Cryptography-Digest Digest #68, Volume #14 Tue, 3 Apr 01 14:13:00 EDT
Contents:
Re: AES VS. DES (Volker Hetzer)
Royalty free use of Mars (Sami)
Re: AES VS. DES (Volker Hetzer)
Re: RC4/ARC4 in hardware. (Volker Hetzer)
Re: Dynamic Substitution infringement? (Ken Savage)
Re: GCHQ turned me away...(we didn't think they understood) (Mok-Kong Shen)
Re: Data dependent arcfour via sbox feedback (Mok-Kong Shen)
Re: Dynamic Substitution infringement? (Mok-Kong Shen)
A group ? ("Jack Lindso")
Re: GCHQ turned me away...(we didn't think they understood) (newbie)
Re: Breaking a DES encrypted code. (Matthew Skala)
Re: GCHQ turned me away...(we didn't think they understood) (John Joseph Trammell)
Matrix PK idea? ("Tom St Denis")
QS and matrix step ("Tom St Denis")
Re: keys and random ("Henrick Hellström")
Re: A group ? (Mike Rosing)
Re: GCHQ turned me away...(we didn't think they understood) (John Savard)
Re: GCHQ turned me away...(we didn't think they understood) (John Savard)
Re: Data dependent arcfour via sbox feedback (John Savard)
Re: Data dependent arcfour via sbox feedback (Terry Ritter)
Re: Matrix PK idea? (Mike Rosing)
Re: Matrix PK idea? ("Tom St Denis")
----------------------------------------------------------------------------
From: Volker Hetzer <[EMAIL PROTECTED]>
Subject: Re: AES VS. DES
Date: Tue, 03 Apr 2001 17:27:28 +0200
Tom St Denis wrote:
>
> "Volker Hetzer" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > "Douglas A. Gwyn" wrote:
> > >
> > > Volker Hetzer wrote:
> > > > There are methods better than exhaustive key search.
> > >
> > > Actually, no, not under normal circumstances.
> > So, what do you consider "normal" circumstances?
>
> A "random" 256-bit key, using the cipher in CTR mode?
We were talking DES.
Greetings!
Volker
--
They laughed at Galileo. They laughed at Copernicus. They laughed at
Columbus. But remember, they also laughed at Bozo the Clown.
------------------------------
Subject: Royalty free use of Mars
From: [EMAIL PROTECTED] (Sami)
Date: Tue, 03 Apr 2001 15:17:30 GMT
I've been trying to confirm is Mars royalty free or not, meaning am I
free to use it in a shareware application? IBM's service responds and
has been responding several times, but they simply forward my question
to the experts who seem to have time to answer.
Regards,
Sami
------------------------------
From: Volker Hetzer <[EMAIL PROTECTED]>
Subject: Re: AES VS. DES
Date: Tue, 03 Apr 2001 17:38:29 +0200
William Hugh Murray wrote:
>
> John Savard wrote:
>
> > On Tue, 03 Apr 2001 12:51:21 +0200, Volker Hetzer
> > <[EMAIL PROTECTED]> wrote, in part:
> > >"Douglas A. Gwyn" wrote:
> > >> Volker Hetzer wrote:
> >
> > >> > There are methods better than exhaustive key search.
> >
> > >> Actually, no, not under normal circumstances.
> >
> > >So, what do you consider "normal" circumstances?
> >
> > I think he meant, specifically, for DES.
> >
> > This is true; all methods for breaking single-DES with complexity less
> > than 2^56 require far larger amounts of known plaintext than is likely
> > to be obtained in practice for any one key.
> >
> > Particularly, say, if one is intercepting the radio transmissions of a
> > foreign military. You would be surprised how hard it is to transmit,
> > say, 2^32 blocks of chosen plaintext on their radios without anyone
> > noticing and changing the key.
I was under the impression that there were known plaintext attacks too.
What about other high throughput apps, like video satellite broadcasts?
Large databases on encrypted discs?
What are the current attacks and what effective keylength remains?
Once I heard the number of 47 Bit. is this for a chosen plaintext or a
known plaintext attack?
Greetings!
