Cryptography-Digest Digest #591, Volume #12 Fri, 1 Sep 00 13:13:00 EDT
Contents:
cryptology software ("Michal Kvasnicka")
Free crypto aplication (Piotr Kulinski)
Re: Patent, Patent is a nightmare, all software patent shuld not be (Steve Rush)
Re: QKD and The Space Shuttle (John Savard)
Re: QKD and The Space Shuttle (John Savard)
Re: test (John Savard)
Re: PGP 6.5.8 test: That's NOT enough !!! (@@)
Re: Remark on practical predictability of sequences ("John A. Malley")
Re: Free crypto aplication (JCA)
Re: RSA public exponent (Bob Silverman)
Re: "Warn when encrypting to keys with an ADK" (Robert Gifford)
Re: more on that neat prime generator (Bob Silverman)
Re: Idea for creating primes ("Scott Fluhrer")
Re: QKD and The Space Shuttle (Mary Shafer)
Re: Security in RSA 'e' (DJohn37050)
Re: Two quick practical questions (Maybe not scientific enough ;-) (Mike Rosing)
Re: crypto organisations & societies (Mike Rosing)
Barrett's reduction algorithm (Steve Bryan)
Re: Barrett's reduction algorithm (Roger Schlafly)
Re: 4x4 s-boxes (Terry Ritter)
Re: 96-bit LFSR needed (Mack)
----------------------------------------------------------------------------
From: "Michal Kvasnicka" <[EMAIL PROTECTED]>
Subject: cryptology software
Date: Fri, 1 Sep 2000 10:23:30 +0200
I am looking for Maple or Matlab cryptography and cryptoanalysis software.
Thanks in advance for any help,
Michal
--
Michal Kvasnicka
[EMAIL PROTECTED]
------------------------------
From: [EMAIL PROTECTED] (Piotr Kulinski)
Subject: Free crypto aplication
Date: Fri, 01 Sep 2000 12:13:19 GMT
Reply-To: [EMAIL PROTECTED]
Hello
Few months ago I created crypto app called SCA.
SCA is Crypto Application I wrote to encrypt,compress and / or base 64
process any files.It uses a really strong algorithms with cool key
lenght to protect data from "prying eyes" : DES (56 bits) , IDEA (128
bits) , Blowfish (256 bits version).
SCA uses an excellent crypto library (v. 2.3) by Wei Dai
This app is *absolutely free* for non-commercial use.
If someone is interested plase try this link
http://ns1.widzew.net/~cotton/
Any comment would be appreciate
Best regards
Peter
------------------------------
From: [EMAIL PROTECTED] (Steve Rush)
Subject: Re: Patent, Patent is a nightmare, all software patent shuld not be
Date: 01 Sep 2000 12:42:37 GMT
It seems that some terrorist has slipped an LSD bomb into the US Patent and
Trademark Office. That is as good an explanation as any for some of the
patents we've seen lately, and it has the advantage of not accusing the patent
examiners of accepting a huge bribe from the American Trial Lawyers
Association.
Can anyone come up with a better reason for granting patents on ideas -like
overlapping screen windows- that were in wide use for years before the patent
application?
==========================================================================
==============
If it's spam, it's a scam. Don't do business with Net abusers.
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Crossposted-To: sci.space.shuttle,talk.politics.crypto
Subject: Re: QKD and The Space Shuttle
Date: Fri, 01 Sep 2000 12:59:12 GMT
On Thu, 31 Aug 2000 19:30:29 -0700, Mike Dicenso
<[EMAIL PROTECTED]> wrote, in part:
>On Fri, 1 Sep 2000, John Savard wrote:
>> http://www.boeing.com/defense-space/space/ius/
>> which will be used to boost Chandra into its proper orbit.
>That should be in the past tense, the mission was flown 23 July of last
>year. :)
As was noted on those web sites.
John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Crossposted-To: sci.space.shuttle,talk.politics.crypto
Subject: Re: QKD and The Space Shuttle
Date: Fri, 01 Sep 2000 13:00:50 GMT
On Fri, 01 Sep 2000 01:59:46 GMT, [EMAIL PROTECTED]
(John Savard) wrote, in part:
>On Thu, 31 Aug 2000 19:58:58 +0000, Alan
>Mackenzie<[EMAIL PROTECTED]> wrote, in part:
>>STS-93:
>The designation of a Shuttle mission.
