Cryptography-Digest Digest #851, Volume #11 Wed, 24 May 00 12:13:00 EDT
Contents:
Re: Observation of Matsui's Sboxes (Mark Wooding)
Re: Observation of Matsui's Sboxes (tomstd)
Re: safer style sboxes (Mark Wooding)
Modulu arithmetic additive stripping? (UBCHI2)
Re: Observation of Matsui's Sboxes (Mark Wooding)
Re: Cascading Crypto Attack (UBCHI2)
RSA/PK Question ([EMAIL PROTECTED])
RSA/PK Question ([EMAIL PROTECTED])
Re: RSA/PK Question (Mark Wooding)
Re: Encryption within newsgroup postings (Mark Wooding)
Re: Crypto patentability (Runu Knips)
Re: Asynchronous and simple algorithm (Runu Knips)
Re: Unbreakable encryption. (Anders Rosendal)
Re: Unbreakable encryption. (Anders Rosendal)
Re: how do you know your decryption worked? (Erich Schnoor)
Re: Asynchronous and simple algorithm (Gisle Sølensminde)
Re: Patent busting for AES usage (Runu Knips)
Re: Schnorr patent and DSA (Roger Schlafly)
Re: Another possible 3DES mode. (David A. Wagner)
Re: Chosen Plaintext Attack (David A. Wagner)
Re: safer style sboxes (David A. Wagner)
Re: safer style sboxes (Mark Wooding)
Re: safer style sboxes (Tom St Denis)
Re: Observation of Matsui's Sboxes (Tom St Denis)
Re: Retail distributors of DES chips? (Tom St Denis)
Re: Chosen Plaintext Attack (Mark Wooding)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Observation of Matsui's Sboxes
Date: 24 May 2000 11:34:22 GMT
tomstd <[EMAIL PROTECTED]> wrote:
> if I understand correctly, flipping x_1 will not affect the last row
> at all.
Bear in mind that this follows the I(x) inversion operation.
-- [mdw]
------------------------------
Subject: Re: Observation of Matsui's Sboxes
From: tomstd <[EMAIL PROTECTED]>
Date: Wed, 24 May 2000 04:37:13 -0700
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
(Mark Wooding) wrote:
>tomstd <[EMAIL PROTECTED]> wrote:
>
>> if I understand correctly, flipping x_1 will not affect the last row
>> at all.
>
>Bear in mind that this follows the I(x) inversion operation.
If the A() function you sent is the sbox, then it's flawed, no
matter what transform you do before/after.
Note: I am not talking about Rijndael (in this case) being
flawed; the I() routine (inversion?) might just as well eliminate
the flaws, but you would have to repeatedly apply the matrix. For
example, A(A(x)) would incorporate all the bits; flipping one bit of X
would have a bigger effect on the output (assuming A is not a
self-convolution).
Tom
* Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!
------------------------------
From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: safer style sboxes
Date: 24 May 2000 11:51:29 GMT
tomstd <[EMAIL PROTECTED]> wrote:
> I am working on ideal 8x8 sboxes (with an inverse). I will post later
> when I find one.
I think that the point is the search is unnecessary. If you make sure
that enough averagely-good S-boxes are active at any given time, then
your cipher is strong anyway.
Note that improving the S-boxes' linear and differential properties
gives you only a polynomial improvement in resistance, but increasing the
number of active S-boxes is an *exponential* improvement.
Let's take one of your 8/256 = 2^-5 probability S-boxes. If I can
string 12 of these into a differential characteristic, I can break your
cipher in fewer than 2^64 chosen plaintexts. If your diffusion layers
are poor, that could mean breaking 12 rounds. Whereas if I use S-boxes
with poorer characteristics (because I don't care much, or want to avoid
putting too much structure in them) -- say the best differential has
probability 2^-4 -- but I design my cipher so that any three-round
characteristic has at least 6 active S-boxes then three rounds are
resistant to differential cryptanalysis.
Given the choice, I know where I'd put my effort.
-- [mdw]
------------------------------
From: [EMAIL PROTECTED] (UBCHI2)
Subject: Modulu arithmetic additive stripping?
Date: 24 May 2000 11:53:09 GMT
Are there properties of non-carrying addition or subtraction that aid in the
stripping or at least the identification of additives?
------------------------------
From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Observation of Matsui's Sboxes
Date: 24 May 2000 11:55:36 GMT
tomstd <[EMAIL PROTECTED]> wrote:
> If the A() function you sent is the sbox, then it's flawed, no
> matter what transform you do before/after.
No. S(x) = A(I(x)). The affine transformation A is applied after the
inversion I. Read what I said.
-- [mdw]
------------------------------
From: [EMAIL PROTECTED] (UBCHI2)
Subject: Re: Cascading Crypto Attack
Date: 24 May 2000 11:57:40 GMT
The attack on cascading crypto reminds one of the theory that if a spear always
cuts its distance to the target in half as it is travelling, then it will never
reach the target. In fact, the spear does reach the target.
The use of multiple algorithms, if each algorithm is completed in its entirety,
increases security. If you do only one piece of an algorithm before stepping to
the next algorithm, then you may leave out an important step that weakens the
whole.
------------------------------
From: [EMAIL PROTECTED]
Subject: RSA/PK Question
Date: Wed, 24 May 2000 12:25:01 GMT
If Kp and Ks are the public and secret RSA keys and if Ka is a random
key of the same length:
If Ka is XORed with Kp and Ks independently, i.e.
Kp` = Ka XOR Kp
Ks` = Ka XOR Ks
Can one still encrypt with Kp` and decrypt with Ks` using RSA?
My second question relates to long RSA keys... Is it reasonable to assume
that a 10000 bit RSA key will take 10 times as long to generate as a
1000 bit RSA key.... Would appreciate some key generation timings... for
long key pairs...
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: RSA/PK Question
Date: 24 May 2000 12:57:23 GMT
[EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> If Kp and Ks are the public and secret RSA keys and if Ka is a random
> key of the same length:
>
> If Ka is XORed with Kp and Ks independently [...] Can one still encrypt
> with Kp` and decrypt with Ks` using RSA?
No. This will hardly ever work.
> My second question relates to long RSA keys... Is it reasonable to assume
> that a 10000 bit RSA key will take 10 times as long to generate as a
> 1000 bit RSA key.... Would appreciate some key generation timings... for
> long key pairs...
No. It'll take about 1000 times as long, I think. Key generation times
increase with the cube of the key length.
-- [mdw]
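The reason the XOR construction fails is that RSA decryption depends on the arithmetic relation e*d = 1 (mod phi), and XORing the same mask into both exponents does not preserve it. The following is an added example, not code from the digest or from either poster; it uses a constructed toy key pair (p = 61, q = 53, e = 17, so n = 3233 and d = 2753) and a constructed mask Ka = 165 so that every value can be checked by hand, and it counts how many plaintexts the masked pair still decrypts correctly.

```python
"""Why XORing a random mask into RSA exponents breaks the key pair.

Added example, not from the digest.  The key pair is a constructed toy
(p = 61, q = 53, e = 17) and the mask Ka = 165 is likewise constructed.
RSA round-trips only because e*d == 1 (mod phi); XORing Ka into e and d
destroys that relation, so c^d' mod n is almost never m again.
"""
from math import gcd


def toy_keypair(p, q, e):
    """Return (n, e, d) with d = e^-1 mod phi, phi = (p-1)(q-1) (textbook RSA)."""
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be invertible modulo phi"
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return p * q, e, d


def roundtrip(n, e, d, m):
    """Encrypt m with (n, e), decrypt with (n, d); True if m comes back."""
    c = pow(m, e, n)
    return pow(c, d, n) == m


def masked_keys(e, d, ka):
    """The construction from the question: Kp' = Ka XOR Kp, Ks' = Ka XOR Ks."""
    return e ^ ka, d ^ ka


def messages_recovered(p, q, e, ka):
    """Count plaintexts m in [0, n) that survive encrypt/decrypt with the masked pair.

    For the toy parameters and Ka = 165 only m with m mod 61 in {0, 1} and
    m mod 53 in {0, 1} survive, i.e. 4 values out of 3233."""
    n, e, d = toy_keypair(p, q, e)
    e2, d2 = masked_keys(e, d, ka)
    return sum(1 for m in range(n) if roundtrip(n, e2, d2, m))


if __name__ == "__main__":
    n, e, d = toy_keypair(61, 53, 17)          # n = 3233, d = 2753
    e2, d2 = masked_keys(e, d, 165)            # e' = 180, d' = 2660
    print("original pair round-trips m=65:", roundtrip(n, e, d, 65))
    print("masked pair round-trips m=65:", roundtrip(n, e2, d2, 65))
    print("plaintexts the masked pair still recovers out of %d:" % n,
          messages_recovered(61, 53, 17, 165))
```

The masked exponents e' = 180 and d' = 2660 are not inverses modulo anything useful (gcd(180, 3120) is not even 1), which is why only the trivial residues survive; with real-sized keys the surviving set is negligible, matching "this will hardly ever work".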
------------------------------
From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Encryption within newsgroup postings
Date: 24 May 2000 13:16:58 GMT
zapzing <[EMAIL PROTECTED]> wrote:
> In a slightly different vein, have you noticed all the stuff in
> alt.test lately? If that's not encrypted top secret plans to take over
> the world, I'm a monkey's uncle.
Oook.
-- [mdw]
------------------------------
Date: Wed, 24 May 2000 15:34:36 +0200
From: Runu Knips <[EMAIL PROTECTED]>
Subject: Re: Crypto patentability
Mok-Kong Shen wrote:
> Paul Pires wrote:
> > How long do you think that patents have been a part of our legal system?
> > It goes way back to old English law. This is not some new social program
> > that isn't working. This is the culmination of hundreds of years of use. My
>
> Mmh. Sentencing to death has been practiced since before man could
> write anything. Yet in most democratic countries of the world that has
> been eliminated from laws today.
I have to second that. The same is true for slavery, and many other things.
So what? The argument that it has always been that way is simply NO
argument.
------------------------------
Date: Wed, 24 May 2000 15:38:08 +0200
From: Runu Knips <[EMAIL PROTECTED]>
Subject: Re: Asynchronous and simple algorithm
"Gisle Sølensminde" wrote:
> Well, it is in fact _not_ particularly tricky to make a cryptosystem
> without any of these primitives.
But LISP always has lists, which is a totally uncommon feature for
most languages.
------------------------------
From: Anders Rosendal <[EMAIL PROTECTED]>
Subject: Re: Unbreakable encryption.
Date: Wed, 24 May 2000 13:50:42 GMT
[EMAIL PROTECTED] wrote:
> Thank you very much for your response. It seems of all the posts
> I got, yours was the only post that displayed knowledge and insightful
> comments. I find most of the posters here wasting their productivity,
> mainly with flaming. It seems this is more of a
> political arena for them, rather than a place for fruitful discussions.
Just give us some code that encrypts with base 60
plaintext: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
And post the encrypted text. Thank you and looking forward to your reply.
BTW. could you post the sourcecode or port your program to linux?
--
Anders Rosendal
"The box said 'Windows 95 or better', so I installed Linux"
Make software, not war.
------------------------------
From: Anders Rosendal <[EMAIL PROTECTED]>
Subject: Re: Unbreakable encryption.
Date: Wed, 24 May 2000 13:50:42 GMT
[EMAIL PROTECTED] wrote:
> There is a more detailed explanation at http://www.edepot.com/phl.html
> Remember, intractable problem domains like NP HARD are proven
> to be "non-brute-forceable". Base Encryption implements an
> NP HARD intractable problem domain.
Brute force is not the only way to crack something.
--
Anders Rosendal
"The box said 'Windows 95 or better', so I installed Linux"
Make software, not war.
------------------------------
From: Erich Schnoor <[EMAIL PROTECTED]>
Subject: Re: how do you know your decryption worked?
Date: Wed, 24 May 2000 16:08:31 +0200
Carb Unit schrieb:
> .............., and that there are thousands of such formats
> in the world today, what do you do after you run your decryption
> algorithm? Test if it's a GIF?, no?, a ZIP?, no?, a WAV?, etc?
>
> Or is the assumption always that the material is plain text?
>
In good programs the original file name is included in the encrypted
data. Then the decrypted file will get the same name (.txt, .doc, .gif,
.exe, .pdf, etc.)
Best greetings
Erich Schnoor
------------------------------
From: [EMAIL PROTECTED] (Gisle Sølensminde)
Subject: Re: Asynchronous and simple algorithm
Date: 24 May 2000 16:26:24 +0200
In article <[EMAIL PROTECTED]>, Runu Knips wrote:
>"Gisle Sølensminde" wrote:
>> Well, it is in fact _not_ particularly tricky to make a cryptosystem
>> without any of these primitives.
>
>But LISP always has lists, which is a totally uncommon feature for
>most languages.
It would be possible in C by implementing it as a linked list of
pointers, and implementing supporting routines, but it would
certainly not have been a 100-line, 1-hour hack like the lisp
code in my last posting. The point was that you made a bit too
strong a claim.
--
Gisle Sølensminde ( [EMAIL PROTECTED] )
ln -s /dev/null ~/.netscape/cookies
------------------------------
Date: Wed, 24 May 2000 16:27:20 +0200
From: Runu Knips <[EMAIL PROTECTED]>
Subject: Re: Patent busting for AES usage
Sundial Services wrote:
> It seems to me that the Twofish people have the right idea:
> no copyright, no patent, full disclosure.
Yep. The other candidates did, AFAIK, the same. Only RSA/RC6
didn't follow that idea.
> What I mean is... "nobody outside this newsgroup really
> understands :-) crypto."
Ouch. When did you have understand crypto ?
------------------------------
From: Roger Schlafly <[EMAIL PROTECTED]>
Subject: Re: Schnorr patent and DSA
Date: Wed, 24 May 2000 07:59:16 -0700
James Moore wrote:
> Was the question of DSA being covered by the Schnorr patent ever
> resolved? Authoritative references would be appreciated.
>
> The issue was probably beaten to death way back in 1994-95... I'm
> still tryin' to get caught up :) Following is a passage from a CSL
> Bulletin on NIST's website (http://csrc.nist.gov/nistbul/csl94-11.txt)
> that summarizes the question. My understanding is that all of the
> patents in question have expired except the Schnorr patent.
Yes, it was established that the Schnorr patent does not cover DSA.
Schnorr turned over the patent rights to Public Key Partners,
and later to RSA Data Security. The subject was litigated,
and they renounced any patent coverage in court.
------------------------------
From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: Another possible 3DES mode.
Date: 24 May 2000 08:15:04 -0700
In article <8gfo3a$l88$[EMAIL PROTECTED]>, zapzing <[EMAIL PROTECTED]> wrote:
> In the faq, the following idea was
> suggested as a way of accomplishing
> 3DES on an enlarged block:
>
> F(x)=Tran(E(k1,Tran(E(k2,Tran(E(k3,Tran(x)))))))
I believe there are weaknesses in this -- Paul Crowley found
an especially pretty attack -- and I do not recommend its use.
See http://www.hedonism.demon.co.uk/paul/crypto/dtdtd.html.
------------------------------
From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: Chosen Plaintext Attack
Date: 24 May 2000 08:35:03 -0700
In article <[EMAIL PROTECTED]>,
Raphael Phan Chung Wei <[EMAIL PROTECTED]> wrote:
> If we have a 10-round differential of prob. 2^-15.... how do we make use
> of this to break the cipher?
This is the point where it is probably best to refer you to
Biham and Shamir's book, Differential Cryptanalysis of the Data
Encryption Standard, which gives all the gory details.
------------------------------
From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: safer style sboxes
Date: 24 May 2000 08:44:12 -0700
In article <[EMAIL PROTECTED]>,
Mark Wooding <[EMAIL PROTECTED]> wrote:
> Does anyone have any analysis of Rijndael which actually depends
> strongly on the S-box used?
As the designers say in their submission document, if the affine layer
were omitted from the S-box (so that one just used inversion in GF(2^8)
as the S-box), the resulting algebraic structure would be problematic.
In particular, it might allow interpolation attacks, where you write
the whole cipher as a polynomial over GF(2^8) and then use known texts
to interpolate the polynomial. The affine transformation over GF(2)
destroys the GF(2^8) structure (as far as I know), so this is an example
of where changing the S-box can apparently cause serious damage.
------------------------------
From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: safer style sboxes
Date: 24 May 2000 15:59:10 GMT
David A. Wagner <[EMAIL PROTECTED]> wrote:
> As the designers say in their submission document, if the affine layer
> were omitted from the S-box (so that one just used inversion in
> GF(2^8) as the S-box), the resulting algebraic structure would be
> problematic.
Thanks, David -- I'd forgotten that bit of the paper ;-).
I don't think that this affects the main thrust of my argument, which
was that Rijndael doesn't depend greatly on its S-box for its security.
-- [mdw]
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: safer style sboxes
Date: Wed, 24 May 2000 15:51:28 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (Mark Wooding) wrote:
> tomstd <[EMAIL PROTECTED]> wrote:
>
> > I am working on ideal 8x8 sboxes (with an inverse). I will post later
> > when I find one.
>
> I think that the point is the search is unnecessary. If you make sure
> that enough averagely-good S-boxes are active at any given time, then
> your cipher is strong anyway.
>
> Note that improving the S-boxes' linear and differential properties
> gives you only a polynomial improvement in resistance, but increasing the
> number of active S-boxes is an *exponential* improvement.
>
> Let's take one of your 8/256 = 2^-5 probability S-boxes. If I can
> string 12 of these into a differential characteristic, I can break your
> cipher in fewer than 2^64 chosen plaintexts. If your diffusion layers
> are poor, that could mean breaking 12 rounds. Whereas if I use S-boxes
> with poorer characteristics (because I don't care much, or want to avoid
> putting too much structure in them) -- say the best differential has
> probability 2^-4 -- but I design my cipher so that any three-round
> characteristic has at least 6 active S-boxes then three rounds are
> resistant to differential cryptanalysis.
How exactly do you calculate the DP given a probability 'p' and 'n'
active sboxes?
Thanks,
Tom
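The arithmetic behind Mark Wooding's comparison (2^-5 per S-box times 12 active S-boxes versus 2^-4 times 6) and Tom's question about computing the differential probability from p and n is the same: under the usual assumption that the rounds act independently, a characteristic through n active S-boxes each holding with probability p has probability p^n, and the attacker needs on the order of 1/p^n chosen plaintexts. The following is an added example, not code from the digest or from either poster; it computes p for a concrete S-box from its difference distribution table (the 4-bit PRESENT S-box is used only as a small, well-known input) and then evaluates the two designs discussed in the thread.

```python
"""Differential probability of a characteristic from per-S-box probability.

Added example (not code from the digest).  best_differential_prob() derives
the 'p' of the thread from an S-box's difference distribution table (DDT),
characteristic_prob() applies the p^n rule for n active S-boxes, and
chosen_plaintexts_needed() gives the resulting data complexity as log2.
The PRESENT S-box is a public 4-bit constant used only as a worked input.
"""
import math

# PRESENT's 4-bit S-box (public constant), used as a small worked input.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def ddt(sbox):
    """Difference distribution table: ddt[din][dout] = #{x : S(x) ^ S(x ^ din) == dout}."""
    size = len(sbox)
    table = [[0] * size for _ in range(size)]
    for x in range(size):
        for din in range(size):
            dout = sbox[x] ^ sbox[x ^ din]
            table[din][dout] += 1
    return table


def best_differential_prob(sbox):
    """Largest DDT entry over non-zero input differences, divided by the input count.

    This is the thread's 'p': an 8-bit S-box whose largest entry is 8 has
    p = 8/256 = 2^-5.  The din = 0 row is skipped because it is trivially
    all-in-one-cell."""
    table = ddt(sbox)
    best = max(max(row) for row in table[1:])
    return best / len(sbox)


def characteristic_prob(p, n_active):
    """Probability of a characteristic with n_active S-boxes of probability p,
    assuming the rounds are independent (the standard Markov-cipher approximation)."""
    return p ** n_active


def chosen_plaintexts_needed(p, n_active):
    """Rough data complexity, as log2: about 1/P chosen plaintexts where
    P is the characteristic probability."""
    return -math.log2(characteristic_prob(p, n_active))


if __name__ == "__main__":
    print("best p for the PRESENT S-box:", best_differential_prob(PRESENT_SBOX))
    print("12 active S-boxes at 2^-5: needs about 2^%d texts"
          % chosen_plaintexts_needed(2 ** -5, 12))
    print("6 active S-boxes at 2^-4 (three rounds): characteristic 2^-%d"
          % chosen_plaintexts_needed(2 ** -4, 6))
```

Reading the output against the thread: twelve S-boxes at 2^-5 give a 2^-60 characteristic, i.e. below the 2^64 budget Mark mentions, while six weaker 2^-4 S-boxes per three rounds give 2^-24 per three rounds, so the bound improves exponentially with the round count rather than with S-box quality.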
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Observation of Matsui's Sboxes
Date: Wed, 24 May 2000 15:52:09 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (Mark Wooding) wrote:
> tomstd <[EMAIL PROTECTED]> wrote:
>
> > If the A() function you sent is the sbox, then it's flawed, no
> > matter what transform you do before/after.
>
> No. S(x) = A(I(x)). The affine transformation A is applied after the
> inversion I. Read what I said.
Neither A nor I follows SAC, so would S?
Tom
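Both the "flipping x_1 does not affect the last row" observation about A and Tom's question of whether S = A(I(x)) follows the strict avalanche criterion (SAC) can be checked directly. The following is an added example, not code from the digest or from the Rijndael authors; it builds the Rijndael S-box as the composition Mark describes, with I the inverse in GF(2^8) modulo the Rijndael polynomial 0x11B and A the standard affine map, and then measures, for each (input bit, output bit) pair, how often flipping the input bit flips the output bit over all 256 inputs. SAC holds exactly when every such frequency is 1/2.

```python
"""Rijndael S-box as S(x) = A(I(x)), with a strict-avalanche (SAC) check.

Added example, not from the digest.  I is inversion in GF(2^8) modulo
x^8 + x^4 + x^3 + x + 1 (0x11B) with I(0) = 0; A is the Rijndael affine map
b = a ^ rotl(a,1) ^ rotl(a,2) ^ rotl(a,3) ^ rotl(a,4) ^ 0x63.
sac_table(f)[i][j] is the fraction of inputs x for which flipping bit i of
x flips bit j of f(x); SAC means every entry equals 1/2.
"""


def gf_mul(a, b):
    """Multiply in GF(2^8) with the Rijndael reduction polynomial 0x11B."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def gf_inv(x):
    """I(x): multiplicative inverse computed as x^254; I(0) is defined as 0."""
    result, base, exp = 1, x, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result if x else 0


def rotl8(v, r):
    return ((v << r) | (v >> (8 - r))) & 0xFF


def affine(a):
    """A(a): the GF(2)-affine layer of the Rijndael S-box."""
    return a ^ rotl8(a, 1) ^ rotl8(a, 2) ^ rotl8(a, 3) ^ rotl8(a, 4) ^ 0x63


def sbox(x):
    """S(x) = A(I(x)): affine map applied after the inversion."""
    return affine(gf_inv(x))


def sac_table(f):
    """sac[i][j] = P[bit j of f(x) flips | bit i of x flipped], over all 256 x."""
    counts = [[0] * 8 for _ in range(8)]
    for i in range(8):
        for x in range(256):
            diff = f(x) ^ f(x ^ (1 << i))
            for j in range(8):
                if (diff >> j) & 1:
                    counts[i][j] += 1
    return [[c / 256 for c in row] for row in counts]


def max_sac_deviation(f):
    """Largest |entry - 1/2| in the SAC table; 0 would mean SAC holds exactly."""
    return max(abs(p - 0.5) for row in sac_table(f) for p in row)


def bits_flipped_by_affine(i):
    """A is affine, so A(x ^ e_i) ^ A(x) is the fixed column i of its matrix,
    whatever x is.  Returns that column's Hamming weight."""
    return bin(affine(1 << i) ^ affine(0)).count("1")


if __name__ == "__main__":
    print("S(0x00)=%02x S(0x01)=%02x S(0x53)=%02x" % (sbox(0), sbox(1), sbox(0x53)))
    for name, f in (("I", gf_inv), ("A", affine), ("S", sbox)):
        print(name, "max SAC deviation:", max_sac_deviation(f))
    print("output bits flipped by A per input bit:",
          [bits_flipped_by_affine(i) for i in range(8)])
```

For A alone every SAC entry is exactly 0 or 1 (deviation 0.5): a single input-bit flip always flips the same five output bits and never the other three, which is the row structure Tom noticed. For I alone and for the composed S the entries are close to, but not exactly, 1/2, so neither satisfies SAC strictly, and the composition does not repair that; what A contributes is the removal of the GF(2^8) algebraic structure that David Wagner mentions, not avalanche.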
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Retail distributors of DES chips?
Date: Wed, 24 May 2000 15:54:45 GMT
In article <8gf9eu$9sb$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (Paul Rubin) wrote:
> In article <8gf5j2$8ui$[EMAIL PROTECTED]>, zapzing <zapzing@my-deja.com> wrote:
> >Well, one of the things I have been considering is the possibility of
> >malicious software. That's why I was considering using a chip. That
> >way there is absolutely no possibility that anything will be placed
> >in any subliminal channels.
>
> DES is a block cipher, a one-to-one, invertible mapping between plaintext
> and ciphertext. It can't and doesn't have subliminal channels. Maybe
> you're thinking of DSA. For DSA, a hardware implementation would be
> *more* susceptible to subliminal channels than a software implementation,
> assuming you had source code for the software that you could inspect.
That's not true. This cipher could simply be
Ek(P) = P xor K
unless you test it.
Tom
------------------------------
From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Chosen Plaintext Attack
Date: 24 May 2000 16:00:47 GMT
David A. Wagner <[EMAIL PROTECTED]> wrote:
> This is the point where it is probably best to refer you to Biham and
> Shamir's book, Differential Cryptanalysis of the Data Encryption
> Standard, which gives all the gory details.
This is now out of print (at least, according to Amazon it is). Where
could I get a copy from?
-- [mdw]
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************