Cryptography-Digest Digest #553, Volume #14 Thu, 7 Jun 01 15:13:00 EDT
Contents:
Re: Notion of perfect secrecy (Tim Tyler)
Re: Notion of perfect secrecy (Tim Tyler)
Re: CBC variant (John Savard)
Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
Re: Best, Strongest Algorithm (gone from any reasonable topic)
([EMAIL PROTECTED])
Alice and Bob Speak MooJoo ("Robert J. Kolker")
Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
Re: Notion of perfect secrecy ("Paul Pires")
Re: CBC variant (John Savard)
Re: Knapsack security??? Ah....huh (John Bailey)
Re: Best, Strongest Algorithm (gone from any reasonable topic) ("Tom St Denis")
Re: Best, Strongest Algorithm (gone from any reasonable topic) ("Tom St Denis")
Re: Best, Strongest Algorithm (gone from any reasonable topic) ("Tom St Denis")
Re: Notion of perfect secrecy ("Tom St Denis")
Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tim Tyler)
better yet, perfect secrecy => who cares? ("Tom St Denis")
----------------------------------------------------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Notion of perfect secrecy
Reply-To: [EMAIL PROTECTED]
Date: Thu, 7 Jun 2001 18:05:56 GMT
Tom St Denis <[EMAIL PROTECTED]> wrote:
: "Tim Tyler" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
:> Tom St Denis <[EMAIL PROTECTED]> wrote:
:> : "Tim Tyler" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
:> :> Tom St Denis <[EMAIL PROTECTED]> wrote:
:> : In his model WHO, WHEN, LENGTH were not the information he wanted to
:> protect.
:>
:> "Who" and "when" are not modelled by Shannon. However length /is/
:> information that relates to the identity of the plaintext
:> (except in the case where all possible plaintexts are the same length)
:> and *is* covered by Shannon's definition of perfect secrecy.
: No they are not.
Yes it is - read Shannon's definition of perfect secrecy.
: When will you realize that the contents of the message are
: what an OTP protects. So if the contents are random than an OTP is
: perfectly secure.
An OTP doesn't have perfect secrecy - the cyphertext leaks information
about the length of the plaintext.
If you don't believe me, just read the definition of perfect secrecy.
:> : You're really mocking the dead here. I sincerely hope you are some
:> : 12yr kid trying to get a rise out of people, otherwise I wonder how you
:> : did in College challenging all your profs without listening to their
:> : proofs... No offense Tim but you have a lot of growing up todo. Even
:> : if you are 76 yrs old you're an immature brat as far as I am concerned.
:>
:> Sorry you feel that way Tom. It seems this is the thanks I get for
:> pointing out your errors. Maybe I won't bother in the future.
: So far it seems #[sci.crypt] vs #[scott, tim].
: I don't think it's my errors....
You never do - but it almost always is.
"Unicity distance", "bijection", "ctr mode", "perfect secrecy" - it
seems to be just one thing after another these days in a long stream
of mistakes ;-/
--
__________
|im |yler [EMAIL PROTECTED] Home page: http://alife.co.uk/tim/
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Notion of perfect secrecy
Reply-To: [EMAIL PROTECTED]
Date: Thu, 7 Jun 2001 18:15:53 GMT
Paul Pires <[EMAIL PROTECTED]> wrote:
: Tim Tyler <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
:> Perfect secrecy says that knowledge of the cyphertext must not allow the
:> space of possible plaintexts to be narrowed down at all.
: The space of the possible plaintexts hasn't been narrowed down
: by the application of the OTP. This narrowing is a characteristic
: of the message, not the method.
Yes indeed.
: By this logic no system could have perfect secrecy since that would
: require the method to have control over the composition of all possible
: messages before encryption.
No system can have perfect secrecy and deal with an infinite set of finite
messages.
However perfect secrecy if you are only dealing with a finite set of
messages is possible, and perfect secrecy is possible with ininite sets
of messages as well, as demonstreated in Shannon's original paper.
