Cryptography-Digest Digest #778, Volume #12 Tue, 26 Sep 00 13:13:01 EDT
Contents:
Re: On block encrpytion processing with intermediate permutations (Tom St Denis)
Re: What make a cipher resistent to Differential Cryptanalysis? (Tom St Denis)
Re: continuous functions and differential cryptanalysis (Tom St Denis)
Re: Encryption Project (pink aka Chr. Boesgaard)
Re: Tying Up Loose Ends - Correction (Tim Tyler)
Re: Test for weak keys in 3DES (Paul Schlyter)
Re: continuous functions and differential cryptanalysis (Tim Tyler)
Re: Question on biases in random numbers & decompression (Tim Tyler)
Re: Question on biases in random-numbers & decompression (Tim Tyler)
Re: Question on biases in random-numbers & decompression ("D.A.Kopf")
Re: A New (?) Use for Chi (John Savard)
DES ([EMAIL PROTECTED])
Re: Test for weak keys in 3DES ("kihdip")
Re: continuous functions and differential cryptanalysis (Mika R S Kojo)
Re: Why is TwoFish better than Blowfish? (Eric Lee Green)
Re: DES ("Martin Wolters")
Re: continuous functions and differential cryptanalysis ("Scott Fluhrer")
Re: Again a topic of disappearing e-mail? ("David C. Barber")
----------------------------------------------------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: On block encrpytion processing with intermediate permutations
Date: Tue, 26 Sep 2000 10:56:05 GMT
In article <[EMAIL PROTECTED]>,
Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>
>
> Bryan Olson wrote:
> >
>
> > Tom is right; the diffusion is obviously terrible.
> > Here's a first-cut at an attack strategy:
> >
> > In a typical Fiestel cipher one might have 16 rounds
> > or 8 round-pairs. Let's use chosen messages of about a
> > thousand blocks. We introduce differential pairs in
> > which only one block input differs. There probably
> > exists a left half-block for which any input
> > differential survives to become an output differential.
> > That happens if at each of the seven between-round
> > permutations the differential goes into a left block
> > and the right blocks are still constant.
> >
> > We can easilly detect the case when it happens; the
> > differential put into the left half of input block
> > 'i', appears as the differential comming out of the
> > left half of ouput block 'j'. Now we can put
> > differntial pairs into the right half of i, holding
> > everything else constant, and the differential that
> > comes out in the left half of j is exactly the
> > differential from the right half of i going through
> > the f function in the first round. For most Feistel
> > ciphers that will expose the first round-key, and
> > allow us to push to the next round.
> >
> > There are other opportunities to extract information
> > based on the poor diffusion. As a rule of thumb,
> > letting information out from intermediate rounds is
> > extremely dangerous.
>
> Suppose each half is a word (e.g. DES), the permutation
> is rendering each one of them to go to a different
> location that is unknown to the opponent. I don't yet
> see how he can 'follow' the individual halves as they
> get processed in the different cycles in order to be
> able to exploit differentials etc. He has a moving
> target, so to say, and the motion is invisible.
That's just it. If the blocks diffuse poorly things like differential
cryptanalysis will work. I can send a huge msg in with specific
differences. Then I watch to see which output halves have the required
difference. Then I can guess which are involved...While this is not a
concrete attack if you only use say 2-round DES in each step the
differences will propagate for sure.
Tom
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: What make a cipher resistent to Differential Cryptanalysis?
Date: Tue, 26 Sep 2000 10:59:47 GMT
In article <[EMAIL PROTECTED]>,
Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>
>
> Tom St Denis wrote:
> >
>
> > Ah, but something can be pratically random. Take the output of say
RC4
> > that is hashed (gather 30 bytes then hash it via SHA-1, etc...) I
would
> > bet 10 bucks that without knowing the RC4 seed you couldn't guess
the
> > output better then 1/2.
> >
> > Make the RC4 seed 256 bits long ... and voila.
> >
> > Of course how do you make a random RC4 seed? recursive problem...
>
> I am really confused. Aren't we discussing the 'ideal'
> OTP that requires (theoretical) perfect randomness
> all the time? Why here 'practical' randomness at all??
That's just it. If you can't practically guess the output, isn't it
effectively random?
Random is not a point in uncertainty, it's a state of it. If something
is random to you, that means you can study it to guess the next output
with any success better then the standard distribution. (1/p ...).