Oh, yes:
<upturned nose>
STS stands for Space Transportation System, the *official* name of
that which is _colloquially_ known as the "Space Shuttle".
</upturned nose>
John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: test
Date: Fri, 01 Sep 2000 13:05:40 GMT
On Fri, 01 Sep 2000 02:59:26 GMT, [EMAIL PROTECTED] wrote, in part:
>In article <[EMAIL PROTECTED]>,
> [EMAIL PROTECTED] wrote:
>> test
>> Love, Jim
>You passed. Please post tests to alt.test
I'm astonished: checking the header fields, the test post to which you
replied does not appear to be a forgery.
Jim Walsh is best known as a poster to talk.politics.china, in which
his posts in defense of liberty, and critical of the Beijing
dictatorship, have made him the target of vicious personal attacks
from a number of apologists for the butchers of Tienanmen and
conquerors of Tibet.
As a consequence, I would have expected him to know better than to
send a test message to sci.crypt, but I wouldn't have put it past his
opponents to send a forged one in his name.
John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: @@
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
Subject: Re: PGP 6.5.8 test: That's NOT enough !!!
Date: Fri, 01 Sep 2000 14:12:37 +0100
On Thu, 31 Aug 2000 09:33:18 GMT, Ron B. <[EMAIL PROTECTED]> wrote:
>+-----BEGIN PGP SIGNED MESSAGE-----
>+Hash: SHA1
>+
>+On 30 Aug 2000 22:09:54 -0700, [EMAIL PROTECTED] (Rich Wales) wrote:
>+
>+>Philip Stromer wrote:
<snipped>
>+>You could, of course, carefully analyse each encrypted message you
>+>receive for unexplained recipient info (which might represent an
>+>unauthorized ADK). This is, however, not easy to do -- and even if
>+>you manage to do it, the best you can hope for is to discover an
>+>intrusion after at least one message sent to you has been
>+>compromised.
<snipped>
>+Not easy to do? When decrypting a message, PGP shows the keys that
>+the message is encrypted to. Even if it is a key not on the ring it
>+will show "unknown key". This is automatic. Hardly "not easy to do".
>+
>+-----BEGIN PGP SIGNATURE-----
>+Version: PGP 6.5.8
Yes, but toooo..... late. When yer see that second key, head for the hills.
------------------------------
From: "John A. Malley" <[EMAIL PROTECTED]>
Subject: Re: Remark on practical predictability of sequences
Date: Fri, 01 Sep 2000 07:37:50 -0700
Mok-Kong Shen wrote:
>
[ snip ]
> So your result does confirm that ElGamal as a cipher is not
> absolutely perfect in my humble view.
That's an interesting application of the results.
I agree.
>
> Another point of practical nature is why one wants to
> encipher a stream from a LCPRNG. If one wants to obtain
> a stream difficult to predict (and then use it for other
> purpose) using fast running LCPRNGs, one can mix a number
> of these and perform diverse means of 'scrambling',
> always bearing in mind that a theoretical unpredictability
> exactly comparable to the ideal OTP is never attainable
> in practice.
The cryptological properties of that mixing/scrambling function taking n
predictable PRNGs into one unpredictable PRNG output are at the heart of
the matter. The analysis of the ElGamal-encrypted LCG as a secure PRNG
is just an example of one predictable PRNG fed into a "scrambling"
function in an attempt to create an unpredictable PRNG output.
Has anyone established the necessary and sufficient mathematical
characteristics required of a mixing/scrambling function taking n
predictable PRNGs into one unpredictable PRNG output? Many researchers
point to one-way functions as the scrambler of choice. Few (if any) have
I read that discuss the characteristics of the mixing function - but
that's probably because I'm not looking in the right journals/web sites.
(If anyone knows of such papers please tell me. Thanks.) This is an
interesting area for analysis!
>(For a concrete example of a compound PRNG
> built on top of LCPRNGs in this sense see my web page.)
I will.
> If one likes, one can treat such a post-processed output
> from fast generators with an encryption algorithm, in the
> hope of further quality improvement. But one must again
> remember (from principle) that the output may be better
> or even much better but nonetheless never perfect.
>
> I like to stress that the above comments in no way
> diminish the theoretical merits of your paper.
Thank you.
John A. Malley
[EMAIL PROTECTED]
------------------------------
From: JCA <[EMAIL PROTECTED]>
Subject: Re: Free crypto aplication
Date: Fri, 01 Sep 2000 07:26:42 -0700
Free - for Windows. There are excellent crypto libraries available
out
there in source code.