Volker
--
They laughed at Galileo. They laughed at Copernicus. They laughed at
Columbus. But remember, they also laughed at Bozo the Clown.
------------------------------
From: Volker Hetzer <[EMAIL PROTECTED]>
Subject: Re: RC4/ARC4 in hardware.
Date: Tue, 03 Apr 2001 17:42:21 +0200
Matt Hayes wrote:
>
> I'm aware that quite a number of people believe that the RC4 algorithm isn't
> particularly suited to hardware but the idea interests me nonetheless.
The problem is that it requires feedback and can't IMHO be pipelined.
Today I'd probably prefer AES in Counter mode for high speed apps because
it can give you 128Bit per clock cycle and you can easily have 2^n units running
in parallel if you choose the proper starting values for the counters and fix
the n least significant bits.
Greetings!
Volker
--
They laughed at Galileo. They laughed at Copernicus. They laughed at
Columbus. But remember, they also laughed at Bozo the Clown.
------------------------------
From: Ken Savage <[EMAIL PROTECTED]>
Subject: Re: Dynamic Substitution infringement?
Date: Tue, 03 Apr 2001 15:40:12 GMT
Tom St Denis wrote:
> > In a recent [still active] thread about an RC4 variant, there was some
> > discussion about what kinds of things infringe on Terry Ritter's patent.
> >
> > I would like some comments on what people believe should be covered by
> > the patent, and what shouldn't. Also, I would like to see some
> > suggestions on what might be the simplest infringing cipher or cipher
> > component.
> >
> > Here's one suggestion:
> >
> > byte mix2(byte x, byte y) {
> > static bool state = 0;
> > byte output;
> > output = state ? (x+y) : (x^y);
> > state ^= output & 1;
> > return output;
> > }
> >
> > Does this infringe on the Dyn Sub patent?
>
> I dunno but you realize that your state boolean and your mixing in the lsb
> are all xor-linear?
Nobody said it was a GOOD cipher ;) Just whether having a toggle
(combiner)
would violate it... If you throw a lookup table in there, then
DEFINITELY!
byte mix2( x, y )
{
static int stateIndex = 0; // "First source"
static int state[] = { 1, 0 }; // Ooooh, complicated!
output = state[stateIndex] ? (x+y) : (x^y); // (x,y) pair "second
source"
...
}
Gimme a break. There's GOT to be some form of prior art on this. Maybe
it's time to look into data compression and/or error correction patents
to find them...
Ken
}
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: GCHQ turned me away...(we didn't think they understood)
Date: Tue, 03 Apr 2001 17:49:42 +0200
John Savard wrote:
>
> Mok-Kong Shen<[EMAIL PROTECTED]> wrote:
>
> >It is not clear what the OP meant by their turning him
> >away.
>
> To me, it was obvious. The GCHQ failed to express interest in some
> sort of deal or agreement whereby the OP would keep his new
> unbreakable cipher secret so that the GCHQ could continue reading
> people's mail.
>
> Sounds like the mentality of a lot of people who post to this group:
> "I've just come up with the world's first totally unbreakable cipher
> (not counting the OTP)" and so on. It is not surprising that the GCHQ
> had a lack of interest, considering that nearly everybody else also
> lacks interest in this sort of thing.
Maybe it's due to my poor understanding of English. I guess
namely that 'GCHQ turned someone away' might imply that it
wrote him a letter, explaining (with whatever reason) its
disinterest. In that case it would be interesting to know
the formulation of the answer. I guess though, that it
simply ignored the stuff (i.e. no reaction), which doesn't
signify anything in my view (also in accordance to your
view, if I don't err).
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Data dependent arcfour via sbox feedback
Date: Tue, 03 Apr 2001 17:59:03 +0200
John Savard wrote:
>
> [EMAIL PROTECTED] (Terry Ritter) wrote:
>
> >Next, from the Dynamic Substitution patent, the 6th paragraph under
> >the Objects and Advantages section:
>
> >"Another object of this invention is to provide a mechanism or process
> >by which two confusion sources can be combined to produce a
> >more-complex confusion result which may be used by some other combiner
> >mechanism."
