Cryptography-Digest Digest #205, Volume #14 Sun, 22 Apr 01 06:13:01 EDT
Contents:
Re: OTP breaking strategy ("Douglas A. Gwyn")
Re: Diffie-Hellman signatures now described (John Savard)
Re: "UNCOBER" = Universal Code Breaker ("Douglas A. Gwyn")
Re: Note on combining PRNGs with the method of Wichmann and Hill ("Douglas A. Gwyn")
Re: "UNCOBER" = Universal Code Breaker ("Douglas A. Gwyn")
Re: newbie: cryptanalysis of pseudo-random OTP? ("Douglas A. Gwyn")
Re: NON SECRET ENCRYPTION (AKA RSA) ("Douglas A. Gwyn")
Re: ANOTHER REASON WHY AES IS BAD ("Douglas A. Gwyn")
Re: Note on combining PRNGs with the method of Wichmann and Hill (Mok-Kong Shen)
Re: XOR TextBox Freeware: Very Lousy. (Anthony Stephen Szopa)
Re: ancient secret writing ("Douglas A. Gwyn")
Re: Note on combining PRNGs with the method of Wichmann and Hill (Mok-Kong Shen)
Re: Cryptanalysis Question: Determining The Algorithm? ("Douglas A. Gwyn")
Re: XOR TextBox Freeware: Very Lousy. (Anthony Stephen Szopa)
Re: Note on combining PRNGs with the method of Wichmann and Hill (Mok-Kong Shen)
Re: Censorship Threat at Information Hiding Workshop ("Douglas A. Gwyn")
Re: XOR TextBox Freeware: Very Lousy. ("Douglas A. Gwyn")
Re: ancient secret writing (Mok-Kong Shen)
Re: Cryptanalysis Question: Determining The Algorithm? (Matthew Kwan)
Re: Better block cipher pre/post whiten step (Mok-Kong Shen)
----------------------------------------------------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: OTP breaking strategy
Date: Sun, 22 Apr 2001 08:10:27 GMT
"SCOTT19U.ZIP_GUY" wrote:
> if your source of randomness is a true random generator
> then any output is possible, including outputs that
> contain long strings of zeroes or ones or even simply
> ASCII text.
True. One of newbie's (many) misunderstandings is the
notion that a bit string can be characterized in itself
as random or not. It is actually only processes that
can be so categorized, e.g. what you call a true random
generator. The data would have to be considered "random"
if it was produced by a random process, but there is no
way to tell just by looking at the data.
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Diffie-Hellman signatures now described
Date: Sun, 22 Apr 2001 08:12:01 GMT
On Fri, 20 Apr 2001 00:06:30 GMT, [EMAIL PROTECTED]
(John Savard) wrote, in part:
>At http://home.ecn.ab.ca/~jsavard/crypto/pk050302.htm
>I have now rectified this omission.
A further revision on that page notes that HAC gives a different list
of values for a, b, and c than AC does.
Although HAC, in general, would seem more authoritative than AC, in
this case I think AC is right. This is because it seems reasonable
that raising (A^y mod P) to the power ((A^y mod P) mod Q), rather
than raising (A^x mod P) to that power and (A^y mod P) to some other
power, takes into account some interactions between the coefficients
that would lead to some of the secret keys not being properly masked
out.
Of course the encipherment and decipherment equations would be
satisfied if a, b, and c were anything.
Why not
a = m+Y
b = mY
c = s
in other words, an encipherment equation of
signature = x * (message hash + ((A^y mod P) mod Q))
          + y * (message hash * ((A^y mod P) mod Q))
all modulo Q
and a verification equation of
A^signature = (A^x mod P)^(message hash + ((A^y mod P) mod Q))
            * (A^y mod P)^(message hash * ((A^y mod P) mod Q))
... that would seem to be just as valid as anything else, if the
values of the parameters a, b, and c were not very strictly
constrained for some reason.
John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm
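An added worked example, not code from Savard's post or from AC/HAC: the signing and verification equations he sketches, run over a toy group. It shows the point he makes in passing, that the verification equation is satisfied for any choice of the exponents on the public key and on the commitment, because both sides are A raised to the same exponent mod Q. It says nothing about whether his particular choice (m + r on the public key, m*r on the commitment) is secure. The parameters P = 2039, Q = 1019, A = 4 are constructed for the demo and far too small for real use; the hash is SHA-256 reduced mod Q.

```python
import hashlib
import secrets

# Constructed toy group: P = 2Q + 1 with both prime, A = 2^2 generates the order-Q subgroup.
P, Q, A = 2039, 1019, 4

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

assert is_prime(P) and is_prime(Q) and P == 2 * Q + 1 and pow(A, Q, P) == 1

def hash_to_zq(message):
    """Message hash reduced mod Q (the 'message hash' in Savard's equations)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1          # private exponent x in [1, Q-1]
    return x, pow(A, x, P)                    # (x, public key A^x mod P)

# Savard's proposed exponents: (m + r) on the public key, (m * r) on the commitment.
def B_savard(m, r):
    return (m + r) % Q

def C_savard(m, r):
    return (m * r) % Q

def sign(message, x, B=B_savard, C=C_savard, k=None):
    """Signing equation: s = x*B(m, r) + k*C(m, r) mod Q, with r = (A^k mod P) mod Q."""
    m = hash_to_zq(message)
    if k is None:
        k = secrets.randbelow(Q - 1) + 1      # per-signature secret (Savard's y), in [1, Q-1]
    R = pow(A, k, P)                          # the commitment A^y mod P, sent in full
    r = R % Q
    s = (x * B(m, r) + k * C(m, r)) % Q
    return R, s

def verify(message, Y, signature, B=B_savard, C=C_savard):
    """Verification: A^s == Y^B(m, r) * R^C(m, r) mod P.  This holds for *any* B and C,
    because both sides equal A raised to x*B + k*C; the choice of B and C only
    matters for security, about which this identity says nothing."""
    R, s = signature
    if not (1 < R < P) or pow(R, Q, P) != 1:  # R must be a non-trivial subgroup element
        return False
    m = hash_to_zq(message)
    r = R % Q
    lhs = pow(A, s, P)
    rhs = pow(Y, B(m, r), P) * pow(R, C(m, r), P) % P
    return lhs == rhs

if __name__ == "__main__":
    x, Y = keygen()
    msg = b"constructed sample message"
    R, s = sign(msg, x)
    print("Savard's (m+r, m*r) variant verifies:", verify(msg, Y, (R, s)))
    print("altered s rejected:", not verify(msg, Y, (R, (s + 1) % Q)))
    # Any other exponent pair satisfies the identity just as well, e.g. B = m, C = r:
    alt = dict(B=lambda m, r: m, C=lambda m, r: r)
    print("B = m, C = r variant verifies:", verify(msg, Y, sign(msg, x, **alt), **alt))
```

Swapping in a different (B, C) pair, as the last lines do, is exactly the freedom Savard describes; whether a given pair lets a forger solve for a valid (R, s) without x is a separate question that this identity does not settle.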
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: "UNCOBER" = Universal Code Breaker
Date: Sun, 22 Apr 2001 08:16:15 GMT
Tom St Denis wrote:
> Why don't ya just read some books on the subject instead of
> constantly randomly posting here?
Hear, hear.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Crossposted-To: sci.crypt.random-numbers
Subject: Re: Note on combining PRNGs with the method of Wichmann and Hill
Date: Sun, 22 Apr 2001 08:22:17 GMT
Mok-Kong Shen wrote:
> Thanks. One sees the effects of export regulations. The
> AC I bought was without disks.
I had the impression that they were available on the net
(probably at more than one site).
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: "UNCOBER" = Universal Code Breaker
Date: Sun, 22 Apr 2001 08:18:52 GMT
Paul Pires wrote:
> [tests] detect a probability that an output might not be random.
Likelihood, not probability, please.
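An added example, not from Gwyn's or Pires's posts, of what a randomness test actually returns, which is also the point made earlier in this digest that only a process, not a bit string, can be called random. The two NIST SP 800-22 tests below (frequency and runs) each report a p-value: the probability that a genuinely fair source would produce a statistic at least this extreme. That is a likelihood of the data under the hypothesis of a fair source, not a probability that the data "is random"; a run of a hundred zeros is a legal output of a true random source with probability 2^-100, it simply gets a tiny p-value. The sample strings are constructed; the two short ones are the worked examples printed in the NIST document.

```python
import math

def monobit_p_value(bits):
    """NIST SP 800-22 frequency (monobit) test.  bits is a string of '0'/'1'.
    S_n = #ones - #zeros; s_obs = |S_n| / sqrt(n); p = erfc(s_obs / sqrt(2))."""
    n = len(bits)
    if n == 0:
        raise ValueError("empty sequence")
    s_n = sum(1 if b == "1" else -1 for b in bits)
    return math.erfc(abs(s_n) / math.sqrt(n) / math.sqrt(2))

def runs_p_value(bits):
    """NIST SP 800-22 runs test: compares the number of runs V_n with the count expected
    from the observed proportion of ones.  The standard's prerequisite is that the
    proportion be close to 1/2; otherwise the test is not applicable and we report 0."""
    n = len(bits)
    pi = bits.count("1") / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):
        return 0.0
    v_n = 1 + sum(1 for i in range(n - 1) if bits[i] != bits[i + 1])
    num = abs(v_n - 2 * n * pi * (1 - pi))
    den = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(num / den)

def verdict(bits, alpha=0.01):
    """Return (monobit_p, runs_p, passes_both).  A failure means a fair source would
    rarely produce data this extreme; it does not say the data 'is not random'."""
    p1, p2 = monobit_p_value(bits), runs_p_value(bits)
    return p1, p2, (p1 >= alpha and p2 >= alpha)

# Constructed samples.
NIST_FREQ_EXAMPLE = "1011010101"   # SP 800-22 section 2.1 worked example: p = 0.527089
NIST_RUNS_EXAMPLE = "1001101011"   # SP 800-22 section 2.3 worked example: p = 0.147232
ALL_ZEROS = "0" * 100              # a legal fair-coin output with probability 2**-100
ALTERNATING = "01" * 50            # perfectly balanced: monobit passes, runs fails

if __name__ == "__main__":
    for name, bits in [("NIST frequency example", NIST_FREQ_EXAMPLE),
                       ("NIST runs example", NIST_RUNS_EXAMPLE),
                       ("100 zeros", ALL_ZEROS), ("0101...01", ALTERNATING)]:
        p1, p2, ok = verdict(bits)
        print(f"{name:24s} monobit p={p1:.3g}  runs p={p2:.3g}  passes={ok}")
```

Two of the constructed strings fail, and they fail different tests: the alternating string is perfectly balanced and gets monobit p = 1, while its run count is wildly off. A test suite only ever says how unlikely the observed statistics are under the fair-source hypothesis; the generating process is what makes the data random or not.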
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: newbie: cryptanalysis of pseudo-random OTP?
Date: Sun, 22 Apr 2001 08:25:43 GMT
Osugi Sakae wrote:
> ... one book mentioned using a Carl Sagan book as the "keyword").
> What they don't say is why this is not secure, ...
Because a guess as to a portion of the plaintext can be confirmed
or refuted very simply by reconstructing the corresponding portion
of key and seeing if it looks like text from a book.
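An added example (not from Gwyn's post) of the attack he describes. A running-key cipher adds a passage of ordinary text to the plaintext letter by letter (mod 26 here, as in a Vigenere table). The attacker guesses a probable word, slides it along the ciphertext, strips it off to recover the key letters that would have to sit underneath, and keeps only the offsets where those key letters read like English; a wrong guess leaves letter soup. The message, the "book" passage, the crib and the English letter-frequency table used for scoring are all constructed for the demo.

```python
import math
import string

ALPHA = string.ascii_uppercase

# Approximate English single-letter frequencies, in per cent (the usual textbook table).
ENGLISH_PCT = {
    "E": 12.7, "T": 9.1, "A": 8.2, "O": 7.5, "I": 7.0, "N": 6.7, "S": 6.3,
    "H": 6.1, "R": 6.0, "D": 4.3, "L": 4.0, "C": 2.8, "U": 2.8, "M": 2.4,
    "W": 2.4, "F": 2.2, "G": 2.0, "Y": 2.0, "P": 1.9, "B": 1.5, "V": 1.0,
    "K": 0.8, "J": 0.15, "X": 0.15, "Q": 0.10, "Z": 0.07,
}

def clean(text):
    """Keep letters only, upper-cased."""
    return "".join(ch for ch in text.upper() if ch in ALPHA)

def running_key_encrypt(plaintext, key_text):
    """Running-key cipher: add the key passage to the message letter by letter, mod 26."""
    p, k = clean(plaintext), clean(key_text)
    if len(k) < len(p):
        raise ValueError("key passage is shorter than the message")
    return "".join(ALPHA[(ALPHA.index(a) + ALPHA.index(b)) % 26] for a, b in zip(p, k))

def strip_crib(ciphertext, crib, offset):
    """Key letters that must sit under `crib` if the plaintext reads `crib` at `offset`."""
    crib = clean(crib)
    window = ciphertext[offset:offset + len(crib)]
    return "".join(ALPHA[(ALPHA.index(c) - ALPHA.index(m)) % 26] for c, m in zip(window, crib))

def english_log_likelihood(fragment):
    """Mean natural-log probability per letter under the single-letter model."""
    return sum(math.log(ENGLISH_PCT[ch] / 100.0) for ch in fragment) / len(fragment)

def looks_like_english(fragment, threshold=-3.3):
    """English averages about -2.9 nats per letter, uniformly random letters about -3.9."""
    return english_log_likelihood(fragment) > threshold

def drag_crib(ciphertext, crib):
    """Slide the crib over every offset and rank offsets by how English the recovered
    key fragment looks.  Offsets passing looks_like_english() are the confirmed guesses."""
    crib = clean(crib)
    ranked = []
    for off in range(len(ciphertext) - len(crib) + 1):
        frag = strip_crib(ciphertext, crib, off)
        ranked.append((english_log_likelihood(frag), off, frag))
    ranked.sort(reverse=True)
    return ranked

# Constructed sample: a well-known opening line as the "book", a short order as the message.
KEY_TEXT = "It was the best of times, it was the worst of times, it was the age of wisdom"
MESSAGE = "Meet me at the old mill at midnight"
CIPHERTEXT = running_key_encrypt(MESSAGE, KEY_TEXT)

if __name__ == "__main__":
    for score, off, frag in drag_crib(CIPHERTEXT, "MIDNIGHT")[:5]:
        tag = "  <- reads like book text" if looks_like_english(frag) else ""
        print(f"offset {off:2d}: key fragment {frag} ({score:+.2f} nats/letter){tag}")
```

With the crib MIDNIGHT at its true offset (20) the recovered key letters are TWASTHEW, a visible slice of the Dickens line; at a wrong offset such as 10 they are KZWVXKQW. Each confirmed crib also hands the attacker a piece of the key text to extend in both directions, which is why a book is so much weaker than a pad of genuinely random letters.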
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: NON SECRET ENCRYPTION (AKA RSA)
Date: Sun, 22 Apr 2001 08:30:37 GMT
"SCOTT19U.ZIP_GUY" wrote:
> We will never know the truth.
Some of us do. The published history of this is accurate.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: ANOTHER REASON WHY AES IS BAD
Date: Sun, 22 Apr 2001 08:39:20 GMT
"SCOTT19U.ZIP_GUY" wrote:
> I think one can apply the same theory to crypto. Since
> the idea is to take a low entropy string and make it appear
> to be random, it should take a fairly long program to achieve
> this. ...
Since we normally assume that the attacker knows the encryption
procedure, the only way the (Chaitin-encoded) size of the
procedure could much matter is if any viable attack somehow *has*
to struggle against that amount of complication. Is that a theorem?
(Or, is there a simple counterexample?)
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Crossposted-To: sci.crypt.random-numbers
Subject: Re: Note on combining PRNGs with the method of Wichmann and Hill
Date: Sun, 22 Apr 2001 10:40:44 +0200
Brian Gladman wrote:
>
[snip]
> [*] for observers of this exchange: I have a PDF document showing a graph of
> the analytically derived distributions that I will email to anyone who is
> interested.
Since my arguments are based on this PDF file, we (Brian
Gladman and I) will for some time have to converse directly
with E-mail, before again discussing with each other in the
group. I'll in any case (whether I am wrong or right) post
the result of our private discussions to this thread,
eventually to be followed by public discussions with Brian
Gladman here. As I said, I (and hopefully many) don't
exclude (categorically) the probability of making
blunders. But the truth of scientific propositions
has to be found (clearly and definitely) and not left in
a fuzzy unknown state, hence my continuing discussion
with Brian Gladman.
M. K. Shen
------------------------------
From: Anthony Stephen Szopa <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto,alt.hacker
Subject: Re: XOR TextBox Freeware: Very Lousy.
Date: Sun, 22 Apr 2001 01:22:23 -0700
Joseph Ashwood wrote:
>
> "Bodo Eggert" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > David Schwartz <[EMAIL PROTECTED]> wrote:
> >
> > > the user. If the user had a good, secure means of sending the OTP to the
> > > recipient, why wouldn't he just use that mechanism to transfer the
> > > plaintext itself?
> >
> > The trick is to transfer the random generator or the seed,
> > which allows to encrypt a certain (bigger) amount of plaintext.
>
> Wrong. What was being discussed was an OTP. To build an OTP you have to have
> as much entropy in the pad as the pad can hold; since your assumption is
> that the seed or generator is smaller than the pad, the entropy of the
> seed/generator must be smaller than the entropy that can be contained in the
> pad. It is not an OTP, it will never be an OTP, it can never be an OTP, and
> anyone who thinks it's an OTP is incorrect.
> Joe
Read the US Patent Office definition of an OTP.
Then please, set them straight, right away.
And by the way, does it matter to a cracker whether or not the random
number files used to XOR messages were from a genuine OTP or from an
unreproducible group of random number files?
Seems pretty academic to me if in either case the cracker hasn't a
Chinaman's chance.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: ancient secret writing
Date: Sun, 22 Apr 2001 08:45:18 GMT
John Savard wrote:
> image appears to be of shorthand, perhaps the well-known and
> still-used Pitman or Gregg.
I tried posting a similar response, but Netscape died and I had to
take care of other business. There are a zillion different schemes
of shorthand. Jim Gillogly has broken at least one of these. It's
similar to attacking a code system.
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Note on combining PRNGs with the method of Wichmann and Hill
Date: Sun, 22 Apr 2001 10:41:04 +0200
Brian Gladman wrote:
>
[snip]
> My apologies for this posting with a PDF attachment - this was a mistake on
> my part since it was intended to be a direct email rather than a posting.
You don't have to apologize, since (if my server is the same
as the others), your PDF attachment was NOT present in
the previous post sent to the group.
I have in a (simultaneously sent) follow-up to your previous
post said to the group that we'll for a time converse
directly with E-mail and that I'll later post the result of
our private discussion to the group, for eventual further
discussion with you in the group.
M. K. Shen
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Cryptanalysis Question: Determining The Algorithm?
Date: Sun, 22 Apr 2001 08:52:45 GMT
pjf wrote:
> If someone gets a chunk of cyphertext that they are trying to
> cryptanalyze, how do they determine what algorithm was used ...?
Often, there are only a reasonably finite number of possibilities,
so try them all in parallel and abort the others when one succeeds.
Beyond that, the field is called "cryptodiagnosis", and while it is
not an exact science, it has been well-developed "behind the fence".
There are some powerful general tools that can discriminate among
various classes of system; some of them should be fairly obvious.
For example, as everyone should know, Fourier analysis is good at
detecting periodic phenomena; these are likely to correspond to
component cycles.
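An added example, not from Gwyn's post, of the kind of diagnostic he has in mind. A periodic polyalphabetic cipher (Vigenere below) reuses the same alphabet every `period` letters, so ciphertext letters that far apart coincide about as often as two plaintext letters do (roughly 6.5 per cent for English), while letters at other distances coincide only about as often as letters drawn from two unrelated alphabets (roughly 4 per cent, and exactly 1/26 if the key is uniform and as long as the message). Counting coincidences at each shift is the autocorrelation of the ciphertext, and autocorrelation and power spectrum are a Fourier pair, so the peaks at multiples of the period are the same component cycle seen in either domain. The "plaintext" is constructed: letters drawn independently with English single-letter frequencies, which is all the coincidence statistic depends on.

```python
import random
import string

ALPHA = string.ascii_uppercase
# Approximate English single-letter frequencies for A..Z, in per cent.
ENGLISH_PCT = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.8, 4.0, 2.4,
               6.7, 7.5, 1.9, 0.10, 6.0, 6.3, 9.1, 2.8, 1.0, 2.4, 0.15, 2.0, 0.07]

def constructed_plaintext(n, seed=1):
    """Constructed stand-in for English: letters drawn i.i.d. with English frequencies."""
    return "".join(random.Random(seed).choices(ALPHA, weights=ENGLISH_PCT, k=n))

def uniform_pad(n, seed=2):
    """A key as long as the message with uniform letters: no period to find."""
    return "".join(random.Random(seed).choices(ALPHA, k=n))

def vigenere(plaintext, key):
    """Periodic polyalphabetic encryption: alphabet i is reused every len(key) letters."""
    return "".join(ALPHA[(ALPHA.index(p) + ALPHA.index(key[i % len(key)])) % 26]
                   for i, p in enumerate(plaintext))

def coincidence_rate(text, shift):
    """Fraction of positions i with text[i] == text[i + shift]: the autocorrelation at
    lag `shift`.  Letters from the same alphabet coincide with probability sum(p_i^2),
    about 0.065 for English; letters from different alphabets far less often."""
    matches = sum(a == b for a, b in zip(text, text[shift:]))
    return matches / (len(text) - shift)

def autocorrelation_profile(text, max_shift=25):
    return {d: coincidence_rate(text, d) for d in range(1, max_shift + 1)}

def likely_period(text, max_shift=25):
    """Smallest shift whose coincidence rate is within 20 % of the best one.  Every
    multiple of the period peaks, so the smallest peak is the period itself.  On a
    flat profile (aperiodic key) the answer is meaningless, as it should be."""
    profile = autocorrelation_profile(text, max_shift)
    best = max(profile.values())
    return min(d for d, rate in profile.items() if rate >= 0.8 * best)

if __name__ == "__main__":
    pt = constructed_plaintext(40000)
    for name, ct in (("Vigenere, key CRYPT", vigenere(pt, "CRYPT")),
                     ("key as long as the message", vigenere(pt, uniform_pad(40000)))):
        profile = autocorrelation_profile(ct)
        print(f"{name}: likely period {likely_period(ct)}")
        print("   " + " ".join(f"{d}:{rate:.3f}" for d, rate in profile.items()))
```

Run it and the first profile spikes at 5, 10, 15, 20 and 25 with everything else near 0.04; the second sits flat at about 0.038 everywhere. That flat profile is the limit Kwan raises later in this digest: once the structure that repeats is gone, there is no cycle for the statistic to find.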
------------------------------
From: Anthony Stephen Szopa <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto,alt.hacker
Subject: Re: XOR TextBox Freeware: Very Lousy.
Date: Sun, 22 Apr 2001 01:52:27 -0700
Bodo Eggert wrote:
>
> David Schwartz <[EMAIL PROTECTED]> wrote:
>
> > the user. If the user had a good, secure means of sending the OTP to the
> > recipient, why wouldn't he just use that mechanism to transfer the
> > plaintext itself?
>
> The trick is to transfer the random generator or the seed,
> which allows to encrypt a certain (bigger) amount of plaintext.
>
> 1) Unfortunately, this requires a _good_ pseudo-random-generator.
> 2) there are other encryption methods allowing a bigger amount of
> plaintext to be ciphered with the same key.
> --
> Linux forces a brain to configure
> Windows forces a brain-damaged configuration
We seem to be thinking in the same terms.
OAP-L3 can generate trillions of random numbers with a key of only
a few thousand bytes and with a security level of several thousand
bits. A longer key and you get a higher bit security level.
OTP transfer doesn't seem to be too terribly big a problem to the US
military. I would think that the Captain, the XO and probably the
Communications Officer get their OTPs on DVDs and walk them from the
Pentagon right on board their nuclear sub. I bet they don't use pgp.
Imagine this: Your contact in Germany makes one trip to the US and
pays you a visit. You hand him a floppy containing an OAP-L3
encryption key. With this one transfer, in a very short period of
time, the continents of Europe, Asia, and Africa could have
unbreakable encryption and begin secure communications with you here
in the western hemisphere. All that is needed is a wide spread
organization desirous to attain this capability. And then they
disseminate it to all their stations.
This could also be done here in the western hemisphere. You could
have the entire world securely wired in very short order.
This one key is all you need.
Or maybe you and he have agreed to transfer partial keys via various
methods such as email, snail mail, telephone, etc. all sent and
received at different locations. Then the partial keys are to be
assembled to create the full key.
I mean, if you are not on the NSA, or FBI, or CIA suspect list, does
anyone think that if they called on the telephone, then sent an email,
then sent a letter, etc. all with only a partial key, that all these
partial keys would be intercepted while being sent from different
locations and received at different locations at unpredictable times
by these intelligent agencies and then assembled in the correct order
and then used with the right software by them, etc.?
I just don't think the transfer of an OAP-L3 encryption key is
difficult at all to get to anyone in Europe. Some of you talk as
if it is just an insurmountable problem. I say, NOT with OAP-L3.
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Crossposted-To: sci.crypt.random-numbers
Subject: Re: Note on combining PRNGs with the method of Wichmann and Hill
Date: Sun, 22 Apr 2001 10:51:40 +0200
"Douglas A. Gwyn" wrote:
>
> Mok-Kong Shen wrote:
> > Thanks. One sees the effects of export regulations. The
> > AC I bought was without disks.
>
> I had the impression that they were available on the net
> (probably at more than one site).
I believe you are right. In fact I remember having
read about that in this group or elsewhere. But these were
against the (at least the old) regulations, I suppose. I
remember that someone said in the group that the text of
AC itself is also available on the net. That's certainly
a 'pirated' edition. (Only Menezes' HAC is officially
free on the net.)
M. K. Shen
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Censorship Threat at Information Hiding Workshop
Date: Sun, 22 Apr 2001 08:56:51 GMT
wtshaw wrote:
> It is an attack on individuals who dare fight corporate greed and
> corporate welfare.
Funny how pirates always find rationalizations like that.
If it hadn't been for rampant piracy, the music publishing industry
would never have resorted to copy-protection in the first place.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: XOR TextBox Freeware: Very Lousy.
Date: Sun, 22 Apr 2001 09:17:23 GMT
Anthony Stephen Szopa wrote:
> Read the US Patent Office definition of an OTP.
I rather doubt that they have an "official" definition.
Please give a reference to it.
> And by the way, does it matter to a cracker whether or not the random
> number files used to XOR messages were from a genuine OTP or from an
> unreproducable group of random number files?
Because in the former case (only), cryptanalysis is demonstrably
infeasible.
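An added example, not from Gwyn's or Ashwood's posts, of why the distinction they draw is not academic. If the "pad" is expanded from a seed, it carries no more entropy than the seed, and the attacker can simply try every seed: here a 16-bit seed drives a small xorshift32 generator, and the attacker recovers the message from the ciphertext alone by keeping the one seed whose decryption is printable text. Against a pad of genuinely random bytes there is nothing to enumerate: every pad is equally likely, so every plaintext of the right length is an equally consistent decryption. The generator, seed and message are constructed for the demo; no actual program discussed in this thread is modelled.

```python
SEED_BITS = 16
WARMUP = 8

def _initial_state(seed):
    """Distinct, never-zero 32-bit xorshift state for each 16-bit seed."""
    return (seed << 16) | 0x9E37

def _step(state):
    """One xorshift32 step (shifts 13, 17, 5)."""
    state ^= (state << 13) & 0xFFFFFFFF
    state ^= state >> 17
    state ^= (state << 5) & 0xFFFFFFFF
    return state

def keystream(seed, n):
    """n 'pad' bytes: the low byte of each state after WARMUP discarded steps."""
    state = _initial_state(seed)
    for _ in range(WARMUP):
        state = _step(state)
    out = bytearray()
    for _ in range(n):
        state = _step(state)
        out.append(state & 0xFF)
    return bytes(out)

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(seed, plaintext):
    """XOR with the 'pad', exactly as a real one-time pad would be applied."""
    return xor_bytes(plaintext, keystream(seed, len(plaintext)))

def is_printable(byte):
    return 32 <= byte < 127

def recover_by_brute_force(ciphertext):
    """Try every seed and keep those whose decryption is entirely printable ASCII.
    A wrong seed is abandoned at its first unprintable byte, so most cost a byte or two;
    the whole 2**16 space takes well under a minute in pure Python."""
    hits = []
    for seed in range(1 << SEED_BITS):
        state = _initial_state(seed)
        for _ in range(WARMUP):
            state = _step(state)
        plaintext = bytearray()
        for c in ciphertext:
            state = _step(state)
            p = c ^ (state & 0xFF)
            if not is_printable(p):
                break
            plaintext.append(p)
        else:
            hits.append((seed, bytes(plaintext)))
    return hits

# Constructed sample; the seed is all that sender and receiver would have to share.
MESSAGE = b"Meet me at the old mill at midnight."
TRUE_SEED = 0xBEEF
CIPHERTEXT = encrypt(TRUE_SEED, MESSAGE)

if __name__ == "__main__":
    for seed, plaintext in recover_by_brute_force(CIPHERTEXT):
        print(f"seed {seed:#06x}: {plaintext!r}")
```

A longer seed only moves the cost; it does not change the nature of the attack, whereas for a true pad the cost is infinite because the plaintext is not determined by the ciphertext at all. That is the sense of "demonstrably infeasible" in the former case only.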
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: ancient secret writing
Date: Sun, 22 Apr 2001 11:25:17 +0200
"Douglas A. Gwyn" wrote:
>
> John Savard wrote:
> > image appears to be of shorthand, perhaps the well-known and
> > still-used Pitman or Gregg.
>
> I tried posting a similar response, but Netscape died and I had to
> take care of other business. There are a zillion different schemes
> of shorthand. Jim Gillogly has broken at least one of these. It's
> similar to attacking a code system.
A related thought: There are, if I don't err, quite a
number of archaeological findings with symbol sequences
of yet unknown meaning. Are there any attempts to
'decrypt' these with the help of the now much advanced
knowledge of crypto (in comparison to the time of
'decryption' of hieroglyphs)?
M. K. Shen
------------------------------
From: [EMAIL PROTECTED] (Matthew Kwan)
Subject: Re: Cryptanalysis Question: Determining The Algorithm?
Date: 22 Apr 2001 19:35:25 +1000
"Douglas A. Gwyn" <[EMAIL PROTECTED]> writes:
>pjf wrote:
>> If someone gets a chunk of cyphertext that they are trying to
>> cryptanalyze, how do they determine what algorithm was used ...?
>Often, there are only a reasonably finite number of possibilities,
>so try them all in parallel and abort the others when one succeeds.
>Beyond that, the field is called "cryptodiagnosis", and while it is
>not an exact science, it has been well-developed "behind the fence".
>There are some powerful general tools that can discriminate among
>various classes of system; some of them should be fairly obvious.
>For example, as everyone should know, Fourier analysis is good at
>detecting periodic phenomena; these are likely to correspond to
>component cycles.
When you say "powerful", do you mean capable of distinguishing between
64-bit block ciphers? At first glance, this seems unlikely. A well-
designed block cipher should not let *any* characteristics of the
plaintext leak through to the ciphertext (apart from the trivial case
where encrypting identical plaintexts results in identical ciphertexts).
And changing the key should result in a completely different set of
characteristics, in the unlikely case that any characteristics exist.
I'll stick my neck out here. Using CBC, or ECB with no repeating
plaintext blocks, and assuming the length of the ciphertext is a
multiple of all likely block sizes, you should not even be able to
figure out the block length, let alone the identity of the cipher,
if it is a strong cipher.
If there really are any techniques that could achieve this, I'd be
interested in hearing about them. I'm fairly sure they could be
adapted to breaking the cipher itself.
mkwan
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Better block cipher pre/post whiten step
Date: Sun, 22 Apr 2001 11:43:28 +0200
Tom St Denis wrote:
>
> It's really simple. If you use a decorrelated function such as F(x) = ax +
> b (a,b are round keys a != 0) all in GF(2^W) then your entire cipher would
> be xor-linear.
>
> Which means an input difference of (a,b) -> (d,e) would hold with a
> probability of 1 over all plaintexts, obviously not very random behaviour.
>
> Not only that, you can break a three-round Feistel built with this with only
> 2 plaintexts/ciphertexts.
>
> My idea is to hide the linearity behind the core cipher, and to hide any
> known biases of the core cipher (linear or differential) behind the
> decorrelated functions.
Sorry for one more question: Would a rotation (static
or dynamic) help with the question of linearity?
M. K. Shen
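An added example, not code from Tom St Denis's or Mok-Kong Shen's posts, of the xor-linearity Tom describes and of what a rotation does to it. The round function is F(x) = a*x + b in GF(2^8) (the AES field polynomial is an assumption of this demo; the post leaves the field unspecified). Multiplication by a constant in GF(2^w), XOR with a constant and rotation by a fixed amount are all GF(2)-affine maps, so three Feistel rounds built from them compose to an affine map E: for a fixed key the ciphertext difference E(x) ^ E(y) depends only on x ^ y, never on which pair was chosen and never on the additive constants b, which is the probability-1 differential. A rotation by an amount taken from the data is not GF(2)-affine, and the same test shows the cipher stops being affine. The keys and plaintexts are constructed.

```python
import secrets

AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1; the choice of field is an assumption of this demo

def gf_mul(x, y):
    """Multiplication in GF(2^8) modulo AES_POLY.  For fixed x it is GF(2)-linear in y."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        x <<= 1
        if x & 0x100:
            x ^= AES_POLY
        y >>= 1
    return r

def rotl8(x, n):
    n %= 8
    return ((x << n) | (x >> (8 - n))) & 0xFF

def F_affine(x, key):
    """Tom's decorrelated round function F(x) = a*x + b in GF(2^8), with a != 0."""
    a, b = key
    return gf_mul(a, x) ^ b

def F_affine_rot(x, key):
    """Same, then a static rotation: rotation by a constant is GF(2)-linear, so still affine."""
    return rotl8(F_affine(x, key), 3)

def F_affine_datarot(x, key):
    """Same, then a rotation whose amount is read from the data: no longer affine."""
    return rotl8(F_affine(x, key), x & 7)

def feistel3(block16, round_keys, F):
    """Three-round Feistel on a 16-bit block of two 8-bit halves; round_keys = [(a, b)] * 3."""
    L, R = block16 >> 8, block16 & 0xFF
    for key in round_keys:
        L, R = R, L ^ F(R, key)
    return (L << 8) | R

def output_difference(round_keys, F, p1, p2):
    return feistel3(p1, round_keys, F) ^ feistel3(p2, round_keys, F)

def is_affine(round_keys, F, trials=64):
    """E(x) ^ E(y) ^ E(z) == E(x ^ y ^ z) for all x, y, z iff E is affine over GF(2).
    Checked on random triples: an affine E passes every trial, a non-affine E fails fast."""
    e = lambda v: feistel3(v, round_keys, F)
    for _ in range(trials):
        x, y, z = (secrets.randbelow(1 << 16) for _ in range(3))
        if e(x) ^ e(y) ^ e(z) != e(x ^ y ^ z):
            return False
    return True

def random_round_keys():
    return [(secrets.randbelow(255) + 1, secrets.randbelow(256)) for _ in range(3)]

if __name__ == "__main__":
    keys = random_round_keys()
    for F in (F_affine, F_affine_rot, F_affine_datarot):
        print(f"{F.__name__:18s} gives an affine cipher: {is_affine(keys, F)}")
    # With F_affine, input difference 0x1234 ^ 0xABCD maps to one output difference for
    # every plaintext pair having it, and the additive constants b play no part.
    d = output_difference(keys, F_affine, 0x1234, 0xABCD)
    print("same difference from another pair:", d == output_difference(keys, F_affine, 0, 0x1234 ^ 0xABCD))
    keys_b = [(a, secrets.randbelow(256)) for a, _ in keys]
    print("same difference with other b's:   ", d == output_difference(keys_b, F_affine, 0x1234, 0xABCD))
```

The affinity test is the practical check to run on any "decorrelated" construction before trusting it: if it passes, the cipher is a fixed linear map plus a constant and the differential and linear biases Tom mentions are not hidden, they hold with certainty.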
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************