Subject: Re: A software for combining text files to obtain high quality pseudo-random sequences in practice
From: Karl.Frank
Newsgroups: sci.crypt.random-numbers
Organization: albasani.net
Date: Thu, 13 Jul 2017 16:02 UTC
Message-ID: <ok85ic$f00$1@news.albasani.net>
References: <ok25b3$c5g$4@news.albasani.net> <ok3ark$hqs$2@dont-email.me> <ok5fo6$os9$1@news.albasani.net> <ok5jlb$hgk$1@news.albasani.net> <ok61n1$fdj$1@news.albasani.net> <ok6e3o$egv$1@news.albasani.net> <ok74e6$63o$1@news.albasani.net> <ok7f4t$a4b$1@news.albasani.net> <ok7lie$p6v$1@news.albasani.net> <ok7nrc$j9a$1@news.albasani.net> <ok7ulv$p9$1@news.albasani.net>
In-Reply-To: <ok7ulv$p9$1@news.albasani.net>

On 13.07.17 16:04, Mok-Kong Shen wrote:
> On 13.07.2017 at 14:08, Karl.Frank wrote:
>> On 13.07.17 13:29, Mok-Kong Shen wrote:
>>> On 13.07.2017 at 11:39, Karl.Frank wrote:
>>>> On 13.07.17 08:36, Mok-Kong Shen wrote:
>>>>> On 13.07.2017 at 02:15, Karl.Frank wrote:
>>>>>> On 12.07.17 22:44, Mok-Kong Shen wrote:
>>>>>>> On 12.07.2017 at 18:44, Karl.Frank wrote:
>>>>>>>> On 12.07.17 17:37, Mok-Kong Shen wrote:
>>>>>>>>> On 11.07.2017 at 22:01, William Unruh wrote:
>>>>>>>>>> You are repeating yourself. Do you think that if you say it three
>>>>>>>>>> times (as with the Bellman) it will suddenly become worthwhile?
>>>>>>>>>> As I have said, this is a horrible scheme. Text has many long
>>>>>>>>>> range correlations (from character pairs to paragraphs, etc.), which
>>>>>>>>>> would mess up the random stream (make it non-random).
>>>>>>>>>> Bad idea.
>>>>>>>>>> And you might want to look at what Shannon and others actually did.
>>>>>>>>>>
>>>>>>>>>> Note that even if the letters really were completely random, your
>>>>>>>>>> method of combining them would make the output non-random.
>>>>>>>>>
>>>>>>>>> See the reference I gave of the paper about entropy and the test
>>>>>>>>> statistic of Maurer's test.
>>>>>>>>>
>>>>>>>> Did it ever occur to you that verifying randomness only by the
>>>>>>>> Maurer test is not sufficient?
>>>>>>>>
>>>>>>>> What about ENT, test for bias or, much more important, Pierre
>>>>>>>> L'Ecuyer's TestU01 suite?
>>>>>>>>
>>>>>>>> In the past I have already demonstrated that one of your PRNG's,
>>>>>>>> namely PERMPOLYPRNG which passed the Maurer test, is massively flawed.
>>>>>>>
>>>>>>> The unfortunate situation with PRN generation in general is that
>>>>>>> there are lots of different tests. I don't have expertise in such and
>>>>>>> use just one test for the sake of convenience. Further, my targeted
>>>>>>> users, the common people who need security protection of their
>>>>>>> personal communications, have only very limited volumes, so
>>>>>>> cryptanalytical risks associated with assumptions of large volumes of
>>>>>>> encrypted materials are not intimidating for them IMHO.
>>>>>>>
>>>>>>> M. K. Shen
>>>>>>
>>>>>> It is not an unfortunate situation. In contrast, these test suites
>>>>>> are of great help in revealing weak or even totally useless PRNG's for
>>>>>> the common people - let alone in terms of cryptography.
>>>>>>
>>>>>> So now you're promoting another cryptographic scheme for the
>>>>>> obfuscation of your little sister's diary? - as Bruce Schneier called
>>>>>> it once.
>>>>>
>>>>> If the volume of materials available for analysis is small, then
>>>>> exploiting tiny biases would be more difficult, isn't it?
>>>>>
>>>> Depending on how heavy the bias of the PRNG in question is. You might
>>>> notice that the most recent break of RC4 was basically managed with
>>>> very tiny ciphertexts.
>>>
>>> I don't yet know that recent break. How tiny? Could you give a reference?
>>>
>> Just tiny short 16-character cookies.
>>
>> http://www.rc4nomore.com/
>>
>> http://www.youtube.com/watch?v=d8MtmKrXlKQ
>>
>> http://www.rc4nomore.com/vanhoef-usenix2015.pdf
>>
>>
>>> BTW, you wrote earlier:
>>> "In the past I have already demonstrated that one of your PRNG's,
>>> namely PERMPOLYPRNG which passed the Maurer test, is massively flawed."
>>> The latest version of that software is 3.1, so at least its first
>>> version was fairly unsatisfactory even to myself. However, all the
>>> revisions were based on thoughts of myself, not of any other person. It
>>> can certainly not be excluded that even the latest version may indeed
>>> be "massively flawed". But where is your "demonstration"?? I just
>>> checked and found that the thread in the group where PERMPOLYPRNG is
>>> published is exceptionally short and all posts in it were from me and
>>> not from any other person.
>>>
>> Over here are some visual results displaying the massive bias as well as
>> the source code and test tools used
>> http://www.freecx.co.uk/crypto/cryptanalysis/PERMPOLYPRNG/
>>
>> These two images in particular are the most interesting in regard to
>> displaying the bias:
>>
>> http://www.freecx.co.uk/crypto/cryptanalysis/PERMPOLYPRNG/permpolyprng_1MB.bin_rnd.jpg
>>
>> http://www.freecx.co.uk/crypto/cryptanalysis/PERMPOLYPRNG/permpolyprng_4MB.bin_rnd.jpg
>>
>> The original posting is over here
>> http://s13.zetaboards.com/Crypto/single/?p=8045140&t=7392575
>
> Ok, I forgot that history, as it lay quite some time back. From the date
> of that post of yours, you were testing version 1.0, not the later
> versions.
>
> I don't have the opinion that any crypto scheme is justified only by its
> passing a single statistical test. When some other plausible reasoning
> is available in the positive direction, then such a test gives in my
> view substantial support for its goodness. Formal proof of security
> would be ideal, but in practice that's a difficult-to-attain goal.
> I can't remember/know now how much work I had spent to check version
> 1.0 with Maurer's test and whether I might have made mistakes there, and
> so any bad behavior of version 1.0 should not be interpreted as
> non-sensitiveness of Maurer's test. In fact, in the current case of
> TESTCOMBINE-SP, certain arguments seemed to indicate that its resulting
> sequences would be fairly biased, though Maurer's test always came out
> ok, and I started to doubt the sensitivity of Maurer's test. But, if
> my later computations are correct, this can be explained by the fact
> that the underlying factors of the said arguments turned out not to
> be strong enough in their influence in practice, and hence Maurer's test
> can't be blamed in that context.
>
Any PRNG used for cryptographic purposes *HAS* to *pass* *all* of these
very harsh and intense tests for randomness quality, especially TestU01
"crush" and "big crush". This is the first ever measurement that a PRNG
designer has to take very seriously. If a proposed CSPRNG does not pass
these tests it has to be dropped or re-designed, because a *failure* of
these tests *indicates* a *non-random* *output*, no matter what one
believes are the plausible reasons why it would still be "sufficiently
random" for cryptographic purposes.

If you read the mentioned thread from the beginning you will realise
that my intention in starting it was my critique that the Maurer test is
seemingly not reliable, as even the keystream output of one of the most
miserably designed cipher algorithms, namely the Crystalline cipher,
passes the Maurer test. This indicates in my view the importance of not
relying solely on this result but always running the whole bunch of
available test tools.

Just one example of the Crystalline output by the Maurer test:
http://www.freecx.co.uk/crypto/cryptanalysis/Crystalline/maurer-test-result_10MB.txt

...and that's what the simple test for bias reveals:
http://www.freecx.co.uk/crypto/cryptanalysis/Crystalline/bias-result_(8)_10MB.txt

Both test results are based on the same keystream.

Not sure if the latest version of your PERMPOLYPRNG or TESTCOMBINE-SP
would pass these tests.

> M. K. Shen
>>> M. K. Shen
>>>>> Views could indeed be entirely different. Schneier demanded also that
>>>>> one who is interested in crypto should first be proficient in analyzing
>>>>> the diverse classical schemes. If everyone follows that advice, I am
>>>>> quite sure that a non-trivial percentage of persons currently in the
>>>>> crypto groups would have been absent because they haven't yet been able
>>>>> to finish the work that they are required to do.
>>>>>
>>>> This would hold mostly true for you then.
>>>>
>>>>> M. K. Shen
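The two measurements the post contrasts, Maurer's universal statistic and a plain per-bit-position bias count, run side by side in Python as an added illustration (not code from the post or from the freecx.co.uk tools it links). The expected value and variance for L = 6 come from NIST SP 800-22; the sample streams are constructed from a seeded Mersenne Twister, the second with the top bit of every byte forced to zero as a crude stand-in for a biased keystream.

```python
import math
import random

# Expected value and variance of Maurer's statistic for L = 6 bit blocks,
# taken from the universal statistical test table in NIST SP 800-22.
L, EXPECTED, VARIANCE = 6, 5.2177052, 2.954

def maurer_statistic(data, Q=10 * 2**L):
    """Maurer's universal statistic f_n over non-overlapping L-bit blocks.
    The first Q blocks only fill the last-seen table; each of the remaining K
    blocks adds log2 of its distance to the previous occurrence of the same
    value. Returns (f_n, sigma), sigma being the standard deviation of f_n
    for an ideal source, so (f_n - EXPECTED) / sigma is the z-score."""
    bits = [(b >> (7 - i)) & 1 for b in data for i in range(8)]  # MSB first
    blocks = [int("".join(map(str, bits[i:i + L])), 2)
              for i in range(0, len(bits) - L + 1, L)]
    K = len(blocks) - Q
    if K <= 0:
        raise ValueError("stream too short for the initialisation segment")
    last_seen = {}  # block value -> 1-based index of its last occurrence
    for n, v in enumerate(blocks[:Q], start=1):
        last_seen[v] = n
    total = 0.0
    for n, v in enumerate(blocks[Q:], start=Q + 1):
        total += math.log2(n - last_seen.get(v, 0))
        last_seen[v] = n
    c = 0.7 - 0.8 / L + (4 + 32 / L) * K ** (-3 / L) / 15
    return total / K, c * math.sqrt(VARIANCE / K)

def bit_position_bias(data):
    """Simple bias check: fraction of ones at each bit position (index 0 = LSB)."""
    counts = [0] * 8
    for b in data:
        for i in range(8):
            counts[i] += (b >> i) & 1
    return [n / len(data) for n in counts]

def sample_streams(nbytes=48_000, seed=1):
    """Constructed inputs: a seeded Mersenne Twister byte stream, and the same
    stream with the top bit of every byte cleared as a crude biased keystream."""
    rng = random.Random(seed)
    good = bytes(rng.getrandbits(8) for _ in range(nbytes))
    return good, bytes(b & 0x7F for b in good)

if __name__ == "__main__":
    for name, stream in zip(("prng", "biased"), sample_streams()):
        fn, sigma = maurer_statistic(stream)
        print(f"{name}: Maurer f_n={fn:.4f} z={(fn - EXPECTED) / sigma:+.1f}",
              "ones per bit:", [round(p, 3) for p in bit_position_bias(stream)])
```

The bias table exposes the cleared bit immediately (position 7 never carries a one), which is the kind of defect the post says a single-statistic check may not make obvious; a real keystream should be run through the full batteries (ENT, TestU01) as well.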
