Cryptography-Digest Digest #410, Volume #9       Sat, 17 Apr 99 18:13:03 EDT

Contents:
  Re: Adequacy of FIPS-140 (Terry Ritter)
  Re: Comments on Boomerang Attack Sought (David Wagner)
  Re: Extreme lossy text compression (Geoffrey Teabo)
  Re: Extreme lossy text compression (Geoffrey Teabo)
  Re: SNAKE#12 (Peter Gunn)
  Re: AES Competition ("Michael Scott")

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Adequacy of FIPS-140
Date: Sat, 17 Apr 1999 17:57:39 GMT


On Sat, 17 Apr 1999 14:45:48 GMT, in <[EMAIL PROTECTED]>, in
sci.crypt "Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote:

>Terry Ritter wrote:
>> OK, I'll bite:  What do you have in mind?
>
>Gee, I was hoping you'd go off and develop such a method.
>We certainly need something better than "I tried random
>attacks and didn't find one that succeeded."

Gee, I thought you were serious.  If you are, you'll have to be a bit
more forthcoming than that, because that is almost what I've been
saying:  Since we do not have a complete theory of cryptanalysis, all
the work spent on cryptanalysis can never produce the true strength
value we seek.  And while it would be nice to have such a theory, we
have 50 years of mathematical cryptography which argues that there is
no such thing.  So we can either stick our heads in the sand, or
instead *assume* the possibility of weakness, then innovate certain
protocols and usage patterns which reduce the consequences of the
failure we cannot prevent.  One example is the multi-ciphering,
many-cipher, and dynamically growing cipher-set package that I have
been discussing for several years.  This lowers the probability of
failure, reduces the information exposed by cipher failure, and
increases cryptanalytic expenses for The Opponent.  These advantages
accrue even if each cipher really does have a weakness.   

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM


------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Comments on Boomerang Attack Sought
Date: 17 Apr 1999 13:28:27 -0700

In article <[EMAIL PROTECTED]>,
John Savard <[EMAIL PROTECTED]> wrote:
> It seemed to me
> that DES, since it uses eight different S-boxes, even if it is homogenous,
> one could still have characteristics sort of "fading away" after a certain
> number of rounds that could make something like the boomerang attack
> useful. That was basically the question I was asking - if characteristics
> lose probability at a quicker-than-exponential rate, then the boomerang
> attack would have a more general value, making differential cryptanalysis
> stronger in almost all cases - and I wondered if I had missed that
> possibility.

Yes, it is a good point.  If this super-exponential property holds, then
the boomerang attack might be very interesting indeed.

I can't at the moment think of any good examples of this phenomenon.  Do
you know of any ciphers (even artificial ones) where the probability of the
best differential decays super-exponentially in the number of rounds, and
this property is maintained for many rounds?
(Skipjack is the first plausible candidate that comes to mind right now,
but I don't know if it has this property or not.)

DES does not seem to have this property (except for very small numbers of
rounds), because the best characteristics are iterative.

By the way, your comments seem as though they might apply to the
miss-in-the-middle attack, too.

> It seems to me, therefore, the "two cases" where the boomerang attack could
> be useful aren't cases where a cipher is weak - but where measures that
> would strengthen a block cipher just haven't been taken quite far enough.

I don't know.  You might be right.
(One example that might support your argument: COCONUT98 can be broken by
a boomerang precisely because it uses only one decorrelation module, whereas
DFC (with one decorrelator per round) seems safe against boomerang techniques.)
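
The quartet structure discussed above, as an added example that is not part of the thread and is not DES, COCONUT98, DFC or any other real cipher: a boomerang run exhaustively against a constructed toy 16-bit SPN. E0 and E1 are one keyed round each (key add, four 4-bit S-boxes, bit permutation), built from PRESENT's public S-box only because it is a convenient 4-uniform S-box; the permutation, the fixed key and the two differentials are assumptions chosen for illustration and read off the DDT the code computes. Standard library only.

```python
"""Boomerang quartet on a toy two-round SPN (constructed example, not from the thread)."""

# PRESENT's 4-bit S-box, used only as a convenient 4-uniform S-box; the
# 16-bit cipher around it is a toy invented for this illustration.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SBOX_INV = [SBOX.index(v) for v in range(16)]

def _bit_perm(x):
    """16-bit analogue of PRESENT's bit permutation: bit i -> bit 4*i mod 15,
    bit 15 fixed.  The map is an involution, so it is its own inverse."""
    y = 0
    for i in range(16):
        if (x >> i) & 1:
            y |= 1 << ((4 * i) % 15 if i < 15 else 15)
    return y

# Lookup tables so the exhaustive search over all 2^16 plaintexts stays fast.
PERM = [_bit_perm(x) for x in range(1 << 16)]
S8 = [SBOX[x & 0xF] | (SBOX[x >> 4] << 4) for x in range(256)]
S8_INV = [SBOX_INV[x & 0xF] | (SBOX_INV[x >> 4] << 4) for x in range(256)]

def s_layer(x, t=S8):
    return t[x & 0xFF] | (t[x >> 8] << 8)

# E = E1 o E0.  E0 is one round (key add, S-boxes, permutation); E1 is the
# same round followed by a post-whitening key.  A key is three 16-bit words.
def e0(x, k):      return PERM[s_layer(x ^ k[0])]
def e1(x, k):      return PERM[s_layer(x ^ k[1])] ^ k[2]
def e0_inv(y, k):  return s_layer(PERM[y], S8_INV) ^ k[0]
def e1_inv(c, k):  return s_layer(PERM[c ^ k[2]], S8_INV) ^ k[1]
def encrypt(p, k): return e1(e0(p, k), k)
def decrypt(c, k): return e0_inv(e1_inv(c, k), k)

def ddt():
    """Difference distribution table: ddt[a][b] = #{x : S(x) ^ S(x ^ a) == b}."""
    t = [[0] * 16 for _ in range(16)]
    for a in range(16):
        for x in range(16):
            t[a][SBOX[x] ^ SBOX[x ^ a]] += 1
    return t

def boomerang_hits(k, delta, nabla):
    """Count plaintexts P whose quartet returns: encrypt P and P^delta, XOR nabla
    into both ciphertexts, decrypt, and check the two results differ by delta."""
    hits = 0
    for p in range(1 << 16):
        c, c2 = encrypt(p, k), encrypt(p ^ delta, k)
        q, q2 = decrypt(c ^ nabla, k), decrypt(c2 ^ nabla, k)
        if q ^ q2 == delta:
            hits += 1
    return hits

# Differentials read off the DDT (ddt()[1][9] == 4 and ddt()[2][5] == 4):
#   E0 forward:   0x0001 -> 0x1001 via S-box differential 1 -> 9 in nibble 0 (p = 1/4)
#   E1 backward:  0x0202 -> 0x0020 via 5 -> 2 through S^-1 in nibble 1     (q = 1/4)
DELTA = 0x0001
NABLA = 0x0202
KEY = (0x3A5C, 0x91E7, 0x4B02)   # arbitrary fixed key for the demonstration

def run_demo(key=KEY):
    n = 1 << 16
    hits = boomerang_hits(key, DELTA, NABLA)
    return {
        "hits": hits,
        "observed_rate": hits / n,
        "p2q2_heuristic": (1 / 4) ** 4,    # 1/256: the naive p^2 q^2 estimate
        "random_permutation_rate": 1 / n,  # 2^-16: what an ideal cipher would give
    }

if __name__ == "__main__":
    print(run_demo())
```

The returning quartets are counted exhaustively, so the numbers are exact for the chosen key. The observed rate comes out at 1/16 or higher, far above both the 2^-16 of a random permutation and the p^2 q^2 = 1/256 the independence heuristic predicts; the excess is a dependency the heuristic ignores (the two backward differentials are evaluated on the same nibble of X and X', so they succeed or fail together), which is a small illustration of why characteristic probabilities in a real cipher need not multiply cleanly from round to round.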

------------------------------

From: Geoffrey Teabo <[EMAIL PROTECTED]>
Subject: Re: Extreme lossy text compression
Date: Sat, 17 Apr 1999 19:51:31 GMT



Geoff,

Thank you for your TIME to write such a lengthy and VERY CLEAR post.

> Maybe all you need is to use a standard hash function <

If SHA1 and MD5 are well known secure hashes, what's a well known standard
hash?

> So a secure hash will solve your problems and by design, shouldn't
> require you to take the additional steps I suggested

By "additional steps" you mean the pre-hash "munge" you suggested for a
standard hash, right?   Maybe a secure hash is better for me just for its
"munge"-free quality!

FINALLY: I just want to re-ask one other question, which no one responded
to... Do hash developers run any statistical TESTS to back up their theory of
random output, particularly for secure hashes?

Thanks, again,
Geoff Teabo

============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/       Search, Read, Discuss, or Start Your Own    
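
One way to run the kind of statistical test asked about above, as an added example that is not part of the thread: a single-bit avalanche measurement, taken here against SHA-256 (standing in for a secure hash) and CRC-32 (standing in for a CRC) on constructed sample inputs. A function that behaves randomly changes about half of its output bits when one input bit flips, and the change depends on the whole input; for a CRC the change depends only on the flipped position. Standard library only.

```python
"""Single-bit avalanche test of a hash (added example; sample inputs are constructed)."""
import hashlib
import zlib

def sha256_digest(m: bytes) -> bytes:
    return hashlib.sha256(m).digest()

def crc32_digest(m: bytes) -> bytes:
    return zlib.crc32(m).to_bytes(4, "big")

def flip_bit(m: bytes, bit: int) -> bytes:
    """Return m with one bit flipped (bit 0 is the LSB of byte 0)."""
    buf = bytearray(m)
    buf[bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)

def digest_distance(digest_fn, a: bytes, b: bytes) -> int:
    """Hamming distance between digest_fn(a) and digest_fn(b)."""
    x = int.from_bytes(digest_fn(a), "big") ^ int.from_bytes(digest_fn(b), "big")
    return bin(x).count("1")

def sample_messages(n: int, length: int = 32):
    """Constructed, deterministic pseudo-random inputs (not real data)."""
    return [hashlib.sha256(b"avalanche-sample-%d" % i).digest()[:length]
            for i in range(n)]

def avalanche_fraction(digest_fn, digest_bits: int, samples: int = 512) -> float:
    """Mean fraction of digest bits that change when one input bit is flipped.
    A hash that behaves like a random function should sit close to 0.5."""
    total = 0
    for i, m in enumerate(sample_messages(samples)):
        pos = (i * 37) % (len(m) * 8)        # spread the flipped position around
        total += digest_distance(digest_fn, m, flip_bit(m, pos))
    return total / (samples * digest_bits)

def crc_difference_is_message_independent(bit: int = 77, samples: int = 64) -> bool:
    """CRC is linear over GF(2): crc(m ^ e) ^ crc(m) depends only on the flipped
    position, never on m.  True here means that structure is visible."""
    diffs = {zlib.crc32(m) ^ zlib.crc32(flip_bit(m, bit)) for m in sample_messages(samples)}
    return len(diffs) == 1

def sha256_difference_is_message_independent(bit: int = 77, samples: int = 64) -> bool:
    """Same test against SHA-256: the digest difference should vary with m."""
    diffs = set()
    for m in sample_messages(samples):
        a, b = sha256_digest(m), sha256_digest(flip_bit(m, bit))
        diffs.add(bytes(x ^ y for x, y in zip(a, b)))
    return len(diffs) == 1

if __name__ == "__main__":
    print("SHA-256 avalanche fraction:", avalanche_fraction(sha256_digest, 256))
    print("CRC-32 avalanche fraction: ", avalanche_fraction(crc32_digest, 32))
    print("CRC-32 difference fixed by position alone:", crc_difference_is_message_independent())
    print("SHA-256 difference fixed by position alone:", sha256_difference_is_message_independent())
```

Tests like this can only reject a hash that is visibly non-random; passing them is evidence, not proof, which is why the designers' arguments rest on structure rather than on statistics alone.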

------------------------------

From: Geoffrey Teabo <[EMAIL PROTECTED]>
Subject: Re: Extreme lossy text compression
Date: Sat, 17 Apr 1999 19:36:34 GMT



Dan,

Criminals are just soooo NOT an issue for this application.

Suppose I'm monitoring stories coming in off a newswire service (like
Reuters), I'm just trying to make sure that I don't capture the identical
news story TWICE in my database.

A so-called attacker, or criminal, in this case would be trying to compose a
news article to intentionally collide with an old news article, and supposedly
to what purpose?  The only effect would be that my system would IGNORE the new
phony story anyway!!!!!  How ironic!

So clearly my ONLY concern is that a new VALID and REAL news story would
appear with the same hash result as the hash result of ANOTHER DIFFERENT and
OLDER news story.  That would be really BAD because I'd be ignoring a VALID
story.

In light of my specific issues, another post to this thread suggested that a
128 bit CRC would be okay, and that a hash is more trouble than it's worth.

What do you think?

I have a hunch that a CRC isn't as good because it's not as random, and I
might have to worry that similar plaintexts like "BBBBBBBB" and "BBBBBBDA"
might have the same CRC.

Geoff

===
Dan wrote:
>
> If you reveal the hash for more than one article then a criminal can
> create new articles with any desired hash. Even if you don't think this
> is a problem now, there's no reason for you to allow it. You can, for
> example, feed the hash127 result through Rijndael_k with a secret key k.
> This is very fast---the hash127 result is only 16 bytes long.
>
===
Geoff wrote:
> > I'm not clear why secrecy is an issue.

============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/       Search, Read, Discuss, or Start Your Own    
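
The CRC-versus-keyed-hash point in the exchange above, as an added example that is not part of the thread: a duplicate-story index fingerprinted first with CRC-32 and then with a keyed hash. HMAC-SHA256 is substituted for Dan's hash127-then-Rijndael construction, which the standard library does not provide; the story text, key and byte offset are constructed for the illustration. Because CRC-32 is affine over GF(2), XOR-ing a multiple of the generator polynomial into a story leaves its CRC unchanged, so a second, different story that the CRC-based index silently drops can be built without any search.

```python
"""Newswire de-duplication: CRC-32 versus a keyed fingerprint (added example)."""
import hashlib
import hmac
import zlib

def crc_fingerprint(story: bytes) -> bytes:
    return zlib.crc32(story).to_bytes(4, "big")

def keyed_fingerprint(story: bytes, key: bytes) -> bytes:
    # 128-bit truncation keeps the index small; without the key nobody can
    # predict which fingerprint a new story will map to.
    return hmac.new(key, story, hashlib.sha256).digest()[:16]

class StoryIndex:
    """Keeps the first story seen per fingerprint; add() says whether it was new."""
    def __init__(self, fingerprint):
        self._fp = fingerprint
        self._seen = {}

    def add(self, story: bytes) -> bool:
        fp = self._fp(story)
        if fp in self._seen:
            return False          # treated as a duplicate and ignored
        self._seen[fp] = story
        return True

# CRC-32 is affine: for equal-length inputs crc(a ^ b ^ c) == crc(a) ^ crc(b) ^ crc(c),
# so XOR-ing a multiple of the generator polynomial into a message leaves the CRC
# unchanged.  The 33-bit generator, laid out in the bit order zlib.crc32 consumes
# (least significant bit of each byte first), is this 5-byte pattern.
CRC32_GENERATOR_PATTERN = (1 | (0xEDB88320 << 1)).to_bytes(5, "little")  # 41 06 71 db 01

def crc_colliding_variant(story: bytes, offset: int) -> bytes:
    """Return a different story of the same length with the same CRC-32."""
    if offset + len(CRC32_GENERATOR_PATTERN) > len(story):
        raise ValueError("pattern must fit inside the story")
    buf = bytearray(story)
    for i, b in enumerate(CRC32_GENERATOR_PATTERN):
        buf[offset + i] ^= b
    return bytes(buf)

# Constructed sample input and a hypothetical operator key (never on the wire).
ORIGINAL = b"REUTERS 1999-04-17: Central bank holds rates steady, cites inflation outlook."
KEY = b"operator-secret-key-not-from-the-thread"

def run_demo(story=ORIGINAL, key=KEY, offset=32):
    variant = crc_colliding_variant(story, offset)
    crc_index = StoryIndex(crc_fingerprint)
    keyed_index = StoryIndex(lambda s: keyed_fingerprint(s, key))
    return {
        "variant_differs": variant != story,
        "same_crc": crc_fingerprint(variant) == crc_fingerprint(story),
        "same_keyed": keyed_fingerprint(variant, key) == keyed_fingerprint(story, key),
        # What each de-duplicator does with the second, different story:
        "crc_index_accepts_variant": crc_index.add(story) and crc_index.add(variant),
        "keyed_index_accepts_variant": keyed_index.add(story) and keyed_index.add(variant),
    }

if __name__ == "__main__":
    print(run_demo())
```

The same construction works at any byte offset where the pattern fits, which is the concrete form of the worry that near-identical inputs can share a CRC. The keyed fingerprint has no such structure, and since the key never leaves the operator's system, publishing fingerprints (or stories) gives nobody a way to aim at a chosen value.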

------------------------------

From: Peter Gunn <[EMAIL PROTECTED]>
Subject: Re: SNAKE#12
Date: Sat, 17 Apr 1999 20:58:06 +0100

Peter Gunn wrote:

> [snip]
>
> Now, this seems too easy, so there must be a catch...
>
> [snip]

The catch is that a MITM can guess offline over all values of P. :-(
but maybe I can fix this?...

hmmmm... more thinking required.

ttfn

PG.







------------------------------

From: "Michael Scott" <[EMAIL PROTECTED]>
Subject: Re: AES Competition
Date: Sat, 17 Apr 1999 22:13:05 +0100

OK, that's the information I wanted.

So it's even money Rijndael & RC6
2/1 TwoFish
3/1 Mars & Serpent
10/1 E2

100/1 bar those

I must say Rijndael is looking good, given that its completely patent free,
scales nicely to various architectures, and can also be used as a one-way
hash. Its only problem seems to be its awful name.


Mike Scott



Helger Lipmaa <[EMAIL PROTECTED]> wrote in message
news:7famgh$hti$[EMAIL PROTECTED]...
> As I didn't find this information on the AES webpage, I decided to put it
> up myself. Namely, there was an _informal_ questionnaire filled at the end of
> the AES2 conference, where everyone visiting the conference could suggest
> if the corresponding cipher should make it to the second round (+1), should
> not make (-1) or if it was an open question. There were 104 answers, and the
> results were as follows:
>
> Cipher     Total     +     -     =
> ----------------------------------------------
> Rijndael    +76    +77    -1   =19
> RC6         +73    +79    -6   =15
> Twofish     +61    +64    -3   =28
> Mars        +52    +58    -6   =35
> Serpent     +45    +52    -7   =39
> E2          +14    +27   -13   =53
>
> followed by CAST-256 (-2), SAFER+ (-4), DFC (-5), Crypton (-15), DEAL
> (-70), HPC (-77), Magenta (-83), Frog (-85), Loki97 (-85).
>
> Among the participants were most of the world renowned cryptographers in
> the area.
>
> (the results are archived at http://home.cyber.ee/helger/aes)
>
> Helger
> http://home.cyber.ee/helger



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
