Cryptography-Digest Digest #907, Volume #8 Thu, 14 Jan 99 18:13:04 EST
Contents:
Re: Help me with this crypto ! ([EMAIL PROTECTED])
Re: Chaitin Omega (Medical Electronics Lab)
Re: Irish school kid encryption (Bill Unruh)
Re: Metaphysics Of Randomness (John Savard)
Re: Metaphysics Of Randomness (R. Knauer)
Re: Chaitin Omega (R. Knauer)
Re: Practical True Random Number Generator ("John Feth")
Re: Practical True Random Number Generator (R. Knauer)
Re: Cayley-Purser algorithm? (Tim Smith)
Re: On the Generation of Pseudo-OTP ("John Feth")
Re: Sarah Flannery and the "Cayley-Purser" Algorithm (Jim Felling)
Re: Irish school kid encryption ("Michael Scott")
Re: On the Generation of Pseudo-OTP (Snowhare)
Re: Irish school kid encryption (Jim Gillogly)
Re: On the Generation of Pseudo-OTP (R. Knauer)
Contents of server gated certificates ("Dick Perkins")
Re: On the Generation of Pseudo-OTP (Terry Ritter)
Re: Cayley-Purser algorithm? (Mike Andrews)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Help me with this crypto !
Date: Thu, 14 Jan 1999 18:11:47 GMT
In article <[EMAIL PROTECTED]>,
Nicol So <[EMAIL PROTECTED]> wrote:
> Actually, I've seen a device that fits your description. It's a token
> for challenge/response authentication. When you use it for remote
> login, the remote system presents you with a "challenge" in the form of
> an 8(?)-digit number, which you'd enter into the token for the proper
> response.
>
> Are you trying to reverse engineer the box?
>
> Nicol
>
No, i will write a program that does the same as the box, because the
box is a really slow and i hate it.
>
============= Posted via Deja News, The Discussion Network ============
http://www.dejanews.com/ Search, Read, Discuss, or Start Your Own
------------------------------
From: Medical Electronics Lab <[EMAIL PROTECTED]>
Subject: Re: Chaitin Omega
Date: Thu, 14 Jan 1999 12:20:00 -0600
Darren New wrote:
>
> I'm looking at http://www.cs.auckland.ac.nz/CDMTCS/chaitin/belgium2.html
I haven't read this, but I'll conjecture on your question:
> In that lecture, Chaitin talks about Omega, the halting probability. He
> says "You have to have a probability associated with each computer
> program in order to talk about what is the probability that a computer
> program will halt." (Makes sense so far) He continues "One chooses each
> bit of the computer program by tossing a fair coin, so that an N-bit
> program will have probability 2^-N." Now, which is "the" computer
> program? First he talks about "each" computer program, then he talks
> about "the" computer program being chosen. He goes on to say "Once
> you've chosen the probability measure this way and you choose your
> general-purpose computer this will define a specific halting
> probability." I'm not following what he's trying to say.
"the" computer program you get is some number between 0 and N-1.
For example, Suppose you have a PIC microcontroller. Each instruction
takes 14 bits. Take N = 1400, and you get a 100 instruction
program for this microcontroller. If you use a fair coin, you'll
get some program with a probability of 2^1400 (a *very* big number!!).
Since we've chosen the cpu, we fix the halting probability for
that sequence of instructions. If we chose another cpu, that
used 16 bit instructions, then it would behave completely differently.
The odds are small the cpu will do anything that makes sense, but
one of the instructions might be SLEEP which would definitly halt
the program. It sounds like he's chosing the bit stream first,
then slapping it into a computer to see what happens. The same
bit stream will act differently on different cpu's, which is sort
of obvious, but it does determine "a specific halting probability".
> Is he saying that Omega is the probability that any selected program N
> bits long will halt? I don't follow why he needs to explain how to
> create a random program if he's trying to talk about "one looks at the
> ensemble of all possible computer programs."
