Re: A basic cryptanalysis question
From: DSCOTT (daVvid_a_scott_at_email.com)
Date: 9 Jul 2003 14:23:29 GMT
email@example.com (Rick Wash) wrote in
>In article <h3LOa.3$Uz3.firstname.lastname@example.org>, RR wrote:
>> According to my limited understanding of cryptanalysis, Mallory can
>> only know that he has recovered a pX based on what it looks like. For
>> example, if p1 is "Hello World", then when Mallory sees that string
>> appear out of his attack, he assumes he's recovered the plaintext.
>> Is my understanding correct?
>Yes, but only for what is known as a ciphertext-only attack. In the
>real world, it usually isn't very difficult to find or guess very
>accurately a plaintext block. There are known headers, signatures, etc
>that make known plaintext fairly easy to come by. And when this
>happens, validating plaintext is much easier.
>> If so, then it follows that a brute-force attack is impossible if I do
>> this instead (where F is another symmetric cipher):
>> c1 = E(F(p1))
>I wouldn't say impossible, but slightly more difficult. You forgot to
>include the keys in your construction. Let's assume you did it right
>and used different, independent keys for E and F. (if you used the
>same or a derived key for F, then what you said is not true). With
>independent keys and a single known plaintext, you can build an
>encryption table for E and a decryption table for F and use a
>meet-in-the-middle strategy to recover the keys. This means that the
>work required to brute-force this construction is only that required to
>brute-force E and F independently, instead of together. This is a
>well-known meet in the middle attack on double encryption. This is why
>the world uses triple-DES (3DES) instead of just 2DES.
Though there are theorms that state you can't in general make a system
that is more secure than one of the ciphers done in series. You can
for example use different block sizes that could greatly add to the
confuseion. First forget the idea of c1 = E(F(p1)) since this implies
F() works on same block sizes as E(). You can use a bijective compression
on text P and than add bijective random rotation in result as the F().
Using this will satisfy your criterion that the attacker would always
be lookingat random single blocks when decoding E().
If that attacker has no idea of the bijective
compression function used he would have a very hard time trying to
break it even if E() is the identity function. Its not hard to consturct
such a function look at my second order bijective compression of english
text as an example. And use my DSC routines to do the random bijective
padding or rotation. Just slightly changing the table values and positions
in table are equivalent to using a large encryption key compared to what
is commonly considered safe. I think my code is a good starting place
for you to look at.
David A. Scott
-- My Crypto code http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott16u.zip http://www.jim.com/jamesd/Kong/scott19u.zip old version My Compression code http://bijective.dogma.net/ **TO EMAIL ME drop the roman "five" ** Disclaimer:I am in no way responsible for any of the statements made in the above text. For all I know I might be drugged. As a famous person once said "any cryptograhic system is only as strong as its weakest link"