The Value of Cryptanalysis


A Ciphers By Ritter Page


This huge conversation starts out with the article by Schneier. That article is controversial in various ways:

These arguments bring out fundamental issues in cryptography which are generally assumed to have been resolved long ago, with the answers now obvious. See my response, my later response and someone else's response and math descriptions.


Subject: Memo to the Amateur Cipher Designer
Date: Sat, 17 Oct 1998 23:35:28 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <36292906.1151332@news.visi.com>
Newsgroups: sci.crypt
Lines: 152

This was in the October CRYPTO-GRAM, but I thought I'd run it through sci.crypt, since so many people seem to be asking questions on the topic.

Bruce

Memo to the Amateur Cipher Designer

Congratulations. You've just invented this great new cipher, and you want to do something with it. You're new in the field; no one's heard of you, and you don't have any credentials as a cryptanalyst. You want to get well-known cryptographers to look at your work. What can you do?

Unfortunately, you have a tough road ahead of you. I see about two new cipher designs from amateur cryptographers every week. The odds of any of these ciphers being secure are slim. The odds of any of them being both secure and efficient are negligible. The odds of any of them being worth actual money are virtually non-existent.

Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can't break. It's not even hard. What is hard is creating an algorithm that no one else can break, even after years of analysis. And the only way to prove that is to subject the algorithm to years of analysis by the best cryptographers around.

"The best cryptographers around" break a lot of ciphers. The academic literature is littered with the carcasses of ciphers broken by their analyses. But they're a busy bunch; they don't have time to break everything. How do they decide what to look at?

Ideally, cryptographers should only look at ciphers that have a reasonable chance of being secure. And since anyone can create a cipher that he believes to be secure, this means that cryptographers should only look at ciphers created by people whose opinions are worth something. No one is impressed if a random person creates a cipher he can't break; but if one of the world's best cryptographers creates a cipher he can't break, now that's worth looking at.

The real world isn't that tidy. Cryptographers look at algorithms that are either interesting or are likely to yield publishable results. This means that they are going to look at algorithms by respected cryptographers, algorithms fielded in large public systems (e.g., cellular phones, pay-TV decoders, Microsoft products), and algorithms that are published in the academic literature. Algorithms posted to Internet newsgroups by unknowns won't get a second glance. Neither will patented but unpublished algorithms, or proprietary algorithms embedded in obscure products.

It's hard to get a cryptographic algorithm published. Most conferences and workshops won't accept designs from unknowns and without extensive analysis. This may seem unfair: unknowns can't get their ciphers published because they are unknowns, and hence no one will ever see their work. In reality, if the only "work" someone ever does is in design, then it's probably not worth publishing. Unknowns can become knowns by publishing cryptanalyses of existing ciphers; most conferences accept these papers.

When I started writing _Applied Cryptography_, I heard the maxim that the only good algorithm designers were people who spent years analyzing existing designs. The maxim made sense, and I believed it. Over the years, as I spent more time doing design and analysis, the truth of the maxim has gotten stronger and stronger. My work on the Twofish design has made me believe this even more strongly. The cipher's strength is not in its design; anyone could design something like that. The strength is in its analysis. We spent over 1000 man-hours analyzing Twofish, breaking simplified versions and variants, and studying modifications. And we could not have done that analysis, nor would we have had any confidence in that analysis, had not the entire design team had experience breaking many other algorithm designs.

A cryptographer friend tells the story of an amateur who kept bothering him with the cipher he invented. The cryptographer would break the cipher, the amateur would make a change to "fix" it, and the cryptographer would break it again. This exchange went on a few times until the cryptographer became fed up. When the amateur visited him to hear what the cryptographer thought, the cryptographer put three envelopes face down on the table. "In each of these envelopes is an attack against your cipher. Take one and read it. Don't come back until you've discovered the other two attacks." The amateur was never heard from again.

I don't mean to be completely negative. People occasionally design strong ciphers. Amateur cryptographers even design strong ciphers. But if you are not known to the cryptographic community, and you expect other cryptographers to look at your work, you have to do several things:

1. Describe your cipher using standard notation. This doesn't mean C code. There is established terminology in the literature. Learn it and use it; no one will learn your specialized terminology.

2. Compare your cipher with other designs. Most likely, it will use some ideas that have been used before. Reference them. This will make it easier for others to understand your work, and shows that you understand the literature.

3. Show why your cipher is immune against each of the major attacks known in literature. It is not good enough just to say that it is secure, you have to show why it is secure against these attacks. This requires, of course, that you not only have read the literature, but also understand it. Expect this process to take months, and result in a large heavily mathematical document. And remember, statistical tests are not very meaningful.

4. Explain why your cipher is better than existing alternatives. It makes no sense to look at something new unless it has clear advantages over the old stuff. Is it faster on Pentiums? Smaller in hardware? What? I have frequently said that, given enough rounds, pretty much anything is secure. Your design needs to have significant performance advantages. And "it can't be broken" is not an advantage; it's a prerequisite.

5. Publish the cipher. Experience shows that ciphers that are not published are most often very weak. Keeping the cipher secret does not improve the security once the cipher is widely used, so if your cipher has to be kept secret to be secure, it is useless anyway.

6. Don't patent the cipher. You can't make money selling a cipher. There are just too many good free ones. Everyone who submitted a cipher to the AES is willing to just give it away; many of the submissions are already in the public domain. If you patent your design, everyone will just use something else. And no one will analyze it for you (unless you pay them); why should they work for you for free?

7. Be patient. There are a lot of algorithms to look at right now. The AES competition has given cryptographers 15 new designs to analyze, and we have to pick a winner by Spring 2000. Any good cryptographer with spare time is poking at those designs.

If you want to design algorithms, start by breaking the ones out there. Practice by breaking algorithms that have already been broken (without peeking at the answers). Break something no one else has broken. Break another. Get your breaks published. When you have established yourself as someone who can break algorithms, then you can start designing new algorithms. Before then, no one will take you seriously.

Creating a cipher is easy. Analyzing it is hard.

See "Self-Study Course in Block Cipher Cryptanalysis": http://www.counterpane.com/self-study.html

**********************************************************************
Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590
Free crypto newsletter. See: http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: Sun, 18 Oct 1998 04:20:15 GMT
From: george.barwood@dial.pipex.com (George Barwood)
Message-ID: <362967c9.4415110@news.dial.pipex.com>
References: <36292906.1151332@news.visi.com>
Newsgroups: sci.crypt
Lines: 14

On Sat, 17 Oct 1998 23:35:28 GMT, schneier@counterpane.com (Bruce Schneier) wrote in part:

> Algorithms posted to Internet newsgroups by unknowns won't get a second glance.

I disagree - some time ago I posted an algorithm to sci.crypt, and received a quick (and useful) analysis from David Wagner. The algorithm was not strong against known-plaintext attack, but this was as expected (the design aim was speed at all costs).

Not that I disagree with the intent or conclusions of your article - but I don't think this statement holds up.

George
Subject: Re: Memo to the Amateur Cipher Designer
Date: 18 Oct 1998 06:07:01 -0700
From: Karl-Friedrich Lenz
Message-ID: <70cp5l$jbu@edrn.newsguy.com>
References: <362967c9.4415110@news.dial.pipex.com>
Newsgroups: sci.crypt
Lines: 22

In article , george.barwood@dial.pipex.com says...
>
>On Sat, 17 Oct 1998 23:35:28 GMT, schneier@counterpane.com (Bruce
>Schneier) wrote in part:
>
>>Algorithms posted to Internet newsgroups by unknowns won't get a second glance.
>
>I disagree - some time ago I posted an algorithm to sci.crypt, and
>received a quick (and useful) analysis from David Wagner. The
>algorithm was not strong against known-plaintext attack, but this was
>as expected (the design aim was speed at all costs).
>
>Not that I disagree with the intent or conclusions of your article -
>but I don't think this statement holds up.

Probably Mr. Schneier intended to say "not a second glance by professionals in scientific papers", which might be true. But the level of sci.crypt is not that low, and there seem to be quite a lot of people ready to have a swing at new ideas.

Karl-Friedrich Lenz :-)
www.toptext.com/crypto
Subject: Re: Memo to the Amateur Cipher Designer
Date: Sun, 18 Oct 1998 15:00:36 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <362a0287.3103532@news.visi.com>
References: <362967c9.4415110@news.dial.pipex.com>
Newsgroups: sci.crypt
Lines: 23

On Sun, 18 Oct 1998 04:20:15 GMT, george.barwood@dial.pipex.com (George Barwood) wrote:

>On Sat, 17 Oct 1998 23:35:28 GMT, schneier@counterpane.com (Bruce
>Schneier) wrote in part:
>
>> Algorithms posted to Internet newsgroups by unknowns won't get a second glance.
>
>I disagree - some time ago I posted an algorithm to sci.crypt, and
>received a quick (and useful) analysis from David Wagner. The
>algorithm was not strong against known-plaintext attack, but this was
>as expected (the design aim was speed at all costs).
>
>Not that I disagree with the intent or conclusions of your article -
>but I don't think this statement holds up.

You're right. There are exceptions to this. Agreed.

Bruce

**********************************************************************
Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590
Free crypto newsletter. See: http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: 18 Oct 1998 17:17:12 +0200
From: Jon Haugsand <haugsand@procyon.nr.no>
Message-ID: <yzobtn9nblz.fsf@procyon.nr.no>
References: <362a0287.3103532@news.visi.com>
Newsgroups: sci.crypt
Lines: 19

* Bruce Schneier
| >> Algorithms posted to Internet newsgroups by unknowns won't get a second glance.
| >
| >I disagree - some time ago I posted an algorithm to sci.crypt, and
| >received a quick (and useful) analysis from David Wagner. The
| >algorithm was not strong against known-plaintext attack, but this was
| >as expected (the design aim was speed at all costs).
|
| You're right. There are exceptions to this. Agreed.

Actually, wouldn't this be a good way to train oneself with cryptoanalyzing? Breaking amateur ciphers posted to the usenet?

--
Jon Haugsand
Norwegian Computing Center, <http://www.nr.no/engelsk/>
<mailto:haugsand@nr.no> Pho: +47 22852608 / +47 22852500,
Fax: +47 22697660, Pb 114 Blindern, N-0314 OSLO, Norway
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 19 Oct 1998 04:09:14 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <362abb52.2020632@news.visi.com>
References: <yzobtn9nblz.fsf@procyon.nr.no>
Newsgroups: sci.crypt
Lines: 25

On 18 Oct 1998 17:17:12 +0200, Jon Haugsand <haugsand@procyon.nr.no> wrote:

>* Bruce Schneier
>| >> Algorithms posted to Internet newsgroups by unknowns won't get a second glance.
>| >
>| >I disagree - some time ago I posted an algorithm to sci.crypt, and
>| >received a quick (and useful) analysis from David Wagner. The
>| >algorithm was not strong against known-plaintext attack, but this was
>| >as expected (the design aim was speed at all costs).
>|
>| You're right. There are exceptions to this. Agreed.
>
>Actually, wouldn't this be a good way to train oneself with
>cryptoanalyzing? Breaking amateur ciphers posted to the usenet?

Definitely. I think it's the best way. Not only do you get experience breaking ciphers, but you get some very easy ones to start on.

Bruce

**********************************************************************
Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590
Free crypto newsletter. See: http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: Sat, 17 Oct 1998 22:33:44 -0600
From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw)
Message-ID: <jgfunj-1710982234000001@dialup175.itexas.net>
References: <36292906.1151332@news.visi.com>
Newsgroups: sci.crypt
Lines: 110

In article <36292906.1151332@news.visi.com>, schneier@counterpane.com (Bruce Schneier) wrote:

> This was in the October CRYPTO-GRAM, but I thought I'd run it through
> sci.crypt, since so many people seem to be asking questions on the
> topic.
>
> Bruce.
....

There have been many such discussions which marry some good advice with propaganda, serving the status quo rather than being inclusive of all attempts at improvement in the condition of man. A contrived obstacle course means being sure that few can finish, and more are discouraged from even trying. Those that do run the gauntlet and break the tape seem to confirm its validity to the blinded faithful, notwithstanding the best intentions of those who would sit in judgement, doing the best they can to feel that the whole process is of inordinate value.

As with any presentation, you are encouraged to find weaknesses in what is included in the prior posting in this thread. Authoritarianism is always subject to incompleteness in information that conflicts with its adopted views; and, the stronger it is the more vocal it is in denouncing whatever differs with it. Intolerance ain't pretty.

Since sound reasoning is essential in cryptography: If you know where your feet are, you should be able to cut through the nonsense to glean something even useful from the talk. Much of the content is not new at all, but contrived decades ago, and seeks to hamstring the possibilities of the present to the hindrances of the past, more especially in this subject of ours, and not further the open art at all. The scripting of the elements is in the form of an arrangement in supportive order for argument's sake so they sound more reasonable than they are. The caveats do form comfortable enclaves for those that want to excuse the rest of the stuff.

Remember, the only excuse for formal education is learning how to learn. The end ideal is to become a self-starter in your search for truth, not requiring so many hours credit in order to have particular ability. What is to be acquired is being able to DO rather than always having to ask permission and direction for your occupations. When this honest goal of finding your own direction is realized, it means that you are weaned. It means that you are no longer required to seek an academic teat, or kiss customary areas of despoiled anatomy. You still have the right to seek helpful advice for its own sake, but no obligation to bow and scrape for the privilege. Good information is not to be cloistered.

You are allowed to judge legitimacy on intrinsic content rather than whether it contradicts prior canonized scripture. You are encouraged in true scientific tradition to test and inquire into the nature of anything that has been spread before as the gospel.

If you are overly addicted to the opinions of certain people, you tend to acquire their prejudices; afterwards, know that discovering any flaws is prohibited, and severely punished by excommunication, which has always been a religious act aimed at the unfaithful so as to humiliate and silence them. This technique is often used as well against those that do not buy the bit up front.

So often those that tout a regimen are just saying that it worked for them, so it can do the same for you. You can eat the blood pudding of tradition as long as you like, or you can graduate in informal elegancy, freedom of thought being its own reward. If you are not ready to fly, you may crash, which is preferable to being stoned or shot down as a heretic in the other model. You then have the option to dust yourself off, learn from your mistakes, and flap your wings again.

Reinforcing the status quo means going nowhere not on the approved map; innovation and creativity mean taking new and unorthodox approaches, and sometimes finding that assumed ground rules are merely generalizations that are not always true. Life is far more variable than anyone can realize. It is such that you can almost have nothing on the surface in common with whole groups of people. This means that methods that work for some are going to be rejected as bad style by others. The challenge is not to forcefully remake everyone else in your own image, but to realize that no one has a lock on the path to truth. It should be self-evident that what leads you is the greater good rather than finding a way to get more articles published than someone else.

In crypto, as in many other fields, sufficient study will lead you to agreement with lots of what passes for acceptable thought. It can allow you to unmask areas that have been glossed over. I would never discourage someone from going it alone in a quest; so much in science is the product of the dedicated contrarians who focused on a star that others wanted to excuse as a photographic artifact. Be constrained only by those barriers you show to be actually there. Cryptography is still wide open to new concepts, as well as novel unifying ideas that put older methods in perspective.

Bruce is a good soldier, but some don't march to the same drummer. I would like to believe that anyone as intelligent as he appears to be would serve less in the role of retelling so many false echoes from the past. He continually tells us how difficult good cryptography is; I suppose that reflects his experience. I am sure that he would like to make it easier for others to learn what he has without going down the same path, yet he would recommend it still. Yet, I would not discourage him either from any cryptological endeavor, as I would not do that to anyone.

--
---
Insanity means doing the same thing over and over again and expecting different results...like CDA2.
---
Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Sun, 18 Oct 1998 04:07:00 GMT
From: Lloyd Miller <millerl@cuugnet.cuug.ab.ca>
Message-ID: <908683620.523852@server.cuug.ab.ca>
References: <jgfunj-1710982234000001@dialup175.itexas.net>
Newsgroups: sci.crypt
Lines: 25

W T Shaw <jgfunj@EnqvbSerrGrknf.pbz> wrote:
: In article <36292906.1151332@news.visi.com>, schneier@counterpane.com
: (Bruce Schneier) wrote:
:> This was in the October CRYPTO-GRAM, but I thought I'd run it through
:> sci.crypt, since so many people seem to be asking questions on the
:> topic.
:>
:> Bruce.
: ....
...
: If you are overly addicted to the opinions of certain people, you tend to
: acquire their prejudices; afterwards, know that discovering any flaws is
: prohibited, and severely punished by excommunication, which has always been
: a religious act aimed at the unfaithful so as to humiliate and silence
: them. This technique is often used as well against those that do not buy
: the bit up front.

Bruce's religion makes a lot more sense to me than yours.

--
Lloyd Miller, Calgary millerl@cuug.ab.ca. Terminal Insomniac
Subject: Re: Memo to the Amateur Cipher Designer
Date: Sun, 18 Oct 1998 09:02:32 -0400
From: "Jay Holovacs" <holovacs@idt.net>
Message-ID: <70cs7t$kja@nnrp1.farm.idt.net>
References: <jgfunj-1710982234000001@dialup175.itexas.net>
Newsgroups: sci.crypt
Lines: 56

W T Shaw wrote in message ...
>>>
>
>There have been many such discussions which marry some good advice with
>propaganda, serving the status quo rather than being inclusive of all
>attempts at improvement in the condition of man. A contrived obstacle
>course means being sure that few can finish, and more are discouraged from
>even trying. Those that do run the gauntlet and break the tape seem to
>confirm its validity to the blinded faithful, notwithstanding the best
>intentions of those who would sit in judgement, doing the best they can to
>feel that the whole process is of inordinate value.
> [...etc...]

Newton said 'if I have seen farther than most, it is because I stood on the shoulders of giants.' It has also been said 'he who will not learn from the past is doomed to repeat it.' Bruce makes a great deal of sense. Crypto is not a random shot in the dark, it has a long history of mistakes and discoveries. Just as the patent office became littered with the products of inventors of 'perpetual energy machines' not realizing what was wrong with their great ideas, the crypto world is littered with schemes that mean nothing.

You can't get far in chemistry without learning theory and experience of those that went before. If you want to develop your own winning racing car, you'd best begin by working with as many of the machines built by other great builders as possible. Crypto is no different. If you can't break codes that are out there, why should anyone believe that you have an answer. (In truth, analysis is probably the more important part of the field now, even though most beginners want to rush in and create their own encryption algorithms.)

There is this mythology that by *not* learning how something is done, you can come up with a radical new approach. Quaint, but it doesn't work in the real world. Einstein learned existing physics before he shattered the boundaries of the known physics world. Good writers, painters and composers need to know all the rules of their art before they can break them successfully. Only in areas where there is no history of prior art can someone really come out of the blue and change things (as with small computers 15-20 years ago). Crypto is not one of those areas.

Bruce offered some really good advice for getting yourself listened to, break known codes and write up your results. These are not hard to get published. If someone who can demonstrably analyze codes produces one, there is much more reason to take such a person seriously.

Don't make excuses. Don't blame the 'establishment' that's out to stop you. Listen to people who actually know something. Prove yourself if you want to be believed.

Jay
Subject: Re: Memo to the Amateur Cipher Designer
Date: Sun, 18 Oct 1998 11:34:03 -0600
From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw)
Message-ID: <jgfunj-1810981134030001@dialup122.itexas.net>
References: <70cs7t$kja@nnrp1.farm.idt.net>
Newsgroups: sci.crypt
Lines: 76

In article <70cs7t$kja@nnrp1.farm.idt.net>, "Jay Holovacs" <holovacs@idt.net> wrote:
>
> Bruce offered some really good advice for getting yourself listened to,
> break known codes and write up your results. These are not hard to get
> published. If someone who can demonstrably analyze codes produces one, there
> is much more reason to take such a person seriously.
>
> Don't make excuses. Don't blame the 'establishment' that's out to stop you.
> Listen to people who actually know something. Prove yourself if you want to
> be believed.
>

The big question is what does one actually know from knowledge delivered in a transfusion. In the days when some of us started working, there were scant few resources to work with, and no open debate on any current crypto advances. That time was distasteful, and we should not go there in any respect.

Science is less about belief and more about evidence. You seem to confuse the two. You might prejudice your results by looking for the wrong evidence. In the end, each observation stands or falls on its own through replication and not by the clout of a sole documenter. Personalities can get involved, but true inquisitiveness should cause everyone to rise above that. Apprenticeships are not a universal requirement. There is no real establishment in crypto anymore, just truth where you find it.

In Bruce's work, there are sinful omissions and commissions, but the subject is so large that this would always be a surety in some form. To judge his character, we will see if he mentions in the future any things he has previously ignored and have been pointed out directly to him. If he is a true scientist, he will include such. I would gamble that he in the end will choose fairness. You should not figure that he is doomed to fail to rise to that imperative. We each have the option of presenting contrasting and contradictory evidence as we see it.

Look for the amount of cryptological information to explode as growth occurs in a myriad of directions. No one person will be able to keep it under his thumb, and we better be willing to accept increased specialization as it does.

It might surprise you that I do considerable work in code breaking, not necessarily the ones you would choose. Sometimes I am more successful, sometimes less. The goal for me is to learn how to defeat a weakness and apply it in a refined design. To broadcast prematurely such results would give others the advantage in future designs that I might reserve for myself; and so probably it is with others. It does not follow that a successful analysis can always lead to a better design, and particularly that one known for solving a particular problem can pose a better one. For some it is more important to learn from failures and move on to something better than to trash another's work as a justification for raising a consultant fee.

Back to Bruce, he has a couple of interesting designs in a relatively narrow defined area of crypto. He is also a good researcher and has assembled a certain amount of material in a convenient form. He is a serious organizer, and exercises great concentration to get what he wants. He is an excellent presenter, and most capable in matters closely related to his work. He can be a bear in his zeal, and he can be most cheerful when receiving compliments, we all tend to be that way at such times. He defends his work as he should; it is considerable, showing a colossal amount of labor, be it like anything else pushing certain viewpoints over others. He is worthy of some respect and will continue to inspire lots of people.

But, because he is a limited human being, it also follows that the percentage of cryptography he understands will continue to slip as the field outpaces anyone's ability to completely grasp it. This is not a discourteous observation, just another real one. It could be as well said for all others, even those who are into their work as a priority. We should all be humbled by the magnitude of that problem.

--
---
Insanity means doing the same thing over and over again and expecting different results...like CDA2.
---
Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Sun, 18 Oct 1998 22:32:14 GMT
From: dscott@networkusa.net
Message-ID: <70dq9e$jjt$1@nnrp1.dejanews.com>
References: <70cs7t$kja@nnrp1.farm.idt.net>
Newsgroups: sci.crypt
Lines: 48

In article <70cs7t$kja@nnrp1.farm.idt.net>, "Jay Holovacs" <holovacs@idt.net> wrote:
>
> W T Shaw wrote in message ...
> >>>
> >
> >There have been many such discussions which marry some good advice with
> >propaganda, serving the status quo rather than being inclusive of all
> >attempts at improvement in the condition of man. A contrived obstacle
> >course means being sure that few can finish, and more are discouraged from
> >even trying. Those that do run the gauntlet and break the tape seem to
> >confirm its validity to the blinded faithful, notwithstanding the best
> >intentions of those who would sit in judgement, doing the best they can to
> >feel that the whole process is of inordinate value.
> > [...etc...]
>
> Newton said 'if I have seen farther than most, it is because I stood on the
> shoulders of giants.' It has also been said 'he who will not learn from the
> past is doomed to repeat it.' Bruce makes a great deal of sense. Crypto is
> not a random shot in the dark, it has a long history of mistakes and
> discoveries. Just as the patent office became littered with the products of
> inventors of 'perpetual energy machines' not realizing what was wrong with
> their great ideas, the crypto world is littered with schemes that mean
> nothing.
>
> You can't get far in chemistry without learning theory and experience of
> those that went before. If you want to develop your own winning racing car,
> you'd best begin by working with as many of the machines built by other
> great builders as possible. Crypto is no different. If you can't break codes
> that are out there, why should anyone believe that you have an answer. (In
> truth, analysis is probably the more important part of the field now, even
> though most beginners want to rush in and create their own
> encryption algorithms.)
>

I like your chemistry example; it fits well with the load of stuff Bruce is trying to pass off. In chemistry when I had it in school we got to see a lovely film on the noble gases. A bunch of PhD experts said let's try to make compounds using this part of the periodic table. They do all sorts of brainy exotic things. But no compounds formed from the noble gases. At the end of the film they pompously stated how foolish it was to even try and that there are no such compounds. Then our teacher showed us the articles on how some nobodies made some. Yes, the chemistry was a good example.
Subject: Re: Memo to the Amateur Cipher Designer Date: 19 Oct 1998 02:14:15 GMT From: jsavard@freenet.edmonton.ab.ca () Message-ID: <70e79n$896$1@news.sas.ab.ca> References: <70cs7t$kja@nnrp1.farm.idt.net> Newsgroups: sci.crypt Lines: 35 Jay Holovacs (holovacs@idt.net) wrote: : Newton said 'if I have seen farther than most, it is because I stood on the : shoulders of giants.' It has also been said 'he who will not learn from the : past is doomed to repeat it.' Bruce makes a great deal of sense. Crypto is : not a random shot in the dark, it has a long history of mistakes and : discoveries. I certainly do agree with this, people wanting to design a new cipher ought to be familiar with what has gone before. : Bruce offered some really good advice for getting yourself listened to, : break known codes and write up your results. These are not hard to get : published. If someone who can demonstrably analyze codes produces one, there : is much more reason to take such a person seriously. Well, I certainly have to admit there is truth to that. In _two_ ways. Certainly, a cipher design from someone like Eli Biham, one of the academic discoverers of differential cryptanalysis, is going to be taken seriously, as it should. And a general familiarity with the principles of cryptanalysis, especially as they apply to the kind of cipher one is attempting to design, is going to be an important guide away from various pitfalls. However, cryptanalysis is a discipline of its own, and requires either considerable stamina or advanced mathematical skills. One does not quite need these qualifications to design a secure cipher, particularly if one is following your earlier advice and not ignoring the lessons of previous designs. Of course, if one wants a hearing, if one's qualifications are modest, one should be modest. 
John Savard
Subject: Re: Memo to the Amateur Cipher Designer
Date: 19 Oct 1998 14:29:21 +0100
From: Mark Tillotson <markt@harlequin.co.uk>
Message-ID: <kxsogkfzny.fsf@harlequin.co.uk>
References: <36292906.1151332@news.visi.com>
Newsgroups: sci.crypt
Lines: 64

jsavard@freenet.edmonton.ab.ca () wrote:

| And a general familiarity with the principles of cryptanalysis, especially
| as they apply to the kind of cipher one is attempting to design, is going
| to be an important guide away from various pitfalls.
|
| However, cryptanalysis is a discipline of its own, and requires either
| considerable stamina or advanced mathematical skills. One does not quite
| need these qualifications to design a secure cipher, particularly if one
| is following your earlier advice and not ignoring the lessons of previous
| designs.

Nonsense! How on earth can you claim to design a secure cipher if you are _incapable_ of distinguishing a weak cipher from a strong cipher??? It just doesn't make any sense at all.

That's like saying a blind person can paint a scene in correct colours despite being unable to see what they are doing! Sure it's not _impossible_ that it could happen, but no-one with an ounce of common sense expects such an outrageously lucky outcome (or even for the paint to end up on the canvas!!) We don't want a cipher that might well be extremely strong, we want ciphers that are extremely likely to be strong...

With cipher design we don't even have a way of distinguishing strong from weak, we merely have techniques of varying sophistication for trying to identify and measure weakness, and people more or less highly skilled at applying them and inventing new techniques of analysis. The cipher designer needs to iterate the design through more and more sophisticated analyses until it _seems_ both appropriately secure and efficient. Then the next step is to enlist some more people to help in the process of searching for missed weaknesses, and eventually publication.
It's an ongoing process of weeding out weaknesses, gradually bringing in more and more people as one's confidence in the lack of "silly mistakes" grows, just like any other safety-critical large-scale engineering project.

There certainly is a lot of scope for amateurs to suggest _ideas_ to use in cipher design, but a serious _design_ itself needs to be at the centre of such a process of cryptanalysis, not just made up by inspired guesswork.

So I'd agree that experience in cryptanalysis isn't necessary to create a plausible _looking_ design, but that it is an _absolute necessity_ for creating an actual publishable design (unless you just wanted to create a toy cipher). If the 10000's of amateur cryptographers all started publishing designs, we'd be in a total mess!

These days ciphers are expected to be used as building blocks for all sorts of security primitives, so even "security" involves resistance to many different modes of attack, and the amount of work needed to design a cipher is usually beyond the skills and patience of a single individual anyway.

Our whole digital infrastructure is going to depend on future ciphers being secure, and I for one don't want to see the information superhighway made of "concrete" that washes away the first time it rains because its recipe was formulated by a well-meaning amateur who didn't know anything about QA'ing concrete!!

__Mark
[ markt@harlequin.co.uk | http://www.harlequin.co.uk/ | +44(0)1954 785433 ]
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 22 Oct 1998 19:13:05 GMT
From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard)
Message-ID: <362f81e7.14525013@news.prosurfr.com>
References: <kxsogkfzny.fsf@harlequin.co.uk>
Newsgroups: sci.crypt
Lines: 31

Mark Tillotson <markt@harlequin.co.uk> wrote, in part:

>jsavard@freenet.edmonton.ab.ca () wrote:
>| However, cryptanalysis is a discipline of its own, and requires either
>| considerable stamina or advanced mathematical skills. One does not quite
>| need these qualifications to design a secure cipher, particularly if one
>| is following your earlier advice and not ignoring the lessons of previous
>| designs.

>Nonsense! How on earth can you claim to design a secure cipher if you are
>_incapable_ of distinguishing a weak cipher from a strong cipher??? It
>just doesn't make any sense at all.

I emphatically _agree_ that if you know *nothing* about cryptanalysis, you won't be able to design a secure cipher (except by accident, or by copying someone else's design with trivial changes).

I thought, though, that I was being clear in what I was trying to say: that while a _knowledge_ of cryptanalysis is needed, actually being a cryptanalyst - actually being able to carry out, in full, the cryptanalysis of a difficult cipher, or being able to make theoretical contributions to the field - is not, strictly speaking, necessary (although Bruce is still right that those sorts of qualifications will get you taken seriously) to design a secure cipher.

Maybe you would find that position wrong-headed too, and I can understand that. But it's not nearly the same as the position you correctly characterized as expecting a blind person to paint.

John Savard
http://members.xoom.com/quadibloc/index.html
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 22 Oct 1998 13:56:59 -0600
From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw)
Message-ID: <jgfunj-2210981357000001@dialup159.itexas.net>
References: <kxsogkfzny.fsf@harlequin.co.uk>
Newsgroups: sci.crypt
Lines: 131

In article <kxsogkfzny.fsf@harlequin.co.uk>, Mark Tillotson <markt@harlequin.co.uk> wrote:

> jsavard@freenet.edmonton.ab.ca () wrote:
> | And a general familiarity with the principles of cryptanalysis, especially
> | as they apply to the kind of cipher one is attempting to design, is going
> | to be an important guide away from various pitfalls.
> |
> | However, cryptanalysis is a discipline of its own, and requires either
> | considerable stamina or advanced mathematical skills. One does not quite
> | need these qualifications to design a secure cipher, particularly if one
> | is following your earlier advice and not ignoring the lessons of previous
> | designs.
>
> Nonsense! How on earth can you claim to design a secure cipher if you are
> _incapable_ of distinguishing a weak cipher from a strong cipher??? It
> just doesn't make any sense at all.

Many imply that if you simply follow their rules for cipher construction, you need not do much of the analysis yourself. They even suggest that someone else do it, a catch 22.

>
> That's like saying a blind person can paint a scene in correct colours
> despite being unable to see what they are doing! Sure it's not
> _impossible_ that it could happen, but no-one with an ounce of common sense
> expects such an outrageously lucky outcome (or even for the paint to
> end up on the canvas!!)

Did you see the story on TV about the guy who is blind and bicycles? He has learned sonic location, and clicks his tongue as a generator.

Out of curiosity, I once asked a blind man to describe different colors. The explanations he had remembered from what he had heard made sense.
This is somewhat in line with my above comments about following someone else's crypto design strategies.

> We don't want a cipher that might well be
> extremely strong, we want ciphers that are extremely likely to be
> strong...

According to someone else's plan....

>
> With cipher design we don't even have a way of distinguishing strong
> from weak, we merely have techniques of varying sophistication for
> trying to identify and measure weakness, and people more or less
> highly skilled at applying them and inventing new techniques of
> analysis. The cipher designer needs to iterate....

As in a Feistel construction?

> the design through
> more and more sophisticated analyses until it _seems_ both
> appropriately secure and efficient.

Appropriate for whom? Not too strong, but just about right? Efficient? Meets the requirements of someone of few thoughts worth encrypting or that of a government who would hide the routine from the prying eyes of the curious?

> Then the next step is to enlist
> some more people to help in the process of searching for missed
> weaknesses, and eventually publication.

Enlist? Easy for the military to say. Publication? Easy for the established press to say.

>
> It's an ongoing process of weeding out weaknesses, gradually bringing
> in more and more people as one's confidence in the lack of "silly
> mistakes" grows, just like any other safety-critical large-scale
> engineering project.

Large scale projects can fail too... The Broken Pyramid, notable bridge collapses (interior and exterior), numerous levee systems, multistory old masonry buildings in earthquakes, anti-disease vaccinations pushed in hopes that they would work in time of war, etc. Granted, it is easy to guard against some cryptological mistakes, while others are sort of obscure; overcoming prejudice and criticism against concepts that are generally well known is also a hurdle.
>
> There certainly is a lot of scope for amateurs to suggest _ideas_ to
> use in cipher design, but a serious _design_ itself needs to be at the
> centre of such a process of cryptanalysis, not just made up by
> inspired guesswork.

All productive guesswork is inspired; it is just the nature of the inspiration that you really question, but it does not always come in the same form. If you do follow someone else's ingredient list, you may, no surprise, produce ideas in line with the common logic of that recipe.

>
> So I'd agree that experience in cryptanalysis isn't necessary to
> create a plausible _looking_ design, but that it is an _absolute
> necessity_ for creating an actual publishable design (unless you just
> wanted to create a toy cipher). If the 10000's of amateur
> cryptographers all started publishing designs, we'd be in a total mess!

Speak for yourself white man.

>
> These days ciphers are expected to be used as building blocks for all
> sorts of security primitives, so even "security" involves resistance
> to many different modes of attack, and the amount of work needed to
> design a cipher is usually beyond the skills and patience of a single
> individual anyway.

Ah, beyond the Expert Syndrome to the group-think phenomena. And, I suppose that such a design system would put ALL the names of the contributors out front. It would seem best to acknowledge even the most meager of efforts that helped the team, as it might make a difference if the coffee was brewed correctly. Including all the help would make the front people look less important, or are they not the essential ingredient in the first place?

>
> Our whole digital infrastructure is going to depend on future ciphers
> being secure, and I for one don't want to see the information
> superhighway made of "concrete" that washes away the first time it
> rains because its recipe was formulated by a well-meaning amateur who
> didn't know anything about QA'ing concrete!!
>

Roads, unlike cryptographic algorithms, are best built under the old Roman model, and pavement has not improved much since.

The problem with the whole digital infrastructure is that we have a very sick patient, and the base question should be whether we should start over, beginning with the very design of the lowest end to include historically known security wisdom and extend it throughout, not whether we can put it in a rest home so as to prolong the agony.

--
---
Passing a budget that no single person has fully seen is bad. Ronnie was right at least once.
---
Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 26 Oct 1998 03:41:23 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <3633eed3.1151576@news.visi.com>
References: <jgfunj-2210981357000001@dialup159.itexas.net>
Newsgroups: sci.crypt
Lines: 40

On Thu, 22 Oct 1998 13:56:59 -0600, jgfunj@EnqvbSerrGrknf.pbz (W T Shaw) wrote:

>Many imply that if you simply follow their rules for cipher construction,
>you need not do much of the analysis yourself. They even suggest that
>someone else do it, a catch 22.

Many are wrong.

>> That's like saying a blind person can paint a scene in correct colours
>> despite being unable to see what they are doing! Sure it's not
>> _impossible_ that it could happen, but no-one with an ounce of common sense
>> expects such an outrageously lucky outcome (or even for the paint to
>> end up on the canvas!!)
>
>Did you see the story on TV about the guy who is blind and bicycles? He
>has learned sonic location, and clicks his tongue as a generator.
>
>Out of curiosity, I once asked a blind man to describe different colors.
>The explanations he had remembered from what he had heard made sense. This
>is somewhat in line with my above comments about following someone else's
>crypto design strategies.

Remember that security is orthogonal to functionality. A blind guy gets feedback--from the pavement, large objects, etc--to tell him he is succeeding or failing at bicycle riding. An algorithm designer gets no such feedback.

>> We don't want a cipher that might well be
>> extremely strong, we want ciphers that are extremely likely to be
>> strong...
>
>According to someone else's plan....

The totality of "someone elses" are the attackers.

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems     Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419       Fax: 612-823-1590
Free crypto newsletter. See: http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: Sun, 25 Oct 1998 23:31:04 -0600
From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw)
Message-ID: <jgfunj-2510982331040001@207.22.198.192>
References: <3633eed3.1151576@news.visi.com>
Newsgroups: sci.crypt
Lines: 20

In article <3633eed3.1151576@news.visi.com>, schneier@counterpane.com (Bruce Schneier) wrote:

>
> Remember that security is orthogonal to functionality. A blind guy
> gets feedback--from the pavement, large objects, etc--to tell him he
> is succeeding or failing at bicycle riding. An algorithm designer
> gets no such feedback.

Sure he does, if and when what he did is discovered to be wanting. However, it is an oft used tactic to hide that news so that you can continue to read his mail.

More to the point, the AES process is *designed* as a big feedback mechanism, the quicker acting the better.

>
--
---
Please excuse if there are multiple postings for my responses... I have no idea where they come from, as I only receive one confirmation for each posting from my newsserver.
---
Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 26 Oct 1998 03:38:23 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <3633ee7c.1064691@news.visi.com>
References: <kxsogkfzny.fsf@harlequin.co.uk>
Newsgroups: sci.crypt
Lines: 77

On 19 Oct 1998 14:29:21 +0100, Mark Tillotson <markt@harlequin.co.uk> wrote:

>jsavard@freenet.edmonton.ab.ca () wrote:
>| And a general familiarity with the principles of cryptanalysis, especially
>| as they apply to the kind of cipher one is attempting to design, is going
>| to be an important guide away from various pitfalls.
>|
>| However, cryptanalysis is a discipline of its own, and requires either
>| considerable stamina or advanced mathematical skills. One does not quite
>| need these qualifications to design a secure cipher, particularly if one
>| is following your earlier advice and not ignoring the lessons of previous
>| designs.
>
>Nonsense! How on earth can you claim to design a secure cipher if you are
>_incapable_ of distinguishing a weak cipher from a strong cipher??? It
>just doesn't make any sense at all.
>
>That's like saying a blind person can paint a scene in correct colours
>despite being unable to see what they are doing! Sure it's not
>_impossible_ that it could happen, but no-one with an ounce of common sense
>expects such an outrageously lucky outcome (or even for the paint to
>end up on the canvas!!) We don't want a cipher that might well be
>extremely strong, we want ciphers that are extremely likely to be
>strong...

Good comment.

>With cipher design we don't even have a way of distinguishing strong
>from weak, we merely have techniques of varying sophistication for
>trying to identify and measure weakness, and people more or less
>highly skilled at applying them and inventing new techniques of
>analysis. The cipher designer needs to iterate the design through
>more and more sophisticated analyses until it _seems_ both
>appropriately secure and efficient.
>Then the next step is to enlist
>some more people to help in the process of searching for missed
>weaknesses, and eventually publication.
>
>It's an ongoing process of weeding out weaknesses, gradually bringing
>in more and more people as one's confidence in the lack of "silly
>mistakes" grows, just like any other safety-critical large-scale
>engineering project.
>
>There certainly is a lot of scope for amateurs to suggest _ideas_ to
>use in cipher design, but a serious _design_ itself needs to be at the
>centre of such a process of cryptanalysis, not just made up by
>inspired guesswork.

Agreed.

>So I'd agree that experience in cryptanalysis isn't necessary to
>create a plausible _looking_ design, but that it is an _absolute
>necessity_ for creating an actual publishable design (unless you just
>wanted to create a toy cipher). If the 10000's of amateur
>cryptographers all started publishing designs, we'd be in a total mess!

1000s of TriStratas and Ultimate Privacies. Sounds horrible.

>These days ciphers are expected to be used as building blocks for all
>sorts of security primitives, so even "security" involves resistance
>to many different modes of attack, and the amount of work needed to
>design a cipher is usually beyond the skills and patience of a single
>individual anyway.
>
>Our whole digital infrastructure is going to depend on future ciphers
>being secure, and I for one don't want to see the information
>superhighway made of "concrete" that washes away the first time it
>rains because its recipe was formulated by a well-meaning amateur who
>didn't know anything about QA'ing concrete!!

Rah rah.

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems     Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419       Fax: 612-823-1590
Free crypto newsletter. See: http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 26 Oct 1998 08:18:40 GMT
From: cryptonews@my-dejanews.com
Message-ID: <711b90$he8$1@nnrp1.dejanews.com>
References: <3633ee7c.1064691@news.visi.com>
Newsgroups: sci.crypt
Lines: 30

In article <3633ee7c.1064691@news.visi.com>, schneier@counterpane.com (Bruce Schneier) wrote:

> >So I'd agree that experience in cryptanalysis isn't necessary to
> >create a plausible _looking_ design, but that it is an _absolute
> >necessity_ for creating an actual publishable design (unless you just
> >wanted to create a toy cipher). If the 10000's of amateur
> >cryptographers all started publishing designs, we'd be in a total mess!
>
> 1000s of TriStratas and Ultimate Privacies. Sounds horrible.

This is not about crypto and security; it is rather becoming about Bruce Schneier's BIG EGO and what he thinks the world should be.

You should be ashamed of posting this response on SCI.CRYPT.

Cheers,

Sam Kamille

> Rah rah.
>
> Bruce
> **********************************************************************
> Bruce Schneier, President, Counterpane Systems     Phone: 612-823-1098
> 101 E Minnehaha Parkway, Minneapolis, MN 55419       Fax: 612-823-1590
> Free crypto newsletter. See: http://www.counterpane.com
>
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 26 Oct 1998 13:06:03 GMT
From: dscott@networkusa.net
Message-ID: <711s3r$3j4$1@nnrp1.dejanews.com>
References: <711b90$he8$1@nnrp1.dejanews.com>
Newsgroups: sci.crypt
Lines: 33

In article <711b90$he8$1@nnrp1.dejanews.com>, cryptonews@my-dejanews.com wrote:

> In article <3633ee7c.1064691@news.visi.com>,
> schneier@counterpane.com (Bruce Schneier) wrote:
> > >So I'd agree that experience in cryptanalysis isn't necessary to
> > >create a plausible _looking_ design, but that it is an _absolute
> > >necessity_ for creating an actual publishable design (unless you just
> > >wanted to create a toy cipher). If the 10000's of amateur
> > >cryptographers all started publishing designs, we'd be in a total mess!
> >
> > 1000s of TriStratas and Ultimate Privacies. Sounds horrible.
>
> This is not about crypto and security; it is rather becoming about
> Bruce Schneier's BIG EGO and what he thinks the world should be.
>
> You should be ashamed of posting this response on SCI.CRYPT.
>
> Cheers,
>
> Sam Kamille
>

Play it again Sam. For a while I thought I was the only one intelligent enough to notice Mr B.S. is nothing but a big BLOWHARD; it seems that everyone else was following him like a god. If you read my hate mail messages.

--
http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
ftp search for scott*u.zip in norway
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 26 Oct 1998 18:00:16 GMT
From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard)
Message-ID: <3634b729.7043376@news.prosurfr.com>
References: <711b90$he8$1@nnrp1.dejanews.com>
Newsgroups: sci.crypt
Lines: 39

cryptonews@my-dejanews.com wrote, in part:

>In article <3633ee7c.1064691@news.visi.com>,
> schneier@counterpane.com (Bruce Schneier) wrote:
>> >So I'd agree that experience in cryptanalysis isn't necessary to
>> >create a plausible _looking_ design, but that it is an _absolute
>> >necessity_ for creating an actual publishable design (unless you just
>> >wanted to create a toy cipher). If the 10000's of amateur
>> >cryptographers all started publishing designs, we'd be in a total mess!
>> 1000s of TriStratas and Ultimate Privacies. Sounds horrible.

> This is not about crypto and security; it is rather becoming about
> Bruce Schneier's BIG EGO and what he thinks the world should be.
> You should be ashamed of posting this response on SCI.CRYPT.

No, that is not at all true or fair.

I'll admit, I'm a bit more liberal. I think that, while some knowledge of cryptanalysis is needed to design a secure cipher, one doesn't actually need the level of knowledge that one can use to easily prove you know what you're talking about - and so life is more complicated.

I'd also say that amateur cipher designs are harmless enough, if the person responsible is reasonably modest, and doesn't try to claim he has the solution to everybody's problem, and all other ciphers are irrelevant.

Actually, if there were 10,000 amateur cipher designs published, the harm would be mainly to amateur cipher designers - in that their designs would receive even less attention than is now the case. The channels of professional publication would simply become a bit more exclusive - in self-defence, to remain usable, not out of egotism.

John Savard
http://members.xoom.com/quadibloc/index.html
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 28 Oct 1998 18:32:41 GMT
From: aquiranx@goliat.ugr.es (Gurripato (x=nospam))
Message-ID: <363758d1.27371552@news.cica.es>
References: <3634b729.7043376@news.prosurfr.com>
Newsgroups: sci.crypt
Lines: 22

On Mon, 26 Oct 1998 18:00:16 GMT, jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) wrote:

>
>Actually, if there were 10,000 amateur cipher designs published, the
>harm would be mainly to amateur cipher designers - in that their
>designs would receive even less attention than is now the case. The
>channels of professional publication would simply become a bit more
>exclusive - in self-defence, to remain usable, not out of egotism.
>
>John Savard
>http://members.xoom.com/quadibloc/index.html

Not to speak of crypto-credibility as a whole. If those 10.000 amateur ciphers existed and were published, crypto vendors would start incorporating them into their products. How would the customers react when 9.990 of those ciphers are proved to be weak? They would distrust all ciphers in general, and perhaps turn to some "credible" source like the USGov or the NSA (or Bill Gates, come to that). Designing homemade ciphers is fun; pretending they are strong and useful in real life is another matter.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 28 Oct 1998 19:13:43 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <36376ccf.5706026@news.io.com>
References: <363758d1.27371552@news.cica.es>
Newsgroups: sci.crypt
Lines: 65

On Wed, 28 Oct 1998 18:32:41 GMT, in <363758d1.27371552@news.cica.es>, in sci.crypt aquiranx@goliat.ugr.es (Gurripato (x=nospam)) wrote:

>On Mon, 26 Oct 1998 18:00:16 GMT, jsavard@tenMAPSONeerf.edmonton.ab.ca (John
>Savard) wrote:
>
>>
>>Actually, if there were 10,000 amateur cipher designs published, the
>>harm would be mainly to amateur cipher designers - in that their
>>designs would receive even less attention than is now the case. The
>>channels of professional publication would simply become a bit more
>>exclusive - in self-defence, to remain usable, not out of egotism.
>>
>>John Savard
>>http://members.xoom.com/quadibloc/index.html
>
> Not to speak of crypto-credibility as a whole. If those 10.000
>amateur ciphers existed and were published, crypto vendors would start
>incorporating them into their products. How would the customers react when
>9.990 of those ciphers are proved to be weak? They would distrust all
>ciphers in general, and perhaps turn to some "credible" source like the
>USGov or the NSA (or Bill Gates, come to that). Designing homemade ciphers
>is fun; pretending they are strong and useful in real life is another
>matter.

This is a legitimate concern, but it applies to everything we have.

The problem is that we cannot measure the strength of a cipher. But that means *any* cipher, even the well-regarded ones. So, if one of the few well-regarded ciphers that people actually use is found weak, does this not reflect on the entire field, the whole profession, indeed the whole concept of cryptography?

I would argue that the better situation for "crypto-credibility" is if we have many ciphers and various users need to select a cipher on their own, and thus take some responsibility for it.
In a "many cipher" environment, if a particular cipher fails, some subset of the population is affected, and they quickly change to another cipher. But if the major cipher we all use fails, and users do not normally change ciphers (and thus probably can't), we have a major disaster for a long time, and *that* is how we lose "crypto-credibility." Better a lot of small failures and short changeovers than one huge failure with a changeover that could take years.

And when a cipher is actually *found* weak, this is actually the lesser problem, *provided* users have alternate ciphers *and* can select them rather quickly. The larger problem is when a cipher *is* weak and none of our guys can show that. Then we get to use that thing.

It is *dangerous* for everybody to use the same cipher. Analysis cannot be enough. We also need to establish defensive protocols -- such as the ability to change ciphers, universal multi-ciphering, and having "many ciphers" (to reduce the value of the traffic under any one) -- to help mitigate our fundamental uncertainty about cipher strength.

---
Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
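The two "defensive protocols" named in the post above, the ability to change ciphers and multi-ciphering under independent keys, can be made concrete in a small envelope format. The following is an added example, not code from the thread or from any of its participants. It assumes a registry that maps a one-byte cipher identifier to a primitive, and it uses hash-based counter-mode keystreams from Python's standard library as constructed stand-ins for real ciphers, since the point is the envelope and the layering, not the primitive. The envelope records which cipher(s) were used, so a receiver can decrypt traffic written before a switch and a sender can change ciphers without changing the format; with two layers, recovering one layer's key yields only the inner ciphertext, not the plaintext.

```python
"""Cipher-agile, multi-ciphered envelope (added illustration; assumptions
are labelled).  Primitives below are hash-based keystreams standing in for
independently designed ciphers; they are constructed for this example."""
import hashlib
import os
import struct

# Assumption: a registry of cipher identifiers.  Each value names a hash that
# is run in counter mode: keystream block i = H(key || nonce || i).
CIPHER_REGISTRY = {
    1: "sha256",    # stand-in for "cipher A"
    2: "sha512",    # stand-in for "cipher B", independent of A
    3: "sha3_256",  # stand-in for a replacement cipher adopted later
}
NONCE_LEN = 16


def keystream(cipher_id: int, key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand (key, nonce) into `length` keystream bytes for the named cipher."""
    alg = CIPHER_REGISTRY[cipher_id]  # KeyError if the id is not supported
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hashlib.new(alg, key + nonce + struct.pack(">Q", ctr)).digest()
        ctr += 1
    return bytes(out[:length])


def xor_layer(cipher_id: int, key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Apply (or remove; XOR is its own inverse) one keystream layer."""
    ks = keystream(cipher_id, key, nonce, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def multi_encrypt(plaintext: bytes, layers) -> bytes:
    """Encrypt under each (cipher_id, key) in `layers`, innermost first.

    Envelope layout: [layer count (1 byte)]
                     [cipher_id (1 byte) || nonce (16 bytes)] per layer
                     [ciphertext]
    The identifiers travel with the data, which is what lets a deployment
    switch ciphers without a format change."""
    header = bytes([len(layers)])
    body = plaintext
    for cipher_id, key in layers:
        nonce = os.urandom(NONCE_LEN)  # fresh per layer, never reused with a key
        body = xor_layer(cipher_id, key, nonce, body)
        header += bytes([cipher_id]) + nonce
    return header + body


def multi_decrypt(blob: bytes, keys_by_layer) -> bytes:
    """Peel layers outermost first using keys in the same order as encryption."""
    n = blob[0]
    pos = 1
    meta = []
    for _ in range(n):
        cid = blob[pos]
        nonce = blob[pos + 1:pos + 1 + NONCE_LEN]
        pos += 1 + NONCE_LEN
        meta.append((cid, nonce))
    body = blob[pos:]
    for i in reversed(range(n)):
        cid, nonce = meta[i]
        body = xor_layer(cid, keys_by_layer[i], nonce, body)
    return body


def layers_used(blob: bytes):
    """Report which cipher ids an envelope was written with (for audits)."""
    return [blob[1 + i * (1 + NONCE_LEN)] for i in range(blob[0])]


if __name__ == "__main__":
    k1, k2 = os.urandom(32), os.urandom(32)
    msg = b"constructed sample message"
    env = multi_encrypt(msg, [(1, k1), (2, k2)])
    print("layers:", layers_used(env))
    print("round trip ok:", multi_decrypt(env, [k1, k2]) == msg)
    # Switching ciphers is a change of identifier, not of format.
    env2 = multi_encrypt(msg, [(3, os.urandom(32))])
    print("after switch:", layers_used(env2))
```

Decrypting with only one of the two layer keys returns the other layer's ciphertext, which is the property the post calls for: a break of one cipher does not expose traffic that was also protected by an independent one. The registry lookup is what fails when traffic arrives under an identifier the receiver no longer supports, so retiring a cipher is a registry change rather than a code change.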
Subject: Re: Memo to the Amateur Cipher Designer
Date: 28 Oct 1998 14:52:00 -0500
From: juola@mathcs.duq.edu (Patrick Juola)
Message-ID: <717sl0$m32$1@quine.mathcs.duq.edu>
References: <36376ccf.5706026@news.io.com>
Newsgroups: sci.crypt
Lines: 41

In article <36376ccf.5706026@news.io.com>, Terry Ritter <ritter@io.com> wrote:

>
>On Wed, 28 Oct 1998 18:32:41 GMT, in <363758d1.27371552@news.cica.es>,
>in sci.crypt aquiranx@goliat.ugr.es (Gurripato (x=nospam)) wrote:
>
>>On Mon, 26 Oct 1998 18:00:16 GMT, jsavard@tenMAPSONeerf.edmonton.ab.ca (John
>>Savard) wrote:
>>
>>
>>>
>>>Actually, if there were 10,000 amateur cipher designs published, the
>>>harm would be mainly to amateur cipher designers - in that their
>>>designs would receive even less attention than is now the case. The
>>>channels of professional publication would simply become a bit more
>>>exclusive - in self-defence, to remain usable, not out of egotism.
>>>
>>>John Savard
>>>http://members.xoom.com/quadibloc/index.html
>>
>> Not to speak of crypto-credibility as a whole. If those 10.000
>>amateur ciphers existed and were published, crypto vendors would start
>>incorporating them into their products. How would the customers react when
>>9.990 of those ciphers are proved to be weak? They would distrust all
>>ciphers in general, and perhaps turn to some "credible" source like the
>>USGov or the NSA (or Bill Gates, come to that). Designing homemade ciphers
>>is fun; pretending they are strong and useful in real life is another
>>matter.
>
>This is a legitimate concern, but it applies to everything we have.
>
>
>The problem is that we cannot measure the strength of a cipher. But
>that means *any* cipher, even the well-regarded ones.

This is untrue.
It's fairly easy to come up with a measurement of the strength of a cypher -- and even a fairly meaningful measurement as an upper bound of the strength of a cypher -- to wit, no cypher can be stronger than the effort required by the best known attack to break it.

-kitten
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 02 Nov 1998 17:57:07 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <363df228.1199990@news.io.com>
References: <717sl0$m32$1@quine.mathcs.duq.edu>
Newsgroups: sci.crypt
Lines: 31

On 28 Oct 1998 14:52:00 -0500, in <717sl0$m32$1@quine.mathcs.duq.edu>, in sci.crypt juola@mathcs.duq.edu (Patrick Juola) wrote:

>>[...]
>>The problem is that we cannot measure the strength of a cipher. But
>>that means *any* cipher, even the well-regarded ones.
>
>This is untrue. It's fairly easy to come up with a measurement
>of the strength of a cypher -- and even a fairly meaningful measurement
>as an upper bound of the strength of a cypher -- to wit, no cypher
>can be stronger than the effort required by the best known attack
>to break it.

From the user's standpoint, an upper bound is *not* the strength, and is not even a useful estimate.

For a user, a *lower* bound would be acceptable, since an Opponent would have to invest that amount of effort *at least* to penetrate the cipher. But an *upper* bound is inherently deceptive of the effort an Opponent might have to spend. The real value could be much, much less. For any upper bound, the real strength could be none at all.

To the user, since we have *neither* the real strength, *nor* the lower bound, we have no useful measure of strength at all.

---
Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Memo to the Amateur Cipher Designer
Date: 2 Nov 1998 15:23:18 -0500
From: juola@mathcs.duq.edu (Patrick Juola)
Message-ID: <71l4bm$rm9$1@quine.mathcs.duq.edu>
References: <363df228.1199990@news.io.com>
Newsgroups: sci.crypt
Lines: 39

In article <363df228.1199990@news.io.com>, Terry Ritter <ritter@io.com> wrote:

>
>On 28 Oct 1998 14:52:00 -0500, in <717sl0$m32$1@quine.mathcs.duq.edu>,
>in sci.crypt juola@mathcs.duq.edu (Patrick Juola) wrote:
>
>>>[...]
>>>The problem is that we cannot measure the strength of a cipher. But
>>>that means *any* cipher, even the well-regarded ones.
>>
>>This is untrue. It's fairly easy to come up with a measurement
>>of the strength of a cypher -- and even a fairly meaningful measurement
>>as an upper bound of the strength of a cypher -- to wit, no cypher
>>can be stronger than the effort required by the best known attack
>>to break it.
>
>From the user's standpoint, an upper bound is *not* the strength, and
>is not even a useful estimate.

Depends on which user you talk to, I suspect. It's certainly a useful estimate if the upper bound is too small to represent an acceptable risk. In other words, people *know* not to use DES not because of the outside chance that a brilliant cryptographer might be able to crack it quickly, but because there's no possible way that it could resist a determined brute-force attempt.

One can, after all, always buy insurance against the lucky break.

>To the user, since we have *neither* the real strength, *nor* the
>lower bound, we have no useful measure of strength at all.

Again, this is incorrect. I stand by my original statement that we have a meaningful measure. Just because it doesn't do what *YOU* want doesn't make it nonexistent. Mere dislike has rarely been able to conjure things out of existence.

I have an upper bound, I insure against the lower bound being smaller than I envision, and the risk becomes Lloyd's.

-kitten
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 10 Nov 1998 04:37:50 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <3647c318.8268430@news.io.com>
References: <71l4bm$rm9$1@quine.mathcs.duq.edu>
Newsgroups: sci.crypt
Lines: 51

On 2 Nov 1998 15:23:18 -0500, in <71l4bm$rm9$1@quine.mathcs.duq.edu>, in sci.crypt juola@mathcs.duq.edu (Patrick Juola) wrote:

>[...]
>In other words, people *know* not to use DES
>not because of the outside chance that a brilliant cryptographer
>might be able to crack it quickly, but because there's no possible
>way that it could resist a determined brute-force attempt.

When cryptanalysis identifies a practical break, it provides very useful information.

But most cryptanalysis does not do this, but instead produces yet another impractical break. The user thus gets to judge between ciphers with impractical breaks and ciphers as yet unanalyzed. Cryptanalysis does not provide information useful for making such a decision.

>>To the user, since we have *neither* the real strength, *nor* the
>>lower bound, we have no useful measure of strength at all.
>
>Again, this is incorrect. I stand by my original statement that
>we have a meaningful measure. Just because it doesn't do what
>*YOU* want doesn't make it nonexistent. Mere dislike has rarely
>been able to conjure things out of existence.

Not only does cryptanalysis not do what *I* want, it hardly does anything at all *unless* it comes up with a practical break. The vast majority of cryptanalysis -- so praised by so many -- does nothing at all to inform users about the strength of their cipher.

Indeed, The Opponents may be superior to our analysts in many ways, and may have breaks our guys do not. What our guys find in no way implies that The Opponents have nothing better: that is the crux of the problem.

>I have an upper bound, I insure against the lower bound being
>smaller than I envision, and the risk becomes Lloyd's.

So if you have an affair, and The Opponents provide your wife with that information, does Lloyd's guarantee a new wife, one just as good or better?

---
Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 10 Nov 1998 16:49:40 GMT
From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard)
Message-ID: <36486db8.1953802@news.prosurfr.com>
References: <3647c318.8268430@news.io.com>
Newsgroups: sci.crypt
Lines: 22

ritter@io.com (Terry Ritter) wrote, in part:

>When cryptanalysis identifies a practical break, it provides very
>useful information.

>But most cryptanalysis does not do this, but instead produces yet
>another impractical break. The user thus gets to judge between
>ciphers with impractical breaks and ciphers as yet unanalyzed.
>Cryptanalysis does not provide information useful for making such a
>decision.

Ah. Sorry for failing to understand what you were getting at: since differential, meet-in-the-middle attacks, etc., require enormous quantities of known plaintext, either it is not clear they invalidate a system for practical use, or, if they do prompt some precautionary measures, the result is still not known to be secure.

And your point that not all risks can be handled by insurance is true and amusing.

John Savard
http://www.freenet.edmonton.ab.ca/~jsavard/index.html
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 10 Nov 1998 18:12:23 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <364880f0.803066@news.visi.com>
References: <3647c318.8268430@news.io.com>
Newsgroups: sci.crypt
Lines: 34

On Tue, 10 Nov 1998 04:37:50 GMT, ritter@io.com (Terry Ritter) wrote:

>When cryptanalysis identifies a practical break, it provides very
>useful information.
>
>But most cryptanalysis does not do this, but instead produces yet
>another impractical break. The user thus gets to judge between
>ciphers with impractical breaks and ciphers as yet unanalyzed.
>Cryptanalysis does not provide information useful for making such a
>decision.

To many of us, impractical breaks provide very useful information to judge between ciphers.

>Not only does cryptanalysis not do what *I* want, it hardly does
>anything at all *unless* it comes up with a practical break. The vast
>majority of cryptanalysis -- so praised by so many -- does nothing at
>all to inform users about the strength of their cipher.

Probably. But to me, that's because users are not mathematicians. The vast majority of cryptanalysis does a lot to inform cryptographers about the strength of ciphers.

There's an NSA saying: "Attacks always get better." Ciphers that allow theoretical breaks are weaker than ciphers that don't. For example, there is an attack against IDEA that works against 4.5 round variants. If there were a cipher for which that other attack did not work, then ALL OTHER THINGS BEING EQUAL I would prefer that other cipher to IDEA.

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems     Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419       Fax: 612-823-1590
           Free crypto newsletter.  See:  http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 11 Nov 1998 15:18:01 GMT
From: "Douglas A. Gwyn" <DAGwyn@null.net>
Message-ID: <3649AA9A.E8719FD7@null.net>
References: <364880f0.803066@news.visi.com>
Newsgroups: sci.crypt
Lines: 27

Bruce Schneier wrote:
> To many of us, impractical breaks provide very useful information to
> judge between ciphers.

They provide information, which you may *choose* to use in judging, but that is not necessarily a rational choice. To be rational, its *relevance* to the functional criteria needs to be established.

> There's an NSA saying: "Attacks always get better." Ciphers that
> allow theoretical breaks are weaker than ciphers that don't.

Ah, but how do you know that they don't? Unless you have a proof of that, instead what you have is a lack of knowledge of any successful method of attack. That doesn't mean one cannot exist.

> For
> example, there is an attack against IDEA that works against 4.5 round
> variants. If there were a cipher for which that other attack did not
> work, then ALL OTHER THINGS BEING EQUAL I would prefer that other
> cipher to IDEA.

For that to be rational, you'd need to demonstrate that all other things are indeed equal. But that is most unlikely!

I think, as often happens in academia, attention is focused too heavily on areas where metrics exist, whether or not the metrics have practical value.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 12 Nov 1998 21:59:21 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <364b5a27.14538834@news.io.com>
References: <364880f0.803066@news.visi.com>
Newsgroups: sci.crypt
Lines: 71

On Tue, 10 Nov 1998 18:12:23 GMT, in <364880f0.803066@news.visi.com>, in sci.crypt schneier@counterpane.com (Bruce Schneier) wrote:

>On Tue, 10 Nov 1998 04:37:50 GMT, ritter@io.com (Terry Ritter) wrote:
>[...]
>>Not only does cryptanalysis not do what *I* want, it hardly does
>>anything at all *unless* it comes up with a practical break. The vast
>>majority of cryptanalysis -- so praised by so many -- does nothing at
>>all to inform users about the strength of their cipher.
>
>Probably. But to me, that's because users are not mathematicians.
>The vast majority of cryptanalysis does a lot to inform
>cryptographers about the strength of ciphers.

"Strength" is usually taken to be the minimum possible effort used for any possible successful attack. Finding a successful attack certainly tells us that "strength" can be no higher than that attack. But it does not tell us what the strength really is. So the attack tells us *nothing* about the real strength of the cipher. I would think it quite odd indeed that any mathematician would say otherwise.

>There's an NSA saying: "Attacks always get better."

We might just as well say: "Any cipher a man can make, another can break." Which means *any* cipher is vulnerable.

These sayings have their place: Nobody is going to break a cipher by starting out saying that the job cannot be done. Nobody is going to improve an attack by starting out thinking the first attack is the final word. Such sayings have their place in encouraging creative cryptanalysis on apparently very tough ciphers. But sayings are not a basis for scientific comparison.

>Ciphers that
>allow theoretical breaks are weaker than ciphers that don't.

And that is precisely the leap I have been discussing.

I am aware of no scientific basis for that statement. This takes us back to witchcraft and old-wives'-tales.

>For
>example, there is an attack against IDEA that works against 4.5 round
>variants. If there were a cipher for which that other attack did not
>work, then ALL OTHER THINGS BEING EQUAL I would prefer that other
>cipher to IDEA.

And that is a different argument. That is the extrapolation argument with which I agree.

The argument with which I disagree is that a cipher *with* an impractical break (and which cannot reasonably be extrapolated to further weakness) can be considered weaker than a cipher *without* an impractical break.

To the extent that cryptanalysis produces impractical breaks, that work tells us nothing about the practical strength of ciphers.

---
Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 03 Nov 1998 00:28:01 GMT
From: sandy.harris@sympatico.ca (Sandy Harris)
Message-ID: <l6s%1.110$GK.251745@news20.bellglobal.com>
References: <363df228.1199990@news.io.com>
Newsgroups: sci.crypt
Lines: 60

ritter@io.com (Terry Ritter) wrote:

>in sci.crypt juola@mathcs.duq.edu (Patrick Juola) wrote:
>
>>>[...]
>>>The problem is that we cannot measure the strength of a cipher. But
>>>that means *any* cipher, even the well-regarded ones.
>>
>>This is untrue. It's fairly easy to come up with a measurement
>>of the strength of a cypher -- and even a fairly meaningful measurement
>>as an upper bound of the strength of a cypher -- to wit, no cypher
>>can be stronger than the effort required by the best known attack
>>to break it.
>
>From the user's standpoint, an upper bound is *not* the strength, and
>is not even a useful estimate.
>
>For a user, a *lower* bound would be acceptable, since an Opponent
>would have to invest that amount of effort *at least* to penetrate the
>cipher. But an *upper* bound is inherently deceptive of the effort an
>Opponent might have to spend. The real value could be much, much
>less. For any upper bound, the real strength could be none at all.
>
>To the user, since we have *neither* the real strength, *nor* the
>lower bound, we have no useful measure of strength at all.

Basically, I think you're right here. But I have a question.

We can in fact take the minimum of a set of upper bounds derived from all the obvious attacks.

    Brute force search.
    Meet-in-the-middle search if that appears possible.
    Linear & differential cryptanalysis.
    An attempt to write the cipher as a system of
    Boolean equations expressing ciphertext bits in
    terms of key & plaintext and then, given a bunch
    of plaintext/ciphertext pairs, solve for the key.
    For stream ciphers, linear complexity.
    Attacks based on cycles in block ciphers.
    . . .

I think that for good ciphers, lower bounds on the resources required for most or all of those can be proved. Any lower bound on resources needed for an attack is also an upper bound on the strength of the cipher. It cannot be stronger overall than it is against that attack.

If all of those are much higher than our worst-case estimate of attacker's resources, then we still don't know the strength of the cipher, but we do at least know that:

    unless the cipher has a weakness not tested above, it
    is strong enough
    if it does have such a weakness, an attacker is going to
    have to be clever, lucky and/or persistent to find it
    only a new attack based on an unknown weakness can
    succeed

This still does not measure the real strength, but it at least gives us some reason to hope.
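Harris's procedure, taking the minimum over the upper bounds given by the obvious attacks, can be carried out end to end on a small case. The following is an added example, not code from the thread or from any participant: a 16-bit toy block cipher (constructed here, along with its constants and sample keys) applied twice with independent keys. The naive attack is a 2**32 search over both keys; the meet-in-the-middle attack from Harris's list costs about 2*2**16 encryptions plus a 2**16-entry table, so the tightest upper bound on the strength of the double cipher is 2**17, not 2**32. The code actually runs the attack so the bound is demonstrated rather than asserted.

```python
# Added example (not from the thread): Sandy Harris's "minimum of a set of
# upper bounds", run against double encryption with a 16-bit toy block cipher.
# Brute force over both keys is 2**32 trials; the meet-in-the-middle attack
# needs about 2*2**16 trials plus a 2**16-entry table, so the smallest known
# upper bound is 2**17, far below the nominal 2**32. The cipher, constants and
# sample keys are constructed for this illustration.

MASK16 = 0xFFFF
KEY_BITS = 16
ROUNDS16 = 4
DELTA = 0x9E37        # round-constant increment (constructed)

def rotl16(x, n):
    n %= 16
    return ((x << n) | (x >> (16 - n))) & MASK16

def rotr16(x, n):
    return rotl16(x, (16 - n) % 16)

def toy16_encrypt(key, x):
    """Add-rotate-xor rounds; the modular addition makes it non-linear."""
    for i in range(ROUNDS16):
        rk = (key + DELTA * i) & MASK16
        x = rotl16((x + rk) & MASK16, 5) ^ rk
    return x

def toy16_decrypt(key, x):
    for i in reversed(range(ROUNDS16)):
        rk = (key + DELTA * i) & MASK16
        x = (rotr16(x ^ rk, 5) - rk) & MASK16
    return x

def double_encrypt(k1, k2, x):
    return toy16_encrypt(k2, toy16_encrypt(k1, x))

def attack_costs(key_bits=KEY_BITS):
    """Work factor (in single toy encryptions) of each obvious attack.

    Each entry is an UPPER bound on the strength of double encryption.
    None of them is a lower bound; that is exactly Ritter's complaint.
    """
    return {
        "brute force over both keys": 2 ** (2 * key_bits),
        "meet-in-the-middle": 2 * 2 ** key_bits,   # plus 2**key_bits table entries
    }

def min_upper_bound(costs):
    """The cheapest known attack is the tightest upper bound we have."""
    name = min(costs, key=costs.get)
    return name, costs[name]

def meet_in_the_middle(pairs):
    """Recover (k1, k2) from a few known (pt, ct) pairs.

    Tabulate E_k1(pt0) for every k1, then for every k2 look up D_k2(ct0).
    A 16-bit block leaves about 2**16 false matches on one pair, so the
    remaining pairs filter them. Returns every surviving (k1, k2).
    """
    pt0, ct0 = pairs[0]
    forward = {}
    for k1 in range(1 << KEY_BITS):
        forward.setdefault(toy16_encrypt(k1, pt0), []).append(k1)
    survivors = []
    for k2 in range(1 << KEY_BITS):
        mid = toy16_decrypt(k2, ct0)
        for k1 in forward.get(mid, ()):
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                survivors.append((k1, k2))
    return survivors

if __name__ == "__main__":
    k1, k2 = 0x1234, 0xABCD                                   # constructed secret keys
    pairs = [(p, double_encrypt(k1, k2, p)) for p in (0x0000, 0x5A5A, 0xFFFF)]
    for name, cost in attack_costs().items():
        print("%-30s 2**%d" % (name, cost.bit_length() - 1))
    print("tightest upper bound:", min_upper_bound(attack_costs()))
    print("keys recovered:", [(hex(a), hex(b)) for a, b in meet_in_the_middle(pairs)])
```

The point of running it is the one Ritter makes two posts later: the 2**32 figure was a perfectly valid upper bound until someone in the list happened to include meet-in-the-middle, after which the bound dropped by a factor of 2**15. Nothing in the procedure says the next attack on the list will not drop it again.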
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 03 Nov 1998 09:01:24 GMT
From: dscott@networkusa.net
Message-ID: <71mgp3$f3h$1@nnrp1.dejanews.com>
References: <l6s%1.110$GK.251745@news20.bellglobal.com>
Newsgroups: sci.crypt
Lines: 58

In article <l6s%1.110$GK.251745@news20.bellglobal.com>, sandy.harris@sympatico.ca (Sandy Harris) wrote:
> ritter@io.com (Terry Ritter) wrote:
>
> >in sci.crypt juola@mathcs.duq.edu (Patrick Juola) wrote:
> >
> >>>[...]
> >>>The problem is that we cannot measure the strength of a cipher. But
> >>>that means *any* cipher, even the well-regarded ones.
> >>
> >>This is untrue. It's fairly easy to come up with a measurement
> >>of the strength of a cypher -- and even a fairly meaningful measurement
> >>as an upper bound of the strength of a cypher -- to wit, no cypher
> >>can be stronger than the effort required by the best known attack
> >>to break it.
> >
> >From the user's standpoint, an upper bound is *not* the strength, and
> >is not even a useful estimate.
> >
> >For a user, a *lower* bound would be acceptable, since an Opponent
> >would have to invest that amount of effort *at least* to penetrate the
> >cipher. But an *upper* bound is inherently deceptive of the effort an
> >Opponent might have to spend. The real value could be much, much
> >less. For any upper bound, the real strength could be none at all.
> >
> >To the user, since we have *neither* the real strength, *nor* the
> >lower bound, we have no useful measure of strength at all.
>
> Basically, I think you're right here. But I have a question.
>
> We can in fact take the minimum of a set of upper bounds derived
> from all the obvious attacks.
>
> Brute force search.
> Meet-in-the-middle search if that appears possible.
> Linear & differential cryptanalysis.
> An attempt to write the cipher as a system of
> Boolean equations expressing ciphertext bits in
> terms of key & plaintext and then, given a bunch
> of plaintext/ciphertext pairs, solve for the key.
> For stream ciphers, linear complexity.
> Attacks based on cycles in block ciphers.
> . . .

Some other things that most miss that should be added to this is how much information is needed by the guy breaking to know if he has decoded the file. This may seem like a hard-to-follow concept, but if one needs only to look at a small fragment of the file to run tests to check for a solution, then it is a measurable weakness. My method in scottNu was designed to eliminate this weakness that is in all the Fishy DES-type ciphers.

--
http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
ftp search for scott*u.zip in norway

-----------== Posted via Deja News, The Discussion Network ==----------
http://www.dejanews.com/       Search, Read, Discuss, or Start Your Own
Subject: Re: Memo to the Amateur Cipher Designer
Date: 3 Nov 1998 16:48:57 GMT
From: jmccarty@sun1307.spd.dsccc.com (Mike McCarty)
Message-ID: <71nc5p$6br$1@relay1.dsccc.com>
References: <l6s%1.110$GK.251745@news20.bellglobal.com>
Newsgroups: sci.crypt
Lines: 59

In article <l6s%1.110$GK.251745@news20.bellglobal.com>, Sandy Harris <sandy.harris@sympatico.ca> wrote:
)Basically, I think you're right here. But I have a question.
)
)We can in fact take the minimum of a set of upper bounds derived
)from all the obvious attacks.
)
) Brute force search.
) Meet-in-the-middle search if that appears possible.
) Linear & differential cryptanalysis.
) An attempt to write the cipher as a system of
) Boolean equations expressing ciphertext bits in
) terms of key & plaintext and then, given a bunch
) of plaintext/ciphertext pairs, solve for the key.
) For stream ciphers, linear complexity.
) Attacks based on cycles in block ciphers.
) . . .

Are you including attacks based on, say, bribery?

Unless you are willing specifically to state the exact list of attacks (which seems undesirable), then you must state a specific criterion by which one may, by application of the criterion, determine whether any given proposed attack falls in the list of canonical attacks. This seems difficult to me.

)I think that for good ciphers, lower bounds on the resources required
)for most or all of those can be proved. Any lower bound on resources
)needed for an attack is also an upper bound on the strength of the
)cipher. It cannot be stronger overall than it is against that attack.

This principle seems good to me.

)If all of those are much higher than our worst-case estimate of
)attacker's resources, then we still don't know the strength of
)the cipher, but we do at least know that:
)
) unless the cipher has a weakness not tested above, it
) is strong enough
) if it does have such a weakness, an attacker is going to
) have to be clever, lucky and/or persistent to find it
) only a new attack based on an unknown weakness can
) succeed
)
)This still does not measure the real strength, but it at least
)gives us some reason to hope.

If we can devise some predicate P(.) which can be applied to attacks and which determines whether the proposed attack satisfies the predicate for canonicity, then I think your idea is workable.

It seems to me that formulating this predicate will be (unless it is in the form of a list of canonical attacks) very difficult to do. Perhaps not impossible. This looks to me to be a reasonable research area.

Mike
--
----
char *p="char *p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
I don't speak for Alcatel      <- They make me say that.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 03 Nov 1998 17:05:48 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <363f37b9.3868604@news.io.com>
References: <l6s%1.110$GK.251745@news20.bellglobal.com>
Newsgroups: sci.crypt
Lines: 86

On Tue, 03 Nov 1998 00:28:01 GMT, in <l6s%1.110$GK.251745@news20.bellglobal.com>, in sci.crypt sandy.harris@sympatico.ca (Sandy Harris) wrote:

>ritter@io.com (Terry Ritter) wrote:
>>[...]
>>To the user, since we have *neither* the real strength, *nor* the
>>lower bound, we have no useful measure of strength at all.
>
>Basically, I think you're right here. But I have a question.
>
>We can in fact take the minimum of a set of upper bounds derived
>from all the obvious attacks.
>
> Brute force search.
> Meet-in-the-middle search if that appears possible.
> Linear & differential cryptanalysis.
> An attempt to write the cipher as a system of
> Boolean equations expressing ciphertext bits in
> terms of key & plaintext and then, given a bunch
> of plaintext/ciphertext pairs, solve for the key.
> For stream ciphers, linear complexity.
> Attacks based on cycles in block ciphers.
> . . .
>
>I think that for good ciphers, lower bounds on the resources required
>for most or all of those can be proved.

Yet if we look in the cryptanalytic literature, we almost invariably find a *sequence* of ever-better versions that each improve on the previous attack. I believe I have seen improved versions of:

* Meet-in-the-Middle,
* Linear Cryptanalysis, and
* Differential Cryptanalysis,

but I think such sequences are common.

Now, if it were practical to know lower bounds for these attacks, why would we ever see improved versions in the literature? And since we *do* see improved versions, how can we believe in computing lower bounds for strength, even for a particular attack?

>Any lower bound on resources
>needed for an attack is also an upper bound on the strength of the
>cipher. It cannot be stronger overall than it is against that attack.
>
>If all of those are much higher than our worst-case estimate of
>attacker's resources, then we still don't know the strength of
>the cipher, but we do at least know that:
>
> unless the cipher has a weakness not tested above, it
> is strong enough

These "attacks" each depend upon human interpretation. Now who tests the tester? If someone tells us that a cipher is strong under these attacks, how can we believe it?

> if it does have such a weakness, an attacker is going to
> have to be clever, lucky and/or persistent to find it

We use cryptography to face attackers with far greater resources in training, experience, equipment, time and motivation. Just because *we* have failed to find a weakness is no reason to think the attackers will also. There is no correlation, no correct extrapolation.

> only a new attack based on an unknown weakness can
> succeed
>
>This still does not measure the real strength, but it at least
>gives us some reason to hope.

The reason for hope is the acknowledgement of the problem and the use of protocols which tend to minimize it. The strength quality is literally out of control, so we cannot trust that.

---
Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Memo to the Amateur Cipher Designer
Date: 6 Nov 1998 08:42:08 GMT
From: olson@umbc.edu (Bryan G. Olson; CMSC (G))
Message-ID: <71ucp0$ghp$1@news.umbc.edu>
References: <363f37b9.3868604@news.io.com>
Newsgroups: sci.crypt
Lines: 23

Terry Ritter (ritter@io.com) wrote:
[...]
: We use cryptography to face attackers with far greater resources in
: training, experience, equipment, time and motivation. Just because
: *we* have failed to find a weakness is no reason to think the
: attackers will also. There is no correlation, no correct
: extrapolation.

No correlation???? You've talked yourself into a bunch of nonsense.

Note that for no correlation to exist, it is necessary that no cipher is weakness free. If any is, then both defender and attacker must fail to find weakness and therefore there would be a correlation. So how do you know there's no correlation?

--Bryan
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 02 Nov 1998 20:01:18 GMT
From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard)
Message-ID: <363e0e04.12569961@news.prosurfr.com>
References: <717sl0$m32$1@quine.mathcs.duq.edu>
Newsgroups: sci.crypt
Lines: 20

juola@mathcs.duq.edu (Patrick Juola) wrote, in part:

>This is untrue. It's fairly easy to come up with a measurement
>of the strength of a cypher -- and even a fairly meaningful measurement
>as an upper bound of the strength of a cypher -- to wit, no cypher
>can be stronger than the effort required by the best known attack
>to break it.

But Terry Ritter is right that there's no easy way to derive the actual strength (or, for that matter, a _lower_ bound on the strength of a cipher, IMO). He feels this is an important problem in cryptography to which not enough attention is being devoted.

I feel, on the other hand, that this isn't a problem one *can* work on specifically. That this is a goal which requires every great question in mathematics to have been answered. So, in a way, *all* mathematical work proceeds to that goal - but it's a very distant one.

John Savard
http://members.xoom.com/quadibloc/index.html
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 03 Nov 1998 17:04:48 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <363f37a3.3846779@news.io.com>
References: <363e0e04.12569961@news.prosurfr.com>
Newsgroups: sci.crypt
Lines: 49

On Mon, 02 Nov 1998 20:01:18 GMT, in <363e0e04.12569961@news.prosurfr.com>, in sci.crypt jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) wrote:

>juola@mathcs.duq.edu (Patrick Juola) wrote, in part:
>
>>This is untrue. It's fairly easy to come up with a measurement
>>of the strength of a cypher -- and even a fairly meaningful measurement
>>as an upper bound of the strength of a cypher -- to wit, no cypher
>>can be stronger than the effort required by the best known attack
>>to break it.
>
>But Terry Ritter is right that there's no easy way to derive the
>actual strength (or, for that matter, a _lower_ bound on the strength
>of a cipher, IMO). He feels this is an important problem in
>cryptography to which not enough attention is being devoted.

Having no lower bounds for strength may be "an important problem" to the academic study of cryptography. But it also calls into question *the entire field* of practical cryptography. The whole point of the actual use of cryptography is to *enforce* security. Without at least a minimum value for strength, the user has no guarantee -- or even a useful probability -- of that.

We can try to improve this situation by multi-ciphering and other protocols, but we have a real problem that should be universally recognized and commonly discussed. This is not just, or even mainly, "academic," it is a real problem in practice for real systems.

>I feel, on the other hand, that this isn't a problem one *can* work on
>specifically. That this is a goal which requires every great question
>in mathematics to have been answered. So, in a way, *all* mathematical
>work proceeds to that goal - but it's a very distant one.

The actual truth of not knowing the strength of the ciphers we field for people to use is not just an academic problem. Breaking a cipher gives us no more useful information about the strength of the cipher than we had before that cipher was broken.

---
Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 03 Nov 1998 23:42:10 GMT
From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard)
Message-ID: <363f8efc.24854596@news.prosurfr.com>
References: <363f37a3.3846779@news.io.com>
Newsgroups: sci.crypt
Lines: 74

ritter@io.com (Terry Ritter) wrote, in part:
>jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) wrote:

>>I feel, on the other hand, that this isn't a problem one *can* work on
>>specifically. That this is a goal which requires every great question
>>in mathematics to have been answered. So, in a way, *all* mathematical
>>work proceeds to that goal - but it's a very distant one.

>The actual truth of not knowing the strength of the ciphers we field
>for people to use is not just an academic problem. Breaking a cipher
>gives us no more useful information about the strength of the cipher
>than we had before that cipher was broken.

Breaking a cipher can, of course, give us information that is useful in a negative sense: we can know for a fact that a certain cipher is too weak to be worth using.

Of course it isn't merely an academic problem, but something desirable from a practical point of view, to have a _lower_ bound for a cipher's strength. Solving it perfectly, in the academic sense, however, appears to be impossible - unless mathematics ever gets "finished".

Since the current rough-and-ready method of taking the upper bound with a grain of salt and discounting it as a strength guess is not acceptable, I assume you want a real, provable, lower bound. And whether one uses it for academic or practical purposes, it's just as unobtainable.

I don't contradict your statement that this is a serious problem for cryptography that we don't have this: but if there is no realistic prospect of obtaining it, directed effort at finding a way of obtaining lower bounds on cipher strength, however badly we need it, is _still_ a waste of time.

The fact that we all grow old, and this inevitably leads to death, is certainly a serious problem; but until very recently, attempting to solve this problem was still not a rational act.

Of course, the last time I said this, shortly after I came up with an "insight" into cryptanalysis that I thought got us *slightly* closer to the goal; no proven lower bound, but at least a little bit more insight for our guesses.

I'll put that insight on the record again: on a very high level, cryptanalysis can be divided into three types of operation:

- Brute force trying of all possibilities for the key or for some part of the key;

- Directly calculating the key from other information (e.g. calculating the private key from the public key by factoring; trying a probable word on a Vigenere);

- Separating the key - or, and this is very important, some internal transform of the key - into pieces that can be brute-forced separately.

I claim that #3 is sufficiently broad and vague to cover 99% of all cryptanalytic techniques in existence - yet it has enough content to suggest ways of making ciphers stronger, and maybe even is a first step to quantifying strength - in an imperfect and incomplete sense.

Perhaps what I'm saying is obvious to you, and the reason you are going beyond stating the fact that lower bounds on cryptographic strength don't exist to criticizing the cryptographic community for their nonexistence is because you do have some insight into how one might begin to go about looking for a way to find lower bounds.

If you do have such an insight, you have come up with something of great value.

John Savard
http://members.xoom.com/quadibloc/index.html
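Savard's second category is easiest to see in the classical case he names, trying a probable word on a Vigenere. The following is an added example, not code from the thread or from any participant: the probable word is dragged along the ciphertext; at each offset the word is subtracted from the ciphertext to give the key letters that offset would imply; an offset whose implied key letters repeat with the assumed period is almost certainly right, and the key is read off directly with no search over the key space. The plaintext, key and probable phrase are constructed for this illustration.

```python
# Added example (not from the thread): John Savard's second category,
# "directly calculating the key from other information", in its classical
# form: dragging a probable word along a Vigenere ciphertext. At each offset
# the word is subtracted from the ciphertext to give a key fragment; if the
# fragment repeats with the assumed period, that offset yields the whole key.
# The plaintext, key and probable phrase below are constructed for this
# illustration.

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

def _shift(c, k, sign):
    """Shift letter c by letter k (sign=+1 to encrypt, -1 to decrypt)."""
    return ALPHABET[(ALPHABET.index(c) + sign * ALPHABET.index(k)) % 26]

def vigenere_encrypt(plaintext, key):
    return "".join(_shift(p, key[i % len(key)], +1) for i, p in enumerate(plaintext))

def vigenere_decrypt(ciphertext, key):
    return "".join(_shift(c, key[i % len(key)], -1) for i, c in enumerate(ciphertext))

def probable_word_attack(ciphertext, word, key_len):
    """Return [(offset, key), ...] for every offset where `word` fits.

    Needs len(word) > key_len so that the periodicity test has something to
    check; with len(word) == key_len every offset passes trivially.
    """
    hits = []
    for off in range(len(ciphertext) - len(word) + 1):
        # Key fragment implied by assuming `word` sits at this offset:
        # key letter = ciphertext letter minus plaintext letter.
        fragment = [_shift(ciphertext[off + j], word[j], -1) for j in range(len(word))]
        # The Vigenere key repeats every key_len letters; a wrong offset
        # almost never produces a fragment with that periodicity.
        if all(fragment[j] == fragment[j + key_len] for j in range(len(word) - key_len)):
            key = [None] * key_len
            for j, letter in enumerate(fragment):
                key[(off + j) % key_len] = letter
            if None not in key:
                hits.append((off, "".join(key)))
    return hits

if __name__ == "__main__":
    plaintext = "ATTACKATDAWNTHEENEMYISWEAKENED"   # constructed
    ciphertext = vigenere_encrypt(plaintext, "LEMON")
    for off, key in probable_word_attack(ciphertext, "THEENEMY", key_len=5):
        print("offset %2d key %s -> %s" % (off, key, vigenere_decrypt(ciphertext, key)))
```

The cost here is linear in the length of the ciphertext and does not depend on the size of the key space at all, which is what distinguishes Savard's second category from the first and third: the key is computed, not searched for.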
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 04 Nov 1998 11:56:18 GMT
From: "Douglas A. Gwyn" <DAGwyn@null.net>
Message-ID: <364040DF.98B1A714@null.net>
References: <363f8efc.24854596@news.prosurfr.com>
Newsgroups: sci.crypt
Lines: 16

John Savard wrote:
> I'll put that insight on the record again: on a very high level,
> cryptanalysis can be divided into three types of operation:
> - Brute force trying of all possibilities for the key or for some part
> of the key;
> - Directly calculating the key from other information (e.g.
> calculating the private key from the public key by factoring; trying a
> probable word on a Vigenere);
> - Separating the key - or, and this is very important, some internal
> transform of the key - into pieces that can be brute-forced
> separately.

It's nice to try to bring order to the subject, but the above is not complete. Some cryptanalysis doesn't even recover the key (this happened to me with Zendian DDHAA as I recall), and at other times one recovers a decimation of the true key.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 04 Nov 1998 23:49:49 GMT
From: dscott@networkusa.net
Message-ID: <71qp6u$a6h$1@nnrp1.dejanews.com>
References: <364040DF.98B1A714@null.net>
Newsgroups: sci.crypt
Lines: 33

In article <364040DF.98B1A714@null.net>, "Douglas A. Gwyn" <DAGwyn@null.net> wrote:
> John Savard wrote:
> > I'll put that insight on the record again: on a very high level,
> > cryptanalysis can be divided into three types of operation:
> > - Brute force trying of all possibilities for the key or for some part
> > of the key;
> > - Directly calculating the key from other information (e.g.
> > calculating the private key from the public key by factoring; trying a
> > probable word on a Vigenere);
> > - Separating the key - or, and this is very important, some internal
> > transform of the key - into pieces that can be brute-forced
> > separately.
>
> It's nice to try to bring order to the subject, but the above
> is not complete. Some cryptanalysis doesn't even recover the
> key (this happened to me with Zendian DDHAA as I recall),
> and at other times one recovers a decimation of the true key.
>

And sometimes the encryption program itself does not use or solve for the key that the method is based on. Like in scott19u.zip, which an anonymous crypto person has offered to set up a site talking about. I will fix up his omissions and misunderstandings as time goes on.

--
http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
http://members.xoom.com/ecil/index.htm
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 10 Nov 1998 03:33:24 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <3647b3ca.4349316@news.io.com>
References: <363f8efc.24854596@news.prosurfr.com>
Newsgroups: sci.crypt
Lines: 59

On Tue, 03 Nov 1998 23:42:10 GMT, in <363f8efc.24854596@news.prosurfr.com>, in sci.crypt jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) wrote:

>[...]
>Breaking a cipher can, of course, give us information that is useful
>in a negative sense: we can know for a fact that a certain cipher is
>too weak to be worth using.

But many of the results in cryptanalysis do not present us with a cipher known to be unusably weak. Many of these results need impractical efforts. Does an impractical break argue for using another cipher which has no break -- when that cipher *also* has no lower bound on strength? How is that a better situation?

>[...]
>The fact that we all grow old, and this inevitably leads to death, is
>certainly a serious problem; but until very recently, attempting to
>solve this problem was still not a rational act.

We know that life exists; all we need do is prolong it. Presumably, there are many specific problems. For each one we fix, we can scientifically verify improved results.

But we do not know that cryptographic strength exists, and we cannot verify it. No matter how many problems we fix, we have no idea whether strength has improved or not. This is a distinctly different situation.

>[...]
>Perhaps what I'm saying is obvious to you, and the reason you are
>going beyond stating the fact that lower bounds on cryptographic
>strength don't exist to criticizing the cryptographic community for
>their nonexistence is because you do have some insight into how one
>might begin to go about looking for a way to find lower bounds.

Well, it is *not* obvious to me that there *cannot* be a cipher with some amount of proven strength. I am aware of no proof that all ciphers must be weak.

But the reason I brought this stuff up and stayed with it was in direct response to the recent stuff on attacking ciphers. It was suggested that cryptanalysis is the way users know the strength of their ciphers. That suggestion is false.

In reality, cryptanalysis only benefits *users* when their particular cipher is actually shown to be weak in practice *and* the user can switch to something else. Any cryptanalytic results which show impractical breaks are irrelevant to the user and essentially contribute no information about strength.

---
Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 10 Nov 1998 17:26:20 GMT
From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard)
Message-ID: <3648706c.2645679@news.prosurfr.com>
References: <3647b3ca.4349316@news.io.com>
Newsgroups: sci.crypt
Lines: 116

ritter@io.com (Terry Ritter) wrote, in part:

> jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) wrote:
> > [...]
> > Breaking a cipher can, of course, give us information that is useful in a negative sense: we can know for a fact that a certain cipher is too weak to be worth using.
>
> But many of the results in cryptanalysis do not present us with a cipher known to be unusably weak. Many of these results need impractical efforts. Does an impractical break argue for using another cipher which has no break -- when that cipher *also* has no lower bound on strength? How is that a better situation?

At that point, my comment was just a minor nitpick for the sake of strict correctness. An impractical break is not an argument for using a completely different cipher, but between two closely similar ciphers, the one protected against the impractical break but not otherwise different is likely to be stronger.

> > [...]
> > The fact that we all grow old, and this inevitably leads to death, is certainly a serious problem; but until very recently, attempting to solve this problem was still not a rational act.
>
> We know that life exists; all we need do is prolong it. Presumably, there are many specific problems. For each one we fix, we can scientifically verify improved results.
>
> But we do not know that cryptographic strength exists, and we cannot verify it. No matter how many problems we fix, we have no idea whether strength has improved or not. This is a distinctly different situation.

Looked at that way, yes. But the analogy is aimed at a different aspect of the situation. A fog surrounds cryptographic strength, but it is not clear that we can lift it, or where we would begin to try to do so.

I'm not qualified to carry it out, but I wouldn't be surprised if a competent mathematician couldn't supply a proof that "proving a cipher strong" is equivalent to solving the halting problem. (Which may have occurred to Alan Turing...)

> > [...]
> > Perhaps what I'm saying is obvious to you, and the reason you are going beyond stating the fact that lower bounds on cryptographic strength don't exist to criticizing the cryptographic community for their nonexistence is because you do have some insight into how one might begin to go about looking for a way to find lower bounds.
>
> Well, it is *not* obvious to me that there *cannot* be a cipher with some amount of proven strength. I am aware of no proof that all ciphers must be weak.

No, there certainly won't be such a proof either! And there is one cipher with proven strength: the one-time pad, as someone is sure to note.

But proving something about the _work factor_ required to break a cipher requires your proof to say something about every possible attack - based on any mathematical principle that may not even be discovered yet. Which is the basis for my comment about the halting problem.

Unless something can be done about this situation, while it is valid to note its existence as a caveat, it does not invalidate the efforts of those who are working within the realm of what is practical to achieve. Yes, cryptography is still, in this area, more of an art than an exact science. But there appear to be fundamental reasons why this is so.

> But the reason I brought this stuff up and stayed with it was in direct response to the recent stuff on attacking ciphers. It was suggested that cryptanalysis is the way users know the strength of their ciphers. That suggestion is false.

It is the way they can know the little that can be known; the people saying this are suggesting cryptanalysis in preference to nothing, citing examples of people designing ciphers with no knowledge of cryptanalysis, thereby making mistakes that we already know how to avoid, and coming up with designs that are easily broken.

My response - which I still stand by, despite almost joining the "in club" with a spurious result against Panama - is that a cipher designer ought to have an understanding of cryptanalysis, yes, but having an acquaintance with it and being a fully-qualified cryptanalyst are two different things, of which only the lesser is needed for designing ciphers. Not that a higher degree of qualifications isn't desirable. But doctors and nurses and pharmacists aren't expected to always be all three; composers should have some ability to play an instrument, and performers should understand musical theory, but one can be first-rate at one while only indifferent at the other.

> In reality, cryptanalysis only benefits *users* when their particular cipher is actually shown to be weak in practice *and* the user can switch to something else. Any cryptanalytic results which show impractical breaks are irrelevant to the user and essentially contribute no information about strength.

Or when the cipher they might have used was shown to be weak before they used it. Some of the impractical breaks - not all of them - do hint at the possibility of a weakness that could be exploited in practice, and that, too, is of some use.

When life gives Bruce a lemon, he makes lemonade. But I'm not aware that he was pretending it was orange juice, even if the fact that it is only lemonade should perhaps be underscored a bit more than it has been.

John Savard
http://www.freenet.edmonton.ab.ca/~jsavard/index.html
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 04 Nov 1998 09:26:28 -0500
From: Jerry Leichter <leichter@smarts.com>
Message-ID: <36406414.3178@smarts.com>
References: <363f37a3.3846779@news.io.com>
Newsgroups: sci.crypt
Lines: 76

| Having no lower bounds for strength may be "an important problem" to the academic study of cryptography.
|
| But it also calls into question *the entire field* of practical cryptography.
|
| The whole point of the actual use of cryptography is to *enforce* security. Without at least a minimum value for strength, the user has no guarantee -- or even a useful probability -- of that....

There is no proof of security for key locks, combination locks, or any other means of providing physical security. There is no proof of the security of any practical end-user software, operating system, or even hardware implementation. There is no proof that any source of random numbers is really random.

Even if you *had* a provably-strong encryption algorithm as an abstract mathematical object (and, in fact, we do - a true OTP), it would be impossible for you to realize it in a real world without relying on components about which you could prove very little if anything.

Almost nothing in the real world is amenable to proof in any mathematical sense. At best, we have "relative" proofs: *If* quantum mechanics is correct, *then* thermal noise from a diode is random and genuinely unpredictable. *If* our theories about how circuits work are correct, then a system built of amplifiers, samplers, and such will retain the randomness inherent in the diode's noise. *If* the real physical parts really do behave "closely enough" to our theories, then the real random noise generator really does generate random bits. And so on.

I don't want to criticize mathematical techniques. They are important in many areas, cryptography among them, because our intuitions about security aren't very good: Long experience has shown us that what seems secure on the surface may fall to very simple attacks - simple attacks that may be based on sophisticated mathematical reasoning.

But it's important to understand that ultimately *all* our knowledge of how physical artifacts work is empirical. We believe that pin-tumbler locks are reasonably secure because experience has shown that few people know how to pick them. We believe mushroom-head pins give you even more secure locks because the best lock-pickers have trouble with them. Similarly, we believe Medeco's are even more secure because no one has been able to pick them consistently. On the other hand, Ace locks are a great example of how real attacks work: They are virtually unpickable with standard tools, but it's possible to build a special tool (I believe there's even a patent on such a tool) that makes it very easy to pick one. Since hardly anyone has one of these tools, in the real world, Ace locks are considered quite secure.

It would be really nice if there were a provably-strong cipher. It would be a triumph for mathematics. Lower bounds on complexity are known for almost no non-trivial algorithms. P vs. NP is only one part of the problem; in most interesting cases, we don't know the degree of the polynomial. We can't, in many cases, even say if a sub-exponential algorithm exists. (It's a common mistake to think that "not-P" means "exponential". There are infinitely many functions that grow faster than any polynomial but slower than any exponential. Factoring is an example of an algorithm for which no polynomial algorithm is known - but for which sub-exponential algorithms have been around for years.) Progress in this area has been slow and difficult.

When it comes to proofs (a) the history of mathematics isn't encouraging: Usually, proofs are available only for approaches that are idealized in some way to make them amenable to mathematical techniques. These are often not particularly well suited for real-world application; (b) even if you had such a thing, the guarantee that it could give you concerning the entire real-world system in which it was embedded would be so weak as to be almost useless. As always, the security of a system is only as strong as its weakest component. With any of the well-studied cipher systems out there today, it's unlikely that the mathematical structure of the cipher will be the weakest component of a real-world system in which it is embedded.

-- Jerry
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 06 Nov 1998 07:14:41 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <3642a1ca.765177@news.visi.com>
References: <36406414.3178@smarts.com>
Newsgroups: sci.crypt
Lines: 16

On Wed, 04 Nov 1998 09:26:28 -0500, Jerry Leichter <leichter@smarts.com> wrote:

> As always, the security of a system is only as strong as its weakest component. With any of the well-studied cipher systems out there today, it's unlikely that the mathematical structure of the cipher will be the weakest component of a real-world system in which it is embedded.

Profoundly true.

Bruce

**********************************************************************
Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590
Free crypto newsletter. See: http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 10 Nov 1998 03:33:37 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <3647b406.4409649@news.io.com>
References: <36406414.3178@smarts.com>
Newsgroups: sci.crypt
Lines: 109

On Wed, 04 Nov 1998 09:26:28 -0500, in <36406414.3178@smarts.com>, in sci.crypt Jerry Leichter <leichter@smarts.com> wrote:

> | Having no lower bounds for strength may be "an important problem" to the academic study of cryptography.
> |
> | But it also calls into question *the entire field* of practical cryptography.
> |
> | The whole point of the actual use of cryptography is to *enforce* security. Without at least a minimum value for strength, the user has no guarantee -- or even a useful probability -- of that....
>
> There is no proof of security for key locks, combination locks, or any other means of providing physical security.

But we can be more sure about these simple devices than the vast majority of far-more-complex ciphers.

I would say that locks are more like hashes than ciphers. The only "ciphertext" in a lock is "open" vs "close." Often, they are "keyed" by the manufacturer and there is no key-change ability in the field. A known-plaintext attack always works, and we accept that, while we abhor the same thing in a cipher.

But most of all, when a lock is physically broken, we will know. We will know that someone had that capability, and exercised it. Presumably we can use that information to improve our security. But when a cipher is broken for real, we will *not* know. This is a much worse and more dangerous situation.

In the physical world, we can monitor the current disposition of our holdings and provide real-time support for attacks. We cannot do this in the data world, so we depend more on the quality of the lock itself. Too bad we cannot measure that quality.

> There is no proof of the security of any practical end-user software, operating system,

Yes. Vast complexity makes thorough testing impossible, although proper partitioning into testable components can be a significant improvement.

> or even hardware implementation.

Certainly chip manufacturers do in fact try to test every transistor and every wire in the device. This testing thus shows a very good correspondence to the schematic. Now, whether the schematic builds a device that does what we want is essentially the previous answer. If someone gets to the chip level and can burn contacts or fuse transistors they can change the operation. But such a device will not pass its tests, so at least we have an indication of a problem.

> There is no proof that any source of random numbers is really random.

Indeed.

> Even if you *had* a provably-strong encryption algorithm as an abstract mathematical object (and, in fact, we do - a true OTP), it would be impossible for you to realize it in a real world without relying on components about which you could prove very little if anything.

Then I would not *want* a proof for that type of object!

> [...]
> With any of the well-studied cipher systems out there today, it's unlikely that the mathematical structure of the cipher will be the weakest component of a real-world system in which it is embedded.

Well, you *say* it is "unlikely" as though you know the actual probability distribution involved. But I suspect nobody knows that, so calling it "unlikely" is really quite a leap. If we don't know, we can't make a valid statement, because we really *don't know*.

We *don't know* the strength of the cipher, so we cannot infer that it has even the strength of the surrounding system. If the cipher we use happens to be trivially weak -- provided we were twice as smart as we are -- then simply using that cipher may be the weakest link.

What I have been addressing here is I think different from relatively simple mechanical things -- most of which should be within our understanding -- and ciphers -- which seem to admit "special" understandings which produce "breaks." The problem is these "special understandings." As long as we produce ciphers that admit new cryptanalysis, we cannot be sure of their true strength. If we cannot somehow confine or bound the unknown "special understandings," we will never have factual grounds to state that cipher strength is "unlikely" to be the weakest part of the system.

It is in this sense that cryptanalysis hurts cryptography: not because it breaks ciphers, but because we cannot know when it has done all it can do. Since we do not know that, any cipher continues to be potentially vulnerable.

---
Terry Ritter
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 10 Nov 1998 09:29:39 -0500
From: Jerry Leichter <leichter@smarts.com>
Message-ID: <36484DD3.2452@smarts.com>
References: <3647b406.4409649@news.io.com>
Newsgroups: sci.crypt
Lines: 98

| > With any of the well-studied cipher systems out there today, it's unlikely that the mathematical structure of the cipher will be the weakest component of a real-world system in which it is embedded.
|
| Well, you *say* it is "unlikely" as though you know the actual probability distribution involved. But I suspect nobody knows that, so calling it "unlikely" is really quite a leap. If we don't know, we can't make a valid statement, because we really *don't know*.

While we don't know the exact probability distribution, we *do* have empirical evidence - just as we have empirical evidence concerning the security of other systems we rely on. All we need do is look at the successful attacks of the last 20 years. Repeatedly, we find attacks against things like random number generation (key selection in Netscape); protocols (many examples); outright incompetent use of primitives (Microsoft's use of RC4 as a stream cipher to protect password databases); physical implementations (many attacks against smart cards); and so on. Many of these attacks have had the practical effect of completely destroying the security of fielded systems.

Over the same period of time, there are *no* published attacks with any real-world significance - except for brute force relying on limited key spaces - against any of, say, DES, RC4, IDEA, or RSA.

You can explain this difference in three ways:

1. It's just coincidence. Possible; perhaps a plausible explanation 15 years ago. But by now there are enough people, and enough attacks, that it seems very unlikely.

2. Bias in the attack distributions: If there are many more attacks against elements *other than* the mathematical structure of the algorithms than there are attacks against that structure, then naturally there will be more such successes. However, it's hard to believe that this is the explanation. In the same time period, we've seen many successful attacks against the mathematical structure of ad hoc cryptosystems (pkzip), secretly developed systems (some of the cell phone stuff), as well as tons and tons of attacks against systems designed by people who've had successes elsewhere and against systems that are variants of the ones that have stood the test of time. There is no evidence that those who've mounted these successful attacks have shied away from attacking the systems that remain standing. To the contrary, some of the most potent techniques (differential, linear, and related-key cryptanalysis) were developed precisely to attack DES (with little success) and PES (with enough success to lead it to be replaced by IDEA).

3. The only remaining possibility is the one I suggested: That the weakest link in current systems is most likely *not* in the mathematical structure of their encryption algorithms.

| ...What I have been addressing here is I think different from relatively simple mechanical things -- most of which should be within our understanding -- and ciphers -- which seem to admit "special" understandings which produce "breaks."

Do you really think that RC4, say, is any more complicated than a good combination lock? It's easy to stand here today and talk about the simplicity and transparent security of today's locks - but in fact they evolved over many years as new attacks were found, and new defenses developed. The contribution to security of many aspects of the design of a modern lock are only "obvious" when they're explained!

You can always raise the specter of the unknown techniques developed and hidden by the "black" organizations. Well, suppose I tell you that the CIA has an electromechanical device that can open any pin-tumbler lock, including the "advanced" versions like the Medeco's, within a few minutes, usually leaving no marks behind. (It uses a bunch of flexible, motor-driven probes and a combination of X-ray backscatter and ultrasound monitoring to determine pin position and alignment.) Do you still believe your analysis of the "simple, obvious" security of the locks on your doors?

Now, in fact, I made all that up. I have absolutely no idea what the CIA is capable of doing with locks. But can you provide any rational basis for claiming my "electromechanical lock picker" is any more or less likely than the NSA's secret DES crack?

I don't want to carry this analogy too far. It's a general truth that digital systems can be much more complex, and much harder to reason about, than analogue systems. This causes all kinds of risks - in security, reliability, predictability, and so on. Nevertheless, it's important to keep in mind that engineering - whether of digital or of analogue systems - is ultimately a real-world, empirical activity. Parts of it are amenable to some degree of mathematical analysis; others, at our present state of knowledge, are not; some probably will never be. Even of those amenable to analysis, the role of actual *proof* is even more limited. Where we have it, it can be very useful. But we can't wait for proofs that may, often will, never come!

-- Jerry
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 11 Nov 1998 15:07:27 GMT
From: "Douglas A. Gwyn" <DAGwyn@null.net>
Message-ID: <3649A820.49A28EE8@null.net>
References: <36484DD3.2452@smarts.com>
Newsgroups: sci.crypt
Lines: 19

Jerry Leichter wrote:
> Over the same period of time, there are *no* published attacks with any real-world significance - except for brute force relying on limited key spaces - against any of, say, DES, RC4, IDEA, or RSA.
> You can explain this difference in three ways:

More than three. For example:

4) Poorly designed protocols are easy to break.

5) Successful attacks against IDEA et al are likely only by people who know *how*, and would be kept secret.

> Do you really think that RC4, say, is any more complicated than a good combination lock? It's easy to stand here today and talk about the simplicity and transparent security of today's locks - but in fact they evolved over many years as new attacks were found, and new defenses developed. The contribution to security of many aspects of the design of a modern lock are only "obvious" when they're explained!

That's pretty funny, to a locksmith/safeman.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 11 Nov 1998 15:47:14 -0500
From: Jerry Leichter <leichter@smarts.com>
Message-ID: <3649F7D2.37AC@smarts.com>
References: <3649A820.49A28EE8@null.net>
Newsgroups: sci.crypt
Lines: 32

| > Over the same period of time, there are *no* published attacks with any real-world significance - except for brute force relying on limited key spaces - against any of, say, DES, RC4, IDEA, or RSA.
| > You can explain this difference in three ways:
|
| More than three. For example:

Well, OK.

| 4) Poorly designed protocols are easy to break.

This would be fully consistent with the statement that the crypto algorithm itself is *not* the likely weak spot in the system.

| 5) Successful attacks against IDEA et al are likely only by people who know *how*, and would be kept secret.

I suppose. But it would take a hell of a conspiracy, given the number of attacks against *other* systems that *have* been published.

| > Do you really think that RC4, say, is any more complicated than a good combination lock? It's easy to stand here today and talk about the simplicity and transparent security of today's locks - but in fact they evolved over many years as new attacks were found, and new defenses developed. The contribution to security of many aspects of the design of a modern lock are only "obvious" when they're explained!
|
| That's pretty funny, to a locksmith/safeman.

In what way?

-- Jerry
Subject: Re: Memo to the Amateur Cipher Designer
Date: Sun, 18 Oct 1998 22:16:30 GMT
From: dscott@networkusa.net
Message-ID: <70dpbv$gal$1@nnrp1.dejanews.com>
References: <36292906.1151332@news.visi.com>
Newsgroups: sci.crypt
Lines: 50

In article <36292906.1151332@news.visi.com>, schneier@counterpane.com (Bruce Schneier) wrote:

> This was in the October CRYPTO-GRAM, but I thought I'd run it through sci.crypt, since so many people seem to be asking questions on the topic.
>
> Bruce
>
> Memo to the Amateur Cipher Designer
>
> Congratulations. You've just invented this great new cipher, and you want to do something with it. You're new in the field; no one's heard of you, and you don't have any credentials as a cryptanalyst. You want to get well-known cryptographers to look at your work. What can you do?
>
> Unfortunately, you have a tough road ahead of you. I see about two new cipher designs from amateur cryptographers every week. The odds of any of these ciphers being secure are slim. The odds of any of them being both secure and efficient are negligible. The odds of any of them being worth actual money are virtually non-existent.
>

The real truth of the matter is this. If your cipher is any good people like Bruce will go out of their way to spread lies about it. It is mostly a closed group of heartless people who like to act pompous and wave credentials about. They really know very little about real crypto; only the spooks at places like the NSA in America know something about it. Part of the NSA job is to keep the world in the dark about real crypto. Think about it. What better way to do it than by creating crypto priests for people to worship. You can not get to be a very famous person for long in real crypto without the blessings of the NSA one way or another.

Of course this is just my opinion. I am running a real contest that goes to Nov 11 1999 and have supplied more info than you will get in a contest from Bruce, who has a lot more money at his command than I do. The most likely reason he can't have a contest like mine is this: the AES code he is trying to push is not that good. But then that is my humble opinion.

Go ahead and feel free to publish your stuff. Maybe Bruce will bad mouth your stuff while at the same time claiming he is too busy to have time to look at it. But he may find time to bad mouth it. Which I guess means he is afraid it is better than his stuff. One thing for sure: write enough in this group and you will get spam mailed to you about his book.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 19 Oct 1998 00:47:09 -0400
From: Tim Bass <bass@silkroad.com>
Message-ID: <362AC44D.6A988225@silkroad.com>
References: <70dpbv$gal$1@nnrp1.dejanews.com>
Newsgroups: sci.crypt
Lines: 50

dscott@networkusa.net strangely wrote:

> The real truth of the matter is this. If your cipher is any good people like ***** will go out of there way to spread lies about it. It is mostly a closed group of hreatless people ....

Disagree.

If someone does their homework and puts in the very significant time to understand iterative ciphers, understands and practices cryptanalysis, including the major art forms, then the community of those who have done their homework and have put in the significant time will not be *overly* unkind (unless of course one was having a bad day that day.)

Every person who is now "one whom has gained some fame" in this field (or any field) was once one who knew nothing about the art and science. Writing a paper which is peer reviewed takes work, hard work. Writing a book takes more work and discipline. Writing a GOOD BOOK which is well accepted by peers takes even *more* work.

Einstein was very accurate when he quipped that genius is 1 percent inspiration and 99 percent sweat.

Most of those who have written strong ciphers did not write them without very significant research into the field. Shannon and Feistel are good places to start. Then there is a large body of literature in books and notes. I suggest all the major work in QA 76.9.A25 and then some of the Z104 areas of the stacks.

It always amazes me how the more I read, research, and study, the less and less I know!!

The peer review process is the most exciting part of professional collaboration. On the other hand, everyone appreciates those who have done the necessary background work. It makes collaboration much more fun!!

Best Regards,

Tim

--
Tim Bass
Principal Consultant, Systems Engineering
Bass & Associates
Tel: (703) 222-4243
Fax: (703) 222-7320
EMail: bass@silkroad.com.antispam (remove antispam tag)
http://www.silkroad.com/consulting/technical.html
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 19 Oct 1998 11:14:49 GMT
From: dscott@networkusa.net
Message-ID: <70f6v9$jud$1@nnrp1.dejanews.com>
References: <362ACB2C.AEEA9007@null.net> <362AC44D.6A988225@silkroad.com>
Newsgroups: sci.crypt
Lines: 14

In article <362ACB2C.AEEA9007@null.net>, "Douglas A. Gwyn" <DAGwyn@null.net> wrote:

> Tim Bass wrote:
> > Einstein was very accurate when he quipped that genius is 1 percent inspiration and 99 percent sweat.
>
> I think that was Edison and perspiration.
>

John you shouldn't try to confuse a Bruce Worshiper with facts. It might confuse them.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 19 Oct 1998 12:04:29 GMT
From: david@davidham.demon.co.uk (David Hamilton)
Message-ID: <362b2aca.7134387@news.demon.co.uk>
References: <70dpbv$gal$1@nnrp1.dejanews.com>
Newsgroups: sci.crypt
Lines: 90

dscott@networkusa.net wrote:

> In article <36292906.1151332@news.visi.com>, schneier@counterpane.com (Bruce Schneier) wrote:
> > This was in the October CRYPTO-GRAM, but I thought I'd run it through sci.crypt, since so many people seem to be asking questions on the topic.

(snip extract)

> The real truth of the matter is this. If your cipher is any good people like Bruce will go out of there way to spread lies about it.

Any evidence for Bruce spreading lies? (I don't think so.)

Any evidence for your cipher being 'any good'? (nb I said 'evidence', and your opinion or assertions aren't evidence.) And don't forget, the onus is on you to provide evidence; the onus isn't on others to check your offering.

Although it is possible that somebody with very little knowledge of cryptography-relevant subjects may develop a good cipher, it is unlikely that this will happen. In your case, I don't trust your cryptographic software because:

1) In the context of a dictionary attack, on 14th June, you said that you had seen a dictionary attack work on a system where the attacker never guessed the correct passphrase but he just stumbled on one that hashed to the same value. You subsequently declined to give any information about the passphrase, the hashing algorithm, the dictionary size or the method of word selection. You also declined to give the odds of stumbling on a passphrase that hashed to the same value. Your reason for declining to give this information was that the person you were referring to 'still works for the federal government'.

2) You designed all the algorithms and code used in your software. With one exception, you can't remember the names of people who 'commented'. I would suggest that 'commenting' isn't good enough anyway; what is needed is formal inspection by competent people.

(snip some)

> only the spooks at places like the NSA in america know something about it.

So the Chinese, Europeans and Indians are excluded. Presumably you're not a spook at a place like the USA NSA and so you don't 'know something about cryptography'. So why are you pushing your crypto software?

> Part of the NSA job is to keep the world in the dark about real ctypto.

Has the USA NSA succeeded in keeping you in the dark about 'real crypto'?

(snip some)

> while at the same time claiming he (Bruce) is to busy to have time to look at it.

Nobody is under any obligation to look at/comment on/inspect your software. You seem to think that somebody owes you something. You've published your software, anybody who wants to use it or look at it can.

> One thing for sure write enough in this group and you will get spam mailed to you about his book.

I'm pretty certain I haven't been spam mailed about Bruce's book. I have seen recommendations for it and criticism of it in sci.crypt. On the other hand, I've seen a lot more ads in sci.crypt for your software.

David Hamilton.

Only I give the right to read what I write and PGP allows me to make that choice. Use PGP now. I have revoked 2048 bit RSA key ID 0x40F703B9. Please do not use.
Do use:-
2048bit rsa ID=0xFA412179 Fp=08DE A9CB D8D8 B282 FA14 58F6 69CE D32D
4096bit dh ID=0xA07AEA5E Fp=28BA 9E4C CA47 09C3 7B8A CE14 36F3 3560 A07A EA5E
Both keys dated 1998/04/08 with sole UserID=<david@davidham.demon.co.uk>
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 19 Oct 1998 23:12:53 GMT
From: dscott@networkusa.net
Message-ID: <70gh1l$gfo$1@nnrp1.dejanews.com>
References: <362b2aca.7134387@news.demon.co.uk>
Newsgroups: sci.crypt
Lines: 105

In article <362b2aca.7134387@news.demon.co.uk>,
  david@davidham.demon.co.uk (David Hamilton) wrote:
>
> dscott@networkusa.net wrote:
>
> >In article <36292906.1151332@news.visi.com>,
> > schneier@counterpane.com (Bruce Schneier) wrote:
> >> This was in the October CRYPTO-GRAM, but I thought I'd run it through
> >> sci.crypt, since so many people seem to be asking questions on the
> >> topic.
>
> (snip extract)
>
> > The real truth of the matter is this. If your cipher is any good
> >people like Bruce will go out of there way to spread lies about it.
>
> Any evidence for Bruce spreading lies? (I don't think so.)

Obviously you don't read all of the crapola that Bruce puts out there or you would notice some of his lies and comments in this group about my code. And yes I have been spammed at least twice by his for-profit company. I wrote each time for them to stop the SPAM but like all spammers you don't even get a response. If he hasn't spammed you, feel fortunate.

> Any evidence for your cipher being 'any good'? (nb I said 'evidence', and
> your opinion or assertions aren't evidence.) And don't forget, the onus is on
> you to provide evidence; the onus isn't on others to check your offering.
>
> Although it is possible that somebody with very little knowledge of
> cryptography relevant subjects may develop a good cipher, it is unlikely that
> this will happen. In your case, I don't trust your cryptographic software
> because:
>
> 1) In the context of a dictionary attack, on 14th June, you said that you
> had seen a dictionary attack work on a system where the attacker never
> guessed the correct passphrase but he just stumbled on one that hashed to the
> same value. You subsequently declined to give any information about the
> passphrase, the hashing algorithm, the dictionary size or the method of word
> selection. You also declined to give the odds of stumbling on a passphrase
> that hashed to the same value. Your reason for declining to give this
> information was that the person you were referring to 'still works for the
> federal government'.
>
> 2) You designed all the algorithms and code used in your software. With one
> exception, you can't remember the names of people who 'commented'. I would
> suggest that 'commenting' isn't good enough anyway; what is needed is formal
> inspection by competent people.
>
> (snip some)
>
> >only the spooks at places like the NSA in america know something
> >about it.
>
> So the Chinese, Europeans and Indians are excluded. Presumably you're not a
> spook at a place like the USA NSA and so you don't 'know something about
> cryptography'. So why are you pushing your crypto software?
>
> >Part of the NSA job is to keep the world in the dark about
> >real ctypto.
>
> Has the USA NSA succeeded in keeping you in the dark about 'real crypto'?
>
> (snip some)
>
> >while at the same time claiming he
> (Bruce)
> >is to busy to have time to look at it.
>
> Nobody is under any obligation to look at/comment on/inspect your software.
> You seem to think that somebody owes you something. You've published your
> software, anybody who wants to use it or look at it can.
>
> >One thing for sure write enough in this group
> >and you will get spam mailed to you about his book.
>
> I'm pretty certain I haven't been spam mailed about Bruce's book. I have seen
> recommendations for it and criticism of it in sci.crypt. On the other hand,
> I've seen a lot more ads in sci.crypt for your software.
>
> David Hamilton. Only I give the right to read what I write and PGP allows me
> to make that choice. Use PGP now.
> I have revoked 2048 bit RSA key ID 0x40F703B9. Please do not use.
> Do use:-
> 2048bit rsa ID=0xFA412179 Fp=08DE A9CB D8D8 B282 FA14 58F6 69CE D32D
> 4096bit dh ID=0xA07AEA5E Fp=28BA 9E4C CA47 09C3 7B8A CE14 36F3 3560 A07A EA5E
> Both keys dated 1998/04/08 with sole UserID=<david@davidham.demon.co.uk>

-----------== Posted via Deja News, The Discussion Network ==----------
http://www.dejanews.com/       Search, Read, Discuss, or Start Your Own
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 26 Oct 1998 13:15:41 GMT
From: dscott@networkusa.net
Message-ID: <711sls$4a9$1@nnrp1.dejanews.com>
References: <711fcj$m5l$1@nnrp1.dejanews.com> <362b2aca.7134387@news.demon.co.uk>
Newsgroups: sci.crypt
Lines: 61

In article <711fcj$m5l$1@nnrp1.dejanews.com>,
  cryptonews@my-dejanews.com wrote:
> In article <362b2aca.7134387@news.demon.co.uk>,
>   david@davidham.demon.co.uk (David Hamilton) wrote:
>
> > Has the USA NSA succeeded in keeping you in the dark about 'real
> > crypto'?
>
> David,
>
> Put aside the childish temper tantrums that Bruce and his
> opponents are throwing at each other.
>
> Folks at the NSA are in the business of building strong crypto
> for preserving the USA national security. This is a valid business
> that every nation on earth is entitled to do. I am certain that
> similar folks here in the UK work as hard as the folks at the
> NSA. The NSA is also in the business of developing efficient
> algorithms to cryptanalyze the crypto of other countries. Every
> nation that respects itself must have an NSA.
>

What you say is true. It may even be necessary. What I don't like is the spying on Americans for political reasons that will someday make what the Soviet Union had look like a dream of a long lost freedom. I don't like their role in control of our future and the dumbing down of America. I don't like the destroying of the Bill of Rights. I have a master's degree in control theory; the secret to control is measurement. If they can read everything they can control what we see and hear and trick us into slavery. Americans and world citizens need free open communications without fear of big brother reading everything, or else there will be a small rich class of people running the world and the rest of mankind will be nothing but slaves to work and live and die in fear and controlled by the few.

> I believe that the folks at the NSA are highly respectable
> professionals just like all of us.
>
> My concern here is that when an agency like the NSA which is in
> business of National Security starts Cozying with Commercial
> developers of crypto. I doubt there is even one company in North
> America that is not in bed with the NSA.
>
> If any body's company is not doing that please let us know.
>
> Cheers,
>
> Sam
>

--
http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
ftp search for scott*u.zip in norway
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 20 Oct 1998 00:19:14 GMT
From: dscott@networkusa.net
Message-ID: <70gku1$md5$1@nnrp1.dejanews.com>
References: <362B8C89.52EDE3C@AECengineering.com> <70dpbv$gal$1@nnrp1.dejanews.com>
Newsgroups: sci.crypt
Lines: 86

In article <362B8C89.52EDE3C@AECengineering.com>,
  Djim <Djim@AECengineering.com> wrote:
>
>.....
>
> Mr. Scott, I would like to talk about a few of your points.
>
> 1) You don't get famous in crypto without the blessings of the NSA. While I
> cannot prove a negative, (It is just possible that the invisible hand of the
> secret masters of the crypto world has touched everyone competent), I can
> state that most of the best crypto research published is from academics and
> hobbyist crypto people. There are many people who are quite respectable
> sources of info on the internet as well of whom I am aware. I strongly
> doubt that they are all in the NSA's pocket -- especially given the efforts
> of many of them to get various patented and strong algorithms into the hands
> of the public -- and what do they gain by being pocket servants of the NSA.
> prestige? no. respect? not if it ever gets out. money? the NSA would have
> to be paying a lot of people a lot of money to keep them in their pocket
> especially with the consideration that their reputation would be ruined if
> it got out that they were an NSA shill. Something else? Maybe, but I am hard
> pressed to think what that would be.
>

What can I say, I disagree with most of the above, but so what.

> 2) Bruce has set a contest where anything that someone says about his cypher
> -- even some thing like this code will resist the following attack with the
> following strength, or given a reduced round version of twofish the

Actually there is no guarantee anyone will win and it appears he is the judge of what wins if anyone does. So since it is not black and white I doubt seriously if he is capable of honest thought. If his contest is honest he would also offer some set of data similar to mine to break. Since many hacker types don't think the way he does and may have trouble writing their thoughts in a way his narrow mind could comprehend. He should, if he is not chicken, throw a bone to the unwashed unclean masses. He does not, so as to greatly limit the group of people to those whose thought processes are tuned to his own. Also if he had a contest it would be embarrassing to have a rank amateur break it.

> following properties are discovered which may be of use against the full
> version, or that certain keys have interesting properties. It is even
> possible, not probable that if nothing else is published a publication of
> commentary regarding one's opinions of the algorithm with some documentation
> of the points made could win.(Its ridiculously unlikely to happen, but the
> award is for the best paper published regarding it and its weakness/strength
> vs. attack). From what he has said a reward WILL be given. Your contest
> provides much less info -- Poorly documented code, and some limited
> plain/cyphertext pairs -- and sets the bar much higher. A full BREAK of the
> code -- nothing less will be enough. Sounds to me like no reward need ever
> be given out unless someone devoted way lots of time to this project and
> frankly most of us cannot be bothered to do so. Even 20 hours of my time
> bills for more than you offer. I feel that your code is at least secure
> enough that 50 hours of my time will not break it so why bother.
> If you are so sure of your code's security offer a real reward -- or a
> smaller prize given each - say year - for the best attacks vs your cypher.
> It would pay off in a better cypher and more respect on the group. Think
> about it.
>

I don't think it is fair or honest if I offered more cash than I could gather up. But I think my contest is fairer in that the winner, if there is one, is black and white. In short, in my contest the answer is right or wrong; I have no leeway to back out like he does. However in some ways my contest is less fair, in that I know for a fact mine is too hard to solve. You may have realized that when you said 50 hours of your time most likely will not solve it.

Something that no one has noticed is that if I did not state how I made the key the solution is not unique. In other words there exist many many keys over 2**1000 that map the first plain text into the given encrypted file and some of those can unmap the second encrypted file into a file that is different by exactly 4 characters and yet they are not the same as the plain text file I started with. I am not sure if there is an easy way to type a set of 4 phrases that can map to a different solution though.

I have thought about offering a 100 dollar prize to the first one who gets a close solution. That is one who comes up with just a keyraw.key file that maps the first file set and then unmaps (maps) the second encrypted file into a file like the first but different by 4 characters. Is this the kind of thing you mean? Or if one finds something close to what Paul Onions did I could offer 100 dollars but it would have to be something that good.

YOUR THOUGHTS WELCOME SINCE AT LEAST YOU MAY HAVE LOOKED AT IT
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 20 Oct 1998 00:40:21 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <362bdbc6.3212829@news.io.com>
References: <36292906.1151332@news.visi.com>
Newsgroups: sci.crypt
Lines: 190

On Sat, 17 Oct 1998 23:35:28 GMT, in <36292906.1151332@news.visi.com>, in sci.crypt schneier@counterpane.com (Bruce Schneier) wrote:

>[...]
>Congratulations. You've just invented this great new cipher, and you
>want to do something with it. You're new in the field; no one's heard
>of you, and you don't have any credentials as a cryptanalyst. You
>want to get well-known cryptographers to look at your work. What can
>you do?

Maybe some people are like this, but I doubt I would care to know them. If the reason for inventing a new cipher is to get someone else to look at it -- no matter who may be looking -- there would seem to be some small problem with goals.

In my view, the reason for inventing a new cipher -- like any new design -- is to deliver new advantages. If so, it advances the art, quite independent of whether the professional chorus agrees.

After that, it is up to the professional cryptographers to stay abreast of advances to the art, if they wish to continue to claim expertise. It is not the responsibility of the developers to go around and inform all the "experts" through their chosen media outlet. Either they keep up, or they are not experts on what they have missed, and it's just that simple.

>[...]
>What is hard is creating an algorithm that no one else can break, even
>after years of analysis. And the only way to prove that is to subject
>the algorithm to years of analysis by the best cryptographers around.

That last sentence is what the profession says, but it is as false, misleading, and self-delusional as anything in cryptography: Even years of analysis is not proof. It is not close to proof. Lack of proof of weakness is not proof of strength. Obviously.

Yet we still get the same old mantra -- that every professional knows is false -- which every newbie and security officer is encouraged to believe. Why is this? Who benefits from this?

>[...]
>It's hard to get a cryptographic algorithm published.

This, of course, is simply false. It is false in the assumption that "published" means accepted by some academic journal. And it is also more or less false in that most reasonable papers *can* be shopped around and placed in some academic journal eventually. There are many journals, and each must fill a gaping maw of pages continuously.

It is true, however, that a *good* article is more than a new idea: A good article offers *insight* as opposed to mere symbology and gobbledygook. If someone provides a good presentation of something exciting and new, they won't have much trouble placing it somewhere.

>Most
>conferences and workshops won't accept designs from unknowns and
>without extensive analysis. This may seem unfair:

Not accepting designs from "unknowns" is well beyond just *seeming* unfair, it *is* unfair. It is in fact unscientific. More than that, this also has economic consequences.

Any time an academic publication will not look at, accept, and publish work based on content -- independent of its source -- that publication is spending its academic reputation. Journals exist to serve a larger ideal than to simply further the academic careers of authors -- their existence depends upon providing the best material to their readers. They can't just reject good stuff and publish the chaff without real audience consequences.

To a large extent, the same thing applies to conferences and workshops as well. Science is not tidy, and advances often do not come from those who feel they deserve to have made them. Publishers and conference leaders who do not understand this are presiding over their own decline.

>[...]
>When I started writing _Applied Cryptography_, I heard the maxim that
>the only good algorithm designers were people who spent years
>analyzing existing designs. The maxim made sense, and I believed it.

Then you were fooled. Vernam, a mere engineer in 1919: The mechanistic stream cipher, and the basis for the one time pad.

>[...]
>A cryptographer friend tells the story of an amateur who kept
>bothering him with the cipher he invented. The cryptographer would
>break the cipher, the amateur would make a change to "fix" it, and the
>cryptographer would break it again. This exchange went on a few times
>until the cryptographer became fed up. When the amateur visited him
>to hear what the cryptographer thought, the cryptographer put three
>envelopes face down on the table. "In each of these envelopes is an
>attack against your cipher. Take one and read it. Don't come back
>until you've discovered the other two attacks." The amateur was never
>heard from again.

Hell, I wouldn't go back if I *did* know the answer: Your friend is a pompous ass. That this sort of thing is ever acceptable -- let alone actually promoted in a public forum -- shows the depth to which this "profession" has sunk.

This game of "I'm better than you" is a sickness that infects the entire field of cryptography. It makes every discussion a contest, every relationship a competition, and a mockery of facts and clear, correct reasoning. It works against development in the field, and has got to go. Those professionals who are actively cultivating ego cults for their own self-gratification are part of the problem.

In the anecdote, a better alternative would be for the cryptographer to be helpful, to explain the issues, lay out a course of study, and thus in a larger sense generally address why the general public has so little understanding of this profession. We don't, of course, see anecdotes about that. Why? See the above paragraph.

>[...]
>1. Describe your cipher using standard notation. This doesn't mean C
>code. There is established terminology in the literature. Learn it
>and use it; no one will learn your specialized terminology.

Yes. There are established notations for the design of logic systems, and they include both "schematics" and "flow charts" as well as C. But more than anything else, the "standard notation" includes a clear, logical presentation in some language (but if that is not English, *I* will have a problem!). It is also important to give some justification for the various design decisions which are usually necessary.

>[...]
>3. Show why your cipher is immune against each of the major attacks
>known in literature. It is not good enough just to say that it is
>secure, you have to show why it is secure against these attacks. This
>requires, of course, that you not only have read the literature, but
>also understand it. Expect this process to take months, and result in
>a large heavily mathematical document. And remember, statistical
>tests are not very meaningful.

That last sentence sounds a lot like statistics-envy. Surely it should read that "statistical tests should not be used to support inappropriate conclusions." But we could say the same thing about mathematics itself.

Even though mathematical cryptography is about 60 years old, it has yet to produce a road map to provable security. This means that all the cryptanalysis and all the arguments about that analysis simply hide the fact that unsuspected and unanalyzed attacks may yet exist. This does not mean that we do not analyze. But it *does* mean that analysis *cannot* be sufficient, and that makes *testing* important.

Testing is often inherently statistical. But many desirable tests are simply *impossible* to perform on a cipher of real size. In my view, that means that no cipher can lay claim to a "thorough" analysis unless it has a scalable architecture, and *is* tested -- necessarily including statistics -- at a tractable size.

Not only are statistical tests *meaningful*, they are all that stands between us and the unknown attack. Certainly it is going to be very difficult to do a good job fielding *any* cipher system without extensive statistical testing.

>4. Explain why your cipher is better than existing alternatives. It
>makes no sense to look at something new unless it has clear advantages
>over the old stuff. Is it faster on Pentiums? Smaller in hardware?
>What? I have frequently said that, given enough rounds, pretty much
>anything is secure. Your design needs to have significant performance
>advantages. And "it can't be broken" is not an advantage; it's a
>prerequisite.

Note, however, that "performance advantages" include far more than the simple speed of an AES-style cipher box: Large blocks can be an advantage. Dynamically selectable block size can be an advantage. Dynamically variable block size to the byte can be an advantage. Block independence can be an advantage. Self-authentication can be an advantage. There are many advantages which are restricted to particular uses, yet are real advantages in their proper context.

---
Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Memo to the Amateur Cipher Designer
Date: 22 Oct 1998 01:55:12 GMT
From: olson@umbc.edu (Bryan G. Olson; CMSC (G))
Message-ID: <70m3a0$e2g$1@news.umbc.edu>
References: <362bdbc6.3212829@news.io.com>
Newsgroups: sci.crypt
Lines: 21

Terry Ritter (ritter@io.com) wrote:

Bruce Schneier had written:
: >Most
: >conferences and workshops won't accept designs from unknowns and
: >without extensive analysis. This may seem unfair:

: Not accepting designs from "unknowns" is well beyond just *seeming*
: unfair, it *is* unfair. It is in fact unscientific.

I have to agree with Mr. Ritter on this one. I'll also note that the major crypto conferences remove the author's name from submissions before they go to the referees. The system is based on good faith, though I have heard referees talk about secure cryptographic protocols for anonymous review of papers. :)

--Bryan
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 22 Oct 1998 11:37:42 GMT
From: dscott@networkusa.net
Message-ID: <70n5e6$kog$1@nnrp1.dejanews.com>
References: <70m3a0$e2g$1@news.umbc.edu>
Newsgroups: sci.crypt
Lines: 41

In article <70m3a0$e2g$1@news.umbc.edu>,
  olson@umbc.edu (Bryan G. Olson; CMSC (G)) wrote:
> Terry Ritter (ritter@io.com) wrote:
>
> Bruce Schneier had written:
> : >Most
> : >conferences and workshops won't accept designs from unknowns and
> : >without extensive analysis. This may seem unfair:
>
> : Not accepting designs from "unknowns" is well beyond just *seeming*
> : unfair, it *is* unfair. It is in fact unscientific.
>
> I have to agree with Mr. Ritter on this one. I'll also note that the
> major crypto conferences remove the author's name from submission
> before they go the referees. The system is based on good faith,
> though I have heard referees talk about secure cryptographic protocols
> for anonymous review of papers. :)
>
> --Bryan
>

Well Mr Ritter in my view is a much more honest an open person than Bruce ever will be. At least it is obvious that Ritter works had to learn and stay abreast of current trends in crypto. SOmething Bruce is incapable of becasue of his narrow focus and mind set.

I have never never heard of condferences where the author name is removed. And even if the name is removed I bet any one with have a brain could tell mine from Bruces and from Mr Ritter since we all 3 have different writting styles even if we all 3 write about the exact same subject. Bruces would be acepted even if it left out key points that Mr Ritter or me may have included since he is the King of B.S. and he can Pile it Higher and Deeper.

--
http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
ftp search for scott*u.zip in norway
Subject: Re: Memo to the Amateur Cipher Designer
Date: 22 Oct 1998 13:56:30 +0100 (BST)
From: markc@chiark.greenend.org.uk (Mark Carroll)
Message-ID: <+au*FR8In@news.chiark.greenend.org.uk>
References: <70n5e6$kog$1@nnrp1.dejanews.com>
Newsgroups: sci.crypt
Lines: 47

In article <70n5e6$kog$1@nnrp1.dejanews.com>, <dscott@networkusa.net> wrote:
(snip)
> Well Mr Ritter in my view is a much more honest an open person than
>Bruce ever will be. At least it is obvious that Ritter works had to
>learn and stay abreast of current trends in crypto. SOmething Bruce
>is incapable of becasue of his narrow focus and mind set.

What current trends in crypto do you think that Bruce isn't abreast of?

> I have never never heard of condferences where the author name
>is removed. And even if the name is removed I bet any one with have

In artificial intelligence (my field) it's very common indeed, even for the big conferences (as AAAI-98 was). To be honest, I'd be surprised if it was uncommon in most fields, but I'm open to correction. What policy do, say, CRYPTO, EUROCRYPT, ASIACRYPT, the Fast Software Encryption conferences, etc. have? I'd be quite curious to find out. (-:

>a brain could tell mine from Bruces and from Mr Ritter since we
>all 3 have different writting styles even if we all 3 write about the
>exact same subject. Bruces would be acepted even if it left out

With your Usenet writing style you probably wouldn't get published anyway, though. The written English in conference proceedings rarely has copious spelling and grammatical errors; if you were writing a conference paper, you would no doubt be sensible enough to improve the English a lot to increase its chances of acceptance. Correct English - especially in the style of most academic papers - has much less scope for obvious personal idiosyncrasies (though with rigorous analysis it's still amazing how personal it turns out to be!).

Certainly, it's sometimes the case that the reviewers guess who the author(s) might be, but AFAIK it's usually for a tiny minority of papers, and more from the content than the writing style. (e.g. X is the only person working on this, and lo and behold here's a paper about it...)

>key points that Mr Ritter or me may have included since he is the
>King of B.S. and he can Pile it Higher and Deeper.

What interests would the review panel have in choosing Bruce's paper over yours if yours is so much better? If they start publishing rubbish, then they'll quickly stop being a major conference (or jettison any chances of ever becoming one)...

--
Mark
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 23 Oct 1998 00:01:05 GMT
From: dscott@networkusa.net
Message-ID: <70oh01$2o2$1@nnrp1.dejanews.com>
References: <+au*FR8In@news.chiark.greenend.org.uk>
Newsgroups: sci.crypt
Lines: 93

In article <+au*FR8In@news.chiark.greenend.org.uk>,
  markc@chiark.greenend.org.uk (Mark Carroll) wrote:
> In article <70n5e6$kog$1@nnrp1.dejanews.com>, <dscott@networkusa.net> wrote:
> (snip)
> > Well Mr Ritter in my view is a much more honest an open person than
> >Bruce ever will be. At least it is obvious that Ritter works had to
> >learn and stay abreast of current trends in crypto. SOmething Bruce
> >is incapable of becasue of his narrow focus and mind set.
>
> What current trends in crypto do you think that Bruce isn't abreast of?
>

Well I think the method I use is beyond his tiny limited brain since I don't use the big words he does. I for one fill if you can write in C then that should be enough of an explantion of what is going on in my method. To put it in words gives the wrong impression of it since my use of words will never really say what I want. And then people would enterpit the words differently than I mean. Bruce only has access to a narrow field of encryption that acidemia uses. I doubt if he understands what Ritter has done either. Even though Ritter is a prolific writter. Bruce might be a phony in only playiing at encryption I have meet many so called Phd where I use to work that lacked any real knowledge of the field they got there degree in. I would've got a Phd in mathematics no sweet but Could not pass all the English stuff that normals could that is why I went into Fields and Waves in Electrical Engineering it had less english crapola.

> > I have never never heard of condferences where the author name
> >is removed. And even if the name is removed I bet any one with have
>
> In artificial intelligence (my field) it's very common indeed, even
> for the big conferences (as AAAI-98 was). To be honest, I'd be
> surprised if it was uncommon in most fields, but I'm open to
> correction. What policy do, say, CRYPTO, EUROCRYPT, ASIACRYPT, the
> Fast Software Encryption conferences, etc. have? I'd be quite
> curious to find out. (-:
>
> >a brain could tell mine from Bruces and from Mr Ritter since we
> >all 3 have different writting styles even if we all 3 write about the
> >exact same subject. Bruces would be acepted even if it left out
>
> With your Usenet writing style you probably wouldn't get published
> anyway, though. The written English in conference proceedings rarely
> has copious spelling and grammatical errors; if you were writing a
> conference paper, you would no doubt be sensible enough to improve the
> English a lot to increase its chances of acceptance. Correct English -
> especially in the style of most academic papers - has much less scope
> for obvious personal idiosyncrasies (though with rigorous analysis
> it's still amazing how personal it turns out to be!).
>

Trust me I can use spell checkers and finally come to correctly spelled words but they wont be the right words anyway so spell checkers don't really add much especially when you think your close to a word and they don't find the one you want or the one they find may be farther than the one you want so you are either stuck with that word or use one you feel is more wrong an a vain attempt to convey your idea. In which your train if thought is lost or broken becasue of the tremendous focus to try to get words in to written form that you can't focus on what you wanted to say in the first place. I hope some day the need for the written word becomes less or that english becomes more like speech and thought.

> Certainly, it's sometimes the case that the reviewers guess who the
> author(s) might be, but AFAIK it's usually for a tiny minority of
> papers, and more from the content than the writing style. (e.g.
> X is the only person working on this, and lo and behold here's a
> paper about it...)
>
> >key points that Mr Ritter or me may have included since he is the
> >King of B.S. and he can Pile it Higher and Deeper.
>
> What interests would the review panel have in choosing Bruce's paper
> over yours if yours is so much better? If they start publishing
> rubbish, then they'll quickly stop being a major conference (or
> jettison any chances of ever becoming one)...
>

Not sure you really want to ask but they may be aready attuned to his narrow closed style of thinking since the reveiwers most like got to there positions in the same way he did and they may not be any more cabable of objective thought than he is.

--
http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
ftp search for scott*u.zip in norway
Subject: Re: Memo to the Amateur Cipher Designer
Date: 22 Oct 1998 19:28:15 GMT
From: aph@cygnus.remove.co.uk (Andrew Haley)
Message-ID: <70o10f$js7$1@korai.cygnus.co.uk>
References: <70n5e6$kog$1@nnrp1.dejanews.com>
Newsgroups: sci.crypt
Lines: 26

dscott@networkusa.net wrote:
: I have never never heard of condferences where the author name
: is removed.

It's normal procedure.

: And even if the name is removed I bet any one with have a brain
: could tell mine from Bruces and from Mr Ritter

Indeed. They use commas, and can string together two or more
grammatically correct sentences.

Why should anyone be bothered to read what you write if you can't be
bothered to correct any of your mistakes? No publication would put up
with your abysmal English.

Andrew.
Subject: Re: Memo to the Amateur Cipher Designer
Date: 22 Oct 1998 15:58:29 -0500
From: juola@mathcs.duq.edu (Patrick Juola)
Message-ID: <70o69l$291$1@quine.mathcs.duq.edu>
References: <70o10f$js7$1@korai.cygnus.co.uk>
Newsgroups: sci.crypt
Lines: 15

In article <70o10f$js7$1@korai.cygnus.co.uk>,
Andrew Haley <aph@cygnus.remove.co.uk> wrote:
>dscott@networkusa.net wrote:
>: I have never never heard of condferences where the author name
>: is removed.
>
>It's normal procedure.

Shall I add my voice to the chorus of people pointing out how common
it is? In fact, Mr. Scott, I suspect that part of the reason you
haven't heard of such things is because for most major conferences,
it's expected. I suspect you've never seen a warning label on a jar of
peanut butter stating "warning : will break if dropped," either.

-kitten
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 22 Oct 1998 23:16:52 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <362fbcde.3893888@news.io.com>
References: <70o69l$291$1@quine.mathcs.duq.edu>
Newsgroups: sci.crypt
Lines: 35

On 22 Oct 1998 15:58:29 -0500, in <70o69l$291$1@quine.mathcs.duq.edu>,
in sci.crypt juola@mathcs.duq.edu (Patrick Juola) wrote:

>In article <70o10f$js7$1@korai.cygnus.co.uk>,
>Andrew Haley <aph@cygnus.remove.co.uk> wrote:
>>dscott@networkusa.net wrote:
>>: I have never never heard of condferences where the author name
>>: is removed.
>>
>>It's normal procedure.
>
>Shall I add my voice to the chorus of people pointing out how common
>it is? [...]

Shall I point out that this entire thread is a response to the
original article by Schneier, who wrote:

>[...]
>It's hard to get a cryptographic algorithm published. Most
>conferences and workshops won't accept designs from unknowns and
>without extensive analysis.

Now, presumably Schneier knows something about crypto conferences. He
did *not* say that the practice of removing the author's name for
reviewers was not followed. But he clearly *did* imply that
*something* prevents "unknowns" from publishing in conferences and
workshops. Maybe he is right. If he is, that is the real issue.

---
Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Memo to the Amateur Cipher Designer
Date: 23 Oct 1998 09:33:34 -0500
From: juola@mathcs.duq.edu (Patrick Juola)
Message-ID: <70q43u$3tp$1@quine.mathcs.duq.edu>
References: <362fbcde.3893888@news.io.com>
Newsgroups: sci.crypt
Lines: 45

In article <362fbcde.3893888@news.io.com>,
Terry Ritter <ritter@io.com> wrote:

[Re: Anonymous review]

>Shall I point out that this entire thread is a response to the
>original article by Schneier, who wrote:
>
>>[...]
>>It's hard to get a cryptographic algorithm published. Most
>>conferences and workshops won't accept designs from unknowns and
>>without extensive analysis.
>
>Now, presumably Schneier knows something about crypto conferences. He
>did *not* say that the practice of removing the author's name for
>reviewers was not followed. But he clearly *did* imply that
>*something* prevents "unknowns" from publishing in conferences and
>workshops. Maybe he is right. If he is, that is the real issue.

Funny how when you eliminate all the "ands" it's very possible to
misinterpret sentences, ya know?

Workshops are generally not reviewed anonymously -- but workshops are
generally not put together as the primary distribution of results;
instead, it's generally a group of people who know each other, or at
least know of each other, getting together to talk shop. In this
sense, they *are*, or can be, closed shops -- which would be a lot more
bothersome if they were taken at all seriously by professionals.

Conferences are generally reviewed anonymously, especially important
ones. But the standards for conferences are generally much higher --
for instance, most technical conferences require you to submit a
paper, sometimes as much as 10 pages or so, while most workshops only
want an abstract or a one-page summary of what you intend to talk
about. And part of what is expected in the extra nine pages is a lot
more detail about the strengths and weaknesses of what you're doing.

So if you're a total unknown, you probably won't get workshop
invitations. You can, however, easily get into conferences *if* you
can write a good enough paper -- good enough referring not only to
ability to write decent English but also to the quality of your
methodology and the amount of results.

-kitten
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 26 Oct 1998 04:11:12 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <3633f47d.2601979@news.visi.com>
References: <362fbcde.3893888@news.io.com>
Newsgroups: sci.crypt
Lines: 72

On Thu, 22 Oct 1998 23:16:52 GMT, ritter@io.com (Terry Ritter) wrote:

>
>On 22 Oct 1998 15:58:29 -0500, in <70o69l$291$1@quine.mathcs.duq.edu>,
>in sci.crypt juola@mathcs.duq.edu (Patrick Juola) wrote:
>
>>In article <70o10f$js7$1@korai.cygnus.co.uk>,
>>Andrew Haley <aph@cygnus.remove.co.uk> wrote:
>>>dscott@networkusa.net wrote:
>>>: I have never never heard of condferences where the author name
>>>: is removed.
>>>
>>>It's normal procedure.
>>
>>Shall I add my voice to the chorus of people pointing out how common
>>it is? [...]
>
>Shall I point out that this entire thread is a response to the
>original article by Schneier, who wrote:
>
>>[...]
>>It's hard to get a cryptographic algorithm published. Most
>>conferences and workshops won't accept designs from unknowns and
>>without extensive analysis.
>
>Now, presumably Schneier knows something about crypto conferences. He
>did *not* say that the practice of removing the author's name for
>reviewers was not followed. But he clearly *did* imply that
>*something* prevents "unknowns" from publishing in conferences and
>workshops. Maybe he is right. If he is, that is the real issue.

Crypto and Eurocrypt use anonymous refereeing. With a few possible
exceptions (I don't know about them all, and Asiacrypt especially) the
other crypto conferences keep authors' names on the papers during
refereeing.

And "hard" is not impossible. Pulling a random (well, pseudorandom)
Fast Software Encryption proceedings off my shelf (1997), I see six
cipher designs:

MISTY, by Mitsuru Matsui, the man who invented linear cryptanalysis.
It is still unbroken, and I am sorry a variant was not submitted to
AES.

ICE, by Matthew Kwan, who has not cryptanalyzed much of anything.
Broken in FSE 1998.

TWOPRIME, by Ding, Niemi, Renvall, and Salomaa. Some of these people
are good cryptographers, but they are much more mathematicians. I
don't think they have ever written a real cryptanalysis paper.
TWOPRIME was broken in FSE 1998.

Chameleon, by Ross Anderson and Charalampos Manifavas. Ross has many
scalps under his belt. Unbroken.

Square, by Joan Daemen, Lars Knudsen, and Vincent Rijmen, a team that
should strike fear in the hearts of cipher designers everywhere.
Unbroken, and the basis for the AES submission Rijndael.

xmx, by David M'Raihi, David Naccache, Jacques Stern, and Serge
Vaudenay. Serge has done some excellent block cipher cryptanalytic
work. His design, DFC, has been submitted to AES. Unbroken.

See the pattern?

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems     Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN  55419      Fax: 612-823-1590
           Free crypto newsletter.  See:  http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 26 Oct 1998 16:46:05 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <3634a746.2458264@news.io.com>
References: <3633f47d.2601979@news.visi.com>
Newsgroups: sci.crypt
Lines: 51

On Mon, 26 Oct 1998 04:11:12 GMT, in <3633f47d.2601979@news.visi.com>,
in sci.crypt schneier@counterpane.com (Bruce Schneier) wrote:

>>[...]
>>Now, presumably Schneier knows something about crypto conferences. He
>>did *not* say that the practice of removing the author's name for
>>reviewers was not followed. But he clearly *did* imply that
>>*something* prevents "unknowns" from publishing in conferences and
>>workshops. Maybe he is right. If he is, that is the real issue.
>
>Crypto and Eurocrypt use anonymous refereeing. With a few possible
>exceptions (I don't know about them all, and Asiacrypt especially) the
>other crypto conferences keep authors names on the papers during
>refereeing.
>
>And "hard" is not impossible. Pulling a random (well, pseudorandom)
>Fast Software Encryption proceedings off my shelf (1997), I see six
>cipher designs:
>[...]
>
>See the pattern?

First of all, this is the usual sort of rationalization for treating
individuals similarly according to their membership in some sort of
despised group. And while clearly unfair and unscientific, it *is* an
all-too-American activity.

Next, your argument assumes that science is best served by
descriptions of unbreakable cipher designs. But I suggest that they
also serve who present new designs of any sort. In fact, it is
largely the lack of a broad and robust literature on breaks of all
types which makes "the newbie problem" as bad as it is. The process
of selecting only good designs for the archival literature leaves us
with little description of the bad ones, and less archived reasoning
about their weaknesses. I claim we would be better off if every
newbie cipher was presented and broken in the literature.

But the original issue wasn't whether limiting crypto conferences to
known experts was a reasonable expedient that could be supported by
the evidence: The issue instead was whether this occurs. If it does,
it is bad science, and if you are participating in this, you are part
of the problem.

See the pattern now?

---
Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 27 Oct 1998 00:46:37 GMT
From: dscott@networkusa.net
Message-ID: <71355d$ias$1@nnrp1.dejanews.com>
References: <3634a746.2458264@news.io.com>
Newsgroups: sci.crypt
Lines: 68

In article <3634a746.2458264@news.io.com>,
ritter@io.com (Terry Ritter) wrote:
>
> On Mon, 26 Oct 1998 04:11:12 GMT, in <3633f47d.2601979@news.visi.com>,
> in sci.crypt schneier@counterpane.com (Bruce Schneier) wrote:
>
> >>[...]
> >>Now, presumably Schneier knows something about crypto conferences. He
> >>did *not* say that the practice of removing the author's name for
> >>reviewers was not followed. But he clearly *did* imply that
> >>*something* prevents "unknowns" from publishing in conferences and
> >>workshops. Maybe he is right. If he is, that is the real issue.
> >
> >Crypto and Eurocrypt use anonymous refereeing. With a few possible
> >exceptions (I don't know about them all, and Asiacrypt especially) the
> >other crypto conferences keep authors names on the papers during
> >refereeing.
> >
> >And "hard" is not impossible. Pulling a random (well, pseudorandom)
> >Fast Software Encryption proceedings off my shelf (1997), I see six
> >cipher designs:
> >[...]
> >
> >See the pattern?
>
> First of all, this is the usual sort of rationalization for treating
> individuals similarly according to their membership in some sort of
> despised group. And while clearly unfair and unscientific, it *is* an
> all-too-American activity.
>
> Next, your argument assumes that science is best served by
> descriptions of unbreakable cipher designs. But I suggest that they
> also serve who present new designs of any sort. In fact, it is
> largely the lack of a broad and robust literature on breaks of all
> types which makes "the newbie problem" as bad as it is. The process
> of selecting only good designs for the archival literature leaves us
> with little description of the bad ones, and less archived reasoning
> about their weaknesses. I claim we would be better off if every
> newbie cipher was presented and broken in the literature.
>
> But the original issue wasn't whether limiting crypto conferences to
> known experts was a reasonable expedient that could be supported by
> the evidence: The issue instead was whether this occurs. If it does,
> it is bad science, and if you are participating in this, you are part
> of the problem.
>
> See the pattern now?
>

Mr RItter I feel that Bruce is one of those self inflated people
incapable of understanding your writting. He is afraid of real
competition so will attempt to put it done with jokes and such but
don't except him to see such an obvious easy pattern in logic it mat
be beyond his brain power.

> ---
> Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
> Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
>
>

--
http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
ftp search for scott*u.zip in norway
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 26 Oct 1998 18:03:49 GMT
From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard)
Message-ID: <3634b8f5.7503638@news.prosurfr.com>
References: <3633f47d.2601979@news.visi.com>
Newsgroups: sci.crypt
Lines: 16

schneier@counterpane.com (Bruce Schneier) wrote, in part:

> ICE, by Matthew Kwan, who has not cryptanalyzed much of
> anything. Broken in FSE 1998.

But we can be very thankful he published his design. The principle of
using a mask to control swapping bits between words is a very useful
principle, and can efficiently contribute to a cipher's security.

If ICE hadn't come along, some other cipher designer might have come
up with that particular principle, and patented its use in a block
cipher.

John Savard
http://members.xoom.com/quadibloc/index.html
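The mask-controlled swap Savard refers to, as an added example (not code from ICE, from Kwan, or from anyone in this thread): `mask_swap` exchanges exactly the bit positions selected by a mask using three XORs and one AND, and because it is an involution, any layer built from it is undone by replaying the masks in reverse. The `keyed_permute` layer, its subkey masks and the rotation between steps are constructed for this illustration and are not ICE's actual round function.

```c
#include <stdint.h>
#include <stdio.h>

/* Exchange the bits of *x and *y at every position where mask has a 1 bit.
 * t holds the differing bits selected by the mask; XORing t into both words
 * swaps exactly those bits and leaves the rest untouched. No branches. */
void mask_swap(uint32_t *x, uint32_t *y, uint32_t mask)
{
    uint32_t t = (*x ^ *y) & mask;
    *x ^= t;
    *y ^= t;
}

/* A keyed permutation layer built from the swap (hypothetical, for this
 * example only): each subkey word is used as a mask, so the key decides
 * which bit positions migrate between the two halves. */
void keyed_permute(uint32_t *l, uint32_t *r, const uint32_t *masks, int n)
{
    for (int i = 0; i < n; i++) {
        mask_swap(l, r, masks[i]);
        /* rotate the right half so successive masks act on different bit
         * positions; without it every mask would commute with the others */
        *r = (*r << 7) | (*r >> 25);
    }
}

/* Inverse layer: undo each step in reverse order. mask_swap is its own
 * inverse, so only the rotation needs a distinct reverse operation. */
void keyed_unpermute(uint32_t *l, uint32_t *r, const uint32_t *masks, int n)
{
    for (int i = n - 1; i >= 0; i--) {
        *r = (*r >> 7) | (*r << 25);
        mask_swap(l, r, masks[i]);
    }
}

/* Returns 1 when the layer changes a constructed sample block and the
 * inverse layer restores it exactly. */
int mask_swap_roundtrip_ok(void)
{
    /* constructed subkey masks and input block, not from any real cipher */
    const uint32_t masks[4] = { 0x0F0F0F0Fu, 0xA5A5A5A5u, 0x00FF00FFu, 0x3C3C3C3Cu };
    uint32_t l = 0xDEADBEEFu, r = 0x01234567u;
    uint32_t l0 = l, r0 = r;

    keyed_permute(&l, &r, masks, 4);
    int changed = (l != l0) || (r != r0);
    keyed_unpermute(&l, &r, masks, 4);
    return changed && l == l0 && r == r0;
}

int main(void)
{
    uint32_t x = 0xFFFF0000u, y = 0x0000FFFFu;
    mask_swap(&x, &y, 0x00FF00FFu);
    printf("x=%08x y=%08x roundtrip=%d\n", x, y, mask_swap_roundtrip_ok());
    return 0;
}
```

The point for a designer is that the mask can come straight from key material: the result is a key-dependent bit permutation that costs a few word operations per step and needs no separate inverse table, since the same code with the masks replayed backwards decrypts.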
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 27 Oct 1998 20:39:45 GMT
From: klockstone@cix.compulink.co.uk ("Keith Lockstone")
Message-ID: <F1I6qA.L1u@cix.compulink.co.uk>
References: <3634b8f5.7503638@news.prosurfr.com>
Newsgroups: sci.crypt
Lines: 89

> But we can be very thankful he published his design. The
> principle of using a mask to control swapping bits between
> words is a very useful principle, and can efficiently
> contribute to a cipher's security.
>
> If ICE hadn't come along, some other cipher designer might have
> come up with that particular principle, and patented its use in
> a block cipher.

This idea has been published before on sci.crypt although its
significance probably went unnoticed. It was originally conceived
after I read a Friedman publication that described swapping the most
significant halves of two indices.

There's little new under the Sun!

Keith.

> From: Keith Lockstone <keith.lockstone@gecm.com>
> Newsgroups: sci.crypt
> Subject: Re: New Dynamic Substitution Implications
> Date: 20 Dec 1996 16:48:06 GMT
> Organization: GEC Marconi Radar and Defence Systems Ltd
> To: ritter@io.com
> Lines: 81
>
> In <850598749.26798@dejanews.com>, Terry Ritter said:
> > A better approach would be to use two Dynamic Substitution
> > operations in sequence.
> and:
> > Another approach would be to make a pseudo-random selection
> > among multiple Dynamic Substitution combiners.
>
> A further approach could make use of 4 lookup tables. (Related
> to: Playfair cipher, 4 table ciphers - see William Friedman's
> books on Military Cryptanalysis) This helps to break up patterns
> in the plaintext and the PRNGs.
>
> The basis of this approach is to take pairs of plaintext bytes,
> use them to look up 2 intermediate values, randomly 'splice'
> these to form 2 further intermediate values - which are then used
> to look up the final pair of ciphertext bytes.
>
> All 4 tables are then updated by swapping the used entry with a
> randomly chosen one.
>
> This system has the disadvantage of a random to plaintext ratio
> of 5:2.
>
> Note: if the splicing stage uses 2 random bytes instead of one
> for multiplexing then the system becomes non-reversible - but
> still usable as a mixer for PRNGs.
>
> Keith.
>
> ----------------------------------------------------------------
> #define BYTE unsigned char
> /* tables for encoding (and decoding) */
> BYTE W[256], X[256], Y[256], Z[256];
>
> BYTE p1, p2,     /* 2 plaintext input/output bytes */
>      c1, c2;     /* 2 ciphertext input/output bytes */
>
> /***************************************************************/
> void encrypt(void)
> { BYTE r1, r2, r3, r4, r5,   /* random bytes */
>        a, b, f, g;           /* intermediate results */
>
>   r1 = getrand(1);                    /* get 5 random bytes from 5 */
>   r2 = getrand(2); r3 = getrand(3);   /* different generators */
>   r4 = getrand(4); r5 = getrand(5);
>
>   a = W[p1];               /* plaintext 1 -> intermediate result 1 */
>   b = X[p2];               /* plaintext 2 -> intermediate result 2 */
>
>   f = a & r5 | b & ~r5;    /* multiplex intermediate results: 1 */
>   g = b & r5 | a & ~r5;    /* multiplex intermediate results: 2 */
>
>   c1 = Y[f];               /* intermediate mix 1 -> ciphertext 1 */
>   c2 = Z[g];               /* intermediate mix 2 -> ciphertext 2 */
>
>   W[p1] = W[r1]; W[r1] = a;    /* update table W */
>   X[p2] = X[r2]; X[r2] = b;    /* update table X */
>   Y[f]  = Y[r3]; Y[r3] = c1;   /* update table Y */
>   Z[g]  = Z[r4]; Z[r4] = c2;   /* update table Z */
> }
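Lockstone's quoted post gives only the forward direction. The following added example (not his code, nor Ritter's) implements `encrypt_pair` together with the matching `decrypt_pair` that the post says exists when the splice uses a single random byte, so the claim can be checked by round-tripping a message. Assumptions made here: the five generators are a constructed xorshift32 stand-in indexed 0 to 4 rather than `getrand(1)` to `getrand(5)`, and the tables are initialised as keyed permutations of 0..255 (the post does not say how they are filled). The 5:2 random-to-plaintext ratio shows up as the five `getrand` calls per byte pair.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

typedef unsigned char BYTE;

/* Combiner state: four tables plus five independent generator states.
 * Each table is kept a permutation of 0..255, which the swap-style update
 * preserves, so value -> index lookups for decryption stay well defined. */
typedef struct {
    BYTE W[256], X[256], Y[256], Z[256];
    uint32_t rng[5];
} combiner;

/* xorshift32: constructed stand-in for the five PRNGs (demonstration only). */
static uint32_t xs32(uint32_t *st)
{
    uint32_t x = *st;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *st = x;
}

static BYTE getrand(combiner *s, int i) { return (BYTE)(xs32(&s->rng[i]) >> 24); }

/* Fill t with a keyed permutation of 0..255 (Fisher-Yates shuffle). */
static void init_table(BYTE *t, uint32_t seed)
{
    uint32_t st = seed | 1;                   /* xorshift state must be nonzero */
    for (int i = 0; i < 256; i++) t[i] = (BYTE)i;
    for (int i = 255; i > 0; i--) {
        int j = (int)(xs32(&st) % (uint32_t)(i + 1));
        BYTE tmp = t[i]; t[i] = t[j]; t[j] = tmp;
    }
}

void combiner_init(combiner *s, uint32_t key)
{
    init_table(s->W, key ^ 0x1111u); init_table(s->X, key ^ 0x2222u);
    init_table(s->Y, key ^ 0x3333u); init_table(s->Z, key ^ 0x4444u);
    for (int i = 0; i < 5; i++)
        s->rng[i] = (key ^ (0x9E3779B9u * (uint32_t)(i + 1))) | 1;
}

/* Reverse lookup: the index holding value v (t must be a permutation). */
static BYTE inv(const BYTE *t, BYTE v)
{
    int i = 0;
    while (i < 255 && t[i] != v) i++;
    return (BYTE)i;
}

/* The post's update: the used entry at idx swaps with a random slot r. */
static void update(BYTE *t, BYTE idx, BYTE r, BYTE val) { t[idx] = t[r]; t[r] = val; }

void encrypt_pair(combiner *s, BYTE p1, BYTE p2, BYTE *c1, BYTE *c2)
{
    BYTE r1 = getrand(s, 0), r2 = getrand(s, 1), r3 = getrand(s, 2);
    BYTE r4 = getrand(s, 3), r5 = getrand(s, 4);
    BYTE a = s->W[p1], b = s->X[p2];
    BYTE f = (a & r5) | (b & ~r5);     /* splice: r5 selects per bit */
    BYTE g = (b & r5) | (a & ~r5);     /* the complementary selection */
    *c1 = s->Y[f]; *c2 = s->Z[g];
    update(s->W, p1, r1, a); update(s->X, p2, r2, b);
    update(s->Y, f, r3, *c1); update(s->Z, g, r4, *c2);
}

/* Decryption walks the same steps backwards: reverse lookups undo the
 * table stages, and since f and g hold complementary bits of a and b the
 * same r5 un-splices them. Table updates are replayed identically so the
 * two sides stay in step. */
void decrypt_pair(combiner *s, BYTE c1, BYTE c2, BYTE *p1, BYTE *p2)
{
    BYTE r1 = getrand(s, 0), r2 = getrand(s, 1), r3 = getrand(s, 2);
    BYTE r4 = getrand(s, 3), r5 = getrand(s, 4);
    BYTE f = inv(s->Y, c1), g = inv(s->Z, c2);
    BYTE a = (f & r5) | (g & ~r5);
    BYTE b = (g & r5) | (f & ~r5);
    *p1 = inv(s->W, a); *p2 = inv(s->X, b);
    update(s->W, *p1, r1, a); update(s->X, *p2, r2, b);
    update(s->Y, f, r3, c1); update(s->Z, g, r4, c2);
}

/* 1 if every table is still a permutation of 0..255. */
int tables_are_permutations(const combiner *s)
{
    const BYTE *t[4] = { s->W, s->X, s->Y, s->Z };
    for (int k = 0; k < 4; k++) {
        int seen[256] = {0};
        for (int i = 0; i < 256; i++) if (seen[t[k][i]]++) return 0;
    }
    return 1;
}

#define NBYTES 16
/* Encrypts a constructed message with one state and decrypts with a second,
 * identically keyed state; 1 if the plaintext comes back, the ciphertext
 * differs from it, and all tables remain permutations. */
int roundtrip_ok(void)
{
    static const BYTE msg[NBYTES + 1] = "attack at dawn!!";   /* constructed sample */
    BYTE ct[NBYTES], pt[NBYTES];
    combiner e, d;
    combiner_init(&e, 0xC0FFEEu);
    combiner_init(&d, 0xC0FFEEu);
    for (int i = 0; i < NBYTES; i += 2) encrypt_pair(&e, msg[i], msg[i + 1], &ct[i], &ct[i + 1]);
    for (int i = 0; i < NBYTES; i += 2) decrypt_pair(&d, ct[i], ct[i + 1], &pt[i], &pt[i + 1]);
    return memcmp(pt, msg, NBYTES) == 0 && memcmp(ct, msg, NBYTES) != 0
        && tables_are_permutations(&e) && tables_are_permutations(&d);
}

int main(void)
{
    printf("roundtrip %s\n", roundtrip_ok() ? "ok" : "FAILED");
    return 0;
}
```

Decryption works because the splice is a bitwise multiplexer: f keeps the bits of a where r5 is 1 and of b where r5 is 0, g keeps the complement, so the same r5 reassembles both. The reverse lookups need each table to remain a permutation, which the swap update guarantees and `tables_are_permutations` verifies. Using two different random bytes in the two multiplex lines, as the post notes, breaks this: bits of a and b can then be duplicated or dropped, which is the non-reversible variant only usable as a mixer.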
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 23 Oct 1998 00:24:58 GMT
From: dscott@networkusa.net
Message-ID: <70oicq$3qo$1@nnrp1.dejanews.com>
References: <70o10f$js7$1@korai.cygnus.co.uk>
Newsgroups: sci.crypt
Lines: 52

In article <70o10f$js7$1@korai.cygnus.co.uk>,
aph@cygnus.remove.co.uk (Andrew Haley) wrote:
> dscott@networkusa.net wrote:
> : I have never never heard of condferences where the author name
> : is removed.
>
> It's normal procedure.

Well it is a phony procedure to have the air of respectibility when in
reality it hids nothing. REAL CRYPTO conferences should have executable
program or functions where the input and output can be analysed and
various real testing done on computers. Since in the real world that is
where it has to stand up. But that might be to difficult and to
different for the stuff onces use to not being creative.

>
> : And even if the name is removed I bet any one with have a brain
> : could tell mine from Bruces and from Mr Ritter
>
> Indeed. They use commas, and can string together two or more
> grammatically correct sentences.
>

still I meant you could tell Mr Ritter from B.S. by there styles even
though they both like ,s in there stuff.

> Why should anyone be bothered to read what you write if you can't be
> bothered to correct any of your mistakes? No publication would put up
> with your abysmal English.

Then I guess I can just continue to write the worlds greatest crypto for
the unwashed masses while the one how write can fool themselves. I don't
have to write I can program. May be like Heavyside some one else will
write it in terms that even narrow minded individuals like Bruce can
understand. But I am not that person.

>
> Andrew.
>
>

--
http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
ftp search for scott*u.zip in norway
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 22 Oct 1998 21:58:09 -0600
From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw)
Message-ID: <jgfunj-2210982158250001@207.101.116.111>
References: <70oicq$3qo$1@nnrp1.dejanews.com>
Newsgroups: sci.crypt
Lines: 22

In article <70oicq$3qo$1@nnrp1.dejanews.com>, dscott@networkusa.net wrote:

.... even narrow
> minded individuals like Bruce can understand...
>

You are confusing narrow mindedness with focus. I can respect him on
that. Certain algorithms are perhaps too demanding of intricate
attention, leaving little time for much else.

Each of us is faced with economy of time. These discussions are
important, so I spend some effort on them. It is not that I don't have
other competing things to do. To keep up seems to take from 20 minutes
to several hours per day, but the yield can be much more rapid than
running through some sluggish formal procedure.

Expanding the fundamental process for introducing and exploring
algorithms, prying open the process as far as possible, is more
important than any one cryptosystem.

--
---
Passing a budget with obscure items is bad; preventing government
payment for birth control while authorizing millions for viagra lets us
focus on the hard facts of prevalent sexism.
---
Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer
Date: 23 Oct 1998 09:38:24 -0500
From: juola@mathcs.duq.edu (Patrick Juola)
Message-ID: <70q4d0$3up$1@quine.mathcs.duq.edu>
References: <W%QX1.340$4a.1584242@news20.bellglobal.com> <70oicq$3qo$1@nnrp1.dejanews.com>
Newsgroups: sci.crypt
Lines: 30

In article <W%QX1.340$4a.1584242@news20.bellglobal.com>,
Sandy Harris <sandy.harris@sympatico.ca> wrote:
>dscott@networkusa.net wrote:
>
>> Then I guess I can just continue to write the worlds greatest
>>crypto for the unwashed masses while the one how write can fool
>>themselves. I don't have to write I can program. . . .
>
>"Besides a mathematical inclination, an exceptionally good mastery of
>"one's native tongue is the most vital asset of a competent programmer.
>
>                                       Edsger W.Dijkstra

It probably helps that Dr. Dijkstra's native tongue is Dutch, where
there is a large programming community. It probably also helps that
Dr. Dijkstra's command of English is astonishing.

I think he's overstating the case -- I remember a brilliant student
I had the pleasure to teach once whose native language was spoken
by about two hundred people in a mountain valley in New Guinea
or something like that. I suspect that his ability to master
English will be a more vital asset for his eventual programming
abilities.

But overall, I agree with Dr. Dijkstra's sentiments -- which is itself
astonishing, as normally when Dr. Dijkstra states that the sun is
shining, my initial reaction is to turn on my headlights. 8-)

-kitten
Subject: Re: Memo to the Amateur Cipher Designer
Date: 23 Oct 1998 15:59:40 GMT
From: aph@cygnus.remove.co.uk (Andrew Haley)
Message-ID: <70q95c$au2$2@korai.cygnus.co.uk>
References: <70q4d0$3up$1@quine.mathcs.duq.edu>
Newsgroups: sci.crypt
Lines: 28

Patrick Juola (juola@mathcs.duq.edu) wrote:
: In article <W%QX1.340$4a.1584242@news20.bellglobal.com>,
: Sandy Harris <sandy.harris@sympatico.ca> wrote:
: >dscott@networkusa.net wrote:
: >
: >"Besides a mathematical inclination, an exceptionally good mastery of
: >"one's native tongue is the most vital asset of a competent programmer.
: >
: >                                       Edsger W.Dijkstra

Dijkstra goes on to explain that in his experience a competent
programmer always has such a mastery of his own tongue; in other
words, you can gain some idea of the level of a programmer's skill
just by listening to them. This tallies with my experience.

: I think he's overstating the case -- I remember a brilliant student
: I had the pleasure to teach once whose native language was spoken
: by about two hundred people in a mountain valley in New Guinea
: or something like that. I suspect that his ability to master
: English will be a more vital asset for his eventual programming
: abilities.

I doubt it; Dijkstra isn't talking about a language skill that someone
will actually use to communicate, but is using skill in one's native
language as an indicator of linguistic skills in general. After all,
one generally thinks in one's native language.

Andrew.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 26 Oct 1998 13:42:51 +0100
From: Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
Message-ID: <36346E4B.9720682F@stud.uni-muenchen.de>
References: <70r9tt$i7f$1@nnrp1.dejanews.com> <3630BE5C.5B765F9B@stud.uni-muenchen.de> <70q95c$au2$2@korai.cygnus.co.uk>
Newsgroups: sci.crypt
Lines: 26

dscott@networkusa.net wrote:
>
> If you really think in more than one language do you do certain
> things better in one language than the other. Are you using language
> when you play a game like chess. If so do you do better in one than
> the other. Are your politics and views on religion a function some
> what of the language you use at the time your thinking. Just
> wondered.

I can't say that my personal experience generalizes. I am however
anyway convinced that if one has acquired sufficient proficiency in a
foreign language, the difference between a foreign language and one's
mother tongue disappears. At that point it is somehow 'uneconomical'
to speak or write in one language while thinking partly in another
(and then mentally translate before speaking out or writing down) and
one tends therefore to work (for convenience) in one single language
only. Language proficiency has to be maintained through practice. To
my dismay I find my proficiency in my native language (especially in
writing) is deteriorating due to lack of practice.

Language is neutral to its use. It has no influence on what is
expressed, I am convinced, since all natural languages (at least those
of the civilized world) are of sufficient expressive power to formulate
everything imaginable.

M. K. Shen
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 27 Oct 1998 14:35:46 +0100
From: fungus <spam@egg.chips.and.spam.com>
Message-ID: <3635CC32.F1A238CF@egg.chips.and.spam.com>
References: <36346E4B.9720682F@stud.uni-muenchen.de>
Newsgroups: sci.crypt
Lines: 39

Mok-Kong Shen wrote:
>
> dscott@networkusa.net wrote:
> >
>
> > If you really think in more than one language do you do certain
> > things better in one language than the other.
>
> It has no influence on what is expressed, I am convinced, since
> all natural languages (at least those of the civilized world)
> are of sufficient expressive power to formulate everything
> imaginable.
>

If you actually learn a foreign language you'll find that there
are some concepts which have a word in one language but not
in another. Sometimes you find yourself arriving at the middle
of a sentence wanting to use a word from the other language
because no equivalent exists in the language you're speaking.

You'll also notice this in films with subtitles. Sometimes the
subtitles are saying a completely different thing than the people
on the screen, and, if you think about it, it's very hard to
translate directly.

And then there's cultural differences. The concept of swearing
(as in "bad language") doesn't really exist in Spain. Over here
you'll see Disney films with the characters saying "Oh Shit!",
and people say the equivalent of "fuck" all the time on TV chat
shows. In the UK you'll have *big* problems to find somebody
saying "fuck" on TV. Beverly Hills Cop had all the words changed
to "hell" when it was shown....

--
<\___/>
/ O O \
\_____/  FTB.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 27 Oct 1998 16:26:40 +0100
From: Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
Message-ID: <3635E630.DB9FF944@stud.uni-muenchen.de>
References: <3635CC32.F1A238CF@egg.chips.and.spam.com>
Newsgroups: sci.crypt
Lines: 27

fungus wrote:
>
> If you actually learn a foreign language you'll find that there
> are some concepts which have a word in one language but not
> in another. Sometimes you find yourself arriving at the middle
> of a sentence wanting to use a word from the other language
> because no equivalent exists in the language you're speaking.

That's why good translations of masterpieces are rare. But I am not
convinced that languages can influence thought or behaviour. There are
always more or less good equivalents. (Though I heard that in one
language one can count up to 5 only.) A language may be superior in
certain expressions but inferior in others. (There are 'fanatics' who
believe that their native languages are the best.)

> And then there's cultural differences. The concept of swearing
> (as in "bad language") doesn't really exist in Spain.

My respect for Spain. But other languages, including French, for a
long time the chosen language of the diplomats, are abundant in words
expressing such strong sentiments. I find it difficult to imagine what
happens when two persons get very angry with each other in Spain.

M. K. Shen
Subject: Re: Memo to the Amateur Cipher Designer
Date: 27 Oct 1998 10:35:31 -0500
From: juola@mathcs.duq.edu (Patrick Juola)
Message-ID: <714p83$i54$1@quine.mathcs.duq.edu>
References: <3635CC32.F1A238CF@egg.chips.and.spam.com>
Newsgroups: sci.crypt
Lines: 34

In article <3635CC32.F1A238CF@egg.chips.and.spam.com>,
fungus <spam@egg.chips.and.spam.com> wrote:
>Mok-Kong Shen wrote:
>>
>> dscott@networkusa.net wrote:
>> >
>>
>> > If you really think in more than one language do you do certain
>> > things better in one language than the other.
>>
>> It has no influence on what is expressed, I am convinced, since
>> all natural languages (at least those of the civilized world)
>> are of sufficient expressive power to formulate everything
>> imaginable.
>>
>
>If you actually learn a foreign language you'll find that there
>are some concepts which have a word in one language but not
>in another. Sometimes you find yourself arriving at the middle
>of a sentence wanting to use a word from the other language
>because no equivalent exists in the language you're speaking.

True but irrelevant. Translation doesn't necessarily require that
every word be replaced with an equivalent word, but that every concept
be somehow represented with a word or phrase.

French, for example, has no single word meaning "shallow." This does
NOT, however, mean that the French don't understand the distinction
between deep and shallow water, or even that they can't talk about it.

-kitten
Subject: Re: Memo to the Amateur Cipher Designer
Date: Sun, 25 Oct 1998 23:20:50 -0600
From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw)
Message-ID: <jgfunj-2510982320500001@207.22.198.192>
References: <5LHY1.278$MY4.2154610@news.goodnet.com> <jgfunj-2510981033500001@dialup126.itexas.net>
Newsgroups: sci.crypt
Lines: 23

In article <5LHY1.278$MY4.2154610@news.goodnet.com>, "Steve Sampson"
<ssampson@access.usa-site.net> wrote:

> W T Shaw wrote
>
> >I went to Oklahoma yesterday, so on returning to Texas, the contrast with
> >the dimension of past dominated experiences makes me want to confirm my
> >salvation that I recovered by nightfall and express myself in a more
> >linguistically challenging way, at least for a little while. Is this prejudice
> >justified so that I should disregard anything Okie in nature? Perhaps, but
> >I should not bend so easily to such a feeling if I believe that reality is
> >even expressed there.
> >
> What the hell are you talking about?

Prejudice by language, life style, heritage, anything you want to throw
in. Concentrating on style rather than substance is easy, and wrong.

--
---
Please excuse if there are multiple postings for my responses...I have
no idea where they come from as I only receive one confirmation for
each posting from my newsserver.
---
Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 26 Oct 1998 04:02:03 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <3633f403.2480424@news.visi.com>
References: <70n5e6$kog$1@nnrp1.dejanews.com>
Newsgroups: sci.crypt
Lines: 18

On Thu, 22 Oct 1998 11:37:42 GMT, dscott@networkusa.net wrote:

>I have never never heard of conferences where the author name
>is removed. And even if the name is removed I bet any one with half
>a brain could tell mine from Bruce's and from Mr Ritter since we
>all 3 have different writing styles even if we all 3 write about the
>exact same subject. Bruce's would be accepted even if it left out
>key points that Mr Ritter or me may have included since he is the
>King of B.S. and he can Pile it Higher and Deeper.

You can figure out the authors of some papers without the authors' names, but not all of them. You can easily figure out who is schooled in the mathematics of cryptography and who isn't.

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems     Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN  55419      Fax: 612-823-1590
Free crypto newsletter.  See:  http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 26 Oct 1998 04:00:47 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <3633f3c2.2415094@news.visi.com>
References: <70m3a0$e2g$1@news.umbc.edu>
Newsgroups: sci.crypt
Lines: 28

On 22 Oct 1998 01:55:12 GMT, olson@umbc.edu (Bryan G. Olson; CMSC (G)) wrote:

>Terry Ritter (ritter@io.com) wrote:
>
>Bruce Schneier had written:
>: >Most
>: >conferences and workshops won't accept designs from unknowns and
>: >without extensive analysis. This may seem unfair:
>
>: Not accepting designs from "unknowns" is well beyond just *seeming*
>: unfair, it *is* unfair. It is in fact unscientific.
>
>I have to agree with Mr. Ritter on this one. I'll also note that the
>major crypto conferences remove the author's name from submission
>before they go to the referees. The system is based on good faith,
>though I have heard referees talk about secure cryptographic protocols
>for anonymous review of papers. :)

Agreed that it is unfair. But even the conferences that referee papers anonymously don't publish design papers unless they are REALLY impressive. Different for the sake of difference just doesn't cut it.

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems     Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN  55419      Fax: 612-823-1590
Free crypto newsletter.  See:  http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: 26 Oct 1998 07:52:04 GMT
From: olson@umbc.edu (Bryan G. Olson; CMSC (G))
Message-ID: <7119n4$7hu$1@news.umbc.edu>
References: <3633f3c2.2415094@news.visi.com>
Newsgroups: sci.crypt
Lines: 21

Bruce Schneier wrote:

: Agreed that it is unfair. But even the conferences that referee
: papers anonymously don't publish design papers unless they are REALLY
: impressive. Different for the sake of difference just doesn't cut it.

Oh absolutely. There seems to be a sci.crypt myth that cryptology is primarily concerned with inventing ciphers, and the crypto literature with publishing them. In reality cryptologists are pursuing knowledge within the science of secrecy. The journals and conferences are looking for papers that establish results not previously known.

So here's how to really get a design published in the crypto lit: Find some new and interesting fact, develop a design that incorporates the result, then write a paper that presents both the theorem and the system. I'm still working on mine, but from what I've read, that's how it's usually done.

--Bryan
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 26 Oct 1998 03:59:50 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <3633f37a.2343159@news.visi.com>
References: <362bdbc6.3212829@news.io.com>
Newsgroups: sci.crypt
Lines: 9

I invite you to submit a paper, based on your patent #5,727,062 ("Variable Size Block Ciphers") to the 1999 Fast Software Encryption workshop. I believe it will be published.

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems     Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN  55419      Fax: 612-823-1590
Free crypto newsletter.  See:  http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 26 Oct 1998 04:20:14 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <3633f6f6.3235025@news.visi.com>
References: <362bdbc6.3212829@news.io.com>
Newsgroups: sci.crypt
Lines: 143

On Tue, 20 Oct 1998 00:40:21 GMT, ritter@io.com (Terry Ritter) wrote:

>In my view, the reason for inventing a new cipher -- like any new
>design -- is to deliver new advantages. If so, it advances the art,
>quite independent of whether the professional chorus agrees.

Security is orthogonal to functionality. A cipher cannot deliver any new advantages until it is considered strong. That's what makes this discipline complicated.

>>What is hard is creating an algorithm that no one else can break, even
>>after years of analysis. And the only way to prove that is to subject
>>the algorithm to years of analysis by the best cryptographers around.
>
>That last sentence is what the profession says, but it is as false,
>misleading, and self-delusional as anything in cryptography: Even
>years of analysis is not proof. It is not close to proof.
>
>Lack of proof of weakness is not proof of strength. Obviously.

Agreed. "Proof" was a bad word choice. You are, of course, correct.

>>It's hard to get a cryptographic algorithm published.
>
>This, of course, is simply false. It is false in the assumption that
>"published" means accepted by some academic journal. And it is also
>more or less false in that most reasonable papers *can* be shopped
>around and placed in some academic journal eventually. There are many
>journals, and each must fill a gaping maw of pages continuously.
>
>It is true, however, that a *good* article is more than a new idea: A
>good article offers *insight* as opposed to mere symbology and
>gobbledygook. If someone provides a good presentation to something
>exciting and new, they won't have much trouble placing it somewhere.

Agreed. Please submit your good ideas to cryptography workshops. FSE and SAC are good places to start.

>>Most
>>conferences and workshops won't accept designs from unknowns and
>>without extensive analysis. This may seem unfair:
>
>Not accepting designs from "unknowns" is well beyond just *seeming*
>unfair, it *is* unfair. It is in fact unscientific. More than that,
>this also has economic consequences.
>
>Any time an academic publication will not look at, accept, and publish
>work based on content -- independent of its source -- that publication
>is spending its academic reputation. Journals exist to serve a larger
>ideal than to simply further the academic careers of authors -- their
>existence depends upon providing the best material to their readers.
>They can't just reject good stuff and publish the chaff without real
>audience consequences.

Agreed. The work is accepted and rejected based on the work, not on the name. If there are errors based on name, it is when a work by a well-known name is refereed less stringently because of who they are. I don't believe the reverse happens anywhere near as often.

>>When I started writing _Applied Cryptography_, I heard the maxim that
>>the only good algorithm designers were people who spent years
>>analyzing existing designs. The maxim made sense, and I believed it.
>
>Then you were fooled. Vernam, a mere engineer in 1919: The
>mechanistic stream cipher, and the basis for the one time pad.

Yes. I believe my point still stands.

>This game of "I'm better than you" is a sickness that infects the
>entire field of cryptography. It makes every discussion a contest,
>every relationship a competition, and a mockery of facts and clear,
>correct reasoning. It works against development in the field, and has
>got to go. Those professionals who are actively cultivating ego cults
>for their own self-gratification are part of the problem.

No. The adversarial game of making and breaking is what makes cryptography cryptography. I design; you break. You design; I break. This is what cryptography is.

>In the anecdote, a better alternative would be for the cryptographer
>to be helpful, to explain the issues, lay out a course of study, and
>thus in a larger sense generally address why the general public has so
>little understanding of this profession. We don't of course, see
>anecdotes about that. Why? See the above paragraph.

I believe we do this. There are excellent courses of study in cryptography that have turned out some excellent cryptographers.

>>1. Describe your cipher using standard notation. This doesn't mean C
>>code. There is established terminology in the literature. Learn it
>>and use it; no one will learn your specialized terminology.
>
>Yes. There are established notations for the design of logic systems,
>and they include both "schematics" and "flow charts" as well as C.
>But more than anything else, the "standard notation" includes a clear,
>logical presentation in some language (but if that is not English, *I*
>will have a problem!). It is also important to give some
>justification for the various design decisions which are usually
>necessary.

I don't mean established notations for the design of logic systems. This is mathematics after all. I mean standard mathematical notation.

>>3. Show why your cipher is immune against each of the major attacks
>>known in literature. It is not good enough just to say that it is
>>secure, you have to show why it is secure against these attacks. This
>>requires, of course, that you not only have read the literature, but
>>also understand it. Expect this process to take months, and result in
>>a large heavily mathematical document. And remember, statistical
>>tests are not very meaningful.
>
>That last sentence sounds a lot like statistics-envy. Surely it
>should read that "statistical tests should not be used to support
>inappropriate conclusions." But we could say the same thing about
>mathematics itself.

No. I stand by my sentence. Statistical tests are not very meaningful. If you saw a cipher design that was accompanied by nothing other than statistical tests of randomness, wouldn't your snake-oil detector go off?

>>4. Explain why your cipher is better than existing alternatives. It
>>makes no sense to look at something new unless it has clear advantages
>>over the old stuff. Is it faster on Pentiums? Smaller in hardware?
>>What? I have frequently said that, given enough rounds, pretty much
>>anything is secure. Your design needs to have significant performance
>>advantages. And "it can't be broken" is not an advantage; it's a
>>prerequisite.
>
>Note, however, that "performance advantages" include far more than the
>simple speed of an AES-style cipher box: Large blocks can be an
>advantage. Dynamically selectable block size can be an advantage.
>Dynamically variable block size to the byte can be an advantage.
>Block independence can be an advantage. Self-authentication can be an
>advantage. There are many advantages which are restricted to
>particular uses, yet are real advantages in their proper context.

Of course.

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems     Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN  55419      Fax: 612-823-1590
Free crypto newsletter.  See:  http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 26 Oct 1998 09:34:59 -0600
From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw)
Message-ID: <jgfunj-2610980935000001@dialup165.itexas.net>
References: <3633f6f6.3235025@news.visi.com>
Newsgroups: sci.crypt
Lines: 28

In article <3633f6f6.3235025@news.visi.com>, schneier@counterpane.com (Bruce Schneier) wrote:
>
> I don't mean established notations for the design of logic systems.
> This is mathematics after all. I mean standard mathematical notation.
>
>..... Statistical tests are not very
> meaningful. If you saw a cipher design that was accompanied by
> nothing other than statistical tests of randomness, wouldn't your
> snake-oil detector go off?
>

Statistics can measure more things than randomness. Good logic should be inclusive rather than exclusive. Calling something snake-oil might mean that you merely chose not to explore the idea in full, but chose to look for an excuse to dismiss it, granted that it could be easily applied when an author will not settle down and converse legitimately about a particular algorithm; both have nothing to do with whether something is good or bad.

Randomness would be hard to determine since it includes even things that don't look random. This is where I start questioning some of the tests that are touted.

--
---
Please excuse if there are multiple postings for my responses...I have no idea where they come from as I only receive one confirmation for each posting from my newsserver.
---
Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 26 Oct 1998 18:09:47 GMT
From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard)
Message-ID: <3634ba1b.7797506@news.prosurfr.com>
References: <jgfunj-2610980935000001@dialup165.itexas.net>
Newsgroups: sci.crypt
Lines: 28

jgfunj@EnqvbSerrGrknf.pbz (W T Shaw) wrote, in part:

>In article <3633f6f6.3235025@news.visi.com>, schneier@counterpane.com
>(Bruce Schneier) wrote:

>>..... Statistical tests are not very
>> meaningful. If you saw a cipher design that was accompanied by
>> nothing other than statistical tests of randomness, wouldn't your
>> snake-oil detector go off?

>Randomness would be hard to determine since it includes even things that
>don't look random. This is where I start questioning some of the tests
>that are touted.

And the other way around, things can look nice and random, and even appear very random to conventional statistical tests, and yet be vulnerable to the right attack.

For example, I could use the digits of pi as if they were a "one-time pad", and the result would be beautifully random, but crackable immediately if someone decided to compare it to pi.

That's all Bruce was saying; statistics aren't enough - although specialized statistical tests, directly related to the possible forms of cryptanalysis that a cipher may face, can, of course, be very applicable.

John Savard
http://members.xoom.com/quadibloc/index.html
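Savard's pi-as-one-time-pad point, worked through as an added example (this is not code from the thread or from any of its participants). It assumes a Python PRNG seeded with a fixed, public constant in place of the digits of pi, plus a constructed sample plaintext; both are stand-ins. A plain byte-frequency (chi-square) test rejects the plaintext and accepts the ciphertext, yet anyone who can regenerate the keystream recovers the plaintext without any key at all. The test measures the shape of the output, not whether the keystream is secret.

```python
"""Why a passing randomness test says nothing about key secrecy.

Added example, not from the sci.crypt thread. The keystream is a PRNG seeded
with a fixed, publicly known constant, standing in for "the digits of pi".
"""
import random
from collections import Counter

# Constructed sample plaintext: highly structured, obviously non-random.
SAMPLE_PLAINTEXT = b"the quick brown fox jumps over the lazy dog. " * 200

# Hypothetical fixed seed: anyone who knows (or guesses) it regenerates the stream.
PUBLIC_SEED = 314159


def public_keystream(n, seed=PUBLIC_SEED):
    """Keystream from a deterministic PRNG seeded with a public constant."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def xor_bytes(a, b):
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def chi_square(data):
    """Chi-square statistic of byte frequencies against a uniform distribution."""
    expected = len(data) / 256.0
    counts = Counter(data)
    return sum((counts.get(v, 0) - expected) ** 2 / expected for v in range(256))


def looks_uniform(data, cutoff=340.0):
    """Frequency test with 255 degrees of freedom (mean 255, std about 22.6).

    cutoff=340 is a deliberately loose threshold, well above the 0.1%
    critical value (about 330), so genuinely uniform data essentially
    never fails it.
    """
    return chi_square(data) < cutoff


def encrypt(plaintext):
    """XOR the plaintext with the public keystream (the weak scheme under discussion)."""
    return xor_bytes(plaintext, public_keystream(len(plaintext)))


def recover_with_public_keystream(ciphertext):
    """What an opponent who can regenerate the keystream does: no key needed."""
    return xor_bytes(ciphertext, public_keystream(len(ciphertext)))


def demo(plaintext=SAMPLE_PLAINTEXT):
    """Return the three observations the example is meant to make."""
    ct = encrypt(plaintext)
    return {
        "plaintext_uniform": looks_uniform(plaintext),   # False: text is skewed
        "ciphertext_uniform": looks_uniform(ct),         # True: passes the test
        "recovered": recover_with_public_keystream(ct) == plaintext,  # True
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The same frequency test would accept output from a sound stream cipher and from this one alike; what separates them is whether the keystream can be reproduced by someone without the key, which is a question of design and analysis, not of output statistics.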
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 26 Oct 1998 16:46:15 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <3634a751.2469260@news.io.com>
References: <3633f6f6.3235025@news.visi.com>
Newsgroups: sci.crypt
Lines: 143

On Mon, 26 Oct 1998 04:20:14 GMT, in <3633f6f6.3235025@news.visi.com>, in sci.crypt schneier@counterpane.com (Bruce Schneier) wrote:

>On Tue, 20 Oct 1998 00:40:21 GMT, ritter@io.com (Terry Ritter) wrote:
>>In my view, the reason for inventing a new cipher -- like any new
>>design -- is to deliver new advantages. If so, it advances the art,
>>quite independent of whether the professional chorus agrees.
>
>Security is orthogonal to functionality. A cipher cannot deliver any
>new advantages until it is considered strong. That's what makes this
>discipline complicated.

Apparently I have been unable to communicate the issue: We *never* know that a cipher is strong. Ever.

Now, we might "consider" a cipher strong when all *our* guys have looked at it and found no break. But, quite frankly, the *other* guys have more training, more experience, more resources, more time, and they may even be smarter than our guys. So what does it mean when our guys have anointed a cipher?

For the user, it means that even ciphers with a good reputation are *not* guaranteed secure -- and this is the *same* situation they have with unknown ciphers.

I will agree that new cipher designs often have silly errors, and we don't need to be using those ciphers. But if we must greatly reduce the number of ciphers users might have because we don't have the resources to analyze them all, I think we are missing a bet. I claim it is more important to have many different ciphers than to have a few which are "considered strong." Why? Because we *can't* know how strong our ciphers *really* are to the other guy. But we *can* -- guaranteed -- make The Opponent pay dearly to keep up.

>[...]
>>This game of "I'm better than you" is a sickness that infects the
>>entire field of cryptography. It makes every discussion a contest,
>>every relationship a competition, and a mockery of facts and clear,
>>correct reasoning. It works against development in the field, and has
>>got to go. Those professionals who are actively cultivating ego cults
>>for their own self-gratification are part of the problem.
>
>No. The adversarial game of making and breaking is what makes
>cryptography cryptography. I design; you break. You design; I break.
>This is what cryptography is.

I am not referring to legitimate thrust and parry of design and analysis, I am referring to exactly the sort of behavior in your (now deleted) anecdote. I claim:

* The legitimate response to a design is a break.
* The legitimate response to a fixed design is a break.
* The legitimate response to a fixed fixed design is a break.

A humiliating response is never appropriate. And while I am sure we all fail at this goal, we don't all laugh about it, nor do we provide it as an example for others to follow.

Life is tough for cipher analyzers. It must be frustrating when newbies simply do not (no doubt interpreted as "will not") get the point. But *I* am no newbie, and *I* often miss *my* own errors, so I have some sympathy for these guys. I am sure that very few designers quit designing until they are satisfied; almost nobody brings you weak ciphers on purpose.

A big reason that newbies are such a problem is that *we* have failed to communicate cryptography to them. If we had a literature of newbie ciphers and their breaks, we could avoid much of this. But we don't have such a literature specifically because those who complain most about the newbie problem have not allowed that literature to develop. Well, they can't have it both ways.

>[...]
>>>1. Describe your cipher using standard notation. This doesn't mean C
>>>code. There is established terminology in the literature. Learn it
>>>and use it; no one will learn your specialized terminology.
>>
>>Yes. There are established notations for the design of logic systems,
>>and they include both "schematics" and "flow charts" as well as C.
>>But more than anything else, the "standard notation" includes a clear,
>>logical presentation in some language (but if that is not English, *I*
>>will have a problem!). It is also important to give some
>>justification for the various design decisions which are usually
>>necessary.
>
>I don't mean established notations for the design of logic systems.
>This is mathematics after all. I mean standard mathematical notation.

No, cryptography is *not* mathematics. I suppose that all cryptography can be *described* by mathematics, but that is a far different situation. It is different in the same way that trees can be described by mathematics, but such a description will not contain the essence of "tree-ness," or at least not clearly.

Math descriptions *are* appropriate for essentially mathematical ciphers like number-theoretic designs. But math descriptions are *less* appropriate for logic systems. There is a *reason* most logic designers communicate by schematic: That reason is clarity. Most symmetric ciphers are before all else logic systems, not theorems.

I also note that a math description is hardly a panacea, since 50 years of mathematical cryptography have yet to give us strength. It would be different if we could just take the math description, crank the numbers, and get the answer we want. But we can't. It may be time for a change.

>>>3. Show why your cipher is immune against each of the major attacks
>>>known in literature. It is not good enough just to say that it is
>>>secure, you have to show why it is secure against these attacks. This
>>>requires, of course, that you not only have read the literature, but
>>>also understand it. Expect this process to take months, and result in
>>>a large heavily mathematical document. And remember, statistical
>>>tests are not very meaningful.
>>
>>That last sentence sounds a lot like statistics-envy. Surely it
>>should read that "statistical tests should not be used to support
>>inappropriate conclusions." But we could say the same thing about
>>mathematics itself.
>
>No. I stand by my sentence. Statistical tests are not very
>meaningful. If you saw a cipher design that was accompanied by
>nothing other than statistical tests of randomness, wouldn't your
>snake-oil detector go off?

Not all statistics is frequency testing. Presumably, one goal in cryptography *ought* to be the coordinated construction of both ciphering structures and statistical tests of those structures which could argue for overall strength. This is a laudable goal, and could be meaningful as hell. But we aren't going to see very much of it if we first discourage everyone from taking that path.

---
Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 27 Oct 1998 17:37:47 GMT
From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard)
Message-ID: <3635fffc.3625753@news.prosurfr.com>
References: <3634a751.2469260@news.io.com>
Newsgroups: sci.crypt
Lines: 63

ritter@io.com (Terry Ritter) wrote, in part:

>I will agree that new cipher designs often have silly errors, and we
>don't need to be using those ciphers. But if we must greatly reduce
>the number of ciphers users might have because we don't have the
>resources to analyze them all, I think we are missing a bet. I claim
>it is more important to have many different ciphers than to have a few
>which are "considered strong." Why? Because we *can't* know how
>strong our ciphers *really* are to the other guy. But we *can* --
>guaranteed -- make The Opponent pay dearly to keep up.

This is something I basically agree with. Supposing one, or a small handful of ciphers, are so popular that nobody uses anything else: DES, IDEA, Blowfish.

Down the road, despite all the work that has gone into studying them, a weakness that had been overlooked is discovered.

But the recommendations you appear to be making to avoid this danger all seem to have a worse danger: removing the barriers to less credible cipher designers will result in an awful lot of cipher designs with 'silly errors' floating around, with fewer signposts to indicate how to avoid them.

An argument that the barriers are currently too high - that the cryptographic community, as far as symmetric-key systems are concerned, is focused too much on conventional block ciphers to the exclusion of all else - is something I would be glad to agree with. A radical call to dispense with all barriers, though, doesn't make sense. It makes it look like you think David A. Scott, and others like him, are right; and creating that impression is not going to help your own struggle for a fair hearing.

My own viewpoint is that even if only a limited number of ciphers are analyzed, if these ciphers are representative of a number of basic types, it should be possible to establish groundwork on which essentially trivial variations of these ciphers could be made safely. So that The Opponent doesn't get to attack DES, but DES-alike number 1,394,442.

Symmetric ciphers that don't lengthen the input text don't have much opportunity to leak data and make things worse in a multiple-cipher chain, therefore:

I'd tend to advocate the following as a standard high-security practice: use three ciphers, each from a different tier, on one's secret message. One that is of a type that is very thoroughly analyzed, another one that is different but has received some analysis, and something from out in left field - but yet showing some evidence of care in its design, so that it will not be a waste of time.

Even if the less-analyzed cipher does turn out to be weak, one has the example of DESX - certainly XOR by a 64-bit constant is weak - to show that the weak cipher, acting as whitening for the strong one, could still contribute security fully proportionate to (the lesser of) its key size (and that of the stronger cipher).

Making the Opponent work harder is not the same thing as providing the Opponent with an opportunity to get lucky.

John Savard
http://members.xoom.com/quadibloc/index.html
Subject: Re: Memo to the Amateur Cipher Designer
Date: 28 Oct 1998 04:32:35 GMT
From: cbbrowne@news.hex.net (Christopher Browne)
Message-ID: <7166p3$s7p$4@blue.hex.net>
References: <3635fffc.3625753@news.prosurfr.com>
Newsgroups: sci.crypt
Lines: 164

On Tue, 27 Oct 1998 17:37:47 GMT, John Savard <jsavard@tenMAPSONeerf.edmonton.ab.ca> wrote:
>ritter@io.com (Terry Ritter) wrote, in part:
>
>>I will agree that new cipher designs often have silly errors, and we
>>don't need to be using those ciphers. But if we must greatly reduce
>>the number of ciphers users might have because we don't have the
>>resources to analyze them all, I think we are missing a bet. I claim
>>it is more important to have many different ciphers than to have a few
>>which are "considered strong." Why? Because we *can't* know how
>>strong our ciphers *really* are to the other guy. But we *can* --
>>guaranteed -- make The Opponent pay dearly to keep up.
>
>This is something I basically agree with. Supposing one, or a small
>handful of ciphers, are so popular that nobody uses anything else:
>DES, IDEA, Blowfish.
>
>Down the road, despite all the work that has gone into studying them,
>a weakness that had been overlooked is discovered.

And these are quite valid reasons to encourage as much participation *as possible.* Note that *as possible* does not necessarily imply that *everyone* that wishes that they could "play the game" gets into the game.

>But the recommendations you appear to be making to avoid this danger
>all seem to have a worse danger: removing the barriers to less
>credible cipher designers will result in an awful lot of cipher
>designs with 'silly errors' floating around, with fewer signposts to
>indicate how to avoid them.

And this is to some extent self-correcting. In order to be able to *communicate* whether designs are competently done, it is necessary to have credible *communications* of designs. That requires having some reasonably expressive common language. As far as I can tell, the only reasonably universal such language is that of mathematical notation.

The situation is self-correcting in that those that do not have enough grasp of common notations such that they can communicate their ideas will not be heard.

The same is true in various areas of science; there may be some neat ideas being found out in obscure places relating to many disciplines. And if those ideas cannot be communicated using the common languages and notations in use, they will not "make it" whether they have merit or not.

The point is that whatever notations get used to describe cryptographic algorithms and systems, they *will* represent isomorphisms to *some* form of mathematical notation. And if someone is so "independent" of any "established" community that they have notation that is, or nearly is, incomprehensible to the rest of the community, there are several possible causes/effects:

a) Perhaps there is a previously-used notation that nicely represents the algorithm or protocol. "That's a minor variant of Schneier's Feistel cipher.../" In which case it is preferable for the newcomer to learn the existing notation, so as to be able to fit whatever is new about the cipher into the existing taxonomy.

b) Perhaps the idea really is new and crucial to the community, and should add to the taxonomy. Which is difficult to determine without having a previous attempt to find isomorphisms that would allow the cipher features to be mapped onto existing notations.

c) The ideas might *not* be crucial or new, and it is thus *not* important for the community at large to understand the new notation. There *are* crackpots out there, and lots of them, in virtually any area of scientific endeavor.

In scientific study, it seems to be considered appropriate for people initiating research to try to figure out the common features that new work has with old work. In the context of crypto research, this implies that a good deal of responsibility for figuring out "where their work fits in" falls to those that come up with new algorithms.

It is all well and good to suggest that those already knowledgeable can help determine taxonomy; Bruce Schneier has done a pretty good job of assisting with this via having written a relatively approachable book that explains many existing ciphers.

>An argument that the barriers are currently too high - that the
>cryptographic community, as far as symmetric-key systems is concerned,
>is focused too much on conventional block ciphers to the exclusion of
>all else - is something I would be glad to agree with.

And they may be focusing that way as:
- Network protocols work with "blocks" of data
- File systems work with "blocks" of data
which all implies that blocks are of fundamental importance.

Further, even a single byte represents a block of 8 bits. And CPUs are getting increasingly large registers, such that it makes little sense to work with quantities of data much smaller than 64 bits at a time.

In effect, there are many reasons to think blocks are important.

>A radical call
>to dispense with all barriers, though, doesn't make sense. It makes it
>look like you think David A. Scott, and others like him, are right;
>and creating that impression is not going to help your own struggle
>for a fair hearing.

Unfortunately, an algorithm presentation that can't be read due to the use of unconventional notation will be given less attention than one that uses more conventional notation. And in an area of study where being off by a single bit is expected to make a message into a seemingly random jumble, spelling really does count.

>My own viewpoint is that even if only a limited number of ciphers are
>analyzed, if these ciphers are representative of a number of basic
>types, it should be possible to establish groundwork on which
>essentially trivial variations of these ciphers could be made safely.
>So that The Opponent doesn't get to attack DES, but DES-alike number
>1,394,442.

Evidence in the area of construction of random number generators suggests some contrary evidence; the composition of artificial randomness does not necessarily make things look more random.

Not so incidentally, that suggests further the importance of mathematical analysis and the validity of the use of mathematical notation as the "lingua franca" for cryptography.

>I'd tend to advocate the following as a standard high-security
>practice: use three ciphers, each from a different tier, on one's
>secret message. One that is of a type that is very thoroughly
>analyzed, another one that is different but has received some
>analysis, and something from out in left field - but yet showing some
>evidence of care in its design, so that it will not be a waste of
>time.

This isn't an outrageous idea; I would suggest also that it is important to make sure that each "tier" is suitably associated with protocols and (perhaps) appropriate "salting" so that security is not lost via the interfacing of the "tiers."

That is, the tiers should be kept as independent as possible so that the evidence found by breaking one level is minimally helpful for attacking other levels.

Otherwise, you may wind up effectively depending on the weakest of the three ciphers...

--
"There are two types of hackers working on Linux: those who can spell, and those who can't. There is a constant, pitched battle between the two camps."
--Russ Nelson (Linux Kernel Summary, Ver. 1.1.75 -> 1.1.76)
cbbrowne@ntlug.org- <http//www.hex.net/~cbbrowne/lsf.html>
Subject: Re: Memo to the Amateur Cipher Designer Date: Wed, 28 Oct 1998 05:21:13 GMT From: ritter@io.com (Terry Ritter) Message-ID: <3636a99a.11757150@news.io.com> References: <3635fffc.3625753@news.prosurfr.com> Newsgroups: sci.crypt Lines: 156 On Tue, 27 Oct 1998 17:37:47 GMT, in <3635fffc.3625753@news.prosurfr.com>, in sci.crypt jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) wrote: >[...] >But the recommendations you appear to be making to avoid this danger >all seem to have a worse danger: removing the barriers to less >credible cipher designers will result in an awful lot of cipher >designs with 'silly errors' floating around, with fewer signposts to >indicate how to avoid them. I see nothing wrong with ordinary people making their own decisions on cryptography -- or anything else -- based on whatever information they wish to use. If the academics find weakness in particular designs, they can announce that. After some real-world interpretation of those results, people may take steps to move to another cipher. But this implies that users *have* another cipher, and that it is fairly easy to make a change. Neither of these is likely to be true currently, and I would like to see that change. >An argument that the barriers are currently too high - that the >cryptographic community, as far as symmetric-key systems is concerned, >is focused too much on conventional block ciphers to the exclusion of >all else - is something I would be glad to agree with. I do think "the barriers are too high" in the sense that the archival literature tends to avoid what we really want to know. The current ideal article is a cipher with lots of mathematical manipulation -- yet no overall proof of strength -- which rarely if ever supports a reasonable attack. But I think we generally learn more from attacks than we do from new ciphers. 
We would thus be better served to have more designs -- including weaker ciphers -- in the archival literature, which would support attacks and so deliver insight not otherwise apparent. Allowing "weaker" designs into the archival literature would also give us a reasonable way first to handle the unique designs that academics now actively avoid, and second to serve as a roadmap to knowledge for most newbies. I think a desire to keep the academic literature "pristine" is misguided with respect to cipher designs. Cipher designs cannot be considered "science" in the usual sense anyway, because no new facts are developed and no conclusions proven. This is a design literature, and what we want to know for the future are the failures of the past, in great detail. >A radical call >to dispense with all barriers, though, doesn't make sense. Information security necessarily requires personal commitment. Making individuals (or corporate departments) responsible for using their best judgment on cipher selection seems a very worthwhile tool to get people to pay attention. The cipher itself is almost never the real problem, and paying attention to security can help a lot. >It makes it >look like you think David A. Scott, and others like him, are right; >and creating that impression is not going to help your own struggle >for a fair hearing. (I would normally ignore this, but it is a repeat.) If someone is going to judge me by which "side" I seem to be taking, I have little hope that *anything* I *could* present would be received "fairly." The issue is the argument, not who presents it, nor who their acquaintances might be, nor what "side" they are on. [With respect to "sides," I note that reality is not subject to a popular vote. And I don't think I *have* a "struggle for a fair hearing" -- none of this is about me.] Many newbies act as they do because they think they are ignored. This is not their delusion, they really *are* ignored. 
Now, academics may feel that this separates the great unwashed from those of worth, but I think a professor with that point of view should be fired. There really needs to be a better way to help newbies understand where their designs fit in the overall scheme of things. In my view, a "putdown" shows more about the "put-er" than the "put-ee." Experts who cannot explain something simply probably don't really know the subject. >My own viewpoint is that even if only a limited number of ciphers are >analyzed, if these ciphers are representative of a number of basic >types, it should be possible to establish groundwork on which >essentially trivial variations of these ciphers could be made safely. >So that The Opponent doesn't get to attack DES, but DES-alike number >1,394,442. It would be nice if different cipher versions required significantly different attacks. But since we don't know "the" weakness of a cipher in the first place, it would seem difficult to know which weakness each variation has. I guess DES-like ciphers might have different tables, and we could index those tables and select among them for each "different" cipher, which might be good enough. >Symmetric ciphers that don't lengthen the input text don't have much >opportunity to leak data and make things worse in a multiple-cipher >chain, therefore: That is a very good point. >I'd tend to advocate the following as a standard high-security >practice: use three ciphers, each from a different tier, on one's >secret message. One that is of a type that is very thoroughly >analyzed, another one that is different but has received some >analysis, and something from out in left field - but yet showing some >evidence of care in its design, so that it will not be a waste of >time. And that is another good point, which I intend to adopt. In the past I have not seriously considered multiple ciphering for a production environment, but it may be time to change that.
Because the mathematicians among us have not delivered provable strength in practical ciphers, it may be time to argue that multi-ciphering *should* be considered the *expected* operation. We don't need to depend on a single cipher. Multi-ciphering does seem to require three levels to gain the full strength benefit, and having three different ciphers should be pretty nice. Slow, but nice. >Even if the less-analyzed cipher does turn out to be weak, one has the >example of DESX - certainly XOR by a 64-bit constant is weak - to show >that the weak cipher, acting as whitening for the strong one, could >still contribute security fully proportionate to (the lesser of) its >key size (and that of the stronger cipher). > >Making the Opponent work harder is not the same thing as providing the >Opponent with an opportunity to get lucky. There are several types of "working harder" here. One is the actual deciphering of messages, which I assume you mean. Another type of "working harder" is the identification, acquisition, and analysis of each cipher variant. And since "many ciphers" means distributing information of value among them, breaking any one means getting only a subset of the information. So with "many ciphers," "attacking" costs more and produces less, an approach which naturally favors the user over the attacker. --- Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Memo to the Amateur Cipher Designer Date: Wed, 28 Oct 1998 12:47:39 -0600 From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw) Message-ID: <jgfunj-2810981247390001@dialup136.itexas.net> References: <3636a99a.11757150@news.io.com> Newsgroups: sci.crypt Lines: 21 In article <3636a99a.11757150@news.io.com>, ritter@io.com (Terry Ritter) wrote: > > >Symmetric ciphers that don't lengthen the input text don't have much > >opportunity to leak data and make things worse in a multiple-cipher > >chain, therefore: > > That is a very good point. > It's a good point to consider since it is not accurate. It all depends on what is happening in the algorithms themselves. You could run the risk of producing some interference pattern in the combination of algorithms that could produce a poor result, less than what you want; there are many good examples. -- --- Please excuse if there are multiple postings for my responses...I have no idea where they come from as I only receive one confirmation for each posting from my newsserver. --- Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer Date: Wed, 28 Oct 1998 19:13:12 GMT From: ritter@io.com (Terry Ritter) Message-ID: <36376cba.5685292@news.io.com> References: <jgfunj-2810981247390001@dialup136.itexas.net> Newsgroups: sci.crypt Lines: 30 On Wed, 28 Oct 1998 12:47:39 -0600, in <jgfunj-2810981247390001@dialup136.itexas.net>, in sci.crypt jgfunj@EnqvbSerrGrknf.pbz (W T Shaw) wrote: >In article <3636a99a.11757150@news.io.com>, ritter@io.com (Terry Ritter) wrote: > >> >Symmetric ciphers that don't lengthen the input text don't have much >> >opportunity to leak data and make things worse in a multiple-cipher >> >chain, therefore: >> >> That is a very good point. >> >It's a good point to consider since it is not accurate. It all depends on >what is happening in the algorithms themselves. > >You could run the risk of producing some interference pattern in the >combination of algorithms that could produce a poor result, less than what >you want; there are many good examples. While *possible*, in the context of structurally-different ciphers it is *extremely* unlikely. Indeed, exactly the type of thing we might be most suspicious of -- encipher, decipher, encipher, using the exact same cipher -- is widely accepted as Triple DES. --- Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Memo to the Amateur Cipher Designer Date: Thu, 29 Oct 1998 00:07:54 GMT From: dscott@networkusa.net Message-ID: <718bkq$t1i$1@nnrp1.dejanews.com> References: <36376cba.5685292@news.io.com> Newsgroups: sci.crypt Lines: 49 In article <36376cba.5685292@news.io.com>, ritter@io.com (Terry Ritter) wrote: > > On Wed, 28 Oct 1998 12:47:39 -0600, in > <jgfunj-2810981247390001@dialup136.itexas.net>, in sci.crypt > jgfunj@EnqvbSerrGrknf.pbz (W T Shaw) wrote: > > >In article <3636a99a.11757150@news.io.com>, ritter@io.com (Terry Ritter) wrote: > > > >> >Symmetric ciphers that don't lengthen the input text don't have much > >> >opportunity to leak data and make things worse in a multiple-cipher > >> >chain, therefore: > >> > >> That is a very good point. > >> > >It's a good point to consider since it is not accurate. It all depends on > >what is happening in the algorithms themselves. > > > >You could run the risk of producing some interference pattern in the > >combination of algorithms that could produce a poor result, less than what > >you want; there are many good examples. > > While *possible*, in the context of structurally-different ciphers it > is *extremely* unlikely. Indeed, exactly the type of thing we might > be most suspicious of -- encipher, decipher, encipher, using the exact > same cipher -- is widely accepted as Triple DES. > I don't see why this is not obvious to the so-called experts. I think they speak highly of Triple DES so as to stay on good terms with their handlers. It is obvious that mixing three different types of ciphers would be better than Triple DES; my feelings are that the NSA can most likely break it easily. What do you think, Ritter?
> --- > Terry Ritter ritter@io.com http://www.io.com/~ritter/ > Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM > > -- http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip ftp search for scott*u.zip in norway -----------== Posted via Deja News, The Discussion Network ==---------- http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
Subject: Re: Memo to the Amateur Cipher Designer Date: Thu, 29 Oct 1998 18:40:17 GMT From: ritter@io.com (Terry Ritter) Message-ID: <3638b653.7408218@news.io.com> References: <718bkq$t1i$1@nnrp1.dejanews.com> Newsgroups: sci.crypt Lines: 42 On Thu, 29 Oct 1998 00:07:54 GMT, in <718bkq$t1i$1@nnrp1.dejanews.com>, in sci.crypt dscott@networkusa.net wrote: >[...] > I don't see why this is not obvious to the so-called experts. >I think they speak highly of Triple DES so as to stay on good terms >with their handlers. It is obvious that mixing three different types >of ciphers would be better than Triple DES; my feelings are that >the NSA can most likely break it easily. > What do you think, Ritter? I was briefly involved in ANSI X9F3 banking security standards discussions some years ago, and as I recall there was pressure from NSA to use only registered ciphers, to avoid Triple DES, and to prevent multi-ciphering. But maybe that was just disinformation to make us think Triple DES was strong. We don't know what NSA can do, and I am not sure it is useful to speculate. Can they break our strongest ciphers? Well, we really do desperately need some way to measure or prove cipher strength. Lacking that, I think large blocks, many ciphers, and multi-ciphering make a lot of sense, especially if the goal is to achieve cryptographic levels of assured strength. But in practice, most of the time, ciphers only need oppose direct technical attacks which are cheaper than bribery, and that will be a pretty weak attack. In that sense, weak ciphers may be less of a problem than having a single fixed cipher that might be cryptanalyzed once and used to expose everybody. Since we can't know what NSA can do, I think it can be a waste of time to worry about it. (Of course, if NSA is doing things a democracy should not do, that's something else.) I think the danger is less in what NSA can do, and more in what we refuse to do to help ourselves.
--- Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Memo to the Amateur Cipher Designer Date: Thu, 29 Oct 1998 14:10:50 -0500 From: Tim Bass <bass@silkroad.com> Message-ID: <3638BDBA.7D31E61@silkroad.com> References: <3638b653.7408218@news.io.com> Newsgroups: sci.crypt Lines: 45 > We don't know what NSA can do, and I am not sure it is useful to > speculate. Can they break our strongest ciphers? Well, we really do > desperately need some way to measure or prove cipher strength. ... > Since we can't know what NSA can do, I think it can be a waste of time > to worry about it. On a lighter but related note. If all the brainpower used on this and similar threads (both reading and writing and deleting) were converted to useful crypto teamwork, analysis, model development, etc., NSA or any organization would have little in the way of 'greater abilities and technological advancement'. From an intellectual perspective, I've read nothing which is remotely enlightening from this entire thread. The posts with personal attacks on others and the harsh opinions without facts are not the words of gentlemen, IMHO. It speaks very poorly for sci.crypt that those of diverse backgrounds and opinions cannot discuss relative trivia without resorting to 'angry hate mail'. There is no cryptographic algorithm, cipher, or mathematical implementation which is more important than conducting ourselves as gentlemen in the face of controversy. My hat's off to the many on sci.crypt who enjoy the pleasure of conducting yourselves as gentlemen as you are being attacked by the angry and frustrated minority. That's all I have to say on this thread. It would be very pleasurable if we could find a way to harness anger, frustration, and all the negative energy and create useful, meaningful work in sci.crypt. Just think of what we could accomplish as collaborators vis-a-vis antagonists! My apologies for the raw idealism....
-Tim -- Tim Bass Principal Consultant, Systems Engineering Bass & Associates Tel: (703) 222-4243 Fax: (703) 222-7320 EMail: bass@silkroad.com.antispam (remove antispam tag) http://www.silkroad.com/consulting/technical.html
Subject: Re: Memo to the Amateur Cipher Designer Date: 29 Oct 1998 19:59:12 GMT From: aph@cygnus.remove.co.uk (Andrew Haley) Message-ID: <71aheg$phd$2@korai.cygnus.co.uk> References: <3638BDBA.7D31E61@silkroad.com> Newsgroups: sci.crypt Lines: 10 Tim Bass (bass@silkroad.com) wrote: : There is no cryptographic algorithm, cipher, or mathematical : implementation which is more important than conducting ourselves : as gentlemen in the face of controversy. How do you expect a female cryptographer to feel when told to conduct herself like a gentleman? That's crude sexism, not raw idealism. First take the mote from your own eye... Andrew.
Subject: Re: Memo to the Amateur Cipher Designer Date: Fri, 30 Oct 1998 05:23:01 GMT From: "Douglas A. Gwyn" <DAGwyn@null.net> Message-ID: <36394CD6.333B43BC@null.net> References: <71aheg$phd$2@korai.cygnus.co.uk> Newsgroups: sci.crypt Lines: 8 Andrew Haley wrote: > How do you expect a female cryptographer to feel when told to conduct > herself like a gentleman? He didn't address an individual, he addressed an entire anonymous group. "Gentlemen" was correct English in that context. And yes, some of my best friends are women -- but I wouldn't want my sister to marry one!
Subject: Re: Memo to the Amateur Cipher Designer Date: Fri, 30 Oct 1998 12:36:42 GMT From: dscott@networkusa.net Message-ID: <71cbsq$ahc$1@nnrp1.dejanews.com> References: <36394CD6.333B43BC@null.net> Newsgroups: sci.crypt Lines: 27 In article <36394CD6.333B43BC@null.net>, "Douglas A. Gwyn" <DAGwyn@null.net> wrote: > Andrew Haley wrote: > > How do you expect a female cryptographer to feel when told to conduct > > herself like a gentleman? > > He didn't address an individual, he addressed an entire anonymous group. > "Gentlemen" was correct English in that context. > And yes, some of my best friends are women -- but I wouldn't want my > sister to marry one! > That is a sexist statement if I ever saw one. I think maybe your sister might be better off with a woman. I know I prefer them over men. So it makes sense to me that they might like women better too. Of course, if you prefer men like the best of the British crypto people, whom the Brits only use during war time when the rules are solve the problem or die, that is your business. Too bad the Brits don't have an open mind during peace time. Everybody likes a little piece now and then. -- http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip ftp search for scott*u.zip in norway
Subject: Re: Memo to the Amateur Cipher Designer Date: Fri, 30 Oct 1998 17:07:25 -0500 From: Tim Bass <bass@nospam.silkroad.com> Message-ID: <363A389D.4988F47B@nospam.silkroad.com> References: <71d3kq$ivl$1@korai.cygnus.co.uk> <36394CD6.333B43BC@null.net> Newsgroups: sci.crypt Lines: 52 If an adult was looking at a sandbox full of children and many of the boys were hitting, kicking, spitting, and scratching all the other children while other boys and girls tried to enjoy playing, then an adult is perfectly correct to use the phrase: "Please Little Boys, Be Nice, Stop Fighting and Play Together!" Of course! there always seems to be an angry boy or two in the sandbox who turn their mischief to annoying the one who asked them to be nice :):) Enlightened adults with sensibility who read sci.crypt and the personal attacks on many of the good folks during this and other threads can see who in the sci.crypt sandbox wants to play together and who wants to throw mud at everyone else. If "the mudslingers" want to continue to attack others in this sandbox, I suggest they attack them in private email and not in public. And yes, it would be good to behave as "gentlemen". (I have not read any negative comments, harsh speech, nor personal attacks by any of the fairer, kinder, calmer, mature, sensible, and more enlightened sex in sci.crypt. Women are far too enlightened, IMHO). Also, if those who have been picking on and attacking Mr. Schneier would kindly stop and conduct themselves as gentlemen, it would be much appreciated by many of us. It is really uncalled for and of very poor taste to attack out of malice with the intent to discredit and destroy others. All restraint from harsh and offensive speech would make sci.crypt a much more positive experience for everyone, IMHO.
- Best Regards, Tim -- Tim Bass Principal Consultant, Systems Engineering Bass & Associates Tel: (703) 222-4243 Fax: (703) 222-7320 EMail: bass@silkroad.com.antispam (remove antispam tag) http://www.silkroad.com/consulting/technical.html
Subject: Re: Memo to the Amateur Cipher Designer Date: Fri, 30 Oct 1998 17:11:35 -0500 From: Tim Bass <bass@nospam.silkroad.com> Message-ID: <363A3997.93DE323@nospam.silkroad.com> References: <363A389D.4988F47B@nospam.silkroad.com> Newsgroups: sci.crypt Lines: 13 > All restraint from harsh and offensive speech would make sci.crypt > a much more positive experience for everyone, IMHO. Obviously, the above sentence should read (my humble apologies): Restraint from harsh and offensive speech would make sci.crypt a much more positive experience for everyone, IMHO. Thank you for your cooperation in making sci.crypt a good experience for everyone!! -Tim
Subject: Re: Memo to the Amateur Cipher Designer Date: Sat, 31 Oct 1998 03:34:30 GMT From: dscott@networkusa.net Message-ID: <71e0g6$m8p$1@nnrp1.dejanews.com> References: <363A3997.93DE323@nospam.silkroad.com> Newsgroups: sci.crypt Lines: 31 In article <363A3997.93DE323@nospam.silkroad.com>, Tim Bass <bass@nospam.silkroad.com> wrote: > > All restraint from harsh and offensive speech would make sci.crypt > > a much more positive experience for everyone, IMHO. > > Obviously, the above sentence should read (my humble apologies): > > Restraint from harsh and offensive speech would make sci.crypt > a much more positive experience for everyone, IMHO. > > Thank you for your cooperation in making sci.crypt a good > experience for everyone!! > > -Tim > Are you for real? Or not? I suspect a troll. If I didn't know better I would think your last name BASS was a BS clever attempt, since it does sound a little fishy to me. And Bruce is a Spammer and he laughingly admits it. So what is wrong with telling him the truth about himself? He is nothing but a pompous phony. At least Ritter has more integrity. -- http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip ftp search for scott*u.zip in norway
Subject: Re: Memo to the Amateur Cipher Designer Date: Sat, 31 Oct 1998 06:59:50 GMT From: "Douglas A. Gwyn" <DAGwyn@null.net> Message-ID: <363AB508.9E02F0A9@null.net> References: <71d3kq$ivl$1@korai.cygnus.co.uk> <36394CD6.333B43BC@null.net> Newsgroups: sci.crypt Lines: 5 Andrew Haley wrote: > Think about it. I have thought about it, and trying to change the language to force one's political views on the world is sickening.
Subject: Re: Memo to the Amateur Cipher Designer Date: Fri, 30 Oct 1998 01:08:16 GMT From: dscott@networkusa.net Message-ID: <71b3i1$p14$1@nnrp1.dejanews.com> References: <3638b653.7408218@news.io.com> Newsgroups: sci.crypt Lines: 56 In article <3638b653.7408218@news.io.com>, ritter@io.com (Terry Ritter) wrote: > > On Thu, 29 Oct 1998 00:07:54 GMT, in > <718bkq$t1i$1@nnrp1.dejanews.com>, in sci.crypt dscott@networkusa.net > wrote: > > >[...] > > I don't see why this is not obvious to the so-called experts. > >I think they speak highly of Triple DES so as to stay on good terms > >with their handlers. It is obvious that mixing three different types > >of ciphers would be better than Triple DES; my feelings are that > >the NSA can most likely break it easily. > > What do you think, Ritter? > > I was briefly involved in ANSI X9F3 banking security standards > discussions some years ago, and as I recall there was pressure from > NSA to use only registered ciphers, to avoid Triple DES, and to > prevent multi-ciphering. But maybe that was just disinformation to > make us think Triple DES was strong. > > We don't know what NSA can do, and I am not sure it is useful to > speculate. Can they break our strongest ciphers? Well, we really do > desperately need some way to measure or prove cipher strength. > Lacking that, I think large blocks, many ciphers, and multi-ciphering > make a lot of sense, especially if the goal is to achieve > cryptographic levels of assured strength. > > But in practice, most of the time, ciphers only need oppose direct > technical attacks which are cheaper than bribery, and that will be a > pretty weak attack. In that sense, weak ciphers may be less of a > problem than having a single fixed cipher that might be cryptanalyzed > once and used to expose everybody. > > Since we can't know what NSA can do, I think it can be a waste of time > to worry about it. (Of course, if NSA is doing things a democracy > should not do, that's something else.)
I think the danger is less in > what NSA can do, and more in what we refuse to do to help ourselves. > > --- > Terry Ritter ritter@io.com http://www.io.com/~ritter/ > Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM > > I liked your answer. I just thought I would say so for those who like to read my posts, in case they miss your response. I have to admit you write better than me. Which of course is an understatement. -- http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip ftp search for scott*u.zip in norway
Subject: Re: Memo to the Amateur Cipher Designer Date: Thu, 29 Oct 1998 10:32:50 -0500 From: Jerry Leichter <leichter@smarts.com> Message-ID: <36388AA2.3E87@smarts.com> References: <36376cba.5685292@news.io.com> Newsgroups: sci.crypt Lines: 36 | >You could run the risk of producing some interference pattern in the | >combination of algorithms that could produce a poor result, less | >than what you want; there are many good examples. | | While *possible*, in the context of structurally-different ciphers it | is *extremely* unlikely. Not only is it extremely unlikely - it would be a direct indication that *both* of the ciphers involved were weaker than expected. After all, if an attacker has an easier time of attacking E1(E2(X)) than E2(X), then against a target using E2 he can simply apply E1 himself! This works for any class of attack, all the way from ciphertext only to chosen plaintext. (Things are only slightly more subtle for an attack against E1.) It *is* essential for this argument that the keys for the two encryptions be uncorrelated. Then again, you can see that's essential anyway. As a trivial example, if there were a ciphertext-only attack against E1, and the key used for E2 could be computed from the one used for E1, an attack will have no problem with E1(E2(X)). | Indeed, exactly the type of thing we might | be most suspicious of -- encipher, decipher, encipher, using the exact | same cipher -- is widely accepted as Triple DES. The same argument (with the same restriction) goes through here. Iterating a cipher is often the start of an attack - it's essential that there be no (well, almost no) short cycles under iteration. This has been tested for DES. Interestingly, it doesn't seem to be among the standard list of things that new ciphers get tested against. I'm unaware of any general results about, say, Feistel ciphers with certain kinds of F functions, that guarantee no short cycles.
Is this a potential (if unlikely) vulnerability that's being overlooked? -- Jerry
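Leichter's argument above, that a cascade E1(E2(X)) with independent keys can be no easier to attack than E2 alone, and his caveat that the keys must be uncorrelated, can both be checked exhaustively on ciphers small enough to enumerate. The following is an added example written for this page, not code from any poster in the thread. The two toy ciphers (6-bit block, 6-bit key), the fixed random S-box and the key derivation k2 = k1 are all constructed for the demonstration and stand in for the real ciphers the thread discusses.

```python
# Added example: what a two-cipher cascade buys, checked exhaustively on toy
# ciphers with 6-bit blocks and 6-bit keys.  The S-box, both toy ciphers and
# the correlated-key rule are constructed here for the demonstration.
import random

BITS = 6
N = 1 << BITS                 # block space {0, ..., 63}
KEYS = range(N)               # key space, the same size as the block space

# A fixed random S-box, generated once from a fixed seed so runs are repeatable.
_rng = random.Random(0x5EED)
SBOX = list(range(N))
_rng.shuffle(SBOX)


def xor_only(k, x):
    """Toy cipher 1: XOR with the key.  Its keyed permutations form a group."""
    return x ^ k


def sbox_xor(k, x):
    """Toy cipher 2: key mixing followed by a fixed non-linear table.  Not a group."""
    return SBOX[x ^ k]


def perm_table(cipher, k):
    """The permutation of the block space induced by key k, as a bytes table."""
    return bytes(cipher(k, x) for x in range(N))


def compose(outer, inner):
    """Table of outer(inner(x)): the cascade 'inner first, then outer'."""
    return bytes(outer[inner[x]] for x in range(N))


def cascade_is_closed(cipher):
    """True if every E_k1(E_k2(.)) equals E_k3(.) for some single key k3.

    When this holds the cascade is just the same cipher under another key, so
    two independent keys buy nothing: whatever recovers the key of a single
    encryption recovers the effective key of the cascade as well.
    """
    tables = {k: perm_table(cipher, k) for k in KEYS}
    single = set(tables.values())
    return all(compose(tables[k1], tables[k2]) in single
               for k1 in KEYS for k2 in KEYS)


def distinct_cascade_perms(cipher, key_pairs):
    """Number of distinct permutations the cascade realises over key_pairs.

    This is the effective key space of the cascade.  With independent keys it
    can approach N*N; with correlated keys it collapses.
    """
    tables = {k: perm_table(cipher, k) for k in KEYS}
    return len({compose(tables[k1], tables[k2]) for k1, k2 in key_pairs})


INDEPENDENT = [(k1, k2) for k1 in KEYS for k2 in KEYS]
SAME_KEY = [(k, k) for k in KEYS]   # k2 computable from k1 (here simply equal)


if __name__ == "__main__":
    for name, cipher in (("xor_only", xor_only), ("sbox_xor", sbox_xor)):
        print(f"{name}: closed under composition: {cascade_is_closed(cipher)}")
        print(f"  distinct cascades, independent keys: "
              f"{distinct_cascade_perms(cipher, INDEPENDENT)} (single cipher: {N})")
        print(f"  distinct cascades, k2 == k1:         "
              f"{distinct_cascade_perms(cipher, SAME_KEY)}")
```

For the XOR-only cipher the cascade under (k1, k2) is the same cipher under k1 XOR k2, so an attacker who can recover one XOR key recovers the effective key of both; this closure is exactly the "group" property that would make multiple encryption pointless, and Triple DES escapes it only because DES is known not to be a group. With the S-box cipher the cascade realises far more permutations than any single key, which is the situation Leichter's reduction argument assumes. With k2 derived from k1, the XOR cascade collapses to a single permutation (here the identity), which is his correlated-key caveat made concrete.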
Subject: Re: Memo to the Amateur Cipher Designer Date: Thu, 29 Oct 1998 16:31:12 GMT From: schneier@counterpane.com (Bruce Schneier) Message-ID: <36389829.6513924@news.visi.com> References: <36388AA2.3E87@smarts.com> Newsgroups: sci.crypt Lines: 22 On Thu, 29 Oct 1998 10:32:50 -0500, Jerry Leichter <leichter@smarts.com> wrote: >| >You could run the risk of producing some interference pattern in the >| >combination of algorithms that could produce a poor result, less >| >than what you want; there are many good examples. >| >| While *possible*, in the context of structurally-different ciphers it >| is *extremely* unlikely. > >Not only is it extremely unlikely - it would be a direct indication that >*both* of the ciphers involved were weaker than expected. Indeed. You cannot prove that a cascade of several ciphers is stronger than any individual cipher, but it seems reasonable that it is the case. Bruce ********************************************************************** Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098 101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590 Free crypto newsletter. See: http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer Date: Thu, 29 Oct 1998 15:43:28 -0600 From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw) Message-ID: <jgfunj-2910981543280001@dialup105.itexas.net> References: <36389829.6513924@news.visi.com> Newsgroups: sci.crypt Lines: 26 In article <36389829.6513924@news.visi.com>, schneier@counterpane.com (Bruce Schneier) wrote: > On Thu, 29 Oct 1998 10:32:50 -0500, Jerry Leichter > <leichter@smarts.com> wrote: > > >| >You could run the risk of producing some interference pattern in the > >| >combination of algorithms that could produce a poor result, less > >| >than what you want; there are many good examples. > >| > >| While *possible*, in the context of structurally-different ciphers it > >| is *extremely* unlikely. > > > >Not only is it extremely unlikely - it would be a direct indication that > >*both* of the ciphers involved were weaker than expected. > > Indeed. You cannot prove that a cascade of several ciphers is > stronger than any individual cipher, but is seems reasonable that it > is the case. > Reason requires consideration of details. -- --- Please excuse if there are multiple postings for my responses...I have no idea where they come from as I only receive one confirmation for each posting from my newsserver. --- Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer Date: Thu, 29 Oct 1998 20:56:54 GMT From: schneier@counterpane.com (Bruce Schneier) Message-ID: <3638d619.22372027@news.visi.com> References: <36388AA2.3E87@smarts.com> Newsgroups: sci.crypt Lines: 26 On Thu, 29 Oct 1998 10:32:50 -0500, Jerry Leichter <leichter@smarts.com> wrote: >The same argument (with the same restriction) goes through here. >Iterating a cipher is often the start of an attack - it's essential that >there be no (well, almost no) short cycles under iteration. This has >been tested for DES. Interestingly, it doesn't seem to be among the >standard list of things that new ciphers get tested against. I'm >unaware of any general results about, say, Feistel ciphers with certain >kinds of F functions, that guarantee no short cycles. Is this a >potential (if unlikely) vulnerability that's being overlooked? I think people are thinking about this, but with long key lengths like 128- and 256 bits, it's hard to make any definitive statements about short cycles. This would be an excellent criterion for someone to analyze the AES submissions against. I know of various efforts to look at the AES submissions with respect to different attacks, but I have never heard of anyone looking at the possibility of short cycles or group structure. Bruce ********************************************************************** Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098 101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590 Free crypto newsletter. See: http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer Date: Thu, 29 Oct 1998 15:41:00 -0600 From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw) Message-ID: <jgfunj-2910981541010001@dialup105.itexas.net> References: <36388AA2.3E87@smarts.com> Newsgroups: sci.crypt Lines: 35 In article <36388AA2.3E87@smarts.com>, Jerry Leichter <leichter@smarts.com> wrote: > > The same argument (with the same restriction) goes through here. > Iterating a cipher is often the start of an attack - it's essential that > there be no (well, almost no) short cycles under iteration. This has > been tested for DES. Interestingly, it doesn't seem to be among the > standard list of things that new ciphers get tested against. I'm > unaware of any general results about, say, Feistel ciphers with certain > kinds of F functions, that guarantee no short cycles. Is this a > potential (if unlikely) vulnerability that's being overlooked? > It seems to be all important. Not testing for this out of fear that a weakness would be found seems irresponsible. If you work from certain premises, in this case that some ciphers are immune to this problem, then you should want to test to some extent that those ideas actually do hold. You can only mix a few things in so many ways in a fixed length block until your ciphertext is identical with one of your previous plaintexts. Using bigger and more complicated key structures merely lengthens the cycle. Strangely, it does not matter as to which one or several ciphers you use, the same phenomena must occur as it is axiomatic; only the period will change, like different structured pseudorandom generators. To counter the phenomena, I cheat: I change the amount of information in the block; an iterated output can never be the same as a previous input. Remember, Insanity is doing the same thing over and over again and expecting a different result; cryptographically, this still holds.
-- --- Please excuse if there are multiple postings for my responses...I have no idea where they come from as I only receive one confirmation for each posting from my newsserver. --- Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 29 Oct 1998 21:51:53 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <3638e349.18919442@news.io.com>
References: <36388AA2.3E87@smarts.com>
Newsgroups: sci.crypt
Lines: 32

On Thu, 29 Oct 1998 10:32:50 -0500, in <36388AA2.3E87@smarts.com>, in sci.crypt Jerry Leichter <leichter@smarts.com> wrote:

>[...]
>Iterating a cipher is often the start of an attack - it's essential that
>there be no (well, almost no) short cycles under iteration.

I'm not sure I understand this. Presumably "iterating a cipher" means taking some block, then ciphering it repeatedly until some block value shows up again, which of course locks us in a fixed cycle of states.

A conventional block cipher is a simulated huge Simple Substitution. So if we look to substitution tables we may see the same issue there. Certainly Scott has been talking about "single-cycle" tables for a long time, and I have equally long been questioning what such a construction would buy. Some attacks are even *defeated* by multi-cycle tables.

If these "short cycles" are just those which naturally appear in random permutations, surely a large block is a prescription to make it unlikely that we could ever find one, or encounter one by chance.

But if the whole purpose here is to make a stream cipher RNG, surely it would be better to feed the thing from a polynomial counter than to have it eat its own tail.

---
Terry Ritter ritter@io.com http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 30 Oct 1998 02:05:08 GMT
From: dscott@networkusa.net
Message-ID: <71b6sk$t5b$1@nnrp1.dejanews.com>
References: <3638e349.18919442@news.io.com>
Newsgroups: sci.crypt
Lines: 63

In article <3638e349.18919442@news.io.com>, ritter@io.com (Terry Ritter) wrote:
>
> On Thu, 29 Oct 1998 10:32:50 -0500, in <36388AA2.3E87@smarts.com>, in
> sci.crypt Jerry Leichter <leichter@smarts.com> wrote:
>
> >[...]
> >Iterating a cipher is often the start of an attack - it's essential that
> >there be no (well, almost no) short cycles under iteration.
>
> I'm not sure I understand this. Presumably "iterating a cipher" means
> taking some block, then ciphering it repeatedly until some block value
> shows up again, which of course locks us in fixed cycle of states.
>
> A conventional block cipher is a simulated huge Simple Substitution.
> So if we look to substitution tables we may see the same issue there.
> Certainly Scott has been talking about "single-cycle" tables for a
> long time, and I have equally long been questioning what such a
> construction would buy. Some attacks are even *defeated* by
> multi-cycle tables.
>

Yes the Paul Onion attack for a chosen plaintext file if allowed shows that if the cycle length is known you can tailor an attack against a pure iterating cipher. If the cycle length is not known one could still use the attack with multiple length chosen files shorter than the longer one needed for the longer cycle. So if one was to base it in that it might be best to have 2 or 3 cycles which is kind of what SKIPJACK used in its S table. However there are various ways to defeat Maack of X8.zip tried several I think the round keys was his best and he did not limit himself to a single cycle. I still feel a single cycle best from an information point of view and my method of breaking this kind of attack was to use the Paul routine and for bit rotations on the passes.

If Bruce coughs up his money (follow thread on RE: BOOK RECOM) then when Joes get it. Someone may win a thousand dollars. But most millionaires are penny pinchers so don't expect too much.

> If these "short cycles" are just those which naturally appear in
> random permutations, surely a large block is a prescription to make it
> unlikely that we could ever find one, or encounter one by chance.
>
> But if the whole purpose here is to make a stream cipher RNG, surely
> it would be better to feed the thing from a polynomial counter than to
> have it eat its own tail.

But you do like to eat tail don't you Terry?

>
> ---
> Terry Ritter ritter@io.com http://www.io.com/~ritter/
> Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
>
>

--
http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
ftp search for scott*u.zip in norway

-----------== Posted via Deja News, The Discussion Network ==----------
http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 30 Oct 1998 09:59:32 -0500
From: Jerry Leichter <leichter@smarts.com>
Message-ID: <3639D454.23D5@smarts.com>
References: <3638e349.18919442@news.io.com>
Newsgroups: sci.crypt
Lines: 51

| >[...]
| >Iterating a cipher is often the start of an attack - it's essential
| >that there be no (well, almost no) short cycles under iteration.
|
| I'm not sure I understand this. Presumably "iterating a cipher" means
| taking some block, then ciphering it repeatedly until some block value
| shows up again, which of course locks us in fixed cycle of states.

Assuming an invertible cipher, that cycle must contain the original plaintext. Suppose you knew that fairly short cycles were common. Then a chosen-plaintext attack against a given cipher block X is to feed it back to the encryptor, feed the result, etc. If you're in a short cycle, you'll eventually see X again. The value you saw just before seeing X is the original plaintext.

| A conventional block cipher is a simulated huge Simple Substitution.
| So if we look to substitution tables we may see the same issue there.
| Certainly Scott has been talking about "single-cycle" tables for a
| long time, and I have equally long been questioning what such a
| construction would buy. Some attacks are even *defeated* by
| multi-cycle tables.
|
| If these "short cycles" are just those which naturally appear in
| random permutations, surely a large block is a prescription to make it
| unlikely that we could ever find one, or encounter one by chance.

I can't recall the form of the results on this, but in a truly random subgroup of the permutation group, at least some cycles are certain to be very long. Note that the issue is not the *existence* of short cycles: In a random group, there will be some, but if there aren't many, they can't involve more than a tiny fraction of the elements in the group. (If there is even one cycle of length 1/2 the group, then your chance of picking a key that gives you a short cycle is at most 50%: Half the elements are "already spoken for" by the single long cycle.) What we need to know is that the short cycles - all of whose members correspond to "weak keys" of a sort - amount to only an insignificant fraction of the group. (If there is only one cycle, of course, we know this for certain. Then again, cyclic groups have other limitations for cryptographic purposes.)

Of course, we usually choose subsets of the permutation group that are not actually groups (hence not subgroups). However, the same requirement - not too many short cycles - continues to apply over the group generated by the subset.

| But if the whole purpose here is to make a stream cipher RNG, surely
| it would be better to feed the thing from a polynomial counter than to
| have it eat its own tail.

I don't understand the connection.

-- Jerry
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 30 Oct 1998 18:23:27 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <363a0414.6595253@news.io.com>
References: <3639D454.23D5@smarts.com>
Newsgroups: sci.crypt
Lines: 85

On Fri, 30 Oct 1998 09:59:32 -0500, in <3639D454.23D5@smarts.com>, in sci.crypt Jerry Leichter <leichter@smarts.com> wrote:

>| >[...]
>| >Iterating a cipher is often the start of an attack - it's essential
>| >that there be no (well, almost no) short cycles under iteration.
>|
>| I'm not sure I understand this. Presumably "iterating a cipher" means
>| taking some block, then ciphering it repeatedly until some block value
>| shows up again, which of course locks us in fixed cycle of states.
>
>Assuming an invertible cipher, that cycle must contain the original
>plaintext.

[ This is not a set-up for future attack: ] Is it shown that there can be no "lead in" to the short cycles?

>Suppose you knew that fairly short cycles were common. Then
>a chosen-plaintext attack against a given cipher block X is to feed it
>back to the encryptor, feed the result, etc. If you're in a short
>cycle, you'll eventually see X again. The value you saw just before
>seeing X is the original plaintext.

Ah, I see. Chosen-plaintext.

>| A conventional block cipher is a simulated huge Simple Substitution.
>| So if we look to substitution tables we may see the same issue there.
>| Certainly Scott has been talking about "single-cycle" tables for a
>| long time, and I have equally long been questioning what such a
>| construction would buy. Some attacks are even *defeated* by
>| multi-cycle tables.
>|
>| If these "short cycles" are just those which naturally appear in
>| random permutations, surely a large block is a prescription to make it
>| unlikely that we could ever find one, or encounter one by chance.
>
>I can't recall the form of the results on this, but in a truly random
>subgroup of the permutation group, at least some cycles are certain to
>be very long. Note that the issue is not the *existence* of short
>cycles: In a random group, there will be some, but if there aren't
>many, they can't involve more than a tiny fraction of the elements in
>the group. (If there is even one cycle of length 1/2 the group, then
>your chance of picking a key that gives you a short cycle is at most
>50%: Half the elements are "already spoken for" by the single long
>cycle.) What we need to know is that the short cycles - all of whose
>members correspond to "weak keys" of a sort - amount to only an
>insignificant fraction of the group. (If there is only one cycle, of
>course, we know this for certain. Then again, cyclic groups have other
>limitations for cryptographic purposes.)

OK, with the implication being that a random permutation of reasonable size should not have this difficulty.

On the other hand, it seems like we could traverse permutations of modest size and collect cycle-length probability statistics. Then we could measure maximum or minimum cycle lengths, or the distribution itself. Experimental success should improve our confidence that constructions do indeed behave like random permutations. This is probably orthogonal to Boolean function nonlinearity, and may be another reasonable test.

>Of course, we usually choose subsets of the permutation group that are
>not actually groups (hence not subgroups). However, the same
>requirement - not too many short cycles - continues to apply over the
>group generated by the subset.
>
>| But if the whole purpose here is to make a stream cipher RNG, surely
>| it would be better to feed the thing from a polynomial counter than to
>| have it eat its own tail.
>
>I don't understand the connection.

I was just casting about to find the intent of this. Short cycles are a problem in a stream cipher confusion RNG (even for ciphertext only), so maybe the point of not having short cycles was to support that usage. Now I see that was not your point.

---
Terry Ritter ritter@io.com http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 02 Nov 1998 11:23:00 -0500
From: Jerry Leichter <leichter@smarts.com>
Message-ID: <363DDC64.412@smarts.com>
References: <363a0414.6595253@news.io.com>
Newsgroups: sci.crypt
Lines: 24

| >Assuming an invertible cipher, that cycle must contain the original
| >plaintext.
|
| [ This is not a set-up for future attack: ] Is it shown that there
| can be no "lead in" to the short cycles?

That's easy to prove: Suppose there were such a lead in, so that (writing F for the particular encryption under the given key)

    A -F-> B -F-> C ...-F-> L -F-> X -F-> X' -F-> Xn+
                                   ^                 |
                                   +--------F--------+

That is, there's a cycle (X, X', ..., Xn), and there's a lead-in starting A, leading to L, and then L "falls into the cycle" at X. But then what's F^-1 (F inverse) of X? According to the diagram, both L and Xn map to X under F. But F is supposed to be invertible - it's an encryption algorithm after all, and we'd like to be able to get our plaintext back uniquely! So this diagram is impossible - there cannot be a "lead-in". Rather, L must actually equal Xn (and, working backwards, A must equal one of the Xi's, i.e., must actually *be in* the cycle.)

-- Jerry
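Ritter's proposal above to traverse permutations of modest size and collect cycle-length statistics, and Leichter's argument that an invertible map has no lead-in to its cycles, as an added Python example that is not part of the thread. The shuffled lists stand in for a block cipher under one fixed key, and the four-element non-invertible map is constructed here to show what a lead-in looks like when the map is not a permutation.

```python
import random


def cycle_of(perm, start):
    """Iterate the permutation perm (a list mapping i -> perm[i]) from
    start until start reappears, returning the states visited in order.
    This is the iteration discussed in the thread, with perm standing
    in for encryption under one fixed key."""
    states = [start]
    x = perm[start]
    while x != start:
        states.append(x)
        x = perm[x]
    return states


def cycle_lengths(perm):
    """Lengths of every cycle of the permutation, longest first."""
    seen = [False] * len(perm)
    lengths = []
    for s in range(len(perm)):
        if not seen[s]:
            cyc = cycle_of(perm, s)
            for x in cyc:
                seen[x] = True
            lengths.append(len(cyc))
    return sorted(lengths, reverse=True)


def rho_shape(func, start):
    """Iterate an arbitrary self-map func (a list) from start and return
    (tail_length, cycle_length).  The tail is the 'lead-in' L -> X that
    Leichter's argument rules out for an invertible map."""
    first_seen = {}
    x, i = start, 0
    while x not in first_seen:
        first_seen[x] = i
        x = func[x]
        i += 1
    return first_seen[x], i - first_seen[x]


def max_lead_in(func):
    """Longest lead-in over all starting points; 0 for any permutation."""
    return max(rho_shape(func, s)[0] for s in range(len(func)))


def short_cycle_fraction(perm, limit):
    """Fraction of block values lying on a cycle of length <= limit, i.e.
    the fraction of 'weak' starting blocks in Leichter's sense."""
    return sum(k for k in cycle_lengths(perm) if k <= limit) / len(perm)


def random_permutation(n, seed=None):
    """Constructed stand-in for 'the cipher under a random key'."""
    p = list(range(n))
    random.Random(seed).shuffle(p)
    return p


def short_cycle_statistics(n, limit, trials, seed=1):
    """Ritter's experiment: sample random permutations of modest size n and
    record (a) the mean fraction of points on cycles of length <= limit and
    (b) how often one cycle covers more than half the space.  For a truly
    random permutation the expected number of k-cycles is 1/k, so (a) is
    limit/n exactly in expectation, and (b) is the sum of 1/k over k > n/2,
    which tends to ln 2 ~ 0.693.  A construction that departs noticeably
    from these values does not behave like a random permutation."""
    rng = random.Random(seed)
    frac_sum = 0.0
    big = 0
    for _ in range(trials):
        p = list(range(n))
        rng.shuffle(p)
        lengths = cycle_lengths(p)
        frac_sum += sum(k for k in lengths if k <= limit) / n
        if lengths[0] > n // 2:
            big += 1
    return frac_sum / trials, big / trials


if __name__ == "__main__":
    perm = random_permutation(256, seed=42)
    print("cycle lengths:", cycle_lengths(perm))
    print("longest lead-in (must be 0 for a permutation):", max_lead_in(perm))
    print("lead-in of the non-invertible map [1, 2, 3, 1] from 0:",
          rho_shape([1, 2, 3, 1], 0))
    print("mean fraction on cycles <= 16, P(one cycle > n/2):",
          short_cycle_statistics(256, 16, 2000))
```

The statistics function is the test Ritter describes: a candidate construction whose measured values differ markedly from limit/n and ln 2 is not behaving like a random permutation, which is worth knowing even though it proves nothing about strength.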
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 29 Oct 1998 15:19:03 -0600
From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw)
Message-ID: <jgfunj-2910981519030001@dialup105.itexas.net>
References: <36376cba.5685292@news.io.com>
Newsgroups: sci.crypt
Lines: 22

In article <36376cba.5685292@news.io.com>, ritter@io.com (Terry Ritter) wrote:

> On Wed, 28 Oct 1998 12:47:39 -0600, in
> <jgfunj-2810981247390001@dialup136.itexas.net>, in sci.crypt
> jgfunj@EnqvbSerrGrknf.pbz (W T Shaw) wrote:
>
> >You could run the risk of producing some interference pattern in the
> >combination of algorithms that could produce a poor result, less than what
> >you want; there are many good examples.
>
> While *possible*, in the context of structurally-different ciphers it
> is *extremely* unlikely. Indeed, exactly the type of thing we might
> be most suspicious of -- encipher, decipher, encipher, using the exact
> same cipher -- is widely accepted as Triple DES.
>

And, we find that the effective keylength is somewhat less than 3 times DES.

--
---
Please excuse if there are multiple postings for my responses...I have no idea where they come from as I only receive one confirmation for each posting from my newsserver.
---
Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 29 Oct 1998 17:24:13 GMT
From: ssimpson@hertreg.ac.uk
Message-ID: <71a8bt$fm9$1@nnrp1.dejanews.com>
References: <3636a99a.11757150@news.io.com>
Newsgroups: sci.crypt
Lines: 66

In article <3636a99a.11757150@news.io.com>, ritter@io.com (Terry Ritter) wrote:
>
> On Tue, 27 Oct 1998 17:37:47 GMT, in
> <3635fffc.3625753@news.prosurfr.com>, in sci.crypt
> jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) wrote:
>
> >[...]
> >But the recommendations you appear to be making to avoid this danger
> >all seem to have a worse danger: removing the barriers to less
> >credible cipher designers will result in an awful lot of cipher
> >designs with 'silly errors' floating around, with fewer signposts to
> >indicate how to avoid them.
>
> I see nothing wrong with ordinary people making their own decisions on
> cryptography -- or anything else -- based on whatever information they
> wish to use. If the academics find weakness in particular designs,
> they can announce that. After some real-world interpretation of those
> results, people may take steps to move to another cipher.
>
> But this implies that users *have* another cipher, and that it is
> fairly easy to make a change. Neither of these is likely to be true
> currently, and I would like to see that change.
>
> >An argument that the barriers are currently too high - that the
> >cryptographic community, as far as symmetric-key systems is concerned,
> >is focused too much on conventional block ciphers to the exclusion of
> >all else - is something I would be glad to agree with.
>
> I do think "the barriers are too high" in the sense that the archival
> literature tends to avoid what we really want to know. The current
> ideal article is a cipher with lots of mathematical manipulation --
> yet no overall proof of strength -- which rarely if ever supports a
> reasonable attack.

"Proving" the general security of a block cipher would also prove that P != NP - something that I don't expect will happen in the near future! If you can prove it then I'm sure a university or two would like to hear from you :-)

The best we can hope to do is use our complete arsenal of analysis tools to prove that a cipher is insecure. If it fails to succumb to these tools then it is not _proven_ to be secure, but it indicates that a degree of faith can be placed in the cipher.

What other methods would you use to test block ciphers? (e.g. other than all currently known and published techniques).

If a person presenting a new cipher (e.g. Scott) can't even apply all of the standard analysis tools then the cipher surely has to be considered "weaker" than a cipher which passes all of the tests (e.g. TwoFish - which is currently the object of Scott's hate). It may be stronger, but empirical evidence suggests not.

Regards,

Sam Simpson
Comms Analyst
-- See http://www.hertreg.ac.uk/ss/ for ScramDisk, a free virtual disk encryption for Windows 95/98. PGP Keys available at the same site.

-----------== Posted via Deja News, The Discussion Network ==----------
http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 30 Oct 1998 04:19:54 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <36393e18.1633145@news.io.com>
References: <71a8bt$fm9$1@nnrp1.dejanews.com>
Newsgroups: sci.crypt
Lines: 89

On Thu, 29 Oct 1998 17:24:13 GMT, in <71a8bt$fm9$1@nnrp1.dejanews.com>, in sci.crypt ssimpson@hertreg.ac.uk wrote:

>In article <3636a99a.11757150@news.io.com>,
> ritter@io.com (Terry Ritter) wrote:

>>[...]
>> I do think "the barriers are too high" in the sense that the archival
>> literature tends to avoid what we really want to know. The current
>> ideal article is a cipher with lots of mathematical manipulation --
>> yet no overall proof of strength -- which rarely if ever supports a
>> reasonable attack.
>
>"Proving" the general security of a block cipher would also prove that P != NP
>- something that I don't expect will happen in the near future! If you can
>prove it then I'm sure a university or two would like to hear from you :-)

Most block ciphers are not number-theoretic, and I doubt that a proof of block cipher strength necessarily implies that P <> NP. Indeed, a block cipher of limited strength may be all we will ever need, if we could only prove that it has *enough* strength.

>The best we can hope to do is use our complete arsenal of analysis tools to
>prove that a cipher is insecure. If it fails to succumb to these tools then
>it is not _proven_ to be secure, but it indicates that a degree of faith can
>be placed in the cipher.

Concluding that a cipher which has not been shown weak is therefore strong is surely incorrect reasoning. So the cipher may be weak. And if the cipher *is* weak, we surely would be fools to have faith in it, no matter how much analysis was done previously. The evidence we get from analysis simply does not support a conclusion that a worked-on cipher is more deserving of "faith" than a new cipher.

I think we make this logical leap because the result is comforting, because it seems to reward the effort spent in analysis, and because we seem to have little choice. But that does not make the reasoning right, or the conclusion correct.

Indeed, for all we know, there may *be* no strong cipher. And that would mean that the partitioning of ciphers into "weak" and "strong" is an irrelevant illusion.

>What other methods would you use to test block ciphers? (e.g. other than all
>currently known and published techniques).

We should test everything we can, and then understand that everything we have not tested is in an unknown state. If we can't test it, we can't control it. And in ciphers, we cannot test strength.

>If a person presenting a new cipher (e.g. Scott) can't even apply all of the
>standard analysis tools then the cipher surely has to be considered "weaker"
>than a cipher which passes all of the tests (e.g. TwoFish - which is currently
>the object of Scotts hate).

That is the reasoning which is generally applied, but that reasoning is false. This is precisely the point I have been addressing: When we don't know, we *really* don't know. And we can't draw correct conclusions from not knowing.

The only thing we can prove with analysis is a limit on strength; that the real strength could not exceed the effort of a given break. But it does not say that there is not a weaker break, somewhere, if we only could see deeper, or understand more. Analysis cannot say that the analyzed cipher is stronger than an unanalyzed cipher.

In fact, the regrettable situation with regard to the academic literature implies that analysis results generally will not be published if no attack is found. This means that any cipher we call "analyzed" will have a break of some sort. Do we really trust a cipher which has a known break more than one which does not?

>It may be stronger, but empirical evidence suggests not.

There is no such "evidence." There is no support for a correct conclusion one way or the other. When we choose rumor and innuendo to support a conclusion, we have no reason to expect a correct result.

---
Terry Ritter ritter@io.com http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 30 Oct 1998 09:51:46 GMT
From: ssimpson@hertreg.ac.uk
Message-ID: <71c27h$ue1$1@nnrp1.dejanews.com>
References: <36393e18.1633145@news.io.com>
Newsgroups: sci.crypt
Lines: 104

In article <36393e18.1633145@news.io.com>, ritter@io.com (Terry Ritter) wrote:
>
> On Thu, 29 Oct 1998 17:24:13 GMT, in
> <71a8bt$fm9$1@nnrp1.dejanews.com>, in sci.crypt ssimpson@hertreg.ac.uk
> wrote:
>
> >In article <3636a99a.11757150@news.io.com>,
> > ritter@io.com (Terry Ritter) wrote:
>
> >>[...]
> >> I do think "the barriers are too high" in the sense that the archival
> >> literature tends to avoid what we really want to know. The current
> >> ideal article is a cipher with lots of mathematical manipulation --
> >> yet no overall proof of strength -- which rarely if ever supports a
> >> reasonable attack.
> >
> >"Proving" the general security of a block cipher would also prove that P != NP
> >- something that I don't expect will happen in the near future! If you can
> >prove it then I'm sure a university or two would like to hear from you :-)
>
> Most block ciphers are not number-theoretic, and I doubt that a proof
> of block cipher strength necessarily implies that P <> NP. Indeed, a
> block cipher of limited strength may be all we will ever need, if we
> could only prove that it has *enough* strength.
>

I was quoting pg 52 (right column) of the paper "Twofish: A 128-bit Block Cipher" by Schneier, Kelsey, Whiting, Wagner, Hall & Ferguson.

> >The best we can hope to do is use our complete arsenal of analysis tools to
> >prove that a cipher is insecure. If it fails to succumb to these tools then
> >it is not _proven_ to be secure, but it indicates that a degree of faith can
> >be placed in the cipher.
>
> Concluding that a cipher which has not been shown weak is therefore
> strong is surely incorrect reasoning. So the cipher may be weak. And
> if the cipher *is* weak, we surely would be fools to have faith in it,
> no matter how much analysis was done previously.

But we have to have faith in one (or possibly more) block ciphers. Rather than pick this cipher at "random" it is surely better to pick a block cipher that has been subjected to and resisted all known attacks.

For example I would pick Blowfish over ICE. Wouldn't you?

> Indeed, for all we know, there may *be* no strong cipher. And that
> would mean that the partitioning of ciphers into "weak" and "strong"
> is an irrelevant illusion.

Quite. It may be true that no strong ciphers are strong or weak. But at the moment we can certainly point our fingers at ciphers that *are* weak and others that are relatively secure. (e.g. ICE *is* weak and should not be used. Blowfish has not been shown to be weak and as such can be trusted).

> >What other methods would you use to test block ciphers? (e.g. other than all
> >currently known and published techniques).
>
> We should test everything we can, and then understand that everything
> we have not tested is in an unknown state. If we can't test it, we
> can't control it. And in ciphers, we cannot test strength.

Indeed. But more faith has to be placed in a block cipher that has undergone all tests (and passed) rather than a cipher that has not been tested thoroughly.

If you disagree on this point then I think we'll just have to "agree to disagree".

For now, I'm not putting untested ciphers into ScramDisk :-)

>
> >If a person presenting a new cipher (e.g. Scott) can't even apply all of the
> >standard analysis tools then the cipher surely has to be considered "weaker"
> >than a cipher which passes all of the tests (e.g. TwoFish - which is currently
> >the object of Scotts hate).
>
<SNIP>
>
> The only thing we can prove with analysis is a limit on strength; that
> the real strength could not exceed the effort of a given break. But
> it does not say that there is not a weaker break, somewhere, if we
> only could see deeper, or understand more. Analysis cannot say that
> the analyzed cipher is stronger than an unanalyzed cipher.
>

No. But they can say that the analysed cipher (that has passed the tests) has more credibility.

<SNIP>

Regards,

Sam Simpson
Comms Analyst
-- See http://www.hertreg.ac.uk/ss/ for ScramDisk, a free virtual disk encryption for Windows 95/98. PGP Keys available at the same site.

-----------== Posted via Deja News, The Discussion Network ==----------
http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 30 Oct 1998 19:02:45 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <363a0d51.8960237@news.io.com>
References: <71c27h$ue1$1@nnrp1.dejanews.com>
Newsgroups: sci.crypt
Lines: 127

On Fri, 30 Oct 1998 09:51:46 GMT, in <71c27h$ue1$1@nnrp1.dejanews.com>, in sci.crypt ssimpson@hertreg.ac.uk wrote:

>>[...]
>> Concluding that a cipher which has not been shown weak is therefore
>> strong is surely incorrect reasoning. So the cipher may be weak. And
>> if the cipher *is* weak, we surely would be fools to have faith in it,
>> no matter how much analysis was done previously.
>
>But we have to have faith in one (or possibly more) block ciphers.

I guess faith is about the only thing we *can* have. But that's religion, not science. We may use a cipher, but we *cannot* trust it.

>Rather
>than pick this cipher at "random" it is surely better to pick the a block
>cipher that has been subjected to and resisted all known attacks.

Frankly, I have come to believe that it may be more important to use a multiplicity of ciphers -- accepting their possible weaknesses -- than to use a single cipher -- and accepting its possible weakness.

I think what we gain from an analysis, and from wide use, is that successful attacks are unlikely from people like us, or those who tried to break the cipher. So if the purpose of the cipher is to prevent people like us from getting in, there is some reason to think that analysis has given us that assurance.

But if we intend to stop people who are better trained, better funded, and who have more experience, time, and equipment than us -- and who may even be smarter than we are -- our attempts at analysis tell us nothing at all. They may in fact delude us into the belief that nobody can be better at doing what we try to do than we are.

This is why we need to innovate and use protocols which allow us to accept cipher weakness, yet continue to get the job done.

>For example I would pick Blowfish over ICE. Wouldn't you?

Not if picking Blowfish means that I have no access to other ciphers.

Since any cipher may have weakness, a widely used cipher is asking for weakness to be found. And using any cipher for a large amount of data is asking for weakness to be exploited. The exploitation of our data is the risk. How can we possibly "put all our eggs in one basket" when we know that it is *impossible* to "watch that basket"?

>> Indeed, for all we know, there may *be* no strong cipher. And that
>> would mean that the partitioning of ciphers into "weak" and "strong"
>> is an irrelevant illusion.
>
>Quite. It may be true that no strong ciphers are strong or weak. But at the
>moment we can certainly point our fingers at ciphers that *are* weak and
>others that are relatively secure. (e.g. ICE *is* weak and should not be
>used. Blowfish has not been shown to be weak and as such can be trusted).

Fine. But not being shown weak still does not mean we can trust it. How can we possibly trust something to be strong which admittedly may be weak?

>> >What other methods would you use to test block ciphers? (e.g. other than all
>> >currently known and published techniques).
>>
>> We should test everything we can, and then understand that everything
>> we have not tested is in an unknown state. If we can't test it, we
>> can't control it. And in ciphers, we cannot test strength.
>
>Indeed. But more faith has to be placed in a block cipher that has undergone
>all tests (and passed) rather than a cipher that has not been tested
>thoroughly.
>
>If you disagree on this point then I think we'll just have to "agree to
>disagree".

I do indeed disagree. One cannot gain faith about untested things by testing other things. There is no reason to expect that the outcome of future tests will be like past successes. If this were generally true, we would never need complex tests.

>For now, I'm not putting untested ciphers into ScramDisk :-)

I did say "test everything we can." But I think the idea of selecting some subset of ciphers for inclusion in a program should gradually fade away. (All but one of these will be unused at any particular time anyway.)

>>[...]
>> The only thing we can prove with analysis is a limit on strength; that
>> the real strength could not exceed the effort of a given break. But
>> it does not say that there is not a weaker break, somewhere, if we
>> only could see deeper, or understand more. Analysis cannot say that
>> the analyzed cipher is stronger than an unanalyzed cipher.
>>
>
>No. But they can say that the analysed cipher (that has passed the tests) has
>more credibility.

There is a lot to be said for experience. By experiencing many of the ways things can go wrong, one can take steps to avoid those problems. And this extends far beyond the cipher into the design and implementation of the cipher system. I suspect that problems in the cipher system are likely to be more easily exploited than any publicly-described cipher.

When we first install a normal program, we may not trust it. After we use it for a while, and it has not failed, we may develop trust. And certainly we can trust a cipher system in the same way when we talk about data not being lost or scrambled.

But we can't trust strength, because use does not stress that, and its failure is not reported to us. We have no idea whether the program really is delivering strength or not, so we cannot develop a trust of strength.

---
Terry Ritter ritter@io.com http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 30 Oct 1998 05:15:28 GMT
From: "Douglas A. Gwyn" <DAGwyn@null.net>
Message-ID: <36394B11.2DDFF3CE@null.net>
References: <71a8bt$fm9$1@nnrp1.dejanews.com>
Newsgroups: sci.crypt
Lines: 7

ssimpson@hertreg.ac.uk wrote:
> "Proving" the general security of a block cipher would also prove that P != NP

I wonder on what basis you could make that claim. In other words, I don't think that's right -- I can exhibit the design for a block cipher that is demonstrably secure according to the rules of the game, although it wouldn't be *practical*.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 30 Oct 1998 05:22:15 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <36394cbf.326485@news.visi.com>
References: <36394B11.2DDFF3CE@null.net>
Newsgroups: sci.crypt
Lines: 19

On Fri, 30 Oct 1998 05:15:28 GMT, "Douglas A. Gwyn" <DAGwyn@null.net> wrote:

>ssimpson@hertreg.ac.uk wrote:
>> "Proving" the general security of a block cipher would also prove that P != NP
>
>I wonder on what basis you could make that claim.
>In other words, I don't think that's right -- I can exhibit the design
>for a block cipher that is demonstrably secure according to the rules of
>the game, although it wouldn't be *practical*.

While it is certainly possible to, in theory, give a proof of security that does not also prove that P != NP, most formulations of such a proof--which, of course, does not exist--hinge on proving P != NP.

Bruce

**********************************************************************
Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590
Free crypto newsletter. See: http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer Date: Sat, 31 Oct 1998 06:34:34 GMT From: "Douglas A. Gwyn" <DAGwyn@null.net> Message-ID: <363AAF1C.AF37BF7F@null.net> References: <36394cbf.326485@news.visi.com> Newsgroups: sci.crypt Lines: 15 Bruce Schneier wrote: > On Fri, 30 Oct 1998 05:15:28 GMT, "Douglas A. Gwyn" <DAGwyn@null.net> > wrote: > >ssimpson@hertreg.ac.uk wrote: > >> "Proving" the general security of a block cipher would also prove that P != NP > >I wonder on what basis you could make that claim. > >In other words, I don't think that's right -- I can exhibit the design > >for a block cipher that is demonstrably secure according to the rules of > >the game, although it wouldn't be *practical*. > While it is certainly possible to, in theory, give a proof of security > that does not also prove that P != NP, most formulations of such a > proof--which, of course, does not exist--hinge on proving P != NP. This is getting weirder -- I still would like a reference. I don't think *any* block ciphers have anything to do with P?=NP.
Subject: Re: Memo to the Amateur Cipher Designer Date: Mon, 02 Nov 1998 20:07:17 GMT From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) Message-ID: <363e0fff.13076835@news.prosurfr.com> References: <363AAF1C.AF37BF7F@null.net> Newsgroups: sci.crypt Lines: 19 "Douglas A. Gwyn" <DAGwyn@null.net> wrote, in part: >This is getting weirder -- I still would like a reference. >I don't think *any* block ciphers have anything to do with P?=NP. Not in the simple way that some public-key systems do. But someone did note that he had converted DES into a gigantic Boolean expression ... in hopes that it could be, at least partly, inverted. I think inverting logic equations does touch on P versus NP. Essentially, if a proof that P=NP is interpreted as indicating there are no mathematical problems that get really intractable to solve, compared to the effort required to verify the solution, then that would seem to affect everything - even if the application to secret-key ciphers would still be awkward. John Savard http://members.xoom.com/quadibloc/index.html
Subject: Re: Memo to the Amateur Cipher Designer Date: 2 Nov 1998 15:31:14 -0500 From: juola@mathcs.duq.edu (Patrick Juola) Message-ID: <71l4qi$rmv$1@quine.mathcs.duq.edu> References: <363e0fff.13076835@news.prosurfr.com> Newsgroups: sci.crypt Lines: 40 In article <363e0fff.13076835@news.prosurfr.com>, John Savard <jsavard@tenMAPSONeerf.edmonton.ab.ca> wrote: >"Douglas A. Gwyn" <DAGwyn@null.net> wrote, in part: > >>This is getting weirder -- I still would like a reference. >>I don't think *any* block ciphers have anything to do with P?=NP. > >Not in the simple way that some public-key systems do. > >But someone did note that he had converted DES into a gigantic Boolean >expression ... in hopes that it could be, at least partly, inverted. I >think inverting logic equations does touch on P versus NP. Only if the size of the problem varies. In the case of any *particular* block cypher, with any *particular* key-space and any *particular* block size, &c, then the problem size is probably fixed (and P/NP is indeed a red herring). So proving that P == NP probably wouldn't affect the solution of DES much. *However*, a lot of cyphers are in fact cypher schemes with variable size. An obvious example is creating an LFSR-based stream cypher, where the difficulty of recreating the stream can be related to the size of the LFSR-state (and hence to the size of the secret key). If I were to develop a clever trick with N-bit LFSRs and prove that to recover the internal state or decrypt the cyphertext *required* at least 2^N operations, then I would indeed have proven that P != NP. A similar example, this one involving a block cypher, would be if I used N-bit RSA, but kept both factors secret (and part of the key). This, of course, means that I lose the advantages of public-key encryption. On the other hand, it also means that I have a symmetric algorithm with a variable problem size. 
If I could then *prove* that the only way to decrypt my messages required exponential time (in the size of the RSA keys), then I would, again, have proven P < NP. -kitten
Subject: Re: Memo to the Amateur Cipher Designer Date: Tue, 03 Nov 1998 00:21:06 GMT From: "Douglas A. Gwyn" <DAGwyn@null.net> Message-ID: <363E4C10.C05E0898@null.net> References: <363e0fff.13076835@news.prosurfr.com> Newsgroups: sci.crypt Lines: 9 John Savard wrote: > But someone did note that he had converted DES into a gigantic Boolean > expression ... in hopes that it could be, at least partly, inverted. I > think inverting logic equations does touch on P versus NP. But the issue is not whether there is an *effective algorithm* for inverting *every* system of equations, which might bear on P?=NP. The statement was that proof of security of *any particular example* of a block cipher system would imply P=NP. That's what I doubt.
Subject: Re: Memo to the Amateur Cipher Designer Date: Mon, 02 Nov 1998 20:49:04 -0500 From: Nicol So <nobody@no.spam.please> Message-ID: <363E6110.9D3FF87@no.spam.please> References: <363E4C10.C05E0898@null.net> Newsgroups: sci.crypt Lines: 48 Douglas A. Gwyn wrote: > But the issue is not whether there is an *effective algorithm* for > inverting *every* system of equations, which might bear on P?=NP. > The statement was that proof of security of *any particular example* > of a block cipher system would imply P=NP. That's what I doubt. Whether a proof of security of a block cipher has anything to do with the question of P?=NP depends on how you formalize the notion of security. Theoreticians (I mean theoretical computer scientists) like to define security in terms of asymptotic properties. For the purpose of this discussion, ignore whether such definitions properly capture the notion of security for practical ciphers. There are different formalizations of security, some of which are not applicable to (deterministic) block ciphers. For example, no deterministic ciphers can be semantically secure. A probably more applicable notion of security for block ciphers is that of superpseudorandom permutation generator, as introduced in a 1986 paper by Luby and Rackoff. To use the definition, a block cipher is modeled as a (uniform) family of polynomial-time computable permutations, indexed by a security parameter k. The intuition behind superpseudorandom permutation generator is that a block cipher is secure if it passes off as a (length-preserving) permutation on {0,1}^k, and no (non-uniform) polynomial-time algorithm can distinguish them. The (non-uniform) algorithm here takes two oracles: a "normal" one computing a function f, and an "inverse" one computing the inverse of f. "Distinguish", as used in the definition, means "distinguishes with a non-negligible advantage". 
(If you make random guesses, you already have a 50% success rate of saying whether a given permutation is truly random or just pseudorandom). "Negligible" here has the conventional meaning of "converging to 0 faster than the inverse of any polynomial k^c (where c>0), as the security parameter k tends to infinity." So much for the background definitions. Now consider a particular block cipher (modeled as a family of ciphers of variable block sizes and key lengths). In non-deterministic polynomial time, an algorithm can determine, with good success probability, whether a given pair of encryption/decryption functions could have been an instance of our block cipher (with some appropriate key). This can be done by guessing a key and performing a number of trial encryptions and decryptions. If P=NP, the above computation can also be performed in polynomial-time. That means, for any given cipher, there is always a polynomial-time algorithm that can "distinguish" the cipher from permutations chosen uniformly at random from the appropriate space. And therefore, no deterministic block cipher can be secure under such a definition of security.
Subject: Re: Memo to the Amateur Cipher Designer Date: Tue, 03 Nov 1998 20:25:23 -0500 From: Nicol So <nobody@no.spam.please> Message-ID: <363FAD03.75C29461@no.spam.please> References: <363E6110.9D3FF87@no.spam.please> Newsgroups: sci.crypt Lines: 14 Nicol So wrote: > ... > The intuition behind superpseudorandom permutation generator is that a block > cipher is secure if it passes off as a (length-preserving) permutation on > {0,1}^k, and no (non-uniform) polynomial-time algorithm can distinguish > them. ... When I wrote "permutation on {0,1}^k", I meant to say "permutation on {0,1}^k chosen uniformly at random". Despite the accidental omission, the intended meaning should be obvious from the ensuing text. Nicol
Subject: Re: Memo to the Amateur Cipher Designer Date: 3 Nov 1998 09:32:34 -0500 From: juola@mathcs.duq.edu (Patrick Juola) Message-ID: <71n462$sgp$1@quine.mathcs.duq.edu> References: <363E4C10.C05E0898@null.net> Newsgroups: sci.crypt Lines: 35 In article <363E4C10.C05E0898@null.net>, Douglas A. Gwyn <DAGwyn@null.net> wrote: >John Savard wrote: >> But someone did note that he had converted DES into a gigantic Boolean >> expression ... in hopes that it could be, at least partly, inverted. I >> think inverting logic equations does touch on P versus NP. > >But the issue is not whether there is an *effective algorithm* for >inverting *every* system of equations, which might bear on P?=NP. >The statement was that proof of security of *any particular example* >of a block cipher system would imply P=NP. That's what I doubt. The demonstration of a particular category of equations, such that a) "size" is meaningful and b) to determine whether or not they are satisfiable provably requires exponential time would indeed prove that P < NP. The reason, of course, is that the general case encompasses the specific case, and no general equation-solver could solve these particular problems faster than the provable bound -- so the general equation solver would also require exponential time. However, this is a one-way implication. If I could prove that DES (or any particular sub-class of the general problem) *were* solvable in polynomial time, this would NOT prove that P == NP. -kitten
Subject: Re: Memo to the Amateur Cipher Designer Date: Tue, 03 Nov 1998 17:00:14 GMT From: bobs@rsa.com Message-ID: <71ncqv$j7d$1@nnrp1.dejanews.com> References: <363e0fff.13076835@news.prosurfr.com> Newsgroups: sci.crypt Lines: 17 In article <363e0fff.13076835@news.prosurfr.com>, jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) wrote: > "Douglas A. Gwyn" <DAGwyn@null.net> wrote, in part: > Essentially, if a proof that P=NP is interpreted as indicating there > are no mathematical problems that get really intractable to solve, > compared to the effort required to verify the solution, then that > would seem to affect everything - even if the application to > secret-key ciphers would still be awkward. Such an interpretation would be grossly wrong. It is well known that problems exist that are HARDER than any problems in NP. See Garey & Johnson, for example. -----------== Posted via Deja News, The Discussion Network ==---------- http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
Subject: Re: Memo to the Amateur Cipher Designer Date: Tue, 03 Nov 1998 23:05:41 GMT From: "Douglas A. Gwyn" <DAGwyn@null.net> Message-ID: <363F8BE2.7469BAAF@null.net> References: <71ncqv$j7d$1@nnrp1.dejanews.com> Newsgroups: sci.crypt Lines: 17 bobs@rsa.com wrote: > In article <363e0fff.13076835@news.prosurfr.com>, > jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) wrote: > > "Douglas A. Gwyn" <DAGwyn@null.net> wrote, in part: > > > Essentially, if a proof that P=NP is interpreted as indicating there > > are no mathematical problems that get really intractable to solve, > > compared to the effort required to verify the solution, then that > > would seem to affect everything - even if the application to > > secret-key ciphers would still be awkward. > > Such an interpretation would be grossly wrong. ... Please, check the attributions before posting. You posted "Douglas A. Gwyn wrote:" followed by text that I certainly did not write. (Presumably it was written by John Savard.)
Subject: Re: Memo to the Amateur Cipher Designer Date: Fri, 30 Oct 1998 10:38:15 GMT From: ssimpson@hertreg.ac.uk Message-ID: <71c4ul$1fl$1@nnrp1.dejanews.com> References: <36394B11.2DDFF3CE@null.net> Newsgroups: sci.crypt Lines: 30 In article <36394B11.2DDFF3CE@null.net>, "Douglas A. Gwyn" <DAGwyn@null.net> wrote: > ssimpson@hertreg.ac.uk wrote: > > "Proving" the general security of a block cipher would also prove that P != NP > > I wonder on what basis you could make that claim. > In other words, I don't think that's right -- I can exhibit the design > for a block cipher that is demonstrably secure according to the rules of > the game, although it wouldn't be *practical*. I was quoting pg 52 (right-hand column) of the paper "Twofish: A 128-bit Block Cipher" by Schneier, Kelsey, Whiting, Wagner, Hall & Ferguson. I would be interested in your views on this. Are Schneier et al wrong? Have I missed something? Did I (gasp!) take the quote out of context? I am honestly interested in an answer if the statement was wrong as I'm relatively new to encryption e.g. less than 7 years, so am still learning. Thanks, Sam Simpson Comms Analyst -- See http://www.hertreg.ac.uk/ss/ for ScramDisk, a free virtual disk encryption for Windows 95/98. PGP Keys available at the same site. -----------== Posted via Deja News, The Discussion Network ==---------- http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
Subject: Re: Memo to the Amateur Cipher Designer Date: Fri, 30 Oct 1998 12:51:38 GMT From: sandy.harris@sympatico.ca (Sandy Harris) Message-ID: <uDi_1.603$Gh4.1162471@news21.bellglobal.com> References: <71c4ul$1fl$1@nnrp1.dejanews.com> Newsgroups: sci.crypt Lines: 25 ssimpson@hertreg.ac.uk wrote: > "Douglas A. Gwyn" <DAGwyn@null.net> wrote: >> ssimpson@hertreg.ac.uk wrote: >> > "Proving" the general security of a block cipher would also prove that P != >NP >> >> I wonder on what basis you could make that claim. Encryption/decryption with known key is presumably not worse than polynomial in keylength or the cipher's wildly impractical. If "proving the security" of the cipher means showing that no attack is better than brute force, i.e. all possible attacks are exponential in keylength, & if this applies for any keylength, then QED. Methinks this argument is hopelessly flawed because the keylength in most ciphers cannot vary beyond a certain range & the whole P/NP distinction depends on reasoning for "in the limit" & "for sufficiently large N", so it cannot reasonably be applied. Of course if you consider an iterated block cipher with independent round keys & a variable # of rounds, then the total key can be arbitrarily large, so perhaps the argument is salvageable for such ciphers.
Subject: Re: Memo to the Amateur Cipher Designer Date: Fri, 30 Oct 1998 16:29:15 GMT From: bobs@rsa.com Message-ID: <71cpgq$uqd$1@nnrp1.dejanews.com> References: <uDi_1.603$Gh4.1162471@news21.bellglobal.com> Newsgroups: sci.crypt Lines: 29 In article <uDi_1.603$Gh4.1162471@news21.bellglobal.com>, sandy.harris@sympatico.ca (Sandy Harris) wrote: > ssimpson@hertreg.ac.uk wrote: > > > "Douglas A. Gwyn" <DAGwyn@null.net> wrote: > >> ssimpson@hertreg.ac.uk wrote: > >> > "Proving" the general security of a block cipher would also prove that P != > >NP > >> > >> I wonder on what basis you could make that claim. > > Encryption/decryption with known key is presumably not worse than > polynomial in keylength or the cipher's wildly impractical. > > If "proving the security" of the cipher means showing that no attack > is better than brute force, i.e. all possible attacks are exponential in > keylength, & if this applies for any keylength, then QED. No! No! No! Proving that only brute force could work would NOT, repeat NOT prove P != NP *** unless **** you first proved that breaking the key was an NP-Complete problem. Merely showing that breaking the key takes exponential time is NOT equivalent to proving it is NP-Complete. -----------== Posted via Deja News, The Discussion Network ==---------- http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
Subject: Re: Memo to the Amateur Cipher Designer Date: 30 Oct 1998 14:44:46 -0500 From: juola@mathcs.duq.edu (Patrick Juola) Message-ID: <71d4ve$p8o$1@quine.mathcs.duq.edu> References: <71cpgq$uqd$1@nnrp1.dejanews.com> Newsgroups: sci.crypt Lines: 37 In article <71cpgq$uqd$1@nnrp1.dejanews.com>, <bobs@rsa.com> wrote: >In article <uDi_1.603$Gh4.1162471@news21.bellglobal.com>, > sandy.harris@sympatico.ca (Sandy Harris) wrote: >> ssimpson@hertreg.ac.uk wrote: >> >> > "Douglas A. Gwyn" <DAGwyn@null.net> wrote: >> >> ssimpson@hertreg.ac.uk wrote: >> >> > "Proving" the general security of a block cipher would also prove that P != >> >NP >> >> >> >> I wonder on what basis you could make that claim. >> >> Encryption/decryption with known key is presumably not worse than >> polynomial in keylength or the cipher's wildly impractical. >> >> If "proving the security" of the cipher means showing that no attack >> is better than brute force, i.e. all possible attacks are exponential in >> keylength, & if this applies for any keylength, then QED. > >No! No! No! > >Proving that only brute force could work would NOT, repeat NOT >prove P != NP *** unless **** you first proved that breaking the key >was an NP-Complete problem. > >Merely showing that breaking the key takes exponential time is NOT >equivalent to proving it is NP-Complete. Nope. Showing that breaking the key takes *provably* exponential time would suffice to show that P != NP. If there exists a subset S of NP such that P < S <= NP, that proves P < NP. (S, in this case, is the class of problems to which this cypher belongs.) And of course, the problem is "obviously" in NP because you can verify a correct solution in polynomial time. -kitten
Subject: Re: Memo to the Amateur Cipher Designer Date: Fri, 30 Oct 1998 21:49:07 GMT From: phr@netcom.com (Paul Rubin) Message-ID: <phrF1ntxv.4ys@netcom.com> References: <71cpgq$uqd$1@nnrp1.dejanews.com> Newsgroups: sci.crypt Lines: 24 In article <71cpgq$uqd$1@nnrp1.dejanews.com>, <bobs@rsa.com> wrote: >Proving that only brute force could work would NOT, repeat NOT >prove P != NP *** unless **** you first proved that breaking the key >was an NP-Complete problem. > >Merely showing that breaking the key takes exponential time is NOT >equivalent to proving it is NP-Complete. Bob, are you sure of this? If the statement came from someone less knowledgeable than you, I'd have shrugged it off as wrong rather than paying attention. If brute force works, then cryptanalyzing the cipher is in NP. Once you have guessed the key by brute force, you can validate the guess by showing it properly encrypts the known plaintext to the known ciphertext. If you can prove that *only* brute force works, the cipher is not in P. Brute force means exponential search through the keyspace. It is true that cryptanalyzing the cipher may not be NP-hard, but it is not in P. If something is in NP but not in P, it follows that P != NP. Did I miss something??!!
Subject: Re: Memo to the Amateur Cipher Designer Date: Mon, 02 Nov 1998 20:12:24 GMT From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) Message-ID: <363e112c.13377666@news.prosurfr.com> References: <phrF1ntxv.4ys@netcom.com> Newsgroups: sci.crypt Lines: 22 phr@netcom.com (Paul Rubin) wrote, in part: >If you can prove that *only* brute force works, the cipher is not in P. >Brute force means exponential search through the keyspace. It is true >that cryptanalyzing the cipher may not be NP-hard, but it is not in P. I think the idea is that while a _proof_ that only brute force works would indeed catapult cryptanalyzing it out of P, in general the fact that only brute force is known at present (which some people might take for a proof) certainly doesn't have anything to do with P versus NP. And secret-key designs can easily be made much too messy for anything to be proven about them... So, at present I think you're right and they're not expressing themselves clearly (they're right too about what they're trying to say). If I'm wrong, and there is a reason why the P=NP question doesn't apply, even in theory, that would be interesting. John Savard http://members.xoom.com/quadibloc/index.html
Subject: Re: Memo to the Amateur Cipher Designer Date: Tue, 03 Nov 1998 11:21:42 -0700 From: Shawn Willden <shawn@willden.org> Message-ID: <363F49B6.8CE95B8@willden.org> References: <363e112c.13377666@news.prosurfr.com> Newsgroups: sci.crypt Lines: 34 John Savard wrote: > So, at present I think you're right and they're not expressing > themselves clearly (they're right too about what they're trying to > say). If I'm wrong, and there is a reason why the P=NP question > doesn't apply, even in theory, that would be interesting. Let me see if I can lay this out clearly and thoroughly enough that someone can point out the flaw in the reasoning (Douglas Gwyn? Bob Silverman?). P is the set of all problems that are solvable in polynomial time. NP is the set of all problems for which candidate solutions can be tested in polynomial time. P is a subset of NP. To see this, choose a problem p in P and a candidate solution c, run the polynomial-time algorithm to solve p which yields a solution s, then test if c=s. So, P=NP iff NP is a subset of P. Therefore, to show P!=NP, it is sufficient to show that there exists a problem p s.t. p is an element of NP but p is not an element of P. Let p be a problem whose candidate solutions can be tested in polynomial time (p is an element of NP) but which requires (provably) that an exponentially growing solution space be brute force searched to find a solution. This implies that p is not an element of P, which shows that P != NP. What's wrong with that argument? Or is there something wrong with my definitions of P and NP? Shawn.
Subject: Re: Memo to the Amateur Cipher Designer Date: Mon, 02 Nov 1998 20:16:46 GMT From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) Message-ID: <363e1282.13719546@news.prosurfr.com> References: <71cpgq$uqd$1@nnrp1.dejanews.com> Newsgroups: sci.crypt Lines: 23 bobs@rsa.com wrote, in part: >Proving that only brute force could work would NOT, repeat NOT >prove P != NP *** unless **** you first proved that breaking the key >was an NP-Complete problem. >Merely showing that breaking the key takes exponential time is NOT >equivalent to proving it is NP-Complete. Proving that brute force was not necessary would not prove P=NP, unless you proved that breaking the key was NP-complete, since there are problems that aren't known to be in P, but aren't known to be NP-complete either, like factoring. But the converse _is_ valid, unless my memory is very faulty: NP-complete problems are supposed to be the hardest kind of scalable problems; thus, if some problem was shown not to be in P, even if that problem was _not_ NP complete, that would only mean that the NP-complete problems were as hard, or even harder, and therefore not in P either. John Savard http://members.xoom.com/quadibloc/index.html
Subject: Re: Memo to the Amateur Cipher Designer Date: Sat, 31 Oct 1998 06:47:39 GMT From: "Douglas A. Gwyn" <DAGwyn@null.net> Message-ID: <363AB22D.D9725C8@null.net> References: <uDi_1.603$Gh4.1162471@news21.bellglobal.com> Newsgroups: sci.crypt Lines: 11 Sandy Harris wrote: > Encryption/decryption with known key is presumably not worse than > polynomial in keylength or the cipher's wildly impractical. Granted. > If "proving the security" of the cipher means showing that no attack > is better than brute force, i.e. all possible attacks are exponential in > keylength, & if this applies for any keylength, then QED. No, that's not even close to a proof of: <given cipher secure> => P!=NP.
Subject: Re: Memo to the Amateur Cipher Designer Date: 2 Nov 1998 07:31:30 GMT From: olson@umbc.edu (Bryan G. Olson; CMSC (G)) Message-ID: <71jn4i$510$1@news.umbc.edu> References: <363AB22D.D9725C8@null.net> Newsgroups: sci.crypt Lines: 67 Douglas A. Gwyn (DAGwyn@null.net) wrote: : Sandy Harris wrote: : > Encryption/decryption with known key is presumably not worse than : > polynomial in keylength or the cipher's wildly impractical. : Granted. : > If "proving the security" of the cipher means showing that no attack : > is better than brute force, i.e. all possible attacks are exponential in : > keylength, & if this applies for any keylength, then QED. : No, that's not even close to a proof of: <given cipher secure> => P!=NP. Hmmm, I see it as kind of close. From the assumption that (en/de)cryption is polytime and attack is exponential in key length, we must be talking about a cipher with a variable size and arbitrarily large key. Now let's define encryption as f(K,M) = C Where K is the key, M is the plaintext, and C is the ciphertext. Let's say K is an integer, since any key can be coded in that form. Now we define language L as the set of all strings of the form: [m,c,x] Where there exists some key k such that: k < x and f(k,m) = c. L is in NP. We assumed (en/de)cryption is polytime, so for any string in L, there is a short certifier - namely a value for k that satisfies the "such that: ..." above. L is not in P. I'll prove this by contradiction. If L is in P, then given plaintext m and ciphertext c, I can recover k such that f(m,k)=p using the following procedure: Test the strings [m,c,2], [m,c,4], [m,c,8]... for membership in L until I find the first that is in L. Now I have two strings [m,c,x1] and [m,c,x2] where x1<x2, [m,c,x1] is not in L, and [m,c,x2] is in L. I now test whether [m,c,floor((x1+x2)/2)] is in L. Either way, I can divide in half the interval containing the lowest x' such that [m,c,x'] is in L. 
I repeat this procedure to form a binary search for x', and when I find it I return k=x'. The procedure takes time proportional to the time to test whether a string is in L times the length of K. Since we assumed L is in P, this gives me a sub-exponential break of the cipher, and since our premise says such a break doesn't exist, the assumption that L is in P must be false. Given the cipher, we can construct a language that is in NP but not in P. Thus, this particular form of cipher security - where we can use an arbitrarily large key, encryption and decryption are polytime in the key size and cryptanalysis is exponential in the key size - requires that P != NP. --Bryan
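The two constructions argued over above, Nicol So's guess-a-key distinguisher and Bryan Olson's decision-to-search reduction through the language L, are both easy to run on a small cipher. What follows is an added example written for this page, not code from any of the posters: a constructed 3-round Feistel toy cipher (8-bit block, 12-bit key, the PRESENT 4-bit S-box as round function), constructed query points, and a brute-force membership oracle for L that merely stands in for the hypothetical polynomial-time decider the argument assumes. L is generalised from one (plaintext, ciphertext) pair to a list of pairs; the search keeps the strict `k < x` membership rule, so the smallest x' it finds is one more than the key. The thing to watch is the oracle's call counter: the binary search asks it a number of times linear in the key length, which is the whole content of the reduction.

```python
"""Toy cipher, NP distinguisher, and the L-decider-to-key-recovery reduction.
All constants and sample points are constructed for this example."""
import random
from typing import Callable, List, Optional, Tuple

KEYBITS = 12      # three 4-bit round keys; keys are integers in [0, 2**KEYBITS)
# 4-bit S-box borrowed from the PRESENT cipher; any 4-bit permutation would serve.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
Pairs = List[Tuple[int, int]]   # known (plaintext, ciphertext) pairs

def _round_keys(key: int) -> List[int]:
    return [(key >> (4 * r)) & 0xF for r in range(3)]

def encrypt(key: int, m: int) -> int:
    """3-round Feistel network on an 8-bit block: a permutation for every key."""
    left, right = (m >> 4) & 0xF, m & 0xF
    for rk in _round_keys(key):
        left, right = right, left ^ SBOX[right ^ rk]
    return (left << 4) | right

def decrypt(key: int, c: int) -> int:
    left, right = (c >> 4) & 0xF, c & 0xF
    for rk in reversed(_round_keys(key)):
        left, right = right ^ SBOX[left ^ rk], left
    return (left << 4) | right

# --- Nicol So's distinguisher: guess a key, check it against both oracles -------
SAMPLE_PTS = [0x00, 0x1F, 0xA5, 0xC3]   # constructed queries to the "normal" oracle
SAMPLE_CTS = [0x3C, 0xE7]               # constructed queries to the "inverse" oracle

def distinguish(enc: Callable[[int], int], dec: Callable[[int], int]) -> Optional[int]:
    """The NP algorithm made deterministic: try every key (the non-deterministic guess)
    and keep the first that agrees with both oracles on the sample points.
    A key means "this is the cipher"; None means "looks like a random permutation"."""
    for k in range(1 << KEYBITS):
        if (all(enc(m) == encrypt(k, m) for m in SAMPLE_PTS)
                and all(dec(c) == decrypt(k, c) for c in SAMPLE_CTS)):
            return k
    return None

def random_permutation_oracles(seed: int):
    """A permutation of {0,1}^8 drawn by a seeded PRNG, plus its inverse."""
    table = list(range(256))
    random.Random(seed).shuffle(table)
    inverse = [0] * 256
    for i, v in enumerate(table):
        inverse[v] = i
    return table.__getitem__, inverse.__getitem__

# --- Bryan Olson's reduction: a decider for L yields the key by binary search ----
def consistent(k: int, pairs: Pairs) -> bool:
    return all(encrypt(k, m) == c for m, c in pairs)

class MembershipOracle:
    """Decides L = {[pairs, x] : some key k < x fits every pair}.  Brute force here,
    standing in for the assumed polynomial-time decider; it counts its own calls."""
    def __init__(self, pairs: Pairs) -> None:
        self.pairs = pairs
        self.calls = 0

    def __call__(self, x: int) -> bool:
        self.calls += 1
        return any(consistent(k, self.pairs) for k in range(min(x, 1 << KEYBITS)))

def recover_key(in_L: MembershipOracle) -> Optional[int]:
    """Doubling search for the first x with [pairs, x] in L, then binary search for
    the smallest such x'.  With the strict 'k < x' rule, x' == kmin + 1."""
    x = 1
    while not in_L(x):
        if x >= (1 << KEYBITS):
            return None                  # no key at all fits the pairs
        x *= 2
    lo, hi = x // 2, x                   # in_L(lo) is False (or lo == 0); in_L(hi) is True
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if in_L(mid):
            hi = mid
        else:
            lo = mid
    return hi - 1

DEMO_KEY = 0xA7C                              # constructed secret key
DEMO_PLAINTEXTS = [0x12, 0x7E, 0xB4, 0xD9]    # constructed known plaintexts

def known_pairs(key: int, plaintexts: List[int] = DEMO_PLAINTEXTS) -> Pairs:
    return [(m, encrypt(key, m)) for m in plaintexts]

if __name__ == "__main__":
    oracle = MembershipOracle(known_pairs(DEMO_KEY))
    print("recovered key", hex(recover_key(oracle)), "after", oracle.calls, "oracle queries")
    print("cipher oracles ->", distinguish(lambda m: encrypt(DEMO_KEY, m),
                                           lambda c: decrypt(DEMO_KEY, c)))
    print("random oracles ->", distinguish(*random_permutation_oracles(2024)))
```

With a 12-bit key the oracle is consulted at most about 2*KEYBITS times, so if the decider were polynomial in the key length the key recovery would be too; that is the contradiction the post draws. The distinguisher side is the mirror image: the same brute force over keys is exactly the work a nondeterministic machine guesses away in one step.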
Subject: Re: Memo to the Amateur Cipher Designer Date: 28 Oct 1998 08:43:07 GMT From: olson@umbc.edu (Bryan G. Olson; CMSC (G)) Message-ID: <716ler$h90$1@news.umbc.edu> References: <3634a751.2469260@news.io.com> Newsgroups: sci.crypt Lines: 42 Terry Ritter wrote: : Bruce Schneier wrote: : >Security is orthogonal to functionality. A cipher cannot deliver any : >new advantages until it is considered strong. That's what makes this : >discipline complicated. : Apparently I have been unable to communicate the issue: That may be, but Bruce understands the issues anyway. [...] : >No. The adversarial game of making and breaking is what makes : >cryptography cryptography. I design; you break. You design; I break. : >This is what cryptography is. : I am not referring to legitimate thrust and parry of design and : analysis, I am referring to exactly the sort of behavior in your (now : deleted) anecdote. I claim: : * The legitimate response to a design is a break. : * The legitimate response to a fixed design is a break. : * The legitimate response to a fixed fixed design is a break. Absolutely. Please, please, start responding that way. Enough of all the posts that respond to someone else's design by pointing out features of your own designs. There are very few on this group who actually devote time and effort to looking into other people's suggestions. : Life is tough for cipher analyzers. It must be frustrating when : newbies simply do not (no doubt interpreted as "will not") get the : point. Yes it is. The major "point" is that a cipher designer must _be_ a cipher analyzer. That's what good designers spend most of their time doing. --Bryan
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 21 Oct 1998 05:22:08 GMT
From: dianelos@tecapro.com
Message-ID: <70jr20$k0l$1@nnrp1.dejanews.com>
References: <36292906.1151332@news.visi.com>
Newsgroups: sci.crypt
Lines: 99

In article <36292906.1151332@news.visi.com>, schneier@counterpane.com (Bruce Schneier) wrote:

>[...]
> "The best cryptographers around" break a lot of ciphers. The academic
> literature is littered with the carcasses of ciphers broken by their
> analyses.

I would rather not use the word "break" to describe the successful cryptanalysis of a cipher. If somebody found an attack against 3DES with 2^60 chosen plaintexts it would certainly be a great piece of cryptanalytic work but it would *not* mean that bank wire transfers could be BROKEN in any reasonable sense of the word. Again: if somebody found a way to compute the 3DES key with two known plaintexts and 15 seconds on a PC, how would we describe this attack - a "demolition" of 3DES or what? I think it would be better to say that a successful cryptanalysis discovered a weakness in a cipher. Any weakness can or should be mortal for a cipher, particularly if discovered with little effort or if that cipher can show no other advantages. Even so, the word "break" we should reserve for what the British did to the Enigma machine.

I know this is only semantics but still I think it is important. Security issues are slowly seeping into public awareness and it would be best not to use common words in a way that is contrary to their normal meaning.

> [...] Algorithms
> posted to Internet newsgroups by unknowns won't get a second glance.

My personal opinion is that in the future Internet newsgroups will be the most important medium for communicating ideas while peer reviewed publications, as we know them today, will be less and less important. This is not an either-or proposition. Stuffy, paper-based publications and chaotic, unstructured newsgroups will gravitate towards a medium that combines the best of the two worlds. Newsgroups do have enormous advantages: immediate and free movement of ideas is one of them. The other, I think, is that it is much cheaper for an author to be proven wrong in a newsgroup post; therefore people feel more free to publish crazy, less well thought out ideas. One of the seminal books in my life was Minsky's "Society of Mind". I think newsgroups will evolve to what is functionally a bigger mind.

When I started toying with the idea of participating in the AES competition, I intended to post my basic idea and invite the sci.crypt crowd to participate as a group in the competition. When I finally started working on the submission it was too late. Pity - it would have been an interesting experiment of the BIG MIND paradigm.

> [...] The
> cipher's strength is not in its design; anyone could design something
> like that. The strength is in its analysis.

Clearly there is no known formula or experiment that measures a cipher's strength. This leaves human based analysis as the only way to validate a cipher's strength today. Still, I see a problem here: Suppose cipher A is analyzed by good cryptographers and many interesting results are published even though no weakness is found. Cipher B is analyzed even more intensely by the same people, no weakness is found but neither is there anything interesting to report. B should be considered stronger than A, but in the current state of affairs the opposite would happen. My point is that published results do not necessarily indicate the quantity or quality of analysis done on a cipher. Successful analysis depends not only on the cryptographer's previous experience or effort invested, but also on uncontrollable, unquantifiable factors such as inspiration or even luck. There is a real possibility that somebody will have an ingenious idea tomorrow that will demolish many ciphers we consider secure today. This is a terribly unfortunate situation: we are betting a significant part of tomorrow's stability not so much on technology that is not *proven* but rather on technology we have no way to *test*. Meanwhile, NSA is not allowed to talk, and this, I think, is not wise.

>[...]
> 1. Describe your cipher using standard notation. This doesn't mean C
> code. There is established terminology in the literature. Learn it
> and use it; no one will learn your specialized terminology.

I don't completely agree. A standard representation often restricts the group of ideas that can comfortably be expressed. For example, FROG cannot be represented with the traditional hardware schematic; some algorithms can be represented more elegantly with unstructured pseudocode filled with GOTOs. A cipher is an algorithm - traditionally algorithms are described with pseudo-code or even with documented code written in Pascal, Lisp, C or some other well known language. I don't quite see why using C to describe a cipher is a bad idea. Anyway, I am splitting hairs here. It is self-evident that a cipher should be described in a clear way and that no specialized terminology should be used when none is needed.

--
http://www.tecapro.com email: dianelos@tecapro.com

-----------== Posted via Deja News, The Discussion Network ==----------
http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 22 Oct 1998 15:20:06 GMT
From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard)
Message-ID: <362f4c6d.832631@news.prosurfr.com>
References: <70jr20$k0l$1@nnrp1.dejanews.com>
Newsgroups: sci.crypt
Lines: 15

dianelos@tecapro.com wrote, in part:

> I would rather not use the word "break" to describe the successful
> cryptanalysis of a cipher. If somebody found an attack against
> 3DES with 2^60 chosen plaintexts it would certainly be a great
> piece of cryptanalytic work but it would *not* mean that bank wire
> transfers could be BROKEN in any reasonable sense of the word.

Well, that's a valid enough comment on terminology. However, with specific reference to the AES process, a cryptanalytic result that indicates a proposed cipher is less than _perfect_ is, quite properly, considered significant.

John Savard
http://members.xoom.com/quadibloc/index.html
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 23 Oct 1998 10:53:08 -0600
From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw)
Message-ID: <jgfunj-2310981053080001@dialup133.itexas.net>
References: <36305059.CAE8032F@stud.uni-muenchen.de> <jgfunj-2210981318390001@207.22.198.187>
Newsgroups: sci.crypt
Lines: 43

In article <36305059.CAE8032F@stud.uni-muenchen.de>, Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de> wrote:

> W T Shaw wrote:
> >
> > In article <362F34E7.118E41AC@stud.uni-muenchen.de>, Mok-Kong Shen
> > <mok-kong.shen@stud.uni-muenchen.de> wrote:
> >
> > > > dianelos@tecapro.com wrote:
> > > > For example, FROG cannot be represented with the traditional
> > > > hardware schematic; some algorithms can be represented more
> > > > elegantly with unstructured pseudocode filled with GOTOs. A cipher
> > > > is an algorithm - traditionally algorithms are described with
> > > > pseudo-code or even with documented code written in Pascal, Lisp,
> > > > C or some other well known language. I don't quite see why using C
> > > > to describe a cipher is a bad idea.
> > >
> > I get his idea, that to predicate a description or demonstration to an
> > artificially restrictive set of circumstances might preclude the simplest
> > or the most meaningful one. Each media has its own built in
> > prejudices which might make things look harder than they are. I challenge
> > you to build a DES encryption machine with no electronics in it.
>
> Sorry that I don't yet understand. I thought what Dianelos wrote
> amounts to the following: FROG cannot be described with a program
> written in any of the currently used programming languages.

See above; clearly he said that describing a cipher in C would be OK with him, but not in a traditional *hardware* schematic.

> But
> with what should FROG be properly described? Does one need a
> real-time programming language? There are hardware design languages,
> VHDL. Should FROG be described using these? I think we should
> await the answer from the designer of FROG rather than making
> speculations ourselves.
>

I expect him to agree with what he has said already as he is consistent.

--
---
Security by obscurity is a good description of bureaucratic spending.
---
Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Sat, 24 Oct 1998 03:31:06 GMT
From: dianelos@tecapro.com
Message-ID: <70rhlq$ock$1@nnrp1.dejanews.com>
References: <36305059.CAE8032F@stud.uni-muenchen.de> <jgfunj-2210981318390001@207.22.198.187>
Newsgroups: sci.crypt
Lines: 65

In article <36305059.CAE8032F@stud.uni-muenchen.de>, Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de> wrote:

> W T Shaw wrote:
> >
> > In article <362F34E7.118E41AC@stud.uni-muenchen.de>, Mok-Kong Shen
> > <mok-kong.shen@stud.uni-muenchen.de> wrote:
> >
> > > > dianelos@tecapro.com wrote:
> > > > For example, FROG cannot be represented with the traditional
> > > > hardware schematic; some algorithms can be represented more
> > > > elegantly with unstructured pseudocode filled with GOTOs. A cipher
> > > > is an algorithm - traditionally algorithms are described with
> > > > pseudo-code or even with documented code written in Pascal, Lisp,
> > > > C or some other well known language. I don't quite see why using C
> > > > to describe a cipher is a bad idea. Anyway, I am splitting hairs
> > >
> > > I don't quite catch your point. Does the sentence 'FROG cannot be ...'
> > > imply that it can't be described fully in C etc.?
> > >
> > I get his idea, that to predicate a description or demonstration to an
> > artificially restrictive set of circumstances might preclude the simplest
> > or the most meaningful one. Each media has its own built in
> > prejudices which might make things look harder than they are. I challenge
> > you to build a DES encryption machine with no electronics in it.
>
> Sorry that I don't yet understand. I thought what Dianelos wrote
> amounts to the following: FROG cannot be described with a program
> written in any of the currently used programming languages. But
> with what should FROG be properly described? Does one need a
> real-time programming language? There are hardware design languages,
> VHDL. Should FROG be described using these? I think we should
> await the answer from the designer of FROG rather than making
> speculations ourselves.

In my original post I mentioned two examples of cases where the traditional representation of an idea turns out not to be simplest. Mok-kong thought the two examples are related - they are not. Sorry for the ambiguity.

FROG cannot easily be represented by a hardware diagram because it uses key dependent addresses. Hardware diagrams have fixed data paths. In principle, of course, you can represent *any* algorithm either in C or as a hardware diagram. Sometimes a hardware diagram is the better option. For example, it is easier to express a permutation using a hardware diagram rather than in C. In general it is easier to express concurrency with diagrams.

What representation you choose is not a trivial matter. If a cipher designer always works sketching diagrams, in praxis he will artificially limit the range of ideas that he will consider. Also, changing back and forth from one representation to another can be very useful sometimes. I recall how in school exams I had to solve geometry problems using only Euclidean reasoning. Well, I found out that I could often translate the problem into vector algebra, easily solve it in this representation, and then translate my proof, step by step, back into pure geometry.

--
http://www.tecapro.com email: dianelos@tecapro.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: Sun, 25 Oct 1998 10:39:00 -0600
From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw)
Message-ID: <jgfunj-2510981039000001@dialup126.itexas.net>
References: <70rhlq$ock$1@nnrp1.dejanews.com>
Newsgroups: sci.crypt
Lines: 21

In article <70rhlq$ock$1@nnrp1.dejanews.com>, dianelos@tecapro.com wrote:
>
> What representation you choose is not a trivial matter. If a cipher
> designer always works sketching diagrams, in praxis he will
> artificially limit the range of ideas that he will consider.
> Also, changing back and forth from one representation to another
> can be very useful sometimes. I recall how in school exams
> I had to solve geometry problems using only Euclidean reasoning.
> Well, I found out that I could often translate the problem into
> vector algebra, easily solve it in this representation, and then
> translate my proof, step by step, back into pure geometry.
>

Hook or crook means anything that works is open for use. Having to work things out solely by careful appearing and impressive sounding logic that may not be applicable to the real world is the essence of the scientific Greek Tragedy.

--
---
Please excuse if there are multiple postings for my responses...I have no idea where they come from as I only receive one confirmation for each posting from my newsserver.
---
Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 26 Oct 1998 03:56:39 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <3633f23c.2025257@news.visi.com>
References: <70jr20$k0l$1@nnrp1.dejanews.com>
Newsgroups: sci.crypt
Lines: 61

On Wed, 21 Oct 1998 05:22:08 GMT, dianelos@tecapro.com wrote:

> I would rather not use the word "break" to describe the successful
> cryptanalysis of a cipher. If somebody found an attack against
> 3DES with 2^60 chosen plaintexts it would certainly be a great
> piece of cryptanalytic work but it would *not* mean that bank wire
> transfers could be BROKEN in any reasonable sense of the word.
> Again: if somebody found a way to compute the 3DES key with two
> known plaintexts and 15 seconds on a PC, how would we describe
> this attack - a "demolition" of 3DES or what? I think it would be
> better to say that a successful cryptanalysis discovered a
> weakness in a cipher. Any weakness can or should be mortal for a
> cipher, particularly if discovered with little effort or if that
> cipher can show no other advantages. Even so, the word "break" we
> should reserve for what the British did to the Enigma machine.

I agree that "break" is overused. No one will argue that most of the breaks in the literature are what some of us call "academic breaks": attacks that show theoretical weakness but cannot be used in real life to break operational traffic. Prudence, of course, teaches that if you have to choose between two ciphers, one with an academic break and one without, you choose the one without.

>> [...] Algorithms
>> posted to Internet newsgroups by unknowns won't get a second glance.
>
> My personal opinion is that in the future Internet newsgroups will
> be the most important medium for communicating ideas while peer
> reviewed publications, as we know them today, will be less and
> less important.

Not a chance. In a world where everyone is a publisher, editors become even more important.

>> 1. Describe your cipher using standard notation. This doesn't mean C
>> code. There is established terminology in the literature. Learn it
>> and use it; no one will learn your specialized terminology.
>
> I don't completely agree. A standard representation often
> restricts the group of ideas that can comfortably be expressed.
> For example, FROG cannot be represented with the traditional
> hardware schematic; some algorithms can be represented more
> elegantly with unstructured pseudocode filled with GOTOs. A cipher
> is an algorithm - traditionally algorithms are described with
> pseudo-code or even with documented code written in Pascal, Lisp,
> C or some other well known language. I don't quite see why using C
> to describe a cipher is a bad idea. Anyway, I am splitting hairs
> here. It is self-evident that a cipher should be described in a
> clear way and that no specialized terminology should be used when
> none is needed.

I disagree with your disagreement, but I expect it is a semantic distinction. "The established terminology in the literature" is not C code, assembly code, a hardware schematic, or any implementation language. The established terminology for cryptography is mathematics. I can describe FROG mathematically, and so can you.

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590
Free crypto newsletter. See: http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 26 Oct 1998 14:21:00 +0100
From: Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
Message-ID: <3634773C.B78AB011@stud.uni-muenchen.de>
References: <3633f23c.2025257@news.visi.com>
Newsgroups: sci.crypt
Lines: 21

Bruce Schneier wrote:
>
> On Wed, 21 Oct 1998 05:22:08 GMT, dianelos@tecapro.com wrote:
> > here. It is self-evident that a cipher should be described in a
> > clear way and that no specialized terminology should be used when
> > none is needed.
>
> I disagree with your disagreement, but I expect it is a semantic
> distinction. "The established terminology in the literature" is not C
> code, assembly code, a hardware schematic, or any implementation
> language. The established terminology for cryptography is mathematics.
> I can describe FROG mathematically, and so can you.

I think that the economy of description decides to some extent which way of presentation is to be preferred. As far as I know, in mathematics one rarely (almost never) writes proofs in terms of formal logic calculus, because that, although more rigorous, is much more tedious.

M. K. Shen
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 26 Oct 1998 16:46:24 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <3634a75a.2478727@news.io.com>
References: <3633f23c.2025257@news.visi.com>
Newsgroups: sci.crypt
Lines: 72

On Mon, 26 Oct 1998 03:56:39 GMT, in <3633f23c.2025257@news.visi.com>, in sci.crypt schneier@counterpane.com (Bruce Schneier) wrote:

>[...]
>>> [...] Algorithms
>>> posted to Internet newsgroups by unknowns won't get a second glance.
>>
>> My personal opinion is that in the future Internet newsgroups will
>> be the most important medium for communicating ideas while peer
>> reviewed publications, as we know them today, will be less and
>> less important.
>
>Not a chance. In a world where everyone is a publisher, editors
>become even more important.

I recently posted a quote about this from the current IEEE Spectrum in another thread. Basically the idea is that the world is moving *away* from intermediaries who filter and decide for us, to the end-user (of clothes, of technical articles, etc.) surveying it all, and making the decision on what to select. One can argue how far this will go, but the time is past when somebody could just sit and wait for the articles to arrive and thus be assured of knowing the field.

>>> 1. Describe your cipher using standard notation. This doesn't mean C
>>> code. There is established terminology in the literature. Learn it
>>> and use it; no one will learn your specialized terminology.
>>
>> I don't completely agree. A standard representation often
>> restricts the group of ideas that can comfortably be expressed.
>> For example, FROG cannot be represented with the traditional
>> hardware schematic; some algorithms can be represented more
>> elegantly with unstructured pseudocode filled with GOTOs. A cipher
>> is an algorithm - traditionally algorithms are described with
>> pseudo-code or even with documented code written in Pascal, Lisp,
>> C or some other well known language. I don't quite see why using C
>> to describe a cipher is a bad idea. Anyway, I am splitting hairs
>> here. It is self-evident that a cipher should be described in a
>> clear way and that no specialized terminology should be used when
>> none is needed.
>
>I disagree with your disagreement, but I expect it is a semantic
>distinction. "The established terminology in the literature" is not C
>code, assembly code, a hardware schematic, or any implementation
>language. The established terminology for cryptography is mathematics.
>I can describe FROG mathematically, and so can you.

Sure, we can describe *any* logic machine mathematically, but why would one want to? If math is a great advantage in understanding logic machines, why are logic machines not generally described that way? Why? Because schematics can be clearer, that's why. And clarity in the presentation is exactly what we want.

Now, there are ciphers for which math is the appropriate description: Number-theoretic ciphers and so on. Math is at the heart of those ciphers, and governs how they work. To understand them, math is the appropriate notation.

Most symmetric designs, however, are not number-theoretic, nor do they have any coherent mathematical theory. Yes, one could cast them into math, but why? Without the underlying mathematical theory, where is the advantage? Indeed, translating the arbitrary machine from its design notation into another notation seems likely to hide the very issues on which the cipher is based, and those are exactly the issues which might be most important for analysis.

---
Terry Ritter ritter@io.com http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 28 Oct 1998 10:56:20 +0000
From: Frank O'Dwyer <fod@brd.ie>
Message-ID: <3636F854.65C31548@brd.ie>
References: <3633f23c.2025257@news.visi.com>
Newsgroups: sci.crypt
Lines: 16

Bruce Schneier wrote:
> On Wed, 21 Oct 1998 05:22:08 GMT, dianelos@tecapro.com wrote:
> > My personal opinion is that in the future Internet newsgroups will
> > be the most important medium for communicating ideas while peer
> > reviewed publications, as we know them today, will be less and
> > less important.
>
> Not a chance. In a world where everyone is a publisher, editors
> become even more important.

I think the key phrase above is "peer reviewed publications, as we know them today". In a world where everyone can be a publisher, everyone can be an editor too.

Cheers,
Frank O'Dwyer.
Subject: Re: Memo to the Amateur Cipher Designer
Date: 28 Oct 1998 09:41:52 -0500
From: juola@mathcs.duq.edu (Patrick Juola)
Message-ID: <717afg$jir$1@quine.mathcs.duq.edu>
References: <3636F854.65C31548@brd.ie>
Newsgroups: sci.crypt
Lines: 25

In article <3636F854.65C31548@brd.ie>, Frank O'Dwyer <fod@brd.ie> wrote:
>Bruce Schneier wrote:
>> On Wed, 21 Oct 1998 05:22:08 GMT, dianelos@tecapro.com wrote:
>> > My personal opinion is that in the future Internet newsgroups will
>> > be the most important medium for communicating ideas while peer
>> > reviewed publications, as we know them today, will be less and
>> > less important.
>>
>> Not a chance. In a world where everyone is a publisher, editors
>> become even more important.
>
>I think the key phrase above is "peer reviewed publications, as we know
>them today". In a world where everyone can be a publisher, everyone can
>be an editor too.

Which implies that the value of good, worthwhile editing will continue to climb, just as the value of good *writing* has been climbing since the development of the Internet.

I suspect that peer-reviewed publications have become more and more important over the last 20 years as information channels, as the informal channels (e.g. Karp, p.c.) have gotten more and more clogged by garbage.

-kitten
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 28 Oct 1998 18:32:40 GMT
From: aquiranx@goliat.ugr.es (Gurripato (x=nospam))
Message-ID: <36375758.26994734@news.cica.es>
References: <3633f23c.2025257@news.visi.com>
Newsgroups: sci.crypt
Lines: 13

On Mon, 26 Oct 1998 03:56:39 GMT, schneier@counterpane.com (Bruce Schneier) wrote:

>I agree that "break" is overused. No one will argue that most of the
>breaks in the literature are what some of us call "academic breaks":
>attacks that show theoretical weakness but cannot be used in real life
>to break operational traffic. Prudence, of course, teaches that if
>you have to choose between two ciphers, one with an academic break and
>one without, you choose the one without.
>

How would you then best describe Dobbertin's attack on the compression function of MD5? Does it go all the way to demolition, plain break, or just academic break?
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 27 Oct 1998 11:16:48 GMT
From: sjmz@hplb.hpl.hp.com (Stefek Zaba)
Message-ID: <F1HGo1.GIC@hplb.hpl.hp.com>
References: <jgfunj-2210981318390001@207.22.198.187> <362F34E7.118E41AC@stud.uni-muenchen.de> <70jr20$k0l$1@nnrp1.dejanews.com>
Newsgroups: sci.crypt
Lines: 23

In sci.crypt, W T Shaw (jgfunj@EnqvbSerrGrknf.pbz) wrote:
>
> I get his idea, that to predicate a description or demonstration to an
> artificially restrictive set of circumstances might preclude the simplest
> or the most meaningful one. Each media has its own built in
> prejudices which might make things look harder than they are. I challenge
> you to build a DES encryption machine with no electronics in it.
>

OK: consider a city full of Chinese people, rigorously following written instructions on the handling of small (8-byte, to be concrete) amounts of information in particular systematic ways. (Yes, a group of individuals running round with an internal monologue which if dragged first from mentalese to Cantonese and thus to English might be rendered as "I'm an S-box! I'm an S-box!", "I'm a transposer! I'm a transposer!", and the like.) They pass the outputs of their rule-following to designated, possibly conditionally-different, individuals. Such a small city can compute DES encryptions/decryptions without a semiconductor in sight. And that estimable Mr Searle will explain why each of them must be shot after performing their role more than a few times, as they now understand not only block cipher design but the content of the encrypted message :-)

Cheerski, Stefek "I Was A Chinese Sex Slave" Z
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 22 Oct 1998 23:31:33 GMT
From: mr.i.o.yankle@anagrams.r.us (Mr. I. O. Yankle)
Message-ID: <362fbdbc.162209710@news.alt.net>
References: <36292906.1151332@news.visi.com>
Newsgroups: sci.crypt
Lines: 8

When I first read "Memo to the Amateur Cipher Designer" in Bruce Schneier's CRYPTO-GRAM, it was so clearly true and sensible to me that I expected it to gain immediate acceptance on sci.crypt and to even gain the status of "required reading". I still hope that this will be the case, but I can see now that it will take some time.

--
"Mr. I. O. Yankle" better known as 0279.654831@mail.serve.com.
01 2 3 456789 <- Use this key to decode my email address.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 22 Oct 1998 21:41:08 -0600
From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw)
Message-ID: <jgfunj-2210982141230001@207.101.116.111>
References: <362fbdbc.162209710@news.alt.net>
Newsgroups: sci.crypt
Lines: 20

In article <362fbdbc.162209710@news.alt.net>, mr.i.o.yankle@anagrams.r.us (Mr. I. O. Yankle) wrote:

> When I first read "Memo to the Amateur Cipher Designer" in Bruce Schneier's
> CRYPTO-GRAM, it was so clearly true and sensible to me that I expected it
> to gain immediate acceptance on sci.crypt and to even gain the status of
> "required reading". I still hope that this will be the case, but I can see
> now that it will take some time.

It could be that what is so clearly true and sensible to you is not necessarily so. Indeed, many of the thoughts have been expressed before. It is rather that the devil is as always in the details, and the audience here is not immune to nit picking at generalizations which are best accepted by those who know little or nothing about the subject. Such popularistic wisdom is best spent elsewhere.

--
---
Passing a budget with obscure items is bad; preventing government payment for birth control while authorizing millions for viagra lets us focus on the hard facts of prevalent sexism.
---
Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 26 Oct 1998 16:45:49 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <3634a72a.2430860@news.io.com>
References: <362fbdbc.162209710@news.alt.net>
Newsgroups: sci.crypt
Lines: 35

On Thu, 22 Oct 1998 23:31:33 GMT, in <362fbdbc.162209710@news.alt.net>, in sci.crypt mr.i.o.yankle@anagrams.r.us (Mr. I. O. Yankle) wrote:

>When I first read "Memo to the Amateur Cipher Designer" in Bruce Schneier's
>CRYPTO-GRAM, it was so clearly true and sensible to me that I expected it
>to gain immediate acceptance on sci.crypt and to even gain the status of
>"required reading". I still hope that this will be the case, but I can see
>now that it will take some time.

I would hope that anyone reading Schneier's article would recognize that it is seriously flawed in many ways. Here are some interesting points from the article:

* Someone with a good idea and presentation will have trouble getting published if they are not part of "the crypto clique."

* The way to handle those with less knowledge is to demonstrate how much smarter we are so they will go away.

* Extensive cryptanalysis can prove cipher strength.

From a whole list of appalling ideas, this last is perhaps the most breathtaking, as it goes to the fundamental basis of modern cryptography by a renowned expert in the field.

Perhaps you should review my response of Tue, 20 Oct 1998 00:40:21 GMT in message id 362bdbc6.3212829@news.io.com.

---
Terry Ritter ritter@io.com http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 27 Oct 1998 02:36:58 GMT
From: kery.minola@anagrams.r.us (Kery Minola)
Message-ID: <36352680.84964040@news.gate.net>
References: <3634a72a.2430860@news.io.com>
Newsgroups: sci.crypt
Lines: 58

ritter@io.com (Terry Ritter) wrote:

>I would hope that anyone reading Schneier's article would recognize
>that it is seriously flawed in many ways. Here are some interesting
>points from the article:

>* Someone with a good idea and presentation will have trouble getting
>published if they are not part of "the crypto clique."

Bruce Schneier's article does not mention a "clique", perhaps that's your term for the scientific community. That you must show that you know what you're talking about before people will listen to you is a fact of life. He merely reported it.

>* The way to handle those with less knowledge is to demonstrate how
>much smarter we are so they will go away.

The way to handle those with less knowledge is to show them how much they have yet to learn and to point the way.

>* Extensive cryptanalysis can prove cipher strength.

I had no problem understanding what he meant. He meant that extensive cryptanalysis of a cipher is the best evidence of strength that you can hope for.

>From a whole list of appalling ideas, this last is perhaps the most
>breathtaking, as it goes to the fundamental basis of modern
>cryptography by a renowned expert in the field.

Here's what he said:

>What is hard is creating an algorithm that no one else can break, even
>after years of analysis. And the only way to prove that is to subject
>the algorithm to years of analysis by the best cryptographers around.

You are really grasping at straws if you are trying to pin him down to the literal, mathematical meaning of "prove". Are you suggesting that Bruce Schneier is totally oblivious to the weekly sci.crypt discussions about how the O.T.P. is the only provably secure cipher? Obviously he meant "prove" in the everyday sense of "beyond a reasonable doubt".

>Perhaps you should review my response of Tue, 20 Oct 1998 00:40:21 GMT
>in message id 362bdbc6.3212829@news.io.com.

Yes, I read that message as well. My impression is that the amateur cryptologists here are currently in denial of what they know is true. In time, I believe the document "Memo to the Amateur Cipher Designer" will become a handy countermeasure to use against the annoying posts of gibberish that we see here, which are always accompanied by an arrogant challenge to break the code.

It's the truth. Face it and embrace it!

--
"Kery Minola" better known as 4501.693872@mail.serve.com.
0123 456789 <- Use this key to decode my email address.
5 X 5 Poker - http://www.serve.com/games/
Subject: Re: Memo to the Amateur Cipher Designer
Date: 27 Oct 1998 04:04:19 GMT
From: caj@baker.math.niu.edu (Xcott Craver)
Message-ID: <713go3$ora$1@gannett.math.niu.edu>
References: <3634a72a.2430860@news.io.com>
Newsgroups: sci.crypt
Lines: 26

Terry Ritter <ritter@io.com> wrote:
>
>I would hope that anyone reading Schneier's article would recognize
>that it is seriously flawed in many ways. Here are some interesting
>points from the article:
>
>* Someone with a good idea and presentation will have trouble getting
>published if they are not part of "the crypto clique."

Well, they say that every reading is a misreading. Not only did the memo NOT say this, but it outlined how to get one's foot in the door via publishing attacks. I can verify that this strategy works like a charm.

Publishing is not easy or perfect, but the accusation of an entrenched scientific clique is the stuff of UFO cover-up theories, creationism and flawed proofs of Fermat's last theorem.

>* Extensive cryptanalysis can prove cipher strength.

!!! It's obvious that the memo did not mean "prove" in the strict mathematical sense, but in the empirical sense. Cryptography being a science, I don't exactly see anything wrong with using the SCIENTIFIC METHOD.

-Caj
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 27 Oct 1998 05:59:54 GMT
From: "Douglas A. Gwyn" <DAGwyn@null.net>
Message-ID: <36356103.9BC3B1FA@null.net>
References: <713go3$ora$1@gannett.math.niu.edu>
Newsgroups: sci.crypt
Lines: 15

Xcott Craver wrote:
> !!! It's obvious that the memo did not mean "prove" in the
> strict mathematical sense, but in the empirical sense.

The trouble is, with cryptography the protected message seems absolutely secure against eavesdropping, until a cryptanalytic breakthrough occurs, after which it is horribly insecure. The "empirical proof" means very little since it can't allow for the eavesdropper's cryptanalytic abilities.

> Cryptography being a science, I don't exactly see anything
> wrong with using the SCIENTIFIC METHOD.

There is a huge difference between studying nature and analyzing products of the mind of man.
Subject: Re: Memo to the Amateur Cipher Designer
Date: 27 Oct 1998 19:05:14 GMT
From: caj@baker.math.niu.edu (Xcott Craver)
Message-ID: <7155ha$nt3$1@gannett.math.niu.edu>
References: <36356103.9BC3B1FA@null.net>
Newsgroups: sci.crypt
Lines: 25

Douglas A. Gwyn <DAGwyn@null.net> wrote:
>Xcott Craver wrote:
>
>> Cryptography being a science, I don't exactly see anything
>> wrong with using the SCIENTIFIC METHOD.
>
>There is a huge difference between studying nature and
>analyzing products of the mind of man.

Are you suggesting that we should use something other than the scientific method? Nobody claims that basing a conclusion on empirical evidence is perfect, or even safe; but what alternative?

Further, whether or not mathematical constructs are "the products of the mind of man" has been debated, hotly, for as long as there have been philosophers. Mathematical realists would consider the study of ciphers literally the study of the universe around us --- just the intangible part of the universe.

Finally, why on Earth should the scientific method be disqualified in the case of studying the products of the human mind? Do you know something that all the psychologists in the world don't?
Subject: Re: Memo to the Amateur Cipher Designer Date: Tue, 27 Oct 1998 20:50:22 -0600 From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw) Message-ID: <jgfunj-2710982050220001@dialup146.itexas.net> References: <7155ha$nt3$1@gannett.math.niu.edu> Newsgroups: sci.crypt Lines: 42 In article <7155ha$nt3$1@gannett.math.niu.edu>, caj@baker.math.niu.edu (Xcott Craver) wrote: > Douglas A. Gwyn <DAGwyn@null.net> wrote: > >Xcott Craver wrote: > > > >> Cryptography being a science, I don't exactly see anything > >> wrong with using the SCIENTIFIC METHOD. > > > >There is a huge difference between studying nature and > >analyzing products of the mind of man. > > Are you suggesting that we should use something other than the > scientific method? Nobody claims that basing a conclusion > on empirical evidence is perfect, or even safe; but what > alternative? > Science uses lots of methods, including one actually called *the scientific method*. To demand a single route to the truth is to prejudice against truths that may not conform so well to that path. This is the essence of what is wrong with what Bruce advocates, which is the same old tired argument we have heard for ages. Sophisticated groups, like individuals, can be entirely wrong. To use popularity and acceptance as measures to oppose the introduction of new ideas moves from scientific humility to politics, which is seldom a friend to basic science. You must realize your own prejudices before you can be worthy of judging the motives of others; you should be ready to accept good data, even if it conflicts with that which you have previously accepted. If anyone really is on a search for truth, they will not press artificial hurdles in anyone's way. This means that informal means should not be ignored, because formalism by definition tends to be prejudicial and self-serving, rationalizing the importance of its own existence.
It even causes well-meaning people to lose their handle on what science is all about, if they ever considered finding truth as a lofty imperative. -- --- Please excuse if there are multiple postings for my responses...I have no idea where they come from as I only receive one confirmation for each posting from my newsserver. --- Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer Date: 28 Oct 98 05:50:37 GMT From: rigoleto@table.jps.net (Mike Zorn) Message-ID: <3636b0ad.0@blushng.jps.net> References: <jgfunj-2710982050220001@dialup146.itexas.net> Newsgroups: sci.crypt Lines: 17 W T Shaw (jgfunj@EnqvbSerrGrknf.pbz) wrote: : In article <7155ha$nt3$1@gannett.math.niu.edu>, caj@baker.math.niu.edu : (Xcott Craver) wrote: : > Douglas A. Gwyn <DAGwyn@null.net> wrote: : > >Xcott Craver wrote: : > >> Cryptography being a science, I don't exactly see anything : > >> wrong with using the SCIENTIFIC METHOD. : > >There is a huge difference between studying nature and : > >analyzing products of the mind of man. : > Are you suggesting that we should use something other than the : > scientific method? Nobody claims that basing a conclusion : > on empirical evidence is perfect, or even safe; but what : > alternative? As an example, the benzene ring was not discovered by the 'scientific method'. (on the other hand, we can't all be Kekule.) The SM is a powerful tool, and it is quite useful - it's just not the only one. Mike Zorn
Subject: Re: Memo to the Amateur Cipher Designer Date: Wed, 28 Oct 1998 17:09:04 GMT From: stefekz@netcom.com (Stefek Zaba) Message-ID: <stefekzF1Jrn4.HGK@netcom.com> References: <3636b0ad.0@blushng.jps.net> Newsgroups: sci.crypt Lines: 23 Mike Zorn (rigoleto@table.jps.net) wrote: : As an example, the benzene ring was not discovered by the 'scientific : method'. (on the other hand, we can't all be Kekule.) The SM is a powerful : tool, and it is quite useful - it's just not the only one. Kekule's *intuition* about a possible structure for benzene may be implausible to explain as a deductive process: however, the observational data which K was trying to explain, and subsequent observations on the behaviour of benzene, *are* applications of "the scientific method". Were Kekule doing abstract drawing, he could doodle a hexagon with thickened vertices, and leave appreciation to the aesthetic sense of his intended audience: but as a falsifiable hypothesis about the structure of a benzene molecule, such a sketch must also agree with observed data. Similarly, you, I, or my cat can come up with a block cipher design, and can call it "elegant", "minimal", "beautiful", "secure", or "toffee-flavoured". As an act of private creation it's an interesting artefact. But if we want it to be used, either in practice or as a case study of potential design principles, we must expect that design to be subjected to inspection, testing, analysis, attack, and other procedures which play the role of "observations". Cheers, Stefek
Subject: Re: Memo to the Amateur Cipher Designer Date: Wed, 28 Oct 1998 19:12:39 GMT From: ritter@io.com (Terry Ritter) Message-ID: <36376c92.5645084@news.io.com> References: <stefekzF1Jrn4.HGK@netcom.com> Newsgroups: sci.crypt Lines: 34 On Wed, 28 Oct 1998 17:09:04 GMT, in <stefekzF1Jrn4.HGK@netcom.com>, in sci.crypt stefekz@netcom.com (Stefek Zaba) wrote: >[...] >Similarly, you, I, or my cat can come up with a block cipher design, and >can call it "elegant", "minimal", "beautiful", "secure", or "toffee-flavoured". >As an act of private creation it's an interesting artefact. But if we want >it to be used, either in practice or as a case study of potential design >principles, we must expect that design to be subjected to inspection, testing, >analysis, attack, and other procedures which play the role of "observations". Note, however, that cryptographic "observations" do not have the same flavor as the usual scientific investigation: The thing we wish to show -- strength -- cannot be shown by observation, and also cannot be proven as a result of observations. In normal science we innovate experiments to prove a result and get a new fact. In cryptography, we innovate experiments to prove a failure, and with a lack of failure we somehow leap to a conclusion of strength. This is a faulty leap. Crucially, the inability to break a cipher after much effort says nothing about its "real" strength. Indeed, the conclusion of strength after analysis is *so* faulty that an old, well-accepted cipher could in fact be weaker than a new cipher with an obvious break. Even a broken new cipher could in fact be the better choice. Not being able to know strength is *really* not being able to know, and that is what we have. --- Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Memo to the Amateur Cipher Designer Date: Wed, 28 Oct 1998 23:48:40 GMT From: dscott@networkusa.net Message-ID: <718ago$r61$1@nnrp1.dejanews.com> References: <stefekzF1Jrn4.HGK@netcom.com> Newsgroups: sci.crypt Lines: 35 In article <stefekzF1Jrn4.HGK@netcom.com>, stefekz@netcom.com (Stefek Zaba) wrote: > Mike Zorn (rigoleto@table.jps.net) wrote: > ... > Similarly, you, I, or my cat can come up with a block cipher design, and > can call it "elegant", "minimal", "beautiful", "secure", or "toffee-flavoured". > As an act of private creation it's an interesting artefact. But if we want > it to be used, either in practice or as a case study of potential design > principles, we must expect that design to be subjected to inspection, testing, > analysis, attack, and other procedures which play the role of "observations". > > Cheers, Stefek > Actually if you come up with a good cipher you will not get it tested since they try to keep the rank of phony experts quite small. They may toss a bone from their high perch by decrypting some easy old stuff, but if it is good they will steal it, modify it a little and try to take the credit for themselves. When did the experts start talking about all or nothing crypto? Not too long ago, was it? I have been told BS Bruce hates my guts. He can joke about my code but I am a thorn in his side. He would show that it is easy to break mine if he could. The facts are he and his clan can't. But they may post some babble one of these days to confuse the masses. -- http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip ftp search for scott*u.zip in norway
Subject: Re: Memo to the Amateur Cipher Designer Date: Wed, 28 Oct 1998 05:43:00 GMT From: "Douglas A. Gwyn" <DAGwyn@null.net> Message-ID: <3636AE8A.4BC508A4@null.net> References: <7155ha$nt3$1@gannett.math.niu.edu> Newsgroups: sci.crypt Lines: 37 Xcott Craver wrote: > Douglas A. Gwyn <DAGwyn@null.net> wrote: > >Xcott Craver wrote: > > > >> Cryptography being a science, I don't exactly see anything > >> wrong with using the SCIENTIFIC METHOD. > >There is a huge difference between studying nature and > >analyzing products of the mind of man. > Are you suggesting that we should use something other than the > scientific method? Sure. Merriam-Webster's Collegiate Dictionary says: scientific method n (1854): principles and procedures for the systematic pursuit of knowledge involving the recognition and formulation of a problem, the collection of data through observation and experiment, and the formulation and testing of hypotheses. This clearly is an empirical method (observation and experiment) and so is less relevant to mathematical disciplines than it is to physical science. In other words, the so-called "scientific method" is but one tool in our epistemological arsenal and ought not to be applied where it is ineffective. > Further, whether or not mathematical constructs are > "the products of the mind of man" has been debated, hotly, > for as long as there have been philosophers. Yeah, but the Platonists are wrong. > Finally, why on Earth should the scientific method be > disqualified in the case of studying the products of the human > mind? Do you know something that all the psychologists in the > world don't? That would be no great trick.
Subject: Re: Memo to the Amateur Cipher Designer Date: 28 Oct 1998 17:15:07 GMT From: caj@baker.math.niu.edu (Xcott Craver) Message-ID: <717jer$3c2$1@gannett.math.niu.edu> References: <3636AE8A.4BC508A4@null.net> Newsgroups: sci.crypt Lines: 36 Douglas A. Gwyn <DAGwyn@null.net> wrote: >Xcott Craver wrote: >> >> Are you suggesting that we should use something other than the >> scientific method? > >Sure. Merriam-Webster's Collegiate Dictionary says: [...] >This clearly is an empirical method (observation and experiment) >and so is less relevant to mathematical disciplines than it is to >physical science. Well, so what do you suggest as an alternative? Remember, this was about how one decides to trust a cipher as "secure." The empirical method is to pick one most resistant to analysis. Your suggestion? >> Further, whether or not mathematical constructs are >> "the products of the mind of man" has been debated, hotly, >> for as long as there have been philosophers. > >Yeah, but the Platonists are wrong. Care to explain why, and put half the philosophy faculty in the world out of business? 'Sides, I'm talking about mathematical Realism. Slightly different from Platonism, and a LARGE number of mathematicians are realists. Surely you're a smart guy, especially if you know a better way to judge a cipher's security other than empirically, but you're implicitly declaring yourself smarter than a large number of people. Call me an empiricist, but I'd like to see some data. -Caj
Subject: Re: Memo to the Amateur Cipher Designer Date: 28 Oct 1998 08:23:05 GMT From: olson@umbc.edu (Bryan G. Olson; CMSC (G)) Message-ID: <716k99$gqm$1@news.umbc.edu> References: <3634a72a.2430860@news.io.com> Newsgroups: sci.crypt Lines: 67 Terry Ritter wrote: : Mr. I. O. Yankle wrote: : >When I first read "Memo to the Amateur Cipher Designer" in Bruce Schneier's : >CRYPTO-GRAM, it was so clearly true and sensible to me that I expected it : >to gain immediate acceptance on sci.crypt and to even gain the status of : >"required reading". Absolutely. I agreed with Mr. Ritter on one point, but clearly Bruce got at least a 95%. : I would hope that anyone reading Schneier's article would recognize : that it is seriously flawed in many ways. Here are some interesting : points from the article: : * Someone with a good idea and presentation will have trouble getting : published if they are not part of "the crypto clique." That's not really what he said. He recommended beginning with cryptanalysis which is more likely to be publishable than designs. Note that he said most conferences and workshops won't accept design from unknowns "without extensive analysis". The only unfairness is the suggestion that the same forums present designs from established experts without extensive analysis. : * The way to handle those with less knowledge is to demonstrate how : much smarter we are so they will go away. That's not in Bruce's paper. : * Extensive cryptanalysis can prove cipher strength. Again, what you're saying isn't what Bruce said, and I think you know it. Bruce wrote: What is hard is creating an algorithm that no one else can break, even after years of analysis. And the only way to prove that is to subject the algorithm to years of analysis by the best cryptographers around. No one claimed that failure to break a cipher results in some kind of mathematical theorem saying it's strong. 
What Bruce did say is the _only_ way we can know a cipher stands up to years of cryptanalysis by actually subjecting it to years of cryptanalysis. : From a whole list of appalling ideas, this last is perhaps the most : breathtaking, as it goes to the fundamental basis of modern : cryptography by a renowned expert in the field. You can misinterpret it or whine about it all you want, but what Bruce actually wrote is true. : Perhaps you should review my response of Tue, 20 Oct 1998 00:40:21 GMT : in message id 362bdbc6.3212829@news.io.com. Or perhaps you should go back and read the memo. There are clues in it for you. --Bryan
Subject: Re: Memo to the Amateur Cipher Designer Date: 26 Oct 1998 10:57:43 -0500 From: juola@mathcs.duq.edu (Patrick Juola) Message-ID: <71265n$sbd$1@quine.mathcs.duq.edu> References: <jgfunj-2610980949060001@dialup165.itexas.net> <711sa1$f74$5@korai.cygnus.co.uk> Newsgroups: sci.crypt Lines: 28 In article <jgfunj-2610980949060001@dialup165.itexas.net>, W T Shaw <jgfunj@EnqvbSerrGrknf.pbz> wrote: >In article <711sa1$f74$5@korai.cygnus.co.uk>, aph@cygnus.remove.co.uk >(Andrew Haley) wrote: >> >> I don't see the relevance of this. The best evidence of a >> one-year-old's thinking is the way in which they communicate. >> >The question of whether language is necessary for complex thought is one >of ongoing debate and research; it is not simply answered. Some would >jump to the conclusion that problem solving could not exist in isolation. >I've been around too many animals that learned, even wild ones where >instinct could not be blamed for resulting elaborate behavior. It's also completely irrelevant to the discussion at hand, unless one is suggesting that one's goldfish is the designer of a cryptographic algorithm. Whether ``language'' and ``complex thought'' are separable in the abstract is one question -- but in practical terms, every human is capable of both and usually does both at the same time. It's quite reasonable to use a person's ability to write clearly as a gauge for his/her ability to *think* clearly, given the observed high correlation between the two. The actual statistics of correlation are left as an exercise to be pulled out of any Psychology 101 textbook. They're out there, believe me. -kitten
Subject: Re: Memo to the Amateur Cipher Designer Date: Tue, 27 Oct 1998 16:56:18 +0100 From: Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de> Message-ID: <3635ED22.2F970FC3@stud.uni-muenchen.de> References: <36292906.1151332@news.visi.com> Newsgroups: sci.crypt Lines: 113 Bruce Schneier wrote: > > This was in the October CRYPTO-GRAM, but I thought I'd run it through > sci.crypt, since so many people seem to be asking questions on the > topic. The present thread is the biggest one I have ever seen in this group. After reading so many interesting viewpoints (maybe I missed some, due to the sheer volume), I would like to also contribute a tiny little bit to the original theme of Bruce Schneier. In all fields of knowledge (including handcrafts) there are professionals and amateurs; the one group can't exist (by definition) without the other. There are two kinds of people, those who like to be professionals and those who like to be amateurs, with those who like to be professionals albeit necessarily having to start in the status of amateurs (or more appropriately apprentices.) Becoming professionals has certain essential benefits, financial as well as social. That's what attracts people of the first group. But people of the second group envisage other (individually different) advantages (of being amateurs). To use an analogy, a grandma may hate to learn and work as the star cook of the best-known restaurant but instead prefer to see her grandchildren enjoy her simple country dishes. In sport, Olympic participants are amateurs, while big money and spectacles are reserved for distinguished names like Boris and Steffi. Thus, professionals and amateurs co-exist and, I believe, should be able to co-exist peacefully, with each group profiting from the existence of the other.
(In crypto, without the professionals the amateurs would lack general orientation for their endeavor and without the amateurs the would-be professionals (apprentices) wouldn't find the weak cryptos, the cracking of which constitutes the credentials for their ascension.) Bruce Schneier has described a route for a would-be professional to proceed from the current amateur status to the future professional status. Though this may be argued to be not the single possible route, I am sure that he has shown the most common and proper route. In fact the only way, for example, to become the world champion of boxing is to knock down every other competitor. There is no reason why things should be different in cryptology. If a cryptologist cracks all reputedly hard cryptos and nobody cracks his, he is duly the master and deserves a tenure. However, I think it is correct to say that not all practical applications need the strongest crypto, not to mention that the very concept of the strength of crypto is subject to debate. Most secrets need not be kept very long, whether civil, military or political. On the other hand really unbreakable ciphers exist only in theory, if I don't err. Hence there is a wide spectrum of encryption algorithms conceivable, some strong, others weak, yet all applicable provided that they are used under the appropriate circumstances. Not always is the strongest crypto indicated. The best crypto may be unavailable due to patents, high cost, export restriction and crypto regulations, etc. etc. In such cases one has to look for comparatively weak cryptos. With possible rare exceptions, amateurs can't compete with professionals. This is true in all fields. It follows that the design of the strongest ciphers is in a sense reserved for the professional cryptologists. But that certainly doesn't preclude amateurs bringing forth good ciphers or even novel ideas. The critical issue is how this can happen in as favourable a manner as possible.
Being an amateur (a very humble one, due to my poor knowledge in the field) and on the assumption that the majority of participants in this group are amateurs (at least in the sense of Bruce Schneier), I venture to make a few suggestions that could be useful. 1. Often discussions in the group are less subject-oriented but carry a certain portion of sentiments. This is common in almost all internet groups I know of. However, this widening of the bandwidth tends to render the material less interesting, perhaps even boring, for the professionals, with the consequence that they wouldn't subscribe to the group and we have thus less chance to get valuable comments and critiques from them. Hence I would like to suggest that general attention be paid to arguing sharply and unambiguously without 'side-tracking' etc. 2. It appears that materials (documents) presented are often either difficult to understand or very incomplete (lacking details). This is at least my personal impression in trying recently to learn from two algorithms by authors of this group. A better documentation would facilitate the exchange of ideas, promote the spread of knowledge and thus further the progress of the group as a whole. 3. In the modern world a single person has only little chance of achieving very much. Collaboration is on the other hand highly effective in obtaining success. Dianelos mentioned recently that he once intended to initiate a collective design in our group of a cipher starting from an idea of his. I believe that our group has enough potential to indeed successfully carry out such projects, provided that these are appropriately managed in some way. Eventually the heatedly debated opinions of the professionals on amateurs as exemplified by the Memo of Bruce Schneier could get modified. I have yet some other thoughts. However, since these are related to or in the same direction as the above, I believe it's better that I cut short and await discussions (or flames). M. K.
Shen ------------------------------------------------------ M. K. Shen, Postfach 340238, D-80099 Muenchen, Germany +49 (89) 831939 (6:00 GMT) mok-kong.shen@stud.uni-muenchen.de http://www.stud.uni-muenchen.de/~mok-kong.shen/ ---------------------------------------------- The words of a man's mouth are as deep waters, and the wellspring of wisdom as a flowing brook. (Proverbs 18:4) A little that a righteous man hath is better than the riches of many wicked. (Psalms 37:16)
Subject: Re: Memo to the Amateur Cipher Designer Date: Tue, 27 Oct 1998 21:02:07 GMT From: schneier@counterpane.com (Bruce Schneier) Message-ID: <36363316.8304318@news.visi.com> References: <3635ED22.2F970FC3@stud.uni-muenchen.de> Newsgroups: sci.crypt Lines: 69 On Tue, 27 Oct 1998 16:56:18 +0100, Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de> wrote: I agree with your distinction between amateurs and professionals, and agree that there is room for both in cryptography. I don't think, though, that my comments only applied to those who wanted to become professionals. They applied to those who wanted to become good. Whether they choose cryptography as a vocation or an avocation is not particularly relevant. >However, I think it is correct to say that not all practical >applications need the strongest crypto, not to mention that the very >concept of the strength of crypto is subject to debate. Most secrets >need not be kept very long, whether civil, military or political. On >the other hand really unbreakable ciphers exist only in theory, if I >don't err. Hence there is a wide spectrum of encryption algorithms >conceivable, some strong, others weak, yet all applicable provided >that they are used under the appropriate circumstances. Not always >is the strongest crypto indicated. The best crypto may be unavailable >due to patents, high cost, export restriction and crypto regulations, >etc. etc. In such cases one has to look for comparatively weak cryptos. While it is true that not every application needs strong cryptography, this does not mean that these applications should look towards weak cryptography. Unlike physical locks on physical doors, weaker cryptographic algorithms are not cheaper. They are not faster, don't take up less code, don't use less RAM, etc. There are certainly exceptions--the identity cipher being the most flagrant example--but in general strong cryptography is no more expensive than weak cryptography.
Hence, it makes sense to use the strongest cryptography possible, regardless of the threat model. >With possible rare exceptions, amateurs can't compete with >professionals. This is true in all fields. It follows that the design >of the strongest ciphers is in a sense reserved for the professional >cryptologists. But that certainly doesn't preclude amateurs bringing >forth good ciphers or even novel ideas. The critical issue is how this >can happen in as favourable a manner as possible. I think cryptography is one of the few branches of mathematics where the amateur can definitely compete with the professional. The field is so new that anyone can learn the literature and contribute. There are so many conferences and workshops that there are places for any quality piece of research. There are a lot of amateurs out there doing cryptography research, and many graduate students in cryptography started out that way. >3. In the modern world a single person has only little chance of > achieving very much. Collaboration is on the other hand highly > effective in obtaining success. Dianelos mentioned recently that > he once intended to initiate a collective design in our group of > a cipher starting from an idea of his. I believe that our group > has enough potential to indeed successfully carry out such projects, > provided that these are appropriately managed in some way. > Eventually the heatedly debated opinions of the professionals on > amateurs as exemplified by the Memo of Bruce Schneier could get > modified. This is an interesting thought. I don't believe a collaborative design process would work at all--it's just too easy to propose ideas without really knowing how good they are--but a collaborative cryptanalysis could be very interesting. Is there an interest in finding an algorithm and, as a group, cryptanalyzing it?
Bruce ********************************************************************** Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098 101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590 Free crypto newsletter. See: http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer Date: Tue, 27 Oct 1998 20:56:40 -0600 From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw) Message-ID: <jgfunj-2710982056400001@dialup146.itexas.net> References: <36363316.8304318@news.visi.com> Newsgroups: sci.crypt Lines: 19 In article <36363316.8304318@news.visi.com>, schneier@counterpane.com (Bruce Schneier) wrote: > > I think cryptography is one of the few branches of mathematics where > the amateur can definitely compete with the professional. The field > is so new that anyone can learn the literature and contribute. There > are so many conferences and workshops that there are places for any > quality piece of research. There are a lot of amateurs out there > doing cryptography research, and many graduate students in > cryptography started out that way. This means more than the *Memo* you posted. What you said above suggests the importance of diversity of method and manner which is opposed to the message of the Memo. -- --- Please excuse if there are multiple postings for my responses...I have no idea where they come from as I only receive one confirmation for each posting from my newsserver. --- Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer Date: Tue, 27 Oct 1998 21:04:20 -0600 From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw) Message-ID: <jgfunj-2710982104200001@dialup146.itexas.net> References: <36363316.8304318@news.visi.com> Newsgroups: sci.crypt Lines: 41 In article <36363316.8304318@news.visi.com>, schneier@counterpane.com (Bruce Schneier) wrote: > On Tue, 27 Oct 1998 16:56:18 +0100, Mok-Kong Shen > <mok-kong.shen@stud.uni-muenchen.de> wrote: > > .... I think it is correct to say that not all practical > >applications need the strongest crypto, not to mention that the very > >concept of the strength of crypto is subject to debate. Most secrets > >need not be kept very long, whether civil, military or political. On > >the other hand really unbreakable ciphers exist only in theory, if I > >don't err. Hence there is a wide spectrum of encryption algorithms > >conceivable, some strong, others weak, yet all applicable provided > >that they are used under the appropriate circumstances. Not always > >is the strongest crypto indicated. The best crypto may be unavailable > >due to patents, high cost, export restriction and crypto regulations, > >etc. etc. In such cases one has to look for comparatively weak cryptos. > > While it is true that not every application needs strong cryptography, > this does not mean that these applications should look towards weak > cryptography. Unlike physical locks on physical doors, weaker > cryptographic algorithms are not cheaper. They are not faster, > don't take up less code, don't use less RAM, etc. There are certainly > exceptions--the identity cipher being the most flagrant example--but > in general strong cryptography is no more expensive than weak > cryptography. Hence, it makes sense to use the strongest > cryptography possible, regardless of the threat model. I agree that strong crypto is desirable, but how you get there is most important. Experience with a weaker version of an algorithm can teach you many things.
If true scalable algorithms are involved, it remains the question of how strong do you want some implementation to be, always being able to make it infinitely stronger. There might be a twilight zone between weak and strong with a scalable algorithm, it all depends on how you define these terms. -- --- Please excuse if there are multiple postings for my responses...I have no idea where they come from as I only receive one confirmation for each posting from my newsserver. --- Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer Date: Wed, 28 Oct 1998 11:59:03 +0100 From: Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de> Message-ID: <3636F8F7.F8287D6B@stud.uni-muenchen.de> References: <36363316.8304318@news.visi.com> Newsgroups: sci.crypt Lines: 53 Bruce Schneier wrote: > > On Tue, 27 Oct 1998 16:56:18 +0100, Mok-Kong Shen > <mok-kong.shen@stud.uni-muenchen.de> wrote: ............................ > > I agree with your distinction between amateurs and professionals, and > agree that there is room for both in cryptography. I don't think, > though, that my comments only applied to those who wanted to become > professionals. They applied to those who wanted to become good. > Whether they choose cryptography as a vocation or an avocation is not > particularly relevant. Good knowledge of techniques of analysis is certainly indispensable and I suppose everyone knows that, but your Memo seems to imply that no one should publish anything before he publishes successful analysis of some (presumably good, known) algorithms. Now such algorithms are limited in number. The easier jobs have probably already all been discovered by the more capable professionals and done earlier, leaving the newcomers little chance. Thus I think the requirement of proving one's 'better' analysis capability is suppressive for novel design ideas from coming up. > > >However, I think it is correct to say that not all practical > >applications need the strongest crypto, not to mention that the very > >concept of the strength of crypto is subject to debate. Most secrets > >need not be kept very long, whether civil, military or political. On > >the other hand really unbreakable ciphers exist only in theory, if I > >don't err. Hence there is a wide spectrum of encryption algorithms > >conceivable, some strong, others weak, yet all applicable provided > >that they are used under the appropriate circumstances. Not always > >is the strongest crypto indicated.
The best crypto may be unavailable > >due to patents, high cost, export restriction and crypto regulations, > >etc. etc. In such cases one has to look for comparatively weak cryptos. > > While it is true that not every application needs strong cryptography, > this does not mean that these applications should look towards weak > cryptography. Unlike physical locks on physical doors, weaker > cryptographic algorithms are not cheaper. They are not faster, > don't take up less code, don't use less RAM, etc. There are certainly > exceptions--the identity cipher being the most flagrant example--but > in general strong cryptography is no more expensive than weak > cryptography. Hence, it makes sense to use the strongest > cryptography possible, regardless of the threat model. Maybe I misunderstood you. But I don't see essential points of disagreement between us in this respect. (Compare our two last sentences.) M. K. Shen
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 28 Oct 1998 15:32:00 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <36373706.886670@news.visi.com>
References: <3636F8F7.F8287D6B@stud.uni-muenchen.de>
Newsgroups: sci.crypt
Lines: 53

On Wed, 28 Oct 1998 11:59:03 +0100, Mok-Kong Shen
<mok-kong.shen@stud.uni-muenchen.de> wrote:

>Good knowledge of techniques of analysis is certainly indispensable
>and I suppose everyone knows that but your Memo seems to imply that
>no one should publish anything before he publishes successful analysis
>of some (presumably good, known) algorithms. Now such algorithms are
>limited in number. The easier jobs have probably already all been
>discovered by the more capable professionals and done earlier, leaving
>the newcomers little chance. Thus I think the requirement of proving
>one's 'better' analysis capability is suppressive for novel design
>ideas from coming up.

And I meant my memo to imply that: people who have not demonstrated their ability to break algorithms are unlikely to develop algorithms that cannot easily be broken.

I don't believe the easier jobs have all been taken. Two designs from FSE 97 were easily broken in FSE 98. Three AES designs were easily broken, and there have been small weaknesses found in a few others. There are designs posted on sci.crypt regularly that can be broken without developing any new cryptanalytic techniques. In my "Self-Study Course" I listed some algorithms that no one has bothered analyzing yet. There are commercial designs--all the digital cellular algorithms, the Firewire algorithms, etc--that should be looked at. There are Ritter's designs. Any of these algorithms could potentially be cryptanalyzed by amateurs. The easier jobs are not all taken, precisely because there are so many of them.

>> >The best crypto may be unavailable
>> >due to patents, high cost, export restriction and crypto regulations,
>> >etc. etc. In such cases one has to look for comparatively weak cryptos.
>
>>There are certainly
>> exceptions--the identity cipher being the most flagrant example--but
>> in general strong cryptography is no more expensive than weak
>> cryptography. Hence, it makes sense to use the strongest
>> cryptography possible, regardless of the threat model.
>
>Maybe I misunderstood you. But I don't see essential points of
>disagreement between us in this respect. (Compare our two last
>sentences.)

If you are going to deliberately weaken an algorithm, fix some key bits. Don't choose a random untested algorithm; you won't know how strong or weak it is. And since there is a ready supply of tested, trusted, unpatented, and free algorithms, I don't see this being much of a problem.

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems
Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419
Fax: 612-823-1590
Free crypto newsletter. See: http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 28 Oct 1998 17:31:59 +0100
From: Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
Message-ID: <363746FF.B2E33D31@stud.uni-muenchen.de>
References: <36373706.886670@news.visi.com>
Newsgroups: sci.crypt
Lines: 43

Bruce Schneier wrote:
>
> algorithms, etc--that should be looked at. There are Ritter's
> designs. Any of these algorithms could potentially be cryptanalyzed
> by amateurs. The easier jobs are not all taken, precisely because
> there are so many of them.

I still guess that your logical argument is probably not perfect. These are so to say 'ready foods' for the would-be professionals on the way to their true professional status. Why have these been so rarely attacked? Or are there barely any would-be professionals around perhaps?

>
> >> >The best crypto may be unavailable
> >> >due to patents, high cost, export restriction and crypto regulations,
> >> >etc. etc. In such cases one has to look for comparatively weak cryptos.
> >
> >>There are certainly
> >> exceptions--the identity cipher being the most flagrant example--but
> >> in general strong cryptography is no more expensive than weak
> >> cryptography. Hence, it makes sense to use the strongest
> >> cryptography possible, regardless of the threat model.
> >
> >Maybe I misunderstood you. But I don't see essential points of
> >disagreement between us in this respect. (Compare our two last
> >sentences.)
>
> If you are going to deliberately weaken an algorithm, fix some key
> bits. Don't choose a random untested algorithm; you won't know how
> strong or weak it is. And since there is a ready supply of tested,
> trusted, unpatented, and free algorithms, I don't see this being much
> of a problem.

I said if the best crypto is unavailable then one has (is forced) to take a weaker one. This does not imply one deliberately takes the weakest of the available ones (only a fool would do that). You said that one uses the strongest possible, i.e. the strongest of the set of available ones. So there is no conflict between our opinions, isn't it?

M. K. Shen
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 28 Oct 1998 22:41:04 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <36379ca4.2650087@news.visi.com>
References: <363746FF.B2E33D31@stud.uni-muenchen.de>
Newsgroups: sci.crypt
Lines: 46

On Wed, 28 Oct 1998 17:31:59 +0100, Mok-Kong Shen
<mok-kong.shen@stud.uni-muenchen.de> wrote:

>Bruce Schneier wrote:
>>
>> algorithms, etc--that should be looked at. There are Ritter's
>> designs. Any of these algorithms could potentially be cryptanalyzed
>> by amateurs. The easier jobs are not all taken, precisely because
>> there are so many of them.
>
>I still guess that your logical argument is probably not perfect.
>These are so to say 'ready foods' for the would-be professionals on
>the way to their true professional status. Why have these been so
>rarely attacked? Or are there barely any would-be professionals
>around perhaps?

Because people are busy. Because not everyone has time to spend weeks (or days or even hours) analyzing every random cipher that comes across their desk. Because the designs are not published, so the breaks are not publishable. Because they are not widely known. Because breaking them requires no new insights and hence is uninteresting. For as many reasons as there are ciphers.

The argument "it's been around since 19xx and has not been broken, therefore it is secure" is a flawed one. It assumes that people have analyzed it during that time. Most ciphers are not analyzed by anyone but the designers. This is why random designs are risky. And this is also a great opportunity for someone who wants to learn. Cryptography is rare, and possibly unique, in that a beginner can generate new--and possibly publishable--results right from the beginning.

>I said if the best crypto is unavailable then one has (is forced)
>to take a weaker one. This does not imply one deliberately takes
>the weakest of the available ones (only a fool would do that). You
>said that one uses the strongest possible, i.e. the strongest of the
>set of available ones. So there is no conflict between our opinions,
>isn't it?

Don't think so.

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems
Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419
Fax: 612-823-1590
Free crypto newsletter. See: http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 29 Oct 1998 10:05:03 +0100
From: Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
Message-ID: <36382FBF.7209447B@stud.uni-muenchen.de>
References: <36379ca4.2650087@news.visi.com>
Newsgroups: sci.crypt
Lines: 117

Bruce Schneier wrote:
>
> On Wed, 28 Oct 1998 17:31:59 +0100, Mok-Kong Shen
> <mok-kong.shen@stud.uni-muenchen.de> wrote:
>
> >Bruce Schneier wrote:
> >>
> >> algorithms, etc--that should be looked at. There are Ritter's
> >> designs. Any of these algorithms could potentially be cryptanalyzed
> >> by amateurs. The easier jobs are not all taken, precisely because
> >> there are so many of them.
> >
> >I still guess that your logical argument is probably not perfect.
> >These are so to say 'ready foods' for the would-be professionals on
> >the way to their true professional status. Why have these been so
> >rarely attacked? Or are there barely any would-be professionals
> >around perhaps?
>
> Because people are busy. Because not everyone has time to spend weeks
> (or days or even hours) analyzing every random cipher that comes
> across their desk. Because the designs are not published, so the
> breaks are not publishable. Because they are not widely known.
> Because breaking them requires no new insights and hence is
> uninteresting. For as many reasons as there are ciphers.

I disagree. The would-be professionals are busy in attempting to prove their 'better' (than their colleagues and certainly the amateurs) analysis capability through cracking algorithms that are presumably hard. They have thus strong incentives to do that work, which according to your Memo is sort of a 'must'. Now it is also my opinion that a number of algorithms published by amateurs are difficult to understand (read) or very incomplete (lacking details) (see a previous post of mine) or even obscure or trivial (your 'breaking requiring no new insights and hence uninteresting'). But I would personally make an (at least one single) exception of Terry Ritter's designs which you explicitly mentioned. Independent of how easy or hard his designs can be broken, he has got patents. Now it may well be argued whether obtaining patents really means very much. However a would-be professional choosing to break his designs has an obvious advantage over breaking other equally weak (or harder) algorithms. He could show off and say 'Hey, look! I have cracked a couple of patented cryptos!' I can't imagine that such an advantage could be overlooked by any would-be professionals. Further, Ritter's work is apparently known to you to some degree. I believe that there are quite a number of the would-be professionals researching under your supervision and that you have very probably given to one or some of them a tip to attack Ritter's designs. A success in that would provide at least one very valuable 'insight' for general users of cryptological algorithms (and for the cryptology community as well), namely that the carrying of patents of cryptological algorithms is a very questionable qualification of the same and that these should be regarded with extreme care (suspicion) in evaluations. (Note: patents are published in government announcements. Scientific patents have at least the status of papers in established scientific journals, in particular can be assumed to have the same degree of 'known-ness' to researchers in the corresponding fields.)

>
> The argument "it's been around since 19xx and has not been broken,
> therefore it is secure" is a flawed one. It assumes that people have
> analyzed it during that time. Most ciphers are not analyzed by anyone
> but the designers. This is why random designs are risky. And this is
> also a great opportunity for someone who wants to learn. Cryptography
> is rare, and possibly unique, in that a beginner can generate new--and
> possibly publishable--results right from the beginning.

I wholly agree with you. Let me however remark that this is all very well known to this group. It appears time and again and repeatedly in posts of this group (I admit that sometimes I even found this theme boring) and has been well accepted and acknowledged to my knowledge. There is presently one exception, though, namely your sentence 'this is also a great opportunity for someone who wants to learn'. Do the would-be professionals (at least the beginners among them who have not yet accumulated too much knowledge) not want to learn? If yes, then there appears to be in my opinion a certain contradiction to what you wrote in the previous paragraph.

>
> >I said if the best crypto is unavailable then one has (is forced)
> >to take a weaker one. This does not imply one deliberately takes
> >the weakest of the available ones (only a fool would do that). You
> >said that one uses the strongest possible, i.e. the strongest of the
> >set of available ones. So there is no conflict between our opinions,
> >isn't it?
>
> Don't think so.

Please be kind enough to explain with a couple of sentences rather than making a difficult to comprehend categorical statement.

M. K. Shen

------------------------------------------------------
M. K. Shen, Postfach 340238, D-80099 Muenchen, Germany
+49 (89) 831939 (6:00 GMT)
mok-kong.shen@stud.uni-muenchen.de
http://www.stud.uni-muenchen.de/~mok-kong.shen/
(Last updated: 10th October 1998. Origin site of WEAK1, WEAK2, WEAK3 and WEAK3-E. Containing 2 mathematical problems with rewards totalling US$500.)
----------------------------------------------
Apply not techniques that you haven't fully understood.
Use only subprograms that you have thoroughly verified.
Never blindly trust what your colleagues claim.
(a programmer advising novices, ~1970)
----------------------------------------------
Sunshine is the best disinfectant.
(citation of a citation in B. Schneier and D. Banisar, The Electronic Privacy Papers. John Wiley, New York, 1997.)
----------------------------------------------
The words of a man's mouth are as deep waters, and the wellspring of wisdom as a flowing brook. (Proverbs 18:4)
A little that a righteous man hath is better than the riches of many wicked. (Psalms 37:16)
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 29 Oct 1998 15:09:50 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <363881dd.804381@news.visi.com>
References: <36382FBF.7209447B@stud.uni-muenchen.de>
Newsgroups: sci.crypt
Lines: 129

On Thu, 29 Oct 1998 10:05:03 +0100, Mok-Kong Shen
<mok-kong.shen@stud.uni-muenchen.de> wrote:

>Bruce Schneier wrote:
>>
>> On Wed, 28 Oct 1998 17:31:59 +0100, Mok-Kong Shen
>> <mok-kong.shen@stud.uni-muenchen.de> wrote:
>>
>> >Bruce Schneier wrote:
>> >>
>> >> algorithms, etc--that should be looked at. There are Ritter's
>> >> designs. Any of these algorithms could potentially be cryptanalyzed
>> >> by amateurs. The easier jobs are not all taken, precisely because
>> >> there are so many of them.
>> >
>> >I still guess that your logical argument is probably not perfect.
>> >These are so to say 'ready foods' for the would-be professionals on
>> >the way to their true professional status. Why have these been so
>> >rarely attacked? Or are there barely any would-be professionals
>> >around perhaps?
>>
>> Because people are busy. Because not everyone has time to spend weeks
>> (or days or even hours) analyzing every random cipher that comes
>> across their desk. Because the designs are not published, so the
>> breaks are not publishable. Because they are not widely known.
>> Because breaking them requires no new insights and hence is
>> uninteresting. For as many reasons as there are ciphers.
>
>I disagree. The would-be professionals are busy in attempting to
>prove their 'better' (than their colleagues and certainly the
>amateurs) analysis capability through cracking algorithms that are
>presumably hard. They have thus strong incentives to do that work
>which according to your Memo is sort of a 'must'. Now it is also
>my opinion that a number of algorithms published by amateurs are
>difficult to understand (read) or very incomplete (lacking details)
>(see a previous post of mine) or even obscure or trivial (your
>'breaking requiring no new insights and hence uninteresting'). But I
>would personally make an (at least one single) exception of
>Terry Ritter's designs which you explicitly mentioned. Independent
>of how easy or hard his designs can be broken, he has got patents.
>Now it may well be argued whether obtaining patents really means very
>much. However a would-be professional choosing to break his designs
>has an obvious advantage over breaking other equally weak (or harder)
>algorithms. He could show off and say 'Hey, look! I have cracked a
>couple of patented cryptos!' I can't imagine that such an advantage
>could be overlooked by any would-be professionals. Further, Ritter's
>work is apparently known to you to some degree. I believe that there
>are quite a number of the would-be professionals researching under
>your supervision and that you have very probably given to one or some
>of them a tip to attack Ritter's designs. A success in that would
>provide at least one very valuable 'insight' for general users of
>cryptological algorithms (and for the cryptology community as well),
>namely that the carrying of patents of cryptological algorithms is
>a very questionable qualification of the same and that these should
>be regarded with extreme care (suspicion) in evaluations. (Note:
>patents are published in government announcements. Scientific patents
>have at least the status of papers in established scientific journals,
>in particular can be assumed to have the same degree of 'known-ness'
>to researchers in the corresponding fields.)

I don't understand. Do you disagree with reality (that there are all these ciphers that are not being looked at) or with my reasoning as to why they are not being looked at? I don't know what to tell you. I know all of the algorithms I listed in my previous posting have not been looked at by the academic cryptographers who I think of as the "good cryptanalysts." I know the reasons listed are ones that I have heard others use or use myself. Maybe you're right--these algorithms have been analyzed and some of them have been broken--and the breaks have either not been published or have been published in places I don't know about, but I kind of doubt that.

Many of us have breaks of amateur ciphers, ones that appear on sci.crypt, get patents, or are used operationally, that we just don't have time to write up or flesh out. It's just not worth the bother.

I don't mean this to be a statement of opinion, but a statement of fact. Fact 1: There are many unpublished, and even some published ones, that no one has bothered trying to cryptanalyze. Fact 2: Some of the reasons people give for not bothering are listed above.

>> The argument "it's been around since 19xx and has not been broken,
>> therefore it is secure" is a flawed one. It assumes that people have
>> analyzed it during that time. Most ciphers are not analyzed by anyone
>> but the designers. This is why random designs are risky. And this is
>> also a great opportunity for someone who wants to learn. Cryptography
>> is rare, and possibly unique, in that a beginner can generate new--and
>> possibly publishable--results right from the beginning.
>
>I wholly agree with you. Let me however remark that this is all
>very well known to this group. It appears time and again and repeatedly
>in posts of this group (I admit that sometimes I even found this theme
>boring) and has been well accepted and acknowledged to my knowledge.
>There is presently one exception, though, namely your sentence 'this
>is also a great opportunity for someone who wants to learn'. Do the
>would-be professionals (at least the beginners among them who have not
>yet accumulated too much knowledge) not want to learn? If yes, then
>there appears to be in my opinion a certain contradiction to what you
>wrote in the previous paragraph.

I believe that:

1) There are very few beginner cryptanalysts.
2) They tend to try to reproduce published results, as I described in my "Self-Study Course in Block Cipher Cryptanalysis."
3) They don't know about the random designs that appear. (Remember, most people in the field don't EVER read sci.crypt.)
4) Some realize that they need to break things to learn.

>> >I said if the best crypto is unavailable then one has (is forced)
>> >to take a weaker one. This does not imply one deliberately takes
>> >the weakest of the available ones (only a fool would do that). You
>> >said that one uses the strongest possible, i.e. the strongest of the
>> >set of available ones. So there is no conflict between our opinions,
>> >isn't it?
>>
>> Don't think so.
>
>Please be kind enough to explain with a couple of sentences rather
>than making a difficult to comprehend categorical statement.

I do not believe there is any conflict between our opinions. I believe that your opinion and mine are not in conflict, meaning that they can coexist without conflict, but strongly implying (and I mean this too) that they are compatible and in agreement. (Honestly, I don't know how else to explain it.)

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems
Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419
Fax: 612-823-1590
Free crypto newsletter. See: http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 29 Oct 1998 16:58:33 +0100
From: Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
Message-ID: <363890A9.605EB4BF@stud.uni-muenchen.de>
References: <363881dd.804381@news.visi.com>
Newsgroups: sci.crypt
Lines: 114

Bruce Schneier wrote:
>
> On Thu, 29 Oct 1998 10:05:03 +0100, Mok-Kong Shen
> <mok-kong.shen@stud.uni-muenchen.de> wrote:
>
> >Bruce Schneier wrote:
> >>
> >> Because people are busy. Because not everyone has time to spend weeks
> >> (or days or even hours) analyzing every random cipher that comes
> >> across their desk. Because the designs are not published, so the
> >> breaks are not publishable. Because they are not widely known.
> >> Because breaking them requires no new insights and hence is
> >> uninteresting. For as many reasons as there are ciphers.
> >
> >I disagree. The would-be professionals are busy in attempting to
> >prove their 'better' (than their colleagues and certainly the
> >amateurs) analysis capability through cracking algorithms that are
> >presumably hard. They have thus strong incentives to do that work
> >which according to your Memo is sort of a 'must'. Now it is also
> >my opinion that a number of algorithms published by amateurs are
> >difficult to understand (read) or very incomplete (lacking details)
> >(see a previous post of mine) or even obscure or trivial (your
> >'breaking requiring no new insights and hence uninteresting'). But I
> >would personally make an (at least one single) exception of
> >Terry Ritter's designs which you explicitly mentioned. Independent
> >of how easy or hard his designs can be broken, he has got patents.
> >Now it may well be argued whether obtaining patents really means very
> >much. However a would-be professional choosing to break his designs
> >has an obvious advantage over breaking other equally weak (or harder)
> >algorithms. He could show off and say 'Hey, look! I have cracked a
> >couple of patented cryptos!' I can't imagine that such an advantage
> >could be overlooked by any would-be professionals. Further, Ritter's
> >work is apparently known to you to some degree. I believe that there
> >are quite a number of the would-be professionals researching under
> >your supervision and that you have very probably given to one or some
> >of them a tip to attack Ritter's designs. A success in that would
> >provide at least one very valuable 'insight' for general users of
> >cryptological algorithms (and for the cryptology community as well),
> >namely that the carrying of patents of cryptological algorithms is
> >a very questionable qualification of the same and that these should
> >be regarded with extreme care (suspicion) in evaluations. (Note:
> >patents are published in government announcements. Scientific patents
> >have at least the status of papers in established scientific journals,
> >in particular can be assumed to have the same degree of 'known-ness'
> >to researchers in the corresponding fields.)
>
> I don't understand. Do you disagree with reality (that there are all
> these ciphers that are not being looked at) or with my reasoning as to
> why they are not being looked at? I don't know what to tell you. I
> know all of the algorithms I listed in my previous posting have not
> been looked at by the academic cryptographers who I think of as the
> "good cryptanalysts." I know the reasons listed are ones that I have
> heard others use or use myself. Maybe you're right--these algorithms
> have been analyzed and some of them have been broken--and the breaks
> have either not been published or have been published in places I don't
> know about, but I kind of doubt that.
>
> Many of us have breaks of amateur ciphers, ones that appear on
> sci.crypt, get patents, or are used operationally, that we just don't
> have time to write up or flesh out. It's just not worth the bother.
>
> I don't mean this to be a statement of opinion, but a statement of fact.
> Fact 1: There are many unpublished, and even some published ones,
> that no one has bothered trying to cryptanalyze. Fact 2: Some of the
> reasons people give for not bothering are listed above.

In response to your point 'I don't understand': You said that because people are busy no one has the time to look at the amateur ciphers that are unpublished, etc. etc. I argued, hopefully convincingly and clearly, that at least Terry Ritter's designs do deserve being analyzed by the would-be professionals and these should be (the or one of) their first choice (of amateur algorithms) of objects of attack. For to these every one of your arguments of 'not published' etc. etc. evidently does not apply. Since Ritter's work is not new at all, the cracks must have been successful if his designs were indeed so weak as your wordings clearly claimed them to be.

Let me perhaps quote what you wrote previously in this thread to illustrate the inconsistency of your logic, particularly in reference to Ritter's work. In response to Ritter's post of 20 Oct. 00:40:21 you wrote on 26 Oct 03:59:50 :

    I invite you to submit a paper, based on your patent #5,727,062
    ("Variable Size Block Ciphers") to the 1999 Fast Software Encryption
    workshop. I believe it will be published.

However on 28 Oct 15:32:00 you wrote

    There are Ritter's designs. Any of these algorithms could
    potentially be cryptanalyzed by amateurs.

Unless you are firmly of the opinion that the FSE workshop is at such a (low) level that it readily accepts papers presenting algorithms that could potentially be cryptanalyzed by amateurs (I am afraid the program committee of the FSE workshop would be angry with you) the above two paragraphs are entirely incompatible with each other in my humble view.

> >> Don't think so.
> >
> >Please be kind enough to explain with a couple of sentences rather
> >than making a difficult to comprehend categorical statement.
>
> I do not believe there is any conflict between our opinions. I
> believe that your opinion and mine are not in conflict, meaning that
> they can coexist without conflict, but strongly implying (and I mean
> this too) that they are compatible and in agreement. (Honestly, I
> don't know how else to explain it.)

Well, I think that does finally explain away the phrase in question. Thanks.

M. K. Shen
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 29 Oct 1998 16:41:19 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <3638987e.6598604@news.visi.com>
References: <363890A9.605EB4BF@stud.uni-muenchen.de>
Newsgroups: sci.crypt
Lines: 70

On Thu, 29 Oct 1998 16:58:33 +0100, Mok-Kong Shen
<mok-kong.shen@stud.uni-muenchen.de> wrote:

>In response to your point 'I don't understand': You said that because
>people are busy no one has the time to look at the amateur ciphers
>that are unpublished, etc. etc. I argued, hopefully convincingly and
>clearly, that at least Terry Ritter's designs do deserve being
>analyzed by the would-be professionals and these should be (the or
>one of) their first choice (of amateur algorithms) of objects of
>attack. For to these every one of your arguments of 'not published'
>etc. etc. evidently does not apply. Since Ritter's work is not new at
>all, the cracks must have been successful if his designs were indeed
>so weak as your wordings clearly claimed them to be.

You know, I don't want to pick on Ritter in particular here. I don't know about whether his designs "deserve" to be analyzed; that is a value judgment. I don't know if they are strong or weak. I do believe that, as I said below, they "could potentially be cryptanalyzed by amateurs." (Note the word "potentially." I put that in there to indicate that I did not know if they actually could.) I know that the cryptanalysts I have talked with have not looked at his designs at all (again, it's the "published in a refereed journal or conference" business--like it or not, it's a real issue in the publish-or-perish world of academia). Feel free to email any cryptanalyst you want and argue that his reasons are wrong; I cannot stop you. I can only state my reasons, and list reasons I have heard from others.

>Let me perhaps quote what you wrote previously in this thread to
>illustrate the inconsistency of your logic, particularly in reference
>to Ritter's work. In response to Ritter's post of 20 Oct. 00:40:21
>you wrote on 26 Oct 03:59:50 :
>
> I invite you to submit a paper, based on your patent #5,727,062
> ("Variable Size Block Ciphers") to the 1999 Fast Software Encryption
> workshop. I believe it will be published.
>
>However on 28 Oct 15:32:00 you wrote
>
> There are Ritter's designs. Any of these algorithms could
> potentially be cryptanalyzed by amateurs.
>
>Unless you are firmly of the opinion that the FSE workshop is at such
>a (low) level that it readily accepts papers presenting algorithms
>that could potentially be cryptanalyzed by amateurs (I am afraid the
>program committee of the FSE workshop would be angry with you) the
>above two paragraphs are entirely incompatible with each other in my
>humble view.

Being on the program committee of FSE, I can categorically state that the conference accepts papers presenting algorithms that could potentially be cryptanalyzed by amateurs. In FSE 97 we saw ICE and TwoPrime, both of which were easy cryptanalyses. In SAC 96 we saw Akelarre, which could have been cryptanalyzed by someone with not a lot of skill. I assure you, the program committee is angry with itself when a mediocre design slips in, but it happens. FSE is supposed to publish cipher designs, so that there is fodder to be analyzed.

Really, analysis isn't this big mysterious thing that only a few people can do so the rest of the world might as well not bother. It isn't true that there aren't things to analyze out there. It isn't true that all the "low hanging fruit" is taken. It is true that most of the "low hanging publishable fruit" is taken, but by no means all of it.

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems
Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419
Fax: 612-823-1590
Free crypto newsletter. See: http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 30 Oct 1998 00:29:36 GMT
From: dscott@networkusa.net
Message-ID: <71b19g$m61$1@nnrp1.dejanews.com>
References: <3638987e.6598604@news.visi.com>
Newsgroups: sci.crypt
Lines: 86

In article <3638987e.6598604@news.visi.com>, schneier@counterpane.com (Bruce Schneier) wrote:
> On Thu, 29 Oct 1998 16:58:33 +0100, Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de> wrote:
> > In response to your point 'I don't understand': You said that because people are busy no one has the time to look at the amateur ciphers that are unpublished, etc. etc. I argued, hopefully convincingly and clearly, that at least Terry Ritter's designs do deserve being analyzed by the would-be professionals and these should be (the or one of) their first choice (of amateur algorithms) of objects of attack. For to these every one of your arguments of 'not published' etc. etc. evidently does not apply. Since Ritter's work is not new at all, the cracks must have been successful if his designs were indeed so weak as your wordings clearly claimed them to be.
>
> You know, I don't want to pick on Ritter in particular here. I don't know about whether his designs "deserve" to be analyzed; that is a value judgment. I don't know if they are strong or weak. I do believe that, as I said below, they "could potentially be cryptanalyzed by amateurs." (Note the word "potentially." I put that in there to indicate that I did not know if they actually could.) I know that the cryptanalysts I have talked with have not looked at his designs at all (again, it's the "published in a refereed journal or conference" business--like it or not, it's a real issue in the publish-or-perish world of academia). Feel free to email any cryptanalyst you want and argue that his reasons are wrong; I cannot stop you. I can only state my reasons, and list reasons I have heard from others.
>
> > Let me perhaps quote what you wrote previously in this thread to illustrate the inconsistency of your logic, particularly in reference to Ritter's work. In response to Ritter's post of 20 Oct. 00:40:21 you wrote on 26 Oct 03:59:50:
> >
> > > I invite you to submit a paper, based on your patent #5,727,062 ("Variable Size Block Ciphers") to the 1999 Fast Software Encryption workshop. I believe it will be published.
> >
> > However on 28 Oct 15:32:00 you wrote
> >
> > > There are Ritter's designs. Any of these algorithms could potentially be cryptanalyzed by amateurs.
> >
> > Unless you are firmly of the opinion that the FSE workshop is at such a (low) level that it readily accepts papers presenting algorithms that could potentially be cryptanalyzed by amateurs (I am afraid the program committee of the FSE workshop would be angry with you), the above two paragraphs are entirely incompatible with each other in my humble view.
>
> Being on the program committee of FSE, I can categorically state that the conference accepts papers presenting algorithms that could potentially be cryptanalyzed by amateurs. In FSE 97 we saw ICE and TwoPrime, both of which were easy cryptanalyses. In SAC 96 we saw Akelarre, which could have been cryptanalyzed by someone with not a lot of skill. I assure you, the program committee is angry with itself when a mediocre design slips in, but it happens. FSE is supposed to publish cipher designs, so that there is fodder to be analyzed.

Sorry Mok-Kong, I agree with Bruce: they allow some easy-to-break ciphers in so that it can inflate their egos. But they really don't wish to try to look at anything too difficult or out of the mainstream, since if they are like Bruce they lack the intelligence to analyze something not done over and over, or in an all-or-nothing sort of way that their little pea brains can't conceive of. So I guess I sometimes do agree with limited parts of what Bruce babbles out.

Of course a lot of his babble covers both sides, so like a good sleazy politician you can't disagree with everything the guy says. But that is just my humble opinion of pompous Bruce the Spammer. Don't expect to see a published real crack of scott19u since it is too hard for them.

--
http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
ftp search for scott*u.zip in norway

-----------== Posted via Deja News, The Discussion Network ==----------
http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 30 Oct 1998 11:18:36 +0100
From: Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
Message-ID: <3639927C.D5B723BF@stud.uni-muenchen.de>
References: <71b19g$m61$1@nnrp1.dejanews.com>
Newsgroups: sci.crypt
Lines: 53

dscott@networkusa.net wrote:
> But that is just my humble opinion of pompous Bruce the Spammer. Don't expect to see a published real crack of scott19u since it is too hard for them.

Very sorry that I am not on your side. Quite a lot of what Bruce Schneier said does correspond to the reality (a sad reality though), even though I can't agree with him on a certain point and have shown recently (I hope clearly) his logical inconsistency there.

As long as some writings are not clearly written and the authors seem not to be motivated to improve them, there is no chance at all that these could get into publications (journals, official publications, etc.) and thus these would not be read, let alone recognized. One may invent a really good crypto algorithm, but if the description is messy, one can't blame anybody for its being neglected. For the readers can't be expected to 'decrypt' obscure descriptions. Papers being chosen by an editorial committee undergo a real competition process. For two papers of equal scientific value, one readable the other not, it is only fair that the first one gets chosen. Those who have published papers have a certain advantage over the newcomers in that they know well from experience how to write manuscripts in styles that maximize the chance of getting accepted. In other words the newcomers should take more effort to present their thoughts convincingly and write exceptionally clearly.

Returning to the general situation of amateur ciphers, I have expressed in a previous post my personal view that many (I hesitate to use a superlative word for fear of flames) are not described in a style common to publications in the scientific literature. (Lest there be misunderstandings, let me say that my own stuff put on my Web page is no good in style and related aspects.) There is therefore a bad need for us amateurs to take effort in presenting our materials appropriately such that they are palatable to the professionals and the academia. Needless to say, a weak cipher with a super description is nothing. But the other way round, a good cipher with a poor description will find no user. It thus lastly all depends on us ourselves whether we like to have our designs used by the public or just left as precious objects in our living rooms for showing to visitors from time to time. I hope that in future we all (I mean the amateurs among the subscribers of the group) could cooperate (through reciprocal non-sentimental critiques and comments) in such a way that we not only produce good cipher products but also have excellent descriptions of the same to present them to the professionals and the public. If on the other hand the current situation remains unaltered, then I am very pessimistic.

Having said this, I suppose it is understandable that I personally believe that the Memo of Bruce Schneier, all the heated debates notwithstanding, has probably done something fairly positive for us, and for that contribution I would like to express my appreciation.

M. K. Shen
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 30 Oct 1998 15:25:03 +0100
From: <tbb03ar@mail.lrz-muenchen.de>
Message-ID: <Pine.GSO.4.03.9810301420580.1419-100000@sun5.lrz-muenchen.de>
References: <3639927C.D5B723BF@stud.uni-muenchen.de>
Newsgroups: sci.crypt
Lines: 39

On Fri, 30 Oct 1998, Mok-Kong Shen wrote:
> ...
> There is therefore a bad need for us amateurs to take effort in presenting our materials appropriately such that they are palatable to the professionals and the academia. Needless to say, a weak cipher with a super description is nothing. But the other way round, a good cipher with a poor description will find no user.

I for my part prefer the weak cipher with a good description, not to protect data but to argue about and to learn how to develop stronger ciphers.

> It thus lastly all depends on us ourselves whether we like to have our designs used by the public or just left as precious objects in our living rooms for showing to visitors from time to time. I hope that in future we all (I mean the amateurs among the subscribers of the group) could cooperate (through reciprocal non-sentimental critiques and comments) in such a way that we not only produce good cipher products but also have excellent descriptions of the same to present them to the professionals and the public.

I'd like to see a group that tries to develop and to break amateur ciphers - not as a group of cryptographers that develop strong ciphers, but as cryptanalysts (something like the ACA but working with computers and modern cryptanalysis). The people within this group would be able to do better cryptanalysis and would be more familiar with the language and descriptions used by cryptographers. This way they would be able to test and publish ciphers and to become accepted by the professionals.

Andreas Enterrottacher
enterrottacher@lrz.tu-muenchen.de
enterrottacher@t-online.de
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 30 Oct 1998 15:05:16 -0600
From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw)
Message-ID: <jgfunj-3010981505170001@dialup68.itexas.net>
References: <Pine.GSO.4.03.9810301420580.1419-100000@sun5.lrz-muenchen.de>
Newsgroups: sci.crypt
Lines: 30

In article <Pine.GSO.4.03.9810301420580.1419-100000@sun5.lrz-muenchen.de>, <tbb03ar@mail.lrz-muenchen.de> wrote:
>
> I'd like to see a group that tries to develop and to break amateur ciphers - not as a group of cryptographers that develop strong ciphers, but as cryptanalysts (something like the ACA but working with computers and modern cryptanalysis).

Many in the ACA are working with computers and extending their capabilities. The first hurdle has been in developing automated means of solving all ciphers in the ACA stable. While being generally successful, a small minority of sequences require rather elaborate judgement to guess their plaintext, if it can be determined at all. The future activity of the computer-oriented segment of the group is largely determined by suggestions and contributions.

One can join the ACA for a nominal annual fee, used mainly to cover current expenses. The American Cryptogram Association has members throughout the world, so don't let the historic name throw you.

This month's The Cryptogram marks the beginning of the formal use of QBasic in the Computer Column. The column author states that code will be placed at the Crypto Drop Box, http://www.und.nodak.edu/org/crypto/crypto, which is full of cryptographic resources.

--
---
Heard recently on Larry King: Jimmy Carter and Billy Graham agreeing that it is sometimes wise to tell a lie.
---
Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Sat, 31 Oct 1998 06:49:46 GMT
From: "Douglas A. Gwyn" <DAGwyn@null.net>
Message-ID: <363AB2AC.B6B67D8D@null.net>
References: <Pine.GSO.4.03.9810301420580.1419-100000@sun5.lrz-muenchen.de>
Newsgroups: sci.crypt
Lines: 8

tbb03ar@mail.lrz-muenchen.de wrote:
> I'd like to see a group that tries to develop and to break amateur ciphers - not as a group of cryptographers that develop strong ciphers, but as cryptanalysts (something like the ACA but working with computers and modern cryptanalysis).

Actually, the ACA does have a section devoted to computers. But it needs more members!
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 30 Oct 1998 09:56:24 +0100
From: Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
Message-ID: <36397F38.A8381A2@stud.uni-muenchen.de>
References: <3638987e.6598604@news.visi.com>
Newsgroups: sci.crypt
Lines: 77

Bruce Schneier wrote:
>
> On Thu, 29 Oct 1998 16:58:33 +0100, Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de> wrote:
> > In response to your point 'I don't understand': You said that because people are busy no one has the time to look at the amateur ciphers that are unpublished, etc. etc. I argued, hopefully convincingly and clearly, that at least Terry Ritter's designs do deserve being analyzed by the would-be professionals and these should be (the or one of) their first choice (of amateur algorithms) of objects of attack. For to these every one of your arguments of 'not published' etc. etc. evidently does not apply. Since Ritter's work is not new at all, the cracks must have been successful if his designs were indeed so weak as your wordings clearly claimed them to be.
>
> You know, I don't want to pick on Ritter in particular here. I don't know about whether his designs "deserve" to be analyzed; that is a value judgment. I don't know if they are strong or weak. I do believe that, as I said below, they "could potentially be cryptanalyzed by amateurs." (Note the word "potentially." I put that in there to indicate that I did not know if they actually could.) I know that the cryptanalysts I have talked with have not looked at his designs at all (again, it's the "published in a refereed journal or conference" business--like it or not, it's a real issue in the publish-or-perish world of academia). Feel free to email any cryptanalyst you want and argue that his reasons are wrong; I cannot stop you. I can only state my reasons, and list reasons I have heard from others.

My point was that Ritter has got patents. Patents are published by the governments. Certain very good algorithms have patents that prevent free use. Are you saying that the academia neglects the patent publications? Some crypto patents are claimed by highly distinguished figures of the academia! You said now you don't want to pick Ritter in particular. But you explicitly (and singularly) mentioned Ritter's designs in a particular context in a previous post!

>
> > Let me perhaps quote what you wrote previously in this thread to illustrate the inconsistency of your logic, particularly in reference to Ritter's work. In response to Ritter's post of 20 Oct. 00:40:21 you wrote on 26 Oct 03:59:50:
> >
> > > I invite you to submit a paper, based on your patent #5,727,062 ("Variable Size Block Ciphers") to the 1999 Fast Software Encryption workshop. I believe it will be published.
> >
> > However on 28 Oct 15:32:00 you wrote
> >
> > > There are Ritter's designs. Any of these algorithms could potentially be cryptanalyzed by amateurs.
> >
> > Unless you are firmly of the opinion that the FSE workshop is at such a (low) level that it readily accepts papers presenting algorithms that could potentially be cryptanalyzed by amateurs (I am afraid the program committee of the FSE workshop would be angry with you), the above two paragraphs are entirely incompatible with each other in my humble view.
>
> Being on the program committee of FSE, I can categorically state that the conference accepts papers presenting algorithms that could potentially be cryptanalyzed by amateurs. In FSE 97 we saw ICE and TwoPrime, both of which were easy cryptanalyses. In SAC 96 we saw Akelarre, which could have been cryptanalyzed by someone with not a lot of skill. I assure you, the program committee is angry with itself when a mediocre design slips in, but it happens. FSE is supposed to publish cipher designs, so that there is fodder to be analyzed.

I find it surprising that someone on the program committee can be so inconsiderate of the committee and make use of the name of the workshop to argue for his own issues in a logically entirely inconsistent manner. Please say in clear terms if what I pointed out as a contradiction is false.

M. K. Shen
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 30 Oct 1998 12:31:20 GMT
From: dscott@networkusa.net
Message-ID: <71cbio$a4o$1@nnrp1.dejanews.com>
References: <36397F38.A8381A2@stud.uni-muenchen.de>
Newsgroups: sci.crypt
Lines: 25

In article <36397F38.A8381A2@stud.uni-muenchen.de>, Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de> wrote:
> Bruce Schneier wrote:
> >...snip...
>
> I find it surprising that someone on the program committee can be so inconsiderate of the committee and make use of the name of the workshop to argue for his own issues in a logically entirely inconsistent manner. Please say in clear terms if what I pointed out as a contradiction is false.
>
> M. K. Shen
>

I guess then you greatly underestimate the EGO of the phony crypto gods. Wake up, have some ginseng or something.

--
http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
ftp search for scott*u.zip in norway
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 30 Oct 1998 15:31:06 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <3639d8bf.741333@news.visi.com>
References: <36397F38.A8381A2@stud.uni-muenchen.de>
Newsgroups: sci.crypt
Lines: 137

On Fri, 30 Oct 1998 09:56:24 +0100, Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de> wrote:

>Bruce Schneier wrote:
>>
>> On Thu, 29 Oct 1998 16:58:33 +0100, Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de> wrote:
>> >In response to your point 'I don't understand': You said that because people are busy no one has the time to look at the amateur ciphers that are unpublished, etc. etc. I argued, hopefully convincingly and clearly, that at least Terry Ritter's designs do deserve being analyzed by the would-be professionals and these should be (the or one of) their first choice (of amateur algorithms) of objects of attack. For to these every one of your arguments of 'not published' etc. etc. evidently does not apply. Since Ritter's work is not new at all, the cracks must have been successful if his designs were indeed so weak as your wordings clearly claimed them to be.
>>
>> You know, I don't want to pick on Ritter in particular here. I don't know about whether his designs "deserve" to be analyzed; that is a value judgment. I don't know if they are strong or weak. I do believe that, as I said below, they "could potentially be cryptanalyzed by amateurs." (Note the word "potentially." I put that in there to indicate that I did not know if they actually could.) I know that the cryptanalysts I have talked with have not looked at his designs at all (again, it's the "published in a refereed journal or conference" business--like it or not, it's a real issue in the publish-or-perish world of academia). Feel free to email any cryptanalyst you want and argue that his reasons are wrong; I cannot stop you. I can only state my reasons, and list reasons I have heard from others.
>
>My point was that Ritter has got patents. Patents are published by the governments. Certain very good algorithms have patents that prevent free use. Are you saying that the academia neglects the patent publications? Some crypto patents are claimed by highly distinguished figures of the academia! You said now you don't want to pick Ritter in particular. But you explicitly (and singularly) mentioned Ritter's designs in a particular context in a previous post!

Some cryptographic algorithms are patented, yes. I'm not sure how that's relevant. I do not know of any academic cryptographers that regularly look through the U.S. patent system. Patents are not a peer-reviewed publication. If an academic (in any discipline) presented a list of patents to his tenure review board, they would not be considered publication.

Patents are not relevant to academic publication. There are academics who also patent. Ritter is an example of someone who does not publish (in an academic sense) but does patent. His writings are generally ignored by the academic community. I'm sorry this is true; I'd like it to be different.

If I wrote a paper on Ritter's designs, citing his patents and Usenet postings and webpages, I believe that I would have a lot of trouble getting it published.

>> >Let me perhaps quote what you wrote previously in this thread to illustrate the inconsistency of your logic, particularly in reference to Ritter's work. In response to Ritter's post of 20 Oct. 00:40:21 you wrote on 26 Oct 03:59:50:
>> >
>> > I invite you to submit a paper, based on your patent #5,727,062 ("Variable Size Block Ciphers") to the 1999 Fast Software Encryption workshop. I believe it will be published.
>> >
>> >However on 28 Oct 15:32:00 you wrote
>> >
>> > There are Ritter's designs. Any of these algorithms could potentially be cryptanalyzed by amateurs.
>> >
>> >Unless you are firmly of the opinion that the FSE workshop is at such a (low) level that it readily accepts papers presenting algorithms that could potentially be cryptanalyzed by amateurs (I am afraid the program committee of the FSE workshop would be angry with you), the above two paragraphs are entirely incompatible with each other in my humble view.
>>
>> Being on the program committee of FSE, I can categorically state that the conference accepts papers preventing algorithms that could

Oops. That's "presenting" up there.

>> potentially be cryptanalyzed by amateurs. In FSE 97 we saw ICE and TwoPrime, both of which were easy cryptanalyses. In SAC 96 we saw Akelarre, which could have been cryptanalyzed by someone with not a lot of skill. I assure you, the program committee is angry with itself when a mediocre design slips in, but it happens. FSE is supposed to publish cipher designs, so that there is fodder to be analyzed.
>
>I find it surprising that someone on the program committee can be so inconsiderate of the committee and make use of the name of the workshop to argue for his own issues in a logically entirely inconsistent manner. Please say in clear terms if what I pointed out as a contradiction is false.

Near as I can tell your "contradiction" is:

I would like Ritter to submit his designs to FSE.

I believe that Ritter's designs could potentially be cryptanalyzed by amateurs.

I see no contradiction there.

1. Some designs published at FSE could be (or could have been) cryptanalyzed by amateurs. The committee is not perfect; never has been. Clunkers slip through. I gave some examples above.

2. Ritter's designs could potentially be cryptanalyzed by amateurs. The "potentially" indicates that maybe I am wrong. However, Ritter's designs are designed to be scalable, so there are by definition "toy" versions that are much easier to analyze than large versions.

What do you see as the logical and entirely inconsistent manner of this argument? Do you think that I am wrong in saying that some FSE designs are mediocre? If so, please read the cryptanalyses of the algorithms mentioned above. Do you believe that Ritter's designs are a priori unanalyzable by amateurs? If so, please read Ritter's postings on his toy versions.

I'm really trying to help here. I am not being inconsiderate to the program committee of FSE. I am not making use of the FSE name to argue my own position. I don't have a position. I have more than my share of ad hominem arguments on sci.crypt, and I would appreciate a little bit of courtesy.

Bruce
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 30 Oct 1998 19:10:13 +0100
From: Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
Message-ID: <363A0105.81B31DB5@stud.uni-muenchen.de>
References: <3639d8bf.741333@news.visi.com>
Newsgroups: sci.crypt
Lines: 73

Bruce Schneier wrote:
>
> Some cryptographic algorithms are patented, yes. I'm not sure how that's relevant. I do not know of any academic cryptographers that regularly look through the U.S. patent system. Patents are not a peer-reviewed publication. If an academic (in any discipline) presented a list of patents to his tenure review board, they would not be considered publication.

This is not true. Applications for patents are examined by a number of professionals in the corresponding fields to ensure that the ideas are really novel and useful. There are huge databases maintained by the patent offices which are carefully checked to ensure patents are not given to someone bringing forth duplication or near duplication of prior art. You can certainly refer to a patent number (with title) as one of your (valid) literature references. A good and hence accepted paper can on the other hand well be, say, an overview of a certain currently interesting part of a discipline and contain nothing new. If one seldom sees references to patents, it is because they are quite few in number relative to the normal papers in any field.

>
> Patents are not relevant to academic publication. There are academics who also patent. Ritter is an example of someone who does not publish (in an academic sense) but does patent. His writings are generally ignored by the academic community. I'm sorry this is true; I'd like it to be different.

Patents cannot be ignored by the academic community. If one develops a new cipher, he needs to know whether he doesn't infringe on someone's patents. It is a legal issue that concerns him. Certainly one could ignore that like one could ignore possible violation of other laws. As far as I know R&D in organic chemistry and pharmacy quite often have to consider the patent problem.

>
> If I wrote a paper on Ritter's designs, citing his patents and Usenet postings and webpages, I believe that I would have a lot of trouble getting it published.
>
> >> > I invite you to submit a paper, based on your patent #5,727,062 ("Variable Size Block Ciphers") to the 1999 Fast Software Encryption workshop. I believe it will be published.

Isn't there some contradiction between these two paragraphs (given your opinions on patents above)?

>
> Near as I can tell your "contradiction" is:
>
> I would like Ritter to submit his designs to FSE.
>
> I believe that Ritter's designs could potentially be cryptanalyzed by amateurs.
>
> I see no contradiction there.

As far as I know in scientific conferences there are always much, much more submissions than can be taken up. Certainly there would be plenty of good papers from professionals that would be rejected by the coming FSE because of the capacity problem. As a member of the program committee you really needn't fear that there would be too few good submissions to make the workshop successful. No propaganda is needed at all. I don't yet see why you are particularly inclined to look for manuscripts coming from amateurs instead of from your fellow professionals or would-be professionals. Are Ritter's patents that interesting to you? But that seems to contradict what you said about patents.

M. K. Shen
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 30 Oct 1998 18:41:08 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <363b062f.2065537@news.visi.com>
References: <363A0105.81B31DB5@stud.uni-muenchen.de>
Newsgroups: sci.crypt
Lines: 98

On Fri, 30 Oct 1998 19:10:13 +0100, Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de> wrote:

>Bruce Schneier wrote:
>>
>> Some cryptographic algorithms are patented, yes. I'm not sure how that's relevant. I do not know of any academic cryptographers that regularly look through the U.S. patent system. Patents are not a peer-reviewed publication. If an academic (in any discipline) presented a list of patents to his tenure review board, they would not be considered publication.
>
>This is not true. Applications for patents are examined by a number of professionals in the corresponding fields to ensure that the ideas are really novel and useful. There are huge databases maintained by the patent offices which are carefully checked to ensure patents are not given to someone bringing forth duplication or near duplication of prior art. You can certainly refer to a patent number (with title) as one of your (valid) literature references. A good and hence accepted paper can on the other hand well be, say, an overview of a certain currently interesting part of a discipline and contain nothing new. If one seldom sees references to patents, it is because they are quite few in number relative to the normal papers in any field.

Patents are not considered peer-reviewed publications in academia. Please confirm this with academics in other disciplines. I do not want you to take my word for this.

Patent applications are generally reviewed by one examiner, not "a number of professionals in the corresponding fields." As far as I know, the US patent office cannot, by law, use outside professionals. Please confirm this with your patent attorney. Do not take my word for it.

Patent applications are checked for patentability, not quality of research. Again, please confirm this with your attorney.

One seldom sees references to patents because people who write papers don't look through patent databases like they look through journals. Again, please check this with other academics.

>As far as I know in scientific conferences there are always much, much more submissions than can be taken up. Certainly there would be plenty of good papers from professionals that would be rejected by the coming FSE because of the capacity problem. As a member of the program committee you really needn't fear that there would be too few good submissions to make the workshop successful.

There are usually many more submissions than accepted papers, and one of the ways to judge a conference is the acceptance rate. Crypto and Eurocrypt, for example, have acceptance rates around 25%. Some of the lesser cryptography conferences have much higher acceptance rates--I know of one that was around 80%--and the quality of accepted papers is much lower because of this. There was one crypto conference that was cancelled because they did not receive enough quality papers. Other conferences take mediocre papers. Other conferences take average papers and fewer papers. CARDIS 98 is an example of this; I was on the program committee and we just didn't get enough quality papers.

Except for well-known and popular conferences, program committees always fear not getting enough quality papers to make for a successful conference. It's a big problem in many disciplines, and a problem in the lesser cryptography conferences. (Look at the Australian conference, for example.)

>No propaganda is needed at all. I don't yet see why you are particularly inclined to look for manuscripts coming from amateurs instead of from your fellow professionals or would-be professionals.

All the committees I know of review all papers received, regardless of where they are from. Crypto and Eurocrypt have blind refereeing, which means that the referees don't know whether the papers come from "fellow professionals or would-be professionals." I have pulled three proceedings off my shelves at pseudo-random, and all contain some papers not from people in the "mainstream."

>Are Ritter's patents that interesting to you? But that seems to contradict what you said about patents.

I'm not sure what I said about patents that indicates that Ritter's would not interest me. Ritter's work interests me, and his patents are one of the few places I can read about it. I admit that I have not studied his designs in any detail, but that is more due to lack of time (and the lessened possibility of publishable results) than lack of interest.

Are we getting somewhere?

Bruce
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 02 Nov 1998 17:34:09 +0100
From: Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
Message-ID: <363DDF00.CD0B2609@stud.uni-muenchen.de>
References: <363b062f.2065537@news.visi.com>
Newsgroups: sci.crypt
Lines: 305

Bruce Schneier wrote:
>
> On Fri, 30 Oct 1998 19:10:13 +0100, Mok-Kong Shen
> <mok-kong.shen@stud.uni-muenchen.de> wrote:
>
> >Bruce Schneier wrote:
> >>
> >
> >> Some cryptographic algorithms are patented, yes. I'm not sure how
> >> that's relevant. I do not know of any academic cryptographers that
> >> regularly look through the U.S. patent system. Patents are not a
> >> peer-reviewed publication. If an academic (in any discipline)
> >> presented a list of patents to his tenure review board, they would not
> >> be considered publication.
> >
> >This is not true. Applications for patents are examined by a number
> >of professionals in the corresponding fields to ensure that the
> >ideas are really novel and useful. There are huge data bases maintained
> >by the patent offices and are carefully checked to ensure patents are
> >not given to someone bringing forth duplication or near duplication of
> >prior art. You can certainly refer to a patent number (with title)
> >as one of your (valid) literature references. A good and hence accepted
> >paper can on the other hand well be, say, an overview of certain
> >currently interesting part of a discipline and contains nothing new.
> >If one seldom sees references to patents, it is because they are quite
> >few in number relative to the normal papers in any field.
>
> Patents are not considered peer-reviewed publications in academia.
> Please confirm this with academics in other disciplines. I do not
> want you to take my word for this.

Lest our discussions go eventually into wrong directions because there are essential differences between your and my definitions, I like very much first to obtain agreement with you on the definition of the term 'peer review', which is an important concept in our current debate. I don't know a dictionary giving exactly that. But in Webster Third New International Dictionary there is the following for the word 'peer':

   1 a: one that is of the same or equal standing (as in law, rank,
   quality, age, ability) with another : EQUAL.

   b: a fellow citizen.

   2: archaic: COMPANION, FELLOW.

So I think it is appropriate to define 'peer review' in a scientific discipline to be review by knowledgeable, capable persons in that field. Since we have been employing the dichotomy amateur and professional, I suggest that we can agree to understand 'peer review' to be review by professionals. That is, the people doing peer review are from the general scientific community and NOT limited to those from academia (those having positions in the universities and in particular those with tenure). If you are not in (at least near) agreement with this, then it is unconditionally necessary that we carry out a discussion on this essential terminology problem, otherwise our writings to and fro would be senseless.

In the following, I assume that there is no terminology difficulty in the said point. The immediately following paragraphs of my comment will also cover materials that concern later parts that are to be responded by me (this lumping together is done in order to achieve some better continuity of my argumentation.)

With the said assumption, your point above could be rephrased into: 'Patents are not considered publications reviewed by the professionals in the respective field.' Is there difficulty here for you to accept this? If yes, please state your counter-argument in a bit detail and give a proposal of your rephrasing so that we can further discuss on that.

Before waiting your follow-up I temporarily assume that you agree on that and carry on my argumentation based on that. Now as I said, a patent office employs professionals in diverse scientific fields with the purpose to ensure that the goals of the patent laws are achieved, i.e., to say roughly, that patents are only issued to inventions that are really novel and potentially useful. It may well be argued whether these employed professionals are good or bad, but I think this is the responsibility of the government. To make an analogon, we can't for purpose of general discussions ask whether the judges in courts are capable or incapable. We have to assume that the government has done a proper job and has chosen capable people to take the positions of judges. (If many people are of the opinion that the government has done a bad job, they should do something in politics, including revolution.) In our case it is my point that an examination at the patent office (by the professionals there) has the equivalent (scientific) quality as the normally designated 'peer reviews' that are done by persons chosen by the journals. (It is my personal opinion that the quality might probably be higher, since the examiners would obtain difficulties if they were found to be careless in scrutinizing the patent applications while a reviewer of a normal journal paper doesn't have material consequences if his evaluation turns out to be wrong. But let's ignore that in order not to overly lengthen our discussions.) Do you agree? If not, please elaborate your view.

Now each professional, however knowledgeable he is, has only a finite limited knowledge. An application may happen to be at a higher knowledge level than his current stand. I don't know exactly what happens in that case in the different countries. But I'll like to make a plausible guess. Suppose someone applies for a crypto patent involving very high mathematical knowledge of the kind of Prof. Schnorr's patent. I can very well imagine that the professionals at the patent offices might feel uncertain of their own judgement and would seek outside advice, i.e. from other government institutions (the so-called 'mutual assistance' of government institutions, in this case quite likely to involve a three-lettered agency), from universities or from industry that are known to have the expertise. It is in any case the responsibility of the examiner(s) (lastly the responsibility of the patent office as a legal person) to see to it that their job is properly done (i.e. is done as is desired by the patent law). I don't see that we should question in the framework of this thread whether that responsibility is in fact fulfilled or not. See also the previous paragraph. (One would also not question whether a university has chosen professors that really do good teaching jobs in similar contexts of discussion.)

Now I like to argue for the degree of acknowledgement of the value (status) of patents by the professionals (the scientific community) with special reference to cryptology. In A. J. Menezes et al. a whole chapter, Chap. 15, is devoted to 'Patents and Standards'. There they write:

   This chapter discusses two topics which have significant impact
   on the use of cryptology in practice: patents and standards. At
   their best, cryptographic patents make details of significant
   new processes and efficient techniques publicly available,
   thereby increasing awareness and promoting use; at their worst,
   they limit or stifle the use of such techniques due to licencing
   requirement.

This in my view clearly shows that patents play an important role in R&D in cryptology. Like them or not, they ARE there and cannot be willingly ignored if one conducts proper business. In Menezes's book the number of pages actually dealing with patents amounts to about 2% of the total pages of the book, a certainly non-trivial figure. Patent publications cannot be ignored simply because they are government publications and thus in some respect different from the normal journals. (I guess someone doing a serious implementation would not rely entirely on information obtainable from some text book on cryptology but consult the original document MBS FIPS PUB 45-1.)

>
> Patent applications are generally reviewed by one examiner, not "a
> number of professionals in the corresponding fields." As far as I
> know, the US patent office cannot, by law, use outside professionals.
> Please confirm this with your patent attorney. Do not take my word
> for it.

Two points. One: If the responsible examiner feels his competence is well good enough in a specific case, I believe he will assume his responsibility of deciding alone. But there is nothing wrong in that. There are plenty of courts presided by a single judge. Does that mean injustice? But patents are NOT granted simply because an examiner or a group of examiners employed by the patent office think it is o.k. A draft of a patent must be published and within a certain time period anybody can bring forth objections to the pending patent. (I suppose you know that large firms like IBM have fairly sizable patent divisions that not only work closely with the research divisions to ensure that patentable research results indeed get patented but also to constantly watch whether a patent applied by somebody else infringes on existing or pending patents of their own.) So this gives in fact possibility of examination by a much much wider circle of professionals than is the case with a paper that is submitted to a journal (with a few referees only). Sometimes journals publish papers containing results duplicating prior publications (leading to letters to the editor), which is a consequence of the fact that the manuscripts are only available to a rather small number of referees before the papers actually come out.

Two: Your challenge 'Please confirm this with your patent attorney.' is an inappropriate type of challenge. If I were to say to you 'In Germany (or even US), as far as I know the law in the field X is such and such. Please confirm this with your lawyer.', would you accept that challenge? (Note that to consult a lawyer costs money, not only time.) If you know something for sure and like to use it for your argument in the debate, it is YOUR job to bring forth the evidence, not mine!

>
> Patent applications are checked for patentability, not quality of
> research. Again, please confirm this with your attorney.

Again two points: One: What do you exactly define as 'quality of research'? And as 'patentability'? Two: Analogous response to the last part of my previous paragraph.

>
> One seldom sees references to patents because people who write papers
> don't look through patent databases like they look through journals.
> Again, please check this with other academics.

In your own book, Applied Cryptography, 2nd ed., a quick (hence maybe incomplete) scan gives the following references (in number) to patent publications:

   111 223 323 326 327 328 331 388 514 554 667 678 684 685 686 710
   722 1013 1066 1072 1086 1087 1330 1389 1483 1489 1614

You give in your book the exact number, title and date of issue of each patent and even take care to give references to patent numbers of different countries in case the same thing is granted a patent by different countries. Why do you take so much trouble if you are convinced that patent publications are unimportant for research and learning and hence barely of value to readers of your book? The above references make 2 percent of the total references of your book. Do you think that this is too low a figure? Note that patents are not easy to obtain. Their applications and maintenance cost money, in some cases quite a lot. Some people just give up their right to patent because of finance or do not apply patents for reasons of principle (e.g. not to stifle the technical developments in cryptology). By nature patent publications cannot be as abundant as normal scientific papers. (Analogon: one can't expect to encounter as many of the families of the nobles as the common people, simply because there are fewer of the former in existence.) Otherwise lots of scientists would be earning money from patent licences.

>
> >As far as I know in scientific conferences there are always much much
> >more submissions than can be taken up. Certainly there would be plenty
> >of good papers from professionals that would be rejected by the coming
> >FSE because of the capacity problem. As member of the program
> >committee you really needn't fear that there would be too few good
> >submissions to make the workshop successful.
>
> There is usually many more submissions than accepted papers, and one
> of the ways to judge a conference is the acceptance rate. Crypto and
> Eurocrypt, for example, have acceptance rates around 25%. Some of the
> lesser cryptography conferences have much higher acceptance rate--I
> know of one that was around 80%--and the quality of accepted papers
> are much lower because of this. There was one crypto conference that
> was cancelled because they did not receive enough quality papers.
> Other conferences take mediocre papers. Other conferences take
> average papers and fewer papers. CARDIS 98 is an example of this; I
> was on the program committee and we just didn't get enough quality
> papers.

I suppose an interesting and relevant figure in the present context is that of FSE 98, which has an acceptance rate of 50%. But that certainly implies that there were sufficiently ample good candidates than could be accepted by the workshop. I happened to have some 'internal' knowledge of some scientific conferences (not cryptology). If these cases could be generalized, then the (high) majority of submissions are good candidates, i.e. bad papers are seldom submitted. (I guess that the distinguished names of the members of the program committee alone usually suffice to 'frighten' away submitters of poor papers.)

>
> Except for well-known and popular conferences, program committees
> always fear not getting enough quality papers to make for a successful
> conference. It's a big problem in many disciplines, and a problem in
> the lesser cryptography conferences. (Look at the Australian
> conference, for example.)

See above. It seems reasonable to 'extrapolate' (anticipate) for FSE 99 using the data of FSE 98.

>
> >No propaganda is needed
> >at all. I don't yet see why you are particularly inclined to look for
> >manuscripts coming from amateurs instead of from your fellow
> >professionals or would-be professionals.
>
> All the committees I know of review all papers received, regardless of
> where they are from. Crypto and Eurocrypt have blind refereeing,
> which means that the referees don't know whether the papers come from
> "fellow professionals or would-be professionals." I have pulled three
> proceedings off my shelves at pseudo-random, and all contain some
> papers not from people in the "mainstream."
>
> >Are Ritter's patents
> >that interest you? But that seems to contradict what you said
> >about patents.
>
> I'm not sure what I said about patents that indicates that Ritter's
> would not interest me. Ritter's work interests me, and his patents
> are one of the few places I can read about it. I admit that I have
> not studied his designs in any detail, but that is more due to lack of
> time (and the lessened possibility of publishable results) than lack
> of interest.
> Are we getting somewhere?

You snipped a part from the previous post which I take the liberty to reproduce below. I like very much to have your answers to the question therein before commenting (effectively) to what you wrote above. Here is the reproduction:

> >
> > If I wrote a paper on Ritter's designs, citing his patents and Usenet
> > postings and webpages, I believe that I would have a lot of trouble
> > getting it published.
>
> > >> > I invite you to submit a paper, based on your patent #5,727,062
> > >> > ("Variable Size Block Ciphers") to the 1999 Fast Software Encryption
> > >> > workshop. I believe it will be published.
>
> Isn't there some contradiction between these two paragraphs (given
> your opinions on patents above) ?

M. K. Shen
Subject: Re: Memo to the Amateur Cipher Designer
Date: 2 Nov 1998 12:01:40 -0500
From: juola@mathcs.duq.edu (Patrick Juola)
Message-ID: <71kohk$r3j$1@quine.mathcs.duq.edu>
References: <363DDF00.CD0B2609@stud.uni-muenchen.de>
Newsgroups: sci.crypt
Lines: 126

In article <363DDF00.CD0B2609@stud.uni-muenchen.de>,
Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de> wrote:
>Bruce Schneier wrote:
>> On Fri, 30 Oct 1998 19:10:13 +0100, Mok-Kong Shen
>> <mok-kong.shen@stud.uni-muenchen.de> wrote:
>> >Bruce Schneier wrote:
>> >>
>> >
>> >> Some cryptographic algorithms are patented, yes. I'm not sure how
>> >> that's relevant. I do not know of any academic cryptographers that
>> >> regularly look through the U.S. patent system. Patents are not a
>> >> peer-reviewed publication. If an academic (in any discipline)
>> >> presented a list of patents to his tenure review board, they would not
>> >> be considered publication.
>> >
>> >This is not true. Applications for patents are examined by a number
>> >of professionals in the corresponding fields to ensure that the
>> >ideas are really novel and useful....
>>
>> Patents are not considered peer-reviewed publications in academia....
>
>Lest our discussions go eventually into wrong directions because
>there are essential differences between your and my definitions, I
>like very much first to obtain agreement with you on the definition
>of the term 'peer review', which is an important concept in our
>current debate. I don't know a dictionary giving exactly that. But
>in Webster Third New International Dictionary there is the following
>for the word 'peer':
>
> 1 a: one that is of the same or equal standing (as in law, rank,
> quality, age, ability) with another : EQUAL.
>
> b: a fellow citizen.
>
> 2: archaic: COMPANION, FELLOW.
>
>So I think it is appropriate to define 'peer review' in a scientific
>discipline to be review by knowledgeable, capable persons in that
>field.

Um, Mr. Shen, the definition of what is regarded as "peer review" is not for you (nor Mr. Schneier) to make; the people whose opinions matter are generally those sitting on tenure and promotion boards, funding and review committees for scientific foundations, and editorial boards of journals and conferences. Irrespective of what you -- or Webster's Third -- might wish to say about the definition of the word "peer," the phrase "peer review" has a very specific meaning to those people. You might as well complain because the "National Football League" has a definition of "football" that differs from other sports called "football." It's a largely irrelevant quibble of interest to very few and that will change no one's opinion.

Similarly, "peer review" does not simply mean "review by one's peers" -- I can't just walk a paper around my department, have everyone in the department review it and initial it, and then claim that that document is "peer-reviewed."

> Since we have been employing the dichotomy amateur and
>professional, I suggest that we can agree to understand 'peer review'
>to be review by professionals. That is, the people doing peer review
>are from the general scientific community and NOT limited to those
>from academia (those having positions in the universities and in
>particular those with tenure).

The "general scientific community" is *NOT* restricted only to academics (or only to those with tenure, &c.) For example, most of the active researchers at Bell Labs, Xerox PARC, or IBM T.J. Watson would all be regarded as members of the scientific community, as "peers" for a review board. You can confirm this fairly easily by looking at the program committee for any major meeting (or the editorial board of any journal).

On the other hand, patent agents are *NOT*, in general, members of the scientific community. They generally don't know enough about science. Despite your claim,

> Now as I said, a
>patent office employs professionals in diverse scientific fields
>with the purpose to ensure that the goals of the patent laws are
>achieved, i.e., to say roughly, that patents are only issued to
>inventions that are really novel and potentially useful. It may well
>be argued whether these employed professionals are good or bad, but
>I think this is the responsibility of the government. To make an
>analogon, we can't for purpose of general discussions ask whether the
>judges in courts are capable or incapable. We have to assume that
>the government has done a proper job and has chosen capable people
>to take the positions of judges. (If many people are of the opinion
>that the government has done a bad job, they should do something
>in politics, including revolution.)

... this is, in fact, exactly what's happened. The overall standing of patent review is sufficiently low that the people who have the authority to decide what does and doesn't constitute "peer review" have decided that patents don't cut it.

> In our case it is my point that
>an examination at the patent office (by the professionals there)
>has the equivalent (scientific) quality as the normally designated
>'peer reviews' that are done by persons chosen by the journals.

This point is simply speaking untrue. And even if it were true, it's neither your place nor Mr. Schneier's to correct it, as you don't sit on the relevant committees.

>> Patent applications are generally reviewed by one examiner, not "a
>> number of professionals in the corresponding fields." As far as I
>> know, the US patent office cannot, by law, use outside professionals.
>> Please confirm this with your patent attorney. Do not take my word
>> for it.
>
>Two points. One: If the responsible examiner feels his competence is
>well good enough in a specific case, I believe he will assume his
>responsibility of deciding alone. But there is nothing wrong in that.
>There are plenty of courts presided by a single judge.

Irrelevant comparison. Judges don't issue "peer reviewed" decisions, nor are their decisions regarded as "scientifically" valid. And, in fact, the law is very careful in how it treats issues of "scientific questions" because of the fact that, *BY PRESUMPTION*, judges are not scientific experts.

	-kitten
Subject: Re: Memo to the Amateur Cipher Designer
Date: 2 Nov 1998 22:41:42 GMT
From: jpeschel@aol.com (JPeschel)
Message-ID: <19981102174142.20334.00002760@ng141.aol.com>
References: <363DDF00.CD0B2609@stud.uni-muenchen.de>
Newsgroups: sci.crypt
Lines: 17

>Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de> writes a lot of stuff
about patents that I snipped.

Why not go here and look around:

Http://www.uspto.gov/web/offices/pac/doc/general/index.html

Joe
__________________________________________

Joe Peschel
D.O.E. SysWorks
http://members.aol.com/jpeschel/index.htm
__________________________________________
Subject: Re: Memo to the Amateur Cipher Designer Date: Tue, 03 Nov 1998 19:01:17 +0100 From: Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de> Message-ID: <363F44ED.FEF5E3C@stud.uni-muenchen.de> References: <363b062f.2065537@news.visi.com> Newsgroups: sci.crypt Lines: 532 Note: For motivation given at the end of this post, I select the alternative to reply in the group. For this reason, the incoming material is nowhere snipped. Apology for its length. -------------------------------------------------------------------- Bruce Schneier wrote: > > Look, this isn't worth this long an email. I will read briefly, respond > briefly, and then probably drop the matter. > > At 05:34 PM 11/2/98 +0100, Mok-Kong Shen wrote: > >Bruce Schneier wrote: > >> > >> On Fri, 30 Oct 1998 19:10:13 +0100, Mok-Kong Shen > >> <mok-kong.shen@stud.uni-muenchen.de> wrote: > >> > >> >Bruce Schneier wrote: > >> >> > >> > > >> >> Some cryptographic algorithms are patented, yes. I'm not sure how > >> >> that's relevent. I do not know of any academic cryptographers that > >> >> regularly look through the U.S. patent system. Patents are not a > >> >> peer-reviewed publication. If an academic (in any discipline) > >> >> presented a list of patents to his tenure review board, they would not > >> >> be considered publication. > >> > > >> >This is not true. Applications for patents are examined by a number > >> >of professionals in the corresponding fields to ensure that the > >> >ideas are really novel and useful. There are huge data bases maintained > >> >by the patent offices and are carefully checked to ensure patents are > >> >not given to some one bring forth duplication or near duplication of > >> >prior art. You can certainly refer to a patent number (with title) > >> >as one of your (valid) literature reference. A good and hence accepted > >> >paper can on the other hand well be, say, an overview of certain > >> >currently interesting part of a discipline and contains nothing new. 
> >> >If one seldem sees references to patents, it is because they are quite > >> >few in number relative to the normal papers in any field. > >> > >> Patents are not considered peer-reviewed publications in academia. > >> Please confirm this with academics in other disciplines. I do not > >> want you to take my word for this. > > > >Lest our discussions go eventually into wrong directions because > >there are essential differences between your and my definitions, I > >like very much first to obtain agreement with you on the definition > >of the term 'peer review', which is an important concept in our > >current debate. I don't know a dictionary giving exactly that. But > >in Webster Third New International Dictionary there is the following > >for the word 'peer': > > > > 1 a: one that is of the seme or equal standing (as in law, rank, > > quality, age, ability) with another : EQUAL. > > > > b: a fellow citizen. > > > > 2: archaic: COMPANION, FELLOW. > > I define peer review as appearing in a conference proceedings, workshop > proceedings, or journal that is peer reviewed. I mean the term in the > academic sense, as a professor might use in "peer reviewed publication." > > I am not defending "shoulds." I am stating reality. Please confirm with > others. > > >So I think it is appropriate to define 'peer review' in a scientific > >discipline to be review by knowledgeable, capable persons in that > >field. Since we have been employing the dichotomy amateur and > >professional, > > ...which I don't like at all... > > >I suggest that we can agree to understand 'peer review' > >to be review by professionals. That is, the people doing peer review > >are from the general scientific community and NOT limited to those > >from academia (those having positions in the universities and in > >particular those with tenure). > > Ah, academics only use academic peer-review for things like tenure.\ > This may be our disagreement. 
> > >If you are not in (at least near) > >agreement with this, then it is unconditionally necessary that we > >carry out a discussion on this essential terminology problem, > >otherwise our writings to and fro would be senseless. > > We can just choose to drop the matter, which seems much easier. A few points for reflexion: Are the journals and proceedings published to be read exclusively by the academics (and not by the scientific community as a whole)? It is the value (and hence meaning) of 'peer review' for the scientific community as a whole and not the possible deviating meaning of someones in the universities that really (practically) counts for the material that the publishing bodies provide to the scientific community as services (for which they pay their money). There are scientific conferences where the majority of the program committe, even including the chair, are not from universities. Are those who are not academics not 'peers' doing the review and are not equivalent to those who have university positions in the process? Why is it necessary to lay weight at all on being academics or not academics in the present context? Is a good scientist, say one from a research division of an industrial firm, necessarily less qualified for the review work? Why couldn't we forget in the present discussion the special professional subclass academics and talk instead only in terms of the professionals in the scientific community (the superclass) as I suggested? > > >In the following, I assume that there is no terminology difficulty > >in the said point. The immediately following paragraphs of my > >comment will also cover materials that concern later parts that are > >to be responded by me (this lumping together is done in order to > >achieve some better continuity of my argumentation.) > > > >With the said assumption, your point above could be rephrased into : > >'Patents are not considered publications reviewed by the > >professionals in the respective field.' 
Is there difficulty here > >for you to accept this? If yes, please state your counter- > >argument in a bit detail and give a proposal of your rephrasing so > >that we can further discuss on that. > > This is true. > > >Before waiting your follow-up I temporary assume that you agree on > >that and carry on my argumentation based on that. Now as I said, a > >patent office employs professionals in diverse scientific fields > >with the purpose to ensure that the goals of the patent laws are > >achieved, i.e., to say roughly, that patents are only issued to > >inventions that are really novel and potentially useful. It may well > >be argued whether these employed professionals are good or bad, but > >I think this is the responsibility of the government. To make an > >analogon, we can't for purpose of general discussions ask whether the > >judges in courts are capable or incapable. We have to assume that > >the government has done a proper job and has choosen capable people > >to take the positions of judges. (If many people are of the opinion > >that the government has done a bad job, they should do something > >in politics, including revolution.) In our case it is my point that > >an examination at the patent office (by the professionals there) > >has the equivalent (scientific) quality as the normally designated > >'peer reviews' that are done by persons chosen by the journals. (It > >is my personal opinion that the quality might probably be higher, > >since the examiners would obtain difficulties if they were found > >to be careless in scrutinizing the patent applications while a > >reviewer of a normal journal paper doesn't have material > >consequences if his evaluation turns out to be wrong. But let's > >ignore that in order not to overly lenghten our discussions.) Do > >you agree? If not, please elaborate your view. > > Have you ever met patent examiners? I have. They are the ones > who can't get real jobs in the field. 
Patent review does not equal > per review in an academic sense. Yes, I in fact have met some, though longtime ago and not in discussions about any specific patents but about building data base facilities for searching patents. For the 'equality' issue see previous post and below. > > >Now each professional, however knowledgeable he is, has only a > >finite limited knowledge. An application may happen to be at a higer > >knowledge level than his current stand. I don't know exactly what > >happens in that case in the different countries. But I'll like to > >make a plausible guess. Suppose someone applies for a crypto patent > >involving very high mathematical knowledge of the kind of Prof. > >Schnorr's patent. I can very well imagine that the professionals at > >the patent offices might feel uncertain of their own judgement and > >would seek outside advice, i.e. from other government institutions > >(the so-called 'mutual assistance' of government institutions, in > >this case quite likely to involve a three-lettered agency), from > >universities or from industry that are known to have the expertise. > >It is in any case the responsiblity of the examiner(s) (lastly the > >resposibility of the patent office as a legal person) to see to it > >that their job is properly done (i.e. is done as is desired by the > >patent law). I don't see that we should question in the framework > >of this thread whether that responsibility is in fact fulfilled or > >not. See also the previous paragraph. (One would also not question > >whether a university has chosen professors that really do good > >teaching jobs in similar contexts of discussion.) > > The patent office does not have the same aims as an academic reviewer. > The patent office doesn't care if a partular crypto algorithm is any good, > only if it is unique. Remember that. 
Try to arbitrarily assemble some pieces of metal in the fashion of some (very) modern artists into a 'machine' and apply for a patent (claiming it to be a new crypto hardware). That 'machine' is certainly unique (an unique art object in the whole world!). According to what you wrote, one can get a patent. Can this be true?? (The 'machine' can be so constructed so as to allow an 'interpretation' of transforming a bit 1 to 0 and vice versa, thus substantiating its 'claim' of 'encrypting' informations and hence being a crypto hardware.) > > >Now I like to argue for the degree of acknowlegement of the value > >(status) of patents by the professionals (the scientific community) > >with special reference to cryptology. In A. J. Menezes et al. a > >whole chapter, Chap. 15, is devoted to 'Patents and Standards'. > >There they write: > > > > This chapter discusses two topics which have significant impact > > on the use of cryptology in practice: patents and standards. At > > their best, cryptographic patents make details of significant > > new processes and efficient techiques publicly available, > > thereby increasing awareness and promoting use; at their worst, > > they limit or stifle the use of such techniques due to licencing > > requirement. > > > >This in my view clearly shows that patents plays in important role > >in R&D in cryptology. Like them or not, they ARE there and cannot > >be willingly ignored if one conducts proper business. In Menezes's > >book the number of pages actually dealing with patents amounts to > >about 2% of the total pages of the book, a certainly non-trivial > >figure. Patent publications cannot be ignored simply because they > >are government publications and thus in some respect different from > >the normal journals. (I guess someone doing a serious implementation > >would not rely entirely on informations obtainable from some text > >book on cryptology but consult the original document MBS FIPS PUB 45-1.) > > Okay. Fine. 
> > > Patent applications are generally reviewed by one examiner, not "a number of professionals in the corresponding fields." As far as I know, the US patent office cannot, by law, use outside professionals. Please confirm this with your patent attorney. Do not take my word for it.

> > Two points. One: If the responsible examiner feels his competence is well good enough in a specific case, I believe he will assume his responsibility of deciding alone. But there is nothing wrong in that. There are plenty of courts presided over by a single judge. Does that mean injustice? But patents are NOT granted simply because an examiner or a group of examiners employed by the patent office think it is o.k. A draft of a patent must be published and within a certain time period anybody can bring forth objections to the pending patent. I suppose you know that large firms like IBM have fairly sizable patent divisions that not only work closely with the research divisions to ensure that patentable research results indeed get patented but also constantly watch whether a patent applied for by somebody else infringes on existing or pending patents of their own. So this gives in fact the possibility of examination by a much much wider circle of professionals than is the case with a paper that is submitted to a journal (with a few referees only). Sometimes journals publish papers containing results duplicating prior publications (leading to letters to the editor), which is a consequence of the fact that the manuscripts are only available to a rather small number of referees before the papers actually come out.

> Have you ever submitted a patent, been involved in patent prosecution, or fought a patent in court? I wish reality worked like the above paragraph.

I haven't submitted patents. But it is certainly permitted that I discuss the matter?
In the real world there are also judges who are incapable and decide wrongly. As I argued previously patents are NOT issued simply because the examiners employed by the patent offices think they are o.k. There is a public review period, in which the pending patents are invariably critically examined by professionals of firms whose own patents potentially could be infringed on. (Truly critically, because big revenues may under circumstances be involved.) Tell me how a pending crypto patent under the watching eyes of professionals of those firms like IBM can have an easier chance of getting passed (i.e. not objected to in case of infringement) than a paper submitted to a journal (in case of duplication of prior results). (Recently in a mailing list someone said he could not exploit the idea of using faces in a scheme for passphrase entry because IBM has a patent that is very broad to cover that.) In which sense is such a public review less effective (stringent) than a 'peer review' in a journal? If despite this fact some academics have a different opinion, then we of the scientific community CAN really ignore that opinion. (Is there any scientist willing to adhere to doctrines (upheld maybe by some 'authorities') that are evidently wrong?)

> > Two: Your challenge 'Please confirm this with your patent attorney.' is an inappropriate type of challenge. If I were to say to you 'In Germany (or even US), as far as I know the law in the field X is such and such. Please confirm this with your lawyer.', would you accept that challenge? (Note that to consult a lawyer costs money, not only time.) If you know something for sure and like to use it for your argument in the debate, it is YOUR job to bring forth the evidence, not mine!

> Then I won't be doing my job, because this discussion isn't worth that much time. Sorry; I don't mean to be rude. I read sci.crypt for fun, not to find more work to do.
I don't see you are responding to my point here at all. I claimed that the quoted challenge is inappropriate. What has that to do with fun or not fun in sci.crypt or work or not work?? You challenged other people to consult lawyers. That is not only WORK but monetary expenses!!

> > > Patent applications are checked for patentability, not quality of research. Again, please confirm this with your attorney.

> > Again two points: One: What do you exactly define as 'quality of research'? And as 'patentability'? Two: Analogous response to the last part of my previous paragraph.

> "Quality of research" is whether the algorithm is secure or not. Patentability is VERY broadly defined. Again, talk to your attorney.

I refer you to my previous point on the inappropriateness of the said challenge. You think that the predicate 'secure' or 'not secure' necessarily has to come from academics?? We discussed some time ago in the group that the very definition of the strength of encryption algorithms is a difficult (highly debatable) issue. You simply claimed that the one concept of the two above is broader than the other, giving no clues at all of what you have exactly in mind. Please give some appropriate and clear definitions so that others can see your point and be able to discuss.

> > > One seldom sees references to patents because people who write papers don't look through patent databases like they look through journals. Again, please check this with other academics.

> > In your own book, Applied Cryptography, 2nd ed., a quick (hence maybe incomplete) scan gives the following references (in number) to patent publications:
> >
> > 111 223 323 326 327 328 331 388
> > 514 554 667 678 684 685 686 710
> > 722 1013 1066 1072 1086 1087 1330 1389
> > 1483 1489 1614

> Seldom does not equal never. I purposely referenced patents. Open a CRYPTO proceedings and do the same measurement.

How 'seldom' is the stuff here really?
Patents issued are inventions that have already been achieved by some scientists. Normally a patent has a certain coverage, preventing some more or less variants being done by others. (I remember recently in a mailing list there was some discussion of that matter in relation to Schnorr's patent.) A crypto paper is most likely to cite a patent if there is some significant analysis of that patented crypto, which is seldom if we assume that the patented cryptos are mostly fairly strong, and even then it would mostly suffice to use the common name of the crypto without pedantically giving the patent number, date of issue, etc. in the list of references of the paper. This suffices to explain the phenomenon you described. BTW, when you designed and submitted your AES candidate, did you have no concerns at all about patent issues? I simply can't imagine that.

> > You give in your book the exact number, title and date of issue of each patent and even take care to give references to patent numbers of different countries in case the same thing is granted a patent by different countries. Why do you take so much trouble if you are convinced that patent publications are unimportant for research and learning and hence barely of value to readers of your book? The above references make 2 percent of the total references of your book. Do you think that this is too low a figure? Note that patents are not easy to obtain. Their applications and maintenance cost money, in some cases quite a lot. Some people just give up their right to patent because of finance or do not apply for patents for reasons of principle (e.g. not to stifle the technical developments in cryptology). By nature patent publications cannot be as abundant as normal scientific papers. (Analogon: one can't expect to encounter as many of the families of the nobles as the common people, simply because there are fewer of the former in existence.)
> > Otherwise lots of scientists would be earning money from patent licences.

> > > > As far as I know in scientific conferences there are always much much more submissions than can be taken up. Certainly there would be plenty of good papers from professionals that would be rejected by the coming FSE because of the capacity problem. As member of the program committee you really needn't fear that there would be too few good submissions to make the workshop successful.

> > > There are usually many more submissions than accepted papers, and one of the ways to judge a conference is the acceptance rate. Crypto and Eurocrypt, for example, have acceptance rates around 25%. Some of the lesser cryptography conferences have much higher acceptance rates--I know of one that was around 80%--and the quality of accepted papers is much lower because of this. There was one crypto conference that was cancelled because they did not receive enough quality papers. Other conferences take mediocre papers. Other conferences take average papers and fewer papers. CARDIS 98 is an example of this; I was on the program committee and we just didn't get enough quality papers.

> > I suppose an interesting and relevant figure in the present context is that of FSE 98, which has an acceptance rate of 50%. But that certainly implies that there were sufficiently ample good candidates than could be accepted by the workshop. I happened to have some 'internal' knowledge of some scientific conferences (not cryptology). If these cases could be generalized, then the (high) majority of submissions are good candidates, i.e. bad papers are seldom submitted. (I guess that the distinguished names of the members of the program committee alone usually suffice to 'frighten' away submitters of poor papers.)

> Crypto is different. There are MANY poor papers.
> I am on the EUROCRYPT '99 committee, and there are about 1/4 papers that can be immediately rejected.

> > > Except for well-known and popular conferences, program committees always fear not getting enough quality papers to make for a successful conference. It's a big problem in many disciplines, and a problem in the lesser cryptography conferences. (Look at the Australian conference, for example.)

> > See above. It seems reasonable to 'extrapolate' (anticipate) for FSE 99 using the data of FSE 98.

> Extrapolate away. You are free not to believe me, although I'm not sure why you think I would lie.

Is there any word of mine suspecting that you lie on this point? I said only that for FSE 99 you don't need to fear not having sufficient good submissions in view of the statistics of FSE 98. BTW in scientific discussions a false statement expressed with all sincerity remains false and a true statement from a liar (if the statement happens to be true because he misunderstood the matter) is true. So the question of to lie or not to lie plays no role in scientific discussions. It is only the truth-finding that is at issue.

> > > > No propaganda is needed at all. I don't yet see why you are particularly inclined to look for manuscripts coming from amateurs instead of from your fellow professionals or would-be professionals.

> > > All the committees I know of review all papers received, regardless of where they are from. Crypto and Eurocrypt have blind refereeing, which means that the referees don't know whether the papers come from "fellow professionals or would-be professionals." I have pulled three proceedings off my shelves at pseudo-random, and all contain some papers not from people in the "mainstream."

> > > > Are Ritter's patents that interest you? But that seems to contradict what you said about patents.
> > > I'm not sure what I said about patents that indicates that Ritter's would not interest me. Ritter's work interests me, and his patents are one of the few places I can read about it. I admit that I have not studied his designs in any detail, but that is more due to lack of time (and the lessened possibility of publishable results) than lack of interest.

> > > Are we getting somewhere?

> > You snipped a part from the previous post which I take the liberty to reproduce below. I would like very much to have your answers to the question therein before commenting (effectively) on what you wrote above. Here is the reproduction:
> >
> > > > If I wrote a paper on Ritter's designs, citing his patents and Usenet postings and webpages, I believe that I would have a lot of trouble getting it published.
> > > >
> > > > I invite you to submit a paper, based on your patent #5,727,062 ("Variable Size Block Ciphers") to the 1999 Fast Software Encryption workshop. I believe it will be published.
> > >
> > > Isn't there some contradiction between these two paragraphs (given your opinions on patents above)?

> No. There is no contradiction. If you see one, I am sorry. I may respond a bit in public if you continue the thread, but I don't see the point in continuing.

O.K. I'll say what I think in this connection. You are a professional, Ritter is an amateur. You have published a lot in the established journals and have written a (the) bestseller in cryptology. It can be safely said that to write a paper on one and the same subject you have much much more advantages over Ritter at the current moment of time because of your ample experience (in writing papers) and the extent of your knowledge in the field. (Ritter could certainly catch up, but that would at least take some time.)
If such a paper written by you would have a lot of trouble getting published, how can you 'believe' that a paper written by Ritter will be published? You can know to some degree (self-feeling) how good or bad the paper would be if you indeed attempt that. How do you know the quality of Ritter's paper which you invite him to submit? Independent of the quality of the scientific content, what happens if he presents the stuff very poorly? How can you 'believe' that the submission will be successful?

In the Memo it is your golden rule that amateurs and would-be professionals should first do solid analysis work and publish some appreciable analysis results before publishing designs. This is highly valuable advice acknowledged by many in this thread. But aren't you presently recommending Ritter to break your own rule?

There are other aspects not entirely to be neglected. You have now already a definite 'belief' of the quality of Ritter's future work without seeing his manuscript ('it will be published'). Would this 'belief' somehow unconsciously affect your evaluation of Ritter's paper when you come to actually referee it? (Compare the issue of prejudice with respect to judges in courts.) Even if the editorial procedure is such that Ritter's name is not on the manuscript, the probability is almost 1 that you can identify Ritter's paper and since Ritter is going to cite his patent number other members of the program committee can do the same with high probability. Now you have given already some evaluation of his (yet non-existent) paper in that you 'believe' it will be published and give this openly in sci.crypt. Would other members of the program committee somehow unconsciously be affected in their evaluation of the same by your (premature) opinion? In other words, would the 'neutralness' and 'independence' of the program committee become thereby a little bit not 100% perfect?
With the Memo you have probably done something fairly positive to the amateurs of sci.crypt (I expressed my appreciation in another post), but in my humble view you have done something negative to FSE 99 and perhaps even modified a little bit the view of the common people (excluding those in the academia) towards the 'peer reviewed' publications. This is in my personal view rather unfortunate.

All in all I have come through the stuff discussed to the personal opinion that Terry Ritter is going to have a very thorny road before him, if he indeed takes your recommendation to write a paper on his design for submission to FSE 99. I would like very much to warn him of that. For that purpose I have to argue with you, attempting to show the logical inconsistency of your argumentation and discussing with you openly in the group so that any mistakes and errors on my part may be readily discovered by other people. (This is why I have chosen to post this to the group.)

M. K. Shen
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 06 Nov 1998 07:49:39 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <3648a66c.1950739@news.visi.com>
References: <363F44ED.FEF5E3C@stud.uni-muenchen.de>
Newsgroups: sci.crypt
Lines: 200

On Tue, 03 Nov 1998 19:01:17 +0100, Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de> wrote:

> Try to arbitrarily assemble some pieces of metal in the fashion of some (very) modern artists into a 'machine' and apply for a patent (claiming it to be a new crypto hardware). That 'machine' is certainly unique (a unique art object in the whole world!). According to what you wrote, one can get a patent. Can this be true?? (The 'machine' can be so constructed as to allow an 'interpretation' of transforming a bit 1 to 0 and vice versa, thus substantiating its 'claim' of 'encrypting' information and hence being a crypto hardware.)

I believe you would be amazed by what gets through the patent office. The only thing they regularly catch are perpetual motion machines; bad cryptography will fly right over their heads. (For heaven's sake, they can't even weed out impossible compression patents.)

> I haven't submitted patents. But it is certainly permitted that I discuss the matter? In the real world there are also judges who are incapable and decide wrongly. As I argued previously patents are NOT issued simply because the examiners employed by the patent offices think they are o.k.

Yes. You argued that previously. You are wrong. Patents are issued because the patent examiner who has the application has allowed some of the claims.

> There is a public review period, in which the pending patents are invariably critically examined by professionals of firms whose own patents potentially could be infringed on.

I don't know what country you live in, but in the U.S. there is no public review period for pending patents. Patents are made public after they are granted, and not before.
(Note: this is changing now that we have signed up to GATT. U.S. patents will be made public 18 months after filing, regardless of award status.)

> (Truly critically, because big revenues may under circumstances be involved.) Tell me how a pending crypto patent under the watching eyes of professionals of those firms like IBM can have an easier chance of getting passed (i.e. not objected to in case of infringement) than a paper submitted to a journal (in case of duplication of prior results).

Sure. IBM does not see the patent application.

> (Recently in a mailing list someone said he could not exploit the idea of using faces in a scheme for passphrase entry because IBM has a patent that is very broad to cover that.) In which sense is such a public review less effective (stringent) than a 'peer review' in a journal?

It's not public. There is no such public review. In very competitive industries--pharmaceuticals come to mind--companies watch foreign filings for clues as to what the competition is doing. But I know of no instance of a company trying to block a patent from being awarded. If you have such examples, please let me know.

> > > Two: Your challenge 'Please confirm this with your patent attorney.' is an inappropriate type of challenge. If I were to say to you 'In Germany (or even US), as far as I know the law in the field X is such and such. Please confirm this with your lawyer.', would you accept that challenge? (Note that to consult a lawyer costs money, not only time.) If you know something for sure and like to use it for your argument in the debate, it is YOUR job to bring forth the evidence, not mine!

> > Then I won't be doing my job, because this discussion isn't worth that much time. Sorry; I don't mean to be rude. I read sci.crypt for fun, not to find more work to do.

> I don't see you are responding to my point here at all. I claimed that the quoted challenge is inappropriate.
> What has that to do with fun or not fun in sci.crypt or work or not work?? You challenged other people to consult lawyers. That is not only WORK but monetary expenses!!

Look, I didn't challenge anyone to consult a lawyer. I suggested that if you don't believe me, you should consider asking someone else who may know. I really don't care enough about this argument to spend the time necessary to convince you. And there are some excellent books on patent law by Nolo Press.

> BTW, when you designed and submitted your AES candidate, did you have no concerns at all about patent issues? I simply can't imagine that.

Of course I had concern. But if I was simply writing an academic paper, I wouldn't.

> Is there any word of mine suspecting that you lie on this point? I said only that for FSE 99 you don't need to fear not having sufficient good submissions in view of the statistics of FSE 98.

Agreed. Because there is so much good research, and the AES process is bringing even more of it out of the woodwork, I expect an excellent program for FSE 98.

> O.K. I'll say what I think in this connection. You are a professional, Ritter is an amateur. You have published a lot in the established journals and have written a (the) bestseller in cryptology. It can be safely said that to write a paper on one and the same subject you have much much more advantages over Ritter at the current moment of time because of your ample experience (in writing papers) and the extent of your knowledge in the field. (Ritter could certainly catch up, but that would at least take some time.) If such a paper written by you would have a lot of trouble getting published, how can you 'believe' that a paper written by Ritter will be published? You can know to some degree (self-feeling) how good or bad the paper would be if you indeed attempt that. How do you know the quality of Ritter's paper which you invite him to submit?
> Independent of the quality of the scientific content, what happens if he presents the stuff very poorly? How can you 'believe' that the submission will be successful?

Thank you. I finally understand what your issue is. You believe that for me to 1) say that I would have trouble getting a paper on Ritter's stuff published, and 2) suggest that Ritter write one himself, is contradictory.

I wish you said that in the beginning; it would have saved a lot of bandwidth. A few things:

1. Ritter's paper would be a design paper, not an analysis paper. Design papers appear at FSE. I think this is a good thing. I believe it would be easier for Ritter to get a paper published at FSE with some of his design ideas than for someone to get a paper published at FSE analyzing some of his design ideas (unless they were published first).

2. I was specifically suggesting that Ritter publish in FSE, in hopes that he would join the committee.

3. You know, you're right.

> In the Memo it is your golden rule that amateurs and would-be professionals should first do solid analysis work and publish some appreciable analysis results before publishing designs. This is highly valuable advice acknowledged by many in this thread. But aren't you presently recommending Ritter to break your own rule?

Indeed. I am.

> There are other aspects not entirely to be neglected. You have now already a definite 'belief' of the quality of Ritter's future work without seeing his manuscript ('it will be published'). Would this 'belief' somehow unconsciously affect your evaluation of Ritter's paper when you come to actually referee it?

Oh, definitely. But if it wasn't any good, the committee would not let it in.

> (Compare the issue of prejudice with respect to judges in courts.)
> Even if the editorial procedure is such that Ritter's name is not on the manuscript, the probability is almost 1 that you can identify Ritter's paper and since Ritter is going to cite his patent number other members of the program committee can do the same with high probability. Now you have given already some evaluation of his (yet non-existent) paper in that you 'believe' it will be published and give this openly in sci.crypt. Would other members of the program committee somehow unconsciously be affected in their evaluation of the same by your (premature) opinion?

No. Trust me on this one.

> In other words, would the 'neutralness' and 'independence' of the program committee become thereby a little bit not 100% perfect? With the Memo you have probably done something fairly positive to the amateurs of sci.crypt (I expressed my appreciation in another post), but in my humble view you have done something negative to FSE 99 and perhaps even modified a little bit the view of the common people (excluding those in the academia) towards the 'peer reviewed' publications. This is in my personal view rather unfortunate.

Oh, I get it. Honestly, I don't think it will be a problem. The paper would have been judged on its own merits. I believe that his design writings, as I have seen them, are the sorts of things that FSE accepts. That's all.

> All in all I have come through the stuff discussed to the personal opinion that Terry Ritter is going to have a very thorny road before him, if he indeed takes your recommendation to write a paper on his design for submission to FSE 99. I would like very much to warn him of that. For that purpose I have to argue with you, attempting to show the logical inconsistency of your argumentation and discussing with you openly in the group so that any mistakes and errors on my part may be readily discovered by other people. (This is why I have chosen to post this to the group.)

Got it. I hope we're done now.
Bruce

**********************************************************************
Bruce Schneier, President, Counterpane Systems     Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419       Fax: 612-823-1590
           Free crypto newsletter.  See:  http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 06 Nov 1998 16:05:19 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <36441e09.660949@news.visi.com>
References: <3648a66c.1950739@news.visi.com>
Newsgroups: sci.crypt
Lines: 13

On Fri, 06 Nov 1998 07:49:39 GMT, schneier@counterpane.com (Bruce Schneier) wrote:

> 2. I was specifically suggesting that Ritter publish in FSE, in hopes that he would join the committee.

Oops. I meant "community."

Bruce

**********************************************************************
Bruce Schneier, President, Counterpane Systems     Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419       Fax: 612-823-1590
           Free crypto newsletter.  See:  http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 10 Nov 1998 10:54:36 +0100
From: Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
Message-ID: <36480D5C.7676EE5D@stud.uni-muenchen.de>
References: <3648a66c.1950739@news.visi.com>
Newsgroups: sci.crypt
Lines: 32

Bruce Schneier wrote:

> I don't know what country you live in, but in the U.S. there is no public review period for pending patents. Patents are made public after they are granted, and not before. (Note: this is changing now that we have signed up to GATT. U.S. patents will be made public 18 months after filing, regardless of award status.)

I have been able to verify that there are public reviews for German, British and European patents. I have no easy access to US laws. It is strange but I can well comprehend the radical difference of patenting in US from patenting in other countries, since there appears to me to be differences in the underlying general 'philosophy' of laws as is manifested in the issue of carrying of guns by common people which is prohibited in almost all nations.

> Thank you. I finally understand what your issue is. You believe that for me to 1) say that I would have trouble getting a paper on Ritter's stuff published, and 2) suggest that Ritter write one himself, is contradictory.
>
> I wish you said that in the beginning; it would have saved a lot of bandwidth.

My sincere apology to all readers of the group for having wasted bandwidth. (But I thought it would have been sufficient to simply ask (twice) the question of the existence of contradiction in point without appending too many words.) Sorry.

M. K. Shen
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 11 Nov 1998 09:08:54 +0100
From: Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
Message-ID: <36494616.1500C031@stud.uni-muenchen.de>
References: <36480D5C.7676EE5D@stud.uni-muenchen.de>
Newsgroups: sci.crypt
Lines: 50

Mok-Kong Shen wrote:

> My sincere apology to all readers of the group for having wasted bandwidth. (But I thought it would have been sufficient to simply ask (twice) the question of the existence of contradiction in point without appending too many words.) Sorry.

Someone pointed out to me that I could have saved more bandwidth if I had paid attention to the following fact: In the academically 'peer reviewed' paper by J. Kelsey, B. Schneier, D. Wagner, C. Hall, Cryptanalytic Attacks on Pseudorandom Number Generators (in S. Vaudenay (ed), Fast Software Encryption, Springer, 1998), there is the following entry in the references:

[Koc95] P. Kocher, post to sci.crypt Internet newsgroup (message-ID pckDIr4Ar.L4zQnetcom.com), 4 Dec 1995

This clearly refutes the claim that references to newsgroup articles are unworthy of good scientific papers and shows up the existence of some more logical inconsistencies than I had been able to uncover.

It is noteworthy that in the same paper there are also references to Web page URL and to ftp URL. So these are also valid references for good scientific papers. Should patent publications be less worthy of being cited scientifically?? (In scientific publications one sometimes even sees such references as 'Private communication from XXX'. I personally consider these to be rather useless since the reader has practically no possibility to access these communications.)

I am taking this opportunity to say a bit more about peer review of patent publications. A scientific paper is reviewed by a number of peers before publishing. Afterwards, there is public review. A reader may object by writing a 'letter to the editor'.
For a patent (in the case of US, not other countries!) there is no review by peers before patent publication. But afterwards the document is examined by the professionals in the patent divisions of a number of firms whose own patents may be concerned. If there are objections there will be a legal issue in court. (This is at least true in countries other than US.) So what is the essential difference in the value of information transmission (to the scientific community which comprises not solely the academics but many more) between a scientific paper and a patent document? If the academics choose to ignore the patent publications and claim that only the papers in journals edited by them are scientific contributions (I doubt this), then they are not practicing science but 'religion'! (Note though, that in ancient times science was not separated from religion.)

M. K. Shen
Subject: Re: Memo to the Amateur Cipher Designer
Date: 11 Nov 1998 08:50:05 GMT
From: sax@rmovt.rply.ce.chalmers.se (Stefan Axelsson)
Message-ID: <72bj3t$bbk$1@nyheter.chalmers.se>
References: <36494616.1500C031@stud.uni-muenchen.de>
Newsgroups: sci.crypt
Lines: 34

In article <36494616.1500C031@stud.uni-muenchen.de>, Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de> wrote:

> [Koc95] P. Kocher, post to sci.crypt Internet newsgroup (message-ID pckDIr4Ar.L4zQnetcom.com), 4 Dec 1995
>
> This clearly refutes the claim that references to newsgroup articles are unworthy of good scientific papers and shows up the existence of some more logical inconsistencies than I had been able to uncover.
>
> It is noteworthy that in the same paper there are also references to Web page URL and to ftp URL. So these are also valid references for good scientific papers.

No, in general, they, currently, are, not. The problem of what to do with URL:s is a somewhat debated topic in academic circles today, and no real consensus has been reached. However, the majority of researchers recognise that there are difficult, and fundamental problems with referring to URL:s, or other forms of transient communication.

The requirements for a "good" scientific paper, whatever that may be, today, I would say, would exclude even references to obscure publications, where they are not crucial to the treatment of the subject.

A newsgroup posting, I would say, is (almost) right up there with "personal conversation with N.N.", dejanews or not. It detracts from the scientific value of the paper, it doesn't add to it!

Stefan,
--
Stefan Axelsson                         Chalmers University of Technology
sax@rmovt.rply.ce.chalmers.se           Dept. of Computer Engineering
(Remove "rmovt.rply" to send mail.)
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 11 Nov 1998 16:42:23 -0600
From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw)
Message-ID: <jgfunj-1111981642240001@dialup164.itexas.net>
References: <72bj3t$bbk$1@nyheter.chalmers.se>
Newsgroups: sci.crypt
Lines: 15

In article <72bj3t$bbk$1@nyheter.chalmers.se>,
sax@rmovt.rply.ce.chalmers.se (Stefan Axelsson) wrote:
>
> A newsgroup posting, I would say, is (almost) right up there with
> "personal conversation with N.N.", dejanews or not. It detracts from
> the scientific value of the paper, it doesn't add to it!
>

Scientific truth is what is valuable, preferable to that of a paper published through a process that might ignore aspects by limiting debate of the particulars.
-- 
---
The public is harder to steamroller than some might think.
---
Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer
Date: 12 Nov 1998 13:09:15 GMT
From: sax@rmovt.rply.ce.chalmers.se (Stefan Axelsson)
Message-ID: <72emlr$jsa$1@nyheter.chalmers.se>
References: <jgfunj-1111981642240001@dialup164.itexas.net>
Newsgroups: sci.crypt
Lines: 35

In article <jgfunj-1111981642240001@dialup164.itexas.net>,
W T Shaw <jgfunj@EnqvbSerrGrknf.pbz> wrote:
> Scientific truth is what is valuable, preferable to that of a paper
> published through a process that might ignore aspects by limiting debate
> of the particulars.

Not being a native speaker, I had difficulty parsing that, but I'm going to take one last stab anyway, feel free to have the last word.

"Scientific truth" is the operative phrase here. While the fact that the author of a scientific paper has chosen to refer to sources that the reader cannot himself verify, not in, and of, itself detracts from the intrinsic "truth" of the paper's stated position, it does detract heavily from the "scientific" part of your statement. The process is specifically *not* designed to "limit the discussion of the particulars" but, instead to further such discussion!

Now, of course there are references, and references, but if one resorts to building one's argument on a reference that the reader cannot himself verify, then of course one must question why, and if, that reference is to be included at all, it is of little, or no, value to the reader. *)

The peer review process may not be perfect, not many human endeavors are, but it's the best there is.

*) No reference to the paper by Bruce Schneier intended. I haven't read the paper in question, and thus could not possibly comment, on the kind of reference intended.

Stefan,
-- 
Stefan Axelsson                         Chalmers University of Technology
sax@rmovt.rply.ce.chalmers.se           Dept. of Computer Engineering
(Remove "rmovt.rply" to send mail.)
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 12 Nov 1998 14:19:41 GMT
From: "Joseph K. Nilaad" <jknilaad@xoommail.com>
Message-ID: <364AEE7D.FCF@xoommail.com>
References: <72bj3t$bbk$1@nyheter.chalmers.se>
Newsgroups: sci.crypt
Lines: 31

Stefan Axelsson wrote:
>
[snip]
> No, in general, they, currently, are, not. The problem of what to do
> with URL:s is a somewhat debated topic in academic circles today, and
> no real consensus has been reached. However, the majority of
> researchers recognise that there are difficult, and fundamental
> problems with referring to URL:s, or other forms of transient
> communication.

Those researchers you've mentioned should stop using the damn computers and hand write manuscripts with the manual typewriters and send them to their peers via regular mail. I can see that a URL may be short lived, but as long as it lives, it should be considered a valid reference.

>
> The requirements for a "good" scientific paper, whatever that may be,
> today, I would say, would exclude even references to obscure
> publications, where they are not crucial to the treatment of the subject.
>
> A newsgroup posting, I would say, is (almost) right up there with
> "personal conversation with N.N.", dejanews or not. It detracts from
> the scientific value of the paper, it doesn't add to it!
>

Maybe you should stop using newsgroups. But what a contradiction that is, since you do read dejanews.

---
Joseph K. Nilaad
Nature is simple and beautiful...
Life is too short to appreciate it all...
Subject: Re: Memo to the Amateur Cipher Designer
Date: 12 Nov 1998 10:19:38 -0500
From: juola@mathcs.duq.edu (Patrick Juola)
Message-ID: <72euaa$dob$1@quine.mathcs.duq.edu>
References: <364AEE7D.FCF@xoommail.com>
Newsgroups: sci.crypt
Lines: 46

In article <364AEE7D.FCF@xoommail.com>,
Joseph K. Nilaad <jknilaad@xoommail.com> wrote:
> Stefan Axelsson wrote:
>>
> [snip]
>> No, in general, they, currently, are, not. The problem of what to do
>> with URL:s is a somewhat debated topic in academic circles today, and
>> no real consensus has been reached. However, the majority of
>> researchers recognise that there are difficult, and fundamental
>> problems with referring to URL:s, or other forms of transient
>> communication.
> Those researchers you've mentioned should stop using the damn computers
> and hand write manuscripts with the manual typewriters and send them to
> their peers via regular mail. I can see that a URL may be short lived, but
> as long as it lives, it should be considered a valid reference.

Yes, but what happens when it no longer lives?

The point of references isn't to impress people with how widely you've read. It's to provide explanations for when someone else can't follow your work or needs to look at the foundations.

For example, "It has been observed (Flintstone and Rubble, 1999) that 20% of microfleems are subradiant." Observed under what conditions? The microfleems in my lab are running at damn nearly 40% subradiant. Does this mean that I'm using an odd batch of microfleems, or has the population changed over time, or that I'm measuring them wrongly? So I go to the journals and figure out just what definition F&R are using for subradiantness.

(Flintstone, p.c.) is marginally helpful. I can at least phone Fred up and ask him what the hell he was doing. *If* I know who Flintstone is and what lab he's at now and if he still remembers doing the work.

But http://www.bedrock.com/~fleems isn't nearly as helpful if the domain no longer exists and I can't even tell who did the work to phone him.

Sending everything to my peers through regular mail would make the problem worse, not better. I don't have access to the private letters that Flintstone writes you. What I need is some way to confirm the Flintstone-Rubble data, and the only way I can do that is if you give me a location that you and I both *know* I can find it.

-kitten
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 18 Nov 1998 03:24:44 GMT
From: "Joseph K. Nilaad" <jknilaad@xoommail.com>
Message-ID: <36523DFC.7E11@xoommail.com>
References: <72euaa$dob$1@quine.mathcs.duq.edu>
Newsgroups: sci.crypt
Lines: 47

Patrick Juola wrote:
>
[snip]
>> as long as it lives, it should be considered a valid reference.
>
> Yes, but what happens when it no longer lives?

Likewise, what if the publishers like Random House no longer exist? So what if the referenced URL no longer exists? At least you're being *honest* about it. There are so many good things that come out of URLs, that's undeniable.

> The point of references isn't to impress people with how widely
> you've read. It's to provide explanations for when someone else can't
> follow your work or needs to look at the foundations.

Agreed. But lack of them isn't impressive either.

[snip]
> But http://www.bedrock.com/~fleems isn't nearly as helpful if the
> domain no longer exists and I can't even tell who did the work to
> phone him.

I neither agree nor disagree here. It's a tough issue. However, what if the URL still exists?

Now let's say you see something that Fred tells his buddy about how to improve the ride for the Flint mobile at http://www.bedrock.com/~fleems. The improvement has a lot of text and demonstration graphics such that you can't absorb the information in a reasonable amount of time, or maybe you want to study it further. You like the idea and want to use it sometime in the future. What will you do? Most likely, you will print the page(s) for reading later. Most browsers now print the URL address and date.

One day your peer, Steve, drops by. You tell Steve about the improvement idea. He likes it and wants to know more. What will you tell him? Are you afraid to tell him that it's from http://www.bedrock.com/~fleems, or is it yours because a URL doesn't count?

> that Flintstone writes you.  What I need is some way to confirm the
> Flintstone-Rubble data, and the only way I can do that is if you
> give me a location that you and I both *know* I can find it.

I've read in a September 1998 issue that a company may deliver an 800MHz x86 CPU in Q1 1999.

---
Joseph K. Nilaad
Nature is simple and beautiful...
Life is too short to appreciate it all...
Subject: Re: Memo to the Amateur Cipher Designer
Date: 18 Nov 1998 08:45:35 -0500
From: juola@mathcs.duq.edu (Patrick Juola)
Message-ID: <72uj1v$oqq$1@quine.mathcs.duq.edu>
References: <36523DFC.7E11@xoommail.com>
Newsgroups: sci.crypt
Lines: 37

In article <36523DFC.7E11@xoommail.com>,
Joseph K. Nilaad <jknilaad@xoommail.com> wrote:
> Patrick Juola wrote:
>> The point of references isn't to impress people with how widely
>> you've read. It's to provide explanations for when someone else can't
>> follow your work or needs to look at the foundations.
> Agreed. But lack of them isn't impressive either.
>
> [snip]
>> But http://www.bedrock.com/~fleems isn't nearly as helpful if the
>> domain no longer exists and I can't even tell who did the work to
>> phone him.
> I neither agree nor disagree here. It's a tough issue. However, what if
> the URL still exists?
>
> Now let's say you see something that Fred tells his buddy about how to
> improve the ride for the Flint mobile at http://www.bedrock.com/~fleems.
> The improvement has a lot of text and demonstration graphics such that
> you can't absorb the information in a reasonable amount of time, or maybe you
> want to study it further. You like the idea and want to use it sometime in
> the future. What will you do? Most likely, you will print the page(s)
> for reading later. Most browsers now print the URL address and date.
>
> One day your peer, Steve, drops by. You tell Steve about the
> improvement idea. He likes it and wants to know more. What will you
> tell him? Are you afraid to tell him that it's from
> http://www.bedrock.com/~fleems, or is it yours because a URL doesn't count?

I'm likely to photocopy the page(s) for him (or loan them to him). Particularly if I have any reason to suspect that the page has been changed and/or gone 404.

The basic problem is that telling him that it's at http:[...]/~fleems is borderline useless.

-kitten
Subject: Re: Memo to the Amateur Cipher Designer
Date: 23 Nov 1998 00:44:36 GMT
From: clvisser@gene.wins.uva.nl (Coen L.S. Visser)
Message-ID: <73ab5k$p8d$1@nbox.wins.uva.nl>
References: <72uj1v$oqq$1@quine.mathcs.duq.edu>
Newsgroups: sci.crypt
Lines: 33

Joseph K. Nilaad <jknilaad@xoommail.com> wrote:
> Patrick Juola wrote:
>> The point of references isn't to impress people with how widely
>> you've read. It's to provide explanations for when someone else can't
>> follow your work or needs to look at the foundations.
> Agreed. But lack of them isn't impressive either.
>> But http://www.bedrock.com/~fleems isn't nearly as helpful if the
>> domain no longer exists and I can't even tell who did the work to
>> phone him.
> I neither agree nor disagree here. It's a tough issue. However, what if
> the URL still exists?

The problem is more serious than just a disappearing URL. What if the URL still exists, but the content has changed? That might give some semantic problems. A writer is responsible for his or her references. If you want to use a webpage as a reference, mirror the specific page and make sure that the exact content that is referred to is available even if the original page changes or disappears.

Example:

Patrick Reijnen (November 1998), Linux Hardware Compatibility HOWTO,
http://sunsite.unc.edu/LDP/HOWTO/Hardware-HOWTO.html
also at http://my.own.site/MyBookRefs/Hardware-HOWTO.html

There could be some copyright issues. These might be resolved by denying access to the mirror until the original disappears.

Regards,

Coen Visser
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 23 Nov 1998 09:44:33 +0100
From: galactus@stack.nl (Arnoud "Galactus" Engelfriet)
Message-ID: <xBSW24uYOdQY089yn@stack.nl>
References: <73ab5k$p8d$1@nbox.wins.uva.nl>
Newsgroups: sci.crypt
Lines: 22

In article <73ab5k$p8d$1@nbox.wins.uva.nl>,
clvisser@gene.wins.uva.nl (Coen L.S. Visser) wrote:
> A writer is responsible for his or her references. If you want to use a
> webpage as a reference, mirror the specific page and make sure that the exact
> content that is referred to is available even if the original page changes
> or disappears.

How about downloading the relevant documents from the Web and putting them on a CD-ROM, which is distributed together with the report? This is what I'll be doing for my graduation project. The copyright issues still exist, of course, and it may not be very practical for articles that are published for a wide audience.

Greetings,

Arnoud

-- 
\/ Arnoud "Galactus" Engelfriet - galactus@stack.nl          This space
   5th year Business & Computing Science student             left blank
   URL: http://www.stack.nl/~galactus/  PGP: 0x416A1A35      intentionally.
Subject: Re: Memo to the Amateur Cipher Designer
Date: 23 Nov 1998 23:20:51 GMT
From: clvisser@gene.wins.uva.nl (Coen L.S. Visser)
Message-ID: <73cqkj$lb0$1@nbox.wins.uva.nl>
References: <xBSW24uYOdQY089yn@stack.nl>
Newsgroups: sci.crypt
Lines: 21

galactus@stack.nl (Arnoud "Galactus" Engelfriet) writes:
> In article <73ab5k$p8d$1@nbox.wins.uva.nl>,
> clvisser@gene.wins.uva.nl (Coen L.S. Visser) wrote:
>> A writer is responsible for his or her references. If you want to use a
>> webpage as a reference, mirror the specific page and make sure that the exact
>> content that is referred to is available even if the original page changes
>> or disappears.
> How about downloading the relevant documents from the Web and putting
> them on a CD-ROM, which is distributed together with the report? This
> is what I'll be doing for my graduation project. The copyright issues
> still exist, of course, and it may not be very practical for articles
> that are published for a wide audience.

That would be really nice of course, but as you already state it has a lot of practical problems.

Regards,

Coen
Subject: Re: Memo to the Amateur Cipher Designer
Date: 23 Nov 1998 10:13:38 GMT
From: sax@rmovt.rply.ce.chalmers.se (Stefan Axelsson)
Message-ID: <73bcgi$nis$1@nyheter.chalmers.se>
References: <73ab5k$p8d$1@nbox.wins.uva.nl>
Newsgroups: sci.crypt
Lines: 34

In article <73ab5k$p8d$1@nbox.wins.uva.nl>,
Coen L.S. Visser <clvisser@gene.wins.uva.nl> wrote:
> The problem is more serious than just a disappearing URL. What if the
> URL still exists, but the content has changed? That might give some
> semantic problems. A writer is responsible for his or her
> references. If you want to use a webpage as a reference, mirror the
> specific page and make sure that the exact content that is referred to
> is available even if the original page changes or disappears.
> Example: Patrick Reijnen (November 1998), Linux Hardware
> Compatibility HOWTO,
> http://sunsite.unc.edu/LDP/HOWTO/Hardware-HOWTO.html also at
> http://my.own.site/MyBookRefs/Hardware-HOWTO.html There could be some
> copyright issues. These might be resolved by denying access to the
> mirror until the original disappears. Regards, Coen Visser

Only that doesn't work either. I've found many cases of papers, not too old, where the author *himself* refers to his own papers, that would supposedly be available through the web. Only, he was a PhD student when he wrote them, and as you know, such aren't necessarily around for all that long, after which most of their web pages fall into that great big bit-bucket in the sky...

What is needed, is some other, resilient, long lasting, redundant third party storage of references, such as a library is for printed material today. I know I can count on the British Library several orders of magnitude more than I do the web... (But then they charge for the service...)

Stefan,
-- 
Stefan Axelsson                         Chalmers University of Technology
sax@rmovt.rply.ce.chalmers.se           Dept. of Computer Engineering
(Remove "rmovt.rply" to send mail.)
Subject: Re: Memo to the Amateur Cipher Designer
Date: 23 Nov 1998 14:28:27 GMT
From: clvisser@gene.wins.uva.nl (Coen L.S. Visser)
Message-ID: <73breb$cj4$1@nbox.wins.uva.nl>
References: <73bcgi$nis$1@nyheter.chalmers.se>
Newsgroups: sci.crypt
Lines: 28

sax@rmovt.rply.ce.chalmers.se (Stefan Axelsson) writes:
> Coen L.S. Visser <clvisser@gene.wins.uva.nl> wrote:
>> If you want to use a webpage as a reference, mirror the
>> specific page and make sure that the exact content that is referred to
>> is available even if the original page changes or disappears.
> Only that doesn't work either. I've found many cases of papers, not
> too old, where the author *himself* refers to his own papers, that
> would supposedly be available through the web. Only, he was a PhD
> student when he wrote them, and as you know, such aren't necessarily
> around for all that long, after which most of their web pages fall
> into that great big bit-bucket in the sky...
> What is needed, is some other, resilient, long lasting, redundant
> third party storage of references, such as a library is for printed
> material today. I know I can count on the British Library several orders
> of magnitude more than I do the web... (But then they charge for the
> service...)

Yes, I agree, a third party storage of references would be the best thing. That would take the burden of archiving from the shoulders of authors. Libraries would be ideal for that task, they have the experience. Research institutes and publishers also have the knowledge to do it.

Regards,

Coen Visser
Subject: Re: Memo to the Amateur Cipher Designer
Date: 14 Nov 1998 15:32:53 GMT
From: sax@rmovt.rply.ce.chalmers.se (Stefan Axelsson)
Message-ID: <72k7r5$mju$1@nyheter.chalmers.se>
References: <364AEE7D.FCF@xoommail.com>
Newsgroups: sci.crypt
Lines: 44

In article <364AEE7D.FCF@xoommail.com>,
Joseph K. Nilaad <jknilaad@xoommail.com> shared his lack of insight with us, and wrote:
> Those researchers you've mentioned should stop using the damn computers
> and hand write manuscripts with the manual typewriters and send them to
> their peers via regular mail. I can see that a URL may be short lived, but
> as long as it lives, it should be considered a valid reference.
[...]
> Maybe you should stop using newsgroups. But what a contradiction that is,
> since you do read dejanews.

Look, the average time from research to publication in a refereed journal today is two years. Many/most of those URL:s will be dead by the time the paper leaves the presses. Furthermore, those same papers, the ones that won't immediately fall into oblivion, will be read for another 5-10-20 years, even in CS/CE. The average "web" year quite frankly does not cut it. So much for your "as long as it lives".

Furthermore, the research community of course won't stop using the web, or the internet, they were the ones that created it, remember? Private citizens weren't even allowed in. In the case of the web, the communication of scientific research results was the sole motivation in the first place. The first web page ever communicated scientific results.

No, the research community, knows full well, what the technology is capable of, and today, quite frankly, said technology is not capable of providing a source for scientific references that is, accurate, reliable, long lived, etc. etc. The internet/web may be fine for other (early) forms of scientific communication, but this isn't one of them.

This may well change, and in fact said researchers are working on the problem right now, see for instance, Ross Anderson's "Eternity service", but today, we are simply not there.

That's all I have to say to you, Mr. Nilaad, on the subject. No doubt, you'll feel the urge to keep on spewing.

Stefan,
-- 
Stefan Axelsson                         Chalmers University of Technology
sax@rmovt.rply.ce.chalmers.se           Dept. of Computer Engineering
(Remove "rmovt.rply" to send mail.)
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 16 Nov 1998 22:32:36 GMT
From: "Joseph K. Nilaad" <jknilaad@xoommail.com>
Message-ID: <3650A804.19D6@xoommail.com>
References: <72k7r5$mju$1@nyheter.chalmers.se>
Newsgroups: sci.crypt
Lines: 51

Stefan Axelsson wrote:
>
> Look, the average time from research to publication in a refereed
> journal today is two years. Many/most of those URL:s will be dead by

Yes, I know that. By the time it is published, the material may not be applicable 2-3 years later.

> the time the paper leaves the presses. Furthermore, those same papers,
> the ones that won't immediately fall into oblivion, will be read for
> another 5-10-20 years, even in CS/CE. The average "web" year quite

This is true for some other fields. In computers? I doubt it.

> frankly does not cut it. So much for your "as long as it lives".

My point is: so what, if it lasts less than one second? If you read the posted URL and get the ideas from it, then you should refer to it, unless you want to tell the world that it's your idea. Will you? Correct me if I'm wrong, but other than common knowledge, we should give credit to those whom we got some ideas from. URL or not URL, hardcopy or not.

>
> Furthermore, the research community of course won't stop using the
> web, or the internet, they were the ones that created it, remember?
> Private citizens weren't even allowed in. In the case of the web, the
> communication of scientific research results was the sole motivation
> in the first place. The first web page ever communicated scientific
> results.

Of course not. This is one of the most efficient ways to communicate with colleagues. If I get some ideas from you through this means and say the ideas are mine, you won't like that.

> [snip]
> reliable, long lived, etc. etc. The internet/web may be fine for other
> (early) forms of scientific communication, but this isn't one of them.

Why was it OK then, but not now? Give me some scientific reason(s).

> This may well change, and in fact said researchers are working on the
> problem right now, see for instance, Ross Anderson's "Eternity
> service", but today, we are simply not there.

The obvious problems that I can see with URLs are authentication and short life. See my reply to Bruce Schneier in sci.crypt for detail.

>
> That's all I have to say to you, Mr. Nilaad, on the subject. No doubt,
> you'll feel the urge to keep on spewing.

Look, just because publishing via URL is relatively short lived compared with hard copies, it doesn't mean we should not give publishers their credits. Unless, if you think that swindling someone's idea is OK. That would really gag me.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 17 Nov 1998 01:07:54 -0600
From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw)
Message-ID: <jgfunj-1711980107540001@dialup163.itexas.net>
References: <3650A804.19D6@xoommail.com>
Newsgroups: sci.crypt
Lines: 27

In article <3650A804.19D6@xoommail.com>, jknilaad@xoommail.com wrote:
>
> Correct me if I'm wrong, other than common knowledge, we should give
> credit to those whom we got some ideas from. URL or not URL, hardcopy
> or not.
>

If you can give credit, fine. It may be that you do not remember reading something, but use the idea anyway. In scanning lots of material, the end use of tidbits is not always obvious, and taking a note on where everything comes from is next to impossible. It is another case where demanding full footnotes may sound good, but it is next to impossible. Being able to scan the full archives should help.

....
> Look, just because publishing via URL is relatively short life comparing
> with hard copies, it doesn't mean we should not give publishers their
> credits. Unless, if you think that swindling someone's idea is OK.
> That would really gag me.

It may not be intentional, and sometimes people do have convergent thoughts. Try not to get too choked up about it. The only honest thing to do is to quote references when you know them, and not when you don't.
-- 
---
Your future is ahead of you.--Thomas E. Dewey
---
Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer
Date: 17 Nov 1998 11:49:49 GMT
From: sax@rmovt.rply.ce.chalmers.se (Stefan Axelsson)
Message-ID: <72rnst$t6t$1@nyheter.chalmers.se>
References: <3650A804.19D6@xoommail.com>
Newsgroups: sci.crypt
Lines: 40

In article <3650A804.19D6@xoommail.com>,
Joseph K. Nilaad <jknilaad@xoommail.com> wrote:
> Look, just because publishing via URL is relatively short lived compared
> with hard copies, it doesn't mean we should not give publishers their
> credits.

As I said in my original posting, the one which wound you up to no end, there are references, and there are references. If your only motivation for including a reference is to acknowledge someone else's idea, then the name of said person would (in general) do nicely. If you include a URL, it should be with the knowledge that it is/will become useless to the reader in a very short period of time. Read Patrick Juola's post in this thread, he's put it very succinctly.

Now, when it comes to your time frame, believe me when I say that *I* read plenty of papers that are 5, 10 (even) 20 years old (and so do my peers btw), and computer security, which is my field, is moving as fast as the rest of them. 6 months just won't cut it. And this is just one of the problems, others being lack of peer review, authenticity etc. etc.

The main use of electronic communication in the research community today is to learn of research results, (what's everybody else up to?), download papers already published elsewhere (while waiting for them, or deciding whether to bother, to arrive from the library), and communicating with peers around the world to do research, write about it, and review what others have written. (And of course the telephone and fax are not excluded from the means of electronic communication.)

Read my lips: For the peer reviewed publication of research results, today, a URL, just will not cut it, and this will be true for a long time to come (when counting web years at least).

Stefan,
-- 
Stefan Axelsson                         Chalmers University of Technology
sax@rmovt.rply.ce.chalmers.se           Dept. of Computer Engineering
(Remove "rmovt.rply" to send mail.)
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 12 Nov 1998 22:00:49 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <364b5a73.14615148@news.io.com>
References: <72bj3t$bbk$1@nyheter.chalmers.se>
Newsgroups: sci.crypt
Lines: 47

On 11 Nov 1998 08:50:05 GMT, in <72bj3t$bbk$1@nyheter.chalmers.se>, in sci.crypt sax@rmovt.rply.ce.chalmers.se (Stefan Axelsson) wrote:

> [...]
> The problem of what to do
> with URL:s is a somewhat debated topic in academic circles today, and
> no real consensus has been reached. However, the majority of
> researchers recognise that there are difficult, and fundamental
> problems with referring to URL:s, or other forms of transient
> communication.

Problems with URL's include the fact that their contents change over time, and that the URL's themselves may change or die. Still, as opposed to having *no* introductions to the literature, URL's can make a contribution.

> The requirements for a "good" scientific paper, whatever that may be,
> today, I would say, would exclude even references to obscure
> publications, where they are not crucial to the treatment of the subject.

This addresses the *convenience* of Science to the reader. But it ignores the *responsibility* of the author and the *requirement* of scientific publication to acknowledge the previous work, the source of the inspiration (rarely is any work completely original). If that previous work came in a private letter, so be it.

> A newsgroup posting, I would say, is (almost) right up there with
> "personal conversation with N.N.", dejanews or not. It detracts from
> the scientific value of the paper, it doesn't add to it!

A News posting has a "fixed expression" as of a given date, and a message-ID that identifies it particularly. It is also available in libraries, and all this makes it a "publication" for legal purposes. Nor is DejaNews the only News archive (I know of Reference.com; maybe somebody will know of others which do not use the DejaNews engine).

And News articles *can* be given a URL which has meaning, simply because the News article has a particular fixed expression.

---
Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Memo to the Amateur Cipher Designer
Date: 14 Nov 1998 15:18:53 GMT
From: sax@rmovt.rply.ce.chalmers.se (Stefan Axelsson)
Message-ID: <72k70t$ksj$1@nyheter.chalmers.se>
References: <364b5a73.14615148@news.io.com>
Newsgroups: sci.crypt
Lines: 36

In article <364b5a73.14615148@news.io.com>, Terry Ritter <ritter@io.com> wrote:
> This addresses the *convenience* of Science to the reader. But it
> ignores the *responsibility* of the author and the *requirement* of
> scientific publication to acknowledge the previous work, the source of
> the inspiration (rarely is any work completely original). If that
> previous work came in a private letter, so be it.

No, that's not what I meant. Note my comment that not all references are created equal. In either case, if you *build* your argument on something you reference, then this reference should be reliably available to your peers.

> A News posting has a "fixed expression" as of a given date, and a
> message-ID that identifies it particularly. It is also available in
> libraries, and all this makes it a "publication" for legal purposes.

Not in any library I know of... Now, I won't go into the American legal definition of "publication". Suffice it to say that in (most) academic circles, a web page, or a news article does not a publication make. And this, I would add, for good, already stated, reasons.

The web/internet is an outstanding medium for many forms of scientific communication, and indeed that was the reason *) the underlying technology was created in the first place, but for references in peer reviewed publications, it leaves too much to be desired.

*) Sole reason in the case of the web, less so in the case of the internet.

My last post in this subthread. Feel free to have the last word.

Stefan,
-- 
Stefan Axelsson                         Chalmers University of Technology
sax@rmovt.rply.ce.chalmers.se           Dept. of Computer Engineering
(Remove "rmovt.rply" to send mail.)
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 11 Nov 1998 16:52:29 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <3649c053.4536194@news.visi.com>
References: <36494616.1500C031@stud.uni-muenchen.de>
Newsgroups: sci.crypt
Lines: 40

On Wed, 11 Nov 1998 09:08:54 +0100, Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de> wrote:

> Someone pointed out to me that I could have saved more bandwidth if
> I had paid attention to the following fact:
>
>     In the academically 'peer reviewed' paper by J. Kelsey, B.
>     Schneier, D. Wagner, C. Hall, Cryptanalytic Attacks on Pseudo-
>     random Number Generators (in S. Vaudenay (ed), Fast Software
>     Encryption, Springer, 1998), there is the following entry in
>     the references:
>
>     [Koc95] P. Kocher, post to sci.crypt Internet newsgroup (message-
>     ID pckDIr4Ar.L4zQnetcom.com), 4 Dec 1995
>
> This clearly refutes the claim that references to newsgroup articles
> are unworthy of good scientific papers and shows up the existence
> of some more logical inconsistencies than I had been able to uncover.
>
> It is noteworthy that in the same paper there are also references to
> Web page URL and to ftp URL. So these are also valid references
> for good scientific papers. Should patent publications be less
> worthy of being cited scientifically?? (In scientific publications
> one sometimes even sees such references as 'Private communication from
> XXX'. I personally consider these to be rather useless since the
> reader has practically no possibility to access these communications.)

Fascinating. And I consider myself avant garde by citing email messages, URLs, and patents in my papers. I take some flak for it, but I do it anyway. Most others don't bother, although it is much more common in computer security circles to add a URL if a paper appears on a website in addition to a proceedings or journal.

Whatever. I'm not sure what the discussion is about anymore, and I don't really want to bother figuring it out.

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems     Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419       Fax: 612-823-1590
           Free crypto newsletter.  See:  http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 11 Nov 1998 19:36:11 +0100
From: Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
Message-ID: <3649D91B.36B84298@stud.uni-muenchen.de>
References: <3649c053.4536194@news.visi.com>
Newsgroups: sci.crypt
Lines: 46

Bruce Schneier wrote:
>
> On Wed, 11 Nov 1998 09:08:54 +0100, Mok-Kong Shen
> <mok-kong.shen@stud.uni-muenchen.de> wrote:
> >Someone pointed out to me that I could have saved more bandwidth if
> >I had paid attention to the following fact:
> >
> >   In the academically 'peer reviewed' paper by J. Kelsey, B.
> >   Schneier, D. Wagner, C. Hall, Cryptanalytic Attacks on Pseudo-random
> >   Number Generators (in S. Vaudenay (ed), Fast Software
> >   Encryption, Springer, 1998), there is the following entry in
> >   the references:
> >
> >   [Koc95] P. Kocher, post to sci.crypt Internet newsgroup (message-ID
> >   pckDIr4Ar.L4zQnetcom.com), 4 Dec 1995
> >
> >This clearly refutes the claim that references to newsgroup articles
> >are unworthy of good scientific papers and shows up the existence
> >of some more logical inconsistencies than I had been able to uncover.
> >
> >It is noteworthy that in the same paper there are also references to
> >Web page URL and to ftp URL. So these are also valid references
> >for good scientific papers. Should patent publications be less
> >worthy of being cited scientifically?? (In scientific publications
> >one sometimes even sees such references as 'Private communication from
> >XXX'. I personally consider these to be rather useless since the
> >reader has practically no possibility to access these communications.)
>
> Fascinating. And I consider myself avant garde by citing email
> messages, URLs, and patents in my papers. I take some flak for it,
> but I do it anyway. Most others don't bother, although it is much
> more common in computer security circles to add a URL if a paper
> appears on a website in addition to a proceedings or journal.
>
> Whatever. I'm not sure what the discussion is about anymore, and I
> don't really want to bother figuring it out.

To be avant garde is one thing, yet not to mention a relevant fact that a scientist himself is MOST familiar with (because it concerns HIS own writing) in a scientific discussion, and that obviously consciously (unless one suffers from the blackout-syndrome of some politicians), and thus misleading others to waste bandwidth and above that also to accuse these others of having wasted bandwidth is certainly entirely another matter!

M. K. Shen
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 11 Nov 1998 18:50:02 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <3649dc0c.11634433@news.visi.com>
References: <3649D91B.36B84298@stud.uni-muenchen.de>
Newsgroups: sci.crypt
Lines: 19

On Wed, 11 Nov 1998 19:36:11 +0100, Mok-Kong Shen
<mok-kong.shen@stud.uni-muenchen.de> wrote:

>To be avant garde is one thing, yet not to mention a relevant
>fact that a scientist himself is MOST familiar with (because it
>concerns HIS own writing) in a scientific discussion, and that obviously
>consciously (unless one suffers from the blackout-syndrome of
>some politicians), and thus misleading others to waste bandwidth and
>above that also to accuse these others of having wasted bandwidth is
>certainly entirely another matter!

Yeah. Sure. You're right. Whatever.

I apologise for misleading you (deliberately, it seems) and causing you to waste bandwidth and then to accuse you of wasting bandwidth.

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems     Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419       Fax: 612-823-1590
           Free crypto newsletter.  See:  http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 11 Nov 1998 16:52:53 -0600
From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw)
Message-ID: <jgfunj-1111981652530001@dialup164.itexas.net>
References: <3649c053.4536194@news.visi.com>
Newsgroups: sci.crypt
Lines: 15

In article <3649c053.4536194@news.visi.com>, schneier@counterpane.com (Bruce Schneier) wrote:
>
> Fascinating. And I consider myself avant garde by citing email
> messages, URLs, and patents in my papers. I take some flak for it,
> but I do it anyway. Most others don't bother, although it is much
> more common in computer security circles to add a URL if a paper
> appears on a website in addition to a proceedings or journal.
>
You have that in common with Ritter, as I recall.
--
---
The public is harder to steamroller than some might think.
---
Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 11 Nov 1998 22:31:47 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <364a1014.24956416@news.visi.com>
References: <jgfunj-1111981652530001@dialup164.itexas.net>
Newsgroups: sci.crypt
Lines: 26

On Wed, 11 Nov 1998 16:52:53 -0600, jgfunj@EnqvbSerrGrknf.pbz (W T Shaw) wrote:

>In article <3649c053.4536194@news.visi.com>, schneier@counterpane.com
>(Bruce Schneier) wrote:
>>
>> Fascinating. And I consider myself avant garde by citing email
>> messages, URLs, and patents in my papers. I take some flak for it,
>> but I do it anyway. Most others don't bother, although it is much
>> more common in computer security circles to add a URL if a paper
>> appears on a website in addition to a proceedings or journal.
>>
>You have that in common with Ritter, as I recall.

There are others, too. Currently the academic community is still trying to figure out how to handle URL references. The problem is that they are not stagnant, as references usually are. That is, if I reference a URL, and someone reads my paper two years later and looks at the same URL, they may not see what I saw. This problem does not exist with journals and conference proceedings.

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems     Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419       Fax: 612-823-1590
           Free crypto newsletter.  See:  http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 12 Nov 1998 11:43:48 -0600
From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw)
Message-ID: <jgfunj-1211981143480001@207.22.198.202>
References: <364a1014.24956416@news.visi.com>
Newsgroups: sci.crypt
Lines: 20

In article <364a1014.24956416@news.visi.com>, schneier@counterpane.com (Bruce Schneier) wrote:
>
>..Currently the academic community is still
> trying to figure out how to handle URL references. The problem is
> that they are not stagnant, as references usually are. That is, if I
> reference a URL, and someone reads my paper two years later and looks
> at the same URL, they may not see what I saw. This problem does not
> exist with journals and conference proceedings.
>
Fair use should mean that you could post the reference if it disappeared. Important things change from what is printed in journals and books too: job titles, mailing addresses and phone numbers. Actual technical mistakes are rather hard to reverse as well in fixed media; note the increased leaning on the web for current updates.
--
---
Your future is ahead of you.--Thomas E. Dewey
---
Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 12 Nov 1998 19:16:36 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <364c3360.14791002@news.visi.com>
References: <jgfunj-1211981143480001@207.22.198.202>
Newsgroups: sci.crypt
Lines: 47

On Thu, 12 Nov 1998 11:43:48 -0600, jgfunj@EnqvbSerrGrknf.pbz (W T Shaw) wrote:

>In article <364a1014.24956416@news.visi.com>, schneier@counterpane.com
>(Bruce Schneier) wrote:
>>
>>..Currently the academic community is still
>> trying to figure out how to handle URL references. The problem is
>> that they are not stagnant, as references usually are. That is, if I
>> reference a URL, and someone reads my paper two years later and looks
>> at the same URL, they may not see what I saw. This problem does not
>> exist with journals and conference proceedings.
>>
>Fair use should mean that you could post the reference if it disappeared.
>Important things change from what is printed in journals and books too:
>job titles, mailing addresses and phone numbers. Actual technical
>mistakes are rather hard to reverse as well in fixed media; note the
>increased leaning on the web for current updates.

Of course job titles, mailing addresses, and phone numbers change. That's not the issue.

The issue is that the actual reference may change. That is, in a printed journal the page I look at when I write the paper is the same page you look at when you check my reference. It is the same text, the same mailing address, the same everything. This is how conventional references work.

URL references do not work this way. The page I look at when I write my paper may or may not be the same page you look at when you check my reference. And neither of us has any way of knowing what will change in the future or what has changed in the past.

This is not a complaint, criticism, or anything like that. I am not saying that URLs are not valid references. I am not saying that URLs are necessarily less valuable than articles. I am not saying that academics ignore URLs. All I am saying is that there is an essential characteristic that is different, and the academic community is still trying to figure out how to handle that difference.

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems     Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419       Fax: 612-823-1590
           Free crypto newsletter.  See:  http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 12 Nov 1998 15:05:19 -0500
From: Tim Bass <"nobody"@silkroad.com (No Spam Please)>
Message-ID: <xiH22.2457$fl.17272491@audrey2.cais.com>
References: <364c3360.14791002@news.visi.com>
Newsgroups: sci.crypt
Lines: 67

> The issue is that the actual reference may change. That is, in a
> printed journal the page I look at when I write the paper is the same
> page you look at when you check my reference.

Absolutely!!! The primary purpose of technical writing, publishing, etc. is to communicate knowledge which is consistent, accurate, and is grounded in historical events and facts.

With the current state of the network, it is quite unprofessional to reference URLs. URLs are not static. They can change; they do change. The information content may change. In fact, I can easily modify my apache server to provide a completely different paper (URL) to the network user based on ip address, domain, or userid/password. The same info that Sally, Ted, and Alice read which was written by Joe must be the same.

In addition, historians in some future year looking for Mr. Bass' papers (if he was alive in the year 2050) may not be able to find http://www.silkroad.com/papers/. They may, however, have luck with a CDROM database of a statically reviewed paper, or paper journals.

Could we please discuss the technical aspects of crypto and cryptanalysis and work constructively on topics which are important? Instead of shouting opinions and picking apart other spelling or grammar, how about we work in building a new algorithm together and do the cryptanalysis together and have some fun!

I don't know about you, but I think cryptanalysis is a great topic, very interesting, and fun. It is not important to me 'who gets credit for what' and 'who knows more about x than y'. Everyone has something to offer and if given a chance and encouragement, many will become experts and scholars.

Unfortunately, the interesting technical threads 'just die'; while the 'mud slinging' threads with harsh speech and strong ungrounded opinions live on. Isn't it interesting how little we humans have evolved! We have WWW servers, 300 MHz processors, LCD touch screens, and with all this, we just throw rocks and mud at each other.

Let's have some technical fun!

-Tim
--
Tim Bass
Principal Consultant, Systems Engineering
The Silk Road Group, Ltd.
Tel: (703) 222-4243
Fax: (703) 222-7320
EMail: bass (at symbol) silkroad (.) com
http://www.silkroad.com/
http://www.silkroad.com/consulting/technical.html
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 12 Nov 1998 22:01:02 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <364b5a95.14648894@news.io.com>
References: <364a1014.24956416@news.visi.com>
Newsgroups: sci.crypt
Lines: 41

On Wed, 11 Nov 1998 22:31:47 GMT, in <364a1014.24956416@news.visi.com>, in sci.crypt schneier@counterpane.com (Bruce Schneier) wrote:

>[...]
>Currently the academic community is still
>trying to figure out how to handle URL references. The problem is
>that they are not stagnant, as references usually are. That is, if I
>reference a URL, and someone reads my paper two years later and looks
>at the same URL, they may not see what I saw. This problem does not
>exist with journals and conference proceedings.

This concept is often called "fixed expression," and is fundamental to the concept of "publication": When content is changed, which version is "the" publication?

But this happens with books as well, and I often find myself dealing with a different version of a well-known work than someone else is quoting. I handle this, when necessary, by going to the library and getting "the" reference.

The problem with the Web is that the older publications actually *disappear*, and that *is* a problem.

One thing we *could* do is to use "document information" to give us a particular file date, but that is not going to be much use when others have no access to the older document. It also can change without the content changing, for example, when the ISP moves to a new machine.

So I guess that most Web URL's need to be seen as "additional information," not central to an argument. But Web URL's *can* be an appropriate way to further identify the source of an idea which has been expanded differently.

Note that the "fixed expression" issue does not occur with News articles, which do have a particular expression fixed by a particular message-ID.

---
Terry Ritter   ritter@io.com   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 13 Nov 1998 15:12:13 +0100
From: Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
Message-ID: <364C3E3D.88571908@stud.uni-muenchen.de>
References: <364a1014.24956416@news.visi.com>
Newsgroups: sci.crypt
Lines: 25

Bruce Schneier wrote:

> There are others, too. Currently the academic community is still
> trying to figure out how to handle URL references. The problem is
> that they are not stagnant, as references usually are. That is, if I
> reference a URL, and someone reads my paper two years later and looks
> at the same URL, they may not see what I saw. This problem does not
> exist with journals and conference proceedings.

Information on the internet, in particular the Web, is getting archived. I personally have not yet made use of this resource but here is the URL:

   http://www.archive.org/

and here is what it claims anyway:

   The Archive will provide historians, researchers, scholars,
   and others access to this vast collection of data (reaching
   ten terabytes), and ensure the longevity of this information.

Assuming that this archive (or similar archives in future) does a good job, the said problem should disappear.

M. K. Shen
Subject: Re: Memo to the Amateur Cipher Designer
Date: 13 Nov 1998 09:26:04 -0500
From: juola@mathcs.duq.edu (Patrick Juola)
Message-ID: <72hfhs$fv9$1@quine.mathcs.duq.edu>
References: <364C3E3D.88571908@stud.uni-muenchen.de>
Newsgroups: sci.crypt
Lines: 40

In article <364C3E3D.88571908@stud.uni-muenchen.de>, Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de> wrote:
>Bruce Schneier wrote:
>
>> There are others, too. Currently the academic community is still
>> trying to figure out how to handle URL references. The problem is
>> that they are not stagnant, as references usually are. That is, if I
>> reference a URL, and someone reads my paper two years later and looks
>> at the same URL, they may not see what I saw. This problem does not
>> exist with journals and conference proceedings.
>
>Information on the internet, in particular the Web, is getting archived.
>I personally have not yet made use of this resource but here is
>the URL:
>
>   http://www.archive.org/
>
>and here is what it claims anyway:
>
>   The Archive will provide historians, researchers, scholars,
>   and others access to this vast collection of data (reaching
>   ten terabytes), and ensure the longevity of this information.
>
>Assuming that this archive (or similar archives in future) does a
>good job, the said problem should disappear.

Absolutely. But that's a *HUGE* assumption -- the more so as the volume of information on the web at any one time is, to a first approximation, several percent of the total hard drive capacity manufactured and in service.

Think of it this way -- assuming the average document half-life is about six months (which I pulled out of thin air, but seems about right), then you'll need to buy the entire Web in terms of disk capacity EVERY YEAR.

I don't think it's prudent to assume that someone will make that investment of time and money.

-kitten
Subject: Re: Memo to the Amateur Cipher Designer
Date: 18 Nov 1998 14:09:39 GMT
From: clvisser@gene.wins.uva.nl (Coen L.S. Visser)
Message-ID: <72ukf3$938$1@nbox.wins.uva.nl>
References: <72hfhs$fv9$1@quine.mathcs.duq.edu>
Newsgroups: sci.crypt
Lines: 24

juola@mathcs.duq.edu (Patrick Juola) writes:
>Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de> wrote:
>>Bruce Schneier wrote:

Bruce> Currently the academic community is still
Bruce> trying to figure out how to handle URL references. The problem is
Bruce> that they are not stagnant, as references usually are.

Mok-Kong> Information on the internet, in particular the Web, is getting archived.
Mok-Kong> Assuming that this archive (or similar archives in future) does a
Mok-Kong> good job, the said problem should disappear.

Patrick> Absolutely. But that's a *HUGE* assumption

I think the author making the reference should be responsible for archiving the particular web page in case the original reference becomes invalid. That creates of course copyright issues. Furthermore there is the dilemma which link should be printed as the reference: the original web page or the author's copy (with a reference from the author's page to the original of course).

Regards,

Coen
Subject: Re: Memo to the Amateur Cipher Designer
Date: 18 Nov 1998 09:52:12 -0500
From: juola@mathcs.duq.edu (Patrick Juola)
Message-ID: <72umus$pc6$1@quine.mathcs.duq.edu>
References: <72ukf3$938$1@nbox.wins.uva.nl>
Newsgroups: sci.crypt
Lines: 36

In article <72ukf3$938$1@nbox.wins.uva.nl>, Coen L.S. Visser <clvisser@gene.wins.uva.nl> wrote:
>juola@mathcs.duq.edu (Patrick Juola) writes:
>>Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de> wrote:
>>>Bruce Schneier wrote:
>
>Bruce> Currently the academic community is still
>Bruce> trying to figure out how to handle URL references. The problem is
>Bruce> that they are not stagnant, as references usually are.
>
>Mok-Kong> Information on the internet, in particular the Web, is getting archived.
>Mok-Kong> Assuming that this archive (or similar archives in future) does a
>Mok-Kong> good job, the said problem should disappear.
>
>Patrick> Absolutely. But that's a *HUGE* assumption
>
>I think the author making the reference should be responsible for archiving
>the particular web page in case the original reference becomes invalid.

I think that's about the fourth most unreasonable assertion I've heard in my life.

In the second place, it's no more likely that I will be findable in three years than the original author of the URL under discussion.

And in the first place, it's an unreasonable burden to place on the author. I have neither disk space, money, time, nor (most importantly) interest in archiving every URL I've ever found useful on the off-chance that someone might call upon me to produce my references.

The whole point of the reference scheme is to point the reader to someplace where s/he can be reasonably expected to find background material relevant to my document.

To expect the author to do the work of a librarian as well as an author is completely out of line. Why don't you expect me to hand-deliver copies of my manuscript as well, just in case the postal trucks break down?

-kitten
Subject: Re: Memo to the Amateur Cipher Designer
Date: 23 Nov 1998 01:33:53 GMT
From: clvisser@gene.wins.uva.nl (Coen L.S. Visser)
Message-ID: <73ae21$oo$1@nbox.wins.uva.nl>
References: <72umus$pc6$1@quine.mathcs.duq.edu>
Newsgroups: sci.crypt
Lines: 59

juola@mathcs.duq.edu (Patrick Juola) writes:
>Coen L.S. Visser <clvisser@gene.wins.uva.nl> wrote:
>>I think the author making the reference should be responsible for archiving
>>the particular web page in case the original reference becomes invalid.

>I think that's about the fourth most unreasonable assertion I've heard
>in my life.

Ok, I want to know: what are the other three? But seriously ;-)

>In the second place, it's no more likely that I will be
>findable in three years than the original author of the URL under
>discussion.

There is always the risk that you change ISP or something like that. But if you write books for a living and you have a web page, I believe the chances are quite high that your (new) web page can be found.

>And in the first place, it's an unreasonable burden to place on the
>author. I have neither disk space, money, time, nor (most importantly)
>interest in archiving every URL I've ever found useful on the off-chance
>that someone might call upon me to produce my references.

It is possible to make a distinction between an important reference (one whose web pages you mirror) and an unimportant web reference which you just mention.

>The whole point of the reference scheme is to point the reader to someplace
>where s/he can be reasonably expected to find background material
>relevant to my document.

Unfortunately, information on the net is much more volatile than that in printed media. There are some big discussions about the severe amnesia the internet suffers from. There is no need to make it worse. If you write something that you think is still important in five years and it contains a vital web page reference you would do well to preserve it. And if your paper is outdated in a year or so, well, why bother mirroring all the web pages you refer to.

>To expect the author to do the work of a librarian as well as an author is
>completely out of line.

My statement that an author is responsible for his/her references was a bit unjust I think now. Of course not all the work of mirroring should come on the shoulders of authors. There are many ways to manage a mirroring scheme. A research institute could create a reference repository. If it is your Big Book (TM), you could harass your publisher to mirror the documents that you find important. Many publishers already make errata to "their" books available in electronic form.

Regards,

Coen Visser

NB I've posted my opinion in this thread twice because my posting disappeared from our local news server. Apologies for the waste of bandwidth.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 13 Nov 1998 14:23:36 GMT
From: "Joseph K. Nilaad" <jknilaad@xoommail.com>
Message-ID: <364C40E8.1D24@xoommail.com>
References: <364a1014.24956416@news.visi.com>
Newsgroups: sci.crypt
Lines: 28

Bruce Schneier wrote:
>
> There are others, too. Currently the academic community is still
> trying to figure out how to handle URL references. The problem is
> that they are not stagnant, as references usually are. That is, if I
> reference a URL, and someone reads my paper two years later and looks
> at the same URL, they may not see what I saw. This problem does not
> exist with journals and conference proceedings.

This is just a thought of handling referred URL documents: If a document has references from any URL, those URL references must be electronically signed. By doing this, we can have authentic documents. In addition the author of the document must copy the whole URL documents and keep them as references. In case of any conflict, the electronically copied documents can be used as proofs. For signing the document, URL address must always be included with the original document owner's signature.

However, I still see some potential problems.
1. Which method is used to provide authentication?
2. Who will keep the database of disappeared URL?

Are there any other ideas?

---
Joseph K. Nilaad
Nature is simple and beautiful...
Life is too short to appreciate it all...
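As an added illustration of the signed, archived reference proposed in the post above (example code written for this page, not from the poster or anyone else in the thread): a Python sketch that pins a citation to the SHA-256 of the page as retrieved, keeps an archived copy, signs the record, and later classifies the live page as unchanged, changed or disappeared, falling back to the archived copy. The URL, the in-memory dictionary standing in for the Web, and the HMAC (used here in place of the owner's public-key signature the proposal calls for) are all constructed assumptions.

```python
"""Pinned URL reference: record what a page said when it was cited, so a
later reader can tell whether the live page is still the cited text."""
import hashlib
import hmac
import json

# Constructed stand-in for the live Web (URL -> current body).
# Real code would fetch over HTTP; this version runs offline.
WEB = {
    "http://example.invalid/papers/prng.html": b"Cryptanalytic attacks on PRNGs, v1",
}


def fetch(url, web=WEB):
    """Return the page body, or None if the URL no longer resolves."""
    return web.get(url)


def content_hash(body):
    return hashlib.sha256(body).hexdigest()


def sign(record, signing_key):
    """HMAC over the canonical JSON of the record (stand-in for a real
    digital signature by the citing author)."""
    payload = json.dumps(record, sort_keys=True).encode()
    return hmac.new(signing_key, payload, "sha256").hexdigest()


def make_reference(url, retrieved, archive, signing_key, web=WEB):
    """Cite `url` as of date `retrieved`: archive the body under its hash
    and return a signed record {url, retrieved, sha256, sig}."""
    body = fetch(url, web)
    if body is None:
        raise ValueError("cannot cite a URL that does not resolve: " + url)
    digest = content_hash(body)
    archive[digest] = body                      # keep the "fixed expression"
    record = {"url": url, "retrieved": retrieved, "sha256": digest}
    record["sig"] = sign(record, signing_key)
    return record


def verify_signature(record, signing_key):
    unsigned = {k: v for k, v in record.items() if k != "sig"}
    return hmac.compare_digest(sign(unsigned, signing_key), record["sig"])


def check_reference(record, archive, signing_key, web=WEB):
    """Classify the cited URL as 'unchanged', 'changed' or 'disappeared'
    and return the text the reader should use: the live page only when
    it still matches the pinned hash, otherwise the archived copy."""
    if not verify_signature(record, signing_key):
        raise ValueError("reference record fails signature check")
    live = fetch(record["url"], web)
    archived = archive.get(record["sha256"])
    if live is None:
        return "disappeared", archived
    if content_hash(live) == record["sha256"]:
        return "unchanged", live
    return "changed", archived


if __name__ == "__main__":
    key = b"constructed-demo-key"
    archive = {}
    url = "http://example.invalid/papers/prng.html"
    ref = make_reference(url, "1998-11-13", archive, key)
    print(check_reference(ref, archive, key)[0])    # unchanged
    WEB[url] = b"Cryptanalytic attacks on PRNGs, revised"
    print(check_reference(ref, archive, key)[0])    # changed
    del WEB[url]
    print(check_reference(ref, archive, key)[0])    # disappeared
```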
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 17 Nov 1998 09:05:00 +0100
From: Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
Message-ID: <36512E2C.CB9FB39B@stud.uni-muenchen.de>
References: <364C40E8.1D24@xoommail.com>
Newsgroups: sci.crypt
Lines: 32

Joseph K. Nilaad wrote:

> This is just a thought of handling referred URL documents:
> If a document has references from any URL, those URL references must be
> electronically signed. By doing this, we can have authentic documents.
> In addition the author of the document must copy the whole URL documents
> and keep them as references. In case of any conflict, the
> electronically copied documents can be used as proofs. For signing the
> document, URL address must always be included with the original document
> owner's signature.
>
> However, I still see some potential problems.
> 1. Which method is used to provide authentication?
> 2. Who will keep the database of disappeared URL?

I see rather the same problems with the originals of published Web pages. Due to the inherent insecurity of the internet (see faked mail addresses, for example) there is the question of authentication of the author. Of course, paper publications actually also have the same problem. But I suppose the problem really becomes serious with Web publications.

As to disappeared URL the archives I reported in another post should remove the problem, at least in principle. However, the volume of information on the internet is expanding (super-)exponentially. There is the question of economy of storing them, if one simply archives everything. One way I could imagine is for the archives to charge some fees for the archiving rather than offering free service. Another problem is that there are more often updates to Web pages than to printed stuff. One could use the technique of storing the differences like in version management of software. But clearly there is some tough problem here.

M. K. Shen
Subject: Re: Memo to the Amateur Cipher Designer
Date: 17 Nov 1998 12:00:56 GMT
From: sax@rmovt.rply.ce.chalmers.se (Stefan Axelsson)
Message-ID: <72roho$18$1@nyheter.chalmers.se>
References: <36512E2C.CB9FB39B@stud.uni-muenchen.de>
Newsgroups: sci.crypt
Lines: 43

In article <36512E2C.CB9FB39B@stud.uni-muenchen.de>, Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de> wrote:

>I see rather the same problems with the originals of published
>Web pages. Due to the inherent insecurity of the internet (see faked
>mail addresses, for example) there is the question of authentication
>of the author. Of course, paper publications actually also have
>the same problem.

Not really. You see, this is actually a model of trust in action. Some of the societies that peer review scientific work have the highest reputation, others do not. While there's the occasional slip-up this in general works very well. (Much of it, of course, hinges on the ability of the readers of said peer reviewed work to be able to check the references...) The IEEE stands behind the printed copy, and they are able to do so with some authority, and confidence.

Now, if the IEEE for example were to say, OK, to h*ll with the dead trees, let there be business as usual, but on the web instead, then of course, (almost) all that which is the IEEE would transfer to the electronic medium, and little would have to change.

The situation with everyone "publishing" their material is so far removed from this that I don't know where to start. Suffice it to say, that as is common, it is not (mainly) a question of technology, but one of the human element. What do we want, and how do we accomplish that?

>but clearly there is some tough problem here.
>M. K. Shen

Amen.

P.S. I've continued the discussion on a number of occasions, when I've promised not to, and this is getting so far removed from sci.crypt, that I suggest that the interested parties (myself included) take it to email.

Stefan,
--
Stefan Axelsson                    Chalmers University of Technology
sax@rmovt.rply.ce.chalmers.se      Dept. of Computer Engineering
(Remove "rmovt.rply" to send mail.)
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 17 Nov 1998 13:38:07 +0100
From: Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de>
Message-ID: <36516E2F.FB265F4A@stud.uni-muenchen.de>
References: <72roho$18$1@nyheter.chalmers.se>
Newsgroups: sci.crypt
Lines: 26

Stefan Axelsson wrote:
>
> In article <36512E2C.CB9FB39B@stud.uni-muenchen.de>,
> Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de> wrote:
>
> >I see rather the same problems with the originals of published
> >Web pages. Due to the inherent insecurity of the internet (see faked
> >mail addresses, for example) there is the question of authentication
> >of the author. Of course, paper publications actually also have
> >the same problem.
>
> Not really. You see, this is actually a model of trust in action. Some
> of the societies that peer review scientific work have the highest
> reputation, others do not. While there's the occasional slip-up this
> in general works very well. (Much of it, of course, hinges on the
> ability of the readers of said peer reviewed work to be able to check
> the references...) The IEEE stands behind the printed copy, and they
> are able to do so with some authority, and confidence.

I suppose either you misunderstood me or vice versa. What I mean is this: Suppose there is circulated on the internet a document (of whatever type) bearing a name X. Suppose X is unique. How do we know that this document is really from the person having the name X? (This has nothing to do with peer review or such stuff.)

M. K. Shen
Subject: Re: Memo to the Amateur Cipher Designer Date: 17 Nov 1998 10:11:58 -0500 From: juola@mathcs.duq.edu (Patrick Juola) Message-ID: <72s3nu$mhu$1@quine.mathcs.duq.edu> References: <36516E2F.FB265F4A@stud.uni-muenchen.de> Newsgroups: sci.crypt Lines: 58 In article <36516E2F.FB265F4A@stud.uni-muenchen.de>, Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de> wrote: >Stefan Axelsson wrote: >> >> In article <36512E2C.CB9FB39B@stud.uni-muenchen.de>, >> Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de> wrote: >> >> >I see rather the same problems with the originals of published >> >Web pages. Due to the inherent insecurity of the internet (see faked >> >mail addresses, for example) there is the question of authentication >> >of the author. Of course, paper publications actually also have >> >the same problem. >> >> Not really. You see, this is actually a model of trust in action. Some >> of the societies that peer review scientific work have the highest >> reputation, others do not. While there's the occasional slip-up this >> in general works very well. (Much of it, of course, hinges on the >> ability of the readers of said peer reviewed work to be able to check >> the references...) The IEEE stands behind the printed copy, and they >> are able to do so with some authority, and confidence. > >I supposed either you misunderstood me or vice versa. What I mean >is this: Suppose there is circulated on the internet a document (of >whatever type) bearing a name X. Suppose X is unique. How do we >know that this document is really from the person having the >name X? (This has nothing to do peer review or such stuffs.) Actually, it does have something to do with peer review. The IEEE (for example) has implicitly "signed" or "authenticated" the claims made in its published work. So if you have an authentic copy of an IEEE publication, it implicitly stands behind the authenticity and accuracy of the works contained between the covers. 
And, of course, the publication is a physical copy and as such is relatively tamper-proof; it's easy to tell if someone has (naively) ripped out several pages and replaced them with something else. Of course, it isn't perfect -- I rarely get my journal articles straight from the IEEE, and it's possible that the CIA or someone could break into my office in the middle of the night and replace my journal copies with undetectable forgeries -- or that they could conspire with my *librarian* with the same intention but much worse result. So, in direct answer to your question, if there is a document on the Web purporting to be from me, that means little or nothing. If you got it from a Web site demonstrably owned by me, that means significantly more. *OR* if you got it from a Web site whose judgement and trustworthiness you accept, that also means more. In the case of physical objects, if you don't believe that I have the skill to undetectably tamper with a physical journal, you can also trust the copy of IEEE Trans. Info. Thy. that I lent you from my shelves. -kitten
Subject: Re: Memo to the Amateur Cipher Designer Date: 23 Nov 1998 10:18:23 GMT From: sax@rmovt.rply.ce.chalmers.se (Stefan Axelsson) Message-ID: <73bcpf$nk8$1@nyheter.chalmers.se> References: <72s3nu$mhu$1@quine.mathcs.duq.edu> Newsgroups: sci.crypt Lines: 21 In article <72s3nu$mhu$1@quine.mathcs.duq.edu>, Patrick Juola <juola@mathcs.duq.edu> wrote: >Actually, it does have something to do with peer review. The >IEEE (for example) has implicitly "signed" or "authenticated" >the claims made in its published work. My point exactly, and that's even sidestepping the issue of the review of the content, the most valuable service performed by the IEEE in this case. And of course, the beauty of there being several hard copies made of each publication, makes it trivial for the reader to get his material from several sources, should he lack trust in any single one of them. The converse is of course not true of the web. Stefan, -- Stefan Axelsson Chalmers University of Technology sax@rmovt.rply.ce.chalmers.se Dept. of Computer Engineering (Remove "rmovt.rply" to send mail.)
Subject: Re: Memo to the Amateur Cipher Designer Date: Tue, 17 Nov 1998 14:08:18 -0600 From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw) Message-ID: <jgfunj-1711981408180001@dialup176.itexas.net> References: <36516E2F.FB265F4A@stud.uni-muenchen.de> Newsgroups: sci.crypt Lines: 26 In article <36516E2F.FB265F4A@stud.uni-muenchen.de>, Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de> wrote: > > I supposed either you misunderstood me or vice versa. What I mean > is this: Suppose there is circulated on the internet a document (of > whatever type) bearing a name X. Suppose X is unique. How do we > know that this document is really from the person having the > name X? (This has nothing to do with peer review or such stuff.) > You could mail or email a question to the author. It should be meaningful to post an email address, real address, and phone number. This either checks to the author, or it does not. Perhaps we need some bind PO/call forwarding schemes that can verify the identity of their subscribers if the direct approach is not acceptable. Sending a letter via PO without giving a return address is a fairly good way to get an anonymous message across. It is easy to recognize that threats and harassment via snail mail are a federal offense, and you would be bound to respect a directive to not send something again to a party telling you not to. The big problem is how to transfer this situation to the net and neither lose nor add anything. -- --- Your future is ahead of you.--Thomas E. Dewey --- Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer Date: 17 Nov 1998 14:12:50 -0500 From: juola@mathcs.duq.edu (Patrick Juola) Message-ID: <72shri$nae$1@quine.mathcs.duq.edu> References: <jgfunj-1711981408180001@dialup176.itexas.net> Newsgroups: sci.crypt Lines: 30 In article <jgfunj-1711981408180001@dialup176.itexas.net>, W T Shaw <jgfunj@EnqvbSerrGrknf.pbz> wrote: >In article <36516E2F.FB265F4A@stud.uni-muenchen.de>, Mok-Kong Shen ><mok-kong.shen@stud.uni-muenchen.de> wrote: >> >> I supposed either you misunderstood me or vice versa. What I mean >> is this: Suppose there is circulated on the internet a document (of >> whatever type) bearing a name X. Suppose X is unique. How do we >> know that this document is really from the person having the >> name X? (This has nothing to do with peer review or such stuff.) >> >You could mail or email a question to the author. It should be meaningful >to post an email address, real address, and phone number. Not especially helpful, I'm afraid. These things are *SO* ephemeral that they can't be reliably checked after six months or so. And even if you send mail and get a response back, how do you know that you're getting the right person? I could, for instance, easily create an Email address : monica.lewinsky@quine.mathcs.duq.edu and circulate a document claiming to "tell all" (not that there's much left to tell). When I receive mail to that address, I could easily forge something purporting to confirm that Monica *does* dial into an obscure machine at an obscure Pittsburgh university. And if you believe *that*, you'll probably believe anything. -kitten
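The exchange above turns on one point: a name or e-mail address attached to a document, or a reply from that address, proves nothing about who wrote it. The cryptographic answer, which none of the posts spell out, is a digital signature checked under a public key that the reader already knows belongs to X (obtained out of band, which is where the trust in publishers and personal acquaintance discussed in the thread still comes in). The following is an added example, not code from any of the posters; it uses textbook RSA over a SHA-256 digest with keys generated on the fly and no padding scheme, purely to show the check a reader performs, and the signed message is constructed. It is not a production signature scheme.

```python
"""Added illustration: a signature binds a document to a key, not to a name.

Textbook RSA over a SHA-256 digest, keys generated on the fly, no padding:
enough to show the check a reader performs, NOT a production scheme
(real deployments use RSA-PSS or Ed25519 from a vetted library).
"""
import hashlib
import secrets

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test with a trial-division prefilter."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # a proves n composite
    return True


def _random_prime(bits: int) -> int:
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 1024):
    """Return ((e, n), (d, n)): public key first, private key second."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:              # e must be invertible mod phi
            return (e, p * q), (pow(e, -1, phi), p * q)


def _digest_as_int(document: bytes) -> int:
    # SHA-256 output (256 bits) is always smaller than the modulus used here.
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes, private_key) -> int:
    d, n = private_key
    return pow(_digest_as_int(document), d, n)


def verify(document: bytes, signature: int, public_key) -> bool:
    """True only if signature was made over exactly this document by the key holder."""
    e, n = public_key
    return pow(signature, e, n) == _digest_as_int(document)


def authorship_scenario() -> dict:
    """The three cases the thread worries about: genuine, tampered, impostor."""
    pub_x, priv_x = generate_keypair()           # X's key; pub_x obtained out of band
    _pub_imp, priv_imp = generate_keypair()      # anyone else's key
    # Constructed document: the From: line is just bytes and proves nothing by itself.
    document = (b"From: X <x@example.invalid>\nSubject: my new cipher\n\n"
                b"Here is the design...")
    signature = sign(document, priv_x)
    return {
        "genuine": verify(document, signature, pub_x),
        "tampered": verify(document + b"\nP.S. the key is 16 bits", signature, pub_x),
        "impostor": verify(document, sign(document, priv_imp), pub_x),
    }


if __name__ == "__main__":
    print(authorship_scenario())
```

The impostor case is the one that answers the forged-address objection: an address anyone can register carries no key, so a document claiming to be from X but signed under some other key fails the check regardless of what the header says. What the signature cannot do is tell the reader which public key is X's in the first place; that binding has to come from somewhere the reader already trusts.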
Subject: Re: Memo to the Amateur Cipher Designer Date: Sun, 22 Nov 1998 12:47:22 -0600 From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw) Message-ID: <jgfunj-2211981247370001@207.101.116.115> References: <72shri$nae$1@quine.mathcs.duq.edu> Newsgroups: sci.crypt Lines: 29 In article <72shri$nae$1@quine.mathcs.duq.edu>, juola@mathcs.duq.edu (Patrick Juola) wrote: > >> > >You could mail or email a question to the author. It should be meaningful > >to post an email address, real address, and phone number. > > Not especially helpful, I'm afraid. These things are *SO* ephemeral > that they can't be reliably checked after six months or so. And > even if you send mail and get a response back, how do you know that > you're getting the right person? > The problem of authentication is big. You could go on content alone.....so anything that I have said that was incorrect, I can claim was a forgery. There is something said for meeting people physically, creating a history on which verification can be based. Now, if someone showed up and claimed to be David Sternlight, who would believe it, and who could verify it? We could test his rhetoric against the wealth of unique logic patterns claimed to have originated by him. Such a scientific test, a sort of linguistic fingerprint, might suffice. It would be hard to orally identify a certain affected attribute of my writings without me doing a Victor Borge style punctuated presentation; haven't you noticed the gimmick? -- --- Jail would not be a cheerful place for revisiting one's recollections. --- Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer Date: Wed, 11 Nov 1998 16:55:42 GMT From: schneier@counterpane.com (Bruce Schneier) Message-ID: <364bc0f8.4701632@news.visi.com> References: <36494616.1500C031@stud.uni-muenchen.de> Newsgroups: sci.crypt Lines: 29 On Wed, 11 Nov 1998 09:08:54 +0100, Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de> wrote: >I am taking this opportunity to say a bit more about peer review >of patent publications. A scientific paper is reviewed by a number >of peers before publishing. Afterwards, there is public review. >A reader may object by writing a 'letter to editor'. For a patent >(in the case of US, not other countries!) there is no review by >peers before patent publication. But afterwards the document is >examined by the professionals in the patent divisions of a number >of firms whose own patents may be concerned. If there are objections >there will be a legal issue in court. (This is at least true in >countries other than US.) I don't know what company you work for, but I am willing to concede that your company acts in the manner you describe. No company I have ever worked with has behaved in this manner, and I know of no company that does so. Almost all patents are examined by almost nobody. And I assure you that if a company sees a patent and has objections, in the great majority of cases there is no legal issue in court. Court is expensive; most companies have better things to do with their time. But again, I have no direct experience with the company (or companies) that you work for. Bruce ********************************************************************** Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098 101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590 Free crypto newsletter. See: http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer Date: Wed, 11 Nov 1998 19:53:11 +0100 From: Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de> Message-ID: <3649DD17.867829C@stud.uni-muenchen.de> References: <364bc0f8.4701632@news.visi.com> Newsgroups: sci.crypt Lines: 25 Bruce Schneier wrote: > I don't know what company you work for, but I am willing to concede > that your company acts in the manner you describe. No company I have > ever worked with has behaved in this manner, and I know of no company > that does so. Almost all patents are examined by almost nobody. And > I assure you that if a company sees a patent and has objections, in > the great majority of cases there is no legal issue in court. Court > is expensive; most companies have better things to do with their time. > > But again, I have no direct experience with the company (or companies) > that you work for. From which part of my writing did you infer that I argued in reference to a or the company I work for??? I argued in general terms, didn't I? As I wrote previously I know that many organic chemical compounds, for example, are patented. A competitor can't use these or has to pay license fees. That's why large chemical firms need people knowledgeable in such patents in order that they can do their business properly. These companies have so much money that the court expenses are really entirely negligible. This is one example that I happen to be able to present. Are you going to counter with a sentence like 'But in crypto it is different'? M. K. Shen
Subject: Re: Memo to the Amateur Cipher Designer Date: Wed, 11 Nov 1998 22:33:11 GMT From: schneier@counterpane.com (Bruce Schneier) Message-ID: <364b1060.25032108@news.visi.com> References: <3649DD17.867829C@stud.uni-muenchen.de> Newsgroups: sci.crypt Lines: 41 On Wed, 11 Nov 1998 19:53:11 +0100, Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de> wrote: >Bruce Schneier wrote: > >> I don't know what company you work for, but I am willing to concede >> that your company acts in the manner you describe. No company I have >> ever worked with has behaved in this manner, and I know of no company >> that does so. Almost all patents are examined by almost nobody. And >> I assure you that if a company sees a patent and has objections, in >> the great majority of cases there is no legal issue in court. Court >> is expensive; most companies have better things to do with their time. >> >> But again, I have no direct experience with the company (or companies) >> that you work for. > >From which part of my writing did you infer that I argued in >reference to a or the company I work for??? I argued in general >terms, didn't I? Don't know. I was just giving you the benefit of the doubt that your experiences may have differed from my own. As you show below, you have experience (or at least knowledge) from chemical firms, which is knowledge that I lack. >As I wrote previously I know that many organic >chemical compounds, for example, are patented. A competitor can't >use these or has to pay license fees. That's why large chemical >firms need people knowledgeable in such patents in order that >they can do their business properly. These companies have so much >money that the court expenses are really entirely negligible. This >is one example that I happen to be able to present. Are you going >to counter with a sentence like 'But in crypto it is different'? Nah. I'm going to drop the thread. 
Bruce ********************************************************************** Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098 101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590 Free crypto newsletter. See: http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer Date: Thu, 12 Nov 1998 10:25:16 +0100 From: Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de> Message-ID: <364AA97C.5EDD0267@stud.uni-muenchen.de> References: <364b1060.25032108@news.visi.com> Newsgroups: sci.crypt Lines: 39 Bruce Schneier wrote: > >From which part of my writing did you infer that I argued in > >reference to a or the company I work for??? I argued in general > >terms, didn't I? > > Don't know. I was just giving you the benefit of the doubt that your > experiences may have differed from my own. As you show below, you > have experience (or at least knowledge) from chemical firms, which is > knowledge that I lack. But this is simply an example of so-called 'common knowledge'. Someone happens to know this, another happens to know that. Maybe you know more about space travel than I, while I know a bit more about gene manipulations than you. That patents are important in the 'practice' (as against pure theory) of a large number of professions should be well-known. All of us use, for example, laser printers. But a large number of fonts are protected (the fonts of Knuth are free). We users of the printers don't need to know that but the 'professionals' in the industry concerned with printers have to know the details. Let me say some more words against the belittlement of patent publications. I'll choose an analogy which I already have used. DES is described in your well-known book. But where did you get the information? Maybe you got that from another author. But then where did he get that? Ultimately one comes to the original government publication, if one continues asking. So if that original document (which is perhaps not a scientific paper in the eyes of certain academics) doesn't get cited very often, that doesn't mean anything, in particular it does not affect the scientific value and significance (contribution) of that document. 
If a patented crypto is really good, it will be popular and more people will study it, eventually publishing papers on it. Whether the authors of the papers cite the patent document is in my view not very essential. One thing is on the other hand certain, namely that without the publishing of the original document these papers could not exist. M. K. Shen
Subject: Re: Memo to the Amateur Cipher Designer Date: Fri, 13 Nov 1998 10:30:55 +0100 From: Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de> Message-ID: <364BFC4F.4AED9332@stud.uni-muenchen.de> References: <364b1060.25032108@news.visi.com> Newsgroups: sci.crypt Lines: 46 To my post of 12 Nov 1998 10:25:16 +0100 I would like to add the following information related to patents which I have just (an hour before) acquired. This consists of the two URLs: http://www.wired.com/news/print_version/technology/story/16180.html?wnpg=all http://jya.com/rivest111098.htm The first is an article 'Patent May Threaten E-Privacy' which reported that much concern has been directed to a pending patent of P3P (Platform for Privacy Preferences) that could have significant impact for the internet. This shows that people are vigilant even on pending patents which are not officially published in the US (different from other countries). The second has the title 'US5835600 Block encryption algorithm with data dependent rotations' and is a patent issued to Prof. R. Rivest. This is interesting in that only three days after the issue of the patent it is already to be found on a Web page maintained by some private person, (highly probably) in contradiction to the thesis that 'Almost all patents are examined by almost nobody'. I think that it is universally true that where big money and/or its equivalents, e.g. personal survival, are involved there will be proportionately high attention paid by the community. Otherwise it could well happen under circumstances that very few people read a very high quality scientific paper that has no practical relevance. This is lamentable but is a fact of life. 
BTW, although I haven't yet closely studied Rivest's patent, I guess that there is a certain (maybe only weak) parallel of a small part of his idea with a small part of the idea underlying my WEAK3-E, since I also make use of rotations in block encryption (that is controlled by a hash value which is dependent on the plain text being processed and hence data dependent (though differing in the detailed manner from the patent)). M. K. Shen ------------------------------------------------------ M. K. Shen, Postfach 340238, D-80099 Muenchen, Germany +49 (89) 831939 (6:00 GMT) mok-kong.shen@stud.uni-muenchen.de http://www.stud.uni-muenchen.de/~mok-kong.shen/ (Last updated: 10th October 1998. origin site of WEAK1, WEAK2, WEAK3 and WEAK3-E. Containing 2 mathematical problems with rewards totalling US$500.)
Subject: Re: Memo to the Amateur Cipher Designer Date: Wed, 18 Nov 1998 14:21:39 +0100 From: Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de> Message-ID: <3652C9E3.1B972124@stud.uni-muenchen.de> References: <364b1060.25032108@news.visi.com> Newsgroups: sci.crypt Lines: 818 There has been recently some one-to-one discussions on themes occurring in this thread between Bruce Schneier and me, i.e. discussions outside of the group. I am posting in the following three e-mails (separated from one another by triple lines of *****) : (1) Shen to Schneier 17th Nov (2) Schneier to Shen 13th Nov (3) Shen to Schneier 16th Nov The motivation of posting these is given in (1). (I chose to post (2) instead of a previous e-mail of mine since that material is entirely contained in (2)). I have tried my best to argue, particularly in (3), especially for the following: a. Patents play in science and technology a significant role which cannot be and is not ignored by the academic community (which is a subset of the scientific/professional community). b. Sci.crypt is not a chatroom. Concerning the special field of cryptology I like to stress that I am not arguing that patent documents are excellent sources for one to search for good cryptos but I am definitely against the notion that they are all valueless to science. I hope that there will be further discussions in the group to make very clear what is true and what is not. M. K. Shen ************************************************************************ ************************************************************************ ************************************************************************ I had today the opportunity to talk to a number of persons interested in patents and mentioned the topic vehemently disputed by us in the current time point. 
They found that our one-to-one discussion contains very interesting information and opinions that should be accessible to a larger circle of readers so as to induce more discussions on the position of patents in scientific research, resulting in better insight about this essential theme. I therefore suggest that you delay answering my mail of yesterday by some 24 hours. I'll try to post my previous two responses tomorrow afternoon as a base upon which we and others of the group could carry on further discussions. Cheers, M. K. Shen ************************************************************************ ************************************************************************ ************************************************************************ At 07:29 PM 11/13/98 +0100, Mok-Kong Shen wrote: >Bruce Schneier wrote: > >> I'm still not sure what you're position is. Are you mad at me because I am >> describing the academic position at patents? Do you believe I am wrong >> when I say that patents are not cited very often? Do you think that >> academics do read patents, and just don't cite them for some nefarious >> reasons? Have you still not been convinced that patents do not go through >> the same peer review process that academic papers do? Do you believe >> that patent applications do count as publications for tenure? > >Please don't feel offended in any way in the following. I attempt >to express clearly and directly my thoughts without spending too >much time in the choice of wordings to make them 'look' nicer. > >I am not 'mad' at you at all. I feel (subjectively) I am arguing >within the framework of scientific discussions, arguing as strong as >possible for the truth (as believed by me, before I am shown to >be wrong). In other words, I have no 'personal' feeling against you. >(Why should I have one? You have at no time hurt me!) You described >the academic position at patents. I doubt that this is so. 
Do you doubt that my description is so, or that I am describing it? >I don't >like to argue too much about that. However it appears to me that you >are defending the position of the academics. I am not defending. I am describing. As you have pointed out, I am one of the few who regularly cites patents. >It is my basic view that >the academics should not neglect the information in the patent >publications because there is (at least some) valuable scientific >information there. Fine. That is a perfectly valid position. Please take it up with people who believe the reverse position. >Noting that we are (at least partly) discussing >on the general level, i.e. not restricting exclusively to crypto >matters, I believe that some academics do read patents. Of course some do. Most do not. >Just two >supporting arguments: 1) Some patents are applied by academics. In cryptography at least, most academics hate patents. You wouldn't believe the bile that such a discussion brings up at a crypto conference. >2) In engineering, for example, there are patented machine parts, >patented production methods, etc. These are to be taught to the >students. So the professors have to be acquainted with them. No. It is possible to teach X without reading the patent on X, just as it is possible to teach RSA without reading the RSA patent. Actually, it's better not to. The description is terrible and misleading. The academic paper is much easier to read, and much more useful as a teaching tool. >I agreed >that patents are not cited very often and have (twice) given my >explanation of the phenomenon. Academics don't cite patents because >of convenience. I don't understand this. It is no less convenient to cite one thing or another, assuming you've read them both. Academics don't cite patents because they don't read them. >This is understandable (if something is well-known, >it is pedantic to cite the original document every time one writes >about it). 
The original document cited is the paper, not the patent. Look at RSA, DES, Chaum's blind signatures stuff, and pretty much everything else in cryptography that has been patented. Find me one paper where the IDEA patent is cited instead of the IDEA paper. Or one where the RC5 patent is cited instead of the RC5 paper. I try to cite patents, because I don't want academics to be able to ignore the problems of their colleagues patenting their research. But I am a minor minority. >I have argued recently (though only implicitly expressed) >that it is the 'total' review (not the review before publication) that >should be taken into consideration. A paper receives proportionally >more review before publication than a patent (the US case is singular >but can be subsumed here) but if the content is worth scientifically >there is no inherent reason why the amount of total (before and >after publication) review (review by the scientific community, not >solely by the academics!) should be less in one case than the others. A patent receives no peer review. From the point of view of an academic, a patent receives no review. In the past, I have tried explaining the patent process and explaining the referee process for a paper. I have suggested that you get other opinions if you do not believe me. You can do whatever you want, though, and believe whatever you want. >For a paper there are a number of referees who because of their faith >to science conduct a rigorous examination. For a patent there are the >people of the patent divisions of the competitors, who are >professionals in the fields and are instructed by their employers to >conduct a rigorous examination because revenues could be at stake. The above does not happen, in general. I'm sorry if you don't believe me. I assumed you believed the above based on personal experience, but you got annoyed when I suggested that. I have no idea what to do now, and you are welcome to believe whatever you want. 
>I am of the opinion there is a rough equivalence in this respect, >even if the motivations of the examination differ. This is not true. Again, you can believe whatever you want. Please find others to discuss this with; possibly multiple opinions will convince you. (Please do not take the above as a suggestion that you spend money seeking professional advice, which would not be right in me suggesting.) >Patent applications >might not count for the tenure. I don't know. (But these do count for >those academics that have applied for patents!) Patent applications do not count as publications, period. They do not count as publications when tenure is discussed. The ability to get patents may be a goodness for a university in and of itself, though. >However, it is my >view that this situation (if it is indeed true) is not correct and >should get changed. (I can only hope but can offer of course no >means of effecting such change.) Good luck. >I hope that the above answers the >bunch of questions you posed above. Please let me know if some points >are not yet adequately covered. They do. I understand your position. I just have no further interest in debating it. >> But as I said in Usenet, I really don't want to carry on this conversation. >> It >> is not fun. You are not listening, either to me or to others on the >> newsgroup. >> I feel like you are blaming me personally simply because you don't like >> what I am saying. If this kind of thing happens socially, I generally walk >> away from the offending person. I did so, and you have followed me and >> sent me personal mail. So I am talking again. If I still find the >> conversation >> unpleasant, I will walk away again. > >It is my humble opinion that people engage in scientific discussions >because they desire to find the truth and not because they desire >to find fun and pleasure. That is the difference. You are engaging in a scientific discussion. I am merely chatting on Usenet. We are invested in differing amounts. 
>In order to find the truth one is ready to >pay the price, if necessary, of unpleasantness. I am excluding >impoliteness here which I hate and which unfortunately I experienced >often in discussion groups. I can assure you that from my standpoint >I have at no time point blamed you (in the sense of the word 'blame' >as I understand it). But it is true that I am very hard-necked (is >this a correct English word?) in scientific discussions. "Stiff necked" is proper. But nice choice. >If something >is in my opinion wrong, I always say it 'very' 'very' directly (without >'speaking through the flowers'). Perhaps you are not used to >discussion partners of my kind. I am. >After all, to take part in a scientific >discussion is free will, there is no obligation. If one gets tired, >feel the stuff uninteresting, or for whatever reason, one is >entirely free to stop arguing. You are not bound to reply to posts >of anybody. Due to my hard-neckedness I used to continue discussion, >however, up to the very end. (Not very long ago I was engaged in a >discussion on possible parapsychological influences on physical events >and in a discussion on Rivest's chaffing and winnowing. Both cases had >cost me quite a lot of extra time and energy because a few discussion >partners were not arguing scientifically in my humble view.) That's fine. I respect this. >> >The second has the title 'US5835600 Block encryption algorithm with >> >data dependent rotations' and is a patent issued to Prof. R. Rivest. >> >This is interesting in that only three days after the issue of >> >the patent it is already to be found on a Web page maintained by some >> >private person, (highly probably) in contradiction to the thesis >> >that 'Almost all patents are examined by almost nobody'. >> >> I knew about it the day it was released. This was important. Again, I don't >> see how it relates to a discussion as whether or not patents are generally >> read by academics. They are not. 
My apologies if you don't like this >> fact. > >You misunderstood me. My point here is not concerned with the academics. >The point is that patents do get attention from the scientific >(professional) community (which is not identical to the set of >academics!). Of course they get attention from the scientific community; I didn't think that was an issue. If I misquoted you, it is because I could think of no other reason for you to bring the item up. If you simply brought it up to make the point that patents get attention from professionals, then I agree with you. I do not believe that "get attention from" and "are worth an academic's time to read" are very different things. >> >I think that it is universally true that where big money and/or its >> >equivalents, e.g. personal survival, are involved there will be >> >proportionately high attention paid by the community. Otherwise >> >it could well happen under circumstances that very few people read >> >a very high quality scientific paper that has no practical relevances. >> >This is lamentable but is a fact of life. >> >> Yes, and the academic community is generally unconcerned with patents. >> The examples above are from the business community. > >You seem to stick to the issue of academic community. I am concerned >with the scientific (professional) community, including the >scientists that work for the business firms. Much of the divergence >of our discussions can be traced to this fact. Since most of >the readers of the group are not academics, not to say having tenures, >I believe that my broader standpoint is the more appropriate one >for the present discussion than yours. Oh. I didn't think this was about the professional community. I thought we were talking about patents being 1) worthy of academic citation, 2) worthy of "publication" status on par with real publications, and 3) the recipient of peer review similar to real publications. 
>> >BTW, although I haven't yet closely studied Rivest's patent, I guess >> >that there is a certain (maybe only weak) parallel of a small part >> >of his idea with a small part of the idea underlying my WEAK3-E, since >> >I also make use of rotations in block encryption (that is controlled >> >by a hash value which is dependent on the plain text being processed >> >and hence data dependent (though differing in the detailed manner >> >from the patent)). >> >> And there's an algorithm in my book that has data dependent rotations. >> And IBM makes a claim about them. >> >> Again, I don't see what this has to do with the fact that patents are not >> generally cited as academic papers, are not generally considered publications >> by academics, and are not subjected to the same peer review process >> as academic papers. > >You misunderstood me. Actually here it is my fault. I wanted to put >before the string 'BTW' above the phrase 'Something off-topic:'. >But an uncontrolled movement of my hand caused the message to be >sent without that phrase. My intention here is more 'personal' >(or egoistic), hoping that someone of the group would say something >about the idea of using rotations (which I also used in my algorithm >and of which I like to hear some opinions for eventually improving >my own design). Oh. >I hoped that I have given you a sufficiently understandable response. >If you have further questions or points, I shall be very glad to >answer them and discuss with you. As I said, I am very hard-necked in >scientific discussions (not so in private social discussions) and >I express my thoughts plainly without 'artificial' modifications. >I hope I have not said anything impolite, using bad words etc., >since I have not a single reason to be angry with you. Maybe >some words were 'strong' because I don't like to 'speak through >the flowers' but I am not conscious of having ever said anything that >does not correspond to plain facts. 
Please feel free to point out >directly, quoting my writing, if this is not true in your opinion, >so that I may learn something in this respect. Cheers, Bruce ********************************************************************** Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098 101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590 Free crypto newsletter. See: http://www.counterpane.com ************************************************************************ Bruce Schneier wrote: > > At 07:29 PM 11/13/98 +0100, Mok-Kong Shen wrote: > >(Why should I have one? You have at no time hurt me!) You described > >the academic position at patents. I doubt that this is so. > > Do you doubt that my description is so, or that I am describing it? I don't doubt at all the sincerity with which you gave your description. I simply doubt that what you described really corresponds to real world facts. (This lies at the foundation of our discussions.) > >I don't > >like to argue too much about that. However it appears to me that you > >are defending the position of the academics. > > I am not defending. I am describing. As you have pointed out, I am > one of the few who regularly cites patents. Once again, could we just forget about the academics in our discussions and concentrate on the scientific (professional) community as a whole (and even including the amateurs)? Note that by taking this broader scope the academics are NOT excluded, they become simply a minority. > >It is my basic view that the academics should not neglect the > >information in the patent publications because there are (at > >least some) valuable scientific informations there. > > Fine. That is a perfectly valid position. Please take it up with > people who believe the reverse position. 
> > >Noting that we are (at least partly) discussing > >on the general level, i.e. not restricting exclusively to crypto > >matters, I believe that some academics do read patents. > > Of course some do. Most do not. Just consider those prominent persons as Rivest, Shamir, Schnorr and Chaum. (As far as I know Chaum is not a professor but he is working for a scientific institution (comparable to an academy of science) in the Netherlands.) These all have patents. They must read other patents (not merely their own) when applying for patents. If some professors do not 'directly' read patent publications they 'indirectly' read them (see below). Does that make an essential difference in the context of the present discussion? (If you don't know Russian and you read English translations of Tolstoi, does that mean Tolstoi's original work is valueless??) I have two friends who are professors and who have some patents. One of them asked me recently even a question on convenient access to patent materials. (It happened that I could help him a bit because both the German and the European patent offices are in Munich.) The other made essential contributions to energy dissipation devices to prevent destructive vibrations of structures due to wind forces. He teaches his (patented) research stuffs to students and gives also lectures on that to professional engineers. By PURE chance, it happens that TODAY (16th Nov.) begins an information week organized by LMU, one of the universities in Munich, on patents for the students, in order to raise their awareness to the importance of patents to technology transfer. You can look at their program at: http://www.uni-muenchen.de/kft/patente/infowoche.html Even if you don't read German you can verify that e.g. it includes visits to the two patent offices in Munich, etc. 
Note that LMU is more humanities oriented, almost all technological faculties are concentrated in another university, the TU (Technical University), which by nature is more involved with patents. > >Just two > >supporting arguments: 1) Some patents are applied by academics. > > In cryptography at least, most academics hate patents. You wouldn't > believe the bile that such a discussion brings up at a crypto conference. > > >2) In engineering, for example, there are patented machine parts, > >patented production methods, etc. These are to be taught to the > >students. So the professors have to be acquainted with them. > > No. It is possible to teach X without reading the patent on X, just as > it is possible to teach RSA without reading the RSA patent. Actually, > it's better not to. The description is terrible and misleading. The > academic paper is much easier to read, and much more useful as > a teaching tool. Well, what matters if a professor does not read the patent document but his fellow professor reads that and describes it in detail in a text book or paper so that the first professor can teach the stuff to his students? (Isn't it even better, since in putting the stuff in a text book he has to well digest the material in the patent publication and thus is at the same time doing sort of 'peer review'?) What matters if you, when you wrote on DES in your book, did not consult the original NBS document but got all materials, say, from the book of H. Katzan who makes the material more palatable to the readers by providing an implementation with example results?? Does that mean the NBS document is unimportant, to be ignored?? The NBS document is, on the contrary, the 'bible' for implementing DES! > >I agreed > >that patents are not cited very often and have (twice) given my > >explanation of the phenomenon. Academics don't cite patents because > >of convenience. > > I don't understand this. 
It is no less convenient to cite one thing or > another, > assuming you've read them both. Academics don't cite patents because > they don't read them. Covered sufficiently above, I think. Why are you attaching so much weight to the 'academics' in the present discussions? Excuse me for asking you a more personal question. Are you teaching in a university? Assuming the answer is 'no', are you doing 'peer review' (a term according to your definition) when you do work in the program committee of FSE? > >This is understandable (if something is well-known, > >it is pedantic to cite the original document every time one writes > >about it). > > The original document cited is the paper, not the patent. Look at RSA, > DES, Chaum's blind signatures stuff, and pretty much everything else > in cryptography that has been patented. Find me one paper where the > IDEA patent is cited instead of the IDEA paper. Or one where the RC5 > patent is cited instead of the RC5 paper. I try to cite patents, because > I don't want academics to be able to ignore the problems of their > colleagues patenting their research. But I am a minor minority. At least in Germany, stuffs already published are not viable for patent considerations. That's why often results are at first kept secret. I once heard a public lecture by a professor on some electronic stuffs. He declined to give details of the work of one of his projects, saying that even a revelation in a talk (not publication in a journal) could endanger his planned patent application (for that would be equivalent to publication for the patent office). Now if after the issue of a patent there are papers or books describing sufficiently well the stuff in the patent document, then one certainly prefers to cite the papers or books, since they are more easily accessible. (This situation has changed. The German patents are e.g. on-line!) But why does this fact render the value of the patent publications to zero?? 
Could there be papers in such cases at all WITHOUT the patent publications? Let me put one question? Should we properly argue on patents (the 'invention' which happens to be published by the government) OR should we argue extremely over-proportionately on the physical sheets of paper on which some words and sentences and diagrams of the inventor are put? We began the present patent argument when I said that Terry Ritter's algorithms have a special (singular) position among the amateur ciphers because there are patents on them . Suppose one of his patents is indeed of comparable quality to IDEA, what is going to happen? For IDEA the history shows that there will be papers that are more easily accessible to the public. On the assumption just made, why should there not be papers for Ritter's designs as well?? You could only argue the other way round, namely that because some long time has elapsed without seeing papers on Ritter's designs, his work appears to be probably not especially good. But if you argue that, you implicitly assume that there are quite a number of people who have already examined his stuffs. (Note that from the very beginning, IDEA is a patent and Ritter's design is a patent. Why should one give from the outset less attention to one patent document than the other??) > >I have argued recently (though only implicitly expressed) > >that it is the 'total' review (not the review before publication) that > >should be taken into consideration. A paper receives proportinally > >more review before publication than a patent (the US case is singular > >but can be subsumed here) but if the content is worth scientifically > >there is no inherent reason why the amount of total (before and > >after publication) review (review by the scientific community, not > >solely by the academics!) should be less in one case than the others. > > A patent receives no peer review. From the point of view of an > academic, a patent receives no review. 
In the past, I have tried > explaining the patent process and explaining the referee process for > a paper. I have suggested that you get other opinions if you do not > believe me. You can do whatever you want, though, and believe > whatever you want. I am on the thread. If there are opinions I'll see them and argue! Only religion is to be 'believed'. Science has to be established on facts. Please pay attention to my repeated appeal to concentrate on the scientific community as a whole and NOT to consider only the academics! I said more than once that particularly the professionals in the patent divisions of commercial/industrial firms are ALSO 'peers'. I happen to have cast a glance into the recent issue of New Scientist (7th Nov.). There is a job offer on p.75 to a 'scientist with up-to-date biotechnology insight to manage and protect the intellectual property and patent interest of the company'. Doesn't that say something to you in the present context? > >For a paper there are a number of referees who because of their faith > >to science conduct a rigorous examination. For a patent there are the > >people of the patent divisions of the competitors, who are > >professionals in the fields and are instructed by their employers to > >conduct a rigorous examination because revenues could be at stake. > > The above does not happen, in general. I'm sorry if you don't believe me. > I assumed you believed the above based on personal experience, but you > got annoyed when I suggested that. I have no idea what to do now, and > you are welcome to believe whatever you want. If there are not often legal issues about patents, it is because the examiners have done a good job and because there is (in countries other than the US) public review before patents are issued. Just the other day I read something about patents of electronics in mobile phones. There are competing patents of Philips and Hitachi with different merits. 
Don't tell me that there are no professionals who critically compare and evaluate these. > >I am of the opinion there is a rough equivalence in this respect, > >even if the motivations of the examination differ. > > This is not true. Again, you can believe whatever you want. Please find > others to discuss this with; possibly multiple opinions will convince you. > (Please do not take the above as a suggestion that you spend money > seeking professional advice, which it would not be right for me to suggest.) This IS happening on the thread which is still active. We are conducting here a one to one private conversation. Do you prefer that I post this mail and the last response of mine to the group in order to elicit more discussions? I'll do it if you think that's better. > >Patent applications > >might not count for the tenure. I don't know. (But these do count for > >those academics that have applied for patents!) > > Patent applications do not count as publications, period. They do not > count as publications when tenure is discussed. The ability to get > patents may be a goodness for a university in and of itself, though. So government publications are NO publications according to you? Even a newspaper IS a publication! What dictionary do you use? How many persons in the world have tenures? How many professionals are there? Should a handful of guys (here the academics) choose to call white black, all the rest of mankind could FORGET them!!! As I said nowadays science is NO LONGER religion! > >However, it is my > >view that this situation (if it is indeed true) is not correct and > >should get changed. (I can only hope but can offer of course no > >means of effecting such change.) > > Good luck. > > >I hope that the above answers the > >bunch of questions you posed above. Please let me know if some points > >are not yet adequately covered. > > They do. I understand your position. I just have no further interest in > debating it. 
Then of course you could keep silence, which is an alternative I pointed out in my previous post (quoted below). > >> But as I said in Usenet, I really don't want to carry on this > >> conversation. > >> It > >> is not fun. You are not listening, either to me or to others on the > >> newsgroup. > >> I feel like you are blaming me personally simply because you don't like > >> what I am saying. If this kind of thing happens socially, I generally > >> walk > >> away from the offending person. I did so, and you have followed me and > >> sent me personal mail. So I am talking again. If I still find the > >> conversation > >> unpleasant, I will walk away again. > > > >It is my humble opinion that people engage in scientific discussions > >because they desire to find the truth and not because they desire > >to find fun and pleasure. > > That is the difference. You are engaging in a scientific discussion. I am > merely chatting on Usenet. We are invested in differing amounts. May I remind you that for chatting there is IRC. Why does sci.crypt have the prefix 'sci' and not 'talk'??? (Are you formally asking here others not to take seriously whatever you say in the group???) > >In order to find the truth one is ready to > >pay the price, if necessary, of unpleasantness. I am excluding > >impoliteness here which I hate and which unfortunately I experienced > >often in discussion groups. I can assure you that from my standpoint > >I have at no time point blamed you (in the sense of the word 'blame' > >as I understand it). But it is true that I am very hard-necked (is > >this a correct English word?) in scientific discussions. > > "Stiff necked" is proper. But nice choice. > > >If something > >is in my opinion wrong, I always say it 'very' 'very' directly (without > >'speaking through the flowers'). Perhaps you are not used to > >discussion partners of my kind. > > I am. > > >After all, to take part in a scientific > >discussion is free will, there is no obligation. 
If one gets tired, > >feel the stuff uninteresting, or for whatever reason, one is > >entirely free to stop arguing. You are not bound to reply to posts > >of anybody. Due to my hard-neckedness I used to continue discussion, > >however, up to the very end. (Not very long ago I was engaged in a > >discussion on possible parapsychological influences on phsical events > >and in a discussion on Rivest's chaffing and winnowing. Both cases had > >cost me quite a lot of extra time and energy because a few discussion > >partners were not arguing scientifically in my humble view.) > > That's fine. I respect this. > > >> >The second has the title 'US5835600 Block encryption algorithm with > >> >data dependent rotations' and is a patent issued to Prof. R. Rivest. > >> >This is interesting in that only three days after the issue of > >> >the patent it is already to be found on a Web page maintained by some > >> >private person, (highly probably) in contradiction to the thesis > >> >that 'Almost all patents are examined by almost nobody'. > >> > >> I knew about it the day it was released. This was important. Again, I > don't > >> see how it relates to a discussion as whether or not patents are > >> generally > >> read by academics. They are not. My apologies if you don't like this > >> fact. > > > >You misunderstood me. My point here is not concerned with the academics. > >The point is that patents do get attention from the scientific > >(professional) community (which is not identical to the set of > >academics!). > > Of course they get attention from the scientific community; I didn't think > that > was an issue. If I misquoted you, it is because I could think of no other > reason > for you to bring the item up. If you simply brought it up to make the > point > that patents get attention from professionals, then I agree with you. I don't care whether the academics choose to ignore something, so long as the MAJORITY of the scientific community pay attention to that. 
> I do not believe that "get attention from" and "are worth an > academic's time to read" are very different things. I refer you again to what I said about 'academics'. > >> >I think that it is universally true that where big money and/or its > >> >equivalents, e.g. personal survival, are involved there will be > >> >proportionately high attention paid by the community. Otherwise > >> >it could well happen under circumstances that very few people read > >> >a very high quality scientific paper that has no practical relevances. > >> >This is lamentable but is a fact of life. > >> > >> Yes, and the academic community is generally unconcerned with patents. > >> The examples above are from the business community. So Prof. Rivest is one of the business community, not scientist, according to you??? > >You seem to stick to the issue of academic community. I am concerned > >with the scientific (professional) community, including the > >scientists that work for the business firms. Much of the divergence > >of our discussions can be traced to this fact. Since most of > >the readers of the group are not academics, not to say having tenures, > >I believe that my broader standpoint is the more appropriate one > >for the present discussion than yours. > > Oh. I didn't think this was about the professional community. > I thought we > were talking about patents being 1) worthy of academic citation, 2) worthy > of "publication" status on par with real publications, and 3) the recipient > of peer review similar to real publications. There is really only one single criterion for any publication: Worthy to be known by the community it addresses! A paper is NOT printed only for reading by those having tenures!!! And the scientific community isn't comprised of teenagers who are incapable of knowing what are good stuffs and what are bad and consequently have to follow strictly the advice and guides (or commands) of professors as to what they should and should not read!!! 
> >> >BTW, although I haven't yet closely studied Rivest's patent, I guess > >> >that there is a certain (maybe only weak) parallel of a small part > >> >of his idea with a small part of the idea underlying my WEAK3-E, since > >> >I also make use of rotations in block encryption (that is controled > >> >by a hash value which is dependent on the plain text being processed > >> >and hence data dependent (though differing in the detailed manner > >> >from the patent)). > >> > >> And there's an algorithm in my book that has data dependent rotations. > >> And IBM makes a claim about them. > >> > >> Again, I don't see what this has to do with the fact that patents are > >> not > >> generally cited as academic papers, are not generally considered > publications > >> by academics, and are not subjected to the same peer review process > >> as academic papers. > > > >You misunderstood me. Actually here it is my fault. I wanted to put > >before the string 'BTW' above the phrase 'Something off-topic:'. > >But an uncontrolled movement of my hand caused the message to be > >sent without that phrase. My intention here is more 'personal' > >(or egoistic), hoping that someone of the group would say something > >about the idea of using rotations (which I also used in my algorithm > >and of which I like to hear some opinions for eventually improving > >my own design). > > Oh. Isn't that even without the forgotten phrase it is fairly evident from the wordings that I was not arguing for patent or not patent in this particular paragraph but speaking on a possible comparison of the basic ideas underlying the two algorithms? > >I hoped that I have given you a sufficiently understandable response. > >If you have further questions or points, I shall be very glad to > >answer them and discuss with you. As I said, I am very hard-necked in > >scientific discussions (not so in private social discussions) and > >I express my thougts plainly without 'artificial' modifications. 
> >I hope I have not said anything impolite, using bad words etc., > >since I have not a single reason to be angry with you. Maybe > >some words were 'strong' because I don't like to 'speak through > >the flowers' but I am not conscious of having ever said anything that > >does not correspond to plain facts. Please feel free to point out > >directly, quoting my writing, if this is not true in your opinion, > >so that I may learn something in this respect. Cheers, M. K. Shen
Subject: Re: Memo to the Amateur Cipher Designer Date: Thu, 19 Nov 1998 08:57:45 +0100 From: Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de> Message-ID: <3653CF79.B04B3E6B@stud.uni-muenchen.de> References: <19981118100730.12389.00002976@ng104.aol.com> <3652C9E3.1B972124@stud.uni-muenchen.de> Newsgroups: sci.crypt Lines: 17 JPeschel wrote: > > > And the discussions should be kept outside of the group. > The truth is, Mok, if you want to read patents go ahead > and read them. Nobody is going to stop you. > > But please stop yammering about them here. I was not even saying whether I myself am reading many patents or not. I was only arguing about the VALUE of patent documents which Bruce Schneier negated, saying that these are not even publications. I am not yammering, nor chatting, which Bruce Schneier said he is doing. M. K. Shen
Subject: Re: Memo to the Amateur Cipher Designer Date: Thu, 12 Nov 1998 14:02:26 GMT From: "Joseph K. Nilaad" <jknilaad@xoommail.com> Message-ID: <364AEA72.559E@xoommail.com> References: <3649DD17.867829C@stud.uni-muenchen.de> Newsgroups: sci.crypt Lines: 45 Mok-Kong Shen wrote: > [snip] > Let me say some more words against the be-littlement of patent > publications. I'll choose an analogy which I already have used. > DES is described in your well-known book. But where did you get > the informations? Maybe you got that from another author. But > then where did he get that? Ultimately one comes to the original > government publication, if one continues asking. So if that original > document (which is perhaps not a scientific paper in the eyes of > certain academics) doesn't get cited very often, that doesn't mean > anything, in particular it does not affect the scientific value and > significance (contribution) of that document. If a patented crypto > is really good, it will be popular and more people will study it, > eventually publishing papers on it. Whether the authors of the > papers cite the patent document is in my view not very essential. > One thing is on the other hand certain, namely that without the > publishing of the original document these papers could not exist. You have very good point. Each patent here in the U.S. usually has related patents that are searched against. Though, I think it's kind of narrow but again 1000's of patent applications are filed yearly. I've heard that 2-3 years back-log. Back to crypto. I agreed with your statement "If a patented crypto is really good, it will be popular and more people will study it". I think that Bruce will also agree in which he has posted a reply to me here in sci.crypt. But he does have a valid point in the sense that why should one work for someone for free? The patents are owned by somebody! 
In case of DES, no one yet is being sued by DES owner but that doesn't guarantee the users of DES will not be sued. I think the patent owners should have choice to decide who can use their patents. I've seen some shareware allow for personal use. Maybe patent owners will do the same. We all agree that we want the *BEST CRYPTO* possible, patent or not, academic or not, etc. Ultimately, we need our own privacy. We can drag this forever. I sometime think, are we the muppets being manipulated? --- Joseph K. Nilaad Nature is simple and beautiful... Life is too short to appreciate it all...
Subject: Re: Memo to the Amateur Cipher Designer Date: Mon, 16 Nov 1998 03:07:07 GMT From: Denning Langston <denninglangston@yahoo.com> Message-ID: <364F961A.2408B9D0@yahoo.com> References: <3649DD17.867829C@stud.uni-muenchen.de> Newsgroups: sci.crypt Lines: 45 Mok-Kong Shen wrote: > As I wrote previously I know that many organic > chemical compounds, for example, are patented. A competitor can't > use these or has to pay license fees. That's why large chemical > firms need people knowledgeable in such patents in order that > they can do their business properly. These companies have so much > money that the court expenses are really entirely negligible. This > is one example that I happen to be able to present. Are you going > to counter with a sentence like 'But in crypto it is different'? > > M. K. Shen This is entirely wrong, at least in the US. Organic compounds are not patentable in and of themselves. Processes that create useful chemical compounds efficiently or cheaply are patentable, and specific uses of chemical compounds are patentable (pharmaceuticals, pesticides, herbicides, etc.), but chemical compounds in and of themselves are not patentable. Perhaps you are confusing chemical compounds whose synthesis is patented and that synthesis is the only known method by which the compound can be created. This will render the compound proprietary because no-one can find an unpatented process that results in the same compound. When the patent runs out, the entire world starts making it. (polytetrafluoroethylene is such an example - aka Teflon when DuPont had the patent, PTFE now that they don't.) The beginning of my career as a process design chemical engineer solely consisted of breaking both foreign and domestic process patents. Analyze a process resulting in compound 'A', determine its patentable 'uniqueness', and devise a process that results in the same compound without utilizing the same uniqueness. 
This usually resulted in a new patentable chemical process, at which point 'they' (the competition) would do the same to us. It's a chemical game of cat 'n mouse. Occasionally a court case would develop when a patent was granted for a chemical synthesis process that was not unique, but that rarely occurred (and at least one person lost his job when it did!). Denning Langston, PE
Subject: Re: Memo to the Amateur Cipher Designer Date: Mon, 16 Nov 1998 08:51:35 +0100 From: Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de> Message-ID: <364FD987.C11A2589@stud.uni-muenchen.de> References: <364F961A.2408B9D0@yahoo.com> Newsgroups: sci.crypt Lines: 42 Denning Langston wrote: > This is entirely wrong, at least in the US. > > Organic compounds are not patentable in and of themselves. Processes that > create useful chemical compounds efficiently or cheaply are patentable, and > specific uses of chemical compounds are patentable (pharmaceuticals, > pesticides, herbicides, etc.), but chemical compounds in and of themselves > are not patentable. > > Perhaps you are confusing chemical compounds whose synthesis is patented and > that synthesis is the only known method by which the compound can be > created. This will render the compound proprietary because no-one can find an > unpatented process that results in the same compound. When the patent runs > out, the entire world starts making it. (polytetrafluoroethylene is such an > example - aka Teflon when DuPont had the patent, PTFE now that they don't.) I am not a chemist. You certainly know exactly about chemical patents. But your argument does not invalidate the essence of my arguments in this thread, which is that patents (more properly the information contained and made public through the patents) contain (at least in part) essential and valuable scientific information which should not be ignored by the academics (those at the universities and the academies of sciences) and, as far as I can make out, are indeed not largely ignored by them (the converse was argued by Bruce Schneier.) What I can find about chemistry is that there are lots of literature references to patents, see e.g. Ullmann's Encyclopedia of Industrial Chemistry, 5th Ed. VCH Verlagsgesellschaft, Weinheim, 1985. 
Your information on the issue of whether a compound or only the synthesis method is patentable reminds me of a long disputed and deeper issue whether only a machine or also simply an idea without being coupled to a machine design is patentable. More specifically in the interest of this thread, the question is whether an algorithm is patentable or is it necessary to present for patent application some hardware implementing it. I am not knowledgeable about this. But examples like the RSA patents seem to indicate that current law practices do allow ideas to be patentable to some extent. M. K. Shen
Subject: Re: Memo to the Amateur Cipher Designer Date: Tue, 10 Nov 1998 15:34:48 GMT From: "Joseph K. Nilaad" <jknilaad@xoommail.com> Message-ID: <36485D18.4093@xoommail.com> References: <363F44ED.FEF5E3C@stud.uni-muenchen.de> Newsgroups: sci.crypt Lines: 118 Bruce Schneier wrote: > > On Tue, 03 Nov 1998 19:01:17 +0100, Mok-Kong Shen > <mok-kong.shen@stud.uni-muenchen.de> wrote: [snip] > > I believe you would be amazed by what gets through the patent office. > The only thing they regularly catch are perpetual motion machines; bad > cryptography will fly right over their heads. (For heaven's sake, they > can't even weed out impossible compression patents.) I just can't help getting into this thread, first of all, I don't work at the patent office. It is unfair the way you judge their work. 1000's of patents have been filed yearly, how many people are working there? Give them a break. In crypto, you know darn well it takes a lot of time to analyze, for instance, whatever FISH you have, have you finished with it? Maybe those people at the patent office are not experts in any field. But just because they are not *experts* in crypto, it doesn't mean that they are not in another field. Now why don't you tell me the merits of turbine engines and rotary engines? > > >I haven't submitted patents. But it is certainly permitted that I > >discuss the matter? In the real world there are also judges > >who are incapable and decide wrongly. As I argued previously patents > >are NOT issued simply because the examiners employed by the patent > >offices think they are o.k. > > Yes. You argued that previously. You are wrong. Patents are issued > because the patent examiner who has the application has allowed some > of the claims. Perhaps you should do thorough research on how a patent is granted before you make this kind of statement. Are there any patent guys out there who want to defend yourselves? 
As far as I know there is more than one person who makes the decision whether to grant or not. [snip] > > >(Recently in a mailing list someone > >said he could not exploit the idea of using faces in a scheme for > >passphrase entry because IBM has a patent that is very broad to > >cover that.) In which sense is such a public review less effective > >(stringent) than a 'peer review' in a journal? > > It's not public. There is no such public review. In very competitive > industries--pharmaceuticals come to mind--companies watch foreign > filings for clues as to what the competition is doing. But I know of > no instance of a company trying to block a patent from being awarded. Agree. [snip] > >> Then I won't be doing my job, because this discussion isn't worth > >> that much time. Sorry; I don't mean to be rude. I read sci.crypt for > >> fun, not to find more work to do. I am inclined to think that your comments are beginning to amuse me. > > > >I don't see you are responding to my point here at all. I claimed that > >the quoted challenge is inappropriate. What has that to do with > >fun or not fun in sci.crypt or work or not work?? You challenged other > >people to consult lawyers. That is not only WORK but monetary expenses!! > > Look, I didn't challenge anyone to consult a lawyer. I suggested that > if you don't believe me, you should consider asking someone else who > may know. I really don't care enough about this argument to spend the > time necessary to convince you. > > And there are some excellent books on patent law by Nolo Press. Different countries have different laws, so what good is Nolo Press in other countries? It is an unfair challenge. [snip] My point is that it doesn't matter whether it is an amateur or an expert who designs the crypto, patent or not, we all want the best crypto possible. If AES is confined to non-patented algorithms, I think it is very narrow minded. So what if we have to pay to use the best algorithm, so be it. 
If the guy who owns the best algorithm has a patent on it and charges too much for its use, then most likely there will be fewer people using his crypto. AES closed for entries this year; the winner will be announced a few years later. Get real. I don't know exactly how many entries, but I know it is less than 20. Let's say 2 years to announce the winner, and 3-5 persons "so called crypto experts" assigned to each algorithm to do cryptanalysis. How much money are we talking about? Not many people can afford to work for charity for that long. Maybe you can. Oh, you guys offer $10,000 for the person who has the best cryptanalysis against TWOFISH; that is a smart way to spend money. Let's see: if 5 people try for 5 months, that's 25 man-months; divide that into $10,000 and that's $400 a month per person. The more people try, the less money per month. If everybody is *considered* a failure to come up with the answer, zero out of pocket. *FREE LABOR*. Wow, that is a novelty. $10,000 for the experts, they don't even blink at it. Perhaps you can get Casio to sponsor your algorithm and up the ante; then maybe Mr. Ritter or Dave Scott will give it a shot. To me, whether the crypto algorithm is published or not is irrelevant. If the algorithm has any merits, let it stand out! I've worked with many people who published so many papers, but it seems that's all they can do. When it comes to doing real work, most of the time they can't even walk and chew gum at the same time. Just because you (in general) can write, it doesn't mean your stuff is correct or better than anyone else's. In addition, it is lucky for you that you can use DDJ for your contest, but not for many like Mr. Ritter or David A. Scott, etc. This thread is tooooo long, Bruce; what do you have against patented algorithms? Sum it all up, don't waste any bandwidth. I am beginning to find this thread very amusing now, ha ha ha. --- Joseph K. Nilaad Nature is simple and beautiful... Life is too short to appreciate it all...
Subject: Re: Memo to the Amateur Cipher Designer Date: 10 Nov 1998 11:53:37 -0500 From: juola@mathcs.duq.edu (Patrick Juola) Message-ID: <729r2h$91c$1@quine.mathcs.duq.edu> References: <36485D18.4093@xoommail.com> Newsgroups: sci.crypt Lines: 41 In article <36485D18.4093@xoommail.com>, Joseph K. Nilaad <jknilaad@xoommail.com> wrote: >Bruce Schneier wrote: >> >> On Tue, 03 Nov 1998 19:01:17 +0100, Mok-Kong Shen >> <mok-kong.shen@stud.uni-muenchen.de> wrote: >[snip] >> >> I believe you would be amazed by what gets through the patent office. >> The only thing they regularly catch are perpetual motion machines; bad >> cryptography will fly right over their heads. (For heaven's sake, they >> can't even weed out impossible compression patents.) >I just can't help getting into this thread; first of all, I don't work >at the patent office. It is unfair the way you judge their work. >Thousands of patents are filed yearly; how many people are working >there? Give them a break. In crypto, you know darn well it takes a lot >of time to analyze; for instance, whatever FISH you have, have you >finished with it? Maybe those people at the patent office are not >experts in any field. But just because they are not *experts* in crypto, >it doesn't mean that they are not in other fields. Now why don't you >tell me the merits of turbine engines and rotary engines? But this whole thread started with a discussion of whether or not patents were "peer-reviewed." They're not, as you admit above. The fact that patent agents aren't experts in cryptography isn't a moral failing -- or even surprising -- as you point out, they can't be expert in *everything*. But this doesn't mean that they're the "peers" of the experts who constitute the peer reviewers. Quite the contrary, it's an assertion that they're not -- and as such, the opinion of a patent agent doesn't constitute "peer review." 
Furthermore, the opinion of a patent agent is given on other grounds than scientific merit and for a different purpose. No apologies for patent agents should be necessary -- they're overworked civil servants doing the best they can under adverse conditions. But they're certainly not the peers of the authors of papers at CRYPTO'97. -kitten
Subject: Re: Memo to the Amateur Cipher Designer Date: Tue, 10 Nov 1998 17:58:27 +0100 From: <tbb03ar@mail.lrz-muenchen.de> Message-ID: <Pine.GSO.4.03.9811101744230.21447-100000@sun5.lrz-muenchen.de> References: <36485D18.4093@xoommail.com> Newsgroups: sci.crypt Lines: 41 On Tue, 10 Nov 1998, Joseph K. Nilaad wrote: > Bruce Schneier wrote: > > > > On Tue, 03 Nov 1998 19:01:17 +0100, Mok-Kong Shen > > <mok-kong.shen@stud.uni-muenchen.de> wrote: > [snip] > > > > I believe you would be amazed by what gets through the patent office. > > The only thing they regularly catch are perpetual motion machines; bad > > cryptography will fly right over their heads. (For heaven's sake, they > > can't even weed out impossible compression patents.) > I just can't help getting into this thread; first of all, I don't work > at the patent office. It is unfair the way you judge their work. > Thousands of patents are filed yearly; how many people are working > there? Give them a break. In crypto, you know darn well it takes a lot > of time to analyze; for instance, whatever FISH you have, have you > finished with it? Maybe those people at the patent office are not > experts in any field. But just because they are not *experts* in crypto, > it doesn't mean that they are not in other fields. Now why don't you > tell me the merits of turbine engines and rotary engines? > ... Nobody says the people at the patent office don't do a good job. Of course they do, and of course what they do is important for all of us: without patents all new inventions would have to be kept secret to keep others from copying them. But it is really not their job to test an encryption algorithm for strength. You should have a look at what strange machines - and algorithms - were patented. It's interesting and funny. Andreas Enterrottacher enterrottacher@lrz.tu-muenchen.de enterrottacher@t-online.de
Subject: Re: Memo to the Amateur Cipher Designer Date: 10 Nov 1998 18:16:26 GMT From: aph@cygnus.remove.co.uk (Andrew Haley) Message-ID: <729vtq$5oq$1@korai.cygnus.co.uk> References: <36485D18.4093@xoommail.com> Newsgroups: sci.crypt Lines: 25 Joseph K. Nilaad (jknilaad@xoommail.com) wrote: : My point is that it doesn't matter whether it is an amateur or an expert who : designs the crypto, patented or not; we all want the best crypto possible. : If AES is confined to non-patented algorithms, I think it is very narrow : minded. So what if we have to pay to use the best algorithm; so be : it. If the AES is to be universally used, it must not be encumbered by royalties. Much of the software which runs the Internet is free, and so there is no possibility of the supplier paying a royalty. Any algorithm which can only be used in unfree software faces an enormous barrier to acceptance: such an algorithm had better be obviously better than any free algorithm or it will not be used. : If the guy who owns the best algorithm has a patent on it and charges : too much for its use, then most likely there will be fewer people using : his crypto. Indeed. And the AES will have failed, and people will carry on using a diverse bunch of algorithms. The whole selection procedure will have been a complete waste of time. Andrew.
Subject: Re: Memo to the Amateur Cipher Designer Date: Wed, 11 Nov 1998 16:35:20 -0600 From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw) Message-ID: <jgfunj-1111981635210001@dialup164.itexas.net> References: <729vtq$5oq$1@korai.cygnus.co.uk> Newsgroups: sci.crypt Lines: 16 In article <729vtq$5oq$1@korai.cygnus.co.uk>, aph@cygnus.remove.co.uk (Andrew Haley) wrote: > > Indeed. And the AES will have failed, and people will carry on using > a diverse bunch of algorithms. The whole selection procedure will > have been a complete waste of time. > AES has several implications, only one of them being that it could replace lots of others. It is destined not to do that, so consider that having a government standard is still necessary, at least for them. The AES process has added to the mix of ciphers, and more is better. -- --- The public is harder to steamroller than some might think. --- Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer Date: Tue, 10 Nov 1998 18:25:43 GMT From: schneier@counterpane.com (Bruce Schneier) Message-ID: <364982dc.1295475@news.visi.com> References: <36485D18.4093@xoommail.com> Newsgroups: sci.crypt Lines: 127 On Tue, 10 Nov 1998 15:34:48 GMT, "Joseph K. Nilaad" <jknilaad@xoommail.com> wrote: >Bruce Schneier wrote: >> >> On Tue, 03 Nov 1998 19:01:17 +0100, Mok-Kong Shen >> <mok-kong.shen@stud.uni-muenchen.de> wrote: >[snip] >> >> I believe you would be amazed by what gets through the patent office. >> The only thing they regularly catch are perpetual motion machines; bad >> cryptography will fly right over their heads. (For heaven's sake, they >> can't even weed out impossible compression patents.) > >I just can't help getting into this thread; first of all, I don't work >at the patent office. It is unfair the way you judge their work. >Thousands of patents are filed yearly; how many people are working >there? Give them a break. In crypto, you know darn well it takes a lot >of time to analyze; for instance, whatever FISH you have, have you >finished with it? Maybe those people at the patent office are not >experts in any field. But just because they are not *experts* in crypto, >it doesn't mean that they are not in other fields. Now why don't you >tell me the merits of turbine engines and rotary engines? I'm sorry. I thought I was giving them a break. I know it is difficult. I know that they do the best job they can. I know that lots of things get by them. I don't mean to malign the patent office at all. I apologise if you thought otherwise. >Perhaps you should do thorough research on how a patent is granted >before you make this kind of statement. Are there any patent guys out >there who want to defend yourselves? As far as I know there is more than >one person who makes the decision whether to grant or not. Generally, there is just one examiner per patent. Occasionally they are bumped to supervisors for review, but not often. 
I understand that people aren't going to take my word here, but I don't have the time and patience to provide evidence to convince. Anyone who is interested is welcome to do their own research. >Different countries have different laws, so what good is Nolo >Press in other countries? It is an unfair challenge. Don't know. I believe they discuss foreign filings. And I don't mean it as a challenge. I just suggested a book with information. People are welcome to either read it or not, or to find their own books. >My point is that it doesn't matter whether it is an amateur or an expert who >designs the crypto, patented or not; we all want the best crypto possible. >If AES is confined to non-patented algorithms, I think it is very narrow >minded. So what if we have to pay to use the best algorithm; so be >it. If the guy who owns the best algorithm has a patent on it and charges >too much for its use, then most likely there will be fewer people using his >crypto. Possibly. NIST made their decision based on their own analysis and outside input. They decided to require submissions to be unpatented. Perhaps it is a mistake; we will find out soon enough. >AES closed for entries this year; the winner will be announced a few >years later. Get real. I don't know exactly how many entries, but I >know it is less than 20. Let's say 2 years to announce the winner, and >3-5 persons "so called crypto experts" assigned to each algorithm to do >cryptanalysis. How much money are we talking about? Not many people >can afford to work for charity for that long. Maybe you can. We can't. One of the main problems with the whole process is that NIST is counting on everyone in the community to work on analysis for free. This has nothing to do with whether or not the algorithms are patented. I have no idea what level of cryptanalysis we will see by the Second AES Workshop. I hope we'll see some good work. My fear is that people are just too busy with real work. 
NIST is hoping that because AES will be a world-wide standard that cryptanalysts will feel that it is in their best interest to donate their labor to the process. >Oh, you guys offer $10,000 for the person who has the best cryptanalysis >against TWOFISH; that is a smart way to spend money. Let's see: if 5 >people try for 5 months, that's 25 man-months; divide that into $10,000 and that's >$400 a month per person. The more people try, the less money per >month. If everybody is *considered* a failure to come up with the answer, zero >out of pocket. *FREE LABOR*. Wow, that is a novelty. $10,000 for the >experts, they don't even blink at it. Perhaps you can get Casio to >sponsor your algorithm and up the ante; then maybe Mr. Ritter or Dave Scott >will give it a shot. Some submissions have large corporate sponsors. IBM, RSA, and NTT submitted algorithms. Intel funded the work on Serpent. But yes, you are right: NIST is asking for free labor from cryptanalysts. >To me, whether the crypto algorithm is published or not is >irrelevant. If the algorithm has any merits, let it stand out! I've >worked with many people who published so many papers, but it seems that's >all they can do. When it comes to doing real work, most of the time they >can't even walk and chew gum at the same time. Just because you (in >general) can write, it doesn't mean your stuff is correct or better than >anyone else's. Agreed. >In addition, it is lucky for you that you can use DDJ for your contest, >but not for many like Mr. Ritter or David A. Scott, etc. Dr Dobbs publishes different algorithms from different people. The issue with Twofish also includes Panama, which is not an AES submission and is by other people entirely. And Dr Dobbs is not involved with the Twofish contest, although they did sponsor the Blowfish contest. >This thread is tooooo long, Bruce; what do you have against patented >algorithms? Sum it all up, don't waste any bandwidth. I have nothing against patented algorithms. 
People are welcome to patent algorithms. I see no reason to implement patented algorithms when there are unpatented alternatives. This is just good economics. I see no reason to perform free analysis on patented algorithms unless there is a good reason to do so. This is simply the same "work for free for someone else's benefit" argument that you gave above. Other than that, patented algorithms are fine. Bruce ********************************************************************** Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098 101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590 Free crypto newsletter. See: http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer Date: Wed, 11 Nov 1998 14:32:50 GMT From: malinov@mindless.com Message-ID: <72c76i$m3o$1@nnrp1.dejanews.com> References: <364982dc.1295475@news.visi.com> Newsgroups: sci.crypt Lines: 26 Bruce said something like . . . > Generally, there is just one examiner per patent. Occasionally they > are bumped to supervisors for review, but not often. Last I checked, cryptography is examined at the USPTO in art unit 2766 by three primary examiners, two juniors on the verge of becoming primaries and four juniors still in their first six months. The senior five examine their cases independently. The new juniors report their cases to their supervisor. All AU2766 examines is crypto, although that includes every system (tv, phone, computer, network, ATM, etc.) which uses crypto in some way. There has been much talk about reorganizing the art. With less than eighteen hours to examine each case, the patent office is only a filter. Bad patents are bound to get through although many more are caught and squashed. A patent can't rise to the level of "seal of approval," much less a peer review. It's just a property deed. Some of the paper is bound to represent worthless swamp land. It's up to the market to assign value. David Cain -- Power belongs to those who dare . . . Sapere Aude -----------== Posted via Deja News, The Discussion Network ==---------- http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
Subject: Re: Memo to the Amateur Cipher Designer Date: Thu, 12 Nov 1998 22:00:05 GMT From: ritter@io.com (Terry Ritter) Message-ID: <364b5a51.14580571@news.io.com> References: <364982dc.1295475@news.visi.com> Newsgroups: sci.crypt Lines: 60 On Tue, 10 Nov 1998 18:25:43 GMT, in <364982dc.1295475@news.visi.com>, in sci.crypt schneier@counterpane.com (Bruce Schneier) wrote: >[...] >I see no reason to implement patented algorithms >when there are unpatented alternatives. This is just good economics. This is *temporary* economics. By failing to compensate the work actually performed, we fail to build a profit-based business of cipher design. We have ciphers, yes. But we do not have a continuing business of cipher design, along with the expensive expertise and corporate history associated with other technologies. >I see no reason to perform free analysis on patented algorithms unless >there is a good reason to do so. And that is a fundamental difference: Some people make what they know their property (even though most of what we all know is gained from open sources), and they protect their knowledge-property with trade secrecy. In contrast, patents are about *exposing* knowledge. So on the one hand we have patents which *reveal* what they know, and on the other we have trade secrecy which *hides* what it knows from society -- unless they pay a fee, of course. Or unless they buy a book (for which they pay a fee). It is true that a patent is a limited-term monopoly. But that monopoly costs users only to the extent that it successfully competes -- royalties and all -- in the marketplace against other solutions. The people can thus decide what to use, based on full prior knowledge of the costs and advantages. Currently cryptanalysts *do* get fees to expose their private information, but cipher designers do *not* get rewards for making their information open to society. This would seem to be an interesting take on "freedom of information." 
>This is simply the same "work for >free for someone else's benefit" argument that you gave above. Other >than that, patented algorithms are fine. The idea of AES is to convince cipher designers to give away their work for free to companies who will turn around and sell it for a profit. Oh, yes, a few users will use free cipher implementations and so avoid payment. But most will not, so, in general, society will pay companies for merely *implementing* what they did not have to fund in research or development. AES is not about free end-user crypto; AES is about free crypto designs for companies to use to their profit. In this way our government avoids compensating cipher design, since a continuing business of cipher design is seen as a threat. --- Terry Ritter ritter@io.com http://www.io.com/~ritter/ Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Memo to the Amateur Cipher Designer Date: Fri, 13 Nov 1998 09:02:29 +0100 From: <tbb03ar@mail.lrz-muenchen.de> Message-ID: <Pine.GSO.4.03.9811130832040.6919-100000@sun5.lrz-muenchen.de> References: <364b5a51.14580571@news.io.com> Newsgroups: sci.crypt Lines: 73 On Thu, 12 Nov 1998, Terry Ritter wrote: > > On Tue, 10 Nov 1998 18:25:43 GMT, in <364982dc.1295475@news.visi.com>, > in sci.crypt schneier@counterpane.com (Bruce Schneier) wrote: > > >[...] > >I see no reason to implement patented algorithms > >when there are unpatented alternatives. This is just good economics. > > This is *temporary* economics. By failing to compensate the work > actually performed, we fail to build a profit-based business of cipher > design. We have ciphers, yes. But we do not have a continuing > business of cipher design, along with the expensive expertise and > corporate history associated with other technologies. > Free software has a long tradition, and no other software is developed faster and more continuously than free software. I don't see why ciphers should be different: they are a necessary part of information security, but there are enough free ones. > > >I see no reason to perform free analysis on patented algorithms unless > >there is a good reason to do so. > > And that is a fundamental difference: Some people make what they know > their property (even though most of what we all know is gained from > open sources), and they protect their knowledge-property with trade > secrecy. In contrast, patents are about *exposing* knowledge. I think the question was something completely different: free algorithms will be used by more people, and they will be tested both by some of the implementors and by some of the users. Patented algorithms will be used by few people - maybe only in the security systems of the developer. In the worst case nobody else will test the cipher and the strength will be unknown. > ... 
> > Currently cryptanalysts *do* get fees to expose their private > information, but cipher designers do *not* get rewards for making > their information open to society. This would seem to be an > interesting take on "freedom of information." > A good designer is a good cryptanalyst :-) > > >This is simply the same "work for > >free for someone else's benefit" argument that you gave above. Other > >than that, patented algorithms are fine. > > The idea of AES is to convince cipher designers to give away their > work for free to companies who will turn around and sell it for a > profit. So you don't think the person or company developing the final AES will earn lots of money because they are the developers of AES? It is simple to make use of the patent rights if it is refused. This way the developer gets either a good analysis of his patented algorithm or he becomes the developer of AES. No risk, as far as I can see. Andreas Enterrottacher enterrottacher@lrz.tu-muenchen.de enterrottacher@t-online.de
Subject: Re: Memo to the Amateur Cipher Designer Date: 13 Nov 1998 13:06:53 GMT From: aph@cygnus.remove.co.uk (Andrew Haley) Message-ID: <72hatd$9g3$1@korai.cygnus.co.uk> References: <364b5a51.14580571@news.io.com> Newsgroups: sci.crypt Lines: 53 Terry Ritter (ritter@io.com) wrote: : On Tue, 10 Nov 1998 18:25:43 GMT, in <364982dc.1295475@news.visi.com>, : in sci.crypt schneier@counterpane.com (Bruce Schneier) wrote: : >[...] : >I see no reason to implement patented algorithms : >when there are unpatented alternatives. This is just good economics. : This is *temporary* economics. By failing to compensate the work : actually performed, we fail to build a profit-based business of cipher : design. We have ciphers, yes. But we do not have a continuing : business of cipher design, along with the expensive expertise and : corporate history associated with other technologies. : The idea of AES is to convince cipher designers to give away their : work for free to companies who will turn around and sell it for a : profit. Oh, yes, a few users will use free cipher implementations and : so avoid payment. You don't seem to be addressing what I think is the central point. A successful AES candidate must be universal. This means that it must be used everywhere, in both free and unfree software. A patented algorithm may not be used in free software, so cannot be used universally. Therefore a patented AES will fail to be universal. I can see no point in having a standard cipher which is not universal. : But most will not, so, in general, society will pay companies for : merely *implementing* what they did not have to fund in research or : development. AES is not about free end-user crypto; AES is about : free crypto designs for companies to use to their profit. AES is about a universal crypto standard, just like DES. : In this way our government avoids compensating cipher design, since a : continuing business of cipher design is seen as a threat. 
There is no need for your government to compensate cipher designers. The idea of the AES, as I see it, is to exchange the prospect of future royalties for the advantage of having your algorithm approved. This is what IBM accepted when the DES was standardized. Andrew.
Subject: Re: Memo to the Amateur Cipher Designer Date: 13 Nov 1998 23:26:59 GMT From: olson@umbc.edu (Bryan G. Olson; CMSC (G)) Message-ID: <72if83$as$1@news.umbc.edu> References: <364b5a51.14580571@news.io.com> Newsgroups: sci.crypt Lines: 41 Terry Ritter (ritter@io.com) wrote: : in sci.crypt schneier@counterpane.com (Bruce Schneier) wrote: : >I see no reason to perform free analysis on patented algorithms unless : >there is a good reason to do so. : And that is a fundamental difference: Some people make what they know : their property (even though most of what we all know is gained from : open sources), and they protect their knowledge-property with trade : secrecy. In contrast, patents are about *exposing* knowledge. [...] : Currently cryptanalysts *do* get fees to expose their private : information, but cipher designers do *not* get rewards for making : their information open to society. This would seem to be an : interesting take on "freedom of information." Here's how the cipher analysis game is played: If Bob works on an algorithm for free, then if he finds a weakness he gets to publish, and if he doesn't he never has to reveal he tried. If a company pays Bob to look at their cipher, the company will invariably insist that Bob sign a non-disclosure, so he can't reveal weaknesses he finds. They'll also want to say that Bob failed to find any weakness if that's the case. : >This is simply the same "work for : >free for someone else's benefit" argument that you gave above. Other : >than that, patented algorithms are fine. : The idea of AES is to convince cipher designers to give away their : work for free to companies who will turn around and sell it for a : profit. Oh, yes, a few users will use free cipher implementations and : so avoid payment. When one buys an implementation, one pays for the implementation. If you look at how patented ciphers are sold, you'll find that companies charge for _both_ the implementation and the patent rights. 
Buy BSAFE and you include its DES code in your product at no extra cost. RSA you still have to license. --Bryan
Subject: Re: Memo to the Amateur Cipher Designer Date: Fri, 13 Nov 1998 23:58:24 GMT From: schneier@counterpane.com (Bruce Schneier) Message-ID: <364dc730.2338361@news.visi.com> References: <72if83$as$1@news.umbc.edu> Newsgroups: sci.crypt Lines: 22 On 13 Nov 1998 23:26:59 GMT, olson@umbc.edu (Bryan G. Olson; CMSC (G)) wrote: >Here's how the cipher analysis game is played: If Bob works on >an algorithm for free, then if he finds a weakness he gets to >publish, and if he doesn't he never has reveal he tried. If >a company pays Bob to look at their cipher, the company will >invariably insist that Bob sign a non-disclosure, so he can't >reveal weaknesses he finds. They'll also want to say that >Bob failed to find any weakness if that's the case. This has been my experience, working on both open and proprietary cryptography. Occasionally a company hires us to review an open cryptographic primitive, and allows us to publish our results. Hence, the work on SSL and Microsoft PPTP, and an analysis of IPSec that we are going to start as soon as the RFCs are published. Bruce ********************************************************************** Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098 101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590 Free crypto newsletter. See: http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer Date: 16 Nov 1998 03:22:57 GMT From: jsavard@freenet.edmonton.ab.ca () Message-ID: <72o5qh$4qn$3@news.sas.ab.ca> References: <364b5a51.14580571@news.io.com> Newsgroups: sci.crypt Lines: 30 Terry Ritter (ritter@io.com) wrote: : This is *temporary* economics. By failing to compensate the work : actually performed, we fail to build a profit-based business of cipher : design. Certainly, there are some egregious cases; that of Edward S. Hebern comes to mind. But leaving that aside, you have a valid point. While I don't think one can expect the market to purchase something patented for a situation where, say, DES is fully satisfactory, it is reasonable to say that the absence of a thriving cryptography industry means that the ciphers available for use are not as strong, or as well-analyzed, as they might be. It is a perennial problem that even those who do have a need for security persistently undervalue it. Of course, looking at many of the designs that have originated in the academic sector, I also must confess that I am inclined to think that, as far as conventional symmetric-key cryptography is concerned, there is not that great a need for vastly more secure algorithms than those which currently exist, or which could be obtained by trivially scaling-up an existing algorithm. Of course, impressive complexity is not a proof of security; but that goal, as I have noted, is one I do not believe to be realistic, as I suspect it is equivalent to solving the halting problem. John Savard
Subject: Re: Memo to the Amateur Cipher Designer Date: Wed, 11 Nov 1998 03:39:17 GMT From: "Joseph K. Nilaad" <jknilaad@xoommail.com> Message-ID: <364906E5.3520@xoommail.com> References: <36485D18.4093@xoommail.com> Newsgroups: sci.crypt Lines: 79 Bruce Schneier wrote: [snip] > Generally, there is just one examiner per patent. Occasionally they > are bumped to supervisors for review, but not often. > > I understand that people aren't going to take my word here, but I > don't have the time and patience to provide evidence to convince. > Anyone who is interested is welcome to do their own research. Agreed totally. I've seen you've taken a lot of heat; we all have a short fuse every now and then. > > >Different countries have different laws, so what good is Nolo > >Press in other countries? It is an unfair challenge. > > Don't know. I believe they discuss foreign filings. And I don't mean > it as a challenge. I just suggested a book with information. People > are welcome to either read it or not, or to find their own books. Sorry, I missed your point. [snip] > Possibly. NIST made their decision based on their own analysis and > outside input. They decided to require submissions to be unpatented. > Perhaps it is a mistake; we will find out soon enough. > > >AES closed for entries this year; the winner will be announced a few > >years later. Get real. I don't know exactly how many entries, but I > >know it is less than 20. Let's say 2 years to announce the winner, and > >3-5 persons "so called crypto experts" assigned to each algorithm to do > >cryptanalysis. How much money are we talking about? Not many people > >can afford to work for charity for that long. Maybe you can. > > We can't. One of the main problems with the whole process is that > NIST is counting on everyone in the community to work on analysis for > free. This has nothing to do with whether or not the algorithms are > patented. 
I have no idea what level of cryptanalysis we will see by > the Second AES Workshop. I hope we'll see some good work. My fear is > that people are just too busy with real work. > > NIST is hoping that because AES will be a world-wide standard that > cryptanalysts will feel that it is in their best interest to donate > their labor to the process. It seems obvious to me that the ones who will benefit the most are the government. They are using more computers than any other organization. But looking at it from a different view, this may save our tax dollars. For all of us average citizens, maybe AES doesn't matter much. What I want to see is that our Bill of Rights is not violated. For community work, perhaps it's time to use the famous phrase "ask not what your country can do for you, but what you can do to your country" or something like that. [snip] > > Some submissions have large corporate sponsors. IBM, RSA, and NTT > submitted algorithms. Intel funded the work on Serpent. But yes, you > are right: NIST is asking for free labor from cryptanalysts. This really bothers me. I can see it if all the work is for a good cause. Someone may benefit from this, but all you guys get is piss in your dark pants: you get the warm feeling but nobody notices (in the long run though). [snip] > > I have nothing against patented algorithms. People are welcome to > patent algorithms. I see no reason to implement patented algorithms > when there are unpatented alternatives. This is just good economics. > I see no reason to perform free analysis on patented algorithms unless > there is a good reason to do so. This is simply the same "work for > free for someone else's benefit" argument that you gave above. Other > than that, patented algorithms are fine. Now for all you guys out there, Bruce has made his point. Can we now live in sci.crypt in harmony? ---- Joseph K. Nilaad Nature is simple and beautiful... Life is too short to appreciate it all...
Subject: Re: Memo to the Amateur Cipher Designer
Date: 30 Oct 1998 14:48:32 -0500
From: juola@mathcs.duq.edu (Patrick Juola)
Message-ID: <71d56g$p9e$1@quine.mathcs.duq.edu>
References: <363A0105.81B31DB5@stud.uni-muenchen.de>
Newsgroups: sci.crypt
Lines: 38

In article <363A0105.81B31DB5@stud.uni-muenchen.de>,
Mok-Kong Shen <mok-kong.shen@stud.uni-muenchen.de> wrote:
>Bruce Schneier wrote:
>>
>> Some cryptographic algorithms are patented, yes. I'm not sure how
>> that's relevant. I do not know of any academic cryptographers that
>> regularly look through the U.S. patent system. Patents are not a
>> peer-reviewed publication. If an academic (in any discipline)
>> presented a list of patents to his tenure review board, they would not
>> be considered publication.
>
>This is not true. Applications for patents are examined by a number
>of professionals in the corresponding fields to ensure that the
>ideas are really novel and useful.

They are not. They are examined by professional patent agents who
typically know something, but not very much, of the areas involved. The
existence of embarrassingly large numbers of thoroughly ludicrous
patents is well-documented.

The basic problem is that patent agents are *NOT* "experts" in the
domains that they are passing judgement upon, and their opinions of what
is "novel" are frequently wrong and completely misguided based on their
unfamiliarity with the literature.

> There are huge databases maintained
>by the patent offices and are carefully checked to ensure patents are
>not given to someone bringing forth duplication or near duplication of
>prior art.

Based, of course, on other *patents*. But no such databases exist for
publications. And as the patent agents never (or rarely) read "the
literature", they don't know about new developments.

-kitten
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 04 Nov 1998 11:59:43 -0600
From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw)
Message-ID: <jgfunj-0411981159440001@207.22.198.223>
References: <71d56g$p9e$1@quine.mathcs.duq.edu>
Newsgroups: sci.crypt
Lines: 26

In article <71d56g$p9e$1@quine.mathcs.duq.edu>, juola@mathcs.duq.edu
(Patrick Juola) wrote:
>
> And as the patent agents never (or rarely) read "the literature",
> they don't know about new developments.
>
Cryptography is a special class, probably not entirely alone, as other
subjects might also get similar attention. Consider what is apt to
happen: PTO gets some crypto-related application; it gets put into a
pile since it might be messing with ideas that could be classified. The
application is properly forwarded to the Defense Department for review,
if not directly to NSA itself.

It would be on the recommendations of the particular agencies that
handled the details of inspection that the PTO office would act. The
paperwork could be simply passed back quickly to PTO and processed as
representing something trivial, but patentable all the same, returned
and rejected to the submitter with no reasons given, or held for further
study. From there, more options could click in. I bet you Ritter's work
got lots more than a quick glance.
--
---
Remember...vote early and vote often ;)
---
Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 05 Nov 1998 00:00:35 GMT
From: dscott@networkusa.net
Message-ID: <71qpr3$auf$1@nnrp1.dejanews.com>
References: <jgfunj-0411981159440001@207.22.198.223>
Newsgroups: sci.crypt
Lines: 44

In article <jgfunj-0411981159440001@207.22.198.223>,
jgfunj@EnqvbSerrGrknf.pbz (W T Shaw) wrote:
> In article <71d56g$p9e$1@quine.mathcs.duq.edu>, juola@mathcs.duq.edu
> (Patrick Juola) wrote:
> >
> > And as the patent agents never (or rarely) read "the literature",
> > they don't know about new developments.
> >
> Cryptography is a special class, probably not entirely alone, as other
> subjects might also get similar attention. Consider what is apt to
> happen: PTO gets some crypto-related application; it gets put into a
> pile since it might be messing with ideas that could be classified. The
> application is properly forwarded to the Defense Department for review,
> if not directly to NSA itself.
>
> It would be on the recommendations of the particular agencies that
> handled the details of inspection that the PTO office would act. The
> paperwork could be simply passed back quickly to PTO and processed as
> representing something trivial, but patentable all the same, returned
> and rejected to the submitter with no reasons given, or held for further
> study. From there, more options could click in. I bet you Ritter's work
> got lots more than a quick glance.
> --

If the NSA is doing its job at all, any encryption that is used at all
on the net would be analyzed by them. I am sure megabucks were spent on
PGP since it is so common. I think my stuff is stronger than IDEA or the
FISHY methods, but since it is not in the public eye I doubt if they
have given it as much attention yet. But it is very different from the
kind they are used to breaking, since 19u is built around 19-bit
boundaries on a PC endian type of machine. The program has to be
decrypted by several passes in the reverse direction. And as the R of
RSA is now pushing or talking about, it is a true all-or-nothing
encryption, something that may be beyond the B S crypto class of
people's current limited mind kind of thinking.
--
http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
http://members.xoom.com/ecil/index.htm

-----------== Posted via Deja News, The Discussion Network ==----------
http://www.dejanews.com/       Search, Read, Discuss, or Start Your Own
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 04 Nov 1998 16:41:25 -0800
From: aXcarol@apple.com (Andrew Carol)
Message-ID: <aXcarol-0411981641250001@andrew1.apple.com>
References: <71qpr3$auf$1@nnrp1.dejanews.com>
Newsgroups: sci.crypt
Lines: 36

In article <71qpr3$auf$1@nnrp1.dejanews.com>, dscott@networkusa.net wrote:

>I doubt
>if they have given it as much attention yet. But it is very different
>from the kind they are used to breaking. Since 19u is built around
>19 bit boundaries on a PC endian type of machine.

The effect the word size and bit direction will have to slow them down
can be summed up in one word.

ZERO.

Do you really believe that the crypto they are used to cracking from
other nations really restricts itself to nice clean word sizes and
alignments? That the brilliance of choosing a 19 bit word size will
stun them into inaction? "Sir, Mr Scott is not following the rules
that we ask the Russians and Chinese to follow in their crypto!"

If they have custom hardware, this is simply a matter of bit re-aligning
on the fly. There is already, in commercial use, reconfigurable hardware
where the design can be redefined _in circuit_ under the control of a
computer. This is perfect to build little 'converter' units to nudge
your 19 bit little endian data into whatever they want, and as fast
as a CPU could want it done.

In my military comm days, we had a custom IO processor which could handle
word sizes from 5 up to 32 bits, in either big or little endian, in either
positive or negative logic, with any parity (or even multiple parity per
word). And it could do that for up to 128 high data rate channels at the
same time. All in hardware, all very fast, all built in the mid 70's.

Oh well...
--
Andrew Carol aXcarol@apple.com
(Remove the spam avoiding 'X' from my e-mail address)
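The bit re-aligning Carol describes, as an added C example that is not code from either poster: a software "converter unit" that packs words of any width into a little-endian (LSB-first, an assumption) bit stream and reads the same stream back at any other width, so 19-bit words cost a few shifts and masks, nothing more. The four 19-bit sample words are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bit i of the stream lives in bit (i % 8) of byte i / 8: the order a
   little-endian PC produces when it writes words least-significant bit first.
   This ordering is an assumption of the example, not a fact about 19u. */

/* Read one nbits-wide word (nbits <= 32) starting at bit offset pos. */
uint32_t get_bits(const uint8_t *buf, size_t pos, unsigned nbits) {
    uint32_t v = 0;
    for (unsigned i = 0; i < nbits; i++) {
        size_t b = pos + i;
        v |= (uint32_t)((buf[b >> 3] >> (b & 7)) & 1u) << i;
    }
    return v;
}

/* Write the low nbits of v at bit offset pos (buffer must be zeroed first). */
void put_bits(uint8_t *buf, size_t pos, unsigned nbits, uint32_t v) {
    for (unsigned i = 0; i < nbits; i++) {
        if ((v >> i) & 1u) {
            size_t b = pos + i;
            buf[b >> 3] |= (uint8_t)(1u << (b & 7));
        }
    }
}

/* Pack count words of width nbits into buf. Returns bytes used, 0 if too small. */
size_t pack_words(const uint32_t *words, size_t count, unsigned nbits,
                  uint8_t *buf, size_t buflen) {
    size_t need = (count * nbits + 7) / 8;      /* last byte may be padded */
    if (need > buflen) return 0;
    memset(buf, 0, need);
    for (size_t i = 0; i < count; i++) put_bits(buf, i * nbits, nbits, words[i]);
    return need;
}

/* Unpack as many whole nbits-wide words as nbytes of stream hold (at most maxout). */
size_t unpack_words(const uint8_t *buf, size_t nbytes, unsigned nbits,
                    uint32_t *out, size_t maxout) {
    size_t count = (nbytes * 8) / nbits;
    if (count > maxout) count = maxout;
    for (size_t i = 0; i < count; i++) out[i] = get_bits(buf, i * nbits, nbits);
    return count;
}

/* The "converter unit" in software: re-express n words of width 'from' as
   words of width 'to' over the same bit stream. Returns output word count. */
size_t realign(const uint32_t *in, size_t n, unsigned from, unsigned to,
               uint32_t *out, size_t maxout) {
    uint8_t scratch[256];
    size_t nbytes = pack_words(in, n, from, scratch, sizeof scratch);
    if (nbytes == 0) return 0;
    return unpack_words(scratch, nbytes, to, out, maxout);
}

/* Constructed sample: four 19-bit words (76 bits, so 10 packed bytes). */
static const uint32_t SAMPLE[4] = {0x7FFFF, 0x12345, 0x00001, 0x55555};

/* i-th byte of the packed sample, or 0x100 when i is out of range. */
unsigned pack_sample_byte(size_t i) {
    uint8_t packed[16];
    size_t n = pack_words(SAMPLE, 4, 19, packed, sizeof packed);
    return i < n ? packed[i] : 0x100;
}

/* 19-bit -> 8-bit -> 19-bit must reproduce both the bytes and the words. */
int sample_roundtrip(void) {
    uint8_t packed[16];
    uint32_t as_bytes[16], back[8];
    if (pack_words(SAMPLE, 4, 19, packed, sizeof packed) != 10) return 0;
    if (realign(SAMPLE, 4, 19, 8, as_bytes, 16) != 10) return 0;
    for (size_t i = 0; i < 10; i++) if (as_bytes[i] != packed[i]) return 0;
    if (realign(as_bytes, 10, 8, 19, back, 8) != 4) return 0;
    for (size_t i = 0; i < 4; i++) if (back[i] != SAMPLE[i]) return 0;
    return 1;
}

int main(void) {
    uint8_t packed[16];
    size_t n = pack_words(SAMPLE, 4, 19, packed, sizeof packed);
    printf("%u bytes:", (unsigned)n);
    for (size_t i = 0; i < n; i++) printf(" %02X", packed[i]);
    printf("\nround trip ok: %d\n", sample_roundtrip());
    return 0;
}
```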
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 05 Nov 1998 04:26:33 GMT
From: dscott@networkusa.net
Message-ID: <71r9dp$uv3$1@nnrp1.dejanews.com>
References: <aXcarol-0411981641250001@andrew1.apple.com>
Newsgroups: sci.crypt
Lines: 76

In article <aXcarol-0411981641250001@andrew1.apple.com>,
aXcarol@apple.com (Andrew Carol) wrote:
> In article <71qpr3$auf$1@nnrp1.dejanews.com>, dscott@networkusa.net wrote:
>
> >I doubt
> >if they have given it as much attention yet. But it is very different
> >from the kind they are used to breaking. Since 19u is built around
> >19 bit boundaries on a PC endian type of machine.
>
> The effect the word size and bit direction will have to slow them down
> can be summed up in one word.
>
> ZERO.
>
> Do you really believe that the crypto they are used to cracking from
> other nations really restricts itself to nice clean word sizes and
> alignments? That the brilliance of choosing a 19 bit word size will
> stun them into inaction? "Sir, Mr Scott is not following the rules
> that we ask the Russians and Chinese to follow in their crypto!"
>

I doubt if they can break my 16-bit version. But the point is, if it is
not ordinary they would have a hard time determining the bit size that
was used unless they knew for sure it was a given size. It just makes
their work harder. I am not trying to say it is safe because it is 19
bits; I think the 16-bit version is safe. But I still feel that having
a non-multiple of 8 makes it even safer.

> If they have custom hardware, this is simply a matter of bit re-aligning
> on the fly. There is already, in commercial use, reconfigurable hardware
> where the design can be redefined _in circuit_ under the control of a
> computer. This is perfect to build little 'converter' units to nudge
> your 19 bit little endian data into whatever they want, and as fast
> as a CPU could want it done.
>

What this means is they could use my method for their own use since my
method is not limited like some of the older methods. Maybe the NSA will
use my methods. But if they do they will claim they invented it first
and will change the name.

> In my military comm days, we had a custom IO processor which could handle
> word sizes from 5 up to 32 bits, in either big or little endian, in either
> positive or negative logic, with any parity (or even multiple parity per
> word). And it could do that for up to 128 high data rate channels at the
> same time. All in hardware, all very fast, all built in the mid 70's.
>
> Oh well...
>

So what, what engineer hasn't worked for them? Big deal. I liked the
36-bit one's complement machine the best. The computer people today have
no concept of what the real machines in the past could do. I guess you
worked for a smaller branch if your stuff was only good to 32 bits. I am
talking about the mid 70's too. What I really miss, and am not sure why
it never caught on in current microprocessors, was the fixed-point
arithmetic fractions scaled -1 to 1 so everything is a fraction. C is
written as if all numbers are integer or floating point; the first
machines I used were integer or fixed-point fraction. Do today's
computer jocks even know what the hell we are talking about?

> --
> Andrew Carol aXcarol@apple.com
> (Remove the spam avoiding 'X' from my e-mail address)
>
--
http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
http://members.xoom.com/ecil/index.htm
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 05 Nov 1998 10:18:43 -0800
From: aXcarol@apple.com (Andrew Carol)
Message-ID: <aXcarol-0511981018450001@andrew1.apple.com>
References: <71r9dp$uv3$1@nnrp1.dejanews.com>
Newsgroups: sci.crypt
Lines: 40

In article <71r9dp$uv3$1@nnrp1.dejanews.com>, dscott@networkusa.net wrote:

> So what engineer hasn't worked for them big deal. I liked the 36 bit
>one's complement machine the best.

One's complement is, in my humble opinion, a real waste.

Two's complement is much more elegant because the sign is an ordinary
data bit. You can do signed and unsigned arithmetic using exactly the
same hardware. The sign is simply interpreted as such by the user. With
one's complement, the sign bit is always the sign bit which means your
range of legal unsigned values is cut in half. It's also much harder to
do multiple precision math in one's complement.

Much less flexible. That's why nobody uses it anymore. It's dead Jim.

>I guess you worked for a smaller branch if your stuff only good
>to 32 bits.

If you consider NORAD's air sovereignty mission to be a smaller branch.
Not much data to process, only every fixed military air defense radar
in the country to think about (in real time). Each ROCC system had a
1's complement dual-CPU mainframe, supported by 4 two's complement
minicomputers. With lots of custom processing hardware in support. This
ran to a room of large vector radar consoles. There are 7 such ROCC
systems for North America which all feed NORAD and their stuff.

>Do today's computer jocks even know what the hell we are
>talking about.

My first system, designed mid 50's, had two 2400 bps modems. It was 3
large 19" rack mounted drawers using mechanical resonators for the tone
detection and discrete transistors for everything else. 2400bps did not
reach consumer prices till the early 80's.

Oh well...
--
Andrew Carol aXcarol@apple.com
(Remove the spam avoiding 'X' from my e-mail address)
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 05 Nov 1998 23:50:39 GMT
From: dscott@networkusa.net
Message-ID: <71tdkf$ovs$1@nnrp1.dejanews.com>
References: <aXcarol-0511981018450001@andrew1.apple.com>
Newsgroups: sci.crypt
Lines: 30

In article <aXcarol-0511981018450001@andrew1.apple.com>,
aXcarol@apple.com (Andrew Carol) wrote:
> In article <71r9dp$uv3$1@nnrp1.dejanews.com>, dscott@networkusa.net wrote:
>
> > So what engineer hasn't worked for them big deal. I liked the 36 bit
> >one's complement machine the best.
>
> One's complement is, in my humble opinion, a real waste.
>
> Two's complement is much more elegant because the sign is an ordinary
> data bit. You can do signed and unsigned arithmetic using exactly the
> same hardware. The sign is simply interpreted as such by the user. With
> one's complement, the sign bit is always the sign bit which means your
> range of legal unsigned values is cut in half. It's also much harder to
> do multiple precision math in one's complement.
>
> Much less flexible. That's why nobody uses it anymore. It's dead Jim.
>

Depends on your definition of flexible. At least the 1's complement had
the same range of numbers in the positive and negative direction; the
2's complement had an unbalanced range in the sense that when you take
absolute values the negatives could be bigger. Also the 2 zeros was
very handy.
--
http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
http://members.xoom.com/ecil/index.htm
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 05 Nov 1998 17:07:37 -0800
From: aXcarol@apple.com (Andrew Carol)
Message-ID: <aXcarol-0511981707370001@andrew1.apple.com>
References: <71tdkf$ovs$1@nnrp1.dejanews.com>
Newsgroups: sci.crypt
Lines: 22

In article <71tdkf$ovs$1@nnrp1.dejanews.com>, dscott@networkusa.net wrote:

> Depends on your definition of flexible. At least the 1's complement
>had the same range of numbers in the positive and negative direction;
>the 2's complement had an unbalanced range in the sense that when you
>take absolute values the negatives could be bigger. Also the 2 zeros
>was very handy.

Very true, but since it's cheaper to implement 2's complement in
hardware (because signed and unsigned use the same hardware), and more
people need to do extended precision math than need 2 zeros, it's what
people use.

I have used both extensively; it's just that I end up using features of
2's complement almost every day, and can't think of the last time I
wished I was using the 1's complement.

Oh well...
--
Andrew Carol aXcarol@apple.com
(Remove the spam avoiding 'X' from my e-mail address)
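The one's versus two's complement points traded in this exchange and the two posts before it, as an added C example written for this page rather than by either poster: 8-bit limbs, the end-around carry that one's complement needs, and checks of the balanced range, the two zeros, and whether the same adder also serves unsigned operands. The limb width and the sample operands are choices made here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Limbs are 8-bit, little-endian (w[0] least significant); n is 1..3 limbs
   so every bit pattern fits in a uint32_t. */

void to_limbs(uint32_t raw, uint8_t *w, size_t n) {
    for (size_t i = 0; i < n; i++) w[i] = (uint8_t)(raw >> (8 * i));
}

uint32_t raw_value(const uint8_t *w, size_t n) {
    uint32_t v = 0;
    for (size_t i = 0; i < n; i++) v |= (uint32_t)w[i] << (8 * i);
    return v;
}

/* Two's complement: the top bit carries weight -2^(bits-1) and every other
   bit is ordinary data, so a pattern with the top bit set is raw - 2^bits. */
int32_t twos_value(const uint8_t *w, size_t n) {
    uint32_t raw = raw_value(w, n), bits = 8u * (uint32_t)n;
    if (raw & (1u << (bits - 1))) return (int32_t)raw - (int32_t)(1u << bits);
    return (int32_t)raw;
}

/* One's complement: the top bit is always a sign flag and a negative number
   is the bitwise complement of its magnitude; 0x00 and 0xFF both mean zero. */
int32_t ones_value(const uint8_t *w, size_t n) {
    uint32_t raw = raw_value(w, n), bits = 8u * (uint32_t)n;
    uint32_t mask = (1u << bits) - 1;
    if (raw & (1u << (bits - 1))) return -(int32_t)(~raw & mask);
    return (int32_t)raw;
}

/* Encode a signed value into n limbs; ones != 0 selects one's complement. */
void encode(int32_t v, uint8_t *w, size_t n, int ones) {
    uint32_t bits = 8u * (uint32_t)n, mask = (1u << bits) - 1, raw;
    if (v >= 0)    raw = (uint32_t)v;
    else if (ones) raw = ~(uint32_t)(-v) & mask;                 /* flip |v| */
    else           raw = ((1u << bits) - (uint32_t)(-v)) & mask; /* 2^bits - |v| */
    to_limbs(raw, w, n);
}

/* Two's complement multi-limb add: ripple the carry and drop the last one.
   The identical loop is a correct unsigned adder. Returns the dropped carry. */
unsigned twos_add(uint8_t *r, const uint8_t *a, const uint8_t *b, size_t n) {
    unsigned carry = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned s = (unsigned)a[i] + b[i] + carry;
        r[i] = (uint8_t)s;
        carry = s >> 8;
    }
    return carry;
}

/* One's complement multi-limb add: the carry out of the top limb is fed back
   into the lowest limb (end-around carry) and may ripple through the limbs a
   second time, which is what makes extended precision awkward. */
void ones_add(uint8_t *r, const uint8_t *a, const uint8_t *b, size_t n) {
    unsigned carry = twos_add(r, a, b, n);
    for (size_t i = 0; i < n && carry; i++) {    /* end-around pass */
        unsigned s = (unsigned)r[i] + carry;
        r[i] = (uint8_t)s;
        carry = s >> 8;
    }
}

/* Raw result bit pattern of x + y under the chosen encoding. */
uint32_t add_raw(int32_t x, int32_t y, size_t n, int ones) {
    uint8_t a[3], b[3], r[3];
    encode(x, a, n, ones);
    encode(y, b, n, ones);
    if (ones) ones_add(r, a, b, n); else twos_add(r, a, b, n);
    return raw_value(r, n);
}

/* Decoded result of x + y under the chosen encoding. */
int32_t add_signed(int32_t x, int32_t y, size_t n, int ones) {
    uint8_t r[3];
    to_limbs(add_raw(x, y, n, ones), r, n);
    return ones ? ones_value(r, n) : twos_value(r, n);
}

/* Does the encoding's adder also compute (x + y) mod 2^bits for unsigned
   operands? Two's complement: always. One's complement: not once a carry
   leaves the top limb, so its unsigned range is effectively halved. */
int unsigned_add_ok(uint32_t x, uint32_t y, size_t n, int ones) {
    uint8_t a[3], b[3], r[3];
    uint32_t bits = 8u * (uint32_t)n, mask = (1u << bits) - 1;
    to_limbs(x, a, n);
    to_limbs(y, b, n);
    if (ones) ones_add(r, a, b, n); else twos_add(r, a, b, n);
    return raw_value(r, n) == ((x + y) & mask);
}

int main(void) {
    printf("300 + (-200), 16-bit: ones=%d twos=%d\n",
           (int)add_signed(300, -200, 2, 1), (int)add_signed(300, -200, 2, 0));
    printf("-127 + (-1), 8-bit: ones=%d (wraps) twos=%d\n",
           (int)add_signed(-127, -1, 1, 1), (int)add_signed(-127, -1, 1, 0));
    printf("-5 + 5, 8-bit ones: raw=0x%02X value=%d (negative zero)\n",
           (unsigned)add_raw(-5, 5, 1, 1), (int)add_signed(-5, 5, 1, 1));
    printf("unsigned 0xFF38 + 0x012C correct? ones=%d twos=%d\n",
           unsigned_add_ok(0xFF38, 0x012C, 2, 1), unsigned_add_ok(0xFF38, 0x012C, 2, 0));
    return 0;
}
```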
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 5 Nov 1998 18:13:44 -0600
From: "R H Braddam" <rbraddam@aic-fl.com>
Message-ID: <71tf04$g2e$1@server.cntfl.com>
References: <aXcarol-0511981018450001@andrew1.apple.com>
Newsgroups: talk.politics.crypto,comp.security.pgp.discuss,sci.crypt
Lines: 43

Andrew Carol wrote in message ...
>In article <71r9dp$uv3$1@nnrp1.dejanews.com>,
>
>My first system, designed mid 50's, had two 2400 bps modems. It was 3
>large 19" rack mounted drawers using mechanical resonators for the tone
>detection and discrete transistors for everything else. 2400bps did not
>reach consumer prices till the early 80's.
>

Your post reminds me of the AN/FST-2B data processor. It took analog
input from a search radar and a height-finder radar, digitized the radar
returns, and sent the digital data to vector displays (RAndom Plan
Position Indicators - RAPPI) and to 2400 bps modems. From there the data
went to the AN/FSQ-7 computers of the Air Defense Command. This was in
1967. The T-2 had hundreds of vacuum tubes (12ax7s mostly, if I remember
correctly). It had an advanced feature, for the time, of a transistorized
Selective Identification Feature which received a code transmitted from
an aircraft (or missile) which identified it as friend (or foe if radar
tracked an aircraft which did not transmit the code). I guess the facts
that there were few modems, and the data was digital, provided the
necessary security for data that was not encrypted.

Things have changed some since then, and the times, they are
a-changing....still. And still, some things do not change. We have
always had, and will always have, *some* well-meaning people who seek
jobs in government. Then when they get them, they believe they have the
duty and obligation to determine how the rest of us should live. If a
little thing like (in the U.S.) the Constitution gets in the way, ignore
it. The U.S. Constitution says that U.S. citizens have the right to
speak freely, and the right to privacy. In today's modern world with
electronic communication by computer, strong encryption is the only way
privacy and free speech can be ensured during communication by computer.
However, privacy and free speech cannot be ensured if even the *threat*
of eavesdropping exists. If keys are escrowed with *any* agency,
government or commercial, the threat of eavesdropping will exist. There
can be no key escrow. Period.

You don't take away the rights, directly or indirectly, of the general
population to keep criminals from committing crimes. Sure, make it a
felony to use cryptography in the commission of a felony. That will
help. But depriving the public of the use of cryptography will not
prevent criminals from using it.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 05 Nov 1998 17:13:29 -0800
From: aXcarol@apple.com (Andrew Carol)
Message-ID: <aXcarol-0511981713290001@andrew1.apple.com>
References: <71tf04$g2e$1@server.cntfl.com>
Newsgroups: talk.politics.crypto,comp.security.pgp.discuss,sci.crypt
Lines: 24

In article <71tf04$g2e$1@server.cntfl.com>, "R H Braddam"
<rbraddam@aic-fl.com> wrote:

>Your post reminds me of the AN/FST-2B data processor. It took analog input
>from a search radar and a height-finder radar, digitized the radar returns,
>and sent the digital data to vector displays (RAndom Plan Position
>Indicators - RAPPI) and to 2400 bps modems. From there the data went to the
>AN/FSQ-7 computers of the Air Defense Command. This was in 1967. The T-2 had
>hundreds of vacuum tubes (12ax7s mostly, if I remember correctly).

I worked on the follow-on system, FYQ-9? (Can't remember the last
digit). We took dozens of radars and merged them into a single display
and put it on large vector consoles. Lots of custom hardware to do the
signal proc. A wonderful system to work on. It was the last of the
actual large scale, local board level repair systems in the Air Force.
It was a fairly large computer system implemented in TTL. Very nice.

All I/O was encrypted (KG-84's, etc). They were much more compact than
the KY-3's and KG-13's my prior system used.
--
Andrew Carol aXcarol@apple.com
(Remove the spam avoiding 'X' from my e-mail address)
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 06 Nov 1998 04:42:58 GMT
From: "Douglas A. Gwyn" <DAGwyn@null.net>
Message-ID: <36427E4F.23A27E06@null.net>
References: <71tf04$g2e$1@server.cntfl.com>
Newsgroups: talk.politics.crypto,sci.crypt
Lines: 28

R H Braddam wrote:
> ... The U.S. Constitution says that
> U.S. citizens have the right to speak freely, and the right to privacy.

The right to privacy is not explicitly spelled out, although the right
to be secure in their homes and possessions is. The founders of the US
generally believed in natural rights (rights inherent in a person by
virtue of his existence) and "reserved" for the citizens all rights not
explicitly guaranteed by wording in the Constitution. Unfortunately, as
predicted by some during the debate over the Bill of Rights, the fact
that some rights are explicitly enumerated has led to confusion, such
that many people believe that rights are *conveyed* explicitly by the
Bill of Rights and that unenumerated rights don't exist or at least are
not protected.

> ... But depriving the public of the use
> of cryptography will not prevent criminals from using it.

Yup, and as I previously pointed out, the criminals can use secure
unescrowed encryption *within* any key-escrow scheme. As with most
similar laws, notably gun control laws, there is adverse impact on the
good guys and little if any good impact on the bad guys. It's easier
for politicians to enact such misguided laws and claim to be "doing
something" than for them to justify upholding individual freedom.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 06 Nov 1998 14:38:50 -0800
From: David Sternlight <david@sternlight.com>
Message-ID: <36437A79.23158BFC@sternlight.com>
References: <jgfunj-0611981226220001@dialup104.itexas.net> <71u125$lm6$1@news.cudenver.edu> <71tf04$g2e$1@server.cntfl.com>
Newsgroups: talk.politics.crypto,comp.security.pgp.discuss,sci.crypt
Lines: 36

W T Shaw wrote:
> In article <71u125$lm6$1@news.cudenver.edu>, Zero@ouray.cudenver.edu
> (Zero) wrote:
>
> > R H Braddam (rbraddam@aic-fl.com) wrote:
> > : Constitution gets in the way, ignore it. The U.S. Constitution says that
> > : U.S. citizens have the right to speak freely, and the right to privacy. In
> >
> > Not that I disagree with the general content of your post, but to
> > the best of my knowledge, the U.S. Constitution does not even mention
> > privacy.
> >
> The Supremes seem to see that it is implied...so do lots of common folk.
> If you don't, you are merely a sophist.

We've had this discussion ad nauseam here. The Supremes have found a
right to certain specific privacies on a case-by-case basis, in the
"penumbra" of the Constitution. They have not found a general right to
privacy even in the penumbra.

Some specific rights to privacy they've found include the marital bed,
etc. They have found no right to privacy having to do with crypto. And
there is no absolute right to privacy in a number of other areas
ordinarily thought to be so--for example the government may compel
production of one's private papers via lawful subpoena despite the
Constitutional "right to be secure in one's papers". And one may, of
course, be lawfully arrested despite the "right to be secure in one's
person".

Even with respect to speech, the right to free speech is limited, as in
the case of falsely shouting "Fire!" in a crowded theatre.

David
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 11 Nov 1998 17:15:49 GMT
From: scott@helsbreth.org (Scott Nelson)
Message-ID: <3649c569.4548892@news.inreach.com>
References: <36437A79.23158BFC@sternlight.com>
Newsgroups: talk.politics.crypto,comp.security.pgp.discuss,sci.crypt
Lines: 54

On Fri, 06 Nov 1998 David Sternlight <david@sternlight.com> wrote:
[edit]
> . . .The Supremes have found a right to
>certain specific privacies on a case-by-case basis, in the "penumbra" of the
>Constitution. They have not found a general right to privacy even in the
>penumbra.
>
The Ninth Amendment in the Bill of Rights states
"The enumeration in the Constitution, of certain rights, shall not be
construed to deny or disparage others retained by the people."
This includes the right to privacy.

However, many rights conflict with others. "Your right to swing your
fist stops where my nose begins" and all that. You're not entitled to
yell "fire" in a crowded theater, not because you don't have the right
to speak, but rather because the other patrons' rights override your
right to speak thus. This weighing of other concerns against the
general right to privacy is what the supreme court has adjudicated. The
existence of the general right to privacy has never seriously been
questioned.

>Some specific rights to privacy they've found include the marital bed, etc. They
>have found no right to privacy having to do with crypto.

That's inaccurate. National security may override a citizen's right to
privacy, but that's very different from not having the right. And IIRC,
the supreme court has rejected all claims by the government that
National Security concerns are overriding in the case of crypto. They
haven't even gotten past the first amendment yet, much less the fourth
and ninth.

>And there is no absolute
>right to privacy in a number of other areas ordinarily thought to be so--for
>example the government may compel production of one's private papers via lawful
>subpoena despite the Constitutional "right to be secure in one's papers". And
>one may, of course, be lawfully arrested despite the "right to be secure in one's
>person".
>
The rights are not absolute rights in the sense that they override
everything, but privacy, like all other rights, can't just be ignored
either. There must be an overriding reason to violate the right to
privacy.

----------------------------------------
DiehardC 1.03 now available via ftp from
ftp://helsbreth.org/pub/helsbret/random
Scott Nelson <scott@helsbreth.org>
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 12 Nov 1998 06:03:04 GMT
From: pstromer@my-dejanews.com
Message-ID: <72dtmo$566$1@nnrp1.dejanews.com>
References: <364A2925.B027031D@sternlight.com> <3649c569.4548892@news.inreach.com>
Newsgroups: talk.politics.crypto,comp.security.pgp.discuss,sci.crypt
Lines: 51

In article <364A2925.B027031D@sternlight.com>,
david@sternlight.com wrote:
> The discussion was about a right to privacy in the Constitution. Anyone may
> argue, using the Ninth amendment, that anything they like is a "right". It's
> nonsense without a legal basis.

Perhaps the Supreme Court's decision in Griswold v. Connecticut, 381
U.S. 479 (1965) qualifies as a "legal basis?"

Held: The Connecticut statute forbidding use of contraceptives violates
the right of marital privacy which is within the penumbra of specific
guarantees of the Bill of Rights.

A few choice quotes from Justice Douglas' majority opinion, which I'm
sure will delight Mr. Sternlight:

"specific guarantees in the Bill of Rights have penumbras, formed by
emanations from those guarantees that help give them life and substance"

"We recently referred [p*485] in Mapp v. Ohio, 367 U.S. 643, 656, to
the Fourth Amendment as creating a "right to privacy, no less important
than any other right carefully and particularly reserved to the people."

But it's "only" the Supreme Court, not the Constitution.

> The Supreme Court never acknowledged a general right to privacy, so they
> couldn't very well have adjudicated it.

See the above quotes for a spirited refutation of this comment.

> There needs to be no "overriding reason", just due process and a judicially
> approved reasonable expectation that a search warrant will produce the
> objects sought.

Spoken by someone who doesn't understand the process of obtaining a
search warrant. The judge must be capable of making an independent
evaluation of the merits of the application for the warrant. And the
standard for a search warrant is not "reasonable expectation," but it is
"probable cause." Without "probable cause," the "reasonable expectation"
standard results in "fruits of the poisonous tree" and they are
inadmissible in court. See the landmark case of Wong Sun v. United
States, 371 U.S. 471 (1963).

--
Philip Stromer
Send me email at pstromer@SPAMSUCKShotmail.com (remove the capital
letters).
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 12 Nov 1998 03:31:45 -0600
From: "R H Braddam" <rbraddam@aic-fl.com>
Message-ID: <72e9ur$kb4$1@server.cntfl.com>
References: <364A2925.B027031D@sternlight.com> <3649c569.4548892@news.inreach.com>
Newsgroups: talk.politics.crypto,comp.security.pgp.discuss,sci.crypt
Lines: 87

I went to this Government Printing Office URL and searched on the word
privacy:

http://www.access.gpo.gov/congress/senate/constitution/index.html

The following is the report provided on my search:

"Searching constitution...Your query was: (PRIVACY) The database
contains 769,912 words in 106 documents. There are no fields in this
database.privacy occurs 218 times in 15 documents. The search found 15
documents. It took less than a second."

The documents returned to me had a total size of 2,822,965 bytes.

The documents I scanned primarily addressed the 1st, 4th, 9th, and 14th
amendments. This seems to indicate to me that the Congress and the
Supreme Court consider the amendments to be part of the Constitution. So
do I. There are also federal laws addressing privacy. There is the
Privacy Act of 1974, the Privacy Protection Act of 1980, the Electronic
Communications Privacy Act of 1986, and the Computer Matching and
Privacy Protection Act of 1988.

These are just two quotes from Supreme Court justices:

"Justice Douglas, writing the opinion of the Court, asserted that the
``specific guarantees in the Bill of Rights have penumbras, formed by
emanations from those guarantees that help give them life and
substance.''\6\ Thus, while privacy is nowhere mentioned, it is one of
the values served and protected by the First Amendment, through its
protection of associational rights, and by the Third, the Fourth, and
the Fifth Amendments as well. The Justice recurred to the text of the
Ninth Amendment, apparently to support the thought that these penumbral
rights are protected by one Amendment or a complex of Amendments despite
the absence of a specific reference. Justice Goldberg, concurring,
devoted several pages to the Amendment."

"United States v. Padilla, 508 U.S. 77 (1993) (only persons whose
privacy or property interests are violated may object to a search on
Fourth Amendment grounds;"

Or go here, and you can search for anything about anything that's
published by the Government Printing Office. Of course, not everything
that's been published has been transcribed to on-line form, but they
say they are continually updating their databases.

http://www.access.gpo.gov/su_docs/dbsearch.html

I hope this ends the discussion about the right to privacy -- whether it
exists or not. It does, not just in my opinion, but in the opinion of
the Congress and the Supreme Court.

Anonymity is another matter. In 1962 the Supreme Court made a ruling
that indicated that anonymity is a fundamental requirement of free
speech. Check the link below for the full text (200+kb) from which the
following excerpt was taken:

http://cpsr.org/cpsr/free_speech/talley_v_california.txt

(The case was about a requirement for leaflets to have identification
information printed on them.)

"Even the Federalist Papers, written in favor of the adoption of our
Constitution, were published under fictitious names. It is plain that
anonymity has sometimes been assumed for the most constructive purposes.
We have recently had occasion to hold in two cases that there are times
and circumstances when States may not compel members of groups engaged
in the dissemination of ideas to be publicly identified. Bates v. Little
Rock, 361 U.S. 516; N. A. A. C. P. v. Alabama, 357 U.S. 449, 462. The
reason for those holdings was that identification and fear of reprisal
might deter perfectly peaceful discussions of public matters of
importance. This broad Los Angeles ordinance is subject to the same
infirmity. We hold that it, like the Griffin, Georgia, ordinance, is
void on its face. The judgment of the Appellate Department of the
Superior Court of the State of California is reversed and the cause is
remanded to it for further proceedings not inconsistent with this
opinion."

You don't have to be a lawyer to do an Internet search. Now explain to
me how we can have anonymity over the Internet without encryption. Don't
bother telling me that this posting is not like a leaflet. IMHO, that is
exactly what it is, in electronic form. If I were afraid of government
retaliation, I would have to encrypt this -- assuming encryption was
available without escrowed keys, as it is now.

If we want to keep the capability we have now, and improve upon it, we
have to take action. Try http://www.ciec.org/ and send email urging
action to block the Embassy chip. One message might help, two would be
better, and if everyone reading this responds you might get a snowball
rolling that will prevent the Embassy from even getting started.
Subject: Re: Memo to the Amateur Cipher Designer
Date: 18 Nov 1998 03:11:25 GMT
From: lamontg@bite.me.spammers
Message-ID: <72tdst$1ieu$1@nntp6.u.washington.edu>
References: <72e9ur$kb4$1@server.cntfl.com>
Newsgroups: talk.politics.crypto,comp.security.pgp.discuss,sci.crypt
Lines: 62

"R H Braddam" <rbraddam@aic-fl.com> writes:
>The documents I scanned primarily addressed the 1st, 4th, 9th, and 14th
>amendments. This seems to indicate to me that the Congress and the Supreme
>Court consider the amendments to be part of the Constitution. So do I. There
>are also federal laws addressing privacy.

There is no explicit right to privacy in the Constitution of the United States. From Roe v. Wade:

``The Constitution does not explicitly mention any right of privacy. In a line of decisions, however, going back perhaps as far as Union Pacific R. Co. v. Botsford, 141 U.S. 250, 251 (1891), the Court has recognized that a right of personal privacy, or a guarantee of certain areas or zones of privacy, does exist under the Constitution. In varying contexts, the Court or individual Justices have, indeed, found at least the roots of that right in the First Amendment, Stanley v. Georgia, 394 U.S. 557, 564 (1969); in the Fourth and Fifth Amendments, Terry v. Ohio, 392 U.S. 1, 8-9 (1968), Katz v. United States, 389 U.S. 347, 350 (1967), Boyd v. United States, 116 U.S. 616 (1886), see Olmstead v. United States, 277 U.S. 438, 478 (1928) (Brandeis, J., dissenting); in the penumbras of the Bill of Rights, Griswold v. Connecticut, 381 U.S. at 484-485; in the Ninth Amendment, id. at 486 (Goldberg, J., concurring); or in the concept of liberty guaranteed by the first section of the Fourteenth Amendment, see Meyer v. Nebraska, 262 U.S. 390, 399 (1923). These decisions make it clear that only personal rights that can be deemed "fundamental" or "implicit in the concept of ordered liberty," Palko v. Connecticut, 302 U.S. 319, 325 (1937), are included in this guarantee of personal privacy. They also make it clear that the right has some extension to activities relating to marriage, Loving v. Virginia, 388 U.S. 1, 12 (1967); procreation, Skinner v. Oklahoma, 316 U.S. 535, 541-542 (1942); contraception, Eisenstadt v. Baird, 405 U.S. at 453-454; id. at 460, 463-465 [p*153] (WHITE, J., concurring in result); family relationships, Prince v. Massachusetts, 321 U.S. 158, 166 (1944); and childrearing and education, Pierce v. Society of Sisters, 268 U.S. 510, 535 (1925), Meyer v. Nebraska, supra.

``This right of privacy, whether it be founded in the Fourteenth Amendment's concept of personal liberty and restrictions upon state action, as we feel it is, or, as the District Court determined, in the Ninth Amendment's reservation of rights to the people, is broad enough to encompass a woman's decision whether or not to terminate her pregnancy.''

>I hope this ends the discussion about the right to privacy -- whether it
>exists or not. It does, not just in my opinion, but in the opinion of the
>Congress and the Supreme Court.

It has never, however, been an explicit part of the Constitution. It has merely been argued that it can be based on the Constitution. And I do view this as "merely", since it is possible that a more conservative court could argue against it and weaken it.

>Anonymity is another matter. In 1962 the Supreme Court made a ruling that
>indicated that anonymity is a fundamental requirement of free speech.
[...]
>Now explain to me how we can have anonymity over the Internet without
>encryption.

Anonymity is easy on the Internet. Just forge all your articles. No Crypto required.

--
Lamont Granquist (lamontg@u.washington.edu)
ICBM: 47 39'23"N 122 18'19"W
Subject: Re: Memo to the Amateur Cipher Designer
Date: 6 Nov 1998 09:10:16 GMT
From: olson@umbc.edu (Bryan G. Olson; CMSC (G))
Message-ID: <71uedo$hv8$2@news.umbc.edu>
References: <aXcarol-0511981018450001@andrew1.apple.com>
Newsgroups: sci.crypt
Lines: 25

Andrew Carol (aXcarol@apple.com) wrote:
: One's complement is, in my humble opinion, a real waste.
: Two's complement is much more elegant because the sign is an ordinary
: data bit. You can do signed and unsigned arithmetic using exactly the
: same hardware. The sign is simply interpreted as such by the user. With
: one's complement, the sign bit is always the sign bit which means your
: range of legal unsigned values is cut in half.

Not so. Two's complement is simply arithmetic mod 2^WordSize, while one's complement is mod (2^WordSize)-1. With either one we use the same addition and subtraction operations for both signed and unsigned. We're left with the modular remainder and we choose whether to interpret the values with the one bit set as the least residue or to subtract the modulus from the least residue.

: It's also much harder to
: do multiple precision math in one's complement.

True. That missing value is a huge pain.

--Bryan
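Bryan's point, that both representations are the same unsigned adder read out under a different modulus, is easy to check in code. The following is an added example written for this page (it is not code from any poster in the thread) on a hypothetical 16-bit word: the two's-complement adder drops the carry out of the top bit, the one's-complement adder feeds that carry back in at the bottom (the "end-around carry"), and the multi-word adder shows the second carry pass that makes multiple-precision one's-complement arithmetic the pain he mentions. The word size and all sample values are constructed.

```python
"""Two's and one's complement as modular arithmetic on a 16-bit word.

Added example for this thread; constructed values, not any poster's code.
"""

WORD_BITS = 16
MASK = (1 << WORD_BITS) - 1          # 0xFFFF: all bits of the word
MOD_TWOS = 1 << WORD_BITS            # two's complement: arithmetic mod 2^WordSize
MOD_ONES = MOD_TWOS - 1              # one's complement: arithmetic mod 2^WordSize - 1
SIGN_BIT = 1 << (WORD_BITS - 1)


def twos_add(a, b):
    """Plain unsigned adder; the carry out of the top bit is dropped."""
    return (a + b) & MASK


def twos_neg(a):
    """Invert, then add one; the +1 may ripple a carry through the whole word."""
    return (~a + 1) & MASK


def twos_signed(word):
    """Read the residue as signed: subtract the modulus when the top bit is set."""
    return word - MOD_TWOS if word & SIGN_BIT else word


def ones_add(a, b):
    """Same adder, but the carry out of the top bit is added back at the bottom."""
    s = a + b
    return (s & MASK) + (s >> WORD_BITS)      # one end-around pass always suffices


def ones_neg(a):
    """Invert only; no carry chain is needed."""
    return ~a & MASK


def ones_signed(word):
    """Subtract the modulus 2^16 - 1 when the top bit is set; 0xFFFF reads as -0."""
    return word - MOD_ONES if word & SIGN_BIT else word


def ones_add_words(a_words, b_words):
    """Multi-precision one's-complement add on little-endian lists of 16-bit words.

    The carry out of the top word must be fed back into word 0, and that
    carry can ripple through several words before it dies, so a second
    carry pass is needed: the "missing value" problem in multi-word form.
    """
    n = len(a_words)
    out = [0] * n
    carry = 0
    for i in range(n):                       # ordinary ripple-carry pass
        s = a_words[i] + b_words[i] + carry
        out[i] = s & MASK
        carry = s >> WORD_BITS
    i = 0
    while carry:                             # end-around pass: keeps going while words are 0xFFFF
        s = out[i % n] + carry
        out[i % n] = s & MASK
        carry = s >> WORD_BITS
        i += 1
    return out


def words_to_int(words):
    """Little-endian word list to the integer residue it denotes."""
    return sum(w << (WORD_BITS * i) for i, w in enumerate(words))


def ones_add_reference(x, y, nwords):
    """The same sum done directly mod 2^(16*nwords) - 1, to check the word-wise version."""
    bits = WORD_BITS * nwords
    s = x + y
    return (s & ((1 << bits) - 1)) + (s >> bits)


if __name__ == "__main__":
    # 5 - 7 under both conventions: identical bit operations, different read-out
    print(hex(twos_add(5, twos_neg(7))), twos_signed(twos_add(5, twos_neg(7))))
    print(hex(ones_add(5, ones_neg(7))), ones_signed(ones_add(5, ones_neg(7))))
    # the value one's complement is missing: 3 - 3 gives "negative zero"
    print(hex(ones_add(3, ones_neg(3))), ones_signed(ones_add(3, ones_neg(3))))
```

Note that the unsigned range under one's complement is not halved: the residues 0 to 0xFFFE are all distinct, and only 0xFFFF aliases 0, which is the one missing value.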
Subject: Re: Memo to the Amateur Cipher Designer
Date: 7 Nov 1998 15:11:15 GMT
From: jsavard@freenet.edmonton.ab.ca ()
Message-ID: <721nuj$57m$1@news.sas.ab.ca>
References: <36427A25.C9CFD81D@null.net> <aXcarol-0511981018450001@andrew1.apple.com>
Newsgroups: sci.crypt
Lines: 31

Douglas A. Gwyn (DAGwyn@null.net) wrote:
: Andrew Carol wrote:
: > One's complement is, in my humble opinion, a real waste.
: > Two's complement is much more elegant because the sign is an ordinary
: > data bit. You can do signed and unsigned arithmetic using exactly the
: > same hardware. The sign is simply interpreted as such by the user. With
: > one's complement, the sign bit is always the sign bit which means your
: > range of legal unsigned values is cut in half. It's also much harder to
: > do multiple precision math in one's complement.
: You're completely wrong. Operations using ones-complement and
: twos-complement representation are very similar; CDC chose to
: use ones-complement because it was slightly faster (negation
: doesn't require any carry cycles).

Well, it is true that less circuitry is required to add a negative integer to a positive integer in two's complement; one does need extra gates to test for opposing signs and adjust the result in one's complement.

Two's complement is the reasonable representation for integers.

But for floating-point numbers, composed of separate fields, the normal representation is sign-magnitude for the mantissa, and excess-N for the exponent. If one wants one's floating-point numbers to compare using integer comparison operations, then inverting the other bits of the number when the sign is negative - a one's complement on the mantissa, but the exponent is also inverted - makes sense, because field boundaries are not straddled.

(Of course, the architecture should be big-endian, so that integer compares work on strings too, if you're doing this...)

John Savard
Subject: Re: Memo to the Amateur Cipher Designer
Date: Sun, 08 Nov 1998 06:51:57 GMT
From: "Douglas A. Gwyn" <DAGwyn@null.net>
Message-ID: <36453F84.9E2E6827@null.net>
References: <721nuj$57m$1@news.sas.ab.ca>
Newsgroups: sci.crypt
Lines: 18

jsavard@freenet.edmonton.ab.ca wrote:
> Well, it is true that less circuitry is required to add a negative integer
> to a positive integer in two's complement; one does need extra gates to
> test for opposing signs and adjust the result in one's complement.
> Two's complement is the reasonable representation for integers.

Which representation produces faster results depends on the exact mix of operations. I've programmed both, and either representation is reasonable for most purposes.

> ... (Of course, the architecture should be big-endian, so that
> integer compares work on strings too, if you're doing this...)

Endianness is another architectural property that has pros and cons on both sides.

Anyway, this is outside the sci.crypt charter; I just couldn't stand by while ones-complement was being badmouthed.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 04 Nov 1998 19:48:04 -0600
From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw)
Message-ID: <jgfunj-0411981948040001@dialup150.itexas.net>
References: <71qpr3$auf$1@nnrp1.dejanews.com>
Newsgroups: sci.crypt
Lines: 103

In article <71qpr3$auf$1@nnrp1.dejanews.com>, dscott@networkusa.net wrote:
>
> If the NSA is doing its job at all any encryption that is used at
> all on the net would be analyzed by them. I am sure megabucks were
> spent on PGP since it is so common. I think my stuff is stronger
> than IDEA or the FISHY methods but since not in public eye I doubt
> if they have given it as much attention yet. But it is very different
> from the kind they are used to breaking. Since 19u is built around
> 19 bit boundaries on a PC indian type of machine. The program has
> to be decrypted by several passes in the reverse direction. And as
> the R of RSA is now pushing or talking about. It is a true all or
> nothing encryption something that may be beyond the B S crypto
> class of people's current limited mind kind of thinking.
>

I expect they already have looked at your various algorithms. After all it is their job to do this sort of thing. About getting word on what they feel about someone's work in particular, that is rare, but it does happen.

We keep hearing how difficult it is to come up with algorithms, so in an hour of thinking and calculating, here is a new one for you, Cipher 4045:

PW5.B40.D8.T8.D4.B22.W3.T12.W4.B32M.D6.T24.D8.B40.CW5

--Cipher "4045" features three transposition boxes, 8/12/24 equivalent to 15/29/79, or total of 123 bits. The plaintext and ciphertext are both in base 40 and the input/output block size is 40/45 characters. Without increasing the block size, the transposition boxes can be as big as 64/48/72, for equivalent keys of 290/203/345, or 838 bits all together. Even with no transpositions, straight pass through, this cipher in translation mode exhibits some diffusion. In cryptoanalysis, the weakest length is in the second transposition, so part of the keylength can be somewhat divided at that point.

Note: the above formula is fully descriptive of the algorithm. In case you missed the introduction of this system of notation, here is a repeat of the first three algorithms that tends to explain it by example:

PW1.B100.D2.T12.D4.B22.CW3 describes an algorithm I presented at the ACA in Los Angeles in August. CYCLISTE named this algorithm RIMFIRE, since it takes a 22 base shot at all familiar ascii characters, almost all of those in the set of 100. In it plaintext (P) characters are converted individually (W1, words of one character) from a set of 100 elements (B100) to two digits (D2, normal base 10). The digits undergo transposition in blocks of twelve (T12). Digits in groups of four (D4) are converted to base 22 characters (B22) in blocks of three ciphertext letters (CW3). The keylength is entirely in the possible permutations of the 12 elements in the transposition stage, only 479,001,600 different keys. This cipher is targeted at the twilight above hand breakable ciphers yet somewhat easy to break with a computer.

PW3.B22.D4.GVA6X11PC1.P.D6.B32M.CW4 is the algorithm that I am using with the 6 wheels using alphabets of 11 characters in the FLAT CYLINDER EXAMPLE of the GVA. In it, plaintext in words of three letters each (PW3) from a base 22 character set (B22) produce groups of 4 digits each (D4). Using the Grandview Algorithm as a build block (GVA), noting its size (6X11), and a selection of a group of six digits (D6) to be changed to base 32, the medium table available, (B32M), producing ciphertext words of four characters each (CW4).

PW5.B40.D8.GVA11X16PC2.B16.CW11 is a slightly more complicated implementation of the Grandview Algorithm called CAPS, because it is worked on a cylinder made from punched plastic milk bottle caps, and is more uniform and compact than the push-pop cylinder. In it, plaintext words of five characters each (PW5) from a set of 22 (B22) produce groups of 8 digits each (D8). The Grandview Algorithm is exercised on a cylinder of 11 wheels having 16 characters each with two hexadecimal (B16), containing eleven characters in each ciphertext word (CW11). This is lots stronger than the flat cylinder example as it has 3375 possible outputs for each input group. It can work from any of the 225 available pathcodes. Using a hex set on the cylinder means that digits are a subset of it, and easily applied. Using the GVA Alternate Form, it can work with 4096 different pathcodes.

--
---
The public is harder to steamroller than some might think.
---
Decrypt with ROT13 to get correct email address.
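The transposition stages in Shaw's notation (T8, T12, T24) are keyed by a permutation of the block, and the "equivalent" key lengths he quotes are log2(n!) for an n-position box. The following is an added example written for this page, not Shaw's or the ACA's code, that computes those figures for Cipher 4045 and RIMFIRE and implements a T-box over a digit stream with its inverse. The key format (a list of destination indices), the sample digits and the assumed trial rate in the brute-force estimate are my own assumptions.

```python
"""Key-space arithmetic and block transposition for the T-stages in Shaw's notation.

Added example; the permutation-list key format and sample data are constructed.
"""
import math


def keys_in_box(n):
    """Number of distinct keys of an n-element transposition box: the n! orderings."""
    return math.factorial(n)


def perm_key_bits(n):
    """Effective key length, in bits, of an n-position box: log2(n!).

    math.factorial is exact, so this stays accurate well past n = 20.
    """
    return math.log2(keys_in_box(n))


def cipher_4045_key_bits(boxes=(8, 12, 24)):
    """Rounded per-box key lengths and their total for the three boxes of Cipher 4045."""
    per_box = [round(perm_key_bits(n)) for n in boxes]
    return per_box, sum(per_box)


def check_key(key):
    """A transposition key must be a permutation of 0..n-1; reject anything else."""
    n = len(key)
    if sorted(key) != list(range(n)):
        raise ValueError("key is not a permutation of range(%d)" % n)
    return n


def transpose(block, key):
    """Apply one box: output position i takes the input symbol at key[i]."""
    if len(block) != check_key(key):
        raise ValueError("block length must equal key length")
    return "".join(block[k] for k in key)


def untranspose(block, key):
    """Inverse box: the symbol now at position i goes back to position key[i]."""
    if len(block) != check_key(key):
        raise ValueError("block length must equal key length")
    out = [""] * len(key)
    for i, k in enumerate(key):
        out[k] = block[i]
    return "".join(out)


def transpose_stream(digits, key, inverse=False):
    """Run a T-box over a digit string in whole blocks (the T12 stage: blocks of twelve)."""
    n = len(key)
    if len(digits) % n:
        raise ValueError("input must be a whole number of %d-symbol blocks" % n)
    step = untranspose if inverse else transpose
    return "".join(step(digits[i:i + n], key) for i in range(0, len(digits), n))


def brute_force_seconds(bits, keys_per_second=1e9):
    """Time to try every key of the given length at an assumed (constructed) trial rate."""
    return 2.0 ** bits / keys_per_second


if __name__ == "__main__":
    print("RIMFIRE T12 keys:", keys_in_box(12))            # 479001600
    print("Cipher 4045 bits:", cipher_4045_key_bits())     # ([15, 29, 79], 123)
    key12 = list(range(11, -1, -1))                        # constructed key: reverse the block
    ct = transpose_stream("123456789012", key12)
    print(ct, transpose_stream(ct, key12, inverse=True))
    print("seconds to exhaust a 29-bit box at 1e9 keys/s:", brute_force_seconds(29))
```

The figures reproduce the 15/29/79 and 123-bit totals and the 479,001,600-key count quoted above; the last line makes the practical point that a lone 12-element box is exhaustible in under a second on the assumed hardware, which is why Shaw places RIMFIRE just above hand-breakable ciphers.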
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 06 Nov 1998 07:51:19 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <3649aa3b.2925663@news.visi.com>
References: <jgfunj-0411981159440001@207.22.198.223>
Newsgroups: sci.crypt
Lines: 28

On Wed, 04 Nov 1998 11:59:43 -0600, jgfunj@EnqvbSerrGrknf.pbz (W T Shaw) wrote:

>Cryptography is a special class, probably not entirely alone as other
>subjects might also get similar attention. Consider what is apt to
>happen: PTO gets some crypto related application; it gets put into a pile
>since it might be messing with ideas that could be classified. The
>application is properly forwarded to the Defense Department for review, if
>not directly to NSA itself.

The NSA does not comment on patentability. Actually, I'm pretty sure they don't review crypto patent apps anymore. That kind of thing only worked in the 70s and early 80s.

>It would be on the recommendations of the particular agencies that handled
>the details of inspection that the PTO office would act. The paperwork
>could be simply passed back quickly to PTO and processed as representing
>something trivial, but patentable all the same, returned and rejected to
>the submitter with no reasons given, or held for further study. From
>there, more options could click in. I bet you Ritter's work got lots more
>than a quick glance.

Sounds like a good idea, but the patent office doesn't work that way.

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590
Free crypto newsletter. See: http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 06 Nov 1998 12:47:00 -0600
From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw)
Message-ID: <jgfunj-0611981247000001@dialup104.itexas.net>
References: <3649aa3b.2925663@news.visi.com>
Newsgroups: sci.crypt
Lines: 17

In article <3649aa3b.2925663@news.visi.com>, schneier@counterpane.com (Bruce Schneier) wrote:
>
> The NSA does not comment on patentability. Actually, I'm pretty sure
> they don't review crypto patent apps anymore. That kind of thing only
> worked in the 70s and early 80s.
....

Don't be so sure. Send in a technically-heavy sounding fuzzy description for a megathermoneutrogismo with 10 pages of obscure drawings and be sure to get somebody's attention. I don't expect NSA to be incompetent, which means it should sop up and funnel ALL the easy leads to the company store for analysis.

--
---
The public is harder to steamroller than some might think.
---
Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 10 Nov 1998 03:33:58 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <3647b41e.4433230@news.io.com>
References: <jgfunj-0411981159440001@207.22.198.223>
Newsgroups: sci.crypt
Lines: 59

On Wed, 04 Nov 1998 11:59:43 -0600, in <jgfunj-0411981159440001@207.22.198.223>, in sci.crypt jgfunj@EnqvbSerrGrknf.pbz (W T Shaw) wrote:

>[...]
>Cryptography is a special class, probably not entirely alone as other
>subjects might also get similar attention. Consider what is apt to
>happen: PTO gets some crypto related application; it gets put into a pile
>since it might be messing with ideas that could be classified. The
>application is properly forwarded to the Defense Department for review, if
>not directly to NSA itself.

It is my understanding that there is "a NSA desk" in the PTO which does review crypto applications. If so, it must be a tough job.

There is a whole section to the MPEP (Manual of Patent Examination Procedure) that deals with secrecy orders, and anybody can read that. It seems unlikely, however, that it could apply to a patent whose information had been publicly revealed. Not only would a secrecy order be ineffective in that case, it would actually highlight a significant idea, so that would not be done.

>It would be on the recommendations of the particular agencies that handled
>the details of inspection that the PTO office would act. The paperwork
>could be simply passed back quickly to PTO and processed as representing
>something trivial, but patentable all the same, returned and rejected to
>the submitter with no reasons given, or held for further study. From
>there, more options could click in. I bet you Ritter's work got lots more
>than a quick glance.

My Dynamic Substitution patent file actually *disappeared* from the PTO for a while in 1990. Presumably it was signed out, but the file was physically out of the PTO. This was *after* allowance by the examiner, but before publication. After repeated telephone requests for information, eventually I was passed to the head of the publication department, who ordered the file *recalled* from wherever it was, although she would not say where that was, or why it was there. Very spooky in 1990, but perhaps more humorous in retrospect.

The information already had been *published* on sci.crypt and was ready for print in Cryptologia. But only after the file was ordered recalled could it be assigned a publication slot and an issue date, and so eventually issue.

One might speculate that there was *some* sort of a review going on, but certainly not for patentability. There were fewer crypto patents in those days, so there may have been greater anxiety. Still, the content was already published!

There is no way for me to know whether the patent is being used by the government. But if someone were to provide the name of a machine which they claim does use it, I could request a formal inquiry.

---
Terry Ritter ritter@io.com http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 10 Nov 1998 14:18:34 GMT
From: malinov@mindless.com
Message-ID: <729hvq$ehh$1@nnrp1.dejanews.com>
References: <3647b41e.4433230@news.io.com>
Newsgroups: sci.crypt
Lines: 27

Terry Ritter said something like . . .

> It is my understanding that there is "a NSA desk" in the PTO which
> does review crypto applications. If so, it must be a tough job.

Not at all, having worked there many years. All applications are reviewed for subject matter which might involve national security. Applications by US citizens which involve real cryptography are copied; the copy is sent to someone at NSA for review. Secrecy orders are rare. They are not easily impressed.

> My Dynamic Substitution patent file actually *disappeared* from the
> PTO for a while in 1990. Presumably it was signed out, but the file
> was physically out of the PTO.

Welcome to the bureaucracy. I can't say for sure, but I'd bet good money there was a dumb reason your file wasn't where it should have been. Government dumbness outweighs conspiracy by several orders of magnitude.

David Cain
Ex-PTO Crypto

--
Power belongs to those who dare . . . Sapere Aude

-----------== Posted via Deja News, The Discussion Network ==----------
http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 10 Nov 1998 18:43:18 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <3648892f.4989511@news.io.com>
References: <729hvq$ehh$1@nnrp1.dejanews.com>
Newsgroups: sci.crypt
Lines: 51

On Tue, 10 Nov 1998 14:18:34 GMT, in <729hvq$ehh$1@nnrp1.dejanews.com>, in sci.crypt malinov@mindless.com wrote:

>Terry Ritter said something like . . .
>
>> It is my understanding that there is "a NSA desk" in the PTO which
>> does review crypto applications. If so, it must be a tough job.
>
>Not at all, having worked there many years. All applications are reviewed for
>subject matter which might involve national security. Applications by US
>citizens which involve real cryptography are copied; the copy is sent to
>someone at NSA for review.

You mean they send over the entire input to the crypto section? If not, the person who makes the decision about what to send over would seem to need some knowledge beyond patents.

>Secrecy orders are rare. They are not easily
>impressed.

It's more than that: Secrecy orders on crypto inherently identify systems which the government finds particularly interesting. Few secrecy orders last forever, so the very use of this power eventually highlights what it is supposed to hide. There may be very few situations where that is warranted. And of course a secrecy order is really only useful on ideas which have not been published.

>> My Dynamic Substitution patent file actually *disappeared* from the
>> PTO for a while in 1990. Presumably it was signed out, but the file
>> was physically out of the PTO.
>
>Welcome to the bureaucracy. I can't say for sure, but I'd bet good money
>there was a dumb reason your file wasn't where it should have been.
>Government dumbness outweighs conspiracy by several orders of magnitude.

Normally very true, although in this case the clerks were more hush-hush close-mouthed than in the usual screw-up. I was eventually bucked up to the department head Herself and she wouldn't tell me where the file was or why, which seems unusual to this day.

---
Terry Ritter ritter@io.com http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 11 Nov 1998 13:54:56 GMT
From: malinov@mindless.com
Message-ID: <72c4vg$kau$1@nnrp1.dejanews.com>
References: <3648892f.4989511@news.io.com>
Newsgroups: sci.crypt
Lines: 47

Terry said something like . . .

> You mean they send over the entire input to the crypto section? If
> not, the person who makes the decision about what to send over would
> seem to need some knowledge beyond patents.

They send all the nuts and bolts crypto to NSA - i.e. no protocols, no business apps, just algorithms for turning plaintext into ciphertext. At one time, half of the screeners were crypto examiners. But it doesn't take a cryptographer to recognize cryptography. NSA decides if there's anything worth looking at.

> It's more than that: Secrecy orders on crypto inherently identify
> systems which the government finds particularly interesting. Few
> secrecy orders last forever, so the very use of this power eventually
> highlights what it is supposed to hide. There may be very few
> situations where that is warranted.

Actually, I was being glib. Secrecy orders are only imposed on government owned systems, usually classified from birth. Ostensibly, they're looking for projects they already own - although I suspect they use the patent review system to keep an extra eye on developing technology. Secrecy orders are routinely rescinded when the information they protect is outed.

With few exceptions, the government does not file patent applications for cryptography. I gave NSA a patent for a key escrow system, and that was probably the only NSA application I ever saw. Never Say Anything.

> Normally very true, although in this case the clerks were more
> hush-hush close-mouthed than in the usual screw-up. I was eventually
> bucked up to the department head Herself and she wouldn't tell me
> where the file was or why, which seems unusual to this day.

Admissions create exposure for a bureaucrat, especially when dealing with the public. Anything is possible, but in fourteen years at the PTO, I witnessed no covert operations and twenty million instances of hush-hush bureaucratic bumbling. My money is still on "whoops, goof, what application?"

David Cain

--
Power belongs to those who dare . . . Sapere Aude

-----------== Posted via Deja News, The Discussion Network ==----------
http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 10 Nov 1998 19:42:53 GMT
From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard)
Message-ID: <36489454.11838628@news.prosurfr.com>
References: <729hvq$ehh$1@nnrp1.dejanews.com>
Newsgroups: sci.crypt
Lines: 31

malinov@mindless.com wrote, in part:

>Secrecy orders are rare. They are not easily
>impressed.

I'm not surprised,

- considering the embarrassment resulting from two unwarranted secrecy orders during the 1970s, and
- given that ciphers, and not cryptanalytic approaches, are usually the subjects of patents, while there probably is quite a bit in the field of cryptanalysis that the NSA would like to have remain secret,

unless someone comes up with a radically new idea, on the order of public-key cryptography, what is there to classify?

Existing block ciphers include elements that can be strung together on small computers with more complexity; enough so that unbreakable encryption is already a reality for anyone who wants it.

Quantum computing ... that could change the situation, both for ways of making it practical, and for ciphers specifically designed to be resistant to it.

The NSA has many secrets, I'm sure ... but how to make a really, really secure cipher is not one of them. (What things you don't have to bother with, and yet still be secure ... now _that_ is, no doubt, highly classified.)

John Savard
http://www.freenet.edmonton.ab.ca/~jsavard/index.html
Subject: Re: Memo to the Amateur Cipher Designer
Date: Tue, 10 Nov 1998 16:42:05 GMT
From: bo.doemstedt@mbox200.swipnet.se (Bo Dömstedt)
Message-ID: <364a606f.12593692@nntpserver.swip.net>
References: <3647b41e.4433230@news.io.com>
Newsgroups: sci.crypt
Lines: 19

ritter@io.com (Terry Ritter) wrote:
>It is my understanding that there is "a NSA desk" in the PTO which
>does review crypto applications. If so, it must be a tough job.
>
>There is a whole section to the MPEP (Manual of Patent Examination
>Procedure) that deals with secrecy orders, and anybody can read that.
[...]

Fantastic! What would happen if some foreigner, such as me, would file a cipher patent application? Is there some international co-operation of secrecy orders? :)

Bo Dömstedt
Cryptographer
Protego Information AB
Malmoe, Sweden
SG100 Hardware Random Number Generator
http://www.protego.se/sg100_en.htm
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 11 Nov 1998 16:25:00 GMT
From: malinov@mindless.com
Message-ID: <72cdot$s3i$1@nnrp1.dejanews.com>
References: <364a606f.12593692@nntpserver.swip.net>
Newsgroups: sci.crypt
Lines: 22

Bo said something like . . .

> Fantastic! What would happen if some foreigner, such as me, would
> file a cipher patent application? Is there some international
> co-operation of secrecy orders? :)

If you filed an application from Sweden in the US, it would not even be shown to NSA. If you lived in the US, or worked with a US citizen as a joint inventor, they'd take a look. If any of it came from here, it might be ours. But the US is usually more than happy to publish foreign secrets. ; )

The US has an agreement with NATO on secrecy orders, but that just allows NATO members a mechanism to file classified applications in the US. All original classification would be done in the home country.

David Cain

--
Power belongs to those who dare . . . Sapere Aude

-----------== Posted via Deja News, The Discussion Network ==----------
http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 30 Oct 1998 20:01:08 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <363a1ada.12425654@news.io.com>
References: <3639d8bf.741333@news.visi.com>
Newsgroups: sci.crypt
Lines: 88

On Fri, 30 Oct 1998 15:31:06 GMT, in <3639d8bf.741333@news.visi.com>, in sci.crypt schneier@counterpane.com (Bruce Schneier) wrote:

>[...]
>Some cryptographic algorithms are patented, yes. I'm not sure how
>that's relevant.

For one thing, the patent literature is far more "archival" than almost any academic journal.

>I do not know of any academic cryptographers that
>regularly look through the U.S. patent system.

I have no doubt that understanding the patent literature is substantially more difficult than understanding academic papers. Still, it *is* published technology. Failing to know published technology means failing to be an expert in the field.

>Patents are not a
>peer-reviewed publication. If an academic (in any discipline)
>presented a list of patents to his tenure review board, they would not
>be considered publication.

Obviously we need to adjust our understanding of an academic as an expert. People can hardly be experts on a field if they refuse to keep informed of parts of it.

The implication that any field consists only of that in the academic literature is not only insulting, it is also dangerously wrong for academia. When I was doing processor design at Motorola, some of my former professors came over, and simply had no idea how MOS design worked. They were irrelevant, and now we see how that happens. (Of course, Motorola could not have had a public web page on our design technology, but the profs probably wouldn't have used it anyway. They were arrogant.)

>Patents are not relevant to academic publication. There are academics
>who also patent. Ritter is an example of someone who does not publish
>(in an academic sense) but does patent. His writings are generally
>ignored by the academic community. I'm sorry this is true; I'd like
>it to be different.

It's *not* true that I don't publish; I just don't publish in a particular form and outlet. It *is* true that I rarely even consider a magazine publication anymore, let alone an academic journal. But the material is there. The content is there. If academics fail to click up my pages and read them, I probably can't force them to do so.

>If I wrote a paper on Ritter's designs, citing his patents and Usenet
>postings and webpages, I believe that I would have a lot of trouble
>getting it published.

Now, I think *that* is a serious problem: If your paper is reviewed not by its content, but by where the original ideas came from, or what its references are, we are back to having a serious conflict with the meaning of Science.

And I have been a peer reviewer: I claim that publication references should be checked for correctness and applicability to the content; that's it. Authors who allow reviewers to remove valid references risk real damage to their reputation when prior publications come to light. Acknowledging the prior art is not optional. The appearance of having used someone else's work for your advantage is not going to help people trust you with their own newest work.

>[...]
>I'm really trying to help here. I am not being inconsiderate to the
>program committee of FSE. I am not making use of the FSE name to
>argue my own position. I don't have a position. I have more than my
>share of ad hominem arguments on sci.crypt, and I would appreciate a
>little bit of courtesy.

Everybody has a bad day once in a while (or more often for me). We just need to tolerate stuff sometimes.

---
Terry Ritter ritter@io.com http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 30 Oct 1998 20:34:52 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <363a2037.500639@news.visi.com>
References: <363a1ada.12425654@news.io.com>
Newsgroups: sci.crypt
Lines: 133

On Fri, 30 Oct 1998 20:01:08 GMT, ritter@io.com (Terry Ritter) wrote:

>
>On Fri, 30 Oct 1998 15:31:06 GMT, in <3639d8bf.741333@news.visi.com>,
>in sci.crypt schneier@counterpane.com (Bruce Schneier) wrote:
>
>>[...]
>>Some cryptographic algorithms are patented, yes. I'm not sure how
>>that's relevant.
>
>For one thing, the patent literature is far more "archival" than
>almost any academic journal.
>
>>I do not know of any academic cryptographers that
>>regularly look through the U.S. patent system.
>
>I have no doubt that understanding the patent literature is
>substantially more difficult than understanding academic papers.
>Still, it *is* published technology. Failing to know published
>technology means failing to be an expert in the field.

Look, I'm not arguing about whether this is good or beneficial or useful. I am just stating some facts. Perhaps it is true that someone who does not regularly read the patent output stream should not be considered an expert in the field. I don't know. None of this is related to my point, which is about what actually does happen.

>>Patents are not a
>>peer-reviewed publication. If an academic (in any discipline)
>>presented a list of patents to his tenure review board, they would not
>>be considered publication.

>Obviously we need to adjust our understanding of an academic as an
>expert. People can hardly be experts on a field if they refuse to
>keep informed of parts of it.

Adjust away. That's fine.

>The implication that any field consists only of that in the academic
>literature is not only insulting, it is also dangerously wrong for
>academia. When I was doing processor design at Motorola, some of my
>former professors came over, and simply had no idea how MOS design
>worked. They were irrelevant, and now we see how that happens. (Of
>course, Motorola could not have had a public web page on our design
>technology, but the profs probably wouldn't have used it anyway. They
>were arrogant.)

I don't mean to insult you. I am just the bearer of news. You are free to be insulted. Maybe you are correct. I have found that it is better to play by the rules as they are than it is to complain about how unfair they are. I have found this to be true, even if the rules are unfair.

>>Patents are not relevant to academic publication. There are academics
>>who also patent. Ritter is an example of someone who does not publish
>>(in an academic sense) but does patent. His writings are generally
>>ignored by the academic community. I'm sorry this is true; I'd like
>>it to be different.
>
>It's *not* true that I don't publish; I just don't publish in a
>particular form and outlet.

Which is why I added the parenthetical remark above.

>It *is* true that I rarely even consider a magazine publication
>anymore, let alone an academic journal. But the material is there.
>The content is there. If academics fail to click up my pages and read
>them, I probably can't force them to do so.

You cannot force them to do so.

>>If I wrote a paper on Ritter's designs, citing his patents and Usenet
>>postings and webpages, I believe that I would have a lot of trouble
>>getting it published.
>
>Now, I think *that* is a serious problem: If your paper is reviewed
>not by its content, but by where the original ideas came from, or what
>its references are, we are back to having a serious conflict with the
>meaning of Science.

Possibly we do. But I don't have any conflict here. I am simply stating what I believe to be the realities of publishing in journals, conferences, or workshops. I would prefer it if I could get such a paper published.

A few weeks ago I mentioned something that happened to me in one of my papers. In the submitted version of one of the two papers on related-key cryptanalysis, we talked about the analysis of S1, a cipher posted to sci.crypt and believed by some to be Skipjack. (As it turned out, it wasn't.) Among the anonymous review comments we received was a note saying that ciphers posted to sci.crypt are not considered interesting (I forget the exact wording), and that we should delete that section from our paper. We did.

Look, I didn't write the comment. I would have liked to include our result (well, David Wagner's result) on S1 in the paper. I thought it was unfair. But it did happen. This is a true story.

>And I have been a peer reviewer: I claim that publication references
>should be checked for correctness and applicability to the content;
>that's it. Authors who allow reviewers to remove valid references
>risk real damage to their reputation when prior publications come to
>light. Acknowledging the prior art is not optional. The appearance
>of having used someone else's work for your advantage is not going to
>help people trust you with their own newest work.

I've never heard of reviewers removing references. I've heard of reviewers asking for changes in content. And remember, there is an agreement on both sides here. The author is agreeing to make the change in order for the paper to be published. We willingly removed the section on S1 from our paper because we wanted it to be published, and didn't feel that we lost much in removing it.

>>[...]
>>I'm really trying to help here. I am not being inconsiderate to the
>>program committee of FSE. I am not making use of the FSE name to
>>argue my own position. I don't have a position. I have more than my
>>share of ad hominem arguments on sci.crypt, and I would appreciate a
>>little bit of courtesy.
>
>Everybody has a bad day once in a while (or more often for me). We
>just need to tolerate stuff sometimes.

I'm about as tolerant as you can get, but the personal attacks on me have been going on for a lot longer than a day and are getting worse. I have just installed a newsreader with a killfile, though, and things are looking up.

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590
Free crypto newsletter. See: http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: Sat, 31 Oct 1998 00:13:17 GMT
From: dscott@networkusa.net
Message-ID: <71dkmt$763$1@nnrp1.dejanews.com>
References: <363a2037.500639@news.visi.com>
Newsgroups: sci.crypt
Lines: 26

In article <363a2037.500639@news.visi.com>, schneier@counterpane.com (Bruce Schneier) wrote:
>
>
>>[...]
> I'm about as tolerant as you can get, but the personal attacks on me
> have been going on for a lot longer than a day and are getting worse.
> I have just installed a newsreader with a killfile, though, and things
> are looking up.
>
> Bruce
>

How politically correct. I guess that means he has not the balls to follow through with the dough. So he can pretend not to read all the posts. Bruce is a little man with a big EGO. He reads it!

--
http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
ftp search for scott*u.zip in norway

-----------== Posted via Deja News, The Discussion Network ==----------
http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
Subject: Re: Memo to the Amateur Cipher Designer
Date: 31 Oct 1998 00:36:10 GMT
From: jpeschel@aol.com (JPeschel)
Message-ID: <19981030193610.25670.00001657@ng34.aol.com>
References: <71dkmt$763$1@nnrp1.dejanews.com>
Newsgroups: sci.crypt
Lines: 17

dscott@networkusa.net writes:

> How politically correct. I guess that means he has not the balls
>to follow through with the dough. So he can pretend not to read
>all the posts. Bruce is a little man with a big EGO

Look, Dave, you aren't helping your cause any by flinging personal insults. Analyze his work -- Blowfish, Twofish, etc. -- if you must, but we already got the idea you don't like Schneier.

Joe

__________________________________________
Joe Peschel D.O.E. SysWorks
http://members.aol.com/jpeschel/index.htm
__________________________________________
Subject: Re: Memo to the Amateur Cipher Designer
Date: Sat, 31 Oct 1998 01:27:55 GMT
From: remo.a.linky@anagrams.r.us (Remo A. Linky)
Message-ID: <363a6605.428958859@news.alt.net>
References: <363a2037.500639@news.visi.com>
Newsgroups: sci.crypt
Lines: 21

schneier@counterpane.com (Bruce Schneier) wrote:

>I'm about as tolerant as you can get,

I noticed that.

>but the personal attacks on me
>have been going on for a lot longer than a day and are getting worse.

It's a foolish way to treat sci.crypt's most valuable contributor.

>I have just installed a newsreader with a killfile, though, and things
>are looking up.

You upgraded from Forte Free Agent to Forte Agent. Good move! It has a powerful and versatile filter expression language that should make things more livable for you here. Thanks for hanging in there!

--
"Remo A. Linky" better known as 2681.749530@mail.serve.com.
0123 4 56789 <- Use this key to decode my email address.
5 X 5 Poker - http://www.serve.com/games/
Subject: Re: Memo to the Amateur Cipher Designer
Date: Sat, 31 Oct 1998 17:23:36 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <363e477c.2403864@news.visi.com>
References: <363a6605.428958859@news.alt.net>
Newsgroups: sci.crypt
Lines: 30

On Sat, 31 Oct 1998 01:27:55 GMT, remo.a.linky@anagrams.r.us (Remo A. Linky) wrote:

>schneier@counterpane.com (Bruce Schneier) wrote:
>
>>I'm about as tolerant as you can get,
>
>I noticed that.
>
>>but the personal attacks on me
>>have been going on for a lot longer than a day and are getting worse.
>
>It's a foolish way to treat sci.crypt's most valuable contributor.

Thanks.

>>I have just installed a newsreader with a killfile, though, and things
>>are looking up.
>
>You upgraded from Forte Free Agent to Forte Agent. Good move! It has a
>powerful and versatile filter expression language that should make things
>more livable for you here. Thanks for hanging in there!

It's working out already....

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590
Free crypto newsletter. See: http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: Sat, 31 Oct 1998 03:59:13 GMT
From: dscott@networkusa.net
Message-ID: <71e1uh$nv8$1@nnrp1.dejanews.com>
References: <363a2037.500639@news.visi.com>
Newsgroups: sci.crypt
Lines: 29

In article <363a2037.500639@news.visi.com>, schneier@counterpane.com (Bruce Schneier) wrote:

snip...
>
> I don't mean to insult you. I am just the bearer of news. You are
> free to be insulted. Maybe you are correct. I have found that it is
> better to play by the rules as they are than it is to complain about
> how unfair they are. I have found this to be true, even if the rules
> are unfair.
>
> snip....

Let's examine this GEM from the so-called crypto god for what it really means. It means I am recognized as on top. So even though my rules are unfair, too bad for you other guys, and I don't mind telling about these unfair rules of mine. Of course I was paraphrasing him; by I (I meant Mr. B. S.).

--
http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
ftp search for scott*u.zip in norway
Subject: Re: Memo to the Amateur Cipher Designer
Date: Sat, 31 Oct 1998 02:14:18 -0600
From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw)
Message-ID: <jgfunj-3110980214190001@dialup168.itexas.net>
References: <363a2037.500639@news.visi.com>
Newsgroups: sci.crypt
Lines: 26

In article <363a2037.500639@news.visi.com>, schneier@counterpane.com (Bruce Schneier) wrote:
>
> I'm about as tolerant as you can get, but the personal attacks on me
> have been going on for a lot longer than a day and are getting worse.
> I have just installed a newsreader with a killfile, though, and things
> are looking up.
>

That seems somehow consistent. But, please don't consider our academic and philosophical criticisms as personal attacks; heated debate can merely mean that people are getting down to the most important aspects of their differences, those which they feel comfortable with and find painful to analyze.

It is good that you have strong feelings about what you know; it could mean that you are likely to be able to defend your position with information you have considered already. However, if you have missed something, it is best to hear from proponents of other points of view who might be just as zealous for their own reasons. Truth is sometimes found where no one previously stood, and all relish in the outcome.

--
---
Heard recently on Larry King: Jimmy Carter and Billy Graham agreeing that it is sometimes wise to tell a lie.
---
Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Sat, 31 Oct 1998 17:25:23 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <363f47a9.2448333@news.visi.com>
References: <jgfunj-3110980214190001@dialup168.itexas.net>
Newsgroups: sci.crypt
Lines: 35

On Sat, 31 Oct 1998 02:14:18 -0600, jgfunj@EnqvbSerrGrknf.pbz (W T Shaw) wrote:

>In article <363a2037.500639@news.visi.com>, schneier@counterpane.com
>(Bruce Schneier) wrote:
>>
>> I'm about as tolerant as you can get, but the personal attacks on me
>> have been going on for a lot longer than a day and are getting worse.
>> I have just installed a newsreader with a killfile, though, and things
>> are looking up.
>>
>That seems somehow consistent. But, please don't consider our academic
>and philosophical criticisms as personal attacks; heated debate can merely
>mean that people are getting down to the most important aspects of their
>differences, those which they feel comfortable with and find painful to
>analyze.

I'm not. I like the academic and philosophical criticisms; that's why I stay here.

>It is good that you have strong feelings about what you know; it could
>mean that you are likely to be able to defend your position with
>information you have considered already. However, if you have missed
>something, it is best to hear from proponents of other points of view who
>might be just as zealous for their own reasons. Truth is sometimes found
>where no one previously stood, and all relish in the outcome.

Of course. It's the bad-English slightly-psychotic zero-content personal abuse that I was tired of.

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590
Free crypto newsletter. See: http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: Sat, 31 Oct 1998 02:01:34 -0600
From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw)
Message-ID: <jgfunj-3110980201340001@dialup168.itexas.net>
References: <363a1ada.12425654@news.io.com>
Newsgroups: sci.crypt
Lines: 18

In article <363a1ada.12425654@news.io.com>, ritter@io.com (Terry Ritter) wrote:
>
> If your paper is reviewed
> not by its content, but by where the original ideas came from, or what
> its references are, we are back to having a serious conflict with the
> meaning of Science.
>

Then, so much for inspiration. Answering the call for knowing exactly where ideas might come from might cause some rather foolish sounding, be they most important, references. Sometimes it is best to see how far you can go on your own without tainting your thoughts with the misgivings of others.

--
---
Heard recently on Larry King: Jimmy Carter and Billy Graham agreeing that it is sometimes wise to tell a lie.
---
Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 30 Oct 1998 22:00:05 GMT
From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard)
Message-ID: <363a367c.19019214@news.prosurfr.com>
References: <3639d8bf.741333@news.visi.com>
Newsgroups: sci.crypt
Lines: 14

schneier@counterpane.com (Bruce Schneier) wrote, in part:

>Patents are not relevant to academic publication. There are academics
>who also patent. Ritter is an example of someone who does not publish
>(in an academic sense) but does patent. His writings are generally
>ignored by the academic community. I'm sorry this is true; I'd like
>it to be different.

It should be noted, though, that Terry Ritter has had academic publications in the past; three or so papers in Cryptologia on Dynamic Substitution and related topics.

John Savard
http://members.xoom.com/quadibloc/index.html
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 30 Oct 1998 23:06:10 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <363a4656.4232760@news.visi.com>
References: <363a367c.19019214@news.prosurfr.com>
Newsgroups: sci.crypt
Lines: 22

On Fri, 30 Oct 1998 22:00:05 GMT, jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) wrote:

>schneier@counterpane.com (Bruce Schneier) wrote, in part:
>
>>Patents are not relevant to academic publication. There are academics
>>who also patent. Ritter is an example of someone who does not publish
>>(in an academic sense) but does patent. His writings are generally
>>ignored by the academic community. I'm sorry this is true; I'd like
>>it to be different.
>
>It should be noted, though, that Terry Ritter has had academic
>publications in the past; three or so papers in Cryptologia on Dynamic
>Substitution and related topics.

Thanks for pointing that out. I had meant to, but forgot.

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590
Free crypto newsletter. See: http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: Sat, 31 Oct 1998 03:51:34 GMT
From: dscott@networkusa.net
Message-ID: <71e1g6$nae$1@nnrp1.dejanews.com>
References: <363a4656.4232760@news.visi.com>
Newsgroups: sci.crypt
Lines: 33

In article <363a4656.4232760@news.visi.com>, schneier@counterpane.com (Bruce Schneier) wrote:
> On Fri, 30 Oct 1998 22:00:05 GMT, jsavard@tenMAPSONeerf.edmonton.ab.ca
> (John Savard) wrote:
>
> >schneier@counterpane.com (Bruce Schneier) wrote, in part:
> >
> >>Patents are not relevant to academic publication. There are academics
> >>who also patent. Ritter is an example of someone who does not publish
> >>(in an academic sense) but does patent. His writings are generally
> >>ignored by the academic community. I'm sorry this is true; I'd like
> >>it to be different.
> >
> >It should be noted, though, that Terry Ritter has had academic
> >publications in the past; three or so papers in Cryptologia on Dynamic
> >Substitution and related topics.
>
> Thanks for pointing that out. I had meant to, but forgot.
>

Get real, your arrogance is showing through. NO WAY IN HELL did you mean to. Just like Clinton, he wasn't sure he had sex. You are a good politician. I doubt if you can hold a candle to Ritter in the brains department though.

--
http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
ftp search for scott*u.zip in norway
Subject: Re: Memo to the Amateur Cipher Designer
Date: Sat, 31 Oct 1998 03:47:59 GMT
From: dscott@networkusa.net
Message-ID: <71e19g$n7t$1@nnrp1.dejanews.com>
References: <363a367c.19019214@news.prosurfr.com>
Newsgroups: sci.crypt
Lines: 38

In article <363a367c.19019214@news.prosurfr.com>, jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard) wrote:
> schneier@counterpane.com (Bruce Schneier) wrote, in part:
>
> >Patents are not relevant to academic publication. There are academics
> >who also patent. Ritter is an example of someone who does not publish
> >(in an academic sense) but does patent. His writings are generally
> >ignored by the academic community. I'm sorry this is true; I'd like
> >it to be different.
>
> It should be noted, though, that Terry Ritter has had academic
> publications in the past; three or so papers in Cryptologia on Dynamic
> Substitution and related topics.
>
> John Savard
> http://members.xoom.com/quadibloc/index.html
>

John, Bruce most likely was in his usual put-people-down mode. I guess he never reads things like Cryptologia. If Ritter gets published in that, it is a better honor than in some toy book Brucey writes. Ritter is a person whose life is real crypto; Bruce most likely has people doing it for him so he can be the front man. I have never met either man, but it is obvious from the posts of past that Ritter is more up on what is happening in real crypto. But Bruce is a better PR man. And when it comes to money, good PR wins hands down. But then again this is just my humble opinion.

--
http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
ftp search for scott*u.zip in norway
Subject: Re: Memo to the Amateur Cipher Designer
Date: Sat, 31 Oct 1998 04:52:24 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <363a971b.2194234@news.io.com>
References: <71e19g$n7t$1@nnrp1.dejanews.com>
Newsgroups: sci.crypt
Lines: 19

On Sat, 31 Oct 1998 03:47:59 GMT, in <71e19g$n7t$1@nnrp1.dejanews.com>, in sci.crypt dscott@networkusa.net wrote . . . all sorts of stuff:

Time out guys! Try to relax.

Different viewpoints can be irritating but life would be pretty dull without them. Or we can get mad and yell, but that won't change anything or anybody, or drive anybody away, or create any groundswell of approval, so all of that is just a waste of time for everybody.

Let's just try to hold it down a little.

---
Terry Ritter ritter@io.com http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 28 Oct 1998 22:00:27 GMT
From: ritter@io.com (Terry Ritter)
Message-ID: <363793f4.15728422@news.io.com>
References: <36373706.886670@news.visi.com>
Newsgroups: sci.crypt
Lines: 45

On Wed, 28 Oct 1998 15:32:00 GMT, in <36373706.886670@news.visi.com>, in sci.crypt schneier@counterpane.com (Bruce Schneier) wrote:

>[...]
>There are Ritter's
>designs. Any of these algorithms could potentially be cryptanalyzed
>by amateurs.

In fact I *encourage* my designs to be broken.

The problem I pose in my designs is distinctly unlike the usual cryptanalysis situation: Normally, someone develops a large, complex, fixed design and says "break it." Such an attack generally takes a very significant investment of resources. Even then the best we can know is that the given design "was" or "was not" broken.

But my stuff is *scalable*: We have *no* *doubt* that the ultimate scaled-down versions will be weak. By using few component types and an overall regular structure, I hope to *expose* every avenue into the design. The very intent of this is to have some well-understood strength at tiny size. The hope of this strategy is the ability to extrapolate from one or more toy versions to real size strength values which have some science behind them. That would be a nice change.

Currently I display no cipher code, but of course the scaled-down ciphers will be special builds anyway. I obviously do have some internal prototypes (the ones aimed for AES before I was not allowed to participate) which I can test and measure. But technology development has continued and I expect that any new versions of these ciphers would use the keyed nonlinear mixings I described last month. In the Mixing designs, the only thing left which is not keyed is the FFT-style mixing pattern (and that could be).

A great deal can be learned by studying systems and attacks of the past. I give some references to stream cipher constructions and attacks in:

http://www.io.com/~ritter/LEARNING.HTM#ForDesigners

---
Terry Ritter ritter@io.com http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 28 Oct 1998 22:45:43 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <36379d96.2892303@news.visi.com>
References: <363793f4.15728422@news.io.com>
Newsgroups: sci.crypt
Lines: 70

On Wed, 28 Oct 1998 22:00:27 GMT, ritter@io.com (Terry Ritter) wrote:

>
>On Wed, 28 Oct 1998 15:32:00 GMT, in <36373706.886670@news.visi.com>,
>in sci.crypt schneier@counterpane.com (Bruce Schneier) wrote:
>
>>[...]
>>There are Ritter's
>>designs. Any of these algorithms could potentially be cryptanalyzed
>>by amateurs.
>
>In fact I *encourage* my designs to be broken.

Of course. As any reasonable designer would.

>The problem I pose in my designs is distinctly unlike the usual
>cryptanalysis situation: Normally, someone develops a large, complex,
>fixed design and says "break it." Such an attack generally takes a
>very significant investment of resources. Even then the best we can
>know is that the given design "was" or "was not" broken.
>
>But my stuff is *scalable*: We have *no* *doubt* that the ultimate
>scaled-down versions will be weak. By using few component types and
>an overall regular structure, I hope to *expose* every avenue into the
>design. The very intent of this is to have some well-understood
>strength at tiny size. The hope of this strategy is the ability to
>extrapolate from one or more toy versions to real size strength values
>which have some science behind them. That would be a nice change.

But your designs are as analyzable as any others. It would be better if you would put up strawman designs, so that people would have something concrete to analyze: the idea being that the concrete analysis serves to illuminate something about the general design.

But in some ways your stuff is easier for a beginner to look at; he can attack the toy versions successfully and learn from the results, and then hopefully take that knowledge to the more elaborate versions.

>Currently I display no cipher code, but of course the scaled-down
>ciphers will be special builds anyway. I obviously do have some
>internal prototypes (the ones aimed for AES before I was not allowed
>to participate)

(Don't take me there....)

>which I can test and measure. But technology
>development has continued and I expect that any new versions of these
>ciphers would use the keyed nonlinear mixings I described last month.
>In the Mixing designs, the only thing left which is not keyed is the
>FFT-style mixing pattern (and that could be).
>
>A great deal can be learned by studying systems and attacks of the
>past. I give some references to stream cipher constructions and
>attacks in:
>
> http://www.io.com/~ritter/LEARNING.HTM#ForDesigners
>
>Terry Ritter ritter@io.com http://www.io.com/~ritter/
>Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM

By the way, thank you for not assuming that I was calling your designs poor or weak or stupid or anything like that. I simply put your work in the pile as something that has not received sufficient attention. I didn't think you would misinterpret what I said, although I got two emails from people who warned me you would. Thank you again.

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590
Free crypto newsletter. See: http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 30 Oct 1998 22:06:31 GMT
From: jsavard@tenMAPSONeerf.edmonton.ab.ca (John Savard)
Message-ID: <363a374d.19228278@news.prosurfr.com>
References: <36379d96.2892303@news.visi.com>
Newsgroups: sci.crypt
Lines: 18

schneier@counterpane.com (Bruce Schneier) wrote, in part:

>I didn't think you would misinterpret what I said, although I got two
>emails from people who warned me you would. Thank you again.

It was clear enough what you originally said, so I wouldn't think that any reasonable person would misinterpret it: that there are these various designs out there, and an amateur might consider looking at them to try and cryptanalyze them.

But the quote as I saw it in later posts, out of context, seems to say that here are designs that even amateurs can break. Thus, if Terry Ritter, or someone else, had seen only the quote, and couldn't get at the original post (these things happen on USENET), misinterpretation would have been excusable.

John Savard
http://members.xoom.com/quadibloc/index.html
Subject: Re: Memo to the Amateur Cipher Designer
Date: Wed, 28 Oct 1998 22:25:25 GMT
From: "Douglas A. Gwyn" <gwyn@arl.mil>
Message-ID: <363799D5.7DD4A347@arl.mil>
References: <3636F8F7.F8287D6B@stud.uni-muenchen.de>
Newsgroups: sci.crypt
Lines: 31

One point about the role of amateurs in cryptosystem design:

One can consider a body of knowledge (think: physics) as a domain for a "goodness" function that is more or less continuous with maxima at the "best" understanding. As usual in optimization problems, one can search for the maximum via "hill-climbing" methods, but there is the danger of converging to a local maximum rather than the higher global maximum. Thus, a continual evolution of knowledge by incremental improvements might reach stability but completely fail to attain a better understanding; in applications of hill-climbing, one sometimes resorts to a "scattering" of starting points searched in parallel, or an occasional step in what temporarily appears to be a detour, with the hope that the problem of convergence to local maxima is thereby reduced and thus that better results are found. (One improves the odds of attaining the true global maximum.)

Similarly, occasionally breakthroughs in knowledge are made by "dabblers" who work outside the mainstream. However, the odds are still that in any given case a dabbler is wasting his time. It's just good for the overall evolution of science that there are a lot of dabblers.

Unfortunately, in fields like particle physics, dabblers aren't even able to get on the playing field; thus those fields tend to get into a rut where everybody sings from the same sheet of music and never realize that it's the wrong song, because there is no corrective factor.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 29 Oct 1998 15:55:28 -0600
From: jgfunj@EnqvbSerrGrknf.pbz (W T Shaw)
Message-ID: <jgfunj-2910981555280001@dialup105.itexas.net>
References: <36386EBF.E621AB07@egg.chips.and.spam.com> <19981027172831.09766.00000187@ng26.aol.com> <36363316.8304318@news.visi.com>
Newsgroups: sci.crypt
Lines: 35

In article <36386EBF.E621AB07@egg.chips.and.spam.com>, fungus <spam@egg.chips.and.spam.com> wrote:

> JPeschel wrote:
> >
> > schneier@counterpane.com writes:
> > >Is there an interest in
> > >finding an algorithm and, as a group, cryptanalyzing it?
> >
> > I can think of one algorithm that might interest the group:
> > scott16!
> >
>
> No, please...!
>
> If we break scott16 or scott19 then all that will happen
> is that a scott21 will appear, and we'll be back to square
> one....
>
> Don't believe me? Ask what happened to scott14...
>

Don't you believe in evolution? Advances are allowed to be vertical as well as horizontal, which means that one can improve on his own designs and others can cherry pick and cull out the obvious bad aspects. However, I'm not sure what the dressed weight of one of his ciphers would be after all the waste was trimmed; there may actually be something worthwhile, worth crediting him, maybe not; full analysis might tell.

I suppose I am an optimist, but fairness seems to mean giving someone the benefit of the doubt, whether you want to or not.

--
---
Please excuse if there are multiple postings for my responses...I have no idea where they come from as I only receive one confirmation for each posting from my newsserver.
---
Decrypt with ROT13 to get correct email address.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Thu, 29 Oct 1998 20:59:10 GMT
From: schneier@counterpane.com (Bruce Schneier)
Message-ID: <3638d6d7.22562148@news.visi.com>
References: <jgfunj-2910981555280001@dialup105.itexas.net>
Newsgroups: sci.crypt
Lines: 26

On Thu, 29 Oct 1998 15:55:28 -0600, jgfunj@EnqvbSerrGrknf.pbz (W T Shaw) wrote:

>> If we break scott16 or scott19 then all that will happen
>> is that a scott21 will appear, and we'll be back to square
>> one....
>>
>> Don't believe me? Ask what happened to scott14...
>>
>Don't you believe in evolution? Advances are allowed to be vertical as
>well as horizontal, which means that one can improve on his own designs
>and others can cherry pick and cull out the obvious bad aspects. However,
>I'm not sure what the dressed weight of one of his ciphers would be after
>all the waste was trimmed; there may actually be something worthwhile,
>worth crediting him, maybe not; full analysis might tell.
>
>I suppose I am an optimist, but fairness seems to mean giving someone the
>benefit of the doubt, whether you want to or not.

If someone tries hard enough, he will wear his "benefit of the doubt" out. I suspect that is what is happening in this case.

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems     Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419       Fax: 612-823-1590
           Free crypto newsletter.  See:  http://www.counterpane.com
Subject: Re: Memo to the Amateur Cipher Designer
Date: Fri, 30 Oct 1998 01:49:25 GMT
From: dscott@networkusa.net
Message-ID: <71b5v5$s49$1@nnrp1.dejanews.com>
References: <3638d6d7.22562148@news.visi.com>
Newsgroups: sci.crypt
Lines: 51

In article <3638d6d7.22562148@news.visi.com>, schneier@counterpane.com (Bruce Schneier) wrote:

> On Thu, 29 Oct 1998 15:55:28 -0600, jgfunj@EnqvbSerrGrknf.pbz (W T
> Shaw) wrote:
>
> >> If we break scott16 or scott19 then all that will happen
> >> is that a scott21 will appear, and we'll be back to square
> >> one....
> >>
> >> Don't believe me? Ask what happened to scott14...
> >>
> >Don't you believe in evolution? Advances are allowed to be vertical as
> >well as horizontal, which means that one can improve on his own designs
> >and others can cherry pick and cull out the obvious bad aspects. However,
> >I'm not sure what the dressed weight of one of his ciphers would be after
> >all the waste was trimmed; there may actually be something worthwhile,
> >worth crediting him, maybe not; full analysis might tell.
> >
> >I suppose I am an optimist, but fairness seems to mean giving someone the
> >benefit of the doubt, whether you want to or not.
>
> If someone tries hard enough, he will wear his "benefit of the doubt"
> out. I suspect that is what is happening in this case.
>

OK Bruce, I hope others read your response to re:book recom since it was the only time I think you may have thrown a bone my way. The question is, was it full of meat or so empty as to be marrowless? Not sure if I should give you the benefit of the doubt, since you only tend to look down on the masses and prevent anyone with a good idea from getting a fair chance. Look at my response to your response to me; the ball is in your court.

> Bruce
> **********************************************************************
> Bruce Schneier, President, Counterpane Systems     Phone: 612-823-1098
> 101 E Minnehaha Parkway, Minneapolis, MN 55419       Fax: 612-823-1590
>            Free crypto newsletter.  See:  http://www.counterpane.com
>

--
http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
ftp search for scott*u.zip in norway

-----------== Posted via Deja News, The Discussion Network ==----------
http://www.dejanews.com/       Search, Read, Discuss, or Start Your Own
Subject: Re: Memo to the Amateur Cipher Designer
Date: Sat, 31 Oct 1998 07:53:18 +0100
From: fungus <spam@egg.chips.and.spam.com>
Message-ID: <363AB3DE.B3C3378D@egg.chips.and.spam.com>
References: <jgfunj-2910981555280001@dialup105.itexas.net>
Newsgroups: sci.crypt
Lines: 26

W T Shaw wrote:
>
> > Don't believe me? Ask what happened to scott14...
> >
>
> I suppose I am an optimist, but fairness seems to mean giving
> someone the benefit of the doubt, whether you want to or not.
>

A serious analysis of something like ScottXX is a serious undertaking, probably a couple of months of hard work. Given that we can be fairly sure about the outcome (based on personal experience with Mr Scott) nobody's volunteering to do this.

Are you? Read a few of Mr Scott's postings before answering...

--
<\___/>
/ O O \
\_____/  FTB.
Subject: Re: Memo to the Amateur Cipher Designer
Date: Mon, 09 Nov 1998 04:45:45 -1000
From: newWebsite <ww@wW.com>
Message-ID: <36470019.53DE@wW.com>
References: <N910589592.4879@ruby.ansuz.sooke.bc.ca> <363AB3DE.B3C3378D@egg.chips.and.spam.com>
Newsgroups: sci.crypt
Lines: 15

> For whatever it's worth: whenever the web site with the readable algorithm
> descriptions is up, I plan to make a serious examination of the scottNu
> algorithms. I am not a professional nor even a serious amateur
> cryptanalyst, just a programmer who likes encryption, and I don't really
> expect to be able to crack the system. That's a comment on my own
> abilities, not on the strength of the system! But I think it'd be
> interesting to look at, and should I find a weakness in it, I think the
> bragging rights and feeling of achievement would be adequate reward; I
> have no expectation of getting any money from the cipher designer.
> --
> The third girl had an upside-down penguin on      Matthew Skala

The website is ready for you!

http://members.xoom.com/ecil/

Terry Ritter, his current address, and his top page.

Last updated: 1999-01-20