Cryptography-Digest Digest #956, Volume #12      Thu, 19 Oct 00 00:13:01 EDT

Contents:
  Re: x509 (David Wagner)
  Re: x509 (David Wagner)
  Re: How about the ERIKO-CHAN cipher? (David Wagner)
  Re: Kappa of different languages (JPeschel)
  My comments on AES (Bruce Schneier)
   ("Frog2000")
  Which "password" is best. ("Frog2000")
  Re: Is it trivial for NSA to crack these ciphers? ("John A. Malley")
  Re: SDMI Successfully Hacked (Mack)
  Re: Which "password" is best. (Tom St Denis)
  Re: srp-1.6.0 released (Thomas Wu)
  Re: BIOS password, will it protect PC with PGPDisk against tampering ? (Guy Macon)
  Re: x509 (Bryan Olson)
  Re: BIOS password, will it protect PC with PGPDisk against tampering ? ("bubba")
  Re: BIOS password, will it protect PC with PGPDisk against tampering ? ("Seeker")
  Re: Rijndael implementations (Tim Tyler)
  Re: pseudo random test (Tim Tyler)
  Re: Counting one bits is used how? ("bubba")
  Re: Comments wanted on NIST Rng Tests ("bubba")

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: x509
Date: 19 Oct 2000 01:18:17 GMT
Reply-To: [EMAIL PROTECTED] (David Wagner)

Bryan Olson  wrote:
>David Wagner wrote:
>> For instance, MD4 is almost broken.  Suppose someone extends
>> Dobbertin's techniques just a bit, enough to find pre-images
>> for MD4.  Now you're smart: you stopped using MD4 ages ago,
>> and all your signatures take the form <m, "MD5", Sign(MD5(m))>.
>>
>> Under the above scenario, there is an attack.  Let y = MD5(m).  I use
>> my inversion algorithm to find a preimage m' of y under MD4.  Now note
>> that <m', "MD4", Sign(MD5(m))> is a valid signature on m', which any
>> receiver will accept.  But the original signer never intended for m'
>> to be signed!  Therefore, the message integrity property is violated;
>> QED.
>
>But the algorithm ID protected under the signature does not
>prevent this attack.

Yes it does!

If your signature has the form <m, Sign(<"MD5",MD5(m)>)>, then
you will no longer be able to form a collision.  In particular,
you can't form <m', Sign(<"MD4",MD5(m)>)> because you only have
a signature on the bit-string <"MD5",MD5(m)>, but not a signature
on the bit-string <"MD4",MD5(m)>.

Note: it is crucial that the hash algorithm identifier be _inside_
the signature, but _outside_ the hash.  (In other words,
Sign(MD5("MD5",m)) is not secure, but Sign("MD5",MD5(m)) is.)

>Maybe.  Your answer implies that we should put into a
>certificate a statement of what signature algorithm(s)
>(including hash) may be used with the subject public key.

This reduces the problem, but does not eliminate it entirely.
If any of the algorithms you list in your certificate get broken,
attacks become possible, and you need to revoke your cert.

In contrast, if you include the hash algorithm you used in each
signature, then you don't need to worry about any such attacks,
ever; you just need the hash function you _did_ use to resist attack.
Thus, including the algorithm identifier in the signature is much
more robust.

Is it possible you might be getting confused by the fact that what
we're signing is a certificate?  The presence of both a certificate
for a key (PubK,PrivK) and a signature on a certificate using the
private key PrivK is potentially confusing, because we've got two
certificates playing a different role here.  Let's agree to just
talk about signatures on arbitrary messages, and then maybe the risk
of confusion will be less?  Is that ok?
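The three layouts Wagner contrasts (identifier outside the signature, inside the hash, and inside the signature but outside the hash), as an added example that is not part of the post. It assumes HMAC-SHA256 under a constructed signer key as a stand-in for Sign(), SHA-256 as the still-trusted hash (MD5 in the post), and a constructed toy hash "WEAK" that returns the last 32 bytes of its input to model a hash whose preimages have become cheap (MD4 in the post); all names and messages are constructed.

```python
import hashlib
import hmac

# Constructed stand-ins (not the post's code): HMAC-SHA256 under a signer
# key plays Sign(); the verifier holds the same key.  Only the *layout* of
# the signed bytes matters for the argument, not the signature primitive.
SIGNER_KEY = b"constructed demo signing key"

def sign(data: bytes) -> bytes:
    return hmac.new(SIGNER_KEY, data, hashlib.sha256).digest()

def sig_ok(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(data), sig)

def weak_hash(m: bytes) -> bytes:
    """Toy model of a hash whose preimages have become cheap (MD4 in the
    post): it returns the last 32 bytes of its input, so any string that
    ends in y is a preimage of y, whatever prefix the verifier prepends."""
    return m[-32:].rjust(32, b"\x00")

HASHES = {
    "STRONG": lambda m: hashlib.sha256(m).digest(),  # plays MD5: still trusted
    "WEAK": weak_hash,                               # plays broken MD4
}

def label(alg: str) -> bytes:
    return alg.encode() + b"|"

def signed_bytes(layout: str, alg: str, m: bytes) -> bytes:
    """The bytes that Sign() covers under each layout from the post."""
    h = HASHES[alg]
    if layout == "id_outside_sig":   # <m, alg, Sign(H(m))>
        return h(m)
    if layout == "id_inside_hash":   # <m, alg, Sign(H(alg, m))>
        return h(label(alg) + m)
    if layout == "id_inside_sig":    # <m, alg, Sign(alg, H(m))>
        return label(alg) + h(m)
    raise ValueError(layout)

def make_signature(layout: str, alg: str, m: bytes):
    return (m, alg, sign(signed_bytes(layout, alg, m)))

def verify(layout: str, triple) -> bool:
    m, alg, sig = triple
    return alg in HASHES and sig_ok(signed_bytes(layout, alg, m), sig)

def forge(layout: str, triple):
    """The substitution from the post: keep the signer's signature, swap the
    identifier to WEAK, and pick m' so the verifier recomputes exactly the
    bytes the signer signed.  Needs no key, only the WEAK inversion."""
    m, alg, sig = triple
    target = signed_bytes(layout, alg, m)      # public, recomputable
    m_forged = b"a message the signer never saw; " + target  # WEAK preimage
    return (m_forged, "WEAK", sig)

def run_all(m: bytes = b"pay Alice 10 dollars") -> dict:
    """Returns {layout: (genuine verifies, forgery verifies)}."""
    out = {}
    for layout in ("id_outside_sig", "id_inside_hash", "id_inside_sig"):
        genuine = make_signature(layout, "STRONG", m)
        forged = forge(layout, genuine)
        out[layout] = (verify(layout, genuine), verify(layout, forged))
    return out

if __name__ == "__main__":
    for layout, (ok, forged_ok) in run_all().items():
        print(f"{layout:16s} genuine={ok} forgery accepted={forged_ok}")
```

Only the layout with the identifier inside the signed bytes but outside the hash rejects the forgery; the other two accept it, as the post argues.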

------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: x509
Date: 19 Oct 2000 01:19:47 GMT
Reply-To: [EMAIL PROTECTED] (David Wagner)

Roger  wrote:
>So can anyone tell me? Why aren't signature public keys
>always linked to a specific hash function in a cert?

I don't know.  Linking public keys to a _single_ hash function
sounds like a good idea, and I don't see any reason not to do it.

(But it does require everyone to self-sign their certificates....)

------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: How about the ERIKO-CHAN cipher?
Date: 19 Oct 2000 01:25:06 GMT
Reply-To: [EMAIL PROTECTED] (David Wagner)

>Then you take your key, a 20-digit (or longer) integer, take its square
>root, and starting at the decimal point, you take every digit less than
>6 until you have as many digits as are in your message. Then you
>modulo-6-add this to the digits of your message.

(An aside: Why do I keep seeing this suggestion?  What is its
appeal?)

I don't recommend using square roots.  If you reveal every digit
of the square root, it is very easy to recover the key with a short
stretch of known keystream by using continued fractions.  What makes
you think that just omitting some of the digits is enough to patch
things up to prevent generalizations of this attack from working?
How do you know there isn't some crazy lattice attack, for instance?
Have you done any mathematical analysis at all?  This stuff is very
subtle, and you should spend an order of magnitude more time on analysis
than you do on design.

This general methodology -- the original scheme is broken, so you add
a minimal patch until you yourself can't break it, and maybe repeat
a couple of times if the revisions get broken, too -- well, it strikes
me as a pretty risky way to design ciphers.  It's a mindset, but IMHO
it's important.

------------------------------

From: [EMAIL PROTECTED] (JPeschel)
Date: 19 Oct 2000 01:28:01 GMT
Subject: Re: Kappa of different languages

[EMAIL PROTECTED] writes:

>I'm searching for the Kappa of different languages like
>english, french, german, turkish etc.
>Can anyone point me to a resource about this?

I think a web search of "kappa test german english..."
should find the information you want. But you might
wish to run your own kappa or IC tests on language
samples that you yourself collect.

Joe
__________________________________________

Joe Peschel 
D.O.E. SysWorks                                 
http://members.aol.com/jpeschel/index.htm
__________________________________________
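The IC and kappa tests Joe suggests running on your own samples, as an added example that is not part of the post. The English sample, the 26-letter alphabet restriction and the function names are constructed assumptions.

```python
from collections import Counter
from string import ascii_lowercase

# Constructed English sample (not from the post) to run the tests on.
SAMPLE_EN = (
    "The kappa test compares two texts letter by letter and counts how often "
    "the same letter appears at the same position. For two texts in the same "
    "language the rate is well above the one in twenty six expected from "
    "random letters, because common letters such as e and t line up more often."
)

def letters_only(text: str) -> list:
    """Keep a-z only, lower-cased, as the classical tests do."""
    return [c for c in text.lower() if c in ascii_lowercase]

def index_of_coincidence(text: str) -> float:
    """Friedman's IC: probability that two letters drawn without replacement
    from the text are the same.  Random 26-letter text gives 1/26 ~ 0.0385;
    natural languages sit higher (English is usually quoted near 0.066)."""
    letters = letters_only(text)
    n = len(letters)
    if n < 2:
        return 0.0
    counts = Counter(letters)
    return sum(c * (c - 1) for c in counts.values()) / (n * (n - 1))

def kappa(text_a: str, text_b: str) -> float:
    """Kappa test: fraction of aligned positions where the two texts carry
    the same letter, over the overlapping length."""
    a, b = letters_only(text_a), letters_only(text_b)
    n = min(len(a), len(b))
    if n == 0:
        return 0.0
    return sum(1 for x, y in zip(a, b) if x == y) / n

def expected_kappa(text: str) -> float:
    """Kappa expected between two independent texts with this text's letter
    frequencies: the sum of p_i squared.  Compare with 1/26 for random text."""
    letters = letters_only(text)
    n = len(letters)
    if n == 0:
        return 0.0
    return sum((c / n) ** 2 for c in Counter(letters).values())

if __name__ == "__main__":
    print("IC of sample      :", round(index_of_coincidence(SAMPLE_EN), 4))
    print("expected kappa    :", round(expected_kappa(SAMPLE_EN), 4))
    print("random-text kappa :", round(1 / 26, 4))
```

Feed each function a larger corpus of the language in question to get a stable per-language figure; a few sentences only show the direction of the effect.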


------------------------------

From: Bruce Schneier <[EMAIL PROTECTED]>
Subject: My comments on AES
Date: Wed, 18 Oct 2000 20:32:44 -0500

Recently there was a thread where people discussed my scant comments
on AES.  Those who expected them to appear in Crypto-Gram were
correct:

        http://www.counterpane.com/crypto-gram-0010.html#8

I also commented on the NSA's comments on AES:

        http://www.counterpane.com/crypto-gram-0010.html#9

Bruce

**********************************************************************
Bruce Schneier, Counterpane Internet Security, Inc.  Tel: 408-556-2401
3031 Tisch Way, Suite 100PE, San Jose, CA 95128      Fax: 408-556-0889
           Free crypto newsletter.  See:  http://www.counterpane.com

------------------------------

From: "Frog2000" <[EMAIL PROTECTED]>
Subject: 
Date: Wed, 18 Oct 2000 22:06:09 -0400

I have been "kicking around" various ideas for encryption.  I have tried to
get some random-passwords generated.  In picking a password, which one of
the 2 below would you choose, and why? I am testing stream ciphers based on
cellular transform methods.

Thanx.


Password 1

0n~gv3,1=bBz&!LalIweDx(JQ$_\jN@u:O%X^t}p#SV?y]2T7GW+odYRc

Password 2

RrL?tJc_'A=an3V~$e(;:+vo@Tl24%yqm!\FSXKpz&DW^#5HIN

--
http://welcome.to/speechsystemsfortheblind

http://www.MintMail.com/?m=18251



------------------------------

From: "Frog2000" <[EMAIL PROTECTED]>
Subject: Which "password" is best.
Date: Wed, 18 Oct 2000 22:08:03 -0400

Sorry for the repost, but I didn't think anyone would bother to read the one
where I forgot to put a subject.


I have been "kicking around" various ideas for encryption.  I have tried to
get some random-passwords generated.  In picking a password, which one of
the 2 below would you choose, and why? I am testing stream ciphers based on
cellular transform methods.

Thanx.


Password 1

0n~gv3,1=bBz&!LalIweDx(JQ$_\jN@u:O%X^t}p#SV?y]2T7GW+odYRc

Password 2

RrL?tJc_'A=an3V~$e(;:+vo@Tl24%yqm!\FSXKpz&DW^#5HIN

--
http://welcome.to/speechsystemsfortheblind

http://www.MintMail.com/?m=18251






------------------------------

From: "John A. Malley" <[EMAIL PROTECTED]>
Subject: Re: Is it trivial for NSA to crack these ciphers?
Date: Wed, 18 Oct 2000 19:13:42 -0700

"Stephen M. Gardner" wrote:
> 
> "John A. Malley" wrote:
> 
> > The original question from Mr. Gardener didn't place
> > any qualifiers on that group of scientists other than (1) security
> > clearances and (2) no open community peer review/awareness of their
> > work.
> 
>     I don't care what you say about me as long as you spell my name right.
> ;-)
> 

My apologies, Mr. Gardner - I must have accepted my spellchecker's
suggestion on that occurrence without looking!

John A. Malley
[EMAIL PROTECTED]

------------------------------

From: [EMAIL PROTECTED] (Mack)
Date: 19 Oct 2000 02:36:32 GMT
Subject: Re: SDMI Successfully Hacked

>http://www.theregister.co.uk/content/1/14057.html
>
>
>

Summary. SDMI seems to have
received a number of entries which
broke all of the technologies offered.

They claim only 450 entries were made.
This may be 450 successful entries.

I made one of those that I 'think' should
have passed but received a negative result.

It appears that all of the watermarks were
successfully removed by at least
some of the entrants.

SDMI is officially claiming they don't know
if any were successful.  I suspect they
are trying to get out of paying the $10k.

Not that it is a lot of money after you
split it 450 ways which seems to
be the way it will be distributed.

But it is certainly a show that the
effort was doomed from the start.

Officially - SDMI is alive and well
and may remain that way.

Unofficially - It didn't have a prayer.
SDMI is deader than roadkill on the 610
loop in Houston, TX.
Mack
Remove njunk123 from name to reply by e-mail

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Which "password" is best.
Date: Thu, 19 Oct 2000 02:57:33 GMT

In article <[EMAIL PROTECTED]>,
  "Frog2000" <[EMAIL PROTECTED]> wrote:
> Sorry for the repost, but I didn't think anyone would bother to read
> the one where I forgot to put a subject.
>
> I have been "kicking around" various ideas for encryption.  I have
> tried to get some random-passwords generated.  In picking a password,
> which one of the 2 below would you choose, and why? I am testing
> stream ciphers based on cellular transform methods.
>
> Thanx.
>
> Password 1
>
> 0n~gv3,1=bBz&!LalIweDx(JQ$_\jN@u:O%X^t}p#SV?y]2T7GW+odYRc
>
> Password 2
>
> RrL?tJc_'A=an3V~$e(;:+vo@Tl24%yqm!\FSXKpz&DW^#5HIN

Neither.

Tom


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: Thomas Wu <[EMAIL PROTECTED]>
Subject: Re: srp-1.6.0 released
Date: 18 Oct 2000 20:11:14 -0700

Philip MacKenzie <[EMAIL PROTECTED]> writes:
> 
> SRP 1.5.2 is ***vulnerable*** to active attacks by 
> corrupt/spoofing servers!!!!  That is, a spoofing server
> can obtain enough information to launch an offline-dictionary
> attack on a user, without the user even realizing it!
> If you do not upgrade, you will be using software that
> is potentially **weaker than ssh**, which is a shame since the

Actually, since ssh is also vulnerable to active attacks by
spoofing servers, it's potentially **as weak as** ssh UserAuth,
but never weaker than.

> whole point of SRP was to alleviate some of the security
> issues associated with ssh - in particular, vulnerability
> to spoofing server attacks.

Yep, upgrade to 1.6.0.  I am working with the commercial vendors
to ensure that the new code makes it into their software.
-- 
Tom Wu                        * finger -l [EMAIL PROTECTED] for PGP key *
 E-mail: [EMAIL PROTECTED]       "Those who would give up their freedoms in
  Phone: (650) 723-1565              exchange for security deserve neither."
   http://www-cs-students.stanford.edu/~tjw/   http://srp.stanford.edu/srp/

------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: BIOS password, will it protect PC with PGPDisk against tampering ?
Date: 19 Oct 2000 03:24:09 GMT



>When you need to protect a PC [ win95/98 is running on it ] against physical
>tampering [ to sneak into the PC some backdoor software, software key loggers,
>replacements of encryption binaries ... ] on a PC that has wide & open
>physical access to it, what would be the most cost effective solution ?
>
>The people in question are using & are customized with encryption for
>e-mail, PGP and with hard disk encryption, PGPdisk.
>
>They have good protection in case of virus infection, the online active
>VShield is intercepting all disk activities.
>
>The possible problem of less protected exposure exists when the booting process
>is transferring access from the DOS to the WIN operating system. At this time all
>can be suspended, software added to non-encrypted disks [ win95/98 is not
>running from an encrypted disk ], executables replaced, software installed.
>They are very comfortable with PGPDisk encryption and would like to stay
>with it when possible.
>
>One of the first options that has been suggested is a BIOS password. It is
>very short, about 5 characters long, but it could create about a 60 minute
>buffer.
>
>From the description of how the PC is used, users are estimating that the
>window of intrusion could be no longer than 60 minutes, except if the PC is
>stolen. In the event of a stolen PC, data is protected by PGPdisk.
>
>The solution they are willing to consider would be in the area of knowing
>that tampering occurred, instead of preventing tampering when that is
>prohibitively expensive.

Easy.  Go to [ http://www.dirtcheapdrives.com/ ], click on "Dataport"
[ http://www.dirtcheapdrives.com/welcome_pages/dataport_w/index.html ]
and take your drive with you when you leave.  You can even get a clean
drive to leave in there for the attacker to waste time on.


------------------------------

From: Bryan Olson <[EMAIL PROTECTED]>
Subject: Re: x509
Date: Thu, 19 Oct 2000 03:18:34 GMT

David Wagner wrote:
> Bryan Olson  wrote:
> >But the algorithm ID protected under the signature does not
> >prevent this attack.
>
> Yes it does!
>
> If your signature has the form <m, Sign(<"MD5",MD5(m)>)>, then
> you will no longer be able to form a collision.

Ah, I see.  You're pointing out the advantage of a form such
as PKCS-1.  Unfortunately...

> Note: it is crucial that the hash algorithm identifier be _inside_
> the signature, but _outside_ the hash.

We're talking about an X.509 certificate, which has the
algorithm identifier as one of the fields of the "to be signed"
structure.  Here "signed" is the entire hash-and-do-math
operation (and the algorithm identifier names the signature
algorithm, not just the hash).  The certificate standard does
not assume or recognize that hashing is a different step from
what a cryptologist might call signing.


[...]
> Is it possible you might be getting confused by the fact that what
> we're signing is a certificate?  The presence of both a certificate
> for a key (PubK,PrivK) and a signature on a certificate using the
> private key PrivK is potentially confusing, because we've got two
> certificates playing a different role here.  Let's agree to just
> talk about signatures on arbitrary messages, and then maybe the risk
> of confusion will be less?  Is that ok?

No, the question was specifically about the repeated algorithm
identifier in an X.509 certificate.  It appears first as one
of the data fields in the text that will be hashed/signed.  It
appears again completely outside the signature.

Your post did remind me of the recent thread on hash identifiers:

    http://x69.deja.com/[ST_rn=ps]/viewthread.xp?AN=648697069.2

The X.509 signature algorithm identifier is of the useless form.


--Bryan


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: "bubba" <[EMAIL PROTECTED]>
Subject: Re: BIOS password, will it protect PC with PGPDisk against tampering ?
Date: Thu, 19 Oct 2000 03:39:04 GMT

Backdoor BIOS passwords for many computers can be found on the
net. In addition, I doubt many BIOS password schemes involve
modern encryption algorithms. But your worry seems legitimate. I
could build a PGP replacement executable that operated normally
and correctly, except that it maintained a stealth list of all passwords
entered.


"pgp651" <Use-Author-Address-Header@[127.1]> wrote in message
news:[EMAIL PROTECTED]...
> -----BEGIN PGP SIGNED MESSAGE-----
>
> When you need to protect a PC [ win95/98 is running on it ] against physical
> tampering [ to sneak into the PC some backdoor software, software key loggers,
> replacements of encryption binaries ... ] on a PC that has wide & open
> physical access to it, what would be the most cost effective solution ?
>
> The people in question are using & are customized with encryption for
> e-mail, PGP and with hard disk encryption, PGPdisk.
>
> They have good protection in case of virus infection, the online active
> VShield is intercepting all disk activities.
>
> The possible problem of less protected exposure exists when the booting
> process is transferring access from the DOS to the WIN operating system. At
> this time all can be suspended, software added to non-encrypted disks
> [ win95/98 is not running from an encrypted disk ], executables replaced,
> software installed. They are very comfortable with PGPDisk encryption and
> would like to stay with it when possible.
>
> One of the first options that has been suggested is a BIOS password. It is
> very short, about 5 characters long, but it could create about a 60 minute
> buffer.
>
> From the description of how the PC is used, users are estimating that the
> window of intrusion could be no longer than 60 minutes, except if the PC is
> stolen. In the event of a stolen PC, data is protected by PGPdisk.
>
> The solution they are willing to consider would be in the area of knowing
> that tampering occurred, instead of preventing tampering when that is
> prohibitively expensive.
>
> Any suggestions would be welcomed.
> Thank, pgp651
>
> ~~~
> This PGP signature only certifies the sender and date of the message.
> It implies no approval from the administrators of nym.alias.net.
> Date: Wed Oct 18 21:20:41 2000 GMT
> From: [EMAIL PROTECTED]



------------------------------

From: "Seeker" <[EMAIL PROTECTED]>
Subject: Re: BIOS password, will it protect PC with PGPDisk against tampering ?
Date: Thu, 19 Oct 2000 03:38:03 GMT

> One of the first options that has been suggested is a BIOS password. It is
> very short, about 5 characters long, but it could create about a 60 minute
> buffer.

The window of protection on BIOS passwords is more like 5 minutes.




------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Rijndael implementations
Reply-To: [EMAIL PROTECTED]
Date: Thu, 19 Oct 2000 02:39:00 GMT

Benjamin Goldberg <[EMAIL PROTECTED]> wrote:
: Tim Tyler wrote:
:> Benjamin Goldberg <[EMAIL PROTECTED]> wrote:
:> : Tim Tyler wrote:
:> :> Paul Schlyter <[EMAIL PROTECTED]> wrote:

:> :> :Java is also designed to execute on only one single
:> :> :architecture, the Java virtual machine, while C was designed to
:> :> :execute on many different architectures.
:> :>
:> :> There's no difference between C and Java in this respect.
:> :> [if there's a difference it's that] C is often shipped in compiled
:> :> form, while Java is almost always compiled on the target machine at
:> :> some stage before being executed.
:> 
:> : Untrue, UNLESS you are considering just-in-time compiling to be
:> : compiling.
:> 
:> Well, naturally I am considering "just-in-time compiling" to be
:> compiling.
:> 
:> See the "compiling" there in the name?  It is there with good reason.

: I was considering "compiling" to mean .java -> .class, whereas you're
: considering "compiling" to mean [parts of a] .class -> platform
: dependent machine code.

Both qualify as "compiling" - and both are commonly referenced by the term.

: And, if you are considering that... you might want to know that some
: .java->.class compilers will also do the .class-> platform dependent
: code, for the machine they're on, and include that in the .class file
: for faster execution on the targeted platform.

This seems likely to be a mistaken notion.  Any such inclusion would
violate the Java class file specification - not to mention Java's class
verification framework.

If you're not sure what can be included in class files, there are many
specification documents around, e.g.:

  http://java.sun.com/docs/books/vmspec/html/ClassFile.doc.html

Plenty of compilers produce native executable code - but I have yet to
hear of any that add proprietary extensions to the class file format
in order to do so.
-- 
__________  Lotus Artificial Life  http://alife.co.uk/  [EMAIL PROTECTED]
 |im |yler  The Mandala Centre   http://mandala.co.uk/  http://av.com/

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: pseudo random test
Reply-To: [EMAIL PROTECTED]
Date: Thu, 19 Oct 2000 02:52:25 GMT

Jacques Thériault <[EMAIL PROTECTED]> wrote:
: Tim Tyler <[EMAIL PROTECTED]> wrote:

:> Posting binary data to non-binary usenet groups is liable to get you
:> lynched.

: I didn't realize that this news group was your property or that you were
: the sci.crypt POLICEMAN....

It sounds like there are still some other things you don't realise ;-|
-- 
__________  Lotus Artificial Life  http://alife.co.uk/  [EMAIL PROTECTED]
 |im |yler  The Mandala Centre   http://mandala.co.uk/  Free gift.

------------------------------

From: "bubba" <[EMAIL PROTECTED]>
Subject: Re: Counting one bits is used how?
Date: Thu, 19 Oct 2000 03:44:05 GMT

All "real" computers seem to have this instruction, including
Digital Equipment Corp's Compaq Alpha, and Intel's Itanium
Merced. Hey AMD,...


"Tim Tyler" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> "Peter van der Linden" <[EMAIL PROTECTED]> wrote in message
> news:8sgehk$2eha$[EMAIL PROTECTED]...
>
> > How does counting the number of 1 bits in a word
> > relate to crypto?
> >
> > Just curious about why this seemingly recondite instruction
> > pops up in various instruction sets.   How is it useful?
>
> I'm not sure about cryptography - but it makes for a fast, bitwise "~=" -
> which may well have uses in cryptanalysis.
>
> ``There was a strange instruction on Cybers called the Population Count
> instruction.  It returned the number of "1" bits in the argument. It was
> rumored that this instruction was added to Cybers by the designer, Seymour
> Cray, at the request of the National Security Agency (NSA). There is some
> validity to this rumor, but it may never be proven.'' -
> http://w3.uwyo.edu/~jimkirk/cyber_era.html says.
>
> The instruction is sometimes known as the "NSA instruction" as a
> consequence - no doubt to the irritation of those who were brought up to
> believe that the NSA instruction should perform a "Nibble Swap" on the
> "Accumulator".
>
> One alternative looks something like:
>
> #define BITCOUNT(x) (((BX_(x)+(BX_(x)>>4)) & 0x0F0F0F0F) % 255)
> #define BX_(x) ((x) - (((x)>>1)&0x77777777) \
> - (((x)>>2)&0x33333333) \
> - (((x)>>3)&0x11111111))
>
> ;-)
> --
> __________  Lotus Artificial Life  http://alife.co.uk/  [EMAIL PROTECTED]
>  |im |yler  The Mandala Centre   http://mandala.co.uk/  Namaste.
>
>
>
>



------------------------------

From: "bubba" <[EMAIL PROTECTED]>
Crossposted-To: sci.crypt.random-numbers
Subject: Re: Comments wanted on NIST Rng Tests
Date: Thu, 19 Oct 2000 03:52:27 GMT

Brice,

This group moves at a slower pace than many. Do not think your message
is going unnoticed, though. If you are referring to the same C code that I
recollect, I believe there were some objections to the fact that it was
released in a form most suitable to equipment made by a single company,
Sun Microsystems. Also, some of the example runs seemed out of date.

<[EMAIL PROTECTED]> wrote in message news:8sk372$jqm$[EMAIL PROTECTED]...
> Thank you for your input. I am sure a lot of you experts must have some
> comments too on the subject. I would very much appreciate your input on
> that subject.
>
> Thank you.
>
> Brice.
>
> In article <[EMAIL PROTECTED]>,
>   Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> >
> >
> > [EMAIL PROTECTED] wrote:
> > >
> >
> > > Have you got any views, comments on this test suite given by NIST?
> > > How does it compare to DIEHARD? Is it likely to become a standard in
> > > testing Rngs for cryptographic applications?
> >
> > I have not used the suite but it seems to be based on lots
> > of careful work with knowledge of existing packages like
> > Diehard and hence can be expected to be superior to these.
> > To the last question, my estimate is yes (if not a standard
> > then so much employed that it will be defacto one).
> >
> > M. K. Shen
> >
>
>
> Sent via Deja.com http://www.deja.com/
> Before you buy.



------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