: Nothing is leaked that was not already plain. No compromise has occured by
: the application of the OTP. It is perfect without the constraint you
: are proposing.
That doesn't seem to make any sense. The length of the message is leaked
to the attacker. What are you talking about?
: This is one clear piece stable ground in a murky field. One thing you can
: know. I don't see how this complex distinction you are proposing aids
: in understanding or what it gets you from a practical sense.
I don't know what distinction you're talking about here :-|
: OTP's can leak the message length. As Tom pointed out, they also can
: leak the point in time, the relative sequence of messages, the sender
: and reciever. These and other issues can be dealt with by protocol,
: seperate from OTP if they are worrysome. Dealing with them (or
: not) does not modify underlying proof of secrecy of the OTP.
The original proof of perfect secrecy for the OTP did not deal with finite
messages. It dealt with infinite streams.
There /is/ no proof of perfect secrecy for the conventional OTP (which
deals with variable length finite messages) since it doesn't exhibit it.
--
__________
|im |yler [EMAIL PROTECTED] Home page: http://alife.co.uk/tim/
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: CBC variant
Date: Thu, 07 Jun 2001 18:29:54 GMT
On Thu, 7 Jun 2001 13:07:09 -0400, <[EMAIL PROTECTED]> wrote, in
part:
>As stated, this needs just two xors and one encryption (same key) in
>addition to regular CBC.
Well, if you're using two encryptions with the same key to encrypt a
block, you're working twice as hard for no gain in security (except to
correct a small flaw in CBC). There must be a faster way to do that.
John Savard
http://home.ecn.ab.ca/~jsavard/frhome.htm
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Reply-To: [EMAIL PROTECTED]
Date: Thu, 7 Jun 2001 18:30:48 GMT
Tom St Denis <[EMAIL PROTECTED]> wrote:
: "Tim Tyler" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
:> Tom St Denis <[EMAIL PROTECTED]> wrote:
:> : "Tim Tyler" <[EMAIL PROTECTED]> wrote in message
:> :> JPeschel <[EMAIL PROTECTED]> wrote:
:> :> "perfect secrecy is defined by requiring of a system after a
:> :> cyptogram is intercepted by the enemy the a posteriori probabilites
:> :> of this cryptogram representing various messages be identaically the
:> :> same as the a priori probabilites of the same message before the
:> :> interception."
:> :>
:> :> If the length of the plaintext is revealed by the cyphertext, this
:> :> condition does not hold.
:>
:> : How? [...]
:>
:> It is obvious how the length of the plaintext is revealed by the
:> cyphertext.
:>
:> The length of the plaintext is the same as the length of the cyphertext.
: How does the length give you information about the message outside of the
: length? [...]
That is not what was claimed.
It *might* do this - see Scott's "Yes"/"No" example for a case of it doing
so - but usually it won't.
:> : If you have an 8-bit ciphertext all 256 plaintexts are equally
:> : probable. That follows this distribution.
:>
:> I am not considering a system with only 256 possible plaintexts.
:> That's a toy system, with no practical use.
: I disagree. RC4 only has 256 possible plaintexts and it's not a TOY cipher.
RC4 is a stream cypher - where the notion of plaintext/cyphertext pairs
is not very meaningful unless you talk about whole messages. If I were
to count the number of plaintexts RC4 accepts I would say it was infinite.
We are talking about an *OTP*. An OTP with only 256 possible
plaintexts is a toy system, with no practical use.
:> : You're idea of security only works if your cipher can produce infinite
:> : length ciphertexts.
:>
:> Not so. Finite plaintexts can produce perfect secrecy.
: Not so.
More erroneous statemnts by Tom. Will he never give up?
: According to you the length must be unbounded (i.e unknown) for
: perfect security.
What? where did I say that?
[...]
: If I cannot know the length of the plaintext then the length must be within
: 0,1...oo
: Thus, you must be prepared to send infinite length ciphertexts.
