Re: Silly beginner questions

David Eather <eather@xxxxxxxxxx> writes:

Unruh wrote:
David Eather <eather@xxxxxxxxxx> writes:

Unruh wrote:
David Eather <eather@xxxxxxxxxx> writes:

Unruh wrote:
Mike Amling <nospam@xxxxxxxxxx> writes:

Newbie wrote:
Hi there, I'm totally new to cryptography hence my questions may turn
out to be silly (sorry, in case).

A has a message composed by, let's say, N uppercase letters.
It encrypts it and send it to B, without revealing the decryption key.
Then A reveals to B the letters, one by one.

1 - Can B, given the first M<N letters and the encrypted sequence,
predict exactly the rest of the sequence ? Can B do it with a
probabilistic advantage (i.e. know that the next letter will be M with a
probability greater than 1/26) ?
You don't specify it, I assume you mean the 'message' is itself a
random sequence of characters. B doesn't need to do anything
cryptographic to predict letters of an English sentence.
If B has unlimited computational resources, then B can find the set
of keys that would have encrypted those first M letters to the given
ciphertext. That set will decrease rapidly in size with increasing M.
Once the number of possible keys gets below 26, B obviously can do
better than 1/26.
Modern ciphers have a keyspace that is too large to do this using
feasible computers. However, if A is using, say, a Caesar cipher, it's
trivial.
2 - Are there encryption algorithms that are better in this context
(i.e. that make it harder for B to predict) ?
Pretty much every cipher more than 30 years old can be broken by
current computers.
Since both DES ( including triple DES ) and RSA are over thirty years old,
I would hope you would share with us how you would break them.
The Magic Words are Squeamish Ossifrage and Deep-Crack!
Or can I infer from your statement that you would be happy to send
important data encrypted using a combination of RSA-129 and 56-bit DES?
??? RSA had no limit on the length of the composite when it was invented.
At that time they thought that 129 bits was fine, but that was no limit.
And sure I would use 56 bit DES. I would use it three times-- with
different keys.
AES with a 2 bit key is hopelessly unsecure. Does that mean that AES is
insecure? That AES can be broken by current computers? No.
Similarly neither RSA not DES ( with a longer key eg triple des) are broken.


AES has not ever been specified for use with a 2-bit key. Unruh's
argument here is not valid.

AES can be used with a 2 bit key. One can make all 128 high order bits 0.
The only point is that ANY crypto system is broken if it has too small a
key to exhaustive search.

Please point to the relevant specification of AES that explains how a
2-bit key is used. It does not exist. Anyone who actually tried to do
such a thing and still tried to call the use with unspecified parameters
"AES" deserves a slap on the back of the head.


Unruh's earlier post identifies 3DES as a subset of DES - your words
"...DES ( including triple DES )..." and you then go on to challenge for
details on how DES - not the subset 3DES - is broken. I provided the
name of the cracking machine used. Now you want to say that you meant
"DES" only in terms of "3DES". I will say no more about that.

The original claim was that any crypto system invented over thirty years ago is
broken. That statement is simply wrong. DES is not broken, It falls to
exhaustive search and anything with extends the key obviates that.

I reiterate my previous comment

And
extending the key on a crypto system by reusing it was well known much more
than 30 years ago.
Are all crypto systems invented more than 30 years ago broken on modern
computers? The answer is clearly no, and I have no idea why you are trying
to defend that position.

Ok. Here I see your point cede your correctness.

OK, that was my main point.




lastly,

Unruh said:
??? RSA had no limit on the length of the composite when it was invented.
At that time they thought that 129 bits was fine, but that was no limit.
End Unruh said:

Not one month ago Unruh was arguing that the extra computation required
for Serpent as AES vs the lower computation required for Rijndael as AES
meant that Serpent would be a disaster for business. That extra
computation represents a work factor of about 3 to 1.

It must be nice to make up stories about what people said.

I'll repost that *** if you want.

Sure, but I doubt that anyone would be interested.


Besides, the question being discussed is broken, not usefulness. RSA has never been
very useful for large scale encryption because of speed. It IS useful for
key exchange. RSA is not broken. Serpent is not broken, nor is Rigndal.
Nor is DES.


Bearing the above in mind, at the birth of RSA and the RSA-129 challenge
it was thought that factoring RSA-129 (approx 428bits) would take longer
than 40 quadrillion years. How much overkill would users accept and
implement? Can this number be reconciled with chip manufacturers
producing RSA chips working on a 512bit and even smaller modulus?

What has this to do with anything being discussed here? We are talking
about whether or not a crypto system is broken.

This (above) has to do with the possibility that the then generally used
sizes for RSA would be glossed over with claims that larger parameters
are still secure. RSA with parameters typical at the time when it was
new are insecure.

RSA is not broken. RSA with the key sizes used then is insecure now I
agree.



If you use any crypto
system with too small a key, it falls to exhaustive search, and what can be
searched increases with time. So yes, DES with a 56 bit key, while not
broken is not advised. RSA with a 129 bit key is strongly not advised. And
Ron rivest's claim about 129 bit RSA was stupid even at the time and I am
sure he is embarassed every time he sees it. But that does not mean RSA is
broken. RSA has the advantage of having an infinitely extendable key.



This reminds me of FEAL. FEAL-4 is a better crypto system than DES.

What? Feal-4 is broken? Feal-8 is a better crypto system than DES.

Is it broken or does it fall to exhaustive search? If the latter then
increasing the key size is a fine response. If it is broken-- ie falls to
some technique other than exhaustive search, then I fail to see your point.



Feal-8 is broken too? Feal-N is a better... what? OK Feal-NX where N is
greater than...

If you can continually shift the goal posts then no one can ever claim a
system is broken. RSA with parameters (and usage) typical at the time
when it was new is insecure/broken.

It is insecure due to key size. Just as if someone told you to use AES with
2 bit key size would be insecure. That does not mean AES is broken.
I am primarily arguing that there is a difference to being insecure due to
too small a key space, and being broken.



I would use the term "broken" whenever a cipher would in practice give
up information to an unauthorized recipient. This is possibly not your
definition.
(small snip)

Agreed. I would call a cypher broken if it reveals its information by some
technique other than exhaustive search. If it fails due to too small a key
size and that key size can be increased easily, then I would not call it
broken. Thus OTP is not broken, even if with too small a key space, it is
definitely insecure.




.