Cryptography-Digest Digest #666, Volume #10 Thu, 2 Dec 99 17:13:01 EST
Contents:
Re: Why Aren't Virtual Dice Adequate? (John Savard)
Re: newbie question (John Savard)
Re: Random Noise Encryption Buffs (Look Here) (Mattias Wecksten)
Re: Quantum Computers and Weather Forecasting (Uncle Al)
Re: Noise Encryption (Mattias Wecksten)
Re: Elliptic Curve Public-Key Cryptography ("Michael Scott")
Re: NSA should do a cryptoanalysis of AES ("Brian Gladman")
Re: The Code Book - Part 4 ("Scott Williamson")
Re: dictionary (drickel)
Re: Quantum Computers and Weather Forecasting (Joseph Bartlo)
crypto faculty position (Christof Paar)
Re: smartcard idea? (Shawn Willden)
Re: High Speed (1GBit/s) 3DES Processor (Shawn Willden)
Re: smartcard idea? (Shawn Willden)
Re: Use of two separate 40 bit encryption schemes (Shawn Willden)
Re: Quantum Computers and Weather Forecasting (John Bailey)
Is there an analog of Shor's algorithm for elliptic functions? (John Bailey)
Microsoft Crypto API ([EMAIL PROTECTED])
Re: crypto faculty position >> What is the $ range for the positions
([EMAIL PROTECTED])
Re: Quantum Computers and PGP et al. (Greg)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (John Savard)
Crossposted-To: sci.math
Subject: Re: Why Aren't Virtual Dice Adequate?
Date: Thu, 02 Dec 1999 19:29:33 GMT
[EMAIL PROTECTED] (Guy Macon) wrote, in part:
>Good info! I have a clueless newbie question about something that
>I found while reading the above:
>| "Nor does even a theoretical one time pad imply unconditional security:
>| Consider A sending the same message to B and C, using, of course, two
>| different pads. Now, suppose the Opponents can acquire plaintext from
>| B and intercept the ciphertext to C. If the system is using the usual
>| additive combiner, the Opponents can reconstruct the pad between A
>| and C. Now they can send C any message they want, and encipher it
>| under the correct pad. And C will never question such a message,
>| since everyone knows that a one time pad provides "absolute" security
>| as long as the pad is kept secure. Note that both A and C have done
>| this, and they are the only ones who had that pad."
>It seems that the attacker needs to also have to know that A sent
>the same message to B and C. Knowing B's plaintext and knowing
>that B and C got the same message resolves to knowing C's plaintext.
>I see no way that a man in the middle attacker can know whether or
>not A sent the same message to B and C.
The attacker can't know that for sure. But such an active attack is
still possible: it is at least _possible_ that, if two messages of the
same length are involved, this has happened. If this is done, either
the false message is inserted, or C will simply recieve undecodable
nonsense. (The idea is that the _chance_ of both messages being the
same is MUCH greater than the chance of a particular message guessed
at random.)
The idea is that B and C belong to the same side, but B is secretly
one of your spies. It can be refined by leaving header fields in C's
message alone. (Imagine B, C, D, E, F, G, H... and B and D are both
your spies, and they have on previous occasions both recieved
identical messages, but on their own OTPs.)
While not disproving the security properties the OTP does have, it
shows that there is still a possibility of attack that can very easily
be overlooked - and has been overlooked, as I haven't seen this
mentioned anywhere else - *an OTP does not provide perfect
authentication of any message sent to more than one recipient*.
John Savard (jsavard<at>ecn<dot>ab<dot>ca)
http://www.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: newbie question
Date: Thu, 02 Dec 1999 19:32:43 GMT
Kyle Hayes <[EMAIL PROTECTED]> wrote, in part:
>but I can't figure out how to use the Crypto API to
>get the actual binary string of the key (it is a session key).
It is *intended* that you cannot access that, since the Crypto API is
intended to _prevent_ interoperable use of any cryptographic software
that isn't signed by Microsoft.
This ensures that non-US customers cannot make use of encryption
software with a key size over 40 bits in connection with exportable
software that allows, through the Crypto API, the use of encryption
_within the terms of the U.S. export laws_.
