Cryptography-Digest Digest #210

2001-04-22 Thread Digestifier

Cryptography-Digest Digest #210, Volume #14  Sun, 22 Apr 01 20:13:01 EDT

Contents:
  Re: OTP WAS BROKEN!!! ("Tom St Denis")
  Re: OTP WAS BROKEN!!! (newbie)
  Re: Delta patching of encrypted data (David Wagner)
  Re: OTP WAS BROKEN!!! (newbie)
  Re: OTP WAS BROKEN!!! ("Tom St Denis")
  Re: OTP WAS BROKEN!!! ("Tom St Denis")
  research on polymorphic crypto/Best Possible Privacy? ("Shea J. Hawes")
  Re: keys and random (David Hopwood)
  Re: PK Algorithm Idea (David Hopwood)
  Re: patent this and patent that (David Hopwood)
  Re: Clarification - Re: Factoring (David Hopwood)
  Re: OTP WAS BROKEN!!! (Mathew Hendry)
  Re: OTP WAS BROKEN!!! (newbie)



From: "Tom St Denis" [EMAIL PROTECTED]
Subject: Re: OTP WAS BROKEN!!!
Date: Sun, 22 Apr 2001 23:16:35 GMT


"newbie" [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 It is not an answer F### off.
 It is an insult. I'm not going to insult you, because I'm polite. You
 are simply lying. I never said what you are claiming. I did not talk
 about non-random.

 Thank you Sir Smart.

WTF.  OTPs are based on random strings of key bits.  Anything else and it's
not an OTP.  Look at the subject of this thread.

Tom



--

From: newbie [EMAIL PROTECTED]
Subject: Re: OTP WAS BROKEN!!!
Date: Sun, 22 Apr 2001 19:17:03 -0300

Let me just say that:

If you re-use the OTP, it is then easy to break it.

I suppose a key k'.

I use this key to encipher a text that I know for sure.

C = P Xor k

C' = P' Xor k'

If k' = k, k' Xor k = 0; that means that I re-used the key k to encipher
C'. It is as if I reused the OTP twice.
The solution is easy. And P is text that has a sense.

But if k' is different from k: C' Xor C = (P Xor k) Xor (P' Xor k') =
(k' Xor k) Xor (P Xor P')

I know P' and I do know P and k.

C' Xor C Xor P' = P Xor (k Xor k')

I know what C' Xor C Xor P' is.
I know that k' Xor k is random; it is as if I had a new random key "z":
C' Xor C Xor P' = P Xor z
The probability that P Xor z has a sense is infinitesimal.

How do I select my messages?

Using a criterion of "sense".
If k' = k, I'm sure that the result of C' Xor C Xor P' is a text that has
a sense and that is nothing more than P. OTP is broken.
If k' is different from k, I'm quite sure, because of the randomness of
z = k' Xor k, that the result is a bit-string that does not have a sense. The
probability that any text Xored with random gives you as a result a
bit-string that has a sense is infinitesimal.

You have now the proof that OTP could be broken.

Alexis Machado wrote:
 
 "newbie" [EMAIL PROTECTED] wrote in message
 news:[EMAIL PROTECTED]...
  OTP was broken!
  It is not a joke.
 
  Let encipher with truly random key a message M.
  M is a plaintext
  M =( M1 M2 M3  Mn)
  K is a Keystream
  K = ( K1 K2 K3..Kn)
  C is a Ciphertext
  C = ( C1 C2 C3  Cn)
  ___
 
  What I know before breaking is C.
 
  What I could know using extra-information is the specific language used
  in my ciphertext.
  Sample: military communication. If I know that, I can still assign a
  high probability of occurring to
  all the words and sentences used by militaries in their mails.
  So I'm going to use a specific database to break my ciphertext.
  I'm going to show you that even if I have no extra-information, it makes
  my breaking more difficult but not impossible.
 [snip]
 
 Hi,
 
 In my previous reply to your post "OTP breaking strategy", I suggested a
 mathematical argument against your claim. Maybe the reasoning was not clear
 (and with some errors). So, I will try for the last time, I promise :-)
 
 As you stated
 
 C = M xor K
 
 Let
 1) Ai be the bit i of a text A.
 2) P(Ai) be the probability of "Ai = 1".
 3) 0 <= P(Ai) <= 1
 
 If the attacker can't guess anything about Ki, P(Ki) = 1/2.
 Let's find the relation between P(Ci) and P(Mi) :
 
 P(Mi) = P(Ci xor Ki)
   = P(Ci or Ki) - P(Ci and Ki)
   = P(Ci) + P(Ki) - P(Ci and Ki) - P(Ci and Ki)
   = P(Ci) + P(Ki) - 2 * P(Ci) * P(Ki)
   = P(Ci) + 1/2 - 2 * P(Ci) * 1/2
   = P(Ci) + 1/2 - P(Ci)
   = 1/2
 
 Note: Starting from P(Ki) = P(Ci xor Mi) we get the same result.
 
 Hence, P(Mi) and P(Ci) are unrelated and you can't say anything about one
 based on the other.
 
 If K is reused, the attacker may guess something about Ki by analyzing the
 plaintexts xor. In this case, P(Ki) is not 1/2 and we have a relation
 between P(Mi) and P(Ci).
 
 Alexis
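The two cases newbie works through (k' = k versus an independent k') and Alexis's P(Ci) = 1/2 argument, checked in code; this is an added example, not code from either post. The messages are constructed samples and the pad comes from secrets.token_bytes(), which stands in for a truly random pad.

```python
"""One-time pad: why pad reuse breaks it and why a fresh pad leaks nothing."""
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings (the OTP operation C = P xor K)."""
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """Encrypt (or decrypt, since XOR is its own inverse) under a pad of equal length."""
    return xor_bytes(plaintext, pad)


def recover_second_plaintext(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """The k' = k case from the thread: if one pad encrypted both messages,
    C1 xor C2 = P1 xor P2, so a known P1 yields P2 exactly.  When the pads were
    independent the same arithmetic returns P2 xor (K1 xor K2), i.e. uniform noise,
    which is newbie's "P Xor z" with z a fresh random string."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)


def pad_explaining(ciphertext: bytes, candidate_plaintext: bytes) -> bytes:
    """Perfect secrecy: for every candidate plaintext of the right length there is a
    pad under which the observed ciphertext is its encryption, so the ciphertext
    alone cannot prefer a candidate that "has a sense" over any other."""
    return xor_bytes(ciphertext, candidate_plaintext)


def ciphertext_one_bit_fraction(plaintext: bytes, trials: int) -> float:
    """Empirical check of Alexis's P(Ci) = 1/2: encrypt a maximally biased plaintext
    under `trials` fresh pads and return the fraction of ciphertext bits equal to 1."""
    ones = 0
    for _ in range(trials):
        c = otp_encrypt(plaintext, secrets.token_bytes(len(plaintext)))
        ones += sum(bin(byte).count("1") for byte in c)
    return ones / (8 * len(plaintext) * trials)


# Constructed sample messages, 16 bytes each.
P1 = b"ATTACK AT DAWN!!"
P2 = b"RETREAT AT DUSK!"

if __name__ == "__main__":
    pad = secrets.token_bytes(len(P1))
    c1, c2 = otp_encrypt(P1, pad), otp_encrypt(P2, pad)      # same pad twice
    print("reused pad ->", recover_second_plaintext(c1, c2, P1))
    c2_fresh = otp_encrypt(P2, secrets.token_bytes(len(P2)))   # independent pad
    print("fresh pad  ->", recover_second_plaintext(c1, c2_fresh, P1))
    alt = b"HOLD POSITION!!!"                                   # any other plaintext
    print("c1 also explained by", alt, ":",
          otp_encrypt(alt, pad_explaining(c1, alt)) == c1)
    print("fraction of 1 bits in ciphertexts of an all-zero plaintext:",
          round(ciphertext_one_bit_fraction(bytes(16), 2000), 3))
```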

--

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Delta patching of encrypted data
Date: 22 Apr 2001 23:22:31 GMT

Benjamin Goldberg  wrote:
Let's call the encryption operations PFB() and CBC() (just cause cbc is
more well known than iapm).

file = CBC(k2, IV, PFB(k1, pt)) == what is stored on disk.
x = CBC^-1(k2, file

Cryptography-Digest Digest #210

2000-11-22 Thread Digestifier

Cryptography-Digest Digest #210, Volume #13  Wed, 22 Nov 00 20:13:00 EST

Contents:
  10 Pcs. Of Paper Money From Around the World  7848 ([EMAIL PROTECTED])
  Re: RSA Signature ! (Steve Portly)
  Re: Entropy paradox ("Harvey Rook")
  Re: 10 Pcs. Of Paper Money From Around the World  7848 (Steve Portly)
  Re: why scramdisk menu don't work on win95 ? ("Sam Simpson")
  Re: Q: fast block ciphers (David Wagner)
  Re: New Dynamic Algo + Contest + Doc (David Wagner)
  Re: New Dynamic Algo + Contest + Doc (David Wagner)
  OCR Encryption ([EMAIL PROTECTED])
  Re: Mode of operation to maintain input size with block ciphers? (Jerry Leichter)
  Re: Mode of operation to maintain input size with block ciphers? (David Hopwood)
  Re: New Dynamic Algo + Contest + Doc (proton)
  Re: Entropy paradox ([EMAIL PROTECTED])
  Re: New Dynamic Algo + Contest + Doc (David Wagner)
  Re: A Simple Voting Procedure (Stanley Chow)
  Re: Question regarding OS's. ("Juri")
  Re: Mode of operation to maintain input size with block ciphers? ([EMAIL PROTECTED])
  Re: Question regarding OS's. ("Juri")
  Re: A Simple Voting Procedure (David Schwartz)



From: [EMAIL PROTECTED]
Subject: 10 Pcs. Of Paper Money From Around the World  7848
Date: Wed, 22 Nov 2000 18:25:45 GMT

Two days ago I ordered 10 pieces of paper money from 10 different countries from a 
company called Perth Numismatics. Lo and behold they arrived today and they are very 
nice and colourful. They even have a bill from Antarctica. I didn't even know they 
existed. These are perfect for stocking stuffers or people who are hard to buy for. 
The website address is www.perthmoney.com
Good luck and Merry Christmas

Cynthia Reeves

zsivyowvzkwvixyrsdmfiwsepftjkqykqxgivvkodhqjjukeufmmnhitrhoujwygjekgskgoqcvvvomcwkj




--

From: Steve Portly [EMAIL PROTECTED]
Subject: Re: RSA Signature !
Date: Wed, 22 Nov 2000 16:05:23 -0500



Frédéric Donnat wrote:

 Hi !
 I'd need to make my own Signature with RSA, but I first want to know
 how RSA Signature works. Usually you make a hash of your data (using
 MD5 or SHA for example) and then you sign it! But how do you
 sign it? Is it an encryption?

 If someone can help me or tell me where to find information about
 digital signatures I'll be very grateful!

 Best regards
 Fred

Any one way hash that will provide a unique identifier should work.
Your choice of hash will depend on the number of bits your signature will
contain.
For most signatures of 24 characters or less a hash such as MD5 should be
adequate.
Lots of information can be found in the RFC's. RFC1750 for example.




--

From: "Harvey Rook" [EMAIL PROTECTED]
Subject: Re: Entropy paradox
Date: Wed, 22 Nov 2000 13:24:59 -0800

The problem is with your use of the phrase "the u bits are provably secure."
Provably secure does mean that m can never be calculated and that u is
perfectly random. It means that the best available attack is brute force.
Such a brute force attack would take about O(sqrt(m)) work/space to execute.

Since u > m, you've provided more than enough material to calculate m.

So there is no paradox.

Harv


"Mok-Kong Shen" [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...

 This is a re-formulation of an issue that I questioned
 previously. Suppose one has m perfectly random bits and
 uses that in some appropriate way to get a BBS generator
 to generate u bits, with u > m. We know that (accepting
 certain plausible assumptions) the u bits are provably
 secure. It seems thus that we have obtained more entropy
 that way, i.e. having obtained an amount of additional
 entropy from nothing. How is this apparent paradox to be
 properly explained? (Or does each bit of the generated
 sequence have in average m/u bits of entropy?) Thanks in
 advance.

 M. K. Shen
 --
 http://home.t-online.de/home/mok-kong.shen



--

From: Steve Portly [EMAIL PROTECTED]
Subject: Re: 10 Pcs. Of Paper Money From Around the World  7848
Date: Wed, 22 Nov 2000 16:28:02 -0500



[EMAIL PROTECTED] wrote:

 Two days ago I ordered 10 pieces of paper money from 10 different countries from a 
company called Perth Numismatics. Lo and behold they arrived today and they are very 
nice and colourful. They even have a bill from Antarctica. I didn't even know they 
existed. These are perfect for stocking stuffers or people who are hard to buy for. 
The website address is www.perthmoney.com
 Good luck and Merry Christmas

 Cynthia Reeves

 zsivyowvzkwvixyrsdmfiwsepftjkqykqxgivvkodhqjjukeufmmnhitrhoujwygjekgskgoqcvvvomcwkj

Ok I got one.
zsvyowvzkwvixyrsmfispfjkqykqxgivvkodhqjjukeufmmhihojwyjekgkgqcvvvomcwkj


--

From: "Sam Simpson" [EMAIL PROTECTED]
Crossposted-To: comp.security.misc
Subje

Cryptography-Digest Digest #210

2000-07-12 Thread Digestifier

Cryptography-Digest Digest #210, Volume #12  Wed, 12 Jul 00 05:13:01 EDT

Contents:
  Re: Crypto jokes? (potentially OT) (Steve Meyer)
  Re: Proposal of some processor instructions for cryptographical applications (Greg)
  Re: Base Encryption: Strongest Cypher ([EMAIL PROTECTED])
  New Idea - Cipher on a Disk (Greg)
  Re: Base Encryption: Strongest Cypher (S. T. L.)
  Re: New Idea - Cipher on a Disk (David A Molnar)
  Definition question (Ichinin)
  Re: Base Encryption: Strongest Cypher (Steve Rush)
  Re: RC4-- repetition length? (Runu Knips)
  Re: blowfish  8 byte blocks (Runu Knips)
  Re: Proposal of some processor instructions for cryptographical applications (Jan Vorbrueggen)
  attack against CBC mode (Serge Vaudenay)
  Re: Proposal of some processor instructions for cryptographical applications (Jan Vorbrueggen)
  SC also in inverse ? (Runu Knips)
  Re: RC4-- repetition length? (Benjamin Goldberg)
  Re: Proposal of some processor instructions for cryptographical applications ("Peter L. Montgomery")
  Re: Steganographic encryption system (John Hasler)



From: [EMAIL PROTECTED] (Steve Meyer)
Subject: Re: Crypto jokes? (potentially OT)
Reply-To: [EMAIL PROTECTED]
Date: 12 Jul 2000 05:24:50 GMT

How about the claim by a BBC television producer that an English spy agency
discovered public key cryptography.  Probably an in-joke that one must
attend an IACR conference to appreciate.
/Steve

On Thu, 06 Jul 2000 11:41:36 GMT, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Does anyone know any crypto-related jokes or links to them?
Or perhaps someone could come up with an ingenious answer to the
question:

How many cryptographers does it take to change a light bulb?

Thanks in advance for any suggestions

rot26


Sent via Deja.com http://www.deja.com/
Before you buy.

--

From: Greg [EMAIL PROTECTED]
Crossposted-To: comp.arch
Subject: Re: Proposal of some processor instructions for cryptographical applications
Date: Wed, 12 Jul 2000 05:07:33 GMT


 Finite field GF(2^8) and GF(2^16) multiplication (modulo some
 fixed irreducible polynomial) would be nice. May be also some
 other operations (x->x^-1, e.g.).

I agree, that support for finite fields would be a welcomed
enhancement to any general processor, but then it would not be
so general.  In fact, the finite field processing must be kept
general, and that is hard enough.  But then you want to take
up silicon as well.  That would be a hard push for any chip
manufacture to justify given today's market.  But perhaps soon
they will, given the improvements and other enhancements we
are seeing.


 Several AES finalists (Rijndael, Twofish, MARS) would accelerate
 considerably if the next block of four 32-bit memory references
 could be computed by one instruction:

 A:=table[(X>>0)&255 + C1*256]
 B:=table[(X>>8)&255 + C2*256]
 C:=table[(X>>16)&255 + C3*256]
 D:=table[(X>>24)&255 + C4*256]

It would be nice if there was a multi pipeline that worked
in such a way to provide similar action on a single instruction.
But if it is kept general enough, then you have setup, and that
overhead would have to be worth the size of the effort.  For those
who want to encrypt an entire disk, the payoff would certainly
be there.


--
Tyranny is kept at bay by guns and will.  Our government
knows we have the guns, but they don't know if we have
the will.  Nor do we.
The only lawful gun law on the books- the second amendment.


Sent via Deja.com http://www.deja.com/
Before you buy.

--

From: [EMAIL PROTECTED]
Subject: Re: Base Encryption: Strongest Cypher
Date: Wed, 12 Jul 2000 05:30:05 GMT

[EMAIL PROTECTED] wrote:
 It is immune from plain-text-attacks because multiple algorithms
 can generate same plaintext.  Multiple algorithms can generate
 same cyphertext.  It is like saying how many ways are there to
 come up with 12345?  (infinite: 12344+1, 12343+2, 1+1+1+12342, etc)

It's late here, but I strongly suspect the set of numbers that add up
to 12345 is finite. I mean, there certainly aren't any small integers
with infinite amounts of numbers that add up to them, and I fail to
see why the same principle doesn't apply to five digit ones. ;)

 It is immune from brute-force-attacks.  A lot of people on this
 forum simply do not understand this.  Read the Garage Door example,
 then the Chinese Newspaper, then come back to me.  It is exponentially
 expensive.  Then when you come back to me, and STILL don't get it.

A problem with a solution in exponential time isn't impossible. It's
just difficult.

 3) MORE secure as OTP.

This is extremely doubtful. 

 Now, you can use plain text attack on that piece of paper on the One
 Time Pad.  Can you do that on Base Encryption?  NO.

I, for one, would be interested in hearing how a known plaintext
attack on a sheet off a one time pad worked. (Assuming you don't know
the entire plaintext, that is.)


 Where can I find more info 

Cryptography-Digest Digest #210

2000-02-27 Thread Digestifier

Cryptography-Digest Digest #210, Volume #11  Sun, 27 Feb 00 21:13:01 EST

Contents:
  Re: - US "allows" encryption program online ("Steve Everley")
  Re: CRC-16 Reverse Algorithm ? (David A. Wagner)
  Re: CRC-16 Reverse Algorithm ? (lordcow77)
  Re: CRC-16 Reverse Algorithm ? (David A. Wagner)
  Re: CRC-16 Reverse Algorithm ? (David A. Wagner)
  Re: It could have been done to any human, but Markku J. Saarelainen was chosen due to his extensive global experience ("Noel")
  Re: I am really Markku J. Saarelainen. I can have a video conference  ("Markku J. Saarelainen")
  Re: On jamming interception networks ("John E. Kuslich")
  Re: I am really Markku J. Saarelainen. -- review my educational records  ("Markku J. Saarelainen")
  Re: Newbie Brute Force Question ("Joseph Ashwood")
  How do I get the key from the passphrase in DES? ("Amit IG")
  Re: I am really Markku J. Saarelainen. I can have a video conference with you if you do not believe. William A. Nelson was my invention to teach a lesson to one person. I'll be departing the world and my life soon  .. but this was what I planned... all m ("Thorn")
  Re: Newbie Brute Force Question (JPeschel)
  Re: Cryonics and cryptanalysis (John Savard)
  Re: Cryonics and cryptanalysis (John Savard)
  Re: Cryonics and cryptanalysis (John Savard)
  Re: blowfish and questions..??? ("Joseph Ashwood")
  Re: Cryonics and cryptanalysis (Jerry Coffin)



From: "Steve Everley" [EMAIL PROTECTED]
Crossposted-To: alt.sources.crypto,talk.politics.crypto,us.legal
Subject: Re: - US "allows" encryption program online
Date: Sun, 27 Feb 2000 17:12:28 -0600

  "John Galt" [EMAIL PROTECTED] wrote:
 "Professor allowed to post encryption program online"


I have seen lots of this in some fifty plus listings and
messages  ---and yet no one has put up the web site   If
Known  on where one can obtain the program.  If he is
allowed to post it then has he in fact released it or is
that still under future consideration.

 Anyone care to give the address...

-=Steve=-




--

From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: CRC-16 Reverse Algorithm ?
Date: 27 Feb 2000 15:08:08 -0800

In article [EMAIL PROTECTED], Terry Ritter [EMAIL PROTECTED] wrote:
 Missing and extra 0's are also detected.  

How can this be?  Take a vanilla CRC initialized to the all-zeros state.
Clock in a single zero bit.  The result will still be the all-zeros
state.  Clock in as many zero bits as you like, the state won't change.

Consequently, the CRC can't tell the difference between the message
0^j || M (i.e., j zeros followed by M) and the message 0^k || M.

Sure, in a real implementation you should add extra precautions to eliminate
this property.  For instance, simply avoid starting in the all-zeros state.
Or start in the all-zeros state but always prepend a one-bit to the message
(a roughly equivalent countermeasure).  But if you do nothing, it seems you
get into trouble.  And I'm talking about the vanilla "do-nothing" case.

Consider the pseudocode you suggested:
  if (msb(crc) == databit)
 crc = crc << 1;
  else
 crc = (crc << 1) ^ poly;
If you run this code fragment with crc=0 and databit=0, you will execute the
statement `crc = crc << 1;', and since 0 << 1 = 0, we will still have crc=0
after the code fragment.  This supports what I said above.

There, I tried it.  Now, where did I go wrong?

Ignore the all-ones stuff for the moment;
Are you *sure* I'm wrong about this all-zeros property?

--

Subject: Re: CRC-16 Reverse Algorithm ?
From: lordcow77 [EMAIL PROTECTED]
Date: Sun, 27 Feb 2000 15:58:59 -0800

In article 89caoo$v8j$[EMAIL PROTECTED],
[EMAIL PROTECTED] (David A. Wagner) wrote:
Ignore the all-ones stuff for the moment;
Are you *sure* I'm wrong about this all-zeros property?



You're right if the CRC register starts with all zeroes, but IF
the register is initialized with all ones, the CRC
algorithm will detect a prepended string of ones OR zeroes. Just
run the algorithm through a couple of times (I find the byte-wise
table method clearer for intuitive expression of these
concepts).
REG=0x
After we push a 0x00 byte into the register, we get
REG=0xff00 and so on until REG=0x.


* Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!
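Wagner's all-zeros observation, the two countermeasures he names (a non-zero initial state, or a prepended one bit) and lordcow77's all-ones initialization, checked in code. This is an added example, not code from either post; the polynomial 0x1021 (CRC-CCITT) and the 16-bit register width are assumptions, since the thread names neither.

```python
"""Bit-serial CRC-16 in the form quoted in the thread, used to check the
leading-zero property.  Polynomial 0x1021 is an assumption (the posts name none)."""
from typing import Iterable, List

POLY = 0x1021   # assumed CRC-CCITT polynomial, x^16 + x^12 + x^5 + 1
MASK = 0xFFFF


def bytes_to_bits(data: bytes) -> List[int]:
    """Msb-first bit list of a byte string."""
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def crc16_bits(bits: Iterable[int], init: int = 0, poly: int = POLY) -> int:
    """The quoted pseudocode, one data bit per step:
        if msb(crc) == databit: crc = crc << 1
        else:                   crc = (crc << 1) ^ poly
    With crc == 0 and databit == 0 the register stays 0, which is the whole point."""
    crc = init & MASK
    for databit in bits:
        if (crc >> 15) & 1 == databit:
            crc = (crc << 1) & MASK
        else:
            crc = ((crc << 1) ^ poly) & MASK
    return crc


def crc16(data: bytes, init: int = 0) -> int:
    """CRC of a byte string; init=0 is the "do-nothing" case, init=0xFFFF the all-ones one."""
    return crc16_bits(bytes_to_bits(data), init)


def zero_prefix_invisible(message: bytes, init: int, max_zeros: int = 16) -> bool:
    """True if prepending 0..max_zeros zero bits never changes the CRC, i.e. the check
    cannot tell 0^j || M from 0^k || M.  Expected True for init=0, False otherwise,
    because a non-zero register is moved by a zero bit (0xFFFF -> 0xEFDF here)."""
    bits = bytes_to_bits(message)
    base = crc16_bits(bits, init)
    return all(crc16_bits([0] * j + bits, init) == base for j in range(max_zeros + 1))


def one_bit_prefix_distinguishes(message: bytes, max_zeros: int = 16) -> bool:
    """Second countermeasure: keep init=0 but prepend a 1 bit.  Once the register is
    non-zero every further zero bit changes the state, so 1 || 0^j || M gets a
    different CRC for each j (for j well below the register sequence's period)."""
    bits = bytes_to_bits(message)
    seen = {crc16_bits([1] + [0] * j + bits, 0) for j in range(max_zeros + 1)}
    return len(seen) == max_zeros + 1


if __name__ == "__main__":
    msg = b"123456789"   # the usual CRC check string
    for init in (0x0000, 0xFFFF):
        print(f"init {init:#06x}: crc={crc16(msg, init):#06x}, "
              f"blind to leading zeros: {zero_prefix_invisible(msg, init)}")
    print("prepend-a-one countermeasure distinguishes prefixes:",
          one_bit_prefix_distinguishes(msg))
```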


--

From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: CRC-16 Reverse Algorithm ?
Date: 27 Feb 2000 15:20:51 -0800

In article [EMAIL PROTECTED], Terry Ritter [EMAIL PROTECTED] wrote:
 if (msb(crc) == databit)
crc = crc << 1;
 else
crc = (crc << 1) ^ poly;

Ok, let's try this.
I will show a initial state which allows you t

Cryptography-Digest Digest #210

1999-09-09 Thread Digestifier

Cryptography-Digest Digest #210, Volume #10   Thu, 9 Sep 99 15:13:03 EDT

Contents:
  Digital Certificates and Authentication ([EMAIL PROTECTED])
  Re: THE NSAKEY ("Douglas A. Gwyn")
  Re: arguement against randomness ("Douglas A. Gwyn")
  Re: simple key dependent encryption ("Douglas A. Gwyn")
  Re: Random and pseudo-random numbers ("Douglas A. Gwyn")
  Re: Unix Crypt on MS Windows platform ("Douglas A. Gwyn")
  Re: Plaintext block size ("Douglas A. Gwyn")
  Re: Difference between Encryption and scrambling..?
  Re: DES and initial permutation ("Charlie Harrison")
  Re: compression and encryption (Tom St Denis)
  Re: some information theory (Tom St Denis)
  Re: GnuPG 1.0 released (Tom St Denis)
  Re: Digital Certificates and Authentication (Tom St Denis)
  Re: Description of SQ ("Kostadin Bajalcaliev")
  Re: unix clippers that implement strong crypto. (Bill Unruh)
  Re: compression and encryption ("Douglas A. Gwyn")
  Re: SQ2 Announcement (David Wagner)



From: [EMAIL PROTECTED]
Subject: Digital Certificates and Authentication
Date: Thu, 09 Sep 1999 14:45:34 GMT

This may be a dumb question, but let's say you have a system that server
that requires authentication to access.  My question is, if the
authentication process uses Digital Certificates, do you need to deal
with passwords?  Since you can verify a Digital Certificate for
authenticity, why bother with a password?

Casey


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.

--

From: "Douglas A. Gwyn" [EMAIL PROTECTED]
Subject: Re: THE NSAKEY
Date: Thu, 9 Sep 1999 14:33:23 GMT

fungus wrote:
 Ask yourself why the hell the NSA would give cash to Netscape?

Perhaps they are dependent on Netscape Navigator and wanted to
ensure that they had access to the source code.

--

From: "Douglas A. Gwyn" [EMAIL PROTECTED]
Subject: Re: arguement against randomness
Date: Thu, 9 Sep 1999 14:39:35 GMT

Tim Tyler wrote:
 elarson [EMAIL PROTECTED] wrote:
 : It doesn't take a pompous genuis to see the randomness of Nature.
 If the universe is deterministic, all this is dead wrong.

No, randomness and determinism are not exact opposites.

--

From: "Douglas A. Gwyn" [EMAIL PROTECTED]
Subject: Re: simple key dependent encryption
Date: Thu, 9 Sep 1999 14:38:29 GMT

steve cator wrote:
 1. the user enters a key.
 2. the program reads in a file, byte by byte.
 3. the value of each byte is added to the next ascii value of the key,
 and written back to the file.
 for decryption, the ascii value of the each key character is SUBTRACTED
 from the byte.
 a) what is this type of encryption called?

All sorts of epithets come to mind, but if you use a finite,
repeating key it is called a "periodic Caesar polyalphabetic".

 b) am i wrong in thinking this type of key dependent encryption would be
 tough to crack?

You're not only wrong, you're way wrong.  Such systems are
used as exercises in elementary courses on cryptanalysis.

It is much safer to use an encryption system designed by an
experienced cryptographer than to roll your own as a newbie.

--

From: "Douglas A. Gwyn" [EMAIL PROTECTED]
Subject: Re: Random and pseudo-random numbers
Date: Thu, 9 Sep 1999 14:44:03 GMT

Eric Lee Green wrote:
 None of these are working for me if I'm  wanting my code to run on
 HPUX, Solaris, or SCO Unix in unattended mode.

There is (so far as I know) no POSIX-standard true-random generator.
You can attach a hardware RNG to a serial port, for example, and fetch
however many random bits you need when you need them; or, if all your
systems are attached to a net, they could fetch random bits from some
random bit server that has the appropriate hardware.  I think there's
even a publicly-accessible Internet site serving random bits, if you
want to trust it.

--

From: "Douglas A. Gwyn" [EMAIL PROTECTED]
Subject: Re: Unix Crypt on MS Windows platform
Date: Thu, 9 Sep 1999 14:57:53 GMT

John Brugioni wrote:
 Anybody have a utility to do unix crypt  on Windows NT, 95 or 98?

Sure, just use the freely available binary release of 7th Edition
UNIX with one of the freely available PDP-11 emulations.

--

From: "Douglas A. Gwyn" [EMAIL PROTECTED]
Subject: Re: Plaintext block size
Date: Thu, 9 Sep 1999 14:49:02 GMT

Kwong Chan wrote:
 My understanding is that for a stream cipher, both the input plaintext
 alphabets, the ciphertext alphabets and the key alphabets consists of
 {0,1}. And the substitution mapping is defined by  S=p xor z

No.  A stream cipher operates on a plaintext alphabet one symbol
at a time and produces one ciphertext symbol per plaintext symbol.
A 

Cryptography-Digest Digest #210

1999-03-09 Thread Digestifier

Cryptography-Digest Digest #210, Volume #9Tue, 9 Mar 99 16:13:03 EST

Contents:
  Re: Really Nonlinear Cipher Idea (Boris Kazak)
  Re: Cyclotomic Number Generators (R. Knauer)
  Re: British Crypto Fascists (Derek Bell)
  Re: Limitations of testing / filtering hardware RNG's (Mark Currie)
  Re: Testing Algorithms (Herman Rubin)
  Re: ElGamal vs RSA ([EMAIL PROTECTED])
  Re: checksum algorithm ? (wtshaw)
  Re: Does/Can multiple XORing of the Plain/Cipher text improve security? (wtshaw)



From: Boris Kazak [EMAIL PROTECTED]
Subject: Re: Really Nonlinear Cipher Idea
Date: 9 Mar 1999 19:28:09 GMT
Reply-To: [EMAIL PROTECTED]

John Savard wrote:
 
 I'm always looking for simple ways to make a block cipher nonlinear. I've
 come up with a really extreme one.
 
 Let us take a typical DES-like Feistel cipher, acting on a 64-bit block.
 
 Now, let us build a block cipher for a 128-bit block.
 
 Here is my really weird idea:
 
 One half of the block goes through 16 rounds of the ordinary Feistel
 cipher. This process produces 16 intermediate f-function values, each 32
 bits wide.
 
 We then encipher the other half of the block for two or more rounds. It is
 divided into halves. Each round involves the eight nibbles of one half of
 the 64-bit half selecting an entry from an S-box with 16 32-bit entries.
 Since we only have one S-box, they're rotated one bit before the next one
 is XORed to create the f-function value.
 
 Oh, yes: what was that S-box? It was composed of the 16 f-function values
 produced when enciphering the other half of the block.
 
 A *data-dependent* S-box.
 
 Almost (there's Terry Ritter's autokey Dynamic Substitution, for example) a
 new frontier in cryptography! If key-dependent S-boxes create high
 security, it would seem that one which is even data-dependent as well would
 truly produce a cipher that defies analysis.
 
 John Savard (teneerf is spelled backwards)
 http://members.xoom.com/quadibloc/index.html
==
Would you spend a minute or two...

A Drunken Family.

This essay will be centered about an ignorant layman's approach to the
design of symmetric ciphers, and I apologize in advance for the terminology,
which may seem to some people simply strange, to others outright offensive.

In course of this reading, by an unknown memory twist, I remembered
a funny word combination - "Problem of a Drunken Sailor". Actually this is a
serious mathematical problem, conventionally known as the problem of
random walk. The essence of this problem can be visualized if one imagines
a drunken sailor on a street crossing in an unknown city. The guy has about
the equal probability to go in any of the 4 possible directions. On the next
crossing there will be again 1 out of 4 choice, then again and again, until
he comes to the harbor (if this ever happens).

And then a crazy idea came to my mind - why not introduce some trick
which will deny the cryptanalyst the access to his main weapon? Why not
make the algorithm itself key-dependent and plaintext-dependent. In this
case our friend cryptanalyst will be thrown back to square zero, because
there will be nothing certain to cryptanalyze - only the "C" code which will
explain how the choices are made between different algorithms.

Elaborating a little further, the number of possible choices must be
greater than the combined number of all possible keys and all possible
plaintexts. Then the brute-force attack will really be the only way - all
other ways will require more plaintexts or more keys than can exist.

Now the purists are advised to close their eyes and to read the rest of
the text with the eyes closed, because the main concept which will be
discussed here is the concept of BOOZE.

 BOOZE (orig. boo-zah)
 * word of Mongolian origin, denotes a beverage which makes people
   aggressive and delirious.
 * (amer. slang) strong liquor.

There are two variable parts processed by the encryption algorithm in
order to produce ciphertext - key and plaintext. Accordingly, if the
choices in the encryption procedure will be dictated by the key alone, we
will call this Master Booze; if the choices will be dictated by the
plaintext, we will call this Peer Booze. Both are necessary in varying
proportions, and it is my intent to draw attention to the fact that a big
amount of high quality Peer Booze is present in many successful block
ciphers. Neglect of the amount or quality of Booze (both Master and Peer)
facilitates the cryptanalysis enormously.

In order to appreciate the difference between a sober cipher and a
drunken one, I deci