Only if you are dealing with an infinite set of finite files.
Perfect secrect is possible with either:
* Infinite streams (see Shannon's proof) or...
* A finite number of plaintexts.
It is *not* true that my "idea of security only works if your cipher can
produce infinite length ciphertexts."
You can get Shannon's perfect secrecy just fine - if you are prepared to
confine your possible messages to a finite set.
--
__________
|im |yler [EMAIL PROTECTED] Home page: http://alife.co.uk/tim/
------------------------------
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
From: [EMAIL PROTECTED]
Date: 07 Jun 2001 14:39:55 -0400
Tim Tyler <[EMAIL PROTECTED]> writes:
>
> Those points indicate that the chance of getting a false positive in the
> system you describe are small.
As in, ``you're better off waiting for the sun to burn out and the universe
to collapse, than waiting for false positives.'' Yes, correct; I guess you
could call that ``small''.
> My claim is that the chances of collisions are generally greater if
> compression has been employed than if not.
You are wrong to say ``generally greater''; you have not proven that they
actually are greater. You can only say they are ``no less''. Since in
English ``generally greater'' permits ``possibly equal'', I'll give it
to you. But with that proviso, you've actually said nothing of interest.
> I also claim that there are systems where the chances of collisions
> arising are high.
Generally, those are the same systems in which OTP is the obvious way to
go. (In particular, if the plaintext exceeds 1KB for a 128-bit key, then
my estimates apply. So if my estimates don't apply, you are apparently
using one key per message, on average.)
> Yes there are systems where the chances of collisions are low - so what?
So what? Specifically: *THE* system I've described above is *THE*
system w.r.t. which you claim BICOM provides a genuine increase in
secrecy--namely, English messages up to 1K in size.
By the above estimates, the ``improvement'' is so small that any
benefit is unlikely to ever materialize even ONCE in practice, between
now and the heat death of the universe.
You might as well hope that the enemy accidentally tunnels into the sun.
(That also might happen, you know! A quantum guy can tell you the chances.)
> : Your problem boils down to this: you haven't the faintest idea what
> : ``lots'' means--and in the three uses above, ``lots'' varies by
> : thousands of orders of magnitude.
>
> Compression increases the chances of trial decrypts producing plausible
> messages by increasing the unicity distance of the overall system.
>From 1/2^15000 to 1/2^12000? Even if true, so the heck what? You need
to prove that it increases the chances of false positives by enough to
*actually matter*, which means from 1 in 2^15000 to about 1 in 2^15,
or about 4000 orders of magnitude (actually, 1 in 128 is nearer what you
need). Not only haven't you done so, you aren't ever going to either.
Bottom line: ``All BICOM gives you, assuming its correctness, is an
increase in the work required to brute-force the key.''
Len.
--
I defy him to quote even a single example of an ``obvious error'' in
anything I've ever written.
-- Dan Bernstein
------------------------------
From: "Robert J. Kolker" <[EMAIL PROTECTED]>
Subject: Alice and Bob Speak MooJoo
Date: Thu, 07 Jun 2001 14:43:47 -0400
Suppose Alice and Bob share a language
(herein called MooJoo) which is spoken
or read by no others.
Then all their plaintexts would be perfectly
secure. No crypto necessary at all.
Which leads to the question, why hasn't MooJoo
been invented? It sure would solve a lot of
problems in private communications;
Bob Kolker
Something like MooJoo was emplyed by
the Native American code speakers during
WW2. The enemy did not have a prayer
of figuring out what was going on.
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Reply-To: [EMAIL PROTECTED]
Date: Thu, 7 Jun 2001 18:35:31 GMT
Tom St Denis <[EMAIL PROTECTED]> wrote:
: "Tim Tyler" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
:> Tom St Denis <[EMAIL PROTECTED]> wrote:
:> : By your argument [other systems] can't possibly be secure now because I
:> : know that you sent a message at 7:15am.
:>
:> That doesn't violate the definition of perfect secrecy.
