Cryptography-Digest Digest #101, Volume #12 Sat, 24 Jun 00 22:13:01 EDT
Contents:
Re: Try it. (JimD)
Re: Try it. (JimD)
Re: Variability of chaining modes of block ciphers (Mark Wooding)
Re: Compression & Encryption in FISHYLAND (Joaquim Southby)
Re: Twofish Idea ("Paulo S. L. M. Barreto")
"And the survey says" ("Paul Pires")
Re: Was "And the survey says" Is, I'm a fool. ("Paul Pires")
Re: How Close? (Future Beacon)
Re: Try it. (Boris Kazak)
Re: How Close? (tomstd)
Re: How Close? (Future Beacon)
Yet another cool cipher (tomstd)
Re: does 3des use only keys? (David A. Wagner)
Re: Compression & Encryption in FISHYLAND (zapzing)
Re: Compression & Encryption in FISHYLAND (Johnny Bravo)
Re: Compression & Encryption in FISHYLAND (tomstd)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (JimD)
Subject: Re: Try it.
Date: Sat, 24 Jun 2000 17:35:34 GMT
Reply-To: JimD
On Fri, 23 Jun 2000 20:29:50 -0400, "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
wrote:
>"Trevor L. Jackson, III" wrote:
>
>>
>> Le plus ce change, le plus c'est le meme chose.
>>
>
>It has been pointed out to me that I no longer speak French in any meaningful
>way. Apologies to any offended francophiles.
Le plus ça change.....le plus c'est la même chose.
--
Jim Dunnett.
g4rga at thersgb.net
------------------------------
From: [EMAIL PROTECTED] (JimD)
Subject: Re: Try it.
Date: Sat, 24 Jun 2000 17:35:37 GMT
Reply-To: JimD
On Sat, 24 Jun 2000 04:11:58 GMT, Boris Kazak <[EMAIL PROTECTED]> wrote:
>"Paris, ca vaut la messe!!"
>����� ����� ������!!
>Paris is worth a cermon!!
It's 'sermon'.
What's the second line?
--
Jim Dunnett.
g4rga at thersgb.net
------------------------------
From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: Variability of chaining modes of block ciphers
Date: 24 Jun 2000 18:40:20 GMT
Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> O.k. We could discuss that. Please give your arguments. (Note that
> this issue is independent of the issue of whether chaining only adds
> a couple of bits to the key space.)
No. Just using *a* chaining mode doesn't affect the key space at all.
Using a secretly chosen chaining mode will add a few effective key
bits.
> (I could have instead given an example like this: My boss, who happens
> to be a friend of an amateur crypto designer, insists on using and
> buying the software developed by the latter, the security of which I
> am however not very sure. Do you find this version of an example
> better for you?)
Not really. Either explain to your boss that he needs to get a clue
from somewhere, or find a different boss.
> > > But something better IS anyway better than without that something,
> > > isn't it?
> >
> > No. Bad cryptography is worse than no cryptography at all, to someone
> > who can't tell the difference, because it is given trust.
>
> We are using chaining, so to say, on top of a given encryption algorithm.
> So, what does your 'bad cryptography' mean in the present context?
It's a counterexample to the quoted assertion, nothing more.
> > > Why should one close one's eyes and forego a chance simply because
> > > that chance is not very attractively big?
> >
> > I'm not suggesting doing anything blindly. I'm suggesting choosing a
> > cipher to do the job of a cipher, which is to encrypt data strongly, and
> > a chaining mode to do the job of a chaining mode, which is to hide the
> > block structure of a block cipher.
>
> Did I EVER suggest 'doing chaining blindly' in my original post?
No. You were suggesting I was closing my eyes.
> O.k. Suppose that the best cipher you could manage to get is not
> good enough, but almost. Suppose adding the strength due to chaining
> renders it above the capability of the opponent. Would you care to use
> chaining in this situation or not?
I'm disputing whether this situation can happen at all! It calls for an
impractically fine judgement of the adversary's capabilities.
> > By the way, I suspect that I can identify most simple chaining modes
> > using some extremely simple chosen plaintext queries.
>
> The purpose of my original post is to elicit more discussions on
> chaining. I should therefore appreciate your presenting your
> techniques. It doesn't matter if these are not yet fully developed
> ideas. We could discuss nonetheless.
Try thinking.
-- [mdw]
------------------------------
From: Joaquim Southby <[EMAIL PROTECTED]>
Subject: Re: Compression & Encryption in FISHYLAND
Date: 24 Jun 2000 19:23:51 GMT
In article <8j0ui2$sf1$[EMAIL PROTECTED]> zapzing, [EMAIL PROTECTED]
writes:
>I have a wonderful idea! Let's just compress
>all messages of the form "you are a
>presumptuous bastard" and/or "you are an
>ignorant foolish jerk" etc. to the small
>case letter z!
>
An interesting and novel proposition. However, given your username,
wouldn't that get you into a lot of unwanted confrontations? (Example
email to the Queen: Your Majesty, my name is (you presumptuous
asshole)ap(filthy, scumsucking cack weasel)ing...) I would also think
that messages from or about you, Zoe, Zorro, Scuzzlebutt, Azazel, etc.,
would cause in the reader a form of Tourette's Syndrome.
------------------------------
Date: Sat, 24 Jun 2000 17:13:55 -0300
From: "Paulo S. L. M. Barreto" <[EMAIL PROTECTED]>
Subject: Re: Twofish Idea
tomstd wrote:
> Ideally they should have used a 8x8 MDS and 8 unique sboxes.
> This could be precomputed as eight 8x64 sboxes and xor them
> together. This would increase the memory and execution time,
> but have a more ideal data path.
>
> This is purely speculative, just my two cents worth.
To be sure, this is not purely speculative. The Shark cipher (the grandfather of
Rijndael) does use an 8x8 linear mixing layer based on an MDS code; this
boosts diffusion because the branch number is now 9 instead of 5, and it makes
the Square attack considerably more difficult (the original 6-round attack on
Square only works against 3 rounds of Shark; I conjecture the partial sum
attack can be applied to 5 rounds at most -- perhaps David Wagner could shed
more light on this issue with his own estimate, if he reads this article).
This idea could be easily extended to a 16x16 MDS matrix. The problem is, the
LUT implementation commonly used on 32-bit and 64-bit platforms suffers from
the huge tables needed (2x16x16x256 = 128 Kbytes).
Paulo Barreto.
------------------------------
From: "Paul Pires" <[EMAIL PROTECTED]>
Subject: "And the survey says"
Date: Sat, 24 Jun 2000 14:44:02 -0700
Care to indulge in an experiment?
I wanted some input on something that has been bothering me for a while. Some
old hands in here seem to be coming from a particular viewpoint that modern
symmetric ciphers contain all of the cryptographic art that could be
desired. To my knowledge, that viewpoint has never been stated. I was
wondering if a tabulation of viewpoints might be useful.
What would be the attributes of an "Ultimate" symmetric cipher and how do
the various approaches compare to this yardstick? Notice, I said Attributes.
Is it possible to describe the cage that this beast lives in and therefore
understand the beast itself? Other disciplines pursue design by first
defining the constraints and required degrees of freedom required of a
solution. Would this approach have benefit here?
Quite often the discussions revolve around the relative merits or theory behind an
approach and dissolve off into the discussion of minutia not relevant to the
issue of "Does it do what it's supposed to?".
This discussion could only be useful if a practical scope was determined.
Obviously, 64Kb keys and 1024 rounds could be seen as "conservative" but
could hardly be considered efficient. Rational constraints should eliminate
these as being irrelevant.
So, what would be some of the constraints?
------------------------------
From: "Paul Pires" <[EMAIL PROTECTED]>
Subject: Re: Was "And the survey says" Is, I'm a fool.
Date: Sat, 24 Jun 2000 14:48:30 -0700
Please excuse the previous half-formed post. I often contemplate posting
something as a way to get my thoughts in order. I save these and revisit and,
if I think it wise, I post. Now I know why this is not a good idea. The save
button is too close to the send button on my browser.
Paul
------------------------------
From: Future Beacon <[EMAIL PROTECTED]>
Subject: Re: How Close?
Date: Sat, 24 Jun 2000 17:59:46 -0400
On Sat, 24 Jun 2000, Scott Nelson wrote:
> On Sat, 24 Jun 2000 Future Beacon <[EMAIL PROTECTED]> wrote:
>
> >
> >
> >How random do you think these numbers are:
> >
> >Large files of equal size A, B, and C are composed of the
> >least significant two bits of bytes found in news group messages
> >(excluding headers, carriage returns, line feeds, and spaces).
> >In each case, these bits are strung together, four pairs per byte
> >in these files. At least three quarters of the original data is
> >not used. Let's assume that the files are over a megabyte in size.
> >
> A quick check shows a significant bias in favor of 01, and against 11.
> If we pretend that the bits are independent, then there's a bias
> toward 1.
>
> >Then, file B is divided into two files (BP and BQ) this way: If the
> >first bit in A is a 0, then the first bit in B becomes the first bit
> >in BP. If the first bit in A is a 1, the first bit in B becomes the
> >first bit in BQ. Each next bit in A determines whether the next bit
> >in B becomes the next bit in BP or BQ. When the bits of A and B are
> >exhausted, BQ is appended to BP and the resultant file is called RAND.
> >
> >How random is RAND?
> >
> That procedure will not change the ratio of 1's to 0's.
> The resultant file will still be biased.
> It may also introduce new correlations, but it probably
> doesn't make it any worse than it was originally.
>
> There was little point in creating the file C,
> since it's not used in the procedure.
> This suggests that the procedure as outlined was not
> what you intended. I recommend re-reading your post,
> then re-writing it, and then submitting it to
> the more appropriate sci.crypt.random-numbers
>
> Scott Nelson <[EMAIL PROTECTED]>
>
Scott,
Thank you for this reply and thank you for informing me of
sci.crypt.random-numbers. I was unaware of it.
The inclusion of the file C was simply a mistake.
My question is how random is RAND? Actually, I would really like to
know how random the original files A and B are. It seems to me that
the last two bits of each byte from the bytes described above are
not too orderly (even if they come from a lot more e's than z's).
I'm not asking whether these files are absolutely random, but how
random (if randomness has degrees).
I have been reading from this news group for a long time. There are
people here I would listen to, but I will also get familiar with the
random numbers group.
Thank you for your help.
Jim Trek
Future Beacon Technology
http://eznet.net/~progress
[EMAIL PROTECTED]
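As an added illustration (not part of the thread), the Python below carries out the A/B split Jim describes on constructed sample text and checks Scott's observation that RAND is only a rearrangement of B's bits, so the 1:0 ratio and any bias in the low two bits survive untouched. The two message bodies are constructed here, not taken from any newsgroup.

```python
# Added example (not from the thread): the "RAND" construction described
# above, run on constructed sample text, to check the claim that routing
# B's bits into BP/BQ under A's control only permutes them and therefore
# cannot change the ratio of ones to zeros.
from collections import Counter

SKIP = {0x0D, 0x0A, 0x20}  # carriage return, line feed, space are excluded


def low_two_bits(body: bytes) -> list[int]:
    """Least significant two bits of each byte, skipping CR, LF and space."""
    return [b & 0x3 for b in body if b not in SKIP]


def pairs_to_bits(pairs: list[int]) -> list[int]:
    """Expand the 2-bit values into a bit string, high bit first."""
    return [bit for p in pairs for bit in ((p >> 1) & 1, p & 1)]


def dibit_counts(body: bytes) -> Counter:
    """Histogram of the four possible low-bit pairs 00, 01, 10, 11 (as 0..3)."""
    return Counter(low_two_bits(body))


def ones_fraction(bits: list[int]) -> float:
    return sum(bits) / len(bits)


def split_by_selector(a: list[int], b: list[int]) -> list[int]:
    """Each bit of A routes the matching bit of B to BP (A=0) or BQ (A=1);
    RAND is BP followed by BQ."""
    bp, bq = [], []
    for sel, bit in zip(a, b):
        (bq if sel else bp).append(bit)
    return bp + bq


def build_rand(text_a: bytes, text_b: bytes):
    a = pairs_to_bits(low_two_bits(text_a))
    b = pairs_to_bits(low_two_bits(text_b))
    n = min(len(a), len(b))  # the post assumes A and B are of equal size
    a, b = a[:n], b[:n]
    return a, b, split_by_selector(a, b)


# Constructed stand-ins for two message bodies (headers already stripped).
SAMPLE_A = b"Bad cryptography is worse than no cryptography at all,\nto someone who cannot tell the difference."
SAMPLE_B = b"Choose a cipher to encrypt strongly and a chaining mode\nto hide the block structure of the cipher."

if __name__ == "__main__":
    a, b, rand = build_rand(SAMPLE_A, SAMPLE_B)
    print("dibit histogram of B's source text:", sorted(dibit_counts(SAMPLE_B).items()))
    print(f"fraction of ones in B:    {ones_fraction(b):.3f}")
    print(f"fraction of ones in RAND: {ones_fraction(rand):.3f}")
    print("RAND is a permutation of B's bits:", sorted(rand) == sorted(b))
```

The histogram makes the uneven spread over the four dibits visible on any English text, and the two fractions are always identical, which is the whole of Scott's point.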
------------------------------
From: Boris Kazak <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Try it.
Date: Sat, 24 Jun 2000 22:36:19 GMT
JimD wrote:
>
> On Sat, 24 Jun 2000 04:11:58 GMT, Boris Kazak <[EMAIL PROTECTED]> wrote:
>
> >"Paris, ca vaut la messe!!"
> >����� ����� ������!!
> >Paris is worth a cermon!!
>
> It's 'sermon'.
>
> What's the second line?
Russian, Win-1251 encoding.
Best wishes BNK
>
> --
> Jim Dunnett.
>
> g4rga at thersgb.net
------------------------------
Subject: Re: How Close?
From: tomstd <[EMAIL PROTECTED]>
Date: Sat, 24 Jun 2000 16:09:06 -0700
Future Beacon <[EMAIL PROTECTED]> wrote:
>Scott,
>
>Thank you for this reply and thank you for informing me of
>sci.crypt.random-numbers. I was unaware of it.
It's not on remarq or deja yet so I doubt it's really that
popular.
>The inclusion of the file C was simply a mistake.
>
>My question is how random is RAND? Actually, I would really like to
>know how random the original files A and B are. It seems to me that
>the last two bits of each byte from the bytes described above are
>not too orderly (even if they come from a lot more e's than z's).
>I'm not asking whether these files are absolutely random, but how
>random (if randomness has degrees).
Maybe you should actually read his post. The lower two bits are
NOT RANDOM AT ALL, which renders them useless for your purpose,
unless you want non-random bits.
>I have been reading from this news group for a long time. There are
>people here I would listen to, but I will also get familiar with the
>random numbers group.
This group is pretty cool, got lots of wickedly smart people
(Mark, David, Don, etc...). Stick around, you will enjoy it.
Tom
Got questions? Get answers over the phone at Keen.com.
Up to 100 minutes free!
http://www.keen.com
------------------------------
From: Future Beacon <[EMAIL PROTECTED]>
Subject: Re: How Close?
Date: Sat, 24 Jun 2000 19:12:14 -0400
Tom,
Thank you for this message:
On Sat, 24 Jun 2000, tomstd wrote:
> Future Beacon <[EMAIL PROTECTED]> wrote:
> >
> >
> >How random do you think these numbers are:
> >
> >Large files of equal size A, B, and C are composed of the
> >least significant two bits of bytes found in news group messages
> >(excluding headers, carriage returns, line feeds, and spaces).
> >In each case, these bits are strung together, four pairs per
> >byte in these files. At least three quarters of the original
> >data is not used. Let's assume that the files are over a
> >megabyte in size.
I apologize for defining the file C which was not used. It was
simply a mistake.
> >Then, file B is divided into two files (BP and BQ) this way:
> >If the first bit in A is a 0, then the first bit in B becomes
> >the first bit in BP. If the first bit in A is a 1, the first
> >bit in B becomes the first bit in BQ. Each next bit in A
> >determines whether the next bit in B becomes the next bit in
> >BP or BQ. When the bits of A and B are exhausted, BQ is appended
> >to BP and the resultant file is called RAND.
> >
> >How random is RAND?
>
> ..... First off anyone can calculate this.
The use of this that I intend would not disclose file A or file B.
The cryptanalyst may be able to discern RAND, but that would be hard
if RAND is very random. My question is not whether RAND is random,
but how random is RAND.
Thank you for your help.
Jim Trek
Future Beacon Technology
http://eznet.net/~progress
[EMAIL PROTECTED]
------------------------------
Subject: Yet another cool cipher
From: tomstd <[EMAIL PROTECTED]>
Date: Sat, 24 Jun 2000 16:21:34 -0700
I modified my TC5 block cipher to use less stack memory and
optimized the code a bit. It's a really slow cipher at about
7 Mbit/sec on my K6-350, but it has some theoretical merit.
The idea of TC5 is to repeatedly use Feistel Structures which
are easy to analyze with typical statistical attacks. It's a
128-bit block cipher so the first Feistel used is the 128-bit
one. It then passes one half of the input onto a 64-bit four-round
Feistel, which uses a four-round 32-bit Feistel and
finally an eight-round 16-bit Feistel.
From the ground up we can begin to try and attack the 16-bit
Feistel. It uses an 8x8 sbox which has an LPmax of 16 and a DPmax
of 4. It has a low nonlinear order of 2, which means in reality
16 rounds (2^16 == impossible to exploit) are required to make
the 16-bit Feistel secure against interpolation attacks.
Vaguely I have tried to use addition as the round mixer operator
(instead of xor) to help.... For right now I don't get the
definition of "nonlinear order" so I will ignore it. I use 8
rounds because of the higher DPmax value. I have yet to actually
calculate some differentials (I know I have to do my homework...)
but I feel 8 rounds should pretty much cancel anything
out. (I will write an appropriate program tomorrow.)
In the 16-bit Feistel 8 key bytes are used. In the 32-bit
Feistel 32 bytes are used (4*8). Assuming all of the key bytes
are independent, each round of the 32-bit Feistel should be
independent. Assuming that the 16-bit Feistel is secure (i.e. a
secure sbox), the 32-bit Feistel should be secure as well... all
the way up. All in all 512 bytes are used in the 128-bit block
cipher. I made a very simple cryptographic key schedule that
takes keys from 1 to 32 bytes.
Tomorrow I will calc all high-probability differentials of the 16-bit
Feistel (well, as many rounds as possible) and post a good summary
of the algorithm.
I was just looking for some comments on the design and possible
technical corrections where necessary. One question is, given
the key schedule, the possibility of exploiting the cipher in a
particular direction (based on the "encrypt the round keys"
idea). For example, the last set of round key bytes may be less
dependent on the others than appropriate... etc..
The cipher is at
http://www.geocities.com/tomstdenis/
And is called "TC5a" (near the bottom of the page).
Please let me know what you think.
Tom
------------------------------
From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: does 3des use only keys?
Date: 24 Jun 2000 16:25:36 -0700
In article <[EMAIL PROTECTED]>, Runu Knips <[EMAIL PROTECTED]> wrote:
> And yes, one could use 3 different keys, but that's useless because at
> the moment 112 bits is as unbreakable as 168 bits.
But exhaustive keysearch is not the best attack on 2-key 3-des, so
the keylength is the wrong measure. If you take into account those
attacks, and if you are very conservative, you might indeed find 2-key
3-des insufficient and thus be motivated to use 3-key 3-des.
In any case, 3-key 3-des is no slower (and no weaker) than 2-key 3-des,
so I see no reason to use the 2-key variant, and every reason to use
the 3-key version.
------------------------------
From: zapzing <[EMAIL PROTECTED]>
Subject: Re: Compression & Encryption in FISHYLAND
Date: Sun, 25 Jun 2000 01:07:23 GMT
In article <8j31s7$t63$[EMAIL PROTECTED]>,
Joaquim Southby <[EMAIL PROTECTED]> wrote:
> In article <8j0ui2$sf1$[EMAIL PROTECTED]> zapzing, [EMAIL PROTECTED]
> writes:
> >I have a wonderful idea! Let's just compress
> >all messages of the form "you are a
> >presumptuous bastard" and/or "you are an
> >ignorant foolish jerk" etc. to the small
> >case letter z!
> >
> An interesting and novel proposition. However, given your username,
> wouldn't that get you into a lot of unwanted confrontations? (Example
> email to the Queen: Your Majesty, my name is (you presumptuous
> asshole)ap(filthy, scumsucking cack weasel)ing...) I would also think
> that messages from or about you, Zoe, Zorro, Scuzzlebutt, Azazel, etc.,
> would cause in the reader a form of Tourette's Syndrome.
I guess you don't think much of the dear
recently departed Japanese Prime Minister
Takeshita, then, do you?
--
If you know about a retail source of
inexpensive DES chips, please let
me know, thanks.
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: Johnny Bravo <[EMAIL PROTECTED]>
Subject: Re: Compression & Encryption in FISHYLAND
Date: Sat, 24 Jun 2000 21:34:54 -0400
On Fri, 23 Jun 2000 19:09:34 -0700, tomstd
<[EMAIL PROTECTED]> wrote:
>BTW Don't PGP sign all your messages. a) WASTE OF SPACE b)
>Don't check anyways.
I'm sorry, I didn't realize that you and I were the entire USENET
community and you are the one in charge of both of us. If a third
user should actually join USENET, will you be in charge of them as
well?
--
Best Wishes,
Johnny Bravo
"The most merciful thing in the world, I think, is the inability
of the human mind to correlate all its contents." - HPL
------------------------------
Subject: Re: Compression & Encryption in FISHYLAND
From: tomstd <[EMAIL PROTECTED]>
Date: Sat, 24 Jun 2000 18:57:21 -0700
Johnny Bravo <[EMAIL PROTECTED]> wrote:
>On Fri, 23 Jun 2000 19:09:34 -0700, tomstd
><[EMAIL PROTECTED]> wrote:
>
>>BTW Don't PGP sign all your messages. a) WASTE OF SPACE b)
>>Don't check anyways.
>
> I'm sorry, I didn't realize that you and I were the entire USENET
>community and you are the one in charge of both of us. If a third
>user should actually join USENET, will you be in charge of them as
>well?
I hope I didn't sound like I was ordering him. Just let me
attach the following to all my messages.
---POINTLESSWASTEOFSPACE
---ENDOFPOINTLESSWASTEOFSPACE
Tom
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************