Cryptography-Digest Digest #192, Volume #9        Sat, 6 Mar 99 00:13:02 EST

Contents:
  Re: Testing Algorithms [moving off-topic] (Doggmatic)
  Re: RNGs ("Trevor Jackson, III")
  my algorithm (document) ([EMAIL PROTECTED])
  Re: My Algorithm ([EMAIL PROTECTED])
  Re: Scramdisk - paranoia (HyperReal-Anon)
  Re: An export question... ("Tom")
  Re: An export question... ("Tom")
  Re: Key equivocation does not define unicity, was Re: Unicity of English, was Re: 
New high-security 56-bit DES: Less-DES ([EMAIL PROTECTED])
  Re: My Algorithm ([EMAIL PROTECTED])
  Re: Intel/Microsoft ID (Patrick Thomas)
  Bits, for a change (wtshaw)

----------------------------------------------------------------------------

From: Doggmatic <[EMAIL PROTECTED]>
Subject: Re: Testing Algorithms [moving off-topic]
Date: Fri, 05 Mar 1999 21:36:55 GMT

In article <7bonge$81b$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (Patrick Juola) wrote:
> In article <7bn566$b44$[EMAIL PROTECTED]>,
> Doggmatic  <[EMAIL PROTECTED]> wrote:
> >In article <7b70cj$1li$[EMAIL PROTECTED]>,
> >  [EMAIL PROTECTED] (Patrick Juola) wrote:
> >> In article <7b6tmq$ojt$[EMAIL PROTECTED]>,
> >> Doggmatic  <[EMAIL PROTECTED]> wrote:
> >>
> >> >But I will look up this "reversible computing." For such a
> >> >great idea researched 30 years ago, you think I'd have my Free-Energy
> >> >computer by now.
> >>
> >> I'll build one for you.  Just buy me a frictionless surface.
> >[snip]
[snip my previous condescension]
> >accepted that there is no such thing as a "frictionless surface" in this
> >universe.  Here is where you can correct me if I'm wrong.  I know that
> >theoretically you can have smoother and smoother surfaces, but I thought that
> >a frictionless surface is a physical impossibility, which is why I've also
> >wondered about why "parasitic losses" were mentioned as if they are
> >inconsequential.
>
> Because "parasitic losses" are the sort of things that engineers are
> really good at reducing as technology improves.  Look at the amount
> of waste heat and waste power that a vacuum tube uses when compared
> with an identically functioning IC transistor.
>
> >   If the ideal cannot be reached, which is my current belief,
> >then why even mention it, since this thread was originally about tractable
> >solutions and not impossible ideal solutions.
>
> Because what is tractable in fifty years will be a hell of a lot closer
> to the ideal than what's tractable today.  And you don't have any idea
> how much closer.
>
>       -kitten

  Okay .. we'll play your game.  Sample program:

  Time equals 0;                  <--- some arbitrary number
  Friction of surface equals 10;  <--- some random number
  beginning of a loop {
      time advances by 50 years;
      engineers reduce friction of surface by a factor of ten, so
      new Friction of surface now equals old Friction of surface divided by 10;
      Tell me what the new Friction of surface is;
  } end of loop ... repeat loop only until Friction of surface equals 0, then stop;
  Tell me how many years have passed;

  Let me know when you've found the answer.  There's a difference between
"closer to zero" and "equal to zero."


   ___/Mike  ...two legs good, four legs bad? ... Why conform?
__/.   |      For my next trick, WATCH as this humble mouse breaks
\-__   \___   Windows at the mere press of a button.
    \          Hey! Where are we going, and why am I in this handbasket?

============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/       Search, Read, Discuss, or Start Your Own    

------------------------------

Date: Fri, 05 Mar 1999 17:11:42 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: RNGs

After that, the deluge!

*PLEASE* look in dejanews for the last 6-7 weeks for the terms Random, RNG,
TRNG, and test/testing.



[EMAIL PROTECTED] wrote:

> hello all,
>
> i have been searching for material on cryptographically secure RNGs. I am
> trying to find answers to questions.
>
> 1. what are the properties of cryptographically secure RNGs.
> 2. what are the (and if there are) tests for such RNGs.
>
> Any pointers/books/URLs are helpful..
>
> Thanks,
>
> Sachin.
>
> -----------== Posted via Deja News, The Discussion Network ==----------
> http://www.dejanews.com/       Search, Read, Discuss, or Start Your Own




------------------------------

From: [EMAIL PROTECTED]
Subject: my algorithm (document)
Date: Fri, 05 Mar 1999 22:40:55 GMT

I wrote a small and simple text document to accompany it.  I plan to update
the text.  I am still new (*please remember that*) so as I learn more I will
update it.  The basic algorithm is described.  I would like to go more into
depth of my algorithm.

Tom

============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/       Search, Read, Discuss, or Start Your Own    

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: My Algorithm
Date: Fri, 05 Mar 1999 22:05:06 GMT

<snip, cause the dejanews window wraps to 70 and it looks messy>

Well thanks for your reply I will post a small text file describing my
algorithm.  I am new to this scene so I am not sure what attacks you may use
on it.  I will explain the code in snippets (the Code I posted is ok and
clear, but not the best for explaining).

Well stay tuned.  I hope to have the paper done tonight (well a draft of it)

Tom

============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/       Search, Read, Discuss, or Start Your Own    

------------------------------

Date: 6 Mar 1999 03:30:05 -0000
From: HyperReal-Anon <[EMAIL PROTECTED]>
Subject: Re: Scramdisk - paranoia
Crossposted-To: comp.security.pgp.discuss,alt.security.pgp

On 5 Mar 1999 09:40:49 -0600 [EMAIL PROTECTED] (Aman)  wrote:

>On Thu, 04 Mar 1999 18:56:38 -0800, David Sternlight
><[EMAIL PROTECTED]> wrote:

>>Aaargh! That's the defensive cry of many an inexperienced
>>software support person--"well, it doesn't happen on my machine."

>Perhaps that is correct. When I get a 'proper customer support'
>request... This chap was making comments, and so was I.

I was (and am) *not* asking for customer support; I haven't done what I
could to isolate the problem at my end yet.  I think Ed Stone's
response about Tabworks "mounting" disks is almost certainly correct,
and it doesn't cause serious problems.  The cold reboot didn't happen
the last two times I restarted my confuser; so I don't expect or ask
for "software support"; I was looking for comments from other users who
might have experienced the same thing in an attempt to isolate the
problem myself.

>The more serious problems I had were resolved by *actually*  getting
>hold of the hardware and software items that revealed them, and then
>fixing bugs in my code, and working around some inconsistencies, and
>downright lies... Now we seem to be left with a very minor and elusive
>list of complaints. Tens of thousands of machines are running SD
>without any trouble.

I'm certainly going to continue to use it.

>If those people left wish to ship their particular hardware over to
>me, I would be only too glad to be of service.

No, I don't think that's worth it.  But by discussing glitches here we
users with overloaded confusers and weird software might be able to
figure out what's causing it.  If I figure it out, and it has something
to do with ScramDisk, *then* I'll ask the authors for help.

>Perhaps Mr Sternlight is competent enough to fix all the Win95/98 bugs
>for me...

My Chaplain told me many years ago when I was asking for something or
other, 
"I'm in sales, not production :-)"





------------------------------

From: "Tom" <[EMAIL PROTECTED]>
Subject: Re: An export question...
Date: 6 Mar 1999 02:55:22 GMT



wtshaw <[EMAIL PROTECTED]> wrote in article
<[EMAIL PROTECTED]>...
> In article <01be66fe$c1f2e540$0100000a@oemuser>, "Tom"
> <[EMAIL PROTECTED]> wrote:

> I take your words as being an objective and accurate evaluation of fog
> that exists.  Remember, most all the official noise is made by individuals
> who personally haven't the least technical clue about these matters at all,
> and so their words consequently are in the form of noise emanating from a
> heated void, and they wish you would join them in their ignorance, thank
> you very much.

The relationship between the rulebook and common sense is often a thin
one... trouble is that the rule book has the force of law behind it so I
try to be careful not to step on  too much of  the fine print. :)

> Meanwhile, keep writing.  If you can find a secure site to distribute your
> stuff, go that way to at least get it out to some.

It's pretty tempting to write crypto applications these days with all the
available source code on the net. The real rub is to use a freeware crypto
component that was generously offered by someone outside the US, build on
it and then be unable to return the improvements to the original author! 
Goodies can come in but nothing of value can leave... hopefully this will
change in the not too distant future.

Tom



------------------------------

From: "Tom" <[EMAIL PROTECTED]>
Subject: Re: An export question...
Date: 5 Mar 1999 23:16:48 GMT



Kent Briggs <[EMAIL PROTECTED]> wrote in article
<[EMAIL PROTECTED]>...
> Tom wrote:
> 
> >   What I've been unable to determine
> > is if MD5 or any other strong hash is exportable from the US without a BXA
> > review....

> The way I understand it (I've been through the review process several times) is
> that you only need a review (i.e. a mass market license exception TSU) if the
> end-user can use your software to encrypt data.  Hashing for the purposes of
> checksums and digital signatures does not fall in this category.

This was pretty much my understanding too from the information I did manage
to sift through. It's reassuring to hear it confirmed from someone who has
actually been through the process... thanks very much.  I have an associate
who has also been through the process via his business and he clarified
that encryption algorithms, no matter how trivial, have to be cleared with
BXA for export... but even he wasn't sure about hash algorithms.

As a precedent, I believe that some of the US based BSD projects also
export MD5 as part of their user authentication and login packages... so I
guess this supports that a secure hash can be exported, even in source
form, without a review.  Still, I wonder why the SHA-1 spec contains the
"export restrictions may apply" clause.  Perhaps it's just FUD. :)

Thanks for the response,

Tom


------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Key equivocation does not define unicity, was Re: Unicity of English, was 
Re: New high-security 56-bit DES: Less-DES
Date: Sat, 06 Mar 1999 00:30:18 GMT

[EMAIL PROTECTED] wrote:
> [EMAIL PROTECTED] wrote:
> It is NOT key equivocation that defines unicity. This is one of your
> recurring misconceptions. You are mistakenly taking **one** of the cases
> calculated by Shannon where key equivocation was close to message
> equivocation for one cipher ...to stand for all cases.

It is the case Shannon uses to define unicity distance.  He
refers, as you noted, to _both_ curves approaching zero.
Perhaps some other opinions would help:

    The unicity distance is the smallest N such that H_C(K) is
    0; that is, it is the least amount of ciphertext needed to
    uniquely determine the key.
    [Denning, Dorothy E.  /Cryptography and Data Security/,
    Addison-Wesley 1982 (reprinted with corrections, Jan 1983),
    page 25.]

    Definition 2.7  The unicity distance of a cryptosystem is
    defined to be the value of n, denoted n_0, at which the
    expected number of spurious keys becomes zero; i.e., the
    average amount of ciphertext required for an opponent to
    be able to uniquely compute the key, given enough computing
    time.
    [Stinson, Douglas R.  /Cryptography Theory and Practice/,
    CRC Press, 1995, page 63.]

    7.6.9 Definition  The /unicity distance/ of a cipher is the
    minimum amount of ciphertext (number of characters) required
    to allow a computationally unlimited adversary to recover
    the unique encryption key.
    [Menezes, Alfred J., Paul C. van Oorschot and Scott A.
    Vanstone, /Handbook of Applied Cryptography/, CRC Press
    1997, page 246.]

> I understand this was perhaps also caused by the fact that you could not see
> (as you  declared, but they have been there for 50 years in that same paper)
> the message equivocation curve in Fig. 7

It's not on Fig. 7.  See:
    http://www3.edgenet.net/dcowley/shannon/shannon19.jpg

> neither did you see "message
> equivocation" mentioned one line before Fig.7, nor one line after Fig. 7 --

Of course I saw it there.  In my previous post I specifically agreed
with those lines.

> However, you come here for tens of messages and parade that ignorance in
> public. You cannot be excused for that behavior since even for you it would
> have been a lot less time consuming if you had just read the f. paper!
[...]

Not worthy of comment.

> Referring to the equations for conditional message entropy and conditional key
> entropy, I wrote:
> > > Again, just looking at the two (correct) equations should convince anyone
> > > versed in high-school math that they are independent. If you are still not
> > > convinced, I cannot help further.

> > On page 661 of Shannon's CTOSS we read,
> >
> >     If M is the message, K the key, and E the enciphered
> >     message, or cryptogram, we have
> >         E = f(M,K)
> >     that is E is a function of M and K.
> >
> > So instead of just looking at the equations, we should
> > study the paper and understand them.
>
> you extrapolate far too much.
>
> > Knowing that E is a
> > function of M and K, we don't expect H_E(M) and H_E(K) to
> > be independent.
>
> Which is your error -- since f is not fixed at all.

In E=f(M,K), f is the cipher.  Equivocation is calculated under
the assumption that f is a given, known to the attacker.

    we shall assume that /the enemy knows the system being used/.
    That is, he knows the family of transformations T, and the
    probabilities of choosing various keys.
    [Shannon, CTOSS page 662, emphasis in original]


> A general definition of unicity  for random ciphers f (ie, Shannon's) MUST BE
> valid for *any* (ie, different) random cipher. Thus, it MUST consider He(M)
> and He(K) behavior  to be *independent* from one cipher f to another f'.

That f is known and E=f(M,K) is not just for the random cipher.
In the random cipher context, it means that the adversary is
given the mapping from keys to permutations.


> So, it is not correct to say, as you expressed:
>
>  BO> Shannon say that the unicity point has been reached when the
>  BO> key equivocation drops negligibly far from zero.
>
> because it is NOT key equivocation that defines unicity and Shannon has made
> that very clear, but you have not read it.

I disagree with the first part, and I know the last part is false.


> This exercise and my previous replies in the archives will also answer all
> your other questions below, that I snipped but are also in the archives.

The archives show that you do not respond to the serious
errors and other problems with your paper.

More than once I have asked how you can justify your claim
that the unicity (distance) of DES with English is three
characters.  The attack you present after making that claim
requires 16 intercepted letters, which supports the figure
you quote from Schneier but claim is incorrect. How does the
adversary get near zero equivocation with three intercepted
letters?


Worse than the technical errors is the false assertion in your
paper at
    http://www.mcg.org.br/unicity.htm

| Shannon [Sha49] defined "unicity distance" (hereafter, "n")
| as the least amount of plaintext which can be uniquely
| deciphered from the corresponding ciphertext -- given
| unbounded resources by the attacker.

Even if you believe your concept of unicity is essentially the
same as Shannon's, that does not justify claiming your definition
is in Shannon's paper.  This is especially serious because you
criticize the literature based on the definition you claim to be
Shannon's.

| It is important to note, as the literature has also not been
| very neat in this regard, that unicity is always referred to
| the plaintext. However, it may also be applied to indicate
| the least amount of ciphertext which needs to be intercepted

Denning, Stinson, and Menezes et al. state that unicity
distance is an amount of ciphertext. You say it's plaintext
and cite Shannon as saying it's plaintext.  Shannon says no
such thing.  The part after "However it may also be applied"
is much closer to Shannon's usage.  It's hard to excuse the
paper's definition as poor paraphrasing when the paper makes
this point that depends specifically on the falsehood of the
citation.

There's a perfectly reasonable and honest way to make your
argument: cite Shannon's actual usage and argue that it may
also be applied the way you use it.  Currently the paper has
it the other way around which is not true.


--Bryan

============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/       Search, Read, Discuss, or Start Your Own    
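A worked estimate, added here and not part of Bryan's post or of the books he cites: under the random-cipher model behind Stinson's spurious-key definition quoted above, count the wrong keys that a 56-bit-key cipher leaves standing after n characters of English ciphertext. The 56-bit key, the 26-letter alphabet and the 1.25 bits/letter entropy figure are assumed textbook values, not numbers taken from the post.

```python
import math

# Added example: random-cipher estimate of unicity distance from the
# expected number of spurious keys (Stinson's Definition 2.7, quoted above).
# Assumed inputs (textbook estimates, not figures taken from the post):
#   key_bits         = log2 |K|   (56 for a DES-sized key)
#   alphabet_size    = |P|        (26 letters)
#   entropy_per_char = H_L        (about 1.25 bits per letter of English)

def redundancy(alphabet_size: int, entropy_per_char: float) -> float:
    """R_L = 1 - H_L / log2|P|: the fraction of each plaintext character
    that is predictable, and so usable to rule out wrong keys."""
    return 1.0 - entropy_per_char / math.log2(alphabet_size)

def expected_spurious_keys(key_bits: float, n: int,
                           alphabet_size: int, entropy_per_char: float) -> float:
    """s_n = |K| / |P|^(n R_L) - 1: wrong keys still consistent with n
    intercepted characters (clamped at zero once the key is unique)."""
    bits_per_char = (redundancy(alphabet_size, entropy_per_char)
                     * math.log2(alphabet_size))
    consistent_keys = 2.0 ** (key_bits - n * bits_per_char)
    return max(0.0, consistent_keys - 1.0)

def unicity_distance(key_bits: float, alphabet_size: int,
                     entropy_per_char: float) -> float:
    """n_0 = log2|K| / (R_L log2|P|): the n at which s_n reaches zero."""
    return key_bits / (redundancy(alphabet_size, entropy_per_char)
                       * math.log2(alphabet_size))

def first_n_with_unique_key(key_bits: float, alphabet_size: int,
                            entropy_per_char: float) -> int:
    """Smallest whole number of intercepted characters at which fewer
    than one spurious key is expected to survive."""
    n = 0
    while expected_spurious_keys(key_bits, n, alphabet_size,
                                 entropy_per_char) >= 1.0:
        n += 1
    return n

if __name__ == "__main__":
    K, P, H = 56, 26, 1.25          # assumed values, see comment above
    print(f"unicity distance n_0 = {unicity_distance(K, P, H):.1f} letters")
    for n in (3, 8, 16, 17):
        s = expected_spurious_keys(K, n, P, H)
        print(f"{n:2d} letters intercepted: about {s:.3g} spurious keys remain")
```

With three intercepted letters the model still leaves on the order of 2^45 keys consistent with the ciphertext, so the key equivocation is nowhere near zero at that point; the estimate first drops below one spurious key at about 16 letters.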

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: My Algorithm
Date: Fri, 05 Mar 1999 23:48:06 GMT

In article <7bos33$oh2$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] wrote:
> Would this group be more responsive to analyzing my algorithm if I provided a
> small paper on it?

I doubt it. How many methods have you cryptanalyzed?
If you are asking me as a crypto researcher to analyze your algorithm
I will be happy to do so at my standard consulting rates.

>And why I think it is strong?  If so I could write a small
> paper on it.  Describing the algorithm, and why I think it's resistant to some
> attacks (ciphertext-only, plain/cipher text, chosen-ciphertext).
>
> I would really appreciate some analysis.  I think it's somewhere between a
> stream coder and a OTP.  I am new to encryption, I really don't know a whole
> lot.

So why should anyone take the time to analyze your result? Given that you
admit that you don't know the subject, why should anyone believe that you
know what you are doing? Why should anyone versed in the subject do so for
free?  Especially if you expect to patent your idea.  If you might profit
from it you have no right to expect experts to analyze your ideas for free.

When you ask for professional help in any field of endeavor you would
normally expect to pay for it.  How much do you think the local golf pro
charges for lessons???


>But would like to learn.

This, of course, is always laudable.  Have you tried reading some books
on the subject?  Koblitz? Schneier? Konheim? (the best intro text to
cryptanalysis I have yet seen). I can recommend a number of good ones.
I will even be happy to answer questions you might have during your course
of study. Teaching, of course, is quite a bit different from reviewing a
(purported) product.



I would like to ask the following general question:


What is it that causes amateurs who admit they know nothing about a subject
to presume that:

(1) They can dive right in and start inventing valid new ideas?  How can they
do so if they don't even know about old ideas? i.e. they admit their own
ignorance.

(2) They can waste the time of others by asking them to analyze their
'invention'? Especially when they have not done their background homework.

I mean no insult to this particular poster. I am speaking in general.
No one who isn't versed in biochemistry and medicine would try to invent a
new drug. Why? Because they aren't qualified and they know it.  But what is
it that makes people think they can invent something new in math or crypto
when they are aware that they are as poorly qualified to do so as they are to
invent new drugs??????

============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/       Search, Read, Discuss, or Start Your Own    

------------------------------

Crossposted-To: talk.politics.crypto
Subject: Re: Intel/Microsoft ID
From: [EMAIL PROTECTED] (Patrick Thomas)
Date: Sat, 06 Mar 1999 04:29:39 GMT

"Roger Schlafly" <[EMAIL PROTECTED]> writes:

>Hmmm. NYTimes is free to everybody. You just have to
>register.

Am I the only one that finds this mildly ironic? :)


------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Bits, for a change
Date: Fri, 05 Mar 1999 13:20:10 -0600

Continuing in the pursuit of applications that convert base 100, including
the common keyboard, to base X, I have finished the 15th program of the
series, Fairve 20, which transposes 20 bits derived from 3 characters of
input.  Output is in 4 character groups, base 32.

A similar earlier application, Winters, transposed 6, and multiples of
that, digits, with accompanying block sizes.  The structure of the
applications is sufficiently different so that default keys still produce
different results.

For Fairve, merely a name of an insignificant location spotted on the map
northwest of Winters, the default keys are:

Subs(Fa): abcd efgh ijkl mnop qrst uvwx yz., ?/-=
Trans(Fa): abcde fghij klmno pqrst

With bits, it takes lots to represent a few characters.  You might think
that having so many allows better encryption;  well, it may, or it may
not...whether bits or something else, digits, trits, hexits, etc., it all
depends on what you do with them; which, in the case of Fairve is not very
much.

And due to the imperfect relationships between bases 2 and 10, there is an
extra hook to begin to attack ciphertext, but, when keys are so easily
changed, you never need produce anything but small quantities of output in
any one key.

I see that there are many more applications that could be written merely
starting from base 100, but I think I have only two that I want to do left
starting at base 100.  I do hereby apologize  for their natures in
advance, but there has got to be some fun in all of this, and they still
can carry a lesson through.

After them, who knows, as there are many that can be done for specific
reasons, not a top priority around here, but some sort of a hobby that I
will not easily let get too dusty.
-- 
Truth is whole in the least of its parts. 
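A constructed model of the block structure the post sketches, added here for illustration; it is not wtshaw's Fairve program. It assumes the base-100 "keyboard" alphabet is Python's string.printable (exactly 100 characters), that the Subs key is the 32-symbol output alphabet given above, and that the Trans key lists the 20 input bit positions a..t in output order, so the default "abcde fghij klmno pqrst" is the identity; it also measures the base-2/base-10 mismatch the post calls an extra hook.

```python
import string

# Added example: a constructed model of the scheme the post sketches, written
# here for illustration; it is not wtshaw's Fairve program itself.
# Assumptions: BASE100 = string.printable (exactly 100 symbols); the output
# alphabet is the post's Subs default (32 symbols); the Trans key names the
# 20 input bit positions a..t in output order (the post's default = identity).
BASE100 = string.printable                          # 100 input symbols
SUBS_DEFAULT = "abcdefghijklmnopqrstuvwxyz.,?/-="    # 32 output symbols
TRANS_DEFAULT = "abcdefghijklmnopqrst"              # identity transposition
BITS = 20                                           # 100**3 - 1 < 2**20

def _check_trans(trans: str) -> None:
    if sorted(trans) != list("abcdefghijklmnopqrst"):
        raise ValueError("Trans key must be a permutation of the letters a..t")

def transpose_bits(value: int, trans: str = TRANS_DEFAULT) -> int:
    """Output bit i (counted from the most significant) is input bit trans[i]."""
    _check_trans(trans)
    out = 0
    for i, letter in enumerate(trans):
        src = ord(letter) - ord("a")
        out |= ((value >> (BITS - 1 - src)) & 1) << (BITS - 1 - i)
    return out

def untranspose_bits(value: int, trans: str = TRANS_DEFAULT) -> int:
    """Inverse of transpose_bits for the same key."""
    _check_trans(trans)
    out = 0
    for i, letter in enumerate(trans):
        dst = ord(letter) - ord("a")
        out |= ((value >> (BITS - 1 - i)) & 1) << (BITS - 1 - dst)
    return out

def encrypt_block(three: str, subs: str = SUBS_DEFAULT,
                  trans: str = TRANS_DEFAULT) -> str:
    """3 base-100 symbols -> 20-bit value -> keyed transposition -> 4 base-32 symbols."""
    if len(three) != 3:
        raise ValueError("a block is exactly 3 input symbols")
    value = 0
    for c in three:
        value = value * 100 + BASE100.index(c)      # at most 999999
    value = transpose_bits(value, trans)
    return "".join(subs[(value >> (5 * (3 - k))) & 31] for k in range(4))

def block_value(four: str, subs: str = SUBS_DEFAULT,
                trans: str = TRANS_DEFAULT) -> int:
    """Undo the base-32 digits and the transposition; result may exceed 999999."""
    value = 0
    for c in four:
        value = value * 32 + subs.index(c)
    return untranspose_bits(value, trans)

def is_possible_block(four: str, subs: str = SUBS_DEFAULT,
                      trans: str = TRANS_DEFAULT) -> bool:
    """The hook: 100**3 < 2**20, so some 4-symbol groups can never be produced
    under a given key, and a wrong key shows up as impossible blocks."""
    return block_value(four, subs, trans) < 100 ** 3

def decrypt_block(four: str, subs: str = SUBS_DEFAULT,
                  trans: str = TRANS_DEFAULT) -> str:
    value = block_value(four, subs, trans)
    if value >= 100 ** 3:
        raise ValueError("not a block this scheme can produce")
    out = []
    for _ in range(3):
        value, d = divmod(value, 100)
        out.append(BASE100[d])
    return "".join(reversed(out))

def reachable_fraction() -> float:
    """Share of the 2**20 values a block can actually take: about 95.4%."""
    return 100 ** 3 / 2 ** BITS
```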

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