:>
:> Perfect secrecy is considered to be a property of a cryptosystem - i.e.
:> a device for translating between plaintexts and cyphertexts.
:>
:> The time of message transmission is outside the scope of the definition.
: I don't think you can have it both ways.
I'm not having anything "both ways" AFAICS.
: For example, the timing of the messages may be more important. Let's say I
: want to find out when Hacker-Bob is breaking into an account. I don't care
: about the data, I just want to know when.
: In this case "perfect secrecy" is lost.
No - not by Shannon's definition of perfect secrecy.
Just to clarify things - are you using Shannon's definition
of this term, Tom? Or are you making up your own terminology?
: Shannon was talking from an information theoretic standpoint. Not some
: esoteric view. If you have M possible messages and the prob of any one
: message being the correct one is 1/M, then shannon (and any finite student)
: would conclude you have perfect secrecy from a math related attack.
Yes indeed. That is not under dispute.
--
__________
|im |yler [EMAIL PROTECTED] Home page: http://alife.co.uk/tim/
------------------------------
From: "Paul Pires" <[EMAIL PROTECTED]>
Subject: Re: Notion of perfect secrecy
Date: Thu, 7 Jun 2001 11:42:43 -0700
Is this a subtle failing of usenet?
replies stitched to the wrong posts?
I've been waiting patiently for an answer to my
question. I even followed this concept from thread
to thread. I went out on a limb and stated it more
forcefully. I get an answer and it is actually a reply
to someone elses post?
Woe is me...
Paul
Tim Tyler <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> [EMAIL PROTECTED] wrote:
>
> : *IF* I know that the message must be one of k known plaintexts, each
> : having different lengths, then I can use the length to deduce which
> : plaintext is being sent.
>
> : Note further, however, that this properly belongs to traffic analysis:
> : I already knew what the message said; [...]
>
> Not according yo what you said - you said "I know that the
> message must be one of k known plaintexts".
>
> All cryptanalysis involves analysis of the traffic.
> --
> __________
> |im |yler [EMAIL PROTECTED] Home page: http://alife.co.uk/tim/
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: CBC variant
Date: Thu, 07 Jun 2001 18:45:58 GMT
On Thu, 7 Jun 2001 13:07:09 -0400, <[EMAIL PROTECTED]> wrote, in
part:
>As stated, this needs just two xors and one encryption (same key) in
>addition to regular CBC. Can anyone find faults in it? If worth
>anything, use freely ;)
Actually, I think you have come up with something brilliant, even so.
Let's suppose we tried to use two different keys.
One big problem with increasing the strength of a block cipher is that
most simple double-DES modes art no stronger than single-DES.
Let's suppose, for example, that this double-DES variant of CBC is
used:
encrypt the previous ciphertext block with key A.
XOR the result with the current plaintext block.
Encrypt with key B.
XOR the previous encryption result in again.
With chosen plaintext, one can still mount a differential attack on
the encryption with key B. It may need to be adaptive and use the
birthday attack, but it's still possible.
To fix this, what one would like is for the quantity being XORed in,
before and after the encryption with key B, to vary with each block in
a completely unknown fashion.
Since key A is unknown, and all we are looking for is to make the
strength of that cipher a full participant, one way of doing that
would be this:
Have a counter, with a starting value and increment that are both
secret and vary with each message. XOR the counter with the previous
plaintext before encrypting with key A.
Of course, the counter has to be randomized anew if the message is
longer than 2^64 blocks. (Actually, after 2^63 blocks, there's a known
difference, so one has to use a slightly better PRNG instead of a
plain counter.)
Monalphabetic byte substitution is another nice way to stop
differential attacks, and fast enough. But this is a useful spot to
hide a fast stream cipher.
