Cryptography-Digest Digest #153, Volume #10 Wed, 1 Sep 99 11:13:03 EDT
Contents:
Re: public key encryption - unlicensed algorithm ("shivers")
Re: LFSRs in a5 (Maciej Maciejonek)
Re: What if RSA / factoring really breaks? (Helger Lipmaa)
Re: SHA-1 and Blowfish in portable 80x86 Assembler ("Eric W Braeden")
Re: Matrix Exponentiation (Bob Silverman)
Re: WT Shaw temporarily sidelined (SCOTT19U.ZIP_GUY)
Re: Schneier/Publsied Algorithms (Bruce Schneier)
Re: Web encryption, some references please.. (SCOTT19U.ZIP_GUY)
Re: Matrix Exponentiation (David A Molnar)
Re: RC4 question (Tom St Denis)
Re: One to One Compression updated (Tom St Denis)
Re: WinZip 7.0 ([ Dr. Jeff ])
Re: Matrix Exponentiation (Ulrich Elsner)
Re: Ciphertext disguised as plaintext? (newbie question) (Paul Koning)
Exponents in public key algorithms (Gaston Gloesener)
Re: Correction to Uhr Box Description
Re: Schneier/Publsied Algorithms (SCOTT19U.ZIP_GUY)
Re: Exponents in public key algorithms (Anton Stiglic)
Re: Ciphertext disguised as plaintext? (newbie question) (Tom St Denis)
Re: What if RSA / factoring really breaks? (Anton Stiglic)
Re: Exponents in public key algorithms (Anton Stiglic)
Re: Web encryption, some references please.. (Anton Stiglic)
Re: RC4 question ("Trevor Jackson, III")
Re: Exponents in public key algorithms (Tom St Denis)
----------------------------------------------------------------------------
From: "shivers" <[EMAIL PROTECTED]>
Subject: Re: public key encryption - unlicensed algorithm
Date: Tue, 31 Aug 1999 02:14:13 +0100
David A Molnar wrote in message <7qethp$fod$[EMAIL PROTECTED]>...
>shivers <[EMAIL PROTECTED]> wrote:
>> The main purpose is for the development of a _very_ secure online credit
>> card submission system - where the details stay encryption all the way
from
>> the user's desktop to the serving company's payment processing desk.
>
>Have you looked at the SET protocol ?
>
no, I've never heard of it - is it any good? I.e. strong and unlicensed?
Shane Wright
ProActive Computing
------------------------------
From: Maciej Maciejonek <[EMAIL PROTECTED]>
Subject: Re: LFSRs in a5
Date: Wed, 01 Sep 1999 12:21:01 +0200
Ian Goldberg wrote:
> In article <7ph40m$tj4$[EMAIL PROTECTED]>,
> Tom St Denis <[EMAIL PROTECTED]> wrote:
> >In article <[EMAIL PROTECTED]>,
> > Maciej Maciejonek <[EMAIL PROTECTED]> wrote:
> >> I'm looking for any information about LFSRs used in a5.
> >> I know that this binary stream cipher consist of three short Fibonacci
> >> LFSRs of sizes 19,22 and 23 respectively.
>
> Funnily enough, we (David Wagner, myself, and Lucky Green) just announced
> at the Crypto 99 rump session that we have a 2^16-time (read: real time)
> break of A5/2. (Implemented in code, and everything.)
>
> A5/2 is the (weaker) version of A5 used in a bunch of countries that weren't
> "cool" enough to get A5/1. (Australia uses A5/2, for example. Rumor has
> it that China is currently upgrading from A5/0 (identity cipher) to A5/2.
> Hong Kong, funnily enough, uses A5/1, since it was installed under British
> rule. There are a bunch of other A5/2 countries, but I don't have a list
> handy.)
>
> Here are the taps for the registers:
>
> /* Feedback taps, for clocking the shift registers.
> * These correspond to the primitive polynomials
> * x^19 + x^5 + x^2 + x + 1, x^22 + x + 1,
> * x^23 + x^15 + x^2 + x + 1, and x^17 + x^5 + 1. */
>
> #define R1TAPS 0x072000 /* bits 18,17,16,13 */
> #define R2TAPS 0x300000 /* bits 21,20 */
> #define R3TAPS 0x700080 /* bits 22,21,20,7 */
> #ifdef A5_2
> #define R4TAPS 0x010800 /* bits 16,11 */
> #endif /* A5_2 */
>
> What else would you like to know?
