Cryptography-Digest Digest #815

[Digestifier]

Cryptography-Digest Digest #815, Volume #8   Wed, 30 Dec 98 09:13:07 EST

Contents:
  WEAK4-EX -- Another Poorman's 56-bit Data Encryption Algorithm (long) (Mok-Kong Shen)
  New Book "The Unknowable" ([EMAIL PROTECTED])



From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: WEAK4-EX -- Another Poorman's 56-bit Data Encryption Algorithm (long)
Date: Wed, 30 Dec 1998 13:49:07 +0100

Recently I have designed two 56-bit algorithms, WEAK2-EX and WEAK3-EX,
with which the user can arbitrarily scale up the processing time and
the algorithm initialization time respectively such that the expected
average time for brute forcing can be rendered beyond any practically
infeasible bounds. (The number of rounds in these algorithms can be
suitably chosen such that brute forcing would be the only viable means
of analysis.) Thus, in exchange for some tolerable higher time
expenditure, the user can manage to obtain adequate security despite
the severe limitation posed by the forthcoming 56-bit key length
restriction.

The present algorithm, WEAK4-EX, is based on the same paradox-sounding
paradigm 'security through inefficiency' as its two predecessors but
extends the 'inefficiency' into an additional 'dimension', namely the
volume of the ciphertext. It has in total three user choosable scaling
factors of processing time. The first is the same as one of the two
employed in WEAK2-EX and controls the time rate of pseudo-random
number generation of the PRNG used. The second scaling factor
determines the number of pseudo-random bits thus obtained that are to
be XORed with each single bit of the plaintext. (In WEAK4-EX the
plaintext is treated as a bit stream.) The third scaling factor
determines (approximately) by how much the ciphertext is to be
expanded through filling it with pseudo-random bits at positions that
are determined by the PRNG.

Let input() designate the function delivering the next bit from the
plaintext and scf2 and scf3 be the second and third scaling factor
mentioned above. Then the encryption with WEAK4-EX can be conceptually
(not 'strictly speaking', see below) described by the following very
simple probabilistic automaton, where the function pbit(m) denotes the
result of XORing of m*32 pseudo-random bits obtained from the PRNG,
i.e. their parity:

  do

with probability 1/scf2:
   output( input() XOR pbit(scf3) );

with probability 1 - 1/scf2:
   output( pbit(1) );

  od;

In the implementation we use our PRNG (not a TRNG) to determine the
transition of the automaton. Thus the actual process is not random
but only a 'simulation' and is in fact deterministic, being governed
by the seed of the PRNG. For otherwise the receiver of the message
would have a hard task to do the decryption. Thus WEAK4-EX is a
pseudo-randomized encryption. It is not a (true) randomized
encryption such as the time-honoured but apparently now disfavoured
homophone cipher, where the decision of the choice of the homophones
can be made e.g. through casting of dices. (I suggested recently
though that homophones could once again be interesting in the light
of the 56-bit restriction.)

Through the (simulated) probabilistic nature of the algorithm the
analyst has the essential difficulty to identify which bits of the
ciphertext are information-bearing, i.e. encrypted plaintext bits,
and which are the filling nonsense bits. Since the information-bearing
bits are themselves obtained through XORing the plaintext bit with a
large number (some multiples of 32) of pseudo-random bits, brute
forcing would be the only viable method of attack if the factors scf2
and scf3 are adequately chosen. The price that the user has to pay
through the scaling factor scf3 is that the ciphertext is about scf3
times as large as the plaintext and hence incurs correspondingly
higher transmission expenditure. However, if the plaintext is fairly
short, which is very often likely to be the case in a poorman's
environment, such expansion of the ciphertext, if not carried to the
extreme, may well be sensible. In other cases, one can simply set
scf3=1 and exclusively employ the other two scaling factors to achieve
a sufficient level of security.

An implementation in Fortran 90 is attached below. A binary
executable file for PC can be downloaded via my main Web page.

I am indebted to TPS for discussions leading to the present work.

Constructive critiques, comments and suggestions for improvements
are sincerely solicited.

M. K. Shen

=
NOTE: The program codes of WEAK2-EX and WEAK3-EX have been revised
(with an error reported by CWL and CK corrected). In the zip-file
for download, all three encryption programs and their binaries are
included.



