Cryptography-Digest Digest #950, Volume #13      Tue, 20 Mar 01 12:13:01 EST

Contents:
  Re: How to eliminate redondancy? (SCOTT19U.ZIP_GUY)
  unbreakable code ("dexMilano")
  Re: How to eliminate redondancy? (SCOTT19U.ZIP_GUY)
  Re: FIPS 140-1 does not adress eavesdropping (Paul Rubin)
  Re: Fast and Easy crypt send (amateur)
  Re: unbreakable code ("Jakob Jonsson")
  Re: Idea (amateur)
  Re: Between Silk And Cyanide - Identity checks. (Joe H. Acker)
  Re: A future supercomputer (Frank Gerlach)
  Re: Idea (amateur)
  Re: What do we mean when we say a cipher is broken? (John Myre)
  Re: AES encryption speed vs decryption speed ("Scott Fluhrer")
  Re: A future supercomputer (Frank Gerlach)
  Re: Idea (SCOTT19U.ZIP_GUY)
  Re: Idea - (LONG) ("John A. Malley")

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: How to eliminate redondancy?
Date: 20 Mar 2001 14:56:30 GMT

[EMAIL PROTECTED] (Benjamin Goldberg) wrote in 
<[EMAIL PROTECTED]>:

>Consider the function F(x) = x + 0.5, with the domain of all integers,
>and the range of those reals which are an integer plus 0.5.  This
>function is one-to-one, and onto, and is a bijection, because all of the
>properties needed to be one-to-one and onto are fulfilled, and anything
>which is one-to-one and onto is a bijection.  However, David Scott would
>say, "but the inverse doesn't map all real numbers to integers, so it's
>not a bijection" because he likes being an ass.  If you use some

   Actually not true. That is not what I would say. I would say, as I
do with compression followed by encryption: if the input is limited
to all integers, and the output, which in this case is an integer
plus .5, is what the following function uses as its input domain,
then it is BIJECTIVE. However, if the following function can use any multiple
of .5, so that 1 and 1.5 and etc. are in the expected input set, then it
was "NOT BIJECTIVE" for the purpose at the end.
   As a further example, suppose you reduced your message down to
an integer, and you used this wonderful function to convert it to
an integer + .5. If one had an encryption product that mapped bijectively
any integer + .5 to an integer, then the process was BIJECTIVE.

   But if you have an encryption product that maps any multiple of .5
to an "as random as reasonably possible" integer, then a "wrong key"
when used for decryption has a fifty percent chance of decrypting
to an integer, something that is not in the set of outputs from
your function. Since we are in sci.crypt we are looking at it from the
encryption point of view. Your input function was "NOT BIJECTIVE"
since it did not handle all the data that comes from the decryption
process when a different key is used.

>definition of range other than the correct one, you lose the onto
>property.  David doesn't have the mental capacity to understand that the
>range and domain are allowed be different, and that the function can
>still be bijective if this is so.
>

  To look at it from the real world point of view, something Ben
seems to have lost grip of: if I have two functions in isolation
I could claim by clever use of range and domain that they are
BIJECTIVE. But when two functions are placed in series with
one another, is the process still bijective? Most claim that
a block cipher is BIJECTIVE at the block level. That is, for
any input under a key from the set of all encryption keys
you get a bijective mapping from input block to output block.
This is fundamental to good encryption. One assumes that
even RIJNDAEL meets this bijective criterion. The problem
comes when you use a compression program in front of the encryption
process. You can falsely claim that it is BIJECTIVE. But is it
BIJECTIVE when mated to the encryption routine? One has to be
very careful. The only careful product I have seen is Matt Timmermans'
RIJNDAEL version and people seem to not list it.
The neat point is it's so easy to test. Just use a wrong key
and see what happens.



David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
        http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website **now all allowed**
        http://members.xoom.com/ecil/index.htm
Scott LATEST UPDATED source for scott*u.zip
        http://radiusnet.net/crypto/  then look for
  sub directory scott after pressing CRYPTO
Scott famous Compression Page
        http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMERS***
I leave you with this final thought from President Bill Clinton:

------------------------------

From: "dexMilano" <[EMAIL PROTECTED]>
Subject: unbreakable code
Date: Tue, 20 Mar 2001 16:14:01 +0100

I'm looking some info on this algorithm.

http://www.securitywatch.com/newsforward/default.asp?AID=5955

any help will be welcome

thx

dex



------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: How to eliminate redondancy?
Date: 20 Mar 2001 15:12:30 GMT

[EMAIL PROTECTED] (Joe H. Acker) wrote in 
<[EMAIL PROTECTED]>:

>Okay, let's find another term for the property David Scott has proposed.
>To name it "bijective" is confusing and not appropriate, so let's call
>it "s-bijective" (S in honour of David Scott). But perhaps that is not
>even necessary because there's already a precise term for this that is
>established in contemporary mathematics---I'd guess there is. Anyway
>David Scott has made clear *what* exactly he means, although he has done
>this informally and might not always have been using the appropriate terms.
>
  
  I kind of enjoy the term "unadulterated compression" but am open
to anything.

>So instead of arguing about names, is there actually someone who has
>opinions about how and how much overall security an s-bijective
>compressor would add or not add? What do cryptanalysts say about
>s-bijective compression once they have learned what "s-bijective" is
>supposed to mean? 

  You may have better luck; I seem able to piss people off very easily.
But I have written more than once to the RIJNDAEL guys about Matt's
product and have only received one response. It said that Matt's code
could not do what I said it does and still be encrypting with full
size blocks, and be able to treat any length file as a compressed
encrypted file or as a plaintext file.
  It may be my style or it may have been a Wagner clone that was too
much of an asshole to look at it. So he pronounced it not possible
without so much as looking at it, like the way David Wagner looked at
scott19u. But Matt's code is by most people's standards more
portable and in the style of modern C and C++ programmers, so it
is not as if it was in Dutch or something most could not understand.

>
>Regards,
>
>Erich
>
>


David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
        http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website **now all allowed**
        http://members.xoom.com/ecil/index.htm
Scott LATEST UPDATED source for scott*u.zip
        http://radiusnet.net/crypto/  then look for
  sub directory scott after pressing CRYPTO
Scott famous Compression Page
        http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMERS***
I leave you with this final thought from President Bill Clinton:

------------------------------

From: Paul Rubin <[EMAIL PROTECTED]>
Subject: Re: FIPS 140-1 does not adress eavesdropping
Date: 20 Mar 2001 07:33:17 -0800

Frank Gerlach <[EMAIL PROTECTED]> writes:
> > However, I can tell you that hardware designers are acutely aware of
> > these attacks and do what they can to protect against them, whether or
> > not 140-1 requires it.
> 
> In which world are you living ? In the world of perfectness or in
> the world of deadlines ? We are all aware of the marketing
> statements of commercial crypto companies - why do you expect that
> they spend *any* money on limiting emanations as long as nobody
> actually *measures* it ?

The designers of these things show up at crypto conferences and talk
about their work.  They do measure it.

> > I'm somewhat more concerned about firmware back doors being built into
> > devices.
> 
> Then better start doing your own CPU, memory, display, OS, email client.....
> For governments this is actually a necessity, from my point of view :-)

From the crypto processor's point of view, the surrounding host is assumed
to be insecure.

> > I'd like to see the sci.crypt community design its own
> > device with standard parts
> 
> Standard parts like the very popular CPU, which could be halted by
> an instruction sequence of a user-level program ? (And might expose
> something worse to the three-letter agencies ?) There are no
> standard parts you can trust 100%.

The device shouldn't run any untrusted software.

------------------------------

From: amateur <[EMAIL PROTECTED]>
Subject: Re: Fast and Easy crypt send
Date: Tue, 20 Mar 2001 11:00:27 -0400

It was just an idea of an algo.
Do you think that if you use RSA with any big prime number it is secure?
Do you think that if you use DES with any key it is secure?
Of course not.
If you think that encrypting bits with random characters has already been done,
then give me a reference. I will be glad to read it.
What if you send via the network not the encrypted message, but
the way to calculate it? If I use f(k)= a1*k1 +a2*k2+ ....an*kn+ b
and I send a1, a2, ...,b using k1,k2,...,kn, will you find it???
It is just an idea.
The conditions to use the idea, I prefer not to talk about.
Thanks, mister cryptographer, who is trying to create a secret community with
his own language.
It seems to be becoming like a sect.

Thank you sir.

     


Joseph Ashwood wrote:
> 
> Honestly, I think the first thing you need to do is read about cryptography.
> 
> First and foremost. You never specified independent keys, the assumption was
> otherwise. Second if you do use random keys for each block it IS an OTP.
> Third, I strongly suggest that you not just acquire but read (as opposed to
> using it to beat up your brother) a copy of either Handbook of Applied
> Cryptography, or Applied Cryptography, preferably both. We can go round and
> round and round with any learned person here easily capable of decimating
> your ciphers for the next 10 years, or you can take your copy of HAC or AC
> and read it thoroughly, feel free to ask questions, but please stop posting
> idiotic attempts to make ciphers that are either (A) incomplete, (B) known
> for the last century or more, or (C) a Vigenere cipher.
>                 Joe
> 
> "amateur" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > The text is encrypted with my algo. Read before attacking.
> > The output you are looking for is random.
> > Every bit is encrypted with a symbol which is chosen randomly.
> > If I choose odd and even to encrypt, then the number 0 or 2 or 4 or 6 or
> > 8 represents the bit 0.
> > So the output E you are trying to test is random.
> > That's what you don't understand.
> > I know this type of attack.
> > If you use it you are going to find millions of outputs with odds and evens.
> > Like OTP.
> > You could find "hello" or "thank" or all strings with 5 characters.
> >
> >
> >
> > Joseph Ashwood wrote:
> > >
> > > This looks to be the same algorithm you posted a few days ago (addition
> > > and subtraction are the same operation). Let's see if I remember correctly.
> > > It's a Vigenere cipher (I really suggest you at least look this up before
> > > posting the same drivel again) therefore the attack is:
> > > Take 2 blocks add them to each other
> > > You have now eliminated the key
> > > If it's in English you will have a very small number of valid texts that
> > > could come out the other end (1 bit of entropy per character), determine
> > > which two add to the given value, decide on order, solve:
> > > A-K=E
> > > Where the value E is from the supplied stream, A is the now
> > > known-plaintext, K is easily solved. Your entire cipher is (just like it
> > > was the last time you posted it) completely eliminated.
> > >                         Joe
> > >
> > > "amateur" <[EMAIL PROTECTED]> wrote in message
> > > news:[EMAIL PROTECTED]...
> > > [snip hey look at my Vigenere Cipher which I've posted at least twice
> > > now]

------------------------------

From: "Jakob Jonsson" <[EMAIL PROTECTED]>
Subject: Re: unbreakable code
Date: Tue, 20 Mar 2001 17:05:32 +0100

Search for <Rabin unbreakable> at

http://groups.google.com/groups?hl=sv&lr=&safe=off&group=sci.crypt

Jakob

"dexMilano" <[EMAIL PROTECTED]> skrev i meddelandet
news:997s3u$3hpv$[EMAIL PROTECTED]...
> I'm looking some info on this algorithm.
>
> http://www.securitywatch.com/newsforward/default.asp?AID=5955
>
> any help will be welcome
>
> thx
>
> dex
>
>



------------------------------

From: amateur <[EMAIL PROTECTED]>
Subject: Re: Idea
Date: Tue, 20 Mar 2001 11:02:15 -0400

????????????????



those who know me have no need of my name wrote:
> 
> <[EMAIL PROTECTED]> divulged:
> 
> >I'm not using a secret algorithm.
> 
> will you please keep a single from header.  i really don't want to
> killfile all of netcom.ca.  thank you.
> 
> --
> okay, have a sig then

------------------------------

From: [EMAIL PROTECTED] (Joe H. Acker)
Subject: Re: Between Silk And Cyanide - Identity checks.
Date: Tue, 20 Mar 2001 17:03:41 +0100

Matthew GC <[EMAIL PROTECTED]> wrote:


> Still I don't think Mark's solution is along these lines. Firstly
> because it doesn't get around the 'what if Alice is captured before
> handing the OTP's over to Roger' problem. 

But as Roger's initial integrity depends on Alice's trustworthiness
anyway, because she recruits him, I can't see a solution to this
problem, given the assumption that Alice will give away her identity
when being captured. I haven't read the book; does it claim that Gerald
cannot fake a new agent after he has caught Alice and she has given
away her identity check and her OTPs? I can't believe that.

>Secondly in the book Marks is
> asked not to reveal his solution, why would they ask him to keep quiet
> (even today) if his solution is so *simple* that it can be guessed with
> a few minutes thought by people not even involved in the 'Intelligence'
> community.

That's why I also think my solution cannot be the best.

> Finally (the weakest reason) Marks' boss, is very impressed
> with the cleverness of the solution and I am not that impressed with our
> ideas.

Yeah, I wasn't impressed either, it took me 10 minutes to figure out.

> I'd be interested if you have any other thoughts on this matter.

My solution didn't require a recruitment acknowledgment by Alice. Here's
another obvious solution that gets rid of the problem that Alice might
have seen the OTPs she hands to Roger:

1. Alice hands out some OTPs to Roger.
2. Roger invents an identity, and uses one of his OTPs to encrypt it
(Alice may not be present while he does this). Of course, Roger
immediately destroys the OTP he has used.
3. Alice adds her identity check to Roger's ciphertext and encrypts it
with one of her OTPs (Roger may not be present). She immediately
destroys her OTP.
4. Alice might send the result back to Bob, or give it back to Roger who
could send it to Bob whenever he wants. Of course, Roger has to make
sure to destroy it when he's caught, so it's wise to send it
immediately.

Bob now knows Roger's new identity, but neither does Roger know that of Alice
nor Alice that of Roger. Alice has just signed Roger's ciphertext.
However, this solution is trivial as well.

Both of my suggestions don't knock me off the chair...

Regards,

Erich 

------------------------------

From: Frank Gerlach <[EMAIL PROTECTED]>
Subject: Re: A future supercomputer
Date: Tue, 20 Mar 2001 17:02:10 +0100

Will be more of a 1000 Teraflop (Petaflop ?) computer, as a single CPU can
already do 10^9 floating point ops.
I'd like to know about the contracts *not* for protein & nuclear research :-) You
know, the contracts for some agencies in the north-east of the US, three
letters, can't recall its name....

DJohn37050 wrote:

> A gigaflop computer, this has been reported in The Economist and is at IBM's
> web site.
> Don Johnson


------------------------------

From: amateur <[EMAIL PROTECTED]>
Subject: Re: Idea
Date: Tue, 20 Mar 2001 11:05:12 -0400

Cryptographers are still picking up ideas of amateurs.
If someone looks carefully at what amateurs wrote, you will certainly
find ideas of those amateurs in the next "theories".


Paul Crowley wrote:
> 
> [EMAIL PROTECTED] (John Savard) writes:
> 
> > On 18 Mar 2001 19:50:25 GMT, [EMAIL PROTECTED]
> > (SCOTT19U.ZIP_GUY) wrote, in part:
> >
> > >Of course the pompous assholes will find fault with much
> > >of so called amateur stuff and use that as an excuse to never really
> > >check what many amateurs are doing.
> >
> > Given the number of hours in the day, and the fact that as far as most
> > amateur stuff is concerned, the time of the 'pompous' ones is better
> > spent for them working on their own stuff than looking at that, they
> > need _some_ excuse.
> 
> Actually the professionals will look at amateur cryptosystems, and
> even accept them as papers to conferences, if you can present them
> properly and argue their advantages in the right way.  I know, because
> I did it.
> 
> I was in every way an amateur - I had a largely unrelated day job to
> do and had to work on the paper in my free time, I'd only ever bought
> two books about crypto (Applied Crypto 1st ed and 2nd FSE proceedings)
> downloading everything else, my only qualification was a 2:2 in
> Computer Science, and I'd never met anyone on the program committee or
> had any kind of "friend of a friend" recommendation - anyone who *did*
> know me, knew me through my participation in this very newsgroup.  But
> I wrote up my cipher as best I could, submitted it to a conference,
> got it rejected with reviewer's comments, worked on it some more using
> the comments to direct me, submitted it again, and got accepted; I did
> the first presentation of my life in front of a crowd including quite
> a few crypto demogods presenting my cipher at Fast Software Encryption
> 2000 in New York.
> 
> Now I'm a professional cryptographer.  I am living proof that this
> idea of a "cryptographer's closed shop" is nonsense.  Scott's ideas
> are ignored, not because he's an amateur, but because:
> 
> - they are presented very badly in every way
> - they actually don't have the merit to warrant more attention.
> 
> And that's it.
> --
>   __  Paul Crowley
> \/ o\ [EMAIL PROTECTED]
> /\__/ http://www.cluefactory.org.uk/paul/

------------------------------

From: John Myre <[EMAIL PROTECTED]>
Subject: Re: What do we mean when we say a cipher is broken?
Date: Tue, 20 Mar 2001 09:04:01 -0700

Paul Crowley wrote:
> "Douglas A. Gwyn" <[EMAIL PROTECTED]> writes:
<snip>
> > if the adversary cannot recover any of the
> > hidden information then he cannot be said to have broken the system.
<snip>
> if there's a cheaper way than brute force for an attacker to
> distinguish the pseudo-random stream from a truly random stream.
<snip>

And here we have a fundamental difference between "academic"
and "practical" cryptology.  Since both ways of looking at
the problem are useful, the terminological discrepancy is
unfortunate.

I think that in this instance I would side with the "practical"
definition, since it is clearly a more severe condition.  If a
cipher is "broken" by a distinguisher, does a practical break
make it "exploded" or "incinerated" or what?  And do we say
that RC4 is "broken"?

JM

------------------------------

From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Subject: Re: AES encryption speed vs decryption speed
Date: Tue, 20 Mar 2001 08:05:16 -0800


Brian Gladman <[EMAIL PROTECTED]> wrote in message
news:QdFt6.631$Ph.34391@stones...
> "Scott Fluhrer" <[EMAIL PROTECTED]> wrote in message
> news:996gu1$mnu$[EMAIL PROTECTED]...
> >
> > Or, is there something subtle with the AES key schedule that I missed?
>
> Yes!

Thank you for showing me something I wasn't aware of.

--
poncho




------------------------------

From: Frank Gerlach <[EMAIL PROTECTED]>
Subject: Re: A future supercomputer
Date: Tue, 20 Mar 2001 17:06:31 +0100

Although I am not sure they will use a CPU like the G5, because that would be in the
order of 20W per CPU. This would mean 20MW for the whole system at least, more
likely 60MW.
But yeah, they would build dedicated nuclear power stations if they were really
interested in some DNA. Say the DNA of some guy called "Bin Laden" :-))

Frank Gerlach wrote:

> Will be more of a 1000 Teraflop (Petaflop ?) computer, as a single CPU can
> already do 10^9 floating point ops.
> I'd like to know about the contracts *not* for protein & nuclear research :-) You
> know, the contracts for some agencies in the north-east of the US, three
> letters, can't recall its name....
>
> DJohn37050 wrote:
>
> > A gigaflop computer, this has been reported in The Economist and is at IBM's
> > web site.
> > Don Johnson


------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Idea
Date: 20 Mar 2001 16:13:28 GMT

[EMAIL PROTECTED] (amateur) wrote in <[EMAIL PROTECTED]>:

>Cryptographers are still picking ideas of amateurs.
>If someone look carefully to what amateurs wrote, you will certainly
>find ideas of those amateurs in the next "theories".
>
>
  
   No doubt many of the ideas are incorporated,
but you can bet your sweet ass they suck up all
the credit themselves and then still look down
on those like you as unworthy to be in their
midst.



David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
        http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website **now all allowed**
        http://members.xoom.com/ecil/index.htm
Scott LATEST UPDATED source for scott*u.zip
        http://radiusnet.net/crypto/  then look for
  sub directory scott after pressing CRYPTO
Scott famous Compression Page
        http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMERS***
I leave you with this final thought from President Bill Clinton:

------------------------------

From: "John A. Malley" <[EMAIL PROTECTED]>
Subject: Re: Idea - (LONG)
Date: Tue, 20 Mar 2001 08:29:51 -0800


amateur wrote:
> 
> Don't forget that with my idea the same clear could produce multiple
> cyphertext.
> Schneier is defining restricted algorithm when algo is kept secret.
> That's not my case.
> All my algo is public. The secret who is to find and distinguish two
> categories of symbols is not secret at all.
> But the sender has the freedom to imagine any kind of two categories
> before encrypting.
> This secret is disclose if the recipient has the key.
> All modern cryptography is based on power of computing.
> What I'm proposing is to found a new cryptography based on the inability
> of computer to analyse a text trying to distinguish two categories.

Humans write programs.  Algorithms employed by humans to decide
something can be transcribed to a computer program (encoded as binary
numbers.)  A human recognizes the symbols in the ciphertext correspond
to one or another category. The ability of a human to spot patterns can
be encoded as an algorithm acting on the data.  So a computer program
can be written to do the same thing.  

Computers sort through data faster than humans. That's the advantage of
a computer. 

> Computer has no this attribute. 

Computers are glorified adding machines. We tell them to add, subtract,
multiply and divide numbers. We encode information as numbers and
manipulate information as numbers. No program "means" anything to a
computer. Computers do literally what we tell them to do with a program. 

For a time the word  "computer" meant a person who carried out
particular numerical calculations. "Computers" did not necessarily know
what they were working on or what the calculation results meant.   


> So the cryptanalist even if he use the
> computer is helpless. The only strategy for him is to try to guess what
> a sender has choosen to encrypt every bit.
> And this domain is infinite.

So you encode binary-represented ciphertext with members of two sets of
symbols, each set with the same number of elements. The two sets differ
in one property - one set has the property, the other set does not. The
absence and presence of the property corresponds to binary 0 or 1.

This "encoded" ciphertext is human-readable - it must be, or how can a
human decode it?  So a computer program can be written to recognize it
same as a human did.

This "encoded" ciphertext is program-readable if a program is written to
generate the "encoded" ciphertext to send it electronically or to print
it onto paper. And that which is generated by a program is recognized by
a program. 

I read the "idea" post and the proposed cipher. A human cryptanalyst
*can* figure out which symbols correspond to 0 and 1 no matter what
symbols are used, due to the statistics of the plaintext as exposed in
the ciphertext. 

How! you ask...

Well, (1) the first thing the cipher does is apply a Caesar substitution
to a fixed length of plaintext message.

OK. This preserves the frequencies of occurrence of every letter,
digraph and trigraph in the plaintext message. And the structure of every
sentence. And the order of every plaintext word.

Next, (2) convert each character in the substitution output into its hex
equivalent, and then to binary (0 and 1.)

OK.  This preserves the frequencies of occurrence of every letter,
digraph and trigraph in the plaintext message. And the structure of
every sentence. And the order of every plaintext word. 

All (2) does is substitute a binary string for each character in the
output of (1). That's why all the salient statistical information in the
plaintext comes sailing on through.

Now here's an interesting fact:

The number of 1s and 0s in the resulting binary string produced in the
output of step (2) are NOT equal.  There are either more 1s than 0s or
there are more 0s than 1s. 

Why?  

Well, some characters in the plaintext occurred far more often than
others. And after the substitution cipher in step (1), their ciphertext
character equivalents occur far more often than the ciphertext
equivalents of the others.  And after (2), the binary string
representations of the ciphertext character equivalents occur far more
often than the binary string equivalents of the ciphertext equivalents
of the others.

So what comes next?  

In step (3) of your idea, form two sets of symbols, each set with equal
numbers of elements.  Take the binary string representation output of
step (2) and substitute an element out of one set selected uniformly at
random for a 0 and substitute an element out of the other set selected
uniformly at random for a 1.

OK.  But remember, the number of 1s and 0s in the binary string
representation are NOT equal! So symbols from one set appear more often
than symbols from the other set.  And the symbols selected from a set
are selected uniformly at random. For a quantity of ciphertext encrypted
this way, every symbol from the set corresponding to 1 should appear
the same number of times and every symbol from the set corresponding to
0 should appear the same number of times.

This information allows a cryptanalyst to determine which symbols
correspond to which of the two sets representing 0 and 1. 
It can be determined by frequency count of each symbol in the encoded
ciphertext.  Half of the symbols in the "encoded" ciphertext will occur
with the same frequency, f_a, and half of the symbols in the "encoded"
ciphertext will occur with the same frequency f_b, and f_a will NOT
equal f_b.   Which set corresponds to 1 and 0?  It's one or the other -
but a clever cryptanalyst knows already what the binary coding of
characters is, so therefore already knows if 1s or 0s occur with more
frequency in the binary representation of the plaintext alphabet. 

So in step (3) the 0s are represented with {0,1,2,3,4} and 1s are
represented with {5,6,7,8,9}. 

Again, the number of 0s, 1s, 2s, 3s, 4s will tend to be equal and the
number of 5s, 6s, 7s, 8s, and 9s will tend to be equal but the number of
0s will not equal the number of 5s, #1s will not equal #5s, etc. 

In Step (4) a further Caesar substitution (? there's no modulo operation
though, it's just addition) is done by adding a constant key value to
the numerical result of Step (3).

Does this hide the fact that the number of 0s and 1s in the binary
representation output of step (2) are not equal?

No. 

In fact, take any two message blocks encrypted with this cipher (using
your notation, E1' + K and E2' + K), and just subtract one from the
other to get E1' - E2'.

No key involved here now. It's possible for the cryptanalyst to examine
the statistics of the plaintext directly. What are the statistics of the
differences between plaintext binary representations - they show up
directly in the ciphertext.

The addition of a fixed constant (key) in step (4) will not change the
statistics of the underlying plaintext as revealed by the substituted
ciphertext in step (2). 

Once a cryptanalyst determines which symbols represent 0s and 1s in a
manner like the one described, he replaces the symbols with 0s and 1s and
gets the binary string equivalent to the Caesar substitution on the
original plaintext (output of step 3.) Then all the known tools for
cracking simple substitution ciphers apply to rapidly crack this cipher.

The attack is even quicker and easier with known plaintext! Try it
yourself and see. :-) 

In summary, here's the core of the attack:

Homophonic substitution of the 0s and 1s of the binary string
equivalents of the ciphertext output of a simple substitution cipher
keeps the statistics of the plaintext (and its binary string equivalent)
intact.  Any bias in the number of occurrences of 0s and 1s shows up
in the frequencies of the symbols used to encode 0s and 1s.

Hope this helps,

John A. Malley
[EMAIL PROTECTED]

> You have multiple combinations using only the characters of ASCII table.
> If using others codes, you have to understand thas it's quite impossible
> to attack.
>
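
A worked version of the cipher and of the frequency-count recovery Malley describes, added here as an example (not code from the thread or from the cipher's author). It implements steps (1)-(3) as the post lays them out, leaves out the constant addition of step (4) (the post's own point is that subtracting two blocks removes it), and, rather than assuming which bit dominates, fixes the 0/1 labelling with the fact that every ASCII code starts with a 0 bit; the sample text, shift, seed and word list are constructed.

```python
"""The 'two-category' cipher of the Idea thread, steps (1)-(3), and the
frequency-count recovery Malley describes.  Constructed example."""
from __future__ import annotations
import random
from collections import Counter

ZERO_SET = "01234"   # homophones standing for a 0 bit (step 3)
ONE_SET = "56789"    # homophones standing for a 1 bit


def caesar(text: str, shift: int) -> str:
    """Step (1): shift letters by a constant, leave other characters alone."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def to_bits(text: str) -> str:
    """Step (2): each character as its 8-bit ASCII code."""
    return "".join(format(ord(ch), "08b") for ch in text)


def from_bits(bits: str) -> bytes:
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def encode_homophonic(bits: str, rng: random.Random) -> str:
    """Step (3): every 0 becomes a uniformly random ZERO_SET symbol, every 1
    a uniformly random ONE_SET symbol."""
    return "".join(rng.choice(ZERO_SET if b == "0" else ONE_SET) for b in bits)


def encrypt(plaintext: str, shift: int, rng: random.Random) -> str:
    return encode_homophonic(to_bits(caesar(plaintext, shift)), rng)


# ---- the recovery Malley sketches ------------------------------------------
def split_by_frequency(cipher: str) -> tuple[set[str], set[str]]:
    """Within a category every symbol is equally likely, but the categories
    inherit the 0/1 imbalance of the plaintext bits, so the counts fall into
    two clusters: the five most frequent symbols and the five least frequent."""
    ranked = [sym for sym, _ in Counter(cipher).most_common()]
    half = len(ranked) // 2
    return set(ranked[:half]), set(ranked[half:])


def recover_bits(cipher: str) -> str:
    """Label the two clusters 0 and 1 using what the analyst knows about the
    encoding: every ASCII code starts with a 0 bit, so the wrong labelling
    (the complement) turns every byte into one >= 0x80."""
    first, second = split_by_frequency(cipher)
    for zeros in (first, second):
        bits = "".join("0" if sym in zeros else "1" for sym in cipher)
        if all(b < 0x80 for b in from_bits(bits)):
            return bits
    raise ValueError("symbol categories could not be separated")


COMMON_WORDS = {"the", "and", "of", "to", "a", "in", "is", "it", "that"}


def break_caesar(text: str) -> tuple[int, str]:
    """Step (1) is a 26-key substitution: score every shift by the number of
    common English words it yields and keep the best."""
    best = max(range(26), key=lambda s: sum(
        w in COMMON_WORDS for w in caesar(text, -s).split()))
    return best, caesar(text, -best)


def attack(cipher: str) -> tuple[int, str]:
    """Full recovery: symbol frequencies -> bits -> bytes -> Caesar shift."""
    return break_caesar(from_bits(recover_bits(cipher)).decode("ascii"))


# Constructed sample: ~1100 characters gives clearly separated clusters.
SAMPLE = "the quick brown fox jumps over the lazy dog " * 25
SHIFT = 3


def demo() -> tuple[int, str]:
    cipher = encrypt(SAMPLE, SHIFT, random.Random(2001))
    return attack(cipher)
```

On this sample the five ZERO_SET symbols each occur about 970 times and the five ONE_SET symbols about 790 times, which is the gap the recovery relies on.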

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
