Cryptography-Digest Digest #503, Volume #11       Thu, 6 Apr 00 20:13:01 EDT

Contents:
  Re: Key exchange using Secret Key Encryption (zapzing)
  Number 35, let there be Peace on earth (wtshaw)
  introductory books suggestion ([EMAIL PROTECTED])
  Re: GSM A5/1 Encryption ([EMAIL PROTECTED])
  Re: lattice based cryptosystems (Helger Lipmaa)
  Re: Q: Entropy (Xcott Craver)
  Re: Sunday People 26/3/2000: "FORGET YOUR PASSWORD... END UP IN JAIL" (Secret Squirrel)
  Re: Sunday People 26/3/2000: "FORGET YOUR PASSWORD... END UP IN JAIL" (JimD)
  Re: Sunday People 26/3/2000: "FORGET YOUR PASSWORD... END UP IN JAIL" (JimD)
  Re: Is this code crackable? (JimD)
  Re: Is this code crackable? (JimD)
  Re: Stolen Enigma (JimD)
  Re: Public|Private key cryptography? (Jerry Coffin)
  Re: introductory books suggestion (David A Molnar)
  Re: Q: Entropy (Mok-Kong Shen)
  Re: Building a stream cipher? (newbie Question) ("Douglas A. Gwyn")

----------------------------------------------------------------------------

From: zapzing <[EMAIL PROTECTED]>
Subject: Re: Key exchange using Secret Key Encryption
Date: Thu, 06 Apr 2000 17:52:46 GMT

In article <8ce9oa$gru$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] wrote:
> In article <[EMAIL PROTECTED]>,
>   [EMAIL PROTECTED] (John Savard) wrote in part:
> >
> >
> > That is only true if you have another channel to verify that your
> > intended recipient got your first message before you replied to the
> > second message. A man in the middle could still execute the complete
> > protocol with you, then pass the message along by executing the
> > complete protocol with the recipient.
> >
> > John Savard (jsavard<at>ecn<dot>ab<dot>ca)
> > http://www.ecn.ab.ca/~jsavard/crypto.htm
> >
>
> In another thread in sci.crypt Mike Rosing offered the following
> comment. I've copied it over for easy reference.  If you wish to read
> the while thread please refer to thread : Massey-Omura Protocol & ECC
>
> I quote :
> "I originally thought it made it impossible too, but it ain't so.  Let's
> take Harry, Ron and Malfor (from Harry Potter, my kids love it) and Harry
> tries to send a key to Ron with Malfor in the middle.  Harry has e_h, d_h,
> Ron has e_r, d_r and Malfor has e_m, d_m.  Harry sends to Ron, but Malfor
> intercepts. (e*d = 1 mod p) Let's see what happens:
>     Harry                     Malfor                    Ron
> 1)  e_h*P_h = P1 -> M         e_m*P_m -> R
> 2)  e_m*e_h*P_h <- M          e_r*e_m*P_m <- R
> 3)  d_h*e_m*e_h*P_h -> M      d_m*e_r*e_m*P_m -> R
>
> at this point, Malfor can get the message P_h and Ron has the message P_m.
> So the man-in-the-middle can intercept the original message but has to fake
> it to the true receiver.  If it's a private key, then Malfor knows both
> keys and neither side knows they are compromised.  Bad news.
>
> Koblitz proposed using digital signatures to solve this problem in "A
> Course in Number Theory and Cryptography".  This means you have to send
> much more data the first time since there are 2 components to the signature
> as well as the data being sent.  However, since Massey-Omura uses a curve of
> known parameters, and you've got to use integer math to get the e and d
> values, you have all the code subroutines.  So Harry first sends P1 and the
> digital signature of the message buried in P_h.  At the end, Ron can check if
> the signature matches.  Since he has P_m and not P_h, it won't check.
>
> This whole thing is one way.  So to eliminate man-in-the-middle you have
> to send 2 keys, one from Harry to Ron and one from Ron to Harry.
> "
>
> It would seem that Massey-Omura Protocol coupled with the DS would at
> least allow a detection of intrusion if not the security against
> intrusion. I will now have to go look up the book suggested by Mike to
> understand it better.
>

It seems that M could defeat this *if* and only
if he (M) could insert his own digital signature
key into H (or R)'s database, so that what H
(or R) thought was the public key of R (or H)
was actually a public key that M made up for
this occasion. Is that the case?

If so, how do you suggest that H (or R) could
verify R (or H)'s public key while still
maintaining both of their anonymity?

There is also the "R-free" attack, where
M just does everything that R would do,
and (in the case of an e-commerce exchange)
takes the money and runs. As before, M would
have to find some way to deceive H into thinking
that a public key M made up was actually
R's key. If M could control all of H's
communications then M could do that.


> Thank you for you time, as well as others whom have replied.
>
> Petang
>
> Sent via Deja.com http://www.deja.com/
> Before you buy.
>

--
Do as thou thinkest best.
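The exchange in Mike Rosing's table, as an added example that is not part of the thread: his scenario uses elliptic-curve scalar multiplication, while this code (an assumption of the example) runs the same three-pass Massey-Omura structure in the multiplicative group mod a fixed prime, so locking is exponentiation and the unlocking exponent is the inverse of e mod (p - 1). Party key pairs and the two "messages" P_h and P_m are constructed values.

```python
"""Massey-Omura three-pass exchange with an unauthenticated middle party.

Added illustration, not code from the thread.  The group is Z_p^* for a
public prime p (the counterpart of a curve of known parameters); each party
holds a secret pair (e, d) with e*d == 1 mod (p - 1).
"""
import secrets
from math import gcd

P = 2**127 - 1  # public Mersenne prime; every party uses the same group


def keygen(p=P):
    """Per-party secret pair (e, d); e must be invertible mod p - 1."""
    n = p - 1
    while True:
        e = secrets.randbelow(n - 2) + 2
        if gcd(e, n) == 1:
            return e, pow(e, -1, n)


def three_pass(sender, receiver, msg, p=P):
    """Run the protocol between two parties and return what the receiver
    unlocks.  sender = (e_s, d_s), receiver = (e_r, d_r).  Nothing on the
    wire says who applied a lock, which is exactly what Malfor exploits."""
    e_s, d_s = sender
    e_r, d_r = receiver
    c1 = pow(msg, e_s, p)   # 1) sender locks:             msg^e_s
    c2 = pow(c1, e_r, p)    # 2) receiver adds its lock:   msg^(e_s*e_r)
    c3 = pow(c2, d_s, p)    # 3) sender removes its lock:  msg^e_r
    return pow(c3, d_r, p)  # receiver removes its lock:   msg


def honest_exchange(p_h, harry, ron):
    """Harry sends P_h to Ron with nobody in between."""
    return three_pass(harry, ron, p_h)


def intercepted_exchange(p_h, p_m, harry, malfor, ron):
    """Rosing's scenario: Malfor completes the full protocol with Harry
    (learning P_h) and, separately, with Ron (delivering his own P_m).
    Returns (what Malfor learned, what Ron received)."""
    learned_by_malfor = three_pass(harry, malfor, p_h)
    received_by_ron = three_pass(malfor, ron, p_m)
    return learned_by_malfor, received_by_ron


if __name__ == "__main__":
    harry, ron, malfor = keygen(), keygen(), keygen()
    p_h, p_m = 0xCAFE, 0xBEEF   # constructed key values sent by Harry and Malfor
    print("honest run delivers P_h:", honest_exchange(p_h, harry, ron) == p_h)
    learned, got = intercepted_exchange(p_h, p_m, harry, malfor, ron)
    # Ron ends up holding P_m and has no way to notice without a signature
    print("Malfor learned P_h:", learned == p_h, "/ Ron got P_m:", got == p_m)
```

Each run succeeds from every participant's point of view, which is why the thread concludes that only an authenticated element (Koblitz's signature on P1) lets Ron detect the substitution.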



------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Number 35, let there be Peace on earth
Date: Thu, 06 Apr 2000 12:03:54 -0600

This algorithm was an awkward child since I was doing several new things.
Peace 15, really named for the Peace River, acquires plaintext in base 53
and delivers ciphertext in base 118.  

Knowing that I like to stay with lower ascii characters, I got to base 118
thusly: Figure there are 94 printable characters.  If you reassign two of
them to be used with composite characters, you have 92 noncomposite ones
with 26 composite ones.  The ciphertext set uses brackets [] around upper
case letters. There are lots of options for getting beyond the 94 barrier
this way, to ever really high bases.

Peace 15 uses base 24 as an intermediate base, including both substitution
and transposition at the b24 stage.  Relative substitution, represented
by characters other than those actually substituted, is used with base 53
in Peace 15.

Considering that there are 53, 24 and 15 characters in all the keys, I'll
make some from this sentence:

Sub1(Pe): eqaLbfUhMOtEcxyVrivjYP=zABdwkQIClpNJDWsuRSmFXnGgoZKHT
Sub2(Pe): xpntldeqmoiujavwkfrgbshc
Trans(Pe): bckijfmganohdle

The encrypted form of the same sentence is:

F%s|kGq7QP  =7IX[O]USt*[R]  [E][H]`8[D]I[R]\`8  Y[A]&UUy=%p[J] 
q[M]gNh[M][L]J7M  iP@Qi[D]j[F]h8  -H[T]<lGn[M][Q]t  )uQF4}z=kY 
&[S]sd[S]A&[M]6h

The decrypted form is identical to the original plaintext.  The decryption
routine will even accept bracketed groups, so [E][H] is equivalent
to [EH] in ciphertext.

This seems like lots of strangeness, doesn't it?  The idea is that there
are many unclaimed worlds in crypto, enough to either make your head spin
(Linda Blair?) or areas that are so completely off the beaten track that
you can wander around in such a wilderness that you choose.  Useful? 
Well, perhaps yes, perhaps not, but these things do increase our options.

Consider the *need* some feel to get ascii text into binary. You should
surely see that on a numeric level, 118 characters is more filling of 128
than 96.  There are still better ways, as there are also *many* ways;  my
notes hold lots of them, as occasionally some should dribble forth amidst
whatever else I choose to implement.  I try not to be dissuaded with so
many options, but I intend to plod on.

Next up is an application with a tropical flavor.
-- 
Given all other distractions, I'd rather be programming.
%/^):  [|]"!  ?=)@~  ;)[]*  :@\@}  *#~}>  ,=+)!  .($`\ 

------------------------------

From: [EMAIL PROTECTED]
Subject: introductory books suggestion
Date: Thu, 06 Apr 2000 18:46:53 GMT

I am an Electrical Engg. graduate, starting out on cryptography &
cryptology. I need some references to introductory books on
cryptography, bearing in mind I have a good background in algebra &
introductory coding theory, hence I would prefer a mathematically-neat
book with theorems, lemmas & proofs. Suggestions, kind senors &
senoritas?

"I chose that id
 because I love Metal music
 & it's dying out"



------------------------------

From: [EMAIL PROTECTED]
Subject: Re: GSM A5/1 Encryption
Date: Thu, 06 Apr 2000 18:53:46 GMT

In article <8cg0s0$css$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (David A. Wagner) wrote:
> In article <8cc3hq$[EMAIL PROTECTED]>, Gregory G Rose
<[EMAIL PROTECTED]> wrote:
> > Biryukov/Shamir/Wagner have the combined technique
> > that Tom mentioned, however it assumes *known
> > plaintext*. While I agree that it means A5/1 is
> > cryptographically broken, known plaintext for a
> > voice call is pretty hard to arrange, what with
> > vocoder compression and stuff happening to the
> > signal. [...] It is this difficulty which
> > accounts for the crypto people saying it is broken
> > and the telephone people saying it isn't.
>
> I agree strongly with Greg Rose.  If you care about
> practical impact, you should be very careful about
> the assumptions that cryptographers often make.  I
> thought maybe I could comment a bit further on the
> topic, though.
>
> Probably only the telephone people know for sure
> whether the necessary known plaintext can be obtained
> in practice, but unfortunately, many of them in the
> GSM industry have an interest in persuading people
> that the system is secure, so it's not obvious how
> to take some of the statements from the GSM folks.
>
> Anyway, from the information I've received, it
> looks like the required known plaintext may indeed
> be available to the cryptanalyst.  Although it is
> hard to make any definitive statements, as far as
> I can tell, yes, the attacks do seem as though
> they may be workable in real life.
>
> The key is to look at silence frames.  I'm told
> that they are often encoded as some constant: every
> frame of silence in the call gets encoded to the
> same thing.  I don't personally know whether this
> is correct or not, but if it is, it makes it look
> like required known plaintext may be available.
> The rest of my comments will be predicated on the
> correctness of this assumption.

Are you talking about GSM encoding as in the vocoder, or encrypting
the silent frame?  I assume that this frame is also
encrypted like all frames (since it's all real time anyway).

My question is, if you were to design a voice encryption system,
how would you go about overcoming this weakness and
susceptibility to attack (cf. silence frames)?  It's strange, I have
not encountered any details of this problem from the secure phone
manufacturers....  Could this be the Achilles heel ..?

As a sideline, A5 encryption is only used to the base station, so any
exit over landlines or other hops is not encrypted.



------------------------------

From: [EMAIL PROTECTED] (Helger Lipmaa)
Subject: Re: lattice based cryptosystems
Date: 6 Apr 2000 19:29:26 GMT

David A Molnar ([EMAIL PROTECTED]) wrote:

: Hi, 

: I'm wondering which lattice based cryptosystems are out there. So far 
: I know of

: * NTRU (not explicitly related to any of the "normal" lattice problems,
:       but close enough to fit)

Something close to NTRU (based on sparse polynomials) was also recently 
proposed by Shparlinski, Lieman, Banks, ... See, e.g.,  
http://www.comp.mq.edu.au/~igor/Publ.html, publ 86.


: * Goldwasser, Goldreich, Halevi (broken)

: * Ajtai-Dwork (broken)

: * Cai-Cusick

: * R. Fischlin and JP Seifert "Tensor-based trapdoors for CVP"

: * McEliece (using the analogy between codewords and lattices...)

There's at least one analogous cryptosystem by Gabidulin published 
in Eurocrypt '91 and cryptanalysed by Gibson in Eurocrypt '96.

: anything else?

: Thanks much, 
: -David Molnar

Helger Lipmaa
http://www.tcm.hut.fi/~helger

------------------------------

From: [EMAIL PROTECTED] (Xcott Craver)
Subject: Re: Q: Entropy
Date: 6 Apr 2000 19:29:04 GMT

Mok-Kong Shen  <[EMAIL PROTECTED]> wrote:
>
>The following citation, however, contradicts your claim that 
>entropy is not in the sequence:
>
>     Schneier, p.233: Formally, the amount of information in a
>     message M is measured by the entropy of a message, denoted
>     by H(M).

        First of all, if you want a strict definition of entropy,
        read a book on Information Theory.  Cryptography texts give
        it a passing mention, and sometimes an imprecise one.

        Secondly, H(M) is a function not of a single specific message
        m, but of the random variable M.  It is a function of the
        probability distribution over all possible sequences m, and it
        makes no sense to speak of the (Shannon) Entropy of a specific
        message, unless you're trying to _estimate_ the entropy, by 
        estimating the distribution from a particular sample path.

        You should be able to see this simply from the definition of
        Entropy.  It is not a function of a bit string or input symbol,
        but only of distributions on those signals.
        
        Now, (Shannon) Entropy isn't the only measure of information, and 
        Kolmogorov complexity does provide a measure of information
        for a specific message.  The word "entropy," by itself, unqualified,
        in an information-theoretic context, however, means Shannon entropy;
        the term should not simply be used to mean any old measure of
        information, but rather this one very clearly defined measure
        in which H(X) depends on the distribution of X, and is not 
        a function of a specific value.

>M. K. Shen
                                                                -S
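Xcott's point, as an added example that is not part of the thread: H is computed from a distribution, and what people call "the entropy of a string" is only a plug-in estimate from that one sample. The two byte sources and the all-zero sample are constructed for the illustration.

```python
"""Shannon entropy belongs to the source distribution, not to one message.

Added illustration, not part of the thread.  Two constructed memoryless
sources emit 8-bit symbols: one uniform (H = 8 bits), one that emits 0x00
99% of the time (H ~ 0.16 bits).  Both can emit the same 16-byte sample,
so no entropy value is "in" that sample; only an estimate can be made.
"""
from collections import Counter
from math import log2


def shannon_entropy(dist):
    """H(X) = -sum p(x) log2 p(x) over a distribution {symbol: probability}."""
    total = sum(dist.values())
    if abs(total - 1.0) > 1e-9:
        raise ValueError("probabilities must sum to 1")
    # `or 0.0` turns the -0.0 of a one-symbol distribution into 0.0
    return -sum(p * log2(p) for p in dist.values() if p > 0) or 0.0


def empirical_entropy(sample):
    """Plug-in estimate: entropy of the frequency distribution of ONE sample.
    This estimates the source's H from a sample path; it is not a property
    of the bytes themselves (a 16-byte sample can never estimate above 4)."""
    counts = Counter(sample)
    n = len(sample)
    return shannon_entropy({s: c / n for s, c in counts.items()})


def uniform_bytes():
    """Source A: every byte value equally likely (8 bits per symbol)."""
    return {b: 1 / 256 for b in range(256)}


def mostly_zero_bytes(p_zero=0.99):
    """Source B: 0x00 with probability p_zero, the rest shared equally."""
    d = {b: (1 - p_zero) / 255 for b in range(1, 256)}
    d[0] = p_zero
    return d


def probability_of(sample, dist):
    """Probability that a memoryless source with `dist` emits `sample`.
    Nonzero for both sources below: the sample does not pick a source."""
    p = 1.0
    for s in sample:
        p *= dist.get(s, 0.0)
    return p


if __name__ == "__main__":
    sample = bytes(16)   # constructed observation: sixteen zero bytes
    print("H(uniform)     =", shannon_entropy(uniform_bytes()))
    print("H(mostly zero) =", round(shannon_entropy(mostly_zero_bytes()), 4))
    print("estimate from sample =", empirical_entropy(sample))
    for name, src in (("uniform", uniform_bytes()), ("mostly zero", mostly_zero_bytes())):
        print(f"P(sample | {name}) = {probability_of(sample, src):.3g}")
```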

        

------------------------------

Date: 6 Apr 2000 07:54:11 -0000
Subject: Re: Sunday People 26/3/2000: "FORGET YOUR PASSWORD... END UP IN JAIL"
From: Secret Squirrel <[EMAIL PROTECTED]>

>> It's farther gone than you seem to realize.  Consider the close
>> analogy with the so-called "smart gun" legislation that gun haters
>> have recently proposed.  Maryland is on the brink of passing a law
>> requiring such technology (which has not been developed beyond the
>> laboratory stage yet) in every handgun sold within a few years.
>> The obvious goal, which of course differs from the stated goal, is
>> simply to prevent sales, or failing that, to reduce the positive
>> value of guns to the point that people won't want them any more.
> 
> The scariest thing about "smart guns", is that police are exempted.  If
> they are so great the police should have them, since quite a few police
> officers are killed with their own weapons, and not just in suicide
> either.  When it is reliable enough for the cops to trust their lives to
> it, I'll consider it.

So, police are exempted from the laws imposed on the rest of us. No surprise
there. At least in the future we'll know where to get dumb guns when necessary.
------------------------------

From: [EMAIL PROTECTED] (JimD)
Crossposted-To: uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,uk.politics.censorship
Subject: Re: Sunday People 26/3/2000: "FORGET YOUR PASSWORD... END UP IN JAIL"
Reply-To: JimD
Date: Thu, 06 Apr 2000 19:16:48 GMT

On Tue, 4 Apr 2000 09:53:15 +0100, "Owen Lewis" <[EMAIL PROTECTED]> wrote:

>Nevertheless and as you surmise, a decision not to vote may be better
>reasoned and as valid a choice than most votes cast.

Right! I could never vote Tory, and refuse to vote for the New
Labour Tories again. I think I'll stay at home next time.

(Ex Labour Party member)

-- 
Jim Dunnett.
dynastic at cwcom.net

He who laughs last doesn't
get the joke.

------------------------------

From: [EMAIL PROTECTED] (JimD)
Crossposted-To: uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,uk.politics.censorship
Subject: Re: Sunday People 26/3/2000: "FORGET YOUR PASSWORD... END UP IN JAIL"
Reply-To: JimD
Date: Thu, 06 Apr 2000 19:16:47 GMT

On Wed, 5 Apr 2000 11:20:12 +0100, "A. Little" <[EMAIL PROTECTED]>
wrote:

>Incidentally, I have a feeling that inciting people not to vote is
>actually illegal in England.

And probably in Scotland and Wales as well....

-- 
Jim Dunnett.
dynastic at cwcom.net

He who laughs last doesn't
get the joke.

------------------------------

From: [EMAIL PROTECTED] (JimD)
Subject: Re: Is this code crackable?
Reply-To: JimD
Date: Thu, 06 Apr 2000 19:16:52 GMT

On Wed, 5 Apr 2000 17:15:21 +0100, "Jethro" <[EMAIL PROTECTED]> wrote:

>1198 wrote in message <[EMAIL PROTECTED]>...
>>If the key file can be safely sent to the other end without security
>problem
>>then there is no point of having any encryption at all..
>
>I understand that.
>
>My intent (and I'm just playing around) was to physically hand the "PAD"
>(I've learned something already) on a floppy to my recipient, whom I see
>about every 6 months.  The decrypt program is also on the floppy.  He can
>work completely off the floppy, keeping everything off his HD.  The decrypt
>program kills the encrypted file upon decryption.

By 'kills' we hope you mean 'wipes' and not just simply 'deletes' !!

>I email him an encrypted file perhaps once a week, he moves it to his floppy
>and decrypts.  So he ends up with nothing on his HD (or, at the most the
>encrypted files) and on his floppy only the decrypt program, the decrypted
>file(s) and the PAD.
>
>Everyone is saying you can only use the PAD one time, hence the name "One
>Time PAD".  Is this simply because I cannot trust my recipient to follow my
>instructions?

Your correspondent should take measures to ensure that used key is 
securely wiped as soon as the file has been satisfactorily decrypted. 
That way it can't be re-used. However, the human element is the Achilles
heel of the one-time-pad system.

>If he were to follow my instructions, how would the code be breakable?  The
>only email traffic would be the encrypted files.  And if nothing but the
>encrypted files are on his HD, nobody could snoop his HD when he is on-line
>to find the PAD or any decrypted files to figure the PAD out.

Provided you both take care never to re-use any part of the pad,
and destroy used key, it can never be broken. Brute force crypt-
analysis will produce only every possible message of the length
of the ciphertext, and of course much garbage. Because some of
the possible texts will say 'yes' where others say 'no' it would
be quite impossible to decide which text was the genuine one.
Quite apart from the computer power needed to do this, and the
time it would take for a good-sized ciphertext, it just isn't
feasible, and no-one in his right mind would contemplate doing
it. They'd just visit you and torture the key out of you. (But
if you'd destroyed it, then even that would fail).

-- 
Jim Dunnett.
dynastic at cwcom.net

He who laughs last doesn't
get the joke.
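Jim's two claims, as an added example that is not code from the thread: with fresh key every candidate plaintext of the right length is equally consistent with the ciphertext, and the only thing that changes that is reusing key. The pad contents, messages and the `PadFile` bookkeeping (which wipes key as it is consumed) are constructed for the illustration.

```python
"""One-time pad: why brute force yields every message, and why reuse breaks it.

Added illustration, not part of the thread.  PadFile stands in for the
floppy handed over in person; each byte of key is used once and then
overwritten, so a used segment cannot be applied to a second message.
"""
import secrets


def xor_bytes(a, b):
    """Bytewise XOR; pad and message must be exactly the same length."""
    if len(a) != len(b):
        raise ValueError("pad segment must equal the message length")
    return bytes(x ^ y for x, y in zip(a, b))


class PadFile:
    """Key material with a read position; taken bytes are wiped in place."""

    def __init__(self, key):
        self._key = bytearray(key)
        self._pos = 0

    def take(self, n):
        if self._pos + n > len(self._key):
            raise RuntimeError("out of key: a fresh pad must be exchanged")
        chunk = bytes(self._key[self._pos:self._pos + n])
        self._key[self._pos:self._pos + n] = b"\0" * n   # wipe used key
        self._pos += n
        return chunk

    def remaining(self):
        return len(self._key) - self._pos

    def used_region_is_wiped(self):
        return not any(self._key[:self._pos])


def encrypt(pad, message):
    """Ciphertext = message XOR next len(message) bytes of the pad."""
    return xor_bytes(message, pad.take(len(message)))


def key_consistent_with(ciphertext, guessed_plaintext):
    """For ANY guessed plaintext of the right length there is a key that
    would have produced this ciphertext, so exhaustive search returns every
    possible message ('yes' and 'no' alike) with nothing to choose between."""
    return xor_bytes(ciphertext, guessed_plaintext)


def pad_reuse_leak(c1, c2):
    """If two messages were encrypted with the same key bytes, XORing the two
    ciphertexts cancels the key and exposes m1 XOR m2: the secrecy argument
    above no longer holds, which is why used key must be destroyed."""
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    pad = PadFile(secrets.token_bytes(32))          # constructed pad
    c = encrypt(pad, b"yes")
    for guess in (b"yes", b"no!", b"ok."):
        k = key_consistent_with(c, guess)
        print(guess, "is explained by key", k.hex())
    print("used key wiped:", pad.used_region_is_wiped(), "left:", pad.remaining())
    reused = secrets.token_bytes(4)                  # constructed misuse
    c1, c2 = xor_bytes(b"HOLD", reused), xor_bytes(b"FIRE", reused)
    print("reuse leaks m1^m2:", pad_reuse_leak(c1, c2) == xor_bytes(b"HOLD", b"FIRE"))
```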

------------------------------

From: [EMAIL PROTECTED] (JimD)
Subject: Re: Is this code crackable?
Reply-To: JimD
Date: Thu, 06 Apr 2000 19:16:53 GMT

On Thu, 6 Apr 2000 14:37:43 +0800, "1198" <[EMAIL PROTECTED]> wrote:

>
>Richard Herring wrote in message <8cf7sp$ekc$[EMAIL PROTECTED]>...
>>In article <[EMAIL PROTECTED]>, 1198 ([EMAIL PROTECTED])
>wrote:
>>> If the key file can be safely sent to the other end without security
>problem
>>> then there is no point of having any encrytion at all..
>>
>>Not so. You're assuming that a channel that is "safe" now will
>>always be safe.
>>
>
>
>Mind if I ask, is a channel more secure than any encryption method could
>provide??

Usually is, but as someone mentioned, you only need the totally secure
channel once to exchange bulk key, then (all other things being equal)
you have a secure channel for EMail until you run out of key.

-- 
Jim Dunnett.
dynastic at cwcom.net

He who laughs last doesn't
get the joke.

------------------------------

From: [EMAIL PROTECTED] (JimD)
Subject: Re: Stolen Enigma
Reply-To: JimD
Date: Thu, 06 Apr 2000 19:16:53 GMT

On Thu, 6 Apr 2000 04:56:52 -0400, Anonymous Sender <[EMAIL PROTECTED]>
wrote:

>>> Apparently the stolen Enigma was an "Abwehr" Enigma, as
>>> described in a recent Cryptologia article.  I can well
>>> believe that there are only 3 (or maybe now, 2) Abwehr
>>> Enigmas left in the world.  A garden variety Wehrmacht
>>> Enigma, like my friend Fred bought a decade or so back,
>>> costs as much a new car, I suppose, and is no great rarity.
>>> But this one was different.
>> 
>> Right. The stolen machine was an "Abwehr" 3 rotor Enigma serial number
>> G-312. A full description and photographs of this machine are given
>> in David Hamer's article "G-312: An Abwehr Enigma", Cryptologia, Vol.
>> 24(1), January 2000.
>> 
>> Hopefully, with the entire community alerted, the machine can be
>> recovered safe and sound.
>
>Hmmmm, history repeats itself as an Enigma machine is stolen. But
>aren't the thieves 60 years behind the curve? They can't be planning
>to actually USE it unless they already have a similar unit in their
>possession. And why use a system that can be so easily broken now with
>the computer tools available?


You cannot be serious!!?? It wasn't stolen for its cryptographic
utility, but for the only thing that matters these days - to sell
for lotsa money!!

Anyway, they've arrested the thief, but it isn't clear whether
the machine was recovered. Seems likely it was, but as it's now
stale news, until the court case, who knows?

-- 
Jim Dunnett.
dynastic at cwcom.net

He who laughs last doesn't
get the joke.

------------------------------

From: Jerry Coffin <[EMAIL PROTECTED]>
Subject: Re: Public|Private key cryptography?
Date: Thu, 6 Apr 2000 14:25:39 -0600

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
> What you are seriously missing is the fact that the SPACE required to
> factor +1000 bit numbers is insane [over 2^64] and is not possible. 
> While you could sieve it faster, you couldn't contain the information
> required to solve the puzzle.

For all practical purposes, all of those are clearly well into the 
future.
 
> So those statistics are meaningless.  It's like saying a 300 bit
> symmetric-key is more secure then a 256 bit one, you can't search either
> so what's the point?

Two points.  First of all, computers get faster all the time: at one 
time, the 56-bit keyspace of DES wasn't practically searchable, but 
it now is.  An 80 or 100 bit keyspace currently isn't, but we're 
right at the point that an 80-bit key is technically feasible, if too 
expensive to be practical right now.

In addition, just as CPUs get faster over time, so also larger 
memories become feasible over time.  Right now, I've got 256 
megabytes of RAM in my computer, which is far more than I could have 
afforded even in hard-drive space only a few years ago.

They're not currently available, but a couple of companies have 
already demonstrated that they can produce gigabit RAM chips.  That 
would mean being able to plug a gigabyte of RAM into a single DIMM 
(or whatever) socket.  At least a couple of companies have plans to 
produce these for the open market within the next couple of years.

Right now, machines with gigabytes of RAM are big and expensive.  I'm 
betting that inside of five years I'll be able to buy one off the 
shelf at a local retailer for under $1000US for a machine complete 
with a couple gigabytes of RAM and a CPU that runs at a few 
gigahertz.  If you'll remember, about a year ago you posted a message 
saying that machines that ran at a gigahertz were around 10 years 
away.

That was wrong -- they're here now.  Larger memory will happen the 
same way: back when I was in college we used a Control Data mainframe 
that had only 18-bit addressing, so it could work with a maximum of 
256K of 60-bit words -- less than a megabyte total for a system that 
routinely supported 250 to 300 users logged on at a time.  The CPU 
weighed a couple of tons and IIRC it ran at something like 10 MHz.

Today, that speed of CPU and amount of memory puts you somewhere 
between a programmable calculator and a low-end Palm Pilot.  Far from 
supporting hundreds of users at a time, it's usually going to be 
one of several machines used by one person.
 
> I do agree that you can get by with smaller keys using ECC such as 160 ~
> 200 bit keys, but a 200 bit ECC key is not the same as a 20000bit RSA
> key like they would want you to believe.

Of course they're not "the same."  The question is whether they're 
roughly equivalent.  It's true that nobody can reasonably plan on 
factoring a 2048 bit number today, but it's also true that nobody can 
reasonably plan on doing a 200+ bit ECDL either.  TTBOMK, the largest 
ECDL problem solved yet was 108 bits, and that took around 4 months 
with hundreds of computers (and that was so recent, I may be out of 
place mentioning it -- I haven't seen an official, public announcement 
about it from Rob yet).  A 200 bit ECDL problem is still quite a ways 
out of reach.

OTOH, the real question in both cases is how soon it'll be practical 
to attack one or the other.  At least in my mind, that appears to 
depend on whether CPU speed will grow at about the same speed as 
memory size -- the future in factoring (at least by currently-known 
methods) depends largely on memory size, while the future in ECDL 
(again, by currently-known methods) depends more on CPU speed.

Looking back over time, it appears to me that if anything, memory 
size is growing a _little_ faster than CPU speed.  Doing a bit of 
extrapolation on my own, it appears that these assumptions are based 
on an assumption that they'll grow at the same speed.  As such, it 
looks to me like it's _probably_ making RSA look a little better than 
it really is -- e.g. that it'll _probably_ be practical to break RSA 
using a 2000-bit key a little bit sooner than it's practical to break 
ECC using a 200-bit key. (In fairness, I'm pretty sure they were 
trying to give rough estimates using round numbers, so nobody should 
be surprised if they end up a _little_ off in one direction or the 
other).

-- 
    Later,
    Jerry.
 
The universe is a figment of its own imagination.

------------------------------

From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: introductory books suggestion
Date: 6 Apr 2000 20:29:53 GMT

[EMAIL PROTECTED] wrote:
> cryptography, bearing in mind I have a good background in algebra &
> introductory coding theory, hence I would prefer a mathematically-neat
> book with theorems, lemmas & proofs. Suggestions, kind senors &
> senoritas?

Run, don't walk to Koblitz _A Course in Number Theory and Cryptography_.

Stop by the _Handbook of Applied Cryptography_ for a much broader
overview...including how to actually use the primitives you develop in 
Koblitz.



------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Q: Entropy
Date: Thu, 06 Apr 2000 22:48:33 +0200

Xcott Craver schrieb:
> 
> Mok-Kong Shen  <[EMAIL PROTECTED]> wrote:
> >
> >The following citation, however, contradicts your claim that
> >entropy is not in the sequence:
> >
> >     Schneier, p.233: Formally, the amount of information in a
> >     message M is measured by the entropy of a message, denoted
> >     by H(M).
> 
>         First of all, if you want a strict definition of entropy,
>         read a book on Information Theory.  Cryptography texts give
>         it a passing mention, and sometimes an imprecise one.
> 
>         Secondly, H(M) is a function not of a single specific message
>         m, but of the random variable M.  It is a function of the
>         probability distribution over all possible sequences m, and it
>         makes no sense to speak of the (Shannon) Entropy of a specific
>         message, unless you're trying to _estimate_ the entropy, by
>         estimating the distribution from a particular sample path.
> 
>         You should be able to see this simply from the definition of
>         Entropy.  It is not a function of a bit string or input symbol,
>         but only of distributions on those signals.
> 
>         Now, (Shannon) Entropy isn't the only measure of information, and
>         Kolmogorov complexity does provide a measure of information
>         for a specific message.  The word "entropy," by itself, unqualified,
>         in an information-theoretic context, however, means Shannon entropy;
>         the term should not simply be used to mean any old measure of
>         information, but rather this one very clearly defined measure
>         in which H(X) depends on the distribution of X, and is not
>         a function of a specific value.

You are clearly saying what I quoted can be misleading. Thank you.
It should be mentioned, however, that one occasionally does see
usage of the word 'entropy' in connection with Kolmogorov complexity 
in scientific papers, without the difference from Shannon's 
definition being mentioned. 

BTW, I came across a paper which is at too high a level for me to
understand but which might interest some of you:

     V. A. Uspenskii et al., Can an individual sequence of zeros
     and ones be random? Russian Mathematical Surveys, Vol. 45:1
     (1990), 121-189.

M. K. Shen

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Building a stream cipher? (newbie Question)
Date: Thu, 6 Apr 2000 19:34:35 GMT

Simon Johnson wrote:
> How do you construct a reasonable stream cipher?
> When I say this, I mean, to produce a pseudo-random stream of bytes.

Note that those are two different goals!

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
