Cryptography-Digest Digest #228, Volume #10 Mon, 13 Sep 99 13:13:02 EDT
Contents:
RSA Cryptography Today FAQ (1/1) ([EMAIL PROTECTED])
Re: primes in dh (Bob Deblier)
Re: Help on cryptanalysis (JPeschel)
Re: 13 reasons to say 'no' to public key cryptography (Eric Young)
Re: peekboo has a home now ("Shaun Wilde")
Re: Workshop on Elliptic Curve Cryptography (ECC '99) (Robert Harley)
Make a point on KRYPTOS ("collomb")
Re: "Posting Anonymously is the Sign of a Coward" (Barrett Richardson)
Re: Mystery inc. (Beale cyphers) (Curt Welch)
Re: shared modulus in diffie-hellman (Anton Stiglic)
Re: primes in dh (jerome)
Re: Make a point on KRYPTOS (Jim Gillogly)
Re: H.235 Keys from Passwords algorithm (Paul Koning)
Re: 13 reasons to say 'no' to public key cryptography (Paul Koning)
Re: primes in dh (Tom St Denis)
Re: peekboo has a home now (Tom St Denis)
Re: Mystery inc. (Beale cyphers) (John Savard)
Re: shared modulus in diffie-hellman (jerome)
Re: Help on cryptanalysis ("Douglas A. Gwyn")
Re: Help on cryptanalysis ("Douglas A. Gwyn")
Re: primes in dh (Kent Briggs)
----------------------------------------------------------------------------
From: [EMAIL PROTECTED]
Crossposted-To:
talk.politics.crypto,alt.security.ripem,sci.answers,talk.answers,alt.answers,news.answers
Subject: RSA Cryptography Today FAQ (1/1)
Date: 13 Sep 1999 13:38:51 GMT
Reply-To: [EMAIL PROTECTED]
Archive-name: cryptography-faq/rsa/part1
Last-modified: 1997/05/21
An old version of the RSA Labs' publication "Answers to Frequently Asked
Questions about Today's Cryptography" used to be posted here until May
1997. These postings were not sponsored or updated by RSA Labs, and
for some time we were unable to stop them. While we hope the information
in our FAQ is useful, the version that was being posted here was quite
outdated. The latest version of the FAQ is more complete and up-to-date.
Unfortunately, our FAQ is no longer available in ASCII due to its
mathematical content. Please visit our website at
http://www.rsa.com/rsalabs/ to view the new version of the FAQ with your
browser or download it in the Adobe Acrobat (.pdf) format.
RSA Labs FAQ Editor
[EMAIL PROTECTED]
------------------------------
From: Bob Deblier <[EMAIL PROTECTED]>
Subject: Re: primes in dh
Date: Mon, 13 Sep 1999 15:50:11 +0200
Tom St Denis wrote:
> I decided instead of using DH for just key gen I will use it for pk instead.
> What happens is you make a key pair (x, g^x mod p) and give out the second.
> Whenever I want to talk to someone I take their public key and compute the
> normal g^xy mod p, since they have my public key ... etc... simple stuff.
>
> However to stop any people that are bent on thinking that they can easily be
> broken, can i get a somewhat large prime (say 1536 or 2048 bits?) please?
> Just to keep annoying people from saying 'hey 1024 is too small although it
> will never be broken, and it's probably easier just to break into the
> computer and steal the key out of memory .... etc"
>
> Thanks,
> Tom
Here's a (probable) 2048 safe prime. Both this number and (number - 1) / 2 are
probable primes, which simplifies the finding of a generator.
In case you don't have the algorithm for finding a generator (hope I remember
my math correctly)
Assuming you have a P where P = 2Q+1, and both P and Q are prime (like the one
above)
Step 1: Choose a random G with 1 < G < P-1
Step 2: If G^2 mod P equals 1 goto Step 1
Step 3: if G^Q mod P equals 1 goto Step 1
This is a simplification of a more general algorithm:
Assuming you have a prime P and the factorization of (P-1) = N =
p1^e1*p2^e2*...*pk^ek then:
Step 1: Choose a random G with 1 < G < P-1
Step 2: For i from 1 to k do the following:
Step 2.1: Compute b = G^(N/pi) mod P
Step 2.2: if b = 1 then goto Step 1
For more information, there's the excellent Handbook of Applied Cryptography by
Alfred J. Menezes.
Good luck
Bob Deblier
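Both procedures above, written out as an added example (not Bob Deblier's code) in Python for toy-sized primes; the distinct prime factors of P-1 are passed in, since the post assumes they are known, and the iteration-from-G=2 variant asked about later in this thread is included:

```python
# Added example, not from the digest: generator tests for Z_p^* on toy primes.
import secrets

def is_generator_safe_prime(g, p):
    """Bob's simplified test for a safe prime p = 2q+1 (q prime): the order of g
    divides p-1 = 2q, so it is 1, 2, q or 2q; ruling out g^2 = 1 and g^q = 1
    leaves only order 2q, i.e. g generates all of Z_p^*."""
    q = (p - 1) // 2
    return 1 < g < p - 1 and pow(g, 2, p) != 1 and pow(g, q, p) != 1

def is_generator(g, p, prime_factors):
    """The general test: with p-1 = p1^e1 * ... * pk^ek, g generates Z_p^* iff
    g^((p-1)/pi) != 1 (mod p) for every distinct prime pi dividing p-1."""
    n = p - 1
    return 1 < g < p and all(pow(g, n // r, p) != 1 for r in prime_factors)

def find_generator_random(p, prime_factors):
    """Steps 1-2 of the post: draw random candidates in 2..p-2 until one passes."""
    while True:
        g = 2 + secrets.randbelow(p - 3)
        if is_generator(g, p, prime_factors):
            return g

def smallest_generator(p, prime_factors):
    """Iterating g = 2, 3, ... also works: a fraction phi(p-1)/(p-1) of the
    group elements are generators, which for a safe prime is just under 1/2,
    so a hit comes quickly."""
    return next(g for g in range(2, p) if is_generator(g, p, prime_factors))

def order_q_element(p, prime_factors):
    """Caveat added here, not in the post: for DH over a safe prime, many
    implementations use an element of order q (a generator of the quadratic
    residues) instead of a full-group generator, so that g^x does not reveal
    whether x is even. The square of any full-group generator has order q."""
    return pow(smallest_generator(p, prime_factors), 2, p)

if __name__ == "__main__":
    # constructed toy parameters: 23 = 2*11 + 1 is a safe prime; 31 - 1 = 2*3*5
    print(smallest_generator(23, [2, 11]), find_generator_random(23, [2, 11]))
    print(smallest_generator(31, [2, 3, 5]), order_q_element(23, [2, 11]))
```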
------------------------------
From: [EMAIL PROTECTED] (JPeschel)
Subject: Re: Help on cryptanalysis
Date: 13 Sep 1999 13:31:05 GMT
"Kwong Chan" <[EMAIL PROTECTED]> writes:
>What other attacks can be applied on polyalphabetic ciphers?
>
>Does chosen-plaintext, differential cryptanalysis,
>linear cryptanalysis, etc., work?
Known- and chosen-plaintext attacks will work on
polyalphabetic ciphers, but they are really necessary
since a ciphertext-only attack will work.
Why bother with more difficult ways of finding a solution
when you already have two simple ones that work and require
only the enciphered message for the attack?
Joe
__________________________________________
Joe Peschel
D.O.E. SysWorks
http://members.aol.com/jpeschel/index.htm
__________________________________________
------------------------------
From: Eric Young <[EMAIL PROTECTED]>
Subject: Re: 13 reasons to say 'no' to public key cryptography
Date: Mon, 13 Sep 1999 23:38:21 +1000
Bill Unruh wrote:
>
> In <fxXC3.12943$[EMAIL PROTECTED]> "ME" <[EMAIL PROTECTED]> writes:
>
> >A bit on certificates and bandwidth.
> >In Australia, a 64k IDSN line can cost around $10,000/year.
>
> And in Canada a 2.5M ADSL line costs about $500/year. Surely Australia is
> not that far behind!
Less than 18 months ago the cost was about $10,000/year
(I'm not sure now). The telecommunication monopoly basically caused
ISDN to be stillborn. What is cute is that in Australia we do
not have timed local calls, so that one 56k modem can be kept
up for days at a cost of 25 cents (in the same city).
I seem to remember figures quoted 6 months back as ISDN
charges were 10% cost, 90% profit.
We key ISDN for the cost of a T1 link in the USA.
The battle to stifle cable modems has only just begun.
eric (slightly off topic).
------------------------------
From: "Shaun Wilde" <[EMAIL PROTECTED]>
Subject: Re: peekboo has a home now
Date: Mon, 13 Sep 1999 14:20:27 +0100
Source code - with a practical implementation. Yippee, just what a beginner
like me needs.
--
Shaun Wilde
http://www.many-monkeys.co.uk
Tom St Denis wrote in message <7rh8mb$f1l$[EMAIL PROTECTED]>...
>If anyone wants to hack at it (or break it) give it a shot, the source is
>there.... I have to clean up the source a bit (it works relative to C:\toms\
>on my hd) but if you just make a C:\toms directory it should compile with
>lcc-win32 with little trouble.
>
------------------------------
From: Robert Harley <[EMAIL PROTECTED]>
Subject: Re: Workshop on Elliptic Curve Cryptography (ECC '99)
Date: 13 Sep 1999 15:34:15 +0200
[EMAIL PROTECTED] (Alfred John Menezes) writes:
> You can read about the selection process for the primes in the NIST
> recommended prime fields in the technical report "Generalized Mersenne
> Numbers". The report is available from www.cacr.math.uwaterloo.ca
> under "Technical Reports".
I cannot see anything in there that is not utterly trivial.
But choosing such special moduli is another Really Bad Idea. They have
lots of special properties that randomly chosen ones would not have.
For instance composites of that form can be factored by the special
NFS whereas random composites almost never can. Many of them even
have algebraic factorisations.
Bye,
Rob.
------------------------------
From: "collomb" <[EMAIL PROTECTED]>
Subject: Make a point on KRYPTOS
Date: 13 Sep 1999 14:36:24 GMT
To make a point on KRYPTOS
Kryptos is a coded sculpture made up of characters which has stood for ten
years in the yard of the CIA building at Langley, Va., USA.
The enigma-monument comprises five series of characters and, in a separate
plot, a group of characters which looks like a Vigenere square, used as a
tool by all cryptographers in the world. The author of the sculpture is a
known American artist and the coding was carried out by a senior
cryptographer.
For some time an exchange of superficial ideas has developed, initially in the
press and on TV, then on sci.crypt and by e-mail, about the solution of
this enigma.
From the very start, the conceptors claimed that this enigma was a
PUZZLE and that its resolution did not require a computer but only
paper and pencil.
Three expert cryptographers, working separately, arrived at a partial
solution for the first four series of characters, but did not succeed in
decoding the fifth series of 97 characters.
The sculptor declared in June 1999 to a New York newspaper < that he
believes that the final secret hidden in the text of Kryptos will never be
deciphered >.
A French cryptographer, who signs this message, claims on his side to have
discovered, in a very different way, the final solution of the puzzle, which
includes the totality of the five series of characters. This solution presents
astonishing and awkward aspects at the present time, because it is based
on the book of the Revelation to John and its conception of the end of
times.
Thus we see intervening in the final solution prince GOG of the kingdom
of MAGOG, the snake of Genesis and the Cross of Christ. The Cross
crushes the snake, as one sees in many religious figurations < for
example, on a Christ in Notre-Dame of Paris >.
If this < French > solution had been revealed a few years ago, it
would not have given rise to the least objection, for all it
contains has been in the Bible for two millennia. But today, times
have abruptly changed. With the end of the bimillennium,
many groups, illuminated or not, refer to the end of times and spread
their sometimes worrying literature in newspapers and on the Internet.
My solution, published on the Internet:
http://calvaweb.calvacom.fr/collomb /
suddenly cannot any more be < persona grata >.
But it is necessary to look further. Why claim today that
the fifth series of characters will never be discovered?
It is not an insult to the conceptors to think that they could have
imagined several false ways, among which the most credible is
precisely to use the Vigenere code... That is the style of that kind of
game.
I think we should not take this affair too seriously but rather as
an entertainment for specialists, and thus I took it.
I wish a real discussion based on solid arguments.
[EMAIL PROTECTED]
------------------------------
From: Barrett Richardson <[EMAIL PROTECTED]>
Crossposted-To:
alt.fan.gburnore,alt.usenet.kooks,alt.privacy.anon-server,alt.privacy,alt.cypherpunks
Subject: Re: "Posting Anonymously is the Sign of a Coward"
Date: Mon, 13 Sep 1999 10:45:33 -0400
On 12 Sep 1999, Charlie Comsec wrote:
>
> >
> > Just include the ID and signature in the message body, like a PGP
> > signed message that also has the public key. Requests for the existence
> > of "usenet ID" can be sent to a listserver.
>
> Of course anyone is welcome to include information of that type in
> the body of a message. And if someone's ISP's server starts adding
> information to the *BODY* of a usenet post, the user would have to
> evaluate whether to continue using the services of that server.
>
> Allowing a server to alter the content of the body would dilute any
> accountability by the author for such content, however, since it
> opens up the possibility of servers adding message content without
> permission of the message's author. Why not include it as an
> X-Usenet-ID: line in the headers and leave the body alone?
>
Maybe for the scope of the "experiment" the comment header would be
a good place. I wouldn't want to do a major overhaul to see if
something is going to work.
> > > However, how does it address the concern about anonymity, especially
> > > where anonymous usenet posts start out as anonymous *E-MAIL*
> > > messages routed to a mail-to-news gateway where they are converted
> > > into usenet posts? If you implemented this at the gateway news
> > > server, for example, the only ID on an anonymous post would be that
> > > of the remailer used to send the message to the gateway.
> >
> > Well, it doesn't address a mail gateway at all. As an initial idea,
> > it would be an integral part of news services for my customers if
> > implemented. I would be exercising some editorial control and
> > would want to be able to release information to the authorities
> > should a court action require it.
>
> If your users prefer to use a scheme like that, I would not
> object to it. It would be their choice.
Judging from the Freenix top1000 list, most people aren't using
remailers to post articles. There should be plenty of room
for experimentation.
>
> > How is information secured in transit with the mail-to-news
> > gateway?
>
> I'm not sure I understand your question. In transit *TO* the
> gateway, via email, or on usenet AFTER the server?
>
> > > The other problem is that it still does not facilitate a complete
> > > posting history on any REAL PERSON because there is no way to ensure
> > > that the person is only using one ID to post with.
> >
> > For my own customers, each user gets a usenet ID. I wouldn't
> > want random activity from the internet funneled through my
> > server with the initial draft. My own local users just get an
> > alternate newsreader to access if they want anonymity, and
> > they must authenticate to it.
>
> It would certainly represent an improvement from the notion that an
> ID from one medium, email, should accompany every usenet post. Of
> course, it wouldn't appease those who seem to be demanding a
> "repliable" address for purposes of proving "responsibility".
>
> > > Also, you said that "Messages are archived and made available
> > > on the server". Given the current popularity of concealing posts
> > > using the X-No-Archive header, do you now propose to make archiving
> > > mandatory?
> >
> > Well, possibly. It *is* public information. It depends on
> > how feasible it is to identify a pattern of abuse without it.
> > Shouldn't inhibit responsible users. Another question is how
> > available the archive should be publicly.
>
> An even bigger problem would be DEFINING abuse in an objective
> manner. 'Bots already exist which detect and remedy abuse based on
> objective standards like BI. But if you throw in subjective
> standards for "abuse", who is to evaluate that?
Good point. And whether the ISP will become subject to the abuse it
is trying to spare its users and the usenet community, in the
form of complaints and legal hassles, is another question.
>
> Earlier you stated that you wanted the privilege of taking the
> totality of a person's posts to credit or discredit him. Given the
> short lifespan of posts on individual news servers, such a
> publicly-available archive would need to be maintained to facilitate
> that. That is unless you were only wishing that privilege for
> yourself, and not for netizens in general. But doing so would say
> that those who choose to avail themselves of the X-No-Archive header
> would lose the benefits of that privilege by using your server. Is
> that really a selling point for people to choose your ISP instead of
> another which does not implement such a scheme?
>
Well, treating the "experimental" server's users like any others would
simplify the experiment.
> - --
> Charlie Comsec <[EMAIL PROTECTED]>
>
------------------------------
Subject: Re: Mystery inc. (Beale cyphers)
From: [EMAIL PROTECTED] (Curt Welch)
Date: 13 Sep 1999 15:11:08 GMT
sha99y00000 <[EMAIL PROTECTED]> wrote:
> Though before I resign to a hoax, I'm going to test a few documents
> with Ed Rupp's theory and see if they throw up any anomalies.
As Jim already pointed out, you can't really prove a cypher is a hoax just
by analyzing the numbers. All good cyphers will look like random numbers.
Either you can decode it, or you can't. If you say "It's a hoax", what
you are really saying is "I give up, it's too hard for me to figure out."
The key to breaking any cypher is to analyze it as many ways as possible,
and then come up with an encoding technique which matches _all_ the
characteristics of the numbers you have observed. For each guess you
make at an encoding technique, you look at what doesn't work, and try
to come up with a refinement to your guess which makes it fit the cypher
better. Repeat until done.
If you analyze the numbers and find nothing other than what you would
expect for pure random numbers, then you have little to work with. The
less random the numbers are, the more you have to work with. The
alphabetic strings that appear when #1 is decoded with the DOI are far
from random, so that's a _big_ clue to the encoding. Ed's table theory
is one example of an encoding technique that could explain the alphabetic
strings. But like I said, there are problems that are not answered by
the theory - so it needs further refinement. But my gut instinct tells me
the theory is on the right track to the solution.
--
Curt Welch http://CurtWelch.Com/
[EMAIL PROTECTED] Webmaster for http://NewsReader.Com/
------------------------------
From: Anton Stiglic <[EMAIL PROTECTED]>
Subject: Re: shared modulus in diffie-hellman
Date: Mon, 13 Sep 1999 11:32:16 -0400
Tom St Denis wrote:
> Is it ok to use a shared modulus in diffie-hellman... IF the precomputation
> stage is considered infeasible?
>
Yes, it's o.k.; use a large prime p as modulus, say 2048 bits.
>
> I think it's GF(2^n) where with precomputation you can solve any DL right?
> What if I use a large prime modulus?
>
I see you read Schneier's book....
There are attacks that use precomputation, Baby-step Giant-step for instance,
that work for a general group. If you are in a group G_n, some attacks
rely on the fact that you know the factorization of n (for example the Pohlig-
Hellman algorithm). If n=pq and p-1 has small factors, one can use Pollard's
factoring algorithm, and thus use the Pohlig-Hellman algorithm; this is why we
recommend p-1 have large factors.
>
The big green book from Menezes, van Oorschot and Vanstone has some sections
about such attacks.
as
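An added example (not from the post) of the Pohlig-Hellman reduction the reply refers to, run on constructed toy primes, together with the parameter check a defender would run: the largest prime factor of p-1 bounds the brute-force work, which is why p-1 needs a large factor.

```python
# Added example, not from the digest: why the factorization of p-1 matters for a
# Diffie-Hellman modulus. Pohlig-Hellman reduces a discrete log in Z_p^* to one
# brute-force search per prime power dividing p-1, so the work is bounded by the
# LARGEST prime factor of p-1, not by p. Toy-sized primes only.

def trial_factor(n):
    """{prime: exponent} for n by trial division (fine for toy sizes)."""
    factors, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors

def is_generator(g, p, factors):
    """g generates Z_p^* iff g^((p-1)/q) != 1 (mod p) for every prime q | p-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in factors)

def crt(residues, moduli):
    """Combine x = r_i (mod m_i), pairwise coprime m_i, into x mod prod(m_i)."""
    x, m = 0, 1
    for r, mod in zip(residues, moduli):
        x += m * (((r - x) * pow(m, -1, mod)) % mod)
        m *= mod
    return x % m

def dlog_prime_power(g, h, p, q, e):
    """Solve g^x = h (mod p) for x mod q^e, given that g has order q^e.
    x is found one base-q digit at a time; each digit costs at most q trials,
    so the total is about e*q group operations instead of q^e."""
    x = 0
    gamma = pow(g, q ** (e - 1), p)            # element of order exactly q
    for k in range(e):
        hk = pow(h * pow(g, -x, p), q ** (e - 1 - k), p)
        digit = next(d for d in range(q) if pow(gamma, d, p) == hk)
        x += digit * q ** k
    return x

def pohlig_hellman(g, h, p):
    """Discrete log of h base g in Z_p^*, g a generator. Returns (x, cost),
    where cost is the size of the largest brute-force search that was needed."""
    n = p - 1
    factors = trial_factor(n)
    residues, moduli = [], []
    for q, e in factors.items():
        m = q ** e
        # project both elements into the subgroup of order q^e and solve there
        residues.append(dlog_prime_power(pow(g, n // m, p), pow(h, n // m, p), p, q, e))
        moduli.append(m)
    return crt(residues, moduli), max(factors)

def dh_param_check(p):
    """Defender's check from the post: the largest prime factor of p-1.
    For a safe prime p = 2q+1 it is q ~ p/2; for a smooth p-1 it is tiny."""
    return max(trial_factor(p - 1))

def demo(p, secret):
    """Pick the smallest generator of Z_p^*, publish g^secret, recover secret."""
    factors = trial_factor(p - 1)
    g = next(g for g in range(2, p) if is_generator(g, p, factors))
    public = pow(g, secret, p)
    return pohlig_hellman(g, public, p)

if __name__ == "__main__":
    # constructed toy parameters: 1008 = 2^4 * 3^2 * 7 is smooth, 106 = 2 * 53 is not
    print("smooth p-1:", demo(1009, 777))   # largest search is 7 of 1008 exponents
    print("safe prime:", demo(107, 60))     # largest search is 53, about p/2
```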
------------------------------
From: [EMAIL PROTECTED] (jerome)
Subject: Re: primes in dh
Date: 13 Sep 1999 16:04:31 GMT
Reply-To: [EMAIL PROTECTED]
On Mon, 13 Sep 1999 01:59:33 GMT, Tom St Denis wrote:
>Does anybody have a large prime modulus for dh handy (in hex or decimal).
see rfc2412 appendix E about oakley
------------------------------
From: Jim Gillogly <[EMAIL PROTECTED]>
Subject: Re: Make a point on KRYPTOS
Date: Mon, 13 Sep 1999 16:12:21 +0000
collomb wrote:
> From the very start, the conceptors claimed that this enigma was a
> PUZZLE and that its resolution did not require a computer but only
> paper and pencil.
Please provide a reference for this. I haven't seen any statement
from either Sanborn or Scheidt that would indicate this.
--
Jim Gillogly
Mersday, 22 Halimath S.R. 1999, 16:11
12.19.6.9.10, 3 Oc 18 Mol, First Lord of Night
------------------------------
From: Paul Koning <[EMAIL PROTECTED]>
Subject: Re: H.235 Keys from Passwords algorithm
Date: Mon, 13 Sep 1999 11:27:46 -0400
Medical Electronics Lab wrote:
>
> Douglas Clowes wrote:
> >
> > Section 10.3.2 of ITU-T H.235 states in part:
> >
> > The encryption key is length N octets (as indicated by the AlgorithmID), and
> > is formed as follows:
> > - If password length = N, Key = password;
> > - if password length < N, the key is padded with zeros;
> > - if password length > N, the first N octets are assigned to the key,
> > then the N + Mth octet of the password is XOR'd to the Mmod(N)th octet (for
> > all octets beyond N) (i.e. all "extra" password octets are repeatedly folded
> > back on the key by XORing).
> >
> > is it just me, or is this less than secure for generating keys to be used in
> > algorithms like RC2, DES, 3DES, MD5, SHA1?
>
> SHA is a hash, so that doesn't matter.
I assume he meant keyed hashes (e.g., "HMAC").
Anyway, yes, clearly that text was written by someone who just
doesn't understand the topic...
paul
------------------------------
From: Paul Koning <[EMAIL PROTECTED]>
Subject: Re: 13 reasons to say 'no' to public key cryptography
Date: Mon, 13 Sep 1999 11:41:34 -0400
Thierry Moreau wrote:
>
> I once wrote this opinion statement
> (http://www.connotech.com/13reas.htm) entitled "Thirteen Reasons to Say
> 'No' to Public Key Cryptography." It might be a starting point for some
> interesting discussions in sci.crypt.
I'm not having much luck trying to figure out what the purpose
of your document is.
It discusses various issues surrounding PKI (which is not the
same as public key cryptography) and some non-issues (such as
chosen ciphertext attack, which is trivially avoided and not
an issue in any real implementation).
If the message is "PKI does not solve all problems trivially",
well, yes, I agree. That's been known for decades. Meanwhile,
however, public key crypto is a very useful tool that does its
job better than the alternative in many cases. (Consider PK based
authentication vs. symmetric-key key server based schemes such
as Kerberos.) That too has been well known for some time.
I notice the text says "no conclusion is easily drawn from the
assortment of observations reported...". Right. So why did
you put the title ("reasons to say 'no'...") on there? That title
directly contradicts your disclaimer. If you want to say
"no" 13 times, would you care to offer alternative approaches?
With supporting reasoning as to why they are better in large
scale real world settings?
paul
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: primes in dh
Date: Mon, 13 Sep 1999 16:13:35 GMT
In article <[EMAIL PROTECTED]>,
Bob Deblier <[EMAIL PROTECTED]> wrote:
> Here's a (probable) 2048 safe prime. Both this number and (number - 1) / 2 are
> probable primes, which simplifies the finding of a generator.
>
>
Whoa... how did you make that? I don't think I want a modulus that big since
I am using the output of sha-1 to make the key anyways. Do you have the
source or exe for the program (to make the prime) avail? I will stick to
this modulus for now though since I don't have any source to make one (I
could build some but I am busy now).
>
> In case you don't have the algorithm for finding a generator (hope I remember
> my math correctly)
>
> Assuming you have a P where P = 2Q+1, and both P and Q are prime (like the one
> above)
Q is the modulus? (since modulus - 1 / 2 must be prime ?)
> Step 1: Choose a random G with 1 < G < P-1
> Step 2: If G^2 mod P equals 1 goto Step 1
> Step 3: if G^Q mod P equals 1 goto Step 1
>
> This is a simplification of a more general algorithm:
Can I iterate this to find one or is there a more efficient method? I just
need a single generator. So I iterate this from G = 2 to n can I expect to
find a generator soon?
Well tonight and tomorrow night I will be working on peekboo. I want to
change the modulus and I think I can do it with djgpp+lip. I will try to
make a generator program as well ...
Thanks for the info.
BTW the record is about 395 bits for DLP? Would a 768 bit modulus be worth
it?
(all new to me :) )
Tom
--
damn windows... new PGP key!!!
http://people.goplay.com/tomstdenis/key.pgp
(this time I have a backup of the secret key)
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: peekboo has a home now
Date: Mon, 13 Sep 1999 16:02:29 GMT
In article <7ritlk$[EMAIL PROTECTED]>,
"Shaun Wilde" <[EMAIL PROTECTED]> wrote:
> Source code - with a practical implementation. Yippee, just what a beginner
> like me needs.
If you have any questions about the source (any at all) just ask me directly
at '[EMAIL PROTECTED]'. I don't mind helping.
Tom
--
damn windows... new PGP key!!!
http://people.goplay.com/tomstdenis/key.pgp
(this time I have a backup of the secret key)
Sent via Deja.com http://www.deja.com/
Share what you know. Learn what you don't.
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Mystery inc. (Beale cyphers)
Date: Mon, 13 Sep 1999 16:12:53 GMT
[EMAIL PROTECTED] (Curt Welch) wrote, in part:
>As Jim already pointed out, you can't really prove a cypher is a hoax just
>by analyzing the numbers. All good cyphers will look like random numbers.
>Either you can decode it, or you can't. If you say "It's a hoax", what
>you are really saying is "I give up, it's too hard for me to figure out."
There were two papers; one was decoded, and implied the second one was
coded in the same general system. So one can prove that this was not
the case, and additionally, as the papers were encoded at a given date
in the past, one can eliminate from consideration such methods as DES
encryption.
John Savard ( teneerf<- )
http://www.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: [EMAIL PROTECTED] (jerome)
Subject: Re: shared modulus in diffie-hellman
Date: 13 Sep 1999 16:15:27 GMT
Reply-To: [EMAIL PROTECTED]
On Mon, 13 Sep 1999 11:18:14 GMT, Tom St Denis wrote:
>Is it ok to use a shared modulus in diffie-hellman... IF the precomputation
>stage is considered infeasible?
IPsec uses more or less the same modulus (5 different ones with different
sizes).
>I think it's GF(2^n) where with precomputation you can solve any DL right?
I would be really interested in information about the precomputation
phase: complexity in time and space.
>What if I use a large prime modulus?
rfc2412.E
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Help on cryptanalysis
Date: Mon, 13 Sep 1999 15:29:34 GMT
Kwong Chan wrote:
> What other attacks can be applied on polyalphabetic ciphers?
If the enciphering alphabets are related by offsets,
which is usually the case for a periodic polyalphabetic,
then "symmetry of position" is a powerful tool (direct
symmetry if the plain component is the same as the cipher
component, indirect symmetry otherwise).
> Does chosen-plaintext, differential cryptanalysis,
> linear cryptanalysis, etc., work?
Chosen plaintext would certainly work against a periodic
polyalphabetic, since you could choose (for period 5):
AAAAABBBBBCCCCCDDDDDEEEEE... as the chosen plaintext and
thereby obtain the complete set of enciphering alphabets.
"Differential" and "linear" C/A in the sense of the
recently published attacks against block ciphers have
very little application in C/A of traditional systems.
There is a general technique known as "depth reading"
that involves the use of multiple messages (or
sections of messages) aligned so that the same enciphering
alphabet was used for all the messages, at each position.
(Think of stacking the texts such that each column is
enciphered with a monoalphabetic substitution.) One can
apply the underlying source monoalphabetic statistical
model to each column, and n-gram model across columns,
to help crack the encipherment.
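Depth reading as described above, as an added example (not Douglas Gwyn's code): a Vigenere cipher stands in for the periodic polyalphabetic with offset-related alphabets, the sample plaintext and key are constructed here, and each column is solved on its own with the monoalphabetic frequency model.

```python
# Added example, not from the digest: depth reading against a periodic
# polyalphabetic (Vigenere). Ciphertext-only: find the period, stack the text
# so each column was enciphered with one alphabet, then fit each column to the
# English letter model. Letter probabilities for A..Z are a standard table.
ENGLISH_FREQ = [
    .082, .015, .028, .043, .127, .022, .020, .061, .070, .0015, .0077, .040, .024,
    .067, .075, .019, .00095, .060, .063, .091, .028, .0098, .024, .0015, .020, .00074]

def clean(text):
    """Keep only the letters, upper-cased, as a classical cipher would."""
    return "".join(ch for ch in text.upper() if "A" <= ch <= "Z")

def vigenere(text, key, decrypt=False):
    """Periodic polyalphabetic whose alphabets are related by offsets."""
    out = []
    for i, ch in enumerate(clean(text)):
        k = ord(key[i % len(key)]) - 65
        out.append(chr((ord(ch) - 65 + (-k if decrypt else k)) % 26 + 65))
    return "".join(out)

def columns(ct, period):
    """Stack the text in rows of `period`; column j is the depth enciphered with
    alphabet j, so it behaves like a monoalphabetic substitution."""
    return [ct[j::period] for j in range(period)]

def index_of_coincidence(col):
    n = len(col)
    return sum(col.count(c) * (col.count(c) - 1) for c in set(col)) / (n * (n - 1))

def find_period(ct, max_period=12, threshold=0.055):
    """Smallest period whose columns look monoalphabetic: English text has an
    IC near 0.066, while a mix of several alphabets sits nearer 0.04-0.05."""
    for d in range(1, max_period + 1):
        if sum(index_of_coincidence(c) for c in columns(ct, d)) / d >= threshold:
            return d
    return None

def best_shift(col):
    """Apply the monoalphabetic model to one column: chi-squared between the
    counts under each trial shift and the expected English counts; lowest wins."""
    n = len(col)
    def chi2(shift):
        counts = [0] * 26
        for ch in col:
            counts[(ord(ch) - 65 - shift) % 26] += 1
        return sum((counts[i] - n * f) ** 2 / (n * f) for i, f in enumerate(ENGLISH_FREQ))
    return min(range(26), key=chi2)

def recover_key(ct, period):
    return "".join(chr(65 + best_shift(c)) for c in columns(ct, period))

def break_vigenere(ct):
    """Ciphertext-only: find the depth, then solve each column independently."""
    period = find_period(ct)
    key = recover_key(ct, period)
    return key, vigenere(ct, key, decrypt=True)

# constructed sample: plaintext and key chosen here, not taken from the thread
SAMPLE_PLAINTEXT = (
    "Depth reading works because every letter in one column of the stacked "
    "messages was enciphered with the same alphabet so the column behaves like "
    "a simple substitution and the ordinary frequency counts of the language "
    "apply to it directly. A cryptanalyst who counts the letters in each column "
    "can therefore recover each shift on its own and then read the whole message "
    "across the columns with the help of common words and digrams in the text. "
    "This is exactly why a long message or several messages in depth are so much "
    "easier to read than a single short one.")
SAMPLE_KEY = "KEY"
SAMPLE_CIPHERTEXT = vigenere(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    key, plain = break_vigenere(SAMPLE_CIPHERTEXT)
    print(key, plain[:40])
```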
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Help on cryptanalysis
Date: Mon, 13 Sep 1999 15:20:21 GMT
Tom St Denis wrote:
> When you find the period you are essentially doing a linear attack.... :)
Since that doesn't seem correct on the surface,
perhaps you should explain why.
------------------------------
From: Kent Briggs <[EMAIL PROTECTED]>
Subject: Re: primes in dh
Date: Mon, 13 Sep 1999 16:54:14 GMT
Tom St Denis wrote:
> I decided instead of using DH for just key gen I will use it for pk instead.
> What happens is you make a key pair (x, g^x mod p) and give out the second.
> Whenever I want to talk to someone I take their public key and compute the
> normal g^xy mod p, since they have my public key ... etc... simple stuff.
You may want to look at my Puffer program
(http://www.briggsoft.com/puffer.htm). It uses Diffie-Hellman in a
store-and-forward mode for a public key cryptosystem with digital signatures
similar to the way PGP works. It doesn't include source but there is a text
file that documents all the protocols and file formats.
--
Kent Briggs, [EMAIL PROTECTED]
Briggs Softworks, http://www.briggsoft.com
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************