Cryptography-Digest Digest #165
Cryptography-Digest Digest #165, Volume #14 Tue, 17 Apr 01 04:13:01 EDT Contents: Re: Incomplete Blocks in Twofish (Paul Rubin) Re: Incomplete Blocks in Twofish ("Scott Fluhrer") Publishing is *hard* ("John A. Malley") Re: HOW THE HELL DO I FIND "D"?!?! ("Joseph Ashwood") Re: Reusing A One Time Pad ("Joseph Ashwood") Re: Incomplete Blocks in Twofish ("Tom St Denis") Re: AES poll (SCOTT19U.ZIP_GUY) Re: patent issue (Paul Crowley) Re: Reusing A One Time Pad ("Mark G Wolf") Re: Distinguisher for RC4 ([EMAIL PROTECTED]) Re: Incomplete Blocks in Twofish (Eric Lee Green) Re: Reusing A One Time Pad ("Douglas A. Gwyn") Re: MS OSs "swap" file: total breach of computer security. (wtshaw) Re: There Is No Unbreakable Crypto (Mok-Kong Shen) Re: Note on combining PRNGs with the method of Wichmann and Hill ("Bryan Olson") Re: Note on combining PRNGs with the method of Wichmann and Hill ("Bryan Olson") From: Paul Rubin [EMAIL PROTECTED] Subject: Re: Incomplete Blocks in Twofish Date: 16 Apr 2001 21:22:39 -0700 "Mike Moulton" [EMAIL PROTECTED] writes: I've been in the process of testing and modifying the reference implementation of Twofish to meet my needs, and I'm wondering what is the process of encrypting incomplete blocks. What technique should I use considering that I am going to be running it in ECB for Encryption and CBC as a MAC? Should I pad the ECB encryption like MD4/MD5 with a string of zero's and a the length of the padding, or use ciphertext-stealing? After having read through Stinson/HAC/Schneier and the Twofish Book/Paper the only one to even mention it was Applied Cryptgraphy by Schneier. Perhaps there was a mention somewhere else about an *official* way to implement padding in Twofish. If so I'd be grateful for the reference. The closest thing to a standard I know of for this is PKCS5. -- From: "Scott Fluhrer" [EMAIL PROTECTED] Subject: Re: Incomplete Blocks in Twofish Date: Mon, 16 Apr 2001 21:20:17 -0700 Mike Moulton [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]... I've been in the process of testing and modifying the reference implementation of Twofish to meet my needs, and I'm wondering what is the process of encrypting incomplete blocks. What technique should I use considering that I am going to be running it in ECB for Encryption and CBC as a MAC? Should I pad the ECB encryption like MD4/MD5 with a string of zero's and a the length of the padding, or use ciphertext-stealing? After having read through Stinson/HAC/Schneier and the Twofish Book/Paper the only one to even mention it was Applied Cryptgraphy by Schneier. Perhaps there was a mention somewhere else about an *official* way to implement padding in Twofish. If so I'd be grateful for the reference. Well, padding is not particularly Twofish specific -- any block cipher has to deal with it. There's several generic ways to handle it, none of which is the "official" way (whatever that means): - Add an explicit length field at the beginning. Pad the last block out any way that's convienent. - Put the pad length as the last byte of the last block. This implies that you always have at least one byte of padding - Ciphertext stealing - Use a mode that handles arbitrary message lengths, such as CFB, OFB or counter mode. BTW: why are you using ECB for encryption? Unless you know a priori that duplicate plaintext blocks are unlikely, that's insecure. -- poncho -- From: "John A. Malley" [EMAIL PROTECTED] Subject: Publishing is *hard* Date: Mon, 16 Apr 2001 21:52:31 -0700 Well the *bad* news is my first attempt to publish the results of some amateur research ended up rejected. :-( (I put up a URL to a draft of the paper last year here in the group - http://www.homeworlds.com/papers/SECLCG.pdf ) The *good* news is I gained better understanding of the referee process. :- ) I got some insightful and helpful comments from an anonymous referee. I don't agree with everything he wrote, BUT, I do now understand the standards to which work will be held, I appreciate the advice, critique and pointers and I'll take it to heart. John A. Malley [EMAIL PROTECTED] -- From: "Joseph Ashwood" [EMAIL PROTECTED] Subject: Re: HOW THE HELL DO I FIND "D"?!?! Date: Mon, 16 Apr 2001 21:29:06 -0700 Finding D you use the extended Euclidian Algorithm (documented several places) For encrypting values you take some representation of it (ASCII is fine) to build a very large number, then you take the first n-1 bits of it (where n is the size of your RSA modulus) (you could also use n-8 bits if it's more convenient) and encrypt. On decryption you know how many top bits were not original data and so can remove them before displaying. Joe "Dopefish" [EMAIL PROTECTED] wrote in message news:[EMAIL