>
> >I have source code for it if that helps... ask in private email.
>
> Be careful; the "alleged A5/1" published in a number of places, including
> Applied Cryptography, is _not_ the correct algorithm. The taps are in the
> wrong place, for example.
>
> We'll be publishing the (real) A5/1 and A5/2 source (with test vectors),
> as well as the A5/2 break, as soon as we add some comments and can find
> an export-restricted site on which to host it.
>
> - Ian
I understand that primitive polynomial:
for LFSR1 x^19 + x^5 + x^2 + x + 1 (18,17,16,13)
for LFSR2 x^22 + x + 1, (21,20)
for LFSR3 x^23 + x^15 + x^2 + x + 1.(22,21,20,7)
What about clock control taps in these registers?
Bit 8 in first ( 0x100) , bit 10 ( 0x400) in second and third?
What about A5/2? When will You be publishing source?
------------------------------
From: Helger Lipmaa <[EMAIL PROTECTED]>
Subject: Re: What if RSA / factoring really breaks?
Date: Wed, 01 Sep 1999 11:38:25 +0000
JPeschel wrote:
> David J Whalen-Robinson <[EMAIL PROTECTED]>writes, in part:
>
> >Nobody is ready for that, but there are other algorithms to move to.
> >(DES would still be secure, and there are public key alternatives not
> >reliant on
> >factoring.)
>
> But DES is already insecure.
and there is no known one-way functions in the quantum setting (remember
that factoring is easy for quantum computers). it is a MAJOR open
research problem, I was talking to many quantum computer guys during the
latest AQIP workshop. Many of them admitted that this is an important
problem and they had thought about it. No one had even a candidate
function!
Helger Lipmaa
http://home.cyber.ee/helger
------------------------------
From: "Eric W Braeden" <[EMAIL PROTECTED]>
Subject: Re: SHA-1 and Blowfish in portable 80x86 Assembler
Date: Wed, 1 Sep 1999 08:15:01 -0400
Tom, the NASM home page you've referenced is no longer valid.
You know what it's supposed to be?
Tomas FRYDRYCH <Use-Author-Address-Header@[127.1]> wrote in message
news:[EMAIL PROTECTED]...
>
> If anyone is interested in checking out my Assembler
> implementation of SHA-1 and Blowfish (in EBC, CBC, CFB and
> OFB modes), with C interface, you will find it at
>
> http://www.frydrych.freeserve.co.uk/casm/casm.html
>
> You get a source code for the free portable assembler NASM and
> C header files -- you can compile it into whatever binaries you wish
> (Borland, MS, Linux, OS/2, et al.). My own tests (for what they are
> worth) show that the implementation is 2+ times faster than what
> an optimizing C compiler will achieve.
>
> Tomas
>
------------------------------
From: Bob Silverman <[EMAIL PROTECTED]>
Subject: Re: Matrix Exponentiation
Date: Wed, 01 Sep 1999 13:13:50 GMT
In article <[EMAIL PROTECTED]>,
Gary <[EMAIL PROTECTED]> wrote:
> Matrix Exponentiation (Mod 2)
>
> A is 32X32 Matrix (Mod 2), 1024 bits long
> Let N be any integer
>
> i) Given only A and A^N (A to the power of N), can N be calculated?
Yes.
> ii) Given A^N and N, can A be calculated?
Yes.
--
Bob Silverman
"You can lead a horse's ass to knowledge, but you can't make him think"
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: WT Shaw temporarily sidelined
Date: Wed, 01 Sep 1999 14:07:31 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (don garrisan) wrote:
>Thanks for all the banter, guys.......... I have been taking copies of
>the posts for him to read.
>
>He is hoping to get back to the newsgroups ASAP, but the doctors
>weren't too keen on him using a laptop on Sunday.
>
>Monday he used my machine for a short while, but the hospital
>switchboard was frowning on our use of the phone line.
>
>talk about control freaks!