Piotr Kulinski wrote:
> Hello
>
> Few months ago I created crypto app called SCA.
> SCA is Crypto Application I wrote to encrypt,compress and / or base 64
> process any files.It uses a really strong algorithms with cool key
> lenght to protect data from "prying eyes" : DES (56 bits) , IDEA (128
> bits) , Blowfish (256 bits version).
> SCA uses an excellent crypto library (v. 2.3) by Wei Dai
> This app is *absolutely free* for non-commercial use.
> If someone is interested plase try this link
> http://ns1.widzew.net/~cotton/
>
> Any comment would be appreciate
>
> Best regards
>
> Peter
------------------------------
From: Bob Silverman <[EMAIL PROTECTED]>
Subject: Re: RSA public exponent
Date: Fri, 01 Sep 2000 15:05:03 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (Mack) wrote:
> >According to John Matzen <jmatzen(at)origin(d0t)ea(d0t)com>:
<snip>
> There are now better attacks than the one you describe. Not
> having the papers in front of me right now I won't go into specifics
> except to say that the current recommendation is a public key length
> that is greater than 1/4 the length of the modulus.
No. This is the SECOND time you have made this same wrong
pronouncement. It is the *private key* which must be long, and
NOT the public exponent.
--
Bob Silverman
"You can lead a horse's ass to knowledge, but you can't make him think"
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: Robert Gifford <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp,comp.security.pgp.discuss
Subject: Re: "Warn when encrypting to keys with an ADK"
Date: Fri, 01 Sep 2000 11:09:12 -0400
=====BEGIN PGP SIGNED MESSAGE=====
Hash: SHA1
Good morning Rich,
A valid ADK, one placed into PGP by the employer, is accounted for in
the signed message when transmitted.
This valid ADK is not outside the signed area, and when using a key
to encrypt a msg, a warning comes on the screen to let the operator
know that a valid ADK is being used (when the warning option is
turned on).
A tampered ADK on the other hand that is attached to the message is
outside the signed area, and can be found and filtered with
"PGPrepair". Also the latest version of PGP will ignore the attached
ADK, and not encrypt with it.
The only valid questions left are: (1) will PGP (in ref. to personal
versions) in the future put the capability on every copy of PGP that
will warn the operator a ADK is being used, and the ability to filter
it on personal versions; (2) can a ADK somehow be placed into a
commercial version with out the employer knowing about it?
Even though it appears that no great damage has been done with this
loop hole, in reference to the tampered attached ADK, it not only
raises question about PGP, but the process could probably be directed
to any form of public key encryption process.
Think about it??
Hey.....
Robert L. Gifford
=====BEGIN PGP SIGNATURE=====
Version: PGP 6.5.8
iQA/AwUBOa/EwoxbWD2QV9QpEQJ9lACfWizw/oc+MCRBHpMmU1LRig8/2GUAnjBx
X8s5fg3k/YHTBZjwPPLAmTeJ
=qFJK
=====END PGP SIGNATURE=====
Rich Wales wrote:
>
> Phil Harrison wrote:
>
> > I would suggest that you enable the ADK column in PGP
> > keys and see if any keys in your keyring have an ADK.
> > If so, then make sure that it is supposed to be there.
> > Better still is to get the hotfix.
>
> Another reason to get the fix is that, even if you enable the ADK
> column (which shows whether a key has an ADK), this doesn't help you
> distinguish a key with a legitimate ADK from a key with two ADK's
> (one of which is legitimate, but the other is not).
>
> > Then they must also get the additional key onto the
> > keyring of the sender.
>
> I'm curious about this requirement. In order to get ADK's to work --
> especially in situations where companies want to make them mandatory
> (such as by configuring their mail servers to block incoming or out-
> going encrypted messages that aren't accessible via the company's ADK)
> -- it seems to me that one would want/need PGP to fetch the ADK auto-
> matically from a key server (or, at least, prompt the sender that the
> ADK is needed and ask for permission to go get it).
>
> Do the commercial Windows versions of PGP 5/6 do this? Or do they
> simply skip over an ADK reference in a recipient's key if the ADK is
> not present in the sender's keyring? If the ADK is skipped for this
> reason, is the sender notified?
>
> > Finally they must hope that the sender does not notice
> > that there was an ADK there and does not check with the
> > recipient.
