Cryptography-Digest Digest #887, Volume #11      Mon, 29 May 00 15:13:00 EDT

Contents:
  Re: Another sci.crypt Cipher (David A. Wagner)
  Re: RIP Bill 3rd Reading in Parliament TODAY 8th May ("Steve Walker")
  Re: Help break SNAPPY (tomstd)
  Re: encryption without zeros (Guy Macon)
  Re: Is OTP unbreakable?/Station-Station (Guy Macon)
  Re: Is OTP unbreakable?/Station-Station (Guy Macon)
  Re: No-Key Encryption (Tim Tyler)
  Re: No-Key Encryption (Tim Tyler)
  Re: RIP Bill 3rd Reading in Parliament TODAY 8th May ("Fergus O'Rourke")
  Re: RIP Bill 3rd Reading in Parliament TODAY 8th May ("Fergus O'Rourke")
  Re: RIP Bill 3rd Reading in Parliament TODAY 8th May ("Fergus O'Rourke")
  Re: RIP Bill 3rd Reading in Parliament TODAY 8th May (David Boothroyd)
  Re: RIP Bill 3rd Reading in Parliament TODAY 8th May (David Boothroyd)
  Re: RIP Bill 3rd Reading in Parliament TODAY 8th May (David Boothroyd)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: Another sci.crypt Cipher
Date: 29 May 2000 10:11:58 -0700

In article <8gstfd$oud$[EMAIL PROTECTED]>,  <[EMAIL PROTECTED]> wrote:
> I have extended this attack via related keys.  TC1 is vulnerable to
> differential related key cryptanalysis.  For best results the attack
> requires chosen plain text.

Oh, if related-key cryptanalysis is allowed, there are other attacks, too.
Use the fact that if subkey 0 = subkey 1, then encryption = decryption.
This condition happens with prob. 1/2^32, and can be tested with just two
encryptions (check if double-encryption gives back the original plaintext).
We try all 2^32 key-differences of the form (x,0,0,0).  One of them will
be guaranteed to force subkey 0 to the same value as subkey 1, and then this
condition will be recognized by our double-encryption test.  This attack
recovers 32 bits of key material with a total of 2^32 differential related-key
queries and 2^33 chosen plaintexts.  Then you can finish it off with an
exhaustive keysearch attack; by using the 32-bit complementation property
found by Mark Wooding, this stage will require only 2^64 trial encryptions.
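An added illustration of the structural fact the reply relies on (not code from the post, and not TC1, whose definition is not given in this digest): in a Feistel network, decryption is the same network run with the subkeys in reverse order, so whenever subkey 0 equals subkey 1 the cipher is an involution and encrypting twice returns the plaintext. The toy two-round cipher, its round function, the test blocks and the 16-bit subkey width are all constructed here; the check itself is the two-encryption test the post describes, written as something a key-schedule reviewer would run.

```python
# Added illustration: a toy two-round Feistel network and the
# double-encryption test for equal-subkey (involution) keys.
# Nothing here is TC1; the cipher, F and test blocks are constructed.

MASK16 = 0xFFFF


def rotl16(x, n):
    """Rotate a 16-bit value left by n bits."""
    return ((x << n) | (x >> (16 - n))) & MASK16


def round_function(x, k):
    """Deliberately simple round function.  The involution property
    shown below depends only on the Feistel structure, not on F."""
    return ((x + k) & MASK16) ^ rotl16(x, 7)


def feistel_round(left, right, k):
    return right, left ^ round_function(right, k)


def encrypt(block, k0, k1):
    """Two-round Feistel on a 32-bit block with 16-bit subkeys k0, k1."""
    left, right = block >> 16, block & MASK16
    left, right = feistel_round(left, right, k0)
    left, right = feistel_round(left, right, k1)
    # Undo the last swap so the same network with reversed subkeys decrypts.
    return (right << 16) | left


def decrypt(block, k0, k1):
    """Decryption is the same network with the subkey order reversed,
    so k0 == k1 makes encrypt and decrypt the same function."""
    return encrypt(block, k1, k0)


# Constructed plaintexts for the double-encryption test.
TEST_BLOCKS = (0x00000000, 0x12345678, 0xDEADBEEF, 0xFFFFFFFF)


def is_involution_key(k0, k1, blocks=TEST_BLOCKS):
    """True when E(E(P)) == P for every test block, i.e. encryption equals
    decryption under this subkey pair.  Each block costs two encryptions."""
    return all(encrypt(encrypt(p, k0, k1), k0, k1) == p for p in blocks)


def involution_pairs(bits):
    """Enumerate every (k0, k1) pair of the given width and return those
    the double-encryption test flags.  Every pair with k0 == k1 is flagged
    by construction; a pair with k0 != k1 can only pass by chance on the
    test blocks, which is why a real check would use more of them."""
    space = 1 << bits
    return [(k0, k1) for k0 in range(space) for k1 in range(space)
            if is_involution_key(k0, k1)]


if __name__ == "__main__":
    flagged = involution_pairs(4)
    print("flagged subkey pairs:", flagged)
    print("all equal-subkey pairs flagged:",
          all((k, k) in flagged for k in range(16)))
```

The post's probability of 1/2^32 is the chance that a random 32-bit subkey pair happens to be equal; with the 16-bit toy subkeys above the same structural condition occurs with probability 1/2^16, and a key schedule that can produce equal consecutive subkeys for some fraction of keys is what the check is meant to catch.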

------------------------------

From: "Steve Walker" <[EMAIL PROTECTED]>
Crossposted-To: 
uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,talk.politics.crypto,alt.ph.uk,alt.conspiracy.spy,uk.telecom
Subject: Re: RIP Bill 3rd Reading in Parliament TODAY 8th May
Date: Mon, 29 May 2000 18:11:32 +0100


David Boothroyd <[EMAIL PROTECTED]> wrote in message

" The idea that the police being able to demand that encrypted data (about
which they have a reasonable suspicion) be decrypted is in some way
unreasonable is absurd. "

Of course it's unreasonable, you pillock.   Because *they* define
'reasonable suspicion', and we know that whenever *they* have had powers to
invade privacy in the past, these have been used against political and
social targets too.

You are approving of a law which will make it a criminal offence to have
privacy.  Well, if you want your life open to the scrutiny of the
authorities, bully for you.  Don't try to force it on others though.

Steve



------------------------------

Subject: Re: Help break SNAPPY
From: tomstd <[EMAIL PROTECTED]>
Date: Mon, 29 May 2000 10:16:31 -0700

In article <8gu7rn$k5k$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (David A. Wagner) wrote:
>In article <[EMAIL PROTECTED]>,
>tomstd  <[EMAIL PROTECTED]> wrote:
>> I started my cryptanalysis of Snappy.. I began by analyzing
>> repeated usage of the sbox as in
>>
>> t = sbox[t]
>>
>> Or just repeated substitution as it seems the best place to
>> start.  Under this model and 7 substitutions the best diff char
>> I found was [...]
>
>Why do you think this is the right model for studying
>differential cryptanalysis of Snappy?

I don't now.  What I am thinking of is getting zero output
differences in the inner cycles... remember that Snappy works
like this

for x = 0 to 15
 for y = 0 to 7 do
  blk[y] ^= F(blk, x, y)

Since F is a multi-permutation of the input (you can fix any 6
of the bytes and get a complete permutation of 0..255) we can
assume to get a output difference of at most 2^-8 (probably much
higher) per F usage.  The entire cycle can be viewed as one char
of at most 2^-24.  What I mean by output diff is that

blk[0..7] ^ blk[0..7]' = blk[0..7]'' with prob about 2^-24

That is my new take on it.

Tom




------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: encryption without zeros
Date: 29 May 2000 13:28:36 EDT

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:

>It strikes me as of rather limited use ;-|  Apart from the potential for
>infinite loops, instead of removing 0s from the output, you now have to
>remove them from the input.
>
>If you *don't* have to be able to handle arbitrary inputs it might
>nearly work - but otherwise you've rather pointlessly moved the problem
>around to a different position.

For many people, encrypting ASCII is Good Enough.  As for the
potential for infinite loops, 10/100BaseT Ethernet has the potential
for infinite loops, and we use it all of the time without problems.
When the probability of something approaches the probability that
I will be killed by a meteorite as I sit here, I stop worrying.
The chances of th***SMASH!***-%$.@&_No Carrier.


------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: Is OTP unbreakable?/Station-Station
Date: 29 May 2000 13:54:56 EDT

In article <8gt18b$1a1$[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
>
>
>In article <8gqoic$[EMAIL PROTECTED]> Guy Macon,
>[EMAIL PROTECTED] writes:
>>No.  If I use any of the standard authentication protocols,
>>someone who knows my plaintext but not my key and who can
>>intercept my ciphertext and replace it with his own cannot
>>send a message that looks like I sent it.  In the case of
>>checksum followed by OTP encryption, he can.  This is the
>>classic man-in-the middle attack combined with the classic
>>known/chosen plaintext attack.  Good security systems resist
>>these attacks, singly or in combination.  OTP doesn't.
>>
>Perhaps the arguments against your statements are springing from the fact
>that you denigrate OTP using attack scenarios that are somewhat unusual. 
>The attack you described on OTP entails finding plaintext that matches a
>particular cyphertext that you have managed to intercept and also prevent
>from reaching the intended receiver.  That's some set of circumstances. 
>If you want to posit such a string of events, then I will reply that no
>authentication scheme works because I could simply beat the
>authentication info out of you and use it in messages to your confreres. 
>Now let's talk about angels dancing on heads of pins.

Rather than assuming that I denigrate OTP, why don't you ask me what
my opinion of it is?  (My opinion is that it is wonderful.  I don't
have to worry about some crypto expert breaking the scheme through
cryptanalysis.  That's very valuable.  My opinion is also that you
shouldn't just run your plaintext through the OTP.  You should
compress it, encrypt it with a method that provides authentication,
then encrypt it again with OTP.  PGP does the compression and the
authentication in one step).  I see little point in using OTP to
raise your security level against cryptanalysis from really, really,
really, good to perfect without also taking simple steps to raise
your security level against man-in-the-middle and known plaintext
attacks.

As for likelihood, I am, among other things, a system administrator
for a corporate LAN.  If one of my users starts using OTP (say with
a CD-ROM of random bits) I can probably fake incoming emails and do
a bit of social engineering to achieve chosen plaintext, and I can
certainly intercept and replace the users ciphertext with my own.
One of my jobs as sysadmin is to provide my users with security
that I cannot break.  OTP alone doesn't provide that.

Let's be realistic here.  The chances of someone using cryptanalysis
to read your PGP encrypted message is way out in the "angels dancing
on heads of pins" area already.  The odds of OTP's resistance to
cryptanalysis increasing your security is much smaller than the
chances that your sysadmin or ISP will social engineer you into
encrypting known plaintext and then do a man-in-the-middle attack.


------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: Is OTP unbreakable?/Station-Station
Date: 29 May 2000 13:59:25 EDT


In article <8gt18b$1a1$[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
>
>
>In article <8gqoic$[EMAIL PROTECTED]> Guy Macon,
>[EMAIL PROTECTED] writes:
>>No.  If I use any of the standard authentication protocols,
>>someone who knows my plaintext but not my key and who can
>>intercept my ciphertext and replace it with his own cannot
>>send a message that looks like I sent it.  In the case of
>>checksum followed by OTP encryption, he can.  This is the
>>classic man-in-the middle attack combined with the classic
>>known/chosen plaintext attack.  Good security systems resist
>>these attacks, singly or in combination.  OTP doesn't.
>>
>Perhaps the arguments against your statements are springing from the fact
>that you denigrate OTP using attack scenarios that are somewhat unusual. 
>The attack you described on OTP entails finding plaintext that matches a
>particular ciphertext that you have managed to intercept and also prevent
>from reaching the intended receiver.  That's some set of circumstances. 
>If you want to posit such a string of events, then I will reply that no
>authentication scheme works because I could simply beat the
>authentication info out of you and use it in messages to your confreres. 
>Now let's talk about angels dancing on heads of pins.

Rather than assuming that I denigrate OTP, why don't you ask me what
my opinion of it is?  (My opinion is that it is wonderful.  I don't
have to worry about some crypto expert breaking the scheme through
cryptanalysis.  That's very valuable.  My opinion is also that you
shouldn't just run your plaintext through the OTP.  You should
compress it, encrypt it with a method that provides authentication,
then encrypt it again with OTP.  PGP does the compression and the
authentication in one step).  I see little point in using OTP to
raise your security level against cryptanalysis from really, really,
really, good to perfect without also taking simple steps to raise
your security level against man-in-the-middle and known plaintext
attacks.

As for likelihood, I am, among other things, a system administrator
for a corporate LAN.  If one of my users starts using OTP (say with
a CD-ROM of random bits) I can probably fake incoming emails and do
a bit of social engineering to achieve chosen plaintext, and I can
certainly intercept and replace the users ciphertext with my own.
One of my jobs as sysadmin is to provide my users with security
that I cannot break.  OTP alone doesn't provide that.

Let's be realistic here.  The chances of someone using cryptanalysis
to read your PGP encrypted message is way out in the "angels dancing
on heads of pins" area already.  The odds of OTP's resistance to
cryptanalysis increasing your security is much smaller than the
chances that your sysadmin or ISP will social engineer you into
encrypting known plaintext and then do a man-in-the-middle attack.
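The failure mode described in the two posts above, as an added example that is not code from the poster: a checksum appended before OTP encryption can be adjusted by anyone who knows the plaintext, because XOR lets an intermediary swap known bytes for chosen bytes without the pad, whereas a keyed MAC computed before the OTP cannot be recomputed without the MAC key. HMAC-SHA-256 stands in here for "a method that provides authentication"; the compression step and PGP itself are left out, and the pad, key and messages are constructed.

```python
# Added illustration: checksum-then-OTP is malleable under known plaintext;
# MAC-then-OTP is not.  Pad, MAC key and messages are constructed here.
import hashlib
import hmac
import secrets

TAG_LEN = 32  # HMAC-SHA-256 output length

# Constructed sample traffic: the intermediary knows KNOWN_MSG was sent
# and wants the receiver to accept FORGED_MSG (same length) instead.
KNOWN_MSG = b"transfer 100 to alice"
FORGED_MSG = b"transfer 900 to alice"


def otp_xor(data, pad):
    """One-time-pad encryption and decryption: XOR with an equal-length pad."""
    assert len(pad) >= len(data), "pad too short"
    return bytes(a ^ b for a, b in zip(data, pad))


def checksum8(msg):
    """Toy additive checksum standing in for any unkeyed check value."""
    return bytes([sum(msg) & 0xFF])


def seal_checksum(msg, pad):
    return otp_xor(msg + checksum8(msg), pad)


def open_checksum(ct, pad):
    plain = otp_xor(ct, pad)
    msg, check = plain[:-1], plain[-1:]
    return msg if check == checksum8(msg) else None


def seal_mac(msg, pad, mac_key):
    tag = hmac.new(mac_key, msg, hashlib.sha256).digest()
    return otp_xor(msg + tag, pad)


def open_mac(ct, pad, mac_key):
    plain = otp_xor(ct, pad)
    msg, tag = plain[:-TAG_LEN], plain[-TAG_LEN:]
    expected = hmac.new(mac_key, msg, hashlib.sha256).digest()
    return msg if hmac.compare_digest(tag, expected) else None


def substitute(ct, known_prefix, new_prefix):
    """What someone who knows a plaintext prefix can do to an OTP ciphertext
    without the pad: XOR the known bytes out and chosen bytes of the same
    length in.  Bytes past the prefix are left untouched."""
    assert len(known_prefix) == len(new_prefix) <= len(ct)
    head = bytes(c ^ k ^ n for c, k, n in zip(ct, known_prefix, new_prefix))
    return head + ct[len(head):]


def checksum_scheme_accepts_forgery(known_msg, forged_msg, pad):
    """The checksum needs no secret, so the intermediary replaces message
    and checksum together.  Returns what the receiver accepts."""
    ct = seal_checksum(known_msg, pad)
    ct2 = substitute(ct, known_msg + checksum8(known_msg),
                     forged_msg + checksum8(forged_msg))
    return open_checksum(ct2, pad)


def mac_scheme_rejects_forgery(known_msg, forged_msg, pad, mac_key):
    """Same substitution on the message bytes only; the encrypted tag still
    authenticates known_msg, and HMAC(forged_msg) cannot be produced
    without mac_key, so the receiver gets None."""
    ct = seal_mac(known_msg, pad, mac_key)
    ct2 = substitute(ct, known_msg, forged_msg)
    return open_mac(ct2, pad, mac_key)


if __name__ == "__main__":
    pad = secrets.token_bytes(64)      # constructed one-time pad
    mac_key = secrets.token_bytes(32)  # constructed MAC key
    print("checksum+OTP receiver accepts:",
          checksum_scheme_accepts_forgery(KNOWN_MSG, FORGED_MSG, pad))
    print("MAC+OTP receiver accepts:",
          mac_scheme_rejects_forgery(KNOWN_MSG, FORGED_MSG, pad, mac_key))
```

The pad is irrelevant to the substitution step, which is the point of the posts: the OTP's perfect secrecy says nothing about integrity, and the authentication has to come from a keyed primitive applied to the message before the pad is used.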




------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: No-Key Encryption
Reply-To: [EMAIL PROTECTED]
Date: Mon, 29 May 2000 18:06:41 GMT

Steve Roberts <[EMAIL PROTECTED]> wrote:
: Tim Tyler <[EMAIL PROTECTED]> wrote:
:>Michael Pellaton <[EMAIL PROTECTED]> wrote:

:>: [...] Is there any implementation of no-key encryption available?
:>
:>While "no-key" is not a common cryptographic term, ROT-13 is probably the
:>best-known algorithm which uses no key.

: Er, ROT-13 *does* have a key - it's the "13" in the name. [...]

ROT-13 is described by practically everyone as an unkeyed algorithm - 
since simple knowledge of the system used is sufficient to uniquely
determine the plaintext.

ROT-N would be an example of a keyed rotation algorithm.
-- 
__________  Lotus Artificial Life  http://alife.co.uk/  [EMAIL PROTECTED]
 |im |yler  The Mandala Centre   http://mandala.co.uk/  Destroy Microsoft.

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: No-Key Encryption
Reply-To: [EMAIL PROTECTED]
Date: Mon, 29 May 2000 18:13:25 GMT

Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
: Mok-Kong Shen wrote:

:> The scheme is probably what initiated the idea of current public key
:> systems. [...]

: It occurs to me that there might be something that could be further
: discussed. If one could generate high quality bit sequences and
: could avoid manipulations, e.g. through appending an encrypted
: hash, and the transmission cost were low enough, couldn't the
: scheme be a useful one in practice? [...]

It could not.

As Decklin Foster mentioned, "an eavesdropper would see M+A, M+B, and
M+A+B, and thus would be able to recover M, A, and B."

The scheme appears to be of virtually no practical use.
-- 
__________  Lotus Artificial Life  http://alife.co.uk/  [EMAIL PROTECTED]
 |im |yler  The Mandala Centre   http://mandala.co.uk/  Destroy Microsoft.
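The exchange quoted above, as an added example that is not part of the post: the three-pass "no-key" scheme with XOR as the commuting operation, showing both parties' messages and what a passive listener recovers from the three values on the wire. The message and the two private keys are constructed.

```python
# Added illustration: the three-pass exchange with XOR, and why every
# value on the wire cancels to M.  M, A and B are constructed below.
import secrets


def xor(x, y):
    assert len(x) == len(y)
    return bytes(a ^ b for a, b in zip(x, y))


def three_pass_exchange(message, a_key, b_key):
    """Alice holds a_key, Bob holds b_key; neither key is ever sent.
    Returns the three transmitted values and what Bob reads."""
    pass1 = xor(message, a_key)     # Alice -> Bob:   M + A
    pass2 = xor(pass1, b_key)       # Bob -> Alice:   M + A + B
    pass3 = xor(pass2, a_key)       # Alice -> Bob:   M + B   (Alice removes A)
    bob_reads = xor(pass3, b_key)   # Bob removes B and obtains M
    return (pass1, pass2, pass3), bob_reads


def eavesdropper_recovers(wire):
    """XOR commutes and every value is its own inverse, so the three
    observed values combine to M, and each key then falls out."""
    pass1, pass2, pass3 = wire
    message = xor(xor(pass1, pass2), pass3)  # (M+A)+(M+A+B)+(M+B) = M
    a_key = xor(pass1, message)              # (M+A)+M = A
    b_key = xor(pass3, message)              # (M+B)+M = B
    return message, a_key, b_key


# Constructed sample run.
SAMPLE_MESSAGE = b"meet at noon"
SAMPLE_A = bytes.fromhex("0f1e2d3c4b5a69788796a5b4")
SAMPLE_B = bytes.fromhex("a1b2c3d4e5f60718293a4b5c")


if __name__ == "__main__":
    wire, bob_reads = three_pass_exchange(SAMPLE_MESSAGE, SAMPLE_A, SAMPLE_B)
    print("Bob reads:", bob_reads)
    print("listener recovers:", eavesdropper_recovers(wire))
    # The same holds for fresh random keys, since only the XOR algebra matters.
    rnd_wire, _ = three_pass_exchange(SAMPLE_MESSAGE, secrets.token_bytes(12),
                                      secrets.token_bytes(12))
    print("with random keys:", eavesdropper_recovers(rnd_wire)[0])
```

The cancellation works for any "high quality" A and B, so improving the bit sequences does not help; the weakness is in using an operation whose three wire values can be combined by anyone.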

------------------------------

From: "Fergus O'Rourke" <[EMAIL PROTECTED]>
Crossposted-To: 
uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,talk.politics.crypto,alt.ph.uk,alt.conspiracy.spy,uk.telecom
Subject: Re: RIP Bill 3rd Reading in Parliament TODAY 8th May
Date: Mon, 29 May 2000 19:25:12 +0100

><[EMAIL PROTECTED]> wrote:
>(snip)
>We have every right to get worked up. I wasn't old enough to vote in
>> the last election (not that I would have)

You deserve anything that happens, then

(snip)



------------------------------

From: "Fergus O'Rourke" <[EMAIL PROTECTED]>
Crossposted-To: 
uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,talk.politics.crypto,alt.ph.uk,alt.conspiracy.spy,uk.telecom
Subject: Re: RIP Bill 3rd Reading in Parliament TODAY 8th May
Date: Mon, 29 May 2000 19:27:37 +0100

Anarchist Lemming wrote in message <8gtvqg$chk$[EMAIL PROTECTED]>...
>(snip)
>The only
>effective method to resist tyrannical government is mass civil
>disobedience.
(snip)

The best way to get a tyrannical government is not to vote



------------------------------

From: "Fergus O'Rourke" <[EMAIL PROTECTED]>
Crossposted-To: 
uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,talk.politics.crypto,alt.ph.uk,alt.conspiracy.spy,uk.telecom
Subject: Re: RIP Bill 3rd Reading in Parliament TODAY 8th May
Date: Mon, 29 May 2000 19:28:36 +0100

Steve Walker wrote in message <8gu8im$762$[EMAIL PROTECTED]>...
(snip)
>*they* define
>'reasonable suspicion', (snip)

Where ?



------------------------------

From: [EMAIL PROTECTED] (David Boothroyd)
Crossposted-To: 
uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,talk.politics.crypto,alt.ph.uk,alt.conspiracy.spy,uk.telecom
Subject: Re: RIP Bill 3rd Reading in Parliament TODAY 8th May
Date: Mon, 29 May 2000 19:51:59 +0000

In article <[EMAIL PROTECTED]>, Adrian Kennard
<[EMAIL PROTECTED]> wrote:
> David Boothroyd wrote:
> >...
> > I thought you said you were too young. The Poll Tax was replaced because
> > Conservative MPs realised it was too unpopular. The idea that the police
> > being able to demand that encrypted data (about which they have a reasonable
> > suspicion) be decrypted is in some way unreasonable is absurd.
> 
> The idea that the police may have unfounded suspicion.

Then they will find the decrypted document does not contain anything
wrong, and no further action will be taken.

> The idea that the individual may not wish to disclose a key
> which can then be used to decode everything they have ever
> received regardless of relevance, and sign things with their name, etc.

I'm sure many people interviewed by the police do not wish to disclose
things. This does not cause particular problems now.

> The idea that the data may not be encrypted, or the suspect
> may not have the key and cannot prove this. After all, if plod
> knew what it was then they would not need the key - they must have
> only suspicions.

People cannot be put in jail because they have lost their keys, as
Ministers have made clear during debate on the bill.

Without this bill criminals will get away with it. With it they will
not. It's as simple as that.

------------------------------

From: [EMAIL PROTECTED] (David Boothroyd)
Crossposted-To: 
uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,talk.politics.crypto,alt.ph.uk,alt.conspiracy.spy,alt.politics.uk,uk.telecom
Subject: Re: RIP Bill 3rd Reading in Parliament TODAY 8th May
Date: Mon, 29 May 2000 19:53:31 +0000

In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:
> On Mon, 29 May 2000 10:58:09 +0000, [EMAIL PROTECTED] (David
> Boothroyd) wrote:
> 
> > It was not huge. Since 1983 Labour manifestos have not been huge. However
> > it is not the job of the manifesto to include the complete range of
> > policies the party intends to introduce.
> 
> Yes it is. Anything less is dishonest.
..
> Doing something which is not in the manifesto is just
> as deceitful as failing to fulfil promises which are
> in it.

The £150 the government is giving to pensioners to help with their
winter fuel bill wasn't in the manifesto. Are you saying the government
was dishonest when it introduced it?

------------------------------

From: [EMAIL PROTECTED] (David Boothroyd)
Crossposted-To: 
uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,talk.politics.crypto,alt.ph.uk,alt.conspiracy.spy,uk.telecom
Subject: Re: RIP Bill 3rd Reading in Parliament TODAY 8th May
Date: Mon, 29 May 2000 19:55:23 +0000

In article <8gu8im$762$[EMAIL PROTECTED]>, "Steve Walker"
<[EMAIL PROTECTED]> wrote:
> David Boothroyd <[EMAIL PROTECTED]> wrote in message
> 
> " The idea that the police being able to demand that encrypted data (about
> which they have a reasonable suspicion) be decrypted is in some way
> unreasonable is absurd. "
> 
> Of course it's unreasonable, you pillock.   Because *they* define
> 'reasonable suspicion', 

No, the court decides it.

> and we know that whenever *they* have had powers to invade privacy in
> the past, these have been used against political and social targets too.

"They" in that paragraph begins to sound paranoid. There are inevitably
cases in which the police have gone too far. That does not amount to any
sort of argument against police powers in general.

> You are approving of a law which will make it a criminal offence to have
> privacy.  

It does not.

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
