] Thursday 25 December 2003, 17:13 Makka Time, 14:13 GMT
]
] Saudis swoop on DIY bomb guide
]
] Authorities in the kingdom have arrested five people after
] raiding computer shops selling compact disks containing
] hidden bomb-making instructions, a local newspaper reported
] on Thursday.
]
] Pol
R. A. Hettinga wrote:
From: "Tefft, Bruce" <[EMAIL PROTECTED]>
...
Where Big Brother Snoops on Americans 24/7
By TERESA HAMPTON & DOUG THOMPSON
...
>
Although employees who work in the building are supposed to keep their
presence there a secret, they regularly sport their DARPA id badges around
th
Ian Grigg wrote:
The phishing thing has now reached the mainstream,
epidemic proportions that were feared and predicted
in this list over the last year or two.
OK.
> For the first
time we are facing a real, difficult security
problem. And the security experts have shot
their wad.
The object
I wrote:
1) For starters, "identity theft" is a misnomer. My identity is my
identity, and cannot be stolen. The current epidemic involves
something else, namely theft of an authenticator ... or, rather,
breakage of a lame attempt at an authentication and/or
authorization scheme. See definiti
Way back on 05/20/2004 Ivan Krstic wrote:
Michael O. Rabin lectures on hyper-encryption and provably
everlasting secrets.
...
View here: http://athome.harvard.edu/dh/hvs.html
To my surprise, there has been no follow-up discussion
on this list.
(Hint: Most people on this list will want to sk
"J Harper" <[EMAIL PROTECTED]> wrote:
This barely deserves mention, but is worth it for the humor:
"Information Security Expert says SSL (Secure Socket Layer) is Nothing More
Than a Condom that Just Protects the Pipe"
http://www.prweb.com/releases/2004/7/prweb141248.htm
To which Eric Rescorla repl
Enzo Michelangeli wrote:
Can someone explain me how the "phishermen" escape identification and
prosecution? Gaining online access to someone's account allows, at
most, to execute wire transfers to other bank accounts: but in these
days anonymous accounts are not exactly easy to get in any country,
News article
http://news.bbc.co.uk/2/hi/americas/3528502.stm
says in part:
The BBC's Zaffar Abbas, in Islamabad, says it appears that US
investigators were able to unscramble information on the computers
after Pakistan passed on suspicious encrypted documents.
Ian Grigg wrote:
Read about one of their coding systems here:
http://www.thesmokinggun.com/archive/jihad13chap1.html
Perry wondered:
... if the document on the "Smoking Gun" website is even remotely
real. It is amazingly amateurish -- the sort of code practices that
were obsolete before the Secon
Jerrold Leichter <[EMAIL PROTECTED]> wrote:
The press will always focus on things people understand, and which
seem to have short-term relevance. If you're objecting to researchers
blowing their own horns ... well, that's the way the world works.
It's certainly been the way physics has had to wor
Jerrold Leichter wrote:
... the comments I've seen on this list and elsewhere have been much
broader, and amount to "QM secure bit distribution is dumb, it solves
no problem we haven't already solved better with classical
techniques."
Most of the comments on this list are more nuanced than that.
1) Here's an article from the New York Times.
The headline just about says it all. Reportedly
THEY want voice-over-internet users to pay for
the privilege of having their calls tapped.
> The Call Is Cheap. The Wiretap Is Extra.
http://www.theledger.com/apps/pbcs.dll/article?AID=/20040823/ZNYT01/40
Hi --
I don't fully understand the new attacks on the hash
functions (which I suppose is forgiveable, since the
papers don't seem to be available).
But here's a shot in the dark that seems promising at
first glance:
Given a message m, pad it to a length of at least one
block to form M. Then encryp
Jerry Leichter writes:
>> However ... *any* on-line algorithm falls to a Joux-style attack.
