Cryptography-Digest Digest #71, Volume #13        Thu, 2 Nov 00 00:13:01 EST

Contents:
  Re: BENNY AND THE MTB? (Tim Tyler)
  Re: BENNY AND THE MTB? (Tim Tyler)
  Re: BENNY AND THE MTB? (Tim Tyler)
  Re: BENNY AND THE MTB? ([EMAIL PROTECTED])
  Re: BENNY AND THE MTB? ([EMAIL PROTECTED])
  Re: is NIST just nuts? (Shawn Willden)
  Re: End to end encryption in GSM (Marcus AAkesson)
  Re: BENNY AND THE MTB? (SCOTT19U.ZIP_GUY)
  Re: BENNY AND THE MTB? (SCOTT19U.ZIP_GUY)
  Re: BENNY AND THE MTB? (SCOTT19U.ZIP_GUY)
  Re: End to end encryption in GSM ("Big Jase")
  testing -- Deja says no discussions here ([EMAIL PROTECTED])
  Re: Open Request to Dr. Kaliski, Jr. at RSA Research - looking for your  ("John A. Malley")
  Re: testing -- Deja says no discussions here ("John A. Malley")

----------------------------------------------------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: BENNY AND THE MTB?
Reply-To: [EMAIL PROTECTED]
Date: Wed, 1 Nov 2000 23:09:25 GMT

[EMAIL PROTECTED] wrote:

: I'm sorry, but you have now given enough information to PROVE that Matt
: is not using Rijndael, he is using some homegrown cipher that he has
: chosen to name Rijndael.

Your conclusion appears to be false and - AFAICS - your supporting
argument was not coherent ;-/
-- 
__________  Lotus Artificial Life  http://alife.co.uk/  [EMAIL PROTECTED]
 |im |yler  The Mandala Centre   http://mandala.co.uk/  Niagra falls.

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: BENNY AND THE MTB?
Reply-To: [EMAIL PROTECTED]
Date: Wed, 1 Nov 2000 23:07:52 GMT

[EMAIL PROTECTED] wrote:

: Let's start with the obvious stupidities.
: 1) A Rijndael block of "1 byte"
: Truth : Rijndael is a 128-bit block cipher, there is not way to make it
: generate a single byte output that is decryptable

Surely you are mistaken.  You might like to look at what Matt has done.
-- 
__________  Lotus Artificial Life  http://alife.co.uk/  [EMAIL PROTECTED]
 |im |yler  The Mandala Centre   http://mandala.co.uk/  ILOVEYOU.

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: BENNY AND THE MTB?
Reply-To: [EMAIL PROTECTED]
Date: Wed, 1 Nov 2000 23:32:34 GMT

Richard Heathfield <[EMAIL PROTECTED]> wrote:
: Tim Tyler wrote:

:> Not so.  Could it be that you are assuming that an 8 bit cyphertext need map
:> to an 8 bit plaintext?  It need not - and indeed in Matt's code, it
:> typically does not - an 8-bit byte cyphertext typically maps to a much
:> longer plaintext.

: I can see how the 8-bit ciphertext could effectively be the equivalent
: of a code-book header entry, and that the plaintext would be in the body
: of that entry. But I don't think that's what you mean, so I'm baffled.

Matt's code takes a message, compresses it, maps the result to a 128-bit
granular file, encrypts it, and maps the result to an 8-bit granular file.

All these operations are bijective.

Consequently (working backwards) an 8 bit cyphertext will map to a 128-bit
Rijndael block, which will be decrypted, and then transformed to a
bitstream, which is decompressed into a file.  It should be clear that
this process will not typically result in an 8-bit result.

:> I don't think "256 messages" comes into it.  The interceptors have
:> received a *particular* byte.  They are not considering what messages
:> could be transmitted by *any* single byte value, but the message that is
:> *actually* transmitted by one specific byte - the one they have
:> intercepted.

: If this is only one byte out of many, then I withdraw my bafflement -
: it's just a partial ciphertext, and that puts a completely different
: complexion on things.

The cyphertext in question was one byte long.  It was not a partial
cyphertext.

:> There are probably almost as many possible messages that could be
:> represented by that single byte as there are keys; since almost every
:> key is likely to lead to a different message.

: Okay, my layman's reasoning is that there are 2^128 keys and 2^8
: ciphertexts, so there are a total of 2^136 possible messages.

Yes - though a few of these will be duplicates of one another.

: If we are dealing with a specific key, however, then I can only see
: 256, no matter how long the key is.

Well yes - but if the attackers knew which key was in use, they would not
be performing cryptanalysis.  The OP was based on the premise that the key
was not known to the attackers.

: From Eve's perspective, however, I can easily see that there are 2^136
: /potential/ messages within that byte - but, again, only if it's part of
: a longer ciphertext.

Well, in this case there's a *particular* value specified for the byte, so
that 2^136 should probably be 2^128.  Some of these messages will be
duplicates of one another, though.

This perspective of Eve's (whose POV is that under discussion) does not
depend on the byte being part of a longer cyphertext.

: If it's on its own, there are only 256 different states which it can
: have.

Yes - though it can represent many different messages, if the key is not
known.  The key is not known to the attackers - and it is their
perspective which was given originally.

: You seem to be saying that you can encode > 256 states within an 8-bit
: byte, [...]

No - only 256 states - but each state can represent about 2^128
plaintexts, depending on the (unknown) key.
-- 
__________                  http://alife.co.uk/  http://mandala.co.uk/
 |im |yler  [EMAIL PROTECTED]  http://hex.org.uk/   http://atoms.org.uk/

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: BENNY AND THE MTB?
Date: Wed, 01 Nov 2000 23:51:47 GMT

In article <[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] wrote:
> Your conclusion appears to be false and - AFAICS - your supporting
> argument was not coherent ;-/

The argument is fairly simple. If you chop all but 8 bits of a Rijndael
block, the decryption is one of 2^120 possibilities. Therefore, if
Matt's version of "Rijndael" can in fact encrypt to a block of 8 bits
(more importantly decrypt that block) there is no possible way for it
to be the Rijndael that was reviewed as a part of the AES process,
unless he has found a major flaw in Rijndael.

I attempt to make my statements as clear as possible; sometimes I'm not
as effective as I'd like.
               Joe


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: BENNY AND THE MTB?
Date: Thu, 02 Nov 2000 00:02:01 GMT



"Tim Tyler" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Richard Heathfield <[EMAIL PROTECTED]> wrote:
> : Tim Tyler wrote:
[snip]
> Matt's code takes a message, compresses it, maps the result to
> a 128-bit granular file, encrypts it, and maps the result to
> an 8-bit granular file.

Actually that clarified the issue. Correct me if I'm wrong, but what
Matt has done is taken a file, compressed it, encrypted it, and (de)
compressed it (I'm a little hazy on whether the last step should be
considered compression or decompression). I was wrong, this can result
in even a 1-bit ciphertext, so an 8-bit ciphertext is clearly possible.
However I would still consider it proper to call it a 128-bit
ciphertext, as that should be close to the average length (there will
be tiny biases in the ciphertext which can be compressed further and
there will be encoding in the compression that adds a tiny amount of
space).
         Joe


Sent via Deja.com http://www.deja.com/
Before you buy.
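
The counting argument in Tim Tyler's post and in Joe's reply above (every step bijective, so one intercepted block stands for about as many legal plaintexts as there are keys, whereas a padded scheme lets most keys be rejected) can be made concrete with a scaled-down model. The following is an added example, not code from the digest, from Matt, or from David Scott: the 16-bit Feistel cipher, the 16-bit key, the x^3 mod 257 round function and the bijective base-26 message coding are all stand-ins invented for it, and it does not model the byte-granular to block-granular conversion the thread discusses; it works on whole blocks.

```python
"""Toy model of the counting argument: with a bijective (padding-free) mapping
between messages and blocks, every key turns an intercepted block into some
legal message.  The cipher and key size here are stand-ins for this example,
NOT Rijndael and NOT Matt's or David Scott's code."""

ROUNDS = 4


def f_box(x):
    """Fixed nonlinear byte permutation for the round function: x -> x^3 mod 257.
    gcd(3, 256) == 1 makes it a bijection on 1..255; 0 maps to 0; 256 never occurs."""
    return pow(x, 3, 257) & 0xFF


def round_keys(key):
    """Four 8-bit round keys from a 16-bit key: rotate right by 4*i, take the low byte."""
    key &= 0xFFFF
    return [(((key >> (4 * i)) | (key << (16 - 4 * i))) & 0xFFFF) & 0xFF
            for i in range(ROUNDS)]


def encrypt_block(block, key):
    """Balanced Feistel network on a 16-bit block (two 8-bit halves)."""
    left, right = block >> 8, block & 0xFF
    for rk in round_keys(key):
        left, right = right, left ^ f_box(right ^ rk)
    return (left << 8) | right


def decrypt_block(block, key):
    """Inverse of encrypt_block: undo the rounds in reverse order."""
    left, right = block >> 8, block & 0xFF
    for rk in reversed(round_keys(key)):
        left, right = right ^ f_box(left ^ rk), left
    return (left << 8) | right


def letters_to_int(msg):
    """Bijective base-26 numeration: '' -> 0, 'a' -> 1, ..., 'z' -> 26, 'aa' -> 27.
    Every string over a..z has exactly one integer and vice versa: no redundancy."""
    n = 0
    for ch in msg:
        n = n * 26 + (ord(ch) - ord('a') + 1)
    return n


def int_to_letters(n):
    """Inverse of letters_to_int."""
    out = []
    while n > 0:
        n -= 1
        out.append(chr(ord('a') + n % 26))
        n //= 26
    return ''.join(reversed(out))


def encrypt_message(msg, key):
    block = letters_to_int(msg)
    if block > 0xFFFF:
        raise ValueError("message does not fit one 16-bit block in this toy")
    return encrypt_block(block, key)


def decrypt_message(ciphertext, key):
    return int_to_letters(decrypt_block(ciphertext, key))


def padded_block_is_valid(block):
    """The redundant alternative: PKCS#7-style padding of a 2-byte block, holding
    either one printable ASCII byte followed by 0x01, or the all-padding 0x02 0x02."""
    hi, lo = block >> 8, block & 0xFF
    if lo == 1:
        return 32 <= hi < 127
    return block == 0x0202


def candidate_counts(ciphertext):
    """Try all 2^16 keys on one intercepted block.  Returns how many distinct legal
    plaintexts it can stand for under the bijective coding, and how many keys a
    padding check would accept under the redundant coding."""
    bijective_plaintexts = set()
    padded_keys_accepted = 0
    for key in range(1 << 16):
        block = decrypt_block(ciphertext, key)
        bijective_plaintexts.add(block)       # every block decodes to a legal message
        if padded_block_is_valid(block):
            padded_keys_accepted += 1         # most keys are rejected by the padding
    return {"bijective": len(bijective_plaintexts),
            "padded_keys": padded_keys_accepted}


if __name__ == "__main__":
    KEY = 0xBEEF                               # constructed sample key
    ct = encrypt_message("hi", KEY)            # constructed sample message
    print(hex(ct), decrypt_message(ct, KEY))
    print(candidate_counts(ct))
```

Run as a script it prints the ciphertext, the round-tripped message, and the two counts: the bijective coding yields many thousands of distinct legal plaintexts for the one block (scaling the thread's "about 2^128" down to a 16-bit key), while the padding check leaves only on the order of a hundred keys standing.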

------------------------------

From: Shawn Willden <[EMAIL PROTECTED]>
Subject: Re: is NIST just nuts?
Date: Tue, 31 Oct 2000 07:53:43 -0700

Tim Tyler wrote:

> Tom St Denis <[EMAIL PROTECTED]> wrote:
> :   Albert Yang <[EMAIL PROTECTED]> wrote:
>
> :> It wasn't the fastest on hardware (Serpent, Rijndael)
>
> : Hardware is *not* where we will see a lot of uses of it.
>
> I thought that was a pretty central design consideration.
>
> AES will be used in smart cards and the like.

AES will not be implemented in hardware on smart cards, just as DES is
not.  For smart cards the relevant question is how an algorithm performs
in software on simple 8-bit architectures.

Shawn.



------------------------------

From: Marcus AAkesson <[EMAIL PROTECTED]>
Crossposted-To: alt.cellular.gsm
Subject: Re: End to end encryption in GSM
Date: Thu, 02 Nov 2000 02:42:14 +0100

On Wed, 01 Nov 2000 05:36:51 GMT, matt weber <[EMAIL PROTECTED]>
wrote:

>The commercial product's encryption capability will be severely
>constrained by US export law.

Not applicable. Sectra doesn't care about US export laws since they
are not re-exporting US cryptography.


/Marcus

-- 
Marcus AAkesson          [EMAIL PROTECTED]
Gothenburg               Callsigns: SM6XFN & SB4779
Sweden
>>>>>> Keep the world clean - no HTML in news or mail ! <<<<<<

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: BENNY AND THE MTB?
Date: 2 Nov 2000 01:57:19 GMT

[EMAIL PROTECTED] wrote in <8tqaaf$s4v$[EMAIL PROTECTED]>:

>In article <[EMAIL PROTECTED]>,
>  [EMAIL PROTECTED] wrote:
>> Your conclusion appears to be false and - AFAICS - your supporting
>> argument was not coherent ;-/
>
>The argument is fairly simple. If you chop all but 8 bits of a Rijndael
>block, the decryption is one of 2^120 possibilities. Therefore, if
>Matt's version of "Rijndael" can in fact encrypt to a block of 8 bits
>(more importantly decrypt that block) there is no possible way for it
>to be the Rijndael that was reviewed as a part of the AES process,
>unless he has found a major flaw in Rijndael.
>

  If he found a flaw in Rijndael then he never shared it with me.
However, since it appears you can't read code, I will tell you a
test someone like you could do with Matt's code to check if it's
Rijndael. I doubt you will check since you seem so correct in
your false belief, and I have seen people like you that suffer mental
breakdowns if too much truth is revealed at once. But here goes:

 Use a real short file. But look at his code and put a lot of
printf statements in, especially where it calls the Rijndael
block encryption routine. And you can take that data and
run it through someone else's version of Rijndael and see
if it treats a block the way you feel it should be treated.
I think you will be surprised. It does use Rijndael;
that, my friend, has nothing to do with making it run in a
full bijective unadulterated 1-1 permutative type of program.



David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
        http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website **now all allowed**
        http://members.xoom.com/ecil/index.htm
Scott LATEST UPDATED source for scott*u.zip
        http://radiusnet.net/crypto/  then look for
  sub directory scott after pressing CRYPTO
Scott famous Compression Page
        http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMERS***
I leave you with this final thought from President Bill Clinton:

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: BENNY AND THE MTB?
Date: 2 Nov 2000 02:05:57 GMT

[EMAIL PROTECTED] (Tim Tyler) wrote in <[EMAIL PROTECTED]>:

>[EMAIL PROTECTED] wrote:
>
>: Let's start with the obvious stupidities.
>: 1) A Rijndael block of "1 byte"
>: Truth : Rijndael is a 128-bit block cipher, there is not way to make it
>: generate a single byte output that is decryptable
>
>Surely you are mistaken.  You might like to look at what Matt has done.

   Tim, this guy is either a Tommy false identity or an NSA troll
that is trying to mislead people with his babble. Anyone with
any intelligence would test the program first instead of spouting
the crap this guy is spouting. I could see them attacking without
checking if there was no code. But there is simple portable code.
If the guy or Tom had any honesty they would check it themselves
instead of this rant that only their view of reality is possible.
My code may be hard to read or port. But Matt's is in the modern
way of doing things and is portable. Not sure what else we can
offer some of these people short of a brain transplant.
  Sure, it's possible the version of approved Rijndael has a bug,
and if one is found it will most likely be corrected in a few days.
But these assholes will rag on the error if one occurs as a total
vindication of the crap they are spouting. The same if Matt missed
a bijective case. It would be fixed in a day or two if any is found.


David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
        http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website **now all allowed**
        http://members.xoom.com/ecil/index.htm
Scott LATEST UPDATED source for scott*u.zip
        http://radiusnet.net/crypto/  then look for
  sub directory scott after pressing CRYPTO
Scott famous Compression Page
        http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMERS***
I leave you with this final thought from President Bill Clinton:

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: BENNY AND THE MTB?
Date: 2 Nov 2000 02:23:38 GMT

[EMAIL PROTECTED] wrote in <8tqatk$slb$[EMAIL PROTECTED]>:

>
>
>"Tim Tyler" <[EMAIL PROTECTED]> wrote in message
>news:[EMAIL PROTECTED]...
>> Richard Heathfield <[EMAIL PROTECTED]> wrote:
>> : Tim Tyler wrote:
>[snip]
>> Matt's code takes a message, compresses it, maps the result to
>> a 128-bit granular file, encrypts it, and maps the result to
>> an 8-bit granular file.
>
>Actually that clarified the issue. Correct me if I'm wrong, but what
>Matt has done is taken a file, compressed it, encrypted it, and (de)
>compressed it (I'm a little hazy on whether the last step should be

  Well, I am sure I can't speak the proper words to explain what he
has done. But the compression is not to a 128-bit granular file
(at least not in my mind) but to an infinite finitely odd file,
which has no granularity. It has no end. But the last one that
occurs in the string of bits is a finite distance away.
When he encrypts he is grabbing a proper block size but then
is modifying it to that finitely odd infinite file.
Then he converts that file back to one that has 8-bit granularity.
 
>considered compression or decompression). I was wrong, this can result
>in even a 1-bit ciphertext, so an 8-bit ciphertext is clearly possible.
>However I would still consider it proper to call it a 128-bit
>ciphertext, as that should be close to the average length (there will
>be tiny biases in the ciphertext which can be compressed further and
>there will be encoding in the compression that adds a tiny amount of
>space).
>         Joe

  Actually the final output can be any number of bytes.

David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
        http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website **now all allowed**
        http://members.xoom.com/ecil/index.htm
Scott LATEST UPDATED source for scott*u.zip
        http://radiusnet.net/crypto/  then look for
  sub directory scott after pressing CRYPTO
Scott famous Compression Page
        http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMERS***
I leave you with this final thought from President Bill Clinton:

------------------------------

From: "Big Jase" <[EMAIL PROTECTED]>
Crossposted-To: alt.cellular.gsm
Subject: Re: End to end encryption in GSM
Date: Wed, 1 Nov 2000 20:51:38 -0600


> How do you know whether it is secure or not?

How do you know any algorithm/mechanism/protocol is secure? You don't. You
of all people should know this.


>    The GSM consortium also claimed that their cellphones were secure,
>    but things didn't turn out quite so well for them.

But you have to ask yourself two questions:

1. Despite your vastly hyped claims, is COMP128-1 being defeated in the
field today to bill calls to someone else's account?

2. Despite your vastly hyped claims, is A5/1 being cracked in real time in
the field today?


By the way, where is Ian these days? He's keeping a very low profile.




------------------------------

From: [EMAIL PROTECTED]
Subject: testing -- Deja says no discussions here
Date: Thu, 02 Nov 2000 04:25:07 GMT

 Deja said that there are no discussions here.

Zulu time: 2000a11l02d04h24m

--
| ||        \         __/__  /   \  _/_   | ||   /
|     _|_  ,--, /   \  /_    |  -+- / ,-. |     /
|    V T_)    | |   |    \   |   |        |    / _
 \_/   +     /  `'  '  __/   \   /    `-'  \_/ L/ \


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: "John A. Malley" <[EMAIL PROTECTED]>
Subject: Re: Open Request to Dr. Kaliski, Jr. at RSA Research - looking for your 
Date: Wed, 01 Nov 2000 20:48:08 -0800

David Wagner wrote:
> 
> John A. Malley wrote:
> [... prng : G -> G is a group homomorphism, as is c : G -> G ...]
> >Show there is an "analog" for the ciphertext-only attack on the output
> >of a LCG encrypted with ElGamal (as outline in the draft paper) for the
> >output of prng() enciphered by c() as defined on the group G?
> 
> I still don't understand what this should mean.  A prng() takes a short
> random seed and stretches it into a long output.  Your prng() takes a
> short seed and gives a same-size output, so you can only use it for
> one signature.  A scheme that can only be used to sign one message
> is probably not too interesting.  Did you mean something different?
> I'm sure I must be misunderstanding.

(Forgive the delayed response, Dr. Wagner, I've been stuck in bed for
over a day with viral induced vertigo - makes it hard to type when the
keyboard continuously swoops from left to right :-)

Yes, I did mean something different.
 
Consider a simple LCG such as x[i+1] = a*x[i] mod p, where p is a prime,
and x[0] gets an initial seed value S where S is a value in the set {1
.. p-1} = Z*p.  This PRNG takes the previous output and multiplies it by
a fixed factor a and reduces the product modulo p for the next PRNG
output.  A "good" PRNG should generate each number in the set Z*p once
before it repeats. Z*p is a cyclic group.  A generator g on this group
will generate each value in Z*p. 

Let a be a generator g on Z*p.  Then x[i+1] = ( S * g^i ) mod p for i in
{1 .. p-1}. Now S itself is generated by some value k in the set
{1 .. p-1}. The output of the LCG as PRNG can be rewritten as x[i+1] =
( g^(i+k) ) mod p.  And the PRNG output for this LCG can be represented as
x[i+1] = ( g^(i+k) ) mod p for i = 1, 2, 3, ... p-1.

Let S = 1. The generator g takes the set {1, 2, 3, ... p-1} and
transforms it into the set Output = {g^1, g^2, g^3, ... g^(p-1)}, where
each successive element in the set Output is the successive output of
the PRNG.

Let S = k. The generator g takes the set {1+k, 2+k, 3+k, ... p-1+k} and
transforms it into the set Output = {g^(1+k) mod p, g^(2+k) mod p,
... g^(p-1+k) mod p}. The input set can be written as {1+k mod p, 2+k mod
p, 3+k mod p, ... p-1+k mod p} to become {1+k, 2+k, ... p-1, 1, 2, 3, ...
k} which is a shift by k of the integers from 1 ... p-1, modulo p.

The output of such an LCG which included every number from 1 to p-1 is
then enciphered by ElGamal, a cipher that is an isomorphism on Z*p.  The
pseudo-random number output of the LCG is used as the random exponent in
the ElGamal cipher. The enciphered output from ElGamal is the supposed
cryptographically secure (i.e. unpredictable) PRNG output, and
cryptographic security is defined as equivalence to solving the discrete
logarithm problem on Z*p. But in the draft paper an attack is shown that
does not require solving the discrete logarithm problem.  This attack
relies on the public key of ElGamal acting as a generator on the group
Z*p. 

I propose (am going) to show this attack actually depends on the
properties of the group Z*p - describe the attack in terms of
relationships between generators on Z*p.

Next step is to generalize the attack.   Define a PRNG that is an
isomorphism/homomorphism on a group G that is isomorphic/homomorphic to
Z*p (so G is cyclic and has generators). Take its output and encipher it
with  a cipher that is an isomorphism/homomorphism on another group H
that is isomorphic/homomorphic to Z*p (so H is cyclic and has
generators.) Finally, show the attack in terms of relationships between
generators on the groups G and H. 


John A. Malley
[EMAIL PROTECTED]
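
The relations the post relies on (a generator as LCG multiplier visits all of Z*p once per period, x[i] = g^(i+k) mod p when the seed is g^k, and changing the seed only rotates the sequence by k) can be checked numerically. The following is an added example, not code from the post or from the draft paper it refers to; the small prime p = 251, the offset k = 7 and the brute-force order and discrete-log helpers are choices made for this illustration.

```python
"""Worked check of the LCG / generator relations: brute-force helpers and a
small prime, added as illustration only (not from the post or the draft paper)."""


def order_mod(g, p):
    """Multiplicative order of g in Z*p (brute force; fine for small p)."""
    x, n = g % p, 1
    while x != 1:
        x = (x * g) % p
        n += 1
    return n


def is_generator(g, p):
    """g generates the cyclic group Z*p iff its order is p - 1."""
    return order_mod(g, p) == p - 1


def smallest_generator(p):
    return next(g for g in range(2, p) if is_generator(g, p))


def lcg(a, p, seed, n):
    """x[i+1] = a * x[i] mod p, started from x[0] = seed; returns x[1], ..., x[n]."""
    out, x = [], seed % p
    for _ in range(n):
        x = (a * x) % p
        out.append(x)
    return out


def lcg_period(a, p, seed):
    """Steps until the LCG returns to its seed: the order of a when gcd(seed, p) == 1."""
    x, n = (a * seed) % p, 1
    while x != seed % p:
        x = (a * x) % p
        n += 1
    return n


def seed_offset(g, seed, p):
    """Discrete log of the seed to base g (brute force): the k with seed = g^k mod p."""
    return next(k for k in range(p - 1) if pow(g, k, p) == seed % p)


def check_relations(p, k):
    """For prime p and seed S = g^k verify the three facts the post uses:
    1. with a = g a generator, the LCG visits every element of Z*p once per period;
    2. x[i] = g^(i+k) mod p;
    3. the seed-g^k sequence is the seed-1 sequence rotated left by k;
    and show that a non-generator multiplier (g^2) gives a shorter period."""
    g = smallest_generator(p)
    base = lcg(g, p, 1, p - 1)                 # seed S = 1
    seed = pow(g, k, p)
    shifted = lcg(g, p, seed, p - 1)           # seed S = g^k
    full_cycle = sorted(base) == list(range(1, p))
    power_form = shifted == [pow(g, i + k, p) for i in range(1, p)]
    rotation = shifted == base[k:] + base[:k]
    short_period = lcg_period(pow(g, 2, p), p, 1)   # g^2 has order (p-1)/2
    return {"g": g, "k_recovered": seed_offset(g, seed, p),
            "full_cycle": full_cycle, "power_form": power_form,
            "rotation": rotation, "short_period": short_period}


if __name__ == "__main__":
    # p = 251 and k = 7 are constructed sample values
    print(check_relations(251, 7))
```

The `k_recovered` entry makes the post's last point visible: once the multiplier is known to be a generator, the seed is just a discrete logarithm away, which is why the security of any construction layered on top of such an LCG has to come from the enciphering step rather than from the PRNG itself.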

------------------------------

From: "John A. Malley" <[EMAIL PROTECTED]>
Subject: Re: testing -- Deja says no discussions here
Date: Wed, 01 Nov 2000 20:51:56 -0800


[EMAIL PROTECTED] wrote:
> 
>  Deja said that there are no discussions here.
> 
> Zulu time: 2000a11l02d04h24m
> 

Seen it too, several times. That message seems to appear at the end of
every month. Maybe it has something to do with their archiving
routines.

John A. Malley
[EMAIL PROTECTED]

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