More like "any selected string of N bits has a probability Omega that
it will halt on a given processor". The string of N bits is an
ensemble of all possible computer programs.
This is a very good point to make. Basicly, the reason software is
so much harder than hardware is that the number of possible states
available to the software is 2^(number of bits in ram). For hardware
it's more like (2^number of wires on the board). The ensemble
is huge, and most of the possible states are useless. It's amazing
any of these things work at all!
Patience, persistence, truth,
Dr. mike
------------------------------
From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: Irish school kid encryption
Date: 14 Jan 1999 17:44:14 GMT
In <[EMAIL PROTECTED]> [EMAIL PROTECTED] (Martin Miller)
writes:
>Check this link:
>http://slashdot.org/articles/99/01/13/0931237.shtml
Which is then a link to the BBC story. That's all
>And read the comments about the article, there is some more
>information...
As far as I could see, the comments ( ovr 100 ) are useless. Don't
bother.
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Metaphysics Of Randomness
Date: Thu, 14 Jan 1999 19:26:07 GMT
[EMAIL PROTECTED] (R. Knauer) wrote, in part:
>But isn't the work factor part of obscurity - namely that if you did
>have enough time, energy and other resuorces at your disposal, you
>could discover the underlying scheme and break the cipher?
Not in the sense that "obscurity" is usually used. If a cipher has a
large work factor, then it is well designed; obscurity refers to a
poorly-designed cipher which needs to have the algorithm kept secret
as well.
One could say, if one wished, that *all* cryptography is security
through obscurity, since it depends on the opponent not knowing the
key. But that viewpoint is not useful.
John Savard
http://www.freenet.edmonton.ab.ca/~jsavard/index.html
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: Metaphysics Of Randomness
Date: Thu, 14 Jan 1999 20:08:15 GMT
Reply-To: [EMAIL PROTECTED]
On Thu, 14 Jan 1999 19:26:07 GMT, [EMAIL PROTECTED]
(John Savard) wrote:
>One could say, if one wished, that *all* cryptography is security
>through obscurity, since it depends on the opponent not knowing the
>key.
That was my original point, admittedly somewhat philosophical.
> But that viewpoint is not useful.
What if the "key" is some small text string and some other parameters
like a name and some page parameters that point to "useful"
information that can be made into a secure key? What makes that key
any different from any other key in general, albeit not being in
conventional use?
I am not commenting here for pedantic purposes. I believe crypto is
overpopulated with glib one-liners that steer people away from a wider
appreciation for what is going on. The old cliche that "obscurity does
not mean security" is indeed correct, but only in a limited context,
like trying to hide the encryption method.
If I tell you that I am using a modified book cipher, and give you the
details of that modification, I still may be able to produce ciphers
that make you work hard to break.
For example let's say I chose the text in an online newspaper, and the
key is the specification of that newspaper, the page, column and
offset from the beginning of a paragraph. All that information needed
to construct a stream cipher is contained in that key.
Then I take the LSBs of the text stream (ignoring spaces, punctuation,
editing marks, etc.), antiskew it with known secure methods, and hash
the livin' bejeezuz out of it with other such prepared text streams,
which are also part of the key, and then use that in a stream cipher
where I have pre-encrypted the message with 128-bit IDEA, the session
key for which is embedded in the ciphertext. The hash is chosen from
those that are presumably secure. Two have been suggested thus far in
recent posts: CRC (16?) and LZ77.
How much work effort is it going to take to break that cryptosystem?
Bob Knauer
"Liberty lies in the hearts of men and women. When it dies there,
no constitution, no law, no court can save it."
--Justice Learned Hand
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: Chaitin Omega
Date: Thu, 14 Jan 1999 19:41:05 GMT
Reply-To: [EMAIL PROTECTED]
On Thu, 14 Jan 1999 12:20:00 -0600, Medical Electronics Lab
<[EMAIL PROTECTED]> wrote:
>It sounds like he's chosing the bit stream first,
>then slapping it into a computer to see what happens.
