Cryptography-Digest Digest #216, Volume #14      Mon, 23 Apr 01 15:13:01 EDT

Contents:
  Re: C code for GF mults (David Eppstein)
  Re: OTP WAS BROKEN!!! (John Savard)
  Re: OTP WAS BROKEN!!! ("Tom St Denis")
  Re: OTP WAS BROKEN!!! (John Savard)
  Re: OTP WAS BROKEN!!! (John Savard)
  Re: First cipher (Mark Wooding)
  Re: OTP WAS BROKEN!!! (John Savard)
  Re: OTP WAS BROKEN!!! ([EMAIL PROTECTED])
  Re: OTP WAS BROKEN!!! (Ichinin)
  Re: OTP WAS BROKEN!!! (Mark Wooding)
  Re: C code for GF mults (Mike Rosing)
  Re: compare PRNG (" ink")
  Re: OTP WAS BROKEN!!! (John Myre)
  Re: OTP WAS BROKEN!!! (newbie)
  Re: XOR TextBox Freeware:  Very Lousy. (HiEv)
  Re: OTP WAS BROKEN!!! (newbie)
  Re: No base64 ("Jack Lindso")
  Re: OTP WAS BROKEN!!! (Joe H Acker)
  First analysis of first cipher ([EMAIL PROTECTED])
  Re: OTP WAS BROKEN!!! (Scott Craver)
  Re: compare PRNG ("M.S. Bob")
  Re: RSA-like primes p and q ("Dobs")
  Re: "UNCOBER" = Universal Code Breaker ("Joseph Ashwood")

----------------------------------------------------------------------------

From: David Eppstein <[EMAIL PROTECTED]>
Subject: Re: C code for GF mults
Date: Mon, 23 Apr 2001 09:04:28 -0700

In article <3YQE6.31605$I5.161433@stones>,
 "Brian Gladman" <[EMAIL PROTECTED]> wrote:

> I suspect that Conway's method of multiplication is equivalent to the use of
> this method for field extension but I have not yet looked at this again
> since I saw your formulation.

Conway proves that his version is equivalent to repeatedly extending by 
polynomials of the form T^2+T+c, where c is the last power of two in the 
integer ordering of the previous stage.

I'm not sure how this relates to Jyrki's choice of extending by the 
polynomial T^2+x_{i-1}T+1=0.
-- 
David Eppstein       UC Irvine Dept. of Information & Computer Science
[EMAIL PROTECTED] http://www.ics.uci.edu/~eppstein/

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: OTP WAS BROKEN!!!
Date: Mon, 23 Apr 2001 16:16:22 GMT

On Mon, 23 Apr 2001 02:58:24 GMT, "zkn3" <[EMAIL PROTECTED]> wrote, in
part:

>Small point: I believe infinity squared is still aleph-null, hence, not
>larger.

That's true in terms of cardinality.

However, if you have that the probability of one event is p, and the
probability of another event is q, which equals p squared, and the
other event only occurs when the first one does, then the conditional
probability of the second event, given the first, is p; and the limit
of that, as p goes to zero, is zero, even though both p and q are
equal to 1/aleph-null.

Essentially, the discussion in the previous post referred to
infinitesimals and the like in *measure* terms, not cardinality terms.

John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: OTP WAS BROKEN!!!
Date: Mon, 23 Apr 2001 16:16:40 GMT


"newbie" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> I'm going to be more clear.
> If the sender re-use his key to encrypt any message, I will certainly
> recover the 2 plaintext.

If the sender "re-use his key to encrypt any message" then he's not using an
OTP.  If the person uses their key two or more times, it is not an OTP, so
your post does not apply to the subject of the post.  Is that clear?
(my french is rusty...)

> HE DID NOT. He uses his PAD only once.
> What I'm trying to exploit is nothing more than REUSING HIS OWN PAD.

Then don't claim it as a break for an OTP.  It's a break of a Vigenère
cipher, nothing more.

Tom



------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: OTP WAS BROKEN!!!
Date: Mon, 23 Apr 2001 16:22:21 GMT

On Sun, 22 Apr 2001 19:20:43 -0300, newbie <[EMAIL PROTECTED]>
wrote, in part:

>I knew it.
>Do not be skeptical please. 
>Just try to understand my idea.
>Please.
>
>It is based on the simulated re-use of the OTP.
>If I reuse the OTP twice you can break it for sure.
>That is the trick that I used.
>It is very simple.

Yes, you can break the OTP very easily if you reuse it.

But your method does not 'simulate' the re-use of the OTP, because you
can't do that unless you already have the key.

Your explanation was very hard to follow, but now it seems to make
more sense:

you have both a 'most probable plaintext' and a 'fixed standard
message'. You use the actual ciphertext and the most probable
plaintext to obtain a guess at the key.

But in the next step, you use neither that guess at the key, nor the
actual ciphertext, with the fixed standard message, so either the
ciphertext or key you used were grabbed out of the air somehow. So I'm
afraid you lost me there.

Again, your method, though, seems to be based on the same fallacy:
that you can look at a possible keypad, and reject it when it doesn't
look random enough. You have no real chance of gaining useful
information that way.

John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: OTP WAS BROKEN!!!
Date: Mon, 23 Apr 2001 16:23:33 GMT

On Sun, 22 Apr 2001 23:33:52 GMT, "Tom St Denis"
<[EMAIL PROTECTED]> wrote, in part:

>if you use the pad more than once it's not an OTP.  Check your subject line
>it's misleading.

Yes, but the person whose message he is trying to break did NOT use
the pad twice. The cryptanalyst is supposed to be able to read the
message by 'simulating' using it twice.

Of course, that's impossible.

John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: First cipher
Date: 23 Apr 2001 16:23:37 GMT

Mark Wooding <[EMAIL PROTECTED]> wrote:

> > 1.) Would a separate SP network in the key schedule be a good way of
> >     confusing the relationship between the subkeys? (I don't mean
> >     modifying the cipher I posted, I'm asking in a general sense.)
> 
> If you're thinking about the related-key slide, that's not actually
> related to the complexity of either your key schedule stepping function
> or the Feistel F-function.

While I remember: your cipher has another of DES's weaknesses.  It has
the `complementation property': if C = E_K(P) then
\bar C = E_{\bar K}(\bar P) (where \bar x is the bitwise complement of
x).  This can reduce the complexity of a keyspace search by a factor of
2 given a chosen-plaintext pair.

-- [mdw]
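An added illustration of the complementation property described above (constructed example code, not the cipher under discussion and not the poster's): a toy 16-bit Feistel cipher with a DES-style bit-selection key schedule and XOR key mixing has the property, while the same cipher with the round key added modulo 2^8 does not. `complementation_holds` is the designer's check; `keys_consistent_with_pair` shows why a chosen-plaintext pair halves a key search, since one trial encryption rules on both a key and its complement.

```python
import random

# Toy Feistel cipher: 8-bit halves, 16-bit key, four rounds.  The 4-bit
# S-box is row 0 of DES S1, reused here only because it is a known permutation.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8,
        0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
ROUNDS = 4


def complement(x, bits=16):
    """Bitwise complement within a fixed width (\\bar x in the post's notation)."""
    return x ^ ((1 << bits) - 1)


def subkeys(key):
    """DES-like schedule: every round key is a rotation of the master key,
    i.e. pure bit selection, which commutes with complementation."""
    ks = []
    for i in range(ROUNDS):
        rot = ((key << (3 * i)) | (key >> (16 - 3 * i))) & 0xFFFF
        ks.append(rot & 0xFF)
    return ks


def nonlinear_layer(x):
    """Keyless part of F: two S-box lookups and a rotate for diffusion."""
    y = (SBOX[x >> 4] << 4) | SBOX[x & 0xF]
    return ((y << 3) | (y >> 5)) & 0xFF


def f_xor(r, k):
    """F mixes the round key by XOR, as DES does: F(~r, ~k) == F(r, k)."""
    return nonlinear_layer(r ^ k)


def f_add(r, k):
    """Variant mixing the round key by addition mod 2^8; complements no longer cancel."""
    return nonlinear_layer((r + k) & 0xFF)


def encrypt(key, block, f=f_xor):
    left, right = block >> 8, block & 0xFF
    for k in subkeys(key):
        left, right = right, left ^ f(right, k)
    return (left << 8) | right


def complementation_holds(f, samples=200, seed=1):
    """Designer's check: how many random (K, P) pairs satisfy E_{~K}(~P) == ~E_K(P)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        key, pt = rng.getrandbits(16), rng.getrandbits(16)
        if encrypt(complement(key), complement(pt), f) == complement(encrypt(key, pt, f)):
            hits += 1
    return hits


def keys_consistent_with_pair(trial, p, c_p, c_notp, f=f_xor):
    """Why the property halves a key search: given the chosen-plaintext pair
    (P, E_K(P)) and (~P, E_K(~P)), one encryption under `trial` also decides
    ~trial, because E_{~trial}(~P) == ~E_{trial}(P)."""
    x = encrypt(trial, p, f)
    consistent = set()
    if x == c_p:
        consistent.add(trial)
    if complement(x) == c_notp:
        consistent.add(complement(trial))
    return consistent
```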

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: OTP WAS BROKEN!!!
Date: Mon, 23 Apr 2001 16:25:22 GMT

On Mon, 23 Apr 2001 11:58:37 -0300, newbie <[EMAIL PROTECTED]>
wrote, in part:

>But if I re-use every time the key obtained by XORing PM(i) and his
>ciphertext, I make this hypothesis: if the key I re-use is IDENTICAL to
>HIS KEY, I'm sure that is the key he used. And the plaintext is
>uncovered.

Where does your testing ciphertext come from?

John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: OTP WAS BROKEN!!!
Date: 23 Apr 2001 16:33:12 GMT

Tom St Denis <[EMAIL PROTECTED]> wrote:

> "Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
>> Tom St Denis wrote:
>> > Since infinity is not a number and doesn't represent one you can't
>> > exactly square it. ...
>> > Of course I will most likely get flamed by this post.  Oh well.
>>
>> The reason you get flamed is for trying to explain something that
>> you don't know as well as the person to whom you're trying to explain.
>>
>> Look up "Cantor" and "transfinite numbers".

> That's cool times two.. nahaha that's cool times infinity...

> heheheh

> You know what, I really don't care.  It's one of those things that's "neat"
> but at my stage in life a completely useless fact.  Just like knowing the
> universe is expanding.  Not much I can do with that fact too.

Be careful about what you say is "useless" and what is not.  Different
orders of infinite sets, and Cantor's diagonalization argument, are
precisely what prove that there are lots of functions that are not
computable.  And if you're interested in computing things (as in
cryptography), then understanding the *un*computable things is
extremely useful...

-- 
Steve Tate --- srt[At]cs.unt.edu | Gratuitously stolen quote:
Dept. of Computer Sciences       | "The box said 'Requires Windows 95, NT, 
University of North Texas        |  or better,' so I installed Linux."
Denton, TX  76201                | 

------------------------------

From: Ichinin <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: OTP WAS BROKEN!!!
Date: Tue, 17 Apr 2001 13:32:50 +0200

newbie wrote:
> It is not a joke.

  Think so?

> Let encipher with truly random key a message M.

  Okay, you use a "truly random key".

> So I'm going to use a specific database to break my ciphertext.

  Ahh, you have a DB of all plaintexts and all random pads in the
  world. Do you even KNOW the TREMENDOUS workload you are talking
  about?

> GOAL : selection of messages which have a "sense".

  Messages? You mean "Message" since the OTP is only used once?

> If I try all 2^128 possible messages without any constraint, a large
> part of them have no sense.

  ...and you have infinite computing power, and you will decrypt the OTP
  to basically every possible message that can fit into m[].

> If I convert those bit-sequences to plaintext using i.e Ascii code, many
> output have no sense.

> That means that only a low percentage of the 2^128 possible messages has
> a sense.

  [I think this thread have no sense]

  An OTP doesn't encrypt data or even work that way; when one looks for
  plausible plaintexts one talks about cryptosystems based on keys, not
  OTPs.

> 1.3. I sort my list of PM(i).
> This sort operation ...

  ...and now you destroy the plausible PT.

> SECOND STEP :
> Choosen plaintext = CHP= "I am an amateur!"

> I do not know M1 and K1.

  N.s.?

> The breaking strategy is based on the removing of randomness. That is
> the core of the strategy.

  Wait now, weren't you using a "truly random key"?

> This strategy may be used to break all stream ciphers even DS.

> Newbie

  You are talking about science fiction IN science fiction; the only
  time OTPs have been broken was when they were reused, or when
  K was intercepted. You may as well try to figure out how to utilise
  gravitation from a micro-black hole to slingshot a colony ship to
  Tau Ceti with more luck than to break an OTP.

  A hint: Re-read everything there is to know about one time pads.
  I did a lot of reading before I even posted to sci.crypt; I think
  you should too.

Wish you luck with your studies,
Ichinin

------------------------------

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: OTP WAS BROKEN!!!
Date: 23 Apr 2001 16:59:03 GMT

Ben Cantrick <[EMAIL PROTECTED]> wrote:

>   Infinity squared is bigger than infinity,

Errr... no.  \aleph_0^2 = \aleph_0 (since |\mathbb Z^2| = |\mathbb Z|).
However, 2^{\aleph_0} > \aleph_0.

-- [mdw]

------------------------------

From: Mike Rosing <[EMAIL PROTECTED]>
Subject: Re: C code for GF mults
Date: Mon, 23 Apr 2001 12:30:15 -0500

Brian Gladman wrote:
> 
> I believe that there will also be an explanation along the lines you suggest
> in terms of the n'th roots of unity.  These roots can be expressed in terms
> of finite fields (the cyclotomic fields) as well as in terms of complex
> numbers.  The relationship between the n'th roots of unity expressed in
> terms of complex numbers and in terms of finite fields is itself an
> interesting aspect of the subject.

Thanks for the explanation, I see how it doubles now.  How do you connect
complex numbers with finite fields?  I just worked out GF(16) elements in
a GF(148) field by solving g^16 = g over GF(148).  This is simple.  But it's
the same as g^15 = 1 (I checked, my answers do that too).  How can I connect
the 15th root of unity in the complex plane with the g's I found in GF(148)?
(It does seem pretty interesting!)

Patience, persistence, truth,
Dr. mike

------------------------------

From: " ink" <[EMAIL PROTECTED]>
Subject: Re: compare PRNG
Date: Mon, 23 Apr 2001 19:31:08 +0200


"Tom St Denis" <[EMAIL PROTECTED]> wrote in message
news:_9YE6.35771$[EMAIL PROTECTED]...
>
> "Dobs" <[EMAIL PROTECTED]> wrote in message news:9c1hkn$9c8$[EMAIL PROTECTED]...
> > How can I decide that one PRNG is better and more secure than other . Do I
> > have to test them for randomness. Is it true that the more random the
> > number is the more secure PRNG is?
>
> You analyze the algorithm not the output.

C'mon... instead of just criticizing, mention DieHard. That will at least
give *some* indication on how *good* or random the output of a PRNG
is.

I don't have a link, though, maybe somebody could provide that?

Cheers, and no offence intended.
Kurt



------------------------------

From: John Myre <[EMAIL PROTECTED]>
Subject: Re: OTP WAS BROKEN!!!
Date: Mon, 23 Apr 2001 11:36:51 -0600

Mark Wooding wrote:
> 
> Ben Cantrick <[EMAIL PROTECTED]> wrote:
> 
> >   Infinity squared is bigger than infinity,
> 
> Errr... no.  \aleph_0^2 = \aleph_0 (since |\mathbb Z^2| = |\mathbb Z|).
> However, 2^{\aleph_0} > \aleph_0.
> 
> -- [mdw]

I seem to recall that the same rules apply to \aleph_n for
all n.  True?

JM

------------------------------

From: newbie <[EMAIL PROTECTED]>
Subject: Re: OTP WAS BROKEN!!!
Date: Mon, 23 Apr 2001 13:55:41 -0300

The sender does not re-use the key!!!!!!
I simulate re-using the key!!!!
Is that clear??????
I re-use all the keys that belong to a possible solution's domain.
The sender is sending a message that has a sense! Not any message.
I'm sure that xedrcfdrcfdrc is not a text that has a sense.
It is eliminated.

Suppose a child that uses only 4 words.
He uses OTP to send a message. Ok

I have the ciphertext 01001001010101

I compute Word(1) Xor Cipher = k'1. I'm going to obtain a possible key
          Word(2) Xor Cipher = k'2
          Word(3) Xor Cipher = k'3
          Word(4) Xor Cipher = k'4

It is sure that the key I'm looking for is one of k'(i), i=1 to 4.

Is that statement true???????

If you agree with that statement I may continue.

      

Tom St Denis wrote:
> 
> "newbie" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > I'm going to be more clear.
> > If the sender re-use his key to encrypt any message, I will certainly
> > recover the 2 plaintext.
> 
> If the sender "re-use his key to encrypt any message" then he's not using an
> OTP.  If the person uses their key two or more times, it is not an OTP, so
> your post does not apply to the subject of the post.  Is that clear?
> (my french is rusty...)
> 
> > HE DID NOT. He uses his PAD only once.
> > What I'm trying to exploit is nothing more than REUSING HIS OWN PAD.
> 
> Then don't claim it as a break for an OTP.  It's a break of a Vigenère
> cipher, nothing more.
> 
> Tom

------------------------------

From: HiEv <[EMAIL PROTECTED]>
Crossposted-To: alt.hacker,talk.politics.crypto
Subject: Re: XOR TextBox Freeware:  Very Lousy.
Date: Mon, 23 Apr 2001 18:03:08 GMT

"David Formosa (aka ? the Platypus)" wrote:
> 
> On Tue, 17 Apr 2001 22:32:03 -0700, David Schwartz
> <[EMAIL PROTECTED]> wrote:
> 
> >       In any realistic application, the XOR function is
> > crackable. Generally,
> > you attack the means of distributing the OTP. The big flaw in XOR is it
> > shifts the burden of keeping the cipher secure from the cipher itself to
> > the user.
> 
> Isn't this the rule of good crypto?  All strength should be in the
> key?

No, because if you have a weak encryption algorithm then you don't NEED
the key.  (Though that's not the problem in this case.)

In public key encryption you can pass the key along with the cyphertext
and the text is still secure, however if you send the key with the
cyphertext with XOR then you've given anyone who intercepts this the
lock and the key.

The person who is supposed to get this key would need to receive it via
a secure route, which means that in most cases this system is very
inconvenient, especially compared to public key encryption, where the
keys don't need to be as large as or larger than the plaintext.

------------------------------

From: newbie <[EMAIL PROTECTED]>
Subject: Re: OTP WAS BROKEN!!!
Date: Mon, 23 Apr 2001 13:59:25 -0300

I use my ciphertext as test-key. 
My ciphertext is any message encrypted with k'.

K' = PM(I) Xor Ciphertext ( the cipher I'm trying to break).

   

John Savard wrote:
> 
> On Mon, 23 Apr 2001 11:58:37 -0300, newbie <[EMAIL PROTECTED]>
> wrote, in part:
> 
> >But if I re-use every time the key obtained by XORing PM(i) and his
> >ciphertext, I make this hypothesis: if the key I re-use is IDENTICAL to
> >HIS KEY, I'm sure that is the key he used. And the plaintext is
> >uncovered.
> 
> Where does your testing ciphertext come from?
> 
> John Savard
> http://home.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: "Jack Lindso" <[EMAIL PROTECTED]>
Subject: Re: No base64
Date: Mon, 23 Apr 2001 21:22:00 +0200

Any comments ?

--
Anticipating the future is all about envisioning the Infinity.
http://www.atstep.com
====================================================
"Jack Lindso" <[EMAIL PROTECTED]> wrote in message
news:9c0l7s$[EMAIL PROTECTED]...
> Sorry I didn't notice the base64 thingy.
> Here it is again :
>
> I realize that this function is quite amateurish and probably lacks in
> design, still though I would like to hear your comments on it.
> It's a hash function of 32 bit ( ... yes I know), the important thing is
> design, optimization isn't (not now anyways).
>
> *. There is a key of 64 bits (QWord).
> [1a]. Take the text, append to it its length.
> [2a]. Pad the text till it reaches a length which can be divided into
>     QWords (e.g. 16 chars).
>
> [1b]. Take each (char's ASCII) * (its position in the text)
> [2b]. Then XOR [1b] with the partial value of the key.
>
> [1c]. Split the result of [2b] into an Array of DWords.
> [2c]. XOR all the blocks (block1 ^ block2 ^ block3 etc.), while every even
>     block is reversed ($ae34 --> $43ea).
> [3c]. The result is a DWord (... yes I know).
>
> It would help me a lot if you could tell me what you think of it.
> Cheers.
>
> --
> Anticipating the future is all about envisioning the Infinity.
> http://www.atstep.com
> ----------------------------------------------------
>


------------------------------

From: [EMAIL PROTECTED] (Joe H Acker)
Subject: Re: OTP WAS BROKEN!!!
Date: Mon, 23 Apr 2001 20:20:20 +0200

newbie <[EMAIL PROTECTED]> wrote:

> I'm going to be more clear.
> If the sender re-use his key to encrypt any message, I will certainly
> recover the 2 plaintext.

All right, as noted by others, it's not an OTP in this case.

> HE DID NOT. He use only once his PAD.

Sounds good. 

> What I'm trying to exploit is nothing more than REUSING HIS OWN PAD.
> 
> I do not know which key he used.
> But if I re-use every time the key obtained by XORing PM(i) and his
> ciphertext, I make this hypothesis: if the key I re-use is IDENTICAL to
> HIS KEY, I'm sure that is the key he used. And the plaintext is
> uncovered.

Okay, in this case you've guessed the key. Or, if you want to say so,
you've guessed the ciphertext. But you don't know his key as you don't
know the plaintext, so you don't know whether the key k' you re-use is
identical to his key. That's obvious.

> But if my testing-key k' is different from k, then P (his plaintext)
> Xor (k Xor k') will with high probability give a text with no sense.

Yes. But you have your ordered list of probable senseful plaintexts,
ordered on their probability of occurrence as estimated by you. That
severely limits the total search space and that can be useful. I don't
think anyone disagrees on this. However, if the above gives a message
with sense...will that help you determine the plaintext?

> I exploit 2 things :
> 
> - matching my hypothetical key with his key 

Here you probably mean something different. You don't know his key. 

> - the probability that any text (with sense) if Xored with random key (
> k Xor k'; k different from k') will not give me NECESSARILY A text (with
> sense). If k' is equal to k , I'm sure 100 % that I could obtain by
> simplification his PLAIN-TEXT.

But the crucial point is that you do not know k. Hence, you cannot
determine whether k' is equal to k. 

It seems you want to approximate k or p. What fact (correlation, bias,
inequality or whatever you think it is and however you describe it) do
you intend to use as a way to approximate k or p?

You're talking about intentionally re-using k. You cannot do that,
because you don't know k. What you probably mean and said elsewhere, you
re-use the ciphertext as key. That's the step that is unclear to me and
probably others. How exactly does this operation help you decide which
of the messages in PM(i) is the actual plaintext?

Regards,

Erich 
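An added worked example of the point Erich and John Savard make, and of newbie's own four-word child (constructed example code, not from any poster): every candidate pad k'(i) = PM(i) XOR C decrypts C to its own word, and a brute-force count over the whole pad space shows that each word is reachable by exactly one pad, so the posterior over the candidates is identical to the cryptanalyst's prior. The words, the prior, and the pad are constructed; `reused_pad_residue` contrasts this with the genuine two-time-pad case, where C1 XOR C2 no longer depends on the pad at all.

```python
from fractions import Fraction

KEY_BITS = 16  # the toy messages are two bytes long, so the pad is 16 bits

# Constructed message space for the "child who only uses 4 words": the prior
# is the cryptanalyst's own estimate of how likely each word is.
PRIOR = {b"go": Fraction(1, 2), b"no": Fraction(1, 4),
         b"ok": Fraction(1, 8), b"hi": Fraction(1, 8)}


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def candidate_keys(ciphertext, words):
    """newbie's k'(i) = PM(i) XOR ciphertext: one candidate pad per word.
    Each one decrypts the ciphertext to its own word, by construction."""
    return {w: xor(w, ciphertext) for w in words}


def keys_mapping(word, ciphertext):
    """Brute-force count of pads in the whole key space sending word to ciphertext."""
    return sum(1 for k in range(1 << KEY_BITS)
               if xor(word, k.to_bytes(2, "big")) == ciphertext)


def posterior(ciphertext, prior):
    """Pr[M = w | C = c] for a uniformly random pad, computed from the counts.
    Every word has exactly one pad, so the counts cancel and posterior == prior:
    the ciphertext carries no information about which candidate is right."""
    weight = {w: p * Fraction(keys_mapping(w, ciphertext), 1 << KEY_BITS)
              for w, p in prior.items()}
    total = sum(weight.values())
    return {w: wt / total for w, wt in weight.items()}


def reused_pad_residue(c1, c2):
    """Contrast: when one pad really is used twice, c1 XOR c2 == m1 XOR m2,
    a pad-free quantity that candidate plaintexts can be checked against."""
    return xor(c1, c2)
```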

------------------------------

From: [EMAIL PROTECTED]
Subject: First analysis of first cipher
Date: Mon, 23 Apr 2001 09:24:30 -0800


Last week I posted my first cipher (now dubbed "Brontosaurus") and
was challenged to cryptanalyze it. Once again, point out WHY I'm going
wrong as well as where:


The short analysis is that Bronto will be "easily" broken using
differential cryptanalysis techniques. The primary weakness of the
cipher is that S-boxes with 4-bit entries, chosen at random, are used.
At this point, I think that the weakness is due primarily to the small
m, and not necessarily due to the fact that the entries are randomly
chosen.


Stepping through the differential cryptanalysis technique outlined in
_Diff. Crypt. of DES-like Cryptosystems_ by Biham and Shamir using the
randomly generated S-box   (n=6, m=4)



s1=     [6 11 2 0 9 10 10 4;
        7 4 3 4 0 10 10 3;
        3 6 9 0 0 1 7 12;
        9 14 9 5 2 6 8 3;
        4 10 5 10 8 6 1 12;
        14 3 8 1 0 5 6 13;
        10 12 6 0 5 2 10 3;
        6 9 0 9 9 10 13 3] 

and using a MATLAB script which I wrote to generate a pairs XOR
distribution table, yields:

                del_Output
del_Input        0 1 2 3 ...

0               64 0 0 0 ...
1               0  2 2 6 ...
2               8  4 2 2 ...
3               4  2 0 8 ...
4               0  4 0 6 ...
.                  .
.                  .
63              6  4 8 4 ...

N = number of non-zero entries in the first column = 13
L = largest non-zero value in table = 12
Robustness R=(1-N/64)(1-L/64)=0.647
Percentage possible entries = (256-44)/256 per cent = 82.8 percent
(44 zeros counting those in the first row. Is this correct or are those
not counted?)

Largest entry in table:         delta=12 (best possible is 2^(n-m) = 4 )


The high delta=12 is an indication that the box is vulnerable to diff.
attacks. Using an unshown part of the table, a del_Input of 63 results
in a del_Output of 9 with a probability of 12/64 = 0.1875. 

I also wrote a MATLAB script to check the avalanche criterion, but I'm
not sure about the results. I used a Gray code to choose entries in the
S-box, which I then XOR'ed. I summed the Hamming weights of all the
XOR'd values and obtained a value of 135 which does not equal the
m*2^(n-1) required by the avalanche criterion. I was expecting the
value to be less than 128, but assuming that I wrote the MATLAB script
correctly, I think the result indicates that the S-box is not balanced.

I have a definition of "completeness" but I don't understand the
notation well enough to implement a completeness test. What is the
index of summation: all possible inputs or all possible bit changes? 

Another test which I plan to do is for propagation (XOR S-box rows
together and see if the result is balanced).


Weak S-boxes can be exploited using differential cryptanalysis to find
a probable round key in the last round of the cipher (the input to the
last round function is known). With a weak key schedule, the knowledge
of the probable last round key can be exploited for several previous
rounds.

Since the S-boxes are the only part of the cipher which provides
non-linearity, the strength of the cipher depends almost entirely on
the strength of the S-boxes.

Next, I'm going to try to determine the del_Input, del_Output table for
the F function of my cipher.


Comments, tips, pointers to references in the lit. ?



veb3
4/23/01
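An added example, not veb3's MATLAB script, that builds the pairs XOR distribution table for the 6x4 S-box posted above and derives the robustness figures from it. It assumes the matrix is read row-major, i.e. the 6-bit input x selects entry S1[x // 8][x % 8]; under that reading the first rows of the printed table come out as shown in the post, and the trivial (0,0) entry is excluded from N and L (a convention assumed here, which is the question the post itself raises).

```python
S1 = [[6, 11, 2, 0, 9, 10, 10, 4],
      [7, 4, 3, 4, 0, 10, 10, 3],
      [3, 6, 9, 0, 0, 1, 7, 12],
      [9, 14, 9, 5, 2, 6, 8, 3],
      [4, 10, 5, 10, 8, 6, 1, 12],
      [14, 3, 8, 1, 0, 5, 6, 13],
      [10, 12, 6, 0, 5, 2, 10, 3],
      [6, 9, 0, 9, 9, 10, 13, 3]]
N_IN, M_OUT = 6, 4
SBOX = [v for row in S1 for v in row]   # assumption: SBOX[x] = S1[x // 8][x % 8]


def xor_distribution_table(sbox, n=N_IN, m=M_OUT):
    """table[din][dout] = #{x : S(x) XOR S(x XOR din) == dout} (Biham-Shamir pairs XOR table)."""
    table = [[0] * (1 << m) for _ in range(1 << n)]
    for din in range(1 << n):
        for x in range(1 << n):
            table[din][sbox[x] ^ sbox[x ^ din]] += 1
    return table


def robustness(table, n=N_IN):
    """R = (1 - N/2^n)(1 - L/2^n): N = non-zero entries in the del_Output=0 column,
    L = largest entry, both taken over the non-trivial rows din != 0."""
    size = 1 << n
    N = sum(1 for din in range(1, size) if table[din][0] != 0)
    L = max(max(table[din]) for din in range(1, size))
    return (1 - N / size) * (1 - L / size), N, L


def robustness_from_counts(N, L, n=N_IN):
    """Same formula applied to counts read off a table by hand."""
    size = 1 << n
    return (1 - N / size) * (1 - L / size)


def best_differential(table):
    """Most probable non-trivial characteristic (din -> dout) and its probability."""
    size = len(table)
    din, dout = max(((d, o) for d in range(1, size) for o in range(len(table[d]))),
                    key=lambda p: table[p[0]][p[1]])
    return din, dout, table[din][dout] / size


def nonzero_fraction(table):
    """Share of table entries that are possible (non-zero), row 0 included."""
    cells = [v for row in table for v in row]
    return sum(1 for v in cells if v) / len(cells)


def print_table(table, cols=4):
    """Print the first `cols` del_Output columns in the layout used in the post."""
    print("del_In  " + " ".join(f"{o:>3}" for o in range(cols)))
    for din, row in enumerate(table):
        print(f"{din:>6}  " + " ".join(f"{v:>3}" for v in row[:cols]))


if __name__ == "__main__":
    T = xor_distribution_table(SBOX)
    print_table(T)
    R, N, L = robustness(T)
    print(f"N={N} L={L} R={R:.3f} best={best_differential(T)} "
          f"nonzero={nonzero_fraction(T):.1%}")
```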

------------------------------

From: [EMAIL PROTECTED] (Scott Craver)
Subject: Re: OTP WAS BROKEN!!!
Date: 23 Apr 2001 18:16:13 GMT

newbie  <[EMAIL PROTECTED]> wrote:
>
>It is based on the simulated re-use of the OTP.
>If I reuse the OTP twice you can break it for sure.
>That is the trick that I used.
>It is very simple.

        Ah, well, that explains the confusion.  It is assumed that 
        nobody will re-use an OTP.  The "OT" in "OTP" stands for "One Time."
        One can also break an OTP if the key is mistakenly published in
        the New York Times, but people aren't supposed to do that either.

        It has been long established how one can break a misused OTP,
        in which a keystring has been used twice:  XOR together two
        ciphertexts suspected of using the same key, and check for 
        non-randomness.

                                                        -S


------------------------------

From: "M.S. Bob" <[EMAIL PROTECTED]>
Subject: Re: compare PRNG
Date: Mon, 23 Apr 2001 19:20:07 +0100

ink wrote:
> 
> "Tom St Denis" <[EMAIL PROTECTED]> wrote in message
> news:_9YE6.35771$[EMAIL PROTECTED]...
> >
> > "Dobs" <[EMAIL PROTECTED]> wrote in message news:9c1hkn$9c8$[EMAIL PROTECTED]...
> > > How can I decide that one PRNG is better and more secure than other . Do I
> >
> > You analyze the algorithm not the output.
> 
> C'mon... instead of just criticizing, mention DieHard. That will at least
> give *some* indication on how *good* or random the output of a PRNG

No it doesn't. Tests such as Diehard will only show if a PRNG fails or
manages to pass the test. True random numbers may fail the test, and a
poor PRNG may pass the test.

That has to do with the difficulty of trying to determine if something
cannot be easily determined (unpredictable). :-)

I would recommend that anyone creating an application use a
cryptographically strong random number generator from a cryptographic
library. Whether it is from BSAFE (commercial from RSA Security),
OpenSSL (www.openssl.org), or makes use of an existing RNG: Intel 810
Pentium III chipset, Linux /dev/random, MS CryptoAPI (included with Win
NT4/98/ME/2000), Java java.security.SecureRandom, Yarrow, cryptlib,
truerand, PGPsdk from Network Associates (www.pgp.com) or other
good/decent sources that I can't think of off the top of my head.

Must reads:
http://www.cs.berkeley.edu/~daw/rnd/ 
http://world.std.com/~cme/P1363/ranno.html (no longer at clark.net)
http://www.ietf.org/rfc/rfc1750.txt
http://www.counterpane.com/yarrow.html

------------------------------

From: "Dobs" <[EMAIL PROTECTED]>
Subject: Re: RSA-like primes p and q
Date: Mon, 23 Apr 2001 20:38:28 +0200

It was in an algorithm in Menezes' book 'Handbook of applied cryptography' :)
User Tom St Denis <[EMAIL PROTECTED]> wrote in the newsgroup message
J8YE6.35769$[EMAIL PROTECTED]
>
> "Dobs" <[EMAIL PROTECTED]> wrote in message news:9c1hkl$9c8$[EMAIL PROTECTED]...
> > In one of the algorithms it was written that I need RSA-like primes p
> > and q. What does 'RSA-like' mean?
> > Does it only mean that I need big prime numbers (at least 512
> > bits)???????????????????????
> >
>
> Where the heck did you hear "rsa-like primes"?  It's a meaningless term.
>
> RSA just requires two large primes...
>
> Tom
>
>



------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: "UNCOBER" = Universal Code Breaker
Date: Mon, 23 Apr 2001 11:26:44 -0700


"Joe H Acker" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> I don't quite understand your statement. I wasn't claiming that
> discarding sequences in general can't do any harm, I was claiming that
> discarding sequences that fail basic tests for randomness can't do any
> harm.

Except for the very strong statement that by removing what you perceive as
non-randomness you are in fact biasing the output towards the "patternless"
pattern, which is more predictable than random. You have yet to deal with
this statement, and your continuing statements show that you still do not
understand this. You need to understand the simple fact that although purely
entropic data is random, you can introduce bias by discarding portions. You
also very cleanly blocked yourself into a corner in your logic, going from
stating that the sequence "is not actually random" to relying on the
absolute randomness of the sequence to get somewhere; choosing one
eliminates the ability to use the other.

> When basic tests indicate failure for a certain longer time without
> working correctly again, it's important that the whole system does not
> switch to a less secure default mode, but indicates overall failure and
> refuses to work.

You still don't seem to understand. THE TESTS BASED ON STATISTICS _*CANNOT*_
ESTABLISH ANYTHING ABOUT THE GENERATOR. This has been proven mathematically,
proven through logical statements, and is a fact you obviously do not grasp.

>
> Discarding whole random sequences can *never* do any harm to a tRNG.
But discarding the "patterned" sequences and leaving only the "patternless"
sequence does harm, substantial, unrecoverable, permanently destructive
harm.

> You
> were talking about *filtering* them---changing them heuristically, which
> is a complete different issue and indeed not correct.

No, I was talking about selecting two patterns, allowing one of them to pass
through, and disallowing the other. The fact that I chose 1 and 0 as my
patterns only served to enhance the effect to the point where it could be
viewed without substantial thought processes.
                        Joe



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
