Cryptography-Digest Digest #864, Volume #8 Fri, 8 Jan 99 05:13:04 EST
Contents:
Re: What is left to invent? (Mok-Kong Shen)
Re: What is left to invent? ([EMAIL PROTECTED])
Re: On the Generation of Pseudo-OTP (Mok-Kong Shen)
Re: On the Generation of Pseudo-OTP (Mok-Kong Shen)
Re: On the Generation of Pseudo-OTP (Mok-Kong Shen)
Re: coNP=NP Made Easier? (Matt Brubeck)
Re: coNP=NP Made Easier? (Lasse Reichstein Nielsen)
Re: Chosen-Signature Steganography (Tom)
Re: On the Generation of Pseudo-OTP (Mok-Kong Shen)
Re: On the Generation of Pseudo-OTP (Darren New)
----------------------------------------------------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: What is left to invent?
Date: Fri, 08 Jan 1999 08:22:52 +0100
[EMAIL PROTECTED] wrote:
>
> Mok-Kong Shen wrote:
>
> > It is my humble opinion that it might be easier (and more promising)
> > to find ways to realize sufficient security (despite the restriction)
> > than to argue with the authority. But other people may think that the
> > other way round is better.
>
> I don't find realizing strong systems within the restrictions
> to be very promising. Not that we couldn't do it, but any
> victory would last only as long as it takes a federal agency
> to promulgate revised regulations.
Do you have a good effective idea, given the historical record of the
attempts of many civilian organizations and persons who have worked
admirably hard in opposing governments' meddling with the freedom of
privacy? I hope that such work will be continued and I sincerely
wish that there will be good success. But I also think that the way
I indicated is something that is worthy of being exploited in
parallel. It brings forth at least some effects in short terms.
On the other hand I am not yet sure that an adequate revision of the
regulations could be easily formulated, unless they would release a
general ban on encryption in a manner similar to that in France
(I suspect that that could be pretty hard in at least some of the
33 countries.) And by the time such a revision is actually released,
the region outside of the 33, being supposedly currently the
crypo-technically underdeveloped part of the globe, will hopefully
be able to catch up in the field of cryptology so that people in
these countries -- assuming that their govenments remain sane --
will be able to communicate with themselves confidentially (even
though they may not do the same with people in the 33 countries owing
to a general crypto ban in the latter) without fearing of being
eavesdropped by the technically superior powers.
M. K. Shen
======================================================
M. K. Shen, Postfach 340238, D-80099 Muenchen, Germany (permanent)
+49 (89) 831939 (6:00 GMT)
[EMAIL PROTECTED] (subject to change)
http://www.stud.uni-muenchen.de/~mok-kong.shen/
(Last updated: 3rd January 1999. Origin site of
WEAK2-EX -- A Poorman's 56-bit Data Encryption Algorithm. (30 Dec 98)
WEAK3-EX -- A Layman's 56-bit Data Encryption Algorithm. (30 Dec 98)
WEAK4-EX -- Another Poorman's 56-bit Data Encryption Algorithm. (3 Jan
99)
Containing 2 mathematical problems with rewards totalling US$500.)
==============================================
Apply not techniques that you haven't fully understood. Use only
subprograms that you have thoroughly verified. Never blindly trust
what your colleagues claim. (a programmer advising novices, ~1970)
==============================================
Sunshine is the best disinfectant.
(citation of a citation in B. Schneier and D. Banisar, The Electronic
Privacy Papers. John-Wiley, New York, 1997.)
==============================================
The words of a man's mouth are as deep waters, and the wellspring
of wisdom as a flowing brook. (Proverbs 18:4)
A little that a righteous man hath is better than the riches of many
wicked. (Psalms 37:16)
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: What is left to invent?
Date: Fri, 08 Jan 1999 05:20:45 GMT
Mok-Kong Shen wrote:
> It is my humble opinion that it might be easier (and more promising)
> to find ways to realize sufficient security (despite the restriction)
> than to argue with the authority. But other people may think that the
> other way round is better.
I don't find realizing strong systems within the restrictions
to be very promising. Not that we couldn't do it, but any
victory would last only as long as it takes a federal agency
to promulgate revised regulations.
--Bryan
============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: On the Generation of Pseudo-OTP
Date: Fri, 08 Jan 1999 08:33:06 +0100
Darren New wrote:
>
> Not after you run the bitmap you photographed thru a cryptographic hash,
> I would expect.