Hal Finney wrote:
... hashes that support incremental hashing, as any useful hash surely must,
If you insist on being able to hash exceedingly long strings
(i.e. longer than your storage capacity) here is a
bear wrote:
H2(H1) = H1( H1(M) xor H1( TT( M)))
I think that was intended to be something like
H2(M) = H1( H1(M) xor H1( TT( M)))
^
TT denotes some trivial transformation
(I propose swapping high and low halves
of the first block). H1 is a conventional
hash function and H2
I agree with 99% of what Hal Finney wrote. I won't repeat
the parts we agree on.
But let's discuss these parts:
how much harder?
Well, probably a lot. Finding a regular B2 collision in a perfect
160 bit hash compression function takes 2^80 work. Finding a double
collision like this is essentiall
Hadmut Danisch wrote:
It can be easily shown that there is no lossless
compression method which can effectively compress every possible
input.
OK.
... I need a book about computer science or encoding theory,
which explicitely says that this is impossible, in a way that a person
unexperienced in co
I wrote:
4) Don't forget the _recursion_ argument. Take their favorite
algorithm (call it XX). If their claims are correct, XX should
be able to compress _anything_. That is, the output of XX
should _always_ be at least one bit shorter than the input.
Then the compound operation XX(XX(...)) sh
I wrote
>> the Bi are the input blocks:
>> (IV) -> B1 -> B2 -> B3 -> ... Bk -> H1
>> (IV) -> B2 -> B3 -> ... Bk -> B1 -> H2
>>then we combine H1 and H2 nonlinearly.
(Note that I have since proposed a couple of improvements,
but I don't think they are relevant to the present remarks.)
David Wa
Matt Crawford wrote:
>>Plus a string of log(N) bits telling you how many times to apply the
>>decompression function!
>>Uh-oh, now goes over the judge's head ...
Hadmut Danisch wrote:
The problem is that if you ask for a string of log(N) bits, then
someone else could take this as a proof that this
Eric Rescorla wrote:
Uh, you've just described the ephemeral DH mode that IPsec
always uses and SSL provides.
I'm mystified by the word "always" there, and/or perhaps by
the definition of Perfect Forward Secrecy. Here's the dilemma:
On the one hand, it would seem to the extent that you use
ephemer
OK, let me ask a more specific question. Actually, let me
put forth some hypotheses about how I think it works, and
see if anyone has corrections or comments.
0) I'm not sure the words Perfect Forward Secrecy convey what
we mean when we talk about PFS. Definition 12.16 in HAC suggests
_break-back
Fredrik Henbjork wrote:
Alice has:
1. A system which does processing of encrypted network streams.
Alice wants the following from Bob:
2. A test system for the processing system in 1. This system is going
to be used to decide if the processing system in 1 is working
(processing) as it should.
Thi
Florian Weimer wrote:
Would you recommend to switch to /dev/urandom (which doesn't block if
the entropy estimate for the in-kernel pool reaches 0), and stick to
generating new DH parameters for each connection,
No, I wouldn't.
> or ...
generate them once per day and use it for several connections?
I wrote:
>>If the problem is a shortage of random bits, get more random bits!
Florian Weimer responded:
We are talking about a stream of several kilobits per second on a busy
server (with suitable mailing lists, of course). This is impossible
to obtain without special hardware.
Not very special, a
Udhay Shankar N wrote:
I just got a batch of spam: perfectly justified blocks of random-looking
characters. Makes me wonder if somebody is trying to train Bayesian
filters to reject PGP messages.
Another hypothesis: Cover traffic, to defeat traffic analysis.
The procedure: send N copies. N-M o
Enzo Michelangeli wrote:
>
> This "entropy depletion" issue keeps coming up every now and then, but I
> still don't understand how it is supposed to happen.
Then you're not paying attention.
> If the PRNG uses a
> really non-invertible algorithm (or one invertible only with intractable
> complexity
I wrote:
>> Taking bits out of the PRNG *does* reduce its entropy.
Enzo Michelangeli wrote:
By how much exactly?
By one bit per bit.
