Cryptography-Digest Digest #365

```
Cryptography-Digest Digest #365, Volume #10       Tue, 5 Oct 99 16:13:03 EDT

Contents:
Re: Compress before Encryption (SCOTT19U.ZIP_GUY)
Re: Perfect Shuffle Algorithm? (Randy Poe)
Re: Anybody implementing PKCS#11 using SSLeay? (Hideo Shimizu)
Re: 2^n - 1 = a * b (Peter L. Montgomery)
postdoctoral positions available at Waterloo (Alfred John Menezes)
Re: RSA-512 Broken by Israelis (Tom)
Re: RSA-512 Broken by Israelis (Bob Silverman)
Re: factoring with quadratic sieve (Bob Silverman)
Re: radioactive random number generator (Herman Rubin)
Re: radioactive random number generator (Herman Rubin)
Re: EAR Relaxed? Really? ("karl malbrain")
Re: Newbie question:  RSA and Key Escrow ("Matt Atwood")
Re: Findkey (MLuttgens)
Re: True Random numbers (jerome)
Re: Is 128 bits safe in the (far) future? (SCOTT19U.ZIP_GUY)
Re: radioactive random number generator ("John E. Kuslich")

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Compress before Encryption
Date: Tue, 05 Oct 1999 02:57:13 GMT

In article <tdaK3.5418$[EMAIL PROTECTED]>, "Richard Parker"
<[EMAIL PROTECTED]> wrote:
>"Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote:
>> Using "C" and "C'" for the forward and reverse mapping,
>>  for all m in V*: C(m) and C'(m) are well defined and in V*.
>>  for all m in V*: C'C(m) == m and CC'(m) == m.
>
>I agree.
>
>> Since V* is open-ended (and denumerably infinite), there are some
>> interesting questions about algorithm termination, etc.
>
>Yes, since V* is countably infinite the properties which we are
>discussing are not sufficient to guarantee that a compression
>algorithm will terminate.  Conventional adaptive Huffman compression,
>since for these algorithms the amount of expansion that can occur when
>an input is compressed can be proved to have a finite bound.
>
>It is, however, an interesting point.
>
>> I don't think the name "symmetric" properly captures the essence.
>> "Universal", "complete", or "covering" is closer..
>
>I don't think "complete" is a good choice, but I think there is an
>argument that makes use of both "symmetric" and "universal".  If David
>Scott's compression function C is used to define a binary relation
>
>  R = {<x,y> in V* x V* : y = C(x)}
>
>then, unlike conventional compression, the symmetric closure is
>
>  s(R) = V* x V* = U.
>
>So the distinguishing property of David Scott's scheme is that the
>symmetric closure of the compression relation is the universal
>relation on V*.
>
>I'm afraid that this doesn't really get me much closer to finding a
>convenient name for his scheme.  The phrase "symmetric-closure-
>universal compression" doesn't exactly roll off the tongue.
>
>-Richard
>
>

How about LDS compression, for Latter Day Super Compression? Does that have
a better ring to it for you, Mr. Parker?

Take Care

David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
http://members.xoom.com/ecil/index.htm
NOTE EMAIL address is for SPAMMERS

------------------------------

From: Randy Poe <[EMAIL PROTECTED]>
Crossposted-To: sci.stat.math,sci.math
Subject: Re: Perfect Shuffle Algorithm?
Date: Mon, 04 Oct 1999 22:48:50 -0400

Douglas Zare wrote:
> Splitting a deck into two even stacks seems quite reasonable; numerous tricks
> require that one discreetly place a card into the nth position, though usually n
> is smaller. But perfect shuffles are relatively hard.

Nevertheless, I have read more than one magician's book
claiming that the perfect shuffle can be reliably learned,
and that it is the basis of a number of tricks. It doesn't
surprise me all that much, since many of the secrets
behind magic tricks at the professional level rely on
astonishing feats of precision and dexterity. To me,
the secret behind the trick is the really impressive
part.

I believe N=4 perfect shuffles return the deck to original
order.

I remember Kreskin once saying that many of his card
tricks relied on the ability to fan the deck and
instantly memorize the sequence.

- Randy

------------------------------

From: Hideo Shimizu <[EMAIL PROTECTED]>
Subject: Re: Anybody implementing PKCS#11 using SSLeay?
Date: Tue, 05 Oct 1999 13:25:48 +0900

See http://www.trustcenter.de/html/Produkte/TC_PKCS11/1494.htm

Hideo Shimizu
TAO, Japan

------------------------------

From: [EMAIL PROTECTED] (Peter L. Montgomery)
Subject: Re: 2^n - 1 = a * b
Date: Tue, 5 Oct 1999 05:14:38 GMT

In article <[EMAIL PROTECTED]>
[EMAIL PROTECTED] ( Doug Goncz ) writes:
>Which of the Mersenne prime possibilities which are not Mersenne primes have
>exactly two or three factors, other than 1 and self?
