Cryptography-Digest Digest #763, Volume #9 Thu, 24 Jun 99 19:13:02 EDT
Contents:
Re: one time pad (Leejay Wu)
Re: Weakness of split PGP keys? ("Noah Salzman")
TeraPi (Greg Ofiesh)
Re: one time pad ("Douglas A. Gwyn")
Re: On an old topic of internet publication of strong crypto (David A Molnar)
Re: one time pad (William Tanksley)
Re: TeraPi ("Serge")
Re: one time pad (William Tanksley)
Re: one time pad (Terry Ritter)
Re: one time pad (William Tanksley)
Re: A different method of encryption (John Savard)
Re: Kryptos article ("Douglas A. Gwyn")
Re: ElGamal without exponent reduction? (Bodo Moeller)
Re: one time pad ("Douglas A. Gwyn")
Re: one time pad (Jerry Coffin)
Re: one time pad ("Douglas A. Gwyn")
Re: What is the recommended maximum length of the MIDI cable between sequencer and
controller? ("rosi")
----------------------------------------------------------------------------
From: Leejay Wu <[EMAIL PROTECTED]>
Subject: Re: one time pad
Date: Thu, 24 Jun 1999 16:49:54 -0400
Excerpts from netnews.sci.crypt: 24-Jun-99 Re: one time pad by Greg
[EMAIL PROTECTED]
> You have a candidate message for which the odds are (equal to all other
> candidates) one in astronomical odds and the pattern of the pad segment
> that is required from the cipher stream is all 0's, also one in
> astronomical odds. Does this seem to you more than a coincidence? And
> therefore a weakness?
aaaaaaaaaaaaaaaaaaigh.
(popping in with a cheesy example...)
No, it doesn't help you in the general case.
(limiting ourselves to base 26, simply for convenience, using the obvious
mapping with A=0... WLOG.)
Example: If you've got "ciphertext" as
USECHEESEWHIZ
Well, using a key of all ((char) A)'s, that'd turn out to be the obvious.
However.. it could also be
cipher  U  S  E  C  H  E  E  S  E  W  H  I  Z
     # 20 18  4  2  7  4  4 18  4 22  7  8 25
plain   U  S  E  M  A  Y  O  N  N  A  I  S  E
     # 20 18  4 12  0 24 14 13 13  0  8 18  4
==============================================
key     A  A  A  Q  H  G  Q  F  R  W  Z  Q  V
     #  0  0  0 16  7  6 16  5 17 22 25 16 21
And, if the source of randomness used is truly IID etc, there is *absolutely*
no reason that AAAAAAAAAAAA and AAAQHGQFRWZQV would not occur with equal
probability; your priors should indicate that *any* two equal-length keys
from a true randomness generator should have equal probability.
Think about it. Flip a fair, ideal coin, say, three times in a row. HHH is
just as likely as HTH, and so forth, and so is TTH. The odds that it'll be
a 2-1 split vs. a 3-0 split are not equal, but the exact sequence is
random...
Now, you can derive *any* message given the "correct" key; simply use
subtraction/xor/whatever method is involved. All those keys have equal
probability, given a truly random source. Therefore, you cannot determine
which message is correct based upon the ciphertext alone if that's all ya
got.
If you somehow *know* that the encoding randomness source has certain
properties (such as: it was designed to "avoid" certain patterns, or
that it was operated by a person who has preferences for certain
letters, etc), *then* you might gain; otherwise, no.
--
| [EMAIL PROTECTED] | the silly student |
|--------------------------| he writes really bad haiku |
| #include <stddiscl.h> | readers all go mad |
------------------------------
From: "Noah Salzman" <[EMAIL PROTECTED]>
Subject: Re: Weakness of split PGP keys?
Date: Thu, 24 Jun 1999 13:20:39 -0700
X of Y total shares is just as incomplete as 0 of Y shares. See page 529 in
Schneier's "Applied Cryptography."
Anonymous <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Hi There.
> Say I have a PGP key which has been created with PGP 6.0.2, and is split
> into 20 parts. If 19 of these parts are known to an attacker, is the key
> any less secure than if say only one part was known?
>
> Thanks.
>
------------------------------
From: Greg Ofiesh <[EMAIL PROTECTED]>
Subject: TeraPi
Date: Thu, 24 Jun 1999 20:36:39 GMT
I had such good feedback on one time pad that I think I will venture to
propose a new encryption strategy for your amusement and critique. I
call it TeraPi.
1. Take two million digits of pi and from that form one million bytes.
2. Take that one million bytes and form one million pages, each page
holding the exact same bytes, but arranged differently from any other.
Specifically, the sequence is defined as:
page 0: X0, X1, X2,...Xn-1;
page 1: X0, X2, X4,...Xn-2, X1, X3,...Xn-1;
page 2: X0, X3, X6,...Xn-3, X1, X4,...Xn-2, X2, X5,...Xn-1
...
page n-2:X0, Xn-1, Xn-2,...X1
page n-1: same as page 0
At this point you have one tera byte of values in which no pattern
repeats and each byte is of a subset of all possible byte values, 100
possible in all (as opposed to 256).
3. Publish this tera byte "pad". Make it well known.
4. Use a passphrase of any size to build keys from. Each key is an
index into the terabyte pad (40 bits in size).
5. Each key is generated from bits 0-5 of each character in the
passphrase (8 characters per key).
6. Encrypt the message with the pad segment beginning with the first
key. Use XOR or ADD (something simple).
7. Take the resulting cipher stream and encrypt it with the next key.
8. Continue until all keys are exhausted.
9. Add in simple code to produce some avalanche effect to help hide any
weaknesses in key choice or pad segments.
Issues:
Key space could be narrowed due to English language restrictions on
letter sequencing. While the key can be anything, the greater weight
must be given to this scenario and tried first. Assuming that the key
space is narrowed, by how much? Perhaps from 2^40 to 2^20?
Benefits:
The pad can be represented by 1M of disk space and an indexing
algorithm to form virtual pages. The code can sit on a floppy.
I submit that the only form of attack would be via exhaustive key space
search, and that the key space to be searched will grow exponentially
with each key used. Even if the key space for a single key is limited
to 2^20, for 10 keys, this yields 2^200 combination of keys and 2^199
that must be tested and tried on average before the message is
revealed. Furthermore, the number of keys is a secret as well as the
key values, further complicating an attack.
What say all of you?
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: one time pad
Date: Thu, 24 Jun 1999 21:43:02 GMT
Greg Ofiesh wrote:
> And this is one good example. In another post, I point out that I
> realize now that randomness is not the issue but building a pad
> without any long term patterns is important.
Then you "realize" the exact opposite of the truth.
------------------------------
From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: On an old topic of internet publication of strong crypto
Date: 24 Jun 1999 21:19:36 GMT
[EMAIL PROTECTED] wrote:
> duplicators). Would you believe in a country where it was illegal to
> assemble much less publish a phone book? That's a reference book
> containing phone numbers. A reference book containing cryptological
Actually, it is against university policy here to attempt to
assemble phone information in a fashion that can be easily searched.
There is an official phone book accessible via "ph" and print, but
massive queries (as in "ph a*" followed by "ph b*" etc) attract
unwelcome attention. I think the rationale is that easy searches
allow for spamming and other unfortunate activities.
Plus the data belongs to the university, anyway.
(I'm not sure how much irony should be attached to that sentence)
Looks like another application for private information retrieval.
-David
------------------------------
From: [EMAIL PROTECTED] (William Tanksley)
Subject: Re: one time pad
Reply-To: [EMAIL PROTECTED]
Date: Thu, 24 Jun 1999 21:58:02 GMT
On Thu, 24 Jun 1999 06:48:58 GMT, Greg Ofiesh wrote:
>> Not true -- utter urban legend. PI has noticeable statistical trends,
>> and it's very well approximated by very simple functions.
>I thought Statistical randomness meant:
>> >is meant that the digits are generally well distributed, and that they
>> >occur approximately as often as each other- that 1' occur as
>> >frequently, as 2's which occur as frequently as..., you get the idea.
>Are you certain that this definition is not correct? Is this not what
>you call statistical trends? i.e.- even distribution.
Even distribution is one possible statistical measure. So's the average
value of all the digits in the number. So's the minimum digit. Or the
RMS of the digits.
A statistic is to a series of numbers what a fingerprint is to a person.
You might suspect that a particular Go master had been playing using your
set of Go stones because of a partial fingerprint on one of them, but that
fingerprint in and of itself won't play a decent game of Go. Or even
chess. You need to play against the person to know.
--
-William "Billy" Tanksley
Utinam logica falsa tuam philosophiam totam suffodiant!
:-: May faulty logic undermine your entire philosophy!
------------------------------
From: "Serge" <[EMAIL PROTECTED]>
Subject: Re: TeraPi
Date: Fri, 25 Jun 1999 01:42:55 +0400
>Even if the key space for a single key is limited
> to 2^20, for 10 keys, this yields 2^200 combination of keys and 2^199
> that must be tested and tried on average before the message is
> revealed.
This method demands very long passphrases. For 10 keys you must type 80
characters. That is enough to encrypt the message with, for example, IDEA, 4 or
5 times with different keys.
Regards,
Serge.
------------------------------
From: [EMAIL PROTECTED] (William Tanksley)
Subject: Re: one time pad
Reply-To: [EMAIL PROTECTED]
Date: Thu, 24 Jun 1999 22:14:02 GMT
On Thu, 24 Jun 1999 16:42:54 GMT, Greg Ofiesh wrote:
>> > How many aeons did you say you had to look through this list?
>> It's irrelevant. The point is that as long as 100 0xa7's in a row is
>> exactly as likely as any other sequence of 100 characters, the
>> attacker has no better idea that this particular decryption is valid
>> compared to all the others that his criteria says are plausible.
>This is exactly what I disagree with. First, the odds that 100 0xa7's
>would occur are astronomical. Then the fact that a valid candidate
>would match anything is astronomical (since they all have 1 in
>astronomical chances). But then you combine the two and you have
>astronomical squared. That has got to give weight, don't you think?
Sure does -- but it would give equal weight to ANY possible sequence. I
mean, let's suppose that you decided that PI was an improbable sequence
(obviously, it's exactly as unlikely as all 0xa7s). Your argument applies
to its cyphertext in exactly the same way. By extension, it applies to
ALL of the keystreams you can imagine, and gives them ALL equal weight.
Finally, I already covered this, but you point out that the odds of a huge
stream of 0xa7s occurring in a random stream are so low as to be
negligible. Doesn't that mean that you are being bizarrely foolish to
choose such an impossible key as your first guess?
In fact (of course), since all keys are equally astronomically improbable,
choosing ANY of them as the first key to try is "bizarrely foolish".
In other words, attempting to crack such a large keyspace by sequential
brute force is bizarrely foolish. QED.
But let's suppose you found a way to generate all the possible cracked
texts at once (in parallel), thus avoiding the opprobrium of your peers
as a 'fool'. Now, is there a reason why you should look at the texts
which happened to have a patterned key? In short, NO, because once again,
all of the patterns and non-patterns are exactly equally unlikely.
--
-William "Billy" Tanksley
Utinam logica falsa tuam philosophiam totam suffodiant!
:-: May faulty logic undermine your entire philosophy!
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: one time pad
Date: Thu, 24 Jun 1999 22:01:23 GMT
On Thu, 24 Jun 1999 04:34:00 -0400, in <[EMAIL PROTECTED]>,
in sci.crypt [EMAIL PROTECTED] wrote:
>Terry Ritter wrote:
>>
>> On Wed, 23 Jun 1999 18:06:41 GMT, in <7kr7n8$dva$[EMAIL PROTECTED]>, in
>> sci.crypt [EMAIL PROTECTED] wrote:
>>
>> >I would like to put forth the following claims
>> >and if anyone would care to comment, disprove,
>> >etc., I would appreciate it. I thought I knew
>> >some things (being new to cryptography), but a
>> >patient individual helped me see I have more to
>> >learn. He suggested I come to Deja, so here I am.
>> >
>> >1. One time pads, when implemented, deployed, and
>> >used correctly are the only known cipher that
>> >guarantees the security of the plain text over a
>> >non secured media. (Physical security is assumed
>> >for this discussion.)
>>
>> False. The key word here is "guarantees." Unless we have a proof
>> which applies in practice, there can be no such "guarantee" in a
>> realized cipher.
>>
>> The OTP which is "proven" secure is the *theoretical* OTP which
>> assumes and thus "uses" a perfect theoretical random keystream. Alas,
>> a theoretical OTP can only "protect" theoretical data. When we get
>> into the real world, we have to measure what we have and guarantee
>> that the theoretical assumptions are met in practice. But that is
>> impossible.
>>
>> If we have some known plaintext, all it takes to enter the OTP is to
>> have a relationship in the keystream such that some future bits can be
>> predicted from past bits. (This could be some sort of correlation
>> between bits or multi-bit symbols.) We have tests which check for
>> particular correlations, but we have no test which can prove that no
>> such correlation exists. Thus we have no proof of strength.
>>
>> Even if we had ideal measures, our concepts of randomness and entropy
>> are statistical: even good results refer only to the body of data
>> tested, not previous data, not subsequent data, and not even each and
>> every byte of the test. Individual bytes could leak information, yet
>> the overall sequence might still be measurably random (whatever that
>> might mean). But if we leak *any* information, then, clearly, our
>> "guarantee" is something less than one might expect.
>>
>> One approach to a solution might be to build a physically-random
>> device which cannot be incorrectly built, cannot fail to perform,
>> cannot be damaged in an undetectable way, and will meet every possible
>> test for randomness, even if we have not yet defined those tests.
>> Then we could say that our device was "provably random," which would
>> imply a security proof for an OTP using such a device as a keystream
>> generator. In my opinion, any attempt to build such a device would be
>> a foolish quest.
>>
>> On the other hand, I am willing to believe that a well-designed,
>> well-constructed, and well-tested physically-random RNG could be very
>> secure indeed. The difference is that we have no absolute *proof*.
>> And that places the OTP firmly into the body of ciphers we know.
>
>Terry, I tend to agree with you about the fallaciousness of assigning
>relative strengths to ciphers, but this usage of the term proof is
>probably not a good one. It implies a mathematical level of proof.
>Note that we have no equivalent proof that the earth is not flat. We
>could inhabit a strange hyperbolic space with the speed of light varying
>with distance from the center of the earth.
I disagree. We have evidence. We draw conclusions. That is logic,
and that is mathematics.
>But we do have empirical proof. Both the flat earth scenario and the
>insecure OTP scenario can be addressed in terms of a lesser standard of
>proof.
It is true that I disagree with the term "proof" in cryptography
meaning anything other than absolute, guaranteed certainty. We might
have "indications" and "evidence," but I see "proof" as the result,
not the process.
My reason for this is that we see in practice, over and over and over
again, a claim of proven strength, based on something less than
absolute proof, and then find the result wanting. In this field I
claim we dare not accept less than true absolute proof.
And I do *not* accept that we have "empirical proof" of OTP strength.
>The legal system uses "preponderance of evidence", "proof beyond
>a reasonable doubt" etc. to set standards less than mathematically
>rigorous. BY YOUR OWN ARGUMENTS, waiting for a rigorous mathematical
>proof of cipher strength, even OTP strength, is a waste of time.
Yet we find, over and over again, that people *insist* that OTP
strength *is* mathematically proven. It is *their* argument -- not
mine -- which drags in the unassailable quality of "proof." They
*want* the absolute definition; they need it to make their point: For
if they accept proof as being less than absolute, they find the OTP
back with all the rest of the ciphers by their own definition. That
is not what they want. They want absolute certainty for a practical
cipher, and cannot believe that it is just not available.
>The standard of proof referred to in "provably secure" is not that of
>mathematical rigor applied to all aspect of the implementation.
The original proposition was that we assume "correct" implementation
and deployment. My position is that there *can* be no such thing. We
*cannot* achieve a "correct" implementation of the provably secure
cipher. When we try, we get something else.
>It is,
>instead, a proof that IFF you have a good pad you have security ghod
>cannot defeat. This is a useful conclusion because building a good pad
>is feasible whereas building a non-crackable cipher system is
>problematic.
Alas, we also *cannot* know whether a pad is "good" or not. Any pad
we create may have some predictable pattern of which we are unaware.
No tests can assure us otherwise. We use any pad at all at risk of
failure when our opponents find something we missed.
We have no proof because there really *is* no proof. These are not
just word games. Our supposedly invulnerable OTP might fail and we
probably would never know, and would go on using that same failing
cipher, all while claiming it to be invulnerable. *That* is the
consequence of having no proof.
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
From: [EMAIL PROTECTED] (William Tanksley)
Subject: Re: one time pad
Reply-To: [EMAIL PROTECTED]
Date: Thu, 24 Jun 1999 22:16:28 GMT
On Thu, 24 Jun 1999 18:36:28 GMT, Greg Ofiesh wrote:
>odds of being correct). But when you have one astronomical event
>coincide with another, that cannot be coincidence. Thus patterns to
>What say you?
You don't understand that the prime rule of statistics is that
astronomical events HAPPEN. It's unlikely that I should collide with a
particular air molecule, but I just did.
--
-William "Billy" Tanksley
Utinam logica falsa tuam philosophiam totam suffodiant!
:-: May faulty logic undermine your entire philosophy!
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: A different method of encryption
Date: Thu, 24 Jun 1999 22:07:21 GMT
[EMAIL PROTECTED] wrote, in part:
>I suppose I probably could have found the answers to these and many
>more questions if I read the faq, but somehow this seems more direct.
>Thanks in advance!
Well, the reason that I was less than gentle with you is because with
paragraphs like this in your original post:
>(Before going on, I must note that the reader will have the most to
>gain from this text if he/she has an active comprehension of
>mathematics and a basic understanding of the logic behind information
>theory. Some fundamental knowledge of the C++ and BASIC programming
>languages, including the concepts of indirection and subscripting, is
>also recommended.)
I kind of expected that you had some background. If you are also
interested in cryptography, I find it astonishing that you had not
read some books (or even encyclopedia articles, but actually the
Britannica is the only one with a decent article on this) on the
subject, never mind the FAQ for this newsgroup. That you had not heard
of the one-time-pad, not to mention Vigenere encryption, was
surprising, to say the least.
Of course, if one accepts that, it isn't surprising that you might not
realize the degree to which security is compromised by repeating the
key.
John Savard ( teneerf<- )
http://members.xoom.com/quadibloc/crypto.htm
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Kryptos article
Date: Thu, 24 Jun 1999 22:38:15 GMT
Jim Gillogly wrote:
> In addition, I've just been told that some of the letters on the
> sculpture are in italics.
Hm, you'd think I would have noticed something like that.
Now that we know where the real "message breaks" are,
I wonder if there is any indication of them on the sculpture,
such as a slightly wider inter-letter spacing or whatever.
------------------------------
From: [EMAIL PROTECTED] (Bodo Moeller)
Subject: Re: ElGamal without exponent reduction?
Date: 24 Jun 1999 22:47:24 GMT
Safuat Hamdy <[EMAIL PROTECTED]>:
> G: generator
> a: secret value
> A: public value G^a
>
> and for the signature
>
> k: secret random value
> R: G^k
> and
> s = a h(m) + k g(R) mod n (*)
>
> where h is a hash-function, n is the group order, and g is a (public)
> mapping from the elements of the group to Z (the integers). The signature
> is (s, R).
>
> For the verification, check that
> G^s = A^h(m) R^g(R)
> holds.
>
> Now suppose that the reduction mod n in (*) is omitted. Except that the
> size of s would be larger, can anybody see whether this would be harmful?
Each signature provides the attacker with an equation
s_i = a * h_i + k_i * g_i
where s_i, k_i, and g_i are known. At first sight, the number of
equations k will always be less than the number of unknowns
(a, h_1, ..., h_k), but the attacker can reduce each equation modulo
g_i, or modulo some factor f_i thereof, giving
s_i = a * h_i mod f_i,
and thus (if f_i can be so chosen as to make h_i invertible)
a = s_i / h_i mod f_i.
Obtain enough samples, use the Chinese Remainder Theorem, and you
have a.
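The attack sketched above, as an added worked example (my code, not the poster's). Everything concrete here is an assumption chosen for illustration: a toy group Z_P^* with P = 1000003 (so n = P - 1), base element G = 5, h(m) = SHA-256 of the message reduced into [1, n-1], and g(R) = R, the integer representative of the group element. The attacker sees each signature (s_i, R_i) and the message, so knows s_i, h(m_i) and g(R_i); because s_i was never reduced mod n, reducing it modulo a factor f_i of g(R_i) that is coprime to h(m_i) leaves a mod f_i, and the Chinese Remainder Theorem combines these residues until the combined modulus exceeds n.

```python
from math import gcd
import hashlib
import random

# Toy parameters (assumptions for this example; not from the post or any standard).
P = 1_000_003          # prime modulus of the toy group Z_P^*
N = P - 1              # group order n
G = 5                  # public base element (the attack does not care whether it generates the group)


def h(m: bytes) -> int:
    """Hash-to-integer stand-in: SHA-256 reduced into [1, N-1]."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % (N - 1) + 1


def g(R: int) -> int:
    """Public map from group elements to the integers: the representative itself."""
    return R


def keygen(rng):
    a = rng.randrange(1, N)
    return a, pow(G, a, P)


def sign_unreduced(a, m, rng):
    """s = a*h(m) + k*g(R) computed over the integers, i.e. with the 'mod n' omitted."""
    k = rng.randrange(1, N)
    R = pow(G, k, P)
    return a * h(m) + k * g(R), R


def verify(A, m, sig):
    s, R = sig
    return pow(G, s, P) == (pow(A, h(m), P) * pow(R, g(R), P)) % P


def crt_merge(x, M, r, f):
    """Combine a ≡ x (mod M) with a ≡ r (mod f); the moduli need not be coprime."""
    d = gcd(M, f)
    if (r - x) % d:
        raise ValueError("inconsistent residues")
    M_, f_ = M // d, f // d                         # gcd(M_, f_) == 1
    t = ((r - x) // d) * pow(M_, -1, f_) % f_ if f_ > 1 else 0
    M_new = M * f_                                  # lcm(M, f)
    return (x + M * t) % M_new, M_new


def recover_a(sigs):
    """For each (m, (s, R)): a ≡ s * h(m)^-1 (mod f) with f | g(R), gcd(f, h(m)) = 1; CRT until modulus >= N."""
    x, M = 0, 1
    for m, (s, R) in sigs:
        hm, f = h(m), g(R)
        while f > 1 and gcd(f, hm) > 1:            # drop prime factors shared with h(m)
            f //= gcd(f, hm)
        if f == 1:
            continue
        x, M = crt_merge(x, M, s * pow(hm, -1, f) % f, f)
        if M >= N:                                  # a < N, so the residue now IS a
            return x
    return None


def demo(seed=1, count=40):
    """Sign `count` constructed messages without reducing s, then recover a from the signatures."""
    rng = random.Random(seed)
    a, A = keygen(rng)
    sigs, all_ok = [], True
    for i in range(count):
        m = ("message %d" % i).encode()              # constructed sample messages
        sig = sign_unreduced(a, m, rng)
        all_ok = all_ok and verify(A, m, sig)
        sigs.append((m, sig))
    return a, recover_a(sigs), all_ok


if __name__ == "__main__":
    a, got, ok = demo()
    print("signatures verify:", ok, "| secret a:", a, "| recovered:", got)
```

Reducing s mod n destroys the integer relation the attack relies on, which is why the reduction in (*) is not an optimisation detail. In this toy group two or three signatures already push the CRT modulus past n; with a real-sized group the attacker simply collects more signatures.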
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: one time pad
Date: Thu, 24 Jun 1999 22:30:07 GMT
> > > ... If a pure and perfect (okay, theoretical) random generator
> > > can produce any sequence of bits, and no bit is dependent on any
> > > other, then you could theoretically produce streams of obvious
> > > patterns. ... And this should produce weaknesses in the pad.
> >
> > No, it doesn't.
Greg Ofiesh wrote:
> You have a candidate message for which the odds are (equal to all other
> candidates) one in astronomical odds and the pattern of the pad segment
> that is required from the cipher stream is all 0's, also one in
> astronomical odds. Does this seem to you more than a coincidence? And
> therefore a weakness?
How many times do we have to tell you that it is not a weakness?
In a properly functioning OTP system, there are the *same* odds of the
cipher stream being, e.g.
0100110101011101011011010100010100...
as of its being
0000000000000000000000000000000000...
And if you examine enough OTP key stream, sooner or later you will
(with high probability) encounter each of those. The only thing
"special" about the latter, or your earlier example of a repeated
8-bit pattern, is that your nervous system is tuned to see a pattern
there, but not for the first string I exhibited. (By the way, I
used a strong mathematical pattern to generate that first string,
although so far as the vast majority of people are concerned it is
just a random string of 0,1 bits.)
It is common in cryptanalytic work to see patterns which aren't
"causal", i.e., which are produced by pure coincidence and are not
indicative of the true encryption process. Even in the Kryptos
work, Jim and I noted some fairly long plaintext sequences that
were apparent in the ciphertext (under certain arrangements), but
we had enough experience to realize that they were spurious.
History contains many examples of people finding spurious patterns
in Shakespeare's plays, the Bible, the Torah, etc.
Now in practical cryptanalysis, we have to take into account such
factors as the probability of the OTP pad generator having broken
down, or of some system other than OTP having been used, or of human
error in the encryption operation, etc., etc. So, for instance, we
may judge that it is much more likely for an all-0 key to have been
used due to one of these other factors than for it to have occurred
in a correctly-generated OTP key stream purely by random chance.
We can easily estimate the probability of the latter event, but can
normally make only fuzzy estimates of the other possibilities.
But if we assume the OTP system is functioning properly, an all-0
key *must* occur as often as any other specified key of the same
length, and by the time it does occur, which for any reasonable
message length happens "not within my lifetime", we will be so
accustomed to seeing every conceivable pattern in OTP keys that
all-0s won't appear special at all.
As is often the case, to understand this phenomenon you would do
well to familiarize yourself with its operation in a small, "toy"
problem. Let's introduce a mini-"language" where an entire
message is always just a 4-bit "word", there are three valid
words:
0001 0010 0100
and the valid words have equal probability of occurrence.
Then consider a collection of OTP-encrypted messages (create
these yourself as part of the exercise): randomly select a
plaintext (one of those three valid 4-bit words), and randomly
encipher it by bitwise XOR (modulo-2 addition) with the next
unused 4 bits of a uniform random bit generator. Take that
collection of ciphertexts and "cryptanalyze" it without using
any knowledge of the choice of plaintext nor key. While one
time in 16, on average, the key is 0000, knowing this will
help you *not at all* in your cryptanalysis; for every correct
plaintext recovered by any means whatsoever, you'll have two
incorrect recoveries (on average). For example, ciphertext
0010 is equally likely to be: (plain,key)=(0010,0000) or
(0001,0011) or (0100,0110). Why would you presume the first?
Try it and gain enlightenment!
------------------------------
From: [EMAIL PROTECTED] (Jerry Coffin)
Subject: Re: one time pad
Date: Thu, 24 Jun 1999 16:55:38 -0600
In article <7kttrb$dp7$[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
[ ... ]
> Examining the pad segment, one would immediately realize
> that the odds of 20 0's are astronomical.
Sure. What one might not realize so quickly, but is still true, is
that the odds of ANY other sequence of 20 bytes in a row are EXACTLY
THE SAME! The odds of producing one exact sequence that happens to
look like it has no pattern at all are identical.
> The plain text as well is an
> equally astronomical candidate (all candidates have same astronomical
> odds of being correct). But when you have one astronomical event
> coincide with another, that cannot be coincidence. Thus patterns to
> the naked eye must be avoided in the pad.
>
> What say you?
I'm not quite sure what you're talking about when you mention
astronomical odds with respect to the plain text, but ultimately it
comes down to this: anything you say looks like a pattern, and
therefore avoid, is one possibility the attacker can then eliminate
from consideration. Provable security is based on the attacker not
being able to eliminate ANY possible decryption based on information
you've given him -- he may decide that some possibilities are
unlikely, but that's only based on what he guesses your plaintext
probably looked like, not on any information you've imparted. If, for
example, you compress the text before encrypting it, most of what he'd
be likely to guess about the plaintext could be invalid. Then again,
assuming he knows it's compressed in a particular fashion, the
compression itself might impart useful information. Just for example,
if you used an LZ-type compression, some possibilities can't happen,
so if a decryption created them, you'd be able to eliminate the key
that led to that decryption.
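Jerry Coffin's point about compressed plaintext, as an added example (my code, not the poster's): knowing the plaintext is a zlib stream lets the attacker throw away any key whose decryption is not a well-formed stream. To make every key tryable the cipher here is a deliberately weak 16-bit repeating XOR key, and the message and key are constructed for the example; the pruning is staged, first on the two-byte zlib header alone, then on the full stream (deflate blocks plus Adler-32 trailer).

```python
import zlib

# Constructed sample input for the example (not a captured message).
PLAINTEXT = b"ATTACK AT DAWN. ATTACK AT DAWN. ATTACK AT DAWN. "
KEY = b"\x5a\xa5"                      # deliberately tiny, 16-bit repeating key


def xor_repeat(data, key):
    """XOR `data` with `key` repeated; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encrypt_compressed(plaintext, key):
    """Compress first, as the post discusses, then encrypt."""
    return xor_repeat(zlib.compress(plaintext), key)


def zlib_header_plausible(two_bytes):
    """Structural check on the zlib header alone: deflate method (CM=8), window <= 32K
    (CINFO<=7), no preset dictionary (FDICT=0), and CMF*256+FLG divisible by 31."""
    cmf, flg = two_bytes[0], two_bytes[1]
    return ((cmf & 0x0F) == 8 and (cmf >> 4) <= 7 and (flg & 0x20) == 0
            and ((cmf << 8) | flg) % 31 == 0)


def all_keys():
    for k in range(1 << 16):
        yield k.to_bytes(2, "big")


def header_candidates(ciphertext):
    """Keys the attacker cannot rule out from the first two ciphertext bytes alone."""
    return [k for k in all_keys() if zlib_header_plausible(xor_repeat(ciphertext[:2], k))]


def surviving_keys(ciphertext):
    """Keys whose decryption is a complete, well-formed zlib stream."""
    survivors = []
    for k in header_candidates(ciphertext):
        try:
            zlib.decompress(xor_repeat(ciphertext, k))
        except zlib.error:                # bad block structure or Adler-32 mismatch: key eliminated
            continue
        survivors.append(k)
    return survivors


def recover_plaintext(ciphertext):
    """Plaintext under the unique surviving key, or None if the format does not single one out."""
    survivors = surviving_keys(ciphertext)
    if len(survivors) != 1:
        return None
    return zlib.decompress(xor_repeat(ciphertext, survivors[0]))


SAMPLE_CIPHERTEXT = encrypt_compressed(PLAINTEXT, KEY)

if __name__ == "__main__":
    print("keys passing the header check:", len(header_candidates(SAMPLE_CIPHERTEXT)))
    print("keys passing the full stream check:", surviving_keys(SAMPLE_CIPHERTEXT))
    print("recovered:", recover_plaintext(SAMPLE_CIPHERTEXT))
```

The header check alone cuts 65536 keys to a few dozen, and the Adler-32 trailer leaves exactly one, which is the sense in which the compression "imparts useful information". The caveat a practitioner should keep in mind: this pruning only turns into a key recovery because the key space is small. With a one-time pad there is a distinct key for every candidate plaintext of that length, so format constraints shrink the candidate set to all well-formed streams of that length and still give no way to prefer one over another.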
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: one time pad
Date: Thu, 24 Jun 1999 22:58:54 GMT
"Douglas A. Gwyn" wrote:
> ... For example, ciphertext
> 0010 is equally likely to be: (plain,key)=(0010,0000) or
> (0001,0011) or (0100,0110).
Furthermore, if you modified the OTP system so that "highly
patterned keys" such as 0000 were never used, the cryptanalyst
could be *certain* that the message was actually (0001,0011)
or (0100,0110), but definitely not (0010,0000), which means that
he has gained information he would not have been able to obtain
if you had left the OTP keys alone. That should illustrate the
folly of pre-filtering the OTP keys to eliminate "patterns".
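Gwyn's toy exercise and his follow-up on filtering "patterned" keys, together with Leejay Wu's base-26 key-recovery table earlier in this digest, as one added worked example (my code, not any poster's). It computes the attacker's posterior over the three valid words for a given ciphertext under a uniform 4-bit key and again when 0000 is never issued, runs the "create these yourself" simulation to measure how often the guess "ciphertext is a valid word, so the key was 0000" is right, and includes the mod-26 subtraction that turns USECHEESEWHIZ into USEMAYONNAISE. The word list, the key sets and the simulation size are the only inputs, all taken from or constructed for the posts.

```python
from collections import Counter
from fractions import Fraction
import random

# Gwyn's toy language: every message is one 4-bit word, three words are valid,
# and each is equally likely a priori.
WORDS = (0b0001, 0b0010, 0b0100)
ALL_KEYS = tuple(range(16))
# Gwyn's hypothetical "filtered" system: the all-zero key is never issued.
FILTERED_KEYS = tuple(k for k in ALL_KEYS if k != 0b0000)


def key_for(cipher, plain):
    """For XOR enciphering, the 4-bit key that maps `plain` to `cipher`."""
    return cipher ^ plain


def key_for_letters(cipher, plain):
    """Leejay Wu's base-26 version (A=0): the additive key that turns `plain` into `cipher`."""
    return "".join(chr((ord(c) - ord(p)) % 26 + ord("A")) for c, p in zip(cipher, plain))


def posterior(cipher, keys):
    """P(plain | cipher) for the attacker: uniform prior over WORDS, key drawn uniformly from `keys`."""
    keys = set(keys)
    weight = {p: int(key_for(cipher, p) in keys) for p in WORDS}
    total = sum(weight.values())
    if total == 0:
        return {}
    return {p: Fraction(w, total) for p, w in weight.items()}


def simulate(n, keys, seed=0):
    """Gwyn's exercise: encipher n random words with fresh random keys; tally (cipher, plain) pairs."""
    rng = random.Random(seed)
    keys = tuple(keys)
    tally = Counter()
    for _ in range(n):
        p = rng.choice(WORDS)
        tally[(p ^ rng.choice(keys), p)] += 1
    return tally


def guess_zero_key_accuracy(tally):
    """Hit rate of the heuristic 'if the ciphertext is itself a valid word, the key was 0000'."""
    tries = sum(c for (ct, p), c in tally.items() if ct in WORDS)
    hits = sum(c for (ct, p), c in tally.items() if ct in WORDS and p == ct)
    return Fraction(hits, tries)


if __name__ == "__main__":
    print(key_for_letters("USECHEESEWHIZ", "USEMAYONNAISE"))
    for keys, label in ((ALL_KEYS, "uniform keys"), (FILTERED_KEYS, "0000 filtered out")):
        post = {"%04b" % p: str(pr) for p, pr in posterior(0b0010, keys).items()}
        rate = float(guess_zero_key_accuracy(simulate(20000, keys)))
        print(label, post, "zero-key heuristic hit rate: %.3f" % rate)
```

Under uniform keys the posterior for ciphertext 0010 is exactly 1/3 for each of the three words and the "assume 0000" heuristic is right one time in three, no better than picking a word at random. Filter out 0000 and the posterior for the word 0010 drops to 0 while the other two rise to 1/2: the filtering handed the attacker one bit he did not have before, which is Gwyn's point.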
------------------------------
From: "rosi" <[EMAIL PROTECTED]>
Crossposted-To: rec.music.makers.synth
Subject: Re: What is the recommended maximum length of the MIDI cable between
sequencer and controller?
Date: Thu, 24 Jun 1999 18:18:46 -0400
My post was to the thread "Breaking" a cipher
rosi wrote in message <7kudc9$9tj$[EMAIL PROTECTED]>...
>What I click is what I see.
[... etc. ...]
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************