Cryptography-Digest Digest #257, Volume #9 Sat, 20 Mar 99 18:13:03 EST
Contents:
dongle, encryption ("DOREL Verlags GmbH & Co. KG")
Re: Random Walk (Medical Electronics Lab)
Re: One-Time-Pad program for Win85/98 or DOS (R. Knauer)
Re: pRNG that is "predictable to the left"? (Paul Onions)
Re: Random Walk (R. Knauer)
Re: SHS (Sha) ([EMAIL PROTECTED])
Re: SHS (Sha) ([EMAIL PROTECTED])
Re: Testing Algorithm (hash) (David A Molnar)
Splitting private keys ([EMAIL PROTECTED])
Re: The Magic Screw, Non-Secret Encryption, and the Latest WIRED (wtshaw)
Re: Quantum PRNG ([EMAIL PROTECTED])
Scramdisk (zom)
Re: pRNG that is "predictable to the left"? ("Steve Myers")
Re: a little math please (Thomas Pornin)
Re: One-Time-Pad program for Win85/98 or DOS (Jim Dunnett)
Re: One-Time-Pad program for Win85/98 or DOS (Jim Dunnett)
Re: One-Time-Pad program for Win85/98 or DOS (R. Knauer)
Re: One-Time-Pad program for Win85/98 or DOS (R. Knauer)
Re: Splitting private keys (David A Molnar)
----------------------------------------------------------------------------
From: "DOREL Verlags GmbH & Co. KG" <[EMAIL PROTECTED]>
Subject: dongle, encryption
Date: Sat, 20 Mar 1999 18:08:42 +0100
Hello!
Does anyone have experience with hardware dongles and their particular
encryption methods?
I want to find out which type of dongle, or rather which encryption method used,
would be the safest way to protect software against unauthorized use.
Each manufacturer claims to have the best and safest protection method. :-|
Could anyone help me please?
Regards, Oliver
------------------------------
From: Medical Electronics Lab <[EMAIL PROTECTED]>
Subject: Re: Random Walk
Date: Sat, 20 Mar 1999 12:18:47 -0600
R. Knauer wrote:
> There is no statistical test to decide if a keystream is crypto-grade
> random. Therefore ALL applications of statistical tests for that
> purpose are inappropriate and their results misinterpreted.
So the only thing you really know is that "crypto-grade random"
does not exist, specifically because you can not prove its
existence. All you can prove with statistics is that something
is obviously not random. Within some bound, using statistics,
you can say something is "probably random".
> Good statisticians, just like good physicists, know that it is
> misguided to characterize crypto-grade randomness with statistical
> tests. But that does not stop the false worship at the altar of
> statistical testing in crypto.
So why don't you build us a "crypto-grade random" generator
and prove it is that without using statistics tests. I bet
there are a lot of people around the world who'd be *very*
interested!
Patience, persistence, truth,
Dr. mike
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Crossposted-To: alt.security,alt.privacy
Subject: Re: One-Time-Pad program for Win85/98 or DOS
Date: Sat, 20 Mar 1999 15:57:41 GMT
Reply-To: [EMAIL PROTECTED]
On Sat, 20 Mar 1999 12:19:48 GMT, [EMAIL PROTECTED] wrote:
>>Why is the OTP system provably secure?
>Does that have anything todo with the large number of valid keys? (pads...)
It has to do with the fact that any key is equiprobable, therefore any
decryption of any given cipher is equiprobable, consistent with the
length of the ciphertext. Since all decryptions are equiprobable, the
cryptanalyst cannot decide which one is the intended message.
>>It depends on how many messages of what length you plan to send.
>Shouldn't you only end one message, then use another pad? Just like with RC4?
That is not the point. If the message is shorter than the unicity
distance, the key need not be as strong as when the message is longer
than the unicity distance. With the OTP system, since the message and
the key are the same length, the key must be completely crypto-grade
random.
In another sense, if you only plan on sending one message ever, the
keypad does not need to be as cryptographically strong as when you
plan on sending a large number of long messages. The reason is that
with one short message there is insufficient data for the cryptanalyst
to exploit any weaknesses in the keystream.
Do you know what the term "crypto-grade random" means, other than
meeting the requirements for the provably secure OTP system?
HINT: Crypto-grade randomness is not based on statistical testing of
the keystream.
Bob Knauer
"Every government always exercises the maximum amount of power its
rulers feel the people will stand for without revolting."
-- Alongside Night
------------------------------
From: Paul Onions <[EMAIL PROTECTED]>
Subject: Re: pRNG that is "predictable to the left"?
Date: Sat, 20 Mar 1999 15:44:53 +0000
Paul Onions wrote:
>
> I think an easier proof that Scott's construction can't exist is simply to show
>that:-
>
...
>
Oops. My apologies to Scott Fluhrer for assuming he'd proposed the
construction, it was actually Christoph Haenle.
Sorry about that...
Paul(o)
--
Paul Onions [EMAIL PROTECTED]
PGP 2.6.3 key available
D704688BEFBF2D5D 546BC1D603E2A8E0
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: Random Walk
Date: Sat, 20 Mar 1999 19:28:37 GMT
Reply-To: [EMAIL PROTECTED]
On Sat, 20 Mar 1999 12:18:47 -0600, Medical Electronics Lab
<[EMAIL PROTECTED]> wrote:
>> There is no statistical test to decide if a keystream is crypto-grade
>> random. Therefore ALL applications of statistical tests for that
>> purpose are inappropriate and their results misinterpreted.
>So the only thing you really know is that "crypto-grade random"
>does not exist, specifically because you can not prove its
>existence.
That does not follow at all.
A crypto-grade random number is very well defined in terms of the
process that creates it. A crypto-grade random number is one that is
produced by a TRNG.
> All you can prove with statistics is that something
>is obviously not random. Within some bound, using statistics,
>you can say something is "probably random".
You cannot even do that reliably.
The sequence "0000000000" is crypto-grade random if it is produced by
a TRNG. Yet it would fail statistical tests.
BTW, the use of the phrase "probably random" shows exactly why
statistical tests are not reliable for certifying crypto-grade
randomness. The frequency interpretation of probability only obtains
in the limit of infinite sequences. Even very long finite sequences
defy the frequency interpretation of probability. A single reading of
Feller (op. cit.) will convince you of that - check out the chapters
on Bernoulli processes, random walk and diffusion processes.
>So why don't you build us a "crypto-grade random" generator
>and prove it is that without using statistics tests. I bet
>there are a lot of people around the world who'd be *very*
>interested!
This has been discussed so many times that the only thing that a "lot
of people around the world" would do is get bored. Check the deja vu
archives with keyword "radioactive" for the several posts on this very
matter.
In summary, you must build a TRNG which is based on a true random
quantum mechanical process such as radioactive decay. Classical
chaotic systems are not guaranteed to be random, as weather
forecasters will point out.
Then you must build a scientific piece of equipment, one that can
withstand peer review audits. That equipment must be proven out at
every subsystem level using accepted techniques to demonstrate that
the subsystem is performing according to the design criteria. You must
provide internal subsystem diagnostics which are designed to alert you
to a *potential* malfunction. Included in these diagnostics are two
statistical tests on the output, namely to test for all 0s and all 1s.
Those two conditions represent a common failure mode for digital
electronics, namely a shorted or floating output respectively.
BTW, there is a writeup of a radioactive TRNG called "HotBits". I am
somewhat surprised that a regular like you to sci.crypt is unaware of
it. Look for it at: http://www.fourmilab.ch/hotbits/
Bob Knauer
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: SHS (Sha)
Date: Sat, 20 Mar 1999 19:42:15 GMT
> lacking detail? %-) this was the best description I was able to find,
> good explanations with many examples.
> I wrote an implementation of SHA just a few days ago, I think its source code
> is rather easy to understand (compared to the other SHA source codes I
> have found on the net), if you want me to send it to you let me know.
Well I am used to the simplicity of Dr. Rivest. Oh well. I like clear step
by step examples. There wasn't.
If you could provide clean documented (read: commented) source code, I would
like to see it.
Thanks,
Tom
============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: SHS (Sha)
Date: Sat, 20 Mar 1999 19:44:43 GMT
> The full spec including test vectors is here:
>
> http://www.itl.nist.gov/div897/pubs/fip180-1.htm
that's the one. The problem is I can't read the sub-script text. If anyone
has a .TXT translation I could use that.
Tom
------------------------------
From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: Testing Algorithm (hash)
Date: 20 Mar 1999 20:17:49 GMT
[EMAIL PROTECTED] wrote:
> Thanks for the feedback. No I performed some entropy tests on the output and
> it bombed. Well I am getting "Applied Cryptography" soon (for my b-day), and I
> hope to pick up some stuff from there.
_Applied Cryptography_ is an excellent b-day present. Whoever it is
that's giving it to you has good taste. :-)
-David Molnar (also got AC as a b-day present a while back)
------------------------------
From: [EMAIL PROTECTED]
Subject: Splitting private keys
Date: Sat, 20 Mar 1999 20:42:41 GMT
I am trying to find a way to divide a large private key (e.g. 1024)
into one large piece and another small piece (e.g. 128), such that the
owner of the key holds the small piece, and some other party holds the
large piece. When the key is needed, the 2 pieces are recombined on the
owner machine to a complete key.
Does anybody know any algorithms which perform such an operation?
------------------------------
From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: The Magic Screw, Non-Secret Encryption, and the Latest WIRED
Date: Tue, 16 Mar 1999 20:01:01 -0600
In article <[EMAIL PROTECTED]>, "Douglas A. Gwyn"
<[EMAIL PROTECTED]> wrote:
> If I were king,
> nobody would be allowed to work on creating crypto systems until
> after he has cracked several really tough ones.
You present too high a barrier. It is best to promote thought in all
areas of crypto than to limit people to following in someone else's wake.
Too much of the technical thinking is narrowly supportive of too few ideas
already. You sentence people to enter races predominated by only a few.
I suggest that people start more races in various directions, into
uncharted territory if they so desire.
Narrowness of crypto thinking seems prejudicial and parochial. While
understanding the mainstream, as it is, may be useful, it does not define
what is possible. The tendency is to restrict the genera to being only
defined in terms of certain algorithms rather than generalizing concepts
into scientific truths.
Surely, one can learn a great deal by doing rather than just following
along, with more or less required attention, but people do learn in
different ways. Breaking something can be illustrative of weaknesses
surely enough, but there are almost infinite ways to make algorithms too
hard to break given single human effort. Breaking a few chosen algorithms
may not correlate well at all with the ability to visualize a useful
strong one.
--
It's a game within a game within a game.--Gen. Odom
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Quantum PRNG
Date: Sat, 20 Mar 1999 20:59:45 GMT
> My question is whether such simulations of quantum random number
> generation are as close as one can get to true random number
> generation from a deterministic machine. If so, what are their
> significance to crypto?
>
> Bob Knauer
Neutronic Technologies Corporation has a CORE processor that is
paradoxically a classically wavelet analog computation device and
a quantum computing device in the NDS. All this is done in
a simple NPN transistor which gets extremely cold and occasionally
explodes like a firecracker due to quantum superpositions.
http://www.neutronicstechcorp.com
------------------------------
From: [EMAIL PROTECTED] (zom)
Subject: Scramdisk
Date: Sat, 20 Mar 1999 21:13:48 GMT
Please help,
I was using Scramdisk 2.02C to wipe my free space on my drive
when my computer locked up. All my files are ok but I have lost about
2GB of free space. What is weird is that the files on C drive are
only using 3.65 GB which sounds right but the properties says that
5.28 GB is used of a 6.02 GB Fujitsu EIDE drive. W95 OEM2, 200 MB
container file is used.
------------------------------
From: [EMAIL PROTECTED] ("Steve Myers")
Subject: Re: pRNG that is "predictable to the left"?
Date: 20 Mar 99 21:48:00 GMT
Paul Onions wrote in message <[EMAIL PROTECTED]>...
>Steve Myers wrote:
>I think an easier proof that Scott's construction can't exist is simply to
>show that:-
>
> G predictable to left => G not pseudo-random
This shows that if G is pseudo-random, then G is unpredictable to the left.
While definitely true, I didn't prove it because I thought it was immediate,
at least I felt that it was the direction of the iff statement which was
likely to be believed. But thanks for filling in the sketch of the other
direction, it is good for completeness, as you mention.
Steve
------------------------------
From: [EMAIL PROTECTED] (Thomas Pornin)
Subject: Re: a little math please
Date: 20 Mar 1999 12:45:16 GMT
According to <[EMAIL PROTECTED]>:
> So basically there are 256! / 128! combinations?
No, there are 256! / (128! * 128!) combinations.
> Can you estimate that number please?
5768658823449206338089748357862286887740211701975162032608436567264518750790
Quite large, as you can see.
--Thomas Pornin
------------------------------
From: [EMAIL PROTECTED] (Jim Dunnett)
Crossposted-To: alt.security,alt.privacy
Subject: Re: One-Time-Pad program for Win85/98 or DOS
Date: Sat, 20 Mar 1999 21:48:36 GMT
Reply-To: Jim Dunnett
On Fri, 19 Mar 1999 22:13:01 GMT, [EMAIL PROTECTED] (R. Knauer) wrote:
>On Fri, 19 Mar 1999 21:33:13 GMT, [EMAIL PROTECTED] (Jim
>Dunnett) wrote:
>
>>>Anyway guessing does not count for the OTP system. Do you know why?
>
>>No.
>
>Then you should learn why.
>
>HINT: Why is the OTP system provably secure?
Because with a good key (not necessarily 1000000% random) it
would be impossible reliably to predict any key byte.
Given that, any attempt at exhausting the keyspace only gives
you every possible (and impossible) text of that length.
>>But with OTP systems, the bytes only need to be sufficiently
>>random, not 100% random.
>
>Define "sufficiently random" in a non-circular manner.
Is there any way of measuring randomness? There are many ways of
generating key. Only expensive hardware (noise-diode or
some such) will satisfy the terminally paranoid. Us others would
be satisfied with a system based on a computer. (Not PRNGs).
>HINT: It depends on how many messages of what length you plan to send.
Would have thought that, if you didn't EVER re-use any part of
the key, that wouldn't matter. If you did, then it's not OTP.
You must provide sufficient key for your message volume without
re-use of key.
--
Regards, Jim.
olympus%jimdee.prestel.co.uk | dynastic%cwcom.net | nordland%aol.com | marula%zdnetmail.com
"Life is something to do when you can't sleep." - Fran Lebowitz. 1946 -
Pgp key: pgpkeys.mit.edu:11371
------------------------------
From: [EMAIL PROTECTED] (Jim Dunnett)
Crossposted-To: alt.security,alt.privacy
Subject: Re: One-Time-Pad program for Win85/98 or DOS
Date: Sat, 20 Mar 1999 21:48:37 GMT
Reply-To: Jim Dunnett
On Sat, 20 Mar 1999 15:57:41 GMT, [EMAIL PROTECTED] (R. Knauer) wrote:
>Do you know what the term "crypto-grade random" means, other than
>meeting the requirements for the provably secure OTP system?
>
>HINT: Crypto-grade randomness is not based on statistical testing of
>the keystream.
One man's idea of 'crypto-grade random' may not be quite as
exacting as another's, but may be sufficiently good to use
as OTP. (Or am I missing something?)
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Crossposted-To: alt.security,alt.privacy
Subject: Re: One-Time-Pad program for Win85/98 or DOS
Date: Sat, 20 Mar 1999 22:49:28 GMT
Reply-To: [EMAIL PROTECTED]
On Sat, 20 Mar 1999 21:48:37 GMT, [EMAIL PROTECTED]
(Jim Dunnett) wrote:
>One man's idea of 'crypto-grade random' may not be quite as
>exacting as another's, but may be sufficiently good to use
>as OTP. (Or am I missing something?)
The prime objective is to prevent sufficient information from leaking
to permit the cryptanalyst to determine with reasonable certainty that
the message he uncovers is your intended message. If the keystream is
truly random, that is not possible for him to do, since all plaintexts
are equally likely. For a real world TRNG, which is bound to leak some
slight amount of information, the objective is to keep it from leaking
too much. The only way I know to do that is to determine that the TRNG
is designed correctly according to the (ideal) fundamental
specification for crypto-grade randomness. You cannot make that
decision from statistical tests on the output - you must do a design
audit on the TRNG itself and run diagnostics on each subsystem to make
as sure as possible that they are performing according to design
specification.
The secret to a properly functioning TRNG lies in: 1) the quantum
mechanical random process that underlies the design; 2) the integrity
of the subsystems that take that randomness and translate it into the
keystream sequence. The HotBits TRNG is an example of good design.
Notice how the designer gets around the sticky problem of systematic
bias due to depletion of the radioactive source by flipping the
measurement each time. Even so, there are other sources of bias and
correlation that must be accounted for, such as detector deadtime.
You must build the TRNG like a piece of experimental scientific
equipment and certify its performance like any good experimentalist
would do.
Bob Knauer
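The two diagnostics Knauer describes in this post and in his earlier "Random Walk" reply (the all-0s/all-1s malfunction check and HotBits' alternating comparison that cancels depletion bias) as an added example, not code from the posts or from HotBits. It assumes my reading of the HotBits writeup (each bit compares two successive intervals, with the sense of the comparison reversed on every pair); the interval data, the stuck-at window of 64 and the stuck-output streams are constructed.

```python
"""TRNG subsystem diagnostics: a stuck-at check on the output bits and
the HotBits-style alternating comparison that cancels a slow drift in
the decay intervals. Constructed inputs; assumed reading of HotBits.
"""
from typing import Iterable, List, Optional


def hotbits_bits(intervals: Iterable[int], flip: bool = True) -> List[int]:
    """Convert interval measurements into bits, two intervals per bit.

    bit = 1 if t1 > t2 else 0, with the sense inverted on every second pair
    when flip=True. A monotone drift (source depletion makes later intervals
    longer) then pushes alternate bits in opposite directions instead of
    all the same way. Equal intervals produce no bit.
    """
    bits: List[int] = []
    invert = False
    it = iter(intervals)
    for t1, t2 in zip(it, it):          # consecutive, non-overlapping pairs
        if t1 != t2:
            bits.append(int(t1 > t2) ^ int(invert))
        if flip:
            invert = not invert
    return bits


def stuck_at(bits: Iterable[int], window: int = 64) -> Optional[int]:
    """Malfunction diagnostic: report 0 or 1 if `window` consecutive output
    bits are identical (shorted or floating output), else None.

    The window of 64 is a constructed threshold for this example; this is a
    health check on the hardware, not a certification of randomness.
    """
    run, last = 0, None
    for b in bits:
        run = run + 1 if b == last else 1
        last = b
        if run >= window:
            return b
    return None


def ones_fraction(bits: List[int]) -> float:
    """Fraction of 1 bits in the output (0.5 is unbiased)."""
    return sum(bits) / len(bits) if bits else 0.0


# Constructed worst case: pure depletion drift with no randomness at all,
# so that only the systematic bias is visible. 256 intervals -> 128 bits.
DRIFTING_INTERVALS = [1000 + i for i in range(256)]
SHORTED_OUTPUT = [0] * 200      # constructed: output stuck low
FLOATING_OUTPUT = [1] * 200     # constructed: output stuck high

if __name__ == "__main__":
    naive = hotbits_bits(DRIFTING_INTERVALS, flip=False)
    flipped = hotbits_bits(DRIFTING_INTERVALS)
    print("naive   ones fraction:", ones_fraction(naive), "stuck_at:", stuck_at(naive))
    print("flipped ones fraction:", ones_fraction(flipped), "stuck_at:", stuck_at(flipped))
    print("shorted:", stuck_at(SHORTED_OUTPUT), "floating:", stuck_at(FLOATING_OUTPUT))
```

On the drifting input the naive comparison produces nothing but zeros and trips the stuck-at check, while the flipped comparison yields exactly half ones; the flip cancels the trend, it does not add entropy.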
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Crossposted-To: alt.security,alt.privacy
Subject: Re: One-Time-Pad program for Win85/98 or DOS
Date: Sat, 20 Mar 1999 22:56:15 GMT
Reply-To: [EMAIL PROTECTED]
On Sat, 20 Mar 1999 21:48:36 GMT, [EMAIL PROTECTED]
(Jim Dunnett) wrote:
>> Why is the OTP system provably secure?
>Because with a good key (not necessarily 1000000% random) it
>would be impossible reliably to predict any key byte.
>Given that, any attempt at exhausting the keyspace only gives
>you every possible (and impossible) text of that length.
I would put it this way: With a crypto-grade random number generator
(i.e., a "TRNG"), even one that is not 100% perfect, the objective is
to prevent the leakage of any information that would give the
cryptanalyst a reasonable certainty that a given plaintext is the
intended message.
>Is there any way of measuring randomness?
Not for finite strings.
>There are many ways of generating key. Only expensive hardware (noise-diode or
>some such) will satisfy the terminally paranoid. Us others would
>be satisfied with a system based on a computer. (Not PRNGs).
How do you propose to use a computer to generate crypto-grade random
numbers? Computers are deterministic, which means the sequences that
they generate are pseudo-random. That means they are susceptible to
analytic attacks.
There is one class of PRNGs that the proponents claim are reasonably
immune to traditional attacks, the so-called cyclotomic generators.
>>HINT: It depends on how many messages of what length you plan to send.
>Would have thought that, if you didn't EVER re-use any part of
>the key, that wouldn't matter. If you did, then it's not OTP.
It goes beyond mere reuse. If you have a generator that exposes a
pattern in 1 million bits, then it is not safe to use it to encrypt a
million bits of plaintext, whereas it might be reasonably safe to use
it to encrypt 1 thousand bits.
>You must provide sufficient key for your message volume without
>re-use of key.
You have to make sure that there is no discernible pattern in the
keystream that does get used.
Bob Knauer
------------------------------
From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: Splitting private keys
Date: 20 Mar 1999 22:34:40 GMT
[EMAIL PROTECTED] wrote:
> I am trying to find a way to divide a large private key (e.g. 1024)
> into one large piece and another small piece (e.g. 128), such that the
> owner of the key holds the small piece, and some other party holds the
> large piece. When the key is needed, the 2 pieces are recombined on the
> owner machine to a complete key.
> Does anybody know any algorithms which perform such an operation?
How important is the size difference? Is there a particular reason
why the other party needs a 128 bit size piece?
(e.g. do they have a smart card or a magnetic stripe or some other
very low memory environment that can't handle something bigger)
There are several secret sharing schemes which would satisfy the
requirement that a key can be broken into 2 pieces and later recombined.
Applied Cryptography 2nd ed sec 23.2 gives three of them - Adi Shamir's
scheme using polynomials, George Blakely's vector-based scheme, and
a scheme with matrix multiplication and another that uses a prime field.
You may also want to look at "How To Build Robust Shared Control Systems"
in _Designs, Codes, and Cryptography_ vol 15 (December 1998, I think) by
Ross Anderson, Cunsheng Ding, Tor Helleseth, Torleiv Kløve for an
example of a scheme that allows more than just splitting - you can
define explicitly which shares match up with which others. Plus it
uses codes, which are cool.
The December issue of Electronics Research Letters also had an article
on "Vector Space Secret Sharing Schemes", which is maybe only of interest
if you are looking for a midterm project that involves vector spaces.
I haven't thought about the size of the shares much yet.
hope this is a start...
-David Molnar
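Shamir's polynomial scheme, the first of the secret sharing schemes Molnar points to, applied to the poster's problem as an added example (not code from the post or from any library). It goes beyond the 2-piece split to a general t-of-n threshold; the 1024-bit key and the choice of the Mersenne prime 2^1279 - 1 as the field are constructed for the example.

```python
"""Shamir secret sharing over GF(p): split a private key into shares that
are recombined on the owner's machine. Constructed key and prime.

Every share is one field element, so all shares are about as long as p;
the one-large/one-small split the poster asked about is not something
this (perfect) scheme provides, which bears on Molnar's size question.
"""
import secrets
from typing import Callable, List, Tuple

Share = Tuple[int, int]             # (x, f(x)) with x >= 1

# 2^1279 - 1 is a Mersenne prime (constructed choice: it exceeds any
# 1024-bit key, so such a key is a field element and can be the secret).
PRIME = (1 << 1279) - 1


def _eval_poly(coeffs: List[int], x: int, p: int) -> int:
    """Horner evaluation of sum(coeffs[i] * x**i) mod p."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def split_secret(secret: int, threshold: int, n_shares: int, p: int = PRIME,
                 rng: Callable[[int], int] = secrets.randbelow) -> List[Share]:
    """Split `secret` into n_shares pieces; any `threshold` of them recover it.

    The secret is the constant term of a random polynomial of degree
    threshold-1 over GF(p); share i is the point (i, f(i)). With fewer than
    `threshold` points every constant term is equally consistent, which is
    why the other party's share alone reveals nothing about the key.
    """
    if not 0 <= secret < p:
        raise ValueError("secret must be a field element (0 <= secret < p)")
    if not 1 <= threshold <= n_shares < p:
        raise ValueError("need 1 <= threshold <= n_shares < p")
    coeffs = [secret] + [rng(p) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x, p)) for x in range(1, n_shares + 1)]


def recover_secret(shares: List[Share], p: int = PRIME) -> int:
    """Recombine shares by Lagrange interpolation of f at x = 0."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        secret = (secret + yi * num * pow(den, -1, p)) % p
    return secret


# Constructed 1024-bit stand-in for the poster's private key.
KEY = int.from_bytes(bytes([0xA5]) * 128, "big")

if __name__ == "__main__":
    owner, other_party = split_secret(KEY, 2, 2)        # 2-of-2 split
    print("share sizes (bits):", owner[1].bit_length(), other_party[1].bit_length())
    print("recombined == key:", recover_secret([owner, other_party]) == KEY)
```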
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************