Cryptography-Digest Digest #364, Volume #9 Fri, 9 Apr 99 20:13:03 EDT
Contents:
Re: True Randomness & The Law Of Large Numbers (John Briggs)
Re: Announce - ScramDisk v2.02h ("Harvey Rook")
Re: Wanted: Why not PKzip? (Jim Dunnett)
Re: Recommendation of books? ("Steven Alexander")
Re: True Randomness & The Law Of Large Numbers (R. Knauer)
Re: Douglas A. Gwyn : True Jerk (R. Knauer)
Comments on FileLockE? (Lee Jorgensen)
Re: True Randomness & The Law Of Large Numbers (Terry Ritter)
Re: Test vector repository--specifically, help with a broken Blowfish
implementation. (Jerry Coffin)
Re: True Randomness & The Law Of Large Numbers (Jerry Coffin)
Re: Wanted: Why not PKzip? ([EMAIL PROTECTED])
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (John Briggs)
Subject: Re: True Randomness & The Law Of Large Numbers
Date: 9 Apr 99 14:37:58 -0400
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (R. Knauer)
writes:
> On 9 Apr 99 07:51:43 -0400, [EMAIL PROTECTED] (John Briggs)
> wrote:
>
>>Since R. Knauer has responded to this article and has snipped the text
>>above without response, we can apparently take it that he agrees that
>>I was right and he was wrong and increasing significance does not
>>require exponentially increasing sample size.
>
> As I pointed out earlier, I was referring to the fact that the
> gaussian is an exponential which falls off very slowly, which means
> that in order to gain more significance you have to pay an
> exponentially greater price in terms of sample size.
And that statement is, as I pointed out, false.
> I did not intend for that comment to be a precise analytical
> statement, but just a qualitiative observation. I do recall reading in
> Triola's elementary statistics book that, in general, to double the
> level of confidence of a measurement you must get an order of
> magnitude larger sample.
That recollection is, as it stands, false.
What Triola probably said was that to double the accuracy of a
measurement at a fixed confidence level you need to quadruple the
sample size.
To add one significant figure to the accuracy at a fixed confidence
level (multiplying accuracy by 10) you need to multiply the sample
size by 100. It's a quadratic relationship.
That's not the same thing as increasing the confidence level.
> I do not care to chase down that specific reference, since I did not
> intend anything quantitatively precise by my original comment. I agree
> with your analysis for a specific test statistic, so let's move on,
> unless you think there is something fundamental to be gained by
> further discussion.
Your statement is not quantitatively wrong. It's qualitatively wrong.
Or, more likely, as above, the result of a confusion about which
quantity Triola was talking about.
> I focus entirely on the so-called "Monobit Test" in FIPS-140, which I
> reproduce here (we can take up other tests later):
>
> +++++
> A single bit stream of 20,000 consecutive bits of output from the
> generator is subjected to each of the following tests. If any of the
> tests fail, then the module shall enter an error state.
>
> The Monobit Test
>
> 1.Count the number of ones in the 20,000 bit stream. Denote this
> quantity by X.
>
> 2.The test is passed if 9,654 < X < 10,346.
> +++++
>
> Here are my questions.
>
> Assumming that the sample consists of 20,000 individual samples of one
> bit each (which is what "monobit" means):
>
> What is the exact statistical test being used and what are its
> parameters?
What is the test? You just described it yourself. Seems pretty
clear and unambiguous. It takes 20,000 bits of input and produces
1 bit of output. What more do you want?
What are its parameters?
Let's assume that you mean that the test defines a random variable
with a distribution that is a function of the joint distribution
of each of the 20,000 individual input variables. And you're asking
about the parameters that describe the distribution of this resulting
random variable. Ok. Even a non-expert like myself can provide some
answers on that basis.
Suppose that the 20,000 individual input samples are independent
and each has a distribution such that 0 and 1 are equally likely.
Then the probability of failing the test is roughly 0.0000003
And the probability of passing is roughly 0.9999997
If we apply values of 1 (for pass) and 0 (for fail) then
we have the distribution: {0 with probability 0.00000003
1 with probability 0.99999907}
That distribution has a mean of .99999997
And, if my calculations are correct, its standard deviation is .000173
Suppose that the 20,000 individual input samples are independent
but biased so that 1 is favored over 0 by a 51/49 ratio.
Then the probability of failing the test is roughly .0035
And the probability of passing is roughly 0.9965
Which gives us the distribution: {0 with probability 0.0035
1 with probability 0.9965}
That distribution has a mean of 0.9965 and standard deviation .06
There. Parameters.
> Mario Triola, the statitical expert recommended by one poster here,
> states that parametric tests cannot be used to determine true
> randomness. Is FIPS-140 employing a parametric test, and if so, what
> is the justification?
Asked and answered. Many times by many folks.
