Cryptography-Digest Digest #999, Volume #8 Fri, 29 Jan 99 15:13:05 EST
Contents:
Re: Random numbers generator and Pentium III (Mok-Kong Shen)
Re: Metaphysics Of Randomness (Medical Electronics Lab)
Re: Random numbers generator and Pentium III ("Trevor Jackson, III")
Re: Foiling 56-bit export limitations: example with 70-bit DES (Mok-Kong Shen)
Re: RNG bias considered harmful: NOT! (Medical Electronics Lab)
Re: Inforamtionpool sas&chiffrier (John Savard)
Need a program to study Cryptography : Help developing Cryptlab. (MENIER Clement)
Re: what do u think about this algorithm of mine? (wtshaw)
Re: Who will win in AES contest ?? ([EMAIL PROTECTED])
Re: Random numbers generator and Pentium III (Medical Electronics Lab)
Re: Who will win in AES contest ?? (Serge Vaudenay)
Re: Some more technical info on Pentium III serial number ("Roger Schlafly")
Re: what do u think about this algorithm of mine? (Jay Jakosky)
----------------------------------------------------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Random numbers generator and Pentium III
Date: Fri, 29 Jan 1999 16:30:34 +0100
Patrick Juola wrote:
>
> In article <[EMAIL PROTECTED]>,
> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> >R. Knauer wrote:
> >>
> >
> >> It is called "crypto-grade" to distinguish it from the other kinds of
> >> randomness that confuse this discussion.
> >>
> >> You do know the difference, don't you?
> >
> >Unless there are scientific tests to determine the 'crypto-grade'
> >in terms of figures of merit or the like in quantifiable terms
> >nobody (excepting perhaps you) will be able to know the difference!
>
> The belief that to be knowledge something must be objectively
> quantifiable is not science, but scientism.
But at least in natural sciences theories have to be supported
by experiments and experiments are based on measurements. You
certainly could say e.g. that determining a DNA sequence does not
result in a quantity (a real-valued number). But I suppose that
isn't the essence of the point we are disputing.
M. K. Shen
------------------------------
From: Medical Electronics Lab <[EMAIL PROTECTED]>
Subject: Re: Metaphysics Of Randomness
Date: Fri, 29 Jan 1999 11:56:55 -0600
R. Knauer wrote:
> >I still claim the average joe user won't
> >have the equipment or the understanding to do the calibration.
>
> The average joe has no business in crypto.
The average joe should *use* crypto. If they use a TRNG, they
need something that tells them it's working or not. I still
say stats are a good way to see subtle problems which electronic
analysis won't see. That's sort of the heart of this discussion
(I think).
> >I disagree. I can look at the scope and see a valid signal that
> >"looks random".
>
> How does something "look" random? Remember that the output of many
> PRNGs "looks" random.
Agreed. The stock market "looks" random. It isn't tho, it's
the sum of many signals, so it's chaotic. Chaotic oscillators
look random too and have been used to create TRNG's. I'll define
that something "looks random" if I can't see any patterns in it.
That's arbitrary, but it's a place to start.
> The stats are worthless in terms of characterizing the crypto-grade
> randomness of a number. Remember that the output of many PRNGs
> "looks" random.
Let's not worry about PRNG's. I want to know how to get this
"crypto-grade" RNG without using any statistics.
> If it is a TRNG, it generates crypto-grade random numbers which are
> suitable for the provably secure OTP system.
I see, a TRNG == crypto-grade random numbers, by definition.
So how do I know my TRNG is true?
> There are different kinds of randomness depending on the field of
> study. Chaitin's randomness is not the same as crypto-grade
> randomness. Statistical randomness is not the same as crypto-grade
> randomness.
That tells me what crypto-grade randomness isn't. How can you
demonstrate you have crypto-grade random bits coming from a
black box?
> But, what kind of randomness does the math say it is? If the math is
> incapable of saying that it is crypto-grade randomness, then it isn't
> anywhere close enough for crypto.
A while back someone suggested you have to look under the hood.
Let's assume we can do that and we're certain the bits are coming
from a known random process. If the math says it's not random,
are you saying it's still crypto grade random simply because
we're sure the source process is unpredictable?
Patience, persistence, truth,
Dr. mike
------------------------------
Date: Fri, 29 Jan 1999 13:18:18 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Random numbers generator and Pentium III
Patrick Juola wrote:
> In article <[EMAIL PROTECTED]>,
> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> >Patrick Juola wrote:
> >>
> >> In article <[EMAIL PROTECTED]>,
> >> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> >> >R. Knauer wrote:
> >> >>
> >> >
> >> >> It is called "crypto-grade" to distinguish it from the other kinds of
> >> >> randomness that confuse this discussion.
> >> >>
> >> >> You do know the difference, don't you?
> >> >
> >> >Unless there are scientific tests to determine the 'crypto-grade'
> >> >in terms of figures of merit or the like in quantifiable terms
> >> >nobody (excepting perhaps you) will be able to know the difference!
> >>
> >> The belief that to be knowledge something must be objectively
> >> quantifiable is not science, but scientism.
> >
> >But at least in natural sciences theories have to be supported
> >by experiments and experiments are based on measurements.
>
> But experiments and measurements do not necessarily result in
> *proof* in any sort of formal sense, nor in a characterization of
> causes.
>
> A biologist may reliably believe that a certain class of mushrooms is poisonous
> without either being able to state *why* it's poisonous or being able
> to exactly characterize the class of non-poisonous mushrooms. He may
> also believe that another class is harmless, again, without knowing
> the chemical reason.
>
> He also may not know what chemical tests could be performed to determine
> if a given mushroom specimen were poisonous. Furthermore, he may not
> know that all mushrooms of a given class are poisonous for the same
> chemical reason, nor that all mushrooms *not* of that class are
> harmless.
>
> You could say that if one mushroom is poisonous and another
> is not, then there must be "scientific tests to determine [the
> harmlessness]... in quantifiable terms" on the basis of chemical assay.
>
> You would also be very wrong, very foolish, and quite possibly very
> dead.
Crap.
The only thing required of a scientific biologist (theoretical) is that he state
the theory by which he concludes that the mushrooms in question are poisonous or
not. The only thing required of a biologist (experimental) is that he state the
tests performed that led him to the conclusion that the mushrooms are poisonous or
not.
Neither of these actions constitutes "the scientific method", but a person who
refuses to do either can be clearly labeled unscientific. This is not because he
cannot explain why the mushrooms are poisonous, but because of his failure to
explain the basis for his beliefs that the mushrooms are poisonous or not.
Knauer appears to be failing this test.
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Foiling 56-bit export limitations: example with 70-bit DES
Date: Fri, 29 Jan 1999 18:12:45 +0100
[EMAIL PROTECTED] wrote:
>
> In fact, my exposition shows more. It shows that:
>
> DES is a random cipher *at most* over 56-bits.
Just a question: Has this to do or nothing to do with the fact
that in a DES key there are only 56 effective bits?
M. K. Shen
------------------------------
From: Medical Electronics Lab <[EMAIL PROTECTED]>
Subject: Re: RNG bias considered harmful: NOT!
Date: Fri, 29 Jan 1999 12:05:58 -0600
Trevor Jackson, III wrote:
> I disagree with this statement. A biased RNG is an imperfect one, but if it
> contains entropy (does not repeat) it has some use and thus value.
>
> Any good RNG design is going to assume as a matter of principle that there
> is some bias in the raw data. By processing the raw data we can distill out
> the entropy, reducing the volume of data, and produce useful RNG output.
>
> Consider the entropy density of the raw data. We do not have to insist on
> 100% density. If, as you suggest, the ratio is 1:4 ones to zeros but
> otherwise unpredictable, we can filter out the excess zeros. Taking the
> bits pair-wise, we discard those pairs with zero parity, and encode pairs
> with odd parity according to the leading bit. This process would reduce
> the volume by a factor of about 3 (25/8 actually) while raising the entropy
> density by a like factor.
This is all true and I need to rephrase what I meant. I'm
assuming I know my source process and can do the above post
processing to create uniform random bits which pass all stats
tests. As time goes on, I monitor the output of that and
notice a slight drift away from uniformity. At that point
I don't know my source process anymore. Either it's being
tampered with or something is failing.
If my RNG jumps from uniform distribution to 80/20 1's/0's, then
I haven't got a RNG anymore, at least for what it was supposed
to do. My point is that stats are useful to warn you that
something is wrong and you need to deal with it.
It's much easier to start with a uniform process and convert
it to uniform bits. But yes, I agree with you that you can
post process anything that has a biased source to subtract
out the bias. In fact, if the mathematicians can tell me how
to measure the signal that isn't random, I'll subtract it out
to make sure that only "random" bits get out of my hardware.
But that's pretty damn hard :-)
Patience, persistence, truth,
Dr. mike
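The pairwise parity filter that Trevor Jackson describes in the quoted text (the von Neumann extractor), with the monitoring checks Dr. Mike argues for, as an added example that is not code from either post. The raw source is constructed: Python's PRNG stands in for a hardware stream of independent bits with P(1) = 1/5, the "1:4 ones to zeros" ratio discussed above. The measured yield lands near 4/25 of the input bits (8/25 of the pairs survive and each surviving pair of two input bits yields one output bit). The second source, also constructed, is the failure mode a practitioner should watch for: its monobit count is a flat 50/50, but the two halves of each pair are distributed differently, so the extractor's output is badly skewed, which is exactly what the output statistics catch.

```python
import random


def biased_bits(n, p_one=0.2, seed=1):
    """Constructed stand-in for a raw hardware source: independent bits
    with P(1) = p_one (0.2 gives the 1:4 ones-to-zeros ratio of the post).
    The seed only makes the example reproducible; it is not a TRNG."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def phase_biased_bits(n, seed=2):
    """Constructed failure mode: even positions are 1 with P = 0.2, odd
    positions are 1 with P = 0.8.  The monobit count is a balanced 50/50,
    but the two halves of each pair are not identically distributed, so
    P(01) = 0.64 while P(10) = 0.04 and the extractor's assumption fails."""
    rng = random.Random(seed)
    return [1 if rng.random() < (0.2 if i % 2 == 0 else 0.8) else 0
            for i in range(n)]


def von_neumann(bits):
    """Pair the bits; drop 00 and 11 (even parity); for 01 and 10 (odd
    parity) emit the leading bit.  If the bits are independent and share
    one bias p, P(01) = P(10) = p(1-p), so the output is exactly unbiased."""
    return [bits[i] for i in range(0, len(bits) - 1, 2)
            if bits[i] != bits[i + 1]]


def expected_yield(p_one):
    """Output bits per input bit for an i.i.d. source: 2p(1-p) of the pairs
    survive and each surviving pair (two input bits) yields one bit."""
    return p_one * (1.0 - p_one)


def ones_fraction(bits):
    """Fraction of ones; 0.5 is unbiased."""
    return sum(bits) / len(bits)


def debias_report(raw):
    """Run the extractor and return the figures worth monitoring over time:
    raw bias, output bias and yield.  A drift in any of them is the warning
    that the source process has changed."""
    out = von_neumann(raw)
    return {
        "raw_ones": ones_fraction(raw),
        "out_ones": ones_fraction(out),
        "yield": len(out) / len(raw),
    }


if __name__ == "__main__":
    for name, src in (("iid p=0.2", biased_bits(200_000)),
                      ("phase-biased", phase_biased_bits(200_000))):
        print(name, debias_report(src))
```

Run as a script it prints both reports. The extractor removes bias only under the independence assumption; serial correlation or a position-dependent distribution in the raw stream is not removed, which is why the output, not just the input, has to stay under statistical watch.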
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Inforamtionpool sas&chiffrier
Date: Fri, 29 Jan 1999 17:13:54 GMT
[EMAIL PROTECTED] (John Savard) wrote, in part:
>I've glanced at a Pascal program for
>the M-125 on the site, but it seems not to be for the machine
>described, but for something resembling a T-52.
On a second look, what confused me were the arrays giving the notches
on the wheels: the program puts four notches on a wheel. The diagrams
on his site seem to show many more notches than that.
And, instead of the 31 characters enciphered being the conventional
5-level-code characters, with the null character omitted, the program
uses a 31 character alphabet, with J standing for space, and W, Y, and
I think some other letters omitted, but with the digits from 2 to 9 added.
The program uses only five rotors instead of ten. (I finally got
around to running it, which answered many questions more simply.)
There is a claim on the site that, because the punched card provides
arbitrary interconnections, this machine, unlike an Enigma, can
represent a letter by itself. From what I see in the description, I
think this may be an error; however, it is clearly true that the
plugboard substitution _itself_ is not reciprocal, a weakness of the
original Enigma without the Uhr Box.
John Savard
http://www.freenet.edmonton.ab.ca/~jsavard/index.html
------------------------------
From: MENIER Clement <[EMAIL PROTECTED]>
Subject: Need a program to study Cryptography : Help developing Cryptlab.
Date: Fri, 29 Jan 1999 19:31:05 +0100
Hi everyone,
You'd like to study Cryptography but you often regret that you can't
find a program which gives you in one place all the functions to study
Cryptography properly. You'd like to practice by developing
some cryptographic programs.
Well this is for you:
I am developing a program, cryptlab (Cryptographic Laboratory), which
will give a learner and even a more expert user some basic functions to try
out his new theory. If you are interested in it send an e-mail to
[EMAIL PROTECTED]
Lots of developing has to be done (only basic encryption is supported
yet: statistics, Vigenere, shift, Affine, ...).
If you feel like helping the cryptographic community by giving it a
reliable program, help develop this free program.
MENIER Clement.
E-Mail: [EMAIL PROTECTED]
"A little brain damage can't hurt".
------------------------------
From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: what do u think about this algorithm of mine?
Date: Fri, 29 Jan 1999 09:12:44 -0600
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (Klaus Rohde) wrote:
>
> you take byte n of a text stream and XOR it with byte n of the key to
> produce byte n of the cipher text.
>
There is no going back to square one, because that is where you are. At
least you are on the board. Now, see if you can advance your token.
--
A much too common philosophy:
It's no fun to have power....unless you can abuse it.
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Who will win in AES contest ??
Date: Fri, 29 Jan 1999 17:40:06 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (Bauerda) wrote:
> >Do you want to say which of the entries the USA NSA can break? Have you any
> >evidence (or is this just your opinion)?
>
> For what type of attack? I bet they couldn't break Magenta, if they had to
> do a ciphertext only attack on a very short message. If they can break Loki
> with a chosen key, chosen plaintext attack, but I don't allow them to choose
> the key or the plaintext, does it count? If they can break Scott19u with an
> attack requiring only 2^300 known plaintexts (which is allowable because of
> the block size...), does it count?
>
> David Bauer
Well since you were nice enough to mention scott19u I thought I
would comment. If one had a chosen plaintext attack that led to
a correct key then some third party should store that information
so it would be available in the general study of ciphers. Even
RSA is considered weak against chosen plaintext attacks which
is one reason its main use is to pass random session keys and
not used to encrypt the whole message. Also since it is "zero
entropy" it already has its seeds of destruction contained inside.
The answer is it all depends on how it is used. What is weak one
way is strong in another. It took me some time to decide to change
scott16 even though PAUL ONIONS showed it was weak to a single
chosen plaintext attack. Because I felt one needed a very special
kind of file and I felt in real life it would be hard to get
an enemy to encrypt the special file. Besides the all or nothing
nature of the method was immune to files that have a "chosen
plaintext" that is inserted inside a long message. But I do
learn and realized that today's crypto society likes to place
great value in such things. Not sure CASIO has learned it yet.
One reason I was slow to change was that no one could solve
the cash contests that I had so I did not widen my viewpoint
for a while. CASIO may do the same.
So I made it immune to "chosen plaintext file attack". This
led to further tests of the original properties of scott16 where
I noticed through the use of the DIEHARD TESTS that the odd
length files had an increase in apparent randomness over the
even length files when only a few passes occurred. The odd
length files had this rotation at each pass. So after more
testing I added rotation to the even passes.
Anyway back to your question, the answer is it all depends
but any attack can lead to new methods. While at the same time
I don't think I would call 2^300 chosen plaintext attacks
a break since even with the AES candidates that could have
a key of 256 bits one needs to try only 2^256 keys and that
fact is not taken as a break of them. Also would like to
thank REDBURN for the observation that the key selection
for a large key based on a random uniform file has a bias.
For the truly concerned there is a fix at my site but even
without the fix the entropy is equivalent to a perfect
key encryption method using over 2^8,000,000 keys and
this is far above any AES candidate. The next release
of a scottNu product will use this method in a routine
to maximize the key entropy of a large uniform random
file if used. But if people have trouble following my
clear cut straightforward GNU DJGPP C coding in 19u
just wait it will get more fun.
David Scott
http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
http://members.xoom.com/ecil/index.htm
------------------------------
From: Medical Electronics Lab <[EMAIL PROTECTED]>
Subject: Re: Random numbers generator and Pentium III
Date: Fri, 29 Jan 1999 12:36:06 -0600
R. Knauer wrote:
> +++++
> Crypto-grade randomness is necessary to make the OTP system provably
> secure. A crypto-grade random number is generated by a True Random
> Number Generator (TRNG), which is a device capable of generating all
> possible sequences of a given finite length equiprobably.
> +++++
>
> Now tell us, what is so difficult about that?
This is what I've been looking for. My previous post had it
correct, TRNG = crypto-grade random. Now, the definition of
TRNG includes "all possible sequences of a given finite length
equiprobably". Now, how do you measure this? With stats of
course. Very simple stats at that, you only need to check that
the output has 1/0 in 50/50(%), 11/10/01/00 in 25/25/25/25 and
so on for as many bits as you want.
I'm sure you'll want to modify this somewhat because a simple
counter can output all possible sequences of a given finite
length equiprobably. So can an LFSR, in Zech logarithm order.
Clearly these aren't RNG's, but they meet the above criteria.
BTW, an OTP is provably secure, so that part of the definition
is superfluous.
Patience, persistence, truth,
Dr. mike
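Dr. Mike's objection above, worked through in code as an added example that is not part of the original post: a 4-bit counter and a maximal-length LFSR (both constructed here for illustration, the LFSR using the feedback polynomial x^4 + x^3 + 1) pass the 50/50 and 25/25/25/25 frequency checks perfectly, and the counter produces every 4-bit block exactly once, yet each stream follows from a fixed rule that reproduces every later bit from the first few. The frequency checks are necessary, and they do flag a drifting source, but on their own they cannot tell a generator from a counter.

```python
from collections import Counter

WIDTH = 4


def counter_bits(width=WIDTH):
    """Every width-bit value once, in order, MSB first: 0000 0001 ... 1111."""
    return [(v >> (width - 1 - j)) & 1
            for v in range(1 << width) for j in range(width)]


def lfsr_states(seed=0b0001, taps=(3, 2), width=WIDTH):
    """Fibonacci LFSR for x^4 + x^3 + 1: feedback = bit3 XOR bit2, shifted
    in at the bottom.  Returns one full period of states; a maximal-length
    register visits every nonzero state once (the 'Zech logarithm order'
    of the post) before repeating."""
    mask = (1 << width) - 1
    s, seen = seed, []
    while s not in seen:
        seen.append(s)
        fb = 0
        for t in taps:
            fb ^= (s >> t) & 1
        s = ((s << 1) | fb) & mask
    return seen


def lfsr_bits(states, width=WIDTH):
    """Output stream: the top bit of each successive state."""
    return [(s >> (width - 1)) & 1 for s in states]


def monobit(bits):
    """(ones, zeros) over the stream."""
    ones = sum(bits)
    return ones, len(bits) - ones


def cyclic_bigrams(bits):
    """Counts of the four overlapping bit pairs, wrapping around the period."""
    n = len(bits)
    return Counter((bits[i], bits[(i + 1) % n]) for i in range(n))


def aligned_blocks(bits, width):
    """Counts of non-overlapping width-bit blocks."""
    return Counter(tuple(bits[i:i + width])
                   for i in range(0, len(bits) - width + 1, width))


def flat_frequency_report(bits, width):
    """The 50/50 and 25/25/25/25 checks of the post, plus 'every width-bit
    block equally often'.  Flat here means perfectly flat."""
    ones, zeros = monobit(bits)
    big = cyclic_bigrams(bits)
    blocks = aligned_blocks(bits, width)
    return {
        "ones": ones,
        "zeros": zeros,
        "bigram_counts": sorted(big.values()),
        "bigrams_flat": len(big) == 4 and len(set(big.values())) == 1,
        "blocks_flat": (len(blocks) == (1 << width)
                        and len(set(blocks.values())) == 1),
    }


def counter_rule_holds(bits, width):
    """True if each aligned block is the previous one plus one (mod 2^width):
    the whole stream follows from any single block."""
    vals = [int("".join(map(str, bits[i:i + width])), 2)
            for i in range(0, len(bits) - width + 1, width)]
    n = len(vals)
    return all(vals[(i + 1) % n] == (vals[i] + 1) % (1 << width)
               for i in range(n))


def recurrence_holds(bits, lags):
    """True if bit[n] == XOR of bit[n - lag] over the lags, for every n
    (cyclically): a fixed linear rule reproduces the stream from its first
    few bits.  The x^4 + x^3 + 1 output above satisfies lags (3, 4)."""
    n = len(bits)
    for i in range(n):
        fb = 0
        for lag in lags:
            fb ^= bits[(i - lag) % n]
        if bits[i] != fb:
            return False
    return True


if __name__ == "__main__":
    print("counter:", flat_frequency_report(counter_bits(), WIDTH))
    print("lfsr   :", flat_frequency_report(lfsr_bits(lfsr_states()), WIDTH))
```

The counter's output is exactly flat on every check the post names; the 15-bit LFSR period has 8 ones and 7 zeros, as close to balanced as an odd-length period allows. Both are fully predictable, which is the property a frequency test cannot see.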
------------------------------
From: [EMAIL PROTECTED] (Serge Vaudenay)
Subject: Re: Who will win in AES contest ??
Date: 29 Jan 1999 19:14:41 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (Hironobu Suzuki) writes:
|>
|> I think it's very difficult to compare Serpent and Twofish
|> because Serpent has more rounds than Twofish. It means Serpent is
|> stronger than Twofish. I guess if Serpent's rounds were shrunk,
|> Serpent would be as fast as Twofish (and Serpent would be as strong as
|> Twofish). But I appreciate Serpent's philosophy that a cipher should be
|> stronger and should have more safety margin than we thought.
|>
In my point of view Serpent is nicer than Twofish. Twofish looks like
a collection of random tricks taken from other ciphers. Although quite
conservative, Serpent has a simple design paradigm.
Serge
------------------------------
From: "Roger Schlafly" <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto,comp.sys.intel
Subject: Re: Some more technical info on Pentium III serial number
Date: Fri, 29 Jan 1999 10:34:05 -0800
Paul Rubin wrote in message ...
>It sounds to me like Intel is going to release browser controls
>(Netscape plug-in and Explorer ActiveX control) that read the serial
>number. They could distribute the controls through their own web
>site, or possibly get Micro$oft to include the controls in Windoze
>N+1. DHTML script on random web pages could then invoke the controls
>to put the numbers into hidden form fields that would be sent as part
>of the next GET or POST. The controls could even open their own IP
>connections back to the web server. This is all quite possible even
>today, without any participation from browser vendors or W3C. The
>main problem is social-engineering the users to accept the plug-ins.
>It looks like Intel has failed at this pretty badly already.
Ok, that is all plausible, but what do the users get out of it?
A serial number by itself would have been innocuous, but Intel's
plan seemed to be to force users to do something that they
really don't want to do. The more I hear about this, the more
insidious it sounds.
------------------------------
From: Jay Jakosky <[EMAIL PROTECTED]>
Subject: Re: what do u think about this algorithm of mine?
Date: Fri, 29 Jan 1999 11:58:37 -0800
Hasn't anyone seen a parody before? Amazing number of duped, albeit helpful,
responses.
Truly J.
Klaus Rohde wrote:
> i don't know anything about encryption, but one day i was thinking about
> it and had an idea for an algorithm which, as far as i can see, is
> unbreakable.
>
> you take byte n of a text stream and XOR it with byte n of the key to
> produce byte n of the cipher text.
>
> to me this seem's unbreakable, because by applying the right key any
> cipher text can be decoded into literally anything of the same length,
> meaning that unless someone has the key, they can't gain anything out of
> the cipher text.
>
> any thoughts or ideas (or proof that what im saying is nonsense) would be cool.
>
> :-) peter
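The byte-wise XOR from the quoted post, as an added example that is not code from the post or from any of the repliers. With a random key at least as long as the message and used exactly once, the claim in the post holds, and key_that_decrypts_to shows it directly: for any target of the same length there is a key that "decrypts" the ciphertext to it. The second half shows the check a practitioner wants, the moment the same key covers two messages: XORing the two ciphertexts cancels the key and a crib drag recovers plaintext. The messages, the key bytes and the crib are constructed for the demo.

```python
def xor_bytes(data, key):
    """Byte n of the text XORed with byte n of the key (the post's cipher);
    the same call decrypts.  The key must cover the whole message."""
    if len(key) < len(data):
        raise ValueError("key must be at least as long as the message")
    return bytes(d ^ k for d, k in zip(data, key))


def key_that_decrypts_to(ciphertext, target):
    """The post's observation made concrete: for any target of the same
    length there is a key under which the ciphertext 'decrypts' to it, so
    the ciphertext alone says nothing about which plaintext was sent."""
    if len(target) != len(ciphertext):
        raise ValueError("target must match the ciphertext length")
    return xor_bytes(ciphertext, target)


def reuse_leak(c1, c2):
    """If one key encrypts two messages, c1 XOR c2 == p1 XOR p2: the key
    cancels and the attacker is left with the XOR of the two plaintexts."""
    n = min(len(c1), len(c2))
    return xor_bytes(c1[:n], c2[:n])


def crib_drag(p1_xor_p2, crib):
    """Slide a guessed fragment of one plaintext along p1 XOR p2; wherever
    the guess is right, the XOR reveals the other plaintext at that offset.
    Returns every (offset, candidate) pair; readable candidates are the hits."""
    w = len(crib)
    return [(i, xor_bytes(p1_xor_p2[i:i + w], crib))
            for i in range(len(p1_xor_p2) - w + 1)]


# Constructed demo inputs (not from the post).  The key is fixed here only
# so the example is repeatable; a real one-time key comes from os.urandom.
P1 = b"attack at dawn"
P2 = b"defend at dusk"
KEY = bytes([0x8f, 0x13, 0x5a, 0xc4, 0x07, 0xee, 0x21, 0x9b,
             0x3c, 0x70, 0xd5, 0x4e, 0xa2, 0x68])


def demo():
    """Round trip, the 'decrypts to anything' key, and the two-time-pad leak."""
    c1 = xor_bytes(P1, KEY)
    assert xor_bytes(c1, KEY) == P1          # decryption is the same XOR
    c2 = xor_bytes(P2, KEY)                  # the mistake: same key twice
    leak = reuse_leak(c1, c2)
    return {
        "fake_key_decrypts": xor_bytes(c1, key_that_decrypts_to(c1, P2)),
        "leak_is_p1_xor_p2": leak == xor_bytes(P1, P2),
        "crib_hit": dict(crib_drag(leak, b"dawn"))[10],   # offset of "dawn" in P1
    }


if __name__ == "__main__":
    print(demo())
```

The first result is the post's point: a key exists that turns the ciphertext into a different same-length message, so the ciphertext reveals nothing. The last two are what the post leaves out: the moment a key is reused, the guess "dawn" at offset 10 reads "dusk" out of the other message without the key.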
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************