
Chosen plaintext attacks


JT

Sep 14, 2010, 5:45:43 AM
Someone here suggested a chosen plaintext attack on a CSPRNG, which
baffled me a bit and made me tell him he was crazy.

When you make a CSPRNG, which is just a random number generator with a
small period like a hash, or a long period like a PRP (pseudo random
permutation). And then you have the LFSR, which I guess can have both
longer and shorter periods.

All CSPRNGs rely on the algorithm not leaking information about the
internal states, so you want to prevent the attacker from being able
to calculate the next bit, byte or block of output from the CSPRNG.

So if I give the attacker 1 gigabyte of output from the CSPRNG, he
should not be able to calculate the next bit, byte or block. So the one
who suggested a chosen plaintext attack on a CSPRNG, what did he
really mean? Was he just confused, or was there any idea within that OT
statement?

So when are known plaintext attacks applicable? To me it seems they are
mainly applicable on block ciphers with fixed S-boxes?

JT

JT

Sep 14, 2010, 7:01:12 AM

A permutation algorithm ought to have a name, I guess, so I go for
*small potato*, and the CSPRNG could be called *mashed potato*.

It makes cryptanalysis an obsolete, outdated technique: you can not
analyse a swarm of mashed potato fragments, even if you know that
the subparticles run into each other and teleport.

A linear interaction, which in the real world represents a 1st order
chaotic process, can be explained by a world where the causal complexity
of weather prevents us from perfectly forecasting and predicting the
weather due to variable overload.

Using 2th century technology of teleportation, the small potato theory
lets subparticles interact in a way that makes mashed potato a 2nd order
chaos theory, where one observable particle is made up from 3 smaller
particles.

The true interaction between subparticles is hidden from the observer,
much like quantum entanglement. It is not the number of subparticle
variables that prevents us from calculating the result of a round of
mashed potato, it is the erratic behaviour of subparticles using
teleportation before merging into an observable mashed potato fragment.

Maybe this was all mashed potato to you; well, it comes from little
potato.

JT


rossum

Sep 14, 2010, 9:31:30 AM
On Tue, 14 Sep 2010 02:45:43 -0700 (PDT), JT
<jonas.t...@hotmail.com> wrote:

>Someone here suggested a chosen plaintext attack on a CSPRNG, which
>baffled me a bit and made me tell him he was crazy.
>
>When you make a CSPRNG, which is just a random number generator with a
>small period like a hash,

A hash is not a CSPRNG. A hash may be a component of a CSPRNG but not
on its own.

>or a long period like a PRP (pseudo random
>permutation). And then you have the LFSR, which I guess can have both
>longer and shorter periods.
>
>All CSPRNGs rely on the algorithm not leaking information about the
>internal states, so you want to prevent the attacker from being able
>to calculate the next bit, byte or block of output from the CSPRNG.

A good CSPRNG should not leak any information about either the next
state or the previous state. If the attacker captures part of the
keystream then she should not be able to read either new messages sent
after or old messages sent before the known keystream.

>
>So if i give the attacker 1 gigabyte of output from the CSPRNG, he
>should not be able to calculate next, bit byte or block. So that
>someone who suggested a chosen plaintext attack on CSPRNG what did he
>really mean was he just confused or was there any idea within that OT
>statement?
>
>So when is known plaintext attacks applicable? To me it seems they are
>mainly applicable on blockciphers with fixed S-boxes?

A chosen plaintext allows the attacker to easily extract the keystream
from the cyphertext. Having the keystream allows the attacker to
attack the underlying CSPRNG directly.

rossum

JT

Sep 14, 2010, 1:24:15 PM
On 14 Sep, 15:31, rossum <rossu...@coldmail.com> wrote:
> On Tue, 14 Sep 2010 02:45:43 -0700 (PDT), JT
>

There is something vaguely retarded about suggesting a chosen plaintext
attack on a cipher that relies on a simple XOR of the plaintext; of
course the plaintext will be revealed.

An OTP cipher relies on the keystream coming from a random source that
can not be recreated.
Similarly, a PRP cipher relies on the fact that the internal keystream
can not be recreated without the key.

It is after all 6044 bits that should be guessed, so a brute force of
the key is far easier.

So there is something vaguely retarded about suggesting a plaintext
attack when the keystream is free for inspection.
Well, that is just my thoughts about the subject and the chosen way to
attack it; what has gone wrong?

JT

JT

Sep 14, 2010, 1:33:51 PM

Oops, that should be keystream... Well,
well, it is all small potato after all.

JT

> An OTP cipher relies on the keystream coming from a random source that
> can not be recreated.
> Similarly, a PRP cipher relies on the fact that the internal keystream
> can not be recreated without the key.
>
> It is after all 6044 bits that should be guessed, so a brute force of
> the key is far easier.
>
> So there is something vaguely retarded about suggesting a plaintext
> attack when the keystream is free for inspection.
> Well, that is just my thoughts about the subject and the chosen way to
> attack it; what has gone wrong?
>

> JT

unruh

Sep 14, 2010, 2:05:09 PM
On 2010-09-14, JT <jonas.t...@hotmail.com> wrote:
> On 14 Sep, 15:31, rossum <rossu...@coldmail.com> wrote:
>> A chosen plaintext allows the attacker to easily extract the keystream
>> from the cyphertext. Having the keystream allows the attacker to
>> attack the underlying CSPRNG directly.
>>
>> rossum
>
> There is something vaguely retarded about suggesting a chosen plaintext
> attack on a cipher that relies on a simple XOR of the plaintext; of
> course the plaintext will be revealed.

??? If you read the paragraph you are responding to you will note that
it says that the chosen plaintext allows to extract the KEYSTREAM not the
plaintext.

>
> An OTP cipher relies on the keystream coming from a random source that
> can not be recreated.

But this discussion is NOT about OTP but about stream cyphers. Stream
cyphers generate a pseudo random stream from a small key.
Thus in theory they have very very little entropy and there are huge
long range correlations in the stream. Finding them is the difficulty.

> Similarly, a PRP cipher relies on the fact that the internal keystream
> can not be recreated without the key.

For a finite key, you know that is not true. There exists some way of
finding the generation of the stream without the key.

>
> It is after all 6044 bits that should be guessed, so a brute force of
> the key is far easier.

That is one way of finding the keystream without knowing the key.

>
> So there is something vaguely retarded about suggesting a plaintext
> attack when the keystream is free for inspection.

??? How is the keystream free for inspection?

rossum

Sep 14, 2010, 7:23:43 PM

>[keystream] will be revealed.


>
>An OTP cipher relies on the keystream coming from a random source that
>can not be recreated.
>Similarly, a PRP cipher relies on the fact that the internal keystream
>can not be recreated without the key.

Not necessarily so. If you can completely determine the internal
state of the PRNG at any time then you can run it forwards (and
possibly backwards as well) regardless of whether you have the key or
not.

>
>It is after all 6044 bits that should be guessed, so a brute force of
>the key is far easier.

That depends on there being no other weaknesses in the PRNG. A weak
PRNG will leak information about its internal state and/or its key in
the keystream. See

http://aboba.drizzlehosting.com/IEEE/rc4_ksaproc.pdf

for an example, the Fluhrer, Mantin and Shamir attack on RC4.

>
>So there is something vaguely retarded about suggesting a plaintext
>attack when the keystream is free for inspection.

How? I presume you are not giving away the secret key for free? The
first step in attacking a stream cypher is often to recover the
underlying keystream and a chosen plaintext attack is one way to do
that.

rossum

JT

Sep 15, 2010, 4:56:37 AM
On 14 Sep, 20:05, unruh <un...@wormhole.physics.ubc.ca> wrote:

> On 2010-09-14, JT <jonas.thornv...@hotmail.com> wrote:
>
> > On 14 Sep, 15:31, rossum <rossu...@coldmail.com> wrote:
> >> A chosen plaintext allows the attacker to easily extract the keystream
> >> from the cyphertext. Having the keystream allows the attacker to
> >> attack the underlying CSPRNG directly.
>
> >> rossum
>
> > There is something vaguely retarded about suggesting a chosen plaintext
> > attack on a cipher that relies on a simple XOR of the plaintext; of
> > course the plaintext will be revealed.
>
> ??? If you read the paragraph you are responding to you will note that
> it says that the chosen plaintext allows to extract the KEYSTREAM not the
> plaintext.

It was sloppily written of me; of course I meant the keystream. I did
actually correct it, in an answer to myself, but you missed it.

>
> > An OTP cipher relies on the keystream coming from a random source that
> > can not be recreated.
>
> But this discussion is NOT about OTP but about stream cyphers. Stream
> cyphers generate a pseudo random stream from a small key.
> Thus in theory they have very very little entropy and there are huge
> long range correlations in the stream. Finding them is the difficulty.

No, the stream has the entropy of the possible key size in a variable
key cipher; I thought professionals should know that. There are 256!
possible different keys in this cipher if you fully utilize the
key expansion. And there is no problem whatsoever to expand the max
key size to any size, for example 4096!. It is about permutations and
key expansion.

That is not a small entropy, it is small potato; even to brute force a
256! key is a gigantic undertaking.

> > Similarly, a PRP cipher relies on the fact that the internal keystream
> > can not be recreated without the key.
>
> For a finite key, you know that is not true. There exists some way of
> finding the generation of the stream without the key.

Well, if you find it easier to find (brute force) the 6044 bits of the
internal stream than to brute force the key. There is, but what is the
point.

>
>
> > It is after all 6044 bits that should be guessed, so a brute force of
> > the key is far easier.
>
> That is one way of finding the keystream without knowing the key.

Yes, to brute force the much bigger internal stream makes very much
sense; a search space of 2^6044 is much easier to attack than a
keyspace of 256!, duuuuuuuuh........


>
>
> > So there is something vaguely retarded about suggesting a plaintext
> > attack when the keystream is free for inspection.
>
> ??? How is the keystream free for inspection?

By a chosen plaintext attack the CPRNG output layer ***mashed potato*** is
shown.

Maybe we misunderstood each other; I also call the CPRNG output a
keystream, or is there another name for it?

Of course the three internal convoluting stream buffers are keystreams.

However, the ***small potato*** streams and save state of 6044 bits in
total are not revealed.

I give you mashed potato to observe; small potato stays hidden.

JT

Sep 15, 2010, 5:08:50 AM

And this is what I believe is regarded in the argument: you suggest to
find the internal states, which have a keyspace of 2^6044, pretending
that would be easier than finding the original key, which has a
keyspace of 256!.

So I am not sure what you are suggesting here; also note there is a many
to one relationship between internal state and CSPRNG output. Many
combinations of internal stream can make up the same CSPRNG stream.

Your suggestions are either just distractions or you are wandering in
the dark.

>
>
> >It is after all 6044 bits that should be guessed, so a brute force of
> >the key is far easier.
>
> That depends on there being no other weaknesses in the PRNG.  A weak
> PRNG will leak information about its internal state and/or its key in
> the keystream.  See

OK, I understand that; I do not believe there to be any weakness in the
CSPRNG, it will not leak internal bit states ***small potatoes*** to the
CSPRNG ***mashed potato***.

>  http://aboba.drizzlehosting.com/IEEE/rc4_ksaproc.pdf
>
> for an example, the Fluhrer, Mantin and Shamir attack on RC4.
>
>
>
> >So there is something vaguely retarded about suggesting a plaintext
> >attack when the keystream is free for inspection.
>
> How?  I presume you are not giving away the secret key for free?  The
> first step in attacking a stream cypher is often to recover the
> underlying keystream and a chosen plaintext attack is one way to do
> that.

Well, that would work for an OTP also, you will have the OTP key, but it
is still not an attack, just vaguely retarded.

I called some of my ciphers POTP for a reason; you did not like it so
now I say PRP ciphers, but they have many of the traits of OTP.

JT

Joseph Ashwood

Sep 15, 2010, 5:55:56 AM
I'm deliberately ignoring the keystream recovery version.

"JT" <jonas.t...@hotmail.com> wrote in message
news:2818809f-a710-4169...@k30g2000vbn.googlegroups.com...


> Someone here suggested a chosen plaintext attack on a CSPRNG, which
> baffled me a bit and made me tell him he was crazy.
>
> When you make a CSPRNG, which is just a random number generator with a
> small period like a hash, or a long period like a PRP (pseudo random
> permutation). And then you have the LFSR, which I guess can have both
> longer and shorter periods.

> So when are known plaintext attacks applicable?

Oddly, it is actually possible that under some circumstances a chosen
plaintext attack could be mounted on a PRNG. To see exactly how this would
be done consider a block cipher in CTR mode, a chosen ciphertext attack on
the PRNG in this case would be conceivable, although the exact circumstances
to mount this attack are murky at best.

> To me it seems they are
> mainly applicable on block ciphers with fixed S-boxes?

They are easily applicable any time a PRF (Pseudo Random Function, a PRP is
one type of PRF) with an input that can be thought of as a plaintext is
present in the system. In a streamcipher mode of operation these can be
difficult to mount, but such an attack can still be possible.

It's also worth noting that in a streamcipher mode of operation the
plaintexts are forced to an order chosen by the user, even if the attacker
gets to choose the base point. For example, if a block cipher has a special
plaintext where ciphertext=key, then the attack works quickly and quite
obviously. However, if the attack requires plaintexts of the form where only
one bit is set for each bit in the block, the attack would require near
exhaustion of the plaintext space in CTR mode, making the attack effectively
impossible.

So the truth is, it is often possible to mount a chosen basepoint attack
against a CSPRNG, but chosen basepoint attacks are significantly more
difficult to understand than chosen plaintext.
Joe

rossum

Sep 15, 2010, 8:34:27 AM
On Wed, 15 Sep 2010 02:08:50 -0700 (PDT), JT
<jonas.t...@hotmail.com> wrote:

>On 15 Sep, 01:23, rossum <rossu...@coldmail.com> wrote:
>> On Tue, 14 Sep 2010 10:24:15 -0700 (PDT), JT

[snip for brevity]

>>
>> >There is something vaguely retarded about suggesting a chosen plaintext
>> >attack on a cipher that relies on a simple XOR of the plaintext; of
>> >course the [keystream] will be revealed.
>>
>> >An OTP cipher relies on the keystream coming from a random source that
>> >can not be recreated.
>> >Similarly, a PRP cipher relies on the fact that the internal keystream
>> >can not be recreated without the key.
>>
>> Not necessarily so.  If you can completely determine the internal
>> state of the PRNG at any time then you can run it forwards (and
>> possibly backwards as well) regardless of whether you have the key or
>> not.
>
>And this is what I believe is regarded in the argument: you suggest to
>find the internal states, which have a keyspace of 2^6044, pretending
>that would be easier than finding the original key, which has a
>keyspace of 256!.

If the PRNG is leaking information about its internal state then it
would be a lot easier. It is for that reason that cryptographers
never use linear congruential PRNGs; they leak far too much
information about their internal state.

>
>So I am not sure what you are suggesting here; also note there is a many
>to one relationship between internal state and CSPRNG output. Many
>combinations of internal stream can make up the same CSPRNG stream.
>
>Your suggestions are either just distractions or you are wandering in
>the dark.
>
>>
>>
>> >It is after all 6044 bits that should be guessed, so a brute force of
>> >the key is far easier.
>>
>> That depends on there being no other weaknesses in the PRNG.  A weak
>> PRNG will leak information about its internal state and/or its key in
>> the keystream.  See
>
>OK, I understand that; I do not believe there to be any weakness in the
>CSPRNG, it will not leak internal bit states ***small potatoes*** to the
>CSPRNG ***mashed potato***.

You designed this PRNG so of course you do not see any weaknesses in
it. If you did see a weakness then you would have corrected it before
publishing it. That does not mean that other people will not find
weaknesses. The designers of RC4 did not see any weaknesses in it yet
there were weaknesses present.

>
>>  http://aboba.drizzlehosting.com/IEEE/rc4_ksaproc.pdf
>>
>> for an example, the Fluhrer, Mantin and Shamir attack on RC4.
>>
>>
>>
>> >So there is something vaguely retarded about suggesting a plaintext
>> >attack when the keystream is free for inspection.
>>
>> How?  I presume you are not giving away the secret key for free?  The
>> first step in attacking a stream cypher is often to recover the
>> underlying keystream and a chosen plaintext attack is one way to do
>> that.
>
>Well, that would work for an OTP also, you will have the OTP key, but it
>is still not an attack, just vaguely retarded.

Your cypher is not an OTP. We are well aware of the requirements for
an OTP, and the properties it can be expected to have if those
requirements are met. If the attacker has the key for an OTP then all
plaintext is immediately recoverable. Remember that for an OTP the
key IS the keystream -- they are byte for byte identical. Your cypher
is different in that a short key is transformed into a long keystream.

>
>I called some of my ciphers POTP for a reason; you did not like it so
>now I say PRP ciphers, but they have many of the traits of OTP.

Please do not do this. One of the infallible indicators of
cryptographic snake-oil is comparison to the OTP, "just like a One
Time Pad but simpler". Your cypher is NOT a one time pad. It fails to
meet the requirements for an OTP so it also fails to have the security
properties of the OTP. Have a look at the unicity distance for the
OTP and then have a look at the unicity distance for your cypher.
They will be different, I guarantee it. It is the unicity distance
which gives the OTP its security properties. Your cypher does not
have those properties so it is a big mistake to compare it with the
OTP.

rossum
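rossum's unicity distance point, worked as an added Python illustration that is not code from anyone in the thread: Shannon's estimate U = H(K)/D, with H(K) the key entropy in bits and D the plaintext redundancy in bits per character, applied to a fixed key drawn from the 256! permutations JT mentions versus a one-time pad whose key grows with the message. The 26-letter alphabet and the usual textbook figure of about 3.2 bits/letter of redundancy for English are assumptions of the example.

```python
"""Unicity distance: ciphertext length beyond which only one key still fits.

Shannon's estimate is U = H(K) / D, where H(K) is the key entropy in bits and
D the redundancy of the plaintext language in bits per character.  This is a
constructed example; its only inputs are a key space and a textbook estimate
of English redundancy.
"""
import math

ALPHABET_BITS = math.log2(26)        # ~4.70 bits/letter if letters were uniform
ENGLISH_ENTROPY_BITS = 1.5           # usual estimate for real English text
ENGLISH_REDUNDANCY = ALPHABET_BITS - ENGLISH_ENTROPY_BITS   # D, ~3.2 bits/letter


def log2_factorial(n: int) -> float:
    """Entropy in bits of a key chosen uniformly among n! permutations."""
    return math.lgamma(n + 1) / math.log(2)


def unicity_distance(key_entropy_bits: float,
                     redundancy: float = ENGLISH_REDUNDANCY) -> float:
    """Characters of ciphertext after which the key is, in principle, determined."""
    if redundancy <= 0:
        return float("inf")          # no redundancy: the key is never pinned down
    return key_entropy_bits / redundancy


def key_determined(key_entropy_bits: float, ciphertext_chars: int,
                   redundancy: float = ENGLISH_REDUNDANCY) -> bool:
    return ciphertext_chars >= unicity_distance(key_entropy_bits, redundancy)


def otp_key_entropy(message_chars: int) -> float:
    """An OTP key is as long as the message: H(K) grows with every character."""
    return message_chars * ALPHABET_BITS


def fixed_key_vs_otp(message_chars: int, key_entropy_bits: float) -> dict:
    """Does a ciphertext of this length determine the key, for each design?"""
    return {
        "fixed_key_unicity_chars": unicity_distance(key_entropy_bits),
        "fixed_key_determined": key_determined(key_entropy_bits, message_chars),
        # OTP: U = n*log2(26)/D > n for every n, so no message ever reaches it.
        "otp_determined": key_determined(otp_key_entropy(message_chars),
                                         message_chars),
    }


if __name__ == "__main__":
    h = log2_factorial(256)          # the thread's 256! key space, ~1684 bits
    print(round(h), "bits of key;", round(unicity_distance(h)), "letters to unicity")
    print(fixed_key_vs_otp(600, h))
```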

JT

Sep 18, 2010, 5:09:18 AM
On 15 Sep, 11:55, "Joseph Ashwood" <ashw...@msn.com> wrote:
> I'm deliberately ignoring the keystream recovery version.
>
> "JT" <jonas.thornv...@hotmail.com> wrote in message

To be honest, Joe, I am not a programming or crypto guru, but I am fairly
smart. The first thing I would start with if I tried to break my
cipher would be to analyse how many possible combinations of (XOR)
A^B^D = D can produce a specific D.

That is an indication of how hard the cipher will be to break; if the
number of combinations is *bigger than the keysize*, that would mean
trouble.

A chosen plaintext attack on this cipher would just not make sense;
what I try to figure out here is the strength of the pseudo random
permutation stream, the CSPRNG. So we go directly at the CSPRNG, skip the
salt and so on, and just analyse our pseudorandom XOR stream.

So we check if there is any mathematical way to describe the relations
between the output of the CSPRNG blocks, and since this is not a PRF
but a PRP, there seems to be no single mathematical formula or function
that can describe the relation between the blocks. It is just a PRP
algorithm that does not express itself as a mathematical function.

So what is left is to look for weaknesses in the key setup, when the
permutation buffers are created from the key.

JT

Next thing would be to study

Joseph Ashwood

Sep 18, 2010, 9:39:29 AM
"JT" <jonas.t...@hotmail.com> wrote in message
news:3cff2629-abd4-4631...@g18g2000vbn.googlegroups.com...

> On 15 Sep, 11:55, "Joseph Ashwood" <ashw...@msn.com> wrote:

> The first thing I would start with if I tried to break my
> cipher would be to analyse how many possible combinations of (XOR)
> A^B^D = D can produce a specific D.

So the first thing you would do is ignore everything I said, and make the
worst possible mistake.

> That is an indication of how hard the cipher will be to break; if the
> number of combinations is *bigger than the keysize*, that would mean
> trouble.

It is trivial to prove that your approach will fail completely. If there is
more data available than length(key)/2 then you immediately determine that
there is trouble. The opposite is true, read up a bit on the unicity
distance, by the unicity distance you'll need slightly over length(key) data
to make it possible to attack the key.

> A chosen plaintext attack on this cipher would just not make sense,

So you didn't read anything I wrote. I'll explain it again more briefly this
time.

> what i try to figure out here is the strength of the pseudo random
> permutation stream the CSPRNG.

No, all you're doing is not understanding anything.

> So we go direct on the CSPRNG skip the
> salt

No, the salt is the critical point to the attack.

> and so on just analyse our pseudorandom XOR stream.

Wrong, you don't analyze the stream, you analyze the cipher.

> So we check if there is any mathematical way to describe the relations
> between the output of the CSPRNG blocks,

This is a trivial step, the way to describe the relationship is given by the
cipher, this is why the attack is on the cipher, not on the stream.

> and since this is not a PRF
> but a PRP.

That statement is absolutely and completely false. Every PRP is a PRF. As
usual you are ignoring everything I said, and ignoring every bit of reality.

> There seem to be no single mathematical formula or function
> that can describe the relation between the blocks.

Actually it is exactly describable, the simple fact that it has been
computed reveals that there is a formula.

> It is just an PRP
> algorithm that do not express itself as a mathematical function.

The only thing a computer does is math, so you have effectively claimed that
a computer can't do the encryption.

> So what is left is to look for weaknesses in the keysetup, when the
> permutation buffers is created from the key.

No, what is left is to do anything that might resemble cryptanalysis.

Now to explain again.

Every XOR combined stream cipher can be expressed as
Output[I] = Input[I]^F(Key, I)

I have deliberately avoided the terms ciphertext and plaintext because that
is part of your problem, you don't understand what the plaintext is. When
attacking F() THE PLAINTEXT IS I. Now since the attacker very often has the
ability to choose the beginning I there is the ability to mount a chosen
plaintext attack.

So, if you actually pay attention to what has been written, you will see
that every single statement you made is completely incorrect.
Joe
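The two mechanisms argued about above, rossum's (a known or chosen plaintext hands the attacker the keystream, and a linear congruential generator then hands over its whole state, forwards and backwards) and Joe's Output[I] = Input[I]^F(Key, I), as an added Python illustration that is not code from any poster. The LCG constants, the HMAC-SHA256 stand-in for a sound F, the seed, the key and the messages are all constructed for the example.

```python
"""Keystream recovery under a known plaintext, then what that keystream leaks.

Every XOR stream cipher is C[i] = P[i] ^ F(key, i).  A known plaintext at
position i therefore yields F(key, i) = C[i] ^ P[i] at once.  Whether the
recovered keystream also leaks the generator's state depends entirely on F.
Constructed example: both F's, the seed, the key and the messages are made up.
"""
import hashlib
import hmac
import struct

# --- weak F: a 32-bit LCG that emits its whole state as each keystream word.
LCG_A, LCG_C, MASK32 = 1664525, 1013904223, 0xFFFFFFFF


def lcg_keystream(seed: int, nwords: int) -> bytes:
    """The nwords 32-bit keystream words that follow the state `seed`."""
    out, x = bytearray(), seed & MASK32
    for _ in range(nwords):
        x = (LCG_A * x + LCG_C) & MASK32
        out += struct.pack("<I", x)
    return bytes(out)


def lcg_next_words(observed_word: bytes, nwords: int) -> bytes:
    """Run the generator forwards from ONE observed word: the word IS the state."""
    return lcg_keystream(struct.unpack("<I", observed_word)[0], nwords)


def lcg_previous_word(observed_word: bytes) -> bytes:
    """Run it backwards as well: LCG_A is odd, hence invertible modulo 2**32."""
    x = struct.unpack("<I", observed_word)[0]
    prev = ((x - LCG_C) * pow(LCG_A, -1, MASK32 + 1)) & MASK32
    return struct.pack("<I", prev)


# --- sound F: a PRF (HMAC-SHA256) applied to the block counter, Joe's F(Key, I).
BLOCK = 32


def prf_keystream(key: bytes, start: int, nblocks: int) -> bytes:
    return b"".join(
        hmac.new(key, struct.pack(">Q", i), hashlib.sha256).digest()
        for i in range(start, start + nblocks)
    )


def xor(a: bytes, b: bytes) -> bytes:
    """XOR truncated to the shorter input; encryption and decryption alike."""
    return bytes(x ^ y for x, y in zip(a, b))


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """rossum's first step: known (or chosen) plaintext -> keystream bytes."""
    return xor(ciphertext, known_plaintext)


def break_lcg_cipher(ciphertext: bytes, known_prefix: bytes) -> bytes:
    """Four known plaintext bytes -> one keystream word -> full state -> message."""
    if len(known_prefix) < 4:
        raise ValueError("need at least one complete 4-byte keystream word")
    first = recover_keystream(ciphertext[:4], known_prefix[:4])
    nwords = (len(ciphertext) + 3) // 4
    return xor(ciphertext, first + lcg_next_words(first, nwords - 1))


def recover_prf_blocks(ciphertext: bytes, known_plaintext: bytes) -> dict:
    """With a sound F the same step yields only F(key, i) for the known blocks;
    the attacker is then left facing the PRF itself, as rossum describes."""
    n = min(len(ciphertext), len(known_plaintext)) // BLOCK
    return {i: recover_keystream(ciphertext[i * BLOCK:(i + 1) * BLOCK],
                                 known_plaintext[i * BLOCK:(i + 1) * BLOCK])
            for i in range(n)}


if __name__ == "__main__":
    msg = b"ATTACK AT DAWN. Everything after the crib was meant to stay secret."
    ct = xor(lcg_keystream(0xDEADBEEF, (len(msg) + 3) // 4), msg)
    print(break_lcg_cipher(ct, b"ATTA"))        # whole message from a 4-byte crib
    key = b"constructed-example-key"
    ct2 = xor(prf_keystream(key, 0, 3), msg)
    blocks = recover_prf_blocks(ct2, msg[:BLOCK])  # one known block
    print(len(blocks), "keystream block(s) recovered, key still unknown")
```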

JT

Sep 18, 2010, 4:06:19 PM
On 18 Sep, 15:39, "Joseph Ashwood" <ashw...@msn.com> wrote:
> "JT" <jonas.thornv...@hotmail.com> wrote in message

>
> news:3cff2629-abd4-4631...@g18g2000vbn.googlegroups.com...
>
> > On 15 Sep, 11:55, "Joseph Ashwood" <ashw...@msn.com> wrote:
> > The first thing I would start with if I tried to break my
> > cipher would be to analyse how many possible combinations of (XOR)
> > A^B^D = D can produce a specific D.
>
> So the first thing you would do is ignore everything I said, and make the
> worst possible mistake.
>

That is not even an argument, just loosely connected words.

> > That is an indication of how hard the cipher will be to break; if the
> > number of combinations is *bigger than the keysize*, that would mean
> > trouble.
>
> It is trivial to prove that your approach will fail completely. If there is
> more data available than length(key)/2 then you immediately determine that
> there is trouble. The opposite is true, read up a bit on the unicity
> distance, by the unicity distance you'll need slightly over length(key) data
> to make it possible to attack the key.

You seem to have no clue; you do not have the key, you can brute force
it in 256! tries or less (depending on if you feel lucky). There is
more work to brute force the internal states 256!*256!*2^2048; you can
not make a mathematical correlation between the blocks.


> > A chosen plaintext attack on this cipher would just not make sense,
>
> So you didn't read anything I wrote. I'll explain it again more briefly this
> time.

I did, and it does not make a single bit of sense, just loose words
strung together.

>
> > what i try to figure out here is the strength of the pseudo random
> > permutation stream the CSPRNG.
>
> No, all you're doing is not understanding anything.

Oh I do, I understand that you have no idea.

> > So we go direct on the CSPRNG skip the
> > salt
>
> No, the salt is the critical point to the attack.

Well, I give you the CSPRNG without the salt and you cannot even attack
that; why should I need to use a salt to make your attack even more
out of reach?

> > and so on just analyse our pseudorandom XOR stream.
>
> Wrong, you don't analyze the stream, you analyze the cipher.

Well, I can do my cipher with or without a salt, and as I said I prefer
showing that you cannot even attack the CSPRNG; the salt takes you
even further away from an attack.

You can not attack it, you are just dreaming.

> > So we check if there is any mathematical way to describe the relations
> > between the output of the CSPRNG blocks,
>
> This is a trivial step, the way to describe the relationship is given by the
> cipher, this is why the attack is on the cipher, not on the stream.

No, there is no single mathematical function that can describe a
complex algorithm's behaviour.

> > and since this is not a PRF
> > but a PRP.
>
> That statement is absolutely and completely false. Every PRP is a PRF. As
> usual you are ignoring everything I said, and ignoring every bit of reality.

No, a PRP can be any number of PRFs if the PRF has a single mathematical
function as base.

> > There seem to be no single mathematical formula or function
> > that can describe the relation between the blocks.
>
> Actually it is exactly describable, the simple fact that it has been
> computed reveals that there is a formula.

No, that would be an algorithm, my friend; you should learn a bit of math.
There are problems that can not be broken with standard mathematical
formulas or functions; you have to use a recursive algorithm.

> > It is just an PRP
> > algorithm that do not express itself as a mathematical function.
>
> The only thing a computer does is math, so you have effectively claimed that
> a computer can't do the encryption.

Well, a PRP is not a mathematical formula and can not be expressed as
one; it is an algorithm.

> > So what is left is to look for weaknesses in the keysetup, when the
> > permutation buffers is created from the key.
>
> No, what is left is to do anything that might resemble cryptanalysis.

Well, you have not even started, just thrown a lot of loose words in the
air. I feel a small breeze; oh, what a shame, your arguments are void.
Did you ever have any?


> Now to explain again.
>
> Every XOR combined stream cipher can be expressed as
> Output[I] = Input[I]^F(Key, I)
>
> I have deliberately avoided the terms ciphertext and plaintext because that
> is part of your problem, you don't understand what the plaintext is. When
> attacking F() THE PLAINTEXT IS I. Now since the attacker very often has the
> ability to choose the beginning I there is the ability to mount a chosen
> plaintext attack.

There is clearly something wrong with your logic; you can *NEVER*
recover the plaintext without the CSPRNG material.
I do not need to say any more to show how far away from an attack you
are; this cipher only uses XOR.

It is your inability to create my CSPRNG stream that makes it
impossible for you to break; I give you mashed potato, you have to
find small potato.

You either find the key or the internal states; the rest is just dreaming on
your part.

> So, if you actually pay attention to what has been written, you will see
> that every single statement you made is completely incorrect.
>                     Joe

Yes, you are, Joe, but that is not the point; the point is your
inability to deal with reality. Instead you dream up attacks, similar
to attacking an OTP with a known plaintext attack.

Good luck!!!

JT

Joseph Ashwood

Sep 19, 2010, 3:06:42 AM
"JT" <jonas.t...@hotmail.com> wrote in message
news:7e7006da-d5b8-4b6f...@c13g2000vbr.googlegroups.com...

> On 18 Sep, 15:39, "Joseph Ashwood" <ashw...@msn.com> wrote:
>> So the first thing you would do is ignore everything I said, and make the
>> worst possible mistake.
>>
>
> That is not even an argument, just loosely connected words.

I won't even bother responding beyond the clear inability to understand your
own problems. You have a very demonstrated lack of understanding about terms
as simple as PRP and PRF, you have a demonstrated inability to understand
cryptanalysis, you have a demonstrated inability to understand even fairly
basic English. It's not worth any further effort.

You asked a question, you got the correct answer, you ignored the answer and
blathered on about whatever delusion you have.
Joe

rossum

Sep 19, 2010, 7:58:51 AM
On Sat, 18 Sep 2010 13:06:19 -0700 (PDT), JT
<jonas.t...@hotmail.com> wrote:

>There is clearly something wrong with your logic, you can *NEVER*
>recover the plaintext without the CSPRNG material.

This is cryptography. If a cryptosystem cannot resist a known
plaintext attack then it is useless.

For example, the Freedonian government uses its diplomatic cypher to
send a long encyphered message to its Ambassador in Ruritania. The
Ruritanian security service intercepts the cyphertext. The next day
the Freedonian Ambassador reads out a long statement declaring war.
The Ruritanians now have both the intercepted cyphertext and the known
plaintext. If the Freedonian cypher cannot withstand the resulting
attack then that cypher is useless.

You might also want to research the cryptographic history surrounding
the statement made by the Japanese Ambassador to Washington on the day
of Pearl Harbour.

It seems to me that you know less about this subject than you think you do.

rossum

JT

Sep 19, 2010, 8:18:31 AM
On 19 Sep, 13:58, rossum <rossu...@coldmail.com> wrote:
> On Sat, 18 Sep 2010 13:06:19 -0700 (PDT), JT
>

Well, everyone should forever remember that rossum said OTP to be
useless; they do not resist a known plaintext attack.

JT

Kristian Gjøsteen

Sep 19, 2010, 8:33:55 AM
JT <jonas.t...@hotmail.com> wrote:
>Well everyone should forever remember that rossum said OTP to be
>useless, they do not resist a known plaintext attack.

You're back? Unfortunately, you are still talking nonsense. Obviously,
the one-time pad resists a known plaintext attack. A stream cipher
may not.

If you try to understand rossum's example, you'll find that it is helpful.

--
kg

JT

Sep 19, 2010, 12:05:38 PM9/19/10
On 19 Sep, 14:33, Kristian Gjøsteen <kristiag+n...@math.ntnu.no>
wrote:

You are just confused. An OTP uses an XOR on a plaintext; if you choose
the plaintext you have the OTP stream.

Bye

Phoenix

Sep 19, 2010, 1:22:05 PM9/19/10

"The known-plaintext attack (KPA) or crib is an attack model for
cryptanalysis where the attacker has samples of both the plaintext and
its encrypted version (ciphertext), and is at liberty to make use of
them to reveal further secret information such as secret keys and code
books. The term "crib" originated at Bletchley Park, the British World
War II decryption operation" from http://en.wikipedia.org/wiki/Known-plaintext_attack


"In cryptography, the one-time pad (OTP) is a type of encryption,
which has been proven to be impossible to crack if used correctly.
Each bit or character from the plaintext is encrypted by a modular
addition with a bit or character from a secret random key (or pad) of
the same length as the plaintext, resulting in a ciphertext. If the
key is truly random, as large as or greater than the plaintext, never
reused in whole or part, and kept secret, the ciphertext will be
impossible to decrypt or break without knowing the key. It has also
been proven that any cipher with the perfect secrecy property must use
keys with effectively the same requirements as OTP keys.[1] However,
practical problems have prevented one-time pads from being widely
used." http://en.wikipedia.org/wiki/One-time_pad

If the cipher is created by an OTP, explain to me: how can you extract
the whole OTP stream from the rest of the plain text, assuming that you
only know or guess part or parts of the plain text?


JT

Sep 19, 2010, 4:06:07 PM9/19/10
On 19 Sep, 19:22, Phoenix <ribeiroa...@gmail.com> wrote:
> On 19 Set, 16:05, JT <jonas.thornv...@hotmail.com> wrote:
>
> > On 19 Sep, 14:33, Kristian Gjøsteen <kristiag+n...@math.ntnu.no>
> > wrote:
> > You are just confused a OTP uses a XOR on a plaintext, if you chose
> > the plaintext you have the OTP stream.
>
> "The known-plaintext attack (KPA) or crib is an attack model for
> cryptanalysis where the attacker has samples of both the plaintext and
> its encrypted version (ciphertext), and is at liberty to make use of
> them to reveal further secret information such as secret keys and code
> books. The term "crib" originated at Bletchley Park, the British World
> War II decryption operation" from http://en.wikipedia.org/wiki/Known-plaintext_attack

Yes, and I told you that you can have as many GB as you like of the
CSPRNG stream.
It will be no help; same for an OTP: if you have an OTP stream of 10GB
and get the first 5 GB you are not helped.

You suggest having the text to be encrypted by an OTP and the cipher
stream from the same encrypted text, to show you can reverse the
XOR to get the OTP numbers used to XOR the plaintext.

You are basically the laughingstock of sci.crypt; you are just weird. Is it
funny? I do not know, maybe tragic.

> "In cryptography, the one-time pad (OTP) is a type of encryption,
> which has been proven to be impossible to crack if used correctly.
> Each bit or character from the plaintext is encrypted by a modular
> addition with a bit or character from a secret random key (or pad) of
> the same length as the plaintext, resulting in a ciphertext. If the
> key is truly random, as large as or greater than the plaintext, never
> reused in whole or part, and kept secret, the ciphertext will be
> impossible to decrypt or break without knowing the key. It has also
> been proven that any cipher with the perfect secrecy property must use
> keys with effectively the same requirements as OTP keys.[1] However,
> practical problems have prevented one-time pads from being widely
> used." http://en.wikipedia.org/wiki/One-time_pad

You are nowhere near serious; I can give you a 64GB stream from the
CSPRNG and you can still not calculate the next output bit, next output byte
or next output block. And you can not calculate the previous output
bit, byte or block.

You basically just tell me I can reverse an XOR if you give me the
plaintext and the ciphertext........... tragic.....

> If the cipher is created by a OTP, explain to me, how can you extract
> the whole OTP stream from the rest of palin text, assuming that you
> only know or guess part or parts of the plain text ?

You are tragic, read the first post in the thread...

JT

rossum

Sep 19, 2010, 5:46:59 PM9/19/10
On Sun, 19 Sep 2010 05:18:31 -0700 (PDT), JT
<jonas.t...@hotmail.com> wrote:

>Well everyone should forever remember that rossum said OTP to be
>useless, they do not resist a known plaintext attack.
>
>JT

Your ignorance is showing. The OTP can always resist a known
plaintext attack. Stream cyphers may not be able to resist. It is
the ability to resist that helps us separate the secure stream cyphers
from the insecure stream cyphers.

You didn't bother to calculate unicity distances for the OTP and for
your cypher did you? Had you done so you would not make such obvious
errors.

rossum

JT

Sep 21, 2010, 4:49:42 AM9/21/10
On 19 Sep, 23:46, rossum <rossu...@coldmail.com> wrote:
> On Sun, 19 Sep 2010 05:18:31 -0700 (PDT), JT
>
> <jonas.thornv...@hotmail.com> wrote:
> >Well everyone should forever remember that rossum said OTP to be
> >useless, they do not resist a known plaintext attack.
>
> >JT
>
> Your ignorance is showing.  The OTP can always resist a known
> plaintext attack.

You are not even ignorant, you are just plain lying: if you have the
plaintext of an OTP you can just XOR to reveal the XOR
stream (material).


JT

rossum

Sep 21, 2010, 7:44:54 AM9/21/10
On Tue, 21 Sep 2010 01:49:42 -0700 (PDT), JT
<jonas.t...@hotmail.com> wrote:

>> Your ignorance is showing.  The OTP can always resist a known
>> plaintext attack.
>
>You are not even ignorant you are just plain lying, if you have the
>plaintext of an OTP you can just XOR to reveal the XOR
>stream(material).
>
>
>JT

It can only reveal *part* of the keystream. With the OTP I will have
no idea what the previous keystream was nor what the future keystream
will be. With a stream cypher that may not be the case. A weak
stream cypher will allow me to construct some or all of the forward or
reverse keystream beyond what I have the plaintext for.

It is you who do not understand what a known plaintext attack is.

Think back to my example of the long statement by the Ambassador.
That text is already known. The important thing is the security of
future (or past) messages sent in the same cypher. It is against them
that the attack is directed.

rossum
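
The distinction rossum draws above is easy to make concrete. The following is an added example written for this page, not code from rossum, JT or anyone else in the thread: a deliberately weak toy stream cipher whose keystream is the raw state of a 32-bit linear congruential generator (constructed here; the constants, the `ToyStreamCipher`/`OneTimePad` classes and the three sample messages are all assumptions for illustration). Known plaintext for one public message recovers one generator state, and because the state transition is invertible the attacker can decrypt both an earlier and a later message encrypted under the same key. The same XOR against a one-time pad returns exactly the pad bytes that covered the known message and nothing usable about the rest of the pad.

```python
# Added example (not code from the thread): known-plaintext attack against a
# constructed, deliberately weak stream cipher, contrasted with a one-time pad.
from __future__ import annotations
import secrets

# 32-bit LCG (Numerical Recipes constants). The multiplier is odd, so a step is
# invertible mod 2**32: once one state is known the keystream runs both ways.
LCG_A, LCG_C, LCG_M = 1664525, 1013904223, 2 ** 32
LCG_A_INV = pow(LCG_A, -1, LCG_M)

def lcg_step(state: int) -> int:
    return (LCG_A * state + LCG_C) % LCG_M

def lcg_step_back(state: int) -> int:
    return ((state - LCG_C) * LCG_A_INV) % LCG_M

def blocks(nbytes: int) -> int:
    """4-byte keystream blocks needed to cover nbytes."""
    return -(-nbytes // 4)

def lcg_keystream(state: int, nblocks: int) -> tuple[bytes, int]:
    """Emit nblocks full states (the weakness) and return the final state."""
    out = bytearray()
    for _ in range(nblocks):
        state = lcg_step(state)
        out += state.to_bytes(4, "big")
    return bytes(out), state

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class ToyStreamCipher:
    """32-bit key; keystream position is carried across messages (constructed)."""
    def __init__(self, key: int):
        self.state = key % LCG_M
    def encrypt(self, msg: bytes) -> bytes:  # decryption is the same operation
        ks, self.state = lcg_keystream(self.state, blocks(len(msg)))
        return xor_bytes(msg, ks)

class OneTimePad:
    """Independent pad bytes, each used exactly once."""
    def __init__(self, pad: bytes):
        self.pad, self.pos = pad, 0
    def encrypt(self, msg: bytes) -> bytes:
        seg = self.pad[self.pos:self.pos + len(msg)]
        if len(seg) != len(msg):
            raise ValueError("pad exhausted: never reuse pad material")
        self.pos += len(msg)
        return xor_bytes(msg, seg)

def attack_stream_cipher(known_pt1: bytes, ct1: bytes, ct0: bytes, ct2: bytes):
    """Four known plaintext bytes of message 1 give one full LCG state; roll it
    forward to decrypt message 2 and back to decrypt message 0, for neither of
    which the attacker holds any plaintext."""
    s = int.from_bytes(xor_bytes(ct1[:4], known_pt1[:4]), "big")
    n0, n1, n2 = blocks(len(ct0)), blocks(len(ct1)), blocks(len(ct2))
    s_end1 = s
    for _ in range(n1 - 1):            # state at the end of message 1
        s_end1 = lcg_step(s_end1)
    ks2, _ = lcg_keystream(s_end1, n2)
    s_start0 = s
    for _ in range(n0 + 1):            # state from before message 0 began
        s_start0 = lcg_step_back(s_start0)
    ks0, _ = lcg_keystream(s_start0, n0)
    return xor_bytes(ct0, ks0), xor_bytes(ct2, ks2)

def attack_otp(known_pt1: bytes, ct1: bytes) -> bytes:
    """Against an OTP the same XOR yields only the pad bytes that covered
    message 1; the remaining pad bytes are independent of them."""
    return xor_bytes(ct1, known_pt1)

# Constructed sample traffic, modelled on the Freedonia/Ruritania story above.
MSG0 = b"earlier secret dispatch: negotiations are failing"
MSG1 = b"We hereby declare war. (statement read out in public)"
MSG2 = b"future secret orders: withdraw embassy staff tonight"

def demo(key: int | None = None) -> dict:
    key = secrets.randbelow(LCG_M) if key is None else key
    sc = ToyStreamCipher(key)
    ct0, ct1, ct2 = sc.encrypt(MSG0), sc.encrypt(MSG1), sc.encrypt(MSG2)
    pt0, pt2 = attack_stream_cipher(MSG1, ct1, ct0, ct2)
    pad = secrets.token_bytes(len(MSG0) + len(MSG1) + len(MSG2))
    otp = OneTimePad(pad)
    otp.encrypt(MSG0)
    seg = attack_otp(MSG1, otp.encrypt(MSG1))
    return {
        "stream_msg0_recovered": pt0 == MSG0,
        "stream_msg2_recovered": pt2 == MSG2,
        "otp_segment_is_pad": seg == pad[len(MSG0):len(MSG0) + len(MSG1)],
        "otp_bytes_learned": len(seg),   # len(MSG1): nothing about the rest
    }

if __name__ == "__main__":
    print(demo())
```

The toy cipher leaks its whole state in every block, which is what makes the extension forward and backward trivial; a real stream cipher fails more gradually, but the attack model is the same: known plaintext is valuable exactly to the extent that recovered keystream lets the attacker say something about keystream they have not seen. For the OTP, `attack_otp` returns as many bytes as the known message and no more, which is the unicity-distance point rossum makes in the next post.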

Tom St Denis

Sep 21, 2010, 8:08:22 AM9/21/10
Stop replying to JT already, seriously. The guy is trolling USENET
[which in and of itself is sad enough, JT - go outside, enjoy life,
seriously!] and is not looking for an actual discussion.

Tom

JT

Sep 21, 2010, 9:39:15 AM9/21/10
On 21 Sep, 13:44, rossum <rossu...@coldmail.com> wrote:
> On Tue, 21 Sep 2010 01:49:42 -0700 (PDT), JT
>
> <jonas.thornv...@hotmail.com> wrote:
> >> Your ignorance is showing.  The OTP can always resist a known
> >> plaintext attack.
>
> >You are not even ignorant you are just plain lying, if you have the
> >plaintext of an OTP you can just XOR to reveal the XOR
> >stream(material).
>
> >JT
>
> It can only reveal *part* of the keystream.  With the OTP I will have
> no idea what the previous keystream was nor what the future keystream
> will be.  With a stream cypher that may not be the case.  A weak
> stream cypher will allow me to construct some or all of the forward or
> reverse keystream beyond what I have the plaintext for.

What previous keystream? You are confused: every bit in an OTP is
unrelated to the bit before or the next bit; you use a chaotic process to create
every single bit, you do not create any before or after block. You are
dreaming or talking about a PRF.

So OTP material is only something that you preshare in a codebook or
database with the one you want to share communication with.

However my composed PRP functions forming my CSPRNG share one thing
with both chaotic processes and the OTP: just as you say above, you can not
find the previous or next (bit, byte, block); that is why I call it a
pseudo OTP or PRP cipher.

You can not reveal the internal streams to create the next or previous
bits, bytes, blocks with my cipher.

JT

rossum

Sep 21, 2010, 12:01:59 PM9/21/10
On Tue, 21 Sep 2010 06:39:15 -0700 (PDT), JT
<jonas.t...@hotmail.com> wrote:

>On 21 Sep, 13:44, rossum <rossu...@coldmail.com> wrote:
>> On Tue, 21 Sep 2010 01:49:42 -0700 (PDT), JT
>>
>> <jonas.thornv...@hotmail.com> wrote:
>> >> Your ignorance is showing.  The OTP can always resist a known
>> >> plaintext attack.
>>
>> >You are not even ignorant you are just plain lying, if you have the
>> >plaintext of an OTP you can just XOR to reveal the XOR
>> >stream(material).
>>
>> >JT
>>
>> It can only reveal *part* of the keystream.  With the OTP I will have
>> no idea what the previous keystream was nor what the future keystream
>> will be.  With a stream cypher that may not be the case.  A weak
>> stream cypher will allow me to construct some or all of the forward or
>> reverse keystream beyond what I have the plaintext for.
>
>What previous keystream? You are confused: every bit in an OTP is
>unrelated to the bit before or the next bit

Correct, that is how the OTP works.

>you use a chaotic process to create
>every single bit, you do not create any before or after block, you are
>dreaming or talking about PRF.

You have no idea how the OTP works. I suggest that you look up why
the word "Pad" is in there.


>
>So OTP material is only something that you preshare in a codebook or
>database with the one you want to share communication with.
>
>However my composed PRP functions forming my CSPRNG share one thing
>with both chaotic process and OTP just as you say above you can not
>find previous or next (bit, byte, block) that is why i call it a
>pseudo OTP or PRP cipher.

There is no such thing as a pseudo-OTP. It is either an OTP or it is
not. Your cypher is not. The OTP has no internal state and a key as
long as the keystream. Your cypher has an internal state and a key
shorter than the keystream. You really need to go away and study
unicity distance.

>
>You can not reveal the internal streams to create the next or previous
>bits, bytes, blocks with my cipher.

That remains to be seen.

rossum