John Savard (jsavard<at>ecn<dot>ab<dot>ca)
http://www.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: Mattias Wecksten <[EMAIL PROTECTED]>
Subject: Re: Random Noise Encryption Buffs (Look Here)
Date: Thu, 02 Dec 1999 20:43:14 +0100
I hope I enter this thread at the right point.
I started to get curious about why this conversaion spun off at all?
When using a OTP the key-randomness is not critical.
Transfering the key is.
MvH M WxX
* Suddenly I realized that it was possible to create a secure system for use on any
free web server at all, only using JAVAScript and an off-line compiler *
------------------------------
From: Uncle Al <[EMAIL PROTECTED]>
Crossposted-To: sci.physics,sci.geo.meteorology
Subject: Re: Quantum Computers and Weather Forecasting
Date: Thu, 02 Dec 1999 19:46:29 GMT
John Savard wrote:
>
> Quantum computers potentially offer the possibility of performing a
> computation in parallel for an enormous number of different
> combinations of input parameters, and then producing a result for only
> one such combination if that combination produces a result that meets
> certain criteria.
>
> This may be useful to extend the range and accuracy of weather
> forecasting.
[snip]
Don't be silly. There is no conceivable reduction to practice. If
there were, the loud and dangerous charlatans of economics would be
creaming in their jeans - as in Wall Street.
--
Uncle Al
http://www.mazepath.com/uncleal/
http://www.ultra.net.au/~wisby/uncleal/
http://www.guyy.demon.co.uk/uncleal/
(Toxic URLs! Unsafe for children and most mammals)
"Quis custodiet ipsos custodes?" The Net!
------------------------------
From: Mattias Wecksten <[EMAIL PROTECTED]>
Subject: Re: Noise Encryption
Date: Thu, 02 Dec 1999 20:48:10 +0100
Cross-posting a little...
I hope I enter this thread at the right point.
I started to get curious about why this conversaion spun off at all?
When using a OTP the key-randomness is not critical (btw. OTP=sequre).
Transfering the key is.
MvH M WxX
* Suddenly I realized that it was possible to create a secure system for use on
any
free web server at all, only using JAVAScript and an off-line compiler *
------------------------------
From: "Michael Scott" <[EMAIL PROTECTED]>
Subject: Re: Elliptic Curve Public-Key Cryptography
Date: Thu, 2 Dec 1999 20:02:21 -0000
DJohn37050 <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Let me clarify.
>...
> I said I had seen a performance sheet at least a year ago where ECC
>163-bit was more like the performance of 17 bit exponent RSA 1024 bit
>key. (ballpark). I know this info was presented at a PKS conference a
>few years back.
>
This rather surprising claim is made in
http://www.certicom.com/ecc/wecc4.htm
Mike Scott
> ... snip .....
> I do not think it is dishonest to report a data point that one has seen.
This
> is all I did, I did not create it or test it. People can disregard it or
> discount it, regardless.
> Don Johnson
------------------------------
From: "Brian Gladman" <[EMAIL PROTECTED]>
Subject: Re: NSA should do a cryptoanalysis of AES
Date: Thu, 2 Dec 1999 20:32:51 -0000
Jim Gillogly <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Keith A Monahan wrote:
> > My concern is that if they DID break one of the algorithms and
> > didn't tell us(or NIST) about it. I don't know how likely that
> > is, but it is certainly a possible case.
> >
> > It wouldn't be _as_ bad as if the NSA broke it, told us about it,
> > but didn't tell us how. That would still keep me wondering, but
> > at least we'd know the cipher isn't secure. Even without telling
> > us how they did it, we might be able to draw some conclusions about
> > ciphers of that same nature.
>
> If they say they broke it and demonstrate that they can break an
> arbitrary challenge, then I agree that's useful information. If
> they say they have an attack that reduces a 128-bit keyspace to
> a 70-bit keyspace, I'd want to see the attack before making a
> decision to eliminate the candidate. Sorry if this appears paranoid,
> but we must always remember that NSA has two responsibilities: to
> read traffic, and to protect US infrastructure (mainly military).
