Cryptography-Digest Digest #111, Volume #14 Mon, 9 Apr 01 10:13:01 EDT
Contents:
Re: Is this a block cipher? ("Jack Lindso")
Re: SHA PRNG (Volker Hetzer)
Re: Steganography with natural texts (Mok-Kong Shen)
Re: Would dictionary-based data compression violate DynSub? (Mok-Kong Shen)
Re: Would dictionary-based data compression violate DynSub? (Mok-Kong Shen)
Re: Steganography with natural texts (Mok-Kong Shen)
Re: Steganography with natural texts (Mok-Kong Shen)
Re: Spam Message Stegano (Mok-Kong Shen)
Re: How good is steganography in the real world? (Mok-Kong Shen)
Re: Steganography with natural texts (Lassi Hippeläinen)
Re: Spam Message Stegano (Frank Gerlach)
Re: Spam Message Stegano (Jan Panteltje)
Re: Dynamic Substitution Question (John Savard)
Re: Dynamic Substitution Question (John Savard)
----------------------------------------------------------------------------
From: "Jack Lindso" <[EMAIL PROTECTED]>
Subject: Re: Is this a block cipher?
Date: Mon, 9 Apr 2001 10:23:58 +0200
On a basic level a key would be:
K="asf asfasfa sfas asfasfas fafq09357q0wfjy489qrqo23y4v190n 230230520m"
Now you take your plaintext [P] and combine the two by using the encryption
algorithm (AES, TWOFISH etc.) like >>> E(K,P)==CipherText.
So your original Q was quite OK. The difference is that the representation of the
blocks is done by the algorithm.
But as Tom stated do try reading some books.
"Mr. Smith" <[EMAIL PROTECTED]> wrote in message
news:r4aA6.94319$[EMAIL PROTECTED]...
>
> "Rick Wash" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> >
> > I myself have been trying to work out the difference between stream
> > ciphers and block ciphers.
> >
> > Here is what I have so far. Please let me know if this is correct, or
> > if I am missing something.
> >
> > In all cases, Alice and Bob share a key K of size K_n. Alice wants to
> > send Bob a message M. The goal of the cryptosystem is to replace this
> > message with C such that only someone who knows K can recover M from
> > C. This is the definition of a cryptosystem.
> >
> > In old-days classical cryptography, the message M would be divided
> > into letters (which was the smallest division that was easy to work
> > with). Each letter would be replaced with another letter (C->F,
> > etc. for caesar cipher). The problem with this method is that any
> > statistical properties of the language of letters is preserved in the
> > transformation (e.g. since the letter "e" is most likely the most
> > common letter, whatever letter "e" encrypts to will also be the most
> > common letter).
> >
> > To get around this statistical problem, two solutions were proposed.
> >
> > The first solution is to group letters together into block, and
> > encrypt whole blocks together. The goal here is that even when the
> > statistical properties of single letters are strong, groups of
> > letters have less statistically significant properties. As the blocks
> > get larger, the statistical significance decreases. As such, normally
> > each block is encrypted independent of all other blocks. This is
> > normally known as a block cipher. Note only whole blocks can be
> > encrypted at one time.
> >
> > The second solution to this is to make the encryption depend not only
> > on the key, but also on some kind of state that is updated with a
> > feedback loop. In this case, when a letter is encrypted based on the
> > key and the current state. Then the state is updated, and the next
> > letter is encrypted with the key and the new state. In this way, each
> > time the letter "e" is encrypted, it is encrypted to a different value
> > based on the current state. This obscures the statistical properties
> > of the plaintext. This is normally known as a stream cipher.
> >
> > This is my understanding of the difference. One tries to group
> > letters into blocks to obscure statistics, and the other tries to add
> > relationships between letters (state) to obscure statistics.
> >
> > In modern cryptography (which is normally performed using computers on
> > bits), a letter is normally 8 bits, and a block is normally 64 or 128
> > bits. However this is not always the case, and the distinction
> > between the two is decreasing as "letter-size" increases. Also, the
> > distinction decreases when using block ciphers in chaining modes
> > (which essentially adds a "state" to the cryptosystem). This is
> > probably why it has been difficult for me to properly distinguish
> > between block ciphers and stream ciphers. The best answer I have for
> > this is "a block cipher primitive specifies no state between blocks",
> > and that normally it is used in some mode (like a chaining mode) which
> > may or may not add state to make it a cryptosystem.
> >
> > Hope this helps,
> > Rick Wash
> I believe the first system is what I'm looking for. Could I get details on
> it? I'm still a bit confused about how to encrypt a block. Do you use a
> lookup table? How do keys play into this? Sorry if I sound very confused,
> but that's what I am! ;-) Thank you for your time.
>
>
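Rick's distinction (a block cipher primitive has no state between blocks, and a chaining mode adds that state) can be made visible with a toy cipher. The block below is an added example, not code from anyone in the thread; it uses a constructed 8-bit keyed permutation so that the letter statistics Rick describes are easy to see, and the key, IV and sample sentence are constructed for the demo.

```python
import random
from collections import Counter

# Toy 8-bit block cipher: a key-selected permutation of the 256 possible
# "letters". Real block ciphers (AES, Twofish) are keyed permutations on
# 128-bit blocks; only that structural property matters for this demo.
def keyed_permutation(key: bytes):
    table = list(range(256))
    random.Random(key).shuffle(table)        # deterministic shuffle driven by K
    inverse = [0] * 256
    for x, y in enumerate(table):
        inverse[y] = x
    return table, inverse

def ecb_encrypt(table, plaintext: bytes) -> bytes:
    # Block cipher primitive alone: no state between blocks, so equal
    # plaintext blocks give equal ciphertext blocks (like a Caesar shift).
    return bytes(table[p] for p in plaintext)

def cbc_encrypt(table, plaintext: bytes, iv: int) -> bytes:
    # Chaining mode: the previous ciphertext block is the "state" that is fed
    # back, so the same letter encrypts differently each time it occurs.
    out, prev = [], iv
    for p in plaintext:
        prev = table[p ^ prev]
        out.append(prev)
    return bytes(out)

def cbc_decrypt(inverse, ciphertext: bytes, iv: int) -> bytes:
    out, prev = [], iv
    for c in ciphertext:
        out.append(inverse[c] ^ prev)
        prev = c
    return bytes(out)

def frequency_profile(data: bytes) -> list:
    """Symbol counts sorted high to low: the statistical fingerprint that a
    stateless letter-by-letter substitution preserves."""
    return sorted(Counter(data).values(), reverse=True)

# Constructed sample with a skewed letter distribution (11 of the 32 bytes are 'e').
PLAINTEXT = b"the eel eats the cheese she sees"
KEY = b"constructed-demo-key"
IV = 0x5A

def compare_modes(plaintext: bytes = PLAINTEXT, key: bytes = KEY, iv: int = IV) -> dict:
    table, inverse = keyed_permutation(key)
    ecb = ecb_encrypt(table, plaintext)
    cbc = cbc_encrypt(table, plaintext, iv)
    return {
        "ecb_keeps_profile": frequency_profile(ecb) == frequency_profile(plaintext),
        "cbc_keeps_profile": frequency_profile(cbc) == frequency_profile(plaintext),
        "cbc_roundtrip": cbc_decrypt(inverse, cbc, iv) == plaintext,
    }

if __name__ == "__main__":
    print(compare_modes())
```

With the block size shrunk to one letter, ECB is exactly the "old-days" substitution Rick describes and keeps the plaintext's frequency profile intact, while the chained mode destroys it.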
------------------------------
From: Volker Hetzer <[EMAIL PROTECTED]>
Subject: Re: SHA PRNG
Date: Mon, 09 Apr 2001 11:29:13 +0200
Mark Wooding wrote:
>
> Tom St Denis <[EMAIL PROTECTED]> wrote:
> > Yarrow is just an example of my 2nd hash mode PRNG (see my original reply).
> > In the case of Yarrow they use a block cipher instead of a hash to randomize
> > the binary counter.
>
> Which makes the output very different in character. Since a block
> cipher is a permutation, the probability of two successive outputs being
> equal is much lower. This allows us to construct distinguishers.
Of course, this depends on how much data you want to draw from the prng
before reseeding it.
Greetings!
Volker
--
They laughed at Galileo. They laughed at Copernicus. They laughed at
Columbus. But remember, they also laughed at Bozo the Clown.
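To see Wooding's point and Volker's caveat concretely, here is an added toy simulation (not from the thread; the 12-bit width, the key value and both constructions are constructed for illustration): a counter run through a keyed permutation never repeats an output, while a hash-like random function accumulates birthday collisions whose count grows with how much output is drawn before reseeding.

```python
import random

WIDTH = 12                 # toy output width; real primitives use 64 to 512 bits
SPACE = 1 << WIDTH

def keyed_permutation(key: int):
    """Toy block cipher: the key selects one permutation of the WIDTH-bit space,
    so distinct counter values can never produce the same output."""
    table = list(range(SPACE))
    random.Random(key).shuffle(table)
    return table.__getitem__

def keyed_random_function(key: int):
    """Toy hash-like map: every input gets an independent output, so distinct
    counter values may collide (about n^2 / (2*SPACE) times among n outputs)."""
    rng = random.Random(key)
    table = [rng.randrange(SPACE) for _ in range(SPACE)]
    return table.__getitem__

def counter_outputs(f, n: int) -> list:
    # Generator core under discussion: output f(K, counter) for counter = 0..n-1
    return [f(i) for i in range(n)]

def repeated_outputs(outputs: list) -> int:
    return len(outputs) - len(set(outputs))

def successive_equal(outputs: list) -> int:
    return sum(1 for a, b in zip(outputs, outputs[1:]) if a == b)

def expected_collisions(n: int, space: int = SPACE) -> float:
    return n * (n - 1) / (2 * space)    # birthday estimate for a random function

def distinguish(n: int, key: int = 2001) -> dict:
    """Draw n outputs from each construction without reseeding and compare."""
    perm = counter_outputs(keyed_permutation(key), n)
    func = counter_outputs(keyed_random_function(key), n)
    return {
        "permutation_repeats": repeated_outputs(perm),
        "function_repeats": repeated_outputs(func),
        "function_expected": expected_collisions(n),
        "permutation_successive_equal": successive_equal(perm),
    }

if __name__ == "__main__":
    for n in (16, 256, 1024, SPACE):
        print(n, distinguish(n))
```

For a handful of outputs the two are indistinguishable by this test; the gap only opens once enough output is drawn for collisions to be expected, which is why the reseeding interval matters.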
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Steganography with natural texts
Date: Mon, 09 Apr 2001 12:08:29 +0200
Joe H Acker wrote:
>
> There are two problems with your proposal:
>
> (1) The steganographic channel you've chosen (=lexical choice by
> speakers) does not have enough redundancy for practical purposes.
Well, presumably you could also apply the same argument
to other channels. It depends on how many and how large
the subsets I mentioned are. Anyway, there is no attempt
at all to achieve security comparable to the famous ideal
OTP. It is to be noted that very important messages are
correspondingly low volume. For large volume applications,
the scheme is apparently unfavourable, since there is
some non-trivial human work involved to modify the texts
being sent.
>
> (2) You seem to assume that any choice for a certain expression is
> equally possible for any speaker
>
> (2) is the main problem in current steganography: I believe that the
> encoding you need to find is not a random choice between the possible
> alternatives, but has to be based on the actual statistical distribution
> of occurrences of such choices, i.e. it has to be based on the relative
> frequencies the alternatives usually occur with.
>
> Remember that it's almost trivial to distinguish a certain speaker from
> others just by analysing the words he has chosen, provided you have
> enough sample data.
See also above. The user is not required to interchange
entire expressions (phrases etc.) but only words that
are synonyms or are otherwise interchangeable (e.g. Mary,
Jane, Joan). Of course, it is assumed that the user has
a certain good level of literacy and is not blindly picking
the substitutes. (The software helps him, but doesn't
eliminate human efforts.) Note that there could be many
(pseudo-)names used by one sender. Statistical analysis
of word usage of a person is not that trivial in my
view. (A well known attempt seems to be the one that
concerned the works of Shakespeare.) For a person that
is unknown to the opponent from the start, I surmise
that the chance of success is rather dim.
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Would dictionary-based data compression violate DynSub?
Date: Mon, 09 Apr 2001 12:08:45 +0200
"David Formosa (aka ? the Platypus)" wrote:
>
> Terry Ritter <[EMAIL PROTECTED]> wrote:
> >
> > And of course since there are no distinct sequences of data and
> > confusion in Algorithm M, there is also no thought about how the
> > process might be undone or the data extracted on the other end.
>
> Ok that helps.
For your information, Algorithm M is deterministic,
so it can be undone/reversed, if wanted.
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Would dictionary-based data compression violate DynSub?
Date: Mon, 09 Apr 2001 12:08:53 +0200
Benjamin Goldberg wrote:
>
> The patent does try to cover combining two keystreams to produce a
> stronger keystream, but I think that the keystreams must somehow
> be two distinct sources. If both sources are PRNGs, whose states are
> both within the computer doing the combining, then I believe that
> they can be considered one source. Mr. Ritter will probably disagree
> with that.
>
> If DS is used to combine a plaintext and a PRNG-produced-keystream, or a
> publicly visible random stream and a PRNG-produced-keystream, or a
> plaintext with a public random stream, then the patent surely covers it.
>
> However, if what you have are two deterministic PRNGs, then they could
> conceivably be viewed as one PRNG with two outputs, rather than as two
> separate sources. You can combine the outputs of the PRNG with the
> "preferred embodiment" of DS if you want, but it will not be a Dynamic
> Substitution scheme, and not covered by the patent.
>
> If the above paragraph were untrue, then RC4, all by itself, could be
> considered a violation of DS.
I don't think that the issue is two streams vs. one stream
or other 'purely formal' matters. That might be important
eventually for a legal process but not very interesting
from scientific points of view, I suppose. In a follow-up
in the thread 'rc4 without sbox swapping/updating' on 7th
Apr, I raised the question of novelty/particularity of
DS in comparison to implementation of FSMs, in case DS
does cover (as seems to have been claimed many times in
the group) 'modifications' of tables in a 'wide and
general' sense, and hope that someone knowledgeable
about DS could answer that.
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Steganography with natural texts
Date: Mon, 09 Apr 2001 12:09:12 +0200
Yamaneko wrote:
>
> Mok-Kong Shen wrote:
> >
> > Let's partition the set of words that are relevant to the
> > normal messages of the communication partners into
> > disjoint subsets, ...
>
> Good idea. Advantage: A completely natural looking and intelligible text.
> Disadvantage: Both parties must have two identical and rather large
> (~1000 couples of words) dictionaries.
To get good performance, one should attempt to employ a
fairly large set of words, so that the said subsets are
not too small. But this expensive work has to be done
only once. There are good synonym dictionaries to help
doing that. (I can't name an English one offhand. A good
French one that I happen to have is Le Robert, Dictionnaire
des synonymes.) Note that one could also use antonyms,
namely one can often substitute 'x' with 'not y', if x
and y have opposite meanings. Given a sufficient number
of the said subsets, one could in any given session
choose to use (in conformity with the partner) only a
part of these. The words in the excluded subsets then
become 'dummies' that could have a confounding effect
for the opponent, since these do not carry information.
Further, it could be advantageous to intentionally
demonstrate some language incompetency (grammatical
errors of the foreigners etc.) to better cover some
eventual imperfections in the substitutions of words
being done.
> > Of course, the covertext must be long enough to be able to
> > embed all the bits of the secret message. A technical point
> > is how to signal the end of the embedded bit sequence,
> > since there may be further words in the covertext that also
> > belong to the agreed-upon subsets. One possibility is to
> > reserve one or two words in each subset for that purpose.
>
> In order to be safe, the entire secret message must be pseudo random.
Yes. It is always preferable to first encrypt the message
with some encryption algorithm and then embed the ciphertext
bit sequence in a stego cover.
M. K. Shen
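The scheme Shen outlines in this thread (disjoint subsets of interchangeable words, bits carried by which word is chosen, reserved words to signal the end, unused subsets acting as dummies) is worked through below as an added example; it is not Shen's or Yamaneko's code. The dictionary, covertext and payload are constructed for the demo, the payload standing in for bytes that have already been encrypted as the thread recommends.

```python
import re

# Constructed dictionary. Each subset holds interchangeable words; the LAST
# word is the reserved end marker (Shen's "one or two words in each subset")
# and the others carry bits by index. Data-word counts are kept at 2 or 4.
SUBSETS = [
    ["big", "large", "huge", "sizeable", "enormous"],  # 4 data words -> 2 bits
    ["quick", "fast", "rapid"],                         # 2 data words -> 1 bit
    ["Mary", "Jane", "Joan", "Ann", "Ruth"],            # 4 data words -> 2 bits
    ["buy", "purchase", "acquire"],                     # 2 data words -> 1 bit
]
LOOKUP = {w.lower(): sid for sid, words in enumerate(SUBSETS) for w in words}
TOKEN = re.compile(r"([A-Za-z]+)([^A-Za-z]*)")   # (word, trailing non-letters)

def bits_per_subset(sid: int) -> int:
    data_words = len(SUBSETS[sid]) - 1
    return data_words.bit_length() - 1              # floor(log2(data words))

def _match_case(template: str, word: str) -> str:
    return word.capitalize() if template[0].isupper() else word.lower()

def embed(cover: str, payload: bytes) -> str:
    """Re-choose carrier words so they spell out payload, then place one end marker."""
    bits = "".join(f"{b:08b}" for b in payload)
    out, pos, ended = [], 0, False
    for word, tail in TOKEN.findall(cover):
        sid = LOOKUP.get(word.lower())
        if sid is not None and not ended:
            if pos < len(bits):
                b = bits_per_subset(sid)
                chunk = bits[pos:pos + b].ljust(b, "0")   # pad a final short chunk
                word = _match_case(word, SUBSETS[sid][int(chunk, 2)])
                pos += b
            else:
                word = _match_case(word, SUBSETS[sid][-1])  # reserved end marker
                ended = True
        out.append(word + tail)
    if not ended:
        raise ValueError("covertext too short to embed %d bits and an end marker" % len(bits))
    return "".join(out)

def extract(stego: str) -> bytes:
    bits = ""
    for word, _ in TOKEN.findall(stego):
        sid = LOOKUP.get(word.lower())
        if sid is None:
            continue
        words = [w.lower() for w in SUBSETS[sid]]
        if word.lower() == words[-1]:
            break                                   # marker: later carriers are dummies
        bits += f"{words.index(word.lower()):0{bits_per_subset(sid)}b}"
    usable = len(bits) - len(bits) % 8             # drop the padding of a short chunk
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))

# Constructed covertext (14 carrier words, 23 bits of capacity) and a payload
# standing in for two already-encrypted bytes.
COVER = ("Mary said the big order was a quick one, so Joan went to buy a large crate. "
         "Ann thought the huge shipment was fast and asked Jane to purchase a big box "
         "for Mary, who wanted a quick reply.")
PAYLOAD = b"\xa7\x3c"
```

Running `extract(embed(COVER, PAYLOAD))` returns the payload; the three carrier words after the marker are left as they were, which is the dummy effect Shen mentions, and a covertext with too few carriers raises rather than silently truncating the message.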
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Steganography with natural texts
Date: Mon, 09 Apr 2001 12:09:18 +0200
Lassi Hippeläinen wrote:
>
> Mok-Kong Shen wrote:
> <...>
> > Let's partition the set of words that are relevant to the
> > normal messages of the communication partners into
> > disjoint subsets, i.e. groups of synonyms, including such
> > possible groupings as personal names, names of merchandise,
> > family relations, etc. that could be reasonably interchanged
> > in given contexts without causing the sentences modified to
> > become unnatural and thus suspicious to the opponent.<...>
>
> The idea works. Or at least the patent examiners think so. I filed an
> application a few years ago, and it has already been granted here in
> Finland. International patents pending.
>
> Unfortunately the f***ing twerps who run esp@cenet have decided to
> pollute their site with Javascript, which I refuse to enable, so I
> couldn't dig deep in their archives to get any pointers. This is the
> headline that was visible even without Javashit:
>
> "EP0929857 MARKING OF ELECTRONIC DOCUMENTS IN ORDER TO EXPOSE
> UNAUTHORIZED PUBLICATION"
>
> As the name implies, I suggest encoding the recipient's identity into
> any material that is delivered electronically. Alterations of words and
> their order is one embodiment. The width of the channel will depend on
> language; English with its fairly liberal grammar should offer about one
> bit per word, but German, for example, is limited to synonyms only.
Is it a European patent? Could one otherwise search from
the site of the Finnish patent office? Thanks.
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Spam Message Stegano
Date: Mon, 09 Apr 2001 12:09:31 +0200
Frank Gerlach wrote:
>
> Should be obvious that you do not even need an Mk1 biological neural net
> to find out this is not a message written by an average English-speaking
> person. A very primitive statistical test will ring the bells...
Dumb question: What if the writer happens really not to be
a native?
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc,talk.politics.crypto
Subject: Re: How good is steganography in the real world?
Date: Mon, 09 Apr 2001 12:09:03 +0200
"Trevor L. Jackson, III" wrote:
>
> Mok-Kong Shen wrote:
>
> > It's absurd, but porno sites could do that kind of job
> > well, I suppose.
>
> In an intensely Muslim nation? That traffic might be more dangerous than the
> plaintext.
Unlikely, in case e.g. your sponsor happens to be a guy
of big influence in such a nation.
M. K. Shen
------------------------------
From: Lassi Hippeläinen <[EMAIL PROTECTED]>
Subject: Re: Steganography with natural texts
Date: Mon, 09 Apr 2001 11:42:17 GMT
Mok-Kong Shen wrote:
<...>
> Is it a European patent? Could one otherwise search from
> the site of the Finnish patent office? Thanks.
>
> M. K. Shen
Yes, esp@cenet is the EPO service at
http://www.european-patent-office.org/espacenet/info/index.htm
The Finnish PO is at www.prh.fi, but the stuff may not be too useful for
those not fluent in Finnish :-(
-- Lassi
------------------------------
From: Frank Gerlach <[EMAIL PROTECTED]>
Subject: Re: Spam Message Stegano
Date: Mon, 09 Apr 2001 13:46:19 +0200
just the number of exclamation marks is suspiciously high...
Mok-Kong Shen wrote:
> Frank Gerlach wrote:
> >
> > Should be obvious that you do not even need an Mk1 biological neural net
> > to find out this is not a message written by an average English-speaking
> > person. A very primitive statistical test will ring the bells...
>
> Dumb question: What if the writer happens really not to be
> a native?
>
> M. K. Shen
------------------------------
From: [EMAIL PROTECTED] (Jan Panteltje)
Subject: Re: Spam Message Stegano
Date: Mon, 09 Apr 2001 13:14:27 GMT
On a sunny day (Mon, 09 Apr 2001 13:46:19 +0200) it happened Frank Gerlach
<[EMAIL PROTECTED]> wrote in <[EMAIL PROTECTED]>:
>just the number of exclamation marks is suspiciously high...
>
>Mok-Kong Shen wrote:
>
And not enough upper case for a real spam message ;-)
>> Frank Gerlach wrote:
>> >
>> > Should be obvious that you do not even need an Mk1 biological neural net
>> > to find out this is not a message written by an average English-speaking
>> > person. A very primitive statistical test will ring the bells...
>>
>> Dumb question: What if the writer happens really not to be
>> a native?
>>
>> M. K. Shen
>
>
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Dynamic Substitution Question
Date: Mon, 09 Apr 2001 13:52:07 GMT
On Sun, 08 Apr 2001 20:31:36 +0200, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote, in part:
>I believe that you are in the best
>position (among the readers) to do that in neutral terms
>(in contrast to Terry Ritter who is the patent holder),
>such that the 'fog' remaining in discussions about the
>issue could be cleared.
Of course Terry Ritter is himself an interested party.
But I cannot give you a definitive answer to this question. I think
there may indeed be some very limited prior art applicable to the most
general interpretation of the patent, but I am in no way qualified to
translate that into a detailed picture of its valid scope. I can - to
a limited extent - read a patent, but for this sort of thing, even a
patent lawyer, who would be far more qualified than I, would not be
able to give you definitive answers.
I do think, though, that the "preferred embodiment" and everything
that derives from it is quite safe. Therefore, given my understanding
of that patent, I would hesitate to use "alleged RC4" in anything
while that patent remains in force, now that my more recent
examination of it shows that the claims cover the case where two
keystreams, rather than plaintext and keystream, are being mixed.
John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Dynamic Substitution Question
Date: Mon, 09 Apr 2001 13:45:41 GMT
On Sun, 08 Apr 2001 00:39:29 GMT, [EMAIL PROTECTED] (Terry Ritter) wrote,
in part:
>Well, yes, but "preferred embodiment" is also one of the major terms
>in patents in general:
You are correct, of course. I skipped mentioning that that was
standard "patentese" because I wanted to make a brief reply.
John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************