Cryptography-Digest Digest #202, Volume #14      Sat, 21 Apr 01 19:13:00 EDT

Contents:
  Re: Why re-using the pad is not secure? (Leonard R. Budney)
  Re: Will this defeat keyloggers ? (Nemo psj)
  Re: Cryptanalysis Question: Determing The Algorithm? (JPeschel)
  Re: Why re-using the pad is not secure? (Samuel Paik)
  Re: Why re-using the pad is not secure? ("Tom St Denis")
  Re: Note on combining PRNGs with the method of Wichmann and Hill ("Brian Gladman")
  Re: Censorship Threat at Information Hiding Workshop (Jim D)
  Re: First cipher (David Wagner)
  Re: Note on combining PRNGs with the method of Wichmann and Hill ("Bryan Olson")
  Re: Why re-using the pad is not secure? (newbie)
  Re: Note on combining PRNGs with the method of Wichmann and Hill ("Brian Gladman")
  Re: Why re-using the pad is not secure? ("Scott Fluhrer")
  Re: Why re-using the pad is not secure? ("Tom St Denis")
  Re: Why re-using the pad is not secure? ("Scott Fluhrer")

----------------------------------------------------------------------------

Subject: Re: Why re-using the pad is not secure?
From: [EMAIL PROTECTED] (Leonard R. Budney)
Date: 21 Apr 2001 16:12:02 -0400

"Tom St Denis" <[EMAIL PROTECTED]> writes:

> "newbie" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> >
> > E(i) = P(i) Xor k(i)
> > E'(i)= P'(i) Xor k(i)
> >
> > How could I solve this trivial problem?
> 
> You guess k(i) values and see, for all known E values, if the key makes
> sense.

Nope. There's a simpler way. Just XOR E(i) and E'(i). Since 1 XOR 1
equals 0, and 0 XOR anything is itself, and XOR is both associative and
commutative, we have:

 E(i) Xor E'(i) = (P(i) Xor k(i)) Xor (P'(i) Xor k(i))
                =  P(i) Xor k(i)  Xor  P'(i) Xor k(i)
                =  P(i) Xor P'(i) Xor   k(i) Xor k(i)
                =  P(i) Xor P'(i) Xor   0
                =  P(i) Xor P'(i)

So now we have the XOR of two plaintext messages. This is extremely easy
to separate into the original two messages, and as a freebie you can then
compute k(i) in case it gets used again.

Len.


-- 
Frugal Tip #51:
Instead of spending money on an extra blanket, turn up the heat at night.

------------------------------

From: [EMAIL PROTECTED] (Nemo psj)
Date: 21 Apr 2001 20:21:51 GMT
Subject: Re: Will this defeat keyloggers ?

The mouse clicks raise windows events just like keystrokes do.
So the logger might also log the mouse clicks.

And so what if it did? It wouldn't register the key, only the mouse click.

Here's another solution: when the mouse goes over the key on the keypad, the
letter in the button's caption disappears until the mouse is no longer over it.
In this way, even if the logger records BMPs of the button clicked, it wouldn't
be able to tell what key was pressed.

Solution achieved.

OK, now what if the keylogger saves the entire parent window, the actual keypad
itself? Well, you could have a timer: after one second of being over a key, all
the keys' captions are hidden, but after the mouse leaves the key all the
captions come back. In this way the parent-window save attack is also defeated.
Combine this with the random organize feature and you'll have a pretty
formidable keylogger-proof keypad.

------------------------------

From: [EMAIL PROTECTED] (JPeschel)
Date: 21 Apr 2001 20:30:09 GMT
Subject: Re: Cryptanalysis Question: Determing The Algorithm?

[EMAIL PROTECTED] writes:

>The NSA no doubt has a bestiary of bad ciphers, including all hand
>ciphers, where the effort of breaking is so trivial that they could
>simply run a random message through all of them by brute-force, and
>they probably succeed most of the time. 

Why would the NSA, or, for that matter, any serious cryptanalyst,
brute-force hand ciphers?

Joe
__________________________________________

Joe Peschel 
D.O.E. SysWorks                                 
http://members.aol.com/jpeschel/index.htm
__________________________________________


------------------------------

From: Samuel Paik <[EMAIL PROTECTED]>
Subject: Re: Why re-using the pad is not secure?
Date: Sat, 21 Apr 2001 20:59:18 GMT

newbie wrote:
> I tried to find out an answer, but all that cryptographers say is that
> it is not secure.
> 
> If I encrypt my message P(i) and P'(i) with the same OTP k(i), is there
> a way to find the key?
> 
> E(i) = P(i) Xor k(i)
> E'(i)= P'(i) Xor k(i)
> 
> Knowing : E(i) and E'(i)
>     and the equality k(i) = k(i)
> 
> I still have 3 unknowns: P(i), P'(i), k(i).
> How could I solve this trivial problem?

Not directly.  However, very typically P(i) xor P'(i) will have
interesting structure, and you can get that by E(i) xor E'(i).
-- 
Samuel S. Paik | [EMAIL PROTECTED]
3D and digital media, architecture and implementation

------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Why re-using the pad is not secure?
Date: Sat, 21 Apr 2001 21:00:21 GMT


"Leonard R. Budney" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> "Tom St Denis" <[EMAIL PROTECTED]> writes:
>
> > "newbie" <[EMAIL PROTECTED]> wrote in message
> > news:[EMAIL PROTECTED]...
> > >
> > > E(i) = P(i) Xor k(i)
> > > E'(i)= P'(i) Xor k(i)
> > >
> > > How could I solve this trivial problem?
> >
> > You guess k(i) values and see, for all known E values, if the key makes
> > sense.
>
> Nope. There's a simpler way. Just XOR E(i) and E'(i). Since 1 XOR 1
> equals 0, and 0 XOR anything is itself, and XOR is both associative and
> commutative, we have:
>
>  E(i) Xor E'(i) = (P(i) Xor k(i)) Xor (P'(i) Xor k(i))
>                 =  P(i) Xor k(i)  Xor  P'(i) Xor k(i)
>                 =  P(i) Xor P'(i) Xor   k(i) Xor k(i)
>                 =  P(i) Xor P'(i) Xor   0
>                 =  P(i) Xor P'(i)
>
> So now we have the XOR of two plaintext messages. This is extremely easy
> to separate into the original two messages, and as a freebie you can then
> compute k(i) in case it gets used again.

That's another way, but if I give you

1d 4f 1f 45 16 05 53 42 07 0a 19 16 00 00

which is the XOR of two 8-bit null-terminated ASCII messages.  Can you give
me the original plaintexts?

Tom



------------------------------

From: "Brian Gladman" <[EMAIL PROTECTED]>
Crossposted-To: sci.crypt.random-numbers
Subject: Re: Note on combining PRNGs with the method of Wichmann and Hill
Date: Sat, 21 Apr 2001 22:09:03 +0100

"Mok-Kong Shen" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...

[snip]
> > > Do you still dispute my claim that the variable (C), as defined above, has a
> > > non-uniform distribution on [0.0:1.0)?
> >
> > Do you claim that high-school math could exempt the
> > established practice of statistics?

No, but if something can be proved using high school maths without the need
for more advanced statistics then there is no need to resort to the latter.
Proofs should almost always be completed using the simplest techniques that
are capable of showing the result.  In this case inspecting the
distributions is easily sufficient without the need for more advanced
statistical tests.

> > You have already
> > used chi-square, but in a way that I would say is
> > totally unacceptable in practice. What do your previous
> > results show if you used, instead of confidence levels
> > of 0.50 and 0.75, the value 0.95?

The answer to your question is that any sensible confidence intervals will
show that the distribution is non-uniform.

I gave you the necessary chi-squared values - if you are too lazy to look up
the confidence intervals for yourself in a chi-squared table, don't expect
me to do it for you.

And I don't see any value in lessons on chi-squared 'standard practice' from
someone who is unable to see that a very non-uniform distribution is
non-uniform simply by inspecting it.

> Are the generators you used sufficiently random at all?

Yes. The practical PRNG demonstrations are in full agreement with the
analytically derived distributions [*].  Both theory and practice show that
the resulting distributions are non-uniform when both multipliers are close
to, but different from, 1.0.

I have answered your questions; now be good enough to answer mine:  "Do you
still dispute my claim that the variable (C), as previously described, is
distributed non-uniformly on [0.0:1.0)?"

    Brian Gladman

[*] for observers of this exchange: I have a PDF document showing a graph of
the analytically derived distributions that I will email to anyone who is
interested.




------------------------------

From: [EMAIL PROTECTED] (Jim D)
Subject: Re: Censorship Threat at Information Hiding Workshop
Date: Sat, 21 Apr 2001 19:39:10 GMT
Reply-To: Jim D

On Sat, 21 Apr 2001 14:22:55 +0200, Mok-Kong Shen <[EMAIL PROTECTED]>
wrote:

>
>
>Jonas wrote:
>> 
>> It seems the US record industry tries to prevent publication
>> of an academic paper next week at the Information Hiding
>> Workshop in Pittsburgh:
>> 
>>   http://cryptome.org/sdmi-attack.htm
>
>From this one couldn't help wondering whether there aren't 
>analogous situations where instead of the phrase 
>'commercial interest' there is 'national (security) interest'. 

These two are the same thing.

-- 
______________________________________________

Posted by Jim D.

jim @sideband.fsnet.co.uk
dynastic @cwcom.net

George Dubya Bushisms No 23:

 Families is where our nation finds hope,
 where wings take dream.
___________________________________

------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: First cipher
Date: 21 Apr 2001 21:41:43 GMT

>So, you can't learn how to write good ciphers by writing ciphers but you
>can learn good cryptanalysis by doing cryptanalysis ??  ;}

Yes, I think that's right.  (Sounds counter-intuitive, doesn't it?)

------------------------------

From: "nospam"@"nonsuch.org" ("Bryan Olson")
Crossposted-To: sci.crypt.random-numbers
Subject: Re: Note on combining PRNGs with the method of Wichmann and Hill
Date: Sat, 21 Apr 2001 21:56:14 GMT

Mok-Kong Shen wrote:
>
>Bryan Olson wrote:
>> 
>> Mok-Kong Shen wrote:

>> >Essential is my last sentence above. The quote from
>> >you mentioned 'uniform'. Actually the scheme of Wichmann
>> >and Hill is intended to get more uniform streams from
>> >not so uniform ones. So we couldn't, strictly speaking,
>> >argue about your quote (and hence your claimed
>> >'destruction') at all, since we don't have any 'exactly'
>> >'uniform' streams.
>> 
>> Nonsense.  Your note implies cryptographic use, not the
>> original intended use.
>
>I certainly imply crypto use. Otherwise I wouldn't have
>posted to this group. What's wrong that I introduced
>something that is in my view useful to crypto to the
>group? Could you clear exlain the point of yours here?
>I don't understand you.

You make no sense.  You argue the theorem seems less 
important based on Wichmann and Hill's intention, but that's 
irrelevant; you propose a different use.

>Since, as
>you also pointed out, Wichmann and Hill was originally
>not for crypto, why would one (in that situation) use his 
>scheme if one already had a uniform stream?

You need to take cryptography more seriously.  We can 
certainly produce apparently uniform streams. We cannot 
prove an attacker cannot distinguish them from uniform.


>About the 
>issue of deterioration of uniformity, we can wait for the 
>result of Brian Gladman, from which one will see whether 
>introducing multipliers with only small deviation from 
>1.0 shows up in the statistical tests. (Gladman claimed 
>the combination is very non-uniform.)

Slightly non-uniform is often enough to break a 
cryptosystem.

Also note that for cryptographic use, the "uniform" we need 
is not just the individual values. We want the entire 
sequence to appear to be drawn at random.  The defect 
Gladman pointed out is real, but it is only part of the 
problem.

[...]
>> >The original Wichmann and Hill scheme gives e.g.
>> >
>> >    R = r1 + r2 + r3   mod 1
>> >
>> >The modified one gives
>> >
>> >    R = c1*r1 + c2*r2 + c3*r3   mod 1
>> >
>> >What the opponent has is R. Assuming he had a method
>> >to get the components r1, r2 and r3 from R, he would
>> >have more difficulty to do in the second case, since
>> >the c1, c2 and c3 are unknown to him, isn't it?
>> 
>> Are you joking?  What is the justification for that
>> assumption?  Can you in general get the components from the
>> sum?  Can you in realistic cases?
>> 
>> If you are asked to compare schemes A and B, you can't
>> simply assume scheme A is broken and conclude scheme B looks
>> better.  Cryptosystems don't fall just because you assume
>> they do.
>> 
>> Still a completely bogus result.  No justification.
>
>If in the first case one can't obtain r1, r2, r3 from
>R, then all is very well.

All is well with Wichmann-Hill.  The R value is different
in your scheme, and yours can still fall.

>It follows that one also can't
>obtain c1*r1 etc. and hence r1 etc.

You cannot justify a bogus result by restating it a 
different form.  You've no evidence that one cannot break 
your scheme if he cannot solve the corresponding problem 
against Wichmann-Hill.

>If, to take an
>extreme case, he knows for one value of R the corresponding
>values of r1 and r2, he can determine r3 in the first
>scheme but not in the second scheme (assuming c1 etc.
>are unknown). Isn't that clear?

He may or may not be able to in the second scheme.  But that 
still proves nothing about the relative security of your 
scheme.

[...]
>> >Partly covered above. For the rest: See my follow-up
>> >to Brian Gladman, who claimed essentially the same as
>> >you but in a more concrete way. I have asked him to redo
>> >his chi-square tests and present the results.
>> 
>> You were the advocate of that particular test.  Where are
>> your results?
>
>Not MY results. His results! Unfortunately his results
>did not conform to common practice in statistics. I 
>therefore asked him to revise his experiments.

That's the point: you have no results.  Your arguments are 
nonsense, your conclusions are fabricated.  Where are your 
tests?  Where's the justification for your scheme being 
secure if the Wichmann and Hill scheme is unpredictable?


>> >As said
>> >there, I never exclude the possibility of my making
>> >blunders, anywhere, anytime. But I want to see concrete
>> >refutations rather than fuzzy categorical claims of
>> >my being wrong without any accompanying supporting
>> >materials.
>> 
>> Utter hypocrisy.  Your claims have only nonsense behind
>> them.  There's nothing fuzzy in the theorems we can show
>> about Wichmann- Hill.
>
>I like to use this opportunity to once again ask Brian
>Gladman to present to us his revised results, helping
>to settle the dispute.

Gladman has produced reasonable justification for his claims 
already.  You have not.


--Bryan

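The two claims argued over above can be checked numerically: Olson's point that R = r1 + r2 + r3 mod 1 is uniform whenever any one term is exactly uniform, and Gladman's point that scaling the terms by multipliers c1, c2, c3 different from 1.0 breaks that. The script below is an added example, not code posted by any participant. It assumes the idealised model in which each r_i is independent and uniform on [0,1) (real Wichmann-Hill inputs are LCG outputs, so this isolates the effect of the multipliers only), uses a 200-bin histogram approximation in which each term is quantised to its bin before summing, and picks 1.1, 1.05 and 0.95 as illustrative multipliers; it reports the largest relative deviation of the bin masses from uniform rather than asserting any particular size for it.

```python
from __future__ import annotations

import math

# Added example, not code posted in the thread. Idealised model: each r_i is
# independent and uniform on [0,1); a 200-bin histogram approximates densities,
# with each term quantised to its bin before summing. Multipliers used below
# are illustrative choices, picked so that c - 1 falls on a bin boundary.
N = 200


def scaled_density(c: float, n: int = N) -> list[float]:
    """Bin masses of (c * r) mod 1 for r uniform on [0,1) and c > 0.
    c*r ranges over [0, c) with density 1/c; reducing mod 1 stacks
    ceil(c - x) copies of that density on the point x (0 copies where
    x >= c, which happens for c < 1). For integer c every x gets the
    same count, so the result is exactly uniform."""
    mass = []
    for i in range(n):
        x = (i + 0.5) / n                      # bin midpoint
        copies = max(0, math.ceil(c - x))
        mass.append(copies / c / n)
    return mass


def combine_mod1(*terms: list[float]) -> list[float]:
    """Distribution of (X_1 + ... + X_m) mod 1 for independent X_i given as
    bin masses: the circular convolution of the mass vectors."""
    result = list(terms[0])
    for m in terms[1:]:
        n = len(result)
        conv = [0.0] * n
        for i, a in enumerate(result):
            if a == 0.0:
                continue
            for j, b in enumerate(m):
                conv[(i + j) % n] += a * b
        result = conv
    return result


def max_rel_deviation(mass: list[float]) -> float:
    """Largest |mass * N - 1|: 0 for a perfectly uniform histogram."""
    n = len(mass)
    return max(abs(p * n - 1.0) for p in mass)


def wichmann_hill_density(c1: float, c2: float, c3: float) -> list[float]:
    """Histogram of R = c1*r1 + c2*r2 + c3*r3 mod 1, the scheme under
    discussion; c1 = c2 = c3 = 1 is the original Wichmann-Hill combiner."""
    return combine_mod1(scaled_density(c1), scaled_density(c2), scaled_density(c3))


if __name__ == "__main__":
    for cs in [(1.0, 1.0, 1.0),      # original combiner: uniform
               (1.0, 1.1, 1.05),     # one exactly uniform term: still uniform
               (1.1, 1.05, 0.95),    # all three scaled: not uniform
               (1.5, 1.25, 0.75)]:   # multipliers further from 1.0
        dev = max_rel_deviation(wichmann_hill_density(*cs))
        print(f"c = {cs}: max relative deviation from uniform = {dev:.2e}")
```

The sum of independent terms mod 1 has the circular convolution of the terms' distributions, and convolving anything with the uniform distribution gives the uniform distribution back, so the (1.0, 1.1, 1.05) case comes out flat to rounding error while (1.1, 1.05, 0.95) does not. A chi-square test on real generator output is the empirical counterpart of this calculation; the size of the deviation printed here is a guide to how many samples such a test needs before it can see the effect.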
------------------------------

From: newbie <[EMAIL PROTECTED]>
Subject: Re: Why re-using the pad is not secure?
Date: Sat, 21 Apr 2001 18:15:19 -0300

Let's suppose that I know P'(i), but I do not know k(i) and P(i).
If I know it, the solution is easy.


newbie wrote:
> 
> I tried to find out an answer, but all that cryptographers say is that
> it is not secure.
> 
> If I encrypt my message P(i) and P'(i) with the same OTP k(i), is there
> a way to find the key?
> 
> E(i) = P(i) Xor k(i)
> E'(i)= P'(i) Xor k(i)
> 
> Knowing : E(i) and E'(i)
>     and the equality k(i) = k(i)
> 
> I still have 3 unknowns: P(i), P'(i), k(i).
> How could I solve this trivial problem?
> It is my last question.
> I apologize for my annoying posts.
> 
> Thank you for help.

------------------------------

From: "Brian Gladman" <[EMAIL PROTECTED]>
Subject: Re: Note on combining PRNGs with the method of Wichmann and Hill
Date: Sat, 21 Apr 2001 23:38:04 +0100


"Brian Gladman" <[EMAIL PROTECTED]> wrote in message
news:GznE6.31207$I5.149947@stones...
> "Mok-Kong Shen" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
>
> [snip]
> The attached PDF compares my theoretical results with those obtained from
> the experimental PRNG trials.  As you can see, there is a good agreement
> between theory and practice.
>
> You should now be in no doubt that you are wrong about the uniformity of
> this distribution.

My apologies for this posting with a PDF attachment - this was a mistake on
my part since it was intended to be a direct email rather than a posting.

     Brian Gladman




------------------------------

From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Subject: Re: Why re-using the pad is not secure?
Date: Sat, 21 Apr 2001 15:32:39 -0700


Tom St Denis <[EMAIL PROTECTED]> wrote in message
news:FxmE6.20603$[EMAIL PROTECTED]...
>
> "Leonard R. Budney" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > "Tom St Denis" <[EMAIL PROTECTED]> writes:
> >
> > > "newbie" <[EMAIL PROTECTED]> wrote in message
> > > news:[EMAIL PROTECTED]...
> > > >
> > > > E(i) = P(i) Xor k(i)
> > > > E'(i)= P'(i) Xor k(i)
> > > >
> > > > How could I solve this trivial problem?
> > >
> > > You guess k(i) values and see, for all known E values, if the key
> > > makes sense.
> >
> > Nope. There's a simpler way. Just XOR E(i) and E'(i). Since 1 XOR 1
> > equals 0, and 0 XOR anything is itself, and XOR is both associative and
> > commutative, we have:
> >
> >  E(i) Xor E'(i) = (P(i) Xor k(i)) Xor (P'(i) Xor k(i))
> >                 =  P(i) Xor k(i)  Xor  P'(i) Xor k(i)
> >                 =  P(i) Xor P'(i) Xor   k(i) Xor k(i)
> >                 =  P(i) Xor P'(i) Xor   0
> >                 =  P(i) Xor P'(i)
> >
> > So now we have the XOR of two plaintext messages. This is extremely easy
> > to separate into the original two messages, and as a freebie you can then
> > compute k(i) in case it gets used again.
>
> That's another way, but if I give you
>
> 1d 4f 1f 45 16 05 53 42 07 0a 19 16 00 00
>
> which is the XOR of two 8-bit null-terminated ASCII messages.  Can you give
> me the original plaintexts?

"Tom was here"
"I read books"

Does this answer the argument?

--
poncho




------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Why re-using the pad is not secure?
Date: Sat, 21 Apr 2001 22:47:47 GMT


"Scott Fluhrer" <[EMAIL PROTECTED]> wrote in message
news:9bt2ec$6j3$[EMAIL PROTECTED]...
>
> Tom St Denis <[EMAIL PROTECTED]> wrote in message
> news:FxmE6.20603$[EMAIL PROTECTED]...
> >
> > "Leonard R. Budney" <[EMAIL PROTECTED]> wrote in message
> > news:[EMAIL PROTECTED]...
> > > "Tom St Denis" <[EMAIL PROTECTED]> writes:
> > >
> > > > "newbie" <[EMAIL PROTECTED]> wrote in message
> > > > news:[EMAIL PROTECTED]...
> > > > >
> > > > > E(i) = P(i) Xor k(i)
> > > > > E'(i)= P'(i) Xor k(i)
> > > > >
> > > > > How could I solve this trivial problem?
> > > >
> > > > You guess k(i) values and see, for all known E values, if the key
> > > > makes sense.
> > >
> > > Nope. There's a simpler way. Just XOR E(i) and E'(i). Since 1 XOR 1
> > > equals 0, and 0 XOR anything is itself, and XOR is both associative and
> > > commutative, we have:
> > >
> > >  E(i) Xor E'(i) = (P(i) Xor k(i)) Xor (P'(i) Xor k(i))
> > >                 =  P(i) Xor k(i)  Xor  P'(i) Xor k(i)
> > >                 =  P(i) Xor P'(i) Xor   k(i) Xor k(i)
> > >                 =  P(i) Xor P'(i) Xor   0
> > >                 =  P(i) Xor P'(i)
> > >
> > > So now we have the XOR of two plaintext messages. This is extremely easy
> > > to separate into the original two messages, and as a freebie you can then
> > > compute k(i) in case it gets used again.
> >
> > That's another way, but if I give you
> >
> > 1d 4f 1f 45 16 05 53 42 07 0a 19 16 00 00
> >
> > which is the XOR of two 8-bit null-terminated ASCII messages.  Can you give
> > me the original plaintexts?
>
> "Tom was here"
> "I read books"
>
> Does this answer the argument?

Keen, how did you do that?  Just trial and error?

Tom



------------------------------

From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Subject: Re: Why re-using the pad is not secure?
Date: Sat, 21 Apr 2001 15:37:18 -0700


newbie <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Let suppose that I know P'(i). But I do not know k(i) and P(i).
> If I know it the solution is easy.

If you know P'(i) and E'(i), then you know k(i).  If you know k(i) and E(i),
you know P(i).  Problem solved.

It is only slightly nontrivial if you only know E(i) and E'(i).  Then you
have to rely on plaintext statistics to figure them out.

>
> newbie wrote:
> >
> > I tried to find out an answer, but all that cryptographers say is that
> > it is not secure.
> >
> > If I encrypt my message P(i) and P'(i) with the same OTP k(i), is there
> > a way to find the key?
> >
> > E(i) = P(i) Xor k(i)
> > E'(i)= P'(i) Xor k(i)
> >
> > Knowing : E(i) and E'(i)
> >     and the equality k(i) = k(i)
> >
> > I still have 3 unknowns: P(i), P'(i), k(i).
> > How could I solve this trivial problem?
> > It is my last question.
> > I apologize for my annoying posts.
> >
> > Thank you for help.



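The whole exchange above, as an added worked example that is not code from any poster: Budney's cancellation E xor E' = P xor P', the 14-byte XOR Tom St Denis posted, Fluhrer's two plaintexts, and the "plaintext statistics" Fluhrer says you have to rely on when only E(i) and E'(i) are known. The pad K and the two ciphertexts are constructed here so the script runs on its own; the messages are null-terminated and padded to 14 bytes so that their XOR is exactly the posted value. The crib "books" is an assumed guess of the kind an attacker would try, and the filter for what "looks like text" is a deliberately crude model.

```python
from __future__ import annotations

# Added example, not code posted in the thread. The 14-byte XOR below is the
# value Tom St Denis posted; the pad K is constructed here (any 14 bytes would
# do) so that the script runs stand-alone.
XORED_HEX = "1d 4f 1f 45 16 05 53 42 07 0a 19 16 00 00"
K = bytes.fromhex("a3f10c7e9b2d55e0418a33c76f12")     # constructed pad, reused twice
P1 = b"Tom was here\x00\x00"                          # Fluhrer's two messages,
P2 = b"I read books\x00\x00"                          # null-terminated, padded to 14

ALLOWED_PUNCT = set(b" .,'!?")


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


# One-time-pad encryption and decryption are the same XOR.
E1 = xor_bytes(P1, K)
E2 = xor_bytes(P2, K)


def two_time_pad_leak(e1: bytes, e2: bytes) -> bytes:
    """E xor E' = (P xor k) xor (P' xor k) = P xor P': the pad cancels."""
    return xor_bytes(e1, e2)


def is_ascii_letter(b: int) -> bool:
    return 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A


def space_heuristic(x: bytes) -> list[tuple[int, str]]:
    """Positions where P xor P' is itself an ASCII letter. Two letters of the
    same case XOR to a value below 0x20, so a letter in the XOR almost always
    means one message has a space (0x20) there and the other has that letter
    with bit 5 toggled. Returns (position, letter) with the case normalised."""
    return [(i, chr(b ^ 0x20).lower()) for i, b in enumerate(x) if is_ascii_letter(b)]


def looks_like_text(s: bytes) -> bool:
    """Crude plaintext model: letters, a few punctuation marks, NUL terminator."""
    return all(is_ascii_letter(b) or b in ALLOWED_PUNCT or b == 0 for b in s)


def crib_drag(x: bytes, crib: bytes) -> list[tuple[int, bytes]]:
    """Slide a guessed fragment of one message along P xor P'. At the true
    offset the XOR reveals the other message's bytes; offsets that produce
    non-text are discarded. Survivors are judged by eye and extended."""
    hits = []
    for off in range(len(x) - len(crib) + 1):
        other = xor_bytes(x[off:off + len(crib)], crib)
        if looks_like_text(other):
            hits.append((off, other))
    return hits


def recover_other(x: bytes, known: bytes) -> bytes:
    """With one message fully known or guessed, the other is x xor known."""
    return xor_bytes(x, known)


def recover_pad(e: bytes, p: bytes) -> bytes:
    """k = E xor P, the 'freebie' that also breaks any later reuse of k."""
    return xor_bytes(e, p)


if __name__ == "__main__":
    x = two_time_pad_leak(E1, E2)
    print("P xor P'      :", x.hex(" "))
    print("space/letter  :", space_heuristic(x))
    for off, other in crib_drag(x, b"books"):
        print(f"'books' at {off:2d} -> other message has {other!r}")
    print("other message :", recover_other(x, P1))
    print("pad recovered :", recover_pad(E1, P1) == K == recover_pad(E2, P2))
```

Running it shows that positions 1, 3, 6 and 7 of the posted XOR are ASCII letters, so one message has a space at each of those positions and the other has o, e, s and b there; dragging "books" through the XOR yields " here" at offset 7 plus one junk candidate that a reader rejects on sight, and from there the rest is filled in word by word. Once one plaintext is complete, the other is P xor (P xor P') and the pad is E xor P, which is why Budney calls the key a freebie.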
------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
