Analyses of Mistake on Proof about Perfect Secrecy of One-time-pad


hel...@126.com

Oct 21, 2007, 12:41:11 AM
Analyses of Mistake on Proof about Perfect Secrecy of One-time-pad
Yong WANG
School of Computer and Control, GuiLin University Of Electronic
Technology ,Guilin City, Guangxi Province , China, 541004
hel...@126.com
Abstract: This paper analyzes the proofs that the one-time system is
perfectly secure, and confirms that they are wrong. The mistakes lie
in the fact that the conditions of the probabilities are not the same
when probability theory is used to compute them. One example is
given to expose the mistakes and to bring out the need for a
compromise between probabilities.
Keywords: one-time-pad, cryptography, perfect secrecy, probability,
unbreakable

1. Introduction
Shannon put forward the concept of perfect secrecy and proved that the
one-time pad (OTP) is perfectly secure [1, 2]. For a long time, OTP has
been thought to be unbreakable, and it is still used to encrypt
high-security information. In [3], one example was given to prove
that OTP is not perfectly secure. In [4], a detailed analysis of the
mistakes in Shannon's proof was given. It was proven that more
conditions are needed for OTP to be perfectly secure, and that
homophonic substitution enables OTP to approach perfect secrecy [5].
[6] analyzed this problem and presented an approach to disguise the
length of the plaintext. In [7], a cryptanalysis method based on
probability was presented to attack the one-time pad. All the above
studies analyzed Shannon's proof of the problem. Shannon was the first
to prove that OTP is perfectly secure, but his proof is very simple.
Detailed proofs of the perfect secrecy of OTP were given by later
scholars who used Shannon's proof as a reference. This paper aims to
analyze these proofs other than Shannon's and confirms that they are
wrong.
2. Representative Proof of the Perfect Secrecy of OTP
There are many proofs of the perfect secrecy of OTP. Some proofs
directly draw the conclusion that all plaintexts are equally likely.
But that is obviously wrong, for the prior probabilities of all
plaintexts are seldom equal. The others are generally identical with
minor differences. The representative proof is as follows:
Theorem: OTP is perfectly secure.
Proof: Assume that M and C are n bits long. Then

P(M = x \mid C = y) = \frac{P(M = x \wedge C = y)}{P(C = y)}

P(M = x \wedge C = y) = P(M = x \wedge K = x \oplus y)
  = P(M = x) \cdot P(K = x \oplus y)   (K is independent of M)
  = P(M = x) \cdot 2^{-n}   (K is chosen uniformly from bit strings of length n)

Also,

P(C = y) = \sum_x P(M = x \wedge C = y) = \sum_x P(M = x) \cdot 2^{-n} = 2^{-n}
  (since \sum_x P(M = x) = 1; that is, each C is equally likely)

So

P(M = x \mid C = y) = \frac{P(M = x) \cdot 2^{-n}}{2^{-n}} = P(M = x).
3. Mistake Analyses of the Proof
Shannon misused Bayes' formula, and similarly the above proof misuses
Bayes' formula. From P(M = x) · P(K = x ⊕ y) = P(M = x) · 2^{-n}, we
can see that the condition that the ciphertext y is a fixed value is
never considered when computing P(M = x ∧ C = y). We can get that
result by reductio ad absurdum. Suppose that for fixed y,
P(K = x ⊕ y) = 2^{-n} (this is used in the proof, but indeed it is
wrong; it is used here just to reach the wrong conclusion). Then we
get P(M = x | C = y) = 2^{-n}, because there is a one-to-one
correspondence between all the plaintexts and keys for the fixed
ciphertext in OTP. But that is obviously wrong, for the prior
probabilities of all plaintexts are seldom equal. So
P(M = x) · P(K = x ⊕ y) stands for the joint probability of x and y
when y is not fixed. But Shannon thought of the posterior probability
as the probability of the plaintext once the ciphertext has been
intercepted, so we can see that there is a presupposition in
P(M = x | C = y) that y is fixed, while in P(M = x), P(K = x ⊕ y) and
P(C = y), y is not fixed; otherwise we get obviously wrong results.
In this way Bayes' formula was misused, for the probabilities were
not on the same presupposition, and the equation does not hold.
In OTP there are complex and cryptic conditions that influence the
probabilities of plaintext, key and ciphertext, so it is essential to
recognize all the conditions and carefully use probability theory.
The proof did not realize the cryptic condition that the ciphertext
is a fixed value (even though unknown) rather than a random variable.
4. Example Analyses of the Change of Probability
In order to make the mistakes recognized more distinctly, the
following example is given to show that OTP is not perfectly secure.
The plaintext space is M = {0, 1}; according to the prior condition,
which is generally the context of the correspondence, it is known
beforehand that the prior probability of the plaintext being 0 is
0.9, while the prior probability of the plaintext being 1 is 0.1. The
ciphertext space is C = {0, 1} and the key space is K = {0, 1}, with
the keys equally likely. The cryptoalgorithm is OTP. Later the
information is obtained that the ciphertext is 0. When only the later
information is considered (regardless of the prior probability of the
plaintext), for the fixed ciphertext there is a one-to-one
correspondence between all the plaintexts and keys, so it can be
concluded that the plaintexts are equally likely, that is, the
probability of the plaintext being 1 is 0.5.
As the probability obtained above is not consistent with the prior
probability, a compromise is needed. The compromised posterior
probability of the plaintext would lie between the two corresponding
probabilities of the two conditions. The compromised posterior
probability of the plaintext is not equal to the prior probability,
so OTP is not perfectly secure.
According to the mapping of M, K and C, the probabilities of M, K and
C interact in a complicated way. In the above example, the
probability of the plaintext changes when the ciphertext is fixed,
even though the ciphertext is unknown.
When considering only the fixed ciphertext and the equiprobability of
the key, we can see that all the plaintexts are equally likely, for
there is a one-to-one correspondence between all the plaintexts and
keys for the fixed ciphertext. There is a conflict between the prior
probability and the uniformly distributed probability gained above.
In order to make clear the inconsistency of probability in the
example and the need for fusion of the probabilities in this case, we
can adopt the combinations of different conditions in the following
deduction to analyze the existence of a probability conflict.
For the above simple example of OTP, when considering the condition
that the ciphertext is 0, it can easily be concluded that the
probability of the ciphertext being 0 is 1, and the probability of
the ciphertext being 1 is 0. But according to the given prior
probability distribution of plaintexts and the uniformly distributed
keys, we can easily find that the ciphertext is uniformly
distributed, that is to say, all ciphertexts are equally likely. We
can see that the two probability distributions of the ciphertext
under different conditions are in conflict.
When considering only that the intercepted ciphertext is 0 and the
prior probability of the plaintext (we call P(M=0) = 0.9 and
P(M=1) = 0.1), the probability of the key being 0, which we call
P(K=0), is 0.9, and P(K=1) is 0.1, because there is a one-to-one
correspondence between the plaintext and the key. However, according
to the requirement of OTP, the key is equiprobable, so a conflict of
the probabilities occurs as before.
Such conflicts show that under different conditions we may draw
inconsistent probabilities, so they need to be fused and compromised.
The probabilities obtained from different combinations of unilateral
conditions are inconsistent, just like the four irregular feet of a
table: there is always one foot that is turned up when the table
stands on horizontal ground. In [7], a formula was presented to fuse
the inconsistent probabilities.
5. Conclusion
This paper further confirms that there is a mistake in the proof of
the perfect secrecy of OTP. From the above analyses, we find that OTP
is not perfectly secure. Despite that, it has good cryptographic
properties, and we can take measures to improve its security. The
mistakes may result from the limitations of information theory and
probability theory, which ignore the random uncertainty of
probability and always take a probability as a fixed value rather
than a random variable [8, 9].
References
[1] Bruce Schneier, Applied Cryptography, Second Edition: Protocols,
Algorithms, and Source Code in C, John Wiley & Sons, Inc., 1996.
[2] C. E. Shannon, Communication Theory of Secrecy Systems, Bell
System Technical Journal, vol. 28, no. 4, 1949, pp. 656-715.
[3] Yong WANG, Security of One-time System and New Secure System,
Netinfo Security, 2004, (7): 41-43.
[4] Yong WANG, Fanglai ZHU, Reconsideration of Perfect Secrecy,
Computer Engineering, 2007, 33(19).
[5] Yong WANG, Perfect Secrecy and Its Implement, Network & Computer
Security, 2005(05).
[6] Yong WANG, Fanglai ZHU, Security Analysis of One-time System and
Its Betterment, Journal of Sichuan University (Engineering Science
Edition), 2007, supp. 39(5): 222-225.
[7] Yong WANG, Shengyuan ZHOU, On Probability Attack, Information
Security and Communications Privacy, 2007, (8): 39-40.
[8] Yong WANG, On the Perversion of Information's Definition,
presented at the First National Conference on Social Information
Science in 2007, Wuhan, China, 2007.
[9] Yong WANG, On Relativity of Probability, www.paper.edu.cn, Aug.
27, 2007.


This project was supported by the Guangxi Science Foundation (0640171)
and the Modern Communication National Key Laboratory Foundation (No.
9140C1101050706).

Biography:
Yong WANG (1977-), born in Tianmen City, Hubei Province, male, Master
of Cryptography. Research fields: cryptography, information security,
generalized information theory, quantum information technology.
GuiLin University of Electronic Technology, Guilin, Guangxi, 541004.
E-mail: hel...@126.com wang197...@sohu.com
Mobile 13978357217, fax: (86)7735601330 (office)
School of Computer and Control, GuiLin University Of Electronic
Technology, Guilin City, Guangxi Province, China, 541004

Quadibloc

Oct 21, 2007, 11:40:48 AM
hell...@126.com wrote:
> There are many proofs about perfect secrecy of OTP. Some proofs
> directly draw the conclusion that all plaintexts are equally likely.
> But it is obviously wrong, for the prior probabilities of all
> plaintexts are seldom equally likely.

> Such conflicts show that on different conditions we may draw


> inconsistent probabilities, so it need fuse and compromise. The
> probabilities obtained from different combinations of unilateral
> conditions are inconsistent. Just like four irregular feet of a table,
> there is always one foot that is turnup when the table is on the
> horizontal ground. In literature [7], a formula was presented to fuse
> the inconsistent probabilities.

> The paper further confirms that there is a mistake in the proof about


> perfect secrecy of OTP. From the above analyses, we can find that OTP
> is not perfectly secure. In despite of that, it has good cryptographic
> property.

The thing about the one-time-pad is that, _a priori_, all *keys* are
equally likely. A posteriori, once an enciphered message is actually
sent, since not all plaintexts are equally likely, we have learned
something about the key. But we have learned nothing about the
probabilities of possible messages, and so the one-time-pad is
"perfectly secure" in the way that this is meant - if all keys are
completely random and independent.

John Savard

wangyong

Oct 21, 2007, 9:55:07 PM

I have received some opposing views; they show that the one-time pad
has some good properties. I agree with that, but that is not perfect
secrecy. So when your opposing views are sent, make sure your views
are based on Shannon's definition of perfect secrecy.
Any opposing views are welcome.
Yong Wang

wangyong

Oct 22, 2007, 4:57:51 AM
On Oct 21, 11:40 pm, Quadibloc <jsav...@ecn.ab.ca> wrote:

wangyong

Oct 22, 2007, 5:30:08 AM

Shannon gives a clear definition of perfect secrecy.

Quadibloc

Oct 28, 2007, 2:00:23 AM
wangyong wrote:
> I have received some opposite views, they show One-time pad has some
> good property, I agree with that, but that is not perfect secrecy.
> so when you opposite views are sent, make sure your views is based on
> Shannon's definition of perfect secrecy.

I have double-checked that.

Shannon's definition of perfect secrecy is that the probability that a
message x was sent remains the same whether or not we know that
ciphertext y was sent which could have encoded message x.

There is one obvious way in which the one-time-pad could deviate from
this: if we know that ciphertext y is _shorter_ than message x, and no
other ciphertexts were transmitted. If ciphertext y is the same length
as message x, knowing it has been sent makes it possible that message
x was sent.

For the purposes of theoretical, rather than practical, proofs, this
factor is ignored. By "knowing that ciphertext y was sent" we will
henceforth mean knowing the *text* of ciphertext y, as opposed to
knowing that a message was sent having the same length as message y,
but without knowing the particular letters or numbers it is made up
of.

With this caveat, the one-time-pad does meet the criterion of perfect
secrecy.

The point that you make, that the probability of different messages x
is different a priori, because messages being sent will be coherent
text, not gibberish (and they won't be compressed using a perfect
compression scheme) is expressly accounted for by Shannon's definition
of perfect secrecy.

It is not required that the probability of all messages be equal, it
is only required that the probability is not affected by our knowledge
of the ciphertext. Then the ciphertext contributes no information.

John Savard

Kristian Gjøsteen

Oct 28, 2007, 4:19:30 AM
Quadibloc <jsa...@ecn.ab.ca> wrote:
>It is not required that the probability of all messages be equal,

It seems likely that our friend is not talking about Shannon's
usual perfect secrecy, but the lesser-known perfect super-secrecy. To
achieve this kind of security, we must have that regardless of a priori
probability, the a posteriori message probability must be uniform. We
also have the usual statistical and computational variants.

Some argue, unconvincingly, that this security notion is useless and
unrealisable, since the adversary's knowledge shrinks after observing the
ciphertext, which is, they claim, impossible. This is clearly nonsense.
Of course it is possible. For easy examples, consider the average tabloid
newspaper, or any book by Derrida.

The work to design super-secret schemes follows two broad directions.
The first is the so-called amuse-and-misdirect approach. One example
is to prefix any message with the world's best joke (the one about
the camel and the ice-cream salesman), along with a hint of where to
find a better joke. The idea is that the cryptanalyst reads the joke,
falls off his chair laughing, then sees the hint and spends the rest of
the working day looking for the better joke on the Internet, forgetting
all about the cryptanalysis.

The second approach is the so-called enthuse-and-win. One example
uses double encryption, but in the outer encryption, you include your
political/religious/moral manifesto. The cryptanalyst reads this text, is
enthused by the message, realises that it would be wrong to recover the
message and proceeds to burn all his notes, leading to victory and world
domination for the sender. There is a certain disagreement about which
manifesto is the most efficient, but clearly the sender can determine
this by a careful study of the cryptanalyst.

--
Kristian Gjøsteen

wangyong

Oct 28, 2007, 11:44:51 AM
> I have double-checked that.
>
> Shannon's definition of perfect secrecy is that the probability that a
> message x was sent remains the same whether or not we know that
> ciphertext y was sent which could have encoded message x.
>
> There is one obvious way in which the one-time-pad could deviate from
> this: if we know that ciphertext y is _shorter_ than message x, and no
> other ciphertexts were transmitted. If ciphertext y is the same length
> as message x, knowing it has been sent makes it possible that message
> x was sent.
>
> For the purposes of theoretical, rather than practical, proofs, this
> factor is ignored. By "knowing that ciphertext y was sent" we will
> henceforth mean knowing the *text* of ciphertext y, as opposed to
> knowing that a message was sent having the same length as message y,
> but without knowing the particular letters or numbers it is made up
> of.
>
> With this caveat, the one-time-pad does meet the criterion of perfect
> secrecy.

---------- What you discuss is your perfect secrecy.

> The point that you make, that the probability of different messages x
> is different a priori, because messages being sent will be coherent
> text, not gibberish (and they won't be compressed using a perfect
> compression scheme) is expressly accounted for by Shannon's definition
> of perfect secrecy.

The prior is not equal to the posterior.

> It is not required that the probability of all messages be equal, it
> is only required that the probability is not affected by our knowledge
> of the ciphertext. Then the ciphertext contributes no information.

------ I see the probability is indeed not affected by the ciphertext,
but by the whole cryptosystem.
But the probability is changed.

wangyong

Oct 28, 2007, 11:50:44 AM
> It seems likely that our friend is not talking about Shannon's
> usual perfect secrecy, but the lesser-known perfect super-secrecy. To
> achieve this kind of security, we must have that regardless of a priori
> probability, the a posteriori message probability must be uniform. We
> also have the usual statistical and computational variants.

--------------------- I have cited from Shannon's paper.
What do you mean by Shannon's usual perfect secrecy and the
lesser-known perfect super-secrecy?

Unruh

Oct 28, 2007, 3:04:10 PM
Quadibloc <jsa...@ecn.ab.ca> writes:

>wangyong wrote:
>> I have received some opposite views, they show One-time pad has some
>> good property, I agree with that, but that is not perfect secrecy.

Sorry, it is perfect secrecy. IF what you are talking about is a One time
pad. If you are talking about something else, then of course that something
else may not have perfect secrecy.

>> so when you opposite views are sent, make sure your views is based on
>> Shannon's definition of perfect secrecy.

They are.


>I have double-checked that.

>Shannon's definition of perfect secrecy is that the probability that a
>message x was sent remains the same whether or not we know that
>ciphertext y was sent which could have encoded message x.

>There is one obvious way in which the one-time-pad could deviate from
>this: if we know that ciphertext y is _shorter_ than message x, and no
>other ciphertexts were transmitted. If ciphertext y is the same length
>as message x, knowing it has been sent makes it possible that message
>x was sent.

Then it is not a one time pad. Either part of the message will be
unencrypted or the pad is reused and is not "one time".


>For the purposes of theoretical, rather than practical, proofs, this
>factor is ignored. By "knowing that ciphertext y was sent" we will
>henceforth mean knowing the *text* of ciphertext y, as opposed to
>knowing that a message was sent having the same length as message y,
>but without knowing the particular letters or numbers it is made up
>of.

>With this caveat, the one-time-pad does meet the criterion of perfect
>secrecy.

>The point that you make, that the probability of different messages x
>is different a priori, because messages being sent will be coherent
>text, not gibberish (and they won't be compressed using a perfect
>compression scheme) is expressly accounted for by Shannon's definition
>of perfect secrecy.

>It is not required that the probability of all messages be equal, it
>is only required that the probability is not affected by our knowledge
>of the ciphertext. Then the ciphertext contributes no information.

Agreed.


Unruh

Oct 28, 2007, 3:09:14 PM
Kristian Gjøsteen <kristi...@math.ntnu.no> writes:

>Quadibloc <jsa...@ecn.ab.ca> wrote:
>>It is not required that the probability of all messages be equal,

>It seems likely that our friend is not talking about Shannon's
>usual perfect secrecy, but the lesser-known perfect super-secrecy. To
>achieve this kind of security, we must have that regardless of a priori
>probability, the a posteriori message probability must be uniform. We
>also have the usual statistical and computational variants.

I am not sure that this makes any sense. If I am in a military situation
the probability that the message concerns military rather than culinary
information is vastly higher. Nothing I can do to the encryption can change
that.


>Some argue, unconvincingly, that this security notion is useless and
>unrealisable, since the adversary's knowledge shrinks after observing the
>ciphertext, which is, they claim, impossible. This is clearly nonsense.
>Of course it is possible. For easy examples, consider the average tabloid
>newspaper, or any book by Derrida.

???


>The work to design super-secret schemes follows two broad directions.
>The first is the so-called amuse-and-misdirect approach. One example
>is to prefix any message with the world's best joke (the one about
>the camel and the ice-cream salesman), along with a hint of where to
>find a better joke. The idea is that the cryptanalyst reads the joke,
>falls of his chair laughing, then sees the hint and spends the rest of
>the working day looking for the better joke on the Internet, forgetting
>all about the cryptanalysis.

Ah, so if I shoot the cryptographer this is a supersecret scheme?

wangyong

Oct 28, 2007, 9:47:42 PM
What do you mean by Shannon's usual perfect secrecy and the
lesser-known perfect super-secrecy?

You are windbaggery.

Quadibloc

Oct 30, 2007, 7:41:53 PM
On Oct 28, 9:50 am, wangyong <hell...@126.com> wrote:
> I have cited from shannon's paper.
> what do you mean Shannon's
> usual perfect secrecy and the lesser-known perfect super-secrecy

What is meant is that it appears you have misunderstood the perfect
secrecy defined in Shannon's paper. The fact that the a priori
probabilities of messages is not equal does _not_ deny perfect secrecy
to the one-time pad.

John Savard


wangyong

Nov 2, 2007, 12:50:04 AM

==================== That is what I should say: it appears you have
misunderstood the perfect secrecy defined in Shannon's paper.

What's more, you are windbaggery without any citing.

Quadibloc

Nov 2, 2007, 8:50:07 AM
wangyong wrote:
> what 's more , you are windbaggary without any citing.

As the one reference that is germane - Shannon's paper - has already
been cited by you, I'm not clear what references I should add.

Whatever standard works on cryptography that are accessible to you
that deal with Shannon's proof should restate it and elucidate it.

Since Shannon's definition, as you quoted it, says that perfect
secrecy exists when the _a priori_ probabilities of plaintexts aren't
changed by having access to the text of a message, then, providing we
understand that to mean that "not having access" to the text still
allows one to know a message has been sent, and its length, then
(obviously) the one-time-pad provides perfect secrecy.

The fact that the _a priori_ probabilities of messages are not equal
(obviously) has nothing to do with whether or not perfect secrecy is
achieved. Thus, your proof that the one-time pad does not achieve
perfect secrecy as defined by Shannon is flawed.

A message may be sent from person A to person B.

If the message is 5 digits long, it will be the following messages
with the following probabilities:

01437 1%
02615 0.965%
03772 2.11%
...
94062 1.3%

...without loss of generality.

I am informed that a 5 digit message has, in fact, been sent from
person A to person B.

The message has been enciphered by the one-time-pad.

Thus, the _a priori_ probability of the key is 0.01% for every
combination from 00000 to 99999.

Now, I am told that the message sent is 24217.

After learning this fact, what do I now know? Assuming the one-time-
pad is applied using non-carrying addition of individual digits, the
probability of the _key_ has changed...

23820 1%
22602 0.965%
21545 2.11%
...
30255 1.3%

but the probability of the message plaintext has changed not at all.
That is because since there is no bias in the random key, it cannot
limit the possibilities of encipherment in such a way as to let the
enciphered message tell me anything about the plaintext.

This is exactly the condition of perfect secrecy as given by Shannon
and as quoted by you. So there is no flaw in the proof.

John Savard

Quadibloc

Nov 2, 2007, 9:04:03 AM
I wrote:
> After learning this fact, what do I now know? Assuming the one-time-
> pad is applied using non-carrying addition of individual digits, the
> probability of the _key_ has changed...
>
> 23820 1%
> 22602 0.965%
> 21545 2.11%
> ...
> 30255 1.3%
>
> but the probability of the message plaintext has changed not at all.
> That is because since there is no bias in the random key, it cannot
> limit the possibilities of encipherment in such a way as to let the
> enciphered message tell me anything about the plaintext.

Perhaps this portion of the proof may seem not rigorous.

Very well, let us take a simple example:

Let the probability of three messages be:

0 50%
1 20%
2 30%

and the key can be 0, 1, or 2 with uniform 33 1/3% probability for
each one.

I learn a one-digit message has been sent in this system.

There are 9 possibilities.

Their probabilities are: (0,0),(0,1),(0,2): 1/3 of 50%, (1,0),(1,1),
(1,2): 1/3 of 20%, (2,0),(2,1),(2,2): 10%.

For each value of the message digit, three of those possibilities
remain. One with original probability 1/3 of 50%, one with original
probability 1/3 of 20%, one with original probability 1/3 of 30% or
10%.

So the probabilities of the remaining possible message key pairs now
are multiplied by 3 by the elimination of the others - and, being
exactly proportional to the _a priori_ probabilities of the messages,
the result is the messages have the same probability.

John Savard

wangyong

Nov 2, 2007, 11:05:18 AM

Your mistake is like Shannon's: you just use the probability when c is
not fixed. If it is fixed, the probability changes.
Your mistake is just what this paper discusses. See the paper clearly,
or you can see
http://groups.google.com/group/sci.math/browse_thread/thread/df158aa13e6a94b4/0cb700e5358d2d1f

wangyong

Nov 2, 2007, 11:14:38 AM


> John Savard

================ Your key is sometimes "no bias in the random key",
and sometimes "the probability of the _key_ has changed..."

Do you find that you are self-contradictory?
And your "the probability of the message plaintext has changed not at
all. That is because since there is no bias in the random key, it
cannot limit the possibilities of encipherment in such a way as to let
the enciphered message tell me anything about the plaintext." is not
strict.
Since there is no bias in the random key, the plaintext is random and
changed.

Quadibloc

Nov 2, 2007, 11:35:39 PM
wangyong wrote:
> your mistake is like shannon. you just use the probability of c is not
> fixed. If fixed, the probability changed.

Basically, I was trying to illustrate the proof used by Shannon with
an example.

One has a set of plaintext messages p, and a set of keys, k.

Encipherment is p + k = c, where p, k, and c all belong to the same
group under +. (Being a group is not required, one just needs a Latin
square, so there is an inverse operation.)

There is some probability distribution for the values of p. All the
possible values of k have equal probability.

So you have a big set of ordered pairs (p,k).

If you know what c is, then you only have a fraction of those ordered
pairs left as possible. You have *one* pair left for each p. And since
all the k's have equal probability, the *weighting function* on those
ordered pairs is uniform - so the probability of each remaining (p,k)
after learning c is the same as the probability of p before we
started.

If your result is different from this, Shannon didn't make a mistake.
You did.

John Savard

Quadibloc

Nov 2, 2007, 11:54:11 PM
wangyong wrote:
> what 's more , you are windbaggary without any citing.

As the one reference that is germane - Shannon's paper - has already

wangyong

Nov 3, 2007, 3:08:40 AM

========= Do you think the probability of K == P? You just say all the
k's have equal probability.

> If your result is different from this, Shannon didn't make a mistake.
> You did.

======= It is you who make a mistake. The problem is more complex than
you think.

> John Savard


wangyong

Nov 3, 2007, 3:19:52 AM

===== Just point out the place, but not windbaggery; that is useless.

> Whatever standard works on cryptography that are accessible to you
> that deal with Shannon's proof should restate it and elucidate it.
>
> Since Shannon's definition, as you quoted it, says that perfect
> secrecy exists when the _a priori_ probabilities of plaintexts aren't
> changed by having access to the text of a message, then, providing we
> understand that to mean that "not having access" to the text still
> allows one to know a message has been sent, and its length, then
> (obviously) the one-time-pad provides perfect secrecy. The fact that
> the _a priori_ probabilities of messages are not equal
> (obviously) has nothing to do with whether or not perfect secrecy is
> achieved. Thus, your proof that the one-time pad does not achieve
> perfect secrecy as defined by Shannon is flawed.

====== You are just windbaggery: I am wrong, but why?

> ...without loss of generality.

====== That is wrong and I have pointed it out.

You just repeated a wrong proof a lot of times. It seems you are
deliberately repeating. If my analysis is wrong, tell me why, but
do not just repeat the disproved proof.

Your mistake is like Shannon's: you just use the probability when c is
not fixed. If it is fixed, the probability changes.

Dav170627

Nov 3, 2007, 9:48:19 AM
> ....

> 30255 1.3%
>
>
> but the probability of the message plaintext has changed not at all.
> That is because since there is no bias in the random key, it cannot
> limit the possibilities of encipherment in such a way as to let the
> enciphered message tell me anything about the plaintext.
>
>
> This is exactly the condition of perfect secrecy as given by Shannon
> and as quoted by you. So there is no flaw in the proof.
>
>
> John Savard
> ================your key is sometimes no bias in the random key
> sometime the probability of the _key_ has changed...
>
> are you find you are self-contradictory.
> and your "the probability of the message plaintext has changed not at
> all.
> That is because since there is no bias in the random key, it cannot
> limit the possibilities of encipherment in such a way as to let the
> enciphered message tell me anything about the plaintext. " is not
> strict.
> since there is no bias in the random key, the plaintext is random and
> changed.

Is what you're trying to say "if the key is biased then there is no
perfect security"?
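The computation the whole thread argues about, carried through as an added example (this is editor-written code, not anything posted by Yong Wang, John Savard or any other participant). It enumerates the (plaintext, key) pairs exactly as Savard's Nov 2 posts describe and evaluates the section-4 example of the opening post (P(M=0) = 0.9, uniform key, ciphertext 0 intercepted), Savard's 50/20/30 three-symbol example, the XOR bit-string OTP of the section-2 proof, and the biased-key case asked about just above. The function names, the 0.9/0.1 biased key distribution and the two-bit prior are the example's own assumptions, chosen for illustration; they are not values from the thread.

```python
"""Posterior plaintext probabilities under a one-time pad, by enumeration.

Added example for this thread, not code posted by any participant.  One
routine carries through the section-2 proof and section-4 example of the
opening post, John Savard's 3-symbol and (p, k)-pair arguments, and the
biased-key question above: list every (plaintext, key) pair with weight
P(M = p) * P(K = k), keep the pairs whose ciphertext equals the intercepted
c, and renormalise.  Fractions keep the arithmetic exact, so "posterior
equals prior" is a real equality test rather than a float comparison.
"""
from fractions import Fraction
from itertools import product


def add_mod(alphabet):
    """Savard's non-carrying digit addition: c = (p + k) mod alphabet."""
    return lambda p, k: (p + k) % alphabet


def xor(p, k):
    """The bit-string OTP of the section-2 proof: c = p XOR k."""
    return p ^ k


def otp_posterior(prior, key_dist, c, alphabet, combine=None):
    """P(M = p | C = c) for every p, for the cipher c = combine(p, k).

    prior[p] and key_dist[k] are probabilities over range(alphabet).
    combine must be a Latin square on the alphabet (add_mod or xor), so
    that after fixing c exactly one key survives per plaintext.
    Returns {} if no (p, k) pair can produce c at all.
    """
    combine = combine or add_mod(alphabet)
    # Weight on every ordered pair (p, k): M and K are independent.
    joint = {(p, k): prior[p] * key_dist[k]
             for p, k in product(range(alphabet), repeat=2)}
    # Conditioning on C = c discards every pair that does not map to c;
    # what is left is P(M = p, C = c) = P(M = p) * P(K = k_p), with k_p
    # the unique key taking p to c.
    surviving = {p: w for (p, k), w in joint.items() if combine(p, k) == c}
    p_c = sum(surviving.values())          # P(C = c), the Bayes denominator
    if p_c == 0:
        return {}
    return {p: w / p_c for p, w in surviving.items()}


def ciphertext_distribution(prior, key_dist, alphabet, combine=None):
    """P(C = c) for every c.  With a uniform key this is 1/alphabet for
    every c whatever the prior on M: the step sum_x P(M = x) 2^-n = 2^-n."""
    combine = combine or add_mod(alphabet)
    dist = {c: Fraction(0) for c in range(alphabet)}
    for p, k in product(range(alphabet), repeat=2):
        dist[combine(p, k)] += prior[p] * key_dist[k]
    return dist


def is_perfectly_secret(prior, key_dist, alphabet, combine=None):
    """Shannon's criterion checked exhaustively: the posterior equals the
    prior for every plaintext and every ciphertext that can occur."""
    for c in range(alphabet):
        post = otp_posterior(prior, key_dist, c, alphabet, combine)
        if post and any(post[p] != prior[p] for p in range(alphabet)):
            return False
    return True


# Constructed inputs.  SECTION4_PRIOR and SAVARD_PRIOR come from the
# thread's own examples; the biased key and the two-bit prior are
# assumptions made for illustration.
SECTION4_PRIOR = {0: Fraction(9, 10), 1: Fraction(1, 10)}   # opening post, section 4
UNIFORM_BIT_KEY = {0: Fraction(1, 2), 1: Fraction(1, 2)}
BIASED_BIT_KEY = {0: Fraction(9, 10), 1: Fraction(1, 10)}   # assumed bias
SAVARD_PRIOR = {0: Fraction(1, 2), 1: Fraction(1, 5), 2: Fraction(3, 10)}  # Savard, Nov 2
UNIFORM_TRIT_KEY = {k: Fraction(1, 3) for k in range(3)}
TWO_BIT_PRIOR = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 8), 3: Fraction(1, 8)}
UNIFORM_TWO_BIT_KEY = {k: Fraction(1, 4) for k in range(4)}


def run_examples():
    """Evaluate each case from the thread and return the results by name."""
    return {
        # Section 4: ciphertext 0 intercepted, uniform key -> posterior is 0.9/0.1 again.
        "section4_uniform": otp_posterior(SECTION4_PRIOR, UNIFORM_BIT_KEY, 0, 2),
        # Same prior, key biased 0.9/0.1 -> posterior 81/82, 1/82: secrecy lost.
        "section4_biased": otp_posterior(SECTION4_PRIOR, BIASED_BIT_KEY, 0, 2),
        # Savard's 50/20/30 messages, uniform key mod 3: every c gives the prior back.
        "savard_mod3": [otp_posterior(SAVARD_PRIOR, UNIFORM_TRIT_KEY, c, 3) for c in range(3)],
        # Section-2 setting with n = 2 bits and XOR.
        "section2_xor_perfect": is_perfectly_secret(TWO_BIT_PRIOR, UNIFORM_TWO_BIT_KEY, 4, xor),
        "biased_key_perfect": is_perfectly_secret(SECTION4_PRIOR, BIASED_BIT_KEY, 2),
        "cipher_dist_uniform_key": ciphertext_distribution(SECTION4_PRIOR, UNIFORM_BIT_KEY, 2),
    }


if __name__ == "__main__":
    for name, value in run_examples().items():
        print(f"{name}: {value}")
```

Run it directly to print each case. The enumeration needs the combining operation to be a Latin square over the alphabet (addition mod n and XOR over bit strings both are), which is the same condition Savard states for the general (p, k)-pair argument; with a uniform key the surviving pairs carry weights proportional to the prior and the posterior equals it, while with the assumed 0.9/0.1 key bias the ciphertext does shift the plaintext probabilities, and a key with no randomness at all hands the plaintext over outright.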

biject

Nov 3, 2007, 9:53:10 AM
I think the problem is the words "Perfect Secrecy". Everyone knows
that the goal is sending messages from person A to person B, and
hopefully person C, who is listening in, will not be able to
successfully change or decipher the message sent. The problem is also
that when one proves anything in crypto, often little is proved, since
one assumes a large set of truths. Today many proofs rest on how
complex the cipher is, which is really not all that sound. In
Shannon's view it was purely informational, which is far sounder than
today's stuff.

Here is an example of "Perfect Secrecy" but with a high rate of
failure. Let's say you have an enemy that is either going to attack
city A or city B. Let's say you know that the enemy is in contact with
its agents at most once every week, and that you notice from past
activity that they send a message exactly 24 hours before any attack;
otherwise the enemy sends no messages through this path at all. Let's
assume the enemy has a large, slow-learning government overhead. You
know that the message, when it is sent, will be only one of these two
messages encrypted by OTP. Here is what you do: you build up your
forces by allowing them to stockpile and get ready for an attack. You
make city A look extremely weak compared to city B. You then move more
forces to city B. You lie to your country's politicians, telling them
in "secret" that you know city B will be attacked. You then wait a few
weeks for your enemy to adjust its forces for the coming attack. Your
politicians, being the typical lying lowlifes that most politicians
are, leak to the enemy the "fact" that you are only going to protect
city B. After a few weeks you learn that an encrypted one-time-pad
message was sent through the path used when an attack comes in 24
hours. At this point you roll the dice and send a message to your army
that an attack will come on city A in 24 hours. You still try to
prepare for an attack on B. But even if that attack comes to B, you
know the time.

The point of all this is that to "really have perfect OTP security"
one should be sending messages all the time, and that not only should
they always be the same length, they should also mostly be the null
message.

Hey, just my two cents' worth.

David A. Scott
--
My Crypto code
http://bijective.dogma.net/crypto/scott19u.zip
http://www.jim.com/jamesd/Kong/scott19u.zip old version
My Compression code http://bijective.dogma.net/
**TO EMAIL ME drop the roman "five" **
Disclaimer:I am in no way responsible for any of the statements
made in the above text. For all I know I might be drugged.
As a famous person once said "any cryptograhic
system is only as strong as its weakest link"


Quadibloc
Nov 3, 2007, 10:21:47 AM
biject wrote:
> The point of all this is that to "Really have Perfect OTP security"
> one should be sending messages all the time, and that not only should
> they always be the same length, they should also mostly be the null
> message.
>
> Hey, just my two cents worth.
>
> David A. Scott

Welcome back.

Yes, this is true, to have secrecy that is perfect in practice, one
would need to do this - and, in fact, military systems (not "perfect",
as not based on a one-time key) are said to do exactly that.

But Shannon's definition of "perfect secrecy" specifically excluded
this.

John Savard

Quadibloc
Nov 3, 2007, 10:35:06 AM
wangyong wrote:
> =========do you think the probability of K ==P, you just say all the
> k's have equal probability,

To take the example from your paper:

The message space is M={0,1}, where the message is 0 with probability
0.9, and the message is 1 with probability 0.1.

The key space is K={0,1}. The key has been chosen with a random
unbiased method: the _a priori_ probability of each key value MUST be
0.5.

At this point, we have four ordered pairs (m,k) with the following
probabilities:

(0,0) 0.45
(0,1) 0.05
(1,0) 0.45
(1,1) 0.05

We intercept C=0.

This eliminates some of the ordered pairs: we are left with only two
possibilities:

(0,0)
(1,1)

Because the key was produced by a true random method, we have no
reason to think one key is more likely than any other EXCEPT the
different probabilities of the plaintexts and the fact that we
intercepted C=0.

So the probabilities of the ordered pairs stay proportional to what
they were before we intercepted the ciphertext.

So we have

(0,0) 0.9
(1,1) 0.1

which means that the probability of the plaintext is still 0.9 for P=0
and 0.1 for P=1 (we have learned nothing about the plaintext,
Shannon's perfect secrecy is satisfied) but now the probability of the
key has changed, because of what we learned, to 0.9 for K=0 and 0.1
for K=1.

We learn only about the key because the key introduces no bias that
can teach us anything about the plaintext. This is simple, obvious,
and elementary. There is no "complicated interaction" between the
probabilities of message, key, and cipher.

Key probabilities must start out as flat; once the ciphertext is
learned, the key probabilities are derived from the plaintext
probabilities against what we know of the ciphertext. The plaintext
probabilities remain solid.

If the key probabilities were *not* flat, *then* you do not have
perfect security. That isn't the one-time-pad. That is an imperfect
keystream cipher. You only have a one-time-pad when the keystream is
totally unbiased, matching the ciphertext in length, applied correctly
to the ciphertext, and is perfectly random and unpredictable.

John Savard

Peter Pearson
Nov 3, 2007, 3:31:21 PM
On Sat, 03 Nov 2007 07:35:06 -0700, Quadibloc <jsa...@ecn.ab.ca> wrote:
> wangyong wrote:
>> =========do you think the probability of K ==P, you just say all the
>> k's have equal probability,
>
> To take the example from your paper:
[dozens of lines of careful exposition omitted]
> John Savard

John, you have the patience of a saint, but it's time to
give up on this one. You can spend hours writing clear and
cogent essays, but your interlocutor will dismiss them with
a quick and illogical one-liner that he doesn't even bother
to format intelligently. You can lead a horse to water, but
this horse doesn't want water; he wants confirmation of his
conviction that water does not exist.

--
To email me, substitute nowhere->spamcop, invalid->net.

Quadibloc
Nov 3, 2007, 7:59:33 PM
Peter Pearson wrote:
> John, you have the patience of a saint, but it's time to
> give up on this one. You can spend hours writing clear and
> cogent essays, but your interlocutor will dismiss them with
> a quick and illogical one-liner that he doesn't even bother
> to format intelligently.

I do note that when his original paper appeared in sci.math, lots of
people tried to explain to him why he was wrong, and he didn't listen
to them either. (It was also in sci.crypt, as I remember seeing it,
but under current conditions it would be hard to find again.)

I don't know how he could have managed to publish in a refereed
journal. Unless he has an uncle who is a general in the PLA.

But I can't completely fault him for the imperfections in his replies:
English is not his first language. His English is considerably better
than my nonexistent Mandarin.

John Savard

wangyong
Nov 4, 2007, 5:32:27 AM
> perfect security"?

I get different results under different conditions.
I am not trying to say "if the key is biased then there is no
perfect security".

wangyong
Nov 4, 2007, 5:49:37 AM

==========that is inconsistent with the keys being uniform.

> We learn only about the key because the key introduces no bias that
> can teach us anything about the plaintext. This is simple, obvious,
> and elementary. There is no "complicated interaction" between the
> probabilities of message, key, and cipher.

======you are windbaggery. I can also say: There is "complicated
interaction" between the probabilities of message, key, and cipher.

Your excuse does not fit.

> Key probabilities must start out as flat; once the ciphertext is
> learned, the key probabilities are derived from the plaintext
> probabilities against what we know of the ciphertext. The plaintext
> probabilities remain solid.

====you are windbaggery. Why do the plaintext probabilities remain
solid? Does your "flat" mean weak or something else?????? I can say key
probabilities remain solid. Indeed, K and M are both not solid, so the
compromise is needed.

> If the key probabilities were *not* flat, *then* you do not have
> perfect security. That isn't the one-time-pad. That is an imperfect
> keystream cipher. You only have a one-time-pad when the keystream is
> totally unbiased, matching the ciphertext in length, applied correctly
> to the ciphertext, and is perfectly random and unpredictable.

=======Does your "flat" mean weak or something else??????
I never talked about the case "That isn't the one-time-pad. That is an
imperfect keystream cipher."
Your results are lacking excuse.

wangyong
Nov 4, 2007, 5:57:09 AM
On Nov 4, 3:31 am, Peter Pearson <ppear...@nowhere.invalid> wrote:
================you wrote that just to give your excuse to give up the
discussion in which both of you make a lot of mistakes.

Quadibloc
Nov 4, 2007, 6:27:31 AM
wangyong wrote:
> I get different results under different condtions.

There are no "different conditions" for the one-time pad.

It is only a one-time pad if the key is truly random, truly uniform,
and applied so as to provide a space for the ciphertext that modifies
all the plaintext.

John Savard

Quadibloc
Nov 4, 2007, 6:30:49 AM
wangyong wrote:
> On Nov 3, 10:35 pm, Quadibloc <jsav...@ecn.ab.ca> wrote:

> which means that the probability of the plaintext is still 0.9 for
> P=0
> and 0.1 for P=1 (we have learned nothing about the plaintext,
> Shannon's perfect secrecy is satisfied) but now the probability of
> the
> key has changed, because of what we learned, to 0.9 for K=0 and 0.1
> for K=1.
>
> ==========that is inconsistent with the keys being uniform.

No it isn't.

The probability of the key to start with was 1/2 for 0, and 1/2 for 1.

If, however, I sneak in to the enemy's safe, and see the enemy's one-
time key pad, the probability becomes 100% for the key that I actually
see.

There is no inconsistency - a key can be truly random, but I can
*learn* things about it.

When a plaintext message is sent using a key, and the plaintext
message is not uniformly distributed, then I learn something about
that key - but what I learn is not useful for narrowing down the
plaintext any more than my initial knowledge of the non-uniformity of
the plaintext - which is Shannon's perfect secrecy.

John Savard

wangyong
Nov 4, 2007, 6:34:20 AM
=====but do you admit you have made a lot of mistakes in the discussion?
How can I listen to the mistaken views? They are disproved by me.

> I don't know how he could have managed to publish in a refereed
> journal. Unless he has an uncle who is a general in the PLA.

========It is because you don't want to admit your mistakes.

> But I can't completely fault him for the imperfections in his
> replies:
> English is not his first language. His English is considerably better
> than my nonexistent Mandarin.

=======If you don't understand, you can tell me, just like me.
I often reply "it is hard to understand".

wangyong
Nov 4, 2007, 6:36:28 AM
> discussion in which both of you make a lot of mistakes.

I have never avoided any opposite views, but they are wrong.

wangyong
Nov 4, 2007, 7:44:18 AM

-----you are simple. I listed more than six condition combinations.
Just look:
http://groups.google.com/group/sci.math/browse_thread/thread/df158aa13e6a94b4/60ae3974453a7620?lnk=raot#60ae3974453a7620

> It is only a one-time pad if the key is truly random, truly uniform,
> and applied so as to provide a space for the ciphertext that modifies
> all the plaintext.

============It is hard to understand.

wangyong
Nov 4, 2007, 7:48:05 AM

--------------------just use your logic:
since the probability of k can change, how can you prove the
probability of M cannot change?

wangyong
Nov 4, 2007, 7:50:04 AM
On Nov 4, 7:30 pm, Quadibloc <jsav...@ecn.ab.ca> wrote:

you can see my paper "on relativity of probability".

Quadibloc
Nov 4, 2007, 11:17:47 AM
wangyong wrote:
> =====but do you admit you have made a lot of mistakes in discussion.

No; you're the one who has made the mistakes and is failing to admit
to them.

> how i listen to the mistake views.They are disproved by me.

You may have disproved something, but it wasn't what Shannon
successfully proved.

John Savard

Quadibloc
Nov 4, 2007, 11:24:37 AM
wangyong wrote:
> --------------------just use your logic
> since probability of k can change, how can you prove probability
> of M can not change

Ah:

The probability of k starts out equal. Otherwise, it isn't a one-time-
pad. And if it isn't a one-time-pad, then indeed the secrecy is not
perfect.

So we have this set of ordered pairs (p,k). Learning the ciphertext
eliminates a bunch of (p,k) possibilities. The set that remains has
*one copy of every possible p* and *one copy of every possible k*.

Because there is nothing else learned at this point, the probability
of each ordered pair remains proportional to its original probability
before we learned c. (Also required is the case where p, k, and c all
belong to the same set: for example, 1000-digit numbers.)

So now we derive the new probabilities of the p's and k's from the
probabilities of the ordered pairs.

And the probability of the remaining (p,k) pair is the same as that
which the original p had. So we learned something about k, but nothing
about p.

Only the case where all the k's started out with equal probability is
the one where we learn nothing about p, and have perfect secrecy - but
only that case is the one-time pad.

John Savard
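The worked example earlier in the thread (M={0,1} with P(M=0)=0.9, a one-bit key chosen by coin flip, an intercepted C=0) and the general ordered-pairs argument in this post can be checked mechanically. The following Python is an added example, not code from any poster or from the paper under discussion: it builds the joint distribution of (m, k, c) with c = m XOR k, conditions on an intercepted c, and reports the posterior on the message and on the key, then tests Shannon's condition P(M=m | C=c) = P(M=m) for every possible c. Messages and keys are integers combined by XOR (an assumption that generalises the one-bit example to n-bit pads); the 0.7/0.3 biased key and the 3-bit skewed prior are constructed here for contrast and do not appear in the thread.

```python
from fractions import Fraction
from itertools import product

# Added example, not code from the thread. Messages and keys are integers
# combined by XOR (c = m ^ k); the one-bit case is the thread's example.


def joint_mkc(prior_m, prior_k):
    """Joint distribution over (m, k, c) with c = m XOR k, as {(m, k, c): prob}.
    The key is drawn independently of the message, as the pad model requires."""
    return {(m, k, m ^ k): pm * pk
            for (m, pm), (k, pk) in product(prior_m.items(), prior_k.items())}


def posterior(prior_m, prior_k, c):
    """Return (P(M | C=c), P(K | C=c)) as two dicts.

    Conditioning keeps only the (m, k) pairs with m XOR k == c and renormalises
    by P(C=c); the a priori key distribution is never altered, it is just the
    weight on each surviving pair."""
    j = joint_mkc(prior_m, prior_k)
    survivors = {(m, k): p for (m, k, cc), p in j.items() if cc == c}
    p_c = sum(survivors.values())
    if p_c == 0:
        raise ValueError("ciphertext %r cannot occur under these priors" % (c,))
    post_m, post_k = {}, {}
    for (m, k), p in survivors.items():
        post_m[m] = post_m.get(m, 0) + p / p_c
        post_k[k] = post_k.get(k, 0) + p / p_c
    return post_m, post_k


def is_perfectly_secret(prior_m, prior_k):
    """Shannon's condition: P(M=m | C=c) == P(M=m) for every m and every
    ciphertext c that can occur. Exact arithmetic, so equality is strict."""
    possible_c = {c for (_, _, c) in joint_mkc(prior_m, prior_k)}
    for c in possible_c:
        post_m, _ = posterior(prior_m, prior_k, c)
        if any(post_m.get(m, 0) != pm for m, pm in prior_m.items()):
            return False
    return True


def uniform_key(bits):
    """A pad of `bits` bits chosen uniformly: every value has probability 2^-bits."""
    return {k: Fraction(1, 1 << bits) for k in range(1 << bits)}


PRIOR_M = {0: Fraction(9, 10), 1: Fraction(1, 10)}      # the thread's example
FAIR_KEY = uniform_key(1)
BIASED_KEY = {0: Fraction(7, 10), 1: Fraction(3, 10)}   # constructed contrast

if __name__ == "__main__":
    for label, key in (("fair key", FAIR_KEY), ("biased key", BIASED_KEY)):
        for c in (0, 1):
            pm, pk = posterior(PRIOR_M, key, c)
            print("%-10s C=%d  P(M|C)=%s  P(K|C)=%s" % (
                label, c,
                {m: str(p) for m, p in sorted(pm.items())},
                {k: str(p) for k, p in sorted(pk.items())}))
        print("%-10s perfectly secret: %s" % (label, is_perfectly_secret(PRIOR_M, key)))
    # The same check on a 3-bit pad with an arbitrary skewed message prior.
    skewed = {0: Fraction(1, 2), 3: Fraction(1, 4), 5: Fraction(1, 8), 6: Fraction(1, 8)}
    print("3-bit pad, skewed prior, perfectly secret:",
          is_perfectly_secret(skewed, uniform_key(3)))
```

With the fair key and C=0 the posterior on M is exactly the prior (9/10, 1/10) while the posterior on K becomes (9/10, 1/10); with C=1 the key posterior flips to (1/10, 9/10). With the constructed 0.7/0.3 key, P(M=0 | C=0) rises to 21/22 and the check fails, which is the "imperfect keystream cipher" case rather than a one-time pad.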

Quadibloc
Nov 4, 2007, 11:36:15 AM
wangyong wrote:
> -----you are simple.I list more than six condtions combination.

For those six conditions, the correct answers are:

1) Only the _a priori_ probabilities of the plaintext are known.

Then those are the probabilities: p=0, 0.9; p=1, 0.1

2) Only the fact that the one-time pad is used is known.
k=0, 0.5; k=1, 0.5. c=0, 0.5; c=1, 0.5.
And one could sort of say that
p=0, 0.5; p=1, 0.5
is the only reasonable assumption.

3) The ciphertext is known, and so is the fact that the one-time pad
is used, but nothing is known about the plaintext.
c=0, 1.0.
If you assume
p=0, 0.5; p=1, 0.5
then you have
k=0, 0.5; k=1, 0.5

4) The _a priori_ probabilities of the plaintext are known, and the
fact that the one-time-pad is used is known.

Then those are the probabilities: p=0, 0.9; p=1, 0.1
k=0, 0.5; k=1, 0.5. c=0, 0.5; c=1, 0.5.

5) One knows that a message has been in fact transmitted.

This is outside of the system of Shannon's proof, and doesn't change
any probabilities from case 4.

6) One knows both the _a priori_ probabilities of the plaintext, and
the contents of the ciphertext.
c=0, 1.0
p=0, 0.9; p=1, 0.1
k=0, 0.9; k=1, 0.1

There is no "between 0.9 and 0.5". I don't know where you're getting
this from, but it's simply a mistake.

And it is only case 6 that is the subject of Shannon's proof - that
case 6 doesn't give probabilities for the plaintext different from
case 4, about which nothing need be proved.

John Savard

wangyong
Nov 4, 2007, 8:42:11 PM

==========it is no use to prate, give you reason.

wangyong
Nov 4, 2007, 8:47:37 PM

--------------------when c being fixed is considered, the probability
of k is not equal, as you have admitted.
Since that is so, how can you get the probability by k being equal?
In that case, k and P are not independent, but you get the probability
from that condition.
Can you reconsider how you get the probabilities? You will find you
are self-contradictory.

wangyong
Nov 4, 2007, 9:19:04 PM

When only considering the fixed ciphertext and the equiprobability of
the key, we can gain that plaintexts are equally likely, for there is a
one-to-one correspondence between all the plaintexts and keys for a
fixed ciphertext. There is conflict between the prior probability and
the uniformly distributed probability gained above.

In order to understand the inconsistency of probability in the example
and the need for fusion of the probabilities in this case, we adopt the
combinations of different conditions for the following deduction to
analyze the existence of probability conflict.

For our simple example about OTP, when considering the condition that
the ciphertext is 0, the probability of the ciphertext being 0 is 1,
and the probability of the ciphertext being 1 is 0. But according to
the prior probability distribution of plaintexts given and uniformly
distributed keys, we can easily find that the ciphertext is uniformly
distributed, that is to say, all ciphertexts are equally likely. We can
see the two probability distributions of the ciphertext in different
conditions are conflicting.

When only considering that the intercepted ciphertext is 0 and the
prior probability of the plaintext being 0, which we call P(M=0), is
0.9, and the prior probability of the plaintext being 1, which we call
P(M=1), is 0.1, the probability of the key being 0, which we call
P(K=0), is 0.9, and the probability of the key being 1, which we call
P(K=1), is 0.1, because there is a one-to-one correspondence between
all the plaintexts and keys. However, according to the requirement of
OTP, all the keys are equally likely, so a conflict of the
probabilities occurs as before.

Such conflicts show that under different conditions we may draw
inconsistent probabilities, so they need to be fused and compromised.
The probabilities obtained by the different combinations of unilateral
conditions are inconsistent. That is to say, the conditions in OTP
cannot coexist. When all the conditions are considered, some of the
conditions must change, so it is not proper to use these conditions
when computing the final posterior probability. It is like four
irregular feet of the same table: there is always one foot that is
turned up when the table is on horizontal ground. If the four feet
should touch the horizontal ground at the same time, distortion would
happen. In literature [7], a formula was presented to fuse the
inconsistent probabilities.

Quadibloc
Nov 5, 2007, 5:42:39 AM
wangyong wrote:
> --------------------when c is fixed is considered, the probability of
> k is not equal, as you have admit.
> since that, how can you get the probability by the k is equal,
> In that case, k and P is not independant, but you get the probability
> from that condition.
> can you reconsider how you get the probabilities, you will find you
> are self-contradictory

No, I am not contradicting myself. You are confusing the _a priori_
probability of k, which must be equal, for it to be a one-time pad,
and the probability after one learns c.

If you are careful not to get the two mixed up, then one sees that
with the probability of k starting out equal, learning c changes the
probability of k but not of p, just as given in Shannon's proof.

John Savard

Quadibloc
Nov 5, 2007, 6:01:00 AM
wangyong wrote:
> Such conflicts show that under different conditions we may draw
> inconsistent probabilities, so they need to be fused and compromised.
> The probabilities obtained by the different combinations of unilateral
> conditions are inconsistent. That is to say, the conditions in OTP
> cannot coexist. When all the conditions are considered, some of the
> conditions must change, so it is not proper to use these conditions
> when computing the final posterior probability. It is like four
> irregular feet of the same table: there is always one foot that is
> turned up when the table is on horizontal ground. If the four feet
> should touch the horizontal ground at the same time, distortion would
> happen. In literature [7], a formula was presented to fuse the
> inconsistent probabilities.

Whatever formulae may have been presented in reference [7], either it
is wrong, or you have understood it wrong.

Your claim that there is a contradiction in the one-time pad - if that
is what you claim - is simply wrong.

Of course, the six conditions are different cases of knowledge, so if
you just mean that the case "the ciphertext is known" and the case
"the ciphertext is not known" do not coexist, that is true.

And it is precisely *because* they don't coexist that we can say:

Given a plaintext probability of p=0, 0.9 and p=1, 0.1, and a key
probability of k=0, 0.5 and k=1 0.5 because of the likelihood of the
two possible communications, and the fact that the key was made by
flipping a coin, things happen.

The person sending the message looks at the key to encipher the
message. So the probability of the key now changes for that person
from 50% each way to 100% for the correct key - and that person knows
the message to send, so the probability of the correct message is 100%
also.

This does not change the fact that we don't know the message or key,
so different cases do coexist in that different people know different
things.

The message turns out to be 0.

So either p=0, k=0 or p=1, k=1.

Knowing the key was made by flipping a coin, and that p=0 normally
obtains 90% of the time, what happens?

Shannon and I claim that what happens is:

One learns nothing about the plaintext; its probability with this new
knowledge remains 90% for 0, 10% for 1. But we've learned about the
key; having seen that the key was used on a message and it resulted in
0 for ciphertext, it must also be 90% for 0 and 10% for 1.

Since knowing the ciphertext "does not coexist" with not knowing the
ciphertext, there is no inconsistency in learning about the key, and
so we don't go back and change the _a priori_ probabilities of the
key. They are absolutely fixed and immutable - the key _was_ made by
flipping a coin, or it is not the one-time-pad. Saying otherwise
appears to have been your mistake.

The a priori key probabilities are weighting factors for the ordered
pairs, and knowing the ciphertext limits the possible ordered pairs of
plaintext and key such as to affect the chances of the plaintext not
at all - this is Shannon's proof, which I have already restated.

John Savard

Quadibloc
Nov 5, 2007, 6:42:16 AM
wangyong wrote:
> In literature [7], formula was presented to fuse the
> inconsistent probabilities.

I see that you are one of the co-authors of reference [7].

However, it has dawned on me that there *is* one assumption that was
hidden in my restatement of Shannon's proof.

When I say that the c=0 with probability 100%, I mean for the
interception of a single message.

It is assumed that if this happens for 100 days in a row, about 50% of
the time the cipher is 0, and 50% of the time the cipher is 1, so that
despite knowing that the plaintext is 0 90% of the time, and 1 10% of
the time, we have nothing to contradict our knowledge of the a priori
probability of the key.

If we intercepted 100 independent messages, and 90% of them were 0 and
10% of them were 1, yes, then perfect secrecy would break down, and we
would be justified in concluding (or at least suspecting) that our
enemy is transmitting plaintext because the ink washed off of his one-
time pads or something.

But the assumption is instead that the overall context confirms that
the one-time pad is in use and working properly, so on a day when the
ciphertext is 0, we know only that the plaintext probabilities were
0.9 and 0.1 and the key probabilities were 0.9 and 0.1... and on a day
when the ciphertext is 1, we know only that the plaintext
probabilities were 0.9 and 0.1 and the key probabilities were 0.1 and
0.9.

Perhaps it is an exaggeration to call this sort of secrecy "perfect",
but that is what is meant.

John Savard

Dav170627
Nov 5, 2007, 6:50:19 AM
<snip>

> I get different results under different conditions.
> I am not trying to say "if the key is biased then there is no
> perfect security".

From your ongoing debate with JS (and by the way, you have insulted him
several times in your posts, despite his politeness to you) are you
implying that if the adversary has an idea of the probabilities of the
plain text then an OTP fails?

Dav170627
Nov 5, 2007, 6:55:03 AM

Wangyong,

I ask in seriousness this question "has any professional mathematician
working as a mathematician agreed with you?"

Dav170627
Nov 5, 2007, 7:16:26 AM

I think I've got it.

Wangyong is claiming that if you already know the likely probability of
a particular message being sent, then a OTP fails to hide that (and for
what it is, he is correct). He then draws a very long bow and claims
that this means Shannon's proof was incorrect (and here Wangyong is very
wrong).

The situation he describes is a triviality. If an adversary knows the
probability of a particular message being sent, then no encryption or
stego scheme can protect it. The adversary doesn't even need to
intercept the message. Since he knows the probability of each message he
just looks it up and then acts.

If I might paraphrase the practical result of Shannon's proof - "a OTP
does not allow the adversary to find out any *new* information from the
message" Knowing beforehand the probability of a particular message
being sent is not related to Shannon's proof or the failure of any
crypto system.

Wangyong is getting all excited about what to every one else is a
"given" (i.e. already known)

Quadibloc
Nov 5, 2007, 8:27:04 AM
Dav170627 wrote:
> I think I've got it.
>
> Wangyong is claiming that if you already know the likely probability of
> a particular message being sent, then a OTP fails to hide that (and for
> what it is, he is correct). He then draws a very long bow and claims
> that this means Shannon's proof was incorrect (and here Wangyong is very
> wrong).
>
> The situation he describes is a triviality. If an adversary knows the
> probability of a particular message being sent, then no encryption or
> stego scheme can protect it. The adversary doesn't even need to
> intercept the message. Since he knows the probability of each message he
> just looks it up and then acts.
>
> If I might paraphrase the practical result of Shannon's proof - "a OTP
> does not allow the adversary to find out any *new* information from the
> message" Knowing beforehand the probability of a particular message
> being sent is not related to Shannon's proof or the failure of any
> crypto system.
>
> Wangyong is getting all excited about what to every one else is a
> "given" (i.e. already known)

This is what I originally thought. But then he would have understood
his mistake when it was pointed out to him.

Looking at his original paper, I am beginning to suspect that he has
made a different mistake.

He claims that knowing a particular ciphertext means that the
statement that plaintext probabilities are not uniform is
_inconsistent_ with the statement that a one-time-pad, with uniform
key probabilities, is in use.

If one plugs in statistical and probability formulas *without
thinking*, one can treat the fact that "the ciphertext of one
particular message is 0" as if it were "I received 100 consecutive
messages, their indicators indicated they were enciphered with
different sheets of the one-time pad, and *all* of them had the
ciphertext 0".

If you begin by making that mistake, then you do have an inconsistency
to deal with. And you can point to all sorts of *valid* work done on
probabilities and Bayesian statistics and what-have-you to confirm
that you are "right"!

Of course, if one uses his example, a plaintext that is 0 90% of the
time, and 1 10% of the time, and one notes that one intercepts a
_single message_ that is 0, in the _overall context_ of many messages
that are randomly 0 and 1 - which is the only case Shannon was talking
about - then the single message doesn't provide evidence that the one-
time pad is broken, so there is no "inconsistency" of the type he
discusses.

Messages will be randomly 0 and 1 half the time regardless of what the
probabilities of the two plaintexts are, the only thing that changes
is the degree of correlation between the key and the ciphertext!

John Savard
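The "degree of correlation between the key and the ciphertext" in this post, and the earlier remark that over many days the ciphertexts come out 0 and 1 about half the time regardless of the plaintext bias, can be put in Shannon's own terms: I(M;C) = 0 while I(K;C) = H(K) - H(M), which is positive whenever the plaintext is biased. The Python below is an added example, not code from any poster, that computes these quantities for the thread's 0.9/0.1 example and also runs the many-message sanity check: with a working pad the share of intercepted ciphertexts equal to 0 stays near 1/2, while with a pad whose key reads as all zeros (the "ink washed off" failure, constructed here so that c = m) it drifts to the plaintext frequency. The 0.7/0.3 biased key is a constructed contrast, and the sampling uses a fixed seed so the numbers are reproducible.

```python
import math
import random
from fractions import Fraction
from itertools import product

# Added example, not code from the thread. Message and key are integers
# combined by XOR; the key is drawn independently of the message.


def joint_mkc(prior_m, prior_k):
    """Joint distribution over (m, k, c) with c = m XOR k, as {(m, k, c): prob}."""
    return {(m, k, m ^ k): pm * pk
            for (m, pm), (k, pk) in product(prior_m.items(), prior_k.items())}


def marginal(joint, *coords):
    """Marginal over the chosen coordinates (0 = m, 1 = k, 2 = c), keyed by tuple."""
    out = {}
    for key, p in joint.items():
        sub = tuple(key[i] for i in coords)
        out[sub] = out.get(sub, 0) + p
    return out


def entropy_bits(dist):
    """Shannon entropy in bits of a distribution given as {outcome: prob}."""
    return -sum(float(p) * math.log2(float(p)) for p in dist.values() if p > 0)


def mutual_information_bits(joint, i, j):
    """I(X_i; X_j) = H(X_i) + H(X_j) - H(X_i, X_j), in bits."""
    return (entropy_bits(marginal(joint, i)) + entropy_bits(marginal(joint, j))
            - entropy_bits(marginal(joint, i, j)))


def ciphertext_zero_frequency(prior_m, key_bit, n, seed=1):
    """Empirical share of intercepted one-bit ciphertexts equal to 0 over n
    independent messages; key_bit(rng) supplies the pad bit for each message.
    The seed is fixed so the sampling is reproducible."""
    rng = random.Random(seed)
    msgs = list(prior_m)
    weights = [float(p) for p in prior_m.values()]
    zeros = 0
    for _ in range(n):
        m = rng.choices(msgs, weights)[0]
        zeros += 1 if (m ^ key_bit(rng)) == 0 else 0
    return zeros / n


def fair_pad(rng):
    """A working pad: each key bit is an unbiased coin flip."""
    return rng.randrange(2)


def washed_off_pad(rng):
    """Constructed failure case: the pad reads as all zeros, so c == m."""
    return 0


PRIOR_M = {0: Fraction(9, 10), 1: Fraction(1, 10)}       # the thread's example
FAIR_KEY = {0: Fraction(1, 2), 1: Fraction(1, 2)}
BIASED_KEY = {0: Fraction(7, 10), 1: Fraction(3, 10)}    # constructed contrast

if __name__ == "__main__":
    j = joint_mkc(PRIOR_M, FAIR_KEY)
    print("P(C) with fair key:", {c: str(p) for (c,), p in marginal(j, 2).items()})
    print("H(M)   = %.4f bits" % entropy_bits(PRIOR_M))
    print("I(M;C) = %.4f bits  (perfect secrecy: 0)" % mutual_information_bits(j, 0, 2))
    print("I(K;C) = %.4f bits  (= H(K) - H(M))" % mutual_information_bits(j, 1, 2))
    jb = joint_mkc(PRIOR_M, BIASED_KEY)
    print("I(M;C) with biased key = %.4f bits" % mutual_information_bits(jb, 0, 2))
    print("ciphertext==0 share, fair pad:       %.3f"
          % ciphertext_zero_frequency(PRIOR_M, fair_pad, 10000))
    print("ciphertext==0 share, washed-off pad: %.3f"
          % ciphertext_zero_frequency(PRIOR_M, washed_off_pad, 10000))
```

For the 0.9/0.1 prior the numbers are H(M) of about 0.469 bits, I(M;C) = 0 and I(K;C) of about 0.531 bits: everything an interceptor learns from C is about the pad sheet, and nothing is about the message. The frequency check is what justifies the "overall context" assumption in the earlier post; a run of intercepts whose 0/1 ratio tracks the plaintext ratio rather than 1/2 is evidence the pad is not being applied, not evidence against Shannon's theorem.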

Phil Carmody
Nov 5, 2007, 8:57:13 AM
Quadibloc <jsa...@ecn.ab.ca> writes:
> Dav170627 wrote:
> > I think I've got it.
> >
> > Wangyong is claiming that if you already know the likely probability of
> > a particular message being sent, then a OTP fails to hide that (and for
> > what it is, he is correct). He then draws a very long bow and claims
> > that this means Shannon's proof was incorrect (and here Wangyong is very
> > wrong).
> >
> > The situation he describes is a triviality. If an adversary knows the
> > probability of a particular message being sent, then no encryption or
> > stego scheme can protect it. The adversary doesn't even need to
> > intercept the message. Since he knows the probability of each message he
> > just looks it up and then acts.
> >
> > If I might paraphrase the practical result of Shannon's proof - "a OTP
> > does not allow the adversary to find out any *new* information from the
> > message" Knowing beforehand the probability of a particular message
> > being sent is not related to Shannon's proof or the failure of any
> > crypto system.
> >
> > Wangyong is getting all excited about what to every one else is a
> > "given" (i.e. already known)
>
> This is what I originally thought. But then he would have understood
> his mistake when it was pointed out to him.
>
> Looking at his original paper, I am beginning to suspect that he has
> made a different mistake.

You're a brave and stolid man, John, I salute you!

> He claims that knowing a particular ciphertext means that the
> statement that plaintext probabilities are not uniform is
> _inconsistent_ with the statement that a one-time-pad, with uniform
> key probabilities, is in use.

Apparently so.



> If one plugs in statistical and probability formulas *without
> thinking*, one can treat the fact that "the ciphertext of one
> particular message is 0" as if it were "I received 100 consecutive
> messages, their indicators indicated they were enciphered with
> different sheets of the one-time pad, and *all* of them had the
> ciphertext 0".

I tried not thinking. I still can't do that though!



> If you begin by making that mistake, then you do have an inconsistency
> to deal with. And you can point to all sorts of *valid* work done on
> probabilities and Bayesian statistics and what-have-you to confirm
> that you are "right"!
>
> Of course, if one uses his example, a plaintext that is 0 90% of the
> time, and 1 10% of the time, and one notes that one intercepts a
> _single message_ that is 0, in the _overall context_ of many messages
> that are randomly 0 and 1 - which is the only case Shannon was talking
> about - then the single message doesn't provide evidence that the one-
> time pad is broken, so there is no "inconsistency" of the type he
> discusses.
>
> Messages will be randomly 0 and 1 half the time regardless of what the
> probabilities of the two plaintexts are, the only thing that changes
> is the degree of correlation between the key and the ciphertext!

I suggest we give Eve a copy of the key, so that she can
check that herself. :-D

Phil
--
Dear aunt, let's set so double the killer delete select all.
-- Microsoft voice recognition live demonstration

Quadibloc
Nov 5, 2007, 2:27:28 PM
On Nov 5, 6:57 am, Phil Carmody <thefatphil_demun...@yahoo.co.uk>
wrote:

> You're a brave and stolid man, John, I salute you!

Why, thank you.

But if you *really* want to see an example of my perseverance in
attempting to clear up the misconceptions of a confused soul...

Google the phrase "astrological geometry" in the group
sci.astro.amateur. This should help lead you to the saga wherein I
tried to fathom the difficulties of an individual who claimed that
Newton (and Flamsteed) created terrible confusion, and trampled on the
beautiful insights of Copernicus, Kepler, Galileo, (and Huyghens) by
advancing such perverse notions as the "sidereal day".

Some fruit came out of this: I was motivated to construct the page

http://www.quadibloc.com/science/eot.htm

which explains, perhaps more fully and clearly than other pages, why
sundials differ from mechanical clocks in the time they tell.

John Savard

Phil Carmody

Nov 5, 2007, 3:10:10 PM
Quadibloc <jsa...@ecn.ab.ca> writes:
> On Nov 5, 6:57 am, Phil Carmody <thefatphil_demun...@yahoo.co.uk>
> wrote:
> > You're a brave and stolid man, John, I salute you!
>
> Why, thank you.
>
> But if you *really* want to see an example of my perseverance in
> attempting to clear up the misconceptions of a confused soul...
>
> Google the phrase "astrological geometry" in the group
> sci.astro.amateur. This should help lead you to the saga wherein I
> tried to fathom the difficulties of an individual who claimed that
> Newton (and Flamsteed) created terrible confusion, and trampled on the
> beautiful insights of Copernicus, Kepler, Galileo, (and Huyghens) by
> advancing such perverse notions as the "sidereal day".

I know it's not the particular thread you're referring to, which
I've also found, but this jumped out at me:

"It's hard to argue with something whose meaning is not even
comprehensible."

How many times, and in how many contexts, could that be said
on usenet each day :-) Hundreds. Thousands, probably.

...
"You freaks,and I do not say that lightly,are the worse kind of
creatures for while you manage to present yourselves as 'astronomers'
you actually the most destructive group on the planet"

:-D

> Some fruit came out of this: I was motivated to construct the page
>
> http://www.quadibloc.com/science/eot.htm
>
> which explains, perhaps more fully and clearly than other pages, why
> sundials differ from mechanical clocks in the time they tell.

I kind-of got a bit bogged down in the middle of that, but the
three little graphs at the very bottom basically say everything
needed to explain the matter. I'm surprised there can be up to 17
minutes deviation in sundial-noon from clock-noon, that's an eye-
opener. Of course, don't those two components move relative to
each other, and so the third will change its shape over time
(is that the 22000 year cycle? I forget, it's been such a long time
since I looked into such things.)

Woh, we're way off topic now!

Quadibloc

Nov 5, 2007, 5:11:22 PM
On Nov 5, 1:10 pm, Phil Carmody <thefatphil_demun...@yahoo.co.uk>
wrote:

> Of course, don't those two components move relative to
> each other, and so the third will change its shape over time
> (is that the 22000 year cycle? I forget, it's been such a long time
> since I looked into such things.)

The anomalistic year (the time between successive perihelia in the
Earth's orbit) and the tropical year are indeed unequal.

However, the 22,000 year cycle - by which I assume you mean the
precession of the equinoxes, which gives us the "Age of Aquarius" -
results from the discrepancy between the tropical year and the
sidereal year (the time of the Earth's orbit considered relative to
the stars).

John Savard

Phil Carmody

Nov 5, 2007, 7:12:32 PM

Too many years... ;-)

wangyong

Nov 5, 2007, 7:30:21 PM
all of you except one bring to my mind The Emperor's New Clothes.
You just think Shannon is right, but all of you except one read through
Shannon's paper or my papers.
You are so addlepated, for you do not know what Shannon's result is.
His posterior probability of plaintext is uniform. I have mentioned it in
my papers.

wangyong

Nov 5, 2007, 7:34:22 PM
==============If not so, tell me how you prove it? It is no use to avoid
my question.

If you are careful not to get the two mixed up, then one sees that
with the probability of k starting out equal, learning p changes the
probability of k but not of p, just as given in Shannon's proof.

====It is a waste of time to repeat, just tell what is wrong with my
disproving

wangyong

Nov 5, 2007, 7:35:05 PM

wangyong

Nov 5, 2007, 7:47:39 PM

> Whatever formulae may have been presented in reference [7], either it
> is wrong, or you have understood it wrong.
=====tell me why, you are just windbaggery

> Your claim that there is a contradiction in the one-time pad - if that
> is what you claim - is simply wrong.
=====tell me why, you are just windbaggery

> Of course, the six conditions are different cases of knowledge, so if
> you just mean that the case "the ciphertext is known" and the case
> "the ciphertext is not known" do not coexist, that is true.
>
> And it is precisely *because* they don't coexist that we can say:
>
> Given a plaintext probability of p=0, 0.9 and p=1, 0.1, and a key
> probability of k=0, 0.5 and k=1 0.5 because of the likelihood of the
> two possible communications, and the fact that the key was made by
> flipping a coin, things happen.
>
> The person sending the message looks at the key to encipher the
> message. So the probability of the key now changes for that person
> from 50% each way to 100% for the correct key - and that person knows
> the message to send, so the probability of the correct message is 100%
> also.
=====tell me why, you are just windbaggery
=============you are uneducated about cryptography. If K is known,
cryptography is useless.

> This does not change the fact that we don't know the message or key,
> so different cases do coexist in that different people know different
> things.
==========the posterior probability is different to different
people???

> The message turns out to be 0.
>
> So either p=0, k=0 or p=1, k=1.
>
> Knowing the key was made by flipping a coin, and that p=0 normally
> obtains 90% of the time, what happens?
======just like you, I can say k=0 obtains 0.5 of the time, what
happens?
> Shannon and I claim that what happens is:
>
> One learns nothing about the plaintext; its probability with this new
> knowledge remains 90% for 0, 10% for 1. But we've learned about the
> key; having seen that the key was used on a message and it resulted in
> 0 for ciphertext, it must also be 90% for 0 and 10% for 1.
>
> Since knowing the ciphertext "does not coexist" with not knowing the
> ciphertext, there is no inconsistency in learning about the key, and
> so we don't go back and change the _a priori_ probabilities of the
> key. They are absolutely fixed and immutable - the key _was_ made by
> flipping a coin, or it is not the one-time-pad. Saying otherwise
> appears to have been your mistake.
>
> The a priori key probabilities are weighting factors for the ordered
> pairs, and knowing the ciphertext limits the possible ordered pairs of
> plaintext and key such as to affect the chances of the plaintext not
> at all - this is Shannon's proof, which I have already restated.
====you just use the probability when the ciphertext is not fixed.
If you do not admit the probabilities change when c is fixed, the
probability of k should be 0.5, but not 0.9.
If you admit the probabilities change when c is fixed, you are still
wrong, for you just get the probability distribution from that
condition.

wangyong

Nov 5, 2007, 7:56:02 PM

===========the question is not clear.
He just makes lots of mistakes.
In Shannon's definition, if getting the c gives a different probability of M,
then OTP is not perfect.

wangyong

Nov 5, 2007, 7:56:55 PM
> working as a mathematician agreed with you?"

of course.

wangyong

Nov 5, 2007, 8:17:44 PM
I have been insulted a lot of times, you just do not admit it.

wangyong

Nov 5, 2007, 11:32:43 PM
On Nov 6, 9:17, wangyong <hell...@126.com> wrote:
> I have been insulted a lot of times, you just do not admit it.

True gold does not fear fire.
It is no use just prating; you can list the distribution when c is
fixed. If you can, you will make a mistake, and I will tell you why it is a
mistake.

Quadibloc

Nov 6, 2007, 8:07:31 AM
wangyong wrote:
> ====It is a waste of time to repeat, just tell what is wrong with my
> disproving

Well, how about this statement:

>Shannon misused Bayes' formula, similarly the above proof misused
> Bayes' formula.

Shannon's proof does not make use of Bayesian statistics.

There are times when it is a mistake not to use Bayesian statistics.

When the Space Shuttle Challenger was destroyed, with all aboard, by
the malfunction of a solid rocket booster, I saw Jesco von Puttkamer
on television saying that, even were the chance of the Shuttle having
an accident one in a million, it _could_ still happen on the 25th
flight.

Although this may be true, if we do not _know_ what the chance of a
Shuttle disaster is, it is a mistake not to learn from experience.

But there are also times when Bayesian statistics does not apply.
Shannon was speaking of a theoretical situation with an ideal one-time
pad.

So when one ciphertext is received with c=0, we are not to think that
this is like the case of receiving one hundred ciphertexts in a row,
on different days, with different message indicators (showing they are
from different leaves of the one-time pad) all of which have c=0, only
different in that with only one message, the standard deviation is
larger.

Instead, we are to assume that this one message with c=0 occurs in a
context where half the messages have been c=1, and the other half c=0,
on the days around that message. So there is no evidence to disturb
the _a priori_ probability of the key, that remains solid.

When we make this assumption - which is part of Shannon's proof,
though perhaps unstated - then we know perfectly well that if k=0 and
k=1 occur with equal probability, and with total randomness, that is
consistent with c=0 and c=1 occurring with equal probability and with
total randomness.

Whether p=0 and p=1 are equally probable, or p=0 is 90% of the time or
99.9% of the time. Because if p=0 always, then the ciphertext would be
the key - but the key has the characteristic of k=0 and k=1 with equal
probability and total randomness.

The only thing that can change if plaintext probabilities are not
uniform is the correlation between key and ciphertext *in this
situation*.

I used an example of someone not using Bayesian statistics when he
should have.

In a game of Mah Jongg, there are four players, and one of them wins.
Someone who, each time he is not a winner, concludes that the winner
was cheating, even though he wins the usual amount of time, treats
losing once as if it is like losing over and over. That is the mistake
of using Bayesian statistics to excess.

In the West, at least, Bayesian statistics are controversial. Not that
learning from experience is not valid, but that it is felt they do not
have a rigorous mathematical basis; that within the traditional
science of probability, one can speak of statistics showing us facts
with a certain standard deviation _if_ we know the _a priori_
probabilities exactly, and, since the probabilities change with
different _a priori_ probabilities, there is no mathematical formula
for the case where we don't know the _a priori_ probabilities. So the
non-Bayesian case is usually assumed, and cases where Bayesian
statistics are used are the ones that are explicitly noted.

John Savard

Dav170627

Nov 6, 2007, 8:23:31 AM
You are rude, uninteresting and wrong. Time to killfile you.

wangyong

Nov 6, 2007, 8:24:38 AM
Can you say it in a simple way, just not to say unrelated problems?
You can just list your proof.

wangyong

Nov 6, 2007, 8:25:55 AM
On Nov 6, 9:07 pm, Quadibloc <jsav...@ecn.ab.ca> wrote:
> wangyong wrote:
> > ====It is a waste of time to repeat, just tell what is wrong with my
> > disproving
>
> Well, how about this statement:
> the

-------------the place of my disproof is after the proof

wangyong

Nov 6, 2007, 8:28:06 AM
On Nov 6, 9:07 pm, Quadibloc <jsav...@ecn.ab.ca> wrote:

You say Bayes is controversial, then the proof using it is untrustworthy????

Shannon used Bayes to prove a theorem before he proved OTP is perfect.

Dav170627

Nov 6, 2007, 8:28:11 AM
Who? Name and e-mail so we can check.

Dav170627

Nov 6, 2007, 8:32:19 AM
wangyong wrote:
> On Nov 5, 7:50, Dav170627 <eat...@tpg.com.au> wrote:
>> <snip>
>>
>>
>>
>>> I get different results under different condtions.
>>> I do not trying to say is "if the key is biased then there is no
>>>> perfect security"?-
>> From your ongoing debate with JS (and by the way, you have insulted him
>> several times in your posts, despite his politeness to you) are you
>> implying that if the adversary has an idea of the probabilities of the
>> plain text then an OTP fails?
>
> ===========the question is not clear.

My question is properly and simply phrased.

> he just make lots of mistakes.

No, you have tried to insult him.

wangyong

Nov 6, 2007, 8:58:14 AM
> "given" (i.e. already known)

Wangyong is claiming that if you already know the likely probability of
a particular message being sent, then a OTP fails to hide that (and for
what it is, he is correct). He then draws a very long bow and claims
that this means Shannon's proof was incorrect (and here Wangyong is very
wrong).

======why


The situation he describes is a triviality. If an adversary knows the
probability of a particular message being sent, then no encryption or
stego scheme can protect it. The adversary doesn't even need to
intercept the message. Since he knows the probability of each message he
just looks it up and then acts.


If I might paraphrase the practical result of Shannon's proof - "a OTP
does not allow the adversary to find out any *new* information from the
message". Knowing beforehand the probability of a particular message
being sent is not related to Shannon's proof or the failure of any
crypto system.


Wangyong is getting all excited about what to every one else is a
"given" (i.e. already known)

========== I have analyzed the different meanings,
http://groups.google.com/group/sci.math/browse_thread/thread/df158aa13e6a94b4/60ae3974453a7620#60ae3974453a7620

Quadibloc

Nov 6, 2007, 5:02:05 PM
On Nov 6, 6:28 am, wangyong <hell...@126.com> wrote:
> you say bayes is controversial, then the proof using it is untrust????

I'm afraid that I really wouldn't be able to clear this up any more
for you over USENET.

Because what I have said probably, as you begin to understand it more,
will look like I am first saying that because Shannon thought that
Bayes was full of garbage, then not using Bayesian statistics does not
make his proof wrong.

Since Bayesian statistics are now accepted, this might seem as though
we could speed astronauts to Mars by finding someone who thinks Newton
is full of garbage, because then gravity would not apply.

And then as you read further into what I have said, I explain more
fully and say that it is just that Bayesian statistics are subtle.
They only work on Tuesdays, and it is because Shannon was talking
about one-time pads on Wednesdays, his proof was correct.

At this point, you might well ask me what I am smoking.

So I cannot be the one to explain this to you. You are writing
published papers with a co-author even, so I must conclude you are
either a student or instructor at a place of advanced learning. So,
hopefully there is someone there who is old and wise and learned in
probability theory, and can clear up the matter because when you are
in his presence, he can answer each of your questions right away.

John Savard

wangyong

Nov 6, 2007, 7:58:06 PM
yongwang =====I do not want to waste time discussing Bayes in English,
just discuss my problem and Shannon's.

I'm afraid that I really wouldn't be able to clear this up any more
for you over USENET.
yongwang =====no problem

Because what I have said probably, as you begin to understand it more,
will look like I am first saying that because Shannon thought that
Bayes was full of garbage, then not using Bayesian statistics does not
make his proof wrong.

yongwang =====but do you see Shannon's paper? He just used Bayes.


Since Bayesian statistics are now accepted, this might seem as though
we could speed astronauts to Mars by finding someone who thinks Newton
is full of garbage, because then gravity would not apply.


And then as you read further into what I have said, I explain more
fully and say that it is just that Bayesian statistics are subtle.
They only work on Tuesdays, and it is because Shannon was talking
about one-time pads on Wednesdays, his proof was correct.

yongwang =====the problem seems to be out of the prior problem.

At this point, you might well ask me what I am smoking.

yongwang =====no problem


So I cannot be the one to explain this to you. You are writing
published papers with a co-author even, so I must conclude you are
either a student or instructor at a place of advanced learning. So,
hopefully there is someone there who is old and wise and learned in
probability theory, and can clear up the matter because when you are
in his presence, he can answer each of your questions right away.

yongwang =====not necessary,
just discuss my papers.

wangyong

Nov 7, 2007, 3:04:52 AM
====================================I ask you, but you don't give a
proof, so I ask: is your proof like the following? If so, my reply is
correct; you just use the probability when the c is not fixed.

In your favourite example of plaintext probabilities
> P(M=0) = 0.9 P(M=1) = 0.1
> P(K=0) = 0.5 P(K=1) = 0.5
> the following events (plaintext,key,cyphertext) occur with
> the following probabilities:
> (0,0,0) 0.45
> (0,1,1) 0.45
> (1,0,1) 0.05
> (1,1,0) 0.05
> Now you insist on using a "fixed" cyphertext.
> There are two possibilities for a fixed cyphertext; let's treat
> one after the other:
> 1) C=0:
> Note: This cyphertext occurs with probability 0.45 + 0.05 = 0.5
> The conditional probability of plaintext M=0 is 0.45/(0.45+0.05) = 0.9
> The conditional probability of key K=0 is 0.45/(0.45+0.05) = 0.9
> Just divide "hit" probabilities by "allowed" probabilities.
> 2) C=1:
> Note: This cyphertext occurs with probability 0.45 + 0.05 = 0.5
> The conditional probability of plaintext M=0 is 0.45/(0.45+0.05) = 0.9
> The conditional probability of key K=0 is 0.05/(0.45+0.05) = 0.1
> Just divide "hit" probabilities by "allowed" probabilities.


> Conclusion
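
The computation in the quoted proof, written out as an added Python example (not code from any participant in the thread): it builds the joint law of (plaintext, key, ciphertext), conditions on a fixed ciphertext exactly as the proof does, and checks Shannon's criterion P(M|C=c) = P(M). The 0.9/0.1 plaintext and fair-coin key are the thread's numbers; the biased key, the three-symbol alphabet and the modular-addition generalisation are constructed here to show what fails when the pad is not uniform or the key space is too small.

```python
from fractions import Fraction
from itertools import product

# Constructed inputs: the thread's 90/10 plaintext and fair-coin key, plus a
# deliberately non-uniform key and a three-symbol plaintext to show what the
# uniform-key requirement buys. Exact fractions keep the equality checks exact.
PLAINTEXT_90_10 = {0: Fraction(9, 10), 1: Fraction(1, 10)}
FAIR_KEY = {0: Fraction(1, 2), 1: Fraction(1, 2)}
BIASED_KEY = {0: Fraction(3, 5), 1: Fraction(2, 5)}
PLAINTEXT_3SYM = {0: Fraction(1, 2), 1: Fraction(1, 3), 2: Fraction(1, 6)}


def uniform_key(n):
    """Uniform key over the symbols 0 .. n-1, the pad Shannon's proof requires."""
    return {k: Fraction(1, n) for k in range(n)}


def joint_distribution(p_m, p_k, modulus=2):
    """Joint law of (plaintext, key, ciphertext) for c = (m + k) mod modulus.

    With modulus 2 this is the one-bit XOR pad discussed in the thread; a
    larger modulus gives the additive one-time pad over that alphabet.
    Plaintext and key are independent, so P(m, k) = P(m) * P(k).
    """
    joint = {}
    for (m, pm), (k, pk) in product(p_m.items(), p_k.items()):
        triple = (m, k, (m + k) % modulus)
        joint[triple] = joint.get(triple, Fraction(0)) + pm * pk
    return joint


def ciphertext_distribution(joint):
    """Marginal P(C = c): add up every (m, k) pair that produces c."""
    dist = {}
    for (_m, _k, c), p in joint.items():
        dist[c] = dist.get(c, Fraction(0)) + p
    return dist


def posterior(joint, c, component):
    """Distribution of one component given a fixed ciphertext c.

    component 0 gives P(M = . | C = c), component 1 gives P(K = . | C = c).
    This is the quoted proof's step of dividing the "hit" probabilities
    (triples whose ciphertext is c) by the "allowed" probability P(C = c).
    """
    hits = {t: p for t, p in joint.items() if t[2] == c}
    total = sum(hits.values())
    if total == 0:
        raise ValueError(f"ciphertext {c} never occurs")
    post = {}
    for t, p in hits.items():
        post[t[component]] = post.get(t[component], Fraction(0)) + p / total
    return post


def is_perfectly_secret(p_m, p_k, modulus=2):
    """Shannon's criterion: P(M = m | C = c) == P(M = m) for every possible c."""
    joint = joint_distribution(p_m, p_k, modulus)
    return all(posterior(joint, c, 0) == p_m
               for c in ciphertext_distribution(joint))


def max_plaintext_leak(p_m, p_k, modulus=2):
    """Largest total-variation distance between P(M | C = c) and P(M) over c.

    Zero means the ciphertext tells the attacker nothing beyond the prior;
    anything positive is information the pad leaked about the plaintext.
    """
    joint = joint_distribution(p_m, p_k, modulus)
    worst = Fraction(0)
    for c in ciphertext_distribution(joint):
        post = posterior(joint, c, 0)
        tv = sum(abs(post.get(m, Fraction(0)) - p_m[m]) for m in p_m) / 2
        worst = max(worst, tv)
    return worst


if __name__ == "__main__":
    joint = joint_distribution(PLAINTEXT_90_10, FAIR_KEY)
    for triple, p in sorted(joint.items()):
        print("(m, k, c) =", triple, "probability", p)
    print("P(M | C = 0):", posterior(joint, 0, 0))  # prior unchanged: 9/10, 1/10
    print("P(K | C = 0):", posterior(joint, 0, 1))  # the key, not the plaintext, shifts
    print("P(K | C = 1):", posterior(joint, 1, 1))
    print("fair key perfectly secret:", is_perfectly_secret(PLAINTEXT_90_10, FAIR_KEY))
    print("biased key perfectly secret:", is_perfectly_secret(PLAINTEXT_90_10, BIASED_KEY))
    print("biased key worst-case leak:", max_plaintext_leak(PLAINTEXT_90_10, BIASED_KEY))
    print("3-symbol pad, uniform 3-symbol key:",
          is_perfectly_secret(PLAINTEXT_3SYM, uniform_key(3), 3))
    print("3-symbol pad, only 2 key values:",
          is_perfectly_secret(PLAINTEXT_3SYM, uniform_key(2), 3))
```

The last two lines also show the second condition the thread keeps circling: with a key space smaller than the message space, even a uniform key leaks.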

Quadibloc

Nov 7, 2007, 3:09:49 AM
On Nov 6, 6:28 am, wangyong <hell...@126.com> wrote:

> you say bayes is controversial, then the proof using it is untrust????
>
> Shannon use bayes to prove a theorem. before he prove OPT is perfect

I'm afraid that I won't be able to explain this to you over USENET.

Because if you understood better what I was saying, but not perfectly,
it still would not make sense.

First, it looks like I am saying that because Shannon thought Bayes
was full of garbage, his proof is right even if it contradicts Bayes.

To hear that, you might remark that this is a nice trick. Maybe if
someone thinks Newton is full of garbage, they could ignore gravity,
and we could have astronauts on Mars next year!

And then I correct myself and say, no, it's just that Bayesian
statistics are subtle. So they work only on Tuesday, and Shannon was
talking about Wednesday.

At this point, you might ask me what I am smoking.

So it is no use for me to try to be the one who explains this to you.
Since you are writing papers together with other researchers, you are
presumably either a student or an instructor at an institute of higher
learning. So there should be someone there who is old and wise, and
understands well the subtleties of statistics and probability.

Such a one will be able to answer your questions immediately, and get
to the heart of the point that needs to be explained.

John Savard

Dav170627

Nov 7, 2007, 7:16:07 AM

> just discuss my papers.

Sure. I'll do that, but you won't like it because your paper is faulty
and you are wrong.

From the link you posted (given below)

http://groups.google.com/group/sci.math/browse_thread/thread/df158aa13e6a94b4/60ae3974453a7620?lnk=raot#60ae3974453a7620

you make the following statements -

"(1) Considering the information that cryptanalysts got beforehand, we
can get P1(M=0)=0.9, P1(M=1)=0.1"

"(4) Considering the information that cryptanalysts got beforehand and
the cryptosystem, we can get P4(M=0)=0.9, P4(M=1)=0.1 for the
cryptosystem does not impact on the probability of plaintext. "

"(5) Considering the information that cryptanalysts got beforehand, the
cryptosystem and unknown but fixed ciphertext, we can get that P5(M=0)
is between 0.9 and 0.5 and P5(M=1) is between 0.1 and 0.5 after compromise."

There *is no such thing* as cryptanalysis with, as you describe it, "the
information that cryptanalysis got beforehand" - which is central to all
your claims.

It is not possible for *any* crypto system to hide information that the
adversary already knows. Or if you prefer there is no crypto system
that can hide "the information that cryptanalyst got beforehand". To
work such a system would have to stop the cryptanalyst from recalling
the information that he already knows. Maintaining this position is
naive, uninformed and impossible.

The last part of your point (5) i.e. "unknown but fixed ciphertext, we
can get that P5(M=0) is between 0.9 and 0.5 and P5(M=1) is between 0.1
and 0.5 after compromise." is rubbish. You need to learn about basic
probability because what you know is wrong.

wangyong

Nov 7, 2007, 8:51:35 AM
On Nov 7, 8:16, Dav170627 <eat...@tpg.com.au> wrote:
> > just discuss my papers.
>
> Sure. I'll do that, but you won't like it because your paper is faulty
> and you are wrong.
>
> From the link you posted (given below)
>
> http://groups.google.com/group/sci.math/browse_thread/thread/df158aa1...

>
> you make the following statements -
>
> "(1) Considering the information that cryptanalysts got beforehand, we
> can get P1(M=0)=0.9, P1(M=1)=0.1"
>
> "(4) Considering the information that cryptanalysts got beforehand and
> the cryptosystem, we can get P4(M=0)=0.9, P4(M=1)=0.1 for the
> cryptosystem does not impact on the probability of plaintext. "
>
> "(5) Considering the information that cryptanalysts got beforehand, the
> cryptosystem and unknown but fixed ciphertext, we can get that P5(M=0)
> is between 0.9 and 0.5 and P5(M=1) is between 0.1 and 0.5 after compromise."
>
> There *is no such thing* as cryptanalysis with, as you describe it, "the
> information that cryptanalysis got beforehand" - which is central to all
> your claims.
>
> It is not possible for *any* crypto system to hide information that the
> adversary already knows. Or if you prefer there is no crypto system
> that can hide "the information that cryptanalyst got beforehand". To
> work such a system would have to stop the cryptanalyst from recalling
> the information that he already knows. Maintaining this position is
> naive, uninformed and impossible.
>
> The last part of your point (5) i.e. "unknown but fixed ciphertext, we
> can get that P5(M=0) is between 0.9 and 0.5 and P5(M=1) is between 0.1
> and 0.5 after compromise." is rubbish. You need to learn about basic
> probability because what you know is wrong.

Sure. I'll do that, but you won't like it because your paper is faulty
and you are wrong.

From the link you posted (given below)

http://groups.google.com/group/sci.math/browse_thread/thread/df158aa1...

you make the following statements -

"(1) Considering the information that cryptanalysts got beforehand, we
can get P1(M=0)=0.9, P1(M=1)=0.1"

"(4) Considering the information that cryptanalysts got beforehand and
the cryptosystem, we can get P4(M=0)=0.9, P4(M=1)=0.1 for the
cryptosystem does not impact on the probability of plaintext. "

"(5) Considering the information that cryptanalysts got beforehand, the
cryptosystem and unknown but fixed ciphertext, we can get that P5(M=0)
is between 0.9 and 0.5 and P5(M=1) is between 0.1 and 0.5 after
compromise."

There *is no such thing* as cryptanalysis with, as you describe it, "the
information that cryptanalysis got beforehand" - which is central to all
your claims.

===========you should see the paper to know why I use that but not
prior probability, for prior probability has different meanings.

It is not possible for *any* crypto system to hide information that the
adversary already knows. Or if you prefer there is no crypto system
that can hide "the information that cryptanalyst got beforehand". To
work such a system would have to stop the cryptanalyst from recalling
the information that he already knows. Maintaining this position is
naive, uninformed and impossible.

=======do not impose your mistake on me

The last part of your point (5) i.e. "unknown but fixed ciphertext, we
can get that P5(M=0) is between 0.9 and 0.5 and P5(M=1) is between 0.1
and 0.5 after compromise." is rubbish. You need to learn about basic
probability because what you know is wrong.

============do not just prate; as probability does not discuss this
problem, the result is gotten from a compromise.

wangyong

Nov 7, 2007, 8:53:55 AM

It seems you just repeat.

wangyong

Nov 7, 2007, 8:56:37 AM
On Nov 7, 8:16, Dav170627 <eat...@tpg.com.au> wrote:
> > just discuss my papers.
>
> Sure. I'll do that, but you won't like it because your paper is faulty
> and you are wrong.
>
> From the link you posted (given below)
>
> http://groups.google.com/group/sci.math/browse_thread/thread/df158aa1...

>
> you make the following statements -
>
> "(1) Considering the information that cryptanalysts got beforehand, we
> can get P1(M=0)=0.9, P1(M=1)=0.1"
>
> "(4) Considering the information that cryptanalysts got beforehand and
> the cryptosystem, we can get P4(M=0)=0.9, P4(M=1)=0.1 for the
> cryptosystem does not impact on the probability of plaintext. "
>
> "(5) Considering the information that cryptanalysts got beforehand, the
> cryptosystem and unknown but fixed ciphertext, we can get that P5(M=0)
> is between 0.9 and 0.5 and P5(M=1) is between 0.1 and 0.5 after compromise."
>
> There *is no such thing* as cryptanalysis with, as you describe it, "the
> information that cryptanalysis got beforehand" - which is central to all
> your claims.
>
> It is not possible for *any* crypto system to hide information that the
> adversary already knows. Or if you prefer there is no crypto system
> that can hide "the information that cryptanalyst got beforehand". To
> work such a system would have to stop the cryptanalyst from recalling
> the information that he already knows. Maintaining this position is
> naive, uninformed and impossible.
>
> The last part of your point (5) i.e. "unknown but fixed ciphertext, we
> can get that P5(M=0) is between 0.9 and 0.5 and P5(M=1) is between 0.1
> and 0.5 after compromise." is rubbish. You need to learn about basic
> probability because what you know is wrong.


The following tells how I get that in point (5).
When only considering the fixed ciphertext and the equiprobability of
the key, we can gain that plaintexts are equally likely, for there is a
one-to-one correspondence between all the plaintexts and keys for a fixed
ciphertext. There is conflict between the prior probability and the
uniformly distributed probability gained above.
In order to understand the inconsistency of probability in the example
and the need for fusion of the probabilities in this case, we adopt
the combinations of different conditions for the following deduction
to analyze the existence of probability conflict.
For our simple example about OTP, when considering the condition that
the ciphertext is 0, the probability of the ciphertext being 0 is 1, and the
probability of the ciphertext being 1 is 0. But according to the prior
probability distribution of plaintexts given and uniformly distributed
keys, we can easily find that the ciphertext is uniformly distributed,
that is to say, all ciphertexts are equally likely. We can see the two
probability distributions of ciphertext in different conditions are
conflictive.
When only considering that the intercepted ciphertext is 0 and the prior
probability of plaintext being 0, which we call P(M=0), is 0.9, and the prior
probability of plaintext being 1, which we call P(M=1), is 0.1, the
probability of key being 0, which we call P(K=0), is 0.9, and the probability
of key being 1, which we call P(K=1), is 0.1, because there is a one-to-one
correspondence between all the plaintexts and keys. However,
according to the requirement of OTP, all the keys are equally likely,
so conflict of the probabilities occurs as before.
Such conflicts show that under different conditions we may draw
inconsistent probabilities, so it needs to fuse and compromise. The
probabilities obtained by the different combinations of unilateral
conditions are inconsistent. That is to say, the conditions in OTP
cannot coexist. When all the conditions are considered, some of the
conditions must change, so it is not proper to use these conditions
when computing the final posterior probability. It is like four
irregular feet of the same table. There is always one foot that is
turned up when the table is on the horizontal ground. If the four feet
should touch the horizontal ground at the same time, distortion would
happen. In literature [7], a formula was presented to fuse the
inconsistent probabilities.

Dav170627

Nov 7, 2007, 10:51:50 AM
There is no compromise. You are wrong. There is no such thing as
cryptography that protects from "the information that cryptanalyst got
beforehand"; those were your words and the meaning is correct (that is, that
interpretation fits all your other posts etc. in sci.maths and sci.crypt).

Your concept and idea have no merit. Be an adult, accept it. Work on
the problem more if you think it helps, and then re-present it.

Einstein

Nov 7, 2007, 11:55:47 AM
Excellent work!

Let me add my 10 cents to this

Using 8 bit keys for this figure, the chances of any specific outcome
are 1 in 256 when randomly generated. If we use 64 bytes and 8 bit keys
we then have a possible random capability of every possible key being
represented 8 times. However of course this is not what will happen if
the system is truly random... BUT for the chances of ongoing increases/
decreases in the occurrences of a specific key we have to examine the
statistics that it could occur in such a 64 byte cipher pad. After a
certain specific point (I won't worry myself with the details here,
needless to say someone else can do it) we have a possibility to say
it is near impossible for that to be occurring. So we then can know if
the outputted (after enciphering) data is tainted. And we know the
probabilities of any specific letter combination if we use it on say
100 copies of every newspaper, 10,000 student papers, and 10,000
letters sent home. With enough statistical information we might be
able to run it with a statistical probabilities function to examine a
means to bring it within a certain specific margin for probabilities
in the original key countered with the probabilities in the text
format.

However, I stress, it is exceptionally easy to ruin this attack.
Simple put numbers and characters in between letters in obvious plain
text in a random manner. The user can still filter our all nonsensical
information with ease, and read the one-time pad to his/her's heart
desire, with no possibility of identifying a statistical pattern
anymore (Since they could have 1 to 32 bytes as the nonsense
information). Only a brute force application, which would return ALL
possible outcomes (Therefore a certain amount of gibberish results,
and a certain amount of plausible, but incorrect results, and 1
correct result) could work. So then we are talking total information
capable of being held by the 1 time cipher system. Clearly one with
say, about 10,000 bytes, would be easier to break than one with
100,000 bytes. And one with 1,000 bytes could be done by a single team
in a single day. (Team based upon the idea that a statistical program
requiring some sort of minor text pattern, such as finding the word
"The" in the text, even if separated by numbers and characters. Then
having the teams read the plain text results that have enough
statistical patterns resulting to discard or require further
analysis... until such a point they have a number of possible correct
outcomes filtered against their knowledge of real world events). Of
course I doubt that they can get the true information so long as the
ciphering force is aware of such attempts could be made. Indeed after
adding random characters, encrypting via other encryption means (That
are kept to knowledge of each holder of the pad) and then passing the
pad along its route (where it is intercepted, copied, and let to
continue) would destroy the possibility of pattern recognition in
brute forcing, requiring additional efforts to be done to decrypt via
all decryption routines known, then brute forcing after each one. This
would of course take so much time as to render it pretty much the
impossible-to-decipher system in the world.

An additional layer of security could be done as well:

1) Generate plain text required
2) Add random characters by hand that will not interrupt the flow of
the message.
3) Encrypt it via any non-size increasing encryption system so long as
the 1 time pad the other person has knows this encryption will be
placed and has the correct info.
4) Use it on the 1 time pad
5) Encrypt the results of the 1 time pad using a replacement system
that generates extra size to the actual 1 time pad, from 1.1 to 10 to
100 times the size.


Result is the 'opposing force' can no longer mathematically have a
chance versus the ciphered data.

Dav170627
Nov 7, 2007, 4:45:50 PM

Where is TSD?

John E. Hadstate
Nov 7, 2007, 6:02:34 PM

"Dav170627" <eat...@tpg.com.au> wrote in message
news:13j4cgg...@news.supernews.com...

>
> Where is TSD?

I think he got tired of being joe-jobbed, falsely-accused of
criminal acts, and otherwise shat-upon. He obviously didn't
need us and apparently decided to spend his time in more
profitable pursuits. Good on him!


Phil Carmody
Nov 7, 2007, 7:12:25 PM

Shame. No-one with more than half a brain thought Tom was
ever guilty of anything more than being young and brash,
and sometimes those weren't negative traits at all.

Phil
--
Dear aunt, let's set so double the killer delete select all.
-- Microsoft voice recognition live demonstration

wangyong
Nov 7, 2007, 8:10:47 PM

> the problem more if you think it helps, and then re-present it.- -
>
> - -

There is no compromise. You are wrong.

=========Why? That is disproved by me; do not just prate.


There is no such thing as
cryptography that protects from "the information that cryptanalyst
got
beforehand" and that was your words and meaning is correct(that is,
that
interpretation fits all your other posts etc in sci.maths and
sci.crypt)

============It is your stupid view, but not mine.


Your concept and idea have no merit. Be an adult, accept it. Work
on
the problem more if you think it helps, and then re-present it

====Do not just prate.
If I am wrong, tell why;
I have pointed out you are wrong.

wangyong
Nov 7, 2007, 8:13:46 PM

It is so hard to understand.

wangyong
Nov 7, 2007, 8:16:10 PM

It seems all your tricks have been exhausted.
Just insult. I see the people who lost just insult the winner.

wangyong
Nov 7, 2007, 8:16:49 PM
On 11 8 , 8 12 , Phil Carmody <thefatphil_demun...@yahoo.co.uk>
wrote:

It seems all your tricks have been exhausted.

Einstein
Nov 7, 2007, 8:50:56 PM


Ok fine, here let me do this for you

8 characters

12345678

We now make a 64 point 1 time pad from these, assuming random (Using
randombetween function in openoffice.org which is not perfectly
random, but good enough at this juncture, more math later)

8 1 1 6 5 3 5 8
4 6 6 7 5 7 7 1
4 8 7 7 3 2 4 8
8 1 2 1 6 6 2 6
7 4 8 4 4 2 2 3
3 8 3 4 5 1 5 2
8 8 7 1 6 1 4 7
4 4 3 5 7 8 8 3

Therefore on this table 1 occurs 8 times, 2 occurs 6 times, 3 occurs 7
times, 4 occurs 10 times, 5 occurs 6 times, 6 occurs 7 times, 7 occurs
9 times, and 8 occurs 11 times. The highest variation is 8, which
occurs 11 times, and the lowest variation is both 2 and 5, which both
occur 6 times. Statistically the chances of getting a single 1, or
single 8, are infinitesimally low. Also having 64 total of them is
extremely unlikely.... a 1 in 8^64 chance in fact. So we have a median
range to which they can occur and be reasonable. We can discount
anything with 3 or less outcomes as being 'ciphered' and 16 or more as
being ciphered in probability. Not certainty, but merely probability.

Now if we are hiding the value 123412341234 and 5678 are never used in
our 'plaintext'. Since we are not using the entire 64 sized one time
pad we can do some unique things to help us hide our values. We can
enter, by hand, a difference of 51652738 47561826 73654551 26737847
We have only still used half the outcomes, but that is ok. Now since
this is a simple numbers one, we can just add our values to the above
values (on a 1 to 8 scale) to get a new figure in the place

5 2 7 3 7 2 8 8
1 5 3 5 4 2 6 6
3 3 5 4 7 7 1 1
2 7 1 4 5 6 6 5
7 4 8 4 4 2 2 3
3 8 3 4 5 1 5 2
8 8 7 1 6 1 4 7
4 4 3 5 7 8 8 3

Now we have 7 total 1's, 6 total 2's, 8 total 3's, 10 total 4's, 9
total 5's, 5 total 6's, 8 total 7's and 8 total 8's. So now we have no
'imbalance' to which we can apply our knowledge on. We cannot easily
infer our 123412341234 message out of these, even if we know that if
there is a 1, there must be a 2 right after it (as in Q and U in
English (US) language).


It may be possible to infer patterns on it if you have a large
differentiation of information on the pad, and you might be able to
even attempt to decipher it then.

1 1 1 2 1 2 3 4
5 8 1 2 5 6 7 1
7 1 4 2 3 8 5 1
4 2 2 1 1 2 7 8
1 1 7 6 3 8 1 2
1 5 3 2 7 1 1 7
2 1 4 3 2 6 1 3
1 4 1 6 3 1 2 1

This for instance has a severe skew for the outcomes of 1, and even
that of a few other numbers, in total. Some outcomes are within
margins. Yet we can possibly try to attempt to crack (with brute
force) based upon the statistical improbabilities. However this is
like saying I can cut 4% off of the total amount of guessing I need to
do. At best, if working from a full plain text, and with some samples
of the authors writings for what he is going to cipher (10,000 in my
opinion, of his writings) then you can make a good calculated assault
with a 50% reduction in total variations of the potential hidden text
inside there.

However even so you will have many MANY false flags... IE possible
outcomes that match his writing style, could be the information he is
sending, but there is 2^1000 more such outcomes... if the initial one
time pad is large enough. This becomes a difficult outcome then
requiring knowledge of what he would be writing about... which narrows
it to maybe 2^10 outcomes... still an insane and sickly number for
trying to decipher accurately what he would be saying. And a minimal
effort at encryption of any sort, or simply adding random unused
characters inside the plaintext, would render any advantages of
deciphering it to null and void. Then you have (Total characters
allowed by the one time pad)^(Total number of characters built into
the one time pad)

So if it is an 8 bit pad base for characters, and the user has decided
he needs 10,000 characters (Thus requiring if a computer based matrix
14 bits, or 16384 outcomes) you then have 64^16384 possible outcomes.
Of which ALL are viable outcomes due to the fact nonstandard character
placement was used and encryption. Thus with a small amount of effort
added to the one time pad, all attempts to make 1 time pads more
'predictable' become null and void.

Quadibloc
Nov 7, 2007, 8:59:29 PM
wangyong wrote:
> yongwang =====I do not want to waste time discussing bayes in english,
> Just discuss my problem and shannon's.

Well, I have explained to you where your mistake is in the paper -
it's in "case 6" - and I've explained what the mistake is.

If the one-time-pad is in use, then for the key, k=0 is probability
0.5, and k=1 is probability 0.5.

For many messages with unequal plaintext probabilities, what happens
is this:

If, as you give in your example, p=0 is probability 0.9 and p=1 is
probability 0.1, given the way the key behaves, c=0 has probability
0.5 and c=1 has probability 0.5.

The unequal probabilities of the plaintext don't affect this at all:
when plaintext is 0, the key is 0 yielding ciphertext 0 half the time,
and 1 yielding 1 half the time. When plaintext is 1, the key is 0
yielding ciphertext 1 half the time, and 1 yielding 0 half the time.

So the ciphertext looks *exactly the same* - 0 half the time, 1 half
the time - whether the plaintext is 0 90% of the time, 50% of the
time, or 10% of the time.

Given that, how are you going to learn anything about the plaintext
from the ciphertext?

On one particular day, the ciphertext will be 0. It could just as
easily have been 1.

The formula you use by which you derive a change in the probability of
the plaintext is *not applicable* to the circumstance of the one-time
pad. It is true that if the ciphertext had been 0 many times in a row,
you might have reason to suspect something strange was going on, and
to make inferences about the plaintext from that conclusion. But
Shannon's proof was explicitly not making claims about that type of
situation.

Your mistake is to use certain statistical formulas in places where
they don't work, because this is not what they are talking about.

John Savard

wangyong
Nov 8, 2007, 2:06:26 AM

Why not use two 0s or 1s,
just to use a complex example?


wangyong
Nov 8, 2007, 2:13:38 AM

Take an easy example.
It seems you do not know what perfect secrecy is; you just use your
view.
Please give a proof of why the prior === the posterior,
but do not go far away from the problem.

Just use easy English and an easy example. I do not find that you get the prior
=== the posterior.

wangyong
Nov 8, 2007, 2:22:52 AM

====I have disproved it; do not repeat the mistake.


If the one-time-pad is in use, then for the key, k=0 is probability
0.5, and k=1 is probability 0.5.
For many messages with unequal plaintext probabilities, what happens
is this:
If, as you give in your example, p=0 is probability 0.9 and p=1 is
probability 0.1, given the way the key behaves, c=0 has probability
0.5 and c=1 has probability 0.5.

The unequal probabilities of the plaintext don't affect this at all:
when plaintext is 0, the key is 0 yielding ciphertext 0 half the
time,
and 1 yielding 1 half the time. When plaintext is 1, the key is 0
yielding ciphertext 1 half the time, and 1 yielding 0 half the time.

=======I have told you, you just use the probability when c is not
fixed. You just fixed the probability of P, but the probability of p
is not fixed only by the prior.

So the ciphertext looks *exactly the same* - 0 half the time, 1 half
the time - whether the plaintext is 0 90% of the time, 50% of the
time, or 10% of the time.
Given that, how are you going to learn anything about the plaintext
from the ciphertext?

=====You just use the probability when c is not fixed, but when c is
intercepted, c is fixed.
We can find that M and K are not independent when c is fixed, but you get
the probability when M and K are independent; that is your mistake, and you
just repeat it a lot of times.


On one particular day, the ciphertext will be 0. It could just as
easily have been 1.

=====You just use the probability when c is not fixed, but when c is
intercepted, c is fixed.
We can find that M and K are not independent when c is fixed, but you get
the probability when M and K are independent; that is your mistake, and you
just repeat it a lot of times.


The formula you use by which you derive a change in the probability
of
the plaintext is *not applicable* to the circumstance of the one-time
pad. It is true that if the ciphertext had been 0 many times in a
row,
you might have reason to suspect something strange was going on, and
to make inferences about the plaintext from that conclusion. But
Shannon's proof was explicitly not making claims about that type of
situation.

=====Tell why, but do not just prate.

Your mistake is to use certain statistical formulas in places where
they don't work, because this is not what they are talking about.

=========Tell why, but do not just prate.


=====You just use the probability when c is not fixed, but when c is
intercepted, c is fixed.
We can find that M and K are not independent when c is fixed, but you get
the probability when M and K are independent; that is your mistake, and you
just repeat it a lot of times.

wangyong
Nov 8, 2007, 2:28:31 AM

On 11 8 , 9 59 , Quadibloc <jsav...@ecn.ab.ca> wrote:

You never think about the problem from the angle of decryption, including
the probability.
You just insist on and repeat the disproved views.
If you do not agree with me, you can disprove my disproof, but do
not repeat your mistake.
What you do is infamous.

Dav170627
Nov 8, 2007, 6:39:01 AM
Phil Carmody wrote:
> "John E. Hadstate" <jh11...@hotmail.com> writes:
>> "Dav170627" <eat...@tpg.com.au> wrote in message
>> news:13j4cgg...@news.supernews.com...
>>
>>> Where is TSD?
>> I think he got tired of being joe-jobbed, falsely-accused of criminal
>> acts, and otherwise shat-upon. He obviously didn't need us and
>> apparently decided to spend his time in more profitable pursuits.
>> Good on him!
>
> Shame. No-one with more than half a brain thought Tom was
> ever guilty of anything more than being young and brash,
> and sometimes those weren't negative traits at all.
>
> Phil

Yes, I miss the speedy way he dealt with some posts.

Quadibloc
Nov 8, 2007, 8:09:04 AM
wangyong wrote:
> we can find that M and K are not independent when c is fixed, but you get
> the probability when M and K are independent; that is your mistake, and you
> just repeat it a lot of times.

Yes, it is true. Plaintext plus key = ciphertext.

But the ciphertext for *one message* is fixed at 0. The ciphertext for
the bunch of messages we have been receiving is 0 and 1 with *equal
probability*, so we know (or think) that the opponent's one-time pad
is working properly.

If the plaintext were always 0 for ten days in a row, we would see, on
average, for ciphertext, five ones and five zeroes - and they would be
random.

If the plaintext were always 1 for ten messages in a row, we would see
the *same thing* for ciphertext - five ones and five zeroes, randomly
distributed.

They would be the opposite five ones and five zeroes, but how would we
tell that?

And therefore the ciphertext is the *same thing* for _any_ probability
distribution of the plaintext p - a random set of 0 and 1 messages,
just as random as the key was.

These are the facts. If you refuse to believe them, if you say I am
just prating and repeating myself, because I don't cast these ironclad
facts in the form of the equations you are misusing, that is your
problem.

Basically, you are mixing up the case where "one message has c=0, in a
situation where the overall distribution is still c=0 with 0.5
probability and c=1 with 0.5 probability", which is what Shannon was
talking about, and the case where "a message has c=0, tending to
confirm the hypothesis that c=0 with greater than 0.5 probability",
which only applies *if the opponent is not using the one-time pad*,
because _then_ it could happen that k=0 with greater than 0.5
probability too.

You are using a formula which applies only to the latter case. You
didn't make a mistake in arithmetic with the formula you had, you used
the wrong formula.

John Savard

Quadibloc
Nov 8, 2007, 9:57:20 AM
Quadibloc wrote:
> wangyong wrote:
> > we can find that M and K are not independent when c is fixed, but you get
> > the probability when M and K are independent; that is your mistake, and you
> > just repeat it a lot of times.
>
> Yes, it is true. Plaintext plus key = ciphertext.
>
> But the ciphertext for *one message* is fixed at 0. The ciphertext for
> the bunch of messages we have been receiving is 0 and 1 with *equal
> probability*, so we know (or think) that the opponent's one-time pad
> is working properly.

Essentially, "case 6" is not properly described. The real "case 6"
would be:

p=0 (0.9), 1 (0.1) (ensemble probability)
k=0 (0.5), 1 (0.5) (ensemble probability)
c=0 (0.5), 1 (0.5) (ensemble probability)
c=0 (1.0), 1 (0.0) (individual message probability)

Given that

p=0 (1.0) 1 (0.0)

and

p=0 (0.0) 1 (1.0)

are both fully consistent with the ensemble probabilities for c and k,

the individual message probability of c is not evidence for changing
the individual message probability of p from its ensemble value (hence
Shannon's perfect secrecy exists),

and instead we must conclude that

p=0 (0.9) 1 (0.1) (individual message probability)
k=0 (0.9) 1 (0.1) (individual message probability)

we only learn about the key, which is possible because the bias in the
plaintext implies a correlation between the ciphertext and the key.

John Savard

Quadibloc
Nov 8, 2007, 2:55:44 PM
On Nov 8, 7:57 am, I wrote:
> Essentially, "case 6" is not properly described. The real "case 6"
> would be:
>
> p=0 (0.9), 1 (0.1) (ensemble probability)
> k=0 (0.5), 1 (0.5) (ensemble probability)
> c=0 (0.5), 1 (0.5) (ensemble probability)
> c=0 (1.0), 1 (0.0) (individual message probability)
>
> Given that
>
> p=0 (1.0) 1 (0.0)
>
> and
>
> p=0 (0.0) 1 (1.0)
>
> are both fully consistent with the ensemble probabilities for c and k,
>
> the individual message probability of c is not evidence for changing
> the individual message probability of p from its ensemble value (hence
> Shannon's perfect secrecy exists),
>
> and instead we must conclude that
>
> p=0 (0.9) 1 (0.1) (individual message probability)
> k=0 (0.9) 1 (0.1) (individual message probability)
>
> we only learn about the key, which is possible because the bias in the
> plaintext implies a correlation between the ciphertext and the key.

So, if one puts the fact that the probability of c=0 is 1, because one
has intercepted a message with ciphertext equal to zero, in an overall
context where the ensemble probability of ciphertexts being either 0
or 1 remains at 0.5 each, into a probability formula, that can be a
mistake, because the formula works with ensemble values.

So the answer you might get, saying that the probability of p=0 may
have changed from 0.9 to 0.5 simply means that had you been receiving
scads of messages, all with c=0, then the logical conclusion would be
(given that k=0 and k=1 are still with probability 0.5) that the
probability of p=0 and p=1 has changed to 0.5 each (so, as you say,
the perfect secrecy condition is not met)... and the enemy, for some
reason, is sending his key *as the message* all the time. Whenever the
plaintext is 0, he is using a one-time pad sheet with key 0, and when
the plaintext is 1, he is using a one-time pad sheet with key 1.

On the assumption that, because the one-time pad is meant to hide the
secret message, it is not *correlated* with the plaintext, this kind
of thing doesn't happen. The probability overall of c=0 and c=1 must
stay at 0.5 for each. But if you put c=0 at 1.0 probability into a
statistical formula, the formula can't complain - it can just say that
based on your sample size, the probability of p moves from 0.9 to 0.5.
The formula is doing its job, but you gave it a number that doesn't
mean what the formula takes it to mean.

John Savard
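John Savard's "case 6" argument in the three posts above (the ensemble probability of c stays 0.5, observing one message's c leaves the posterior of p at its prior, and only the posterior of k picks up the plaintext bias) can be checked by enumerating the joint distribution of a one-bit pad. This is an added example, not code from the thread: the 0.9/0.1 plaintext prior and 0.5/0.5 key prior are the thread's figures, and the skewed key K_BIASED is a constructed contrast showing the case where the posterior really does move.

```python
"""One-bit one-time pad, c = p XOR k: check Shannon's perfect-secrecy
condition P(p | c) == P(p) by enumerating the joint distribution.
Added example; the 0.9/0.1 plaintext prior and 0.5/0.5 key prior are the
'case 6' figures from the thread, the biased key is a constructed contrast."""
from fractions import Fraction
import random

# Priors as {bit: probability}; Fractions keep every comparison exact.
P_PRIOR = {0: Fraction(9, 10), 1: Fraction(1, 10)}   # plaintext bias (case 6)
K_OTP = {0: Fraction(1, 2), 1: Fraction(1, 2)}       # proper one-time pad key
K_BIASED = {0: Fraction(9, 10), 1: Fraction(1, 10)}  # constructed: a skewed, non-uniform key


def joint(p_prior, k_prior):
    """Joint distribution of (p, k, c), assuming the key is drawn
    independently of the plaintext (the assumption Shannon's proof makes)."""
    return {(p, k, p ^ k): p_prior[p] * k_prior[k]
            for p in (0, 1) for k in (0, 1)}


def ciphertext_dist(p_prior, k_prior):
    """Ensemble distribution of c, i.e. before any message is intercepted."""
    j = joint(p_prior, k_prior)
    return {c: sum(v for (_, _, cc), v in j.items() if cc == c) for c in (0, 1)}


def posterior(p_prior, k_prior, c_obs):
    """Individual-message posteriors P(p | c = c_obs) and P(k | c = c_obs)
    by Bayes' rule: P(x | c) = P(x, c) / P(c)."""
    j = joint(p_prior, k_prior)
    pc = sum(v for (_, _, c), v in j.items() if c == c_obs)
    post_p = {x: sum(v for (p, _, c), v in j.items() if p == x and c == c_obs) / pc
              for x in (0, 1)}
    post_k = {x: sum(v for (_, k, c), v in j.items() if k == x and c == c_obs) / pc
              for x in (0, 1)}
    return post_p, post_k


def is_perfectly_secret(p_prior, k_prior):
    """Shannon's condition: observing c changes nothing about p, for every c."""
    return all(posterior(p_prior, k_prior, c)[0] == p_prior for c in (0, 1))


def stream_pair(n, seed=1):
    """Encrypt n all-zero and n all-one plaintexts under the same random key
    stream. The two ciphertext streams are bitwise complements of each other,
    and each one is just the (random) key or its complement."""
    rng = random.Random(seed)
    key = [rng.randrange(2) for _ in range(n)]
    return [0 ^ k for k in key], [1 ^ k for k in key]


if __name__ == "__main__":
    print("ensemble P(c):", ciphertext_dist(P_PRIOR, K_OTP))
    print("OTP, c=0 seen:   P(p|c), P(k|c) =", posterior(P_PRIOR, K_OTP, 0))
    print("biased key, c=0: P(p|c), P(k|c) =", posterior(P_PRIOR, K_BIASED, 0))
    print("perfect secrecy:", is_perfectly_secret(P_PRIOR, K_OTP),
          is_perfectly_secret(P_PRIOR, K_BIASED))
```

With the uniform key, P(p=0 | c=0) stays 9/10 and P(k=0 | c=0) becomes 9/10; with the skewed key, P(p=0 | c=0) moves to 81/82, which is the only situation in which the posterior-update formula says anything about p.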

Phil Carmody
Nov 8, 2007, 7:35:30 PM
wangyong <hel...@126.com> writes:
> On 11 8 , 8 12 , Phil Carmody <thefatphil_demun...@yahoo.co.uk>
> wrote:
> > "John E. Hadstate" <jh113...@hotmail.com> writes:
> >
> > > "Dav170627" <eat...@tpg.com.au> wrote in message
> > >news:13j4cgg...@news.supernews.com...
> >
> > > > Where is TSD?
> >
> > > I think he got tired of being joe-jobbed, falsely-accused of criminal
> > > acts, and otherwise shat-upon. He obviously didn't need us and
> > > apparently decided to spend his time in more profitable pursuits.
> > > Good on him!
> >
> > Shame. No-one with more than half a brain thought Tom was
> > ever guilty of anything more than being young and brash,
> > and sometimes those weren't negative traits at all.
>
> It seems All your tricks have been exhausted.
> just insult. I see the people who lost just insult the winner.

Quite bizarre. The above is not an insult, it's a compliment.

If you really think you are the "winner", would you please
like to explain why every single poster in sci.math and
sci.crypt has disagreed with what you've posted about the
correctness of Shannon's proof. If Shannon himself was about,
I'm sure he'd disagree with you too.

Yes, yes, yes, maybe the whole world's wrong and only you're
right.

NOT!
