True Random Number Generator
in [Cryptography]
|
From: unruh on 11 Feb 2010 13:48 On 2010-02-10, Mok-Kong Shen <mok-kong.shen(a)t-online.de> wrote: > bmearns wrote: > [snip] > > I don't question that you "understand" quantum effects are strictly > random. I question however which academic paper has "rigorously" proved > that they are strictly random. Max Born's famous footnote for which he won the Nobel Prize. Quantum mechanics is a theory with certain assumptions. One of those assumptions is the probabilistic nature of quantum mechanics. Since in logic, "If A then A" is always true. The more relevant question is whether or not quantum mechanics describes the real world, and that is not a issue of "proof". It is an issue of experiments, of trying to find examples in which the hypothesis fails, of gaining faith by numerous cases that the hypothesis is correct. And the evidence is very strong. > > Thanks, > > M. K. Shen > > >
From: Mok-Kong Shen on 11 Feb 2010 15:12 bmearns wrote: [snip] > So to paraphrase, an attacker has no less chance of simply guessing > the plaintext than they do successfully decrypting the ciphertext, > which is exactly what unruh and myself said. Is this because the > ciphertext has 1 Shannon per bit? No, it's because the ciphertext has > 1 Shannon per bit-of-plaintext, which is also what I stated (and > illustrated) in my last post. Are you aware of the context of the use of OTP? At least in the way Shannon introduced the issue, it is used to xor the plaintext bits. So certainly the number of plaintext bits exactly equals the number of ciphertext bits. I thought that was clearly a commonly adopted basis for argument and needs no mentioning. But you seemed to have other conceptions of your own, like that a ciphertext bit could eventually have more than one bit of entropy, as you wrote in the other post. M. K. Shen
From: Mok-Kong Shen on 11 Feb 2010 15:49 unruh wrote: > Max Born's famous footnote for which he won the Nobel Prize. > Quantum mechanics is a theory with certain assumptions. One of those > assumptions is the probabilistic nature of quantum mechanics. Since in > logic, "If A then A" is always true. > > The more relevant question is whether or not quantum mechanics describes > the real world, and that is not a issue of "proof". It is an issue of > experiments, of trying to find examples in which the hypothesis fails, > of gaining faith by numerous cases that the hypothesis is correct. > And the evidence is very strong. Thank you very much for the valuable informations. To be frank, I in fact do "believe", though I am a layman in physics, that one can obtain extremely superb (i.e. better than anything else in the world) randomness from suitably tapping sources of quantum phenomena. Maybe such sources are "in fact" "absolutely" random, though one couldn't "know" that in the current state of scientific knowledge. (I deduce "one couldn't know" simply from the fact that, quantum theory, like relativity theory, is yet a "theory", even though no physist seems to have any doubt of it.) That's why I argued with others in the thread, saying that there can't be an "exact" proof of "perfect" randomness in the literature in the sense of an exact proof e.g. in Euclidean geometry. I also wrote in responses to others, saying that this is also of no "practical" relevance, because in tapping a perfect random source, assuming that such exists, the "unavoidable" technical imperfection in the apparatus employed would deteriorate the quality by some epsilon amount, resulting in a not 100.0% perfect randomness. So the "perfect" OTP is a theoretical (though very useful and important) concept. But, unfortunately, as often occurs in our group, there has been much misunderstanding in argumentations and hence much unnecessary materials in the posts. (I don't exclude that I myself may be as responsible for that as others. But I think it would be better that I stop following up in this thread now.) M. K. Shen
