Cryptography-Digest Digest #47, Volume #12 Fri, 16 Jun 00 21:13:00 EDT
Contents:
Re: Extending LFSR...... (Joaquim Southby)
Re: oneway encryption for password (tomstd)
Re: Evidence Eliminator Dis-Information Center (tomstd)
Re: Extending LFSR...... (tomstd)
Re: small subgroups in Blum Blum Shub (Terry Ritter)
Re: Extending LFSR...... ("Brian McKeever")
Re: oneway encryption for password (John Savard)
Re: oneway encryption for password (Sisson)
Re: oneway encryption for password (tomstd)
Re: small subgroups in Blum Blum Shub (Bryan Olson)
Re: oneway encryption for password (Sisson)
Re: Comments/analysis requested: stream cipher derived from hash (David Hopwood)
RC4 key schedule weaknesses (was Re: salt length?) (David Hopwood)
Re: small subgroups in Blum Blum Shub (Terry Ritter)
----------------------------------------------------------------------------
From: Joaquim Southby <[EMAIL PROTECTED]>
Subject: Re: Extending LFSR......
Date: 16 Jun 2000 23:35:01 GMT
In article <8idjc1$srt$[EMAIL PROTECTED]> Simon Johnson,
[EMAIL PROTECTED] writes:
> The first question that struck me when i started reading about
>these is why mod 2? Surely if we picked another prime modulo we could
>find this primitive & irreducible polynomials, the max-period math
>should still work right?
>
>e.g. for a mod 257 system we could use:
>
>x^127 + x^17 + x^31 + x^2 mod 257
>
>would work out to be maximum length, and have a minimum period of
>257^127 where each element of the shift register has a maximum value of
>256?
>
>Does this actually work, or am i just sprinkling fairy dust?
>
I would have a couple of questions on how to convert the primitive
polynomial into use on the LFSR:
1) Since you are now using a modulo higher than 2, the coefficients of
each term in the primitive polynomial can be greater than 1. Since the
tap sequence of the LFSR is taken from the exponents, would there be a
difference in performance between two polynomials that have the same
exponents but different coefficients? (E.g., 215x^127 + 3x^17 + 7 mod
257 vs. 5x^17 + 111x^17 + 255 mod 257)
2) How is the feedback function implemented? It seems intuitive that it
would be the sum of the tap values mod n, but my intuition is often wrong.
------------------------------
Subject: Re: oneway encryption for password
From: tomstd <[EMAIL PROTECTED]>
Date: Fri, 16 Jun 2000 16:36:04 -0700
Sisson <[EMAIL PROTECTED]> wrote:
>hi,
>
>this all seems too hard... i don't understand it. i thought it
would an easy
>stepbystep encryption like RSA.
>
>i've got an idea for altering RSA to fit my needs though...
probably doesn't
>work. well, when creating an RSA public key, you must pick e,
and n is
>defined as the product of two primes, p&q. but what would
happen if you made
>n=7. then there would be no private key, and therefore there
would be no way
>of deciphering it... which is just what i want, isn't it?
>
>just encipher all the passwords... n could even equal the xth
prime, x being
>the day of the year (1-365). then if someone intercepted the
enciphered
>password, they could never find out the original password, and
effectively
>the enciphered password would change each day, and therefore
they couldn't
>foreword the enciphered password they found few days back...
>
>Is my reasoning correct, or there a massive flaw in my argument?
>
Um yea. Your idea is similer to Pohlig-Hellman Encryption which
is a variation of RSA, which is symmetric not asymmetric. The
idea is:
Find a large prime (>768 bits) called "p" and two values d, e
such that "de = 1 mod (p - 1)". Then to encrypt you use
C = P^e mod p
and to decrypt
P = C^d mod p
However, just by throwing away 'd' you can't make this system
secure. If you give out 'e' I can find 'd' easily. Also if you
use relatively small primes (like you suggested) it's trivially
breakable.
RSA on the otherhand only works when your modulus is composite
since it's believed the security is based on the intractability
of finding the inverse exponent (thus the order of the group, or
the prime factors). Even still RSA with moduli under 768 bits
is a really bad idea.
Tom
Got questions? Get answers over the phone at Keen.com.
Up to 100 minutes free!
http://www.keen.com
------------------------------
Subject: Re: Evidence Eliminator Dis-Information Center
From: tomstd <[EMAIL PROTECTED]>
Crossposted-To:
alt.privacy,alt.privacy.anon-server,alt.security.pgp,comp.security.firewalls
Date: Fri, 16 Jun 2000 16:40:23 -0700
[EMAIL PROTECTED] wrote:
> First excuse me for posting on top.
