Cryptography-Digest Digest #157, Volume #9 Sun, 28 Feb 99 02:13:03 EST
Contents:
Re: Define Randomness (Terry Ritter)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Define Randomness
Date: Sun, 28 Feb 1999 07:07:21 GMT
On Fri, 26 Feb 1999 15:48:34 GMT, in
<[EMAIL PROTECTED]>, in sci.crypt
[EMAIL PROTECTED] (R. Knauer) wrote:
>[...]
>Are you claiming that all inductive learning is not worthy of being
>called a PROOF?
No, I am not. But I *am* claiming that inductive reasoning is often
false, unlike deductive reasoning. We thus must be very, very careful
when we use induction, if we want correct results.
It is *often* FALSE to draw a conclusion about the whole based upon
some parts of the whole. This is of course what we do in statistics,
and may be seen as the reason for speaking in probabilities about the
results. But probabilities under 1.0 are not PROOF that every other
possibility has been ruled out. But that is what we want: We are
trying to rule out ANY POSSIBILITY AT ALL of weakness. At least that
is what PROVABLY "unbreakable" means to me.
Suppose we have a house with 20 rooms: After looking in 2 rooms, can we
possibly hope to "induce" the contents of the other 18? Of course not.
In this situation there is no reason for any particular room to
reflect any other. So conclusions which are based on a small subset
have no reason to be true. Induction should not be used here.
Suppose someone in a 20-room house committed murder, and we want to
find the weapon: Suppose we search 19 rooms without finding it; shall
we now say that we have "proven" to a 95% probability that the weapon
is not in the house? I suppose, but of what use is such a "proof"?
What we really want to know is whether the weapon is there,
*anywhere*. So as long as even *one* room remains unsearched, there
is no PROOF that the weapon is not there.
In cryptography we take even unimaginably small risks *very*
seriously. Even tiny probabilities of weakness are more than we are
willing to accept in normal ciphers. The acceptable probability of
finding a break is not 1 in 20 (which is more than 1 in 2**5), but
instead under 1 in 2**56. (Any key can be guessed, but it is clear
that 1 good key hidden in 2**56 bad ones is not good enough.) We are
not going to get that kind of probability by statistical induction.
>>I think "proof" means PROOF: a 100% iron-clad demonstration that no
>>other possibilities exist. This is *not* the same as proof *if* only
>>something else is what we hope and wish it to be.
>
>You are a dogmatist, namely only 100% dogmatic truth will suffice.
Sorry, name calling is not going to work here.
>You are excluding proofs arrived at by induction, such as recursively
>constructed proofs and experimental proofs. For example, in your
>system you could never accept that the speed of light is a constant,
>since there is no a priori reason to prove that it is.
Now that you mention it, I *would* like to see Michelson-Morley run at
astronomic scale in 3D.
>Never mind that there are very strong reasons, inductive reasons that
>come from both theory and experiment, that the speed of light is a
>constant, at least in a given locality in spacetime. Never mind that
>the constancy of the speed of light is contained in Maxwell's
>equations and is contained in the various measurements of the speed.
>
>For you the proof is not 100% iron clad, since there is always the
>*possibility* that the speed of light is not a constant.
>
>Best stay away from the empirical sciences and even certain parts of
>mathematics. Chaitin's Omega would be devastating to you, just like
>Godel's theorem was devastating to Herman Weyl.
I would say that if you are going to accept hand-waving as PROOF, best
stay away from cryptography. It will be devastating to you.
>>No. OTP systems are provably secure only in concept.
>
>I am maintaining that OTP systems can be made provably secure to
>within an arbitrarily small amount of unsecurity. I am basing that
>claim on the existence of nearly perfect TRNGs and the existence of
>induction method(s) that can give one a "probably approximately
>correct" result regarding that unsecurity.
You can "maintain" what you like, but let's see the proof: *How* will
you measure a constructed TRNG to conclude that it has sufficient
bit-independence, lack of correlations, biases, and any other possible
weakness? Just how will you measure and bound on every possible
"weakness," and how will you prove that such bounds are sufficient?
Then how will you measure a real device and show that it meets those
bounds, and will continue to do so?
The problem is not just collecting data to make a statistical
determination. The problem is that we can never run all the tests.
That is not an appropriate base for an inductive conclusion.
>I have offered the radioactive TRNG as the nearly perfect TRNG, based
>on the provable randomness of radioactive decay. I have offered a
>computational induction method as the way to determine the extent to
>which the OTP system can be said to be unsecure.
>>The *provably* secure OTP is a *theoretical* OTP -- and that is only
>>good for sending theoretical data.
>
>It is provably secure on a practical level if you will accept
>inductive proof as legitimate.
Inductive reasoning must be kept under very tight control if it is to
be correct. Reasoning from a few cases to the whole is often invalid.
There has been quite a lot of talk about PROOF here. So how is it
that I find myself unconvinced? This seems odd, because the whole
idea of PROOF is that it be *compelling*. But I have yet to see even
a concise set of statements for what is known, what must be shown, and
how that will be done.
Why don't you try to set down this supposed PROOF? Write it out.
Note the assumptions.
Show me.
>The essence of all this is that if only an insignificant amount of
>information leaks from a cipher, then it cannot be broken as a
>practical matter. It does not have to be 100% unbreakable to be
>unbreakable.
You mean "almost unbreakable" is the same as "unbreakable"? I suppose
that you, like the Red Queen, intend to be the master of your words
instead of the other way 'round. Alas, I have a single definition for
"unbreakable," and it is "cannot be broken."
In this context, "broken" means an exposure beyond the security
claimed for the cipher. So if you don't claim much security, I
suppose it would never be "broken." But that was not my understanding
of your goals.
If you want to claim PROVEN, ABSOLUTE security as in "the only secure
cipher," then "unbreakable" becomes very clear and understandable. To
be "unbreakable" it must *indeed* be "100% unbreakable." Anything
other than this you need to qualify and quantify.
>>In practice, OTP's depend upon TRNG qualities which cannot be ASSUMED
>>and also cannot be PROVEN.
>
>You are correct, as far as your statement goes - with the word PROVEN
>meaning 100% proven. But so what? If I can send OTP ciphers that are
>95% proven secure by inductive methods, then how can you claim that
>you have broken my OTP ciphers?
If you had some way to measure that at most 5% of a message might be
revealed, at least you would have a PROOF of *something*.
But of what? Can we ever call a 5% exposure acceptable? Is this the
same vaunted "unbreakable" cipher that we started with? In what way
can we say "unbreakable" yet accept that it may be broken? What does
this sort of "unbreakable" mean?
I suppose it may be much easier to try to re-define "unbreakable" than
to accept that the "unbreakable" cipher is out of reach. But I think
I'll just use the old definition.
>The OTP system relies on several things for its provable security,
>and one is that the key be as long as the message. That means that all
>possible intelligible messages can be decrypted by brute force. That
>is not the case with seeded PRNGs, where once the message gets
>significantly longer than the unicity length, there is a vanishingly
>small probability that brute force will uncover more than one
>intelligible message.
Some practical RNG's do exist with internal states far in excess of
most message sizes: I have built them. For these, we can show that
every possible sequence (of some message length) *can* be produced by
the RNG. It is only when we use "small" keys that this property is
not retained, and that is because there can be at most as many
sequences as there are keys. Normally we expect that the key hashing
be of such a nature that no useful bias occurs in selecting the subset
of possible sequences.
So the advantage of the TRNG is not really that it can produce every
possible sequence. (For example, we could define a PRNG construction
which would grow until it had more internal state than any message bound,
although we then have to key it.) Instead, the advantage of the TRNG
is that there *is* no internal state, so there is nothing there *to*
know. There is nothing to expose. There is nothing to find. There
is no short key.
>Most of the security of the OTP is contained in how it is constructed.
>If you send only a few bits of cipher, the requirements for the
>provable security of the TRNG are greatly reduced. As you send more
>cipher bits the TRNG must be more secure. But unless you plan on
>encrypting an inordinate amount of data, the TRNG doesn't have to be
>100% provably secure.
Does not being "100% provably secure" mean that we can't PROVE it to
100% levels, or that it is known to be a few percent insecure?
Normally, "a little bit insecure" is like "a little bit pregnant."
And how is this measured?
>Anyway, since you are going to ship the keystream on a CD, you will
>likely make it over a finite period, like one month, and then shut the
>TRNG down for a while.
The problem with shipping keystream on a CD every month is that we
have the most critical information for an entire month in *two* places
(assuming the cipher is for communications). Now we have to guard
*both* places, *all* the time. We have to pay the guards very well
and threaten them with death, because the true strength of the OTP
depends upon not just the data, but also the guards.
We could encipher the CD data, or similarly, keep it in a safe. But
then, if the enciphered result is available, all we need to do to
break the OTP is to break the protecting cipher (or the safe). Which
means, of course, that all the claims about unbreakability are gone.
And then we must never even send the same *plaintext* to more than one
destination. For if we do, and plaintext becomes available from one
site, and The Opponents intercept the message to other sites, they
will know each key used, and can re-write the messages at will.
How do we quantify these dangers? Since they are inherent in the OTP,
how is using one of them *not* "breaking" the OTP? How can we call
such a design *really* "unbreakable" *even* *if* the keying sequence
is absolutely perfect? Does "breaking" only apply to predicting the
sequence? Is the user data thus irrelevant to measuring strength?
>When you restart it, it will be in a slightly
>different environment, so the 2nd keystream will be different from the
>1st one in subtle ways. That makes the cryptanalyst's job much harder,
>since now he must begin collecting information from the start again.
>
>One poster has repeatedly suggested shutting the TRNG down
>deliberately to reset its environment and average out any slight
>imbalances in its behavior.
That would be Dr. Rubin.
I agree that combining multiple sequences (throwing information away,
as we do in any sort of post-process hash) can hide the patterns we
fear may exist. (I am less sure that we must do this day-by-day or
shut down first.) I see XOR as the minimum possible CRC.
If we had some quantitative measure of the quality of the TRNG
sequence, I think we could make some statements about the quality of
resulting hashed sequences. But I don't think we have that measure,
or at least not one which we can use in practice.
>>This is not to say that an OTP cannot be secure in practice. I am
>>sure it can. But I am fairly sure that it cannot be PROVEN for a real
>>system.
>
>If you accept inductive proof, then it can be proven within an
>arbitrarily small error. That's good enough for all but the most
>impractical situations.
Fine. Define a measure of overall "strength" which applies to any
possible attack. Quantify the amount of strength we need. Conduct
quantitative experiments on equipment to show how much strength that
equipment has. Show the equipment is within bounds. Then prove those
results will apply to future operation. No problem.
Show me.
>>It is false reasoning to concentrate on potential strength to the
>>exclusion of operational problems. If the OTP really was "the best"
>>cipher, everyone would be using it. They aren't. This is not because
>>they have never heard of it. This is because most people consider the
>>requirements for secure OTP use to be essentially impractical. I
>>think they are right.
>
>I am focusing on security only from an analytical point of view. The
>notorious problems with the actual OTP system are not under
>consideration.
And yet you wish to move a theoretical proof of "strength," into the
practical world of a physical TRNG. But why would one do this other
than to claim some sort of proof of strength in practice?
I think you want the ultimate cryptographic goal -- The Unbreakable
Cipher. But you don't want to discuss actually using this cipher,
because the very thing which you would rely upon to make it
"unbreakable" is also what makes it risky and impractical for most use
-- which is to say, "breakable."
>I have, however, as have others here, suggested using other methods
>than a hardware TRNG to generate keystreams, which circumvent the
>problems with orthodox OTP ciphers.
Unfortunately, many of the problems with orthodox OTP ciphers are not
how we generate the running key, but the fact that we have a key which
is as large as the message, and which must be both transmitted to the
other end and held in complete secrecy.
>One is to use a text stream and
>hash it to death to distill any entropy it has. That text could be
>keyed to just about anything on the Internet or in print. IOW, all a
>correspondent would have to do is provide a code book (memorized) that
>selected the text for the current session based on some short session
>key.
>
>You, among others, seem to agree that if the proper hash is selected,
>then this method is very secure within practical limits.
I think a hash of text can be made to have full "entropy" in practice,
if we can select from a wide enough body of text. (But if the text is
known, and the hash is known, the result will be known, which is
precisely what we wish to avoid.)
But this is hardly the same as defining security limits, measuring
closeness to those limits, and thus claiming security on the basis of
measured values. We do not have those measures. We do not have that
proof.
>>I am aware of no PROOF that some other TRNG cannot be as good.
>
>OK, then one of the best. I do not believe that one can make a more
>random TRNG than one that is based on radioactive decay.
>
>>In fact, if we *have* a TRNG, presumably it *must* be as good as any
>>other, unless we are to start measuring (and defining!) the quality of
>>each TRNG. Without such quality specifications, your claim might
>>imply that no other source of randomness can possibly be called a
>>TRNG.
>
>I am proposing that one can characterize a TRNG by using inductive
>methods to attempt to break test ciphers produced by that TRNG.
And I am proposing that you try it.
Show me.
>If one
>can quantify the amount of information that leaks from the ciphers,
>then one would have a way to quantify the cryptographic strength of
>the TRNG.
One *cannot* in a general sense "quantify the amount of information
that leaks." The best one can do is to show probability reductions on
the basis of particular message probability. (Even this would use
some statistical approximation to the TRNG, which may not be accurate
at message size or future time.) At best, it makes sense to talk
about specific results for specific messages.
But if the results depend upon the message, in what way can we hope to
apply them to a system which can accept *any* message?
But suppose we can: What *you* want to do is to use strength data
from particular cases to imply results about the whole, but -- even if
we could measure strength -- it is useless unless we can reach
probabilities like 1 in 2**56. This should require 2**112
measurements, which is impossible -- and all this depends upon having
such a measure which we do not.
And where is the probability that a message was weak but this was not
found by a cryptographer, and so the message counted in error as
"unbreakable"? Can we reduce *this* below 1 in 2**56?
>>There are sources of quantum randomness other than radioactivity.
>
>Are they provably quantum random - like radioactive decay is? If so,
>then they qualify.
>
>Another consideration is if the quantum process can be isolated from
>sources of noise. The reverse breakdown in a semiconductor junction
>may be provably random, but it is of little use if it is overwhelmed
>by ambient noise.
Junction breakdown is like a continuous sequence of little
avalanches. This is an advantage over detectors which perform a
complete avalanche breakdown and then must charge up to fire again.
Junction breakdown is a substantially higher level signal than
resistive Johnson noise, which itself is large enough to be reliably
detected and used.
>>And
>>the use of radioactivity as the random source implies substantial
>>negative baggage: This includes non-zero danger from the source,
>>cost, size, and detector qualities. Other sources may not carry this
>>much negative baggage. Note that this is the same sort of issue we
>>have with the OTP itself.
>
>It is assumed that the resources are available to cope with the
>difficulties. The only entity that would need such a TRNG would also
>be one that could afford to handle the practical details of building
>it, certifying it, and maintaining it.
>
>For my purposes PGP suffices, so I have no need for a bullet-proof
>TRNG. But a large corporation which has to communicate trade secrets
>all the time may have a need for such a TRNG. If so, they have the
>resources to obtain one.
>
>>But if we are using radioactivity, and wish to show that we are
>>measuring that and not something else, we should have some way of
>>"turning it off," so we can see the result of the processing section
>>absent stimulation. We would like to do this automatically, so we can
>>check frequently, and that probably means having a moving mechanical
>>assembly to block the radioactive source from the detector.
>
>Or better yet, a means of removing the source to a distant shielded
>vault. I would think that one could do that periodically without much
>of a problem.
>
>>But if we
>>use diode noise, we can just turn it off, or turn it down, or turn it
>>up, and each time measure the results. So in this case we can be
>>quite sure of the source of noise, and the capabilities of our
>>detector.
>
>I have no fundamental objections to using diode noise as a source of
>randomness, as long as you can demonstrate that it is quantum in
>nature and not just classical chaos, and that it is reasonably free
>from ambient noise.
And what would you describe as "classical chaos"? Do you disagree
when we say that the ping-pong ball systems used in lotteries are
unpredictable?
>One advantage of radioactive decay is that it is known to be a
>completely independent process - that is, the decay of one nucleus is
>completely independent of the state of the other nuclei around it. I
>wonder to what extent you can say that for diode noise?
But your theoretical advantage does not necessarily extend into and
through the detector. Can you *show* that the act of detecting the
decay byproduct is *also* "completely independent"? Can you PROVE it?
>>>Both are provably secure when implemented properly.
>
>>There is no such proof, either for the OTP, or a radioactive TRNG.
>
>Not 100% dogmatic proof, but there is proof available.
Instead of "dogmatic," I prefer "deductive." As in Science.
>BTW, the quantum mechanical process underlying radioactive decay,
>namely spontaneous emission caused by vacuum fluctuations, is known to
>be completely quantum random both theoretically and experimentally.
>
>Theoretically it comes about as a second order perturbation process
>from the equations of quantum mechanics. Experimentally it is seen
>that the time decay is first order exponential and the Mossbauer
>spectrum is Lorentzian, both of which show that the process is quantum
>random. (The Fourier transform of a simple exponential is a Lorentzian
>and the 2nd order perturbation equations have a Lorentzian shape).
>
>>It is easy to PROVE the theoretical construct. But once we pass from
>>theoretical perfection into practical reality we gain overwhelming
>>requirements for test and measurement which all must be met before we
>>can claim PROOF.
>
>Have you ever used a wheel in your engineering work?
>
>If so, how could you have tolerated the fact that it was not perfectly
>circular? If you are like most other engineers you realized that you
>did not need a "perfect" wheel to implement your design. One that is
>"probably approximately correct" in terms of circularity would
>suffice.
Let's see how the analogy plays out:
First, for a wheel, we can identify the requirements for a particular
application. Then we can understand "imperfection," and so quantify
the implications imperfection would have on the application (e.g., how
much bounce can we accept). We can then place bounds on how correct
each wheel must be. Then we can actually measure wheels to see if
they are acceptable or not.
*None* of this is possible with the TRNG: We first are unable to say
how much imperfection is allowed, not the least because we cannot
define or measure "imperfection." So we cannot place bounds on the
imperfection. And beyond having no defined measure, we cannot
possibly try in practice all the ways something can go wrong. So we
don't know how good it needs to be and we also don't know how good it
is. I'd say that's a somewhat different situation.
The issue for you is to make the TRNG production process just as
tractable as wheel-making. When you can, then you will have a
reasonable analogy.
>To make sure it is "probably approximately circular", you would
>conduct a series of measurements, such as measurements of the
>diameter. Since you cannot possibly measure ALL diameters around the
>wheel, you have to measure a finite sample. If you do the measurements
>in a certain way, that is, you measured in a systematic manner like at
>equal angular intervals, you start to notice a pattern that you get
>almost exactly the same answer all the time.
>
>You cannot make the next step if you did the measurements in a poorly
>constructed manner like measuring only one quadrant. But because you
>conducted the measurements on a uniform sample, which is consistent
>with the hypothesis that defects would be distributed uniformly, and
>you found very few defects, you concluded that to within a small error
>the wheel is circular.
>
>This method of inductive proof relies on your ability to propose a
>reasonable hypothesis and then test it. If your data confirm the
>hypothesis, then there is a level of confidence that the hypothesis is
>correct - that is, you have just engaged in PAC-learning. The
>hypothesis in this case is that any significant deviations from
>circularity would be uniformly distributed. That of course depends on
>how the wheel is made - this hypothesis assumes it was turned on a
>lathe and therefore had approximate rotational symmetry.
>
>I see no reason in principle that the same general scheme cannot be
>applied to proving the security of stream ciphers, once the proper
>hypotheses can be formulated and the appropriate test ciphers
>constructed.
Then you need to look again.
One reason the inductive method does not work is that the measures you
propose for the TRNG depend upon specific plaintexts. Unless you
restrict the plaintexts for the system to be "similar" to those, your
results cannot be correctly extrapolated to the whole. I doubt we can
quantitatively know what "similar" is, or what the bounds for such
similarity might be.
>I am not capable of carrying out that program, since I am merely an
>Informed Layman (tm). But surely some crypto genius has already done
>it and is currently pulling down a cushy 6 figures salary at the NSA.
>Or perhaps he is pulling down a 7 figures salary at some huge
>multinational corporation, like a worldwide oil company, that has to
>have provable security. Whatever.
What you want is simply not possible. Of *course* you can't do it:
*Nobody* is pulling down *that* salary.
>>Certainly we can measure closeness with respect to any particular
>>test, but we cannot hope to run all possible tests. So we cannot
>>prove the machine does what we would like to think it should.
>
>The single most important test is the Unbreakability Test. Certainly
>techniques for breaking stream ciphers are known and can be
>categorized formally into a hierarchy that is reasonably complete.
That is blatantly false.
>IOW, the known list of ways to break stream ciphers is reasonably
>exhaustive.
No.
>If so, then these ways to break stream ciphers could be
>cast into hypotheses which can be measured for their "probable
>approximate correctness" using computational induction technique.
And if not...?
>>Can we be 95% sure about any particular test? Yes. Can we be 95%
>>sure that we have run all possible tests? Only at small lengths where
>>we can enumerate all possible combinations.
>
>I would think that all the important ways to break stream ciphers have
>been discovered by now. Can you prove with certainty that they have
>not?
Please. It is *your* "proof." It is up to *you* to prove "with
certainty" that all possible attacks *have* been discovered.
(Since we do in fact see a continuing flow of new attacks, we might
reasonably suspect that there are many more out there as yet unknown.
Indeed, since attacks can have arbitrary complexity, there should be a
wide array of ever-more-complex attacks yet to be known. With respect
to the simple OTP, of course, they all come down to finding patterns
in the sequence. But there are more ways to look for patterns than
there are patterns.)
>>Can we be 95% sure that a particular TRNG produces greater than, say,
>>50% entropy for every particular byte? I don't know; maybe. But I
>>sure don't know how we PROVE future operation based on past data.
>
>The best you can do is characterize the actual ciphers in terms of
>their breakability. After all, that is what you are trying to prevent
>- you are trying to prevent your ciphers from being broken. So why not
>try to break them and use that as empirical evidence of their
>security? Seems simple enough, if you can cast the whole procedure
>into some kind of formalism.
Yes, it's "simple enough" if you have a total misconception of what
cryptanalysis is.
Just toss the cipher over the fence and get back strength results?
Then extrapolate those results to prove "strength" for any possible
message? I don't think so.
The problem is not just in finding those people or convincing them to
work for you, the problem is the actual testing itself: I believe it
is *impossible* to prove what you need by testing.
Do you think the guys who supposedly have this capability cannot
comprehend "proof by induction," and so are unaware that they have the
ability to certify a provably unbreakable cipher? If that capability
existed, we would be hearing about those proofs. We are not.
>>So if we are 95% sure that we have such a system, we could restrict
>>the plaintext to 4 bits per (mixed) byte, and have a 95% surely secure
>>OTP. Which is not PROOF, of course.
>
>BTW do you have posted on your web site the formulas for the amount of
>entropy per number of text bits? If so, what is the URL?
I normally assume one bit per character, which is more conservative
than usual. But there can be no such formula, and no fixed values.
The whole concept of "entropy" has major problems in practice: There
*is* and *can* *be* no one correct result. Everything depends upon
context, and in reality we have different, partly-known, and dynamic
contexts. Everything also depends upon our model of the possibilities
(the "universe"): The better language results come from actual
experiments on how people use language. But we don't know yet how
that works. We don't know the model of language.
Suppose we wish to send a phrase as a yes/no answer. Suppose there
are about 5 different phrases we might use to convey the same result.
Is the entropy concerned with 1 out of 5, or 1 out of 2? Or is it
the entropy of the letters, in the context of all messages, or this
particular message? Character-level-entropy does not tell us about
word-level-entropy, sentence-level-entropy, or meaning-level-entropy.
All of this exists only in context.
>>I think you ascribe capabilities to cryptanalysts which they do not
>>have. I suggest that there is no magic here, and that if such
>>techniques exist, we should be able to learn them and use them. We
>>don't need to depend on the imaginary experts to solve the problem and
>>thus provide our "almost proof" for us.
>
>I do not believe that Patrick Juola was referring to imaginary proofs
>when he suggested using Bayesian induction to break stream ciphers.
I doubt that I disagree with Juola about this in any significant way.
While I believe Bayesian analysis can be useful, I also believe you
are expecting too much from it. It simply cannot do what you assume
it should. So bring out the whips and force it into line! But all
the whips you have are not going to make it do what it cannot do.
>>Once we get down to actually trying to do this, I suspect the size of
>>the problem and our limitations will make themselves clear. I suggest
>>that the goal is simply not do-able. But you start, and tell me how
>>it goes.
>
>I am unqualified to carry out that program. Maybe in another
>reincarnation. But I suspect that the math geniuses at the NSA have
>already figured that out.
I suspect differently.
>>OK, you start measuring and calculating. Start with experimental
>>PRNG's which can be controlled. Let me know.
>
>I wish I could.
You could *start*. And if you *did* start, you would have to confront
exactly the issues I have described and more. Just *starting* the
process of seriously trying an analysis should be much more
illuminating than continually arguing that you really are right.
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
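Two of the operational dangers Ritter raises above (a known plaintext handing over the key, and a reused pad letting an interceptor "re-write the messages at will") can be shown directly in code. The following is an added illustration, not code from the original post or from either correspondent; the messages and pads are constructed sample values, and the helper names are my own.

```python
"""Added example (not from the original post): the one-time pad gives
confidentiality only. With a known plaintext the pad is exposed, a
ciphertext can be re-written to decrypt to any chosen text of the same
length, and a reused pad cancels out between two ciphertexts.
All messages and pads here are constructed sample values."""
import secrets


def otp(data: bytes, pad: bytes) -> bytes:
    """XOR a message with a pad of at least equal length.
    Encryption and decryption are the same operation."""
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the message")
    return bytes(d ^ p for d, p in zip(data, pad))


def recover_pad(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """With a (possibly partial) known plaintext, the corresponding pad
    bytes fall straight out of the ciphertext: k = c XOR m."""
    return bytes(c ^ m for c, m in zip(ciphertext, known_plaintext))


def forge(ciphertext: bytes, known_plaintext: bytes, new_plaintext: bytes) -> bytes:
    """Re-write a ciphertext so it decrypts to new_plaintext under the same
    pad. The pad is never handled explicitly: c XOR m XOR m' = m' XOR k."""
    if len(new_plaintext) != len(known_plaintext):
        raise ValueError("replacement text must have the same length")
    return bytes(c ^ m ^ n for c, m, n in zip(ciphertext, known_plaintext, new_plaintext))


def two_time_pad_leak(ct_a: bytes, ct_b: bytes) -> bytes:
    """Two ciphertexts made with the same pad XOR to the XOR of their
    plaintexts; the pad has cancelled out, so knowing either plaintext
    (e.g. the same message sent to a second site) reveals the other."""
    return otp(ct_a, ct_b)


def demo() -> None:
    # Constructed sample traffic: one fresh 16-byte pad, two 16-byte messages.
    pad = secrets.token_bytes(16)
    order = b"PAY 0100 USD NOW"
    ct = otp(order, pad)

    # 1. Known plaintext: the pad is recovered byte for byte.
    assert recover_pad(order, ct) == pad

    # 2. Malleability: the amount is changed without knowing the pad.
    tampered = forge(ct, order, b"PAY 9999 USD NOW")
    assert otp(tampered, pad) == b"PAY 9999 USD NOW"

    # 3. Pad reuse: a second message under the same pad is exposed
    #    as soon as the first message is known.
    second = b"MEET AT NOON TUE"
    leak = two_time_pad_leak(ct, otp(second, pad))
    assert otp(leak, order) == second
    print("known plaintext, malleability and pad reuse all demonstrated")


if __name__ == "__main__":
    demo()
```

The point for a defender is the one the post makes: the "unbreakable" property covers the keystream only, and nothing here protects the user data from being rewritten or from cancelling out when a pad is used twice.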
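Ritter's remark that combining sequences with XOR "can hide the patterns we fear may exist", and his follow-up that such statements need a quantitative measure of sequence quality, can be made exact for the simplest measure, the bias of individual bits. The following is an added worked example and not code from the original post; the source biases are constructed values, not measurements of any device, and the function names are my own.

```python
"""Added example (not from the original post): the exact effect of
XOR-combining biased bit sources. For independent sources the bias
shrinks multiplicatively (the piling-up lemma); for dependent sources
it need not shrink at all, which is the caveat that matters in practice.
All probabilities below are constructed sample values."""
from fractions import Fraction


def bias(p_one) -> Fraction:
    """Distance of a bit source from a fair coin: |P(1) - 1/2|."""
    return abs(Fraction(p_one) - Fraction(1, 2))


def xor_bias(p_ones) -> Fraction:
    """P(XOR of n independent bits = 1), each bit having its own P(1).
    Piling-up lemma: P(xor = 1) = (1 - prod(1 - 2 p_i)) / 2."""
    prod = Fraction(1)
    for p in p_ones:
        prod *= 1 - 2 * Fraction(p)
    return (1 - prod) / 2


def independent_joint(p, q) -> dict:
    """Joint distribution {(a, b): prob} of two independent bit sources."""
    p, q = Fraction(p), Fraction(q)
    return {(a, b): (p if a else 1 - p) * (q if b else 1 - q)
            for a in (0, 1) for b in (0, 1)}


def copied_joint(p) -> dict:
    """Joint distribution when the second source is a copy of the first,
    e.g. two taps on the same noise process."""
    p = Fraction(p)
    return {(0, 0): 1 - p, (1, 1): p, (0, 1): Fraction(0), (1, 0): Fraction(0)}


def xor_from_joint(joint) -> Fraction:
    """P(a XOR b = 1) from an arbitrary joint distribution. Unlike
    xor_bias this also handles dependent sources."""
    return sum((Fraction(pr) for (a, b), pr in joint.items() if a ^ b == 1),
               Fraction(0))


def sources_needed(p_one, target_bias) -> int | None:
    """Smallest n such that the XOR of n independent sources, each with
    P(1) = p_one, has bias strictly below target_bias. The bias of the
    XOR is |1 - 2p|^n / 2. Returns None for a constant source."""
    eps2 = abs(1 - 2 * Fraction(p_one))
    if eps2 == 0:
        return 1
    if eps2 == 1:
        return None
    n = 1
    while eps2 ** n / 2 >= Fraction(target_bias):
        n += 1
    return n


if __name__ == "__main__":
    p = Fraction(3, 5)  # constructed: a source that emits 1 with probability 0.6
    print("single source bias:", bias(p))
    print("two independent sources XORed:", bias(xor_bias([p, p])))
    print("four independent sources XORed:", bias(xor_bias([p] * 4)))
    print("two copies XORed:", bias(xor_from_joint(copied_joint(p))))
    print("sources for bias < 2^-20:", sources_needed(p, Fraction(1, 2 ** 20)))
```

Two things stand out. First, the improvement is real only under the independence assumption: XORing a source with a copy of itself produces a constant, with bias 1/2, which is worse than either input. Second, even this exact calculation says nothing about correlations between successive bits or about the detector, which is precisely the gap Ritter identifies when he says the practical measure of TRNG quality does not exist.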
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************