Cryptography-Digest Digest #728, Volume #9       Wed, 16 Jun 99 18:13:04 EDT

Contents:
  Re: OTP is it really ugly to use or not? (sb5309)
  Re: NIST announces set of Elliptic Curves (Medical Electronics Lab)
  Re: SLIDE ATTACK & large state SYSTEMS (SCOTT19U.ZIP_GUY)
  Re: Kryptos article (John Savard)
  Phone scrambler : what encryption used ? (sb5309)
  Re: signal to noise ratio ([EMAIL PROTECTED])
  Re: the student paradox (SCOTT19U.ZIP_GUY)
  Re: OTP is it really ugly to use or not? (FO)
  Re: the student paradox ("Mr. X")
  Re: DES lifetime (was: being burnt by the NSA) (Jerry Coffin)
  Re: DES and BPANN (Patrick Juola)
  Re: the student paradox (John Savard)
  Re: the student paradox ([EMAIL PROTECTED])
  Re: "Breaking" a cipher ([EMAIL PROTECTED])
  Re: the student paradox (SCOTT19U.ZIP_GUY)
  Re: Phone scrambler : what encryption used ? ([EMAIL PROTECTED])
  Re: the student paradox ("Steven Alexander")
  Re: the student paradox ("Steven Alexander")

----------------------------------------------------------------------------

From: sb5309 <[EMAIL PROTECTED]>
Subject: Re: OTP is it really ugly to use or not?
Date: Thu, 17 Jun 1999 01:37:33 +0800

What do you mean by the "right software" ?

>
>
> I think OTP's are a lot more useful and secure than people
> think and with 6 Gig disks costing a little more than $100
> these days it means that with the right software you have a
> very fast very secure solution for many applications.
>




------------------------------

From: Medical Electronics Lab <[EMAIL PROTECTED]>
Subject: Re: NIST announces set of Elliptic Curves
Date: Wed, 16 Jun 1999 12:49:41 -0500

DJohn37050 wrote:
> 
> The curves announced by NIST fall into 3 classes:
> 1. Random curves over a prime order field (Fp).
> 2. Random curves over a field of characteristic 2 with a prime power (F2**p).
> 3. Koblitz curves (binary anomalous curves) over a field of characteristic 2
> with a prime power (F2**p).
> 
> Some interesting observations:
> 1. Curves over both prime fields and characteristic 2 fields are included.
> 2. There are no curves over a field of characteristic 2 with a composite power
> (F2**m, with m composite).
> 3. Koblitz curves are included.
> Don Johnson

Thanks Don.  It certainly adds a nice stamp
of approval.  

There are 2 formats, ascii and postscript.
The postscript form has a lot of explanation,
the ascii is just the curve data.

Patience, persistence, truth,
Dr. mike

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: SLIDE ATTACK & large state SYSTEMS
Date: Wed, 16 Jun 1999 18:56:42 GMT

In article <7k894j$k77$[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
>In article <7k6df4$1fqu$[EMAIL PROTECTED]>,
>  [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) wrote:
>>   But this does not change or affect the comments that
>> I wrote. For truly large key systems similar to the type
>> I mentioned the number of false slide pairs would increase
>> and the attack would not be reasonable. But I will take
>> your word that a Blowfish type of algorithm would be
>> susceptible to such an attack. I also think your definition
>> of a large key system is much smaller than mine. I am
>> not sure mine is large enough and the effective key length
>> is over a million bytes (not bits). Though it is true I thought
>> you worked on ciphers of only a few hundred bits. Have you
>> actually tested the attack out on the above Blowfish or just
>> assumed it based on smaller models that it would take this
>> many steps? What do you do if the key system is large and
>> you have false slide pairs, in that you think they are correct
>> but they are not? Or have you even looked into this area, since
>> they would not be common in the ciphers you tend to deal
>> with?
>
>You have to be joking right?  Large keys do not make strong ciphers.  I
>could re-write your cipher (the 16-bit one) to use 128-bit keys and be
>just as practically secure as your million bit keys...
>

   No Tommy, I am not joking. I am not sure why I bother to answer you,
since you really don't seem interested in learning. There is not much
that does guarantee a strong cipher. But all else considered, key length
is one measure of strength. But yes, one can design a million key cipher
as weak as a good 128 bit key cipher. But it is obvious you can't understand
that. 

>A 32768 bit key is really large, there are
>1.41546103104495478900155302774e+9864
>Possible keys.  Even in the 128 bit key there are
>3.4028236692093846346337460743177e+38
>possible keys...

 Just because 2**128 is a large number is no guarantee of safety.

>
>Of course a 32768-bit blowfish key can be compromised in 2^64 effort so
>that's why they don't advertise it that way.  Plus where do you get
>32768 bits of random bits?

  As in PGP the really big key is calculated very very infrequently and the key
itself is protected with a short password. But then you should know that.

>
>You have to remember that large keys do not always equal good
>security.  If you can get thru that then you will be set.  Besides a
>million byte key would require a million random bytes, not just
>inaccesible bytes.  Each byte has to be truely (or highly) random.
>That's why 'SHORT' keys are better, and by short I mean >= 64 bits.
>

   Sorry, but you goofed. Short keys are not better. But if you feel they
are, you can use a method like mine with 128 bit keys as I have explained
many many times. But then again you don't read and don't seem interested
in actually learning.

  One problem with a short key cipher like many in use is that it is hard to expand
the key size, because it reaches a point where one can't guarantee that
each key actually results in a completely different mapping. At least one like
mine, where the space of 19 bit single cycle transforms is used. It is
easier to go down in key size and use a subset, since I started at the largest
key and it is easier to work down in size than up in size. But you may need a
broader understanding of mathematics to understand that.



David A. Scott
--
                    SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
                    http://www.jim.com/jamesd/Kong/scott19u.zip
                    http://members.xoom.com/ecil/index.htm
                    NOTE EMAIL address is for SPAMERS

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Kryptos article
Date: Wed, 16 Jun 1999 17:16:47 GMT

Jim Gillogly <[EMAIL PROTECTED]> wrote, in part:

>I think it is keyed rather than
>a OTP because in one of the old articles Sanborn, the sculptor, says
>the mysterious envelope delivered to the Director of Central Intelligence
>contains the keys to the sculpture, and that with those the DCI could
>decrypt it easily.

Although I think you're right, since there would seem no point in
putting an OTP-encrypted message on such a sculpture, I fear that many
would quibble with the specific reason you've given: one certainly
*can* put the key to an OTP-encrypted message in an envelope, and such
a message can be decrypted easily with that key just like any other
encrypted message.

John Savard ( teneerf<- )
http://members.xoom.com/quadibloc/crypto.htm

------------------------------

From: sb5309 <[EMAIL PROTECTED]>
Subject: Phone scrambler : what encryption used ?
Date: Thu, 17 Jun 1999 01:47:39 +0800

I have been to a few phone scrambler web pages; they don't talk
algorithms. They say, look, this is the device just take it !

Could you give me a hint ? Thanks.




------------------------------

From: [EMAIL PROTECTED]
Subject: Re: signal to noise ratio
Date: Wed, 16 Jun 1999 17:55:54 GMT

So, the s/n ratio is related to the Walsh transform?

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: the student paradox
Date: Wed, 16 Jun 1999 19:04:56 GMT

In article <7k8m2j$7nd$[EMAIL PROTECTED]>, "Mike Murray" 
<[EMAIL PROTECTED]> wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Tom,
>
>    Good thought... I'm a student, and a beginner in cryptography, and
>I have to say that I've had some fabulous ideas that "reinvented the
>wheel" after I looked at them (either that, or, after some looking at
>them, I realized that it was a bad idea in the first place).
>However, the one thing that I do have to say is that I'm incredibly
>frustrated with the fact that, as people "settle into accepted
>academia (or lines of thought)", that they lose the curiosity and
>thirst to find new ideas that they had as a beginner.  Even in my
>computer science courses, I always find myself looking for ways to
>improve on what I'm told about... I find that many of my classmates,
>however, are content to simply accept what they're told, and use it in
>a stock fashion.
>
>    That's my thoughts for the day...
>
>                Mike


    The problem is, Mike, the experts have such a line of bull that people
who try to expand the area get put down rather quickly. The guy who found
the ulcers cure is an excellent example. In the field of science there are
many examples of this effect. The guy who invented the rebreathing tanks
for divers tried to give the idea to the navy, but no one believed him at the 
time since they spent untold millions and the experts couldn't build one.
The list goes on and on.
 In crypto one very weak link is the way block ciphers are chained. I have
been advocating various all or nothing chaining methods like what is in
scott19u, but everyone said it was useless. Then I hear that Ron R of
RSA comes up with an all or nothing encryption idea. Guess who will
get the credit.


David A. Scott
--
                    SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
                    http://www.jim.com/jamesd/Kong/scott19u.zip
                    http://members.xoom.com/ecil/index.htm
                    NOTE EMAIL address is for SPAMERS

------------------------------

From: [EMAIL PROTECTED] (FO)
Subject: Re: OTP is it really ugly to use or not?
Date: 16 Jun 1999 18:31:00 GMT

sb5309 ([EMAIL PROTECTED]) wrote:
: What do you mean by the "right software" ?

: >
: >
: > I think OTP's are a lot more useful and secure than people
: > think and with 6 Gig disks costing a little more than $100
: > these days it means that with the right software you have a
: > very fast very secure solution for many applications.
: >

I think so too. But I would rather burn it on CD-ROM's.

About right software, having all that key material laying around -
perhaps it would be proper to protect the one time pad by encrypting
it in some way. But then it would be no safer than the encrypting method.

But it is not a terrible idea

I am sorry for the blank posting.

- f0n




------------------------------

From: "Mr. X" <[EMAIL PROTECTED]>
Subject: Re: the student paradox
Date: Wed, 16 Jun 1999 12:36:46 -0700

[EMAIL PROTECTED] wrote:
> When most people start cryptography or any computer science course they
> have many ideas on how things are done (how to encrypt data, how to
> compress, how to sort, how to...).  Many of the ideas are naive to
> experts.  As the student learns more however they have less ideas and
> settle into accepted academia (or lines of thought).

Unfortunately this is all too true - not just for crypto but for many
fields.

In heavily rule based fields, like mathematics, it's been accepted for
oh, maybe 200 years that most mathematicians do almost all their
innovation before 35.  Now, one would hope that you know more at 50 than
you did at 25 but, as you said, thinking becomes so constrained that new
ideas rarely appear, and revolutionary ones almost never come from
'experts' - and guess who's usually in charge?


X

------------------------------

From: [EMAIL PROTECTED] (Jerry Coffin)
Subject: Re: DES lifetime (was: being burnt by the NSA)
Date: Wed, 16 Jun 1999 12:45:52 -0600

In article <7k7s36$g9d$[EMAIL PROTECTED]>, [EMAIL PROTECTED] 
says...

[ ... ] 

> > > Wrong.  It appears on pages 1-2, where the standard says

[ ... ]
 
> FIPS 46, 1977 January 15.  You can find it reprinted in
> Meyer & Matyas /Cryptography, A New Dimension in Data Security/
> 1982, and some other places.

Do you see the problem here?  You say "the standard says" when you're 
really referring to something that hasn't been a standard for over a 
decade.
 
> Note that FIPS 46-2 is dated 1993 December 30.  It did not
> exist at the time in question. 

What time in question?  "The standard says" is present tense, so the 
only conclusion one can reasonably draw about "the time in question" 
is that it's the present time.  At the present time, the standard does 
not say anything of the sort, and it hasn't for some time.

> > IF it actually said that, you might have some point.  It provably does
> > NOT say what you've claimed, rendering your entire point invalid.
> 
> You did look up _a_ standard, so I suppose we've seen worse
> scholarship here on sci.crypt. 

No, I looked up _the_ standard.  You looked up something that hasn't 
been a standard for years, then referred to it in present tense as the 
standard.  Yes, we've seen worse scholarship here on sci.crypt -- 
yours being an obvious example.

> I expect you'll need some time to check that out, but given how
> you SHOUTED your conclusions based on the 1993 standard, will you
> be willing to report what you find either way?

Sure.  It doesn't even take very long for me to find that if you were 
referring to something that hasn't been a standard for years, you 
should have said something like "in 1977, the standard said" rather 
than "the standard says."  As-is, your statement is simply false.  
There's not much more to the situation than that.

You've been blaming the NSA for the way the DES was written in 1977.  
The NSA had neither control over, nor even official input into, DES 
until 1987.  If you want to display scholarship, do a bit of research 
into the first version of the standard after the NSA had input, and 
see whether it matches the 1977 standard or the 1993 standard.  This 
might give some insight into whether the NSA influenced the decision 
to make DES an option rather than a mandatory requirement.

Right now, every indication is that the problems you've cited were 
fixed after the NSA got involved.  Will you be willing to report back 
when/if you find even more evidence that the NSA may have actually 
fixed the problems rather than causing them as you've said?

------------------------------

From: [EMAIL PROTECTED] (Patrick Juola)
Subject: Re: DES and BPANN
Date: 16 Jun 1999 09:24:52 -0400

In article <[EMAIL PROTECTED]>,
James Pate Williams, Jr. <[EMAIL PROTECTED]> wrote:
>On Tue, 15 Jun 1999 08:08:37 GMT, "Douglas A. Gwyn" <[EMAIL PROTECTED]>
>wrote:
>
>>The big difference is that the XOR function is vastly simpler than
>>the BPANN, but the DES encryption function is sufficiently complex
>>that any "learning" process which does not model the actual DES
>>structure fairly closely doesn't have an appreciable chance of
>>converging to a *correct* model.
>
>Conjectures are all well and good, but without a theoretical or
>experimental basis they are merely guesses shrewd or otherwise.

To the best of my knowledge, there have been no published attempts,
successful or unsuccessful, to apply neural networks to the cryptanalysis
of DES.

On the other hand, there are also good theoretical reasons why
this is unlikely to be successful; the error surface is too
rough and ``random''; for any finite training set, the number of
local minima is huge.

So you are of course correct that the statement ``NNs won't be
successful at cryptanalyzing DES'' is merely a conjecture.  So is
the statement ``kitten won't discover warp drive by midafternoon.''

        -kitten

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: the student paradox
Date: Wed, 16 Jun 1999 21:21:09 GMT

"Mike Murray" <[EMAIL PROTECTED]> wrote, in part:

>However, the one thing that I do have to say is that I'm incredibly
>frustrated with the fact that, as people "settle into accepted
>academia (or lines of thought)", that they lose the curiosity and
>thirst to find new ideas that they had as a beginner.

If more people had the sense and tact to realize that, while they are
beginners, their own ideas probably won't be too useful, and thus:

- advanced any new idea in a tentative way,

- asked questions, rather than proclaiming conclusions,

- tried to learn more on their own about their own ideas,

they'd run into fewer discouraging experiences of being told their
ideas are silly and not to waste everyone's time.

The accepted lines of thought have a lot going for them: but that
doesn't mean new ideas - especially ideas from people with the right
background in existing practice - aren't valuable and needed.

John Savard ( teneerf<- )
http://members.xoom.com/quadibloc/crypto.htm

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: the student paradox
Date: Wed, 16 Jun 1999 20:23:00 GMT

In article <7k8m2j$7nd$[EMAIL PROTECTED]>,
  "Mike Murray" <[EMAIL PROTECTED]> wrote:
>     Good thought... I'm a student, and a beginner in cryptography, and
> I have to say that I've had some fabulous ideas that "reinvented the
> wheel" after I looked at them (either that, or, after some looking at
> them, I realized that it was a bad idea in the first place).
> However, the one thing that I do have to say is that I'm incredibly
> frustrated with the fact that, as people "settle into accepted
> academia (or lines of thought)", that they lose the curiosity and
> thirst to find new ideas that they had as a beginner.  Even in my
> computer science courses, I always find myself looking for ways to
> improve on what I'm told about... I find that many of my classmates,
> however, are content to simply accept what they're told, and use it in
> a stock fashion.

I agree with you, which is why I made the post.  I do however agree
that starting with previous academia is not a bad idea, but if you want
to invent/create a new idea you should start from scratch.  I think we
must separate inventions from products.  I would for example use
SHA-1/Blowfish for a file encryptor, but not use Blowfish for the basis of
a new algorithm...

Tom
--
PGP key is at:
'http://mypage.goplay.com/tomstdenis/key.pgp'.


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: "Breaking" a cipher
Date: Wed, 16 Jun 1999 20:31:13 GMT

In article <7k8og1$4q3$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (Paul Schlyter) wrote:
> With one exception: the OTP (One-Time Pad).  Even if you actually had
> the time and resources to search through the entire key space of an
> OTP cipher, the result would tell you nothing you didn't already
> know.  All you'd get would be a huge collection of all possible texts
> with the same length as the ciphertext -- how would you figure out
> which one would be the correct one?

You missed the point.  You cannot *break* an OTP; that's part of the
definition...

The point is searching the key space is not a break, it's a solution.
If I gave you the single equation

2a + 3b = 5

You could find an infinite number of values, but none are solutions,
but if I gave you

2a + 3b = 11
4a - 3b = -5

You could find that

6a = 6
a = 1

Therefore b must equal 3.  This is a solution.  The same idea holds for
a block cipher where

E(k, a) = x

Only one value of k will result in D(k, x) = a, this is a solution not
a break...

Enough of this, time to watch cartoons :)

Tom
--
PGP key is at:
'http://mypage.goplay.com/tomstdenis/key.pgp'.


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
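An added illustration of the distinction Tom draws above (example code written for this digest page, not part of his post): an exhaustive search over a tiny one-time pad, which returns every text of the ciphertext's length exactly once, beside a known-plaintext key search against a constructed toy keyed permutation standing in for E(k, a), which pins the key down. The pad, message, 16-bit key and the toy permutation are all constructed for the example.

```python
from itertools import product

MASK = 0xFFFFFFFF

def rotl32(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK

def toy_block(key, block):
    """Constructed toy keyed permutation of 32-bit blocks (not a real cipher); stands in for E(k, a)."""
    for _ in range(4):
        block = rotl32(((block ^ key) * 0x9E3779B1) & MASK, 13)
    return block

def otp_key_search(ciphertext):
    """Try every pad of the ciphertext's length; map each candidate plaintext to the number of pads giving it."""
    counts = {}
    for pad in product(range(256), repeat=len(ciphertext)):
        candidate = bytes(c ^ p for c, p in zip(ciphertext, pad))
        counts[candidate] = counts.get(candidate, 0) + 1
    return counts

def otp_search_is_uninformative(ciphertext):
    """True when the search returns every text of that length, each from exactly one pad: nothing is learned."""
    counts = otp_key_search(ciphertext)
    return len(counts) == 256 ** len(ciphertext) and set(counts.values()) == {1}

def block_key_search(known_plaintext, known_ciphertext, key_bits=16):
    """Return every key in the key_bits-bit space with E(k, a) == x for the single known pair."""
    return [k for k in range(1 << key_bits)
            if toy_block(k, known_plaintext) == known_ciphertext]

# Constructed sample values: a 2-byte message under a 2-byte pad, and one 32-bit block under a 16-bit key.
OTP_PAD = bytes([0x5A, 0xC3])
OTP_CIPHERTEXT = bytes(m ^ p for m, p in zip(b"hi", OTP_PAD))   # 0x32 0xAA
TRUE_KEY = 0xBEEF
KNOWN_PLAINTEXT = 0x68690000
KNOWN_CIPHERTEXT = toy_block(TRUE_KEY, KNOWN_PLAINTEXT)

if __name__ == "__main__":
    # "hi", "no" and every other 2-byte string each come from exactly one pad, so no candidate stands out
    print(otp_search_is_uninformative(OTP_CIPHERTEXT), otp_key_search(OTP_CIPHERTEXT)[b"no"])
    # the one known pair singles out the key (a chance false positive among 65535 wrong keys is possible)
    print(block_key_search(KNOWN_PLAINTEXT, KNOWN_CIPHERTEXT))
```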

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: the student paradox
Date: Wed, 16 Jun 1999 21:47:36 GMT

In article <[EMAIL PROTECTED]>, Jim Gillogly <[EMAIL PROTECTED]> wrote:
>"SCOTT19U.ZIP_GUY" wrote:
>> scott19u but every one said it was use less then I here that Ron R of
>> RSA comes up with an all or nothing encryption idea. Guess who will
>> get the credit.
>
>His paper was in 1997.  When was yours?  Are you claiming priority
>for the PCBC chaining method, which was used in Kerberos?
>

  My code was written before '97, and the chaining that was used in Kerberos
was a one-pass chaining and not wrapped. It had problems in that if
blocks were sent out of order only a small portion was corrupted, much like with
the other non-error-propagating modes of chaining. If you want to see what
I do, look at scott19u or scott16u; they are different, though most people
are too lazy to look at the code. One thing I doubt Kerberos had was a
chaining method that requires the unchaining to be done in the reverse order.
Most weak chaining methods are described in a way that the chaining is done
in the forward direction and the unchaining during decryption is done in the
same direction. The way I chose to do it that helps keep it more secure is
that the unchaining is done in the opposite direction. Actually, when Ron
coined in the press the "all or nothing encryption" expression, someone 
noticed that what he called all or nothing encryption lacked some of the
properties that I felt were needed before such a label would be attached, so
they are not exactly the same. For details refer to back posts.

  You can check, but I think that Paul's attack was back in 1996; you will have
to ask him.


David A. Scott
--
                    SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
                    http://www.jim.com/jamesd/Kong/scott19u.zip
                    http://members.xoom.com/ecil/index.htm
                    NOTE EMAIL address is for SPAMERS
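An added, constructed illustration of the error-propagation contrast drawn in the post above (it is not scott19u's code or a description of it): CBC, where flipping one ciphertext bit damages only two plaintext blocks, beside a two-pass chaining in which the second pass runs back to front and is undone first, so a single flipped bit leaves every plaintext block wrong. The toy block permutation E/D, key, IV and plaintext are constructed; the example shows propagation behaviour only, not the security of either mode.

```python
MASK = 0xFFFFFFFF
MUL = 0x9E3779B1                     # odd, so multiplication mod 2**32 is invertible
INV_MUL = pow(MUL, -1, 1 << 32)

# Constructed sample values for the demonstration (not from any real system).
KEY = 0x0BADF00D
IV = 0x12345678
PLAINTEXT = [0x41424344 + i for i in range(8)]   # eight 32-bit blocks

def rotl32(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK

def E(key, block):
    """Constructed toy 32-bit keyed permutation (not a real cipher); only its invertibility matters here."""
    for _ in range(4):
        block = rotl32(((block ^ key) * MUL) & MASK, 13)
    return block

def D(key, block):
    for _ in range(4):
        block = ((rotl32(block, 19) * INV_MUL) & MASK) ^ key
    return block

def cbc_encrypt(key, iv, blocks):
    out, prev = [], iv
    for p in blocks:
        prev = E(key, p ^ prev)
        out.append(prev)
    return out

def cbc_decrypt(key, iv, blocks):
    # Each plaintext block depends only on its own and the preceding ciphertext block,
    # so a damaged ciphertext block spoils at most two plaintext blocks.
    out, prev = [], iv
    for c in blocks:
        out.append(D(key, c) ^ prev)
        prev = c
    return out

def chain_pass(key, iv, blocks):
    """One plaintext-feedback pass, c_i = E(p_i ^ p_(i-1)): undoing block i needs block i-1 already undone."""
    out, prev = [], iv
    for p in blocks:
        out.append(E(key, p ^ prev))
        prev = p
    return out

def chain_unpass(key, iv, blocks):
    out, prev = [], iv
    for c in blocks:
        prev = D(key, c) ^ prev
        out.append(prev)
    return out

def two_pass_encrypt(key, iv, blocks):
    # Pass 1 chains front to back; pass 2 chains the result back to front.
    return chain_pass(key, iv, chain_pass(key, iv, blocks)[::-1])[::-1]

def two_pass_decrypt(key, iv, blocks):
    # Unchain in the opposite order: undo the back-to-front pass first, then the front-to-back pass.
    # A damaged block spoils everything behind it in pass 2 and, through block 0, all of pass 1.
    return chain_unpass(key, iv, chain_unpass(key, iv, blocks[::-1])[::-1])

def corrupted_blocks(decrypt, key, iv, plaintext, ciphertext, index):
    """Flip one bit in ciphertext block `index` and count how many plaintext blocks come back wrong."""
    damaged = list(ciphertext)
    damaged[index] ^= 1
    recovered = decrypt(key, iv, damaged)
    return sum(1 for p, r in zip(plaintext, recovered) if p != r)

if __name__ == "__main__":
    for i in (0, 3, 7):
        print(i, corrupted_blocks(cbc_decrypt, KEY, IV, PLAINTEXT, cbc_encrypt(KEY, IV, PLAINTEXT), i),
              corrupted_blocks(two_pass_decrypt, KEY, IV, PLAINTEXT, two_pass_encrypt(KEY, IV, PLAINTEXT), i))
```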

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Phone scrambler : what encryption used ?
Date: Wed, 16 Jun 1999 20:47:31 GMT

In article <[EMAIL PROTECTED]>,
  sb5309 <[EMAIL PROTECTED]> wrote:
> I have been to a few phone scrambler web pages; they don't talk
> algorithms. They say, look, this is the device just take it !
>
> Could you give me a hint ? Thanks.

Well PGPfone uses Blowfish with DH to make session keys.  Most handheld
phones use simple LFSR based stream ciphers (CMEA/ORYX). You would have
to consult the manufacturer to see what standard they are using.  Too
bad most of those standards are not set by specialists... :(

Tom
--
PGP key is at:
'http://mypage.goplay.com/tomstdenis/key.pgp'.


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.

------------------------------

From: "Steven Alexander" <[EMAIL PROTECTED]>
Subject: Re: the student paradox
Date: Wed, 16 Jun 1999 14:50:37 -0700

Your code reads like shit.  I have an easier time reading disassembled win32
programs.

-steven

>If you want to see what I do look at scott19u or scott16u they are
>different though most people
>are too lazy to look at the code.



------------------------------

From: "Steven Alexander" <[EMAIL PROTECTED]>
Subject: Re: the student paradox
Date: Wed, 16 Jun 1999 15:04:11 -0700

I'm not sure that people have fewer ideas as their knowledge increases.  I
think that instead they discount a lot of their own ideas based on their own
ideas before sharing them.

I first became interested in cryptography a couple of years ago.  When I
started out I had a lot of ideas.  I'm still not an "expert" but I still
have the same number of ideas.  However, I am now able to discount most of
my ideas by evaluating them myself.

I do agree that in any science, be it cryptography, physics, biology, etc.,
a student's line of thinking becomes more centered toward what is known
to be the current state of the art.  The student then tries to extend this.
This has the drawback that it takes longer for someone to discover ideas
that are far removed from the current state of the art.  However, it also
restricts students from proposing ideas that have been disproved over and
over again.

I'm not saying that this is better or worse than any other way, just
reflecting on it a bit.

my $.02

-steven






------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
