Cryptography-Digest Digest #569, Volume #11      Mon, 17 Apr 00 21:13:01 EDT

Contents:
  Re: Twofish problems... (Ron Yaklime)
  Re: Sony's Playstation2 export-controlled (Diet NSA)
  updated paper on easy entropy (Tom St Denis)
  Fighting fire with fire:  using encryption to bust encryption [0/2] (Gideon Samid)
  Fighting fire with fire:  using encryption to bust encryption [0/2] (Gideon Samid)
  Fighting fire with fire:  using encryption to bust encryption [0/2] (Gideon Samid)
  Re: GOST idea (Tom St Denis)
  Re: Paper on easy entropy ("Trevor L. Jackson, III")
  Just another idea... (Pred.)
  Re: GOST idea (Mok-Kong Shen)
  Re: Paper on easy entropy (Tom St Denis)
  Re: AES-encryption (Tom St Denis)
  Re: Paper on easy entropy (stanislav shalunov)
  Re: GOST idea (Mok-Kong Shen)
  Re: Paper on easy entropy (Mok-Kong Shen)
  Fighting fire with fire:  using encryption to bust encryption [0/2] (Gideon Samid)
  Fighting fire with fire:  using encryption to bust encryption [0/2] (Gideon Samid)
  Fighting fire with fire:  using encryption to bust encryption [0/2] (Gideon Samid)
  Encryption as a cryptanalysis tool [0/2] (Gideon Samid)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Ron Yaklime)
Subject: Re: Twofish problems...
Date: Mon, 17 Apr 2000 23:10:52 GMT

[EMAIL PROTECTED] (JONATHAN DINERSTEIN) wrote:

>Can somebody help out a struggling college student???

>I'm working with Twofish...

>...Does anyone have any suggestions or advice?

[EMAIL PROTECTED] (Bruce Schneier) wrote:

>If you're still able to encrypt and decrypt properly, then whatever
>mistake you're making is repeatable.  I don't know what you're doing
>wrong, but if you can't match the test vectors then what you have
>isn't Twofish.

I'll bet Jonathan appreciates the Internet just a little bit more now than
he did yesterday!
-- 
"Ron Yaklime" is actually 8759 243610 <[EMAIL PROTECTED]>.
 012 3456789 <- Use this key to decode my email address and name.
              Play Five by Five Poker at http://www.5X5poker.com.

------------------------------

Subject: Re: Sony's Playstation2 export-controlled
From: Diet NSA <[EMAIL PROTECTED]>
Date: Mon, 17 Apr 2000 16:02:35 -0700


In article <38FB50FD.17457E25@t-online.de>, Mok-Kong Shen <mok-[EMAIL PROTECTED]> wrote:

>I read in today's newspaper that Sony's PlayStation2 (there
>were mentions to it in some recent threads of this group) is
>under export control of Japan. This seems to indicate that
>its 128 bit processor is indeed very powerful.

The PlayStation2  is not under export
control for crypto reasons but because it
does high speed image processing similar
to the type done in some missile guidance
systems.


"I feel like there's a constant Cuban Missile Crisis in my pants."   
    - President Clinton commenting on the Elian Gonzalez situation


------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: updated paper on easy entropy
Date: Mon, 17 Apr 2000 23:18:23 GMT

I updated the paper (new content and fixed the source), but there are
probably still some flaws... Anyways you can get it at

(html, some formatting lost)
http://24.42.86.123/entropy/base.html

(pdf)
http://24.42.86.123/files/entropy.pdf

(ps)
http://24.42.86.123/files/entropy.ps

Tom

------------------------------

From: Gideon Samid <[EMAIL PROTECTED]>
Subject: Fighting fire with fire:  using encryption to bust encryption [0/2]
Date: Mon, 17 Apr 2000 23:37:06 GMT


FIGHTING FIRE WITH FIRE:  USING ENCRYPTION TO BUST ENCRYPTION


DES, like other strong cryptographies, is characterized by random-like
attributes, on which it rests.  Thus a change of one bit in the DES key
will change each bit in the ciphertext at a probability close to 50%.
Similarly for unit changes in the plaintext.  This pattern-less aspect
indicates cryptographic strength.

Using TaKE (Tailored Key Encryption) one could find a key that would fit
a given ciphertext C with a plaintext of choice P.  Hence any C, however
random-like, may be transformed to a string P, which is as "far from
being random" as desired.  Similarly, given a set of ciphertexts C1, C2,
C3... one could iteratively look for a key K such that the corresponding
plaintexts P1, P2, ... will be increasingly non-random.  This
de-randomization process may apply to any given set of random strings.
It can be applied to sets of DES variables (C, K, P) which are subject
for cryptanalysis.  In the transformed format these DES variables will
lose their random-like property, and will be vulnerable to any of
today's powerful pattern recognition tools.

De-randomization (or encryption against encryption) can also be used in
conjunction with the prevailing methods of differential and linear
cryptanalyses.  The evolution of the encryption process may be analyzed
by TaKE-transforming the outcome of each round.

A non-TaKE encryption will not be able to de-randomize input strings at
will.

For details:

See attached TAKE article.


------------------------------


From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: GOST idea
Date: Mon, 17 Apr 2000 23:44:54 GMT



Mok-Kong Shen wrote:
> I have in a previous post explained why one can't unconditionally
> expect that it wouldn't give a worse result. (There w1 and w2,
> differing in more than one bit, may be such that their avalanche
> effects cancel out.) You have either to theoretically show that
> or do sufficient amount of experiments as I mentioned earlier.

w1 = input
w2 = S(w1) <<< 11
w3 = 2 * (w2)^2 + w2

I can't imagine w3 equalling w1 or w2 with high probability.  Of course
this is the case w2 = 0, or w2 = 2^(w-1), but those are two separate
cases.  I am not sure how I would prove that though.

Another idea for the 'mixing' step is to use the F function from TEA
that is

F(x) = S(x ^ (x << 4) ^ (x >> 5))

Which if a bit above bit four and below bit 28 (5 <= x < 28, 23 bits
fall in this range) is changed three active sboxes are going to be
created.  If the bit is above five and bit 28 (27 < x <= 32, 4 bits in
this range) only two active sboxes are created one of the new sboxes is
below bit 28 (thus falls into condition one in the next round). 
Similarly for a bit below 5 (5 > x > 0) we get only two active sboxes.

So with the new above function we are assured to get at least the same
amount of active sboxes with a good chance of getting an extra one for
free.  I don't know if that constitutes a proof, but I am sure P(x) = (x
^ (x << 4) ^ (x >> 5)) is a permutation modulo 2^32.

Tom

------------------------------

Date: Mon, 17 Apr 2000 19:54:43 -0400
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Paper on easy entropy

Tom St Denis wrote:

> Guy Macon wrote:
> >
> > In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Tom St Denis) wrote:
> > >
> > >
> > >
> > >Guy Macon wrote:
> > >>
> > >> O.K.  Read the paper.  Let's start at the top:
> > >>
> > >> "Entropy is the measure of the unknown information in a closed system".
> > >>
> > >> I believe that Entropy is a measure of the disorder/randomness of
> > >> information or energy in any system, open or closed.  In a closed
> > >> system entropy cannot decrease, but open systems have entropy too.
> > >> (Please correct me if I have defined Entropy poorly).
> > >
> > >I am discussing entropy in a closed environment though.
> > >
> > >Tom
> >
> > Two comments:
> >
> > [1] The fact that you are discussing entropy in a closed environment
> >     has nothing to do with whether you correctly defined "entropy".
> >     I suggest using an accurate definition and then stating the
> >     subset that you are talking about.
> >
> > [2] Closed environment?  You are getting input from a human.  That's
> >     an open environment.
>
> True I will reword that.
>
> > I am not trying to be pedantic here.  Improper definitions of words
> > are a major source of miscommunication.
> >
> > I am also reluctant to comment on the rest of the paper if we cannot
> > agree on what "entropy" means.  Such an effort will be a W.O.M.B.A.T.
> > (Waste Of Money, Brains, And Time.)  This would deprive you of my
> > observation that M and Q are less likely than F and K, and that AWQ
> > is less likely than AVK when a real human is at the keyboard.
>
> Well does entropy just mean uncertainty?  So basically I am trying to
> discuss how to measure the uncertainty of characters from appearing...

Tom,

This is a very tough area.  Careful definitions are mandatory, but extremely hard to
generate.  If you can dodge the question by referring readers to an external
definition, such as Shannon's papers that _created_ the field of information theory,
you should.  If you truly want to provide a useful definition, you have to
distinguish yours from the alternates from thermodynamics, statistics, etc.

The best luck I've had with defining information is by the effect it has on the
possessor.  One learns from information.  If you are searching for something, you
check each place it might be.  Every time you fail to find it you learn a tiny little
bit corresponding to the places the target isn't.  When you check the place that
contains the target you learn a lot -- the target's location and all of its
"non-locations".  Note that if you have checked all but one place and failed to find
your target, you've already learned where it is.  So checking each of the places it
wasn't gives you just as much information as finding the target on the first try.
Note that this explanation also explains why rechecking a location doesn't provide
you with any information.  You already knew the target wasn't at that location, so
you can't learn anything new no matter how many times you check it.

This explanation can be formalized and deriving numeric results is easy.








------------------------------

From: Pred. <[EMAIL PROTECTED]>
Subject: Just another idea...
Date: Mon, 17 Apr 2000 23:36:31 GMT

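#include <stddef.h>

#define ulKeyLen   8
/* rotate an unsigned char left / right; the count is reduced modulo 8 */
#define rotl(x,y) ((unsigned char)((((x) & 0xFFu) << ((y) & 7)) | \
                                   (((x) & 0xFFu) >> ((8 - ((y) & 7)) & 7))))
#define rotr(x,y) ((unsigned char)((((x) & 0xFFu) >> ((y) & 7)) | \
                                   (((x) & 0xFFu) << ((8 - ((y) & 7)) & 7))))

void my_encrypt(unsigned char *szPlainText, size_t szPlainTextLen,
                unsigned char *szEncryptedText, unsigned char *szKey)
{
   size_t i=0;
   unsigned long ulKey[ulKeyLen];

   /* expand key: three passes over the ulKeyLen words, each pass
      overwriting the word ((i+1) is used twice, as posted) */
   for(i=0; i < (size_t) ulKeyLen*3; i++)
     ulKey[i%ulKeyLen]  = 3413215433UL*i ^ (unsigned long)szKey[i%ulKeyLen]
                          * szKey[(i+1)%ulKeyLen] * szKey[(i+1)%ulKeyLen]
                          * szKey[(i+3)%ulKeyLen];

   /* encrypt one byte at a time */
   for(i=0; i < szPlainTextLen; i++)
   {
      /* operation depends on key; the index is reduced modulo ulKeyLen
         so that it stays inside ulKey[] */
      switch(ulKey[i%ulKeyLen] & 1)
      {
        case 0: szEncryptedText[i] = rotr(szPlainText[i]^szKey[i%ulKeyLen],
                   rotl((unsigned char)ulKey[i%ulKeyLen], i)) ; break;
        case 1: szEncryptedText[i] = rotl(szPlainText[i]^szKey[i%ulKeyLen],
                   rotr((unsigned char)ulKey[i%ulKeyLen], i)) ; break;
      }
   }
}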



------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: GOST idea
Date: Tue, 18 Apr 2000 01:57:56 +0200

Tom St Denis wrote:
> 
> Mok-Kong Shen wrote:
> > > > > > Could you please give a literature reference to the fact that
> > > > > > the function you gave previously is a permutation?
> > > > >
> > > > > 2x^2 + x mod 2^w is a permutation polynomial of x.  Hmm I got the idea
> > > > > from a paper on Rivest's site, and I can email a copy if you want.
> > > >
> > > > But in your post of 16th April you said you are working in GF(2^w).
> > > > Now GF(2^w) has characteristic 2, so 2x^2 = 0, if I don't err.
> > >
> > > Actually no it doesn't.  modulo 2^w, 2x^2 + x is always a permutation
> > > polynomial.
> >
> > Note that you are NOW talking of modulo 2^w. As I pointed out,
> > you were instead talking of GF(2^w) in the post where you first
> > mentioned that the function is meant to be a permutation! (Thus I
> > was quite surprised and asked you to give references to support
> > that claim.) Do you see my point?
> 
> Yea, sorry bout that.  So you say GF(2^w) when the polynomial itself is
> taken modulo that?

lordcow77 has clearly indicated in a post (obviously addressed
to you) that computing in GF(2^w) is not identical to computing
some binary numbers in [0, 2^w-1] and doing integer arithmetics 
modulo 2^w. For example, in GF(4) one has 1 + 1 = 0, instead of 2.
I am not a mathematician. My very humble math knowledge is not 
sufficient to well explain to you here the theory of Galois fields. 
You will find some explanation of it in most textbooks on coding 
theory. An in-depth treatment may be found in

     R. Lidl and H. Niederreiter, Introduction to finite fields
     and their applications. Cambridge University Press, 1986.

M. K. Shen

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Paper on easy entropy
Date: Mon, 17 Apr 2000 23:51:30 GMT



"Trevor L. Jackson, III" wrote:
> Tom,
> 
> This is a very tough area.  Careful definitions are mandatory, but extremely hard to
> generate.  If you can dodge the question by referring readers to an external
> definition, such as Shannon's papers that _created_ the field of information theory,
> you should.  If you truly want to provide a useful definition, you have to
> distinguish yours from the alternates from thermodynamics, statistics, etc.
> 
> The best luck I've had with defining information is by the effect it has on the
> possessor.  One learns from information.  If you are searching for something, you
> check each place it might be.  Every time you fail to find it you learn a tiny little
> bit corresponding to the places the target isn't.  When you check the place that
> contains the target you learn a lot -- the target's location and all of its
> "non-locations".  Note that if you have checked all but one place and failed to find
> your target, you've already learned where it is.  So checking each of the places it
> wasn't gives you just as much information as finding the target on the first try.
> Note that this explanation also explains why rechecking a location doesn't provide
> you with any information.  You already knew the target wasn't at that location, so
> you can't learn anything new no matter how many times you check it.
> 
> This explanation can be formalized and deriving numeric results is easy.

I can't refer to his papers since I have yet to read them.  Can I not
just assume entropy = uncertainty?

Tom

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: AES-encryption
Date: Mon, 17 Apr 2000 23:57:01 GMT

You are such a crank.  First AES is already in development and
finalazion [is that even a word?] so your choice of calling your cipher
'aes' is pretty arrogant.  Second your DES/RSA NULL attacks belong in
the journal of crapology.

Tom

[EMAIL PROTECTED] wrote:
> 
> AES is symmetric encryption algorithm, which is developed from the
> DES architecture.
> 
> There are following features:
> 1. S-boxes are multiplication tables of finite groups
> 2. A key is used for
>    2.1. S-boxes generation
>    2.2. Extension permutation (EP)
>    2.3. Initial permutation (IP)
> 
> One can see following advantages:
> 
> 1. Algorithm architecture is scalable.
> 2. Better performance, while a key is used only
>    once and not in each round.
> 3. More security, while:
>    3.1 S-boxes are derived from sub-keys
>    3.2 Long key and sub-keys.
> 
> 256-bit AES one round block cipher implementation:
> 
> 1. Key length 256 byte
> 2. 16 S-boxes and 16 sub-keys
> 3. Initial permutation and Extension permutation derived from key
> 
> Performance with my IP II,267 Mhz, 128 Mb is 64Kb/sec.
> 
> Algorithm description and source code can be found
> at <www.alex-encryption.de>
> 
> Have fun.
> Best regards.
> Alex.
> 
> Sent via Deja.com http://www.deja.com/
> Before you buy.

------------------------------

Subject: Re: Paper on easy entropy
From: stanislav shalunov <[EMAIL PROTECTED]>
Date: Tue, 18 Apr 2000 00:11:55 GMT

Tom St Denis <[EMAIL PROTECTED]> writes:

> It's a really short paper, but it discusses a way to get entropy
> other than trapping hardware faults.

I assume you mean interrupts rather than faults.  The only way
keyboard can let the system know about a key press or release is by
generating an interrupt.  (The scancode is usually added to the
entropy pool after some manipulation, but one could as well add
network packets.)

-- 
stanislav shalunov                              | Speaking only for myself.
My address in From: is correct; if yours isn't, I don't want to hear from you.
Try to reply in newsgroup.  I don't need courtesy copies.

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: GOST idea
Date: Tue, 18 Apr 2000 02:26:59 +0200

Tom St Denis wrote:
> 
> Mok-Kong Shen wrote:
> > I have in a previous post explained why one can't unconditionally
> > expect that it wouldn't give a worse result. (There w1 and w2,
> > differing in more than one bit, may be such that their avalanche
> > effects cancel out.) You have either to theoretically show that
> > or do sufficient amount of experiments as I mentioned earlier.
> 
> w1 = input
> w2 = S(w1) <<< 11
> w3 = 2 * (w2)^2 + w2
> 
> I can't imagine w3 equalling w1 or w2 with high probability.  Of course
> this is the case w2 = 0, or w2 = 2^(w-1), but those are two separate
> cases.  I am not sure how I would prove that though.

> Another idea for the 'mixing' step is to use the F function from TEA
> that is
> 
> F(x) = S(x ^ (x << 4) ^ (x >> 5))
> 
> Which if a bit above bit four and below bit 28 (5 <= x < 28, 23 bits
> fall in this range) is changed three active sboxes are going to be
> created.  If the bit is above five and bit 28 (27 < x <= 32, 4 bits in
> this range) only two active sboxes are created one of the new sboxes is
> below bit 28 (thus falls into condition one in the next round).
> Similarly for a bit below 5 (5 > x > 0) we get only two active sboxes.
> 
> So with the new above function we are assured to get at least the same
> amount of active sboxes with a good chance of getting an extra one for
> free.  I don't know if that constitutes a proof, but I am sure P(x) = (x
> ^ (x << 4) ^ (x >> 5)) is a permutation modulo 2^32.

I suppose you will agree that 'rigorous' scientific results can't
be established simply by making statements of the kind you gave 
in the first paragraph above. If a theoretical approach is 
difficult, then, as I said, if you do sufficient computations, you 
can determine what the avalanche actually is. You could also do 
less amount of computations and for whatever reason feel confident 
of the result being o.k. for use in your applications. An 
experimental/heuristic approach is essentially acceptable for the 
practice, if it turns out to work well. But you can't rigorously 
claim something without correspondingly rigorous supporting materials. 

M. K. Shen
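
Added example, not part of either post: a Python check of the two claims in this exchange (2x^2 + x modulo 2^w and P(x) = x ^ (x << 4) ^ (x >> 5) being permutations) plus the kind of avalanche measurement asked for above. The function names and the constructed sample inputs are this example's own, and the S-box layer S is left out because the posts do not specify it.

```python
# Added example: checks on the two mixing functions discussed in the thread.
MASK32 = 0xFFFFFFFF


def poly(x, w=32):
    """2*x^2 + x with integer arithmetic modulo 2^w (not GF(2^w))."""
    return (2 * x * x + x) & ((1 << w) - 1)


def xorshift(x):
    """P(x) = x ^ (x << 4) ^ (x >> 5) on 32-bit words."""
    return (x ^ (x << 4) ^ (x >> 5)) & MASK32


def is_permutation(f, w):
    """Exhaustively test whether f(., w) is a bijection on w-bit words."""
    seen = bytearray(1 << w)
    for x in range(1 << w):
        y = f(x, w)
        if seen[y]:
            return False          # two inputs collide on y
        seen[y] = 1
    return True


def gf2_rank(f, w=32):
    """Rank over GF(2) of a map built only from XOR and shifts.

    Such a map is linear in the bits of x, so it is a bijection exactly
    when the images of the w single-bit inputs are linearly independent.
    """
    basis = {}                    # leading bit position -> reduced row
    for i in range(w):
        v = f(1 << i)
        while v:
            top = v.bit_length() - 1
            if top not in basis:
                basis[top] = v
                break
            v ^= basis[top]       # eliminate the leading bit and retry
    return len(basis)


def changed_bits(f, x, bit):
    """Mask of output bits that change when one input bit of x is flipped."""
    return f(x) ^ f(x ^ (1 << bit))


def avalanche_profile(f, samples, w=32):
    """Mean number of changed output bits for each flipped input bit."""
    return [
        sum(bin(changed_bits(f, x, bit)).count("1") for x in samples)
        / len(samples)
        for bit in range(w)
    ]


# Constructed sample inputs (multiples of an arbitrary odd constant).
SAMPLES = [(0x9E3779B9 * k) & MASK32 for k in range(1, 257)]

if __name__ == "__main__":
    print("2x^2+x permutation mod 2^16:", is_permutation(poly, 16))
    print("GF(2) rank of P on 32 bits :", gf2_rank(xorshift))
    for name, f in (("2x^2+x", poly), ("P(x)", xorshift)):
        prof = avalanche_profile(f, SAMPLES)
        print(name, "avalanche, input bits 0/10/31:",
              prof[0], prof[10], prof[31])
```

Because arithmetic modulo 2^w only carries upward, flipping input bit i of 2x^2 + x never changes an output bit below i, so the top input bit reaches only the top output bit; a full-strength avalanche (about w/2 changed bits) has to come from the other steps of the round.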

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Paper on easy entropy
Date: Tue, 18 Apr 2000 02:33:31 +0200

Tom St Denis wrote:
> 
> Mok-Kong Shen wrote:
> >
> > Tom St Denis wrote:
> > >
> >
> > > Order-0 means I evaluate the probability of each symbol in the 'zero'
> > > context, which means I don't care about preceding chars.  An order-1
> > > model is more accurate.  For example the letter 'h' is not fairly
> > > probable, but it's more probable after a 't'.  So if the preceding char
> > > was a 't' and we are on a 'h' now it's not very random.
> >
> > Is that 'probability' equal to the frequency of the symbols in
> > the 'particular' sequence whose entropy you are determining?
> > If yes, why don't you just take the text from a book or books to
> > obtain the desired entropy? If not, would you please explain how
> > you determine that 'probability'?
> 
> The user types random chars like "dfkhthegolhsflgkeoguig".  Then I count
> the occurrences of each char, then I use that #/#ofchars as the
> probability of each char.
> 
> I can't train the model after a book since that's hardly random.

How random really is what the user types in? How certain/exact is 
then the entropy value that you compute from that? I don't 
understand how/why (based on what theory) are you going to train 
a user model.

M. K. Shen
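
Added example, not code from the paper under discussion: the order-0 estimate described in the quoted text (count each character, divide by the number of characters) next to an order-1 estimate, run on the sample string quoted above. The function names are this example's own; the second input is a constructed patterned string.

```python
# Added example: plug-in entropy estimates from a short typed sample.
import math
from collections import Counter


def order0_entropy(text):
    """Bits per character using only each symbol's relative frequency."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def order1_entropy(text):
    """Bits per character given the preceding character.

    Uses the frequency of each adjacent pair (a, b) relative to how often
    a occurs as a predecessor, i.e. an estimate of H(X_i | X_{i-1}).
    """
    pairs = Counter(zip(text, text[1:]))
    prev = Counter(text[:-1])
    total = len(text) - 1
    h = 0.0
    for (a, _b), c in pairs.items():
        h -= c / total * math.log2(c / prev[a])
    return h


def report(text):
    """Return (length, order-0 bits/char, order-1 bits/char) for text."""
    return len(text), order0_entropy(text), order1_entropy(text)


TYPED = "dfkhthegolhsflgkeoguig"   # the sample string from the quoted post
PATTERNED = "abababab"             # constructed: fully predictable input

if __name__ == "__main__":
    for label, text in (("typed", TYPED), ("patterned", PATTERNED)):
        n, h0, h1 = report(text)
        print(f"{label:9s} n={n:2d}  order-0={h0:.3f}  order-1={h1:.3f}"
              f"  order-0 total={n * h0:.1f} bits")
```

On the 22-character sample the two estimates are about 3.4 and 0.9 bits per character, and on the patterned string order-0 reports 1 bit per character while order-1 reports 0, so a frequency count taken from the same short input it is scoring says little about how unpredictable that input is.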

------------------------------



** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
