Cryptography-Digest Digest #848, Volume #10       Thu, 6 Jan 00 07:13:01 EST

Contents:
  Re: Unsafe Advice in Cryptonomicon (Steve K)
  Re: RSA encrypt (Bill Unruh)
  Re: Cryptography in Tom Clancy (Johnny Bravo)
  Re: Please Comment: Modified Enigma (John Savard)
  Re: Unsafe Advice in Cryptonomicon (John Savard)
  Re: Unsafe Advice in Cryptonomicon (Paul Rubin)
  Re: RSA encrypt (Bill Unruh)
  Re: How about this for a "randomly" generated bitstream? (Scott Nelson)
  Re: Truly random bistream (Dave Knapp)
  Re: is signing a signature with RSA risky? (Pascal Scheffers)
  Re: RSA encrypt (Paul Schlyter)
  Siemens T52d Simulator (Frode Weierud)
  Re: Square root attacks against DSA? (Paulo S. L. M. Barreto)
  Re: Please Comment: Modified Enigma ([EMAIL PROTECTED])
  Cryptography FAQ (01/10: Overview) ([EMAIL PROTECTED])

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Steve K)
Subject: Re: Unsafe Advice in Cryptonomicon
Date: Thu, 06 Jan 2000 06:27:57 GMT

On 06 Jan 2000 00:46:40 GMT, [EMAIL PROTECTED] (Andrew Woodward)
wrote:

>John Savard
>wrote:
>
>>Well, I finally finished the book.
>
>That really was a great book, I spent most of my vacation reading it.
>

Me too <grin>

>One problem with the VE phreak is that although it can pick up the radio
>emissions from the computer it cannot always tell what type of data they
>represent.  The reason that the display is so easy to detect is because of the
>noticeable pauses in emissions during horizontal and other rasterings.  However,
>no such pause or other distinguishing characteristics should be present in the
>morse code output.  Certainly there would be a timing pattern but this could be
>hidden by generating many different types of enternal morse code perhaps
>reading false information.  Another possibility would be to load a large
>program while simultaneously outputting the morse code.  It may create enough
>disturbance to hide the morse output.

Ah-yup, that made it a lot more believable than otherwise.  In the
situation, though, I would be most concerned about someone making a
very high definition recording of the RF noise with a *really good* set
of detector circuits, each custom-tuned to listen to individual
components:  the serial bus and motherboard cache would be good
targets.  Of course, the process of recovering the actual data being
processed would be far from easy, in the case mentioned, and I can
believe that the morse trick would work if nobody had published it...

Dang.

:o))


Steve K

---Continuing freedom of speech brought to you by---
   http://www.eff.org/   http://www.epic.org/  
               http://www.cdt.org/

PGP key 0x5D016218
All others have been revoked.

------------------------------

From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: RSA encrypt
Date: 6 Jan 2000 06:45:47 GMT

In <[EMAIL PROTECTED]> "Brice" <[EMAIL PROTECTED]> writes:
>I have a question about RSA.

>If I was to calculate M^d (M: message, d: secret key) and give it away for
>the modular step to be done by someone else (say), how easy would it be for
>that person to find what my secret key is since my public key is available
>to anyone ?

Absolutely trivial. On the other hand, the result of M^d has more
characters than there are atoms in the observable universe by a huge
factor. So I am not sure how you would give it to the other person.



------------------------------

From: [EMAIL PROTECTED] (Johnny Bravo)
Subject: Re: Cryptography in Tom Clancy
Date: Thu, 06 Jan 2000 01:40:36 GMT

On Wed, 05 Jan 2000 16:11:34 -0700, Shawn Willden <[EMAIL PROTECTED]>
wrote:

>I'm not sure which novel it was in (probably "Rainbow Six"), but there was
>a section in one of Clancy's recent novels in which the NSA brute-forced a
>128-bit key in a few hours.  I don't mind some *minor* technical
>inaccuracies, but I groaned aloud at that one.

  It is possible, the first key tried could decrypt the message.  The
groaner is that they even tried to brute force a 128 bit key.  Not
unless the security of the nation or an entire city is at risk, then
they don't have much to lose on such a long shot.
  If he wrote that they routinely break 128 bit keys in three hours,
then that is another story. <g>

  Best Wishes,
    Johnny Bravo


------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Please Comment: Modified Enigma
Date: Thu, 06 Jan 2000 06:49:54 GMT

On Thu, 06 Jan 2000 00:54:17 GMT, [EMAIL PROTECTED] wrote:

>I wonder if someone can comment on the strength of the following simple
>cipher: Extend the enigma algorithm by variable rotor permutations. Each
>rotor permutation would be part of the key.

Making a rotor machine with the rotor wirings a part of the key is a
good idea.

But using an Enigma, with the fatal weakness of not enciphering a
letter to itself, is a bad idea.

John Savard (teneerf <-)
http://www.ecn.ab.ca/~jsavard/index.html

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Unsafe Advice in Cryptonomicon
Date: Thu, 06 Jan 2000 06:55:53 GMT

On Wed, 05 Jan 2000 21:03:05 +0100, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:

>This would mean sort of renascence 
>of the classical devices. Or am I speculating on an entirely wrong 
>track?

There are two problems.

Mechanical devices make noise, and that can be interpreted and
analyzed.

It is difficult to devise a mechanical device that would produce a
sufficiently strong cipher to be secure today.

Putting a digital computer inside a sealed box with walls of, say, 1/2
inch thick (12mm) solid aluminum is just so much easier. How to
communicate plaintext to it without that plaintext existing outside
the sealed box in any electrical form is, however, a problem.

John Savard (teneerf <-)
http://www.ecn.ab.ca/~jsavard/index.html

------------------------------

From: [EMAIL PROTECTED] (Paul Rubin)
Subject: Re: Unsafe Advice in Cryptonomicon
Date: 6 Jan 2000 07:27:28 GMT

In article <[EMAIL PROTECTED]>,
Mok-Kong Shen  <[EMAIL PROTECTED]> wrote:
>In view of tempest related attacks, that I guess could only be 
>eliminated in rather clumsy ways, it would appear reasonable to 
>have some components of one's encryption system to be mechanical 
>ones, hence without emissions. This would mean sort of renascence 
>of the classical devices. Or am I speculating on an entirely wrong 
>track?

There's a thriving commercial market in tamper resistant, electrically
shielded crypto equipment.  I use some of it in my own work.  See
http://www.ncipher.com for one vendor (there are many others).  See
http://csrc.nist.gov/fips/fips1401.htm for info on the testing these
things must go through to get security certification.

------------------------------

From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: RSA encrypt
Date: 6 Jan 2000 07:49:09 GMT

In <[EMAIL PROTECTED]> Frank the root <[EMAIL PROTECTED]> 
writes:

]Paul Schlyter wrote:

]> One practical problem: how would you store the full M^d ?  If we assume
]> M and d are both 512 bits (a minimum requirement -- 512-bit RSA can today
]> be cracked with some effort), then M^d would be approx 512*(2^512) = 6.8E+156
]> bits large.  If you want to use M and d which each are 1024 bits, then
]> the full M^d would be approx 1024*(2^1024) = 1.8E+311 bits large.
]>
]> The entire universe contains about 1E+80 atoms.  Thus, you'd need to
]> store 1E+77 (512-bit case) or 1E+231 (1024-bit case) in EACH ATOM OF
]> THE ENTIRE UNIVERSE to have space enough to store M^d.

]Hum... I'm a bit new to cryptography but I would like to know how RSA can encrypt
]and decrypt a message ( in equations: c = m^e mod n and m = c^e mod n ) if there
]are not enough atoms in the universe to complete the operation c^d?? It might
]sound like a stupid question to you but it would fill my curiosity a lot, thank
]you.

Because M^(a+b) mod N = ((M^a mod N)(M^b mod N)) mod N, and thus you can reduce
each exponentiation to a series of multiplications all of which are
between numbers less than N and whose result is less than N.

------------------------------

From: [EMAIL PROTECTED] (Scott Nelson)
Subject: Re: How about this for a "randomly" generated bitstream?
Reply-To: [EMAIL PROTECTED]
Date: Thu, 06 Jan 2000 08:44:55 GMT

On 05 Jan 2000 21:35:17 EST, [EMAIL PROTECTED] (Guy Macon) wrote:
>(John McDonald, Jr.) wrote:
>(description of record player -> soundcard)
>
>>That is to say even if they knew you recorded the Philharmonic's
>>rendition of the William Tell Overture, they would need your actual
>>record, as well as player, and even then they would be off by at least
>>1% of the bits gathered. When you are speaking of 2^24 bits, 1% is a
>>fairly substantial number. If they are using another record on another
>>player they would be lucky if they were to get 25% of the bits you
>>gathered. And if they didn't know which song(s) you used, they would
>>be lucky to get 1% of the bits that you had.
>>
>>Does anyone have thoughts on this?

The start point has a lot less entropy than you think - 
certainly less than 40 bits, you won't get more than 
100000 bits of "true" randomness per second from that setup, 
and those numbers are generous.

You might be able to get a full 2^24 bits, but I think
you'd want something better.

>
>It's easy to get much better than 25% randomness.  Alas, a bit
>stream with 25% random bits and 75% predictable or biased bits
>seems to strike those who know a lot more crypto than I do as
>a serious weakness.  I know hardware, and I am very confident
>that I can achieve a 99.X% [99.9? 99.99? 99.999?], and that I
>will never be able to prove 100%.  Folks who know crypto better
>than I do tell me that they can not prove that 99.X% is good
>enough for certain crypto uses.
>
99.999999999999% is pretty easy to achieve if you're willing
to spend some time collecting and hashing the data.

99.99% isn't good enough for a lot of applications, 
but unusually, crypto is more forgiving than most 
other applications in this regard.  For example, 
if you pick a random 128 bit key with a biased 
but 99.99% random source, it's still more than 
127 bits of key.  And it takes a lot of known plain 
text to exploit a 0.01% bias in cipher text.

>> Problems with implementation?
>Use a microphone listening to traffic on a busy street instead
>of a record, and exclusive or the result with the best (most
>unbiased) pseudorandom generator available.  Still not perfect,
>but much better.

Take a lot of samples of anything at all with at 
least 16 bits of "accuracy" and hash with SHA1, 
or run it through something like Yarrow 
( http://www.counterpane.com/yarrow.html )
Still not perfect - but the error can 
easily be made less than 1 part per 10^30

Scott Nelson <[EMAIL PROTECTED]>
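
The collect-and-hash step described in the post above, as an added example (not code from the post): it credits only the low bits of each 16-bit sample using a most-common-value min-entropy estimate, refuses to hash an under-filled pool, and checks the 128-bit-key remark for a 0.01% bias. The constructed sample data, the 4-bit window, the 2x margin and all function names are assumptions made for the illustration.

```python
import hashlib
import math
import random
import struct
from collections import Counter


def bit_min_entropy(p_one):
    """Min-entropy, in bits, of a single biased bit with P(1) = p_one."""
    return -math.log2(max(p_one, 1.0 - p_one))


def min_entropy_per_sample(samples, low_bits=4):
    """Most-common-value estimate over the low `low_bits` of each sample.

    Only the noisy low-order bits are credited; the high bits of an audio
    sample follow the signal and are largely predictable. The estimate
    treats samples as independent, so correlated input needs more margin.
    """
    if not samples:
        raise ValueError("no samples")
    mask = (1 << low_bits) - 1
    counts = Counter(s & mask for s in samples)
    p_max = max(counts.values()) / len(samples)
    return -math.log2(p_max)


def samples_needed(h_per_sample, out_bits=160, margin=2):
    """Samples to pool so that credited entropy is margin * out_bits."""
    if h_per_sample <= 0:
        raise ValueError("source shows no measurable entropy")
    return math.ceil(out_bits * margin / h_per_sample)


def condition(samples, low_bits=4):
    """Hash the whole pool down to 160 bits with SHA-1, as the post suggests.

    hashlib.sha256 drops in the same way if a wider output is wanted.
    """
    need = samples_needed(min_entropy_per_sample(samples, low_bits))
    if len(samples) < need:
        raise ValueError("pool too small: have %d, need %d" % (len(samples), need))
    packed = struct.pack("<%dH" % len(samples), *(s & 0xFFFF for s in samples))
    return hashlib.sha1(packed).digest()


def constructed_samples(count, seed=2000):
    """Constructed stand-in for 16-bit sound-card samples: a tone plus noise.

    A seeded PRNG carries no real entropy; it only exercises the code path.
    """
    rng = random.Random(seed)
    return [(32768 + int(20000 * math.sin(i / 7.0)) + rng.randrange(-8, 9)) & 0xFFFF
            for i in range(count)]


if __name__ == "__main__":
    pool = constructed_samples(4096)
    h = min_entropy_per_sample(pool)
    print("credited bits per sample: %.2f" % h)
    print("samples needed for one 160-bit output:", samples_needed(h))
    print("conditioned output:", condition(pool).hex())
    # Post's remark: a key drawn bit by bit from a source with a 0.01% bias.
    print("128-bit key, P(1)=0.5001: %.2f bits" % (128 * bit_min_entropy(0.5001)))
```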

------------------------------

From: Dave Knapp <[EMAIL PROTECTED]>
Subject: Re: Truly random bistream
Date: Thu, 06 Jan 2000 09:03:44 GMT

On Wed, 05 Jan 2000 19:54:15 GMT, [EMAIL PROTECTED]
(Jim) wrote:

>On 05 Jan 2000 08:42:10 GMT, [EMAIL PROTECTED] (TohuVohu) wrote:
>
>>I don't see why this is impossible.  Isn't radioactive decay "random" enough
>>for this?
>
>Nothing is _absolutely_ random; no clock is _absolutely_ accurate;
>nothing can go from one level to another _absolutely_ instantaneously;
>etc; etc...

And there's no such thing as _perfect_ conductivity...

And there is no fluid with zero viscosity...

Oops.

  -- Dave


------------------------------

From: [EMAIL PROTECTED] (Pascal Scheffers)
Subject: Re: is signing a signature with RSA risky?
Date: Thu, 06 Jan 2000 09:14:52 GMT

Okay, so signing a signature basically means sign-after-encryption,
with the difference that you are not encrypting with the public
exponent, but the private.
So when Alice signs Bob's signature, you get

(m^s_b mod n_b)^s_a mod n_a

Bob still knows his factorisation, so now it's even easier - all he
has to do is find another s_b, and he doesn't even have to tell the
world he did it, because nothing changes for the outside world.

Or is this a hard problem? I think it should be, but... I am
definitely not a mathematician.

Rgds.

------------------------------

From: [EMAIL PROTECTED] (Paul Schlyter)
Subject: Re: RSA encrypt
Date: 6 Jan 2000 09:53:58 +0100

In article <[EMAIL PROTECTED]>,
Frank the root  <[EMAIL PROTECTED]> wrote:
 
> Paul Schlyter wrote:
> 
>> One practical problem: how would you store the full M^d ?  If we assume
>> M and d are both 512 bits (a minimum requirement -- 512-bit RSA can today
>> be cracked with some effort), then M^d would be approx 512*(2^512) = 6.8E+156
>> bits large.  If you want to use M and d which each are 1024 bits, then
>> the full M^d would be approx 1024*(2^1024) = 1.8E+311 bits large.
>>
>> The entire universe contains about 1E+80 atoms.  Thus, you'd need to
>> store 1E+77 (512-bit case) or 1E+231 (1024-bit case) in EACH ATOM OF
>> THE ENTIRE UNIVERSE to have space enough to store M^d.
> 
> Hum... I'm a bit new to cryptography but I would like to know how RSA can
> encrypt and decrypt a message (in equations: c = m^e mod n and m = c^e mod n)
> if there are not enough atoms in the universe to complete the operation c^d??
> It might sound like a stupid question to you but it would fill my curiosity
> a lot, thank you.
 
This is possible because:
 
(m * m * m * ... * m) mod n = (...((m * m) mod n) * m) mod n) * ... * m) mod n
 
i.e. after each multiplication, a modulus reduction is done.  By doing the
modulus reductions as soon as possible, no intermediate result will exceed
2*N bits for an N-bit RSA computation.  A multiplication immediately followed
by a modulus reduction is called a "modular multiplication".
 
A  m^e mod n  computation can be performed by (on the average) 1.5*Ne
modular multiplications, where Ne is the number of bits in e, the exponent.
This also shows why small exponents (3, 17 or 65537) are popular in the
public RSA key: the RSA computation will be much faster for these small
exponents.
 
-- 
================================================================
Paul Schlyter,  Swedish Amateur Astronomer's Society (SAAF)
Grev Turegatan 40,  S-114 38 Stockholm,  SWEDEN
e-mail:  [EMAIL PROTECTED]    [EMAIL PROTECTED]   [EMAIL PROTECTED]
WWW:     http://hotel04.ausys.se/pausch    http://welcome.to/pausch
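
The reduce-as-you-go computation that this post and Bill Unruh's earlier reply describe, as an added example (not code from either post): left-to-right square-and-multiply that counts modular multiplications and records the widest intermediate product. The toy modulus built from two Mersenne primes, the sample message and the function names are assumptions made for the illustration.

```python
import random

# Constructed toy key: two Mersenne primes, chosen only because they are
# easy to write down. Never use primes of this form for a real RSA key.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)


def modexp(m, e, n):
    """Left-to-right square-and-multiply.

    Returns (m**e mod n, number of modular multiplications,
    bit length of the widest intermediate product).

    The branch on each exponent bit makes the running time depend on e.
    That is fine for showing the arithmetic, but production RSA code uses
    constant-time exponentiation and padded messages.
    """
    if n <= 0 or e < 0:
        raise ValueError("need n > 0 and e >= 0")
    if e == 0:
        return 1 % n, 0, 0
    base = m % n
    result = base              # accounts for the leading 1 bit of e
    mults = 0
    widest = 0
    for bit in bin(e)[3:]:     # remaining bits, most significant first
        product = result * result          # square ...
        widest = max(widest, product.bit_length())
        result = product % n               # ... and reduce at once
        mults += 1
        if bit == "1":
            product = result * base        # multiply ...
            widest = max(widest, product.bit_length())
            result = product % n           # ... and reduce at once
            mults += 1
    return result, mults, widest


def average_cost_per_bit(bits, trials, seed=1):
    """Mean modular multiplications per exponent bit for random exponents."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        e = rng.getrandbits(bits) | (1 << (bits - 1))   # force full length
        total += modexp(2, e, 1000003)[1]
    return total / (trials * bits)


if __name__ == "__main__":
    message = 0x1234567890ABCDEF            # constructed sample message
    c, mults_pub, _ = modexp(message, E, N)
    back, mults_priv, widest = modexp(c, D, N)
    print("round trip ok:", back == message)
    print("public exponent 65537:", mults_pub, "modular multiplications")
    print("private exponent (%d bits): %d modular multiplications"
          % (D.bit_length(), mults_priv))
    print("modulus %d bits, widest intermediate %d bits"
          % (N.bit_length(), widest))
    print("average per exponent bit: %.3f" % average_cost_per_bit(512, 200))
```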

------------------------------

From: [EMAIL PROTECTED] (Frode Weierud)
Subject: Siemens T52d Simulator
Date: 6 Jan 2000 10:41:51 GMT
Reply-To: [EMAIL PROTECTED]

Hi all,

For those of you interested in cipher machines I have the following
announcement:

The Cipher Simulation Group (CSG) has just released a computer
simulation of the Siemens T52d cipher machine, also known as
the Siemens Geheimschreiber.

Two papers that describe the successes and problems of Bletchley Park and
Swedish Intelligence in attacking the Geheimschreiber machines have now
been published in the proceedings of the Conference on Coding Theory,
Cryptography, and Number Theory held at the U.S. Naval Academy during
October 25-26, 1998. The proceedings are titled: "Coding Theory and
Cryptography: From Enigma and Geheimschreiber to Quantum Theory" and are
published by Springer Verlag, 2000, ISBN: 3-540-66336-3. More information
is available at the Springer Verlag Web site at URL:
http://www.springer.de/cgi-bin/search_book.pl?isbn=3-540-66336-3

The two papers that deal with the Siemens T52 machines are:
Weierud, Frode; "Sturgeon, The FISH BP Never Really Caught",
pp. 18-52, 
and
Ulfving, Lars and Weierud, Frode; "The Geheimschreiber Secret",
pp. 62-100.

The Siemens T52d simulator can be downloaded from my Web site at:
http://home.cern.ch/~frode/crypto/simula/t52/index.html

The other CSG Web sites will be updated shortly.

Frode
--
        Frode Weierud                   Phone  : +41 22 7674794
        CERN, SL,  CH-1211 Geneva 23,   Fax    : +41 22 7679185
        Switzerland                     E-mail : [EMAIL PROTECTED]
                                        WWW    : home.cern.ch/~frode

------------------------------

From: Paulo S. L. M. Barreto <[EMAIL PROTECTED]>
Subject: Re: Square root attacks against DSA?
Date: 6 Jan 2000 02:43:22 -0800

In article <[EMAIL PROTECTED]>, Serge Vaudenay says...
>Why don't you try to solve y=g^x instead?

In article <[EMAIL PROTECTED]>, David Hopwood says...
>If I understand correctly, because g has order q in Z_p*, the Pollard rho
>and lambda algorithms working in Z_p* will find collisions with effort
>dependent on the square root of this order, not the square root of p.

In article <[EMAIL PROTECTED]>, Don Johnson
 says...
>Pollard rho works in ANY group, in particular the subgroup of order q.

Sorry for not replying sooner, I was following a thread on this same subject in
the coderpunks list.  I'll reply to all of these comments at once, as their
contents are similar.

There's an additional limitation I didn't write down in my original question. 
Assume the attacker has access to the public parameters (p, q, g) and the
signature (r, s) alone, not directly to the public key.  This is the case, say,
if the public parameters are shared by all users of an authentication system,
the signatures are printed on a bill or invoice, but verification is only done
through a restricted access terminal.  As pointed out in the coderpunks list,
this has the same effect as using a MAC, since the "public" key acts as a shared
secret.

Anyway, the goal is to attack the system given only the data mentioned above (so
this is a rather theoretical question). It's not even necessary to assume q is
small (index calculus faces the same problems as Pollard if y is unknown).  My
motivation for this question was that it is necessary to have *some* quantity of
form g^u mod p to start an attack like Shanks or Pollard rho or lambda, but DSA
only provides g^k mod p mod q (Schnorr provides hash (m || g^k mod p), which
poses a similar problem), given that y is kept secret.

Why would one use such a setting instead of a (simpler and more efficient) MAC? 
A possible scenario is that the verifier lacks the computational power to break
the signer's public key and so remains unable to sign new messages (this would
not be true in a conventional MAC scheme).

So the central question is: is DSA (Schnorr, etc.) resistant to signature-only
attacks?

Best wishes,

Paulo Barreto.


------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Please Comment: Modified Enigma
Date: Thu, 06 Jan 2000 11:26:00 GMT


> Enigma is a joke to crack for my desktop.

Please note that I DID NOT suggest Enigma with known rotor permutations, but
the rotor permutation as part of the KEY. As far as I understand it, the
British could only break Enigma because they got the (fixed-permutation)
rotors from the Polish secret service. Although today's electronic computing
power is significantly stronger, a simple brute-force attack won't do it,
even for our friend Lt. General Hayden: there are 26!^3==6.5*10^79 possible
Permutations, assuming 3 rotors. This equals a binary key length of 265 bits
(compared to 168 for 3DES)...

Regarding RC4, I do not think one can practically operate it on paper (think
about the calculus and the 256 (!) pieces of paper you have to play with :-))
)

My scheme would still be complex and time-consuming ( I do not propose it for
the battlefield), mainly at the rotor construction time (you must be quite
precise..), but it would be usable. Instead of playing with 256 pieces of
paper (RC4) , you just have to rotate the circles..


I was expecting some clues for a statistics-based attack from you...


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

Crossposted-To: talk.politics.crypto,sci.answers,news.answers,talk.answers
Subject: Cryptography FAQ (01/10: Overview)
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: 06 Jan 2000 11:57:56 GMT

Archive-name: cryptography-faq/part01
Last-modified: 1999/06/27


This is the first of ten parts of the sci.crypt FAQ. The parts are
mostly independent, but you should read this part before the rest. We
don't have the time to send out missing parts by mail, so don't ask.
Notes such as ``[KAH67]'' refer to the reference list in the last part.

Disclaimer: This document is the product of the Crypt Cabal, a secret
society which serves the National Secu---uh, no. Seriously, we're the
good guys, and we've done what we can to ensure the completeness and
accuracy of this document, but in a field of military and commercial
importance like cryptography you have to expect that some people and
organizations consider their interests more important than open
scientific discussion. Trust only what you can verify firsthand.
And don't sue us.

Many people have contributed to this FAQ. In alphabetical order:
Eric Bach, Steve Bellovin, Dan Bernstein, Nelson Bolyard, Carl Ellison,
Jim Gillogly, Mike Gleason, Doug Gwyn, Luke O'Connor, Tony Patti,
William Setzer. We apologize for any omissions.

Archives: sci.crypt has been archived since October 1991 on
ripem.msu.edu, though these archives are available only to U.S. and
Canadian users. Another site is rpub.cl.msu.edu in /pub/crypt/sci.crypt/ 
from Jan 1992.

The sections of this FAQ are available via anonymous FTP to rtfm.mit.edu 
as /pub/usenet/news.answers/cryptography-faq/part[xx]. The Cryptography 
FAQ is posted to the newsgroups sci.crypt, talk.politics.crypto, 
sci.answers, and news.answers every 21 days.

The fields `Last-modified' and `Version' at the top of each part track
revisions.


1999: There is a project underway to reorganize, expand, and update the
sci.crypt FAQ, pending the resolution of some minor legal issues. The
new FAQ will have two pieces. The first piece will be a series of web
pages. The second piece will be a short posting, focusing on the
questions that really are frequently asked.

In the meantime, if you need to know something that isn't covered in the
current FAQ, you can probably find it starting from Ron Rivest's links
at <http://theory.lcs.mit.edu/~rivest/crypto-security.html>.

If you have comments on the current FAQ, please post them to sci.crypt
under the subject line Crypt FAQ Comments. (The crypt-comments email
address is out of date.)



Table of Contents
=================

1. Overview

2. Net Etiquette
2.1. What groups are around? What's a FAQ? Who am I? Why am I here?
2.2. Do political discussions belong in sci.crypt?
2.3. How do I present a new encryption scheme in sci.crypt?

3. Basic Cryptology
3.1. What is cryptology? Cryptography? Plaintext? Ciphertext? Encryption? Key?
3.2. What references can I start with to learn cryptology?
3.3. How does one go about cryptanalysis?
3.4. What is a brute-force search and what is its cryptographic relevance?
3.5. What are some properties satisfied by every strong cryptosystem?
3.6. If a cryptosystem is theoretically unbreakable, then is it
  guaranteed analysis-proof in practice?
3.7. Why are many people still using cryptosystems that are
  relatively easy to break?
3.8. What are the basic types of cryptanalytic `attacks'?

4. Mathematical Cryptology
4.1. In mathematical terms, what is a private-key cryptosystem?
4.2. What is an attack?
4.3. What's the advantage of formulating all this mathematically?
4.4. Why is the one-time pad secure?
4.5. What's a ciphertext-only attack?
4.6. What's a known-plaintext attack?
4.7. What's a chosen-plaintext attack?
4.8. In mathematical terms, what can you say about brute-force attacks?
4.9. What's a key-guessing attack? What's entropy?

5. Product Ciphers
5.1. What is a product cipher?
5.2. What makes a product cipher secure?
5.3. What are some group-theoretic properties of product ciphers?
5.4. What can be proven about the security of a product cipher?
5.5. How are block ciphers used to encrypt data longer than the block size?
5.6. Can symmetric block ciphers be used for message authentication?
5.7. What exactly is DES?
5.8. What is triple DES?
5.9. What is differential cryptanalysis?
5.10. How was NSA involved in the design of DES?
5.11. Is DES available in software?
5.12. Is DES available in hardware?
5.13. Can DES be used to protect classified information?
5.14. What are ECB, CBC, CFB, and OFB encryption?

6. Public-Key Cryptography
6.1. What is public-key cryptography?
6.2. How does public-key cryptography solve cryptography's Catch-22?
6.3. What is the role of the `trapdoor function' in public key schemes?
6.4. What is the role of the `session key' in public key schemes?
6.5. What's RSA?
6.6. Is RSA secure?
6.7. What's the difference between the RSA and Diffie-Hellman schemes?
6.8. What is `authentication' and the `key distribution problem'?
6.9. How fast can people factor numbers?
6.10. What about other public-key cryptosystems?
6.11. What is the `RSA Factoring Challenge?'

7. Digital Signatures
7.1. What is a one-way hash function?
7.2. What is the difference between public, private, secret, shared, etc.?
7.3. What are MD4 and MD5?
7.4. What is Snefru?

8. Technical Miscellany
8.1. How do I recover from lost passwords in WordPerfect?
8.2. How do I break a Vigenere (repeated-key) cipher?
8.3. How do I send encrypted mail under UNIX? [PGP, RIPEM, PEM, ...]
8.4. Is the UNIX crypt command secure?
8.5. How do I use compression with encryption?
8.6. Is there an unbreakable cipher?
8.7. What does ``random'' mean in cryptography?
8.8. What is the unicity point (a.k.a. unicity distance)?
8.9. What is key management and why is it important?
8.10. Can I use pseudo-random or chaotic numbers as a key stream?
8.11. What is the correct frequency list for English letters?
8.12. What is the Enigma?
8.13. How do I shuffle cards?
8.14. Can I foil S/W pirates by encrypting my CD-ROM?
8.15. Can you do automatic cryptanalysis of simple ciphers?
8.16. What is the coding system used by VCR+?

9. Other Miscellany
9.1. What is the National Security Agency (NSA)?
9.2. What are the US export regulations?
9.3. What is TEMPEST?
9.4. What are the Beale Ciphers, and are they a hoax?
9.5. What is the American Cryptogram Association, and how do I get in touch?
9.6. Is RSA patented?
9.7. What about the Voynich manuscript?

10. References
10.1. Books on history and classical methods
10.2. Books on modern methods
10.3. Survey articles
10.4. Reference articles
10.5. Journals, conference proceedings
10.6. Other
10.7. How may one obtain copies of FIPS and ANSI standards cited herein?
10.8. Electronic sources
10.9. RFCs (available from [FTPRF])
10.10. Related newsgroups

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