He considers all possible programs p and computes the Halting
Probability as the sum over p for those programs that do halt. Each
program that halts adds a value 2^-|p| to that sum.
He also concoctes some hairy two hundred page equation, a so-called
exponential diophantine equation, that has the property that for each
value of a parameter the equation either has a finite or an infinite
number of solutions and that result determines the one bit in Omega. I
will have to leave that as an exercise for the reader to figure out,
since I don't have a clue how he does it.
>The same
>bit stream will act differently on different cpu's, which is sort
>of obvious, but it does determine "a specific halting probability".
Chaitin uses the Universal Turing Machine (UTM) as his computer. He
wrote his UTM in a version of LISP he created.
>Basicly, the reason software is
>so much harder than hardware is that the number of possible states
>available to the software is 2^(number of bits in ram).
That's only true if you have a room full of monkeys typing in code at
typewriters.
>For hardware it's more like (2^number of wires on the board).
I think you are leaving out the "wires" inside the chips.
>The ensemble is huge, and most of the possible states are useless.
Unless it's a Windows program coded by monkeys.
>It's amazing any of these things work at all!
If you run MicroShaft products, they don't.
Bob Knauer
"Liberty lies in the hearts of men and women. When it dies there,
no constitution, no law, no court can save it."
--Justice Learned Hand
------------------------------
From: "John Feth" <[EMAIL PROTECTED]>
Subject: Re: Practical True Random Number Generator
Date: 14 Jan 1999 19:01:20 GMT
Gentlemen,
For an in depth discussion of the generation of random number strings from
radioactive decay go to:
http://www.fourmilab.ch/hotbits/
You can download long strings of radioactively generated random numbers
here and read in depth about the set up for producing them and the lengths
he goes to to exclude any deterministic effects due to half lives etc.
Regards,
John Feth
Mok-Kong Shen <[EMAIL PROTECTED]> wrote in article
<[EMAIL PROTECTED]>...
> KloroX wrote:
>
> >
> > The point mentioned in the original post is that the half-life is
> > finite, and therefore the interval t1 between decay 1 and 2 is
> > slightly shorter (statistically) than the interval t2 between decay 2
> > and 3. Thus, the result is slightly biased toward 0 if one generates a
> > 0 whenever t1 < t2. Reversing the rule in 50% of the measurements
> > removes this bias.
> >
> > As already mentioned, the bias in the original procedure is very small
> > if t1 and t2 are short (milliseconds) and the half-time long (hundreds
> > of years or more). The above fix is only of theoretical interest in
> > such a case.
>
> Thank you for clarifying a point that I have been arguing with
> Knauer. (I read this post of yours too late.)
>
> M. K. Shen
>
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: Practical True Random Number Generator
Date: Thu, 14 Jan 1999 20:10:23 GMT
Reply-To: [EMAIL PROTECTED]
On Thu, 14 Jan 1999 19:22:59 GMT, [EMAIL PROTECTED]
(John Savard) wrote:
>However, if someone can aim a TV camera at lava lamps, one could use
>some sort of optical sensing arrangement to look at, say, small dust
>particles in a heated liquid undergoing Brownian motion (registering
>the difference in molecular impacts from their sides).
Aha! The Milliken Oil Drop experiment goes hi-tech.
Bob Knauer
"Liberty lies in the hearts of men and women. When it dies there,
no constitution, no law, no court can save it."
--Justice Learned Hand
------------------------------
From: [EMAIL PROTECTED] (Tim Smith)
Subject: Re: Cayley-Purser algorithm?
Date: 14 Jan 1999 12:50:15 -0800
In article <77l3nr$55n$[EMAIL PROTECTED]>, <[EMAIL PROTECTED]> wrote:
> William Whyte <[EMAIL PROTECTED]> wrote:
>> modulo n, n the product of 2 primes (ie an RSA number). The
>> security is therefore exactly the same as the security of an RSA key with
>> the same modulus.
