Cryptography-Digest Digest #459, Volume #10      Thu, 28 Oct 99 00:13:04 EDT

Contents:
  Re: use of US export restricted library (Paul Koning)
  Re: There could be *some* truth to it (Tim Tyler)
  Re: some information theory (very long plus 72K attchmt) (Tim Tyler)
  Re: This compression argument must end now (Tim Tyler)
  Re: Modern secret writing (ca314159)
  Re: do you consider this secure ? (Bill Unruh)
  Re: Note on Feistel Ciphers ([EMAIL PROTECTED])
  Re: OAP-L3: How Do You Spell S-H-A-R-E-W-A-R-E ("Trevor Jackson, III")
  Re: do you consider this secure ? ([EMAIL PROTECTED])
  Re: the ACM full of Dolts? (SCOTT19U.ZIP_GUY)
  Re: Unbiased One to One Compression (SCOTT19U.ZIP_GUY)

----------------------------------------------------------------------------

From: Paul Koning <[EMAIL PROTECTED]>
Subject: Re: use of US export restricted library
Date: Wed, 27 Oct 1999 17:52:36 -0400

Sven Gohlke wrote:
> 
> "jh" <[EMAIL PROTECTED]> writes:
> 
> >I am living outside US/ Canada.
> >If I write a program which uses US export restricted crypto libraries that
> >have been exported in some way to my country and then I would like to sell
> >the program in US and other countries is there any problem?
> 
> Not if you are not a citizen of the USA, Canada, Australia or any other
> country which has restrictions on crypto export.
> 
> (especially if you are German, you are supported by the German government
> to use and spread cryptographic products)

That's incorrect.

If you use US made crypto components, the result may also be subject
to US restrictions.  (Yes, I know that's screwy.  Don't blame me,
I don't say it makes sense, I'm just passing along the information.)

If the US stuff you're using is less than 10% of the total, no problem.
If less than 25% of the total, problem only if the result goes to a 
small list of countries (like Cuba).  More than 25%, you're subject to
US rules on your product.

        paul

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: There could be *some* truth to it
Reply-To: [EMAIL PROTECTED]
Date: Wed, 27 Oct 1999 23:36:22 GMT

Anton Stiglic <[EMAIL PROTECTED]> wrote:
: Tim Tyler wrote:
:> Anton Stiglic <[EMAIL PROTECTED]> wrote:

:> The attacker /can/ find out information about the key
:> exchange - *if* he is lucky.  If he polarises all his filters the right
:> way he can get all the bits of the key (and some extra).  By bugging the
:> telephone call between the parties he can verify that his polarisations
:> were accurate and learn which of the bits sent are to be used for
:> encrypting the main message.  He has the key, and confirmation that his
:> key is correct.
:>
:> This is not the first time I've tried to explain this to you.  If you
:> doubt the conclusion, /please/ try to pin down where you think my mistake
:> lies, so I don't have to go through this tedious explanation again.

: I know of this attack, but it's a far fetched attack.

Indeed.

: Do you know the probability of this possibly happening [?]

I do.

:> : The advantage of quantum key-exchange, though, is that it is unconditionally
:> : secure [...]
:>
:> Nope.  It is less secure than a OTP to eavesdroppers. [snip]
:>
:> : it does have a probability of error (which can be made exponentially small).
:>
:> ...which is *never* zero.  If this chance event crops up, the attacker can
:> read the message, know he has it correct *and* remain undetected.

: In practice, no cryptosystem has zero probability of error, just due to
: the errors that arise because of the physical communication or processing
: technology.

Indeed.  Of course you want to minimise the security problems in the
crypto-system itself, where possible.

: This is why *I* personally feel safe with a probability of error of something
: like 2^(-20) (any machine or communication channel will err with greater
: probability).

: Would you argue with this?

You probably know better than I do when you feel safe ;-)
-- 
__________
 |im |yler  The Mandala Centre  http://www.mandala.co.uk/  [EMAIL PROTECTED]

Because I could not stop for Death he kindly stopped for me.
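An added example, written for this page rather than posted in the thread: a small simulation of the intercept-resend attack on BB84 that Tim Tyler describes above. Eve measures each photon in a basis of her own choosing, forwards a fresh photon in that basis, and then listens to the public basis comparison. When every one of her basis choices happens to match Alice's she ends up holding exactly the sifted key and disturbs nothing, so the error check sees no trace of her; when she guesses independently, about a quarter of the sifted bits are disturbed. The measurement model (same basis reads the bit, wrong basis gives a coin flip), the photon counts and the seeds are the example's own assumptions.

```python
# Added example for this page (not code from the thread): intercept-resend
# eavesdropping on BB84, including the "lucky Eve" case.
import random
from fractions import Fraction

RECT, DIAG = 0, 1   # the two polarisation bases (labels only)


def measure(photon, basis, rng):
    """Measure a photon prepared as (bit, basis).

    Assumed model: measuring in the preparation basis reads the bit
    exactly; measuring in the other basis yields a uniformly random bit.
    """
    bit, prep_basis = photon
    return bit if basis == prep_basis else rng.randrange(2)


def bb84(a_bits, a_bases, b_bases, eve_bases=None, seed=0):
    """One BB84 run with an optional intercept-resend eavesdropper.

    Eve measures photon i in eve_bases[i] and forwards a fresh photon
    carrying her result in that basis.  Sifting (the public basis
    comparison) is heard by Eve too, so she keeps the same positions.
    Returns (alice_key, bob_key, eve_key, errors_between_alice_and_bob).
    """
    rng = random.Random(seed)
    photons = list(zip(a_bits, a_bases))
    eve_bits = None
    if eve_bases is not None:
        eve_bits = [measure(p, eb, rng) for p, eb in zip(photons, eve_bases)]
        photons = list(zip(eve_bits, eve_bases))
    b_bits = [measure(p, bb, rng) for p, bb in zip(photons, b_bases)]
    keep = [i for i, (ab, bb) in enumerate(zip(a_bases, b_bases)) if ab == bb]
    a_key = [a_bits[i] for i in keep]
    b_key = [b_bits[i] for i in keep]
    eve_key = None if eve_bits is None else [eve_bits[i] for i in keep]
    errors = sum(x != y for x, y in zip(a_key, b_key))
    return a_key, b_key, eve_key, errors


def scenario(n=2000, eve="lucky", seed=1):
    """Run BB84 over n photons (constructed input).  eve is "none", "lucky"
    (every basis guess matches Alice's) or "random" (independent guesses)."""
    rng = random.Random(seed)
    a_bits = [rng.randrange(2) for _ in range(n)]
    a_bases = [rng.randrange(2) for _ in range(n)]
    b_bases = [rng.randrange(2) for _ in range(n)]
    if eve == "none":
        eve_bases = None
    elif eve == "lucky":
        eve_bases = list(a_bases)
    elif eve == "random":
        eve_bases = [rng.randrange(2) for _ in range(n)]
    else:
        raise ValueError(eve)
    a_key, b_key, eve_key, errors = bb84(a_bits, a_bases, b_bases, eve_bases, seed)
    return {
        "sifted": len(a_key),
        "error_rate": errors / len(a_key),   # what Alice and Bob's check sees
        "eve_has_key": eve_key == a_key,
    }


def lucky_probability(n):
    """Probability that Eve guesses all n bases right: exactly 2**-n.
    Exponentially small, never zero (kept exact to avoid float underflow)."""
    return Fraction(1, 2 ** n)


if __name__ == "__main__":
    for who in ("none", "random", "lucky"):
        print(who, scenario(eve=who))
    print("P(lucky) for 64 photons:", lucky_probability(64))
```

The "random" run is the case the error check is designed for; the "lucky" run is the event argued over above: zero errors, Eve holds the key, and nothing on either channel distinguishes it from the "none" run.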

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: some information theory (very long plus 72K attchmt)
Reply-To: [EMAIL PROTECTED]
Date: Wed, 27 Oct 1999 23:29:07 GMT

Anton Stiglic <[EMAIL PROTECTED]> wrote:
: Tim Tyler wrote:
:> Anton Stiglic <[EMAIL PROTECTED]> wrote:
:> : Tim Tyler wrote:

:> :> Notice that the discussion up to this point related to  "Comp(P)"
:> :> (singular).
:> :>
:> :> I was attempting to discuss the statistical properties of bits in an
:> :> *individual* compressed message, given a message chosen from the set of
:> :> potential inputs at random.  It was my claim that such compressed files
:> :> approach being indistinguishable from random bitstrings, as the
:> :> compression gets better and better.
:> :>
:> :> If you choose the same message and compress it several times, and
:> :> concatenate the results I completely agree that the results need no
:> :> longer be apparently random.
:>
:> : Yes, I believe this was the source of confusion on both of our sides.
:>
:> Unfortunately, it appears the confusion continues ;-/

: No, listen to me, I'm talking about viewing it in a mathematical model,
: as the known general attacks on RSA do right now.  What attacks am I
: talking about, attacks that are based on things like:
: -factoring,
: -multiplicative property (Denning)
: -cycling attacks (Simmons and Norris)
: -common modulus attacks.

: If you have ever dealt with RSA or ElGamal, you would understand the
: model to which I am referring.

: Please do not reply by saying "but it's not proven that an attack on
: statistical language bindings for RSA doesn't exist", or something in
: this way, I'm talking about the model I view, and a lot of other
: cryptographers view.

You /say/ you're disagreeing with me, yet your reply appears to bear
little relation to the subject we've discussed so far.

Do you think compressing files makes them harder to distinguish from
random data streams, by statistical tests?  Or by analysis?

You seem to be saying that compressing files doesn't make them more
"random" in some sense related to cryptography.

*I*'m talking about "random" in the sense of consecutive bits having no
discernible pattern.

I'm using random in the sense that a random string is an incompressible one.

I'm using "random" in the sense of the Chaitin/Kolmogorov definition of
randomness.

If *you* are using the word to mean something completely different then
that's fine - but you need to spell out what /you/ mean by "random" before
we can usefully communicate any further on the matter.

At a *guess* you're talking about "random" in a sense connected with
guessing the probability of each type of file occurring.

I *conjecture* the point you're trying to raise is that if the original
files have frequency distribution X and the compressed files /also/ have
frequency distribution X (and X is non-uniform), then the compressed files
are not random - because if they /were/, their frequency distribution
would be different - and flat.

I'm not sure how this notion is very applicable in the case where you
only have one file to look at - but that's my best guess.

I /still/ fail to see the relevance of your discussing stream cyphers and
block cyphers to any of this ;-(

: Your replies are starting to get annoying, I feel you just like to argue
: for the sake of arguing.

Well, I'm not trying to do that.

However, I would certainly encourage others to killfile the thread if
their only interest is in cryptography.

I predict the thread will have practically zero content as far as gleaning
useful cryptological insights goes.
-- 
__________
 |im |yler  The Mandala Centre  http://www.mandala.co.uk/  [EMAIL PROTECTED]

Night fell on the face of the sheep.
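An added example, written for this page and not posted by anyone in the thread, of the "statistical tests" question Tim Tyler raises above: compress a highly redundant text and run two crude tests (byte entropy, and a chi-square of the byte histogram against uniform) on the original, on the compressed output and on a pseudorandom string of the same length. The text is constructed from a small vocabulary with Zipf-like frequencies so that it compresses well, and zlib stands in for "a good compressor"; both are the example's own choices.

```python
# Added example for this page (not from the thread): crude statistical
# tests on a redundant text, on its compressed form and on pseudorandom bytes.
import math
import random
import zlib
from collections import Counter


def byte_entropy(data):
    """Shannon entropy of the byte histogram, in bits per byte (8.0 = uniform)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square_uniform(data):
    """Chi-square of the byte histogram against the uniform distribution on
    256 values.  For uniform data it sits around 255 (the degrees of
    freedom); heavily skewed data gives values orders of magnitude larger."""
    counts = Counter(data)
    expected = len(data) / 256
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def constructed_text(n_words=20000, seed=7):
    """Constructed sample input: words drawn from a small vocabulary with
    Zipf-like frequencies, i.e. far more redundant than real prose."""
    rng = random.Random(seed)
    vocab = ("the of and to in that is was he for it with as his on be at by "
             "cipher key message attack plaintext ciphertext block stream "
             "compression entropy random bits bytes analyst sender").split()
    weights = [1.0 / (i + 1) for i in range(len(vocab))]
    return " ".join(rng.choices(vocab, weights=weights, k=n_words)).encode()


def compare(plain, seed=0):
    """Return {name: (length, entropy, chi_square)} for the plain text, its
    zlib output, and a pseudorandom string as long as the zlib output."""
    compressed = zlib.compress(plain, 9)
    rng = random.Random(seed)
    noise = bytes(rng.randrange(256) for _ in range(len(compressed)))
    return {name: (len(d), byte_entropy(d), chi_square_uniform(d))
            for name, d in (("plain", plain),
                            ("compressed", compressed),
                            ("pseudorandom", noise))}


if __name__ == "__main__":
    for name, (length, h, chi) in compare(constructed_text()).items():
        print(f"{name:13s} {length:7d} bytes  entropy {h:5.3f} bits/byte"
              f"  chi2 {chi:10.1f}")
```

Byte-level tests of this kind are what "looks random" usually means in practice; they say nothing about whether the stream is incompressible in the Kolmogorov sense, which is the other meaning of "random" in play above.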

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: This compression argument must end now
Reply-To: [EMAIL PROTECTED]
Date: Wed, 27 Oct 1999 23:45:21 GMT

Anton Stiglic <[EMAIL PROTECTED]> wrote:
: Tim Tyler wrote:
:> Anton Stiglic <[EMAIL PROTECTED]> wrote:
:> : Tim Tyler wrote:
:> :> Steven Alexander <[EMAIL PROTECTED]> wrote:

[compression before encryption]

:> :> : However, it will not make a known plaintext attack anymore difficult.
:> :>
:> :> No.  This is false.  This is the /third/ time someone has raised this
:> :> point - so perhaps it should get into the one-on-one FAQ.
:>
:> : As I have observed, Mr. Tyler is talking about stream ciphers.
:>
:> You /may/ have observed it, but I didn't notice fast enough to correct
:> your notion.
:>
:> Mr Tyler is *not* talking about stream cyphers.  His comments refer to
:> pretty much *any* type of cypher system [snip "except..."]
:>
:> : If your cipher is a stream cipher, then an attacker gets less ciphertext
:> : for sure (and the entropy of the source, which spits out bits, is greater
:> : if you use compression).
:>
:> Block cyphers too.  It really makes no difference at all.
:>
:> [block/stream]
:>
:> : It's important to distinguish the two cases, is the attacker getting
:> : encryption of chunks of the message, or an encryption of the whole
:> : message.
:>
:> I see no distinction worth mentioning in the context of this discussion.

: If you were working on attacks on RSA, or ElGamal, based on mathematical
: principles like FACTORING, discrete log problem, homomorphic property
: of RSA, common modulus of RSA, small exponents of RSA, baby step giant
: step algorithms, etc..., etc... I think you would adopt the view I mentioned.

Which view - that compressing fails to make a plaintext attack more
difficult due to the attacker having less cyphertext - or that compressing
before encrypting helps with stream cyphers, and not with block cyphers?

My changing my mind on either of these points is pretty fantastically
unlikely.  They're delusions, fantasies, false thoughts, wrong, incorrect.

: There is no good reason to discard this model for encryption schemes such
: as the public key schemes that exist today.  Furthermore, I would say that it
: would be foolish to take on the other model for attacking such schemes.

What model are you talking about?

I understand that some of our disagreements may be communication problems
caused by English not being your first language.  However, your posts
appear to assume some sort of telepathic qualities on the part of your
readers.  You need to explain what you are talking about.  If you refer
to a model, a model needs to have been previously mentioned, or nobody
will know what on Earth you mean.
-- 
__________
 |im |yler  The Mandala Centre  http://www.mandala.co.uk/  [EMAIL PROTECTED]

"Better late than never" should apply to returning books too.

------------------------------

From: ca314159 <[EMAIL PROTECTED]>
Subject: Re: Modern secret writing
Date: Thu, 28 Oct 1999 01:27:34 GMT

Mok-Kong Shen wrote:
> 
> One natural method of secret communication that is known since
> ancient time is to write in an extremely small area such that the
> adversary barely notices. The technique is also known to have been
> exploited in WWII. It is hence no big surprise, though nonetheless
> very interesting, to know that one can now already write in
> nanometer scale. In the article
> 
>     S. Hong et al., Multiple Ink Nanolithography: Toward a
>     Multiple-Pen Nano-Plotter. Science 286 (1999) 523-525.
>     see also 389-391.
> 
> there is shown that one can write with strokes that are only
> 15 nm wide and that in a few colours. A paragraph of Feynman's
> speech was written in an area just one-thousandth the size of a
> pinhead.
> 
> I guess that the technique is yet fairly expensive. With time
> the cost will certainly come down. Then crypto software manufacturers
> will be able, I believe, to use that technique to export strong
> crypto in very secure (because escaping from the eyes of the
> competitors) and legal (because being in 'printed form') manner.
> The bureaucrats wanting to suppress the same being exploited
> by criminals would be forced to install sophisticated equipment
> at all the customs and minutely examine every surface on materials
> carried in the luggage of travellers at the resolution of
> one-thousandth the size of a pinhead. I predict that this will
> entail a big boom of the industry that manufactures such special
> detecting equipment and that current crypto regulations and
> the crypto clauses in the Wassenaar Arrangements probably have
> to be proportionately tightened up in order to be effective at all.
>  

Scanning tunneling microscopes for messages written in
atoms. IBM site has a picture of "IBM" spelled out in atoms.

  http://ink.yahoo.com/bin/query?p=STM+images&hc=0&hs=1

You just have to know where to look.

Sometimes it's also important to know when to look.
If they ever made gravitational wormholes that would make
an interesting way of sending messages, just specify the 
place and time to send it. :)

Wormholes seem to have a lot in common with quantum tunneling 
and quantum entanglement in this sense.

But has the Voynich manuscript or genetic codes been decoded yet ?
Seems there are still many simpler alternatives. 
Camouflage is a tough business even nature doesn't always win at.

http://www.bestweb.net/~ca314159/comm.htm

------------------------------

From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: do you consider this secure ?
Date: 28 Oct 1999 01:38:44 GMT

In <[EMAIL PROTECTED]> [EMAIL PROTECTED] (Lincoln Yeoh) writes:

]On 27 Oct 1999 06:01:35 GMT, [EMAIL PROTECTED] (Bill Unruh) wrote:

]>Depends on what you mean by "nice definition of security". Some people
]>include in this the fact that the encryption algorithm is kept secret.
]>Then your proposal is clearly not secure. However the usual definition is

]Why should his proposal be "clearly not secure" just because the encryption
]algorithm is kept secret?

]Sounds strange to me.

Under some people's definition of security keeping the algorithm secret
is part of that definition. He is announcing his algorithm. Thus under
that definition it is insecure. I clearly think that is a silly
definition, but he has never told us what his definition is.


------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Note on Feistel Ciphers
Date: Thu, 28 Oct 1999 01:41:10 GMT

John Savard wrote:
> [EMAIL PROTECTED] wrote, in part:
>
> >We have zero practical evidence in favor of adding
> >the permutation and now some theory indicating
> >that problems fixable by permutations are not
> >characteristic of Feistel ciphers.
>
> Well, this is informative. From your previous posting, I had no way to
> know that the alternating group of permutations was "easy" or
> "natural" to achieve by a Feistel round structure.

It certainly can't be easy, by Feistel rounds or
any other method.  There are (2^64)!/2 even
permutations on 64-bit blocks, so even naming
each requires the names to grow intractably long.

> The fact that it
> was merely _possible_ to achieve doesn't necessarily imply that the
> space of ciphers reached by simple Feistel round structures wouldn't
> be enriched by bringing in bit permutations as a primitive.

Inducing an arbitrary bit-permutation is, of
course, much easier.

> >If "perhaps when" and "might be easier" are the
> >level of justification we're looking for, then we
> >should each be able to write a hundred posts a day
> >proposing adding some kind of operation to some
> >class of cipher.
>
> Hopefully, now I have clarified myself: I am not claiming that
> bringing in bit permutations _is_ necessary, I was just noting that
> the claim that they were _not_ useful was not justified - on the same
> rigorous basis you are seeking to justify their inclusion.

Then are we agreed that adding bit-permutations to
the Feistel structure has no particular justification?
My point from the start was that the "constant
separation" does not really exist.

> A cipher like SAFER performs operations on the whole block somewhat
> analogous to those the f-function of a Feistel cipher performs on half
> of the block. If larger block sizes bring in valuable complexity, that
> is a potential ground for concern (but, of course, SAFER is under the
> restriction that its operations must be invertible).

One could just as logically complain about SAFER
separating the bytes of the block as Feistel ciphers
separating the halves.

--Bryan


Sent via Deja.com http://www.deja.com/
Before you buy.
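An added example, not from the thread: a computational check, on a toy 8-bit block with 4-bit halves, of the group-theoretic point under discussion. Every Feistel round, whatever its round function, is an even permutation of the block space (a swap of the halves composed with an XOR of a constant into one half, each a product of an even number of transpositions once the halves are at least two bits wide), and so is every bit permutation of the block once it is at least three bits wide; composing the two therefore never leaves the alternating group, while an arbitrary S-box on the whole block can be odd. The toy width is only so the full permutation table fits in memory; the random round functions, bit orders and seeds are the example's own.

```python
# Added example for this page (not from the thread): parity of the
# permutations induced by Feistel rounds, bit permutations and S-boxes,
# on a toy block small enough to tabulate completely.
import random

HALF = 4                       # half-block width in bits (toy size)
WIDTH = 2 * HALF               # 8-bit block
MASK = (1 << HALF) - 1
SPACE = 1 << WIDTH             # 256 block values


def permutation_parity(perm):
    """0 for an even permutation, 1 for an odd one.

    A permutation of N points with c cycles is a product of N - c
    transpositions, so its parity is (N - c) mod 2.
    """
    n = len(perm)
    assert sorted(perm) == list(range(n)), "not a permutation"
    seen = [False] * n
    cycles = 0
    for start in range(n):
        if seen[start]:
            continue
        cycles += 1
        j = start
        while not seen[j]:
            seen[j] = True
            j = perm[j]
    return (n - cycles) % 2


def feistel_table(round_funcs):
    """Full permutation table of a Feistel network.  Each round function is
    an arbitrary lookup table on the right half (it need not be invertible);
    the round is (L, R) -> (R, L xor f(R)), with no final swap."""
    table = []
    for block in range(SPACE):
        left, right = block >> HALF, block & MASK
        for f in round_funcs:
            left, right = right, left ^ f[right]
        table.append((left << HALF) | right)
    return table


def bit_permutation_table(order):
    """Permutation table that sends input bit i to output position order[i]."""
    assert sorted(order) == list(range(WIDTH))
    table = []
    for block in range(SPACE):
        out = 0
        for src, dst in enumerate(order):
            out |= ((block >> src) & 1) << dst
        table.append(out)
    return table


def feistel_parities(seed=1, trials=50, max_rounds=6):
    """Set of parities seen over random Feistel networks with random round
    functions and 1..max_rounds rounds.  Expected: {0} only."""
    rng = random.Random(seed)
    seen = set()
    for _ in range(trials):
        rounds = [[rng.randrange(1 << HALF) for _ in range(1 << HALF)]
                  for _ in range(rng.randint(1, max_rounds))]
        seen.add(permutation_parity(feistel_table(rounds)))
    return seen


def bit_permutation_parities(seed=1, trials=50):
    """Set of parities seen over random bit permutations of the block.
    Swapping two bit positions swaps SPACE/4 pairs of block values, so
    every bit permutation is even once WIDTH >= 3.  Expected: {0} only."""
    rng = random.Random(seed)
    seen = set()
    for _ in range(trials):
        order = list(range(WIDTH))
        rng.shuffle(order)
        seen.add(permutation_parity(bit_permutation_table(order)))
    return seen


def two_point_swap_sbox_parity():
    """An S-box on the whole block that swaps just two outputs is a single
    transposition, hence odd: no composition of Feistel rounds and bit
    permutations can produce it."""
    sbox = list(range(SPACE))
    sbox[0], sbox[1] = sbox[1], sbox[0]
    return permutation_parity(sbox)


if __name__ == "__main__":
    print("Feistel networks:   parities", feistel_parities())
    print("bit permutations:   parities", bit_permutation_parities())
    print("two-point-swap S-box parity:", two_point_swap_sbox_parity())
```

On 64-bit blocks the same counting argument puts every Feistel cipher, with or without bit permutations, inside the (2^64)!/2 even permutations mentioned above; the toy size merely makes the claim checkable by exhaustive tabulation.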

------------------------------

Date: Wed, 27 Oct 1999 22:13:14 -0400
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: OAP-L3: How Do You Spell S-H-A-R-E-W-A-R-E

This kind of message is identical to SPAM.  Why do you bother bothering us
with it?

Anthony Stephen Szopa wrote:

> Tom St Denis wrote:
>
> > In article <[EMAIL PROTECTED]>,
> >   [EMAIL PROTECTED] wrote:
> > > You don't have to buy anything to evaluate the software:  it is
> > > shareware.
> > >
> > > Anyone who is a crypto consultant worth his / her salt should keep
> > > abreast of
> > > all developments in the field of crypto.
> >
> > And would know selling crypto to the masses is a worthless pursuit...
> >
> > >
> > > OAP-L3 is a significant contribution to the field.
> > >
> >
> > Why?
> >
> > Tom
> >
> > Sent via Deja.com http://www.deja.com/
> > Before you buy.
>
> Get the shareware.




------------------------------

From: [EMAIL PROTECTED]
Subject: Re: do you consider this secure ?
Date: Thu, 28 Oct 1999 01:56:14 GMT

David A Molnar wrote:
>
>
> Take your favorite public key cryptosystem C which satisfies some nice
> definition of security.
>
> Create a new scheme C' like this :
>
>   Key generation : unchanged
>   Decryption : unchanged
>   Encryption : Encrypts the message the same way, but appends a string
>            containing the message "Hi, I was encrypted with
>            <public key encrypting message> by <your name here>!"
>            to the end of each and every ciphertext. Correct
>            values for both, of course. :)
>
> Is C' secure? when would you say so, and when not?

The word "nice" is a little slippery, but I'd say
that for a definition of security for a PK
cryptosystem to be nice, it would have to allow
the attacker enough information to compute C'(x)
given any C(x).  Thus C' doesn't give the attacker
anything new, so it's as secure as C.

--Bryan


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: the ACM full of Dolts?
Date: Thu, 28 Oct 1999 03:16:15 GMT

In article <[EMAIL PROTECTED]>, Anton Stiglic <[EMAIL PROTECTED]> wrote:
>>
>
>I'm glad to see you wrote your ideas on paper.  I look forward to
>reading it!
>
>
>Anton
>
>

 Actually I still don't have a printer so it is not on paper.
I edited an old ACM article which was in html so it is
just an html file. One of the criticisms was I was not
using ACM format which was a bunch of shit since I
edited a previous article they used so the format would
be OK.





David A. Scott
--
                    SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
                    http://www.jim.com/jamesd/Kong/scott19u.zip
                    http://members.xoom.com/ecil/index.htm
                    NOTE EMAIL address is for SPAMERS

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Unbiased One to One Compression
Date: Thu, 28 Oct 1999 03:21:26 GMT

In article <[EMAIL PROTECTED]>, Mok-Kong Shen <[EMAIL PROTECTED]> 
wrote:
>SCOTT19U.ZIP_GUY wrote:
>> 
>
>> >A tiny remark: The one-to-one argument assumes that the analyst
>> >knows and hence uses the same compression scheme as the sender.
>> >How about weakening that assumption a bit? If one uses a dynamic
>> >Huffman scheme, one can start out with an arbitrary initial frequency
>> >distribution. If this is hidden from the analyst, he doesn't know
>> >how to decompress/compress properly from the very beginning, let
>> >alone to examine the one-to-one property. Of course, this means
>> >one is effectively using more key bits. On the other hand, it does
>> >mean that one can now explicitly prefix the ciphertext with a
>> >length (in plaintext) giving the exact number of bits of the
>> >ciphertext, which could be useful for ensuring correct transmission.
>
>>  Mok I have mentioned this before. If you have been reading you would
>> have noticed this possibility. However I am trying to separate compression
>> from encryption but it would be child's play to modify the compression
>> routines to do this. But it complicates the discussion of compression
>> as a first pass to encryption. But if one has a close friend you could
>> easily do this. But I would still use compression in both directions
>> through the file so as to create an all or nothing effect. Note if one does
>> this you have an encryption method that is very nonstandard and uses
>> a much larger effective key than any of the short keyed AES methods.
>>  A method like this would be unlikely to become standard since the
>> government is pushing shorter keyed systems so the NSA can keep
>> reading your mail and if people realized how compression programs
>> could be modified to make for better crypto the cat would be out of the
>> bag and the NSA would have a much tougher job especially if they
>> used keyed one to one compression in series with even a weak AES
>> method.
>
>While I think that in principle one shouldn't count on any compression 
>scheme to provide any essential strength (for these are not designed 
>with the goal of an encryption scheme) making use of possibilities in 
>compression to confound the analyst appears not to be a bad idea,
>I suppose. (It is cheap. So why shouldn't one neglect it, if it can
>help a little bit?) There is no issue of standard here: the adaptive
>Huffman is a well-known technique. The simplest way to obtain
>an initial frequency distribution is to prime the scheme with a piece
>of text, which can be changed according to certain schedule agreed 
>upon by the communication partners. The analyst, who can't guess
>the distribution, can't start to decompress or compress. He must
>try quite a lot, which may render his work very time consuming or
>even futile.
>
>M. K. Shen

 Yes you're correct it may be a good idea and it is worth doing but
this thread was about pure compression as to being one to one or
not.



David A. Scott
--
                    SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
                    http://www.jim.com/jamesd/Kong/scott19u.zip
                    http://members.xoom.com/ecil/index.htm
                    NOTE EMAIL address is for SPAMERS
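An added example, not from the thread, of why the one-to-one property matters when compression precedes encryption, under the assumption Mok-Kong Shen notes above (the analyst knows and uses the same compression scheme). The block compresses a constructed message with zlib, encrypts it under a deliberately tiny 16-bit key with a throwaway hash-based keystream (a stand-in, not any real cipher or any poster's design), and brute-forces the key: the decompressor rejects every wrong key, so the compression format alone serves as a key-check oracle. A one-to-one compressor would, by construction, accept all 65536 candidates and tell the analyst nothing. The message, key size and keystream are the example's own.

```python
# Added example for this page (not from the thread): a compressor that is
# not one-to-one becomes a key-check oracle under brute force.
import random
import zlib
from hashlib import sha256

SAMPLE_MESSAGE = (b"Attack at dawn. Attack at dawn. Attack at dawn. "
                  b"Bring the one-to-one compressor and the long key.")  # constructed
KEY_BITS = 16   # deliberately tiny so the exhaustive search finishes in seconds


def keystream(key, n):
    """Throwaway keystream: SHA-256 of key || counter.  A stand-in for
    "even a weak cipher", not a real design and not anyone's proposal."""
    out = b""
    counter = 0
    while len(out) < n:
        out += sha256(key.to_bytes(2, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def xor_with_keystream(key, data):
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def make_ciphertext(key, message):
    """Compress first, then encrypt: the order the thread is discussing."""
    return xor_with_keystream(key, zlib.compress(message, 9))


def recover(key, ciphertext):
    return zlib.decompress(xor_with_keystream(key, ciphertext))


def decompresses(data):
    """Does zlib accept this byte string as a complete, valid stream?"""
    try:
        zlib.decompress(data)
        return True
    except zlib.error:
        return False


def keys_accepted_by_decompressor(ciphertext):
    """Try every key; keep those whose decryption zlib accepts.  The zlib
    header check, the deflate block structure and the Adler-32 trailer
    reject essentially every wrong key, so the list pins down the key."""
    return [k for k in range(1 << KEY_BITS)
            if decompresses(xor_with_keystream(k, ciphertext))]


def random_streams_accepted(trials=2000, length=64, seed=3):
    """How many random byte strings zlib accepts at all: a direct measure
    of how far the format is from one-to-one."""
    rng = random.Random(seed)
    return sum(decompresses(bytes(rng.randrange(256) for _ in range(length)))
               for _ in range(trials))


if __name__ == "__main__":
    ct = make_ciphertext(0xBEEF, SAMPLE_MESSAGE)
    print("keys accepted:", [hex(k) for k in keys_accepted_by_decompressor(ct)])
    print("random 64-byte strings accepted:", random_streams_accepted())
```

The point generalises past zlib: any compressor whose output format carries headers, checksums or other redundancy hands the analyst a cheap test for "is this the right key" that needs no knowledge of the plaintext at all, which is exactly what the one-to-one requirement in this thread is meant to remove.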

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
