Cryptography-Digest Digest #727, Volume #11       Sun, 7 May 00 20:13:02 EDT

Contents:
  Re: SBOX using boolean logic (Tom St Denis)
  RC5 question (Pred.)
  Re: Fresco transmits my name ("David J. Ruck")
  Re: An argument for multiple AES winners ("Simon Johnson")
  Re: Newbie question about primes (S. T. L.)
  Re: How does PGP passphrase produce the session key ? (Bill Unruh)
  Re: SSL? ("Simon Johnson")
  Is there a Commercially Available Transposition Program (UBCHI2)
  Re: hardware sboxes (Tim Tyler)
  Re: RC5 question (Tom St Denis)
  Re: hardware sboxes (Tom St Denis)
  Re: How does PGP passphrase produce the session key ? (Clive Jones)
  Re: zeroknowledge.com and freedom.net - Snake oil? (Robert Guerra)
  Re: How does PGP passphrase produce the session key ? (Tom St Denis)
  Re: How does PGP passphrase produce the session key ? ([EMAIL PROTECTED])
  Re: RC5 question (Pred.)
  Re: Fresco transmits my name (was: Spammed after just visiting a site) (Clive Jones)
  Re: Fresco transmits my name (was: Spammed after just visiting a site) (Clive Jones)
  sboxgen update (Tom St Denis)
  Re: RC5 question (Tom St Denis)
  Re: mod function? (Tom St Denis)
  Re: Fresco transmits my name (Tim Tyler)

----------------------------------------------------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: SBOX using boolean logic
Date: Sun, 07 May 2000 21:17:29 GMT



Mok-Kong Shen wrote:
> 
> Tom St Denis wrote:
> 
> > It appears that my sboxes are not bijective.  Now I have a question:  Is
> > it even possible to make a bijective sbox using just boolean
> > expressions?  I am pretty sure it is.  If so, what conditions must I
> > meet (i.e number of variables, etc..).
> 
> I have the impression that you are doing the task in the unfavourable,
> if not wrong, direction. You can prescribe the mapping between the
> input and output with whatever properties you want. Then there is a
> well-established technique called boolean optimization that the circuit
> design engineer applies to determine the implementation that is
> optimal for production purpose. I believe that, since hardware prices
> now have diminished enormously compared to decades ago, it
> wouldn't matter much even if the optimization is not carried to the
> extreme. In short, you don't have to bother about the circuits.
> Otherwise you would lose your attention to the properties you
> want to give to your S-boxes. (Compare with the case where an
> author of a book worries about how his book will get technically
> printed at the printing house!)

The purpose of my exercise was to try and make random boolean
expressions and test for the properties I wanted...

I know now I should have gone from table to expression.

Tom

------------------------------

From: Pred. <[EMAIL PROTECTED]>
Subject: RC5 question
Date: Sun, 07 May 2000 21:12:45 GMT

Hi.

I read a paper on RC5 and it states that the key expansion process has
a certain degree of onewayness.

What does this mean? Is it or is it not possible to derive the key
from the S-table by other means than brute force?

The reason I ask is that the paper describes attacks in which the goal
is to find the S-table. But the attack is not always good if it's very
difficult to get from S to the secret key. This is because it's not
possible - I think - to figure out the key selection process if you
only have the S-table.

 - Pred


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

Crossposted-To: comp.sys.acorn.misc
From: "David J. Ruck" <[EMAIL PROTECTED]>
Subject: Re: Fresco transmits my name
Date: Sun, 7 May 2000 20:19:36 +0100

In article <[EMAIL PROTECTED]>, Tim Tyler
<URL:mailto:[EMAIL PROTECTED]> wrote:
> In sci.crypt David J. Ruck <[EMAIL PROTECTED]> wrote:
> : At any time chip manufacturers can generally produce a very small yield of 
> : CPUs running at double or more the normal clock rate [...] but this
> : will have no impact whatsoever on key cracking. The sort of things
> : the NSA have are hypercubes of 30,000 (possibly a lot more now) general
> : processors for brute force cracking, and specialist super computers
> : with ALUs optimised for certain algorithms and mathematical functions
> : such as factorisation.
> 
> My understanding is that none of this is remotely likely to help
> with a straightforward search through a 2^128 keyspace.  That makes
> this particular possibility one of the most /unlikely/ ones, IMO.

If you are truly dealing with a 2^128 keyspace, in most cases only 40 bits
will be unknown (any US exported encryption software) and that can be broken
in a matter of hours by such equipment. As Mark Wooding shows in his post
*true* large keys are effectively impossible to break with the current level
of technology.

That's why there are two approaches being tried on each side of the Atlantic.
The US with its 90% share of the world's software market has opted for not
providing true strong encryption, using a variety of back doors, key
recovery, and control over certification authorities.

The UK and other European countries, lacking any control software (thanks to
their policy of destroying our native industry, in favor of the US) and not
having the same protection of an individual's privacy enshrined in their
constitutions, have had to resort to draconian bills which seek to force
people to surrender their keys on request.

In the UK's case this means without having to provide any justification,
indeed it would be an offense for anyone to tell you why you must surrender
your key. It makes the last major large scale abuse of civil liberties in
this country, internment without trial, look like a lunchtime school
detention.

---druck


------------------------------

From: "Simon Johnson" <[EMAIL PROTECTED]>
Subject: Re: An argument for multiple AES winners
Date: Sun, 7 May 2000 22:44:45 -0700


Mok-Kong Shen <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
> I remember to have learned some time ago from
> discussions in this group that having multiple AES
> winners has the advantage of better coping with
> the case that one winner is eventually found to
> have certain weakness that is hitherto not
> discovered.

Hmmmm, I kinda think that would defy the point of having a standard, having
multiple standards is a contradiction. If the AES was compromised, I believe
NIST would drop the standard, and start looking for entries for a
replacement from scratch. (This has no factual basis, but would be logical,
as it would be unfair to award '2nd' place etc....)

> It just occurs to me that the same applies in
> respect of hidden patent claims. If there are e.g.
> three AES winners, the chance of all of them having
> hidden patent claims is likely to be fairly small.
> So if NIST is not able to ensure (free of charge)
> the absence of hidden patent claims to prevent
> the potential catastrophe of users worldwide
> having to pay someday patent royalties, letting
> there to be multiple AES winners is definitely
> a good idea.

A scary situation, but I think if someone did attempt this, it would damage
their credibility so much that they would never be trusted again. I think
the companies involved in the AES have too much to lose by attempting
this, and therefore they won't. Moreover, I think NIST would throw them out,
since one of its specifications is that the algorithm be freely available,
was it not?

> BTW, I like to ask at this opportunity a probably
> dumb question. Is it certain that AES will be
> freely available to all people of the world?
> Would its use be restricted to applications such
> as banking and also confined to the 'friendly'
> nations? How about the Wassenaar Arrangements?

Yes I believe it would, and even if it wasn't (available worldwide), I very
much doubt that would stop anyone for very long.

> Thanks.
>
> M. K. Shen
> ---------------------------------
> http://home.t-online.de/home/mok-kong.shen
>



------------------------------

From: [EMAIL PROTECTED] (S. T. L.)
Subject: Re: Newbie question about primes
Date: 07 May 2000 21:46:35 GMT

<<Could someone point me at a good source (or is there a quick explanation)
for the obvious time difference between creating a prime compared to
factoring one, since I thought in order to determine if a number was prime,
you had to factor it?>>

Yes, it would suck hard to have to baby trial divide a number to determine
whether it's prime.  Fortunately for us, there are ways to get around that and
do a probable primality test.  The concept of a probable primality test is
important - we can perform a process on a number which will tell us one of two
things:
A) This number is composite, but you still don't know what the factors are.
B) This number is prime or it's one of a small class of composites that gets
past this test.
(Hence the name "probable" primality test).  The problem of composites not
being identified by a probable primality test _is_ a problem.  For "weak
pseudoprimality testing", such as the Fermat test, which is done using a
certain number as a base, not only are there numbers which will be missed while
using, say, base 3, there are really nasty ones known as Carmichael numbers
that are composite but will not be identified as such for almost ALL bases! 
Argh.  However, there is a strong pseudoprimality test, the Rabin-Miller test,
for which no Carmichael-ish numbers exist.  Run 25 Rabin-Miller tests on a
number and it is more probable that a cosmic ray screwed up your calculations
than the chance of a number passing all the tests and still being composite.

-*---*-------
S.T. "andard Mode" L.               ***137***
STL's Wickedly Nifty Quotation Collection: http://quote.cjb.net
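As an added illustration of the weak versus strong test distinction above (example code, not part of the original post; function names are mine): 561, the smallest Carmichael number, passes the Fermat test for every base coprime to it, while a single Rabin-Miller round with base 2 already proves it composite.

```python
"""Probable-primality tests: weak (Fermat) versus strong (Rabin-Miller).

Added example; 561 = 3 * 11 * 17 is the smallest Carmichael number.
"""
import random
from math import gcd


def fermat_passes(n: int, a: int) -> bool:
    """Weak test: True if a^(n-1) == 1 (mod n).

    Primes always pass. Some composites pass for some bases, and
    Carmichael numbers pass for every base coprime to n.
    """
    return n > 1 and pow(a, n - 1, n) == 1


def is_strong_witness(n: int, a: int) -> bool:
    """Strong (Rabin-Miller) test of odd n > 2 with one base a.

    Write n - 1 = d * 2^s with d odd. n survives base a only if
    a^d == 1 or a^(d * 2^r) == -1 (mod n) for some 0 <= r < s.
    Returns True when a proves n composite (no factor is revealed).
    """
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    x = pow(a, d, n)
    if x in (1, n - 1):
        return False
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return False
    return True


def is_probable_prime(n: int, rounds: int = 25, rng=random) -> bool:
    """Rabin-Miller with `rounds` random bases.

    A composite survives one round with probability at most 1/4, so
    25 rounds bound the error by 4^-25 (about 2^-50).
    """
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        if is_strong_witness(n, a):
            return False
    return True


def fermat_liars(n: int) -> list:
    """Bases 2..n-2 coprime to n for which the Fermat test wrongly passes n."""
    return [a for a in range(2, n - 1) if gcd(a, n) == 1 and fermat_passes(n, a)]


def strong_liars(n: int) -> list:
    """Bases 2..n-2 for which one Rabin-Miller round wrongly passes n."""
    return [a for a in range(2, n - 1) if not is_strong_witness(n, a)]


CARMICHAEL = 561  # fools Fermat for every coprime base, never Rabin-Miller

if __name__ == "__main__":
    print("Fermat liars for 561:", len(fermat_liars(CARMICHAEL)))
    print("strong liars for 561:", len(strong_liars(CARMICHAEL)))
    print("2**61 - 1 probable prime:", is_probable_prime(2**61 - 1))
```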

------------------------------

From: [EMAIL PROTECTED] (Bill Unruh)
Crossposted-To: alt.security.pgp,comp.security.pgp.tech
Subject: Re: How does PGP passphrase produce the session key ?
Date: 7 May 2000 22:05:40 GMT

In <o_hR4.13146$[EMAIL PROTECTED]> "Thierry FALISSARD" 
<[EMAIL PROTECTED]> writes:

>I know the passphrase is hashed to produce the session key
>(I am interested here only in conventional encryption).
?? No. The passphrase is hashed to produce the key for the IDEA cypher
which unlocks the private key stored on the disk. It has nothing to do
with the session key (which I call the key used to encrypt the actual
messages, and which is sent with the message encrypted with RSA/DHE).

>If the passphrase is hashed by MD5, the size of the hash will be 128 bits.
>If the encryption algorithm is 3DES, 168 bits of key are required.

------------------------------

From: "Simon Johnson" <[EMAIL PROTECTED]>
Subject: Re: SSL?
Date: Sun, 7 May 2000 23:17:22 -0700


Simon Johnson <[EMAIL PROTECTED]> wrote in message
news:8f4mmu$clj$[EMAIL PROTECTED]...
> I've found it perplexing to create a protocol where two computers can
> agree on some random key without Eve or Mallory getting hold of it.
>
> I was wondering how SSL does it?

I think it uses Public | Private cryptography, so I'll change my question:

Is there a way Alice & Bob can exchange keys, such that Eve or Mallory
cannot intercept them. The best protocol I can do can still be hacked by
Mallory: Here are the Details:

Alice has a legitimate account on Bob's machine. Bob allows Alice to set a
password. Alice doesn't want Bob, or his machine, to know her password. Yet
Bob wants to be assured it's really Alice using his machine; this protocol's
aim is to solve that problem.

Setting up for use:

1.) Alice sits at Bob's computer and generates a good password, K. She then
generates a random-number, R. She concatenates R and a cryptographically
secure hash of K. She then uses the same hashing function on this
concatenated string. Alice then stores R and this hash in the password
database, next to her username, Alice.

                    H(R & H(K))

Login use.

1.) Alice sends her username to Bob. Bob sends her the random number, R, out
of the database. Alice then computes H(K), using the same Algorithm as on
Bob's computer, and remembers it until the end of the protocol. She then
continues to produce H(R & H(K)). She uses this as a key to a stream cipher,
k0.

2.) Bob recalls H(R & H(K)) and uses that as a key to an identical stream
cipher to Alice's, k0.

3.) Alice encrypts H(K) using k0 and sends it to Bob.

E_k0 (H(K))

4.) Bob decrypts Alice's message and concatenates it with the random number
in the database. He then computes H(R&H(K)), if this hash matches the one in
the database, then Alice = Alice. If not, protocol ends.

5.) Bob generates a 'random' number to Alice. Alice generates her own
'random' number and XORs the two to produce a new, R. She then sends this
back to Bob, encrypted.

R=R_a XOR R_b --> E_k0(R)

6.) Bob stores the decrypted random number in the database. Alice computes
H(R&H(K)) and sends it to Bob, encrypted. Bob decrypts this and stores this
hash in his database.
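The exchange sketched in the post, with both sides in one script, as an added example that is not the poster's code. Assumptions: H is SHA-256, the stream cipher k0 is SHA-256 in counter mode, '&' is byte concatenation, and each of the three encrypted messages gets its own counter prefix so no keystream is reused. The author's own caveat stands: this does not stop Mallory.

```python
"""Password-verifier login protocol from the post: setup step 1, login steps 1-6.

Added example. H, the stream cipher and the byte encodings are assumptions.
"""
import hashlib
import secrets


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()          # assumed hash function


def stream_xor(k0: bytes, msg_no: int, data: bytes) -> bytes:
    """E_k0 / D_k0: XOR with a SHA-256 counter-mode keystream (assumed cipher).
    msg_no separates the keystreams of the three encrypted messages."""
    ks = b""
    block = 0
    while len(ks) < len(data):
        ks += H(k0 + bytes([msg_no]) + block.to_bytes(4, "big"))
        block += 1
    return bytes(a ^ b for a, b in zip(data, ks))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Bob:
    """Holds the password database: username -> (R, H(R & H(K)))."""

    def __init__(self):
        self.db = {}

    def store(self, user: str, R: bytes, verifier: bytes) -> None:    # setup step 1
        self.db[user] = (R, verifier)

    def challenge(self, user: str) -> bytes:                           # login step 1
        return self.db[user][0]

    def verify(self, user: str, enc_hk: bytes):                        # steps 2-4
        R, verifier = self.db[user]
        k0 = verifier                                   # step 2: stored H(R & H(K)) is k0
        hk = stream_xor(k0, 0, enc_hk)                  # step 3 undone: recover H(K)
        if H(R + hk) != verifier:                       # step 4: recompute and compare
            return None                                 # protocol ends
        return k0

    def rekey_nonce(self) -> bytes:                                    # step 5
        return secrets.token_bytes(16)

    def rekey(self, user: str, k0: bytes, enc_R: bytes, enc_ver: bytes) -> None:
        new_R = stream_xor(k0, 1, enc_R)                # step 6: store new R ...
        self.db[user] = (new_R, stream_xor(k0, 2, enc_ver))   # ... and new hash


class Alice:
    """Knows the password K; sends neither K nor H(K) in the clear."""

    def __init__(self, user: str, password: bytes):
        self.user, self.hk = user, H(password)          # H(K), kept for the session

    def enrol(self, bob: Bob) -> None:                  # setup step 1
        R = secrets.token_bytes(16)
        bob.store(self.user, R, H(R + self.hk))

    def login(self, bob: Bob) -> bool:
        R = bob.challenge(self.user)                    # step 1: receive R
        k0 = H(R + self.hk)                             # k0 = H(R & H(K))
        if bob.verify(self.user, stream_xor(k0, 0, self.hk)) is None:  # step 3
            return False                                # step 4 failed
        R_b = bob.rekey_nonce()                         # step 5: Bob's number
        R_a = secrets.token_bytes(16)                   #         Alice's own number
        new_R = xor_bytes(R_a, R_b)
        bob.rekey(self.user, k0,                        # step 6, both values encrypted
                  stream_xor(k0, 1, new_R),
                  stream_xor(k0, 2, H(new_R + self.hk)))
        return True


if __name__ == "__main__":
    bob, alice = Bob(), Alice("alice", b"correct horse battery staple")
    alice.enrol(bob)
    print("login ok:", alice.login(bob), "| wrong password:",
          Alice("alice", b"guess").login(bob))
```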



------------------------------

From: [EMAIL PROTECTED] (UBCHI2)
Subject: Is there a Commercially Available Transposition Program
Date: 07 May 2000 22:17:51 GMT

I am looking to purchase a program that can do columnar transpositions of text
automatically.  Is there such a program on the market?

------------------------------

From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: hardware sboxes
Reply-To: [EMAIL PROTECTED]
Date: Sun, 7 May 2000 22:18:27 GMT

Tom St Denis <[EMAIL PROTECTED]> wrote:

: I modified my program so that it does this

: for x = 0 to n
:       do 
:               do randomize(f[x]) while not is_sac(f[x])
:       while not is_nonlinear(f[x]);
:       if (bijective(f[0..x]) increment x

: And I get three of the four 4x1 sboxes in my test, but I can never seem
: to find a fourth...

As far as I know, there are several possibilities:

* No 4x4 box satisfies all these constraints simultaneously;
* Such boxes are very rare;
* The method of attempting to find the 4x1 boxes one-at-a-time has a
  high probability of descending into a cul-de-sac.

You've probably considered the first two options - the third one
is speculation on my part.

If I understand this correctly, I'm not sure if the:
"if (bijective(f[0..x]) increment x" section will work very well.  Won't
this create a sort of biased result, with the earlier generated subsets of
the final result being themselves bijections, and having no dependence on
the "later" bits?

I have an unfinished program which does something very similar to what
you're trying to do - though I have not implemented a SAC test.  If I were
to do this, I might be in a better position to comment.

FWIW, the order I use is to first create a bijection (using a shuffle),
and then test the functions that compose it for non-linearity, etc.  If
the tests fail I do a little bit more shuffling - and then continue with
the tests.

This has pros and cons compared to what you're doing, but I /suspect/
there are more pros than cons - since bijections are relatively rare,
while non-linearity is fairly common.
-- 
__________  Lotus Artificial Life  http://alife.co.uk/  [EMAIL PROTECTED]
 |im |yler  The Mandala Centre   http://mandala.co.uk/  Be good, do good.

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: RC5 question
Date: Sun, 07 May 2000 22:43:39 GMT



"Pred." wrote:
> 
> Hi.
> 
> I read a paper on RC5 and it states that the key expansion process has
> a certain degree of onewayness.
> 
> What does this mean? Is it or is it not possible to derive the key
> from the S-table by other means than brute force?

It means given as many words as you want (not all of them) getting any
other is hard to do reliably.

> The reason I ask is that the paper describes attacks in which the goal
> is to find the S-table. But the attack is not always good if it's very
> difficult to get from S to the secret key. This because it's not
> possible - I think - to figure out the key selection process if you
> only have the S-table.

The S Table is essentially the private key. So if the key schedule is
one-way you have to brute the input key.

Tom

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: hardware sboxes
Date: Sun, 07 May 2000 22:46:58 GMT



Tim Tyler wrote:
> 
> Tom St Denis <[EMAIL PROTECTED]> wrote:
> 
> : I modified my program so that it does this
> 
> : for x = 0 to n
> :       do
> :               do randomize(f[x]) while not is_sac(f[x])
> :       while not is_nonlinear(f[x]);
> :       if (bijective(f[0..x]) increment x
> 
> : And I get three of the four 4x1 sboxes in my test, but I can never seem
> : to find a fourth...
> 
> As far as I know, there are several possibilities:
> 
> * No 4x4 box satisfies all these constraints simultaneously;
> * Such boxes are very rare;
> * The method of attempting to find the 4x1 boxes one-at-a-time has a
>   high probability of descending into a cul-de-sac.
> 
> You've probably considered the first two options - the third one
> is speculation on my part.

The last one is the case actually.  As I get more progressive it's
impossible to find a fourth.

> If I understand this correctly, I'm not sure if the:
> "if (bijective(f[0..x]) increment x" section will work very well.  Won't
> this create a sort of biased result, with the earlier generated subsets of
> the final result being themselves bijections, and having no dependence on
> the "later" bits?
> 
> I have an unfinished program which does something very similar to what
> you're trying to do - though I have not implemented a SAC test.  If I were
> to do this, I might be in a better position to comment.
> 
> FWIW, the order I use is to first create a bijection (using a shuffle),
> and then test the functions that compose it for non-linearity, etc.  If
> the tests fail I do a little bit more shuffling - and then continue with
> the tests.
> 
> This has pros and cons compared to what you're doing, but I /suspect/
> there are more pros than cons - since bijections are relatively rare,
> while non-linearity is fairly common.

In my SBOXGEN program I just make random permutations by shuffling the
numbers 0..x, then I test the sbox as a whole, it's much faster and
reliable.  See

http://www.tomstdenis.com/sboxgen.c

Tom

------------------------------

From: [EMAIL PROTECTED] (Clive Jones)
Crossposted-To: alt.security.pgp,comp.security.pgp.tech
Subject: Re: How does PGP passphrase produce the session key ?
Date: 8 May 2000 00:00:00 +0100

In article <[EMAIL PROTECTED]>,
Tom St Denis  <[EMAIL PROTECTED]> wrote:
>He is talking about conventional encryption which has nothing to do with
>that.  Basically all you do is this.
>
>K' = MD5(password + salt)
>K = F(K')
>
>Where F() is some non-linear function of K' to make the n-bit K.

Where the hash output size is less than the required key size, I
believe the key is actually generated from:
  MD5(salt + password) + MD5(salt + zero_byte + password)

--Clive.

------------------------------

From: Robert Guerra <[EMAIL PROTECTED]>
Subject: Re: zeroknowledge.com and freedom.net - Snake oil?
Date: Sun, 07 May 2000 23:29:19 GMT

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] 
(Steve) wrote:

>On 7 May 2000 09:20:32 -0700, [EMAIL PROTECTED]
>(David A. Wagner) wrote:
>
>>In article <8f2nt6$[EMAIL PROTECTED]>,
>>Guy Macon <[EMAIL PROTECTED]> wrote:
>>> I am interested in a Canadian company called Zero-Knowledge Systems 
>>> [...]

Apart from their www site at www.zks.net, you can find a wealth of 
information about them on the cypherpunks list archives 
(http://www.inet-one.com/cypherpunks/)

The company has been involved in a great deal of privacy advocacy and 
has many reputable people working for them. 

A frank discussion on their "freedom" program can be found on the CFP 
2000 conference site. (www.cfp2000.org). Of particular interest is 
http://www.cfp2000.org/papers/shostack.pdf

>What I found when I installed Freedom, is that it takes over the
>user's network port assignments in a manner that prevents
>firewall software from operating.  You can run one or the other,
>but not both.  Once I discovered this, I asked Freedom's tech
>support about it, and they confirmed my observation.  

The latest update (April 2000) of the program (ver 1.2?) allows you to 
better configure things if you already have a firewall in place.
-- 
Robert Guerra <[EMAIL PROTECTED]>
WWW Page <http://www.geocities.com/CapitolHill/3378>
Crypto & PGP Page <http://crypto.yashy.com/www>

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,comp.security.pgp.tech
Subject: Re: How does PGP passphrase produce the session key ?
Date: Sun, 07 May 2000 23:29:41 GMT



Clive Jones wrote:
> 
> In article <[EMAIL PROTECTED]>,
> Tom St Denis  <[EMAIL PROTECTED]> wrote:
> >He is talking about conventional encryption which has nothing to do with
> >that.  Basically all you do is this.
> >
> >K' = MD5(password + salt)
> >K = F(K')
> >
> >Where F() is some non-linear function of K' to make the n-bit K.
> 
> Where the hash output size is less than the required key size, I
> believe the key is actually generated from:
>   MD5(salt + password) + MD5(salt + zero_byte + password)

I would just chain it until you get enough bits, like

O[0] = salt
for i = 1 to n
    O[i] = MD5(i + O[i - 1] + password)

Which is basically a counter mode hash output.

Tom
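Both expansions discussed in this thread, Clive's two-hash concatenation and Tom's chained counter-mode construction, as an added example that is neither PGP's code nor the posters' own; the 168-bit 3DES target is the figure quoted upthread, and the byte encoding of the counter is an assumption. Neither construction iterates the hash, which is what modern passphrase KDFs add to slow down guessing.

```python
"""Stretching a 128-bit MD5 output to a longer key (168 bits for 3DES).

Added example implementing the two constructions described in the thread.
"""
import hashlib


def expand_zero_prefix(passphrase: bytes, salt: bytes, key_len: int) -> bytes:
    """Clive's description: MD5(salt + pw) + MD5(salt + 0x00 + pw) + ...

    Generalised so that block i hashes salt, i zero bytes and the
    passphrase; two blocks already cover a 21-byte (168-bit) 3DES key.
    """
    out = b""
    i = 0
    while len(out) < key_len:
        out += hashlib.md5(salt + b"\x00" * i + passphrase).digest()
        i += 1
    return out[:key_len]


def expand_chained(passphrase: bytes, salt: bytes, key_len: int) -> bytes:
    """Tom's chain: O[0] = salt, O[i] = MD5(i + O[i-1] + password).

    Assumption: the counter i is serialised as a 4-byte big-endian integer
    (the post does not say how i is encoded).
    """
    out = b""
    prev = salt
    i = 1
    while len(out) < key_len:
        prev = hashlib.md5(i.to_bytes(4, "big") + prev + passphrase).digest()
        out += prev
        i += 1
    return out[:key_len]


DES3_KEY_LEN = 21  # 168 bits, the size quoted in the thread

if __name__ == "__main__":
    pw = b"correct horse battery staple"          # constructed sample input
    salt = bytes(range(8))
    print("zero-prefix:", expand_zero_prefix(pw, salt, DES3_KEY_LEN).hex())
    print("chained:    ", expand_chained(pw, salt, DES3_KEY_LEN).hex())
```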

------------------------------

From: [EMAIL PROTECTED]
Crossposted-To: alt.security.pgp,comp.security.pgp.tech
Subject: Re: How does PGP passphrase produce the session key ?
Date: Sun, 07 May 2000 23:20:06 GMT

In article <o_hR4.13146$[EMAIL PROTECTED]>,
  "Thierry FALISSARD" <[EMAIL PROTECTED]> wrote:
> I know the passphrase is hashed to produce the session key

Passphrase is hashed to produce the private key.
I do not believe the passphrase has anything to do with the session key
other than the fact the private key is used to encrypt the session key.



------------------------------

From: Pred. <[EMAIL PROTECTED]>
Subject: Re: RC5 question
Date: Sun, 07 May 2000 23:15:58 GMT


>It means given as many words as you want (not all of them) getting any
>other is hard to do reliably.

Hard to do or impossible (by other means than brute force) ?



------------------------------

From: [EMAIL PROTECTED] (Clive Jones)
Crossposted-To: comp.sys.acorn.misc
Subject: Re: Fresco transmits my name (was: Spammed after just visiting a site)
Date: 8 May 2000 00:17:23 +0100

In article <[EMAIL PROTECTED]>,
James MacDonald  <[EMAIL PROTECTED]> wrote:
>Moore's Law won't last forever.

It would be a brave man that attempted to predict when it will cease
to hold. How many decades has it worked for, now?

>If it's not limited by time, after a few iterations it begins to suggest
>the impossible. Silicon is limited in what you can do with it. Eventually, 
>you will reach a ceiling on performance [...]

Moore's Law has survived many fundamental changes in the nature of
computer hardware that had not been dreamed of when it was first put
forward. I expect it to survive many more.

People are messing around with electron corrals, quantum computing,
optical computing, and so on. Maybe they'll come to something. Maybe
someone will have a better idea any day now.

>It's certain that computing power will advance over time. But not necessarily
>in silicon. Moore's Law takes no account of other yet-to-be-discovered forms
>of computing that may not involve transistor technology.

Oh, but it does. (-8

--Clive.

------------------------------

From: [EMAIL PROTECTED] (Clive Jones)
Crossposted-To: comp.sys.acorn.misc
Subject: Re: Fresco transmits my name (was: Spammed after just visiting a site)
Date: 8 May 2000 00:25:33 +0100

In article <[EMAIL PROTECTED]>,
James MacDonald  <[EMAIL PROTECTED]> wrote:
>                                                      you can't prove via
>a cryptographic chain of trust that you are Mark Wooding of NSICT and not
>Agent Spook of the NSA if you generate your own key

It's a bit manual, but you can at least give out the CA key, signed by
your PGP key.

If a small clique wants to use SSL, this could be the best way.

--Clive.

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: sboxgen update
Date: Sun, 07 May 2000 23:43:05 GMT

Working on my one good sbox maker program sboxgen.c, I added a Bit
Independence Criterion test.

If I understand BIC properly the xor of any nx1 function should be
non-linear for it to pass BIC for any pair of unique functions in a
sbox.  If the input is 'n' bits I look for a max absolute WT value of
2^(n-2) which (if I get this all) is ideally non-linear.

You can fetch the code at:
http://www.tomstdenis.com/sboxgen.c

I will read up on the FWT more and see if it will be more applicable to
my program than the WT.  I assume the FWT is faster right?

Tom
--
Want your academic website listed on a free websearch engine?  Then
please check out http://tomstdenis.n3.net/search.html, it's entirely
free
and there are no advertisements.
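An added example covering both the "hardware sboxes" thread (shuffle a permutation, then test the whole box) and the BIC/WT question in this post: a fast Walsh transform, a nonlinearity measure, an SAC check and the pairwise-XOR BIC test, wrapped in Tom's shuffle-then-test loop. It is not sboxgen.c; the function names are mine, and the published PRESENT S-box is used only as a known-good input.

```python
"""Walsh-transform, SAC and BIC checks for 4x4 S-boxes, plus the
shuffle-then-test search loop. Added example, not sboxgen.c itself.
"""
import random
from itertools import combinations

N = 4              # input bits of the S-box
SIZE = 1 << N


def component(sbox, bit):
    """Truth table of output bit `bit`: one of the n x 1 functions."""
    return [(sbox[x] >> bit) & 1 for x in range(SIZE)]


def walsh_spectrum(f):
    """W(w) = sum_x (-1)^(f(x) ^ <w,x>) for every mask w, via the fast
    Walsh transform (FWT): O(n 2^n) butterflies instead of O(4^n)."""
    w = [1 - 2 * v for v in f]
    h = 1
    while h < SIZE:
        for i in range(0, SIZE, 2 * h):
            for j in range(i, i + h):
                a, b = w[j], w[j + h]
                w[j], w[j + h] = a + b, a - b
        h *= 2
    return w


def nonlinearity(f):
    """Distance to the nearest affine function: 2^(n-1) - max|W| / 2.
    Bent functions reach max|W| = 2^(n/2) (4 for n = 4) but are never
    balanced, and every output bit of a bijection is balanced, so a
    component of a 4x4 permutation can do no better than max|W| = 8."""
    return (SIZE - max(abs(v) for v in walsh_spectrum(f))) // 2


def satisfies_sac(f):
    """Strict avalanche: flipping any one input bit changes the output
    for exactly half of all inputs."""
    return all(sum(f[x] ^ f[x ^ (1 << b)] for x in range(SIZE)) == SIZE // 2
               for b in range(N))


def passes_bic(sbox, min_nl):
    """Tom's BIC reading: the XOR of every pair of distinct output bits
    must itself be nonlinear (nonlinearity >= min_nl)."""
    return all(nonlinearity([p ^ q for p, q in zip(component(sbox, i),
                                                    component(sbox, j))]) >= min_nl
               for i, j in combinations(range(N), 2))


def is_good_sbox(sbox, min_nl, require_sac):
    """Test the whole box at once instead of one n x 1 function at a time."""
    comps = [component(sbox, b) for b in range(N)]
    if any(nonlinearity(c) < min_nl for c in comps):
        return False
    if require_sac and not all(satisfies_sac(c) for c in comps):
        return False
    return passes_bic(sbox, min_nl)


def search_sbox(min_nl=4, require_sac=False, max_tries=20000, seed=0):
    """Shuffle 0..15 into a random permutation (bijectivity comes for free)
    and keep the first one that passes. Returns (sbox, tries) or (None, tries)."""
    rng = random.Random(seed)
    sbox = list(range(SIZE))
    for tries in range(1, max_tries + 1):
        rng.shuffle(sbox)
        if is_good_sbox(sbox, min_nl, require_sac):
            return list(sbox), tries
    return None, max_tries


# The PRESENT cipher's S-box: a published 4x4 box, used as a known-good input.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

if __name__ == "__main__":
    box, tries = search_sbox(min_nl=4)
    print("found" if box else "gave up", "after", tries, "tries:", box)
```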

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: RC5 question
Date: Sun, 07 May 2000 23:50:45 GMT



"Pred." wrote:
> 
> >It means given as many words as you want (not all of them) getting any
> >other is hard to do reliably.
> 
> Hard to do or impossible (by other means than brute force) ?

It's certainly not impossible, just very hard to do.  There are no known
attacks on the RC5 key schedule.

Tom

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: mod function?
Date: Sun, 07 May 2000 23:58:02 GMT



[EMAIL PROTECTED] wrote:
> 
> In article <[EMAIL PROTECTED]>, Mok-Kong Shen 
><[EMAIL PROTECTED]> writes:
> >
> >
> > [EMAIL PROTECTED] wrote:
> >
> >>
> >>
> >> At the risk of oversimplifying, the debate is between:
> >>
> >> mod ( 8, 3 ) = 2        ( 8 has remainder 2 when divided by 3)
> >> mod ( 4, 3 ) = 1        ( 4 has remainder 1 when divided by 3)
> >>
> >> and
> >>
> >> mod ( 8, 4, 3 ) = false ( 8 and 4 do not have the same remainder when
> >>                           divided by 3 )
> >> mod ( 8, 5, 3 ) = true  ( 8 and 5 have the same remainder when divided
> >>                           by 3 )
> >>
> >> In the first case, we're talking about a function with two arguments
> >> that returns a result of the same type as the operands.
> >>
> >> In the second case we're talking about a function with three arguments
> >> that returns a boolean result.
> >
> > Thanks for the clarification. I am afraid that the three argument mod
> > function is at least largely unknown (not previously used) in mathematics
> >...
> 
> On the contrary.  The primary meaning of "modulus" in mathematics is
> in the second sense.  Though a mathematician would rarely be caught using
> it as a function of three variables.  A mathematician would be more
> likely to use a notation like:
> 
>         8 = 5 modulo 3
> 
> Where the "modulo 3" part is read as an alteration to the equality operator.

Actually it means just this

        8 = 5 + 3q

Of course 8 mod 3 = 2, not 5.

Tom

------------------------------

Crossposted-To: comp.sys.acorn.misc
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Fresco transmits my name
Reply-To: [EMAIL PROTECTED]
Date: Sun, 7 May 2000 23:26:29 GMT

In sci.crypt David J. Ruck <[EMAIL PROTECTED]> wrote:
: In article <[EMAIL PROTECTED]>, Tim Tyler
: <URL:mailto:[EMAIL PROTECTED]> wrote:
:> In sci.crypt David J. Ruck <[EMAIL PROTECTED]> wrote:

:> : At any time chip manufacturers can generally produce a very small yield of 
:> : CPUs running at double or more the normal clock rate [...] but this
:> : will have no impact whatsoever on key cracking. The sort of things
:> : the NSA have are hypercubes of 30,000 (possibly a lot more now) general
:> : processors for brute force cracking, and specialist super computers
:> : with ALUs optimised for certain algorithms and mathematical functions
:> : such as factorisation.
:> 
:> My understanding is that none of this is remotely likely to help
:> with a straightforward search through a 2^128 keyspace.  That makes
:> this particular possibility one of the most /unlikely/ ones, IMO.

: If you are truly dealing with a 2^128 keyspace, in most cases only 40 bits
: will be unknown (any US exported encryption software) and that can be broken
: in a matter of hours by such equipment.

I was assuming "128-bit SSL" was intended to refer to 128 bit keys.
If 40-bit keys are being used, the discussion seems rather pointless.

: As Mark Wooding shows in his post *true* large keys are effectively
: impossible to break with the current level of technology.

I don't think he showed anything like that.  He asked which points people
felt were weak.  While the possibility of brute-forcing a 128-bit keyspace
appears remote, the possibility of breaks in either the public cypher or
the symmetric one appear to me to be less unlikely.
-- 
__________  Lotus Artificial Life  http://alife.co.uk/  [EMAIL PROTECTED]
 |im |yler  The Mandala Centre   http://mandala.co.uk/  Be good, do good.

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