>
>BTW, Bill is an OLD FART!....early fifties
>
>for clues or just to get a taste of his usual style.....
>visit his web site www.RadioFreeTEXAS.com/wts/
>
>I will forward your messages to him tommorrow, and I too am hoping for
>a speedy recovery
>
>don garrisan
I visited the site. Interesting!
Don I will but a link to your site if you place one to mine is that
fair enough?
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
http://members.xoom.com/ecil/index.htm
NOTE EMAIL address is for SPAMERS
------------------------------
From: [EMAIL PROTECTED] (Bruce Schneier)
Subject: Re: Schneier/Publsied Algorithms
Date: Wed, 01 Sep 1999 13:15:29 GMT
On Tue, 31 Aug 1999 18:00:50 -0700 (PDT), Mixmaster
<[EMAIL PROTECTED]> wrote:
>Hello Bruce
>
>How is it posible that some of your published algorithms...2fish have bugs in your
>source code?
>
>There are only two possible explanations for this:
>1. A legitimate mistake was made...but no correction was ever published for it...or
>have you published the correction on your site..
>
>2. A deliberate bug was placed in your source code by some unknown person...
>
>Which leads me to this point:
>
>How can we in the crypto community EVER Trust any Publsihed Source Code without
>extensive testing and debugging... I wonder if you thought of this.
>
>Are there any published TEST VECTORS for your algorithms...and possibly other
>Algorithms...which treat the algorithm as a black box...etc...do you know of any such
>TEST VECTORS..
>
>But please Bruce...explain to us How is it that there are bugs in your own published
>algorithms...I did see some messages about this topic few months back..and have you
>made any corrections to them
I don't know of any bugs in the Twofish source code. Please let me
know what you found, and I will correct it immediately. Anything you
found would be pathological, though, since we have written many
different implementations of Twofish and they all interoperate. I am
very interested.
Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590
Free crypto newsletter. See: http://www.counterpane.com
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Web encryption, some references please..
Date: Wed, 01 Sep 1999 14:13:04 GMT
In article <7qh51m$mda3@SGI3651ef0>, "Sta" <nospam@nomail> wrote:
>Hello,
>
>I'd like to learn about the encryption protocols used on the www.
>Please, could you give me some starting references?
>
>maybe some links, books, articles...
>
>Thank you
>
>PD: No mail to avoid spam, please post to the group.
>
>
Try my hated and controversial site!!!
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
http://members.xoom.com/ecil/index.htm
NOTE EMAIL address is for SPAMERS
------------------------------
From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: Matrix Exponentiation
Date: 1 Sep 1999 12:39:28 GMT
Gary <[EMAIL PROTECTED]> wrote:
> Matrix Exponentiation (Mod 2)
> A is 32X32 Matrix (Mod 2), 1024 bits long
> Let N be any integer
> i) Given only A and A^N (A to the power of N), can N be calculated?
> ii) Given A^N and N, can A be calculated?
Have you considered diagonalizing this matrix? I think that **if the
matrix is not of some special form (e.g. nilpotent or projection)**,
this reduces to the equivalent problems for each of the elements on the
diagonal of the middle matrix in $P \Lambda P^{-1}$. Here P is the change
of basis matrix you get by finding the eigenvalues of A.
-David
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: RC4 question
Date: Wed, 01 Sep 1999 13:42:47 GMT
In article <[EMAIL PROTECTED]>,
"Trevor Jackson, III" <[EMAIL PROTECTED]> wrote:
>
>
> fungus wrote:
>
> > Red_Blue <[EMAIL PROTECTED]> wrote:
> > >
> > > Could someone please shed some light on the following issue:
> > >
> > > What is the difference in required brute force computing power for
> > > breaking RC4-40 vs. RC4-128 export (40 secret) keys?
> > >
> >
> > The difference is a factor of 2^(128-40) = 2^88.
> >
> > 2^88 is 300,000,000,000,000,000,000,000,000
> >
> > ie. RC4 128 is zillions of times more secure than RC4-40.
>
> I think the original question referred to the damaged form of RC4-128 in
> which the secret portion of the 128-bit key is only 40 bits long, the
> remainder being non-secret. The a brute force attack on the damaged
> RC4-128 is aimed at a keyspace exactly as large as the full keyspace of
> RC4-40.