So you assume that there exists a hash that is perfect??
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: On the Generation of Pseudo-OTP
Date: Fri, 08 Jan 1999 08:30:24 +0100
Darren New wrote:
>
> > How do you KNOW that any particualr realization of a physical process
> > based on quantum theory is without bias?
>
> Because you tune it to be without bias. You adjust the halflife you
> expect to match the halflife you have, for example.
Have you ever encountered a physical device that is absolutely
perfect??
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: On the Generation of Pseudo-OTP
Date: Fri, 08 Jan 1999 09:21:36 +0100
R. Knauer wrote:
>
> On Thu, 07 Jan 1999 18:00:11 +0100, Mok-Kong Shen
> <[EMAIL PROTECTED]> wrote:
>
> >An ideal OTP is totally secure but,
> >as I said above, is unfortunately an unobtainable theoretical
> >concept.
>
> I disagree. A TRNG can be made to crypto-grade specifications in that
> it would take more energy than exists in the Universe to break the
> OTP.
There is NO disagreement. You have an approximation to an ideal and
that approximation turns out to be good enough for the practice.
Still, it is an approximation (there is no EQUALITY).
>
> The main question is whether the text stream outputs all possible
> sequences of a given length equiprobably. Without that, all the
> antiskewing and decorreleation in the world will not patch it up.
>
> If for example you want to generate a pad with n bits, then the text
> stream generator must be capable of outputting all 2^n sequences
> equiprobably. If for some reason the output of a major fraction of
> those sequences is not possible due to some inherent limitation on
> natural language, then the text stream generator is unsuitable as a
> TRNG substitute.
>
> BTW, I assume you would use the LSB of the ACSII characters from the
> text source and then remove bias and correlation from that preliminary
> sequence. If you use higher order bits then you are gonna have real
> problems because now you are getting closer to the patterns inherent
> in natural language.
Please note that in NO place in my original post there were a claim
of the sort 'Hi, look, I have invented something exactly as good
as an ideal OTP!'. I was simply calling attention to a (I believe)
possibly fruitful way of obtaining something (I term it pseudo-OTP)
that could, on the assumption that suitable techniques (either
currently known as I sketched or yet to be developed or refined)
are applied, approximate an ideal OTP to some (for practical
purposes) satisfactory degree just as some good hardware devices
are supposedly already doing that way. I hope that this clears
up some misunderstandings. I don't doubt that much experiments
are needed in order to get really good pseudo-OTP.
>
> Why not just use music instead. Rap music should be completely random,
> even to higher order bits.
Music and voices are also good sources for use in similar sense
as the texts, if devices are available to digitalize them. Note that
I am not anti-hardware. A physical device may, if one wants, be
integrated in my proposed scheme.
M. K. Shen
------------------------------
From: [EMAIL PROTECTED] (Matt Brubeck)
Crossposted-To: sci.math,comp.theory
Subject: Re: coNP=NP Made Easier?
Date: Fri, 08 Jan 1999 00:30:19 -0800
In article <[EMAIL PROTECTED]>, rosi <[EMAIL PROTECTED]> wrote:
> Three things. First, you perhaps did not consider my other question.
> That is if NDTM is real, NP problems can be solved in P time.
Well, a nondeterministic Turing machine (NDTM) is a Turing machine which,
at a given state and input, may have several potential transitions.
Therefore it may not behave the same when given the same input more than
once. The NDTM is just a theoretical model of computation; a "real" NDTM
would be useless, since its output is unpredictable.
Given an instance of a decision problem, if the answer is "yes," an NDTM
may or may not accept, but if the answer is "no," then it definitely does
not accept. "NP time" means that there exists some NDTM for which there is
always a nonzero chance that the machine will halt with the correct answer
within a polynomial bound.
An equivalent model to the NDTM is a turing machine which guesses at a
potential solution, then checks to see whether the solution is correct.
For this machine, the definition of "NP time" is that the checking
algorithm must run in polynomial time. This definition turns out to be
equivalent to the above. Note that since it may have to check every
possible solution, this entire algorithm may actually take exponential
time to run.
There are still more equivalent ways of viewing nondeterministic running
times (NDTMs that always make the correct choice; NDTMs which are in
arbitrarily many states at once), but all are theoretical; none of them
allows a "real" machine to be constructed which is guaranteed to run in
polynomial time.