Cryptography-Digest Digest #166
Cryptography-Digest Digest #166, Volume #14 Tue, 17 Apr 01 08:13:01 EDT Contents: Re: Publishing is *hard* (Mok-Kong Shen) Re: Note on combining PRNGs with the method of Wichmann and Hill (Mok-Kong Shen) See the Latest Cryptology Theories Here, Why Silverman is DEAD Wrong! (Mathman) Re: Note on combining PRNGs with the method of Wichmann and Hill (Mok-Kong Shen) Re: Lorentz attractor... (Gerhard Wesp) Re: NSA is funding stegano detection (Mok-Kong Shen) Re: NSA is funding stegano detection (Mok-Kong Shen) Re: Note on combining PRNGs with the method of Wichmann and Hill ("Brian Gladman") Re: Rabin-Miller prime testing (Simon Josefsson) Streem combination without the use of dynamic tables. (David Formosa (aka ? the Platypus)) Re: HOW THE HELL DO I FIND "D"?!?! (John Savard) Re: Lorentz attractor... (John Savard) From: Mok-Kong Shen [EMAIL PROTECTED] Subject: Re: Publishing is *hard* Date: Tue, 17 Apr 2001 10:09:36 +0200 "John A. Malley" wrote: (I put up a URL to a draft of the paper last year here in the group - http://www.homeworlds.com/papers/SECLCG.pdf ) [snip] Very dumb question: Does the article mean that there is indication of a probable weakness of ElGamal (for otherwise such an attack would be inconceivable) or else that for ANY secure cipher encrypting the output of a poor PRNG can be problematical? If it is the second case, then passing the output of a common (statistically good) PRNG to, say, AES would result in a sequence that could be cracked, which I would suppose to be a new and rather significant result. M. K. Shen -- From: Mok-Kong Shen [EMAIL PROTECTED] Crossposted-To: sci.crypt.random-numbers Subject: Re: Note on combining PRNGs with the method of Wichmann and Hill Date: Tue, 17 Apr 2001 10:17:13 +0200 Bryan Olson wrote: Mok-Kong Shen wrote: I like to add something to make my last paragraph better understandable: If one of the streams gets a factor 1.0 (and it is uniform), isn't that everything is again (rigorously) theoretically o.k. in that particular issue? Of course not. The theorem was: | as long as the streams are independent, if any of the | streams are uniform then the sum is uniform. The PRNGs are assumed to be independent (I forgot to explictly say that) and uniform. Now one stream gets the factor 1.0, so that is uniform. The others are not uniform. So according to the theorem the modular sum is uniform, isn't it? (As I said elsewhere, the continuous case can be considered the limiting case of the discrete case, whose proof we have discussed sometime back. There is in fact a rigorous proof of the continuous case that doesn't use that limiting process. I found the paper oneday by chance in Math. Rev. but I unfortunately didn't note down the reference.) M. K. Shen -- From: Mathman [EMAIL PROTECTED] Subject: See the Latest Cryptology Theories Here, Why Silverman is DEAD Wrong! Date: Tue, 17 Apr 2001 03:36:49 -0500 www.mediaboy.net/1010100-111-010/gahk/ -- From: Mok-Kong Shen [EMAIL PROTECTED] Crossposted-To: sci.crypt.random-numbers Subject: Re: Note on combining PRNGs with the method of Wichmann and Hill Date: Tue, 17 Apr 2001 11:01:08 +0200 Mok-Kong Shen wrote: Bryan Olson wrote: Mok-Kong Shen wrote: I like to add something to make my last paragraph better understandable: If one of the streams gets a factor 1.0 (and it is uniform), isn't that everything is again (rigorously) theoretically o.k. in that particular issue? Of course not. The theorem was: | as long as the streams are independent, if any of the | streams are uniform then the sum