Cryptography-Digest Digest #730, Volume #10 Mon, 13 Dec 99 07:13:01 EST
Contents:
Re: Are thermal diodes as RNG's secure (Bill Unruh)
Re: Insecure PRNG? (Mok-Kong Shen)
Re: Insecure PRNG? (Mok-Kong Shen)
Re: Insecure PRNG? (CLSV)
SecurityPlus! (JPeschel)
Simple newbie crypto algorithmn (Steven Siew)
Re: Are thermal diodes as RNG's secure (Guy Macon)
Re: Insecure PRNG? (Guy Macon)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: Are thermal diodes as RNG's secure
Date: 13 Dec 1999 07:26:04 GMT
In <[EMAIL PROTECTED]> [EMAIL PROTECTED] (Lincoln Yeoh) writes:
]On 13 Dec 1999 01:34:18 GMT, [EMAIL PROTECTED] (Bill Unruh) wrote:
]>In <831142$s6l$[EMAIL PROTECTED]> [EMAIL PROTECTED] writes:
]>
]>>Is a termal diode being used as a RNG secure?
]>
]>If it is used properly. The big problem with hardware random number
]>generators is bias. You must cook theoutput to get rid of any effects of
]>the biases.
]How can we cook such output?
Eg, if you suspect that the output is not really random, but is
"partially" random, so that say a fraction f of the information really
is random,then you could feed say 128/f bits into a hash function like
MD5 and use the 128 bits of output. That output should be "fully"
random. There are whole theories as to how to distill the biases out of
partially random data.
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Insecure PRNG?
Date: Mon, 13 Dec 1999 10:40:50 +0100
Douglas A. Gwyn wrote:
>
> Mok-Kong Shen wrote:
> > Does encrypting 2 charaters out of 100
> > results in twice the strength of encrypting 1 character out of 100?
>
> Just because Guy Macon doesn't have a good measure of cryptographic
> strength doesn't mean anything one way or another for the general
> issue of whether such a measure is possible. It is obvious, however,
> that your question would not fit into the framework of any valid
> measure.
I have expressed my opinion that a rigorous measure is not possible
and offered arguments. The lines you quoted is only a side remark
intended merely to say that the issue is not so simple as Mr. Macon
apparently has thought.
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Insecure PRNG?
Date: Mon, 13 Dec 1999 10:40:55 +0100
Douglas A. Gwyn schrieb:
>
> Mok-Kong Shen wrote:
> > But what interests the user of encryption algorithms is the security
> > against all currently possible attacks. Since that 'context' is
> > difficult to deal with or ill-defined (since one is never sure to
> > know all these attacks) that's one reason why defining a standard
> > unit of strength of crypto algorithms is impossible in practice,
> > I believe.
>
> You're going about this the wrong way. You might as well say
> that, since it is impossible to know all the exact situations
> *any* real-world object will be subjected to, it is therefore
> impossible to say anything definite about the relative quality
> of different objects of the same kind. Yet in reality, we make
> such judgments all the time.
>
> What you're really lacking is a good theoretical basis for
> doing this for cryptosystems (or just for encryption algorithms);
> that doesn't mean that no good theory is possible, just that
> you're not (yet) aware of one.
Yes, in most situations of life one accepts, consciously or
unconsciously, compromises and doesn't demand 'exact solutions' even
in case these could be obtained (with sufficient expenditure). For
crypto applications the only thing special, in my view, is that there
may exist analysis methods that are kept secret from the public and
hence not available for evaluation independent of expenditure. Thus I
said previously that an examination of security needs in the end
one's own judgement and inevitably involves certain amout of
subjectivity. In other words, a rigorous, precise practical treatment
of the matter, which some crypto users seem nevertheless to desire
for fairly comprehensible psychological reasons, is not (or to be
correct, not yet) available.
M. K. Shen
------------------------------
From: CLSV <[EMAIL PROTECTED]>
Subject: Re: Insecure PRNG?
Date: Mon, 13 Dec 1999 10:22:39 +0000
Mok-Kong Shen wrote:
> Douglas A. Gwyn schrieb:
> > What you're really lacking is a good theoretical basis for
> > doing this for cryptosystems (or just for encryption algorithms);
> > that doesn't mean that no good theory is possible, just that
> > you're not (yet) aware of one.
Hmm, I find it hard to believe that the security of block ciphers
could ever be determined precisely. Provable security could
possible be found in public key system.