==
c The design of WEAK4-EX is explained in the text of the article
c introducing the present program code:
c
c

Cryptography-Digest Digest #816

[Digestifier]

Cryptography-Digest Digest #816, Volume #8   Wed, 30 Dec 98 15:13:04 EST

Contents:
  Re: WEAK4-EX -- Another Poorman's 56-bit Data Encryption Algorithm (long) (Mok-Kong 
Shen)
  Re: Decoder for Reed-Solomon codes? (Jyrki Lahtonen)
  Re: New Book "The Unknowable" (John Savard)
  Secure Credit Card Transactions (Benzbrood)
  Re: Session keys in Elliptic Curve (liminal)
  Re: Secure Credit Card Transactions ("Steve Sampson")
  Re: Session keys in Elliptic Curve (Anonymous)
  Re: Security through obscurity in the smartcard world (liminal)
  Re: "Encrypted Magic Folders" substitute ("Sam Simpson")
  Re: biometrics (Anthony Stephen Szopa)
  Re: Opinions on S/MIME ("Sam Simpson")
  Re: "should have" for an encrypting filesystem ("Sam Simpson")
  Re: Session keys in Elliptic Curve (Mr. Tines)
  Re: Blowfish assembler (i386) help needed (Paul Rubin)



From: Mok-Kong Shen [EMAIL PROTECTED]
Subject: Re: WEAK4-EX -- Another Poorman's 56-bit Data Encryption Algorithm (long)
Date: Wed, 30 Dec 1998 15:34:51 +0100

Sorry for a typing error in text. Corrected:

  do

with probability 1/scf3:
   output( input() XOR pbit(scf2) );

with probability 1 - 1/scf3:
   output( pbit(1) );

  od;


M. K. Shen

--

From: [EMAIL PROTECTED] (Jyrki Lahtonen)
Crossposted-To: comp.dsp,sci.math
Subject: Re: Decoder for Reed-Solomon codes?
Date: 30 Dec 1998 06:57:36 GMT

 You probably also need to find a primitive
element modulo 929. This shouldn't be too hard - I will come back to
this later. 

If I didn't make any typos when plugging the numbers into Mathematica,
3 (or its residue class, if you want to be pedantic) is a primitive
element of GF(929), i.e. all the other non-zero elements are of the
form 3 raised to power i for a unique i in the range from 0 to 927
inclusive.


Jyrki Lahtonen, Ph.D.
Department of Mathematics,
University of Turku,
FIN-20014 Turku, Finland
Note to human e-mailers! To obtain my real e-mail address form the
string consisting of my first name, a period, my family name (names in
lower case) and an at-sign followed by utu.fi

--

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: New Book "The Unknowable"
Date: Wed, 30 Dec 1998 15:37:39 GMT

[EMAIL PROTECTED] wrote, in part:

Hi folks, this is to let everyone know that I've
just finished a new book, "The Unknowable".
It's a prequel/sequel to my book on "The Limits
of Mathematics".  "The Unknowable" is available
in html and in postscript at these two URL's:
http://www.umcs.maine.edu/~chaitin/unknowable
http://www.cs.auckland.ac.nz/CDMTCS/chaitin/unknowable
Best wishes for 1999,

Ah. I read about you in Rudy Rucker's "Mind Tools".

His description of your famous proof was somewhat ambiguous.
Obviously, there is a simple proof that for any t, there _exist_
strings of complexity greater than t; as there are 2^(t+2) strings of
length t+2, there are insufficient strings of length t (2^(t+1)-1) to
generate them all.

What you had proved, I believe, was that for some t sufficiently
large, any finite system/machine cannot prove, for any specific
string, that that particular string has complexity greater than t.

John Savard
http://www.freenet.edmonton.ab.ca/~jsavard/index.html

--

From: [EMAIL PROTECTED] (Benzbrood)
Subject: Secure Credit Card Transactions
Date: 30 Dec 1998 16:08:30 GMT


I need the info, progs, urls, or whatever I need to make a web site with secure
transactions for an online store, subscriptions, etc.  Please reply.

--

From: liminal [EMAIL PROTECTED]
Subject: Re: Session keys in Elliptic Curve
Date: Wed, 30 Dec 1998 08:58:15 -1000

 Hello again.
 
 Big thanks to both Mr. Tines and Harpy-34 for their
 graceful handing of information regarding elliptic
 curve cryptography.

My pleasure.

 Now, as the session key-thing is effectively settled
 (as far as matters anyway,) now I'd like to ask a bit
 about the private key in elliptic curve, and generation
 of private/public keypair.
 
 What would be the process of generating a 160 bit
 elliptic curve key? 

This is so difficult that I would not even consider attempting to explain 
the method. But I will outline the hurdles you would fail to surmount. 
First, chose an elliptic curve which satisfies the MOV condition and 
which has enough Points on it so that a search is intractible for your 
adversaries. For a discussion of these tasks see:

http://ds.dial.pipex.com/george.barwood/ec_faq.txt

which George Barwood has generously posted on the WWWeb.

Public/private keylengths?

All numbers are less than 170 bits.

 Does the generation of the keys correspond to
 the generation methods in RSA et all? 

No.

And is
 a hash algorithm used in the generation, which
 would impose a limit of 160 bits if for example
 SHA-1 was used?

No.

 
 - --EO

Please read these books cover to cover,