From: Mok-Kong Shen on 29 Apr 2010 13:02

Maaartin wrote:
[snip]
> What is the prize for the challenge?

I personally hitherto "hate" that money be involved in scientific discussions on principle grounds. But I think making one such exception in my life doesn't amount to a very big sin or an immoral gamble. So I'll make the following "concrete" offer to you, Mr. Maaartin (and to you personally "only", since it is you who first raised such an issue).

The PRNGs will be of the type I mentioned in a reply to you, namely second order polynomial congruential generators having full period mod 2^32. The coefficients and seeds involved I'll randomly determine, once you accept the offer. The first PRNG will generate a 2*2 Hill matrix using L*R as I stated in the original post and the second PRNG will generate a plaintext vector consisting of 2 elements to result in a ciphertext vector.

Now, if you (without foreign aid) succeed in determining the PRNG that generates the Hill matrix from the pair of plaintext and ciphertext vectors, I'll give you one time 50% of a month's income of mine. If you fail to do that within 6 months, you give me one time 5% (not 50%) of a month's income of yours. Is that fair enough for you?

M. K. Shen

P.S. I apologize to the general readers for the "irrelevant" stuff above.
From: Mok-Kong Shen on 29 Apr 2010 13:13

Maaartin wrote:
> Mok-Kong Shen wrote:
>> I assume that you are certainly acquainted with the issue of solution
>> of systems of linear equations in the special case of the determinant
>> being zero. In that case the system is indeterminate, because it doesn't
>> have a unique solution but instead a large number of eligible solutions.
>
> Yes, it's quite improbable (see below), but it may happen.
> Nonetheless, if you want any security, you can't count on this.
> There are 2 possibilities:
> - Either collecting more data helps, i.e., gives enough independent
>   equations to find a unique result
> - Or it doesn't, but then I take any solution, since all lead to the
>   same ciphertext
>
> If you don't trust me, just try it out.

Mmm, do you trust AES? If you try all the possible keys, you'll certainly hit on the right key corresponding to the pair of plaintext and ciphertext you have at hand, don't you? (So that's also "quite improbable but may happen".)

M. K. Shen
From: Scott Fluhrer on 29 Apr 2010 13:34

"Mok-Kong Shen" <mok-kong.shen(a)t-online.de> wrote in message news:hrca2l$svs$00$1(a)news.t-online.com...
> Scott Fluhrer wrote:
> [snip]
>> In other words, you're claiming that it is secure unless someone else
>> demonstrates that it is not? Sorry, but that's not how the game is
>> played.
>
> Note what I wrote in my original post:
>
> I should be grateful to learn concrete hints of techniques of attack,
> if any.
>
> So, if nobody either (1) can or (2) will give hints, then why all the
> winds that had since been generated??

Actually, Bryan did give hints; you've been ignoring them.

--
poncho
From: Mok-Kong Shen on 29 Apr 2010 13:42

Scott Fluhrer wrote:
> "Mok-Kong Shen"<mok-kong.shen(a)t-online.de> wrote:
>> Scott Fluhrer wrote:
>> [snip]
>>> In other words, you're claiming that it is secure unless someone else
>>> demonstrates that it is not? Sorry, but that's not how the game is
>>> played.
>>
>> Note what I wrote in my original post:
>>
>> I should be grateful to learn concrete hints of techniques of attack,
>> if any.
>>
>> So, if nobody either (1) can or (2) will give hints, then why all the
>> winds that had since been generated??
>
> Actually, Bryan did give hints; you've been ignoring them.

Could you elaborate that through quotes? Anyway, I don't see anything that is concrete enough for guiding any practical work at all. (Of course, non-concrete stuff is trivial to provide. For crypto in general, one could always say "do some statistical analysis" etc. etc. etc.)

M. K. Shen
From: Maaartin on 29 Apr 2010 14:04

On Apr 29, 7:02 pm, Mok-Kong Shen <mok-kong.s...(a)t-online.de> wrote:
> the second PRNG will generate a plaintext vector consisting of 2 elements

> I personally hitherto "hate" that money be involved
> in scientific discussions on principle grounds.

I agree, but time is money. DJB does it, and it shows his trust in his design and motivates the people to analyze it: http://cubehash.cr.yp.to/prizes.html

There seems to be a misunderstanding here. If trying to break a cipher, you always need quite a lot of plaintext and/or ciphertext. For any contemporary cipher worth its name, one assumes an unlimited amount of plaintext-ciphertext pairs, which may or may not be chosen by the attacker (CPA = chosen plaintext attack, CCA = chosen ciphertext attack, CPA2 = adaptively chosen plaintext attack, etc.). You can't assume anybody to be able to crack anything when the output is shorter than the inner state. You can't assume anybody to use a cipher which is secure only in such a scenario, since she could use OTP instead.

I'll answer to your offer after we have resolved all unclear points. Can you write python programs? Can you read them? Can you run them? We need to define it all precisely and a program is the most unambiguous way. Instead of python we could use a different language, but since about two days ago I consider python to be ideal for this.

On Apr 29, 7:13 pm, Mok-Kong Shen <mok-kong.s...(a)t-online.de> wrote:
> Mmm, do you trust AES? If you try all the possible keys,
> you'll certainly hit on the right key corresponding
> to the pair of plaintext and ciphertext you have at hand,
> don't you? (So that's also "quite improbable but may happen".)

It's not improbable, it's impossible. My computer can easily try some billions of keys, but a billion is a laughable number as compared to 2**128 or 2**256. So I'm sure the premise is wrong, so the conclusion doesn't matter at all.

Or did you mean that when I start the bruteforcing, that I may still be alive by the time it finds the key? That's really quite improbable, something like 2**-80 or 2**-208. Note that here the probability of attack *success* is negligible, while in the place I wrote about it, the probability of attack *failure* was low.
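The linear-equation point argued above (Mok-Kong Shen's remark about a zero determinant making the system indeterminate, and Maaartin's "either more data gives a unique result, or I take any solution") worked through as an added Python example; this is not code from the thread or from either poster. It assumes a 2x2 Hill cipher acting on column vectors mod 2^32 with key K = (a, b, c, d), plaintext vectors formed from two consecutive outputs of a quadratic congruential generator with constructed coefficients (2, 3, 1) and seed 5, and a constructed key (3, 7, 2, 9). The L*R construction of the Hill matrix from the original post is not reproduced, because the known-plaintext solve does not depend on how K was produced.

```python
# Added example (not from the thread): 2x2 Hill cipher mod 2^32, plaintext
# vectors from a second-order polynomial congruential generator, and the
# known-plaintext linear solve for the key. Generator coefficients, seed
# and key are constructed for this example.

MOD = 2 ** 32
HALF = MOD // 2  # 2^31: times any even residue it is 0 mod 2^32


def hill_encrypt(key, p):
    """Ciphertext vector = K * p (mod 2^32) for key K = (a, b, c, d)."""
    a, b, c, d = key
    return ((a * p[0] + b * p[1]) % MOD, (c * p[0] + d * p[1]) % MOD)


def qcg(seed, a=2, b=3, c=1):
    """Quadratic congruential generator x <- a*x^2 + b*x + c (mod 2^32).
    Constructed coefficients; f(0) = 1 and f(1) = 6, so the low bit
    alternates at every step (mod 2 the next value depends only on the
    previous low bit)."""
    x = seed
    while True:
        x = (a * x * x + b * x + c) % MOD
        yield x


def prng_pairs(key, seed, n):
    """n known (plaintext, ciphertext) pairs; each plaintext vector is two
    consecutive generator outputs, as in the challenge described above."""
    g = qcg(seed)
    pairs = []
    for _ in range(n):
        p = (next(g), next(g))
        pairs.append((p, hill_encrypt(key, p)))
    return pairs


def plaintext_det(p1, p2):
    """Determinant of the matrix P whose columns are the two plaintexts."""
    return (p1[0] * p2[1] - p1[1] * p2[0]) % MOD


def recover_key(pairs):
    """Solve C = K * P for K from two pairs whose plaintext matrix P is
    invertible mod 2^32, i.e. has odd determinant. Returns None when no
    two plaintexts among the given data give an invertible P."""
    for i in range(len(pairs)):
        for j in range(i + 1, len(pairs)):
            (p1, c1), (p2, c2) = pairs[i], pairs[j]
            det = plaintext_det(p1, p2)
            if det % 2 == 0:
                continue
            inv = pow(det, -1, MOD)
            # K = C * adj(P) * det^-1, adj(P) = [[p2y, -p2x], [-p1y, p1x]]
            a = (c1[0] * p2[1] - c2[0] * p1[1]) * inv % MOD
            b = (c2[0] * p1[0] - c1[0] * p2[0]) * inv % MOD
            c = (c1[1] * p2[1] - c2[1] * p1[1]) * inv % MOD
            d = (c2[1] * p1[0] - c1[1] * p2[0]) * inv % MOD
            return (a, b, c, d)
    return None


def alternative_key(key, p1, p2):
    """When det(P) is even the system is indeterminate: return a second key
    that encrypts p1 and p2 exactly like `key`; None when det(P) is odd
    and the key is therefore unique."""
    if plaintext_det(p1, p2) % 2:
        return None
    # 2^31 * adj(P) * P = 2^31 * det(P) * I = 0 (mod 2^32) for even det
    adj = (p2[1], -p2[0], -p1[1], p1[0])
    delta = tuple((HALF * e) % MOD for e in adj)
    if not any(delta):  # every plaintext entry even: 2^31 * I works too
        delta = (HALF, 0, 0, HALF)
    return tuple((k + e) % MOD for k, e in zip(key, delta))


KEY = (3, 7, 2, 9)  # constructed key; det = 13 is odd, so K is invertible

if __name__ == "__main__":
    # Hand-picked plaintexts with odd determinant: unique recovery.
    pairs = [(p, hill_encrypt(KEY, p)) for p in ((1, 2), (3, 5))]
    print("odd det ->", recover_key(pairs))  # (3, 7, 2, 9)
    # Generator plaintexts: the low bit alternates, so every vector is
    # (even, odd) and every plaintext determinant is even.
    pairs = prng_pairs(KEY, 5, 4)
    print("qcg det ->", recover_key(pairs))  # None
    alt = alternative_key(KEY, pairs[0][0], pairs[1][0])
    print("alt key ->", alt, all(hill_encrypt(alt, p) == c for p, c in pairs))
```

The second run is the determinant-zero case made concrete: because the generator's low bit alternates, two consecutive outputs always form an (even, odd) vector, so any two such plaintexts give an even determinant and the 2x2 system never has a unique solution mod 2^32; the same holds for any full-period generator mod 2^32, since a full-period sequence must take both parities and the low bit depends only on the previous low bit. `alternative_key` shows what "take any solution" means here: adding 2^31 times adj(P) to K changes the key but not the ciphertexts of the known plaintexts, so the data cannot distinguish the two keys.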