>
> Let me just say that once in a while a program comes
along that can
>under the "right" circumstances make you HUMBLE like a newbie ,
and after
>reading this thread I downloaded it and ran it, while setting
it up I changed
>the DEFAULT of Netscape to my D drive and along the way I F**d
up BIG time I
>left a entry pointing to the root of d:\netscape and needless
to say I had
>NOT backed up in a BIG while ALL MY FAULT of course BUT I
almost cried I
>lost my Bookmarks and mail that was saved with passwords for
programs I've
>bought for the last 1 1/2 year I'm a humble man
again........now to email
>companies to get those passwords again!..... I just backed up
my documents
>recently and forgot once again to back up Netscape! ALL THE
BACKUPS I DO AT
>WORK EVERY DAY .........................it's a bitch getting
old!!!!!
>
> It's the BEST program I've used in a while it really
wipes good.
>
>be careful and as the old adage goes back up before using.......
>
Pardon me for saying this, but you are seriously in need of help.
I can't phantom a reason why any compotent person would go about
saying "I feel like wiping my hard disk today". Maybe you are
just playing too much with your computer. I mean I could goto
dos and type "FORMAT C:\" just to find out what it does... Or I
Could not.
Seek help my friend.
And to the other paranoids who think EE will save their day...
NOBODY CARES. I personally don't care what some faceless drone
has on their HD much more then I care to see fly mate.
If you have naughty files be smart and keep them on a floppy or
don't run FTP/HTTP daemons...
Tom
Got questions? Get answers over the phone at Keen.com.
Up to 100 minutes free!
http://www.keen.com
------------------------------
Subject: Re: Extending LFSR......
From: tomstd <[EMAIL PROTECTED]>
Date: Fri, 16 Jun 2000 16:47:01 -0700
Joaquim Southby <[EMAIL PROTECTED]> wrote:
>In article <8idjc1$srt$[EMAIL PROTECTED]> Simon Johnson,
>[EMAIL PROTECTED] writes:
>> The first question that struck me when i started reading
about
>>these is why mod 2? Surely if we picked another prime modulo
we could
>>find this primitive & irreducible polynomials, the max-period
math
>>should still work right?
>>
>>e.g. for a mod 257 system we could use:
>>
>>x^127 + x^17 + x^31 + x^2 mod 257
>>
>>would work out to be maximum length, and have a minimum period
of
>>257^127 where each element of the shift register has a maximum
value of
>>256?
>>
>>Does this actually work, or am i just sprinkling fairy dust?
>>
>I would have a couple of questions on how to convert the
primitive
>polynomial into use on the LFSR:
>
>1) Since you are now using a modulo higher than 2, the
coefficients of
>each term in the primitive polynomial can be greater than 1.
Since the
>tap sequence of the LFSR is taken from the exponents, would
there be a
>difference in performance between two polynomials that have the
same
>exponents but different coefficients? (E.g., 215x^127 + 3x^17
+ 7 mod
>257 vs. 5x^17 + 111x^17 + 255 mod 257)
>
>2) How is the feedback function implemented? It seems
intuitive that it
>would be the sum of the tap values mod n, but my intuition is
often wrong.
This is all wrong mathematically. Now I must caution I am new
here too.
But LFSRs are not based on "tap sequences" they are based on
primitive elements in GF(2^n) (n is the size of the lfsr in
bits). Similar to the fact that 45 is a primitive element in GF
(257). If you did 45 * 45 * ... * 45 you would eventually cycle
thru all elements.
Similar if you have a polynomial let's say x^4 + x + 1, and did
(x^4 + x + 1) * (x^4 + x + 1) ... you would cycle thru all
polynomials in GF(2^4) except the all zero polynomial.
One thing that confuses me is that x^4 + x + 1 is a 4-bit lfsr
(let's say it is...) what is the degree of the modulus? x^5? I
always thought that polynomials in GF(2^n) could have a degree
of at most (n-1) for example in sboxes of x^-1 mod p in GF(2^n)
the maximum degree of any element of the sbox is (n-1).
This would mean that 4 bit lfsr either have a degree of upto 3
or it's in GF(2^5)? i am loss.
At anyrate I think for the case of GF(p^n) you just need a
primitive polynomial modulo a irreductible polynomial in GF
(p^n+1) to make it work...
