Cryptography-Digest Digest #881, Volume #8 Mon, 11 Jan 99 09:13:02 EST
Contents:
DES Hardware Implementation!! (Samer EL HAJJ)
On the Generation of Pseudo-OTP ("Pratab Sivaprakasapillai (Dr)")
Re: --- sci.crypt charter: read before you post (weekly notice) ("hapticz")
Re: On the Generation of Pseudo-OTP (Mok-Kong Shen)
Re: On the Generation of Pseudo-OTP (Mok-Kong Shen)
Re: On the Generation of Pseudo-OTP (Mok-Kong Shen)
Re: On the Generation of Pseudo-OTP (R. Knauer)
Re: On the Generation of Pseudo-OTP (Mok-Kong Shen)
Re: On the Generation of Pseudo-OTP (Mok-Kong Shen)
Re: Why no Standard C/R Password Protocol? (Bryan Olson)
Re: On the Generation of Pseudo-OTP (Mok-Kong Shen)
Re: On the Generation of Pseudo-OTP (fungus)
Re: On the Generation of Pseudo-OTP (Mok-Kong Shen)
Re: On the Generation of Pseudo-OTP (Mok-Kong Shen)
Re: On the Generation of Pseudo-OTP (Mok-Kong Shen)
----------------------------------------------------------------------------
From: Samer EL HAJJ <[EMAIL PROTECTED]>
Crossposted-To: comp.arch.fpga
Subject: DES Hardware Implementation!!
Date: Mon, 11 Jan 1999 09:45:39 +0100
Hello!
I'm working on the hardware implementation (with VHDL into an FPGA) of
DES decryption.
After much searching I did not find any publication or example about this
topic.
Can anyone point me to some documentation on the subject?
Thanks in advance!!
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Samer EL HAJJ
DotCom-Communication Numérique http://www.dotcom.fr
mailto:[EMAIL PROTECTED]
S@merWeb: http://www.chez.com/samerweb
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
------------------------------
From: "Pratab Sivaprakasapillai (Dr)" <[EMAIL PROTECTED]>
Subject: On the Generation of Pseudo-OTP
Date: Mon, 11 Jan 1999 17:04:34 +0800
> -----Original Message-----
> From: [EMAIL PROTECTED] (R. Knauer) [SMTP:[EMAIL PROTECTED]]
> Posted At: Monday, January 11, 1999 2:06 AM
> Posted To: crypt
> Conversation: On the Generation of Pseudo-OTP
> Subject: Re: On the Generation of Pseudo-OTP
>
> On Sat, 09 Jan 1999 16:09:42 -0500, "Trevor Jackson, III"
> <[EMAIL PROTECTED]> wrote:
>
> >Is it your position that it is impossible to come up with such a
> >correlation removal technique? or that it is hard to do so and none is now
> >known?
>
> Actually I am not qualified to maintain a position in that regard - I
> am only a messenger here. I am telling you what I was told by
> self-proclaimed cryptanalysts, namely that a correlation is
> fundamentally impossible to remove from streams by algorithmic means.
>
> If you can argue to the contrary, please do because a procedure that
> is provably secure for removing correlation would be valuable in the
> construction of a TRNG that is not based on a physical process, such
> as digit expansion of transcendental constants or maybe even least
> significant bit streams from text or music.
>
> As a side note, it is my understanding that the techniques for
> removing bias are provably secure. Taking two consecutive bits and
> filtering them according to a culling procedure as detailed in RFC1750
> is touted as being totally effective in removing bias.
>
> The three enemies of streams are periodicity, bias and correlation.
> Periodicity is presumably not present in digit expansions of
> transcendental constants, bias can be removed to the level of
> provable security, so only correlation remains to be dealt with in a
> provably secure manner.
>
> Bob Knauer
>
> "We hold that each man is the best judge of his own interest."
> --John Adams
------------------------------
From: "hapticz" <[EMAIL PROTECTED]>
Subject: Re: --- sci.crypt charter: read before you post (weekly notice)
Date: Mon, 11 Jan 1999 05:43:55 -0500
Crossposted-To: talk.politics.crypto
to hash, or not to hash !
is purity merely an ordered system, or is the perception of purity a human
creation? just as mathematics is.
--
best regards
[EMAIL PROTECTED]
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: On the Generation of Pseudo-OTP
Date: Mon, 11 Jan 1999 13:27:44 +0100
R. Knauer wrote:
>
> > then I
> >suggest that you first keep all discussions tightly within the
> >bounds of the science of cryptology.
>
> I am pointing out that there is no formal procedure to decide that a
> number is truly random. That is about as "tightly bound" to crypto as
> it can get.
You think that your t-shirt is within that bound???
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: On the Generation of Pseudo-OTP
Date: Mon, 11 Jan 1999 13:34:27 +0100
Trevor Jackson,III wrote:
>
> You want concrete? Try this: Separate the fundamental physical process
> that one is measuring to capture truly unpredictable numbers, from the
> actual device performing the capture. Clearly we can find physical
> processes that are unbiased. Just as clearly it will be extremely
> difficult, though certainly feasible, to create an unbiased capture
> device.
>
> For purposes of this discussion, I propose that we stipulate that
> "unbiased" means that whatever bias is present falls below some epsilon
> value that we can adjust as necessary. This assumption is almost
> mandatory when dealing with large volumes of numbers because the
> probability of getting first order perfection (exactly the same number
> of zeros and ones) is fairly small, even from a theoretically "perfect"
> source.
>
> If the first 50 bits from the device are all ones do we have a biased
> device or an N-sigma event? I believe this question to be undecidable
> without further samples from the device.
You certainly neglect the fact that any physical observations
need to be done through some apparatus and these can have measurement
errors. I am not a physicist, but I guess(!) a principle of
Heisenberg means that one can't get absolutely exact measurements.
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: On the Generation of Pseudo-OTP
Date: Mon, 11 Jan 1999 13:39:18 +0100
R. Knauer wrote:
>
> On Fri, 08 Jan 1999 15:11:49 +0100, Mok-Kong Shen
> <[EMAIL PROTECTED]> wrote:
>
> >You don't actually
> >compute the transcendental number but obtain a real number close
> >to it to within a certain accuracy after a certain number of steps.
>
> You still don't seem to understand what the concept of "digit
> expansion" is. There is no approximation when you calculate the nth
> digit of Pi.
The method of Bowen works because an error analysis shows that
his algorithm delivers the correct digit at the desired position.
That's it.
M. K. Shen
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: On the Generation of Pseudo-OTP
Date: Mon, 11 Jan 1999 12:03:55 GMT
Reply-To: [EMAIL PROTECTED]
On Sun, 10 Jan 1999 21:34:13 -0500, "Trevor Jackson, III"
<[EMAIL PROTECTED]> wrote:
>I, on the other hand, define an OTP as any cipher with a use-once property.
That is not how everyone else defines it. See Schneier, op. cit.
>Note that your definition excludes some classical ciphers that were attempts
>to create OTPs, such as the Russian cipher attacked by the Venona project.
The Russian OTP ciphers were not broken by the Venona project because
the pads weren't perfect but because the Russians reused the pads. If
the Russians had not reused the pads their OTP ciphers would have been
totally secure. That's why it took reuse to break them.
>> Based on considerations of people like Greg Chaitin, it is not
>> possible to prove the randomness of a number by formal procedures.
>> Only a number produced by a TRNG can be proved to be random, and
>> therefore suitable for the OTP.
>I suspect this is a mis-statement. One cannot prove a number to be random.
That's what I just said, as I have said many times before. I do not
understand how you could misconstrue my statement to mean otherwise.
>There are no intrinsic properties of a random number.
Except, according to you, that it have 100% entropy density. That is
an intrinsic property of the number.
>The only a priori unbreakable cipher is what you are calling an OTP
Yeah, me and everyone else call it that.
>and I am calling an OTP with 100% entropy density.
Are you absolutely certain that 100% entropy density is a sufficient
condition for a crypto-grade random number? It sounds like you are
trying to characterize the number itself with some intrinsic property.
Does the number 111...1 have 100% entropy density? It can be easily
reduced algorithmically to a considerable extent for any decent sized
length N, which means it has a lot of redundant information in it. I
thought such sequences would be characterized by low entropy.
Yet 111...1 is a perfectly valid, albeit extremely unlikely, output
from a (non-malfunctioning) TRNG. It is one of the possible sequences
of length N that is equiprobable with all other sequences of that
length.
There is something about your entropy that is not quite right here. In
one of his papers, Chaitin dismisses such "low-entropy" sequences as
being "non-random" for purposes of his algorithmic information theory,
of which his algorithmic complexity theory is a subset. He dismisses
such sequences because they are reducible. That means his theory is
not applicable to the specification for a TRNG, since we all agree
that one cannot filter out "non-random" sequences from a TRNG if one
expects it to generate crypto-grade random numbers.
BTW, we keep talking about how it is impossible to decide formally
that a number is random, yet we imply that we can decide formally if
one is "non-random", e.g. one with excessive bias, etc. Yet those
numbers are also valid outputs from a TRNG and cannot be so classified
or the provable security of a TRNG-based OTP cipher will be
compromised.
But there is a further consideration. If we insist that crypto-grade
random numbers are always produced by a TRNG, what about numbers that
are produced by certain algorithms that make them look like they were
so produced, such as digit expansions of transcendental constants
strongly mixed to remove any traces of correlation. If a cryptanalyst
performed a known plaintext attack on such a cipher he would get a
very "random" looking key out of it, and with no further evidence at
hand he would perhaps conclude that the key was generated by a TRNG.
Yet we know better.
Therefore the method of generation is also not sufficient to
characterize a crypto-grade random number, since we can fool the
cryptanalyst with our algorithmic gyrations.
So what is it that makes a number suitable for use in the OTP system,
the one that is provably secure? Apparently it isn't any particular
characteristic of either the number itself or the method of
generation.
But what is left that causes the OTP cipher to be proveably secure?
>Not quite that fundamental. The figure of merit for this property is the
>density of the entropy represented in the key material.
Please elaborate on that in light of the comments above. It seems that
you are trying to characterize a crypto-grade random number by either
an intrinsic property of the number itself or by the method from which
it was generated.
BTW, we discussed all this a year ago and concluded that from the
point of view of the cryptanalyst, if he cannot mount a Bayesian
Attack successfully, he is forced to conclude that the cipher is an
OTP and cannot ever be broken. IOW, the characteristic we are looking
for that "causes" the OTP to be provably secure is not found in the
number itself nor in the method of generation, but in its resistance
to a particular generic method of attack which takes many instances of
many different ciphertexts into account probabilistically.
So here we have it: Crypto-grade random numbers are defined as those
which foil a Bayesian Attack, regardless of their entropy density or
their method of generation. The reason for emphasis on the TRNG is
that it is a provably secure method of generation - in principle
anyway. That is, if you generate your pads from a TRNG, it is
guaranteed that the OTP ciphers are not susceptible to a Bayesian attack.
Whether that is true of other schemes, such as a highly modified text
cipher or the digit expansion of transcendental constants all strongly
mixed together, is another matter. In that latter case there might be
enough information leakage to give the cryptanalyst an inroad into
launching a successful Bayesian Attack.
Bob Knauer
"We hold that each man is the best judge of his own interest."
--John Adams
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: On the Generation of Pseudo-OTP
Date: Mon, 11 Jan 1999 14:10:29 +0100
R. Knauer wrote:
> With the OTP system, there are all possible messages of length N
> "contained" in a given ciphertext, including all possible intelligible
> messages. Each possible message, including the intelligible ones, are
> equiprobable - that is what makes the OTP system proveably secure,
> because the cryptanalyst has no rationale to pick any one particular
> intelligible message over another. "Attack at dawn" is just as likely
> the intended message as "Attack at dusk".
If the real message is 'Attack at noon' and one XOR it with two
texts (pseudo-OTP) 'Attack at dawn' and 'Attack at dusk', how
does the analyst proceed?
> Based on considerations of people like Greg Chaitin, it is not
> possible to prove the randomness of a number by formal procedures.
> Only a number produced by a TRNG can be proved to be random, and
> therefore suitable for the OTP. Therefore no matter how you try, you
> will never be able to prove the total security of a stream cipher
> unless it is the OTP system. There is always that possibility, however
> small it may seem at the time, that a non-OTP stream cipher can be
> broken in principle. And even in practical terms too - since quantum
> computers may one day be able to analyze non-OTP ciphers and ferret
> out the intended message.
Referring to your phrase 'Only a number produced by a TRNG can be
proved to be random', could you give the concrete proof algorithm??
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: On the Generation of Pseudo-OTP
Date: Mon, 11 Jan 1999 14:16:29 +0100
R. Knauer wrote:
>
> As a side note, it is my understanding that the techniques for
> removing bias are provably secure. Taking two consecutive bits and
> filtering them according to a culling procedure as detailed in RFC1750
> is touted as being totally effective in removing bias.
'Touted as being totally effective' is certainly not identical
to 'provably secure'.
>
> The three enemies of streams are periodicity, bias and correlation.
> Periodicity is presumably not present in digit expansions of
> transcendental constants, bias can be removed to the level of
> provable security, so only correlation remains to be dealt with in a
> provably secure manner.
If the above inequality were an equality, then you would be right.
M. K. Shen
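To make the distinction between the two posters concrete, here is an added Python simulation (not code from either of them) of the RFC 1750 pairwise culling applied to two constructed sources: the independent-but-biased stream the procedure was designed for, and a balanced but correlated Markov stream. The sources, the 0.8 and 0.9 parameters and the bias and lag-1 statistics are my assumptions.

```python
import random


def von_neumann(bits):
    """RFC 1750's pairwise culling: keep the first bit of each unequal pair
    (01 -> 0, 10 -> 1) and discard 00 and 11.  Which bit is kept is only a
    convention; either choice gives the same statistics."""
    return [a for a, b in zip(bits[0::2], bits[1::2]) if a != b]


def bias(bits):
    """Fraction of ones minus 1/2: 0.0 for a balanced stream."""
    return sum(bits) / len(bits) - 0.5


def lag1_correlation(bits):
    """Pearson correlation between each bit and its successor: 0.0 for
    independent bits, positive when bits tend to repeat, negative when they
    tend to alternate."""
    x, y = bits[:-1], bits[1:]
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y)) / n
    vx = sum((a - mx) ** 2 for a in x) / n
    vy = sum((b - my) ** 2 for b in y) / n
    return cov / (vx * vy) ** 0.5 if vx and vy else 0.0


def biased_independent(n, p_one, rng):
    """Constructed source: independent bits, but a one appears with probability p_one."""
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def correlated_markov(n, p_stay, rng):
    """Constructed source: balanced on average, but each bit repeats its
    predecessor with probability p_stay (lag-1 correlation 2*p_stay - 1)."""
    bits = [rng.randrange(2)]
    for _ in range(n - 1):
        bits.append(bits[-1] if rng.random() < p_stay else 1 - bits[-1])
    return bits


def stats(bits):
    return bias(bits), lag1_correlation(bits)


def demo(n=400_000, seed=1):
    """Cull both sources and report (bias, lag-1 correlation) before and after.
    random.Random only simulates the sources here; it is not a noise source."""
    rng = random.Random(seed)
    biased = biased_independent(n, 0.8, rng)
    markov = correlated_markov(n, 0.9, rng)
    return {
        "biased_in": stats(biased),     # bias ~ +0.30, correlation ~ 0
        "biased_out": stats(von_neumann(biased)),   # both ~ 0: culling works
        "markov_in": stats(markov),     # bias ~ 0, correlation ~ +0.8
        "markov_out": stats(von_neumann(markov)),   # still correlated (~ -0.29)
    }


if __name__ == "__main__":
    for name, (b, c) in demo().items():
        print(f"{name:11s} bias={b:+.3f} lag1={c:+.3f}")
```

The culled Markov output stays correlated (the sign even flips, since a 01 pair leaves the chain sitting on a 1 and the next unequal pair is then far more likely to be 10), which is exactly why the bias argument does not carry over to correlation.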
------------------------------
From: Bryan Olson <[EMAIL PROTECTED]>
Subject: Re: Why no Standard C/R Password Protocol?
Date: Thu, 31 Dec 1998 02:26:21 -0800
John Savard wrote:
> why isn't there a nice,
> simple, non-proprietary standard for entering passwords over the
> Internet that doesn't require sending passwords in the clear?
Actually there are a few, they're just not widely implemented.
[...]
> 3) A hash is stored at the other end, using salt. Along with a key to
> a second keyed hash, the salt is also mentioned in the challenge
> message.
[...]
> There's still a loss of security. In the original case, where the
> communications line was secure, the password file didn't enable people
> to type the password
[...]
> The problem seems to require public-key cryptography:
[...]
> And that explains the lack of a simple non-proprietary standard. But
> perhaps I'm missing some simple idea, some way for A to prove to B
> that he knows something that B does not know, although B does know
> something derived from it.
There is a fairly satisfying solution that doesn't
use public key math. I'll only describe how the
login server verifies me (there's still a spoof the
server then the client attack).
The verifier stores h^1000(p+s), where h^1000 is the
1000-fold composition of the hash with itself, and
p+s is passphrase and salt. That is, it stores the
hash of the hash of the hash ... of the hash of the
passphrase and salt. The first time I log in, the
server challenges me with h^1000(p+s). I respond
with r = h^999(p+s). The server verifies that
h(r) = h^1000(p+s), and when it accepts my response,
it replaces h^1000(p+s) with r=h^999(p+s). The
second time I log in, it challenges me with
h^999(p+s) and so on.
I can log in 999 times (without revealing p+s),
before I have to choose a new salt, and re-establish
my password.
For more info see RFC 2289.
--Bryan
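The hash-chain login Bryan describes, written out in Python as an added example (not his code and not RFC 2289's reference implementation). SHA-256 standing in for h, the chain length constant, the client's check of the challenge and the exhaustion check are my assumptions.

```python
import hashlib
import hmac

CHAIN_LEN = 1000  # the post's h^1000: the verifier starts from 1000 hash applications


def h(data: bytes) -> bytes:
    """One application of the hash h.  SHA-256 is an assumption; the post names no hash."""
    return hashlib.sha256(data).digest()


def h_pow(data: bytes, n: int) -> bytes:
    """n-fold composition h(h(...h(data)...)); h_pow(x, 0) is x itself."""
    for _ in range(n):
        data = h(data)
    return data


class Client:
    """Holds p+s and answers each challenge with one step down the chain."""

    def __init__(self, passphrase: bytes, salt: bytes, n: int = CHAIN_LEN):
        self.secret = passphrase + salt   # p+s; this value is never transmitted
        self.n = n                        # the verifier currently holds h^n(p+s)

    def respond(self, challenge: bytes) -> bytes:
        # Refuse to go below h^1(p+s): the next step would hand out p+s itself.
        if self.n <= 1:
            raise ValueError("chain exhausted: pick a new salt and re-enrol")
        # Refuse a challenge that is not the chain position we expect.
        if not hmac.compare_digest(challenge, h_pow(self.secret, self.n)):
            raise ValueError("challenge does not match expected chain position")
        self.n -= 1
        return h_pow(self.secret, self.n)  # r = h^(n-1)(p+s)


class Verifier:
    """Stores only the current chain head, never the passphrase."""

    def __init__(self, head: bytes, n: int = CHAIN_LEN):
        self.stored = head        # h^n(p+s)
        self.remaining = n - 1    # logins left before p+s would have to be revealed

    def challenge(self) -> bytes:
        return self.stored

    def verify(self, r: bytes) -> bool:
        if self.remaining <= 0:
            return False
        ok = hmac.compare_digest(h(r), self.stored)
        if ok:
            self.stored = r       # advance: h^(n-1)(p+s) is the next challenge
            self.remaining -= 1   # a captured r is useless once consumed
        return ok


def enrol(passphrase: bytes, salt: bytes, n: int = CHAIN_LEN) -> Verifier:
    """Enrolment: the verifier receives h^n(p+s) and nothing else."""
    return Verifier(h_pow(passphrase + salt, n), n)


def run_demo():
    """Two honest logins with a replayed response in between (constructed inputs)."""
    pw, salt = b"correct horse battery", b"salt-0001"
    client = Client(pw, salt)
    verifier = enrol(pw, salt)
    r1 = client.respond(verifier.challenge())
    first = verifier.verify(r1)       # True: h(r1) == h^1000(p+s)
    replay = verifier.verify(r1)      # False: the stored head is now r1 itself
    second = verifier.verify(client.respond(verifier.challenge()))  # True
    return first, replay, second


if __name__ == "__main__":
    print(run_demo())
```

The client's challenge check only rejects a challenge that does not sit where it expects on the chain; it does nothing against the server-spoofing attack Bryan mentions, where a fake server relays the genuine current challenge and forwards the captured response.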
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: On the Generation of Pseudo-OTP
Date: Mon, 11 Jan 1999 14:25:46 +0100
[EMAIL PROTECTED] wrote:
>
> Mok-Kong Shen wrote:
> >
> > However the context of my proposal is that one can only get
> > 56-bit cryptos (and very likely only software). So I think that even
> > a not so good approximation of an OTP helps to a certain degree, for
> > it can be used in conjunction with a 56-bit crypto software and
> > enhance its strength. We have to collect all useful things and
> > combine them, so that those who can only get 56-bit cryptos (those
> > outside of the 33 countries) can still obtain adequate security
> > in their communications.
> I think there are much better (simpler and more conservative) solutions:
>
> gnuPG (http://www.d.shuttle.de/isil/gnupg/) is a completely free and
> this way not restricted cryptographic package compatible to PGP (at the
> moment a beta version exists).
I am not familiar with that product. Could you say what is the
key length it uses?
>
> The developer of commercial cryptographic software are beginning to
> deliver
> their products from countries that don't restrict the export of
> cryptographic software.
>
> The solutions you try to find are only interesting as part of
> applications.
>
> So what do you want to do with your algorithm?
I sincerely hope that the region outside of the 33 countries will
very soon catch up in matters of crypto technology. My proposal
is intended only as (possibly) one of the short-term (provisory) ways
of solution.
M. K. Shen
------------------------------
From: fungus <[EMAIL PROTECTED]>
Subject: Re: On the Generation of Pseudo-OTP
Date: Mon, 11 Jan 1999 14:26:33 +0100
"R. Knauer" wrote:
>
> My personal interest is not in making actual physical devices, but in
> trying to find a suitable software substitute, even if it is only
> compliant with certain restrictions, or failing that, trying to
> understand why such a software substitute is impossible to design.
>
I think we've already been through this thousands of times here
on sci.crypt, but here goes:
> There are those who maintain that a software substitute for physical
> TRNG can never be designed, because all software is algorithmic and
> therefore cannot possibly generate all possible sequences of a given
> finite length equiprobably.
>
Correct.
However, if you design a PRNG with a massive number of possible
seeds then it can be useful for cryptography. Such algorithms
*already exist*, and are commonly called
<SHOUT> **** STREAM CIPHERS **** </SHOUT>
> The closest I can come to as a candidate is digit expansion of
> transcendental constants, after being presumably treated to remove
> correlation.
Nope, definitely not a good idea. Numbers like pi are infinitely
long but are not random.
--
<\___/>
/ O O \
\_____/ FTB.
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: On the Generation of Pseudo-OTP
Date: Mon, 11 Jan 1999 14:35:23 +0100
R. Knauer wrote:
> I remind you that you cannot decide by formal means if TRNG or its
> output is truly random, only that they are *not* truly random. The
> reason for this goes to the heart of number theory. (See Chaitin, op.
> cit.)
But on 10 Jan 17:58:07 you wrote:
Only a number produced by a TRNG can be proved to be random, and
therefore suitable for the OTP.
So how do you prove? By informal (hence in the strict sense
questionable) means, or what?
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: On the Generation of Pseudo-OTP
Date: Mon, 11 Jan 1999 14:55:35 +0100
R. Knauer wrote:
> A crypto-grade random number is one which resists a successful
> Bayesian Attack. There is no more to it than that, other than to point
> out that a properly constructed TRNG will generate such numbers.
Let's see how you PROVE that random numbers obtained from hardware
noise 'resist Bayesian attacks' independent of the quality of
that (bias etc.).
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: On the Generation of Pseudo-OTP
Date: Mon, 11 Jan 1999 14:59:11 +0100
R. Knauer wrote:
>
>
> I do not care what terminology is employed as long as is not
> misleading. In the case of the term "pseudo-OTP", I consider it very
> misleading because it implies that there are good OTPs and not so good
> OTPs.
Is a sequence obtained from hardware noise 'good OTP', 'not so good
OTP' or 'NOT OTP' according to your definition??
>
> There is only one possible OTP cryptosystem that deserves that name,
> which is referred to simply as the OTP cryptosystem because there is
> no other kind. All pretenders to the OTP are called Stream Ciphers.
> The term "pseudo-OTP" is an oxymoron.
And that 'only one possible OTP' does NOT exist in the real world,
unfortunately!!
M. K. Shen
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************