Cryptography-Digest Digest #694, Volume #9       Fri, 11 Jun 99 03:13:02 EDT

Contents:
  Tom St.Dennis, Scott16 & the Chosen Plaintext Attack (JPeschel)
  Re: Does scott19u.zip make full use of it's large key size ? ([EMAIL PROTECTED])
  Re: ATTN: Bruce Schneier - Street Performer Protocol (David A Molnar)
  Street Performer Protocol and PBS (Nicol So)
  Re: ATTN: Bruce Schneier - Street Performer Protocol (Inky O. Lamer)
  Re: Cracking DES ([EMAIL PROTECTED])
  Re: Does scott19u.zip make full use of it's large key size ? (SCOTT19U.ZIP_GUY)
  Re: cracking RSA (Hideo Shimizu)
  cracking RSA ("Particle")
  Re: Cracking DES (Terry Ritter)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (JPeschel)
Subject: Tom St.Dennis, Scott16 & the Chosen Plaintext Attack
Date: 10 Jun 1999 23:56:11 GMT

Around April '97 Paul Onions posted
a possible cryptanalysis of an early
incarnation of scott16. 'Twas an adaptive
chosen plaintext attack. You can find
some of the details through DejaNews,
but I don't recall ever seeing an 
implementation of the attack. 

I noticed that Tom mentioned it would
be easier for him to "mount a chosen 
plaintext attack faster on your cipher
(Scott19u) than my simple one." I was
wondering if Tom or any one else for that
matter, might want to implement
an attack on the early version of 
scott16.  

No money involved, only, perhaps, a bit of 
prestige, thanks, a firm virtual handshake,
or a spot in the key recovery section of 
my web site.

Understanding the break should help
everyone here understand better the workings 
of the old cipher, perhaps the new 16u cipher,
and maybe scott19u. 

Anyhoo, it might be fun!

Joe

__________________________________________

Joe Peschel 
D.O.E. SysWorks                                 
http://members.aol.com/jpeschel/index.htm
__________________________________________


------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Does scott19u.zip make full use of it's large key size ?
Date: Thu, 10 Jun 1999 21:59:18 GMT

<snip>

Not true the sbox actually contains log2((2^19)!) bits of information.
Even if the message is small you will not be able to easily determine
the mapping (if special conditions are met).  I think the problem is
that there is not enough diffusion in the cipher.

> You don't seem concerned. Not using all the
> S-Box entries means that only a fraction of the
> key is being used. The effective key size used
> will not be what the user thinks. So much
> for million bit encryption. It's only that large
> when encrypting very large files.

Well if there is enough mixing in the round function chances are most
entries will be used in some unpredictable manner (have you seen my toy
cipher?).

Tom
--
PGP public keys.  SPARE key is for daily work, WORK key is for
published work.  The spare is at
'http://members.tripod.com/~tomstdenis/key_s.pgp'.  Work key is at
'http://members.tripod.com/~tomstdenis/key.pgp'.  Try SPARE first!


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.

------------------------------

From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: ATTN: Bruce Schneier - Street Performer Protocol
Date: 11 Jun 1999 00:00:01 GMT


Organization: Harvard University, Cambridge, Massachusetts
> On Thu, 10 Jun 1999 15:03:26 +0200, Mok-Kong Shen
> <[EMAIL PROTECTED]> wrote:

>>This is non-scientific way of 
>>argumentation and is not appropriate for this group.

> This newsgroup has never been particularly scientific.
I bet if we poll enough people, we can pool enough
responses to answer yes or no to the question
"was period x a golden age of scientific inquiry for
sci.crypt?" with an arbitrarily low probability of 
error. 

-David Molnar


------------------------------

From: Nicol So <[EMAIL PROTECTED]>
Subject: Street Performer Protocol and PBS
Date: Thu, 10 Jun 1999 21:10:56 -0400

[This is not really a follow-up message. I just thought this may be an
insertion point to add to the thread.]

Bruce Schneier wrote:
> 
>...

I took a cursory look at the Street Performer Protocol and found it
quite interesting.  The proposed method for raising money reminded me
of... uh... PBS during pledge drives.

Nicol

------------------------------

From: [EMAIL PROTECTED] (Inky O. Lamer)
Subject: Re: ATTN: Bruce Schneier - Street Performer Protocol
Date: Fri, 11 Jun 1999 01:22:15 GMT

[EMAIL PROTECTED] (Bruce Schneier) wrote:

>This newsgroup has never been particularly scientific.

Ouch! You're attacking the entire sci.crypt newsgroup?

------------------------------

Date: Thu, 10 Jun 1999 09:44:09 -0400
From: [EMAIL PROTECTED]
Subject: Re: Cracking DES

Greg Bartels wrote:
> 
> I remembered to check my bookshelf last night, but then forgot to bring
> the
> book in this morning. the name of the book is "Cracking DES", not
> "Breaking DES", as I had thought. must have been some bit flipping going
> on in the brain.
> 
> it was published by the Electronic Frontier Foundation.
> http://www.eff.org
> it contains a foreword by Whitfield Diffie, which says,
> 
> "It ("Cracking DES") describes a computer built out of custom
> chips. A machine that 'anyone' can build; from the plans it presents
> --- a machine that can extract DES keys in days at reasonable prices,
> or hours at high prices. With the appearance of this book and the
> machine it represents, the game changes forever. It is not a question
> of whether DES keys can be extracted by exhaustive search; it is a
> question of how cheaply they can be extracted and for what purposes."
> 
> Since I forgot to bring in the book, I can't remember the
> specifics, but I think a million bucks would build a machine that
> would crack a DES key in an hour or two. multiply the value of the
> key times the length of time you want to run the machine, and you
> can probably easily recover the cost of building the machine.
> 
> 3DES may be more secure, but it seems to me that the old claims
> of 1DES would take more time to crack than the universe is old
> and then the reality of a million bucks and a couple hours,
> makes me question any claims about 3DES, which just uses
> the exact same algorithm, and just runs it three times.
> 
> is there no serious contender for a block algorithm that
> would provide security against the next century or so of cracking
> advances?
> is there nothing being worked on to replace DES?
> what is this newsgroup for if not that?

A cipher algorithm can be weak in several orthogonal ways.  Two of the
principal areas to consider are algorithmic weakness and key size. 
Algorithmic weakness implies that there exists a method to recover
plaintext from cipher text that is faster than brute force.  DES is not
known to be algorithmically weak.

Key size weakness implies that brute force is "too easy".  Flame wars
are fought over the definition of "too easy", but consensus is that
DES's keys were too small even when it was first released.

Note that algorithmic weaknesses scale linearly.  I.e. if you double the
number of algorithms you double the amount of work for an adversary
(Ritter and others have suggested that this may not be true, for this
topic it is true.)

Key weakness does not scale linearly.  If you double the key size (which
is the usual technique for 3DES) you do much more than double the
adversary's workload.  "Just running it three times" does not increase
the security by a factor of three.  It increases it by a factor of 2^56. 
So if you buy a super-duper one minute DES cracker, you need 2^56
minutes to crack 3DES with it.

That's not weak.
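An added example, written for this digest and not taken from the poster's
message: the caveat a practitioner wants next to the "run it three times"
argument is that double encryption buys almost nothing against a
meet-in-the-middle attack, which trades a table of 2^k entries for a
2^(2k) search, and is the reason the construction is triple rather than
double (three-key 3DES is credited with about 2^112 work, not 2^168).
The code below shows the attack on a toy 32-bit Feistel cipher with a
16-bit key, chosen so the whole search runs in seconds; the cipher, its
round function and the sample plaintexts are constructed here and stand in
for DES only in the sense that the argument is about key length.

```python
"""
Meet-in-the-middle against double encryption (added example).

Toy 32-bit Feistel network with a 16-bit key.  Double encryption
E_k2(E_k1(P)) nominally has a 32-bit key, but the attack below recovers
(k1, k2) with about 2 * 2^16 cipher operations and a 2^16-entry table.
"""
MASK16 = 0xFFFF
KEY_BITS = 16
ROUNDS = 4


def _f(x, rk):
    """Non-linear round function on a 16-bit half block (constructed)."""
    x = (x ^ rk) & MASK16
    x = (x * 0x9E37) & MASK16
    x ^= x >> 7
    return ((x << 5) | (x >> 11)) & MASK16


def _round_keys(key):
    """Derive ROUNDS 16-bit round keys: rotate the key, XOR a constant."""
    return [(((key << (3 * i)) | (key >> (16 - 3 * i))) & MASK16)
            ^ ((0x9E37 * (i + 1)) & MASK16) for i in range(ROUNDS)]


def _encrypt_rk(block, rks):
    L, R = block >> 16, block & MASK16
    for rk in rks:
        L, R = R, L ^ _f(R, rk)
    return (L << 16) | R


def _decrypt_rk(block, rks):
    L, R = block >> 16, block & MASK16
    for rk in reversed(rks):          # undo each round in reverse order
        L, R = R ^ _f(L, rk), L
    return (L << 16) | R


def toy_encrypt(block, key):
    return _encrypt_rk(block, _round_keys(key))


def toy_decrypt(block, key):
    return _decrypt_rk(block, _round_keys(key))


def double_encrypt(block, k1, k2):
    """'Run it twice': E_k2(E_k1(P)) with a nominal 2*KEY_BITS-bit key."""
    return toy_encrypt(toy_encrypt(block, k1), k2)


def meet_in_the_middle(pairs):
    """
    Recover candidate (k1, k2) from known (plaintext, ciphertext) pairs.
    Forward half: tabulate E_k1(P) for every k1.  Backward half: for every
    k2 compute D_k2(C) and look it up.  Two pairs give a 64-bit filter, so
    false matches among the 2^32 key pairs are vanishingly rare.
    Returns (candidates, number_of_cipher_operations).
    """
    table = {}
    ops = 0
    for k1 in range(1 << KEY_BITS):
        rks = _round_keys(k1)
        mids = tuple(_encrypt_rk(p, rks) for p, _ in pairs)
        ops += len(pairs)
        table.setdefault(mids, []).append(k1)
    candidates = []
    for k2 in range(1 << KEY_BITS):
        rks = _round_keys(k2)
        mids = tuple(_decrypt_rk(c, rks) for _, c in pairs)
        ops += len(pairs)
        for k1 in table.get(mids, ()):
            candidates.append((k1, k2))
    return candidates, ops


def run_demo(k1=0xBEEF, k2=0x1234):
    """Attack a constructed key pair; compare the cost with naive search."""
    plaintexts = [0xDEADBEEF, 0x01234567]            # constructed sample input
    pairs = [(p, double_encrypt(p, k1, k2)) for p in plaintexts]
    candidates, mitm_ops = meet_in_the_middle(pairs)
    naive_ops = (1 << (2 * KEY_BITS)) * 2            # 2 cipher calls per trial
    return {"candidates": candidates, "found": (k1, k2) in candidates,
            "mitm_ops": mitm_ops, "naive_ops": naive_ops}


if __name__ == "__main__":
    result = run_demo()
    print("found:", result["found"])
    print("meet-in-the-middle cipher ops:", result["mitm_ops"])
    print("naive double-encryption ops:  ", result["naive_ops"])
```

The same bookkeeping carries over to real key sizes: against three-key
triple encryption the table holds 2^k entries and the search runs over
2^(2k) pairs, so the attacker's exponent is 2k, not 3k.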

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Does scott19u.zip make full use of it's large key size ?
Date: Fri, 11 Jun 1999 02:54:30 GMT

In article <7jpc30$u60$[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:

>BTW have you ever stopped to think the large sbox kills the cache?  It
>will almost certainly run slower than anything else (Blowfish/Rc5 for
>example) on pentium cpus.

 I guess that I am more worried about actual encryption than a dead cache.

>
>>    What are you talking about? Can you show any real examples
>> of this occurring?
>
>It is possible to have some condition which will cancel out.  Which
>means that Cn = ... will return to what it was supposed to.  This means
>the error will not propagate (cause it only uses Cn-1).  If this is not
>possible the cipher is not bijective!

   I guess this means you don't have a good example.

>
>>    When a single bit changes in the input file you go to get
>> a different slot in the S table That slot can point to anything
>> but itself and the what the original value the S-box pointed to. So
>in effect
>> you start a change there and it propagates down that pass and
>> then comes back to the top to change the following 24 passes.
>
>No you most likely get a change, you will not always get a 'huge'
>change in the block.

    I have yet to see it cause anything other than a huge change
again you flap your jaws but can you provide an example where
a one bit change in a file will not make huge changes in the
whole encrypted file. I think you can't. You just like to think you
can when in reality you don't know what the hell you're talking about
again "SHOW ME AN EXAMPLE"

>
>I will give you the glory and say 'I cannot break your cipher' however
>I have found some weakness which someone else could probably exploit.
>BTW your challenge is useless because I would have to mount a
>chosen/known plaintext attack to guess the sbox contents.  There are
>some flaws in your cipher
>
>1. memory usage
 The fact it use a large memory does not mean its weak in fact
if all else is not considered it would most likely be better by this
weighting factor alone.
>2. speed
 again with more time one can in general get more security
all else being equal. But as above this may be too hard for you
to understand.
>3. It's static only
  You get me what the hell do you mean?
>4. Hard to explain
  Well again if it is so damn hard to explain why do you think you
know that it is weak. Kid grow up.
>
>Tom


David A. Scott
--
                    SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
                    http://www.jim.com/jamesd/Kong/scott19u.zip
                    http://members.xoom.com/ecil/index.htm
                    NOTE EMAIL address is for SPAMMERS

------------------------------

From: Hideo Shimizu <[EMAIL PROTECTED]>
Subject: Re: cracking RSA
Date: Fri, 11 Jun 1999 11:38:19 +0900

The situation you mentioned is investigated by J. Hastad.
Good summary of attacking history on RSA by D. Boneh is found at
http://theory.stanford.edu/~dabo/pubs.html .

Hideo Shimizu, TAO Japan

------------------------------

From: "Particle" <[EMAIL PROTECTED]>
Subject: cracking RSA
Date: Thu, 10 Jun 1999 22:20:26 -0400

I'm getting to the point of thinking about public keys,
and would like to know a few things about the
security of RSA in different situations.

situation: I have the same plain text encrypted
with many different public keys. I have access to dozens
of these ciphertexts (one for each public key used),
and know that it is the same encrypted plain text.

Does it make it possible (or at least easier <how
easier?>) for me to figure out the plain text given
dozens of these ciphertexts?

Does it make it easier for me to figure out at least
one secret key for any one of these public keys?

If I know the same plain text, and then it is encrypted
using these many public keys, is it easier to figure
out any of the secret keys?

thanks

--
Particle
[EMAIL PROTECTED]
http://www.geocities.com/SiliconValley/Way/7650
Home of the Java Data Structures 2nd Edition.
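An added example for the question above and for Shimizu's pointer to
Hastad: it is not from either poster. With textbook RSA (no randomised
padding) and a small public exponent, the same message sent to e
recipients with distinct moduli leaks the message itself: the CRT combines
the e ciphertexts into m^e over the integers, and an integer e-th root
gives m. It does not yield any private key. The keys, the message and the
toy padding scheme in the code are constructed for the demonstration, and
the second half of the demo shows why per-recipient random padding (the
job PKCS#1 or OAEP padding does) stops the attack.

```python
"""
Hastad's broadcast attack on textbook RSA with e = 3 (added example).

Same message m, three recipients with distinct moduli n_i, no padding.
Since m < min(n_i), m^3 < n_1*n_2*n_3, so the CRT value of the three
ciphertexts is m^3 as an integer and a cube root recovers m.
"""
import random
from math import gcd, prod


def is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin with `rounds` random bases (constructed key generation)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng, e):
    """Random `bits`-bit prime p with gcd(e, p-1) == 1 so e is usable."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if gcd(e, p - 1) == 1 and is_probable_prime(p, rng):
            return p


def rsa_keygen(bits, rng, e=3):
    """Return (n, e) for a fresh modulus of about `bits` bits."""
    p = gen_prime(bits // 2, rng, e)
    q = gen_prime(bits // 2, rng, e)
    while q == p:
        q = gen_prime(bits // 2, rng, e)
    return p * q, e


def crt(residues, moduli):
    """Chinese remaindering for pairwise coprime moduli."""
    n_all = prod(moduli)
    x = 0
    for r, n in zip(residues, moduli):
        n_other = n_all // n
        x += r * n_other * pow(n_other, -1, n)
    return x % n_all


def iroot(x, k):
    """floor(x ** (1/k)) for non-negative integers via Newton iteration."""
    if x < 2:
        return x
    r = 1 << ((x.bit_length() + k - 1) // k)       # starts above the root
    while True:
        y = ((k - 1) * r + x // pow(r, k - 1)) // k
        if y >= r:
            return r
        r = y


def hastad_broadcast(ciphertexts, moduli, e=3):
    """
    Recover m from e ciphertexts of the same m under e distinct moduli.
    Returns None when the combined value is not a perfect e-th power,
    which is what happens when each recipient's copy was padded differently.
    """
    if len(ciphertexts) < e:
        raise ValueError("need at least e ciphertexts")
    m_e = crt(ciphertexts[:e], moduli[:e])
    m = iroot(m_e, e)
    return m if pow(m, e) == m_e else None


def run_demo(seed=1, modulus_bits=512):
    """Constructed scenario: one message, three e=3 keys, with and without padding."""
    rng = random.Random(seed)
    keys = [rsa_keygen(modulus_bits, rng) for _ in range(3)]
    moduli = [n for n, _ in keys]
    m = int.from_bytes(b"the same message to everyone", "big")   # constructed
    cts = [pow(m, e, n) for n, e in keys]
    recovered = hastad_broadcast(cts, moduli)
    # Same m, but each copy gets 128 fresh random padding bits first
    # (a stand-in for PKCS#1 / OAEP): the three plaintexts now differ.
    padded = [(m << 128) | rng.getrandbits(128) for _ in keys]
    cts_padded = [pow(mp, e, n) for mp, (n, e) in zip(padded, keys)]
    return m, recovered, hastad_broadcast(cts_padded, moduli)


if __name__ == "__main__":
    m, rec, rec_padded = run_demo()
    print("unpadded: recovered ==", rec == m)
    print("padded:   recovered ==", rec_padded)
```

The precondition is m^e < n_1 ... n_e, which is automatic for e copies
under e moduli of similar size; with many more ciphertexts than e, any e
of them suffice. Hastad's full result also covers fixed (non-random)
padding that differs per recipient, but that needs lattice methods rather
than the plain root extraction shown here.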




------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Cracking DES
Date: Fri, 11 Jun 1999 04:03:44 GMT


On Thu, 10 Jun 1999 09:44:09 -0400, in <[EMAIL PROTECTED]>,
in sci.crypt [EMAIL PROTECTED] wrote:

>[...]
>Note that algorithmic weaknesses scale linearly.  I.e. if you double the
>number of algorithms you double the amout of work for an adversary
>(Ritter and others have suggested that this may not be true, for this
>topic it is true.)

Well, you lost me there.  

There are several different effects to having multiple ciphers:  One
effect is that each cipher must be detected, acquired, attacked, and
broken for future use (if possible).  So the more ciphers there are,
the more effort which must be expended, and this is linear.

Another effect of multiple ciphers is that the universe of information
is partitioned into multiple channels, which means that the reward for
breaking any cipher is proportionately less.  The more ciphers there
are, the less information any one of them can expose, and this is also
linear.  

So for n ciphers, we have n times the attack effort, and 1/n reward
for any success, which makes the reward/effort ratio 1/n**2.  This is
not linear, and that should make the attack business somewhat more
discouraging.  

And then if we have only one cipher, we are not going to be changing
ciphers.  So if that cipher has an ongoing break, continuing to
encipher our data may be only a hopeless delusion.  We cannot expect
to know if our cipher is broken.  Consequently, it makes sense to
change ciphers frequently, and thus terminate any ongoing break.
Exactly what is the benefit ratio of having multiple ciphers, if the
cipher we would otherwise use is in fact broken in practice?  

I do not claim that all ciphers are weak.  I do claim that we cannot
know which ciphers are strong.  

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