Tom
Got questions? Get answers over the phone at Keen.com.
Up to 100 minutes free!
http://www.keen.com
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: small subgroups in Blum Blum Shub
Date: Fri, 16 Jun 2000 23:51:10 GMT
On 16 Jun 2000 23:00:30 -0000, in
<[EMAIL PROTECTED]>, in sci.crypt lcs Mixmaster
Remailer <[EMAIL PROTECTED]> wrote:
>> Please define "breaking". :) To me, being able to guess the upcoming
>> bits with probability 1 because you already saw them earlier in the
>> cycle, *that* spells "broke". I don't know how I would go backwards from
>> knowing the sequence to knowing the factorization, but I do know I could
>> guess upcoming bits quite easily. :)
>
>Take a look at:
>http://x61.deja.com/[ST_rn=ps]/getdoc.xp?AN=572282072
I saw that when it came out, and a short summary is:
"it follows from the RSA assumption that finding short cycles is
impossible, for moduli large enough that factorization is
intractable."
and
"The advice to choose moduli with guaranteed long cycles, and to
choose seeds that way, is completely useless."
Oddly for useless advice, the last 2/3 of the BB&S published article
concerns just this issue. The response involves forming a special
construction for N which is guaranteed to have long cycles of a
computable length, and then finding an algorithm to traverse those
cycles of known length, to show that a long cycle has been selected.
Now, did Blum, Blum and Shub simply get carried away with their own
math abilities? Shall we assume that they were they so unaware of
their first results that they simply did not understand that 2/3 of
their work was "useless"?
The world gasps at such arrogance.
>It shows a way to factor RSA moduli if you can find short BBS cycles
>(or any cycles for that matter).
The cycles in an arbitrary primes construction will have various
lengths, but as far as I know, there are always some cycles of length
1 (which I call "degenerate"). I doubt they will be much help in
factoring N. But they undoubtedly *are* the weakest possible
"sequence" (which would be, in practice, a "constant").
It may be that some of those on the other side have not really
understood the weakness of a short cycle. BB&S type systems probably
would be used as the generator of the confusion sequence for stream
ciphers. The stream cipher requires its sequence to be random-like,
and *ALSO* to not repeat. But if the BB&S happens to be on a short
cycle, it *will* repeat, and *that* is a weakness. Sufficiently short
cycles *are* weak, and there simply is nothing to debate about it.
>It would be a miracle if we could get agreement on this issue though.
>Every time it comes up, the falsehoods fly.
Then I suggest that you follow the discussion and point out those
falsehoods in detail. That will be tricky for you, though, because
you are on the wrong side.
As I see it, the principle falsehood here is the suggestion that the
discussion pertains to practical security. It does not. In practice,
selecting a short cycle would indeed be very, very unlikely. But
"unlikely" is *not* the same as "impossible."
Instead, the discussion here is about the concept of "proof" itself:
I claim that if it is *POSSIBLE* to select a short cycle, it should be
self-evident that any *proof* of security must be false. The
alternative is a clear logic error -- an actual reasoning fault.
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
From: "Brian McKeever" <[EMAIL PROTECTED]>
Subject: Re: Extending LFSR......
Date: Fri, 16 Jun 2000 16:54:51 -0700
"tomstd" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> You have to be careful with notation. If you want to use
> another base other then 2 your new polynomial is in GF(p^n)
> where p is a positive prime. For example GF(257^3) has a
> primitive polynomial "244x^3 + 131x^2 + 134x + 172".
Well, I think you are saying something different from what he's saying. In
both of your exmaples, the polynomials are over GF(257) (the coefficients
come from this field). While it is true that a representation of GF(p^n)
can be obtained from an irreducible nth degree polynomial over GF(p), this
is not exactly relevent (at this point).
> But you lose all the nice computer related properties when you
> use this as a basis for a new field. In GF(2^n) each cofficient
> takes a single bit, but in GF(257^n) each cofficient takes 9
> bits (0..256).
This is indeed the case.
> I am not sure about alot of the theory on LFSRs but it looks
> like they are just multiplying the LFSR by a primitive element
> in the field (degree higher then the size of the LFSR) to make
> the LFSR. In this case you would have to change simple addition
> from XOR to addition modulo 257, and multiplication would be a
> bit messier (you would use a index based shifting instead of a
> logical shift).
>
> Any thoughts about the period?
All the theorems still apply - primitive polynomial implies a period of
p^n -1 (and the zero fixed point).
