Cryptography-Digest Digest #979, Volume #8 Wed, 27 Jan 99 13:13:03 EST
Contents:
Some simple questions on ECC implementation ("Pedro Félix")
Re: hardRandNumbGen (R. Knauer)
Re: hardRandNumbGen (R. Knauer)
Re: hardRandNumbGen (R. Knauer)
Re: hardRandNumbGen (Mok-Kong Shen)
Re: Pentium III... (handWave)
Re: hardRandNumbGen (Mok-Kong Shen)
Re: Some simple questions on ECC implementation (Safuat Hamdy)
Re: My comments on Intel's Processor ID Number ("Michael A. Greenly")
Re: hardRandNumbGen ("Trevor Jackson, III")
Re: Quadibloc III spec wrapped up... (John Savard)
Re: lexical analysis problem.... ([EMAIL PROTECTED])
Q: Obtaining session key (Mok-Kong Shen)
Re: hardRandNumbGen (R. Knauer)
Re: Brute Forcing DSS To Uncover The DH key ("Sam Simpson")
Re: hardRandNumbGen (R. Knauer)
Re: hardRandNumbGen (handWave)
Re: Random numbers from a sound card? (Mok-Kong Shen)
Re: hardRandNumbGen ("Trevor Jackson, III")
Re: hardRandNumbGen (Mok-Kong Shen)
Re: Random numbers from a sound card? (Mok-Kong Shen)
Re: hardRandNumbGen (R. Knauer)
Re: hardRandNumbGen (R. Knauer)
----------------------------------------------------------------------------
From: "Pedro Félix" <[EMAIL PROTECTED]>
Subject: Some simple questions on ECC implementation
Date: Wed, 27 Jan 1999 15:51:00 -0000
I'm rather familiar with public-key systems based on the Integer
Factorization Problem and on the Discrete Logarithm problem over GF(p).
Namely, I have written a library to perform extended precision integer
manipulations.
I would like to extend the library to support ECC, so I have a few
questions:
1. What are the most used GFs in ECC: GF(2^m), GF(p) or GF(p^k)? (with p
prime >2), and what are the ranges of m, p and k (for a security equivalent
to 1024-bit RSA).
2. What are the "best" references (papers, book chapters, ...) on
SOFTWARE implementation of the operations on the GFs and on the
exponentiation kP (P is an EC point) (links to electronically available
copies would be very welcome). On this point I'm especially interested in
the equivalent of the Montgomery residues over the fields GF(2^m) and
GF(p^k) (if such a thing exists, which I think it does).
I thank you all in advance.
P. Felix
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: hardRandNumbGen
Date: Wed, 27 Jan 1999 16:47:58 GMT
Reply-To: [EMAIL PROTECTED]
On Wed, 27 Jan 1999 07:27:34 -1000, handWave <[EMAIL PROTECTED]>
wrote:
>Your sound card and software will need to comprehend the natural resonant
>frequencies of the bottle and filter out that repeating soundwave. A
>threshold for the clicks of a fall should be set to reject small resonant
>sounds. Multiple bounces after a fall may have similarities to previous
>bounces, so that should be rejected.
I suspect that all classical processes, even chaotic ones, suffer from
some kind of flaw as you describe. That's why I would only use quantum
processes for a TRNG.
Bob Knauer
"No Freeman shall ever be debarred the use of arms. The strongest
reason for the people to retain the right to keep and bear arms is,
as a last resort, to protect themselves against tyranny in government."
--Thomas Jefferson
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: hardRandNumbGen
Date: Wed, 27 Jan 1999 16:31:33 GMT
Reply-To: [EMAIL PROTECTED]
On Wed, 27 Jan 1999 16:59:03 +0100, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:
>If you make a metal sphere, there is a common definition of precision.
>What is the 'precision' you are referring to about your TRNG design?
>You have to define that 'precision' in scientific terms, in particular
>establish a 'unit' and provide a precise method to measure that
>'precision' in that unit. Before that, you have nothing.
You do that by analyzing the design, and performing certain tests on
the actual equipment to make sure it meets the design specifications.
One such test for a radioactive decay TRNG would be to measure the
radioactive decay before the interval measuring circuitry. If the
measurements yield results that you expect, there is no reason to
believe anything is wrong.
As far as the digital circuitry is concerned, logic analysis is what
you would use. You would put the digital circuits on a logic analyzer
and certify that they perform to design specifications using simulated
inputs. You would inject noise into the components and see if it had a
measurable effect on the output.
You are relying on two facts:
1) Quantum mechanical processes result in random events - otherwise
physics wouldn't work;
2) Digital circuits are incredibly robust - otherwise computers
wouldn't work.
You can bet the NSA has a TRNG that is certified to be completely
secure in a practical sense, where the work effort to break it would
be more than the energy in the Universe.
Bob Knauer
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: hardRandNumbGen
Date: Wed, 27 Jan 1999 16:17:41 GMT
Reply-To: [EMAIL PROTECTED]
On 27 Jan 1999 10:30:16 -0500, [EMAIL PROTECTED] (Patrick Juola)
wrote:
>But this is unsurprising. I can't tell you the gas mileage by looking
>at the color of the paint, either.
There were certain colors that were used exclusively on the Volkswagen
Beetle. That would have given you a strong enough clue to infer the
gas mileage, assuming standard operating conditions.
Bob Knauer
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: hardRandNumbGen
Date: Wed, 27 Jan 1999 16:16:24 +0100
R. Knauer wrote:
>
> But why should applying the Bayesian Test to presumably random numbers
> be any different? (I think I know why - one is a statistical test, the
> other is a probability survey.)
What is a 'probability survey'? Any literature reference?
M. K. Shen
------------------------------
From: handWave <[EMAIL PROTECTED]>
Subject: Re: Pentium III...
Date: Wed, 27 Jan 1999 07:09:41 -1000
Marty Levy wrote:
>
> Does anyone know the mechanism Intel plans to use to put the infamous serial
> numbers on Pentium III chips? I wasn't aware that Pentiums had any
> non-volatile memory (other than ROM) on board. The only practical systems I
> can think of is to use a fuse or laser repair type scheme.
When I worked at Intel I showed them how to make EPROM cells using the
ordinary microprocessor wafer fabrication process. In 1986 I drew the
"single poly EPROM cell" on the CAD system, had it processed on a test
wafer, tested it, and it worked. I told the marketing department about
it. I wrote it up in my patent notebook. I told them to use it as a
serial number for the 80386, for key storage and for fabrication lot
tracking for process analysis.
The first generation of EPROM cells during the 1970's also used a single
polycrystalline silicon layer. I have not seen the pentoid three, but I
expect that it uses this memory cell. It is better than a fuse because it
does not explode and crater the top oxides which protect the chip from
chemical contamination. Ask Larry Palley at Intel. Or Kurt Robinson at
Intel. They know I did these things, and they should send me a royalty
check. They know my name, even if sci.crypt does not.
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: hardRandNumbGen
Date: Wed, 27 Jan 1999 17:55:15 +0100
R. Knauer wrote:
>
> On Wed, 27 Jan 1999 16:59:03 +0100, Mok-Kong Shen
> <[EMAIL PROTECTED]> wrote:
>
> >If you make a metal sphere, there is a common definition of precision.
> >What is the 'precision' you are referring to about your TRNG design?
> >You have to define that 'precision' in scientific terms, in particular
> >establish a 'unit' and provide a precise method to measure that
> >'precision' in that unit. Before that, you have nothing.
>
> You do that by analyzing the design, and performing certain tests on
> the actual equipment to make sure it meets the design specifications.
>
> One such test for a radioactive decay TRNG would be to measure the
> radioactive decay before the interval measuring circuitry. If the
> measurements yield results that you expect, there is no reason to
> believe anything is wrong.
>
> As far as the digital circuitry is concerned, logic analysis is what
> you would use. You would put the digital circuits on a logic analyzer
> and certify that they perform to design specifications using simulated
> inputs. You would inject noise into the components and see if it had a
> measurable effect on the output.
It is important to know what the specifications ARE. Certainly
things like the dimensions of the apparatus don't have too much
bearing in the present context. Now what are the specifications that
ensure a crypto-grade TRNG? These specifications must contain
certain numerical values in terms of certain units. Then one can
test the actual product to see whether the specifications are
fulfilled. As long as one can't define 'crypto-grade' in terms
of certain units precisely, there is NO way to write up such
specifications as you proposed.
M. K. Shen
------------------------------
From: Safuat Hamdy <[EMAIL PROTECTED]>
Subject: Re: Some simple questions on ECC implementation
Date: 27 Jan 1999 17:48:51 +0100
"Pedro Félix" <[EMAIL PROTECTED]> writes:
> 2. What are the "best" references (papers, book chapters, ...) on
> SOFTWARE implementation of the operations on the GFs and on the
> exponentiation kP (P is an EC point) (links to electronically available
> copies would be very welcome). On this point I'm especially interested in
> the equivalent of the Montgomery residues over the fields GF(2^m) and
> GF(p^k) (if such a thing exists, which I think it does).
Recently there has been an announcement about a new book:
Michael Rosing, Implementation of the ECC (or the like),
Manning Publications
--
S. Hamdy | All primes are odd except 2,
[EMAIL PROTECTED] | which is the oddest of all.
unsolicited commercial e-mail | D.E. Knuth
is strictly not welcome |
------------------------------
From: "Michael A. Greenly" <[EMAIL PROTECTED]>
Subject: Re: My comments on Intel's Processor ID Number
Date: Wed, 27 Jan 1999 10:55:11 -0600
The processor ID may not have any practical cryptographic value but it
can still be useful. For example in software development it could be
used to produce GUIDs for use with COM/OLE etc... In this case the
primary concern is to produce a unique number which no one will
duplicate by accident.
I suspect that there are many other situations where it would be a
practical means to prevent accidental collisions.
--
Mike Greenly
[EMAIL PROTECTED]
------------------------------
Date: Wed, 27 Jan 1999 12:02:57 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: hardRandNumbGen
Mok-Kong Shen wrote:
> R. Knauer wrote:
> >
>
> > By analyzing the design. With correct design one can make a TRNG
> > random to within an arbitrarily high level of precision.
> >
> > If the TRNG is certified to produce crypto-grade random numbers to a
> > level of precision that ensures that it would take an impossible
> > amount of work to make it vulnerable, then that is "perfect" in a
> > practical sense.
> >
> > If the ball bearings in your car's wheels are spherical enough so that
> > they do not tear up the bearing races, that is "perfect" enough in a
> > practical sense.
> >
> > Being obsessed over the fact that there is no such thing as a Perfect
> > TRNG or a Perfect Sphere in the real world is a waste of time at the
> > practical level. There are more important considerations that affect
> > security - like having someone steal your pad.
>
> If you make a metal sphere, there is a common definition of precision.
> What is the 'precision' you are referring to about your TRNG design?
> You have to define that 'precision' in scientific terms, in particular
> establish a 'unit' and provide a precise method to measure that
> 'precision' in that unit. Before that, you have nothing.
Now this is an issue worthy of intense thought and debate (emphasis on
thought please). I believe this breaks into two subtopics, one
fundamentally describing the unit of measure and the other describing the
measurement methodology.
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Quadibloc III spec wrapped up...
Date: Wed, 27 Jan 1999 16:42:42 GMT
[EMAIL PROTECTED] (John Savard) wrote, in part:
>Well, Quadibloc III has finally received the blessings of a recent
>inspiration.
Never say never...I found a mistake in Quadibloc II which I've fixed,
and this changed Quadibloc III as well, since it covered a procedure
common to both ciphers, the initial dividing of the key into two
halves to create shift registers.
John Savard
http://www.freenet.edmonton.ab.ca/~jsavard/index.html
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: lexical analysis problem....
Date: Wed, 27 Jan 1999 16:46:45 GMT
> I'm looking for a quick way of finding all words whose letters add up to 111.
[...]
>
> All possible permutations would range between words 111 letters long (all A's
> being an example) and words at least 5 letters long (max value of 4 letters
> long is ZZZZ which is 104). Since I'm looking for real words in the English
> dictionary I have placed an upper bound on the word length to 15 letters.
You have lost me a bit here. When you have made your list you will have to
check it against words in a dictionary file. Why don't you just search the
dictionary file from beginning to end? Every time you find a word greater
than five characters in length, 'AND' each ASCII character of the word
with 1F (hexadecimal) and add them together; if they add to 111 (decimal),
add the word to your list.
Does this exercise have a real-life application or is it simply academic?
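The dictionary scan suggested in the reply above, written out as an added Go example (not code from either poster). It assumes an in-memory word list, takes the target 111 and the length bounds (5 to 15 letters, from the original question's own analysis) as constants, and rejects words containing non-letter characters, which the raw AND-with-1F trick would otherwise silently miscount.

```go
package main

import (
	"fmt"
	"strings"
)

// Bounds and target taken from the thread: ZZZZ is only 104, so no word
// shorter than 5 letters can reach 111, and the poster caps length at 15.
const (
	targetSum = 111
	minLen    = 5
	maxLen    = 15
)

// letterValue maps A/a=1 ... Z/z=26 with the ASCII & 0x1F trick from the
// reply, but returns -1 for anything that is not a letter; an apostrophe
// (0x27) would otherwise count as 7 and a hyphen (0x2D) as 13.
func letterValue(c byte) int {
	if (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') {
		return int(c & 0x1F)
	}
	return -1
}

// wordSum returns the letter sum of w and false if w holds a non-letter.
func wordSum(w string) (int, bool) {
	sum := 0
	for i := 0; i < len(w); i++ {
		v := letterValue(w[i])
		if v < 0 {
			return 0, false
		}
		sum += v
	}
	return sum, true
}

// FindWords scans a dictionary (one word per entry) and returns, in order,
// the words within the length bounds whose letters add up to targetSum.
func FindWords(dict []string) []string {
	var out []string
	for _, w := range dict {
		w = strings.TrimSpace(w)
		if len(w) < minLen || len(w) > maxLen {
			continue
		}
		if s, ok := wordSum(w); ok && s == targetSum {
			out = append(out, w)
		}
	}
	return out
}

func main() {
	// Constructed sample dictionary, not a real word list.
	dict := []string{"apple", "strength", "zzzz", "don't", "wanderlust"}
	fmt.Println(FindWords(dict)) // "strength" is 19+20+18+5+14+7+20+8 = 111
}
```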
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Q: Obtaining session key
Date: Wed, 27 Jan 1999 16:26:13 +0100
I like very much to know whether the following scheme of obtaining
session keys has particular disadvantages or weakness/problems:
Hash all previously processed plaintexts. Encrypt the hash with
a masterkey to obtain the current session key.
If it is treated in literature, then a reference would be sufficient.
M. K. Shen
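The scheme in the question above, written out as an added Go example (not from the post): a transcript of every plaintext processed so far is hashed, and the digest is encrypted under the master key to give the current session key. SHA-256 as the hash, AES-256 as the cipher, and the 8-byte length prefix on each plaintext are assumptions; the post fixes none of them.

```go
package main

import (
	"crypto/aes"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// KeyChain derives session keys the way the post describes: hash every
// plaintext processed so far, then encrypt that hash with the master key.
// Assumed choices (the post names none): SHA-256 for the hash, AES-256 as
// the cipher, and an 8-byte length prefix on each plaintext so that the
// histories "ab","c" and "a","bc" do not produce the same transcript.
type KeyChain struct {
	master     []byte // 32-byte long-term master key
	transcript []byte // length-prefixed concatenation of plaintexts so far
}

// NewKeyChain returns a chain with an empty history.
func NewKeyChain(master []byte) (*KeyChain, error) {
	if len(master) != 32 {
		return nil, fmt.Errorf("master key must be 32 bytes, got %d", len(master))
	}
	return &KeyChain{master: append([]byte(nil), master...)}, nil
}

// Process records a plaintext so that every later session key depends on it.
func (kc *KeyChain) Process(plaintext []byte) {
	var n [8]byte
	binary.BigEndian.PutUint64(n[:], uint64(len(plaintext)))
	kc.transcript = append(kc.transcript, n[:]...)
	kc.transcript = append(kc.transcript, plaintext...)
}

// SessionKey hashes the whole transcript and encrypts the 32-byte digest as
// two raw AES blocks under the master key, yielding a 32-byte session key.
func (kc *KeyChain) SessionKey() ([]byte, error) {
	digest := sha256.Sum256(kc.transcript)
	block, err := aes.NewCipher(kc.master)
	if err != nil {
		return nil, err
	}
	key := make([]byte, 32)
	block.Encrypt(key[:16], digest[:16])
	block.Encrypt(key[16:], digest[16:])
	return key, nil
}

func main() {
	// Constructed master key for the demonstration only.
	master := make([]byte, 32)
	for i := range master {
		master[i] = byte(i)
	}
	alice, _ := NewKeyChain(master)
	bob, _ := NewKeyChain(master)
	for _, msg := range []string{"first message", "second message"} {
		alice.Process([]byte(msg))
		bob.Process([]byte(msg))
		ka, _ := alice.SessionKey()
		kb, _ := bob.SessionKey()
		fmt.Printf("in sync: %v key=%s\n", hex.EncodeToString(ka) == hex.EncodeToString(kb), hex.EncodeToString(ka))
	}
	// Histories now differ by one byte; the derived keys no longer agree.
	alice.Process([]byte("third message"))
	bob.Process([]byte("third messagE"))
	ka, _ := alice.SessionKey()
	kb, _ := bob.SessionKey()
	fmt.Println("after divergence, keys equal:", hex.EncodeToString(ka) == hex.EncodeToString(kb))
}
```

The property the code makes visible is that two parties derive the same key only while they have processed the identical plaintext sequence; before any plaintext is processed the key depends on the master key alone.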
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: hardRandNumbGen
Date: Wed, 27 Jan 1999 16:12:42 GMT
Reply-To: [EMAIL PROTECTED]
On 27 Jan 1999 10:21:56 -0500, [EMAIL PROTECTED] (Patrick Juola)
wrote:
>But I charge by the hour, and it would,
>of course, be improper of me to give you any results until after I've
>examined the entire sequence.
>Still want me to test that infinite sequence for you?
Sure! As long as I only have to pay you when the test is completed.
:-)
>Probably. By the time you get up to the upper reaches of what we
>can do with PRNGs, the information leak over reasonably-sized
>samples is pretty infinitesimal.
Is there a way to measure that - to give confidence limits?
>Having only reasonably-sized
>amounts of funding, computing power, and patience at my disposal,
>there's a limit to what can be detected -- and if I get something
>that's indistinguishable from random by this test, then I'm probably
>willing to pass it as a "good" RNG.
I assumed that you had all the existing resources at your disposal
that you wanted - like the NSA has.
>a complexity curve looking
>something like this :
>
> _/
> _/
> _/
> _/
> _/
> _/
>/
What is a "complexity curve" and how do you generate one?
References please, including web sites if possible.
>The problem is that the Bayesian attack only works if I know -- or
>can guess -- the type of bias likely to be in your generator.
So, the Bayesian attack is not all that powerful against stream
ciphers *in general*. You have to provide the first hypothesis to get
it started. And if you cannot provide a decent hypothesis, then the
Bayesian attack is worthless.
>On the other hand, if I can get a copy of your code, I can just read
>the code and determine your biases. But you can't rely on keeping
>your code secret....
I can rely on keeping it just as secret as I keep my keys. If my code
has been compromised, so have my keys.
>But we're running into serious funding difficulties here.
Not if you are the NSA. There is no such thing as a funding difficulty
when you have access to OPM.
>More a question about finite vs. infinite data. Bayes' Theorem lets you
>refine hypotheses about biases that you've already made. Conventional
>statistics just let you test for the presence or absence of a visible
>bias. As any statistician will tell you, you can't prove the absence
>of an effect by statistical means. You can just prove that it
>didn't show up in your experiment and therefore was less than the
>sensitivity of your test.
Crypto-grade randomness has the negative property that it is
non-deterministic. Statistical tests cannot prove the absence of
determinism in numbers. That is why they cannot be used to
characterize randomness from the numbers themselves.
>Of course, with infinite data, you can develop "tests," in the loosest
>possible sense, of infinite sensitivity.
The sequence 111... with an infinite number of 1s is not a random
number. An infinite random number has no bit bias. Finite random
numbers can have bit bias. Therefore the finite sequence 111...1 can
be a random number. After all, it is one sequence from a TRNG.
>But this isn't helpful.
It is helpful perhaps when proving theorems. Whether that is of value
to the working cryptanalyst is another matter. Maybe when quantum
computers come online it will be useful.
Bob Knauer
------------------------------
From: "Sam Simpson" <[EMAIL PROTECTED]>
Subject: Re: Brute Forcing DSS To Uncover The DH key
Date: Wed, 27 Jan 1999 17:01:13 -0000
No...The DH & DSS portions of PGP keys are entirely separate, so breaking
one of the keys doesn't affect the security of the other.
I have written a PGP DH vs PGP RSA FAQ, which covers points like this - it
may be worth a browse (SIG in my URL).
Cheers,
Sam Simpson
Comms Analyst
-- http://www.hertreg.ac.uk/ss/ for ScramDisk hard-drive encryption & Delphi
Crypto Components. PGP Keys available at the same site.
John Doe wrote in message ...
>Would it be possible to brute force the DSS in PGP to uncover the
>information to break the security of the DH key?
>
>
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: hardRandNumbGen
Date: Wed, 27 Jan 1999 15:30:54 GMT
Reply-To: [EMAIL PROTECTED]
On Wed, 27 Jan 1999 15:38:29 +0100, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:
>Excellent! Then tell me HOW to get such a physical device that
>PROVABLY is capable of generating all possible sequences of a given
>finite length equiprobably.
By analyzing the design. With correct design one can make a TRNG
random to within an arbitrarily high level of precision.
If the TRNG is certified to produce crypto-grade random numbers to a
level of precision that ensures that it would take an impossible
amount of work to make it vulnerable, then that is "perfect" in a
practical sense.
If the ball bearings in your car's wheels are spherical enough so that
they do not tear up the bearing races, that is "perfect" enough in a
practical sense.
Being obsessed over the fact that there is no such thing as a Perfect
TRNG or a Perfect Sphere in the real world is a waste of time at the
practical level. There are more important considerations that affect
security - like having someone steal your pad.
One thing is for sure - just because there is no such thing as a
Perfect TRNG is no excuse to fall back on PRNGs for the OTP
cryptosystem.
>Secondly, your equiprobability is not at all sufficient.
I never said it was. I said that the TRNG must be *CAPABLE* of:
1) Outputting all possible sequences of a given finite length; and
2) Outputting each of them equiprobably.
>If the said given finite length is 2, is a physical device outputting
>0001101100011011..... a TRNG?????
Sure, why not - if you group the number above in 2-bit sequences:
00 01 10 11 00 01 10 11
Pad1: 00
Pad2: 01
Pad3: 10
....
Pad8: 11
Bob Knauer
------------------------------
From: handWave <[EMAIL PROTECTED]>
Subject: Re: hardRandNumbGen
Date: Wed, 27 Jan 1999 07:27:34 -1000
Kazak, Boris wrote:
>
> Terry Ritter wrote:
> >
>
> >
> > Large signal phenomena are precisely those which are best described
> > mathematically. It is the tiny signals (which must compete with
> > thermal noise and transients from capacitive, inductive, and
> > electromagnetic coupling) which are difficult to model well.
> >
> -------------------
> Let's be practical...
>
> Consider such a simple system:
>
> HHHHHHHHHHHHHHHH
> HH H MMM
> HH H MMMMM
> HH OOOOOOOOOO H MMMMM
> HH OOOOOOOOOOOO H MMM
> HHHHHHHHHHHHHHHH
>
> where HH is a Housing (just a glass or plastic bottle), OO are Objects
> (a pseudo-scientific baptism for 100-200 peas or beans), MM is a
> Microphone.
> Now if we start rotating the Housing around its horizontal axis,
> the Objects will produce a loud Random Rattle, and the Microphone will
> transmit this rattle to the sound card. My questions are:
>
> How many Objects are needed
One.
>and what must be the speed of
> rotation that will assure the True Randomness?
If the bottle is smooth inside, rotating is not as good as shaking it.
Shaking by hand is like a coin toss: it is the result of a complex
process that has never been repeated exactly during human history.
> What estimates can be given for Degree of Correlation and
> for Period of Repetition, depending on the system parameters?
Your sound card and software will need to comprehend the natural resonant
frequencies of the bottle and filter out that repeating soundwave. A
threshold for the clicks of a fall should be set to reject small resonant
sounds. Multiple bounces after a fall may have similarities to previous
bounces, so that should be rejected.
>
> The System is not patented, it is hereby placed in the public
> domain.
>
> Respectfully BNK
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Random numbers from a sound card?
Date: Wed, 27 Jan 1999 17:46:44 +0100
R. Knauer wrote:
>
> On Wed, 27 Jan 1999 16:44:40 +0100, Mok-Kong Shen
> <[EMAIL PROTECTED]> wrote:
>
> >If the word 'IS' is employed in a context without the connotation
> >of 'EXISTS' then it is NOT misleading, otherwise it IS misleading.
>
> You are beginning to sound just like Bill Clinton:
>
> "It all depends on what the meaning of the word 'is' is."
That was clearly stated in my previous post, quoted below:
But to say there IS (in the sense of EXISTS) something
perfect can be misleading.
A word can have a multitude of meanings. I was prudent enough
to put the parentheses above to make sure that there could be
no misunderstanding. I regret that my attempt was apparently
not successful.
M. K. Shen
------------------------------
Date: Wed, 27 Jan 1999 12:13:29 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: hardRandNumbGen
R. Knauer wrote:
> On 27 Jan 1999 10:21:56 -0500, [EMAIL PROTECTED] (Patrick Juola)
> wrote:
>
> >On the other hand, if I can get a copy of your code, I can just read
> >the code and determine your biases. But you can't rely on keeping
> >your code secret....
>
> I can rely on keeping it just as secret as I keep my keys. If my code
> has been compromised, so have my keys.
Hardly. One can change keys arbitrarily. One cannot change code so often
(here code == algorithm not .EXE).
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: hardRandNumbGen
Date: Wed, 27 Jan 1999 18:01:00 +0100
R. Knauer wrote:
>
> On Wed, 27 Jan 1999 16:52:30 +0100, Mok-Kong Shen
> <[EMAIL PROTECTED]> wrote:
>
> >Where is the proof of 'if the generation process is hardware then
> >it is crypto-grade, otherwise it is not'??
>
> There is no proof of the first part, since PRNGs can be implemented in
> H/W, like shift register PRNGs.
>
> The proof of the second part comes from an analysis of what makes a
> PRNG behave the way it does. It is based on an algorithm, which means
> that its output is deterministic, and that means that there could be
> vulnerability in using it. For example, if it did not output all
> possible sequences of a given finite length equiprobably but started
> repeating the sequences, then it fails the definition for a TRNG.
>
> If a PRNG only puts out a few sequences most of the time, then it is
> obviously worthless. That takes care of the equiprobable part of the
> TRNG specification.
>
> Assuming that the outputs of the PRNG are equiprobable, if the PRNG is
> seeded with a number of length K that is smaller than the output
> needed to encrypt the message of length N, then it can only generate
> as many sequences as the seed will allow, which is not the same as all
> possible sequences.
>
> If K<N, then only 2^K possible plaintexts are contained in the
> ciphertext, instead of 2^N. That makes the cryptanalyst's job a lot
> easier, especially when the message is longer than the unicity
> distance. In that case, there is only 1 plaintext that is
> intelligible. When the cryptanalyst finds it, he knows with certainty
> that it is the intended message. That is not the case when using a pad
> that is generated from a TRNG, where the full 2^N outputs possible.
Please note I don't claim PRNGs are good. I simply doubt that
hardware generators are good because I have no tools to determine
that they are good, except by using statistical tools.
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Random numbers from a sound card?
Date: Wed, 27 Jan 1999 16:44:40 +0100
R. Knauer wrote:
>
> On Wed, 27 Jan 1999 14:56:34 +0100, Mok-Kong Shen
> <[EMAIL PROTECTED]> wrote:
>
> >But to say there IS (in the sense of EXISTS) something
> >perfect can be misleading.
>
> Does a Perfect Circle EXIST?
>
> If you say is does, is that misleading?
If the word 'IS' is employed in a context without the connotation
of 'EXISTS' then it is NOT misleading, otherwise it IS misleading.
M. K. Shen
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: hardRandNumbGen
Date: Wed, 27 Jan 1999 15:40:53 GMT
Reply-To: [EMAIL PROTECTED]
On 27 Jan 1999 09:51:46 -0500, [EMAIL PROTECTED] (Patrick Juola)
wrote:
>In article <[EMAIL PROTECTED]>,
>Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>>Secondly, your equiprobability is not at all sufficient. If
>>the said given finite length is 2, is a physical device outputting
>>0001101100011011..... a TRNG?????
>The fact that you're repeatedly asking the same dumb question does,
>however, suggest that you're not really interested in the answer.
The answer that the poster wants to hear is: Because TRNGs are not
Perfect, PRNGs are just as good.
What he fails to appreciate is that there is a fundamental difference
between a TRNG and a PRNG. That is because he fails to realize that a
crypto-grade random number is characterized by the generation process,
not the number itself.
IOW, according to the poster, regardless of whether a number is
generated by a TRNG or a PRNG, if it passes some statistical tests
(that only work on infinite numbers), then it makes no difference what
the method of generation is.
Maybe there needs to be a law that a student must take cryptography
before statistics. :-)
Bob Knauer
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: hardRandNumbGen
Date: Wed, 27 Jan 1999 15:43:43 GMT
Reply-To: [EMAIL PROTECTED]
On Wed, 27 Jan 1999 16:12:44 +0100, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:
>> The fact that you're repeatedly asking the same dumb question does,
>> however, suggest that you're not really interested in the answer.
>The original purpose is evidently: Since there can't be a good
>answer, one can't claim hardware sequences are always to be preferred
>to software sequences.
See! What did I tell you.
Bob Knauer
------------------------------
End of Cryptography-Digest Digest