Unicity distance does have one advantage over modern indistinguishability
arguments; it gives concrete lower bounds on security (in contrast, we know
how to show things are distinguishable from random, but we still have no
proof of indistinguishability).

On the other hand, unicity distance does have some problem. Here some of
them from a modern cryptographical perspective:

- Unicity distance is mostly controlled by two things, key size (which is
reasonable) and the distribution of possible plaintexts. In modern
cryptography, we don't get to pick the plaintexts, that's chosen by someone
outside the security area for noncryptographical reasons, and so we as a
rule do not make any security assumptions based on what the plaintext looks
like. And, if we worse-case the plaintext distribution (say, there is only
one possiblity, aka "known plaintext"), then for most ciphers, the unicity
distance is pretty close to the key size (and you really don't want to use
the ciphers for which this isn't the case).

- It is extremely pesimistic, even if we don't worse-case the plaintext
distribution. In most realistic scenarios (with plaintexts and plaintext
sizes that are not under the cryptographer's control), it generally requires
unrealistically huge keys to make sure that the unicity distance is actually
bigger than the ciphertext.

- From a theoretical standpoint (and why do we go with
informational-theoretical models unless we're willing to talk theoretical),
it can be insufficient. Unicity distance allows ciphers to leak significant
amount of information about the plaintext, as long as the information leaked
is not sufficient to reduce the number of possible plaintexts to one. To
take an extreme (and somewhat silly) example, consider a modified OTP where
the first 8 octets of every 64 is replaced by zeros. If we use that to
encode an English ASCII message, that allows the attacker to see 8 out of
every 64 characters. Since there are lots of ways to fill in the remaining
56 with plausible text, this modified OTP still has infinite unicity
distance (for the possible plaintexts of English ASCII messages), but would
obviously be totally unacceptable from a security standpoint.

--
poncho

Many have questioned whether cryptological strength can be adequately
described. Perhaps some unknown method may be found to break a system
therefore rendering it useless for serious purposes. And, different
qualifiers have been advanced to champion a chosen algorithm. Well,
there are only just a couple of considerations that do actually
matter, can the whole functional key(s) be derived using chosen text,
and how much information is necessary to verify that the true
plaintext has been recovered.

SSS# = log base 27 of the approximate amount information of required.
The formula would be valid for any information units with the needed
mathematical conversion.

As 27 is very close to 26, number of common text letters, it is easy
to see level 1 is 27 letters, level 2 is 721 letters, level 3 is 19783
letters, and level 4 is 534441 level 5.

In bits, it would be 128 bits for level 1, 3.5K bits for level 2, 92.6
K bits for level 3, and 2.5M bits for level 4.

Shocked? You should be.

Many have questioned whether cryptological strength can be adequately
described. Perhaps some unknown method may be found to break a system
therefore rendering it useless for serious purposes. And, different
qualifiers have been advanced to champion a chosen algorithm. Well,
there are only just a couple of considerations that do actually
matter, can the whole functional key(s) be derived using chosen text,
and how much information is necessary to verify that the true
plaintext has been recovered.

While the otp is the best in one category and the worst in the other,
see that it as functionally defective, a one-sheet paper plane in a
fleet of many birds. Perhaps no other algorithm is so extreme as the
otp so as the exception it proves the rule...that other algorithms are
a better choice for almost every reason.

Dealing with scaled strength in an intelligent manner is what this
posting is about, even that categories of strength can and should be
mathematically defined and therefore different algorithms and keys
compared as to their ratings.

Remember, one equalizer with the scale is that computer power is not a
factor to be taken seriously. If something is beyond solution on
information grounds alone, that is just the way it is. Yes, those
really good at dealing with marginal data again do prove the point
that given the data, they have enough. Practice at solving is built
on testing ones abilities to find the patterns that are there but
wrong results while being seemingly understandable still means that
the data was insufficient.

"WTShaw" <lurens1 at (no spam) gmail.com> wrote in message
news:96753b1d-08d4-4ba8-a77e-8cbd419ac817 at (no spam) k30g2000hse.googlegroups.com...
Many have questioned whether cryptological strength can be adequately
described. Perhaps some unknown method may be found to break a system
therefore rendering it useless for serious purposes. And, different
qualifiers have been advanced to champion a chosen algorithm. Well,
there are only just a couple of considerations that do actually
matter, can the whole functional key(s) be derived using chosen text,
and how much information is necessary to verify that the true
plaintext has been recovered.

While the otp is the best in one category and the worst in the other,
see that it as functionally defective, a one-sheet paper plane in a
fleet of many birds. Perhaps no other algorithm is so extreme as the
otp so as the exception it proves the rule...that other algorithms are
a better choice for almost every reason.

Dealing with scaled strength in an intelligent manner is what this
posting is about, even that categories of strength can and should be
mathematically defined and therefore different algorithms and keys
compared as to their ratings.

Remember, one equalizer with the scale is that computer power is not a
factor to be taken seriously. If something is beyond solution on
information grounds alone, that is just the way it is. Yes, those
really good at dealing with marginal data again do prove the point
that given the data, they have enough. Practice at solving is built
on testing ones abilities to find the patterns that are there but
wrong results while being seemingly understandable still means that
the data was insufficient.

It appears from the above exposition that you are attempting to reinvent
the idea of "unicity distance" (but, as Joseph Ashwood mentioned, you may
have gotten some of the details a bit off, especially with your
logarithmic scale).

Unicity distance does have one advantage over modern indistinguishability
arguments; it gives concrete lower bounds on security (in contrast, we
know how to show things are distinguishable from random, but we still have
no proof of indistinguishability).