> If you're going to accept their help uncritically, you'd better
> know which side of the house is giving it to you. There's no
> question that they could provide valuable insight on the candidates;
> the only question is how they can convey it credibly.
As others have said, those that distrust NSA are not going to be swayed by
their arguments but for those of us who believe that they are a force for
good in respect of the strength of cryptographic algorithms would consider
what they have to say very seriously. I also believe that they should say
something and I don't see much reason why they should not do so this time
round.
In retrospect, all the ***covert*** actions that NSA took on DES improved
the algorithm and it is not obvious why they would behave differently now.
The US is the most advanced 'information economy' in the world and this
means that the US has more to loose than anyone if AES turns out to be weak.
And this also allows those of us outside the US to trust AES since we are in
a sort of 'Mutually Assured Destruction (MAD) situation' where any NSA
action to bring us down would bring the US down as well.
NSA did reduce the key length of DES from 64 to 56 bits and many thought
that this was so that they could break it but I very much doubt this. Given
the technology available at the time, and their 'volume' cracking needs, I
cannot see that this conclusion stands up under retrospective scrutiny.
Although I do not know the answer here, I suspect what it might be. My
guess is that NSA were breaking much poorer algorithms than DES at the time
and desperately needed a way of convincing their targets not to move to DES.
The key length reduction, leaving people to draw the (wrong) conclusions,
was a masterful bit of psychological warfare that did exactly this.
As a result of this brilliant deception I suspect that NSA targets went on
using broken algorithms for years even though a great algorithm - DES - was
right in front of their very eyes. And the fact that DES was strong and yet
seemed to outsiders to be weak provided a rare occasion in which the good
guys were able to 'have their cake and eat it' by being able to use DES for
true protection while ensuring that the bad guys were far too suspicious of
it to ever contemplate its use.
And another crucial aspect of keeping DES away from the 'bad guys' was that
of never being seen to use it for anything 'serious' even though it was
perfectly capable of meeting such needs (i.e. steps to avoid a MAD inference
by their targets).
I can only congratulate those who developed and implemented this plan
(assuming that I am right). To do this, to succeed, and yet not to be able
to tell anyone about it must be a truly terrible fate!
But this is all in the past and circumstances now require a different
approach. Anyone who thinks that NSA will get at information in future by
breaking such algorithms (rather than their implementations) has not
understood the closing of the cryptographic knowledge gap between the open
and closed worlds.
The sad fact is that computer security is many orders of magnitude less
effective than algorithmic security and this will increasingly mean that
there is little point in climbing almost infinitely high walls when there
are plenty of gaping holes to exploit (i.e. I agree with Bruce Schneier's
previous comments here).
Brian Gladman
------------------------------
From: "Scott Williamson" <[EMAIL PROTECTED]>
Subject: Re: The Code Book - Part 4
Date: Thu, 2 Dec 1999 09:47:07 -0000
Try reading the poetic works of Charles Baudelaire.
Andreas wrote in message <[EMAIL PROTECTED]>...
>Because I can't speak that language (french) after I had decoded it I
>can't get the keyword from the text. Anyone who can help with
>translation?
Scott
------------------------------
From: drickel <[EMAIL PROTECTED]>
Subject: Re: dictionary
Date: Thu, 02 Dec 1999 13:06:46 -0800
In article <825npb$app$[EMAIL PROTECTED]>, "Olaf Dokter"
<[EMAIL PROTECTED]> wrote:
> hello !
> i am searching dictionaries to download, because i want to write a
> programm
> which generates my own statistics about letter-frequencies and so.
> the
> preffered languages are german and english
> thank you
> olaf dokter
Sorry, no help, but getting letter frequencies from dictionaries is
probably a bad idea--it could give pretty skewed statistics (for one
thing, dictionaries typically only list unusual conjugations or
declensions, so you'll be missing all the normal ones. But the main
problem is that you really need to multiply each entry by its frequency
of use, and there's no information about that).
You might have better luck looking at some on-line fiction, although
you'll have to be careful with that as well.
david rickel
* Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!
