Cryptography-Digest Digest #27, Volume #11       Mon, 31 Jan 00 21:13:02 EST

Contents:
  Re: Intel 810 chipset Random Number Generator (Michael Kagalenko)
  Re: Intel 810 chipset Random Number Generator (Jerry Coffin)
  Re: Intel 810 chipset Random Number Generator ("Trevor Jackson, III")
  Re: Intel 810 chipset Random Number Generator (Michael Kagalenko)
  Re: How to annoy the NSA & break almost any code ("A [Temporary] Dog")
  Re: How to annoy the NSA & break almost any code (Steve K)
  Re: Intel 810 chipset Random Number Generator ("james d. hunter")
  Re: A question about odd grilles (John Savard)
  Re: A question about odd grilles (John Savard)
  Re: NIST, AES at RSA conference (John Savard)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Michael Kagalenko)
Crossposted-To: sci.physics
Subject: Re: Intel 810 chipset Random Number Generator
Date: 31 Jan 2000 23:58:56 GMT
Reply-To: [EMAIL PROTECTED]

lcs Mixmaster Remailer  ([EMAIL PROTECTED]) wrote 
]As a lurker here (and an anonymous one at that) I still must say that this
]has been one of the most unproductive debates I have read on sci.crypt.
]There is so much left unsaid, so much innuendo, so much allusion to
](unspecified) earlier messages, that communication is impossible.
]
]In what message does Michael Kagalenko define his entropy source?
]The closest I can find is
]http://www.deja.com/[ST_rn=ps]/getdoc.xp?AN=575544352, where he writes: 
]
]> You can produce thermally random
]> data by measuring the clock drift against more precise clock (first
]> you'd have to find out the crystal frequency, of course). To elaborate
]> a bit, if t is precise time, and t' is the time measured by quartz
]> oscillator (recalibrated by using t to avoid systematic drift),
]> then 
]> <t-t'> = 0    (1)
]>
]> (<> stands for math. expectation), however, that does not
]> mean that there is no drift, but that drift in both directions is equiprobable
]> (the recalibration I mentioned above consists in making sure that (1)
]> holds)
]>  
]> If the drift can be assumed to be brownian random walk,
]> the average square drift < (t-t')^2 > grows linearly with time
]>
]> < (t-t')^2 > = constant * t 
]
]We have here a definition of "drift", and from this definition it
]does seem plausible that it would move as a random walk.  The analog
]to particle position in Brownian motion is the total cumulative amount
]of drift so far.  The total drift is equally likely to move up or down
](with a calibrated clock source), just as a particle undergoing a random
]walk is equally likely to move right or left.
]
]Hopefully that sheds light on the analogy with Brownian motion.

 Yes, your summary is accurate.

]However this is not a complete definition of the entropy extraction;
]Michael does not describe how he plans to go from this drift to produce
]random bits.  Presumably though it involves the random change in the
]total drift amount.  In that case we need a quantitative estimate of
]the degree of variability of crystal oscillation periods.

 Again correct. However note, that I wrote about this too, but what
 we had were blanket denials from sci.crypt regulars that the effect that
 I described exists.

]According to http://www.eestech.com/eestech/oscill.html, there are a
]number of sources of transient variation in crystal frequency, including
]shock and acceleration effects, temperature variation, electromagnetic
]interference, and so on.  It does not discuss any intrinsic variability
]or imprecision in the oscillation, but that is presumably of a smaller
]magnitude than, say, accelerating the crystal by 2 g's.  (Otherwise the
]effects described on this web page would not be observable, being swamped
]by the intrinsic variability of crystal oscillation period.)
]
]Most of the effects listed there are of the order of one in 10^9.
]The thermal impact is potentially larger, but temperatures are unlikely to
]vary by more than a fraction of a degree over a relatively short period,
]bringing this effect down to roughly this magnitude as well.
]
]If we take this as an upper limit on the natural variability of the
]crystal frequency over short time periods, then a 100 MHz oscillator
]would count almost exactly the same number of clock periods every second.
]Only about one second in ten would there be a difference of even one cycle
]from the previous measurement.  If we adjust the reference (perfect)
]clock to match our crystal, then clock drift will be only on the order
]of one tick per ten seconds.
]
]If we had a higher frequency clock this would be faster; a 1 GHz crystal
]might have a clock drift of one tick per second.
]
]Based on this Michael's critics appear to be correct, that quartz
]crystals are so stable that clock drift would occur at a very slow rate.
]This is an unsuitable source of random numbers, unless they are needed
]very rarely.

 Please note, that you agreed with me on every account; I said
 explicitly that I am not making any statements about practical
 merits of this method of generating random data, but, rather, about
 it being in principle feasible. Please note also that those critics
 objected to the very possibility of the effect that I described. Given
 that you agree with me, and differ with others, why do you say that
 critics were correct ? They weren't and they aren't, and
 Mr.Macon has just acknowledged that the effect that I described exists.

]There, was that so hard?

 A lot of time could have been saved if those trying to argue against
 my posts had actually read them, like you appear to have done.
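
The clock-drift model discussed in this message, worked as an added example (not part of the original posts and not any poster's code). It treats the per-second count error of a 100 MHz crystal as independent Gaussian jitter with a fractional standard deviation of 1e-9 (an assumption about how to read the "one in 10^9" figure), checks that the mean-square drift grows linearly in time, and measures how often a whole-cycle counter would see the drift change. All function names are hypothetical.

```python
import math
import random

F0_HZ = 100e6           # oscillator frequency from the post
FRACTIONAL_STD = 1e-9   # assumption: "one in 10^9" read as per-second std dev

def step_std_cycles(f0_hz=F0_HZ, fractional_std=FRACTIONAL_STD, interval_s=1.0):
    """Std dev, in clock cycles, of the count error accumulated in one interval."""
    return f0_hz * fractional_std * interval_s

def simulate_drift(n_steps, step_std, rng):
    """Cumulative drift t - t' (in cycles) after each interval: a Gaussian random walk."""
    drift, path = 0.0, []
    for _ in range(n_steps):
        drift += rng.gauss(0.0, step_std)
        path.append(drift)
    return path

def msd_slope(n_walks, n_steps, step_std, rng):
    """Fit <(t-t')^2> = c * t over an ensemble of walks; returns c (cycles^2 per interval)."""
    msd = [0.0] * n_steps
    for _ in range(n_walks):
        for i, d in enumerate(simulate_drift(n_steps, step_std, rng)):
            msd[i] += d * d / n_walks
    # Least-squares line through the origin, t = 1..n_steps.
    num = sum((i + 1) * y for i, y in enumerate(msd))
    den = sum((i + 1) ** 2 for i in range(n_steps))
    return num / den

def tick_change_rate(path):
    """Fraction of intervals in which the whole-cycle drift reading changes.
    A digital counter only sees these events, not the fractional drift."""
    changes, prev = 0, 0
    for d in path:
        cur = math.floor(d)
        changes += cur != prev
        prev = cur
    return changes / len(path)

def entropy_bound_bits(p):
    """Upper bound on bits per interval: H(change?) plus one direction bit per change."""
    if p in (0.0, 1.0):
        return p  # H is zero at both ends; only the direction bit can remain
    h = -p * math.log2(p) - (1 - p) * math.log2(1 - p)
    return h + p

def run(seed=2000):
    rng = random.Random(seed)  # seeded so the constructed run is repeatable
    s = step_std_cycles()
    slope = msd_slope(1000, 200, s, rng)
    rate = tick_change_rate(simulate_drift(100_000, s, rng))
    return s, slope, rate, entropy_bound_bits(rate)

if __name__ == "__main__":
    s, slope, rate, bits = run()
    print(f"step std {s:.3f} cycles, fitted c {slope:.4f} (model {s * s:.4f})")
    print(f"tick changes in {rate:.1%} of seconds, at most {bits:.2f} bits/s")
```

Under these assumptions the counter reading changes in roughly 8% of seconds, so the bound on what such a counter can deliver stays well under one bit per second.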





------------------------------

From: Jerry Coffin <[EMAIL PROTECTED]>
Crossposted-To: sci.physics
Subject: Re: Intel 810 chipset Random Number Generator
Date: Mon, 31 Jan 2000 17:06:28 -0700

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] 
says...

[ ... ] 

> > To put things another way: entropy is simply data that can't be
> > predicted.  This is predicting what SHOULD be in the signal, and
> > getting rid of it.  What's left is therefore what wasn't predicted --
> > IOW, entropy.
> 
>   Since all data is simply predictable, entropy can't be simply
> unpredictable data.

All data is simply predictable?  Yes, I suppose it's easy to predict 
binary data -- to the extent that "it'll be either a 1 or a 0" counts 
as a prediction.  You can even easily predict which of 1 or 0 it'll 
be -- as long as you don't mind your prediction being wrong roughly 
half the time if the data contains a great deal of entropy.

If, however, you're saying that you can give accurate predictions 
about things like the time at which radioactive decay will take place 
or the thermal noise in a resistor, then I hope you'll forgive me if 
I'm a bit skeptical.  I've certainly never heard of a way of doing 
such a thing previously.

-- 
    Later,
    Jerry.
 
The universe is a figment of its own imagination.

------------------------------

Date: Mon, 31 Jan 2000 19:26:50 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Crossposted-To: sci.physics
Subject: Re: Intel 810 chipset Random Number Generator

"james d. hunter" wrote:

> Jerry Coffin wrote:
> >
> > In article <8731lb$pg3$[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> > says...
> >
> > [ ... ]
> >
> > > ]Well, I guess I'll admit I'm not sure what he's saying -- it appears
> > > ]to me that he frequently makes a claim in one direction about the
> > > ]theory, but then turns around and specifically disclaims having said
> > > ]anything about what would result from that theory.
> > >
> > >  Uh-oh, now you are quite simply lying.
> >
> > No, I'm really not.
> >
> > > ]...including him, I'm reasonably certain.
> > >
> > >  Well, nope - and I would appreciate it if you refrain from lying
> > >  about matters on the permanent record at Deja.com
> >
> > In one case I said "it appears to me..." and in the other I said "I'm
> > reasonably certain."  To claim that either is a lie requires that you
> > know that I thought something other than what I said.  I find it a bit
> > humorous that you talk about others being insufficiently careful in
> > reading what you say, but then overlook things that stated this
> > clearly.
> >
> > > ]In any case, it seems to me that we're kicking a dead horse.  It all
> > > ]comes down to one simple fact: a crystal oscillator is a lousy source
> > > ]of entropy.  I'm reasonably certain that if you try to use crystal
> > > ]oscillators in something similar to the way he envisions, nearly all
> > > ]the entropy you get will be from other sources.
> > >
> > >  Nope - that is incorrect. And you can't even begin to assess that,
> > >  until you figure out what effect I am talking about.
> >
> > Yes, I can.  No matter what you think is creating the entropy you're
> > talking about, the simple fact is, that you can't use entropy that is
> > measurably and provably absent in the signal to start with.
> >
> > > ] Just for example, you
> > > ]could take two oscillators, run them at what was supposed to be 180
> > > ]degrees out of phase, mix the results (which should obviously cancel),
> > > ]and amplify the difference.
> >
> > > That has absolutely nothing with the method that I described several
> > > times over.
> >
> > You obviously didn't understand what I was saying: this is simply
> > talking about a way of isolating the entropy that's there.  The source
> > or cause of the entropy is irrelevant.
> >
> > To put things another way: entropy is simply data that can't be
> > predicted.  This is predicting what SHOULD be in the signal, and
> > getting rid of it.  What's left is therefore what wasn't predicted --
> > IOW, entropy.
>
>   Since all data is simply predictable, entropy can't be simply
> unpredictable data.

What is the basis for the assertion that all data is simply predictable?

It appears to be a definition rather than a conclusion.  As a definition it is
at violent variance with every other usage I've ever seen.



------------------------------

From: [EMAIL PROTECTED] (Michael Kagalenko)
Crossposted-To: sci.physics
Subject: Re: Intel 810 chipset Random Number Generator
Date: 1 Feb 2000 00:03:41 GMT
Reply-To: [EMAIL PROTECTED]

Jerry Coffin  ([EMAIL PROTECTED]) wrote 
]In article <8731lb$pg3$[EMAIL PROTECTED]>, [EMAIL PROTECTED] 
]says...
]
][ ... ] 
]
]> ]Well, I guess I'll admit I'm not sure what he's saying -- it appears 
]> ]to me that he frequently makes a claim in one direction about the 
]> ]theory, but then turns around and specifically disclaims having said 
]> ]anything about what would result from that theory.
]> 
]>  Uh-oh, now you are quite simply lying.
]
]No, I'm really not.
] 
]> ]...including him, I'm reasonably certain.
]> 
]>  Well, nope - and I would appreciate it if you refrain from lying
]>  about matters on the permanent record at Deja.com
]
]In one case I said "it appears to me..." and in the other I said "I'm 
]reasonably certain."  To claim that either is a lie requires that you 
]know that I thought something other than what I said.  I find it a bit 
]humorous that you talk about others being insufficiently careful in 
]reading what you say, but then overlook things that stated this 
]clearly.


 I have nothing to add to my earlier statement that you are a dishonest person.
 Your weaseling above simply confirms this.

]> ]In any case, it seems to me that we're kicking a dead horse.  It all 
]> ]comes down to one simple fact: a crystal oscillator is a lousy source 
]> ]of entropy.  I'm reasonably certain that if you try to use crystal 
]> ]oscillators in something similar to the way he envisions, nearly all 
]> ]the entropy you get will be from other sources.
]> 
]>  Nope - that is incorrect. And you can't even begin to assess that,
]>  until you figure out what effect I am talking about. 
]
]Yes, I can.

 Well, no, you can't. It is basic logic.

]  No matter what you think is creating the entropy you're 
]talking about, the simple fact is, that you can't use entropy that is 
]measurably and provably absent in the signal to start with.

 That's plainly wrong, and a number of people in this thread
 appear to have realized this. You are simply ignorant in these
 matters, and are trying to make up for that with lying.

]> ] Just for example, you 
]> ]could take two oscillators, run them at what was supposed to be 180 
]> ]degrees out of phase, mix the results (which should obviously cancel), 
]> ]and amplify the difference.
]
]> That has absolutely nothing with the method that I described several
]> times over.
]
]You obviously didn't understand what I was saying: this is simply 
]talking about a way of isolating the entropy that's there.  The source 
]or cause of the entropy is irrelevant.

 Another basic logical error - you can not "isolate entropy" unless you
 know the way in which it is present.

]To put things another way: entropy is simply data that can't be 
]predicted.  This is predicting what SHOULD be in the signal, and 
]getting rid of it.  What's left is therefore what wasn't predicted -- 
]IOW, entropy.
]
]To put things yet another way, you're simply separating the signal 
]into two parts: the basic oscillation at the rated frequency of the 
]crystal (which obviously isn't entropy at all) and whatever else 
]happens to be in the signal.
]
]In reality, _most_ of what's left won't usually be real entropy 
]though: it'll be things like distortion products from the amplifier 
]and oscillator circuits.  Most the entropy that IS there will 
]originate from sources outside the crystal, such as the resistors in 
]the oscillator and amplifier.
]
]However, entropy was there in the input will mostly still be there in 
]the output.  It doesn't really matter whether you think the entropy 
]originates from Brownian motion, resistor noise or witchcraft; this is 
]simply a method of isolating the predictable from the unpredictable 
]parts of the signal.


------------------------------

From: "A [Temporary] Dog" <[EMAIL PROTECTED]>
Subject: Re: How to annoy the NSA & break almost any code
Date: Mon, 31 Jan 2000 19:24:19 -0500

On Mon, 31 Jan 2000 06:07:46 GMT, [EMAIL PROTECTED] wrote:

>You can probably annoy the NSA by spreading
>this news. 

Yea, but you can annoy them more by ringing the doorbell and running
away before they answer.  The NSA hates that.


- A (Temporary) Dog             |"Intelligent, reasonable
The Domain is *erols dot com*   |people understand that -
The Name is tempdog             |unfortunately, we're dealing 
http://users.erols.com/tempdog/ |with elected officials"
Put together as name@domain     | - name withheld

------------------------------

From: [EMAIL PROTECTED] (Steve K)
Subject: Re: How to annoy the NSA & break almost any code
Date: Tue, 01 Feb 2000 00:54:03 GMT

On Mon, 31 Jan 2000 19:24:19 -0500, "A [Temporary] Dog"
<[EMAIL PROTECTED]> wrote:

>On Mon, 31 Jan 2000 06:07:46 GMT, [EMAIL PROTECTED] wrote:
>
>>You can probably annoy the NSA by spreading
>>this news. 
>
>Yea, but you can annoy them more by ringing the doorbell and running
>away before they answer.  The NSA hates that.

Don't forget the bag of dogshit.  Use a little gasoline to make sure
it stays lit!

:o|



Steve

---Continuing freedom of speech brought to you by---
   http://www.eff.org/   http://www.epic.org/  
               http://www.cdt.org/

PGP key 0x5D016218
All others have been revoked.

------------------------------

From: "james d. hunter" <[EMAIL PROTECTED]>
Crossposted-To: sci.physics
Subject: Re: Intel 810 chipset Random Number Generator
Date: Mon, 31 Jan 2000 20:36:04 -0500
Reply-To: [EMAIL PROTECTED]

Jerry Coffin wrote:
 > 
 > In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
 > says...
 > 
 > [ ... ]
 > 
 > > > To put things another way: entropy is simply data that can't be
 > > > predicted.  This is predicting what SHOULD be in the signal, and
 > > > getting rid of it.  What's left is therefore what wasn't predicted --
 > > > IOW, entropy.
 > >
 > >   Since all data is simply predictable, entropy can't be simply
 > > unpredictable data.
 > 
 > All data is simply predictable?  Yes, I suppose it's easy to predict
 > binary data -- to the extent that "it'll be either a 1 or a 0" counts
 > as a prediction.  You can even easily predict which of 1 or 0 it'll
 > be -- as long as you don't mind your prediction being wrong roughly
 > half the time if the data contains a great deal of entropy.


  Data is simply predictable because there is no such thing as
  future data. "check's in the mail" virtual data is
  simply a pigment of a mathematician's mind.

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: A question about odd grilles
Date: Tue, 01 Feb 2000 01:32:13 GMT

On Mon, 31 Jan 2000 16:52:31 +0100, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote, in part:

>Sorry, I was wrong. My apology for having posted some nonsense.

We all make mistakes. I made a few as I stumbled my way to an
understanding of KEA in another thread.

John Savard (teneerf <-)
http://www.ecn.ab.ca/~jsavard/index.html

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: A question about odd grilles
Date: Tue, 01 Feb 2000 01:31:28 GMT

On Mon, 31 Jan 2000 16:22:01 +0100, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote, in part:

>If one has, for example, a turning grille of 7*7 that accepts the 
>same amount of plaintext, then the 25th character of the plaintext 
>IS (always) the 25th character of the ciphertext.

No, it isn't.

John Savard (teneerf <-)
http://www.ecn.ab.ca/~jsavard/index.html

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: NIST, AES at RSA conference
Date: Tue, 01 Feb 2000 01:45:02 GMT

On Mon, 31 Jan 2000 11:01:22 GMT, [EMAIL PROTECTED] (Terry Ritter) wrote,
in part:

>The statement is neither elegant nor refutation:  Since I have never
>claimed that "all unprovable ciphers must be tripled," the apparent
>response is no response at all;  it is instead the introduction of a
>"red herring."  It is a deliberate attempt to mislead the reader about
>my position and somehow "win" the argument.  It is but one example of
>why I no longer participate in discussions with that author.  

>It is correct that there is no proof of strength.  Multiple ciphering
>does not provide such a proof.  Indeed I expect that no such proof is
>possible.  

>But it is also correct that multiple ciphering is provably strong*er*
>in the sense of not allowing known-plaintext and defined-plaintext
>attacks on individual ciphers.

But the point he was trying to make, using "tripling" instead of a
detailed description of your multi-ciphering proposal, would be that

if the mathematical condition of unprovability is _itself_ cause for
concern

then no technique that does not yield a provably secure cipher removes
the cause for concern.

If the mathematical condition of unprovability is *not* cause for
concern by itself,

then what *other* arguments do you have for being out of step with
everyone else, by refusing to see the light and acknowledge that the
five AES finalists are all more secure than anyone could possibly
need?

If the statement "the AES finalists are not provably secure" ceases to
be a useful argument for strengthening them by a multi-ciphering
technique, what else is left? That is a legitimate question, even if
it smacks of argument by intimidation.

But there are responses. One of which might be to note that except for
MARS, we're dealing with ciphers using a single type of round.

I suspect, though, that if the multi-ciphering technique did become
widespread - in the sense of a program with that feature becoming the
_de facto_ standard, one goal you are hoping to achieve will not be
helped. Instead of developing a market for people purchasing different
cipher modules, the desire to have one's messages read by the intended
recipient might well lead to only the "free" cipher modules ever being
used.

John Savard (teneerf <-)
http://www.ecn.ab.ca/~jsavard/index.html

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
