Cryptography-Digest Digest #444, Volume #14 Fri, 25 May 01 22:13:00 EDT
Contents:
Re: Good crypto or just good enough? ("Joseph Ashwood")
Re: Getting back to the self-study Analysis ("BenZen")
Re: Good crypto or just good enough? (John Savard)
Re: Good crypto or just good enough? (Tom St Denis)
Re: Crypto NEWBIE, wants to create the 100% SAFE FRACTAL encoding... Am I a fool ?
(John Savard)
Re: Getting back to the self-study Analysis (Tom St Denis)
Re: A generic feistel cipher with hash and gf(257) mixers (David Wagner)
Re: Good crypto or just good enough? (SCOTT19U.ZIP_GUY)
Re: Good crypto or just good enough? (SCOTT19U.ZIP_GUY)
Re: Getting back to the self-study Analysis ("bubba")
Re: Evidence Eliminator Detractors Working Hard But No Result? (Eric Lee Green)
Re: Good crypto or just good enough? ("John A. Malley")
Re: RSA's new Factoring Challenges: $200,000 prize. ("Michael Brown")
Re: Getting back to the self-study Analysis (Tom St Denis)
Re: A generic feistel cipher with hash and gf(257) mixers (Jim Steuert)
----------------------------------------------------------------------------
From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Good crypto or just good enough?
Date: Fri, 25 May 2001 16:29:11 -0700
> >> Scott said
> >> Fully bijective
> >> Treats whole file as a single block. and etc...
> > Tom said
> >These are features but don't contribute to the security.
> Scott again
> Really what makes you so sure?
Arguments can be made in several ways for both statements. Since they are
separate I will address them separately.
Fully bijective. Let me first explain that what Scott means by fully
bijective is not the same as the Computer Science term in general, what he
means is fully bijective in the set of all possible files (possibly above a
specific length, that is open to debate), and additionally that a given file
decrypted, and later encrypted is identical to the original file. This can
increase security in that every possible file has a set of inputs that
direct to it, something that does not occur with many padding/encryption
modes. There is a downside though, because bijectivity (in the sense Scott
refers to) requires a 1-1 equation, to say this differently f(f'(x))=x and
f'(f(y))=y. This eliminates a potential source of security from expanding
AONTs which add their own randomness to the value before encryption (see
OAEP). So although it does offer some help, it does not necessarily indicate
the most optimal statement of a security problem.
Treats whole file as a single block. I think this one is fairly
self-explanatory, this one I actually agree with in some cases. The case
that it adds to the security is fairly clear, until the key is guessed
correctly no information is revealed (with high probability). The detracting
information though is that not everything can be treated in this fashion.
Any infinite stream cannot be treated this way, and there may be cases where
you want partial recovery even where it is file based.
Joe
------------------------------
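As an added illustration of the bijectivity point in Joseph Ashwood's post (example code written for this digest page, not code from any poster or from scott19u): a toy 16-byte Feistel permutation keyed through SHA-256, used only so the demonstration runs offline, encrypts one padded block. An attacker trying candidate keys can throw out roughly 255 of every 256 of them on the PKCS#7 padding check alone, before knowing anything about the plaintext. When the plaintext is exactly one block and no padding is added, every key decrypts to some legal plaintext and the check rejects nothing, which is the "every possible file has a set of inputs that direct to it" property. The cipher, key, plaintext and candidate-key list are all constructed for this example.

```python
import hashlib

BLOCK = 16          # toy block size in bytes
HALF = BLOCK // 2
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function for the toy Feistel network: SHA-256 over (key, round, half).
    # Stand-in for demonstration only, not a vetted cipher.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Keyed permutation of one 16-byte block (balanced Feistel, ROUNDS rounds)."""
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right


def decrypt_block(key: bytes, block: bytes) -> bytes:
    """Inverse of encrypt_block: undo the rounds in reverse order."""
    assert len(block) == BLOCK
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    """Strict PKCS#7 check: raises ValueError unless the padding is well formed."""
    if not data or len(data) % BLOCK:
        raise ValueError("bad length")
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def wrong_key_survivors(ciphertext: bytes, real_key: bytes,
                        candidates: list, padded: bool) -> int:
    """Count candidate keys a key-search attacker cannot reject.

    With padding, a wrong key is discarded as soon as the padding check fails
    (about 255 of every 256 keys).  Without padding every 16-byte output is a
    legal plaintext, so decryption alone gives the attacker nothing to reject on.
    """
    survivors = 0
    for key in candidates:
        if key == real_key:
            continue
        plaintext = decrypt_block(key, ciphertext)
        if not padded:
            survivors += 1
            continue
        try:
            pkcs7_unpad(plaintext)
            survivors += 1
        except ValueError:
            pass
    return survivors


def demo() -> dict:
    real_key = hashlib.sha256(b"example key for this digest").digest()[:BLOCK]
    # Constructed candidate list: 2000 deterministic wrong keys.
    candidates = [i.to_bytes(BLOCK, "big") for i in range(1, 2001)]

    padded_ct = encrypt_block(real_key, pkcs7_pad(b"attack at dawn!"))   # 15 bytes + 1 pad byte
    raw_ct = encrypt_block(real_key, b"attack at dawn!!")                # exactly one block

    return {
        "trials": len(candidates),
        "padded_survivors": wrong_key_survivors(padded_ct, real_key, candidates, True),
        "bijective_survivors": wrong_key_survivors(raw_ct, real_key, candidates, False),
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows a handful of padded survivors out of 2000 (about one in 256, the chance that a random last byte happens to describe valid padding) against all 2000 surviving in the unpadded case. The padding check is a free distinguisher for the attacker; that is the cost Scott's bijective treatment avoids, at the price Joseph notes of excluding randomised expanding transforms such as OAEP.
------------------------------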
From: "BenZen" <[EMAIL PROTECTED]>
Subject: Re: Getting back to the self-study Analysis
Date: Fri, 25 May 2001 20:40:46 -0400
Tom St Denis wrote in message <[EMAIL PROTECTED]>...
>Anyways, not like my original thread didn't go down hill...
>
>Any hints or tips? I am gonna work it out on paper a bit more later
>on... I can't figure out how to exploit the linear relationship
>
>A xor K = B
>A' xor K = B'
>
Hi Tom,
I found a LOT of very pertinent documents on all aspects of Mathematics here:
http://forum.swarthmore.edu/dr.math/ Try boolean for a database search.
For this you need Boolean Algebra check this link:
http://www.pte.it/didain1/frame7.htm
Just expand the XOR into its Boolean components: NOT, AND, and OR.
What is your purpose with this?
Hope this helps,
Don't worry so much, Tom. Keep your energy on your study, work and health;
Never forget to have some fun, okay pal!
The rest will become clear once you are there.
'Happiness is a path, not a destination.'
Regards,
Ben
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Good crypto or just good enough?
Date: Sat, 26 May 2001 00:45:35 GMT
On Fri, 25 May 2001 20:24:27 GMT, Tom St Denis <[EMAIL PROTECTED]>
wrote, in part:
>For
>example, 3DES and Serpent are about as fast and take about the same code
>etc. But Serpent has a higher security margin and allows for larger
>keys.
On the other hand, DES has been around longer, and has been more
thoroughly analyzed. So I wouldn't think of that as an obvious
example.
John Savard
http://home.ecn.ab.ca/~jsavard/frhome.htm
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Good crypto or just good enough?
Date: Sat, 26 May 2001 00:49:19 GMT
John Savard wrote:
>
> On Fri, 25 May 2001 20:24:27 GMT, Tom St Denis <[EMAIL PROTECTED]>
> wrote, in part:
>
> >For
> >example, 3DES and Serpent are about as fast and take about the same code
> >etc. But Serpent has a higher security margin and allows for larger
> >keys.
>
> On the other hand, DES has been around longer, and has been more
> thoroughly analyzed. So I wouldn't think of that as an obvious
> example.
Technically 3DES is not DES though. It's incorrect to assume it
inherits all the *trust* of DES (although it does inherit a lot of the
analysis). Therefore saying "I will use 3DES because DES has been
around a lot" is not entirely a sane thing to do.
On the other hand I would trust 3DES on its own since it has been out
for quite some time; my trust doesn't really stem from my trust of DES
though.
Tom
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Crypto NEWBIE, wants to create the 100% SAFE FRACTAL encoding... Am I a
fool ?
Date: Sat, 26 May 2001 00:49:37 GMT
On Fri, 25 May 2001 20:05:40 -0400, "BenZen" <[EMAIL PROTECTED]>
wrote, in part:
>One thing I don't understand yet, is the necessity for 'randomness'.
>I would be satisfied with a non-periodic sequence of sufficient length.
>As long as it meets certain criteria; I can't express properly here.
Well, if you use a biased sequence to combine with your plaintext,
then partial information about your plaintext is not obscured by the
fractal output: you have at least an extra likelihood that each byte
is the byte that, XORed with the most common output of your generator,
is the cipher byte that is seen.
John Savard
http://home.ecn.ab.ca/~jsavard/frhome.htm
------------------------------
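John Savard's point above, as an added example written for this page (not code from any poster): a keystream whose bytes are biased toward one value leaks the plaintext byte by byte. The generator below is a constructed stand-in for the "fractal" output: with probability p it emits a fixed byte, otherwise a uniform one. An attacker who knows the generator's most common output XORs it with each ciphertext byte; the fraction of bytes recovered is about p + (1 - p)/256 instead of the 1/256 an unbiased keystream allows. The seed, the bias p, the favourite byte and the plaintext are all assumed for the demonstration, and the bias is taken as known to the attacker because it is a property of the generator, not of the key.

```python
import random


def biased_keystream(n: int, p: float, favourite: int, seed: int) -> bytes:
    """Constructed stand-in for a biased generator: each byte is `favourite`
    with probability p, otherwise uniform over 0..255.  p = 0 gives an
    unbiased stream (the one-time-pad ideal)."""
    rng = random.Random(seed)
    out = bytearray()
    for _ in range(n):
        if rng.random() < p:
            out.append(favourite)
        else:
            out.append(rng.randrange(256))
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def guess_plaintext(ciphertext: bytes, most_common_keystream_byte: int) -> bytes:
    """Attacker's best single guess per byte: assume the keystream byte was the
    generator's most common output."""
    return bytes(c ^ most_common_keystream_byte for c in ciphertext)


def expected_fraction(p: float) -> float:
    """Analytic hit rate of the guess: the favourite byte was used with
    probability p, and a uniform byte still collides with it 1/256 of the time."""
    return p + (1.0 - p) / 256.0


def recovered_fraction(plaintext: bytes, p: float,
                       favourite: int = 0x5A, seed: int = 1) -> float:
    """Encrypt with a biased stream, apply the guess, and measure how many
    plaintext bytes the attacker got right."""
    keystream = biased_keystream(len(plaintext), p, favourite, seed)
    ciphertext = xor_bytes(plaintext, keystream)
    guess = guess_plaintext(ciphertext, favourite)
    hits = sum(1 for g, m in zip(guess, plaintext) if g == m)
    return hits / len(plaintext)


def demo() -> dict:
    # Constructed plaintext: 4000 bytes of repeated English text.
    plaintext = (b"the quick brown fox jumps over the lazy dog. " * 100)[:4000]
    return {
        "biased_p_0.4": recovered_fraction(plaintext, 0.4),
        "expected_p_0.4": expected_fraction(0.4),
        "unbiased": recovered_fraction(plaintext, 0.0),
        "expected_unbiased": expected_fraction(0.0),
    }


if __name__ == "__main__":
    print(demo())
```

With p = 0.4 the attacker reads about 40% of the plaintext bytes correctly from ciphertext alone; with p = 0 the guess succeeds on about 0.4% of bytes, which is no better than guessing without the ciphertext. Non-periodicity does not help here: the leak comes from the distribution of the keystream bytes, not from whether the sequence repeats.
------------------------------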
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Getting back to the self-study Analysis
Date: Sat, 26 May 2001 00:51:17 GMT
BenZen wrote:
>
> Tom St Denis wrote in message <[EMAIL PROTECTED]>...
> >Anyways, not like my original thread didn't go down hill...
> >
> >Any hints or tips? I am gonna work it out on paper a bit more later
> >on... I can't figure out how to exploit the linear relationship
> >
> >A xor K = B
> >A' xor K = B'
> >
> Hi Tom,
> I found a LOT of very pertinent documents on all aspects of Mathematics here:
> http://forum.swarthmore.edu/dr.math/ Try boolean for a database search.
>
> For this you need Boolean Algebra check this link:
> http://www.pte.it/didain1/frame7.htm
>
> Just expand the XOR into its Boolean components: NOT, AND, and OR.
> What is your purpose with this?
I want to solve for K given the pair. I don't really want to decompose
XOR unless I need to (which I can't see why offhand).
I will look at those links in a min or two...
> Hope this helps,
> Don't worry so much, Tom. Keep your energy on your study, work and health;
> Never forget to have some fun, okay pal!
> The rest will become clear once you are there.
Thanks, I hope so.... eegad... speaking of study I have three
assignments due Monday! arrg..
> 'Happiness is a path, not a destination.'
Truer words have never been spoken.
Tom
------------------------------
From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: A generic feistel cipher with hash and gf(257) mixers
Date: 26 May 2001 01:03:36 GMT
If I understood correctly, your cipher can be expressed as
E_k(x) = G(F(x) xor k)
for some unkeyed, invertible functions F,G. If this is correct, the
cipher is trivially insecure: Given a single known plaintext/ciphertext
pair (x,y), one computes k = F(x) xor G^{-1}(y), and the cipher is broken.
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Good crypto or just good enough?
Date: 26 May 2001 00:57:42 GMT
[EMAIL PROTECTED] (Joseph Ashwood) wrote in <eXn0RLX5AHA.195@cpmsnbbsa07>:
>> >> Scott said
>> >> Fully bijective
>> >> Treats whole file as a single block. and etc...
>
>> > Tom said
>> >These are features but don't contribute to the security.
>
>> Scott again
>> Really what makes you so sure?
>
>Arguments can be made in several ways for both statements. Since they
>are separate I will address them separately.
>
>Fully bijective. Let me first explain that what Scott means by fully
>bijective is not the same as the Computer Science term in general, what
>he means is fully bijective in the set of all possible files (possibly
>above a specific length, that is open to debate), and additionally that
>a given file decrypted, and later encrypted is identical to the original
>file. This can increase security in that every possible file has a set
>of inputs that direct to it, something that does not occur with many
>padding/encryption modes. There is a downside though, because
>bijectivity (in the sense Scott refers to) requires a 1-1 equation, to
>say this differently f(f'(x))=x and f'(f(y))=y. This eliminates a
>potential source of security from expanding AONTs which add their own
>randomness to the value before encryption (see OAEP). So although it
>does offer some help, it does not necessarily indicate the most optimal
>statement of a security problem.
Actually I like to look at security before one adds randomness. And
even scott19u has a mode where one can add random data if one wishes.
But then the bijection is between the file with a random part added
before the actual encryption.
>
>
>Treats whole file as a single block. I think this one is fairly
>self-explanatory, this one I actually agree with in some cases. The case
>that it adds to the security is fairly clear, until the key is guessed
>correctly no information is revealed (with high probability). The
>detracting information though is that not everything can be treated in
>this fashion. Any infinite stream cannot be treated this way, and there
>may be cases where you want partial recovery even where it is file
>based.
>
Well as I tell KING it's for files not streams. I don't think one
method can handle all cases. And you're correct, you don't get partial
recovery with my encryption. Which is why my last contest would be
easy to break with conventional RIJNDAEL.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE "OLD VERSION"
http://www.jim.com/jamesd/Kong/scott19u.zip
My website http://members.nbci.com/ecil/index.htm
My crypto code http://radiusnet.net/crypto/archive/scott/
MY Compression Page http://members.nbci.com/ecil/compress.htm
**NOTE FOR EMAIL drop the roman "five" ***
Disclaimer:I am in no way responsible for any of the statements
made in the above text. For all I know I might be drugged or
something..
No I'm not paranoid. You all think I'm paranoid, don't you!
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Good crypto or just good enough?
Date: 26 May 2001 01:07:16 GMT
[EMAIL PROTECTED] (John Savard) wrote in
<[EMAIL PROTECTED]>:
>On Fri, 25 May 2001 20:24:27 GMT, Tom St Denis <[EMAIL PROTECTED]>
>wrote, in part:
>
>>For
>>example, 3DES and Serpent are about as fast and take about the same code
>>etc. But Serpent has a higher security margin and allows for larger
>>keys.
>
>On the other hand, DES has been around longer, and has been more
>thoroughly analyzed. So I wouldn't think of that as an obvious
>example.
>
The fact that DES has been around longer could mean that the NSA
has found very easy breaks for it. But then again one can't really
say for certain that Serpent's more secure than DES. Only that it appears
more secure. However reading what the authors of Serpent wrote makes
me think they did a good job (but I could be fooled like anyone else).
But I find it interesting that they are not convinced RIJNDAEL was
designed with a very large safety margin. And that in a few short
years the open literature will show much better attacks than
what currently seems possible. I don't think such attacks, if
very strong, would ever be made public. The NSA wants people to use
it for several years. If I was working on a break and found one
I would fear for my life.
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE "OLD VERSION"
http://www.jim.com/jamesd/Kong/scott19u.zip
My website http://members.nbci.com/ecil/index.htm
My crypto code http://radiusnet.net/crypto/archive/scott/
MY Compression Page http://members.nbci.com/ecil/compress.htm
**NOTE FOR EMAIL drop the roman "five" ***
Disclaimer:I am in no way responsible for any of the statements
made in the above text. For all I know I might be drugged or
something..
No I'm not paranoid. You all think I'm paranoid, don't you!
------------------------------
From: "bubba" <[EMAIL PROTECTED]>
Subject: Re: Getting back to the self-study Analysis
Date: Fri, 25 May 2001 20:28:11 -0500
Tom,
To me, what the two equations say is that if you have
an exclusive-or gate, a 2 input one in this example,
flipping a single input will flip the output.
If you think of the exclusive-or operation as
calculating the parity of the inputs, it makes sense
because parity detects single bit errors.
"Tom St Denis" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Anyways, not like my original thread didn't go down hill...
>
> Any hints or tips? I am gonna work it out on paper a bit more later
> on... I can't figure out how to exploit the linear relationship
>
> A xor K = B
> A' xor K = B'
>
> (Dave you are not invited into this thread).
>
> Tom
------------------------------
From: [EMAIL PROTECTED] (Eric Lee Green)
Crossposted-To: alt.privacy,alt.security.pgp
Subject: Re: Evidence Eliminator Detractors Working Hard But No Result?
Reply-To: [EMAIL PROTECTED]
Date: Sat, 26 May 2001 01:33:12 GMT
=====BEGIN PGP SIGNED MESSAGE=====
Hash: SHA1
On Fri, 25 May 2001 20:50:23 +0200, Mok-Kong Shen <[EMAIL PROTECTED]>
wrote:
>Eric Lee Green wrote:
>>
>Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>> >Sorry for not having followed past postings. Is this
>> >something analogous to SafeWeb? (See
>>
>> Sorry, have no info about SafeWeb. Do have info about EE (see
>> http://badtux.org/eric/editorial/scumbags.html ). Basically, what we
>> have here is some virulent spammer spawn. I personally do not buy
>> anything from spammers, because if they're ethically challenged enough
>> to spam, they're probably ethically challenged enough to sell you
>> worthless overpriced junk too.
>
>What I don't understand, when glancing at the web page
>www.evidence-eliminator.com, is the sentence:
>
> your PC is keeping frightening records of both your
> online and off-line activity.
>
>I know too little about current OSs. Could you tell where
>these records are kept under Window98? I guess that the
Okay, here's the deal. You know and I know that you can 'undelete'
files under MS-DOS and Windows, files that were previously deleted.
So if you've been browsing some porn and want to get rid of it so that
your kiddies can't see what you've been browsing when it's their turn
to use the computer, simply clearing the web browser cache is not
enough (sad but true, many 10 year olds are adept enough to operate
things like the Norton Utilities that totally mystify their parents!).
The notion, then, is to run a "clean my disk" utility which cleans up
all those files, cleans up the list of URLs visited that the browser
maintains (so that the kiddy doesn't just hit the down arrow on the
URL bar and see that you were browsing www.xxxgirlzzz.com!), and clean
up any cookies related to such also. It should also overwrite them
first with some random data so that if they get undeleted, the kiddy
doesn't get anything sexy to see. It should also zap any registry entries
associated with any files it just deleted, just on general principle.
This isn't a very difficult program to write. Anybody halfway
competent with Visual BASIC can write it in a few weeks time at most,
and in fact several people have done so. It's even a useful program
under certain circumstances (such as the scenario above). On the other
hand, all the scare tactics stuff ("frightening records of your
activities!" etc.), are just an attempt to part the gullible from
their money. Anybody halfway concerned about privacy already knows
about those issues, and is taking far more stringent steps to deal
with them (such as using a multi-boot system and Safeboot to maintain
a separate system on the same hard drive for his "unsafe" activities,
or doing like the NSA is doing -- running virtual PC's on encrypted
hard drives using Linux and VMWare).
=====BEGIN PGP SIGNATURE=====
Version: GnuPG v1.0.5 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE7Dwa23DrrK1kMA04RAmblAJ9ylf8XBXixZYzxm7J9tJ/ytjoDXQCeO/Wt
x0+vtPkxy4eKn5ITCAKOUTY=
=IlKm
=====END PGP SIGNATURE=====
------------------------------
From: "John A. Malley" <[EMAIL PROTECTED]>
Subject: Re: Good crypto or just good enough?
Date: Fri, 25 May 2001 18:50:15 -0700
Bryan Olson wrote:
[...]
>
> Today, crypto has two serious problems:
> 1. We don't really understand complexity.
> 2. The world runs on cleartext.
I think I understand the first stated problem. I do not understand the
second problem as stated.
I'm thinking it means:
"Encrypting a message and sending it through a channel keeps it secret
from third parties. Keeping a message secret at either end of the
channel is another problem. Alice or Bob could reveal to a third party
the secret passed between them. What are mechanisms that require Alice
and Bob cooperate to reveal a mutual secret to a third party?"
Did I miss the mark?
John A. Malley
[EMAIL PROTECTED]
------------------------------
From: "Michael Brown" <[EMAIL PROTECTED]>
Crossposted-To: sci.math
Subject: Re: RSA's new Factoring Challenges: $200,000 prize.
Date: Sat, 26 May 2001 13:58:07 +1200
"The Scarlet Manuka" <[EMAIL PROTECTED]> wrote in message
news:9el16v$ke5$[EMAIL PROTECTED]...
> "Michael Brown" <[EMAIL PROTECTED]> wrote in message
> news:vVlP6.3471$[EMAIL PROTECTED]...
> > Sorry if this is a duplicate. The first one seems to have got itself
> killed as
> > the modem disconnected it around the time I sent it (it's on another
> computer,
> > so I'm not exactly sure).
> > Anyhow, here it is (with a few modifications):
> >
> >
> > First, go read my page at http://odin.prohosting.com/~dakkor/rsa
>
> Something I don't understand about this system: You introduce arbitrary
> choices as to which number gets the 1 bit when you know the numbers
> differ at a certain bit position. Now this is fine the first time, if
> all the preceding bits have been identical; but what do you do if you
> need to make several such choices to complete the tree? Once you have
> made the first choice the others will be fixed, but you have no way of
> knowing which is which.
As far as I can tell, you only need to make the 1st choice, and the rest will
end up working. As I said on the site, I cannot prove that this will always be
the case, although it has been so for all the numbers which I have tested (all 8
bit composites and a few 12 bit ones). I'm working on a new hunch at the moment,
based on the far left column, that may help a lot in showing that this will
always work.
If I manage to implement the algorithm on my computer, I'll be able to start
testing some bigger numbers to see if it still works on them as well. Still not
a proof, but a bit more substantial than 12 bit numbers.
Regards
Michael
>
> --
> The Scarlet Manuka
>
>
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Getting back to the self-study Analysis
Date: Sat, 26 May 2001 01:51:53 GMT
bubba wrote:
>
> Tom,
>
> To me, what the two equations say is that if you have
> an exclusive-or gate, a 2 input one in this example,
> flipping a single input will flip the output.
>
> If you think of the exclusive-or operation as
> calculating the parity of the inputs, it makes since
> because parity detects single bit errors.
The problem is that you don't know A,A' or K. It's three unknowns.
Would three texts suffice to solve this? To me it would be
0A' + A + K = Y
A' + 0A + K = Y'
We will know if A' == A or not since B is known and K is fixed if A' ==
A then Y == Y'.
My problem is how do you exploit this to learn K from only Y/Y' and B/B'
Tom
------------------------------
From: Jim Steuert <[EMAIL PROTECTED]>
Subject: Re: A generic feistel cipher with hash and gf(257) mixers
Date: Fri, 25 May 2001 22:03:31 -0400
Sorry, of course I stand corrected. The key should be
mixed into such a cipher in a much different
manner. Thanks for the response.
David Wagner wrote:
> If I understood correctly, your cipher can be expressed as
> E_k(x) = G(F(x) xor k)
> for some unkeyed, invertible functions F,G. If this is correct, the
> cipher is trivially insecure: Given a single known plaintext/ciphertext
> pair (x,y), one computes k = F(x) xor G^{-1}(y), and the cipher is broken.
------------------------------
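The two threads above turn on one fact: XOR is linear, so an unkeyed invertible layer on either side of a key XOR can be peeled off and the key read out of a single known plaintext. Added example, written for this page rather than taken from any poster: F and G below are constructed affine byte substitutions combined with a rotation and a reversal, standing in for the unkeyed hash and GF(257) mixers of the "generic feistel cipher" thread (the real mixers are not on this page). E_k(x) = G(F(x) xor k) is built exactly as David Wagner describes it, and recover_key computes k = F(x) xor G^{-1}(y) from one pair. The same cancellation answers Tom St Denis's question in the self-study thread: with A xor K = B and A' xor K = B', XORing the two equations gives B xor B' = A xor A', so two ciphertexts leak the plaintext difference without the key, and one known A gives K = A xor B directly. The key and messages are constructed.

```python
BLOCK = 16


def _affine_sbox(a: int, b: int):
    """Byte substitution s(i) = a*i + b mod 256 and its inverse.  a must be odd
    so the map is a bijection.  Constructed for this example, not from the thread."""
    fwd = bytes((a * i + b) % 256 for i in range(256))
    inv_a = pow(a, -1, 256)
    inv = bytes((inv_a * (s - b)) % 256 for s in range(256))
    return fwd, inv


SBOX_F, SBOX_F_INV = _affine_sbox(167, 43)
SBOX_G, SBOX_G_INV = _affine_sbox(93, 211)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Unkeyed, invertible "mixers" F and G (placeholders for the thread's mixers).
def F(x: bytes) -> bytes:
    y = x.translate(SBOX_F)
    return y[3:] + y[:3]                 # rotate left by three bytes


def F_inv(y: bytes) -> bytes:
    x = y[-3:] + y[:-3]                  # rotate right by three bytes
    return x.translate(SBOX_F_INV)


def G(x: bytes) -> bytes:
    return x[::-1].translate(SBOX_G)


def G_inv(y: bytes) -> bytes:
    return y.translate(SBOX_G_INV)[::-1]


def encrypt(k: bytes, x: bytes) -> bytes:
    """E_k(x) = G(F(x) xor k): the only keyed step is a single XOR."""
    return G(xor_bytes(F(x), k))


def decrypt(k: bytes, y: bytes) -> bytes:
    return F_inv(xor_bytes(G_inv(y), k))


def recover_key(x: bytes, y: bytes) -> bytes:
    """Wagner's attack: one known (x, y) pair gives k = F(x) xor G^{-1}(y)."""
    return xor_bytes(F(x), G_inv(y))


def plaintext_difference(y1: bytes, y2: bytes) -> bytes:
    """Key-free leak from two ciphertexts: G^{-1}(y1) xor G^{-1}(y2) = F(x1) xor F(x2).
    With no mixers at all (A xor K = B, A' xor K = B') this is B xor B' = A xor A'."""
    return xor_bytes(G_inv(y1), G_inv(y2))


def stream_key_from_known(a: bytes, b: bytes) -> bytes:
    """Tom's bare case: from one known A with B = A xor K, K = A xor B."""
    return xor_bytes(a, b)


def demo() -> dict:
    k = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")   # constructed secret key
    x1 = b"known plaintext!"
    x2 = b"second message!!"
    y1, y2 = encrypt(k, x1), encrypt(k, x2)
    k_guess = recover_key(x1, y1)
    return {
        "key_recovered": k_guess == k,
        "decrypts_other_message": decrypt(k_guess, y2) == x2,
        "difference_matches": plaintext_difference(y1, y2) == xor_bytes(F(x1), F(x2)),
    }


if __name__ == "__main__":
    print(demo())
```

Nothing about F or G matters to the attack except that they are public and invertible: however strong the mixers, the attacker applies G^{-1} to the ciphertext and F to the known plaintext and the key falls out. That is why the key has to enter a cipher inside the round structure, repeatedly and through non-linear steps, rather than as one XOR between two unkeyed layers.
------------------------------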
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************