Cryptography-Digest Digest #201, Volume #14      Sat, 21 Apr 01 16:13:01 EDT

Contents:
  Re: Better block cipher pre/post whiten step (Mok-Kong Shen)
  Re: Better block cipher pre/post whiten step ("Tom St Denis")
  Re: MS OSs "swap" file:  total breach of computer security. ("Trevor L. Jackson, III")
  Re: Better block cipher pre/post whiten step (Mok-Kong Shen)
  Re: Better block cipher pre/post whiten step ("Tom St Denis")
  Re: Good textbooks on information theory (Xcott Craver)
  example of "better" whitening step in ciphers ("Tom St Denis")
  Why re-using the pad is not secure? (newbie)
  Key #the first ("Dramar Ankalle")
  Re: Why re-using the pad is not secure? ("Tom St Denis")

----------------------------------------------------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Better block cipher pre/post whiten step
Date: Sat, 21 Apr 2001 19:14:30 +0200



Tom St Denis wrote:
> 
> "Mok-Kong Shen" <[EMAIL PROTECTED]> wrote:
> >
> > Tom St Denis wrote:
> > >
> > > You know K1 etc.. so you can precompute X * K1 by breaking the mult into
> > > smaller mults... (i.e four 8x32 mults).  This trick does work (I've used it
> > > before).
> > >
> > > The really keen thing is that as long as the cipher and the decorrelated
> > > functions do not commute all is well.
> > >
> > > Other than the slight speed penalty I wonder why this hasn't been used
> > > before?  Probably some weakness I can't quite see yet
> >
> > Wouldn't the receiver in the scheme you posted have to
> > compute the inverse of K1 etc.?
> 
> Yeah, but it's not hard.  With a naive sqr-mul method you can trivially find
> the multiplicative inverses (you would need to do four operations for a
> typical two-word feistel-like cipher, eg. des, blowfish, rc5, cast, etc...)
> 
> Once that's done you can either compute the mult on the fly (somewhat slow
> but not terribly so) or given enough memory pre-compute the mults.  For DES
> you would need eight sets of four 8x32 (or 32 8x32's) which would take 32KB
> of memory.  On Athlons and PIII that will fit in the L2 onchip cache and can
> be accessed very quickly.

I don't yet understand why you don't do it in the way
of Feistel, in which case there wouldn't be need of
inversion of K1 etc., if I don't err.

M. K. Shen

------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Better block cipher pre/post whiten step
Date: Sat, 21 Apr 2001 17:20:13 GMT


"Mok-Kong Shen" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
>
> Tom St Denis wrote:
> >
> > "Mok-Kong Shen" <[EMAIL PROTECTED]> wrote:
> > >
> > > Tom St Denis wrote:
> > > >
> > > > You know K1 etc.. so you can precompute X * K1 by breaking the mult into
> > > > smaller mults... (i.e four 8x32 mults).  This trick does work (I've used it
> > > > before).
> > > >
> > > > The really keen thing is that as long as the cipher and the decorrelated
> > > > functions do not commute all is well.
> > > >
> > > > Other than the slight speed penalty I wonder why this hasn't been used
> > > > before?  Probably some weakness I can't quite see yet
> > >
> > > Wouldn't the receiver in the scheme you posted have to
> > > compute the inverse of K1 etc.?
> >
> > Yeah, but it's not hard.  With a naive sqr-mul method you can trivially find
> > the multiplicative inverses (you would need to do four operations for a
> > typical two-word feistel-like cipher, eg. des, blowfish, rc5, cast, etc...)
> >
> > Once that's done you can either compute the mult on the fly (somewhat slow
> > but not terribly so) or given enough memory pre-compute the mults.  For DES
> > you would need eight sets of four 8x32 (or 32 8x32's) which would take 32KB
> > of memory.  On Athlons and PIII that will fit in the L2 onchip cache and can
> > be accessed very quickly.
>
> I don't yet understand why you don't do it in the way
> of Feistel, in which case there wouldn't be need of
> inversion of K1 etc., if I don't err.

The idea is to replace the whitening steps with stronger ones.  You take a
cipher, say DES, then before the first round you decorrelate both halves.  Go
thru 16 rounds of DES and before storing the ciphertext you decorrelate the
halves with other subkeys.  The idea is that you still keep the nice
analysis already performed on DES, you just add on to it.  You must now
either break the decorrelated functions or try to mount the
differential/linear attack, which is now impossible.

It's a method of taking a block cipher and just making it more secure
against first order linear/diff attacks.

Note that you could make a feistel out of decorrelated functions.  My TC6
cipher is based on this.  Unfortunately decorrelation functions in GF(2^W)
are hardly ideal due to their extreme linearness (16 rounds of DES would
break that linearness quite well).

Tom



------------------------------

From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto,alt.hacker
Subject: Re: MS OSs "swap" file:  total breach of computer security.
Date: Sat, 21 Apr 2001 17:30:53 GMT

Anthony Stephen Szopa wrote:

> wtshaw wrote:
> >
> > In article <_XIC6.22803$[EMAIL PROTECTED]>, "Tom St Denis" <[EMAIL PROTECTED]> wrote:
> >
> > > "wtshaw" <[EMAIL PROTECTED]> wrote in message
> >
> > > > It does not follow that if a better choice is available why one would seek
> > > > a ride in a leaky boat with only a slight hole in it. I doubt you
> > > > understand what you advocate nor the limitations of trying to fully
> > > > control the effects of a black box.
> > >
> > > Now repeat your reply in English please.
> > >
> > > Tom
> >
> > The basic problem like Jessica Rabbit is that security need not be bad, it
> > is just drawn that way.  It is not for want of the knowledge of how you do
> > things correctly, just that the prospective has been that insecurity is
> > better for national security and discouraging autonomous systems.
> >
> > The fly in the ointment as far as the power mongers is that different
> > teams did not always agree and some designs have turned out to be much
> > more secure than others.
> >
> > Fortunately for them, hype has sold the worse plans to almost everyone.
> > People worship quantity over quality.  To protect the beast, the code has
> > been obscure. Tools have been designed with certain peculiar limitations
> > to keep accessory products insecure and under central control.  External
> > improvements suffer under a poor architecture and a swamp of system code
> > to try to figure out.  This was all shortsighted because covert faults
> > that were touted as good are showing as its Mr. Hyde side.
> > --
> > Ah, so!  Chop suey on a bagel.  Now...say, "So Sorry."
>
> He is going to ask you again to say it in English.
>
> If he can't recognize the problem then no matter what he says, he
> cannot solve the problem.  He's great at trying to trash someone
> else's ideas, though.
>
> But I know what the problem is and I intend to solve it at least as far
> as my own encryption software is concerned.
>
> I do not plan to signal what my solution is but when it is ready you
> will be satisfied with my approach.

Paraphrase: "Zat his un Order, und ve haf veys to deal vis zose who disobey Orders."




------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Better block cipher pre/post whiten step
Date: Sat, 21 Apr 2001 19:30:00 +0200



Tom St Denis wrote:
> 

> The idea is to replace the whitening steps with stronger ones.  You take a
> cipher, say DES, then before the first round you decorrelate both halves.  Go
> thru 16 rounds of DES and before storing the ciphertext you decorrelate the
> halves with other subkeys.  The idea is that you still keep the nice
> analysis already performed on DES, you just add on to it.  You must now
> either break the decorrelated functions or try to mount the
> differential/linear attack, which is now impossible.
> 
> It's a method of taking a block cipher and just making it more secure
> against first order linear/diff attacks.
> 
> Note that you could make a feistel out of decorrelated functions.  My TC6
> cipher is based on this.  Unfortunately decorrelation functions in GF(2^W)
> are hardly ideal due to their extreme linearness (16 rounds of DES would
> break that linearness quite well).

My poor knowledge doesn't yet permit me to see that the
modified version (i.e. Feistel like) is much easier
to crack than the original. Could you explain a bit
more (or refer to literatures)? Thanks.

M. K. Shen

------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Better block cipher pre/post whiten step
Date: Sat, 21 Apr 2001 17:36:11 GMT


"Mok-Kong Shen" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
>
> Tom St Denis wrote:
> >
>
> > The idea is to replace the whitening steps with stronger ones.  You take a
> > cipher, say DES, then before the first round you decorrelate both halves.  Go
> > thru 16 rounds of DES and before storing the ciphertext you decorrelate the
> > halves with other subkeys.  The idea is that you still keep the nice
> > analysis already performed on DES, you just add on to it.  You must now
> > either break the decorrelated functions or try to mount the
> > differential/linear attack, which is now impossible.
> >
> > It's a method of taking a block cipher and just making it more secure
> > against first order linear/diff attacks.
> >
> > Note that you could make a feistel out of decorrelated functions.  My TC6
> > cipher is based on this.  Unfortunately decorrelation functions in GF(2^W)
> > are hardly ideal due to their extreme linearness (16 rounds of DES would
> > break that linearness quite well).
>
> My poor knowledge doesn't yet permit me to see that the
> modified version (i.e. Feistel like) is much easier
> to crack than the original. Could you explain a bit
> more (or refer to literatures)? Thanks.

It's really simple.  If you use a decorrelated function such as F(x) = ax +
b (a,b are round keys a != 0) all in GF(2^W) then your entire cipher would
be xor-linear.

Which means an input difference of (a,b) -> (d,e) would hold with a
probability of 1 over all plaintexts, obviously not very random behaviour.

Not only that, you can break a three round feistel built with this with only
2 plaintexts/ciphertexts.

My idea is to hide the linearness behind the core cipher, and to hide any
known biases of the core cipher (linear or differential) behind the
decorrelated functions.

Tom
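
An added illustration of the two technical points in this subthread, written for this digest and not taken from Tom's tc11.c or any other code of his: the receiver's inverse of a GF(2^W) decorrelation constant via square-and-multiply (the "naive sqr-mul" above), and the xor-linearity of F(x) = ax + b that sends an input difference to one output difference with probability 1. It uses W = 8 with the AES reduction polynomial so that the exhaustive checks stay small; the 32-bit words of the posts work the same way with a degree-32 irreducible polynomial. The round keys and input difference in the usage block are constructed sample values.

```python
# Added example (not from the thread): a GF(2^W) decorrelation layer F(x) = a*x + b,
# its inverse via square-and-multiply, and its xor-linear difference propagation.
# W = 8 with the AES polynomial keeps the exhaustive checks below small; the posts'
# 32-bit words need only a degree-32 irreducible polynomial in its place.
W = 8
POLY = 0x11B          # x^8 + x^4 + x^3 + x + 1 (irreducible; the AES field polynomial)
ORDER = 1 << W        # number of field elements (256)


def gf_mul(a, b):
    """Multiply a and b in GF(2^W), reducing modulo POLY (shift-and-add, no tables)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & ORDER:     # degree reached W: subtract (xor) the reduction polynomial
            a ^= POLY
    return r


def gf_pow(a, e):
    """a^e in GF(2^W) by square-and-multiply."""
    result = 1
    while e:
        if e & 1:
            result = gf_mul(result, a)
        a = gf_mul(a, a)
        e >>= 1
    return result


def gf_inv(a):
    """Multiplicative inverse: a^(2^W - 2) == a^-1, since a^(2^W - 1) == 1 for a != 0."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^W)")
    return gf_pow(a, ORDER - 2)


def decorrelate(x, a, b):
    """Sender side: F(x) = a*x + b with round keys a (nonzero) and b."""
    return gf_mul(a, x) ^ b


def undecorrelate(y, a_inv, b):
    """Receiver side: F^-1(y) = a^-1 * (y + b); a_inv is computed once per key."""
    return gf_mul(a_inv, y ^ b)


def all_inverses_ok():
    """True iff every nonzero element has a working inverse (would fail were POLY reducible)."""
    return all(gf_mul(a, gf_inv(a)) == 1 for a in range(1, ORDER))


def roundtrip_ok(a, b):
    """True iff undecorrelate(decorrelate(x)) == x for every word x."""
    a_inv = gf_inv(a)
    return all(undecorrelate(decorrelate(x, a, b), a_inv, b) == x for x in range(ORDER))


def output_differences(a, b, d):
    """Set of F(x) ^ F(x ^ d) over all x.  F is xor-linear, so this is the single value
    a*d: input difference d goes to a*d with probability 1, as the post says."""
    return {decorrelate(x, a, b) ^ decorrelate(x ^ d, a, b) for x in range(ORDER)}


if __name__ == "__main__":
    a, b, d = 0x57, 0xA3, 0x0F       # constructed sample round keys and input difference
    print("inverse of 0x57:", hex(gf_inv(a)))
    print("round-trip ok:", roundtrip_ok(a, b))
    print("output differences for d=0x0F:", [hex(v) for v in output_differences(a, b, d)])
```

The inverse constant is computed once per key, which is the sense in which the receiver's extra cost is small. `output_differences` is the exhaustive form of the probability-1 differential described above: whatever `a` and `b` are, the set has one element, and that is why the layer has to wrap a nonlinear core rather than stand on its own.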



------------------------------

Subject: Re: Good textbooks on information theory
From: [EMAIL PROTECTED] (Xcott Craver)
Date: Sat, 21 Apr 2001 18:28:28 GMT

<[EMAIL PROTECTED]> wrote:
>Joe H Acker <[EMAIL PROTECTED]> wrote:
>
>> There are plenty of books about information theory, which one would you
>> recommend?
>
>The best I've seen is "Elements of Information Theory" by Cover and
>Thomas....

        I second this.  Cover and Thomas also covers a lot of diverse
        subject matter, including Kolmogorov complexity, the theory of 
        types, and broadcast/multiple-access channels, so it is ideal
        for someone looking for a general text or a good overview.

>Steve Tate --- srt[At]cs.unt.edu 
                                                        -S




------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: example of "better" whitening step in ciphers
Date: Sat, 21 Apr 2001 18:55:08 GMT

As an example of what I was talking about you can get somewhat clear C code
that does what I was thinking of

http://tomstdenis.home.dhs.org/src/tc11.c

Essentially I pair-wise decorrelate the four-word input (it's a 128-bit
block cipher), then I perform 8 rounds of a simple (and fast) linear mixing
in Z.  The idea is that the linear mixing will not commute with the
decorrelated functions.  Finally I decorrelate the output.

The entire tables can be precomputed in 32kb for either direction (although
the same tables cannot be used for both, so you would need 64kb if you
simultaneously encrypt and decrypt).  With precomputed tables this cipher
should hit about 12 cycles or so per byte since the linear mixing steps are
all pairable on the pentium...

Would be neat to see breaks on it.  Note that my key schedule function is
just some lame-arse thing I tacked on.  My real interest is how strong the
encrypt/decrypt functions are assuming the key is truly random...
--
Tom St Denis
---
http://tomstdenis.home.dhs.org



------------------------------

From: newbie <[EMAIL PROTECTED]>
Subject: Why re-using the pad is not secure?
Date: Sat, 21 Apr 2001 15:40:23 -0300

I tried to find out an answer, but all that cryptographers say is that
it is not secure.

If I encrypt my messages P(i) and P'(i) with the same OTP k(i), is there
a way to find the key?

E(i) = P(i) Xor k(i) 
E'(i)= P'(i) Xor k(i)

Knowing : E(i) and E'(i)
    and the equality k(i) = k(i) 

I still have 3 unknowns P(i), P'(i), k(i).
How could I solve this trivial problem?
It is my last question.
I apologize for my annoying posts.

Thank you for help.

------------------------------

From: "Dramar Ankalle" <[EMAIL PROTECTED]>
Crossposted-To: alt.religion.kibology,alt.alien.visitors
Subject: Key #the first
Date: Sat, 21 Apr 2001 15:53:09 -0400

From: "Mikal 606" <[EMAIL PROTECTED]>
To: REDACTED
Subject: Re: ::: Circular Doorways Appearing in Midair :::
Date: Thursday, July 20, 2000 4:59 PM

http://www.virtualsk.com/current_issue/premier/grey_owl_bio.html

http://www.theice.org/byrdmemorial.html

http://www.oneworld.org/revision/assagioli.html

http://www.weyrich.com/book_reviews/constitution_supreme_2nd.html







From: "Leo Sgouros" <[EMAIL PROTECTED]>
Subject: The Treveri routed (53 BC)
Date: Sunday, October 31, 1999 12:39 AM

Caesar had many reasons, however, for expecting still more serious
disturbances before long. He therefore charged three of his generals, Marcus
Silanus, Gaius Antistius Reginus, and Titus Sextuis, with the duty of raising
fresh troops"

--


| ~o   ~o  ~o ~o ~o  ~o ~o  ~o      I am selling some sperm this week |
|  ~o  ~o  ~o  ~o  ~o ~o    ~o ~o     because I need some extra cash. |
|  ~o  ~o~o~o ~o  ~o~o  ~o    ~o                              Profile |
| ~o  ~o  ~o  ~o  ~o     ~o     ~o         Decent looking, good hair, |
|    ~o ~o  ~o  ~o  ~o  ~o  ~o  ~o    IQ well over 200, ambidextrous, |
| ~o ~o ~o  ~o ~o  ~o  ~o  ~o ~o ~o    natural musician, multilingual,|
|  ~o  ~o  ~o~o  ~o  ~o  ~o  ~o       multi-orgasmic, but a dickhead. |
|   ~o  ~o ~o  ~o    ~o  ~o                  [EMAIL PROTECTED] |
`---------------------------------------------------------------------'

"inserted in the place of the living human other"
Morpheal contemplates his glorious humanity in
news:7vbrg6$ela$[EMAIL PROTECTED]...

 From: "Mikal 606" <[EMAIL PROTECTED]>
Subject: IS IT TO THE SKY?  ::operation mkpedestal notefile:: (2,0,2,)
Date: Friday, August 11, 2000 10:08 PM


FLIGHT 19

Ft. 28
Lt. C.C. Taylor, USNR
G.F. Devlin, AOM3c, USNR
W.R. Parpart, ARM3c, USNR


FT. 36
Capt. E.J. Powers, USMC
H.Q. Thompson, Sgt., USMCR
G.R. Paonessa, Sgt., USMC


Ft. 117
Capt. G.W. Stivers, USMC
R.P. Gruebel, Pvt., USMCR
R.F. Gullivan, Sgt., USMC


Ft. 81
2nd Lt. F.J. Gerber, USMCR
W.E. Lightfoot, Pfc., USMCR


Ft. 3
Ens. J.T. Bossi, USNR
A.H. Thelander, S1c, USNR
B.E. Baluk, JR., S1c, USNR

http://www.bobjenny-artist.com/nas/lostpat.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Painted blue across my eyes
And tied the linen on
And I'm on my way
Looking for the paradigm
So I can pass it off
Is it on my side


Is to the sky
Looking to the sky and down
Searching for a ground
With my good eye closed


If I took you for a ride
Would you take it wrong
Or would you make it right
Looking for a pedestal
That I can put you on
And be on my way


Is it to the sky
Looking to the sky and down
Searching for a ground
With my good eye closed


Stop you're trying to bruise my mind
I can do it on my own
Stop you're trying to kill my time
It's been my death since I was born
I don't remember have the time
If I'm hiding or I'm lost
But I'm on my way

http://imusic.com/soundgarden/sg3/discography/lyrics3/ly-search.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Remains of U.S. flight crew from WWII found at remote Russian site
August 11, 2000
Web posted at: 7:40 p.m. EDT (2340 GMT)

WASHINGTON (CNN) -- A joint U.S.-Russian recovery team operating at a remote
site in eastern Russia has discovered remains believed to be those of U.S.
servicemen missing in action since World War II, the Pentagon announced
Friday.

Members of the U.S.-Russia Joint Commission on POW/MIAs said they positively
identified the wreckage of a U.S. Navy PV-1 Ventura bomber during an August
7-9 visit to the steep face of Mutnovskiy volcano on the desolate Kamchatka
peninsula in eastern Russia.

A number of sets of remains found at the site are believed to be those of the
crew members of the Navy bomber.

The plane went missing on March 25, 1944, after taking off from a U.S. base
on Attu in the Aleutian Island chain.




The bomber and its seven-man crew were part of a five-plane formation that
embarked on a bombing mission that day as part of what the military then
called "The Empire Express." Their mission was to bomb targets on the Kurile
Islands in northern Japan, the Pentagon statement said.

Of the five planes that took to the sky from Attu that day, only one was
able to successfully complete the mission, the Pentagon said.

One of the planes crashed shortly after take off. Two others encountered
extreme weather and were forced to drop their bomb loads in the ocean before
returning to base. The last plane simply never returned.

It is that plane that was discovered by the team more than 56 years after it
disappeared.

Russian geologists apparently found the wreckage there decades ago but the
discovery was not reported to the U.S. until recently, the Pentagon said.

The U.S. Central Identification Laboratory in Hawaii has recommended that a
U.S. team return to the barren site next summer to conduct a more complete
excavation, in the hope of achieving a more complete accounting of the
missing crewmen.

There are more than 78,000 U.S. servicemen unaccounted for from World War
II.


P E D E S T A L

From: "Mikal 606" <[EMAIL PROTECTED]>
Subject: Re:  A K 0 /\ 0 Y 0I A  ROFOCALE
Date: Saturday, January 27, 2001 11:53 PM


"Mikal 606" <[EMAIL PROTECTED]> wrote in message news:...
> Yeah people come up
>
> Yeah, we better turn tha bass up on this one
> Check it, since 1516 minds attacked and overseen
> Now crawl amidst the ruins of this empty dream
> Wit their borders and boots on top of us
> Pullin' knobs on the floor of their toxic metropolis
> But how you gonna get what you need ta get?
> Tha gut eaters, blood drenched get offensive like Tet
> Tha fifth sun sets get back reclaim
> Tha spirit of Cuahtemoc alive an untamed
> Now face tha funk now blastin' out ya speaker, on tha one Maya, Mexica
> That vulture came ta try and steal ya name
> But now you got a gun, yeah this is for the people of the sun
>
> It's comin' back around again!
> This is for the people of the sun!
> It's comin' back around again! Uh!
>
> It's comin' back around again!
> This is for the people of the sun!
> It's comin' back around again! Uh!
>
> Yeah, neva forget that tha wip snapped ya back
> Ya spine cracked for tobacco, oh I'm the Marlboro man, uh
> Our past blastin' on through the verses
> Brigades of taxi cabs rollin' Broadway like hearses
> Troops strippin' zoots, shots of red mist,
> Sailors blood on tha deck, come sista resist
> From tha era of terror check this photo lens,
> Now tha city of angels does the ethnic cleanse
> Uh, heads bobbin' to tha funk out ya speaker, on tha one Maya, Mexica
> That vulture came to try and steal ya name
> But now you found a gun, you're history, this is for the people of the sun
>
> It's comin' back around again!
> This is for the people of the sun!
> It's comin' back around again! Yeah!
>
> It's comin' back around again!
> This is for the people of the sun!
> It's comin' back around again!
>
> It's comin' back around again!
> This is for the people of the sun!
> It's comin' back around again!
>
> It's comin' back around again!
> This is for the people of the sun!
> It's comin' back around!
> Of the sun
> People Of The Sun (Original, as on Bombs & Bullets)
> Bastard son is in, swimin' in a sea of funk
> Clear the lane, I'm gonna have to dunk ya
> Up and down like a donut in a caffeinated drink
> So take the sink, I'll take ya to the brink
> Check the rugged style I flip (some versions say "bring")
> If the price is right, I'll take you on a trip
> In my old school '62, two-tone white and blue
> One that ya never wanna step to
> Face my baseline, feel the earth quaking
> Sweat is on site at appamatox
> Mistakin' for my culture
> White boys who came and tried to steal my name
> But now I got a gun, this is for the people of the sun!
>
> This is for the people of the sun!
> It's coming back around again!
> Yeah it's coming back around again!
> This is for the people of the sun!
> Yeah
>
> I'm not a silent one, I'm a defiant one,
> Never the normal one, 'cause I'm the bastard's son
> Trip the way before the sky gives birth
> And now I trip the way from mother earth
> I'm tearin' off a, big fat chunk of the funk
> Clear the lane I gotta dunk, never smoke the skunk
> Or the cest
> The Humboldt, the showman of the buddha
> Gotta product six shooter, so fuck the hoota
> Face the baselines feel the earth quakin
> Sweat is on site at appamatox
> Mistaken for my culture,
> White boys who came and tried to steal my name
> But now I got a gun, this is for the people of the sun!
>
> It's coming back around again!
> This is for the people of the sun!
> It's coming back around again!
> Yeah it's coming back around again!
> This is for the people of the sun!
> For the sun!
>
> http://www.musicfanclubs.org/rage/lyrics.htm
>
> DRAMAR ANKALLE HELLIOPOLIS
>
> 1,2,1,  3,3,3, N(-1)
>
>





------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Why re-using the pad is not secure?
Date: Sat, 21 Apr 2001 19:52:02 GMT


"newbie" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> I tried to find out an answer, but all what cryptographers say is that
> is not secure.
>
> If I encrypt my message P(i) and P'(i) with the same OTP k(i), is there
> a way to find the key?
>
> E(i) = P(i) Xor k(i)
> E'(i)= P'(i) Xor k(i)
>
> Knowing : E(i) and E'(i)
>     and the equality k(i) = k(i)
>
> I have still 3 unknown P(i), P'(i), k(i)
> How could I solve this trivial problem.
> It is my last question.
> I apologize for my ennoying posts.

You guess k(i) values and see, for all known E values, if the key makes
sense.

In other words let's say you have five ciphertexts.  For every byte of the
pad (8-bits) you guess a value.  Then you check, for all five ciphertexts,
if the guessed plaintext is valid (i.e. ascii).  Then from there it's
language.  You see if the guessed keys lead to seemingly english words,
etc..

You can't do this when only one ciphertext is known since you can't
eliminate suggested keys by the redundancy...

Hope this helps,
Tom
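
The guess-and-eliminate procedure Tom describes, as an added example that is not part of the original thread. The five messages are constructed for the demo, and the "pad" comes from a seeded PRNG so the run is reproducible, which is exactly what a real one-time pad must never be. The block first shows that E(i) xor E'(i) equals P(i) xor P'(i) (the key drops out of the equation the newbie wrote down), then counts, per byte position, how many key guesses survive the "decrypts to printable ASCII under every ciphertext" test with one ciphertext versus five.

```python
# Added example (not from the thread): why a reused pad leaks.  The messages and the
# "pad" are constructed for this demo; the pad is seeded so the run is reproducible,
# which a real one-time pad must never be.
import random

PRINTABLE = frozenset(range(0x20, 0x7F))   # the 95 printable ASCII bytes

# Constructed sample messages, trimmed below to a common length.
MESSAGES = [
    b"The meeting is moved to Tuesday at nine.",
    b"Please send the quarterly report today.",
    b"Backup completed without any errors here.",
    b"Rotate the server certificates by Friday.",
    b"Lunch at the usual place around noon, ok?",
]
LENGTH = min(len(m) for m in MESSAGES)
MESSAGES = [m[:LENGTH] for m in MESSAGES]


def xor_bytes(a, b):
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def make_pad(length, seed=20010421):
    """Constructed demo pad from a deterministic PRNG (NOT a real one-time pad)."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(length))


def key_candidates(ciphertexts):
    """For every position i, the set of key bytes k such that c[i] ^ k is printable
    ASCII for every ciphertext c: the guess-then-eliminate step of the reply."""
    length = len(ciphertexts[0])
    candidates = []
    for i in range(length):
        ok = {k for k in range(256)
              if all((c[i] ^ k) in PRINTABLE for c in ciphertexts)}
        candidates.append(ok)
    return candidates


def demo(messages=MESSAGES):
    """Encrypt all messages under one pad and compare what one vs. several ciphertexts leak."""
    pad = make_pad(len(messages[0]))
    cts = [xor_bytes(m, pad) for m in messages]
    # The key cancels: E(i) ^ E'(i) == P(i) ^ P'(i), so the pad is gone from the equation.
    pad_cancels = xor_bytes(cts[0], cts[1]) == xor_bytes(messages[0], messages[1])
    single = key_candidates(cts[:1])    # one ciphertext: 95 guesses per byte, nothing to prune
    several = key_candidates(cts)       # five ciphertexts: redundancy prunes the guesses
    return {
        "pad_cancels": pad_cancels,
        "single_ct_counts": [len(s) for s in single],
        "multi_ct_counts": [len(s) for s in several],
        "true_key_survives": all(pad[i] in several[i] for i in range(len(pad))),
    }


if __name__ == "__main__":
    r = demo()
    print("pad cancels out of E ^ E':", r["pad_cancels"])
    print("key candidates per byte, 1 ciphertext: ", r["single_ct_counts"])
    print("key candidates per byte, 5 ciphertexts:", r["multi_ct_counts"])
    print("true pad byte always among the candidates:", r["true_key_survives"])
```

With a single ciphertext every position keeps exactly 95 candidates, one per printable character, so the ciphertext alone says nothing about the key; that is the point of the last paragraph above. Each additional ciphertext encrypted under the same pad intersects that set with another one, and the true pad byte is always among the survivors because all the real plaintexts are printable. What remains after the ASCII filter is what the "then it's language" step works on, by hand or with a dictionary, in the prose of the reply.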



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
