Cryptography-Digest Digest #206, Volume #14 Sun, 22 Apr 01 09:13:01 EDT
Contents:
Re: Diffie-Hellman signatures now described ("Tom St Denis")
Re: Better block cipher pre/post whiten step ("Tom St Denis")
Re: Better block cipher pre/post whiten step (Mok-Kong Shen)
Re: Note on combining PRNGs with the method of Wichmann and Hill (Mok-Kong Shen)
Re: Better block cipher pre/post whiten step ("Tom St Denis")
Re: Why re-using the pad is not secure? (Leonard R. Budney)
Re: Better block cipher pre/post whiten step ("Tom St Denis")
Re: Better block cipher pre/post whiten step (Mok-Kong Shen)
Re: XOR TextBox Freeware: Very Lousy. ("Szopa Swings Again"@anon.lcs.mit.edu,
[EMAIL PROTECTED])
Re: Cryptanalysis Question: Determing The Algorithm? (Leonard R. Budney)
Re: Better block cipher pre/post whiten step ("Tom St Denis")
Re: Will this defeat keyloggers ? ("Thomas J. Boschloo")
basics of cryptography (Pille2)
Re: basics of cryptography ("Tom St Denis")
Re: basics of cryptography (Pille2)
Re: basics of cryptography ("Tom St Denis")
----------------------------------------------------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Diffie-Hellman signatures now described
Date: Sun, 22 Apr 2001 10:30:38 GMT
"John Savard" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> On Fri, 20 Apr 2001 00:40:13 GMT, "Tom St Denis"
> <[EMAIL PROTECTED]> wrote, in part:
>
> >DH afaik describes a key exchange protocol involving the DLP.
>
> But everything using the DLP cryptographically is derived from DH,
> since DH represents the realization that the DLP could be used in this
> manner.
That's like saying MARS is based on RC5 because it uses data dependant
rotations...
Tom
------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Better block cipher pre/post whiten step
Date: Sun, 22 Apr 2001 10:32:45 GMT
"Mok-Kong Shen" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
>
> Tom St Denis wrote:
> >
>
> > It's really simple. If you use a decorrelated function such as F(x) =
ax +
> > b (a,b are round keys a != 0) all in GF(2^W) then your entire cipher
would
> > be xor-linear.
> >
> > Which means an input difference of (a,b) -> (d,e) would hold with a
> > probability of 1 over all plaintexts, obviously not very random
behaviour.
> >
> > Not only that you can break a three round feistel build with this with
only
> > 2 plaintexts/ciphertexts.
> >
> > My idea is to hide the linearness behind the core cipher, and to hide
any
> > known biases of the core cipher (linear or differential) behind the
> > decorrelated functions.
>
> Sorry for one more questions: Would a rotation (static
> or dynamic) help in question of linearity?
The rotation must be data dependent and keyed for it to be non-linear.
Tom
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Better block cipher pre/post whiten step
Date: Sun, 22 Apr 2001 12:42:07 +0200
Tom St Denis wrote:
>
> The rotation must be data dependent and keyed for it to be non-linear.
Yes. But isn't it very fine for improving the strength? (I
ignore the possible Hitachi patent issue).
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Crossposted-To: sci.crypt.random-numbers
Subject: Re: Note on combining PRNGs with the method of Wichmann and Hill
Date: Sun, 22 Apr 2001 12:49:49 +0200
Bryan Olson wrote:
>
[snip]
> You cannot justify a bogus result by restating it a
> different form. You've no evidence that one cannot break
> your scheme if he cannot solve the corresponding problem
> against Wichmann-Hill.
[snip]
I think that you are too much theory-oriented (I am not
against that). Wichmann and Hill (WH for short) has
the effect of producing more uniformity with practically
available not very uniform generators. That effect is
non-perfect but tends (in general) to be better when the
number of PRNGs increases. Now this effect is also
dependent on the quality of the PRNGs themselves.
If these are bad enough, then the result will also be
quite poor. So with WH one is not doing any 'perfect' job
anyway. Now given R1 = r1 + r2 mod 1, one achieves 'some'
uniformity. The same holds for R2 = r3 + r4 mod 1,
where I define r3 = c1*r1 and r4 = c2*r2. It is true
that r3 and r4 would be non-uniform if r1 and r2 were
perfectly uniform. But r1 and r2, being obtained in
practice, are more or less non-uniform from the outset.
r3 and r4 are in general worse PRNGs than the (also
non-perfect) r1 and r2. How much worse evidently depends,
among others, on the magnitude of c1 and c2. My opinion
is that small enough deviations from 1.0 of c1 and c2
would lead to deterioration of R2 (in comparison to R1)
that is practically negligible. Gladman strongly opposed
to that, saying that even slight deviations from the
original WH would give results that are 'very non-uniform'.