>
PGP 2.6+ key generated 2000-08-26; all previous encryption keys
REVOKED.
> RSA, 2048 bits, ID 0xFDF8FC65, print 2A67F410 0C740867 3EF13F41 528512FA
------------------------------
From: Bob Silverman <[EMAIL PROTECTED]>
Subject: Re: more on that neat prime generator
Date: Fri, 01 Sep 2000 15:14:34 GMT
In article <8olqpe$i89$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:
> I was thinking, you could start lower, making 128-bit primes with my
> method
"My" method? How strange of you to claim ownership of something
that is well known and has been so for some time.
Might I suggest you do a literature search? Look up "Maurer"
and "Shawe-Taylor".
--
Bob Silverman
"You can lead a horse's ass to knowledge, but you can't make him think"
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: "Scott Fluhrer" <[EMAIL PROTECTED]>
Subject: Re: Idea for creating primes
Date: Fri, 1 Sep 2000 08:42:57 -0700
Mok-Kong Shen <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
>
> Scott Fluhrer wrote:
> >
>
> > Simple: 2 is a factor of p-1, so start there, at k=(p-1)/2. And, with
that
> > k, if g^k mod p is anything other than 1 or -1, we know (Fermat's Little
> > Theorem) that p wasn't prime. Most composites will fail that test, and
that
> > test is approximately as expensive as running a single iteration of
> > Miller-Rabin.
>
> If g^((p-1)/2) mod p is -1 and g^(p-1) mod p is 1, one has
> to do further tests as stated in the original post. Eventually
> these may fail either because g is the wrong one or because p
> is not prime. Do you happen to have references showing how
> small/big these (non-productive) efforts are (in particular
> with respect to an arbitrary p of the sort considered here
> which can be prime or composite)? Thanks.
Well, I don't have any references handy, but here's my reasoning:
if g^(p-1) = 1 mod p, and p is not prime, then p is a pseudoprime with
respect to g, and pseudoprimes are known to be relatively uncommon
if g^(p-1)/2 = -1 mod p, and g is not a generator, then g is within some
subgroup of size (p-1)/q, for some odd q that is a factor of p-1. Now, if
you remember Tom's original definition, he specified that p-1 was a product
of 2 and a set of 128 bit primes, and hence the smallest q can be is about
2**128. That means that the subgroup is so small compared to the entire
group that a random g has virtually no chance at being within such a
subgroup.
--
poncho
------------------------------
From: Mary Shafer <[EMAIL PROTECTED]>
Crossposted-To: sci.space.shuttle,talk.politics.crypto
Subject: Re: QKD and The Space Shuttle
Date: 01 Sep 2000 08:57:04 -0700
Markus Mehring <[EMAIL PROTECTED]> writes:
> Sometimes, apart from that it's mostly nautical miles, the sensible
> rest of the world uses kilometers instead. :)
Even otherwise completely metric countries use knots for airspeed,
nautical miles for distance, and feet for altitude in aviation. I
suspect that referring to satellite altitude in miles is a
continuation of this practice.
--
Mary Shafer
[EMAIL PROTECTED] Of course I don't speak for NASA
Senior Handling Qualities Research Engineer
NASA Dryden Flight Research Center, Edwards, CA
For non-aerospace mail, use [EMAIL PROTECTED] please
------------------------------
From: [EMAIL PROTECTED] (DJohn37050)
Date: 01 Sep 2000 16:28:43 GMT
Subject: Re: Security in RSA 'e'
Use of a small e reduces the number of primes possible due to the need for
gcd(e,p-1) = 1. Also, half the high order bits of d are known if e =3, for
example. This is all discussed in ANSI X9.31. If you want to be conservative,
use a 64-bit e.
Don Johnson
------------------------------
From: Mike Rosing <[EMAIL PROTECTED]>
Subject: Re: Two quick practical questions (Maybe not scientific enough ;-)
Date: Fri, 01 Sep 2000 11:19:44 -0500
Darren New wrote:
>
> Is there a good place to get a simple implementation of SHA-1, or some other
> well-known, standard, trusted hash? I'm looking for a function in C, Java,
> Tcl, or something like that, just for testing out some algorithms that make
> use of it. Even an executable that I can pipe something through to get the
> hash would be adequate for now. This is just a proof-of-concept so far, so
> easy is better than fast/flexible/etc. Hopefully a version that'll work on
> Windows and UNIX both would be nice. I've seen a Java source posted here,
> but all the source code I found looked like it relied on a whole bunch of
> superclass frameworks and such.