>
>This is "proof by assertion". The fact that the algorithm uses SL(2, Z/NZ)
>where N = pq is not equivalent to proving that its security relies on
>factoring N.
When was it proved that the security of RSA depends on factoring? I thought
that this was still conjecture? Has someone proved that breaking RSA requires
factoring?
--Tim Smith
------------------------------
From: "John Feth" <[EMAIL PROTECTED]>
Subject: Re: On the Generation of Pseudo-OTP
Date: 14 Jan 1999 19:30:06 GMT
R. Knauer <[EMAIL PROTECTED]> wrote in article
<[EMAIL PROTECTED]>...
>
snip
> Could that be because trying to remove correlations with an
> algortihmic procedure is counterproductive, since such procedure
> itself can introduce correlations because it is algorithmic?
>
> After all, if one can compute the nth and n+1th state of an algorithm,
> there is a strong correlation between the two outputs.
>
> >The lack of such
> >a theory might make the topic somewhat difficult to discuss.
>
> Maybe that is the theory - that algorithmic decorrelation is
> impossible.
>
> Bob Knauer
Take any non zero string of say 1495 digits (m), create another string (c)
with the algorithm
c=MOD(m^e, pq)
where e is 23 and p and q are primes with a product 1500 digits long.
Increment m by one to get another string, and you will be the only person
in the universe who knows how the two strings are correlated.
By the way, you can demonstrate that the digits in either of the two
strings generated by the algorithm are randomly valued (uncorrelated) by
running an Allan Deviation on them.
Regards,
John Feth
------------------------------
Date: Thu, 14 Jan 1999 15:33:28 -0600
From: Jim Felling <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Sarah Flannery and the "Cayley-Purser" Algorithm
Assuming (and it is a BIG assumption) that this algorithm is secure and
equivalent to RSA (as far as the size of the numbers and is based on an
equivalent problem. Then what we worry about is not brute force, but factoring
based attacks. The key space on RSA is wompingly gigantic -- it is much more
effective to attack n=pq than to attack it with brute force, and any speedups
that the algorithm allows do not pay off by that kind of margin
Gabriel Knoy wrote:
> > Miss Flannery, 16, from Blarney, Co Cork, used matrices to
> > formulate an alternative to RSA, the current data protection
> > code, devised by three students at the Massachusetts
> > Institute of Technology in 1977. The result is an algorithm, a
> > mathematical blueprint, that is far faster than the RSA and
> > equally secure.
>
> Now, I may be way off target here, as I'm pretty new to this area
> of interest (I only got The Book 4 weeks ago), but how secure can it be?
>
> Take a very simplistic brute force attack, where an attempt to decrypt
> the message is made using every key in the known key space. I am
> assuming that her decryption method is as comparably faster than
> RSA's as her encryption method is (and it's a big assumption, I guess).
>
> Since her algorithm (from what little I've read on the BBC page) is
> based on matrix math, which is (i think?) computationally simpler
> than the math used in RSA's encryption, that would mean that more
> keys could be tested in a given period of time than could be if RSA
> were used. Additionally, it would probablly be cheaper to build a
> dedicated cracking machine (like the EFF built to crack DES),
> because I would suppose that the chips needed to do the matrix math
> might be less complex.
>
> That's my take on this, please don;t hesitate to tell me if I'm barking up
> the wrong tree :)
>
> Gabriel Knoy
------------------------------
From: "Michael Scott" <[EMAIL PROTECTED]>
Subject: Re: Irish school kid encryption
Date: Thu, 14 Jan 1999 19:41:36 -0000
This featured on Irish TV news last night, and in the background was a
blackboard.
Three things were visible on it.
1. n=p.q [MS - Ok we knew that)
2. C=XAX^(-1) [MS -Clearly matrix notation]
3.....and an observation that matrix multiplication doesn't commute, i.e. AB
is not equal to BA
Make of that what you will.