>
> In that case, RC4 does infringe the Dynamic Substitution patent,
> unless this object was nowhere included in the claims.
Further, as I pointed out in another follow-up, many
schemes in Chap. 16 and 17 of Schneier's AC combine two
or more pseudo-random streams, i.e. two (or more) confusion
sources, to produce a stream that is presumably stronger.
i.e. a more-complex confusion result. Are these not in
clear and unambiguious conflict with the patent?
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Dynamic Substitution infringement?
Date: Tue, 03 Apr 2001 18:08:17 +0200
Ken Savage wrote:
>
> Nobody said it was a GOOD cipher ;) Just whether having a toggle
> (combiner)
> would violate it... If you throw a lookup table in there, then
> DEFINITELY!
Before clarifying the real applicability of the patent
in issue, it's unnecessary to worry that you could have
violated anything by using lookup tables, which people
have been using since decades in crypto. See parallel
discussions.
M. K. Shen
------------------------------
From: "Jack Lindso" <[EMAIL PROTECTED]>
Subject: A group ?
Date: Tue, 3 Apr 2001 18:18:04 +0200
Hey, to all I'm just starting to learn cryptology and i've gotten to the
need of
finding out :
if we know that F(P,K1)==>C1
and F(C1,K2)==>C2 {C1!=C2}
then can we find K3 such that F(P,K3)=C2
Cheers.
------------------------------
From: newbie <[EMAIL PROTECTED]>
Subject: Re: GCHQ turned me away...(we didn't think they understood)
Date: Tue, 03 Apr 2001 12:48:06 -0300
Mister Mok-Kong Shen,
Read this article :
http://www.isi.ee.ethz.ch/publications/massey_cd/pdf/BI316.pdf
It was written in 1990.
[EMAIL PROTECTED]
------------------------------
From: [EMAIL PROTECTED] (Matthew Skala)
Subject: Re: Breaking a DES encrypted code.
Date: 3 Apr 2001 09:33:01 -0700
In article <99t820$3bao$[EMAIL PROTECTED]>,
Mark G Wolf <[EMAIL PROTECTED]> wrote:
>Well I ain't no expert at this stuff, but it seems to me that it would be
>much more difficult. Informational people are kind of wacky any ways. The
>time and energy it takes to do all of this stuff is kind of wasteful to
>begin with. Kinda reminds of Colonel Flag from MASH. Although he was
>amusing.
One of the rules of the crypto game is that you don't get to choose what
methods your adversary is allowed to use. If your adversary has the
resources to break your encryption by doing a brute-force key search with
a chi-square test to recognize the correct plaintext, then you must assume
that your adversary *will* do that (or something even stronger) - whether
you think it's "wacky" or not. If you don't even pay attention to that
threat because you think it's "wasteful" or "much more difficult" (despite
being within your adversary's capabilities), then you lose for sure.
--
Matthew Skala
[EMAIL PROTECTED] :CVECAT DELENDA EST
http://www.islandnet.com/~mskala/
------------------------------
From: [EMAIL PROTECTED] (John Joseph Trammell)
Subject: Re: GCHQ turned me away...(we didn't think they understood)
Date: Tue, 03 Apr 2001 17:03:22 GMT
On Tue, 03 Apr 2001 12:48:06 -0300, newbie <[EMAIL PROTECTED]> wrote:
> http://www.isi.ee.ethz.ch/publications/massey_cd/pdf/BI316.pdf
Are any versions of this available that *don't* crash my browser?
------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Matrix PK idea?
Date: Tue, 03 Apr 2001 17:22:43 GMT
Here we go. You find a prime p (preferable a s.g prime) Then you make up a
RxR matrix which is a generator in Zp^R space (somehow). Then you perform
DH like normal using matrices.
i.e R=2 you have
( )^x
([ G11 G12 ])
y = ([ G21 G22 ])
( )
The idea is that the adding of terms hinders the usage of index calculus (as
I know it) for each of the terms of the G matrix i.e
[G11 G12]^2
[G21 G22]
=
[G11 G12][G11 G12]
[G21 G22][G21 G22]
=
[G11G11 + G12G21 G11G12 + G12G22]
[G21G11 + G22G21 G21G12 + G22G22]
Then all the terms are taken modulo the prime.
