Cryptography-Digest Digest #418, Volume #10      Fri, 15 Oct 99 23:13:03 EDT

Contents:
  Re: "Risks of Relying on Cryptography," Oct 99 CACM "Inside Risks" column ("Roger Schlafly")
  Re: He is back...new "improved" code ("Belldandy")
  detecting backdoor in prime generator (Anton Stiglic)
  Re: PHT (Mok-Kong Shen)
  Re: "Risks of Relying on Cryptography," Oct 99 CACM "Inside Risks" column ("Roger Schlafly")
  Re: "Risks of Relying on Cryptography," Oct 99 CACM "Inside Risks" column (Mok-Kong Shen)
  Re: Six out of six for Kerckhoffs (John Savard)
  Re: He is back...new "improved" code (John Savard)
  ElGamal Signatures & Encryption  (Terry Cumming)
  Re: How many prime numbers? (jerome)
  Re: Bernstein and letting the court write (or rewrite) laws (Sundial Services)
  Re: He is back...new "improved" code ("Belldandy")
  Re: RSA Algorithm ("Rich Ankney")
  Re: ElGamal Signatures & Encryption  (DJohn37050)
  Re: where to put the trust ([EMAIL PROTECTED])
  Re: Bernstein and letting the court write (or rewrite) laws (Johnny Bravo)
  Re: classifying algorithms ("Joseph Ashwood")
  Off topic ("rosi")
  Re: "Risks of Relying on Cryptography," Oct 99 CACM "Inside Risks" column ([EMAIL PROTECTED])

----------------------------------------------------------------------------

From: "Roger Schlafly" <[EMAIL PROTECTED]>
Subject: Re: "Risks of Relying on Cryptography," Oct 99 CACM "Inside Risks" column
Date: Fri, 15 Oct 1999 12:38:13 -0700

Brian Gladman <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> > There are probably also people who will not trust AES as is, and use
> > triple-AES. If NIST sanctioned triple-AES, they'd use triple-triple-AES.
> > That's fine, but it is pretty useless for NIST to try to accommodate them
>
> No-one is asking for this AFAIK.   I have a high level of trust in the AES
> process but since I have a lot at stake I want a fall back position in case
> things go wrong.

No, you are asking for a triple-AES solution because you don't
trust AES. Perhaps your special needs justify it. That's fine, but
I don't know why you'd want to burden everyone else with an
overly complex AES when you are not going to trust it anyway.




------------------------------

From: "Belldandy" <[EMAIL PROTECTED]>
Subject: Re: He is back...new "improved" code
Date: Fri, 15 Oct 1999 16:21:47 -0500

I'm new to encryption, so please correct me if I'm mistaken. You might
want to "test" him.

Like, what is the reason for the lack of punctuation? Did he use that as a
standard approach, or does it have something to do with punctuation? Maybe
it's because his encryption can only store letters.

How confident is he of how strong his encryption is? If he is hella
confident, then by the assumption that he is stupid and given that he hides
the algorithm, he might use a conversion table with the key as a shifter.



------------------------------

From: Anton Stiglic <[EMAIL PROTECTED]>
Subject: detecting backdoor in prime generator
Date: Fri, 15 Oct 1999 17:21:26 -0400


Does someone remember the ref to an article talking about
detecting prime generators (or n = pq generators) that have
a backdoor?

Thanks in advance...

Anton


------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: PHT
Date: Fri, 15 Oct 1999 23:24:27 +0200

John Savard wrote:
> 
> Wojciech Laskowski <[EMAIL PROTECTED]> wrote, in part:
> 
> >Who tell me something about Pseudo-Hadamard Transform? I need know basic
> >of PHT. Maybe somebody knows any reference to this subject?
> 
> It's not something complicated.
> 
> Take x and y. The Pseudo-Hadamard Transform of (x,y) is (x+y, x+2y).
> It's just meant to combine the two numbers in a way that looks a bit
> like a real transform. It's only used in the block cipher SAFER as far
> as I know.

Can someone tell why it is called pseudo-Hadamard transform? It
seems to be quite different from the (true) Hadamard transform.
So what is 'pseudo' here actually?

M. K. Shen
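As an added worked example (mine, not from any post in this thread): the transform exactly as stated above, (x, y) -> (x+y, x+2y) on 8-bit words as in SAFER, its inverse, an exhaustive check that it permutes all byte pairs, and the determinant test that separates it from the real 2x2 Hadamard matrix. The matrix [[1,1],[1,2]] has determinant 1 and so is invertible modulo any word size; the Hadamard matrix [[1,1],[1,-1]] has determinant -2 and is not invertible mod 256. The diffusion check also shows one edge case: adding 128 to y leaves x+2y unchanged, because 2*128 = 0 mod 256.

```python
"""Pseudo-Hadamard Transform (PHT) on 8-bit words, following the formula in the
post above: PHT(x, y) = (x + y, x + 2y), all arithmetic mod 256 (SAFER's word size).

Added example, not code from the thread.
"""
from math import gcd

MOD = 256  # SAFER works on bytes, so every sum is reduced mod 2^8


def pht(x: int, y: int) -> tuple:
    """Forward PHT: (x, y) -> (x + y, x + 2y) mod 256."""
    return (x + y) % MOD, (x + 2 * y) % MOD


def pht_inv(u: int, v: int) -> tuple:
    """Inverse PHT, solved from u = x + y and v = x + 2y:
    y = v - u and x = u - y = 2u - v, again mod 256."""
    y = (v - u) % MOD
    x = (2 * u - v) % MOD
    return x, y


def pht_is_bijection() -> bool:
    """Exhaustively check that pht permutes all 65536 byte pairs and that pht_inv undoes it."""
    seen = set()
    for x in range(MOD):
        for y in range(MOD):
            out = pht(x, y)
            if out in seen or pht_inv(*out) != (x, y):
                return False
            seen.add(out)
    return len(seen) == MOD * MOD


def matrix_invertible_mod(matrix, mod: int) -> bool:
    """A 2x2 integer matrix is invertible mod `mod` iff its determinant is a unit mod `mod`."""
    (a, b), (c, d) = matrix
    det = a * d - b * c
    return gcd(det % mod, mod) == 1


# PHT matrix: determinant 2*1 - 1*1 = 1, a unit modulo any word size.
PHT_MATRIX = ((1, 1), (1, 2))
# Real 2x2 Hadamard matrix: determinant -2, so H^-1 = H/2, which does not exist
# mod 256 (or mod any power of two). Replacing -1 by 2 is what the "pseudo" buys.
HADAMARD_MATRIX = ((1, 1), (1, -1))


def diffusion_demo(x: int, y: int, delta: int) -> tuple:
    """How many output bytes change when only x moves by delta, and when only y does.
    Usually (2, 2); for delta = 128 the y-change gives (2, 1) since 2*128 = 0 mod 256."""
    base = pht(x, y)
    dx = pht((x + delta) % MOD, y)
    dy = pht(x, (y + delta) % MOD)
    return (sum(a != b for a, b in zip(base, dx)),
            sum(a != b for a, b in zip(base, dy)))


if __name__ == "__main__":
    print("pht(1, 2) =", pht(1, 2), "inverse ->", pht_inv(*pht(1, 2)))
    print("bijection on byte pairs:", pht_is_bijection())
    print("PHT matrix invertible mod 256:", matrix_invertible_mod(PHT_MATRIX, MOD))
    print("Hadamard matrix invertible mod 256:", matrix_invertible_mod(HADAMARD_MATRIX, MOD))
    print("diffusion, delta=1:", diffusion_demo(10, 20, 1), " delta=128:", diffusion_demo(10, 20, 128))
```

The exhaustive check takes a fraction of a second and is the simplest way to convince yourself that a small linear layer is a permutation before building it into a cipher.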

------------------------------

From: "Roger Schlafly" <[EMAIL PROTECTED]>
Subject: Re: "Risks of Relying on Cryptography," Oct 99 CACM "Inside Risks" column
Date: Fri, 15 Oct 1999 13:41:02 -0700

Trevor Jackson, III <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> By this reasoning we should only use telephones and avoid fax and email channels?
> After all it would reduce the tooling costs, right?

When they put in fax and email standards, they didn't deliberately
introduce incompatible formats for diversity purposes.




------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: "Risks of Relying on Cryptography," Oct 99 CACM "Inside Risks" column
Date: Fri, 15 Oct 1999 23:29:56 +0200

Roger Schlafly wrote:
> 

> No, you are asking for a triple-AES solution because you don't
> trust AES. Perhaps your special needs justify it. That's fine, but
> I don't know why you'd want to burden everyone else with an
> overly complex AES when you are not going to trust it anyway.

The Triple DES standard doesn't burden those that use single DES,
as far as I am aware.

M. K. Shen

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Six out of six for Kerckhoffs
Date: Fri, 15 Oct 1999 21:44:13 GMT

[EMAIL PROTECTED] () wrote, in part:

>And this started me thinking about the hierarchy of keys and key-exchange
>keys. This has resulted in my adding a bit to the section on "Military Key
>Management" ... and what I've added is starting to sound a bit like the
>croaking chorus from "The Frogs" of Aristophanes.

Brekekekekek ko-ax ko-ax, which my discussion of (Key-Exchange
Key)-Exchange Keys, having the acronym KEKEK, and above sounded
like...

>(As for cheerful facts about the square of the hypotenuse, you'll find
>them on

my little page about infinity...

and there are no Gilbert and Sullivan fans in this newsgroup?

John Savard ( teneerf<- )
http://www.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: He is back...new "improved" code
Date: Fri, 15 Oct 1999 21:47:45 GMT

"Belldandy" <[EMAIL PROTECTED]> wrote, in part:

>can you tell us about his last algorithm? that can be a good place to start.

Ah, a fan of the Japanese comic Oh! My Goddess! ... Belldandy being
the title character, and her sisters being Urd and Skuld (two of the
Norns...).

John Savard ( teneerf<- )
http://www.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: Terry Cumming <[EMAIL PROTECTED]>
Subject: ElGamal Signatures & Encryption 
Date: Fri, 15 Oct 1999 22:21:32 GMT

Why can't one use El Gamal encryption for digital signatures, i.e. why
is there a separate algorithm for signing? Could I not, like RSA, just
hash a message, then encrypt it with one key? I would need the other key
to decrypt.

Why also (similar reason?) can't DSA be used for encryption, just
signing?

Thank you.

Terry Cumming

------------------------------

From: [EMAIL PROTECTED] (jerome)
Subject: Re: How many prime numbers?
Reply-To: [EMAIL PROTECTED]
Date: Fri, 15 Oct 1999 22:27:50 GMT

On Fri, 15 Oct 1999 19:57:38 GMT, Tim Tyler wrote:
>
>The log formula was long though to be an overestimate - but it was
>subsequently discovered that it dipped beneath the actual frequency of the
>primes at some large figure - I presume this point was the one being
>referred to.
>

I think I have seen a reference explaining that it goes above
and below the actual number an infinite number of times.
If memory serves, it has been proved.

I will check if I can find where I read that, just to be sure
I didn't "dream" it.
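An added worked example (mine, not from the thread) for the comparison being discussed: an exact prime count pi(x) from a sieve, beside the two "log formulas" people usually mean, x/ln x and the logarithmic integral li(x), for x up to 10^6. At every size a sieve can reach, x/ln x is below pi(x) and li(x) is above it; the sign changes of li(x) - pi(x) the poster recalls (Littlewood's theorem) occur far beyond this range. The li(2) constant is a known value; the Simpson step count is an assumption of the example.

```python
"""pi(x) against x/ln x and li(x), computed exactly/numerically for x <= 10^6.

Added example, not code from the thread.
"""
import math

LIMIT = 10 ** 6


def sieve(limit: int) -> bytearray:
    """is_prime[n] == 1 for prime n <= limit (Eratosthenes)."""
    is_prime = bytearray([1]) * (limit + 1)
    is_prime[0:2] = b"\x00\x00"
    for p in range(2, math.isqrt(limit) + 1):
        if is_prime[p]:
            is_prime[p * p::p] = bytearray(len(range(p * p, limit + 1, p)))
    return is_prime


IS_PRIME = sieve(LIMIT)
# PI_COUNTS[x] = pi(x), the number of primes <= x, built once from the sieve
PI_COUNTS = [0] * (LIMIT + 1)
for n in range(1, LIMIT + 1):
    PI_COUNTS[n] = PI_COUNTS[n - 1] + IS_PRIME[n]


def prime_count(x: int) -> int:
    return PI_COUNTS[x]


def x_over_ln_x(x: float) -> float:
    return x / math.log(x)


def li(x: float, steps: int = 20000) -> float:
    """Offset logarithmic integral li(x) = li(2) + int_2^x dt/ln t.
    Substituting t = e^u turns the integrand into e^u/u, which is smooth on
    [ln 2, ln x], so Simpson's rule with `steps` (even) intervals is accurate."""
    LI_2 = 1.0451637801174927          # li(2), known constant
    a, b = math.log(2), math.log(x)
    h = (b - a) / steps
    f = lambda u: math.exp(u) / u
    total = f(a) + f(b)
    for i in range(1, steps):
        total += (4 if i % 2 else 2) * f(a + i * h)
    return LI_2 + total * h / 3


def comparison_table(powers=(2, 3, 4, 5, 6)):
    """Rows of (x, pi(x), x/ln x, li(x)) for x = 10^k."""
    return [(10 ** k, prime_count(10 ** k), x_over_ln_x(10 ** k), li(10 ** k))
            for k in powers]


def x_over_ln_x_below_pi_from(start: int = 17, limit: int = LIMIT) -> bool:
    """Rosser's bound pi(x) > x/ln x, checked for every integer x in [start, limit]."""
    return all(prime_count(x) > x_over_ln_x(x) for x in range(start, limit + 1))


if __name__ == "__main__":
    for x, pi_x, approx, li_x in comparison_table():
        print(f"{x:>8}  pi={pi_x:>6}  x/ln x={approx:>10.1f}  li={li_x:>10.1f}")
    print("pi(x) > x/ln x for all 17 <= x <= 10^6:", x_over_ln_x_below_pi_from())
```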


------------------------------

Date: Fri, 15 Oct 1999 15:56:32 -0700
From: Sundial Services <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Crossposted-To: talk.politics.crypto
Subject: Re: Bernstein and letting the court write (or rewrite) laws

I dunno... I've always felt a little funny about the Bernstein case,
because essentially he's asking the Circuit Court to write or rewrite
American law -- and in a way the Court "fell for it" because of course
that was precisely what Bernstein intended to happen all along.  He set
up the whole situation for the purpose of creating this legal decision.

I don't mean to start any flame war here, but I guess I do feel that the
place to create law and policy is the Congress and in the Executive
branch, not the Judiciary.  It's an age-old problem of course, inherent
in our system of "checks and balances," which system is deliberately
designed that it be so!  But cryptography was hardly on the Framers'
minds when they drafted the Amendment.  I'm not sure the present
situation does us any favor, or any good, by pitting a few dozen (very
precious) words against the whole of U.S. Encryption policy.

Ours is not the rule of kings, nor of councils made of kings.

The root cause of the problem is clearly that the U.S. policy and laws
do need to be revised.  E-commerce makes that very clear.  But is the
right way to effect those changes, to simply line lawyers' pockets? I'm
not so sure.

I guess it's like the way that I feel about all of what Phil-Z did, so
many years ago now.  Maybe he was an agent of change; maybe he was
simply a little ahead of what would have happened anyway.  Did he engage
in a justified "act of civil disobedience" or did he cost the taxpayers
a lot of money, ignore the value of the lawmaking process, and in the
end, accomplish nothing at all?  :-/

Is Bernstein's court case actually the reason why export-laws are
possibly about to be changed, or is he just wasting our time and public
money?

We live in such interesting times, where so many of our assumptions and
ideas are just being swept away, that it's hard to know how much is our
doing and how much is simply the tide.  When the U.S. military dreamed
up GPS they were thinking about missiles ... not using the same system
to locate manhole covers, buried lines, and even the cellular telephones
of people who are making 911 calls.  When the U.S. military dreamed up a
lot of encryption policy they were thinking about missiles too.

[And mind you, we still have to think about missiles.  We just have to
include manhole covers into the picture too, somehow.]

Is this cryptographic revolution actually our doing?  Or were all of the
changes that the cypherpunks hungered for all these years "simply
inevitable, after all?"

No flames, please.  It is an interesting question, I think.  I hope it
prompts relevant and interesting replies.

------------------------------

From: "Belldandy" <[EMAIL PROTECTED]>
Subject: Re: He is back...new "improved" code
Date: Fri, 15 Oct 1999 18:03:30 -0500

nice to know that someone recognizes it :)
> Ah, a fan of the Japanese comic Oh! My Goddess! ... Belldandy being
> the title character, and her sisters being Urd and Skuld (two of the
> Norns...).




------------------------------

From: "Rich Ankney" <[EMAIL PROTECTED]>
Subject: Re: RSA Algorithm
Date: Fri, 15 Oct 1999 19:17:29 -0400

Judging from the meeting this week, he's still doing it big time,
I think...

DJohn37050 wrote in message
<[EMAIL PROTECTED]>...
>Bob, I think you have done factoring more than just in 1984.  (typo?)
>Don Johnson



------------------------------

From: [EMAIL PROTECTED] (DJohn37050)
Subject: Re: ElGamal Signatures & Encryption 
Date: 15 Oct 1999 23:38:30 GMT

For DSA, the public key does not look like the private key.  For RSA it does.
Don Johnson
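An added worked example (mine, not from either post) for the question and the reply above: textbook RSA beside ElGamal encryption and the ElGamal signature scheme, all on toy parameters. In RSA the same primitive, x -> x^k mod n, is used in both directions, so "hash, then apply the private exponent" is literally the decryption routine and verification is the encryption routine. ElGamal encryption takes the recipient's public key y = g^x and a fresh random k; there is no "encrypt with the private key" direction a verifier could undo with y, so signing is a separate construction (r, s) over p-1. The primes, the hash-to-integer reduction and the choice of 3 as generator of Z_65537^* are assumptions of this example, and the parameters are far too small for real use.

```python
"""Textbook RSA vs. ElGamal encryption and ElGamal signatures, on toy parameters.

Added example, not code from the thread. Unpadded, tiny parameters: illustration only.
"""
import hashlib
import secrets
from math import gcd


def hash_to_int(msg: bytes, bound: int) -> int:
    """SHA-256 of msg reduced into [1, bound - 1] (toy hash-to-integer, an assumption here)."""
    return 1 + int.from_bytes(hashlib.sha256(msg).digest(), "big") % (bound - 1)


# ---------- RSA: one primitive x -> x^k mod n serves encryption, decryption, signing, verifying ----------
RSA_P, RSA_Q, RSA_E = 999983, 1000003, 65537            # toy primes chosen for this example


def rsa_keygen():
    n = RSA_P * RSA_Q
    phi = (RSA_P - 1) * (RSA_Q - 1)
    d = pow(RSA_E, -1, phi)                              # e is coprime to phi for these values
    return (n, RSA_E), (n, d)                            # (public, private)


def rsa_encrypt(m: int, pub) -> int:
    n, e = pub
    return pow(m, e, n)


def rsa_decrypt(c: int, priv) -> int:
    n, d = priv
    return pow(c, d, n)


def rsa_sign(msg: bytes, priv) -> int:
    # "Hash, then encrypt with the private key" is exactly the decryption primitive on the hash.
    return rsa_decrypt(hash_to_int(msg, priv[0]), priv)


def rsa_verify(msg: bytes, sig: int, pub) -> bool:
    # Verification is the encryption primitive applied to the signature.
    return rsa_encrypt(sig, pub) == hash_to_int(msg, pub[0])


# ---------- ElGamal over Z_p^*: encryption and signing are different algorithms ----------
EG_P, EG_G = 65537, 3                                    # toy prime; 3 generates Z_65537^*


def eg_keygen():
    x = 1 + secrets.randbelow(EG_P - 2)                  # private exponent x
    return pow(EG_G, x, EG_P), x                         # (public y = g^x, private x)


def eg_encrypt(m: int, y: int):
    """Uses the recipient's PUBLIC key y and a fresh random k. Nothing here can be
    run 'with the private key' to produce something the public key inverts."""
    k = 1 + secrets.randbelow(EG_P - 2)
    return pow(EG_G, k, EG_P), (m * pow(y, k, EG_P)) % EG_P      # (c1, c2)


def eg_decrypt(ct, x: int) -> int:
    c1, c2 = ct
    return (c2 * pow(pow(c1, x, EG_P), -1, EG_P)) % EG_P


def eg_sign(msg: bytes, x: int):
    """ElGamal signature: a separate construction working mod p-1, needing gcd(k, p-1) = 1."""
    h = hash_to_int(msg, EG_P - 1)
    while True:
        k = 1 + secrets.randbelow(EG_P - 2)
        if gcd(k, EG_P - 1) != 1:
            continue
        r = pow(EG_G, k, EG_P)
        s = (pow(k, -1, EG_P - 1) * (h - x * r)) % (EG_P - 1)
        if s != 0:
            return r, s


def eg_verify(msg: bytes, sig, y: int) -> bool:
    r, s = sig
    if not 0 < r < EG_P:
        return False
    h = hash_to_int(msg, EG_P - 1)
    return pow(EG_G, h, EG_P) == (pow(y, r, EG_P) * pow(r, s, EG_P)) % EG_P


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    print("RSA sign/verify:", rsa_verify(b"hello", rsa_sign(b"hello", priv), pub))
    y, x = eg_keygen()
    print("ElGamal decrypt:", eg_decrypt(eg_encrypt(12345, y), x))
    print("ElGamal sign/verify:", eg_verify(b"hello", eg_sign(b"hello", x), y))
```

Note that eg_sign reduces the hash modulo p-1 while eg_encrypt works modulo p: the two algorithms do not even live in the same group, which is the concrete reason one cannot be obtained from the other by swapping keys.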

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: where to put the trust
Date: Sat, 16 Oct 1999 00:08:34 GMT

[EMAIL PROTECTED] wrote:

> I think what we need do is first accept reality for what it
> is, and then see if we cannot mitigate the situation with
> new approaches and protocols.  My suggestions are well known
> (3-level multiciphering, independent keys, ciphers changing
> frequently by automatic negotiation).
>
> If someone knows something better, let's hear about it.

A three-level cipher is a special case of a cipher.
Three-level ciphers have no more provable security
than single ciphers.

The per-message change makes the problem worse. It
leaves a lower chance of exposing everything, but
a higher chance of exposing something.  This is
worse because of the diminishing returns to the
attacker - the first one percent is much more
valuable than the last few percent.

I do agree we have too few ciphers and need more,
specifically we need more _public_ key ciphers.
We have scores of secret-key ciphers and new ones
are easy to design.  I suspect the sci.crypt
obsession with symmetric ciphers is precisely
because they are so easy to build.

--Bryan


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: [EMAIL PROTECTED] (Johnny Bravo)
Crossposted-To: talk.politics.crypto
Subject: Re: Bernstein and letting the court write (or rewrite) laws
Date: Fri, 15 Oct 1999 20:35:16 GMT

On Fri, 15 Oct 1999 15:56:32 -0700, Sundial Services <[EMAIL PROTECTED]>
wrote:

>I dunno... I've always felt a little funny about the Bernstein case,
>because essentially he's asking the Circuit Court to write or rewrite
>American law 

  Why is that making you feel funny? That is the purpose of the Judiciary
Branch, to determine if laws are constitutional or not.  Or do you think that
no matter what, the law is the law, no matter how many rights it violates?

>-- and in a way the Court "fell for it" because of course
>that was precisely what Bernstein intended to happen all along.  He set
>up the whole situation for the purpose of creating this legal decision.

  How else are they going to hear the case if the case never goes to court?
It was his right to have the Judiciary settle this dispute between himself
and the government about a matter of law.

>I don't mean to start any flame war here, but I guess I do feel that the
>place to create law and policy is the Congress and in the Executive
>branch, not the Judiciary.  It's an age-old problem of course, inherent
>in our system of "checks and balances," which system is deliberately
>designed that it be so!  But cryptography was hardly on the Framer's
>minds when they drafted the Amendment.  

  I doubt that television, radio, or the internet was on their minds either. Do
you think that the above mediums do not deserve any protection because
they weren't invented in the late 1700s?  Many of the current religions did not
exist then; do they deserve the protection of the first amendment?
  There is no problem with checks and balances; this is how the system
was designed to work from the very start.  No one is asking the Judiciary to
create a new law, they are being asked to rule if an existing law violates
Constitutional rights.  This is their job; why does it make you uneasy that
they are doing it?

>I'm not sure the present
>situation does us any favor, or any good, by pitting a few dozen (very
>precious) words against the whole of U.S. Encryption policy.

  You can't legislate away rights.  Just because the US Government thinks it is
a good idea, doesn't mean it is legal and proper.

>I guess it's like the way that I feel about all of what Phil-Z did, so
>many years ago now.  

  He wrote a computer program, what problem do you have with this?

>Maybe he was an agent of change; maybe he was
>simply a little ahead of what would have happened anyway.  Did he engage
>in a justified "act of civil disobedience" or did he cost the taxpayers
>a lot of money, ignore the value of the lawmaking process, and in the
>end, accomplish nothing at all?  :-/

  Phil did nothing wrong.  That a vindictive government exceeded its authority
in an effort to punish him does not make Phil the wrongdoer here.

>We live in such interesting times, where so many of our assumptions and
>ideas are just being swept away, that it's hard to know how much is our
>doing and how much is simply the tide.  

  You seem to imply that we are not in control; we are creating the waves.
There is no mystical outside force that changes things.

>When the U.S. military dreamed
>up GPS they were thinking about missiles ... not using the same system
>to locate manhole covers, buried lines, and even the cellular telephones
>of people who are making 911 calls.  When the U.S. military dreamed up a
>lot of encryption policy they were thinking about missiles too.

  However the US Government seems to think that all the good crypto that exists
in the world must somehow all be in the United States.  Blocking export of
something that is just as available outside the borders seems a bit stupid.  

>[And mind you, we still have to think about missiles.  We just have to
>include manhole covers into the picture too, somehow.]

  There is no evidence that US crypto is somehow special or superior to non-US
crypto.  Blocking export of something that exists all over the world for free is
only hurting US economic interests.

  Johnny Bravo


------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: classifying algorithms
Date: Fri, 15 Oct 1999 17:53:14 -0700

> In particular a stream cipher could depend on p merely to use
> its length, as for any key-stream generator (e.g. RC4).
Yes, but I see no reason to limit it in such a way. Simply because RC4 is
currently the most well known doesn't mean that someone couldn't build a
stream cipher by storing the first block of plaintext in a separate buffer,
taking the key, and using it to perform an operation on the plaintext, then
outputting the permuted block (removing it from the data to be enciphered),
setting the stored data as the key, and beginning again. I don't think it
would be intelligent to do, but I feel it should be called a stream cipher.

> By your definition, most block cipher modes (OFB, CFB, CBC) are
> actually stream ciphers; only ECB is really still a block cipher.
> Does this seem reasonable?
Seems reasonable to me. As soon as you begin altering the next step based on
a prior step, I feel safe in going beyond the bounds of calling it a block
cipher, perhaps a term like Complex (or Extended) Block Cipher would be
applicable, but I think it would just confuse the issue.

Of course calling it a stream cipher may not be wholly appropriate, because
of further restrictions that might be placed on stream ciphers, but without
adding classes of ciphers, or creating a gradient between block and stream
(also a possibility, although the descriptions would become generally more
difficult), I don't see a solution to the problem.

Perhaps we just have too few categories, maybe we need to treat them as
classes, with subclasses. Something like the generic Block/Stream, then
under Block we've got Strict Block/Feedback Enhanced, then Feistel//////etc,
then down to actual names, with a great number of ciphers being in multiple
categories. And something similar under stream, of course there really
aren't enough stream ciphers to begin building a good taxonomy of them, at
least not yet, but it seems like every undereducated person feels the need
to design their own block cipher.
                Joseph
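An added worked example (mine, not from the post) of the taxonomy point above: CBC, CFB and OFB implemented over one block permutation, so you can see which modes behave as stream ciphers. CFB and OFB call only the forward block function, accept any message length without padding, and in OFB the keystream is fixed by key and IV alone, independent of the plaintext. CBC requires whole blocks and the inverse permutation to decrypt. The block permutation here is a toy 4-round Feistel network keyed through SHA-256, an assumption of this example chosen so it runs without a crypto library; it is not a secure cipher and stands in for whatever real block cipher you would use.

```python
"""CBC, CFB and OFB over one toy block permutation: which ones act as stream ciphers.

Added example, not code from the thread. The Feistel 'block cipher' below is a
stand-in (assumption of this example), NOT secure.
"""
import hashlib
import os

BLOCK = 16  # 128-bit blocks, like AES


def xor(a: bytes, b: bytes) -> bytes:
    """XOR truncated to the shorter input; this is what lets CFB/OFB handle a short final block."""
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel permutation on 16-byte blocks (round function = truncated SHA-256)."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, xor(left, _round(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse permutation: same rounds in reverse order."""
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = xor(right, _round(key, rnd, left)), left
    return left + right


def _chunks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    if len(pt) % BLOCK:
        raise ValueError("CBC needs whole blocks: pad first")
    out, prev = [], iv
    for p in _chunks(pt):
        prev = block_encrypt(key, xor(p, prev))      # ciphertext block feeds the next input
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for c in _chunks(ct):
        out.append(xor(block_decrypt(key, c), prev))  # needs the INVERSE permutation
        prev = c
    return b"".join(out)


def cbc_accepts(key: bytes, iv: bytes, pt: bytes) -> bool:
    try:
        cbc_encrypt(key, iv, pt)
        return True
    except ValueError:
        return False


def cfb_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for p in _chunks(pt):                            # final chunk may be shorter than BLOCK
        c = xor(p, block_encrypt(key, prev))          # keystream block = E(previous ciphertext)
        out.append(c)
        prev = c                                      # a short c can only be the last chunk
    return b"".join(out)


def cfb_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for c in _chunks(ct):
        out.append(xor(c, block_encrypt(key, prev)))  # forward direction only, no block_decrypt
        prev = c
    return b"".join(out)


def ofb_keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """OFB keystream depends on key and IV only: E(IV), E(E(IV)), ... truncated to length."""
    out, state = [], iv
    for _ in range(-(-length // BLOCK)):
        state = block_encrypt(key, state)
        out.append(state)
    return b"".join(out)[:length]


def ofb_xcrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """OFB encryption and decryption are the same operation."""
    return xor(data, ofb_keystream(key, iv, len(data)))


if __name__ == "__main__":
    key, iv = os.urandom(16), os.urandom(16)
    msg = b"Only ECB is really still a block cipher"   # 39 bytes: not block aligned
    print("CFB round trip:", cfb_decrypt(key, iv, cfb_encrypt(key, iv, msg)) == msg)
    print("OFB round trip:", ofb_xcrypt(key, iv, ofb_xcrypt(key, iv, msg)) == msg)
    print("CBC accepts unpadded 39 bytes:", cbc_accepts(key, iv, msg))
```

A practical consequence of the "mode as stream cipher" view: in CFB and OFB, reusing an IV under the same key leaks the XOR of the two plaintexts, exactly as a reused one-time pad or RC4 key would, whatever the strength of the underlying block cipher.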



------------------------------

From: "rosi" <[EMAIL PROTECTED]>
Subject: Off topic
Date: Fri, 15 Oct 1999 20:51:33 -0400


Hideo Shimizu wrote in message <[EMAIL PROTECTED]>...
>


[snip]

>Sorry for bad English.

   But that is beautiful English! And Thanks.
   --- (My Signature)

>
>Hideo Shimizu
>TAO, Japan



------------------------------

From: [EMAIL PROTECTED]
Subject: Re: "Risks of Relying on Cryptography," Oct 99 CACM "Inside Risks" column
Date: Sat, 16 Oct 1999 01:23:21 GMT

Terry Ritter wrote:
> John Savard wrote:

> >It isn't the idea of having two or three AES winners that Bruce was
> >referring to, but the idea of relying on a system that is based on the
> >principle that, since *no* cipher is proven secure, one needs
> >_thousands_ of ciphers, chosen at random by one's encryption
> >program...
>
> It seems odd to me that you know what is on Schneier's mind,

Isn't that what this reading and writing thing is all about?

> but your
> summary is wrong:  If we could believe that any one cipher is forever
> unbreakable, we would need no more than that.

His summary was fine; your claim above is simply non-responsive.

> Our problem is that
> there is no such evidence.  We are ever so casually asked to risk the
> whole of our information society on mere opinion that, in a very real
> sense, can have no expertise behind it.  Our experts simply cannot
> know what our opponents may do.

We are on shaky ground relying on the scientific method
to resolve mathematical questions, but so far it's the
best we have figured out how to do.

> We only add ciphers to reduce the risk inherent in the conventional
> wisdom.  The advantage begins with the very first additional cipher.

In terms of provable, quantifiable, security, they are
tied at squat.  No advantage there.

> To the extent that any one cipher is a risk, using two different
> ciphers in sequence tends to protect both.  And when we use three
> different ciphers, then even if one is completely broken, the opponent
> still does not have known-plaintext for either of the other two.

Ah, _relative_ security.  We have proofs of that.


> Beyond that, we can also increase the number of ciphers.
>
> Or perhaps you will offer a better alternative . . . .

The point is that the conventional wisdom is already
a better alternative than this per-message change of
ciphers.

> The point of having many "cipherings" is *not* to increase keyspace
> per se, but instead to give us the frequent opportunity to change from
> one ciphering to another, thus terminating any break which may have
> occurred.

And opening one where previously blocked.

> We do want to have enough cipherings so that we can support
> a few broken combinations which expose only a small fraction of our
> data.  Probably thousands is enough.

A small chance of exposing all my plaintext is far
better than a large chance of exposing a small
portion.  The many-cipher system offers a bad trade.

> But if we dynamically increase the working set of ciphers (explicitly
> avoiding any which are known weak, of course), we can force our
> opponents to support an extremely costly process of detection,
> acquisition and analysis for every new cipher.  This is to our
> advantage.

The attacker can just go after the low-hanging fruit.
He gets a bigger advantage than we do.  He can also
propose ciphers that he can break.  How do you know
not to use them?

> >The use of multiple encryption, where at least one well-analyzed
> >cipher, like an AES finalist, is among those used, was sort of
> >grudgingly accepted as a possible supplement to the idea by its
> >advocate.
>
> Using a particular cipher necessarily reduces the number of different
> cipher stacks to the square of the number of ciphers, instead of the
> cube.  This is some degree of loss, and the only reason to do it is if
> someone is convinced that a particular cipher is unbreakable.  But
> there will be many different opinions about which particular cipher
> that should be.  How much different is this from a random selection?

Very.  It puts a lower limit on the strength of the
combinations.  It protects us in the face of attacks
on the selection process - what we might call the
"chosen cipher" attack.

> First of all, we are discussing a security flaw at the heart of
> conventional cryptography.  We do not pussyfoot around with serious
> public issues.

I don't know exactly what constitutes "pussyfooting", but
you continue to ignore the devastating flaws in the
per-message cipher choice.

> Also note that I have in the past presented various ideas at a
> somewhat lower key, only to see those ideas explicitly avoided by
> those many trust to provide a complete survey of cryptography.  So
> I've "been there," and "done that."

Been where and done what?  According to your posts, you've
been a crypto consultant over the years when DES, the only
real standard, was dying.  How many of these hundred-cipher
systems have you built?  How many are in use?

Those who are trusted have an obligation to avoid techniques
they believe are inferior.

> My experience is that those who
> support the conventional wisdom will avoid anything fundamentally new
> and disturbing at almost any cost.

A look at the course cryptography has taken since the
"New Directions" paper should disabuse one of the notion
that the field rejects new and disturbing ideas.

--Bryan


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
