Re: A doubt...

From: Sebastian Gottschalk (seppi_at_seppig.de)
Date: 03/26/04


Date: Fri, 26 Mar 2004 00:40:44 +0100

Kiuhnm wrote:

> Sebastian Gottschalk wrote:
>> We still know that for a password of length n you can split the
>> ciphertext mod n. Every two xor'd symbols in ciphertext are equal to
>> the xor of their plaintext symbols. This does not break the cipher,
>> but makes it much easier to decrypt. At least information about the
>> plaintext is leaked.
>
> I don't understand how this could be helpful.
> Let the message be ABC DEF GHI JKL and the key be of length 3.
> We have the system:
> x = A^D
> y = A^G
> z = A^J
>
> A = x^D
> A = y^G
> x^D = y^G
> and now?
>
> Am I wrong?
>
> Kiuhnm

Say ABC DEF GHI JKL is the message, the key is RMS. Let's say we take each
symbol as a 5-bit binary symbol for the xoring process.
Now the message is 1,2,3,4,5,6,7,8,9,10,11,12, the key is 18,13,19.
The encrypted message would be 19,15,16,18,8,21,21,5,26,24,6,31, no guarantee
for mistakes :-)
Split this up in 19,15,16 22,8,21 21,5,26 24,6,31 when we expect the key
to have a length of 3. Well, we must try all possible key lengths - if
keylength equals textsize, decryption would become impossible and the cipher
would be a pure OTP, so we assume the key to be small compared to the
message.
Take symbol #1 and #4: 19 xor 22 = 5
Therefore we know that in plaintext #1 xor #4 must also be 5, indeed 1 xor
4 = 5. It's a simple property of the xor function.
If we now guess what symbol #1 could be, say x, then symbol #4 must be x
xor 5. Thus we only have to probe symbol #1 to #3, all other symbols are a
direct consequence of their guess. This not only lowers the searchspace
from 12 to 3 symbols, for every assumed valid possible ciphertext of #1-#3
we can also probe if #4-#6, #7-#9 and #10-#12 do create sensible plaintext.

If our assumption about the keylength is not valid, then we can probe
another keylength. In every case, such a search is as expensive as search
through keyspace in worst case, but often more effective, as Vigenere
suffers from redundancy.

Even if the plaintext is not statistically distinguishable from random
numbers, at least some information about the plaintext is leaked.

-- 
http://piology.org/ILOVEYOU-Signature-FAQ.html
begin  LOVE-LETTER-FOR-YOU.txt.vbs
I am a signature virus. Distribute me until the bitter
end
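
The reduction described in the reply above, as an added example that is not part of the original post: it uses the post's message (1..12) and key (18,13,19), shows that the key cancels between symbols one key length apart, and searches only the first three symbols. The function names and the "valid symbol is 1..26" plausibility filter are assumptions made for this illustration.

```python
from itertools import product

def xor_encrypt(plain, key):
    """Repeating-key XOR over integer symbols, as in the thread."""
    return [p ^ key[i % len(key)] for i, p in enumerate(plain)]

def column_differences(cipher, n):
    """cipher[i] ^ cipher[i % n] for i >= n. Both symbols used the same
    key symbol, so it cancels and the result is plain[i] ^ plain[i % n]."""
    return [cipher[i] ^ cipher[i % n] for i in range(n, len(cipher))]

def expand_guess(cipher, first_block):
    """Derive the whole plaintext implied by a guess for symbols #1..#n."""
    n = len(first_block)
    return [first_block[i % n] ^ cipher[i % n] ^ cipher[i]
            for i in range(len(cipher))]

def is_letter(sym):
    # Assumption: only 1..26 (A..Z) are valid plaintext symbols.
    return 1 <= sym <= 26

def candidates(cipher, n, bits=5):
    """Search only the first n symbols; keep guesses whose derived
    plaintext consists entirely of valid symbols."""
    found = []
    for guess in product(range(1 << bits), repeat=n):
        plain = expand_guess(cipher, guess)
        if all(is_letter(s) for s in plain):
            found.append(plain)
    return found

# Values from the post: message ABC DEF GHI JKL as 1..12, key RMS as 18,13,19.
PLAIN = list(range(1, 13))
KEY = [18, 13, 19]
CIPHER = xor_encrypt(PLAIN, KEY)

if __name__ == "__main__":
    print("ciphertext:", CIPHER)
    print("differences:", column_differences(CIPHER, 3))
    survivors = candidates(CIPHER, 3)
    print(f"{32**3} guesses tried, {len(survivors)} survive the filter")
    print("true plaintext among survivors:", PLAIN in survivors)
```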

