Cryptography-Digest Digest #865, Volume #8        Fri, 8 Jan 99 08:13:05 EST

Contents:
  Re: Chosen-Signature Steganography (Tom)
  Re: Birthday Attack calculations. (Matthew Skala)
  Re: RSA-Modulus decomposition (James Pate Williams, Jr.)
  Re: On leaving the 56-bit key length limitation ([EMAIL PROTECTED])
  Re: On the Generation of Pseudo-OTP (R. Knauer)
  Re: ScramDisk - password size - high ASCII ([EMAIL PROTECTED])
  RSA-Modulus decomposition ([EMAIL PROTECTED])
  Re: On the Generation of Pseudo-OTP (R. Knauer)
  Re: On the Generation of Pseudo-OTP (R. Knauer)
  Re: On the Generation of Pseudo-OTP (R. Knauer)
  Re: Chosen-Signature Steganography (Matthias Bruestle)
  Re: RSA-Modulus decomposition ([EMAIL PROTECTED])
  OCX/DLL wanted ("Jonas Westberg")
  Re: On the Generation of Pseudo-OTP (R. Knauer)
  Re: What is left to invent? (R. Knauer)

----------------------------------------------------------------------------

From: Tom <[EMAIL PROTECTED]>
Subject: Re: Chosen-Signature Steganography
Date: Fri, 08 Jan 1999 01:26:28 -1000

David A Molnar wrote:
> 
> Nicko van Someren <[EMAIL PROTECTED]> wrote:
> 
> > The idea here was spotted by Gus Simmons while working on
> > equipment to verify the Strategic Arms Limitation Treaty (SALT).
> > He called this sort of steganography a "Subliminal Channel".
> > He presented a paper on it at Crypto'83 (from memory, it might
> > have been '82).
> 
> Yes, this. He also went on to do a fair amount of work in this area.
> I went looking for papers on "subliminal channels" and found
> that there's an IEEE Transactions on Specific Areas in Computing
> with an article on "The History of Subliminal Channels" by Simmons.
> 
> also a paper on whether a subliminal-channel free sig or crypto scheme
> is possible, but I haven't read that yet.
> 
> I was wondering if anyone had thought of something useful to
> shove into 'em (software failure modes, anyone ?) , and looks
> like yes.
> 
> -David

Yes, this is where a side channel is a useful concept. The plaintext 
message can tell someone a large amount of info, like the name of a bank, 
its branch, phone number, address, and account number. The signature can 
hold a tiny secret number like a PIN.

------------------------------

From: [EMAIL PROTECTED] (Matthew Skala)
Subject: Re: Birthday Attack calculations.
Date: 7 Jan 1999 19:07:20 -0800

In article <[EMAIL PROTECTED]>,
Fred Van Andel <[EMAIL PROTECTED]> wrote:
>For a 256 bit hash you will need to create more than  2^128 hashes
>before the odds of a collision reach 50%.
>
>Do You know how long that will take on my 486-66. Or even a planet
>full of computers for that matter. The indirect evidence is the ONLY
>indication of collision resistance.

You forget that in Mr. Scott's universe, an attack on a keyspace of size
2^128 is trivial for the NSA and a matter of a few months work for a
dedicated amateur.
-- 
The third girl had an upside-down penguin on       Matthew Skala
her stomach, so the doctor told her, "I'll           Ansuz BBS
examine you for free, if you and your             (250) 472-3169
boyfriend will debug my Web server."    http://www.islandnet.com/~mskala/

------------------------------

From: [EMAIL PROTECTED] (James Pate Williams, Jr.)
Subject: Re: RSA-Modulus decomposition
Date: Fri, 08 Jan 1999 10:39:01 GMT
Reply-To: [EMAIL PROTECTED]

[EMAIL PROTECTED] wrote:

>It is very easy to find decomposition of a
>modulus to its primes.

What is the computational complexity of your attack in terms of the
bit length of the modulus (n = pq)?

==Pate Williams==
[EMAIL PROTECTED]
http://www.mindspring.com/~pate



------------------------------

From: [EMAIL PROTECTED]
Subject: Re: On leaving the 56-bit key length limitation
Date: Fri, 08 Jan 1999 10:28:01 GMT

Ed Gerk wrote:
[Replying to Bryan Olson]
> I note that you wrote:
>
> "...unicity distance only ensures that more than one possible decryption
> exists"
>
> and, also:
>
> "A cryptanalyst may still get large amounts of useful information."
>
> BOTH are wrong.

Obviously we disagree, and this is not a matter of opinion.

[...]
> As a side remark, when I first read your reply to my original message I
> recalled how often I am still amused by the "holier than thou" attitude I
> can see on the Internet...the same feeling I had when I read another reply of
> yours, also in this forum.
>
> I say this because IMO, in a public debate by e-mail one should very seldom
> declare that something is "wrong", since there are always so many
> things the sender did not perhaps say and so many things I could not ask right
> then. So, I seldom find myself in a position where I feel justified in all
> fairness to say that something is "wrong" -- I will rather say "misleading",
> "confusing", "obscure" or even "ambiguous".

As a side response I again disagree, this time on a matter of
opinion.  In a technical discussion one should phrase one's
positions so that they are definitely true or false.  This
holds even when one takes a stance on another's position.
There is nothing inappropriate in reporting that a result is
wrong.  The best response to a disagreement is to present
precise quantitative reasoning to show that one's position
is correct.

So back to the technical issue.  I note that you merely repeat
your position that I'm wrong.  You present no argument for your
side, and have simply deleted all of mine.  I will present one
of mine again:

Consider the situation in which the message space has several
plausible messages, but the conditional probabilities, given the
ciphertext, show that "Attack at dawn with 3000 men." has a
probability of 0.599999, and "Attack at dawn with 3006 men"
has a probability of 0.399999.  Using Shannon's formula for
entropy, I calculate the equivocation of the plaintext is
0.97 bits.  Shannon defined the unicity distance as the number
of intercepted characters for which the equivocation in the
plaintext is very close to 0.  0.97 bits is not very close to
zero, therefore unicity has not been reached.

I claimed that an attacker may get useful information from
the ciphertext even if he does not have enough ciphertext to
reach unicity.  You, Ed, stated that I was wrong.  The above
example is of course contrived, but nevertheless, the
conditional probabilities are possible.  The attacker does
not have enough ciphertext to reach unicity.  The attacker
does obtain a great deal of useful information from the
ciphertext.  My claim that you quoted above, "A cryptanalyst
may still get large amounts of useful information." is true.


> So, please see my remark above -- when I affirmed that your declarations were
> "BOTH wrong" -- as an exception, which I only use when the mistake is twice
> confirmed. Please do not see it as a sign of impoliteness or arrogance.

No problem; I'll take it as a technical position.  But as such
a mere affirmation seems inadequate.  I challenge you to back
up your claim that my position, defended in the argument above,
is wrong.

> If you browse to http://www.mcg.org.br/uncity.txt you will see the new version
> of the posting (list: thanks for all comments and also those in private) and
> there you will be able to read what Shannon actually wrote, and my comments on
> it:
>
> |Shannon [Sha49] defined "unicity distance"  (hereafter, "n") as the
> |least amount of plaintext which could be uniquely deciphered from the
> |corresponding ciphertext -- given unbounded resources by the
> |attacker. The "amount" of plaintext (i.e., "n") can be measured in any
> |units the user may find convenient, such as bits, bytes, letters,
> |symbols, etc. Actually, Shannon used "letters" in his paper.
> |
> | NOTE: Please note that "unicity distance" is actually not a
> | "distance". It is not a metric function and does not satisfy the
> | intuitive properties we ascribe to distance. Thus, to reduce
> | confusion, from now on I will only use the term "unicity".
> |
> |In few words, "unicity" is the least message length that can be
> |uniquely deciphered. As we will see, this number depends on several
> |factors -- some explicit, most implicit.

What Shannon actually wrote???  The longest quote of Shannon
in the above is all of two words.

> Thus, for the sake of dialogue, it might be better for you to get in synch
> with Shannon before we talk about what I am revisiting in that exposition.

Good idea.  Does Shannon think an attacker can get useful
information from ciphertext without having enough of it to
reach unicity?

    There are some systems that are perfect - the enemy is
    no better off after intercepting any amount of material
    than before.  Other systems, although giving him some
    information, do not yield a unique "solution" to the
    intercepted cryptograms.

[...]

    It is natural to define /perfect secrecy/ by the condition
    that, for all /E/ the /a posteriori/ probabilities are equal
    to the /a priori/ probabilities independently of the values
    of these.  In this case, intercepting the message has given
    the cryptanalyst no information.  Any action of his which
    depends on the information contained in the cryptogram
    cannot be altered, for all of his probabilities as to what
    the cryptogram contains remain unchanged.  On the other hand,
    if the condition is /not/ satisfied there will exist situations
    in which the enemy has certain /a priori/ probabilities, and
    certain key and message choices may occur for which the enemy's
    probabilities do change.  This in turn may affect his actions
    and thus perfect secrecy has not been obtained.

    [Shannon, C. E. "Communication Theory of Secrecy Systems", Bell
     Systems Technical Journal, vol. 28, pp. 656-715, 1949]


> Before you do that, I better stop here since I have already exhausted my quota
> of "wrongs" that civil rules of discourse tell me should be employed in a
> mutually profitable dialogue.

If it's up to me, I grant you all the "wrongs" you could use
in a lifetime.  I'd much prefer you meet a quota of mathematical
reasoning than avoid exceeding one of perceived impropriety.

--Bryan

============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/       Search, Read, Discuss, or Start Your Own    
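Bryan's 0.97-bit figure, worked through as an added example (this is not code from either poster): a toy Caesar-shift system over a small, constructed message space, where the plaintext equivocation is the entropy of the posterior over messages still consistent with an intercepted prefix, and Shannon's unicity point is the first intercept length at which that equivocation reaches zero. The messages and priors are constructed so that after nine letters two candidates survive with posterior 0.6 and 0.4, while the attacker has already learned about one bit.

```python
import math

ALPHA = "abcdefghijklmnopqrstuvwxyz"

# Constructed message space: a priori probabilities of the plausible plaintexts.
# All candidates have the same length so that length alone leaks nothing.
MESSAGE_SPACE = {
    "attackatdawn": 0.30,
    "attackatdusk": 0.20,
    "holdposition": 0.25,
    "retreatquick": 0.25,
}


def shift(text, key):
    """Caesar shift of lowercase text by key positions (the toy cipher)."""
    return "".join(ALPHA[(ALPHA.index(ch) + key) % 26] for ch in text)


def entropy_bits(probs):
    """Shannon entropy in bits; zero-probability terms contribute nothing."""
    return -sum(p * math.log2(p) for p in probs if p > 0)


def consistent(message, intercept):
    """True if some key maps the first len(intercept) letters of message onto
    the intercept.  A single shift key fixes all letter differences, so the
    key implied by the first letter must work for the whole prefix."""
    n = len(intercept)
    if len(message) < n:
        return False
    key = (ALPHA.index(intercept[0]) - ALPHA.index(message[0])) % 26
    return shift(message[:n], key) == intercept


def posterior(space, intercept):
    """P(message | intercept).  The key is uniform, so P(intercept | message)
    is the same constant for every consistent message and the posterior is
    just the prior renormalised over the consistent ones."""
    surviving = {m: p for m, p in space.items() if consistent(m, intercept)}
    total = sum(surviving.values())
    if total == 0:
        return {}
    return {m: p / total for m, p in surviving.items()}


def equivocation(space, intercept):
    """Shannon's plaintext equivocation H(M | C) for this intercept, in bits."""
    return entropy_bits(posterior(space, intercept).values())


def information_gained(space, intercept):
    """Bits the attacker has learned about the message so far:
    prior entropy minus the remaining equivocation."""
    return entropy_bits(space.values()) - equivocation(space, intercept)


def unicity_length(space, plaintext, key, tol=1e-9):
    """Smallest intercept length at which the equivocation is (essentially)
    zero, i.e. the plaintext is uniquely determined; None if never reached."""
    ciphertext = shift(plaintext, key)
    for n in range(1, len(ciphertext) + 1):
        if equivocation(space, ciphertext[:n]) <= tol:
            return n
    return None


if __name__ == "__main__":
    c = shift("attackatdawn", 3)
    for n in (1, 2, 9, 10):
        print(f"{n:2d} letters: equivocation {equivocation(MESSAGE_SPACE, c[:n]):.3f} bits,"
              f" gained {information_gained(MESSAGE_SPACE, c[:n]):.3f} bits,"
              f" posterior {posterior(MESSAGE_SPACE, c[:n])}")
    print("unicity reached at", unicity_length(MESSAGE_SPACE, "attackatdawn", 3), "letters")
```

After two letters the two "retreat"/"hold" candidates are already gone, yet the two "attack" messages stay indistinguishable until the tenth letter, which is exactly the situation Bryan describes: useful information before unicity.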

------------------------------

From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: On the Generation of Pseudo-OTP
Date: Fri, 08 Jan 1999 11:30:54 GMT
Reply-To: [EMAIL PROTECTED]

On Fri, 08 Jan 1999 08:30:24 +0100, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:

>Have you ever encountered a physical device that is absolutely
>perfect??

Have you ever encountered a written statement that is Absolutely
Perfect?

For example, is the written statement you just made Absolutely
Perfect?

Bob Knauer

"The American Republic will endure, until politicians realize they
can bribe the people with their own money."
--Alexis de Tocqueville


------------------------------

From: [EMAIL PROTECTED]
Subject: Re: ScramDisk - password size - high ASCII
Date: Fri, 08 Jan 1999 10:52:51 GMT

In article <[EMAIL PROTECTED]>,
  Brad Aisa <[EMAIL PROTECTED]> wrote:
> Jim Rollins wrote:
>
> > I understand that bigger is better, when it comes to passwords, and that
> > the more random a password is the less successful a dictionary attack
> > will be.  For the moment however, let us forget the ease with which a
> > short password could be calculated.  My first question is, does the
> > length of the password have any effect on the randomness of the encoded
> > volume?  Put another way, will a ScramDisk volume with a short password
> > be any less subject to decryption than a volume with a long password?  I
> > believe the name for the type of attack I'm thinking of is
> > cryptoanalysis, a direct attack upon the contents of the encoded file.
>
> I cannot speak for ScramDisk in particular (though I have evaluated it,
> and consider it and excellent product),

Thanks.

> however any serious
> cryptographic system worth its salt :) either "hashes" or otherwise
> scrambles its passwords, before using them as keys, or uses a cipher
> whose ciphertext is relatively random with respect to any arbitrary
> key.

I can confirm that ScramDisk uses a hash (SHA-1 to be specific) to compress an
arbitrary length passphrase into a fixed width 160-bit digest.


Cheers,

Sam Simpson
Comms Analyst
-- http://www.hertreg.ac.uk/ss/ for ScramDisk hard-drive encryption & Delphi
Crypto Components.  PGP Keys available at the same site.


------------------------------

From: [EMAIL PROTECTED]
Subject: RSA-Modulus decomposition
Date: Fri, 08 Jan 1999 10:06:43 GMT

Hello all,

It is very easy to find decomposition of a
modulus to its primes.
Let n=pq be a modulus. Let m be a least
message for which m^2 mod n = m.
Then m-1 is p or q.

For more details please refer to

www.online.de/home/aernst/RSA.html

or follow the link 'RSA-NULL Security' at

www.online.de/home/aernst

Regards
Alex


------------------------------

From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: On the Generation of Pseudo-OTP
Date: Fri, 08 Jan 1999 11:47:29 GMT
Reply-To: [EMAIL PROTECTED]

On Fri, 08 Jan 1999 01:23:28 GMT, Darren New <[EMAIL PROTECTED]>
wrote:

>> A patent? Hmm... Is that how our tax dollars are being wasted?

>I fail to see what patents have to do with wasted tax dollars.

Hmm... sounds like a political statement to me.

>> Turbulence in a bulk fluid is not quantum mechanical at the
>> macroscopic level, so I question whether it is random on that basis.

>I was just pointing out that there are random processes that aren't QM
>in nature, also.

And I was just pointing out that you need to prove that statement.
Macroscopic chaos does not necessarily mean crypto-grade randomness. 

The fact that the weather can be predicted to a good level of
approximation for the first few days is a good indication that chaos is
not random.

>> Chaotic, yes, but is it really random? There could be long wavelength
>> correlations inherent in the geometry of a lava lamp that would
>> introduce non-random features.

>Not after you run the bitmap you photographed thru a cryptographic hash,
>I would expect.

A year ago we discussed the use of a hash to introduce randomness into
bit sequences (e.g. antiskew), and concluded that because a hash is an
algorithmic procedure, it cannot be counted on to produce crypto-grade
randomness required for the OTP cryptosystem.

Remember that crypto-grade randomness is not a property of the number.
There is no formal way to decide that a number is random, nor is there
a formal way to make a number random.

A crypto-grade random number is the output from a TRNG, which is a
physical device capable of generating all possible sequences of a
given finite length equiprobably. That capability comes from the
intrinsic randomness of the physical process upon which the TRNG is
based.

Furthermore chaos does not imply randomness, at least not for purposes
of the OTP cryptosystem.

>I think a photomultiplier (or whatever one for beta decay measurement is
>called) has enough amplification to not be affected by minor
>fluctuations in the power feeding the coils.

Coils? Has the design of the PM tube changed all that much since I
first used one? Why doesn't anyone tell me these things?

If anything, a photomultiplier is incredibly sensitive to external
electromagnetic interference. Just ask the folks at Precision Mica who
make exotic mu-metal shields for use with PM tubes.

>And yes, you could use a fluoroscope with a computer watching the screen,
>for example. :>

Mr. Wizard Strikes!

>Nuff said.

If you say so.

Bob Knauer



------------------------------

From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: On the Generation of Pseudo-OTP
Date: Fri, 08 Jan 1999 11:55:04 GMT
Reply-To: [EMAIL PROTECTED]

On Thu, 07 Jan 1999 18:42:44 -0800, "Kevin G. Rhoads"
<[EMAIL PROTECTED]> wrote:

>Therefore any number with a periodic (insert number base of one's
>choice) digit expansion  is NOT transcendental.   

OK, how does one define "transcendental" as a practical matter without
having to rely on a circular definition? IOW, how do I know that ln(2)
is transcendental?

>QED (with rigorous parts elided -- easiest is proof by construction,
>showing how to construct a rational representation given the
>repeating digit expansion.  Should anyone truly be interested,
>I can sketch those proof steps.

Please do. I for one am interested in understanding how the properties
of PRNG do and do not apply to digit expansions of transcendental
constants.

For example, one of the primary rules about a PRNG is that it is
periodic, whereas as you just stated the digit expansion of a
transcendental is not periodic. Yet a digit expansion is an
algorithmic procedure that can be carried out on a finite state
machine (computer) just like a PRNG. What makes the two different in
that regard?

>[Only my bachelor's was in
>theoretical math, I switched to EE/CS in grad. school])

Smart move. One thing the world does not need is another unemployed
academic.
 
>(Linearity is a convenient fiction.)

So is most of mathematics a convenient fiction. :-)

Ever run into a Perfect Circle in reality?

Bob Knauer



------------------------------

From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: On the Generation of Pseudo-OTP
Date: Fri, 08 Jan 1999 12:22:00 GMT
Reply-To: [EMAIL PROTECTED]

On Fri, 08 Jan 1999 09:21:36 +0100, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:

>Please note that in NO place in my original post there were a claim
>of the sort 'Hi, look, I have invented something exactly as good
>as an ideal OTP!'.

I realize that. But I am pointing out that by using the term "pseudo
OTP", you are implying that it is a good approximation to an actual
OTP.

There is a *fundamental* difference between a natural language text
stream - however you doctor it - and the output of a TRNG.

>I was simply calling attention to a (I believe)
>possibly fruitful way of obtaining something (I term it pseudo-OTP)

And it is that usage to which I object, not on pedantic grounds but
because it is fundamentally incorrect usage.

>that could, on the assumption that suitable techniques (either
>currently known as I sketched or yet to be developed or refined)
>are applied,

We already discussed/debated that whole matter a year ago and
concluded that a text cipher, no matter how you buggered it, is still
fundamentally different from an OTP generated by a TRNG.

>approximate an ideal OTP

One cannot "approximate" an OTP per se. One can approximate the
unbreakability, perhaps.

I think what you are trying to say is that it may be possible to
concoct a text stream cipher that is, to a very good degree of
approximation, as good as an OTP.

>to some (for practical
>purposes) satisfactory degree just as some good hardware devices
>are supposedly already doing that way.

That remains to be proven. The discussion a year ago raised serious
doubts with respect to text streams. The problem was how to remove the
inherent correlations in the least significant bits selected for the
bit sequence. I proposed using the decorrelation methods described by
Schneier in his main book, but others claimed that such methods did
not remove text stream correlations, even if the stream were
antiskewed first.

>I hope that this clears
>up some misunderstandings. I don't doubt that much experiments
>are needed in order to get really good pseudo-OTP.

I still object to the use of the term "pseudo-OTP" as being
fundamentally incorrect.

Look, I used the same term a year ago and got my stuff jumped from all
quarters. And I ended up agreeing with those critics because the point
they were making had very fundamental significance.

The fact that it took some thousand to get it right is a measure of
how confusing this topic can be, largely due to prejudices that come
from learning statistical mathematics.
 
>Music and voices are also good sources for use in similar sense
>as the texts, if devices are available to digitalize them. Note that
>I am not anti-hardware.

I was thinking of a music CD.

>A physical device may, if one wants, be
>integrated in my proposed scheme.

A music CD represents the data that comes from physical devices,
namely musical instruments and associated electronics, and therefore
is different from a natural language text stream. There is enough
music to download on the Internet to make text unnecessary as a source
for a stream cipher.

Also, human speech might work. It might turn out that one of the best
sources of randomness is a political speech, like a debate on the
floor of congress. The recent impeachment debates in the House could
very well be a very rich source of complete randomness for decades to
come.

Or if you want to engage in irony, use the speeches that were given in
the congressional debate over key length legislation. IOW, use the
politicians' own verbalizations to encrypt unbreakable messages. :-)

Bob Knauer



------------------------------

From: [EMAIL PROTECTED] (Matthias Bruestle)
Subject: Re: Chosen-Signature Steganography
Date: Fri, 8 Jan 1999 11:43:42 GMT

Mahlzeit


Tom ([EMAIL PROTECTED]) wrote:
> How do you know "my" as the first word is the right plaintext after 
> searching 2 million keys and how do you know that "no" is the wrong 
> plaintext after that search? Will you not use the protocol to confirm 
> correctness of the result?

There are not 2 million keys there are only 1000 keys which give
1000 possible plaintexts.

The attacker tries out every PIN from 000 to 999 and gets for each
PIN a plaintext.

They look probably something like this:

h74xkjg386g76d342jcv363h7u48fjrh7
g7g8hui4h49z67gfgw03j69chskr8zh58
f64jb8 ug96h349f7b8 hzfi60h837h79
vu 8h679gv834h9uj7834hiv9ugh69e7v
my phone number is 1 212 783 8378
fg8ggh3498679g74bnih8 785hj9hj73g

Selecting the right message from 1000 can even be done by a human.


Mahlzeit

endergone Zwiebeltuete

--
PGP: SIG:C379A331 ENC:F47FA83D      I LOVE MY PDP-11/34A, M70 and MicroVAXII!
-- 
If liberty means anything at all, it means the right to tell people
what they do not want to hear.  -- George Orwell (Eric Blair)
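Matthias's 1000-plaintext picture as an added example (not code from anyone in the thread): a constructed toy channel in which a 3-digit PIN keys a SHA-256-derived keystream that masks the secret text, and an automated readability score plays the role of the human picking out the one readable line. The masking scheme and the sample secret are constructed stand-ins; the point is that a roughly 10-bit secret needs no confirmation protocol at all, because the plaintext's own structure confirms the right key.

```python
import hashlib
import math
import string

# Bytes the scorer accepts as "readable": lowercase letters, digits, space.
PLAUSIBLE = frozenset((string.ascii_lowercase + string.digits + " ").encode())


def keystream(pin, length):
    """Toy keystream: SHA-256 of the zero-padded PIN, repeated to length.
    Constructed stand-in for whatever keyed transform a real channel uses."""
    digest = hashlib.sha256(f"{pin:03d}".encode()).digest()
    return (digest * (length // len(digest) + 1))[:length]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide(pin, secret):
    """Sender side: mask the secret text with the PIN-derived keystream."""
    data = secret.encode()
    return xor_bytes(data, keystream(pin, len(data)))


def unmask(pin, masked):
    """Receiver (or attacker) side: apply the same keystream for a given PIN."""
    return xor_bytes(masked, keystream(pin, len(masked)))


def plausibility(candidate):
    """Fraction of bytes that look like readable text: the automated 'eye'."""
    return sum(b in PLAUSIBLE for b in candidate) / len(candidate)


def rank_pins(masked):
    """Unmask under every 3-digit PIN and order the candidates, best first."""
    scored = [(plausibility(unmask(pin, masked)), pin) for pin in range(1000)]
    scored.sort(reverse=True)
    return scored


def recover(masked):
    """Return (pin, plaintext, best score, margin over the runner-up)."""
    ranked = rank_pins(masked)
    (best_score, pin), (second_score, _) = ranked[0], ranked[1]
    text = unmask(pin, masked).decode(errors="replace")
    return pin, text, best_score, best_score - second_score


def key_bits(pin_digits=3):
    """Entropy of the secret: log2(10**digits), about 10 bits for 3 digits."""
    return math.log2(10 ** pin_digits)


if __name__ == "__main__":
    masked = hide(783, "my phone number is 1 212 783 8378")  # constructed sample
    print(recover(masked))
    print(f"{key_bits():.1f} bits of key")
```

Wrong PINs give byte soup in which only about 37/256 of the bytes fall in the readable set, so the true PIN's score of 1.0 stands far above every other candidate.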

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: RSA-Modulus decomposition
Date: 8 Jan 99 13:07:52 GMT

In sci.crypt [EMAIL PROTECTED] wrote:

> It is very easy to find decomposition of a
> modulus to its primes.
> Let n=pq be a modulus. Let m be a least
> message for which m^2 mod n = m.
> Then m-1 is p or q.

Even easier. Find m as the least integer so that m^2 = 0 mod n
Then m is the smaller of p and q.

(all you said was search for a factor of n ... start with m=1 and go until
you get m^2=0 mod n or m^2=m mod n? The universe will be dark (all the
stars burnt out) before you factor a 1000 bit n that way)
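The "search until m^2 = m mod n" idea from both posts, carried out as an added example (not code from either poster) on constructed toy moduli: a linear search for the least non-trivial idempotent m of n = pq, recovery of the two primes as gcd(m, n) and gcd(m - 1, n), and a count of the search steps. Because a non-trivial idempotent is a positive multiple of one of the primes, the search runs at least min(p, q) steps, about 2^(k/2 - 1) for a k-bit modulus with balanced primes, which is the cost the reply is pointing at for a 1000-bit n.

```python
from math import gcd


def least_nontrivial_idempotent(n):
    """Linear search for the least m in 2..n-2 with m*m % n == m.

    For n = pq the non-trivial idempotents are the CRT images of (0, 1) and
    (1, 0) mod (p, q), so exactly two exist.  Returns (m, steps) or
    (None, steps) when n has no such m (e.g. a prime or a prime power).
    """
    steps = 0
    for m in range(2, n - 1):
        steps += 1
        if (m * m) % n == m:
            return m, steps
    return None, steps


def factors_from_idempotent(m, n):
    """A non-trivial idempotent is 0 mod one prime and 1 mod the other, so
    the two gcds split n whether or not m - 1 happens to be a prime itself."""
    return tuple(sorted((gcd(m, n), gcd(m - 1, n))))


def factor_by_idempotent(n):
    """Full toy procedure: search, then split.  Returns ((p, q), steps)."""
    m, steps = least_nontrivial_idempotent(n)
    if m is None:
        return None, steps
    return factors_from_idempotent(m, n), steps


def search_lower_bound(n_bits):
    """Steps the search needs at minimum for a k-bit modulus with balanced
    primes: the least idempotent is a multiple of a prime of about k/2 bits."""
    return 2 ** (n_bits // 2 - 1)


if __name__ == "__main__":
    # Constructed toy moduli: 21 = 3 * 7 and 3233 = 53 * 61.
    for n in (21, 3233):
        print(n, factor_by_idempotent(n))
    print("1000-bit modulus: at least 2^%d steps" % (search_lower_bound(1000).bit_length() - 1))
```

For 3233 the least non-trivial idempotent is 1220, and 1219 is not a prime factor; it is gcd(1219, 3233) = 53 that is, so the gcd step is what actually does the splitting.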

------------------------------

From: "Jonas Westberg" <[EMAIL PROTECTED]>
Subject: OCX/DLL wanted
Date: Fri, 8 Jan 1999 14:07:18 +0100

Please let me know if you know of any Components that can be used in Visual
Basic applications (OCX/DLL).

- Public Key Algorithm (RSA key generation, encryption and signing)
- Secret Key Algorithm (free block or Feistel cipher like CAST)

Thanks....

Jonas Westberg
[EMAIL PROTECTED]





------------------------------

From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: On the Generation of Pseudo-OTP
Date: Fri, 08 Jan 1999 12:57:38 GMT
Reply-To: [EMAIL PROTECTED]

On Fri, 08 Jan 1999 09:51:42 +0100, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:

>Since you have accepted that an ideal can only be approximated in the
>real world,

I knew that many decades ago.

>But one
>has also to take into account the expense, the technique, etc. 
>available in a given application environment and a PRNG normally
>costs practically nothing.

That is one motive for considering an alternative to both the PRNG and
the TRNG - like what we are discussing here.

>Your 'by definition' evidently refers to an IDEAL random number
>generator, which (almost 'by definition') can't exist in the real
>world. If the bias of a physical device is strong enough, it is
>well conceivable that all kinds of statistical anomalies could
>occur.

I think it is accepted that some kind of antiskewing must be employed
in a TRNG. 

For example, in one design for a radioactive decay TRNG, the designer
removed bias by taking two measurements of the time between
decays and used that to create the output. Since decay intervals will
be distributed in an unbiased way, bias was effectively removed
without recourse to algorithmic procedures.

On a different point, I have not seen anyone criticize the algorithmic
methods of antiskewing such as those described in RFC1705 or
Schneier's main book. It is periodicity and correlation in stream
ciphers that people seem to be concerned about.

>I am not familiar with the term DES.

I think you mean DEG (Digit Expansion Generator), which is a method of
producing a stream that comes from digit expansion of a transcendental
constant like Pi.

>For Pi, the sequence appears
>to be satisfactorily random.

Once again I remind you that a number for crypto purposes is not
random per se. It is random for crypto purposes only because of the
way it is generated. There is no formal way to decide if a number is
random for crypto purposes.

>I remember having read someone saying
>that.

I also remind you that the term "random" has many different meanings
depending on the application. I have not seen anyone prove that the
digit expansion of Pi is random for purposes of crypto.

>So since there is no offset difficulty, I think Pi could
>function in the scheme I sketched just as well as a natural language
>text.

That remains to be proven.

Keep in mind that because one can calculate the nth and n+1th digits,
they are strongly correlated. That alone might be the undoing of the
DEG stream cipher.

>But apparently
>Pi is the first and currently single instance where there is success.

That is not what I thought I read when following links on the BBP
method on the Web.
 
>Secondly, all transcendental
>functions mathematically known have, by definition, at least one
>(even if extremely awkward or costly) way of computing to an 
>arbitrary accuracy, i.e. obtaining as many significant digits as 
>one wants, given the appropriate computing resources.

You seem to be missing the point here. I am not talking about
expansions of transcendental constants, I am talking about "digit
expansions".

A "digit expansion" is where you compute the nth digit without having
to calculate the previous n-1 digits. That permits you to effect a bit
stream by picking a very large offset where you begin the expansion,
beyond the range of already calculated values.

If someone knows the first billion digits of Pi and you use an offset
in that range for your digit expansion cipher, then it would be a
simple matter for a cryptanalyst to use it to find your offset - say
in a known plaintext attack.

But if the offset is very large, he would have to calculate all digits
at all offsets until he found your offset, which I presume could be made
computationally infeasible for large enough offsets, especially if you
mixed the streams from several arbitrary transcendental constants
together.

>You may want a certain distribution
>and the question is how good is the expected approximation to that.
>For cryptological applications, I believe the ideal that is to be
>approximated is white noise, which means that the auto-correlation
>function has the value zero, except at a single point.

You persist in the false belief that you can characterize a
crypto-grade random number by formal means. That is a fundamental
error. There is no formal method to decide that a number is random for
crypto purposes. None, zip, nicht, nada.

If you want an insight of the implications of this, I recommend
reading the works of Greg Chaitin (op. cit.).
 
>> Remember that you cannot formally prove that a number is random, only
>> that it is not random. Just because a given number has no bias or
>> correlation does not mean that it is crypto-grade.

>Please compare the first part of my response of 07 Jan 18:00:11+0100.

I do not maintain nor refer to archives. Please state your response
here so I and the others following this thread can see it. Thanks.
 
>Why do you 
>exclude software devices from capable of being good from the 
>very beginning? If software devices can be made as good, then
>they have the advantage of being cheap.

I am not excluding "software devices" outright. I am rejecting PRNGs. 

Digit Expansion Generators might have some merit if constructed
properly, although that remains to be seen. Stay tuned for further
developments as more people join this thread (hopefully).

Bob Knauer



------------------------------

From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: What is left to invent?
Date: Fri, 08 Jan 1999 13:00:10 GMT
Reply-To: [EMAIL PROTECTED]

On Fri, 8 Jan 1999 11:28:56 +1100, "Nick Payne"
<[EMAIL PROTECTED]> wrote:

>This reminds me of Lord Kelvin's pronouncement about a century ago that all
>of Physics had been discovered and all that was needed was a bit of tidying
>up around the edges...

He also calculated that the Earth should have cooled long ago. He did
not know about natural radioactive decay heating that stopped that from
happening.

Bob Knauer



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