On the other hand, unicity distance does have some problem. Here some of
them from a modern cryptographical perspective:

- Unicity distance is mostly controlled by two things, key size (which is
reasonable) and the distribution of possible plaintexts. In modern
cryptography, we don't get to pick the plaintexts, that's chosen by
someone outside the security area for noncryptographical reasons, and so
we as a rule do not make any security assumptions based on what the
plaintext looks like. And, if we worse-case the plaintext distribution
(say, there is only one possiblity, aka "known plaintext"), then for most
ciphers, the unicity distance is pretty close to the key size (and you
really don't want to use the ciphers for which this isn't the case).

I disagre. Take fore example an attack not on a block cipher itself, but on
its selection of permutation. If the permutation can be identified, this
does not necessarily leak the key, but it undeniably breaks the security. It
is arguable that this delivers an equivalent key in an equivalent algorithm,
but it certainly does not recover the "functional key" of the original
algorithm, and may not necessarily be possible to convert to the key itself.
Admittedly, this is a significantly unusual form of attack, but it certainly
violates the statement that there are "only ... a couple of considerations
that do actually matter" by providing an attack that avoids both, but is
unarguably security destroying.

That has to be one of the worst scales I've ever seen. It has no relation to
reality, only serves to provide an appearance of thoughtfulness.

In bits, it would be 128 bits for level 1, 3.5K bits for level 2, 92.6
K bits for level 3, and 2.5M bits for level 4.

This directly contradicts the earlier metric as well. 27 is only 4.something
bits, a far cry from 128. In short your metric is worthless on the surface
and gets worse the more you explain it. Feel free to stop.

It will take much, much more than fool-hearty handwaving based on a lack of
knowledge will serve no purpose.
                Joe

I appear to have forgetten to include a definition of unicity distance.
Well, it's the minimum amount of ciphertext for which there exists only one
plausible plaintext (or, if you don't like that definition, go with the one
on Wikipedia).

I've seen variations on the definition, all getting at much the same

Unicity distance does have one advantage over modern indistinguishability
arguments; it gives concrete lower bounds on security (in contrast, we
know how to show things are distinguishable from random, but we still have
no proof of indistinguishability).

On the other hand, unicity distance does have some problem.  Here some of
them from a modern cryptographical perspective:

- Unicity distance is mostly controlled by two things, key size (which is
reasonable) and the distribution of possible plaintexts.  In modern
cryptography, we don't get to pick the plaintexts, that's chosen by
someone outside the security area for noncryptographical reasons, and so
we as a rule do not make any security assumptions based on what the
plaintext looks like.  And, if we worse-case the plaintext distribution
(say, there is only one possiblity, aka "known plaintext"), then for most
ciphers, the unicity distance is pretty close to the key size (and you
really don't want to use the ciphers for which this isn't the case).

Sigh.... I really blew it here: if there is only one possible plaintext, the
unicity distance is, of course, 0 (we don't need any ciphertext if we
already know the plaintext).  I was thinking about the amount of ciphertext
you needed to recover the key, but unicity distance isn't about recovering
the key, it's about recovering the plaintext.

--
poncho

 ...So that still is not a reason to not have large keyed systems for
those that
want more security.

- Unicity distance is mostly controlled by two things, key size (which is
reasonable) and the distribution of possible plaintexts. In modern
cryptography, we don't get to pick the plaintexts, that's chosen by someone
outside the security area for noncryptographical reasons, and so we as a
rule do not make any security assumptions based on what the plaintext looks
like. And, if we worse-case the plaintext distribution (say, there is only
one possiblity, aka "known plaintext"), then for most ciphers, the unicity
distance is pretty close to the key size (and you really don't want to use
the ciphers for which this isn't the case).

It appears from the above exposition that you are attempting to reinvent the
idea of "unicity distance"

On Jul 16, 7:40 am, "Scott Fluhrer" <sfluh... at (no spam) ix.netcom.com> wrote:

It appears from the above exposition that you are attempting to reinvent the
idea of "unicity distance"

Although he did say

(begin quote)
Contrary to your view, there are good examples of amounts of data
necessary to solve different ciphers. Note ACA's list of required
lengths of ciphertexts for different ciphers.
(end quote)

I doubt that. The unicity distance is based strictly on key length
against plaintext redundancy, and shows a _theoretical_ limit on it
being _possible_ to solve a cipher.

Instead, he is looking for something quantitative that reflects the
other part - the "work factor" - of the strength of a cipher. There
are good reasons for the belief that we not only don't have a good
quantitative measure for that at the moment, but also that we don't
have a structure to build on to obtain one. Thus, all we can do where
security is needed is make ciphers much more complicated than they
"need" to be to be on the safe side.

John Savard

On Jul 21, 11:33 am, Quadibloc <jsav... at (no spam) ecn.ab.ca> wrote:

Instead, he is looking for something quantitative that reflects the
other part - the "work factor" - of the strength of a cipher. There
are good reasons for the belief that we not only don't have a good
quantitative measure for that at the moment, but also that we don't
have a structure to build on to obtain one. Thus, all we can do where
security is needed is make ciphers much more complicated than they
"need" to be to be on the safe side.

No that is a fallacy. We do not need to just attempt to make them
appear more secure by appearing to make them more complicated.
We need to attack the problem on all fronts. And part of it is to try
to minimize information leakage that weakens the overall encryption.
We know that good compression can prevent enough information
leakage so that ciphertext only attacks can become impossible.
One should still consider information security thats why specialized
bijective compressors should be used before encryption.