Cryptography-Digest Digest #418, Volume #9 Sun, 18 Apr 99 19:13:03 EDT
Contents:
Re: Question on confidence derived from cryptanalysis. (Geoff Thorpe)
----------------------------------------------------------------------------
From: Geoff Thorpe <[EMAIL PROTECTED]>
Subject: Re: Question on confidence derived from cryptanalysis.
Date: Sun, 18 Apr 1999 18:48:37 -0400
Hello,
Terry Ritter wrote:
> >You want to sound a cautionary note that we all risk being naive and
> >over-confident in our "cryptanalytic testing" of ciphers - excellent
> >point and it is well taken.
>
> No, the point is NOT well-taken. It is ignored and brushed off as
> trivial and known. Then everyone sticks their head in the sand again
> until I bring it up again. This has happened for years.
Once again, we are in disagreement - philosophically and factually it
would appear. From your postings, I can understand why you think this,
but it is based on a premise I simply do not accept and will not no
matter how many times you repeat it. Namely, that repeated cryptanalytic
testing does not provide a measure of the tested strength of a cipher.
You often repeat claims to the effect or (a caveat as I'm not using your
exact words) "if you can't break it or prove it unbreakable then you
know nothing of the cipher's strength".
Abstract, extremist, conspiracy-theoretic poppycock.
I don't want to devolve into word games but it seems necessary here to
at least address our difference, although I doubt it will lead to a
"resolution" of that difference. Namely, the meaning of "strength". Me,
like I said in my previous post, I regard it as a practical measure, not
a theoretical one.
An algorithm is not implicitly "strong" - it is just an algorithm. It is
not strong "against attack" in any purely abstract sense (unless you can
prove it so; very unlikely in most cases for now it would seem). I
measure strength as a fuzzy quality with many fuzzy factors and am quite
happy to do so. You seem to find this objectionable and your puristic
approach, though obviously suitable for you, would be unacceptable and
impractical for me. Many other people too, I dare suggest, are in the
real world and have to "make calls" on such things rather than sitting
around contemplating their navals and espousing puristic and entirely
unhelpful messages of gloom. I prefer to be pragmatic than idealistic.
> >However, please do not go so far as to be
> >similarly naive yourself, and to play things out to an theoretical abyss
> >and expect us to follow you there.
>
> The abyss is there. By not following, you are in it.
You claim an abyss - and your justifications for it risk sending this
discussion into the "There is a god - No there isn't" realm ... that is
to say, our views seem axiomatically different and I don't expect one of
us to substantially sway the other. If you claim there is a God, and I
can't prove there isn't one, that does not imply that a God exists (for
me at least). I consider triple-DES to be pretty "strong" - but you
claim that we don't know how our "enemy" might be attacking it and our
inability to fundamentally crack it means little - it's no more "strong"
than anything else we haven't broken yet. I don't agree but I can't
PROVE you wrong. It does not mean you're right - and many people share
MY point of view on this. Please do not be so arrogant to state your
opinion as fact and to deride others for not agreeing.
> But the only thing being "measured" here is the open, academic
> analysis. The *real* experts do not play this way. We thus have no
> way to understand their capabilities. The strength value measured on
> academics cannot apply to the real problem.
perhaps this is because you're a little disgruntled with what you
clearly see as ivory tower academics who don't measure up to the
military resources or the hard-working "non-academics" of the world? Who
knows. I certainly have no time for such cold-war style conspiracy
theories - that somehow the knowledge present in military/intelligence
agencies or foreign unstable countries (do the US still call them
"commies"??) is probably so far distanced and disimilar to what is
available in the open as to make work, developments, and failures (to
break ciphers) in the open completely irrelevant when considering "the
enemy"'s corresponding work. They do not, as far as I know, take
new-borns into their underground caves and transform them into teenage
mutant ninja-cryptologists. In fact if I had to make a guess, I'd
probably say that "they" (to avoid the Men In Black paying me a visit)
would constitute the equivalent of a strong university research
department with a few hundred times the computing power (and a few
thousand times the budget). They're still the same species, again - as
far as I know.
I know such views are not so fashionable, but I really don't fear the
NSA and co's ability to be vastly more clever in punching through
theoretical walls that seem impossible to us in the public - I regard it
as a much greater risk that they have hidden agendas in the work that
they do, seem to have a lack of checks and balances to protect against
abuses (civil liberties and other such things), and technological
arsenal enabling impractical breaks (for the public) to be highly
practical ones.