Currently Gladman and I are discussing directly via E-mail
to settle that issue, as I said in another follow-up. Now,
even if it turns out that statistical tests show the
'practical negligibility', you certain could claim that
that's not a 'proof' that is acceptable to you. You could
say that the tests are not sufficient, etc. etc. and that
these are empirical and not 'rigorous' in the sense of
theory, etc. etc. Yes, one can certainly maintain a very
strict theoretical spirit. But then please also consider
the question e.g. whether AES has a 'rigorous' theoretical
proof that it is unbreakable. (Anyway I am not aware
of one.) The multipliers c1, etc. are introduced to
make the scheme (as such) of pseudo-random number
generation somewhat more complicated, necessitating
the opponent to spend some more effort to work around
that. It it to be noted on the other hand that pseudo-random
number generation, if employed, is only A part of an
encryption scheme. It is not by itself THE defense
against the opponent. But it can generally be hoped that
any small 'complication' of any part of the whole encryption
scheme would contribute something (hopefully) in more than
'additive' way. Thus said, I like to propose that we make
a short pause currently till the private discussion between
Gladman and I comes to an end. For if I indeed turn out to
be wrong in that discussion, then it would have been an
unnecessary waste of effort (and bandwidth) if we continued
discussion at the current time point. In the other case
(I'll post the result of the private discussion in either
case), I should certainly very much appreciate further
discussions with you.
M. K. Shen
------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Better block cipher pre/post whiten step
Date: Sun, 22 Apr 2001 10:51:19 GMT
"Mok-Kong Shen" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
>
> Tom St Denis wrote:
> >
>
> > The rotation must be data dependent and keyed for it to be non-linear.
>
> Yes. But isn't it very fine for improving the strength? (I
> ignore the possible Hitachi patent issue).
My point is that with a single GF mult I destroy any chance of doing first
order attacks. Sure I could tack on 10 rounds of RC5 first then 16 rounds
of DES and finish with 10 rounds of CAST, but that isn't very elegant even
if it is secure.
Tom
------------------------------
Subject: Re: Why re-using the pad is not secure?
From: [EMAIL PROTECTED] (Leonard R. Budney)
Date: 22 Apr 2001 06:52:50 -0400
[EMAIL PROTECTED] (JPeschel) writes:
> [EMAIL PROTECTED] writes:
>
>> "In English, 'e' occurs about 14% of the time, 't' a little less than
>> 10%, etc." If you've memorized the commonest dozen letters in order,
>> then I agree the table can be dispensed with...
>
> I think you have other simple substitution ciphers in mind.
True. I meant any monoalphabetic substitution cipher. Now I've no idea
where I got the habit of calling them all "Caeser ciphers", though I
got it from somewhere. (quick net search) Apparently some sources do
call k-shift ciphers "caeser ciphers", even when k isn't 3. But thanks
for setting me straight.
Len.
--
"I am" is reportedly the shortest sentence in the English language.
Could it be that "I do" is the longest sentence?
------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Better block cipher pre/post whiten step
Date: Sun, 22 Apr 2001 10:54:57 GMT
"Scott Fluhrer" <[EMAIL PROTECTED]> wrote in message
news:9btsdj$mh$[EMAIL PROTECTED]...
>
> Tom St Denis <[EMAIL PROTECTED]> wrote in message
> news:e8gE6.15919$[EMAIL PROTECTED]...
> > Here's a neat idea. Instead of just xor-ing a key against the block
> > before/after the main core of the cipher (as in most modern ciphers) why
> not
> > use a pair-wise decorrelated function? Unlike COCONUT98 where the
> function
> > was put in the middle of the cipher you put it at the ends i.e
> Like most proposed ideas along the lines of "if we make this operation
more
> expensive, the cipher looks stronger", it presumes the wrong question.
The
> question isn't "how can we make a cipher that is as strong as possible",
> because essentially we already know how to do that -- as Rivest put it,
1000
> rounds of just about anything is usually pretty secure. Instead, the
> interesting question is "how can we make a cipher that is as cheap as
> possible, and still be secure" (where cheap is defined by the usage --
> possibly the number of cycles per byte encrypted, or the memory footprint,
> or the complexity of the software, or the number of transistors used in a
> hardware implementation, or hardware throughput or the key agility, to
give
> a partial list). This is the interesting question because if we do not
> insist on "cheap", we already know the answer.
Ah although a GF mult is somewhat slow it does have provable benefits.
> Hence, the question to answer really is "does this operation allow us to
> remove enough rounds from the core block cipher so that we have an overall
> gain in at least some area". Now, that would obviously depend greatly on
> the exact construction of the core block cipher. However, it doesn't look
> good (unless the round function uses GF/2 multiplications internally,
where
> the below really doesn't apply):
>
> - In terms of memory footprint, going GF/2 multiplications cost memory,
> especially if we go after large table driven approaches (which also chew
up
> cache space).