> Yes, in most situations of life one accepts, consciously or
> unconsciously, compromises and doesn't demand 'exact solutions' even
> in case these could be obtained (with sufficient expenditure).
> For crypto applications the only thing special, in my view, is that there
> may exist analysis methods that are kept secret from the public and
> hence not available for evaluation independent of expenditure.
It does not matter, technically, if there are analysis methods
that are kept secret from the public or that they just haven't been
invented yet. There is nothing special about it.
> Thus I said previously that an examination of security needs in the end
> one's own judgement and inevitably involves certain amout of
> subjectivity.
As do all practical problems.
> In other words, a rigorous, precise practical treatment
> of the matter, which some crypto users seem nevertheless to desire
> for fairly comprehensible psychological reasons, is not (or to be
> correct, not yet) available.
I think, correct me if I'm wrong, that you have trouble with the
fact that most people concern themselves with finding new
upperbounds for the effort to break a cipher rather than attacking
the interesting problem of finding proper lowerbounds.
Regards,
Coen Visser
------------------------------
From: [EMAIL PROTECTED] (JPeschel)
Subject: SecurityPlus!
Date: 13 Dec 1999 10:26:33 GMT
Part B of Casimir's essay, "The Cracking
of SecurityPlus!" is now up on my site.
Part C, source code and an executable
cracker, along with a few other treats,
is coming soon.
Joe
__________________________________________
Joe Peschel
D.O.E. SysWorks
http://members.aol.com/jpeschel/index.htm
__________________________________________
------------------------------
From: [EMAIL PROTECTED] (Steven Siew)
Subject: Simple newbie crypto algorithmn
Date: 13 Dec 1999 11:17:30 GMT
It's sad to know that nowadays a lot of people held the NSA in such high
regards as to wrongly believe that they have god like powers in cryptography
and cryptoanalysis.
It's not uncommon to hear things like "All codes that have been invented so
far (with the exception of one time pads) have been broken by the NSA." or
even "Today it is impossible for a newbie with basic C programming experience
to write a crypto program that cannot be cracked by the NSA."
Because a lot of people does not have cryptography experience, they have
regarded cryptography as a black art. They believe that only crypto wizards
are capable of coming up with wierd crypto algorithmns which no basic mortals
are capable of understanding without devoting years to the studying of the
black arts.
That of course is total bullshit. Anyone with basic C programming skills and
basic high school maths can write a crypto algo that the whole world cannot
crack in less than 1000 years.
So I set about proving the above statement. In short I want to write a
crypto program with the following chracteristics:
1. The program must be simple and easy to understand. Thus the public can
see easily the strengths of the encryption.
2. The program must be cryptographically powerful enough not to be cracked
even by using all the computers in the world in less than a 1000 years.
3. No special knowledge of arcane cryptography is required. No maths more
difficult than that encountered in high school is required.
I have provided the source code below. I will explain what is needed to
compile and use the program.
There are two programs. The encryption program is called scramble and the
decryption program is called unscramble.
The programs were developed on a GNU/LINUX red hat 6.1 OS running on a
pentium II computer. The program will worked on both big endian and little
endian machines without changes to the source code.
To compile the program:
gcc -o scramble scramble.c
gcc -o unscramble unscramble.c
To use the program:
scramble key < originaltext > encryptedtext
unscramble key < encryptedtext > decipheredtext
Where key is a regular file which contains the key to the encryption. For my
program it is any regular file which has 607 or more bytes. For cryptography
security please ensure that the key file contains pure random bytes.
To test that the program works, use:
diff originaltext decipheredtext
or
cat originaltext | scramble key | unscramble key | less
It you need to generate a random key but you dont have a source of pure
random bytes then you can use the following trick.
gzip -9 bigfile
scramble bigfile.gz < bigfile.gz > key9
scramble key9 < key9 > key8
scramble key8 < key8 > key7
scramble key7 < key7 > key6
scramble key6 < key6 > key5
scramble key5 < key5 > key4
scramble key4 < key4 > key3
scramble key3 < key3 > key2
scramble key2 < key2 > key1
tail -c 607 key1 > key
rm key1 key2 key3 key4 key5 key6 key7 key8 key9
gunzip bigfile.gz
It will create a 607 bytes key file which should be almost completely
random.
How the program works?