> tom
Brian
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: oneway encryption for password
Date: Sat, 17 Jun 2000 00:19:54 GMT
On Fri, 16 Jun 2000 06:26:24 GMT, Sisson <[EMAIL PROTECTED]>
wrote, in part:
>so where are the details of how to implement SHA-1 hash? is there a website i
>should goto?
My web site describes SHA-1; however, for passwords, it would
generally be considered overkill. Using the password as a DES key to
encrypt a constant value or a modified form of itself is probably
sufficient for most applications.
John Savard (teneerf <-)
http://www.ecn.ab.ca/~jsavard/
------------------------------
From: Sisson <[EMAIL PROTECTED]>
Subject: Re: oneway encryption for password
Date: Sat, 17 Jun 2000 00:30:52 GMT
tomstd wrote:
> Um yea. Your idea is similer to Pohlig-Hellman Encryption which
> is a variation of RSA, which is symmetric not asymmetric. The
> idea is:
>
> Find a large prime (>768 bits) called "p" and two values d, e
> such that "de = 1 mod (p - 1)". Then to encrypt you use
>
> C = P^e mod p
>
> and to decrypt
>
> P = C^d mod p
>
> However, just by throwing away 'd' you can't make this system
> secure. If you give out 'e' I can find 'd' easily. Also if you
> use relatively small primes (like you suggested) it's trivially
> breakable.
>
> RSA on the otherhand only works when your modulus is composite
> since it's believed the security is based on the intractability
> of finding the inverse exponent (thus the order of the group, or
> the prime factors). Even still RSA with moduli under 768 bits
> is a really bad idea.
ok, fine then! i believe you are correct, but say i encrypt a number
using my system, could you crack it? u say its trivial
C=M^e (mod N) e=7, n=13, M=plaintext, C=ciphertext
the ciphertext is 122
Challenge: find the plaintext. normally you would go about this by
finding n's prime factors... but there aren't any!
>From Spendabuck
------------------------------
Subject: Re: oneway encryption for password
From: tomstd <[EMAIL PROTECTED]>
Date: Fri, 16 Jun 2000 17:24:16 -0700
[EMAIL PROTECTED] (John Savard) wrote:
>On Fri, 16 Jun 2000 06:26:24 GMT, Sisson
<[EMAIL PROTECTED]>
>wrote, in part:
>
>>so where are the details of how to implement SHA-1 hash? is
there a website i
>>should goto?
>
>My web site describes SHA-1; however, for passwords, it would
>generally be considered overkill. Using the password as a DES
key to
>encrypt a constant value or a modified form of itself is
probably
>sufficient for most applications.
Um what do you think LOPHT crack is? I would use a salt of some
sort to thwart dictionary style attacks.
Or perhaps use a hash ,... hehehe
Tom
Got questions? Get answers over the phone at Keen.com.
Up to 100 minutes free!
http://www.keen.com
------------------------------
From: Bryan Olson <[EMAIL PROTECTED]>
Subject: Re: small subgroups in Blum Blum Shub
Date: Sat, 17 Jun 2000 00:22:47 GMT
Terry Ritter wrote:
>
> Nicol So
>
> >Terry Ritter wrote:
> >>
> >> lordcow77
> >> >Essentially, the existence of exploitable cycles in BBS would
> >> >neccesarily lead to an efficient algorithm for decomposing RSA
> >> >moduli into primes. As such, if you believe that the factoring
> >> >of numbers in that range is a difficult problem, you need not
> >> >loose sleep over the miniscule probability that you will land in
> >> >a short cycle. The nonsense about choosing "strong primes" or
> >> >good initialization values is a remnant to the past where it was
> >> >thought that a relatively small prime (if well chosen) would be
> >> >adaquately strong.
> >>
> >> I think your interpretation is wrong, and I recommend the BB&S
paper
> >> to you:
> >>
> >> Blum, L., M. Blum and M. Shub. 1983. Comparison of Two
Pseudo-Random
> >> Number Generators. Advances in Cryptology: CRYPTO '82 Proceedings.
> >> Plenum Press: New York. 61-78.
[...]
> >lordcow77's interpretation is correct. The safety of using randomly
> >chosen primes of appropriate sizes is built into the underlying
> >intractability assumption. To put things in perspective, the whole
point
> >of using cryptography is to reduce the probability of "bad things
> >happening" to some acceptably low level, say 2^{-L} for some
> >sufficiently large L. (There's no defense against dumb luck on the
part
> >of the adversary). Not using special primes may affect the value of L
> >for a given choice of security parameter (so you may have to adjust
your
> >security parameter), but it does not affect the asymptotic behavior
of
> >security as a function of the security parameter.