>
>
Why would you call it RC4-128 if only 40 bits are the secret key? It's like
saying I use Blowfish with 256 bit keys (fine print: 255 bit salt). This is
one reason why so many confusions come out.
I think MS used a 88 bit salt to say the keys are 128-bits and make it sound
good. The truth is the key is still only 40 bits, no matter how much salt
you add on. And the truth is 32-bit salts would work fine anyways. The salt
has to be unique to each message sent under the same key only.
Tom
--
PGP 6.5.1 Key
http://mypage.goplay.com/tomstdenis/key.pgp
PGP 2.6.2 Key
http://mypage.goplay.com/tomstdenis/key_rsa.pgp
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: One to One Compression updated
Date: Wed, 01 Sep 1999 13:52:35 GMT
In article <7qe9kv$2vko$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) wrote:
> > [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY) wrote:
> >> I updated my "one to one" adaptive huffman compression
> >> routines. These are routines that treat any file as a compressed
> >> file or as an uncompressed file there are no headers. Would
> >> be of great use as a first pass before encryption see my
> >> compression page at
> >>
> >> http:/members.xoom.com/ecil/compress.htm
> >>
> >
> >Why?
> Why not?
Um, huffman compression has been around 30 years or more, then next year you
will get into shano-fano type methods, maybe even range coding who knows how
far you will advance.
First off you are not the first person to ever code statistical entropy
coders. I did some when I started programming 4 years ago (in C). Second,
why would I use a pathetic entropy coder (cuz most are) if I could use a
string matching algorithm like DEFLATE (or BWT used in bzip2). I am not
'dissing' your code, I am just saying entropy coders are a 'tack on' to get
an extra 2% of ratio. They are not the only means though.
So I ask again, why?
Tom
--
PGP 6.5.1 Key
http://mypage.goplay.com/tomstdenis/key.pgp
PGP 2.6.2 Key
http://mypage.goplay.com/tomstdenis/key_rsa.pgp
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: [EMAIL PROTECTED] ([ Dr. Jeff ])
Subject: Re: WinZip 7.0
Date: Mon, 30 Aug 1999 11:59:01 -0700
In article <[EMAIL PROTECTED]>,
David Hamer <[EMAIL PROTECTED]> wrote:
>Can anyone point me towards a password-recovery utility - freeware
>or shareware - for WinZip v7.0 ??
Http://www.elcomsoft.com/azpr.html It's well worth the price
asked. You're welcome.
--
Dr. Jeff is not common so don't expect common courtesy from him.
If you don't like me, bite me. Be warned, however, I may bite back!
((N)) ((I)) ((T)) ((A)) ((L)) ((L)) ((I)) ((C)) ((A))
((F)) ((A)) ((N))
------------------------------
From: [EMAIL PROTECTED] (Ulrich Elsner)
Subject: Re: Matrix Exponentiation
Date: 1 Sep 1999 14:03:04 GMT
According to Gary <[EMAIL PROTECTED]>:
>Matrix Exponentiation (Mod 2)
>
>A is 32X32 Matrix (Mod 2), 1024 bits long; Let N be any integer
>
>i) Given only A and A^N (A to the power of N), can N be calculated?
Yes, if necessary by brute force (at least, _a_ N can be computed):
B=A, M=1; while B<>A^N do { B=B*A; M=M+1}
this finds the smallest N. (N may not be unique, e.g. look at the
Identity).
>ii) Given A^N and N, can A be calculated?
In general, no.
Let A^3 be zeros(3). Then A could be, e.g.
[ 0 1 0 [ 0 0 1
0 0 1 or 0 0 0
0 0 0 ] 0 0 0 ]
Regards,
Ulrich
--
Ulrich Elsner, Fak. fuer Mathematik, TU Chemnitz, D-09107 Chemnitz, Germany
------------------------------
From: Paul Koning <[EMAIL PROTECTED]>
Subject: Re: Ciphertext disguised as plaintext? (newbie question)
Date: Wed, 01 Sep 1999 09:41:30 -0400
Matt Gibson wrote:
>
> (Apologies if this is an FAQ; I did read search the FAQ and Deja, but
> perhaps I was using the wrong terminology.)
