Re: A basic cryptanalysis question

From: DSCOTT (daVvid_a_scott_at_email.com)
Date: 07/09/03 

Date: 9 Jul 2003 14:23:29 GMT

rwash@citi.umich.edu (Rick Wash) wrote in
<slrnbgn273.10o.rwash@elysium.citi.umich.edu>:

>In article <h3LOa.3$Uz3.2@news-server.bigpond.net.au>, RR wrote:
>> According to my limited understanding of cryptanalysis, Mallory can
>> only know that he has recovered a pX based on what it looks like. For
>> example, if p1 is "Hello World", then when Mallory sees that string
>> appear out of his attack, he assumes he's recovered the plaintext.
>>
>> Is my understanding correct?
>
>Yes, but only for what is known as a ciphertext-only attack. In the
>real world, it usually isn't very difficult to find or guess very
>accurately a plaintext block. There are known headers, signatures, etc
>that make known plaintext fairly easy to come by. And when this
>happens, validating plaintext is much easier.
>
>> If so, then it follows that a brute-force attack is impossible if I do
>> this instead (where F is another symmetric cipher):
>> c1 = E(F(p1))
>
>I wouldn't say impossible, but slightly more difficult. You forgot to
>include the keys in your construction. Let's assume you did it right
>and used different, independent keys for E and F. (if you used the
>same or a derived key for F, then what you said is not true). With
>independent keys and a single known plaintext, you can build an
>encryption table for E and a decryption table for F and use a
>meet-in-the-middle strategy to recover the keys. This means that the
>work required to brute-force this construction is only that required to
>brute-force E and F independently, instead of together. This is a
>well-known meet in the middle attack on double encryption. This is why
>the world uses triple-DES (3DES) instead of just 2DES.
>

  Though there are theorms that state you can't in general make a system
that is more secure than one of the ciphers done in series. You can
for example use different block sizes that could greatly add to the
confuseion. First forget the idea of c1 = E(F(p1)) since this implies
F() works on same block sizes as E(). You can use a bijective compression
on text P and than add bijective random rotation in result as the F().
 Using this will satisfy your criterion that the attacker would always
be lookingat random single blocks when decoding E().
 If that attacker has no idea of the bijective
compression function used he would have a very hard time trying to
break it even if E() is the identity function. Its not hard to consturct
such a function look at my second order bijective compression of english
text as an example. And use my DSC routines to do the random bijective
padding or rotation. Just slightly changing the table values and positions
in table are equivalent to using a large encryption key compared to what
is commonly considered safe. I think my code is a good starting place
for you to look at.

David A. Scott 

-- 
My Crypto code
http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott16u.zip
http://www.jim.com/jamesd/Kong/scott19u.zip old version
My Compression code http://bijective.dogma.net/
**TO EMAIL ME drop the roman "five" **
Disclaimer:I am in no way responsible for any of the statements
 made in the above text. For all I know I might be drugged.
As a famous person once said "any cryptograhic
system is only as strong as its weakest link"

Relevant Pages

  • Re: A basic cryptanalysis question
    ... he assumes he's recovered the plaintext. ... but only for what is known as a ciphertext-only attack. ... include the keys in your construction. ... decryption table for F and use a meet-in-the-middle strategy to recover the ...
    (sci.crypt)
  • Re: Countering chosen-plaintext attacks
    ... > If one passes the same plaintext to a encryptor X times, ... > means that we now have X ciphertexts that all decrypt to the same ... plaintext attack. ... "Her failure to do so meant that she was masking her Midway preparation ...
    (sci.crypt)
  • Re: Bijective - an explanation please?
    ... :>: of all bitstrings of length n or less map to images that begin ... :> rejecting keys, though. ... If that's the case then a particular compressor might well be able to ... convert that knowledge into known plaintext. ...
    (sci.crypt)
  • Re: Dynamic Hill cipher
    ... plaintext attack, since with plaintext materials of an amount equal ... Why base a modern cipher on an old and broken idea such as Hill's?. ... the fact that you do not see an attack on some method would ... Purely linear ciphers are ...
    (sci.crypt)
  • Re: how secure is SSL?
    ... Most SSL protocols in practice are using 1024-bit RSA keys. ... Untrusted code is another, extra huge problem. ... the number of linearly independent equations. ... Well, if this particular attack is flawed, I don't know. ...
    (sci.crypt)