From: bmearns on 11 Feb 2010 17:13 On Feb 11, 3:12 pm, Mok-Kong Shen <mok-kong.s...(a)t-online.de> wrote: > bmearns wrote: > > [snip] > > > So to paraphrase, an attacker has no less chance of simply guessing > > the plaintext than they do successfully decrypting the ciphertext, > > which is exactly what unruh and myself said. Is this because the > > ciphertext has 1 Shannon per bit? No, it's because the ciphertext has > > 1 Shannon per bit-of-plaintext, which is also what I stated (and > > illustrated) in my last post. > > Are you aware of the context of the use of OTP? At least in the way > Shannon introduced the issue, it is used to xor the plaintext bits. So > certainly the number of plaintext bits exactly equals the number of > ciphertext bits. I thought that was clearly a commonly adopted basis > for argument and needs no mentioning. But you seemed to have other > conceptions of your own, like that a ciphertext bit could eventually > have more than one bit of entropy, as you wrote in the other post. > > M. K. Shen You're still pulling a red-herring (meaning instead of actually addressing the core argument, you're focusing on essentially irrelevant details). You're also apparently not "listening" to what I'm saying and incorrectly attributing things to me which I did not say, which I very much don't appreciate. The output of my hypothetical cipher was not limited to 100 bits (in fact, it very explicitly has 200 bits), and therefore not limited to 100 Shannons. In the specific case where an XOR is used (which is almost always what an OTP means, though I don't know that it necessarily has to), then yes, as I've already stated twice, it would be limited to 100 Shannons. But, as I've also already stated and you've also already ignored, my argument was for the general case in which you don't know what operation is being used to mix the plaintext and key. In the general case where the output is at least 110 bits and the mixing operation is unknown, the absolute maximum entropy the output could have would be 110 Shannons. But don't bother with any of that, because the real point of contention, which you've twice refused to address, is that the hypothetical cipher I described has perfect security, 200 bits of cipher text data, and less than 200 bits of entropy in the ciphertext. It therefore does not have full-entropy, but still offers perfect security, which you earlier claimed was not possible. Please either address this or concede that you were wrong, and please do so without wrongly attributing incorrect statements to me. -Brian
From: bmearns on 11 Feb 2010 17:16
On Feb 11, 3:49 pm, Mok-Kong Shen <mok-kong.s...(a)t-online.de> wrote: > unruh wrote: > > Max Born's famous footnote for which he won the Nobel Prize. > > Quantum mechanics is a theory with certain assumptions. One of those > > assumptions is the probabilistic nature of quantum mechanics. Since in > > logic, "If A then A" is always true. > > > The more relevant question is whether or not quantum mechanics describes > > the real world, and that is not a issue of "proof". It is an issue of > > experiments, of trying to find examples in which the hypothesis fails, > > of gaining faith by numerous cases that the hypothesis is correct. > > And the evidence is very strong. > > Thank you very much for the valuable informations. To be frank, I in > fact do "believe", though I am a layman in physics, that one can obtain > extremely superb (i.e. better than anything else in the world) > randomness from suitably tapping sources of quantum phenomena. Maybe > such sources are "in fact" "absolutely" random, though one couldn't > "know" that in the current state of scientific knowledge. (I deduce > "one couldn't know" simply from the fact that, quantum theory, like > relativity theory, is yet a "theory", even though no physist seems to > have any doubt of it.) That's why I argued with others in the thread, > saying that there can't be an "exact" proof of "perfect" randomness in > the literature in the sense of an exact proof e.g. in Euclidean > geometry. I also wrote in responses to others, saying that this is also > of no "practical" relevance, because in tapping a perfect random source, > assuming that such exists, the "unavoidable" technical imperfection in > the apparatus employed would deteriorate the quality by some epsilon > amount, resulting in a not 100.0% perfect randomness. So the "perfect" > OTP is a theoretical (though very useful and important) concept. > But, unfortunately, as often occurs in our group, there has been > much misunderstanding in argumentations and hence much unnecessary > materials in the posts. (I don't exclude that I myself may be as > responsible for that as others. But I think it would be better that > I stop following up in this thread now.) > > M. K. Shen You still haven't explained how imperfections in apparatus necessarily leads to deterioration of the randomness it captures. -Brian |