Foiling the known-plaintext attacks
in [Cryptography]
|
Prev: How cool is this?
Next: The Winds of Change.
From: Mok-Kong Shen on 5 May 2010 19:38 Maaartin wrote: [snip] > Is your schema vulnerable to non-adaptive chosen plaintext attacks? It > is. Isn't it enough? I overlooked to answer this question in my previous reply to you. I assume that for each message a key "unique" to the message is employed (see my original post in this thread). So chosen plaintext is no different from known-plaintext, as far as analysis is concerned. M. K. Shen
From: Bryan on 6 May 2010 06:18 Mok-Kong Shen wrote: > The main point my mine is how could one deal with the "one equation but > two unknowns" issue. Mr. Maaatin, if you could answer that in place of > Mr. Olson, I am grateful to you just as well. Both Maaartin and I already answered that "issue" in the Hill-cipher thread. The attacker collects enough known plaintext that the equations dominate the unknowns. Maaartin had written: | Assuming a perfect PRNG it works, but is useless, as | already said. Assuming any other PRNG, you can collect equations *over | more outputs*. If the PRNG is linear, the equations are linear as | well, you get any number of them, you compute it's initial state, it's | broken. QED. And: | If trying to break a cipher, | you always need quite a lot of plaintext and/or ciphertext. For any | contemporary cipher worth its name, one assumes unlimited amount of | plaintext-ciphertext pairs, which may or may not be chosen by the | attacker Bryan Olson, had written: | Near as I can tell, that's key to what Shen is missing. The initial | unknowns are the variables in the PRNG state. The Hill-matrix entries | are determined by the PRNG state. If we consider each new matrix entry | to be a new variable, another unknown, each also gives us another | equation: the equation expressing the entry as a function of the PRNG | state. Then as we see the encryption of known plaintext, we get yet | more equations, without additional unknowns. The system of | simultaneous equations becomes solvable. Does there exist a cipher such that the number of unknowns is always greater than the number of equations available to an attacker? Yes; it's called the one-time pad. Your scheme is not such. Any cipher with a bounded key size has a unicity distance, which is the amount of ciphertext the attacker needs for the solution to be unique. Mr. Shen, answers don't go away if you refuse to study them, and they're not going to change just because you keep asking the same questions over and over. -- --Bryan
From: Bryan on 6 May 2010 11:03 Mok-Kong Shen wrote: > Mr. Olson, you wrote plenty of stuffs that concern me "personally". No, no -- I don't know you personally. All I know about you is from your posts here on sci.crypt that bring down the quality of the newsgroup. > But > wouldn't you think that matters of scientific nature has priority over > personal matters in postings of this group? If you think the other > way round, then I'll ask you to say clearly and plainly the reasons. > If, on the other hand, you do agree that scientific matters should have > priority over (or at least have a priority not lower than) personal > matters, then I'll sincerely ask you to respond to the following of my > previous post: > > BTW, I have said that the basic idea underlying the present scheme and > my proposal of the dynamic version of the Hill cipher is the same. I already responded those "matters of scientific nature", as did others. You, Mr. Shen, decided to reject what we said. > So, perhaps you could, utilizing your previous work done in > scrutinizing my proposal there, say something concrete/objective on > where the weakness of the scheme lies and in which direction one could > profitably pursue to crack it. Sure. I stand by my ample concrete and objective saying over there, but I did say something not quite right when I referred to the mathematical field underlying the Hill matrix operations. Hill worked with integers modulo 26. That's a ring, but not a field. You, Mr. Shen, ambiguously specified 32-bit words, and near as I can tell you meant arithmetic mod 2**32, not the Galois field. > (It's anyway my "attempt" here to > make it clear that "linear" isn't synonymous to "trivially weak".) While the reality here is that you've over and over posted schemes that were trivially weak precisely because they were linear. I have citations if you want. > If you keep silent on this request, then I believe that most readers of > this group could perceive and understand why (namely that you are > short of objective and clear scientific arguments countering my points). On the other hand, if I and others had answered the request even *before* you asked it this time, perhaps readers will realize what a waste of time your posts are. And when I say "if", of course that's a bit facetious; nothing iffy about it. > I am ready to discuss with you on my personal matters, if you consider > that to be necessary, but I believe I am anyway correct in insisting > that scientific matters should be dealt with "first". Great! State and establish your scientific results. Where's your cryptanalysis? What interesting theorems have you proven? Why are you posting the blather if you think scientific matters take priority? Mr. She, in the course of a decade or two, the posts back and forth between you and me have, sadly, included many inappropriate, ad hominem assertions as to your "poor knowledge" and "low IQ". I believe *you* wrote every single one of those deplorable comments, Mr. Shen. The most "personal" criticism I direct at you, Mr. Shen, is that you do not put forth a serious effort toward learning the subject matter of sci.crypt. -- --Bryan