Question: Do such G matrices exist (i.e generators). Can you use a variant
of the square-mult method to compute this?
--
Tom St Denis
---
http://tomstdenis.home.dhs.org
------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: QS and matrix step
Date: Tue, 03 Apr 2001 17:37:03 GMT
I think I understand QS enough to implement it but one hold back. I get
that you are trying to find linearly dependent rows in the matrix but
doesn't gaussing not give you a sum of all zeroes like they show in the
examples? In HAC they say add rows 1,3,5 (I think) such that T1+T3+T5=0?
Do you augment the matrix with an identity then gauss the left half and then
use the right? err... I dunno!!!
--
Tom St Denis
---
http://tomstdenis.home.dhs.org
------------------------------
From: "Henrick Hellström" <[EMAIL PROTECTED]>
Subject: Re: keys and random
Date: Tue, 3 Apr 2001 19:45:00 +0200
"Mark Wooding" <[EMAIL PROTECTED]> skrev i meddelandet
news:[EMAIL PROTECTED]...
> Henrick Hellström <[EMAIL PROTECTED]> wrote:
> > "Mark Wooding" <[EMAIL PROTECTED]> skrev i meddelandet
> > news:[EMAIL PROTECTED]...
[snip]
> I claim, therefore, that you wasted almost an hour finding your Sophie-
> Germain prime.
>
> (By the way, I think you struck lucky when you found a 2048 S-G prime in
> under an hour. I've waited longer than that for 1024-bit S-G primes.)
One hour is expendable, as long as you don't make a habit of it. I did the
search during my lunch hour, so it was done in "idle time". ;-)
To be more precise, I used the following algorithm. There might be better
ones, but the reference information might indicate whether I struck lucky or
not:
1. Generate random Q, such that Q is odd and 2**4046 < Q < 2**4047;
2. Repeat Q := Q + 2; Until Q = 5 (mod 6);
3. While not TrialDiv2(Q) do Q := Q + 6;
4. P := 2Q+1;
5. If not TrialDiv(P) then goto 2.
6. If not (2**Q = -1 (mod P)) then goto 1.
7. If not Miller-Rabin(Q,6) then goto 1.
I used Steak with a 256 bit vector as PRNG at step 1.
The function TrialDiv(X) returns true if X is not divisible by any small
prime.
The function TrialDiv2(X) calculates a series of R(j) = X mod
p(i(j))*p(i(j)+1)*...*p(i(j+1)-1), where for each j the product of primes is
a 32 bit unsigned integer and the function returns true if no R(j) is such
that either R(j) or 2R(j)+1 is divisible by some of the corresponding small
primes.
Because of the construction of TrialDiv2 at step3, only a few candidates are
caught at step 5. Hence step 5 might be omitted.
Step 6 is a provable prime test of P, provided that Q is a prime. This is
the fastest reliable test in this context, and it ensures that 2 is a
generator of Z*(P). A full Miller-Rabin test of P would be redundant, since
Q will be tested separately. Since Q is almost as large as P, it is
significantly faster to perform this test before the full Miller-Rabin test
of Q.
Most of the candidates are caught by the trial division tests. The
calculation of 2**Q mod P takes approximately 250 ms using semi optimized
Pascal code.
I repeated the test and found one prime after only 30 seconds, and another
after 10 minutes and 2372 repetitions of step 6. I don't think I struck
lucky.
[snip]
> > > Performance in use is also better, since your exponents are shorter.
> >
> > I might have missed something, but I don't think this is an issue. You
> > don't have to use exponents that are as wide as the order of the group
> > you move in.
>
> True, but you might as well have a smaller group here. The attacks are
> still square-root in the maximum exponent.
If you have a smaller group, you don't have the option to increase the size
of the exponents without changing the prime or the generator. In this
respect p = 2*q+1 primes are the most flexible. That's my point.
--
Henrick Hellström [EMAIL PROTECTED]
StreamSec HB http://www.streamsec.com
------------------------------
From: Mike Rosing <[EMAIL PROTECTED]>
Subject: Re: A group ?
