Cryptography-Digest Digest #239, Volume #14      Thu, 26 Apr 01 10:13:01 EDT

Contents:
  Re: First analysis of first cipher ([EMAIL PROTECTED])
  Re: First analysis of first cipher ("Tom St Denis")
  impossible differentials (help please) ("Tom St Denis")
  Re: RC4 Source Code (Mark Wooding)
  Re: OTP WAS BROKEN!!! (Lou Grinzo)
  Re: AES poll (SCOTT19U.ZIP_GUY)
  Re: AES poll ("Tom St Denis")
  Re: OTP WAS BROKEN!!! ("Tom St Denis")
  Re: OTP WAS BROKEN!!! (Volker Hetzer)
  Re: What's up with counterpane.com (SCOTT19U.ZIP_GUY)
  Re: What's up with counterpane.com ("Tom St Denis")
  Re: "differential steganography/encryption" ("Dirk Mahoney")
  Re: First analysis of first cipher ([EMAIL PROTECTED])

----------------------------------------------------------------------------

From: [EMAIL PROTECTED]
Subject: Re: First analysis of first cipher
Date: Thu, 26 Apr 2001 04:14:56 -0800

Tom St Denis wrote:
> 
> <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> > Tom St Denis wrote:
> > >
> > > <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> >
> >
> > [snip]

> When your round function is not a bijection it is possible to get nice two
> round chars (well not always).

After re-reading Mark Wooding's responses to my "First cipher" post I
finally realize why S-boxes should be bijective. If they aren't bijective
and the domain isn't larger than the range then two different inputs
can have the same output, i.e. a zero differential occurs which leads to
the two-round char with high probability. You and Mark seem to disagree
about whether or not the function itself should be bijective.  I thought
the whole idea of a Feistel network was so you have a complicated function
that didn't have to be reversible...just have to replicate the output given
the round key and the input.


  
> ...I'm only aware of one cipher
> > system
> > that is provably secure and it is practically insecure due to the key management 
>problem.
> 
> Things like bent vectors and decorrelation are means of provable security
> against known attacks.

Decorrelation is an interesting idea. Take random electrical noise for
instance. Any section of it as a function of time is completely decorrelated
with itself (except at tau=0 where it is completely correlated, of course)
and with any other section of random noise. How is decorrelation used in
cryptography? Does it measure the lack of relationship between plain and
ciphertext?

> One thing people must realize.  If it resists all known attacks it is 100%
> secure.  The second it doesn't (i.e new attack invented) it's not 100%
> secure.

I would argue that even the system that is provably secure (OTP) is
practically insecure because of the key management issues, i.e. to prove
it is practically secure you'd have to prove that your pads haven't been
copied.
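
A small worked example of the zero-differential point above, added here as
an illustration and not part of the original post. It computes the difference
distribution table (DDT) of a bijective 4-bit S-box (the PRESENT S-box) and of
a hypothetical non-bijective variant of it, then measures the two-round
iterative characteristic (0, d) -> (0, d) in a toy Feistel network built on
each. The toy Feistel (4-bit halves, F(x, k) = S[x ^ k]) and the non-bijective
table are assumptions made for the example.

```python
"""Why a non-bijective round function gives a two-round differential.

Added example, not code from the original thread. SBOX_BIJECTIVE is the
4-bit PRESENT S-box (a permutation); SBOX_NON_BIJECTIVE is a hypothetical
table derived from it so that two inputs collide. The tiny Feistel cipher
(4-bit halves, F(x, k) = S[x ^ k]) is constructed for illustration.
"""

SBOX_BIJECTIVE = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                  0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

# Constructed: copy the permutation, then make input 1 collide with input 0.
SBOX_NON_BIJECTIVE = list(SBOX_BIJECTIVE)
SBOX_NON_BIJECTIVE[1] = SBOX_NON_BIJECTIVE[0]


def is_bijective(sbox):
    return sorted(sbox) == list(range(len(sbox)))


def ddt(sbox):
    """Difference distribution table: ddt[din][dout] counts the inputs x
    with S[x] ^ S[x ^ din] == dout."""
    n = len(sbox)
    table = [[0] * n for _ in range(n)]
    for din in range(n):
        for x in range(n):
            table[din][sbox[x] ^ sbox[x ^ din]] += 1
    return table


def zero_output_differentials(sbox):
    """Nonzero input differences that can produce output difference 0,
    mapped to their probability. Empty for a bijection: two distinct inputs
    never share an output, so S[x] ^ S[x ^ din] is never 0 when din != 0."""
    n = len(sbox)
    table = ddt(sbox)
    return {din: table[din][0] / n for din in range(1, n) if table[din][0]}


def feistel_two_rounds(sbox, left, right, k1, k2):
    """Two rounds of the toy Feistel network with F(x, k) = S[x ^ k]."""
    left, right = right, left ^ sbox[right ^ k1]
    left, right = right, left ^ sbox[right ^ k2]
    return left, right


def two_round_characteristic_prob(sbox, din, k1, k2):
    """Probability over all 256 inputs that input difference (0, din) comes
    out as (0, din) after two rounds (an iterative characteristic). After
    round 1 the difference is (din, F-difference); the second half is 0 only
    when F collides on din, so the result equals ddt[din][0] / 16 and does
    not depend on the round keys."""
    n = len(sbox)
    hits = 0
    for left in range(n):
        for right in range(n):
            out_a = feistel_two_rounds(sbox, left, right, k1, k2)
            out_b = feistel_two_rounds(sbox, left, right ^ din, k1, k2)
            if out_a[0] == out_b[0] and out_a[1] ^ out_b[1] == din:
                hits += 1
    return hits / (n * n)


if __name__ == "__main__":
    for name, sbox in (("bijective", SBOX_BIJECTIVE),
                       ("non-bijective", SBOX_NON_BIJECTIVE)):
        print(name, "- is a bijection:", is_bijective(sbox))
        print("  din -> 0 with probability:", zero_output_differentials(sbox))
        print("  (0,1) -> (0,1) after two rounds:",
              two_round_characteristic_prob(sbox, 1, k1=0x3, k2=0xA))
```

With the permutation the characteristic never holds; with the collided table
it holds with probability 2/16 for every choice of round keys, which is the
"nice two round char" Tom mentions, and it chains for free through further
round pairs.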

------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: First analysis of first cipher
Date: Thu, 26 Apr 2001 13:20:08 GMT


<[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Tom St Denis wrote:
> >
> > <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> > > Tom St Denis wrote:
> > > >
> > > > <[EMAIL PROTECTED]> wrote in message
> > news:[EMAIL PROTECTED]...
> > >
> > >
> > > [snip]
>
> > When your round function is not a bijection it is possible to get nice
> > two round chars (well not always).
>
> After re-reading Mark Wooding's responses to my "First cipher" post I
> finally realize why S-boxes should be bijective. If they aren't bijective
> and the domain isn't larger than the range then two different inputs
> can have the same output, i.e. a zero differential occurs which leads to
> the two-round char with high probability. You and Mark seem to disagree
> about whether or not the function itself should be bijective.  I thought
> the whole idea of a Feistel network was so you have a complicated function
> that didn't have to be reversible...just have to replicate the output given
> the round key and the input.

Yes you can do that but it's a bad idea.  Typically you take advantage that
your round function can be complicated since it only needs to be done in one
direction (ala Twofish).  It should still be a bijection though.

> > ...I'm only aware of one cipher
> > > system
> > > that is provably secure and it is practically insecure due to the key
management problem.
> >
> > Things like bent vectors and decorrelation are means of provable
security
> > against known attacks.
>
> Decorrelation is an interesting idea. Take random electrical noise for
> instance. Any section of it as a function of time is completely decorrelated
> with itself (except at tau=0 where it is completely correlated, of course)
> and with any other section of random noise. How is decorrelation used in
> cryptography? Does it measure the lack of relationship between plain and
> ciphertext?

Decorrelation doesn't have to do with auto-correlation functions on spatially
sampled data (etc...).  In crypto it can be used to reduce a connection from
point A to point B.  Vaudenay showed for example, how decorrelation can be
used to hinder differential and linear cryptanalysis (and it's quite trivial
actually).  Galois Field multiplication (with a characteristic of two) can
be used for example to kill first order GF(2) attacks like dif and linear
analysis.

> > One thing people must realize.  If it resists all known attacks it is
100%
> > secure.  The second it doesn't (i.e new attack invented) it's not 100%
> > secure.
>
> I would argue that even the system that is provably secure (OTP) is
> practically insecure because of the key management issues, i.e. to prove
> it is practically secure you'd have to prove that your pads haven't been
> copied

My point was that a cipher is secure up to the second before an attack is
found.

Tom
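
An added example (not code from the thread) of the decorrelation point Tom
makes: a toy round x -> a*x + b in GF(2^8), compared against plain key XOR.
For a fixed nonzero input difference din, the output difference of the field
round is a*din, so over the 255 possible multipliers each nonzero output
difference occurs exactly once and no key-independent differential through
the round holds with probability above 1/255 once averaged over the key; for
XOR the difference passes through unchanged for every key. The AES polynomial
x^8 + x^4 + x^3 + x + 1 and the shape of the round are choices made for this
example.

```python
"""Key-averaged differential behaviour of a GF(2^8) multiplication.

Added example, not code from the thread. Assumptions: the AES field
polynomial (0x11B) and a toy round x -> a*x + b with key (a, b), a != 0,
both chosen for illustration.
"""

POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1


def gf_mul(a, b):
    """Multiply in GF(2^8) modulo POLY (shift-and-add)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return result


def affine_round(x, a, b):
    """Toy decorrelation round: a*x + b in GF(2^8)."""
    return gf_mul(a, x) ^ b


def xor_round(x, k):
    """Ordinary key addition, for comparison."""
    return x ^ k


def field_difference_histogram(din, x=0x53, b=0x9C):
    """For a fixed input difference din, count each output difference as the
    multiplier a runs over all 255 nonzero keys. The output difference is
    a*din, so x and b (arbitrary values here) do not affect the result."""
    hist = [0] * 256
    for a in range(1, 256):
        dout = affine_round(x, a, b) ^ affine_round(x ^ din, a, b)
        hist[dout] += 1
    return hist


def xor_difference_histogram(din, x=0x53):
    """Same count for x -> x ^ k over all 256 keys."""
    hist = [0] * 256
    for k in range(256):
        hist[xor_round(x, k) ^ xor_round(x ^ din, k)] += 1
    return hist


def max_key_averaged_prob(hist):
    """Best any fixed (din -> dout) differential can do, averaged over keys."""
    return max(hist) / sum(hist)


if __name__ == "__main__":
    din = 0x01
    print("GF(2^8) multiply:", max_key_averaged_prob(field_difference_histogram(din)))
    print("XOR key addition:", max_key_averaged_prob(xor_difference_histogram(din)))
```

The caveat a practitioner should keep in mind: for one fixed key the field
round is still linear, so the differential a*din holds with probability 1 for
that key. Decorrelation buys security against attacks that must commit to a
characteristic before the key is known, which is the differential and linear
setting Vaudenay's result addresses.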



------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: impossible differentials (help please)
Date: Thu, 26 Apr 2001 13:20:59 GMT

Could someone just explain the gist of the style of attack.

I am hung up on if we take the difference of the round function output, or
do we fully decrypt the last round and look for the impossible diff?
--
Tom St Denis
---
http://tomstdenis.home.dhs.org



------------------------------

From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: RC4 Source Code
Date: 26 Apr 2001 13:29:51 GMT

Dirk Mahoney <[EMAIL PROTECTED]> wrote:

> Thank-you for that friendly and helpful reply.  If I had a description
> handy, I probably would have coded it.  I hope all newcomers to sci.crypt
> aren't 'spoken' to like that.

That's more than a little rich, coming from someone who clearly hasn't
even made the effort to try a few simple expressions in a search
engine.

I hope that most other newcomers are better mannered than to waste our
time with questions they can answer themselves and then complain at us.

-- [mdw]

------------------------------

From: [EMAIL PROTECTED] (Lou Grinzo)
Subject: Re: OTP WAS BROKEN!!!
Date: Thu, 26 Apr 2001 13:36:42 GMT

I think this discussion could really use a completely worked
out example.  I suggest the following: Someone post a piece
of English prose encrypted with a OTP, and you crack it, and 
then show us the exact technique you used, step by step.  Once
you post your results, the person who created the encrypted 
message will post the original plaintext and the key.  

I'll volunteer to generate and post an encrypted message of a 
few hundred bytes.  Are you willing to go along with the
experiment?

(Everyone reading this--please note that I'm NOT framing this 
as a "challenge" or anything similar.  I'm simply suggesting
this as a way to cut through a lot of the discussion, which 
seems to be going in circles at this point.)


Lou


In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] 
says...
> Let's analyze the first bit.
> The sender, when writing its message, has a probability NOT EQUAL TO 1/2
> to write 1 rather than 0 or 0 rather than 1.
> It is very simple.
> 
> Let's suppose that the probability that the sender starts its letter with
> the letter "I" is quite near to 1 and the first bit of "I" is 1.
> Let's suppose that my keystream starts with "K", an unknown value.
> If I know C(1), let's suppose C(1)= 1, I can conclude that k(1)= 0 with
> the same probability as the first bit of "I". 
> So, if I compute all the bits for all the message, I will obtain a
> keystream with n bits wrong and m bits right. The percentage of "truth" (k
> estimated vs. real k) is equal to m/(n+m). If my guess and my statistics
> are correct, k estimated will be quite equal to the real k that the
> sender used.
> 
> Once, I obtain k estimated, I can compute another random bit-string
> (Plaintext).
> This random bit-string has individual probabilities for each position.
> Those probabilities are nothing than the probability that n-th bit is
> equal to 0 or 1.
> 
> My table : 
> 
> Position       1    2    3    4   and so on....
> bit 1 (%)     64   45   67   48   and so on 
> bit 0 (%)     36   55   33   42   and so on
> Plaintext 
> estimated      1    0    1    0   .....
> 
> When the probability that 1 occurs is very high (65 %), I consider
> that the value of the position is 1.
> Same thing for 0.
> 
> When they are equal or near (48-42), I use random bit-string to decide.
> 
> My plaintext will be revealed little by little.
> 
> All my idea is based on the "predictable behaviour of the sender".
> And the goal is to try to isolate randomness.
> 
> 
> 
>      
> 
> 
> John Savard wrote:
> > 
> > On Wed, 25 Apr 2001 12:57:54 -0300, newbie <[EMAIL PROTECTED]>
> > wrote, in part:

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: AES poll
Date: 26 Apr 2001 13:32:19 GMT

[EMAIL PROTECTED] (Benjamin Goldberg) wrote in 
<[EMAIL PROTECTED]>:

>
>I say, ignorant, stupid, lazy people generally make poor decisions.  I
>say, smart, knowledgeable people who are willing to listen, read and
>learn, and who aren't lazy generally make good decisions.  You are
>perfectly free to disagree with me.
>

   I assume the group is a politically correct group that is influenced
by its bosses. I am sure that if there was any threat of real
crypto being done the NSA would have stepped in to stop it. Look,
they can't even get bijective padding for simple modes, since it
reduces the ability of the spooks to check for bad keys. Tell me
again they want good crypto. They don't; it's a closed group with
no interest in secure crypto. The whole AES thing is to give the
appearance of security while hoping the masses will join in so the
NSA doesn't have to try very hard to break messages and to reduce
the use of a wide variety of messages.
   And yes I can't break it, but then again I don't have access to
the best machines nor do I have a staff of hundreds of PhD mathematicians.




David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE "OLD VERSION"
        http://www.jim.com/jamesd/Kong/scott19u.zip
My website http://members.nbci.com/ecil/index.htm
My crypto code http://radiusnet.net/crypto/archive/scott/
MY Compression Page http://members.nbci.com/ecil/compress.htm
**NOTE FOR EMAIL drop the roman "five" ***
Disclaimer:I am in no way responsible for any of the statements
 made in the above text. For all I know I might be drugged or
 something..
 No I'm not paranoid. You all think I'm paranoid, don't you!


------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: AES poll
Date: Thu, 26 Apr 2001 13:44:08 GMT


"SCOTT19U.ZIP_GUY" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> [EMAIL PROTECTED] (Benjamin Goldberg) wrote in
> <[EMAIL PROTECTED]>:
>
> >
> >I say, ignorant, stupid, lazy people generally make poor decisions.  I
> >say, smart, knowledgeable people who are willing to listen, read and
> >learn, and who aren't lazy generally make good decisions.  You are
> >perfectly free to disagree with me.
> >
>
>    I assume the group is a politically correct group that is influenced
> by its bosses. I am sure that if there was any threat of real
> crypto being done the NSA would have stepped in to stop it. Look,
> they can't even get bijective padding for simple modes, since it
> reduces the ability of the spooks to check for bad keys. Tell me
> again they want good crypto. They don't; it's a closed group with
> no interest in secure crypto. The whole AES thing is to give the
> appearance of security while hoping the masses will join in so the
> NSA doesn't have to try very hard to break messages and to reduce
> the use of a wide variety of messages.

You truly are slow.  Why do you think only the NSA would care to snoop on
its citizens?  Oh yeah, that's because the average lamer like you thinks
America is the center of the world.  Wait till you realize that the world's
population of 6 or so billion is not primarily from the US.

>    And yes I can't break it, but then again I don't have access to
> the best machines nor do I have a staff of hundreds of PhD mathematicians.

Yes we know of your academic shortcomings.  However, did you ever stop to
think the people participating in AES are PhD mathematicians?

Tom



------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: OTP WAS BROKEN!!!
Date: Thu, 26 Apr 2001 13:45:14 GMT


"Lou Grinzo" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> I think this discussion could really use a completely worked
> out example.  I suggest the following: Someone post a piece
> of English prose encrypted with a OTP, and you crack it, and
> then show us the exact technique you used, step by step.  Once
> you post your results, the person who created the encrypted
> message will post the original plaintext and the key.
>
> I'll volunteer to generate and post an encrypted message of a
> few hundred bytes.  Are you willing to go along with the
> experiment?
>
> (Everyone reading this--please note that I'm NOT framing this
> as a "challenge" or anything similar.  I'm simply suggesting
> this as a way to cut through a lot of the discussion, which
> seems to be going in circles at this point.)

There have already been a few "stop the retard newbie" fake challenges (I
posted one of them).  He won't learn, I suggest just ignoring Newbie from now
on, until he/she learns.

Tom



------------------------------

From: Volker Hetzer <[EMAIL PROTECTED]>
Subject: Re: OTP WAS BROKEN!!!
Date: Thu, 26 Apr 2001 16:06:46 +0200

Lou Grinzo wrote:
> 
> I think this discussion could really use a completely worked
> out example.  I suggest the following: Someone post a piece
> of English prose encrypted with a OTP, and you crack it, and
> then show us the exact technique you used, step by step.  Once
> you post your results, the person who created the encrypted
> message will post the original plaintext and the key.
> 
> I'll volunteer to generate and post an encrypted message of a
> few hundred bytes.  Are you willing to go along with the
> experiment?
> 
> (Everyone reading this--please note that I'm NOT framing this
> as a "challenge" or anything similar.  I'm simply suggesting
> this as a way to cut through a lot of the discussion, which
> seems to be going in circles at this point.)
This has been done already.
He's had at least two challenges where his job (or part of it)
was to differentiate between two given plaintexts. He's not
done it and instead kept whining for more "context".

Greetings!
Volker
--
They laughed at Galileo.  They laughed at Copernicus.  They laughed at
Columbus. But remember, they also laughed at Bozo the Clown.

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: What's up with counterpane.com
Date: 26 Apr 2001 13:42:40 GMT

[EMAIL PROTECTED] (Tom St Denis) wrote in 
<y1VF6.64758$[EMAIL PROTECTED]>:

>
>"Volker Hetzer" <[EMAIL PROTECTED]> wrote in message
>news:[EMAIL PROTECTED]...
>> Tom St Denis wrote:
>> >
>> > I used to look at Counterpane for some cool crypto stuff but lately
>their
>> > site has become (using Schneier's own words) more "Buzzword compliant"
>then
>> > before.
>> The labs page is the same as always, isn't it?
>> I almost never look at the other stuff.
>
>Yeah the labs is up but even that is "media whore" ish.  Bah.  Their
>research is cool, just they go about getting the word out wrong.
>
>Tom
>

   At least it seems he has stopped his spamming, which at one
time was a pain in the ass. However it's rude to refer to the site
of Mr BS as being a "media whore"; shame on you. But you have to
remember he is first a businessman and the main goal is money and the
second goal is more money. So that fact has to color what he does.
I know you think of him as a god. But I assure you he is a little mortal
man. I hope these insights into reality don't totally pop your bubble.


David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE "OLD VERSION"
        http://www.jim.com/jamesd/Kong/scott19u.zip
My website http://members.nbci.com/ecil/index.htm
My crypto code http://radiusnet.net/crypto/archive/scott/
MY Compression Page http://members.nbci.com/ecil/compress.htm
**NOTE FOR EMAIL drop the roman "five" ***
Disclaimer:I am in no way responsible for any of the statements
 made in the above text. For all I know I might be drugged or
 something..
 No I'm not paranoid. You all think I'm paranoid, don't you!


------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: What's up with counterpane.com
Date: Thu, 26 Apr 2001 13:58:17 GMT


"SCOTT19U.ZIP_GUY" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> [EMAIL PROTECTED] (Tom St Denis) wrote in
> <y1VF6.64758$[EMAIL PROTECTED]>:
>
> >
> >"Volker Hetzer" <[EMAIL PROTECTED]> wrote in message
> >news:[EMAIL PROTECTED]...
> >> Tom St Denis wrote:
> >> >
> >> > I used to look at Counterpane for some cool crypto stuff but lately
> >their
> >> > site has become (using Schneier's own words) more "Buzzword
compliant"
> >then
> >> > before.
> >> The labs page is the same as always, isn't it?
> >> I almost never look at the other stuff.
> >
> >Yeah the labs is up but even that is "media whore" ish.  Bah.  Their
> >research is cool, just they go about getting the word out wrong.
> >
> >Tom
> >
>
>    At least it seems he has stopped his spamming, which at one
> time was a pain in the ass. However it's rude to refer to the site
> of Mr BS as being a "media whore"; shame on you. But you have to
> remember he is first a businessman and the main goal is money and the
> second goal is more money. So that fact has to color what he does.
> I know you think of him as a god. But I assure you he is a little mortal
> man. I hope these insights into reality don't totally pop your bubble.

Ok you must have penis envy or something because you pick on him for no good
reason.

I never considered him a "god", just a somewhat intelligent cryptographer
(similar to the others in the crowd, i.e. Wagner, Knudsen, Biham, etc.).  I
don't doubt he is still a good cryptographer.  I just find it saddening that
he became a hypocrite.

Tom



------------------------------

Reply-To: "Dirk Mahoney" <[EMAIL PROTECTED] (remove the _)>
From: "Dirk Mahoney" <[EMAIL PROTECTED] (remove the _)>
Subject: Re: "differential steganography/encryption"
Date: Thu, 26 Apr 2001 13:59:09 GMT

James,

If you use a 20KB picture (it could be a 20KB sound file, or MPEG or
anything) and you had a text file of exactly the same length, then what you
are using is a one-time pad.  You can simply pad out the text file (the
plaintext) with rubbish if it is smaller than the picture you use.  Doesn't
matter if you use addition (or subtraction) modulo 256 or XOR (the operation
used must be invertible).  The picture file thus becomes the key, and your
'difference' file becomes the ciphertext.

However, it is probably not a good idea to use a picture (sound/MPEG etc) as
the key to a one-time pad as it is very non-random.  Let's use the common
crypto personas to play out the scenario...

Alice and Bob both share a JPEG file.  Alice wants to send Bob a message and
they decide to use the picture as the key to a one-time pad.

1) Alice creates the ciphertext by XORing her plaintext with the picture.
She sends this to Bob.
2) Bob receives the ciphertext and XORs it with the same picture.  Bob now
reads the message.

The problem lies with the fact that all JPEG files aren't strictly random.
If Eve intercepts the ciphertext and she knows that the key is a JPEG (but
doesn't know what the picture looks like) she has some information.

She knows the message is 20KB long (using your example) because the
ciphertext she intercepted is 20KB long (this is true for all one-time pads
and cannot be avoided).  She also has some (granted, not a lot) key material
in the form of the standard headers used in the JPEG file format.  These
headers do not change between JPEG images, regardless of what the picture
actually looks like.  She XORs the parts of the key material she knows with
the ciphertext and gets some of the plaintext.

The problem gets worse if Eve knows other attributes of the picture, such as
the resolution or colours used.  Worse still is if Bob decides to reply to
the message using the same picture as the key, he then violates the sacred
law of one-time pads - and that is to use the key only ONCE.  If Eve
intercepts this, she can gain even more information about the key and hence
about both plaintexts.

The exact amount of key material Eve can gain will depend largely on the
type of file used as the key.  Some file formats contain a lot of standard
header information, while others contain very little.

Of course, the 'difference file' (the ciphertext) will not resemble a JPEG
at all and then the whole idea of steganography goes out the window.  A more
subtle method of altering an image or sound is required for good
steganography.

I hope I understood your query correctly and that this helps you a little.

- Dirk



"Dopefish" <[EMAIL PROTECTED]> wrote in
message news:3adb6540$[EMAIL PROTECTED]...
> would it be possible to make a program that could take, say, a 20 KB picture
> and a <20KB text file and generate a file that gives the difference between
> the two?  so, if i wanted to send somebody a private message and he already
> has the same exact picture that i do, i can send him the difference file and
> he could generate the message from it and the picture.  thank you for your
> comments (if any)
>
>
> james
>
>
> --
> ------BEGIN SIGNATURE------
> A.K.A "Dopefish" or "fish" for short on Usenet.
>
> Microsoft?  Is that some kind of toilet paper?
>
> "Rockin' the town like a moldy crouton!"
>                  - Beck (Soul Suckin' Jerk - Reject)
>
> "Help me, I broke apart my insides. Help me,
> I've got no soul to sell. Help me, the only thing
> that works for me, help me get away from
> myself."
>                  - Nine Inch Nails (Closer)
>
>
> -----BEGIN GEEK CODE BLOCK-----
> Version: 3.12
> GO dpu s++:++ a---- C++++ U--->UL
>  P L+ E? W++ N+++ o+ K--- w+>w+++++
>  O--- M-- V? PS+++ PE Y-- PGP t 5--
>  X+ R tv b+ DI D+ G-- e- h! r z
> ------END GEEK CODE BLOCK------
> (www.geekcode.com)
>
> ------END SIGNATURE------
>
>
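
An added worked example of the two weaknesses Dirk describes (known header
bytes in the key file, and reusing the same picture for a reply); it is not
code from the thread. The key is a constructed file that begins with the JFIF
header bytes shared by every JFIF image and continues with seeded random bytes
standing in for compressed image data; the two messages are made up. Many real
JPEGs begin with an Exif APP1 segment rather than a JFIF APP0 segment, so the
exact known prefix is an assumption about the particular file, and the
"rubbish" padding Dirk mentions is done with random filler.

```python
"""What Eve gets from a 'one-time pad' whose key is a JPEG file.

Added example, not from the thread. The key is constructed (JFIF header +
seeded random body); the messages are made up. Assumes the key file is a
plain JFIF image, so its first bytes are known to Eve.
"""
import random

# SOI marker, APP0 marker, segment length 16, "JFIF\0", version major 1.
JFIF_PREFIX = bytes([0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10,
                     0x4A, 0x46, 0x49, 0x46, 0x00, 0x01])


def make_fake_jpeg_key(length, seed=7):
    """Constructed key file: the stable header, then random-looking bytes."""
    rng = random.Random(seed)
    body = bytes(rng.getrandbits(8) for _ in range(length - len(JFIF_PREFIX)))
    return JFIF_PREFIX + body


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def pad_to(plaintext, length, seed):
    """Dirk's 'pad the text out with rubbish' step, with random filler."""
    rng = random.Random(seed)
    filler = bytes(rng.getrandbits(8) for _ in range(length - len(plaintext)))
    return plaintext + filler


def encrypt(plaintext, key, pad_seed=11):
    """The 'difference file': padded plaintext XOR the picture."""
    if len(plaintext) > len(key):
        raise ValueError("plaintext longer than key")
    return xor_bytes(pad_to(plaintext, len(key), pad_seed), key)


def known_header_attack(ciphertext, known_prefix=JFIF_PREFIX):
    """Eve knows the first bytes of the key file, so she reads the first
    bytes of the plaintext directly."""
    return xor_bytes(ciphertext[:len(known_prefix)], known_prefix)


def two_time_pad(c1, c2):
    """Bob replied with the same picture: the key cancels, leaving p1 ^ p2."""
    return xor_bytes(c1, c2)


def crib_drag(p1_xor_p2, crib):
    """Slide a phrase Eve expects in one message along p1 ^ p2; offsets where
    the other message comes out as printable ASCII are candidates."""
    hits = []
    for off in range(len(p1_xor_p2) - len(crib) + 1):
        other = xor_bytes(p1_xor_p2[off:off + len(crib)], crib)
        if all(32 <= b < 127 for b in other):
            hits.append((off, other))
    return hits


if __name__ == "__main__":
    key = make_fake_jpeg_key(64)
    c1 = encrypt(b"Attack at dawn. Meet me at the old mill.", key, pad_seed=11)
    c2 = encrypt(b"Retreat at dusk. Wait for me by the river.", key, pad_seed=13)
    print("from the header :", known_header_attack(c1))
    print("from key reuse  :", crib_drag(two_time_pad(c1, c2), b"Meet me"))
```

The header gives Eve the opening of every message sent under that picture;
the reuse gives her p1 ^ p2, and a single guessed phrase in one message then
reads out the matching stretch of the other, which is the "even more
information about the key and hence about both plaintexts" Dirk refers to.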



------------------------------

From: [EMAIL PROTECTED]
Subject: Re: First analysis of first cipher
Date: Thu, 26 Apr 2001 05:03:56 -0800

Tom St Denis wrote:
> 

[snip]


 
> Decorrelation doesn't have to do with auto-correlation functions on spatially
> sampled data (etc...).  In crypto it can be used to reduce a connection from
> point A to point B.  Vaudenay showed for example, how decorrelation can be
> used to hinder differential and linear cryptanalysis (and it's quite trivial
> actually).  Galois Field multiplication (with a characteristic of two) can
> be used for example to kill first order GF(2) attacks like dif and linear
> analysis.
> 

I found the Vaudenay paper. Thanks.

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