>
> Are there any automatic encryption systems which produce a ciphertext
> which appears, at least to a casual glance, to be a plaintext? Is there
> a word for a system like this?
Yes. Look up "steganography". (Literally "hidden writing".)
paul
------------------------------
From: Gaston Gloesener <[EMAIL PROTECTED]>
Subject: Exponents in public key algorithms
Date: Wed, 01 Sep 1999 13:57:23 GMT
I really hope not to fall in with an FAQ question, but I did not see it
there so i ask it here.
Recently I am diggin into non licenses public key algorithm and stepped
onto the El-Gamal Algorithm. This as the others use exponetiation while
calculating the keys.
In this example a number (N) has to be choosen which should be quite
large. My book speaks about 1024 bits minumum. Later on other numbers
(g,x) have to be choosen which should be smaller than the first one (N)
but I believe they should still be very large. Especially the on which
is used as secret key (x).
Now later in the calculation you come to soming like g^x mod p.
My problem is understanding how this works in reality. Since x is the
secret key it should be very large (1024 bits?).
Suposing that g has n bits, the result of g^x will have at maximum
n*2^1024 bits which is a dramatic high value and cannot be handled
during the encryption.
Could anyone point me out how this does work ?
Thanks a lot,
Gaston.
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: [EMAIL PROTECTED] ()
Subject: Re: Correction to Uhr Box Description
Date: 1 Sep 99 13:56:22 GMT
Frode Weierud ([EMAIL PROTECTED]) wrote:
: On a somewhat more negative point is the speculations in the article about
: what some of the abbreviation on the Uhr label mean. I am afraid to say
: that I think the explanations given are more than far-fetched.
I have no knowledge of that matter. But he notes that, since there are no
written instructions for the Uhr box, perhaps it was turned to the next
position after a period of time.
Since there is the label with a two-letter indicator system, which is
again pictured in the article, I would have thought that it was *obvious*
that a random position is chosen for each message, and an indication of
the position is sent as part of the indicator.
I am surprised that an unnecessarily simplistic wiring was chosen for the
device; but perhaps I shouldn't be. The history of cryptology is replete
with ciphers designed by people who lacked the mathematical or other
sophistication to exploit what those who came later would see as "obvious"
room for improvement.
John Savard
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Schneier/Publsied Algorithms
Date: Wed, 01 Sep 1999 15:13:49 GMT
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Bruce Schneier)
wrote:
>On Tue, 31 Aug 1999 18:00:50 -0700 (PDT), Mixmaster
><[EMAIL PROTECTED]> wrote:
>
>>Hello Bruce
>>
>>How is it posible that some of your published algorithms...2fish have bugs in
> your source code?
>>
>>There are only two possible explanations for this:
>>1. A legitimate mistake was made...but no correction was ever published for
> it...or have you published the correction on your site..
>>
>>2. A deliberate bug was placed in your source code by some unknown person...
>>
>>Which leads me to this point:
>>
>>How can we in the crypto community EVER Trust any Publsihed Source Code
> without extensive testing and debugging... I wonder if you thought of this.
>>
>>Are there any published TEST VECTORS for your algorithms...and possibly other
> Algorithms...which treat the algorithm as a black box...etc...do you know of
> any such TEST VECTORS..
>>
>>But please Bruce...explain to us How is it that there are bugs in your own
> published algorithms...I did see some messages about this topic few months
> back..and have you made any corrections to them
>
>I don't know of any bugs in the Twofish source code. Please let me
>know what you found, and I will correct it immediately. Anything you
>found would be pathological, though, since we have written many
>different implementations of Twofish and they all interoperate. I am
>very interested.
>
>Bruce
>
I THINK THE QUESTION WAS TO TECHNICAL FOR MR "BS" HIMSELF
THE GUY ASKED FOR TEST VECTORS. SURELY YOU HAVE SOME
LIKE THE ONES I USE IN MY GLOAT CONTEST. THE KIND OF CONTEST
THAT YOUR WEAK METHOD COULD NOT RUN USING ANY OF YOUR
FAVORITE "FIPS" 3 LETTER CHAINNING METHODS.