Date: Tue, 03 Apr 2001 12:49:04 -0500
Jack Lindso wrote:
>
> Hey, to all I'm just starting to learn cryptology and i've gotten to the
> need of
> finding out :
> if we know that F(P,K1)==>C1
> and F(C1,K2)==>C2 {C1!=C2}
>
> then can we find K3 such that F(P,K3)=C2
Usually you can for most crypto related math. But it's not easy :-)
Patience, persistence, truth,
Dr. mike
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: GCHQ turned me away...(we didn't think they understood)
Date: Tue, 03 Apr 2001 17:38:22 GMT
On Tue, 03 Apr 2001 12:48:06 -0300, newbie <[EMAIL PROTECTED]>
wrote, in part:
>Read this article :
>http://www.isi.ee.ethz.ch/publications/massey_cd/pdf/BI316.pdf
Of course, Proposition I is not really true, under some sneaky
conditions, which complicates proving multi-ciphering secure.
One can have a non-expanding and non-compressing pre-processing phase
that makes redundancy, if present in the input, more obvious and
convenient to the cryptanalyst to exploit.
It's a cute idea to modify Huffman coding so that each plaintext
symbol has multiple equivalents, some of different lengths, with those
one bit longer each being used half as often. However, claiming this
makes the processed plaintext "perfectly" random in any sense does not
seem correct; otherwise, it wouldn't be merely a preprocessing phase
for the input to the *real* cipher.
John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: GCHQ turned me away...(we didn't think they understood)
Date: Tue, 03 Apr 2001 17:40:29 GMT
On Tue, 03 Apr 2001 17:03:22 GMT, [EMAIL PROTECTED]
(John Joseph Trammell) wrote, in part:
>On Tue, 03 Apr 2001 12:48:06 -0300, newbie <[EMAIL PROTECTED]> wrote:
>> http://www.isi.ee.ethz.ch/publications/massey_cd/pdf/BI316.pdf
>Are any versions of this available that *don't* crash my browser?
Go to
http://www.isi.ee.ethz.ch/publications/massey_cd/dir/pdf.html
then from there you can right-click on the link labelled "An
information-theoretic approach to homophonic substitution" and
download the paper, reading it by running Acrobat Reader separately
from your browser.
John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Data dependent arcfour via sbox feedback
Date: Tue, 03 Apr 2001 17:44:20 GMT
On Tue, 03 Apr 2001 17:59:03 +0200, Mok-Kong Shen
<[EMAIL PROTECTED]> wrote, in part:
>Further, as I pointed out in another follow-up, many
>schemes in Chap. 16 and 17 of Schneier's AC combine two
>or more pseudo-random streams, i.e. two (or more) confusion
>sources, to produce a stream that is presumably stronger.
>i.e. a more-complex confusion result. Are these not in
>clear and unambiguious conflict with the patent?
Dynamic Substitution is a _particular way_ of combining two streams.
XORing them together does not conflict with his patent.
John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: Data dependent arcfour via sbox feedback
Date: Tue, 03 Apr 2001 17:56:48 GMT
On Tue, 03 Apr 2001 10:27:21 +0200, in
<[EMAIL PROTECTED]>, in sci.crypt Mok-Kong Shen
<[EMAIL PROTECTED]> wrote:
>Terry Ritter wrote:
>>
>
>>
>> Any sequence of data values is "a source." We can see this throughout
>> the patent, including: "A first data source and a second data source
>> are combined into a complex intermediate form or result. . . ." Note
>> the lack of description about the "ultimate" origin of any data
>> sequence treated as a "source."
>>
>> Also note that the body description and diagrams represent one example
>> of implementation, and do not limit the claims. This is patent law,
>> but to make it clearer, it is explicitly stated at the end of the body
>> text: "While my above descriptions contain many specificities, these
>> should not be construed as limitations to the scope of the invention,
>> but rather as an exemplification of a preferred embodiment thereof.
>> Many other variations are possible. Accordingly, the scope of the
>> invention should be determined not by the embodiments illustrated, but
>> by the appended claims and their legal equivalents."