I'd say, _under the hypothesis that the one-way
function can't be broken and other attacks fail_, exactly zero; in the
real world, maybe a little more.
If you said
Jerrold Leichter asked:
random number generator this way. Just what *is*
good enough?
That's a good question. I think there is a good answer. It
sheds light on the distinction of pseudorandomness versus
entropy:
A long string produced by a good PRNG is conditionally
compressible in
I wrote:
>>
A long string produced by a good PRNG is conditionally
compressible in the sense that we know there exists a
shorter representation, but at the same time we believe it
to be conditionally incompressible in the sense that the
adversaries have no feasible way of finding a shorter
represe
Ben Laurie wrote:
Given recent discussion, this is perhaps a good moment to point at a
paper I wrote a while back on PRNGs for Dr. Dobbs, where, I'll bet, most
of you didn't read it.
http://www.apache-ssl.org/randomness.pdf
I just took a look at the first couple of pages.
IMHO it has much room f
Zooko O'Whielacronx wrote:
I would love to have an information-theoretic argument for the security
of my PRNG, but that's not what we have,
Yes, and I'd like my goldfish to ride a bicycle, but he can't.
The P in PRNG is for Pseudo, and means the PRNG is relying
on computational intractability, not
Referring to http://www.apache-ssl.org/randomness.pdf
I wrote:
>>I just took a look at the first couple of pages.
>>IMHO it has much room for improvement.
David Wagner responded:
I guess I have to take exception. I disagree. I think Ben Laurie's
paper is quite good. I thought your criticisms mis
Ben Laurie wrote:
The point I am trying to make is that predictability is in the eye of
the beholder. I think it is unpredictable, my attacker does not.
I still cannot see how that can happen to anyone unless
they're being willfully stupid. It's like something out
of Mad Magazine: White Spy accep
John Kelsey wrote:
If your attacker (who lives sometime in the future, and may
have a large budget besides) comes up with a better model to
describe the process you're using as a source of noise, you
could be out of luck. The thing that matters is H(X| all
information available to the attacker),
Ed Gerck wrote:
Let me comment, John, that thermal noise is not random
When did you figure that out? If you'd been paying attention,
you'd know that I figured that out a long time ago.
First of all, the phrase "not random" is ambiguous. I said
Some people think “random” should denote 100% entropy
Steven M. Bellovin wrote:
Are there any commercial link-layer encryptors for Ethernet available?
I know that Xerox used to make them, way back when, but are there any
current ones, able to deal with current speeds (and connectors)?
Several people have made suggestions involving IPsec,
which were
On 06/27/05 00:28, Dan Kaminsky wrote:
... there exists an acceptable solution that
keeps PC's with persistent stores secure. A bootable CD from a bank is
an unexpectedly compelling option
Even more compelling is:
-- obtain laptop hardware from a trusted source
-- obtain software from a tru
On 07/01/05 13:08, Charles M. Hannum wrote:
Most implementations of /dev/random (or so-called "entropy gathering
daemons") rely on disk I/O timings as a primary source of randomness.
... I believe it is readily apparent that such exploits could be
written.
So don't do it that way.
Vastly b
On 07/03/05 15:19, Dan Kaminsky wrote:
> So the funny thing about, say, SHA-1, is if you give it less than 160
> bits of data, you end up expanding into 160 bits of data, but if you
> give it more than 160 bits of data, you end up contracting into 160 bits
> of data. This works of course for any
I am reminded of a passage from Buffy the Vampire Slayer.
In the episode "Lie to Me":
BILLY FORDHAM: I know who you are.
SPIKE: I know who I am, too. So what?
My point here is that knowing who I am shouldn't be a
crime, nor should it contribute to enabling any crime.
Suppose you k
On 07/13/05 12:15, Perry E. Metzger wrote:
However, I would like to make one small subtle point.
... the use of widely known pieces of information about
someone to identify them.
Yes, there are annoying terminology issues here.
