Cryptography-Digest Digest #917, Volume #13      Fri, 16 Mar 01 13:13:00 EST

Contents:
  Re: About one-time pad ("Joseph Ashwood")
  Re: on-the-fly encryption (Neil Couture)
  Re: Quantum Computing & Key Sizes (Tony L. Svanstrom)
  Re: Crypto idea ("Joseph Ashwood")
  Re: Crypto idea ("Joseph Ashwood")
  Re: Digital enveloppe ("Joseph Ashwood")
  Re: Quantum Computing & Key Sizes ("Joseph Ashwood")
  Re: Computing power in the world (Darren New)
  Proper use of Rijndael with subsets (SCOTT19U.ZIP_GUY)
  Re: SSL secured servers and TEMPEST (Frank Gerlach)
  Re: Encryption software (Darren New)
  Re: Random and RSA (br)
  Factoring RSA (br)
  Re: Potential of machine translation techniques? (Mok-Kong Shen)
  Q: IP (Mok-Kong Shen)
  Re: Q: IP (Ben Cantrick)
  On cryptographically strong PRNGs as in the FAQ was Re: OverWrite:  best wipe 
software? ("Joseph Ashwood")

----------------------------------------------------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: About one-time pad
Date: Wed, 14 Mar 2001 13:11:13 -0800

[sent both in private e-mail and to newsgroup (my news service is flaky so no
guarantees it will show up)]
What you've built isn't a one time pad, unless it will never repeat, in
which case it's useless. What you need to do is the following:
Determine the maximum amount of information that will be translated in an
acceptable time period (1 month)
Generate 2 pads of that size
Each cgi maintains (on disk) a record of the last index it used to
send (starting at 0)
When sending, the cgi first performs the OTP starting at location lastsent
(consuming from its out buffer)
CGI sends x=lastsent&text=OTPEncryptedInformation
cgi adds length of sent message to lastsent and stores it.

to receive the cgi consumes x bytes from the in buffer
performs the OTP decryption on the information
The only difference from yours is that

Changing this to make x a random start point is a bad idea, you could very
easily end up in a Vigenere type situation (where an OTP is used repeatedly),
which is easily broken. Avoiding it is difficult at best.

You might also want to look into other possibilities. Although an OTP is
provably secure it depends on provable randomness, considering that there is
actually a debate going on about whether or not anything in nature is truly
random this could pose a serious problem for security. It is generally
better to rely on computational security for things like this. What you may
want to do instead is make use of something like ciphersaber, it will be a
bit more compute intensive but the security will be much easier to manage.
This would lead to:
Once every time period distribute a small secret value S between the two
cgis.
When the time comes to encrypt, take the time T to enough precision to make
the time unique
postpend T to S to form K
key ARCFOUR with K
pull and discard 512 bytes from ARCFOUR
use ARCFOUR to encrypt
send x=current time, text = encrypted text

depending on what your servers will accept I'd recommend that you base-64
encode the data being transferred, cipher text isn't known for its respect of
reserved characters.
                                    Joe
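The ciphersaber-style scheme Joe sketches above (K = S || T, ARCFOUR keyed with K, 512 keystream bytes discarded, x = T and base-64 text on the wire), as an added Python example that is not code from the post or from any project. The Endpoint class, the shared secret and the time strings are assumptions; the reused-T check is added because the step "make the time unique" is what keeps the keystream from repeating.

```python
import base64
import time


def rc4_keystream(key: bytes, drop: int = 512):
    """ARCFOUR keystream generator.  The first `drop` output bytes are
    discarded (the post suggests 512) before any are used."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = produced = 0
    while True:                                # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        produced += 1
        if produced > drop:
            yield s[(s[i] + s[j]) & 0xFF]


def rc4_crypt(key: bytes, data: bytes, drop: int = 512) -> bytes:
    """XOR data with the keystream; the same call encrypts and decrypts."""
    ks = rc4_keystream(key, drop)
    return bytes(b ^ next(ks) for b in data)


class Endpoint:
    """One of the two cgis (hypothetical name).  Both hold the small secret S
    distributed once per time period; each message is keyed with K = S || T."""

    def __init__(self, shared_secret: bytes):
        self.secret = shared_secret
        self.used_t = set()      # T values already spent by this sender

    def send(self, plaintext: bytes, t=None) -> dict:
        # T is taken to enough precision to be unique; a repeated T would
        # reuse the whole keystream, so refuse it rather than hope.
        t = str(time.time_ns()) if t is None else t
        if t in self.used_t:
            raise ValueError("time value T already used; keystream would repeat")
        self.used_t.add(t)
        ct = rc4_crypt(self.secret + t.encode(), plaintext)    # K = S || T
        # base-64 so the ciphertext survives reserved characters in the request
        return {"x": t, "text": base64.b64encode(ct).decode("ascii")}

    def receive(self, msg: dict) -> bytes:
        ct = base64.b64decode(msg["text"])
        return rc4_crypt(self.secret + msg["x"].encode(), ct)
```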




------------------------------

From: Neil Couture <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: on-the-fly encryption
Date: Fri, 16 Mar 2001 17:33:41 GMT



Christian Leber wrote:

> On Wed, 14 Mar 2001 00:55:10 GMT, Neil Couture <[EMAIL PROTECTED]>
> wrote:
>
> >It is always possible to Lock memory pages in memory so that the virtual
> >memory system does not swap them.
>
> No, it is a big problem for user space applications.
>
> Christian Leber

can you explain why or point to an url please? I do not have big experience
doing this with BSD but with win32 it seems possible. maybe there are 'features'
not written anywhere..

Neil


------------------------------

Subject: Re: Quantum Computing & Key Sizes
From: [EMAIL PROTECTED] (Tony L. Svanstrom)
Date: Fri, 16 Mar 2001 17:37:32 GMT

Tony L. Svanstrom <[EMAIL PROTECTED]> wrote:

> Mike Rosing <[EMAIL PROTECTED]> wrote:
> 
> > "Tony L. Svanstrom" wrote:
> > > 
> > > Reading the answer... hmmm... binary code that you get in dead / not
> > > dead cats? ;-)
> > 
> > Exactly.  A lot of dead cats involved in quantum mechanics :-)
> 
> Only if you "look" at them. =)

Whoa... after sending that I got such a dorm-related flashback -
Something along the lines of "Do I need to clean this? Clean what?".

=)


        /Tony

------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Crypto idea
Date: Wed, 14 Mar 2001 16:33:14 -0800

"br" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> The  computer is idiot. If it is not programmed for any pre-defined
> task, it can't distinguish between  ugly and beautiful lady, English
> and foreign alphabets etc...

You obviously haven't studied learning algorithms, fuzzy logic, AI, etc. All
of these allow computers to judge things, to perform interesting tasks that
require something very akin to thought.

> So if I use two categories of symbols, which one has a property
> different than the other, the computer can't know that the message
> include two types differents.

Actually because any small amount of research would reveal what techniques
you're using any benefit from this would be quickly eliminated.

> I'm going to give you some samples.
> Let plain text in binary system : 001101
> Suppose that I want to send a message without sending a key to my
> correspondant.

Not going to work for security, but I'll humor you a little.

> I send 249583. Every one understand that odd number is replaced by 1 and
> even by 0.

Ok, now you say that you already sent the key (even is, odd is). However
this won't be highly effective because, this is lsb steganography, and the
patterns will show through. To show this just take a PRNG output that passes
diehard, change the least significant bit to be a chosen message (something
that makes sense and has order like a normal plaintext), run it through
diehard, it fails.

> It's very easy to guess.

It's also very easy to break, you only have a 1 bit key.

> If I use open letters like l,u,r,s ... and closed letters like o, p, b,
> d, e. It's more difficult.

No it's exactly the same.

> It's impossible for cryptanalysts to find out
> the output when I know that creating two categories is infinite domain.

No, it's painfully easy.

> Cryptanalysis use dictionaries as way to find a solution.

No, cryptanalysis is about finding information that you're not supposed to
have, in this case information that is hidden trivially.

> They suppose
> that the clear message is wrote without spelling mistakes.

No, we simply assume that a plaintext is a plaintext. Do you really think
there are 2^48 different English plaintexts that would come out of DES for
the big attacks? You have a severe misunderstanding of how modern
cryptanalysis works.

> I can write a message like "I love you" as " Ay lov u" or "Ilovu"etc....
> So how cryptanalysts could know before my specific spelling of I love
> you.

And every one of them would pass the ASCII test, which would eliminate all
but a very small number of possible decryptions.

> Using spelling mistakes is a good strategy against attackers.

No, it's a braindead strategy, it will make absolutely no difference.

> Using "symbolic characters" with two differents properties too.

Will also be ineffective. Language has an amazing amount of structure, even
when it is misused and misspelled.

> So what if I use spelling mistakes combined with symbolic characters
> before encryption.
> 1.I convert "I love you" to " Ay lov u".
> 2.Then Ay lov u to (It's just an example) 101101....11
> 3. 101101... to +a-*c=...<>
> 4. Everyone can guess that I used mathematical symbols for 1 and
> literal symbols for 0.
> (the receiver has to program using two types and inserting in table the
> characters corresponding to one or zero and try  to read twice to know
> symbols (one) et symbols (zero).

and every one has patterns of language to be exploited.

>
> I'm aware that it's impossible to use this system for commercial
> purposes. But for military or intelligence use, it's appropriate.

For anything it's foolish. As the joke goes:
The professor wrote these words on the board "Woman without her man is
nothing" and asked the class to punctuate it. "Woman, without her man, is
nothing" "Woman: without her, man is nothing"
Do you really want to be the butt of that joke?

> I apologize for my english, I hope it was clear.

Actually your examples were easier to decrypt than your text.
                    Joe



------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Crypto idea
Date: Wed, 14 Mar 2001 16:50:17 -0800


"br" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Factoring RSA help you to find the way to disclose the key,  nothing
> more.

Finding the key is the *GOAL* of cryptanalysis when applied to keyed system,
like, well, RSA.

> I'm talking about cryptanalysis.

You are completely clueless about what cryptanalysis is, you seem to be
fairly clueless about everything regarding cryptography, and computer
security, and just about anything else you've typed about.

> You can't imagine before that I used
> two categories.

Would those categories be what you think you know and reality? Because they
are certainly completely unrelated.

> If I use two categories without telling to my recipient that the ugly
> lady is 1 or 0, he can understand the difference between ugly lady
> and beautiful lady.

And I thought we were talking about cryptanalysis, not your pornography
collection.

> The computer no.

I'm fairly sure your computer knows where your pornography collection is.
Even if it doesn't the parts involved are distinctive enough to be scanned
for.

> A cryptanalyst can't imagine
> before attack what categories I had used unless he has the key.

All he has to do is identify that you used two categories, and compress
those to 1 and 0 (simple huffman encoding), and he has found either the
plaintext or its inverse, your scheme is completely broken.

> If he
> try to test all the he has to see (physically) every output.

What output, I've narrowed it down to 2 outputs, gee that's gonna be hard to
sort out.

> So, it's impossible.
> Even if he use all dictionaries.

Who needs a dictionary? Just use the world's most basic compression
algorithm, and poof, out comes the plaintext.
                    Joe



------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Digital enveloppe
Date: Wed, 14 Mar 2001 16:44:24 -0800

 "br" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...

Quite frankly, you're clueless.

> It's a way to send a message that only the authorized recipient could
> read.

No it's a way to send minorly obfuscated information, something that is
continually undone, reference Windows CE password storage.

> Without password or Pin.

Which is *exactly* the problem.

> The recipient has just to use the same software.

Which is the other problem, you are relying on the ability of your program
to not be debugged, decompiled, or completely taken apart. That simply can't
be done, just look at the contents of any Warez site for proof.

> Sample : If I send you a simple message the first time and you answer me
> using the same software. You don't need any password to read my message.
> And vice versa.

Which means that the key will be fixed (more confirmation with regards to
what was above), which is the prime problem that happens.

> [every]one can read the message.  Only [every] computer. You can[] read the
> message [on] other computers.

Now those statements are correct.

> I hope it was clear.

You were completely wrong, but clear.

                Joe



------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Quantum Computing & Key Sizes
Date: Wed, 14 Mar 2001 16:57:11 -0800

A quantum computer has the ability to process in massive parallel. Each
qubit is in some mix of 0s and 1s, to get an output from a QC you either
observe and get a random selection from that set (the Cat hypothesis), or
you force them all to the same value and then observe to get a fixed output.
They really are quite interesting in theory, however the reality of them
seems to be somewhat lacking. Shor's algorithm makes use of this to perform
factoring in polynomial time. We could actually simulate the operations of a
quantum computer using a regular computer, however that takes severely
exponential time (a k qubit machine would take 2^k operations per
q-operation to simulate).
                            Joe

"Simon Johnson" <[EMAIL PROTECTED]> wrote in message
news:98os2n$bto$[EMAIL PROTECTED]...
> How does this work? Whats special about a quantum computer can it make
> guesses or something???
>
> Simon.
>
>



------------------------------

From: Darren New <[EMAIL PROTECTED]>
Subject: Re: Computing power in the world
Date: Fri, 16 Mar 2001 17:40:25 GMT

Paul Schlyter wrote:
> In article <[EMAIL PROTECTED]>, Darren New  <[EMAIL PROTECTED]> wrote:
> >> What is the up-to-date estimate of the total computing power in the world
> >> in mips-years?
> >
> > mips-years would be mips * years, right? That doesn't sound like a useful
> > measurement.
> >
> > MIPS by itself is the number of instructions you can execute in a given
> > length of time. What does multiplying it by years get you?
> 
> 1 MIP = 1 million instructions per second
> 
> 1 MIP-year = number of seconds in a year * 1 million instructions
> 
> Thus:
> 
> 1 MIP-year = 31556952000000 instructions = ca 3.15E+13 instructions

But in what sense is this an estimate of computing power? Does it make sense
to say "I have 3E13 instructions of computing power?"  What happens when
I've run 1E13 instructions? Do I now only have 2E13 instructions left? As I
execute instructions, are they now dead? :-)

(I realize my question of "what does multiplying it by years get you" is
ambiguous. I meant it to be "why do you want to multiply by years?")

-- 
Darren New / Senior MTS & Free Radical / Invisible Worlds Inc.
San Diego, CA, USA (PST).  Cryptokeys on demand.

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Proper use of Rijndael with subsets
Date: 16 Mar 2001 17:31:50 GMT

 I will see if cut and paste from word pad is working
but if it is here is an example of something slow 
but shows how one could encrypt 1-1 with out gaps
in either direction from one character set to another
using RIJNDAEL with full block 128bit 256bit key
encryption. The encryption is done in Matts
BICOM pointer from my page rest are at my site.
One can also do authentication in a 1-1 way.


ENJOY

I hope this spaces out correctly on this Post
But basically I put together a set of batch files
using a series of my programs and matts so that
simple encryption using RIJNDAEL could be used
from a set of files made only of characters in
condition set 1. To an encrypted file of characters
in condition set 2.  These mappings are done such
that any file of condition set 1 maps to a unique
file in condition set 2. And likewise any collection
of symbols of condition set 2 when decrypted would
map to a unique file in condition set 1

EXAMPLE:
 Below is dump of file I would like to see encrypted
 it would be x.q0 after the batch program enca.bat runs
0000  20 44 45 41 52 5F 4D 41 52 59 5F 48 49 5F 48 4F  * DEAR_MARY_HI_HO*
0010  57 5F 41 52 45 5F 59 4F 55 5F 49 5F 4D 49 53 53  *W_ARE_YOU_I_MISS*
0020  5F 59 4F 55 5F 56 45 52 59 5F 56 45 52 59 5F 4D  *_YOU_VERY_VERY_M*
0030  55 43 48 5F 4C 4F 56 45 5F 4A 4F 48 4E 0D 0A 0D  *UCH_LOVE_JOHN...*
0040  0A  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  *.*
 number of bytes is 65

 Below is same file but the characters not in condition set
 one are removed so this is file that I am really encrypting
 it is in x.q0a
0000  44 45 41 52 5F 4D 41 52 59 5F 48 49 5F 48 4F 57  *DEAR_MARY_HI_HOW*
0010  5F 41 52 45 5F 59 4F 55 5F 49 5F 4D 49 53 53 5F  *_ARE_YOU_I_MISS_*
0020  59 4F 55 5F 56 45 52 59 5F 56 45 52 59 5F 4D 55  *YOU_VERY_VERY_MU*
0030  43 48 5F 4C 4F 56 45 5F 4A 4F 48 4E  .  .  .  .  *CH_LOVE_JOHN*
 number of bytes is 60

  This is the file after running
  enca.bat inputfile aztec
  note "aztec" password for the example
0000  75 5F 5F 5F 66 44 65 5F 75 53 53 5F 5F 5F 53 53  *u___fDe_uSS___SS*
0010  5F 53 53 5F 53 75 73 5F 5F 53 44 53 59 5F 44 44  *_SS_Sus__SDSY_DD*
0020  5F 44 75 41 5F 53 72 75 5F 53 54 66 4E 75 44 53  *_DuA_Sru_STfNuDS*
0030  53 44 66 66 75 66 5F 5F 53 44 5F 53 53 75 44 5F  *SDffuf__SD_SSuD_*
0040  66 77 44 5F 41 61 75 66 66 44 66 66 66 68 53 5F  *fwD_AauffDfffhS_*
0050  66 6B 5F 44 66 75 75 66 5F 44 5F 72 64  .  .  .  *fk_Dfuuf_D_rd*
 number of bytes is 93

  This is condition set 1. In the file cond1.das
  Notice I made E and T double. Why not they are
  the most common 2 letters in english
0000  5F 41 42 43 44 45 45 46 47 48 49 4A 4B 4C 4D 4E  *_ABCDEEFGHIJKLMN*
0010  4F 50 51 52 53 54 54 55 56 57 58 59 5A  .  .  .  *OPQRSTTUVWXYZ*
 number of bytes is 29

  This is condition set 2. file cond2.das notice that
  I picked some letters doubled why not. This will
  put a bias in the output. Most crypto experts will
  see D and S repeated and think it's a toy puzzle cipher
  so they will not look further.
0000  5F 41 42 43 44 44 45 46 47 48 49 4A 4B 4C 4D 4E  *_ABCDDEFGHIJKLMN*
0010  4F 50 51 52 53 53 54 55 56 57 58 59 5A 5F 61 62  *OPQRSSTUVWXYZ_ab*
0020  63 64 65 66 66 67 68 69 6A 6B 6C 6D 6E 6F 70 71  *cdeffghijklmnopq*
0030  72 73 74 75 75 76 77 78 79 7A  .  .  .  .  .  .  *rstuuvwxyz*
 number of bytes is 58

 Following enca.bat
echo off
set finput=%1
set password=%2
del x.q*
copy %finput%  x.q0


h2comaf.exe  x.q0  x.q1 cond1.das
h2uncaf.exe  x.q1  x.q0a cond1.das
rem x.q0a is actual file to be encrypted
rem  it is only allowed characters in cond1.das
rem  so the eol handling gone.
rem  x.q1 is compressed file last byte not = all zeros.

fin2int.exe  x.q1  x.q2
rem x.q2  can be any 8-bit byte file so ready for bicom

bicom.exe -p %password%  x.q2 x.q3
rem x.q3 can be any 8-bit byte file 

int2fin.exe x.q3 x.q4
rem x.q4 any 8-bit byte file last byte not = all zeros

h2uncsf.exe x.q4 x.q5 cond2.das
rem at this point any file of character set in cond2.das
rem is possible x.q5 is the output file

 following deca.bat
echo off
set finput=%1
set password=%2
del x.w*
copy %finput% x.w5
echo off

rem following reverse of enca.bat

h2comsf.exe x.w5 x.w4 cond2.das
fin2int.exe x.w4 x.w3

bicom -d -p %password% x.w3 x.w2
int2fin.exe x.w2 x.w1

h2uncaf.exe x.w1 x.w0  cond1.das
rem x.w0 is final output file in characters cond1.das

David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
        http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website **now all allowed**
        http://members.xoom.com/ecil/index.htm
Scott LATEST UPDATED source for scott*u.zip
        http://radiusnet.net/crypto/  then look for
  sub directory scott after pressing CRYPTO
Scott famous Compression Page
        http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMERS***
I leave you with this final thought from President Bill Clinton:

------------------------------

From: Frank Gerlach <[EMAIL PROTECTED]>
Subject: Re: SSL secured servers and TEMPEST
Date: Fri, 16 Mar 2001 18:34:00 +0100

>
>
> Analog media, like tape may be possible - are there any media that can store
> 2Ghz of bandwidth.

My calculation was as follows: a Video Signal has about 5 MHz of Bandwidth. Just
split that 2 GHz signal into 2000/5=400 5 MHz bands, transform them into the
0..5 MHz base band and then you "just" need 400 VCRs to store the signal. If you
strip a VCR (Video Cassette Recorder) of all unnecessary stuff and mount it in
racks, those 400 VCRs should fit into a 32 metric ton truck trailer. Of course,
there must be a very precise phase signal recorded on every tape and the motors
should be high quality to assure low phase jitter.
Have two trucks, one is monitoring, while the other is loading fresh tapes in a
safe location.
After some days of monitoring you airlift the tapes with a C-141 to wherever
your acres of processing power are.


------------------------------

From: Darren New <[EMAIL PROTECTED]>
Subject: Re: Encryption software
Date: Fri, 16 Mar 2001 17:44:36 GMT

>   What makes you believe the person you meet at the Cipherpunks meeting
> is who he says he is. He may claim to be Jack. But you don't know Jack.

Every meeting, IETF has a keysigning party. It's quite well organized and
efficient.

-- 
Darren New / Senior MTS & Free Radical / Invisible Worlds Inc.
San Diego, CA, USA (PST).  Cryptokeys on demand.

------------------------------

From: br <[EMAIL PROTECTED]>
Subject: Re: Random and RSA
Date: Fri, 16 Mar 2001 12:42:11 -0400

Try this algo to factor N.
for k=N to (N/2) step -1
    Let S = (10^k) - 1
    Let c = gcd(S,N)
    if c<>1 and c<>N then c is a solution.

I know that it's hard with huge numbers but try it, I think that you will
find a solution in less than an hour.

I'm not kidding.

 

 
"Tony L. Svanstrom" wrote:
> 
> br <[EMAIL PROTECTED]> wrote:
> 
> > Factoring N is it so hard?
> 
> Try it!
> 
>         /Tony

------------------------------

From: br <[EMAIL PROTECTED]>
Subject: Factoring RSA
Date: Fri, 16 Mar 2001 12:46:59 -0400

Try this algo to factor N.
for k=N to (N/2) step -1
    Let S = (10^k) - 1
    Let c = gcd(S,N)
    if c<>1 and c<>N then c is a solution.

It's hard to compute huge numbers. But with computers able to manage a
huge number, it's feasible.

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Potential of machine translation techniques?
Date: Fri, 16 Mar 2001 18:46:20 +0100



Mike Rosing wrote:
> 
> Mok-Kong Shen wrote:
> >
> > I heard on the other hand that there are successful
> > translation software between Japanese and English.
> 
> Yeah, but it's not all that successful!  I spent a week with a
> guest from Japan who had a hand held translator and a Mac with
> a translator.  It took us 5 minutes per concept on a good day,
> and trying whole sentences was very funny.  Without the translator,
> it would have been much, much more difficult so they are definitly
> useful.  But a long ways from being "successful".

I have no experience but I have the conjecture that what
you met with probably doesn't correspond to the (forefront 
of) state of the art. There is one software system, 
Verbmobil, that claims to provide mobile phone users with 
simultaneous dialog interpretation services for restricted 
topics in three languages, German, English and Japanese. 
(Of course, the cost etc. of the system could under 
circumstances be an issue.) Note that this is speech 
translation which is much more involved than mere text 
translation. A pointer is:

   W. Wahlster (ed.), Verbmobil: Foundations of Speech-to-Speech
   Translation. Springer, 2000.

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Q: IP
Date: Fri, 16 Mar 2001 18:46:12 +0100


Probably a very dumb question: If I connect to the internet 
via a provider, do I have a fixed (and always same) IP 
assigned by my ISP? I heard that ISPs assign (or may assign) 
dynamically variable IPs to their customers. Is that right 
or wrong? Thanks.

M. K. Shen

------------------------------

From: [EMAIL PROTECTED] (Ben Cantrick)
Subject: Re: Q: IP
Date: 16 Mar 2001 11:00:31 -0700

In article <[EMAIL PROTECTED]>,
Mok-Kong Shen  <[EMAIL PROTECTED]> wrote:
>Probably a very dumb question: If I connect to the internet 
>via a provider, do I have a fixed (and always same) IP 
>assigned by my ISP? I heard that ISPs assign (or may assign) 
>dynamically variable IPs to their customers. Is that right 
>or wrong? Thanks.

  If you don't know for sure that you have a fixed IP, then you probably don't.

  Practically speaking, IP addresses cost money. The ISPs pass this cost
on to their customers by making having a fixed IP address more expensive
than getting a dynamic one every time you connect. Also, if you want a fixed
IP, you generally have to request it specifically from your ISP. It 
normally won't happen by accident.


          -Ben
-- 
Ben Cantrick ([EMAIL PROTECTED])        |   Yes, the AnimEigo BGC dubs still suck.
BGC Nukem:     http://www.dim.com/~mackys/bgcnukem.html
The Spamdogs:  http://www.dim.com/~mackys/spamdogs
http://civilliberty.miningco.com/library/weekly/aa090897.htm

------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: On cryptographically strong PRNGs as in the FAQ was Re: OverWrite:  best wipe 
software?
Date: Thu, 15 Mar 2001 11:28:23 -0800
Crossposted-To: alt.hacker

Except I can give you an example of a PRNG that is not cryptographically
secure that meets the cannot compute forward requirement. To build a k-bit
stream from an N-bit key:
Cur = SHA-1(Key)
create a LIFO buffer
while(depth of LIFO less than k)
    push 160-bit chunks consisting of the Cur
    Cur = SHA-1(Cur)
wend
To retrieve a random value pull 160-bits out of the buffer, use all of them

I contend that unless SHA-1 is weak, you won't be able to predict the stream
in forward order, however in reverse order it is trivial and therefore not
cryptographically secure. I think the next time the FAQ gets updated this
needs to be changed to

>  : For a source of bits to be cryptographically random, it must be
>  : computationally impossible to predict what the Nth random bit will
>  : be given complete knowledge of the algorithm or hardware generating
>  : the stream and the sequence of 0th through N-1st

and the N+1 through L

> : bits, for all N

, and all L

> : up to the lifetime of the source.

This would be at least closer to correct.
                        Joe

> Here's a definition for cryptographically random data from the sci.crypt
> FAQ:
>
>  : For a source of bits to be cryptographically random, it must be
>  : computationally impossible to predict what the Nth random bit will
>  : be given complete knowledge of the algorithm or hardware generating
>  : the stream and the sequence of 0th through N-1st bits, for all N up
>  : to the lifetime of the source.
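Joe's LIFO hash-chain generator above, as an added Python example that is not code from the post. It builds the buffer exactly as described (SHA-1 chain pushed onto a LIFO, 160 bits pulled per value) and then shows the property he claims: each output block is SHA-1 of the block that came out after it, so the stream is trivially predictable backwards even though going forwards would need a SHA-1 preimage. The function names and the key bytes are constructed for this example.

```python
import hashlib

CHUNK_BITS = 160  # SHA-1 digest size


def build_lifo(key: bytes, k_bits: int) -> list:
    """Joe's construction: walk a SHA-1 hash chain from the key and push each
    160-bit value onto a LIFO until at least k bits are buffered."""
    cur = hashlib.sha1(key).digest()
    lifo = []
    while len(lifo) * CHUNK_BITS < k_bits:
        lifo.append(cur)                     # push the current chain value
        cur = hashlib.sha1(cur).digest()     # Cur = SHA-1(Cur)
    return lifo


def pull(lifo: list) -> bytes:
    """Retrieve one 160-bit random value: LIFO, so the last pushed comes first."""
    return lifo.pop()


def output_stream(key: bytes, k_bits: int) -> list:
    """The values an application would see, in the order it sees them."""
    lifo = build_lifo(key, k_bits)
    return [pull(lifo) for _ in range(len(lifo))]


def recover_earlier_output(later_output: bytes) -> bytes:
    """Backward prediction: output i+1 was pushed before output i, so output i
    is simply SHA-1(output i+1).  No knowledge of the key is needed."""
    return hashlib.sha1(later_output).digest()


def backward_predictable(key: bytes, k_bits: int) -> bool:
    """True if every output block can be recomputed from the block after it.
    (Forward, from block i to block i+1, would require inverting SHA-1.)"""
    out = output_stream(key, k_bits)
    return all(recover_earlier_output(out[i + 1]) == out[i]
               for i in range(len(out) - 1))
```

This is why the FAQ wording Joe proposes also demands unpredictability from the N+1st through Lth bits: forward unpredictability alone is satisfied by this generator.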




------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************