Cryptography-Digest Digest #119

2001-04-10 Thread Digestifier

Cryptography-Digest Digest #119, Volume #14  Tue, 10 Apr 01 10:13:00 EDT

Contents:
  Re: Steganography with natural texts (Joe H Acker)
  Unnecessary operation in DES? ("Brendan Lynskey")
  Re: Patents for Enigma ?? (John Savard)
  Re: Unnecessary operation in DES? (Matthew Kwan)
  Re: Steganography with natural texts (Derek Bell)
  Re: Steganography with natural texts (Derek Bell)
  Re: approximating addition vs. xor? (Rob Warnock)
  Re: latex matrix (Volker Hetzer)
  FAQ ("Mis Fazi")
  Current best complexity for factoring? ("Tim Gahnström /Bladerman")
  Re: Current best complexity for factoring? (Gunnar Andersson)
  Re: Virtual English Nation ("Michael Scott")
  Re: CA for encryption (Tim Tyler)
  Re: Spam Message Stegano (Anonymous)
  Re: Self Enforcing Protocol (Slightly OT and Long!) (Jim Farran)
  Re: latex quick help (Jonathan Thornburg)
  Re: WANTED: Voice Encryption and Telephony Consultant ("Frog2000")



From: [EMAIL PROTECTED] (Joe H Acker)
Subject: Re: Steganography with natural texts
Date: Tue, 10 Apr 2001 11:25:24 +0200

Mok-Kong Shen [EMAIL PROTECTED] wrote:

 A stego channel can never be protected against active
 attacks, if I don't err.

I don't think so. An optimal steganographic encoding is immune to any
attack. I'll give you an example (from another post): A radio signal
contains random background noise. You can then use an OTP to hide a
message in the background noise. Please ignore the fact that it's also
"unbreakable" encryption. Just from the steganographic point of view,
the message is completely undetectable without the key. That's a (rather
trivial) sample of an optimal steganographic encoding. 

If you think that's because of the OTP, change the background noise to
be non-random. You might still find an optimal steganographic encoding,
namely that encoding whose output has all observable statistical
properties of the non-random background noise. 

This can be generalized into a general theory of steganography, but
certainly not by me...

Regards,

Erich

--

From: "Brendan Lynskey" [EMAIL PROTECTED]
Subject: Unnecessary operation in DES?
Date: Tue, 10 Apr 2001 11:36:18 +0100

Hi.

I heard that the first operation in DES involves shifting bits
independently of the key.

As the algorithm is public-domain, isn't this step redundant?

And if so why is it in there? I wondered if it was there in order to make
each round more similar, and so to ease implementation.

Any help will be appreciated.

Thanks,

Brendan



--

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Patents for Enigma ??
Date: Tue, 10 Apr 2001 11:24:26 GMT

On Tue, 10 Apr 2001 10:33:43 +0200, Frank Gerlach
[EMAIL PROTECTED] wrote, in part:

You think there is any spook with any respect for patents?

But there is a *commercial* market for encryption also.

John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm

--

From: [EMAIL PROTECTED] (Matthew Kwan)
Subject: Re: Unnecessary operation in DES?
Date: 10 Apr 2001 21:32:33 +1000

"Brendan Lynskey" [EMAIL PROTECTED] writes:

I heard that the first operation in DES involves shifting bits
independently of the key.

As the algorithm is public-domain, isn't this step redundant?

And if so why is it in there? I wondered if it was there in order to make
each round more similar, and so to ease implementation.

It adds nothing to security (except, maybe, slowing down brute-force
software key searches), but rumour has it the initial permutation is
there because it simplified the circuit layout in the early hardware
implementations of DES.


mkwan
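
The point above, as an added example that is not from the thread: the DES initial permutation IP is a fixed, key-independent bit transposition, so its inverse follows directly from the public table and anyone can apply or undo it; it relabels bit positions and nothing more. The table is the standard FIPS 46 IP; the 0x0123456789ABCDEF block is the usual DES test vector.

```python
# Added example: DES initial permutation (IP) and its inverse, derived from
# the same public table. No key is involved anywhere, which is why IP adds
# nothing to security: an attacker can strip or apply it at will.

# Standard DES IP table: output bit i (1-based, MSB first) is input bit IP[i-1].
IP = [
    58, 50, 42, 34, 26, 18, 10, 2,
    60, 52, 44, 36, 28, 20, 12, 4,
    62, 54, 46, 38, 30, 22, 14, 6,
    64, 56, 48, 40, 32, 24, 16, 8,
    57, 49, 41, 33, 25, 17, 9, 1,
    59, 51, 43, 35, 27, 19, 11, 3,
    61, 53, 45, 37, 29, 21, 13, 5,
    63, 55, 47, 39, 31, 23, 15, 7,
]


def invert_table(table):
    """Derive the inverse of a DES-style 1-based permutation table."""
    inv = [0] * len(table)
    for out_pos, in_pos in enumerate(table, start=1):
        inv[in_pos - 1] = out_pos
    return inv


# IP^-1 (the "final permutation") computed rather than copied from the spec.
IP_INV = invert_table(IP)


def permute(block, table):
    """Apply a 64-entry DES-style permutation table to a 64-bit int block."""
    out = 0
    for out_pos, in_pos in enumerate(table, start=1):
        bit = (block >> (64 - in_pos)) & 1
        out |= bit << (64 - out_pos)
    return out


def initial_permutation(block):
    return permute(block, IP)


def final_permutation(block):
    return permute(block, IP_INV)


def hamming_weight(block):
    """A transposition never changes the number of set bits: IP hides nothing."""
    return bin(block).count("1")
```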

--

From: Derek Bell [EMAIL PROTECTED]
Subject: Re: Steganography with natural texts
Date: 10 Apr 2001 12:41:15 +0100

Mok-Kong Shen [EMAIL PROTECTED] wrote:

: Most modern stego schemes are based on embedding bits in
: pictures. A current thread in the group is discussing that.

: I suppose that a competitive way is to embed bits in natural
: language texts. Previously I proposed a method exploiting
: the format freedom of html files. In the following I like 
: to present some preliminary thoughts of an alternative,
: though implementationally more expensive, scheme that
: can easily utilize all natural language covertexts, e.g.
: e-mails.

If a situation similar to the mail censorship during
WW2 ever arose this could have problems. There was an incident
where one of the US censors paraphrased a sentence that read
"Father is dead" to read "Father is deceased". The anecdote
says that there was a reply "Is father dead or deceased?".

Derek
-- 
Derek Bell  [EMAIL PROTECTED]|"Usenet is a strange place."
WWW: htt

Cryptography-Digest Digest #119

2000-11-08 Thread Digestifier

Cryptography-Digest Digest #119, Volume #13   Wed, 8 Nov 00 05:13:01 EST

Contents:
  Re: Brute force against DES (Benjamin Goldberg)
  Whole file encryption (Benjamin Goldberg)
  Re: algorithms before 1939 ("John A.Malley")
  Re: Updated XOR Software Utility (freeware) Version 1.1 from Ciphile   (Scott Craver)
  Re: Hardware RNGs (Benjamin Goldberg)
  Re: Updated XOR Software Utility (freeware) Version 1.1 from Ciphile (Anthony Stephen Szopa)
  Re: Updated XOR Software Utility (freeware) Version 1.1 from Ciphile (Cory C. Albrecht)
  Re: Updated XOR Software Utility (freeware) Version 1.1 from  (Anthony Stephen Szopa)
  Re: Updated XOR Software Utility (freeware) Version 1.1 from Ciphile ("Trevor L. Jackson, III")
  Re: hacker...beware (yogi)
  Re: Updated XOR Software Utility (freeware) Version 1.1 from Ciphile (Anthony Stephen Szopa)
  Re: Whole file encryption (Mok-Kong Shen)
  Re: Purported "new" BXA Encryption software export restrictions (CiPHER)
  Re: Updated XOR Software Utility (freeware) Version 1.1 from Ciphile (Richard Heathfield)
  Re: Updated XOR Software Utility (freeware) Version 1.1 from Ciphile Software (CiPHER)
  Re: Updated XOR Software Utility (freeware) Version 1.1 from Ciphile Software (Andre van Straaten)



From: Benjamin Goldberg [EMAIL PROTECTED]
Subject: Re: Brute force against DES
Date: Wed, 08 Nov 2000 06:11:27 GMT

David Wagner wrote:
 
 John A. Malley wrote:
 If the plaintext block of eight, 8-bit bytes consists of 8 different
 values - b1, b2, b3, b4, b5, b6, b7, b8 - then when checking the
 candidate plaintext resulting from trial decryption with candidate
 key K - d1, d2, d3, d4, d5, d6, d7, d8 - check first that b1 == d1.
 If not, throw away this key.
 
 But this is a very weak test:  Over 89% of all incorrect key guesses
 will survive this test.
 
 Also, it requires knowing something about the byte-repetition patterns
 in the plaintext, a questionable assumption.  (Otherwise, you might
 discard the correct key value.)
 
 Compare to the following heuristic:  If the high bit is set in any of
 the bytes of the decryption, throw away this key.  This eliminates
 all but .4% of the wrong key guesses, and is a reliable test.  (It
 requires not much knowledge of the plaintext, and has a very low
 chance of discarding correct keys when the plaintext is, e.g., ASCII
 English.)

This can be optimized even further, if you are using a bit-sliced DES
implementation...  Only calculate the ciphertext values for those
particular bits.

For those who don't know, bit-slicing means using just OR, AND, XOR, NOT
(and combinations thereof), running your PC as a SIMD parallel processor,
calculating 32 (or whatever your word size is) DES encryptions
simultaneously, by simulating the gates that would be used in a hardware
implementation.

A single bit-sliced DES call is significantly faster than doing 32
separate normal software DES calls.  Additionally, by not calculating
all 64 bits of ciphertext, we further speed things up.  Lastly, by doing
an OR of the 8 words containing the high bits of the trial decryption,
and a comparison of the result with 0xFFFFFFFF, we can very quickly
discard whole bunches of keys at once.

For those wondering what I mean... If any of the 32 keys being tested
results in 0s in the 8 high bits, then ORing together those 8 high bits
will result in a 0 in that key's offset.  Since getting a correct or
probably correct key is highly unlikely, most of the time the bitslice
OR of the high bits will be 32 1s (0xFFFFFFFF).

 Thus, even the very simple high-bit heuristic seems to be more
 effective than a heuristic based on repeated bytes.
 
 For strategies that are even more effective (yet still quite simple to
 implement), you might take a look at the following paper:
 A programmable plaintext recognizer, David Wagner and Steven M. Bellovin.
http://www.cs.berkeley.edu/~daw/papers/recog.ps

OH! you wanted simple to implement.  Bleh... there are one or two
bitsliced DES implementations out there, though.  I would definitely NOT
advise you to create your own, unless you can implement DES using wires
and gates (no adds, subtracts, or multiplies, just operations that input
two bit values, and output one bit value).

-- 
"Mulder, do you remember when I was missing -- that time that you
 *still* insist I was being held aboard a UFO?"
"How could I forget?"
"Well, I'm beginning to wonder if maybe I wouldn't have been
 better off staying abo-- I mean, wherever it was that I was
 being held." [from an untitled spamfic by [EMAIL PROTECTED]]
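
The two candidate-plaintext filters compared in this exchange, and the bit-sliced OR trick, as an added example that is not from the thread: it computes the survival rates Wagner quotes (about 89% for "eight distinct bytes", about 0.4% for "no high bit set"), checks them by simulation on constructed random blocks, and shows how ORing the eight high-bit words discards 32 candidate keys in one comparison. All sample blocks are constructed here; no DES is run.

```python
# Added example: false-positive rate of two plaintext-recognition filters and
# the bit-sliced OR test over 32 lanes. Sample data is constructed inline.
import random


def p_distinct_bytes_survive(n=8):
    """Chance that n uniformly random bytes are all distinct: a wrong key
    survives the 'eight different bytes' test this often."""
    p = 1.0
    for i in range(n):
        p *= (256 - i) / 256
    return p


def p_high_bits_clear(n=8):
    """Chance that n random bytes all have the high bit clear: a wrong key
    survives the ASCII high-bit test this often."""
    return 2.0 ** -n


def distinct_bytes_test(block):
    return len(set(block)) == len(block)


def high_bit_test(block):
    return all(b < 0x80 for b in block)


def survival_rate(test, trials=20000, seed=1):
    """Simulate random (wrong-key) trial decryptions and count survivors."""
    rng = random.Random(seed)
    hits = sum(test(bytes(rng.getrandbits(8) for _ in range(8)))
               for _ in range(trials))
    return hits / trials


# Bit-sliced view: for 32 candidate keys at once, words[i] holds the high bit
# of plaintext byte i for every lane (bit k of the word belongs to key k).
WORD_MASK = 0xFFFFFFFF


def high_bit_words_from_blocks(blocks):
    """Transpose 32 candidate 8-byte blocks into the 8 high-bit words."""
    words = [0] * 8
    for lane, blk in enumerate(blocks):
        for i, b in enumerate(blk):
            words[i] |= ((b >> 7) & 1) << lane
    return words


def surviving_lanes(high_bit_words):
    """OR the 8 words; a lane whose OR bit is 0 has all high bits clear and
    survives. Returns a 32-bit mask of survivors (almost always 0, i.e. the
    OR equals 0xFFFFFFFF and all 32 keys are discarded together)."""
    acc = 0
    for w in high_bit_words:
        acc |= w
    return (~acc) & WORD_MASK
```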



--

From: Benjamin Goldberg [EMAIL PROTECTED]
Subject: Whole file encryption
Date: Wed, 08 Nov 2000 06:11:43 GMT

The following is a simple idea for whole file encryption.
sbox is actually a keyed sbox.

encrypt_r( data, length, sbox )
tmp1 = l

Cryptography-Digest Digest #119

2000-06-27 Thread Digestifier

Cryptography-Digest Digest #119, Volume #12  Tue, 27 Jun 00 21:13:00 EDT

Contents:
  Re: Idea or 3DES ("Trevor L. Jackson, III")
  Re: Variability of chaining modes of block ciphers (Shawn Willden)
  Re: Variability of chaining modes of block ciphers (Shawn Willden)
  Re: Variability of chaining modes of block ciphers (Mark Wooding)
  Re: Variability of chaining modes of block ciphers (Mark Wooding)
  Re: Idea or 3DES (Mark Wooding)
  Re: What's matter with http://tomstdenis.com/crypto/ ? ("Jeff Moser")
  Re: What's matter with http://tomstdenis.com/crypto/ ? ("Adam Durana")
  Re: Idea or 3DES (JPeschel)
  Sellotape and scotch tape (John Myre)
  Re: Thoughts on "Cracking" of Genetic Code ([EMAIL PROTECTED])
  Re: Sellotape and scotch tape ([EMAIL PROTECTED])
  Re: Idea or 3DES (Jim Gillogly)
  Re: Thoughts on "Cracking" of Genetic Code (John Savard)
  Re: Dynamical Cryptography algorithm (John Savard)
  Re: searching for a special GUI crypto tool (JPeschel)
  Re: simple crypting (Benjamin Goldberg)
  Re: Dixon's random square algorithm (Bob Silverman)
  Re: Compression  Encryption in FISHYLAND (John Savard)
  Re: Dynamical Cryptography algorithm ("Ryan Nicoletti")
  Re: What's matter with http://tomstdenis.com/crypto/ ? (JPeschel)



Date: Tue, 27 Jun 2000 18:31:21 -0400
From: "Trevor L. Jackson, III" [EMAIL PROTECTED]
Crossposted-To: alt.security.scramdisk,comp.security.pgp.discuss
Subject: Re: Idea or 3DES

Jim Gillogly wrote:

 Joseph Ashwood wrote:
  ... It is my
  opinion that the likelihood of there being a significant known break in
  either is exemplified by the US Governments willingness to prosecute the
  author of PGP, indicating that neither is broken.

 Shouldn't you be arguing on the other side?  The USG was in fact unwilling
 to prosecute the author of PGP, so according to your analysis shouldn't that
 indicate that IDEA was broken?

From what did you infer unwillingness?  Certainly the USG was both willing and
able to persecute PRZ, and made serious attempts to collect sufficient evidence
to prosecute him.  It appears to me that the USG lacked ability to prosecute not
willingness to prosecute.

  I suggest that it's irrelevant to the
 security analysis: that it was dropped because (a) they didn't have
 strong evidence against PRZ himself; and (b) that they didn't want a
 court to tell them that the ITAR were unconstitutional.  I suspect further
 that they didn't prosecute KG because of (b) and because he wasn't a
 well-known enough target to serve as a horrible example to other potential
 crypto hackers if they did manage to score a conviction without having
 the ITAR thrown out in their entirety.  Again, nothing to do with the
 security of IDEA (nor, of course, [3]DES).

It may have something to do with revelations regarding the security of IDEA.
The Brady doctrine requires a prosecutor to reveal to the defense any
exculpatory information the prosecutor possesses.  The USG may have demurred on
the basis that they had (have) knowledge of weaknesses in IDEA, or, OTOH, on the
basis that they had no knowledge of weaknesses.  It would not be in the interest
of the USG to reveal what they did/did not know about weaknesses in IDEA.

If the USG knew that IDEA was weak, the defense might have been able to claim
that IDEA's strength put it below the threshold for ITAR restrictions.  Of
course such a revelation would have discouraged the use of IDEA and the USG
would have lost some intelligence capability.

If the USG claimed no known weakness in IDEA, this might have acted as an
endorsement, encouraging the wide-spread use of the cipher, and again the USG
would have lost some intelligence capability.

In this realm there is no incentive for the USG to be either forward or honest
about cipher strength.


--

Date: Tue, 27 Jun 2000 16:24:38 -0600
From: Shawn Willden [EMAIL PROTECTED]
Subject: Re: Variability of chaining modes of block ciphers

Mok-Kong Shen wrote:

 I personally prefer chaining using both accumulated plaintext and
 accumulated ciphertext (xor or addition mod 2^n). One can use
 two IVs that are secret. If these are independent of the key of the
 cipher, the scheme certainly adds more than a few bits of keyspace
 in my view.

If I understand what you're saying, the IV's add no security, at least with xor
accumulation.

Let Pj be the jth plaintext
Let Cj be the jth ciphertext
Let IV1 and IV2 be secret IVs
Let sum(P,j) be the xor of the first j plaintexts and IV1
Let sum(C,j) be the xor of the first j ciphertexts and IV2
Let ^ denote xor, E denote encryption and D denote decryption (with some key).

Let Cj = E(sum(P,j) ^ sum(C,j-1))

To attack using brute force, first pick two adjacent ciphertext blocks, Cj-1 and
Cj.  Pick a key and decrypt both blocks, yielding D(Cj-1) and D(Cj).  Then
calculate:

D(Cj)

Cryptography-Digest Digest #119

2000-02-14 Thread Digestifier

Cryptography-Digest Digest #119, Volume #11  Mon, 14 Feb 00 08:13:02 EST

Contents:
  Re: Does the NSA have ALL Possible PGP keys? (W A Collier)
  Re: Does the NSA have ALL Possible PGP keys? ("tiwolf")
  Re: Does the NSA have ALL Possible PGP keys? ("tiwolf")
  Predicting the next random number ([EMAIL PROTECTED])
  Re: Predicting the next random number (Tony L. Svanstrom)
  Funniest thing I've seen in ages - RSA.COM hacked :) ([EMAIL PROTECTED])
  Re: Large Floating Point Library? (Mok-Kong Shen)
  Re: Fractal Cryptography (Mok-Kong Shen)
  Re: Funniest thing I've seen in ages - RSA.COM hacked :) (Tony L. Svanstrom)
  Re: SHA-1 sources needed! (Runu Knips)
  Re: Large Floating Point Library? (Runu Knips)
  Re: Funniest thing I've seen in ages - RSA.COM hacked :) ([EMAIL PROTECTED])
  Re: Funniest thing I've seen in ages - RSA.COM hacked :) ("Lassi Hippeläinen")
  Re: Funniest thing I've seen in ages - RSA.COM hacked :) (Tony L. Svanstrom)
  Re: Funniest thing I've seen in ages - RSA.COM hacked :) (Tony L. Svanstrom)
  Re: Does the NSA have ALL Possible PGP keys? ([EMAIL PROTECTED])
  Re: Funniest thing I've seen in ages - RSA.COM hacked :) (Robert Hallgren)
  Associative Symmetric Encryption (Gary)
  Re: Funniest thing I've seen in ages - RSA.COM hacked :) (Tony L. Svanstrom)
  Re: Which compression is best? (Runu Knips)
  Re: UK publishes 'impossible' decryption law (Geoff Lane)



From: W A Collier  [EMAIL PROTECTED]
Crossposted-To: comp.security.pgp,misc.survivalism
Subject: Re: Does the NSA have ALL Possible PGP keys?
Reply-To: [EMAIL PROTECTED]
Date: Mon, 14 Feb 2000 07:50:20 -0700

In article [EMAIL PROTECTED], [EMAIL PROTECTED] 
says...
 Does anyone here really think that any crypto program self made or commercial
 is not broken already or can't be broken given a little effort by the NSA
 geeks. I know that someone might use some type of crypto that might give them
 trouble for a while, but if they really want to I think that the NSA geeks
 can break it.

They can "really want to" all they like, but they can't change the fundamental 
nature of NP-Hard and other mathematical concepts upon which modern crypto 
is based.  Try reading up before you make a jackass out of yourself 
again.


--

From: "tiwolf" [EMAIL PROTECTED]
Crossposted-To: comp.security.pgp,misc.survivalism
Subject: Re: Does the NSA have ALL Possible PGP keys?
Date: Sun, 13 Feb 2000 23:45:53 -0800

You are assuming that you and everyone else here know the full extent of
current computer power and storage mediums. You are also assuming that there
are no mathematical programs that do away with the need for the PGP codes.
You assume a lot. I for one know nothing about computers and crypto breaking,
but I do know that given resources and time nothing is truly impossible.
Johnny Bravo wrote in message
[EMAIL PROTECTED]...
On Sun, 13 Feb 2000 13:46:34 -0800, "tiwolf" [EMAIL PROTECTED] wrote:

You are assuming that they would be using current disks as a medium for
storage,

  Ok, for the sake of argument I'll pretend that the NSA has a
sooper-seekrit storage medium, so compact that they can fit 512 bits of
information onto a single atom.  There are not enough atoms in the
Universe to store all the 512 bit PGP keys.  When you are talking about
the 4096 bit keys you would run out of room even if you managed to fit
4096 bits of info onto the smallest known sub-atomic particles.

or that they would even need the whole lot of keys in the first
place.

  Without the keys, how can they look up your key?  That is what this thread
is about.

  Johnny Bravo



--

From: "tiwolf" [EMAIL PROTECTED]
Crossposted-To: comp.security.pgp,misc.survivalism
Subject: Re: Does the NSA have ALL Possible PGP keys?
Date: Sun, 13 Feb 2000 23:50:38 -0800

You are assuming that it can't be done now with current technology, I will
not make that assumption. I will assume that anything is possible and
knowing that governments are always looking to gain more power and want to
know why people would want to keep secrets from the government. Government
is more than willing to waste large portions of the public's money on
breaking any code that they cannot now break.


Beretta wrote in message ...
On Sun, 13 Feb 2000 13:21:56 -0800, "tiwolf" [EMAIL PROTECTED] wrote:

Does anyone here really think that any crypto program self made or
commercial
is not broken already or can't be broken given a little effort by the NSA
geeks. I know that someone might use some type of crypto that might give
them
trouble for a while, but if they really want to I think that the NSA geeks
can break it.


snip

You seem to assume the NSA is all powerful, has an infinite budget,
infinite room for
computers, and somehow is the only agency that is not bound by the laws of
mathematics...