Cryptography-Digest Digest #998, Volume #8       Fri, 29 Jan 99 13:13:03 EST

Contents:
  Re: Foiling 56-bit export limitations: example with 70-bit DES (wtshaw)
  Re: Strong cryptography: the many ways we can trust a key (Mok-Kong Shen)
  Grokking crypto randomness (was Re: Random numbers from a sound card? ([EMAIL PROTECTED])
  Re: Smaller RC6 (handWave)
  Re: Random numbers generator and Pentium III (Patrick Juola)
  Re: Spread Spectrum (wtshaw)
  Re: Question on key lengths (wtshaw)
  Re: Random numbers generator and Pentium III (Patrick Juola)
  Re: Foiling 56-bit export limitations: example with 70-bit DES ([EMAIL PROTECTED])
  Re: Who will win in AES contest ?? ([EMAIL PROTECTED])

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Foiling 56-bit export limitations: example with 70-bit DES
Date: Fri, 29 Jan 1999 09:20:53 -0600

In article <78sh1l$hhh$[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:

> 
>   DES is not a random cipher over more than 64-bits (one block).
But, it does not dictate what you can do to the data before you give it a
block of bits to deal with.  There are many ways to deliver a block of
bits that are already transformed from recognizable text, so you would
have to solve enough blocks for the solution of what came before, which
could be many, many blocks. 

The error that is so tempting is in trying to do the other layers too much
like DES itself, rather than going in another direction altogether. 
Indeed, it would not take very much of a complication to leverage
significant increases in effective keylength.
-- 
A much too common philosophy: 
It's no fun to have power....unless you can abuse it.

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Strong cryptography: the many ways we can trust a key
Date: Fri, 29 Jan 1999 17:13:24 +0100

[EMAIL PROTECTED] wrote:
> 

> 
> But, what happens if Wassenaar changes and restricts this method?
> 
> The proposed method depends on Ignorance -- no one has ever been able to limit
> Ignorance ;-)  You cannot limit what is not known.

The last sentence is excellent! (Big dictators would however forbid
'ignorance'. Those who don't acclaim their doctrines must sit down
and learn their holy books by heart. :-)

M. K. Shen

------------------------------

From: [EMAIL PROTECTED]
Subject: Grokking crypto randomness (was Re: Random numbers from a sound card?
Date: Fri, 29 Jan 1999 14:46:12 GMT

  [EMAIL PROTECTED] wrote:
> A year ago I came onto sci.crypt with ill-formed notions of
> crypto-grade randomness. After what seemed like a thousand posts from
> many participants, the truth emerged.

On the theme of effective educational strategies for giving a feeling
for cryptorandomness, I'll suggest the following


> Keep in mind that many PRNGs pass statistical tests.
This is the key point.  Consider the following facts.  Reconcile them.

1. Raw digitized noise will NOT pass these tests, but

2. Mindlessly (e.g., parity) distilled, digitized noise WILL pass these tests.

Ok, makes sense so far.  But:

3. A 10megabyte number generated by running a block cipher on the numbers
0,1,2,3,4,... WILL pass every finite test for randomness around.

(CAVEAT: IFF you knew the key that you initialized the cipher with, the
sequence would be clear.  Spooks take note.)

The 10 meg file would *not* pass a randomness test IF AND ONLY IF the
randomness test happened to decrypt the file with the right key first.  But
there are lots of keys to try, and you have to be looking for them.

(Also, if your sample size was large enough for the block-cipher PRNG, the
sequence would repeat and a randomness test *would* flag it, even without
knowing the key or the algorithm.  But this takes too long, for block
ciphers with large block sizes.)



> Numbers don't "look" crypto-random.

Face it, they do, even if it's not valid :-)

10110100 looks a lot more random than 11110000 because the human eye counts
the digraphs and finds a nonuniform distribution in the latter.  And for a
large enough sample, it'll almost always be right.  Similarly with  Diehard:
a random 10 megabyte block of all ones would be *highly* suspicious even if
possible.

You can probe this (and other perceptions of structure, e.g., perturbed 2-D
lattices of points) experimentally, but then it's psychology, or signal
detection theory.  It's related to texture perception; there's a reason for it.





"Properly done science is a sort of masochistic game where one beats
one's head against a wall until it falls down, and then goes in search
of another wall."  --Steven Vogel

============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/       Search, Read, Discuss, or Start Your Own    
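To make the three facts above concrete, here is an added example (written for this page, not code from the original post) that builds the three kinds of sequence the post contrasts and runs the same statistical test over each: a constructed biased bit source standing in for raw digitized noise, the parity-distilled version of it, and a block-cipher-on-a-counter stream. No cipher is named in the post, so SHA-256 keyed with a counter stands in for the block cipher (an assumption; any keyed PRF would do). `known_key_distinguisher` is the one "randomness test" that catches the counter stream: it regenerates the stream with a candidate key and compares.

```python
import hashlib
import math
import random


def raw_noise_bits(n, seed=1, p_one=0.6):
    """Constructed stand-in for raw digitized noise: a biased coin that comes up
    1 with probability p_one.  Seeded, so runs are repeatable."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def parity_distill(bits, k=8):
    """'Mindless' distillation: fold every k raw bits into one output bit by
    parity (XOR).  For a per-bit bias e the output bias is (2e)^k / 2, so the
    biased source comes out statistically flat."""
    return [sum(bits[i:i + k]) & 1 for i in range(0, len(bits) - k + 1, k)]


def ctr_keystream_bits(key, nblocks):
    """Block cipher run on 0, 1, 2, ...: SHA-256(key || counter) is the assumed
    stand-in for the keyed block cipher.  The stream is fully determined by the
    key, yet flat to anyone who lacks it."""
    bits = []
    for ctr in range(nblocks):
        block = hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        for byte in block:
            bits.extend((byte >> j) & 1 for j in range(8))
    return bits


def monobit_p_value(bits):
    """NIST SP 800-22 frequency (monobit) test.  Returns the p-value for
    'ones and zeros are balanced'; a tiny value means the sequence looks
    non-random."""
    n = len(bits)
    s = sum(2 * b - 1 for b in bits)
    return math.erfc(abs(s) / math.sqrt(2.0 * n))


def passes_monobit(bits, alpha=0.01):
    """Conventional accept/reject at significance alpha."""
    return monobit_p_value(bits) >= alpha


def known_key_distinguisher(bits, key):
    """The test that 'happens to decrypt the file with the right key first':
    regenerate the counter stream under `key` and compare.  With the wrong
    key it is just another flat sequence and the comparison fails."""
    nblocks = len(bits) // 256
    return bits == ctr_keystream_bits(key, nblocks)


if __name__ == "__main__":
    raw = raw_noise_bits(100_000)
    print("raw noise      p =", monobit_p_value(raw))
    print("parity-folded  p =", monobit_p_value(parity_distill(raw)))
    ks = ctr_keystream_bits(b"constructed-demo-key", 400)
    print("counter stream p =", monobit_p_value(ks))
    print("right key distinguishes:", known_key_distinguisher(ks, b"constructed-demo-key"))
    print("wrong key distinguishes:", known_key_distinguisher(ks, b"wrong-key"))
```

The raw source fails the monobit test outright, the parity-folded output and the counter stream both pass it, and only the regenerate-and-compare check separates the counter stream from noise. That last check is the reason a statistical pass says nothing about unpredictability: the test would have to be looking for the key.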

------------------------------

From: handWave <[EMAIL PROTECTED]>
Subject: Re: Smaller RC6
Date: Fri, 29 Jan 1999 08:34:40 -1000

Fabrice Noilhan wrote:
> 
> According to handWave  <[EMAIL PROTECTED]>:
> > The RC6 candidate for the Advanced Encryption Standard can use small
> > parameters for smart cards. RC6-w/r/b can use w=32 bit words, r=4 rounds,
> > and b=10 byte keys. It may use cipher block chaining so the small block
> > size does not leave it vulnerable to adversaries accumulating a
> > dictionary of 4 billion words. After 4 rounds, the mixing is nearly
> > ideal. The 80 bit key is good enough for rock and roll.
> 
> You have only decreased the number of rounds and the key length. It is
> noted in the AES submission paper that there are attacks up to 16 rounds
> which explains that they chose 20 rounds. And with 4 rounds, it should
> be easy to have an attack faster than exhaustive search... even for
> smart cards, we want the algorithm to be secure (speed comes second)!
> 
>         Fabrice

"Attacks" is not as convincing a phrase as "it is broken". What attack? 
Do they need 2^47 credit card transactions to "attack" it? Do they need 
2^47 plaintexts and 2^47 ciphertexts to get the key? If that is the kind 
of attack to which you refer, then you can attack for any practical 
scenario of smart card use, and not get the key for the lifetime of the 
card holder.

Also I want to make a correction: I intended to use a 32 bit "block" made 
of four 8 bit "words". RC6 always uses four words of length w bits. So 
the correction is w=8 bits. 

Vigorous handWaving ended.
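As an added illustration of the RC6-w/r/b parameterization under discussion (example code written for this page, not handWave's or the RC6 team's reference implementation), the class below implements the cipher generically in w, r and key length, so the AES-submission size RC6-32/20/16 and the small RC6-8/4/10 handWave describes (8-bit words, 32-bit block, 4 rounds, 80-bit key) are both just constructor arguments. P_w and Q_w are derived as Odd((e-2)2^w) and Odd((phi-1)2^w) per the RC6 paper; w is limited to 8, 16 and 32 so that derivation is exact in floating point. Nothing here says anything about whether 4 rounds are enough; it only makes the parameter choices runnable.

```python
import math


class RC6:
    """RC6-w/r/b: w-bit words (one block = 4 words), r rounds, any key length."""

    def __init__(self, key, w=32, r=20):
        if w not in (8, 16, 32):
            raise ValueError("w must be 8, 16 or 32")
        self.w, self.r = w, r
        self.mask = (1 << w) - 1
        self.lgw = w.bit_length() - 1          # log2(w): 3, 4 or 5
        self.S = self._key_schedule(key)

    def _rotl(self, x, n):
        n &= self.w - 1                        # rotation amount mod w
        return ((x << n) | (x >> (self.w - n))) & self.mask

    def _rotr(self, x, n):
        n &= self.w - 1
        return ((x >> n) | (x << (self.w - n))) & self.mask

    def _magic(self):
        """P_w = Odd((e-2)*2^w), Q_w = Odd((phi-1)*2^w), as in the RC6 paper."""
        def odd(x):
            n = math.floor(x)
            return n if n & 1 else n + 1
        phi = (1 + math.sqrt(5)) / 2
        return odd((math.e - 2) * (1 << self.w)), odd((phi - 1) * (1 << self.w))

    def _key_schedule(self, key):
        w, r = self.w, self.r
        u = w // 8                              # bytes per word
        c = max(1, -(-len(key) // u))           # key words, at least one
        L = [0] * c
        for i, byte in enumerate(key):          # little-endian word load
            L[i // u] |= byte << (8 * (i % u))
        P, Q = self._magic()
        t = 2 * r + 4                           # round keys needed
        S = [(P + i * Q) & self.mask for i in range(t)]
        A = B = i = j = 0
        for _ in range(3 * max(c, t)):          # mix key words into S
            A = S[i] = self._rotl((S[i] + A + B) & self.mask, 3)
            B = L[j] = self._rotl((L[j] + A + B) & self.mask, A + B)
            i = (i + 1) % t
            j = (j + 1) % c
        return S

    def _load(self, block):
        u = self.w // 8
        if len(block) != 4 * u:
            raise ValueError(f"block must be {4 * u} bytes")
        return [int.from_bytes(block[k * u:(k + 1) * u], "little") for k in range(4)]

    def _store(self, words):
        u = self.w // 8
        return b"".join(x.to_bytes(u, "little") for x in words)

    def encrypt_block(self, block):
        A, B, C, D = self._load(block)
        S, m, lg = self.S, self.mask, self.lgw
        B = (B + S[0]) & m
        D = (D + S[1]) & m
        for i in range(1, self.r + 1):
            t = self._rotl((B * (2 * B + 1)) & m, lg)    # quadratic mixing
            u = self._rotl((D * (2 * D + 1)) & m, lg)
            A = (self._rotl(A ^ t, u) + S[2 * i]) & m     # data-dependent rotation
            C = (self._rotl(C ^ u, t) + S[2 * i + 1]) & m
            A, B, C, D = B, C, D, A
        A = (A + S[2 * self.r + 2]) & m
        C = (C + S[2 * self.r + 3]) & m
        return self._store([A, B, C, D])

    def decrypt_block(self, block):
        A, B, C, D = self._load(block)
        S, m, lg = self.S, self.mask, self.lgw
        C = (C - S[2 * self.r + 3]) & m
        A = (A - S[2 * self.r + 2]) & m
        for i in range(self.r, 0, -1):
            A, B, C, D = D, A, B, C
            u = self._rotl((D * (2 * D + 1)) & m, lg)
            t = self._rotl((B * (2 * B + 1)) & m, lg)
            C = self._rotr((C - S[2 * i + 1]) & m, t) ^ u
            A = self._rotr((A - S[2 * i]) & m, u) ^ t
        D = (D - S[1]) & m
        B = (B - S[0]) & m
        return self._store([A, B, C, D])


if __name__ == "__main__":
    aes_size = RC6(b"\x00" * 16)                      # RC6-32/20/16
    print(aes_size.encrypt_block(b"\x00" * 16).hex())
    small = RC6(bytes(range(10)), w=8, r=4)           # RC6-8/4/10: 4-byte block
    ct = small.encrypt_block(b"\x01\x02\x03\x04")
    print(ct.hex(), small.decrypt_block(ct).hex())
```

With w=8 the block is four bytes, which is the size that makes the dictionary question in this thread concrete: a 32-bit block space has only 2^32 possible ciphertexts per key, whatever the round count.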

------------------------------

From: [EMAIL PROTECTED] (Patrick Juola)
Subject: Re: Random numbers generator and Pentium III
Date: 29 Jan 1999 10:55:10 -0500

In article <[EMAIL PROTECTED]>,
Mok-Kong Shen  <[EMAIL PROTECTED]> wrote:
>Patrick Juola wrote:
>> 
>> In article <[EMAIL PROTECTED]>,
>> Mok-Kong Shen  <[EMAIL PROTECTED]> wrote:
>> >R. Knauer wrote:
>> >>
>> >
>> >> It is called "crypto-grade" to distinguish it from the other kinds of
>> >> randomness that confuse this discussion.
>> >>
>> >> You do know the difference, don't you?
>> >
>> >Unless there are scientific tests to determine the 'crypto-grade'
>> >in terms of figure of merits or the like in quantifiable terms
>> >nobody (excepting perhaps you) will be able to know the difference!
>> 
>> The belief that to be knowledge something must be objectively
>> quantifiable is not science, but scientism.
>
>But at least in natural sciences theories have to be supported
>by experiments and experiments are based on measurements.

But experiments and measurements do not necessarily result in
*proof* in any sort of formal sense, nor in a characterization of
causes.  

A biologist may reliably believe that a certain class of mushrooms is poisonous
without either being able to state *why* it's poisonous or being able
to exactly characterize the class of non-poisonous mushrooms.  He may
also believe that another class is harmless, again, without knowing
the chemical reason.

He also may not know what chemical tests could be performed to determine
if a given mushroom specimen were poisonous.  Furthermore, he may not
know that all mushrooms of a given class are poisonous for the same
chemical reason, nor that all mushrooms *not* of that class are
harmless.

You could say that if one mushroom is poisonous and another
is not, then there must be "scientific tests to determine [the
harmlessness]...  in quantifiable terms" on the basis of chemical assay.

You would also be very wrong, very foolish, and quite possibly very
dead.  

        -kitten

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Spread Spectrum
Date: Fri, 29 Jan 1999 10:48:10 -0600

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:

> On Thu, 28 Jan 1999 23:33:52 -0600, [EMAIL PROTECTED] (wtshaw) wrote:
> 
> >In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
wrote:
> >
> >> On Thu, 28 Jan 1999 15:31:24 -0600, [EMAIL PROTECTED] (wtshaw) wrote:
> >> 
> >> >In article <[EMAIL PROTECTED]>,
> >[EMAIL PROTECTED] wrote:
> >> >
> >> >> Title is The Bug Book and publisher is
> >> >> Paladin Press in Boulder Colorado. 
> >> >> 
> >> >That sounds like an old title, in fact I believe that I have volumes 1, 2,
> >> >and 3, and it is about some early integrated circuits, not exactly what
> >> >you have in mind.  It might be a good idea to check title archives or you
> >> >may be adding to someone's confusion. 
> >> 
> >> New edition of old book, but there never was more than one 'volume'.

I was correct, by the way, as The Bug Book, I, II, and III, do now sit on
my desk, being retrieved from the archives.  The authors of I and II are
P. Rony and D. Larson, and J. Titus was added to The Bug Book III.  These
fourth editions were published by Southern Printing in Blacksburg,
Virginia, the Publisher be listed as E & L Instruments, Inc., Derby,
Connecticut, and I would consider them as more in the classic realm than a
pile of redundant routine technical information from a manufacturer.
> >> 
> >
> >Someone did give a URL. It all depends if you want the original speech
> >characteristics or will settle for something like good synthesized
> >speech.  Taking digital to analog takes some smoothing integrator circuits
> >to knock the corners off the stepped waves, so to speak.  The oldest and
> >simplest way is with a series of parallel filters with darlington stages
> >to allow good recovery from the LC circuits.
> >> >-- 
> 
> Quality of speech is not important other than that it can be
> recognized as speech; understood. 
> 
> As to the electronics, I somewhat understand DAC and ADC, Schmidt
> triggers, Darlington pairs, etc, but this is too technical for the
> book.
> 
> So, I might pose the question in a different way:
> 
> Is a computer and software, such as Fast Fourier Analysis required to
> extract recognizable speech from a DSSS transmission or is this
> possible in real time using a wideband receiver with filters, DAC's or
> whatever in the front end, or is it a combination of both?

It seems that you would have a preference for certain types of
technical information for the book rather than wanting to dumb it down
altogether.
> 
> Intercept the signal, and feed it into the computer through some kind
> of signal acquisition card? Audio from the radio or discriminator
> output?

The key word is *demodulate* the signal into a stream of data that can be
handled by a computer.  It might, in your current terminology be called a
signal acquisition card, but more likely will be in a limited number of
devices buried somewhere on a board with something else, and it might not
even be in the audio range at all.

You could use mathematical means of recovering wave forms, but that is
only one means.  It would seem that the more passive the circuits are
computationally, the more efficient it would be since the human brain is
capable of some of the integration.  

I would suggest that the most efficient means of transferring voice to a
listener, when you don't care about recognizing the original speaker is to
use voice recognition, send efficient phoneme information, and generate
acceptable speech from that.  

Trying to put everything into real words for transmission is probably best
replaced by doing one less step at each end and communicating in a set
representing the real range of spoken speech elements in a suitable based
set.  Just like colors in pictures, you would need to determine the
resolution of the voice to be delivered, certainly many more than 26
elements.  I bet the VR people have a ready number in mind.
> 
> I appreciate the responses but they are over my head; I don't know the
> basics well enough.
> 
> Thanx again...
> 
> M L Shannon
-- 
A much too common philosophy: 
It's no fun to have power....unless you can abuse it.

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Question on key lengths
Date: Fri, 29 Jan 1999 10:48:35 -0600

In article <[EMAIL PROTECTED]>, Brett W <[EMAIL PROTECTED]>
wrote:
> 
> This may sound stupid, but is there any particular reason we have key
> lengths that are a power or multiple of 2. Is it for efficiency, beauty
> (there seems to be something elegant with 1024, 2048 etc) or that
> something restricts it to being like this?
> 
A number is a number, and is different from another number.  All numbers are
elegant, considering the alternative.  Zero was a hard concept to develop,
so it came last, and we really did need it.

Keys can be based on any information unit, or not.  Historically, keys
were in characters or digits, the alphabets varying in length throughout
the world, so the bases of the keys did also, each base defining a size of
information unit, more appropriately not an integer power of some other
base.

This means that bases 16, 64 are reduced to bits, being powers of two, and
bases 9, 27, and 81 are still reduced to trits, being powers of three, and
digits are still digits, all basic information units, amongst others.

Bacon, in a rather inefficient system, introduced a bit-like key where
individual letters were encrypted in five bits.  Not too long ago, I did
an algorithm that is similar, but used 27 characters and is based on
trits, and a "bit" more efficient than one using 26 letters, or whatever
number of characters he had to work with.   So much for history.

Computers make things easier.  I don't go with the idea given current
memory and processor speeds that we need worry too much about making
things always easier for binary computers, but there is good reason to
consider it advantageous to do so when throughput is a major factor.  For
unprejudicial thinking, in which all numbers have status, the computer is
a facilitator in the quest to understand more mathematical relationships,
not a reason to restrict such thinking to one particular unit of
information.

It is said that people want yes or no answers, but the truth is that you
will also get: I don't know,  I don't understand, it is not as simple as
that, give me a third choice, I mean to decide not but have not.  If we
include all those other options, then we would need base 7, using hepits
as an information unit to describe the answer to the question to be more
accurate.  

So it is with numbers, where limiting choices can mean biasing the
information that we retain, two not being a very natural base at all for
humans, or how would you like to rate girls as zeros or ones; there being
a need for a greater scale.  Even 1 to 10, which is digit based.   Females
may say that this is too simplistic since they should not be so rated;
they might be right.  Consider that many encourage such ratings if it is
thought that they would be graduated to the one status rather than falling
to a zero in a binary system, putting them in the same classification as
the eights, nines, or tens.  I hope this speaks to you.

Now, to keys: there are different types of keys, not always random
selections of characters from a set.   0110010011111010 might be
convenient to you, but it had better be written as 68FA if you want to
remember it, binary not being the most memorable system.  Here we select
another set for "convenience."

And, there are keys that are permutations, different orders of a so many
elements, from a set, or the entire set itself. These are no less of
importance than the above, although they may not be clearly converted to
the above.  I would consider N! as a meaningful, and certainly elegant,
means of representing a number of keys.

And, information units can be mathematically converted from one size to
another, the larger the base involved, the greater the size of the unit
involved.  So, we find that one trit is equal to 1.5849625 bits, showing
that all things are not cleanly reduced to integer quantities of bits.  
And, permuted keys are not naturally going to be in bits either.  If you
need bits, you can get an equivalent number of bits, or trits, or digits,
or other, depending on your little heart's desire.  I find the range of
mathematics a more elegant set of things to consider than being snared into one
line of thinking.
-- 
A much too common philosophy: 
It's no fun to have power....unless you can abuse it.
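The unit accounting in the post above (trits versus bits, permutation keys counted as N!, keys rewritten in another base) is easy to get wrong by hand, so here is an added worked example, written for this page and not part of wtshaw's post, that does the bookkeeping: information per symbol for an arbitrary base, the entropy of a permutation key, how many symbols of one base are needed to carry a given number of bits, and an exact rebase of a key between digit alphabets.

```python
import math


def bits_per_symbol(base):
    """Information in one symbol drawn uniformly from `base` values: log2(base).
    A trit carries log2(3) = 1.5849625... bits, which is not an integer."""
    if base < 2:
        raise ValueError("base must be at least 2")
    return math.log2(base)


def key_bits(base, n_symbols):
    """Entropy of an n-symbol key, each symbol uniform over `base` values."""
    return n_symbols * bits_per_symbol(base)


def permutation_key_bits(n):
    """Entropy of a key that is one ordering of n distinct elements: log2(n!).
    Python's math.log2 accepts the exact big integer, so no overflow."""
    return math.log2(math.factorial(n))


def symbols_needed(base, target_bits):
    """Smallest number of base-`base` symbols carrying at least target_bits."""
    return math.ceil(target_bits / bits_per_symbol(base))


def rebase(digits, from_base, to_base):
    """Rewrite a key given as a digit list (most significant first) in another
    base.  The integer value is preserved exactly; only the symbol count and
    alphabet change.  Leading zeros of the input are not preserved."""
    value = 0
    for d in digits:
        if not 0 <= d < from_base:
            raise ValueError(f"digit {d} out of range for base {from_base}")
        value = value * from_base + d
    if value == 0:
        return [0]
    out = []
    while value:
        value, d = divmod(value, to_base)
        out.append(d)
    return out[::-1]


if __name__ == "__main__":
    print("one trit  =", bits_per_symbol(3), "bits")
    print("20 symbols from a 27-letter alphabet =", key_bits(27, 20), "bits")
    print("52-card shuffle as a key =", permutation_key_bits(52), "bits")
    print("trits needed for 56 bits =", symbols_needed(3, 56))
    print("10110100 in hex digits  =", rebase([1, 0, 1, 1, 0, 1, 0, 0], 2, 16))
```

The rebase makes the non-integer point visible: 36 trits carry a little over 57 bits, so a 56-bit key fits but the trit string has a sliver of slack, and converting back and forth between trits and bits never lands on equal symbol counts.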

------------------------------

From: [EMAIL PROTECTED] (Patrick Juola)
Subject: Re: Random numbers generator and Pentium III
Date: 29 Jan 1999 10:07:36 -0500

In article <[EMAIL PROTECTED]>,
Mok-Kong Shen  <[EMAIL PROTECTED]> wrote:
>R. Knauer wrote:
>> 
>
>> It is called "crypto-grade" to distinguish it from the other kinds of
>> randomness that confuse this discussion.
>> 
>> You do know the difference, don't you?
>
>Unless there are scientific tests to determine the 'crypto-grade'
>in terms of figure of merits or the like in quantifiable terms
>nobody (excepting perhaps you) will be able to know the difference!

The belief that to be knowledge something must be objectively
quantifiable is not science, but scientism.

        -kitten

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Foiling 56-bit export limitations: example with 70-bit DES
Date: Fri, 29 Jan 1999 14:36:38 GMT

In article <[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (wtshaw) wrote:
> In article <78qr6s$4mj$[EMAIL PROTECTED]>, [EMAIL PROTECTED]
wrote:
>
> > In article <[EMAIL PROTECTED]>,
> >   [EMAIL PROTECTED] (wtshaw) wrote:
> > > In article <78mv0l$oih$[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> > wrote:
> > >
> >
> > > > It is a mistake in the literature to consider DES unicity to be 20
> bytes (3
> > > > blocks of DES) for compressed English. The formula is simply not valid
in
> > > > that range as proved in the paper.
> > > >
> > > You need not be hamstrung with simple ASCII as the source for your bits,
> > > as you could generate them from something else than base 128, which is
> > > about the poorest one to encrypt text directly from that there is.
> > > -
> >
> > But, for DES, unicity can never be larger than 8 bytes -- one DES block --
> > unless you use absolutely random bits, which would then be absolutely
useless
> > to send anything different than noise ...
> >
> You are still thinking in one linear dimension.

I believe it is a bit hard to know what I am thinking ;-), but I think I was
not clear enough. It is not a question of "multidimensional thinking" -- it
is a basic property of DES -- it enciphers ***one*** block at a time and any
two enciphered blocks have absolutely zero interaction during their
respective encipherments. This creates each ciphertext block as  a separate
statistical ensemble. Thus:

  DES is not a random cipher over more than 64-bits (one block).

In fact, my exposition shows more. It shows that:

 DES is a random cipher *at most* over 56-bits.

Since the "random cipher" assumption is basic to the unicity formula derived
by Shannon, using that formula for  more than one DES block is not granted.

Please see item 3.A in http://www.mcg.org.br/nrdes.htm

Cheers,

Ed Gerck


------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Who will win in AES contest ??
Date: Fri, 29 Jan 1999 17:58:25 GMT

In article <[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (Hironobu Suzuki) wrote:
>
> >>>>> "Bruce" == Bruce Schneier <[EMAIL PROTECTED]> writes:
> In article <[EMAIL PROTECTED]> [EMAIL PROTECTED] (Bruce
Schneier) writes:
>  Bruce> Yes.  But we tried to combine ultraconservative with
>  Bruce> performance.
>
> I think it's very difficult to compare serpent and twofish
> because serpent has more rounds than twofish. It means serpent is
> stronger than twofish. I guess if serpent's rounds were reduced,
> serpent would be as fast as twofish (and as strong as
> twofish). But I appreciate serpent's philosophy that a cipher should be
> stronger and should have more safety margin than we thought.

 I like your attempt at English but the fact is when comparing
2 different ciphers one cannot judge strength on the basis
that each has a different number of rounds. However it is
possible the Serpent designers in their minds added extra rounds
above what they felt safe. While the fishy people, feeling more
confident in their analysis of their method, did not add as many
extra rounds above what they in their own minds felt safe.




> When I wrote my Linux cipher file system (*1) with AES (serpent), I
> read both C source codes which were submitted as AES candidates. Serpent's
> bit slice technique is beautiful. That's why I like it :-)
>
> (*1) GPL style public domain and full source code (serpent included)
> available from URL http://www.pp.iij4u.or.jp/~h2np
>
>                                               --hironobu


  Sir I have a lot of respect for the Japanese mind set and if
you could look at scott16u or scott19u and tell me your comments
I would like to see them. The scott16u is available through FTP
all over the world. The scott19u is not available on public
servers outside the US yet. The NSA is trying to keep source
code from being deported except what it wants. So in some ways
the whole AES thing is a joke because the source code for them
and SKIPJACK is apparently exportable. But if you are smart
you or a friend I am sure can find a way to get a copy.


David Scott
P.S. you guys and the Germans make the best beer

http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
http://members.xoom.com/ecil/index.htm


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
