Cryptography-Digest Digest #168
Cryptography-Digest Digest #168, Volume #14 Tue, 17 Apr 01 14:13:01 EDT Contents: Re: Reusing A One Time Pad (SCOTT19U.ZIP_GUY) Re: Reusing A One Time Pad ("Tom St Denis") Re: Reusing A One Time Pad (SCOTT19U.ZIP_GUY) Re: Note on combining PRNGs with the method of Wichmann and Hill ("Brian Gladman") Re: Reusing A One Time Pad ("Tom St Denis") Re: Reusing A One Time Pad (SCOTT19U.ZIP_GUY) Re: Reusing A One Time Pad ("Tom St Denis") Re: Choosing a Smartcard/Crypto Chip for PKI on Win2K ("Ryan Phillips") From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) Subject: Re: Reusing A One Time Pad Date: 17 Apr 2001 17:04:59 GMT [EMAIL PROTECTED] (Tom St Denis) wrote in 4u_C6.31062$[EMAIL PROTECTED]: "SCOTT19U.ZIP_GUY" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]... [EMAIL PROTECTED] (Joseph Ashwood) wrote in ePD6covxAHA.328@cpmsnbbsa07: The moment you reuse *any* portion of the pad, the security immediately falls to precisely 0. That's a simple fact of life (assuming you are using a standard XOR based pad). There is no getting around that, no amount of postulating will get around the mathematic problems involved, your idea is plain and simply insecure. Joe Actually the security is not ZERO. You may have reduced the ppssible set of the messages but as long as there is more than one plausble decryption it is not zero. But I agree the more you use the less secure and its not to had to reach ZERO. Especailly if the plain text file was known to be compressed as part of the encryption package as in PGP. Um to disprove anything you have said for the past 8 years or so.. an OTP is secure even if the message was compressed with deflate. so tell me again how the compression hurts? I don't wish to get in a long argument with you since you really don't want to learn. But I will clarify what I think your misunderstanding is. First of all we both know that a OTP is secure. Joe was commenting that if you repeat one bit its not secure at all. We all know or should know that if you use it over and over again its not secure. IF a "one time Pad" is used correctly. Meaning "one time" then the encryption is secure regardless of what compression was used. As to weakness of using nonbijecetive file compression in encryption systems I think you know where I stand on that after years of trying to get you to understand it. David A. Scott -- SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE "OLD VERSIOM" http://www.jim.com/jamesd/Kong/scott19u.zip My website http://members.nbci.com/ecil/index.htm My crypto code http://radiusnet.net/crypto/archive/scott/ MY Compression Page http://members.nbci.com/ecil/compress.htm **NOTE FOR EMAIL drop the roman "five" *** Disclaimer:I am in no way responsible for any of the statements made in the above text. For all I know I might be drugged or something.. No I'm not paranoid. You all think I'm paranoid, don't you! -- From: "Tom St Denis" [EMAIL PROTECTED] Subject: Re: Reusing A One Time Pad Date: Tue, 17 Apr 2001 17:19:22 GMT "SCOTT19U.ZIP_GUY" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]... [EMAIL PROTECTED] (Tom St Denis) wrote in 4u_C6.31062$[EMAIL PROTECTED]: "SCOTT19U.ZIP_GUY" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]... [EMAIL PROTECTED] (Joseph Ashwood) wrote in ePD6covxAHA.328@cpmsnbbsa07: The moment you reuse *any* portion of the pad, the security immediately falls to precisely 0. That's a simple fact of life (assuming you are using a standard XOR based pad). There is no getting around that, no amount of postulating will get around the mathematic problems involved, your idea is plain and simply insecure. Joe Actually the security is not ZERO. You may have reduced the ppssible set of the messages but as long as there is more than one plausble decryption it is not zero. But I agree the more you use the less secure and its not to had to reach ZERO. Especailly if the plain text file was known to be compressed as part of the encryption package as in PGP. Um to disprove anything you have said for the past 8 years or so.. an OTP is secure even if the message was compressed with deflate. so tell me again how the compression hurts? I don't wish to get in a long argument with you since you really don't want to learn. But I will clarify what I think your misunderstanding is. First of all we both know that a OTP is secure. Joe was commenting that if you repeat one bit its not secure at all. We all know or should know that if you use it over and over again its not secure. IF a "one time Pad" is used correctly. Meaning "one time" then
Cryptography-Digest Digest #168
