Cryptography-Digest Digest #69, Volume #9 Thu, 11 Feb 99 13:13:03 EST
Contents:
Re: 2048-bit block cipher ([EMAIL PROTECTED])
Re: Pentium III serial number - Why should webs be free? ("hapticz")
Re: An observation on sci.crypt (fungus)
Re: Random numbers generator and Pentium III (Kurt Wismer)
Re: hardRandNumbGen (Kurt Wismer)
Re: *** Where Does The Randomness Come From ?!? *** ([EMAIL PROTECTED])
Re: Who will win in AES contest ?? ([EMAIL PROTECTED])
Re: 2048-bit block cipher ("Wm. Toldt")
Re: What is left to invent? (R. Knauer)
Re: RNG Product Feature Poll (Paul Crowley)
Re: What is left to invent? (R. Knauer)
Re: RNG Product Feature Poll (R. Knauer)
Re: Threat Models: When You Can't Use a One-Time Pad (Patrick Juola)
Re: What is left to invent? (Patrick Juola)
Re: hardRandNumbGen (Patrick Juola)
Re: RNG Product Feature Poll (R. Knauer)
Re: RNG Product Feature Poll (R. Knauer)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED]
Crossposted-To: comp.security.misc
Subject: Re: 2048-bit block cipher
Date: Thu, 11 Feb 1999 12:21:15 GMT
Dear WTSHAW,
thank you very much for your explanations.
Something is not clear to me.
> own designs; I have felt that the basic core strength of an algorithm is
> poor if chaining is required for usefulness. Therefore, my comment, that
> the core algorithm is still the most important area of this cipher.
How do you define the core part of an algorithm, and why is chained encryption
so bad?
Best regards
Alex
============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
------------------------------
From: "hapticz" <[EMAIL PROTECTED]>
Subject: Re: Pentium III serial number - Why should webs be free?
Date: Thu, 11 Feb 1999 08:17:23 -0500
Crossposted-To: comp.sys.intel
the outrage is similar to knowing that once the wheel is invented it's time
for others to start SHARING, and not GOUGING their way into eternity!!!!!
just cause it's the first doesn't give the "inventor" carte blanche to reap
returns ad infinitum or even disproportionate gains against a hitherto
unknown populace!! or even gains that are gauged against no other known
situations.
and it is a "commodity"??, come on!!!!... this stuff is merely a wagging
of bits/zeroes from place to place!!
are the people that dumb to believe that this stuff is an essential life
need? like food, water, shelter, or is being valued much too high in the first
place??
the frenzy of "newness" and "dazzling" has approached the techniques used by
"snake oil salesmen" in years past.
--
best regards
hapticz@email.msn.com
------------------------------
From: fungus <[EMAIL PROTECTED]>
Subject: Re: An observation on sci.crypt
Date: Thu, 11 Feb 1999 18:58:08 +0100
Emrul Islam wrote:
>
> <!doctype html public "-//w3c//dtd html 4.0 transitional//en">
> <html>
> Hello there,
> <br> Over the last few weeks I have noticed a real
> big increase in the number of articles being posted in this group, and
> also the cryptographic intelligence levels on average have gone up.
> <br>
<snip>
That's nice, but could you turn off the "post HTML" option in your
newsreader? :-)
--
<\___/>
/ O O \
\_____/ FTB.
------------------------------
From: [EMAIL PROTECTED] (Kurt Wismer)
Subject: Re: Random numbers generator and Pentium III
Date: Fri, 29 Jan 1999 05:57:53 GMT
R. Knauer ([EMAIL PROTECTED]) wrote:
: >Yes, there are many methods. Check out Marsaglia's DIEHARD and pLab's
: >Diaphony for the most advanced stuff. Simple autocorrelation and
: >balance of 1's and 0's will also give you a few clues. If it can
: >pass all those tests, it's mathematically random.
: I give up. If people want to believe that crypto-grade randomness can
: be characterized by statistical tests, let them.
statistical tests can identify bias and temporal (or other) correlations,
which can be used to describe crypto-grade (as you call it) randomness
(ie. 0 bias, 0 temporal correlation, 0 [whatever else] correlation, etc)
before you discount the utility of statistical tests you should find out
about what people are mistaking for defining characteristics...
statistical tests quantify properties of random numbers, they don't test
definitions... that's the bump in the road people seem to be getting
caught on...
--
"some speak the sounds but speak in silent voices
like radio is silent though it fills the air with noises
its transmissions bring submission as ya mold to the unreal
mad boy grips the microphone wit' a fistful of steel"
------------------------------
From: [EMAIL PROTECTED] (Kurt Wismer)
Subject: Re: hardRandNumbGen
Date: Fri, 29 Jan 1999 05:48:38 GMT
R. Knauer ([EMAIL PROTECTED]) wrote:
: Learn what crypto-grade randomness is. The concept is deceptively
: simple once you understand it. But first you have to give up all other
: definitions of randomness from other fields like statistics.
: The key to understanding is that randomness depends on the generation
: process, not the numbers themselves. The number 000...0 fails all
: sorts of statistical tests, but can be a random number if it is
: generated by a TRNG. Until you analyze the method of generation, you
: cannot know.
this is the definition i've used for years... strangely, nothing i ever
learned in statistics ever suggested i was wrong...
--
"some speak the sounds but speak in silent voices
like radio is silent though it fills the air with noises
its transmissions bring submission as ya mold to the unreal
mad boy grips the microphone wit' a fistful of steel"
------------------------------
From: [EMAIL PROTECTED]
Crossposted-To: sci.skeptic,sci.philosophy.meta
Subject: Re: *** Where Does The Randomness Come From ?!? ***
Date: Fri, 05 Feb 1999 11:51:07 GMT
In article <[EMAIL PROTECTED]>,
Medical Electronics Lab <[EMAIL PROTECTED]> wrote:
> Seisei Yamaguchi wrote:
> >
> > Hi, this is Seisei.
> >
> > Ron Cecchini <[EMAIL PROTECTED]> wrote:
> > >The first step is to try to *define* "true randomness"!
> >
> > That's right.
> > Randomness and unforeseeableness are not identical.
> > And, I think it's non existent randomness.
> >
>
> Howdy Seisei,
>
> I agree with you. Everything is signal, it's just that
> we don't always know where the signal came from or how
> it got to where we could "see" it. The purpose for
> crypto is merely to create something which no one
> can know, no matter what their resources. That would
> be my definition of "true random".
>
> Patience, persistence, truth,
> Dr. mike
>
The question is, given some data, eg:
gdmvkzcexmgzczt
How do you tell whether it is completely random or
merely encrypted in some way unknown to you?
In decrypting a message, there is usually at least some
knowledge of the encryption technique,
but it seems to me that a random string cannot be
distinguished from an arbitrarily encrypted message
in the absence of obvious redundancy.
(think of it as a kind of Turing test).
Regards,
Peter D Jones
Brighton, UK
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Who will win in AES contest ??
Date: Fri, 29 Jan 1999 07:25:53 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (David Hamilton) wrote:
> (snip)
>
Earlier in this thread, you said:
> Don't use David A. Scott's software. There is evidence that it is almost
> certainly weaker than, eg, PGP. See message-ID:
> <[EMAIL PROTECTED]> in the thread 'Re: Encryption Basics'
> posted in sci.crypt on 19th December for details.
>
> David Hamilton. Only I give the right to read what I write and PGP allows me
>
I should know better than to answer your posts since you are a sick
man. But since you claimed to have proof, I tried to look up using
Deja News the article you quoted. At least when I click on the blue
part it goes to an error message. Oh well, so much for your so-called
proof.
Actually, if one uses PGP to encrypt a message
in its normal mode, it first encrypts a random (so-called random)
session key and then uses that key to do standard encryption of the
plain text file, which is usually first compressed. But what is not
highly advertised is that this is a "zero entropy" encryption method,
meaning that if one tries to break it by whatever means, if you
have a test session key then you know exactly if you can decode
the message. Security relies only on the hopes that the reverse
solution of the attacker is slow. If one uses a "high entropy"
"all or nothing encryption" like scott19u, the seeds of the solution
are not there. In other words, even if you have a quantum or quark
computer and reach a solution, the odds are that it is a wrong
solution. These concepts are too hard for Mr Hamilton; let him
stick to the "zero entropy" methods, the fool has no understanding
of this basic concept.
David A. Scott
http://cryptography.org/cgi-bin/crypto.cgi/Misc/scott19u.zip
http://members.xoom.com/ecil/index.htm
------------------------------
From: "Wm. Toldt" <[EMAIL PROTECTED]>
Subject: Re: 2048-bit block cipher
Date: Thu, 11 Feb 1999 05:42:23 -1000
[EMAIL PROTECTED] wrote:
>
> Dear Wm.Toldt,
>
> thank you very much for your kind
> advertisement of my RSA study.
>
> I doubt that in this case my own attack can work
> while there are double chained encryption and
> permutation of words.
>
> Best wishes.
>
> Alex
Yes it would, chaining does not involve more keys. Your RSA Null Security
Strategy is used by analogy, but every key is used instead of every
plaintext to make an inverse table. By trying every key, chaining
provides NO extra protection nor does permutation of words. If this
strategy cannot work for the 2048 bit scheme, then you are admitting it
would not work for RSA with 2048 bit keys. Do you now admit this? Or do
you want a more detailed trouncing?
> In article <[EMAIL PROTECTED]>,
> "Wm. Toldt" <[EMAIL PROTECTED]> wrote:
> > [EMAIL PROTECTED] wrote:
> > >
> > > In article <[EMAIL PROTECTED]>,
> > > "Wm. Toldt" <[EMAIL PROTECTED]> wrote:
> > > > It is trivial to break your algorithm. If you want to know how, just ask.
> > >
> > > Dear Wm. Toldt,
> > >
> > > It would be very nice of you if you could
> > > expand your statement.
> > >
> > > Thank you in advance.
> > >
> > > Regards
> > > Alex
> >
> > This cryptanalysis is called Alex Null Security, and it is based on the
> > RSA Null Security cryptanalysis described at :
> >
> > http://www.online.de/home/aernst/RSA.html
> >
> > Here is how it is done: following the method shown above, all you need is
> > the ciphertext and a copy of the program for this algorithm. Then just
> > make a table of possible plaintexts decrypted using all possible keys.
> > Then use this as an inverse map. When you find a key that gives a
> > meaningful plaintext, make a note of that as a possible correct key.
> >
> > For RSA Null Security this was described as:
> > "How to decrypt a message knowing a public key
> >
> > Suppose a public key (n,e) is known.
> >
> > 1. Using the public key encrypt the set {0,1,2,...,n-1} to get a
> >
> > Permutation P.
> >
> > 2. Using the permutation P or its inverse decrypt a message"
> >
> > I want to thank Alex for providing the prototype for breaking the 2048
> > bit algorithm in the title of this post.
> >
>
------------------------------
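The "encrypt every residue to get a permutation P" step quoted above, worked through on a constructed toy modulus. This is an added example, not code from the thread or from the RSA.html page it cites; the parameters n = 5 * 11 = 55, e = 3 and the message 7 are constructed for illustration. It shows the two facts a defender should take from the exchange: textbook (unpadded) RSA is a fixed permutation of {0, ..., n-1}, and tabulating that permutation costs one encryption per residue, so the work is n, which for a real modulus of about 2^2048 is 2^2048 encryptions. Randomized padding exists precisely so that a deterministic ciphertext table cannot be built or reused.

```python
# Added example (not from the thread): textbook RSA on a constructed toy modulus.
# Encryption m -> m^e mod n is a permutation P of {0, ..., n-1}; inverting the
# table of P decrypts any ciphertext, at a cost of n modular exponentiations.
from math import gcd

TOY_P, TOY_Q, TOY_E = 5, 11, 3          # constructed toy parameters
TOY_N = TOY_P * TOY_Q                   # 55
TOY_PHI = (TOY_P - 1) * (TOY_Q - 1)     # 40


def rsa_permutation(n: int, e: int) -> dict:
    """Map every residue m in {0..n-1} to its textbook-RSA ciphertext m^e mod n."""
    return {m: pow(m, e, n) for m in range(n)}


def inverse_table(n: int, e: int) -> dict:
    """The inverse map ciphertext -> plaintext, built by enumerating all residues.
    Work factor: n modular exponentiations, one per residue."""
    perm = rsa_permutation(n, e)
    inv = {c: m for m, c in perm.items()}
    if len(inv) != n:
        raise ValueError("encryption is not a permutation (gcd(e, phi) != 1?)")
    return inv


def decrypt_with_table(ciphertexts, inv: dict) -> list:
    return [inv[c] for c in ciphertexts]


def private_exponent(e: int, phi: int) -> int:
    """The legitimate receiver's d = e^-1 mod phi (pow with exponent -1 needs Python 3.8+)."""
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible mod phi")
    return pow(e, -1, phi)


def enumeration_cost_bits(n: int) -> int:
    """log2 of the number of encryptions the table needs: the bit length of n."""
    return n.bit_length()


def demo():
    inv = inverse_table(TOY_N, TOY_E)
    d = private_exponent(TOY_E, TOY_PHI)
    c = pow(7, TOY_E, TOY_N)            # encrypt m = 7 -> 13
    return {
        "ciphertext": c,
        "table_decrypt": decrypt_with_table([c], inv)[0],
        "key_decrypt": pow(c, d, TOY_N),
        "table_entries": TOY_N,
        "cost_bits_2048": enumeration_cost_bits(1 << 2047),
    }


if __name__ == "__main__":
    print(demo())
```

The table and the private exponent agree on every ciphertext, which is the whole content of the "Null Security" observation; the last field of `demo()` is the point the thread argues over, since the same table for a 2048-bit n would need 2^2048 entries.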
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: What is left to invent?
Date: Thu, 11 Feb 1999 15:03:51 GMT
Reply-To: [EMAIL PROTECTED]
On Wed, 10 Feb 1999 11:10:33 -0600, Jim Felling
<[EMAIL PROTECTED]> wrote:
>At last a posting I can totally agree with. I have never claimed that
>statistical testing was sufficient to certify a TRNG, merely necessary to
>ensure that your TRNG was at least a RNG (as far as the testing could
>determine).
Statistical testing does not ensure that the TRNG is a RNG for
purposes of crypto. A PRNG with poor security can pass those tests.
The only thing that statistical testing can do is reject presumably
insecure RNGs.
Bob Knauer
"It is not a matter of what is true that counts, but a matter of
what is perceived to be true."
--Henry Kissinger
------------------------------
From: Paul Crowley <[EMAIL PROTECTED]>
Subject: Re: RNG Product Feature Poll
Date: 11 Feb 1999 09:24:30 -0000
"Trevor Jackson, III" <[EMAIL PROTECTED]> writes:
> I believe this nomenclature issue is worthy of attention. But
> choosing one word to imply the properties of independence and flat
> distribution is probably a mistake. "Equidistributed" does not
> necessarily mean independent. "Independent" does not necessarily mean
> equidistributed.
unbiased?
--
__
\/ o\ [EMAIL PROTECTED] http://www.hedonism.demon.co.uk/paul/ \ /
/\__/ Paul Crowley Upgrade your legacy NT machines to Linux /~\
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: What is left to invent?
Date: Thu, 11 Feb 1999 15:05:56 GMT
Reply-To: [EMAIL PROTECTED]
On 10 Feb 1999 22:33:01 GMT, [EMAIL PROTECTED] (John Curtis) wrote:
>>As long as you can demonstrate that by doing an audit on the TRNG,
>>including diagnostics on its subsystems, then it is provably secure
>>to a certain experimental level. To appreciate that, you must
>>consider experimental proof as a valid form of proof.
>
> [Pardon the length of this post.]
> I agree with you 100% in this statement. The thing that
> concerns me is that we haven't really arrived at any kind
> of statement as to "how good is good enough" in a real,
> on the test bench, TRNG.
I have suggested that one use a TRNG to produce a number of test
ciphers and then attempt to break them using Bayesian inference
techniques, which presumably exploit any "leakage" of information.
I believe one can assign levels of confidence using the Bayesian
method.
Bob Knauer
"It is not a matter of what is true that counts, but a matter of
what is perceived to be true."
--Henry Kissinger
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: RNG Product Feature Poll
Date: Thu, 11 Feb 1999 16:46:56 GMT
Reply-To: [EMAIL PROTECTED]
On Wed, 10 Feb 1999 13:33:55 -0500, "Trevor Jackson, III"
<[EMAIL PROTECTED]> wrote:
>I believe this nomenclature issue is worthy of attention. But choosing one word
>to imply the properties of independence and flat distribution is probably a
>mistake. "Equidistributed" does not necessarily mean independent.
>"Independent" does not necessarily mean equidistributed.
Independence is a necessary but not sufficient condition for
crypto-grade random numbers. The reason is that the ciphers will leak
information if the distribution of possible keys is not
equidistributed.
That's why the specification for a TRNG is that it be capable of
producing all possible finite sequences equiprobably. The concept of
equiprobability contains both equidistribution and independence.
Or so one would think, eh.
Bob Knauer
"It is not a matter of what is true that counts, but a matter of
what is perceived to be true."
--Henry Kissinger
------------------------------
From: [EMAIL PROTECTED] (Patrick Juola)
Subject: Re: Threat Models: When You Can't Use a One-Time Pad
Date: 10 Feb 1999 08:27:44 -0500
In article <[EMAIL PROTECTED]>,
Darren New <[EMAIL PROTECTED]> wrote:
>R. Knauer wrote:
>> Truth is found in Reality. Falsity is a lack of Truth.
>
>Shame on you. Godel disproved this decades ago.
No, he didn't. Re-read his paper.
-kitten
------------------------------
From: [EMAIL PROTECTED] (Patrick Juola)
Subject: Re: What is left to invent?
Date: 10 Feb 1999 08:42:07 -0500
In article <[EMAIL PROTECTED]>,
R. Knauer <[EMAIL PROTECTED]> wrote:
>On Tue, 09 Feb 1999 04:07:13 GMT, [EMAIL PROTECTED] (Terry Ritter) wrote:
>
>>>> But there *is* *no* PROVABLY random source.
>
>>>That's not so;
>
>>That *is* so.
>
>Radioactive decay can be proved to be random to within an arbitrarily
>small error....
... subject to certain assumptions, yes. And, of course, this is
exactly the sort of statement you were criticizing earlier as being
insufficient out of the box to characterize a RNG.
-kitten
------------------------------
From: [EMAIL PROTECTED] (Patrick Juola)
Subject: Re: hardRandNumbGen
Date: 10 Feb 1999 08:53:19 -0500
In article <[EMAIL PROTECTED]>,
R. Knauer <[EMAIL PROTECTED]> wrote:
>On 8 Feb 1999 10:42:38 -0500, [EMAIL PROTECTED] (Patrick Juola)
>wrote:
>
>>>Therefore the very thing you are testing the RNG for, namely its
>>>suitability for use with the OTP system, is not determinable. You
>>>might be able to determine that a RNG is not suitable, but you cannot
>>>determine that an RNG is suitable.
>
>>No. There are two things you need to do to produce a certifiable
>>TRNG.
>
>I meant "you cannot determine that an RNG is suitable"... using
>statistical tests on the output.
>
>>One is to confirm that the device is, in fact, a "random number generator"
>>in the sense that it produces random bits. The main thing to confirm
>>then is that you can get an unbounded number of random (although not
>>necessarily equiprobable) bits out of the system.
>
>I do not know what you mean by "random" in that sentence. I will take
>it to mean "indeterminant".
>
>Which brings up a question I was going to bring up earlier and have
>been waiting for the right place. We speak of the ills of bit-bias in
>terms of random number generation, but what if the generator were
>designed with a deliberate bias? As an analog (and only as an analog)
>imagine a symmetric polygonal die with one more 1 than 0. That would
>have a built in bias, yet each outcome of a throw would be
>indeterminant. So you subject the output of that die to a statistical
>test for bit-bias and it flunks. Now what?
Depends. If it's a really good generator with a known bias, there
are mathematical techniques that will allow me to strip out the bias
and produce an unbiased stream. So if I'm willing to embed the
hardware in some other equipment, it may be a good building block.
>Also, imagine actually using the output for an OTP and your attacker
>tries to figure out why the bits in the ciphers are biased. Will that
>do him any good? IOW, does using the pad from a deliberately biased
>RNG (which is otherwise completely indeterminant) leak any information
>that is useful for decrypting your ciphers?
Broadly speaking, yes. First, I can start decrypting at the most
probable key and work downwards from there. Second, I can produce
a probability (Bayes' theorem again) for every potential key, and
from that derive probabilities for various plaintexts. If you
send a message telling your broker either to "buy!" or "sell", but
one is overwhelmingly more probable than the other, that's a
potentially serious crack.
>It would seem that any bias, even bias that is deliberately introduced
>and accounted for, is going to weaken the random number generation
>process cryptographically, since in the limit that the bias becomes
>very large, you have a totally insecure system? Yet the TRNG is
>completely indeterminant from one throw of the die to the next
But you can strip out bias fairly easily -- gather bits in pairs, output
a 1 bit if the pair is 01, a zero bit if the pair is 10 and gather a
new pair otherwise. Yes, you waste about 75 percent of your generator
this way.... but bits are cheap.
-kitten
------------------------------
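The bias-stripping step described at the end of the post above, as an added example that is not code from the thread. It implements the pairing rule as stated (01 gives a 1, 10 gives a 0, 00 and 11 are discarded), known as the von Neumann extractor, and makes explicit the assumption the rule rests on: the source bits must be independent with a fixed bias p, because then P(01) = P(10) = p(1-p) and the output is exactly unbiased. The seeded PRNG standing in for a biased hardware source, the bias 0.6 and the sample size are constructed for the demonstration.

```python
# Added example (not from the thread): von Neumann debiasing of an i.i.d.
# biased bit source.  Expected yield is p(1-p) output bits per input bit,
# i.e. 1/4 at p = 1/2 (the "about 75 percent wasted" figure in the post).
import random


def von_neumann_extract(bits):
    """Von Neumann extractor over non-overlapping pairs (01 -> 1, 10 -> 0).
    Assumes independent bits with a fixed (possibly unknown) bias."""
    out = []
    for i in range(0, len(bits) - 1, 2):
        a, b = bits[i], bits[i + 1]
        if a != b:                    # 00 and 11 carry the bias; drop them
            out.append(1 if (a, b) == (0, 1) else 0)
    return out


def expected_yield(p):
    """Expected output bits per input bit for an i.i.d. source with P(1) = p."""
    return p * (1 - p)


def fraction_of_ones(bits):
    return sum(bits) / len(bits) if bits else float("nan")


def biased_source(p, n, seed):
    """Constructed i.i.d. biased source; a seeded PRNG stands in for hardware."""
    rng = random.Random(seed)
    return [1 if rng.random() < p else 0 for _ in range(n)]


def demo(p=0.6, n=100_000, seed=1999):
    raw = biased_source(p, n, seed)
    clean = von_neumann_extract(raw)
    return {
        "input_bias": fraction_of_ones(raw),
        "output_bias": fraction_of_ones(clean),
        "yield": len(clean) / len(raw),
        "expected_yield": expected_yield(p),
    }


if __name__ == "__main__":
    print(demo())
```

The independence assumption is the caveat to check before trusting the output: feed the extractor a perfectly correlated source such as `0101...` and every pair is `01`, so it emits a constant stream of 1s. The extractor removes bias, not correlation, which is why the statistical checks discussed elsewhere in this digest are still needed on the raw source.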
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: RNG Product Feature Poll
Date: Thu, 11 Feb 1999 16:57:24 GMT
Reply-To: [EMAIL PROTECTED]
On 10 Feb 1999 17:39:57 -0500, [EMAIL PROTECTED] (Herman Rubin)
wrote:
>If "equidistributed" means that all sequences have the same probability,
>it does imply independent.
I tended to agree with that yesterday, but today I am of the mind that
one must use the term "equiprobable" to make sure that independence is
included. A counter can be considered equidistributed, so that term is
too misleading for crypto.
>If it only means that the probability of
>each single bit being 0 is .5, not much follows from it. If the bits
>are independent with the same probability, one can remove the bias
>fairly easily.
The problem with doing that is now you are tampering with the output
of a TRNG, and that is not permitted. Once you start fooling around
with numbers algorithmically you alter any randomness that they might
have.
Bob Knauer
"It is not a matter of what is true that counts, but a matter of
what is perceived to be true."
--Henry Kissinger
------------------------------
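Two of the simplest checks Kurt Wismer names earlier in this digest (balance of 1s and 0s, and correlation at a lag), run over constructed bit streams, as an added example that is not code from any of the posts. It illustrates both Bob Knauer's point that passing such tests is necessary but never sufficient (a seeded PRNG passes them while being fully predictable) and his remark in the post above that a counter "can be considered equidistributed": an 8-bit counter is exactly balanced and shows almost no lag-1 correlation, yet a lag-8 check, which compares the same bit position in consecutive bytes, exposes it. The streams, the seed and the 0.05 tolerance are constructed for the demonstration.

```python
# Added example (not from the thread): bias and lag-correlation checks over
# three constructed streams: an 8-bit counter, a seeded PRNG, a stuck source.
import random


def bit_bias(bits):
    """Fraction of ones; 0.5 is balanced."""
    return sum(bits) / len(bits)


def lag_correlation(bits, lag):
    """Serial correlation at a given lag, in [-1, 1]: +1 if b[i] always equals
    b[i+lag], -1 if it never does, about 0 for independent balanced bits."""
    pairs = len(bits) - lag
    agree = sum(1 for i in range(pairs) if bits[i] == bits[i + lag])
    return (2 * agree - pairs) / pairs


def bytes_to_bits(data):
    return [(byte >> (7 - j)) & 1 for byte in data for j in range(8)]


def counter_stream():
    """Bits of an 8-bit counter running 0..255 once (2048 bits), MSB first."""
    return bytes_to_bits(bytes(range(256)))


def prng_stream(n_bits, seed=42):
    """Constructed stand-in for a good-looking but fully predictable PRNG."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(n_bits)]


def stuck_stream(n_bits):
    return [0] * n_bits


def report(bits, lags=(1, 8), tolerance=0.05):
    """Measured statistics plus a verdict: 'not_rejected' means every statistic
    is within tolerance of its ideal (bias 0.5, correlation 0).  A pass says
    nothing about the generating process, only that these tests found no flaw."""
    stats = {"bias": bit_bias(bits)}
    for lag in lags:
        stats[f"lag{lag}"] = lag_correlation(bits, lag)
    stats["not_rejected"] = abs(stats["bias"] - 0.5) <= tolerance and all(
        abs(stats[f"lag{lag}"]) <= tolerance for lag in lags)
    return stats


if __name__ == "__main__":
    for name, stream in [("counter", counter_stream()),
                         ("prng", prng_stream(8192)),
                         ("stuck", stuck_stream(2048))]:
        print(name, report(stream))
```

With only the lag-1 check the counter is not rejected; adding lag 8 rejects it, because incrementing a counter leaves the high bit positions unchanged most of the time (the lag-8 correlation works out to 1036/2040, a little over 0.5). The PRNG stream is not rejected by either check, which is the "necessary, not sufficient" lesson.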
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: RNG Product Feature Poll
Date: Thu, 11 Feb 1999 17:02:06 GMT
Reply-To: [EMAIL PROTECTED]
On 10 Feb 1999 17:35:03 -0500, [EMAIL PROTECTED] (Herman Rubin)
wrote:
>>A random number generator for use with the OTP cryptosystem must be
>>capable of generating all possible finite sequences equiprobably or
>>else the ciphers will leak information in a significant manner, making
>>them insecure.
>Will the amount of information leaked be significant?
I do not know - I have been trying to get people to quantify that for
a long time now.
I have suggested that one use the TRNG to construct several test
ciphers and subject them to attacks which are known to break stream
ciphers, such as the Bayesian inference attack. You would think that
in so doing you could quantify any vulnerability.
>The amount of
>information in the exact number of 1's in a sequence of 10^6 bits is
>less than 12, so how useful would the information be? And what would
>the amount of leakage be if only sequences which had this property were
>used?
You will have to ask the crypto experts.
>These bounds assume that the interceptor can actually use them.
>Let me ask the cryptographic experts here; how large a message would
>one need to have a reasonable chance at cracking it if the OTP used
>had bits with a known probability of .51, or even .6, of being 0?
Now we are getting somewhere - that is a good question. Now let's see
if the crypto experts can provide an answer.
Bob Knauer
"It is not a matter of what is true that counts, but a matter of
what is perceived to be true."
--Henry Kissinger
------------------------------
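The post above asks how much a biased one-time pad leaks, and Patrick Juola's post earlier in this digest sketches the Bayesian answer. As an added example that is not code from any of the posts, the following puts three standard quantities to that question, using the symbols p0 (probability that a pad bit is 0), L (pad length in bits) and w (Hamming weight of a key). (a) Each pad bit carries H(p0) bits of entropy, so the pad falls short of one-time-pad strength by L(1 - H(p0)) bits. (b) For one ciphertext c and two equal-length candidate plaintexts m1, m2, the implied keys are k_i = c XOR m_i, and with a uniform prior Bayes' rule gives P(m1|c)/P(m2|c) = P(k1)/P(k2) = (p0/(1-p0))^(w2 - w1), which is exactly 1 (no leak) when p0 = 1/2; this is the "buy"/"sell" distinction in Juola's post. (c) Herman Rubin's figure of "less than 12" bits in the count of 1s among 10^6 unbiased bits follows from the Gaussian approximation to a binomial's entropy, about 1/2 log2(pi e n / 2). The byte values in the usage are constructed.

```python
# Added example (not from the thread): quantifying the leakage of a biased pad.
import math


def binary_entropy(p):
    """H(p) in bits for a Bernoulli(p) bit."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -(p * math.log2(p) + (1 - p) * math.log2(1 - p))


def entropy_deficit_per_bit(p0):
    """Bits of key entropy missing per pad bit when P(bit = 0) = p0."""
    return 1.0 - binary_entropy(p0)


def total_deficit_bits(p0, pad_bits):
    """Total shortfall L * (1 - H(p0)) against a uniform pad of the same length."""
    return pad_bits * entropy_deficit_per_bit(p0)


def hamming_weight(data):
    return sum(bin(b).count("1") for b in data)


def plaintext_likelihood_ratio(ciphertext, m1, m2, p0):
    """P(m1|c) / P(m2|c) under a uniform prior over {m1, m2}, for a pad whose
    bits are independent with P(0) = p0.  Equals 1.0 when the pad is unbiased."""
    if not (len(ciphertext) == len(m1) == len(m2)):
        raise ValueError("candidates must match the ciphertext length")
    k1 = bytes(c ^ m for c, m in zip(ciphertext, m1))
    k2 = bytes(c ^ m for c, m in zip(ciphertext, m2))
    # P(k) = p0^(L - w) * (1 - p0)^w, so the ratio depends only on w2 - w1.
    return (p0 / (1 - p0)) ** (hamming_weight(k2) - hamming_weight(k1))


def count_of_ones_entropy_bits(n):
    """Gaussian approximation to the entropy of Binomial(n, 1/2): the information
    in the exact number of 1s among n unbiased bits."""
    return 0.5 * math.log2(math.pi * math.e * n / 2)


if __name__ == "__main__":
    for p0 in (0.5, 0.51, 0.6):
        print(p0, entropy_deficit_per_bit(p0), total_deficit_bits(p0, 10**6))
    # constructed one-byte case: candidate keys 0x00 (weight 0) and 0xff (weight 8)
    print(plaintext_likelihood_ratio(b"\x00", b"\x00", b"\xff", 0.6))
    print(count_of_ones_entropy_bits(10**6))
```

The numbers answer the thread's question in its own terms: at p0 = 0.51 the deficit is about 0.0003 bits per pad bit (roughly 290 bits over a 10^6-bit pad), at p0 = 0.6 about 0.029 bits per pad bit (about 29,000 bits over the same pad), and a pad with p0 = 0.6 makes a plaintext whose implied key is all zeros 1.5^8, about 26, times more probable than one whose implied key is all ones, per byte. The count-of-ones entropy for n = 10^6 comes out near 11 bits, in line with Rubin's remark.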
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************