is uniform. The PRNGs are assumed to be independent (I forgot to explictly say that) and uniform. Now one stream gets the factor 1.0, so that is uniform. The others are not uniform. So according to the theorem the modular sum is uniform, isn't it? (As I said elsewhere, the continuous case can be considered the limiting case of the discrete case, whose proof we have discussed sometime back. There is in fact a rigorous proof of the continuous case that doesn't use that limiting process. I found the paper oneday by chance in Math. Rev. but I unfortunately didn't note down the reference.) Addendum: The scheme of Wichmann and Hill is intended to get a more uniform stream from a number of not well uniform streams. The assumption I made above that the PRNGs are uniform is for discussion of the theoretical point you raised which I quote below: The modification destroys an important property of the basic combination method: as long as the streams are independent, if any of the streams are uniform then the sum is uniform. So in that situation we assume that there are uniform streams to start with. Note that we are actually doing splitting of hairs. The
Cryptography-Digest Digest #167
Cryptography-Digest Digest #167, Volume #14 Tue, 17 Apr 01 13:13:01 EDT Contents: Re: "I do not feel secure using your program any more." ("upyerkilt") Re: Lorentz attractor... (Richard Heathfield) Re: Publishing is *hard* ("John A. Malley") Re: Publishing is *hard* ("John A. Malley") Re: MS OSs "swap" file: total breach of computer security. (Richard Heathfield) Re: Distinguisher for RC4 ("Scott Fluhrer") Re: Distinguisher for RC4 ("Roger Schlafly") Re: Note on combining PRNGs with the method of Wichmann and Hill (Mok-Kong Shen) Re: Publishing is *hard* (Mok-Kong Shen) Q: Choosing a Smartcard/Crypto Chip for PKI on Win2K ("Miguel Almeida") Re: REAL OTP Systems (Mok-Kong Shen) Re: Reusing A One Time Pad (SCOTT19U.ZIP_GUY) Re: Reusing A One Time Pad (SCOTT19U.ZIP_GUY) Re: Primality Testing Algorithm ("Jack Lindso") Size of dictionaries (Mok-Kong Shen) Re: "differential steganography/encryption" ("Paul Pires") Re: Reusing A One Time Pad ("Tom St Denis") Re: Reusing A One Time Pad ("Tom St Denis") Re: REAL OTP Systems (Volker Hetzer) Reply-To: "upyerkilt" [EMAIL PROTECTED] From: "upyerkilt" [EMAIL PROTECTED] Crossposted-To: talk.politics.misc,alt.hacker Subject: Re: "I do not feel secure using your program any more." Date: Tue, 17 Apr 2001 13:02:52 GMT As you requested, Tom St Denis. "Tom St Denis" [EMAIL PROTECTED] wrote in message news:KoMC6.24724$[EMAIL PROTECTED]... "Anthony Stephen Szopa" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]... "I do not feel secure using your program any more." You sure jumped to a hasty conclusion. Who posed the quotation text? (BTW I may be in his killfile, so for fun could someone please just repost this message in it's completeness) For instance, one could suggest: "Why even generate these random digit sequences using the OAP-L3 methods. I will just generate a file containing nothing but the digit sequence 0123456789 repeated until I have created a file of 18,144,000 bytes in length then I will use the other methods from OAP-L3 to scramble these up to create a random digit sequence." Why not juse use 0 and 1? for a binary system... I surely don't make files that are base10 in size... You surely know that it won't take very many of these processes to scramble up THIS file before the odds of guessing the final sequence becomes practicably impossible to guess or analyze because there will simply not be enough computing power available or time or energy to accomplish this. Perhaps. Where does the source of entropy come from? What "mixing" process is used? Not all mixing algorithms are equal. If only use 14 bits of entropy and a trivially stupid algorithm to shuffle the array it should be simple to figure out what the state is. Again, using the methods of OAP-L3 to generate your random digit sequences is just the first step of creating your OTPs. And since I believe you would agree that even if you started with a known file containing the sequences of 0123456789 of