Cryptography-Digest Digest #968, Volume #12      Sat, 21 Oct 00 07:13:01 EDT

Contents:
  Re: Hypercube structure / balanced block mixing (Mack)
  Re: Hypercube structure / balanced block mixing (Sundial Services)
  Re: Dense feedback polynomials for LFSR (Joaquim Southby)
  Re: What is meant by non-Linear... ("Stephen M. Gardner")
  For those touting "compression as encryption" ideas - Upcoming IEEE  ("John A. Malley")
  Re: Rijndael in Perl (Sam Trenholme)
  Re: Encrypting large blocks with Rijndael (Sam Trenholme)
  Re: Looking for small implementation of an asymmetric encryption  (Sam Trenholme)
  Re: SDMI Successfully Hacked (Scott Craver)
  Re: idea for spam free email (Sam Trenholme)
  Re: idea for spam free email (Musashi)
  Re: On block encryption processing with intermediate permutations (Mok-Kong Shen)
  Re: For those touting "compression as encryption" ideas - Upcoming IEEE  (Mok-Kong Shen)
  GCHQ Challenge ("Pom")
  Re: new SNAKE web page (David Hopwood)
  Re: idea for spam free email ("G. Orme")
  Re: idea for spam free email ("G. Orme")
  Re: idea for spam free email ("G. Orme")
  Re: GCHQ Challenge (CiPHER)
  Re: On block encryption processing with intermediate permutations (Bryan Olson)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Mack)
Subject: Re: Hypercube structure / balanced block mixing
Date: 21 Oct 2000 04:05:17 GMT

>The structure of edges in a hypercube, and the structure of mixing pairs
>used in balanced block mixing are identical.  I wanted to create a
>cipher which used a hypercube like structure, when I noticed the
>similarity, and then decided to look up ciphers which used balanced
>block mixing.  The one I found, TC2, uses a global static array to
>specify pairs of indices.  Does anyone know how to use ordinary loops
>(no global data) to list the edges of an arbitrary sized hypercube? 
>I've tried myself (using 3 nested loops) but I can't seem to get it
>right.  I suspect it will require 4 nested loops, but I'm not sure how.
>
>It might be only doable with a recursive function;  I hope not.

Any recursive function can be defined as a non-recursive function
using stacks.  Basic algorithm design.

>
>The reason for my asking is that my expanded key is 512 bytes, and I
>want to use an order-10 hypercube to do balanced block mixing in the key
>schedule, and I *don't* want to have a global array containing 10*512
>integer values.
>

I believe that you should contact Mr. Ritter before experimenting too
much with balanced block mixing.  He does have a patent on some
of that technology.  I am not trying to start an argument about the
legalities surrounding patents.  But it is a good idea to check with
patent holders when experimenting with technology that may
cause legal proceedings.

>-- 
>"Mulder, do you remember when I was missing -- that time that you
> *still* insist I was being held aboard a UFO?"
>"How could I forget?"
>"Well, I'm beginning to wonder if maybe I wouldn't have been
> better off staying abo-- I mean, wherever it was that I was
> being held." [from an untitled spamfic by [EMAIL PROTECTED]]
>
>
>


Mack
Remove njunk123 from name to reply by e-mail
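The edge enumeration the quoted question asks for, as an added example (my code, not anything from the thread, from TC2 or from Ritter's work). Two ordinary loops, one over bit positions and one over vertices, list every edge of an n-cube without recursion, a stack or a global table; the same pairing pattern is then walked dimension by dimension over a block whose length is a power of two, as 512 = 2^9 bytes is. The per-pair mix function is an illustrative invertible placeholder I chose for the demo, not a balanced block mixer.

```python
"""Hypercube edges by plain loops, and the same pairing used as a mixing
schedule over a power-of-two block.  Added example (not code from the
thread); mix_pair is an illustrative placeholder, not a published
balanced block mixer."""


def hypercube_edges(n):
    """Yield every edge (u, v), u < v, of the n-dimensional hypercube.

    Vertices are the integers 0 .. 2**n - 1 and two vertices are joined
    iff they differ in exactly one bit.  Looping over each bit position d
    and each vertex with bit d clear lists every edge exactly once with
    two nested loops: no recursion, no stack, no global table."""
    for d in range(n):
        bit = 1 << d
        for u in range(1 << n):
            if not u & bit:
                yield u, u | bit


def edge_count(n):
    """Edges of the n-cube; must equal n * 2**(n-1)."""
    return sum(1 for _ in hypercube_edges(n))


def mix_pair(a, b):
    """Placeholder invertible mix of two bytes (an assumption of this
    example): (a, b) -> (a + b, a + 2b) mod 256 is a bijection because
    the matrix [[1, 1], [1, 2]] has determinant 1."""
    return (a + b) & 0xFF, (a + 2 * b) & 0xFF


def unmix_pair(x, y):
    """Inverse of mix_pair: a = 2x - y, b = y - x (mod 256)."""
    return (2 * x - y) & 0xFF, (y - x) & 0xFF


def hypercube_mix(block, mix=mix_pair):
    """One forward pass: for each dimension d in turn, mix the two
    elements joined by every edge across bit d.  After all n dimensions
    every position has been paired, directly or through intermediates,
    with every other position, which is the diffusion pattern of a
    hypercube (butterfly) network."""
    n = len(block).bit_length() - 1
    if 1 << n != len(block):
        raise ValueError("block length must be a power of two")
    out = list(block)
    for d in range(n):
        bit = 1 << d
        for u in range(len(out)):
            if not u & bit:
                out[u], out[u | bit] = mix(out[u], out[u | bit])
    return out


def hypercube_unmix(block, unmix=unmix_pair):
    """Inverse pass: dimensions in reverse order with the inverse mix
    (pairs within one dimension are disjoint, so their order is free)."""
    n = len(block).bit_length() - 1
    if 1 << n != len(block):
        raise ValueError("block length must be a power of two")
    out = list(block)
    for d in reversed(range(n)):
        bit = 1 << d
        for u in range(len(out)):
            if not u & bit:
                out[u], out[u | bit] = unmix(out[u], out[u | bit])
    return out
```

For a 512-byte expanded key, `hypercube_mix` walks the 9 dimensions of the 512-vertex cube and touches 9 * 256 = 2304 edge pairs per pass, all generated on the fly; `hypercube_unmix` reverses the dimension order, which is what makes the pass invertible regardless of which pairwise mix is plugged in.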

------------------------------

Date: Fri, 20 Oct 2000 21:22:25 -0700
From: Sundial Services <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Hypercube structure / balanced block mixing

Mack wrote:
> I believe that you should contact Mr. Ritter before experimenting too
> much with balanced block mixing.  He does have a patent on some
> of that technology.  I am not trying to start an argument about the
> legalities surrounding patents.  But it is a good idea to check with
> patent holders when experimenting with technology that may
> cause legal proceedings.


.. and even if a patent did not exist, it may be that "Mr. Ritter has
'been there, done that.'"  It may well be that you discover (IF you
look) that someone else has driven down a particular highway long before
you thought it even existed .. [and can disclose to you that they have
done it] .. and is willing to sell you their perfected solution for far
less money than you would spend replicating their own work.

Such things can be given a "positive spin."

------------------------------

From: Joaquim Southby <[EMAIL PROTECTED]>
Subject: Re: Dense feedback polynomials for LFSR
Date: 21 Oct 2000 04:34:27 GMT

In article <[EMAIL PROTECTED]> Tim Tyler, [EMAIL PROTECTED] writes:
>The original idea makes no sense, but execution time does not appear to be
>a problem with it.
>
Simply because you fail to grasp an idea or possible applications for it
doesn't mean it makes no sense.

I didn't come up with this idea; it was passed on to me from a friend who
uses me as a sounding board from time to time.  She pointed out that
sub-maximal LFSR's have most of the same behaviour as maximal LFSR's.  If
a maximal length LFSR has a tap sequence of n, A, B, C, then an LFSR with
the tap sequence n, n-A, n-B, n-C will also be maximal length.  Guess
what -- it works for sub-maximal LFSR's, too.  The state spaces of two
sub-maximal LFSR's constructed in that way and using the same init vector
are the same size.  What's interesting is that many of the states in
their state spaces are different.  What's even more interesting is that
every state in one of those spaces is the mirror image of a state in the
other space.

One group of behaviours that is dissimilar between the two is how
"random" the output stream looks.  The output over a period of a
maximal-length LFSR will *always* have the same characteristics: a) # of
1's minus # of 0's = 1; b) the number of runs is strictly quantifiable --
1/2 of all runs have length 1, 1/4 have length 2, etc.; c) perform a
circular shift of some number less than the period on the output string
and then XOR the result with the original string -- the result of the XOR
will exhibit the same characteristics described in a) and b).

Conversely, the output over a period of a submaximal-length LFSR is not
constrained to these characteristics.  (The autocorrelation exhibited in
part c is still very strong, though.)  In that regard, this output looks
more like a random stream of bits because it will statistically vary from
the idealized output described above.  (Before anyone jumps in with the
old "what is random" thread, I did not say that the output is random -- I
said it looks more like a random stream than that of the maximal-length
LFSR.)  Can you see any possible uses for a sub-maximal LFSR now?

If you think about LFSR's in terms of state spaces, you might realize
that the two types we're discussing differ only in the number of state
spaces.  All LFSR's have at least two state spaces; one of these is the
space that contains the single state of zero.  The maximal-length LFSR
has two state spaces: one is that zero state space and the other consists
of all the states between 1 and 2^n - 1.  The sub-maximal LFSR has more
than 2 state spaces.  Of the non-degenerative (by this I mean an LFSR
that returns to its original state -- those that have an odd number of
taps or that do not include the output bit in the tap sequence will not
do so) sub-maximal LFSR's I've had time to investigate, every one has an
even number of state spaces; at least one of those spaces' size was equal
to a power of 2 minus 1.  These puppies are a lot more interesting than
their maximal-length brethren simply because of the wider range of
behaviour that, AFAIK, hasn't been explored yet.
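To make the cycle-structure and run-length claims above concrete, here is an added Python example (my code, not the poster's or the friend's). It models an n-bit Fibonacci LFSR whose feedback polynomial is x^n + x^A + x^B + ... + 1, so the "n, A, B, C" tap sequence of the post maps to `taps = [A, B, C]` and the "n, n-A, n-B, n-C" sequence to the reciprocal polynomial. It decomposes the whole state graph into cycles, tabulates the run lengths over one period, and checks the mirror-image claim by reversing each cycle's output and looking for it among the cycles of the reciprocal LFSR.

```python
"""Cycle structure and run statistics of Fibonacci LFSRs, comparing a
feedback polynomial with its reciprocal (tap exponents n-A, n-B, ...).
Added example, not code from the original post."""
from collections import Counter


def lfsr_step(state, n, taps):
    """One clock of an n-bit Fibonacci LFSR with feedback polynomial
    x^n + sum(x^t for t in taps) + 1, 0 < t < n.  Bit i of `state` holds
    s[k-1-i], so the recurrence s[k] = s[k-n] + sum(s[k-t]) reads bit n-1
    and bits t-1.  The constant term is always present, so the map is a
    bijection and every state lies on a cycle (no dead-end tails)."""
    fb = (state >> (n - 1)) & 1
    for t in taps:
        fb ^= (state >> (t - 1)) & 1
    return ((state << 1) | fb) & ((1 << n) - 1)


def reciprocal_taps(n, taps):
    """Taps of x^n * p(1/x): exponent t becomes n - t."""
    return sorted(n - t for t in taps)


def cycles(n, taps):
    """{representative state: cycle length} for every cycle of the graph."""
    seen = [False] * (1 << n)
    result = {}
    for start in range(1 << n):
        if seen[start]:
            continue
        s, length = start, 0
        while not seen[s]:
            seen[s] = True
            s = lfsr_step(s, n, taps)
            length += 1
        result[start] = length
    return result


def cycle_structure(n, taps):
    """Sorted cycle lengths; a primitive polynomial gives [1, 2**n - 1]."""
    return sorted(cycles(n, taps).values())


def output_period(n, taps, seed):
    """Bits shifted out over one full period of the cycle containing seed."""
    bits, s = [], seed
    while True:
        bits.append((s >> (n - 1)) & 1)
        s = lfsr_step(s, n, taps)
        if s == seed:
            return bits


def run_histogram(bits):
    """Counter {run length: number of runs}, treating one period circularly."""
    if len(set(bits)) == 1:
        return Counter({len(bits): 1})
    start = next(i for i in range(1, len(bits)) if bits[i] != bits[i - 1])
    bits = bits[start:] + bits[:start]          # now begins on a run boundary
    runs, length = Counter(), 1
    for i in range(1, len(bits)):
        if bits[i] == bits[i - 1]:
            length += 1
        else:
            runs[length] += 1
            length = 1
    runs[length] += 1
    return runs


def is_rotation(a, b):
    return len(a) == len(b) and any(a == b[i:] + b[:i] for i in range(len(b)))


def reciprocal_reverses_every_cycle(n, taps):
    """True if each cycle's output read backwards is (a rotation of) the
    output of some cycle of the reciprocal LFSR: the mirror-image claim."""
    rev_taps = reciprocal_taps(n, taps)
    mirror = [output_period(n, rev_taps, seed) for seed in cycles(n, rev_taps)]
    for seed in cycles(n, taps):
        backwards = output_period(n, taps, seed)[::-1]
        if not any(is_rotation(backwards, m) for m in mirror):
            return False
    return True
```

With n = 4 and taps [1] (x^4 + x + 1) the non-zero states form one cycle of length 15 whose output has eight ones and seven zeros and the run profile 4/2/1/1 for lengths 1 to 4; the reciprocal x^4 + x^3 + 1 (taps [3]) behaves the same. The reducible x^5 + x + 1 (taps [1]) splits the 31 non-zero states into cycles of length 3, 7 and 21, and its reciprocal x^5 + x^4 + 1 has the same decomposition, which is the identical-size, mirrored-state behaviour described in the post.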

------------------------------

From: "Stephen M. Gardner" <[EMAIL PROTECTED]>
Subject: Re: What is meant by non-Linear...
Date: Fri, 20 Oct 2000 23:16:59 -0500

Tim Tyler wrote:

> Like this (on a torus).
>
> 2    .     .     .
> 1.     .     .
> 0  .     .     .
> 2    .     .     .
> 1.     .     .
> 0  .     .     .
> 2    .     .     .
> 1.     .     .
> 0  .     .     .
> +0 1 2 0 1 2 0 1 2 -> x
>
> I'm sure you can make out the straight line yourself.

    Doesn't this rule for plotting make any equation look linear as long as it
jumps around enough to hit all the lattice points? How does this distinguish
something that is non-linear (say y = x^2 + 1)?


--
Take a walk on the wild side: http://www.metronet.com/~gardner/

There is a road, no simple highway, between the dawn and the
dark of night. And if you go no one may follow. That path is
for your steps alone.
    The Grateful Dead ("Ripple")



------------------------------

From: "John A. Malley" <[EMAIL PROTECTED]>
Subject: For those touting "compression as encryption" ideas - Upcoming IEEE 
Date: Fri, 20 Oct 2000 23:04:53 -0700

Over the past few months several posters described and debated:

1. the relative merits of and security afforded by different compression
schemes prior to encryption;

2. adaptation of arithmetic encoding as a form of encryption;

3. adaptations of Huffman codings as forms of encryption.


Here's a great chance to present analyses and results - the


*****  IEEE Data Compression Conference (DCC'2001) *****

                     Snowbird, Utah

          Tues, March 27 - Thurs March 29, 2001

A call for papers is posted at: www.cs.brandeis.edu/~dcc


John A. Malley
[EMAIL PROTECTED]

------------------------------

From: [EMAIL PROTECTED] (Sam Trenholme)
Crossposted-To: comp.lang.perl.misc
Subject: Re: Rijndael in Perl
Date: 21 Oct 2000 07:00:11 GMT

>http://home.pacific.net.ph/~dido/Crypt-Rijndael-0.01.tar.gz

I noticed that a script called makertbls.pl is referred to in the code,
but is not part of this archive.

I would like to look at this script, so I can get a better picture of
Rijndael in my mind.  I am slowly but surely "getting" how it works.

- Sam

-- 
"Reality is the most perfect vision of God's will" -- Orson Scott Card
Note that this email address times out in two weeks
http://www.samiam.org/ssi/mailme.shtml has my email address

------------------------------

From: [EMAIL PROTECTED] (Sam Trenholme)
Subject: Re: Encrypting large blocks with Rijndael
Date: 21 Oct 2000 07:03:56 GMT

[The larger block sizes Rijndael allows]

>Under what circumstances would one be willing to pay
>this speed penalty?  Is it at all reasonable to extend
>the rule the about number of rounds this far?

Well, presuming that Rijndael is still around 50 years from now (a not
altogether unreasonable assumption, it being AES and all), we may have
enough technology then that a 128-bit block looks weak.

The flexible block size design does a lot to future-proof Rijndael.

Also, those big blocks are useful for using Rijndael as a hash compression
function or as a MAC.

- Sam


-- 
"Reality is the most perfect vision of God's will" -- Orson Scott Card
Note that this email address times out in two weeks
http://www.samiam.org/ssi/mailme.shtml has my email address

------------------------------

From: [EMAIL PROTECTED] (Sam Trenholme)
Subject: Re: Looking for small implementation of an asymmetric encryption 
Date: 21 Oct 2000 07:13:14 GMT

>Granted, I have no idea if there is such a thing as a block
>algorithm with a 49 bit block.

Blowfish is easily enough modified to have a 48-bit block size.  The
essential structure of Blowfish is such that changing the block size
doesn't really change the security (except to note that 2^48 chosen
plaintexts is now the codebook).  

Blowfish has been around for six years, and there are no known weaknesses
as long as checks are made to ensure that a given key does not generate
duplicate SBox entries.

- Sam

-- 
"Reality is the most perfect vision of God's will" -- Orson Scott Card
Note that this email address times out in two weeks
http://www.samiam.org/ssi/mailme.shtml has my email address

------------------------------

From: [EMAIL PROTECTED] (Scott Craver)
Subject: Re: SDMI Successfully Hacked
Date: 21 Oct 2000 07:00:20 GMT

Mack <[EMAIL PROTECTED]> wrote:
>Simple crack
>
>do random 1% phase shifts
>and level shifts.  Destroys
>the watermark with minimal
>distortion.

        "The" watermark?  Which one?  You mean all the watermarks?
        I can imagine this approach destroying some techniques but not all.
        Did you try this on all of their technologies?

>Mack
                                                        -S


------------------------------

From: [EMAIL PROTECTED] (Sam Trenholme)
Subject: Re: idea for spam free email
Date: 21 Oct 2000 07:37:14 GMT

[Snip.  Spam filter discussion]

>Topicality note: is the study of *not* receiving unwanted but
>unenciphered messages considered to be part of cryptology? ;-)

Let me offer a shameless plug to bring this discussion back to being on
topic:

        http://kiwispam.sourceforge.net/

- Sam

-- 
"Reality is the most perfect vision of God's will" -- Orson Scott Card
Note that this email address times out in two weeks
http://www.samiam.org/ssi/mailme.shtml has my email address

------------------------------

From: Musashi <a [EMAIL PROTECTED]>
Subject: Re: idea for spam free email
Date: Sat, 21 Oct 2000 03:55:59 -0400

In article <[EMAIL PROTECTED]>, 
abuse@localhost says...
> On Thu, 19 Oct 2000 10:06:01 GMT, "G. Orme" <[EMAIL PROTECTED]>
> wrote:
> 
> >    Any suggestions are most welcome on the following.
> >
> >Basically the idea involves having two email addresses, a public known one
> >such as e.g. [EMAIL PROTECTED], and a private address, e.g.
> >[EMAIL PROTECTED]
> [snip]
> 
> I can see two possible attacks. One is by sniffing the network traffic
> and logging the TO: field when a real message is sent. This can be
> done between the sender or receiver and his/her mail server, or
> anywhere between the two mail servers. The other is by cracking the
> software so that it yields the real address. Since your software is
> able to decrypt the real address and you give away the executable
> code, cracking the executable can force the real address out in the
> same way used by crackers to generate serial numbers of commercial
> programs. There is no way to protect executable code from a determined
> cracker.
> 
> In my opinion, filters installed on the receiver's e-mail software are
> still the best way to eliminate spam. Your system seems to be designed
> so that you will receive e-mail only from a list of sources you have
> hand-picked. You can obtain the same result by writing a filter that
> lets in only e-mail originating from a list of approved addresses.
> 
   My personal e-mail filters scan for a list of phrases and words in the 
subject line that I had been receiving from spammers (e.g. "$$$" "extra 
income" "casino").  After downloading the headers from the server, if any 
of those words/phrases are found, it deletes it from the server without 
wasting my time downloading it, only to delete it on my end.  So far I 
haven't lost any e-mails from people that I want to hear from, nor any 
"serious" e-mails from strangers (like people on Usenet). 


====== Posted via Newsfeeds.Com, Uncensored Usenet News ======
http://www.newsfeeds.com - The #1 Newsgroup Service in the World!
=======  Over 80,000 Newsgroups = 16 Different Servers! ======

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: On block encryption processing with intermediate permutations
Date: Sat, 21 Oct 2000 10:57:31 +0200



Bryan Olson wrote:
> 
> Mok-Kong Shen wrote:
> >
> > Bryan Olson wrote:

> > > Of course in your two-cycle case finding a sibling pair using
> > > just the one-block plaintext is vacuously easy.
> >
> > Fine. Please kindly write your equations with respect to
> > what I denoted in the previous post which is repeated below.
> > (I assume that you don't retract what you wrote about
> > (u,u) previously. Actually using (u,v) would take more
> > space in the post only, for the principle is the same.)
> >
> >   Input of first cycle:
> >   (u,u)  (u,u)  (u,u)  (u,u)
> 
> If you insist on four-block messages while my chosen plaintext
> attack calls for one-block and two-block messages, then any
> equations you need are up to you.

As I said in a previous post the problem lies in 
'identification'. The communication partners know the
permutation. Hence they can know that e.g. the first 
ciphertext block (a,b) (in the designation you snipped)
is the encryption (one cycle) of (v,v) and can therefore 
continue to trace back to (u,u) and establish the 
functional relation between (a,b) and (u,u). But the 
opponent can do the same, because he is ignorant of the 
permutation. Isn't that obvious?

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: For those touting "compression as encryption" ideas - Upcoming IEEE 
Date: Sat, 21 Oct 2000 11:12:21 +0200



"John A. Malley" wrote:
> 
> 
> Here's a great chance to present analyses and results - the
> 
> *****  IEEE Data Compression Conference (DCC'2001) *****

Thanks for your pointer so that one could at least look
for some related literature. However, that kind of 
conference is very likely highly centred on the techniques
of compression, in particular for multimedia applications
(i.e. non-reversible due to information loss) rather than
encryption that borrows the technique from compression,
which may well lead to expansion instead of compression.
But of course I am not dissuading people from submitting
papers there, if they have good ideas.

M. K. Shen

------------------------------

From: "Pom" <[EMAIL PROTECTED]>
Subject: GCHQ Challenge
Date: Sat, 21 Oct 2000 10:54:11 +0100

Probably a dumb question - has anyone seen the GCHQ Challenge at
www.gchq.gov.uk - I stumbled across it, and immediately found one clue -
can anyone point me towards any info on this?



------------------------------

Date: Sat, 21 Oct 2000 06:16:07 +0100
From: David Hopwood <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: new SNAKE web page

=====BEGIN PGP SIGNED MESSAGE=====

[EMAIL PROTECTED] wrote:
> The old SNAKE web page died of natural causes a while back,
> and Ive just found some space for it...
> 
> SNAKE:
> http://www.kripto.org/snake
> 
> It hasnt changed much in recent times, but I guess thats a
> good thing :-)

The specification is not complete - the function f is not given.
It's not really possible to analyse it properly without knowing f.

- -- 
David Hopwood <[EMAIL PROTECTED]>

Home page & PGP public key: http://www.users.zetnet.co.uk/hopwood/
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5  0F 69 8C D4 FA 66 15 01
Nothing in this message is intended to be legally binding. If I revoke a
public key but refuse to specify why, it is because the private key has been
seized under the Regulation of Investigatory Powers Act; see www.fipr.org/rip


=====BEGIN PGP SIGNATURE=====
Version: 2.6.3i
Charset: noconv

iQEVAwUBOfEmcTkCAxeYt5gVAQHkZAgA0beqT7dYpN21bPA7umxDJ9/C6FQgAIJz
tLw0dDQ6IXXxHh5Lh0UPMC6O7jzneGTC4ou6wUn/1Qe+geCeNUQz01qQnG49eyI9
Ah+oaTyv6wXq/add3bDGtkllQb2rnRIupy5jZgSaFACmBHTEQx+GkBHElOKQzbuX
gTyQ1UuZJyoq5AKsHdt125eG7HI1+8eyWQJu9nHZjaW3vPqMtKBwCgdveAbDOjTL
Cy3hFjHVrAcLpeSNyqiQc9oFyeggX7DcbOI9YHmkG2rZSZXg4z9pv+J2ww18CCuG
9zgHeoCBmuwJ0W6cHlKQPZuFnd2ILXR3xptis6Lss4LtyFTTjoA19g==
=pQzR
=====END PGP SIGNATURE=====

------------------------------

From: "G. Orme" <[EMAIL PROTECTED]>
Subject: Re: idea for spam free email
Date: Sat, 21 Oct 2000 10:39:01 GMT


"Musashi" <a [EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> In article <[EMAIL PROTECTED]>,
> abuse@localhost says...
> > On Thu, 19 Oct 2000 10:06:01 GMT, "G. Orme" <[EMAIL PROTECTED]>
> > wrote:
> >
> > >    Any suggestions are most welcome on the following.
> > >
> > >Basically the idea involves having two email addresses, a public known one
> > >such as e.g. [EMAIL PROTECTED], and a private address, e.g.
> > >[EMAIL PROTECTED]
> > [snip]
> >
> > I can see two possible attacks. One is by sniffing the network traffic
> > and logging the TO: field when a real message is sent. This can be
> > done between the sender or receiver and his/her mail server, or
> > anywhere between the two mail servers.

G. if anyone wants to go to this amount of trouble just to send people
advertising there is probably little one can do. One way would be to send
the email encrypted to a remailer.



> > The other is by cracking the
> > software so that it yields the real address.

G. This is a good point because the system could be rendered worthless. I
would propose to stop this by every month people download a small update to
their software. The server would be set to not accept emails from people who
didn't have this update. Hackers would then have to crack the software once
a month to keep sending advertising which is a lot of work for a small
return. In a variation of this the update is emailed to each person once a
month to make it easier for them.


> > Since your software is
> > able to decrypt the real address and you give away the executable
> > code, cracking the executable can force the real address out in the
> > same way used by crackers to generate serial numbers of commercial
> > programs. There is no way to protect executable code from a determined
> > cracker.



> >
> > In my opinion, filters installed on the receiver's e-mail software are
> > still the best way to eliminate spam. Your system seems to be designed
> > so that you will receive e-mail only from a list of sources you have
> > hand-picked. You can obtain the same result by writing a filter that
> > lets in only e-mail originating from a list of approved addresses.

G. The idea is to build a system that more or less permanently stops all
spam without inconveniencing legitimate users. Most of the devices so far
would not be noticed by the user, it would seem like any normal email
service to them except that people would have to crack their software
regularly and sniff for packets just to send them advertising. In fact I am
doubtful hackers would be interested in breaking the system, as they
probably hate spam as much as anyone. The problem of new users entering the
system is easily done. Say you want to send an email to someone who has a
protected email address as described. One would send the email as before,
but this would be diverted to an administrator who would send them a message
that they must download the program to send the email. In a few minutes they
can be logged on to the system and sending emails. One might have additional
safeguards such as proof of ID, but if someone did spam then they would be
automatically cut off on a complaint from a customer.


> >
>    My personal e-mail filters scan for a list of phrases and words in the
> subject line that I had been receiving from spammers (e.g. "$$$" "extra
> income" "casino").  After downloading the headers from the server, if any
> of those words/phrases are found, it deletes it from the server without
> wasting my time downloading it, only to delete it on my end.  So far I
> haven't lost any e-mails from people that I want to hear from, nor any
> "serious" e-mails from strangers (like people on Usenet).



------------------------------

From: "G. Orme" <[EMAIL PROTECTED]>
Subject: Re: idea for spam free email
Date: Sat, 21 Oct 2000 10:42:54 GMT


"Sam Trenholme" <[EMAIL PROTECTED]> wrote in message
news:8srh39$ica$[EMAIL PROTECTED]...
> [Snip.  Spam filter discussion]
>
> >Topicality note: is the study of *not* receiving unwanted but
> >unenciphered messages considered to be part of cryptology? ;-)

G. I guess the topicality is justified by that this system would encrypt
email addresses.

>
> Let me offer a shameless plug to bring this discussion back to being on
> topic:
>
> http://kiwispam.sourceforge.net/
>
> - Sam

G. I'm not sure I understand how this works. You appear to be generating a
unique email address so you can tell where it was taken from, but can this
actually stop spam? I appreciate you change the email address, is this the
same as simply getting a lot of email addresses for different places?


>
> --
> "Reality is the most perfect vision of God's will" -- Orson Scott Card
> Note that this email address times out in two weeks
> http://www.samiam.org/ssi/mailme.shtml has my email address



------------------------------

From: "G. Orme" <[EMAIL PROTECTED]>
Subject: Re: idea for spam free email
Date: Sat, 21 Oct 2000 10:44:50 GMT


"Richard Heathfield" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Graceful Twerp wrote:
> >
> <snip>
> >
> > In my opinion, filters installed on the receiver's e-mail software are
> > still the best way to eliminate spam. Your system seems to be designed
> > so that you will receive e-mail only from a list of sources you have
> > hand-picked. You can obtain the same result by writing a filter that
> > lets in only e-mail originating from a list of approved addresses.

G. Your idea is very good. The system I am proposing is designed to
automatically do a similar thing so people using it don't need the hmmm
folder.

>
> Right, although some people may prefer a slightly more forgiving
> three-level system, which filters emails like this:
>
> Is the email from someone on this list of approved addresses? Yes -
> Store in Inbox. No - Proceed.
> Is it on this list of non-approved addresses? Yes - Junk. No - proceed.
> Store in "hmmm" box for later human decision (and, perhaps, updates to
> filter lists).
>
> "Addresses" doesn't have to be the only criterion, of course. You might
> want to check the high bit of each byte in the subject line (to identify
> Unicode etc), or check the subject line against known words or phrases,
> etc.
>
> Filtering is an art.
>
> Topicality note: is the study of *not* receiving unwanted but
> unenciphered messages considered to be part of cryptology? ;-)
>
>
> --
> Richard Heathfield
> "Usenet is a strange place." - Dennis M Ritchie, 29 July 1999.
> C FAQ: http://www.eskimo.com/~scs/C-faq/top.html
> K&R Answers: http://users.powernet.co.uk/eton/kandr2/index.html



------------------------------

From: CiPHER <[EMAIL PROTECTED]>
Subject: Re: GCHQ Challenge
Date: Sat, 21 Oct 2000 10:25:38 GMT

In article <[EMAIL PROTECTED]>,
  "Pom" <[EMAIL PROTECTED]> wrote:

> Probably a dumb question - has anyone seen the GCHQ Challenge at
> www.gchq.gov.uk

Yeah, it's easy peasy, (and just to brag) I managed to do it in 30
mins. The height of the 'challenge' is morse code and ASCII numbers as
far as I can remember.

The hardest thing was actually _finding_ all the bits.

--
Marcus
---
[ www.cybergoth.cjb.net ] [ alt.gothic.cybergoth ]


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: Bryan Olson <[EMAIL PROTECTED]>
Subject: Re: On block encryption processing with intermediate permutations
Date: Sat, 21 Oct 2000 10:41:40 GMT

Mok-Kong Shen wrote:

> > If you insist on four-block messages while my chosen plaintext
> > attack calls for one-block and two-block messages, then any
> > equations you need are up to you.
>
> As I said in a previous post the problem lies in
> 'identification'. The communication partners know the
> permutation. Hence they can know that e.g. the first
> ciphertext block (a,b) (in the designation you snipped)

What I snipped was your four-block example, which seems to
be irrelevant.

> is the encryption (one cycle) of (v,v) and can therefore
> continue to trace back to (u,u) and establish the
> functional relation between (a,b) and (u,u). But the
> opponent can do the same, because he is ignorant of the
> permutation.

I'm not sure what that last sentence means.  Did you mean
"can not" where you wrote "can"?

> Isn't that obvious?

Upon reading your scheme, it is neither obvious that the
attacker can set up equations that isolate one round-pair,
nor obvious that he cannot.  Figuring out how to find the
sibling pairs took me several hours, and writing it up took
a couple more.

I clearly specified the sizes of the chosen plaintexts that
the attack uses.  When you complain of a problem with the
attack based on using some other message size, this tells me
that you did not make a serious attempt to understand the
material.


In the special case of your reduced version in which there
is only one permutation, the sibling pairs and thus the
equations are obvious.  You will discover how to find them
if you put forth an effort.


--Bryan



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