THE GUY EVEN CPITALIZED """"TEST VECTORS""" MORE THAN ONCE
BUT I GUESS YOUR BRAIN OVER LOOKED IT. MAYBE THE USE OF
CAPITAL LETTERS MADE IT TO HARD TO READ. HOW THE HELL DO
YOU EXPECT HIM TO FIND THE ERRORS IF YOU CAN'T SEEM TO HAVE
THE ABILITY TO ANWSER DIRECT QUESTION PUT TO YOU. DO YOU
HAVE """TEST VECTORS""" FOR THE GUY OR NOT???
SURELY THE "nsa" COULD SUPPLY SOME THAT WOULD SATISFY EVERY
BODY OR ARE YOU TRYING TO HIDE CERTAIN FACTS. BECASUE I SUSPECT
YOU CAN READ THE LETTER. AND THE LETTER PLAINLY ASKED FOR
"""""""""" TEST VECTORS """"""""" HEY WAKE UP
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
http://members.xoom.com/ecil/index.htm
NOTE EMAIL address is for SPAMERS
------------------------------
From: Anton Stiglic <[EMAIL PROTECTED]>
Subject: Re: Exponents in public key algorithms
Date: Wed, 01 Sep 1999 10:25:23 -0400
First of all, the security lies solely on N, you have to choose a number N
such that the discret log problem in (DLP) n a group G of order N is
difficult,
and then just follow what the protocol says.
To realy understand ElGamal, you should look up an understand what
the DLP is (see any good crypto book).
x should be picked at random, it makes no sens to ask it to be large (in
fact,
if you just choose large x's, and don't choose them randomly in G, you are
reducing the security of your system.)
For the exponentiation, you have to use a special algorithm, somethimes
called "successive squaring method, see Knuth 1981, vol 2, page 441 for
example.
Anton
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Ciphertext disguised as plaintext? (newbie question)
Date: Wed, 01 Sep 1999 13:46:13 GMT
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (Matt Gibson) wrote:
> (Apologies if this is an FAQ; I did read search the FAQ and Deja, but
> perhaps I was using the wrong terminology.)
>
> Are there any automatic encryption systems which produce a ciphertext
> which appears, at least to a casual glance, to be a plaintext? Is there
> a word for a system like this?
It's called Stenagraphy (or something like that). Look it up.
Tom
--
PGP 6.5.1 Key
http://mypage.goplay.com/tomstdenis/key.pgp
PGP 2.6.2 Key
http://mypage.goplay.com/tomstdenis/key_rsa.pgp
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: Anton Stiglic <[EMAIL PROTECTED]>
Subject: Re: What if RSA / factoring really breaks?
Date: Wed, 01 Sep 1999 10:33:53 -0400
> and there is no known one-way functions in the quantum setting (remember
> that factoring is easy for quantum computers). it is a MAJOR open
> research problem, I was talking to many quantum computer guys during the
> latest AQIP workshop. Many of them admitted that this is an important
> problem and they had thought about it. No one had even a candidate
> function!
Yes, but there is quantum cryptography, that enables a public secret key
exchange
between Alice and Bob, in which if Oscar gets any info on the key, Alice and
Bob
will know about it and try again. They then use the one time pad.
Brassard and Bennet are the inventors.
see http://www.CS.McGill.CA/~crepeau/CRYPTO/Biblio-QC.html
for refs.
anton
------------------------------
From: Anton Stiglic <[EMAIL PROTECTED]>
Subject: Re: Exponents in public key algorithms
Date: Wed, 01 Sep 1999 10:28:36 -0400
>
>
> Well first off the private exponent has to be large for several reasons. The
> first is to eliminate simple guessing. I believe there are other real
> reasons, which maybe Bob can answer.
This makes no sens, you can start simple guessing with numbers close to N,
instead
of close to 0, or numbers close to N/c, what helps you then?
as
------------------------------
From: Anton Stiglic <[EMAIL PROTECTED]>
Subject: Re: Web encryption, some references please..
Date: Wed, 01 Sep 1999 10:36:29 -0400
There is a book that introduces crypto and it's utilisation on the
internet:
Stallings, Cryptography and network security, Prentice Hall, 1998.