In short: NDTMs are theoretical constructs only.
Also, you'll find that under any of the above models, given an NP-time
algorithm for a problem is of no apparent help in constructing an NP-time
algorithm for its complement.
Side-note: Quantum computing, which is still largely theoretical, may
someday allow the construction of real devices which behave like
non-deterministic models of computation, and solve NP-hard problems in
polynomial time. However, this is still unclear; it also doesn't change
the theoretical bases for questions about P, NP, and coNP, though it does
change the practical consequences of the answers.
>But still,
>according to 'P by DTM', P!=NP. That does not conflict with what I
>tend to believe: NDTM solves a proper superset (again the assumption:
>NDTM is _ever_ real). Adopting such a notion, P!=NP does not offer any
>protection, which is not reconcilable with an NP-hard problem reducible
>to a cryptographic problem can be secure. Secondly, either way one says
>it, by DTM or by NDTM, coNP=NP is not affected. Once one side is P, the
>bound for it is a decision point for deciding the complement problem.
Unfortunately, no one has ever shown that either coNP or NP is equivalent
(or not equivalent) to P, though some of the best minds in the world have
tried.
P ?= NP is the most famous open question in computational science.
> I want to make what I just said clear: 'tend to believe'
> only comes after NDTM being real.
Unfortunately, NDTMs are not real, or to the extent that they are, they
are no help in showing whether NP = coNP, because your basic assumptions
were those that only apply to deterministic automata.
Your previous attempts constructed an algorithm for a coNP problem out of
the algorithm for its complement in NP. Unfortunately, they relied on
gross misconceptions of the nature of nondeterministic Turing machines and
NP time.
> 1. You say it may take exp time. I think we agree that complexity
> theory (some may give a quantifier such as 'conventional') is conerned
> with the worst case scenario. The behaviour you descirbe which I
> believe is the same as 26 which Ilias adopted is problematic, im my
> opinion. It CAN blow any bound you put on it!
The important point here is that non-deterministic models of computation
behave in a fundamentally different way from deterministic models. We
don't talk about their complexity in the same way. That's why we have
"nondeterministic polynomial time" as a separate class from "polynomial
time."
The exact definitions of NP time are as described above. Perhaps the
easiest to comprehend from my limited explanations is the existance of the
polynomial-time "checking" algorithm (though it's not immediately obvious
that this is equivalent to the other definitions).
I'm a little surprised that you seem so unfamiliar with standard uses of
these terms and concepts. Perhaps you should take some more theocomp.
classes or brush up on your reading before tackling theorems like this
one.
> 2. You were a bit loose as well. You said:
> NP is obviously a superset of P ...
> I think we need a proof. If you meant that it is your belief,
> it cam belistened to as nother story.
This proof is trivial. Any problem which can be solved in polynomial time
by a deterministic turing machine can be solved in non-deterministic
polynomial time. Given a DTM for a problem, it is trivial to construct an
equivalent NDTM with the same run-time.
> One other thing I can not understand is: why it seems so easy to side
> with those who denounce 'coNP=NP'? Why there always seems something wrong
> with what I say? Why nobody, absolutely nobody said a single word when
> Ilias claimed that NDTM simply exists and we need not see a construction
> of it. Why no one so far has posted a single NDTM that solves (in a hypo-
> thetical way) the NP problems? Well, bluffing that it somehow solves them
> can deprive me from saying: when BluffBluff(S, i", n) < f(n), after f(n)
> we can conclude i" is not a subset sum of S?
The NP problems, by definition, are solvable by efficient nondeterministic
Turing machines. If no such NDTM existed, the problem would not be in NP.
By saying that a problem is in NP, we are saying that there is an NP-time
Turing machine to solve it. It's not necessary for us to prove that the
machine exists. It's just fine to assume the existance of such an
algorithm, if it has been shown that the problem is in NP. I believe that
SS has been shown in the literature to be in NP.
Existence proofs and examples of NDTMs can found for well-known NP
problems in algorithms and computational theory textbooks, references, and
journals. I see no need to waste bandwidth and time by typing in big
state/transition tables for NDTMs.
------------------------------
From: [EMAIL PROTECTED] (Lasse Reichstein Nielsen)
Crossposted-To: sci.math,comp.theory
Subject: Re: coNP=NP Made Easier?
