Cryptography-Digest Digest #399, Volume #12      Thu, 10 Aug 00 14:13:01 EDT

Contents:
  Re: 1-time pad is not secure... (AllanW)
  Re: 1-time pad is not secure... (Mickey McInnis)
  Re: 1-time pad is not secure... (Mickey McInnis)
  Re: BBS and the lack of proof (Mok-Kong Shen)
  Re: OTP using BBS generator? (Mok-Kong Shen)
  Re: OTP using BBS generator? (Mok-Kong Shen)
  Re: OTP using BBS generator? (Terry Ritter)
  Re: 1-time pad is not secure... ("Tumbleweed")
  Re: Destruction of CDs (Mok-Kong Shen)
  Re: 1-time pad is not secure... (Mickey McInnis)
  Re: OTP using BBS generator? (Terry Ritter)
  Re: OTP using BBS generator? (Terry Ritter)
  Re: Knowing when you've cracked an encryption (Jerry Coffin)

----------------------------------------------------------------------------

From: AllanW <[EMAIL PROTECTED]>
Subject: Re: 1-time pad is not secure...
Date: Thu, 10 Aug 2000 17:34:33 GMT

In article <8mth1u$vpt$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] wrote:
> Here's a different viewpoint.

It certainly is!

> I think all the crypto-books are wrong. One-time pad is only secure
> based on the assumption that random numbers do exist.
> But
[snip]
> Can you generate truly random numbers? No.
[snip]
> The key-generating process may be duplicated, if not
> exactly, to some probability.

Because Pseudo-Random Number Generators don't produce "true"
random numbers, you then say that there's no such thing as
a random number? An analogy: Consider get-rich-quick schemes
that promise you can make $200,000 per month in your "spare
time." These are all rip-offs; they don't work. Does that
mean that there are no wealthy people in the world? Wealthy
people didn't get their money through these schemes, but
they really do exist.

Similarly, random numbers don't come from PRNGs, but they
do exist. There are devices created for the specific
purpose of creating truly random numbers. I've heard that
the next Intel CPU will include some functionality
specifically for this, as well. The point is, this does
not rely on any PRNG "algorithm" susceptible to analysis.
Recently I read about a system that uses the computer's
sound board to create entropy; I can't say how well this
works, but at least it's another alternative to PRNGs.

> And because the key is so long, getting at least a
> portion of the key right will be easier than in
> systems with a shorter key.

Oh, now I see -- shorter keys are more secure. But why
settle for 64-bit keys, or 40-bit keys? Let's go to the
ultimate conclusion of this concept: we'll use a 1-bit
key for the highest security. No, wait, don't dismiss
the idea out of hand! Critics will point out that a
brute-force attack will take an average of one try
(2^1/2), with a worst-case of two tries (2^1). That's
true, of course -- but there's no way an attacker will
ever get PART of the key, right?!? How can you get part
of a bit?!?

One benefit of true OTP is that ANY message of the correct
length could be embedded. So unless you're CERTAIN that
you have correctly found 8 bits in a row of the pad, you
can't be certain that the one byte you just decoded is
the correct byte. Every single message of at least 4 bytes
has at least one pad that makes it decipher with the word
"BOMB." But as you probably know, very few of the actual
messages really did have anything to do with bombs...

> Get the picture? You can duplicate the key-generating
> parameters: computer model, OS, PRNG, date, time,
> location, hardware, software, room temperature, humidity,
> magnetic field... The list goes on and on.

Yes, it does go on and on. No matter how much you duplicate,
there's still something else you didn't duplicate. If you
have spare time, look into a science field called "chaos
theory." You'll find it fascinating -- and you'll also
find out why duplicating every single aspect of any scenario
is simply not possible.

But let's step back a moment. Suppose we use a conventional
PRNG for our pad, so that the only important key-generating
parameter is the computer model. But now have the user enter
data during the encryption process. The data isn't a key,
in the sense that knowing what was entered could be used to
decipher the message. It's just input to the PRNG, to help
it stay truly random. We time the number of milliseconds
between keystrokes, and use the low-order bits of that value,
perhaps combined with a low-order bit of the key pressed, to
seed the PRNG. (If the user holds down a key, we prevent it
from auto-repeating. We want to time the user's fingers, not
the system clock.)

If a user presses 25 keys per second, you can say that the
average timing of the keystrokes is 40 milliseconds -- but
did the first 5 keystrokes take 41,38,42,35,44? Or did they
take 39,41,38,41,41? In the first case, the low order bits
are 1,0,0,1,0 and in the second case they were 1,1,0,1,1.
This data is truly random for all practical purposes,
including OTP.

If that isn't enough, keep going. For each bit of pad, call
the PRNG N times and throw out the first N-1 results.
Determine N the same way we got a seed -- use the low-order
bits of the time and key pressed. Now even if you know exactly
which PRNG was used AND the initial seed, you still don't get
much -- for each and every bit of the pad, you still have to
determine what N was, by trying to reproduce what the user
did during the encipherment. But not even the user can
recreate that with millisecond accuracy!

--
[EMAIL PROTECTED] is a "Spam Magnet," never read.
Please reply in newsgroups only, sorry.


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: [EMAIL PROTECTED] (Mickey McInnis)
Subject: Re: 1-time pad is not secure...
Date: 10 Aug 2000 17:26:42 GMT
Reply-To: [EMAIL PROTECTED]

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] 
(John Savard) writes:
|> On Thu, 10 Aug 2000 06:11:11 GMT, [EMAIL PROTECTED] wrote, in part:
|>
|> >But can you prove that random numbers really exist? No.
|> >Can you generate truly random numbers? No.
|>
|> >One-time pad is only computationally secure, no different from any
|> >other system. The key-generating process may be duplicated, if not
|> >exactly, to some probability.
|>
|> If the key is produced by, for example, rolling dice by hand, I am not
|> exactly sure how one would even begin attempting to 'duplicate' the
|> key generation process in order to arrive at the same, or a similar,
|> sequence of numbers.
|>
|> The advantage of physically-generated numbers lies precisely in the
|> fact that even though deterministic physical laws may be involved in
|> their production, the all-important _initial conditions_ are too
|> complex, and too local, to be guessed or measured or duplicated.
|>
|> John Savard (teneerf <-)
|> http://home.ecn.ab.ca/~jsavard/crypto.htm

The problem with "physically-generated" numbers is that if you
don't do it right, you may have a very slight bias in the distribution
of the numbers.  Consider, for instance, a coin flip with a coin with
a 51% chance of heads.  Given cleartext that you think goes with
an intercepted ciphertext, you can produce a "trial key".  If the
message is long enough, you can say with some probability that
you have the correct cleartext because the trial key shows the
bias you're looking for.

Note this isn't a pure "break", but it should illustrate how a
bad or badly used physical key generation system weakens the system.
If the output of a pseudo random number generator has some detectable
"signature", it will suffer from similar weaknesses, even if the
enemy can't predict the exact pattern.

--
Mickey McInnis - [EMAIL PROTECTED]
--
All opinions expressed are my own opinions, not my company's opinions.
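
As an added illustration of the trial-key idea in the post above (example code, not the poster's): the pad comes from a constructed coin with a 51% chance of heads, a candidate plaintext is XORed with the ciphertext to form a trial key, and the trial key's fraction of 1 bits is compared with what a fair coin would give. The correct candidate recovers the biased pad itself; an unrelated candidate gives a balanced-looking trial key. Message length, bias and seed are constructed values.

```python
import random

def biased_pad(nbits, p_heads, rng):
    """Pad bits from a physical source modelled as a coin that shows 1 (heads)
    with probability p_heads; p_heads = 0.5 would be an ideal OTP pad."""
    return [1 if rng.random() < p_heads else 0 for _ in range(nbits)]

def to_bits(data):
    """bytes -> list of bits, most significant bit of each byte first."""
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]

def xor_bits(a, b):
    return [x ^ y for x, y in zip(a, b)]

def trial_key_z(ciphertext_bits, candidate_bits):
    """Trial key = candidate plaintext XOR ciphertext.  Returns the z-score of its
    count of 1 bits against the unbiased-pad hypothesis (mean n/2, sd sqrt(n)/2).
    A z-score well above 3 says the trial key shows the bias of the real pad."""
    key = xor_bits(ciphertext_bits, candidate_bits)
    n = len(key)
    return (sum(key) - n / 2) / (n ** 0.5 / 2)

def bits_needed(p_heads, z=3.0):
    """Approximate message length (bits) at which a p_heads-biased pad becomes
    visible at z standard deviations: solve (p - 0.5) * sqrt(n) / 0.5 = z."""
    return (z * 0.5 / (p_heads - 0.5)) ** 2

def demo(p_heads=0.51, nbytes=25000, seed=2000):
    """Constructed scenario: a long message under a 51%-heads pad, scored against
    the true plaintext and against one unrelated candidate."""
    rng = random.Random(seed)
    phrase = b"the quick brown fox jumps over the lazy dog "
    plaintext = (phrase * (nbytes // len(phrase) + 1))[:nbytes]
    pad = biased_pad(8 * nbytes, p_heads, rng)
    ciphertext = xor_bits(to_bits(plaintext), pad)
    wrong = bytes(rng.getrandbits(8) for _ in range(nbytes))  # unrelated candidate
    return {"correct": trial_key_z(ciphertext, to_bits(plaintext)),
            "wrong": trial_key_z(ciphertext, to_bits(wrong))}

if __name__ == "__main__":
    print("bits needed for a 51% coin at 3 sigma:", round(bits_needed(0.51)))
    print(demo())
```

For the 51% coin the z-score rule asks for roughly 22,500 bits (about 2.8 kB) of message before the bias stands out at three standard deviations, which is why the post stresses "if the message is long enough".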

------------------------------

From: [EMAIL PROTECTED] (Mickey McInnis)
Subject: Re: 1-time pad is not secure...
Date: 10 Aug 2000 17:29:40 GMT
Reply-To: [EMAIL PROTECTED]

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] 
(John Savard) writes:
|> On Thu, 10 Aug 2000 09:15:48 +0200, Runu Knips <[EMAIL PROTECTED]>
|> wrote, in part:
|>
|> >I'm very surprised to hear someone believes true
|> >random isn't available. Shows a serious lack in
|> >ideas about modern physics, doesn't it ?
|>
|> That's true, but his errors are more serious than just not accepting
|> quantum mechanics, since even in a classical world a secure OTP is
|> very much possible.
|>
|> John Savard (teneerf <-)
|> http://home.ecn.ab.ca/~jsavard/crypto.htm

Actually, if you are purely "classical" and believe in predetermination,
a sufficiently advanced enemy can forget about trying to predict
the pad, and just predict the cleartext.  8-)

--
Mickey McInnis - [EMAIL PROTECTED]
--
All opinions expressed are my own opinions, not my company's opinions.

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: BBS and the lack of proof
Date: Thu, 10 Aug 2000 19:57:44 +0200



lordcow77 wrote:
> 
> The result of the proof is conceptually very simple to
> understand. One should not mistake the vocal pronouncements of a
> minority for real controversy over the validity of an assertion.
> Certainly, we in the United States would not be having the
> current ridiculous spat about the teaching of evolution if
> people thought for themselves. You are free to read the paper
> for yourself and decide what is correct.

But if experiments indicate high probability of a theory
being wrong, then there is no need to study that theory.
Many past theories, e.g. in physics and chemistry, are
still there to be read in some libraries that preserve
historical stuff. But one normally need not read them,
except when one is doing historical research. I find your
style of arguments very odd. Probably you haven't even 
read the follow-up of mine referred to above.

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: OTP using BBS generator?
Date: Thu, 10 Aug 2000 19:57:57 +0200



Mark Wooding wrote:
> 
> Terry Ritter <[EMAIL PROTECTED]> wrote:
> 
> > From my point of view, the whole reason for a proof is to absolutely
> > guarantee something.  The sort of proof we have been discussing simply
> > does not do that, presumably because it is not really the same sort of
> > "proof" that students learn in algebra.  I assume that what we really
> > have is a *statistical* proof, which is *not* just a different form of
> > proof and just as good, but instead a *lesser* *standard* of proof.
> 
> Errr... no.  The proof is not statistical.  It states that the output of a
> BBS generator cannot be distinguished from random data by any
> polynomial-time test by an adversary who cannot decide quadratic
> residuosity.
> 
> And this is the way that security proofs work in cryptography: we prove

[snip]

Would a LSB sequence of 000000..... or 010101..... be 
indistinguishable from random data or distinguishable?

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: OTP using BBS generator?
Date: Thu, 10 Aug 2000 19:57:52 +0200



Guy Macon wrote:
> 
> Mok-Kong Shen wrote:
> 
> >a very rare chance happening but could well be the tip of an iceberg.
> 
> Hmmm.  Those very rare chances again.  Sort of like the very rare but
> nonzero chance that your hardware RNG might randomly put out a couple
> of million zeros in a row and thus turn your one time pad into sending
> the plaintext in the clear...

How rare are these? Have you ever tried? I got in my example
with my 2nd trial. You have to show mathematically that 
they are indeed rare, if experiment indicates that they are 
probably not that rare. Or do you simply 'wish' that they are 
rare? Note that I got the suspicion from David Molnar's 
information that for non-BBS moduli, i.e. not of the form 
3 mod 4, he [often] got 01010101.... . Now it seems to me to 
be very reasonable to think that for BBS moduli, the same 
could happen, though maybe not so often. I was indeed very 
surprised when I got the example so easily.

Note that the phenomenon with the LSB is well known with linear
congruential generators. Namely, such generators can have a
very large period length, but the LSB alternates between
0 and 1.

Now, such extremely bad patterns do not actually belong 
to the things that one normally NEEDS to check, for a reasonably
good generator shouldn't by definition have these patterns. 
A generator is therefore normally checked more carefully
with comparatively sophisticated means, i.e. with tests
like FIPS-140-1, the serial tests with different lags,
Maurer's universal statistical test, etc. It is in retrospect
indeed extremely odd that nobody has (as far as I am aware 
from the literature) ever done such tests on BBS and yet many 
persons say offhand that BBS is 'provably secure'. Probably 
this comes from the circumstance that BBS was presented with 
lots of high mathematics (partly difficult to understand for
non-mathematicians) and one simply 'believes' that, where 
high mathematics is, everything 'must' be o.k. David Hopwood
reported that the BBS article left entirely open the issue
of the link between the cycle length of the numbers from
the congruence relation and the cycle length of the LSB. That 
this very essential fact has obviously escaped the attention
of many people who claimed to have dealt with BBS appears
to be quite understandable from this psychological 
interpretation.

M. K. Shen
===========================
http://home.t-online.de/home/mok-kong.shen

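To make the LSB question above concrete, here is an added toy run of x -> x^2 mod N (example code, not from any poster or from the BBS paper) with the constructed modulus N = 7 * 11, both primes being 3 mod 4. It walks each unit seed to the cycle it lands on and compares the length of the state cycle with the period of the LSB output read around that cycle; the seed-screening rule at the end is my own reading of the "exclude short cycles" argument in this thread, not a procedure from the paper. Real BBS moduli are far too large to enumerate this way; the point is only that the two cycle lengths are distinct quantities, and that with this modulus one cycle emits a constant LSB.

```python
from math import gcd

def bbs_cycle(p, q, seed):
    """Iterate x -> x^2 mod N from seed until a state repeats; return the cycle
    reached (the pre-cycle tail, if any, is dropped)."""
    n = p * q
    seen, path, x = {}, [], seed % n
    while x not in seen:
        seen[x] = len(path)
        path.append(x)
        x = x * x % n
    return path[seen[x]:]

def lsb_period(cycle):
    """Minimal period of the LSB output read around one state cycle.  It always
    divides the state cycle length and can be strictly smaller (e.g. constant)."""
    bits = [s & 1 for s in cycle]
    length = len(bits)
    for d in range(1, length + 1):
        if length % d == 0 and all(bits[i] == bits[i % d] for i in range(length)):
            return d
    return length

def cycle_survey(p, q):
    """Set of (state cycle length, LSB period) pairs reachable from any seed that
    is a unit mod N; a (k, 1) entry means a cycle whose LSB never changes."""
    n = p * q
    return {(len(c), lsb_period(c))
            for c in (bbs_cycle(p, q, s) for s in range(1, n) if gcd(s, n) == 1)}

def accept_seed(p, q, seed, min_cycle):
    """Constructed seed-screening rule (not from the BBS paper): walk the state
    sequence and reject the seed if any state repeats within min_cycle steps,
    i.e. if the seed leads into a cycle (plus tail) shorter than min_cycle."""
    n = p * q
    x, seen = seed % n, set()
    for _ in range(min_cycle):
        if x in seen:
            return False
        seen.add(x)
        x = x * x % n
    return True

if __name__ == "__main__":
    P, Q = 7, 11                      # toy BBS primes, both 3 mod 4 (constructed)
    for s in (1, 2, 23, 36):
        c = bbs_cycle(P, Q, s)
        print(f"seed {s:2d}: cycle {c}, LSBs {[v & 1 for v in c]}, "
              f"state period {len(c)}, LSB period {lsb_period(c)}")
    print("all (state length, LSB period) pairs:", sorted(cycle_survey(P, Q)))
    print("seed 23 accepted with min_cycle=3?", accept_seed(P, Q, 23, 3))
```

With N = 77 the seed 23 lands on the two-element cycle {23, 67}, whose LSB output is the constant 1111..., while the four-element cycles happen to have LSB period equal to their state period.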
------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: OTP using BBS generator?
Date: Thu, 10 Aug 2000 17:48:36 GMT


On 10 Aug 2000 11:01:17 GMT, in <[EMAIL PROTECTED]>,
in sci.crypt [EMAIL PROTECTED] (Mark Wooding) wrote:

>Trevor L. Jackson, III <[EMAIL PROTECTED]> wrote:
>
>> Interesting verb: "find".  AFAICT the issue is not finding short
>> cycles by searching for them, but finding a short cycle in the "oops"
>> sense of having inadvertently selected one for use.  The practical
>> impossibility of finding one on purpose is independent of the
>> theoretical possibility of finding one by accident.
>
>Errr... no.
>
>If finding X by trying very hard is impractically difficult, then
>finding X by accidentally tripping over it must be at least as
>difficult.  

"Errr... no" yourself:  Difficulty is not the issue.  There is no
difficulty for an opponent, just waiting.  There is no difficulty for
us either: we just choose.

When we choose at random there is always the chance of choosing the
improbable.  That's what "improbable" means as distinguished from
"impossible."  If short cycles are not excluded, they will be chosen,
sooner or later.  Then we are using weakness, even if we assume
factoring is hard.  So the assumption has not bought us what we wanted
it to.  


>Otherwise, I have the algorithm for finding X by trying very
>hard: pick possible values at random and hope to trip over one by
>accident.  This must work unless X can read minds and is deliberately
>perverse.

No.  This is not about an algorithm for an attack.  It is about
leaving weakness in the signal we send.  Just as it would not be
acceptable to leave plaintext between our impossible-to-break
ciphertext, it is also not acceptable to every once in a while have a
breakable result that we can prevent.  Calling that "proven secure" is
just adding insult to the injury.  

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM


------------------------------

From: "Tumbleweed" <[EMAIL PROTECTED]>
Subject: Re: 1-time pad is not secure...
Date: Thu, 10 Aug 2000 18:40:25 +0100


Guy Macon <[EMAIL PROTECTED]> wrote in message
news:8mtvus$[EMAIL PROTECTED]...
> Runu Knips wrote:
> >
> >fvw wrote:
> >> <8mth1u$vpt$[EMAIL PROTECTED]> ([EMAIL PROTECTED]):
> >> >Can you generate truly random numbers? No.
> >
> >> yes. time between radioactive decays for instance is a
> >> textbook example of a perfect random generator.
> >
> >Yep.
> >
> >I'm very surprised to hear someone believes true
> >random isn't available. Shows a serious lack in
> >ideas about modern physics, doesn't it ?
>
> Actually, oddly enough, what I learned in Seminary explains why we
> keep seeing this idea much better than anything I ever learned in
> a Physics class.
>
> There is a branch of theology that seems to be influencing people
> who don't know the root source of the ideas they hold.  I refer, of
> course, to Fatalism.
>
> One particular branch of Fatalism is largely based on the idea of a
> pure Newtonian universe where, if we only knew the exact position,
> velocity, and all other information about every particle that exists,
> we could predict the future with 100% accuracy forever.  Thus all
> future events are foreordained and free will is an illusion.
>
> Heisenberg killed this theory, Chaos theory nailed the coffin shut,
> and Quantum Mechanics presided over the cremation.  Alas, by this
> time enough people were infected with the "no randomness" meme that
> it became a self-sustaining memeplex which attempts to propagate
> into sci.crypt on a regular basis.
>
>
It should have been dead before Heisenberg, I have even read that Newton
made a statement (not that I could point to a source) that not all events
are predictable in detail simply because some bodies will have velocities
measured as irrational numbers, and therefore can only be computed to a
particular but not perfect detail.  I wonder how it arose in the first place
since the maths around at Newton's time was enough to disprove this, wasn't
it?

Joe



------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Destruction of CDs
Date: Thu, 10 Aug 2000 20:01:38 +0200



Thomas Kellar wrote:
> 
> There was a thread on this topic a couple of weeks ago.
> I received an advertisement for a device that shreds
> CDs.  If anyone is interested the company name/address is

Wouldn't a very strong magnetic field help?

M. K. Shen

------------------------------

From: [EMAIL PROTECTED] (Mickey McInnis)
Subject: Re: 1-time pad is not secure...
Date: 10 Aug 2000 17:39:33 GMT
Reply-To: [EMAIL PROTECTED]

In article <rfAAu$[EMAIL PROTECTED]>, Mike Calder <[EMAIL PROTECTED]> 
writes:
|> In article <8mu4r8$[EMAIL PROTECTED]>, Guy Macon
|> <[EMAIL PROTECTED]> writes
|> >Mike Calder wrote:
|> >
|> >>It may be unpredictable, but does that make it random?
|> >
|> >For use as the key in a one time pad, isn't unpredictable good enough?
|> >
|>
|> Unpredictable depends on where you stand, as does whether it matters.
|>
|> "010" -
|> "01010101010101010101010101010101010101010101010101010" -
|> "Yes, you get that sometimes.  Hit the back of the generator casing."
|> "You used WHAT as a key?"
|>
|> For crypto, it needs to be unpredictable in both directions.
|> Unpredictable both locally and globally helps.
|>
|> The central issue is confidence.
|>
|> That's why I would tend to be very unsure of any hardware random
|> generator.  We just don't really know what is the source of the
|> randomness in those cases, and how it will behave in the future; are
|> there going to be periods when it gives analyzable sequences? Are you
|> sure?  Are you really, really, sure?  Am I being sufficiently paranoid?
|>
|> With PRNGs on the other hand, the process is wide open, we see where the
|> output is coming from.  It's comparable to a cipher where the algorithm
|> is known; the hardware generator has a hidden algorithm.
|>
|> The PRNG may produce a sequence that is almost completely, but not
|> quite, totally unlike a random one, but if we know the degree of
|> unlikelihood, we're more confident with it.
|>
|> Clear skies!
|> Mike Calder
|>
|> These statements are totally contrary to fact and also meaningless.
|>
|> "Don't depend on any software where you don't have access to the source."

Well, if it makes you happy, xor your hardware RNG output with the
output of an independent PRNG.  That won't reduce the "randomness" of
the output of the hardware RNG.  (or the PRNG).  Just don't reuse either
of the two input streams or the final pad.

Just remember, any PRNG has a seed of size "N".  Using the
PRNG output as an "OTP" pad is mathematically equivalent to using a
non-OTP crypto algorithm with a key of length "N", with all the
potential weaknesses of any non-OTP cryptosystem.


--
Mickey McInnis - [EMAIL PROTECTED]
--
All opinions expressed are my own opinions, not my company's opinions.

------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: OTP using BBS generator?
Date: Thu, 10 Aug 2000 17:54:18 GMT


On Fri, 11 Aug 2000 04:49:56 +0100, in
<[EMAIL PROTECTED]>, in sci.crypt David Hopwood
<[EMAIL PROTECTED]> wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>
>"Trevor L. Jackson, III" wrote:
>> lcs Mixmaster Remailer wrote:
>> > Terry Ritter writes:
>> > > The LSB of the x^2 mod N result *is* the output of BB&S.  If a cycle
>> > > of LSB's could be shorter than the cycle itself, BB&S would be
>> > > seriously damaged.  To the extent that there is a proof of BB&S, that
>> > > proof must cover this situation, because this *is* BB&S.
>> >
>> > This is correct.  It is frustrating that you have come so close here to
>> > understanding the position of those who have been arguing against you
>> > for so many years.
>> >
>> > You need only expand your argument to say, that if a cycle of outputs were
>> > short enough to be found in practice, BB&S would be seriously damaged.
>> > And then, as you say, "To the extent that there is a proof of BB&S,
>> > that proof must cover this situation, because this *is* BB&S."
>> >
>> > The point being, that if anyone could feasibly find short cycles when
>> > using intractably large RSA moduli (other than trivial cases like x=1 or
>> > -1), that would invalidate the BB&S proofs.
>> 
>> Interesting verb: "find".  AFAICT the issue is not finding short cycles by
>> searching for them, but finding a short cycle in the "oops" sense of having
>> inadvertently selected one for use.  The practical impossibility of finding
>> one on purpose is independent of the theoretical possibility of finding one by
>> accident.
>
>No; the impracticality of finding one on purpose *implies* that there is
>negligible probability of selecting one by accident, because we can assume
>without loss of generality that the attacker is able to test sequences for
>short cycles at at least the same rate as a legitimate user can select and
>use sequences.

No; a "negligible probability" means that some probability remains.
And with random selection, that result will eventually occur.  


>IOW, if the user has a non-negligible probability of selecting a short cycle,
>then the attacker has a non-negligible probability of finding one, and that
>would contradict the assumption that factoring moduli of the size being used
>is intractable.

That logic is wrong.  If there is a possibility of choosing a short
cycle, that *will* happen, sooner or later.  Then the attacker *can*
factor N, which contradicts the assumption.  

It is *not* difficult to factor N . . . if we give a factor away.  To
even attempt to assume that factoring is difficult *implies* that the
system be constructed in such a way as to not give away the secret.
And a proper construction happens with BB&S (as far as I know), only
when short cycles are excluded from use.  


>Note that the proofs in the BBS paper (and in the Crypto '84 paper by Vazirani
>and Vazirani proving a reduction to factoring) are all asymptotic, so
>unfortunately we can't make stronger statements relating the exact probability
>of being able to distinguish the BBS output from random with a specific amount
>of work, to the probability of being able to factor or solve the QRP with a
>similar amount of work (at least, not based on those proofs). But if the
>underlying question being debated in this thread is about the general validity
>of probabilistic proof, rather than its application to BBS in particular, then
>there are plenty of other cryptosystems for which exact reductions have been
>proven.

I have no problem with a probabilistic proof.  But what we can get
from it is that something is "almost always secure."  The very reason
we don't have an ordinary proof is that we *know* that sometimes the
system is weak.  

Were this to be explained as it really is, I doubt that many users
would be happy with the phrase "proven secure."

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM


------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: OTP using BBS generator?
Date: Thu, 10 Aug 2000 17:55:22 GMT


On Thu, 10 Aug 2000 11:05:14 +0200, in
<[EMAIL PROTECTED]>, in sci.crypt Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:

>[...]
>In another follow-up I have argued for a replacement of the
>term 'provable security' without having considered statistics. 
>Here is a modified version:
>
>    'existence of a rigorous security proof of statistical
>     nature contingent on fulfillment of certain assumptions'

I think that hides the true situation.  For the purposes of discussion
we are willing to assume that factoring is difficult.  Yet even *with*
that assumption, the reduced BB&S without short-cycle checks will be
weak occasionally.  Here "occasionally" means "ALMOST never," instead
of the absolute "never" we would like to see.  

The issue, then, is *not* the assumption, but instead the construction
of the system to be secure when the assumption is true.  

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM


------------------------------

From: Jerry Coffin <[EMAIL PROTECTED]>
Subject: Re: Knowing when you've cracked an encryption
Date: Thu, 10 Aug 2000 11:54:41 -0600

In article <8mso3t$4ct$[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
> A problem I never see discussed is: How do you know when you've successfully
> cracked an encryption?
> 
> You're in one of these cracking contests and brute forcing the cipher, but
> what does one use to determine that you have successfully found the key?
> Are there any on-line references to this subject?  It must be its own kind
> of science.

That depends.  If you have any known plaintext, the problem simply 
doesn't exist, since you can compare the decoded ciphertext to the 
known plaintext (or depending on how you're doing things, you might 
encrypt the known plaintext and see if it matches the cipher text).

In a ciphertext-only attack, some fairly trivial statistical analysis 
is normally adequate to determine whether something "looks like" 
plain text or not.  The most trivial test, but one that's often more 
than adequate, is to simply test frequencies of individual 
characters.  With an incorrect key, different characters will be used 
with fairly similar frequency, but with a correct key you'll see 
substantial differences in frequency of usage.

In some cases, you have to get sophisticated and look at frequencies 
of usage of digraphs, trigraphs, etc. (i.e. groups of two, three or 
more letters).  Note in particular that there are quite a few 
digraphs, trigraphs, etc., that are SO rare that nearly as soon as 
you encounter them, you can nearly eliminate that key from further 
consideration unless there's a chance that what you're looking at was 
encoded as well as enciphered (i.e. that the plaintext being fed to 
the cipher is NOT really plain text at all).

In this case, you have to break the code along with the cipher.  That 
basically involves figuring out the length of the code groups and 
then attacking the code groups in a roughly similar fashion.  At one 
time, when relatively weak ciphers were the general rule, this was 
quite common.  I'd be at least mildly surprised to see such a system 
in use today except, maybe, by somebody who's interested in old 
ciphers and codes.

-- 
    Later,
    Jerry.

The Universe is a figment of its own imagination.

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