Cryptography-Digest Digest #168, Volume #13 Thu, 16 Nov 00 15:13:00 EST Contents: Re: Big-block cipher, perhaps a new cipher family? (Mok-Kong Shen) Re: so many fuss about impossibility to backtrace from MD to original ("Douglas A. Gwyn") Re: Hitachi - on what grounds ?? ("Douglas A. Gwyn") Re: Hitachi - on what grounds ?? (Mok-Kong Shen) Re: vote buying... (David Schwartz) Re: Q: fast block ciphers (David Schwartz) Re: vote buying... ("Frog2000") Re: vote buying... ("Frog2000") Re: Anyone has read / poses / is found of book by M.Schroeder(not the ("John A. Malley") Re: Hitachi - on what grounds ?? ("Paul Pires") Re: vote buying... (Paul Rubin) Re: Q: fast block ciphers (Tom St Denis) Re: vote buying... (Eric Lee Green) From: Mok-Kong Shen [EMAIL PROTECTED] Subject: Re: Big-block cipher, perhaps a new cipher family? Date: Thu, 16 Nov 2000 19:32:55 +0100 Manuel Pancorbo wrote: Mok-Kong Shen [EMAIL PROTECTED] wrote: It is not clear in your description how the 'diffusion' is achieved through stream encryption. A stream cipher encrpyts each 'unit' independent of the other. The 'state' of the cipher changes with each unit, but this is generally independent of the content of the plaintext unit being processed. So there is no 'interaction' between the units. Should I name it "stream cipher with feedback"? In my design, state depends on the input. Anyway, let me explain how it works. As I said the chosen unit length is 32 bits. The key (K) can be 128 to 256 bit long (in 32 bit steps); let's take 128 bits i.e. 4 units. The state vector (S) is also 4 units long. At the beginning the state vector is filled up with the key: S - K In the forward encryption each plaintext unit is ciphered this way: P'[0] = F(P[0], S[0], S[1]) S[1] = G(P[0], P'[0]) . P'[1] = F(P[1], S[1], S[2]) S[2] = G(P[1], P'[1]) . And so on. The state cycles over itself (S[0], S[1], S[2], S[3], S [0],...). F and G are two 32-bit nonlinear functions. Both propagate any single bit change of the P[0] input to 16 bits on the output P'[0] and to 24 bits on the new state unit S[1]; in the next step S[1] carries the (imperfect) diffusion of P[0] again to F and G which amplify it to 32 bits in P'[1] (and S[2]). You can see how avalanche works forward. At the end a new encryption pass is performed backwards: S - K . C[N-1] = F(P'[N-1], S[0], S[1]) S[1] = G(P'[N-1], C[N-1]) . C[N-2] = F(P'[N-2], S[1], S[2]) S[2] = G(P'[N-2], C[N-2]) The result is that any single bit change in the plaintext packet propagates to the full ciphertext packet (except perhaps if the change occurs in the last units). The point is that it doesn't really matter how F and G are built, provided a minimum diffusion, unlinearity and operations economy (I think). Anyway I can give details in a further post. You can also use any common block cipher to do chaining in the forward direction and, after having processed the whole file, do a second encryption pass in the backward direction. (This is a known method of forcing the opponent to process the whole file, as also mentioned previously in several threads of the group.) In fact, the block cipher is doing 'stream' encryption here if you look on the block as a single 'unit' of the 'stream'. My goal is to avoid the repetitive rounds and the key scheduling of block ciphers, but giving the same diffusion power and disorder. If possible, giving the same strength ;-) But in the scheme you described there are the functions F and G which you don't specify in detail. If the F is not good, you wouldn't have good diffusion. One can have a combination of stream and block techniques. I designed one with a block size of 640 bits driven by a PRNG with feedback to the PRNG by hash values obtained during the processing and with block chaining. In other words, the state of the PRNG is influenced by the plaintext blocks and the processing of the blocks is determined by the PRNG outputs and the successive blocks are chained. See my web page. M. K. Shen http://home.t-online.de/home/mok-kong.shen -- From: "Douglas A. Gwyn" [EMAIL PROTECTED] Subject: Re: so many fuss about impossibility to backtrace from MD to original Date: Thu, 16 Nov 2000 17:51:03 GMT [EMAIL PROTECTED] wrote: Birthday Paradox (if you bring random people into a room, you can only have 20 of them on average before 2 of them have the same birthday) That's not accurate; it's 23 people and the "averaging" is over the ensemble of sets of 23-random-people, or better expressed: if you randomly select a sample of 23 people from the whole population, the probability is greater than 0.5 that at least 2 of that sample were born on the sa
