Cryptography-Digest Digest #119
Cryptography-Digest Digest #119, Volume #14        Tue, 10 Apr 01 10:13:00 EDT

Contents:
  Re: Steganography with natural texts (Joe H Acker)
  Unnecessary operation in DES? ("Brendan Lynskey")
  Re: Patents for Enigma ?? (John Savard)
  Re: Unnecessary operation in DES? (Matthew Kwan)
  Re: Steganography with natural texts (Derek Bell)
  Re: Steganography with natural texts (Derek Bell)
  Re: approximating addition vs. xor? (Rob Warnock)
  Re: latex matrix (Volker Hetzer)
  FAQ ("Mis Fazi")
  Current best complexity for factoring? ("Tim Gahnström /Bladerman")
  Re: Current best complexity for factoring? (Gunnar Andersson)
  Re: Virtual English Nation ("Michael Scott")
  Re: CA for encryption (Tim Tyler)
  Re: Spam Message Stegano (Anonymous)
  Re: Self Enforcing Protocol (Slightly OT and Long!) (Jim Farran)
  Re: latex quick help (Jonathan Thornburg)
  Re: WANTED: Voice Encryption and Telephony Consultant ("Frog2000")

------------------------------

From: [EMAIL PROTECTED] (Joe H Acker)
Subject: Re: Steganography with natural texts
Date: Tue, 10 Apr 2001 11:25:24 +0200

Mok-Kong Shen [EMAIL PROTECTED] wrote:

> A stego channel can never be protected against active attacks, if I don't err.

I don't think so. An optimal steganographic encoding is immune to any attack. I'll give you an example (from another post): A radio signal contains random background noise. You can then use an OTP to hide a message in the background noise. Please ignore the fact that it's also "unbreakable" encryption. Just from the steganographic point of view, the message is completely undetectable without the key. That's a (rather trivial) sample of an optimal steganographic encoding.

If you think that's because of the OTP, change the background noise to be non-random. You might still find an optimal steganographic encoding, namely that encoding whose output has all observable statistical properties of the non-random background noise. This can be generalized into a general theory of steganography, but certainly not by me...

Regards,

Erich

------------------------------

From: "Brendan Lynskey" [EMAIL PROTECTED]
Subject: Unnecessary operation in DES?
Date: Tue, 10 Apr 2001 11:36:18 +0100

Hi.

I heard that the first operation in DES involves shifting bits independently of the key. As the algorithm is public-domain, isn't this step redundant? And if so why is it in there?

I wondered if it was there in order to make each round more similar, and so to ease implementation.

Any help will be appreciated.

Thanks,
Brendan

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Patents for Enigma ??
Date: Tue, 10 Apr 2001 11:24:26 GMT

On Tue, 10 Apr 2001 10:33:43 +0200, Frank Gerlach [EMAIL PROTECTED] wrote, in part:

> You think there is any spook with any respect for patents ?

But there is a *commercial* market for encryption also.

John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

From: [EMAIL PROTECTED] (Matthew Kwan)
Subject: Re: Unnecessary operation in DES?
Date: 10 Apr 2001 21:32:33 +1000

"Brendan Lynskey" [EMAIL PROTECTED] writes:

> I heard that the first operation in DES involves shifting bits independently of the key. As the algorithm is public-domain, isn't this step redundant? And if so why is it in there?
>
> I wondered if it was there in order to make each round more similar, and so to ease implementation.

It adds nothing to security (except, maybe, slowing down brute-force software key searches), but rumour has it the initial permutation is there because it simplified the circuit layout in the early hardware implementations of DES.

mkwan

------------------------------

From: Derek Bell [EMAIL PROTECTED]
Subject: Re: Steganography with natural texts
Date: 10 Apr 2001 12:41:15 +0100

Mok-Kong Shen [EMAIL PROTECTED] wrote:
: Most modern stego schemes are based on embedding bits in
: pictures. A current thread in the group is discussing that.
: I suppose that a competitive way is to embed bits in natural
: language texts. Previously I proposed a method exploiting
: the format freedom of html files. In the following I like
: to present some preliminary thoughts of an alternative,
: though implementationally more expensive, scheme that
: can easily utilize all natural language covertexts, e.g.
: e-mails.

If a situation similar to the mail censorship during WW2 ever arose this could have problems. There was an incident where one of the US censors paraphrased a sentence that read "Father is dead" to read "Father is deceased". The anecdote says that there was a reply "Is father dead or deceased?".

Derek
-- 
Derek Bell [EMAIL PROTECTED]|"Usenet is a strange place."
WWW: htt
Cryptography-Digest Digest #119, Volume #13        Wed, 8 Nov 00 05:13:01 EST

Contents:
  Re: Brute force against DES (Benjamin Goldberg)
  Whole file encryption (Benjamin Goldberg)
  Re: algorithms before 1939 ("John A.Malley")
  Re: Updated XOR Software Utility (freeware) Version 1.1 from Ciphile (Scott Craver)
  Re: Hardware RNGs (Benjamin Goldberg)
  Re: Updated XOR Software Utility (freeware) Version 1.1 from Ciphile (Anthony Stephen Szopa)
  Re: Updated XOR Software Utility (freeware) Version 1.1 from Ciphile (Cory C. Albrecht)
  Re: Updated XOR Software Utility (freeware) Version 1.1 from (Anthony Stephen Szopa)
  Re: Updated XOR Software Utility (freeware) Version 1.1 from Ciphile ("Trevor L. Jackson, III")
  Re: hacker...beware (yogi)
  Re: Updated XOR Software Utility (freeware) Version 1.1 from Ciphile (Anthony Stephen Szopa)
  Re: Whole file encryption (Mok-Kong Shen)
  Re: Purported "new" BXA Encryption software export restrictions (CiPHER)
  Re: Updated XOR Software Utility (freeware) Version 1.1 from Ciphile (Richard Heathfield)
  Re: Updated XOR Software Utility (freeware) Version 1.1 from Ciphile Software (CiPHER)
  Re: Updated XOR Software Utility (freeware) Version 1.1 from Ciphile Software (Andre van Straaten)

------------------------------

From: Benjamin Goldberg [EMAIL PROTECTED]
Subject: Re: Brute force against DES
Date: Wed, 08 Nov 2000 06:11:27 GMT

David Wagner wrote:

> John A. Malley wrote:
> > If the plaintext block of eight, 8-bit bytes consists of 8 different values - b1, b2, b3, b4, b5, b6, b7, b8 - then when checking the candidate plaintext resulting from trial decryption with candidate key K - d1, d2, d3, d4, d5, d6, d7, d8 - check first that b1 == d1. If not, throw away this key.
>
> But this is a very weak test: Over 89% of all incorrect key guesses will survive this test. Also, it requires knowing something about the byte-repetition patterns in the plaintext, a questionable assumption. (Otherwise, you might discard the correct key value.)
>
> Compare to the following heuristic: If the high bit is set in any of the bytes of the decryption, throw away this key. This eliminates all but .4% of the wrong key guesses, and is a reliable test. (It requires not much knowledge of the plaintext, and has a very low chance of discarding correct keys when the plaintext is, e.g., ASCII English.)

This can be optimized even further, if you are using a bit-sliced DES implementation... Only calculate the ciphertext values for those particular bits.

For those who don't know, bit-slicing means using just OR, AND, XOR, NOT (and combinations thereof), run your PC as a SIMD parallel processor, calculating 32 (or whatever your word size is) DES encryptions simultaneously, by simulating the gates that would be used in a hardware implementation. A single bit-sliced DES call is significantly faster than doing 32 separate normal software DES calls. Additionally, by not calculating all 64 bits of ciphertext, we further speed things up.

Lastly, by doing an OR of the 8 words containing the high bits of the trial decryption, and a comparison of the result with 0x, we can very quickly discard whole bunches of keys at once.

For those wondering what I mean... If any of the 32 keys being tested results in 0s in the 8 high bits, then ORing together those 8 high bits will result in a 1 in that key's offset. Since getting a correct or probably correct key is highly unlikely, most of the time the bitslice OR of the high bits will be 32 1s (0x).

> Thus, even the very simple high-bit heuristic seems to be more effective than a heuristic based on repeated bytes.
>
> For strategies that are even more effective (yet still quite simple to implement), you might take a look at the following paper:
>
> A programmable plaintext recognizer, David Wagner and Steven M. Bellovin.
> http://www.cs.berkeley.edu/~daw/papers/recog.ps

OH! you wanted simple to implement. Bleh... there are one or two bitsliced DES implementations out there, though. I would definitely NOT advise you to create your own, unless you can implement DES using wires and gates (no adds, subtracts, or multiplies, just operations that input two bit values, and output one bit value).

-- 
"Mulder, do you remember when I was missing -- that time that you *still* insist I was being held aboard a UFO?"
"How could I forget?"
"Well, I'm beginning to wonder if maybe I wouldn't have been better off staying abo-- I mean, wherever it was that I was being held."
[from an untitled spamfic by [EMAIL PROTECTED]]

------------------------------

From: Benjamin Goldberg [EMAIL PROTECTED]
Subject: Whole file encryption
Date: Wed, 08 Nov 2000 06:11:43 GMT

The following is a simple idea for whole file encryption. sbox is actually a keyed sbox.

encrypt_r( data, length, sbox )
tmp1 = l
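The two plaintext recognizers Wagner compares in the brute-force thread above, together with the bit-sliced OR trick Goldberg describes, as an added example that is not code from the digest. It models a wrong key's trial decryption as eight uniformly random bytes (the assumption behind both survival figures), so no DES is involved; the function names are the example's own.

```python
import random

BLOCK = 8          # DES block is 8 bytes
WORD_BITS = 32     # a bit-sliced word carries one bit from 32 candidate keys


def all_distinct_test(block: bytes) -> bool:
    """Malley's test: keep the key only if the 8 decrypted bytes all differ."""
    return len(set(block)) == BLOCK


def high_bit_test(block: bytes) -> bool:
    """Wagner's test: keep the key only if no byte has its high bit set."""
    return all(b < 0x80 for b in block)


def exact_survival(test_name: str) -> float:
    """Chance that a wrong key's (uniformly random) block passes the test."""
    if test_name == "distinct":
        p = 1.0
        for i in range(BLOCK):
            p *= (256 - i) / 256      # byte i must avoid the i earlier bytes
        return p                      # about 0.8954, Wagner's "over 89%"
    return 2.0 ** -BLOCK              # 1/256, Wagner's ".4%"


def survival_rate(test, trials: int, seed: int = 1) -> float:
    """Empirical rate; wrong-key decryptions modelled as constructed random bytes."""
    rng = random.Random(seed)
    blocks = (bytes(rng.getrandbits(8) for _ in range(BLOCK)) for _ in range(trials))
    return sum(test(b) for b in blocks) / trials


def bitslice_high_bits(candidates: list) -> list:
    """Transpose 32 candidate blocks into 8 words: bit k of word i is the
    high bit of byte i of candidate k, the layout a bit-sliced DES yields."""
    words = [0] * BLOCK
    for k, block in enumerate(candidates):
        for i, byte in enumerate(block):
            words[i] |= ((byte >> 7) & 1) << k
    return words


def survivors_from_slices(candidates: list) -> list:
    """OR the 8 high-bit words; a 0 bit marks a candidate whose bytes are all
    below 0x80.  An OR of 32 ones (0xFFFFFFFF) rejects all 32 keys at once."""
    assert len(candidates) == WORD_BITS
    combined = 0
    for word in bitslice_high_bits(candidates):
        combined |= word
    if combined == (1 << WORD_BITS) - 1:
        return []                     # the common case: nobody survives
    return [k for k in range(WORD_BITS) if not (combined >> k) & 1]
```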
Cryptography-Digest Digest #119, Volume #12        Tue, 27 Jun 00 21:13:00 EDT

Contents:
  Re: Idea or 3DES ("Trevor L. Jackson, III")
  Re: Variability of chaining modes of block ciphers (Shawn Willden)
  Re: Variability of chaining modes of block ciphers (Shawn Willden)
  Re: Variability of chaining modes of block ciphers (Mark Wooding)
  Re: Variability of chaining modes of block ciphers (Mark Wooding)
  Re: Idea or 3DES (Mark Wooding)
  Re: What's matter with http://tomstdenis.com/crypto/ ? ("Jeff Moser")
  Re: What's matter with http://tomstdenis.com/crypto/ ? ("Adam Durana")
  Re: Idea or 3DES (JPeschel)
  Sellotape and scotch tape (John Myre)
  Re: Thoughts on "Cracking" of Genetic Code ([EMAIL PROTECTED])
  Re: Sellotape and scotch tape ([EMAIL PROTECTED])
  Re: Idea or 3DES (Jim Gillogly)
  Re: Thoughts on "Cracking" of Genetic Code (John Savard)
  Re: Dynamical Cryptography algorithm (John Savard)
  Re: searching for a special GUI crypto tool (JPeschel)
  Re: simple crypting (Benjamin Goldberg)
  Re: Dixon's random square algorithm (Bob Silverman)
  Re: Compression Encryption in FISHYLAND (John Savard)
  Re: Dynamical Cryptography algorithm ("Ryan Nicoletti")
  Re: What's matter with http://tomstdenis.com/crypto/ ? (JPeschel)

------------------------------

Date: Tue, 27 Jun 2000 18:31:21 -0400
From: "Trevor L. Jackson, III" [EMAIL PROTECTED]
Crossposted-To: alt.security.scramdisk,comp.security.pgp.discuss
Subject: Re: Idea or 3DES

Jim Gillogly wrote:

> Joseph Ashwood wrote:
> > ...
> > It is my opinion that the likelihood of there being a significant known break in either is exemplified by the US Government's willingness to prosecute the author of PGP, indicating that neither is broken.
>
> Shouldn't you be arguing on the other side? The USG was in fact unwilling to prosecute the author of PGP, so according to your analysis shouldn't that indicate that IDEA was broken?

From what did you infer unwillingness? Certainly the USG was both willing and able to persecute PRZ, and made serious attempts to collect sufficient evidence to prosecute him. It appears to me that the USG lacked ability to prosecute not willingness to prosecute.

> I suggest that it's irrelevant to the security analysis: that it was dropped because (a) they didn't have strong evidence against PRZ himself; and (b) that they didn't want a court to tell them that the ITAR were unconstitutional. I suspect further that they didn't prosecute KG because of (b) and because he wasn't a well-known enough target to serve as a horrible example to other potential crypto hackers if they did manage to score a conviction without having the ITAR thrown out in their entirety. Again, nothing to do with the security of IDEA (nor, of course, [3]DES).

It may have something to do with revelations regarding the security of IDEA. The Brady doctrine requires a prosecutor to reveal to the defense any exculpatory information the prosecutor possesses. The USG may have demurred on the basis that they had (have) knowledge of weaknesses in IDEA, or, OTOH, on the basis that they had no knowledge of weaknesses. It would not be in the interest of the USG to reveal what they did/did not know about weaknesses in IDEA.

If the USG knew that IDEA was weak, the defense might have been able to claim that IDEA's strength put it below the threshold for ITAR restrictions. Of course such a revelation would have discouraged the use of IDEA and the USG would have lost some intelligence capability.

If the USG claimed no known weakness in IDEA, this might have acted as an endorsement, encouraging the wide-spread use of the cipher, and again the USG would have lost some intelligence capability.

In this realm there is no incentive for the USG to be either forward or honest about cipher strength.

------------------------------

Date: Tue, 27 Jun 2000 16:24:38 -0600
From: Shawn Willden [EMAIL PROTECTED]
Subject: Re: Variability of chaining modes of block ciphers

Mok-Kong Shen wrote:

> I personally prefer chaining using both accumulated plaintext and accumulated ciphertext (xor or addition mod 2^n). One can use two IVs that are secret. If these are independent of the key of the cipher, the scheme certainly adds more than a few bits of keyspace in my view.

If I understand what you're saying, the IV's add no security, at least with xor accumulation.

Let Pj be the jth plaintext
Let Cj be the jth ciphertext
Let IV1 and IV2 be secret IVs
Let sum(P,j) be the xor of the first j plaintexts and IV1
Let sum(C,j) be the xor of the first j ciphertexts and IV2
Let ^ denote xor, E denote encryption and D denote decryption (with some key).

Let Cj = E(sum(P,j) ^ sum(C,j-1))

To attack using brute force, first pick two adjacent ciphertext blocks, Cj-1 and Cj. Pick a key and decrypt both blocks, yielding D(Cj-1) and D(Cj). Then calculate:

D(Cj)
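The chaining rule Shawn Willden defines above, run as an added example that is not code from the post. E is a toy 16-bit Feistel cipher, an assumption made here only so the construction can execute; the chaining and the two running XOR sums follow the post's definitions, and the key test at the end works through the XOR of the two adjacent decryptions the post starts to compute, showing that both secret IVs cancel out of it.

```python
import hashlib


def _round_keys(key: int) -> list:
    """Toy key schedule (an assumption here): eight 1-byte round keys from SHA-256."""
    return list(hashlib.sha256(key.to_bytes(2, "big")).digest()[:8])


def _f(x: int, rk: int) -> int:
    """Toy 8-bit round function; any function makes the Feistel network invertible."""
    x = (x + rk) & 0xFF
    return (((x * x + 0x2B) >> 3) ^ (x << 1)) & 0xFF


def E(key: int, block: int) -> int:
    """16-bit, 8-round Feistel cipher standing in for the post's E."""
    left, right = block >> 8, block & 0xFF
    for rk in _round_keys(key):
        left, right = right, left ^ _f(right, rk)
    return (left << 8) | right


def D(key: int, block: int) -> int:
    """Inverse of E (the post's D): the same rounds, reversed and undone."""
    left, right = block >> 8, block & 0xFF
    for rk in reversed(_round_keys(key)):
        left, right = right ^ _f(left, rk), left
    return (left << 8) | right


def chain_encrypt(key: int, iv1: int, iv2: int, pts: list) -> list:
    """Cj = E(sum(P,j) ^ sum(C,j-1)) with sum(P,0) = IV1 and sum(C,0) = IV2."""
    sum_p, sum_c, cts = iv1, iv2, []
    for p in pts:
        sum_p ^= p                         # sum(P,j)
        c = E(key, sum_p ^ sum_c)          # sum_c still holds sum(C,j-1)
        cts.append(c)
        sum_c ^= c                         # sum(C,j)
    return cts


def chain_decrypt(key: int, iv1: int, iv2: int, cts: list) -> list:
    sum_p, sum_c, pts = iv1, iv2, []
    for c in cts:
        p = D(key, c) ^ sum_c ^ sum_p      # strip sum(C,j-1) and sum(P,j-1)
        pts.append(p)
        sum_p ^= p
        sum_c ^= c
    return pts


def iv_free_key_test(key: int, c_prev: int, c_j: int, p_j: int) -> bool:
    """Brute-force check for j >= 2: both running sums cancel in
    D(Cj) ^ D(Cj-1), leaving Pj ^ Cj-1, so neither IV is needed."""
    return D(key, c_j) ^ D(key, c_prev) == p_j ^ c_prev
```

Because the test needs only one known plaintext block and its two ciphertext neighbours, the secret IVs contribute nothing to the key search, which is the point the post makes.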
Cryptography-Digest Digest #119, Volume #11        Mon, 14 Feb 00 08:13:02 EST

Contents:
  Re: Does the NSA have ALL Possible PGP keys? (W A Collier)
  Re: Does the NSA have ALL Possible PGP keys? ("tiwolf")
  Re: Does the NSA have ALL Possible PGP keys? ("tiwolf")
  Predicting the next random number ([EMAIL PROTECTED])
  Re: Predicting the next random number (Tony L. Svanstrom)
  Funniest thing I've seen in ages - RSA.COM hacked :) ([EMAIL PROTECTED])
  Re: Large Floating Point Library? (Mok-Kong Shen)
  Re: Fractal Cryptography (Mok-Kong Shen)
  Re: Funniest thing I've seen in ages - RSA.COM hacked :) (Tony L. Svanstrom)
  Re: SHA-1 sources needed! (Runu Knips)
  Re: Large Floating Point Library? (Runu Knips)
  Re: Funniest thing I've seen in ages - RSA.COM hacked :) ([EMAIL PROTECTED])
  Re: Funniest thing I've seen in ages - RSA.COM hacked :) ("Lassi Hippeläinen")
  Re: Funniest thing I've seen in ages - RSA.COM hacked :) (Tony L. Svanstrom)
  Re: Funniest thing I've seen in ages - RSA.COM hacked :) (Tony L. Svanstrom)
  Re: Does the NSA have ALL Possible PGP keys? ([EMAIL PROTECTED])
  Re: Funniest thing I've seen in ages - RSA.COM hacked :) (Robert Hallgren)
  Associative Symmetric Encryption (Gary)
  Re: Funniest thing I've seen in ages - RSA.COM hacked :) (Tony L. Svanstrom)
  Re: Which compression is best? (Runu Knips)
  Re: UK publishes 'impossible' decryption law (Geoff Lane)

------------------------------

From: W A Collier [EMAIL PROTECTED]
Crossposted-To: comp.security.pgp,misc.survivalism
Subject: Re: Does the NSA have ALL Possible PGP keys?
Reply-To: [EMAIL PROTECTED]
Date: Mon, 14 Feb 2000 07:50:20 -0700

In article [EMAIL PROTECTED], [EMAIL PROTECTED] says...

> Does anyone here really think that any crypto program self made or commercial is not broken already or can't be broken given a little effort by the NSA geeks. I know that someone might use some type of crypto that might give them trouble for a while, but if they really want to I think that the NSA geeks can break it.

They can "really want to" all they like, but they can't change the fundamental nature of NP-Hard and other mathematical concepts upon which modern crypto is based. Try reading up before you make a jackass out of yourself again.

------------------------------

From: "tiwolf" [EMAIL PROTECTED]
Crossposted-To: comp.security.pgp,misc.survivalism
Subject: Re: Does the NSA have ALL Possible PGP keys?
Date: Sun, 13 Feb 2000 23:45:53 -0800

You are assuming that you and everyone else here know the full extent of current computer power and storage mediums. You are also assuming that there are no mathematical programs that do away with the needs for the PGP codes. You assume a lot. I for one know nothing about computer and crypto breaking, but I do know that given resources and time nothing is truly impossible.

Johnny Bravo wrote in message [EMAIL PROTECTED]...
> On Sun, 13 Feb 2000 13:46:34 -0800, "tiwolf" [EMAIL PROTECTED] wrote:
>
> > You are assuming that they would be using current disks as a medium for storage,
>
> Ok, for the sake of argument I'll pretend that the NSA has a sooper-seekrit storage medium, so compact that they can fit 512 bits of information onto a single atom. There are not enough atoms in the Universe to store all the 512 bit PGP keys. When you are talking about the 4096 bit keys you would run out of room even if you managed to fit 4096 bits of info onto the smallest known sub-atomic particles.
>
> > or that they would even need the whole lot of keys in the first place.
>
> Without the keys, how can they look up your key? That is what this thread is about.
>
> Johnny Bravo

------------------------------

From: "tiwolf" [EMAIL PROTECTED]
Crossposted-To: comp.security.pgp,misc.survivalism
Subject: Re: Does the NSA have ALL Possible PGP keys?
Date: Sun, 13 Feb 2000 23:50:38 -0800

You are assuming that it can't be done now with current technology; I will not make that assumption. I will assume that anything is possible, knowing that governments are always looking to gain more power and want to know why people would want to keep secrets from the government. Government is more than willing to waste large portions of the public's money on breaking any code that they cannot now break.

Beretta wrote in message ...
> On Sun, 13 Feb 2000 13:21:56 -0800, "tiwolf" [EMAIL PROTECTED] wrote:
>
> > Does anyone here really think that any crypto program self made or commercial is not broken already or can't be broken given a little effort by the NSA geeks. I know that someone might use some type of crypto that might give them trouble for a while, but if they really want to I think that the NSA geeks can break it.
>
> snip
>
> You seem to assume the NSA is all powerful, has an infinite budget, infinite room for computers, and somehow is the only agency that is not bound by the laws of mathematics...