length 18,144,000 bytes and this becoming very quickly practicably impossible to guess using the methods from OAP-L3, then by actually generating the random digit files using OAP-L3 makes this impossibility that much more impossible. Unless the # of bits into OAP is the same as the # of bits out OAP can never be a OTP (assuming OAP doesn't degrade the entropy). It's as simple as that. Again you assume that you shuffled your array with some good source of entropy at hand... This is because if you have gone to ciphile.com and looked up the Sterling Approximation web page you would know that there are about 1E66,000,000 possible sequences to arrange three permutation files. Of course there may be trillions and trillions of useable sequences. How lucky are you at guessing one in 1E24 or 1E48 or 1E96, etc. sequences from 1E66,000,000. Not even incredible Chinese gamblers think they are this lucky. So what. Lucifer had a 128-bit key... that's 340,282,366,920,938,463,463,374,607,431,768,211,456 what a big number! Does that mean it's secure... er NOPE! Now you may feel that the problem is greatly simplified (as if anything could simplify a problem with 1E66,000,000 possible outcomes) if you just had some plaintext and encrypted text. How so? The random number sequence you determine from having these two data sources has so little relationship with the random digit file(s) generated from using the OAP-L3 methods as to be worthless for attacking subsequent numbers from the OTPs because this original random digit file has been further processed using all the methods available with OAP-L3, where above I hope you agreed, even if you knew this file and its sequences, it would make no difference. You assume your OAP methods are sound and non-degenerate. You
Cryptography-Digest Digest #168
Cryptography-Digest Digest #168, Volume #14 Tue, 17 Apr 01 14:13:01 EDT Contents: Re: Reusing A One Time Pad (SCOTT19U.ZIP_GUY) Re: Reusing A One Time Pad ("Tom St Denis") Re: Reusing A One Time Pad (SCOTT19U.ZIP_GUY) Re: Note on combining PRNGs with the method of Wichmann and Hill ("Brian Gladman") Re: Reusing A One Time Pad ("Tom St Denis") Re: Reusing A One Time Pad (SCOTT19U.ZIP_GUY) Re: Reusing A One Time Pad ("Tom St Denis") Re: Choosing a Smartcard/Crypto Chip for PKI on Win2K ("Ryan Phillips") From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) Subject: Re: Reusing A One Time Pad Date: 17 Apr 2001 17:04:59 GMT [EMAIL PROTECTED] (Tom St Denis) wrote in 4u_C6.31062$[EMAIL PROTECTED]: "SCOTT19U.ZIP_GUY" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]... [EMAIL PROTECTED] (Joseph Ashwood) wrote in ePD6covxAHA.328@cpmsnbbsa07: The moment you reuse *any* portion of the pad, the security immediately falls to precisely 0. That's a simple fact of life (assuming you are using a standard XOR based pad). There is no getting around that, no amount of postulating will get around the mathematic problems involved, your idea is plain and simply insecure. Joe Actually the security is not ZERO. You may have reduced the ppssible set of the messages but as long as there is more than one plausble decryption it is not zero. But I agree the more you use the less secure and its not to had to reach ZERO. Especailly if the plain text file was known to be compressed as part of the encryption package as in PGP. Um to disprove anything you have said for the past 8 years or so.. an OTP is secure even if the message was compressed with deflate. so tell me again how the compression hurts? I don't wish to get in a long argument with you since you really don't want to learn. But I will clarify what I think your misunderstanding is. First of all we both know that a OTP is secure. Joe was commenting that if you repeat one bit its not secure at all. We all know or should know that if you use it over and over again its not secure. IF a "one time Pad" is used correctly. Meaning "one time" then the encryption is secure regardless of what compression was used. As to weakness of using nonbijecetive file compression in encryption systems I think you know where I stand on that after years of trying to get you to understand