Cryptography-Digest Digest #402, Volume #12 Thu, 10 Aug 00 17:13:00 EDT
Contents:
Re: Physical RNG ("Trevor L. Jackson, III")
Re: Secrets and Lies: New Book by Schneier ("Jeff Moser")
Re: OTP using BBS generator? (John Myre)
Re: 1-time pad is not secure... (Sander Vesik)
Re: Random Number Generator (David A. Wagner)
Re: 1-time pad is not secure... ("CMan")
Perfect double hashing of known data set ("Jim Idle")
Re: 1-time pad is not secure... (Frank Gifford)
Re: Secrets and Lies: New Book by Schneier (jungle)
Re: Key in ASCII ?? ("Trevor L. Jackson, III")
Re: BBS and the lack of proof (Mok-Kong Shen)
Re: Multiple encryption passes (ArchimeDES)
Re: 1-time pad is not secure... ("Trevor L. Jackson, III")
Re: BBS and the lack of proof ("Trevor L. Jackson, III")
newbie question on DH in SSL (Ken Tomei)
Re: Destruction of CDs (Dave Ashley)
Re: RNG from fish tank aerator ("Trevor L. Jackson, III")
newbie question on public key lengths (Ken Tomei)
Re: 1-time pad is not secure... (Scott Nelson)
Re: Destruction of CDs (Mickey McInnis)
Re: IDEA's current security (David A. Wagner)
Re: OTP using BBS generator? (Terry Ritter)
Re: OTP using BBS generator? (Terry Ritter)
----------------------------------------------------------------------------
Date: Thu, 10 Aug 2000 15:48:20 -0400
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Physical RNG
Anthony Stephen Szopa drooled:
> Ed wrote:
> >
> > Hello,
> >
> > I'm searching for a physical random number generator.
> > But I have an important constraint:
> > - it should be plugged in a PCI bus
> > - it should be useable under Solaris system ( or Unix system)
> >
> > If you know a physical RNG that doesn't match these criteria,
> > it could help me.
> >
> > Please send any information to : [EMAIL PROTECTED]
> >
> > Edouard DESSIOUX
> > Everbee
>
> You obviously want to generate random numbers.
>
> You cannot do any better than:
>
> Go to http://www.ciphile.com and download a shareware copy of
> OAR-L3: Original Absolutely Random - Level3 random number
> generator software.
>
> Go to the Downloads Currently Available web page.
>
> Or you can get OAP-L3: Original Absolute Privacy - Level3 encryption
> software package shareware.
>
> You should check this software out.
>
> A.S.
Wipe your mouth Tony, your drippings are offensive.
------------------------------
From: "Jeff Moser" <[EMAIL PROTECTED]>
Subject: Re: Secrets and Lies: New Book by Schneier
Date: Thu, 10 Aug 2000 14:45:01 -0500
Mr Schneier,
Is it possible to post PS form of the book (of a few chapters) like the
Handbook of Applied Cryptography?
I shall give a small background of myself..
I received Applied Cryptography in 1998 as a Christmas present from my
sister and since then, I have become a great fan of cryptography. I'll be
attending Purdue University in West Lafayette as a freshman this fall in
Math and Computer Science. I am paying my own way through college, so I
can't spend too much on extras outside of books for classes, tuition, and
dorm fees.
Your books are especially popular here (at Purdue), as Applied Cryptography
is usually always checked out by someone. I'm sure "Secrets and Lies" will
be on reserve for a long while after it's published. (I'll be reserving it
most definitely if I can as well as asking Santa for a copy like in '98)
If electronic publishing is not viable or possible, I can understand. I just
thought I'd try to explain a view from your younger readers.
Thank you for your time,
Jeff
------------------------------
From: John Myre <[EMAIL PROTECTED]>
Subject: Re: OTP using BBS generator?
Date: Thu, 10 Aug 2000 13:47:13 -0600
Terry Ritter wrote:
<snip>
> * THERE IS NO QUESTION that if we select x0 at random, sooner or
> later we *WILL* select a short cycle.
<snip>
No.
If an event has sufficiently low probability, then it is perfectly
sane and reasonable to design a system assuming it will never
happen. The system will have a finite lifetime. Depending on
the actual probabilities, it is certainly possible that the
unlikely will in fact fail to happen at all.
JM
------------------------------
From: Sander Vesik <[EMAIL PROTECTED]>
Subject: Re: 1-time pad is not secure...
Date: 10 Aug 2000 19:54:32 GMT
Tumbleweed <[EMAIL PROTECTED]> wrote:
> It should have been dead before Heisenberg, I have even read that Newton
> made a statement (not that I could point to a source) that not all events
> are predictable in detail simply because some bodies will have velocities
> measured as irrational numbers, and therefore can only be computed to a
> particular but not perfect detail. I wonder how it arose in the first place
> since the maths around at Newton's time was enough to disprove this, wasn't
> it?
Why would irrational numbers matter? You would just carry out all
intermediate computations symbolically and then compute to arbitrary
precision?
Remember, Newton lived in "pre-chaos" world.
> Joe
--
Sander
FLW: "I can banish that demon"
------------------------------
From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: Random Number Generator
Date: 10 Aug 2000 08:49:26 -0700
In article <8mtu40$9ck$[EMAIL PROTECTED]>, <[EMAIL PROTECTED]> wrote:
> - 57% Avalanche Effect
Uhh... Was this algorithm supposed to be cryptographically secure?
If so, this number should scream out for attention: either you did
your avalanche tests incorrectly, or it seems likely that your algorithm
is unsuitable for cryptographic uses.
> - 760Kbyte/sec performance
Slower than Triple-DES counter-mode, in other words?
------------------------------
From: "CMan" <[EMAIL PROTECTED]>
Subject: Re: 1-time pad is not secure...
Date: Thu, 10 Aug 2000 13:07:39 -0700
I have noticed a fractal pattern in the frequency distribution of one time
pad discussions on this newsgroup.
Like weather patterns, these discussions crop up, raise a lot of dust and
finally deteriorate into "oh yeah, so's yer old man".
The average length is about 50 messages but often they buzz on for hundreds
of off topic discussions. Nice source of entropy actually.
JK
--
CRAK Software
http://www.crak.com
Password Recovery Software
QuickBooks, Quicken, Access...More
Spam bait (credit E. Needham):
root@localhost
postmaster@localhost
admin@localhost
abuse@localhost
webmaster@localhost
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]
<[EMAIL PROTECTED]> wrote in message news:8mth1u$vpt$[EMAIL PROTECTED]...
> Here's a different viewpoint.
>
> I think all the crypto-books are wrong. One-time pad is only secure
> based on the assumption that random numbers do exist.
>
> But can you prove that random numbers really exist? No.
> Can you generate truly random numbers? No.
>
> It's like 1/x tends to zero but you'll never get zero, if you use
> enough bytes to hold the number.
>
> One-time pad is only computationally secure, no different from any
> other systems. The key-generating process may be duplicated, if not
> exactly, to some probability. And because the key is so long, getting
> at least a portion of the key right will be easier than in systems with
> a shorter key.
>
> Get the picture? You can duplicate the key-generating parameters:
> computer model, OS, PRNG, date, time, location, hardware, software,
> room temperature, humidity, magnetic field... The list goes on and on.
> Then the longer the key, the higher possibility that you'll get
> something right.
>
> --Sisi
>
>
>
> Sent via Deja.com http://www.deja.com/
> Before you buy.
------------------------------
From: "Jim Idle" <[EMAIL PROTECTED]>
Subject: Perfect double hashing of known data set
Date: Thu, 10 Aug 2000 13:05:20 -0700
Apologies if this is not quite the right newsgroup for this, but I suspected
some people here might know the answer to this:
Using a fixed length 256 byte string, in which each byte can take the value
0x00 to 0xFB, is it possible to construct two hashing algorithms under the
following constraints:
1) That for all possible inputs, the algorithms will not produce the same
hash pair for two different inputs (note that if the output were two small
numbers [for the sake of argument] then 4,5 and 5,4 are not considered the
same pair);
2) That the two algorithms produce an output that collectively is less than
(256*8)-1 bits;
This isn't meant to be a compression (other than not using more bits than we
started with) or encryption BTW, just a hash. I can't find anything
definitive on the Internet on this, but apologies if this is covered
somewhere, any pointers gratefully received (any algorithms even more
gratefully received). The question arose through discussion of hashing;
friends and I cannot decide the answer definitively and hoped that someone
here might be able to.
Thanks,
Jimi
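The question turns on a counting bound that can be checked directly: 252 symbols in each of 256 positions give 252^256 inputs, which need 256·log2(252), a little over 2042, bits to tell apart, and that is below the 2047-bit ceiling in constraint (2). The following is an added worked example, not a reply from the thread: it computes the exact bit count, builds an injective encoding by reading the 256 bytes as one base-252 integer, and splits that integer into an ordered pair of values that together satisfy both constraints. The function names (`pack`, `hash_pair`, `from_pair`) and the sample input are the example's own.

```python
"""Counting check and an injective two-value encoding for the 256-byte,
252-symbol strings in the question. Added example, not a reply from the
thread; the function names and the sample input are the example's own."""
from math import log2

RADIX = 0xFC                 # each byte takes 0x00..0xFB: 252 possible values
LENGTH = 256                 # fixed string length
BUDGET_BITS = 256 * 8 - 1    # constraint (2): the pair must total fewer than 2047 bits


def bits_needed():
    """Exact number of bits any injective encoding of the input space needs:
    the bit length of the largest packed value, 252**256 - 1."""
    return (RADIX ** LENGTH - 1).bit_length()


def pack(data):
    """Read the string as a base-252 integer, most significant byte first.
    Distinct strings give distinct integers, so this step is injective."""
    if len(data) != LENGTH or any(b >= RADIX for b in data):
        raise ValueError("expected exactly 256 bytes, each in 0x00..0xFB")
    value = 0
    for b in data:
        value = value * RADIX + b
    return value


def unpack(value):
    """Inverse of pack: recover the 256 bytes from the integer."""
    out = bytearray(LENGTH)
    for i in range(LENGTH - 1, -1, -1):
        value, out[i] = divmod(value, RADIX)
    if value != 0:
        raise ValueError("value is too large to have come from pack")
    return bytes(out)


LOW_BITS = bits_needed() // 2        # how many of the bits go into the second value


def hash_pair(data):
    """The two 'hashes': the high and low parts of the packed integer.
    The pair is ordered, as the question stipulates, and it determines the input."""
    value = pack(data)
    return value >> LOW_BITS, value & ((1 << LOW_BITS) - 1)


def pair_bits():
    """Total output width of the pair in bits."""
    return (bits_needed() - LOW_BITS) + LOW_BITS


def from_pair(h1, h2):
    """Inverse of hash_pair; its existence is what makes the pair collision-free."""
    return unpack((h1 << LOW_BITS) | h2)


# Constructed sample input: all 252 allowed byte values, then four more to make 256.
SAMPLE = bytes(range(RADIX)) + bytes([0, 1, 2, 3])

if __name__ == "__main__":
    print(f"inputs: 252^256 = 2^{256 * log2(RADIX):.1f}, needing {bits_needed()} bits "
          f"against a budget of {BUDGET_BITS}")
    h1, h2 = hash_pair(SAMPLE)
    print(f"pair width: {pair_bits()} bits; round trip ok: {from_pair(h1, h2) == SAMPLE}")
```

By the pigeonhole principle no pair of functions meeting constraint (1) can use fewer than 2043 bits in total, so the radix encoding is as tight as constraint (2) allows, with four bits to spare. Any invertible mixing of the packed integer (a bijection on 2043-bit values) would serve equally well if the outputs are meant to look hash-like rather than positional.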
------------------------------
From: [EMAIL PROTECTED] (Frank Gifford)
Subject: Re: 1-time pad is not secure...
Date: 10 Aug 2000 16:00:17 -0400
In article <[EMAIL PROTECTED]>,
John Savard <[EMAIL PROTECTED]> wrote:
>In fact, any cipher which has the properties:
>
>- it operates on blocks with N possible values, and produces blocks
>with the same N possible values as output,
>
>- there are N possible keys (or a multiple of N!),
>
>- for every input block, all N values of the output block are
>possible, and are reached by an equal number of keys
I'll mark this as the 'requirement'. See below...
>is 'perfect' in the sense required. Hence, DES, where the regular key
>is a constant, and where the 'key' applied from the one-time-pad
>consists of two subkeys, one from an even round and one from an odd
>round, is 'perfect' in this sense.
>
>(One can also replace a specific 32 bits of each of these two subkeys
>instead of all 48; the middle four bits of every six. This has to do
>with the structure of the S-boxes and the expansion permutation.)
All you are showing is how to possibly increase the keysize of DES to 64
bits from 56. You are not showing that the above 'requirement' is true.
For example, I may have an output value (in hex): 0xdeadbeefdeadbeef.
Every 64 bit key using a modified DES will provide a valid decryption of
that string - but some keys may provide the same decryption for that
given block, just by coincidence.
Because there may be duplicates, that means there must be holes in the
plaintext, which "could" be enumerated, and that weakens the requirement
for a OTP. Now, not all possible plaintexts are "equally likely".
-Giff
--
Too busy for a .sig
------------------------------
From: jungle <[EMAIL PROTECTED]>
Subject: Re: Secrets and Lies: New Book by Schneier
Date: Thu, 10 Aug 2000 16:13:29 -0400
Jeff Moser wrote:
====
> I received Applied Cryptography in 1998 as a Christmas present from my
> sister
====
> Your books are especially popular here (at Purdue), as Applied Cryptography
> is usually always checked out by someone. I'm sure "Secrets and Lies" will
> be on reserve for a long while after it's published. (I'll be reserving it
> most definitely if I can as well as asking Santa for a copy like in '98)
you need to ask santa to read this forum, then ...
------------------------------
Date: Thu, 10 Aug 2000 16:22:39 -0400
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Key in ASCII ??
Guy Macon wrote:
> Trevor L. Jackson, III wrote:
[snip to focus on fundamental issue]
>
> >The actual estimate means you can successfully predict the next
> >character of a text stream about half the time.
>
> That cuts the bits entropy per character in half. It doesn't reduce
> the bits entropy per character to one.
Let's try again. No matter how large the symbol set is, if I can predict the next
symbol with 50% probability, then that symbol contains one bit of information. In
this context information, entropy, disorder, uncertainty, and surprise are
synonyms. The fact that a symbol has more than one bit used in its representation
is an indication that the information density is lower than unity.
The trivial example is a fair coin flip. Since there are two states and the flips
are independent, the result contains one bit of information.
Given a fair 8-sided die, each roll generates three bits of information. An unfair
die produces less by Shannon's fundamental definition of information which is the
sum of the logarithms of the probabilities. Trivial examples: given odds of
50:50:0:0:0:0:0:0 the die obviously produces only one bit. Given odds of
25:25:25:25:0:0:0:0 the die produces two bits. Exercise for reader: how big does
the "1" face have to be to produce only one bit if the other seven sides all have
the same odds?
When applying these definitions to text we treat each character in sequence and
subtract from its numeric representation the degree by which we can predict the
value. Trivial example: In a numeric string consisting of repeated binary digits
we have the equivalent of the fair coin toss if the bits are independent and
uniformly distributed.
Example of structural context: In a numeric string composed of pairs of digits
where the leading digit is always zero or one and the trailing digit is always two
or three we need two bits to minimally represent each digit, but the information
carried by each digit is still only one bit. If all of the information is crammed
into the leading digit (by using four pairs of digits such as 00,11,22,33, or 00,
10, 20, 30) you still need two bits to hold each digit, but each digit (on average)
has only one bit of information -- this is because the _pairs_ only have two bits
of information.
These examples have obvious forms of redundancy. English text also has a great
deal of redundancy. One can estimate it statistically, using the preceding text to
condition the prediction of the next character.
With respect to your dictionary search, single words are not English text. There
is insufficient context to limit the information to a single bit per character.
After all, there are far more than 256 eight-letter words in English. However, a
random sequence of eight-letter words is hardly English text.
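The die and digit-pair figures above can be checked directly. The following is an added example, not part of Mr. Jackson's post: it implements Shannon's definition (the sum of p·log2 p over the outcomes), reproduces the one-, two- and three-bit die cases, solves the exercise by bisection, and estimates entropy per character conditioned on the preceding character, first for a constructed digit string built like the post's pair example and then for a constructed English-like sample. The sample strings and the helper names are the example's own.

```python
"""Shannon entropy worked through for the die and text examples in the post.
Added example, not part of the original post; all inputs are constructed."""
from collections import Counter
from math import log2


def entropy_bits(probs):
    """Shannon entropy H = -sum p*log2(p); impossible outcomes (p == 0) add nothing."""
    return -sum(p * log2(p) for p in probs if p > 0)


def loaded_die_probs(p_one, faces=8):
    """Die whose '1' face has probability p_one; the other faces share the rest equally."""
    rest = (1.0 - p_one) / (faces - 1)
    return [p_one] + [rest] * (faces - 1)


def solve_exercise(target_bits=1.0, faces=8, tol=1e-9):
    """The post's exercise: how heavy must the '1' face be for one bit per roll?
    Entropy falls monotonically from log2(faces) at p = 1/faces to 0 at p = 1,
    so bisection on p finds the crossing."""
    lo, hi = 1.0 / faces, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if entropy_bits(loaded_die_probs(mid, faces)) > target_bits:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def symbol_probs(text):
    """Empirical (unconditioned) symbol distribution of a string."""
    counts = Counter(text)
    n = len(text)
    return [c / n for c in counts.values()]


def conditional_entropy_bits(text):
    """H(next symbol | previous symbol), estimated from bigram counts: the
    'use the preceding text to condition the prediction' idea with a
    one-character context."""
    pairs = Counter(zip(text, text[1:]))
    prev_counts = Counter(text[:-1])
    n = len(text) - 1
    return -sum((c / n) * log2(c / prev_counts[a]) for (a, b), c in pairs.items())


def die_examples():
    """The post's three die cases, in bits."""
    return {
        "50:50:0:0:0:0:0:0": entropy_bits([0.5, 0.5] + [0.0] * 6),
        "25:25:25:25:0:0:0:0": entropy_bits([0.25] * 4 + [0.0] * 4),
        "fair 8-sided": entropy_bits([1 / 8] * 8),
    }


# Constructed string of digit pairs: leading digit in {0,1}, trailing digit in
# {2,3}, every pair equally often (the post's structural-context example). The
# trailing '0' closes the cycle so every transition occurs equally often.
PAIR_STRING = "02031213" * 64 + "0"

# Constructed English-like sample for the redundancy estimate.
ENGLISH_SAMPLE = ("the quick brown fox jumps over the lazy dog while the lazy dog "
                  "sleeps under the old oak tree and the fox runs back to the river ") * 4


if __name__ == "__main__":
    for label, h in die_examples().items():
        print(f"{label}: {h:.3f} bits")
    print(f"exercise: the '1' face needs probability {solve_exercise():.4f} for 1 bit/roll")
    print(f"digit pairs: {entropy_bits(symbol_probs(PAIR_STRING[1:])):.3f} bits/digit "
          f"unconditioned, {conditional_entropy_bits(PAIR_STRING):.3f} given the previous digit")
    print(f"english sample: {entropy_bits(symbol_probs(ENGLISH_SAMPLE[1:])):.3f} bits/char "
          f"unconditioned, {conditional_entropy_bits(ENGLISH_SAMPLE):.3f} given the previous char")
```

For the digit-pair string the unconditioned figure is two bits per digit (four symbols, equally likely) while the conditioned figure is exactly one bit, which is the post's point: the representation needs two bits, the information per digit is one. Conditioning on a single previous character is a crude estimator for English; longer contexts drive the estimate lower, and the sample here is far too short to reproduce published figures.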
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: BBS and the lack of proof
Date: Thu, 10 Aug 2000 22:37:24 +0200
lordcow77 wrote:
>
> tomstd <[EMAIL PROTECTED]> wrote:
> >Therefore I submit that all BBS generators have a period under
> >10, prove me wrong without empirical evidence.
> >
>
> IF all BBS generators have a period under 10, we can factor and
> decide quadratic residuosity for any composite. We select a non
> quadratic residue x such that Jacobi(x/n)=-1. We feed this x
> into the BBS generator, obtaining a first value of x_1 and use
> the guaranteed short cycle to find an x_prime leading back to
> x_1. x is a square root of x_1 mod n, as is x_prime. x!=x_prime
> because one is a QR and the other is not; this tells us that
> x^2=x_prime^2 mod n, the same relationship that we seek to
> obtain in the QFS or NFS. GCD(x-x_prime,n) will be a factor of
> n. We can factor n and consequently we can decide quadratic
> residuosity for n using your short cycle in *constant time*.
> Thus, computational complexity theory is turned upside down, you
> collect your Fields medal, you quickly become the richest person
> on this planet, and win everlasting fame.
>
I think one should clearly state to what, the direct output
of the congruence relation OR the LSB, the term 'period'
refers. According to David Hopwood, the BBS article left open
the issue of the relation between the periods of these
two types of entities. So there is apparently a gap in the
theory, since having huge periods of the direct output
of the congruence relation does NOT automatically mean huge
periods of LSB. As long as that gap is not filled, we can't
apparently jump from the hardness of factoring to the
property of LSB. For, if LSB turns out to have very short
periods most of the time or have other poor statistical
qualities, e.g. failing the serial test, then such sequences
are simply not usable for crypto applications, no matter how
much valuable theoretical stuff the BBS article contains.
M. K. Shen
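The factoring argument lordcow77 makes in the quoted text can be run on a toy modulus. The following is an added example, not code from any poster: it uses a constructed Blum modulus n = 11 · 19 = 209 (both primes are 3 mod 4), picks an x with Jacobi symbol (x/n) = -1, walks the BBS state sequence from x_1 = x^2 mod n until it returns to x_1, and uses the element just before the return, a second square root of x_1, to split n with a gcd. The walk is the cycle traversal that a later post in this digest asks about; the example assumes the cycle is short enough to traverse, which for a 209-element modulus it trivially is. Helper names such as `factor_from_cycle` are the example's own.

```python
"""Factoring a Blum modulus from a traversable BBS cycle (lordcow77's argument).
Added example, not code from the thread; the modulus 11*19 is a constructed toy."""
from math import gcd


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, by the usual reciprocity algorithm."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def find_nonresidue(n):
    """Smallest x > 1 with (x/n) = -1, hence certainly not a quadratic residue mod n."""
    x = 2
    while jacobi(x, n) != -1:
        x += 1
    return x


def factor_from_cycle(n, x):
    """Given Blum n and x with (x/n) = -1, walk x_1 -> x_1^2 -> ... around its
    cycle. The element just before the walk returns to x_1 is a square root of
    x_1 that is itself a residue, so it is neither x nor -x (for a Blum modulus
    (-1/n) = +1, so -x is a non-residue too). Two square roots that are not
    negatives of each other split n via a gcd.
    Returns (p, q, cycle_length, other_root)."""
    assert jacobi(x, n) == -1
    x1 = x * x % n
    prev, cur, steps = x1, x1 * x1 % n, 1
    while cur != x1:                      # squaring permutes the residues mod a Blum n,
        prev, cur = cur, cur * cur % n    # so x_1 lies on a cycle and this terminates
        steps += 1
    assert prev * prev % n == x1 and x * x % n == x1
    p = gcd(x - prev, n)
    assert 1 < p < n, "roots were +/- each other; cannot happen for (x/n) = -1"
    return p, n // p, steps, prev


def demo(p=11, q=19):
    """Constructed toy Blum modulus; returns (p, q, cycle length, second root)."""
    assert p % 4 == 3 and q % 4 == 3
    n = p * q
    return factor_from_cycle(n, find_nonresidue(n))


if __name__ == "__main__":
    p, q, length, root = demo()
    print(f"n = 209: non-residue x = {find_nonresidue(209)}, cycle length {length}, "
          f"second root {root}, gcd gives {p} * {q}")
```

The cost of the argument is entirely in the walk: for a real modulus the cycle through x_1 has length on the order of the group size unless the seed is unlucky, which is why the reduction says nothing about BBS in the usual case and everything about what a guaranteed short cycle would imply.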
------------------------------
From: ArchimeDES <[EMAIL PROTECTED]>
Subject: Re: Multiple encryption passes
Date: Thu, 10 Aug 2000 20:29:36 GMT
On Wed, 09 Aug 2000 16:25:52 GMT, [EMAIL PROTECTED] (Terry Ritter) wrote:
[...snip..-]
>>Security by obscurity?
>>Hmmm, the security of a cryptosystem is not given by the secrecy of
>>the algorithm used, only by the secrecy of the key (Principle of
>>Kerckhoffs).
>
>Presumably, cipher selection would be part of the key.
>
>It would be known that the system used multiple different ciphers.
>The group of ciphers from which some would be selected also might be
>known. But the particular ciphers selected for use at a particular
>time need not be known, because that could (should) be keyed.
But in this way, if I, the attacker, could guess the algorithm used (it's
possible, isn't it?), I would know something new about the key used...
ArchimeDES
===========================================
for mail remove SPAMDIE from address
------------------------------
Date: Thu, 10 Aug 2000 16:33:41 -0400
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: 1-time pad is not secure...
Guy Macon wrote:
> Mike Calder wrote:
>
> >It may be unpredictable, but does that make it random?
>
> For use as the key in a one time pad, isn't unpredictable good enough?
Necessary in fact. If the sequence is truly random but predictable it is
worthless. A truly random sequence is predictable if it has been revealed --
using it as a key counts as revelation.
------------------------------
Date: Thu, 10 Aug 2000 16:36:09 -0400
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: BBS and the lack of proof
Mark Wooding wrote:
> tomstd <[EMAIL PROTECTED]> wrote:
>
> > Among many BBS is thought to be a prng that is as secure as at least
> > factoring the associated modulus. However... nobody really knows
> > anything about the generated bits or the period of them.
>
> Predicting the output of a BBS generator mod n is proven to be as
> difficult as deciding quadratic residuosity mod n. If the period is
> short enough for you to traverse a cycle, you'll be able to predict the
> generator's output. Hence, traversing a cycle is at least as hard as
> deciding quadratic residuosity. QED.
Are you sure it is the traversal of a cycle rather than the finding of a cycle
to traverse that is equivalent? Can you mention a reference that makes this
distinction?
------------------------------
From: Ken Tomei <[EMAIL PROTECTED]>
Subject: newbie question on DH in SSL
Date: Thu, 10 Aug 2000 13:36:01 -0700
Hello,
Could someone please explain to me how the two global Diffie-Hellman
parameters are exchanged when DH is used in the SSL protocol? Does the
client generate these and send them to the server along with its
calculated public key? I haven't been able to find a clear explanation
in any text. Any help is much appreciated.
Thanks,
Ken
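In SSL 3.0 and TLS 1.0 the two global parameters come from the server, not the client: for the ephemeral (DHE) cipher suites the server's ServerKeyExchange message carries dh_p, dh_g and the server's public value dh_Ys, signed with the server's certificate key, and the client answers with a ClientKeyExchange carrying only dh_Yc. The following is an added example, not code from the thread or from any SSL implementation: it simulates the logical content of that exchange with a small safe prime generated on the fly, omits the signature and the wire encoding, and includes the checks a client should make on received parameters. Message field names follow the TLS 1.0 specification; the helper names are the example's own.

```python
"""Logical content of an SSL/TLS ephemeral Diffie-Hellman key exchange: the
server supplies p, g and Ys, the client returns Yc. Added example, not code
from any SSL implementation; the safe prime is generated at toy size and the
signature over the server's parameters is omitted."""
import secrets

# Deterministic Miller-Rabin witnesses; exact for n < 3.3e24, which covers the
# toy parameter sizes used here (a real group would be 1024 bits or more).
_WITNESSES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n):
    if n < 2:
        return False
    for w in _WITNESSES:
        if n % w == 0:
            return n == w
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _WITNESSES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_safe_prime(bits):
    """Return (p, q) with p = 2q + 1 both prime and p exactly `bits` bits long."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_prime(q) and is_prime(p):
            return p, q


def server_key_exchange(bits=64):
    """Server side: choose the group and an ephemeral secret exponent.
    Returns the ServerKeyExchange fields and the server's secret."""
    p, q = generate_safe_prime(bits)
    g = 4                    # 4 = 2^2 is a square mod p, so it generates the order-q subgroup
    xs = 2 + secrets.randbelow(q - 2)
    return {"dh_p": p, "dh_g": g, "dh_Ys": pow(g, xs, p)}, xs


def client_key_exchange(skx):
    """Client side: validate the received group and public value, pick an
    exponent, and return the ClientKeyExchange field plus the shared secret."""
    p, g, ys = skx["dh_p"], skx["dh_g"], skx["dh_Ys"]
    q = (p - 1) // 2
    if not (is_prime(p) and is_prime(q)):
        raise ValueError("dh_p is not a safe prime")
    if not 2 <= g <= p - 2 or pow(g, q, p) != 1:
        raise ValueError("dh_g does not generate the order-q subgroup")
    if not 2 <= ys <= p - 2 or pow(ys, q, p) != 1:
        raise ValueError("dh_Ys is not a valid element of the order-q subgroup")
    xc = 2 + secrets.randbelow(q - 2)
    return {"dh_Yc": pow(g, xc, p)}, pow(ys, xc, p)


def server_shared_secret(skx, xs, ckx):
    """Server side, once ClientKeyExchange has arrived."""
    p, yc = skx["dh_p"], ckx["dh_Yc"]
    if not 2 <= yc <= p - 2 or pow(yc, (p - 1) // 2, p) != 1:
        raise ValueError("dh_Yc is not a valid element of the order-q subgroup")
    return pow(yc, xs, p)


def run_exchange(bits=64):
    """Drive both sides; returns (ServerKeyExchange fields, client secret, server secret)."""
    skx, xs = server_key_exchange(bits)
    ckx, client_secret = client_key_exchange(skx)
    return skx, client_secret, server_shared_secret(skx, xs, ckx)


if __name__ == "__main__":
    skx, cs, ss = run_exchange()
    print("ServerKeyExchange:", skx)
    print("shared secrets agree:", cs == ss)
```

The subgroup checks on dh_Ys and dh_Yc are not in the SSL 3.0 or TLS 1.0 message flow themselves; they are the client- and server-side validation a careful implementation adds so that a peer cannot supply a small-order value and confine the shared secret to a few possibilities.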
------------------------------
From: Dave Ashley <[EMAIL PROTECTED]>
Subject: Re: Destruction of CDs
Date: Thu, 10 Aug 2000 20:33:43 GMT
Well, these other posts were interesting.
a)Scratching : +, easy to do, -, probably least reliable.
b)Microwaving : +, uses equipment that everyone has, -, toxic fumes,
residues, not sure I'd want to do that in one I used for food.
c)Shredding : +, pretty reliable, -, if you are in the business of
warehousing or selling nuclear secrets or some other endeavor where the
NSA is likely to throw a lot of effort at it, you might not be safe.
d)Incinerating : +, seems 100% reliable, -, toxic fumes and residues.
e)One method that hasn't been suggested is essentially to mill off the
reflection layer (a wire brush would do), then melt (but don't burn) the
reflection layer remains down to a monolithic blob. This eliminates the
fumes, and the remaining coasters may be recyclable.
My general suggestion is to tailor the mechanism to the activity you are
in:
Love letters: scratching.
Credit card numbers: shredding.
Dope dealing: incineration.
Murder-for-hire: incineration.
Illegal arms trading: incineration plus encasing the remains in a block
of concrete and dropping it in the ocean with a depth of at least 10,000
feet.
Selling nuclear secrets: incineration and depositing the remains in an
active volcano.
Dave.
In article <[EMAIL PROTECTED]>,
Thomas Kellar <[EMAIL PROTECTED]> wrote:
> There was a thread on this topic a couple of weeks ago.
> I received an advertisement for a device that shreds
> CDs. If anyone is interested the company name/address is
>
> Schleicher & Co. of America, Inc.
> 5715 Clyde Rhyne Dr.
> Sanford, NC 27330-9909
>
> ph: 1 800 775 7570 email: [EMAIL PROTECTED]
>
> They claim their "501 CD shredder" can eliminate 800 to
> 1200 CDs or credit cards per hour.
>
> A disinterested party. (Actually uninterested, I would burn them
> myself.)
>
> Thomas
> --
> w8twk Freelance Systems Programming http://www.fsp.com
>
>
--
====================================
Dave Ashley, [EMAIL PROTECTED]
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
Date: Thu, 10 Aug 2000 16:40:29 -0400
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: RNG from fish tank aerator
I've used this. It works well, but if you leave it running there are blank
spots in the data stream (someone turned off the lights that night ;-).
David Kuestler wrote:
> Just a thought along the lines of 'lavarand' ( and probably cheaper )
> how about generating random numbers by videoing the air bubble stream
> from a fish tank aerator ?
------------------------------
From: Ken Tomei <[EMAIL PROTECTED]>
Subject: newbie question on public key lengths
Date: Thu, 10 Aug 2000 13:41:43 -0700
I've looked through a few texts for a direct answer to this without much
luck, thought someone in this newsgroup could help. Is the precision of
a public key always fixed? In other words, if I'm using a 1024-bit RSA,
does that mean that all parameters (mod, exp, etc.) are exactly 1024-bit
with the MSB set to 1? Or is the 1024-bit a maximum limitation, meaning
they could range anywhere from 1 to 1024 bits? Please let me know.
Thanks,
Ken
------------------------------
From: [EMAIL PROTECTED] (Scott Nelson)
Subject: Re: 1-time pad is not secure...
Reply-To: [EMAIL PROTECTED]
Date: Thu, 10 Aug 2000 20:50:03 GMT
On Thu, 10 Aug 2000 06:11:11 GMT, [EMAIL PROTECTED] wrote:
>Here's a different viewpoint.
>
>I think all the crypto-books are wrong. One-time pad is only secure
>based on the assumption that random numbers do exist.
>
[snip]
That's a pretty good troll - I'd give it about a 75% chance
of producing more than 15 follow-ups, and a less than 10% chance
that you'll need to say anything on the subject ever again.
Of course, you could have cross-posted it to sci.crypt.random-numbers,
so I can only give it a 6 out of 10.
Scott Nelson <[EMAIL PROTECTED]>
------------------------------
From: [EMAIL PROTECTED] (Mickey McInnis)
Subject: Re: Destruction of CDs
Date: 10 Aug 2000 20:34:27 GMT
Reply-To: [EMAIL PROTECTED]
In article <8muh90$qg8$[EMAIL PROTECTED]>, "Martin 'SirDystic' Wolters"
<[EMAIL PROTECTED]> writes:
|> I read about destroying CDs something like that:
|> Don't microwave your CDs,because it causes
|> toxic gas. Put at least two big scratches on the
|> reflection layer instead. What do you people here
|> think about this method?
|>
|>
There's lots of error correction on CD's.
Some CD readers seem to do better error correction than others.
Radial scratches tend to leave short gaps in the track that the
reader can compensate for. Audio CD players vary widely in ability
to deal with scratches, so maybe data CD's do, too.
Scratches along a track leave longer gaps, but you might be able to
read the data between scratches.
There are increasing levels of security depending on your perceived
threat.
I would expect snapping the CD in two pieces with the crack
running through the center hole would be a good start. Protect
your eyes while doing this. It does tend to send out shrapnel.
Make sure the tiny pieces don't go somewhere you won't like them
being. This should keep casual snoopers from reading your data.
It also makes it readily visible which CD's are "trash".
Throw one piece in the trash, throw the other piece in a secure
drawer for some length of time to make it a little harder to
get both pieces.
Make more pieces for more security.
Mix pieces from many disks.
Put the pieces from one disk into multiple batches for disposal.
Dispose at different times or even different places.
Melting/burning would be better, but I would be concerned about toxic
byproducts. Stir the resultant puddle or ashes.
--
Mickey McInnis - [EMAIL PROTECTED]
--
All opinions expressed are my own opinions, not my company's opinions.
------------------------------
From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: IDEA's current security
Date: 10 Aug 2000 10:13:26 -0700
Runu Knips <[EMAIL PROTECTED]> wrote:
> There is not much cryptanalysis of Twofish around, for example.
Oh, I don't know about that. I know you were just trying to pick a
random example, but I suspect you could have picked a better example. :-)
I'd say Twofish is getting about as much attention as any of the other
AES finalists, which is to say, quite a lot, given the limited time frame.
We've got half a dozen papers on Twofish analysis:
N. Ferguson, ``Impossible differentials in Twofish''.
J. Kelsey, ``Key separation in Twofish.''
L. Knudsen, ``Trawling Twofish (revisited)''.
F. Mirza, S. Murphy, ``An observation on the key schedule of Twofish''.
F. Mirza, S. Murphy, ``The key separation of Twofish''.
S. Murphy, M. Robshaw, ``Differential cryptanalysis, key-dependent S-boxes,
and Twofish''.
(I also know of other analysis of Twofish which has not yet been published.)
And then there's an entire book, devoted mostly to cryptanalysis of Twofish.
To me, that seems to add up to a fair bit of analysis on Twofish.
(By the way, Bruce Schneier's last name does not have a `d' in it.)
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: OTP using BBS generator?
Date: Thu, 10 Aug 2000 21:02:16 GMT
On Thu, 10 Aug 2000 13:51:58 -0500, in
<[EMAIL PROTECTED]>, in sci.crypt Doug Kuhlman
<[EMAIL PROTECTED]> wrote:
>Terry Ritter wrote:
>>
><SNIP>
>>
>> No; a "negligible probability" means that some probability remains.
>> And with random selection, that result will eventually occur.
>>
>You should know better than that. The probability that the sound of air
>coming through a naturally shaped tunnel will play the entire
>VeggieTales collection is non-zero, but it's not gonna happen in the
>lifetime of the universe. Same thing applies here.
Sorry, but *you* should know better than that. None of this is about
weakness in practice, it is about falsely appearing to claim strength
on the basis of mathematical proof. The short-cycle weakness is a
theoretical weakness in the sense that it almost never occurs in
practice. But it is a practical weakness in the sense that the reason
to use BB&S in practice is to achieve the results of the theoretical
claim. But theoretically, if long cycle operation is not guaranteed,
short cycle operation will occur, and the "proven secure" system will
be insecure, sooner or later.
>> That logic is wrong. If there is a possibility of choosing a short
>> cycle, that *will* happen, sooner or later. Then the attacker *can*
>> factor N, which contradicts the assumption.
>>
>You consistently confuse possibility with probability and claim that one
>is the other. Read above.
Nope, that seems to be *your* problem: Possibility and probability
are statistical terms. If something is *possible* under random
selection, it eventually *will* *happen*. This concept is important
and you need to understand it. The same concept occurs in computer
programming.
>> Were this to be explained as it really is, I doubt that many users
>> would be happy with the phrase "proven secure."
>>
>Well, if the other issues could be cleaned up (like how the size of the
>overall cycle corresponds with that of the LSB cycle), I think almost
>everyone would, if they really understood what "negligible" likelihood
>meant.
So, basically, you are fine with changing the current description of
"proven secure," to "proven to have a negligible likelihood of
weakness." That's not as straightforward as "almost always secure,"
but it is an improvement.
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: OTP using BBS generator?
Date: Thu, 10 Aug 2000 21:05:33 GMT
On Thu, 10 Aug 2000 21:10:13 +0200, in
<[EMAIL PROTECTED]>, in sci.crypt Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:
>[...]
>(1) If indeed one could (though I doubt) quantitatively
>investigate the distribution of the cycle lengths of the
>output of the congruence relation, then one could assess
>the difference between the 'reduced' and the 'full' version
>in quantitative terms and hence allow the user to make his
>choice. Apparently, however, there is no way of doing that
>in theory conveniently, let alone in practice.
I think the math to do that does exist, for any particular N, and that
presumably can be generalized into a distribution for "N" in general.
But even if we do that we can't "guarantee" a secure system, and if
not, then why use BB&S at all?
I personally object to building ciphers with this sort of weakness,
for then we are depending upon randomness to not produce a particular
result when we know it might. That is weakness under our control; we
can't blame the opponent if we make it easy.
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
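Terry Ritter says the cycle-length math exists for any particular N, and Mok-Kong Shen's post earlier in this digest notes that the period of the LSB sequence need not match the period of the state sequence. Both can be tabulated exhaustively for a toy modulus. The following is an added example, not code from either poster: for the constructed Blum modulus 11 · 19 = 209 it enumerates the cycle decomposition of the squaring map on the quadratic residues, computes what fraction of randomly chosen seeds land on a cycle of each length, and for one cycle compares the state period with the period of its LSB output. Helper names such as `cycle_lengths` are the example's own.

```python
"""Cycle-length distribution of the BBS state map x -> x^2 mod n for one
particular modulus, and the LSB period of a chosen cycle. Added example, not
code from the thread; n = 11 * 19 is a constructed toy Blum modulus."""
from collections import Counter
from fractions import Fraction
from math import gcd


def residues(n):
    """Quadratic residues coprime to n: the states BBS can be in after one step."""
    return sorted({x * x % n for x in range(1, n) if gcd(x, n) == 1})


def cycle_lengths(p, q):
    """Counter {cycle length: number of cycles} of the squaring map on the
    residues mod p*q. For p, q = 3 (mod 4) squaring is a permutation of the
    residues, so every state lies on a cycle and each walk below closes up."""
    assert p % 4 == 3 and q % 4 == 3
    n = p * q
    seen, lengths = set(), Counter()
    for start in residues(n):
        if start in seen:
            continue
        x, length = start, 0
        while x not in seen:
            seen.add(x)
            x = x * x % n
            length += 1
        lengths[length] += 1
    return lengths


def seed_fraction_by_length(p, q):
    """Fraction of seeds x_0 (coprime to n) whose state x_1 = x_0^2 lies on a
    cycle of each length. Squaring maps the units onto the residues four-to-one,
    so the fraction is (states on cycles of that length) / (number of residues)."""
    lengths = cycle_lengths(p, q)
    total = sum(L * c for L, c in lengths.items())
    return {L: Fraction(L * c, total) for L, c in sorted(lengths.items())}


def state_and_lsb_period(n, start):
    """Walk the cycle through `start`; return (state period, LSB period).
    The LSB period always divides the state period and may be shorter."""
    cycle = [start]
    x = start * start % n
    while x != start:
        cycle.append(x)
        x = x * x % n
    bits = [v & 1 for v in cycle]
    L = len(bits)
    for d in range(1, L + 1):
        if L % d == 0 and all(bits[i] == bits[i % d] for i in range(L)):
            return L, d
    raise AssertionError("unreachable: d = L always matches")


if __name__ == "__main__":
    p, q = 11, 19
    print("cycles of x -> x^2 mod 209 on the residues:", dict(cycle_lengths(p, q)))
    for L, f in seed_fraction_by_length(p, q).items():
        print(f"  fraction of seeds on cycles of length {L:2d}: {f}")
    print("state period / LSB period for the cycle through 9:",
          state_and_lsb_period(p * q, 9))
```

For 209 the residues form a cyclic group of order 45 and squaring acts on exponents as doubling, so the cycle lengths are the orders of 2 modulo the divisors of 45: one fixed point, one 2-cycle, three 4-cycles, one 6-cycle and two 12-cycles. A third of the seeds land on a cycle of length four or less. Exhaustive enumeration is only possible at toy size; for a real modulus the same structure is described by the orders of 2 modulo the odd parts of p-1 and q-1, which is where the "math for a particular N" Ritter refers to lives.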
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************