Cryptography-Digest Digest #212, Volume #14      Mon, 23 Apr 01 01:13:01 EDT

Contents:
  Re: OTP WAS BROKEN!!! ("zkn3")
  Re: OTP WAS BROKEN!!! ("Tom St Denis")
  Re: OTP WAS BROKEN!!! ("Alexis Machado")
  Re: OTP WAS BROKEN!!! (nugatory)
  1024bit RSA keys. how safe are they? ("George T.")
  Re: Steganography with natural texts (Benjamin Goldberg)
  Re: OTP WAS BROKEN!!! ("Scott Fluhrer")
  Re: 1024bit RSA keys. how safe are they? ("Tom St Denis")
  Generating primes by incremental search (David Hopwood)
  Re: Hash function (Rob Warnock)
  Re: PRNG quality (Rob Warnock)
  Re: research on polymorphic crypto/Best Possible Privacy? ("Shea J. Hawes")
  Re: OTP WAS BROKEN!!! (John Savard)
  Re: ancient secret writing ("Douglas A. Gwyn")
  Re: XOR TextBox Freeware:  Very Lousy. (Rob Warnock)
  Re: Censorship Threat at Information Hiding Workshop ("Douglas A. Gwyn")
  Re: OTP WAS BROKEN!!! ("Douglas A. Gwyn")
  Re: OTP WAS BROKEN!!! ("Douglas A. Gwyn")
  Re: research on polymorphic crypto/Best Possible Privacy? ("Mark G Wolf")

----------------------------------------------------------------------------

From: "zkn3" <[EMAIL PROTECTED]>
Subject: Re: OTP WAS BROKEN!!!
Date: Mon, 23 Apr 2001 02:58:24 GMT

Small point: I believe infinity squared is still aleph-null, hence, not
larger.
-Z.N.

"Ben Cantrick" <[EMAIL PROTECTED]> wrote in message
news:9c01vj$[EMAIL PROTECTED]...
> In article <[EMAIL PROTECTED]>,
> newbie  <[EMAIL PROTECTED]> wrote:
> >I'm not talking about random or non random. You just have to read.
> >Nothing more than that. You are inventing what I said.
> >
> >I NEVER SAID THAT!!!!!!!!!!!!
> >
> >
> >You say "well it looks non-random so it must be the solution".
> >> You fail to recognize that the number of non-random plaintexts is
> >> astronomical....
> >
> >THE NUMBER OF MESSAGES WHICH HAVE A SENSE IS INFINITESIMAL COMPARED TO
> >THOSE WHICH DO NOT HAVE A SENSE!!!!!!!!!!!!!!!!!!!
>
>   Infinity squared is bigger than infinity, but it's still impossible
> to pick the correct message out of an infinite number of equiprobable
> choices.
>
>   Must I rub your nose in your own stupidity by posting an OTP encrypted
> messaged and then asking you to crack it?
>
>
>           -Ben
> --
> Ben Cantrick ([EMAIL PROTECTED])        |   Yes, the AnimEigo BGC dubs still suck.
> BGC Nukem:     http://www.dim.com/~mackys/bgcnukem.html
> The Spamdogs:  http://www.dim.com/~mackys/spamdogs
> Advanced Supersonic Titanium Nazi Hell Creatures from beneath the hollow earth!



------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: OTP WAS BROKEN!!!
Date: Mon, 23 Apr 2001 03:08:58 GMT


"zkn3" <[EMAIL PROTECTED]> wrote in message
news:kTME6.184282$[EMAIL PROTECTED]...
> Small point: I believe infinity squared is still aleph-null, hence, not
> larger.

Since infinity is not a number and doesn't represent one you can't exactly
square it.

It's like saying "really big"**2.  Infinity is just a concept if anything at
all.

afaik... from the calc classes I have taken it's a concept as in "as x
approaches zero/infinity blah blah blah".

Of course I will most likely get flamed by this post.  Oh well.

Tom



------------------------------

From: "Alexis Machado" <[EMAIL PROTECTED]>
Subject: Re: OTP WAS BROKEN!!!
Date: Mon, 23 Apr 2001 00:19:56 -0300
Reply-To: "Alexis Machado" <[EMAIL PROTECTED]>


"newbie" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Let me just say that :
>
> If you re-use OTP, it is then easy to break it.

The pad reuse was only *an example* of how the attacker can say P(Ki) !=
1/2.
A defect in the key generator could give this extra information too.

You must concentrate on the fact I proved :
    P(Ki) = 1/2  =>  P(Mi) = 1/2
To be valid, your method must contradict this.

> I suppose a key k'.
>
> I use this key to encipher a text that I know for sure.
>
> C = P Xor k
>
> C' = P' Xor k'

In the previous post you called the plaintext "M". Please keep the same
nomenclature to avoid confusion.

> If k' = k, k' Xor k = 0 that means that I re-used the key k to encipher
> C'. It is like if I reuse OTP twice.
> The solution is easy. And P is text that has a sense.
>
> But, if k' is different from k => C' Xor C = (P Xor k) Xor (P' Xor k') =
> (k' Xor k) Xor (P Xor P')
>
> I know P' and I do know P and k.

I'm assuming you *don't* know P and k ...

> C' Xor C Xor P' = P Xor ( k Xor K')
>
> I know C' Xor C Xor P'.
> I know that k' Xor k is random. It is like if I have a new random key "z"
> C' Xor C Xor P' = P Xor z
> The probability that P Xor z has a sense is infinitesimal.
>
> How do I select my messages?
>
> Using a criterion of "sense".
> If k'=k I'm sure that the result of C' Xor C Xor P' is a text that has
> a sense and that is nothing more than P. OTP is broken.
> If k' is different from k, I'm quite sure because of the randomness of z =
> k' Xor K that it is a bit-string that does not have a sense. The probability
> that any text Xored with random gives you as result a bit-string that
> has a sense is infinitesimal.
>
> You have now the proof that OTP could be broken.

No, if K is random and independent of K' you have the same problem again :
For the attacker
    Z = (K' xor K)  is a new random key
    C'' = (C' xor C xor P')  is known
    P is unknown
and
    C'' = P xor Z

---
Alexis




------------------------------

From: nugatory <[EMAIL PROTECTED]>
Subject: Re: OTP WAS BROKEN!!!
Date: Mon, 23 Apr 2001 03:13:02 GMT

newbie wrote:
> 
> What it makes me angry is that no one has read carefully my proof.
> Take the time to read carefully what I wrote and then you may ask me if
> you need some precisions.
> I know that my english is not fully correct.
> But, please read my proof.

Many posters (including me) have.  The problem is that
you haven't addressed the basic strength of the OTP.

Suppose that you are a military cryptanalyst trying to find
out whether the enemy plans to attack your army in the rear
or on the left flank.  You get a copy of the enemy commander's
orders.  The message is:
7a 70 71 63 66 69 65 6e 75 72 6a 64 38 6d 6e 79 2b 2b

If the enemy commander used the key:
3b 04 05 02 05 02 45 07 1b 52 1e 0c 5d 4d 1c 1c 4a 59

then the message is "Attack in the rear".  However, if
the enemy commander used the key:
3b 04 05 02 05 02 45 01 1b 52 1e 0c 5d 4d 02 1c 4d 5f

then the message is "Attack on the left".

So which is it?  There is no way to tell, and that is the
basic strength of the OTP.  Of course, if the enemy would
obligingly use the same key to encrypt some other message,
then you could see which key worked with the other messages.
But the whole point of an OTP is that the key is never ever ever
used more than once - that's why it's called a One Time Pad.

[Actually the most useful things that have been said in this
thread have come from Mark Wolf - read his comments].

------------------------------

From: "George T." <[EMAIL PROTECTED]>
Subject: 1024bit RSA keys. how safe are they?
Date: Sun, 22 Apr 2001 23:53:23 -0400

HI

Does anyone have an idea how safe RSA 1024 bit keys are? Are they safe enough to
be used for encrypting credit card information, travelling over the internet
and/or residing on servers (email) for more than 24 hours?

If no, what encrypting method would be sufficient?

Any help is greatly appreciated.

George



------------------------------

From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: Steganography with natural texts
Date: Mon, 23 Apr 2001 03:58:10 GMT

John A. Malley wrote:
> 
> > I should very much appreciate comments and critiques.
> 
> Steganography can be viewed as modulation in the sense of
> communications theory.  A characteristic of a carrier signal alters in
> proportion to some characteristic of a message signal.
> 
> The carrier in steganography must itself carry information.  Most
> communications systems don't require the carrier itself represent
> information.  They expect the characteristic of the carrier modulated
> by the actual message signal to be robust in the presence of a given
> noise model.
> 
> For example, AM communications systems change the amplitude envelope
> of a fixed frequency carrier. The rate of change of the envelope is
> proportional to the original message.  The atmosphere attenuates the
> overall amplitude of the AM wave when received but the frequency may
> be chosen in a part of the spectrum where noise is relatively low.
> Atmospheric attenuation of the AM signal puts a limit on recovery of
> the carried message signal (if the envelope is attenuated too much.)
> 
> FM communications systems change the instantaneous frequency of a
> carrier wave with constant amplitude. The signal can attenuate
> drastically (compared to AM) but the frequency change can still be
> detected and demodulated to recover the original message signal.
> 
> Steganography as modulation involves altering a characteristic of an
> intelligible signal that acts as a carrier. The carrier signal must
> remain intelligible after modulation for the steganographic signal to
> remain undetected.

For example, it is surely possible to have a transmitter produce a
single radio signal which simultaneously is modulated in frequency,
amplitude, and phase.  One of these would be the cover signal, and the
other [two] would be the stego signal(s).  Which is which would depend
on the particular frequency chosen -- eg, if messages are sent in the
range which is AM on a normal music radio's dial, then the amplitude
modulation would contain the cover signal, and freq and/or phase would
contain the stego signal; if the messages are sent in the range which is
normally used for FM, then AM/phM would be the stego signal.

Done right, if a signal is sent with both an AM and an FM signal on one
frequency, both should be separately decodable, each without interfering
with the other.  Phase modulation might be detectable, though.

[snip]

> P.S.  Couldn't resist, here's my earliest memory of steganographic
> "language" :
> 
> Frank Herbert in "Dune", first published in 1965, has the Fremen on
> Arrakis using steganography to send secret messages to one another by
> embedding temporary neural imprints on the nervous systems of bats and
> birds with a device called a "distrans". The creature's normal cry
> then carries the message imprint which can be sorted from the carrier
> wave by another "distrans".

IIRC, there was also another, similar, form of stego in that series
(maybe in that book, I don't recall) -- a [human] courier would have his
voice altered in some way to include a signal, but without it being
noticeably different to a human ear.  The courier would then be sent, his
new voiceprint compared to the old one, and the message extracted.  The
courier himself wouldn't even know the contents of the message, and
might even be told some other message as a cover, in case he's
intercepted.  He might not even know that his voice was altered.

If he's caught and tortured for info, all he can give is the cover
message he's been told.  If his voiceprint is examined, then they still
have to try to compare it to the original (which they might not have).

-- 
Sometimes the journey *is* its own reward--but not when you're trying to
get to the bathroom in time.

------------------------------

From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Subject: Re: OTP WAS BROKEN!!!
Date: Sun, 22 Apr 2001 20:26:30 -0700


newbie <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> OTP was broken!
> It is not a joke.
It is a joke.  If you don't believe me, look up the proof by Shannon.

For your particular error:

>
> Let encipher with truly random key a message M.
> M is a plaintext
> M =( M1 M2 M3 .... Mn)
> K is a Keystream
> K = ( K1 K2 K3......Kn)
> C is a Ciphertext
> C = ( C1 C2 C3 .... Cn)
> ___________________________
>
> What I know before breaking is C.
>
> What I could know using extra-information is the specific language used
> in my ciphertext
> Sample : military communication. If I know that I can still assign a
> high probability to occur to
> all the words and sentences used by militaries in their mails.
> So I'm going to use a specific database to break my ciphertext.
> I'm going to show you that even if I have no extra-information, it makes
> my breaking more difficult but not impossible.
> ___________________________
>
> FIRST STEP
>
> GOAL : selection of messages which have a "sense".
>
> 1.1. I choose the size of the block that I have to break.
>
> This choice depends on my power computation( it could be 32 bits or
> more)
>
> Let the size of the block = 128 bits.
>
> 1.2. So let suppose that my domain of messages that have a sense is PM.
>
> PM = ( Pm1, Pm2, ..... Pms)
> S is the number of all possible messages.
> The size of every PM is = s = 128 bits.
>
> If I try all 2^128 possible messages without any constraint, a large
> part of them have no sense.
> If I convert those bit-sequences to plaintext using i.e Ascii code, many
> output have no sense.
> What I mean by sense is not only semantic.
> Sample : the sequence-text  "ossi" has a sense because it is included in
> the word p...ossi..ble.
>               the text "xzyh" has no  sense because it is impossible to
> find an English word including
>               the sequence-text "xzyh"
>
> That means that only a low percentage of the 2^128 possible messages has
> a sense.
>
> If my choice is right and correct, only one of my PMi is matching the
> message I'm trying to uncover.
> The domain of possible solutions is then defined and listed.
> I  still do not know which of PM(i) is the "right one".
> All are equiprobable. But I have limited the number of possible
> solutions.
>
> 1.3. I sort my list of PM(i).
>
> This sort operation has to be done according the position of the block
> in the plain-text. All the PM(i) which likely to be in the head of the
> plaintext are the first in the list. Sample (Dear, My dear etc...).
> The more likely to be in the head of the message will be the first one
> in the list.
> This operation will be repeated after each broken-block.
>
> SECOND STEP :
>
> This step is the core of the OTP breaking algo.
>
> GOAL : finding the right message and breaking the ciphertext.
>
> How could we do that?
>
> 2.1  I choose the first PM(1) in the previous list (1.3)
>
> 2.2. I compute Output 1  ( K'(i) =Output (i)  ).
>
> K' (1) = PM(1)  Xor C(1)
>
> 2.3 I choose a plaintext of 128 bits ( 16 letters ) that has a sense.
>
> Chosen plaintext = CHP= "I am an amateur!"
> I can choose any plaintext of 128 bits that has a sense.
> I can use the same text in all my next operations.
>
> 2.4. I compute a second "ciphertext"
>
> C'(1) = K'(1) Xor CHP.
>
>
>
> C'(1) will allow me to find the solution.
>
> How does it work?
>
> The ciphertext analyzed is C1.
>
> I have 2 equations :
>
> C1 = M1 Xor K1                                          (1)
>
> C'(1) = K'(1) Xor CHP                                   (2)
>
>
> If I Xor C1 with C'(1) I will obtain
>
> C1 Xor C'(1) = (M1 Xor K1) Xor (K'(1) Xor CHP)    (3)
>
> I know C1, C'(1), K'(1) and CHP.
>
> I do not know M1 and K1.
>
> We have 2 cases :
>
> First case :
>
> Now let suppose that K1 = K'(1).
>
> Hence K1 Xor K'(1) = 0000000....
>
> C1 Xor C'(1) = M1 Xor CHP         (4)
>
> I know C1, C'(1) and CHP. It is easy now to find M1.
>
> C1 Xor C'(1) Xor CHP will give me a text that has NECESSARILY a sense,
> which is M1. I found the right solution.
>
> In this case K(1) NEUTRALIZES K1, the randomness disappears. And the
> equation is easily solved.
>
> Second case :
>
> K1 is different from k'(1). What could happen in this case?
>
> My equation will be
>
> C1 Xor C'(1) = (M1 Xor K1) Xor (K'(1) Xor CHP)
>                   = (M1 Xor CHP) Xor (K1 Xor K'(1))
>
> I know C1, CHP, K'(1).
>
> I do not know M1 and K1.
>
> But, knowing that K1 is a random key, K1 Xor K'(1) is necessarily a random
> string.
Wrong.  "K1 being random implies K1 xor K'(1) being random" is a true
statement only if K1 and K'(1) are independent in a probabilistic sense, and
here they are not.  In particular, you have defined K'(1) as:

   K' (1) = PM(1)  Xor C(1)

or

   K'(1) = PM(1) Xor (M1 Xor K1)

or (rearranging terms):

   K'(1) = K1 Xor (PM(1) Xor M1)

As such, K'(1) is random (as K1 is random, and statistically independent of
either PM(1) or M1); however, K'(1) and K1 are obviously not independent, and
hence any claim of randomness of their Xor is unfounded.

--
poncho
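An added example (my code, not any poster's) that checks nugatory's hex message above and the algebra in this reply: every same-length plaintext has a key that "decrypts" the ciphertext to it, the quoted "second ciphertext" procedure of steps 2.1-2.4 only hands back the guess PM(1) it started from, and K1 Xor K'(1) equals PM(1) Xor M1 exactly as stated here. The 18-byte CHP and the "Retreat" candidate are constructed for the demonstration; the ciphertext and both keys are the ones nugatory posted.

```python
# Added example, not from the digest: the XOR identities behind nugatory's
# hex message and Scott Fluhrer's rebuttal of the "second ciphertext" trick.

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR; a one-time pad needs key and message of equal length."""
    if len(a) != len(b):
        raise ValueError("OTP operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

# Ciphertext and the two candidate keys exactly as posted by nugatory.
DIGEST_CIPHERTEXT = bytes.fromhex(
    "7a 70 71 63 66 69 65 6e 75 72 6a 64 38 6d 6e 79 2b 2b")
KEY_REAR = bytes.fromhex(
    "3b 04 05 02 05 02 45 07 1b 52 1e 0c 5d 4d 1c 1c 4a 59")
KEY_LEFT = bytes.fromhex(
    "3b 04 05 02 05 02 45 01 1b 52 1e 0c 5d 4d 02 1c 4d 5f")

def decrypt(ciphertext: bytes, key: bytes) -> bytes:
    return xor_bytes(ciphertext, key)

def key_for(ciphertext: bytes, plaintext: bytes) -> bytes:
    """For ANY plaintext of the right length there is exactly one key that
    decrypts the ciphertext to it: K = C xor M.  The ciphertext alone can
    therefore never rule a candidate out (Shannon's perfect secrecy)."""
    return xor_bytes(ciphertext, plaintext)

def newbie_procedure(c1: bytes, pm1: bytes, chp: bytes):
    """Steps 2.1-2.4 of the quoted 'break': K'(1) = PM(1) xor C1, then
    C'(1) = K'(1) xor CHP, then C1 xor C'(1) xor CHP.
    Returns (recovered_text, k_prime).  Algebraically
    C1 xor C'(1) xor CHP = C1 xor K'(1) = PM(1): the guess comes straight back,
    whatever the true key was."""
    k_prime = xor_bytes(pm1, c1)
    c_prime = xor_bytes(k_prime, chp)
    recovered = xor_bytes(xor_bytes(c1, c_prime), chp)
    return recovered, k_prime

def key_difference(k1: bytes, m1: bytes, pm1: bytes):
    """Scott Fluhrer's point: K'(1) = K1 xor (PM(1) xor M1), so K1 xor K'(1)
    is PM(1) xor M1, a value fixed by the guess, not a fresh random string.
    Returns both sides so a caller can compare them."""
    c1 = xor_bytes(m1, k1)
    k_prime = xor_bytes(pm1, c1)
    return xor_bytes(k1, k_prime), xor_bytes(pm1, m1)

if __name__ == "__main__":
    for key in (KEY_REAR, KEY_LEFT):
        print(decrypt(DIGEST_CIPHERTEXT, key))
    # Constructed 18-byte candidates: each one has a perfectly valid key.
    for guess in (b"Attack in the rear", b"Attack on the left",
                  b"Retreat at midnite"):
        print(guess, key_for(DIGEST_CIPHERTEXT, guess).hex())
```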




------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: 1024bit RSA keys. how safe are they?
Date: Mon, 23 Apr 2001 04:11:37 GMT


"George T." <[EMAIL PROTECTED]> wrote in message
news:9c0956$ph0$[EMAIL PROTECTED]...
> HI
>
> Does anyone have an idea how safe RSA 1024 bit keys are? Are they safe enough to
> be used for encrypting credit card information, travelling over the internet
> and/or residing on servers (email) for more than 24 hours?

Do you want a yes or no answer or something with meaning?

Simpler answer:  If all is done well a 1024-bit RSA key is sufficient for a
long time assuming the key is not compromised.

Not so simpler answer:  Depends on for how long it's needed, how it's
actually used (padding methods, protocols) and the underlying system in
which it's used.

> If no, what encrypting method would be sufficient?

RSA is hardly used to encrypt real messages...

> Any help is greately appreciated.

I would suggest picking up a text on the subject.

It's not so easy to say "factoring is hard so my RSA implementation must be
secure".  Which is why I must stress that there is no hard and fast answer
to your question.

Tom



------------------------------

Date: Mon, 23 Apr 2001 04:48:36 +0100
From: David Hopwood <[EMAIL PROTECTED]>
Subject: Generating primes by incremental search


Terry Boon wrote:
> On Wed, 11 Apr 2001 06:37:36 GMT, Samuel Paik <[EMAIL PROTECTED]> wrote
> [about generating primes for RSA, for example]:
>
> >Generally, pick random odd n-bit number (this means the high order
> >bit and low order bit are set to 1 and the rest of the bits are chosen
> >randomly).  Test for probabilistic primality.  If not prime, increment
> >by 2 and go to test, otherwise, accept as prime.
>
> I've seen this method suggested elsewhere as well...
>

> Does this not bias the "random" selection of a prime towards primes
> which come after a long run of composites?

Yes, it does.

> (And, furthermore, is this effect significant? ...)

Almost certainly not. See

  Jørgen Brandt, Ivan Damgård,
  "On generation of probable primes by incremental search."
  Advances in Cryptology - Crypto '92,
  Lecture Notes in Computer Science Vol. 740, pp. 358-370.
  Springer-Verlag, 1993.

This doesn't appear to be on the web. A brief summary is that they look
at the entropy of the primes output by the incremental search algorithm,
and show that it is not too much less than that of randomly chosen
primes, under an assumption called the 'prime r-tuple conjecture' (which
is well-supported experimentally).

This does not completely rule out the possibility that there could be
a factoring algorithm that works better if a prime factor comes after
a long run of composites. There's no reason to believe that that is
likely, based on existing factoring algorithms, though, and even if such
an algorithm did exist, it could only increase the probability that a
generated key can be broken by some fairly small factor.

> I suspect that the answers to these two questions are "Yes" and "No"
> respectively.

You won't be disappointed, then :-)

-- 

David Hopwood <[EMAIL PROTECTED]>

Home page & PGP public key: http://www.users.zetnet.co.uk/hopwood/
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5  0F 69 8C D4 FA 66 15 01
Nothing in this message is intended to be legally binding. If I revoke a
public key but refuse to specify why, it is because the private key has been
seized under the Regulation of Investigatory Powers Act; see www.fipr.org/rip


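As an added example (my code, not Hopwood's or the Brandt-Damgård paper's), the bias Terry Boon asks about can be measured exhaustively for tiny key sizes: run the incremental search from every odd n-bit starting point and count how often each prime comes out. Each prime is produced once per odd start in the run of composites below it, so a prime after a long gap is chosen more often; the Shannon entropy of the result is compared with log2 of the number of primes, the quantity the summary above refers to. Trial division stands in for the probabilistic test because n is tiny, and a search that runs off the top of the n-bit range is counted as an overflow rather than restarted.

```python
# Added example, not from the digest: exhaustively measuring the bias of
# "pick a random odd n-bit number, add 2 until prime" for tiny n.
import math
from collections import Counter

def is_prime(n: int) -> bool:
    """Trial division; fine for the tiny n used here.  A real key generator
    uses a probabilistic test (e.g. Miller-Rabin) as the quoted method says."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True

def incremental_search(start: int, bits: int):
    """First prime >= start reached by stepping +2, or None when the search
    runs past the n-bit range (a real generator would restart with a fresh
    random start instead)."""
    n = start
    while n < (1 << bits):
        if is_prime(n):
            return n
        n += 2
    return None

def search_distribution(bits: int) -> Counter:
    """Run the search from every odd n-bit start (high and low bits set) and
    count how often each prime is produced.  With a uniformly random start,
    each prime's probability is proportional to its count; the None entry
    counts starts whose search overflowed."""
    counts = Counter()
    for start in range((1 << (bits - 1)) | 1, 1 << bits, 2):
        counts[incremental_search(start, bits)] += 1
    return counts

def entropy_bits(counts: Counter) -> float:
    """Shannon entropy (bits) of the prime actually output, ignoring the
    overflowing starts, for comparison with log2(number of primes)."""
    total = sum(c for p, c in counts.items() if p is not None)
    return -sum((c / total) * math.log2(c / total)
                for p, c in counts.items() if p is not None)

def uniform_entropy_bits(counts: Counter) -> float:
    """Entropy a uniformly chosen prime of the same size would have."""
    return math.log2(sum(1 for p in counts if p is not None))

if __name__ == "__main__":
    for bits in (8, 10, 12):
        d = search_distribution(bits)
        prime_counts = [c for p, c in d.items() if p is not None]
        print(f"{bits}-bit: {len(prime_counts)} primes, most-favoured prime "
              f"produced {max(prime_counts)} times vs {min(prime_counts)} for "
              f"the least, H={entropy_bits(d):.2f} bits vs "
              f"uniform {uniform_entropy_bits(d):.2f} bits")
```

The gap between the two entropy figures is the "not too much less" of the summary; the ratio between the most- and least-favoured primes is the bias itself.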

------------------------------

From: [EMAIL PROTECTED] (Rob Warnock)
Subject: Re: Hash function
Date: 23 Apr 2001 04:23:39 GMT

Jack Lindso <[EMAIL PROTECTED]> wrote:
+---------------
| U29tZWJvZHksIGFueWJvZHkgPyBQbGVlZWFzZSwgcHJldHR5IHBsZWVlYWFhc2UgISEhISEhDQoN
| Ci0tIA0KQW50aWNpcGF0aW5nIHRoZSBmdXR1cmUgaXMgYWxsIGFib3V0IGVudmlzaW9uaW5nIHRo
| ZSBJbmZpbml0eS4NCmh0dHA6Ly93d3cuYXRzdGVwLmNvbQ0KLS0tLS0tLS0tLS0tLS0tLS0tLS0t
+---------------

Please turn *off* BASE64 encoding when posting to newsgroups.
It just wastes bandwidth and annoys other readers...


------------------------------

From: [EMAIL PROTECTED] (Rob Warnock)
Subject: Re: PRNG quality
Date: 23 Apr 2001 04:33:06 GMT

Trevor L. Jackson, III <[EMAIL PROTECTED]> wrote:
+---------------
| Since PRNGs are deterministic their output contains no more entropy
| than their input, the initial seed value.  In a trivial sense the
| sequence P xor Q has randomness (entropy) equal to Pseed + Qseed.
+---------------

By "Pseed + Qseed" did you mean "length(Pseed)+length(Qseed)"? I suspect
it's probably something more like H(P XOR Q) <= H(Pseed) + H(Qseed), since
the entropy of the seeds might be *very* small [if badly chosen], and if
the seeds are duplicates or share content, the inequality will definitely
apply.


-Rob

=====
Rob Warnock, 31-2-510           [EMAIL PROTECTED]
SGI Network Engineering         <URL:http://reality.sgi.com/rpw3/>
1600 Amphitheatre Pkwy.         Phone: 650-933-1673
Mountain View, CA  94043        PP-ASEL-IA

------------------------------

From: "Shea J. Hawes" <[EMAIL PROTECTED]>
Subject: Re: research on polymorphic crypto/Best Possible Privacy?
Date: Sun, 22 Apr 2001 21:36:34 -0700
Reply-To: [EMAIL PROTECTED]

I'm not sure I understand what you mean by hoping I'm a coincidence.  If there
is another thread related to this I have not been able to find it.  If that is
not what you meant then you have succeeded in confusing me.  Any help clearing
up your response would be appreciated.

Thanks,
Shea

Mark G Wolf wrote:

> > I'm looking for research that anyone may have done regarding the product
> > Best Possible Privacy.  The underlying technology is described as a
> > polymorphic encryption scheme.   There is a description of the algorithm
> > at www.identification.de/crypto/descript.html with a related site
> > selling the product at www.ciphers.de/bpp.  I have searched for other
> > references to either of these pages and found nothing so far.  I have
> > read the snake oil faq and this seems to fall into that category but I
> > am not an expert so I turn to those of you who are.
>
> I hope you're just a coincidence.  Absolutely not.  Thou doth protest too
> much.


------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: OTP WAS BROKEN!!!
Date: Mon, 23 Apr 2001 04:41:31 GMT

On Sun, 22 Apr 2001 16:13:13 -0300, newbie <[EMAIL PROTECTED]>
wrote, in part:

>Let encipher with truly random key a message M.
>M is a plaintext
>M =( M1 M2 M3 .... Mn)
>K is a Keystream 
>K = ( K1 K2 K3......Kn)
>C is a Ciphertext 
>C = ( C1 C2 C3 .... Cn)

>What I know before breaking is C.

>What I could know using extra-information is the specific language used
>in my ciphertext 
>Sample : military communication. If I know that I can still assign a
>high probability to occur to 
>all the words and sentences used by militaries in their mails.

So far, so good.

>So I'm going to use a specific database to break my ciphertext.
>I'm going to show you that even I have not extra-information, it makes
>my breaking more difficult but not impossible.


>If I try all 2^128 possible messages without any constraint, a large
>part of them have no sense.

>That means that only a low percentage of the 2^128 possible messages has
>a sense.

This also makes sense.

>I  still do not know which of PM(i) is the "right one".
>All are equiprobable. But I have limited the number of possible
>solutions.

And the claim is that you will _never_ know which one is right.

>2.1  I choose the first PM(1) in the previous list (1.3)     

>2.2. I compute Output 1  ( K'(i) =Output (i)  ).

>K' (1) = PM(1)  Xor C(1)  

The trouble is, K'(1) will be a perfectly good random one-time-pad!

>2.3 I choose a plaintext of 128 bits ( 16 letters ) that has a sense.

>Chosen plaintext = CHP= "I am an amateur!"
>I can choose any plaintext of 128 bits that has a sense.
>I can use the same text in all my next operations.

OK, so CHP is *not* the same as PM(1). This is where it gets
confusing.

>2.4. I compute a second "ciphertext" 

>C'(1) = K'(1) Xor CHP.

>C'(1) will allow me to find the solution.

No, it won't.

>C1 = M1 Xor K1                                          (1)
actual ciphertext = most likely message xor hypothetical key

>C'(1) = K'(1) Xor CHP                                   (2)   
second ciphertext = hypothetical key xor standard message

Oh, but K1 isn't the same as K'(1)? Oh dear, then this isn't making
sense, it seems.

John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: ancient secret writing
Date: Mon, 23 Apr 2001 04:41:17 GMT

Mok-Kong Shen wrote:
> I tend also to think that there is a substantial probability
> of the more recent stuffs like the Voynich Manuscript
> being a hoax intended to fool people.

The Voynich manuscript is hardly "recent".
Also, if it is a hoax, it is an incredibly subtle one;
for example, there are four (if I recall correctly) distinct
"hands" (textual styles), which is a totally unnecessary detail
for a hoax.

> More sensible seems to spend resources on the very ancient
> findings of archeology. But these are apparently very very
> hard to attack, since we have no knowledge at all of the
> languages involved.

Which languages did you have in mind?  Several have in fact
been deciphered.

------------------------------

From: [EMAIL PROTECTED] (Rob Warnock)
Subject: Re: XOR TextBox Freeware:  Very Lousy.
Date: 23 Apr 2001 04:42:11 GMT

Henrick Hellström <[EMAIL PROTECTED]> wrote:
+---------------
| "David Schwartz" <[EMAIL PROTECTED]> skrev:
| > If the user had a good, secure means of sending the OTP to the
| > recipient, why wouldn't he just use that mechanism to transfer the
| > plaintext itself?
| 
| Old question and IMHO still formulated the wrong way. You should use an OTP
| when you have a need to send messages more frequently than you are able to
| exchange the OTP securely. So the answer is: Because he can't.
+---------------

I think "frequency" is still the wrong determinant -- "ease/convenience"
is, or to say it another way, "timing". In order to use an OTP, you *must*
have a means of securely distributing the keys (as we all know), but that
secure means might not be equally available at all times, especially perhaps
not at times we might want to send a message. Or that secure means might be
*SLOW* (e.g., a hand-carried briefcase locked to a courier's wrist, with
two armed Marines riding along on either side of him) compared to the speed
with which we need to send the message ("missile launch detected!").

An OTP is very useful when (1) there exists a relatively-convenient secure
means of distributing the keys ahead of time, *and* (2) the total volume
of expected traffic [including dummy traffic to foil traffic analysis]
does not exceed the amount of key material that can be conveniently
"pre-staged" at the receiver's site.


-Rob

=====
Rob Warnock, 31-2-510           [EMAIL PROTECTED]
SGI Network Engineering         <URL:http://reality.sgi.com/rpw3/>
1600 Amphitheatre Pkwy.         Phone: 650-933-1673
Mountain View, CA  94043        PP-ASEL-IA

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Censorship Threat at Information Hiding Workshop
Date: Mon, 23 Apr 2001 04:47:26 GMT

David A Molnar wrote:
> Can we agree that Felten et. al. are not pirates?

Sure, they weren't the one I was replying to.
The real crime is not cracking the copy protection scheme.
My point was that it is *also* not in using a copy protection scheme.
Rather, the real problem here is the theft of content that started
the chain of developments.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: OTP WAS BROKEN!!!
Date: Mon, 23 Apr 2001 04:55:14 GMT

Benjamin Johnston wrote:
> Your procedure is equivalent to asking, "What do I think this sender
> may have sent to the recipient"...

Exactly.  The whole procedure produces no new information from the
ciphertext data; one could produce the same result without even
bothering to examine the ciphertext.  There is no rational way to
call that "breaking the system".

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: OTP WAS BROKEN!!!
Date: Mon, 23 Apr 2001 04:57:37 GMT

Tom St Denis wrote:
> Since infinity is not a number and doesn't represent one you can't
> exactly square it. ...
> Of course I will most likely get flamed by this post.  Oh well.

The reason you get flamed is for trying to explain something that
you don't know as well as the person to whom you're trying to explain.

Look up "Cantor" and "transfinite numbers".

------------------------------

From: "Mark G Wolf" <[EMAIL PROTECTED]>
Subject: Re: research on polymorphic crypto/Best Possible Privacy?
Date: Mon, 23 Apr 2001 00:00:40 -0500

> I'm not sure I understand what you mean by hoping I'm a coincidence.  If there
> is another thread related to this I have not been able to find it.  If that is
> not what you meant then you have succeeded in confusing me.  Any help clearing
> up your response would be appreciated.

Oh, but you understand the rest of my message.  What about that?





------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