From: Mok-Kong Shen on 6 May 2010 11:04 Bryan wrote: > Mok-Kong Shen wrote: >> The main point my mine is how could one deal with the "one equation but >> two unknowns" issue. Mr. Maaatin, if you could answer that in place of >> Mr. Olson, I am grateful to you just as well. > > Both Maaartin and I already answered that "issue" in the Hill-cipher > thread. The attacker collects enough known plaintext that the > equations dominate the unknowns. But istn't what you wrote entirely "vague"? What is exactly a measure of "dominance"? How (i.e. through which varaibles involved) does there come about a dominance? It is necessary to start from plaintext and ciphertext, via the equation that link them together, to trace the exact path of the "influence" of plaintet and ciphertext on the parameters of the PRNGs involved, isn't it? Could you "formally" demonstrate the "dominance" you meant? > Does there exist a cipher such that the number of unknowns is always > greater than the number of equations available to an attacker? Yes; > it's called the one-time pad. Your scheme is not such. Any cipher with > a bounded key size has a unicity distance, which is the amount of > ciphertext the attacker needs for the solution to be unique. > > Mr. Shen, answers don't go away if you refuse to study them, and > they're not going to change just because you keep asking the same > questions over and over. It would be entirely out of my fantasy to imagine my scheme could be something to be compared to OTP. But the word linearity "without" any "qulifications" doesn't unconditionally equal to "solvability" or "weakness in crypto", as I wrote previously. Every pupil learning elementary math in schools knows that a linear equation having two unknowns can't be solved or more exactly has no unique solution but as a rule have a large number of feasible solutions. In the present case with the equation C_i = g_0 + g_1*P_i mod 2^32 g_0 and g_1 are the unknowns and, for a particular chosen value of g_0, there is further an issue when P_i happens to be even. This state of affairs is of course trivial and well-known. But the "triviality" doesn't (unconditionally) translate to what one needs in the present context, namely to obtain g_0 and g_1, or at the very least obtain frequency distributions of g_0 and g_1 so as to somehow with these to attempt to start predicting the parameters of the PRNGs. If there is not even a dimmest indication of such paths to a crack, it doesn't "help" at all simply to "claim" that the scheme is crakable. Certainly, anything other than an OTP doesn't have perfect security and I would be among the last persons to consider/imagine the scheme to be absolutely secure. But the issue here is not a pure theoretical one but a practical one, namely to look and find where there possibly may be "concrete" paths (mathematical relations) that the analyst can "effectively" exploit: As I said, I haven't yet seen any "concrete" indications at all in this thread. (See also what I said concerning "dominance" above.) M. K. Shen
From: Mok-Kong Shen on 6 May 2010 11:42
Bryan wrote: > Mok-Kong Shen wrote: >> Mr. Olson, you wrote plenty of stuffs that concern me "personally". > > No, no -- I don't know you personally. All I know about you is from > your posts here on sci.crypt that bring down the quality of the > newsgroup. How did you come to that interpretation? Though a non-native, I am sure that you made a grammatical mistake in analysing my sentence. The word "personally" qualifies "concern". Something that concerns me persoanlly means a personal matter, e.g. whether I am going to theatre tonight. How did you infer from my sentence at all that I "meant" there be any personal acquantance between us, which caused you to write the first sentence above?? >> But >> wouldn't you think that matters of scientific nature has priority over >> personal matters in postings of this group? If you think the other >> way round, then I'll ask you to say clearly and plainly the reasons. >> If, on the other hand, you do agree that scientific matters should have >> priority over (or at least have a priority not lower than) personal >> matters, then I'll sincerely ask you to respond to the following of my >> previous post: >> >> BTW, I have said that the basic idea underlying the present scheme and >> my proposal of the dynamic version of the Hill cipher is the same. > > I already responded those "matters of scientific nature", as did > others. You, Mr. Shen, decided to reject what we said. Just "claiming" that you have explained or perhaps even in depth explained doesn't unconditionally mean that an explanation actually exists. Certainly it could be that I overlooked, but in that case you could cut and paste something or provide the beginning and end of paragraphs of past posts and time of the posts,, don't you? Please see however a reply to another post of you that I had just sent, where I questioned on concrete indications of paths of cracking the scheme. >> So, perhaps you could, utilizing your previous work done in >> scrutinizing my proposal there, say something concrete/objective on >> where the weakness of the scheme lies and in which direction one could >> profitably pursue to crack it. > > Sure. I stand by my ample concrete and objective saying over there, > but I did say something not quite right when I referred to the > mathematical field underlying the Hill matrix operations. Hill worked > with integers modulo 26. That's a ring, but not a field. You, Mr. > Shen, ambiguously specified 32-bit words, and near as I can tell you > meant arithmetic mod 2**32, not the Galois field. I never used in this thread the term GF, or did I?? >> (It's anyway my "attempt" here to >> make it clear that "linear" isn't synonymous to "trivially weak".) > > While the reality here is that you've over and over posted schemes > that were trivially weak precisely because they were linear. I have > citations if you want. Any person on the street knows "An (linear) equation with two unknowns" has no (unique) solution. If it were not because of that (trivial) fact, I can assure you that I wouldn't even think about putting up a scheme involving linear relationships. But the "trick" here is (namely) however exploiting the "non-uniqueness" of the solutions. Note that there are two PRNGs used to generate g_0 and g_1. If there were only one, the matter would be different to some extent. > >> If you keep silent on this request, then I believe that most readers of >> this group could perceive and understand why (namely that you are >> short of objective and clear scientific arguments countering my points). > > On the other hand, if I and others had answered the request even > *before* you asked it this time, perhaps readers will realize what a > waste of time your posts are. And when I say "if", of course that's a > bit facetious; nothing iffy about it. > >> I am ready to discuss with you on my personal matters, if you consider >> that to be necessary, but I believe I am anyway correct in insisting >> that scientific matters should be dealt with "first". > > Great! State and establish your scientific results. Where's your > cryptanalysis? What interesting theorems have you proven? Why are you > posting the blather if you think scientific matters take priority? If I wrote down a math equation in one case and claimed that another person had no idea at all of C in another case, are there differences or not in the nature of my actions? Why do you consider the first case non-scientific? There could well be errors in my math, but that doesn't affect the nature of its belonging to a scientific statement from the very beginning. M. K. Shen |