You can do a web search for SHA-1 or RIPEMD-160 to find several C
versions. Or you can get it directly from this file:
http://www.terracom.net/~eresrch/fast_onb/sha.c
>
> Secondly, is there a easy way to build some random numbers? Basically, I
> would think I'd need on the order of a few kilobytes of random bits, one
> time for each installation. It would need to be unpredictable, so doing
> something like hashing a counter won't work, but it's small, so doing
> something like watching the mouse would work. It also doesn't have to be
> especially secure for this proof-of-concept I'm doing, since I plan to use
> the random bits only as *part* of a key to a conventional cypher. Is this
> what /dev/random is for? Do "dd if=/dev/random of=..." would be an easy way
> to get such a file in a proof-of-concept system? Or does someone have a
> simple description of distilling the randomness out of mouse movements, as
> in the old "wiggle the mouse around until I tell you I have enough bits"
> kind of thing?
More ways than you can count :-) Look for "yarrow" on counterpane.com or
swipe the chunk of code from PGP that does exactly that. There's lots
of hardware methods too. You can roll your own from the following paper
if you're crazy enough: http://www.terracom.net/~eresrch/detecting_random.ps
Patience, persistence, truth,
Dr. mike
------------------------------
From: Mike Rosing <[EMAIL PROTECTED]>
Subject: Re: crypto organisations & societies
Date: Fri, 01 Sep 2000 11:24:00 -0500
Quisquater wrote:
>
> See http://www.iacr.org/bod.html
>
> All are prominent :-)
>
> Speaking now about the number of intelligible words/sec (mesured in
> shannon) they are able to output: Diffie, Landrock and Berson (random order)
> are the best ones :-)
>
> Another one is nsa (http://www.nsa.gov) BUT there are not international and
> their goal is:
> input: infinite shannon and public output: null shannon :-)
:-) Hey Jamie, you might want to talk with Msr. Quisquater too!
Patience, persistence, truth,
Dr. mike
------------------------------
From: Steve Bryan <[EMAIL PROTECTED]>
Subject: Barrett's reduction algorithm
Date: Fri, 01 Sep 2000 11:32:24 -0500
I've been trying to implement Barrett's reduction for computing r = x
mod m. In my particular case x is a 128 bit integer while m is somewhere
in the range of 16 bits. The only fairly explicit description I've found
is in chapter 14 of "Handbook of Applied Cryptograph". The description
there of multiple precision arithmetic for an arbitrary radix is quite
lucid and I have that implemented and tested successfully.
My specific problem is that as stated it appears that m can't be very
much smaller than x. Specifically if b is the radix then the k-1 digit
of m must be nonzero and b^2k should be larger than x. That would seem
to limit the stated algorithm to 32 bit integers whereas I want to apply
it to much larger numbers.
The good news is that brute force division (to obtain the remainder)
seems to be so fast that I might be able to use it. But I've not been
able to find any other explicit descriptions of Barrett's reduction
algorithm to see if it can be adapted.
------------------------------
From: Roger Schlafly <[EMAIL PROTECTED]>
Subject: Re: Barrett's reduction algorithm
Date: Fri, 01 Sep 2000 09:44:34 -0700
Steve Bryan wrote:
> My specific problem is that as stated it appears that m can't be very
> much smaller than x. Specifically if b is the radix then the k-1 digit
> of m must be nonzero and b^2k should be larger than x. That would seem
> to limit the stated algorithm to 32 bit integers whereas I want to apply
> it to much larger numbers.
If you want to reduce numbers much bigger than b^2k, you need to
precomputer a bigger number. Eg, to reduce a 128-bit number with
m being 16 bits, the precomputed number should be about 128-16=102
bits.
Alternatively, you can do the reduction in multiple stages. Each
stage shortens the length of x.
------------------------------
From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: 4x4 s-boxes
Date: Fri, 01 Sep 2000 16:47:13 GMT
On Fri, 1 Sep 2000 08:41:18 GMT, in <[EMAIL PROTECTED]>, in
sci.crypt Tim Tyler <[EMAIL PROTECTED]> wrote:
>[EMAIL PROTECTED] wrote:
>: [EMAIL PROTECTED] (Mack) wrote:
>
>:> bent is usually used to refer to functions which have non-linearity
>:> which is maximum. They only occur on functions of 2n variables
>:> and are not balanced. You appear to be refering to nearly bent
>:> functions.
