Cryptography-Digest Digest #615, Volume #14      Fri, 15 Jun 01 03:13:01 EDT

Contents:
  Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY ("Paul Pires")
  Re: HELP WITH RSA ENCRYPTION/DECRYPTION INCLUDING GARNER CRT ALGORITHM ("Boyd Roberts")
  Re: CipherText E-mail encryption ("Prichard, Chuck")
  Re: curious about MD3 ("Boyd Roberts")
  Re: HELP WITH RSA ENCRYPTION/DECRYPTION INCLUDING GARNER CRT ALGORITHM ("Tom St Denis")
  Re: Yarrow PRNG (Mark Wooding)
  Re: HELP WITH RSA ENCRYPTION/DECRYPTION INCLUDING GARNER CRT ALGORITHM ("Boyd Roberts")
  Re: Alice and Bob Speak MooJoo ("Robert J. Kolker")
  Re: CipherText E-mail encryption ("Prichard, Chuck")
  Re: Diffusion limits in block ciphers (Tim Tyler)
  Re: Alice and Bob Speak MooJoo ("John A. Malley")
  Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY (Mok-Kong Shen)
  Re: CipherText E-mail encryption ([EMAIL PROTECTED])
  Re: Alice and Bob Speak MooJoo (Mok-Kong Shen)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY (Mok-Kong Shen)

----------------------------------------------------------------------------

From: "Paul Pires" <[EMAIL PROTECTED]>
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY
Date: Thu, 14 Jun 2001 18:54:54 -0700


Mok-Kong Shen <[EMAIL PROTECTED]> wrote in message 
news:[EMAIL PROTECTED]...
>
>
> [EMAIL PROTECTED] wrote:
> >
> > Mok-Kong Shen <[EMAIL PROTECTED]> writes:
> > >
> > > I was not changing the subject, i.e. diverting to something else. You
> > > were talking of the possibility of 'proving' I am not lying (or the
> > > opposite).
> >
> > That's not in the slightest what I was talking about. I was contrasting
> > two situations:
> >
> > (1) You use an OTP. I have your ciphertexts. Given a binary file purporting
> > to be the key, can I verify that it *is* the key? Answer: NEVER.
> > No theoretical means exists for establishing that the key is the key.
> > No matter how ``sure'' I feel that it is the key: even if I kidnapped you,
> > and found the key tattooed on your butt.
> >
> > (2) You use a PK system. I have your ciphertexts. Given a binary file
> > purporting to be the key, can I verify that it *is* the key? Answer:
> > yes, always, with 100% certainty.
> >
> > System #1 is secure IN AN INFORMATION THEORETIC SENSE. System #2 may be
> > secure, but it is NOT secure in an information-theoretic sense.
>
> That's because you 'define' the security that way. But
> consider what the difference is. In the first case,
> you don't know 'for sure' whether the deciphered result
> is actually the plaintext. You have uncertainty. In the
> second case, you don't know 'for sure' (I hope I had
> clearly explained that, we could discuss in the other
> case) whether the key pair is actually mine. Again
> you have uncertainty. Yes, the uncertainty is of
> different nature, but it is there in both cases.
>
> >
> > > I was attempting to show that a proof in the absolute sense, as far
> > > as that topic goes is in practice not possible.
> >
> > Unfortunately, you're full of beans. If I get your private key, I *can*
> > be 100% certain that it is *the* key to *the* messages in my possession,
> > period.
> >
> > Yes, you might try to fool me by living a double life, and hoping I'm
> > reading only messages which are a ``blind''. That's got nothing to do
> > with *cryptographic* security, which is what I was talking about.
> >
> > > My point is that I can deny that the public key is mine...
> >
> > You're completely ignoring that practical cryptanalysis happens in a
> > context. In other words, you COULD make that claim...but then you'd
> > have to explain why gigabytes of data encrypted with that key were
> > sent to you...and why your secretary thought it was your key...and why
> > I sent you a message in that key saying ``Wear a big lizard on your
> > head so I can recognize you. --Mok's #1 spy'' and for some reason you
> > turned up with a lizard on your head...
> >
> > Don't confuse cryptographic issues with human engineering, traffic
> > analysis, psychology, religion, philosophy or anything else. It only
> > annoys people who are willing to discuss crypto with you.
>
> Yes, the gigabytes extremely highly strengthen your belief,
> but it is nonetheless not a proof in the absolute sense (or
> a proof in the mathematical sense).

You should really back up and take a deep breath here.
You can deny anything and there is no absolute proof.
Lack of absolute proof is not a proof that a denial is
valid. A denial is judged on its own merits. Take the
private key example. Sure no one can prove that it
is your key (I think). They would have to prove that
there was no key that could also decrypt everything you
have to prove it absolutely. But they can establish with
a statistical certainty that it was in fact your key.

In the other example, OTP, where Len has a ciphertext and
what he thinks is your key, can he prove it with any certainty?
No, not without having knowledge of what the corresponding
plaintext was since you can claim a different plaintext (of the
same length) and produce a different key that will decrypt the
cyphertext to the substituted plaintext. You cannot prove an
OTP key belongs to a ciphertext in any way without the plaintext.
You can prove (to a certainty) that a particular private
key is related to a particular ciphertext without needing
the associated plaintext.

Someone slap me if I have it wrong please.

Paul
>
> M. K. Shen
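An added illustration of the contrast drawn in this exchange (example code written for this digest, not from any poster): for an OTP, a key can be manufactured for any claimed plaintext of the same length, so no key can be shown to be "the" key from the ciphertext alone; for RSA, a purported private exponent can be checked against captured ciphertexts with no plaintext at all. The RSA primes and exponent are the small textbook toy values, chosen only so the arithmetic is checkable by hand.

```python
"""OTP key deniability versus RSA private-key verifiability (added example)."""
import secrets


def otp_xor(key: bytes, data: bytes) -> bytes:
    """One-time pad: XOR key with data (the same routine encrypts and decrypts)."""
    if len(key) != len(data):
        raise ValueError("OTP key must be exactly as long as the data")
    return bytes(k ^ d for k, d in zip(key, data))


def otp_key_for_claim(ciphertext: bytes, claimed_plaintext: bytes) -> bytes:
    """Produce a key under which `ciphertext` decrypts to `claimed_plaintext`.

    Because XOR is its own inverse, such a key exists for *every* candidate
    plaintext of the same length.  Someone holding only the ciphertext
    cannot tell the genuine key from this one: that is the OTP's
    information-theoretic security, and the deniability discussed above.
    """
    return otp_xor(ciphertext, claimed_plaintext)


def rsa_keygen(p: int, q: int, e: int = 65537):
    """Toy RSA key generation from two primes (no padding; demo sizes only).

    Returns ((n, e), (n, d)).  Real keys use ~1024-bit primes and padding.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(pub, m: int) -> int:
    """Textbook RSA encryption of an integer message m < n."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def rsa_private_key_matches(pub, candidate_d: int, ciphertexts) -> bool:
    """Check a purported private exponent against captured ciphertexts
    WITHOUT knowing any plaintext.

    candidate_d is consistent with (n, e) iff (c^d)^e == c (mod n) for the
    observed c.  A wrong d fails this for essentially every ciphertext
    (only the trivial values 0 and 1 pass regardless), so the check is
    decisive: this is the "100% certainty" of the PK case.
    """
    n, e = pub
    return all(pow(pow(c, candidate_d, n), e, n) == c for c in ciphertexts)


if __name__ == "__main__":
    # --- OTP: every claimed plaintext has a matching key -----------------
    real_key = secrets.token_bytes(14)                 # constructed sample key
    ct = otp_xor(real_key, b"attack at dawn")          # constructed sample text
    forged = otp_key_for_claim(ct, b"retreat at ten")  # same length, other story
    print("forged key decrypts to:", otp_xor(forged, ct))
    print("real key == forged key?", real_key == forged)   # False; both 'work'

    # --- RSA: the private exponent is verifiable from ciphertext alone ---
    pub, (_, d) = rsa_keygen(61, 53, 17)       # textbook toy key: n = 3233
    cts = [rsa_encrypt(pub, m) for m in (65, 1234, 3000)]
    print("true d passes:", rsa_private_key_matches(pub, d, cts))
    print("d + 1 passes:", rsa_private_key_matches(pub, d + 1, cts))
```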




------------------------------

From: "Boyd Roberts" <[EMAIL PROTECTED]>
Subject: Re: HELP WITH RSA ENCRYPTION/DECRYPTION INCLUDING GARNER CRT ALGORITHM
Date: Fri, 15 Jun 2001 04:02:33 +0200

"tE!" <[EMAIL PROTECTED]> wrote in message news: 
[EMAIL PROTECTED]
>
> tom st denis sucks. who gives a **** about his crap comments anyway ?
>

was '****' encoded with an OTP?  are you trying to say crap or fuck?

or that other _terrible_ f word: frog

toad, of course, is the correct term.

[with apologies to _the league of gentleman_]




------------------------------

From: "Prichard, Chuck" <[EMAIL PROTECTED]>
Subject: Re: CipherText E-mail encryption
Date: Fri, 15 Jun 2001 02:06:23 GMT

Dear Mr. Ashwood:

The CipherText application can be downloaded and examined.

You would have learned that as a user you have the ability to set up a
large list of assorted contacts, their email addresses and individual
unique keys.

You would have learned that you can easily communicate using Outlook
Express to receive all of your encrypted CipherText messages without
having to differentiate between the two kinds of messages on your server
and fiddling around with two clients.

You would have experienced the prototype demonstration of an idea that is
being rapidly developed to fruition as a product.

You would have been impressed with use of the Outlook Express product in
a manner that you have probably not been privileged to have yet
experienced.

CipherText is the integration of several technologies made possible for
the most part by Microsoft. I have merely implemented the ASCII
encryption algorithm in order to work with existing messaging
technologies in a manner that I perceived necessary a couple of years
ago. For me, arriving at this place in my development is not an end but a
beginning.

Your input imparts very little that is constructive and lacks definitive
content that can be regarded as having any real value. I'm at work
realizing the tradeoffs in working with STRING vs. BYTE array data types
in VB applications to overcome the deficiencies. However the existing
demonstration provides the means to encrypt a short 2K message and send
it to anyone who is new to computers and encryption without confusing
them with key exchanges, public keys, private keys, transfer encoding and
security providers.

And it works.


-C. Prichard



------------------------------

From: "Boyd Roberts" <[EMAIL PROTECTED]>
Subject: Re: curious about MD3
Date: Fri, 15 Jun 2001 04:05:27 +0200

"jlcooke" <[EMAIL PROTECTED]> wrote in message news: 
[EMAIL PROTECTED]
> If I recall MD3 never made it out of Ron's study and circle of friends.

iirc, i think he realised that it was buggered so he dropped it.

i think i read this in _network security_, kaufman et al.





------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: HELP WITH RSA ENCRYPTION/DECRYPTION INCLUDING GARNER CRT ALGORITHM
Date: Fri, 15 Jun 2001 02:09:01 GMT


"Boyd Roberts" <[EMAIL PROTECTED]> wrote in message
news:9gbqdk$da1$[EMAIL PROTECTED]...
> "tE!" <[EMAIL PROTECTED]> wrote in message news:
[EMAIL PROTECTED]
> >
> > tom st denis sucks. who gives a **** about his crap comments anyway ?
> >
>
> was '****' encoded with an OTP?  are you trying to say crap or fuck?
>
> or that other _terrible_ f word: frog
>
> toad, of course, is the correct term.
>
> [with apologies to _the league of gentleman_]

Why would frog be terrible?

Tom



------------------------------

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Yarrow PRNG
Date: 14 Jun 2001 23:09:24 GMT

Mark Wooding <[EMAIL PROTECTED]> wrote:

> Reading 2^{64} blocks and returning `random' if there is a repeated
> block and `non-random' if there is none gives an advantage of about
> 0.63.

Whoops.  This isn't right.  The advantage is about 0.53.  I forgot to
take into account the probability that  a Yarrow output might be
misidentified as being random, which is about 1/10.  The improved result
is still correct, I believe.

-- [mdw]

------------------------------

From: "Boyd Roberts" <[EMAIL PROTECTED]>
Subject: Re: HELP WITH RSA ENCRYPTION/DECRYPTION INCLUDING GARNER CRT ALGORITHM
Date: Fri, 15 Jun 2001 04:32:21 +0200

"Tom St Denis" <[EMAIL PROTECTED]> wrote in message news: 
17eW6.120455$[EMAIL PROTECTED]
> Why would frog be terrible?

you'd have to see the episode of _the league of gentleman_ on the bbc.

short form is:

    a delivery of toads is made to one of the locals

    the postal employee refers to them as frogs

    recipient replies:

        we don't use the _F_ word in this _house_




------------------------------

From: "Robert J. Kolker" <[EMAIL PROTECTED]>
Subject: Re: Alice and Bob Speak MooJoo
Date: Thu, 14 Jun 2001 23:14:10 -0400



Boyd Roberts wrote:

>
> eg. terebi = tv [from television]

You are surprised I speak your ranguage. I
was educated in your country at U.C.R.A.

Bob Kolker




------------------------------

From: "Prichard, Chuck" <[EMAIL PROTECTED]>
Subject: Re: CipherText E-mail encryption
Date: Fri, 15 Jun 2001 03:17:29 GMT

I have a little saying about my work Joe:

"Unless you are getting someone at least a little pissed off, you
probably aren't doing very much."

Sorry if you experienced heartburn, nausea, headache, dizziness or any
other such discomfort known to mankind.

-C. Prichard
www.greentv.com






------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Diffusion limits in block ciphers
Reply-To: [EMAIL PROTECTED]
Date: Fri, 15 Jun 2001 05:42:16 GMT

Tom St Denis <[EMAIL PROTECTED]> wrote:
: "Tim Tyler" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...

:> You can do diffusion by preprocessing, whitening, or compression - then
:> it doesn't much matter if it's patchy, irregular, or incomplete.
:>
:> For example D. Scott has advocated compressing the file, reversing it
:> and compressing it again before finally encrypting.  This is normally
:> quite effective at making every byte depend on every other one - but if
:> there is partial diffusion, it doesn't much matter since it's covered by
:> subsequent encryption.

: This is a sign of amateur cryptology.  Anyone can make complete inefficient
: transforms.

: Generally ideal crypto would consist of each part being as good as possible.

Well, as I said, that was an example.

I would defend the idea.  You are likely to be compressing in one
direction anyway, so you only need diffusion in the other direction
to get a complete AONT.  Compression (usually) operates as a stream - so
you can encrypt the file and send it as you compress in the reverse
direction.  Plus you already have a compressor to hand, so you don't need
to construct any additional machinery.  It's easy for the programmer,
meaning fewer mistakes are made.  It reuses existing components
meaning less space is required.

However, I would agree it may fall short of perfection in information
theoretic terms - I expect it is slower than necessary, and /may/ expand
the files a bit (which is not terribly desirable).

Assuming you've already compressed "in one direction" - what alternative
would you propose?

: I am not an advocate (for example) of fast weak round functions and adding
: tons of rounds. [...]

Whereas I am.  I think this technique may well produce fast strong cyphers
in hardware better than the competition.  I would agree that this thesis
has yet to be put to the test properly, though.

: Quite obvious a compromise must be made. [...]

Not obvious to me.  I would say this area was still a controversial one,
looking at the AES candidates.

: I would be in favour of stronger rounds. [...]

I believe this is the conventional view.  I have seen it expressed a
number of times.  I think the idea is to use s-boxes big enough that they
/just/ fit into the cache of your target processor - for maximum strength
without sacrificing speed.
-- 
__________
 |im |yler  [EMAIL PROTECTED]  Home page: http://alife.co.uk/tim/

------------------------------

From: "John A. Malley" <[EMAIL PROTECTED]>
Subject: Re: Alice and Bob Speak MooJoo
Date: Thu, 14 Jun 2001 23:04:58 -0700


"Robert J. Kolker" wrote:
> 
> "John A. Malley" wrote:
> 
> >
> > What Eve gets is not _noise_ in the electrical
> > engineering/communications systems point of view, though. Eve detects
> > correlations between portions of the stream of signal over time. She'll
> > detect similar or identical modulations of signal characteristics
> > (amplitudes of frequencies, phases of frequencies ) in different
> > portions of the stream of signal over time.  Time-varying modulation of
> > signal characteristics is indicative of communication between
> > intelligent creatures.
> >
> > Eve can learn a lot about the "meaning" of the signal from their
> > responses with respect to the context dictated by events common to
> > Alice, Bob and her.  She can correlate events, the signal patterns
> > following immediately after the events and any observable actions of
> > Alice or Bob and assign a rough "meaning" to the patterns.
> 
> There are no observable actions of Alice and Bob other than the
> communications. In the absence of a shared referent, Eve is up
> the creek. Now let us assume, Eve does something like the
> chosen plaintext attack. Eve creates events which she * hopes *
> Alice and Bob will reference in their communications. Let us
> assume, arguendo, that Alice and Bob oblige Eve in this regard.
> The best Eve can come up with is some good guesses pertaining
> to nouns, the names of things and events. Is this enough
> to understand the communication? No. What about adjectives
> and adverbs.  How does one convey to a child, the concept of
> "pretty" or "bad"  except by ostension (initially anyway)? In the absence
> of the Pointing Finger no human child can learn his first language.
> The only possible crib that Eve has with regard to MooJoo is a
> shared cultural experience. If Alice and Bob had totally foreign
> cultural outlooks and artifacts, Eve would not have a chance to
> figure out what A/B are saying to each other.
> 
[...]

The original assertion at the head of the thread is

"Suppose Alice and Bob share a language
(herein called MooJoo) which is spoken
or read by no others.

Then all their plaintexts would be perfectly
secure. No crypto necessary at all."

Alice and Bob want to keep the content of their messages secret from
listeners like Eve. This implies Alice and Bob share a threat model.  

A threat means Eve can "do something" to Alice or Bob with the
information she learns.  A threat implies:

-  Alice, Bob and Eve share some kind of common physical, biological and
social environment,

-  Eve can interact with Alice or Bob via some common physical,
biological or social mechanism,
 
-  The physical, biological or social mechanism brings
consequences/results Alice and Bob want to avoid.

The threat model for the original post does not rule out the existence
of shared referents due to shared physical, biological and social
environments. Even though the language is not immediately known to Eve
there are techniques Eve can use to build up a "code book" or dictionary
of the language in use while observing events in the shared physical,
biological and social environment and their correlations with "symbols"
(maybe phonemes, or graphics) exchanged between Alice and Bob. And Eve
can deliberately influence Alice or Bob through the shared physical,
biological and social environment to prompt directed exchanges to learn
more about the language used. 

David Molnar and Paul Pires made similar observations about the threat
model in another branch of this thread. 

This proposal is not as secure a communications channel as it first
appears - but only because of the shared physical, biological and social
environments. Some smidgen of context shared between Alice, Bob and Eve
permits cryptanalysis. 


> 
> What is wrong with the following scenario found in just about
> any sci fi movie made in the 1950-s.
> 
> "We learned your Earth Languages from your * radio *
> broadcasts"..


Here I heartily and readily agree!  This example of the "Alien Lurking
at the Threshold" doesn't fit the threat model above. 

The intelligence listening in to radio communications between Alice and
Bob 

- does NOT share the same social environment as Alice and Bob,

- may or may not share the same biological environment as Alice and
Bob,  

- does share the same basic physics/physical environment as Alice and
Bob (should know the same basic elements (Periodic Table), physical
constants, mathematical constants Alice and Bob know.) 

This situation makes it difficult if not impossible to establish any
smidgen of shared context between Alice, Bob and Gort.   Gort gets radio
soaps, concerts, talk shows, news reports, morning shock DJs and
thousands upon thousands of 3.5 - 4.5 minute long rhymes set to music
and advertisements.

The Martians in the movie (1996) "Mars Attacks" captured the alien
viewpoint of Earth radio best, and I quote,

 "ACK ACK, ACK ACK ACK ACK ACK, ACK ACK ACK ACK ACK ACK!"

Couldn't resist. :-)  

What it takes to build up a mutual language with an extrasolar contact
is under serious study (in fact, take a look at "Beyond Contact, A Guide
to SETI and Communications with Alien Civilizations" by Brian McConnell,
O'Reilly & Associates, c. 2001, ISBN 0-596-00037-5.  It's now in US
bookstores or, 

see http://www.oreilly.com/catalog/alien 


John A. Malley
[EMAIL PROTECTED]

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY
Date: Fri, 15 Jun 2001 08:09:10 +0200



[EMAIL PROTECTED] wrote:
> 
> Mok-Kong Shen <[EMAIL PROTECTED]> writes:
> > [EMAIL PROTECTED] wrote:
> >>
> >> System #1 is secure IN AN INFORMATION THEORETIC SENSE. System #2 may
> >> be secure, but it is NOT secure in an information-theoretic sense.
> >
> > That's because you 'define' the security that way.
> 
> No. I define ``information theoretic security'' that way. You wanted to
> know what it means that ``PK systems have zero information-theoretic
> security''. Now you know, because I've told you what ``information-
> theoretic security'' means in this context.
> 
> If you want to discuss *other* notions of security, start a new
> thread. Don't confuse yourself by using the word ``security'' as a
> generic term encompassing every possible notion of security. (By the way,
> ``security'' is only meaningful w.r.t. a specific threat model. Why is
> it news to you that there is no single definition of ``security''?)
> 
> And most of all, *don't* turn it into a religious discussion about whether
> there is such a thing as ``certainty'' in the first place--which you seem
> in imminent danger of doing.

Yes, it is always o.k. to make definitions. I recall in 
this connection a famous sentence from Lewis Carroll, 
though I no longer can reproduce the exact wording from 
memory. It's something like: 'When I use a word, it means 
just what it means, no more nor less'. In other follow-ups 
(discussing with others) I have pointed out that having 
the co-existence of different measures creates at least 
one problem, namely, given one cipher, one does not know 
which measure one should apply, and that could be 
confusing, if not misleading. (You might object, saying
that there isn't any other good measure. There I can't
counter you, because I am personally of the opinion that
a more or less good measure of security doesn't exist in
practice.) It is indeed true that one should first 
seriously consider what threat model one has before 
applying any measure, in order to avoid getting wrong or
inappropriate results. On the other hand, I doubt very 
much that your threat model occurs to be applicable that 
often. In fact, I could hardly imagine a case of 
significant application in reality (scenarios that you 
gave in a previous post), considering the safe protection 
of a private key to be given (this is equivalent to that 
the user has accepted the risk of the eventual consequence 
of losing the key). (Well, in literature one meets also 
other kinds of in my humble view entirely unrealistic 
assumptions, like the opponent's being able to acquire
a very huge number of plaintext-ciphertext pairs 
encrypted with the same key of a symmetric cipher.)

M. K. Shen

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: CipherText E-mail encryption
Date: Fri, 15 Jun 2001 06:13:34 GMT


"Prichard, Chuck" wrote:
> > Your knowledge of algorithms is demonstrated further on the page by the
> > simple fact that you cannot seem to find a way to use your encryption to
> > encrypt generic data. I'll give you a big hint, the process begins with the
> > word "base" and ends with "64" That should make it entirely suitable. Of
> > course the simple fact that your algorithm is horribly unsuited to protect
> > anything will certainly not occur to you.
> >                     Joe
> 
> Base-64 is an encoding scheme for transmission. It is not encryption.
> 
> CipherText content is suitable for transmission without time-consuming
> Base-64 encoding.
> -C. Prichard

"time-consuming Base-64 encoding" :->>>>>>>>>

if Base-64 encoding is time-consuming I don't know what is not...

what encryption is faster than Base-64 encoding ?
only XOR with 0xAA I think..

== <EOF> ==
Disastry  http://i.am/disastry/
http://disastry.dhs.org/pgp <----PGP plugins for Netscape and MDaemon
 ^--GPG for Win32 (supports loadable modules and IDEA)
 ^---PGP 2.6.3ia-multi04 (supports IDEA, CAST5, BLOWFISH, TWOFISH,
     AES, 3DES ciphers and MD5, SHA1, RIPEMD160 hashes)

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Alice and Bob Speak MooJoo
Date: Fri, 15 Jun 2001 08:22:01 +0200



"John A. Malley" wrote:
> 
[snip]
> What it takes to build up a mutual language with an extrasolar contact
> is under serious study (in fact, take a look at "Beyond Contact, A Guide
> to SETI and Communications with Alien Civilizations" by Brian McConnell,
> O'Reilly & Associates, c. 2001, ISBN 0-596-00037-5.  It's now in US
> bookstores or,
> 
> see http://www.oreilly.com/catalog/alien

I remember that in the sixties a mathematician in Holland
published a book, developing a language based on logic
that enables mutual understanding through slowly building 
up basic concepts of math. The language is called LINCOS, if 
I don't err.

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY
Date: Fri, 15 Jun 2001 08:44:32 +0200



Paul Pires wrote:
> 
> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:

> >
> > [EMAIL PROTECTED] wrote:
> > >
> > > Mok-Kong Shen <[EMAIL PROTECTED]> writes:
> > > >
> > > > I was not changing the subject, i.e. diverting to something else. You
> > > > were talking of the possibility of 'proving' I am not lying (or the
> > > > opposite).
> > >
> > > That's not in the slightest what I was talking about. I was contrasting
> > > two situations:
> > >
> > > (1) You use an OTP. I have your ciphertexts. Given a binary file purporting
> > > to be the key, can I verify that it *is* the key? Answer: NEVER.
> > > No theoretical means exists for establishing that the key is the key.
> > > No matter how ``sure'' I feel that it is the key: even if I kidnapped you,
> > > and found the key tattooed on your butt.
> > >
> > > (2) You use a PK system. I have your ciphertexts. Given a binary file
> > > purporting to be the key, can I verify that it *is* the key? Answer:
> > > yes, always, with 100% certainty.
> > >
> > > System #1 is secure IN AN INFORMATION THEORETIC SENSE. System #2 may be
> > > secure, but it is NOT secure in an information-theoretic sense.
> >
> > That's because you 'define' the security that way. But
> > consider what the difference is. In the first case,
> > you don't know 'for sure' whether the deciphered result
> > is actually the plaintext. You have uncertainty. In the
> > second case, you don't know 'for sure' (I hope I had
> > clearly explained that, we could discuss in the other
> > case) whether the key pair is actually mine. Again
> > you have uncertainty. Yes, the uncertainty is of
> > different nature, but it is there in both cases.
> >
> > >
> > > > I was attempting to show that a proof in the absolute sense, as far
> > > > as that topic goes is in practice not possible.
> > >
> > > Unfortunately, you're full of beans. If I get your private key, I *can*
> > > be 100% certain that it is *the* key to *the* messages in my possession,
> > > period.
> > >
> > > Yes, you might try to fool me by living a double life, and hoping I'm
> > > reading only messages which are a ``blind''. That's got nothing to do
> > > with *cryptographic* security, which is what I was talking about.
> > >
> > > > My point is that I can deny that the public key is mine...
> > >
> > > You're completely ignoring that practical cryptanalysis happens in a
> > > context. In other words, you COULD make that claim...but then you'd
> > > have to explain why gigabytes of data encrypted with that key were
> > > sent to you...and why your secretary thought it was your key...and why
> > > I sent you a message in that key saying ``Wear a big lizard on your
> > > head so I can recognize you. --Mok's #1 spy'' and for some reason you
> > > turned up with a lizard on your head...
> > >
> > > Don't confuse cryptographic issues with human engineering, traffic
> > > analysis, psychology, religion, philosophy or anything else. It only
> > > annoys people who are willing to discuss crypto with you.
> >
> > Yes, the gigabytes extremely highly strengthen your belief,
> > but it is nonetheless not a proof in the absolute sense (or
> > a proof in the mathematical sense).
> 
> You should really back up and take a deep breath here.
> You can deny anything and there is no absolute proof.
> Lack of absolute proof is not a proof that a denial is
> valid. A denial is judged on its own merits. Take the
> private key example. Sure no one can prove that it
> is your key (I think). They would have to prove that
> there was no key that could also decrypt everything you
> have to prove it absolutely. But they can establish with
> a statistical certainty that it was in fact your key.
> 
> In the other example, OTP, where Len has a ciphertext and
> what he thinks is your key, can he prove it with any certainty?
> No, not without having knowledge of what the corresponding
> plaintext was since you can claim a different plaintext (of the
> same length) and produce a different key that will decrypt the
> cyphertext to the substituted plaintext. You cannot prove an
> OTP key belongs to a ciphertext in any way without the plaintext.
> You can prove (to a certainty) that a particular private
> key is related to a particular ciphertext without needing
> the associated plaintext.

It is indeed fine to get reminded of 'statistical certainty'. 
In fact one applies often much in the sense of subjective 
probabilities. This results at least partly from the fact 
that humans are involved in most cases and one can't 
mechanically and accurately calculate as if everything 
were done by an automaton. One applies estimates and 
'considers' that one has done the right thing when the 
probability of being wrong is judged/believed to be
negligible.

I have responded to lbudney's post, giving some of my
humble opinions.

M. K. Shen

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