Universal randomness as people want to see it CANNOT EXIST. It's
impossible for something to be totally random. But it's possible for
me to take some americium and make a rng that you can't guess. Is that
not random?
Tom
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: continuous functions and differential cryptanalysis
Date: Tue, 26 Sep 2000 11:14:22 GMT
In article <[EMAIL PROTECTED]>,
Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>
>
> Tom St Denis wrote:
> >
> > Paul Rubin <[EMAIL PROTECTED]> wrote:
>
> > > Um, what's wrong with this sentence? Hint: do you know what a
> > > derivative is?
> >
> > Um? Derivative is the slope of the tangent of a function at a given
> > point. I.e F(x) = 1/x, F'(x) = -1/x^2.
>
> I think he meant you are in a discrete field, not in R.
> Do you actually have a reference for a definition
> of derivative in GF? I am not quite sure.
Let's try F(x) = ax^3 + b, in GF(p). The derivative is just
F'(x) = 3ax^2 mod p. So what? Try it out... given p = 257 and say x =
3, a = 2, then F'(x) = 3a(3)^2 mod 257 = 27(2) mod 257 = 54 mod 257.
Even in R the result is the same.
So I think the def of the derivative will work here too? Perhaps not...
Tom
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: [EMAIL PROTECTED] (pink aka Chr. Boesgaard)
Subject: Re: Encryption Project
Date: 26 Sep 2000 14:03:31 +0200
"Robert Hulme" <[EMAIL PROTECTED]> writes:
I assume the system would hold each users key somewhere (to encrypt
the content) and the user has the key. I would fear someone cracking
the machine and on the traffic with cleartext passwords (after ssl) or
something. A safer solution could be something like:
Encrypt the data on a trusted host (not on the network or well
protected) move the encrypted data to the server.
Use signed javaapplets and do all decryption on the users machine.
This way its harder to crack the machine and get the sensitive data.
It would of course still be a good idea to use ssl and passwords or
something for the connections.
Checkout blowfish, 3des or some of the AES algorithms for
encryption. Good implementations is out there...
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Tying Up Loose Ends - Correction
Reply-To: [EMAIL PROTECTED]
Date: Tue, 26 Sep 2000 12:13:23 GMT
Tim Tyler <[EMAIL PROTECTED]> wrote:
: Bryan Olson <[EMAIL PROTECTED]> wrote:
: : Tim Tyler wrote:
: :> Bryan Olson wrote:
: :> The "effective keyspace" contains the keys that can't be dismissed out
: :> of hand on a priori grounds - and may need further consideration.
: : Not one single key can be dismissed a priori. [...]
: That may - or may not - be true, depending on how much known plaintext
: is involved.
Not my most coherent statement ever - I'll try again.
Known plaintext added by (say) a compression program, can allow
keys to be rejected without any other knowledge of the contents
of the plaintext of the decompressed message.
This is what "a priori" means: "in advance of knowledge from experience".
The knowledge I was referring to was knowledge of the characteristics of
the plaintext - not knowledge of the cyphertext.
--
__________ Lotus Artificial Life http://alife.co.uk/ [EMAIL PROTECTED]
|im |yler The Mandala Centre http://mandala.co.uk/ Sarcasm: Barbed ire
------------------------------
From: [EMAIL PROTECTED] (Paul Schlyter)
Subject: Re: Test for weak keys in 3DES
Date: 26 Sep 2000 13:26:22 +0200
In article <8qpfgl$los$[EMAIL PROTECTED]>,
kihdip <[EMAIL PROTECTED]> wrote:
> In RFC2409 it is stated that you should test your key before use in a DES
> CBC encryption, and be sure it is not a weak or semi-weak key.
>
> This is not mentioned for 3DES CBC encryption. Does it matter whether you
> use weak keys in 3DES ??
3DES uses a double-length or triple-length key, which is nothing but
two or three DES keys. If one of them is weak, your 3DES will become
not much safer than 1-DES or 2-DES (and there are possuble attacks on 2-DES
which reduce its safety to the same as 1-DES). And if all of them are weak,
well.....
It's easy enough to avoid the weak keys of 1-DES though, and the same caution
shoul of course be applied when you use the two or three DES keys for 3-DES.
