### Re: another feature RNGs could provide

On Tue, Dec 27, 2005 at 11:34:15PM +, Ben Laurie wrote: If you don't have sufficient plain/ciphertext, then of course you can choose incorrect pairs. Yep - that's my point. The thing to note is that for an arbitrary permutation, knowing the image of n plaintexts tells you (almost) nothing

### Re: another feature RNGs could provide

On 12/26/05, Ben Laurie [EMAIL PROTECTED] wrote: Surely if you do this, then there's a meet-in-the middle attack: for a plaintext/ciphertext pair, P, C, I choose random keys to encrypt P and decrypt C. If E_A(P)=D_B(C), then your key was A.B, which reduces the strength of your cipher from 2^x

### Re: another feature RNGs could provide

On Tue, Dec 27, 2005 at 03:26:59AM -0600, Travis H. wrote: On 12/26/05, Ben Laurie [EMAIL PROTECTED] wrote: Surely if you do this, then there's a meet-in-the middle attack: for a plaintext/ciphertext pair, P, C, I choose random keys to encrypt P and decrypt C. If E_A(P)=D_B(C), then your

### Re: another feature RNGs could provide

On Dec 21, 2005, at 0:10, Ben Laurie wrote: Good ciphers aren't permutations, though, are they? Because if they were, they'd be groups, and that would be bad. A given cipher, with a given key, is a permutation of blocks. (Assuming output blocks and input blocks are the same size.) It may

### Re: another feature RNGs could provide

Matt Crawford wrote: On Dec 21, 2005, at 0:10, Ben Laurie wrote: Good ciphers aren't permutations, though, are they? Because if they were, they'd be groups, and that would be bad. A given cipher, with a given key, is a permutation of blocks. (Assuming output blocks and input blocks are the

### RE: another feature RNGs could provide

Actually, by definition, a cipher should be a permutation from the set of plaintexts to the set of ciphertexts. It has to be 1 to 1 bijective or it isn't an encryption algorithm. Therefore, if you want an ergodic sequence of size 2^N, a counter encrypted under an N bit block cipher will do it.

### Re: another feature RNGs could provide

Good ciphers aren't permutations, though, are they? Because if they were, they'd be groups, and that would be bad. Actually, by definition, a cipher should be a permutation from the set of plaintexts to the set of ciphertexts. It has to be 1 to 1 bijective or it isn't an encryption

### Re: another feature RNGs could provide

On 12/21/05, Perry E. Metzger [EMAIL PROTECTED] wrote: Good ciphers aren't permutations, though, are they? Because if they were, they'd be groups, and that would be bad. Actually, by definition, a cipher should be a permutation from the set of plaintexts to the set of ciphertexts. It has to

### Re: another feature RNGs could provide

Jack Lloyd wrote: On Mon, Dec 12, 2005 at 12:20:26AM -0600, Travis H. wrote: 2) While CTR mode with a random key is sufficient for creating a permutation of N-bit blocks for a fixed N, is there a general-purpose way to create a N-bit permutation, where N is a variable? How about picking a

### Re: another feature RNGs could provide

Ben Laurie [EMAIL PROTECTED] writes: Jack Lloyd wrote: On Mon, Dec 12, 2005 at 12:20:26AM -0600, Travis H. wrote: 2) While CTR mode with a random key is sufficient for creating a permutation of N-bit blocks for a fixed N, is there a general-purpose way to create a N-bit permutation, where N

### Re: another feature RNGs could provide

On Mon, 12 Dec 2005, Travis H. wrote: One thing I haven't seen from a PRNG or HWRNG library or device is an unpredictable sequence which does not repeat; in other words, a [cryptographically strong?] permutation. This could be useful in all Rich Schroeppel tells me his Hasty Pudding cipher

### Re: another feature RNGs could provide

On Mon, Dec 12, 2005 at 12:20:26AM -0600, Travis H. wrote: 2) While CTR mode with a random key is sufficient for creating a permutation of N-bit blocks for a fixed N, is there a general-purpose way to create a N-bit permutation, where N is a variable? How about picking a cryptographically