> On the contrary: I have shown several different approaches which are
> helpful for security even in an environment where we cannot assure
> ourselves of the strength of any particular cipher. What is really
> gloomy and unhelpful is this insistence that the only thing we can do
> is wait for the "experts" to certify a cipher so we can use it.
Exactly when did the experts certify triple-DES? If you're talking
standards (or Government) committees putting a seal on it then no
problem - I don't think anyone really thinks that gives the cipher an
overnight guarantee of "strength". And when the AES winner is announced
- I don't think anyone, including the author, will acknowledge that this
means anything more than - "well, it's lasted this far so hopefully it
will continue to hold out longer yet, and it seems to suit the
logistical needs well - performance, ease of implementation, etc".
As for the "experts" certifying a cipher ... I've yet to see a widely
referenced paper by a widely referenced author that claims a cipher to
be "secure" in any sense other than, "not insecure from the point of
attack of this particular piece of research". Most papers I've seen in
fact continue to add in the usual syntactical caveats even when most
reasonable humans would infer them automatically. In fact, lately
sci.crypt has demonstrated perfectly that the only ones claiming "100%
secure" are the boutique unknowns who insist on heated and irrational
accusations targetted at established technologies and technologists.
Generally I find that the "experts" tend to be quite cautious in their
own conclusions of their own products, ideas, and research.
> We hit on a cipher as hard as we can and then assume it to be strong
> and insist that we use that one cipher because it is "better tested"
> than anything new. The "better tested" part is probably true, but
> unless we know the capabilities of our Opponents, it hardly matters.
> We don't know how they hit, or how hard.
No, but that does not mean their abilities are completely independant of
ours. They probably grow up spoon-fed on the same academic literature
that "we" are, continue to kept up to date with "our" developments - and
may occasionally discover something before us, or even more radically -
something we don't discover at all. This does not mean they exist in
some parallel universe whereby our own work and conclusions can not be
used to make even educated guesses as to what "they" might be able to
achieve. That is simply naive and stubborn.
> I doubt that the historical record applies to ciphers in the same way
> it does other problems. Nature is not deliberately trying to confuse
> and hide. Cryptography has a completely different situation.
That is a very vague dismissal of my point - without even attempting to
justify your own statement, let alone why mine might have been wrong.
Mathematical problems - that is what I was referring to ... Fermat,
squaring the circle, approximating Pi, you name it - the same theme
arises and I think the model does say something relevant for
cryptography. Namely, lots of easily stated problems have easy
solutions, lots of complicated problems have easy or complicated
solutions (the remainder have no solutions), and there are a few pesky
problems that are easy to state but prove very difficult to break. Here
I mean, that the difficulty seems to stem not from any difficulty to
phrase or comprehend the question correctly, but from some intrinsic
"resilience" to attack (yes, using CONVENTIONAL methods of the time).
History DOES provides an argument that the longer those pesky problems
stay around, despite determined efforts to crack them - even developing
entire branches of maths around them, then the probability DOES go down
that someone is just going to slap their head and say "oops - damn, it
was so obvious - why didn't we try that before". Sure it can happen, but
like I said - we're talking probabilities and risk-management ... I
don't mind if the coming years bring deep deep advances in finite
algebra to the point that in 20 years, someone can break triple-DES with
a polynomial-like complexity on time, key-length, and known plain-texts.
But I will highly ticked off if someone discovers that despite years of
cryptanalysis, it's actually easy to break it using well established
techniques and we should have spotted it before (and the military
already had).
> >Let me ask the following - do you disagree with the following statement;
> >"History has demonstrated time and time again, that the longer a problem
> >resists the attack of academics, hobbyists, and mechanics - the
> >probability the problem can be broken using simple techniques that were
> >available at the time the problem was posed (or even comprehensible to
> >the people of that time) decreases."
>
> Yes, I disagree. Each cipher either can or can not be solved easily.
> A Boolean result is not a probability. We only get a probability when
> we have a wide variety of ciphers. And then of course we still do not
> know what that probability is.