>
> "To put things in perspective," I suggest you try to follow my
> reasoning before trying to refute it.
I think you didn't understand lordcow77's or Nicol So's
reasoning. They are correct. The long-cycle analysis in
the BBS paper is interesting but not the major result.
> As you would have seen had you actually read and understood my
> comments, the statement in question was:
>
> >> >The nonsense about choosing "strong primes" or
> >> >good initialization values is a remnant to the past where it was
> >> >thought that a relatively small prime (if well chosen) would be
> >> >adaquately strong.
>
> And that is nonsense. I am unaware of any such "thoughts." Exactly
> where do you disagree, and what is your evidence?
You are unaware of the refutation of the notion of "strong
primes" for factorization-based systems? The logic here is
the same: we do not worry about special cases, other than to
choose our keys so that they are of negligible probability.
Falling into a short cycle from a random starting point is
no more likely than falling into a factorization. The major
result of the BBS paper is that prediction of the sequence
is intractable under the assumption that factoring the
modulus is also intractable.
> On the other hand, the larger question of X^2 mod N security (not part
> of my earlier comments) is swept under your asymptotic rug. But real
> systems are *not* asymptotic. All real BB&S systems *do* have short
> cycles. And short cycles *are* weak. Yes, it is unlikely to select a
> short cycle at random. But unless the BB&S prescriptions are
> followed, that is *only* "unlikely" and *not* "impossible." In
> contrast, the BB&S prescriptions *guarantee* that one does not use a
> short cycle, and that is a qualitative difference.
Users of a broken system don't care if the system was broken
by calculating the state or finding a cycle. We cannot
reduce the chance of failure to zero, so we settle for
vanishingly unlikely.
On a different issue, the weakest point in the "proof" of
security is of course the assumption of the intractability
of factoring.
> As I see it, the issue is *not* strength in practice, it is instead
> the claim to have a provably secure system. I think we can accept
> that all cryptography is vulnerable to opponents choosing the right
> key at random. But I claim that no system can be provably secure if
> it includes the possibility of selecting and using weakness, no matter
> how small that possibility may be.
That's a misunderstanding of the consequent of the proof.
BBS does not provide a proof of a secure system in that
sense whether one filters for cycle length or not.
If we cannot tolerate any chance of "using weakness, no
matter how small", then we must join the newbies who object
to the one-time pad on the grounds that a truly random pad
*might* be all zero.
--Bryan
--
email: bolson at certicom dot com
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: Sisson <[EMAIL PROTECTED]>
Subject: Re: oneway encryption for password
Date: Sat, 17 Jun 2000 00:38:16 GMT
Whoops!
Sisson wrote:
> C=M^e (mod N) e=7, n=13, M=plaintext, C=ciphertext
> the ciphertext is 122
WRONG! the ciphertext is 7.
did an error in my calculations. also, you can't use bruteforce to break
it, because n would equal a huge prime in the actual tests...
>From Spendabuck
------------------------------
Date: Fri, 16 Jun 2000 20:41:20 +0100
From: David Hopwood <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Crossposted-To: sci.crypt.random-numbers
Subject: Re: Comments/analysis requested: stream cipher derived from hash
=====BEGIN PGP SIGNED MESSAGE=====
Benjamin Goldberg wrote:
> Tim Tyler wrote:
> > OTOH, if H contains a small quantity of entropy, you can /potentially/
> > defeat an attacker who has learned the state by accumulating the
> > entropy - and then performing the infamous "catastrophic reseeding".
> >
> > If you dripple the entropy into the system as you go along then the
> > attacker can perform the "state following" attack to maintain his
> > knowledge of the internal state by repeated guesswork.
>
> I have a PRNG which has 260 words of state, and each call uses 8 words,
> changes 5 words, and outputs one word. If my 'dribble' of state isn't
> added where it directly affects a particular call, I don't think an
> attacker can use repeated guesswork.
I haven't looked at your RNG in detail, but in principle this can be
correct. OTOH, it makes the resistance to state following attacks quite
difficult to analyse, because it depends on the detailed design of the
RNG. If you add entropy in chunks large enough that each chunk cannot be
guessed, then it is much more obvious that state following is prevented,
almost regardless of the RNG structure.