In the _Handbook of Applied Cryptography_ (_HAC_)
-- on page 38
Perry E. Metzger wrote:
We need a term for this sort of thing -- the steel tamper
resistant lock added to the tissue paper door on the wrong vault
entirely, at great expense, by a brilliant mind that does not
understand the underlying threat model at all.
Anyone have a good phrase in mind that
Adam Shostack wrote:
Here's a thought:
"Putting up a beware of dog sign, instead of getting a dog."
That's an interesting topic for discussion, but I don't think
it answers Perry's original question, because there are plenty
of situations where the semblence of protection is actually a
cost-ef
Victor Duchovni wrote:
So wouldn't the world be a better place if we could all agree on a
single such library? Or at least, a single API. Like the STL is for C++.
Yes, absolutely, but who is going to do it?
One could argue it has already been done.
There exists a widely available, freely
Jerrold Leichter mentioned that:
a self-
signed cert is better than no cert at all: At least it can be used in an
SSH-like "continuity of identity" scheme.
I agree there is considerable merit to a "continuity of identity"
scheme.
But there are ways the idea can be improved. So let's discu
I've been following this thread for a couple of weeks now, and so
far virtually none of it makes any sense to me.
Back on 10/12/2005 Travis H. wrote:
I am thinking of making a userland entropy distribution system, so
that expensive HWRNGs may be shared securely amongst several machines.
What e
Travis H. wrote:
Part of the problem is using a packet-switched network; if we had
circuit-based, then thwarting traffic analysis is easy; you just fill
the link with random garbage when not transmitting packets.
OK so far ...
There are two problems with this; one, getting
enough random
In the context of:
>>If your plaintext consists primarily of small packets, you should set the MTU
>>of the transporter to be small. This will cause fragmentation of the
>>large packets, which is the price you have to pay. Conversely, if your
>>plaintext consists primarily of large packets, yo
Ben Laurie wrote:
Good ciphers aren't permutations, though, are they? Because if they
were, they'd be groups, and that would be bad.
There are multiple misconceptions rolled together there.
1) All of the common block ciphers (good and otherwise) are permutations.
To prove this, it suffices t
[EMAIL PROTECTED] wrote:
From what I understand simple quantum computers can easily brute-force attack
RSA keys or other
types of PK keys.
My understanding is that quantum computers cannot "easily" do anything.
As the saying goes:
"We can factor the number 15 with quantum computers. We
Dave Howe wrote:
Hmm. can you selectively blank areas of CD-RW?
Sure, you can. It isn't s much different from rewriting any
other type of disk.
There are various versions of getting rid of a disk file.
1) Deletion: Throwing away the pointer and putting the blocks back
on the free lis
Anne & Lynn Wheeler wrote:
is there any more reason to destroy a daily key after it as been used
than before it has been used?
That's quite an amusing turn of phrase. There are two ways to
interpret it:
*) If taken literally, the idea of destroying a key _before_ it is
used is truly an inge
I forgot to mention in my previous message:
It is worth your time to read _Between Silk and Cyanide_.
That contains an example of somebody who thought really
hard about what his threat was, and came up with a system
to deal with the threat ... a system that ran counter to
the previous conventiona
On Sat, 11 Feb 2006 12:36:52 +0100, Simon Josefsson said:
>> Yet, I agree it is poor design to [exit] in a library.
I agree, it is a poor design.
Werner Koch retorted:
I disagree strongly here. Any code which detects an impossible state
or an error clearly due to a programming error by t
David Wagner wrote:
This just shows the dangers of over-generalization.
One could make an even stronger statement about the dangers of
making assumptions that are not provably correct.
Of course, we have to decide which is more important: integrity,
or availability.
That is a false dicho
James A. Donald wrote:
The correct mechanism is exception handling.
Yes, I reckon there is a pretty wide consensus that exceptions
provide a satisfactory solution to the sort of problems being
discussed in this thread.
