sci.crypt
Re: Please explain in simple terms -- key collision attack
Author: da5id65536
Date: Dec 21, 2006 20:05

As I wrote in my original posting, I didn't find a free copy of the
Biham paper in question.

I believe the relevant paper is titled, "How to Decrypt or Even
Substitute DES-Encrypted Messages in 2^28 Steps" in Information
Processing Letters 84, (2002) 117-124.

According to this paper

http://eprint.iacr.org/2002/159.pdf

by Loughran and Dowling, what the Biham paper proposes is exactly what
you wrote.

"Applying this to our attack, n=2^56 and it is only necessary to have
two collections of 2^28 ciphertexts to have a high probability of
finding a matching pair of ciphertexts."

If Loughran and Dowling correctly understood Biham, then your objection
should be taken up with Biham.

The gentleman asked what the attack was, and I did my best to answer
his question correctly.

David Sexton

Unruh wrote:
> "da5id65536@yahoo.com" <da5id65536@yahoo.com> writes:
>
>>It's really a kind of known-plaintext attack. Many types of files
>>always begin with some kind of header. Encrypt the header...
Re: RSA Performance
Author: Le Chaud Lapin
Date: Dec 21, 2006 19:02

Mike Amling wrote:
> Le Chad Lapin wrote:
>> So I would like to your insight on what I can expect on RSA performance
>> for specific parameters.
>>
>> I would like to take 8192 bytes of data, do a hash using MD5, and
>> encrypt the 128-bit hash using an exponent of 17 and moduli of both 512
>> bits and 1024 bits.
>
> For security, don't forget the padding (OAEP, SAEP+, etc.).
> For fastest verification, you may as well use public exponent 3.
> Don't forget to calculate d==e**-1 mod ((p-1)*(q-1)/gcd(p,q)), which
> should produce a smaller d than d==e**-1 mod phi(p*q).
> For faster signing, you could try different p and/or q until you get
> a smaller-than-usual d. There's only a percent or so speed improvement
> to be had, though.
> Are you sure RSA is going to be faster...
To Beale Screamer
Author: fiddle_flyer
Date: Dec 21, 2006 18:32

When opening freeme.exe I get the message: "Usage: FreeMe [-v]
protectedfile. Press to acknowledge error." Does anyone
know why it's not working? I'm running XP but have the backwards
compatibility option enabled.....

thanks,
thebaron
How would seriation weaken a digraphic cipher?
Author: r.e.s.
Date: Dec 21, 2006 17:44

When reading John Savard's webpages (very well-written, imo)
on some of the historical ciphers, I found this remark ...

While the seriation step is an essential part of some
fractionation ciphers [...], using it with a digraphic
cipher has been questioned, since it allows the
cryptanalyst to pretend he is dealing with simple
substitution with 26 homophones for each letter, and
therefore may make solution easier instead of harder.

at http://www.quadibloc.com/crypto/pp1321.htm .

I don't understand how seriation followed by digraphic
substitution relates to "simple substitution with 26
homophones for each letter". (Let's ignore that the "26"
should presumably be "25" for the ciphers discussed there.)
Anyone care to explain?
Key-based cryptographic modes
Author: Jeff Dege
Date: Dec 21, 2006 17:25

Block ciphers are generally used using one of the various cryptographic
modes. Electronic Code Book, Cipher Block Chaining, Cipher Feedback,
Output Feedback, etc.

Every one of these I've ever read about involved mixing the prior block or
a sequential constant with the plaintext, the ciphertext, or both.

I've not seen one that mixed the prior block with the key - so that each
block was encrypted with a different key. And I can think of no
particular reason that this would not work.

Have these been discussed in the literature? Are there any particular
reasons why they're not used? Less secure? Harder to prove secure?
Fashion?
Re: RSA Performance
Author: Le Chaud Lapin
Date: Dec 21, 2006 15:23

Carlos Moreno wrote:
> Le Chaud Lapin wrote:
>
> Hey hot rabbit!! Nice to recognize names from other newsgroups :-)

Hi Carlos.
>> Please tell me about these trucks.
> 2) Why not use a *standard* digital signature mechanism? They have
> been developed by brilliant and experienced cryptographers, and
> they have been tested and reviewed by the scientific community at
> large.