John Savard
http://home.ecn.ab.ca/~jsavard/frhome.htm
------------------------------
From: [EMAIL PROTECTED] (John Bailey)
Subject: Re: Knapsack security??? Ah....huh
Date: Thu, 07 Jun 2001 18:48:12 GMT
On Wed, 6 Jun 2001 22:47:27 -0400, "rosi" <[EMAIL PROTECTED]> wrote:
>John & Merc,
>
> Are you serious? I am still waiting.
http://www.frontiernet.net/~jmb184/interests/sci.crypt/cracked/3_re_New_alg.txt
contains the analysis of a diophantine encryption sytem proposed by
Dan Smith that I reviewed the way I assume you are offering to do for
the NTRU system. The analysis responded to a post on sci.crypt of May
22, 1998 which is filed at:
http://www.frontiernet.net/~jmb184/interests/sci.crypt/cracked/1_re_New_alg.txt
Feel free to look at the other posts in the thread also filed there.
Some, but not all made the trip from Dejanews to Google.
If you can outline a comparable dissection, showing resonable
parallels between the NTRU system and a peer reviewed comparision
system, that would be great. Otherwise, don't taunt.
John
------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: Thu, 07 Jun 2001 18:49:41 GMT
"Tim Tyler" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Tom St Denis <[EMAIL PROTECTED]> wrote:
> : "Tim Tyler" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> :> Tom St Denis <[EMAIL PROTECTED]> wrote:
> :> : "Tim Tyler" <[EMAIL PROTECTED]> wrote in message
> :> :> JPeschel <[EMAIL PROTECTED]> wrote:
>
> :> :> "perfect secrecy is defined by requiring of a system after a
> :> :> cyptogram is intercepted by the enemy the a posteriori probabilites
> :> :> of this cryptogram representing various messages be identaically
the
> :> :> same as the a priori probabilites of the same message before the
> :> :> interception."
> :> :>
> :> :> If the length of the plaintext is revealed by the cyphertext, this
> :> :> condition does not hold.
> :>
> :> : How? [...]
> :>
> :> It is obvious how the length of the plaintext is revealed by the
> :> cyphertext.
> :>
> :> The length of the plaintext is the same as the length of the
cyphertext.
>
> : How does the length give you information about the message outside of
the
> : length? [...]
>
> That is not what was claimed.
>
> It *might* do this - see Scott's "Yes"/"No" example for a case of it doing
> so - but usually it won't.
>
> :> : If you have an 8-bit ciphertext all 256 plaintexts are equally
> :> : probable. That follows this distribution.
> :>
> :> I am not considering a system with only 256 possible plaintexts.
> :> That's a toy system, with no practical use.
>
> : I disagree. RC4 only has 256 possible plaintexts and it's not a TOY
cipher.
>
> RC4 is a stream cypher - where the notion of plaintext/cyphertext pairs
> is not very meaningful unless you talk about whole messages. If I were
> to count the number of plaintexts RC4 accepts I would say it was infinite.
This just furthers the idea your a crank. How can the size of an RC4
message possibly be infinite when RC4 can only be in a finite number of
states?
> We are talking about an *OTP*. An OTP with only 256 possible
> plaintexts is a toy system, with no practical use.
An OTP can encrypt 1 bit or 100000 bits or 10E33 bits. It's not limited to
8 bits. i just used an eight bit message to show your fallacy.
> :> : You're idea of security only works if your cipher can produce
infinite
> :> : length ciphertexts.
> :>
> :> Not so. Finite plaintexts can produce perfect secrecy.
>
> : Not so.
>
> More erroneous statemnts by Tom. Will he never give up?
How then?
> : According to you the length must be unbounded (i.e unknown) for
> : perfect security.
>
> What? where did I say that?
>
> [...]
>
> : If I cannot know the length of the plaintext then the length must be
within
> : 0,1...oo
>
> : Thus, you must be prepared to send infinite length ciphertexts.
>
> Only if you are dealing with an infinite set of finite files.
>
> Perfect secrect is possible with either:
>
> * Infinite streams (see Shannon's proof) or...
> * A finite number of plaintexts.
