Cryptography-Digest Digest #450, Volume #14      Sat, 26 May 01 17:13:01 EDT

Contents:
  Re: taking your PC in for repair? WARNING: What will they (Darren New)
  Re: DES Crypto Myth?? ([EMAIL PROTECTED])
  Re: DES Crypto Myth?? (Tom St Denis)
  Re: DES Crypto Myth?? ([EMAIL PROTECTED])
  Re: Essay on "The need for a look at real life crypto" (Ryan Phillips)
  Re: A generic feistel cipher with hash and gf(257) mixers (David Wagner)
  Re: Comparison of Diff. Cryptanalysis countermeasures ([EMAIL PROTECTED])
  Re: A generic feistel cipher with hash and gf(257) mixers (SCOTT19U.ZIP_GUY)
  Re: James Felling:  Sorry to break your bubble (HiEv)
  Re: Differential cryptanalysis. (JPeschel)
  New book (Jim Haynes)
  Re: A generic feistel cipher with hash and gf(257) mixers (David Wagner)
  Re: Good crypto or just good enough? (Bryan Olson)
  Re: Comparison of Diff. Cryptanalysis countermeasures (David Wagner)
  Re: Crypto NEWBIE, wants to create the 100% SAFE FRACTAL encoding... (Scientific Language) (John Savard)

----------------------------------------------------------------------------

From: Darren New <[EMAIL PROTECTED]>
Crossposted-To: alt.privacy,alt.privacy.anon-server
Subject: Re: taking your PC in for repair? WARNING: What will they
Date: Sat, 26 May 2001 19:10:45 GMT

Eric Lee Green wrote:
> For speed, the only thing faster than C/C++ is assembly language. I
> don't think any of us are THAT masochistic!

My point was that the speed of the algorithm is almost undoubtedly going
to be swamped by the speed of the disk I/O. What difference does it make
if it takes 0.01 seconds or 0.1 seconds to calculate a set of data
that'll take 10 seconds to flush to the disk? :-)

-- 
Darren New / Senior MTS & Free Radical / Invisible Worlds Inc.
       San Diego, CA, USA (PST).  Cryptokeys on demand.
     This is top-quality raw fish, the Rolls-Rice of Sushi!

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: DES Crypto Myth??
Date: Sat, 26 May 2001 10:15:47 -0800

Tom St Denis wrote:
> 
> <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...

> >
> > I'm pretty sure the robustness calculation didn't take linear
> > cryptanalysis into account. The equation is
> > Robustness R = (1-N/2^n)(1-L/2^n)
> > where N = non-zero entries in first column of diff. distribution table
> >       L = largest non-zero value in diff. distribution table
> 
> This equation is out of date.  Let's suppose you have a perfect 3x3 sbox
> (i.e. dpmax and lpmax of 2/8) this will get me a robustness of (1-0/8)(1-2/8)
> = 0.75.  Which is nowhere close to a useful value since it's perfect....
> 
> for bijective functions the correct calc for robustness is
> 
> R = (1-N/2^n)(1 - (L-2)/2^n)
> or simply
> R = 1 - (L-2)/2^n


I don't think this robustness formula is applicable to the
S-boxes being discussed because the DES 6x4 boxes aren't bijective.


> 
> For linear cryptanalysis you make a LAT (Linear Approximation Table) where
> you check to see how often or not a given approximation on the input leads
> to a particular approximation on the output.  For example
> 
> Walsh-Transform Output:
>     0    0    0    0    0    0    0    0
>     0    0   -2    2    0    0   -2   -2
>     0    2   -2    0    0    2    2    0
>     0    2    0    2    0   -2    0    2
>     0    0    0    0    2    2   -2    2
>     0    0    2    2   -2    2    0    0
>     0   -2   -2    0   -2    0    0    2
>     0    2    0   -2   -2    0   -2    0
> 
> Which tells me that (for example) the first output bit is a linear function
> of all 3 inputs with a prob of 0.5 + 2/8 = 0.75 (look at the bottom row
> which would be 7 = 111_2 and the second column in that row).  This 3x3
> bijection is maximally nonlinear (i.e. for a non-bent function).  For a 4x4
> the best you can do is 4/16=1/4, for a 8x8 the best is 16/256 = 1/16.  The
> best non-bent function you can make will have a min bias of 2^(n/2) / 2^n.
> 
> My sboxgen program makes both LAT and xor-pair tables... the walsh transform
> is easy to do if you want; it's simply
> 
> LAT(a,b) = SUM[0..2^n - 1] of (-1)^( (x dot a) + (F(x) dot b) )
> 
> Where <a,b> are the LAT pair (a is the input approx and b is the output
> approx), the dot is a binary vector dot product (typically done via an AND)
> and the '+' takes the vectors and reduces them to their parities then sums
> those...
> 
> Essentially you do an AND operation 'x AND a' then get that parity 'x =
> par[x]', then 'y = F(x) AND b, y = par[y]' ... finally 'z = x+y' and that
> determines the exponent.
> 
> Tom

Is there a good paper out there that steps through the entire linear
cryptanalysis process? What sources did you use to learn about it?

Thanks.

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: DES Crypto Myth??
Date: Sat, 26 May 2001 19:21:12 GMT

[EMAIL PROTECTED] wrote:
> 
> Tom St Denis wrote:
> >
> > <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> 
> > >
> > > I'm pretty sure the robustness calculation didn't take linear
> > > cryptanalysis into account. The equation is
> > > Robustness R = (1-N/2^n)(1-L/2^n)
> > > where N = non-zero entries in first column of diff. distribution table
> > >       L = largest non-zero value in diff. distribution table
> >
> > This equation is out of date.  Let's suppose you have a perfect 3x3 sbox
> > (i.e. dpmax and lpmax of 2/8) this will get me a robustness of (1-0/8)(1-2/8)
> > = 0.75.  Which is nowhere close to a useful value since it's perfect....
> >
> > for bijective functions the correct calc for robustness is
> >
> > R = (1-N/2^n)(1 - (L-2)/2^n)
> > or simply
> > R = 1 - (L-2)/2^n
> 
> I don't think this robustness formula is applicable to the
> S-boxes being discussed because the DES 6x4 boxes aren't bijective.

I don't have the original threads any longer, but if I recall we stemmed
out into making bijections... in either case I did state "for bijective
functions the c...."

> > For linear cryptanalysis you make a LAT (Linear Approximation Table) where
> > you check to see how often or not a given approximation on the input leads
> > to a particular approximation on the output.  For example
> >
> > Walsh-Transform Output:
> >     0    0    0    0    0    0    0    0
> >     0    0   -2    2    0    0   -2   -2
> >     0    2   -2    0    0    2    2    0
> >     0    2    0    2    0   -2    0    2
> >     0    0    0    0    2    2   -2    2
> >     0    0    2    2   -2    2    0    0
> >     0   -2   -2    0   -2    0    0    2
> >     0    2    0   -2   -2    0   -2    0
> >
> > Which tells me that (for example) the first output bit is a linear function
> > of all 3 inputs with a prob of 0.5 + 2/8 = 0.75 (look at the bottom row
> > which would be 7 = 111_2 and the second column in that row).  This 3x3
> > bijection is maximally nonlinear (i.e. for a non-bent function).  For a 4x4
> > the best you can do is 4/16=1/4, for a 8x8 the best is 16/256 = 1/16.  The
> > best non-bent function you can make will have a min bias of 2^(n/2) / 2^n.
> >
> > My sboxgen program makes both LAT and xor-pair tables... the walsh transform
> > is easy to do if you want; it's simply
> >
> > LAT(a,b) = SUM[0..2^n - 1] of (-1)^( (x dot a) + (F(x) dot b) )
> >
> > Where <a,b> are the LAT pair (a is the input approx and b is the output
> > approx), the dot is a binary vector dot product (typically done via an AND)
> > and the '+' takes the vectors and reduces them to their parities then sums
> > those...
> >
> > Essentially you do an AND operation 'x AND a' then get that parity 'x =
> > par[x]', then 'y = F(x) AND b, y = par[y]' ... finally 'z = x+y' and that
> > determines the exponent.
> >
> > Tom
> 
> Is there a good paper out there that steps through the entire linear
> cryptanalysis process? What sources did you use to learn about it?

Hmm, I got a hold of an early paper by Sean Murphy (I think...) it
covered basic diff/linear analysis (had some attacks on TEA variants if
I am not mistaken).  Then I moved onto reading Biham/Shamir's papers.
They are hefty and it took me a really long time to actually figure out
the key extraction bit...

Tom
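
Tom's LAT construction and the two robustness formulas quoted in this
thread, worked through in code. This is an added example, not code from
the thread or from Tom's sboxgen; the 3x3 S-box is constructed (inversion
in GF(2^3)), not the one behind the quoted Walsh table, and reading that
table as "count minus 2^(n-1)" is an assumption drawn from the
"0.5 + 2/8 = 0.75" remark.

```python
# Added example, not from the thread or from sboxgen: the LAT and the XOR
# (difference) table of a small S-box built as the quoted post describes, plus
# both robustness formulas compared there.  SBOX_3X3 is a constructed 3x3
# bijection (inversion in GF(2^3) mod x^3 + x + 1, 0 -> 0), NOT the quoted one.
from itertools import product

SBOX_3X3 = [0, 1, 5, 6, 7, 2, 3, 4]


def parity(v):
    """XOR of all bits of v (the 'par[]' step in the post)."""
    return bin(v).count("1") & 1


def lat(sbox):
    """LAT(a,b) = SUM over x of (-1)^(par(x & a) + par(S[x] & b)).
    'x dot a' is AND followed by parity; the exponent is the XOR of the two
    parities.  Entry (0,0) equals 2^n; every other entry is even.
    """
    size = len(sbox)
    table = [[0] * size for _ in range(size)]
    for a, b in product(range(size), repeat=2):
        table[a][b] = sum((-1) ** (parity(x & a) ^ parity(sbox[x] & b))
                          for x in range(size))
    return table


def lat_half_scaled(sbox):
    """count(a,b) - 2^(n-1), i.e. half of lat().  Assumption: this is the
    convention of the quoted table, where a 3x3 entry of 2 means
    'prob = 0.5 + 2/8', i.e. 6 of 8 agreements."""
    return [[v // 2 for v in row] for row in lat(sbox)]


def xor_table(sbox):
    """ddt[dx][dy] = #{x : S[x] ^ S[x ^ dx] == dy}."""
    size = len(sbox)
    table = [[0] * size for _ in range(size)]
    for x, dx in product(range(size), repeat=2):
        table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table


def max_abs_bias(sbox):
    """Largest |count - 2^(n-1)| over every (a,b) other than (0,0)."""
    half, size = lat_half_scaled(sbox), len(sbox)
    return max(abs(half[a][b]) for a in range(size) for b in range(size)
               if (a, b) != (0, 0))


def robustness(sbox):
    """(old, bijective) robustness exactly as written in the thread:
    old = (1 - N/2^n)(1 - L/2^n), bijective = (1 - N/2^n)(1 - (L-2)/2^n).
    N = non-zero entries in the dy = 0 column for dx != 0 (the trivial (0,0)
    entry is left out, as the post's '(1 - 0/8)' does); L = largest entry
    with dx != 0."""
    ddt, size = xor_table(sbox), len(sbox)
    n_col = sum(1 for dx in range(1, size) if ddt[dx][0])
    l_max = max(ddt[dx][dy] for dx in range(1, size) for dy in range(size))
    old = (1 - n_col / size) * (1 - l_max / size)
    bij = (1 - n_col / size) * (1 - (l_max - 2) / size)
    return old, bij


if __name__ == "__main__":
    for row in lat_half_scaled(SBOX_3X3):
        print(" ".join(f"{v:4d}" for v in row))
    print("max |count - 4|:", max_abs_bias(SBOX_3X3))  # 2
    print("robustness (old, bijective):", robustness(SBOX_3X3))  # (0.75, 1.0)
```

The constructed S-box reproduces the numbers in the quoted exchange: max
half-scaled bias 2 for a 3x3 bijection, 0.75 under the old formula and 1.0
under the bijective one.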

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: DES Crypto Myth??
Date: Sat, 26 May 2001 10:41:14 -0800

Tom St Denis wrote:
> 
> "Mok-Kong Shen" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> >
> >

> Bingo.  Schneier said it well in AC2.  [paraphrasing now since AC2 is all
> the way on the bookshelf...] "Anyone can design a secure block cipher with
> 128 rounds and a 512-bit key ...".

> Tom


It's funny how many Schneier quotes I've seen since I've been following
this newsgroup. (BTW, ever read what he said about USENET crypto posts?)
:)

Of course, I'm not qualified to make a judgment since he is a
professional cryptographer and I am not, but I'm curious as to why he
seems to speak for the entire crypto community (ok, I'm exaggerating a
bit but look at how many times he gets quoted in this newsgroup). AC is
a very good and easy to read overview of many different aspects of
crypto, but if you'll look carefully at the number of references in the
back of the book you'll realize that AC is just a summary of the work of
a LOT of researchers. Plus, there's very little mathematical meat in it.
AC was fun to read and it's a popular crypto book, but I think my
reading time was better spent with HAC. Why is Schneier such a popular
cryptographer? Is it charisma or is he a real innovator (compared to
other professional cryptographers)?

Before posting any flames re-read the line "...I'm not qualified to make
a judgment..." :) Just curious...

------------------------------

Subject: Re: Essay on "The need for a look at real life crypto"
From: [EMAIL PROTECTED] (Ryan Phillips)
Date: 26 May 2001 14:36:29 -0500

"Tom St Denis" <[EMAIL PROTECTED]> wrote in
news:vGSP6.46752$[EMAIL PROTECTED]: 

> 
> "Ryan Phillips" <[EMAIL PROTECTED]> wrote in message
> news:3b0ff375$1_4@newsfeeds...
>> Tom St Denis <[EMAIL PROTECTED]> wrote in news:3B0F9EFE.907F2A73
>> @yahoo.com: 
>>
>> > Based on my turn about look at computer security...
>> >
>> > http://tomstdenis.home.dhs.org/on.pdf
>> >
>> > Please comment if possible.  Does this hit the mark with what you
>> > guys are thinking?
>> >
>> > Tom
>> >
>>
>> I thought it was a decent essay.  The only complaint I have is related
>> to the PGP paragraph, it is just not about PGP; all public key
>> algorithms have the problem of identifying and verifying public keys
>> and certificates issued by users and the CA's.
>>
>> If you create a key that has the same username and email as one of my
>> friends' keys, and I already know that I have a verified public key on
>> my keyring (by calling them up and verifying the fingerprint, or them
>> giving it to me in person), then I'm going to know that the message
>> sent was with a bogus key and is fraudulent.
>>
>> There are ways to minimize your risk, but any PKI algorithm has this
>> drawback.
> 
> True, I was focusing on PGP because it's a buzzword.  Sure there are
> other PK programs out there that have the same flaws..
> 
> Tom

Any PK algorithm is potentially insecure.  Even SSL can be insecure if
certificates are issued to the wrong people (i.e. Microsoft), or if a
secure connection is rerouted to a hostile host.

-- 
please delete NOSPAM from the email address to
uncover my real address.


------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: A generic feistel cipher with hash and gf(257) mixers
Date: 26 May 2001 20:09:56 GMT

Roger Schlafly wrote:
>"David Wagner" <[EMAIL PROTECTED]> wrote
>> If the goal is `slow but secure', how does it compare to the GGR
>> tree-based scheme that I posted earlier?  (I've posted the citation to
>> GGR several times before on this newsgroup, so I won't do it again.)
>
>Sounds intriguing, but could you give us a clue? I missed your previous
>cites. A search turned up references to GGM and CTR, but I don't
>know if these are the same or not.

Sure.  (I don't know what GGM refers to, but GGR's tree-based scheme
is different from CTR.)

Here's a reference to my post where I described the basic idea:
http://groups.google.com/groups?q=super+strong+4n+daw

Here's a reference to a subsequent post where I gave citations for
further reading on the topic:
http://groups.google.com/groups?q=group:sci.crypt+goldreich+author:wagner

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Comparison of Diff. Cryptanalysis countermeasures
Date: Sat, 26 May 2001 11:12:26 -0800

David Wagner wrote:
> 
> >How can one tell that a 64-bit block is "meaningful" or "meaningless"?
> 
> For best results, consider multiple blocks.
> 
> If you like, you can read a paper Steve Bellovin and I wrote on fast
> techniques for recognizing probable plaintext, in the context of exhaustive
> DES keysearch: http://www.cs.berkeley.edu/~daw/papers/recog.ps


I've given the paper a "once-over" and I think the idea is really neat
because it appears to be practical. I didn't see a date anywhere on the
paper although there were references to 1994 stuff. I'm curious about
the date because a hardware analysis was done...

Do you know if this type of research has been continued, i.e. has
something like this been built and tested (the paper mentions extensive
analysis but no hardware fabrication)? Possible VHDL application?

It seems that this attack could be effective with even a small amount of
intercepted plaintext, i.e. just enough to determine if the plaintext
was C++, TeX, ASCII, .jpg, .ps, .pdf, or whatever.

Neato.

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: A generic feistel cipher with hash and gf(257) mixers
Date: 26 May 2001 18:34:43 GMT

[EMAIL PROTECTED] (David Wagner) wrote in 
<9eoqbl$o15$[EMAIL PROTECTED]>:

>SCOTT19U.ZIP_GUY wrote:
>>[... BICOM ...]
>>Ask Wagner to comment on this hobbyist approach. Yes its slow
>>but it would be a hell of a lot more secure than a mode of AES
>>the "experts would recommend".
>
>Sorry, I'm not familiar with BICOM, so I can't comment on it.  Does it
>come with a proof of security?
>
>If the goal is `slow but secure', how does it compare to the GGR
>tree-based scheme that I posted earlier?  (I've posted the citation to
>GGR several times before on this newsgroup, so I won't do it again.)

  This GGR you've been talking about. Does it add information to
the encryption that could help an attacker? No, you don't have to
repeat your posts. What I am asking is: is it bijective, which BICOM is?
And by bijective I think you know what I mean. Can any file be
considered a possible valid output? And since you and I know that
security proofs are always iffy and based on other conditions that
may or may not be true. Is GGR secure enough that any key tested
will not lead to a condition of being able to toss the key out?
  This is a stronger form of security that you may not be used to.
And yes BICOM is secure if RIJNDAEL is secure. But to prove it you would
have to understand the bijection concept which BICOM is based on.
  I think you understand the concept of why compression is a good
thing in encryption. Your friend even states on one page in his book
(saw it at book store) that it's a good thing. BICOM does a very special
form of entropy compression that adds no information to the data
so that the compression is combined with RIJNDAEL to make a total
product where any key can be used with any file to encrypt or
decrypt in a unique way.  Many modern methods wandered from the
Shannon concept of total mappings since it's hard to do properly.

   But even though Matt's code is very readable by today's standards.
More so than mine which I know you could not read. You stated
scott19u was too hard to follow. But I think you can follow Matt's
code.


>
>Note that the GGR scheme comes with a proof of the following statement:
>  Suppose AES is secure against all attacks that use four blocks of chosen
>  plaintext and a reasonable amount of computation.  Then AES-GGR is
>  secure against all attacks that use a reasonable amount of computation,
>  even if the adversary has access to many blocks of adaptively-chosen
>  plaintexts and ciphertexts.
>AES-GGR can be made to run pretty fast: It needs about 2 AES encryptions
>per block of plaintext that you'd like to encrypt, I believe.  In other
>words, GGR provides very strong security at not too much performance cost.
>
>As a consequence, if you want `slow but secure', GGR seems to be the
>construction to beat.

  Actually BICOM when used in the way I was suggesting
1) pass 1 use BICOM
2) pass 2 reverse file
3) pass 3 use BICOM again

The above construction even if the final output file is one byte
long will not lend itself to the type of plaintext/ciphertext
attacks you are familiar with. Since one can't isolate any input/output
pairs of data to the full size RIJNDAEL blocks.

 This also causes the whole file to be treated like a single
block.



David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE "OLD VERSION"
        http://www.jim.com/jamesd/Kong/scott19u.zip
My website http://members.nbci.com/ecil/index.htm
My crypto code http://radiusnet.net/crypto/archive/scott/
MY Compression Page http://members.nbci.com/ecil/compress.htm
**NOTE FOR EMAIL drop the roman "five" ***
Disclaimer:I am in no way responsible for any of the statements
 made in the above text. For all I know I might be drugged or
 something..
 No I'm not paranoid. You all think I'm paranoid, don't you!


------------------------------

From: HiEv <[EMAIL PROTECTED]>
Crossposted-To: alt.hacker,talk.politics.crypto
Subject: Re: James Felling:  Sorry to break your bubble
Date: Sat, 26 May 2001 20:13:06 GMT

Kt wrote:
> 
> HiEv wrote:
> 
> > First of all, the phrase is "burst your bubble" not "break your bubble".
> 
> HiEv, this guy is one of life's embittered losers. Let him be.

You're right, I just couldn't stand to see him try to publicly humiliate
someone who was just trying to give constructive criticism.

I'll ignore future replies to this thread.

-- 
"Outlook not so good."  That magic 8-ball knows everything!  I'll ask
about Exchange Server next.

------------------------------

From: [EMAIL PROTECTED] (JPeschel)
Date: 26 May 2001 20:27:10 GMT
Subject: Re: Differential cryptanalysis.

[EMAIL PROTECTED] writes:


>"Cryptography Theory and Practice" by Doug Stinson (ISBN 0-8493-8521-0)
>discusses it and guides you through a few examples. The book is a little bit
>on the expensive side, but well worth it.

Good book. It's also available, with other good books, on the Dr. Dobb's 
crypto and security CD.

Joe



__________________________________________

Joe Peschel 
D.O.E. SysWorks                                 
http://members.aol.com/jpeschel/index.htm
__________________________________________


------------------------------

Subject: New book
Reply-To: [EMAIL PROTECTED]
From: [EMAIL PROTECTED] (Jim Haynes)
Date: Sat, 26 May 2001 20:31:14 GMT

I spotted this in a mall bookstore this morning:

The Emperor's Codes : The Breaking of Japan's Secret Ciphers
Michael Smith / Arcade Publishing, Inc. / May 2001
ISBN 155970568X



------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: A generic feistel cipher with hash and gf(257) mixers
Date: 26 May 2001 20:56:55 GMT

SCOTT19U.ZIP_GUY wrote:
>  This GGR you've been talking about. Does it add information to
>the encryption that could help an attacker.

No.

>Can any file be considered a possible valid output.

Yes.

------------------------------

From: Bryan Olson <[EMAIL PROTECTED]>
Subject: Re: Good crypto or just good enough?
Date: Sat, 26 May 2001 13:57:38 -0700



"John A. Malley" wrote:
> 
> Bryan Olson wrote:
> [...]
> >
> > Today, crypto has two serious problems:
> >     1. We don't really understand complexity.
> >     2. The world runs on cleartext.
> 
> I think I understand the first stated problem.  I do not understand the
> second problem as stated.

All I mean there is that use of encryption is still rare.
We discuss new ciphers and multiple encryption while our
most private information resides in the clear.


--Bryan

------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Comparison of Diff. Cryptanalysis countermeasures
Date: 26 May 2001 20:59:27 GMT

Bellovin and I wrote the `probable plaintext' paper during the course of
my summer internship there in, uhh, Summer '94, I believe.  I'm not aware
of anyone who has built such a device, but you might look at what the EFF
DES cracker supports (see the book _Cracking DES_).

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Crypto NEWBIE, wants to create the 100% SAFE FRACTAL encoding... (Scientific Language)
Date: Sat, 26 May 2001 21:03:35 GMT

On Sat, 26 May 2001 14:21:49 -0400, "BenZen" <[EMAIL PROTECTED]>
wrote, in part:

>For John, here is Mr Shen's page:

>(I did a search for M.K.shen... Found a link on this page:
>http://www.mandala.co.uk/links/cryptography/
>) Which led me to his page:
>http://home.t-online.de/home/mok-kong.shen/
>And there is (was) a reward for solving these problems... I gave-up on both,
>from lack of scientific notation background.

Ah, and now I see what the context is: the first problem.

g(m) is the largest multiple of m for which there exists an m by g(m)
matrix of which the each group of m columns are an m by m Latin
square, so that within each of these squares, no two columns have the
same number in any row, and any two columns from two different squares
have exactly one number matching.

Defining H(m,n) as the number of _distinct_ such matrices, when we are
really looking for the largest n for which any such matrix exists, is
somewhat of a confusing smokescreen.

>Seriously;.. Is there a comprehensive web site that could introduce me to the
>Layman's language and notation ?

Since the "lay" are the ordinary people, originally as opposed to the
"clergy", one does not need an introduction to the layman's language;
that is what one is already speaking.

John Savard
http://home.ecn.ab.ca/~jsavard/frhome.htm

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************