Cryptography-Digest Digest #569

2001-06-08 Thread Digestifier

Cryptography-Digest Digest #569, Volume #14   Fri, 8 Jun 01 16:13:01 EDT

Contents:
  Re: National Security Nightmare? (nemo outis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Mok-Kong Shen)
  Re: Def'n of bijection (Douglas A. Gwyn)
  Re: practical birthday paradox issues (Douglas A. Gwyn)
  Re: Def'n of bijection ([EMAIL PROTECTED])
  Re: National Security Nightmare? (John Myre)
  Re: National Security Nightmare? (Douglas A. Gwyn)
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, and  (Douglas A. Gwyn)
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, and  (Douglas A. Gwyn)
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, and  (Douglas A. Gwyn)
  Re: Notion of perfect secrecy (Douglas A. Gwyn)
  Re: shifts are slow? (Douglas A. Gwyn)
  Prime Directive  was _Re: National Security Nightmare? (Dramar Ankalle)
  Re: Def'n of bijection (Mok-Kong Shen)



From: [EMAIL PROTECTED] (nemo outis)
Subject: Re: National Security Nightmare?
Date: Fri, 08 Jun 2001 19:17:24 GMT

As a pedant and sciolist I should point out that it's Let *him* who is 
without blame cast the first stone.

:-)

Regards,



In article [EMAIL PROTECTED], Phil Carmody 
[EMAIL PROTECTED] wrote:

..snip...

Let he who is without blame cast the first stone.

..snip...

--

From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: Fri, 08 Jun 2001 21:24:35 +0200



Tom St Denis wrote:
 

 Not to be a naive kid but I doubt even PhD math types could read a thesis
 and understand it in one pass.
 
 I find often the biggest problem with math papers/discussions is the lack of
 a good language to discuss it in.  For example, my book on Group Theory I
 got (From Dover) only has 13 words in the entire text.  The rest is vague
 human egyptian art work that future archeologists will look at and say this
 means fire, and that's water, and 
 
 For example, look at some of the papers by Vaudenay.  Typically he goes
 overboard when trying to say the simplest thing.  The benefits of
 decorrelation in GF(2^w) wrt to diff/linear analysis can be summed up with
 two simple proofs.  Yet he brings in all these weird symbols like
 
 ||A||^d_{oo}, etc..
 
 Which looks neat, but doesn't mean anything to me.  (I know ||A|| means
 normal form, but what normal form means is beyond me).
 
 In my MDFC paper I proved in about 1/2 a page that pair-wise decorrelation
 in GF(2^w) leads to functions immune to differential and linear analysis.
 
 [N.B  His papers go far into more formal notions of randomness which is why
 he uses the funny notation.  But to simply prove immunity to 1st order
 attacks you don't need such a lengthy paper]

I remember we have discussed similar topics in the
past. Different books are written for people with different
'pre-knowledge' (my term). Thus not everything is explained
in all details and with all rigor, it being assumed that
the (intended) readers already know the stuff above a
certain level. Certainly, there are differences in the
writing capabilities of the authors. Some are good
pedagogically, i.e. good teachers, others less so.
But I would be very careful in criticizing textbooks 
written by academics or papers in respected journals
as vague, imprecise etc. etc. For it is the current
tradition that these are well peer-reviewed. Further, 
common textbooks (those that sell en masse) are subjected 
to a selection process (in the Darwinian sense), so it
is not very likely that books of very poor quality of
that kind are on the market. If I have acquired 
enough knowledge in a scientific field and am able to 
read a lot of books with ease, and then discover (on 
looking back) that a certain book is really poorly or 
carelessly written (with respect to the class of readers 
that I am sure the book is intended for), I would 
eventually venture to express my critiques, but not 
before that point in time. Of course, that's my personal 
'philosophy'; you may have yours that is quite different.

You said that some authors are explaining too much, i.e.
with unnecessary details. But this is probably because
you know more on that particular point than the
average reader that the authors have in mind. For one
who doesn't have that 'pre-knowledge', one would be very
grateful to the authors for easing the way of grasping
the stuff with these details. There is literature at
diverse levels. If you find one class too easy/simplistic 
for you, switch to a higher class. Sometimes one has to 
switch in the reverse direction. (At least this is often
my personal experience.) This is analogous to what I knew
of school education when I was young. (I have no
knowledge of the current systems.) At that time pupils 
that were exceptionally good were allowed to jump
classes. Transfers in the reverse direction

Cryptography-Digest Digest #569

2001-01-27 Thread Digestifier

Cryptography-Digest Digest #569, Volume #13  Sat, 27 Jan 01 14:13:01 EST

Contents:
  Re: Mr Szopa's encryption (was Why Microsoft's Product Activation   Stinks) (Alan Mackenzie)
  Re: How many bits of security can a password give? (George Weinberg)
  Re: Dynamic Transposition Revisited (long) (Mok-Kong Shen)
  Re: what was the problem with E2 ? (DJohn37050)
  Re: Paranoia (Roger Schlafly)
  Re: 32768-bit cryptography, updated (Splaat23)
  Re: Paranoia (Roger Schlafly)
  Re: Why Microsoft's Product Activation Stinks (Lord Running Clam)
  Re: 32768-bit cryptography, updated (Mike 8465)
  Re: Why Microsoft's Product Activation Stinks (Splaat23)
  Description of algorithm (Mike 8465)
  Re: What do you do with broken crypto hardware? ("Douglas A. Gwyn")



From: Alan Mackenzie[EMAIL PROTECTED]
Crossposted-To: or.politics,talk.politics.crypto,misc.survivalism
Subject: Re: Mr Szopa's encryption (was Why Microsoft's Product Activation   Stinks)
Date: Sat, 27 Jan 2001 14:00:32 +

Anthony Stephen Szopa [EMAIL PROTECTED] wrote on Sat, 27 Jan 2001
03:53:12 -0800:
 Alan Mackenzie wrote:

[A few comments on the controversy over Mr. Szopa's encryption program.]

 All one need do is read the first three help files and you would have
 all the information you need to answer all your questions.

 This is why I posted the Help Files to begin with.

 Give them a try.

 You know the rules:  one of them is that the attacker knows 
 everything about the algorithm.

Indeed so. Other posters on these newsgroups have been asserting that
they _don't_ know everything about the algorithm. Possibly you could help
clarify whether or not this is the case by giving a direct answer to the
following question:

Could a software engineer, using as a specification only the descriptive
material available at your web site, duplicate your encryption program?
That is, for any given plaintext, identical key material, and identical
states for any programmable pseudo random number generators, his program
and your program would produce the same cyphertext.

-- 
Alan Mackenzie (Munich, Germany)
Email: [EMAIL PROTECTED]; to decode, wherever there is a repeated letter
(like "aa"), remove one of them (leaving, say, "a").


--

From: [EMAIL PROTECTED] (George Weinberg)
Subject: Re: How many bits of security can a password give?
Date: Sat, 27 Jan 2001 16:54:11 GMT

On Wed, 24 Jan 2001 11:50:11 -0800, "Joseph Ashwood" [EMAIL PROTECTED]
wrote:


"Erik Runeson" [EMAIL PROTECTED] wrote in message
news:94nafd$lff$[EMAIL PROTECTED]...
 I'm trying to find an upper limit to how strong a
 regular password can be.

Depends on the password. If you let the user choose an English word, it is
rather predictably 1 bit of entropy per character. If you require that there
be at least one capital, they will almost certainly capitalize the first
letter, so maybe .25 bits of entropy added. Adding a number on the end adds
an average of log2(10) although it will be biased towards 1. So your normal
passwords would have anywhere from 6 to ~12 bits of entropy. 

This is way pessimistic.  12 bits of entropy implies you could get it
with a dictionary attack with only 4000 guesses.  six bits
means you would only need 64 guesses!



If you educate them to use random capitalization that can be your
best friend, it adds a pure 1 bit of entropy per character.

Only if the capitalization is truly random,  and then it makes it hard
to remember.  

George
 If they use
diceware, along with random capitalization you are in very good shape and
they will probably have more entropy in their passphrase than you will
harvest in your verification.
Joe
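The figures traded in this exchange (about 1 bit per character for an English word, log2(10) for a random trailing digit, 1 bit per coin-flipped letter, 2^12 = 4096 guesses for a 12-bit password) all follow from counting the independent uniform choices an attacker who knows the policy still has to enumerate. The following is an added example written for this page, not code from either poster: it computes the entropy of a passphrase policy from those choices, converts it to guess counts and cracking time, and generates a Diceware-style passphrase with the operating system CSPRNG so the estimate actually holds. The ten-word SAMPLE_WORDLIST is a constructed stand-in for the real 7776-word Diceware list; only the list size enters the arithmetic.

```python
import math
import secrets

# Size of the standard Diceware list: five dice rolls pick one of 6^5 words.
DICEWARE_LIST_SIZE = 6 ** 5  # 7776

# Constructed stand-in for a real word list so the generator runs offline.
# The entropy numbers depend only on the list's size and on how uniformly
# the words are picked, never on the words themselves.
SAMPLE_WORDLIST = ["cloak", "dagger", "lemon", "river", "quartz", "tango",
                   "violet", "walrus", "yonder", "zephyr"]


def policy_entropy_bits(n_words, wordlist_size=DICEWARE_LIST_SIZE,
                        coin_flipped_letters=0, random_digits=0):
    """Bits of entropy contributed by independent, uniformly random choices.

    Each word drawn uniformly from the list adds log2(wordlist_size) bits
    (about 12.9 for Diceware); each letter whose case is set by a fair coin
    adds exactly 1 bit; each uniformly random digit adds log2(10).  Anything
    chosen by habit (a capital at the start, a '1' at the end) is not counted:
    an attacker who knows the policy tries those first.
    """
    if n_words < 0 or wordlist_size < 1:
        raise ValueError("bad policy parameters")
    return (n_words * math.log2(wordlist_size)
            + coin_flipped_letters
            + random_digits * math.log2(10))


def guesses(bits):
    """(worst case, average) guesses for an attacker who knows the policy."""
    total = 2 ** bits
    return total, total / 2


def crack_time_seconds(bits, guesses_per_second):
    """Average time to recover the secret at a given guessing rate."""
    return guesses(bits)[1] / guesses_per_second


def generate_passphrase(n_words, wordlist=SAMPLE_WORDLIST, random_caps=True):
    """Return (passphrase, entropy_bits), using the OS CSPRNG for every choice.

    Random capitalisation is applied letter by letter with a fair coin, which
    is the only way it earns the full bit per letter claimed above.
    """
    words = [secrets.choice(wordlist) for _ in range(n_words)]
    letters = 0
    if random_caps:
        flipped = []
        for w in words:
            flipped.append("".join(c.upper() if secrets.randbits(1) else c
                                   for c in w))
            letters += sum(c.isalpha() for c in w)
        words = flipped
    return " ".join(words), policy_entropy_bits(n_words, len(wordlist), letters)


if __name__ == "__main__":
    for label, bits in [("12-bit password", 12),
                        ("5 Diceware words", policy_entropy_bits(5)),
                        ("5 Diceware words + 2 digits",
                         policy_entropy_bits(5, random_digits=2))]:
        worst, avg = guesses(bits)
        print(f"{label}: {bits:.1f} bits, {worst:.3g} guesses worst case, "
              f"{crack_time_seconds(bits, 1e9):.3g} s at 1e9/s")
    print(generate_passphrase(4))
```

Run it and the 12-bit case prints 4096 worst-case guesses, the number Ashwood quotes; five Diceware words come to about 64.6 bits, which is why that scheme can exceed what a 64-bit verifier will ever distinguish.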




--

From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: Dynamic Transposition Revisited (long)
Date: Sat, 27 Jan 2001 18:08:27 +0100



John Savard wrote:
 
 Mok-Kong Shen[EMAIL PROTECTED] wrote, in part:
 
 I suppose you have a different and problematical concept
 of the (THEORETICAL) OTP. The bit sequence of OTP is by
 definition/assumption unpredictable. If a 'claimed' OTP
 uses a predictable bit sequence and consequently is weak
 as you said, then it is by definition NOT an OTP, though
 snake-oil peddlers used to call that OTP.
 
 This is true.
 
 But Terry Ritter isn't talking about fake OTPs based on algorithmic
 PRNGs, as far as I understand it.
 
 He is saying that even what people acknowledge as "real" OTPs, where
 the key has been generated by physical randomness, aren't provably the
 'theoretical OTP', because you can't prove a particular physical
 random noise generator to be perfect.
 
 That is not, in itself, untrue. Physical random number generators can
 have bias, for example.
 
 However, it his his insistence that this is a major concern, and more
 specifically the implication that this makes the proof that th

Cryptography-Digest Digest #569

2000-08-29 Thread Digestifier

Cryptography-Digest Digest #569, Volume #12  Wed, 30 Aug 00 01:13:00 EDT

Contents:
  Re: Patent, Patent is a nightmare, all software patent shuld not be allowed (qun ying)
  Re: Serious PGP v5  v6 bug! ("Nathan Williams")
  Re: The DeCSS ruling (Eric Smith)
  Re: The DeCSS ruling (Roger Schlafly)
  Re: Future computing power (David A Molnar)
  Re: Future computing power (David A Molnar)
  Re: Best way! (Eric Smith)
  Re: Destruction of CDs (Eric Smith)
  Re: PRNG Test Theory ("Trevor L. Jackson, III")
  Re: The DeCSS ruling (David A. Wagner)
  Re: "Warn when encrypting to keys with an ADK" (Philip Stromer)
  Re: Patent, Patent is a nightmare, all software patent shuld not be allowed (John Savard)
  Re: Best way! (Edward A. Falk)
  Re: 4096 BIT RSA Key ([EMAIL PROTECTED])
  Re: Bytes, octets, chars, and characters (Brian Inglis)



From: qun ying [EMAIL PROTECTED]
Subject: Re: Patent, Patent is a nightmare, all software patent shuld not be allowed
Date: Wed, 30 Aug 2000 02:03:24 GMT

In article [EMAIL PROTECTED],
  Mok-Kong Shen [EMAIL PROTECTED] wrote:
 I wonder in the case in question how much is actually
 'disclosed' in the text that one can read on the web page
 cited. Are there more texts about that patent that one
 can read? Or are these texts inaccessible to the public?
 Since the patent apparently has the potential of attacking
 at the very root of PK applications, if I don't err, we
 should pay due attention to the issue, I suppose.

 M. K. Shen
 
 http://home.t-online.de/home/mok-kong.shen

The actual patent is not much more than you can see from the web, just
a few more diagrams. I get the impression that it is some kind of
hotmail services with PKI system. But I don't think that will qualify
for the patent. The company also selling products based on the patent.
the company's address:
http://www.tumbleweed.com/



Sent via Deja.com http://www.deja.com/
Before you buy.

--

From: "Nathan Williams" [EMAIL PROTECTED]
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
Subject: Re: Serious PGP v5  v6 bug!
Date: Wed, 30 Aug 2000 02:17:45 GMT

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

No it doesn't.  Reread my post Shawn. The "master" KEY is SPLIT!!!
No one person could decrypt and use the stored keys.

"Shawn Willden" [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 No, this solution is far worse than the ADK solution.  This
 solution gives someone else control of your private key, meaning
 they can
 impersonate you.  This scenario allows a tie-dyed, sockless,
 ponytailed, late-to-work-every-day geek who hasn't been fired yet
 only because HR isn't sure they could find a replacement in this
 unbelievably tight technical-labor market to impersonate the CEO;
 not a good idea.

 [Nothing against tie-dye, ponytails, Tevas or going to work late,
 BTW; I fit that profile whenever possible.]

 Really, there is no weakness created by an ADK in a proper
 implementation.  The only "badness" about ADKs in general is that
 they create yet another opportunity for making mistakes.  But then
 *any* key escrow solution creates another opportunity for error.
 IMO, ADKs are a reasonable solution, as long as they are properly
 authenticated (part of the signed public key package).

Shawn.

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQA/AwUBOaxugd8G10zX/RREEQJdJACferMr1c1UW2brQ0Sflf39Iyb2Bw8AoPRl
WNRGF+eeSyEbIE3nPLY4jdPO
=T15t
-----END PGP SIGNATURE-----
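The split master key Nathan Williams refers to is, in practice, a threshold scheme: the key is divided into n shares of which any k reconstruct it and any k-1 reveal nothing, so no single holder can decrypt the escrowed keys. Below is an added example of Shamir secret sharing over a prime field written for this page; it is not code from the post, from PGP, or from any product discussed in the thread. The field modulus 2^521-1, the 5-of-3 split, and the sample 32-byte key are assumptions chosen for illustration.

```python
import secrets

# Field modulus: the Mersenne prime 2^521 - 1 (an assumption chosen for this
# example). Any key of up to 520 bits fits in a single field element.
PRIME = (1 << 521) - 1


def _eval_poly(coeffs, x):
    """Evaluate a0 + a1*x + ... + a(k-1)*x^(k-1) mod PRIME by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, n, k):
    """Split an integer secret into n shares; any k of them reconstruct it.

    The secret is the constant term of a random polynomial of degree k-1.
    Holding only k-1 shares leaves every value of the constant term equally
    consistent with what is held, so fewer than k holders learn nothing.
    """
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be an integer in [0, PRIME)")
    if not 1 <= k <= n < PRIME:
        raise ValueError("need 1 <= k <= n")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def reconstruct_secret(shares):
    """Recover the constant term by Lagrange interpolation at x = 0.

    Pass at least k distinct shares. Passing fewer silently yields a
    different polynomial and therefore a wrong but valid-looking value;
    the caller must enforce the threshold, the arithmetic will not.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for xj, yj in shares:
        num, den = 1, 1
        for xm, _ in shares:
            if xm != xj:
                num = num * xm % PRIME
                den = den * (xm - xj) % PRIME
        total = (total + yj * num * pow(den, -1, PRIME)) % PRIME
    return total


def split_key(key, n, k):
    """Share a key given as bytes (interpreted as a big-endian integer)."""
    return split_secret(int.from_bytes(key, "big"), n, k)


def reconstruct_key(shares, key_len):
    """Inverse of split_key; key_len is the original key length in bytes."""
    return reconstruct_secret(shares).to_bytes(key_len, "big")


if __name__ == "__main__":
    master = secrets.token_bytes(32)          # constructed sample 256-bit key
    shares = split_key(master, n=5, k=3)      # five officers, any three suffice
    assert reconstruct_key([shares[0], shares[2], shares[4]], 32) == master
    print("2 of 5 shares recover the key:",
          reconstruct_secret(shares[:2]) == int.from_bytes(master, "big"))
```

Each share is a point (x, y) on the polynomial; the shares are as sensitive as the key fragments they replace and should be distributed to separate holders over separate channels. Note that the scheme protects the escrowed master key only while it is at rest in shares: the moment k holders recombine it in one process, that process holds the full key.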




--

From: Eric Smith [EMAIL PROTECTED]
Subject: Re: The DeCSS ruling
Date: 29 Aug 2000 19:20:36 -0700

"Trevor L. Jackson, III" [EMAIL PROTECTED] writes:
 Does a security system that publishes the cipher key count as copy
 protection?  Calling it copy protection does not make it copy protection.

US Code, Title 17, Chapter 12, Section 1201 (b)(2)(B) sets the legal
standard:

a technological measure `effectively protects a right 
of a copyright owner under this title' if the measure, in the 
ordinary course of its operation, prevents, restricts, or 
otherwise limits the exercise of a right of a copyright owner 
under this title.

--

From: Roger Schlafly [EMAIL PROTECTED]
Subject: Re: The DeCSS ruling
Date: Tue, 29 Aug 2000 19:27:32 -0700

Eric Smith wrote:
 US Code, Title 17, Chapter 12, Section 1201 (b)(2)(B) sets the legal
 standard:
 a technological measure `effectively protects a right
 of a copyright owner under this title' if the measure, in the
 ordinary course of its operation, prevents, restricts, or
 otherwise limits the exercise of a right of a copyright owner
 under this title.

The word "effectively" is the interesting one. The whole purpose

Cryptography-Digest Digest #569

2000-04-17 Thread Digestifier

Cryptography-Digest Digest #569, Volume #11  Mon, 17 Apr 00 21:13:01 EDT

Contents:
  Re: Twofish problems... (Ron Yaklime)
  Re: Sony's Playstation2 export-controlled (Diet NSA)
  updated paper on easy entropy (Tom St Denis)
  Fighting fire with fire:  using encryption to bust encryption [0/2] (Gideon Samid)
  Fighting fire with fire:  using encryption to bust encryption [0/2] (Gideon Samid)
  Fighting fire with fire:  using encryption to bust encryption [0/2] (Gideon Samid)
  Re: GOST idea (Tom St Denis)
  Re: Paper on easy entropy ("Trevor L. Jackson, III")
  Just another idea... (Pred.)
  Re: GOST idea (Mok-Kong Shen)
  Re: Paper on easy entropy (Tom St Denis)
  Re: AES-encryption (Tom St Denis)
  Re: Paper on easy entropy (stanislav shalunov)
  Re: GOST idea (Mok-Kong Shen)
  Re: Paper on easy entropy (Mok-Kong Shen)
  Fighting fire with fire:  using encryption to bust encryption [0/2] (Gideon Samid)
  Fighting fire with fire:  using encryption to bust encryption [0/2] (Gideon Samid)
  Fighting fire with fire:  using encryption to bust encryption [0/2] (Gideon Samid)
  Encryption as a cryptanalysis tool [0/2] (Gideon Samid)



From: [EMAIL PROTECTED] (Ron Yaklime)
Subject: Re: Twofish problems...
Date: Mon, 17 Apr 2000 23:10:52 GMT

[EMAIL PROTECTED] (JONATHAN DINERSTEIN) wrote:

Can somebody help out a struggling college student???

I'm working with Twofish...

...Does anyone have any suggestions or advice?

[EMAIL PROTECTED] (Bruce Schneier) wrote:

If you're still able to encrypt and decrypt properly, then whatever
mistake you're making is repeatable.  I don't know what you're doing
wrong, but if you can't match the test vectors than what you have
isn't Twofish.

I'll bet Jonathan appreciates the Internet just a little bit more now than
he did yesterday!
-- 
"Ron Yaklime" is actually 8759 243610 [EMAIL PROTECTED].
 012 3456789 - Use this key to decode my email address and name.
  Play Five by Five Poker at http://www.5X5poker.com.
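Schneier's answer above is the test every cipher implementation should run: encrypt/decrypt round-tripping only shows that two routines are inverses of each other, while matching the published test vectors shows that they are the cipher. The harness below is an added example written for this page, not code from the post or from the Twofish team. It runs known-answer tests against SHA-256 (vectors from FIPS 180-2, checked with Python's hashlib) and shows a self-consistent but wrong hash failing them; it then checks a constructed 16-byte XOR "cipher" against the Twofish paper's all-zero-key ECB vector, where the round trip passes and the known-answer test does not.

```python
import hashlib


def run_kat(func, vectors):
    """Apply func to each input and compare with the published answer.

    Returns a list of (input, expected, got) for every mismatch; an empty
    list means the implementation agrees with the reference on these inputs.
    """
    failures = []
    for inp, expected in vectors:
        got = func(inp)
        if got != expected:
            failures.append((inp, expected, got))
    return failures


# SHA-256 known answers from FIPS 180-2.
SHA256_VECTORS = [
    (b"abc", bytes.fromhex(
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad")),
    (b"", bytes.fromhex(
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855")),
]


def sha256(data):
    return hashlib.sha256(data).digest()


def sha256_wrong_byte_order(data):
    """A deliberately wrong 'implementation' (constructed): deterministic and
    self-consistent, but it hashes the message bytes in reverse order."""
    return hashlib.sha256(data[::-1]).digest()


# Twofish ECB vector from the Twofish paper: 128-bit all-zero key, all-zero block.
TWOFISH_128_VECTORS = [
    ((bytes(16), bytes(16)),
     bytes.fromhex("9F589F5CF6122C32B6BFEC2F2AE8C35A")),
]


def xor_encrypt(key, block):
    """Constructed stand-in 'cipher': a 16-byte XOR with the key. It decrypts
    its own output perfectly, which says nothing about whether it is Twofish."""
    return bytes(k ^ b for k, b in zip(key, block))


xor_decrypt = xor_encrypt  # XOR is its own inverse


def check_block_cipher(encrypt, decrypt, vectors):
    """Return (round_trips, kat_failures).

    The first value is what a struggling implementer usually checks; the
    second is the one that decides whether the code is actually the cipher.
    """
    round_trips = all(decrypt(key, encrypt(key, pt)) == pt
                      for (key, pt), _ in vectors)
    kat_failures = run_kat(lambda key_pt: encrypt(*key_pt), vectors)
    return round_trips, kat_failures


if __name__ == "__main__":
    print("sha256 failures:", run_kat(sha256, SHA256_VECTORS))
    print("reversed-input sha256 failures:",
          len(run_kat(sha256_wrong_byte_order, SHA256_VECTORS)))
    print("xor 'Twofish' (round trip ok, KAT failures):",
          check_block_cipher(xor_encrypt, xor_decrypt, TWOFISH_128_VECTORS))
```

The reversed-input hash fails only the "abc" vector (the empty message reverses to itself), which is a reminder to run every published vector, not just the first one. Drop a real Twofish implementation in place of xor_encrypt and the same harness becomes its acceptance test.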

--

Subject: Re: Sony's Playstation2 export-controlled
From: Diet NSA [EMAIL PROTECTED]
Date: Mon, 17 Apr 2000 16:02:35 -0700


In article 38FB50FD.17457E25@t-online.de, Mok-Kong Shen [EMAIL PROTECTED] wrote:

I read in today's newspaper that Sony's PlayStation2 (there
were mentions to it in some recent threads of this group) is
under export control of Japan. This seems to indicate that
its 128 bit processor is indeed very powerful.

The PlayStation2 is not under export control for crypto reasons but because it does high speed image processing similar to the type done in some missile guidance systems.


"I feel like there's a constant Cuban Missile Crisis in my pants."   
- President Clinton commenting on the Elian Gonzalez situation
===
* Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!


--

From: Tom St Denis [EMAIL PROTECTED]
Subject: updated paper on easy entropy
Date: Mon, 17 Apr 2000 23:18:23 GMT

I updated the paper (new content and fixed the source), but there are
probably still some flaws... Anyways you can get it at

(html, some formatting lost)
http://24.42.86.123/entropy/base.html

(pdf)
http://24.42.86.123/files/entropy.pdf

(ps)
http://24.42.86.123/files/entropy.ps

Tom

--

From: Gideon Samid [EMAIL PROTECTED]
Subject: Fighting fire with fire:  using encryption to bust encryption [0/2]
Date: Mon, 17 Apr 2000 23:37:06 GMT


FIGHTING FIRE WITH FIRE:  USING ENCRYPTION TO BUST ENCRYPTION


DES, like other strong cryptographies, is characterized by random-like attributes, on which it rests.  Thus a change of one bit in the DES key will change each bit in the ciphertext with a probability close to 50%.  Similarly for unit changes in the plaintext.  This pattern-less aspect indicates cryptographic strength.

Using TaKE (Tailored Key Encryption) one could find a key that would fit a given ciphertext C with a plaintext of choice P.  Hence any C, however random-like, may be transformed to a string P which is as "far from being random" as desired.  Similarly, given a set of ciphertexts C1, C2, C3... one could iteratively look for a key K such that the corresponding plaintexts P1, P2, ... will be increasingly non-random.  This de-randomization process may apply to any given set of random strings.  It can be applied to sets of DES variables (C, K, P) which are subject to cryptanalysis.  In the transformed format these DES variables will lose their random-like property, and will be vulnerable to any of today's powerful pattern recognition tools.

De-randomization (or encryption against encryption) can also be used in conjunction 
with the prevailing methods