Cryptography-Digest Digest #112, Volume #9 Sat, 20 Feb 99 07:13:04 EST
Contents:
Re: More Security for Single-DES? ([EMAIL PROTECTED])
Re: Bruce's Feb. "CRYPTO-GRAM" (JPeschel)
Re: Bruce's Feb. "CRYPTO-GRAM" (wtshaw)
Re: Export Laws (wtshaw)
check out site ("annemitchell")
Re: Naval Enigma - Extra rotor stepping an advantage? (Frode Weierud)
Re: New high-security 56-bit DES: Less-DES (Bryan Olson)
Re: Bruce's Feb. "CRYPTO-GRAM" (wtshaw)
Re: crypton.c (Fabrice Noilhan)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED]
Subject: Re: More Security for Single-DES?
Date: Sat, 20 Feb 1999 05:32:15 GMT
[EMAIL PROTECTED] () wrote:
> If we XOR the current value of T to the input and the output of DES with
> K2, then we are essentially making use of the idea behind DESX. And then a
> brute-force search on K2 won't be possible where T (or K1) is unknown.
> Except for an extra key setup, this looks like a way of obtaining 112-bit
> (Triple DES) security, not at double-DES speeds, but at single-DES speeds.
"Suffers" from assymetric key use. K1 is used minimally, but K2 gets
hammered. In comparison, 3DES uses its key bits more "evenly". Whether
this can be efficiently exploited is a question. I think the best way to
answer it is to pose it to the government: "Oh kind sirs, please can
I mail this source code to my friends in <country X>?"
============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
------------------------------
From: [EMAIL PROTECTED] (JPeschel)
Subject: Re: Bruce's Feb. "CRYPTO-GRAM"
Date: 20 Feb 1999 05:36:07 GMT
>[EMAIL PROTECTED] writes:
>Hey, I'm from Missouri, what's your point.
It was a little joke about the "Show Me" state.
A lot of the stuff Bruce refers to has been broken
and is on my page, Dave.
J
__________________________________________
Joe Peschel
D.O.E. SysWorks
http://members.aol.com/jpeschel/index.htm
__________________________________________
------------------------------
From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Bruce's Feb. "CRYPTO-GRAM"
Date: Sat, 20 Feb 1999 02:12:26 -0600
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
(Bruce Schneier) wrote:
> On Fri, 19 Feb 1999 12:08:28 -0600, [EMAIL PROTECTED] (wtshaw) wrote:
> >If government is guilty of hype in all this stuff, perhaps he has begun to
> >pick up their ways by osmosis through close association. I suppose, as a
> >person of high profile, he could even be sued by someone unhappy with his
> >pronouncements, not a problem for government it seems.
>
> Indeed, the author of the Snake Oil FAQ (a first, and an excellent,
> essay on the warnings of snake oil) had been afraid to name names for
> just that reason. I was more willing to take the risk, so I decided
> to name names and give actual quotes from product literature. So far
> no one has threatened me.
>
I hope that none do. It is still a possibility however.
Last I read, some of the statements suggestive of snake oil that might be
made by someone might also be honest claims, whether or not they were
backed up at the time. Sometimes, truth is strong enough that it is not
easily accepted; and, of course, plainly misleading statements gather no
moss, or something like that.
--
A much too common philosophy:
It's no fun to have power....unless you can abuse it.
------------------------------
From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Export Laws
Date: Sat, 20 Feb 1999 02:23:54 -0600
In article <[EMAIL PROTECTED]>, Mr. Tines
<[EMAIL PROTECTED]> wrote:
>
> On Thu, 18 Feb 1999 20:00:38 GMT, in <[EMAIL PROTECTED]>
> [EMAIL PROTECTED] (Michael Kjorling) wrote.....
>
> > The point is that cryptographic programs are not allowed to be exported in
> > ELECTRONIC form. Suppose I want to export a simple program, of a few thousand
> > bytes. I could then convert it into ASCII, print it to paper, get it outside
> > the USA and then scan and reconvert it into computer-executable binaries.
> > Voila...
>
> ...there you have PGP5
A disk is magnetic in form, not electronic except in its writing, but I
know that you meant that. The exporting could be done in photons rather
than electrons, but this is splitting hairs again, or is it?
It seems that the media is merged with the message, as predicted in the
60's. Information format should make no difference. You might just as
well export it on film, which is not paper either, and get away with it.
However, would putting the images on tape be the same as a disk, or does
it matter whether it is video tape or computer tape?
.....This is an endless and senseless argument that government chooses to
make as its playpen.
--
A much too common philosophy:
It's no fun to have power....unless you can abuse it.
------------------------------
From: "annemitchell" <[EMAIL PROTECTED]>
Subject: check out site
Date: Sat, 20 Feb 1999 10:01:06 -0000
http://www.fis.lv/olympic
for wincrypt95
------------------------------
From: [EMAIL PROTECTED] (Frode Weierud)
Subject: Re: Naval Enigma - Extra rotor stepping an advantage?
Date: 20 Feb 1999 10:02:39 GMT
Reply-To: [EMAIL PROTECTED]
John Halliwell <[EMAIL PROTECTED]> writes:
>I've been trying to figure out the following:
>The standard Enigma used three rotors from a set of five, these rotors
>all stepped in the same positions. The Navy (U-boats at least) added
>another four, each of these stepped in different positions (to each
>other and the other five). I think?
The first five rotors, which were used in all Enigma machines, also
those of the German Army and Air Force, had their notch (turnover)
positions in different places (Y,M,D,R,H). The three Naval rotors
VI, VII and VIII had their notches at the same positions (H, U).
That the first five rotors had notches in different positions gave
them specific turnover characteristics which were used to identify
which rotor was in the rightmost, fast position. This was not
possible with the Naval rotors as they all showed the same turnover
pattern.
A weakness in the Service Enigma was the very regular turnover
mechanism. Multinotched wheels would have made the machine much
more difficult to break. This was the case with the Enigma T model,
which used wheels with five notches; however, as this machine had
no Steckers it was not as strong as it could have been.
To break the Enigma using the Bombe it was necessary to run several
menus with different turnover hypotheses. It is clear that with more
frequent turnovers this becomes extremely expensive in Bombe time, and
other methods like Multiple Grenades were devised to deal with this
sort of problem.
In the case of the Naval Enigma it was not so much the extra notch per
wheel that made a difference but rather the fact that the Naval rotors
all had the notches in the same place.
Frode
>I've read Kahn's book "Seizing the Enigma" (paperback). In it he
>mentions that Bletchly Park initially had problems due to the different
>stepping, but once they knew about it (maybe by capturing the rotors),
>it made things slightly easier. If BP knew when a rotor started to move,
>it enabled them to guess correctly the rotor (it's number and position)
>that had turned it (not sure whether to the right or left). Hope I've
>explained it in enough detail!
>My question, did this difference in the stepping ultimately make it
>easier or harder to break?
>Any ideas?
>--
>John
>Preston, Lancs, UK.
--
Frode Weierud, CERN, SL, CH-1211 Geneva 23, Switzerland
Phone : +41 22 7674794   Fax : +41 22 7679185
E-mail : [EMAIL PROTECTED]   WWW : wwwcn.cern.ch/~frode
------------------------------
From: Bryan Olson <[EMAIL PROTECTED]>
Subject: Re: New high-security 56-bit DES: Less-DES
Date: Sat, 20 Feb 1999 03:27:04 -0800
[EMAIL PROTECTED] wrote:
>
> [EMAIL PROTECTED] wrote:
> [...]
> > I never saw a reply,
>
> ;-) as I said yesterday, of course you saw my reply ...as it was done here
> ...since your "new" questions had already been answered by myself before. I
> see no need to answer twice.
[...]
> To recall, your "example" was:
>
> To which you have not answered == of course, such system does NOT even exist
> as we all know, don't we? It was an "example" out of thin air, misleading
> rather than illuminating. This lack of proper dialogue in your presentations
> has IMO confused issues even more -- to yourself.
The archives show that I directly responded, and in fact later in my
post of 16 Jan 1999 when you later said I hadn't answered, I explained
| I wrote what I intended to be
| an answer, though it's not in the form Ed requested:
[...]
So the situation is this, when I said I never saw a reply and you
said "it was done here", in fact the archive shows there was no
reply. When you said I didn't answer, in fact I did respond, and
perhaps you meant that you didn't think my response adequately
answered your objection.
> For example, in one of
> your last msgs you again claimed the impossible:
>
> |The unicity distance of English without any key is zero.
>
> and then you proceeded to "prove" it -- which of course would imply that any
> English message is unambiguously known before being even written! As I
> pointed out yesterday.
Good strategy. Edit out the theorem from Shannon that shows you're
wrong and repeat what you said with no justification.
> But, instead of recognizing the mistake in a positive
> dialogue, as you should have done also with the impossible cipher above, you
> tried now to "justify" that the message you had in mind was "" ;-)
You missed the point. It's the _only_ zero letter message. With
no key there really is zero equivocation even given zero intercepted
letters.
Read carefully Shannon's section 12 and the definition of unicity
distance on page 693. The equivocation that drops to negligible
at the unicity point does _not_ include the entropy of the portion
of plaintext beyond that recoverable from the intercepted text.
You say that a zero unicity distance would mean a message is known
before it's written. Does that mean a unicity distance of 8 means
any message is known after the first 8 letters are written? What is
uniquely determined at the unicity point is the transformation induced
by the key. Since the transformation is known, the plaintext
corresponding to the intercepted ciphertext is also known. There's no
requirement that plaintext past that point be known, whether that
point is at 8 letters or 0 letters.
> However, your "claim" about the unicity of plain English is obviously NOT
> correct -- and, as I pointed out yesterday, Shannon even calculated it in his
> paper ...but you cannot seem to find it in his text.
> So, looking to our exchange I see that I cannot help you further than
> suggesting you keep earnestly reading Shannon's paper until you convince
> yourself that:
>
> 1. the unicity of plain English is NOT zero (please, do find his value),
>
Granted, I cannot find it. Give me a citation and win the point.
Of course if you cite text where Shannon computes something other
than unicity distance, or for something other than plain English,
then the point is mine.
> 2. the concept of unicity is broader in scope than the mathematical expression
> of it in the special case of a random cipher as given by Shannon in terms of
> conditional entropies (aka, equivocation),
Who said it wasn't broader than the random cipher? It is defined
in terms of entropy or equivocation, but the definition in no way
depends on the random cipher model.
I had quoted Ed's claim:
> > : Shannon [Sha49] defined "unicity distance" (hereafter, "n") as the
> > : least amount of plaintext which can be uniquely deciphered from the
> > : corresponding ciphertext -- given unbounded resources by the attacker.
and wrote:
>> You say it's there, I say it's not. Now I challenge you to quote
>> it.
> 3. the concept of unicity was defined by Shannon as the least number of
> letters which provide a unique solution to a cryptogram under certain
> assumptions, which I did NOT diverge from except as to the term "distance",
> but summarized in http://www.mcg.org.br/unicity.htm as:
>
> ---------------BEGIN QUOTE------------------------- Shannon [Sha49] defined
> "unicity distance" (hereafter, "n") as the least amount of plaintext which
> can be uniquely deciphered from the corresponding ciphertext -- given
> unbounded resources by the attacker. The "amount" of plaintext (i.e., "n")
> can be measured in any units the user may find convenient, such as bits,
> bytes, letters, symbols, etc. Actually, Shannon used "letters" in his paper.
[...]
I challenged you to quote it from Shannon. That's a quote of
yourself.
> 4. I also showed in that paper that the current literature[...]
I don't think the point in (4) became an issue. And since we have
enough issues [...]
> 5. the unicity of a block cipher can NEVER exceed that cipher's block-size
> and that is why Bruce Schneier's and Menezes' calculations using unicity for
> DES and other block-ciphers are in error, as I showed in
> http://www.mcg.org.br/nrdes.htm
If you mean the unicity distance as Shannon defined it, then the
result is wrong. Proof: consider a cipher with a 64-bit block and
a 128 bit key, and with no equivalent keys (i.e. no two keys induce
the same mapping). If the unicity distance were one block or less,
we could transmit any 128-bit key by encrypting and sending one
64-bit block. (Hmm, I guess I should cite Shannon's definition yet
again to show that a 64-bit unicity distance does in fact mean that
64 bits intercepted text is enough to determine the key. But we all
know page 693 pretty well by now.)
> which paper I suggest you read until you convince yourself that:
>
> 6. The unicity of DES is LESS than a block-size of 8 bytes because DES is a
> random cipher only over 7 bytes and NOT over 8 bytes.
Look at the description of the random cipher. It has both a number
of messages, Shannon calls it 'T', and a number of keys, called 'k'.
DES approximates a random cipher where T=2^64 and k=2^56. If you're
talking about the key space over which DES approximates a random
cipher, then it's 7 bytes. If you're talking about the message space,
then it's 8 bytes. If you're not distinguishing between key space and
message space, then it's nonsense.
You advise me to read your work and Shannon's since I obviously don't
understand the subject. You claim to correct errors in the literature.
Well Schneier, Menezes and myself do not claim the key space of DES is
8 bytes; we do not claim the message space is 7 bytes; and we do not
confuse the two.
> 7. Due to the 56:64 dimensional reduction in DES, the probability of
> obtaining English-looking text (compressed or not) in a DES decryption with a
> wrong key is only (3~300):2^56 for one block and effectively zero for two
> blocks.
I think we agree that the (3~300) figure depends on our estimate for
the entropy of English-looking text. I'd estimate that given an
octogram without context the figure is higher than 300, but I don't
think this is a major point of disagreement.
> 8. The above two properties allow an English message (compressed or not)
> encrypted with DES to be broken by a ciphertext-only attack which
> considers at most trigram frequencies (ie, a three-letter attack) in one
> block of ciphertext, followed by a final confirmation with a second-block
> test but only for very few keys (3~300).
Granted. Which puts the unicity distance of DES/English at a little
over one block.
> BTW, this is actually how the EFF's DES Cracker works, as later private
> exchanges between myself and John Gilmore have revealed. Only that they allow
> for a couple thousand tentative messages after processing the first DES
> block, since their plaintext recognition engine favors false positives (this
> is IMO a sound design decision, since the cost of a false negative is
> higher).
They don't use even trigram frequencies. They just look at bytes,
and they only have two categories.
Note that this is also essentially the attack Schneier proposed, and
for which I calculated the expected number of trial decryptions in
my previous post. I'm still waiting to hear how your claimed speed-up
works.
> About the term "three-letter DES attack" that I use, please note that my
> cited texts are clear about the context of it -- it is a statistical
> coherence of unigrams, digrams and trigrams over the full 8 bytes of a DES
> block. It is NOT a letter-by-letter coherence of three-letters. It may not
> even use a dictionary -- it is purely a decision problem against known
> language statistics.
O.K. But you claimed that Schneier and others were wrong to state
the unicity distance of DES at about 8.2 bytes, and wrote,
: However, I will show that DES unicity is actually close to 3 bytes of
: English -- and could even be 0 byte in some systems, such as in SSL
: that contains a large fraction of known plaintext.
I want to see _that_ attack. A method that uses 16 bytes of
intercepted text _supports_ Schneier's estimate. Where are these
"wrong results" you were talking about?
(Hmmm you ridicule me for observing that the unicity distance without
any key is 0, but you had claimed that you can get 0 for 56-bit key.)
> Short of these comments, Bryan, I really cannot see how I can help further but
> insist that you read those papers and try to grasp their meaning -- which seems
> to remain a bit elusive as I can read from your postings.
>
> Particularly fruitful will be if you can clearly distinguish between the
> concept of unicity as defined in words: "the least amount of plaintext which
> can be uniquely deciphered from the corresponding ciphertext -- given
> unbounded resources by the attacker", and the mathematical formulation of it
> in the *special case* of a random cipher as given by: n = H(K)/(|M| - H(M)).
O.K., I'll try to understand your definition. I ask you to try to
grasp Shannon's definition - the amount of intercepted text such that
the equivocation of the system drops to a negligible distance from
zero. That definition is _not_ just for the random cipher. It's the
general form, and the random cipher is one model system for which we
can easily calculate an expected value.
Do you think your definition is the same? Then why do you come up
with three characters when you used 16 characters of intercepted
text?
Do you think your definition is different? Then why do you state that
it is how Shannon defined unicity distance? Why do you say the
literature is wrong when your figure disagrees?
Let's see, we have some other outstanding issues. You seemed not
to believe figures on how many DES keys we expect to induce trial
decrypted blocks of a certain form. I showed my math, and asked
you,
>> If we use
>> the all zero ciphertext, and test keys in numerical order
>> from 0000..0001, about how many keys do you think we'd have
>> to try to find 10 that decipher the zero block to a block
>> beginning "The". We don't care what the other bytes of
>> the block contain. I'd say we'll have to try about 168
>> million.
Oh, and I also asked:
>> So here's a clear, straightforward question: If we know that
>> a plaintext is English coded in ASCII and encrypted with DES and
>> only DES, how many letters of ciphertext do we need in order to
>> have a unique solution for plaintext and key with negligible
>> chance of error?
Was that 16-byte attack your best?
--Bryan
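The figures traded in this thread (the unicity formula n = H(K)/(|M| - H(M)), the 8.2-byte DES estimate, the 3~300 spurious keys, the 168 million trials, and the 128-bit-key argument) can all be reproduced from Shannon's random-cipher model. The following is an added worked example, not code from any poster; it assumes equiprobable keys, T = 2^64 blocks, and treats the per-letter entropy of English as an input estimate because the thread itself does not agree on it.

```python
"""Worked numbers for the DES unicity-distance thread (added example).

Model assumed: Shannon's random cipher with k equiprobable keys (H(K) = log2 k),
T = 2^block_bits equally likely blocks, and an input estimate of plaintext
entropy per ASCII letter (the thread disagrees on that value, so it is a parameter)."""
import math

DES_KEY_BITS = 56     # H(K): log2(k) for k = 2^56 equiprobable DES keys
DES_BLOCK_BITS = 64   # log2(T) for the 64-bit message space
ASCII_BITS = 8        # |M| per letter when English is coded in ASCII


def unicity_distance(h_key, bits_per_letter, h_letter):
    """n = H(K) / (|M| - H(M)) in letters, the random-cipher formula quoted above."""
    redundancy = bits_per_letter - h_letter
    if redundancy <= 0:
        return math.inf   # no redundancy: intercepted text never pins down the key
    return h_key / redundancy


def expected_spurious_keys(h_key, block_bits, h_block, blocks):
    """Expected number of WRONG keys whose trial decryption of `blocks` intercepted
    blocks still looks like plaintext.  In a random cipher a wrong key yields a
    uniformly random block, which lands among the 2^H(M) meaningful blocks out of
    T = 2^block_bits possible ones with probability 2^(H(M) - block_bits)."""
    p_meaningful = 2.0 ** (h_block - block_bits)
    return (2.0 ** h_key - 1) * p_meaningful ** blocks


def trials_for_prefix(prefix_bits, hits_wanted):
    """Keys to test, in order, until `hits_wanted` trial decryptions of one fixed
    block begin with a given prefix (e.g. the 24-bit ASCII string "The").  Each
    wrong key gives a random block, so hits arrive at rate 2^-prefix_bits."""
    return hits_wanted * 2 ** prefix_bits


def des_english_summary(h_letter):
    """DES on ASCII English for one per-letter entropy estimate (an assumed input)."""
    h_block = h_letter * (DES_BLOCK_BITS // ASCII_BITS)   # eight letters per block
    return {
        "unicity_letters": unicity_distance(DES_KEY_BITS, ASCII_BITS, h_letter),
        "wrong_keys_after_1_block": expected_spurious_keys(
            DES_KEY_BITS, DES_BLOCK_BITS, h_block, 1),
        "wrong_keys_after_2_blocks": expected_spurious_keys(
            DES_KEY_BITS, DES_BLOCK_BITS, h_block, 2),
    }


if __name__ == "__main__":
    # Estimates of English entropy run from about 1.2 to 2 bits/letter depending on
    # context and on what counts as "English-looking"; the thread's 3~300 is that spread.
    for h in (1.2, 1.3, 1.5, 2.0):
        s = des_english_summary(h)
        print(f"H(M)={h:.1f} bits/letter: n={s['unicity_letters']:.1f} letters, "
              f"wrong keys after 1 block={s['wrong_keys_after_1_block']:.0f}, "
              f"after 2 blocks={s['wrong_keys_after_2_blocks']:.1e}")
    # The question about ten decryptions of the zero block that begin with "The":
    print("keys to try for 10 'The' prefixes:", trials_for_prefix(24, 10))
    # The 128-bit key / 64-bit block argument: even with the plaintext block fully
    # known (H(M) = 0), about 2^64 wrong keys remain consistent with one block.
    print("wrong keys left by one block, 128-bit key:",
          f"{expected_spurious_keys(128, 64, 0.0, 1):.3e}")
```

At 1.2 bits/letter the unicity distance comes out at 8.2 letters with about 3 spurious keys after one block; at 2.0 bits/letter it is 9.3 letters with about 256, and in every case the second block leaves effectively none.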
------------------------------
From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Bruce's Feb. "CRYPTO-GRAM"
Date: Sat, 20 Feb 1999 02:02:16 -0600
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (JPeschel) wrote:
> [EMAIL PROTECTED] (wtshaw) writes:
>
> >I left it open to interpretation. It seems that anything goes on the
> >internet, even attempted identity theft; I simply draw your attention to
> >the chance of dishonesty in the situation, and offer him a way out of it.
> >--
>
> So you accuse of him of dishonesty for not coming up with a more
> clever name for his newsletter? My god, man, what are you thinking?
>
No, I have again left this open to interpretation, and please, try not to
have a hair trigger. I rather think highly of him these days for some of
what I have seen him do, but will see how he responds to the knowledge
that he is using a previously rather instituted name for those pages. As
I read through the responses, I will see how many are prematurely
defensive, or rationalize the situation rather than suggest a cure.
There are those who are rather blatant in such exercises, knowing exactly
what they are doing. I would like to think that while the title is
catchy, others were ahead of him by scores of years with it.
The most gentlemanly thing to do is to realize that language is rich
enough to come up with something really original when pointed out that an
alternative is indicated.
--
A much too common philosophy:
It's no fun to have power....unless you can abuse it.
------------------------------
From: [EMAIL PROTECTED] (Fabrice Noilhan)
Subject: Re: crypton.c
Date: 20 Feb 1999 11:44:23 GMT
According to naf <[EMAIL PROTECTED]>:
> when i compile crypton.c (available under
> www.seven77.demon.co.uk/aes.htm )
> visual c++ 6.0 returns error LNK2001 (unresolved external symbol _main)
> can anyone help me?
Well, you have to write a main function to use this encryption
algorithm!!!! This is just a module, but as it seems that you don't know
C, I suppose you won't write anything...
Fabrice
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************