Cryptography-Digest Digest #522, Volume #13 Mon, 22 Jan 01 12:13:01 EST
Contents:
Re: 32768-bit cryptography (Tom St Denis)
Re: Dynamic Transposition Revisited (long) (Mok-Kong Shen)
Re: Dynamic Transposition Revisited (long) (John Savard)
Easy question for you guys... (CoyoteRed)
Re: 32768-bit cryptography ("Scott Fluhrer")
Re: 3G crypto algorithms (Arturo)
Re: 32768-bit cryptography (Arturo)
Re: cryptographic tourism in Russia (Arturo)
Re: Easy question for you guys... (Bob Silverman)
Re: Why Microsoft's Product Activation Stinks (phil hunt)
Block algorithm on variable length without padding - redux ("N. Weicher")
Re: 32768-bit cryptography (Tom St Denis)
Re: using AES finalists in series? (John Myre)
Re: Easy question for you guys... (Splaat23)
Re: using AES finalists in series? (John Myre)
Re: Differential Analysis (John Myre)
----------------------------------------------------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: 32768-bit cryptography
Date: Mon, 22 Jan 2001 13:02:02 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (Niklas Frykholm) wrote:
> In article <94aqn0$qrs$[EMAIL PROTECTED]>, lemaymd wrote:
> > Bermuda Triangle 2001 is an extremely fast, easy-to-use and secure
> >cryptography engine. It is based on a new, 32768-bit algorithm of the same
> >name.
>
> And I thought I'd never find any use for that 32768 bit password I
> memorized...
It's funnier than that. After his "key schedule" it's really just 4096 8-bit
block ciphers in parallel.
Just because he reads 4096-bytes at a time doesn't mean it works on all the
bytes at a time.
Besides, it doesn't appear to be a hard cipher to break. I bet with
under a meg of known plaintext/ciphertext I could easily break it (to be
exact with a meg of chosen plaintext you can break his cipher with a 100%
probability).
Tom
Sent via Deja.com
http://www.deja.com/
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Dynamic Transposition Revisited (long)
Date: Mon, 22 Jan 2001 14:19:36 +0100
Terry Ritter wrote:
>
[snip]
> Dynamic Substitution is the idea of enciphering data through a keyed
> Simple Substitution table, and then changing the contents of that
> table. When a character is enciphered through a table, that
> particular table transformation may be exposed. We can prevent that
> by changing the just-used table entry to some entry in the table (even
> itself), selected at pseudo-random. We thus get a state-based,
> dynamic, combiner of data and RNG confusion, which is nonlinear and
> yet reversible. Dynamic Substitution is a stream cipher combiner.
In a recent article ('Another poorman's cipher', 15th Jan)
I mentioned that the common way of employing a PRNG's
output as key to address a polyalphabetical substitution
table leads one to consider a fairly computing intensive,
though very simple to implement, special case where the
substitution table consists of one single column only and
that column is newly generated for each input character
to be encrypted. Is your scheme virtually the same? (From
your description it seems that you keep a large but fixed
table.) Thanks.
M. K. Shen
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Dynamic Transposition Revisited (long)
Date: Mon, 22 Jan 2001 13:05:04 GMT
On Mon, 22 Jan 2001 07:07:48 GMT, [EMAIL PROTECTED] (Terry Ritter) wrote,
in part:
>On Mon, 22 Jan 2001 00:02:04 GMT, in
><[EMAIL PROTECTED]>, in sci.crypt
>[EMAIL PROTECTED] (John Savard) wrote:
>Somewhere there is a reference which continues to corrupt the minds of
>people coming into cryptography. It deludes them into believing the
>OTP is mathematically proven to be unbreakable in practice. I would
>love to find exactly what that reference is. Then maybe we could stop
>all this nonsense before it starts.
The Codebreakers, David Kahn. Chapter 13: "Secrecy for Sale".
>>>The unexpected advantage of Dynamic Transposition is that a plethora
>>>of different permutations produce exactly the same ciphering result.
>>>This would seem to hide the exact permutation used, and thus also hide
>>>any attempt to define the shuffling sequence by moving back from a
>>>known permutation.
>>But that's not an advantage that can't be obtained with substitution.
>The advantage cannot be obtained by substitution.
>I have seen you say that, but I have absolutely no idea what you could
>possibly mean by it.
>>Suppose we enciphered a message using DES, except that the subkeys are
>>generated by some sort of stream cipher. Each 48-bit subkey could be
>>replaced with any member (including itself) from a set of 2^16 subkeys
>>that give the same result.
>How is it that these different keys give the same result?
The same result _for a specific given input block_, just as for a
specific input block in Dynamic Transposition, two bits can both be
1s.
Essentially, to obtain a given f-function output from a given
f-function input in DES, it is sufficient to control the middle four
bits of every six in the 48-bit subkey; the other two bits can have
any value. 4 bits -> any one of 4 S-boxes -> XOR with an arbitrary
value -> any 4 bits you like.
>There is only one permutation per block in Dynamic Transposition. I
>do recommend shuffling twice, only to prevent someone who knows the
>actual permutation from attacking the RNG sequence. But that idea is
>really getting in the way of comprehension, because that is not the
>main source of strength in the system. In the end, there is just some
>permutation.
Four rounds of DES with subkeys that change per block are exactly
analogous.
>>It might have the advantage that successive permutations are harder to
>>unravel than successive XORs, or even additions alternating with XORs.
>"Might?"
I could have said here 'It is likely to have...', but the point is: a)
we don't know how well The Opponent understands permutation groups,
and b) some analysis of the mathematical properties involved is needed
to say much more.
>>And there is the theoretical interest of showing that, fundamentally,
>>a transposition can be, inherently, just as secure as a substitution.
>Dynamic Transposition is vastly more secure than a substitution.
>You will have to define what you mean by "substitution" though, since
>you appear to be describing DES as "substitution."
>Modern block ciphers do attempt to emulate large simple substitutions.
>They are given "large enough" keyspaces to prevent brute-force attacks
>on keys. But nobody should have any delusions about the extent to
>which they actually produce all N! possible cipherings.
Dynamic transposition may produce all n! possible permutations of the
bits involved; it DOES NOT produce all ( n! / ((n/2)!(n/2)!) )!
mappings of the set of balanced n-bit strings onto itself any more
than DES produces all (2^64)! possible block substitutions.
This is a mistake that, frankly, I'm surprised at you for making. But
we all slip up, and it's looking like this false assumption is at the
root of some of your claims for Dynamic Transposition as against
substitution.
And with substitution, unlike Dynamic Transposition, instead of being
stuck with one set of n! substitutions, one can use steps of different
kinds so that instead of just having, say, all 2^n possible mappings
obtained by XORing an n-bit block with an n-bit key, one can explore
the space of (2^n)! permutations more deeply - depending on how much
key we use, and how complicated a structure we give the cipher.
>>But because it seems to be stuck with a bandwidth problem
>In my experience with actually running such a cipher, bit-balancing
>adds 25 percent to 33 percent to simple ASCII text. The 1/3 value was
>given both in the "Revisited" article, as well as the original
>Cryptologia article on my pages. And if the text is compressed first,
>there will be even less expansion. If you see even a 33 percent
>expansion as a show-stopping amount, a "bandwidth problem," I think
>you need to pause for re-calibration.
You would be right, unless
>>when taken
>>'straight', and because its advantages can mostly be matched within
>>the substitution world,
>Simply false.
I happen to be right _here_.
John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm
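An added worked example (my code, not Savard's or Ritter's) for the two counts in the post above: for small even n it enumerates the n! bit permutations, counts how many distinct mappings of the balanced n-bit strings onto themselves they realise against the ( n!/((n/2)!(n/2)!) )! bijections that exist, and checks Ritter's point that for one specific block many permutations give the same result.

```python
# Added example (not code from the thread): the counts behind Savard's argument.
from itertools import combinations, permutations
from math import comb, factorial


def balanced_strings(n):
    """Every n-bit string with exactly n/2 one-bits (n even), as a bit tuple."""
    return [tuple(1 if i in ones else 0 for i in range(n))
            for ones in combinations(range(n), n // 2)]


def transpose(perm, bits):
    """One Dynamic Transposition step: output position i takes input bit perm[i]."""
    return tuple(bits[perm[i]] for i in range(len(bits)))


def distinct_transposition_maps(n):
    """Number of *different* mappings of the balanced set onto itself that the
    n! bit permutations can realise (at most n!, since each perm gives one map)."""
    bal = balanced_strings(n)
    return len({tuple(transpose(p, s) for s in bal) for p in permutations(range(n))})


def all_balanced_bijections(n):
    """Savard's figure: ( n! / ((n/2)!(n/2)!) )! bijections on the balanced strings."""
    return factorial(comb(n, n // 2))


def perms_per_output(block):
    """Ritter's observation: for ONE block, many permutations give the same
    ciphertext. Returns {output block: number of permutations producing it};
    every balanced output is hit by exactly (n/2)! * (n/2)! permutations."""
    n = len(block)
    counts = {}
    for p in permutations(range(n)):
        out = transpose(p, block)
        counts[out] = counts.get(out, 0) + 1
    return counts


if __name__ == "__main__":
    for n in (4, 6):
        print(n, distinct_transposition_maps(n), "of", all_balanced_bijections(n))
    print(perms_per_output((1, 1, 0, 0)))   # constructed 4-bit balanced block
```

For n=4 the permutations give 24 of the 720 possible bijections; for n=6 it is 720 of 20!, which is the gap the post describes.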
------------------------------
From: CoyoteRed <[EMAIL PROTECTED]>
Subject: Easy question for you guys...
Reply-To: This NewsGroup unless otherwise directed!
Date: Mon, 22 Jan 2001 13:43:03 GMT
I want to take four 8 bit numbers and create a number that can't be
converted back by an amateur. Resolution can be 12 - 16 bits.
Here is what I'm trying to do. I want to take an IP number and give it
a not-so unique number. The number of IP's to be converted range maybe
in the 10-50 range, so I think that should be sufficient.
What I'm trying to do is identify a poster on a bulletin board without
giving out the IP or computer name. (or force user names and
passwords)
Here's the kicker, I want to use simple math that is available in
Perl, in the fewest lines possible, and be easy enough to understand
that almost anyone can follow the math. But be unable to reverse the
process easily.
TIA
CR
------------------------------
From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Subject: Re: 32768-bit cryptography
Date: Mon, 22 Jan 2001 06:43:42 -0800
Tom St Denis <[EMAIL PROTECTED]> wrote in message
news:94hb07$dgj$[EMAIL PROTECTED]...
> In article <[EMAIL PROTECTED]>,
> [EMAIL PROTECTED] (Niklas Frykholm) wrote:
> > In article <94aqn0$qrs$[EMAIL PROTECTED]>, lemaymd wrote:
> > > Bermuda Triangle 2001 is an extremely fast, easy-to-use and secure
> > >cryptography engine. It is based on a new, 32768-bit algorithm of the same
> > >name.
> >
> > And I thought I'd never find any use for that 32768 bit password I
> > memorized...
>
> It's funnier than that. After his "key schedule" it's really just 4096 8-bit
> block ciphers in parallel.
>
> Just because he reads 4096-bytes at a time doesn't mean it works on all the
> bytes at a time.
>
> Besides, it doesn't appear to be a hard cipher to break. I bet with
> under a meg of known plaintext/ciphertext I could easily break it (to be
> exact with a meg of chosen plaintext you can break his cipher with a 100%
> probability).
I thought I outlined how to break it with considerably less known plaintext
than that. In addition, I've been looking further at that (and, yes, I
don't have a life -- why do you ask?). It appears (at first glance) that it
shouldn't be that difficult to rederive the plaintext/key from 16-20k with a
ciphertext-only attack, if the plaintext was known to be (say) ASCII
English. If anyone wants to be bored with the details, ask.
--
poncho
------------------------------
From: Arturo <[EMAIL PROTECTED]=NOSPAM>
Subject: Re: 3G crypto algorithms
Date: Mon, 22 Jan 2001 15:57:22 +0100
On 19 Jan 2001 21:32:57 +0100, [EMAIL PROTECTED] (David B.
Hoeffer) wrote:
>[EMAIL PROTECTED] (Janos A. Csirik) writes:
>
>> However, the way in which these documents are made public is
>> unlikely to result in immediate gratification for those who would
>> just like to go in and look at the crypto algorithms.
>> http://www.research.att.com/~janos/3gpp.html
>
>Thank you very much. I have spent half an hour searching on the etsi
>and 3gpp sites and than gave it up. I suspect there's some kind of
>secret page telling you where to find things :)
IIRC, there's a section in ETSI where you can download technical papers,
and that includes -hope my neurons are not on vacation- the algorithms for 3G
encryption.
You have to register in order to DL them. The trick is, while
registration is confirmed, you are allowed to DL 3 docs. So you can register
with a bogus name/id and get your 3 docs. Then do it again.
------------------------------
From: Arturo <[EMAIL PROTECTED]=NOSPAM>
Subject: Re: 32768-bit cryptography
Date: Mon, 22 Jan 2001 15:58:25 +0100
On Fri, 19 Jan 2001 19:44:35 -0600, "lemaymd" <[EMAIL PROTECTED]> wrote:
>To all interested:
> Bermuda Triangle 2001 is an extremely fast, easy-to-use and secure
>cryptography engine. It is based on a new, 32768-bit algorithm of the same
>name. Algorithm details can be found at my site as well as a software
>product that uses the algorithm, Bermuda Triangle 2001 Golden Edition. I
>also have a free cryptography engine that uses a similar (but incompatible)
>algorithm available for download. Visit the site at:
>http://www.bermudatriangle.f2s.com/
>These software packages are written entirely in 32-bit, win32 assembly
>language and I can encrypt or decrypt an 8.4MB file on my Pentium(R) 166 in
>8 seconds. Please give me your feedback!
>
>
Beep, beep, beep, snake-oil alert.
------------------------------
From: Arturo <[EMAIL PROTECTED]=NOSPAM>
Subject: Re: cryptographic tourism in Russia
Date: Mon, 22 Jan 2001 16:03:01 +0100
On Sun, 21 Jan 2001 14:00:59 GMT, [EMAIL PROTECTED] wrote:
>As a high-tech person interested in cryptography, espionage,
>telecommunications, internet, satellite systems and a related gamut of
>topics, I would like to visit interesting places in Moscow and St Petersburg
>on my impending tourist jaunt there. For instance, visiting buildings that
>were or are, the equivalent of the NSA and GCHQ, or whatever other relevant
>sites. Can readers offer me suggestions ?
>
Once I was driven from St Petersburg to Petrodvorets somewhere south of
it (great palace, like Versailles, I recommend it). Somewhere along the trip I
saw a lot of antennas, a whole forest. The guide told me it was some sort of
communications installation for the Navy, but I don't remember well. Anyway,
keep an eye on it.
And do tell us about your findings in a reasonable time (or else we'll
have to call in Amnesty International;-) )
------------------------------
From: Bob Silverman <[EMAIL PROTECTED]>
Subject: Re: Easy question for you guys...
Date: Mon, 22 Jan 2001 15:07:39 GMT
In article <[EMAIL PROTECTED]>,
This NewsGroup unless otherwise directed! wrote:
> I want to take four 8 bit numbers and create an number that can't be
> converted back by an amateur.
Converted "back" to WHAT?
> Resolution can be 12 - 16 bits.
>
> Here is what I'm trying to do. I want to take an IP number and give it
> a not-so unique number. The number of IP's to be converted range maybe
> in the 10-50 range, so I think that should be sufficient.
>
> What I'm trying to do is identify a poster on a bulletin board without
> giving out the IP or computer name. (or force user names and
> passwords)
>But be unable to reverse the
Impossible. 32 bits is easily reversed, no matter what process
you use.
--
Bob Silverman
"You can lead a horse's ass to knowledge, but you can't make him think"
Sent via Deja.com
http://www.deja.com/
------------------------------
From: [EMAIL PROTECTED] (phil hunt)
Crossposted-To: or.politics,talk.politics.crypto,misc.survivalism,us.issues
Subject: Re: Why Microsoft's Product Activation Stinks
Date: Mon, 22 Jan 2001 14:43:45 +0000
On Sun, 21 Jan 2001 14:23:54 -0800, Matthew Montchalin <[EMAIL PROTECTED]> wrote:
>On Sat, 20 Jan 2001, Anthony Stephen Szopa wrote:
>|Did Microsoft do it again?
>|
>|I read in MicroTimes a week or so ago that Microsoft has added a
>|"new" anti-piracy feature to their soon to be released new Operating
>|System.
>|
>|In the article it said that the user would have to contact Microsoft
>|and run a registration program, the output of which would send a
>|message to MS, whereupon MS would use this information to generate
>|a password and send it back to the user unlocking or enabling the
>|OS software.
>
>Why stop there? Wouldn't MS provide itself with a backdoor to any
>OS they offer to the public?
Probably.
--
*****[ Phil Hunt ***** [EMAIL PROTECTED] ]*****
"An unforeseen issue has arisen with your computer. Don't worry your
silly little head about what has gone wrong; here's a pretty animation
of a paperclip to look at instead." -- Windows2007 error message
------------------------------
Reply-To: "N. Weicher" <[EMAIL PROTECTED]>
From: "N. Weicher" <[EMAIL PROTECTED]>
Subject: Block algorithm on variable length without padding - redux
Date: Mon, 22 Jan 2001 15:45:03 GMT
Scott Fluhrer was kind enough to offer the following reply to my question:
> That doesn't work: You don't need to know the key to get the final partial
> block, and *neither does the attacker*. Doing:
> C(N) = P(N) ^ E(C(N-1))
> would work...
My question is: would the technique shown above be just as secure as the
full "ciphertext stealing in CBC mode" outlined on pages 195/196 in "Applied
Cryptography"?
Thanks.
Neil
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: 32768-bit cryptography
Date: Mon, 22 Jan 2001 16:07:03 GMT
In article <94hh9v$gpg$[EMAIL PROTECTED]>,
"Scott Fluhrer" <[EMAIL PROTECTED]> wrote:
>
> Tom St Denis <[EMAIL PROTECTED]> wrote in message
> news:94hb07$dgj$[EMAIL PROTECTED]...
> > In article <[EMAIL PROTECTED]>,
> > [EMAIL PROTECTED] (Niklas Frykholm) wrote:
> > > In article <94aqn0$qrs$[EMAIL PROTECTED]>, lemaymd wrote:
> > > > Bermuda Triangle 2001 is an extremely fast, easy-to-use and secure
> > > >cryptography engine. It is based on a new, 32768-bit algorithm of the same
> > > >name.
> > >
> > > And I thought I'd never find any use for that 32768 bit password I
> > > memorized...
> >
> > It's funnier than that. After his "key schedule" it's really just 4096 8-bit
> > block ciphers in parallel.
> >
> > Just because he reads 4096-bytes at a time doesn't mean it works on all the
> > bytes at a time.
> >
> > Besides, it doesn't appear to be a hard cipher to break. I bet with
> > under a meg of known plaintext/ciphertext I could easily break it (to be
> > exact with a meg of chosen plaintext you can break his cipher with a 100%
> > probability).
>
> I thought I outlined how to break it with considerably less known plaintext
> than that. In addition, I've been looking further at that (and, yes, I
> don't have a life -- why do you ask?). It appears (at first glance) that it
> shouldn't be that difficult to rederive the plaintext/key from 16-20k with a
> ciphertext-only attack, if the plaintext was known to be (say) ASCII
> English. If anyone wants to be bored with the details, ask.
Well you could mount a linear attack with a prob of 1/8th very easily. Just
guess the rotation amount then you are set.
Tom
Sent via Deja.com
http://www.deja.com/
------------------------------
From: John Myre <[EMAIL PROTECTED]>
Subject: Re: using AES finalists in series?
Date: Mon, 22 Jan 2001 09:28:42 -0700
Terry Ritter wrote:
<snip>
> Now, I had no illusions about actually winning; no
> tiny company is going to win such a contest.
<snip>
I don't know why you say this, unless you mean that no tiny
company could afford to create an adequate entry. The actual
winner is certainly not from a big company; one author works
at a university, which has the Rijndael web site:
http://www.esat.kuleuven.ac.be/~rijmen/rijndael/
http://www.esat.kuleuven.ac.be/
and the other actually has a job (*) but you can't say that
the company (Proton World) is a major player; their web site
http://www.protonworld.com
doesn't exactly trumpet AES.
I hope you didn't mean to imply that NIST would/did show
favoritism toward companies with a lot of money.
JM
(*) With apologies toward those who work in education. It's
only a turn of phrase, OK?
------------------------------
From: Splaat23 <[EMAIL PROTECTED]>
Subject: Re: Easy question for you guys...
Date: Mon, 22 Jan 2001 16:30:36 GMT
You could obviously just use the first n bits of a SHA-1 hash. But even
that will not prevent a brute-force attack which, with only 2^32 possible
inputs, will not be difficult. The inputs aren't even random - there is
not a full 32 bits of entropy in an IP address. Plus, collisions can be
generated with fewer inputs than that even.
- Andrew
In article <[EMAIL PROTECTED]>,
This NewsGroup unless otherwise directed! wrote:
> I want to take four 8 bit numbers and create an number that can't be
> converted back by an amateur. Resolution can be 12 - 16 bits.
>
> Here is what I'm trying to do. I want to take an IP number and give it
> a not-so unique number. The number of IP's to be converted range maybe
> in the 10-50 range, so I think that should be sufficient.
>
> What I'm trying to do is identify a poster on a bulletin board without
> giving out the IP or computer name. (or force user names and
> passwords)
>
> Here's the kicker, I want to use simple math that is available in
> Perl, in the fewest lines possible, and be easy enough to understand
> that almost anyone can follow the math. But be unable to reverse the
> process easily.
>
> TIA
>
> CR
>
Sent via Deja.com
http://www.deja.com/
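An added example (my code, not from the thread, and in Python rather than the Perl CoyoteRed asked for) illustrating Silverman's and Splaat23's point: a truncated unkeyed SHA-1 of an IP is undone by enumerating the small input space, whereas a keyed hash under a secret the board keeps (HMAC, my assumption, not something proposed in the thread) leaves nothing to enumerate against. The addresses are constructed from the 192.0.2.0/24 documentation range, and the search over an assumed /16 is only a demonstration of the input space being small.

```python
# Added example (not code from the thread): unkeyed truncated hash vs keyed hash
# as a short poster pseudonym for an IPv4 address.
import hashlib
import hmac
from math import exp


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def weak_tag(ip, bits=16):
    """Splaat23's suggestion: the first `bits` of SHA-1(ip). Nothing is secret."""
    digest = hashlib.sha1(ip_to_bytes(ip)).digest()
    return int.from_bytes(digest, "big") >> (160 - bits)


def invert_weak_tag(tag, prefix16, bits=16):
    """Silverman's point: with no secret, the tag is reversed by trying every
    input. A single /16 (65536 addresses, assumed here for the demo) already
    recovers the poster's address; the full 2^32 space is not much harder."""
    a, b = (int(x) for x in prefix16.split("."))
    hits = []
    for c in range(256):
        for d in range(256):
            ip = f"{a}.{b}.{c}.{d}"
            if weak_tag(ip, bits) == tag:
                hits.append(ip)
    return hits


def keyed_tag(ip, key, bits=16):
    """Keyed alternative (my assumption, not proposed in the thread): HMAC-SHA256
    under a secret the board keeps server-side. Without `key` there is nothing
    to enumerate against; the same IP still maps to the same short tag."""
    mac = hmac.new(key, ip_to_bytes(ip), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") >> (256 - bits)


def collision_probability(posters, bits=16):
    """Birthday estimate that two of `posters` distinct IPs share a `bits`-bit tag
    (the 'not-so unique' part of the question; about 1.9% for 50 posters)."""
    return 1 - exp(-posters * (posters - 1) / (2 * 2 ** bits))


if __name__ == "__main__":
    ip = "192.0.2.77"                           # constructed address
    tag = weak_tag(ip)
    print(tag, invert_weak_tag(tag, "192.0"))   # the poster's IP is in this list
    key = b"constructed-demo-key"               # in practice: random, kept secret
    print(keyed_tag(ip, key), collision_probability(50))
```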
------------------------------
From: John Myre <[EMAIL PROTECTED]>
Subject: Re: using AES finalists in series?
Date: Mon, 22 Jan 2001 09:46:00 -0700
Terry Ritter wrote:
<snip>
> An existing system may have to change or be extended.
> But even that is no reason to prevent the use of large keys.
<snip>
It can be. Changing an existing system costs money. It can
be perfectly rational to believe in "short" (128 bits or even
less) keys if that saves real dollars. It depends, as always,
on the details.
The internet is not the only communication mechanism.
JM
------------------------------
From: John Myre <[EMAIL PROTECTED]>
Subject: Re: Differential Analysis
Date: Mon, 22 Jan 2001 09:50:36 -0700
Richard Heathfield wrote (regarding TSD):
<snip>
> Perhaps I'll let you out of my killfile in a month or two, when you've
> calmed down a bit.
<snip>
I found it better just to leave him there. I let my
newsreader killfile "mark as read" (rather than deleting
altogether), so the messages are still there, if I need
to follow a thread. Certainly, I get through Usenet a
lot quicker now.
JM
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************