Because the FIPS-140 tests don't determine true randomness. Nor
do they claim to.
They can diagnose (with some conditional probability of error) certain
classes of nonuniform distributions.
Probably time I clammed up for another couple of months. No sense
contributing further to the trollage. Later.
John Briggs [EMAIL PROTECTED]
------------------------------
From: "Harvey Rook" <[EMAIL PROTECTED]>
Subject: Re: Announce - ScramDisk v2.02h
Date: Fri, 9 Apr 1999 11:31:40 -0700
Terry Ritter <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
> On 9 Apr 1999 11:10:56 GMT, in <7ekn80$kc1$[EMAIL PROTECTED]>, in
> sci.crypt [EMAIL PROTECTED] (Andrew Haley) wrote:
>
> >The answer is simple. Kerckhoff's maxim says that your attacker knows
> >the cryptosystem you're using, but does not know the key. If you're
> >using superencryption, your attacker knows which systems you're using.
>
> That's fine if you always use the same ciphers in the same order. But
> if the ciphers are dynamically selected by keying, or just dynamically
> selected frequently by communications under cipher, the attacker does
> *not* know "which systems you're using." Kerckhoff's maxim does not
> apply.
>
This is incorrect. By Kerchhoff's maxim, you have to assume your attacker
has a copy of your deciphering machine. If he has a copy of your deciphering
machine, the attacker can figure out the algorithm you use to select
ciphers.
Once he knows the algorithm used to select ciphers, super-encipherment
only doubles or triples the amount of time needed to brute force. You'd
be much better off adding an extra byte to your key.
> I suggest that each communication include a small encrypted control
> channel, over which a continuous conversation of what ciphers to use
> next takes place. This would be an automatic negotiation, somewhat
> like occurs in modern modems, from cipher selections approved by the
> users (or their security people).
>
> >Of course, your attacker must now analyze the compound cipher, which
> >is almost certainly harder to do than than attacking a single cipher.
>
> Yes. Even if each cipher used has known weaknesses, those may not be
> exploitable in the multi-ciphering case.
>
It's only harder by one or two orders of magnitude. Computers built 3 years
from now
will have enough power to compensate for this difference. Adding an extra
byte
to your key makes the problem harder by 4 to 8 orders of magnitude. This is
much
harder to attack, yet it's simpler and cleaner to analyze. Simple clean
systems, are
much less likely to have holes.
Unexpected weaknesses in ciphers designed by good cryptographers (Say
Rivest, or Schneier)
are very unlikely to appear. Remember DES, after 25 years of analysis, is
still only
vulnerable to a brute force attack. I'd be willing to bet that RC-6 and
TwoFish will withstand
the same scrutiny.
Security breaks down because of bad passwords and poor protocols. Not
because of cipher
weakness. Plan your system accordingly, or you are deluding yourself.
Harv
RedRook At Zippy The Yahoo Dot Com
Remove the Zippy The to send email.
------------------------------
From: [EMAIL PROTECTED] (Jim Dunnett)
Crossposted-To: comp.security.misc
Subject: Re: Wanted: Why not PKzip?
Date: Fri, 09 Apr 1999 19:00:18 GMT
Reply-To: Jim Dunnett
On 8 Apr 99 22:31:14 GMT, [EMAIL PROTECTED] wrote:
>In sci.crypt Green Adair <[EMAIL PROTECTED]> wrote:
>> Why would you not want to use PKZIP with a good pass_phrase?
>
>Because its encryption is incredibly weak (known plaintext).
Yes...but it will compress the file and give it a little
entropy.
And it's useful for archiving several files together.
(With or without a password).
--
Regards, Jim. | I am suspicious about those who love
olympus%jimdee.prestel.co.uk | humanity. I've noticed they become
dynastic%cwcom.net | terribly worried about Hottentots but
nordland%aol.com | don't actually like people they know.
marula%zdnetmail.com | - Brian Walden.
Pgp key: pgpkeys.mit.edu:11371
------------------------------
From: "Steven Alexander" <[EMAIL PROTECTED]>
Subject: Re: Recommendation of books?
Date: Fri, 9 Apr 1999 14:33:11 -0700
"Applied Cryptography", "Handbook of Applied Cryptography", and
"Cryptography:Theory and Practice"
find them at amazon.com or your local book store.
-steven
[EMAIL PROTECTED] wrote in message
<7ejlhi$8a$[EMAIL PROTECTED]>...
>Hello, could someone recommend a few books which are thorough in discussing
>all known authentication protocols, key exchange protocols, etc...
>
>Thanks.
>
>
>
>--
>---------------------------------------------------------------------
>www.clark.net/pub/sinecto/index.html (optimized dsp/math/image libs.)