Date: 8 Jan 1999 09:12:12 GMT
In <[EMAIL PROTECTED]> rosi <[EMAIL PROTECTED]> writes:
>Planar wrote:
>>
>> >From: rosi <[EMAIL PROTECTED]>
>>
>> > I first commit to what I adopt as the definition for the complexity
>> >class of P (which is quoted from "Handbook of Applied Cryptography" by
>> >Menezes et al):
>> > The complexity class P is the set of all decision problems
>> > that are solvable in polynomial time.
>>
>> Aha. Now we know where the problem is. The correct definition of P ^^
> Who? Who is/are this 'we'? Sure this 'we' know(s)?
>> would be more like this: ^^^^
> 'like'? You do mathematics in this 'like' manner?
>>
>> The complexity class P is the set of all decision problems
>> that are solvable in polynomial time BY DETERMINISTIC TURING
>> MACHINES.
>>
> Where did you get that? Where did you quote from? From one of your
>own volumes?
I first saw it in "Computational Complexity" (Christos H. Papadimitriou,
Addison-Wesley 1994, page 34). He defiend TIME(f(n)) to be the class of
languages decidable by a /determinsitic/ turing machine in time bounded
by O(f(n)), and goes on to define P as the union over all natural k of
TIME(n^k). This is the usual definition of P (and very much "like" the
above, being equivalent to it), and if you decide to define P as all
problems decidable in polynomial time by any accessible method, then
that's your choice, but I belive you mistaken if you assume that
everybody else defines P any other way than the above.
> Interesting typo or omission by M. et. al.
> Cryptographic stuff depends on P!=NP for its security. Now, even
>NDTM's are real, P!=NP. But what security?
If you refer to Quantum Computers, then they are /not/ NDTM's (as far as
is known). They can solve /some/ NP problems in polynomial time, but so
far no polynomial solution of NP-hard problems using quantum computing
have been found (AFAIK). The class of quantum-polynomial problems might
be a proper subset of NP, but proving that would prove P!=NP.
If you assume that NDTMs exist, and that P is the class of decision
problems decidable in polynomial time by any accessible method, then
I don't see why you don't just say that P=NP directly (unless... what is
your definition of NP?)
> The mechanism's existence (i.e. P=NP) trivially implies NP=coNP
> ^^^^^^^^^^^^^^^^^^^^
Sure, if P=NP then P=coNP too (if P is closed under complement, which it
is with the usual definition), and so trivially NP=coNP
> I guess the people who talk about the dependency of crypto efforts
>on P!=NP must not know what they are talking about. Only you do. (Or
>'we' do/does?)
>> > I here also commit my understanding of the definition. As long as
>> >the problem is solvable in polynomial time, be via DTM or NDTM, it is
>> >in P.
>>
>> And this is equivalent (for people who know the correct definition of
>> P and NP) to claiming P = NP.
> I guess you are also a complexity theory super guru. Show us the
>equivalence, which would be your daily cup of tea.
Well, we need the definition of NP then. If we cannot use the usual one
(as we don't for P), what then should we use? Any decision problem where
there exist a proof that is checkable in polynomial time (be it via DTM
or NDTM)? (yes, that is equivalent to your definition of P)
/L 'another one of 'we'?'
--
Lasse Reichstein Nielsen - [EMAIL PROTECTED]
This message may be reproduced freely for non commercial purposes.
"... but where do you want to go tomorrow?"
------------------------------
From: Tom <[EMAIL PROTECTED]>
Subject: Re: Chosen-Signature Steganography
Date: Fri, 08 Jan 1999 01:20:29 -1000
Matthias Bruestle wrote:
> With the given set of signatures there are 1000 possible results.
>
> > But the analyst is not done yet. Suppose the plaintext is really
> > "my phone number is 1 212 783 8378".
>
> The analyst who has tried out all possible 3 digit pins has then
> 1000 possible plaintexts and one of them is "my phone number is
> 1 212 783 8378". Very likely, that he thinks that this is the
> correct plaintext.
>
> Mahlzeit
Yes there was an error in the math but also in yours. The first letter of
plaintext "m" was using a 6 digit key to get a 6 bit plaintext from a
chosen signature. Of the million possible plaintexts, 1/26 of them were
the letter "m" and 1/26 of them were "n" and also every other possible
letter was found at random with wrong keys.
The second letter "y" had a new 6 digit key and it also found "y" in
38,000 wrong keys. Also "o" was found in 38,000 wrong keys.