If caller has provided a mechanism to handle the failure, that
mechanism
Matt Crawford wrote:
I so often get irritated when non-physicists discuss entropy. The word
is almost always misused.
Yes, the term "entropy" is often misused ... and we have seen some
remarkably wacky misusage in this thread already. However, physicists
do not have a monopoly on correct u
Aram Perez wrote:
* How do you measure entropy? I was under the (false) impression that
Shannon gave a formula that measured the entropy of a message (or
information stream).
Entropy is defined in terms of probability. It is a measure of
how much you don't know about the situation. If by
John Kelsey wrote:
As an aside, this whole discussion is confused by the fact that there
are a bunch of different domains in which entropy is defined. The
algorithmic information theory sense of entropy (how long is the
shortest program that produces this sequence?) is miles away from the
infor
I wrote:
>>With some slight fiddling to get the normalization right, 1/2
>>raised to the power of (program length) defines a probability
>>measure. This may not be "the" probability you want, but it
>>is "a" probability, and you can plug it into the entropy definition.
John Kelsey wrote:
No,
osen input program will output that string.
So this is clearly a probability distribution (with some technicalities
regarding issues of program lengths being glossed over here) as John
Denker says. However to go from this to a notion of entropy is more
questionable.
Not really questionable. If
Erik Zenner wrote:
0 occurs with probability 1/2
each other number from 1 to 2^{160}+1 happens with
probability 2^{-161}.
Is anyone aware of whether (and where) this was
discussed in the literature, or what other approaches are taken?
This particular problem is contrived or at least exagg
Ed Gerck wrote:
In Physics, Thermodynamics, entropy is a potential [1].
That's true in classical (19th-century) thermodynamics, but not
true in modern physics, including statistical mechanics. The
existence of superconductors and superfluids removes all doubt
about the absolute zero of entrop
In the context of
>> 0 occurs with probability 1/2
>> each other number from 1 to 2^{160}+1 happens with
>> probability 2^{-161}.
I wrote:
> This ... serves to illustrate, in an exaggerated way, the necessity
> of not assuming that the raw data words are IID (independent and identically
> distr
Hal Finney wrote in part:
... Attempts to embed sensitive secrets in credentials don't work because there
are no sensitive
secrets today. You could use credit card numbers or government ID numbers (like US SSN) but in
practice such numbers are widely available to the black hat community.
The
Hadmut Danisch wrote:
is anyone aware of a general and precise definition of the term
'principal' (as a noun) in the context of security?
Its use in security does not AFAICT differ from its use in
other contexts, notably law and finance.
I don't see why it is necessary to look beyond an ordin
Andrea Pasquinucci wrote:
>
> http://www.idquantique.com/products/quantis.htm
>
> "Quantis is a physical random number generator exploiting an elementary
> quantum optics process. Photons - light particles - are sent one by one
> onto a semi-transparent mirror and detected. The exclusive events
James A. Donald wrote:
>
> And if you want to obtain noise from quantum
> indeterminacy, shot noise is much more convenient.
> Instead of photons going through a half silvered mirror,
> and randomly being reflected or not, you rely on
> electrons randomly winding up at the base or the
> collecto
Dave Korn asked:
> Is it *necessarily* the case that /any/
> polynomial of log N /necessarily/ grows slower than N?
Yes.
Hint: L'Hôpital's rule.
> if P(x)==e^(2x)
That's not a polynomial.
x^Q is a polynomial. Q^x is not.
---
On 12/22/2006 01:57 PM, Alex Alten wrote:
> I'm curious as to why the cops didn't just pull the plugs right away.
Because that would be a Bad Idea. In a halfway-well-designed
system, cutting the power would just do the secret-keepers' job
for them.
> It would probably
> take a while (minutes,
On 01/05/2007 10:53 AM, Paul Hoffman wrote:
> You could take an IPsec stack and repurpose it down one layer in the
> stack. At least that way you'll know the security properties of what you
> create.