If you mean something like DSA, I have thought about it, but I wanted
to see what to expect with RSA. Using both DSA and RSA would
complicate my system, and there is the matter of the patent dispute....
Re: Intel Or AMD?
Author:
Date: Dec 21, 2006 13:23

Tony Hill wrote:
> Spoon wrote:
>
>> Tony Hill wrote:
>>
>>> As for Hyperthreading, at best it's a poor-mans excuse for dual-core
>>> that offers slight improvements in multithreaded performance. At
>>> worst it makes the system slower, which is why it's often disabled.
>>
>> Moreover, it's a security risk.
>>
>> http://www.daemonology.net/hyperthreading-considered-harmful/
>
> I remember reading about that security risk back when it first came
> out and thinking that the author was just being a jackass.

Perhaps you should tell all the people working on side-channel attacks
(such as Adi Shamir (the S in RSA), and Daniel Bernstein (timing attack
against AES)) that you consider their work to be worthless? ;-þ
Re: Can we all talk about the elephant in the room?
Author: vedaal
Date: Dec 21, 2006 11:18

David Eather wrote:
> LTP got me thinking about the nature of the problem and how there is no
> real fix.
>
> The problem is the posts of the criminal nature did not occur on
> sci.crypt. So we could have someone who has ID'ed himself, plays by the
> rules here, and then out of malice/spite/stupidity anonymously posts to
> a few other news groups the sort of trash that has caused this problem.
>
> back to square one.

but if it is known or suspected that one of the posters here did such
a thing,
and some sort of identity verification were required here,

then that poster could be traced,
(not, by you, me, or anyone here,)
but by law enforcement personnel who have the authority to obtain such
identifying information
from the third party certifier,
especially for a non-political universally acknowledged 'crime'
Re: Please explain in simple terms -- key collision attack
Author: Unruh
Date: Dec 21, 2006 10:47

"da5id65536@yahoo.com" <da5id65536@yahoo.com> writes:
>It's really a kind of known-plaintext attack. Many types of files
>always begin with some kind of header. Encrypt the header with many
>keys (enough for the Birthday Paradox to be significant). Then wait
>for one of the keys to be used. Apparently, in the 2002 paper I assume
>you refer to (I didn't find a free copy of it, but did find references
>to it), Biham proposes storing a header encrypted with 2 to the 28th
>different keys in order to attack plain DES with 56 bit keys.

This makes little sense unless there really are a huge number of different
keys out there.

The probability of hitting one of those keys for each external key is
2^{-28}. Since one has no guarantee that the external keys are all
different, the probability of hitting it once in n tries is
1-(1-2^{-28})^n = 1-exp(2^{-28}n). Thus n has to be at least 2^28 for this
to have any probability of success.
I.e., one would need 2^28 ~ 10^9 messages of the same header encrypted with
different keys for this to pay off once.
>David Sexton
Call for Papers: Workshop on Experimental Algorithms (WEA 2007)
Author: camil
Date: Dec 21, 2006 09:22

WEA 2007
6th International Workshop on Experimental Algorithms
http://www.dis.uniroma1.it/~wea07

June 6-9, 2007
School of Engineering
University of Rome "La Sapienza", Rome, Italy

SECOND CALL FOR PAPERS

--------------------------------------
SUBMISSION DEADLINE: January 20, 2007
--------------------------------------

GENERAL INFORMATION

WEA is an international forum for researchers in the area of
experimental evaluation and engineering of algorithms, as well as in
various aspects of computational optimization and its applications.

The preceding Workshops were held in Riga (Latvia, 2001), Ascona
(Switzerland, 2003), Angra dos Reis (Brazil, 2004), Santorini (Greece,
2005), and Menorca Island (Spain, 2006).

TOPICS OF INTEREST