The program uses permutation or "card shuffling" type tricks to encrypt the
original text (plaintext). It also makes use of XOR to further confuse the
attacker.
The idea is simple. The fastest growing maths function in high school maths
is factorial. A simple example is this. The number of ways a race of 7
runners can finish is 7! or 7*6*5*4*3*2*1 ways. The number of ways a deck of
52 cards can be shuffled is 52! And it grows very very very fast. If we
encrypt a 64kb file, we can do it by shuffling 65536 * 8 = 524288 bits. The
number of permutation is of course 524288! which is a big number. To say
524288! is a big number is an understatement.
Here are the source code to the programs.
< BEGIN FILE : scramble.c >
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
/* FIBP FIBQ alternative values for FIBP & FIBQ
607 273
1279 418 This is used to set up the fibonaci
2281 1029 sequence random number generator.
4423 2098 It should have a period of around
9689 4187 2^(FIBP-1)
*/
#define SIZE 65536
#define FIBP 607
#define FIBQ 273
unsigned char substitution[256];
unsigned char sbox1[256];
unsigned char sbox2[256];
int main(int argc,char **argv)
{ int fileread,stdread;
unsigned int fibseq=FIBP - 1;
unsigned int i;
unsigned char mesg_offset=0;
unsigned char fib[FIBP+1];
unsigned char oldbitbuffer[SIZE*8];
unsigned char newbitbuffer[SIZE*8];
unsigned char stdinbuffer[SIZE];
unsigned int order[SIZE*8];
FILE *fp;
if (argc != 2)
{ printf("scramble keyfile\n");
exit(0);
}
if ( (fp=fopen(argv[1],"r"))==NULL)
{ printf("Unable to open file %s\n",argv[1]);
exit(1);
}
/* Initialise FIBADD */
if (fread(fib,1,FIBP,fp) != FIBP)
{ printf("The key must be at least %d bytes\n",FIBP);
exit(1);
}
/* initialise all buffers */
memset(stdinbuffer,0,SIZE);
memset(oldbitbuffer,0,SIZE*8);
memset(newbitbuffer,0,SIZE*8);
stdread=1;
while (stdread)
{
stdread=fread(stdinbuffer,1,SIZE,stdin);
/* initialise substitution boxes */
for(i=0;i<256;i++) sbox1[i]=sbox2[i]=substitution[i]=i;
{ unsigned char temp,n;
for(i=0;i<256;i++) /* initialise sbox1 */
{ fibseq= ++fibseq % (FIBP+1);
fib[fibseq]= fib[(fibseq+1)%(FIBP+1)]
+ fib[(fibseq+(FIBP-FIBQ+1))%(FIBP+1)];
n=fib[fibseq];
temp=sbox1[i];
sbox1[i]=sbox1[n];
sbox1[n]=temp;
}
}
{ unsigned char temp,n;
for(i=0;i<256;i++) /* initialise sbox2 */
{ fibseq= ++fibseq % (FIBP+1);
fib[fibseq]= fib[(fibseq+1)%(FIBP+1)]
+ fib[(fibseq+(FIBP-FIBQ+1))%(FIBP+1)];
n=fib[fibseq];
temp=sbox2[i];
sbox2[i]=sbox2[n];
sbox2[n]=temp;
}
}
{ unsigned char temp,n;
for(i=0;i<256;i++) /* initialise substitution */
{ fibseq= ++fibseq % (FIBP+1);
fib[fibseq]= fib[(fibseq+1)%(FIBP+1)]
+ fib[(fibseq+(FIBP-FIBQ+1))%(FIBP+1)];
n=fib[fibseq];
