Cryptography-Digest Digest #120, Volume #14 Tue, 10 Apr 01 15:13:00 EDT
Contents:
Re: Any positions in cryptography available? ("Joseph Ashwood")
Hardware not that important (Frank Gerlach)
Re: Current best complexity for factoring? ("Tim Gahnström /Bladerman")
Re: WANTED: Voice Encryption and Telephony Consultant
(Hervé André)
Paper One-Time Pad: Cheap and Unbreakable (Frank Gerlach)
Re: Current best complexity for factoring? ("Dr Delta 9")
Q&A ("Jack Lindso")
Re: Is this a block cipher? ("Joseph Ashwood")
Re: Any positions in cryptography available? ("Joseph Ashwood")
Re: Current best complexity for factoring? ("Tim Gahnström /Bladerman")
Re: Q&A (Mathew Hendry)
Re: Whatabout SourceForge ? (Ichinin)
Re: Unnecessary operation in DES? (John Savard)
Re: Any positions in cryptography available? (SCOTT19U.ZIP_GUY)
Re: Steganography with natural texts (Mok-Kong Shen)
Re: FAQ (Francois Grieu)
Re: Steganography with natural texts (Joe H Acker)
Re: question about DES (newbie)
Re: An idea on the blind signature with EC. ("Cristiano")
Re: Unnecessary operation in DES? (DJohn37050)
Re: Steganography with natural texts (Mok-Kong Shen)
Re: Steganography with natural texts (Mok-Kong Shen)
Re: Is this a block cipher? ("Simon Johnson")
Re: How good is steganography in the real world? (Marc)
Re: How secure is AES ? (Marc)
----------------------------------------------------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Any positions in cryptography available?
Date: Mon, 9 Apr 2001 12:21:00 -0700
I just love the responses so far. Generally speaking if you've been around
here 5 years you've probably talked to enough people to get where you need
to be. Just talk to them off group, and see what they have to say.
Joe
"AlphaNerd" <[EMAIL PROTECTED]> wrote in message
news:#qayTdIwAHA.299@cpmsnbbsa09...
[snip gimme job]
------------------------------
From: Frank Gerlach <[EMAIL PROTECTED]>
Subject: Hardware not that important
Date: Tue, 10 Apr 2001 16:30:52 +0200
> The long-term solution is to raise the amount of encrypted traffic to a level
> where They, with all their Crays and all the Mips at their disposal, cannot keep
> up.
The hardware is more or less insignificant, the math and signals people are making the
difference. Even if all chip foundries on the world worked only for the govt, they
wouldn't even brute-force a symmetric cipher like 3DES with a 90-bit secret.
------------------------------
From: "Tim Gahnström /Bladerman" <[EMAIL PROTECTED]>
Subject: Re: Current best complexity for factoring?
Date: Tue, 10 Apr 2001 14:33:41 GMT
>> Another thing. Are the numbers used in cryptography usually so big
>> that I cannot assume that I know all the primes from 1 to the
>> number I am factoring?
>> Or is that a "valid" assumption?
>Yes.
I am sorry for my vague question here.
So what does the "Yes" refer to?
Is it a reasonable assumption that I have access to all those primes?
Tim
------------------------------
From: Hervé André <[EMAIL PROTECTED]>
Subject: Re: WANTED: Voice Encryption and Telephony Consultant
Date: Tue, 10 Apr 2001 14:37:52 GMT
Look for some information on the crypto algorithm family called A5 and A8.
Frog2000 wrote:
> --
> http://welcome.to/speechsystemsfortheblind
>
> "Paul Rubin" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > [EMAIL PROTECTED] (MrDbol) writes:
> > > A client calls 212-333-3333. The call is received, encrypted, and
> forwarded to
> > > the pre-programmed # in France. The call is then decoded in France and a
> secure
> > > communication channel is achieved. I would like a system that can handle
> 100
> > > calls at the same time.
> > >
> > > I am awaiting your response. I need this system implemented asap.
> >
> > As described, that relies on the US phone system being secure. So
> > you're concerned about interception on the French side. Is that
> > accurate?
>
> Hmmm....gotta worry about both sides. Unless you just buy your own telephone
> lines, and maybe satelites :)
--
ZENCOD
[EMAIL PROTECTED]
------------------------------
From: Frank Gerlach <[EMAIL PROTECTED]>
Subject: Paper One-Time Pad: Cheap and Unbreakable
Date: Tue, 10 Apr 2001 16:43:37 +0200
Anonymous wrote:
> "They" ARE omnipotent IF you should happen to come under their scrutiny.
Also, not using any electronics for RED information (plaintext) is a good idea.
Encrypt/decrypt RED only on paper with a proper OTP. Generate the OTPs like the lottery
does. Burn the pads after use.
BLACK (encrypted) can then be sent over any kind of virus-infected PC or in plain
english/german/chinese over the phone.
------------------------------
Reply-To: "Dr Delta 9" <[EMAIL PROTECTED]>
From: "Dr Delta 9" <[EMAIL PROTECTED]>
Subject: Re: Current best complexity for factoring?
Date: Tue, 10 Apr 2001 10:52:13 -0400
No, the primes are too large to be able to calculate. I believe (and I am
quite possibly wrong here) that at the very least, the standard for an RSA
prime is 10^308
Too large to calculate with present (publicly known) computers
Pete
"Tim Gahnström /Bladerman" <[EMAIL PROTECTED]> wrote in message
news:9REA6.4074$[EMAIL PROTECTED]...
> >> Another thing. Are the numbers used in cryptography usually so big
> >> that I cannot assume that I know all the primes from 1 to the
> >> number I am factoring?
> >> Or is that a "valid" assumption?
>
> >Yes.
>
> I am sorry for my vague question here.
> So what does the "Yes" refer to?
> Is it a reasonable assumption that I have access to all those primes?
>
> Tim
>
------------------------------
From: "Jack Lindso" <[EMAIL PROTECTED]>
Subject: Q&A
Date: Tue, 10 Apr 2001 17:44:22 +0200
Did anyone but me notice the strange recurrence of the
"google.com;altavista.com" answer, and also "known books AC, HAC"?
Quite bewildering.......
------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Is this a block cipher?
Date: Mon, 9 Apr 2001 13:57:20 -0700
The difference between a block and a stream cipher is sometimes clear and
sometimes more than a little blurred. However I have found some useful
redefinitions that seem to apply almost universally.
A block cipher is a transform of an input block into an output block. It
typically consists of several rounds and has various behaviors. However it
is worth noting for the next part the existence of a block cipher I will
call XOR, which is simply the combination of a key bit and data bit by
eXclusive-OR.
A stream cipher is a key schedule for external chaining of a cipher. In most
cases the cipher in use is XOR, which pushes the entire cryptographic
reliance onto the stream cipher. This does not need to be the case, in fact
if you examine most block ciphers they include a stream cipher-esque portion
that is typically referred to as the key schedule.
By separating them in this way, it begins to make sense to do things like
replace the key schedule of Rijndael with RC4 to get something that should
resist any efforts to attack it for even the unforeseeable future.
There are exceptions to this, while most modern block ciphers use a key
schedule that is a pRNG others do not. Just as an example in this newsgroup
I posted a cipher design last month that worked by generating a permutation
of values for s-boxes. This precludes the ability to easily replace it with
a stream cipher, and so it violates the rule that you can replace the key
schedule with a pRNG straight, but it is still possible, just harder.
There are also a very small number of stream ciphers that break the stream
cipher rule. These generally have some form of feedback, either plaintext
feedback or ciphertext feedback, these also do not cleanly fit the
definitions I gave.
With the exception of such strange occurrences the above definitions apply.
Joe
"Rick Wash" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
> I myself have been trying to work out the difference between stream
> ciphers and block ciphers.
------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Any positions in cryptography available?
Date: Mon, 9 Apr 2001 14:18:45 -0700
On second thought. Since I'll be looking soon (with the next month), any
takers of AlphaNerd's request (or any that just want to reply to me), I'd
certainly be grateful if you inform me also (privately of course, I do agree
with AlphaNerd on that this entire discussion is vastly off-topic).
Joe
"Joseph Ashwood" <[EMAIL PROTECTED]> wrote in message
news:eX#UXpSwAHA.298@cpmsnbbsa09...
> I just love the responses so far. Generally speaking if you've been around
> here 5 years you've probably talked to enough people to get where you need
> to be. Just talk to them off group, and see what they have to say.
> Joe
>
> "AlphaNerd" <[EMAIL PROTECTED]> wrote in message
> news:#qayTdIwAHA.299@cpmsnbbsa09...
> [snip gimme job]
>
>
------------------------------
From: "Tim Gahnström /Bladerman" <[EMAIL PROTECTED]>
Subject: Re: Current best complexity for factoring?
Date: Tue, 10 Apr 2001 15:17:28 GMT
Thanks very much both of you, this is exactly what a newly born
"algorithmist" needs to know to get started with some thinking :-)
Thanks Tim
------------------------------
From: Mathew Hendry <[EMAIL PROTECTED]>
Subject: Re: Q&A
Date: Tue, 10 Apr 2001 16:38:06 +0100
"Jack Lindso" <[EMAIL PROTECTED]> wrote:
: Did anyone but me notice the strange recurrence of the
: "google.com;altavista.com" answer, and also "known books AC, HAC"?
: Quite bewildering.......
Nah. In most technical newsgroups, the number of posts could probably
be cut in half if people would check other sources before asking
questions. They'd also probably get their answer more quickly, and
pick up other useful info along the way.
-- Mat.
------------------------------
From: Ichinin <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Whatabout SourceForge ?
Date: Tue, 10 Apr 2001 02:23:20 +0200
Frank Gerlach wrote:
> ...useless source code...
Which proves that you haven't looked through the site.
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Unnecessary operation in DES?
Date: Tue, 10 Apr 2001 16:48:36 GMT
On Tue, 10 Apr 2001 11:36:18 +0100, "Brendan Lynskey"
<[EMAIL PROTECTED]> wrote, in part:
>I heard that the first operation in DES involves shifting bits
>independently of the key.
>As the algorithm is public-domain, isn't this step redundant?
Yes it is.
>And if so why is it in there? I wondered if it was there in order to make
>each round more similar, and so to ease implementation.
It is possible that it might have simplified a certain class of
hardware implementation, similar to what is suggested for SERPENT.
(Another reply has noted this.)
Also, if DES is used to encipher ASCII characters, it changes how the
constant bits are located in the block.
One report claimed that when the NSA certified DES as secure, it did
so in the belief the algorithm _would not_ be made public. It is
possible that IBM did not know either if the NBS would make the
algorithm public, and so two unnecessary steps - the initial
permutation and its inverse, to which you refer, IP and IIP, and also
Permuted Choice I in the key schedule, (Permuted Choice II *is*
necessary, so it's important not to get them confused - and
Permutation P is *vital*, for that matter) may have been included to
make the algorithm harder to guess or reverse-engineer had it not been
made public. For example, the bytes of an official 8-byte DES key all
have odd parity; Permuted Choice I means that the *least* significant
bit of each byte is the parity bit - not the most significant bit, as
everyone would naturally expect.
John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm
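The two points John makes above, that IP is a fixed key-independent permutation with an inverse, and that Permuted Choice I drops the least significant bit of each key byte as the parity bit, can be checked directly. This is an added example, not code from the post; the tables are the standard FIPS 46 IP and PC-1 tables (1-based, bit 1 = most significant), and the sample key and block are constructed for the example.

```python
# Added example: DES initial permutation (IP) and key parity, as discussed
# in the post above.  Tables follow FIPS 46 numbering: bit 1 is the most
# significant bit of the 64-bit block/key.

IP = [58, 50, 42, 34, 26, 18, 10, 2,  60, 52, 44, 36, 28, 20, 12, 4,
      62, 54, 46, 38, 30, 22, 14, 6,  64, 56, 48, 40, 32, 24, 16, 8,
      57, 49, 41, 33, 25, 17,  9, 1,  59, 51, 43, 35, 27, 19, 11, 3,
      61, 53, 45, 37, 29, 21, 13, 5,  63, 55, 47, 39, 31, 23, 15, 7]

# Permuted Choice I: selects 56 of the 64 key bits.
PC1 = [57, 49, 41, 33, 25, 17,  9,  1, 58, 50, 42, 34, 26, 18,
       10,  2, 59, 51, 43, 35, 27, 19, 11,  3, 60, 52, 44, 36,
       63, 55, 47, 39, 31, 23, 15,  7, 62, 54, 46, 38, 30, 22,
       14,  6, 61, 53, 45, 37, 29, 21, 13,  5, 28, 20, 12,  4]


def permute(block: int, table: list[int], width: int = 64) -> int:
    """Output bit i (1-based, MSB first) is input bit table[i-1]."""
    out = 0
    for src in table:
        out = (out << 1) | ((block >> (width - src)) & 1)
    return out


def invert_table(table: list[int]) -> list[int]:
    """Inverse of a full permutation table (only valid when len(table) == width)."""
    inv = [0] * len(table)
    for i, src in enumerate(table):
        inv[src - 1] = i + 1
    return inv


IP_INV = invert_table(IP)


def initial_permutation(block: int) -> int:
    return permute(block, IP)


def inverse_initial_permutation(block: int) -> int:
    return permute(block, IP_INV)


def dropped_by_pc1() -> set[int]:
    """Key bit positions that PC-1 never uses (the parity bits)."""
    return set(range(1, 65)) - set(PC1)


def byte_has_odd_parity(b: int) -> bool:
    return bin(b).count("1") % 2 == 1


def key_parity_ok(key: bytes) -> bool:
    """True when every byte of an 8-byte DES key has odd parity."""
    return len(key) == 8 and all(byte_has_odd_parity(b) for b in key)


def fix_key_parity(key: bytes) -> bytes:
    """Set the least significant bit of each byte so the byte has odd parity."""
    return bytes(b ^ 1 if not byte_has_odd_parity(b) else b for b in key)


if __name__ == "__main__":
    sample = bytes.fromhex("133457799BBCDFF1")   # constructed sample key
    print("parity ok:", key_parity_ok(sample))
    print("PC-1 drops bits:", sorted(dropped_by_pc1()))
    blk = 0x0123456789ABCDEF
    print("IP(block) =", hex(initial_permutation(blk)))
```

The dropped positions are exactly 8, 16, ..., 64, i.e. the last bit of each byte, which is the point about the parity bit being the least significant one.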
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Any positions in cryptography available?
Date: 10 Apr 2001 16:42:34 GMT
[EMAIL PROTECTED] (Joseph Ashwood) wrote in <OuzxVuTwAHA.287@cpmsnbbsa09>:
>On second thought. Since I'll be looking soon (with the next month), any
>takers of AlphaNerd's request (or any that just want to reply to me),
>I'd certainly be grateful if you inform me also (privately of course, I
>do agree with AlphaNerd on that this entire discussion is vastly
>off-topic).
> Joe
Actually I would not mind getting paid to work on crypto too.
But I will only work at home. So it would have to be done over
the net. But at this time it would have to be for US corporations
only since I don't want to piss Uncle off too much.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE "OLD VERSION"
http://www.jim.com/jamesd/Kong/scott19u.zip
My website http://members.nbci.com/ecil/index.htm
My crypto code http://radiusnet.net/crypto/archive/scott/
MY Compression Page http://members.nbci.com/ecil/compress.htm
**NOTE FOR EMAIL drop the roman "five" ***
Disclaimer:I am in no way responsible for any of the statements
made in the above text. For all I know I might be drugged or
something..
No I'm not paranoid. You all think I'm paranoid, don't you!
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Steganography with natural texts
Date: Tue, 10 Apr 2001 18:51:40 +0200
Joe H Acker wrote:
>
> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>
> > A stego channel can never be protected against active
> > attacks, if I don't err.
>
> I don't think so. An optimal steganographic encoding is immune to any
> attack. I'll give you an example (from another post): A radio signal
> contains random background noise. You can then use an OTP to hide a
> message in the background noise. Please ignore the fact that it's also
> "unbreakable" encryption. Just from the steganographic point of view,
> the message is completely undetectable without the key. That's a (rather
> trivial) sample of an optimal steganographic encoding.
>
> If you think that's because of the OTP, change the background noise to
> be non-random. You might still find an optimal steganographic encoding,
> namely that encoding whose output has all observable statistical
> properties of the non-random background noise.
>
> This can be generalized into a general theory of steganography, but
> certainly not by me...
I know barely anything about electrical engineering.
But about radios I still remember very well that during
WWII I was totally unable to get news from some stations
due to very strong noises from others (enemy) stations
whose sole purpose was to prevent the reception of the
message being broadcasted.
M. K. Shen
------------------------------
From: Francois Grieu <[EMAIL PROTECTED]>
Subject: Re: FAQ
Date: Tue, 10 Apr 2001 18:57:17 +0200
"Mis Fazi" <[EMAIL PROTECTED]> wrote:
> Where can I find FAQ?
http://www.faqs.org/faqs/cryptography-faq/
------------------------------
From: [EMAIL PROTECTED] (Joe H Acker)
Subject: Re: Steganography with natural texts
Date: Tue, 10 Apr 2001 19:03:26 +0200
Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> Joe H Acker wrote:
> >
> > Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> >
> > > A stego channel can never be protected against active
> > > attacks, if I don't err.
> >
> > I don't think so. An optimal steganographic encoding is immune to any
> > attack. I'll give you an example (from another post): A radio signal
> > contains random background noise. You can then use an OTP to hide a
> > message in the background noise. Please ignore the fact that it's also
> > "unbreakable" encryption. Just from the steganographic point of view,
> > the message is completely undetectable without the key. That's a (rather
> > trivial) sample of an optimal steganographic encoding.
> >
> > If you think that's because of the OTP, change the background noise to
> > be non-random. You might still find an optimal steganographic encoding,
> > namely that encoding whose output has all observable statistical
> > properties of the non-random background noise.
> >
> > This can be generalized into a general theory of steganography, but
> > certainly not by me...
>
> I know barely anything about electrical engineering.
> But about radios I still remember very well that during
> WWII I was totally unable to get news from some stations
> due to very strong noises from others (enemy) stations
> whose sole purpose was to prevent the reception of the
> message being broadcasted.
Sorry, I was imprecise, I didn't want to say that an optimal
steganographic encoding is immune to a DoS attack...of course it is not.
It is also not immune to side-channel attacks.
Greetings,
Erich
------------------------------
From: newbie <[EMAIL PROTECTED]>
Subject: Re: question about DES
Date: Tue, 10 Apr 2001 13:01:23 -0300
What if we apply a technique of traceability?
Suppose that we assign to every k(j) a color (red or blue or yellow).
And for every combination of two colors we associate a color as product.
If we represent the output as a spectrum,
we may distinguish some repeated pattern.
I don't know if it's feasible.
Francois Grieu wrote:
>
> newbie <[EMAIL PROTECTED]> wrote:
>
> > Can someone give for every c(i) all elements involved m(i),k(j)
> > Is it possible?
>
> The expression of each c(i) can not be expressed as a boolean
> function in practice, due to combinatorial explosion: the size of
> the expression balloons with the number of rounds
>
> The only feasible expression is built in steps, by defining
> each bit of the result of a round as a function of the result
> of the previous round and the k(j). Basically, this is
> applying the definition of DES.
>
> One thing is for sure: none of the m(i) or k(j) can be eliminated
> from the (theoretical) expression of any c(i).
>
> Francois Grieu
------------------------------
From: "Cristiano" <[EMAIL PROTECTED]>
Subject: Re: An idea on the blind signature with EC.
Date: Tue, 10 Apr 2001 20:05:18 +0200
"Mike Rosing" wrote:
> Cristiano wrote:
> > 1) B computes only once: Q1=k*P; Q2=k*QB; s=x(Q2)/dB mod n
> > 2) B sends to A Q1 and s;
> > 3) A maps the message to point M and sends to B the point
> > X=M+s*R; (R is a random secret point)
> > 4) B sends to A T=dB/x(Q2)*X;
> > 5) A can compute the signature S=T-R=dB/x(Q2)*M.
> > When A wants to use the signature she sends to B: S and M; B verifies S by
> > doing Q2=dB*Q1, V=dB/x(Q2)*M. If S=V then the message is good.
> By sending s in the clear you make it possible for anyone to fake a
signature.
Sorry, I don't understand.
Only B can compute x(Q2) (x coordinate of Q2), so if B sends to A x(Q2)/dB
where is the problem?
> All you have to do is compute s^-1 mod n and multiply by
> any message M', then add a random point R. This gives you a fake
> "T". So someone could impersonate A, send a message to B they want
> them to verify, and it'd all be fake.
In my implementation this works only if M=M'; if M<>M' B refuses the
signature.
Have I missed something? Could you elaborate?
> Do a web search on "discrete log" "blind signatures". When you find one
> you like, translate it from DL to EC by changing exponentiation in DL to
> multiplication in EC, multiplication in DL to addition in EC. It'll be
> the same thing, but in a different algebra.
The only algo I know for blind signature is RSA, but there is the problem of
"d" and "e"...
Could you point me somewhere?
Thanks
Cristiano
------------------------------
From: [EMAIL PROTECTED] (DJohn37050)
Date: 10 Apr 2001 18:30:53 GMT
Subject: Re: Unnecessary operation in DES?
What I heard is that it can make certain hardware easier. And remember, DES as
originally conceived was only supposed to be in hardware.
Don Johnson
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Steganography with natural texts
Date: Tue, 10 Apr 2001 20:43:17 +0200
Joe H Acker wrote:
>
[snip]
> Your assumption that there is not much linguistic data available to the
> attacker to me seems unrealistic in practise. Still, your method has
> one *big* advantage over other steganographic methods: While it is
> possible to attack it efficiently given enough data, it's almost
> impossible to *prove* that a message was hidden because the methods I've
> described do not give any proof but just hints. That's a very important
> property of good steganography.
>
> But as I've written in another post, the "synonym channel" does not
> have much redundancy and there are better channels like sound or
> pictures. I've also written in another thread that a notion of optimal
> steganographic encoding can be established information theoretically and
> that's what I'm missing about most discussions of steganographic
> methods.
As expressed previously, I don't consider it an easy
task to do the modification of sentences and so we don't
have diametrically opposite opinions. In a post (just
sent) in response to a follow-up of John Malley, I
have attempted, though, to elaborate a bit more of
my optimistic view.
I failed to find the description of your optimal
steganographic encoding. Could you give the reference
of your article? Do you have details of that elsewhere
that is available? Thanks.
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Steganography with natural texts
Date: Tue, 10 Apr 2001 20:43:07 +0200
"John A. Malley" wrote:
>
[snip]
> The characteristics of the written text modulated for steganography must
> not be required to understand it. Look for the equivalent of the "noise"
> in the text - what is in the text that we ignore when it comes to
> understanding it but is always present in the text. That is the likely
> candidate for steganographic modulation.
>
> I'm at a loss to point to anything in the larger structures of text
> (like paragraphs of sentences and the development of an
> idea/theme/argument/message in succeeding paragraphs) that is "noise"
> and could be modulated without affecting the ability to understand the
> text.
From a global standpoint, consider the case where pupils
in school write compositions on the same theme set by
their teacher. Neglecting the obvious fact that the ideas
put down by the individual pupils are not entirely
identical, doesn't this indicate that in principle one
and the same idea can be written in a number of different
ways (formulations) and that these are all entirely
'natural'? There is also the paraphrasing work, i.e.
rewriting an article into another style of literature.
I suppose that such results can also be regarded as
'natural' (with respect to the competency of the pupil).
On the smaller scale, I think it is reasonable to
consider that paragraphs and sentences can also be
individually rewritten, without incurring anything
'unnatural', provided that proper effort is done.
Certainly, in my proposed scheme one is constrained to
change a word selected by the software to another one
among a rather limited set of words offered that
presumably (though often not exactly) have the same
meaning. That naturally is not without consequences.
However, I don't think that that constraint is severe
enough to lead to unnatural characteristics of the
sentences in general. (Note that one can, if needed,
also replace an entire sentence (even by one that is
different in meaning) such that one is afterwards
likely to have other (different) words that need to be
replaced.) It may not always be easy to prevent some
slight degradation of (literature) quality. Note on
the other hand that the result of paraphrasing an
article of a well-known author is also almost certainly
of a lower quality than the original. Isn't that piece
of text a very 'natural' writing of the pupil concerned,
provided that he has well assimilated the thoughts of
the original author and has done the work properly?
Thus I continue to think that my proposal should be
practically feasible, though I must admit that it
apparently incurs much effort and demands sufficiently
good literature competency and therefore cannot be
recommended for transmitting large volumes of
information bits. (For these, it may be useful to
consider the applicability of the other scheme
that I proposed previously, which utilizes html files
or other text files that have free formats in structure,
e.g. Latex.)
M. K. Shen
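A toy version of the "synonym channel" discussed in this thread, added here as an example (not code from any of the posters): each word that belongs to an agreed, ordered synonym set carries floor(log2(set size)) bits through the choice of synonym, and `capacity_bits` measures how little such a channel actually carries, which is Joe H Acker's redundancy point. The synonym sets and the cover sentence are constructed for the example.

```python
# Added example: bit-carrying synonym substitution with a capacity measure.
from math import log2

# Agreed, ordered synonym sets (constructed).  Only the first 2**k words of
# each set are usable carriers, so every carrier encodes exactly k bits.
SYNONYMS = [
    ["big", "large", "huge", "enormous"],   # 4 words -> 2 bits
    ["quick", "fast", "rapid", "swift"],    # 4 words -> 2 bits
    ["said", "stated"],                     # 2 words -> 1 bit
    ["begin", "start"],                     # 2 words -> 1 bit
    ["house", "home", "dwelling"],          # 3 words -> 1 bit ("dwelling" unused)
]


def bits_per_set(synset: list[str]) -> int:
    return int(log2(len(synset)))


# word -> (set index, usable slice of that set); sets must be disjoint.
CARRIERS: dict[str, tuple[int, list[str]]] = {}
for _i, _s in enumerate(SYNONYMS):
    _usable = _s[: 1 << bits_per_set(_s)]
    for _w in _usable:
        assert _w not in CARRIERS, "synonym sets must be disjoint"
        CARRIERS[_w] = (_i, _usable)


def capacity_bits(words: list[str]) -> int:
    """Payload bits the cover text can hold through synonym choice alone."""
    return sum(int(log2(len(CARRIERS[w][1]))) for w in words if w in CARRIERS)


def embed(words: list[str], payload: str) -> list[str]:
    """Replace each carrier word with the synonym whose index spells the next bits."""
    out, pos = [], 0
    for w in words:
        if w in CARRIERS and pos < len(payload):
            usable = CARRIERS[w][1]
            nb = int(log2(len(usable)))
            chunk = payload[pos:pos + nb].ljust(nb, "0")   # pad the last chunk
            out.append(usable[int(chunk, 2)])
            pos += nb
        else:
            out.append(w)
    if pos < len(payload):
        raise ValueError("cover text has too few carrier words for the payload")
    return out


def extract(words: list[str], nbits: int) -> str:
    """Read back the bits from the synonym choices, stopping after nbits."""
    bits = ""
    for w in words:
        if w in CARRIERS:
            usable = CARRIERS[w][1]
            bits += format(usable.index(w), f"0{int(log2(len(usable)))}b")
            if len(bits) >= nbits:
                break
    return bits[:nbits]


if __name__ == "__main__":
    cover = "the big dog said it was quick to begin".split()   # constructed
    print("capacity:", capacity_bits(cover), "bits in", len(cover), "words")
    stego = embed(cover, "101101")
    print(" ".join(stego), "->", extract(stego, 6))
```

Nine words of cover carry six bits here, and real text has far fewer interchangeable words per sentence, which is why the thread regards sound or pictures as the roomier channels.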
------------------------------
From: "Simon Johnson" <[EMAIL PROTECTED]>
Subject: Re: Is this a block cipher?
Date: Tue, 10 Apr 2001 19:52:23 +0100
Mr. Smith <[EMAIL PROTECTED]> wrote in message
news:De8A6.94286$[EMAIL PROTECTED]...
> Greetings! I'm a newbie here, trying to grasp the basic structure of
> ciphers, and cryptography in general. I know what a stream cipher is.
> However, the block cipher is a bit confusing. Does it work like the example
> below?
>
> Key 1:
> aaa = gws
> aab = wjc
> aac = qlg
> ...
> zzz = eut
>
> Key 2:
> aaa = jsd
> aab = nas
> aac = qlm
> ...
> zzz = haa
>
> I'd also like a clarification on exactly what a key is. I think I know, but
> reinforcement wouldn't hurt! ;-) Thanks.
Okies, a block cipher can be thought of as an enormous one-to-one
(bijective) mapping of inputs to outputs. The size of the input is usually
the same as the output, and the mapping is the key. So your example is
correct in this sense. As Tom has said.
However, if we wanted to store the details of each mapping exactly, the
system quickly becomes impractical. Imagine that we swapped 8-bytes at a
time for some other 8-bytes.. well each byte has 256 possible values, and we
have eight of them, so the total number of mappings we need to store is
18,446,744,073,709,551,616... Ouch....
Instead, we use a more intelligent way of producing these mappings.... we
define a sequence of steps (called an algorithm) that takes some users key
and applies it to the input block to produce an output block.
A really simple (but woefully insecure) example of an encryption algorithm
is addition mod n... The input block T is transformed to the output block C,
using a key K as follows:
C=(T + K) mod N
Decryption: T=(C-K) mod N
(note: z=x mod y means divide x by y and find the remainder z)
A block cipher has the general target of having no way to exploit the
relationship between the set of blocks, set of encrypted blocks and the set
of keys, with the aim of trying to recover a key faster than trying them
all.
In my example, we can break it trivially with one known plain-text and its
encryption.. because
K=(C-T) mod N
Simon.
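Simon's two points, the codebook view of a block cipher and the one-known-plaintext break of addition mod N, in runnable form. This is an added example, not code from the post: the 1-byte codebook, the choice of N and the sample values are constructed for it, and the codebook is keyed by a seeded shuffle purely to make the bijection concrete.

```python
# Added example: a block cipher as a stored bijection, the cost of storing
# it, and the toy additive cipher with its known-plaintext key recovery.
import math
import random


def codebook_entries(block_bytes: int) -> int:
    """Inputs a stored mapping must cover: 256 per byte, so 256**block_bytes."""
    return 256 ** block_bytes


def codebook_keys(block_bits: int) -> int:
    """Number of distinct bijections on 2**block_bits values (the key space)."""
    return math.factorial(1 << block_bits)


def make_codebook(seed: int, block_bits: int = 8) -> list[int]:
    """The key *is* the mapping: a seeded shuffle of all 2**block_bits values."""
    table = list(range(1 << block_bits))
    random.Random(seed).shuffle(table)        # constructed, not a real cipher
    return table


def invert_codebook(table: list[int]) -> list[int]:
    inv = [0] * len(table)
    for plain, cipher in enumerate(table):
        inv[cipher] = plain
    return inv


def codebook_roundtrip_ok(seed: int) -> bool:
    table = make_codebook(seed)
    inv = invert_codebook(table)
    return all(inv[table[x]] == x for x in range(256)) and len(set(table)) == 256


# Simon's toy cipher: C = (T + K) mod N, T = (C - K) mod N.
def encrypt(t: int, k: int, n: int) -> int:
    return (t + k) % n


def decrypt(c: int, k: int, n: int) -> int:
    return (c - k) % n


def recover_key(t: int, c: int, n: int) -> int:
    """One known plaintext/ciphertext pair gives the key outright: K = (C - T) mod N."""
    return (c - t) % n


def brute_force(t: int, c: int, n: int) -> list[int]:
    """Trying every key, for comparison: the additive cipher leaves exactly one candidate."""
    return [k for k in range(n) if encrypt(t, k, n) == c]


if __name__ == "__main__":
    print("8-byte codebook entries:", codebook_entries(8))
    n, k = 256, 100                            # constructed sample values
    c = encrypt(200, k, n)
    print("known-plaintext key:", recover_key(200, c, n), "brute force:", brute_force(200, c, n))
```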
------------------------------
From: [EMAIL PROTECTED] (Marc)
Crossposted-To: comp.security.misc,talk.politics.crypto
Subject: Re: How good is steganography in the real world?
Date: 10 Apr 2001 18:52:59 GMT
>Quite some effort necessary to make sure the
>hidden data matches the characteristics of the sampled sensor (CCD,
>microphone,...)
Exactly. Placing the data directly into the LSBs of a GIF without
further thought is probably not a good idea.
One can either hope that the LSB is not related to the MSBs but simply
noisy in itself. In this case, a promising idea is to use blocks
of observed real life LSBs and assign new meaning to them. The blocks
must be large enough to withstand autocorrelation attacks but small
enough to be manageable.
Or one has to go up from micro to macro and generate artificial images that
pass through a filter that adds the typical desired characteristics
(and even if this means to print out at high resolution and then
grab with the cam). In the case of a web cam claiming to point to a
crowded place, the information could be encoded in the cloth color and
position of the people visible.
------------------------------
From: [EMAIL PROTECTED] (Marc)
Subject: Re: How secure is AES ?
Date: 10 Apr 2001 18:52:58 GMT
>The best attack against 128-bit Rijndael breaks 7 rounds with 2^120
>work and very nearly the entire codebook (2^128 - 2^119 chosen
>plaintexts).
Wouldn't an attack be called 2^128 when I need to choose 2^128 plaintexts?
After all, this too is an operation and not "free".
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************