And here you've just completely misunderstood, I hope as an oversight
and not just to be provocative. I will agree that each cipher can or can
not be solved easily - depending on suitably pinned-down definitions of
"solved" and "easily". And yes that represents a boolean characteristic
of the algorithm (applies to implementation too). But I was talking
about the probability of that characteristic being true when it has not
yet been discovered and yet people have been working hard to find such
an "easy" "solution". If you really don't get this, rather than you just
not reading it carefully, let me wander down a STATS101 example ...
I have a coin - I can see that one side has "heads". I acknowledge that
the other side could either be a "tails", or someone has slipped me a
bogus coin and both sides are "heads". I will even (for the benefit of
the cipher-breaking metaphor) give the coin the benefit of the doubt
that most likely, the other side is a "tails". However, after flipping
the coin 4 times and it landing heads each time I'm starting to get a
little more confidence that someone has slipped me a bogus coin. 400
heads later I'm really beginning to feel that the coin is bogus, or I'm
incredibly unlucky. However, the other side of that coin was always a
head or a tail - but until we determine that the best we can get is a
(maybe conditional) probability. I'm not suggesting that we now have
quite the confidence in triple-DES that I would have after flipping 400
heads with my coin, but if you post a new cipher tomorrow - I WILL have
the same confidence in it (or less) than if I hadn't flipped the coin
yet.
> >It is all probabilities and risk management. Mr Schneier will hopefully
> >agree with me on that and I hope you do too (I hope anyone contributing
> >to the crypto-frameworks I will have to use day-to-day agree with that
> >also).
>
> This is particularly disturbing: You do not know the probabilities,
> and you do not know the risk, yet you would have us manage the
> situation using exactly these quantities. That is mad.
Do you insure your car? Do you know the probabilities or the risk? I
take a look at my driving, most others' driving, the risk (=trashing the
car with no insurance), the probabilities (guess work based on my
driving and others' too), the cost of insurance, and make a judgement
call. It's called risk management and it's also called the real world.
What information do I have on a brand-new cipher? I can probably
download a PDF and some source code. What information do I have on
triple-DES? It's still standing. I make a judgement call - don't call me
MAD for that. I think you're mad if don't see the distinction.
> I agree with a lot of handwave statements. I also take on the limits
> of the handwaves which are false. I am not against cryptanalysis; I
> think it should be used. I am against endowing it with mystical
> powers, and I am against the implication that this is how we know the
> strength of a cipher. Cryptanalysis gives us something, but not that.
> In particular, cryptanalysis does not really provide the confidence
> that others see in a "certified" result.
Mystical??? I think your sticking up your own strawmen here. Ask any
implementor out there - "is IDEA breakable?" - I expect the answer in
most cases to be - "dunno, it seems pretty strong". If so, they'd be
using the same definition of strong I use.
> >Would you have us believe that all things that are not absolute are
> >necessarily equal? God, this sounds like a debate on socialism all of a
> >sudden - my humblest apologies [;-)
>
> In ciphers, YES, I would have you so believe.
Well I think you're wrong. But I won't have you believe anything you
don't want to believe.
> Ciphers are distinctly different from other areas of experience. The
> problem is that our Opponents operate in secrecy. That means we
> actually do not know when our ciphers fail. But unless we know about
> failure, we cannot assess risk. Yet you and most others attempt to
> interpret risk as we do in areas where we know the risk.
Bull**** ... the risk is extremely well known; the risk is that someone
can break our symmetric ciphers like water biscuits. We all know that
risk - it's the probabilities that are open to debate. And I'm simply
saying that a cipher not falling over after an extended period of review
and all-out attack helps the probabilities. Wherever the probability is
not 0 or 1 (or exactly 0.5) there is room for a surprise - in risk
management you weigh up the probabilities with the effect of the
possible outcomes, and make the best judgement call you can from that.
Me, I'm going to stick with RSA and triple-DES for a while. If you can't
get a lot of worthwhile review of your technologies than that is a shame
and may be doing you and your ideas a horrible disservice - but
unfortunately as far as the real world is concerned, for now that DOES
make your technology a bigger risk than RSA and triple-DES. Sorry but
there it is.
> For example, we have some general feeling about the risk of driving
> our cars because we see failure announced on the news. Everybody
No I get a feeling of the risk because everyday I take the car out onto
the road and others fail to hit me almost every time. That's how I get a
general feeling for the risk.