temp=substitution[i];
substitution[i]=substitution[n];
substitution[n]=temp;
}
}
/* precalculate bit shuffle order */
for(i=0;i<SIZE*8;i++) order[i]=i;
for(i=0;i<(stdread*8);i++)
{ unsigned int n,c,temp;
n=0;
for(c=0;c<4;c++)
{ fibseq= ++fibseq % (FIBP+1);
fib[fibseq]= fib[(fibseq+1)%(FIBP+1)]
+ fib[(fibseq+(FIBP-FIBQ+1))%(FIBP+1)];
n= (n << 8) | fib[fibseq];
}
n=n % (stdread * 8);
temp=order[i];
order[i]=order[n];
order[n]=temp;
}
/* Prescramble stdin with forward sbox1 scramble */
{ unsigned char last=0;
for(i=0;i<stdread;i++)
{ stdinbuffer[i]=sbox1[(stdinbuffer[i]+last)%256];
last=stdinbuffer[i];
}
}
/* Prescramble stdin with reverse sbox2 scramble */
{ int j;
unsigned char last=0;
for(j=stdread-1;j>=0;j--)
{ stdinbuffer[j]=sbox2[(stdinbuffer[j]+last)%256];
last=stdinbuffer[j];
}
}
/* convert bytes into bits, store in oldbitbuffer */
for(i=0;i<stdread;i++)
{ unsigned char b7,b6,b5,b4,b3,b2,b1,b0,offset;
fibseq= ++fibseq % (FIBP+1);
fib[fibseq]= fib[(fibseq+1)%(FIBP+1)]
+ fib[(fibseq+(FIBP-FIBQ+1))%(FIBP+1)];
offset=fib[fibseq];
fibseq= ++fibseq % (FIBP+1);
fib[fibseq]= fib[(fibseq+1)%(FIBP+1)]
+ fib[(fibseq+(FIBP-FIBQ+1))%(FIBP+1)];
stdinbuffer[i]= substitution[(stdinbuffer[i] + offset + mesg_offset)
% 256]
^ fib[fibseq];
mesg_offset=stdinbuffer[i];
b0=stdinbuffer[i]%2; stdinbuffer[i]=stdinbuffer[i]>>1;
b1=stdinbuffer[i]%2; stdinbuffer[i]=stdinbuffer[i]>>1;
b2=stdinbuffer[i]%2; stdinbuffer[i]=stdinbuffer[i]>>1;
b3=stdinbuffer[i]%2; stdinbuffer[i]=stdinbuffer[i]>>1;
b4=stdinbuffer[i]%2; stdinbuffer[i]=stdinbuffer[i]>>1;
b5=stdinbuffer[i]%2; stdinbuffer[i]=stdinbuffer[i]>>1;
b6=stdinbuffer[i]%2; stdinbuffer[i]=stdinbuffer[i]>>1;
b7=stdinbuffer[i]%2;
oldbitbuffer[i*8+0]=b7;
oldbitbuffer[i*8+1]=b6;
oldbitbuffer[i*8+2]=b5;
oldbitbuffer[i*8+3]=b4;
oldbitbuffer[i*8+4]=b3;
oldbitbuffer[i*8+5]=b2;
oldbitbuffer[i*8+6]=b1;
oldbitbuffer[i*8+7]=b0;
}
/* Scramble the bits */
for(i=0;i<(stdread*8);i++) newbitbuffer[i]=oldbitbuffer[order[i]];
/* convert bits into bytes */
for(i=0;i<stdread;i++)
{ unsigned char b7,b6,b5,b4,b3,b2,b1,b0;
b7=newbitbuffer[i*8+0];
b6=newbitbuffer[i*8+1];
b5=newbitbuffer[i*8+2];
b4=newbitbuffer[i*8+3];
b3=newbitbuffer[i*8+4];
b2=newbitbuffer[i*8+5];
b1=newbitbuffer[i*8+6];
b0=newbitbuffer[i*8+7];
stdinbuffer[i]= b7 << 7 |
b6 << 6 |
b5 << 5 |
b4 << 4 |
b3 << 3 |
b2 << 2 |
b1 << 1 |
b0 ;
}
fwrite(stdinbuffer,1,stdread,stdout);
}
fclose(stdin); fclose(stdout);
fclose(fp);
}
< END FILE : scramble.c >
< BEGIN FILE : unscramble.c >
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
/* FIBP FIBQ alternative values for FIBP & FIBQ
607 273
1279 418 This is used to set up the fibonaci
2281 1029 sequence random number generator.