>TMS320C3x/C4x/TMS320C6x, PowerPC, Pentium, Alpha, NT/Linux/Solaris/AIX
>
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: True Randomness & The Law Of Large Numbers
Date: Fri, 09 Apr 1999 21:42:31 GMT
Reply-To: [EMAIL PROTECTED]
On 9 Apr 99 14:37:58 -0400, [EMAIL PROTECTED] (John Briggs)
wrote:
>What is the test? You just described it yourself. Seems pretty
>clear and unambiguous. It takes 20,000 bits of input and produces
>1 bit of output. What more do you want?
The name of the kind of statistical test being used.
>What are its parameters?
>
> Let's assume that you mean that the test defines a random variable
> with a distribution that is a function of the joint distribution
> of each of the 20,000 individual input variables. And you're asking
> about the parameters that describe the distribution of this resulting
> random variable. Ok. Even a non-expert like myself can provide some
> answers on that basis.
It sure took long enough.
> Suppose that the 20,000 individual input samples are independent
> and each has a distribution such that 0 and 1 are equally likely.
That is the assumption of a uniform Bernoulli process.
> Then the probability of failing the test is roughly 0.0000003
I assume that comes from the Standard Normal (z) Distribution.
> And the probability of passing is roughly 0.9999997
> If we apply values of 1 (for pass) and 0 (for fail) then
> we have the distribution: {0 with probability 0.00000003
> 1 with probability 0.99999907}
> That distribution has a mean of .99999997
Good grief, now we are getting distributions of distributions. Where
will it ever end?
You seem to be saying that there is a distribution for the validity of
the original distribution. That seems highly irregular at first
glance.
> And, if my calculations are correct, its standard deviation is .000173
The standard deviation for what random variable?
> Suppose that the 20,000 individual input samples are independent
> but biased so that 1 is favored over 0 by a 51/49 ratio.
> Then the probability of failing the test is roughly .0035
> And the probability of passing is roughly 0.9965
> Which gives us the distribution: {0 with probability 0.0035
> 1 with probability 0.9965}
> That distribution has a mean of 0.9965 and standard deviation .06
>There. Parameters.
So what do they relate to? What is being parameterized? What is the
random variable of that parameterized distribution?
>> Mario Triola, the statitical expert recommended by one poster here,
>> states that parametric tests cannot be used to determine true
>> randomness.
I should have said: "parametric tests cannot be used to determine
non-randomness."
We all know that there are no tests of any kind to determine
randomness.
>> Is FIPS-140 employing a parametric test, and if so, what
>> is the justification?
>Asked and answered. Many times by many folks.
But not answered correctly.
>Because the FIPS-140 tests don't determine true randomness. Nor
>do they claim to.
See comment above.
>They can diagnose (with some conditional probability of error) certain
>classes of nonuniform distributions.
You use the word "diagnose". I have used the same term several times
myself. When I use it, I mean that one cannot determine with
reasonable certainty that a TRNG is not random. All statistical tests
can do os warn you that the TRNG is very likely to be non-random.
The distinction is whether such a diagnosis is to serve as a criterion
for outright rejection, or to serve as a diagnostic warning which
prompts further action separate from statistical testing.
>Probably time I clammed up for another couple of months.
Well, you will leave some questions unanswered above.
I note that you did not address my comments about the circular nature
of deciding non-randomness with statistical tests.
> No sense contributing further to the trollage.
There is no *primary* intent to troll. If, however, the so-called
experts decide to step in it, that's their problem.
Is every question you can't answer trollish to you?
Bob Knauer
"I am making this trip to Africa because Washington is an international city, just
like Tokyo,
Nigeria or Israel. As mayor, I am an international symbol. Can you deny that to
Africa?"
- Marion Barry, Mayor of Washington DC
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: Douglas A. Gwyn : True Jerk
Date: Fri, 09 Apr 1999 21:12:01 GMT
Reply-To: [EMAIL PROTECTED]
On Fri, 9 Apr 1999 11:31:10 -0700, "Dann Corbit"
<[EMAIL PROTECTED]> wrote:
>Your choice of thread title suggests what about *you*?
It is you who needs to take a trip to the archives.
Some twit posted a header like the one above but with my name. I
ignored it. Gwyn deliberately posted to it to propagate it. I
responded in kind.
Get your facts straight before you stick your nose in someone else's
affairs. I am willing to let the matter end here, or we can continue
to propgate this post. The choice is yours.
Bob Knauer
"I am making this trip to Africa because Washington is an international city, just
like Tokyo,
Nigeria or Israel. As mayor, I am an international symbol. Can you deny that to
Africa?"
- Marion Barry, Mayor of Washington DC
------------------------------
From: Lee Jorgensen <[EMAIL PROTECTED]>
Subject: Comments on FileLockE?
Date: Fri, 09 Apr 1999 17:32:20 -0500
Has anyone looked at, or reviewed FileLockE from Zephyr Technologies?
