From: Niels Möller
Date: Fri, 24 Nov 2006 22:27:07 +0000 (+0100)
Subject: * testsuite/yarrow-test.c (test_main): Use gold-bug.txt as input
X-Git-Tag: nettle_1.15_release_20061128~22
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=91e059459a1fb789d4748bdb7981187f2be6d1b1;p=thirdparty%2Fnettle.git

* testsuite/yarrow-test.c (test_main): Use gold-bug.txt as input file, instead of rfc1750.txt.

* testsuite/gold-bug.txt: New test input file for yarrow-test. The copyright on this short story by Edgar Allan Poe has expired.

* testsuite/rfc1750.txt: Deleted file. Debian considers RFC:s non-free, and it was expired anyway. Replaced by gold-bug.txt.

Rev: src/nettle/testsuite/gold-bug.txt:1.1
Rev: src/nettle/testsuite/rfc1750.txt:1.2(DEAD)
Rev: src/nettle/testsuite/yarrow-test.c:1.15
---
diff --git a/testsuite/gold-bug.txt b/testsuite/gold-bug.txt new file mode 100644 index 00000000..be3a2a0b --- /dev/null +++ b/testsuite/gold-bug.txt 
@@ -0,0 +1,1598 @@ +Edgar Allan Poe + +The Gold-Bug + + +What ho! what ho! this fellow is dancing mad! +He hath been bitten by the Tarantula. + --All in the Wrong. + + +Many years ago, I contracted an intimacy with a Mr. William +Legrand. He was of an ancient Huguenot family, and had once been +wealthy: but a series of misfortunes had reduced him to want. To +avoid the mortification consequent upon his disasters, he left New +Orleans, the city of his forefathers, and took up his residence at +Sullivan's Island, near Charleston, South Carolina. + +This island is a very singular one. It consists of little else +than the sea sand, and is about three miles long. Its breadth at +no point exceeds a quarter of a mile. It is separated from the +mainland by a scarcely perceptible creek, oozing its way through a +wilderness of reeds and slime, a favorite resort of the marsh hen. +The vegetation, as might be supposed, is scant, or at least +dwarfish. No trees of any magnitude are to be seen. Near the +western extremity, where Fort Moultrie stands, and where are some +miserable frame buildings, tenanted, during summer, by the +fugitives from Charleston dust and fever, may be found, indeed, the +bristly palmetto; but the whole island, with the exception of this +western point, and a line of hard, white beach on the seacoast, is +covered with a dense undergrowth of the sweet myrtle so much prized +by the horticulturists of England. The shrub here often attains +the height of fifteen or twenty feet, and forms an almost +impenetrable coppice, burdening the air with its fragrance. + +In the inmost recesses of this coppice, not far from the eastern or +more remote end of the island, Legrand had built himself a small +hut, which he occupied when I first, by mere accident, made his +acquaintance. This soon ripened into friendship--for there was +much in the recluse to excite interest and esteem. 
I found him +well educated, with unusual powers of mind, but infected with +misanthropy, and subject to perverse moods of alternate enthusiasm +and melancholy. He had with him many books, but rarely employed +them. His chief amusements were gunning and fishing, or sauntering +along the beach and through the myrtles, in quest of shells or +entomological specimens--his collection of the latter might have +been envied by a Swammerdamm. In these excursions he was usually +accompanied by an old negro, called Jupiter, who had been +manumitted before the reverses of the family, but who could be +induced, neither by threats nor by promises, to abandon what he +considered his right of attendance upon the footsteps of his young +"Massa Will." It is not improbable that the relatives of Legrand, +conceiving him to be somewhat unsettled in intellect, had contrived +to instill this obstinacy into Jupiter, with a view to the +supervision and guardianship of the wanderer. + +The winters in the latitude of Sullivan's Island are seldom very +severe, and in the fall of the year it is a rare event indeed when +a fire is considered necessary. About the middle of October, 18--, +there occurred, however, a day of remarkable chilliness. Just +before sunset I scrambled my way through the evergreens to the hut +of my friend, whom I had not visited for several weeks--my +residence being, at that time, in Charleston, a distance of nine +miles from the island, while the facilities of passage and +repassage were very far behind those of the present day. Upon +reaching the hut I rapped, as was my custom, and getting no reply, +sought for the key where I knew it was secreted, unlocked the door, +and went in. A fine fire was blazing upon the hearth. It was a +novelty, and by no means an ungrateful one. I threw off an +overcoat, took an armchair by the crackling logs, and awaited +patiently the arrival of my hosts. + +Soon after dark they arrived, and gave me a most cordial welcome. 
+Jupiter, grinning from ear to ear, bustled about to prepare some +marsh hens for supper. Legrand was in one of his fits--how else +shall I term them?--of enthusiasm. He had found an unknown +bivalve, forming a new genus, and, more than this, he had hunted +down and secured, with Jupiter's assistance, a scarabaeus which he +believed to be totally new, but in respect to which he wished to +have my opinion on the morrow. + +"And why not to-night?" I asked, rubbing my hands over the blaze, +and wishing the whole tribe of scarabaei at the devil. + +"Ah, if I had only known you were here!" said Legrand, "but it's so +long since I saw you; and how could I foresee that you would pay me +a visit this very night of all others? As I was coming home I met +Lieutenant G----, from the fort, and, very foolishly, I lent him +the bug; so it will be impossible for you to see it until the +morning. Stay here to-night, and I will send Jup down for it at +sunrise. It is the loveliest thing in creation!" + +"What?--sunrise?" + +"Nonsense! no!--the bug. It is of a brilliant gold color--about +the size of a large hickory nut--with two jet black spots near one +extremity of the back, and another, somewhat longer, at the other. +The antennae are--" + +"Dey ain't NO tin in him, Massa Will, I keep a tellin' on you," +here interrupted Jupiter; "de bug is a goole-bug, solid, ebery bit +of him, inside and all, sep him wing--neber feel half so hebby a +bug in my life." + +"Well, suppose it is, Jup," replied Legrand, somewhat more +earnestly, it seemed to me, than the case demanded; "is that any +reason for your letting the birds burn? The color"--here he turned +to me--"is really almost enough to warrant Jupiter's idea. You +never saw a more brilliant metallic luster than the scales emit-- +but of this you cannot judge till to-morrow. In the meantime I can +give you some idea of the shape." Saying this, he seated himself +at a small table, on which were a pen and ink, but no paper. 
He +looked for some in a drawer, but found none. + +"Never mind," he said at length, "this will answer;" and he drew +from his waistcoat pocket a scrap of what I took to be very dirty +foolscap, and made upon it a rough drawing with the pen. While he +did this, I retained my seat by the fire, for I was still chilly. +When the design was complete, he handed it to me without rising. +As I received it, a loud growl was heard, succeeded by a scratching +at the door. Jupiter opened it, and a large Newfoundland, +belonging to Legrand, rushed in, leaped upon my shoulders, and +loaded me with caresses; for I had shown him much attention during +previous visits. When his gambols were over, I looked at the +paper, and, to speak the truth, found myself not a little puzzled +at what my friend had depicted. + +"Well!" I said, after contemplating it for some minutes, "this IS a +strange scarabaeus, I must confess; new to me; never saw anything +like it before--unless it was a skull, or a death's head, which it +more nearly resembles than anything else that has come under MY +observation." + +"A death's head!" echoed Legrand. "Oh--yes--well, it has something +of that appearance upon paper, no doubt. The two upper black spots +look like eyes, eh? and the longer one at the bottom like a mouth-- +and then the shape of the whole is oval." + +"Perhaps so," said I; "but, Legrand, I fear you are no artist. I +must wait until I see the beetle itself, if I am to form any idea +of its personal appearance." + +"Well, I don't know," said he, a little nettled, "I draw tolerably-- +SHOULD do it at least--have had good masters, and flatter myself +that I am not quite a blockhead." + +"But, my dear fellow, you are joking then," said I, "this is a very +passable SKULL--indeed, I may say that it is a very EXCELLENT +skull, according to the vulgar notions about such specimens of +physiology--and your scarabaeus must be the queerest scarabaeus in +the world if it resembles it. 
Why, we may get up a very thrilling +bit of superstition upon this hint. I presume you will call the +bug Scarabaeus caput hominis, or something of that kind--there are +many similar titles in the Natural Histories. But where are the +antennae you spoke of?" + +"The antennae!" said Legrand, who seemed to be getting +unaccountably warm upon the subject; "I am sure you must see the +antennae. I made them as distinct as they are in the original +insect, and I presume that is sufficient." + +"Well, well," I said, "perhaps you have--still I don't see them;" +and I handed him the paper without additional remark, not wishing +to ruffle his temper; but I was much surprised at the turn affairs +had taken; his ill humor puzzled me--and, as for the drawing of the +beetle, there were positively NO antennae visible, and the whole +DID bear a very close resemblance to the ordinary cuts of a death's +head. + +He received the paper very peevishly, and was about to crumple it, +apparently to throw it in the fire, when a casual glance at the +design seemed suddenly to rivet his attention. In an instant his +face grew violently red--in another excessively pale. For some +minutes he continued to scrutinize the drawing minutely where he +sat. At length he arose, took a candle from the table, and +proceeded to seat himself upon a sea chest in the farthest corner +of the room. Here again he made an anxious examination of the +paper, turning it in all directions. He said nothing, however, and +his conduct greatly astonished me; yet I thought it prudent not to +exacerbate the growing moodiness of his temper by any comment. +Presently he took from his coat pocket a wallet, placed the paper +carefully in it, and deposited both in a writing desk, which he +locked. He now grew more composed in his demeanor; but his +original air of enthusiasm had quite disappeared. Yet he seemed +not so much sulky as abstracted. 
As the evening wore away he +became more and more absorbed in reverie, from which no sallies of +mine could arouse him. It had been my intention to pass the night +at the hut, as I had frequently done before, but, seeing my host in +this mood, I deemed it proper to take leave. He did not press me +to remain, but, as I departed, he shook my hand with even more than +his usual cordiality. + +It was about a month after this (and during the interval I had seen +nothing of Legrand) when I received a visit, at Charleston, from +his man, Jupiter. I had never seen the good old negro look so +dispirited, and I feared that some serious disaster had befallen my +friend. + +"Well, Jup," said I, "what is the matter now?--how is your master?" + +"Why, to speak the troof, massa, him not so berry well as mought +be." + +"Not well! I am truly sorry to hear it. What does he complain +of?" + +"Dar! dot's it!--him neber 'plain of notin'--but him berry sick for +all dat." + +"VERY sick, Jupiter!--why didn't you say so at once? Is he +confined to bed?" + +"No, dat he aint!--he aint 'fin'd nowhar--dat's just whar de shoe +pinch--my mind is got to be berry hebby 'bout poor Massa Will." + +"Jupiter, I should like to understand what it is you are talking +about. You say your master is sick. Hasn't he told you what ails +him?" + +"Why, massa, 'taint worf while for to git mad about de matter-- +Massa Will say noffin at all aint de matter wid him--but den what +make him go about looking dis here way, wid he head down and he +soldiers up, and as white as a goose? And den he keep a syphon all +de time--" + +"Keeps a what, Jupiter?" + +"Keeps a syphon wid de figgurs on de slate--de queerest figgurs I +ebber did see. Ise gittin' to be skeered, I tell you. Hab for to +keep mighty tight eye 'pon him 'noovers. Todder day he gib me slip +'fore de sun up and was gone de whole ob de blessed day. 
I had a +big stick ready cut for to gib him deuced good beating when he did +come--but Ise sich a fool dat I hadn't de heart arter all--he +looked so berry poorly." + +"Eh?--what?--ah yes!--upon the whole I think you had better not be +too severe with the poor fellow--don't flog him, Jupiter--he can't +very well stand it--but can you form no idea of what has occasioned +this illness, or rather this change of conduct? Has anything +unpleasant happened since I saw you?" + +"No, massa, dey aint bin noffin onpleasant SINCE den--'twas 'FORE +den I'm feared--'twas de berry day you was dare." + +"How? what do you mean." + +"Why, massa, I mean de bug--dare now." + +"The what?" + +"De bug--I'm berry sartin dat Massa Will bin bit somewhere 'bout de +head by dat goole-bug." + +"And what cause have you, Jupiter, for such a supposition?" + +"Claws enuff, massa, and mouff, too. I nebber did see sich a +deuced bug--he kick and he bite eberyting what cum near him. Massa +Will cotch him fuss, but had for to let him go 'gin mighty quick, I +tell you--den was de time he must ha' got de bite. I didn't like +de look ob de bug mouff, myself, nohow, so I wouldn't take hold oh +him wid my finger, but I cotch him wid a piece oh paper dat I +found. I rap him up in de paper and stuff a piece of it in he +mouff--dat was de way." + +"And you think, then, that your master was really bitten by the +beetle, and that the bite made him sick?" + +"I don't think noffin about it--I nose it. What make him dream +'bout de goole so much, if 'taint cause he bit by the goole-bug? +Ise heered 'bout dem goole-bugs 'fore dis." + +"But how do you know he dreams about gold?" + +"How I know? why, 'cause he talk about it in he sleep--dat's how I +nose." + +"Well, Jup, perhaps you are right; but to what fortunate +circumstance am I to attribute the honor of a visit from you to- +day?" + +"What de matter, massa?" + +"Did you bring any message from Mr. Legrand?" 
+ +"No, massa, I bring dis here pissel;" and here Jupiter handed me a +note which ran thus: + + +"MY DEAR ---- + +"Why have I not seen you for so long a time? I hope you have not +been so foolish as to take offense at any little brusquerie of +mine; but no, that is improbable. + +"Since I saw you I have had great cause for anxiety. I have +something to tell you, yet scarcely know how to tell it, or whether +I should tell it at all. + +"I have not been quite well for some days past, and poor old Jup +annoys me, almost beyond endurance, by his well-meant attentions. +Would you believe it?--he had prepared a huge stick, the other day, +with which to chastise me for giving him the slip, and spending the +day, solus, among the hills on the mainland. I verily believe that +my ill looks alone saved me a flogging. + +"I have made no addition to my cabinet since we met. "If you can, +in any way, make it convenient, come over with Jupiter. DO come. +I wish to see you TO-NIGHT, upon business of importance. I assure +you that it is of the HIGHEST importance. + +"Ever yours, + +"WILLIAM LEGRAND." + + +There was something in the tone of this note which gave me great +uneasiness. Its whole style differed materially from that of +Legrand. What could he be dreaming of? What new crotchet +possessed his excitable brain? What "business of the highest +importance" could HE possibly have to transact? Jupiter's account +of him boded no good. I dreaded lest the continued pressure of +misfortune had, at length, fairly unsettled the reason of my +friend. Without a moment's hesitation, therefore, I prepared to +accompany the negro. + +Upon reaching the wharf, I noticed a scythe and three spades, all +apparently new, lying in the bottom of the boat in which we were to +embark. + +"What is the meaning of all this, Jup?" I inquired. + +"Him syfe, massa, and spade." + +"Very true; but what are they doing here?" 
+ +"Him de syfe and de spade what Massa Will sis 'pon my buying for +him in de town, and de debbil's own lot of money I had to gib for +em." + +"But what, in the name of all that is mysterious, is your 'Massa +Will' going to do with scythes and spades?" + +"Dat's more dan I know, and debbil take me if I don't b'lieve 'tis +more dan he know too. But it's all cum ob de bug." + +Finding that no satisfaction was to be obtained of Jupiter, whose +whole intellect seemed to be absorbed by "de bug," I now stepped +into the boat, and made sail. With a fair and strong breeze we +soon ran into the little cove to the northward of Fort Moultrie, +and a walk of some two miles brought us to the hut. It was about +three in the afternoon when we arrived. Legrand had been awaiting +us in eager expectation. He grasped my hand with a nervous +empressement which alarmed me and strengthened the suspicions +already entertained. His countenance was pale even to ghastliness, +and his deep-set eyes glared with unnatural luster. After some +inquiries respecting his health, I asked him, not knowing what +better to say, if he had yet obtained the scarabaeus from +Lieutenant G----. + +"Oh, yes," he replied, coloring violently, "I got it from him the +next morning. Nothing should tempt me to part with that +scarabaeus. Do you know that Jupiter is quite right about it?" + +"In what way?" I asked, with a sad foreboding at heart. + +"In supposing it to be a bug of REAL GOLD." He said this with an +air of profound seriousness, and I felt inexpressibly shocked. + +"This bug is to make my fortune," he continued, with a triumphant +smile; "to reinstate me in my family possessions. Is it any +wonder, then, that I prize it? Since Fortune has thought fit to +bestow it upon me, I have only to use it properly, and I shall +arrive at the gold of which it is the index. Jupiter, bring me +that scarabaeus!" + +"What! de bug, massa? I'd rudder not go fer trubble dat bug; you +mus' git him for your own self." 
Hereupon Legrand arose, with a +grave and stately air, and brought me the beetle from a glass case +in which it was enclosed. It was a beautiful scarabaeus, and, at +that time, unknown to naturalists--of course a great prize in a +scientific point of view. There were two round black spots near +one extremity of the back, and a long one near the other. The +scales were exceedingly hard and glossy, with all the appearance of +burnished gold. The weight of the insect was very remarkable, and, +taking all things into consideration, I could hardly blame Jupiter +for his opinion respecting it; but what to make of Legrand's +concordance with that opinion, I could not, for the life of me, +tell. + +"I sent for you," said he, in a grandiloquent tone, when I had +completed my examination of the beetle, "I sent for you that I +might have your counsel and assistance in furthering the views of +Fate and of the bug--" + +"My dear Legrand," I cried, interrupting him, "you are certainly +unwell, and had better use some little precautions. You shall go +to bed, and I will remain with you a few days, until you get over +this. You are feverish and--" + +"Feel my pulse," said he. + +I felt it, and, to say the truth, found not the slightest +indication of fever. + +"But you may be ill and yet have no fever. Allow me this once to +prescribe for you. In the first place go to bed. In the next--" + +"You are mistaken," he interposed, "I am as well as I can expect to +be under the excitement which I suffer. If you really wish me +well, you will relieve this excitement." + +"And how is this to be done?" + +"Very easily. Jupiter and myself are going upon an expedition into +the hills, upon the mainland, and, in this expedition, we shall +need the aid of some person in whom we can confide. You are the +only one we can trust. Whether we succeed or fail, the excitement +which you now perceive in me will be equally allayed." 
+ +"I am anxious to oblige you in any way," I replied; "but do you +mean to say that this infernal beetle has any connection with your +expedition into the hills?" + +"It has." + +"Then, Legrand, I can become a party to no such absurd proceeding." + +"I am sorry--very sorry--for we shall have to try it by ourselves." + +"Try it by yourselves! The man is surely mad!--but stay!--how long +do you propose to be absent?" + +"Probably all night. We shall start immediately, and be back, at +all events, by sunrise." + +"And will you promise me, upon your honor, that when this freak of +yours is over, and the bug business (good God!) settled to your +satisfaction, you will then return home and follow my advice +implicitly, as that of your physician?" + +"Yes; I promise; and now let us be off, for we have no time to +lose." + +With a heavy heart I accompanied my friend. We started about four +o'clock--Legrand, Jupiter, the dog, and myself. Jupiter had with +him the scythe and spades--the whole of which he insisted upon +carrying--more through fear, it seemed to me, of trusting either of +the implements within reach of his master, than from any excess of +industry or complaisance. His demeanor was dogged in the extreme, +and "dat deuced bug" were the sole words which escaped his lips +during the journey. For my own part, I had charge of a couple of +dark lanterns, while Legrand contented himself with the scarabaeus, +which he carried attached to the end of a bit of whipcord; twirling +it to and fro, with the air of a conjurer, as he went. When I +observed this last, plain evidence of my friend's aberration of +mind, I could scarcely refrain from tears. I thought it best, +however, to humor his fancy, at least for the present, or until I +could adopt some more energetic measures with a chance of success. +In the meantime I endeavored, but all in vain, to sound him in +regard to the object of the expedition. 
Having succeeded in +inducing me to accompany him, he seemed unwilling to hold +conversation upon any topic of minor importance, and to all my +questions vouchsafed no other reply than "we shall see!" + +We crossed the creek at the head of the island by means of a skiff, +and, ascending the high grounds on the shore of the mainland, +proceeded in a northwesterly direction, through a tract of country +excessively wild and desolate, where no trace of a human footstep +was to be seen. Legrand led the way with decision; pausing only +for an instant, here and there, to consult what appeared to be +certain landmarks of his own contrivance upon a former occasion. + +In this manner we journeyed for about two hours, and the sun was +just setting when we entered a region infinitely more dreary than +any yet seen. It was a species of table-land, near the summit of +an almost inaccessible hill, densely wooded from base to pinnacle, +and interspersed with huge crags that appeared to lie loosely upon +the soil, and in many cases were prevented from precipitating +themselves into the valleys below, merely by the support of the +trees against which they reclined. Deep ravines, in various +directions, gave an air of still sterner solemnity to the scene. + +The natural platform to which we had clambered was thickly +overgrown with brambles, through which we soon discovered that it +would have been impossible to force our way but for the scythe; and +Jupiter, by direction of his master, proceeded to clear for us a +path to the foot of an enormously tall tulip tree, which stood, +with some eight or ten oaks, upon the level, and far surpassed them +all, and all other trees which I had then ever seen, in the beauty +of its foliage and form, in the wide spread of its branches, and in +the general majesty of its appearance. When we reached this tree, +Legrand turned to Jupiter, and asked him if he thought he could +climb it. 
The old man seemed a little staggered by the question, +and for some moments made no reply. At length he approached the +huge trunk, walked slowly around it, and examined it with minute +attention. When he had completed his scrutiny, he merely said: + +"Yes, massa, Jup climb any tree he ebber see in he life." + +"Then up with you as soon as possible, for it will soon be too dark +to see what we are about." + +"How far mus' go up, massa?" inquired Jupiter. + +"Get up the main trunk first, and then I will tell you which way to +go--and here--stop! take this beetle with you." + +"De bug, Massa Will!--de goole-bug!" cried the negro, drawing back +in dismay--"what for mus' tote de bug way up de tree?--d--n if I +do!" + +"If you are afraid, Jup, a great big negro like you, to take hold +of a harmless little dead beetle, why you can carry it up by this +string--but, if you do not take it up with you in some way, I shall +be under the necessity of breaking your head with this shovel." + +"What de matter now, massa?" said Jup, evidently shamed into +compliance; "always want for to raise fuss wid old nigger. Was +only funnin anyhow. ME feered de bug! what I keer for de bug?" +Here he took cautiously hold of the extreme end of the string, and, +maintaining the insect as far from his person as circumstances +would permit, prepared to ascend the tree. + +In youth, the tulip tree, or Liriodendron tulipiferum, the most +magnificent of American foresters, has a trunk peculiarly smooth, +and often rises to a great height without lateral branches; but, in +its riper age, the bark becomes gnarled and uneven, while many +short limbs make their appearance on the stem. Thus the difficulty +of ascension, in the present case, lay more in semblance than in +reality. 
Embracing the huge cylinder, as closely as possible, with +his arms and knees, seizing with his hands some projections, and +resting his naked toes upon others, Jupiter, after one or two +narrow escapes from falling, at length wriggled himself into the +first great fork, and seemed to consider the whole business as +virtually accomplished. The RISK of the achievement was, in fact, +now over, although the climber was some sixty or seventy feet from +the ground. + +"Which way mus' go now, Massa Will?" he asked. + +"Keep up the largest branch--the one on this side," said Legrand. +The negro obeyed him promptly, and apparently with but little +trouble; ascending higher and higher, until no glimpse of his squat +figure could be obtained through the dense foliage which enveloped +it. Presently his voice was heard in a sort of halloo. + +"How much fudder is got to go?" + +"How high up are you?" asked Legrand. + +"Ebber so fur," replied the negro; "can see de sky fru de top oh de +tree." + +"Never mind the sky, but attend to what I say. Look down the trunk +and count the limbs below you on this side. How many limbs have +you passed?" + +"One, two, tree, four, fibe--I done pass fibe big limb, massa, 'pon +dis side." + +"Then go one limb higher." + +In a few minutes the voice was heard again, announcing that the +seventh limb was attained. + +"Now, Jup," cried Legrand, evidently much excited, "I want you to +work your way out upon that limb as far as you can. If you see +anything strange let me know." + +By this time what little doubt I might have entertained of my poor +friend's insanity was put finally at rest. I had no alternative +but to conclude him stricken with lunacy, and I became seriously +anxious about getting him home. While I was pondering upon what +was best to be done, Jupiter's voice was again heard. + +"Mos feered for to ventur pon dis limb berry far--'tis dead limb +putty much all de way." + +"Did you say it was a DEAD limb, Jupiter?" 
cried Legrand in a +quavering voice. + +"Yes, massa, him dead as de door-nail--done up for sartin--done +departed dis here life." + +"What in the name of heaven shall I do?" asked Legrand, seemingly +in the greatest distress. + +"Do!" said I, glad of an opportunity to interpose a word, "why come +home and go to bed. Come now!--that's a fine fellow. It's getting +late, and, besides, you remember your promise." + +"Jupiter," cried he, without heeding me in the least, "do you hear +me?" + +"Yes, Massa Will, hear you ebber so plain." + +"Try the wood well, then, with your knife, and see if you think it +VERY rotten." + +"Him rotten, massa, sure nuff," replied the negro in a few moments, +"but not so berry rotten as mought be. Mought venture out leetle +way pon de limb by myself, dat's true." + +"By yourself!--what do you mean?" + +"Why, I mean de bug. 'Tis BERRY hebby bug. Spose I drop him down +fuss, an den de limb won't break wid just de weight of one nigger." + +"You infernal scoundrel!" cried Legrand, apparently much relieved, +"what do you mean by telling me such nonsense as that? As sure as +you drop that beetle I'll break your neck. Look here, Jupiter, do +you hear me?" + +"Yes, massa, needn't hollo at poor nigger dat style." + +"Well! now listen!--if you will venture out on the limb as far as +you think safe, and not let go the beetle, I'll make you a present +of a silver dollar as soon as you get down." + +"I'm gwine, Massa Will--deed I is," replied the negro very +promptly--"mos out to the eend now." + +"OUT TO THE END!" here fairly screamed Legrand; "do you say you are +out to the end of that limb?" + +"Soon be to de eend, massa--o-o-o-o-oh! Lor-gol-a-marcy! what IS +dis here pon de tree?" + +"Well!" cried Legrand, highly delighted, "what is it?" + +"Why 'taint noffin but a skull--somebody bin lef him head up de +tree, and de crows done gobble ebery bit ob de meat off." + +"A skull, you say!--very well,--how is it fastened to the limb?-- +what holds it on?" 
+ +"Sure nuff, massa; mus look. Why dis berry curious sarcumstance, +pon my word--dare's a great big nail in de skull, what fastens ob +it on to de tree." + +"Well now, Jupiter, do exactly as I tell you--do you hear?" + +"Yes, massa." + +"Pay attention, then--find the left eye of the skull." + +"Hum! hoo! dat's good! why dey ain't no eye lef at all." + +"Curse your stupidity! do you know your right hand from your left?" + +"Yes, I knows dat--knows all about dat--'tis my lef hand what I +chops de wood wid." + +"To be sure! you are left-handed; and your left eye is on the same +side as your left hand. Now, I suppose, you can find the left eye +of the skull, or the place where the left eye has been. Have you +found it?" + +Here was a long pause. At length the negro asked: + +"Is de lef eye of de skull pon de same side as de lef hand of de +skull too?--cause de skull aint got not a bit oh a hand at all-- +nebber mind! I got de lef eye now--here de lef eye! what mus do +wid it?" + +Let the beetle drop through it, as far as the string will reach-- +but be careful and not let go your hold of the string." + +"All dat done, Massa Will; mighty easy ting for to put de bug fru +de hole--look out for him dare below!" + +During this colloquy no portion of Jupiter's person could be seen; +but the beetle, which he had suffered to descend, was now visible +at the end of the string, and glistened, like a globe of burnished +gold, in the last rays of the setting sun, some of which still +faintly illumined the eminence upon which we stood. The scarabaeus +hung quite clear of any branches, and, if allowed to fall, would +have fallen at our feet. Legrand immediately took the scythe, and +cleared with it a circular space, three or four yards in diameter, +just beneath the insect, and, having accomplished this, ordered +Jupiter to let go the string and come down from the tree. 
+ +Driving a peg, with great nicety, into the ground, at the precise +spot where the beetle fell, my friend now produced from his pocket +a tape measure. Fastening one end of this at that point of the +trunk of the tree which was nearest the peg, he unrolled it till it +reached the peg and thence further unrolled it, in the direction +already established by the two points of the tree and the peg, for +the distance of fifty feet--Jupiter clearing away the brambles with +the scythe. At the spot thus attained a second peg was driven, and +about this, as a center, a rude circle, about four feet in +diameter, described. Taking now a spade himself, and giving one to +Jupiter and one to me, Legrand begged us to set about digging as +quickly as possible. + +To speak the truth, I had no especial relish for such amusement at +any time, and, at that particular moment, would willingly have +declined it; for the night was coming on, and I felt much fatigued +with the exercise already taken; but I saw no mode of escape, and +was fearful of disturbing my poor friend's equanimity by a refusal. +Could I have depended, indeed, upon Jupiter's aid, I would have had +no hesitation in attempting to get the lunatic home by force; but I +was too well assured of the old negro's disposition, to hope that +he would assist me, under any circumstances, in a personal contest +with his master. I made no doubt that the latter had been infected +with some of the innumerable Southern superstitions about money +buried, and that his fantasy had received confirmation by the +finding of the scarabaeus, or, perhaps, by Jupiter's obstinacy in +maintaining it to be "a bug of real gold." A mind disposed to +lunacy would readily be led away by such suggestions--especially if +chiming in with favorite preconceived ideas--and then I called to +mind the poor fellow's speech about the beetle's being "the index +of his fortune." 
Upon the whole, I was sadly vexed and puzzled, +but, at length, I concluded to make a virtue of necessity--to dig +with a good will, and thus the sooner to convince the visionary, by +ocular demonstration, of the fallacy of the opinion he entertained. + +The lanterns having been lit, we all fell to work with a zeal +worthy a more rational cause; and, as the glare fell upon our +persons and implements, I could not help thinking how picturesque a +group we composed, and how strange and suspicious our labors must +have appeared to any interloper who, by chance, might have stumbled +upon our whereabouts. + +We dug very steadily for two hours. Little was said; and our chief +embarrassment lay in the yelpings of the dog, who took exceeding +interest in our proceedings. He, at length, became so obstreperous +that we grew fearful of his giving the alarm to some stragglers in +the vicinity,--or, rather, this was the apprehension of Legrand;-- +for myself, I should have rejoiced at any interruption which might +have enabled me to get the wanderer home. The noise was, at +length, very effectually silenced by Jupiter, who, getting out of +the hole with a dogged air of deliberation, tied the brute's mouth +up with one of his suspenders, and then returned, with a grave +chuckle, to his task. + +When the time mentioned had expired, we had reached a depth of five +feet, and yet no signs of any treasure became manifest. A general +pause ensued, and I began to hope that the farce was at an end. +Legrand, however, although evidently much disconcerted, wiped his +brow thoughtfully and recommenced. We had excavated the entire +circle of four feet diameter, and now we slightly enlarged the +limit, and went to the farther depth of two feet. Still nothing +appeared. 
The gold-seeker, whom I sincerely pitied, at length +clambered from the pit, with the bitterest disappointment imprinted +upon every feature, and proceeded, slowly and reluctantly, to put +on his coat, which he had thrown off at the beginning of his labor. +In the meantime I made no remark. Jupiter, at a signal from his +master, began to gather up his tools. This done, and the dog +having been unmuzzled, we turned in profound silence toward home. + +We had taken, perhaps, a dozen steps in this direction, when, with +a loud oath, Legrand strode up to Jupiter, and seized him by the +collar. The astonished negro opened his eyes and mouth to the +fullest extent, let fall the spades, and fell upon his knees. + +"You scoundrel!" said Legrand, hissing out the syllables from +between his clenched teeth--"you infernal black villain!--speak, I +tell you!--answer me this instant, without prevarication!--which-- +which is your left eye?" + +"Oh, my golly, Massa Will! aint dis here my lef eye for sartain?" +roared the terrified Jupiter, placing his hand upon his RIGHT organ +of vision, and holding it there with a desperate pertinacity, as if +in immediate, dread of his master's attempt at a gouge. + +"I thought so!--I knew it! hurrah!" vociferated Legrand, letting +the negro go and executing a series of curvets and caracols, much +to the astonishment of his valet, who, arising from his knees, +looked, mutely, from his master to myself, and then from myself to +his master. + +"Come! we must go back," said the latter, "the game's not up yet;" +and he again led the way to the tulip tree. + +"Jupiter," said he, when we reached its foot, "come here! was the +skull nailed to the limb with the face outward, or with the face to +the limb?" + +"De face was out, massa, so dat de crows could get at de eyes good, +widout any trouble." + +"Well, then, was it this eye or that through which you dropped the +beetle?" here Legrand touched each of Jupiter's eyes. 
+ +"'Twas dis eye, massa--de lef eye--jis as you tell me," and here it +was his right eye that the negro indicated. + +"That will do--we must try it again." + +Here my friend, about whose madness I now saw, or fancied that I +saw, certain indications of method, removed the peg which marked +the spot where the beetle fell, to a spot about three inches to the +westward of its former position. Taking, now, the tape measure +from the nearest point of the trunk to the peg, as before, and +continuing the extension in a straight line to the distance of +fifty feet, a spot was indicated, removed, by several yards, from +the point at which we had been digging. + +Around the new position a circle, somewhat larger than in the +former instance, was now described, and we again set to work with +the spade. I was dreadfully weary, but, scarcely understanding +what had occasioned the change in my thoughts, I felt no longer any +great aversion from the labor imposed. I had become most +unaccountably interested--nay, even excited. Perhaps there was +something, amid all the extravagant demeanor of Legrand--some air +of forethought, or of deliberation, which impressed me. I dug +eagerly, and now and then caught myself actually looking, with +something that very much resembled expectation, for the fancied +treasure, the vision of which had demented my unfortunate +companion. At a period when such vagaries of thought most fully +possessed me, and when we had been at work perhaps an hour and a +half, we were again interrupted by the violent howlings of the dog. +His uneasiness, in the first instance, had been, evidently, but the +result of playfulness or caprice, but he now assumed a bitter and +serious tone. Upon Jupiter's again attempting to muzzle him, he +made furious resistance, and, leaping into the hole, tore up the +mold frantically with his claws. 
In a few seconds he had uncovered +a mass of human bones, forming two complete skeletons, intermingled +with several buttons of metal, and what appeared to be the dust of +decayed woolen. One or two strokes of a spade upturned the blade +of a large Spanish knife, and, as we dug farther, three or four +loose pieces of gold and silver coin came to light. + +At sight of these the joy of Jupiter could scarcely be restrained, +but the countenance of his master wore an air of extreme +disappointment. He urged us, however, to continue our exertions, +and the words were hardly uttered when I stumbled and fell forward, +having caught the toe of my boot in a large ring of iron that lay +half buried in the loose earth. + +We now worked in earnest, and never did I pass ten minutes of more +intense excitement. During this interval we had fairly unearthed +an oblong chest of wood, which, from its perfect preservation and +wonderful hardness, had plainly been subjected to some mineralizing +process--perhaps that of the bichloride of mercury. This box was +three feet and a half long, three feet broad, and two and a half +feet deep. It was firmly secured by bands of wrought iron, +riveted, and forming a kind of open trelliswork over the whole. On +each side of the chest, near the top, were three rings of iron--six +in all--by means of which a firm hold could be obtained by six +persons. Our utmost united endeavors served only to disturb the +coffer very slightly in its bed. We at once saw the impossibility +of removing so great a weight. Luckily, the sole fastenings of the +lid consisted of two sliding bolts. These we drew back--trembling +and panting with anxiety. In an instant, a treasure of +incalculable value lay gleaming before us. As the rays of the +lanterns fell within the pit, there flashed upward a glow and a +glare, from a confused heap of gold and of jewels, that absolutely +dazzled our eyes. + +I shall not pretend to describe the feelings with which I gazed. 
+Amazement was, of course, predominant. Legrand appeared exhausted +with excitement, and spoke very few words. Jupiter's countenance +wore, for some minutes, as deadly a pallor as it is possible, in +the nature of things, for any negro's visage to assume. He seemed +stupefied--thunderstricken. Presently he fell upon his knees in +the pit, and burying his naked arms up to the elbows in gold, let +them there remain, as if enjoying the luxury of a bath. At length, +with a deep sigh, he exclaimed, as if in a soliloquy: + +"And dis all cum of de goole-bug! de putty goole-bug! de poor +little goole-bug, what I boosed in that sabage kind oh style! +Ain't you shamed oh yourself, nigger?--answer me dat!" + +It became necessary, at last, that I should arouse both master and +valet to the expediency of removing the treasure. It was growing +late, and it behooved us to make exertion, that we might get +everything housed before daylight. It was difficult to say what +should he done, and much time was spent in deliberation--so +confused were the ideas of all. We, finally, lightened the box by +removing two thirds of its contents, when we were enabled, with +some trouble, to raise it from the hole. The articles taken out +were deposited among the brambles, and the dog left to guard them, +with strict orders from Jupiter neither, upon any pretense, to stir +from the spot, nor to open his mouth until our return. We then +hurriedly made for home with the chest; reaching the hut in safety, +but after excessive toil, at one o'clock in the morning. Worn out +as we were, it was not in human nature to do more immediately. We +rested until two, and had supper; starting for the hills +immediately afterwards, armed with three stout sacks, which, by +good luck, were upon the premises. 
A little before four we arrived +at the pit, divided the remainder of the booty, as equally as might +be, among us, and, leaving the holes unfilled, again set out for +the hut, at which, for the second time, we deposited our golden +burdens, just as the first faint streaks of the dawn gleamed from +over the treetops in the east. + +We were now thoroughly broken down; but the intense excitement of +the time denied us repose. After an unquiet slumber of some three +or four hours' duration, we arose, as if by preconcert, to make +examination of our treasure. + +The chest had been full to the brim, and we spent the whole day, +and the greater part of the next night, in a scrutiny of its +contents. There had been nothing like order or arrangement. +Everything had been heaped in promiscuously. Having assorted all +with care, we found ourselves possessed of even vaster wealth than +we had at first supposed. In coin there was rather more than four +hundred and fifty thousand dollars--estimating the value of the +pieces, as accurately as we could, by the tables of the period. +There was not a particle of silver. All was gold of antique date +and of great variety--French, Spanish, and German money, with a few +English guineas, and some counters, of which we had never seen +specimens before. There were several very large and heavy coins, +so worn that we could make nothing of their inscriptions. There +was no American money. The value of the jewels we found more +difficulty in estimating. There were diamonds--some of them +exceedingly large and fine--a hundred and ten in all, and not one +of them small; eighteen rubies of remarkable brilliancy;--three +hundred and ten emeralds, all very beautiful; and twenty-one +sapphires, with an opal. These stones had all been broken from +their settings and thrown loose in the chest. The settings +themselves, which we picked out from among the other gold, appeared +to have been beaten up with hammers, as if to prevent +identification. 
Besides all this, there was a vast quantity of +solid gold ornaments; nearly two hundred massive finger and ears +rings; rich chains--thirty of these, if I remember; eighty-three +very large and heavy crucifixes; five gold censers of great value; +a prodigious golden punch bowl, ornamented with richly chased vine +leaves and Bacchanalian figures; with two sword handles exquisitely +embossed, and many other smaller articles which I cannot recollect. +The weight of these valuables exceeded three hundred and fifty +pounds avoirdupois; and in this estimate I have not included one +hundred and ninety-seven superb gold watches; three of the number +being worth each five hundred dollars, if one. Many of them were +very old, and as timekeepers valueless; the works having suffered, +more or less, from corrosion--but all were richly jeweled and in +cases of great worth. We estimated the entire contents of the +chest, that night, at a million and a half of dollars; and upon the +subsequent disposal of the trinkets and jewels (a few being +retained for our own use), it was found that we had greatly +undervalued the treasure. + +When, at length, we had concluded our examination, and the intense +excitement of the time had, in some measure, subsided, Legrand, who +saw that I was dying with impatience for a solution of this most +extraordinary riddle, entered into a full detail of all the +circumstances connected with it. + +"You remember," said he, "the night when I handed you the rough +sketch I had made of the scarabaeus. You recollect, also, that I +became quite vexed at you for insisting that my drawing resembled a +death's head. When you first made this assertion I thought you +were jesting; but afterwards I called to mind the peculiar spots on +the back of the insect, and admitted to myself that your remark had +some little foundation in fact. 
Still, the sneer at my graphic +powers irritated me--for I am considered a good artist--and, +therefore, when you handed me the scrap of parchment, I was about +to crumple it up and throw it angrily into the fire." + +"The scrap of paper, you mean," said I. + +"No; it had much of the appearance of paper, and at first I +supposed it to be such, but when I came to draw upon it, I +discovered it at once to be a piece of very thin parchment. It was +quite dirty, you remember. Well, as I was in the very act of +crumpling it up, my glance fell upon the sketch at which you had +been looking, and you may imagine my astonishment when I perceived, +in fact, the figure of a death's head just where, it seemed to me, +I had made the drawing of the beetle. For a moment I was too much +amazed to think with accuracy. I knew that my design was very +different in detail from this--although there was a certain +similarity in general outline. Presently I took a candle, and +seating myself at the other end of the room, proceeded to +scrutinize the parchment more closely. Upon turning it over, I saw +my own sketch upon the reverse, just as I had made it. My first +idea, now, was mere surprise at the really remarkable similarity of +outline--at the singular coincidence involved in the fact that, +unknown to me, there should have been a skull upon the other side +of the parchment, immediately beneath my figure of the scarabaeus, +and that this skull, not only in outline, but in size, should so +closely resemble my drawing. I say the singularity of this +coincidence absolutely stupefied me for a time. This is the usual +effect of such coincidences. The mind struggles to establish a +connection--a sequence of cause and effect--and, being unable to do +so, suffers a species of temporary paralysis. But, when I +recovered from this stupor, there dawned upon me gradually a +conviction which startled me even far more than the coincidence. 
I +began distinctly, positively, to remember that there had been NO +drawing upon the parchment, when I made my sketch of the +scarabaeus. I became perfectly certain of this; for I recollected +turning up first one side and then the other, in search of the +cleanest spot. Had the skull been then there, of course I could +not have failed to notice it. Here was indeed a mystery which I +felt it impossible to explain; but, even at that early moment, +there seemed to glimmer, faintly, within the most remote and secret +chambers of my intellect, a glow-wormlike conception of that truth +which last night's adventure brought to so magnificent a +demonstration. I arose at once, and putting the parchment securely +away, dismissed all further reflection until I should be alone. + +"When you had gone, and when Jupiter was fast asleep, I betook +myself to a more methodical investigation of the affair. In the +first place I considered the manner in which the parchment had come +into my possession. The spot where we discovered the scarabaeus +was on the coast of the mainland, about a mile eastward of the +island, and but a short distance above high-water mark. Upon my +taking hold of it, it gave me a sharp bite, which caused me to let +it drop. Jupiter, with his accustomed caution, before seizing the +insect, which had flown toward him, looked about him for a leaf, or +something of that nature, by which to take hold of it. It was at +this moment that his eyes, and mine also, fell upon the scrap of +parchment, which I then supposed to be paper. It was lying half +buried in the sand, a corner sticking up. Near the spot where we +found it, I observed the remnants of the hull of what appeared to +have been a ship's longboat. The wreck seemed to have been there +for a very great while, for the resemblance to boat timbers could +scarcely be traced. + +"Well, Jupiter picked up the parchment, wrapped the beetle in it, +and gave it to me. 
Soon afterwards we turned to go home, and on +the way met Lieutenant G----. I showed him the insect, and he +begged me to let him take it to the fort. Upon my consenting, he +thrust it forthwith into his waistcoat pocket, without the +parchment in which it had been wrapped, and which I had continued +to hold in my hand during his inspection. Perhaps he dreaded my +changing my mind, and thought it best to make sure of the prize at +once--you know how enthusiastic he is on all subjects connected +with Natural History. At the same time, without being conscious of +it, I must have deposited the parchment in my own pocket. + +"You remember that when I went to the table, for the purpose of +making a sketch of the beetle, I found no paper where it was +usually kept. I looked in the drawer, and found none there. I +searched my pockets, hoping to find an old letter, when my hand +fell upon the parchment. I thus detail the precise mode in which +it came into my possession, for the circumstances impressed me with +peculiar force. + +"No doubt you will think me fanciful--but I had already established +a kind of CONNECTION. I had put together two links of a great +chain. There was a boat lying upon a seacoast, and not far from +the boat was a parchment--NOT A PAPER--with a skull depicted upon +it. You will, of course, ask 'where is the connection?' I reply +that the skull, or death's head, is the well-known emblem of the +pirate. The flag of the death's head is hoisted in all +engagements. + +"I have said that the scrap was parchment, and not paper. +Parchment is durable--almost imperishable. Matters of little +moment are rarely consigned to parchment; since, for the mere +ordinary purposes of drawing or writing, it is not nearly so well +adapted as paper. This reflection suggested some meaning--some +relevancy--in the death's head. I did not fail to observe, also, +the FORM of the parchment. 
Although one of its corners had been, +by some accident, destroyed, it could be seen that the original +form was oblong. It was just such a slip, indeed, as might have +been chosen for a memorandum--for a record of something to be long +remembered, and carefully preserved." + +"But," I interposed, "you say that the skull was NOT upon the +parchment when you made the drawing of the beetle. How then do you +trace any connection between the boat and the skull--since this +latter, according to your own admission, must have been designed +(God only knows how or by whom) at some period subsequent to your +sketching the scarabaeus?" + +"Ah, hereupon turns the whole mystery; although the secret, at this +point, I had comparatively little difficulty in solving. My steps +were sure, and could afford but a single result. I reasoned, for +example, thus: When I drew the scarabaeus, there was no skull +apparent upon the parchment. When I had completed the drawing I +gave it to you, and observed you narrowly until you returned it. +YOU, therefore, did not design the skull, and no one else was +present to do it. Then it was not done by human agency. And +nevertheless it was done. + +"At this stage of my reflections I endeavored to remember, and DID +remember, with entire distinctness, every incident which occurred +about the period in question. The weather was chilly (oh, rare and +happy accident!), and a fire was blazing upon the hearth. I was +heated with exercise and sat near the table. You, however, had +drawn a chair close to the chimney. Just as I placed the parchment +in your hand, and as you were in the act of inspecting it, Wolf, +the Newfoundland, entered, and leaped upon your shoulders. With +your left hand you caressed him and kept him off, while your right, +holding the parchment, was permitted to fall listlessly between +your knees, and in close proximity to the fire. 
At one moment I +thought the blaze had caught it, and was about to caution you, but, +before I could speak, you had withdrawn it, and were engaged in its +examination. When I considered all these particulars, I doubted +not for a moment that HEAT had been the agent in bringing to light, +upon the parchment, the skull which I saw designed upon it. You +are well aware that chemical preparations exist, and have existed +time out of mind, by means of which it is possible to write upon +either paper or vellum, so that the characters shall become visible +only when subjected to the action of fire. Zaffre, digested in +aqua regia, and diluted with four times its weight of water, is +sometimes employed; a green tint results. The regulus of cobalt, +dissolved in spirit of niter, gives a red. These colors disappear +at longer or shorter intervals after the material written upon +cools, but again become apparent upon the reapplication of heat. + +"I now scrutinized the death's head with care. Its outer edges-- +the edges of the drawing nearest the edge of the vellum--were far +more DISTINCT than the others. It was clear that the action of the +caloric had been imperfect or unequal. I immediately kindled a +fire, and subjected every portion of the parchment to a glowing +heat. At first, the only effect was the strengthening of the faint +lines in the skull; but, upon persevering in the experiment, there +became visible, at the corner of the slip, diagonally opposite to +the spot in which the death's head was delineated, the figure of +what I at first supposed to be a goat. A closer scrutiny, however, +satisfied me that it was intended for a kid." + +"Ha! ha!" 
said I, "to be sure I have no right to laugh at you--a +million and a half of money is too serious a matter for mirth--but +you are not about to establish a third link in your chain--you will +not find any especial connection between your pirates and a goat-- +pirates, you know, have nothing to do with goats; they appertain to +the farming interest." + +"But I have just said that the figure was NOT that of a goat." + +"Well, a kid then--pretty much the same thing." + +"Pretty much, but not altogether," said Legrand. "You may have +heard of one CAPTAIN Kidd. I at once looked upon the figure of the +animal as a kind of punning or hieroglyphical signature. I say +signature; because its position upon the vellum suggested this +idea. The death's head at the corner diagonally opposite, had, in +the same manner, the air of a stamp, or seal. But I was sorely put +out by the absence of all else--of the body to my imagined +instrument--of the text for my context." + +"I presume you expected to find a letter between the stamp and the +signature." + +"Something of that kind. The fact is, I felt irresistibly +impressed with a presentiment of some vast good fortune impending. +I can scarcely say why. Perhaps, after all, it was rather a desire +than an actual belief;--but do you know that Jupiter's silly words, +about the bug being of solid gold, had a remarkable effect upon my +fancy? And then the series of accidents and coincidents--these +were so VERY extraordinary. Do you observe how mere an accident it +was that these events should have occurred upon the SOLE day of all +the year in which it has been, or may be sufficiently cool for +fire, and that without the fire, or without the intervention of the +dog at the precise moment in which he appeared, I should never have +become aware of the death's head, and so never the possessor of the +treasure?" + +"But proceed--I am all impatience." 
+ +"Well; you have heard, of course, the many stories current--the +thousand vague rumors afloat about money buried, somewhere upon the +Atlantic coast, by Kidd and his associates. These rumors must have +had some foundation in fact. And that the rumors have existed so +long and so continuous, could have resulted, it appeared to me, +only from the circumstance of the buried treasures still REMAINING +entombed. Had Kidd concealed his plunder for a time, and +afterwards reclaimed it, the rumors would scarcely have reached us +in their present unvarying form. You will observe that the stories +told are all about money-seekers, not about money-finders. Had the +pirate recovered his money, there the affair would have dropped. +It seemed to me that some accident--say the loss of a memorandum +indicating its locality--had deprived him of the means of +recovering it, and that this accident had become known to his +followers, who otherwise might never have heard that the treasure +had been concealed at all, and who, busying themselves in vain, +because unguided, attempts to regain it, had given first birth, and +then universal currency, to the reports which are now so common. +Have you ever heard of any important treasure being unearthed along +the coast?" + +"Never." + +"But that Kidd's accumulations were immense, is well known. I took +it for granted, therefore, that the earth still held them; and you +will scarcely be surprised when I tell you that I felt a hope, +nearly amounting to certainty, that the parchment so strangely +found involved a lost record of the place of deposit." + +"But how did you proceed?" + +"I held the vellum again to the fire, after increasing the heat, +but nothing appeared. 
I now thought it possible that the coating +of dirt might have something to do with the failure: so I carefully +rinsed the parchment by pouring warm water over it, and, having +done this, I placed it in a tin pan, with the skull downward, and +put the pan upon a furnace of lighted charcoal. In a few minutes, +the pan having become thoroughly heated, I removed the slip, and, +to my inexpressible joy, found it spotted, in several places, with +what appeared to be figures arranged in lines. Again I placed it +in the pan, and suffered it to remain another minute. Upon taking +it off, the whole was just as you see it now." + +Here Legrand, having reheated the parchment, submitted it to my +inspection. The following characters were rudely traced, in a red +tint, between the death's head and the goat: + + +"53++!305))6*;4826)4+)4+).;806*;48!8]60))85;1+8*:+(;:+*8!83(88)5*!; +46(;88*96*?;8)*+(;485);5*!2:*+(;4956*2(5*-4)8]8*;4069285);)6!8)4++; +1(+9;48081;8:8+1;48!85;4)485!528806*81(+9;48;(88;4(+?34;48)4+;161;: +188;+?;" + + +"But," said I, returning him the slip, "I am as much in the dark as +ever. Were all the jewels of Golconda awaiting me upon my solution +of this enigma, I am quite sure that I should be unable to earn +them." + +"And yet," said Legrand, "the solution is by no means so difficult +as you might be led to imagine from the first hasty inspection of +the characters. These characters, as anyone might readily guess, +form a cipher--that is to say, they convey a meaning; but then from +what is known of Kidd, I could not suppose him capable of +constructing any of the more abstruse cryptographs. I made up my +mind, at once, that this was of a simple species--such, however, as +would appear, to the crude intellect of the sailor, absolutely +insoluble without the key." + +"And you really solved it?" + +"Readily; I have solved others of an abstruseness ten thousand +times greater. 
Circumstances, and a certain bias of mind, have led +me to take interest in such riddles, and it may well be doubted +whether human ingenuity can construct an enigma of the kind which +human ingenuity may not, by proper application, resolve. In fact, +having once established connected and legible characters, I +scarcely gave a thought to the mere difficulty of developing their +import. + +"In the present case--indeed in all cases of secret writing--the +first question regards the LANGUAGE of the cipher; for the +principles of solution, so far, especially, as the more simple +ciphers are concerned, depend upon, and are varied by, the genius +of the particular idiom. In general, there is no alternative but +experiment (directed by probabilities) of every tongue known to him +who attempts the solution, until the true one be attained. But, +with the cipher now before us, all difficulty was removed by the +signature. The pun upon the word 'Kidd' is appreciable in no other +language than the English. But for this consideration I should +have begun my attempts with the Spanish and French, as the tongues +in which a secret of this kind would most naturally have been +written by a pirate of the Spanish main. As it was, I assumed the +cryptograph to be English. + +"You observe there are no divisions between the words. Had there +been divisions the task would have been comparatively easy. In +such cases I should have commenced with a collation and analysis of +the shorter words, and, had a word of a single letter occurred, as +is most likely, (a or I, for example,) I should have considered the +solution as assured. But, there being no division, my first step +was to ascertain the predominant letters, as well as the least +frequent. Counting all, I constructed a table thus: + + +Of the character 8 there are 33. + ; " 26. + 4 " 19. + +) " 16. + * " 13. + 5 " 12. + 6 " 11. + !1 " 8. + 0 " 6. + 92 " 5. + :3 " 4. + ? " 3. + ] " 2. + -. " 1. 
+ + +"Now, in English, the letter which most frequently occurs is e. +Afterwards, the succession runs thus: a o i d h n r s t u y c f g l +m w b k p q x z. E predominates so remarkably, that an individual +sentence of any length is rarely seen, in which it is not the +prevailing character. + +"Here, then, we have, in the very beginning, the groundwork for +something more than a mere guess. The general use which may be +made of the table is obvious--but, in this particular cipher, we +shall only very partially require its aid. As our predominant +character is 8, we will commence by assuming it as the e of the +natural alphabet. To verify the supposition, let us observe if the +8 be seen often in couples--for e is doubled with great frequency +in English--in such words, for example, as 'meet,' 'fleet,' +'speed,' 'seen,' 'been,' 'agree,' etc. In the present instance we +see it doubled no less than five times, although the cryptograph is +brief. + +"Let us assume 8, then, as e. Now, of all WORDS in the language, +'the' is most usual; let us see, therefore, whether there are not +repetitions of any three characters, in the same order of +collocation, the last of them being 8. If we discover repetitions +of such letters, so arranged, they will most probably represent the +word 'the.' Upon inspection, we find no less than seven such +arrangements, the characters being ;48. We may, therefore, assume +that ; represents t, 4 represents h, and 8 represents e--the last +being now well confirmed. Thus a great step has been taken. + +"But, having established a single word, we are enabled to establish +a vastly important point; that is to say, several commencements and +terminations of other words. Let us refer, for example, to the +last instance but one, in which the combination ;48 occurs--not far +from the end of the cipher. 
We know that the ; immediately ensuing +is the commencement of a word, and, of the six characters +succeeding this 'the,' we are cognizant of no less than five. Let +us set these characters down, thus, by the letters we know them to +represent, leaving a space for the unknown-- + + +t eeth. + + +"Here we are enabled, at once, to discard the 'th,' as forming no +portion of the word commencing with the first t; since, by +experiment of the entire alphabet for a letter adapted to the +vacancy, we perceive that no word can be formed of which this th +can be a part. We are thus narrowed into + + +t ee, + + +and, going through the alphabet, if necessary, as before, we arrive +at the word 'tree,' as the sole possible reading. We thus gain +another letter, r, represented by (, with the words 'the tree' in +juxtaposition. + +"Looking beyond these words, for a short distance, we again see the +combination ;48, and employ it by way of TERMINATION to what +immediately precedes. We have thus this arrangement: + + +the tree ;4(4+?34 the, + + +or, substituting the natural letters, where known, it reads thus: + + +the tree thr+?3h the. + + +"Now, if, in place of the unknown characters, we leave blank +spaces, or substitute dots, we read thus: + + +the tree thr...h the, + + +when the word 'through' makes itself evident at once. But this +discovery gives us three new letters, o, u, and g, represented by ++, ?, and 3. + +"Looking now, narrowly, through the cipher for combinations of +known characters, we find, not very far from the beginning, this +arrangement, + + +83(88, or egree, + + +which plainly, is the conclusion of the word 'degree,' and gives us +another letter, d, represented by !. + +"Four letters beyond the word 'degree,' we perceive the combination + + +;46(;88. 
+ + +"Translating the known characters, and representing the unknown by +dots, as before, we read thus: + + +th.rtee, + + +an arrangement immediately suggestive of the word thirteen,' and +again furnishing us with two new characters, i and n, represented +by 6 and *. + +"Referring, now, to the beginning of the cryptograph, we find the +combination, + + +53++!. + + +"Translating as before, we obtain + + +.good, + + +which assures us that the first letter is A, and that the first two +words are 'A good.' + +"It is now time that we arrange our key, as far as discovered, in a +tabular form, to avoid confusion. It will stand thus: + + +5 represents a +! " d +8 " e +3 " g +4 " h +6 " i +* " n ++ " o +( " r +; " t +? " u + + +"We have, therefore, no less than eleven of the most important +letters represented, and it will be unnecessary to proceed with the +details of the solution. I have said enough to convince you that +ciphers of this nature are readily soluble, and to give you some +insight into the rationale of their development. But be assured +that the specimen before us appertains to the very simplest species +of cryptograph. It now only remains to give you the full +translation of the characters upon the parchment, as unriddled. +Here it is: + + +"'A good glass in the bishop's hostel in the devil's seat forty-one +degrees and thirteen minutes northeast and by north main branch +seventh limb east side shoot from the left eye of the death's head +a bee-line from the tree through the shot fifty feet out.'" + + +"But," said I, "the enigma seems still in as bad a condition as +ever. How is it possible to extort a meaning from all this jargon +about 'devil's seats,' 'death's heads,' and 'bishop's hostels'?" + +"I confess," replied Legrand, "that the matter still wears a +serious aspect, when regarded with a casual glance. My first +endeavor was to divide the sentence into the natural division +intended by the cryptographist." + +"You mean, to punctuate it?" 
+ +"Something of that kind." + +"But how was it possible to effect this?" + +"I reflected that it had been a POINT with the writer to run his +words together without division, so as to increase the difficulty +of solution. Now, a not overacute man, in pursuing such an object, +would be nearly certain to overdo the matter. When, in the course +of his composition, he arrived at a break in his subject which +would naturally require a pause, or a point, he would be +exceedingly apt to run his characters, at this place, more than +usually close together. If you will observe the MS., in the +present instance, you will easily detect five such cases of unusual +crowding. Acting upon this hint I made the division thus: + + +"'A good glass in the bishop's hostel in the devil's seat--forty- +one degrees and thirteen minutes--northeast and by north--main +branch seventh limb east side--shoot from the left eye of the +death's head--a bee-line from the tree through the shot fifty feet +out.'" + + +"Even this division," said I, "leaves me still in the dark." + +"It left me also in the dark," replied Legrand, "for a few days; +during which I made diligent inquiry in the neighborhood of +Sullivan's Island, for any building which went by name of the +'Bishop's Hotel'; for, of course, I dropped the obsolete word +'hostel.' Gaining no information on the subject, I was on the +point of extending my sphere of search, and proceeding in a more +systematic manner, when, one morning, it entered into my head, +quite suddenly, that this 'Bishop's Hostel' might have some +reference to an old family, of the name of Bessop, which, time out +of mind, had held possession of an ancient manor house, about four +miles to the northward of the island. I accordingly went over to +the plantation, and reinstituted my inquiries among the older +negroes of the place. 
At length one of the most aged of the women +said that she had heard of such a place as Bessop's Castle, and +thought that she could guide me to it, but that it was not a +castle, nor a tavern, but a high rock. + +"I offered to pay her well for her trouble, and, after some demur, +she consented to accompany me to the spot. We found it without +much difficulty, when, dismissing her, I proceeded to examine the +place. The 'castle' consisted of an irregular assemblage of cliffs +and rocks--one of the latter being quite remarkable for its height +as well as for its insulated and artificial appearance. I +clambered to its apex, and then felt much at a loss as to what +should be next done. + +"While I was busied in reflection, my eyes fell upon a narrow ledge +in the eastern face of the rock, perhaps a yard below the summit +upon which I stood. This ledge projected about eighteen inches, +and was not more than a foot wide, while a niche in the cliff just +above it gave it a rude resemblance to one of the hollow-backed +chairs used by our ancestors. I made no doubt that here was the +'devil's seat' alluded to in the MS., and now I seemed to grasp the +full secret of the riddle. + +"The 'good glass,' I knew, could have reference to nothing but a +telescope; for the word 'glass' is rarely employed in any other +sense by seamen. Now here, I at once saw, was a telescope to be +used, and a definite point of view, ADMITTING NO VARIATION, from +which to use it. Nor did I hesitate to believe that the phrases, +'forty-one degrees and thirteen minutes,' and 'northeast and by +north,' were intended as directions for the leveling of the glass. +Greatly excited by these discoveries, I hurried home, procured a +telescope, and returned to the rock. + +"I let myself down to the ledge, and found that it was impossible +to retain a seat upon it except in one particular position. This +fact confirmed my preconceived idea. I proceeded to use the glass. 
+Of course, the 'forty-one degrees and thirteen minutes' could +allude to nothing but elevation above the visible horizon, since +the horizontal direction was clearly indicated by the words, +'northeast and by north.' This latter direction I at once +established by means of a pocket compass; then, pointing the glass +as nearly at an angle of forty-one degrees of elevation as I could +do it by guess, I moved it cautiously up or down, until my +attention was arrested by a circular rift or opening in the foliage +of a large tree that overtopped its fellows in the distance. In +the center of this rift I perceived a white spot, but could not, at +first, distinguish what it was. Adjusting the focus of the +telescope, I again looked, and now made it out to be a human skull. + +"Upon this discovery I was so sanguine as to consider the enigma +solved; for the phrase 'main branch, seventh limb, east side,' +could refer only to the position of the skull upon the tree, while +'shoot from the left eye of the death's head' admitted, also, of +but one interpretation, in regard to a search for buried treasure. +I perceived that the design was to drop a bullet from the left eye +of the skull, and that a bee-line, or, in other words, a straight +line, drawn from the nearest point of the trunk 'through the shot' +(or the spot where the bullet fell), and thence extended to a +distance of fifty feet, would indicate a definite point--and +beneath this point I thought it at least POSSIBLE that a deposit of +value lay concealed." + +"All this," I said, "is exceedingly clear, and, although ingenious, +still simple and explicit. When you left the Bishop's Hotel, what +then?" + +"Why, having carefully taken the bearings of the tree, I turned +homeward. The instant that I left 'the devil's seat,' however, the +circular rift vanished; nor could I get a glimpse of it afterwards, +turn as I would. 
What seems to me the chief ingenuity in this +whole business, is the fact (for repeated experiment has convinced +me it IS a fact) that the circular opening in question is visible +from no other attainable point of view than that afforded by the +narrow ledge upon the face of the rock. + +"In this expedition to the 'Bishop's Hotel' I had been attended by +Jupiter, who had, no doubt, observed, for some weeks past, the +abstraction of my demeanor, and took especial care not to leave me +alone. But, on the next day, getting up very early, I contrived to +give him the slip, and went into the hills in search of the tree. +After much toil I found it. When I came home at night my valet +proposed to give me a flogging. With the rest of the adventure I +believe you are as well acquainted as myself." + +"I suppose," said I, "you missed the spot, in the first attempt at +digging, through Jupiter's stupidity in letting the bug fall +through the right instead of through the left eye of the skull." + +"Precisely. This mistake made a difference of about two inches and +a half in the 'shot'--that is to say, in the position of the peg +nearest the tree; and had the treasure been BENEATH the 'shot,' the +error would have been of little moment; but 'the shot,' together +with the nearest point of the tree, were merely two points for the +establishment of a line of direction; of course the error, however +trivial in the beginning, increased as we proceeded with the line, +and by the time we had gone fifty feet threw us quite off the +scent. But for my deep-seated impressions that treasure was here +somewhere actually buried, we might have had all our labor in +vain." + +"But your grandiloquence, and your conduct in swinging the beetle-- +how excessively odd! I was sure you were mad. And why did you +insist upon letting fall the bug, instead of a bullet, from the +skull?" 
+ +"Why, to be frank, I felt somewhat annoyed by your evident +suspicions touching my sanity, and so resolved to punish you +quietly, in my own way, by a little bit of sober mystification. +For this reason I swung the beetle, and for this reason I let it +fall from the tree. An observation of yours about its great weight +suggested the latter idea." + +"Yes, I perceive; and now there is only one point which puzzles me. +What are we to make of the skeletons found in the hole?" + +"That is a question I am no more able to answer than yourself. +There seems, however, only one plausible way of accounting for +them--and yet it is dreadful to believe in such atrocity as my +suggestion would imply. It is clear that Kidd--if Kidd indeed +secreted this treasure, which I doubt not--it is clear that he must +have had assistance in the labor. But this labor concluded, he may +have thought it expedient to remove all participants in his secret. +Perhaps a couple of blows with a mattock were sufficient, while his +coadjutors were busy in the pit; perhaps it required a dozen--who +shall tell?" diff --git a/testsuite/rfc1750.txt b/testsuite/rfc1750.txt deleted file mode 100644 index 56d478c7..00000000 --- a/testsuite/rfc1750.txt +++ /dev/null 
@@ -1,1683 +0,0 @@ - - - - - - -Network Working Group D. Eastlake, 3rd -Request for Comments: 1750 DEC -Category: Informational S. Crocker - Cybercash - J. Schiller - MIT - December 1994 - - - Randomness Recommendations for Security - -Status of this Memo - - This memo provides information for the Internet community. This memo - does not specify an Internet standard of any kind. Distribution of - this memo is unlimited. - -Abstract - - Security systems today are built on increasingly strong cryptographic - algorithms that foil pattern analysis attempts. However, the security - of these systems is dependent on generating secret quantities for - passwords, cryptographic keys, and similar quantities. The use of - pseudo-random processes to generate secret quantities can result in - pseudo-security. The sophisticated attacker of these security - systems may find it easier to reproduce the environment that produced - the secret quantities, searching the resulting small set of - possibilities, than to locate the quantities in the whole of the - number space. - - Choosing random quantities to foil a resourceful and motivated - adversary is surprisingly difficult. This paper points out many - pitfalls in using traditional pseudo-random number generation - techniques for choosing such quantities. It recommends the use of - truly random hardware techniques and shows that the existing hardware - on many systems can be used for this purpose. It provides - suggestions to ameliorate the problem when a hardware solution is not - available. And it gives examples of how large such quantities need - to be for some particular applications. - - - - - - - - - - - - -Eastlake, Crocker & Schiller [Page 1] - -RFC 1750 Randomness Recommendations for Security December 1994 - - -Acknowledgements - - Comments on this document that have been incorporated were received - from (in alphabetic order) the following: - - David M. Balenson (TIS) - Don Coppersmith (IBM) - Don T. 
Davis (consultant) - Carl Ellison (Stratus) - Marc Horowitz (MIT) - Christian Huitema (INRIA) - Charlie Kaufman (IRIS) - Steve Kent (BBN) - Hal Murray (DEC) - Neil Haller (Bellcore) - Richard Pitkin (DEC) - Tim Redmond (TIS) - Doug Tygar (CMU) - -Table of Contents - - 1. Introduction........................................... 3 - 2. Requirements........................................... 4 - 3. Traditional Pseudo-Random Sequences.................... 5 - 4. Unpredictability....................................... 7 - 4.1 Problems with Clocks and Serial Numbers............... 7 - 4.2 Timing and Content of External Events................ 8 - 4.3 The Fallacy of Complex Manipulation.................. 8 - 4.4 The Fallacy of Selection from a Large Database....... 9 - 5. Hardware for Randomness............................... 10 - 5.1 Volume Required...................................... 10 - 5.2 Sensitivity to Skew.................................. 10 - 5.2.1 Using Stream Parity to De-Skew..................... 11 - 5.2.2 Using Transition Mappings to De-Skew............... 12 - 5.2.3 Using FFT to De-Skew............................... 13 - 5.2.4 Using Compression to De-Skew....................... 13 - 5.3 Existing Hardware Can Be Used For Randomness......... 14 - 5.3.1 Using Existing Sound/Video Input................... 14 - 5.3.2 Using Existing Disk Drives......................... 14 - 6. Recommended Non-Hardware Strategy..................... 14 - 6.1 Mixing Functions..................................... 15 - 6.1.1 A Trivial Mixing Function.......................... 15 - 6.1.2 Stronger Mixing Functions.......................... 16 - 6.1.3 Diff-Hellman as a Mixing Function.................. 17 - 6.1.4 Using a Mixing Function to Stretch Random Bits..... 17 - 6.1.5 Other Factors in Choosing a Mixing Function........ 18 - 6.2 Non-Hardware Sources of Randomness................... 19 - 6.3 Cryptographically Strong Sequences................... 
19 - - - -Eastlake, Crocker & Schiller [Page 2] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - 6.3.1 Traditional Strong Sequences....................... 20 - 6.3.2 The Blum Blum Shub Sequence Generator.............. 21 - 7. Key Generation Standards.............................. 22 - 7.1 US DoD Recommendations for Password Generation....... 23 - 7.2 X9.17 Key Generation................................. 23 - 8. Examples of Randomness Required....................... 24 - 8.1 Password Generation................................. 24 - 8.2 A Very High Security Cryptographic Key............... 25 - 8.2.1 Effort per Key Trial............................... 25 - 8.2.2 Meet in the Middle Attacks......................... 26 - 8.2.3 Other Considerations............................... 26 - 9. Conclusion............................................ 27 - 10. Security Considerations.............................. 27 - References............................................... 28 - Authors' Addresses....................................... 30 - -1. Introduction - - Software cryptography is coming into wider use. Systems like - Kerberos, PEM, PGP, etc. are maturing and becoming a part of the - network landscape [PEM]. These systems provide substantial - protection against snooping and spoofing. However, there is a - potential flaw. At the heart of all cryptographic systems is the - generation of secret, unguessable (i.e., random) numbers. - - For the present, the lack of generally available facilities for - generating such unpredictable numbers is an open wound in the design - of cryptographic software. For the software developer who wants to - build a key or password generation procedure that runs on a wide - range of hardware, the only safe strategy so far has been to force - the local installation to supply a suitable routine to generate - random numbers. To say the least, this is an awkward, error-prone - and unpalatable solution. 
- - It is important to keep in mind that the requirement is for data that - an adversary has a very low probability of guessing or determining. - This will fail if pseudo-random data is used which only meets - traditional statistical tests for randomness or which is based on - limited range sources, such as clocks. Frequently such random - quantities are determinable by an adversary searching through an - embarrassingly small space of possibilities. - - This informational document suggests techniques for producing random - quantities that will be resistant to such attack. It recommends that - future systems include hardware random number generation or provide - access to existing hardware that can be used for this purpose. It - suggests methods for use if such hardware is not available. And it - gives some estimates of the number of random bits required for sample - - - -Eastlake, Crocker & Schiller [Page 3] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - applications. - -2. Requirements - - Probably the most commonly encountered randomness requirement today - is the user password. This is usually a simple character string. - Obviously, if a password can be guessed, it does not provide - security. (For re-usable passwords, it is desirable that users be - able to remember the password. This may make it advisable to use - pronounceable character strings or phrases composed on ordinary - words. But this only affects the format of the password information, - not the requirement that the password be very hard to guess.) - - Many other requirements come from the cryptographic arena. - Cryptographic techniques can be used to provide a variety of services - including confidentiality and authentication. Such services are - based on quantities, traditionally called "keys", that are unknown to - and unguessable by an adversary. 
- - In some cases, such as the use of symmetric encryption with the one - time pads [CRYPTO*] or the US Data Encryption Standard [DES], the - parties who wish to communicate confidentially and/or with - authentication must all know the same secret key. In other cases, - using what are called asymmetric or "public key" cryptographic - techniques, keys come in pairs. One key of the pair is private and - must be kept secret by one party, the other is public and can be - published to the world. It is computationally infeasible to - determine the private key from the public key [ASYMMETRIC, CRYPTO*]. - - The frequency and volume of the requirement for random quantities - differs greatly for different cryptographic systems. Using pure RSA - [CRYPTO*], random quantities are required when the key pair is - generated, but thereafter any number of messages can be signed - without any further need for randomness. The public key Digital - Signature Algorithm that has been proposed by the US National - Institute of Standards and Technology (NIST) requires good random - numbers for each signature. And encrypting with a one time pad, in - principle the strongest possible encryption technique, requires a - volume of randomness equal to all the messages to be processed. - - In most of these cases, an adversary can try to determine the - "secret" key by trial and error. (This is possible as long as the - key is enough smaller than the message that the correct key can be - uniquely identified.) The probability of an adversary succeeding at - this must be made acceptably low, depending on the particular - application. The size of the space the adversary must search is - related to the amount of key "information" present in the information - theoretic sense [SHANNON]. 
This depends on the number of different - - - -Eastlake, Crocker & Schiller [Page 4] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - secret values possible and the probability of each value as follows: - - ----- - \ - Bits-of-info = \ - p * log ( p ) - / i 2 i - / - ----- - - where i varies from 1 to the number of possible secret values and p - sub i is the probability of the value numbered i. (Since p sub i is - less than one, the log will be negative so each term in the sum will - be non-negative.) - - If there are 2^n different values of equal probability, then n bits - of information are present and an adversary would, on the average, - have to try half of the values, or 2^(n-1) , before guessing the - secret quantity. If the probability of different values is unequal, - then there is less information present and fewer guesses will, on - average, be required by an adversary. In particular, any values that - the adversary can know are impossible, or are of low probability, can - be initially ignored by an adversary, who will search through the - more probable values first. - - For example, consider a cryptographic system that uses 56 bit keys. - If these 56 bit keys are derived by using a fixed pseudo-random - number generator that is seeded with an 8 bit seed, then an adversary - needs to search through only 256 keys (by running the pseudo-random - number generator with every possible seed), not the 2^56 keys that - may at first appear to be the case. Only 8 bits of "information" are - in these 56 bit keys. - -3. Traditional Pseudo-Random Sequences - - Most traditional sources of random numbers use deterministic sources - of "pseudo-random" numbers. These typically start with a "seed" - quantity and use numeric or logical operations to produce a sequence - of values. - - [KNUTH] has a classic exposition on pseudo-random numbers. 
- Applications he mentions are simulation of natural phenomena, - sampling, numerical analysis, testing computer programs, decision - making, and games. None of these have the same characteristics as - the sort of security uses we are talking about. Only in the last two - could there be an adversary trying to find the random quantity. - However, in these cases, the adversary normally has only a single - chance to use a guessed value. In guessing passwords or attempting - to break an encryption scheme, the adversary normally has many, - - - -Eastlake, Crocker & Schiller [Page 5] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - perhaps unlimited, chances at guessing the correct value and should - be assumed to be aided by a computer. - - For testing the "randomness" of numbers, Knuth suggests a variety of - measures including statistical and spectral. These tests check - things like autocorrelation between different parts of a "random" - sequence or distribution of its values. They could be met by a - constant stored random sequence, such as the "random" sequence - printed in the CRC Standard Mathematical Tables [CRC]. - - A typical pseudo-random number generation technique, known as a - linear congruence pseudo-random number generator, is modular - arithmetic where the N+1th value is calculated from the Nth value by - - V = ( V * a + b )(Mod c) - N+1 N - - The above technique has a strong relationship to linear shift - register pseudo-random number generators, which are well understood - cryptographically [SHIFT*]. In such generators bits are introduced - at one end of a shift register as the Exclusive Or (binary sum - without carry) of bits from selected fixed taps into the register. - - For example: - - +----+ +----+ +----+ +----+ - | B | <-- | B | <-- | B | <-- . . . . . . 
<-- | B | <-+ - | 0 | | 1 | | 2 | | n | | - +----+ +----+ +----+ +----+ | - | | | | - | | V +-----+ - | V +----------------> | | - V +-----------------------------> | XOR | - +---------------------------------------------------> | | - +-----+ - - - V = ( ( V * 2 ) + B .xor. B ... )(Mod 2^n) - N+1 N 0 2 - - The goodness of traditional pseudo-random number generator algorithms - is measured by statistical tests on such sequences. Carefully chosen - values of the initial V and a, b, and c or the placement of shift - register tap in the above simple processes can produce excellent - statistics. - - - - - - -Eastlake, Crocker & Schiller [Page 6] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - These sequences may be adequate in simulations (Monte Carlo - experiments) as long as the sequence is orthogonal to the structure - of the space being explored. Even there, subtle patterns may cause - problems. However, such sequences are clearly bad for use in - security applications. They are fully predictable if the initial - state is known. Depending on the form of the pseudo-random number - generator, the sequence may be determinable from observation of a - short portion of the sequence [CRYPTO*, STERN]. For example, with - the generators above, one can determine V(n+1) given knowledge of - V(n). In fact, it has been shown that with these techniques, even if - only one bit of the pseudo-random values is released, the seed can be - determined from short sequences. - - Not only have linear congruent generators been broken, but techniques - are now known for breaking all polynomial congruent generators - [KRAWCZYK]. - -4. Unpredictability - - Randomness in the traditional sense described in section 3 is NOT the - same as the unpredictability required for security use. - - For example, use of a widely available constant sequence, such as - that from the CRC tables, is very weak against an adversary. 
Once - they learn of or guess it, they can easily break all security, future - and past, based on the sequence [CRC]. Yet the statistical - properties of these tables are good. - - The following sections describe the limitations of some randomness - generation techniques and sources. - -4.1 Problems with Clocks and Serial Numbers - - Computer clocks, or similar operating system or hardware values, - provide significantly fewer real bits of unpredictability than might - appear from their specifications. - - Tests have been done on clocks on numerous systems and it was found - that their behavior can vary widely and in unexpected ways. One - version of an operating system running on one set of hardware may - actually provide, say, microsecond resolution in a clock while a - different configuration of the "same" system may always provide the - same lower bits and only count in the upper bits at much lower - resolution. This means that successive reads on the clock may - produce identical values even if enough time has passed that the - value "should" change based on the nominal clock resolution. There - are also cases where frequently reading a clock can produce - artificial sequential values because of extra code that checks for - - - -Eastlake, Crocker & Schiller [Page 7] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - the clock being unchanged between two reads and increases it by one! - Designing portable application code to generate unpredictable numbers - based on such system clocks is particularly challenging because the - system designer does not always know the properties of the system - clocks that the code will execute on. - - Use of a hardware serial number such as an Ethernet address may also - provide fewer bits of uniqueness than one would guess. 
Such - quantities are usually heavily structured and subfields may have only - a limited range of possible values or values easily guessable based - on approximate date of manufacture or other data. For example, it is - likely that most of the Ethernet cards installed on Digital Equipment - Corporation (DEC) hardware within DEC were manufactured by DEC - itself, which significantly limits the range of built in addresses. - - Problems such as those described above related to clocks and serial - numbers make code to produce unpredictable quantities difficult if - the code is to be ported across a variety of computer platforms and - systems. - -4.2 Timing and Content of External Events - - It is possible to measure the timing and content of mouse movement, - key strokes, and similar user events. This is a reasonable source of - unguessable data with some qualifications. On some machines, inputs - such as key strokes are buffered. Even though the user's inter- - keystroke timing may have sufficient variation and unpredictability, - there might not be an easy way to access that variation. Another - problem is that no standard method exists to sample timing details. - This makes it hard to build standard software intended for - distribution to a large range of machines based on this technique. - - The amount of mouse movement or the keys actually hit are usually - easier to access than timings but may yield less unpredictability as - the user may provide highly repetitive input. - - Other external events, such as network packet arrival times, can also - be used with care. In particular, the possibility of manipulation of - such times by an adversary must be considered. 
- -4.3 The Fallacy of Complex Manipulation - - One strategy which may give a misleading appearance of - unpredictability is to take a very complex algorithm (or an excellent - traditional pseudo-random number generator with good statistical - properties) and calculate a cryptographic key by starting with the - current value of a computer system clock as the seed. An adversary - who knew roughly when the generator was started would have a - - - -Eastlake, Crocker & Schiller [Page 8] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - relatively small number of seed values to test as they would know - likely values of the system clock. Large numbers of pseudo-random - bits could be generated but the search space an adversary would need - to check could be quite small. - - Thus very strong and/or complex manipulation of data will not help if - the adversary can learn what the manipulation is and there is not - enough unpredictability in the starting seed value. Even if they can - not learn what the manipulation is, they may be able to use the - limited number of results stemming from a limited number of seed - values to defeat security. - - Another serious strategy error is to assume that a very complex - pseudo-random number generation algorithm will produce strong random - numbers when there has been no theory behind or analysis of the - algorithm. There is a excellent example of this fallacy right near - the beginning of chapter 3 in [KNUTH] where the author describes a - complex algorithm. It was intended that the machine language program - corresponding to the algorithm would be so complicated that a person - trying to read the code without comments wouldn't know what the - program was doing. Unfortunately, actual use of this algorithm - showed that it almost immediately converged to a single repeated - value in one case and a small cycle of values in another case. 
- - Not only does complex manipulation not help you if you have a limited - range of seeds but blindly chosen complex manipulation can destroy - the randomness in a good seed! - -4.4 The Fallacy of Selection from a Large Database - - Another strategy that can give a misleading appearance of - unpredictability is selection of a quantity randomly from a database - and assume that its strength is related to the total number of bits - in the database. For example, typical USENET servers as of this date - process over 35 megabytes of information per day. Assume a random - quantity was selected by fetching 32 bytes of data from a random - starting point in this data. This does not yield 32*8 = 256 bits - worth of unguessability. Even after allowing that much of the data - is human language and probably has more like 2 or 3 bits of - information per byte, it doesn't yield 32*2.5 = 80 bits of - unguessability. For an adversary with access to the same 35 - megabytes the unguessability rests only on the starting point of the - selection. That is, at best, about 25 bits of unguessability in this - case. - - The same argument applies to selecting sequences from the data on a - CD ROM or Audio CD recording or any other large public database. If - the adversary has access to the same database, this "selection from a - - - -Eastlake, Crocker & Schiller [Page 9] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - large volume of data" step buys very little. However, if a selection - can be made from data to which the adversary has no access, such as - system buffers on an active multi-user system, it may be of some - help. - -5. Hardware for Randomness - - Is there any hope for strong portable randomness in the future? - There might be. All that's needed is a physical source of - unpredictable numbers. - - A thermal noise or radioactive decay source and a fast, free-running - oscillator would do the trick directly [GIFFORD]. 
This is a trivial - amount of hardware, and could easily be included as a standard part - of a computer system's architecture. Furthermore, any system with a - spinning disk or the like has an adequate source of randomness - [DAVIS]. All that's needed is the common perception among computer - vendors that this small additional hardware and the software to - access it is necessary and useful. - -5.1 Volume Required - - How much unpredictability is needed? Is it possible to quantify the - requirement in, say, number of random bits per second? - - The answer is not very much is needed. For DES, the key is 56 bits - and, as we show in an example in Section 8, even the highest security - system is unlikely to require a keying material of over 200 bits. If - a series of keys are needed, it can be generated from a strong random - seed using a cryptographically strong sequence as explained in - Section 6.3. A few hundred random bits generated once a day would be - enough using such techniques. Even if the random bits are generated - as slowly as one per second and it is not possible to overlap the - generation process, it should be tolerable in high security - applications to wait 200 seconds occasionally. - - These numbers are trivial to achieve. It could be done by a person - repeatedly tossing a coin. Almost any hardware process is likely to - be much faster. - -5.2 Sensitivity to Skew - - Is there any specific requirement on the shape of the distribution of - the random numbers? The good news is the distribution need not be - uniform. All that is needed is a conservative estimate of how non- - uniform it is to bound performance. Two simple techniques to de-skew - the bit stream are given below and stronger techniques are mentioned - in Section 6.1.2 below. 
- - - -Eastlake, Crocker & Schiller [Page 10] - -RFC 1750 Randomness Recommendations for Security December 1994 - - -5.2.1 Using Stream Parity to De-Skew - - Consider taking a sufficiently long string of bits and map the string - to "zero" or "one". The mapping will not yield a perfectly uniform - distribution, but it can be as close as desired. One mapping that - serves the purpose is to take the parity of the string. This has the - advantages that it is robust across all degrees of skew up to the - estimated maximum skew and is absolutely trivial to implement in - hardware. - - The following analysis gives the number of bits that must be sampled: - - Suppose the ratio of ones to zeros is 0.5 + e : 0.5 - e, where e is - between 0 and 0.5 and is a measure of the "eccentricity" of the - distribution. Consider the distribution of the parity function of N - bit samples. The probabilities that the parity will be one or zero - will be the sum of the odd or even terms in the binomial expansion of - (p + q)^N, where p = 0.5 + e, the probability of a one, and q = 0.5 - - e, the probability of a zero. - - These sums can be computed easily as - - N N - 1/2 * ( ( p + q ) + ( p - q ) ) - and - N N - 1/2 * ( ( p + q ) - ( p - q ) ). - - (Which one corresponds to the probability the parity will be 1 - depends on whether N is odd or even.) - - Since p + q = 1 and p - q = 2e, these expressions reduce to - - N - 1/2 * [1 + (2e) ] - and - N - 1/2 * [1 - (2e) ]. - - Neither of these will ever be exactly 0.5 unless e is zero, but we - can bring them arbitrarily close to 0.5. If we want the - probabilities to be within some delta d of 0.5, i.e. then - - N - ( 0.5 + ( 0.5 * (2e) ) ) < 0.5 + d. - - - - - - -Eastlake, Crocker & Schiller [Page 11] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - Solving for N yields N > log(2d)/log(2e). (Note that 2e is less than - 1, so its log is negative. Division by a negative number reverses - the sense of an inequality.) 
- - The following table gives the length of the string which must be - sampled for various degrees of skew in order to come within 0.001 of - a 50/50 distribution. - - +---------+--------+-------+ - | Prob(1) | e | N | - +---------+--------+-------+ - | 0.5 | 0.00 | 1 | - | 0.6 | 0.10 | 4 | - | 0.7 | 0.20 | 7 | - | 0.8 | 0.30 | 13 | - | 0.9 | 0.40 | 28 | - | 0.95 | 0.45 | 59 | - | 0.99 | 0.49 | 308 | - +---------+--------+-------+ - - The last entry shows that even if the distribution is skewed 99% in - favor of ones, the parity of a string of 308 samples will be within - 0.001 of a 50/50 distribution. - -5.2.2 Using Transition Mappings to De-Skew - - Another technique, originally due to von Neumann [VON NEUMANN], is to - examine a bit stream as a sequence of non-overlapping pairs. You - could then discard any 00 or 11 pairs found, interpret 01 as a 0 and - 10 as a 1. Assume the probability of a 1 is 0.5+e and the - probability of a 0 is 0.5-e where e is the eccentricity of the source - and described in the previous section. Then the probability of each - pair is as follows: - - +------+-----------------------------------------+ - | pair | probability | - +------+-----------------------------------------+ - | 00 | (0.5 - e)^2 = 0.25 - e + e^2 | - | 01 | (0.5 - e)*(0.5 + e) = 0.25 - e^2 | - | 10 | (0.5 + e)*(0.5 - e) = 0.25 - e^2 | - | 11 | (0.5 + e)^2 = 0.25 + e + e^2 | - +------+-----------------------------------------+ - - This technique will completely eliminate any bias but at the expense - of taking an indeterminate number of input bits for any particular - desired number of output bits. The probability of any particular - pair being discarded is 0.5 + 2e^2 so the expected number of input - bits to produce X output bits is X/(0.25 - e^2). 
- - - -Eastlake, Crocker & Schiller [Page 12] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - This technique assumes that the bits are from a stream where each bit - has the same probability of being a 0 or 1 as any other bit in the - stream and that bits are not correlated, i.e., that the bits are - identical independent distributions. If alternate bits were from two - correlated sources, for example, the above analysis breaks down. - - The above technique also provides another illustration of how a - simple statistical analysis can mislead if one is not always on the - lookout for patterns that could be exploited by an adversary. If the - algorithm were mis-read slightly so that overlapping successive bits - pairs were used instead of non-overlapping pairs, the statistical - analysis given is the same; however, instead of provided an unbiased - uncorrelated series of random 1's and 0's, it instead produces a - totally predictable sequence of exactly alternating 1's and 0's. - -5.2.3 Using FFT to De-Skew - - When real world data consists of strongly biased or correlated bits, - it may still contain useful amounts of randomness. This randomness - can be extracted through use of the discrete Fourier transform or its - optimized variant, the FFT. - - Using the Fourier transform of the data, strong correlations can be - discarded. If adequate data is processed and remaining correlations - decay, spectral lines approaching statistical independence and - normally distributed randomness can be produced [BRILLINGER]. - -5.2.4 Using Compression to De-Skew - - Reversible compression techniques also provide a crude method of de- - skewing a skewed bit stream. This follows directly from the - definition of reversible compression and the formula in Section 2 - above for the amount of information in a sequence. 
Since the - compression is reversible, the same amount of information must be - present in the shorter output than was present in the longer input. - By the Shannon information equation, this is only possible if, on - average, the probabilities of the different shorter sequences are - more uniformly distributed than were the probabilities of the longer - sequences. Thus the shorter sequences are de-skewed relative to the - input. - - However, many compression techniques add a somewhat predicatable - preface to their output stream and may insert such a sequence again - periodically in their output or otherwise introduce subtle patterns - of their own. They should be considered only a rough technique - compared with those described above or in Section 6.1.2. At a - minimum, the beginning of the compressed sequence should be skipped - and only later bits used for applications requiring random bits. - - - -Eastlake, Crocker & Schiller [Page 13] - -RFC 1750 Randomness Recommendations for Security December 1994 - - -5.3 Existing Hardware Can Be Used For Randomness - - As described below, many computers come with hardware that can, with - care, be used to generate truly random quantities. - -5.3.1 Using Existing Sound/Video Input - - Increasingly computers are being built with inputs that digitize some - real world analog source, such as sound from a microphone or video - input from a camera. Under appropriate circumstances, such input can - provide reasonably high quality random bits. The "input" from a - sound digitizer with no source plugged in or a camera with the lens - cap on, if the system has enough gain to detect anything, is - essentially thermal noise. - - For example, on a SPARCstation, one can read from the /dev/audio - device with nothing plugged into the microphone jack. Such data is - essentially random noise although it should not be trusted without - some checking in case of hardware failure. 
It will, in any case, - need to be de-skewed as described elsewhere. - - Combining this with compression to de-skew one can, in UNIXese, - generate a huge amount of medium quality random data by doing - - cat /dev/audio | compress - >random-bits-file - -5.3.2 Using Existing Disk Drives - - Disk drives have small random fluctuations in their rotational speed - due to chaotic air turbulence [DAVIS]. By adding low level disk seek - time instrumentation to a system, a series of measurements can be - obtained that include this randomness. Such data is usually highly - correlated so that significant processing is needed, including FFT - (see section 5.2.3). Nevertheless experimentation has shown that, - with such processing, disk drives easily produce 100 bits a minute or - more of excellent random data. - - Partly offsetting this need for processing is the fact that disk - drive failure will normally be rapidly noticed. Thus, problems with - this method of random number generation due to hardware failure are - very unlikely. - -6. Recommended Non-Hardware Strategy - - What is the best overall strategy for meeting the requirement for - unguessable random numbers in the absence of a reliable hardware - source? It is to obtain random input from a large number of - uncorrelated sources and to mix them with a strong mixing function. - - - -Eastlake, Crocker & Schiller [Page 14] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - Such a function will preserve the randomness present in any of the - sources even if other quantities being combined are fixed or easily - guessable. This may be advisable even with a good hardware source as - hardware can also fail, though this should be weighed against any - increase in the chance of overall failure due to added software - complexity. 
- -6.1 Mixing Functions - - A strong mixing function is one which combines two or more inputs and - produces an output where each output bit is a different complex non- - linear function of all the input bits. On average, changing any - input bit will change about half the output bits. But because the - relationship is complex and non-linear, no particular output bit is - guaranteed to change when any particular input bit is changed. - - Consider the problem of converting a stream of bits that is skewed - towards 0 or 1 to a shorter stream which is more random, as discussed - in Section 5.2 above. This is simply another case where a strong - mixing function is desired, mixing the input bits to produce a - smaller number of output bits. The technique given in Section 5.2.1 - of using the parity of a number of bits is simply the result of - successively Exclusive Or'ing them which is examined as a trivial - mixing function immediately below. Use of stronger mixing functions - to extract more of the randomness in a stream of skewed bits is - examined in Section 6.1.2. - -6.1.1 A Trivial Mixing Function - - A trivial example for single bit inputs is the Exclusive Or function, - which is equivalent to addition without carry, as show in the table - below. This is a degenerate case in which the one output bit always - changes for a change in either input bit. But, despite its - simplicity, it will still provide a useful illustration. - - +-----------+-----------+----------+ - | input 1 | input 2 | output | - +-----------+-----------+----------+ - | 0 | 0 | 0 | - | 0 | 1 | 1 | - | 1 | 0 | 1 | - | 1 | 1 | 0 | - +-----------+-----------+----------+ - - If inputs 1 and 2 are uncorrelated and combined in this fashion then - the output will be an even better (less skewed) random bit than the - inputs. 
If we assume an "eccentricity" e as defined in Section 5.2 - above, then the output eccentricity relates to the input eccentricity - - - -Eastlake, Crocker & Schiller [Page 15] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - as follows: - - e = 2 * e * e - output input 1 input 2 - - Since e is never greater than 1/2, the eccentricity is always - improved except in the case where at least one input is a totally - skewed constant. This is illustrated in the following table where - the top and left side values are the two input eccentricities and the - entries are the output eccentricity: - - +--------+--------+--------+--------+--------+--------+--------+ - | e | 0.00 | 0.10 | 0.20 | 0.30 | 0.40 | 0.50 | - +--------+--------+--------+--------+--------+--------+--------+ - | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | 0.00 | - | 0.10 | 0.00 | 0.02 | 0.04 | 0.06 | 0.08 | 0.10 | - | 0.20 | 0.00 | 0.04 | 0.08 | 0.12 | 0.16 | 0.20 | - | 0.30 | 0.00 | 0.06 | 0.12 | 0.18 | 0.24 | 0.30 | - | 0.40 | 0.00 | 0.08 | 0.16 | 0.24 | 0.32 | 0.40 | - | 0.50 | 0.00 | 0.10 | 0.20 | 0.30 | 0.40 | 0.50 | - +--------+--------+--------+--------+--------+--------+--------+ - - However, keep in mind that the above calculations assume that the - inputs are not correlated. If the inputs were, say, the parity of - the number of minutes from midnight on two clocks accurate to a few - seconds, then each might appear random if sampled at random intervals - much longer than a minute. Yet if they were both sampled and - combined with xor, the result would be zero most of the time. - -6.1.2 Stronger Mixing Functions - - The US Government Data Encryption Standard [DES] is an example of a - strong mixing function for multiple bit quantities. It takes up to - 120 bits of input (64 bits of "data" and 56 bits of "key") and - produces 64 bits of output each of which is dependent on a complex - non-linear function of all input bits. 
Other strong encryption - functions with this characteristic can also be used by considering - them to mix all of their key and data input bits. - - Another good family of mixing functions are the "message digest" or - hashing functions such as The US Government Secure Hash Standard - [SHS] and the MD2, MD4, MD5 [MD2, MD4, MD5] series. These functions - all take an arbitrary amount of input and produce an output mixing - all the input bits. The MD* series produce 128 bits of output and SHS - produces 160 bits. - - - - - - -Eastlake, Crocker & Schiller [Page 16] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - Although the message digest functions are designed for variable - amounts of input, DES and other encryption functions can also be used - to combine any number of inputs. If 64 bits of output is adequate, - the inputs can be packed into a 64 bit data quantity and successive - 56 bit keys, padding with zeros if needed, which are then used to - successively encrypt using DES in Electronic Codebook Mode [DES - MODES]. If more than 64 bits of output are needed, use more complex - mixing. For example, if inputs are packed into three quantities, A, - B, and C, use DES to encrypt A with B as a key and then with C as a - key to produce the 1st part of the output, then encrypt B with C and - then A for more output and, if necessary, encrypt C with A and then B - for yet more output. Still more output can be produced by reversing - the order of the keys given above to stretch things. The same can be - done with the hash functions by hashing various subsets of the input - data to produce multiple outputs. But keep in mind that it is - impossible to get more bits of "randomness" out than are put in. - - An example of using a strong mixing function would be to reconsider - the case of a string of 308 bits each of which is biased 99% towards - zero. 
The parity technique given in Section 5.2.1 above reduced this - to one bit with only a 1/1000 deviance from being equally likely a - zero or one. But, applying the equation for information given in - Section 2, this 308 bit sequence has 5 bits of information in it. - Thus hashing it with SHS or MD5 and taking the bottom 5 bits of the - result would yield 5 unbiased random bits as opposed to the single - bit given by calculating the parity of the string. - -6.1.3 Diffie-Hellman as a Mixing Function - - Diffie-Hellman exponential key exchange is a technique that yields a - shared secret between two parties that can be made computationally - infeasible for a third party to determine even if they can observe - all the messages between the two communicating parties. This shared - secret is a mixture of initial quantities generated by each of them - [D-H]. If these initial quantities are random, then the shared - secret contains the combined randomness of them both, assuming they - are uncorrelated. - -6.1.4 Using a Mixing Function to Stretch Random Bits - - While it is not necessary for a mixing function to produce the same - or fewer bits than its inputs, mixing bits cannot "stretch" the - amount of random unpredictability present in the inputs. Thus four - inputs of 32 bits each where there is 12 bits worth of - unpredicatability (such as 4,096 equally probable values) in each - input cannot produce more than 48 bits worth of unpredictable output. - The output can be expanded to hundreds or thousands of bits by, for - example, mixing with successive integers, but the clever adversary's - - - -Eastlake, Crocker & Schiller [Page 17] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - search space is still 2^48 possibilities. Furthermore, mixing to - fewer bits than are input will tend to strengthen the randomness of - the output the way using Exclusive Or to produce one bit from two did - above. 
- - The last table in Section 6.1.1 shows that mixing a random bit with a - constant bit with Exclusive Or will produce a random bit. While this - is true, it does not provide a way to "stretch" one random bit into - more than one. If, for example, a random bit is mixed with a 0 and - then with a 1, this produces a two bit sequence but it will always be - either 01 or 10. Since there are only two possible values, there is - still only the one bit of original randomness. - -6.1.5 Other Factors in Choosing a Mixing Function - - For local use, DES has the advantages that it has been widely tested - for flaws, is widely documented, and is widely implemented with - hardware and software implementations available all over the world - including source code available by anonymous FTP. The SHS and MD* - family are younger algorithms which have been less tested but there - is no particular reason to believe they are flawed. Both MD5 and SHS - were derived from the earlier MD4 algorithm. They all have source - code available by anonymous FTP [SHS, MD2, MD4, MD5]. - - DES and SHS have been vouched for the the US National Security Agency - (NSA) on the basis of criteria that primarily remain secret. While - this is the cause of much speculation and doubt, investigation of DES - over the years has indicated that NSA involvement in modifications to - its design, which originated with IBM, was primarily to strengthen - it. No concealed or special weakness has been found in DES. It is - almost certain that the NSA modification to MD4 to produce the SHS - similarly strengthened the algorithm, possibly against threats not - yet known in the public cryptographic community. - - DES, SHS, MD4, and MD5 are royalty free for all purposes. MD2 has - been freely licensed only for non-profit use in connection with - Privacy Enhanced Mail [PEM]. 
Between the MD* algorithms, some people - believe that, as with "Goldilocks and the Three Bears", MD2 is strong - but too slow, MD4 is fast but too weak, and MD5 is just right. - - Another advantage of the MD* or similar hashing algorithms over - encryption algorithms is that they are not subject to the same - regulations imposed by the US Government prohibiting the unlicensed - export or import of encryption/decryption software and hardware. The - same should be true of DES rigged to produce an irreversible hash - code but most DES packages are oriented to reversible encryption. - - - - - -Eastlake, Crocker & Schiller [Page 18] - -RFC 1750 Randomness Recommendations for Security December 1994 - - -6.2 Non-Hardware Sources of Randomness - - The best source of input for mixing would be a hardware randomness - such as disk drive timing affected by air turbulence, audio input - with thermal noise, or radioactive decay. However, if that is not - available there are other possibilities. These include system - clocks, system or input/output buffers, user/system/hardware/network - serial numbers and/or addresses and timing, and user input. - Unfortunately, any of these sources can produce limited or - predicatable values under some circumstances. - - Some of the sources listed above would be quite strong on multi-user - systems where, in essence, each user of the system is a source of - randomness. However, on a small single user system, such as a - typical IBM PC or Apple Macintosh, it might be possible for an - adversary to assemble a similar configuration. This could give the - adversary inputs to the mixing process that were sufficiently - correlated to those used originally as to make exhaustive search - practical. - - The use of multiple random inputs with a strong mixing function is - recommended and can overcome weakness in any particular input. 
For - example, the timing and content of requested "random" user keystrokes - can yield hundreds of random bits but conservative assumptions need - to be made. For example, assuming a few bits of randomness if the - inter-keystroke interval is unique in the sequence up to that point - and a similar assumption if the key hit is unique but assuming that - no bits of randomness are present in the initial key value or if the - timing or key value duplicate previous values. The results of mixing - these timings and characters typed could be further combined with - clock values and other inputs. - - This strategy may make practical portable code to produce good random - numbers for security even if some of the inputs are very weak on some - of the target systems. However, it may still fail against a high - grade attack on small single user systems, especially if the - adversary has ever been able to observe the generation process in the - past. A hardware based random source is still preferable. - -6.3 Cryptographically Strong Sequences - - In cases where a series of random quantities must be generated, an - adversary may learn some values in the sequence. In general, they - should not be able to predict other values from the ones that they - know. - - - - - - -Eastlake, Crocker & Schiller [Page 19] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - The correct technique is to start with a strong random seed, take - cryptographically strong steps from that seed [CRYPTO2, CRYPTO3], and - do not reveal the complete state of the generator in the sequence - elements. If each value in the sequence can be calculated in a fixed - way from the previous value, then when any value is compromised, all - future values can be determined. This would be the case, for - example, if each value were a constant function of the previously - used values, even if the function were a very strong, non-invertible - message digest function. 
- - It should be noted that if your technique for generating a sequence - of key values is fast enough, it can trivially be used as the basis - for a confidentiality system. If two parties use the same sequence - generating technique and start with the same seed material, they will - generate identical sequences. These could, for example, be xor'ed at - one end with data being send, encrypting it, and xor'ed with this - data as received, decrypting it due to the reversible properties of - the xor operation. - -6.3.1 Traditional Strong Sequences - - A traditional way to achieve a strong sequence has been to have the - values be produced by hashing the quantities produced by - concatenating the seed with successive integers or the like and then - mask the values obtained so as to limit the amount of generator state - available to the adversary. - - It may also be possible to use an "encryption" algorithm with a - random key and seed value to encrypt and feedback some or all of the - output encrypted value into the value to be encrypted for the next - iteration. Appropriate feedback techniques will usually be - recommended with the encryption algorithm. An example is shown below - where shifting and masking are used to combine the cypher output - feedback. This type of feedback is recommended by the US Government - in connection with DES [DES MODES]. 
- - - - - - - - - - - - - - - - -Eastlake, Crocker & Schiller [Page 20] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - +---------------+ - | V | - | | n | - +--+------------+ - | | +---------+ - | +---------> | | +-----+ - +--+ | Encrypt | <--- | Key | - | +-------- | | +-----+ - | | +---------+ - V V - +------------+--+ - | V | | - | n+1 | - +---------------+ - - Note that if a shift of one is used, this is the same as the shift - register technique described in Section 3 above but with the all - important difference that the feedback is determined by a complex - non-linear function of all bits rather than a simple linear or - polynomial combination of output from a few bit position taps. - - It has been shown by Donald W. Davies that this sort of shifted - partial output feedback significantly weakens an algorithm compared - will feeding all of the output bits back as input. In particular, - for DES, repeated encrypting a full 64 bit quantity will give an - expected repeat in about 2^63 iterations. Feeding back anything less - than 64 (and more than 0) bits will give an expected repeat in - between 2**31 and 2**32 iterations! - - To predict values of a sequence from others when the sequence was - generated by these techniques is equivalent to breaking the - cryptosystem or inverting the "non-invertible" hashing involved with - only partial information available. The less information revealed - each iteration, the harder it will be for an adversary to predict the - sequence. Thus it is best to use only one bit from each value. It - has been shown that in some cases this makes it impossible to break a - system even when the cryptographic system is invertible and can be - broken if all of each generated value was revealed. - -6.3.2 The Blum Blum Shub Sequence Generator - - Currently the generator which has the strongest public proof of - strength is called the Blum Blum Shub generator after its inventors - [BBS]. 
It is also very simple and is based on quadratic residues. - It's only disadvantage is that is is computationally intensive - compared with the traditional techniques give in 6.3.1 above. This - is not a serious draw back if it is used for moderately infrequent - purposes, such as generating session keys. - - - -Eastlake, Crocker & Schiller [Page 21] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - Simply choose two large prime numbers, say p and q, which both have - the property that you get a remainder of 3 if you divide them by 4. - Let n = p * q. Then you choose a random number x relatively prime to - n. The initial seed for the generator and the method for calculating - subsequent values are then - - 2 - s = ( x )(Mod n) - 0 - - 2 - s = ( s )(Mod n) - i+1 i - - You must be careful to use only a few bits from the bottom of each s. - It is always safe to use only the lowest order bit. If you use no - more than the - - log ( log ( s ) ) - 2 2 i - - low order bits, then predicting any additional bits from a sequence - generated in this manner is provable as hard as factoring n. As long - as the initial x is secret, you can even make n public if you want. - - An intersting characteristic of this generator is that you can - directly calculate any of the s values. In particular - - i - ( ( 2 )(Mod (( p - 1 ) * ( q - 1 )) ) ) - s = ( s )(Mod n) - i 0 - - This means that in applications where many keys are generated in this - fashion, it is not necessary to save them all. Each key can be - effectively indexed and recovered from that small index and the - initial s and n. - -7. Key Generation Standards - - Several public standards are now in place for the generation of keys. - Two of these are described below. Both use DES but any equally - strong or stronger mixing function could be substituted. 
- - - - - - - - -Eastlake, Crocker & Schiller [Page 22] - -RFC 1750 Randomness Recommendations for Security December 1994 - - -7.1 US DoD Recommendations for Password Generation - - The United States Department of Defense has specific recommendations - for password generation [DoD]. They suggest using the US Data - Encryption Standard [DES] in Output Feedback Mode [DES MODES] as - follows: - - use an initialization vector determined from - the system clock, - system ID, - user ID, and - date and time; - use a key determined from - system interrupt registers, - system status registers, and - system counters; and, - as plain text, use an external randomly generated 64 bit - quantity such as 8 characters typed in by a system - administrator. - - The password can then be calculated from the 64 bit "cipher text" - generated in 64-bit Output Feedback Mode. As many bits as are needed - can be taken from these 64 bits and expanded into a pronounceable - word, phrase, or other format if a human being needs to remember the - password. - -7.2 X9.17 Key Generation - - The American National Standards Institute has specified a method for - generating a sequence of keys as follows: - - s is the initial 64 bit seed - 0 - - g is the sequence of generated 64 bit key quantities - n - - k is a random key reserved for generating this key sequence - - t is the time at which a key is generated to as fine a resolution - as is available (up to 64 bits). - - DES ( K, Q ) is the DES encryption of quantity Q with key K - - - - - - - - -Eastlake, Crocker & Schiller [Page 23] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - g = DES ( k, DES ( k, t ) .xor. s ) - n n - - s = DES ( k, DES ( k, t ) .xor. g ) - n+1 n - - If g sub n is to be used as a DES key, then every eighth bit should - be adjusted for parity for that use but the entire 64 bit unmodified - g should be used in calculating the next s. - -8. 
Examples of Randomness Required - - Below are two examples showing rough calculations of needed - randomness for security. The first is for moderate security - passwords while the second assumes a need for a very high security - cryptographic key. - -8.1 Password Generation - - Assume that user passwords change once a year and it is desired that - the probability that an adversary could guess the password for a - particular account be less than one in a thousand. Further assume - that sending a password to the system is the only way to try a - password. Then the crucial question is how often an adversary can - try possibilities. Assume that delays have been introduced into a - system so that, at most, an adversary can make one password try every - six seconds. That's 600 per hour or about 15,000 per day or about - 5,000,000 tries in a year. Assuming any sort of monitoring, it is - unlikely someone could actually try continuously for a year. In - fact, even if log files are only checked monthly, 500,000 tries is - more plausible before the attack is noticed and steps taken to change - passwords and make it harder to try more passwords. - - To have a one in a thousand chance of guessing the password in - 500,000 tries implies a universe of at least 500,000,000 passwords or - about 2^29. Thus 29 bits of randomness are needed. This can probably - be achieved using the US DoD recommended inputs for password - generation as it has 8 inputs which probably average over 5 bits of - randomness each (see section 7.1). Using a list of 1000 words, the - password could be expressed as a three word phrase (1,000,000,000 - possibilities) or, using case insensitive letters and digits, six - would suffice ((26+10)^6 = 2,176,782,336 possibilities). - - For a higher security password, the number of bits required goes up. - To decrease the probability by 1,000 requires increasing the universe - of passwords by the same factor which adds about 10 bits. 
Thus to - have only a one in a million chance of a password being guessed under - the above scenario would require 39 bits of randomness and a password - - - -Eastlake, Crocker & Schiller [Page 24] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - that was a four word phrase from a 1000 word list or eight - letters/digits. To go to a one in 10^9 chance, 49 bits of randomness - are needed implying a five word phrase or ten letter/digit password. - - In a real system, of course, there are also other factors. For - example, the larger and harder to remember passwords are, the more - likely users are to write them down resulting in an additional risk - of compromise. - -8.2 A Very High Security Cryptographic Key - - Assume that a very high security key is needed for symmetric - encryption / decryption between two parties. Assume an adversary can - observe communications and knows the algorithm being used. Within - the field of random possibilities, the adversary can try key values - in hopes of finding the one in use. Assume further that brute force - trial of keys is the best the adversary can do. - -8.2.1 Effort per Key Trial - - How much effort will it take to try each key? For very high security - applications it is best to assume a low value of effort. Even if it - would clearly take tens of thousands of computer cycles or more to - try a single key, there may be some pattern that enables huge blocks - of key values to be tested with much less effort per key. Thus it is - probably best to assume no more than a couple hundred cycles per key. - (There is no clear lower bound on this as computers operate in - parallel on a number of bits and a poor encryption algorithm could - allow many keys or even groups of keys to be tested in parallel. - However, we need to assume some value and can hope that a reasonably - strong algorithm has been chosen for our hypothetical high security - task.) 
- - If the adversary can command a highly parallel processor or a large - network of work stations, 2*10^10 cycles per second is probably a - minimum assumption for availability today. Looking forward just a - couple years, there should be at least an order of magnitude - improvement. Thus assuming 10^9 keys could be checked per second or - 3.6*10^11 per hour or 6*10^13 per week or 2.4*10^14 per month is - reasonable. This implies a need for a minimum of 51 bits of - randomness in keys to be sure they cannot be found in a month. Even - then it is possible that, a few years from now, a highly determined - and resourceful adversary could break the key in 2 weeks (on average - they need try only half the keys). - - - - - - - -Eastlake, Crocker & Schiller [Page 25] - -RFC 1750 Randomness Recommendations for Security December 1994 - - -8.2.2 Meet in the Middle Attacks - - If chosen or known plain text and the resulting encrypted text are - available, a "meet in the middle" attack is possible if the structure - of the encryption algorithm allows it. (In a known plain text - attack, the adversary knows all or part of the messages being - encrypted, possibly some standard header or trailer fields. In a - chosen plain text attack, the adversary can force some chosen plain - text to be encrypted, possibly by "leaking" an exciting text that - would then be sent by the adversary over an encrypted channel.) - - An oversimplified explanation of the meet in the middle attack is as - follows: the adversary can half-encrypt the known or chosen plain - text with all possible first half-keys, sort the output, then half- - decrypt the encoded text with all the second half-keys. If a match - is found, the full key can be assembled from the halves and used to - decrypt other parts of the message or other messages. At its best, - this type of attack can halve the exponent of the work required by - the adversary while adding a large but roughly constant factor of - effort. 
To be assured of safety against this, a doubling of the - amount of randomness in the key to a minimum of 102 bits is required. - - The meet in the middle attack assumes that the cryptographic - algorithm can be decomposed in this way but we can not rule that out - without a deep knowledge of the algorithm. Even if a basic algorithm - is not subject to a meet in the middle attack, an attempt to produce - a stronger algorithm by applying the basic algorithm twice (or two - different algorithms sequentially) with different keys may gain less - added security than would be expected. Such a composite algorithm - would be subject to a meet in the middle attack. - - Enormous resources may be required to mount a meet in the middle - attack but they are probably within the range of the national - security services of a major nation. Essentially all nations spy on - other nations government traffic and several nations are believed to - spy on commercial traffic for economic advantage. - -8.2.3 Other Considerations - - Since we have not even considered the possibilities of special - purpose code breaking hardware or just how much of a safety margin we - want beyond our assumptions above, probably a good minimum for a very - high security cryptographic key is 128 bits of randomness which - implies a minimum key length of 128 bits. If the two parties agree - on a key by Diffie-Hellman exchange [D-H], then in principle only - half of this randomness would have to be supplied by each party. - However, there is probably some correlation between their random - inputs so it is probably best to assume that each party needs to - - - -Eastlake, Crocker & Schiller [Page 26] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - provide at least 96 bits worth of randomness for very high security - if Diffie-Hellman is used. 
- - This amount of randomness is beyond the limit of that in the inputs - recommended by the US DoD for password generation and could require - user typing timing, hardware random number generation, or other - sources. - - It should be noted that key length calculations such at those above - are controversial and depend on various assumptions about the - cryptographic algorithms in use. In some cases, a professional with - a deep knowledge of code breaking techniques and of the strength of - the algorithm in use could be satisfied with less than half of the - key size derived above. - -9. Conclusion - - Generation of unguessable "random" secret quantities for security use - is an essential but difficult task. - - We have shown that hardware techniques to produce such randomness - would be relatively simple. In particular, the volume and quality - would not need to be high and existing computer hardware, such as - disk drives, can be used. Computational techniques are available to - process low quality random quantities from multiple sources or a - larger quantity of such low quality input from one source and produce - a smaller quantity of higher quality, less predictable key material. - In the absence of hardware sources of randomness, a variety of user - and software sources can frequently be used instead with care; - however, most modern systems already have hardware, such as disk - drives or audio input, that could be used to produce high quality - randomness. - - Once a sufficient quantity of high quality seed key material (a few - hundred bits) is available, strong computational techniques are - available to produce cryptographically strong sequences of - unpredicatable quantities from this seed material. - -10. Security Considerations - - The entirety of this document concerns techniques and recommendations - for generating unguessable "random" quantities for use as passwords, - cryptographic keys, and similar security uses. 
- - - - - - - - -Eastlake, Crocker & Schiller [Page 27] - -RFC 1750 Randomness Recommendations for Security December 1994 - - -References - - [ASYMMETRIC] - Secure Communications and Asymmetric Cryptosystems, - edited by Gustavus J. Simmons, AAAS Selected Symposium 69, Westview - Press, Inc. - - [BBS] - A Simple Unpredictable Pseudo-Random Number Generator, SIAM - Journal on Computing, v. 15, n. 2, 1986, L. Blum, M. Blum, & M. Shub. - - [BRILLINGER] - Time Series: Data Analysis and Theory, Holden-Day, - 1981, David Brillinger. - - [CRC] - C.R.C. Standard Mathematical Tables, Chemical Rubber - Publishing Company. - - [CRYPTO1] - Cryptography: A Primer, A Wiley-Interscience Publication, - John Wiley & Sons, 1981, Alan G. Konheim. - - [CRYPTO2] - Cryptography: A New Dimension in Computer Data Security, - A Wiley-Interscience Publication, John Wiley & Sons, 1982, Carl H. - Meyer & Stephen M. Matyas. - - [CRYPTO3] - Applied Cryptography: Protocols, Algorithms, and Source - Code in C, John Wiley & Sons, 1994, Bruce Schneier. - - [DAVIS] - Cryptographic Randomness from Air Turbulence in Disk - Drives, Advances in Cryptology - Crypto '94, Springer-Verlag Lecture - Notes in Computer Science #839, 1984, Don Davis, Ross Ihaka, and - Philip Fenstermacher. - - [DES] - Data Encryption Standard, United States of America, - Department of Commerce, National Institute of Standards and - Technology, Federal Information Processing Standard (FIPS) 46-1. - - Data Encryption Algorithm, American National Standards Institute, - ANSI X3.92-1981. - (See also FIPS 112, Password Usage, which includes FORTRAN code for - performing DES.) - - [DES MODES] - DES Modes of Operation, United States of America, - Department of Commerce, National Institute of Standards and - Technology, Federal Information Processing Standard (FIPS) 81. - - Data Encryption Algorithm - Modes of Operation, American National - Standards Institute, ANSI X3.106-1983. 
- - [D-H] - New Directions in Cryptography, IEEE Transactions on - Information Technology, November, 1976, Whitfield Diffie and Martin - E. Hellman. - - - - -Eastlake, Crocker & Schiller [Page 28] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - [DoD] - Password Management Guideline, United States of America, - Department of Defense, Computer Security Center, CSC-STD-002-85. - (See also FIPS 112, Password Usage, which incorporates CSC-STD-002-85 - as one of its appendices.) - - [GIFFORD] - Natural Random Number, MIT/LCS/TM-371, September 1988, - David K. Gifford - - [KNUTH] - The Art of Computer Programming, Volume 2: Seminumerical - Algorithms, Chapter 3: Random Numbers. Addison Wesley Publishing - Company, Second Edition 1982, Donald E. Knuth. - - [KRAWCZYK] - How to Predict Congruential Generators, Journal of - Algorithms, V. 13, N. 4, December 1992, H. Krawczyk - - [MD2] - The MD2 Message-Digest Algorithm, RFC1319, April 1992, B. - Kaliski - [MD4] - The MD4 Message-Digest Algorithm, RFC1320, April 1992, R. - Rivest - [MD5] - The MD5 Message-Digest Algorithm, RFC1321, April 1992, R. - Rivest - - [PEM] - RFCs 1421 through 1424: - - RFC 1424, Privacy Enhancement for Internet Electronic Mail: Part - IV: Key Certification and Related Services, 02/10/1993, B. Kaliski - - RFC 1423, Privacy Enhancement for Internet Electronic Mail: Part - III: Algorithms, Modes, and Identifiers, 02/10/1993, D. Balenson - - RFC 1422, Privacy Enhancement for Internet Electronic Mail: Part - II: Certificate-Based Key Management, 02/10/1993, S. Kent - - RFC 1421, Privacy Enhancement for Internet Electronic Mail: Part I: - Message Encryption and Authentication Procedures, 02/10/1993, J. Linn - - [SHANNON] - The Mathematical Theory of Communication, University of - Illinois Press, 1963, Claude E. Shannon. 
(originally from: Bell - System Technical Journal, July and October 1948) - - [SHIFT1] - Shift Register Sequences, Aegean Park Press, Revised - Edition 1982, Solomon W. Golomb. - - [SHIFT2] - Cryptanalysis of Shift-Register Generated Stream Cypher - Systems, Aegean Park Press, 1984, Wayne G. Barker. - - [SHS] - Secure Hash Standard, United States of American, National - Institute of Science and Technology, Federal Information Processing - Standard (FIPS) 180, April 1993. - - [STERN] - Secret Linear Congruential Generators are not - Cryptograhically Secure, Proceedings of IEEE STOC, 1987, J. Stern. - - - -Eastlake, Crocker & Schiller [Page 29] - -RFC 1750 Randomness Recommendations for Security December 1994 - - - [VON NEUMANN] - Various techniques used in connection with random - digits, von Neumann's Collected Works, Vol. 5, Pergamon Press, 1963, - J. von Neumann. - -Authors' Addresses - - Donald E. Eastlake 3rd - Digital Equipment Corporation - 550 King Street, LKG2-1/BB3 - Littleton, MA 01460 - - Phone: +1 508 486 6577(w) +1 508 287 4877(h) - EMail: dee@lkg.dec.com - - - Stephen D. Crocker - CyberCash Inc. - 2086 Hunters Crest Way - Vienna, VA 22181 - - Phone: +1 703-620-1222(w) +1 703-391-2651 (fax) - EMail: crocker@cybercash.com - - - Jeffrey I. Schiller - Massachusetts Institute of Technology - 77 Massachusetts Avenue - Cambridge, MA 02139 - - Phone: +1 617 253 0161(w) - EMail: jis@mit.edu - - - - - - - - - - - - - - - - - - - - -Eastlake, Crocker & Schiller [Page 30] - diff --git a/testsuite/yarrow-test.c b/testsuite/yarrow-test.c index e2e97a8b..e18d0e8f 100644 --- a/testsuite/yarrow-test.c +++ b/testsuite/yarrow-test.c 
@@ -70,16 +70,16 @@ test_main(void) uint8_t digest[SHA256_DIGEST_SIZE]; const uint8_t *expected_output - = decode_hex_dup("06ca66b204a92939 e75e09e11922153e" - "a2391000e0686da4 c7d27afb37a4630f"); + = decode_hex_dup("85fe6afb5bd627f3 ea20a6127038d3da" + "69e880a6ecbbb7d8 3514d967a2c4c0d4"); const uint8_t *expected_input - = decode_hex_dup("fec4c0767434a8a3 22d6d5d0c9f49c42" - "988ce8c159b1a806 29d51aa40c2e99aa"); + = decode_hex_dup("e0596cf006025506 65d1195f32a87e4a" + "5c354910dfbd0a31 e2105b262f5ce3d8"); const uint8_t *expected_seed_file - = decode_hex_dup("87213a8a863a91f9 0e776c01e0d7c3a8" - "6b2ecf9977b06da5 34f3df8375918ac9"); + = decode_hex_dup("3b7ad33dcd577048 b9e0cbc70b5ca12d" + "5882be29c964a3a6 ea79fdbfa06299dc"); unsigned c; unsigned t; @@ -108,11 +108,11 @@ test_main(void) assert(!yarrow256_is_seeded(&yarrow)); - input = open_file("rfc1750.txt"); + input = open_file("gold-bug.txt"); if (!input) { - fprintf(stderr, "Couldn't open `rfc1750.txt', errno = %d\n", + fprintf(stderr, "Couldn't open `gold-bug.txt', errno = %d\n", errno); return EXIT_FAILURE; }
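Review bot: In the first yarrow-test.c hunk (@@ -70,16), the three replaced constants expected_output, expected_input and expected_seed_file carry no comment tying them to the exact bytes of gold-bug.txt. A later whitespace or line-ending change to that file would fail the comparison with no hint as to why. Suggest a short comment above expected_output saying that these values depend on testsuite/gold-bug.txt as checked in and must be regenerated if the file changes.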
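Review bot: In the second yarrow-test.c hunk (@@ -108,11), the input file name is still a string literal written twice, once in open_file("gold-bug.txt") and once in the fprintf message, which is why the rename had to touch both lines. Suggest a single constant for the file name, used in both places, so the error message cannot drift from the file actually opened. Printing strerror(errno) next to the numeric errno would also make a failed open easier to diagnose.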