Cryptography-Digest Digest #980, Volume #10      Wed, 26 Jan 00 13:13:01 EST

Contents:
  Looking for ISAAC ("Jos� A. par�s")
  Re: MIRDEK: more fun with playing cards. (Paul Crowley)
  english word list (Keith A Monahan)
  Re: A Format for Cipher Challenges ("Tim Wood")
  Re: ECM Factoring and RSA Speed Ups (Tom St Denis)
  Re: Strong stream ciphers besides RC4? (Tom St Denis)
  Re: RSA survey (Tom St Denis)
  Re: code still unbroken (Tom St Denis)
  Re: Newbie to PGP: RSA vs DH/DSS (Doug Stell)
  Re: Looking for ISAAC (John Myre)
  Re: How much does it cost to share knowledge? (Keith A Monahan)
  Re: Newbie to PGP: RSA vs DH/DSS ("Roger Schlafly")
  Re: RSA v. Pohlig-Hellman ("Roger Schlafly")
  3rd AES NIST conference (Keith A Monahan)
  Re: Strong stream ciphers besides RC4? (Terry Ritter)
  Re: Intel 810 chipset Random Number Generator (Scott Nelson)
  Pencil & paper cipher question (Neil Bell)
  Re: english word list (JPeschel)
  Re: Intel 810 chipset Random Number Generator (Scott Nelson)
  Re: Why did SkipJack fail? (David Wagner)
  Re: Intel 810 chipset Random Number Generator (Terry Ritter)
  Re: How much does it cost to share knowledge? (JPeschel)

----------------------------------------------------------------------------

From: "Jos� A. par�s" <[EMAIL PROTECTED]>
Subject: Looking for ISAAC
Date: Wed, 26 Jan 2000 13:04:43 +0100

some months ago, perhaps even two years or so, I found a web page about
ciphering where its author described a ciphering method he called ISAAC,
along with some others less powerful with names such as IBBA, etc.
As I lost the reference to that pages and I cannot find it with any search
engine, I wonder if any of you know something about that subject and could
possibly drop me a line with the information I am looking for or some other
clue.

Thanks




------------------------------

From: Paul Crowley <[EMAIL PROTECTED]>
Subject: Re: MIRDEK: more fun with playing cards.
Date: 26 Jan 2000 07:56:34 -0000

Johnny Bravo <[EMAIL PROTECTED]> writes:
>   It wouldn't be hard to arrange to get the words for the passphrase from
> a shared source, like a national newspaper.  While your opponents will
> also have the paper, it is like the diceware list.  Having all the words
> isn't much of a help in picking which words to use.

No, the entropy is much smaller.
-- 
  __
\/ o\ [EMAIL PROTECTED]     Got a Linux strategy? \ /
/\__/ Paul Crowley  http://www.hedonism.demon.co.uk/paul/ /~\

------------------------------

From: [EMAIL PROTECTED] (Keith A Monahan)
Subject: english word list
Date: 26 Jan 2000 14:20:11 GMT

If someone would be so kind as to post a link or two of where I can find
LARGE english language word lists, it would be appreciated.

I probably have a few someplace, and I KNOW I have links within my
bookmarks, but trying to find them when you need them is always
impossible.

Thanks in advance,

Keith


------------------------------

From: "Tim Wood" <[EMAIL PROTECTED]>
Subject: Re: A Format for Cipher Challenges
Date: Wed, 26 Jan 2000 14:45:43 -0000
Reply-To: "Tim Wood" <[EMAIL PROTECTED]>

Long enough ;-)

tim

<[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> How long should those messages be?
>
> Joseph Poe?




------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: ECM Factoring and RSA Speed Ups
Date: Wed, 26 Jan 2000 14:36:43 GMT

In article <86m8hb$ogl$[EMAIL PROTECTED]>,
  David A Molnar <[EMAIL PROTECTED]> wrote:
> DISCUSSION :
>
> Let's call that product of n_i's big N.
>
> The theorem tells us there is one number mod N which solves the system of
> equations. That is, this solution (call it S) taken mod n_1 equals a_1,
> taken mod n_2 equals a_2, and so on.
>
> The insight is that normally for RSA we compute m^e mod N , where N is
> the product of some distinct prime numbers (I will write a little about
> what happens if they aren't distinct in a bit). Because the factors of
> N are prime and distinct, they are relatively prime to each other.
> So this N can be expressed as a product of "pairwise relatively prime
> n_i's" and thus it fits the requirements of the theorem!
>
> So normally we compute m^e mod N. The theorem says that once we have
> m^e, we could "break it up" to find its "representative" modulo each of
> the factors of N. That is, we could find out what m^e mod n_1 is,
> what m^e mod n_2 is, and so on. So far this is nothing new or interesting.
>
> The thing is, we can also go "the other way." The theorem tells us that it
> is possible to do the following :
>
> 1. Compute m^e mod n_1, m^e mod n_2 , ... m^e mod n_k separately.
>    Each of these takes O(n_i^3) operations.
>
>    In the theorem, each of these values corresponds to the a_i's on the
>    right hand side of the === sign.
>
> 2. Combine all these values together to get one single value S mod N,
>    which will _also_ be m^3 mod N !
>
> To see this, imagine that you set up the congruences
>
>       m === a_i mod n_i
>
> and now you cube both sides. You now have
>
>       m^3 === a_i^3 mod n_i
>
> so we see that this "breaking apart" doesn't mess with our
exponentiation.
>
> So far we only have a statement of existence. This would be useless
> without a fast way of finding that single value S. Note that we have
> to be able to find S faster than just doing an exponentiation mod N.
>
> Fortunately, the Handbook also gives Gauss's algorithm for finding
> the value of S.  It's on the bottom of p.68 again. Reproduced here,
> it tells us :
>
> GAUSS'S ALGORITHM
>       The solution S described above can be computed as
>                k
>       S = Sum     a_i P_i M_i  mod N
>              i=1
>
> where  P_i =  N/n_i  (where n_i is a factor of big N)
>
> and M_i = P_i^{-1} mod n_i .
>
> --------------------------
> DISCUSSION
>
> To make this concrete, let's say we have an RSA modulus N = pqr ,
> p q and r all prime. Now say we have m^e.
>
> a_1 = m^e mod p
> a_2 = m^e mod q
> a_3 = m^e mod r
>
> Now we combine them together by Gauss's algorithm :
>
> S = a_1 * qr * [ (qr)^-1 mod p ]  all taken mod n
>   + a_2 * pr * [ (pr)^-1 mod q ]  all taken mod n
>   + a_3 * pq * [ (pq)^-1 mod r ]  all taken mod n
>
> and if everything goes well, this S is the value of m^e we wanted.
> The m^d case is similar. So you have now computed the RSA encryption
> of a message using 3 small exponentiations instead of 1 big one.
>
> Note that you can precompute all of the N_i and M_i terms. If you
> do that, then this is just 3 mults and 3 additions. Which is not
> much overhead. If you work out the percentages in terms of bit operations,
> I think you'll see there's an appreciable speed improvement over
> just doing the single exponentiation.
>
> I think I got 37% last time I went through this, but it's been a while and
> I don't remember what assumptions I made.
>
> You do need to know the factorization of n in order to do this, it seems.
> Whether or not that's important depends on your application. I suppose
> this makes most sense if you have a low e and a high d, because then
> you can make back the ground lost in buying a faster encryption.
>
> Does this make it any more clear? (Did I screw up anywhere?)
>
> Thanks,
> -David

Well it's not encryption that I am worried about it's decryption.

So you first break the exponent up?

d1 = d mod (p-1)
d2 = d mod (q-1)

Then you break up the message 'C = ciphertext = M^e mod pq'

m1 = C mod q
m2 = C mod p

It's the last step I don't get.  I thought it would be something like

M = (m1^d1)(m2^d2) mod pq

Tom

[btw thanks for helping]


Sent via Deja.com http://www.deja.com/
Before you buy.
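The combination step Tom asks about, worked through as an added example that is not code from the digest or from any of its authors. It uses constructed textbook-size parameters p = 61, q = 53, e = 17 and the message m = 65 (far too small for real use, chosen only so the arithmetic can be checked by hand), splits the private exponent exactly as Tom writes, and recombines the two half-size results with Gauss's formula from the quoted post; Garner's equivalent form, which needs one fewer full-width multiplication, is shown beside it. Both are checked against the single exponentiation c^d mod N.

```python
# Added example, not from the digest: RSA-CRT decryption.
# Constructed textbook parameters; real keys are thousands of bits.
P, Q, E = 61, 53, 17
N = P * Q
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)            # private exponent; 2753 for these parameters


def crt_precompute(p, q, d):
    """Everything that depends only on the private key, computed once."""
    return {
        "d_p": d % (p - 1),        # exponent reduced mod (p-1), valid by Fermat
        "d_q": d % (q - 1),
        "q_inv_p": pow(q, -1, p),  # M_1 = P_1^{-1} mod n_1, with P_1 = N/p = q
        "p_inv_q": pow(p, -1, q),  # M_2 = P_2^{-1} mod n_2, with P_2 = N/q = p
    }


def decrypt_gauss(c, p, q, pre):
    """Gauss's formula from the quoted post: S = sum a_i * P_i * M_i mod N."""
    n = p * q
    a_p = pow(c % p, pre["d_p"], p)   # c^d mod p via the small exponent
    a_q = pow(c % q, pre["d_q"], q)   # c^d mod q likewise
    s = a_p * q * pre["q_inv_p"] + a_q * p * pre["p_inv_q"]
    return s % n


def decrypt_garner(c, p, q, pre):
    """Garner's form of the same recombination: one modular multiply mod p,
    then a single full-width multiply-add, no reduction mod N needed."""
    a_p = pow(c % p, pre["d_p"], p)
    a_q = pow(c % q, pre["d_q"], q)
    h = (pre["q_inv_p"] * (a_p - a_q)) % p
    return a_q + h * q


def encrypt(m, e=E, n=N):
    """Plain RSA encryption, the single big exponentiation."""
    return pow(m, e, n)


def decrypt_plain(c, d=D, n=N):
    """Reference decryption without CRT, for comparison."""
    return pow(c, d, n)


if __name__ == "__main__":
    pre = crt_precompute(P, Q, D)
    c = encrypt(65)
    print("c =", c)
    print("gauss  :", decrypt_gauss(c, P, Q, pre))
    print("garner :", decrypt_garner(c, P, Q, pre))
    print("plain  :", decrypt_plain(c))
```

The two half-size exponentiations are each roughly an eighth of the cost of the full one, which is where the speed-up comes from; the price is that the private key must carry p and q (and the precomputed values) rather than just d.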

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Strong stream ciphers besides RC4?
Date: Wed, 26 Jan 2000 14:47:47 GMT

In article <[EMAIL PROTECTED]>,
  Albert Yang <[EMAIL PROTECTED]> wrote:
> I'm looking for a strong stream cipher that isn't copyrighted.  I seem
> to see a large choice of block ciphers, but very few stream ciphers...
>
> Albert
>

You can use Algorithm M, if you have appropriate underlying RNG's.

You could construct a stream cipher in 10 minutes using two Lagged
Fibonacci generators [lag >= 50 at least].  The only issue left is the
key schedule.  The state size is normally large (i.e. around 1000
bytes) so you have to expand a smaller key.  You could use another LFSR
or Generator :)

I would suggest if you used this system to dump the first outputs...

Also with this construction you can output 32 bits, 16 bits .. .etc
whatever your wordsize is on the computer.  It's very versatile.

Tom


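The construction Tom sketches, as an added illustration that is not code from the digest or from any of its authors: two additive lagged Fibonacci generators (lags 55 and 24, satisfying his "lag >= 50") feed MacLaren-Marsaglia's Algorithm M, a SHA-256 counter-mode expansion (this example's own choice; the thread leaves the key schedule open) stretches a short key into the large state, and the first outputs are discarded as Tom suggests. Terry Ritter's reply later in this digest cites Retter's published cryptanalysis of MacLaren-Marsaglia systems, so the block shows what the construction is, not a cipher to deploy.

```python
# Added illustration of the Algorithm M / lagged Fibonacci construction
# discussed in the thread.  Educational only: the combiner is the
# MacLaren-Marsaglia scheme whose cryptanalysis Ritter cites below.
import hashlib

MASK32 = 0xFFFFFFFF
R, S = 55, 24          # lags: x_n = x_{n-55} + x_{n-24} mod 2^32
K_TABLE = 64           # size of Algorithm M's shuffle table V


def expand_key(key: bytes, nwords: int):
    """Key schedule (this example's choice): SHA-256 in counter mode turns a
    short key into the ~440 bytes of state two 55-word generators need."""
    words = []
    ctr = 0
    while len(words) < nwords:
        block = hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        words.extend(int.from_bytes(block[i:i + 4], "big") for i in range(0, 32, 4))
        ctr += 1
    return words[:nwords]


class LaggedFibonacci:
    """Additive lagged Fibonacci generator over a circular buffer of R words."""

    def __init__(self, seed_words):
        assert len(seed_words) == R
        self.state = list(seed_words)
        self.state[0] |= 1       # at least one odd word avoids a short cycle
        self.j = 0               # index of x_{n-R}, the oldest word

    def next(self):
        j = self.j
        v = (self.state[j] + self.state[(j + R - S) % R]) & MASK32
        self.state[j] = v        # the new word overwrites the oldest one
        self.j = (j + 1) % R
        return v


class AlgorithmM:
    """MacLaren-Marsaglia combiner (Knuth TAOCP vol. 2, 3.2.2): generator Y
    picks a slot of table V, the slot's old value is output, X refills it."""

    def __init__(self, key: bytes, discard=1024):
        words = expand_key(key, 2 * R)
        self.x = LaggedFibonacci(words[:R])
        self.y = LaggedFibonacci(words[R:])
        self.v = [self.x.next() for _ in range(K_TABLE)]
        for _ in range(discard):  # Tom's advice: dump the first outputs
            self.next_word()

    def next_word(self):
        idx = (self.y.next() * K_TABLE) >> 32   # floor(K * y / 2^32)
        out = self.v[idx]
        self.v[idx] = self.x.next()
        return out

    def keystream(self, nbytes: int) -> bytes:
        """Output words of whatever width you like; 32 bits here."""
        out = bytearray()
        while len(out) < nbytes:
            out += self.next_word().to_bytes(4, "big")
        return bytes(out[:nbytes])


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR with the keystream."""
    ks = AlgorithmM(key).keystream(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


if __name__ == "__main__":
    key = b"constructed-key-1"           # constructed sample key
    msg = b"constructed sample plaintext"
    ct = xor_stream(key, msg)
    print(ct.hex())
    print(xor_stream(key, ct))
```

Note what the shuffle table does and does not buy: each output word is one of X's words delayed by a data-dependent amount, so the internal state is hidden only to the extent that the delay pattern is; the Retter papers Ritter cites recover it.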

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: RSA survey
Date: Wed, 26 Jan 2000 14:54:46 GMT

In article <[EMAIL PROTECTED]>,
  Jimmy Doughan <[EMAIL PROTECTED]> wrote:
> Many of us use crypto tokens which don't even use the CPU.  US Govt agencies are
> asking for 4096.

Then they are just as ignorant as the newbie users who think those keys
are actually needed.

Your computer will spontaneously sing showtunes when you are blue
before keys above 1024 bits are required...

Tom



------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: code still unbroken
Date: Wed, 26 Jan 2000 14:51:58 GMT

In article <388e30d8$0$[EMAIL PROTECTED]>,
  "Chuck Davis" <[EMAIL PROTECTED]> wrote:
> No spam, no gimmicks, no nothing . . . just an honest challenge at
> www.discovervancouver.com. It's a code, and whoever breaks it wins money.
> It's nearly $3,000. No commercial tie-ins, honest! The prize goes up one
> cent a minute.
>
> Chuck Davis

maybesomeoneshouldreadthefaqbeforepostingnonsensethatnobodyintheirrightm
indwouldreadanyways.readthefaqplease.trytopostsomethingevenremotelyscien
tificnexttime,haveanicedayandcomeagain.

Tom



------------------------------

From: [EMAIL PROTECTED] (Doug Stell)
Subject: Re: Newbie to PGP: RSA vs DH/DSS
Date: Wed, 26 Jan 2000 15:24:50 GMT


>I've noticed that the Freeware PGP I downloaded and began using
>yesterday (v6.5.2, from Network Associates) allow me to create and
>use RSA and DH/DSS key sets.  I've also noticed that at least one
>person in this newsgroup had a line in his/her signature stating they
>would only accept RSA.  Why is this?  Is one superior to the other?
>I have a key set from each method, but which should I use by default
>for the best security?  My apologies if this isn't the right group to
>be asking....

As far as the open world knows, the algorithms have about the same
security for the same key lengths. However, there are some differences
that may motivate someone to have a preference.

RSA key lengths are unbounded, which may be the reason for choosing
it. The public key can be bound to the recipient, so that the sender
has some level of assurance about who can read the message. When using
RSA, the sender chooses the symmetric key.

DH key lengths are also unbounded. When using ephemeral DH, both
parties contribute to the symmetric key. However, an ephemeral key
can't be bound to an individual. A fixed key is a bad idea. Therefore,
DH alone probably isn't a good choice for confidentiality with
authentication. (More below.)

DSS is a signature algorithm and the key size is bounded by the
standard, although the math works for longer keys. P is limited to 1024
bits and Q is limited to 160 bits. DSS is a signature/authentication
algorithm, which doesn't make it useful for confidentiality.

DH/DSS combined is a good choice in which both algorithms do what they
do best. However, the key-length limits may steer someone away from
it.

My personal choice would be something like MQV or KEA. KEA is a dual
DH, offering both random contribution to the symmetric key by both
parties and authentication. Although its spec suggests using the
size-limited DSS keys, the math works with longer keys. Remember that
KEA was classified as the Type 2 algorithm of choice, until 18 months
ago, which speaks well for it.

RSA, while a good choice, would not be on my list. It is rumored that
the US Gov't doesn't use RSA (not for patent-related reasons), which
gives me an uncomfortable clue.


------------------------------

From: John Myre <[EMAIL PROTECTED]>
Subject: Re: Looking for ISAAC
Date: Wed, 26 Jan 2000 08:24:59 -0700


How about:

http://burtleburtle.net/bob/rand/isaac.html

John M.

------------------------------

From: [EMAIL PROTECTED] (Keith A Monahan)
Subject: Re: How much does it cost to share knowledge?
Date: 26 Jan 2000 15:50:04 GMT

Hey Tom,

$300 (or $485 regular) is really a somewhat fair and reasonable price.
I typically attend other technical conferences for work and they are
somewhere in the $1500-$2000 range.  Remember, this is New York City so
everything is higher and the New York Hilton is one of the better
hotels in the area.

I'm not trying to justify their prices but I'll bet you they aren't
making as much off it as you think.

Besides, with this being a 'niche' type conference, there won't be as
many reservations as there would be at say, a $50 computer show.

With all this being said, I'm hoping my company is going to send me
up there for a few days -- and they will be the ones paying for it.
When I told my boss, $485, his response was, "Is that it? Hell, expenses
will be more than that."  Usually, it's the other way around -- or closer
anyways.

Keith

Tom St Denis ([EMAIL PROTECTED]) wrote:
: I just got a reservation card from NIST today.  300 bucks for student
: reservation?  What the f'!@#% for?  I will most likely just sit there
: and take notes/etc...

: I think they are being a bit arrogant there.

: For some of you 300 bucks [US nonetheless] may seem perfectly fine,
: but for a student [and a Canadian at that] it's completely insane.
: That's like 450 or so CDN.

: So if anyone related to nist is reading I have a message for you "Get
: real!"

: Sorry but had to be said.

: Tom



------------------------------

From: "Roger Schlafly" <[EMAIL PROTECTED]>
Subject: Re: Newbie to PGP: RSA vs DH/DSS
Date: Wed, 26 Jan 2000 06:57:42 -0800

Danny Johnson <[email protected]> wrote in message
news:86lfv3$qm0$[EMAIL PROTECTED]...
> I've noticed that the Freeware PGP I downloaded and began using
> yesterday (v6.5.2, from Network Associates) allow me to create and
> use RSA and DH/DSS key sets.  I've also noticed that at least one
> person in this newsgroup had a line in his/her signature stating they
> would only accept RSA.  Why is this?  Is one superior to the other?
> I have a key set from each method, but which should I use by default
> for the best security?  My apologies if this isn't the right group to
> be asking....

Some people have versions of PGP that only accept one key type
(RSA or DH/DSS). Both are considered secure if the key size is
large enough. The record breaks are 512 bits for RSA and 283 bits
for DH/DSS, so you will probably want larger keys. Preference
is largely a matter of taste.




------------------------------

From: "Roger Schlafly" <[EMAIL PROTECTED]>
Subject: Re: RSA v. Pohlig-Hellman
Date: Wed, 26 Jan 2000 07:20:56 -0800

Greg <[EMAIL PROTECTED]> wrote in message
news:86lbo7$612$[EMAIL PROTECTED]...
> I was reading through one of counterpane's web pages on the RSA
> patent.  And it said basically that the Pohlig-Hellman is one
> good prior art to challenge the RSA patent with.

There is some dispute about this. There was going to be a
court case on this, but the challenger was paid to destroy
the evidence.

> Then I thought about the quote they used from Dr Rivest:
>
>     "To gain additional protection against sophisticated
>      factoring algorithms, both (p-1) and (q-1) should
>      contain large prime factors and gcd(p-1,q-1) should
>      be small."

This advice is now considered snake oil. There was a
reason for it at the time he wrote that, but that reason
no longer exists. Nevertheless, the advice lives on in
certain standards.




------------------------------

From: [EMAIL PROTECTED] (Keith A Monahan)
Subject: 3rd AES NIST conference
Date: 26 Jan 2000 16:06:56 GMT

Anyone planning on attending?  I'm hoping I can make it.  I'll bet
most of it is going to be over my head, but I'm going to try and
grasp what I can.

Keith


------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Strong stream ciphers besides RC4?
Date: Wed, 26 Jan 2000 16:42:42 GMT


On Wed, 26 Jan 2000 14:47:47 GMT, in <86n1eh$bki$[EMAIL PROTECTED]>, in
sci.crypt Tom St Denis <[EMAIL PROTECTED]> wrote:

>[...]
>You can use Algorithm M, if you have appropriate underlying RNG's.

We have been over this several times.  Previously, for example:  


>>On Thu, 08 Jul 1999 02:39:42 GMT, in <7m131d$uti$[EMAIL PROTECTED]>, 
>>in sci.crypt [EMAIL PROTECTED] wrote:

>>>[...]
>>>The goal is to use the RNG and not reveal the current internal state.
>>>Algorithm M is a good example of this (Also in AC just after
>>>LFSRs...).  

>>Hmmm....

>>1.  Retter, C.  1984.  Cryptanalysis of a MacLaren-Marsaglia System.  
>>Cryptologia.  8(2): 97-108.  

>>2.  Retter, C.  1985.  A Key-Search Attack on MacLaren-Marsaglia 
>>Systems.  Cryptologia.  9(2): 114-130.

>>3.  Letters to the Editor.  1984.  Cryptologia.  8(4): 374-378.  


You can wish and hope all you want, but Algorithm M is still not
secure.  Sorry.

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM


------------------------------

From: [EMAIL PROTECTED] (Scott Nelson)
Crossposted-To: sci.physics
Subject: Re: Intel 810 chipset Random Number Generator
Reply-To: [EMAIL PROTECTED]
Date: Wed, 26 Jan 2000 17:05:49 GMT

On Wed, 26 Jan 2000 05:55:08 GMT, [EMAIL PROTECTED] (Terry Ritter) wrote:
>
>On 26 Jan 2000 03:38:26 GMT, in <86lq7i$lr2$[EMAIL PROTECTED]>, in
>sci.crypt [EMAIL PROTECTED] (Michael Kagalenko) wrote:
>
>>[...]
>> It produces clock drift, which can be measured to produce numbers as random
>> as the thermal noise from a resistor.
>
>No.  Quartz crystal oscillator noise produces phase *jitter*, which is
>*not* "drift."  Jitter is a cycle-by-cycle period variation.  Now, the
>jitter itself *could* be detected and used as randomness, because it
>is the direct result of noise.  But that would require the ability to
>detect picosecond differences on a cycle-by-cycle basis at the
>oscillator frequency, e.g., 20 MHz, which would not be trivial.  
>

It's not necessary to detect every difference, 
so it doesn't have to be a cycle by cycle basis.  
If you're taking samples every microsecond,
then the probability of a pico-second
variance falling on the boundary of a measurement is 
approximately 1pSec / 1 uSec or 1 in a million.
In other words, if crystals have a 1 pico-second variance,
and you can sample every micro-second, then every million
samples has approximately 1 bit of useful entropy,
or about 1 bit per second.

Non trivial in the "amount of time needed" sense, 
but it is trivial in the "amount of hardware needed" sense.

Scott Nelson <[EMAIL PROTECTED]>

------------------------------

From: Neil Bell <[EMAIL PROTECTED]>
Subject: Pencil & paper cipher question
Date: Wed, 26 Jan 2000 09:08:16 -0800

If one has a need for a reasonably secure pencil and paper cipher
that:

1.  Cannot risk one time pad discovery
2.  Cannot use mechanical aids
3.  Prefers not to have to construct LENGTHY polyalphabetic tables
4.  Knows transposition, playfair, 6x6 squares yielding digraphs, etc
5.  Sends messages weekly, about 400 characters
6.  Can share short phrases, sentences or commonly known text

What combinations or multiple applications of these cipher techniques
would yield reasonable results?

Newbie

------------------------------

From: [EMAIL PROTECTED] (JPeschel)
Subject: Re: english word list
Date: 26 Jan 2000 17:31:58 GMT

[EMAIL PROTECTED]  (Keith A Monahan) writes:

>If someone would be so kind as to post a link or two of where I can find
>LARGE english language word lists, it would be appreciated.

Try AccessData's site:
http://www.accessdata.com

http://www.accessdata.com/webster.zip

Good luck recovering your password!

Joe
__________________________________________

Joe Peschel 
D.O.E. SysWorks                                 
http://members.aol.com/jpeschel/index.htm
__________________________________________


------------------------------

From: [EMAIL PROTECTED] (Scott Nelson)
Crossposted-To: sci.physics
Subject: Re: Intel 810 chipset Random Number Generator
Reply-To: [EMAIL PROTECTED]
Date: Wed, 26 Jan 2000 17:34:20 GMT

On 26 Jan 2000 [EMAIL PROTECTED] (Michael Kagalenko) wrote:

>Terry Ritter ([EMAIL PROTECTED]) wrote 
>]
>]Again, I missed the previous message...
>]On 25 Jan 2000 09:19:50 -0500, in <86kbe6$[EMAIL PROTECTED]>,
>]in sci.crypt [EMAIL PROTECTED] (Herman Rubin) wrote: 
>]
>]>In article <86gd0n$qmf$[EMAIL PROTECTED]>,
>]>Michael Kagalenko <[EMAIL PROTECTED]> wrote: 
>]
>]>>[...]
>]>> What I am pointing out that to the extent
>]>> that quartz crystal, any quartz crystal, dissipates mechanical energy,
>]>> it will produce thermally random noise, according to the fluctuation-dissipation theorem.
>]
>]And this random noise produces "jitter" which is normally-distributed,
>]tiny, bipolar, and independent on a cycle-by-cycle basis.  This
>]affects the "bandwidth" of the signal, not frequency measurements
>]which cover many cycles of operation.  
>
> As I pointed out before, you need some remedial reading on the
> statistical physics. Try Feynman's lectures about mathematics
> of Brownian walk. Maybe you'll understand that what you
> write is incorrect.
>

Thanks for the pointer.  I read the whole thing from
cover to cover, and I still think you're wrong and
Terry is right.  I suggest you read the Encyclopedia
Britannica.  Please don't post again until you have a 
full and complete understanding of everything in it.

I think everyone agrees there is noise in the system, 
the question is how much noise, and how measurable
is the noise.

Scott Nelson <[EMAIL PROTECTED]>

------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Why did SkipJack fail?
Date: 26 Jan 2000 09:33:13 -0800

In article <[EMAIL PROTECTED]>,
Jerry Coffin  <[EMAIL PROTECTED]> wrote:
> Deep Crack was built in 0.8 micron chips running at 50 MHz.  Today, 
> simply due to improvements in chip technology, it would be quite 
> reasonable to build a similar design in .18 micron technology, which 
> would run at around 500 MHz.  The move from .8 to .18 micron allows 
> you to put around 20 times as many encryption engines in the same die 
> area.  The move from 50 to 500 MHz is another factor of 10.  That 
> means the same number of chips would build a machine roughly 200 times 
> as fast today as it did then.

This is surprising.
At the time Deep Crack was built, the designers deliberately
used "sub-optimal" (slightly older) chip technology, because
they were cheaper.  Sure, they ran 2x slower, but if you can
buy 4x more of them, it's a net win.  (I'm making the numbers
up, obviously.)
Did you remember to take this factor into account?

(BTW, I agree it's irrelevant for the present argument, and
for the sake of discussion of Skipjack, I'll gladly accept your
estimates -- I just figured I'd point it out.)

> Doing some figuring, that seems to come to around $200 million US to 
> break SkipJack at a rate of one key per year -- an amount of money 
> that quite a few large companies or most government agencies could 
> afford fairly easily.

Interesting.  These are the kind of numbers of interest.

------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Crossposted-To: sci.physics
Subject: Re: Intel 810 chipset Random Number Generator
Date: Wed, 26 Jan 2000 17:44:53 GMT


On Wed, 26 Jan 2000 17:05:49 GMT, in
<[EMAIL PROTECTED]>, in sci.crypt [EMAIL PROTECTED]
(Scott Nelson) wrote:

>On Wed, 26 Jan 2000 05:55:08 GMT, [EMAIL PROTECTED] (Terry Ritter) wrote:
>>
>>On 26 Jan 2000 03:38:26 GMT, in <86lq7i$lr2$[EMAIL PROTECTED]>, in
>>sci.crypt [EMAIL PROTECTED] (Michael Kagalenko) wrote:
>>
>>>[...]
>>> It produces clock drift, which can be measured to produce numbers as random
>>> as the thermal noise from a resistor.
>>
>>No.  Quartz crystal oscillator noise produces phase *jitter*, which is
>>*not* "drift."  Jitter is a cycle-by-cycle period variation.  Now, the
>>jitter itself *could* be detected and used as randomness, because it
>>is the direct result of noise.  But that would require the ability to
>>detect picosecond differences on a cycle-by-cycle basis at the
>>oscillator frequency, e.g., 20 MHz, which would not be trivial.  
>>
>
>It's not necessary to detect every difference, 
>so it doesn't have to be a cycle by cycle basis.  

The key is that jitter does not accumulate.  So even if we do not
detect *every* cycle, we must detect *particular* cycles.  Or if our
sampling covers several cycles, we will expect to find *less*
variation, not more, which will make detection more difficult.  


>If you're taking samples every microsecond,
>then the probability of a pico-second
>variance falling on the boundary of a measurement is 
>approximately 1pSec / 1 uSec or 1 in a million.
>In other words, if crystals have a 1 pico-second variance,
>and you can sample every micro-second, then every million
>samples has approximately 1 bit of useful entropy,
>or about 1 bit per second.
>
>Non trivial in the "amount of time needed" sense, 
>but it is trivial in the "amount of hardware needed" sense.

I would like to see that design; it doesn't sound at all trivial to
me.  This sounds like we are opening a 1 psec window every 1 usec,
which requires its own precision clocks both for the sampling period
and the window, to say nothing of the non-trivial GHz logic for the
window detection.  

If we really want to detect oscillator jitter, we might use a
phase-locked-loop (PLL) with a long-period loop filter.  Then we might
use the phase detector to indicate when the sampled wave was early or
late.  This would thus sense the polarity of the noise-jitter on a
cycle-by-cycle basis.  But of course the phase detector itself would
be driven by the voltage-controlled-oscillator (VCO) in the PLL, which
would itself be affected by noise.  In the end, the crystal oscillator
might well turn out to be the reference used to detect PLL noise.  

And all this is vastly more than we need if we just want to detect
noise.  

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM


------------------------------

From: [EMAIL PROTECTED] (JPeschel)
Subject: Re: How much does it cost to share knowledge?
Date: 26 Jan 2000 17:46:49 GMT

Tom St Denis [EMAIL PROTECTED] writes, in part:

>I think they are being a bit arrogant there.
>

How is charging a fee for a conference arrogant?

>For some of you 300 bucks [US nonetheless] may seem perfectly fine,
>but for a student [and a Canadian at that] it's completely insane.
>That's like 450 or so CDN.

Yeah, 300 US bucks is about enough for a nice dinner and evening on the
town. (I'd take the night out over a conference.)

>So if anyone related to nist is reading I have a message for you "Get
>real!"
>
>Sorry but had to be said.

No, it didn't: it's nothing more than whining. If you want to go,
borrow some money from, as they say, the 'rents.

Joe

 


__________________________________________

Joe Peschel 
D.O.E. SysWorks                                 
http://members.aol.com/jpeschel/index.htm
__________________________________________


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
