Cryptography-Digest Digest #367, Volume #14      Wed, 16 May 01 15:13:00 EDT

Contents:
  RE: Karnaugh Maps (Alexis Machado)
  Re: OAP-L3:  "The absurd weakness." (James Felling)
  Re: ON-topic - UK crime statistics (was Re: Best, Strongest Algorithm) (wtshaw)
  Re: Newbie Question: Crytography - Unlimited Inputs/Outputs? (John Savard)
  Re: Not a realistic thing to do......Why? (James Felling)
  Re: Best, Strongest Algorithm (SCOTT19U.ZIP_GUY)
  Re: ON-topic - UK crime statistics (was Re: Best, Strongest Algorithm) (SCOTT19U.ZIP_GUY)
  Re: Evidence Eliminator works great. Beware anybody who claims it  ("Thomas J. Boschloo")
  Re: FYI: Results on EM attacks on smart cards ("Josyula R. Rao")
  Re: Newbie Question: Crytography - Unlimited Inputs/Outputs? (SCOTT19U.ZIP_GUY)
  Re: extracting random bits from low-entropy data (Mark)

----------------------------------------------------------------------------

From: Alexis Machado <[EMAIL PROTECTED]>
Subject: RE: Karnaugh Maps
Date: Wed, 16 May 2001 13:11:00 -0400

>===== Original Message From jlcooke <[EMAIL PROTECTED]> =====
>Alexis Machado wrote:
>>
>> Hi Tom
>>
>> >===== Original Message From "Tom St Denis" <[EMAIL PROTECTED]> =====
>> >Ok here is my first attempt at optimizing a boolean decomposition.  This is
>> >the lsb of the TC15 sbox..
>> >
>> >dc   ba 00 01 10 11
>> >-----------------------------------------
>> >00| 1  0  0  1
>> >01| 0  1  1  0
>> >10| 0  1  1  0
>> >11| 0  1  1  0
>> >
>> >y = ~(abcd) | (~cd)ab | bcd | acd
>> >y = ~(cd)(~(ab) | ab) | bcd | acd
>> >y = ~(cd) | bcd | acd
>> >
>> >I have the bits backwards, i.e. ba instead of ab, since my program outputs them
>> >that way.
>> >
>> >Can I optimize the last y statement any further?  (  | means or, ~ means
>> >not)
>>
>> Using the identity
>>
>>    ~a | ab = ~a | b
>>
>> y can be simplified a little more
>>
>>    y = ~(cd) | bcd | acd = ~(cd) | b | acd = ~(cd) | b | a
>                                               ^^^^^^^^^^^^^
>So you're saying:
>  if {c,d}={0,0} or {0,1} or {1,0} ... wrong.
>or
>  if b = 1  ... wrong.
>or
>  if a = 1  ... wrong.
>
>\ba 00 01 11 10
>dc  -----------
>00|  1  0  1  0
>01|  0  1  0  1
>11|  0  1  0  1
>10|  0  1  0  1
>
>Try this:
>  y = (a^b) ^ ~(c|d)
>reads:
>  "If a and b disagree, output 1.  Unless c or d are both low, then
>inverse"
>which is what's really happening.
>

He asked if the **last y statement** could be optimized. The **last y statement** is

   ~(cd) | bcd | acd = ~(cd) | b | a

Btw, the first expression

   ~(abcd) | (~cd)ab | bcd | acd

is a tautology :-(

---
Alexis
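
To settle the question with a truth table rather than by hand, here is an added example, not code from the thread or from any of the posters, that expands the map Tom printed and checks each quoted expression against it, reading ~(xy) as NOT of the whole product, as the replies above do. Everything in it is constructed from the map and the expressions quoted above.

```python
# Added example (not from the thread): check each Boolean expression quoted
# above against the Karnaugh map Tom posted for the LSB of the TC15 S-box.
from itertools import product

# The map as printed (rows labelled dc, columns labelled ba, both in the
# order 00 01 10 11).  The map is symmetric in a/b and in c/d, so which of
# the two row or column bits comes first does not change the result.
KMAP = {
    "00": (1, 0, 0, 1),
    "01": (0, 1, 1, 0),
    "10": (0, 1, 1, 0),
    "11": (0, 1, 1, 0),
}

def kmap_truth_table():
    """Expand KMAP into a dict (a, b, c, d) -> y."""
    table = {}
    for row_label, row in KMAP.items():
        d, c = int(row_label[0]), int(row_label[1])
        for col, y in enumerate(row):
            b, a = col >> 1, col & 1          # column label is 'ba'
            table[(a, b, c, d)] = y
    return table

# The candidate expressions, transcribed literally.  ~(x y) is read as NOT
# applied to the whole product, the reading Alexis and jlcooke both use.
def tom_first(a, b, c, d):   # ~(abcd) | (~cd)ab | bcd | acd
    return int((not (a and b and c and d)) or ((not (c and d)) and a and b)
               or (b and c and d) or (a and c and d))

def tom_last(a, b, c, d):    # ~(cd) | bcd | acd
    return int((not (c and d)) or (b and c and d) or (a and c and d))

def alexis(a, b, c, d):      # ~(cd) | b | a
    return int((not (c and d)) or b or a)

def jlcooke(a, b, c, d):     # (a^b) ^ ~(c|d)
    return (a ^ b) ^ (1 - (c | d))

def truth_table(fn):
    """Evaluate fn on all 16 inputs, keyed by (a, b, c, d)."""
    return {bits: fn(*bits) for bits in product((0, 1), repeat=4)}

def equivalent(f, g):
    """Same output on all 16 inputs: the algebraic step between them is valid."""
    return truth_table(f) == truth_table(g)

def matches_map(fn):
    """True if the expression actually implements the S-box bit."""
    return truth_table(fn) == kmap_truth_table()

def is_tautology(fn):
    return all(v == 1 for v in truth_table(fn).values())

if __name__ == "__main__":
    print("first expression is a tautology:", is_tautology(tom_first))
    print("~(cd)|bcd|acd == ~(cd)|b|a:", equivalent(tom_last, alexis))
    print("~(cd)|b|a matches the map:", matches_map(alexis))
    print("(a^b)^~(c|d) matches the map:", matches_map(jlcooke))
```

Running it shows that the step from ~(cd)|bcd|acd to ~(cd)|b|a is a valid identity, that neither form implements the map (the starting expression was already off), that the first expression is a tautology, and that (a^b)^~(c|d) does match. Checking a decomposition against the full 16-row table is the cheap way to catch this before an S-box goes into an implementation.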


------------------------------

From: James Felling <[EMAIL PROTECTED]>
Crossposted-To: alt.hacker,talk.politics.crypto
Subject: Re: OAP-L3:  "The absurd weakness."
Date: Wed, 16 May 2001 12:12:10 -0500



Anthony Stephen Szopa wrote:

> James Felling wrote:
> >
> > Anthony Stephen Szopa wrote:
> >
> > > James Felling wrote:
> > > >
> > > > Tom St Denis wrote:
> > > >
> > > > > "Anthony Stephen Szopa" <[EMAIL PROTECTED]> wrote in message
> > > > > news:3AF65E02.34D45
> >>(SNIP)
> > And if you believe that there is this bridge in NY you really need to buy.
>
> There must be a very good reason why you have chosen not to
> communicate.

I find the way you edited my original post deliberately misleading.  You claim I
am not trying to communicate?
I feel that the shoe is on the other foot here my friend.

>
>
> Can't you just take one point then and explain yourself.  Just
> because you understand (?) what you mean you have not helped us
> to understand what you mean by communicating it.
>
> For instance, your idea of "Mixamixfile is a subgroup of the
> generic permutation of 105 elements holding first element fixed."
> Explain this in some detail as to what exactly you mean and how
> this relates to your claims.

OK. I will define some terms here for you. And try to keep it simple. I will
rephrase in less formal notation.

Mix a mix file can be viewed as a special case of the following 'Generic
Method'.
Generic Method: Imagine the sets of 0-9 digits as cards, and the source file as
a giant stack of cards. You take the first 105 cards off the stack, put the first
card on the table, then reorder the remaining cards in an arbitrary but known
manner, i.e. find card 103, put it on top of the first card, then find card 10,
put it down, and so on until you are out of cards from that original set of 105,
then pick up another 105 cards from the big stack, and repeat.

This generic method is a more efficient mixing method than mix a mix file (by
orders of magnitude), because with the 105 cards under the generic method you
can get any possible order (104! possible orderings), and with mix a mix file you
only can get 14! possible orderings. However, since all possible results of mix
a mix file can be reproduced by this generic operation and that operation is a
group, mix a mix file cannot be arbitrarily repeated with the expectation of
continued good results; it can at best contribute the randomness of the generic
operation.

>
>
> Just do this one point.  Or choose perhaps a simpler one like,
> "Scramble is a group" and tell us what you mean and how this
> somehow supports your claims.

Scramble is a group means the following. Given any key1 and key2, there exists a
key3 such that Scramble(key1,Scramble(key2,S)) = Scramble(key3,S). And it commutes
with all of your other methods. This is why I told you long ago that this method
should only be used 1X. (I am glad to see that you finally added my advice to
your helpfile, it is a welcome change)

>
>
> State your specific claim and describe what you mean by your
> description then show us how this supports your claim.

Your methods can achieve good results, that much is true.  However, your methods
are not likely to evenly distribute your results across the space of all
possible results. Since Mix a mix file has fixed points, and is a special case
of a generic op, it must be used only in combination with other methods to
provide maximum security.

>
>
> I can't discuss what you are talking about if you cannot
> communicate it.

>
>
> Thank you.

Simply put, my assertions are as follows.

Firstly, your methods require excessive effort to achieve good results, since
they do not efficiently use the keying data that is input to them.  Even given a
substantial amount of mixing, there will be sections of your files that will
have artifacts of the generation process. Far more so than other such stream
cyphers would have given an equivalent amount of keying data. (You have the stone
knives and bearskins of cryptography -- your tools can and do work, they just
are less efficient than other more modern and efficient methods.)

Secondly, your methodology for generating data results in points of compromise
not present in other methods. (I.e. the large files on your system are key
equivalent.  With a modern stream cypher and a nice front end, I can memorize my
key, and never need to store key equivalent data anywhere.)

Finally, it seems obvious to me that you do not have a deep understanding of the
operation of your own cyphersystem.  For example, with mix a mix file, the first
thing I saw, literally 30 seconds into reading the help file, is that there was a
fixed point in mix a mix file, and 30 seconds later I had thought of a minor
coding change that would fix that issue. Maybe you simply overlooked it, but a
flaw found after 1 minute's work should have been caught -- if only after the
first month of people criticising your program on the net.  I wonder why you
made some of the choices you made (i.e. 14 seems to be a common number for you,
and does not seem to be an optimal choice in some areas; in addition you seem
very insistent on the 0-9 'sets' being kept together, even though this does
constitute something of a weakness. (Do you know why? Study the Enigma for a
clue)
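
As an added illustration of the group argument, not code from OAP-L3 or from anyone in the thread, the following models the 'Generic Method' described above: each 105-element block is permuted by a keyed permutation that keeps element 0 in place. The key-to-permutation step (a key-seeded shuffle) is an assumption made for the example; the point it demonstrates is closure: two passes with two keys equal one pass with a composed key that is itself a member of the same set.

```python
# Added example (not OAP-L3 code): a model of the 'Generic Method' above.
# Each 105-element block is permuted with the first element held fixed.
import random

BLOCK = 105

def key_to_permutation(key):
    """Derive a block permutation from a key.  The shuffle is driven by a
    key-seeded PRNG purely for illustration (an assumption of this example).
    perm[i] is the index of the element moved to position i; position 0
    always keeps element 0, the 'first card on the table'."""
    rng = random.Random(key)
    rest = list(range(1, BLOCK))
    rng.shuffle(rest)
    return [0] + rest

def is_generic_element(perm):
    """A valid generic-method step: a bijection on 0..104 that fixes 0."""
    return sorted(perm) == list(range(BLOCK)) and perm[0] == 0

def apply_block(perm, block):
    return [block[perm[i]] for i in range(BLOCK)]

def mix(perm, data):
    """Apply perm to every full block; a trailing partial block is copied through."""
    out = []
    full = len(data) - len(data) % BLOCK
    for start in range(0, full, BLOCK):
        out.extend(apply_block(perm, data[start:start + BLOCK]))
    out.extend(data[full:])
    return out

def compose(outer, inner):
    """Permutation equal to 'apply inner, then outer' on one block."""
    return [inner[outer[i]] for i in range(BLOCK)]

def second_pass_is_redundant(key1, key2, data):
    """Closure: mixing with key2 then key1 equals one mix with the composed
    permutation, and that composed permutation is itself a valid step."""
    p1, p2 = key_to_permutation(key1), key_to_permutation(key2)
    p3 = compose(p1, p2)
    return mix(p1, mix(p2, data)) == mix(p3, data) and is_generic_element(p3)

def first_element_of_each_block_fixed(key, data):
    """The fixed point the post mentions: block leaders never move."""
    mixed = mix(key_to_permutation(key), data)
    return all(mixed[s] == data[s] for s in range(0, len(data), BLOCK))

if __name__ == "__main__":
    sample = list(range(3 * BLOCK))      # constructed input: three full blocks
    print("two passes == one composed pass:",
          second_pass_is_redundant("key one", "key two", sample))
    print("first element of each block fixed:",
          first_element_of_each_block_fixed("key one", sample))
```

Because the composed permutation is again a generic-method step, applying the step n times with n keys never reaches more than the 104! orderings a single application can already reach, which is the sense in which it "cannot be arbitrarily repeated with the expectation of continued good results".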




------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: ON-topic - UK crime statistics (was Re: Best, Strongest Algorithm)
Date: Wed, 16 May 2001 10:49:07 -0600

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:

> SCOTT19U.ZIP_GUY <[EMAIL PROTECTED]> wrote:
> 
> : No wonder violent crime is up in the UK you can't shoot
> : the bastards that break into you own house. [...]
> 
> I believe shooting someone for breaking and entering would
> itself be regarded as a violent crime in the UK.
> -- 
But, in Texas for this and many other crimes, using justified deadly force
probably won't even get you a formal police interview.  Don't mess with
Texas or Texans.
-- 
George W. Bush is the weakest link...guh bye. 

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Newbie Question: Crytography - Unlimited Inputs/Outputs?
Date: Wed, 16 May 2001 17:37:56 GMT

On Wed, 16 May 2001 12:06:15 GMT, [EMAIL PROTECTED]
(John Savard) wrote, in part:
>On Wed, 16 May 2001 15:19:31 +0800, "news.singnet.com.sg"
><[EMAIL PROTECTED]> wrote, in part:

>>I read/heard somewhere that given an encryption system where the tester is
>>allowed an unlimited number of inputs and outputs, that the system itself
>>will always be possible to break. Is this true?

>Yes, if the key remains constant, one would think so: the tester would
>eventually get around to inputting, by accident, the same input as the
>original message, thus getting the corresponding ciphertext.

>In some encryption systems, though, in addition to the key, a random
>variable is generated by the encryption system and sent with the
>message to ensure no two messages will be enciphered the same way.

>But if the tester is allowed to choose an _unlimited_ number of
>inputs, and see the output, obviously he can repeat the original
>message as often as necessary until the random variable happens to be
>the same as its original value by accident.

Incidentally, this means that PGP (just like RIPEM, and other similar
programs) is "not secure", since the recipient's public key is ...
public. So one is "allowed" to make up an unlimited quantity of test
messages, encrypt them with the recipient's public key, and see which
one matches the actual message sent. But since the number of tries
required to achieve this is very large (actually, exhaustive search on
the key for the conventional encryption would be faster) no one is
worried about it.

So I guess it all boils down to the difference between being allowed
to do something, and actually being capable of doing it.

John Savard
http://home.ecn.ab.ca/~jsavard/frhome.htm

------------------------------

From: James Felling <[EMAIL PROTECTED]>
Subject: Re: Not a realistic thing to do......Why?
Date: Wed, 16 May 2001 13:05:39 -0500



Doug Kuhlman wrote:

> Keill Randor wrote:
> >
> <SNIP>
> > at's it's 'best' - (depending on how you look at it), not even God
> > would be able to crack it, or solve it - (i.e. if the key(s) and
> > ciphertext were known)...
> >
> <SNIP>
>
> Boy, I'd hate to be the intended recipient of that.  If knowledge of the
> key(s) and ciphertext don't allow you to decrypt, what does?
>
> Doug

Might make a good hash though.


------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Best, Strongest Algorithm
Date: 16 May 2001 17:00:01 GMT

[EMAIL PROTECTED] (Joseph Ashwood) wrote in <uUaIVOY2AHA.274@cpmsnbbsa07>:

>
>"SCOTT19U.ZIP_GUY" <[EMAIL PROTECTED]> wrote in message
>news:[EMAIL PROTECTED]...
>> [EMAIL PROTECTED] (Joseph Ashwood) wrote in
>> <OXFxVM$1AHA.190@cpmsnbbsa07>: 
>>
>> >
>> >"SCOTT19U.ZIP_GUY" <[EMAIL PROTECTED]> wrote in message
>> >news:[EMAIL PROTECTED]...
>> >>   Actually when it comes to crypto [in the United States] the NSA
>> >>   has the
>> >final word.
>> >
>> >That is to some degree correct. They are in a position to exert undue
>> >force on the decision. However the simple fact that the selection of
>> >Rijndael was well-founded in the original goals of the AES selection
>> >process, and that all the finalists were asked barring their own
>> >submission which should win, they all (except the Rijndael team of
>> >course) agreed that Rijndael was the preferred choice. So while the
>> >NSA may have had the final word, that word coincided with the
>> >publicly ascertained desires of the contestants themselves, some of
>> >the finest cryptanalysts in the world.
>>
>>   Give me a break. Why don't you pat them on the back again. I
>> suspect the finest cryptanalysts are really in the NSA. The public
>> guys are only recognized because of the closed mutual admiration
>> society that they formed and want everyone else to kiss their
>> asses. David Wagner for example couldn't even figure out how scott19u
>> works. And claimed his slide attack made mincemeat of it. He was
>> wrong. Is he one in this class of finest cryptanalysts in
>> your view of the world? He admitted he really never fully looked
>> at it. He can't even understand compilable source code.
>
>You seem to have missed the point. The AES selection process
>was done in public view, based heavily on public opinion. Of the
>finalists 3 were considered good enough to be AES: Rijndael, Serpent,
>Twofish. Rijndael is one of them, and it was selected. Based on the
>input of the involved Rijndael was first choice. Who I personally
>believe and do not believe to be among the world's best cryptanalysts
>has nothing to do with it, the simple observable facts of the matter are
>that the generally preferred algorithm by the public was chosen to be
>AES. From that view it does not matter if the NSA wanted Rijndael chosen
>or not. 

   No I did not miss the point. But I think you missed it.

>
>>
>> >
>> >> [EMAIL PROTECTED] (Joseph Ashwood) wrote in
>> >> <envXT2m0AHA.274@cpmsnbbsa07>:
>> >
>> >[snip I said something about Rijndael]
>> >>    The ciphers the NSA uses for the government are not open for
>> >> us to view. There is no reason to believe that Rijndael is any
>> >> where close to the secret ciphers the NSA uses.
>> >
>> >You'd be surprised how open they actually are. Not blatantly so, but
>> >we do have knowledge of key sizes, number of instructions, block
>> >sizes, cipher type, and sometimes knowledge of ancestry. Additionally
>> >we can gain more information by looking at the devices they purchase
>> >from the private sector for exactly these purposes. So no I don't
>> >know exactly what each cipher the government uses looks like, but I
>> >have a general idea that Rijndael is decent company for them, and
>> >quite likely their equal. The only concern that remains is the
>> >statement by Coppersmith during the AES process, stating that MARS
>> >was designed to protect against still classified forms of attack,
>> >attacks the other authors have no (public) knowledge of. I believe in
>> >the next few years this situation will change. We already have
>> >evidence that the public cryptanalytic activities are closing on the
>> >secret, and we have evidence that the attack on SKIPJACK was unknown
>> >to them, and that ECC took them by surprise. These indicate to me
>> >that the public knowledge is lacking mostly small portions of
>> >knowledge; bits and pieces from classified books, and the design of
>> >the current ciphers. 
>>
>>    And you believe that Coppersmith has knowledge that MARS was
>> designed against all forms of attack even those that the government
>> says are classified.
>
>I never said "I believe . . . " I said "statement by Coppersmith . . ."
>these have different meanings.
>
>>    I suspect SKIPJACK was designed weak. Don't forget it was for
>> the clipper chip to be used by all.
>
>Exactly why it didn't need to be designed weak, it was designed
>exclusively for use in tamper-resistant hardware. Has only an 80-bit
>key, and to make matters worse was to be always used with a Law
>Enforcement Access Field. Placed in that situation using a weak cipher
>would not have been reasonable, using a cipher of the correct strength
>would have been very reasonable. 
>

    Again it was weak on purpose. The Law Enforcement Access Field was
a tool to allow low law officials to use it but was not necessary for
the NSA to break it.

>> Just like vanilla RIJNDAEL has to be weak
>> the NSA would be foolish to allow a strong cipher for common people
>> to use.
>
>Then by your own arguments why have they allowed you to keep peddling
>your "strong" scottXu? If a strong cipher cannot be allowed to be in the
>hands of general citizens why are you allowed to continue? Please note
>that this does not constitute an endorsement of any cipher designed by D
>Scott. 
>

   They have not exactly allowed it to be peddled. Their own BS boys
and Wagner stated it was weak. It's labelled as snake oil by the so
called experts who never looked at it. So as strong as it is it is
highly unlikely that it will ever be used commercially. I am under
the impression even some of Ritter's stuff which is better than the
AES crap has hit obstacles when on the verge of widespread commercial
use. Sure there will be many people like me that have strong crypto
or who want to use solid crypto ideas. But they will be laughed at
and few will use them. Of course the big boys once in a while to show
their skill will point out a newbie who wants to XOR a key repeatedly
over a text file and then proclaim look at this poor foolish amateur
he knows nothing and should leave crypto to us proven crypto gods.

   I think my ideas of bijective compression combined with bijective
encryption such that no input output pairs or sequences can easily
be found go a long way to solid crypto. Yet the big boys ignoring
the knowledge of Shannon don't seem to worry about designing crypto
packages that only allow one key to work. Anyone who thinks about
it, even you, could most likely see the benefit of encryption that
can map any tested key back to plaintext that could have been
encrypted with that key.  Why on earth would anyone want an
encryption method that gives the attacker the black and white
answer as to whether or not the key used is correct. Especially
if crypto has a major goal of hiding information from an attacker.
You should mislead an attacker, not point the way.

>> >
>> >> Rijndael will
>> >> only be implemented in modes the NSA can safely break.
>> >
>> >There is no evidence of that, and significant evidence to the
>> >contrary. Strictly speaking if you believe that  Timmermans BICOM is
>> >a secure implementation of Rijndael then by your judgement there is
>> >an implementation of Rijndael in a secure mode, which violates your
>> >initial statement.
>>
>>     You miss the point. BICOM is not and will not be recognized by
>> the crypto gods as an implementation of Rijndael for various reasons.
>
>Mostly because of your blatant misstatements about it.

    And what are my blatant misstatements about BICOMs
use of Rijndael. Look don't be an ass point them out if
you think they exist.

>
>> One the people in charge don't seem to understand bijectiveity and
>> have even emailed me saying Matt could not do that.
>
>If you remember correctly I'm one of them. And I still stand by the
>statement that it is impossible to dependably compress the output of a
>good encryption function. At one point you specifically stated that
>BICOM could output a single byte output that was Rijndael encrypted,
>that always has been, and always will be the problem.

    What the hell are you talking about. BICOM compresses before
it encrypts. And yes you can take any possible byte as an outfile
to it. And then decrypt it to 2**256 separate input files. One for
each key. If you don't believe it you have a software virus of the
brain. Since it's easy to run BICOM to check. But you would rather
spout the crap brainwashed into your brain by the phony crypto gods
than to even test it a little bit. It's people blinded by years of tricky
phony knowledge of crypto that has led people like you astray.
  How many times do I have to say test it. Sure you can't test
it for 2**256 bit keys. But you could take a single byte, your
choice of value, and try 300 separate keys. You could then see that
each of those keys maps to a different input file. That when
encrypted with the test key goes back to that file. But being the
asshole you seem to be, I can see it's most likely you will
continue to argue because of your blind false faith.

rest of crap snipped since it's obvious you missed the
boat a long time ago.


David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE "OLD VERSIOM"
        http://www.jim.com/jamesd/Kong/scott19u.zip
My website http://members.nbci.com/ecil/index.htm
My crypto code http://radiusnet.net/crypto/archive/scott/
MY Compression Page http://members.nbci.com/ecil/compress.htm
**NOTE FOR EMAIL drop the roman "five" ***
Disclaimer:I am in no way responsible for any of the statements
 made in the above text. For all I know I might be drugged or
 something..
 No I'm not paranoid. You all think I'm paranoid, don't you!


------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: ON-topic - UK crime statistics (was Re: Best, Strongest Algorithm)
Date: 16 May 2001 17:13:11 GMT

[EMAIL PROTECTED] (Darren New) wrote in <[EMAIL PROTECTED]>:

>"Trevor L. Jackson, III" wrote:
>> And in the U.S.  
>
>Actually, it depends on the state. Murder is a state crime, not a fedral
>crime.
>

  Actually it usually is a state crime. But I think if you kill
a postal worker for example. Or even if you kill a normal person
if you forced them out of the country to the open ocean and drowned
them that might be a federal crime. A third possibility I have
wondered about is if you placed a land mine say at four corners
(Arizona, Colorado, New Mexico and Utah) which state would have
jurisdiction if the person who stepped on the land mine had equal
parts blown to all four states. Or would it be the Navajos from
the reservation.


David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE "OLD VERSIOM"
        http://www.jim.com/jamesd/Kong/scott19u.zip
My website http://members.nbci.com/ecil/index.htm
My crypto code http://radiusnet.net/crypto/archive/scott/
MY Compression Page http://members.nbci.com/ecil/compress.htm
**NOTE FOR EMAIL drop the roman "five" ***
Disclaimer:I am in no way responsible for any of the statements
 made in the above text. For all I know I might be drugged or
 something..
 No I'm not paranoid. You all think I'm paranoid, don't you!


------------------------------

From: "Thomas J. Boschloo" <[EMAIL PROTECTED]>
Crossposted-To: alt.privacy,alt.security.pgp,alt.security.scramdisk,alt.privacy.anon-server
Subject: Re: Evidence Eliminator works great. Beware anybody who claims it 
Date: Wed, 16 May 2001 18:40:04 +0200

Shaun Hollingworth wrote:

> If anyone can Email me their address I'll drive down to Nottingham and
> tell them what I think.... EE had a fine reputation..... Which is now
> in tatters... Destroyed by those whose interests I would have thought
> would have been to protect it.

If they are indeed located in England, wouldn't the "Private Security
Industry Bill" put them out of business once it becomes effective as a
law? <http://www.homeoffice.gov.uk/psib/index.htm>

Much as I dislike the internet laws being pushed and approved in
England, this one might actually give me a good laugh if it actually
works against such 'state of the art' guys <loads of sarcasm here>.

Thomas
-- 
"Software patents harm the flow of free information"


------------------------------

From: "Josyula R. Rao" <[EMAIL PROTECTED]>
Subject: Re: FYI: Results on EM attacks on smart cards
Date: Wed, 16 May 2001 14:23:37 -0400

Mike,

Thanks for your comments. We will label the graphs so that they are
intelligible to people not working in the area.

About your questions and suggestions: everything is fair game at this point.
We do have other results but as you can appreciate, disclosure can only be
done in a responsible manner.

Pankaj Rohatgi and JR Rao

"Mike Rosing" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> After reading the paper all the way thru, I was wondering about other attacks.
> I'd classify these as "passive" because you're just listening to the device.
> What about active EM attacks?  Not the same as the failure mode attack where
> you try to get a bit stuck, but more of a resonance mode method which may
> enhance the signal for each bit flip, or bypass good shielding by giving
> internal signals a good path to the outside world.
>
> Seems like a lot of research can be done on this :-)
>
> Patience, persistence, truth,
> Dr. mike



------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Newbie Question: Crytography - Unlimited Inputs/Outputs?
Date: 16 May 2001 17:19:33 GMT

[EMAIL PROTECTED] (wtshaw) wrote in <jgfunj-1605011044560001@dial-245-049.itexas.net>:

>In article <[EMAIL PROTECTED]>,
>[EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) wrote:
>
>> [EMAIL PROTECTED] (news.singnet.com.sg) wrote in
>> <9dt90f$jk3$[EMAIL PROTECTED]>: 
>> >
>> >I read/heard somewhere that given an encryption system where the tester
>> >is allowed an unlimited number of inputs and outputs, that the system
>> >itself will always be possible to break. Is this true?
>> >
>Unlimited is a big quantity.
>> 
>....
>> 
>>    Part of the game of crypto is to keep people going down false
>> trails so the NSA can keep reading your mail. And so far the US
>> has done a bang up job keeping people in the dark. And you will get
>> many beautiful responses saying that I am lying to you.
>> 
>
>What Dave is saying is true to the extent that the essence of good crypto
>is deception.  Use of it is the very thing that the BBW would growl is
>unfair and should not be except for his purposes.  Politicians want to
>somehow dismiss scientific truths and preach that fighting is hopeless. 
>In theory, what you suggest is always true, but the real world is not
>unlimited by a long shot, even those that want to think that they are in
>charge.

   Yes Mr Shaw is stating part of what I meant to say. Except his
spelling, grammar and punctuation are far better.

David A. Scott
-- 
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE "OLD VERSIOM"
        http://www.jim.com/jamesd/Kong/scott19u.zip
My website http://members.nbci.com/ecil/index.htm
My crypto code http://radiusnet.net/crypto/archive/scott/
MY Compression Page http://members.nbci.com/ecil/compress.htm
**NOTE FOR EMAIL drop the roman "five" ***
Disclaimer:I am in no way responsible for any of the statements
 made in the above text. For all I know I might be drugged or
 something..
 No I'm not paranoid. You all think I'm paranoid, don't you!


------------------------------

From: [EMAIL PROTECTED] (Mark)
Subject: Re: extracting random bits from low-entropy data
Date: Wed, 16 May 2001 18:41:17 +0000 (UTC)

[EMAIL PROTECTED] (Gregory G Rose) wrote in news:9dpf70$[EMAIL PROTECTED]:

> In article <[EMAIL PROTECTED]>,
> Mark <[EMAIL PROTECTED]> wrote:
>>How do I extract the entropy from low-entropy data to produce
>>high-quality random bits, assuming that I know a lower bound for the
>>amount of entropy in the input? 
>>
>>For example, suppose I want 100 uniform random bits, and my source of 
>>randomness is the conversation in a chat room.  Making the assumption
>>that 
> 
> Other postings in this thread have given the
> correct answer, which is "use a standard hash
> function". However...
> 
> What do you want to use this entropy for? ("What's
> the threat model?") You're attempting to derive
> entropy from essentially public information.
> 
> Suppose, for example, that you want to use that to
> seed a pseudo-random number generator for a game, and
> it's important that the players not be able to
> know the output of the PRNG. Further suppose that
> the chat room is about the game, and that the
> players can be expected to see the conversation.
> Then the entropy to the other players is in fact
> much less than the expected hundred bits... they
> just have to take 50-line chunks from the log of
> the chat room, hash them, and see if the PRNG
> produces output consistent with that hash as the
> input. The measure of entropy, in this case, applies
> to one of a couple of hundred starting points for the
> 50-line hash, that is, less than 8 bits.
> 
> It's impossible to tell from your question whether
> this distinction matters to you or not, but in
> practice it certainly can matter... during the
> Prohibition Era in the US, a number of book
> ciphers were broken by (I think) Elizabeth
> Friedman based purely on knowing what books were
> likely to be used. The entropy of the text was
> high in total, but the entropy of the *selection*
> of the text was low.
> 
> Greg.
> 

Yes I wanted random numbers for a game (bridge to be specific) and wanted 
to use real random numbers instead of pseudo random numbers.  (I.e., not 
just use the "real" random number to seed a PRNG, but do away with the PRNG 
altogether.)  My motivation is less related to deliberate cryptographic 
attacks, and more related to avoiding any *inadvertent* patterns in the 
dealt hands.

Regarding your comments about security, it seems to me that using a non-
cryptographic PRNG opens oneself to attack by a clever player even if the 
seed is totally random.
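
An added example, not code from either poster, that puts numbers on Greg's point: it extracts 100 bits from a chunk of chat lines with SHA-256 (the "standard hash function" answer) and then counts how many chunk positions someone who can read the same log would need to hash to reproduce the result. The chat log is constructed filler; the 50-line chunk and 100-bit output are the figures from the discussion.

```python
# Added example (not from the thread): extract bits from a chat log with a
# standard hash, then measure how many candidate chunks an observer of the
# same log would have to try.  CHAT_LOG is constructed filler, not real data.
import hashlib
import math

CHAT_LOG = [f"player{i % 4}: bid {i} for this hand" for i in range(300)]  # constructed
CHUNK = 50        # lines per extraction, as in the discussion
OUT_BITS = 100    # bits wanted, as in the discussion

def extract_bits(lines, start, chunk=CHUNK, out_bits=OUT_BITS):
    """Hash a chunk of lines with SHA-256 and keep the top out_bits bits."""
    blob = "\n".join(lines[start:start + chunk]).encode("utf-8")
    digest = int.from_bytes(hashlib.sha256(blob).digest(), "big")
    return digest >> (256 - out_bits)

def candidate_starts(lines, chunk=CHUNK):
    """Every position at which a full chunk can begin."""
    return range(0, len(lines) - chunk + 1)

def selection_entropy_bits(lines, chunk=CHUNK):
    """Entropy of *which* chunk was used, for someone who has the whole log:
    log2 of the number of possible starting points, however much entropy
    the text itself carries."""
    return math.log2(len(candidate_starts(lines, chunk)))

def hashes_to_reproduce(lines, observed, chunk=CHUNK):
    """Number of hashes an observer of the log needs before reproducing
    `observed`; None if no chunk produces it."""
    for n, start in enumerate(candidate_starts(lines, chunk), start=1):
        if extract_bits(lines, start, chunk) == observed:
            return n
    return None

def bits_needed_for_deal(cards=52):
    """log2(cards!) bits: the minimum needed to pick a uniformly random deal."""
    return math.log2(math.factorial(cards))

if __name__ == "__main__":
    r = extract_bits(CHAT_LOG, 120)
    print(f"extracted {OUT_BITS} bits: {r:#x}")
    print(f"selection entropy: {selection_entropy_bits(CHAT_LOG):.2f} bits")
    print(f"hashes to reproduce it: {hashes_to_reproduce(CHAT_LOG, r)}")
    print(f"bits for one 52-card deal: {bits_needed_for_deal():.1f}")
```

With 300 lines there are 251 possible starting points, under 8 bits of selection entropy no matter how much entropy the text itself carries. A uniformly random 52-card deal needs about log2(52!) ≈ 226 bits, so a single 100-bit extraction is short of Mark's stated need even before this weakness is considered; a source the players cannot read, or a private secret mixed into the hash input, is what restores the entropy to the observer's view.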


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
