Cryptography-Digest Digest #210, Volume #14    Sun, 22 Apr 01 20:13:01 EDT

Contents:
  Re: OTP WAS BROKEN!!! ("Tom St Denis")
  Re: OTP WAS BROKEN!!! (newbie)
  Re: Delta patching of encrypted data (David Wagner)
  Re: OTP WAS BROKEN!!! (newbie)
  Re: OTP WAS BROKEN!!! ("Tom St Denis")
  Re: OTP WAS BROKEN!!! ("Tom St Denis")
  research on polymorphic crypto/Best Possible Privacy? ("Shea J. Hawes")
  Re: keys and random (David Hopwood)
  Re: PK Algorithm Idea (David Hopwood)
  Re: patent this and patent that (David Hopwood)
  Re: Clarification - Re: Factoring (David Hopwood)
  Re: OTP WAS BROKEN!!! (Mathew Hendry)
  Re: OTP WAS BROKEN!!! (newbie)

--

From: "Tom St Denis" [EMAIL PROTECTED]
Subject: Re: OTP WAS BROKEN!!!
Date: Sun, 22 Apr 2001 23:16:35 GMT

"newbie" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> It is not an answer F### off. It is an insult.
> I'm not going to insult you, because I'm polite.
> You are simply lying. I never said what you are claiming.
> I did not talk about non-random.
> Thank you Sir Smart.

WTF. OTPs are based on random strings of key bits. Anything else and it's not an OTP. Look at the subject of this thread.

Tom

--

From: newbie [EMAIL PROTECTED]
Subject: Re: OTP WAS BROKEN!!!
Date: Sun, 22 Apr 2001 19:17:03 -0300

Let me just say that:
If you re-use an OTP, it is then easy to break it.

I suppose a key k'. I use this key to encipher a text that I know for sure.

  C  = P  Xor k
  C' = P' Xor k'

If k' = k, k' Xor k = 0; that means that I re-used the key k to encipher C'. It is like if I reuse the OTP twice. The solution is easy. And P is text that has a sense.

But, if k' is different from k:

  C' Xor C = (P Xor k) Xor (P' Xor k') = (k' Xor k) Xor (P Xor P')

I know P' and I do know P and k.

  C' Xor C Xor P' = P Xor (k Xor k')

I know what C' Xor C Xor P' is. I know that k' Xor k is random; it is like if I have a new random key "z":

  C' Xor C Xor P' = P Xor z

The probability that P Xor z has a sense is infinitesimal.

How do I select my messages? Using a criterion of "sense".

If k' = k I'm sure that the result of C' Xor C Xor P' is a text that has a sense and that is nothing more than P. OTP is broken.

If k' is different from k, I'm quite sure, because of the randomness of z = k' Xor k, that it is a bit-string that does not have a sense. The probability that any text Xored with random gives you as result a bit-string that has a sense is infinitesimal.

You have now the proof that OTP could be broken.

Alexis Machado wrote:
> "newbie" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> > OTP was broken! It is not a joke.
> > Let encipher with truly random key a message M.
> > M is a plaintext   M = (M1 M2 M3 ... Mn)
> > K is a keystream   K = (K1 K2 K3 ... Kn)
> > C is a ciphertext  C = (C1 C2 C3 ... Cn)
> > ___
> > What I know before breaking is C.
> > What I could know using extra-information is the specific language used in my ciphertext. Sample: military communication. If I know that, I can still assign a high probability of occurring to all the words and sentences used by militaries in their mails. So I'm going to use a specific database to break my ciphertext.
> > I'm going to show you that even if I have no extra-information, it makes my breaking more difficult but not impossible.
> > [snip]
>
> Hi,
>
> In my previous reply to your post "OTP breaking strategy", I suggested a mathematical argument against your claim. Maybe the reasoning was not clear (and with some errors). So, I will try for the last time, I promise :-)
>
> As you stated C = M xor K
>
> Let
>   1) Ai be the bit i of a text A.
>   2) P(Ai) be the probability of "Ai = 1".
>   3) 0 <= P(Ai) <= 1
>
> If the attacker can't guess anything about Ki, P(Ki) = 1/2.
>
> Let's find the relation between P(Ci) and P(Mi):
>
>   P(Mi) = P(Ci xor Ki)
>         = P(Ci or Ki) - P(Ci and Ki)
>         = P(Ci) + P(Ki) - P(Ci and Ki) - P(Ci and Ki)
>         = P(Ci) + P(Ki) - 2 * P(Ci) * P(Ki)
>         = P(Ci) + 1/2 - 2 * P(Ci) * 1/2
>         = P(Ci) + 1/2 - P(Ci)
>         = 1/2
>
> Note: Starting from P(Ki) = P(Ci xor Mi) we get the same result.
>
> Hence, P(Mi) and P(Ci) are unrelated and you can't say anything about one based on the other.
>
> If K is reused, the attacker may guess something about Ki by analyzing the plaintexts xor. In this case, P(Ki) is not 1/2 and we have a relation between P(Mi) and P(Ci).
>
> Alexis

--

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Delta patching of encrypted data
Date: 22 Apr 2001 23:22:31 GMT

Benjamin Goldberg wrote:
> Let's call the encryption operations PFB() and CBC() (just cause cbc is more well known than iapm).
> file = CBC(k2, IV, PFB(k1, pt)) == what is stored on disk.
> x = CBC^-1(k2, file
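Worked example for the OTP exchange between newbie and Alexis Machado above (added here, not part of the digest): newbie's quantity C xor C' xor P' recovers P only when the pad was reused, and the ciphertext's bit balance stays at 1/2 whatever the plaintext's is. The two messages and the "sense" criterion are constructed for the example.

```python
# Added example, not from the digest: the reused-pad test newbie describes and
# the "P(Ci) carries no information about P(Mi)" point Alexis makes.
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings (the one-time pad operation)."""
    if len(a) != len(b):
        raise ValueError("pad must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    # C = P xor K; decryption is the same operation with the same pad.
    return xor_bytes(plaintext, pad)


def known_plaintext_probe(c: bytes, c_prime: bytes, p_prime: bytes) -> bytes:
    """newbie's quantity C xor C' xor P'.

    If C' was made with the same pad as C this equals P (the pad cancels);
    with an independent pad it equals P xor (K xor K'), i.e. P under a fresh pad.
    """
    return xor_bytes(xor_bytes(c, c_prime), p_prime)


def has_sense(data: bytes) -> bool:
    """Crude stand-in for newbie's 'sense' criterion: printable ASCII only."""
    return all(0x20 <= b < 0x7F for b in data)


def fraction_of_one_bits(data: bytes) -> float:
    """Empirical P(bit = 1) over a byte string; Alexis argues this is 1/2 for C."""
    return sum(bin(b).count("1") for b in data) / (8 * len(data))


# Constructed sample messages of equal length (34 bytes each).
P = b"ATTACK AT DAWN AND HOLD THE BRIDGE"
P_PRIME = b"RETREAT TO THE RIVER BEFORE SUNSET"


def reused_pad_case(p: bytes = P, p_prime: bytes = P_PRIME) -> bytes:
    """Two messages under one pad: the probe recovers P outright."""
    k = os.urandom(len(p))
    return known_plaintext_probe(otp_encrypt(p, k), otp_encrypt(p_prime, k), p_prime)


def fresh_pad_case(p: bytes = P, p_prime: bytes = P_PRIME) -> bytes:
    """Independent pads: the probe is P masked by a new random pad K xor K'."""
    k, k_prime = os.urandom(len(p)), os.urandom(len(p_prime))
    return known_plaintext_probe(otp_encrypt(p, k), otp_encrypt(p_prime, k_prime), p_prime)


def ciphertext_bit_balance(p: bytes = P) -> float:
    """Fraction of 1 bits in C = P xor K for a fresh pad; expect about 1/2."""
    return fraction_of_one_bits(otp_encrypt(p, os.urandom(len(p))))


if __name__ == "__main__":
    reused, fresh = reused_pad_case(), fresh_pad_case()
    print("reused pad:", reused, "has sense:", has_sense(reused))
    print("fresh pad :", fresh, "has sense:", has_sense(fresh))
    print("plaintext 1-bit fraction :", round(fraction_of_one_bits(P), 3))
    print("ciphertext 1-bit fraction:", round(ciphertext_bit_balance(), 3))
```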
Cryptography-Digest Digest #210, Volume #13    Wed, 22 Nov 00 20:13:00 EST

Contents:
  10 Pcs. Of Paper Money From Around the World 7848 ([EMAIL PROTECTED])
  Re: RSA Signature ! (Steve Portly)
  Re: Entropy paradox ("Harvey Rook")
  Re: 10 Pcs. Of Paper Money From Around the World 7848 (Steve Portly)
  Re: why scramdisk menu don't work on win95 ? ("Sam Simpson")
  Re: Q: fast block ciphers (David Wagner)
  Re: New Dynamic Algo + Contest + Doc (David Wagner)
  Re: New Dynamic Algo + Contest + Doc (David Wagner)
  OCR Encryption ([EMAIL PROTECTED])
  Re: Mode of operation to maintain input size with block ciphers? (Jerry Leichter)
  Re: Mode of operation to maintain input size with block ciphers? (David Hopwood)
  Re: New Dynamic Algo + Contest + Doc (proton)
  Re: Entropy paradox ([EMAIL PROTECTED])
  Re: New Dynamic Algo + Contest + Doc (David Wagner)
  Re: A Simple Voting Procedure (Stanley Chow)
  Re: Question regarding OS's. ("Juri")
  Re: Mode of operation to maintain input size with block ciphers? ([EMAIL PROTECTED])
  Re: Question regarding OS's. ("Juri")
  Re: A Simple Voting Procedure (David Schwartz)

--

From: [EMAIL PROTECTED]
Subject: 10 Pcs. Of Paper Money From Around the World 7848
Date: Wed, 22 Nov 2000 18:25:45 GMT

Two days ago I ordered 10 pieces of paper money from 10 different countries from a company called Perth Numismatics. Lo and behold they arrived today and they are very nice and colourful. They even have a bill from Antarctica. I didn't even know they existed. These are perfect for stocking stuffers or people who are hard to buy for.

The website address is www.perthmoney.com

Good luck and Merry Christmas
Cynthia Reeves

zsivyowvzkwvixyrsdmfiwsepftjkqykqxgivvkodhqjjukeufmmnhitrhoujwygjekgskgoqcvvvomcwkj

--

From: Steve Portly [EMAIL PROTECTED]
Subject: Re: RSA Signature !
Date: Wed, 22 Nov 2000 16:05:23 -0500

Frédéric Donnat wrote:
> Hi !
> I'd need to make my own signature with RSA, but I first want to know how RSA signatures work.
> Usually you make a hash of your data (using MD5 or SHA for example) and after that you sign it! But how do you sign it? Is it an encryption?
> If someone can help me or tell me where to find information about digital signatures I'll be very grateful!
> Best regards
> Fred

Any one way hash that will provide a unique identifier should work. Your choice of hash will depend on the number of bits your signature will contain. For most signatures of 24 characters or less a hash such as MD5 should be adequate. Lots of information can be found in the RFC's. RFC1750 for example.

--

From: "Harvey Rook" [EMAIL PROTECTED]
Subject: Re: Entropy paradox
Date: Wed, 22 Nov 2000 13:24:59 -0800

The problem is with your use of the phrase "the u bits are provably secure." Provably secure does mean that m can never be calculated and that u is perfectly random. It means that the best available attack is brute force. Such a brute force attack would take about O(sqrt(m)) work/space to execute. Since u > m, you've provided more than enough material to calculate m. So there is no paradox.

Harv

"Mok-Kong Shen" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> This is a re-formulation of an issue that I questioned previously.
> Suppose one has m perfectly random bits and uses that in some appropriate way to get a BBS generator to generate u bits, with u > m. We know that (accepting certain plausible assumptions) the u bits are provably secure. It seems thus that we have obtained more entropy that way, i.e. having obtained an amount of additional entropy from nothing. How is this apparent paradox to be properly explained? (Or does each bit of the generated sequence have on average m/u bits of entropy?)
> Thanks in advance.
> M. K. Shen
> --
> http://home.t-online.de/home/mok-kong.shen

--

From: Steve Portly [EMAIL PROTECTED]
Subject: Re: 10 Pcs. Of Paper Money From Around the World 7848
Date: Wed, 22 Nov 2000 16:28:02 -0500

[EMAIL PROTECTED] wrote:
> Two days ago I ordered 10 pieces of paper money from 10 different countries from a company called Perth Numismatics. Lo and behold they arrived today and they are very nice and colourful. They even have a bill from Antarctica. I didn't even know they existed. These are perfect for stocking stuffers or people who are hard to buy for.
> The website address is www.perthmoney.com
> Good luck and Merry Christmas
> Cynthia Reeves
> zsivyowvzkwvixyrsdmfiwsepftjkqykqxgivvkodhqjjukeufmmnhitrhoujwygjekgskgoqcvvvomcwkj

Ok I got one.

zsvyowvzkwvixyrsmfispfjkqykqxgivvkodhqjjukeufmmhihojwyjekgkgqcvvvomcwkj

--

From: "Sam Simpson" [EMAIL PROTECTED]
Crossposted-To: comp.security.misc
Subje
Cryptography-Digest Digest #210, Volume #12    Wed, 12 Jul 00 05:13:01 EDT

Contents:
  Re: Crypto jokes? (potentially OT) (Steve Meyer)
  Re: Proposal of some processor instructions for cryptographical applications (Greg)
  Re: Base Encryption: Strongest Cypher ([EMAIL PROTECTED])
  New Idea - Cipher on a Disk (Greg)
  Re: Base Encryption: Strongest Cypher (S. T. L.)
  Re: New Idea - Cipher on a Disk (David A Molnar)
  Definition question (Ichinin)
  Re: Base Encryption: Strongest Cypher (Steve Rush)
  Re: RC4-- repetition length? (Runu Knips)
  Re: blowfish 8 byte blocks (Runu Knips)
  Re: Proposal of some processor instructions for cryptographical applications (Jan Vorbrueggen)
  attack against CBC mode (Serge Vaudenay)
  Re: Proposal of some processor instructions for cryptographical applications (Jan Vorbrueggen)
  SC also in inverse ? (Runu Knips)
  Re: RC4-- repetition length? (Benjamin Goldberg)
  Re: Proposal of some processor instructions for cryptographical applications ("Peter L. Montgomery")
  Re: Steganographic encryption system (John Hasler)

--

From: [EMAIL PROTECTED] (Steve Meyer)
Subject: Re: Crypto jokes? (potentially OT)
Reply-To: [EMAIL PROTECTED]
Date: 12 Jul 2000 05:24:50 GMT

How about the claim by a BBC television producer that an English spy agency discovered public key cryptography. Probably an in-joke that one must attend an IACR conference to appreciate.

/Steve

On Thu, 06 Jul 2000 11:41:36 GMT, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> Does anyone know any crypto-related jokes or links to them?
> Or perhaps someone could come up with an ingenious answer to the question: How many cryptographers does it take to change a light bulb?
> Thanks in advance for any suggestions
> rot26
> Sent via Deja.com http://www.deja.com/ Before you buy.

--

From: Greg [EMAIL PROTECTED]
Crossposted-To: comp.arch
Subject: Re: Proposal of some processor instructions for cryptographical applications
Date: Wed, 12 Jul 2000 05:07:33 GMT

> Finite field GF(2^8) and GF(2^16) multiplication (modulo some fixed irreducible polynomial) would be nice. Maybe also some other operations (x -> x^-1, e.g.).

I agree that support for finite fields would be a welcome enhancement to any general processor, but then it would not be so general. In fact, the finite field processing must be kept general, and that is hard enough. But then you want to take up silicon as well. That would be a hard push for any chip manufacturer to justify given today's market. But perhaps soon they will, given the improvements and other enhancements we are seeing.

> Several AES finalists (Rijndael, Twofish, MARS) would accelerate considerably if the next block of four 32-bit memory references could be computed by one instruction:
>
>   A := table[(X >> 0) & 255 + C1*256]
>   B := table[(X >> 8) & 255 + C2*256]
>   C := table[(X >> 16) & 255 + C3*256]
>   D := table[(X >> 24) & 255 + C4*256]

It would be nice if there was a multi-pipeline that worked in such a way as to provide similar action on a single instruction. But if it is kept general enough, then you have setup, and that overhead would have to be worth the size of the effort. For those who want to encrypt an entire disk, the payoff would certainly be there.

--
Tyranny is kept at bay by guns and will. Our government knows we have the guns, but they don't know if we have the will. Nor do we. The only lawful gun law on the books- the second amendment.

Sent via Deja.com http://www.deja.com/ Before you buy.

--

From: [EMAIL PROTECTED]
Subject: Re: Base Encryption: Strongest Cypher
Date: Wed, 12 Jul 2000 05:30:05 GMT

[EMAIL PROTECTED] wrote:
> It is immune from plain-text-attacks because multiple algorithms can generate the same plaintext. Multiple algorithms can generate the same cyphertext. It is like saying how many ways are there to come up with 12345? (infinite: 12344+1, 12343+2, 1+1+1+12342, etc)

It's late here, but I strongly suspect the set of numbers that add up to 12345 is finite. I mean, there certainly aren't any small integers with infinite amounts of numbers that add up to them, and I fail to see why the same principle doesn't apply to five digit ones. ;)

> It is immune from brute-force-attacks. A lot of people on this forum simply do not understand this. Read the Garage Door example, then the Chinese Newspaper, then come back to me. It is exponentially expensive. Then when you come back to me, and STILL don't get it.

A problem with a solution in exponential time isn't impossible. It's just difficult.

> 3) MORE secure as OTP.

This is extremely doubtful.

> Now, you can use plain text attack on that piece of paper on the One Time Pad. Can you do that on Base Encryption? NO.

I, for one, would be interested in hearing how a known plaintext attack on a sheet off a one time pad worked. (Assuming you don't know the entire plaintext, that is.)

> Where can I find more info
Cryptography-Digest Digest #210, Volume #11    Sun, 27 Feb 00 21:13:01 EST

Contents:
  Re: - US "allows" encryption program online ("Steve Everley")
  Re: CRC-16 Reverse Algorithm ? (David A. Wagner)
  Re: CRC-16 Reverse Algorithm ? (lordcow77)
  Re: CRC-16 Reverse Algorithm ? (David A. Wagner)
  Re: CRC-16 Reverse Algorithm ? (David A. Wagner)
  Re: It could have been done to any human, but Markku J. Saarelainen was chosen due to his extensive global experience ("Noel")
  Re: I am really Markku J. Saarelainen. I can have a video conference ("Markku J. Saarelainen")
  Re: On jamming interception networks ("John E. Kuslich")
  Re: I am really Markku J. Saarelainen. -- review my educational records ("Markku J. Saarelainen")
  Re: Newbie Brute Force Question ("Joseph Ashwood")
  How do I get the key from the passphrase in DES? ("Amit IG")
  Re: I am really Markku J. Saarelainen. I can have a video conference with you if you do not believe. William A. Nelson was my invention to teach a lesson to one person. I'll be departing the world and my life soon .. but this was what I planned... all m ("Thorn")
  Re: Newbie Brute Force Question (JPeschel)
  Re: Cryonics and cryptanalysis (John Savard)
  Re: Cryonics and cryptanalysis (John Savard)
  Re: Cryonics and cryptanalysis (John Savard)
  Re: blowfish and questions..??? ("Joseph Ashwood")
  Re: Cryonics and cryptanalysis (Jerry Coffin)

--

From: "Steve Everley" [EMAIL PROTECTED]
Crossposted-To: alt.sources.crypto,talk.politics.crypto,us.legal
Subject: Re: - US "allows" encryption program online
Date: Sun, 27 Feb 2000 17:12:28 -0600

"John Galt" [EMAIL PROTECTED] wrote:
> "Professor allowed to post encryption program online"

I have seen lots of this in some fifty plus listings and messages --- and yet no one has put up the web site, if known, on where one can obtain the program. If he is allowed to post it then has he in fact released it, or is that still under future consideration? Anyone care to give the address...

-=Steve=-

--

From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: CRC-16 Reverse Algorithm ?
Date: 27 Feb 2000 15:08:08 -0800

In article [EMAIL PROTECTED], Terry Ritter [EMAIL PROTECTED] wrote:
> Missing and extra 0's are also detected.

How can this be? Take a vanilla CRC initialized to the all-zeros state. Clock in a single zero bit. The result will still be the all-zeros state. Clock in as many zero bits as you like, the state won't change. Consequently, the CRC can't tell the difference between the message 0^j || M (i.e., j zeros followed by M) and the message 0^k || M.

Sure, in a real implementation you should add extra precautions to eliminate this property. For instance, simply avoid starting in the all-zeros state. Or start in the all-zeros state but always prepend a one-bit to the message (a roughly equivalent countermeasure). But if you do nothing, it seems you get into trouble. And I'm talking about the vanilla "do-nothing" case.

Consider the pseudocode you suggested:

  if (msb(crc) = databit)
    crc = crc << 1;
  else
    crc = (crc << 1) ^ poly;

If you run this code fragment with crc=0 and databit=0, you will execute the statement `crc = crc << 1;', and since 0 << 1 = 0, we will still have crc=0 after the code fragment. This supports what I said above.

There, I tried it. Now, where did I go wrong?

Ignore the all-ones stuff for the moment; are you *sure* I'm wrong about this all-zeros property?

--

Subject: Re: CRC-16 Reverse Algorithm ?
From: lordcow77 [EMAIL PROTECTED]
Date: Sun, 27 Feb 2000 15:58:59 -0800

In article 89caoo$v8j$[EMAIL PROTECTED], [EMAIL PROTECTED] (David A. Wagner) wrote:
> Ignore the all-ones stuff for the moment; Are you *sure* I'm wrong about this all-zeros property?

You're right if the CRC register starts with all zeroes, but IF the register is initially initialized with all ones, the CRC algorithm will detect a prepended string of ones OR zeroes. Just run the algorithm through a couple of times (I find the byte-wise table method more clear for intuitive expression of these concepts). REG=0x After we push a 0x00 byte into the register, we get REG=0xff00 and so on until REG=0x.

* Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!

--

From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: CRC-16 Reverse Algorithm ?
Date: 27 Feb 2000 15:20:51 -0800

In article [EMAIL PROTECTED], Terry Ritter [EMAIL PROTECTED] wrote:
>   if (msb(crc) = databit)
>     crc = crc << 1;
>   else
>     crc = (crc << 1) ^ poly;

Ok, let's try this. I will show an initial state which allows you t
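Worked example for the CRC exchange above (added here, not part of the thread): the bit-serial update exactly as in Ritter's pseudocode, run from the all-zeros state Wagner discusses and from the all-ones state lordcow77 proposes, plus Wagner's "prepend a one-bit" alternative. The 16-bit register, the generator 0x1021 (CRC-16-CCITT's polynomial) and the sample message are assumptions of the example.

```python
# Added example, not from the thread: vanilla CRC per the quoted pseudocode,
# showing when prepended zero bits are and are not detected.
from typing import Iterable, Iterator

POLY = 0x1021  # assumed generator: x^16 + x^12 + x^5 + 1 (CRC-16-CCITT polynomial)
MASK = 0xFFFF  # 16-bit register


def bits_of(data: bytes) -> Iterator[int]:
    """Yield the bits of a byte string, most significant bit of each byte first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def crc16_bits(bits: Iterable[int], init: int, poly: int = POLY) -> int:
    """Ritter's per-bit update: shift left, and XOR in the polynomial when the
    bit leaving the register differs from the incoming data bit."""
    crc = init & MASK
    for databit in bits:
        msb = crc >> 15
        crc = (crc << 1) & MASK
        if msb != databit:
            crc ^= poly
    return crc


def crc16(data: bytes, init: int) -> int:
    return crc16_bits(bits_of(data), init)


def crc16_leading_one(data: bytes) -> int:
    """Wagner's countermeasure: start at all-zeros but prepend a 1 bit."""
    return crc16_bits([1] + list(bits_of(data)), 0)


def detects_leading_zeros(init: int, message: bytes, zero_bytes: int) -> bool:
    """True if the CRC changes when zero_bytes bytes of 0x00 are prepended."""
    padded = b"\x00" * zero_bytes + message
    return crc16(padded, init) != crc16(message, init)


MESSAGE = b"123456789"  # constructed sample message

if __name__ == "__main__":
    padded = b"\x00\x00" + MESSAGE
    for init in (0x0000, 0xFFFF):
        print("init=%#06x  crc(M)=%#06x  crc(00 00 || M)=%#06x  detected=%s" % (
            init, crc16(MESSAGE, init), crc16(padded, init),
            detects_leading_zeros(init, MESSAGE, 2)))
    print("leading-one variant detects a prepended zero byte:",
          crc16_leading_one(b"\x00" + MESSAGE) != crc16_leading_one(MESSAGE))
```

From 0xFFFF a single 0x00 byte moves the register to 0xE1F0 and a second to 0x1D0F, so the all-ones start does distinguish prepended zeros; from 0x0000 the register never leaves zero.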
Cryptography-Digest Digest #210, Volume #10    Thu, 9 Sep 99 15:13:03 EDT

Contents:
  Digital Certificates and Authentication ([EMAIL PROTECTED])
  Re: THE NSAKEY ("Douglas A. Gwyn")
  Re: arguement against randomness ("Douglas A. Gwyn")
  Re: simple key dependent encryption ("Douglas A. Gwyn")
  Re: Random and pseudo-random numbers ("Douglas A. Gwyn")
  Re: Unix Crypt on MS Windows platform ("Douglas A. Gwyn")
  Re: Plaintext block size ("Douglas A. Gwyn")
  Re: Difference between Encryption and scrambling..?
  Re: DES and initial permutation ("Charlie Harrison")
  Re: compression and encryption (Tom St Denis)
  Re: some information theory (Tom St Denis)
  Re: GnuPG 1.0 released (Tom St Denis)
  Re: Digital Certificates and Authentication (Tom St Denis)
  Re: Description of SQ ("Kostadin Bajalcaliev")
  Re: unix clippers that implement strong crypto. (Bill Unruh)
  Re: compression and encryption ("Douglas A. Gwyn")
  Re: SQ2 Announcement (David Wagner)

--

From: [EMAIL PROTECTED]
Subject: Digital Certificates and Authentication
Date: Thu, 09 Sep 1999 14:45:34 GMT

This may be a dumb question, but let's say you have a server that requires authentication to access. My question is, if the authentication process uses Digital Certificates, do you need to deal with passwords? Since you can verify a Digital Certificate for authenticity, why bother with a password?

Casey

Sent via Deja.com http://www.deja.com/ Share what you know. Learn what you don't.

--

From: "Douglas A. Gwyn" [EMAIL PROTECTED]
Subject: Re: THE NSAKEY
Date: Thu, 9 Sep 1999 14:33:23 GMT

fungus wrote:
> Ask yourself why the hell the NSA would give cash to Netscape?

Perhaps they are dependent on Netscape Navigator and wanted to ensure that they had access to the source code.

--

From: "Douglas A. Gwyn" [EMAIL PROTECTED]
Subject: Re: arguement against randomness
Date: Thu, 9 Sep 1999 14:39:35 GMT

Tim Tyler wrote:
> elarson [EMAIL PROTECTED] wrote:
> : It doesn't take a pompous genius to see the randomness of Nature.
> If the universe is deterministic, all this is dead wrong.

No, randomness and determinism are not exact opposites.

--

From: "Douglas A. Gwyn" [EMAIL PROTECTED]
Subject: Re: simple key dependent encryption
Date: Thu, 9 Sep 1999 14:38:29 GMT

steve cator wrote:
> 1. the user enters a key.
> 2. the program reads in a file, byte by byte.
> 3. the value of each byte is added to the next ascii value of the key, and written back to the file.
> for decryption, the ascii value of each key character is SUBTRACTED from the byte.
> a) what is this type of encryption called?

All sorts of epithets come to mind, but if you use a finite, repeating key it is called a "periodic Caesar polyalphabetic".

> b) am i wrong in thinking this type of key dependent encryption would be tough to crack?

You're not only wrong, you're way wrong. Such systems are used as exercises in elementary courses on cryptanalysis. It is much safer to use an encryption system designed by an experienced cryptographer than to roll your own as a newbie.

--

From: "Douglas A. Gwyn" [EMAIL PROTECTED]
Subject: Re: Random and pseudo-random numbers
Date: Thu, 9 Sep 1999 14:44:03 GMT

Eric Lee Green wrote:
> None of these are working for me if I'm wanting my code to run on HPUX, Solaris, or SCO Unix in unattended mode.

There is (so far as I know) no POSIX-standard true-random generator. You can attach a hardware RNG to a serial port, for example, and fetch however many random bits you need when you need them; or, if all your systems are attached to a net, they could fetch random bits from some random bit server that has the appropriate hardware. I think there's even a publicly-accessible Internet site serving random bits, if you want to trust it.

--

From: "Douglas A. Gwyn" [EMAIL PROTECTED]
Subject: Re: Unix Crypt on MS Windows platform
Date: Thu, 9 Sep 1999 14:57:53 GMT

John Brugioni wrote:
> Anybody have a utility to do unix crypt on Windows NT, 95 or 98?

Sure, just use the freely available binary release of 7th Edition UNIX with one of the freely available PDP-11 emulations.

--

From: "Douglas A. Gwyn" [EMAIL PROTECTED]
Subject: Re: Plaintext block size
Date: Thu, 9 Sep 1999 14:49:02 GMT

Kwong Chan wrote:
> My understanding is that for a stream cipher, both the input plaintext alphabets, the ciphertext alphabets and the key alphabets consist of {0,1}. And the substitution mapping is defined by S = p xor z

No. A stream cipher operates on a plaintext alphabet one symbol at a time and produces one ciphertext symbol per plaintext symbol. A
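Worked example for the "simple key dependent encryption" exchange above, where Gwyn calls the byte-add scheme a periodic Caesar polyalphabetic and a classroom cryptanalysis exercise (added here, not part of the digest). The scheme is implemented as steve cator describes it, and the exercise part recovers the period with the index of coincidence and then each key byte from ciphertext alone; the sample text and the key are constructed, and the key-recovery step assumes printable ASCII plaintext in which the space is a common byte.

```python
# Added example, not from the digest: the described byte-add cipher, then the
# elementary-course exercise of recovering its period and key.
from collections import Counter


def encrypt(data: bytes, key: bytes) -> bytes:
    # Step 3 of the described scheme: add the next key byte to each data byte.
    return bytes((b + key[i % len(key)]) & 0xFF for i, b in enumerate(data))


def decrypt(data: bytes, key: bytes) -> bytes:
    return bytes((b - key[i % len(key)]) & 0xFF for i, b in enumerate(data))


def index_of_coincidence(column: bytes) -> float:
    """Probability that two distinct positions of the column hold the same byte."""
    n = len(column)
    if n < 2:
        return 0.0
    return sum(v * (v - 1) for v in Counter(column).values()) / (n * (n - 1))


def period_score(c: bytes, d: int) -> float:
    """Mean IoC of the d columns c[j::d]. When d is a multiple of the key length
    each column is one Caesar shift of text, so its IoC stays as high as the
    plaintext's; for other d the columns mix several shifts and score low."""
    return sum(index_of_coincidence(c[j::d]) for j in range(d)) / d


def guess_period(c: bytes, max_period: int = 10) -> int:
    best = max(range(1, max_period + 1), key=lambda d: period_score(c, d))
    # Multiples of the true period score just as well, so prefer the smallest
    # divisor of the best candidate that is still on the high plateau.
    for d in range(1, best + 1):
        if best % d == 0 and period_score(c, d) >= 0.85 * period_score(c, best):
            return d
    return best


def recover_key(c: bytes, period: int) -> bytes:
    """One key byte per column, from ciphertext alone. Assumes printable ASCII
    plaintext with spaces: try the key bytes that decrypt the most frequent
    column bytes to a space, and keep the first one under which the whole
    column decrypts to printable characters."""
    key = bytearray()
    for j in range(period):
        column = c[j::period]
        for value, _ in Counter(column).most_common():
            k = (value - 0x20) & 0xFF
            if all(0x20 <= (b - k) & 0xFF < 0x7F for b in column):
                key.append(k)
                break
        else:
            raise ValueError("column %d does not decrypt to ASCII text" % j)
    return bytes(key)


# Constructed sample plaintext (about 1 KB of ordinary English) and key.
PLAINTEXT = (
    b"It was a cold and clear night on the hill above the town and the lamps along the road "
    b"had gone out one by one until only the light in the old mill still burned. The boy sat "
    b"on the wall with his coat pulled tight and watched the river move under the bridge. He "
    b"had been told to wait for the cart and to say nothing to anyone who came up the road, "
    b"and so he waited, counting the stones in the wall and the stars that showed between "
    b"the clouds. After a long time he heard wheels on the gravel and the slow step of a "
    b"tired horse, and then a voice that he knew called his name softly from the dark. He "
    b"climbed down, took the reins that were held out to him, and led the horse and the cart "
    b"through the gate and into the yard behind the mill, where the miller was waiting with "
    b"a lantern and a face that gave away nothing at all. The sacks were heavy and it took "
    b"the three of them most of an hour to carry them in and stack them along the far wall, "
    b"and when it was done the boy went home by the river path and slept until the sun was high."
)
KEY = b"monkey"


def demo():
    """Encrypt the sample, then recover (period, key) from the ciphertext only."""
    c = encrypt(PLAINTEXT, KEY)
    period = guess_period(c)
    return period, recover_key(c, period)


if __name__ == "__main__":
    period, key = demo()
    print("guessed period:", period, " recovered key:", key)
    print("round trip ok:", decrypt(encrypt(PLAINTEXT, KEY), key) == PLAINTEXT)
```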
Cryptography-Digest Digest #210, Volume #9    Tue, 9 Mar 99 16:13:03 EST

Contents:
  Re: Really Nonlinear Cipher Idea (Boris Kazak)
  Re: Cyclotomic Number Generators (R. Knauer)
  Re: British Crypto Fascists (Derek Bell)
  Re: Limitations of testing / filtering hardware RNG's (Mark Currie)
  Re: Testing Algorithms (Herman Rubin)
  Re: ElGamal vs RSA ([EMAIL PROTECTED])
  Re: checksum algorithm ? (wtshaw)
  Re: Does/Can multiple XORing of the Plain/Cipher text improve security? (wtshaw)

--

From: Boris Kazak [EMAIL PROTECTED]
Subject: Re: Really Nonlinear Cipher Idea
Date: 9 Mar 1999 19:28:09 GMT
Reply-To: [EMAIL PROTECTED]

John Savard wrote:
> I'm always looking for simple ways to make a block cipher nonlinear. I've come up with a really extreme one.
> Let us take a typical DES-like Feistel cipher, acting on a 64-bit block. Now, let us build a block cipher for a 128-bit block.
> Here is my really weird idea:
> One half of the block goes through 16 rounds of the ordinary Feistel cipher. This process produces 16 intermediate f-function values, each 32 bits wide.
> We then encipher the other half of the block for two or more rounds. It is divided into halves. Each round involves the eight nibbles of one half of the 64-bit half selecting an entry from an S-box with 16 32-bit entries. Since we only have one S-box, they're rotated one bit before the next one is XORed to create the f-function value.
> Oh, yes: what was that S-box? It was composed of the 16 f-function values produced when enciphering the other half of the block.
> A *data-dependent* S-box. Almost (there's Terry Ritter's autokey Dynamic Substitution, for example) a new frontier in cryptography!
> If key-dependent S-boxes create high security, it would seem that one which is even data-dependent as well would truly produce a cipher that defies analysis.
> John Savard (teneerf is spelled backwards)
> http://members.xoom.com/quadibloc/index.html

==
Would you spend a minute or two...

A Drunken Family.

This essay will be centered about an ignorant layman's approach to the design of symmetric ciphers, and I apologize in advance for the terminology, which may seem to some people simply strange, to others outright offensive.

In the course of this reading, by an unknown memory twist, I remembered a funny word combination - "Problem of a Drunken Sailor". Actually this is a serious mathematical problem, conventionally known as the problem of random walk. The essence of this problem can be visualized if one imagines a drunken sailor on a street crossing in an unknown city. The guy has about the equal probability to go in any of the 4 possible directions. On the next crossing there will be again 1 out of 4 choice, then again and again, until he comes to the harbor (if this ever happens).

And then a crazy idea came to my mind - why not introduce some trick which will deny the cryptanalyst the access to his main weapon? Why not make the algorithm itself key-dependent and plaintext-dependent. In this case our friend cryptanalyst will be thrown back to square zero, because there will be nothing certain to cryptanalyze - only the "C" code which will explain how the choices are made between different algorithms. Elaborating a little further, the number of possible choices must be greater than the combined number of all possible keys and all possible plaintexts. Then the brute-force attack will really be the only way - all other ways will require more plaintexts or more keys than can exist.

Now the purists are advised to close their eyes and to read the rest of the text with the eyes closed, because the main concept which will be discussed here is the concept of BOOZE.

BOOZE (orig. boo-zah)
  * word of Mongolian origin, denotes a beverage which makes people aggressive and delirious.
  * (amer. slang) strong liquor.

There are two variable parts processed by the encryption algorithm in order to produce ciphertext - key and plaintext. Accordingly, if the choices in the encryption procedure are dictated by the key alone, we will call this Master Booze; if the choices are dictated by the plaintext, we will call this Peer Booze. Both are necessary in varying proportions, and it is my intent to draw attention to the fact that a big amount of high quality Peer Booze is present in many successful block ciphers. Neglect of the amount or quality of Booze (both Master and Peer) facilitates the cryptanalysis enormously.

In order to appreciate the difference between a sober cipher and a drunken one, I deci