>
> - In terms of complexity of software, doing GF/2 multiplications are
> considerably more complex than increasing an iteration counter, or
> duplicating some lines if the iterations are unrolled.
>
> - In terms of transistors, well, if you're doing a low-transistor version
> that have just one round hardware, putting in GF/2 multiplications is
> obviously increases the minimal transistor count.
>
> In contrast, traditional pre- and post-whitening are almost free (just an
> xor), and often give you the effect of an additional round or so -- that's
> why the idea is so popular.
Ahh but my idea makes diff/linear attacks (first order) impossible. I think
that should be a bit more popular.
The core cipher doesn't have to be good, if you look at my TC11 I just use a
two-layer 2-PHT and fixed rotations as the core cipher. As long as the GF
mults don't commute from one end to another the concept is secure. In the
case of my TC11 (see below) cipher the core cipher is very fast and the GF
mults can be sped up using 32kb of tables.... this cipher would be faster
than probably a slew of commonly known ciphers.
Note: My TC11 is a toy cipher. Anyone else reading this should be advised
of that.
Tom
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Better block cipher pre/post whiten step
Date: Sun, 22 Apr 2001 13:06:12 +0200
Tom St Denis wrote:
>
> "Mok-Kong Shen" <[EMAIL PROTECTED]> wrote:
> >
> >
> > Tom St Denis wrote:
> > >
> >
> > > The rotation must be data dependent and keyed for it to be non-linear.
> >
> > Yes. But isn't it very fine for improving the strength? (I
> > ignore the possible Hitachi patent issue).
>
> My point is that with a single GF mult I destroy any chance of doing first
> order attacks. Sure I could tack on 10 rounds of RC5 first then 16 rounds
> of DES and finish with 10 rounds of CAST, but that isn't very elegant even
> if it is secure.
What I meant is that rotation is very cheap and can be
advantageously employed.
M. K. Shen
------------------------------
Date: 22 Apr 2001 11:15:29 -0000
From: "Szopa Swings Again"@anon.lcs.mit.edu, [EMAIL PROTECTED]
Subject: Re: XOR TextBox Freeware: Very Lousy.
Crossposted-To: talk.politics.crypto,alt.hacker
On Sun, 22 Apr 2001, Anthony Stephen Szopa <[EMAIL PROTECTED]> drooled:
. . And drooled . . .
. . And drooled . . .
------------------------------
Subject: Re: Cryptanalysis Question: Determing The Algorithm?
From: [EMAIL PROTECTED] (Leonard R. Budney)
Date: 22 Apr 2001 07:30:37 -0400
[EMAIL PROTECTED] (JPeschel) writes:
>> The NSA no doubt has a bestiary of bad ciphers, including all hand
>> ciphers, where the effort of breaking is so trivial that they could
>> simply run a random message through all of them by brute-force, and
>> they probably succeed most of the time.
You got me again--I was abusing the term "brute force". I didn't mean
brute-forcing the keys; I meant brute-forcing the algorithms. In other
words, I conjectured that the NSA can triage a random ciphertext by
feeding it to a fully automated process which, if it's anything stupid
like a hand cipher, or any of hundreds of well-known algorithms, will
crack it immediately.
That's "brute force" to a CS person, not to a cryptanalyst. The cracks
employed by such a system would not be brute force at all, as the above
apparently implied.
> Why would the NSA, or, for that matter, any serious cryptanalyst,
> brute-force hand ciphers?
Indeed. Why would a serious cryptanalyst even think about hand ciphers
today--except maybe as recreation? Your point is my point, too.
My apologies,
Len.
--
Frugal Tip #43:
Invent something like the Internet, only much, much better, and collect
the royalties.
------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Better block cipher pre/post whiten step
Date: Sun, 22 Apr 2001 11:36:10 GMT
"Mok-Kong Shen" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
>
> Tom St Denis wrote:
> >
> > "Mok-Kong Shen" <[EMAIL PROTECTED]> wrote:
> > >
> > >
> > > Tom St Denis wrote:
> > > >
> > >
> > > > The rotation must be data dependent and keyed for it to be
non-linear.
> > >
> > > Yes. But isn't it very fine for improving the strength? (I
> > > ignore the possible Hitachi patent issue).
> >
> > My point is that with a single GF mult I destroy any chance of doing
first
> > order attacks. Sure I could tack on 10 rounds of RC5 first then 16
rounds
> > of DES and finish with 10 rounds of CAST, but that isn't very elegant
even
> > if it is secure.
>
> What I meant is that rotation is very cheap and can be
> advantageously employed.