Mike Scott
------------------------------
Subject: Re: On the Generation of Pseudo-OTP
From: [EMAIL PROTECTED] (Snowhare)
Date: Thu, 14 Jan 1999 19:51:54 GMT
=====BEGIN PGP SIGNED MESSAGE=====
Nothing above this line is part of the signed message.
In article <[EMAIL PROTECTED]>,
R. Knauer <[EMAIL PROTECTED]> wrote:
>On Thu, 14 Jan 1999 03:53:08 GMT, [EMAIL PROTECTED] (Snowhare)
>wrote:
>
>>Would you believe there is now a project to map the interior of the
>>Earth using neutrinos?
>
>When it comes to spending OPM, I can believe anything. Fermi suggested
>building a cyclotron that circled the earth in orbit.
This is being done much less expensively than that - they are using
the existing neutrino detectors in a creative way.
>What I cannot understand was shutting down the Supercollider project -
>and I followed that saga from beginning to end, since I live in Texas.
Politics. Which is why not only was it shutdown, but the hole was
ordered filled (which cost almost as much as finishing it would
have). It's probably ok in the long run since it upped the research
into plasma wave accelerators (not that that particular fact would
have affected the political wars - the SSC was dead the moment the
Republican majority took office regardless) which should be able to
do the same work for orders of magnitude less cost. We hope. :/
Benjamin Franz
=====BEGIN PGP SIGNATURE=====
Version: 2.6.2
iQCVAwUBNp5LTejpikN3V52xAQGFIQQAuTU/pN/vs2bsl3UvKfXt5Ky+yTW8IHON
iDyUWC5mhAI6E0DFEkteZzXgGDj0eusae304UfMbqdAFP5rzsUyRSqR+440b20wz
sMmxGKSkUo5r8btjyM9xMC+tR7bP8fvY9jxF22q6uepUSVbUFf2h0wTk81wnNrB4
PSmWGHzST+0=
=Rn5R
=====END PGP SIGNATURE=====
------------------------------
From: Jim Gillogly <[EMAIL PROTECTED]>
Subject: Re: Irish school kid encryption
Date: Thu, 14 Jan 1999 10:57:48 -0800
Reply-To: [EMAIL PROTECTED]
Bill Unruh wrote:
>
> In <[EMAIL PROTECTED]> [EMAIL PROTECTED] (Martin Miller)
>writes:
> >Check this link:
> >http://slashdot.org/articles/99/01/13/0931237.shtml
> As far as I could see, the comments ( ovr 100 ) are useless. Don't
> bother.
Not quite -- William Whyte of Baltimore-Zergo doled out a few more
snippets of information well down the list, including:
WW> The numbers are RSA numbers, but the algorithm isn't RSA,
WW> for all the reasons you give. The strength comes from the
WW> difficulty of finding square roots modulo N if you don't
WW> know the factorisation of N.
WW>
WW> On the intellectual property issue, everything is yet to be
WW> decided. Any IP decisions will be taken in consultation
WW> between Sarah and ourselves.
WW>
WW> On the issue of trusting an algorithm that hasn't been
WW> fully studied, obviously we're with the majority on this
WW> one. I wouldn't use an algorithm that I didn't have good
WW> reason to feel confident with and I wouldn't expect anyone
WW> else to.
and (regarding vulnerability to known- or chosen-plaintext):
WW> No; as with ElGamal encryption, there's a one-time random
WW> nonce generated for each encryption. Also, the algorithm as
WW> it stands is simply the encryption engine. It leaves open
WW> the question of how the data is padded before encryption,
WW> and that's how algorithms like RSA reduce the potency of
WW> chosen plaintext attacks.
The media interest has clearly taken Miss Flannery and Baltimore-Zergo
by surprise, and there will presumably be a hiatus as she gets over her
cold and B-Z gets their ducks lined up.