it. David A. Scott -- SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE "OLD VERSIOM" http://www.jim.com/jamesd/Kong/scott19u.zip My website http://members.nbci.com/ecil/index.htm My crypto code http://radiusnet.net/crypto/archive/scott/ MY Compression Page http://members.nbci.com/ecil/compress.htm **NOTE FOR EMAIL drop the roman "five" *** Disclaimer:I am in no way responsible for any of the statements made in the above text. For all I know I might be drugged or something.. No I'm not paranoid. You all think I'm paranoid, don't you! -- From: "Tom St Denis" [EMAIL PROTECTED] Subject: Re: Reusing A One Time Pad Date: Tue, 17 Apr 2001 17:19:22 GMT "SCOTT19U.ZIP_GUY" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]... [EMAIL PROTECTED] (Tom St Denis) wrote in 4u_C6.31062$[EMAIL PROTECTED]: "SCOTT19U.ZIP_GUY" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]... [EMAIL PROTECTED] (Joseph Ashwood) wrote in ePD6covxAHA.328@cpmsnbbsa07: The moment you reuse *any* portion of the pad, the security immediately falls to precisely 0. That's a simple fact of life (assuming you are using a standard XOR based pad). There is no getting around that, no amount of postulating will get around the mathematic problems involved, your idea is plain and simply insecure. Joe Actually the security is not ZERO. You may have reduced the ppssible set of the messages but as long as there is more than one plausble decryption it is not zero. But I agree the more you use the less secure and its not to had to reach ZERO. Especailly if the plain text file was known to be compressed as part of the encryption package as in PGP. Um to disprove anything you have said for the past 8 years or so.. an OTP is secure even if the message was compressed with deflate. so tell me again how the compression hurts? I don't wish to get in a long argument with you since you really don't want to learn. But I will clarify what I think your misunderstanding is. First of all we both know that a OTP is secure. Joe was commenting that if you repeat one bit its not secure at all. We all know or should know that if you use it over and over again its not secure. IF a "one time Pad" is used correctly. Meaning "one time" then the encryption is secure regardless of what compression was used. As to weakness of using nonbijecetive file compression in encryption systems I
Cryptography-Digest Digest #169
Cryptography-Digest Digest #169, Volume #14 Tue, 17 Apr 01 16:13:01 EDT Contents: Re: Reusing A One Time Pad (SCOTT19U.ZIP_GUY) Re: Reusing A One Time Pad (SCOTT19U.ZIP_GUY) Re: Reusing A One Time Pad ("Tom St Denis") Re: Reusing A One Time Pad ("Tom St Denis") Re: Note on combining PRNGs with the method of Wichmann and Hill (Mok-Kong Shen) Re: Reusing A One Time Pad (SCOTT19U.ZIP_GUY) Re: Reusing A One Time Pad ("Tom St Denis") Re: LFSR Security (Ian Goldberg) Re: Reusing A One Time Pad ("Joseph Ashwood") ansi x9.23 / iso 10126 (Fabian Kaiser) From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) Subject: Re: Reusing A One Time Pad Date: 17 Apr 2001 18:14:29 GMT [EMAIL PROTECTED] (Tom St Denis) wrote in Td%C6.31344$[EMAIL PROTECTED]: You have yet to prove that bijective compression is any more secure. In fact it's not. Let's demonstrate. I get a message from you and I want to try decrypting it. Say you use a 64-bit RC5 key or something... I feel it's about money so amongst the ciphertexts I decrypt I get What are you trying to show? First of all if I was sending text I would be using my conditional adaptive huffman compressor so that only characters in the set "A to Z' "0 to 9" and space actually I would use underscore for space it i used space at all. AKSJHDKH2309SLDFJSDFHSFJKGHW DFGJSHSKFHKJ2340OWE7FKJFSD THE MONEY IS IN MY POCKET 345U3RWHERFRLSJFHKJGFYSUKJFTHSJK DFGJLHGJKHGDFJKGHDFKJGDGJDFLK349 I see using the general bijective compressor you get only the cases above that contian characters. How nice. Yes you can say if you know it was about money that you can tell which one was the input message. And in this example even if you didn't know it was about money you can guess which one it was. Lets suppose instead that I compressed