A single data dependent rotation is not very secure against differential
cryptanalysis (i.e 27/32 ofthe time their is no rotation). In the case of
RC5 the attacker is trying to avoid a difference in the lower bits anyways
so their attack will go straight through that.
Maybe I am not clear, the point of the GF mult is not as a "tack-on" adhoc
design, it will make the cipher provably (...but opens doors to other
attacks...) resilient to diff and linear cryptanalysis.
You could take eight round DES and make it secure from diff and linear
attacks by tacking these on.... etc..
Tom
------------------------------
From: "Thomas J. Boschloo" <[EMAIL PROTECTED]>
Subject: Re: Will this defeat keyloggers ?
Date: Sun, 22 Apr 2001 13:49:55 +0200
=====BEGIN PGP SIGNED MESSAGE=====
Lyalc wrote:
>
> Not necessarily.
> Attacks that capture the screen image around the click site (e.g. as a BMP)
> as send the off already exist.
The 'key' or whatever 'logger' could also do some character recognition
in it's code, resulting in a much smaller log file.
An approach that might work (and is being worked on AFAIK), is to use a
smart card which will respond to challenges and server software that
never asks the same challenge twice (like including a system date in
Zulu/GMT time).
Hi,
Thomas
=====BEGIN PGP SIGNATURE=====
Version: PGPfreeware 5.5.3i for non-commercial use <http://www.pgpi.com>
iQB5AwUBOuK3UAEP2l8iXKAJAQGJEgMgshPeV7+NVBE6LOcNUOOBuE/gbb67fF7g
T1rwaaPpDPEGV18E9hdgb/fA8uQO3fcBuRkF/46Kc6+zGpRu6RRIDLCW5y7ebtpg
mFDg8BzlxjX5RUYxGwwmCn7+vVSS7c5c12b6aw==
=ONaG
=====END PGP SIGNATURE=====
--
EWD 1969 - "Program testing can be used to show the presence of bugs,
but never to show their absence"
------------------------------
From: Pille2 <[EMAIL PROTECTED]>
Subject: basics of cryptography
Date: Sun, 22 Apr 2001 15:15:09 +0200
Hi!
I�m writing a text about the basics of cryptography: In this work simple
encryption methods are explained etc.
Perhaps an easy question but how do i calculate the number of possibilities
that exist for the encryption of a char. For example in the vigenere cipher.
How do i calculate the possibilities for monoalphabetic and polyalphabetic
ciphers or is there no difference?
Sorry if the question is too stupid
Philipp
------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: basics of cryptography
Date: Sun, 22 Apr 2001 12:23:41 GMT
"Pille2" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Hi!
> I�m writing a text about the basics of cryptography: In this work simple
> encryption methods are explained etc.
> Perhaps an easy question but how do i calculate the number of
possibilities
> that exist for the encryption of a char. For example in the vigenere
cipher.
> How do i calculate the possibilities for monoalphabetic and polyalphabetic
> ciphers or is there no difference?
>
> Sorry if the question is too stupid
Just not thought threw.
In a monoalphabetic you sub one letter for another. So if you have N
letters there are N! ways to create the required permutation.
etc..
Hmm perhaps you should **read** some texts before writting one. I tried to
start a book on block ciphers and quickly got swamped with "what the heck is
that letter thingy!".
Tom
------------------------------
From: Pille2 <[EMAIL PROTECTED]>
Subject: Re: basics of cryptography
Date: Sun, 22 Apr 2001 15:30:10 +0200
> Hmm perhaps you should **read** some texts before writting one. I tried to
> start a book on block ciphers and quickly got swamped with "what the heck is
> that letter thingy!".
I did and i�m not as stupid as it seems at least i think i�m not :)
But nevertheless in none of these texts it is explained how i calculate the
mentioned possibilities. I know what monoalphabetic and polyalphabetic is
that was�nt my question.
nevertheless thx for your answer
Philipp
------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: basics of cryptography
Date: Sun, 22 Apr 2001 12:58:30 GMT
"Pille2" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> > Hmm perhaps you should **read** some texts before writting one. I tried
to
> > start a book on block ciphers and quickly got swamped with "what the
heck is
> > that letter thingy!".
>
> I did and i�m not as stupid as it seems at least i think i�m not :)
> But nevertheless in none of these texts it is explained how i calculate
the
> mentioned possibilities. I know what monoalphabetic and polyalphabetic is
> that was�nt my question.
> nevertheless thx for your answer
<valey girl slang>Like Whatever.</valey girl slang>
Anyone who says "books ain't got no answers" then says "I want to write one"
is either ignorant or a retard. Which one are you?
And anything is possible the word you want is "probable". i.e "How
probrable is....". Seriously read some papers or texts on the subject. You
can get quite a bit of free info on the web if you use this new fangled
thing called a *****SEARCH ENGINE*****.
Tom
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************