Cryptography-Digest Digest #168
Cryptography-Digest Digest #168, Volume #11 Sun, 20 Feb 00 11:13:01 EST Contents: Re: Is Phi perfect? (Frank the_root) Re: OAP-L3 Encryption Software - Complete Help Files at web site (lordcow77) Re: OAP-L3 Encryption Software - Complete Help Files at web site (lordcow77) Re: NSA Linux and the GPL (John Savard) ISIT2000 -crypto (Quisquater) Re: NIST publishes AES source code on web (John Savard) Re: Biggest keys needed (was Re: Does the NSA have ALL Possible PGP keys?) (David A Molnar) Re: Using virtually any cipher as public key system? (David Hopwood) Re: EOF in cipher??? (David Hopwood) Re: EOF in cipher??? (David Hopwood) Re: EOF in cipher??? (David Hopwood) From: Frank the_root [EMAIL PROTECTED] Subject: Re: Is Phi perfect? Date: Sun, 20 Feb 2000 14:24:53 GMT Xcott Craver left in some server logs : Frank the_root [EMAIL PROTECTED] wrote: Hi, Hi, Frank the Root, I always thought that the Euler's Phi fonction ( Phi(n) ) was the fonction that gives the number of numbers relatively prime to n and smaller than n by the multiplication of each primes factors of n reduced by one. That's not how Phi(n) is defined. When n is a product of distinct primes pq (as occurs in RSA,) it is true that Phi(n) = Phi(pq) = (p-1)(q-1). However, this is a special case: in general, Phi(n) is defined as Phi(n) = n * (1 - 1/p)(1 - 1/q)(...) where p,q,... are the distinct prime factors of n. So: For exemple: Let's determine the number of numbers relatively prime to 125: 125 = 5³, so we can see that at each 5 numbers, 4 of them are relatively prime to 125. 125 × (5/4) = 42 != (5-1)(5-1)(5-1) Phi(125) = 125*(1-1/5) = 125*(4/5) = 100. Phi(9) (3-1)(3-1) != 6 Phi(9) = 9*(1-1/3) == 6 Phi(16): (2-1)(2-1)(2-1)(2-1) != 8 Phi(16) = 16*(1-1/2) == 8 Phi(49): (7-1)(7-1) != 42 Phi(49) = 49*(1-1/7) == 42 Frank -Xcott Thanks, your exemple is really the most "visual" one. Thanks to all. Frank -- Ceux qui rêvent le jour savent des choses qu'ignorent ceux qui rêvent la nuit. -- Subject: Re: OAP-L3 Encryption Software - Complete Help Files at web site From: lordcow77 [EMAIL PROTECTED] Crossposted-To: talk.politics.crypto,alt.privacy Date: Sun, 20 Feb 2000 06:37:55 -0800 Actually, most educated people knew that the Earth was spherical when Columbus initiated his voyage. They did underestimate the size of the world, thus allowing the expedition to be funded in the first place. * Sent from RemarQ http://www.remarq.com The Internet's Discussion Network * The fastest and easiest way to search and participate in Usenet - Free! -- Subject: Re: OAP-L3 Encryption Software - Complete Help Files at web site From: lordcow77 [EMAIL PROTECTED] Crossposted-To: talk.politics.crypto,alt.privacy Date: Sun, 20 Feb 2000 06:49:35 -0800 In article [EMAIL PROTECTED], Anthony Stephen Szopa [EMAIL PROTECTED] wrote: Obviously you claim to be unimpressed with my random number generator and the processing done on this output to generate the OTP files in OAP-L3 encryption software. True; why use your PRNG when there are others that have withstood far more attention (ie. RC4, SEAL)? Are you also saying that the OTP file management used in the software is also worthless? Let's say you use your own random numbers and just use OAP-L3 to encrypt and manage your own OTP files. Are you saying no one should do this because you merely say so with no supporting arguments? Yes. Your user interface looks like it was designed by a person who has no conception of GUI design. It does not appear to be event-based at all, as it is centered on a series of uni-modal dialog boxes. There are no "wizards" for novice users and no multi-document interface system for more advanced users. What about the utility files included with the software? You are saying that it should be of no interest to anyone to have a utility program to look at a random number file and provide them with a frequency for each random number in the file? #include ... int main(void) { FILE *fin; struct stat fs; int arr[256]; int fsize; int i; char c; fin=fopen("foo","rb"); stat("foo",fs); fsize=fs.st_size; for(i=0;i255;i++){arr[i]=0}; for(i=0;ifsize;i++){ fread(c,1,1,fin); arr[c]++; } for(i=0;i255;i++){ printf("I=%d, n=%d\n",i,arr[i]); } return EXIT_SUCCESS; } Do you think no one should be interested in a utility program that will read a file in binary and output the ASCII decimal equivalent for each character? #include ... int main(void) { FILE *fin; stru
Cryptography-Digest Digest #168