not using a bijective compressor but a compressor that compresses as well but is non bijective. Since many cases are not used becasue the test encryption keys lead to files that could not have compressed with the nonbijective compressor DFGJSHSKF J2340OWE7FKJFSD THE MONEY IS IN MY POCKET Gee there are fewer cases to look at since the filter effect casued by the use of the nonbijective compressor. Gives me extra information on how to eliminate candidate files. In the bijective compressor you don't get this free filter to toss out cases that can't exist. Yes Tom which one is easier to look at and guess a solution. But you know all this we go over and over this all the time what do you have that is new. Or are you just trying to confuse new people. David A. Scott -- SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE "OLD VERSIOM" http://www.jim.com/jamesd/Kong/scott19u.zip My website http://members.nbci.com/ecil/index.htm My crypto code http://radiusnet.net/crypto/archive/scott/ MY Compression Page http://members.nbci.com/ecil/compress.htm **NOTE FOR EMAIL drop the roman "five" *** Disclaimer:I am in no way responsible for any of the statements made in the above text. For all I know I might be drugged or something.. No I'm not paranoid. You all think I'm paranoid, don't you! -- From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) Subject: Re: Reusing A One Time Pad Date: 17 Apr 2001 18:33:17 GMT [EMAIL PROTECTED] (Tom St Denis) wrote in hA%C6.31591$[EMAIL PROTECTED]: "SCOTT19U.ZIP_GUY" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]... I can argue with your statments about the "super evil deflate". Being better. Compression is a lose lose situation. It is well known for certain classes of files Huffman would be the optimal. I don't think that can be said for deflate for any class of files. There are no classes of files where huffman is optimal. If the file has a bias towards a certain symbol more than likely it's in some pattern. Actually I need go no farther. snip David A. Scott -- SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE "OLD VERSIOM" http://www.jim.com/jamesd/Kong/scott19u.zip My website http://members.nbci.com/ecil/index.htm My crypto code http://radiusnet.net/crypto/archive/scott/ MY Compression Page http://members.nbci.com/ecil/compress.htm **NOTE FOR EMAIL drop the roman "five" *** Disclaimer:I am in no way responsible for any of the statements made in the above text. For all I know I might be drugged or something.. No I'm not paranoid. You all think I'm paranoid, don't you! -- From: "Tom St Denis" [EMAIL PROTECTED] Subject: Re: Reusing A One Time Pad Date: Tue, 17 Apr 2001 18:45:44 GMT "SCOTT19U.ZIP_GUY" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]... [EMAIL PROTECTED] (Tom St Denis) wrote in Td%C6.31344$[EMAIL PROTECTED]: You have yet to prove that bijective compression is any more secure. In fact it's not. Let's demonstrate. I get a message from you and I want to try decrypting it. Say you use a 64-bit RC5 key or something... I
Cryptography-Digest Digest #170
Cryptography-Digest Digest #170, Volume #14 Tue, 17 Apr 01 19:13:01 EDT Contents: Re: Distinguisher for RC4 ("Joris Dobbelsteen") "UNCOBER" = Universal Code Breaker (newbie) Re: Size of dictionaries (Jim Gillogly) Re: There Is No Unbreakable Crypto (David Wagner) DES Optimizaton - Can Someone Explain? ("Kevin D. Kissell") Re: "differential steganography/encryption" ("Dopefish") Re: HOW THE HELL DO I FIND "D"?!?! ("Dopefish") Re: "UNCOBER" = Universal Code Breaker ("Joseph Ashwood") lagged fibonacci generator idea ("Tom St Denis") Re: Size of dictionaries (Mok-Kong Shen) Re: "differential steganography/encryption" (Mok-Kong Shen) Re: "UNCOBER" = Universal Code Breaker (newbie) Re: Note on combining PRNGs with the method of Wichmann and Hill ("Brian Gladman") From: "Joris Dobbelsteen" [EMAIL PROTECTED] Subject: Re: Distinguisher for RC4 Date: Tue, 17 Apr 2001 22:53:00 +0200 And using a method like CBC, OFB or CFB? These XOR a result that comes out a block cipher, making it possible to replace them for a stream cipher. This may, however, still not be suited for every