- --
David Hopwood <[EMAIL PROTECTED]>
PGP public key: http://www.users.zetnet.co.uk/hopwood/public.asc
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5 0F 69 8C D4 FA 66 15 01
=====BEGIN PGP SIGNATURE=====
Version: 2.6.3i
Charset: noconv
iQEVAwUBOUqChzkCAxeYt5gVAQH1aggAzL/G+rbQBQLLRbTCuI+Lwu8VdNBskS7L
qWALOwqjNCxrT/7gcEL84KDuNcuqWCczdVpL5ePewAaVoR4hlD3aMz11Yu5uCMQT
fiPzn5qu2HvvcDoMQsm13vrdI7A52yBbGpjJu3TuY2bqU8k9G63w3gbs0KVDnHj0
U47sk3/0ZK/R0xKp3f0G/UG653N2hf/60jdTojeH+fjXm88dUZsvKYFsheCohPhx
KMiia/idx7TW7PEGkyXCEv5iEd+LMySe4BN911iDQHIvIVqc0CFLruprWxYpZog7
rkRqsJN05cZ+IQs8K+Yh9XcSklySnd+4MvY5S99MwSzGQ3dAkDKv6Q==
=PLy3
=====END PGP SIGNATURE=====
------------------------------
Date: Fri, 16 Jun 2000 21:29:28 +0100
From: David Hopwood <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: RC4 key schedule weaknesses (was Re: salt length?)
=====BEGIN PGP SIGNED MESSAGE=====
Rex Stewart wrote:
> Could you (or anyone) give me a referance to something on
> the problems with the RC4's keyschedule problems?
Andrew Roos <[EMAIL PROTECTED]>,
A Class of Weak Keys in the RC4 Stream Cipher,
Preliminary draft, November 1997.
http://www.tik.ee.ethz.ch/~mwa/RC4/WeakKeys.txt
David Wagner,
Subject: Re: Weak Keys in RC4,
Posting to sci.crypt, September 26 1995.
(Message-ID: <447o1l$[EMAIL PROTECTED]>)
http://www.cs.berkeley.edu/~daw/my-posts/my-rc4-weak-keys
J. Kelsey, B. Schneier, D. Wagner,
"Key-Schedule Cryptanalysis of 3-WAY, IDEA, G-DES, RC4, SAFER, and
Triple-DES",
Advances in Cryptology - Crypto '96 Proceedings, pp. 237-251.
Springer-Verlag, August 1996.
http://www.counterpane.com/key_schedule.html
BTW, these references come from
http://www.users.zetnet.co.uk/hopwood/crypto/scan/
- --
David Hopwood <[EMAIL PROTECTED]>
PGP public key: http://www.users.zetnet.co.uk/hopwood/public.asc
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5 0F 69 8C D4 FA 66 15 01
=====BEGIN PGP SIGNATURE=====
Version: 2.6.3i
Charset: noconv
iQEVAwUBOUqOBjkCAxeYt5gVAQGtJwf9HyC6UfURw49/WufI/ltk1CBxqcplwTJJ
zq6HvQYFpVe181r89ihlqxycxmkjkI/6a1d0iXXm4NnhdmWE1ZNgndZJPNIbHym4
A9m9s0feiLTUDCjVTITxKj/bgr32WJbE1OTGIwhazZJc+J7Jtq/87Q2Qjt9JBnPO
Y3bEPNaEWa2T2hMEsogdiyj/OC3Elt5Lvjxzzfy40m9EIEF4AETX/9XS+hszZ23v
fdOyiPYlhMYH1nOMEAslQir78TuRgS6cGp38oj6b2Wz/puMuXrhvTtTltCl3QD0K
EZxeqYXZsBTPUyZzld/zRuB7IP63gJHa3IBjRAAchVQIHNwOQxPi9A==
=zKTV
=====END PGP SIGNATURE=====
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: small subgroups in Blum Blum Shub
Date: Sat, 17 Jun 2000 01:03:15 GMT
On Fri, 16 Jun 2000 23:51:10 GMT, in <[EMAIL PROTECTED]>,
in sci.crypt [EMAIL PROTECTED] (Terry Ritter) wrote:
>[...]
>The cycles in an arbitrary primes construction will have various
>lengths, but as far as I know, there are always some cycles of length
>1 (which I call "degenerate"). I doubt they will be much help in
>factoring N.
Looking at my old results, it appears that degenerate cycles are
located at values P and Q, and so actually might the most direct way
to factor N. If one could find them. One could not, in general.
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
