in the post, to help readers check Ralf's signature.

I (and not Ralf) was using PGP 6.5.8 that I was evaluating, and that
is why Ralf's public key, which I extracted from my own public
keyring, shows a 6.5.8 version stamp. This comes from me, not from
Ralf.

Sorry if this has led some of you to wrong conclusions.

[EMAIL PROTECTED]


=BEGIN PGP SIGNATURE=
Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com
Comment: Corrigez le bug PGP ADK. Installez PGP 6.5.8 ou plus recent.

iQA/AwUBOai4l47YarFcK+6PEQKT4wCgns5+q8tnn9JZ9RrEhdj+8PWAGIYAoODh
5hslgwfGIQQ0LY+P9+dTKAhV
=cbPk
=END PGP SIGNATURE=




--

From: "David Sternlight" [EMAIL PROTECTED]
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
Subject: Re: PGP Bug: A note from Ralf Senderek
Date: Sun, 27 Aug 2000 07:46:26 GMT


"Harald Milz" [EMAIL PROTECTED] wrote in message
news:8o9hbi$s5t$[EMAIL PROTECTED]...
 In comp.security.pgp.discuss Michel Bouissou [EMAIL PROTECTED] wrote:
  "Use PGP-classic in a reliably secure environment." That would be my
  advice if I had 49 characters left on the telegram.
  Ralf Senderek

 ...

  -BEGIN PGP PUBLIC KEY BLOCK-
  Version: PGPfreeware 6.5.8 for non-commercial use http://www.pgp.com
  Comment: Corrigez le bug PGP ADK. Installez PGP 6.5.8 ou plus recent.

 Is it just me, or is that ironic?

What's ironic is the signature below:

 --
 "50 million potential S/Mime users can't be wrong But they can all be
 stupid!"
- Sam Simpson in comp.security.pgp.discuss




-

Cryptography-Digest Digest #547

1999-11-11 Thread Digestifier

Cryptography-Digest Digest #547, Volume #10  Thu, 11 Nov 99 17:13:03 EST

Contents:
  Re: Compression: A ? for David Scott (Tim Tyler)
  Re: S/MIME plug-in for Eudora? Strong Encryption ([EMAIL PROTECTED])
  Re: The DVD Hack: What Next? (Lincoln Yeoh)
  Re: Lenstra on key sizes (Medical Electronics Lab)
  Re: Encryption Placement (Paul Koning)
  Re: Compression: A ? for David Scott ("Douglas A. Gwyn")
  Re: RC4 in Kremlin US version 2.21 can be cracked !! (Tom St Denis)
  Re: Ultimate Crypto Protection? (Tom St Denis)
  Re: Compression: A ? for David Scott (Tim Tyler)
  Re: Proposal: Inexpensive Method of "True Random Data" Generation (Mike McCarty)
  Re: Lenstra on key sizes (Bill McGonigle)
  Re: Ultimate Crypto Protection? (HJS)
  Re: What sort of noise should encrypted stuff look like? (Bill Unruh)
  Re: What's gpg? PHILOSOPHY 101
  Re: What's gpg? PHILOSOPHY 101
  Re: S/MIME plug-in for Eudora? Strong Encryption (Doug McIntyre)
  Re: Build your own one-on-one compressor (Mok-Kong Shen)
  Re: For all lions --- (Mok-Kong Shen)
  Re: Build your own one-on-one compressor (Mok-Kong Shen)
  Re: Proposal: Inexpensive Method of "True Random Data" Generation (Mike McCarty)
  real random number generator idea -- any criticisms? ([EMAIL PROTECTED])



From: Tim Tyler [EMAIL PROTECTED]
Subject: Re: Compression: A ? for David Scott
Reply-To: [EMAIL PROTECTED]
Date: Thu, 11 Nov 1999 17:59:54 GMT

Tom [EMAIL PROTECTED] wrote:
: On Tue, 9 Nov 1999 23:19:02 GMT, Tim Tyler [EMAIL PROTECTED] wrote:
:Tom [EMAIL PROTECTED] wrote:
:: (SCOTT19U.ZIP_GUY) wrote:
::In article [EMAIL PROTECTED], [EMAIL PROTECTED] wrote:

:: I think you're actually Tommy St Dennis since you don't seem to understand
::what is going on. And seem not to actually read the posts.
::
:: It's not a question of understanding, it's a question of believing any
:: of it.
:
:Hopefully, reason - rather than faith - will prove sufficient.

: I'd hope so, but that doesn't seem to be the case.

;-(

::   Again if you don't use o-o-o compression you open your self up
::to cipher only attacks. Do you understand this point before we go
::into other areas to explore.
::
:: The only cipher only attack that has been presented is a reduction in
:: the set of possible output files from standard compression, which is a
:: factor of the compression being non-perfect, not of it being non
:: o-o-o, and of irreversibility, and this also isn't a function of it's
:: being non o-o-o.
:
:"irreversible" and "non-o-o-o" are pretty much synonyms...?
:
: The o-o-o example is given as E(D(x)) = x, and D(E(y)) = y for any y
: or x, which is symmetrical.  By reversible, I mean y=D(x) for any x,
: meaning that any x decompresses to something.

D(x) = x/2 (if x is even)
D(x) = 0 (if x is odd)

...is reversible by your definition of reversible.

However, AFAICS, *nobody* else would call this "reversible".

If something's reversible, you can reverse it.

No information is lost running in either direction.

Your definition doesn't appear to correspond with common usage.

:: Again, this o-o-o concept is not generally accepted, nor has it been
:: proven to be true.  
:
:What exactly is your problem with it?  It demonstrably prevents certain types
:of security leak.
:
: Only argument has been against brute force, and that doesn't hold up.

This is because you've not been paying attention.  The main point is
to eliminate clues that aid cryptanalysis.  The argument does /not/ depend
on the possibility of a brute-force attack.

: I have no "problem" with it, except that it's being presented as fact
: when it doesn't appear to be at all.

:: If you were to claim that a compressor where y=Decompress(x), where x
:: can be any file, I'd agree it could be of some advantage.  That's true
:: for o-o-o, but o-o-o isn't required.
:
:The property you mention is inadequate (or at least sub-optimal) from a
:security POV.
:
: Why not? [...]

It's trivial to create such a compressor.  A wrapper around LZW compression
that suppresses errors and spits out the null file when it finds one would
qualify :-(

This has nothing to do with eliminating clues that aid cryptanalysis - and
completely misses the point ;-/

:o-o-o compression offers better protection than this.

: Why?

Because (for one thing) the decomp(X) = some Y for any X says nothing about
whether the analyst can use Comp(Decomp(X)) = X to detect invalid compressed
files.

The decomp(X) = some Y for any X property alone barely offers any protection at all.

I'm getting tired answering the same questions over and over again.

We need a one-on-one compression FAQ.  Until this is available, see
http://www.alife.co.uk/securecompress/ for a basic introduction to
one-on-one compression.
-- 
__
 |im |yler  The Mandala Centre  http://www.mandala.co.uk/  [EMAIL PROTECTED]

I'm pink, therefore I spam.
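An added illustration (not code from the thread) of the Comp(Decomp(X)) = X check Tim Tyler describes: it runs that check over the toy decompressor D(x) from the post and, for contrast, over a bijective base-256 numeration that stands in here for a one-on-one compressor (an assumption: a real o-o-o compressor is far more involved, but has the same round-trip property).

```python
# Tim Tyler's toy from the post: every integer "decompresses to something",
# but the mapping is not one-to-one.
def decomp_toy(x: int) -> int:
    return x // 2 if x % 2 == 0 else 0


def comp_toy(y: int) -> int:
    return 2 * y


# Bijective base-256 numeration (assumed stand-in for an o-o-o compressor):
# every non-negative integer is exactly one byte string, and vice versa.
def bytes_to_int(b: bytes) -> int:
    n = 0
    for c in b:
        n = n * 256 + c + 1
    return n


def int_to_bytes(n: int) -> bytes:
    out = bytearray()
    while n > 0:
        n -= 1
        out.append(n % 256)
        n //= 256
    return bytes(reversed(out))


def round_trip_ok(comp, decomp, x) -> bool:
    """The analyst's check from the post: does Comp(Decomp(X)) give X back?"""
    return comp(decomp(x)) == x


def rejection_rate(comp, decomp, n: int) -> float:
    """Fraction of candidate 'compressed files' 0..n-1 the check rejects.
    Every rejected candidate is a clue that a trial decryption was wrong,
    which is exactly the clue o-o-o compression is meant to deny."""
    rejected = sum(1 for x in range(n) if not round_trip_ok(comp, decomp, x))
    return rejected / n


if __name__ == "__main__":
    print("toy D(x):        ", rejection_rate(comp_toy, decomp_toy, 1000))
    print("bijective coding:", rejection_rate(bytes_to_int, int_to_bytes, 1000))
```

Half of all candidates fail the check under the toy scheme, even though each one "decompresses to something"; under the bijective coding none do, so the check tells the analyst nothing.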


Cryptography-Digest Digest #547

1999-05-13 Thread Digestifier

Cryptography-Digest Digest #547, Volume #9   Thu, 13 May 99 20:13:01 EDT

Contents:
  Re: Hello I am paper, please read me. ([EMAIL PROTECTED])
  Review of "Cryptonomicon" (John A. Sidles)
  Re: Hello I am paper, please read me. ([EMAIL PROTECTED])
  Re: Hello I am paper, please read me. (Jim Felling)
  Re: Hello I am paper, please read me. (David Wagner)
  Re: Thought question: why do public ciphers use only simple ops like shift and XOR? (Terry Ritter)
  Re: Fast random number generator -- Need C code for simulation (Terry Ritter)
  Re: Hello I am paper, please read me. (David Wagner)
  PGP 6.0/6.2 for Macintosh (Lee Kanner)
  Re: Thought question: why do public ciphers use only simple ops like shift and XOR? (Terry Ritter)
  Re: Random permutation (Bryan Olson)
  Re: Fast random number generator -- Need C code for simulation (Terry Ritter)
  Re: Fast random number generator ([EMAIL PROTECTED])
  Re: Fast random number generator -- Need C code for simulation ([EMAIL PROTECTED])



From: [EMAIL PROTECTED]
Subject: Re: Hello I am paper, please read me.
Date: Thu, 13 May 1999 21:57:30 GMT

snip

But A() is not known at the start, so how do you solve that?

i.e B(A(i))

But A() is not 0,1,2,3,...,255 it could be any N! deck.

So how do you know that n = B(A(i)) and n = B(i) are true?

Tom


--== Sent via Deja.com http://www.deja.com/ ==--
---Share what you know. Learn what you don't.---

--

From: [EMAIL PROTECTED] (John A. Sidles)
Subject: Review of "Cryptonomicon"
Date: 13 May 1999 22:20:54 GMT

Dear sci.crypter's

With Father's day coming up, I just thought I'd post a
very favorable review of Neal Stephenson's new book
'Cryptonomicon'.

'Cryptonomicon' is sufficiently complicated that there
are plenty of different ways to read it: for me it's a
lengthy and very funny meditation on the love-hate
relationship that we human beings have with information
--- particularly our fondness for destroying, concealing,
and obfuscating information, but also our (much less
common) love of *creating* information.

So if I had to summarize this book in a phrase, it would be: 

  'Catch 22' meets 
  'Goedel, Escher, Bach' and
  'Gravity's Rainbow'

On the other hand, you can also read 'Cryptonomicon' as a
Tom Clancy novel, inspired by Eric Temple Bell's 'Men of
Mathematics', and written in haste by Mr. Clancy during
an acute febrile illness while watching reruns of 'World 
at War' on cable TV.

Many readers of sci.crypt will either have a Father or be
a Father, so either way, with Father's Day coming up,
it's time to go to the bookstore.

Happy information-processing --- John Sidles

(PS: I do not know and have never met Mr. Stephenson ...
I'm just a fan of his novels.)




--

From: [EMAIL PROTECTED]
Subject: Re: Hello I am paper, please read me.
Date: Thu, 13 May 1999 22:28:15 GMT

snip

 Since Deck A is used in numerical order A(1),, A(i),..., A(n) and
A
 contains all values from 1 to n

Not in any given order!!!


 let deck A' be a simple ordered deck. A'(i)=i, now construct B' as
follows
 B'(i) =C(., i)

Not true for N! - 1 cases!!!


 then B'(i) = B(A(i)). So I now have an isomorphic system to A,B and
use it
 to conduct my stream generation.

Same as above...  The fact that there are even/odd patterns is not
exploitable because after many shuffles the odd/evenness disappears,
and is random.  Since the chance of having an lsb of 1/0 has a
probability of 1/2 you can't predict the even/oddness.

And since you don't know deck B you can't tell if deck A has even/odd,
odd/even or etc..

Can you post more details please?

BTW, I already know the key schedule stinks, and the shuffle algorithm
could be better.  Any ideas?

Tom


--
PGP public keys.  SPARE key is for daily work, WORK key is for
published work.  The spare is at
'http://members.tripod.com/~tomstdenis/key_s.pgp'.  Work key is at
'http://members.tripod.com/~tomstdenis/key.pgp'.  Try SPARE first!


--== Sent via Deja.com http://www.deja.com/ ==--
---Share what you know. Learn what you don't.---

--

From: Jim Felling [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Subject: Re: Hello I am paper, please read me.
Date: Thu, 13 May 1999 18:05:35 -0500

Please note that I am using A and B after the key setup phase is done.
[EMAIL PROTECTED] wrote:

 snip

  Since Deck A is used in numerical order A(1),, A(i),..., A(n) and
 A
  contains all values from 1 to n

 Not in any given order!!!

You are correct as to the fact that they are not in any given order, but
they are USED in a specific order,  as A is used as follows first A(1) is
generated, then A(2) and so on.



 
  let deck A' be a simple ordered deck. A'(i)=i, now construct B' as
 follows
  B'(i) =C(., i)

Please note that I am referring not to B, but to B' -- this is a
definition. B'(i) = 0