That is a Good Idea that can be used in a wide range of
situations. Here is some additional deta
On 01/17/2007 06:07 PM, Allen wrote:
> The whole issue of entropy is a bit vague for me - I don't normally work
> at that end of things - so could you point to a good tutorial on the
> subject, or barring having a reference handy, could you give an overview?
Entropy is defined in terms of probab
On 01/18/2007 03:13 PM, David Wagner wrote:
> In article <[EMAIL PROTECTED]> you write:
>> The /definition/ of entropy is
>>
>> sum_i P_i log(1/P_i) [1]
>>
>> there the sum runs over all symbols (i) in the probability
>> distribution, i.e. over all symbols in the ensembl
This discussion will progress more smoothly and more rapidly
if we clarify some of the concepts and terminology.
There are at least four concepts on the table:
1) At one extreme, there is 100% entropy density, for example
32 bits of entropy in a 32-bit word. I'm talking about real
physics
Previously I said we need to speak more carefully about these
things. Let me start by taking my own advice:
Alas on 09/14/2013 12:29 PM, I wrote:
> a) In the linux "random" device, /any/ user can mix stuff into the
> driver's pool. This is a non-privileged operation. The idea is that
> it can't
On 09/15/2013 03:49 AM, Kent Borg wrote:
> When Bruce Schneier last put his hand to designing an RNG he
> concluded that estimating entropy is doomed. I don't think he would
> object to some coarse order-of-magnitude confirmation that there is
> entropy coming in, but I think trying to meter entro
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 09/25/2013 04:59 AM, Peter Gutmann wrote:
> Something that can "sign a new RSA-2048 sub-certificate" is called a CA. For
> a browser, it'll have to be a trusted CA. What I was asking you to explain
> is
> how the browsers are going to deal wit
On 10/10/2013 02:20 PM, Ray Dillinger wrote:
> split the message stream
> into channels when it gets to be more than, say, 2GB per day.
That's fine, in the case where the traffic is heavy.
We should also discuss the opposite case:
*) If the traffic is light, the servers should generate cover tr
On 06/25/2007 08:23 PM, Greg Troxel wrote:
> 1) Do you believe the physics? (Most people who know physics seem to.)
Well, I do happen to know a thing or two about physics. I know
-- there is quite a lot you can do with quantum physics, and
-- there is quite a lot you cannot do with quantum
On 07/01/2007 05:55 AM, Peter Gutmann wrote:
One threat model (or at least failure mode) that's always concerned me deeply
about QC is that you have absolutely no way of checking whether it's working
as required. With any other mechanism you can run test vectors through it,
run ongoing/continuo
On 07/10/2007 01:59 AM, Florian Weimer wrote:
It's also an open question whether network operators subject to
interception requirements can legally offer built-in E2E encryption
capabilities without backdoors.
I agree. It's a tricky question; see below
JI responded:
You probably meant devi
For years, the Election Integrity Committee of the Pima County
Democratic Party has been trying to improve the security of the
elections systems used in local elections. The results include:
-- a dozen or so suggestions that they made were actually accepted
and implemented by the county.
-- th
Hi Folks --
I was wondering to what extent the folks on this list have taken
a look the PunchScan voting scheme:
http://punchscan.org/
The site makes the following claims:
>> End-to-end cryptographic independent verification, or E2E, is a
>> mechanism built into an election that allows voter
On 12/13/2007 08:23 PM, Taral wrote:
> On 12/12/07, John Denker <[EMAIL PROTECTED]> wrote:
>> Several important steps in the process must be carried out in
>> secret, and if there is any leakage, there is unbounded potential
>> for vote-buying and voter coercion.
>
&
On 12/23/2007 08:24 PM, ' =JeffH ' wrote:
> 2008: The year of hack the vote?
Shouldn't that be:
2008: Another year of hack the vote yet again?