>
> It is *not* true that my "idea of security only works if your cipher can
> produce infinite length ciphertexts."
>
> You can get Shannon's perfect secrecy just fine - if you are prepared to
> confine your possible messages to a finite set.
Um ok.
Tom
------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: Thu, 07 Jun 2001 18:50:37 GMT
"Tim Tyler" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Tom St Denis <[EMAIL PROTECTED]> wrote:
> : "Tim Tyler" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> :> Tom St Denis <[EMAIL PROTECTED]> wrote:
>
> :> : By your argument [other systems] can't possibly be secure now because
I
> :> : know that you sent a message at 7:15am.
> :>
> :> That doesn't violate the definition of perfect secrecy.
> :>
> :> Perfect secrecy is considered to be a property of a cryptosystem - i.e.
> :> a device for translating between plaintexts and cyphertexts.
> :>
> :> The time of message transmission is outside the scope of the
definition.
>
> : I don't think you can have it both ways.
>
> I'm not having anything "both ways" AFAICS.
>
> : For example, the timing of the messages may be more important. Let's
say I
> : want to find out when Hacker-Bob is breaking into an account. I don't
care
> : about the data, I just want to know when.
>
> : In this case "perfect secrecy" is lost.
>
> No - not by Shannon's definition of perfect secrecy.
>
> Just to clarify things - are you using Shannon's definition
> of this term, Tom? Or are you making up your own terminology?
>
> : Shannon was talking from an information theoretic standpoint. Not some
> : esoteric view. If you have M possible messages and the prob of any one
> : message being the correct one is 1/M, then shannon (and any finite
student)
> : would conclude you have perfect secrecy from a math related attack.
>
> Yes indeed. That is not under dispute.
Um, then why are you posting? You just agreed that shannon proved an OTP is
provably secure.
Wierd.
Tom
------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: Thu, 07 Jun 2001 18:52:32 GMT
<[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Tim Tyler <[EMAIL PROTECTED]> writes:
> >
> > Those points indicate that the chance of getting a false positive in the
> > system you describe are small.
>
> As in, ``you're better off waiting for the sun to burn out and the
universe
> to collapse, than waiting for false positives.'' Yes, correct; I guess you
> could call that ``small''.
You're wrong too.
In an OTP like system, it's not that guessing the message is hard or
improbable. It's that it's IMPOSSIBLE.
For example. Assume you have a perfectly weighted dice, and I toss it 30 ft
in the air and let it tumble. If the dice has 6 sides you have a 1/6 chance
of guessing right. No ammount of precomputation will help you guess this
with any more accuracy then 1/6!
...<snip>
Tom
------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Notion of perfect secrecy
Date: Thu, 07 Jun 2001 18:55:17 GMT
"Tim Tyler" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Tom St Denis <[EMAIL PROTECTED]> wrote:
> : "Tim Tyler" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> :> Tom St Denis <[EMAIL PROTECTED]> wrote:
> :> : "Tim Tyler" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> :> :> Tom St Denis <[EMAIL PROTECTED]> wrote:
>
> :> : In his model WHO, WHEN, LENGTH were not the information he wanted to
> :> protect.
> :>
> :> "Who" and "when" are not modelled by Shannon. However length /is/
> :> information that relates to the identity of the plaintext
> :> (except in the case where all possible plaintexts are the same length)
> :> and *is* covered by Shannon's definition of perfect secrecy.
>
> : No they are not.
>
> Yes it is - read Shannon's definition of perfect secrecy.
>
> : When will you realize that the contents of the message are
> : what an OTP protects. So if the contents are random than an OTP is
> : perfectly secure.
>
> An OTP doesn't have perfect secrecy - the cyphertext leaks information
> about the length of the plaintext.
>
> If you don't believe me, just read the definition of perfect secrecy.
I don't get why the length of the message tells you more than say when you
sent it. To me this is a moot point. So what if you know I sent a bit or
not. If you don't know what the bit represents you can't do anything with
it!
