So long as a password is used, an observer cannot distinguish the sequence from an ordinary and well-shuffled pack of cards – giving the same plausible deniability that Solitaire does. My method can be downloaded and used on a device not connected to a network, although of course the mere act of having/using software could possibly be detected (unless it is itself encrypted, perhaps!)

]]>https://www.schneier.com/academic/solitaire/

“…I designed it to allow field agents to communicate securely without having to rely on electronics or having to carry incriminating tools. An agent might be in a situation where he just does not have access to a computer, or may be prosecuted if he has tools for secret communication. But a deck of cards…what harm is that?”

]]>By contrast, “afterword” is analogous to “foreword” – it’s a page of prose that precedes or follows the main body respectively. I think a synonym is “postscript”; but that term nowadays is mostly associated with a page-description-language originally invented for laser printers.

So I claim that the meaning of “afterword” is quite distinct from either “after” or afterward”.

Hey, I don’t speak USAian very fluently; perhaps these words all mean the same thing in the USA. Dammit, I sometimes discover that I don’t even know British English; I like to be corrected when I’m wrong, so do pile in.

]]>Reversibility described even more simply. 🙂

Reversible: left bit shift with wraparound.

1100 becomes 1001, and 1001 only could have come from 1100. The same pairing holds for every possible permutation.

(at least partly) Irreversible: left bit shift with zero fill.

1100 becomes 1000. But 0100 would have also lead to 1000, so 1000 has no unique heritage.

You cannot have a unique reverse operation to “left shift with zero fill”, because you’d have to try to recover lost bits shifted off the side. And every process where any state could have more than one parent or more than one child suffers the same fate.

When an operation is reversible, every single state has one and only one parent, and one and only one child.

When it is irreversible, at least some of the states MUST have more than one parent, some MUST have more than one child, also some MUST have zero parents and some MUST have zero children. ^{[1]}

Incidentally, fellow hard scifi author Greg Egan ran afoul of this in a different way when he wrote Permutation City. 😉

In any event, irreversible processes cannot maintain full entropy because at least the first step must map more possibilities into fewer possibilities with at least some duplicates. Left Shift Zero Fill cuts the possibilities in half each time, for example.

Some processes can reach an equilibrium in entropy after one or more steps though, which is like a damage control compromise. For example the process “Add two, ignoring overflow, and then set right bit to zero” loses half it’s possible states in the first operation (all the odd numbers) but then immediately reaches a stable equilibrium where the *remainder* of states (the even numbers) can be considered reversible among themselves. EG you lose 1 bit of entropy and then stop losing more.

^{[1] Myhill, “The converse of Moore’s Garden-of-Eden theorem”, Proc. Amer. Math. Soc. 14 (1963), 685–686}

Would someone please explain what reversibility means in this context.

As @Jacob has explained you can end up in a state which you can not back out of uniquely.

You might think OK why is that important?

The point is firstly it leads to a reduced number of states in the generator, secondly it also lead to some measure of bias in the generator output because of it.

Most stream generaters have some bias, the most commonly mentioned is the Linear Feedback Shift Register (LFSR) that has one state either all zeros or all ones dependent on the feedback logic type used.

By a little thought experiment you can realise that the maximum length of all ones or all zeros the generator can produce is based on the number of it’s storage elements N that define the maximum state it can store 2^N for binary storage elements. Thus the maximum length output of zeros or ones would be with three state transitions,

- {0b100..00},{0b000..00},{0b000..01}

for zeros and the inverse for ones. That it is the length of zeros/ones is 3N-2. If however the storage can not produce either the all ones or all zero’s state than it drops to 2N-2 as the maximum for one of them, which is quite a chunk of bias. Whilst not all generators can be in those three states in sequence the general principle of bias due to missing states holds.

There is also another issue that I will mention but not try to justify. Whilst some generators can generate a significant number of their states (2^N-1 for the LFSR) many can not[1]. The underlying reason often being the need to have non-linear feedback (the LFSR can be broken with just 2N output bits due to it’s linear feedback). This has concequences in that you get shorter “cycles of states” some can be very short and there can also be a multiplicity of them. Thus you can end up with quite a weak generator that cycles through as few as one state (LFSR) or just a handfull of states.

It’s why some recommend using a counter that is known to only cycle through all possible states, followed by one or more non-linear mapping functions. Block ciphers often being considered as usefull mapping functions hence you end up with what is called “Counter Mode” which for AES you might see as AES128-CTR or AES-CTR (see NIST SP800-38A).

[1] Due to mechanical deficiences in the Enigma odometer movement it did not go into all states, there are one or two books around that describe how that deficiency actually helped in breaking the German use of Enigma.

]]>How many multiple Jokers involved these days with internet infrastructure and TLS?

]]>