..^^^...^
There is every reason to believe that the 2000 presidential
election was stolen. A fair/honest/lawful
Hi Folks --
I have been asked to opine on a system that requires a
"two-person login". Some AIX documents refer to this as
a "common method of increasing login security"
http://www.redbooks.ibm.com/redbooks/pdfs/sg245962.pdf
However, I don't think it is very common; I get only five hits
from
On 01/29/2008 11:34 AM, The Fungi wrote:
> I don't think it's security theater at all, as long as established
> procedure backs up this implementation in a sane way. For example,
> in my professional life, we use this technique for commiting changes
> to high-priority systems. Procedure is that tw
I quote from
http://www.washingtonpost.com/wp-dyn/content/article/2008/02/06/AR2008020604763_pf.html
By Ellen Nakashima
Washington Post Staff Writer
Thursday, February 7, 2008; A01
> The seizure of electronics at U.S. borders has prompted protests from
> travelers who say they now weigh
This is an important discussion
The threats are real, and we need to defend against them.
We need to consider the _whole_ problem, top to bottom. The
layers that could be subverted include, at a minimum:
-- The cpu chip itself (which set off the current flurry of
interest).
-- The boot rom
On 07/23/2008 12:44 AM, Steven M. Bellovin wrote:
>> Niels Provos has a web page up with some javascript that automatically
>> checks if your DNS caching server has been properly patched or not.
>>
>> http://www.provos.org/index.php?/pages/dnstest.html
>>
>> It is worth telling people to try.
>>
>
In 1951, John von Neumann wrote:
> Any one who considers arithmetical methods of producing random digits
> is, of course, in a state of sin.
That may or may not be an overstatement.
IMHO it all depends on what is meant by "random". The only notion
of randomness that I have found worthwhile is
On 09/20/2008 12:09 AM, IanG wrote:
> Does anyone know of a cheap USB random number source?
Is $7.59 cheap enough?
http://www.geeks.com/details.asp?invtid=HE-280B&cat=GDT
For that you get a USB audio adapter with mike jack, and
then you can run turbid(tm) to produce high-quality randomness.
On 09/29/2008 05:13 AM, IanG wrote:
> My assumptions are:
>
> * I trust no single source of Random Numbers.
> * I trust at least one source of all the sources.
> * no particular difficulty with lossy combination.
> If I have N pools of entropy (all same size X) and I pool them
> together with
On 10/24/2008 01:12 PM, Jack Lloyd wrote:
> is a very different statement from saying that
> lacking such an attacker, you can safely assume your 'pools of
> entropy' (to quote the original question) are independent in the
> information-theoretic sense.
The question, according to the origina
On 10/24/2008 03:40 PM, Jack Lloyd wrote:
> Perhaps our seeming disagreement is due to a differing interpretation
> of 'trusted'. I took it to mean that at least one pool had a
> min-entropy above some security bound. You appear to have taken it to
> mean that it will be uniform random?
Thanks, t
On 10/25/2008 04:40 AM, IanG gave us some additional information.
Even so, it appears there is still some uncertainty as to
interpretation, i.e. some uncertainty as to the requirements
and objectives.
I hereby propose a new scenario. It is detailed enough to
be amenable to formal analysis. The
Alas on 10/25/2008 01:40 PM, I wrote:
> To summarize: In the special sub-case where M=1, XOR
> is as good as it gets. In all other cases I can think
> of, the hash approach is much better.
I should have said that in the special sub-case where
the member word has entropy density XX=100% _or_ i
On 10/28/2008 09:43 AM, Leichter, Jerry wrote:
> | We start with a group comprising N members (machines or
> | persons). Each of them, on demand, puts out a 160 bit
> | word, called a "member" word. We wish to combine these
> | to form a single word, the "group" word, also 160 bits
> | in le
On 08/01/2009 02:06 PM, Jerry Leichter wrote:
> A while back, I evaluated a
> technology that did it best to solve a basically insoluble problem: How
> does a server, built on stock technology, keep secrets that it can use
> to authenticate with other servers after an unattended reboot?
This
1 - 100 of 117 matches
Mail list logo