It's not bad.
For more detail on any specific subject, search the web, there are
RFC and plenty of other info out there!
Anton
------------------------------
Date: Wed, 01 Sep 1999 11:05:15 -0400
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: RC4 question
Tom St Denis wrote:
> In article <[EMAIL PROTECTED]>,
> "Trevor Jackson, III" <[EMAIL PROTECTED]> wrote:
> >
> >
> > fungus wrote:
> >
> > > Red_Blue <[EMAIL PROTECTED]> wrote:
> > > >
> > > > Could someone please shed some light on the following issue:
> > > >
> > > > What is the difference in required brute force computing power for
> > > > breaking RC4-40 vs. RC4-128 export (40 secret) keys?
> > > >
> > >
> > > The difference is a factor of 2^(128-40) = 2^88.
> > >
> > > 2^88 is 300,000,000,000,000,000,000,000,000
> > >
> > > ie. RC4 128 is zillions of times more secure than RC4-40.
> >
> > I think the original question referred to the damaged form of RC4-128 in
> > which the secret portion of the 128-bit key is only 40 bits long, the
> > remainder being non-secret. The a brute force attack on the damaged
> > RC4-128 is aimed at a keyspace exactly as large as the full keyspace of
> > RC4-40.
> >
> >
>
> Why would you call it RC4-128 if only 40 bits are the secret key? It's like
> saying I use Blowfish with 256 bit keys (fine print: 255 bit salt). This is
> one reason why so many confusions come out.
>
> I think MS used a 88 bit salt to say the keys are 128-bits and make it sound
> good. The truth is the key is still only 40 bits, no matter how much salt
> you add on. And the truth is 32-bit salts would work fine anyways. The salt
> has to be unique to each message sent under the same key only.
For Marketing reasons they need to be able to claim 128-bit strength. For export
reasons they need to have 40-bit strength. So they implement real RC4-128. With
128-bit keys. But the ciphertext has 88 bits of the key attached. Thus they
gain the best of both worlds. They really are shipping true RC4-128. But the
strength is identical to RC4-40.
They only do this kind of thing (fraud) because it works.
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Exponents in public key algorithms
Date: Wed, 01 Sep 1999 14:07:57 GMT
In article <7qjbbs$ij2$[EMAIL PROTECTED]>,
Gaston Gloesener <[EMAIL PROTECTED]> wrote:
> I really hope not to fall in with an FAQ question, but I did not see it
> there so i ask it here.
>
> Recently I am diggin into non licenses public key algorithm and stepped
> onto the El-Gamal Algorithm. This as the others use exponetiation while
> calculating the keys.
>
> In this example a number (N) has to be choosen which should be quite
> large. My book speaks about 1024 bits minumum. Later on other numbers
> (g,x) have to be choosen which should be smaller than the first one (N)
> but I believe they should still be very large. Especially the on which
> is used as secret key (x).
>
> Now later in the calculation you come to soming like g^x mod p.
>
> My problem is understanding how this works in reality. Since x is the
> secret key it should be very large (1024 bits?).
>
> Suposing that g has n bits, the result of g^x will have at maximum
> n*2^1024 bits which is a dramatic high value and cannot be handled
> during the encryption.
>
> Could anyone point me out how this does work ?
Well first off the private exponent has to be large for several reasons. The
first is to eliminate simple guessing. I believe there are other real
reasons, which maybe Bob can answer.
The generator 'g' has to only be a primitive generator mod p (or have very
very large sub-groups). This is to ensure that g^x mod p is a function (i.e
one to one) and there are no collisions mod p. This way your public part
(PUBLIC = g^x mod p) is unique to x.
Next you have to realize that g^x mod p is not one operation but hundreads.
It's (g*g)*(g*......)) (all mod p) for example g^x mod p for x = 3, would be
(((g * g) mod p) * g) mod p
See the 'additive chaining' or 'multiply-and-square' method for ideas on how
this can be done reasonably efficiently.
Tom
--
PGP 6.5.1 Key
http://mypage.goplay.com/tomstdenis/key.pgp
PGP 2.6.2 Key
http://mypage.goplay.com/tomstdenis/key_rsa.pgp
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
