Cryptography-Digest Digest #479, Volume #14      Wed, 30 May 01 23:13:01 EDT

Contents:
  Re: question: how does brute force key search work? ("Joseph Ashwood")
  Re: National Security Nightmare? ("Jeffrey Walton")
  Re: PGP Weakness??? (Tom St Denis)
  Re: Question about credit card number ("Jeffrey Walton")
  Re: question: how does brute force key search work? (David Wagner)
  Re: National Security Nightmare? (Paul Rubin)
  Re: question: how does brute force key search work? ("Dave Rudolf")
  Re: Question about credit card number (those who know me have no need of my name)
  And the FBI, too (Re: National Security Nightmare?) (Matthew Montchalin)
  Re: National Security Nightmare? (Matthew Montchalin)
  Re: Stream Cipher combiners ("Scott Fluhrer")
  Re: Good crypto or just good enough? ("Scott Fluhrer")
  Re: differential oddity ("Niels Ferguson")
  Re: Best, Strongest Algorithm (David Hopwood)
  Re: "computationally impossible" and cryptographic hashs ("Scott Fluhrer")
  Re: Is this a weakness in RSA key generation? (David Hopwood)
  Re: And the FBI, too (Re: National Security Nightmare?) (Paul Rubin)
  Re: Medical data confidentiality on network comms (wtshaw)
  Re: differential oddity ("Tom St Denis")
  Re: Stream Cipher combiners ("Tom St Denis")
  Re: Best, Strongest Algorithm (SCOTT19U.ZIP_GUY)
  Re: Stream Cipher combiners (John Savard)

----------------------------------------------------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: question: how does brute force key search work?
Date: Wed, 30 May 2001 15:40:56 -0700

Well, it's really fairly simple: you throw everything you can at it; if you
can get your fax machine to process some, it can help. Right now the record
stands at about 22 hours; that break involved a custom machine running in
parallel with a very large network of computers using spare cycles.

The time it will take on average can be computed fairly easily. 2^55 is
36028797018963968; just find out how fast a specific machine works on DES,
call the value K, and it will take 2^55/K time to complete on average. You
can also sum all the Ks in a network to give the reduced time as 2^55/sum(K).
                                    Joe

"Peter Schurman" <[EMAIL PROTECTED]> wrote in message
news:3b156e4f$0$27410@reader4...
> Hi,
>
> I am interested in what it takes to calculate a 56-bit DES key using brute
> force search.
> How long does it take and how many PCs should be used in that case?
> Theoretically it takes a few years I guess, but there must be another way?
>
> Thanks in advance,
>
> Peter.
>
>
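The search Ashwood is describing, as an added example that is not part of the original post or of any real DES cracker. It is Python, and a hypothetical 16-bit-key toy cipher stands in for DES so that the whole key space runs in a fraction of a second; the secret key, the two known plaintext/ciphertext pairs and the machine rates in the demo are constructed values. The structure is what matters: a known-plaintext test per key, the key space split into disjoint slices for the workers, a second known pair to reject false positives (needed once the key space is comparable to the block space, as with DES's 56-bit key and 64-bit block), and Ashwood's 2^(n-1)/sum(K) estimate.

```python
"""Added example (not from the digest): how a brute-force key search is
organised.  The cipher is a hypothetical 16-bit-key toy so the whole key
space can be searched in well under a second; the structure of the search
(known-plaintext test, key space split across workers, confirmation of a
candidate on a second pair, expected-time estimate) is the same one a DES
cracker uses at 2^56."""
from typing import Iterable, List, Optional, Tuple

KEY_BITS = 16            # toy key size; DES would be 56
MASK32 = 0xFFFFFFFF


def toy_encrypt(key: int, block: int) -> int:
    """Hypothetical 32-bit block cipher with a 16-bit key.  NOT secure;
    it only has to be deterministic and reasonably mixing."""
    x = block & MASK32
    for r in range(4):
        subkey = ((key + r) * 0x9E3779B1 + 0x7F4A7C15) & MASK32
        x ^= subkey
        x = ((x << 7) | (x >> 25)) & MASK32   # rotate left by 7
        x = (x * 0x01000193) & MASK32          # odd multiplier: a bijection mod 2^32
    return x


def worker_slice(worker_id: int, n_workers: int, key_bits: int = KEY_BITS) -> range:
    """Contiguous, disjoint slice of the key space for one worker."""
    total = 1 << key_bits
    per_worker = -(-total // n_workers)        # ceiling division
    return range(worker_id * per_worker, min(total, (worker_id + 1) * per_worker))


def search_slice(keys: Iterable[int], pairs: List[Tuple[int, int]]) -> Tuple[Optional[int], int]:
    """Test every key in `keys` against the first known (plaintext, ciphertext)
    pair; survivors are confirmed on the remaining pairs.  Returns
    (key or None, number of keys tried)."""
    pt0, ct0 = pairs[0]
    tried = 0
    for k in keys:
        tried += 1
        if toy_encrypt(k, pt0) != ct0:
            continue
        # One block does not pin down the key once the key space is close to
        # or larger than the block space (DES: 56-bit key, 64-bit block), so
        # a second known pair is used to reject false positives.
        if all(toy_encrypt(k, pt) == ct for pt, ct in pairs[1:]):
            return k, tried
    return None, tried


def brute_force(pairs: List[Tuple[int, int]], n_workers: int = 4,
                key_bits: int = KEY_BITS) -> Tuple[Optional[int], int]:
    """Run the workers' slices one after another (a real cracker runs them
    in parallel, so wall-clock time is that of the slowest slice, not the
    sum).  Returns (key or None, total keys tried)."""
    total_tried = 0
    for w in range(n_workers):
        key, tried = search_slice(worker_slice(w, n_workers, key_bits), pairs)
        total_tried += tried
        if key is not None:
            return key, total_tried
    return None, total_tried


def expected_seconds(key_bits: int, rates_per_second: Iterable[float]) -> float:
    """Ashwood's estimate: on average half the key space, 2^(n-1) trials,
    divided by the summed rate K of every machine on the job."""
    return float(2 ** (key_bits - 1)) / sum(rates_per_second)


if __name__ == "__main__":
    secret = 0xBEEF                                   # constructed: the key being attacked
    known = [(0x01234567, toy_encrypt(secret, 0x01234567)),
             (0x89ABCDEF, toy_encrypt(secret, 0x89ABCDEF))]
    key, tried = brute_force(known, n_workers=4)
    print(f"recovered key 0x{key:04X} after {tried} trials")
    # Hypothetical rates: one custom box at 1e11 keys/s plus 1000 PCs at 1e6 keys/s each.
    hours = expected_seconds(56, [1e11] + [1e6] * 1000) / 3600
    print(f"expected DES search at those rates: {hours:.1f} hours")
```

The count of keys tried is the point to watch: with the slices run one after another the demo tries every key below the secret, whereas with the slices run in parallel only the slowest slice's length counts, which is why summing the Ks is the right model for the network case.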



------------------------------

Reply-To: "Jeffrey Walton" <[EMAIL PROTECTED]>
From: "Jeffrey Walton" <[EMAIL PROTECTED]>
Subject: Re: National Security Nightmare?
Date: Wed, 30 May 2001 20:08:39 -0400

That is a funny point.  The design of their badge is probably
classified.

I think their charter is still classified.  Can anyone comment?  I read
a newspaper report that because of the secret charter, the NSA felt it
was good business to spy on US citizens (which is in the FBI's
province).  Seems they stepped on some toes over it.

Jeff

"Sam Yorko" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
: Tom St Denis wrote:
: >
: > Sam Yorko wrote:
: > >
: > > JPeschel wrote:
: > > >
: > > > Hmmm... my brother-in-law at Ft Meade sent me this one.
: > > >
: > > > http://cbsnews.com/now/story/0,1597,266857-412,00.shtml
: > > >
: > > > Joe
: > > > __________________________________________
: > > >
: > > > Joe Peschel
: > > > D.O.E. SysWorks
: > > > http://members.aol.com/jpeschel/index.htm
: > > > __________________________________________
: > >
: > > I've been wondering: if someone claims to be from the NSA, how can you
: > > verify that?  I don't think it's possible.
: >
: > I dunno, but I think for the most part you are not required to deny you
: > work for the NSA.  Even if they did/do work for the NSA what does that
: > mean?  They could just be secretaries or file clerks.  They are not
: > really the 007 clone ...
: >
: > Tom
:
: I guess what I really meant is if someone confronted me with an NSA
: badge, how in the world could I verify this?  What does a real NSA badge
: look like?  Who could I call to verify he was who he said he was?
: (social engineering, and all).
:
: Sam



------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: PGP Weakness???
Date: Thu, 31 May 2001 00:07:43 GMT

Dave Rudolf wrote:
> 
> Hi all.
> 
> I heard mumbling rumours of a flaw in the PGP algorithm that reduces its
> analysis time. I have found stuff about implementation/platform security
> holes, etc., but nothing about the pure algorithm. Has anyone else seen or
> heard anything about this?

Where did you hear about these flaws?  Or are you some misinformed
induhvidual who read some IT buzzwords?

There was the ADK problem but it was quickly fixed and apparently no
keys on the public server were affected.

What is "the pure algorithm"?

Tom

------------------------------

Reply-To: "Jeffrey Walton" <[EMAIL PROTECTED]>
From: "Jeffrey Walton" <[EMAIL PROTECTED]>
Subject: Re: Question about credit card number
Date: Wed, 30 May 2001 20:11:35 -0400

http://www.thebee.com/bweb/iinfo189.htm

"Chenghuai Lu" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
: I have some questions below.
:
: Most of the commercial websites keep the customers' credit card numbers
: in their database.
:
: Does anyone know how they store the credit card numbers in their
: database?
: Are they stored in encrypted form, or just in plaintext?
:
: There are some websites being hacked, and the credit card numbers are
: stolen by hackers.
:
: How can the hackers get the credit card numbers if they are encrypted?
:
: Thanks.
:
: Lu
:
: --
:
: -Chenghuai Lu ([EMAIL PROTECTED])



------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: question: how does brute force key search work?
Date: Thu, 31 May 2001 00:12:53 +0000 (UTC)

Peter Schurman wrote:
>I am interested in what it takes to calculate a 56 bits DES key using brute
>force search.

Please see the book titled _Cracking DES_ for more information
than you ever wanted to know (maybe).

------------------------------

From: Paul Rubin <[EMAIL PROTECTED]>
Subject: Re: National Security Nightmare?
Date: 30 May 2001 17:19:04 -0700

"Jeffrey Walton" <[EMAIL PROTECTED]> writes:
> That is a funny point.  The design of their badge is probably
> classified.
> 
> I think their charter is still classified.  Can anyone comment?  I read
> a newspaper report that because of the secret charter, the NSA felt it
> was good business to spy on US citizens (which is in the FBI's
> province).  Seems they stepped on some toes over it.

I recommend James Bamford's new book "Body of Secrets" for more than
you wanted to know about this.

------------------------------

From: "Dave Rudolf" <[EMAIL PROTECTED]>
Subject: Re: question: how does brute force key search work?
Date: Thu, 31 May 2001 01:10:57 GMT

This may also be some good reading for you. It's not at all technical, but
gives you an idea of what can be done with a lot of machines:
http://www.eff.org/pub/Privacy/Crypto_misc/DESCracker/HTML/19990119_deschallenge3.html



======================
www.daverudolf.ca



"Peter Schurman" <[EMAIL PROTECTED]> wrote in message
news:3b156e4f$0$27410@reader4...
> Hi,
>
> I am interested in what it takes to calculate a 56-bit DES key using brute
> force search.
> How long does it take and how many PCs should be used in that case?
> Theoretically it takes a few years I guess, but there must be another way?
>
> Thanks in advance,
>
> Peter.
>
>



------------------------------

From: those who know me have no need of my name <[EMAIL PROTECTED]>
Subject: Re: Question about credit card number
Date: 31 May 2001 00:44:07 GMT

<[EMAIL PROTECTED]> divulged:

>Does anyone know how they store the credit card numbers in their
>database? 
>Are they stored in encrypted form, or just in plaintext? 
>
>There are some websites being hacked, and the credit card numbers are
>stolen by hackers. 
>
>How can the hackers get the credit card numbers if they are encrypted?

you seem to have answered your own question.

-- 
okay, have a sig then

------------------------------

From: Matthew Montchalin <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto,us.misc
Subject: And the FBI, too (Re: National Security Nightmare?)
Date: Wed, 30 May 2001 18:39:54 -0700

On Wed, 30 May 2001, Sam Yorko wrote:
|I guess what I really meant is if someone confronted me with an NSA
|badge, how in the world could I verify this?  What does a real NSA
|badge look like?  Who could I call to verify he was how he said he
|was? (social engineering, and all).

A similar question arises concerning the forms and papers that
are used in hiring FBI agents, and when they need to be transferred
from one part of the country to the next.  What does a typical
order look like, in terms of paper size, stamp or imprint or water
seal, and so on?  Now that we have entered the digital age, and some
transfers are probably made electronically, how does one branch of
the department check to make sure an agent is actually the proper
person being transferred?

I can think of at least two foreign powers that would find this
sort of information very interesting.


------------------------------

From: Matthew Montchalin <[EMAIL PROTECTED]>
Crossposted-To: us.misc
Subject: Re: National Security Nightmare?
Date: Wed, 30 May 2001 18:43:34 -0700

On 30 May 2001, Paul Rubin wrote:
|"Jeffrey Walton" <[EMAIL PROTECTED]> writes:
|> That is a funny point.  The design of their badge is probably
|> classified.
|> 
|> I think their charter is still classified.  Can anyone comment?
|> I read a newspaper report that because of the secret charter, the
|> NSA felt it was good business to spy on US citizens (which is in
|> the FBI's province).  Seems they stepped on some toes over it.
|
|I recommend James Bamford's new book "Body of Secrets" for more than
|you wanted to know about this.

Thanks for the recommendation.


------------------------------

From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Subject: Re: Stream Cipher combiners
Date: Wed, 30 May 2001 18:43:49 -0700


Tom St Denis <[EMAIL PROTECTED]> wrote in message
news:2dWQ6.77254$[EMAIL PROTECTED]...
>
> "David Wagner" <[EMAIL PROTECTED]> wrote in message
> news:9f16n3$2c1h$[EMAIL PROTECTED]...
> > Tom St Denis wrote:
> > >[...] GF(p^k)/p(x) [...]
> >
> > That's meaningless, too, as far as I can tell.
> > Did you mean (Z/qZ)[x]/(p(x))?
> > (This is isomorphic to GF(q^k) when q is prime,
> > the polynomial p is irreducible over Z/qZ, and deg p = k.)
>
> What the world needs is smarter Toms or better notation.

I vote for smarter Toms...

;-)

--
poncho




------------------------------

From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Subject: Re: Good crypto or just good enough?
Date: Wed, 30 May 2001 18:53:10 -0700


David Wagner <[EMAIL PROTECTED]> wrote in message
news:9f0n43$1rh5$[EMAIL PROTECTED]...
> Scott Fluhrer wrote:
> >[1] Actually, that's obviously true of 3DES in EEE mode.  It's almost
> >certainly true of the more common EDE mode, although a proof of that eludes
> >me at the moment.
>
> I believe the proof that the set of 2^56 DES keys generates a large
> subgroup of S_{2^56} actually also shows that the set of 2^56 DES
> keys along with their 2^56 inverses also generates a large subgroup of
> S_{2^56}.  (This is because the proof used cycling properties of weak
> keys, which are self-inverse.)  Shouldn't this suffice to show that the
> set of 3DES-EDE permutations is a strict superset of the set of DES keys
> and their inverses?  Maybe I missed something.

Nope -- that proves it.  In particular, given that there are two generators
g_a and g_b such that (g_a g_b^{-1}) has a large order (and in particular,
larger than the total number of generators), then there must be a triplet
(g_1 g_2^{-1} g_3) that is not one of the generators.  Since that assumption
is precisely what was proved for DES (for g_a, g_b being two weak keys),
that proves that EDE 3DES has > 2^{56} possible permutations.

--
poncho
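Writing out the step Fluhrer's reply relies on, as an added note that is not part of the original post, in the thread's own notation. Let G be the set of 2^56 single-DES permutations, and let g_a, g_b in G be such that h = g_a g_b^{-1} has order m > |G| = 2^56 (for the two weak keys g_b is an involution, so h is just g_a g_b). Suppose, for contradiction, that every EDE product g_1 g_2^{-1} g_3 with g_1, g_2, g_3 in G again lies in G. Then

    h g_a = g_a g_b^{-1} g_a

is such a product, so it lies in G; and whenever h^i g_a lies in G,

    h^{i+1} g_a = g_a g_b^{-1} (h^i g_a)

is again of the form g_1 g_2^{-1} g_3 with g_3 = h^i g_a in G, so it lies in G too. By induction h^i g_a is in G for every i >= 0. These elements are pairwise distinct for 0 <= i < m, because h^i g_a = h^j g_a forces h^{i-j} = identity, i.e. i = j (mod m). That puts m > 2^56 distinct elements inside G, which has only 2^56: a contradiction. So at least one EDE triple is not a single-DES permutation, and since every single-DES permutation is trivially an EDE triple (take k1 = k2, then E_{k1} D_{k1} E_{k3} = E_{k3}), the EDE set is a strict superset of G with more than 2^56 members. Note the limit of the argument: h^2 g_a and beyond are products of five or more DES operations, not EDE triples, so this shows the EDE set is strictly larger than G and nothing about how much larger.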




------------------------------

From: "Niels Ferguson" <[EMAIL PROTECTED]>
Subject: Re: differential oddity
Date: Thu, 31 May 2001 04:11:17 +0200

"Tom St Denis" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Here's a neat question.  In a finite function that has differentials
> (input/output xor pairs) of probability one is a standard differential
> attack possible?

It is hard to do a key-recovery attack on a block cipher using a
differential with probability 1. As you mention, you can distinguish the
cipher from a perfect one with ease. However, you cannot test keys for the
last round, as usually they all have the prob. 1 differential and therefore
the differential provides no help in distinguishing the correct round key
from the incorrect ones.

Using the prob. 1 differential through part of the cipher in a boomerang
attack doesn't work either. The prob. 1 differential forces itself all the
way through the cipher and destroys the properties that allow key-recovery.

In general I don't worry about this. A cipher that is that bad isn't worth
spending too much time on.

Note that Akelarre has prob. 1 differentials that were used in an attack.
Here they were helpful as the input and output whitening provided the handle
to do the key-recovery. Our paper "Cryptanalysis of Akelarre" is available
on my web site http://niels.ferguson.net/. There is another paper with a
better attack on Akelarre:

L.R. Knudsen, V. Rijmen, ``Two rights sometimes make a wrong,'' Proceedings
of the SAC'97 workshop, 1997, pp. 213-223.

for which I don't have a URL at hand.

Cheers!

Niels

=======================
Niels Ferguson,  email: niels at ferguson dot net.


------------------------------

Date: Thu, 31 May 2001 00:38:53 +0100
From: David Hopwood <[EMAIL PROTECTED]>
Subject: Re: Best, Strongest Algorithm

=====BEGIN PGP SIGNED MESSAGE=====

"SCOTT19U.ZIP_GUY" wrote:
> [EMAIL PROTECTED] (Benjamin Goldberg) wrote in
> <[EMAIL PROTECTED]>:
> >Tim Tyler wrote:
> >> "Most types of padding used in association with modern cyphers result
> >>  in a non-bijective map between the space of possible plaintexts and
> >>  the space of possible cyphertexts."
> >
> >And how is a bijective map an advantage in this case?  Doesn't it imply
> >that two identical plaintexts enciphered under the same key will result
> >in the exact same ciphertexts?
> 
>    Unless one is talking about the adding of random info, the encryption
> program would result in the same exact ciphertext if the exact same
> plaintext is used with the same key. This should happen in any crypto
> program that doesn't use random data.

But any sensibly designed encryption program *should* use random data
(either in the form of an IV, or salt, or a nonce for a public key-based
protocol).

It's not quite impossible to achieve semantic security without using random
data (you could use the current time as a salt, for instance, or other data
that is unlikely to repeat), but using random data is usually the easiest
and most robust approach.

- -- 
David Hopwood <[EMAIL PROTECTED]>

Home page & PGP public key: http://www.users.zetnet.co.uk/hopwood/
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5  0F 69 8C D4 FA 66 15 01
Nothing in this message is intended to be legally binding. If I revoke a
public key but refuse to specify why, it is because the private key has been
seized under the Regulation of Investigatory Powers Act; see www.fipr.org/rip


=====BEGIN PGP SIGNATURE=====
Version: 2.6.3i
Charset: noconv

iQEVAwUBOxV+8TkCAxeYt5gVAQF4rQgAv+EhuMSMWlNCngow90rL7ZBXfACg5W5I
5IBY9tMAdGlSgERilrv+RdJTH5Xyh4plQAOeo2wLg1Ph6bND6nVjsoX993skIfsc
5nPBU0/dCem61RedBoNW7S6EyUeGjUiA/pThU8nikWsVt5L/r8bJuPeUkGXm539+
JEMS2RdJsrOJ6pHV4wH64c/rJnKlZVmLo51vd+IhloXt1J+D6d/w8P46Y3og8eg+
+epsFZi5WjRZoEY63eKQ+mpC9fGAI2a/KFQFkRLd8g57seY2dOOrpqya72vWtDAP
GgSk00kgw4HHC/8xrvP/XXzsHEdZljczBLFp/ahyEnHQVDsc2bMomg==
=ESUu
=====END PGP SIGNATURE=====
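What Hopwood's point about random data looks like in practice, as an added example that is not part of the original post: a deterministic (bijective) encryptor lets a passive observer see which messages are equal, a fresh random nonce per message removes that, and reusing the nonce brings back a worse leak. The keystream is built with HMAC-SHA256 in counter mode purely so the example needs only the Python standard library; it is a demonstration construction, not a recommended cipher, and the key, nonce length and sample messages are assumptions of the example.

```python
"""Added example (not from the digest): why a deterministic encryption
program leaks, and what the random data buys you.  The keystream is built
with HMAC-SHA256 over (nonce, counter); this is a demonstration construction
chosen so the example needs only the standard library, not a recommended
cipher.  Key, nonce size and messages are assumptions of the example."""
import hmac
import hashlib
import os

NONCE_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: block i = HMAC(key, nonce || i)."""
    out = bytearray()
    i = 0
    while len(out) < length:
        out += hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        i += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_with_nonce(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Ciphertext is nonce || (plaintext XOR keystream)."""
    return nonce + xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    return xor_bytes(body, keystream(key, nonce, len(body)))


def encrypt_deterministic(key: bytes, plaintext: bytes) -> bytes:
    """Bijective, no random data: same key + same plaintext -> same ciphertext."""
    return encrypt_with_nonce(key, bytes(NONCE_LEN), plaintext)


def encrypt_randomized(key: bytes, plaintext: bytes) -> bytes:
    """Fresh random nonce per message (the IV/salt/nonce Hopwood refers to)."""
    return encrypt_with_nonce(key, os.urandom(NONCE_LEN), plaintext)


def equal_ciphertext_pairs(encrypt, key: bytes, messages) -> list:
    """What a passive observer learns: which messages (by index) produced
    identical ciphertexts.  For a deterministic scheme that is exactly
    which plaintexts are equal."""
    cts = [encrypt(key, m) for m in messages]
    return [(i, j) for i in range(len(cts))
            for j in range(i + 1, len(cts)) if cts[i] == cts[j]]


def nonce_reuse_leak(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bytes:
    """The caveat that goes with a nonce: reuse it and c1 XOR c2 = p1 XOR p2,
    so the observer recovers the XOR of the plaintexts without the key."""
    c1 = encrypt_with_nonce(key, nonce, p1)[NONCE_LEN:]
    c2 = encrypt_with_nonce(key, nonce, p2)[NONCE_LEN:]
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    key = hashlib.sha256(b"example key, an assumption of this demo").digest()
    msgs = [b"SELL", b"BUY ", b"SELL", b"HOLD"]   # constructed sample traffic
    print("deterministic, equal pairs seen:", equal_ciphertext_pairs(encrypt_deterministic, key, msgs))
    print("randomized, equal pairs seen:   ", equal_ciphertext_pairs(encrypt_randomized, key, msgs))
    print("nonce reuse gives p1^p2:", nonce_reuse_leak(key, b"\x01" * NONCE_LEN, b"attack", b"defend"))
```

The deterministic run reports the pair of indices whose plaintexts matched; the randomized run reports none. The last line is why "unlikely to repeat" is the operative phrase in Hopwood's remark about using the time as a salt: for a stream construction like this one a repeated nonce hands the observer the XOR of the two plaintexts.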

------------------------------

From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Subject: Re: "computationally impossible" and cryptographic hashs
Date: Wed, 30 May 2001 19:00:53 -0700


Dj Le Dave <[EMAIL PROTECTED]> wrote in message
news:GedR6.7654$[EMAIL PROTECTED]...
> "Scott Fluhrer" <[EMAIL PROTECTED]> wrote in message
> news:9f1m3u$dr1$[EMAIL PROTECTED]...
> >
> > Dj Le Dave <[EMAIL PROTECTED]> wrote in message
> > news:yJYQ6.7617$[EMAIL PROTECTED]...
> > > Related to this, I always wondered why UNIX (and other such systems)
> > > bother to hash at all. Could they not just "encrypt" the entire
> > > password, so to speak? Break it up into 56-bit blocks (or whatever) and
> > > perform the hash independently on each block, then concat. all the
> > > output together to form the password file entry. This way, an attacker
> > > would essentially have to do a plaintext-ciphertext attack on each block
> > > to get the whole password. Thus, if the password is X bits long, then
> > > the attacker would have to brute-force all X bits (well, except for
> > > dictionary attacks, etc.). And, we don't run into the birthday-paradox,
> > > as DES is a one-to-one function. At any rate, it seems to me that we
> > > gain quite a bit of security at the cost of a little disk space.
> >
> >
> > If you encrypt, what key do you use?  If the attacker figured it out
> > (using whatever means), he could take the password file, and decrypt it,
> > giving him all the passwords.
> >
> > --
> > poncho
> >
>
> Sorry, I didn't mean to literally encrypt, but to use the multi-DES "hash"
> (which is really just a one-to-one function) and hash each block of the
> password. In crypt(), the hash is done by iterating DES on the plaintext
> 0x0000.... and using the password to form the key for these DES
> operations. The key is 56-bit, regardless of the size of the password. I
> merely submit that we use the whole password by breaking it up into 56-bit
> chunks and using each chunk as a key for a separate DES encryption.

In that case, your statement:

> > > we don't run into the birthday-paradox, as DES is a one-to-one
> > > function.

is invalid, because DES (to the best of anyone's knowledge) does not prevent
different keys from encrypting the same plaintext block to the same
ciphertext block.

--
poncho





------------------------------

Date: Thu, 31 May 2001 00:43:51 +0100
From: David Hopwood <[EMAIL PROTECTED]>
Subject: Re: Is this a weakness in RSA key generation?

=====BEGIN PGP SIGNED MESSAGE=====

Mark Borgerding wrote:
> I found that pgp 2.6.2 may sometimes generate a private exponent n
> that does not entirely match the RSA spec (as I know it)
> 
> An RSA private exponent d
> 1) d*e = 1 , mod (p-1)*(q-1)

That is indeed how it was stated in the original RSA paper:

  Ron Rivest, Adi Shamir, Leonard Adleman,
  "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems,"
  MIT Laboratory for Computer Science and Department of Mathematics.
  Communications of the ACM, February 1978, Volume 21, Number 2, pp. 120-126.
  http://theory.lcs.mit.edu/~rivest/rsapaper.ps or
  http://citeseer.nj.nec.com/rivest78method.html

However, it's sufficient that d*e = 1 (mod lcm(p-1, q-1)).

> which implies
> 2) d*e = 1 , mod (p-1)
> 3) d*e = 1 , mod (q-1)

2) and 3) <=> d*e = 1 (mod lcm(p-1, q-1)).

> pgp seems to occasionally generate a key that satisfies 2&3, but not 1.
> I know that stmt #1 implies 2&3, but the reverse is not true.
> 
> My question is: is this something to worry about?  What effect would
> this have on security of the key.

No, and none whatsoever.

- -- 
David Hopwood <[EMAIL PROTECTED]>

Home page & PGP public key: http://www.users.zetnet.co.uk/hopwood/
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5  0F 69 8C D4 FA 66 15 01
Nothing in this message is intended to be legally binding. If I revoke a
public key but refuse to specify why, it is because the private key has been
seized under the Regulation of Investigatory Powers Act; see www.fipr.org/rip


=====BEGIN PGP SIGNATURE=====
Version: 2.6.3i
Charset: noconv

iQEVAwUBOxWFjDkCAxeYt5gVAQEVpAgAjLvh/Jk6u1j4bjwAmI842zHzJ2v1EWpC
NB6oAN+1BY5Cpa1jFiy9TaudkKZ3aLaWyT2WX+eFEHzt7k2jffYr62LMX88qhYRh
K0zD3lzYgRudkSjeB2bxtcauq2AdfNQJ6KSH6F/NDX0b32AEyY+shwILR2Z+6MDY
1417sPJiOQrJIH58eeHveQqEifdUpVFYwxRKbI7vzn8tMEyeLl8ZuUFJgO+j5MWf
s7nfI/F7jTGP8Z6NXGIqoD7fy1VU4QCdoCyL5C49DGBH8WdEWR/TulNm9kwGK72r
ic2B3cepj0CJhCepFzpLHh4oACPArz5+U0+2ayfGvyDGlrZILr7BUQ==
=C12t
=====END PGP SIGNATURE=====
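The situation Mark describes and Hopwood's answer, as an added example that is not part of the original post: the same modulus with d computed modulo (p-1)(q-1) and modulo lcm(p-1, q-1). The primes are toy-sized hypothetical values picked so that p-1 and q-1 share a large factor, which is the case in which the two exponents actually differ; the message samples are constructed. The lambda-based d satisfies Mark's conditions 2 and 3 but not 1, exactly like the PGP key he saw, and still inverts e on every message, because Fermat's little theorem only needs e*d = 1 (mod p-1) and (mod q-1) in each prime factor.

```python
"""Added example (not from the digest): the key Mark describes, with d
computed modulo lcm(p-1, q-1) rather than (p-1)(q-1), decrypts exactly as
well as the "textbook" one.  The primes are toy-sized hypothetical values
(chosen so that p-1 and q-1 share a large factor, which is when the two
exponents actually differ); nothing here is a usable key."""
from math import gcd

P, Q, E = 2311, 4621, 65537      # hypothetical toy primes; p-1 = 2310, q-1 = 2*2310


def lcm(a: int, b: int) -> int:
    return a // gcd(a, b) * b


def private_exponents(p: int, q: int, e: int):
    """Return (d_phi, d_lambda): e inverted mod phi(n) = (p-1)(q-1) and
    mod lambda(n) = lcm(p-1, q-1).  Both are valid RSA private exponents."""
    phi = (p - 1) * (q - 1)
    lam = lcm(p - 1, q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    return pow(e, -1, phi), pow(e, -1, lam)


def spec_checks(e: int, d: int, p: int, q: int):
    """Mark's three conditions as booleans:
    (1) e*d = 1 mod (p-1)(q-1), (2) e*d = 1 mod (p-1), (3) e*d = 1 mod (q-1)."""
    return ((e * d) % ((p - 1) * (q - 1)) == 1,
            (e * d) % (p - 1) == 1,
            (e * d) % (q - 1) == 1)


def roundtrip_ok(p: int, q: int, e: int, d: int) -> bool:
    """Check m -> m^e -> (m^e)^d == m (mod n) on a spread of messages, including
    the ones a bad exponent would trip on: 0, 1, n-1 and multiples of p or q."""
    n = p * q
    samples = [0, 1, 2, n - 1, p, q, 3 * p, 7 * q, 123456, n // 2]
    return all(pow(pow(m, e, n), d, n) == m % n for m in samples)


if __name__ == "__main__":
    d_phi, d_lam = private_exponents(P, Q, E)
    print("d mod phi   :", d_phi, spec_checks(E, d_phi, P, Q), roundtrip_ok(P, Q, E, d_phi))
    print("d mod lambda:", d_lam, spec_checks(E, d_lam, P, Q), roundtrip_ok(P, Q, E, d_lam))
```

With these primes lcm(p-1, q-1) = 4620 while (p-1)(q-1) = 10672200, so the lambda exponent is far smaller than the phi exponent; both decrypt correctly, and the smaller one is simply the smallest positive d that works for this modulus.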

------------------------------

From: Paul Rubin <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: And the FBI, too (Re: National Security Nightmare?)
Date: 30 May 2001 19:21:12 -0700

Matthew Montchalin <[EMAIL PROTECTED]> writes:
> On Wed, 30 May 2001, Sam Yorko wrote:
> |I guess what I really meant is if someone confronted me with an NSA
> |badge, how in the world could I verify this?  What does a real NSA
> |badge look like?  Who could I call to verify he was how he said he
> |was? (social engineering, and all).
> 
> A similar question arises concerning the forms and papers that
> are used in hiring FBI agents, and when they need to be transfered
> from one part of the country to the next.  What does a typical
> order look like, in terms of paper size, stamp or imprint or water
> seal, and so on.  Now that we have entered the digital age, and some
> transfers are probably made electronically, how does one branch of
> the department check to make sure an agent is actually the proper
> person being transfered?

I don't think "NSA agents" are likely to show anyone badges to start
questioning them.

If someone showed me a badge and claimed to be an FBI agent and wanted
some info from me, I suppose I'd call the local FBI office and ask them
to confirm the person's credentials before talking to them.

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Crossposted-To: comp.security.misc
Subject: Re: Medical data confidentiality on network comms
Date: Wed, 30 May 2001 20:13:41 -0600

In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (Larry Kilgallen) wrote:
> 
> It depends on what you mean by "very difficult".  If they want it
> on computer media, they would have to attach a drive to the workstation
> they use to access the data.  The would also have to break into the
> application that presents the results to them on that workstation.
> 
> Of course if an organization tries to take stock Microsoft machines
> and uses file transfer to deliver results to them, all bets are off,
> but organizations that take no precautions in this regard are not
> worth discussing.  

Poetic justice would be having Gates need emergency medical care, be
hooked up to equipment powered by Windoze, and having it unexpectedly
crash.  Decision making techfolk should think of the serious implications
of bad designs when what goes around comes around.
-- 
Sign for the White House lawn: 

WARNING! Irresponsible Parents Live Here.

------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: differential oddity
Date: Thu, 31 May 2001 02:34:55 GMT


"Niels Ferguson" <[EMAIL PROTECTED]> wrote in message
news:9f4962$5lq$[EMAIL PROTECTED]...
> "Tom St Denis" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > Here's a neat question.  In a finite function that has differentials
> > (input/output xor pairs) of probability one is a standard differential
> > attack possible?
>
> It is hard to do a key-recovery attack on a block cipher using a
> differential with probability 1. As you mention, you can distinguish the
> cipher from a perfect one with ease. However, you cannot test keys for the
> last round, as usually they all have the prob. 1 differential and
> therefore the differential provides no help in distinguishing the correct
> round key from the incorrect ones.
>
> Using the prob. 1 differential through part of the cipher in a boomerang
> attack doesn't work either. The prob. 1 differential forces itself all the
> way through the cipher and destroys the properties that allow key-recovery.
>
> In general I don't worry about this. A cipher that is that bad isn't worth
> spending too much time on.

Ah notice that ciphers based on decorrelation theory (pair-wise) in
GF(2^n)[2]/p(x) have prob 1 differentials yet don't emit a known difference
with prob 1.  I am just seeing if there is a connection here... i.e prob 1
differentials don't have to be a bad thing.

> Note that Akelarre has prob. 1 differentials that were used in an attack.
> Here they were helpful as the input and output whitening provided the
> handle to do the key-recovery. Our paper "Cryptanalysis of Akelarre" is
> available on my web site http://niels.ferguson.net/. There is another
> paper with a better attack on Akelarre:

Thanks.  I remember skimming through your paper (you did that with the
Counterpane team, right?) a while back... I will give it a serious read
tomorrow (it's late right now).

> L.R. Knudsen, V. Rijmen, ``Two rights sometimes make a wrong,''
> Proceedings of the SAC'97 workshop, 1997, pp. 213-223.

Hmm, well perhaps I will order the proceedings...

Tom



------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Stream Cipher combiners
Date: Thu, 31 May 2001 02:37:36 GMT


"Scott Fluhrer" <[EMAIL PROTECTED]> wrote in message
news:9f48cp$9dv$[EMAIL PROTECTED]...
>
> Tom St Denis <[EMAIL PROTECTED]> wrote in message
> news:2dWQ6.77254$[EMAIL PROTECTED]...
> >
> > "David Wagner" <[EMAIL PROTECTED]> wrote in message
> > news:9f16n3$2c1h$[EMAIL PROTECTED]...
> > > Tom St Denis wrote:
> > > >[...] GF(p^k)/p(x) [...]
> > >
> > > That's meaningless, too, as far as I can tell.
> > > Did you mean (Z/qZ)[x]/(p(x))?
> > > (This is isomorphic to GF(q^k) when q is prime,
> > > the polynomial p is irreducible over Z/qZ, and deg p = k.)
> >
> > What the world needs is smarter Toms or better notation.
>
> I vote for smarter Toms...
>
> ;-)

Somehow I thought people would.  hehehe.  Well I'm trying.

BTW did I finally get it right?  i.e the multiplicative subgroup is Z*/nZ
all (modulo n)...? or is it just Z/nZ

arrg..

Tom



------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Best, Strongest Algorithm
Date: 31 May 2001 02:36:02 GMT

[EMAIL PROTECTED] (David Hopwood) wrote in
<[EMAIL PROTECTED]>: 

>-----BEGIN PGP SIGNED MESSAGE-----
>
>"SCOTT19U.ZIP_GUY" wrote:
>> [EMAIL PROTECTED] (Benjamin Goldberg) wrote in
>> <[EMAIL PROTECTED]>:
>> >Tim Tyler wrote:
>> >> "Most types of padding used in association with modern cyphers result
>> >>  in a non-bijective map between the space of possible plaintexts
>> >>  and the space of possible cyphertexts."
>> >
>> >And how is a bijective map an advantage in this case?  Doesn't it
>> >imply that two identical plaintexts enciphered under the same key
>> >will result in the exact same ciphertexts?
>> 
>>    Unless one is talking about the adding of random info, the encryption
>> program would result in the same exact ciphertext if the exact same
>> plaintext is used with the same key. This should happen in any crypto
>> program that doesn't use random data.
>
>But any sensibly designed encryption program *should* use random data
>(either in the form of an IV, or salt, or a nonce for a public key-based
>protocol).

  Yes I can see random data in a public key encryption. Also in
scott16u or scott19u I allow the use of random data. But even
when one analyses RIJNDAEL you see how easy it breaks before
you attempt to plug the leaks with random data.

>
>It's not quite impossible to achieve semantic security without using
>random data (you could use the current time as a salt, for instance, or
>other data that is unlikely to repeat), but using random data is usually
>the easiest and most robust approach.

  Well current time is considered somewhat random if the attacker
doesn't know exactly at what time you did it. Unless your quantization
level for time is on the order of a day or two.


David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE "OLD VERSION"
        http://www.jim.com/jamesd/Kong/scott19u.zip
My website http://members.nbci.com/ecil/index.htm
My crypto code http://radiusnet.net/crypto/archive/scott/
MY Compression Page http://members.nbci.com/ecil/compress.htm
**NOTE FOR EMAIL drop the roman "five" ***
Disclaimer:I am in no way responsible for any of the statements
 made in the above text. For all I know I might be drugged or
 something..
 No I'm not paranoid. You all think I'm paranoid, don't you!


------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Stream Cipher combiners
Date: Thu, 31 May 2001 02:50:52 GMT

On Wed, 30 May 2001 07:49:17 GMT, Nigel Smart <[EMAIL PROTECTED]>
wrote, in part:

>There is a distinct confusion here between what Math people generally do 
>and what CS/Engineers do. Rather like sqrt(-1) being i or j depending
>on where you come from.  Neither is wrong/right, just a matter of taste....

Of course, where I come from, i, j, and k are three distinct numbers.
However, each of them behaves identically, so one can work with the
numbers of the form x+yj for x and y real, and they are isomorphic to
the complex numbers. (The same would be true of, say, (1/sqrt(2))*i +
1/2 j + 1/2 k as well. On which I can base a nice symmetrical
definition of the gamma function of a quaternion...)

John Savard
http://home.ecn.ab.ca/~jsavard/frhome.htm

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
