Cryptography-Digest Digest #423, Volume #11      Sun, 26 Mar 00 09:13:01 EST

Contents:
  Re: OAP-L3:  Answer me these? (Guy Macon)
  Re: http://www.cryptomat.com ([EMAIL PROTECTED])
  Re: one-way hash functions with 256-bit output (David Crick)
  Re: OAP-L3:  Answer me these? (Anthony Stephen Szopa)
  Re: OAP-L3:  Who cares?  No one's interested? (Anthony Stephen Szopa)
  Re: OAP-L3:  Answer me these? (Anthony Stephen Szopa)
  Re: OAP-L3:  Answer me these? (Anthony Stephen Szopa)
  Re: OAP-L3:  Answer me these? (Tim Tyler)
  Observer 26/3/2000: "It's RIP basic human rights as 'worst UK legislation ever' looms" ("NoSpam")
  Sunday People 26/3/2000: "FORGET YOUR PASSWORD... END UP IN JAIL" ("NoSpam")
  SCRAMDISK - Question on uncreating a scrambled partition or how to define an arbitrary drive letter ("John-Erik Horn")
  BBC R4's 'PM' on RIP Bill 24/3/00 (Real Audio or Windows Media) ("NoSpam")
  Re: Gray Code like ([EMAIL PROTECTED])
  Re: Method for time-altering keys ("Lyalc")
  Re: Download Random Number Generator from Ciphile Software (Anthony Stephen Szopa)
  Re: NIST publishes AES3 papers (Bruce Schneier)
  Re: NIST publishes AES3 papers (Bruce Schneier)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: OAP-L3:  Answer me these?
Date: 26 Mar 2000 05:10:34 EST

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Mok-Kong Shen) 
wrote:
>
>Tim Tyler wrote:

>> It doesn't mean that you can't use a known plaintext attack to completely
>> recover the key, or that you can't send faked messages, or that you
>> can't profitably modify existing ones.
>> 
>> With a straight OTP (with no signature scheme) you can do all these things.
>
>Sorry, I don't understand. What are you going to do in case you
>have the known plaintext and recover the key used to encrypt that
>plaintext? Since OTP never repeats keys, it doesn't help you to
>crack anything. (The said known plaintext has certainly been
>obtained by other means and that you have already. But you get
>nothing helping you for the future.) I am very interested to learn
>how you send faked messages in an OTP system. Could you please
>give some details. Further, the meaning of the last phrase is not 
>clear for me. Would you please explain a little bit? Many thanks 
>in advance.

You are assuming that your OTP encrypted message is delivered.
Think about this:

[1] The attacker inserts a known plaintext, which you encrypt
    with your OTP and send.

[2] The attacker intercepts your ciphertext and prevents it from
    being delivered.

[3] The attacker derives the OTP used to encrypt that message.

[4] The attacker sends his own message encrypted with that key.


------------------------------

From: [EMAIL PROTECTED]
Subject: Re: http://www.cryptomat.com
Date: Sun, 26 Mar 2000 10:12:24 GMT

> Nevertheless, it seems a fair amount of trouble to go through for a
> scam with little discernable reward, other than perhaps a list of
> email addresses of individuals interested in cryptanalysis. They are
> very much into anonymity - but perhaps that was not enough to prevent
> some large gentlemen in black suits driving Chevy Suburbans with
> black out windows with Maryland plates taking care of them?

They might also be the black-suited gentlemen themselves. Why bother
about collecting data when the companies send it in voluntarily?

Reminds me of a fortune-teller I once met, who first made me write one of
4 numbers on a paper he could not see. He then told me the correct number
I had chosen. In the moment, I was dazzled, but afterwards I recognized
that if one out of 4 people he addressed became customers who are
confident in his abilities, this wouldn't be such a bad ratio ;-)

I have sent them a relatively strong, non-standard encrypted cyphertext
with plaintext hints but none about the algorithm used. Let's see if they
are capable and willing to break it, even though I'm not in a key
position in a company.

Best regards,

Erich Steinmann


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: David Crick <[EMAIL PROTECTED]>
Subject: Re: one-way hash functions with 256-bit output
Date: Sun, 26 Mar 2000 11:04:07 +0000

stanislav shalunov wrote:
> 
> Do we have secure 256-bit alternatives?
> Shouldn't one be developed and selected just like AES?

Tiger supports up to 192-bits and HAVAL up to 256.

( http://www.cs.technion.ac.il/~biham/Reports/Tiger/
  and  http://www.pscit.monash.edu.au/~yuliang/src/
  respectively )

As has been noted in another thread, RIPEMD-320 exists,
but "RIPEMD-256 and RIPEMD-320 are optional extensions
of, respectively, RIPEMD-128 and RIPEMD-160, and are
intended for applications of hash functions that require
a longer hash result without needing a larger security
level."

( www.esat.kuleuven.ac.be/~bosselae/ripemd160.html )


NIST/NSA are supposed to be working on SHA-2/DSS2.


And of course, the AES ciphers can themselves be used
as hash functions. Rijndael is the only cipher that
supports block lengths of > 128-bits, so it would
probably be the more ideal candidate in this respect.


  David.

------------------------------

From: Anthony Stephen Szopa <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: OAP-L3:  Answer me these?
Date: Sun, 26 Mar 2000 03:20:00 -0800

"Douglas A. Gwyn" wrote:
> 
> Tom St Denis wrote:
> > Your theory on your website is not very specific.  Do you have a hidden page
> > or something with the required info?
> 
> http://www.ciphile.com/theory.html
> 
> Having finally gotten curious enough to look at it, I'll say
> two things:
> 
> (1) The rotor-like stepping of the first mixfile allows standard
> techniques to be used in the cryptanalysis.
> 
> (2) Whatever security the system has lies in the parameters of
> the process that generates the initial set of mixfiles.  It
> wasn't clear to me what those parameters were, but I *think*
> it was the same as for "mix a mixfile", i.e. a 14-digit
> user-supplied integer.  So that is the effective key length.

I am sorry but that is completely incorrect.

------------------------------

From: Anthony Stephen Szopa <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: OAP-L3:  Who cares?  No one's interested?
Date: Sun, 26 Mar 2000 03:32:37 -0800

lordcow77 wrote:
> 
> <sarcasm>
> Where can I download your wonderful new encryption software with
> a breakthrough algorithm that cannot ever be broken? I would
> love to use that same software that such competent and well-
> regarded companies as Microsoft use for their security purposes.
> I am truly glad that you have a coherent and detailed
> description of the methodology that your encryption algorithm on
> your web page that any software developer could create an
> interoperable implementation without the need for additional
> guidance.
> </sarcasm>
> 

I have become aware of a characteristic of the software as currently
implemented that I had not realized before.  I am quite convinced that
the next generation of OAP-L3 will generate much interest.

------------------------------

From: Anthony Stephen Szopa <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: OAP-L3:  Answer me these?
Date: Sun, 26 Mar 2000 03:25:22 -0800

Mok-Kong Shen wrote:
> 
> Anthony Stephen Szopa wrote:
> >
> > Why should anyone tell you anything.  You haven't listened for,
> > what is it now, over a year?  And all you've had to do was read
> > a few legal size length pages from the Help Files.  You sound
> > like a bum begging for money or a young child crying to have
> > its mother feed it when it is old enough to feed itself.
> 
> From what you wrote, I infer that people haven't put enough
> energy to study your algorithm. Now an algorithm can be
> described on different levels, either with minute details or
> in abstracted forms that are more convenient for the readers
> when they first approach your stuff. (Compare successive
> refinements in top-down software design.) I like to recommend
> that, if you want to have your algorithm be seriously studied
> by many people, you should make the task of these as simple
> (and hence as palatable) as possible through first providing
> the most abstract form of your algorithm and subsequently the
> more refined ones. That way, you are most likely to achieve
> your goal of obtaining wide acceptance of your algorithm.
> 
> I assume that you have already laid open all details that are
> necessary for others to examine. Otherwise there could be
> troubles. Incidentally, a couple of years ago, Bruce Schneier
> said that he was examining an encryption algorithm that is
> patent-pending (and hence not public) under NDA and that he
> intended to later publish a paper on that product. But I don't
> yet know whether the paper is already available.
> 
> M. K. Shen
> ----------------------
> http://home.t-online.de/home/mok-kong.shen

Your advice seems sound.

------------------------------

From: Anthony Stephen Szopa <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: OAP-L3:  Answer me these?
Date: Sun, 26 Mar 2000 03:23:59 -0800

"Trevor L. Jackson, III" wrote:
> 
> Anthony Stephen Szopa wrote:
> 
> > "Trevor L. Jackson, III" wrote:
> > >
> > > Volker Hetzer wrote:
> > >
> > > > "Trevor L. Jackson, III" wrote:
> > > > > If no one finds any flaws in your product within 60
> > > > > days you keep my money, and you get to advertise the fact that your software 
>is
> > > > > flawless.  Otherwise I'll split your money with the people who find the flaws
> > > > > in your software.
> > > > Of course, this only works if he posts the source code that he actually uses.
> > >
> > > I don't see the problem.  If he posts flawed code he forfeits.  If he posts 
>flawless
> > > code (har), he can reasonably claim the code he did not post was equally 
>flawless.
> >
> > If I knew we were all going to have such a great time, I'd have
> > brought out the barbecue and some ice cold beer.
> 
> My offer stands.  You have not responded.  Should I interpret your lack of response 
>to
> mean that you decline the offer?

Let's wait and see the flaws come rolling in.

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: OAP-L3:  Answer me these?
Reply-To: [EMAIL PROTECTED]
Date: Sun, 26 Mar 2000 12:26:25 GMT

Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
: Tim Tyler wrote:
:> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
:> : [EMAIL PROTECTED] wrote:

:> :> There _is_ such thing as a bit flipping attack against [OTPs] [...]

:> : To my humble knowledge, the Vernam OTP, if it is an ideal one
:> : (i.e. satisfying all the theoretical assumptions, though
:> : unfortunately not practically obtainable), is perfectly
:> : secure according to a theorem of Shannon. Thus it can't be the
:> : case that there is any viable attack. [...]
:> 
:> It's true that you can't extract any information from the message body.
:> 
:> It doesn't mean that you can't use a known plaintext attack to completely
:> recover the key, or that you can't send faked messages, or that you
:> can't profitably modify existing ones.
:> 
:> With a straight OTP (with no signature scheme) you can do all these things.

: Sorry, I don't understand. What are you going to do in case you
: have the known plaintext and recover the key used to encrypt that
: plaintext? [...]

XOR the known-plaintext with the cyphertext.  Voila - the key drops out.

: Since OTP never repeats keys, it doesn't help you to
: crack anything. (The said known plaintext has certainly been
: obtained by other means and that you have already. But you get
: nothing helping you for the future.) [...]

Indeed.

: I am very interested to learn how you send faked messages in an OTP system.

Intercept a message, recover the key using a known-plaintext attack, and
then compose and transmit your own message using that key.

You will need to ensure that the recipient gets your message and /doesn't/
get the original one - something that's practical if, for example, you
control the communications channel between the parties involved.

As has been mentioned, use of signatures can be effective in preventing
this from happening.
-- 
__________
 |im |yler  The Mandala Centre  http://www.mandala.co.uk/  [EMAIL PROTECTED]

9 out of 10 men who tried Camels prefer women.
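The attack Guy Macon and Tim Tyler describe above, as an added worked example that is not part of either post: a Vernam pad, known-plaintext recovery of the pad bytes, a forged message sent under the recovered bytes, the bit-flipping variant that needs no pad recovery at all, and the countermeasure the thread calls a "signature", here an HMAC under a second key that the attacker does not hold (the choice of HMAC-SHA256 and the separate MAC key are assumptions of this example; the thread does not specify a scheme). The pad, MAC key and messages are constructed sample values.

```python
import hashlib
import hmac
import secrets


def otp_encrypt(pad: bytes, msg: bytes) -> bytes:
    """Vernam one-time pad: each plaintext byte is XORed with one fresh pad byte."""
    if len(pad) < len(msg):
        raise ValueError("pad exhausted: a one-time pad must be at least as long as the message")
    return bytes(m ^ k for m, k in zip(msg, pad))


otp_decrypt = otp_encrypt  # XOR is its own inverse


def recover_pad(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """Known-plaintext attack: C XOR P hands back exactly the pad bytes used for C."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def forge(recovered_pad: bytes, fake_plaintext: bytes) -> bytes:
    """Encrypt the attacker's own text under the recovered pad bytes. The recipient
    treats it as genuine only if the original ciphertext was suppressed, so those
    pad bytes are still lined up as unused on the receiving side."""
    return otp_encrypt(recovered_pad, fake_plaintext)


def bit_flip(ciphertext: bytes, known: bytes, wanted: bytes) -> bytes:
    """Malleability without recovering anything: XOR in the difference between the
    plaintext the attacker knows is there and the plaintext he wants delivered."""
    return bytes(c ^ k ^ w for c, k, w in zip(ciphertext, known, wanted))


def tag(mac_key: bytes, ciphertext: bytes) -> bytes:
    """Authenticator over the ciphertext under a key the attacker does not hold
    (HMAC-SHA256 is this example's choice; any unforgeable MAC or signature works)."""
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def verify_and_decrypt(pad: bytes, mac_key: bytes, ciphertext: bytes, t: bytes):
    """Recipient side: drop anything whose tag does not verify, then decrypt."""
    if not hmac.compare_digest(tag(mac_key, ciphertext), t):
        return None
    return otp_decrypt(pad, ciphertext)


def demo():
    """Run the whole scenario with a fresh random pad and MAC key."""
    pad, mac_key = secrets.token_bytes(64), secrets.token_bytes(32)
    plaintext = b"PAY 0100 GBP TO ALICE"          # constructed sample message
    ct = otp_encrypt(pad, plaintext)

    # [1]-[3]: attacker knows the plaintext, intercepts ct, derives the pad bytes
    recovered = recover_pad(plaintext, ct)
    # [4]: attacker sends his own message under those bytes (ct itself never arrives)
    forged = forge(recovered, b"PAY 9999 GBP TO EVE")
    # or, keeping the original message in flight, just edits it in transit
    flipped = bit_flip(ct, plaintext, b"PAY 9999 GBP TO ALICE")

    genuine_tag = tag(mac_key, ct)
    return {
        "pad_recovered": recovered == pad[: len(plaintext)],
        "forged_decrypts_to": otp_decrypt(pad, forged),
        "flipped_decrypts_to": otp_decrypt(pad, flipped),
        # with a MAC the recipient rejects both the forgery and the edited message
        "forged_accepted": verify_and_decrypt(pad, mac_key, forged, genuine_tag) is not None,
        "flipped_accepted": verify_and_decrypt(pad, mac_key, flipped, genuine_tag) is not None,
        "genuine_accepted": verify_and_decrypt(pad, mac_key, ct, genuine_tag) == plaintext,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")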

------------------------------

From: "NoSpam" <[EMAIL PROTECTED]>
Crossposted-To: 
uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,uk.politics.censorship
Subject: Observer 26/3/2000: "It's RIP basic human rights as 'worst UK legislation 
ever' looms"
Date: Sun, 26 Mar 2000 14:22:23 +0100

http://www.newsunlimited.co.uk/observer/business/story/0,3879,150984,00.html

It's RIP basic human rights as 'worst UK legislation ever' looms

Free speech on the net: special report

John Naughton

Sunday March 26, 2000

To LSE for a conference on the Interior Ministry's Regulation of
Investigatory Powers (RIP) Bill, currently in Committee in the Mother of
Parliaments. Readers of this column will know that, among other things, this
odious piece of legislation reverses the ancient principle of natural
justice that says that a person should be presumed innocent until proven
guilty.

Specifically, the bill stipulates that if a message or device traced to you
contains encrypted data, you can be required by a statutory order to hand
over the key needed to decrypt that data. If you have lost or forgotten that
key, you will be presumed to be guilty of an offence and required to prove
to a court that you have indeed lost or forgotten it. If convicted, you will
go down for two years.

This, of course, raises the question: how do you prove that you have
forgotten something? When taxed with this, Charles Clarke, the junior
minister charged with shepherding this attack on liberty through the
Commons, repeated the official mantra. 'The Bill,' quoth he, 'creates a
defence for an individual who has forgotten or mislaid a key or password. It
is true that he or she must prove the defence, but they need to do that only
on the balance of probabilities.'

Ah, that magic phrase, 'balance of probabilities'. And how, pray, is that to
be assessed? By the use of lie-detectors in British courts? Clarke was
repeatedly pressed on this at the conference, but declined to be drawn.
Instead he intoned the 'balance of probabilities' mantra like a speak-your-
weight machine on valium.

In the circumstances, there seemed little point in drawing his attention to
a celebrated judgment in Canada's Supreme Court that held: 'If an accused is
required to prove some fact on the balance of probabilities to avoid
conviction, the provision violates the presumption of innocence because it
permits a conviction in spite of a reasonable doubt in the mind of the trier
of fact as to the guilt of the accused' (Reg v Whyte (1988) 51 DLR (4th)
481).

Clarke belongs to a government which claims that it wants to make the UK the
best place in the world for e-commerce. It was interesting then to hear a
question from a chap who works for AT&T and is responsible for the security
and integrity of the networks of several large banks and financial
institutions. He holds lots of decryption keys as a result of that
responsibility, and has a contractual obligation to his clients to protect
their secrets.

Under the terms of the RIP Bill, he can be required to disclose those keys
to a duly authorised goon - but he is also legally forbidden to reveal to
his clients that their secrecy has thereby been compromised. As he spoke,
you could see Clarke opening and shutting his mouth like a stunned carp. The
only sound to be heard was the noise of online banks stampeding to leave the
country.

With the exception of the original Official Secrets Act, rushed through in a
single afternoon in 1911, the RIP Bill is probably the worst piece of
legislation ever laid before Parliament. It proposes to give the Interior
Minister the kinds of powers Robert Mugabe can only fantasise about. (In
fact it was claimed at the conference that the only other country in the
world proposing legislation like this is Zimbabwe.)

The Bill proposes the violation of what any civilised society would regard
as elementary human rights (presumption of innocence, the right to a fair
trial, protection of privacy and freedom from random surveillance, to name
just four). It does so under the breathtaking assertion that these abuses
are necessary to bring the UK in line with the European Convention on Human
Rights. And it will be law by October.

www.fipr.org/rip#media

------------------------------

From: "NoSpam" <[EMAIL PROTECTED]>
Crossposted-To: 
uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,uk.politics.censorship
Subject: Sunday People 26/3/2000: "FORGET YOUR PASSWORD... END UP IN JAIL"
Date: Sun, 26 Mar 2000 14:24:39 +0100

http://www.people.co.uk/shtml/NEWS/P28S1.shtml

FORGET YOUR PASSWORD... END UP IN JAIL

INTERNET FURY AT STRAW

BIG Brother wants to know your computer password - and he'll throw you in
jail if you don't tell him.

Home Secretary Jack Straw aims to make it a criminal offence to refuse to
tell police or secret services the way into your personal computer.

And you could go down for two years, even if you've only forgotten the vital
word.

Under the Regulation of Investigatory Powers Bill, any data you have stored
will be presumed to be incriminating unless you can prove otherwise. Civil
liberties groups are furious over the controversial new legislation, which
is part of the Government's bid to crack down on computer fraud, internet
terrorism and child porn.

The Lib Dems' internet spokesman Dr Vincent Cable said: "There are genuine
concerns about why MI5 need this degree of control. This is a very large
hammer to crack a small nut."

A spokesman for the Internet lobby group Foundation for Internet Policy
Research said: "This is a really draconian law.

"If you forget your password you'll be up before a court trying to prove
it - and then it will depend on how respectable you look.

"The Internet and e-commerce is just starting to boom in Britain now, and
people will only realise later they have lost out."

America, France, Ireland and Germany have already rejected similar laws.

www.fipr.org/rip#media

------------------------------

From: "John-Erik Horn" <[EMAIL PROTECTED]>
Subject: SCRAMDISK - Question on uncreating a scrambled partition or how to define an arbitrary drive letter
Date: Sun, 26 Mar 2000 15:21:01 +0200

Hello All!

Tried out Scramdisk today. It's quite alright. I have two questions that I
cannot answer in the manual (read it completely).

How can I force Scramdisk to define the scrambled partition as drive E:, for
example?

If this is not possible, I would like to restore that partition back to an
unscrambled drive.

Scramdisk 2.02h
Win 98 on a PII 350

I have successfully created a scrambled partition (was my drive E:), now it
shows up as the last drive (N:) and the preferred drive definition has no
effect.

Thanks.

J-E

------------------------------

From: "NoSpam" <[EMAIL PROTECTED]>
Crossposted-To: 
uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,uk.politics.censorship,uk.media.radio.bbc-r4
Subject: BBC R4's 'PM' on RIP Bill 24/3/00 (Real Audio or Windows Media)
Date: Sun, 26 Mar 2000 14:28:21 +0100

BBC Radio 4 'PM' 24/3/00: Branwen Jeffreys reports on the Regulation of
Investigatory Powers (RIP) Bill  (5m 13s as Real Audio or Windows Media)

www.fipr.org/rip#media

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Gray Code like
Date: 26 Mar 2000 13:36:17 GMT

> Note that (apart from the leading zeros), this pattern mirrors the
> internal state of a maximal-period LFSR.
> 
> Consequently you could build such sequences of any given length by using
> the tap sequence for a maximal-period LFSR, starting from the "...001"
> state and prepending the "...000" state to the list.

Or, if the implementation is in hardware, detect when all but the MS bit 
are zero and invert the feedback path.  (This can be done using a NOR gate 
or a counter that counts when zeros are entering the LFSR and is reset by 
a one entering.)

Thus 1000...0 feeds a 0 into the LSB 
 and 0000...0 feeds a 1 into the LSB.
 
This also obviates the need to preset the LFSR to avoid the all zeros 
state. 


Keith
 http://www.cix.co.uk/~klockstone
 ------------------------
 'Unwise a grave for Arthur'
 -- The Black Book of Carmarthen
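The two constructions in this thread, the maximal-period LFSR whose states (with the all-zeros state prepended) give the pattern, and Keith's feedback-inversion trick that folds the all-zeros state into the cycle, as an added software example that is not part of either post. The register is a Fibonacci LFSR shifting towards the MSB with the feedback entering the LSB; the tap sets are found by brute force rather than taken from a table, so the example also shows how to check a tap set for full period. Register sizes and tap positions are constructed values.

```python
from itertools import combinations


def lfsr_step(state: int, n: int, taps, debruijn: bool = False) -> int:
    """One clock of an n-bit Fibonacci LFSR. Bits shift towards the MSB and the XOR
    of the tap bits enters the LSB. With debruijn=True the feedback is inverted
    whenever every bit except the MSB is zero (the NOR-detect trick above), so
    100...0 feeds a 0 and lands on 000...0, and 000...0 feeds a 1 and leaves again."""
    fb = 0
    for t in taps:
        fb ^= (state >> t) & 1
    if debruijn and (state & ((1 << (n - 1)) - 1)) == 0:
        fb ^= 1
    return ((state << 1) | fb) & ((1 << n) - 1)


def state_cycle(n: int, taps, start: int, debruijn: bool = False):
    """Clock the register from `start` until a state repeats; return the cycle."""
    first_seen = {}
    order = []
    s = start
    while s not in first_seen:
        first_seen[s] = len(order)
        order.append(s)
        s = lfsr_step(s, n, taps, debruijn)
    return order[first_seen[s]:]  # drop any lead-in tail, keep the loop itself


def find_maximal_taps(n: int):
    """Brute-force a tap set giving period 2**n - 1 from the 000...01 state. The MSB
    must be a tap (otherwise the bit shifted out is simply forgotten and the map is
    not a bijection), so only subsets of the remaining positions are tried."""
    for k in range(0, n):
        for rest in combinations(range(n - 1), k):
            taps = (n - 1,) + rest
            if len(state_cycle(n, taps, 1)) == (1 << n) - 1:
                return taps
    return None


def feedback_bits(n: int, taps):
    """LSB of each state of the de Bruijn-modified register, starting from all zeros.
    Cyclic windows of n consecutive bits are exactly the 2**n register states, so
    every n-bit pattern occurs once, the all-zero pattern included."""
    return [s & 1 for s in state_cycle(n, taps, 0, debruijn=True)]


def is_debruijn(bits, n: int) -> bool:
    """Check that every n-bit pattern appears exactly once as a cyclic window."""
    length = len(bits)
    if length != 1 << n:
        return False
    windows = set()
    for i in range(length):
        w = 0
        for j in range(n):
            w = (w << 1) | bits[(i + j) % length]
        windows.add(w)
    return len(windows) == length


if __name__ == "__main__":
    for n in (4, 5, 8):
        taps = find_maximal_taps(n)
        plain = state_cycle(n, taps, 1)
        full = state_cycle(n, taps, 0, debruijn=True)
        print(f"n={n} taps={taps} plain period={len(plain)} with inversion={len(full)}",
              "de Bruijn:", is_debruijn(feedback_bits(n, taps), n))
```

Without the inversion the all-zeros state is a fixed point (the lock-up state a hardware register must be preset away from); with it, 100...0 steps to 000...0 and on to 000...01, which is where a maximal LFSR would have gone directly, so the period becomes 2**n and no preset is needed.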

------------------------------

From: "Lyalc" <[EMAIL PROTECTED]>
Subject: Re: Method for time-altering keys
Date: Sun, 26 Mar 2000 23:46:46 +1000

A critical benefit arises from the suggestion to add time bits to the user's
pass phrase.
This adds a "specific use" element to the use of the password (or any other
shared secret), increasing the ease of replay detection.
And, it's used in several environments today - and in the future.

Lyal


Adam Durana wrote in message ...
>
>I think I follow even though your explanation could be better.  But what is
>the point of doing this?  Letting the time affect the key just seems like a
>weakness, i.e. if someone knows what time the key was made they know some of
>the key bits, or the ordering of the bits depending on what your method
>does.  I still can't think of a case where you would want a key to be
>affected by the time it was created, unless you can derive that time from
>the key without giving away the key.  Keys that expire are interesting but
>this method does not do that.  Also why even bother reordering the bits?
>Just attach the output of time(0) to the end of the passphrase the user
>provided.
>
>And I do suggest you read "the statistical report analysis for time
>sensitive PF417 gJq10 data processing routine".
>
>- Adam
>
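Lyal's "specific use" element, as an added example that belongs to neither poster and is not the method Adam was replying to (whose details are not on the page): a shared passphrase stretched once, a per-slice key derived from it and the current time slice, and a receiver that accepts only tokens from the current or previous slice and never the same token twice. The time value is public, so it contributes no secret key bits; the passphrase carries all the secrecy, and what the time buys is a bound on how long a captured token stays replayable. Slice length, salt, skew allowance and messages are constructed values.

```python
import hashlib
import hmac

WINDOW_SECONDS = 30   # length of one time slice (constructed value for this example)
ALLOWED_SKEW = 1      # how many earlier slices the receiver still accepts


def master_key(passphrase: str) -> bytes:
    """Stretch the shared passphrase once. The time bits are mixed in per slice
    below, so the long-term secret itself never changes."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), b"example-salt", 50_000)


def time_slice(now: int) -> int:
    return now // WINDOW_SECONDS


def slice_key(master: bytes, slice_no: int) -> bytes:
    """Per-slice key = HMAC(master, slice number): the 'specific use' element."""
    return hmac.new(master, slice_no.to_bytes(8, "big"), hashlib.sha256).digest()


def make_token(master: bytes, message: bytes, now: int):
    """Sender side: returns (slice_no, tag) to send alongside the message."""
    s = time_slice(now)
    return s, hmac.new(slice_key(master, s), message, hashlib.sha256).digest()


class Receiver:
    def __init__(self, passphrase: str):
        self.master = master_key(passphrase)
        self.seen = set()   # (slice_no, tag) pairs already accepted in live slices

    def accept(self, slice_no: int, message: bytes, tag: bytes, now: int) -> str:
        """Returns 'ok' or the reason for rejection."""
        current = time_slice(now)
        if not current - ALLOWED_SKEW <= slice_no <= current:
            return "stale"      # token from an old slice (or a clock far ahead)
        expected = hmac.new(slice_key(self.master, slice_no), message,
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "bad tag"    # wrong passphrase, wrong slice, or altered message
        if (slice_no, tag) in self.seen:
            return "replay"     # same token presented twice inside the live window
        self.seen.add((slice_no, tag))
        # forget tokens from slices that can no longer be presented anyway
        self.seen = {(s, t) for s, t in self.seen if s >= current - ALLOWED_SKEW}
        return "ok"


if __name__ == "__main__":
    m = master_key("correct horse battery staple")
    rx = Receiver("correct horse battery staple")
    s, t = make_token(m, b"login alice", now=1000)
    print(rx.accept(s, b"login alice", t, now=1005))                     # ok
    print(rx.accept(s, b"login alice", t, now=1006))                     # replay
    print(rx.accept(s, b"login alice", t, now=1000 + 3 * WINDOW_SECONDS))  # stale
```

The replay set only has to cover live slices, which is what makes the time element cheap on the receiving side: a bare passphrase-derived MAC would need an unbounded list of everything ever accepted.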
>



------------------------------

From: Anthony Stephen Szopa <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: Download Random Number Generator from Ciphile Software
Date: Sun, 26 Mar 2000 05:25:32 -0800

Taneli Huuskonen wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> In <NjoB4.48416$[EMAIL PROTECTED]> "Tom St Denis"
> <[EMAIL PROTECTED]> writes:
> 
> >What is the period of the generator?
> 
> If I understand the documentation right, it's of the order of (10!)^2,
> which should be large enough for most purposes.  However, there is a
> flaw in the algorithm that makes it definitely unsuitable for serious
> cryptographic purposes and might affect its use for large-scale
> simulation too.  Basically, the generator first initializes three arrays
> of 10! permutations of 0..9 each.  Denote the i'th permutations in these
> arrays by a_i, b_i and c_i, respectively.  Then, on round i, the
> generator produces the number c_i (b_i (c_i (a_i (i mod 10)))), when
> 0 <= i < 10! .  When k * 10! <= i < (k+1) * 10!, the permutations
> a_{(i+k) mod 10!}, b_{i mod 10!} and c_{i mod 10!} are used instead.
> If one had access to the raw digit stream, there would be a rather
> trivial way to break the code, given maybe a couple hundred million
> known digits  -  the only thing that changes between round i and
> round i+10! is the permutation a_i.  However, these digits are
> transformed into a stream of bytes by grouping them into triplets,
> dividing by 3 and discarding anything exceeding 255.  This makes it more
> difficult to attack the cipher, possibly preventing an amateur such as
> myself from breaking it.
> 
> Taneli Huuskonen
> 
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.3i
> Charset: noconv
> 
> iQB1AwUBONavAQUw3ir1nvhZAQF7aAL8C5E9CiPZ2+R09U36x/0/KeQguoUqFnqZ
> 7Dj1Tee71DYpgpf+VwczxnlHuIPWH2wfzc4hlywCxbRVHvZUTXFHjm39LrlMlNw2
> 7OqJrJUtv1by6PlIELUbGAKmpBzNH9fi
> =nq2d
> -----END PGP SIGNATURE-----
> --
> I don't   | All messages will be PGP signed,  | Fight for your right to
> speak for | encrypted mail preferred.  Keys:  | use sealed envelopes.
> the Uni.  | http://www.helsinki.fi/~huuskone/ | http://www.gilc.org/

I'm not sure I understand exactly what you are hinting at but I have a
good idea.  Let me point something out.

First, you are not dealing with three files of arrays only when
generating the random output digits.  (The following is taken from 
the Theory Help file.)

Set1        Set2        Set3        Set4        Set5        Num
6327491805  5382460791  1352094678  9275041683  4256083719  0

Here you see five array files:  one in each column followed by the
output digit.  This output digit is derived from the Set4 and Set5
arrays.  Set4 is derived by using Set2 to index / transform Set3.
Set5 is derived likewise, but by using Set1 to index Set3.

Here begins new material:

For each output digit what can we assume we know?  At most we 
can assume we know the output digit (of course.)  We can assume 
we know which row the digit was generated from.  We can assume 
we know which element in Set5 was read to index Set4 to generate 
the output digit.

Now, what do we NOT know?  We do not know the Set5 array, the Set4
array, the Set3 array, the Set2 array, and the Set1 array.

What else?  We know that the random output digit came from Set4 but 
we do not know which element in Set4 it came from because although 
we know which element was read from the array in Set5, we do not 
know what that read digit was.

We know that for any given state of the primary array files:  Set1, 
Set2, and Set3, there are unique states generated for Set4 and Set5
because these two sets are determined from the state of the primary
array files.  Rotate Set3 and the state of the primary array files
change and this will change the state of Set4 and Set5.  Also, 
changing the usage will effectively change the state of the primary 
set files and therefore the state of Set4 and Set5 will change
completely.

So for any given state you will not know any of the arrays in any 
of the set files because with only the information we have this 
other information cannot be deduced or inferred.

No MEANINGFUL relationship(s) such as the ones you suggest above can 
be made.  You can write the relationships symbolically, but knowing 
only the data we assume we have, these relationships cannot be
quantified.  They remain variables or place holders waiting for 
values which cannot be determined.

Have I left anything out?  Can we assume we know more or know less?

Conclusion:

You see, because the state of Set4 and Set5 change completely when 
the state of the primary sets change, you only keep writing new and 
unique relationships.  In other words, you keep generating more 
unique expressions or equivalently, more unique variable 
relationships, with each state change.  You cannot solve 
simultaneous equations unless you have more equations than you have
variables.

This may be why the OAP-L3 random number generator is secure.  You
cannot determine any relationships between any of the random output
numbers.

This is quite an interesting state of affairs.

Hypothesis:  

Rule 1:  Every computer random number generator can be described
mathematically.  That is, each generation of a random number by the
computer random number generator can be described mathematically.

Rule 2:  If a random number generator has bias, it can be shown by
proving mathematically that an expression describing the generation 
of one specific random output number is equivalent to another 
expression describing the generation of a second random output 
number, and that these two numbers are equivalent or reveal some 
other consistent relationship such as >, <, >=, <=.  Determining 
any of these relationships as being consistent could reduce 
apparent entropy of the output from the random number generator.  
(A relationship of != does not convey any useful information.)

A strong or secure computer random number generator should have as 
much entropy as possible, or in other words, there should be few 
or no discernible consistent relationships between expressions 
describing generation of specific random output numbers.

------------------------------

From: [EMAIL PROTECTED] (Bruce Schneier)
Subject: Re: NIST publishes AES3 papers
Date: Sun, 26 Mar 2000 13:48:00 GMT

On 23 Mar 2000 20:50:27 -0800, [EMAIL PROTECTED]
(David A. Wagner) wrote:

>In article <OuL2vSKl$GA.241@cpmsnbbsa02>,
>Joseph Ashwood <[EMAIL PROTECTED]> wrote:
>> I still have my doubts about triple-DES, [...]
>
>Well, you are free to hold your own opinions, but
>triple-DES seems to be by far the most trusted cipher,
>if you poll folks in the field.
>
>The reason to go with triple-DES over an AES candidate
>is that triple-DES retains the decades of analysis on
>DES; AES candidates have received much less scrutiny
>(probably less than 1/10th as much analysis).

I agree.  No public algorithm has received more scrutiny than DES.   I
trust triple-DES over any of the AES candidates.  And I believe that
will hold true for years.  The AES candidates are still too new, and
have not been analyzed anywhere near as much.

Bruce
**********************************************************************
Bruce Schneier, Counterpane Internet Security, Inc.  Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN  55419      Fax: 612-823-1590
           Free crypto newsletter.  See:  http://www.counterpane.com

------------------------------

From: [EMAIL PROTECTED] (Bruce Schneier)
Subject: Re: NIST publishes AES3 papers
Date: Sun, 26 Mar 2000 13:48:38 GMT

On 23 Mar 2000 15:36:06 GMT, [EMAIL PROTECTED] (DJohn37050) wrote:

>Only free if sole winner is not true.  NIST has always said there might be many
>winners.
>Don Johnson

They have not always said that.  They started saying that recently,
and hopefully it will not happen.

Bruce
**********************************************************************
Bruce Schneier, Counterpane Internet Security, Inc.  Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN  55419      Fax: 612-823-1590
           Free crypto newsletter.  See:  http://www.counterpane.com

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