How do you know "my" is the first word is the right plaintext after
searching 2 million keys and how do you know that "no" is the wrong
plaintext after that search? Will you not use the protocol to confirm
correctness of the result?
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: On the Generation of Pseudo-OTP
Date: Fri, 08 Jan 1999 09:51:42 +0100
R. Knauer wrote:
>
> There is no such thing as a Perfect Circle either, even in mathematics
> (since there are non-computable numbers in Mathematics, there are
> non-computable numbers on the locus of a Perfect Circle which means
> that much of that locus is undefined formally). But that did not
> prevent the invention of the wheel.
>
> Even though there is no such thing as an Ideal TRNG, there is one in
> the real world which is crypto-grade for purposes of the OTP system.
Since you have accepted that an ideal can only be approximated in the
real world, I agree with you. I never claimed that a good PRNG can be
superior than a good physical random number generator. In fact I
think that the latter has a better chance of being made good. But one
has also to take into account the expense, the technique, etc.
available in a given application environment and a PRNG normally
costs practically nothing.
>
> >Did I say that 'a very good PRNG IS a TRNG'?? I said it approximates
> >a TRNG. How good it approximates depends on its quality.
>
> I still disagree with you. There is a *fundamental* difference between
> a PRNG and a TRNG.
>
> A PRNG cannot output all of the sequences of a given finite length,
> whereas a TRNG does (by definition). Not only that, the limited count
> of sequences that a PRNG does output are not necessarily equiprobable,
> whereas they are for a TRNG (by definition).
>
> You are using the term PRNG when you really mean Stream Generator. A
> PRNG has the distinguishing characteristic that it begins from a
> seeded state and is therefore repeatable if restarted from that same
> state. A TRNG does not begin from such a state and is therefore not
> repeatable.
Your 'by definition' evidently refers to an IDEAL random number
generator, which (almost 'by definition') can't exist in the real
world. If the bias of a physical device is strong enough, it is
well conceivable that all kinds of statistical anomalies could
occur.
>
> How a Digit Expansion Generator (DEG), like the BBP Pi algorithm or
> any other transcendental constant digit expansion algorithm, fits into
> all this is the question I have here.
>
> Does a DEG have periodicity? Are some periodic depending on the
> transcendental constant chosen but others not? If so, what are the
> selection criteria?
>
> A DEG is certainly repeatable when restarted from the same offset. But
> is the sequence it generates completely unpredictable, as long as its
> characteristics are kept secret?
I am not familiar with the term DES. For Pi, the sequence appears
to be satisfactorily random. I remember having read someone saying
that. So since there is no offset difficulty, I think Pi could
function in the scheme I sketched just as well as a natural language
text.
>
> >As already said, a TRNG is an ideal.
>
> As already stated I disagree with you in the same sense that a Perfect
> Circle is an ideal but that does not stop engineers from coming up
> with designs that work exceptionally well in the real world.
>
> Remember that there are fundamental limits on decryption - for example
> there is only so much energy in the Universe, and it takes energy to
> do decryption. It also takes memory in some cases, and there is only
> so much matter in the Universe (although the recent discovery of
> "Ghost Matter" makes that number much larger than currently known.)
Covered by what I wrote at the beginning about 'approximation'.
>
> >You can approximate it with
> >a well-designed physical device. But that has more or less bias
> >nontheless and is not PERFECT. A RFC on that (I don't have the number
> >at hand) treats the topic of dealing with the bias in a practically
> >useful way.
>
> RFC 1750. But that is not intended to be the last word on such an
> involved topic. Anyway if you are concerned about bias and
> correlation, test the output. In fact, part of the specification we
> discussed for a TRNG was to test the output in real time to make sure
> it is not outputting all 0s or all 1s - known as a Broken TRNG.
I ALSO hope that that is not the last word in science, or else we
would really get a PERFECT random number generator (and the field
of cryptology comes to an end).
> >If you use arbitrary offsets, you would get troubles in most cases
> >for practical computation.
>
> As I understand it, the BBP method relies on the ability to compute
> the nth digit for terms of the type 1/n. I suppose if you cannot
> express a given transcendental constant in terms of a series in 1/n,
> then you would have to look for other ways. I thought there were other
> ways than just the BBP method used for Pi initially.
>
> >The only exception known to me is Pi, for
> >which you can start to obtain the digits at an arbitrary position.
