Cryptography-Digest Digest #414, Volume #9       Sun, 18 Apr 99 03:13:03 EDT

Contents:
  Re: Adequacy of FIPS-140 (wtshaw)
  Re: Adequacy of FIPS-140 (wtshaw)
  Re: Dynamic Data Dependant Key Schedule (Boris Kazak)
  Re: Adequacy of FIPS-140 (wtshaw)
  Re: Thought question:  why do public ciphers use only simple ops like shift and XOR? (wtshaw)
  Re: Thought question:  why do public ciphers use only simple ops like shift and XOR? (wtshaw)
  Re: Thought question:  why do public ciphers use only simple ops like shift and XOR? (wtshaw)
  Re: Thought question: why do public ciphers use only simple ops like shift and XOR? (wtshaw)
  Re: Thought question:  why do public ciphers use only simple ops like shift and XOR? (wtshaw)
  Re: Question on confidence derived from cryptanalysis. (ovbxotm)
  Re: True Randomness & The Law Of Large Numbers (Earth Wolf)
  Re: How robust are pencil and paper cyphers? (wtshaw)
  Re: John Savard is REALLY REALLY STUPID!! (wtshaw)
  Re: Can someone think this through, please.  (PGP) (wtshaw)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Adequacy of FIPS-140
Date: Sat, 17 Apr 1999 23:41:18 -0600

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Kurt
Wismer) wrote:
> 
> why can't you take the minimum cost of all the attacks... it doesn't give 
> you a value that will remain constant inspite of new developments in 
> cryptanalysis but i don't see how anything could... calculating the cost for 
> all possible attacks on the algorithm and taking the minimum would at 
> least be formal and the set could be added to/updated as techniques are 
> refined or new ones are discovered...

There are a few details to be cleaned up: One is this Shannon Unicity
idea.  For many of the algorithms you don't need much to work on to think
of brute force.  For a few, it looks like you can't begin to even think in
terms of brute force, or getting enough ciphertext to reasonably mount
some sort of other attack.

You are only going to be able to be formal with the algorithms most likely
to fail to pass your attack.  The others, you need not even talk about
because they are in a better league.
> 
> it seems to me any metric is going to have to take all possible attacks 
> into account since no single one is best for all cryptosystems... 

Yet there are systems that seem to resist all known attacks; if there is a
known and realistically doable attack for a cryptosystem, you might only
use it for hobby purposes in the first place, not real security; but,
depending on use, a given algorithm with a particular type of weakness may
not be an important factor.
> 
> i know i'm stating the obvious here, but since you need to take all that 
> information into account, and you're looking for the lower bound on the 
> cost of a succeful attack, i don't see any other obvious alternatives...

Again I say, make the burden absurdly difficult to consider.
> -- 
> "when i ran i didn't feel like a runaway
>  when i escaped i didn't feel like i got away
>  there's more to living than only surviving
>  maybe i'm not there but i'm still trying"

Today, we drove into strange areas without a map and discovered the best
chicken fried steak that we had ever eaten, and somehow got to Mary of
Puddin' Hill sometime later.  Sometimes it is best to just not to try so
hard to reap the experience of freedom, just do it.  Explore some strange
idea in crypto for the fun of it and see if it leads anywhere, no
footnotes involved.
-- 
Too much of a good thing can be much worse than none.

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Adequacy of FIPS-140
Date: Sat, 17 Apr 1999 23:17:29 -0600

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:

> On Sat, 17 Apr 1999 07:03:37 GMT, [EMAIL PROTECTED] (Terry Ritter) wrote:
> 
> >2) dynamically select "at random" from a growing field of ciphers,
> 
> I thought that violated one of the primary assumptions of crypto,
> namely that the cryptanalyst knows the exact algorithm you are using.
> 
That is a useful hypothetical in design, but functionally it need not be
the case.  To enhance security for any circumstance, you only share the
basics with those who you want to have them; it should make it a guessing
game for others.
-- 
Too much of a good thing can be much worse than none.

------------------------------

From: Boris Kazak <[EMAIL PROTECTED]>
Subject: Re: Dynamic Data Dependant Key Schedule
Date: Sat, 17 Apr 1999 22:39:09 -0400
Reply-To: [EMAIL PROTECTED]

[EMAIL PROTECTED] wrote:
> 
> I have an idea (yeah!), which could benefit many simple ciphers, (RC5/RC6 are
> my fav...), and still keep it simple.
> 
> Let's look at RC5 first
> 
> for r = 1 to rounds
>     A = ((A xor B) <<< B) + S[2 * r]
>     B = ((B xor A) <<< A) + S[2 * r + 1]
> 
> Ok, we all know this works well.  But, apply my idea, and you get something
> like
> 
> for r = 1 to rounds
>     A = ((A xor B) <<< B) + (S[2 * r] <<< (B >> 5))
>     B = ((B xor A) <<< A) + (S[2 * r + 1] <<< (A >> 5))
> 
> Which would change the key value (rotate it using the next 5 bits in the data
> dependent register).  Such that two blocks with the same key will not get
> encrypted the same way (using the same subkeys)
> 
> This is basically dynamic key scheduling.  Pretty cool no?  What does anyone
> think about it?
> 
> I think you could apply this to RC5, RC6, probably Blowfish (rotate the result
> of the F function), and others.
> 
> I think using this would make sure that the same subkeys (scheduled keys) are
> not used, but are derived from the same private key.  Even with chosen
> plaintext you don't know the value of the data dependent registers in
> intermittent rounds, so you wouldn't be able to derive anything from that.
> 
> Tom
> 
====================
    Here is something that might respond to your thoughts.

....On the other hand, exact knowledge of the algorithm allows very finely
tuned attacks, which exploit the minute details of the ciphering mechanism.
Quoting Schneier: "...chosen-key attack, which exploits the fact that all
rounds are identical and that the key schedule is just a cyclic shift by 32
bits" (p.327) "...examined Blowfish with known S-boxes..." (p.339) and so on.

        In the course of this reading, by an unknown memory twist, I
remembered a funny word combination - "Problem of a Drunken Sailor".
Actually this is a serious mathematical problem, conventionally known as
the problem of random walk. The essence of this problem can be visualized
if one imagines a drunken sailor on a street crossing in an unknown city.
The guy has about equal probability to go in any of the 4 possible
directions. On the next crossing there will be again 1 out of 4 choice,
then again and again, until he comes to the harbor (if this ever happens).

        And then a crazy idea came to my mind - why not introduce some
trick which will deny the cryptanalyst access to his main weapon? Why not
make the algorithm itself key-dependent and plaintext-dependent? In this
case our friend cryptanalyst will be thrown back to square zero, because
there will be nothing certain to cryptanalyze - only the "C" code which
will explain how the choices are made between different algorithms.

        Elaborating a little further, the number of possible choices must
be greater than the combined number of all possible keys and all possible
plaintexts. Then the brute-force attack will really be the only way - all
other ways will require more plaintexts or more keys than can exist.

        Now the purists are advised to close their eyes and to read the
rest of the text with the eyes closed, because the main concept which will
be discussed here is the concept of BOOZE.

        There are two variable parts processed by the encryption algorithm
in order to produce ciphertext - key and plaintext. Accordingly, if the
choices in the encryption procedure are dictated by the key alone, we will
call this Master Booze; if the choices are dictated by the plaintext, we
will call this Peer Booze. Both are necessary in varying proportions, and
it is my intent to draw attention to the fact that a big amount of high
quality Peer Booze is present in many successful block ciphers. Neglect of
the amount or quality of Booze (both Master and Peer) facilitates the
cryptanalysis enormously.

             ---  MASTER BOOZE BREWERY (Stuffing the cellar)  ---

                                         BOOZE (orig. boo-zah)
                                             * word of Mongolian origin,
                                               denotes a beverage which makes
                                               people aggressive and delirious.
                                             * (amer.slang) strong liquor.

        Conventionally this procedure is known as Key Schedule, and its
purpose boils down to generating some bytes or words which will be used
for subsequent encryption. The generated stuff is known as Subkeys, and
different ciphers use a different number of those and different generating
procedures. IDEA generates its subkeys by the 25-bit cyclic shift of the
key, FEAL uses a special "Fk" function, BLOWFISH uses itself and the hex
digits of Pi, and so on...

    Good luck and best wishes               BNK
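The RC5 round function beside the data-dependent subkey rotation proposed in the quoted post, as an added example (not code from the post, from RC5's authors, or from this digest). Key expansion follows Rivest's RC5 paper and the standard S[0]/S[1] pre-whitening additions are included, which the post's sketch omits; the `dynamic` flag, the `trace` list and the sample key and blocks are this example's own constructions.

```python
# Added example: RC5-32 with the data-dependent subkey rotation proposed in
# the quoted post. Key expansion follows Rivest's RC5 paper; the "dynamic"
# flag and the optional trace list are this example's own conventions.
W = 32                      # word size in bits (RC5-32)
MASK = (1 << W) - 1
P32, Q32 = 0xB7E15163, 0x9E3779B9   # RC5 magic constants (Rivest's paper)


def rotl(x, n):
    n &= W - 1              # only the low lg(w) = 5 bits select the rotation
    return ((x << n) | (x >> (W - n))) & MASK


def rotr(x, n):
    n &= W - 1
    return ((x >> n) | (x << (W - n))) & MASK


def expand_key(key: bytes, rounds: int):
    """Standard RC5 key schedule: subkey table S of 2*(rounds+1) words."""
    u = W // 8
    c = max(1, (len(key) + u - 1) // u)
    L = [0] * c             # key bytes packed little-endian into words
    for i in range(len(key) - 1, -1, -1):
        L[i // u] = (rotl(L[i // u], 8) + key[i]) & MASK
    t = 2 * (rounds + 1)
    S = [(P32 + i * Q32) & MASK for i in range(t)]
    i = j = A = B = 0
    for _ in range(3 * max(t, c)):   # mix S and L together
        A = S[i] = rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = rotl((L[j] + A + B) & MASK, A + B)
        i, j = (i + 1) % t, (j + 1) % c
    return S


def subkey(S, k, reg, dynamic):
    # The post's trick: rotate S[k] by the *next* five bits (5..9) of the
    # other register, so the word actually added varies with the data.
    return rotl(S[k], reg >> 5) if dynamic else S[k]


def encrypt(S, A, B, rounds, dynamic=False, trace=None):
    """Encrypt one 64-bit block (A, B); trace collects the subkeys used."""
    A, B = (A + S[0]) & MASK, (B + S[1]) & MASK   # pre-whitening
    for r in range(1, rounds + 1):
        ka = subkey(S, 2 * r, B, dynamic)
        A = (rotl(A ^ B, B) + ka) & MASK
        kb = subkey(S, 2 * r + 1, A, dynamic)
        B = (rotl(B ^ A, A) + kb) & MASK
        if trace is not None:
            trace += [ka, kb]
    return A, B


def decrypt(S, A, B, rounds, dynamic=False):
    """Inverse of encrypt; the other register is still intact when each
    subkey is recomputed, so the variant stays invertible."""
    for r in range(rounds, 0, -1):
        B = rotr((B - subkey(S, 2 * r + 1, A, dynamic)) & MASK, A) ^ A
        A = rotr((A - subkey(S, 2 * r, B, dynamic)) & MASK, B) ^ B
    return (A - S[0]) & MASK, (B - S[1]) & MASK


if __name__ == "__main__":
    S = expand_key(bytes(range(16)), 12)       # constructed sample key
    for blk in ((0x01234567, 0x89ABCDEF), (0xDEADBEEF, 0x00000001)):
        used = []
        encrypt(S, *blk, 12, dynamic=True, trace=used)
        print("block %08x%08x adds" % blk, [hex(k) for k in used[:4]], "...")
```

With `dynamic=True` the trace shows each block being combined with a differently rotated copy of the same S table, which is the effect the post describes; that the subkeys differ per block says nothing by itself about the variant's resistance to analysis.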

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Adequacy of FIPS-140
Date: Sat, 17 Apr 1999 23:23:39 -0600

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:

> On Sat, 17 Apr 1999 14:45:48 GMT, "Douglas A. Gwyn" <[EMAIL PROTECTED]>
> wrote:
> 
> >Terry Ritter wrote:
> >> OK, I'll bite:  What do you have in mind?
> >
> >Gee, I was hoping you'd go off and develop such a method.
> >We certainly need something better than "I tried random
> >attacks and didn't find one that succeeded."
> 
> Gee, I was hoping you could show us how you successfully attacked the
> OTP cryptosystem.
> 
When you try to cut open a watermelon, it is nice to have friends around
to share the experience, otherwise you are apt to get lonely and
depressed.  

If you can make the attacker consider you are using an OTP when you are
not, he might quit earlier, or not even try.  Consider the following as a
header for any message:

----BEGIN OTP MESSAGE HERE----

If the algorithm you choose is sufficiently good, it probably should mean
about the same thing.
-- 
Too much of a good thing can be much worse than none.

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Thought question:  why do public ciphers use only simple ops like shift and XOR?
Date: Sun, 18 Apr 1999 00:18:55 -0600

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Terry Ritter) wrote: 
> 
> I guess I would suggest that if the goal was to get the best cipher,
> we would see a post-analysis re-design phase intended to fix known
> problems, with the final comparison being made between full-strength
> designs. 

Even some of the worst overall ciphers that have come to light here and
there can have a novelty within which should be cherished by the crypto
community.

It would seem that the best use of the talent involved in the AES process
would be to identify any new techniques that might have crept in, and see
how these could be used to supplement the best of what else we know.  To
stop with what we have seen thus far would be a big mistake.  It is in the
interest of cryptography for some sort of evolutionary recombination to
continue, with active support of those civilians involved, which is almost
a given as the process is merely a seed for growing beyond any government
imposed limits.

Well known are some of my reservations about AES, but I cheer on those who
even try to do the best they can, even with self-imposed handicaps.
-- 
Too much of a good thing can be much worse than none.

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Thought question:  why do public ciphers use only simple ops like shift and XOR?
Date: Sun, 18 Apr 1999 00:28:12 -0600

In article <[EMAIL PROTECTED]>, "Trevor Jackson, III"
<[EMAIL PROTECTED]> wrote:
> 
> There's a name for this attitude.  It's called the Aristotelean Fallacy
> -- the appeal to authority.  It dominated science for centuries, and
> science suffered for it.
> 
> But even granting that I would prefer to purchase cryptographic products
> from a professional rather than an amateur, all this changes is the unit
> of measure.  Instead of measuring the quality of the product we'll end
> up measuring the quality of the author.  Now it's hard enough to define
> a unit of measure for ciphers.  Imagine defining the unit of measure for
> cipher designers.

The most professional cryptographic designers, the opponents, in the world
have offered of late...dung.
> 
> The fact that the best (only) standard we have for judging ciphers and
> their implementations is that of Brand Names indicates just how
> young/volatile/immature the field is.  We've got good mathematical tools
> and good software engineering tools, but the toolbox for the crypto
> designer is mostly defined in the negative; by the toolbox of the crypto
> analyst.

So they would have you believe.
> 
> When we have crypto-engineering standards similar to civil-engineering
> standards, we'll have a mature science (and very little excitement :-).

Over-standardization, regulation, formalization, and authoritarization have
killed many a good field.  Maturation is not the enemy of creativity, but
wheeler-dealer power-sponges, who imagine that everyone else must follow
their lead, are.
-- 
Too much of a good thing can be much worse than none.

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Thought question:  why do public ciphers use only simple ops like shift and XOR?
Date: Sun, 18 Apr 1999 00:41:15 -0600

In article <[EMAIL PROTECTED]>, "Douglas A. Gwyn"
<[EMAIL PROTECTED]> wrote:
> 
> I guess you're talking about AES.  If time constraints allow,
> that would be one reasonable part of the evaluation procedure,
> but you still have to drawn the line somewhere and pick the
> best-to-date.

Ah, elections do come up at some point.  As I remember, the final pick is
to be submitted to higher, political, authority for *approval*, which is
apt not to be a technical decision based on purely scientific
considerations.  Meanwhile, back at the ranch, we can make things better
by trying to go beyond such a seal.
-- 
Too much of a good thing can be much worse than none.

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Thought question: why do public ciphers use only simple ops like shift and XOR?
Date: Sun, 18 Apr 1999 00:35:24 -0600

In article <7fa0n5$v4m$[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
> 
>   My feeling is that the method that computers use should involve much
> more operations than what the public is used to. My code treats the
> whole file as a block. Which is something else the current blessed
> methods do not do.
> 
Which is strange since the one thing that you highlight is something that
perhaps is the biggest weakness in the utility of what you have done. 
And, trying to make the various blessed methods somehow stronger by making
block affect each other through shoddy methods is also a step in the wrong
direction.  All-or-nothing logic has always been considered as a fallacy.
-- 
Too much of a good thing can be much worse than none.

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Thought question:  why do public ciphers use only simple ops like shift and XOR?
Date: Sun, 18 Apr 1999 00:45:35 -0600

In article <[EMAIL PROTECTED]>, "Douglas A. Gwyn"
<[EMAIL PROTECTED]> wrote:

> wtshaw wrote:
> > The design can demand so many equations be written that it is
> > impractical to do so.
> 
> How could the design be conveyed to the implementor, then?

I was thinking more in terms of a simple design, guess, where the burden
of writing the equations would be on the attacker who would be trying to
make sense out of lots of ciphertext.  You know, something easy to do
knowing the key, and impractical not knowing it.
-- 
Too much of a good thing can be much worse than none.

------------------------------

From: [EMAIL PROTECTED] (ovbxotm)
Subject: Re: Question on confidence derived from cryptanalysis.
Date: Sun, 18 Apr 1999 06:38:36 GMT

Reading the same stuff from you Terry is getting old. Listening to you
try to discuss "logic" with your tone is also getting old.

Guess it's time to add an entry to my killfile.


------------------------------

From: [EMAIL PROTECTED] (Earth Wolf)
Subject: Re: True Randomness & The Law Of Large Numbers
Date: Sun, 18 Apr 1999 06:38:40 GMT

On Thu, 15 Apr 1999 19:26:34 GMT, [EMAIL PROTECTED] (R. Knauer)
wrote:

>Please speak for yourself. You don't have a clue whether I am an
>expert or not in reality. Since you claim that you are not an expert,
>you do not have the capability to judge me in that regard.

To paraphrase Samuel Johnson, one does not have to be a carpenter to
know that the table wobbles. :-)

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: How robust are pencil and paper cyphers?
Date: Sun, 18 Apr 1999 01:05:20 -0600

In article <[EMAIL PROTECTED]>, "Douglas A. Gwyn"
<[EMAIL PROTECTED]> wrote:

> InEN97 wrote:
> > It is my understanding that pencil and paper cyphers ... have
> > a degree of security ... that is inversely proportional to the
> > message length and key length, repetition and reuse.
> 
> No.  There is no simple formula for this.

Many ciphers are far too *busy* for pencil and paper methods; there are a
few which have potential great usefulness, and yet are not an OTP method.
Because non-machine methods are laborious, limited traffic is apt to be
involved, which can make attacking an otherwise mediocre cipher extremely
difficult.
-- 
A new random permutation generator: You put X windoze
machines in a room, merely start them up, and record the
order in which they eventually crash on their own.

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: John Savard is REALLY REALLY STUPID!!
Date: Sun, 18 Apr 1999 01:22:53 -0600

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:

> John Savard wrote:
> > 
> > "Charles Booher" <[EMAIL PROTECTED]> wrote, in part:
> > 
> > >Can you please give me the next prime number?
> > 
> > No. If the real Mr. Booher is indeed not the author of these posts, I hope
> > he reads this newsgroup and complains...
> > 
> > John Savard (teneerf is spelled backwards)
> > http://members.xoom.com/quadibloc/index.html
> ----------------------
>   Dear Mr. Savard!
> (this is a repetition of a post which I did in answer to someone else)
>    You probably just don't have enough cynicism to understand what is 
> really going on here. The guy who makes these postings IS NOT and 
> NEVER WAS Charles Booher.

I suppose it would be asking too much to have him sign them with PGP.
-- 
A new random permutation generator: You put X windoze
machines in a room, merely start them up, and record the
order in which they eventually crash on their own.

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Can someone think this through, please.  (PGP)
Date: Sun, 18 Apr 1999 01:19:02 -0600

In article <[EMAIL PROTECTED]>, "Douglas A. Gwyn"
<[EMAIL PROTECTED]> wrote:

> wtshaw wrote:
> > I ask for patience in spite of exuberance.
> 
> I'm using this forum as an exercise in patience.

Perhaps the pot just boiled over for an instant...now, down to the issue.
> 
> It also is reasonable to ask for support for the claim being made,
> as others have done.  It is unlikely that this person posting as
> Booher has actual *knowledge* of the alleged conspiracy, so the
> claim is presumably an inference from some evidence.  What evidence?
> Inquiring minds want to know.  It has already been suggested that
> the supposed inadequately large key space is not the true
> effective key space.

I don't know him previously, but he talks a good line.  I do disagree with
him on some of his other conclusions in other areas beyond this
discussion.   I also strongly agree with him on certain things.  Probably,
most likely, the same guy as who he says he is.  I would not mind visiting
him on certain issues; I don't think the best choice would be PGP however.

Considering the matter at hand, yes, inquiring minds want to know whether
he is on to something, or whether he does not know what he does not know.  He
claims lots of expertise in some areas, but, gosh, all of us do in some,
just not exactly the same ones.

I urge the continuation of a mathematically based discussion here so that
those most adept at such things can meet in the open.
-- 
A new random permutation generator: You put X windoze
machines in a room, merely start them up, and record the
order in which they eventually crash on their own.

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
