--- /dev/null
+Edgar Allan Poe
+
+The Gold-Bug
+
+
+What ho! what ho! this fellow is dancing mad!
+He hath been bitten by the Tarantula.
+ --All in the Wrong.
+
+
+Many years ago, I contracted an intimacy with a Mr. William
+Legrand. He was of an ancient Huguenot family, and had once been
+wealthy: but a series of misfortunes had reduced him to want. To
+avoid the mortification consequent upon his disasters, he left New
+Orleans, the city of his forefathers, and took up his residence at
+Sullivan's Island, near Charleston, South Carolina.
+
+This island is a very singular one. It consists of little else
+than the sea sand, and is about three miles long. Its breadth at
+no point exceeds a quarter of a mile. It is separated from the
+mainland by a scarcely perceptible creek, oozing its way through a
+wilderness of reeds and slime, a favorite resort of the marsh hen.
+The vegetation, as might be supposed, is scant, or at least
+dwarfish. No trees of any magnitude are to be seen. Near the
+western extremity, where Fort Moultrie stands, and where are some
+miserable frame buildings, tenanted, during summer, by the
+fugitives from Charleston dust and fever, may be found, indeed, the
+bristly palmetto; but the whole island, with the exception of this
+western point, and a line of hard, white beach on the seacoast, is
+covered with a dense undergrowth of the sweet myrtle so much prized
+by the horticulturists of England. The shrub here often attains
+the height of fifteen or twenty feet, and forms an almost
+impenetrable coppice, burdening the air with its fragrance.
+
+In the inmost recesses of this coppice, not far from the eastern or
+more remote end of the island, Legrand had built himself a small
+hut, which he occupied when I first, by mere accident, made his
+acquaintance. This soon ripened into friendship--for there was
+much in the recluse to excite interest and esteem. I found him
+well educated, with unusual powers of mind, but infected with
+misanthropy, and subject to perverse moods of alternate enthusiasm
+and melancholy. He had with him many books, but rarely employed
+them. His chief amusements were gunning and fishing, or sauntering
+along the beach and through the myrtles, in quest of shells or
+entomological specimens--his collection of the latter might have
+been envied by a Swammerdamm. In these excursions he was usually
+accompanied by an old negro, called Jupiter, who had been
+manumitted before the reverses of the family, but who could be
+induced, neither by threats nor by promises, to abandon what he
+considered his right of attendance upon the footsteps of his young
+"Massa Will." It is not improbable that the relatives of Legrand,
+conceiving him to be somewhat unsettled in intellect, had contrived
+to instill this obstinacy into Jupiter, with a view to the
+supervision and guardianship of the wanderer.
+
+The winters in the latitude of Sullivan's Island are seldom very
+severe, and in the fall of the year it is a rare event indeed when
+a fire is considered necessary. About the middle of October, 18--,
+there occurred, however, a day of remarkable chilliness. Just
+before sunset I scrambled my way through the evergreens to the hut
+of my friend, whom I had not visited for several weeks--my
+residence being, at that time, in Charleston, a distance of nine
+miles from the island, while the facilities of passage and
+repassage were very far behind those of the present day. Upon
+reaching the hut I rapped, as was my custom, and getting no reply,
+sought for the key where I knew it was secreted, unlocked the door,
+and went in. A fine fire was blazing upon the hearth. It was a
+novelty, and by no means an ungrateful one. I threw off an
+overcoat, took an armchair by the crackling logs, and awaited
+patiently the arrival of my hosts.
+
+Soon after dark they arrived, and gave me a most cordial welcome.
+Jupiter, grinning from ear to ear, bustled about to prepare some
+marsh hens for supper. Legrand was in one of his fits--how else
+shall I term them?--of enthusiasm. He had found an unknown
+bivalve, forming a new genus, and, more than this, he had hunted
+down and secured, with Jupiter's assistance, a scarabaeus which he
+believed to be totally new, but in respect to which he wished to
+have my opinion on the morrow.
+
+"And why not to-night?" I asked, rubbing my hands over the blaze,
+and wishing the whole tribe of scarabaei at the devil.
+
+"Ah, if I had only known you were here!" said Legrand, "but it's so
+long since I saw you; and how could I foresee that you would pay me
+a visit this very night of all others? As I was coming home I met
+Lieutenant G----, from the fort, and, very foolishly, I lent him
+the bug; so it will be impossible for you to see it until the
+morning. Stay here to-night, and I will send Jup down for it at
+sunrise. It is the loveliest thing in creation!"
+
+"What?--sunrise?"
+
+"Nonsense! no!--the bug. It is of a brilliant gold color--about
+the size of a large hickory nut--with two jet black spots near one
+extremity of the back, and another, somewhat longer, at the other.
+The antennae are--"
+
+"Dey ain't NO tin in him, Massa Will, I keep a tellin' on you,"
+here interrupted Jupiter; "de bug is a goole-bug, solid, ebery bit
+of him, inside and all, sep him wing--neber feel half so hebby a
+bug in my life."
+
+"Well, suppose it is, Jup," replied Legrand, somewhat more
+earnestly, it seemed to me, than the case demanded; "is that any
+reason for your letting the birds burn? The color"--here he turned
+to me--"is really almost enough to warrant Jupiter's idea. You
+never saw a more brilliant metallic luster than the scales emit--
+but of this you cannot judge till to-morrow. In the meantime I can
+give you some idea of the shape." Saying this, he seated himself
+at a small table, on which were a pen and ink, but no paper. He
+looked for some in a drawer, but found none.
+
+"Never mind," he said at length, "this will answer;" and he drew
+from his waistcoat pocket a scrap of what I took to be very dirty
+foolscap, and made upon it a rough drawing with the pen. While he
+did this, I retained my seat by the fire, for I was still chilly.
+When the design was complete, he handed it to me without rising.
+As I received it, a loud growl was heard, succeeded by a scratching
+at the door. Jupiter opened it, and a large Newfoundland,
+belonging to Legrand, rushed in, leaped upon my shoulders, and
+loaded me with caresses; for I had shown him much attention during
+previous visits. When his gambols were over, I looked at the
+paper, and, to speak the truth, found myself not a little puzzled
+at what my friend had depicted.
+
+"Well!" I said, after contemplating it for some minutes, "this IS a
+strange scarabaeus, I must confess; new to me; never saw anything
+like it before--unless it was a skull, or a death's head, which it
+more nearly resembles than anything else that has come under MY
+observation."
+
+"A death's head!" echoed Legrand. "Oh--yes--well, it has something
+of that appearance upon paper, no doubt. The two upper black spots
+look like eyes, eh? and the longer one at the bottom like a mouth--
+and then the shape of the whole is oval."
+
+"Perhaps so," said I; "but, Legrand, I fear you are no artist. I
+must wait until I see the beetle itself, if I am to form any idea
+of its personal appearance."
+
+"Well, I don't know," said he, a little nettled, "I draw tolerably--
+SHOULD do it at least--have had good masters, and flatter myself
+that I am not quite a blockhead."
+
+"But, my dear fellow, you are joking then," said I, "this is a very
+passable SKULL--indeed, I may say that it is a very EXCELLENT
+skull, according to the vulgar notions about such specimens of
+physiology--and your scarabaeus must be the queerest scarabaeus in
+the world if it resembles it. Why, we may get up a very thrilling
+bit of superstition upon this hint. I presume you will call the
+bug Scarabaeus caput hominis, or something of that kind--there are
+many similar titles in the Natural Histories. But where are the
+antennae you spoke of?"
+
+"The antennae!" said Legrand, who seemed to be getting
+unaccountably warm upon the subject; "I am sure you must see the
+antennae. I made them as distinct as they are in the original
+insect, and I presume that is sufficient."
+
+"Well, well," I said, "perhaps you have--still I don't see them;"
+and I handed him the paper without additional remark, not wishing
+to ruffle his temper; but I was much surprised at the turn affairs
+had taken; his ill humor puzzled me--and, as for the drawing of the
+beetle, there were positively NO antennae visible, and the whole
+DID bear a very close resemblance to the ordinary cuts of a death's
+head.
+
+He received the paper very peevishly, and was about to crumple it,
+apparently to throw it in the fire, when a casual glance at the
+design seemed suddenly to rivet his attention. In an instant his
+face grew violently red--in another excessively pale. For some
+minutes he continued to scrutinize the drawing minutely where he
+sat. At length he arose, took a candle from the table, and
+proceeded to seat himself upon a sea chest in the farthest corner
+of the room. Here again he made an anxious examination of the
+paper, turning it in all directions. He said nothing, however, and
+his conduct greatly astonished me; yet I thought it prudent not to
+exacerbate the growing moodiness of his temper by any comment.
+Presently he took from his coat pocket a wallet, placed the paper
+carefully in it, and deposited both in a writing desk, which he
+locked. He now grew more composed in his demeanor; but his
+original air of enthusiasm had quite disappeared. Yet he seemed
+not so much sulky as abstracted. As the evening wore away he
+became more and more absorbed in reverie, from which no sallies of
+mine could arouse him. It had been my intention to pass the night
+at the hut, as I had frequently done before, but, seeing my host in
+this mood, I deemed it proper to take leave. He did not press me
+to remain, but, as I departed, he shook my hand with even more than
+his usual cordiality.
+
+It was about a month after this (and during the interval I had seen
+nothing of Legrand) when I received a visit, at Charleston, from
+his man, Jupiter. I had never seen the good old negro look so
+dispirited, and I feared that some serious disaster had befallen my
+friend.
+
+"Well, Jup," said I, "what is the matter now?--how is your master?"
+
+"Why, to speak the troof, massa, him not so berry well as mought
+be."
+
+"Not well! I am truly sorry to hear it. What does he complain
+of?"
+
+"Dar! dot's it!--him neber 'plain of notin'--but him berry sick for
+all dat."
+
+"VERY sick, Jupiter!--why didn't you say so at once? Is he
+confined to bed?"
+
+"No, dat he aint!--he aint 'fin'd nowhar--dat's just whar de shoe
+pinch--my mind is got to be berry hebby 'bout poor Massa Will."
+
+"Jupiter, I should like to understand what it is you are talking
+about. You say your master is sick. Hasn't he told you what ails
+him?"
+
+"Why, massa, 'taint worf while for to git mad about de matter--
+Massa Will say noffin at all aint de matter wid him--but den what
+make him go about looking dis here way, wid he head down and he
+soldiers up, and as white as a goose? And den he keep a syphon all
+de time--"
+
+"Keeps a what, Jupiter?"
+
+"Keeps a syphon wid de figgurs on de slate--de queerest figgurs I
+ebber did see. Ise gittin' to be skeered, I tell you. Hab for to
+keep mighty tight eye 'pon him 'noovers. Todder day he gib me slip
+'fore de sun up and was gone de whole ob de blessed day. I had a
+big stick ready cut for to gib him deuced good beating when he did
+come--but Ise sich a fool dat I hadn't de heart arter all--he
+looked so berry poorly."
+
+"Eh?--what?--ah yes!--upon the whole I think you had better not be
+too severe with the poor fellow--don't flog him, Jupiter--he can't
+very well stand it--but can you form no idea of what has occasioned
+this illness, or rather this change of conduct? Has anything
+unpleasant happened since I saw you?"
+
+"No, massa, dey aint bin noffin onpleasant SINCE den--'twas 'FORE
+den I'm feared--'twas de berry day you was dare."
+
+"How? what do you mean."
+
+"Why, massa, I mean de bug--dare now."
+
+"The what?"
+
+"De bug--I'm berry sartin dat Massa Will bin bit somewhere 'bout de
+head by dat goole-bug."
+
+"And what cause have you, Jupiter, for such a supposition?"
+
+"Claws enuff, massa, and mouff, too. I nebber did see sich a
+deuced bug--he kick and he bite eberyting what cum near him. Massa
+Will cotch him fuss, but had for to let him go 'gin mighty quick, I
+tell you--den was de time he must ha' got de bite. I didn't like
+de look ob de bug mouff, myself, nohow, so I wouldn't take hold oh
+him wid my finger, but I cotch him wid a piece oh paper dat I
+found. I rap him up in de paper and stuff a piece of it in he
+mouff--dat was de way."
+
+"And you think, then, that your master was really bitten by the
+beetle, and that the bite made him sick?"
+
+"I don't think noffin about it--I nose it. What make him dream
+'bout de goole so much, if 'taint cause he bit by the goole-bug?
+Ise heered 'bout dem goole-bugs 'fore dis."
+
+"But how do you know he dreams about gold?"
+
+"How I know? why, 'cause he talk about it in he sleep--dat's how I
+nose."
+
+"Well, Jup, perhaps you are right; but to what fortunate
+circumstance am I to attribute the honor of a visit from you to-
+day?"
+
+"What de matter, massa?"
+
+"Did you bring any message from Mr. Legrand?"
+
+"No, massa, I bring dis here pissel;" and here Jupiter handed me a
+note which ran thus:
+
+
+"MY DEAR ----
+
+"Why have I not seen you for so long a time? I hope you have not
+been so foolish as to take offense at any little brusquerie of
+mine; but no, that is improbable.
+
+"Since I saw you I have had great cause for anxiety. I have
+something to tell you, yet scarcely know how to tell it, or whether
+I should tell it at all.
+
+"I have not been quite well for some days past, and poor old Jup
+annoys me, almost beyond endurance, by his well-meant attentions.
+Would you believe it?--he had prepared a huge stick, the other day,
+with which to chastise me for giving him the slip, and spending the
+day, solus, among the hills on the mainland. I verily believe that
+my ill looks alone saved me a flogging.
+
+"I have made no addition to my cabinet since we met. "If you can,
+in any way, make it convenient, come over with Jupiter. DO come.
+I wish to see you TO-NIGHT, upon business of importance. I assure
+you that it is of the HIGHEST importance.
+
+"Ever yours,
+
+"WILLIAM LEGRAND."
+
+
+There was something in the tone of this note which gave me great
+uneasiness. Its whole style differed materially from that of
+Legrand. What could he be dreaming of? What new crotchet
+possessed his excitable brain? What "business of the highest
+importance" could HE possibly have to transact? Jupiter's account
+of him boded no good. I dreaded lest the continued pressure of
+misfortune had, at length, fairly unsettled the reason of my
+friend. Without a moment's hesitation, therefore, I prepared to
+accompany the negro.
+
+Upon reaching the wharf, I noticed a scythe and three spades, all
+apparently new, lying in the bottom of the boat in which we were to
+embark.
+
+"What is the meaning of all this, Jup?" I inquired.
+
+"Him syfe, massa, and spade."
+
+"Very true; but what are they doing here?"
+
+"Him de syfe and de spade what Massa Will sis 'pon my buying for
+him in de town, and de debbil's own lot of money I had to gib for
+em."
+
+"But what, in the name of all that is mysterious, is your 'Massa
+Will' going to do with scythes and spades?"
+
+"Dat's more dan I know, and debbil take me if I don't b'lieve 'tis
+more dan he know too. But it's all cum ob de bug."
+
+Finding that no satisfaction was to be obtained of Jupiter, whose
+whole intellect seemed to be absorbed by "de bug," I now stepped
+into the boat, and made sail. With a fair and strong breeze we
+soon ran into the little cove to the northward of Fort Moultrie,
+and a walk of some two miles brought us to the hut. It was about
+three in the afternoon when we arrived. Legrand had been awaiting
+us in eager expectation. He grasped my hand with a nervous
+empressement which alarmed me and strengthened the suspicions
+already entertained. His countenance was pale even to ghastliness,
+and his deep-set eyes glared with unnatural luster. After some
+inquiries respecting his health, I asked him, not knowing what
+better to say, if he had yet obtained the scarabaeus from
+Lieutenant G----.
+
+"Oh, yes," he replied, coloring violently, "I got it from him the
+next morning. Nothing should tempt me to part with that
+scarabaeus. Do you know that Jupiter is quite right about it?"
+
+"In what way?" I asked, with a sad foreboding at heart.
+
+"In supposing it to be a bug of REAL GOLD." He said this with an
+air of profound seriousness, and I felt inexpressibly shocked.
+
+"This bug is to make my fortune," he continued, with a triumphant
+smile; "to reinstate me in my family possessions. Is it any
+wonder, then, that I prize it? Since Fortune has thought fit to
+bestow it upon me, I have only to use it properly, and I shall
+arrive at the gold of which it is the index. Jupiter, bring me
+that scarabaeus!"
+
+"What! de bug, massa? I'd rudder not go fer trubble dat bug; you
+mus' git him for your own self." Hereupon Legrand arose, with a
+grave and stately air, and brought me the beetle from a glass case
+in which it was enclosed. It was a beautiful scarabaeus, and, at
+that time, unknown to naturalists--of course a great prize in a
+scientific point of view. There were two round black spots near
+one extremity of the back, and a long one near the other. The
+scales were exceedingly hard and glossy, with all the appearance of
+burnished gold. The weight of the insect was very remarkable, and,
+taking all things into consideration, I could hardly blame Jupiter
+for his opinion respecting it; but what to make of Legrand's
+concordance with that opinion, I could not, for the life of me,
+tell.
+
+"I sent for you," said he, in a grandiloquent tone, when I had
+completed my examination of the beetle, "I sent for you that I
+might have your counsel and assistance in furthering the views of
+Fate and of the bug--"
+
+"My dear Legrand," I cried, interrupting him, "you are certainly
+unwell, and had better use some little precautions. You shall go
+to bed, and I will remain with you a few days, until you get over
+this. You are feverish and--"
+
+"Feel my pulse," said he.
+
+I felt it, and, to say the truth, found not the slightest
+indication of fever.
+
+"But you may be ill and yet have no fever. Allow me this once to
+prescribe for you. In the first place go to bed. In the next--"
+
+"You are mistaken," he interposed, "I am as well as I can expect to
+be under the excitement which I suffer. If you really wish me
+well, you will relieve this excitement."
+
+"And how is this to be done?"
+
+"Very easily. Jupiter and myself are going upon an expedition into
+the hills, upon the mainland, and, in this expedition, we shall
+need the aid of some person in whom we can confide. You are the
+only one we can trust. Whether we succeed or fail, the excitement
+which you now perceive in me will be equally allayed."
+
+"I am anxious to oblige you in any way," I replied; "but do you
+mean to say that this infernal beetle has any connection with your
+expedition into the hills?"
+
+"It has."
+
+"Then, Legrand, I can become a party to no such absurd proceeding."
+
+"I am sorry--very sorry--for we shall have to try it by ourselves."
+
+"Try it by yourselves! The man is surely mad!--but stay!--how long
+do you propose to be absent?"
+
+"Probably all night. We shall start immediately, and be back, at
+all events, by sunrise."
+
+"And will you promise me, upon your honor, that when this freak of
+yours is over, and the bug business (good God!) settled to your
+satisfaction, you will then return home and follow my advice
+implicitly, as that of your physician?"
+
+"Yes; I promise; and now let us be off, for we have no time to
+lose."
+
+With a heavy heart I accompanied my friend. We started about four
+o'clock--Legrand, Jupiter, the dog, and myself. Jupiter had with
+him the scythe and spades--the whole of which he insisted upon
+carrying--more through fear, it seemed to me, of trusting either of
+the implements within reach of his master, than from any excess of
+industry or complaisance. His demeanor was dogged in the extreme,
+and "dat deuced bug" were the sole words which escaped his lips
+during the journey. For my own part, I had charge of a couple of
+dark lanterns, while Legrand contented himself with the scarabaeus,
+which he carried attached to the end of a bit of whipcord; twirling
+it to and fro, with the air of a conjurer, as he went. When I
+observed this last, plain evidence of my friend's aberration of
+mind, I could scarcely refrain from tears. I thought it best,
+however, to humor his fancy, at least for the present, or until I
+could adopt some more energetic measures with a chance of success.
+In the meantime I endeavored, but all in vain, to sound him in
+regard to the object of the expedition. Having succeeded in
+inducing me to accompany him, he seemed unwilling to hold
+conversation upon any topic of minor importance, and to all my
+questions vouchsafed no other reply than "we shall see!"
+
+We crossed the creek at the head of the island by means of a skiff,
+and, ascending the high grounds on the shore of the mainland,
+proceeded in a northwesterly direction, through a tract of country
+excessively wild and desolate, where no trace of a human footstep
+was to be seen. Legrand led the way with decision; pausing only
+for an instant, here and there, to consult what appeared to be
+certain landmarks of his own contrivance upon a former occasion.
+
+In this manner we journeyed for about two hours, and the sun was
+just setting when we entered a region infinitely more dreary than
+any yet seen. It was a species of table-land, near the summit of
+an almost inaccessible hill, densely wooded from base to pinnacle,
+and interspersed with huge crags that appeared to lie loosely upon
+the soil, and in many cases were prevented from precipitating
+themselves into the valleys below, merely by the support of the
+trees against which they reclined. Deep ravines, in various
+directions, gave an air of still sterner solemnity to the scene.
+
+The natural platform to which we had clambered was thickly
+overgrown with brambles, through which we soon discovered that it
+would have been impossible to force our way but for the scythe; and
+Jupiter, by direction of his master, proceeded to clear for us a
+path to the foot of an enormously tall tulip tree, which stood,
+with some eight or ten oaks, upon the level, and far surpassed them
+all, and all other trees which I had then ever seen, in the beauty
+of its foliage and form, in the wide spread of its branches, and in
+the general majesty of its appearance. When we reached this tree,
+Legrand turned to Jupiter, and asked him if he thought he could
+climb it. The old man seemed a little staggered by the question,
+and for some moments made no reply. At length he approached the
+huge trunk, walked slowly around it, and examined it with minute
+attention. When he had completed his scrutiny, he merely said:
+
+"Yes, massa, Jup climb any tree he ebber see in he life."
+
+"Then up with you as soon as possible, for it will soon be too dark
+to see what we are about."
+
+"How far mus' go up, massa?" inquired Jupiter.
+
+"Get up the main trunk first, and then I will tell you which way to
+go--and here--stop! take this beetle with you."
+
+"De bug, Massa Will!--de goole-bug!" cried the negro, drawing back
+in dismay--"what for mus' tote de bug way up de tree?--d--n if I
+do!"
+
+"If you are afraid, Jup, a great big negro like you, to take hold
+of a harmless little dead beetle, why you can carry it up by this
+string--but, if you do not take it up with you in some way, I shall
+be under the necessity of breaking your head with this shovel."
+
+"What de matter now, massa?" said Jup, evidently shamed into
+compliance; "always want for to raise fuss wid old nigger. Was
+only funnin anyhow. ME feered de bug! what I keer for de bug?"
+Here he took cautiously hold of the extreme end of the string, and,
+maintaining the insect as far from his person as circumstances
+would permit, prepared to ascend the tree.
+
+In youth, the tulip tree, or Liriodendron tulipiferum, the most
+magnificent of American foresters, has a trunk peculiarly smooth,
+and often rises to a great height without lateral branches; but, in
+its riper age, the bark becomes gnarled and uneven, while many
+short limbs make their appearance on the stem. Thus the difficulty
+of ascension, in the present case, lay more in semblance than in
+reality. Embracing the huge cylinder, as closely as possible, with
+his arms and knees, seizing with his hands some projections, and
+resting his naked toes upon others, Jupiter, after one or two
+narrow escapes from falling, at length wriggled himself into the
+first great fork, and seemed to consider the whole business as
+virtually accomplished. The RISK of the achievement was, in fact,
+now over, although the climber was some sixty or seventy feet from
+the ground.
+
+"Which way mus' go now, Massa Will?" he asked.
+
+"Keep up the largest branch--the one on this side," said Legrand.
+The negro obeyed him promptly, and apparently with but little
+trouble; ascending higher and higher, until no glimpse of his squat
+figure could be obtained through the dense foliage which enveloped
+it. Presently his voice was heard in a sort of halloo.
+
+"How much fudder is got to go?"
+
+"How high up are you?" asked Legrand.
+
+"Ebber so fur," replied the negro; "can see de sky fru de top oh de
+tree."
+
+"Never mind the sky, but attend to what I say. Look down the trunk
+and count the limbs below you on this side. How many limbs have
+you passed?"
+
+"One, two, tree, four, fibe--I done pass fibe big limb, massa, 'pon
+dis side."
+
+"Then go one limb higher."
+
+In a few minutes the voice was heard again, announcing that the
+seventh limb was attained.
+
+"Now, Jup," cried Legrand, evidently much excited, "I want you to
+work your way out upon that limb as far as you can. If you see
+anything strange let me know."
+
+By this time what little doubt I might have entertained of my poor
+friend's insanity was put finally at rest. I had no alternative
+but to conclude him stricken with lunacy, and I became seriously
+anxious about getting him home. While I was pondering upon what
+was best to be done, Jupiter's voice was again heard.
+
+"Mos feered for to ventur pon dis limb berry far--'tis dead limb
+putty much all de way."
+
+"Did you say it was a DEAD limb, Jupiter?" cried Legrand in a
+quavering voice.
+
+"Yes, massa, him dead as de door-nail--done up for sartin--done
+departed dis here life."
+
+"What in the name of heaven shall I do?" asked Legrand, seemingly
+in the greatest distress.
+
+"Do!" said I, glad of an opportunity to interpose a word, "why come
+home and go to bed. Come now!--that's a fine fellow. It's getting
+late, and, besides, you remember your promise."
+
+"Jupiter," cried he, without heeding me in the least, "do you hear
+me?"
+
+"Yes, Massa Will, hear you ebber so plain."
+
+"Try the wood well, then, with your knife, and see if you think it
+VERY rotten."
+
+"Him rotten, massa, sure nuff," replied the negro in a few moments,
+"but not so berry rotten as mought be. Mought venture out leetle
+way pon de limb by myself, dat's true."
+
+"By yourself!--what do you mean?"
+
+"Why, I mean de bug. 'Tis BERRY hebby bug. Spose I drop him down
+fuss, an den de limb won't break wid just de weight of one nigger."
+
+"You infernal scoundrel!" cried Legrand, apparently much relieved,
+"what do you mean by telling me such nonsense as that? As sure as
+you drop that beetle I'll break your neck. Look here, Jupiter, do
+you hear me?"
+
+"Yes, massa, needn't hollo at poor nigger dat style."
+
+"Well! now listen!--if you will venture out on the limb as far as
+you think safe, and not let go the beetle, I'll make you a present
+of a silver dollar as soon as you get down."
+
+"I'm gwine, Massa Will--deed I is," replied the negro very
+promptly--"mos out to the eend now."
+
+"OUT TO THE END!" here fairly screamed Legrand; "do you say you are
+out to the end of that limb?"
+
+"Soon be to de eend, massa--o-o-o-o-oh! Lor-gol-a-marcy! what IS
+dis here pon de tree?"
+
+"Well!" cried Legrand, highly delighted, "what is it?"
+
+"Why 'taint noffin but a skull--somebody bin lef him head up de
+tree, and de crows done gobble ebery bit ob de meat off."
+
+"A skull, you say!--very well,--how is it fastened to the limb?--
+what holds it on?"
+
+"Sure nuff, massa; mus look. Why dis berry curious sarcumstance,
+pon my word--dare's a great big nail in de skull, what fastens ob
+it on to de tree."
+
+"Well now, Jupiter, do exactly as I tell you--do you hear?"
+
+"Yes, massa."
+
+"Pay attention, then--find the left eye of the skull."
+
+"Hum! hoo! dat's good! why dey ain't no eye lef at all."
+
+"Curse your stupidity! do you know your right hand from your left?"
+
+"Yes, I knows dat--knows all about dat--'tis my lef hand what I
+chops de wood wid."
+
+"To be sure! you are left-handed; and your left eye is on the same
+side as your left hand. Now, I suppose, you can find the left eye
+of the skull, or the place where the left eye has been. Have you
+found it?"
+
+Here was a long pause. At length the negro asked:
+
+"Is de lef eye of de skull pon de same side as de lef hand of de
+skull too?--cause de skull aint got not a bit oh a hand at all--
+nebber mind! I got de lef eye now--here de lef eye! what mus do
+wid it?"
+
+Let the beetle drop through it, as far as the string will reach--
+but be careful and not let go your hold of the string."
+
+"All dat done, Massa Will; mighty easy ting for to put de bug fru
+de hole--look out for him dare below!"
+
+During this colloquy no portion of Jupiter's person could be seen;
+but the beetle, which he had suffered to descend, was now visible
+at the end of the string, and glistened, like a globe of burnished
+gold, in the last rays of the setting sun, some of which still
+faintly illumined the eminence upon which we stood. The scarabaeus
+hung quite clear of any branches, and, if allowed to fall, would
+have fallen at our feet. Legrand immediately took the scythe, and
+cleared with it a circular space, three or four yards in diameter,
+just beneath the insect, and, having accomplished this, ordered
+Jupiter to let go the string and come down from the tree.
+
+Driving a peg, with great nicety, into the ground, at the precise
+spot where the beetle fell, my friend now produced from his pocket
+a tape measure. Fastening one end of this at that point of the
+trunk of the tree which was nearest the peg, he unrolled it till it
+reached the peg and thence further unrolled it, in the direction
+already established by the two points of the tree and the peg, for
+the distance of fifty feet--Jupiter clearing away the brambles with
+the scythe. At the spot thus attained a second peg was driven, and
+about this, as a center, a rude circle, about four feet in
+diameter, described. Taking now a spade himself, and giving one to
+Jupiter and one to me, Legrand begged us to set about digging as
+quickly as possible.
+
+To speak the truth, I had no especial relish for such amusement at
+any time, and, at that particular moment, would willingly have
+declined it; for the night was coming on, and I felt much fatigued
+with the exercise already taken; but I saw no mode of escape, and
+was fearful of disturbing my poor friend's equanimity by a refusal.
+Could I have depended, indeed, upon Jupiter's aid, I would have had
+no hesitation in attempting to get the lunatic home by force; but I
+was too well assured of the old negro's disposition, to hope that
+he would assist me, under any circumstances, in a personal contest
+with his master. I made no doubt that the latter had been infected
+with some of the innumerable Southern superstitions about money
+buried, and that his fantasy had received confirmation by the
+finding of the scarabaeus, or, perhaps, by Jupiter's obstinacy in
+maintaining it to be "a bug of real gold." A mind disposed to
+lunacy would readily be led away by such suggestions--especially if
+chiming in with favorite preconceived ideas--and then I called to
+mind the poor fellow's speech about the beetle's being "the index
+of his fortune." Upon the whole, I was sadly vexed and puzzled,
+but, at length, I concluded to make a virtue of necessity--to dig
+with a good will, and thus the sooner to convince the visionary, by
+ocular demonstration, of the fallacy of the opinion he entertained.
+
+The lanterns having been lit, we all fell to work with a zeal
+worthy a more rational cause; and, as the glare fell upon our
+persons and implements, I could not help thinking how picturesque a
+group we composed, and how strange and suspicious our labors must
+have appeared to any interloper who, by chance, might have stumbled
+upon our whereabouts.
+
+We dug very steadily for two hours. Little was said; and our chief
+embarrassment lay in the yelpings of the dog, who took exceeding
+interest in our proceedings. He, at length, became so obstreperous
+that we grew fearful of his giving the alarm to some stragglers in
+the vicinity,--or, rather, this was the apprehension of Legrand;--
+for myself, I should have rejoiced at any interruption which might
+have enabled me to get the wanderer home. The noise was, at
+length, very effectually silenced by Jupiter, who, getting out of
+the hole with a dogged air of deliberation, tied the brute's mouth
+up with one of his suspenders, and then returned, with a grave
+chuckle, to his task.
+
+When the time mentioned had expired, we had reached a depth of five
+feet, and yet no signs of any treasure became manifest. A general
+pause ensued, and I began to hope that the farce was at an end.
+Legrand, however, although evidently much disconcerted, wiped his
+brow thoughtfully and recommenced. We had excavated the entire
+circle of four feet diameter, and now we slightly enlarged the
+limit, and went to the farther depth of two feet. Still nothing
+appeared. The gold-seeker, whom I sincerely pitied, at length
+clambered from the pit, with the bitterest disappointment imprinted
+upon every feature, and proceeded, slowly and reluctantly, to put
+on his coat, which he had thrown off at the beginning of his labor.
+In the meantime I made no remark. Jupiter, at a signal from his
+master, began to gather up his tools. This done, and the dog
+having been unmuzzled, we turned in profound silence toward home.
+
+We had taken, perhaps, a dozen steps in this direction, when, with
+a loud oath, Legrand strode up to Jupiter, and seized him by the
+collar. The astonished negro opened his eyes and mouth to the
+fullest extent, let fall the spades, and fell upon his knees.
+
+"You scoundrel!" said Legrand, hissing out the syllables from
+between his clenched teeth--"you infernal black villain!--speak, I
+tell you!--answer me this instant, without prevarication!--which--
+which is your left eye?"
+
+"Oh, my golly, Massa Will! aint dis here my lef eye for sartain?"
+roared the terrified Jupiter, placing his hand upon his RIGHT organ
+of vision, and holding it there with a desperate pertinacity, as if
+in immediate, dread of his master's attempt at a gouge.
+
+"I thought so!--I knew it! hurrah!" vociferated Legrand, letting
+the negro go and executing a series of curvets and caracols, much
+to the astonishment of his valet, who, arising from his knees,
+looked, mutely, from his master to myself, and then from myself to
+his master.
+
+"Come! we must go back," said the latter, "the game's not up yet;"
+and he again led the way to the tulip tree.
+
+"Jupiter," said he, when we reached its foot, "come here! was the
+skull nailed to the limb with the face outward, or with the face to
+the limb?"
+
+"De face was out, massa, so dat de crows could get at de eyes good,
+widout any trouble."
+
+"Well, then, was it this eye or that through which you dropped the
+beetle?" here Legrand touched each of Jupiter's eyes.
+
+"'Twas dis eye, massa--de lef eye--jis as you tell me," and here it
+was his right eye that the negro indicated.
+
+"That will do--we must try it again."
+
+Here my friend, about whose madness I now saw, or fancied that I
+saw, certain indications of method, removed the peg which marked
+the spot where the beetle fell, to a spot about three inches to the
+westward of its former position. Taking, now, the tape measure
+from the nearest point of the trunk to the peg, as before, and
+continuing the extension in a straight line to the distance of
+fifty feet, a spot was indicated, removed, by several yards, from
+the point at which we had been digging.
+
+Around the new position a circle, somewhat larger than in the
+former instance, was now described, and we again set to work with
+the spade. I was dreadfully weary, but, scarcely understanding
+what had occasioned the change in my thoughts, I felt no longer any
+great aversion from the labor imposed. I had become most
+unaccountably interested--nay, even excited. Perhaps there was
+something, amid all the extravagant demeanor of Legrand--some air
+of forethought, or of deliberation, which impressed me. I dug
+eagerly, and now and then caught myself actually looking, with
+something that very much resembled expectation, for the fancied
+treasure, the vision of which had demented my unfortunate
+companion. At a period when such vagaries of thought most fully
+possessed me, and when we had been at work perhaps an hour and a
+half, we were again interrupted by the violent howlings of the dog.
+His uneasiness, in the first instance, had been, evidently, but the
+result of playfulness or caprice, but he now assumed a bitter and
+serious tone. Upon Jupiter's again attempting to muzzle him, he
+made furious resistance, and, leaping into the hole, tore up the
+mold frantically with his claws. In a few seconds he had uncovered
+a mass of human bones, forming two complete skeletons, intermingled
+with several buttons of metal, and what appeared to be the dust of
+decayed woolen. One or two strokes of a spade upturned the blade
+of a large Spanish knife, and, as we dug farther, three or four
+loose pieces of gold and silver coin came to light.
+
+At sight of these the joy of Jupiter could scarcely be restrained,
+but the countenance of his master wore an air of extreme
+disappointment. He urged us, however, to continue our exertions,
+and the words were hardly uttered when I stumbled and fell forward,
+having caught the toe of my boot in a large ring of iron that lay
+half buried in the loose earth.
+
+We now worked in earnest, and never did I pass ten minutes of more
+intense excitement. During this interval we had fairly unearthed
+an oblong chest of wood, which, from its perfect preservation and
+wonderful hardness, had plainly been subjected to some mineralizing
+process--perhaps that of the bichloride of mercury. This box was
+three feet and a half long, three feet broad, and two and a half
+feet deep. It was firmly secured by bands of wrought iron,
+riveted, and forming a kind of open trelliswork over the whole. On
+each side of the chest, near the top, were three rings of iron--six
+in all--by means of which a firm hold could be obtained by six
+persons. Our utmost united endeavors served only to disturb the
+coffer very slightly in its bed. We at once saw the impossibility
+of removing so great a weight. Luckily, the sole fastenings of the
+lid consisted of two sliding bolts. These we drew back--trembling
+and panting with anxiety. In an instant, a treasure of
+incalculable value lay gleaming before us. As the rays of the
+lanterns fell within the pit, there flashed upward a glow and a
+glare, from a confused heap of gold and of jewels, that absolutely
+dazzled our eyes.
+
+I shall not pretend to describe the feelings with which I gazed.
+Amazement was, of course, predominant. Legrand appeared exhausted
+with excitement, and spoke very few words. Jupiter's countenance
+wore, for some minutes, as deadly a pallor as it is possible, in
+the nature of things, for any negro's visage to assume. He seemed
+stupefied--thunderstricken. Presently he fell upon his knees in
+the pit, and burying his naked arms up to the elbows in gold, let
+them there remain, as if enjoying the luxury of a bath. At length,
+with a deep sigh, he exclaimed, as if in a soliloquy:
+
+"And dis all cum of de goole-bug! de putty goole-bug! de poor
+little goole-bug, what I boosed in that sabage kind oh style!
+Ain't you shamed oh yourself, nigger?--answer me dat!"
+
+It became necessary, at last, that I should arouse both master and
+valet to the expediency of removing the treasure. It was growing
+late, and it behooved us to make exertion, that we might get
+everything housed before daylight. It was difficult to say what
+should he done, and much time was spent in deliberation--so
+confused were the ideas of all. We, finally, lightened the box by
+removing two thirds of its contents, when we were enabled, with
+some trouble, to raise it from the hole. The articles taken out
+were deposited among the brambles, and the dog left to guard them,
+with strict orders from Jupiter neither, upon any pretense, to stir
+from the spot, nor to open his mouth until our return. We then
+hurriedly made for home with the chest; reaching the hut in safety,
+but after excessive toil, at one o'clock in the morning. Worn out
+as we were, it was not in human nature to do more immediately. We
+rested until two, and had supper; starting for the hills
+immediately afterwards, armed with three stout sacks, which, by
+good luck, were upon the premises. A little before four we arrived
+at the pit, divided the remainder of the booty, as equally as might
+be, among us, and, leaving the holes unfilled, again set out for
+the hut, at which, for the second time, we deposited our golden
+burdens, just as the first faint streaks of the dawn gleamed from
+over the treetops in the east.
+
+We were now thoroughly broken down; but the intense excitement of
+the time denied us repose. After an unquiet slumber of some three
+or four hours' duration, we arose, as if by preconcert, to make
+examination of our treasure.
+
+The chest had been full to the brim, and we spent the whole day,
+and the greater part of the next night, in a scrutiny of its
+contents. There had been nothing like order or arrangement.
+Everything had been heaped in promiscuously. Having assorted all
+with care, we found ourselves possessed of even vaster wealth than
+we had at first supposed. In coin there was rather more than four
+hundred and fifty thousand dollars--estimating the value of the
+pieces, as accurately as we could, by the tables of the period.
+There was not a particle of silver. All was gold of antique date
+and of great variety--French, Spanish, and German money, with a few
+English guineas, and some counters, of which we had never seen
+specimens before. There were several very large and heavy coins,
+so worn that we could make nothing of their inscriptions. There
+was no American money. The value of the jewels we found more
+difficulty in estimating. There were diamonds--some of them
+exceedingly large and fine--a hundred and ten in all, and not one
+of them small; eighteen rubies of remarkable brilliancy;--three
+hundred and ten emeralds, all very beautiful; and twenty-one
+sapphires, with an opal. These stones had all been broken from
+their settings and thrown loose in the chest. The settings
+themselves, which we picked out from among the other gold, appeared
+to have been beaten up with hammers, as if to prevent
+identification. Besides all this, there was a vast quantity of
+solid gold ornaments; nearly two hundred massive finger and ears
+rings; rich chains--thirty of these, if I remember; eighty-three
+very large and heavy crucifixes; five gold censers of great value;
+a prodigious golden punch bowl, ornamented with richly chased vine
+leaves and Bacchanalian figures; with two sword handles exquisitely
+embossed, and many other smaller articles which I cannot recollect.
+The weight of these valuables exceeded three hundred and fifty
+pounds avoirdupois; and in this estimate I have not included one
+hundred and ninety-seven superb gold watches; three of the number
+being worth each five hundred dollars, if one. Many of them were
+very old, and as timekeepers valueless; the works having suffered,
+more or less, from corrosion--but all were richly jeweled and in
+cases of great worth. We estimated the entire contents of the
+chest, that night, at a million and a half of dollars; and upon the
+subsequent disposal of the trinkets and jewels (a few being
+retained for our own use), it was found that we had greatly
+undervalued the treasure.
+
+When, at length, we had concluded our examination, and the intense
+excitement of the time had, in some measure, subsided, Legrand, who
+saw that I was dying with impatience for a solution of this most
+extraordinary riddle, entered into a full detail of all the
+circumstances connected with it.
+
+"You remember," said he, "the night when I handed you the rough
+sketch I had made of the scarabaeus. You recollect, also, that I
+became quite vexed at you for insisting that my drawing resembled a
+death's head. When you first made this assertion I thought you
+were jesting; but afterwards I called to mind the peculiar spots on
+the back of the insect, and admitted to myself that your remark had
+some little foundation in fact. Still, the sneer at my graphic
+powers irritated me--for I am considered a good artist--and,
+therefore, when you handed me the scrap of parchment, I was about
+to crumple it up and throw it angrily into the fire."
+
+"The scrap of paper, you mean," said I.
+
+"No; it had much of the appearance of paper, and at first I
+supposed it to be such, but when I came to draw upon it, I
+discovered it at once to be a piece of very thin parchment. It was
+quite dirty, you remember. Well, as I was in the very act of
+crumpling it up, my glance fell upon the sketch at which you had
+been looking, and you may imagine my astonishment when I perceived,
+in fact, the figure of a death's head just where, it seemed to me,
+I had made the drawing of the beetle. For a moment I was too much
+amazed to think with accuracy. I knew that my design was very
+different in detail from this--although there was a certain
+similarity in general outline. Presently I took a candle, and
+seating myself at the other end of the room, proceeded to
+scrutinize the parchment more closely. Upon turning it over, I saw
+my own sketch upon the reverse, just as I had made it. My first
+idea, now, was mere surprise at the really remarkable similarity of
+outline--at the singular coincidence involved in the fact that,
+unknown to me, there should have been a skull upon the other side
+of the parchment, immediately beneath my figure of the scarabaeus,
+and that this skull, not only in outline, but in size, should so
+closely resemble my drawing. I say the singularity of this
+coincidence absolutely stupefied me for a time. This is the usual
+effect of such coincidences. The mind struggles to establish a
+connection--a sequence of cause and effect--and, being unable to do
+so, suffers a species of temporary paralysis. But, when I
+recovered from this stupor, there dawned upon me gradually a
+conviction which startled me even far more than the coincidence. I
+began distinctly, positively, to remember that there had been NO
+drawing upon the parchment, when I made my sketch of the
+scarabaeus. I became perfectly certain of this; for I recollected
+turning up first one side and then the other, in search of the
+cleanest spot. Had the skull been then there, of course I could
+not have failed to notice it. Here was indeed a mystery which I
+felt it impossible to explain; but, even at that early moment,
+there seemed to glimmer, faintly, within the most remote and secret
+chambers of my intellect, a glow-wormlike conception of that truth
+which last night's adventure brought to so magnificent a
+demonstration. I arose at once, and putting the parchment securely
+away, dismissed all further reflection until I should be alone.
+
+"When you had gone, and when Jupiter was fast asleep, I betook
+myself to a more methodical investigation of the affair. In the
+first place I considered the manner in which the parchment had come
+into my possession. The spot where we discovered the scarabaeus
+was on the coast of the mainland, about a mile eastward of the
+island, and but a short distance above high-water mark. Upon my
+taking hold of it, it gave me a sharp bite, which caused me to let
+it drop. Jupiter, with his accustomed caution, before seizing the
+insect, which had flown toward him, looked about him for a leaf, or
+something of that nature, by which to take hold of it. It was at
+this moment that his eyes, and mine also, fell upon the scrap of
+parchment, which I then supposed to be paper. It was lying half
+buried in the sand, a corner sticking up. Near the spot where we
+found it, I observed the remnants of the hull of what appeared to
+have been a ship's longboat. The wreck seemed to have been there
+for a very great while, for the resemblance to boat timbers could
+scarcely be traced.
+
+"Well, Jupiter picked up the parchment, wrapped the beetle in it,
+and gave it to me. Soon afterwards we turned to go home, and on
+the way met Lieutenant G----. I showed him the insect, and he
+begged me to let him take it to the fort. Upon my consenting, he
+thrust it forthwith into his waistcoat pocket, without the
+parchment in which it had been wrapped, and which I had continued
+to hold in my hand during his inspection. Perhaps he dreaded my
+changing my mind, and thought it best to make sure of the prize at
+once--you know how enthusiastic he is on all subjects connected
+with Natural History. At the same time, without being conscious of
+it, I must have deposited the parchment in my own pocket.
+
+"You remember that when I went to the table, for the purpose of
+making a sketch of the beetle, I found no paper where it was
+usually kept. I looked in the drawer, and found none there. I
+searched my pockets, hoping to find an old letter, when my hand
+fell upon the parchment. I thus detail the precise mode in which
+it came into my possession, for the circumstances impressed me with
+peculiar force.
+
+"No doubt you will think me fanciful--but I had already established
+a kind of CONNECTION. I had put together two links of a great
+chain. There was a boat lying upon a seacoast, and not far from
+the boat was a parchment--NOT A PAPER--with a skull depicted upon
+it. You will, of course, ask 'where is the connection?' I reply
+that the skull, or death's head, is the well-known emblem of the
+pirate. The flag of the death's head is hoisted in all
+engagements.
+
+"I have said that the scrap was parchment, and not paper.
+Parchment is durable--almost imperishable. Matters of little
+moment are rarely consigned to parchment; since, for the mere
+ordinary purposes of drawing or writing, it is not nearly so well
+adapted as paper. This reflection suggested some meaning--some
+relevancy--in the death's head. I did not fail to observe, also,
+the FORM of the parchment. Although one of its corners had been,
+by some accident, destroyed, it could be seen that the original
+form was oblong. It was just such a slip, indeed, as might have
+been chosen for a memorandum--for a record of something to be long
+remembered, and carefully preserved."
+
+"But," I interposed, "you say that the skull was NOT upon the
+parchment when you made the drawing of the beetle. How then do you
+trace any connection between the boat and the skull--since this
+latter, according to your own admission, must have been designed
+(God only knows how or by whom) at some period subsequent to your
+sketching the scarabaeus?"
+
+"Ah, hereupon turns the whole mystery; although the secret, at this
+point, I had comparatively little difficulty in solving. My steps
+were sure, and could afford but a single result. I reasoned, for
+example, thus: When I drew the scarabaeus, there was no skull
+apparent upon the parchment. When I had completed the drawing I
+gave it to you, and observed you narrowly until you returned it.
+YOU, therefore, did not design the skull, and no one else was
+present to do it. Then it was not done by human agency. And
+nevertheless it was done.
+
+"At this stage of my reflections I endeavored to remember, and DID
+remember, with entire distinctness, every incident which occurred
+about the period in question. The weather was chilly (oh, rare and
+happy accident!), and a fire was blazing upon the hearth. I was
+heated with exercise and sat near the table. You, however, had
+drawn a chair close to the chimney. Just as I placed the parchment
+in your hand, and as you were in the act of inspecting it, Wolf,
+the Newfoundland, entered, and leaped upon your shoulders. With
+your left hand you caressed him and kept him off, while your right,
+holding the parchment, was permitted to fall listlessly between
+your knees, and in close proximity to the fire. At one moment I
+thought the blaze had caught it, and was about to caution you, but,
+before I could speak, you had withdrawn it, and were engaged in its
+examination. When I considered all these particulars, I doubted
+not for a moment that HEAT had been the agent in bringing to light,
+upon the parchment, the skull which I saw designed upon it. You
+are well aware that chemical preparations exist, and have existed
+time out of mind, by means of which it is possible to write upon
+either paper or vellum, so that the characters shall become visible
+only when subjected to the action of fire. Zaffre, digested in
+aqua regia, and diluted with four times its weight of water, is
+sometimes employed; a green tint results. The regulus of cobalt,
+dissolved in spirit of niter, gives a red. These colors disappear
+at longer or shorter intervals after the material written upon
+cools, but again become apparent upon the reapplication of heat.
+
+"I now scrutinized the death's head with care. Its outer edges--
+the edges of the drawing nearest the edge of the vellum--were far
+more DISTINCT than the others. It was clear that the action of the
+caloric had been imperfect or unequal. I immediately kindled a
+fire, and subjected every portion of the parchment to a glowing
+heat. At first, the only effect was the strengthening of the faint
+lines in the skull; but, upon persevering in the experiment, there
+became visible, at the corner of the slip, diagonally opposite to
+the spot in which the death's head was delineated, the figure of
+what I at first supposed to be a goat. A closer scrutiny, however,
+satisfied me that it was intended for a kid."
+
+"Ha! ha!" said I, "to be sure I have no right to laugh at you--a
+million and a half of money is too serious a matter for mirth--but
+you are not about to establish a third link in your chain--you will
+not find any especial connection between your pirates and a goat--
+pirates, you know, have nothing to do with goats; they appertain to
+the farming interest."
+
+"But I have just said that the figure was NOT that of a goat."
+
+"Well, a kid then--pretty much the same thing."
+
+"Pretty much, but not altogether," said Legrand. "You may have
+heard of one CAPTAIN Kidd. I at once looked upon the figure of the
+animal as a kind of punning or hieroglyphical signature. I say
+signature; because its position upon the vellum suggested this
+idea. The death's head at the corner diagonally opposite, had, in
+the same manner, the air of a stamp, or seal. But I was sorely put
+out by the absence of all else--of the body to my imagined
+instrument--of the text for my context."
+
+"I presume you expected to find a letter between the stamp and the
+signature."
+
+"Something of that kind. The fact is, I felt irresistibly
+impressed with a presentiment of some vast good fortune impending.
+I can scarcely say why. Perhaps, after all, it was rather a desire
+than an actual belief;--but do you know that Jupiter's silly words,
+about the bug being of solid gold, had a remarkable effect upon my
+fancy? And then the series of accidents and coincidents--these
+were so VERY extraordinary. Do you observe how mere an accident it
+was that these events should have occurred upon the SOLE day of all
+the year in which it has been, or may be sufficiently cool for
+fire, and that without the fire, or without the intervention of the
+dog at the precise moment in which he appeared, I should never have
+become aware of the death's head, and so never the possessor of the
+treasure?"
+
+"But proceed--I am all impatience."
+
+"Well; you have heard, of course, the many stories current--the
+thousand vague rumors afloat about money buried, somewhere upon the
+Atlantic coast, by Kidd and his associates. These rumors must have
+had some foundation in fact. And that the rumors have existed so
+long and so continuous, could have resulted, it appeared to me,
+only from the circumstance of the buried treasures still REMAINING
+entombed. Had Kidd concealed his plunder for a time, and
+afterwards reclaimed it, the rumors would scarcely have reached us
+in their present unvarying form. You will observe that the stories
+told are all about money-seekers, not about money-finders. Had the
+pirate recovered his money, there the affair would have dropped.
+It seemed to me that some accident--say the loss of a memorandum
+indicating its locality--had deprived him of the means of
+recovering it, and that this accident had become known to his
+followers, who otherwise might never have heard that the treasure
+had been concealed at all, and who, busying themselves in vain,
+because unguided, attempts to regain it, had given first birth, and
+then universal currency, to the reports which are now so common.
+Have you ever heard of any important treasure being unearthed along
+the coast?"
+
+"Never."
+
+"But that Kidd's accumulations were immense, is well known. I took
+it for granted, therefore, that the earth still held them; and you
+will scarcely be surprised when I tell you that I felt a hope,
+nearly amounting to certainty, that the parchment so strangely
+found involved a lost record of the place of deposit."
+
+"But how did you proceed?"
+
+"I held the vellum again to the fire, after increasing the heat,
+but nothing appeared. I now thought it possible that the coating
+of dirt might have something to do with the failure: so I carefully
+rinsed the parchment by pouring warm water over it, and, having
+done this, I placed it in a tin pan, with the skull downward, and
+put the pan upon a furnace of lighted charcoal. In a few minutes,
+the pan having become thoroughly heated, I removed the slip, and,
+to my inexpressible joy, found it spotted, in several places, with
+what appeared to be figures arranged in lines. Again I placed it
+in the pan, and suffered it to remain another minute. Upon taking
+it off, the whole was just as you see it now."
+
+Here Legrand, having reheated the parchment, submitted it to my
+inspection. The following characters were rudely traced, in a red
+tint, between the death's head and the goat:
+
+
+"53++!305))6*;4826)4+)4+).;806*;48!8]60))85;1+8*:+(;:+*8!83(88)5*!;
+46(;88*96*?;8)*+(;485);5*!2:*+(;4956*2(5*-4)8]8*;4069285);)6!8)4++;
+1(+9;48081;8:8+1;48!85;4)485!528806*81(+9;48;(88;4(+?34;48)4+;161;:
+188;+?;"
+
+
+"But," said I, returning him the slip, "I am as much in the dark as
+ever. Were all the jewels of Golconda awaiting me upon my solution
+of this enigma, I am quite sure that I should be unable to earn
+them."
+
+"And yet," said Legrand, "the solution is by no means so difficult
+as you might be led to imagine from the first hasty inspection of
+the characters. These characters, as anyone might readily guess,
+form a cipher--that is to say, they convey a meaning; but then from
+what is known of Kidd, I could not suppose him capable of
+constructing any of the more abstruse cryptographs. I made up my
+mind, at once, that this was of a simple species--such, however, as
+would appear, to the crude intellect of the sailor, absolutely
+insoluble without the key."
+
+"And you really solved it?"
+
+"Readily; I have solved others of an abstruseness ten thousand
+times greater. Circumstances, and a certain bias of mind, have led
+me to take interest in such riddles, and it may well be doubted
+whether human ingenuity can construct an enigma of the kind which
+human ingenuity may not, by proper application, resolve. In fact,
+having once established connected and legible characters, I
+scarcely gave a thought to the mere difficulty of developing their
+import.
+
+"In the present case--indeed in all cases of secret writing--the
+first question regards the LANGUAGE of the cipher; for the
+principles of solution, so far, especially, as the more simple
+ciphers are concerned, depend upon, and are varied by, the genius
+of the particular idiom. In general, there is no alternative but
+experiment (directed by probabilities) of every tongue known to him
+who attempts the solution, until the true one be attained. But,
+with the cipher now before us, all difficulty was removed by the
+signature. The pun upon the word 'Kidd' is appreciable in no other
+language than the English. But for this consideration I should
+have begun my attempts with the Spanish and French, as the tongues
+in which a secret of this kind would most naturally have been
+written by a pirate of the Spanish main. As it was, I assumed the
+cryptograph to be English.
+
+"You observe there are no divisions between the words. Had there
+been divisions the task would have been comparatively easy. In
+such cases I should have commenced with a collation and analysis of
+the shorter words, and, had a word of a single letter occurred, as
+is most likely, (a or I, for example,) I should have considered the
+solution as assured. But, there being no division, my first step
+was to ascertain the predominant letters, as well as the least
+frequent. Counting all, I constructed a table thus:
+
+
+Of the character 8 there are 33.
+ ; " 26.
+ 4 " 19.
+ +) " 16.
+ * " 13.
+ 5 " 12.
+ 6 " 11.
+ !1 " 8.
+ 0 " 6.
+ 92 " 5.
+ :3 " 4.
+ ? " 3.
+ ] " 2.
+ -. " 1.
+
+
+"Now, in English, the letter which most frequently occurs is e.
+Afterwards, the succession runs thus: a o i d h n r s t u y c f g l
+m w b k p q x z. E predominates so remarkably, that an individual
+sentence of any length is rarely seen, in which it is not the
+prevailing character.
+
+"Here, then, we have, in the very beginning, the groundwork for
+something more than a mere guess. The general use which may be
+made of the table is obvious--but, in this particular cipher, we
+shall only very partially require its aid. As our predominant
+character is 8, we will commence by assuming it as the e of the
+natural alphabet. To verify the supposition, let us observe if the
+8 be seen often in couples--for e is doubled with great frequency
+in English--in such words, for example, as 'meet,' 'fleet,'
+'speed,' 'seen,' 'been,' 'agree,' etc. In the present instance we
+see it doubled no less than five times, although the cryptograph is
+brief.
+
+"Let us assume 8, then, as e. Now, of all WORDS in the language,
+'the' is most usual; let us see, therefore, whether there are not
+repetitions of any three characters, in the same order of
+collocation, the last of them being 8. If we discover repetitions
+of such letters, so arranged, they will most probably represent the
+word 'the.' Upon inspection, we find no less than seven such
+arrangements, the characters being ;48. We may, therefore, assume
+that ; represents t, 4 represents h, and 8 represents e--the last
+being now well confirmed. Thus a great step has been taken.
+
+"But, having established a single word, we are enabled to establish
+a vastly important point; that is to say, several commencements and
+terminations of other words. Let us refer, for example, to the
+last instance but one, in which the combination ;48 occurs--not far
+from the end of the cipher. We know that the ; immediately ensuing
+is the commencement of a word, and, of the six characters
+succeeding this 'the,' we are cognizant of no less than five. Let
+us set these characters down, thus, by the letters we know them to
+represent, leaving a space for the unknown--
+
+
+t eeth.
+
+
+"Here we are enabled, at once, to discard the 'th,' as forming no
+portion of the word commencing with the first t; since, by
+experiment of the entire alphabet for a letter adapted to the
+vacancy, we perceive that no word can be formed of which this th
+can be a part. We are thus narrowed into
+
+
+t ee,
+
+
+and, going through the alphabet, if necessary, as before, we arrive
+at the word 'tree,' as the sole possible reading. We thus gain
+another letter, r, represented by (, with the words 'the tree' in
+juxtaposition.
+
+"Looking beyond these words, for a short distance, we again see the
+combination ;48, and employ it by way of TERMINATION to what
+immediately precedes. We have thus this arrangement:
+
+
+the tree ;4(4+?34 the,
+
+
+or, substituting the natural letters, where known, it reads thus:
+
+
+the tree thr+?3h the.
+
+
+"Now, if, in place of the unknown characters, we leave blank
+spaces, or substitute dots, we read thus:
+
+
+the tree thr...h the,
+
+
+when the word 'through' makes itself evident at once. But this
+discovery gives us three new letters, o, u, and g, represented by
++, ?, and 3.
+
+"Looking now, narrowly, through the cipher for combinations of
+known characters, we find, not very far from the beginning, this
+arrangement,
+
+
+83(88, or egree,
+
+
+which plainly, is the conclusion of the word 'degree,' and gives us
+another letter, d, represented by !.
+
+"Four letters beyond the word 'degree,' we perceive the combination
+
+
+;46(;88.
+
+
+"Translating the known characters, and representing the unknown by
+dots, as before, we read thus:
+
+
+th.rtee,
+
+
+an arrangement immediately suggestive of the word thirteen,' and
+again furnishing us with two new characters, i and n, represented
+by 6 and *.
+
+"Referring, now, to the beginning of the cryptograph, we find the
+combination,
+
+
+53++!.
+
+
+"Translating as before, we obtain
+
+
+.good,
+
+
+which assures us that the first letter is A, and that the first two
+words are 'A good.'
+
+"It is now time that we arrange our key, as far as discovered, in a
+tabular form, to avoid confusion. It will stand thus:
+
+
+5 represents a
+! " d
+8 " e
+3 " g
+4 " h
+6 " i
+* " n
++ " o
+( " r
+; " t
+? " u
+
+
+"We have, therefore, no less than eleven of the most important
+letters represented, and it will be unnecessary to proceed with the
+details of the solution. I have said enough to convince you that
+ciphers of this nature are readily soluble, and to give you some
+insight into the rationale of their development. But be assured
+that the specimen before us appertains to the very simplest species
+of cryptograph. It now only remains to give you the full
+translation of the characters upon the parchment, as unriddled.
+Here it is:
+
+
+"'A good glass in the bishop's hostel in the devil's seat forty-one
+degrees and thirteen minutes northeast and by north main branch
+seventh limb east side shoot from the left eye of the death's head
+a bee-line from the tree through the shot fifty feet out.'"
+
+
+"But," said I, "the enigma seems still in as bad a condition as
+ever. How is it possible to extort a meaning from all this jargon
+about 'devil's seats,' 'death's heads,' and 'bishop's hostels'?"
+
+"I confess," replied Legrand, "that the matter still wears a
+serious aspect, when regarded with a casual glance. My first
+endeavor was to divide the sentence into the natural division
+intended by the cryptographist."
+
+"You mean, to punctuate it?"
+
+"Something of that kind."
+
+"But how was it possible to effect this?"
+
+"I reflected that it had been a POINT with the writer to run his
+words together without division, so as to increase the difficulty
+of solution. Now, a not overacute man, in pursuing such an object,
+would be nearly certain to overdo the matter. When, in the course
+of his composition, he arrived at a break in his subject which
+would naturally require a pause, or a point, he would be
+exceedingly apt to run his characters, at this place, more than
+usually close together. If you will observe the MS., in the
+present instance, you will easily detect five such cases of unusual
+crowding. Acting upon this hint I made the division thus:
+
+
+"'A good glass in the bishop's hostel in the devil's seat--forty-
+one degrees and thirteen minutes--northeast and by north--main
+branch seventh limb east side--shoot from the left eye of the
+death's head--a bee-line from the tree through the shot fifty feet
+out.'"
+
+
+"Even this division," said I, "leaves me still in the dark."
+
+"It left me also in the dark," replied Legrand, "for a few days;
+during which I made diligent inquiry in the neighborhood of
+Sullivan's Island, for any building which went by name of the
+'Bishop's Hotel'; for, of course, I dropped the obsolete word
+'hostel.' Gaining no information on the subject, I was on the
+point of extending my sphere of search, and proceeding in a more
+systematic manner, when, one morning, it entered into my head,
+quite suddenly, that this 'Bishop's Hostel' might have some
+reference to an old family, of the name of Bessop, which, time out
+of mind, had held possession of an ancient manor house, about four
+miles to the northward of the island. I accordingly went over to
+the plantation, and reinstituted my inquiries among the older
+negroes of the place. At length one of the most aged of the women
+said that she had heard of such a place as Bessop's Castle, and
+thought that she could guide me to it, but that it was not a
+castle, nor a tavern, but a high rock.
+
+"I offered to pay her well for her trouble, and, after some demur,
+she consented to accompany me to the spot. We found it without
+much difficulty, when, dismissing her, I proceeded to examine the
+place. The 'castle' consisted of an irregular assemblage of cliffs
+and rocks--one of the latter being quite remarkable for its height
+as well as for its insulated and artificial appearance. I
+clambered to its apex, and then felt much at a loss as to what
+should be next done.
+
+"While I was busied in reflection, my eyes fell upon a narrow ledge
+in the eastern face of the rock, perhaps a yard below the summit
+upon which I stood. This ledge projected about eighteen inches,
+and was not more than a foot wide, while a niche in the cliff just
+above it gave it a rude resemblance to one of the hollow-backed
+chairs used by our ancestors. I made no doubt that here was the
+'devil's seat' alluded to in the MS., and now I seemed to grasp the
+full secret of the riddle.
+
+"The 'good glass,' I knew, could have reference to nothing but a
+telescope; for the word 'glass' is rarely employed in any other
+sense by seamen. Now here, I at once saw, was a telescope to be
+used, and a definite point of view, ADMITTING NO VARIATION, from
+which to use it. Nor did I hesitate to believe that the phrases,
+'forty-one degrees and thirteen minutes,' and 'northeast and by
+north,' were intended as directions for the leveling of the glass.
+Greatly excited by these discoveries, I hurried home, procured a
+telescope, and returned to the rock.
+
+"I let myself down to the ledge, and found that it was impossible
+to retain a seat upon it except in one particular position. This
+fact confirmed my preconceived idea. I proceeded to use the glass.
+Of course, the 'forty-one degrees and thirteen minutes' could
+allude to nothing but elevation above the visible horizon, since
+the horizontal direction was clearly indicated by the words,
+'northeast and by north.' This latter direction I at once
+established by means of a pocket compass; then, pointing the glass
+as nearly at an angle of forty-one degrees of elevation as I could
+do it by guess, I moved it cautiously up or down, until my
+attention was arrested by a circular rift or opening in the foliage
+of a large tree that overtopped its fellows in the distance. In
+the center of this rift I perceived a white spot, but could not, at
+first, distinguish what it was. Adjusting the focus of the
+telescope, I again looked, and now made it out to be a human skull.
+
+"Upon this discovery I was so sanguine as to consider the enigma
+solved; for the phrase 'main branch, seventh limb, east side,'
+could refer only to the position of the skull upon the tree, while
+'shoot from the left eye of the death's head' admitted, also, of
+but one interpretation, in regard to a search for buried treasure.
+I perceived that the design was to drop a bullet from the left eye
+of the skull, and that a bee-line, or, in other words, a straight
+line, drawn from the nearest point of the trunk 'through the shot'
+(or the spot where the bullet fell), and thence extended to a
+distance of fifty feet, would indicate a definite point--and
+beneath this point I thought it at least POSSIBLE that a deposit of
+value lay concealed."
+
+"All this," I said, "is exceedingly clear, and, although ingenious,
+still simple and explicit. When you left the Bishop's Hotel, what
+then?"
+
+"Why, having carefully taken the bearings of the tree, I turned
+homeward. The instant that I left 'the devil's seat,' however, the
+circular rift vanished; nor could I get a glimpse of it afterwards,
+turn as I would. What seems to me the chief ingenuity in this
+whole business, is the fact (for repeated experiment has convinced
+me it IS a fact) that the circular opening in question is visible
+from no other attainable point of view than that afforded by the
+narrow ledge upon the face of the rock.
+
+"In this expedition to the 'Bishop's Hotel' I had been attended by
+Jupiter, who had, no doubt, observed, for some weeks past, the
+abstraction of my demeanor, and took especial care not to leave me
+alone. But, on the next day, getting up very early, I contrived to
+give him the slip, and went into the hills in search of the tree.
+After much toil I found it. When I came home at night my valet
+proposed to give me a flogging. With the rest of the adventure I
+believe you are as well acquainted as myself."
+
+"I suppose," said I, "you missed the spot, in the first attempt at
+digging, through Jupiter's stupidity in letting the bug fall
+through the right instead of through the left eye of the skull."
+
+"Precisely. This mistake made a difference of about two inches and
+a half in the 'shot'--that is to say, in the position of the peg
+nearest the tree; and had the treasure been BENEATH the 'shot,' the
+error would have been of little moment; but 'the shot,' together
+with the nearest point of the tree, were merely two points for the
+establishment of a line of direction; of course the error, however
+trivial in the beginning, increased as we proceeded with the line,
+and by the time we had gone fifty feet threw us quite off the
+scent. But for my deep-seated impressions that treasure was here
+somewhere actually buried, we might have had all our labor in
+vain."
+
+"But your grandiloquence, and your conduct in swinging the beetle--
+how excessively odd! I was sure you were mad. And why did you
+insist upon letting fall the bug, instead of a bullet, from the
+skull?"
+
+"Why, to be frank, I felt somewhat annoyed by your evident
+suspicions touching my sanity, and so resolved to punish you
+quietly, in my own way, by a little bit of sober mystification.
+For this reason I swung the beetle, and for this reason I let it
+fall from the tree. An observation of yours about its great weight
+suggested the latter idea."
+
+"Yes, I perceive; and now there is only one point which puzzles me.
+What are we to make of the skeletons found in the hole?"
+
+"That is a question I am no more able to answer than yourself.
+There seems, however, only one plausible way of accounting for
+them--and yet it is dreadful to believe in such atrocity as my
+suggestion would imply. It is clear that Kidd--if Kidd indeed
+secreted this treasure, which I doubt not--it is clear that he must
+have had assistance in the labor. But this labor concluded, he may
+have thought it expedient to remove all participants in his secret.
+Perhaps a couple of blows with a mattock were sufficient, while his
+coadjutors were busy in the pit; perhaps it required a dozen--who
+shall tell?"
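
Review bot: In the paragraph following `th.rtee,` the added text reads `the word thirteen,'` with a closing quote but no opening one; every other quoted word in the decipherment walkthrough ('tree,' 'through,' 'degree') is quoted on both sides, so this should read `'thirteen,'`. In the same hunk, the frequency table puts two cipher symbols on a single row in five places (`+)`, `!1`, `92`, `:3`, `-.`), which reads as a two-character token rather than two symbols sharing one count. It also has no row for `(`, although the key table further down maps `(` to r. One symbol per row, or a short note that the table is reproduced as printed, would remove the ambiguity for anyone checking the counts against the key.
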
+++ /dev/null
-
-
-
-
-
-
-Network Working Group D. Eastlake, 3rd
-Request for Comments: 1750 DEC
-Category: Informational S. Crocker
- Cybercash
- J. Schiller
- MIT
- December 1994
-
-
- Randomness Recommendations for Security
-
-Status of this Memo
-
- This memo provides information for the Internet community. This memo
- does not specify an Internet standard of any kind. Distribution of
- this memo is unlimited.
-
-Abstract
-
- Security systems today are built on increasingly strong cryptographic
- algorithms that foil pattern analysis attempts. However, the security
- of these systems is dependent on generating secret quantities for
- passwords, cryptographic keys, and similar quantities. The use of
- pseudo-random processes to generate secret quantities can result in
- pseudo-security. The sophisticated attacker of these security
- systems may find it easier to reproduce the environment that produced
- the secret quantities, searching the resulting small set of
- possibilities, than to locate the quantities in the whole of the
- number space.
-
- Choosing random quantities to foil a resourceful and motivated
- adversary is surprisingly difficult. This paper points out many
- pitfalls in using traditional pseudo-random number generation
- techniques for choosing such quantities. It recommends the use of
- truly random hardware techniques and shows that the existing hardware
- on many systems can be used for this purpose. It provides
- suggestions to ameliorate the problem when a hardware solution is not
- available. And it gives examples of how large such quantities need
- to be for some particular applications.
-
-
-
-
-
-
-
-
-
-
-
-
-Eastlake, Crocker & Schiller [Page 1]
-\f
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
-Acknowledgements
-
- Comments on this document that have been incorporated were received
- from (in alphabetic order) the following:
-
- David M. Balenson (TIS)
- Don Coppersmith (IBM)
- Don T. Davis (consultant)
- Carl Ellison (Stratus)
- Marc Horowitz (MIT)
- Christian Huitema (INRIA)
- Charlie Kaufman (IRIS)
- Steve Kent (BBN)
- Hal Murray (DEC)
- Neil Haller (Bellcore)
- Richard Pitkin (DEC)
- Tim Redmond (TIS)
- Doug Tygar (CMU)
-
-Table of Contents
-
- 1. Introduction........................................... 3
- 2. Requirements........................................... 4
- 3. Traditional Pseudo-Random Sequences.................... 5
- 4. Unpredictability....................................... 7
- 4.1 Problems with Clocks and Serial Numbers............... 7
- 4.2 Timing and Content of External Events................ 8
- 4.3 The Fallacy of Complex Manipulation.................. 8
- 4.4 The Fallacy of Selection from a Large Database....... 9
- 5. Hardware for Randomness............................... 10
- 5.1 Volume Required...................................... 10
- 5.2 Sensitivity to Skew.................................. 10
- 5.2.1 Using Stream Parity to De-Skew..................... 11
- 5.2.2 Using Transition Mappings to De-Skew............... 12
- 5.2.3 Using FFT to De-Skew............................... 13
- 5.2.4 Using Compression to De-Skew....................... 13
- 5.3 Existing Hardware Can Be Used For Randomness......... 14
- 5.3.1 Using Existing Sound/Video Input................... 14
- 5.3.2 Using Existing Disk Drives......................... 14
- 6. Recommended Non-Hardware Strategy..................... 14
- 6.1 Mixing Functions..................................... 15
- 6.1.1 A Trivial Mixing Function.......................... 15
- 6.1.2 Stronger Mixing Functions.......................... 16
- 6.1.3 Diff-Hellman as a Mixing Function.................. 17
- 6.1.4 Using a Mixing Function to Stretch Random Bits..... 17
- 6.1.5 Other Factors in Choosing a Mixing Function........ 18
- 6.2 Non-Hardware Sources of Randomness................... 19
- 6.3 Cryptographically Strong Sequences................... 19
-
-
-
-Eastlake, Crocker & Schiller [Page 2]
-\f
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- 6.3.1 Traditional Strong Sequences....................... 20
- 6.3.2 The Blum Blum Shub Sequence Generator.............. 21
- 7. Key Generation Standards.............................. 22
- 7.1 US DoD Recommendations for Password Generation....... 23
- 7.2 X9.17 Key Generation................................. 23
- 8. Examples of Randomness Required....................... 24
- 8.1 Password Generation................................. 24
- 8.2 A Very High Security Cryptographic Key............... 25
- 8.2.1 Effort per Key Trial............................... 25
- 8.2.2 Meet in the Middle Attacks......................... 26
- 8.2.3 Other Considerations............................... 26
- 9. Conclusion............................................ 27
- 10. Security Considerations.............................. 27
- References............................................... 28
- Authors' Addresses....................................... 30
-
-1. Introduction
-
- Software cryptography is coming into wider use. Systems like
- Kerberos, PEM, PGP, etc. are maturing and becoming a part of the
- network landscape [PEM]. These systems provide substantial
- protection against snooping and spoofing. However, there is a
- potential flaw. At the heart of all cryptographic systems is the
- generation of secret, unguessable (i.e., random) numbers.
-
- For the present, the lack of generally available facilities for
- generating such unpredictable numbers is an open wound in the design
- of cryptographic software. For the software developer who wants to
- build a key or password generation procedure that runs on a wide
- range of hardware, the only safe strategy so far has been to force
- the local installation to supply a suitable routine to generate
- random numbers. To say the least, this is an awkward, error-prone
- and unpalatable solution.
-
- It is important to keep in mind that the requirement is for data that
- an adversary has a very low probability of guessing or determining.
- This will fail if pseudo-random data is used which only meets
- traditional statistical tests for randomness or which is based on
- limited range sources, such as clocks. Frequently such random
- quantities are determinable by an adversary searching through an
- embarrassingly small space of possibilities.
-
- This informational document suggests techniques for producing random
- quantities that will be resistant to such attack. It recommends that
- future systems include hardware random number generation or provide
- access to existing hardware that can be used for this purpose. It
- suggests methods for use if such hardware is not available. And it
- gives some estimates of the number of random bits required for sample
-
-
-
-Eastlake, Crocker & Schiller [Page 3]
-\f
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- applications.
-
-2. Requirements
-
- Probably the most commonly encountered randomness requirement today
- is the user password. This is usually a simple character string.
- Obviously, if a password can be guessed, it does not provide
- security. (For re-usable passwords, it is desirable that users be
- able to remember the password. This may make it advisable to use
- pronounceable character strings or phrases composed on ordinary
- words. But this only affects the format of the password information,
- not the requirement that the password be very hard to guess.)
-
- Many other requirements come from the cryptographic arena.
- Cryptographic techniques can be used to provide a variety of services
- including confidentiality and authentication. Such services are
- based on quantities, traditionally called "keys", that are unknown to
- and unguessable by an adversary.
-
- In some cases, such as the use of symmetric encryption with the one
- time pads [CRYPTO*] or the US Data Encryption Standard [DES], the
- parties who wish to communicate confidentially and/or with
- authentication must all know the same secret key. In other cases,
- using what are called asymmetric or "public key" cryptographic
- techniques, keys come in pairs. One key of the pair is private and
- must be kept secret by one party, the other is public and can be
- published to the world. It is computationally infeasible to
- determine the private key from the public key [ASYMMETRIC, CRYPTO*].
-
- The frequency and volume of the requirement for random quantities
- differs greatly for different cryptographic systems. Using pure RSA
- [CRYPTO*], random quantities are required when the key pair is
- generated, but thereafter any number of messages can be signed
- without any further need for randomness. The public key Digital
- Signature Algorithm that has been proposed by the US National
- Institute of Standards and Technology (NIST) requires good random
- numbers for each signature. And encrypting with a one time pad, in
- principle the strongest possible encryption technique, requires a
- volume of randomness equal to all the messages to be processed.
-
- In most of these cases, an adversary can try to determine the
- "secret" key by trial and error. (This is possible as long as the
- key is enough smaller than the message that the correct key can be
- uniquely identified.) The probability of an adversary succeeding at
- this must be made acceptably low, depending on the particular
- application. The size of the space the adversary must search is
- related to the amount of key "information" present in the information
- theoretic sense [SHANNON]. This depends on the number of different
-
-
-
-Eastlake, Crocker & Schiller [Page 4]
-\f
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- secret values possible and the probability of each value as follows:
-
- -----
- \
- Bits-of-info = \ - p * log ( p )
- / i 2 i
- /
- -----
-
- where i varies from 1 to the number of possible secret values and p
- sub i is the probability of the value numbered i. (Since p sub i is
- less than one, the log will be negative so each term in the sum will
- be non-negative.)
-
- If there are 2^n different values of equal probability, then n bits
- of information are present and an adversary would, on the average,
- have to try half of the values, or 2^(n-1) , before guessing the
- secret quantity. If the probability of different values is unequal,
- then there is less information present and fewer guesses will, on
- average, be required by an adversary. In particular, any values that
- the adversary can know are impossible, or are of low probability, can
- be initially ignored by an adversary, who will search through the
- more probable values first.
-
- For example, consider a cryptographic system that uses 56 bit keys.
- If these 56 bit keys are derived by using a fixed pseudo-random
- number generator that is seeded with an 8 bit seed, then an adversary
- needs to search through only 256 keys (by running the pseudo-random
- number generator with every possible seed), not the 2^56 keys that
- may at first appear to be the case. Only 8 bits of "information" are
- in these 56 bit keys.
-
-3. Traditional Pseudo-Random Sequences
-
- Most traditional sources of random numbers use deterministic sources
- of "pseudo-random" numbers. These typically start with a "seed"
- quantity and use numeric or logical operations to produce a sequence
- of values.
-
- [KNUTH] has a classic exposition on pseudo-random numbers.
- Applications he mentions are simulation of natural phenomena,
- sampling, numerical analysis, testing computer programs, decision
- making, and games. None of these have the same characteristics as
- the sort of security uses we are talking about. Only in the last two
- could there be an adversary trying to find the random quantity.
- However, in these cases, the adversary normally has only a single
- chance to use a guessed value. In guessing passwords or attempting
- to break an encryption scheme, the adversary normally has many,
-
-
-
-Eastlake, Crocker & Schiller [Page 5]
-\f
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- perhaps unlimited, chances at guessing the correct value and should
- be assumed to be aided by a computer.
-
- For testing the "randomness" of numbers, Knuth suggests a variety of
- measures including statistical and spectral. These tests check
- things like autocorrelation between different parts of a "random"
- sequence or distribution of its values. They could be met by a
- constant stored random sequence, such as the "random" sequence
- printed in the CRC Standard Mathematical Tables [CRC].
-
- A typical pseudo-random number generation technique, known as a
- linear congruence pseudo-random number generator, is modular
- arithmetic where the N+1th value is calculated from the Nth value by
-
- V = ( V * a + b )(Mod c)
- N+1 N
-
- The above technique has a strong relationship to linear shift
- register pseudo-random number generators, which are well understood
- cryptographically [SHIFT*]. In such generators bits are introduced
- at one end of a shift register as the Exclusive Or (binary sum
- without carry) of bits from selected fixed taps into the register.
-
- For example:
-
- +----+ +----+ +----+ +----+
- | B | <-- | B | <-- | B | <-- . . . . . . <-- | B | <-+
- | 0 | | 1 | | 2 | | n | |
- +----+ +----+ +----+ +----+ |
- | | | |
- | | V +-----+
- | V +----------------> | |
- V +-----------------------------> | XOR |
- +---------------------------------------------------> | |
- +-----+
-
-
- V = ( ( V * 2 ) + B .xor. B ... )(Mod 2^n)
- N+1 N 0 2
-
- The goodness of traditional pseudo-random number generator algorithms
- is measured by statistical tests on such sequences. Carefully chosen
- values of the initial V and a, b, and c or the placement of shift
- register tap in the above simple processes can produce excellent
- statistics.
-
-
-
-
-
-
-Eastlake, Crocker & Schiller [Page 6]
-\f
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- These sequences may be adequate in simulations (Monte Carlo
- experiments) as long as the sequence is orthogonal to the structure
- of the space being explored. Even there, subtle patterns may cause
- problems. However, such sequences are clearly bad for use in
- security applications. They are fully predictable if the initial
- state is known. Depending on the form of the pseudo-random number
- generator, the sequence may be determinable from observation of a
- short portion of the sequence [CRYPTO*, STERN]. For example, with
- the generators above, one can determine V(n+1) given knowledge of
- V(n). In fact, it has been shown that with these techniques, even if
- only one bit of the pseudo-random values is released, the seed can be
- determined from short sequences.
-
- Not only have linear congruent generators been broken, but techniques
- are now known for breaking all polynomial congruent generators
- [KRAWCZYK].
-
-4. Unpredictability
-
- Randomness in the traditional sense described in section 3 is NOT the
- same as the unpredictability required for security use.
-
- For example, use of a widely available constant sequence, such as
- that from the CRC tables, is very weak against an adversary. Once
- they learn of or guess it, they can easily break all security, future
- and past, based on the sequence [CRC]. Yet the statistical
- properties of these tables are good.
-
- The following sections describe the limitations of some randomness
- generation techniques and sources.
-
-4.1 Problems with Clocks and Serial Numbers
-
- Computer clocks, or similar operating system or hardware values,
- provide significantly fewer real bits of unpredictability than might
- appear from their specifications.
-
- Tests have been done on clocks on numerous systems and it was found
- that their behavior can vary widely and in unexpected ways. One
- version of an operating system running on one set of hardware may
- actually provide, say, microsecond resolution in a clock while a
- different configuration of the "same" system may always provide the
- same lower bits and only count in the upper bits at much lower
- resolution. This means that successive reads on the clock may
- produce identical values even if enough time has passed that the
- value "should" change based on the nominal clock resolution. There
- are also cases where frequently reading a clock can produce
- artificial sequential values because of extra code that checks for
-
-
-
-Eastlake, Crocker & Schiller [Page 7]
-\f
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- the clock being unchanged between two reads and increases it by one!
- Designing portable application code to generate unpredictable numbers
- based on such system clocks is particularly challenging because the
- system designer does not always know the properties of the system
- clocks that the code will execute on.
-
- Use of a hardware serial number such as an Ethernet address may also
- provide fewer bits of uniqueness than one would guess. Such
- quantities are usually heavily structured and subfields may have only
- a limited range of possible values or values easily guessable based
- on approximate date of manufacture or other data. For example, it is
- likely that most of the Ethernet cards installed on Digital Equipment
- Corporation (DEC) hardware within DEC were manufactured by DEC
- itself, which significantly limits the range of built in addresses.
-
- Problems such as those described above related to clocks and serial
- numbers make code to produce unpredictable quantities difficult if
- the code is to be ported across a variety of computer platforms and
- systems.
-
-4.2 Timing and Content of External Events
-
- It is possible to measure the timing and content of mouse movement,
- key strokes, and similar user events. This is a reasonable source of
- unguessable data with some qualifications. On some machines, inputs
- such as key strokes are buffered. Even though the user's inter-
- keystroke timing may have sufficient variation and unpredictability,
- there might not be an easy way to access that variation. Another
- problem is that no standard method exists to sample timing details.
- This makes it hard to build standard software intended for
- distribution to a large range of machines based on this technique.
-
- The amount of mouse movement or the keys actually hit are usually
- easier to access than timings but may yield less unpredictability as
- the user may provide highly repetitive input.
-
- Other external events, such as network packet arrival times, can also
- be used with care. In particular, the possibility of manipulation of
- such times by an adversary must be considered.
-
-4.3 The Fallacy of Complex Manipulation
-
- One strategy which may give a misleading appearance of
- unpredictability is to take a very complex algorithm (or an excellent
- traditional pseudo-random number generator with good statistical
- properties) and calculate a cryptographic key by starting with the
- current value of a computer system clock as the seed. An adversary
- who knew roughly when the generator was started would have a
-
-
-
-Eastlake, Crocker & Schiller [Page 8]
-\f
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- relatively small number of seed values to test as they would know
- likely values of the system clock. Large numbers of pseudo-random
- bits could be generated but the search space an adversary would need
- to check could be quite small.
-
- Thus very strong and/or complex manipulation of data will not help if
- the adversary can learn what the manipulation is and there is not
- enough unpredictability in the starting seed value. Even if they can
- not learn what the manipulation is, they may be able to use the
- limited number of results stemming from a limited number of seed
- values to defeat security.
-
- Another serious strategy error is to assume that a very complex
- pseudo-random number generation algorithm will produce strong random
- numbers when there has been no theory behind or analysis of the
- algorithm. There is a excellent example of this fallacy right near
- the beginning of chapter 3 in [KNUTH] where the author describes a
- complex algorithm. It was intended that the machine language program
- corresponding to the algorithm would be so complicated that a person
- trying to read the code without comments wouldn't know what the
- program was doing. Unfortunately, actual use of this algorithm
- showed that it almost immediately converged to a single repeated
- value in one case and a small cycle of values in another case.
-
- Not only does complex manipulation not help you if you have a limited
- range of seeds but blindly chosen complex manipulation can destroy
- the randomness in a good seed!
-
-4.4 The Fallacy of Selection from a Large Database
-
- Another strategy that can give a misleading appearance of
- unpredictability is selection of a quantity randomly from a database
- and assume that its strength is related to the total number of bits
- in the database. For example, typical USENET servers as of this date
- process over 35 megabytes of information per day. Assume a random
- quantity was selected by fetching 32 bytes of data from a random
- starting point in this data. This does not yield 32*8 = 256 bits
- worth of unguessability. Even after allowing that much of the data
- is human language and probably has more like 2 or 3 bits of
- information per byte, it doesn't yield 32*2.5 = 80 bits of
- unguessability. For an adversary with access to the same 35
- megabytes the unguessability rests only on the starting point of the
- selection. That is, at best, about 25 bits of unguessability in this
- case.
-
- The same argument applies to selecting sequences from the data on a
- CD ROM or Audio CD recording or any other large public database. If
- the adversary has access to the same database, this "selection from a
-
-
-
-Eastlake, Crocker & Schiller [Page 9]
-\f
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- large volume of data" step buys very little. However, if a selection
- can be made from data to which the adversary has no access, such as
- system buffers on an active multi-user system, it may be of some
- help.
-
-5. Hardware for Randomness
-
- Is there any hope for strong portable randomness in the future?
- There might be. All that's needed is a physical source of
- unpredictable numbers.
-
- A thermal noise or radioactive decay source and a fast, free-running
- oscillator would do the trick directly [GIFFORD]. This is a trivial
- amount of hardware, and could easily be included as a standard part
- of a computer system's architecture. Furthermore, any system with a
- spinning disk or the like has an adequate source of randomness
- [DAVIS]. All that's needed is the common perception among computer
- vendors that this small additional hardware and the software to
- access it is necessary and useful.
-
-5.1 Volume Required
-
- How much unpredictability is needed? Is it possible to quantify the
- requirement in, say, number of random bits per second?
-
- The answer is not very much is needed. For DES, the key is 56 bits
- and, as we show in an example in Section 8, even the highest security
- system is unlikely to require a keying material of over 200 bits. If
- a series of keys are needed, it can be generated from a strong random
- seed using a cryptographically strong sequence as explained in
- Section 6.3. A few hundred random bits generated once a day would be
- enough using such techniques. Even if the random bits are generated
- as slowly as one per second and it is not possible to overlap the
- generation process, it should be tolerable in high security
- applications to wait 200 seconds occasionally.
-
- These numbers are trivial to achieve. It could be done by a person
- repeatedly tossing a coin. Almost any hardware process is likely to
- be much faster.
-
-5.2 Sensitivity to Skew
-
- Is there any specific requirement on the shape of the distribution of
- the random numbers? The good news is the distribution need not be
- uniform. All that is needed is a conservative estimate of how non-
- uniform it is to bound performance. Two simple techniques to de-skew
- the bit stream are given below and stronger techniques are mentioned
- in Section 6.1.2 below.
-
-
-
-Eastlake, Crocker & Schiller [Page 10]
-\f
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
-5.2.1 Using Stream Parity to De-Skew
-
- Consider taking a sufficiently long string of bits and map the string
- to "zero" or "one". The mapping will not yield a perfectly uniform
- distribution, but it can be as close as desired. One mapping that
- serves the purpose is to take the parity of the string. This has the
- advantages that it is robust across all degrees of skew up to the
- estimated maximum skew and is absolutely trivial to implement in
- hardware.
-
- The following analysis gives the number of bits that must be sampled:
-
- Suppose the ratio of ones to zeros is 0.5 + e : 0.5 - e, where e is
- between 0 and 0.5 and is a measure of the "eccentricity" of the
- distribution. Consider the distribution of the parity function of N
- bit samples. The probabilities that the parity will be one or zero
- will be the sum of the odd or even terms in the binomial expansion of
- (p + q)^N, where p = 0.5 + e, the probability of a one, and q = 0.5 -
- e, the probability of a zero.
-
- These sums can be computed easily as
-
- N N
- 1/2 * ( ( p + q ) + ( p - q ) )
- and
- N N
- 1/2 * ( ( p + q ) - ( p - q ) ).
-
- (Which one corresponds to the probability the parity will be 1
- depends on whether N is odd or even.)
-
- Since p + q = 1 and p - q = 2e, these expressions reduce to
-
- N
- 1/2 * [1 + (2e) ]
- and
- N
- 1/2 * [1 - (2e) ].
-
- Neither of these will ever be exactly 0.5 unless e is zero, but we
- can bring them arbitrarily close to 0.5. If we want the
- probabilities to be within some delta d of 0.5, i.e. then
-
- N
- ( 0.5 + ( 0.5 * (2e) ) ) < 0.5 + d.
-
-
-
-
-
-
-Eastlake, Crocker & Schiller [Page 11]
-\f
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- Solving for N yields N > log(2d)/log(2e). (Note that 2e is less than
- 1, so its log is negative. Division by a negative number reverses
- the sense of an inequality.)
-
- The following table gives the length of the string which must be
- sampled for various degrees of skew in order to come within 0.001 of
- a 50/50 distribution.
-
- +---------+--------+-------+
- | Prob(1) | e | N |
- +---------+--------+-------+
- | 0.5 | 0.00 | 1 |
- | 0.6 | 0.10 | 4 |
- | 0.7 | 0.20 | 7 |
- | 0.8 | 0.30 | 13 |
- | 0.9 | 0.40 | 28 |
- | 0.95 | 0.45 | 59 |
- | 0.99 | 0.49 | 308 |
- +---------+--------+-------+
-
- The last entry shows that even if the distribution is skewed 99% in
- favor of ones, the parity of a string of 308 samples will be within
- 0.001 of a 50/50 distribution.
-
-5.2.2 Using Transition Mappings to De-Skew
-
- Another technique, originally due to von Neumann [VON NEUMANN], is to
- examine a bit stream as a sequence of non-overlapping pairs. You
- could then discard any 00 or 11 pairs found, interpret 01 as a 0 and
- 10 as a 1. Assume the probability of a 1 is 0.5+e and the
- probability of a 0 is 0.5-e where e is the eccentricity of the source
- and described in the previous section. Then the probability of each
- pair is as follows:
-
- +------+-----------------------------------------+
- | pair | probability |
- +------+-----------------------------------------+
- | 00 | (0.5 - e)^2 = 0.25 - e + e^2 |
- | 01 | (0.5 - e)*(0.5 + e) = 0.25 - e^2 |
- | 10 | (0.5 + e)*(0.5 - e) = 0.25 - e^2 |
- | 11 | (0.5 + e)^2 = 0.25 + e + e^2 |
- +------+-----------------------------------------+
-
- This technique will completely eliminate any bias but at the expense
- of taking an indeterminate number of input bits for any particular
- desired number of output bits. The probability of any particular
- pair being discarded is 0.5 + 2e^2 so the expected number of input
- bits to produce X output bits is X/(0.25 - e^2).
-
-
-
-Eastlake, Crocker & Schiller [Page 12]
-\f
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- This technique assumes that the bits are from a stream where each bit
- has the same probability of being a 0 or 1 as any other bit in the
- stream and that bits are not correlated, i.e., that the bits are
- identical independent distributions. If alternate bits were from two
- correlated sources, for example, the above analysis breaks down.
-
- The above technique also provides another illustration of how a
- simple statistical analysis can mislead if one is not always on the
- lookout for patterns that could be exploited by an adversary. If the
- algorithm were mis-read slightly so that overlapping successive bits
- pairs were used instead of non-overlapping pairs, the statistical
- analysis given is the same; however, instead of provided an unbiased
- uncorrelated series of random 1's and 0's, it instead produces a
- totally predictable sequence of exactly alternating 1's and 0's.
-
-5.2.3 Using FFT to De-Skew
-
- When real world data consists of strongly biased or correlated bits,
- it may still contain useful amounts of randomness. This randomness
- can be extracted through use of the discrete Fourier transform or its
- optimized variant, the FFT.
-
- Using the Fourier transform of the data, strong correlations can be
- discarded. If adequate data is processed and remaining correlations
- decay, spectral lines approaching statistical independence and
- normally distributed randomness can be produced [BRILLINGER].
-
-5.2.4 Using Compression to De-Skew
-
- Reversible compression techniques also provide a crude method of de-
- skewing a skewed bit stream. This follows directly from the
- definition of reversible compression and the formula in Section 2
- above for the amount of information in a sequence. Since the
- compression is reversible, the same amount of information must be
- present in the shorter output than was present in the longer input.
- By the Shannon information equation, this is only possible if, on
- average, the probabilities of the different shorter sequences are
- more uniformly distributed than were the probabilities of the longer
- sequences. Thus the shorter sequences are de-skewed relative to the
- input.
-
- However, many compression techniques add a somewhat predicatable
- preface to their output stream and may insert such a sequence again
- periodically in their output or otherwise introduce subtle patterns
- of their own. They should be considered only a rough technique
- compared with those described above or in Section 6.1.2. At a
- minimum, the beginning of the compressed sequence should be skipped
- and only later bits used for applications requiring random bits.
-
-
-
-Eastlake, Crocker & Schiller [Page 13]
-\f
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
-5.3 Existing Hardware Can Be Used For Randomness
-
- As described below, many computers come with hardware that can, with
- care, be used to generate truly random quantities.
-
-5.3.1 Using Existing Sound/Video Input
-
- Increasingly computers are being built with inputs that digitize some
- real world analog source, such as sound from a microphone or video
- input from a camera. Under appropriate circumstances, such input can
- provide reasonably high quality random bits. The "input" from a
- sound digitizer with no source plugged in or a camera with the lens
- cap on, if the system has enough gain to detect anything, is
- essentially thermal noise.
-
- For example, on a SPARCstation, one can read from the /dev/audio
- device with nothing plugged into the microphone jack. Such data is
- essentially random noise although it should not be trusted without
- some checking in case of hardware failure. It will, in any case,
- need to be de-skewed as described elsewhere.
-
- Combining this with compression to de-skew one can, in UNIXese,
- generate a huge amount of medium quality random data by doing
-
- cat /dev/audio | compress - >random-bits-file
-
-5.3.2 Using Existing Disk Drives
-
- Disk drives have small random fluctuations in their rotational speed
- due to chaotic air turbulence [DAVIS]. By adding low level disk seek
- time instrumentation to a system, a series of measurements can be
- obtained that include this randomness. Such data is usually highly
- correlated so that significant processing is needed, including FFT
- (see section 5.2.3). Nevertheless experimentation has shown that,
- with such processing, disk drives easily produce 100 bits a minute or
- more of excellent random data.
-
- Partly offsetting this need for processing is the fact that disk
- drive failure will normally be rapidly noticed. Thus, problems with
- this method of random number generation due to hardware failure are
- very unlikely.
-
-6. Recommended Non-Hardware Strategy
-
- What is the best overall strategy for meeting the requirement for
- unguessable random numbers in the absence of a reliable hardware
- source? It is to obtain random input from a large number of
- uncorrelated sources and to mix them with a strong mixing function.
-
-
-
-Eastlake, Crocker & Schiller [Page 14]
-\f
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- Such a function will preserve the randomness present in any of the
- sources even if other quantities being combined are fixed or easily
- guessable. This may be advisable even with a good hardware source as
- hardware can also fail, though this should be weighed against any
- increase in the chance of overall failure due to added software
- complexity.
-
-6.1 Mixing Functions
-
- A strong mixing function is one which combines two or more inputs and
- produces an output where each output bit is a different complex non-
- linear function of all the input bits. On average, changing any
- input bit will change about half the output bits. But because the
- relationship is complex and non-linear, no particular output bit is
- guaranteed to change when any particular input bit is changed.
-
- Consider the problem of converting a stream of bits that is skewed
- towards 0 or 1 to a shorter stream which is more random, as discussed
- in Section 5.2 above. This is simply another case where a strong
- mixing function is desired, mixing the input bits to produce a
- smaller number of output bits. The technique given in Section 5.2.1
- of using the parity of a number of bits is simply the result of
- successively Exclusive Or'ing them which is examined as a trivial
- mixing function immediately below. Use of stronger mixing functions
- to extract more of the randomness in a stream of skewed bits is
- examined in Section 6.1.2.
-
-6.1.1 A Trivial Mixing Function
-
- A trivial example for single bit inputs is the Exclusive Or function,
- which is equivalent to addition without carry, as show in the table
- below. This is a degenerate case in which the one output bit always
- changes for a change in either input bit. But, despite its
- simplicity, it will still provide a useful illustration.
-
- +-----------+-----------+----------+
- | input 1 | input 2 | output |
- +-----------+-----------+----------+
- | 0 | 0 | 0 |
- | 0 | 1 | 1 |
- | 1 | 0 | 1 |
- | 1 | 1 | 0 |
- +-----------+-----------+----------+
-
- If inputs 1 and 2 are uncorrelated and combined in this fashion then
- the output will be an even better (less skewed) random bit than the
- inputs. If we assume an "eccentricity" e as defined in Section 5.2
- above, then the output eccentricity relates to the input eccentricity
-
-
-
-Eastlake, Crocker & Schiller [Page 15]
-\f
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- as follows:
-
- e = 2 * e * e
- output input 1 input 2
-
- Since e is never greater than 1/2, the eccentricity is always
- improved except in the case where at least one input is a totally
- skewed constant. This is illustrated in the following table where
- the top and left side values are the two input eccentricities and the
- entries are the output eccentricity:
-
- +--------+--------+--------+--------+--------+--------+--------+
- | e | 0.00 | 0.10 | 0.20 | 0.30 | 0.40 | 0.50 |
- +--------+--------+--------+--------+--------+--------+--------+
- | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 |
- | 0.10 | 0.00 | 0.02 | 0.04 | 0.06 | 0.08 | 0.10 |
- | 0.20 | 0.00 | 0.04 | 0.08 | 0.12 | 0.16 | 0.20 |
- | 0.30 | 0.00 | 0.06 | 0.12 | 0.18 | 0.24 | 0.30 |
- | 0.40 | 0.00 | 0.08 | 0.16 | 0.24 | 0.32 | 0.40 |
- | 0.50 | 0.00 | 0.10 | 0.20 | 0.30 | 0.40 | 0.50 |
- +--------+--------+--------+--------+--------+--------+--------+
-
- However, keep in mind that the above calculations assume that the
- inputs are not correlated. If the inputs were, say, the parity of
- the number of minutes from midnight on two clocks accurate to a few
- seconds, then each might appear random if sampled at random intervals
- much longer than a minute. Yet if they were both sampled and
- combined with xor, the result would be zero most of the time.
-
-6.1.2 Stronger Mixing Functions
-
- The US Government Data Encryption Standard [DES] is an example of a
- strong mixing function for multiple bit quantities. It takes up to
- 120 bits of input (64 bits of "data" and 56 bits of "key") and
- produces 64 bits of output each of which is dependent on a complex
- non-linear function of all input bits. Other strong encryption
- functions with this characteristic can also be used by considering
- them to mix all of their key and data input bits.
-
- Another good family of mixing functions are the "message digest" or
- hashing functions such as The US Government Secure Hash Standard
- [SHS] and the MD2, MD4, MD5 [MD2, MD4, MD5] series. These functions
- all take an arbitrary amount of input and produce an output mixing
- all the input bits. The MD* series produce 128 bits of output and SHS
- produces 160 bits.
-
-
-
-
-
-
-Eastlake, Crocker & Schiller [Page 16]
-\f
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- Although the message digest functions are designed for variable
- amounts of input, DES and other encryption functions can also be used
- to combine any number of inputs. If 64 bits of output is adequate,
- the inputs can be packed into a 64 bit data quantity and successive
- 56 bit keys, padding with zeros if needed, which are then used to
- successively encrypt using DES in Electronic Codebook Mode [DES
- MODES]. If more than 64 bits of output are needed, use more complex
- mixing. For example, if inputs are packed into three quantities, A,
- B, and C, use DES to encrypt A with B as a key and then with C as a
- key to produce the 1st part of the output, then encrypt B with C and
- then A for more output and, if necessary, encrypt C with A and then B
- for yet more output. Still more output can be produced by reversing
- the order of the keys given above to stretch things. The same can be
- done with the hash functions by hashing various subsets of the input
- data to produce multiple outputs. But keep in mind that it is
- impossible to get more bits of "randomness" out than are put in.
-
- An example of using a strong mixing function would be to reconsider
- the case of a string of 308 bits each of which is biased 99% towards
- zero. The parity technique given in Section 5.2.1 above reduced this
- to one bit with only a 1/1000 deviance from being equally likely a
- zero or one. But, applying the equation for information given in
- Section 2, this 308 bit sequence has 5 bits of information in it.
- Thus hashing it with SHS or MD5 and taking the bottom 5 bits of the
- result would yield 5 unbiased random bits as opposed to the single
- bit given by calculating the parity of the string.
-
-6.1.3 Diffie-Hellman as a Mixing Function
-
- Diffie-Hellman exponential key exchange is a technique that yields a
- shared secret between two parties that can be made computationally
- infeasible for a third party to determine even if they can observe
- all the messages between the two communicating parties. This shared
- secret is a mixture of initial quantities generated by each of them
- [D-H]. If these initial quantities are random, then the shared
- secret contains the combined randomness of them both, assuming they
- are uncorrelated.
-
-6.1.4 Using a Mixing Function to Stretch Random Bits
-
- While it is not necessary for a mixing function to produce the same
- or fewer bits than its inputs, mixing bits cannot "stretch" the
- amount of random unpredictability present in the inputs. Thus four
- inputs of 32 bits each where there is 12 bits worth of
- unpredicatability (such as 4,096 equally probable values) in each
- input cannot produce more than 48 bits worth of unpredictable output.
- The output can be expanded to hundreds or thousands of bits by, for
- example, mixing with successive integers, but the clever adversary's
-
-
-
-Eastlake, Crocker & Schiller [Page 17]
-\f
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- search space is still 2^48 possibilities. Furthermore, mixing to
- fewer bits than are input will tend to strengthen the randomness of
- the output the way using Exclusive Or to produce one bit from two did
- above.
-
- The last table in Section 6.1.1 shows that mixing a random bit with a
- constant bit with Exclusive Or will produce a random bit. While this
- is true, it does not provide a way to "stretch" one random bit into
- more than one. If, for example, a random bit is mixed with a 0 and
- then with a 1, this produces a two bit sequence but it will always be
- either 01 or 10. Since there are only two possible values, there is
- still only the one bit of original randomness.
-
-6.1.5 Other Factors in Choosing a Mixing Function
-
- For local use, DES has the advantages that it has been widely tested
- for flaws, is widely documented, and is widely implemented with
- hardware and software implementations available all over the world
- including source code available by anonymous FTP. The SHS and MD*
- family are younger algorithms which have been less tested but there
- is no particular reason to believe they are flawed. Both MD5 and SHS
- were derived from the earlier MD4 algorithm. They all have source
- code available by anonymous FTP [SHS, MD2, MD4, MD5].
-
- DES and SHS have been vouched for the the US National Security Agency
- (NSA) on the basis of criteria that primarily remain secret. While
- this is the cause of much speculation and doubt, investigation of DES
- over the years has indicated that NSA involvement in modifications to
- its design, which originated with IBM, was primarily to strengthen
- it. No concealed or special weakness has been found in DES. It is
- almost certain that the NSA modification to MD4 to produce the SHS
- similarly strengthened the algorithm, possibly against threats not
- yet known in the public cryptographic community.
-
- DES, SHS, MD4, and MD5 are royalty free for all purposes. MD2 has
- been freely licensed only for non-profit use in connection with
- Privacy Enhanced Mail [PEM]. Between the MD* algorithms, some people
- believe that, as with "Goldilocks and the Three Bears", MD2 is strong
- but too slow, MD4 is fast but too weak, and MD5 is just right.
-
- Another advantage of the MD* or similar hashing algorithms over
- encryption algorithms is that they are not subject to the same
- regulations imposed by the US Government prohibiting the unlicensed
- export or import of encryption/decryption software and hardware. The
- same should be true of DES rigged to produce an irreversible hash
- code but most DES packages are oriented to reversible encryption.
-
-
-
-
-
-Eastlake, Crocker & Schiller [Page 18]
-\f
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
-6.2 Non-Hardware Sources of Randomness
-
- The best source of input for mixing would be a hardware randomness
- such as disk drive timing affected by air turbulence, audio input
- with thermal noise, or radioactive decay. However, if that is not
- available there are other possibilities. These include system
- clocks, system or input/output buffers, user/system/hardware/network
- serial numbers and/or addresses and timing, and user input.
- Unfortunately, any of these sources can produce limited or
- predicatable values under some circumstances.
-
- Some of the sources listed above would be quite strong on multi-user
- systems where, in essence, each user of the system is a source of
- randomness. However, on a small single user system, such as a
- typical IBM PC or Apple Macintosh, it might be possible for an
- adversary to assemble a similar configuration. This could give the
- adversary inputs to the mixing process that were sufficiently
- correlated to those used originally as to make exhaustive search
- practical.
-
- The use of multiple random inputs with a strong mixing function is
- recommended and can overcome weakness in any particular input. For
- example, the timing and content of requested "random" user keystrokes
- can yield hundreds of random bits but conservative assumptions need
- to be made. For example, assuming a few bits of randomness if the
- inter-keystroke interval is unique in the sequence up to that point
- and a similar assumption if the key hit is unique but assuming that
- no bits of randomness are present in the initial key value or if the
- timing or key value duplicate previous values. The results of mixing
- these timings and characters typed could be further combined with
- clock values and other inputs.
-
- This strategy may make practical portable code to produce good random
- numbers for security even if some of the inputs are very weak on some
- of the target systems. However, it may still fail against a high
- grade attack on small single user systems, especially if the
- adversary has ever been able to observe the generation process in the
- past. A hardware based random source is still preferable.
-
-6.3 Cryptographically Strong Sequences
-
- In cases where a series of random quantities must be generated, an
- adversary may learn some values in the sequence. In general, they
- should not be able to predict other values from the ones that they
- know.
-
-
-
-
-
-
-Eastlake, Crocker & Schiller [Page 19]
-\f
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- The correct technique is to start with a strong random seed, take
- cryptographically strong steps from that seed [CRYPTO2, CRYPTO3], and
- do not reveal the complete state of the generator in the sequence
- elements. If each value in the sequence can be calculated in a fixed
- way from the previous value, then when any value is compromised, all
- future values can be determined. This would be the case, for
- example, if each value were a constant function of the previously
- used values, even if the function were a very strong, non-invertible
- message digest function.
-
- It should be noted that if your technique for generating a sequence
- of key values is fast enough, it can trivially be used as the basis
- for a confidentiality system. If two parties use the same sequence
- generating technique and start with the same seed material, they will
- generate identical sequences. These could, for example, be xor'ed at
- one end with data being send, encrypting it, and xor'ed with this
- data as received, decrypting it due to the reversible properties of
- the xor operation.
-
-6.3.1 Traditional Strong Sequences
-
- A traditional way to achieve a strong sequence has been to have the
- values be produced by hashing the quantities produced by
- concatenating the seed with successive integers or the like and then
- mask the values obtained so as to limit the amount of generator state
- available to the adversary.
-
- It may also be possible to use an "encryption" algorithm with a
- random key and seed value to encrypt and feedback some or all of the
- output encrypted value into the value to be encrypted for the next
- iteration. Appropriate feedback techniques will usually be
- recommended with the encryption algorithm. An example is shown below
- where shifting and masking are used to combine the cypher output
- feedback. This type of feedback is recommended by the US Government
- in connection with DES [DES MODES].
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eastlake, Crocker & Schiller [Page 20]
-\f
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- +---------------+
- | V |
- | | n |
- +--+------------+
- | | +---------+
- | +---------> | | +-----+
- +--+ | Encrypt | <--- | Key |
- | +-------- | | +-----+
- | | +---------+
- V V
- +------------+--+
- | V | |
- | n+1 |
- +---------------+
-
- Note that if a shift of one is used, this is the same as the shift
- register technique described in Section 3 above but with the all
- important difference that the feedback is determined by a complex
- non-linear function of all bits rather than a simple linear or
- polynomial combination of output from a few bit position taps.
-
- It has been shown by Donald W. Davies that this sort of shifted
- partial output feedback significantly weakens an algorithm compared
- will feeding all of the output bits back as input. In particular,
- for DES, repeated encrypting a full 64 bit quantity will give an
- expected repeat in about 2^63 iterations. Feeding back anything less
- than 64 (and more than 0) bits will give an expected repeat in
- between 2**31 and 2**32 iterations!
-
- To predict values of a sequence from others when the sequence was
- generated by these techniques is equivalent to breaking the
- cryptosystem or inverting the "non-invertible" hashing involved with
- only partial information available. The less information revealed
- each iteration, the harder it will be for an adversary to predict the
- sequence. Thus it is best to use only one bit from each value. It
- has been shown that in some cases this makes it impossible to break a
- system even when the cryptographic system is invertible and can be
- broken if all of each generated value was revealed.
-
-6.3.2 The Blum Blum Shub Sequence Generator
-
- Currently the generator which has the strongest public proof of
- strength is called the Blum Blum Shub generator after its inventors
- [BBS]. It is also very simple and is based on quadratic residues.
- It's only disadvantage is that is is computationally intensive
- compared with the traditional techniques give in 6.3.1 above. This
- is not a serious draw back if it is used for moderately infrequent
- purposes, such as generating session keys.
-
-
-
-Eastlake, Crocker & Schiller [Page 21]
-\f
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- Simply choose two large prime numbers, say p and q, which both have
- the property that you get a remainder of 3 if you divide them by 4.
- Let n = p * q. Then you choose a random number x relatively prime to
- n. The initial seed for the generator and the method for calculating
- subsequent values are then
-
- 2
- s = ( x )(Mod n)
- 0
-
- 2
- s = ( s )(Mod n)
- i+1 i
-
- You must be careful to use only a few bits from the bottom of each s.
- It is always safe to use only the lowest order bit. If you use no
- more than the
-
- log ( log ( s ) )
- 2 2 i
-
- low order bits, then predicting any additional bits from a sequence
- generated in this manner is provable as hard as factoring n. As long
- as the initial x is secret, you can even make n public if you want.
-
- An intersting characteristic of this generator is that you can
- directly calculate any of the s values. In particular
-
- i
- ( ( 2 )(Mod (( p - 1 ) * ( q - 1 )) ) )
- s = ( s )(Mod n)
- i 0
-
- This means that in applications where many keys are generated in this
- fashion, it is not necessary to save them all. Each key can be
- effectively indexed and recovered from that small index and the
- initial s and n.
-
-7. Key Generation Standards
-
- Several public standards are now in place for the generation of keys.
- Two of these are described below. Both use DES but any equally
- strong or stronger mixing function could be substituted.
-
-
-
-
-
-
-
-
-Eastlake, Crocker & Schiller [Page 22]
-\f
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
-7.1 US DoD Recommendations for Password Generation
-
- The United States Department of Defense has specific recommendations
- for password generation [DoD]. They suggest using the US Data
- Encryption Standard [DES] in Output Feedback Mode [DES MODES] as
- follows:
-
- use an initialization vector determined from
- the system clock,
- system ID,
- user ID, and
- date and time;
- use a key determined from
- system interrupt registers,
- system status registers, and
- system counters; and,
- as plain text, use an external randomly generated 64 bit
- quantity such as 8 characters typed in by a system
- administrator.
-
- The password can then be calculated from the 64 bit "cipher text"
- generated in 64-bit Output Feedback Mode. As many bits as are needed
- can be taken from these 64 bits and expanded into a pronounceable
- word, phrase, or other format if a human being needs to remember the
- password.
-
-7.2 X9.17 Key Generation
-
- The American National Standards Institute has specified a method for
- generating a sequence of keys as follows:
-
- s is the initial 64 bit seed
- 0
-
- g is the sequence of generated 64 bit key quantities
- n
-
- k is a random key reserved for generating this key sequence
-
- t is the time at which a key is generated to as fine a resolution
- as is available (up to 64 bits).
-
- DES ( K, Q ) is the DES encryption of quantity Q with key K
-
-
-
-
-
-
-
-
-Eastlake, Crocker & Schiller [Page 23]
-\f
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- g = DES ( k, DES ( k, t ) .xor. s )
- n n
-
- s = DES ( k, DES ( k, t ) .xor. g )
- n+1 n
-
- If g sub n is to be used as a DES key, then every eighth bit should
- be adjusted for parity for that use but the entire 64 bit unmodified
- g should be used in calculating the next s.
-
-8. Examples of Randomness Required
-
- Below are two examples showing rough calculations of needed
- randomness for security. The first is for moderate security
- passwords while the second assumes a need for a very high security
- cryptographic key.
-
-8.1 Password Generation
-
- Assume that user passwords change once a year and it is desired that
- the probability that an adversary could guess the password for a
- particular account be less than one in a thousand. Further assume
- that sending a password to the system is the only way to try a
- password. Then the crucial question is how often an adversary can
- try possibilities. Assume that delays have been introduced into a
- system so that, at most, an adversary can make one password try every
- six seconds. That's 600 per hour or about 15,000 per day or about
- 5,000,000 tries in a year. Assuming any sort of monitoring, it is
- unlikely someone could actually try continuously for a year. In
- fact, even if log files are only checked monthly, 500,000 tries is
- more plausible before the attack is noticed and steps taken to change
- passwords and make it harder to try more passwords.
-
- To have a one in a thousand chance of guessing the password in
- 500,000 tries implies a universe of at least 500,000,000 passwords or
- about 2^29. Thus 29 bits of randomness are needed. This can probably
- be achieved using the US DoD recommended inputs for password
- generation as it has 8 inputs which probably average over 5 bits of
- randomness each (see section 7.1). Using a list of 1000 words, the
- password could be expressed as a three word phrase (1,000,000,000
- possibilities) or, using case insensitive letters and digits, six
- would suffice ((26+10)^6 = 2,176,782,336 possibilities).
-
- For a higher security password, the number of bits required goes up.
- To decrease the probability by 1,000 requires increasing the universe
- of passwords by the same factor which adds about 10 bits. Thus to
- have only a one in a million chance of a password being guessed under
- the above scenario would require 39 bits of randomness and a password
-
-
-
-Eastlake, Crocker & Schiller [Page 24]
-\f
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- that was a four word phrase from a 1000 word list or eight
- letters/digits. To go to a one in 10^9 chance, 49 bits of randomness
- are needed implying a five word phrase or ten letter/digit password.
-
- In a real system, of course, there are also other factors. For
- example, the larger and harder to remember passwords are, the more
- likely users are to write them down resulting in an additional risk
- of compromise.
-
-8.2 A Very High Security Cryptographic Key
-
- Assume that a very high security key is needed for symmetric
- encryption / decryption between two parties. Assume an adversary can
- observe communications and knows the algorithm being used. Within
- the field of random possibilities, the adversary can try key values
- in hopes of finding the one in use. Assume further that brute force
- trial of keys is the best the adversary can do.
-
-8.2.1 Effort per Key Trial
-
- How much effort will it take to try each key? For very high security
- applications it is best to assume a low value of effort. Even if it
- would clearly take tens of thousands of computer cycles or more to
- try a single key, there may be some pattern that enables huge blocks
- of key values to be tested with much less effort per key. Thus it is
- probably best to assume no more than a couple hundred cycles per key.
- (There is no clear lower bound on this as computers operate in
- parallel on a number of bits and a poor encryption algorithm could
- allow many keys or even groups of keys to be tested in parallel.
- However, we need to assume some value and can hope that a reasonably
- strong algorithm has been chosen for our hypothetical high security
- task.)
-
- If the adversary can command a highly parallel processor or a large
- network of work stations, 2*10^10 cycles per second is probably a
- minimum assumption for availability today. Looking forward just a
- couple years, there should be at least an order of magnitude
- improvement. Thus assuming 10^9 keys could be checked per second or
- 3.6*10^11 per hour or 6*10^13 per week or 2.4*10^14 per month is
- reasonable. This implies a need for a minimum of 51 bits of
- randomness in keys to be sure they cannot be found in a month. Even
- then it is possible that, a few years from now, a highly determined
- and resourceful adversary could break the key in 2 weeks (on average
- they need try only half the keys).
-
-
-
-
-
-
-
-Eastlake, Crocker & Schiller [Page 25]
-\f
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
-8.2.2 Meet in the Middle Attacks
-
- If chosen or known plain text and the resulting encrypted text are
- available, a "meet in the middle" attack is possible if the structure
- of the encryption algorithm allows it. (In a known plain text
- attack, the adversary knows all or part of the messages being
- encrypted, possibly some standard header or trailer fields. In a
- chosen plain text attack, the adversary can force some chosen plain
- text to be encrypted, possibly by "leaking" an exciting text that
- would then be sent by the adversary over an encrypted channel.)
-
- An oversimplified explanation of the meet in the middle attack is as
- follows: the adversary can half-encrypt the known or chosen plain
- text with all possible first half-keys, sort the output, then half-
- decrypt the encoded text with all the second half-keys. If a match
- is found, the full key can be assembled from the halves and used to
- decrypt other parts of the message or other messages. At its best,
- this type of attack can halve the exponent of the work required by
- the adversary while adding a large but roughly constant factor of
- effort. To be assured of safety against this, a doubling of the
- amount of randomness in the key to a minimum of 102 bits is required.
-
- The meet in the middle attack assumes that the cryptographic
- algorithm can be decomposed in this way but we can not rule that out
- without a deep knowledge of the algorithm. Even if a basic algorithm
- is not subject to a meet in the middle attack, an attempt to produce
- a stronger algorithm by applying the basic algorithm twice (or two
- different algorithms sequentially) with different keys may gain less
- added security than would be expected. Such a composite algorithm
- would be subject to a meet in the middle attack.
-
- Enormous resources may be required to mount a meet in the middle
- attack but they are probably within the range of the national
- security services of a major nation. Essentially all nations spy on
- other nations government traffic and several nations are believed to
- spy on commercial traffic for economic advantage.
-
-8.2.3 Other Considerations
-
- Since we have not even considered the possibilities of special
- purpose code breaking hardware or just how much of a safety margin we
- want beyond our assumptions above, probably a good minimum for a very
- high security cryptographic key is 128 bits of randomness which
- implies a minimum key length of 128 bits. If the two parties agree
- on a key by Diffie-Hellman exchange [D-H], then in principle only
- half of this randomness would have to be supplied by each party.
- However, there is probably some correlation between their random
- inputs so it is probably best to assume that each party needs to
-
-
-
-Eastlake, Crocker & Schiller [Page 26]
-\f
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- provide at least 96 bits worth of randomness for very high security
- if Diffie-Hellman is used.
-
- This amount of randomness is beyond the limit of that in the inputs
- recommended by the US DoD for password generation and could require
- user typing timing, hardware random number generation, or other
- sources.
-
- It should be noted that key length calculations such at those above
- are controversial and depend on various assumptions about the
- cryptographic algorithms in use. In some cases, a professional with
- a deep knowledge of code breaking techniques and of the strength of
- the algorithm in use could be satisfied with less than half of the
- key size derived above.
-
-9. Conclusion
-
- Generation of unguessable "random" secret quantities for security use
- is an essential but difficult task.
-
- We have shown that hardware techniques to produce such randomness
- would be relatively simple. In particular, the volume and quality
- would not need to be high and existing computer hardware, such as
- disk drives, can be used. Computational techniques are available to
- process low quality random quantities from multiple sources or a
- larger quantity of such low quality input from one source and produce
- a smaller quantity of higher quality, less predictable key material.
- In the absence of hardware sources of randomness, a variety of user
- and software sources can frequently be used instead with care;
- however, most modern systems already have hardware, such as disk
- drives or audio input, that could be used to produce high quality
- randomness.
-
- Once a sufficient quantity of high quality seed key material (a few
- hundred bits) is available, strong computational techniques are
- available to produce cryptographically strong sequences of
- unpredicatable quantities from this seed material.
-
-10. Security Considerations
-
- The entirety of this document concerns techniques and recommendations
- for generating unguessable "random" quantities for use as passwords,
- cryptographic keys, and similar security uses.
-
-
-
-
-
-
-
-
-Eastlake, Crocker & Schiller [Page 27]
-\f
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
-References
-
- [ASYMMETRIC] - Secure Communications and Asymmetric Cryptosystems,
- edited by Gustavus J. Simmons, AAAS Selected Symposium 69, Westview
- Press, Inc.
-
- [BBS] - A Simple Unpredictable Pseudo-Random Number Generator, SIAM
- Journal on Computing, v. 15, n. 2, 1986, L. Blum, M. Blum, & M. Shub.
-
- [BRILLINGER] - Time Series: Data Analysis and Theory, Holden-Day,
- 1981, David Brillinger.
-
- [CRC] - C.R.C. Standard Mathematical Tables, Chemical Rubber
- Publishing Company.
-
- [CRYPTO1] - Cryptography: A Primer, A Wiley-Interscience Publication,
- John Wiley & Sons, 1981, Alan G. Konheim.
-
- [CRYPTO2] - Cryptography: A New Dimension in Computer Data Security,
- A Wiley-Interscience Publication, John Wiley & Sons, 1982, Carl H.
- Meyer & Stephen M. Matyas.
-
- [CRYPTO3] - Applied Cryptography: Protocols, Algorithms, and Source
- Code in C, John Wiley & Sons, 1994, Bruce Schneier.
-
- [DAVIS] - Cryptographic Randomness from Air Turbulence in Disk
- Drives, Advances in Cryptology - Crypto '94, Springer-Verlag Lecture
- Notes in Computer Science #839, 1984, Don Davis, Ross Ihaka, and
- Philip Fenstermacher.
-
- [DES] - Data Encryption Standard, United States of America,
- Department of Commerce, National Institute of Standards and
- Technology, Federal Information Processing Standard (FIPS) 46-1.
- - Data Encryption Algorithm, American National Standards Institute,
- ANSI X3.92-1981.
- (See also FIPS 112, Password Usage, which includes FORTRAN code for
- performing DES.)
-
- [DES MODES] - DES Modes of Operation, United States of America,
- Department of Commerce, National Institute of Standards and
- Technology, Federal Information Processing Standard (FIPS) 81.
- - Data Encryption Algorithm - Modes of Operation, American National
- Standards Institute, ANSI X3.106-1983.
-
- [D-H] - New Directions in Cryptography, IEEE Transactions on
- Information Technology, November, 1976, Whitfield Diffie and Martin
- E. Hellman.
-
-
-
-
-Eastlake, Crocker & Schiller [Page 28]
-\f
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- [DoD] - Password Management Guideline, United States of America,
- Department of Defense, Computer Security Center, CSC-STD-002-85.
- (See also FIPS 112, Password Usage, which incorporates CSC-STD-002-85
- as one of its appendices.)
-
- [GIFFORD] - Natural Random Number, MIT/LCS/TM-371, September 1988,
- David K. Gifford
-
- [KNUTH] - The Art of Computer Programming, Volume 2: Seminumerical
- Algorithms, Chapter 3: Random Numbers. Addison Wesley Publishing
- Company, Second Edition 1982, Donald E. Knuth.
-
- [KRAWCZYK] - How to Predict Congruential Generators, Journal of
- Algorithms, V. 13, N. 4, December 1992, H. Krawczyk
-
- [MD2] - The MD2 Message-Digest Algorithm, RFC1319, April 1992, B.
- Kaliski
- [MD4] - The MD4 Message-Digest Algorithm, RFC1320, April 1992, R.
- Rivest
- [MD5] - The MD5 Message-Digest Algorithm, RFC1321, April 1992, R.
- Rivest
-
- [PEM] - RFCs 1421 through 1424:
- - RFC 1424, Privacy Enhancement for Internet Electronic Mail: Part
- IV: Key Certification and Related Services, 02/10/1993, B. Kaliski
- - RFC 1423, Privacy Enhancement for Internet Electronic Mail: Part
- III: Algorithms, Modes, and Identifiers, 02/10/1993, D. Balenson
- - RFC 1422, Privacy Enhancement for Internet Electronic Mail: Part
- II: Certificate-Based Key Management, 02/10/1993, S. Kent
- - RFC 1421, Privacy Enhancement for Internet Electronic Mail: Part I:
- Message Encryption and Authentication Procedures, 02/10/1993, J. Linn
-
- [SHANNON] - The Mathematical Theory of Communication, University of
- Illinois Press, 1963, Claude E. Shannon. (originally from: Bell
- System Technical Journal, July and October 1948)
-
- [SHIFT1] - Shift Register Sequences, Aegean Park Press, Revised
- Edition 1982, Solomon W. Golomb.
-
- [SHIFT2] - Cryptanalysis of Shift-Register Generated Stream Cypher
- Systems, Aegean Park Press, 1984, Wayne G. Barker.
-
- [SHS] - Secure Hash Standard, United States of American, National
- Institute of Science and Technology, Federal Information Processing
- Standard (FIPS) 180, April 1993.
-
- [STERN] - Secret Linear Congruential Generators are not
- Cryptograhically Secure, Proceedings of IEEE STOC, 1987, J. Stern.
-
-
-
-Eastlake, Crocker & Schiller [Page 29]
-\f
-RFC 1750 Randomness Recommendations for Security December 1994
-
-
- [VON NEUMANN] - Various techniques used in connection with random
- digits, von Neumann's Collected Works, Vol. 5, Pergamon Press, 1963,
- J. von Neumann.
-
-Authors' Addresses
-
- Donald E. Eastlake 3rd
- Digital Equipment Corporation
- 550 King Street, LKG2-1/BB3
- Littleton, MA 01460
-
- Phone: +1 508 486 6577(w) +1 508 287 4877(h)
- EMail: dee@lkg.dec.com
-
-
- Stephen D. Crocker
- CyberCash Inc.
- 2086 Hunters Crest Way
- Vienna, VA 22181
-
- Phone: +1 703-620-1222(w) +1 703-391-2651 (fax)
- EMail: crocker@cybercash.com
-
-
- Jeffrey I. Schiller
- Massachusetts Institute of Technology
- 77 Massachusetts Avenue
- Cambridge, MA 02139
-
- Phone: +1 617 253 0161(w)
- EMail: jis@mit.edu
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Eastlake, Crocker & Schiller [Page 30]
-\f
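Review bot: nothing in the removed lines records why the RFC 1750 text is being dropped or what replaces it, and the deletion covers the end of section 6.3.1, all of 6.3.2 (Blum Blum Shub), 7.1, 7.2, section 8's key-size calculations, the Conclusion, the References and the Authors' Addresses. Anything elsewhere in the tree that cites these section numbers or the reference tags defined here (for example [BBS], [DoD] or [DES MODES]) would be left dangling. Please state the reason for the removal in the commit message and check the tree for remaining references to RFC 1750 before merging. If the text is kept somewhere else, the `\f` page breaks and the repeated "Eastlake, Crocker & Schiller [Page N]" footer and "RFC 1750 Randomness Recommendations for Security December 1994" header lines are pagination residue and need not be carried over more than once.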