4423 2098 It should have a period of around
9689 4187 2^(FIBP-1)
*/
#define SIZE 65536
#define FIBP 607
#define FIBQ 273
unsigned char substitution[256],oldsubstitution[256];
unsigned char sbox1[256],oldsbox1[256];
unsigned char sbox2[256],oldsbox2[256];
int main(int argc,char **argv)
{ int fileread,stdread;
unsigned int i;
unsigned int fibseq=FIBP - 1;
unsigned char mesg_offset=0;
unsigned char fib[FIBP+1];
unsigned char oldbitbuffer[SIZE*8];
unsigned char newbitbuffer[SIZE*8];
unsigned char stdinbuffer[SIZE];
unsigned int oldorder[SIZE*8],neworder[SIZE*8];
FILE *fp;
if (argc != 2)
{ printf("unscramble keyfile\n");
exit(0);
}
if ( (fp=fopen(argv[1],"r"))==NULL)
{ printf("Unable to open file %s\n",argv[1]);
exit(1);
}
/* Initialise FIBADD */
if (fread(fib,1,FIBP,fp) != FIBP)
{ printf("The key must be at least %d bytes\n",FIBP);
exit(1);
}
/* initialise all buffers */
memset(stdinbuffer,0,SIZE);
memset(oldbitbuffer,0,SIZE*8);
memset(newbitbuffer,0,SIZE*8);
stdread=1;
while (stdread)
{
stdread=fread(stdinbuffer,1,SIZE,stdin);
/* initialise substitution boxes */
for(i=0;i<256;i++) oldsbox1[i]=oldsbox2[i]=oldsubstitution[i]=i;
{ unsigned char temp,n; /* initialise sbox1 */
for(i=0;i<256;i++)
{ fibseq= ++fibseq % (FIBP+1);
fib[fibseq]= fib[(fibseq+1)%(FIBP+1)]
+ fib[(fibseq+(FIBP-FIBQ+1))%(FIBP+1)];
n=fib[fibseq];
temp=oldsbox1[i];
oldsbox1[i]=oldsbox1[n];
oldsbox1[n]=temp;
}
for(i=0;i<256;i++) sbox1[oldsbox1[i]]=i;
}
{ unsigned char temp,n; /* initialise sbox2 */
for(i=0;i<256;i++)
{ fibseq= ++fibseq % (FIBP+1);
fib[fibseq]= fib[(fibseq+1)%(FIBP+1)]
+ fib[(fibseq+(FIBP-FIBQ+1))%(FIBP+1)];
n=fib[fibseq];
temp=oldsbox2[i];
oldsbox2[i]=oldsbox2[n];
oldsbox2[n]=temp;
}
for(i=0;i<256;i++) sbox2[oldsbox2[i]]=i;
}
{ unsigned char temp,n; /* initialise substitution */
for(i=0;i<256;i++)
{ fibseq= ++fibseq % (FIBP+1);
fib[fibseq]= fib[(fibseq+1)%(FIBP+1)]
+ fib[(fibseq+(FIBP-FIBQ+1))%(FIBP+1)];
n=fib[fibseq];
temp=oldsubstitution[i];
oldsubstitution[i]=oldsubstitution[n];
oldsubstitution[n]=temp;
}
for(i=0;i<256;i++) substitution[oldsubstitution[i]]=i;
}
/* precalculate bit shuffle order */
for(i=0;i<SIZE*8;i++) oldorder[i]=i;
for(i=0;i<(stdread*8);i++)
{ unsigned int n,c,temp;
n=0;
for(c=0;c<4;c++)
{ fibseq= ++fibseq % (FIBP+1);
fib[fibseq]= fib[(fibseq+1)%(FIBP+1)]
+ fib[(fibseq+(FIBP-FIBQ+1))%(FIBP+1)];
n= (n << 8) | fib[fibseq];
}
n=n % (stdread * 8);
temp=oldorder[i];
oldorder[i]=oldorder[n];
oldorder[n]=temp;
}
for(i=0;i<(stdread*8);i++) neworder[oldorder[i]]=i;
/* convert bytes into bits, store in oldbitbuffer */
for(i=0;i<stdread;i++)
{ unsigned char b7,b6,b5,b4,b3,b2,b1,b0;
b0=stdinbuffer[i]%2; stdinbuffer[i]=stdinbuffer[i]>>1;
b1=stdinbuffer[i]%2; stdinbuffer[i]=stdinbuffer[i]>>1;
b2=stdinbuffer[i]%2; stdinbuffer[i]=stdinbuffer[i]>>1;
b3=stdinbuffer[i]%2; stdinbuffer[i]=stdinbuffer[i]>>1;
b4=stdinbuffer[i]%2; stdinbuffer[i]=stdinbuffer[i]>>1;
b5=stdinbuffer[i]%2; stdinbuffer[i]=stdinbuffer[i]>>1;
b6=stdinbuffer[i]%2; stdinbuffer[i]=stdinbuffer[i]>>1;
b7=stdinbuffer[i]%2;
oldbitbuffer[i*8+0]=b7;
oldbitbuffer[i*8+1]=b6;
oldbitbuffer[i*8+2]=b5;
oldbitbuffer[i*8+3]=b4;
oldbitbuffer[i*8+4]=b3;
