Cryptography-Digest Digest #687, Volume #10       Sun, 5 Dec 99 21:13:01 EST

Contents:
  Re: Random Noise Encryption Buffs (Look Here) ("Trevor Jackson, III")
  Re: cookies (E. N. Kilomary)
  Re: Distribution of intelligence in the crypto field (David A Molnar)
  Re: Distribution of intelligence in the crypto field (David A Molnar)
  VIC cipher's PRNG ("r.e.s.")
  Re: --- sci.crypt charter: read before you post (weekly notice) (E. N. Kilomary)
  Re: Random Noise Encryption Buffs (Look Here) (Tim Tyler)
  Re: Why Aren't Virtual Dice Adequate? ("r.e.s.")
  Re: Safeboot is it really safe (Matt)
  Re: Random Noise Encryption Buffs (Look Here) (Guy Macon)
  Re: VIC cipher's PRNG (David Wagner)
  Re: Why Aren't Virtual Dice Adequate? (Guy Macon)
  Re: Why Aren't Virtual Dice Adequate? (Guy Macon)
  Re: Why Aren't Virtual Dice Adequate? (Guy Macon)

----------------------------------------------------------------------------

Date: Sun, 05 Dec 1999 16:15:04 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Random Noise Encryption Buffs (Look Here)

Tim Tyler wrote:

> Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
> : Tim Tyler wrote:
>
> :> Whereas your position appears to be based on faith in the existence of
> :> genuine randomness in subatomic behaviour, and in our ability to
> :> magnify this up to a macroscopic scale, without distorting it at all.
>
> : Do you know about SQUIDs?  Photomultipliers?  Etc.?
> : Why are you wasting bandwidth arguing about quantum effects
> : when you don't understand the subject?  Go learn it first!
>
> It seems to be necessary - since some people seem to have the idea that
> a one-time pad is a realisable system.
>
> Without a source of genuinely random numbers a one-time pad falls short of
> theoretical perfection - and unfortunately, no source of demonstrably
> genuinely random numbers is - or IMO is ever likely to be - known to
> mankind.
>
> Even if you believe that SQUIDs or photomultipliers are capable of
> magnifying quantum events to a macroscopic scale without possibly
> introducing any interference from other sources, I would love to
> hear an explanation of how they could conceivably do this.

There is no need for esoteric equipment.  The dark-adapted human eye detects
single quanta.

>
>
> Alternatively, should you have a demonstration that quantum events are
> themselves genuinely random, I would be delighted to hear that as well.



> --
> __________
>  |im |yler  The Mandala Centre  http://www.mandala.co.uk/  [EMAIL PROTECTED]
>
> *If* /you/ copy this "tagline virus" *please* mutate it!




------------------------------

From: [EMAIL PROTECTED] (E. N. Kilomary)
Subject: Re: cookies
Date: Sun, 05 Dec 1999 21:37:33 GMT

[EMAIL PROTECTED] (Eric Murray) wrote:

>The server placing the cookie can set restrictions on which
>servers can access the cookie.

I don't believe that's true. A cookie can only be retrieved by the server
that planted it there.
-- 
"E. N. Kilomary" is actually [EMAIL PROTECTED] (6320 179458).
 0  1  23456789 <- Use this key to decode my email address and name.
                 Play Five by Five Poker at http://www.5X5poker.com.
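An added example to go with the exchange above (it is not code from either poster): the rules a browser applies to decide which hosts and paths a cookie is sent back to, as specified in RFC 6265. Without a Domain attribute a cookie is host-only and returns only to the exact host that set it; with Domain=example.com it also goes to every subdomain, and a server cannot scope a cookie to a domain it does not belong to. The hosts, paths and cookie values below are constructed for illustration.

```python
# Added example: cookie scoping per RFC 6265 (domain-match and path-match).
# Hosts, paths and cookie values are constructed; the IP-address special case
# of the domain rule is omitted for brevity.
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    domain: str        # lower-case host or domain the cookie is scoped to
    host_only: bool    # True when the server sent no Domain attribute
    path: str = "/"


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: host equals domain, or host ends with '.' + domain."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4: the cookie path is the request path or a directory prefix of it."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Build a Cookie from a Set-Cookie header value received from request_host.

    No Domain attribute -> host-only cookie, returned only to request_host.
    Domain=d           -> accepted only if request_host domain-matches d;
                          a browser discards the cookie otherwise (we raise).
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain, path = None, "/"
    for attr in parts[1:]:
        key, _, attr_value = attr.partition("=")
        key = key.lower()
        if key == "domain":
            domain = attr_value.lower().lstrip(".")
        elif key == "path":
            path = attr_value or "/"
    if domain is None:
        return Cookie(name, value, request_host.lower(), True, path)
    if not domain_matches(request_host, domain):
        raise ValueError(f"{request_host} may not set a cookie for {domain}")
    return Cookie(name, value, domain, False, path)


def cookie_is_sent(cookie: Cookie, host: str, path: str = "/") -> bool:
    """Would a browser attach this cookie to a request for host/path?"""
    host = host.lower()
    if cookie.host_only:
        host_ok = host == cookie.domain
    else:
        host_ok = domain_matches(host, cookie.domain)
    return host_ok and path_matches(path, cookie.path)


if __name__ == "__main__":
    host_only = parse_set_cookie("session=abc123; Path=/", "shop.example.com")
    shared = parse_set_cookie("session=abc123; Domain=example.com; Path=/app",
                              "shop.example.com")
    print("host-only -> api.example.com:", cookie_is_sent(host_only, "api.example.com"))
    print("Domain=example.com -> api.example.com/app/cart:",
          cookie_is_sent(shared, "api.example.com", "/app/cart"))
    print("Domain=example.com -> evil-example.com:",
          cookie_is_sent(shared, "evil-example.com", "/app"))
```

The Domain attribute is the "restriction" a server can set: it can only widen a cookie from the setting host to that host's own parent domain, never to an unrelated one, and a cookie set without it stays with the setting host.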

------------------------------

From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: Distribution of intelligence in the crypto field
Date: 5 Dec 1999 21:57:22 GMT

Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
> Yeah, but he really ought not to be listing his clearances on a
> public forum.  For one thing, it makes him a target for anyone
> who might want to exploit his access to nuclear and other
> sensitive material, terrorists for example.

Oh, good point. 

Except I doubt he'll be such a target now. :-(

-David


------------------------------

From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: Distribution of intelligence in the crypto field
Date: 5 Dec 1999 22:02:59 GMT

CLSV <[EMAIL PROTECTED]> wrote:
>> You would expect the NSA to ask the "father of combinatorics" to
>> work on their problems, wouldn't you ?

> Yes, I didn't expect it being advertized, though.

Fair enough. I can't find my copy of _Indiscrete Thoughts_, but I
think it has a reference to working at Los Alamos in the chapter
discussing Stan Ulam...but that is very different than actually listing
a Q clearance on your resume.

> (& smart combinatorists :-) are working for intelligence
> agencies.

The crypto sixth column, as it were. 

-David

------------------------------

From: "r.e.s." <[EMAIL PROTECTED]>
Crossposted-To: sci.math
Subject: VIC cipher's PRNG
Date: Sun, 5 Dec 1999 15:04:06 -0800

I was looking at the very simple PRNG used in the VIC
cipher, which operated with decimal digits. In pseudocode,
and generalizing to base-b digits, registers R(i) (i=1..b)
are initialized to R(i)=key(i) (i=1..b), and a stream is
output by iterating the following:

======
 R(b+1) = R(1) + R(2) (mod b)
 R(i) = R(i+1) for i=1..b
 output R(b+1)
======

What I'm wondering about is, for b>2, how to get any
idea of the cycle-length of the stream, e.g., how the
cycle-length depends on the particular (key(i),i=1..b).

Can anyone recommend sources for this?
(LFSR literature that I find is focussed only on bit
registers, and doesn't seem to treat base-b, b>2.)

--
r.e.s.
[EMAIL PROTECTED]



------------------------------

From: [EMAIL PROTECTED] (E. N. Kilomary)
Subject: Re: --- sci.crypt charter: read before you post (weekly notice)
Date: Sun, 05 Dec 1999 23:06:08 GMT

[EMAIL PROTECTED] (D. J. Bernstein) wrote:

>A common myth is that sci.crypt is USENET's catch-all crypto newsgroup.

When will you face the fact that this "common myth" is reality? Maybe you
don't like it and maybe it wasn't conceived that way, but for better or
worse, that's the way it is today.
-- 
"E. N. Kilomary" is actually [EMAIL PROTECTED] (6320 179458).
 0  1  23456789 <- Use this key to decode my email address and name.
                 Play Five by Five Poker at http://www.5X5poker.com.

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Random Noise Encryption Buffs (Look Here)
Reply-To: [EMAIL PROTECTED]
Date: Sun, 5 Dec 1999 23:42:32 GMT

Trevor Jackson, III <[EMAIL PROTECTED]> wrote:
: Tim Tyler wrote:
:> Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
:> : Tim Tyler wrote:

:> :> Whereas your position appears to be based on faith in the existence of
:> :> genuine randomness in subatomic behaviour, and in our ability to
:> :> magnify this up to a macroscopic scale, without distorting it at all.
:>
:> : Do you know about SQUIDs?  Photomultipliers?  Etc.?
:> : Why are you wasting bandwidth arguing about quantum effects
:> : when you don't understand the subject?  Go learn it first!
:>
:> It seems to be necessary - since some people seem to have the idea that
:> a one-time pad is a realisable system.
:>
:> Without a source of genuinely random numbers a one-time pad falls short of
:> theoretical perfection - and unfortunately, no source of demonstrably
:> genuinely random numbers is - or IMO is ever likely to be - known to
:> mankind.
:>
:> Even if you believe that SQUIDs or photomultipliers are capable of
:> magnifying quantum events to a macroscopic scale without possibly
:> introducing any interference from other sources, I would love to
:> hear an explanation of how they could conceivably do this.

: There is no need for esoteric equipment.  The dark-adapted human eye detects
: single quanta.

I see no presentation of a complete system, though.  If you give me
something concrete to criticise, I will be able to do a better job.

Say you use a source of light and a polariser followed by the human eye.
You need to make sure that no light sources exist outside the system which
could cause a false detection.  Perhaps a bunker underground would
suffice to shield from cosmic rays causing false positives in some
potentially biased manner.  Or perhaps not.

How are you ensuring the light is evenly polarised?  What are the
polarising properties of the material between the light source and the
polarising filter?  How good is the polariser?  Polarisers generally
consist of very thin slits.  But they are not /infinitely/ thin compared
to the wavelength of photons.  This causes deviations from a 50-50 split
of photon absorption.

How are you storing the binary sequence?  Is this immune to undetected
drop-outs?  Do any dropouts occur to 1s as much as to 0s?

*Some* of these issues can be cleaned up by post-processing.  Indeed, I 
doubt all of them can.  In fact, I doubt all of them can even be
enumerated :-(

A *perfect* source of random numbers is a bit like a perpetual motion
machine - I doubt its existence.
-- 
__________
 |im |yler  The Mandala Centre  http://www.mandala.co.uk/  [EMAIL PROTECTED]

"Bollocks," said Pooh, being more forthright than usual.
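An added illustration of the "some of these issues can be cleaned up by post-processing, not all of them" point above; it is not code from the poster. Von Neumann's extractor is a standard post-processing step: it removes a fixed bias from a source whose bits are independent (a polariser that does not split 50-50 is modelled that way here), but it does nothing against a defect that makes neighbouring samples differently distributed, modelled below as a periodic disturbance that alternates the bias from one sample to the next. The sources, seeds and parameters are constructed for the demonstration.

```python
# Added example: what a debiasing post-process can and cannot fix.
# All "physical" sources below are constructed with a seeded PRNG.
import random


def biased_bits(p_one: float, n: int, seed: int) -> list:
    """Stand-in for an independent but biased detector (P(1) = p_one)."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def periodic_interference(n: int, seed: int, p_even=0.6, p_odd=0.4) -> list:
    """Stand-in for an external periodic disturbance synchronised with the
    sampling: even samples lean towards 1, odd samples towards 0, so the two
    halves of each bit pair are no longer identically distributed."""
    rng = random.Random(seed)
    return [1 if rng.random() < (p_even if i % 2 == 0 else p_odd) else 0
            for i in range(n)]


def von_neumann(bits: list) -> list:
    """Von Neumann extractor: take non-overlapping pairs, output the first bit
    of each (0,1) or (1,0) pair, discard (0,0) and (1,1). When the two bits of
    a pair are independent and identically biased, P(0,1) = P(1,0), so the
    output is exactly unbiased, whatever the input bias was."""
    return [a for a, b in zip(bits[0::2], bits[1::2]) if a != b]


def fraction_ones(bits: list) -> float:
    return sum(bits) / len(bits) if bits else 0.0


if __name__ == "__main__":
    raw = biased_bits(0.7, 40_000, seed=1)
    print("biased source      P(1) =", round(fraction_ones(raw), 3))
    print("after von Neumann  P(1) =", round(fraction_ones(von_neumann(raw)), 3))
    bad = periodic_interference(40_000, seed=2)
    print("interfered source  P(1) =", round(fraction_ones(bad), 3))
    print("after von Neumann  P(1) =", round(fraction_ones(von_neumann(bad)), 3),
          "(bias survives: P(1,0) = 0.36 vs P(0,1) = 0.16 per pair)")
```

The second run shows the failure mode: with P(1) = 0.6 on even samples and 0.4 on odd ones, a (1,0) pair occurs with probability 0.36 and a (0,1) pair with 0.16, so the "debiased" output is about 69% ones. The extractor assumes the very property (independent, identically distributed samples) that the questions in the post are about.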

------------------------------

From: "r.e.s." <[EMAIL PROTECTED]>
Crossposted-To: sci.math
Subject: Re: Why Aren't Virtual Dice Adequate?
Date: Sun, 5 Dec 1999 16:25:44 -0800

"Trevor Jackson, III" <[EMAIL PROTECTED]> wrote ...
: r.e.s. wrote:
[...]
: > Also, incorporating additional ingredients such as a "shared secret",
: > is a nice example of what I was calling the "strengthening" of a
: > "pure OTP alone".
:
: You may understand the terminology you are using, but I, and apparently
: others, do not. The phrase "strengthening and OTP" rings false on the ears
: because the strength of an OTP is maximal for systems where PT size == CT
: size.  It cannot be made stronger.  Of course this describes the strength
: of the protection of the plaintext.  If you add in authentication as a
: strength parameter, you confuse two distinct issues.
:
: Now in another recent thread I was contradicted for using terminology in a
: non-standard way.  In that case I was trying to use the terminology of the
: person to/at whom I was aiming my replies.  In this case, I believe the
: terminology issue needs to be handled carefully or similar arguments will
: arise.

I think the main underlying problem is that words like
"strength" are used as absolutes.  If I, and others, were
to refer to a cipher's "strength wrt secrecy"
as distinguished from "strength wrt authentication"
there would be less confusion.  Since it appears to be
standard to restrict the term to secrecy issues alone,
however, I'll try to use it accordingly in future.
(The implication is that authentication is not part of
the role of a cipher, i.e., not something we should
expect of it.)

As for the other problem, I think it should be clear that
"strengthening 'X alone'" may involve adding something to
'X alone', in which case it is no longer "X alone". But
again, I'll avoid the construction in future.

--
r.e.s.
[EMAIL PROTECTED]






------------------------------

From: Matt <[EMAIL PROTECTED]>
Subject: Re: Safeboot is it really safe
Date: Mon, 06 Dec 1999 00:42:16 +0000

Cheers Keith,

BestCrypt sounds good but I would like to know more on safeboot.
I understand if it is in the public domain then it's hackable. Is this so,
and has it been cracked? If so, how easy is it to be cracked?

Regards

Matt

Keith A Monahan wrote:

> Matt,
>
> I use BestCrypt which works well on my 95/98 machines.  It uses strong
> encryption like Blowfish, 3DES, GOST algorithms.  I've found it to be
> pretty good.  You can download the development kit which has the source
> code to verify security.
>
> Keith
>
> Matt ([EMAIL PROTECTED]) wrote:
> : Hi,
>
> : Which is the better for encryption of HDD or partitions
> : safeboot or PGP for WinNT/Win95/Win98/Win2000
> : and Linux ?
>
> : Regards
>
> : Matt


------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: Random Noise Encryption Buffs (Look Here)
Date: 05 Dec 1999 19:50:16 EST

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Tim Tyler) wrote:

>Without a source of genuinely random numbers a one-time pad falls short of
>theoretical perfection - and unfortunately, no source of demonstrably
>genuinely random numbers is - or IMO is ever likely to be - known to
>mankind.

There are many things that are non-provable (including the theory that
you are reading this on a computer screen instead of hallucinating).
Theoretical perfection of an OTP and genuinely random numbers fall
into this category, so you are 100% correct.

Consider, if you will, MOM (Macon's Overkill Method or Massive Overkill
Method) of generating "random" numbers:

Consider a "random" sequence of 1's and 0's
(RBS, or Random Binary Sequence).

Any "random" collection of anything can be converted to a RBS.

Whether the "random" is true is unprovable.  (We can prove
various candidates to be nonrandom or biased, though.)

An Exclusive OR (XOR) of a RBS with any sequence not derived
from the same RBS is still a RBS.  XORing any sequence will
not and can not reduce the randomness.

If a large number of candidate RBS's are XORed together, it only
takes one true RBS to make the result a true RBS (but we can't
prove that such a true RBS exists, so the result may not be a
true RBS.)

Thus my MOM method.  Make as many binary sequences as you can,
using various biased and unbiased RNGs.  Look for sequences
with biases that seem to be unrelated to the biases of other
methods.  Example: XOR the result of flipping a head-heavy
coin with the digitized output of a local AM radio talk show
and with the number of microseconds between your keystrokes.
What are the chances that these all share the same bias?

Now XOR in many other sequences, including state of the art
pseudorandom number generators, FM noise, diode noise,
time between photons emitted by radium, speed of a hamster
on an exercise wheel, etc, etc.

I cannot prove that the final result is unbiased, but it
turns the question "what are the chances that RNG X is
biased?" into "what are the chances that RNG X shares a
bias with every other RNG used in the MOM?".

There is one other consideration.  Does "Biased" imply
"Insecure" in an OTP?  If I made an OTP with a coin flip
that was 0.1% more likely to turn up heads but was
otherwise random, could an attacker use this method to
decode my OTP encrypted messages?  If so, how many bits
of cyphertext would he have to analyse to exploit this
bias?

In my opinion, simple precautions such as padding the
plaintext to a standard length, varying how much of the
padding goes before or after the plaintext, compressing
the plaintext, using a CRC checksum to attempt to
detect errors in the decoded message, or never sending
the exact same plaintext to two different recipients
do not qualify as modifications to the "purity" of
an OTP scheme.
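An added worked example for the XOR-combining argument in the post above; it is not code from the poster and it says nothing about whether any "true RBS" exists. What it does show is the arithmetic behind "it only takes one true RBS": for independent bits, the XOR's bias (P(1) - 1/2) is the product of the individual biases scaled by (-2)^(n-1), the so-called piling-up lemma, so one unbiased input forces an unbiased output and several mildly biased inputs shrink the bias multiplicatively. It also shows the condition the post attaches ("not derived from the same RBS") failing: a sequence XORed with a copy of itself is all zeros. The probabilities, streams and seeds are constructed.

```python
# Added example: XOR of independent biased bit sources (piling-up lemma)
# versus XOR of a source with something derived from it. All inputs constructed.
import random


def xor_prob_one(probs: list) -> float:
    """Exact P(XOR = 1) for independent bits with P(bit_i = 1) = probs[i].
    Folding pairwise: P(a xor b = 1) = P(a)(1-P(b)) + (1-P(a))P(b)."""
    p = 0.0                      # XOR of no bits is 0
    for q in probs:
        p = p * (1 - q) + (1 - p) * q
    return p


def piling_up_bias(probs: list) -> float:
    """Piling-up lemma: bias(XOR) = (-2)^(n-1) * prod(bias_i), bias = P(1) - 1/2."""
    product = 1.0
    for q in probs:
        product *= q - 0.5
    return (-2) ** (len(probs) - 1) * product


def biased_stream(p_one: float, n: int, seed: int) -> list:
    """Constructed stand-in for one candidate RBS (coin, radio noise, ...)."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def xor_streams(*streams: list) -> list:
    """Bitwise XOR of equally long bit lists."""
    return [sum(bits) % 2 for bits in zip(*streams)]


def fraction_ones(bits: list) -> float:
    return sum(bits) / len(bits)


if __name__ == "__main__":
    # head-heavy coin, talk-show audio, keystroke timing: 60%, 55%, 70% ones
    probs = [0.6, 0.55, 0.7]
    print("exact P(1) of XOR:", xor_prob_one(probs))           # 0.504
    print("via piling-up lemma:", 0.5 + piling_up_bias(probs))  # 0.504
    print("one unbiased input:", xor_prob_one([0.5, 0.9, 0.999]))  # exactly 0.5
    print("two 0.1%-biased coins:", xor_prob_one([0.5005, 0.5005]))

    n = 20_000
    a, b, c = (biased_stream(p, n, seed) for p, seed in zip(probs, (1, 2, 3)))
    print("independent streams XORed, P(1) ~", round(fraction_ones(xor_streams(a, b, c)), 3))
    # "derived from the same RBS": a copy of a contributes nothing and cancels a
    print("stream XORed with its own copy, P(1) =", fraction_ones(xor_streams(a, a)))
```

The multiplicative shrinkage is the whole content of the "overkill" argument, and its precondition is independence: the empirical run with three independent streams lands near the exact 0.504, while the self-XOR collapses to a constant.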

 

 


------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Crossposted-To: sci.math
Subject: Re: VIC cipher's PRNG
Date: 5 Dec 1999 17:08:16 -0800

In article <82eqnr$cd3$[EMAIL PROTECTED]>,
r.e.s. <[EMAIL PROTECTED]> wrote:
> I was looking at the very simple PRNG used in the VIC
> cipher, which operated with decimal digits. In pseudo-
> code, and generalizing to base-b digits, registers
> R(i)(i=1..b) are initialized to R(i)=key(i)(i=1..b),
> and a stream is output by iterating the following:
> 
> ------
>  R(b+1) = R(1) + R(2) (mod b)
>  R(i) = R(i+1) for i=1..b
>  output R(b+1)
> ------
> 
> What I'm wondering about is, for b>2, how to get any
> idea of the cycle-length of the stream, e.g., how the
> cycle-length depends on the particular (key(i),i=1..b).

Yeah, there's some interesting mathematics here.

Factor b as a product of prime powers, b = \prod_{j=1}^n p_j^{e_j}.
Reducing modulo each prime power gives us n recurrence relations:
  R(i) = R(i-b) + R(i-b+1) mod p_j^{e_j},  j=1,..,n.
Let C be the desired cycle-length mod b, and C_j be the cycle length
mod p_j^{e_j}.  By the Chinese Remainder Theorem, C = lcm(C_1,..,C_n).

Consequently, it suffices to analyze the cycle length of the recurrence
relation over the rings Z/p^eZ.  Classical shift register theory should
get you the rest of the way, I suspect -- or at least, for the e=1 case.
See, e.g., Golomb's treatise.

(Does anyone know if the e>1 case has been studied?  Or does Hensel
lifting make the e>1 case follow easily from the e=1 case, or somesuch?)

To give you a taste of classical shift register theory, we will probably
want to look at the polynomial
  f(x) = x^b + x^{b-1} + 1 in (Z/p^eZ)[x]:
e.g., is it irreducible, primitive, and so on.  More generally, if I'm
not mistaken, the cycle length mod p^e should divide the order of x in
(Z/p^eZ)[x]/(f(x)), I think.  But please check these claims carefully for
yourself -- they're off the top of my head, and I'm not too terribly good
at shift register theory, so I might have gotten important facts wrong.

In the special case where b=10, we write b=2*5, and note that we get
a linear combination of a 10-bit traditional LFSR over GF(2) and a
10-symbol linear shift register over GF(5).  Therefore, I'd expect the
cycle length to be very good, but the security to be potentially very
low: the LFSR over GF(2) provides very little security, thanks to the
Berlekamp-Massey cryptanalysis algorithm; I can't imagine the LFSR over
GF(5) is much better (but I don't know for sure whether Berlekamp-Massey
generalizes to arbitrary finite fields, offhand).

Hopefully that should be enough to get you started, even if I got some
of the details slightly wrong.  Enjoy!
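An added worked example covering both the question and the reply above; it is not code from either poster. It brute-forces the cycle length of the generalised VIC recurrence for small bases, showing that the length depends on the key (the all-zero key has period 1), and checks David Wagner's Chinese-Remainder decomposition C = lcm(C_1, .., C_n) by computing the period modulo each prime power p_j^{e_j} separately. The register count stays at b, as in the original description, while the modulus is passed separately so the same stepping function serves the reduced recurrences. Function names, the sample keys and the step limit are mine; base 10 is not brute-forced because its GF(5) component alone can have up to 5^10 - 1 states.

```python
# Added example: cycle length of the base-b VIC recurrence and its CRT split.
from functools import reduce
from math import gcd


def vic_step(state: tuple, m: int) -> tuple:
    """One iteration of the recurrence from the post: new digit = R(1) + R(2)
    mod m, then shift the registers left so the new digit is the output."""
    new = (state[0] + state[1]) % m
    return state[1:] + (new,)


def period(key: tuple, m: int, limit: int = 10_000_000) -> int:
    """Cycle length of the register state starting from `key` under modulus m.
    The update is a bijection on states (R(1) = new - R(2) recovers the
    previous state), so every orbit is a pure cycle and the first return to
    the start state is its length. The output stream has the same period,
    since the state is just a window of b consecutive outputs."""
    start = tuple(k % m for k in key)
    state = start
    for n in range(1, limit + 1):
        state = vic_step(state, m)
        if state == start:
            return n
    raise RuntimeError(f"cycle longer than {limit} steps")


def prime_power_factors(b: int) -> list:
    """b = prod p_j^{e_j}, returned as the list of the p_j^{e_j}."""
    factors, p = [], 2
    while p * p <= b:
        if b % p == 0:
            q = 1
            while b % p == 0:
                b //= p
                q *= p
            factors.append(q)
        p += 1
    if b > 1:
        factors.append(b)
    return factors


def lcm(a: int, b: int) -> int:
    return a * b // gcd(a, b)


def period_via_crt(key: tuple, b: int) -> int:
    """C = lcm(C_1, .., C_n): the state mod b returns to its start exactly when
    the state mod every p_j^{e_j} does, so C is the lcm of those periods."""
    return reduce(lcm, (period(key, q) for q in prime_power_factors(b)), 1)


def stream(key: tuple, b: int, n: int) -> list:
    """First n output digits of the base-b generator with b registers."""
    state = tuple(k % b for k in key)
    out = []
    for _ in range(n):
        state = vic_step(state, b)
        out.append(state[-1])
    return out


if __name__ == "__main__":
    print("b=2, key (1,0):", stream((1, 0), 2, 9), "period", period((1, 0), 2))
    print("b=3, zero key: period", period((0, 0, 0), 3))
    key6 = (1, 0, 0, 0, 0, 0)
    print("b=6 periods mod 2 and mod 3:",
          [period(key6, q) for q in prime_power_factors(6)])
    print("b=6 direct:", period(key6, 6), " via CRT:", period_via_crt(key6, 6))
```

For b = 6 the mod-2 component is a 6-stage LFSR with characteristic polynomial x^6 + x + 1, which is primitive over GF(2), so any non-zero key gives the maximal period 63 there; the direct and CRT results agree, as the reply predicts.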

------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Crossposted-To: sci.math
Subject: Re: Why Aren't Virtual Dice Adequate?
Date: 05 Dec 1999 20:27:02 EST

In article <82edsi$28d$[EMAIL PROTECTED]>, [EMAIL PROTECTED] (r.e.s.) wrote:

><snip description of the scenario I *thought* we were discussing>

>(A good laugh!)

Ah. I misunderstood.  I did not know that when I originate a topic
on this newsgroup that any drift into related topics is not allowed.
Being a clueless newbie, I was not aware of this rule.


------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Crossposted-To: sci.math
Subject: Re: Why Aren't Virtual Dice Adequate?
Date: 05 Dec 1999 20:40:18 EST

In article <82ei0e$2f2$[EMAIL PROTECTED]>, [EMAIL PROTECTED] 
([EMAIL PROTECTED]) wrote:

>Yes, if you mean "absolute" in the sense that
>authentication is provable, even against a
>computationally unbounded attacker. Cryptographic
>Authentication is always probabilistic: the
>attacker might guess a correct signature.  The
>mechanism allows us to make the probability of
>successful forgery arbitrarily close to zero.

You *might* be able to go that extra distance to zero.
Speaking of guessing things in general, I would say that
if the probability of making a correct guess is so
low that the sum total of the results of all
of the attacker's guesses equals the sum total of all
possible messages of that length, then it seems that
the probability of making a correct guess and detecting
that your guess was correct is zero.  In the larger
sense, no method is 100% secure against someone who
sends random data.  It might randomly turn out to be
a valid encryption of the attacker's favorite plaintext.
I wouldn't hold my breath waiting for this to happen...


------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Crossposted-To: sci.math
Subject: Re: Why Aren't Virtual Dice Adequate?
Date: 05 Dec 1999 20:42:52 EST

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Trevor Jackson, III) wrote:

>Now in another recent thread I was contradicted for using terminology in a
>non-standard way.  In that case I was trying to use the terminology of the
>person to/at whom I was aiming my replies.  In this case, I believe the
>terminology issue needs to be handled carefully or similar arguments will
>arise.

I am in special need of such correction.  I am a clueless newbie trying
to apply knowledge gained in another field, and am thus very likely to
use incorrect terminology.  Please feel free to correct me if I do.


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