------------------------------
From: Joseph Bartlo <[EMAIL PROTECTED]>
Crossposted-To: sci.physics,sci.geo.meteorology
Subject: Re: Quantum Computers and Weather Forecasting
Date: Thu, 02 Dec 1999 16:15:58 -0500
John Savard wrote:
{...
> Perhaps there is a mathematical technique possible that avoids such
> extravagance, by working with the state of the weather several days
> ago, and incrementally updating missing parts of the atmospheric state
> in response to forecast errors. The principle would be the same: to
> use the depth of available atmospheric data in time to substitute for
> the lack of detail in our knowledge of the state of the atmosphere at
> any one moment.
My initial comment is that although an interesting concept, I think the
entire system must be considered, as do any intelligent modifications
on it. What does your concept say about a person dropping dry ice in
a cloud & causing rain ? Or dare I say with the risk of extreme criticism
of people in the group who evidently feel this is completely impossible,
that possibly from another being with far greater capabilities ?
If you are talking about a *perfect* forecast, even if a butterfly flapping
its wings disturbed the weather 2 weeks later a *known way*, you'd still
have to know when & where it'd flap its wings :)
Perhaps I'll have more comments after reading & correcting your site.
Well, I am probably kidding about the latter ;)
Joseph
------------------------------
From: Christof Paar <[EMAIL PROTECTED]>
Subject: crypto faculty position
Date: Thu, 2 Dec 1999 16:10:16 -0500
Worcester Polytechnic Institute
Faculty Positions
Department of Mathematical Sciences
The Mathematical Sciences Department of Worcester Polytechnic
Institute (WPI) invites applications for two faculty positions to
begin in the fall of 2000. An earned Ph.D. or equivalent degree is
required. A successful candidate must be able to contribute
strongly to both the department's research activities and its
innovative, project-based educational programs.
The first position will probably be at the assistant professor
level, but exceptionally well qualified candidates may be
considered for appointments at higher rank. Cryptography and
applied discrete mathematics are of particular interest. Other
areas of interest include, but are not limited to, operations
research, optimization, and financial mathematics.
The second position is not restricted in rank and is targeted for
a senior hire, although exceptional junior candidates will be
considered. The ideal candidate will have outstanding research
accomplishments or potential in computational mathematics,
high-performance and parallel computing, and applications, and
will be able to provide leadership in strategic development of
these areas in the department and the university.
WPI is a private and highly selective technological university
with an enrollment of 2700 undergraduates and about 1000 full- and
part-time graduate students. Worcester, New England's second
largest city, offers ready access to the diverse cultural and
recreational resources of the region together with opportunities
for urban, suburban or rural lifestyles.
The Mathematical Sciences Department has 24 full-time faculty and
supports a PhD program and MS programs in applied mathematics and
applied statistics, as well as a full undergraduate program. For
additional information about the Mathematical Sciences Department
and WPI, see http://www.wpi.edu/+math.
Qualified applicants should send a detailed curriculum vitae, a
brief statement of their specific teaching and research
objectives, and the names of four references with mail/email
addresses and telephone/fax numbers to Search Committee,
Mathematical Sciences Department, WPI, 100 Institute Rd.
Worcester, MA 01609-2280, USA.
Applicants will be considered on a continuing basis beginning
January 1, 2000 until the positions are filled.
WPI offers a smoke-free environment. To enrich education through
diversity, WPI is an affirmative action, equal opportunity
employer.
------------------------------
Date: Thu, 02 Dec 1999 14:25:46 -0700
From: Shawn Willden <[EMAIL PROTECTED]>
Subject: Re: smartcard idea?
Craig Inglis wrote:
> This is just a move back to the traditional approach where
> the smartcard holds sensitive information.
> My original suggestion had the benefits that you could have
> complete trust in the system because you controlled the
> interface and the card didnt store any private information and
> therefore would be immune to any form of attack even if stolen
> taken apart or whatever. You dont have to worry about things
> like "bogus ATMs" at all since they would never work :-)
I maintain that the simpler and cheaper "traditional "scheme
provides nearly all of the benefit at much less cost and
complexity.
