Cryptography-Digest Digest #629, Volume #12       Thu, 7 Sep 00 12:13:01 EDT

Contents:
  Re: Losing AES Candidates Could Be a Good Bet? (Zulfikar Ramzan)
  Re: our features ("Detonate")
  Re: Free Upgrade PGP Personal Privacy 6.5.8 - how? ([EMAIL PROTECTED])
  Re: Ciphertext Randomness/Statistical Tests (Tim Tyler)
  Re: 1-time pad is not secure... ("Joel Dobrzelewski")
  Re: Losing AES Candidates Could Be a Good Bet? (wtshaw)
  Re: Ciphertext Randomness/Statistical Tests (Benjamin Goldberg)
  Re: RSA Patent Dead Today (Kent Briggs)
  Re: Losing AES Candidates Could Be a Good Bet? (James Felling)
  Re: Losing AES Candidates Could Be a Good Bet? (John Myre)
  Re: Losing AES Candidates Could Be a Good Bet? (John Myre)
  Re: 1-time pad is not secure... ([EMAIL PROTECTED])
  Re: Ciphertext Randomness/Statistical Tests (Tim Tyler)
  Re: Ciphertext Randomness/Statistical Tests (John Myre)

----------------------------------------------------------------------------

Date: Thu, 07 Sep 2000 07:47:44 -0400
From: Zulfikar Ramzan <[EMAIL PROTECTED]>
Subject: Re: Losing AES Candidates Could Be a Good Bet?

Another argument that supports this same viewpoint is that the AES seems to be
judged on a variety of criteria -- besides just security, speed and efficiency of
implementation on a variety of platforms are a concern.  So, while the AES winner
might be strong with respect to a number of distinct criteria, it's not clear that
the AES winner will be the "most secure."

For example, let's consider the case of Rijndael versus Serpent.  At the moment,
Rijndael performs especially well on a variety of platforms, and is a popular
choice for the AES.  At the same time, Serpent is slower, but it definitely has a
bigger security margin than Rijndael given the current state of the art in
cryptanalysis.  In particular, I believe that seven rounds of the 128-bit version
of Rijndael have been attacked, and up to eight rounds of the 192 and 256 bit
versions have been attacked.  The 128-bit Rijndael has 10 rounds total, and the
196-bit and 256-bit versions are 12 and 14 rounds respectively.  [see the paper by
Ferguson, Kelsey, Lucks, Schneier, Stay, Wagner, and Whiting at FSE2000]

The 256-bit version of Serpent, on the other hand, has been attacked up to six
rounds [see a paper by Kohno, Kelsey, and Schneier from AES 3].  Serpent has 32
rounds.

These attacks are all academic.  

From what's currently known, Serpent has a much much bigger security margin than
Rijndael, yet at the same time Rijndael was significantly more popular than
Serpent according to a poll taken at the last AES conference.  Rijndael has a very
elegant, and yet simple design.

The AES decision could go a number of ways --  from what I gathered at the last
AES conference, Rijndael has at least as good a chance to be chosen as any of the
other algorithms, even though it has one of the lowest security margins among the
finalists.  

Zully.

"David C. Barber" wrote:
> 
> I was wondering if a losing AES candidate might prove a better security bet.
> Consider:
> 
> None of the AES finalists is too weak, given the scrutiny that all have
> survived to get to this point.
> 
> The winning candidate will continue to be subjected to analysis and attack
> for years to come, while the also-rans will likely quickly drop off the
> radar screens of most people.
> 
> Call it: Security Through Lack of Interest.  :^)
> 
>     *David Barber*

-- 

--Zully

=======
Zulfikar Ramzan  (AKA Zully)            
Laboratory for Computer Science, MIT
NE43-311, (617) 253-2345   
http://theory.lcs.mit.edu/~zulfikar/homepage.html

------------------------------

Reply-To: "Detonate" <[EMAIL PROTECTED]>
From: "Detonate" <[EMAIL PROTECTED]>
Subject: Re: our features
Date: Thu, 7 Sep 2000 19:50:30 +0800

How the hell can you say you exercise a zero-tolerance spam policy when the
message itself is troll spam? How dumb do you think sci.crypt people are?
(don't answer that)

> We exercise a zero-tolerance Spam policy and will keep ALL your details
> completely confidential (as specified in Terms & Conditions).




------------------------------

From: [EMAIL PROTECTED]
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
Subject: Re: Free Upgrade PGP Personal Privacy 6.5.8 - how?
Date: Thu, 07 Sep 2000 12:04:35 GMT

In article <jjtherrien-8DF129.01245107092000@news>,

[snipped]

> ______________
>
> NAI announced present owners could get a free upgrade to PGP Personal
> Privacy 6.5.8, however we would have to get it from McAfee.  Well, what
> I expected from previous experience happened.
>
> I submitted my request to <[EMAIL PROTECTED]>, and McAfee replied
> that I can get a free download [PGPfreeware] from "www.pgpi.org" -- the
> usual nonsense!!!
>
> I have repeated the request, explaining to them the difference between
> the two (to the people I bought it from!!?!&?%) -- with a copy to NAI. I
> have not as yet received a reply to my second request.
>
> *** Has any one been able to get the free copy we are owed to upgrade to

I'm curious as to why you would think you are "owed" something.  While
some minor software upgrades are generally provided at no charge, it seems
to me that's at the good will of the publisher... not because someone
is owed something...



> PGP Personal Privacy 6.5.8?  If so please tell us how?  Details please.
>
> *** Are others trying to or about to try to get the free upgrade?  We
> should perhaps all get together on this, and try to solve this problem
> once and for all.
>
> I am really fed up with the bureaucratic run-around and confusion inside
> NAI and McAfee on this.  NAI should solve the problem with McAfee before
> telling us to get it from there, and provide us with the name of someone
> in McAfee who understands the problem and their telephone number (email
> address, fax number, or whatever).
>
> It is not up to the paying customers to solve their internal problems -
> and they obviously do have serious ones.  The onus to provide upgrades
> (especially for correcting serious errors like this one) lies normally
> with the developer (NAI), rather than a reseller (McAfee).  The
> developer should at least verify that the upgrade is indeed available.
>
> If they had the good sense of issuing registration numbers for retail
> commercial software (as other developers do, including shareware
> authors), we would not have this type of problem.
>
> As every shareware author does, they could just post the upgrade on the
> Web, and only those with a valid registration number would be able to
> use those downloads without paying.
>
> Or simply ask people for their registration number when they try to
> download.  Problem solved.
>
> Cheers,
>
> Jacques
>


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Ciphertext Randomness/Statistical Tests
Reply-To: [EMAIL PROTECTED]
Date: Thu, 7 Sep 2000 12:02:24 GMT

SCOTT19U.ZIP_GUY <[EMAIL PROTECTED]> wrote:
: [EMAIL PROTECTED] (Tim Tyler) wrote in <[EMAIL PROTECTED]>:

:>From http://www.faqs.org/faqs/cryptography-faq/part03/
:>
:>``A strong cryptosystem will certainly produce ciphertext which appears
:>  random to all standard statistical tests [...]

[...]

:>The FAQ appears to be mistaken on this point.

:   It is not the only thing that the FAQ is wrong about.

I see it presents much the same dubious idea again in "part 8":

``if a compression algorithm succeeds in finding a pattern to compress out
  of an encryption's output, then a flaw in that algorithm has been found.''

This ain't necessarily so.
-- 
__________  Lotus Artificial Life  http://alife.co.uk/  [EMAIL PROTECTED]
 |im |yler  The Mandala Centre   http://mandala.co.uk/  Namaste.

------------------------------

From: "Joel Dobrzelewski" <[EMAIL PROTECTED]>
Subject: Re: 1-time pad is not secure...
Date: Thu, 7 Sep 2000 08:33:52 -0400

Joel Dobrzelewski:
> : Tim, I really should thank you for continually acknowledging our group,
> : even though I know you have some reservations about certain aspects.

I'm sorry - this came out wrong. What I meant to say was, "I should
thank you for continually acknowledging our group DESPITE having
reservations about some aspects." Anyway, I hope you get my meaning:
"Thanks."

Tim Tyler:
> I have no objection to the notion that the idea that space/time are
> discrete and finite.
>
> What I have problems with is the "everything happens" model.
> Although such a model can't be refuted, that appears mainly to be
> because it doesn't appear to be a testable scientific theory, and
> makes no concrete predictions.

Yes, that's true. I'm not sure how to avoid that. Maybe a different
approach is needed.

> This is certainly interesting reading material for me. The
> information on the web pages does not appear to be sufficient for a
> proper evaluation of the ideas. I'll have to look at it in more
> detail before commenting - and any such comments are not going to
> appear in this forum.

Ok, great. As I said before, I don't fully understand them. I simply
do not have sufficient background to know if these papers are
groundbreaking, nothing new, or crackpot science. I'd be curious to
hear what you think.

My apologies for taking up space in the sci.crypt newsgroup.

Thanks for your comments,
Joel




------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Losing AES Candidates Could Be a Good Bet?
Date: Thu, 07 Sep 2000 06:25:56 -0600

In article <[EMAIL PROTECTED]>, "Douglas A. Gwyn"
<[EMAIL PROTECTED]> wrote:

> "SCOTT19U.ZIP_GUY" wrote:
> > Because they most likely would have never gotten in front of the
> > public unless the NSA perceived them as weak.
> 
> So, how many of the original AES submissions were suppressed
> by the NSA, anyway?  And one wonders by what mechanism, since
> NIST was running the show.

From personal and casual conversations, I get the reasoned impression from
the NIST principals that all submissions that met the initial criteria
were revealed.  There was just insufficient time for good analysis as a
basis of acceptance.  The few rejected failed to meet general
requirements.  Surely, other potential candidates were not even submitted
from the public.

I am more concerned that a better government alternative was withheld
because while the cattle call would tend to reveal the state of the art in
private sectors, any government plums likely would be reserved to
non-public knowledge.
-- 
A Pangram (corrected, needed a G):
Vexed xenophobes fear crypto's jazzy, quaint workings.

------------------------------

From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: Ciphertext Randomness/Statistical Tests
Date: Thu, 07 Sep 2000 13:51:22 GMT

Tim Tyler wrote:
[snip]
> I see it presents much the same dubious idea again in "part 8":
> 
> ``if a compression algorithm succeeds in finding a pattern to compress
>   out of an encryption's output, then a flaw in that algorithm has
>   been found.''
> 
> This ain't necessarily so.

Assuming we have a sufficiently long plaintext, and a cipher whose
output length is its input length plus a small constant (like an IV),
then, there should be no recognizable patterns in the ciphertext.

While it's certainly true that if you take a ciphertext, and insert a 0
between every other byte, it will be no less secure, and will be
compressible, this is NOT what the FAQ was talking about.

--
... perfection has been reached not when there is nothing left to
add, but when there is nothing left to take away. (from RFC 1925)

------------------------------

From: Kent Briggs <[EMAIL PROTECTED]>
Subject: Re: RSA Patent Dead Today
Date: Thu, 07 Sep 2000 14:20:17 GMT

John Savard wrote:

> On 06 Sep 2000 16:04:50 +0100, Shellac
> <[EMAIL PROTECTED]> wrote, in part:
>
> >FWIW, I reckon they did this to spoil parties arranged for the 20th
> >;-)
>
> *My* guess is that, because even the second edition of Bruce
> Schneier's super-popular book, Applied Cryptography, was published
> before the changes in the patent law that extended their patent a few
> weeks till the 20th of September

I don't think the 1995 change in the patent law affected the RSA patent
because the original Grant Date+17 years was already longer than the
Applied For Date+20 years.  The Diffie-Hellman patent was extended by a
few months because of the change, however.

--
Kent Briggs, [EMAIL PROTECTED]
Briggs Softworks, http://www.briggsoft.com



------------------------------

From: James Felling <[EMAIL PROTECTED]>
Subject: Re: Losing AES Candidates Could Be a Good Bet?
Date: Thu, 07 Sep 2000 09:17:55 -0500

In addition, if one runs an AES cypher in a wrapped CBC mode (it would not
be difficult to write this) one gains most if not all of the practical
advantages of the ScottXu cyphers.

[EMAIL PROTECTED] wrote:

> In article <[EMAIL PROTECTED]>,
>   [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) wrote:
> > [EMAIL PROTECTED] (David C. Barber) wrote in
> > <8p6c2h$1pl$[EMAIL PROTECTED]>:
> >
> > >I was wondering if a losing AES candidate might prove a better security
> > >bet. Consider:
> > >
> > >None of the AES finalists is too weak, given the scrutiny that all have
> > >survived to get to this point.
> > >
> > >The winning candidate will continue to be subjected to analysis and
> > >attack for years to come, while the also-rans will likely quickly drop
> > >off the radar screens of most people.
> > >
> > >Call it: Security Through Lack of Interest.  :^)
> > >
> > >    *David Barber*
> > >
> > >
> > >
> >
> >  Actually the losing candidates would most likely be a bad bet.
> > Because they most likely would have never gotten in front of the
> > public unless the NSA perceived them as weak.  You are correct
> > that the so called winning candidate will be subjected to analysis
> > which may see the light of public some day. But I feel it only
> > makes sense to use something other than any of the AES candidates
> > if you want security.
> >  One of the main problems with any of the methods is the small
> > key size and the small block size. If you want more security
> > with your files you should use methods capable of treating the
> > whole file as a single block. If you are forced to use such
> > weak methods as the AES candidates, you can at least compress with
> > a bijective compressor and then reverse the byte order and run
> > through a bijective compressor again. The resulting file could be
> > encrypted with some small block size encryption method. Since if
> > done correctly the enemy would be forced to at least do a whole
> > pass through the file to test any key.
>
> Duh I'm the captain, my name is David.
>
> Now that you have ranted for about two years (that I know of) about the
> NSA and the stupid small key ciphers would you care to indulge us in
> anything remotely like PROOF of these claims.
>
> Of course I could use Scottu19 which has already been attacked by the
> NSA, but that would be stupid.
>
> Tom
>
> Sent via Deja.com http://www.deja.com/
> Before you buy.


------------------------------

From: John Myre <[EMAIL PROTECTED]>
Subject: Re: Losing AES Candidates Could Be a Good Bet?
Date: Thu, 07 Sep 2000 08:26:25 -0600

Mok-Kong Shen wrote:
<snip>
> I suppose one could learn something from each of a number
> of AES candidates, not only the finalists.
<snip>
I suppose one might, if one knew what one were doing and one
were willing to actually work at it.

JM

------------------------------

From: John Myre <[EMAIL PROTECTED]>
Subject: Re: Losing AES Candidates Could Be a Good Bet?
Date: Thu, 07 Sep 2000 08:22:56 -0600

"Douglas A. Gwyn" wrote:
> 
> "SCOTT19U.ZIP_GUY" wrote:
> > Because they most likely would have never gotten in front of the
> > public unless the NSA perceived them as weak.
> 
> So, how many of the original AES submissions were suppressed
> by the NSA, anyway?  And one wonders by what mechanism, since
> NIST was running the show.

Well, the NSA understands that David A. has the only strong
algorithm around, so they convinced NIST to define a long and
bureaucratic submission process, thereby preventing him from
submitting.

JM

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: 1-time pad is not secure...
Date: Thu, 07 Sep 2000 14:52:23 GMT

   hi.. 2 things..1. Why is it that I am reading soc.religion.quaker,
but this thread from sci.crypt persists in there?
                  2. Thru devious links, I have gotten the CA stuff,
and also the physics world jobs postings..hmm- interesting serendipity,
and I do appreciate it. I will pass it on to my son, who has started as
a physics major (we will see if that lasts..)   L. Wakefield


In article <8p81so$pje$[EMAIL PROTECTED]>,
  "Joel Dobrzelewski" <[EMAIL PROTECTED]> wrote:
> Joel Dobrzelewski:
> > : Tim, I really should thank you for continually acknowledging our group,
> > : even though I know you have some reservations about certain aspects.
>
> I'm sorry - this came out wrong. What I meant to say was, "I should
> thank you for continually acknowledging our group DESPITE having
> reservations about some aspects." Anyway, I hope you get my meaning:
> "Thanks."
>
> Tim Tyler:
> > I have no objection to the notion that the idea that space/time are
> > discrete and finite.
> >
> > What I have problems with is the "everything happens" model.
> > Although such a model can't be refuted, that appears mainly to be
> > because it doesn't appear to be a testable scientific theory, and
> > makes no concrete predictions.
>
> Yes, that's true. I'm not sure how to avoid that. Maybe a different
> approach is needed.
>
> > This is certainly interesting reading material for me. The
> > information on the web pages does not appear to be sufficient for a
> > proper evaluation of the ideas. I'll have to look at it in more
> > detail before commenting - and any such comments are not going to
> > appear in this forum.
>
> Ok, great. As I said before, I don't fully understand them. I simply
> do not have sufficient background to know if these papers are
> groundbreaking, nothing new, or crackpot science. I'd be curious to
> hear what you think.
>
> My apologies for taking up space in the sci.crypt newsgroup.
>
> Thanks for your comments,
> Joel
>
>


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Ciphertext Randomness/Statistical Tests
Reply-To: [EMAIL PROTECTED]
Date: Thu, 7 Sep 2000 15:03:38 GMT

Benjamin Goldberg <[EMAIL PROTECTED]> wrote:
: Tim Tyler wrote:

:> I see it presents much the same dubious idea again in "part 8":
:> 
:> ``if a compression algorithm succeeds in finding a pattern to compress
:>   out of an encryption's output, then a flaw in that algorithm has
:>   been found.''
:> 
:> This ain't necessarily so.

: Assuming we have a sufficiently long plaintext, and a cipher whose
: output length is its input length plus a small constant (like an IV),
: then, there should be no recognizable patterns in the ciphertext.

This doesn't appear to be correct, either: "steganographic" encryption
methods that transform English plaintexts into other English plaintexts
of the same length do not present any theoretical difficulties.  Their use
may be preferred to a conventional cypher under some circumstances, since
their use conceals the very presence of a hidden message.  [In practice
keeping the message the same length would be an unnecessary constraint to
apply under these circumstances.]

Such methods of encryption can perform very well in satisfying their
design constraints.  To label them *all* as flawed seems misleading -
since they can perform better under some conditions than algorithms
that produce random-looking output.

: While it's certainly true that if you take a ciphertext, and insert a 0
: between every other byte, it will be no less secure, and will be
: compressible, this is NOT what the FAQ was talking about.

I don't know what the FAQ was trying to talk about.
All I can see is what the FAQ says - which appears to be incorrect.
-- 
__________  Lotus Artificial Life  http://alife.co.uk/  [EMAIL PROTECTED]
 |im |yler  The Mandala Centre   http://mandala.co.uk/  Namaste.

------------------------------

From: John Myre <[EMAIL PROTECTED]>
Subject: Re: Ciphertext Randomness/Statistical Tests
Date: Thu, 07 Sep 2000 09:34:18 -0600

Benjamin Goldberg wrote:
<snip>
> Assuming we have a sufficiently long plaintext, and a cipher whose
> output length is its input length plus a small constant (like an IV),
> then, there should be no recognizable patterns in the ciphertext.

Compress the input, then encrypt it, then add zeroes to (nearly)
match the original input length.

> While it's certainly true that if you take a ciphertext, and insert a 0
> between every other byte, it will be no less secure, and will be
> compressible, this is NOT what the FAQ was talking about.

Quite so.  Indeed, the only counterexamples so far are to
add data which carries no plaintext information at all.
Nonetheless, the examples do show this: that it is nontrivial
to state the real requirement exactly.  Indeed, I'm not sure
we know the real requirement exactly (or else we could do
better at proving security).  The FAQ could probably cover
itself by calling the principle a rule of thumb, or something.

JM
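
The two counterexamples argued over in this thread (Goldberg's zero byte after every ciphertext byte, and Myre's compress-encrypt-then-zero-pad), as an added example that is not from any of the posts: a one-time pad drawn from os.urandom() stands in for the cipher, the inputs are constructed, and the point measured is that both containers fail a compression or byte-entropy test while their contents stay exactly as secret as the underlying ciphertext.

```python
import math
import os
import zlib
from collections import Counter

def entropy_bits_per_byte(data: bytes) -> float:
    """Empirical byte entropy; 8.0 would mean all 256 values equally frequent."""
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def compression_ratio(data: bytes) -> float:
    """zlib output size / input size; about 1.0 or more means 'incompressible'."""
    return len(zlib.compress(data, 9)) / len(data)

def otp_xor(data: bytes, pad: bytes) -> bytes:
    """One-time-pad stand-in for the cipher: XOR with a fresh random pad
    (the same call decrypts).  Constructed for this example only."""
    if len(pad) < len(data):
        raise ValueError("pad shorter than data")
    return bytes(d ^ k for d, k in zip(data, pad))

def interleave_zero_bytes(ct: bytes) -> bytes:
    """Goldberg's case: a 0 byte after every ciphertext byte."""
    return b"".join(bytes((b, 0)) for b in ct)

def strip_zero_bytes(padded: bytes) -> bytes:
    """Receiver side of interleave_zero_bytes: drop the filler."""
    return padded[0::2]

def compress_encrypt_pad(plaintext: bytes, pad: bytes) -> bytes:
    """Myre's case: compress, encrypt, then zero-pad back to the input length."""
    ct = otp_xor(zlib.compress(plaintext, 9), pad)
    if len(ct) > len(plaintext):
        raise ValueError("input did not compress; nothing to pad")
    return ct + bytes(len(plaintext) - len(ct))

def unpad_decrypt_decompress(container: bytes, pad: bytes) -> bytes:
    """Receiver: XOR everything, then inflate; the inflater stops at the
    end-of-stream marker and the XORed filler ends up in unused_data."""
    return zlib.decompressobj().decompress(otp_xor(container, pad))

def demo() -> dict:
    """Measure both containers against the 'looks random' criteria."""
    raw_ct = os.urandom(8192)          # what good cipher output looks like
    interleaved = interleave_zero_bytes(raw_ct)
    # Constructed redundant input: the pangram from this digest, repeated.
    text = b"Vexed xenophobes fear crypto's jazzy, quaint workings. " * 120
    pad = os.urandom(len(text))
    container = compress_encrypt_pad(text, pad)
    return {
        "raw_ratio": compression_ratio(raw_ct),
        "raw_entropy": entropy_bits_per_byte(raw_ct),
        "interleaved_ratio": compression_ratio(interleaved),
        "interleaved_entropy": entropy_bits_per_byte(interleaved),
        "interleaved_roundtrip": strip_zero_bytes(interleaved) == raw_ct,
        "container_ratio": compression_ratio(container),
        "container_same_length": len(container) == len(text),
        "container_roundtrip": unpad_decrypt_decompress(container, pad) == text,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:24} {value}")
```

The raw pad output stays incompressible with entropy near 8 bits per byte, while the interleaved and zero-padded containers compress well and round-trip perfectly, which is exactly why a compression test on its own cannot tell a weak cipher from a padded strong one.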

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