situation, but it can be adapted easily... - Joris "David Formosa (aka ? the Platypus)" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]... On 15 Apr 2001 06:24:34 GMT, David Wagner [EMAIL PROTECTED] wrote: [...] Well, it does scare me away from the idea of using RC4 in new systems. [...] Why bother with such uncertainty when we have 3DES and AES? But then, maybe I'm too paranoid. RC4 is a streem cyper/pydorandom number generator, while 3DES is a block cyper. You can't replace RC4 with 3DES in most situtations. -- Please excuse my spelling as I suffer from agraphia. See http://dformosa.zeta.org.au/~dformosa/Spelling.html to find out more. Free the Memes. -- From: newbie [EMAIL PROTECTED] Subject: "UNCOBER" = Universal Code Breaker Date: Tue, 17 Apr 2001 16:49:34 -0300 Cryptographers are still talking about unbreakable code. And sometimes after someone break the code. So, all the cryptographers are always trying to find the "unbreakable". Has cryptograhers thought to universal way to break any code? Has cryptographers thought to the basis to elaborate universal theory to break any code? I found a funny name to that theory "UNCOBER" = Universal Code Breaker Newbie -- From: Jim Gillogly [EMAIL PROTECTED] Subject: Re: Size of dictionaries Date: Tue, 17 Apr 2001 14:15:02 -0700 Mok-Kong Shen wrote: I am interested to know the order of magnitude of the minimum size of a dictionary in English that could permit ordinary messages of common people (private and commercial) to be written in as terse a manner as possible without negatively affecting the essential semantics that is to be conveyed. In other words, I am thinking of writing in a style CK Ogden chopped the vocabulary down to 850 words for his proposal "Basic English" which he said "will cover those needs of everyday life for which a vocabulary of 20,000 words is frequently employed." It was first proposed in the 1920s, during the time when the second- and third-generation constructed languages (Esperanto, Ido, etc.) were hitting their stride. It had a few high-profile supporters, such as Winston Churchill and Franklin D. Roosevelt. I may be mistaken, but I think he left out verbs, but presumably few enough verbs would be needed to keep it under 10 bits. Shakespeare looks quite odd in Basic English, as you might guess. like telegrams. Among technical points to be clarified seem to be those of grammatical forms, e.g. whether the present participle of a verb is to be in the dictionary and how special words, if needed but not in the dictionary, can be represented (using escape symbols?), etc. etc. As foreigner, I clearly can barely have good ideas about these. Would 2^12 be an appropriate size of the dictionary? In that case As a foreigner (umm -- you mean a foreigner in Germany? we're from all over), what would be your estimate for one of the languages you know? I understand unabridged English dictionaries are larger than those of most (all?) other languages, so English might not be the best choice for your plan. You might consider an artificial language such as Esperanto or one of the more modern efforts, depending on what application you have in mind. each word of a message could be coded into 12 bits, which means quite a significant compression ratio, isn't it? It seems to me that a proposal like this would be useful only in extreme conditions of some sort, where constructing the message could be very human-intensive labor, and the transmission channel is extremely expensive. An example might be communicating with scientists on the 30-year Titan probe, assuming they had lost the use of their main antenna and can receive mail on only a very limited-bandwidth
Cryptography-Digest Digest #171