oldbitbuffer[i*8+5]=b2;
oldbitbuffer[i*8+6]=b1;
oldbitbuffer[i*8+7]=b0;
}
/* Unscramble the bits */
for(i=0;i<(stdread*8);i++) newbitbuffer[i]=oldbitbuffer[neworder[i]];
/* convert bits into bytes */
for(i=0;i<stdread;i++)
{ unsigned char b7,b6,b5,b4,b3,b2,b1,b0,offset,nextaddoff;
b7=newbitbuffer[i*8+0];
b6=newbitbuffer[i*8+1];
b5=newbitbuffer[i*8+2];
b4=newbitbuffer[i*8+3];
b3=newbitbuffer[i*8+4];
b2=newbitbuffer[i*8+5];
b1=newbitbuffer[i*8+6];
b0=newbitbuffer[i*8+7];
stdinbuffer[i]= b7 << 7 |
b6 << 6 |
b5 << 5 |
b4 << 4 |
b3 << 3 |
b2 << 2 |
b1 << 1 |
b0 ;
fibseq= ++fibseq % (FIBP+1);
fib[fibseq]= fib[(fibseq+1)%(FIBP+1)]
+ fib[(fibseq+(FIBP-FIBQ+1))%(FIBP+1)];
offset=fib[fibseq];
fibseq= ++fibseq % (FIBP+1);
fib[fibseq]= fib[(fibseq+1)%(FIBP+1)]
+ fib[(fibseq+(FIBP-FIBQ+1))%(FIBP+1)];
nextaddoff=stdinbuffer[i];
stdinbuffer[i]= substitution[stdinbuffer[i] ^ fib[fibseq]]
+ 256 - offset + 256 - mesg_offset;
mesg_offset=nextaddoff;
}
/* Undo reverse prescramble */
{ unsigned char newlast,last=0;
int j;
for(j=stdread-1;j>=0;j--)
{ newlast=stdinbuffer[j];
stdinbuffer[j]= sbox2[stdinbuffer[j]] + 256 - last;
last=newlast;
}
}
/* Undo forward prescramble */
{ unsigned char newlast,last=0;
for(i=0;i<stdread;i++)
{ newlast=stdinbuffer[i];
stdinbuffer[i]= sbox1[stdinbuffer[i]] + 256 - last;
last=newlast;
}
}
fwrite(stdinbuffer,1,stdread,stdout);
}
fclose(stdin); fclose(stdout);
fclose(fp);
}
< END FILE : unscramble.c >
------------------------------
From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: Are thermal diodes as RNG's secure
Date: 13 Dec 1999 06:46:09 EST
In article <831phk$clg$[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Tom St Denis) wrote:
>A diode lets current pass thru a circuit [or line] in a certain
>direction only. They have a 'cutoff' voltage where it will not let
>current passing, acting as a open circuit [ if the voltage is below ].
>If the voltage is above it will let it pass, and if it's at the voltage
>they can behave randomly.
>
>If I interpred this properly a 'noisy' diode circuit is a diode which
>is fed 'just' enough voltage to maintain the noisy open/close state.
I guess you weren't paying attention when the following was posted
here seven years ago... ;)
(for reasons that I am too tired to explain right now, a 6.3 volt
Zener is a better choice than the 9.1 volt listed. Note that the
diode is conducting while the voltage is in what you thought was the
"blocking" direction.)
Newsgroups: sci.crypt
Subject: Simple hardware RNG
Message-ID: <[EMAIL PROTECTED]>
From: [EMAIL PROTECTED] (Peter Gutmann)
Date: Thu, 22 Oct 1992 07:07:17 GMT
Organization: Computer Science Dept. University of Auckland
Lines: 92
The following is a simple hardware noise generator which you can throw together
using junk box parts in about 10 minutes. It's based on thermal noise in a
zener diode, and is powered by its own supply to reduce the chance of noise
from the computers supply being coupled in.
There are three stages to the circuit:
1. The noise generator, a reverse-biased zener. The random motion of
electrons inside it causes random fluctuations in the voltage across it.