> knows the risk of flying because we see the disaster reported. Crypto
> failure is not reported, so we assume that risk is low. That is a
> faulty assumption. We do not know the risk. But in any security
> analysis we necessarily must assume the risk is real.
Sure it's reported, as long as it is discovered by someone who reports
such things. So the risk is that crypto fails, but fails in secrecy (and
noone else independently reaches the same discovery and reports it). If
the people who break these things without reporting it have skills
completely independant of ours, or a large order of magnitude greater,
then our failure to break it is independent of their failure or success.
Otherwise, our failure to break it DOES decrease the chances that they
have. The risk IS real, but the probability is not unrelated to our own
abilities. That is just not the real world.
> Yes, those are the formal claims. And then we see everyone putting
> their eggs in the basket of a single cipher (or small fixed group of
> ciphers) once again. The formal claims are not really what is being
> transmitted: What people see is a "certified" cipher which everyone
> should use instead of "uncertified" ciphers. In fact it is openly
> argued that "uncertified" ciphers have more risk, without being able
> to quantify that risk. While I would hope every cipher would get as
> much analysis as it could get, the "certification" of one cipher does
> not give us what we need. All it would take is a failure of that one
> cipher for us to lose everything we try to protect.
Exactly why do you, or many other designers, put multiple stages in a
cipher design. I'm guessing it's so that the cipher is at least as
strong as the strongest element in the chain (assuming the symbolic
"chain" here is serial and not parallel, otherwise someone can go around
rather than through that element).
The continuum between a cipher using different cryptographic primitives,
and a protocol (eg SSL) supporting multiple ciphers is purely one of
packaging and patents. In fact, allowing multiple ciphers is perhaps
weaker because once a cipher is broken, you need to ensure that you
"switch" that cipher off ... whereas a cipher with multiple different
stages means cracking one stage just weakens it a bit (and probably
causes a bit of a panic to get people off that cipher before it falls
down totally).
Perchance, how do you propose that extensible, scalable, and
interoperable computer network systems be built around an indefinate
length-list of ciphers - many having not undergone much analysis - and
with all the inevitable problems of entities not agreeing on ciphers
that they both have implemented. Some kind of distributed object model?
But wait, you'd have to secure the underlying comms for THAT with
something and that means getting people to agree once again ... Perhaps
you want to bring the discussion above these petty real-world
considerations?
> On the contrary, if you cannot interpret the way those conclusions are
> mis-taken -- even in this group, even by you -- it is you who misses
> the point.
Tell me where, especially if I've done it. I have higher hopes for
something that has received a lot of review and is still standing than
something that has not. So does nature, it's called natural selection.
Pick a metaphor and run with it ... If a lion cub survives the first X
months of life (low probability) then its chances of living to the age
of Y improve greatly. etc etc etc.
> I disagree with Schneier. I will agree that it is contest between
> cryptographer and HIDDEN cryptanalyst. But it is no race because we
> do not know what the hidden guys can do. This is about like calling
And they are after all some alien race having developed an entire
society of thought and process so vastly different to our own that our
own results (or lack of) give no indication whatsoever as to their
foreign abilities?
> AES a "contest," when the rules are hidden so the winner can be chosen
> in a smoke-filled back room. This is not to mention the fact that
> patented ciphers were kept out, yet another decision influenced by
> Schneier which just happens to benefit him. Just a coincidence.
What were we discussing again? You said no matter how long a cipher
stands up to public scrutiny and analysis, until it's broken or proved
secure we have no more right to trust it than anything else. I
disagreed. Now apparently AES is rigged??? These posts are long enough
without that kind of divergence.
> >> Cryptanalysis does NOT give us an indication of how much effort our
> >> Opponent will have to spend to break the cipher. Yet that is exactly
> >> what the cryptanalytic process would like us to believe: That is why
> >
> >I disagree - your point of view has some merit but is no more valid than
> >the polar opposite statement.
>
> Hardly: The polar opposite does not provide a motive to alter the
> usual recumbent attitude and actually change the way we do business.
> Relying on any one cipher is a risk, and the extent of that risk is
> not known. Because the risk is unknown, it hardly makes sense to say
> that the experts have done all they can so we should trust the result.
So you would have us all jump from one cipher to the next, making
interoperability and standardisation nigh on impossible because all out
attack on a few select (and widely discussed) algorithms will tell us
nothing? No thanks. This is one sure way to guarantee that "they"
definately CAN break a good percentage of our traffic.
