Cryptography-Digest Digest #588, Volume #14      Mon, 11 Jun 01 16:13:01 EDT

Contents:
  Re: differential cryptanalysis with a new twist? ("Tom St Denis")
  Re: Q: Searching for a free OCSP implementation (Pawel Krawczyk)
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, and ("Douglas A. Gwyn")
  Re: Alice and Bob Speak MooJoo ("Douglas A. Gwyn")
  Re: National Security Nightmare? ("Douglas A. Gwyn")
  Re: Crypto Links (John Savard)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY LONG (Tim Tyler)
  Re: One last bijection question (Tim Tyler)
  Re: National Security Nightmare? (Jim D)
  Re: National Security Nightmare? (wtshaw)
  idea for nonlinear 8x32s ("Tom St Denis")
  Re: idea for nonlinear 8x32s ("Tom St Denis")
  Re: Crypto Links ("Robert Reynard")
  Re: Shannon's definition of perfect secrecy (wtshaw)
  Re: Free Triple DES Source code is needed. (Sam Yorko)
  IV ("Cristiano")
  Re: One last bijection question ([EMAIL PROTECTED])
  Re: IV ("Tom St Denis")
  Re: Free Triple DES Source code is needed. ("Tom St Denis")
  Re: IV ("Cristiano")
  Re: IV ("Tom St Denis")

----------------------------------------------------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: differential cryptanalysis with a new twist?
Date: Mon, 11 Jun 2001 17:13:19 GMT


"Mika R S Kojo" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
> "Tom St Denis" <[EMAIL PROTECTED]> writes:
> >
> > Interesting note.  I think this isn't new but I've never seen it done
> > before.
> >
> > Instead of using pairs constructed by (A,B) where B = F(x) - F(x - A) with
> > some prob > 0 why not use triplets (to higher order).
>
> Hmm, perhaps they are "higher order" differentials. :)

I dunno, I'm new to "higher order" attacks.  I get std diff attacks (is that
order-1 ?) though which is what I hope to base this on.

> > For example, in TC5 I said the best pair has a DPmax of 8/256.  This is
> > true, however the best triplet has a prob of 9/256 which exceeds this bound.
> > (You can get TC5 off my website under the misc.src section).
> >
> > In TC5 the difference 125 = F(x) - F(x - 59) - F(x - 94) occurs with a prob
> > of 9/256. (- is XOR)
> >
> > My question.  Does this work like regular diff analysis?  I.e. find a triplet
> > that has the right input and output difference and use linear analysis to
> > figure out what the key could have been?
>
> The standard higher-order differential cryptanalysis is slightly
> different. It is ultimately about similar sums as your triples, but
> based on a bit more elaborate theory. Namely, finding the non-linear
> degree of a boolean function (e.g. a block cipher under a fixed
> key).

Would you mind explaining higher-order differentials, namely how the attack
works?  I have read Knudsen's paper but it's not clear.  (Usually it takes a
few reads...)

> However, if you find such triplets as you above wish for you can do
> key search in the natural way. The triples would then just be a
> distinguisher just like usual differentials or linear relations. I
> don't see why you need to use linear (crypt)analysis at all, but you
> can do that also (often called differential-linear cryptanalysis then,
> but perhaps here triple-differential-linear?).

Hmmm...

Thanks for the reply,
Tom



------------------------------

From: Pawel Krawczyk <[EMAIL PROTECTED]>
Crossposted-To: comp.security.misc
Subject: Re: Q: Searching for a free OCSP implementation
Date: Mon, 11 Jun 2001 17:37:38 +0000 (UTC)

In comp.security.misc Tomas Perlines Hormann <[EMAIL PROTECTED]> 
wrote:

> Does anybody know of a free implementation? I would be very grateful if
> anybody could direct me to some freely available implementations.

Maybe it's available in OpenCA http://www.openca.org/

-- 
Paweł Krawczyk *** home: <http://ceti.pl/~kravietz/>
security: <http://ipsec.pl/>  *** fidonet: 2:486/23

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, and  
Date: Mon, 11 Jun 2001 17:28:25 GMT

Mok-Kong Shen wrote:
> My point was that the stuff of Whitehead and Russell
> is not wrong (mathematically).

What was wrong was the idea that such an approach would
provide a firm logical foundation for all of mathematics.

A major motivator was the hope that thereby all antinomies
could be eliminated.  But the mechanism introduced for
that purpose was awkward and unnatural.  Today we take
different approaches for such matters.  For example:
Tightest form of antinomy:  "This statement is false."
Is that statement true or false, or neither, or what?
A simple, *stable* solution is to treat the truth value
on a continuum, or in other words, to apply fuzzy logic;
then the statement has a truth value of (true+false)/2,
which is 0.5 using true=1 and false=0, or 0 using
true=1 and false=-1.  (There is a theorem to the effect
that this approach solves all logical antinomies.)
There is actually a connection with cryptanalysis lurking
in this approach, in that one can treat Boolean variables
as fuzzy; then a *mutually contradictory* or "incorrect"
(according to "hard" logic) assignment of values to
variables no longer stymies further solution.  (Think
eigenvalue convergence, etc.)

> There is an analogous case, namely that of the legendary
> Nicolas Bourbaki (passed away a few years ago officially).

? Bourbaki was the pseudonym of a group of mathematicians.

> He attempted to axiomatize the whole of mathematics
> but failed. But that does not mean that anything he
> wrote is wrong.

I don't think that is the thrust of Bourbaki.  As I see it,
it was to provide rigorous developments of the "standard"
content of mathematics.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Alice and Bob Speak MooJoo
Date: Mon, 11 Jun 2001 17:36:13 GMT

Boyd Roberts wrote:
> "Tom St Denis" <[EMAIL PROTECTED]> wrote:
> > How would a blind person learn to speak?
> verbal feedback.  it's a bootstrap problem.

Note that Helen Keller learned to communicate despite
being deaf, dumb, and blind.  But it wasn't easy.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: National Security Nightmare?
Date: Mon, 11 Jun 2001 17:33:29 GMT

"SCOTT19U.ZIP_GUY" wrote:
> ... One of the first things they plan to do is to
> change all spellings of there to there and that it would be
> come more like the spoken language.

Unfortunately, that adopts the *worst* feature of the spoken
form, namely its ambiguity.  If I say "You have two", you
don't know which of two possible uses I meant, but as written
it is unambiguous.  Or, for your specific example, "There love
is overrated".

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Crypto Links
Date: Mon, 11 Jun 2001 17:52:37 GMT

On Mon, 11 Jun 2001 12:52:26 +0800, "news.singnet.com.sg"
<[EMAIL PROTECTED]> wrote, in part:

>Can anyone provide a list of links to go to where I could find
>general info about Cryptography from general issues all the way to the
>nitty grittys of each cipher technique?

>Just realised I had links for all my other hobbies but none for Crypto!
>(except for this newsgroup link)

My web site has a few links having to do with cryptography on its
links page, and is perhaps worth linking to itself.

John Savard
http://home.ecn.ab.ca/~jsavard/frhome.htm

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic) - VERY     LONG
Reply-To: [EMAIL PROTECTED]
Date: Mon, 11 Jun 2001 17:48:17 GMT

Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
: Tim Tyler wrote:
:> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:

:> : [...] Does Shannon's writing (alone) has established
:> : (fully) the perfect security of the conventional OTP? My
:> : interpretation of what you wrote would be 'no'. Is that
:> : the case?
:> 
:> Yes.  The OTP has perfect secrecy if transmitted messages don't
:> have proper ends, or if they are all the same length - and not
:> in the case where plaintext length varies and cyphertext length
:> is equal to plaintext length.

: Was 'if they are all the same length' explicitly stated
: in Shannon's work?

It appears that Shannon's work didn't address the case of finite
strings being encrypted with an OTP.

His reference to an OTP was in the context of infinite messages.
-- 
__________
 |im |yler  [EMAIL PROTECTED]  Home page: http://alife.co.uk/tim/

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: One last bijection question
Reply-To: [EMAIL PROTECTED]
Date: Mon, 11 Jun 2001 17:51:30 GMT

Mark Wooding <[EMAIL PROTECTED]> wrote:
: Nicol So <[EMAIL PROTECTED]> wrote:

:> A comment on the terminology: the range of a function f is the image of
:> the domain under f. The codomain of a function is a (not necessarily
:> proper) superset of its range.

: This isn't the terminology I'm familiar with.  I've always used the
: terms `range' and `image' to mean what you're calling the `codomain' and
: `range' respectively.  I think these names were standard in the UK when
: I learned this stuff.

I'm in much the same boat - possibly for the same reason.  Can anyone
describe the difference between the range of a function and its co-domain?
-- 
__________
 |im |yler  [EMAIL PROTECTED]  Home page: http://alife.co.uk/tim/

------------------------------

From: [EMAIL PROTECTED] (Jim D)
Subject: Re: National Security Nightmare?
Date: Mon, 11 Jun 2001 18:09:20 GMT
Reply-To: Jim D

On Mon, 11 Jun 2001 11:03:54 +0200, Mok-Kong Shen <[EMAIL PROTECTED]>
wrote:

>
>
>JPeschel wrote:
>> 
>> "Boyd Roberts" [EMAIL PROTECTED] writes:
>> 
>> >yeah, wrong.  i'm pleading an 'upper respiratory infection' defence.
>> >
>> 
>> Watch out! The grammar police is a comin'. Or is it, "are a comin'?"
>> 
>> Nevermind. They got us. Apparently, we have the right to remain silent...
>
>In France I heard that there is a national institute
>that decides authoritatively on language issues of French. 
>Is there a similar one for the English world? 

No, but there should be.

-- 
______________________________________________

Posted by Jim D.

Propino tibi salutem !

jim @sideband.fsnet.co.uk
dynastic @cwcom.net
___________________________________

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: National Security Nightmare?
Date: Mon, 11 Jun 2001 12:14:46 -0600

In article <[EMAIL PROTECTED]>, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:

> In France I heard that there is a national institute
> that decides authoritatively on language issues of French. 
> Is there a similar one for the English world? 

No!  And I question the sense of trying to capture the sense of all
cultures in any dictated language, viz., le hot dog.

> If yes, I 
> suppose we should forward some of the posts of the thread
> there and simply wait for the genuinely correct answers.

Genuine is *as it is* and *as use dictates* in English, a different world
view than many want as part of an irrational static conserve.

Suggested Reading: Personalities of Language by Gary Jennings.
-- 
To make a person into a puppet, start with one with a wooden head.

------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: idea for nonlinear 8x32s
Date: Mon, 11 Jun 2001 18:33:26 GMT

Why not truncate the input?  For example use cubing in GF(2^33) which has
low DP and LP maximums, then truncate the output to 32 bits and fix 25 of
the input bits.

For the first part, i.e. truncating the input, we know that the best LP and DP
maxes will not change (this should be self obvious).  So we should expect
a lot of zeroes and the rest will be 2/256.

As for truncating the output we should see a higher DP maximum since several
differences can lead to the same output diff (i.e. when two differences
differ themselves by the upper bit which is truncated).  As I observed
earlier last month this was done in Misty and is not a severe problem.  It
raised the DP max from 2/512 to 4/512.

It should then be possible to make four 8x32s by using different 25 bits
fixed to the other part.

Couldn't a similar idea be used to make 8x64s or would those be too linear?
(Biham's observation)
--
Tom St Denis
---
http://tomstdenis.home.dhs.org



------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: idea for nonlinear 8x32s
Date: Mon, 11 Jun 2001 18:38:20 GMT


"Tom St Denis" <[EMAIL PROTECTED]> wrote in message
news:W98V6.87683$[EMAIL PROTECTED]...
> Why not truncate the input?  For example use cubing in GF(2^33) which has
> low DP and LP maximums, then truncate the output to 32 bits and fix 25 of
> the input bits.
>
> For the first part, i.e. truncating the input, we know that the best LP and
> DP maxes will not change (this should be self obvious).  So we should expect
> a lot of zeroes and the rest will be 2/256.
>
> As for truncating the output we should see a higher DP maximum since
> several differences can lead to the same output diff (i.e. when two differences
> differ themselves by the upper bit which is truncated).  As I observed
> earlier last month this was done in Misty and is not a severe problem.  It
> raised the DP max from 2/512 to 4/512.

As a follow up I tried making a good 8x8 with a 9-bit field.  (p == 0x385).
I got a DPmax of 8/256 and a LPmax of 16/256.  By comparison inverse in
GF(2^8) has a DPmax of 4/256 ... so it seems my method may not apply to all
configurations.

Tom
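Added example (not code from the thread, nor from TC5) serving both of Tom's posts above, the "triplet" differential question and the GF(2^n) power-map S-box idea: it computes DPmax and LPmax as counts out of N inputs, Tom's 3-term sum S(x) ^ S(x^a1) ^ S(x^a2), and the standard second-order derivative D_a D_b S(x) = S(x) ^ S(x^a) ^ S(x^b) ^ S(x^a^b) that higher-order differential cryptanalysis is built on. Assumed choices that are not in the posts: the S-boxes are inversion in GF(2^8) mod 0x11B (the Rijndael field) and cubing in GF(2^5) mod x^5+x^2+1 (0x25); Tom's own 8x8 experiment used a 9-bit field with p == 0x385, which is not reproduced here.

```python
# Added example, not code from the thread or from TC5: DPmax, LPmax, the
# 3-term "triplet" sum and second-order derivatives of small S-boxes built from
# field arithmetic.  Assumed, not from the posts: GF(2^8) mod 0x11B for the
# inverse map and GF(2^5) mod 0x25 (x^5+x^2+1) for the cube map.
from collections import Counter


def gf_mul(a, b, n, poly):
    """Multiply in GF(2^n); `poly` is the reduction polynomial with its x^n term."""
    r = 0
    for _ in range(n):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << n):
            a ^= poly
    return r


def gf_pow(x, e, n, poly):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, x, n, poly)
        x = gf_mul(x, x, n, poly)
        e >>= 1
    return r


def inverse_sbox(n, poly):
    """x -> x^-1 with 0 -> 0 (the Rijndael S-box core for n=8, poly 0x11B)."""
    return [gf_pow(x, (1 << n) - 2, n, poly) if x else 0 for x in range(1 << n)]


def cube_sbox(n, poly):
    """x -> x^3: algebraic degree 2, bijective when gcd(3, 2^n-1) == 1 (n odd)."""
    return [gf_pow(x, 3, n, poly) for x in range(1 << n)]


def dp_max(S):
    """Largest difference-distribution-table entry, as a count out of len(S)."""
    N = len(S)
    return max(max(Counter(S[x] ^ S[x ^ a] for x in range(N)).values())
               for a in range(1, N))


def parity(v):
    return bin(v).count("1") & 1


def walsh(f):
    """Fast Walsh-Hadamard transform of a +-1 sequence of length 2^n."""
    w, h = list(f), 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return w


def lp_max(S):
    """Largest |#{x : a.x = b.S(x)} - N/2| over nonzero masks a, b (count out of N)."""
    N = len(S)
    best = 0
    for b in range(1, N):
        w = walsh([1 - 2 * parity(b & S[x]) for x in range(N)])
        best = max(best, max(abs(w[a]) for a in range(1, N)) // 2)
    return best


def triplet_max(S):
    """Best count of b = S(x) ^ S(x^a1) ^ S(x^a2) over distinct nonzero a1, a2."""
    N = len(S)
    return max(max(Counter(S[x] ^ S[x ^ a1] ^ S[x ^ a2] for x in range(N)).values())
               for a1 in range(1, N) for a2 in range(a1 + 1, N))


def second_derivative_values(S, a, b):
    """Distinct values of D_a D_b S(x) = S(x)^S(x^a)^S(x^b)^S(x^a^b).  A single
    value means this second-order differential holds with probability 1."""
    return {S[x] ^ S[x ^ a] ^ S[x ^ b] ^ S[x ^ a ^ b] for x in range(len(S))}


def second_derivative_always_constant(S):
    """True iff every second-order derivative is constant, i.e. degree <= 2."""
    N = len(S)
    return all(len(second_derivative_values(S, a, b)) == 1
               for a in range(1, N) for b in range(a + 1, N))


if __name__ == "__main__":
    inv8 = inverse_sbox(8, 0x11B)
    cube5 = cube_sbox(5, 0x25)
    print("GF(2^8) inverse: DPmax %d/256, LPmax %d/256" % (dp_max(inv8), lp_max(inv8)))
    print("GF(2^5) cube:    DPmax %d/32,  LPmax %d/32" % (dp_max(cube5), lp_max(cube5)))
    print("cube: best triplet count %d/32, all D_a D_b constant: %s"
          % (triplet_max(cube5), second_derivative_always_constant(cube5)))
    print("inverse: D_1 D_2 takes %d distinct values"
          % len(second_derivative_values(inv8, 1, 2)))
```

The inverse map reproduces the 4/256 DPmax quoted in the follow-up post. For the cube map the 3-term sum is not a stronger statistic at all: expanding (x+a)^3 in characteristic 2 gives S(x) ^ S(x^a1) ^ S(x^a2) = S(x ^ a1 ^ a2) ^ a1*a2*(a1+a2), a shifted copy of a bijection, so every triplet count is exactly 1. What does distinguish a degree-2 map is the second derivative, which is the constant a*b*(a+b) for every (a, b); that probability-1 relation is the higher-order differential Mika refers to, and it disappears for the inverse map, whose degree is n-1.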



------------------------------

From: "Robert Reynard" <[EMAIL PROTECTED]>
Subject: Re: Crypto Links
Date: Mon, 11 Jun 2001 14:49:30 -0400

I have a short list of the usual 'crypto' links on my web site Secret Code
Breaker Online at ==> http://codebreaker.dids.com

The really good site for 'crypto' links of every description can be found on
Joe Peschel's web site ==> http://members.aol.com/jpeschel/index.htm

Robert Reynard
Author, Secret Code Breaker series of crypto books for young readers (8-16
yr.)

> "news.singnet.com.sg" <[EMAIL PROTECTED]> wrote in message
> news:9g1i2i$fn4$[EMAIL PROTECTED]...
> Can anyone provide a list of links to go to where I could find general
> info about Cryptography from general issues all the way to the nitty grittys of
> each cipher technique?
>
> Just realised I had links for all my other hobbies but none for Crypto!
> (except for this newsgroup link)
>
> Thanks in advance!
>
> Annie L.
>
>



------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Shannon's definition of perfect secrecy
Date: Mon, 11 Jun 2001 12:24:00 -0600

In article <[EMAIL PROTECTED]>, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:


> One may add additional layers to increase the complexity
> for the opponent, but that's not necessary, if the 
> encryption is otherwise secure. Consider the normal case
> of business letters. They have each sufficient header
> information (including page numbers), such that, if the
> pages of several letters get mixed up, they can be 
> separated. What I said is that one could always have
> the headers included in the encryption processing and
> that one has a number of messages concatenated with the 
> result sent as a number of 'records' of some fixed 
> constant length. (The last message, if not urgent, could 
> be sent only partly, with the remaining sent on the next 
> day, say.)
> 
> M. K. Shen

Yes, all this works if care is given to allowing at least two layers. 
Such a continuous system should not be encumbered by cross block
chaining.   The choices of ciphers then narrow to those with better
security; need I suggest one that can meet the requirements, as I reject
those that can't.
-- 
To make a person into a puppet, start with one with a wooden head.

------------------------------

From: Sam Yorko <[EMAIL PROTECTED]>
Subject: Re: Free Triple DES Source code is needed.
Date: Mon, 11 Jun 2001 12:47:33 -0800

Tom St Denis wrote:
> 
> <[EMAIL PROTECTED]> wrote in message
> news:rhlI6.389$[EMAIL PROTECTED]...
> >
> > Hi;
> >
> > I have looked every where on the web to find a Free C/C++ Source Code
> > implementation of Triple-DES.
> > I have found some, but it either has a damaged zip or tar file.
> >
> > Can some one help me please? Where can I find the Triple DES source code?
> 
> Not to be picky but look harder.  It's not hard to find FTPs that have tons
> of source code.
> 
> Second what is this C/C++ thing you talk about?  It's C *OR* C++ not both.
> That's like saying I eat apple-pears instead of "I eat apples and/or pears".
> The combo is non-existent.
> 
 
> Tom

Obviously you've never eaten fruit cocktail...

We have projects where we are compiling C and C++ source modules, and
then linking them into a single executable....

Sam

------------------------------

From: "Cristiano" <[EMAIL PROTECTED]>
Subject: IV
Date: Mon, 11 Jun 2001 21:40:34 +0200

I want to encrypt a file of L bytes with a block cipher in CBC mode (like
RC6 or Rijndael).
For speed reasons I read N bytes at a time (N>1024) and then I encrypt this
block.
Every N bytes I use the IV to XOR the first 16 bytes of plain text.
Is there some weakness in this way?

Thanks
Cristiano



------------------------------

Subject: Re: One last bijection question
From: [EMAIL PROTECTED]
Date: 11 Jun 2001 15:50:31 -0400

Tim Tyler <[EMAIL PROTECTED]> writes:
> Mark Wooding <[EMAIL PROTECTED]> wrote:
> 
> I'm in much the same boat - possibly for the same reason.  Can anyone
> describe the difference between the range of a function and its
> co-domain?

The co-domain is the set of *possible* values of f(x). The range is the
set of *actual* values of f(x), as x ranges over the domain.

Note that the range is uniquely determined, having specified f(). There
is no single co-domain; any superset of the range may be selected as
the codomain. In fact, sometimes the math gets simpler if we enlarge
the codomain.

Len.


-- 
Whatever happened to Preparations A through G? 

------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: IV
Date: Mon, 11 Jun 2001 19:50:38 GMT


"Cristiano" <[EMAIL PROTECTED]> wrote in message
news:9g36s0$ol4$[EMAIL PROTECTED]...
> I want to encrypt a file of L bytes with a block cipher in CBC mode (like
> RC6 or Rijndael).
> For speed reasons I read N bytes at a time (N>1024) and then I encrypt this
> block.
> Every N bytes I use the IV to XOR the first 16 bytes of plain text.
> Is there some weakness in this way?

Hmm?  This doesn't sound like CBC mode.

How about using CTR mode instead?

Tom



------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Free Triple DES Source code is needed.
Date: Mon, 11 Jun 2001 19:51:50 GMT


"Sam Yorko" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Tom St Denis wrote:
> >
> > <[EMAIL PROTECTED]> wrote in message
> > news:rhlI6.389$[EMAIL PROTECTED]...
> > >
> > > Hi;
> > >
> > > I have looked every where on the web to find a Free C/C++ Source Code
> > > implementation of Triple-DES.
> > > I have found some, but it either has a damaged zip or tar file.
> > >
> > > Can some one help me please? Where can I find the Triple DES source code?
> >
> > Not to be picky but look harder.  It's not hard to find FTPs that have tons
> > of source code.
> >
> > Second what is this C/C++ thing you talk about?  It's C *OR* C++ not both.
> > That's like saying I eat apple-pears instead of "I eat apples and/or pears".
> > The combo is non-existent.
> >
>
> > Tom
>
> Obviously you've never eaten fruit cocktail...
>
> We have projects where we are compiling C and C++ source modules, and
> then linking them into a single executable....

Yes, but you compile the C++ parts with a C++ compiler and C parts with a C
compiler.

That's like saying I use a C/C++/ASM compiler since some of the object code
comes from assembly-written routines (i.e. crt0 in GCC).

Tom



------------------------------

From: "Cristiano" <[EMAIL PROTECTED]>
Subject: Re: IV
Date: Mon, 11 Jun 2001 21:54:44 +0200

"Tom St Denis" <[EMAIL PROTECTED]> wrote in message
news:ii9V6.87860$[EMAIL PROTECTED]...
>
> "Cristiano" <[EMAIL PROTECTED]> wrote in message
> news:9g36s0$ol4$[EMAIL PROTECTED]...
> > I want to encrypt a file of L bytes with a block cipher in CBC mode (like
> > RC6 or Rijndael).
> > For speed reasons I read N bytes at a time (N>1024) and then I encrypt this
> > block.
> > Every N bytes I use the IV to XOR the first 16 bytes of plain text.
> > Is there some weakness in this way?
>
> Hmm?  This doesn't sound like CBC mode.
>
> How about using CTR mode instead?

What is CTR?

Cristiano



------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: IV
Date: Mon, 11 Jun 2001 20:06:36 GMT


"Cristiano" <[EMAIL PROTECTED]> wrote in message
news:9g37mj$ot7$[EMAIL PROTECTED]...
> "Tom St Denis" <[EMAIL PROTECTED]> ha scritto nel messaggio
> news:ii9V6.87860$[EMAIL PROTECTED]...
> >
> > "Cristiano" <[EMAIL PROTECTED]> wrote in message
> > news:9g36s0$ol4$[EMAIL PROTECTED]...
> > > I want to encrypt a file of L bytes with a block cipher in CBC mode (like
> > > RC6 or Rijndael).
> > > For speed reasons I read N bytes at a time (N>1024) and then I encrypt this
> > > block.
> > > Every N bytes I use the IV to XOR the first 16 bytes of plain text.
> > > Is there some weakness in this way?
> >
> > Hmm?  This doesn't sound like CBC mode.
> >
> > How about using CTR mode instead?
>
> What is CTR?

CTR is where instead of encrypting the message you encrypt a binary counter
then XOR the output against your message.

Look up Wagner's website, he has a paper on the subject.

Tom
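Added example (not code from the thread) covering the IV exchange above: Cristiano's scheme of chaining again from the same IV every N bytes, CBC carried correctly across read() chunks, and the CTR mode Tom describes (encrypt a counter, XOR the output into the message). Assumption, not from the posts: the 16-byte block cipher is a toy 4-round Feistel network keyed through SHA-256, standing in for RC6/Rijndael so the example runs with the standard library only; the sample records, key, IV and nonce are constructed here. Padding of a final partial block is left out; the inputs are whole blocks.

```python
# Added example, not code from the thread: CBC chained across read() chunks,
# the "restart from the same IV every N bytes" variant asked about, and CTR
# mode as described in the reply.  Assumption: the 16-byte block cipher is a toy
# 4-round Feistel network keyed through SHA-256, standing in for RC6/Rijndael so
# the example runs with the standard library only; it is not a cipher to use.
import hashlib

BLOCK = 16


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, i, half):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def encrypt_block(key, block):
    """Toy 16-byte block permutation: balanced Feistel, 4 rounds."""
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def decrypt_block(key, block):
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


def _blocks(data):
    if len(data) % BLOCK:
        raise ValueError("pad to a whole number of blocks first")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def cbc_encrypt(key, iv, data):
    """Standard CBC: each plaintext block is XORed with the previous ciphertext block."""
    out, prev = [], iv
    for p in _blocks(data):
        prev = encrypt_block(key, _xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for c in _blocks(data):
        out.append(_xor(decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)


def cbc_restart_each_chunk(key, iv, data, chunk):
    """The scheme asked about: every `chunk` bytes, chain again from the same IV."""
    return b"".join(cbc_encrypt(key, iv, data[i:i + chunk])
                    for i in range(0, len(data), chunk))


def cbc_encrypt_chunked(key, iv, data, chunk):
    """Chunked reading done right: the last ciphertext block of one chunk is the
    chaining value of the next, so the result equals CBC over the whole file."""
    out, prev = [], iv
    for i in range(0, len(data), chunk):
        part = cbc_encrypt(key, prev, data[i:i + chunk])
        out.append(part)
        prev = part[-BLOCK:]
    return b"".join(out)


def ctr_crypt(key, nonce, data):
    """CTR: encrypt nonce||counter and XOR the keystream into the data.  The same
    call decrypts; the 8-byte nonce must never repeat under one key."""
    out = []
    for ctr, i in enumerate(range(0, len(data), BLOCK)):
        ks = encrypt_block(key, nonce + ctr.to_bytes(8, "big"))
        out.append(_xor(data[i:i + BLOCK], ks))
    return b"".join(out)


def distinct_first_blocks(ct, chunk):
    """How many different ciphertext blocks open the chunks of `ct`."""
    return len({ct[i:i + BLOCK] for i in range(0, len(ct), chunk)})


# Constructed input: four 1024-byte records that all start with the same header.
HEADER = b"RECORD-HEADER-v1"
RECORDS = b"".join(HEADER + bytes([k]) * (1024 - BLOCK) for k in range(4))
KEY, IV, NONCE = bytes(range(16)), b"\x00" * 16, b"\x00" * 8

if __name__ == "__main__":
    bad = cbc_restart_each_chunk(KEY, IV, RECORDS, 1024)
    good = cbc_encrypt_chunked(KEY, IV, RECORDS, 1024)
    print("restart-per-chunk: %d distinct opening block(s) over 4 chunks"
          % distinct_first_blocks(bad, 1024))
    print("chained CBC:       %d distinct opening blocks" % distinct_first_blocks(good, 1024))
    print("chained == whole-file CBC:", good == cbc_encrypt(KEY, IV, RECORDS))
    print("CTR round trip ok:", ctr_crypt(KEY, NONCE, ctr_crypt(KEY, NONCE, RECORDS)) == RECORDS)
```

Restarting from the same IV turns the first block of every chunk into ECB under a fixed mask: all four records open with the same ciphertext block, so equal chunk prefixes are visible to anyone holding the file, which is exactly what CBC's chaining is meant to hide. Carrying the last ciphertext block into the next read() call costs nothing and yields the same bytes as encrypting the whole file in one pass; the chunk size N then has no security meaning, only a buffering one. CTR avoids the question entirely, at the price of a nonce that must be fresh per file under a given key.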



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