--
================================================================
Paul Schlyter, Swedish Amateur Astronomer's Society (SAAF)
Grev Turegatan 40, S-114 38 Stockholm, SWEDEN
e-mail: pausch at saaf dot se or paul.schlyter at ausys dot se
WWW: http://hotel04.ausys.se/pausch http://welcome.to/pausch
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: continuous functions and differential cryptanalysis
Reply-To: [EMAIL PROTECTED]
Date: Tue, 26 Sep 2000 12:40:26 GMT
Tom St Denis <[EMAIL PROTECTED]> wrote:
: Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
:> Tom St Denis wrote:
:> > Paul Rubin <[EMAIL PROTECTED]> wrote:
:> > > Um, what's wrong with this sentence? Hint: do you know what a
:> > > derivative is?
:> >
:> > Um? Derivative is the slope of the tangent of a function at a given
:> > point. I.e F(x) = 1/x, F'(x) = -1/x^2.
:>
:> I think he meant you are in a discrete field, not in R.
:> Do you actually have a reference for a definition of derivative in GF? []
: Let's try F(x) = ax^3 + b, in GF(p). The derivative is just
: F'(x) = 3ax^2 mod p. So what? Try it out... given p = 257 and say x =
: 3, a = 2, then F'(x) = 3a(3)^2 mod 257 = 27(2) mod 257 = 54 mod 257.
: So I think the def of the derivative will work here too? Perhaps not...
I can't see how any of this makes sense. If derivitives in a Galois
field are a coherent idea at all it's news to me.
--
__________ Lotus Artificial Life http://alife.co.uk/ [EMAIL PROTECTED]
|im |yler The Mandala Centre http://mandala.co.uk/ Eschew obfuscation
------------------------------
Crossposted-To: com.compression
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Question on biases in random numbers & decompression
Reply-To: [EMAIL PROTECTED]
Date: Tue, 26 Sep 2000 12:52:48 GMT
Benjamin Goldberg <[EMAIL PROTECTED]> wrote:
:> [EMAIL PROTECTED] (Tim Tyler) wrote in <[EMAIL PROTECTED]>:
:> >I think you will find you might still wind up taking an arbitrarily
:> >long time to get a single trit, though - I don't think there's any
:> >way around that without introducing bias.
:> >
:> >I suspect that your arithmetic compressor will need access to an
:> >unbounded quantity of RAM as well in order to be guaranteed to
:> >operate correctly.
: I AM willing to take an arbitrarily long time (and use an arbitrarily
: large amount of memory) to get a symbol.
That's good. I don't think there's a way around the "arbitrarily
long time", issue - but you can probably avoid the "arbitrarily large
quantity of memory" requirement - if you're prepared to chuck out a
tiny fraction of a bit from the original stream once in a while.
--
__________ Lotus Artificial Life http://alife.co.uk/ [EMAIL PROTECTED]
|im |yler The Mandala Centre http://mandala.co.uk/ Hat: Baldness cure
------------------------------
Crossposted-To: comp.compression
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Question on biases in random-numbers & decompression
Reply-To: [EMAIL PROTECTED]
Date: Tue, 26 Sep 2000 13:03:52 GMT
In sci.crypt D.A.Kopf <[EMAIL PROTECTED]> wrote:
: Why not just take enough bits from the random bitstream to get a max-min,
: and add any remainder to the next chunk. E.G., for numbers in the range 6-10
: take 3 bits modulo 5 and add 6. [...]
3 bits modulo five is probably not what you want.
That gives: 0, 1, 2, 3, 4, 0, 1, 2. ;-(
>From what I understand of what you wrote, I think this objection is a
terminal one for the idea.
--
__________ http://alife.co.uk/ http://mandala.co.uk/
|im |yler [EMAIL PROTECTED] http://hex.org.uk/ http://atoms.org.uk/
------------------------------
From: "D.A.Kopf" <[EMAIL PROTECTED]>
Crossposted-To: comp.compression
Subject: Re: Question on biases in random-numbers & decompression
Date: 26 Sep 2000 13:16:24 GMT
Reply-To: [EMAIL PROTECTED]
Tom St Denis wrote:
>
> In article <[EMAIL PROTECTED]>,
> [EMAIL PROTECTED] wrote:
>
> The problem is hte numerical range (6, 7, 8, 9, 10) has five choices,
> and three bits gives you eight choices.... so you have to either get
> log2(5) bits from the stream or ignore the three bits when their
> decimal value is 5 <= x < 8.
