Cryptography-Digest Digest #586, Volume #10      Thu, 18 Nov 99 11:13:03 EST

Contents:
  Re: Weak keys in Rijndael? What happened to that? ([EMAIL PROTECTED])
  Known attacks on AES candidates? ([EMAIL PROTECTED])
  Re: Codebook examples on Web? ("Douglas A. Gwyn")
  Re: "Compressible Encryption" - Is it an oxymoron? ("Lassi Hippeläinen")
  New web page for The Cunningham Project (Francois Grieu)
  Re: more about the random number generator (Tom St Denis)
  Question about enigma rotors (Erik H.)
  Re: What part of 'You need the key to know' don't you people get? (Tom St Denis)
  Re: Known attacks on AES candidates? (Tom St Denis)
  Re: more about the random number generator (Tom St Denis)
  Re: Realistic view of AES (Tom St Denis)
  Re: Realistic view of AES (DJohn37050)
  Re: NSA should do a cryptoanalysis of AES ([EMAIL PROTECTED])
  Re: ENCRYPTOR 4.0 by Comotex USA Inc. CRACKED !! (fungus)
  Simpson's Paradox and Quantum Entanglement ([EMAIL PROTECTED])
  Re: What part of 'You need the key to know' don't you people get? (SCOTT19U.ZIP_GUY)
  Re: weak ciphers and their usage (SCOTT19U.ZIP_GUY)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Weak keys in Rijndael? What happened to that?
Date: Thu, 18 Nov 1999 04:54:04 GMT

In article <[EMAIL PROTECTED]>,
  albert <[EMAIL PROTECTED]> wrote:
> I seem to recall reading someone (think his name was Tom???) who posted
> something about Rijndael having weak keys.  Anybody hear any more on
> this?  Was it a joke or for real?
>
> Albert
>
I was the original poster on the Rijndael key schedule.

Mr. Vincent Rijmen and Mr. Lars Knudsen were kind enough to respond
via email to my questions about the key schedules in Serpent and
Rijndael.

The basic argument was that for two related keys given the XOR of the
Round keys, an attack can recover the Cipher Key.  In Rijndael, only a
subset of the XOR of the Round keys is required.  Additionally, for
some odd keys and ciphertext, some of the key bits can be recovered
with just the XOR of the last Round Key.

How to get such information is the trick :-)  The only method I have
found is to know the XOR of the ciphertext in the last few rounds.
Rijndael appears to be impervious to a differential attack, however, thus
I have no method of finding the XOR of the Round Keys.

Both Mr. Rijmen and Mr. Knudsen assured me that this is not a known
weakness. After further study, I have not been able to extend the
oddity to an actual attack.

The key schedule in Rijndael still bothers me however.  The ability to
reverse the schedule seems an odd requirement.  Given any Round Key, -
all- other Round Keys can be found.  Mr. Rijmen said this requirement
allows the key to retain full entropy.  I assume this design avoids
nearly equivalent keys as well.

Additionally, the key schedules in Rijndael and Serpent do not seem to
follow the guidelines laid out by Kelsey, Schneier and Wagner.  The
title is 'Related Key cryptanalysis of 3-WAY, Biham-DES, ...'  The
rules of thumb state that the key schedules should be immune to
differential attack and should be one way.  Essentially, the key
schedule should be a hash function.

Another oddity in the Rijndael schedule is that given the XOR of two
consecutive Round Keys, the Cipher Key can be obtained.  Imagine a
related key attack with two keys being XORed together.  It is possible
that the second key's first Round Key is equal to the first key's
second Round Key.  In that odd case, the mere XOR of the Cipher Key
allows recovery of the Cipher Keys.  For each Cipher Key there is
exactly one other Cipher Key that allows this attack.

In summary, I take it back.  I have not found any weak keys in
Rijndael.  I have found some interesting oddities however.

I wish to thank Mr. Rijmen and Mr. Knudsen for their patience in
educating me.

--Matthew


Sent via Deja.com http://www.deja.com/
Before you buy.
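The reversibility Matthew describes (given any Round Key, all the others follow) is a property of the AES-128 key expansion itself. The Python below is an added example, not code from the post or from the Rijndael designers: it implements the FIPS-197 key expansion and the inverse of one expansion step, so the cipher key is recovered from the round key of any round. The test key is the FIPS-197 Appendix A.1 vector. The practical caveat for implementers is the one the post hints at: a single leaked round key (from a memory dump, or a side channel on the last round) is equivalent to leaking the key, so round keys need exactly the protection the key gets.

```python
"""AES-128 key expansion and its inverse (added example, not from the post).

Each round key is derived from the previous one by an invertible step, so any
single round key determines the whole schedule, including the cipher key.
"""

RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _gf_inv(a):
    """Multiplicative inverse in GF(2^8) as a^254 (0 maps to 0 automatically)."""
    r, e = 1, 254
    while e:
        if e & 1:
            r = _gf_mul(r, a)
        a = _gf_mul(a, a)
        e >>= 1
    return r


def _build_sbox():
    """AES S-box: GF(2^8) inverse followed by the affine transform."""
    box = []
    for x in range(256):
        b = _gf_inv(x)
        s = b
        for i in range(1, 5):
            s ^= ((b << i) | (b >> (8 - i))) & 0xFF
        box.append(s ^ 0x63)
    return box


SBOX = _build_sbox()


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _sub_rot(word, rcon):
    """SubWord(RotWord(word)) XOR Rcon: the non-linear step of the schedule."""
    rotated = word[1:] + word[:1]
    return _xor(bytes(SBOX[v] for v in rotated), bytes([rcon, 0, 0, 0]))


def expand_key(key):
    """Return the 11 round keys (16 bytes each) of AES-128 for a 16-byte key."""
    if len(key) != 16:
        raise ValueError("AES-128 needs a 16-byte key")
    w = [bytes(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        temp = w[i - 1]
        if i % 4 == 0:
            temp = _sub_rot(temp, RCON[i // 4 - 1])
        w.append(_xor(w[i - 4], temp))
    return [b"".join(w[4 * r:4 * r + 4]) for r in range(11)]


def previous_round_key(round_key, r):
    """Invert one expansion step: from round key r (1..10) recover round key r-1."""
    w = [round_key[i:i + 4] for i in range(0, 16, 4)]
    prev = [None] * 4
    prev[3] = _xor(w[3], w[2])  # w[4r-1] = w[4r+3] ^ w[4r+2], and so on down
    prev[2] = _xor(w[2], w[1])
    prev[1] = _xor(w[1], w[0])
    prev[0] = _xor(w[0], _sub_rot(prev[3], RCON[r - 1]))
    return b"".join(prev)


def recover_cipher_key(round_key, r):
    """Walk the schedule backwards from round key r to the cipher key."""
    for i in range(r, 0, -1):
        round_key = previous_round_key(round_key, i)
    return round_key


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 A.1
    rks = expand_key(key)
    print("round 10 key:", rks[10].hex())
    print("recovered   :", recover_cipher_key(rks[10], 10).hex())
```

The S-box is generated rather than tabulated so the block stays self-contained; the two assertions on it in the test pin it to the FIPS-197 values before the schedule is trusted.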

------------------------------

From: [EMAIL PROTECTED]
Subject: Known attacks on AES candidates?
Date: Thu, 18 Nov 1999 05:07:23 GMT

Hello All,

I have been studying the AES candidates and want to summarize the known
attacks.

Mars -- Equivalent keys for non AES key lengths.

RC6 -- Equivalent keys for non AES key lengths.  Not totally random up
to 15 rounds.  Differential weakness in reduced round versions.

TwoFish -- Whitening keys are not equally distributed.

Serpent -- ??

Rijndael -- ??

Any other known weaknesses?  I am especially interested in papers on
Rijndael or Serpent.

RC6 seems to be the only one with a serious problem at this point.

BTW, papers are available for all of the above in the 'Cipher Block
Lounge.'

--Matthew



------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Codebook examples on Web?
Date: Thu, 18 Nov 1999 06:52:43 GMT

John Savard wrote:
> ... Never use the words "one time" for any system that doesn't use
> genuinely random numbers, ...

All that is meant by "one-time pad" is that the keying material is
not reused.  What you have in mind is better called an "ideal" OTP.

------------------------------

From: "Lassi Hippeläinen" <"lahippel$does-not-eat-canned-food"@ieee.org>
Subject: Re: "Compressible Encryption" - Is it an oxymoron?
Date: Thu, 18 Nov 1999 10:09:57 +0200

Yes, it does. I've seen it with my own eyes.

There are algorithms that preserve compressible structure in the
plaintext: substitution ciphers. Therefore I assume that the algorithm
used in M$ Overlook is ROT-13.

-- Lassi

fungus wrote:
> 
> Paul Mullen wrote:
> >
> > As you are probably aware, the default setting for Microsoft Outlook
> > personal folder files is "Compressible Encyption", with alternatives of
> > better encyption and no encryption.
> 
> Pfffttttt!
> 
> <Caffeinated beverage hits the screen...>
> 
> Does it *really* say that?????
> 
> --
> <\___/>
> / O O \
> \_____/  FTB.
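Lassi's observation, that a substitution cipher preserves the compressible structure of its input, can be turned into a quick check on any output that claims to be encrypted. The Python below is an added example, not from the thread: it compresses a constructed plaintext, its ROT-13, and the same text under a toy keystream cipher (SHA-256 in counter mode, used here only as something that destroys structure, not as a recommended design), and flags output that still compresses. The sample text and key are constructed.

```python
"""Compressibility as a structure-leak check (added example, not from the thread).

A byte-for-byte substitution such as ROT-13 renames symbols but keeps every
repeat and every frequency pattern, so its output compresses like the
plaintext.  A cipher that destroys structure gives output that does not
compress at all.
"""
import codecs
import hashlib
import zlib

# Constructed sample: repetitive office prose, the redundancy a compressor exploits.
PLAINTEXT = (
    "Meeting moved to Thursday at ten. Please bring the quarterly report. "
    "Reply to confirm attendance. "
) * 40
PLAINTEXT = PLAINTEXT.encode("ascii")


def rot13(data):
    """ROT-13 on ASCII bytes: a fixed substitution."""
    return codecs.encode(data.decode("ascii"), "rot_13").encode("ascii")


def xor_keystream(data, key):
    """Toy stream cipher for contrast only: SHA-256(key || counter) keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def compression_ratio(data):
    """zlib output size over input size; about 1.0 or more means no usable structure."""
    return len(zlib.compress(data, 9)) / len(data)


def leaks_structure(ciphertext, threshold=0.9):
    """Flag supposedly encrypted data that still compresses noticeably."""
    return compression_ratio(ciphertext) < threshold


def report(plaintext=PLAINTEXT, key=b"demo key"):
    """Compression ratios of the plaintext, its ROT-13 and its keystream encryption."""
    return {
        "plaintext": compression_ratio(plaintext),
        "rot13": compression_ratio(rot13(plaintext)),
        "keystream": compression_ratio(xor_keystream(plaintext, key)),
    }


if __name__ == "__main__":
    for name, ratio in report().items():
        print(f"{name:10s} {ratio:.3f}")
```

The threshold in `leaks_structure` is deliberately loose: real ciphertext sits at a ratio slightly above 1.0 because of zlib's own framing, so anything well below that is a sign the transformation kept the plaintext's statistics.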

------------------------------

From: [EMAIL PROTECTED] (Francois Grieu)
Subject: New web page for The Cunningham Project
Date: Thu, 18 Nov 1999 10:38:12 +0100

The Cunningham Project seeks to factor the numbers b^n +- 1
for b = 2, 3, 5, 6, 7, 10, 11, 12, up to high powers n.
Started in 1925 by Cunningham and Woodall, it may be the
longest running computing project in history.

The collection of current results, kept by Sam Wagstaff,
has recently moved to:
   <http://www.cerias.purdue.edu/homes/ssw/cun/>

Introductory info on the Cunningham Project is at
   <ftp://sable.ox.ac.uk/pub/math/cunningham/README>
[with slightly outdated listings in the same directory]

Noteworthy related pages:

NFSNET, a distributed effort using the Number Field Sieve
to factor Cunningham Project numbers.
   <http://sushi.st.usm.edu/~cwcurry/nfs/nfs.html>

ECMNET, where the elliptic curve factoring method is used
for the same purpose (it is more efficient for small factors):
   <http://www.loria.fr/~zimmerma/records/ecmnet.html>

Enjoy.

   Francois Grieu (admirer of the above)

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: more about the random number generator
Date: Thu, 18 Nov 1999 12:40:57 GMT

http://www.cell2000.net/security/peekboo/test.wav

and

http://www.cell2000.net/security/peekboo/test.bin

are two different streams made by my rng. [330kb and 250kb
respectively].

If anyone wants to poke or prod at them go ahead.  And by all means
let us know how they work.

Tom



------------------------------

From: Erik H. <[EMAIL PROTECTED]>
Subject: Question about enigma rotors
Date: Thu, 18 Nov 1999 12:11:07 GMT

Hello!

I read some web pages about the ENIGMA device used during WW II
and have a question about the rotors used.

After the first character is sent through the device the
first rotor turns a little bit so that the rotor uses a different
'permutation' the next time. Every rotor had
26 different 'permutations'.

Some of the pages I found describe the rotors
by using 26 numbers/letters.
But how can this be? You need 26 numbers/letters only to describe one
permutation for a 26 letter alphabet.

Is it possible that the rotors are not using 'true' permutations
but only transpositions of the alphabet
(at pos 1 substitute a with d, b with e, ...
 at pos 2 substitute a with m, b with n, ...)

Then it would be possible to describe a rotor with only 26 numbers,
one for every transposition.

Who knows exactly?

Bye,
   Erik.


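Erik's question has a short answer, given here as an added example that is not part of the post: the 26 letters describe the rotor's fixed internal wiring, which is one permutation; turning the rotor does not rewire it, it shifts which contacts line up with the neighbouring rotor, and that shift is what produces 26 different effective substitutions from one wiring. The model below uses the historical wiring of Wehrmacht rotor I. Ring settings, the reflector and the other rotors are left out (assumptions of the model), and `encode_letters` runs text through a single stepping rotor only, to show the same input letter mapping differently at each position.

```python
"""An Enigma rotor as a fixed 26-letter wiring plus a rotational offset
(added example, not from the post)."""

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
# Historical wiring of Wehrmacht rotor I: contact A (0) is wired to E (4), etc.
ROTOR_I = "EKMFLGDQVZNTOWYHXUSPAIBRCJ"


class Rotor:
    """The 26 letters are the internal wires, a single permutation.  Turning
    the rotor shifts the entry and exit contacts, which is what yields the 26
    different effective substitutions.  Ring setting ignored for simplicity."""

    def __init__(self, wiring, position=0):
        self.forward = [ALPHABET.index(c) for c in wiring]
        self.backward = [0] * 26
        for entry, exit_ in enumerate(self.forward):
            self.backward[exit_] = entry
        self.position = position % 26

    def through(self, c):
        """Signal entering contact c on the right and leaving on the left."""
        return (self.forward[(c + self.position) % 26] - self.position) % 26

    def back(self, c):
        """Return path after the reflector: the inverse of through()."""
        return (self.backward[(c + self.position) % 26] - self.position) % 26

    def step(self):
        self.position = (self.position + 1) % 26


def effective_substitution(wiring, position):
    """The alphabet-wide substitution the rotor applies at one position."""
    rotor = Rotor(wiring, position)
    return "".join(ALPHABET[rotor.through(c)] for c in range(26))


def all_substitutions(wiring):
    """All 26 substitutions a rotor can present, derived from its one wiring."""
    return [effective_substitution(wiring, p) for p in range(26)]


def encode_letters(wiring, text, start=0):
    """Pass text through one rotor that steps before every letter, as the
    right-hand Enigma rotor does (no reflector or other rotors: illustration)."""
    rotor = Rotor(wiring, start)
    out = []
    for ch in text:
        rotor.step()
        out.append(ALPHABET[rotor.through(ALPHABET.index(ch))])
    return "".join(out)


if __name__ == "__main__":
    for p, s in enumerate(all_substitutions(ROTOR_I)[:3]):
        print(f"position {p}: {s}")
    print("AAA ->", encode_letters(ROTOR_I, "AAA"))
```

At position 0 the effective substitution is the wiring string itself; every other position is the same wiring viewed through a shifted pair of contact rings, so all 26 are permutations and, for this wiring, all 26 are distinct.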

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: What part of 'You need the key to know' don't you people get?
Date: Thu, 18 Nov 1999 12:18:58 GMT

In article <80vcv9$18e0$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) wrote:
>    Yes and the Germans were convinced their Enigma was safe due to its
> large key size. Much larger than the AES key sizes found in the weak AES
> ciphers. See articles on just how large this key size actually was in some
> versions of the Enigma; it would surprise you. Yet without modern computers
> they were broken. It is foolish to assume you're safe just because you think
> it is. The enemy may think differently than you.

Assuming 26 pins per wheel you need 28 wheels to match a 128-bit key.
Did they have 28 wheels?  I am not sure... did they?

Tom



------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Known attacks on AES candidates?
Date: Thu, 18 Nov 1999 12:31:10 GMT

In article <8101i4$2c9$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] wrote:
> Hello All,
>
> I have been studying the AES candidates and want to summarize the known
> attacks.
>
> Mars -- Equivalent keys for non AES key lengths.
>
> RC6 -- Equivalent keys for non AES key lengths.  Not totally random up
> to 15 rounds.  Differential weakness in reduced round versions.
>
> TwoFish -- Whitening keys are not equally distributed.
^^^^^

This with 8-byte keys though, not 16/24/32 byte keys.

> Serpent -- ??
>
> Rijndael -- ??
>
> Any other known weaknesses?  I am especially interested in papers on
> Rijndael or Serpent.
>
> RC6 seems to be the only one with a serious problem at this point.

Define serious.

> BTW, papers are available for all of the above in the 'Cipher Block
> Lounge.'

Yup or just off

www.nist.gov

Tom



------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: more about the random number generator
Date: Thu, 18 Nov 1999 12:35:10 GMT

In article <80vpni$jo1$[EMAIL PROTECTED]>,
  Scott Fluhrer <[EMAIL PROTECTED]> wrote:
> In article <[EMAIL PROTECTED]>,
>       Anton Stiglic <[EMAIL PROTECTED]> wrote:
>
> >Tom St Denis wrote:
> >>
> >>
> >> Chi square distribution for 417792 samples is 0.14, and randomly
> >> would exceed this value 50.00 percent of the times.
> >>
> >I don't remember my probability distributions well enough to comment
> >on this.  Maybe someone else can give their input?
>
> This sounds fishy to me in that it sounds *too* good.  Running it
> on a truly random source should give an "exceed this value" value
> evenly distributed between 0 and 100 percent, and the fact that
> you get precisely 50.00 percent sounds like either you're getting
> a subtle bias (!), or the chi square distribution test isn't
> computing that number accurately.
>
> My suggestion: re-run the test on a freshly generated batch of bits.
> If you get the same 0.14/50.00 percent figure, you may have found
> a subtle bias.  If the 0.14 varies, but the 50.00 percent figure
> stays the same, the percentage is computed wrong
>

you can get some of it from

http://www.cell2000.net/security/peekboo/test.wav

Where I saved it as an 8-bit 11 kHz PCM file [hopefully none of the content
changed when I converted it from raw to PCM]. I will try to generate more
data and make it available as just a raw file.

Tom


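Fluhrer's suggestion, rerun the test on fresh batches and watch whether the "would exceed" percentage moves, is easy to script. The Python below is an added example, not Tom's generator or his test program: it computes the byte-frequency chi-square statistic (255 degrees of freedom, an assumption about which test Tom ran) and the probability that random data would exceed it, on constructed input from a seeded generator with an optional deliberate bias. One consequence of the arithmetic is worth noting: a statistic of 0.14 on 255 degrees of freedom would be exceeded by random data essentially 100% of the time, not 50%, so if the quoted figures came from a byte test they cannot both be right, which is exactly the kind of inconsistency the rerun check is meant to surface.

```python
"""Byte-frequency chi-square test with Fluhrer's rerun check
(added example, not from the thread)."""
import math
import random


def chi2_exceed_prob(stat, df):
    """P(X > stat) for a chi-square variable with df degrees of freedom,
    by the Wilson-Hilferty cube-root normal approximation (good for large df)."""
    z = ((stat / df) ** (1 / 3) - (1 - 2 / (9 * df))) / math.sqrt(2 / (9 * df))
    return 0.5 * math.erfc(z / math.sqrt(2))


def chi_square_bytes(data):
    """Statistic of the byte counts against a uniform distribution (255 d.o.f.)
    and the probability that a truly random stream would exceed it."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    expected = len(data) / 256
    stat = sum((c - expected) ** 2 / expected for c in counts)
    return stat, chi2_exceed_prob(stat, 255)


def sample_bytes(seed, n, zero_bias=0.0):
    """Constructed test input: seeded pseudo-random bytes, optionally with an
    extra probability `zero_bias` of emitting 0x00 to simulate a biased source."""
    rng = random.Random(seed)
    out = bytearray()
    for _ in range(n):
        if zero_bias and rng.random() < zero_bias:
            out.append(0)
        else:
            out.append(rng.getrandbits(8))
    return bytes(out)


def exceed_percentages(seeds, n=65536, zero_bias=0.0):
    """Fluhrer's check: test several fresh batches and look at the spread.
    Unbiased input gives percentages scattered over 0..100; a value that never
    changes points at the test code, values pinned near 0 point at bias."""
    return [round(100 * chi_square_bytes(sample_bytes(s, n, zero_bias))[1], 2)
            for s in seeds]


if __name__ == "__main__":
    print("unbiased batches:", exceed_percentages(range(5)))
    print("biased batches:  ", exceed_percentages(range(5), zero_bias=0.05))
    print("stat 0.14 on 255 d.o.f. exceeded with p =", chi2_exceed_prob(0.14, 255))
```

The cube-root approximation is used instead of a full incomplete-gamma routine to keep the block short; at 255 degrees of freedom it is accurate to well within the precision anyone reads off a "percent of the time" figure.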

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Realistic view of AES
Date: Thu, 18 Nov 1999 12:37:21 GMT

In article <80vkiu$1uks$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) wrote:
>   Tom on this you are most likely correct. But I wonder what the
> hell will happen to the export regulations. If AES is adopted by the
> US will it allow it to be exported? You have to realize in my country
> many many times the left hand of government does not know what
> the right hand does and often there is disagreement.

Last I heard export rules were slacking off in both our countries.
Apparently they are beginning to take a hint.

Tom



------------------------------

From: [EMAIL PROTECTED] (DJohn37050)
Subject: Re: Realistic view of AES
Date: 18 Nov 1999 13:33:15 GMT

NIST has said there will be a winner or winners to AES contest.  Not
necessarily only one winner.
Don Johnson

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: NSA should do a cryptoanalysis of AES
Date: Thu, 18 Nov 1999 13:23:51 GMT

I think one of the issues relating to this is trust.  When Clipper was
announced by the NSA and they tried to make people use it, did anybody
really trust it?  No.  If the NSA were to create an algorithm and enter
it in AES, I think everyone would be wary.  I think their cryptanalysis
capabilities are still ahead of ours, but not that far ahead anymore,
and they certainly have the capabilities to embed a backdoor in a
cipher.  Anyway, that's my $.02.

csybrandy

In article <[EMAIL PROTECTED]>,
  albert <[EMAIL PROTECTED]> wrote:
>     I see that NSA has not entered a candidate for AES.  I assume it's
> because they don't want to give away some secrets they have.  What
> secrets?  My conspiracy theories...
>     Suppose the NSA has found a way to break Feistel ciphers, and SP
> style ones.  So what would that mean?  That would mean that their
> algorithm would be based on something totally different, to combat that
> kind of attack, just like before Serpent came out, we all knew that
> Eli's entry would almost certainly be resistant against differential
> attacks.  That is why Bruce says good cryptanalysts make good cipher
> writers, because they will design ciphers that are resistant to their
> own attacks, so the better the attacker, the more resistant their
> algorithms (generally).
> BUT, they should post a thorough analysis of the AES candidates.  We'd
> like to see what our tax-dollar funded crypto-think tanks have come up
> with in terms of attacks and analysis.
>
> Do you think the reason they aren't giving an analysis is because they
> can break all the second round candidates and so they aren't going to
> say anything about it?  I personally don't, but it's a thought...
>



------------------------------


From: fungus <[EMAIL PROTECTED]>
Subject: Re: ENCRYPTOR 4.0 by Comotex USA Inc. CRACKED !!
Date: Thu, 18 Nov 1999 12:31:07 +0100



JPeschel wrote:
> 
> It's always good to do more reading, and I shall, in the
> meantime, you'll find plenty of examples of attacks
> that require only one ciphertext.
> 

The only one which works is brute-force. All the others
assume some sort of knowledge about the plaintext (even
if it's only a frequency distribution).


-- 
<\___/>
/ O O \
\_____/  FTB.


------------------------------

From: [EMAIL PROTECTED]
Crossposted-To: comp.ai.fuzzy,sci.physics,sci.math
Subject: Simpson's Paradox and Quantum Entanglement
Date: Thu, 18 Nov 1999 14:08:58 GMT

Simpson's Paradox:
     http://curriculum.qed.qld.gov.au/kla/eda/sim_par.htm

Simpson's Paradox is a statistical artifact related to
hidden variables. Here it is in terms of quantum entanglement.

Given that

  1) A and B are complementary
  2) A and B are both true XOR A and B are both false

then, that 1) contradicts 2) is the essence of Simpson's Paradox.

We can make an arbitrary determination that "A is True"
to resolve that paradox, but this choice is arbitrary as we could
equally have chosen to make the determination that
"B is True". Regardless of the choice we can then instantly
determine the complementary variables state as "anti-correlated".

Similarly, in entanglement the arbitrary measurement of
a polarization or spin state will instantly (non-locally)
determine the state of the anti-correlated entangled twin.



------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: What part of 'You need the key to know' don't you people get?
Date: Thu, 18 Nov 1999 15:22:30 GMT

In article <810qrg$jg0$[EMAIL PROTECTED]>, Tom St Denis <[EMAIL PROTECTED]> wrote:
>In article <80vcv9$18e0$[EMAIL PROTECTED]>,
>  [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) wrote:
>>    Yes and the Germans were convinced their Enigma was safe due to its
>> large key size. Much larger than the AES key sizes found in the weak AES
>> ciphers. See articles on just how large this key size actually was in some
>> versions of the Enigma; it would surprise you. Yet without modern computers
>> they were broken. It is foolish to assume you're safe just because you think
>> it is. The enemy may think differently than you.
>
>Assuming 26 pins per wheel you need 28 wheels to match a 128-bit key.
>Did they have 28 wheels?  I am not sure... did they?
>

   Are you a complete fool? Where did you get such a ridiculous number?
Are you stupid enough to think that the number 26 is a binary number?
You really are full of shit Mr Tom. Each wheel is a special arrangement
of 26 characters and don't forget the plugboard in the front of the machine.





David A. Scott
--

SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
                    
Scott famous encryption website NOT FOR WIMPS
http://members.xoom.com/ecil/index.htm

Scott rejected paper for the ACM
http://members.xoom.com/ecil/dspaper.htm

Scott famous Compression Page WIMPS allowed
http://members.xoom.com/ecil/compress.htm

**NOTE EMAIL address is for SPAMERS***
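Tom's "28 wheels for 128 bits" count and Scott's reply about wheel arrangement and the plugboard are both key-space arithmetic, worked out here as an added example that is not from either post. It assumes the standard three-rotor Enigma I configuration (three rotors chosen from five, a fixed reflector, ten plugboard cables) and the conventional way of counting ring settings, where only the two rings that influence stepping are counted. The point the thread circles without stating is the one defenders should take away: key-space size on its own says nothing about security, since a machine with roughly 2^76 settings was broken by exploiting its structure, not by enumerating them.

```python
"""Enigma key-space arithmetic for the '28 wheels' exchange
(added example, not from the thread)."""
import math


def wheels_for_bits(bits, positions=26):
    """Tom's count: how many independent wheels with `positions` settings each
    are needed before the combined settings reach at least 2**bits."""
    wheels = 0
    while positions ** wheels < 2 ** bits:
        wheels += 1
    return wheels


def plugboard_pairings(pairs=10, letters=26):
    """Ways to connect `pairs` cables between distinct letters; neither the
    order of the cables nor the orientation of a cable matters."""
    return math.factorial(letters) // (
        math.factorial(letters - 2 * pairs) * math.factorial(pairs) * 2 ** pairs)


def enigma_keyspace(available=5, used=3, plug_pairs=10):
    """Settings of a three-rotor Enigma I with a fixed reflector: which rotors
    in which order, their start positions, the ring settings that affect
    stepping, and the plugboard.  Tom's '26 pins per wheel' covers only the
    start positions; Scott's wheel arrangement and plugboard are the other factors."""
    parts = {
        "rotor_choice_and_order": math.perm(available, used),
        "start_positions": 26 ** used,
        "ring_settings": 26 ** (used - 1),
        "plugboard": plugboard_pairings(plug_pairs),
    }
    total = math.prod(parts.values())
    parts["total"] = total
    parts["bits"] = math.log2(total)
    return parts


if __name__ == "__main__":
    print("wheels of 26 positions needed for 128 bits:", wheels_for_bits(128))
    for name, value in enigma_keyspace().items():
        print(f"{name:24s} {value}")
```

Most of the machine's key entropy is in the plugboard, which is a fixed substitution for the whole message and was attacked separately from the rotor settings; this is why counting "wheels" the way Tom does overstates what the rotor settings alone contribute.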

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: weak ciphers and their usage
Date: Thu, 18 Nov 1999 15:15:49 GMT

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Johnny Bravo) 
wrote:
>On Wed, 17 Nov 1999 02:24:12 GMT, [EMAIL PROTECTED]
>(SCOTT19U.ZIP_GUY) wrote:
>
>>    Nonsense Dave, just as you lack the ability to understand the complexities
>>of my code, you seem to lack a basic understanding of what common chaining does.
>>Here is something you can do with a crappy AES type of encryption with your
>>secret IV. Take a long file and encrypt it. Cut off the front third and last
>>third of the file.  Now if a good cryptographer like me (or better, in case
>>you're not good enough to handle it) is given the middle third of the file with the
>>cipher and key but not the IV, the center third of the file can be recovered easily.
>
>  This is the attack you have been ranting about all this time?  If
>your attacker has your key and IV and only the middle third of the
>file you are vulnerable?  
>  Well hell, under your system if your attacker has the key and IV the
>first third of your file you are vulnerable.  Under your own criteria
>scottXXu is a weak cipher whose only security lies in the chance that
>your attacker doesn't get the first part of your encrypted
>transmission, glad to see you finally admit your tinkertoy cipher
>isn't worth the electrons it was coded with.
>
 
Sorry Mr Bravo but scottXXu is not weak under the attack described.




David A. Scott

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
