David Honig (honig@sprynet.com)
Tue, 01 Sep 1998 09:03:54 -0700
At 11:13 PM 8/31/98 -0400, Sandy Harris wrote:
>I've thought up a method of cryptanalysis which I don't recall
>reading of anywhere, probably for several of the following reasons:
A few random associations that may be of use:
1. Look up Shannon's "unicity distance" which specifies, given
the redundancy in the plaintext, how much ciphertext you need
to recover the key. It's surprisingly little, theoretically.
2. Look up Lester Hill's paper on algebra and crypto. It's on the
net somewhere. He was the first to apply algebraic methods.
3. You'll enjoy Kahn's _Codebreakers_ and the 1940's era _Military
Crypto_ by Friedman et al.
>Given enough matched input/output
>(plaintext/ciphertext) pairs known to use the same key, can we
>just solve for the key?
With everything but an OTP, I think the answer is yes. It's solving for
an unknown, and given enough data you should be able to. 'Crypto is
economics'. This is why you should change your keys periodically
(e.g., using ephemeral keys, e.g., the PK-encrypted symmetric key sent in a
PGP message).
>This is why we need non-linear operations in a cipher. If the
Linear operations would also allow a 'push button' (analytic, no search
involved) solution.
>For ciphers using key-dependent s-boxes, you might treat the
>s-box contents as unknowns & try to solve for them. This looks
>highly impractical against Blowfish with its 32K bits of s-box
>material, but perhaps less so for Twofish.
The paranoid would note that some of the AES criteria
rule out the use of large internal states and
large key-setup times. (See Counterpane's Twofish paper
about NSA suggestions that two blocks be encipherable
under one key in the same time as with two).
David Honig
We will be obliged to take action ourselves -Gore on privacy
The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:13:58