I see. Efficient use of random bits would then seem to be the reverse
mapping of an optimum compression of the result. For example mapping a
series of 1-of-6 random choices into the fewest possible binary digits, would
also provide a mapping from the fewest possible binary digits to the
greatest number of random 1-of-6 decisions.
So the original poster was correct, the inverse of an arithmetic
compresser would be effective. Just "decompress" the random bitstream
into the needed bin size.
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: A New (?) Use for Chi
Date: Tue, 26 Sep 2000 13:24:02 GMT
On Mon, 25 Sep 2000 22:57:04 +0200, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote, in part:
>For a Vigenere, if the key is sufficiently long, couldn't
>it be that the quantities you mentioned are not sufficiently
>differentiating to be easily exploited? (I don't know,
>just a conjecture.)
I mentioned that possibility myself. In any event, using a corpus of
literary text, I've had my BASIC program provide the answers, which
are:
(1) (2) (3) (4)
A .0726 .1040 .0824 .1118
B .0836 .1689 .1920 .1710
C .1161 .1247 .1474 .1272
D .1859 .0790 .2204 .1752
E .0908 .0707 .0943 .1027
F .2058 .1014 .3937 .1456
G .2120 .0942 .3003 .1333
H .3376 .2852 .4939 .3405
I .0732 .1159 .0768 .1227
J .1008 .2788 .2891 .2932
K .1148 .1730 .1444 .3085
L .1009 .1042 .1120 .1267
M .1133 .1474 .1581 .1767
N .1865 .0983 .2070 .1219
O .0669 .0919 .0711 .1073
P .0953 .1232 .1159 .1327
Q .2020 .9973 .3059 .9993
R .1472 .1072 .1547 .1420
S .1082 .0918 .1192 .1266
T .0808 .1742 .1170 .2490
U .1343 .0974 .1526 .1011
V .1666 .5113 .1940 .5173
W .1120 .1556 .3053 .1772
X .6689 .1324 .7036 .1492
Y .1093 .0782 .1227 .2433
Z .2322 .3181 .3207 .3474
(1) Chi of the letters which precede this letter, ignoring word
divisions.
(2) Chi of the letters which follow this letter, ignoring word
divisions.
(3) Chi of the letters which precede this letter, respecting word
divisions.
(4) Chi of the letters which follow this letter, respecting word
divisions.
These are somewhat preliminary results, as I wish to use a larger
sample of English text for definitive results. However, the sample is
of a few million letters.
John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: [EMAIL PROTECTED]
Subject: DES
Date: Tue, 26 Sep 2000 14:00:00 GMT
Hi all,
I am looking for a C implementation of DES to try to see how it works
in practice and eventually, i have to come up with a HC05 assembler
version of DES.
Has anyone got any suggestions on how i should approach the assembler
implementation?
Thank you,
Brice.
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: "kihdip" <[EMAIL PROTECTED]>
Subject: Re: Test for weak keys in 3DES
Date: Tue, 26 Sep 2000 16:25:36 +0200
>I suggest you read sci.crypt posts, before posting yourself. This is
>asked at least once a week.
>
>You don't have to check because the probability of picking one is
>about the same as spontaneously combusting while winning the lottery
>and having aliens visit your neighbours.
>
>Tom
Reading your's and Paul Schlyter's answers, you'll perhabs forgive me for
posting my question ??
;-)
------------------------------
From: Mika R S Kojo <[EMAIL PROTECTED]>
Subject: Re: continuous functions and differential cryptanalysis
Date: 26 Sep 2000 18:15:11 +0300
Tim Tyler <[EMAIL PROTECTED]> writes:
>
> Tom St Denis <[EMAIL PROTECTED]> wrote:
> : Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> :> Tom St Denis wrote:
> :> > Paul Rubin <[EMAIL PROTECTED]> wrote:
>
> :> > > Um, what's wrong with this sentence? Hint: do you know what a
> :> > > derivative is?
> :> >
> :> > Um? Derivative is the slope of the tangent of a function at a given
> :> > point. I.e F(x) = 1/x, F'(x) = -1/x^2.
> :>
> :> I think he meant you are in a discrete field, not in R.