> :> : You're really mocking the dead here. I sincerely hope you are some
> :> : 12yr kid trying to get a rise out of people, otherwise I wonder how
you
> :> : did in College challenging all your profs without listening to their
> :> : proofs... No offense Tim but you have a lot of growing up todo. Even
> :> : if you are 76 yrs old you're an immature brat as far as I am
concerned.
> :>
> :> Sorry you feel that way Tom. It seems this is the thanks I get for
> :> pointing out your errors. Maybe I won't bother in the future.
>
> : So far it seems #[sci.crypt] vs #[scott, tim].
>
> : I don't think it's my errors....
>
> You never do - but it almost always is.
>
> "Unicity distance", "bijection", "ctr mode", "perfect secrecy" - it
> seems to be just one thing after another these days in a long stream
> of mistakes ;-/
I may have gotten the two first wrong but as far as CTR and perfect secrecy
goes you haven't moved me.
Also you're use of bijection seems like a vast abuse. A cipher in CTR mode
is bijective with an alphabet of 0..255. I.e if you encode a 32-bit message
with a cipher in CTR mode, then all 32-bit strings will map onto another
32-bit string, and vice versa. It's a bijection. Hence CTR mode is
bijective.
Tom
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Reply-To: [EMAIL PROTECTED]
Date: Thu, 7 Jun 2001 18:49:16 GMT
Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
: Tim Tyler wrote:
:> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
:> : Tim Tyler wrote:
:> :> Traffic analysis information is indeed often present -
:> :> but we are talking about once a message exists, does
:> :> the attacker gain anything by looking at the cyphertext.
:> :>
:> :> That's what the definition of "perfect secrecy" talks about.
:> :>
:> :> Perfect secrecy applies to encryption devices. Time of
:> :> message transmission etc is considered to be outside its scope.
:> :>
:> :> A conventional OTP, [...] does not
:> :> have Shannon's perfect secrecy property.
:>
:> : I am not of the opinion that size is 'inherently' different
:> : from time etc. in the present context.
:>
:> Well, you should be. Length is a property that can be used to
:> distingush between elements of the set of possible plaintexts -
:> while time cannot be so used.
: Why not?
Shannon's definition relates to the state of the attacker before and
after knowledge of the *cyphertext* - not the cyphertext and a whole
bunch of other information from traffic analysis.
It's a property of a cyphertext/plaintext translator - and is
normally independent of the time the message is sent.
: I could well agree with my partner that if a mail
: (of any innocent content) is sent between 9 and
: 10 o'clock it means one thing while between 10 and 11
: o'clock it means the opposite. At least one bit can
: be transmitted that way. (More could be done by
: more sophisticated agreement.)
So, how do you think that fits into Shannon's definition of perfect
secrecy? In partcular, what is the cyphertext?
ISTM that your arrangement (from the point of view of Shannon's
definition) just complicates the question of what constitutes the
cyphertext of the message.
If you can identify the cyphertext, the definition of perfect secrecy
can again be applied.
--
__________
|im |yler [EMAIL PROTECTED] Home page: http://alife.co.uk/tim/
------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: better yet, perfect secrecy => who cares?
Date: Thu, 07 Jun 2001 18:58:22 GMT
You two seem to have an esoteric (i like that word) view on what "secrecy"
is all about.
I say if youcan't solve
55 = P + K mod 256
I have obtained perfect secrecy since by 1 byte message is completely hidden
from your eyes.
You guys have to think along practical lines of thinking. You can't simply
propose ciphers or systems that are inefficient and claim them as good
because they contain a feature you (for no reason) deem required for
security.
No one has yet proven that BICOM is any better than anything else. You guys
just repeat the same stuff over and over. "infinite messages, etc".
It's really getting old quick.
Again, if you can't solve the above system what else must I do for privacy?
Assuming my buddy knows K, I'm set.
--
Tom St Denis
---
http://tomstdenis.home.dhs.org
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************