Cryptography-Digest Digest #168, Volume #10 Fri, 3 Sep 99 16:13:03 EDT Contents: Description of SQ ("Kostadin Bajalcaliev") Description of SQ ("Kostadin Bajalcaliev") Re: 512 bit number factored (SCOTT19U.ZIP_GUY) Re: 512 bit number factored (D. J. Bernstein) Different Encryption Algorithms ("entropy") Re: Alleged NSA backdoor in Windows CryptoAPI (Stephan Eisvogel) Re: Alleged NSA backdoor in Windows CryptoAPI (Ian Goldberg) Re: ECC, D.S., Fravia, Ian (Ian Goldberg) Re: Implementing crypto algorithms in Fortran. (SCOTT19U.ZIP_GUY) Re: Home Invasion Bill Drives U.S. Computer Users across border ([EMAIL PROTECTED]) Re: IDEA- safe? (jerome) Re: Alleged NSA backdoor in Windows CryptoAPI (DJohn37050) From: "Kostadin Bajalcaliev" [EMAIL PROTECTED] Subject: Description of SQ Date: Fri, 3 Sep 1999 20:06:18 +0200 Please send your comments about my Stream cipher. Here is only the description. If you need more details visit http://eon.pmf.ukim.edu.mk/~kbajalc or http://members.tripod.com/kbajalc. The SQ1 Stream Cipher Kostadin Bajalcaliev April 26th Street num: 14, 91480 Gevgelija, Macedonia, Europe [EMAIL PROTECTED] Abstract: This document describes SQ1 stream cipher. SQ1 is Cryptographically Secure Pseudo-Random bit generator. A novel feature of SQ1 is its hybrid design, using both permutation and variation. It is simple and easy to implement, suitable for software and hardware implementation. 1. Data Structures SQ1 is word-oriented algorithm; any word size is supported respecting the available memory. In order to implement SQ1 data structures below are required: (given in C notation) P[w] permutation of numbers from 0 to w V[w] variation, every element can have any value 0 to w Sr - feedback register * All data types are W-bit The word size can be some conventional value 8,16 bits, but the formal definition of the algorithm assume any value with respect to available memory. In the real implementation other variables are used but they are meter of optimization. 2. Notation and SQ Primitive Operations SQ1 require only four primitive operations supported by major processor families. 1. Addition of two words, denoted by +, addition is done modulo 2w 2. Bit-wise exclusive OR of words, denoted by XOR 3. A left-rotation of words: the rotation of word x left by y bits is denoted xy 4. Modulo, x modulo y equal z denoted x mod y = z. A left-rotation of fields: X[y]=X[y+z mod field_size], denoted by Xz is basic operation in SQ1, it is not primitive but easily deliverable from the primitive operations. 3. Algorithm Specification According to definition of data structure and primitive operations here is algorithm formal definition: /* initialization */ for j=0 to 2w { P[j]=j; V[j]=0; } /* generator iteration */ {1} A=P[Sr]; B=P[V[A]]; {2} V[A]=B; Swap P[A], P[B]; P1; {3} Out=P[A+B mod 2w]; {4} Sr1; Sr=Sr+Out; Return Out SQ1 is very simple, you can encode it as a function SQ which produce values according to its internal state. The state of the generator is defined with P[], V[] and Sr. The first step {1} is calculation of indexes A and B according to present state of the generator. The second step {2} is the transformation of P[] and V[] according to A and B, P1 is default transformation (the counter). The third step {3} is calculation of the output value, and the forth {4} step is changing the value into feedback register. 4. Keying SQ1 SQ as most of Stream Ciphers keying the generator is setting the initial state. Very simple strategy is used. The key stream is feed into Variation V[] and the key length is feed into Sr. First 22w outputs are discarded to worm up the generator. Here is the formal definition of keying procedure. K[0..L] is the keystream L is length of the keystream r=0; For j=0 to 2w { V[j]=K[r]; r=(r+1) mod L; } For j=0 to 22w SQ1(); SQ1() is the generator function described before. The keystream should be the same word size as P[] and V[] but it is allowed to be smaller to. For example if w=14, the keystream can be conventional 8-bit character field. If the w8 (what is very bed idea) that the keystream should be cut in w-bit peace in order to feed it into V. The maximal key length allowed using this strategy is 22w bits, the length of V in bits. 5. Implementation Remarks This is document is intended to help you implementing SQ1, if you are interested about the design solutions read the thesis available on-line. Because of security of the algorithm please follow these remarks: 1. SQ1 is not intending to be secure for any word size or key length. The word size must be greater than 8bits. 2. Do not use all the bits produced by the generator, discard at least one. If you need 8-bit values to encrypt files or communication channel use 9-bit word. The values produced