It is important to understand that the secrets on the card
have little significant value. The key that the card uses
to authenticate itself to the ATM does not have much value,
because it can only be used to authenticate that one card.
In fact, it is in the card holder's best interest that the
contained key remain secret.
Likewise, the key used to authenticate the ATM to the card
can be made card-specific.
Regarding bogus ATMs, even without the LED they can be made
not to work, with a small amount of card holder training.
If
card holders can be taught that they should not enter their
PIN until the ATM displays their name (or some other
personal
info), and cards refuse to divulge the information until the
ATM has authenticated correctly, it will be impossible to
make an ATM that will be able to collect cards and PINs.
Under this approach some ATMs can be made to operate
off-line,
as well, which has significant value in some environments.
Of course, this does require that the ATM devices contain
secrets which really must be kept.
Finally, the fact of the matter is that none of this is
going
to happen unless fraud rates increase dramatically.
Currently
it's cheaper just to eat the fraud than to deploy the
necessary
hardware and software. Vigorous prosecution has proven to
be
quite effective at keeping the fraud low.
Shawn.
------------------------------
Date: Thu, 02 Dec 1999 14:26:13 -0700
From: Shawn Willden <[EMAIL PROTECTED]>
Crossposted-To: comp.dcom.vpn,comp.security.firewalls
Subject: Re: High Speed (1GBit/s) 3DES Processor
Chris Eilbeck wrote:
> Or you could just download and use my DES core and use it three times
> in series to achieve more than 1.7GBps in a big Xilinx FPGA.
> See http://www.yordas.demon.co.uk/crypto
Cool. Any idea how your core would perform with many key
changes? The applications I work with typically don't
encrypt
more than a few kilobytes of data with a given key, but a
relatively high-throughput device (on the order of 10MBps)
that could use a new derived key for each 3-4KB "packet"
would
have value. The first 16 bytes of each packet is a seed
value
used to derive the key for the packet, so there would
actually
be two key changes per packet.
On second thought, in practice, the key derivation step
would
probably be done in a host security module (which is capable
of performing it fast enough, especially since no key
changes
are requrired) in order to keep the master key secret, so
the
high-speed engine would only need to perform one key
schedule
operation per packet.
Shawn.
------------------------------
Date: Thu, 02 Dec 1999 14:26:23 -0700
From: Shawn Willden <[EMAIL PROTECTED]>
Subject: Re: smartcard idea?
[EMAIL PROTECTED] wrote:
> Your LED docking could be a LOT cleaner and more trouble free than
> magnetic stripes or electrical contact pin connections.
I wasn't suggesting the LED would be used for communication
with the ATM,
just with the user. Using it instead of electrical contacts
would mean the
card would have to contain its own power source (e.g. a
battery) which isn't
currently feasible, AFAIK.
Shawn.
------------------------------
Date: Thu, 02 Dec 1999 14:26:30 -0700
From: Shawn Willden <[EMAIL PROTECTED]>
Subject: Re: Use of two separate 40 bit encryption schemes
"tony.pattison" wrote:
> as I do not live in the land of the free, I'm not permitted to have
> more than 40 bit DES (I don't know why not, perhaps if we had it,
> we'd start asking for our colonies back ^_^). As this is pitifully
> inadequate, I'm thinking of encrypting the data in my packets (again
> 40 bit encryption) before I send them out over my 40 bit DES
> encrypted lines.
>
> Would I get the equivilant of 80 bit encryption doing this, or would
> it be less (the paket headers are not being encrypted by the first
> encryption)?
Nope. As other posters have noted, you would get the
equivalent of 41 bit
encryption. Even if you double-encrypted your packets
before transmitting
them, a meet-in-the-middle attack reduces the effective
strength of that
double encryption to 41 bits. However, if you
triple-encrypt your packets
with 40-bit DES before transmitting them, you can get 80-bit
strength (you
can use either two or three 40-bit keys, but if you use two
keys, make
sure to alternate their usage). You can then ignore the
encryption during
transmission, as it doesn't add anything significant.