>>
>> And then we have the testimony from the claim itself:
>>
>> "
>> 1(b) change means, at least responsive to some aspect of said second
>> data source . . .
>> "
>>
>> Note the phrase "some aspect of," clearly indicating that the second
>> data source may be modified before being used in the "change means."
>>
>> But, if you don't like the word "source," perhaps you would prefer the
>> word "value":
>>
>> "
>> 15. A two-input one-output logic mechanism or design, which combines a
>> first input value with a second input value, including:
>>
>> (a) substitution means, potentially including a plurality of
>> storage means, for saving substitute values and translating said first
>> input value into an output value, and
>>
>> (b) change means, at least responsive to some aspect of said
>> second input value, for re-defining a proper subset of the substitute
>> values within said storage means, potentially after every substitution
>> operation.
>> "
>[snip]
>> I'm not happy with any mechanism claimed to be Dynamic Substitution
>> being inherently limited to a sequence of a particular length. It is
>> implied throughout the patent body that there is no such limitation.
>> Thus, I expect that the Dynamic Substitution patent distinguishes from
>> the described mechanism. I think you can probably use it without
>> patent implications.
>
>All this clearly shows that even a classical polyalphabetical
>substitution, combining a key stream with the plaintext
>stream to produce a ciphertext stream, would also be
>in conflict with the patent.
But polyalphabetic substitution does not "re-define . . . values," it
just selects a different subset.
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
From: Mike Rosing <[EMAIL PROTECTED]>
Subject: Re: Matrix PK idea?
Date: Tue, 03 Apr 2001 12:51:46 -0500
Tom St Denis wrote:
>
> Here we go. You find a prime p (preferable a s.g prime) Then you make up a
> RxR matrix which is a generator in Zp^R space (somehow). Then you perform
> DH like normal using matrices.
>
> i.e R=2 you have
>
> ( )^x
> ([ G11 G12 ])
> y = ([ G21 G22 ])
> ( )
>
> The idea is that the adding of terms hinders the usage of index calculus (as
> I know it) for each of the terms of the G matrix i.e
>
> [G11 G12]^2
> [G21 G22]
> =
> [G11 G12][G11 G12]
> [G21 G22][G21 G22]
> =
> [G11G11 + G12G21 G11G12 + G12G22]
> [G21G11 + G22G21 G21G12 + G22G22]
>
> Then all the terms are taken modulo the prime.
>
> Question: Do such G matrices exist (i.e generators). Can you use a variant
> of the square-mult method to compute this?
Old idea Tom. Once you get to higher order constructs you get more tools
to break things with. A matrix of bits might be more useful, and finding
non-linear combinations would be fun. But not so easy, or it would have
been done already :-)
Patience, persistence, truth,
Dr. mike
------------------------------
From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Matrix PK idea?
Date: Tue, 03 Apr 2001 18:01:21 GMT
"Mike Rosing" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Tom St Denis wrote:
> >
> > Here we go. You find a prime p (preferable a s.g prime) Then you make
up a
> > RxR matrix which is a generator in Zp^R space (somehow). Then you
perform
> > DH like normal using matrices.
> >
> > i.e R=2 you have
> >
> > ( )^x
> > ([ G11 G12 ])
> > y = ([ G21 G22 ])
> > ( )
> >
> > The idea is that the adding of terms hinders the usage of index calculus
(as
> > I know it) for each of the terms of the G matrix i.e
> >
> > [G11 G12]^2
> > [G21 G22]
> > =
> > [G11 G12][G11 G12]
> > [G21 G22][G21 G22]
> > =
> > [G11G11 + G12G21 G11G12 + G12G22]
> > [G21G11 + G22G21 G21G12 + G22G22]
> >
> > Then all the terms are taken modulo the prime.
> >
> > Question: Do such G matrices exist (i.e generators). Can you use a
variant
> > of the square-mult method to compute this?
>
> Old idea Tom. Once you get to higher order constructs you get more tools
> to break things with. A matrix of bits might be more useful, and finding
> non-linear combinations would be fun. But not so easy, or it would have
> been done already :-)
Ahh but doesn't the summations mess around with index calculus methods of
discrete logs?
Tom
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************
