Cryptography-Digest Digest #437, Volume #12 Mon, 14 Aug 00 10:13:00 EDT
Contents:
Re: 1-time pad is not secure... (jkauffman)
Proposal of drafting rules of conduct of posting (Mok-Kong Shen)
Re: Crypto Related Professional Attitude (Safuat Hamdy)
Re: Playfair-Analyze ? ("Amical")
Re: Impossible Differentials of TC5 (tomstd)
Re: Big Brother Is Reading Your E-Mail (tomstd)
New Serpent Sboxes (tomstd)
Re: What is up with Intel? (Eric Lee Green)
Re: BBS and the lack of proof (Mark Wooding)
Help with Crypto ([EMAIL PROTECTED])
Re: New Serpent Sboxes (tomstd)
Re: What is up with Intel? ("Trevor L. Jackson, III")
Re: What is up with Intel? ("Trevor L. Jackson, III")
Re: Random Number Generator ([EMAIL PROTECTED])
Re: OTP using BBS generator? (Mark Wooding)
Re: Random Number Generator (Eric Lee Green)
Re: Random Number Generator ([EMAIL PROTECTED])
----------------------------------------------------------------------------
From: jkauffman <[EMAIL PROTECTED]>
Subject: Re: 1-time pad is not secure...
Date: Mon, 14 Aug 2000 06:02:42 -0700
so, in conclusion having listened to various posters, can we
agree that:
1) True randomness does exist in nature if we are to believe
current QM theory, which we will and if you don't like it go
talk to sci.physics.
2) In practice our measurements of this randomness are
subject to error, but we know what the upper limits on these
errors are.
3) We can measure randomness sufficiently well, although not
perfectly, to make breaking our RNG infeasible.
4) The OP was wrong.
* Sent from AltaVista http://www.altavista.com Where you can also find related Web
Pages, Images, Audios, Videos, News, and Shopping. Smart is Beautiful
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Proposal of drafting rules of conduct of posting
Date: Mon, 14 Aug 2000 14:44:02 +0200
Note: my attention was called to the fact that an issue
that is 'buried' in a thread about another issue is not
likely to be noticed by many. So the following is a
re-post of what I sent a few hours ago.
I have a suggestion. Wouldn't it be nice if we had
something that I will temporarily term general rules of
conduct for posting to the group? (One rule could be, e.g.,
'Never use bad words', with a bit of explanation.) If a
sufficient number of people say 'yes' to the proposal, we
could arrange a drafting committee for it and have the
results discussed, amended and finally voted on at large
in the group. The rules could then be posted, say, every
week, so that the answer to posters who don't observe the
rules could simply be a pointer to certain items in that
article. Without wasting the group's bandwidth, I suggest
that those who say 'yes' e-mail me one line. If the count
reaches twenty, I'll make that fact known and arrange for
a subset of those who respond to constitute a drafting
committee. (I'll also post the count in 7 days, if the
proposal fails.)
M. K. Shen
=========================
http://home.t-online.de/home/mok-kong.shen
------------------------------
From: Safuat Hamdy <[EMAIL PROTECTED]>
Subject: Re: Crypto Related Professional Attitude
Date: 14 Aug 2000 14:23:25 +0200
"Sam Simpson" <[EMAIL PROTECTED]> writes:
> Safuat Hamdy <[EMAIL PROTECTED]> wrote in message
> > I doubt that one can seriously learn anything in sci.crypt.
>
> I agree with most of your post, but I believe the above statement is
> a little harsh. From time to time "reals gems" are to be found on
> sci.crypt - [...]
Maybe, but those gems are that rare, and *real* gems *will* eventually
appear elsewhere too, so it is quite unlikely that a professional will read
sci.crypt in order to get informed. There are numerous information channels
(many of them admittedly not really open to the public, for good reason
though) that are much better than sci.crypt. The problem with those
channels (as with sci.crypt) is to keep nerds and trolls away in order to
maintain a reasonable signal-to-noise ratio. With the advent of AOL,
CompuNerve and such this has obviously failed for sci.crypt. I've seen many
posters just claiming something (using the weirdest "arguments") where one
can almost always be sure that the authors do not really know what they
are talking about (using the words of Bob Silverman: they spread
misinformation). And look what they are "discussing" (meaning insulting
each other) about: OTP and such. And even if a professional (e.g. a "big
shot") comes along and participates and proves some false statement wrong,
often people are not willing to learn (most often because they decline to
use scientific and/or mathematical principles). Next, the initiator of this
thread recommends using kill files. However, it sometimes appears that the
amount of junk grows faster than one can edit his/her kill file (actually I
have to adjust it at least once a week).
Having said this, my first statement may appear to be harsh, but this
essentially is my experience with sci.crypt so far.
--
S. Hamdy | All primes are odd except 2,
[EMAIL PROTECTED] | which is the oddest of all.
|
unsolicited commercial e-mail | D.E. Knuth
is strictly not welcome |
------------------------------
From: "Amical" <[EMAIL PROTECTED]>
Subject: Re: Playfair-Analyze ?
Date: Mon, 14 Aug 2000 12:51:52 GMT
http://www.und.nodak.edu/org/crypto/crypto/resources.html
The Lanaki Course or FM 34-40-2 are excellent.
------------------------------
Subject: Re: Impossible Differentials of TC5
From: tomstd <[EMAIL PROTECTED]>
Date: Mon, 14 Aug 2000 06:05:54 -0700
Ulrich Kuehn <[EMAIL PROTECTED]> wrote:
>tomstd wrote:
>
>> I am trying to figure out how to recover key bytes from the
>> cipher given that we are trying to send the generic (0, d) input
>> difference through the cipher.
>
>That is also described in Knudsen's paper. But the key idea usually with
>all these distinguishers is the following. Have a cryptosystem with r
>rounds and a distinguisher for r-1 rounds. Then decrypt with a trial
>last round subkey and check whether the distinguisher works.
>
>For an impossible differential, you send the input difference down the
>cipher and then try the last round subkeys. Any key that suggests the
>impossible output must be necessarily a wrong guess. After sufficiently
>many plaintexts/ciphertexts and key guesses, only a single key should be
>remaining.
So this means you must send the 128-bit difference
(0,0,0,0,0,0,0,0,0,0,0,0,0,0,d1,d2)
After the first 32-bit feistel (first round of the 64-bit feistel) we
want an output difference of
(0,0,0,0,0,0,0,0,0,0,0,0,d3,d4,d1,d2)
The probability of this is very low, about ((2^-6)^5)^3 = 2^-90.
When the 32-bit right half gets xored to the 64-bit block at this point
we find the 128-bit difference is now
(0,0,0,0,0,0,0,0,d3,d4,d1,d2,d3,d4,d1,d2)
Then in the next round of the 64-bit feistel the left half
(d3,d4,d1,d2) will go into the 32-bit feistel. This is not the
required (0,0,d1,d2) as described by M.Wooding.
This is where I get confused....
Tom
===========================================================
Got questions? Get answers over the phone at Keen.com.
Up to 100 minutes free!
http://www.keen.com
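The last-round-key sieve that Ulrich Kuehn's reply describes, as an added example in Python (it is not code from the thread, and it is not TC5). The cipher is a hypothetical toy: an 8-bit Feistel with 4-bit halves, round function F(x, k) = S[x ^ k] using the PRESENT S-box (a bijection), six rounds and six independent nibble round keys. The distinguisher is the standard five-round impossible differential for a Feistel with a bijective round function: a plaintext difference (alpha, 0) can never become (0, alpha) after five rounds, so any guess for the sixth round key under which that difference appears is wrong.

```python
# Added example, not part of the original thread.  Toy cipher and key
# schedule are assumptions made for illustration; the sieve logic is the
# generic impossible-differential key-recovery step.

SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]   # PRESENT S-box (bijective)
ROUND_KEYS = [0x3, 0xA, 0x7, 0x1, 0xE, 0xB]       # assumed toy key schedule


def F(x, k):
    """Bijective round function; the impossibility argument needs bijectivity."""
    return SBOX[(x ^ k) & 0xF]


def encrypt(block, round_keys=ROUND_KEYS):
    """One round maps (L, R) -> (R, L ^ F(R, k)); no final swap."""
    l, r = block >> 4, block & 0xF
    for k in round_keys:
        l, r = r, l ^ F(r, k)
    return (l << 4) | r


def decrypt(block, round_keys=ROUND_KEYS):
    l, r = block >> 4, block & 0xF
    for k in reversed(round_keys):
        l, r = r ^ F(l, k), l
    return (l << 4) | r


def sieve_last_round_key(round_keys=ROUND_KEYS):
    """Return the set of sixth-round-key guesses that survive the sieve.

    Five-round impossible differential for this Feistel structure:
      forward  (alpha,0) -> (0,alpha) -> (alpha,beta) -> (beta, alpha^gamma)
               with beta, gamma != 0 because F is bijective;
      backward from (0,alpha): round 4 output is (alpha,0), round 3 output
               is (delta, alpha), so Delta R3 would have to equal alpha
               and alpha^gamma at once.  Contradiction, probability zero.
    Peel round 6 under every guess k6; a guess that produces (0,alpha)
    after five rounds is necessarily wrong.  The true key never is.
    """
    survivors = set(range(16))
    for alpha in range(1, 16):
        for p in range(256):
            p2 = p ^ (alpha << 4)            # plaintext difference (alpha, 0)
            if p2 < p:
                continue                     # visit each unordered pair once
            c, c2 = encrypt(p, round_keys), encrypt(p2, round_keys)
            l6, r6, l6b, r6b = c >> 4, c & 0xF, c2 >> 4, c2 & 0xF
            if l6 ^ l6b != alpha:            # R5 = L6 whatever k6 is: must differ by alpha
                continue
            for k in list(survivors):
                dl5 = r6 ^ r6b ^ F(l6, k) ^ F(l6b, k)   # L5 = R6 ^ F(L6, k6)
                if dl5 == 0:                 # (0, alpha) after 5 rounds: impossible
                    survivors.discard(k)
    return survivors


if __name__ == "__main__":
    print("true k6 = %#x, survivors = %s" % (ROUND_KEYS[-1], sorted(sieve_last_round_key())))
```

Pairs whose ciphertext left halves do not already differ by alpha are filtered before any key is tried, because that half is the untouched R5; the guess only enters through the other half. The true key is never discarded; wrong keys are discarded about one time in sixteen per surviving pair, so a few hundred pairs leave the true key essentially alone. Running all fifteen alpha values matters: the guess k6 ^ alpha gives the same F difference as k6 for that one alpha and can only be eliminated by pairs with a different alpha.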
------------------------------
Subject: Re: Big Brother Is Reading Your E-Mail
From: tomstd <[EMAIL PROTECTED]>
Crossposted-To: alt.privacy,alt.security.pgp
Date: Mon, 14 Aug 2000 06:08:24 -0700
Michael Brown <[EMAIL PROTECTED]> wrote:
>jungle <[EMAIL PROTECTED]> wrote:
>> Samuel Hocevar wrote:
>> > jungle <[EMAIL PROTECTED]> wrote:
>> > > someone wrote:
>> > > > Someone else wrote:
>> > > >
>> > > > > This program broke the PGP encryption in two minutes flat,
>> > > > > so you're not even safe with encryption.
>> > > >
>> > > > what program will break PGP in 2 min flat ?
>> > >
>> > > If we told you, we'd have to kill you.
>> >
>> > I did not direct my question to you, but
>> >
>> Then tell me and come on and kill me! Big deal, spout off and say
>> nothing you twerps
>
>I write:
>
>I don't like to enter into flame wars, but PGP (or any factoring based
>crypto algorithm) is incredibly weak if the two primes are different in
>the LSBs. eg:
>bit 0 : Always 1 (primes are odd)
>bit 1 : If different here it's curtains
>bit 2 : Harder than bit 1, but still quite easy
>etc
>
>Two very similar primes (eg 1000 least significant bits identical) would
>be still very hard to crack, though.
Um you mean primes that are numerically close together? Buzz
wrong bad idea. Tell me why or I will think you are a crank.
Geez ppl....
Tom
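Why Tom calls numerically close primes a bad idea, as an added example in Python (not from the thread): Fermat's method writes n = a^2 - b^2 = (a - b)(a + b) and walks a upward from ceil(sqrt(n)); it finishes as soon as a reaches (p + q)/2, so the cost is governed by (p - q)^2 and a modulus whose two primes are close falls in a handful of steps. The primes below are well-known ones (10^9 + 7, 10^9 + 9 and 2^31 - 1), chosen only to make the contrast visible at small size.

```python
# Added example, not part of the original post.
import math


def fermat_factor(n, max_steps=10 ** 6):
    """Fermat's method: find a with a^2 - n a perfect square b^2, then
    n = (a - b)(a + b).  Returns (p, q) or None if max_steps runs out."""
    if n % 2 == 0:
        return 2, n // 2
    a = math.isqrt(n)
    if a * a < n:
        a += 1                      # a = ceil(sqrt(n))
    for _ in range(max_steps):
        b2 = a * a - n
        b = math.isqrt(b2)
        if b * b == b2:
            return a - b, a + b
        a += 1
    return None


def fermat_steps(p, q):
    """Number of a-values the loop above needs for n = p*q: a walks from
    ceil(sqrt(n)) to (p + q)/2, so the count grows like (p - q)^2 / (8 sqrt(n))."""
    n = p * q
    a = math.isqrt(n)
    if a * a < n:
        a += 1
    return (p + q) // 2 - a + 1


if __name__ == "__main__":
    close = 1000000007 * 1000000009          # twin-like primes: one step
    print(fermat_factor(close), fermat_steps(1000000007, 1000000009))
    apart = 1000000007 * 2147483647          # same size, far apart: hopeless here
    print(fermat_factor(apart, 10 ** 5), fermat_steps(1000000007, 2147483647))
```

The defence is not "make the primes differ in their low bits" but simply choosing p and q independently at random; for random primes of equal bit length the gap is almost always of the order of the primes themselves, and Fermat's walk is then far longer than running a general-purpose factoring algorithm.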
------------------------------
Subject: New Serpent Sboxes
From: tomstd <[EMAIL PROTECTED]>
Date: Mon, 14 Aug 2000 06:13:47 -0700
For something to do I made some serpent-like sboxes. They are no
better, just different. Ideal for making families of serpent...
For the spec-techs they are 4x4 sboxes where the inverse and
natural share being fully SAC compliant, BIC compliant (order 3)
and an LP/DP max of 4. I used my newer sboxgen so the SAC test is
in fact more accurate.
The sboxes are at
http://www.geocties.com/tomstdenis/
Tom
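The properties Tom lists for a 4x4 S-box (a differential/linear maximum of 4, SAC, and the inverse sharing the properties of the forward box), as an added example in Python that is not from the thread and is not Tom's sboxgen. It builds the difference distribution table (DDT) and linear approximation table (LAT), reports the maxima, checks the strict avalanche criterion, and checks the Serpent design rule that a one-bit input difference never gives a one-bit output difference. It is run on Serpent's S0 and on the PRESENT S-box rather than on Tom's boxes, which are not on this page; BIC is not implemented.

```python
# Added example, not part of the original post.
SERPENT_S0 = [3, 8, 15, 1, 10, 6, 5, 11, 14, 13, 4, 2, 7, 0, 9, 12]
PRESENT_S = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
             0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def parity(v):
    return bin(v).count("1") & 1


def inverse(sbox):
    inv = [0] * 16
    for x, y in enumerate(sbox):
        inv[y] = x
    return inv


def ddt(sbox):
    """ddt[dx][dy] = number of x with S[x] ^ S[x ^ dx] == dy."""
    t = [[0] * 16 for _ in range(16)]
    for dx in range(16):
        for x in range(16):
            t[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return t


def lat(sbox):
    """lat[a][b] = (#x with a.x == b.S[x]) - 8; |entry|/16 is the linear bias."""
    t = [[0] * 16 for _ in range(16)]
    for a in range(16):
        for b in range(16):
            agree = sum(1 for x in range(16) if parity(a & x) == parity(b & sbox[x]))
            t[a][b] = agree - 8
    return t


def max_dp(sbox):
    """Largest DDT entry over non-zero input differences (4 means probability 1/4)."""
    return max(entry for row in ddt(sbox)[1:] for entry in row)


def max_lp(sbox):
    """Largest |LAT| entry excluding the trivial (0, 0) mask pair (4 means bias 1/4)."""
    t = lat(sbox)
    return max(abs(t[a][b]) for a in range(16) for b in range(16) if (a, b) != (0, 0))


def sac_table(sbox):
    """t[i][j] = number of inputs x for which flipping input bit i flips
    output bit j.  Strict avalanche holds when every entry is exactly 8."""
    t = [[0] * 4 for _ in range(4)]
    for i in range(4):
        for x in range(16):
            d = sbox[x] ^ sbox[x ^ (1 << i)]
            for j in range(4):
                t[i][j] += (d >> j) & 1
    return t


def satisfies_sac(sbox):
    return all(c == 8 for row in sac_table(sbox) for c in row)


def one_bit_to_one_bit(sbox):
    """Serpent criterion: total DDT weight on (1-bit in, 1-bit out); should be 0."""
    t = ddt(sbox)
    return sum(t[1 << i][1 << j] for i in range(4) for j in range(4))


if __name__ == "__main__":
    for name, s in (("Serpent S0", SERPENT_S0), ("PRESENT", PRESENT_S)):
        print(name, "DP max", max_dp(s), "LP max", max_lp(s),
              "SAC", satisfies_sac(s), "1bit->1bit", one_bit_to_one_bit(s),
              "inverse DP/LP", max_dp(inverse(s)), max_lp(inverse(s)))
```

The DDT of the inverse box is the transpose of the DDT of the forward box, and likewise for the LAT, so the differential and linear maxima are shared automatically; SAC is not a transpose property, which is why the post has to state it separately for the inverse. For 4-bit bijections a maximum of 4 in both tables is the best achievable, so "LP/DP max of 4" is the optimal class rather than a distinguishing feature.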
------------------------------
From: Eric Lee Green <[EMAIL PROTECTED]>
Subject: Re: What is up with Intel?
Date: Mon, 14 Aug 2000 13:17:34 GMT
Roger Schlafly wrote:
> lcs Mixmaster Remailer wrote:
> > A careful reading of the document reveals that Intel's version of the
> > bias remover uses three bits of state, rather than the two bit version
> > attributed to von Neumann. It is a genuine improvement.
>
> How is it better?
It allows Intel to patent something on the chip and then sue AMD if they
clone it. Should that not be obvious? What does functionality have to do
with anything?
> IMO, Intel should have omitted the bias
> rejecter. It makes the chip unpredictable. It is easy to
> do a much better job of removing bias in software. I'd rather
> have the raw bits.
Intel operates under the premise that "Only the Paranoid Survive". 'nuff
said. Most new features on Intel chips are there because Intel could
patent them and thus keep others from cloning them, not because they add
any real functionality.
--
Eric Lee Green There is No Conspiracy
[EMAIL PROTECTED] http://www.badtux.org
------------------------------
From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: BBS and the lack of proof
Date: 14 Aug 2000 13:18:03 GMT
Trevor L. Jackson, III <[EMAIL PROTECTED]> wrote:
>
> Mark Wooding wrote:
>
> > Yes. However, this glosses over the more difficult point of where you
> > get the cycle from. Given your previous numbers, we see that there's a
> > 2^{-224} probability of choosing one by accident, and no particularly
> > obvious better way. And certainly a normal user isn't going to be going
> > out of his way to use clever algorithms to find short cycles.
>
> Right, but we are discussing this from opposite perspectives. The
> verb "find" crops up again.
That's true. In this case, I didn't think it made much difference to
the meaning.
> > Note, however, that 2^{224} effort is considerably more than what's
> > required to factor 2048-bit numbers (extrapolating wildly from the
> > numbers given in Silverman's `A Cost-Based Security Analysis of
> > Symmetric and Asymmetric Key Lengths', RSA Security Bulletin 13).
> > So waiting for a short cycle to turn up by the user stumbling over
> > it isn't a clever attack, and factoring looks much better.
>
> This is a new claim (to me). Are you speculating or making a firm
> claim that factoring is much easier than searching for a short cycle?
> I was under the impression that the proof only showed cracking BBS was
> "at least as hard as" rather than "much worse than" factoring.
I've not seen or done the number theory; I'm relying on intuition a bit.
I'll try to do a little analysis later. In summary, my point is going
to be that accidentally using a traversable cycle is only one way of
discovering such a cycle, and finding such a cycle is only one way of
factoring, and I consider it doubtful that accidental discovery of a
traversable cycle is as easy as using heavyweight factoring methods such
as the number field sieve.
I think there's an analogy to be drawn here between another `required'
property of the initial seed: that it be relatively prime to the
modulus. Note that there are n - \phi(n) = n - (p - 1)(q - 1) = p + q
- 1 values less than n which have a common factor with n. One of these
is 0, which probably isn't interesting. All of the others will leak a
factor of n in use.
We can analyse the probability of leaking a factor in this way, if we
don't bother to check. Let's say that p and q are each k bits long, and
that n is therefore 2 k bits long. The probability of leaking a factor
is (p + q - 2)/n; taking (base-2) logs gives approximately k + 1 - 2 k =
1 - k. For a 1024-bit modulus n, the probability is then 2^{-511}.
But Silverman's analysis[1] shows that factoring a 1024-bit number is
approximately the same effort as a 2^{96} key search. So certainly an
adversary will prefer to crank up his factoring engine than compute GCDs
of your seeds with the modulus in the hope that you accidentally leak a
factor.
I believe that accidental use of a short cycle is similar to accidental
leaking of a factor. It's probably the case that finding elements on
short cycles is trivial when you know the factors. That's a very
different kettle of fish from accidentally using short cycle, though.
> If your claim mentioned above is firm and defensible, then it is
> reasonable to conclude that no attacker will waste time checking for
> short cycles because they can get better results by investing the
> effort in factoring.
>
> This appears to be the key issue.
I think that the claim's defensible, although I don't currently have the
maths. I'll take yet another squint at the BBS and VV papers and see
what happens.
> > > In your conclusion you used the opposite sequence, starting with QRP
> > > difficulty as an assumption and concluding that predicting the
> > > generator is hard.
> >
> > Yes, indeed. That's what Blum, Blum and Shub's 1982 paper tells us.
>
> Which generator -- the raw or filtered (no short cycles) one? I
> thought the original paper recommended an extensive set of filters on
> initial state.
The raw generator. The paper is presented as a comparison of two
generators, 1/P and x^2 mod N. It first establishes some interesting
properties of the 1/P generator, showing that it can be predicted given
a certain relatively small amount of output. It then establishes the
unpredictability of the (raw) x^2 mod N generator by showing that (a)
any advantage in predicting the generator yields a similar advantage in
deciding quadratic residuosity, and (b) that this latter advantage can
be amplified arbitrarily, hence solving QRP.
The paper then enters a discussion of cycle lengths, showing that the
cycle length is a divisor of \lambda(\lambda(n)), and discusses how to
find elements with exactly this cycle length.
Finally, it asks
questions about the simultaneous security of various bits of the x_i.
> I read the paper several years ago with the conclusion that I was not
> competent to judge it. I do not fear that the paper is wrong, but I
> do fear that it can be misinterpreted. Thus I appreciate the
> opportunity to investigate the issues at a speed comensurate with my
> comprehension. Thanks for the patience.
No problem. I consider this subthread to be a particularly rewarding
and interesting part of the general BBS discussion.
[1] Silverman gives higher equivalent symmetric key lengths for given
modulus sizes than Lenstra and Verheul, which is why I'm using his
paper rather than theirs.
-- [mdw]
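The quantities in Mark Wooding's post, worked on a toy modulus as an added example in Python (not code from the thread or from the BBS paper): the x^2 mod N generator, the gcd check on the seed that leaks a factor if it is skipped, the leak probability (p + q - 2)/n, and the cycle length, which the post says divides lambda(lambda(n)). The modulus n = 11 * 23 = 253 uses two primes congruent to 3 mod 4, small enough for trial division; nothing here is meant to be a secure size.

```python
# Added example, not part of the original post.
import math
from fractions import Fraction


def factorize(n):
    """Trial division; only for the toy moduli used here."""
    factors = {}
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def carmichael_lambda(n):
    """Carmichael function: lcm of lambda(p^e) over the prime powers of n."""
    lam = 1
    for p, e in factorize(n).items():
        if p == 2:
            v = 1 if e == 1 else 2 if e == 2 else 2 ** (e - 2)
        else:
            v = (p - 1) * p ** (e - 1)
        lam = lam * v // math.gcd(lam, v)
    return lam


def bbs_bits(n, seed, count):
    """x_0 = seed^2 mod n, x_{i+1} = x_i^2 mod n; emit the low bit of each x_{i+1}."""
    x = seed * seed % n
    out = []
    for _ in range(count):
        x = x * x % n
        out.append(x & 1)
    return out


def bbs_cycle_length(n, x0):
    """Period of x -> x^2 mod n from a quadratic residue x0 coprime to n."""
    x, k = x0 * x0 % n, 1
    while x != x0:
        x, k = x * x % n, k + 1
    return k


def seed_leaks_factor(n, seed):
    """gcd(seed, n) > 1 hands out a factor of n; returns that factor or None."""
    g = math.gcd(seed, n)
    return g if 1 < g < n else None


def leak_probability(p, q):
    """Share of seeds in [1, n) not coprime to n = pq: (p + q - 2) / n."""
    return Fraction(p + q - 2, p * q)


if __name__ == "__main__":
    p, q = 11, 23
    n = p * q
    assert p % 4 == 3 and q % 4 == 3          # Blum primes
    lam, lamlam = carmichael_lambda(n), carmichael_lambda(carmichael_lambda(n))
    print("lambda(n) =", lam, " lambda(lambda(n)) =", lamlam)
    print("cycle length from x0 = 9:", bbs_cycle_length(n, 9))
    print("first bits from seed 3:", bbs_bits(n, 3, 8))
    print("seed 22 leaks:", seed_leaks_factor(n, 22), " P(leak) =", leak_probability(p, q))
```

For this modulus lambda(253) = 110 and lambda(110) = 20, and the orbit of 9 under squaring has length exactly 20. The leak probability 32/253 is large only because the primes are tiny; the post's estimate 2^(1 - k) for k-bit primes is what it becomes at real sizes, which is why the comparison with factoring effort comes out the way it does.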
------------------------------
From: [EMAIL PROTECTED]
Subject: Help with Crypto
Date: Mon, 14 Aug 2000 13:13:10 GMT
I need some help or direction with a mathematical problem. It is a form
of algorithm(?) or a very simple calculation.
This has been bugging me for some months so I thought it was time to
sort this puzzle out. All ideas welcome
Example
86501042403 known answer 6608
94403375942 known answer 3676
Regards
[EMAIL PROTECTED]
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
Subject: Re: New Serpent Sboxes
From: tomstd <[EMAIL PROTECTED]>
Date: Mon, 14 Aug 2000 06:22:08 -0700
the url is
http://www.geocities.com/tomstdenis/
I missed an 'i'
Tom
------------------------------
Date: Mon, 14 Aug 2000 09:32:33 -0400
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: What is up with Intel?
John Savard wrote:
> On Sun, 13 Aug 2000 16:54:23 -0700, tomstd
> <[EMAIL PROTECTED]> wrote, in part:
>
> >On page four of the IntelRNG.pdf from cryptography.com they said
> >intel is patentning the von neuman rejector i.e with [0,0] and
> >[1,1] output nothing, output 0 for [1,0] and 1 for [0,1] which
> >hopefully lowers bias towards any given bit.
>
> >This idea is what 50 years old? How on earth can Intel patent
> >it?
>
> Nobody felt the need to do it in hardware before, so Intel can patent
> _that_ idea. But they can't patent von Neumann rejection in software
> for the reason you note.
I expect that this will fail the obviousness test.
------------------------------
Date: Mon, 14 Aug 2000 09:38:06 -0400
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: What is up with Intel?
lcs Mixmaster Remailer wrote:
> > On page four of the IntelRNG.pdf from cryptography.com they said
> > intel is patentning the von neuman rejector i.e with [0,0] and
> > [1,1] output nothing, output 0 for [1,0] and 1 for [0,1] which
> > hopefully lowers bias towards any given bit.
>
> A careful reading of the document reveals that Intel's version of the
> bias remover uses three bits of state, rather than the two bit version
> attributed to von Neumann. It is a genuine improvement.
Wider filters have been around "forever". They were even discussed here in
sci.crypt last year.
There may be something special about the patented device, but width cannot be
the only aspect that was improved.
Is there a reference available?
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Random Number Generator
Date: Mon, 14 Aug 2000 13:30:48 GMT
In article <4XPk5.20290$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:
> [EMAIL PROTECTED] wrote:
> > Do you think that there is no mapping of finite sets of natural
> > numbers into set of infinite sets of natural numbers?
> > Please evaluate this algorithm and you will believe.
>
> You know, from what I can see, a lot of people have evaluated this
> algorithm, and your block cipher and found problems with both. Not to
> mention your discrete log solver. ;)
>
> What I'd really like to know is how does this generator compare to the
> one in your quasi-one time pad cipher (AESC or AOTP or whatever it's
> called now). Did you take to heart any of the criticisms on it before
> launching into developing this?
Yes, I do.
But as you know, some criticisms are not friendly or not professional
enough. Someone should take a deeper look at the problem. All replies
are superficial. Not many of you spend time on algorithm design but have
fun with criticism. At the same time I have a lot of visitors to my Web site,
who download all my algorithms and do not waste time abusing someone
here. Please don't shame me. I sell nothing.
Regards.
Alex.
>
> --
> Matt Gauthier <[EMAIL PROTECTED]>
>
------------------------------
From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: OTP using BBS generator?
Date: 14 Aug 2000 13:44:16 GMT
Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> Two dumb questions: (1) Isn't it that in employing a product of two
> large primes for PK one has to check that there are certain properties
> other than size that are to be fulfilled?
Depends who you talk to. Some will waffle on about `strong primes' and
suchlike; others will tell you just to generate random primes. I think
that the random primes people are right.
The purpose of `strong primes' is to protect against a (known) few
special-purpose factoring algorithms which work well when the factors
have certain special (but actually rather rare) forms. There's not a
lot of point in doing this sort of protection, because the general
number field sieve, which has been our best factoring algorithm for
quite a while now, doesn't care about the forms of the factors, just how
large the product you're trying to factor actually is.
It may be the case that we find new useful special-purpose factoring
algorithms which attack factors of particular (but nonetheless
relatively common) forms. In this case, we might want to use `strong'
primes, but the strength properties we'll want probably won't be the
ones we ensured in our old `strong' primes.
> (2) Since some large numbers are evidently easy to factor, what does
> an assumption of hardness of factoring (without further
> qualifications) imply? I mean one probably has to characterize thereby
> the type of numbers being considered (namely those that are hard to
> factor according to some definite quantifiable measure) that one
> assumes to be dealing with for the presentation containing that
> assumption.
In the current environment, random primes are no worse than any others
of the same size, so we really do just think about the size of the
factors.
In general, though, I suppose we should consider the strength of
cryptosystems based on the integer factorization problem by the
difficulty of factoring the most difficult sorts of composite numbers
available, and then try to choose those sorts of composites. Currently,
those really are just the products of pairs of random primes.
-- [mdw]
------------------------------
From: Eric Lee Green <[EMAIL PROTECTED]>
Subject: Re: Random Number Generator
Date: Mon, 14 Aug 2000 13:44:58 GMT
Runu Knips wrote:
> [EMAIL PROTECTED] wrote:
> > Let me ask you how can man implement permutation
> > of bits not using Assembler?
>
> But you're able to program in Delphi which allows
> exactly that (as well as C) !
Not to mention that permutation of bits is exactly what is done inside
every Feistel-network cipher. You ought to have forwarded the poor sod
to http://www.nist.gov/aes for examples of how it is done.
> > There are no weakness and holes in this algorithm.
>
> If I would get that many comments on one of my
> algorithms I would be very thankful. But you,
> blessed by so many comments, just drop everything
> people tell you. Hey accepting help and advice
> from others is an important form of wisdom and
> greatness !
At first I thought that this twit had to be fifteen years old to make a
statement such as "There are no weakness and holes in this algorithm."
Given that even crypto gods like Rivest produce flawed algorithms from
time to time, it was the most arrogant statement that I have encountered
in eons. When I had to write a PRNG because the existing ones would not
work in my particular application, I carefully examined the literature,
looked at existing PRNG's, and used existing cryptographic-quality
components to build my PRNG -- but I make no claims such as "there are
no holes or weakness" in Ocotillo. There are, and some of them you could
drive a truck through. Probably the only claim that anybody can ever
make for any algorithm is "the weaknesses of this algorithm are not
important in my particular application". But statements such as "there
are no holes and weaknesses" tell me immediately that a) this person
will never be a "real" cryptographer ("real" cryptographers possess a
professional paranoia that says "there is always a hole or weakness, I
just haven't found it yet"), and b) this person probably is a jerk of
major proportions. Not the kind of impression I would want to make in a
forum that will be archived by deja.com for years (I certainly would not
hire this person for any job more demanding than toilet cleaning).
> People have proved your algorithm is wrong, so
> why don't you try to fix its faults ?
Because that would imply that his code is not perfect? Or that he had to
lift a finger and do his homework? Reminds me of a programmer my boss
had to fire a couple of years ago, I (the senior programmer at the
consulting firm) had been assigned to look at why his code was running
so slow (taking 40 seconds to save a screenful of grades into the grades
database!), I looked at his code, noted that a) it was totally
uncommented, and b) it was re-writing the entire bloody database rather
than caching the original screenful of data in memory and re-writing
only the changes. Told him he needed to document for each subroutine
what it did, what its inputs were, and what its outputs were, and that
he needed to write only changed data instead of updating every bloody
record that was displayed on the screen. He basically gave me the finger
(though he had been in the meeting where my boss had assigned me the
task of diagnosing the performance problem, and he had been assigned the
task of fixing it after I made my recommendations!), saying that he was
doing it right and if I wanted the code changed do it myself. My thought
at that moment was, "if I have to do it myself, why do we need you on
staff?". My boss came to the same conclusion. Poof. Gone. One arrogant
jerk with too high of self-importance quotient gone. I'm sure that
anybody else who's been in this industry for more than a few months has
encountered similar jerks. Alas, there seems to be an unlimited supply
of them, some of them smarter than others (that kid was stupid, last one
I met had a PhD but was totally useless in a team environment). The only
factor that is in common between all of them is that they are always
right, and everybody else is always wrong.
--
Eric Lee Green There is No Conspiracy
[EMAIL PROTECTED] http://www.badtux.org
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Random Number Generator
Date: Mon, 14 Aug 2000 13:39:32 GMT
In article <[EMAIL PROTECTED]>,
"Trevor L. Jackson, III" <[EMAIL PROTECTED]> wrote:
> Between this and Szopa I'm guessing the moon is full.
>
> [EMAIL PROTECTED] wrote:
>
> > In article <[EMAIL PROTECTED]>,
> > Jerry Coffin <[EMAIL PROTECTED]> wrote:
> > > In article <8mtu40$9ck$[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> > > says...
> > > > Alex Random Number Generator
> > > >
> > > > The objective of this algorithm is to map finite
> > > > key/seed to an infinite sequence of random bytes.
> > >
> > > This, of course, is impossible.
> >
> > Do you think that there is no mapping of finite sets of natural
> > numbers into set of infinite sets of natural numbers?
> > Please evaluate this algorithm and you will believe.
> >
> > >
> > > > - 16 byte Key/Seed
> > > > - 57% Avalanche Effect
> > > > - 760Kbyte/sec performance
> > > > - 64 Kbyte generated random string shows Null ZIP
> > > > compression
> > >
> > > A 16-byte key is large enough that although the sequence must
> > > eventually repeat, it shouldn't happen soon enough to care about.
> > > We've already gone over (in almost ridiculous detail) how stupid it
> > > is to make statements about performance without qualifying the
> > > statement as to the situation in which that particular level of
> > > performance was obtained. Avalanche normally applies to ciphers, not
> > > PRNGs, so it's hard to even guess at what you mean by "57% avalanche
> > > effect", though unless you're measuring something _really_ unusual,
> > > 57% is probably a pretty BAD number to get: for most obvious things
> > > you'd measure, you'd want outputs as close to either 50 or 100% as
> > > possible, and only numbers within .001 or so of those would be good
> > > enough to keep from rejecting the generator outright.
> > >
> >
> > Thank you. Please let me do some more investigation.
> >
> > > > - The probability to find in random sequence 0/1
> > > > value bits is exactly 50%
> > >
> > > This shows a lack of bias, but that's a long ways from being a
> > > comprehensive test of a PRNG.
> > >
> >
> > Please check it yourself.
> >
> > > You PRNG fails some of the FIPS 140-2 tests fairly regularly. It
> > > fails quite a few of the DieHard tests very consistently. Your PRNG
> > > is clearly NOT suitable for cryptographic use.
> >
> > It is only your assumption. Let us prove it.
> >
> > Regards.
> > Alex.
> >
> > >
> > > --
> > > Later,
> > > Jerry.
> > >
> > > The Universe is a figment of its own imagination.
> > >
> >
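The FIPS 140-2 tests Jerry Coffin refers to in the quoted text, as an added example in Python (not from the thread, and not the tool Jerry used): the four power-up statistical tests on a single 20,000-bit sample, with the pass intervals from FIPS 140-2 (monobit 9725 < X < 10275; poker 2.16 < X < 46.17; the run-length intervals in the table below; no run of 26 or more). The sample generators are constructed for the demonstration: a SHA-256 counter stream standing in for a reasonable source, an all-zero stream and an alternating stream standing in for broken ones. Passing these tests rules out gross defects only; as the quoted text says, it is a long way from a comprehensive evaluation.

```python
# Added example, not part of the original post.
import hashlib

RUN_BOUNDS = {1: (2315, 2685), 2: (1114, 1386), 3: (527, 723),
              4: (240, 384), 5: (103, 209), 6: (103, 209)}   # 6 means "6 or longer"


def fips_140_2_tests(bits):
    """FIPS 140-2 power-up statistical tests on one 20,000-bit sample.
    Returns {test name: passed}."""
    if len(bits) != 20000:
        raise ValueError("FIPS 140-2 tests need exactly 20,000 bits")
    results = {}
    # Monobit test: number of ones.
    ones = sum(bits)
    results["monobit"] = 9725 < ones < 10275
    # Poker test: chi-square style statistic over 5,000 non-overlapping nibbles.
    freq = [0] * 16
    for i in range(0, 20000, 4):
        freq[(bits[i] << 3) | (bits[i + 1] << 2) | (bits[i + 2] << 1) | bits[i + 3]] += 1
    x = (16 / 5000) * sum(f * f for f in freq) - 5000
    results["poker"] = 2.16 < x < 46.17
    # Runs test and long-run test: maximal blocks of identical bits.
    runs = {0: [0] * 7, 1: [0] * 7}          # index = run length, capped at 6
    longest = 0
    i = 0
    while i < 20000:
        j = i
        while j < 20000 and bits[j] == bits[i]:
            j += 1
        length = j - i
        runs[bits[i]][min(length, 6)] += 1
        longest = max(longest, length)
        i = j
    results["runs"] = all(lo <= runs[b][length] <= hi
                          for b in (0, 1) for length, (lo, hi) in RUN_BOUNDS.items())
    results["long_run"] = longest < 26
    return results


def hash_counter_bits(n_bits, label=b"constructed-demo"):
    """Constructed sample: SHA-256 in counter mode, expanded to bits MSB first.
    A stand-in for a decent generator, not a claim about any particular PRNG."""
    out = []
    counter = 0
    while len(out) < n_bits:
        block = hashlib.sha256(label + counter.to_bytes(4, "big")).digest()
        for byte in block:
            out.extend((byte >> k) & 1 for k in range(7, -1, -1))
        counter += 1
    return out[:n_bits]


def passes_all(bits):
    return all(fips_140_2_tests(bits).values())


if __name__ == "__main__":
    print("sha256 counter:", fips_140_2_tests(hash_counter_bits(20000)))
    print("all zeros:     ", fips_140_2_tests([0] * 20000))
    print("alternating:   ", fips_140_2_tests([i % 2 for i in range(20000)]))
```

The alternating stream is the instructive case for the "exactly 50%" claim in the quoted text: its monobit count is perfect, yet it fails the poker and runs tests outright, which is why a lack of bias alone says nothing about suitability for cryptographic use.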
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************