>
> Why is Pi the lone exception? Surely it is not so special that only it
> can be digit expanded.
There is recently an article in Mathematical Intelligencer on
computation of e. There is nothing there for starting computing at a
given offset, if I don't err. Perhaps someday some mathematitians
find such methods for many transcendental functions. But apprarently
Pi is the first and currently single instance where there is success.
>
> >Of course, if some sequences have been computed to hundreds of
> >millions of digits and are available from a server, then that suffices
> >for practical purposes, i.e. for any practical offsets.
>
> Apparently you believe it is possible to digit expand transcendental
> constants other than Pi.
There are specially designed software packages for computing with
arbitrarily many digits. Of course they are very time-consuming
so that they are non-practical under circumstances. I don't
understand your last sentence. Firstly, which previous sentence of mine
is connected with your word 'believe'? Secondly, all transcendental
functions mathematically known have, by definition, a least one
(even if extremely awkward or costly) way of computing to an
arbitrarily accuracy, i.e. obtaining as many significant digits as
one wants, given the appropriate computing resources.
>
> >The output of a PRNG has a finite period length, even though it may be
> >very large. A transcendental constant does not have that, it is not
> >periodic.
>
> Is that always true? Someone a year ago claimed that it is not
> universally true.
Both are true. The first is evident. A terminating digit sequence
represent a rational number. So the second is also true.
>
> >But whether a finite subsequence of such a constant has
> >good statistical qualities could be a matter of concern for practice.
>
> Define "good statistical qualities"?
It depends on the application. You may want a certain distribution
and the question is how good is the expected approximation to that.
For cryptological applications, I believe the ideal that is to be
approximated is white noise, which means that the auto-correlation
function has the value zero, except at a single point.
>
> Remember that you cannot formally prove that a number is random, only
> that it is not random. Just because a given number has no bias or
> correlation does not mean that it is crypto-grade.
Please compare the first part of my response of 07 Jan 18:00:11+0100.
>
> >Yes. But again remember a TRNG is not strictly speaking obtainable
> >and that the best physical device only approximates it.
>
> And the best "approximations" are more than adequate for purposes of a
> totally secure OTP cryptosystem. The reason is that the TRNG relies on
> the intrinsic randomness of some physical process that is known to be
> totally random in the crypto sense. Radioactive decay is one such
> physical process.
Again, I never say that physical devices are bad. Why do you
exclude software devices from capable of being good from the
very beginning? If software devices can be made as good, then
they have the advatange of being cheap.
>
> >That is, one uses the leverage of one half of the key space to
> >render the brute force time to become a practically infeasible value
> >for the analyst. The price the user pays is some higher processing time.
>
> If the key is 56 bits in length, then at most there are 2^56 possible
> ciphertexts for a given message. If the message is longer than the
> uniticty distance (8.2 ASCII characters), only one human intelligible
> message will be be discovered in a brute force attack.
The crucial point is how long it takes to brute force. I have given
in one case the average expected time.
>
> I fail to see how other considerations play any part.
Please substantiate.
M. K. Shen
------------------------------
From: Darren New <[EMAIL PROTECTED]>
Subject: Re: On the Generation of Pseudo-OTP
Date: Thu, 07 Jan 1999 17:37:37 GMT
> I understand a TRNG to be an IDEAL random number generator, with
> sequences absolutely unpredicable, in particular without any bias.
> Such a perfect thing simply can't exist in the real world, though
> the concept is useful.
Why do you say such a thing? Quantum physics is full of random events
that have no bias, and indeed no known way of even influencing them to
have a bias. Radioactive decay springs to mind. Modern devices
appropriate for a computer card are built with semiconductors
reverse-biased (i.e., "hooked up backwards") with the leakage caused by
individual quantum electron events measured to produce the random
numbers.
Heck, SGI (if I remember who properly) even has a patent on using lava
lamps to generate random numbers.
> > that must be taken in the construction of such a device. For example,
> > electromagnetic shielding is crucial, as any 50 or 60 cycle
> > alternating current noise pickup would introduce periodic patterns in
> > the output electronics.
If you use electronics, yes. I don't think you'd need to worry as much
if you used radioactivity.
--
Darren New / Senior Software Architect / MessageMedia, Inc.
"You could even do it in C++, though that should only be done
by folks who think that self-flagellation is for the effete."
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
