Cryptography-Digest Digest #799, Volume #9       Tue, 29 Jun 99 11:13:02 EDT

Contents:
  Re: Project "Infinity" - replace 1 (one) with infinity ([EMAIL PROTECTED])
  Re: PIII Random Number Generator? (Ed Yang)
  Moore's Second "Law" Re: Moores Law (a bit off topic) (Robert Hettinga)
  Moore's Second "Law" (was Re: Moores Law (a bit off topic)) (Robert Hettinga)
  Re: The One-Time Pad Paradox ([EMAIL PROTECTED])
  Re: trapdoor one way functions (Nicol So)
  Re: Interesting RSA question ([EMAIL PROTECTED])
  Re: Hardware RNG description ([EMAIL PROTECTED])
  Test Sorry (Alex Mansurov)
  Re: one time pad (Patrick Juola)
  Re: DES-NULL attack (Andrew Haley)
  RSA and Diffie-Hellmann (chicago)
  Re: How do you make RSA symmetrical? (Bob Silverman)
  Re: Why mirrors invert left-to-right (was: Kryptos article) (S.T.L.)
  Re: PIII Random Number Generator? (Medical Electronics Lab)
  Re: Quasigroup engryption (Medical Electronics Lab)
  Re: trapdoor one way functions (S.T.L.)
  Re: Tough crypt question: how to break AT&T's monopoly??? (JPeschel)
  Re: Secure link over Inet if ISP is compromized. (Patrick Juola)
  Re: Secure link over Inet if ISP is compromized. (Patrick Juola)
  Re: Tough crypt question: how to break AT&T's monopoly??? (Christopher)
  Re: A few questions on RSA encryption (Bob Silverman)
  Re: DES versus Blowfish (Bruce Schneier)
  Re: Secure link over Inet if ISP is compromized. (Gene Styer)
  Re: trapdoor one way functions (Ed Yang)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Project "Infinity" - replace 1 (one) with infinity
Date: Tue, 29 Jun 1999 11:20:13 GMT

In article <[EMAIL PROTECTED]>,
  "Markku 'Make' J. Saarelainen" <[EMAIL PROTECTED]> wrote:
> Just wondering, if anybody is working on any project to replace 1 (one)
> with infinity ....

Je ne comprends pas.  De quoi est-ce que vous parlez?  (I don't
understand.  What are you talking about?)

Seems my French is still intact.  What are you talking about dude?

Tom
--
PGP key is at:
'http://mypage.goplay.com/tomstdenis/key.pgp'.


Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.

------------------------------

From: Ed Yang <[EMAIL PROTECTED]>
Subject: Re: PIII Random Number Generator?
Date: Tue, 29 Jun 1999 04:28:52 -1000

Mok-Kong Shen wrote:
> 
> Douglas A. Gwyn wrote:
> >
> > Mok-Kong Shen wrote:
> > > ... Theories that are dependent on certain yet
> > > unproven assumptions do no better.
> >
> > That's nonsense -- random noise generators are based on *proven*
> > principles.
> 
> How 'random' are these? Do you have a standard unit of measure of
> 'randomness'?
> 
> M. K. Shen

Yes, the unit of measure is the "knauer", which is dimensionless,
since it measures non-deterministic bits per bits available.
The imaginary part of the knauer is called "true" and the real
part is called "written". The complex conjugate of the knauer,
when multiplied by the measured knauer value is called the
size of the random string.


-- 
Oxygen : Love It Or Leave It !

------------------------------

From: Robert Hettinga <[EMAIL PROTECTED]>
Subject: Moore's Second "Law" Re: Moores Law (a bit off topic)
Date: Tue, 29 Jun 1999 08:25:39 -0400


The fun part of all this physics talk regarding the limits of Moore's
"Law" is that the trend's ultimate limit, according to Moore himself in
Forbes (or Forbes ASAP) a few years ago, is almost certainly economic.

That is, the cost of a fab goes up by about an order of magnitude every
10 years or so, according to Moore. Forbes called this new observation
Moore's Second Law, for some reason. :-).

Right now we're looking at a fab cost on the order of 10^9, or
thereabouts. Intel Albuquerque, built a little while ago, for instance,
was $2.<something> billion, I think. I heard recently of a $6 or $7
billion fab.

Moore thinks that a $10 billion fab is a stretch, and that $100 billion
fabs are out of the question. 

By comparison, the Freedom-Apollo programs were something like $74
billion in total and we can add an order of magnitude or so for
inflation since then to get a modern equivalent. The interstate
highways cost about the same in inflation-adjusted money.

The cost of anything, as always, is the foregone alternative.

Diminishing returns are a bitch.

Cheers,
RAH


-- 
Robert A. Hettinga <mailto: [EMAIL PROTECTED]>
Philodox Financial Technology Evangelism <http://www.philodox.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: The One-Time Pad Paradox
Date: Tue, 29 Jun 1999 11:32:36 GMT

In article <[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (John Savard) wrote:
> Yes, and *that* is where both madness and insecurity lie.

But a OTP is provably secure.  So maybe we are skeptic?  Yes it would
be a good hint if the ciphertext is all ASCII, but the chances of that
happening...

The argument is split though.  If it's an OTP then anything that comes
out is secure.  Even ASCII because 'how' do you know that was the
plaintext.  Your argument is that these weak types of streams could
occur and give really big hints into the plaintext (hence the irony or
paradox).

My argument is that the chances of getting such a keystream is very
very low.  Most RNGs for such things come from sampling some analog
source (who carries alpha particles to watch them decay anyways?).
Most things like mic-in jacks (thermal noise) have a good balance of
1's and 0's in the lsb (parity) so this shouldn't be a big problem.

Tom
--
PGP key is at:
'http://mypage.goplay.com/tomstdenis/key.pgp'.



------------------------------

From: Nicol So <[EMAIL PROTECTED]>
Subject: Re: trapdoor one way functions
Date: Tue, 29 Jun 1999 07:51:01 -0400

[EMAIL PROTECTED] wrote:
> 
> In article <[EMAIL PROTECTED]>,
>   Nicol So <[EMAIL PROTECTED]> wrote:
> > Are you sure exponentiation (defined over a suitable finite group) is
> > trapdoor one-way, instead of just one-way?  What kind of trapdoor
> > information would allow you to compute discrete log fast?
> 
> The DLP and IFP are both trapdoor one-way.  ...
> 
> DLP also has an inverse which is difficult to find.  If it's defined as
> g^x mod n (x < n, g = generator).  Then there is some log(g^x mod n) /
> log(g) which is hard to find (hence the problem).  I am not sure if two
> different inputs will produce the same output (i.e two logs...) but I
> don't think there would be.

So, what's the trapdoor information?

Nicol

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Interesting RSA question
Date: Tue, 29 Jun 1999 11:45:24 GMT

<snip>

You are missing something.  If the modulus is 1024 bits then the 'block
length' is 1024 bits (well, the modulus would have to be > 2^1024).  It
doesn't matter if there are 1004 zero bits from msb to lsb.  The msg
still has the same number of bits.

By saying it balloons you are wrong.  The plaintext/ciphertext always
remains the same size, even if there is only 20 bits of information in
the msg.  That's why there is padding as well.

Tom



------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Hardware RNG description
Date: Tue, 29 Jun 1999 12:07:23 GMT

I am printing off your paper.  I might actually try it out (could be
fun).

Tom



------------------------------

From: Alex Mansurov <[EMAIL PROTECTED]>
Subject: Test Sorry
Date: Tue, 29 Jun 1999 19:53:04 +0700

Test only.Sorry, plz.

-- 
WBW,     
Alex

------------------------------

From: [EMAIL PROTECTED] (Patrick Juola)
Subject: Re: one time pad
Date: 29 Jun 1999 09:22:23 -0400

In article <7l90dl$vp8$[EMAIL PROTECTED]>,
Greg Ofiesh  <[EMAIL PROTECTED]> wrote:
>
>> > ...in theory are crackable given enough and
>> >proper resources (which WILL come in time).
>>
>> I see.  And how much time do you anticipate until a brute-force
>> search of a 256-bit keyspace is practical.
>>
>> There are several other provably secure cyphers that are no
>> less impractical than a true OTP.  As in, they're all next
>> door to useless in Real Life.
>
>Again, in theory.

Well, the provably secure cyphers are provably secure *in theory*;
you are referred (general handwave) to the literature.  As is
the OTP.  

>  Now if you want to take this to the practical, let
>me ask you, are you 100% certain (ready to bet your life on it) that
>the NSA does not yet have a working quantum computer or other highly
>advanced device that would make even a 1k bit keyspace very reasonable?

Who said anything about 1k bit keyspaces?  Your ignorance is
showing.

But all that is irrelevant.  I don't *NEED* to bet my life, because
I don't have any secrets that are worth my life.  Nor, quite frankly,
do I believe that you do -- and if you do, then posting to sci.crypt
and asking naive questions is rather stupid; all "THEY" really need
is to grab you and apply thumbscrews until you tell them where you
store your OTPs.  The NSA doesn't deploy its hypothetical quantum
improbability computers just for the hell of it; if there's something
of sufficient interest to The Man to justify dragging the NSA into it,
then you're probably already being watched by the FBI.

        -kitten


------------------------------

From: [EMAIL PROTECTED] (Andrew Haley)
Subject: Re: DES-NULL attack
Date: 29 Jun 1999 13:20:00 GMT

Rob Warnock ([EMAIL PROTECTED]) wrote:

: Indeed. And let's not forget that Unix has been using *exactly* this
: method (DES-encrypt a constant "0" with a secret key) for its login
: password checking system since the early 1970's, and it hasn't been
: "broken" yet either (except by exhaustive search, or dictionary
: attacks on weak keys).

No, the UNIX password algorithm is much stronger than that.  It uses
multiple iterations of a modified DES.  This means, among other things,
that dedicated DES-breaking hardware can't easily be used to break
UNIX passwords.

Andrew.

------------------------------

From: chicago <"gabriel. nock"@siemens.de>
Subject: RSA and Diffie-Hellmann
Date: Tue, 29 Jun 1999 12:58:19 +0200

I'm searching for an implementation of RSA and Diffie-Hellmann...
I only have a Windows machine so I can't use a Unix compressed file...
and I didn't find anything in /ftp:...applied-crypto/pub...
but where can I find it??


------------------------------

From: Bob Silverman <[EMAIL PROTECTED]>
Subject: Re: How do you make RSA symmetrical?
Date: Tue, 29 Jun 1999 13:18:55 GMT

In article <[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (Gilad Maayan) wrote:
> I'll probably be hammered for my stupidity, as in previous posts, but
> I'm asking it anyway. Is there anyway to make RSA symmetrical? In
> other words, to take, say, a 64-bit message, encrypt it with a
> 1024-bit key and get a 64-bit cyphertext,

No, this is not possible. If M^e < N, then M is trivially recovered.
Further, if M is 64 bits then M^e mod N won't be 64 bits as well.


--
Bob Silverman
"You can lead a horse's ass to knowledge, but you can't make him think"


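An added worked example (not code from either poster) for the two RSA points made in this thread and in the "Interesting RSA question" reply above: an RSA block is always the size of the modulus regardless of how much information the message carries, and an unpadded message with M^e < N is recovered directly by taking an integer e-th root of the ciphertext. The key is a toy 512-bit one with e = 3 generated from a seeded RNG, the 64-bit message is constructed, and the "padding" is a constructed random prefix standing in for a real scheme such as PKCS#1; all helper names are mine.

```python
import random
from math import gcd


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin test; probabilistic, which is fine for a demonstration key."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng, e):
    """Random prime of exactly `bits` bits with gcd(p - 1, e) == 1, so e is a usable exponent."""
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if gcd(candidate - 1, e) == 1 and is_probable_prime(candidate, rng):
            return candidate


def toy_keypair(bits=512, e=3, seed=1999):
    """Deterministic 512-bit demo key (seeded RNG); far too small for real use."""
    rng = random.Random(seed)
    p = gen_prime(bits // 2, rng, e)
    q = gen_prime(bits // 2, rng, e)
    while q == p:
        q = gen_prime(bits // 2, rng, e)
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))


def iroot(k, x):
    """Exact integer k-th root of x, or None when x is not a perfect k-th power."""
    lo, hi = 0, 1 << (x.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** k < x:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** k == x else None


def modulus_bytes(n):
    """Size of one RSA block on the wire: always the modulus size, whatever m was."""
    return (n.bit_length() + 7) // 8


def pad_random_prefix(msg, n, rng):
    """Constructed demo padding, NOT PKCS#1: a zero byte, random non-zero filler, then the
    message, so the padded integer is just below n and m^e wraps around the modulus."""
    k = modulus_bytes(n)
    filler = bytes(rng.randrange(1, 256) for _ in range(k - 1 - len(msg)))
    return int.from_bytes(b"\x00" + filler + msg, "big")


def demo(seed=1999):
    n, e, d = toy_keypair(seed=seed)
    msg = bytes.fromhex("deadbeefcafef00d")           # constructed 64-bit message
    m = int.from_bytes(msg, "big")
    c_raw = pow(m, e, n)                               # textbook RSA, no padding: m^3 < n
    rng = random.Random(seed + 1)
    m_pad = pad_random_prefix(msg, n, rng)
    c_pad = pow(m_pad, e, n)
    return {
        "message_bytes": len(msg),
        "ciphertext_bytes": modulus_bytes(n),          # 64 bytes for an 8-byte message
        "raw_root_recovers_m": iroot(e, c_raw) == m,   # no reduction happened, cube root undoes it
        "padded_root_recovers_m": iroot(e, c_pad) is not None,
        "padded_decrypts": pow(c_pad, d, n) == m_pad,  # the private key still works as usual
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The padded case is the one a practitioner should take away: a 64-bit message encrypted under a 512-bit key occupies 64 bytes either way, and the random prefix is what stops the e-th-root shortcut, which is why every real RSA encryption scheme pads.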

------------------------------

From: [EMAIL PROTECTED] (S.T.L.)
Subject: Re: Why mirrors invert left-to-right (was: Kryptos article)
Date: 29 Jun 1999 14:17:36 GMT

<<and has nothing to do with the bilateral symmetry we've come to expect
of our images.>>

That's because you still insist on rotating yourself _around the side to_ "map"
yourself next to your mirror image. You think (as I do) in bilaterally
symmetric ways. A creature with a bilateral symmetry that runs from the ground
up, but at a 45-degree angle, will probably map himself next to his mirror
image in such a way that he sees the mirror do even weirder stuff (rotations
and such). A spherical creature with 4 differently colored dots on it will have
no reason to choose any particular way to map itself to its mirror image and
will actually recognize that front-back is truly being inverted. Unlike a
human, which seems to have a hell of a time recognizing this.

As you say:
<<In most
people's conception, this involves a (real or imaginary) observation
performed from a certain position and with a certain (preferred)
orientation.>>

The certain preferred orientation that YOU are using is simply thus: you and
your mirror image (in this imaginary observation) have both your feet on the
same floor and have your front-sides in the same direction. Therefore
left-right is inverted.

<<if he's obviously
not bilaterally symmetric (say, because of some costumes he's wearing). >>

G'uh. He has been bilaterally symmetric all his life and therefore chooses to
map himself next to his mirror image in such a way that L-R is *still* reversed
because it seems more "natural" than having up and down reversed.

<<and has nothing to do with the bilateral symmetry we've come to expect
of our images.>>

Of course not. It has everything to do with the mapping process.

-*---*-------
S.T.L.  ===> [EMAIL PROTECTED] <===  BLOCK RELEASED!    2^3021377 - 1 is PRIME!
Quotations:  http://quote.cjb.net  Main website:  http://137.tsx.org    MOO!
"Xihribz! Peymwsiz xihribz! Qssetv cse bqy qiftrz!"  e^(i*Pi)+1=0   F00FC7C8
E-mail block is gone. It will return if I'm bombed again. I don't care, it's
an easy fix. Address is correct as is. The courtesy of giving correct E-mail
addresses makes up for having to delete junk which gets through anyway. Join
the Great Internet Mersenne Prime Search at http://entropia.com/ips/  Now my
.sig is shorter and contains 3379 bits of entropy up to the next line's end:
-*---*-------

Card-holding member of the Dark Legion of Cantorians, the Great SRian
Conspiracy, the Triple-Sigma Club, the Union of Quantum Mechanics, the
Holy Order of the Catenary, and People for Ethical Treatment of Digital
Tierran Organisms
Avid watcher of "World's Most Terrifying Causality Violations", "World's
Scariest Warp Accidents", "When Tidal Forces Attack: Caught on Tape",
and "When Kaons Decay: World's Most Amazing CP Symmetry Breaking Caught
On [Magnetic] Tape"
Patiently awaiting the launch of Gravity Probe B and the discovery of M39
Physics Commandment #5: Thou Shalt Not Remain At Rest Inside An Ergosphere.

------------------------------

From: Medical Electronics Lab <[EMAIL PROTECTED]>
Subject: Re: PIII Random Number Generator?
Date: Tue, 29 Jun 1999 09:03:57 -0500

Ed Yang wrote:
> Yes, the unit of measure is the "knauer", which is dimensionless,
> since it measures non-deterministic bits per bits available.
> The imaginary part of the knauer is called "true" and the real
> part is called "written". The complex conjugate of the knauer,
> when multiplied by the measured knauer value is called the
> size of the random string.

:-)  You've been lurking too long.  We could have used this
a few months ago!

Patience, persistence, truth,
Dr. mike

------------------------------

From: Medical Electronics Lab <[EMAIL PROTECTED]>
Subject: Re: Quasigroup engryption
Date: Tue, 29 Jun 1999 09:00:02 -0500

[EMAIL PROTECTED] wrote:
> here's a good question.  where exactly do you look for better security?

In a mirror :-)

Security is a concept.  An ideal.  What do you need security for?
Random nuts walking the streets or military disciplined assassins?
"better" is very relative to the threat.

Note: I live in Madison, it's hard to tell the rehab asylum guys
from the politicians from the students.  Random nuts are harder
to defend against!

Patience, persistence, truth,
Dr. mike

------------------------------

From: [EMAIL PROTECTED] (S.T.L.)
Subject: Re: trapdoor one way functions
Date: 29 Jun 1999 14:22:02 GMT

<<In the case of RSA you can
find the private key by factoring the modulus and building the keys.
If they work then voila.  You would have to check out how they cracked
RSA-140 and such cause I am not sure....>>

Cracking RSA in the orthodox way always involves factoring the modulus: that is
how they cracked RSA140 - using the General Number Field Sieve across a bunch
of computers. There are thus two problems that would be nice to have solved:

A) IS FACTORING INTRINSICALLY DIFFICULT? This question has plagued
mathematicians for centuries.

B) Even if factoring is hard, is there a way to break RSA that is easier than
factoring?

Most people conjecture that the answers to A and B are Hell Yes and No, in that
order. :-D


------------------------------

From: [EMAIL PROTECTED] (JPeschel)
Subject: Re: Tough crypt question: how to break AT&T's monopoly???
Date: 29 Jun 1999 14:33:22 GMT

> [EMAIL PROTECTED] writes:

>For a twist, what if the ciphertext were part of the binary itself.  If
>there is no separation of program and data, would that be restricted?  It
>certainly isn't a general purpose cipher program anymore, and is arguably
>more message than program.
>
That's what I thought I was talking about, programs like Puffer & Norton 
Secret Stuff allow you to create encrypted, self-extracting binaries. 
The thread was going in a couple directions, though. Someone
had been talking, I think, about a hacking zip file to use better encryption.
Maybe Bill was talking about that. Damned if I know -- these threads
always get confusing.

Joe



__________________________________________

Joe Peschel 
D.O.E. SysWorks                                 
http://members.aol.com/jpeschel/index.htm
__________________________________________


------------------------------

From: [EMAIL PROTECTED] (Patrick Juola)
Subject: Re: Secure link over Inet if ISP is compromized.
Date: 29 Jun 1999 09:27:55 -0400

In article <7l9p68$o09$[EMAIL PROTECTED]>,
Gene Sokolov <[EMAIL PROTECTED]> wrote:
>Let's assume that Alice and Bob both have dial-up Internet accounts. They
>want to establish a secure channel.
>
>Alice <--> ISP-A <--> Internet <--> ISP-B <--> Bob
>
>Do I understand this correctly, assuming that *all* their data is passed
>through ISP-A and ISP-B, there is absolutely no way to ensure secure
>communication between them if either of the ISP is controlled by the
>adversary? Alice and Bob would need another trusted channel to exchange data
>before secure Internet link can be established.

What is ``The Adversary'' capable of?  If all the Adversaries are likely
to do is passively eavesdrop, then Alice and Bob can execute something
like the Diffie-Hellman key exchange to obtain a shared secret and
use that as the key in a secure cypher.

If the adversary is capable of tampering with packets, then Alice can't
communicate with Bob (or indeed at all) because ISP-A can simply drop
all of her packets on the floor.

        -kitten


------------------------------

From: [EMAIL PROTECTED] (Patrick Juola)
Subject: Re: Secure link over Inet if ISP is compromized.
Date: 29 Jun 1999 09:29:29 -0400

In article <7l9v84$r1g$[EMAIL PROTECTED]>,
Gene Sokolov <[EMAIL PROTECTED]> wrote:
>
>Jean Marc Dieu <[EMAIL PROTECTED]> wrote in message
>news:7l9pq9$e54$[EMAIL PROTECTED]...
>> I guess this is the aim of public key cryptography, if we consider ISP-A
>and
>> ISP-B as "dangerous" as the internet.
>
>How can public key cryptography be a solution here? Please read the original
>post again - *all* data is exchanged over what is assumed a compromized
>channel. If Alice sends Bob her public key or starts DH key exchange
>procedure, how does Bob know the data comes from Alice and not her
>compromized ISP?

Confirm that Bob and Alice obtained the same DH key.

PGPfone uses a step of ``biometric identification'' for this, to which
you are referred (waves hands vaguely in the direction of Boulder, Colorado.)

        -kitten
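An added example (not code from any poster in this thread) of the check suggested above: Alice and Bob run Diffie-Hellman through ISP-A and ISP-B, then compare a short fingerprint of the agreed key over a channel Mike cannot silently rewrite, which is the idea PGPfone's verification step builds on. The simulation runs once honestly and once with Mike, who controls the ISP, substituting his own public value in both directions. Assumptions of my own: a toy group with p = 2^127 - 1 (deliberately weak, for illustration only), a seeded RNG for reproducibility, and a 32-bit hex fingerprint as the string the two read to each other.

```python
import hashlib
import random

# Toy group for illustration only: p = 2^127 - 1 is prime, but p - 1 is smooth, so discrete
# logs here are easy. A real deployment uses a standardised safe-prime group or an elliptic curve.
P = (1 << 127) - 1
G = 3


def dh_keypair(rng):
    """Private exponent x in [1, p-2] and the public value g^x mod p."""
    x = rng.randrange(1, P - 1)
    return x, pow(G, x, P)


def dh_shared(priv, peer_pub):
    """Shared secret: (peer's public value)^(own private exponent) mod p."""
    return pow(peer_pub, priv, P)


def short_auth_string(shared):
    """Short fingerprint of the agreed key for the two parties to compare out of band
    (e.g. read aloud); 32 bits shown as 8 hex digits."""
    return hashlib.sha256(shared.to_bytes(16, "big")).hexdigest()[:8]


def run_exchange(mitm, seed=42):
    """Alice and Bob agree a key across the ISPs; with mitm=True, Mike (the ISP operator)
    replaces each public value in transit with his own."""
    rng = random.Random(seed)            # seeded so the demonstration is reproducible
    a_priv, a_pub = dh_keypair(rng)
    b_priv, b_pub = dh_keypair(rng)
    m_priv, m_pub = dh_keypair(rng)
    if mitm:
        alice_receives, bob_receives = m_pub, m_pub
    else:
        alice_receives, bob_receives = b_pub, a_pub
    k_alice = dh_shared(a_priv, alice_receives)
    k_bob = dh_shared(b_priv, bob_receives)
    # What Mike can compute from the values that passed through him.
    mike_side_alice = dh_shared(m_priv, a_pub)
    mike_side_bob = dh_shared(m_priv, b_pub)
    sas_alice = short_auth_string(k_alice)
    sas_bob = short_auth_string(k_bob)
    return {
        "keys_match": k_alice == k_bob,              # True only in the honest run
        "mike_reads_alice": mike_side_alice == k_alice,
        "mike_reads_bob": mike_side_bob == k_bob,
        "sas_alice": sas_alice,
        "sas_bob": sas_bob,
        "mitm_detected": sas_alice != sas_bob,        # the out-of-band comparison catches Mike
    }


if __name__ == "__main__":
    for label, flag in (("honest", False), ("with Mike in the middle", True)):
        r = run_exchange(mitm=flag)
        print(f"{label}: Alice says {r['sas_alice']}, Bob says {r['sas_bob']}, "
              f"keys match={r['keys_match']}, detected={r['mitm_detected']}")
```

The two runs show the point of the fingerprint step: in the substituted exchange both sides still end up with a perfectly good-looking key, and Mike holds a matching copy of each, so nothing in the key material itself reveals him; only comparing the fingerprints over a channel he cannot quietly alter does.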


------------------------------

From: [EMAIL PROTECTED] (Christopher)
Subject: Re: Tough crypt question: how to break AT&T's monopoly???
Date: Tue, 29 Jun 1999 10:01:49 -0400

In article <7l9v2c$ngk$[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Bill
Unruh) wrote:

_ In <[EMAIL PROTECTED]>
[EMAIL PROTECTED] (JPeschel) writes:
_ 
_ ]>[EMAIL PROTECTED] (Bill Unruh) writes:
_ 
_ 
_ ]>It would be trivial to write such a program. It would also, under the US
_ ]>regulations be illegal to send such an email outside the USA without a
_ ]>license.
_ 
_ ]Bill where in EAR is the transmission of a message that can be decrypted
_ ]restricted?  A one-way communication by a self-extracting encrypted file is not
_ 
_ The message is not restricted. The decryption program however is
_ restricted. Ie, as long as you did not send the self extracting program
_ along with the encrypted file, you would be OK. However that self
_ extracting program would probably get you into hot water.

For a twist, what if the ciphertext were part of the binary itself.  If
there is no separation of program and data, would that be restricted?  It
certainly isn't a general purpose cipher program anymore, and is arguably
more message than program.


------------------------------

From: Bob Silverman <[EMAIL PROTECTED]>
Subject: Re: A few questions on RSA encryption
Date: Tue, 29 Jun 1999 13:32:52 GMT

In article <[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (Gilad Maayan) wrote:
> I have a couple of questions on RSA, I hope someone will be able to
> help.
>
> 1. I haven't been able to find any information on the relationship
> between the number of bits encrypted by RSA, and the level of security
> obtained. Let's say you're encrypting 20 bits with a 512 or 1024 bit
> key. Is the small size of the plaintext relevant?

No.


> Will the encrypted
> message be easier to crack than, say, an entire document encoded by
> the same RSA key?

No.

>
> 2. Would it be at all possible to break an RSA cyphertext, knowing
> neither the secret key, the public key, or the modulus?

Clearly yes, since it is a finite problem. Of course, it might take
you a while.....

>
> 3. Would it be possible to extrapolate an RSA key from a cyphertext,
> if the plaintext was known?

Once again, yes. It is possible.  But one must now solve a discrete
log problem over a (large!) finite ring. This will take a while.


etc. etc.

<snip>

May I suggest the following?

Get a book on the subject and read it.  We are not being paid
to be your personal consultant or teacher.

Have people forgotten how to use the library?

I will be happy to answer any technical questions you might have that
are beyond the scope of a standard reference.  But your questions
suggest that you have not yet done your homework. You lack a basic
understanding of what RSA is and how it works.

No flame intended.
--
Bob Silverman
"You can lead a horse's ass to knowledge, but you can't make him think"



------------------------------

From: [EMAIL PROTECTED] (Bruce Schneier)
Subject: Re: DES versus Blowfish
Date: Tue, 22 Jun 1999 15:03:22 GMT

On Tue, 22 Jun 1999 12:25:19 GMT, [EMAIL PROTECTED] wrote:
>Doesn't Twofish itself have weak (?) whitening keys?  Has that been
>addressed?  Is it actually a weakness?

No.  There are no weak Twofish keys.  Mirza and Murphy published a
paper showing a property of the whitening keys, but there is no way to
turn that into an attack.  And there are no "weak" keys that cause
that property to arise.

Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems     Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN  55419      Fax: 612-823-1590
           Free crypto newsletter.  See:  http://www.counterpane.com

------------------------------

Subject: Re: Secure link over Inet if ISP is compromized.
From: [EMAIL PROTECTED] (Gene Styer)
Date: 29 Jun 1999 09:19:45 -0400

In article <7l9v84$r1g$[EMAIL PROTECTED]>,
Gene Sokolov <[EMAIL PROTECTED]> wrote:
>Jean Marc Dieu <[EMAIL PROTECTED]> wrote in message
>news:7l9pq9$e54$[EMAIL PROTECTED]...
>> I guess this is the aim of public key cryptography, if we consider ISP-A
>and
>> ISP-B as "dangerous" as the internet.
>
>How can public key cryptography be a solution here? Please read the original
>post again - *all* data is exchanged over what is assumed a compromized
>channel. If Alice sends Bob her public key or starts DH key exchange
>procedure, how does Bob know the data comes from Alice and not her
>compromized ISP?
>

This is a major problem, especially since a man-in-the-middle attack is very
difficult to detect.  I read (I can't remember the reference) an interesting
way to handle this...

     Alice uses her private key to encrypt a random number to send to Bob
     Bob also uses his private key to encrypt a random number for Alice

     Alice sends _half_ her message to Bob
     Bob replies with _half_ of his message
     Alice sends the other half of her message
     Bob replies with the other half of his message.

     Alice and Bob each combine the two parts of the message to get the
       random number the other one sent.  This can then be used to generate
       a symmetric key, or used in another way.

The key idea here is that Mike (the rascal who runs the ISP) can't properly
create the proper message since he only has half of the message when he is
required to create something.

Also note this assumes Alice and Bob have already exchanged public keys.  With
man-in-the-middle attacks, that is a concern.  I don't know if DH could be
modified to use something like this or not.

Eugene Styer
[EMAIL PROTECTED]


------------------------------

From: Ed Yang <[EMAIL PROTECTED]>
Subject: Re: trapdoor one way functions
Date: Tue, 29 Jun 1999 05:23:06 -1000

Nicol So wrote:
> 
> [EMAIL PROTECTED] wrote:
> >
> > In article <[EMAIL PROTECTED]>,
> >   Nicol So <[EMAIL PROTECTED]> wrote:
> > > Are you sure exponentiation (defined over a suitable finite group) is
> > > trapdoor one-way, instead of just one-way?  What kind of trapdoor
> > > information would allow you to compute discrete log fast?
> >
> > The DLP and IFP are both trapdoor one-way.  ...
> >
> > DLP also has an inverse which is difficult to find.  If it's defined as
> > g^x mod n (x < n, g = generator).  Then there is some log(g^x mod n) /
> > log(g) which is hard to find (hence the problem).  I am not sure if two
> > different inputs will produce the same output (i.e two logs...) but I
> > don't think there would be.
> 
> So, what's the trapdoor information?
> 
> Nicol

The ElGamal cryptosystem uses the discrete log problem as 
a hard step preventing adversaries from decrypting the message.
Exponentiation is the one way function, the trap door is the key.
If you know the key you can easily decrypt a message. Without
the key there is no trap door.
-- 
Oxygen : Love It Or Leave It !

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