Cryptography-Digest Digest #171, Volume #14 Tue, 17 Apr 01 23:13:00 EDT Contents: Re: "UNCOBER" = Universal Code Breaker ("Joseph Ashwood") Re: "UNCOBER" = Universal Code Breaker ("Tom St Denis") Re: "UNCOBER" = Universal Code Breaker ("Jack Lindso") Re: Advantages of attackers and defenders (Bart Bailey) Re: "UNCOBER" = Universal Code Breaker (newbie) Re: "UNCOBER" = Universal Code Breaker (newbie) Re: "UNCOBER" = Universal Code Breaker ("Tom St Denis") Re: "UNCOBER" = Universal Code Breaker ("Tom St Denis") Re: lagged fibonacci generator idea ("Scott Fluhrer") Re: Distinguisher for RC4 ("Scott Fluhrer") Re: lagged fibonacci generator idea ("Tom St Denis") Re: "UNCOBER" = Universal Code Breaker (David Formosa (aka ? the Platypus)) Re: "UNCOBER" = Universal Code Breaker (John Savard) Re: "UNCOBER" = Universal Code Breaker (John Savard) Re: "UNCOBER" = Universal Code Breaker (John Savard) Re: DES Optimizaton - Can Someone Explain? (John Savard) Re: C code for GF mults ("Brian McKeever") From: "Joseph Ashwood" [EMAIL PROTECTED] Subject: Re: "UNCOBER" = Universal Code Breaker Date: Tue, 17 Apr 2001 16:11:34 -0700 "newbie" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]... I'm not talking about universal algo, but about "unified theory". Theory means designing concepts and tools to solve types of encryption. Theory means thinking to hypothesis, conditions etc... to solve any encryption. Theory means conceptual vision of the cryptanalysis concern. Theory does not mean creating a super-algo breaker. But the existance of a single algorithm which can provably not be broken by such a theory eliminates the possibility of that theory. The One-Time-Pad algorithm exists, therefore a unified theory that "solves" (aka breaks, because there is no other possibility) an encryption algorithm cannot exist. I proved that at least 2 ways now. Joe -- From: "Tom St Denis" [EMAIL PROTECTED] Subject: Re: "UNCOBER" = Universal Code Breaker Date: Tue, 17 Apr 2001 23:20:40 GMT "newbie" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]... I'm not talking about universal algo, but about "unified theory". Theory means designing concepts and tools to solve types of encryption. Theory means thinking to hypothesis, conditions etc... to solve any encryption. Theory means conceptual vision of the cryptanalysis concern. Theory does not mean creating a super-algo breaker. What are you yabbing about? He proved that it can't exist given you can't break an OTP Tom -- From: "Jack Lindso" [EMAIL PROTECTED] Subject: Re: "UNCOBER" = Universal Code Breaker Date: Wed, 18 Apr 2001 02:42:21 +0200 The fact that TRUE OTP is unbreakable doesn't contradict the existence of a cryptanalysis algorithm e.g. a set of rules or a function which tries to evaluate encrypted cipher text. Perhaps Code Breaker is a wrong name for it, a Cryptanalysis Algorithm would be a better one : 1: check the deviation from RAND 2: Try shifting And so on. -- Anticipating the future is all about envisioning the Infinity. http://www.atstep.com "Tom St Denis" [EMAIL PROTECTED] wrote in message news:cd4D6.33598$[EMAIL PROTECTED]... "newbie" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]... I'm not talking about universal algo, but about "unified theory". Theory means designing concepts and tools to solve types of encryption. Theory means thinking to hypothesis, conditions etc... to solve any encryption. Theory means conceptual vision of the cryptanalysis concern. Theory does not mean creating a super-algo breaker. What are you yabbing about? He proved that it can't exist given you can't break an OTP Tom -- From: Bart Bailey [EMAIL PROTECTED] Subject: Re: Advantages of attackers and defenders Date: Tue, 17 Apr 2001 16:46:46 -0700 AY wrote: , but I am not sure how the knowledge of "network terrains" can help defend against attackers. Knowledge of the nomenclature and locations of bait files and tripwires would, hopefully, be held by the defenders and not the attackers. There could be some rearranging of these resources as attack methods are exhibited. ~~Bart~~ -- From: newbie [EMAIL PROTECTED] Subject: Re: "UNCOBER" = Universal Code Breaker Date: Tue, 17 Apr 2001 19:51:28 -0300 You are starting to elaborate it. This theory. Because the universal breaking-theory is kowing the conditions unbreakability too. This theory has to answer why is OTP likely unbreakable. It is not so sure. It is sure only in theory. Because the language domain is not infinite. There is not only redundancy is using the alphabet. There is redundancy in plain-text using. The domain of vocabulray used in