> Users should insist on having and using a wide and growing variety of
> ciphers. The fact is that these ciphers cannot be as well "certified"
> as any one cipher. But since "certification" cannot be complete, the
> possibility of failure even in such a cipher should not be ignored.
No, but sound risk management should weigh up the fact that the more
homegrown, back-country, and un-analysed ciphers you employ, the more
certain you can be that you're using something some of the time that can
be broken without trouble. Conversely, you are right that using one
simple cipher can be a risk also. However, a well designed cipher
should, I hope, rely on at least a couple of stages based on some
effectively independant design ideas - achieving much the same thing as
stringing 2 or more independent ciphers end on end. I am not a cipher
designer however so I will yield to those who are to comment further on
this idea.
While we're on the subject ... it seems most crypto protocols (SSL,
PKCS#7/SMIME, OpenPGP? - not sure about that one) employ a bank of
ciphers. And to be honest, if say 3 ciphers get through the AES process
intact and all exhibit excellent performance or implementation
characteristics ... I dare say the 2 that don't "win" will still get
their fair share of implementation. If this one can be optimized well
for smart-cards, but that one is much better for high-throughput
implementations, the industry (not Government agencies) will push its
considerable weight in that direction. I just don't think anyone should
use the 128-bit cipher I came up with during an episode of the X-files
just because you say in theory it's as strong as triple-DES until
someone breaks either one of them.
> But if one were to use that cipher in multiple ciphering along with
> two others (selected, say, by a random message key), we get the best
> of both worlds, at the cost of somewhat reduced throughput.
And this can't be achieved within ONE cipher? When you start talking
multiple algorithms, you instantly start talking interoperability and
standardisation headaches. You also increase the number of "pieces" in
your puzzle when simplicity is far preferable. I see a security by
obscurity argument in here somewhere ...
> >dramatic fashion. I do not mean that evolving cryptanalysis work
> >provides increasing confidence in brand-new ciphers and what-not, rather
> >that as one cipher builds up a catalogue of evolving cryptanalysis work
> >against it that we DO have a decreasing probability that THAT cipher
> >will fall over in show-stopper fashion.
>
> We know no such thing. We have no idea how many attacks there may be
> in theory, so cannot judge how many of those we know. All we know is
> that we know more than we used to, which is no probability at all.
wrong. We know that existing attacks have failed to bust that cipher so
far, and we know how much time/effort it stood up to. Let's assume
(reasonably) that "the enemy" is privvy to all our documented techniques
- then, what we know forms part of their arsenal. Then, we know that
THAT proportion of their arsenal has been failing for some time to break
the cipher too. This gives us better chances than if we're not even
being sure if our own could break it with a little time and effort.
> >And it currently isn't? What exactly does the open publication of
> >research, countless conferences, news-groups, mail-lists, web-sites,
> >open-source projects, etc amount to other than a dynamic and interactive
> >process?
>
> The usual refusal to re-analyze a corrected work.
You sound bitter. Please answer the question with some explanation,
justification, or even a reference - or move on ... perhaps you think
that because the (US?) Government runs everything that political rather
than industrial considerations pave the way? Well, I have a lot more
faith in the industry and innovative people than you do if that's the
case.
> >Also, thousands of hobbyists and professionals all doing their
> >damndest to break each others ciphers gives me personally some
> >confidence in the value of "standing the test of time".
>
> There is no such standing without knowing real results. We have no
> idea how many tests are made, with what background and effort, and
> have no idea what the results were. This "test of time" is an
> illusion.
I see ... so the mystical men in black theory, put forward without
evidence, should be allowed to dictate our thinking? All things,
including ciphers, are relative. For the purposes of this post (now
quite a huge one) I really don't care any more if "they" (the spooky
people) have broken anything or not ... the fact is that on our side of
the fence we've got reason to rate certain ciphers as having been tested
more rigorously than others, and that (in lieu of ANY useful information
about the spooky people) is what I intend to use in my decision making.
> protection we want. We do not know if the cipher has already been
> penetrated and is being read by our Opponents just as easily as by the
> recipient. We do not know. And without knowing, we are unable to
> assess risk, or build either confidence or trust.
translation: "Without knowing if it is true or false, we cannot assess
the probability as to whether it is true or false".
