Re: First timer with a code..
- From: David Eather <eather@xxxxxxxxxx>
- Date: Tue, 08 Feb 2011 13:30:53 +1000
On 8/02/2011 11:44 AM, jerry wrote:
On Feb 7, 6:45 pm, David Eather<eat...@xxxxxxxxxx> wrote:On 8/02/2011 4:27 AM, jerry wrote:
This looks like a very interesting place. Last night while partaking
in some "herbal" therapy, I thought up a code. This is a code that can
be encrypted and decrypted using a key without any type of computer
program. In other words it can by done at both ends on a piece of
paper, or in your head if you are the really smart type.
I am attaching a sample to see if any of you find it blatantly obvious
how it works.
This is a simple plain English sentence.
I wrote this the other day - well a couple days ago. It seems relevant.
Is my Cipher Secure – how to ask for a review
Before you ask there are some things you should realise:
1. You are asking for a favour. Anyone who spends time evaluating your
cipher gives up their spare time and resources for you. While you may
find working on your cipher interesting and even exciting, other people
probably won't, regardless of how good you think it is. Almost certainly
the reviewer could have found a more interesting use of their time but
they gave it to you as a service and a courtesy. Don't make them regret it.
2. If the reviewer's opinion on your cipher differs from yours, don't
resort to insults and name calling. That just makes you look childish.
Many (or even most!) of the people who populate sci.crypt are
professors, doctors, university lecturers and other cryptography
professionals. Insults and name calling immediately destroys any reason
anyone had to help you.
3. Nobody, repeat, nobody is interested in weak cryptography. If the
method your cryptography uses must stay secret to remain secure then it
is weaki cryptography. If your cryptography can't resist standard
attacks, even if you think those attacks are “unfair”, then it is weak
cryptography. Don't waste everyone’s time by submitting it. If you think
that is unfair, then you shouldn't be in the field of cryptography at all..
4. Just as nobody is interested in weak cryptography, nobody is
interested in slow cryptography. Two things slow down cryptography more
than anything else. They are excessive computation and excessive size.
For the first, don't do 100 computations if 10 will produce a secure
code. For the second make sure all the running code can fit in the cache
of the target system and still leave useful room for any other software
required by the system. It might be useful to think of your code as
having to run on a smart-card. That is, about 2 kilobytes of RAM and 8
kilobytes of ROM as a maximum, although that is somewhat flexible.
5. Cryptography is a hard science. When someone faults your cipher, they
are not faulting you. It is not a personal attack. It is not their fault
that your cipher is not secure. It is not their fault that you did not
know or did not think about the attack they describe. Just because you
did not think of it, does not make an attack invalid. Good cryptography
is secure regardless of the attack.
6. Never, never, never ever, post some scrambled gibberish as the output
of your cipher and ask if it is secure, or even worse, claim it is
secure unless someone can tell you what the original plain-text was.
Only the most absolutely infantile encryption is broken that way. Not
being broken that way proves nothing about a ciphers genuine security
and that makes such “challenges” totally pointless.
7. Everyone, and that includes every sci.crypter believes, or at least
believed, their first cipher to be unbreakable. It never is. That is
just a fact, but at least you don't have to feel like the Lone Ranger.
Your second and subsequent attempts have a better and improving chance
of being secure, but don't bombard the group with minor variation after
minor variation. Before you resubmit take time to learn more about
cryptography and deeply review you own work.
With that out of the way the question of “how” can be approached. You
aren't expected to write up a university grade submission but don't just
paste source code. You already know what you were intending to do, so
while it might be easy for you to read, it won't be easy for anyone else.
Post a short introduction to your cipher identifying what it is, how it
is intended to work. Include information on where it might be used and
what advantages you feel it has over other solutions and if you can,
references to any relevant cryptographic papers will help.
Include a high level description of your algorithm with further
descriptions of sub components as required. Include information on the
requirements for data input and output.
Cryptography has been a public science for decades. It has a terminology
of its own. Using that terminology makes it easier for professionals to
know what you are doing and to make evaluations, so you are more likely
to get a deeper analysis. If you aren't sure of the terminology make a
note of it so as not to lead to confusion. Lastly, if you have to use
your own terminology say so, but don't become so wedded to it that you
can't accept another name for particular functions. It would be
appropriate to include pseudo-code at this point.
Then you can post source code, but use a main stream language, which in
crypto means preferably “C”. There is nothing wrong with other
languages, but “C” is what cryptographers are used to.
To conclude your request it helps if you include the steps you have
taken to try and break the cipher yourself. The very last thing is to
publish some plain-text – cipher-text pairs along with the keys used to
encode them. This is so anyone can check your work and also so they can
check the output of your code on their machine.
Thank you. Very informative.
In the above, don't take the harsh words to heart, you were polite and for a cipher text only thing, informative. The more typical (which I had in mind when writing) are bombastic, rude and aggressive.