Cryptography-Digest Digest #882, Volume #8 Mon, 11 Jan 99 11:13:03 EST
Contents:
Re: On the Generation of Pseudo-OTP (R. Knauer)
Re: Practical True Random Number Generator (R. Knauer)
Re: On the Generation of Pseudo-OTP (R. Knauer)
Re: Chosen-Signature Steganography (Signatory)
Re: On the Generation of Pseudo-OTP (R. Knauer)
Re: On the Generation of Pseudo-OTP (R. Knauer)
Re: On the Generation of Pseudo-OTP (Mok-Kong Shen)
EUROPEAN ECHELON ([EMAIL PROTECTED])
Re: On the Generation of Pseudo-OTP (Mok-Kong Shen)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: On the Generation of Pseudo-OTP
Date: Mon, 11 Jan 1999 14:14:37 GMT
Reply-To: [EMAIL PROTECTED]
On Mon, 11 Jan 1999 13:53:55 +0100, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:
>Similarly there is no way to know for sure that hardware random
>numbers are really all that secure!
I do not agree.
A hardware TRNG can be designed to be totally fault tolerant. The
techniques of Triple Modular Redundancy (TMR) are well formulated.
Furthermore, the TRNG can be based on a physical process that is known
to be totally random, like radioactive decay. And it can be designed
to remove any traces of bias, like measuring timing intervals in two
directions.
Not all hardware TRNGs can be designed that way, but some can - to
within an arbitrary limit of precision that makes them practical.
>If you accept that a good pseudo-OTP can be useful on PRACTICAL
>grounds, then we don't have to argue.
First I do not accept that there is such a thing as a "pseudo-OTP". A
stream cipher is either an OTP or it is not an OTP. The term
"pseudo-OTP" is an oxymoron, and is very misleading. That's why
cryptographers reserve the term OTP to mean one and only one thing.
Just look at the extensive confusion that is caused by misusing the
term "random". By not bastardizing the term OTP, we avoid such a
situation as that which has befallen the term "random". Maybe the way
to emphasize this is to call the OTP a "crypto-grade OTP", like we are
now forced to call a "crypto-grade random number" to distinguish it
from all other uses of the term "random".
But that is really not necessary, since there is only one proper use
of the term "OTP" and that is the one all cryptographers agree on, as
described in Schneier's main book. Nowhere in that book do you see the
term "pseudo-OTP" - at least I have never seen it - because such misuse
is not tolerable to cryptographers.
But overlooking that misleading terminology, I do suspect that one can
concoct some kind of extremely secure stream cipher, one which
approaches the provable security of the OTP on a practical basis. The
one problem I can foresee at this juncture is that such a stream
cipher can never be proven to be secure, which leaves open the
possibility that it is not secure at all.
There are too many cryptosystems that were believed to be very secure
only to be found insecure later. To date the ONLY provably secure
classical cryptosystem is the OTP where the pad is generated by a
properly designed hardware TRNG.
Again the problem comes back to the inability to characterize a
particular crypto-grade random number formally. The best that can be
done is to take advantage of the intrinsic randomness in certain
quantum mechanical processes to guarantee that a TRNG generates secure
pads.
Put another way, if you claim that a given algorithmic scheme is
nearly perfectly secure in a practical sense, then you are going to
have an impossible task trying to prove it formally.
The best that could be done is to test your system experimentally, for
example by subjecting it to a series of Bayesian Attacks, and see how
it holds up. But even then there is no formal reason to believe with
certainty that it will always hold up to a given practical level in
the real world. There could be some hidden flaw waiting to manifest
itself, like a weak key that no one knows about, or some other
inherent weakness in the algorithmic procedure that the cryptanalyst
can exploit.
I still think that one major flaw with algorithmic schemes is the lack
of a suitable means to remove correlation. Since the bitstream is
calculated, there is a precise relationship between the bits which
means the bits are correlated. Trying to get rid of that correlation
is a major hurdle, so we are told by the experts. I have not heard of
any conclusive proof that strong mixing (cf. FIPS 140-1), for example,
is suitable to remove such correlations from bitstreams to a practical
level, that is, to a level sufficient to prevent a successful Bayesian
Attack.
Bob Knauer
"Anyone that can get elected, is not qualified to serve."
--Lance Bledsoe
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: Practical True Random Number Generator
Date: Mon, 11 Jan 1999 12:53:35 GMT
Reply-To: [EMAIL PROTECTED]
On Sun, 10 Jan 1999 22:16:02 -0500, "Trevor Jackson, III"
<[EMAIL PROTECTED]> wrote:
>Sorry, I do not have references easily at hand. My statement was motivated by
>the assumption of a homogeneous gas medium all at the same temperature. The
>distribution of energy among the molecules is going to be fairly narrow.
For normal gases like in our atmosphere, the distribution of energy is
Maxwellian based on the law of equipartition of energy.
The equipartition of energy allocates 1/2 kT to each degree of
freedom, which results in a broad distribution of energy having a
Gaussian shape.
Bob Knauer
"Anyone that can get elected, is not qualified to serve."
--Lance Bledsoe
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: On the Generation of Pseudo-OTP
Date: Mon, 11 Jan 1999 14:23:47 GMT
Reply-To: [EMAIL PROTECTED]
On Mon, 11 Jan 1999 14:10:29 +0100, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:
>> With the OTP system, there are all possible messages of length N
>> "contained" in a given ciphertext, including all possible intelligible
>> messages. Each possible message, including the intelligible ones, are
>> equiprobable - that is what makes the OTP system provably secure,
>> because the cryptanalyst has no rationale to pick any one particular
>> intelligible message over another. "Attack at dawn" is just as likely
>> the intended message as "Attack at dusk".
>If the real message is 'Attack at noon' and one XOR it with two
>texts (pseudo-OTP) 'Attack at dawn' and 'Attack at dusk', how
>does the analyst proceed?
I did not mean for "Attack at dawn" or "Attack at dusk" to be the
pads. I intended for them to be possible plaintexts.
Please restate your question in light of that.
>Referring to your phrase 'Only a number produced by a TRNG can be
>proved to be random', could you give the concrete proof algorithm??
I should rephrase that statement: "At present, only a properly
designed hardware TRNG based on a physical process known to be totally
random can generate crypto-grade random numbers suitable for the OTP
cryptosystem."
You might try to argue that physicists do not know for certain that
any given physical process is completely random, but then you need to
prove that assertion because it goes against a very large body of
evidence to the contrary.
Radioactive decay for certain isotopes is known to be completely
random based on a century of observations. If you sincerely believe
you can prove otherwise, I would suggest ordering your tux for the
Nobel Prize you will receive when you do it successfully.
Bob Knauer
"Anyone that can get elected, is not qualified to serve."
--Lance Bledsoe
------------------------------
From: Signatory <[EMAIL PROTECTED]>
Subject: Re: Chosen-Signature Steganography
Date: Mon, 11 Jan 1999 04:56:18 -1000
Bill Stewart wrote:
>David A Molnar wrote:
> > The idea here was spotted by Gus Simmons while working on
> > equipment to verify the Strategic Arms Limitation Treaty (SALT).
> > He called this sort of steganography a "Subliminal Channel".....
> I was wondering if anyone had thought of something useful to
> shove into 'em (software failure modes, anyone ?)
"Unfortunately, there _is_ something very useful to shove in them.
One of the prime users of DSA is expected to be the government,
since they're the main group interested in promoting signature algorithms
which can't also be used for encryption, so as digital signatures evolve
for government/citizen interactions, such as Drivers' Licenses, Tax
Smartcards, Health-Care Consumers' Licenses (er, insurance cards), etc.,
they'll probably use DSA.
This provides an opportunity to add subliminal data only visible to the
government, e.g. your driver's license signature may indicate your
political status as a licensed firearm holder, or drug user, or gay, or
Jewish, or a government worker, or your passport indicating you're a
member of a political group interesting to the FBI...
It's nothing they can't easily do in database lookups using your ID
number, especially as police cars become more wired, but it's portable
and potentially secret.
Lurking..."
End of Bill's comments
Begin Signatory's response:
Yes, this is a serious situation: in 1999, common signature
standards cannot be separated from encryption/decryption
capabilities. You have raised some political consequences
of this deficiency, but my interests in sci.crypt are
only technical. The "chosen signature" technique which
I introduced in this forum is different from the
subliminal channel techniques discussed in Bruce's
tome and in the postscript document which you
can read below called "Simmons' Protocol Is Not
Free of Subliminal Channels" by Yvo Desmedt.
Those old techniques involve fixing the random
"k" in DSA, or creating malicious versions
of signature software, or a warden watching
you sign, or quadratic residues that are
utilized in manipulations that most college
graduates would fear to attempt.
The "chosen signature" method is the
easiest of all to use: just
create about 2^n signatures and
choose one which has n
binary bits in positions
defined by the key
and values that match
the message
fragment.
See:
http://www.cs.uwm.edu/~desmedt/foundations96.ps
from
http://www.itd.nrl.navy.mil/ITD/5540/ieee/CSFW96proceedings.html
and
http://www2.csl.sri.com/csfw/
But
emphasizing my
(apparently) original contribution
is not the only purpose of today's message.
People should be aware that there currently are
no mathematical proofs, or even useful techniques, for
describing trust, betrayal, subliminality, or liminality.
The situation is described succinctly in a 1986 essay by Don
Good entitled "The Foundations of Computer Security - We Need Some."
Rich people wish that the public could make digital signatures
without enabling free people to have privacy, but they cannot.
Someday, it should be possible, but like anonymous digital
cash, it would take interactive exchanges that are an
unpleasant burden on communications channels. The
Digital Signature Standard is designed to prevent
encryption/decryption capabilities by using a random "k".
This prevents the signature from being used as a One Time Pad
but it does not prevent the chosen signature technique or other
techniques for free people to use for privacy. The capacity of this
channel is limited by the work needed to try 2^n signatures: for a
32 bit message to appear in a single signature, billions of
signatures would need to be tried. But for a 32 bit
message to appear in 4 signatures would only
require about a thousand signatures.
Authentication handshakes which do
not use a randomly varying DSS
type of technique can be the
tool needed by laymen to
use an OTP system.
Mathematically,
there is no way yet to
generally describe public
signatures as a concept that
is separated from all
possible privacy
purposes. Prove
me wrong.
Signatory
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: On the Generation of Pseudo-OTP
Date: Mon, 11 Jan 1999 14:33:51 GMT
Reply-To: [EMAIL PROTECTED]
On Mon, 11 Jan 1999 14:16:29 +0100, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:
>> As a side note, it is my understanding that the techniques for
>> removing bias are provably secure. Taking two consecutive bits and
>> filtering them according to a culling procedure as detailed in RFC1750
>> is touted as being totally effective in removing bias.
>'Touted as being totally effective' is certainly not identical
>to 'provably secure'.
I agree completely with your statement.
In fact I not only agree, I accept the conclusions of the
mathematicians like Greg Chaitin that such provability is not
possible on a formal basis. IOW, it is impossible to prove total
security for algorithmic procedures formally. The best one can hope
for is what physicists must rely on - experimental proof.
With the advent of computers, experimental mathematics is a growing
field of study and comes none too soon on the heels of Gödel's
Theorem, Turing's Halting Problem and Chaitin's Mathematical
Indeterminacy.
Pretty soon the only way to know if a mathematical proposition is true
is to test it on a computer.
>> The three enemies of streams are periodicity, bias and correlation.
>> Periodicity is presumably not present in digit expansions of
>> transcendental constants, bias can be removed to the level of
>> provable security, so only correlation remains to be dealt with in a
>> provably secure manner.
>If the above inequality were an equality, then you would be right.
I should have said "in a practical manner as proven by mathematical
experiment" - such as subjecting a given decorrelation scheme to a
Bayesian Attack to see if it can withstand it.
Remember that "provably secure" does not have to be limited to formal
proof - experimental proof is an acceptable form of proof if conducted
properly. Otherwise there would be no body of knowledge known as
physics.
Bob Knauer
"Anyone that can get elected, is not qualified to serve."
--Lance Bledsoe
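The RFC 1750 pair-culling (von Neumann) debiaser quoted above, as an added example that is not any poster's code: it shows the bias of an independent-but-biased bit source vanishing after culling, and the same culling leaving the correlation of a constructed Markov source in its output, which is exactly the bias-versus-correlation distinction the thread turns on. The two sources, the probabilities and the sample sizes are constructed for the demonstration.

```python
import random


def von_neumann(bits):
    """RFC 1750 pair culling: read non-overlapping pairs; (0,1) -> 0, (1,0) -> 1,
    (0,0) and (1,1) are discarded. Unbiased only if the input bits are independent."""
    return [bits[i] for i in range(0, len(bits) - 1, 2) if bits[i] != bits[i + 1]]


def biased_iid_source(n, p_one, rng):
    """Constructed source: independent bits, each 1 with probability p_one."""
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def markov_source(n, p_same, rng):
    """Constructed correlated source: each bit repeats the previous one with
    probability p_same, so the marginal is unbiased but adjacent bits are correlated."""
    bits = [rng.randrange(2)]
    for _ in range(n - 1):
        prev = bits[-1]
        bits.append(prev if rng.random() < p_same else 1 - prev)
    return bits


def ones_fraction(bits):
    """Bias estimate: fraction of 1 bits (0.5 for an unbiased stream)."""
    return sum(bits) / len(bits)


def same_as_next_fraction(bits):
    """Lag-1 correlation estimate: fraction of adjacent pairs that are equal
    (0.5 for independent bits; below 0.5 means the stream tends to alternate)."""
    equal = sum(1 for i in range(len(bits) - 1) if bits[i] == bits[i + 1])
    return equal / (len(bits) - 1)


def demo(n=200_000, seed=1):
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    biased = biased_iid_source(n, 0.8, rng)
    correlated = markov_source(n, 0.8, rng)
    return {
        "biased_in": ones_fraction(biased),                      # ~0.80
        "biased_out": ones_fraction(von_neumann(biased)),        # ~0.50: bias removed
        "corr_in_same": same_as_next_fraction(correlated),       # ~0.80: input correlated
        "corr_out_bias": ones_fraction(von_neumann(correlated)), # ~0.50: still unbiased
        "corr_out_same": same_as_next_fraction(von_neumann(correlated)),  # well below 0.5
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:14s} {value:.3f}")
```

The last figure is the point: culling changes the correlation of the Markov stream but does not remove it, so an output that passes a bias test can still fail an independence test.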
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: On the Generation of Pseudo-OTP
Date: Mon, 11 Jan 1999 15:03:11 GMT
Reply-To: [EMAIL PROTECTED]
On Mon, 11 Jan 1999 14:26:33 +0100, fungus
<[EMAIL PROTECTED]> wrote:
>> My personal interest is not in making actual physical devices, but in
>> trying to find a suitable software substitute, even if it is only
>> compliant with certain restrictions, or failing that, trying to
>> understand why such a software substitute is impossible to design.
>I think we've already been through this thousands of times here
>on sci.crypt, but here goes:
Aha! An Oldtimer from years past. I thought everyone who had
participated in those long-winded discussions a year ago had moved on.
>> There are those who maintain that a software substitute for physical
>> TRNG can never be designed, because all software is algorithmic and
>> therefore cannot possibly generate all possible sequences of a given
>> finite length equiprobably.
>Correct.
>However, if you design a PRNG with a massive number of possible
>seeds then it can be useful for cryptography. Such algorithms
>*already exist*, and are commonly called
><SHOUT> **** STREAM CIPHERS **** </SHOUT>
This gets to the crux of the quandary I am trying to expose. There are
two opposing hypotheses. One states the following. The other follows
after it.
Hypothesis One:
Is having a "massive number of seeds" sufficient to make a given
stream cipher practically secure? Can such a cipher withstand a
Bayesian Attack?
The problem with such a stream cipher is that the number of possible
sequences is limited to the number of seeds that can be constructed.
By definition, a seed is much smaller than the length of the resulting
bitstream.
If one used such a bitstream, then there would be only one possible
intelligible plaintext message contained in the ciphertext, since all
other intelligible plaintexts would not be possible due to the limited
number of sequences output by a seeded bitstream generator.
IOW, if the cryptanalyst determines that you are using a seeded
bitstream generator where the seed length is considerably smaller than
the length of your ciphertext, and he comes across an intelligible
plaintext message in your ciphertext that is consistent with his
probabilistic analysis, then it is the only possible intelligible
message because it exceeds the unicity distance considerably.
This is not the case with an OTP, because the key is as long as the
plaintext.
Hypothesis Two:
The problems stated above can be circumvented by certain kinds of
streams obtained from the digit expansions of transcendental
constants, suitably mixed to remove correlations, because those
sources are not subjected to the limitations of seeded bitstreams.
All possible bitstreams are capable of being output equiprobably
because there is no inherent limitation when several of them are
strongly mixed.
[More comments on Hypothesis Two are below.]
>Nope, definitely not a good idea. Numbers like pi are infinitely
>long but are not random.
Define what you mean by random in the context of finite digit
expansions. Then prove, or at least defend, your assertion using that
definition in that context.
If you mean non-random because such digit expansions are calculable,
then I fully agree. That is why further refinement is in order. The
only reason to consider digit expansions of transcendental numbers is
that they are purportedly not periodic nor biased. That leaves only
correlation to deal with (not that bias is all that difficult to
handle).
If one were to generate several digit expansions using different
offsets for various transcendental constants and strongly mix them (as
in FIPS 140-1), would your statement still be valid? If so, why?
Put another way, why would such a method of producing bitstreams limit
the number of possible sequences from its maximum for a given finite
length and/or why would such sequences not be equiprobable?
Is there a reason to believe that if I chose an arbitrary offset into
the digit expansion of Pi, that the sequence that is generated from
that offset is not one of all possible sequences of that length, and
that it is equiprobable with all of those other possible sequences? If
not, what is it about the digit expansion of Pi that causes such
limitations?
Bob Knauer
"Anyone that can get elected, is not qualified to serve."
--Lance Bledsoe
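Hypothesis One as a runnable example, added here and not Knauer's code: a constructed toy keystream generator whose entire seed is 8 bits is XORed with a 14-byte message, and exhausting all 256 seeds leaves exactly one "intelligible" decryption, because the ciphertext is far past the unicity distance; for an OTP, by contrast, a pad exists that turns the same ciphertext into any plaintext of that length. The LCG constants, the alphabet-based intelligibility test and the messages are all constructed for the demonstration.

```python
import math

# Constructed toy stream generator: the entire seed is the 8-bit LCG state.
# It models "seed much smaller than the ciphertext"; it is not a real cipher.
LCG_A, LCG_C = 1103515245, 12345
SEED_BITS = 8
ALPHABET = set(b"abcdefghijklmnopqrstuvwxyz ")  # crude stand-in for "intelligible"


def keystream(seed, length):
    state = seed & 0xFF
    out = bytearray()
    for _ in range(length):
        state = (LCG_A * state + LCG_C) & 0xFF
        out.append(state)
    return bytes(out)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def intelligible(text):
    return all(c in ALPHABET for c in text)


def candidate_plaintexts(ciphertext):
    """Try every seed; keep only the decryptions that pass the intelligibility test."""
    found = []
    for seed in range(2 ** SEED_BITS):
        pt = xor_bytes(ciphertext, keystream(seed, len(ciphertext)))
        if intelligible(pt):
            found.append((seed, pt))
    return found


def unicity_distance(key_bits, alphabet_size):
    """Shannon's estimate of the ciphertext length beyond which only one key fits:
    key entropy divided by the redundancy per 8-bit character of the toy alphabet."""
    return key_bits / (8 - math.log2(alphabet_size))


def expected_spurious(key_bits, alphabet_size, length):
    """Expected number of wrong seeds whose decryption still looks intelligible."""
    return (2 ** key_bits - 1) * (alphabet_size / 256) ** length


def otp_key_for(ciphertext, wanted_plaintext):
    """With a pad as long as the message, every plaintext is reachable: this is the pad
    that makes the given ciphertext decrypt to wanted_plaintext."""
    return xor_bytes(ciphertext, wanted_plaintext)


def demo():
    message = b"attack at dawn"
    ct = xor_bytes(message, keystream(0x5A, len(message)))
    seeded = candidate_plaintexts(ct)          # only the true plaintext survives
    alt = b"attack at dusk"
    otp_alt = xor_bytes(ct, otp_key_for(ct, alt))  # an OTP pad reaches the alternative
    return seeded, otp_alt


if __name__ == "__main__":
    seeded, otp_alt = demo()
    print("seeded generator, intelligible candidates:", seeded)
    print("unicity distance of the toy (chars):",
          round(unicity_distance(SEED_BITS, len(ALPHABET)), 2))
    print("expected spurious candidates at 14 chars:",
          expected_spurious(SEED_BITS, len(ALPHABET), 14))
    print("OTP: a pad exists that decrypts the same ciphertext to", otp_alt)
```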
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: On the Generation of Pseudo-OTP
Date: Mon, 11 Jan 1999 16:35:46 +0100
R. Knauer wrote:
>
> On Mon, 11 Jan 1999 13:53:55 +0100, Mok-Kong Shen
> <[EMAIL PROTECTED]> wrote:
>
> >Similarly there is no way to know for sure that hardware random
> >numbers are really all that secure!
>
> I do not agree.
>
> A hardware TRNG can be designed to be totally fault tolerant. The
> techniques of Triple Modular Redundancy (TMR) are well formulated.
> Furthermore, the TRNG can be based on a physical process that is known
> to be totally random, like radioactive decay. And it can be designed
> to remove any traces of bias, like measuring timing intervals in two
> directions.
>
> Not all hardware TRNGs can be designed that way, but some can - to
> within an arbitrary limit of precision that makes them practical.
So please give a FORMAL and rigorous proof of the security! Does
'arbitrary limit of precision' mean an approximation or perfectness??
>
> >If you accept that a good pseudo-OTP can be useful on PRACTICAL
> >grounds, then we don't have to argue.
>
> First I do not accept that there is such a thing as a "pseudo-OTP". A
> stream cipher is either an OTP or it is not an OTP. The term
> "pseudo-OTP" is an oxymoron, and is very misleading. That's why
> cryptographers reserve the term OTP to mean one and only one thing.
An OTP can be used in stream encoding. Since an (ideal) OTP is
NOT obtainable, the sentence 'A stream cipher is .... ' has no
practical meaning, unless you substitute 'OTP' with 'an approximation
of OTP'. Well, after arguing so long on this terminology point,
let me know whether you are against something like 'an intended
approximation to an ideal OTP' in place of 'pseudo-OTP'. If yes
please list the reasons. If no then please use a text editor to
do the replacement of the phrase 'pseudo-OTP' in my original post,
so that we don't need to waste time on this terminology point.
>
> Just look at the extensive confusion that is caused by misusing the
> term "random". By not bastardizing the term OTP, we avoid such a
> situation as that which has befallen the term "random". Maybe the way
> to emphasize this is to call the OTP a "crypto-grade OTP", like we are
> now forced to call a "crypto-grade random number" to distinguish it
> from all other uses of the term "random".
>
> But that is really not necessary, since there is only one proper use
> of the term "OTP" and that is the one all cryptographers agree on, as
> described in Schneier's main book. Nowhere in that book do you see the
> term "pseudo-OTP" - at least I have never seen it - because such misuse
> is not tolerable to cryptographers.
Why do you think that hardware noise is the 'only one proper use
of the term "OTP" '? Please substantiate the word 'proper'. And
why 'only'? If that term 'pseudo-OTP' has never been used before, as
you claimed, then the chance of confusion is much less than in the
case where it had been previously used in other senses, isn't it?
>
> But overlooking that misleading terminology, I do suspect that one can
> concoct some kind of extremely secure stream cipher, one which
> approaches the provable security of the OTP on a practical basis. The
> one problem I can foresee at this juncture is that such a stream
> cipher can never be proven to be secure, which leaves open the
> possibility that it is not secure at all.
Practical security is not identical to theoretical security. Practical
security is relative to the risk and the cost of securing a certain
level of security. There is always some uncertainty (factors
unforeseen, etc.) and subjectiveness (because a measure of 'strength'
can't be rigorously defined). It's like deciding what measures you
are going to take in order to prevent thieves breaking into your
house. Crypto schemes of different strengths can be useful in
different environments. Even if an (ideal) OTP were obtainable,
it wouldn't be useful if it costs far too much to get that.
>
> There are too many cryptosystems that were believed to be very secure
> only to be found insecure later. To date the ONLY provably secure
> classical cryptosystem is the OTP where the pad is generated by a
> properly designed hardware TRNG.
I said (to how many times?) that an ideal OTP is NOT obtainable and
that hardware gives an APPROXIMATION only and that software, if
suitably designed, has a CHANCE of delivering an APPROXIMATION
in similar manner.
>
> Again the problem comes back to the inability to characterize a
> particular crypto-grade random number formally. The best that can be
> done is to take advantage of the intrinsic randomness in certain
> quantum mechanical processes to guarantee that a TRNG generates secure
> pads.
>
> Put another way, if you claim that a given algorithmic scheme is
> nearly perfectly secure in a practical sense, then you are going to
> have an impossible task trying to prove it formally.
I (to how many times?) said that I was simply putting up a (possibly)
useful scheme. No claim was EVER made that it is really good.
NO proof of the sort you mentioned IS necessary, since it is NEVER
intended to deliver perfect security.
>
> The best that could be done is to test your system experimentally, for
> example by subjecting it to a series of Bayesian Attacks, and see how
> it holds up. But even then there is no formal reason to believe with
> certainty that it will always hold up to a given practical level in
> the real world. There could be some hidden flaw waiting to manifest
> itself, like a weak key that no one knows about, or some other
> inherent weakness in the algorithmic procedure that the cryptanalyst
> can exploit.
Can you give good literature references to 'Bayesian Attacks'?
Are these 'systematically' applicable to ALL ciphers, even without
knowing the underlying algorithms?
>
> I still think that one major flaw with algorithmic schemes is the lack
> of a suitable means to remove correlation. Since the bitstream is
> calculated, there is a precise relationship between the bits which
> means the bits are correlated. Trying to get rid of that correlation
> is a major hurdle, so we are told by the experts. I have not heard of
> any conclusive proof that strong mixing (cf. FIPS 140-1), for example,
> is suitable to remove such correlations from bitstreams to a practical
> level, that is, to a level sufficient to prevent a successful Bayesian
> Attack.
Every method in practice is non-perfect from the very beginning.
But you can remove correlation through permutation, substitution,
etc. I listed in my original post some of what I believe (not sure!)
to be promising in reducing (not entirely remove) the correlations.
Taking every second or third character of a text also reduces the
correlations. Let a bunch of characters be taken from a large number
of texts and put these into a buffer and shuffle it. The result
can be expected to have less correlations than in the original texts.
Note that every practical method can only give an approximation.
But if you appropriately 'concatenate' a number of such approximations,
then the resulting sequence will very likely have a better quality
than each of the methods applied alone. To make an analogy, look
how the water from your tap has been purified from some not very
clean source. A series of different kinds of filtering processes
are involved, each augmenting the function of the others. Still the
water you get is NOT 100% free of bacteria or toxic substances, but
is nearly so and in consequence you can consume it without fear
of getting ill. Distilled water is of much better quality, but even
that is not 100% pure H2O. Depending on your use, you'll decide to
use water from the tap or the distilled water from your pharmacy.
If you are running an industrial firm, you may consider whether
it is cheaper to obtain water from an independent source, with
less filtering, etc. It all depends on the application.
M. K. Shen
------------------------------
From: [EMAIL PROTECTED]
Subject: EUROPEAN ECHELON
Date: Mon, 11 Jan 1999 15:33:27 GMT
KEY WORD RECOGNITION IS NOT NECESSARY IN SWITZERLAND:
- EACH PUBLIC PHONE IS TAPPED (hotel, cafe,...)
- EACH GSM IN STANDBY IS PERIODICALLY TRACED/MAPPED
- EACH CALL ON A BUSY LINE IS LISTED
- EACH CALL IS LISTED (CLIP ACTIVATED)
- 1 LINE PER ONE THOUSAND IS TAPPED
http://jya.com/gsm-snoop.htm
http://jya.com/gsm-scandal.htm
===============================
5% OF PHONE-TAPPING IS VOICE RECOGNITION IN GERMANY
BND PHONE-TAPPING HELPS CRIMINAL ORGANISATIONS (SICILIAN MAFIA)
http://www.ii-mel.com/interception
http://jya.com/eu-wash.htm
===============================
ONE FRENCH AUTHORIZATION PERMITS TAPPING 100 000 lines in France Telecom
(source CNIL)
French Echelon:
http://jya.com/echelon-go.htm
================================
European Union STOA REPORT:
http://www.europarl.eu.int/dg4/stoa/en/publi/166499/execsum.htm
__________________________________
http://www.ii-mel.com/interception
__________________________________
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: On the Generation of Pseudo-OTP
Date: Mon, 11 Jan 1999 16:46:50 +0100
R. Knauer wrote:
>
> On Mon, 11 Jan 1999 14:10:29 +0100, Mok-Kong Shen
> <[EMAIL PROTECTED]> wrote:
>
> >> With the OTP system, there are all possible messages of length N
> >> "contained" in a given ciphertext, including all possible intelligible
> >> messages. Each possible message, including the intelligible ones, are
> >> equiprobable - that is what makes the OTP system provably secure,
> >> because the cryptanalyst has no rationale to pick any one particular
> >> intelligible message over another. "Attack at dawn" is just as likely
> >> the intended message as "Attack at dusk".
>
> >If the real message is 'Attack at noon' and one XOR it with two
> >texts (pseudo-OTP) 'Attack at dawn' and 'Attack at dusk', how
> >does the analyst proceed?
>
> I did not mean for "Attack at dawn" or "Attack at dusk" to be the
> pads. I intended for them to be possible plaintexts.
>
> Please restate your question in light of that.
Yes. These are plain texts. Here I use these as given, i.e. applying
no techniques of removing correlations, only that I XOR the given
plain texts and use the resulting sequence as a 'pseudo-OTP' to
encrypt the message 'Attack at noon' through an XOR.
>
> >Referring to your phrase 'Only a number produced by a TRNG can be
> >proved to be random', could you give the concrete proof algorithm??
>
> I should rephrase that statement: "At present, only a properly
> designed hardware TRNG based on a physical process known to be totally
> random can generate crypto-grade random numbers suitable for the OTP
> cryptosystem."
The problem is with 'totally' in the phrase 'totally random'.
Since true randomness cannot be proved of any given sequence with
a computable algorithm, you can have at best 'almost totally random'
NOT 'totally random'!
>
> You might try to argue that physicists do not know for certain that
> any given physical process is completely random, but then you need to
> prove that assertion because it goes against a very large body of
> evidence to the contrary.
It is evidently the job of those who claim that something is (really)
random to prove that, not the other way round. Those who claim the
existence of UFO, for instance, have to prove that. It is not the
job of the others to prove the non-existence of UFO.
>
> Radioactive decay for certain isotopes is known to be completely
> random based on a century of observations. If you sincerely believe
> you can prove otherwise, I would suggest ordering your tux for the
> Nobel Prize you will receive when you do it successfully.
Covered above.
M. K. Shen
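Shen's construction above, as an added worked example that is not either poster's code: the pad is the XOR of two plaintexts, so wherever the two texts agree the pad byte is zero and the ciphertext byte is the message byte in the clear. The texts are the ones used in the thread; the helper names are mine.

```python
def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def pad_from_texts(text1, text2):
    """Shen's 'pseudo-OTP': the XOR of two equal-length plaintexts, used as-is
    (no decorrelation step)."""
    assert len(text1) == len(text2)
    return xor_bytes(text1, text2)


def encrypt(message, pad):
    return xor_bytes(message, pad)


def leaked_positions(pad):
    """Positions where the pad byte is 0: at those positions ciphertext == message."""
    return [i for i, b in enumerate(pad) if b == 0]


def zero_fraction(pad):
    """Share of pad bytes that are zero; 1/256 for a uniformly random pad,
    much higher for a pad derived from two natural-language texts."""
    return len(leaked_positions(pad)) / len(pad)


def demo():
    pad = pad_from_texts(b"Attack at dawn", b"Attack at dusk")
    ct = encrypt(b"Attack at noon", pad)
    return pad, ct, leaked_positions(pad)


if __name__ == "__main__":
    pad, ct, leaked = demo()
    print("pad       :", pad.hex())          # 11 zero bytes, then 14 04 05
    print("ciphertext:", ct)                  # b'Attack at n{kk'
    print("leaked positions:", leaked, "zero fraction:", round(zero_fraction(pad), 2))
```

The 'Attack at d' prefix of the message survives encryption unchanged, and the three remaining pad bytes are small values (the XOR of two lowercase letters), so the cryptanalyst is not choosing among equiprobable plaintexts at all.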
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************