Newsgroups: sci.crypt
Path: cactus.org!ritter
From: ritter@cactus.org (Terry Ritter)

Subject: Re: IBM-PC random generator, source included
Message-ID: <1992Jun26.231556.4588@cactus.org>
Organization: Capital Area Central Texas UNIX Society, Austin, Tx
References: <1992Jun23.080147.15804@cactus.org> <2808@accucx.cc.ruu.nl> <1992Jun26.080402.27283@ncar.ucar.edu>
Date: Fri, 26 Jun 1992 23:15:56 GMT


 In <1992Jun26.080402.27283@ncar.ucar.edu> prz@sage.cgd.ucar.edu
 (Philip Zimmermann) writes:

>Suppose we assume that Nico's generator produced 1 bit of "true" randomness
>for every, say, 3 bits of actual output.  In other words, the output is
>impure randomness, with 1/3 of true randomness buried somewhere in the
>output stream, with the other two thirds of output bits being predictable
>by some highly sophisticated modeling of the physical system.  (My ratio
>of 3-to-1 is just an arbitrary assumption for this example.)

>Okay, so let's collect 384 bits of Nico's output and reduce it to 128 bits
>by running it through MD5.  We have thus captured the true randomness
>that is holographically smeared through his output and distilled it down
>with MD5 to the essential undiluted randomness.  We aren't just using
>MD5 to mix it up-- we are using it to distill it down.


 Phil is apparently somewhat less jaded than myself.

 1. I see no reason to assume that Nico's generator produces
    any bits of "true" randomness whatsoever.

 2. Simply because some complex process somehow converts 384
    bits to 128 bits is no reason to believe that it has somehow
    captured the "essential" randomness in any special way.

    If we want every bit of the output to depend on every
    bit of the input we could use CRCs.

 3. If "holographic smear" is, by itself, a virtue, it's
    easy enough to transform to some other domain with FFT,
    Walsh-Hadamard, or related transformations.  Then we can
    "distill it down" by using a subset of the output.
    However, I see no reason to believe that data which are
    mostly structured are going to be less structured in a
    transformed domain.

    The problem with MD5 is that we know very little about
    the technology used to create it, and, thus, the limits
    and dangers of using that technology to produce a hash.

    We have a similar problem with DES, and that is almost
    two decades old.  Yes, these transformations look complex,
    but that is part of the problem.  Their complexity may just
    make it difficult for us to *see* their weaknesses.


 ---
 Terry Ritter    ritter@cactus.org
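A small simulation of the 3-to-1 "impure" generator Phil describes, added here as an example and not part of the original thread: it shows that hashing 3k stream bits down to a digest can carry through at most the k bits of entropy the source actually had, whichever mixing function is used (MD5 or a CRC), while keeping a subset of the raw bits can retain even less. The generator model, the constant K and all function names are my own assumptions for this toy.

```python
import hashlib
import zlib

K = 12  # truly random bits per toy sample (assumption; small so the seed space is enumerable)


def impure_generator(seed, k=K):
    """Expand k true random bits into 3k output bits: each random bit r is
    followed by two 'physically predictable' bits, a copy of r and its
    complement, so two thirds of the stream are determined by the other third."""
    bits = []
    for i in range(k):
        r = (seed >> i) & 1
        bits.extend([r, r, r ^ 1])
    return bits


def bits_to_bytes(bits):
    """Pack a bit list MSB-first into bytes, zero-padding to a byte boundary."""
    padded = bits + [0] * (-len(bits) % 8)
    return bytes(int("".join(map(str, padded[i:i + 8])), 2)
                 for i in range(0, len(padded), 8))


def md5_distill(bits):
    """Phil's proposal: 'distill' the stream to a 128-bit MD5 digest."""
    return hashlib.md5(bits_to_bytes(bits)).digest()


def crc32_distill(bits):
    """Ritter's point 2: a CRC also makes every output bit depend on every input bit."""
    return zlib.crc32(bits_to_bytes(bits))


def prefix_distill(bits, n=K):
    """Ritter's point 3: 'distill' by keeping a subset (here the first n) of the bits."""
    return tuple(bits[:n])


def distinct_outputs(distill, k=K):
    """Count distinct distilled values over the whole 2**k seed space; log2 of the
    count is an upper bound on the entropy the distilled value can carry, whatever
    its nominal width (128 bits for MD5)."""
    return len({distill(impure_generator(s, k)) for s in range(1 << k)})


if __name__ == "__main__":
    for name, f in (("md5", md5_distill), ("crc32", crc32_distill), ("prefix", prefix_distill)):
        print(f"{name:6s}: {distinct_outputs(f):5d} distinct values from {1 << K} seeds")
```

With K=12 the MD5 digest takes only 4096 distinct values despite its 128-bit width, the same bound a CRC is subject to, and the first 12 raw bits cover only 4 seed bits, so just 16 values.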