Cryptography-Digest Digest #537, Volume #14       Wed, 6 Jun 01 17:13:01 EDT

Contents:
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: AES question (Tom McCune)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: AES question ("Joseph Ashwood")
  Re: AES question (Mok-Kong Shen)
  Re: Def'n of bijection ([EMAIL PROTECTED])
  Re: Def'n of bijection (Mok-Kong Shen)
  Re: Def'n of bijection ([EMAIL PROTECTED])
  Re: And the FBI, too (Re: National Security Nightmare?) (Matthew Montchalin)
  Re: Def'n of bijection (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Def'n of bijection (John Myre)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
  Re: Def'n of bijection ([EMAIL PROTECTED])
  Re: Def'n of bijection (SCOTT19U.ZIP_GUY)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) ([EMAIL PROTECTED])
  Re: RSA's new Factoring Challenges: $200,000 prize. (my be repeat) ("Michael Brown")

----------------------------------------------------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: Wed, 06 Jun 2001 20:25:50 +0200



Tim Tyler wrote:
> 
> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> : Tim Tyler wrote:
> :> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> 
> :> : You probably question whether such usage leads to
> :> : Shannon's perfect security which, as you said, is claimed
> :> : to be a property of OTP. However, I don't see where in the
> :> : literature about OTP (in connection with perfect security)
> :> : the length enters into the argumentation, i.e. plays a role
> :> : in the proof.
> :>
> :> I also think that it's not mentioned.  I believe it is common to
> :> consider the domain where all plaintexts are the same length -
> :> perhaps in order to get the "perfect secrecy" result.
> :>
> :> : My memory of Shannon's paper is no good, but I don't think that he
> :> : considered the length of the messages.
> :>
> :> I don't think it was mentioned either - all the messages were the same
> :> length in the system in question.
> 
> : From what you said, I don't think it is valid to consider
> : that the constant length of messages underlies the
> : proof of Shannon (unless one can demonstrate the
> : contrary).
> 
> Without such an assumption, there's no proof of perfect secrecy,
> because the system doesn't exhibit it.

My admittedly now poor memory of Shannon's argument is
roughly the following: Given a message of n bits. If
it is xored with a perfect random source, then each
of the possible 2^n sequences could result as ciphertext.
Hence the a-posteriori probability of (the content)
of the message is the same as its a-priori probability.
Now this is general for 'any' n. It certainly has no
implication to the effect that, after sending a message
of a certain length, the next following message should
have the same n. Otherwise, given an OTP sequence of
m bits (m can usually be very large), one could have
asked the question of which size (particular, fixed,
constant n) of messages one is allowed to send with
that resource in order that the perfect security 
according to Shannon could be achieved, an issue which 
seems to be apparently absurd.

M. K. Shen

------------------------------

From: Tom McCune <[EMAIL PROTECTED]>
Subject: Re: AES question
Date: Wed, 06 Jun 2001 18:36:39 GMT

In article <3b1e561c$[EMAIL PROTECTED]>, "ajd" <[EMAIL PROTECTED]> wrote:
>
>Hi All,
>
>I was wondering about the algorithms that were nominated for the Advanced
>Encryption Standard, it seems obvious that Rijndael will be used a lot as it
>is the replacement for 3DES, but what about the other finalists. Does anyone
>know of any companies using TwoFish, RC6, Mars, or Serpent in products.
>Would they be used in addition to or instead of the older algorithms like
>IDEA, RC4, RC5 etc.

The current PGP versions (7.0.1 and above) include AES and Twofish (both 256 
bit), and also retain usage of IDEA, CAST5, and Triple DES.

Tom McCune
My PGP Page & FAQ: http://www.McCune.cc

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: Wed, 06 Jun 2001 20:37:54 +0200



Tim Tyler wrote:
> 
> Tim Tyler <[EMAIL PROTECTED]> wrote:
> : Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> 
> : : From what you said, I don't think it is valid to consider
> : : that the constant length of messages underlies the
> : : proof of Shannon (unless one can demonstrate the
> : : contrary).
> 
> : Without such an assumption, there's no proof of perfect secrecy,
> : because the system doesn't exhibit it.
> 
> I looked up what Bruce Schneier has to say about perfect secrecy in
> A.C.
> 
> He says this:
> 
> ``There is such a thing as a cryptosystem that achieves perfect secrecy:
>   a cryptosystem in which the cyphertext yields no possible information
>   about the plaintext (except possibly its length).''
> 
> He goes on to give Shannon's theory that perfect secrecy is only possible
> if the number of possible keys in the cryptosystem is equal to the number
> of possible messages.

There I suppose you have given a wrong interpretation.
What 'the number of possible keys is equal to the number
of possible messages' means is in my opinion the following:
Given a plaintext of n bits and a segment of n bits taken
from a perfect source (a part of a long OTP sequence at
hand), one does an xor to get the ciphertext of n bits.
Now since the source is perfect, the segment of n bits
can be any of the 2^n possible ones, this is 'the number
of possible keys'. The number of possible messages
for a size of n bits is also 2^n. Hence these are equal.
Thus the opponent gains no information. But there is no 
constraint at all to the effect that all 'successive' 
messages are to be of the 'same' length (having the same n).
If the next message has m (m!=n) bits, the 'same' argument
of security applies.

M. K. Shen

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Reply-To: [EMAIL PROTECTED]
Date: Wed, 6 Jun 2001 18:36:16 GMT

Tim Tyler <[EMAIL PROTECTED]> wrote:

: I looked up what Bruce Schneier has to say about perfect secrecy in
: A.C.

: He says this:

: ``There is such a thing as a cryptosystem that achieves perfect secrecy:
:   a cryptosystem in which the cyphertext yields no possible information
:   about the plaintext (except possibly its length).''

: He goes on to give Shannon's theory that perfect secrecy is only possible
: if the number of possible keys in the cryptosystem is equal to the number
: of possible messages.

: IMO, Shannon has it right [...]

The indications seem to suggest that Shannon's definition was good -
in that he didn't place any restrictions on the possible plaintexts.

For example, there's this:

``The first definition of information-theoretic secrecy was given by
  Shannon, the founder of information theory. It is called perfect secrecy
  and means by definition that the plaintext is statistically independent
  of the encrypted data. This is equivalent to saying that the enemy
  cryptanalyst can do no better than guessing the plaintext without
  knowledge of the encrypted data, no matter how much time and computing
  power is used.''

  - http://www.inf.ethz.ch/department/TI/um/research/keydemo/Background.html

There's no mention of the plaintexts and cyphertexts necessarily being the
same length there.

However I would be interested to learn /exactly/ what Shannon himself wrote.

Alas I don't have a copy of Shannon and Weaver's "Mathematical Theory of
Communication" to hand :-|
-- 
__________
 |im |yler  [EMAIL PROTECTED]  Home page: http://alife.co.uk/tim/

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: Wed, 06 Jun 2001 20:55:09 +0200



Tim Tyler wrote:
> 
[snip]
> There's no mention of the plaintexts and cyphertexts necessarily being the
> same length there.

One normally considers OTP being used simply with xor, so
the length of plaintext and ciphertext are the same. But
this isn't the point we were arguing. We were arguing
whether all 'successive' messages sent (the sequence of
messages sent from the sender to the receiver) are to be 
of the 'same' length.

M. K. Shen

------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: AES question
Date: Wed, 6 Jun 2001 11:34:04 -0700

Currently I am aware of the XML ENC standard (pending) supporting AES, but
it doesn't as specified support much else (I was out voted). PGP uses
Rijndael/AES and also Twofish in the latest version. SSL and TLS both have
pending additions to the cipher suite to support AES, and I know of at least
one installation that has Twofish as well. There was a rumor a while back
that the next version of the SecurID token (not the card) might use RC6
instead of the current hash. They are still all new technology so they
haven't been brought heavily into play yet (we did too good of a job pushing
3DES).
                        Joe

"ajd" <[EMAIL PROTECTED]> wrote in message
news:3b1e561c$[EMAIL PROTECTED]...
>
> Hi All,
>
> I was wondering about the algorithms that were nominated for the Advanced
> Encryption Standard, it seems obvious that Rijndael will be used a lot as it
> is the replacement for 3DES, but what about the other finalists. Does anyone
> know of any companies using TwoFish, RC6, Mars, or Serpent in products.
> Would they be used in addition to or instead of the older algorithms like
> IDEA, RC4, RC5 etc.
>
> thanks
> andrew
>
>



------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: AES question
Date: Wed, 06 Jun 2001 21:19:14 +0200



Joseph Ashwood wrote:
> 
> Currently I am aware of the XML ENC standard (pending) supporting AES, but
> it doesn't as specified support much else (I was out voted). PGP uses
> Rijndael/AES and also Twofish in the latest version. SSL and TLS both have
> pending additions to the cipher suite to support AES, and I know of at least
> one installation that has Twofish as well. There was a rumor a while back
> that the next version of the SecurID token (not the card) might use RC6
> instead of the current hash. They are still all new technology so they
> haven't been brought heavily into play yet (we did too good of a job pushing
> 3DES).

What is 'ENC' please?  BTW, isn't it that in a mobile
communication standard an algorithm originated in
Japan would be used instead of AES? Does anyone know 
the reason why?

M. K. Shen

------------------------------

Subject: Re: Def'n of bijection
From: [EMAIL PROTECTED]
Date: 06 Jun 2001 15:27:35 -0400

Tim Tyler <[EMAIL PROTECTED]> writes:
> 
> However there are *excellent* reasons for thinking that potential decrypts
> will be richer in plausible messages than they would be if compression had
> not been employed.  That is what was actually claimed.

That statement is vacuously true. Any non-negative number is >= 0. But the
probability of false positives is still probably ~0...so your ``maybe''
isn't actually interesting.

(Note I'm giving you the benefit of the doubt here: that by ``richer''
you mean ``no poorer''. If you really mean ``strictly richer'', then
you are not justified in making the statement without proof.)

> The messages that the compressor compresses will get smaller,
> while other files are made larger.

You seem to believe that compression is magic. *Some* files will get
smaller, and *some* will get larger--but you haven't proven that *real*
messages get smaller, while *non* messages get larger. (Hint: most
messages probably get smaller--but lots of non-messages also get smaller.
Gobs and gobs of them. Examples can be generated automatically, by the
gigabyte.)


Len.

-- 
Soros couldn't bear to see others make money in the technology sector
without him, and he got killed.
                                        -- Charlie Munger, 2000

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Def'n of bijection
Date: Wed, 06 Jun 2001 21:42:01 +0200



[EMAIL PROTECTED] wrote:
> 
> Tim Tyler <[EMAIL PROTECTED]> writes:
> >
[snip]
> > The messages that the compressor compresses will get smaller,
> > while other files are made larger.
> 
> You seem to believe that compression is magic. *Some* files will get
> smaller, and *some* will get larger--but you haven't proven that *real*
> messages get smaller, while *non* messages get larger. (Hint: most
> messages probably get smaller--but lots of non-messages also get smaller.
> Gobs and gobs of them. Examples can be generated automatically, by the
> gigabyte.)

I suppose it is true that, given a compression algorithm,
it is always possible to find sequences that it expands,
instead of shortens.

M. K. Shen

------------------------------

Subject: Re: Def'n of bijection
From: [EMAIL PROTECTED]
Date: 06 Jun 2001 15:51:58 -0400

Mok-Kong Shen <[EMAIL PROTECTED]> writes:
> 
> I suppose it is true that, given a compression algorithm,
> it is always possible to find sequences that it expands,
> instead of shortens.

Correct. There must be files that expand--or at least, that don't
shrink. If every compressed file shrunk by at least one bit, then the
result could be compressed again, and again, until you've shrunk it
down to one bit.

Len.

-- 
Every program contains at least one bug, and can be shortened by at least
one instruction. By induction, every program can be reduced to a single
instruction which doesn't work.
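The counting argument in the two posts above (every compressor has inputs it cannot shrink, and "compress again, and again" must stop) can be checked exhaustively on small inputs. The following is an added example, not code from the digest or from any poster; the compressor in it is a toy constructed for the illustration (it swaps a run of up to three leading zeros for a 2-bit count), chosen only because it is easy to see that it is injective.

```python
"""
Added example (not from the digest): exhaustive check of the pigeonhole
argument for lossless compression.  The compressor below is a constructed toy.
"""
from itertools import product

MAX_RUN = 3  # longest leading-zero run the 2-bit count field can express


def compress(bits):
    """Toy compressor: drop the run of leading zeros (capped at MAX_RUN),
    write its length as a 2-bit count, then copy the remaining bits."""
    run = 0
    while run < len(bits) and run < MAX_RUN and bits[run] == 0:
        run += 1
    count_field = ((run >> 1) & 1, run & 1)
    return count_field + tuple(bits[run:])


def decompress(code):
    """Inverse of compress: restore the counted zeros in front of the tail."""
    run = (code[0] << 1) | code[1]
    return (0,) * run + tuple(code[2:])


def all_bitstrings(n):
    return [tuple(b) for b in product((0, 1), repeat=n)]


def roundtrips(n):
    """True iff decompress(compress(x)) == x for every n-bit x, i.e. the
    compressor is lossless (injective) on the set of n-bit inputs."""
    return all(decompress(compress(x)) == x for x in all_bitstrings(n))


def census(n):
    """Count how many n-bit inputs shrink, keep their length, or expand."""
    shrink = same = expand = 0
    for x in all_bitstrings(n):
        out = len(compress(x))
        if out < n:
            shrink += 1
        elif out == n:
            same += 1
        else:
            expand += 1
    return shrink, same, expand


def shrink_bound(n):
    """Pigeonhole limit: there are only 2^n - 1 bit strings shorter than n
    bits, so an injective map can shrink at most 2^n - 1 of the 2^n inputs.
    Some n-bit input must therefore stay the same length or expand."""
    return 2 ** n - 1


def repeated_lengths(bits):
    """Lengths seen when compressing repeatedly for as long as the output
    keeps strictly shrinking (the 'compress again, and again' argument).
    Because the compressor cannot shrink everything, this always stops."""
    lengths = [len(bits)]
    cur = tuple(bits)
    while True:
        nxt = compress(cur)
        if len(nxt) >= len(cur):
            break
        lengths.append(len(nxt))
        cur = nxt
    return lengths


if __name__ == "__main__":
    n = 8
    print("lossless on all %d-bit inputs:" % n, roundtrips(n))
    print("shrink / same / expand:", census(n))
    print("at most %d of %d inputs can shrink" % (shrink_bound(n), 2 ** n))
    print("repeated compression of eight zeros:", repeated_lengths((0,) * n))
```

On 8-bit inputs the toy shrinks 32 strings, leaves 32 unchanged and expands 192; the bound shows the count of shrinkers can never reach 2^n for any injective compressor, which is Len's point in general form. Feeding the output back in stops at once, since a shortened output no longer starts with a long zero run.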

------------------------------

From: Matthew Montchalin <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto,us.misc
Subject: Re: And the FBI, too (Re: National Security Nightmare?)
Date: Wed, 6 Jun 2001 12:59:20 -0700

On Wed, 6 Jun 2001, Paul Crowley wrote:
|His badge read "Paul Timmel, National Security Agency", and the
|attenders list gave his address as Ft Meade and his email address
|as [EMAIL PROTECTED]  You could probably phone Ft Meade and ask
|to be put through to him.

I bet they get really p.o.'d when hackers play switchboard games
to copy en route, re-route, or just plain intercept calls made to
Ft Meade, huh?  How does an ordinary person know that the person
answering the phone is Paul Timmel?

|Others wore badges that read just "NSA" or "Department of Defence".
|NSA employees have been openly attending crypto conferences wearing
|similar delegate badges for decades.

But just about anyone could make badges that say the same thing.


------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Def'n of bijection
Reply-To: [EMAIL PROTECTED]
Date: Wed, 6 Jun 2001 20:05:02 GMT

[EMAIL PROTECTED] wrote:
: Tim Tyler <[EMAIL PROTECTED]> writes:

:> However there are *excellent* reasons for thinking that potential decrypts
:> will be richer in plausible messages than they would be if compression had
:> not been employed.  That is what was actually claimed.

: That statement is vacuously true.

Well, I'm glad to hear that you agree that it's true - but sorry to hear
that you think it is vacuous.

: Any non-negative number is >= 0. But the probability of false positives
: is still probably ~0...so your ``maybe'' isn't actually interesting.

What are you talking about?  Is this ">= 0" some sort of analogy?
I didn't say "maybe" above.  What are you talking about?

: (Note I'm giving you the benefit of the doubt here: that by ``richer''
: you mean ``no poorer''.

I mean that potential decrypts are likely to be richer in possible
plaintexts than if they were uncompressed.

Sometimes they will be richer, sometimes equal, and sometimes
poorer, depending on the vagaries of which messages are selected 
under the possible keys - but on average there will be more
plausible messages.

:> The messages that the compressor compresses will get smaller,
:> while other files are made larger.

: You seem to believe that compression is magic. *Some* files will get
: smaller, and *some* will get larger--but you haven't proven that *real*
: messages get smaller, while *non* messages get larger.

Well, I explicitly stated that the compressor had to be targeted at the
data.

If the compressor is actually an "expander" for the target messages,
and those messages don't get smaller then all bets are off.

This doesn't make compression "magic".  There are plenty of general
purpose compressors out there that will deal handily with many types 
of data - including things like text files.

The premise that the compressor actually compresses the data is not very
demanding, unless you're fond of sending completely random-looking
messages.

: (Hint: most messages probably get smaller--but lots of non-messages
: also get smaller. Gobs and gobs of them. Examples can be generated
: automatically, by the gigabyte.)

Of course.  However the messages are what we're interested in.

If *they* get smaller, that's all that's needed.  It doesn't matter what
else gets smaller as well.

*Anything* that gets smaller will have its frequency in
possible decrypts increased.
-- 
__________
 |im |yler  [EMAIL PROTECTED]  Home page: http://alife.co.uk/tim/

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Reply-To: [EMAIL PROTECTED]
Date: Wed, 6 Jun 2001 20:11:16 GMT

Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
: Tim Tyler wrote:

:> There's no mention of the plaintexts and cyphertexts necessarily being the
:> same length there.

: One normally considers OTP being used simply with xor, so
: the length of plaintext and ciphertext are the same. But
: this isn't the point we were arguing. We were arguing
: whether all 'successive' messages sent (the sequence of
: messages sent from the sender to the receiver) are to be 
: of the 'same' length.

I think we're agreed that this is not the case.

I think you're asking about this as a consequence of my discussing whether
the proof considers the size of possible plaintexts to be fixed.

I only mean fixed for /that/ message, not necessarily fixed for any
subsequent messages.  The whole idea of "subsequent messages" seems
irrelevant to the discussion of perfect secrecy.

In an OTP the length of the plaintext happens to be fixed, once the
cyphertext is known - but this is not a fundamental feature of
cryptosystems.

Given a cyphertext of length n, in general you cannot assume that the
plaintext will have length n.
-- 
__________
 |im |yler  [EMAIL PROTECTED]  Home page: http://alife.co.uk/tim/

------------------------------

From: John Myre <[EMAIL PROTECTED]>
Subject: Re: Def'n of bijection
Date: Wed, 06 Jun 2001 14:20:44 -0600

[EMAIL PROTECTED] wrote:
<snip>
> If every compressed file shrunk by at least one bit, then the
> result could be compressed again, and again, until you've shrunk it
> down to one bit.
<snip>

And then compress once more...

JM

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Reply-To: [EMAIL PROTECTED]
Date: Wed, 6 Jun 2001 20:25:02 GMT

Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
: Tim Tyler wrote:
:> Tim Tyler <[EMAIL PROTECTED]> wrote:
:> : Mok-Kong Shen <[EMAIL PROTECTED]> wrote:

:> : : From what you said, I don't think it is valid to consider
:> : : that the constant length of messages underlies the
:> : : proof of Shannon (unless one can demonstrate the
:> : : contrary).
:> 
:> : Without such an assumption, there's no proof of perfect secrecy,
:> : because the system doesn't exhibit it.
:> 
:> I looked up what Bruce Schneier has to say about perfect secrecy in
:> A.C.
:> 
:> He says this:
:> 
:> ``There is such a thing as a cryptosystem that achieves perfect secrecy:
:>   a cryptosystem in which the cyphertext yields no possible information
:>   about the plaintext (except possibly its length).''
:> 
:> He goes on to give Shannon's theory that perfect secrecy is only possible
:> if the number of possible keys in the cryptosystem is equal to the number
:> of possible messages.

: There I suppose you have given a wrong interpretation.
: What 'the number of possible keys is equal to the number
: of possible messages' means is in my opinion the following:
: Given a plaintext of n bits and a segment of n bits taken
: from a perfect source (a part of a long OTP sequence at
: hand), one does an xor to get the ciphertext of n bits.
: Now since the source is perfect, the segment of n bits
: can be any of the 2^n possible ones, this is 'the number
: of possible keys'. The number of possible messages
: for a size of n bits is also 2^n. 

...but why only consider the possible messages of size 2^n?
This is a tiny subset of the messages that could have been transmitted.

The obvious answer is that we can eliminate most messages on a-priori
grounds, since we have the cyphertext and we know that it is an OTP
encryption.  However, this is highly undesirable - based on a simple
examination of the cyphertext, we can reject loads of possible messages.

: Hence these are equal. Thus the opponent gains no information.

The opponent has gained the information that the plaintext is
of length n.  Just by looking at the cyphertext, this was not
known.  As soon as the cryptomechanism is revealed as well,
huge numbers of possible plaintexts can be rejected.

: But there is no constraint at all to the effect that all 'successive' 
: messages are to be of the 'same' length (having the same n). [...]

"Successive messages" has nothing to do with anything.

The whole argument for perfect secrecy can be made with reference to
a single particular message.

It seems the question hinges on what you consider to be possible messages:

I think all possible messages should be considered.

Others seem to think that only plaintext messages of the length of the
cyphertext should be considered.
-- 
__________
 |im |yler  [EMAIL PROTECTED]  Home page: http://alife.co.uk/tim/

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Reply-To: [EMAIL PROTECTED]
Date: Wed, 6 Jun 2001 20:28:18 GMT

Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
: Tim Tyler wrote:
:> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
:> : Tim Tyler wrote:
:> :> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:

:> :> : You probably question whether such usage leads to
:> :> : Shannon's perfect security which, as you said, is claimed
:> :> : to be a property of OTP. However, I don't see where in the
:> :> : literature about OTP [...] the length enters into the
:> :> : argumentation, i.e. plays a role in the proof.
:> :>
:> :> I also think that it's not mentioned.  I believe it is common to
:> :> consider the domain where all plaintexts are the same length -
:> :> perhaps in order to get the "perfect secrecy" result.
:> :>
:> :> : My memory of Shannon's paper is no good, but I don't think that he
:> :> : considered the length of the messages.
:> :>
:> :> I don't think it was mentioned either - all the messages were the same
:> :> length in the system in question.
:> 
:> : From what you said, I don't think it is valid to consider
:> : that the constant length of messages underlies the
:> : proof of Shannon (unless one can demonstrate the
:> : contrary).
:> 
:> Without such an assumption, there's no proof of perfect secrecy,
:> because the system doesn't exhibit it.

: My admittedly now poor memory of Shannon's argument is
: roughly the following: Given a message of n bits. [...]

Yes, I'm familiar with the form of the argument.

The message length is thought to be fixed - and only
plaintexts of that length are considered to be possible.

: If it is xored with a perfect random source, then each
: of the possible 2^n sequences could result as ciphertext.
: Hence the a-posteriori probabability of (the content)
: of the message is the same as its a-priori probability.

In an OTP if you are given a cyphertext of length n there
are only 2^n possible plaintexts.

However this is not true of cypher-systems in general -
in some cyphersystems a message might represent any
possible plaintext.

If the plaintext is not restricted to be the same
length as the cyphertext then there may be far more
than 2^n possible plaintexts - and consequently a
key of greater size than 2^n would be necessary to
properly obscure them.

: Now this is general for 'any' n. It certainly has no
: implication to the effact that, after sending a message
: of a certain length, the next following message should
: have the same n.

I certainly never meant to imply anything like that.

[snip]
--
__________
 |im |yler  Can you escape the Rockz? - http://rockz.co.uk/
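The argument traded above (a uniform n-bit pad makes every n-bit ciphertext equally likely for every n-bit message, so the a-posteriori probability equals the a-priori one; but if plaintexts of several lengths are allowed, the ciphertext length alone changes the posterior) is small enough to check by brute force. The following is an added example, not code from the digest or from any poster. It enumerates every key and every ciphertext for tiny constructed message spaces; the priors, the restricted key space and the function names are all assumptions made for the illustration.

```python
"""
Added example (not from the digest): brute-force check of Shannon's
perfect-secrecy condition for a toy one-time pad on bit tuples.
All message spaces, priors and key spaces below are constructed.
"""
from fractions import Fraction
from itertools import product


def xor_bits(m, k):
    """Bitwise XOR of two equal-length bit tuples (the OTP encryption step)."""
    return tuple(a ^ b for a, b in zip(m, k))


def all_bitstrings(n):
    return [tuple(b) for b in product((0, 1), repeat=n)]


def posterior(prior, ciphertext, key_space=None):
    """P(M = m | C = c) for an OTP whose key is drawn uniformly from key_space.

    prior: dict mapping bit-tuple messages to Fraction probabilities.
    key_space: candidate keys of the message length; None means the full
    set of 2^len(m) pads (a genuine one-time pad).  A restricted key_space
    only makes sense when every message in prior has the same length."""
    joint = {}
    for m, p in prior.items():
        if len(m) != len(ciphertext):
            # an n-bit message XORed with an n-bit pad can only give n bits
            joint[m] = Fraction(0)
            continue
        keys = key_space if key_space is not None else all_bitstrings(len(m))
        hits = sum(1 for k in keys if xor_bits(m, k) == ciphertext)
        joint[m] = p * Fraction(hits, len(keys))   # P(M=m) * P(C=c | M=m)
    total = sum(joint.values())                    # P(C=c)
    if total == 0:
        return {m: Fraction(0) for m in prior}     # c cannot occur at all
    return {m: j / total for m, j in joint.items()}


def is_perfectly_secret(prior, key_space=None):
    """Shannon's condition: for every ciphertext that can occur, the
    posterior over messages equals the prior."""
    for n in {len(m) for m in prior}:
        for c in all_bitstrings(n):
            post = posterior(prior, c, key_space)
            if sum(post.values()) == 0:
                continue            # c never occurs, so it conditions nothing
            if any(post[m] != prior[m] for m in prior):
                return False
    return True


# Constructed priors.  Fixed-length: four 2-bit messages with a skewed prior.
PRIOR_FIXED = {
    (0, 0): Fraction(1, 2),
    (0, 1): Fraction(1, 4),
    (1, 0): Fraction(1, 8),
    (1, 1): Fraction(1, 8),
}
# Fewer keys than messages: only two pads, so the key/message counts differ.
RESTRICTED_KEYS = [(0, 0), (1, 1)]
# Mixed lengths: a 2-bit and a 3-bit message, equally likely a priori.
PRIOR_MIXED = {(0, 0): Fraction(1, 2), (1, 1, 1): Fraction(1, 2)}


if __name__ == "__main__":
    print("full pad, fixed length:  ", is_perfectly_secret(PRIOR_FIXED))
    print("two keys, four messages: ",
          is_perfectly_secret(PRIOR_FIXED, key_space=RESTRICTED_KEYS))
    print("full pad, mixed lengths: ", is_perfectly_secret(PRIOR_MIXED))
    print("posterior after seeing 3-bit ciphertext 001:",
          posterior(PRIOR_MIXED, (0, 0, 1)))
```

With the full pad and a single message length the posterior reproduces the prior for every ciphertext, whatever the prior is. Cutting the key space to two pads breaks the condition even though every ciphertext is still reachable. With messages of two lengths the pad is still perfect within each length, but a 3-bit ciphertext drives the posterior of the 2-bit message to zero: exactly the "except possibly its length" caveat quoted from Schneier earlier in the thread.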

------------------------------

Subject: Re: Def'n of bijection
From: [EMAIL PROTECTED]
Date: 06 Jun 2001 16:35:40 -0400

Tim Tyler <[EMAIL PROTECTED]> writes:
>[EMAIL PROTECTED] wrote:
>: Tim Tyler <[EMAIL PROTECTED]> writes:
>:> ...there are *excellent* reasons for thinking that potential decrypts
>:> will be richer in plausible messages than they would be if compression
>:> had not been employed...
>
>: That statement is vacuously true.
> 
> Well, I'm glad to hear that you agree that it's true - but sorry to hear
> that you think it is vacuous.

Um, it's a mathematical term, Tim. A statement is vacuously true when it
cannot possibly be false. In other words, the statement contains no
information. Like ``I expect a grade between A and F.'' Or, ``either I'm
sick, or I'm not.''

>: Any non-negative number is >= 0. But the probability of false positives
>: is still probably ~0...so your ``maybe'' isn't actually interesting.
> 
> What are you talking about?  Is this ">= 0" some sort of analogy?
> I didn't say "maybe" above.  What are you talking about?

Sigh. If no compression is performed, then the likelihood of false
positive decryptions is for most practical purposes zero. Since a
likelihood is a non-negative number, *everything* is at least as
likely as that. In particular, the likelihood of false positive
decrypts is at least as high when compression is performed. But so is
the likelihood of anything. So is the likelihood of monkeys flying out
of my butt.

However, you haven't actually exhibited any interesting circumstances
where the likelihood of false positives *is provably* larger than
zero. Until you do that, you are not justified in saying BICOM
helps. You are only justified in saying it doesn't hurt.

> ...the messages are what we're interested in.  If *they* get smaller,
> that's all that's needed.  It doesn't matter what else gets smaller
> as well.

To prove that false decrypts are more likely when BICOM is used, you
must prove that preimages of smallish files are more likely to be real
(or real-looking) messages. Since lots of non-messages also get smaller,
there is no reason to suppose that *plausible* preimages are strictly more
likely with BICOM than without it.

The most one can say is that they're certainly no LESS likely--but that
statement is not interesting: it's vacuously true, since it's impossible
for *anything* to have likelihood less than zero.

Len.

-- 
As I said before, it's funny how you keep talking about standards
compliance when you can't even get the basics right.
                                        -- Dan Bernstein

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Def'n of bijection
Date: 6 Jun 2001 20:19:17 GMT

[EMAIL PROTECTED] (Douglas A. Gwyn) wrote in <[EMAIL PROTECTED]>:

>"SCOTT19U.ZIP_GUY" wrote:
>>    It just that the cipher text output is what is the
>> easiest to get and where bijective compression helps the
>> most. Bijective compression defintely makes ciphertext
>> only attacks much harder.
>
>I agree with this.  The next obvious question is whether
>the same is just as true for *any* old compression scheme.
>I think it's evident that a 2-phase (forward;backward)
>compression has a theoretical edge over forward-only
>compression in this application.
>

  I agree.

David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE "OLD VERSION"
        http://www.jim.com/jamesd/Kong/scott19u.zip
My website http://members.nbci.com/ecil/index.htm
My crypto code http://radiusnet.net/crypto/archive/scott/
MY Compression Page http://members.nbci.com/ecil/compress.htm
**NOTE FOR EMAIL drop the roman "five" ***
Disclaimer:I am in no way responsible for any of the statements
 made in the above text. For all I know I might be drugged or
 something..
 No I'm not paranoid. You all think I'm paranoid, don't you!


------------------------------

Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
From: [EMAIL PROTECTED]
Date: 06 Jun 2001 16:45:41 -0400

Tim Tyler <[EMAIL PROTECTED]> writes:
> 
> ...but why only consider the possible messages of size 2^n?  This is
> a tiny subset of the messages that could have been transmitted.

Right! That's why ``perfect secrecy'' is only attainable if the ciphertext
is longer than *any* possible plaintext. All messages must have infinite
length.

That's why in fact perfect secrecy has been proven impossible, and there
is no such thing as a OTP.

Len.


-- 
Frugal Tip #37:
Check your old financial records and see if you might have accidentally
bought some Berkshire Hathaway stock 30 years ago.

------------------------------

From: "Michael Brown" <[EMAIL PROTECTED]>
Crossposted-To: sci.math
Subject: Re: RSA's new Factoring Challenges: $200,000 prize. (my be repeat)
Date: Thu, 7 Jun 2001 08:57:13 +1200

"Bob Silverman" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> "Michael Brown" <[EMAIL PROTECTED]> wrote in message
> >
> > First, go read my page at http://odin.prohosting.com/~dakkor/rsa
>
> I did. Your web site is pseudo-mathematical gibberish.  You have not
> presented an algorithm.

It's not really a mathematical method, so I can't describe it in mathematical
terms. However, if you could elaborate a bit more on "gibberish", I will try to
be more exact. And also, what is the correct definition of an algorithm? Would
method be a better word to use?

Michael



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