> :> Do you actually have a reference for a definition of derivative in GF? []
>
> : Let's try F(x) = ax^3 + b, in GF(p). The derivative is just
> : F'(x) = 3ax^2 mod p. So what? Try it out... given p = 257 and say x =
> : 3, a = 2, then F'(x) = 3a(3)^2 mod 257 = 27(2) mod 257 = 54 mod 257.
>
> : So I think the def of the derivative will work here too? Perhaps not...
>
> I can't see how any of this makes sense. If derivitives in a Galois
> field are a coherent idea at all it's news to me.
Derivative is well-defined for any field, but its usually called
"formal derivative". It is even possible to talk about continuous
functions, but for for this you need p-adic numbers.
-- Mika
------------------------------
From: Eric Lee Green <[EMAIL PROTECTED]>
Subject: Re: Why is TwoFish better than Blowfish?
Date: Tue, 26 Sep 2000 08:26:32 -0700
Tom St Denis wrote:
> Why? I know the NSA broke Scottu19 which is why he totes it so much.
> Oh proof? Um left that in my other pants... hehehehe
>
> His posts are funny if not completely useless....
In other words, scottu19 is a NSA plant who is here in order to cast doubt on
secure algorithms, right? And the NSA funded the development of scott19u, who
is actually an artificial intelligence that only simulates being a person?
Tom promises to fax me the evidence shortly :-).
--
Eric Lee Green [EMAIL PROTECTED]
------------------------------
From: "Martin Wolters" <[EMAIL PROTECTED]>
Subject: Re: DES
Date: Tue, 26 Sep 2000 18:14:43 +0200
>I am looking for a C implementation of DES to try to see how it works
I made an Implementation of DES, but I think it's not
really good. It works correct (now), but I'm no good
Programmer. If you want It, I could mail it to you.
------------------------------
From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Subject: Re: continuous functions and differential cryptanalysis
Date: Tue, 26 Sep 2000 09:28:16 -0700
Tom St Denis <[EMAIL PROTECTED]> wrote in message
news:8qq0e2$7qh$[EMAIL PROTECTED]...
> In article <[EMAIL PROTECTED]>,
> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> >
> >
> > Tom St Denis wrote:
> > >
> > > Paul Rubin <[EMAIL PROTECTED]> wrote:
> >
> > > > Um, what's wrong with this sentence? Hint: do you know what a
> > > > derivative is?
> > >
> > > Um? Derivative is the slope of the tangent of a function at a given
> > > point. I.e F(x) = 1/x, F'(x) = -1/x^2.
> >
> > I think he meant you are in a discrete field, not in R.
> > Do you actually have a reference for a definition
> > of derivative in GF? I am not quite sure.
>
> Let's try F(x) = ax^3 + b, in GF(p). The derivative is just
> F'(x) = 3ax^2 mod p. So what?
Errr, no. A derivative is traditionally defined as:
F'(x) = lim ( F(x+e) - F(x) ) / e
where the limit is taken as e goes to zero. The idea "e goes to zero"
doesn't appear to make sense in GF(p) -- if e is an element of GF(p), it is
either zero or bounded away from zero. Hence, the traditional sense of
derivative doesn't appear to make sense in GF(p).
And, if you do come up with a sense where it makes sense (which you'll need
to define), it very well might not happen to be the same formula as over the
field R.
--
poncho
.
------------------------------
From: "David C. Barber" <[EMAIL PROTECTED]>
Subject: Re: Again a topic of disappearing e-mail?
Date: Tue, 26 Sep 2000 10:04:51 -0700
Then your first hypothesis is correct -- I didn't get it.
*David Barber*
"Paul Pires" <[EMAIL PROTECTED]> wrote in message
news:lEPz5.5450$[EMAIL PROTECTED]...
>
> David C. Barber <[EMAIL PROTECTED]> wrote in message
> news:8qofbd$1np2$[EMAIL PROTECTED]...
> > I'm tired of bashing "oil executives". I don't see you taking all uses
of
> > their product out of your life.
> >
> > *David Barber*
>
> Er... Either you didn't get his joke or I didn't get yours.
>
> The Oil executive in question is herptologic, not petrolum based.
>
> Herpatologic? Snakes! man.
>
> Paul
>
> >
> > "Matthew Skala" <[EMAIL PROTECTED]> wrote in message
> > > An oil executive, huh? Sounds reptilian to me.
> >
> >
> >
>
>
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