Shawn.
------------------------------
From: [EMAIL PROTECTED] (John Bailey)
Crossposted-To: sci.physics,sci.geo.meteorology
Subject: Re: Quantum Computers and Weather Forecasting
Date: Thu, 02 Dec 1999 21:39:54 GMT
On Thu, 02 Dec 1999 18:48:01 GMT, [EMAIL PROTECTED] (John Savard)
wrote:
>Quantum computers potentially offer the possibility of performing a
>computation in parallel for an enormous number of different
>combinations of input parameters, and then producing a result for only
>one such combination if that combination produces a result that meets
>certain criteria.
You may have one helluva an idea
Couple this idea
http://www.chebucto.ns.ca/~bjarne/cbr/
which seeks to predict weather by matching circumstances known to have
occurred in the past,
with these ideas,
http://arXiv.org/find/quant-ph/1/au:+grover/0/1/0/all/0/1
which addressing finding matches quickly using quantum searches.
John
------------------------------
From: [EMAIL PROTECTED] (John Bailey)
Subject: Is there an analog of Shor's algorithm for elliptic functions?
Date: Thu, 02 Dec 1999 21:42:34 GMT
Given recent discussions of elliptic functions as an alternative basis
for public key cryptography,
Is there an equivalent of Shor's algorithm for elliptic functions?
John
------------------------------
From: [EMAIL PROTECTED]
Subject: Microsoft Crypto API
Date: Thu, 02 Dec 1999 21:35:48 GMT
Looking for help with a project dealing with the
Crypto API and Visual Basic, but prefer
discussions via email.
If you have experience with the Crypto API in a
VB environment, please respond via email.
Thank you,
Chris Webb
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: crypto faculty position >> What is the $ range for the positions
Date: Thu, 02 Dec 1999 16:55:24 -0500
What is the $ range for the positions offered ?
--
Thanks, Richard
===============================================
Christof Paar wrote:
> Worcester Polytechnic Institute
> Faculty Positions
> Department of Mathematical Sciences
>
> The first position will probably be at the assistant professor
> level, but exceptionally well qualified candidates may be
> considered for appointments at higher rank. Cryptography and
> applied discrete mathematics are of particular interest. Other
> areas of interest include, but are not limited to, operations
> research, optimization, and financial mathematics.
>
> The second position is not restricted in rank and is targeted for
> a senior hire, although exceptional junior candidates will be
> considered. The ideal candidate will have outstanding research
> accomplishments or potential in computational mathematics,
> high-performance and parallel computing, and applications, and
> will be able to provide leadership in strategic development of
> these areas in the department and the university.
------------------------------
From: Greg <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto,talk.politics.misc
Subject: Re: Quantum Computers and PGP et al.
Date: Thu, 02 Dec 1999 21:47:36 GMT
> > > Quantum computers, like nuclear fusion, language
> > > translation or artificial intelligence, may prove
> > > more difficult than originally anticipated.
> > I agree. But the reason I steer clear of IFP is due
> > to the large amounts of effort by many different groups
> > to develop a Quantum computer. No such specific threat
> > exists for ECDLP. And I suspect it will remain this way
> > for quite some time.
> A quantum computer can be used to solve the DLP over any group.
> Once we get quantum computers to work, we'll have a whole new
> game to play with crypto. Nice to know the field will never
> get boring eh? :-)
>
> It will be at least 20 years before quantum computers become
> useful in the laboratory. And it might be like fusion, "it'll
> work in 40 years" has been the mantra for about 60 now. The
> difference is that the tools needed to work on quantum computers
> are much cheaper than the tools needed for fusion reactors.
> In any event, there's no public key crypto system in existence
> today that will be useful when quantum computers work.
I have never heard this before. Would you say that DLP would be
as volunerable as IFP given a first real useful Q computer?
Or are there magnitudes difference of threat to each?
--
The only vote that you waste is the one you never wanted to make.
RICO- we were told it was a necessary surrender of our civil liberties.
Asset Forfeiture- the latest inevitable result of RICO.
http://www.ciphermax.com/book
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