> You are forced into a basically unscientific approach because you have
> no way to measure the true strength of the designs. The very fact you
> are behaving this way tells us much about whether such designs can be
> trusted for what they are, or whether you would accept them being
> promoted as something they really are not. You would.
Who's talking about "TRUE STRENGTH" ... we already agree that until it's
proved secure or broken that we can't measure THAT, if in fact THAT
exists at all. If I'm being forced into a basically unscientific
approach - fine, I'm going for a pragmatic one instead - I'm talking
about "tested strength". You on the other hand would prefer to run away
from the issue and give no value to vast existing cryptanalytic work on
widely distributed ciphers because "the enemy might have already have
broken them". I simply do not think that's rational.
> >Perhaps this Darwinist philosophy is not to your liking but I'm afraid
> >it fits the model. If I have a studied knowledge of shooting, am good at
> >it myself, stay abreast of the most modern trends, and am widely
> >respected as an expert in the field - then I am probably as good a
> >person as any to suggest methods for staying out of the firing line.
>
> But in shooting -- as in most other activities -- one knows the
> result. Ciphers are fundamentally different in that one does not know
> whether they are working or not.
alteration: If for any key, it encrypts and can successfully decrypt,
then it is working. What we don't know is if someone "else" has broken
it, but "we" haven't yet. Unless you are overly paranoid, it is not
unreasonable to draw "probabilistic" conclusions relating the "their"
abilities and "ours". My point is even more straightforward than that -
if our people can break it, then of course they can too; if ours try but
can't, that improves our chances a little that "they" haven't. Not even
knowing whether "we" can crack it after a period of time is just opening
the probabilistic window wider than we should for anything we plan to
use.
> It is obvious that people are making the conclusion that cryptanalysis
> is certification, for there has been no effort to construct protocols
> which deal with the fact that we can have no confidence in the
> resulting cipher.
Well if I had NO confidence in the cipher, why would I be using it? I've
got loads of compressors and encoders I can call upon, why would I use a
cipher if I have no confidence in it doing it's job? Presumably, any
such constructed protocol would provide a safeguard against a cipher not
doing its job, that is encrypting with some degree of confidence. In
other words, your protocol would be a security protocol. Do you see
anything at all recursive here or is it just me?
[snipped lots of good stuff about your technologies, which I liked and
do not have any beef with at all]
> >(b) what kind of analysis has been (or could be) done on the/those
> >technology(ies).
>
> My new technologies have been ignored by academia, even when formally
> published in Cryptologia. Schneier has said that this is normal for
> patented technology. Of course, academics are compensated for the
> work they do; I am not.
Well, you'll have to settle that with him and the others if you can.
Like I said earlier, this may be doing you and your ideas a great
disservice, but as long as it stands that way - people DO have the right
to regard your ideas as "riskier" than the "rusted but not busted" ones.
> The fact that my work is not addressed probably has negative
> consequences for me. But it also means that academia has no
> background for dealing with these structures beyond what I have
> personally published. That may be insufficient, but it is all there
> is.
So all ciphers are innocent until proven guilty? Unfortunately, when
people's privacy and identity are at stake, ciphers (and other
cryptographic primitives) are guilty until the prosecution have failed
time and time again to get a conviction. It gets even worse, the cipher
is never truly innocent, it just has a slowly decreasing degree of
suspicion surrounding it.
> No, it implies that they have the same unknown risk: That of complete
> exposure. To not use one because we are afraid of that risk and then
> use the other which may have the same outcome is foolish.
So what are we to do? Anyway, are we talking here about the chances of a
cipher getting busted (ie the whole "strength" issue), or about the
effect it would have if it DOES get busted. Whatever you use (be it 3
"ciphers" strung in a line), call it a cipher and go back to square one
of the problem. If you keep changing ciphers, then you and I (and you
and everybody else) will not have interoperating systems.
> >You call them "delusions", I call them "reasoned and qualified critiques
> >open to public dissemination and review" - let's call the whole thing
> >off. (as the song goes).
>
> Which means?
One man's trash is another man's treasure ... insert any vaguely similar
cliche for the same effect. I think repeated attempts by many people to
break something and failing represents "tested strength". You think it
represents "delusions". What are we to do?
Cheers,
Geoff
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
