Cryptography-Digest Digest #520

2001-06-04 Thread Digestifier

Cryptography-Digest Digest #520, Volume #14   Mon, 4 Jun 01 23:13:01 EDT

Contents:
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Paul Pires)
  Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, and Large Primes (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (Tom St Denis)
  Re: Def'n of bijection (Robert J. Kolker)
  Re: Def'n of bijection (Tom St Denis)
  Re: Best, Strongest Algorithm (gone from any reasonable topic) (SCOTT19U.ZIP_GUY)
  Re: Def'n of bijection (SCOTT19U.ZIP_GUY)
  Re: Welcoming another Anti-Evidence Eliminator stooge to USENET  (P. Dulles / AKA Loki) (Eric Lee Green)
  Re: Welcoming another Anti-Evidence Eliminator stooge to USENET  (P. Dulles / AKA Loki) (Eric Lee Green)
  Re: RSA's new Factoring Challenges: $200,000 prize. (Sergei Lewis)
  Re: Fast 8-bit mults on smartcards (Mark Wooding)
  Re: about DH parameters  germain primes (Mark Wooding)
  Re: Keyed hash functions (Mark Wooding)
  Re: BBS implementation (Mark Wooding)
  Re: Welcoming another Anti-Evidence Eliminator stooge to USENET  (P.   (Trevor L. Jackson, III)
  Re: Welcoming another Anti-Evidence Eliminator stooge to USENET  (P. (Trevor L. Jackson, III)



From: Paul Pires [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: Mon, 4 Jun 2001 18:03:52 -0700


Tim Tyler [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
 Tom St Denis [EMAIL PROTECTED] wrote:

 : Tim Tyler [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
 : Tom St Denis [EMAIL PROTECTED] wrote:
 : : Tim Tyler [EMAIL PROTECTED] wrote in message
 : news:[EMAIL PROTECTED]...
 : : Tom St Denis [EMAIL PROTECTED] wrote:
 : : : Tim Tyler [EMAIL PROTECTED] wrote in message

 [BICOM vs Rijndael in CTR mode]

 : : : He explained it - you just didn't understand the explanation.
 : :
 : : : What explanation?  All he does is flame me.
 : :
 : : This sort of thing, repeated several times now:
 : :
 : : DS And you never anwsered the FACT that a one byte ouput file
 : : DS from CTR mode (though you have no working program) would imediately
 : : DS lead an attacker to realize that the input file could only have
 : : DS come from 1 of 256 possible messages. With BICOM you have many
 : : DS many more messages. That alone makes it more secure.
 :
 : [snip]
 :
 : : His logic is flawed.  He states a feature of BICOM then assumes its a
 : : security bonus.
 :
 : Knowledge that a message comes from a set of billions of possible key
 : selected messages, rather than a set of 256 possible key selected messages
 : *is* a feature that has an immediate impact on security.
 :
 : If you can narrow the plaintext down to one of 256 possibilities, then
 : that is already a significant leak of information about the message
 : contents.

 : OTP encrypted message.

 : C=110010001

 : What is P?

 : (How long must this go on?)

 I don't know:

 Maybe until you realise that an OTP doesn't have perfect secrecy if it's
 dealing with finite files, and converting them to cyphertexts of the same
 length as the plaintexts?
 --
Ehrr?  Why not? Length of Pt = Ct length = key length of random origin, only used once.
It seems to me that a Ct could be from any possible Plaintext of exactly
the same size. Are you saying that just leaking the size is a lapse in perfect
secrecy? Even if it was compressed, the plaintext is still the same size as the
ciphertext. It's just that the plaintext is now a compressed volume. What am I
missing?

Paul
 __
  |im |yler  [EMAIL PROTECTED]  Home page: http://alife.co.uk/tim/




--

From: Tom St Denis [EMAIL PROTECTED]
Subject: Re: Help with Comparison Of Complexity of Discrete Logs, Knapsack, and Large Primes
Date: Tue, 05 Jun 2001 01:12:20 GMT


Gregory G Rose [EMAIL PROTECTED] wrote in message
news:9fhb44$[EMAIL PROTECTED]...
 In article ebvtZ6S7AHA.201@cpmsnbbsa09,
 Joseph Ashwood [EMAIL PROTECTED] wrote:
 make things easy, RSA looks easy enough, once the Wide Trail Strategy has
 been developed it makes development fairly straight forward. OTOH

 What is this Wide Trail Strategy?

I believe the term was invented by J.Daemen.

The idea is to have small (or possibly just efficient at a cost in security)
sboxes but to try and make as many of them active w.r.t. an attack as
possible.

See the Serpent, Rijndael, Noekeon, Crypton, Twofish or Khazad designs for
example.

Tom



--

From: Tom St Denis [EMAIL PROTECTED]
Subject: Re: Best, Strongest Algorithm (gone from any reasonable topic)
Date: Tue, 05 Jun 2001 01:13:28 GMT


Paul Pires [EMAIL PROTECTED] wrote in message
news:AfWS6.11163$[EMAIL PROTECTED]...

 Tim Tyler [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
  Tom St Denis [EMAIL PROTECTED] wrote:
 
  : Tim Tyler [EMAIL PROTECTED] wrote in message
news:[EMAIL

Cryptography-Digest Digest #520

2001-01-21 Thread Digestifier

Cryptography-Digest Digest #520, Volume #13  Mon, 22 Jan 01 02:13:01 EST

Contents:
  Re: cryptographic tourism in Russia (stanislav shalunov)
  Re: Where can I find software tools for Known-text decryption (Bob Silverman)
  Re: KASUMI Analysis? (Was: Re: 3G crypto algorithms) (David Wagner)
  Re: Comparison of ECDLP vs. DLP (David Wagner)
  Re: JPEG infidelity for crypto (wtshaw)
  Re: JPEG infidelity for crypto (wtshaw)
  Re: using AES finalists in series? ("Douglas A. Gwyn")
  Re: Transposition code (Richard Heathfield)
  Re: Fitting Dynamic Transposition into a Binary World (John Savard)
  Re: Transposition code (John Savard)
  Re: cryptographic tourism in Russia (Steve Roberts)
  Re: using AES finalists in series? (Bryan Olson)
  Re: Dynamic Transposition Revisited (long) (Terry Ritter)



From: stanislav shalunov [EMAIL PROTECTED]
Subject: Re: cryptographic tourism in Russia
Date: 21 Jan 2001 22:48:24 -0500

Dido Sevilla [EMAIL PROTECTED] writes:

 The US Government will not even let you visit the NSA; it's even more
 doubtful that the Russian Government will allow you to visit GOST.

"NSA"?  GOST is "GOsudarstvennyj STandart" (State Standard), and its
analogue in the U.S. would be ANSI, not NSA.

-- 
Stanislav Shalunov [EMAIL PROTECTED] Internet Engineer, Internet2

I never let school stand in the way of my education.   -- Mark Twain

--

From: Bob Silverman [EMAIL PROTECTED]
Subject: Re: Where can I find software tools for Known-text decryption
Date: Mon, 22 Jan 2001 03:41:17 GMT

In article 946lft$tgq$[EMAIL PROTECTED],
  [EMAIL PROTECTED] wrote:
 It is my understanding that when you know some of the text in a file,
 the rest of the file can be decrypted.

Sorry, but no.  It can't.


--
Bob Silverman
"You can lead a horse's ass to knowledge, but you can't make him think"


Sent via Deja.com
http://www.deja.com/

--

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: KASUMI Analysis? (Was: Re: 3G crypto algorithms)
Date: 22 Jan 2001 03:57:24 GMT
Reply-To: [EMAIL PROTECTED] (David Wagner)

Sam Simpson wrote:
Has anyone had a look at KASUMI, the 'new' block cipher to be used with
3GPP?  Any comments or critical appraisal?

Yes, it is based on MISTY, a cipher that has been published for several
years in the academic literature.  Thus, it seems likely to me that the
3GPP cipher, KASUMI, will provide a considerably higher assurance of
security than the GSM algorithms.  (Of course, this is just speculation.)

--

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: Comparison of ECDLP vs. DLP
Date: 22 Jan 2001 03:59:51 GMT
Reply-To: [EMAIL PROTECTED] (David Wagner)

Paul Rubin  wrote:
Really, statistical tests can only detect catastrophic RNG failures.  They
won't detect a simply poorly seeded RNG.

Right.  For instance, no statistical test would have detected the bad
RNG in the old (1995) versions of Netscape browsers and servers, because
that RNG was essentially equivalent to running the output of rand()
through MD5.  See http://www.ddj.com/articles/1996/9601/9601h/9601h.htm
for details.

--

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: JPEG infidelity for crypto
Date: Sun, 21 Jan 2001 21:58:35 -0600

In article [EMAIL PROTECTED], Dido Sevilla
[EMAIL PROTECTED] wrote:

 wtshaw wrote:
  
  Along with GIF's, bitmaps on PC's and PICT's on Mac's are amongst
  acceptable formats for faithful bit representation, within available
  resolution of the monitors, of course.
 
 What relation does this have to cryptography?  Have you missed saying
 something?  Maybe your post should go to comp.dsp or
 sci.image.processing.  You've said nothing at all that discusses
 cryptography and JPEG images.
 
This is important for steganography, to illustrate technical limitations as
means around them are addressed.  I understand that there are some for
dishonorable reasons who wish to cloud this area of crypto so as to
dissuade understanding of its potential.  If you are unwilling to advance
in the field, don't try to stop others.
-- 
Some people say what they think will impress you, but ultimately
do as they please.  If their past shows this, don't expect a change.

--

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: JPEG infidelity for crypto
Date: Sun, 21 Jan 2001 22:01:36 -0600

In article [EMAIL PROTECTED],
[EMAIL PROTECTED] (John Savard) wrote:

 On Sun, 21 Jan 2001 17:03:18 +0800, Dido Sevilla [EMAIL PROTECTED]
 wrote, in part:
 
 What relation does this have to cryptography?  Have you missed saying
 something?
 
 Well, the relation is obvious: simple forms of steganography, which
 depend on preserving things like the LSB of every single pixel, don't
 work with .JPG files.
 
 You could complain that we already knew that, and that there are more
 so

Cryptography-Digest Digest #520

2000-08-23 Thread Digestifier

Cryptography-Digest Digest #520, Volume #12  Thu, 24 Aug 00 01:13:00 EDT

Contents:
  Provably secure stream cipher ([EMAIL PROTECTED])
  Re: The DeCSS ruling (Barry Adams)
  How to add 96 bits of key to DES ([EMAIL PROTECTED])
  Re: How to add 96 bits of key to DES ([EMAIL PROTECTED])
  A few big primes? (Michael Brown)
  Re: SHA-1 program (cool!) (Benjamin Goldberg)
  Re: Comment from Hardware Experts Please (Mack)
  Re: blowfish problem ("Spud")
  Re: A few big primes? ([EMAIL PROTECTED])
  Re: Crypto Coprocessor on Javacard (Mack)
  Re: Re-using CD-R discs (Mack)
  Re: Testvectors for DES and 3xDES (Hideo Shimizu)
  Re: blowfish problem ("Spud")
  Re: Provably secure stream cipher ("Alexis Machado")
  Re: New algorithm for the cipher contest (Mack)



From: [EMAIL PROTECTED]
Subject: Provably secure stream cipher
Date: Thu, 24 Aug 2000 03:13:36 GMT

Here is an idea for a somewhat slow provably secure (as long as the
underlying prng is statistically random, but need not be wholly random).

Based (yet again) on the simple pair-wise decorrelated function

f(x) = ax + b

in GF(2^n) (n = 8, 32, 64 ...)

The idea is that the prng will make the (a, b) values for each 'x' that
is being encrypted.  Since this is pairwise decorrelated and the values
(a, b) are made anew with each output this is provably secure if the
stream (a, b) is not guessable (in this case without any known stream).

The only big flaw is that if the attacker sends a stream of zeroes into
the cipher 'b' will be recovered.  Any ideas?  I could change it to be

f(x) = a(x + b) + c which would make the attack impossible to exploit,
but this requires three clockings per output...

And I was thinking of primarily doing this in GF(2^8) where the
multiplicative inverses could be stored in a LUT.

I think the prng could be a simple lagged Fibonacci generator say
(83,258) or something...  The key schedule could be a 16 - 258 type
function using a 16 stage LFSR as the expansion function

Any comments please?

Tom


Sent via Deja.com http://www.deja.com/
Before you buy.
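An added worked example, not from Tom's post: the affine map f(x) = ax + b over GF(2^8) used as a per-byte keystream cipher, a brute-force check of its pairwise decorrelation, and the zero-plaintext leak of b next to the three-parameter variant he proposes. It assumes the AES reduction polynomial (the post names none) and a constructed, non-cryptographic stand-in for the (a, b) stream.

```python
# Added example (not from the post).  f(x) = a*x + b over GF(2^8), one fresh
# (a, b) pair per byte, with a != 0 so the map is invertible.
from itertools import product

POLY = 0x11B  # assumed reduction polynomial x^8 + x^4 + x^3 + x + 1 (AES's)


def gf_mul(x, y):
    """Multiply two elements of GF(2^8) modulo POLY (shift-and-add)."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        x <<= 1
        if x & 0x100:
            x ^= POLY
        y >>= 1
    return r


# Multiplicative-inverse LUT for decryption, as the post suggests.
GF_INV = [0] * 256
for _x in range(1, 256):
    for _y in range(1, 256):
        if gf_mul(_x, _y) == 1:
            GF_INV[_x] = _y
            break


def encrypt(plaintext, pairs):
    """c_i = a_i * p_i + b_i with a fresh (a_i, b_i) taken from `pairs`."""
    out = bytearray()
    for p in plaintext:
        a, b = next(pairs)
        assert a != 0, "a must be invertible"
        out.append(gf_mul(a, p) ^ b)
    return bytes(out)


def decrypt(ciphertext, pairs):
    """p_i = a_i^-1 * (c_i + b_i); the receiver replays the same pair stream."""
    out = bytearray()
    for c in ciphertext:
        a, b = next(pairs)
        out.append(gf_mul(GF_INV[a], c ^ b))
    return bytes(out)


def pairwise_output_counts(x1, x2):
    """For fixed inputs x1 != x2, count each output pair (f(x1), f(x2)) over
    all 255*256 choices of (a, b).  Pairwise decorrelation means every pair of
    distinct outputs occurs exactly once and equal outputs never occur."""
    counts = {}
    for a, b in product(range(1, 256), range(256)):
        y = (gf_mul(a, x1) ^ b, gf_mul(a, x2) ^ b)
        counts[y] = counts.get(y, 0) + 1
    return counts


def is_pairwise_decorrelated(x1, x2):
    counts = pairwise_output_counts(x1, x2)
    return (len(counts) == 255 * 256
            and all(n == 1 for n in counts.values())
            and all(y1 != y2 for (y1, y2) in counts))


def zero_byte_leak(a, b):
    """Encrypting the byte 0 returns a*0 + b = b: the flaw Tom points out."""
    return gf_mul(a, 0) ^ b


def three_param(x, a, b, c):
    """The proposed fix f(x) = a*(x + b) + c: f(0) = a*b + c, which no longer
    reveals any single parameter on its own."""
    return gf_mul(a, x ^ b) ^ c


def constructed_pair_stream(seed):
    """Constructed stand-in for the post's lagged Fibonacci PRNG: a tiny LCG
    (NOT cryptographic) yielding (a, b) with a != 0, for the demo only."""
    state = seed & 0xFFFFFFFF
    while True:
        state = (1103515245 * state + 12345) & 0xFFFFFFFF
        a = ((state >> 16) & 0xFF) or 1
        state = (1103515245 * state + 12345) & 0xFFFFFFFF
        b = (state >> 16) & 0xFF
        yield a, b


if __name__ == "__main__":
    msg = b"hello world"
    ct = encrypt(msg, constructed_pair_stream(7))
    print(decrypt(ct, constructed_pair_stream(7)) == msg)
    print("pairwise decorrelated for x=3, x=200:", is_pairwise_decorrelated(3, 200))
    print("f(0) under (a=0x53, b=0xCA):", hex(zero_byte_leak(0x53, 0xCA)))
```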

--

From: Barry Adams [EMAIL PROTECTED]
Subject: Re: The DeCSS ruling
Date: 23 Aug 2000 22:33:13 -0500

On Wed, 23 Aug 2000 12:38:50 -0400, "Douglas A. Gwyn"
[EMAIL PROTECTED] wrote:

Jim Steuert wrote:
 What about just plain curiosity? Can that be a legal reason for
 reverse engineering?

[ About the legality of reverse engineering programs]

Should it be?  Suppose you're curious what's in somebody's
house -- should that be a legal excuse for entering without
permission?

That's a totally unapt analogy: if they sell a device or software
to be installed in my house or my computer, then I should have every
right to know exactly what it's doing, for my own security.

Unfortunately this legal case seems to have involved both
a possible intent to cause malicious mischief or abet
criminal activity (theft), and the more intellectual issue
of right to attack cryptosystems.  One way to look at the
latter is that the DVD vendors chose to use a difficult
puzzle (CSS) as their primary means of protecting their
rights to control use of their property.  It's much like
depending on a lock to keep people out of one's house --
it keeps unskilled honest people out, but provides little
protection against skilled people and career criminals.

Once again a totally unapt analogy. CSS does not
even protect against copying. So we are not even talking
about software/media copyright "theft".  What CSS does
is prevent a DVD I have bought from running on any player
that is not made by a manufacturer with a licence. I see
absolutely no legal precedent as to why they should have such
a right over media I have legally obtained.
Funnily enough, DeCSS isn't actually the threat to the movie industry's
power grab; the threat is the fact that many players which bypass the
regional lock have been made available for sale (including the
PlayStation 2)

We use other means such as social and legal sanctions to
address the latter.

Quid custodes ipso custodian

--

From: [EMAIL PROTECTED]
Subject: How to add 96 bits of key to DES
Date: Thu, 24 Aug 2000 03:37:00 GMT

Here's a neat trick that takes normal 16-round DES and adds 96 bits to
the key.

Change all the sboxes from "y = S1(x)" to

y = (c(S1((ax + b) mod 64)) + d) mod 16

Where a,b are in {0,1}^6 and c,d are in {0,1}^4.

Each sbox can have log2((64)(63) + (16)(15)) bits of entropy added
since the values (a,b,c,d) can be anything except that (a,c) cannot be
zero.

Since the inputs into the second decorrelation simply (cx' + d) are not
known the function should (?) be secure from standard diff/linear
attacks.

And this does not slow down standard des since the sboxes can be
precomputed with this in mind.

Please comment.

Tom


Sent via Deja.com http://www.deja.com/
Before you buy.

---

Cryptography-Digest Digest #520

2000-04-09 Thread Digestifier

Cryptography-Digest Digest #520, Volume #11   Sun, 9 Apr 00 19:13:01 EDT

Contents:
  Re: Skipjack algorithm. (CLSV)
  Re: Turing machine ("John A. Malley")
  Re: Blowfish constants (lordcow77)
  Re: GSM A5/1 Encryption (David A. Wagner)
  Re: GSM A5/1 Encryption (David A. Wagner)
  Security model for blinded-key recipient-hiding encryption (David Hopwood)
  Re: Q: Entropy (Xcott Craver)



From: CLSV [EMAIL PROTECTED]
Subject: Re: Skipjack algorithm.
Date: Sun, 09 Apr 2000 23:13:54 +0200

[EMAIL PROTECTED] wrote:
 
 I've implemented the Skipjack algorithm in assembler, and the win32 dll +
 source are at http://ingrato.penguinpowered.com/~fastwalker - thanks if you
 would check it out, and give me comments.
 It is claimed Skipjack provides insufficient security due to its short
 (80 bit) key; my question is, has anyone examined the security of Skipjack
 used with larger than 80 bit (1024 bits is possible) keys?
 Instinct tells me a 1024 bit key variant of Skipjack would be exponentially
 more secure; however I seem to remember reading that an implementation of
 DES using independent subkeys for a total 768 bit key did little for its
 security. This is perplexing and warrants explanation.
 Another question: would a longer key variant of Skipjack (considering the
 ease with which this is accomplished and the fact that the algorithm is not
 changed) be a possible AES candidate? I'd much rather use a strengthened
 version of what the government uses than any AES candidate to date. Thanks.

One of the official remarks on the algorithm is
that the length of its keys can not be extended.
I don't know where I read it but if you look for
it you probably can find it. This is possibly the
optimal length for this cipher. It might as well
be one of the (secret) design criteria.

Regards,

CLSV

--

From: "John A. Malley" [EMAIL PROTECTED]
Subject: Re: Turing machine
Date: Sun, 09 Apr 2000 14:18:34 -0700

The B-Machine sounds like Alan Turing's "B-type unorganized machine" of
1948. It's described in a paper titled "Intelligent Machinery" written
while Turing worked at the National Physical Laboratory in London,
England. Sir Charles Darwin ( grandson of the "evolutionary" Darwin ),
the lab's director,  dismissed it as a "schoolboy essay."  This paper
was not published until 1968 - years after Turing's death. 

Turing described Connectionism (a.k.a. neural networks) in that paper
some 10 years before Rosenblatt's paper in 1958.  In Turing's B-type
unorganized machine, every neuron connected to every neuron, unlike the
3-layer back-propagation neural nets or the Kohonen topological neural
net sheets so prominent in today's NN research/development. 

See the excellent article in the April, 1999 Scientific American, "The
Lost Brainstorms of Alan Turing."


John A. Malley
[EMAIL PROTECTED]


[EMAIL PROTECTED] wrote:
 
 In article SZCH4.23924$[EMAIL PROTECTED],
   "Stou Sandalski" tangui [EMAIL PROTECTED] wrote:
 
  Oh and I read a long time ago somewhere about this machine I think it
  was called a B-Machine (or something similar) designed (theoretically)
  by a mathematician from early this century (I think) and it looked to me
  like a neuro-network (the b-machine had states like organized or trained
  and unorganized). I remember there was some kind of device attached to it
  that theoretically could be used to solve any problem (you know the...
  assume a device such that can solve any problem in the universe, deal)
  Does anyone have any clue what this is? I would really really like to
  learn more about it but I can't find where I read it originally.
 
 
 You might be thinking of Bayesian networks or something related to them.
 I have heard of things like the Helmholtz Machine but I don't know
 anything about this "machine".
 
 Sent via Deja.com http://www.deja.com/
 Before you buy.

--

Subject: Re: Blowfish constants
From: lordcow77 [EMAIL PROTECTED]
Date: Sun, 09 Apr 2000 14:52:49 -0700

In article [EMAIL PROTECTED], Tom St Denis
[EMAIL PROTECTED] wrote:
Do the constants in blowfish [for the sbox/pbox] have to be pi?  Can
they just be sum(0, 1024, C) where 'C' is some odd constant?  That would
save some space in the library...


Why do you insist on inventing your own notation for some very
simple concepts? "sum(0, 1024, C)" has absolutely no standard
meaning at all. It's possible to guess from context that you
mean incrementing each successive S-box entry by some constant,
but why can't you just say that? Similarly, why do you always
refer to the construction of the PRNG described in Knuth's TAOCP
as Alg. M? "Alg. M" means nothing except in context, and if you
provide the context, why can't you just use a more descriptive
name? Takin

Cryptography-Digest Digest #520

1999-11-07 Thread Digestifier

Cryptography-Digest Digest #520, Volume #10   Sun, 7 Nov 99 10:13:03 EST

Contents:
  Re: How protect HDisk against Customs when entering Great Britain  (That guy...from that show!)
  Passwords - the weak link (Raddatz Peter)
  Re: Best Asymetric Key System? (David A Molnar)
  Re: Passwords - the weak link
  Re: How protect HDisk against Customs when entering Great Britain (Dave Hazelwood)
  Re: Best Asymetric Key System? (fungus)
  Re: PGP Cracked ? (fungus)
  Re: addition chains ? (Paul Rubin)
  What sort of noise should encrypted stuff look like? (Lincoln Yeoh)
  Re: PGP Cracked ? (zentara)
  Project announce: Yet another encryptor for chat (transaprent IRC and ICQ support) ([EMAIL PROTECTED])
  XOR Knapsacks (Oh no! not again?) ("Gary")
  Re: Lenstra on key sizes (Mok-Kong Shen)
  Re: The Code Book Mailing List ("Trevor Jackson, III")
  Re: Best Asymetric Key System? (Tom St Denis)
  Does OpenSSL work under Windows98? ("Yuriy Stul")
  Re: How protect HDisk against Customs when entering Great Britain ("Scotty")
  Re: Lenstra on key sizes (Tom St Denis)
  Re: Best Asymetric Key System? (Tom St Denis)



From: That guy...from that show! [EMAIL PROTECTED]
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss,comp.security.pgp.tech,alt.privacy,alt.privacy.anon-server
Subject: Re: How protect HDisk against Customs when entering Great Britain 
Date: 6 Nov 1999 04:31:38 -
Reply-To: [EMAIL PROTECTED]

On Sat, 06 Nov 1999 02:36:40 GMT , [EMAIL PROTECTED] (Menial Roky)
wrote
pgp651 [EMAIL PROTECTED] wrote:

To all offended by my cross posting, I'm very sorry for what you are
feeling.
My intention was & is to receive help from 2 groups of people [ Privacy
& PGP ]. I do not consider cross posting to be bad when someone needs help.

You could at least tell us which newsgroup you are actually reading, so
that we can go directly to that group and be sure of reaching you without
having to cross-post to six different newsgroups.

That would be rather stupid.

a) Others wouldn't know if the question was answered.  Duplicate answers
would result in unnecessary usenet traffic.
b) If an incorrect answer is given, most people are locked out of
correcting it
c) The post was appropriate to all of the groups it was crossposted to.
d) If you wanted to be sure of reaching him, and didn't want to crosspost,
there's this new thing we call 'e-mail'.  It's the latest rage. Check it
out ya bonehead.


--

From: Raddatz Peter [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Subject: Passwords - the weak link
Date: Sat, 06 Nov 1999 21:25:04 -0800

I'm a relative Newbie to Cryptography, but after doing some research I
seem to come full circle to the same result. - "The weak link to ANY
encryption algo is the PASSWORD." 
Here, in this Newsgroup, I've always seen the quote "what if your enemy
has access to the same program that you are using...". Well, that being
the case then any algo is just as weak as any other because it is
susceptible to a password attack.
Provided that the user is using one of the AES compliant algos it should
be equally secure or insecure.
Given the same program and the cipher an attack on the password should
be able to decrypt the file in question. There is a finite number of
combinations of chars, nums & other symbols that 256 symbols can yield.
With today's high-speed computers these combinations should be able to be
explored in no time flat.
What am I missing here?
Peter Raddatz

--

From: David A Molnar [EMAIL PROTECTED]
Subject: Re: Best Asymetric Key System?
Date: 7 Nov 1999 05:38:42 GMT

Tom St Denis [EMAIL PROTECTED] wrote:
 I think ELGAMMA is the buzzword of the month now.

YM Elgamal HTH, 

-David

--

From: [EMAIL PROTECTED] ()
Subject: Re: Passwords - the weak link
Date: 7 Nov 99 06:21:37 GMT

Raddatz Peter ([EMAIL PROTECTED]) wrote:
: I'm a relative Newbie to Cryptography, but after doing some research I
: seem to come full circle to the same result. - "The weak link to ANY
: encryption algo is the PASSWORD." 

: With today's highspeed computers these combinations should be able to be
: explored in no time flat.

In the latest issue of Crypto-Gram, Bruce Schneier, author of the
acclaimed book "Applied Cryptography", made the same point - that
passwords of a reasonable size for typical computer users to memorize are
the weak link.

However, although "today's highspeed computers" can try every possible
40-bit key in a short time, or even, with specialized equipment, every
possible 56-bit key in a few weeks, the combinations made by even sixteen
characters - if each one could be any of 256 possible values - correspond
to a 128-bit key, which would take immensely longer to try.

But instead of trying to memorize 16 characters with arbitrary values, o

Cryptography-Digest Digest #520

1999-05-09 Thread Digestifier

Cryptography-Digest Digest #520, Volume #9Sun, 9 May 99 13:13:04 EDT

Contents:
  Re: DES cracked in hardware? ("Douglas A. Gwyn")
  Re: True Randomness & The Law Of Large Numbers ("Douglas A. Gwyn")
  How was this key constructed? ("Tim Stoner")
  Re: How was this key constructed? (Jim Gillogly)
  Re: True Randomness & The Law Of Large Numbers (R. Knauer)
  Re: Factoring breakthrough? ([EMAIL PROTECTED])
  Re: Scramdisk/Norton query ("hapticz")
  Scramdisk: Security flaw in VxD? ([EMAIL PROTECTED])



From: "Douglas A. Gwyn" [EMAIL PROTECTED]
Subject: Re: DES cracked in hardware?
Date: Sun, 09 May 1999 08:17:27 GMT

Keith Brodie wrote:
 I think you can take it as a given that a DES cracker existed at
 the time it was introduced, ...

I think not.

--

From: "Douglas A. Gwyn" [EMAIL PROTECTED]
Subject: Re: True Randomness & The Law Of Large Numbers
Date: Sun, 09 May 1999 08:14:46 GMT

"R. Knauer" wrote:
 Maybe in that instance 10,000 keys is an overkill - but whatever that
 number is, it is certainly not 1. If you think 1-bit bias adequately
 characterizes a TRNG process for the purposes of secure crypto, then
 go ahead and run the FIPS-140 Monobit Test, but at least run it enough
 times under varying circumstances so that you can see a decent
 distribution, from which you can then infer the 1-bit bias
 characteristic of the TRNG.

The FIPS-140 Monobit Test was never meant to certify the cryptographic
quality of the *algorithm*, just as one of a handful of simple checks
that are to be performed on presumed high-grade systems to detect when
they might have broken during operation.

 Using the Monobit Test only once has no theoretical justification.
 Claiming that you are measuring 20,000 samples of a single bit has no
 meaning in terms of modeling the TRNG. What you want to do is to
 characterize the overall generation process, not a single bit
 operation (unless you plan on sending only 1-bit messages). You want
 to see how the TRNG behaves for 10,000 bit keys, not 1 bit keys.

Sure, it has a very good theoretical justification.  The required
key stream properties are such that a UBP is a very good model, and
the Monobit Test checks the actual data against one property of that
model.  Sure, it doesn't check serial correlation properties, but it
is just one of a battery of tests; the other tests specified in
FIPS-140 check other properties.  If you want to design a test that
checks all possible properties at once, be my guest -- it has been
suggested (off-line) that Maurer's universal test might be suitable.

 So you must generate many 10,000 bit keys until you have a
 sufficiently large sample of such keys.  Maybe 1,000 such keys is
 enough to get a distribution which will let you know with reasonable
 certainty that the TRNG will generate crypto-secure 10,000 bit keys.

Unfortunately, by then the brokenness of the key generator has
allowed thousands of sensitive messages to be read by enemy
cryptanalysts.  So, what can you do with only 20,000 sequential
bits?

 Any one 10,000 bit key can be anomalous - that is what Feller and
 Li & Vitanyi have been trying to tell you.

Gee, we don't need them to tell us that, because it is exceedingly
obvious.  The FIPS-140 key-stream-monitoring tests were designed so
that anomalies capable of generating a spurious warning in a
correctly operating generator would be rare enough to not be much
of a nuisance in the anticipated applications.

 Therefore you cannot use just one time average from a single
 sequence to infer anything about the ensemble average.

"I see no ensemble here."  Just a specific instance of a generator
which might or might not be functioning properly.

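An added example, not from the thread: the FIPS 140-1 monobit and long-run tests run block by block over a generator's output, in the operational health-check role Gwyn describes, using constructed stand-in bit sources (a seeded PRNG, healthy and skewed) rather than a real TRNG. The thresholds are FIPS 140-1's published values; the helper names are mine.

```python
# Added example (not from the thread): FIPS 140-1 style checks on 20,000-bit
# blocks as a running monitor for a generator that "might have broken during
# operation".  Thresholds: 9654 < ones < 10346 (monobit); no run >= 34
# (long run).  Sources below are constructed stand-ins, not a TRNG.
import random

BLOCK_BITS = 20_000


def monobit(bits):
    """FIPS 140-1 monobit test on one 20,000-bit block (2,500 bytes).
    Returns (passed, count_of_ones)."""
    assert len(bits) * 8 == BLOCK_BITS, "test is defined on 20,000-bit blocks"
    ones = sum(bin(byte).count("1") for byte in bits)
    return 9654 < ones < 10346, ones


def long_run(bits):
    """FIPS 140-1 long-run test: fail if any run of identical bits is >= 34.
    Returns (passed, longest_run)."""
    longest = cur = 0
    prev = None
    for byte in bits:
        for i in range(7, -1, -1):
            bit = (byte >> i) & 1
            cur = (cur + 1) if bit == prev else 1
            prev = bit
            longest = max(longest, cur)
    return longest < 34, longest


def health_check(bits):
    """Run both checks on a block; 'pass' is what an alarm would key on."""
    ok_m, ones = monobit(bits)
    ok_r, longest = long_run(bits)
    return {"monobit": ok_m, "ones": ones,
            "long_run": ok_r, "longest": longest,
            "pass": ok_m and ok_r}


def constructed_source(seed, p_one=0.5):
    """Constructed stand-in generator: Bernoulli(p_one) bits from a seeded
    PRNG.  p_one = 0.5 mimics a healthy source; a skewed p_one models a
    generator whose bias has drifted.  Returns a function yielding one block."""
    rng = random.Random(seed)

    def block():
        out = bytearray()
        for _ in range(BLOCK_BITS // 8):
            byte = 0
            for _ in range(8):
                byte = (byte << 1) | (1 if rng.random() < p_one else 0)
            out.append(byte)
        return bytes(out)

    return block


def monitor(block_fn, n_blocks):
    """Check successive blocks as a running generator would emit them and
    return the per-block verdicts so a caller can raise an alarm."""
    return [health_check(block_fn())["pass"] for _ in range(n_blocks)]


if __name__ == "__main__":
    print("healthy :", monitor(constructed_source(1), 3))
    print("skewed  :", monitor(constructed_source(2, p_one=0.55), 3))
    print("stuck   :", health_check(b"\xff" * (BLOCK_BITS // 8)))
```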
--

From: "Tim Stoner" [EMAIL PROTECTED]
Subject: How was this key constructed?
Date: Sun, 9 May 1999 05:54:22 -0400

I deciphered the code by figuring out the key, but I don't know how the key
was constructed.  I don't see any apparent pattern.  Does anyone?

A V
B O
C M
D G
E Z
F U
G D
H P
I K
J T
K I
L Y
M C
N X
O B
P H
Q R
R Q
S W
T J
U F
V A
W S
X N
Y L
Z E

Might help to print out.


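An added example, not from Tim's post: read the key table above, confirm it is a valid substitution of A-Z, apply it, and list its cycle structure, which is the first structural clue to how a monoalphabetic key was built. The key text is copied from the post; the function names are mine.

```python
# Added example (not from the post).  The key is compacted to "PC" pairs,
# plaintext letter followed by its cipher letter, exactly as listed above.
import string

KEY_TEXT = ("AV BO CM DG EZ FU GD HP IK JT KI LY MC "
            "NX OB PH QR RQ SW TJ UF VA WS XN YL ZE")


def parse_key(text):
    """Build a dict plain -> cipher and reject anything that is not a
    permutation of A-Z (a duplicate or missing letter)."""
    key = {}
    for pair in text.split():
        p, c = pair[0], pair[1]
        if p in key:
            raise ValueError("duplicate plaintext letter " + p)
        key[p] = c
    alphabet = set(string.ascii_uppercase)
    if set(key) != alphabet or set(key.values()) != alphabet:
        raise ValueError("key is not a permutation of A-Z")
    return key


def cycles(key):
    """Cycle decomposition of the permutation, each cycle as a tuple of
    letters starting from its alphabetically first member."""
    seen = set()
    out = []
    for start in sorted(key):
        if start in seen:
            continue
        cyc = []
        x = start
        while x not in seen:
            seen.add(x)
            cyc.append(x)
            x = key[x]
        out.append(tuple(cyc))
    return out


def is_reciprocal(key):
    """True when applying the key twice restores every letter, i.e. every
    cycle has length 1 or 2 and the same table encrypts and decrypts."""
    return all(key[key[p]] == p for p in key)


def substitute(key, text):
    """Apply the substitution; non-letters pass through unchanged."""
    return "".join(key.get(ch, ch) for ch in text.upper())


if __name__ == "__main__":
    key = parse_key(KEY_TEXT)
    print("cycles     :", cycles(key))
    print("reciprocal :", is_reciprocal(key))
    print("HELLO ->", substitute(key, "HELLO"))
```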

--

From: Jim Gillogly [EMAIL PROTECTED]
Subject: Re: How was this key constructed?
Date: Sun, 09 May 1999 06:48:49 -0700

Tim Stoner wrote:
 
 I deciphered the code by figuring out the key, but I don't know how the key
 was constructed.  I don't see any apparent pattern.  Does anyone?

- ABCDEFGHIJKLMNOPQRSTUVWXYZ
- VOMGZUDPKTIYCXBHRQWJFASNLE

The interesting thing about this is that it's a reciprocal key: A goes
to V, and V goes to A, and similarly for each pair of letters.  One
way to get this kind of thing is to have an Enigma or other reciprocal
machine with its rotors stuck; or one might recover it from one
column of such a cipher machine in depth