I had a BZX85 9V1 zener so I used that (or at least that's what I assume it
is - the lettering's worn off). You could probably use a special noise
diode if you can find one. A quick flip through about 2 feet of suppliers
catalogues hasn't turned up anything, and even then they're probably just
std. diodes which have passed some sort of noise certifying test.
2. An amplifier for the diode noise. The output from the zener is fairly low-
level, so I fed it through an op-amp. The diode noise is fed in through a
0.1uF capacitor to the 741, which is set up as a differential amplifier, ie
one which amplifies the difference in the signals at its two inputs.
3. A pulse shaper to get a nice square wave from the noise output of the 741,
fed in via another 0.1uF capacitor. You can use anything here, a schmitt
trigger or some sort of buffer - I ripped a 4049 out of a logic probe.
You can just use anything that can be wired up to buffer/clean up a signal.
Here's the circuit diagram ("schematic" to US people):
+9V
O-o----o-----------------------+
| | | Res.
| Res. | +-- 8.2M --+
| 100k | | | Schmitt trigger
| | Zener Cap. | Res. | |\ | or
Res. o--|BZY88<--o-- 0.1uF --)----- 10k --o--|- \ | Cap. Buffer
10k | 9V1 | | |Op- \--o-- 0.1uF ----|>----o-O
| Cap. Res. Pot. Res. |amp / |
| 0.1uF 68k 10k <-- 10k -----|+ / BZY88 5V1
0V | | | | |/ |
O-o----)-----------)-----------)-------------------------------------------o-O
| | | |
Res. | | | eg 741 eg 2 inverters
10k | | | from 4049
| | | |
O-o----o-----------o-----------+
-9V
The component values are very noncritical - I had a batch of 10k resistors left
over from an R-2R D/A converter (not that you can tell from looking at the
circuit :-), as well as a generic boxfull of 0.1uF decoupling capacitors. The
op-amp used was a 741, the buffer was two gates from a 4049 but you could wire
in just about anything.
If you were feeling really paranoid about noise from the computer PSU getting
into the circuit, you could feed the final signal through an optocoupler. I
just clipped it at 5V and fed it into the printer port "Ready" input. You
could probably get away with the 9V driving one of the serial port handshaking
signals if you don't have a printer port.
Ideally the generator should be powered by two 9V batteries. I never have any
that aren't flat so I used a conventional mains power supply.
The only thing which needs adjusting is the duty cycle, which can be changed by
varying the 10k pot. If you've got one, you can hook an oscilloscope to the
output of the op-amp and check for a 50/50 duty cycle. However a much more
precise measurement can be made by hooking the thing to your computer and
timing the duty cycle. The control afforded by the pot is a bit rough, it may
be better to substitute a multiturn one for better control. However the final
product will still drift a bit with temperature. It's probably easier to
compensate in software for any bias or drift in the signal. Alternatively you
could take advantage of the fact that buffers come six to a chip (4050) and use
an LM348 (quad 741) to get 4 bits at a time, with one bit in each pair set up
to cancel the bias on the second bit. If you were feeling really ambitious you
could get an octal buffer and two 348's and generate a byte at a time.
As to the performance of the circuit, for it's simplicity it performs amazingly
well. It may not use a NIST-certified noise generator, but it is a reasonably
good random noise generator, provided it's driven off it's own power supply,
has compensation for bias in the duty cycle, and possibly an optocoupler in the
output.
If anyone has any comments or improvements I'd be interested in hearing from
them. I'm also interested in any construction hints people have, or comments
on important details I've neglected to mention, or alternative components which
can be used - I've assumed some knowledge of electronics for this, I wasn't
quite sure what level to pitch it at. Finally, if anyone builds one of the
more ambitious setups (4 or 8 bits at a time) I'd be interested in what sort of
results they give.
Peter.
--
[EMAIL PROTECTED] || [EMAIL PROTECTED] || [EMAIL PROTECTED]
(In order of preference)
------------------------------
From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: Insecure PRNG?
Date: 13 Dec 1999 06:50:00 EST
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Mok-Kong Shen)
wrote:
>
>What I meant is a universally applicable standard measure (like 1
>metre) with which you can compare all algorithms. But even your
>example is problematical. Does encrypting 2 charaters out of 100
>results in twice the strength of encrypting 1 character out of 100?
>
Ah! I understand. I don't think that such a scale can be made
unless you know that you have the optimum method for decrypting
both messages.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