--
Jim Gillogly
23 Afteryule S.R. 1999, 18:49
12.19.5.15.8, 8 Lamat 1 Muan, Second Lord of Night
------------------------------
From: [EMAIL PROTECTED] (R. Knauer)
Subject: Re: On the Generation of Pseudo-OTP
Date: Thu, 14 Jan 1999 20:21:53 GMT
Reply-To: [EMAIL PROTECTED]
On 14 Jan 1999 19:30:06 GMT, "John Feth" <[EMAIL PROTECTED]>
wrote:
>Take any non zero string of say 1495 digits (m), create another string (c)
>with the algorithm
>c=MOD(m^e, pq)
>where e is 23 and p and q are primes with a product 1500 digits long.
>Increment m by one to get another string, and you will be the only person
>in the universe who knows how the two strings are correlated.
Is that proveable? If so, is it written up anywhere, like on the Web?
Or is it perhaps buried somewhere in Schneier's voluminous main book?
>By the way, you can demonstrate that the digits in either of the two
>strings generated by the algorithm are randomly valued (uncorrelated) by
>running an Allan Deviation on them.
What is an Allan Deviation? Is it written up anywhere, like on the
Web? Or is it perhaps buried somewhere in Schneier's voluminous main
book?
BTW, you seem to be inferring that you can test for crypto-grade
randomness by a formal procedure applied to one instance of such a
number. That is not permitted according to the many discussions of
last year, where the prevailing expert opinion was that the only way
to characterize a crypto-grade random number (for the OTP) is to
characterize the generator, called a TRNG. We also concluded that the
only suitable TRNG was a hardware device based on a random physical
process from the realm of quantum mechanics, such as radioactive
decay.
Do you know something differently that we should know?
Bob Knauer
"Liberty lies in the hearts of men and women. When it dies there,
no constitution, no law, no court can save it."
--Justice Learned Hand
------------------------------
From: "Dick Perkins" <[EMAIL PROTECTED]>
Subject: Contents of server gated certificates
Date: 12 Jan 1999 16:34:39 GMT
I have been unable to discover the contents of server gated certificates
(and step up certificates if they're not the same thing). Is there a
specification for them anywhere? If not, can anyone tell me what they
contain or how to extract one from a browser. I'm particularly interested
in whether there's any cryptography used to ensure that such a certificate
is authentic.
Dick Perkins
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: On the Generation of Pseudo-OTP
Date: Thu, 14 Jan 1999 22:32:11 GMT
On Thu, 14 Jan 1999 13:28:12 GMT, in
<[EMAIL PROTECTED]>, in sci.crypt
[EMAIL PROTECTED] (R. Knauer) wrote:
>On Thu, 14 Jan 1999 03:07:30 GMT, [EMAIL PROTECTED] (Terry Ritter) wrote:
>
>>RFC 1750 describes fairly well-known techniques, and there is
>>remarkably little "proof" argument there.
>
>It does describe hashing too.
>
>>I claim that any good hash should be a good randomness mixer,
>>especially when more goes into it than comes out. While RFC 1750 does
>>not mention CRC mixing, I often argue that a linear CRC hash
>
>I trust you mean CRC 16. If so, its implementation via lookup table is
>very easy.
CRC16 is a particular polynomial for 16-bit CRC's, which is a little
small. I guess the most popular nowadays is CRC32. Any CRC for any
polynomial is very easy by lookup. I often use 31-bit CRC's in
crypto.
>>provides a fine mixing for really random streams.
>
>I am confused. If the streams are random to begin with, why would they
>need to be combined by a hash? DO you mean "almost random streams"
>except they have corrrelation that needs to be removed - like the LSBs
>of text or the bit expansion of pi might be, or the output of a
>well-designed LFSR?
A randomness machine is often not the evenly-distributed full-entropy
source we desire for cryptography. The point of the hashing is to
accumulate sufficient uniqueness to produce a full-entropy value. One
problem is knowing how much to accumulate, especially if the "entropy"
from the machine can vary through time.
Linear mixing is not going to hide linear characteristics; neither XOR
nor CRC are going to hide LFSR correlations in a cryptographic sense.