(http://www.zephyrtech.com)
I'm thinking of purchasing it, however, I've become wary of 'snake oil'
type
products.
The Security appears sound, but then again, I'm no cryptographer.
If anyone has any information on this program, I'd appreciate it.
--
Lee Jorgensen, Programmer/Analyst - Bankoe Systems, Inc.
mailto:[EMAIL PROTECTED] <-- reverse moc
mailto:[EMAIL PROTECTED] <-- reverse ten
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: True Randomness & The Law Of Large Numbers
Date: Fri, 09 Apr 1999 23:44:22 GMT
On Fri, 9 Apr 1999 17:02:15 -0600, in
<[EMAIL PROTECTED]>, in sci.crypt
[EMAIL PROTECTED] (Jerry Coffin) wrote:
>In article <[EMAIL PROTECTED]>,
>[EMAIL PROTECTED] says...
>
>[ ... ]
>
>> >Now, from a viewpoint of cryptanalysis, we can divide the generator
>> >used into one of two groups: those for which we are able to correlate
>> >numbers, and those for which we can't.
>>
>> Bit bias plays an important role in true random number generation too.
>> Normally you do not lump bit bias in with correlation because they are
>> not related.
>
>Yes, my terminology was poor. I'd intended to give the idea of the
>cryptanalyst being able to infer any sort of predictable
>characteristics, regardless of the exact nature of the predictability
>found.
Nah, "correlation" is very acceptable terminology. "Bit-bias" is a
specific case of strings of length 1 correlating to constants.
In general, we can assume strings of arbitrary length, with arbitrary
correlating functions (linear, or nonlinear in all its forms), against
constants, string positions, or ever-more-complex constructions. Any
predictable relationship reasonably can be called a "correlation."
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
From: [EMAIL PROTECTED] (Jerry Coffin)
Subject: Re: Test vector repository--specifically, help with a broken Blowfish
implementation.
Date: Fri, 9 Apr 1999 17:02:06 -0600
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
[ ... ]
> Sorry, but the C and C++ standard only says that sizeof(int) <= sizeof(long).
> Compile and run the statement
Both the C and C++ standards give minimum ranges for each integer
type. Though given in terms of ranges they must be able to represent,
they basically come out to:
type bits
char 8
short 16
int 16
long 32
Of course, implementations are free to increase any of these as
they see fit. For example, the compilers I know of for Crays use 8
bits for char, and 64 bits for everything else. They must retain the
basic ordering so any char must be able to fit in an int, any int in a
long, and so on. It's arguable that int must be larger than char --
though never specified directly, it's difficult or impossible to make
all the I/O stuff work correctly otherwise.
------------------------------
From: [EMAIL PROTECTED] (Jerry Coffin)
Subject: Re: True Randomness & The Law Of Large Numbers
Date: Fri, 9 Apr 1999 17:02:15 -0600
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] says...
[ ... ]
> >Now, from a viewpoint of cryptanalysis, we can divide the generator
> >used into one of two groups: those for which we are able to correlate
> >numbers, and those for which we can't.
>
> Bit bias plays an important role in true random number generation too.
> Normally you do not lump bit bias in with correlation because they are
> not related.
Yes, my terminology was poor. I'd intended to give the idea of the
cryptanalyst being able to infer any sort of predictable
characteristics, regardless of the exact nature of the predictability
found.
------------------------------
From: [EMAIL PROTECTED]
Crossposted-To: comp.security.misc
Subject: Re: Wanted: Why not PKzip?
Date: Fri, 09 Apr 1999 23:52:57 GMT
Our programs Navaho Lock and Navaho Zipsafe both offer compression and
encryption and the are easy-to-use, fast, and secure. You can drag any
file, folder, digital image, even an executable into the drop are and it
will be easily encrypted and compressed.
Check them out at
http://www.navaholock.com
In article <[EMAIL PROTECTED]>,
Jim Dunnett wrote:
> On 8 Apr 99 22:31:14 GMT, [EMAIL PROTECTED] wrote:
>
> >In sci.crypt Green Adair <[EMAIL PROTECTED]> wrote:
> >> Why would you not want to use PKZIP with a good pass_phrase?
> >
> >Because its encryption is incredibly weak (known plaintext).
>
> Yes...but it will compress the file and give it a little
> entropy.
>
> And it's useful for archiving several files together.
> (With or without a password).
>
> --
> Regards, Jim. | I am suspicious about those who love
> olympus%jimdee.prestel.co.uk | humanity. I've noticed they become
> dynastic%cwcom.net | terribly worried about Hottentots but
> nordland%aol.com | don't actually like people they know.
> marula%zdnetmail.com | - Brian Walden.
> Pgp key: pgpkeys.mit.edu:11371
>
>
============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