>
>: Ahem, according to "Perfect nonlinear Sboxes" by Kaisa Nyberg from
>: Eurocrypt '91, we have and I quote.
>
>: 2. Bent Functions
>
>: Let q be a positive integer and denote the set of integers modulo q by
>: Zq. Let "u = e^((2*pi*i)/q)" be the q'th root of unity in C, where i =
>: the imaginary number sqrt(-1). Let f be a function from the set Zn/q
>: of n-tuples of integers modulo q to Zq. Then the Fourier transform of
>: u^f is defined as follows
>
>: F(w) = 1/sqrt(q^n) * sum of (x in Zn/q) (u^(f(x) - w.x), for all w in
>: Zn/q.
>
>: Definition 2.1: A function F: Zn/q -> Zq is bent if |F(w)| = 1 for all
>: w.
>
>: ---endquote--
>
>: In this case for a 4x4 function we find that "1/sqrt(q^n)" is "1/sqrt
>: (2^4)" which is "1/4". Which means a WT output of '4' times 1/4 gives
>: us "1" and we have a bent function.
>
>Since your conclusion is fallacious, there must be an error in your
>reasoning - I'll try to track it down.
>
>AFAICS, the quotation you provide states matters correctly - Though I
>don't fully understand everything they say.
>
>Then we come to your argument - which I don't follow at all.
>
>You seem to talk about a WT "output" of 4. The WT outputs an array of
>values, which is often converted to a single digit in the form of a
>non-linearity figure.
>
>Bent functions have maximum non-linearity. A non-linearity of 4 is /not/
>the maximum possible value for a 4-input boolean function.
>
>The maximum non-linearity of such a function is 6. This corresponds to a
>WT with entries consisting entirely of +/-2. An example of the LUT of
>such a function is: {1 0 0 1 0 1 0 1 0 0 1 1 1 1 1 1}.
>4 doesn't appear to come into it.
>
>A bent function is one with maximum non-linearity.
>
>To quote from http://www.io.com/~ritter/GLOSSARY.HTM:
>
> "[...] all true bent sequences, are not balanced".
>
>I don't see how you can evade this fact.
Indeed, the reference itself does not support the idea that one can
have a bent sequence which is also balanced.
>From the "Perfect nonlinear S-boxes" article, in the Introduction, at
the top of p. 379 we have: "In section 4 we present an example [of]
how balancedness can be achieved without completely destroying the
original good property."
In section 4, at the middle of p. 384: "As a conclusion we can say
that the restriction to the inputs with nonzero first halves gives a
balanced and almost perfect nonlinear function." The key word here is
"almost."
---
Terry Ritter [EMAIL PROTECTED] http://www.io.com/~ritter/
Crypto Glossary http://www.io.com/~ritter/GLOSSARY.HTM
------------------------------
From: [EMAIL PROTECTED] (Mack)
Subject: Re: 96-bit LFSR needed
Date: 01 Sep 2000 17:02:27 GMT
>Mack <[EMAIL PROTECTED]> wrote:
>
>: Half of it is indeed from that
>: source. The other half is from
>: Dr. Mike's polynomial program
>
>: I cobbled the two together.
>: Dr. mikes determines the
>: irreducibility very quickly.
>
>The combination sounds good ;-)
>
>I looked at Scott's program.
>It didn't seem to use a large integer library.
>
>It seemed to me that the time taken to factor the
>modulus was the primary factor limiting performance.
Not really it takes a shortcut. It has a table of
factors. Since it only handles numbers up to
2^1024 he only has to include the factorization of
1020 numbers.
>
>I liked the LFSR stepping - and the idea of simply
>testing all the periods that are factors, though.
That is the slow part. It is analogous to an integer
exponentiation (peasant style). By first eliminating the
non-irreducibles it speeds up the checking considerably.
ie. The number of checks is reduced by a factor of
in this case 820/33~25.
>
>Thanks for the reply - I'm happy to hear that
>something useful's come out of the code.
>--
>__________ Lotus Artificial Life http://alife.co.uk/ [EMAIL PROTECTED]
> |im |yler The Mandala Centre http://mandala.co.uk/ Namaste.
Mack
Remove njunk123 from name to reply by e-mail
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