So CRC mixing is really only appropriate for sources which have some
amount of "true" randomness which must be accumulated. CRC cannot
provide "a fine mixing" for LFSR's.
>>We could use a keyed Latin square combiner, or the combiner-based
>>ciphering structures I have been promoting for the past few years.
>
>Which are? I have never heard of those things.
http://www.io.com/~ritter/GLOSSARY.HTM#LatinSquareCombiner
http://www.io.com/~ritter/ARTS/PRACTLAT.HTM
http://www.io.com/~ritter/GLOSSARY.HTM#MixingCipher
http://www.io.com/~ritter/#MixTech
>Remember that the original objective here is to remove correlation
>from a bitstream such as the LSBs of text or the bit expansion of pi.
>It is assumed that those streams have been antiskewed before hand.
It may be that in order to know if one has removed a correlation, one
must first know what the correlation is. I am not sure that *any*
technique would remove *all* correlations under *all* circumstances.
But if we mix a lot of almost-random material into a small result, it
seems like we have a good chance of getting pretty random stuff out.
If you want a specific recommendation for re-mixing Pi, I would try
mixing 4 different probes into the sequence. Selecting the probe
positions (and even the probing, which might not be sequential or
increasing) is part of the key. Other parts of the key could set
shuffle some Latin squares for mixing; we could always use the same
squares, or vary them according to the sequence itself, or another
probe. We mix one pair, the other pair, then those results, and get a
random value out. Probing Pi seems like a lot of work.
>>I take no such an implication. I would say that one probably would
>>not expect a mathematical proof of the "strength" of mixing techniques
>>(indeed, if such a term applies) unless they are, in some sense,
>>perfect.
>
>How would one test for such perfection? How does one quantify the
>extent of that, like 99.9% perfect?
There is a remarkable lack of provable strength in cryptography.
>>Such as a Latin square.
>
>Which is?
http://www.io.com/~ritter/GLOSSARY.HTM#LatinSquare
At least with a Latin square we can say we get a balanced (unbiased)
result from each mixing port, for any value on the other port, in a
guaranteed absolute sense which does not depend upon infinite
sequences.
>[...]
>What other way is there to decorrelate a bitstream in a useful manner
>other than to do it by some algorithmic procedure, either on a
>computer or in dedicated hardware?
I'm not sure we can define "decorrelate" as more than a handwave
absent some *specific* correlation. But any such process would seem
to be algorithmic, yes. Even the comparison of two pulse periods is
"algorithmic."
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
From: [EMAIL PROTECTED] (Mike Andrews)
Subject: Re: Cayley-Purser algorithm?
Date: 14 Jan 1999 21:50:50 GMT
Reply-To: [EMAIL PROTECTED]
Tim Smith ([EMAIL PROTECTED]) wrote in article
<77lla7$m13$[EMAIL PROTECTED]>:
: In article <77l3nr$55n$[EMAIL PROTECTED]>, <[EMAIL PROTECTED]> wrote:
: > William Whyte <[EMAIL PROTECTED]> wrote:
: >> modulo n, n the product of 2 primes (ie an RSA number). The
: >> security is therefore exactly the same as the security of an RSA key with
: >> the same modulus.
: >
: >This is "proof by assertion". The fact that the algorithm uses SL(2, Z/NZ)
: >where N = pq is not equivalent to proving that its security relies on
: >factoring N.
: When was it proved that the security of RSA depends on factoring? I thought
: that this was still conjecture? Has someone proved that breaking RSA requires
: factoring?
The way I remember reading it, the conjecture (and it was a conjecture)
was that breaking RSA was *_no_harder_* than factoring. The (unspoken)
assumption had to do with factoring being a "hard" problem.
If factoring isn't "hard", then there's a lot of traffic out there for
the taking. And, of course, it may be "hard, until you know the trick".
--
Mike Andrews | speaking for himself
[EMAIL PROTECTED] (when it works) | posting work-related
else [EMAIL PROTECTED] | during work hours
Currently doing time as datacenter director | IAW ODOT policy
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