>
>I find n = 4, 9, and 11, which are 3 * 5, 7 * 73, and 23 * 89, in casual play
>with a calculator.
>
>I can make use of n up to, say, 32.

http://www.cs.purdue.edu/homes/ssw/cun/index.html
has the factorizations of 2^n +- 1 for all n < 600 and many larger n.
It also has bases 3, 5, 6, 7, 10, 11, 12, albeit for smaller exponent ranges.
--
[EMAIL PROTECTED]    Home: San Rafael, California
Microsoft Research and CWI

------------------------------

From: [EMAIL PROTECTED] (Alfred John Menezes)
Subject: postdoctoral positions available at Waterloo
Date: 5 Oct 1999 13:51:01 GMT

==========================================================================
POSTDOCTORAL POSITIONS IN CRYPTOGRAPHY AND QUANTUM COMPUTING

Centre for Applied Cryptographic Research
Department of Combinatorics and Optimization
University of Waterloo

Applications are invited for several one-year and two-year
postdoctoral positions in any area of cryptography or quantum
computing. Some of these positions are being funded through
the Applied Cryptography project, which is part of the MITACS
Network of Centres of Excellence.

A Ph.D. and proven ability, or the potential, for excellent
research is required. Responsibilities may include teaching
candidates will be joining a substantial research and training
centre in cryptography at the Centre for Applied Cryptographic
Research (CACR). Information about CACR personnel and activities
can be found at www.cacr.math.uwaterloo.ca

The normal starting date of the appointment is July 1, 2000, however
this can be changed on the applicant's request. A $3,000/year travel
grant will be provided (with the possibility of more travel funds
subject to availability).

Interested individuals should send a curriculum vitae, 2 or 3
selected reprints/preprints, and the names of three references
to:     Professor Bill Cunningham, Chair
Cryptography PDFs
Department of Combinatorics and Optimization
Faculty of Mathematics
University of Waterloo

email: [EMAIL PROTECTED]
phone: (519) 888-4566 x3482
fax:   (519) 725-5441
http://math.uwaterloo.ca/CandO_Dept/homepage.html

Closing date for receipt of applications is March 15, 2000.
Some applications may be processed as they are received.
==========================================================================

==========================================================================
| Alfred Menezes        | Email: [EMAIL PROTECTED]                   |
| Department of C&O     | Phone: (519) 888-4567 x6934                    |
| University of Waterloo| Web page: www.cacr.math.uwaterloo.ca/~ajmeneze |
| Waterloo, Ontario     | Web page for Handbook of Applied Cryptography: |
| Canada N2L 3G1        |         www.cacr.math.uwaterloo.ca/hac/        |
| Centre for Applied Cryptographic Research: www.cacr.math.uwaterloo.ca  |
==========================================================================

------------------------------

From: [EMAIL PROTECTED] (Tom)
Subject: Re: RSA-512 Broken by Israelis
Date: Tue, 05 Oct 1999 17:37:30 GMT

Reminds me of the saying that a reporter is "an
expert on everything, yet knows nothing about
anything".

And of course, the PT Barnum theory.

On Tue, 5 Oct 1999 09:21:20 +0100, "Martin
Whitworth" <[EMAIL PROTECTED]> wrote:

>
>Tom St Denis wrote in message <7ta8mm$ua9$[EMAIL PROTECTED]>...
>>In article <7ta79g$tbk$[EMAIL PROTECTED]>,
>>  [EMAIL PROTECTED] wrote:
>>> Apparently the Israelis have broken RSA-512, the standard for internet
>>> banking, in less than 1 second.
>>>
>>>
>>> http://www.sunday-times.co.uk/news/pages/tim/99/09/29/timintint02001.html?1341861
>>
>>Apparently that website sucks the big one.  Do you have excerpts you
>>would like to share with the group.
>>
>>Tom
>>
>>
>>Sent via Deja.com http://www.deja.com/
>
>FYI, Here is the 'offending' article:
>Cheers
>Martin
>
>
>No safety in numbers
>
>BEN HAMMERSLEY
>
>After an Israeli research institute said it could break Europe's banking
>codes in less than a second, an initiative has been launched that could
>result in unbreakable codes.
>
>The European Institute of Quantum Computing Network was launched on Monday,
>to bring companies and research labs throughout Europe together in the hope
>that the new technology - Quantum Computing - can be taken from the theory
>to the high street.
>
>The institute was founded a few weeks after news leaked from Israel's
>Weizmann Institute that it was using a mixture of quantum computing and
>special optical technology to break the RSA-512 code, the system used by the
>European banking system. It claims it has developed a hand-held device that
>can break the code in 12 microseconds.
>
>Quantum computing works by taking advantage of the peculiar characteristics
>of subatomic particles. Whereas a normal computer relies on a signal - or
>bit - being either on or off, a quantum bit can be both on and off at the
>same time. This unusual ability means a great deal more information can be
>stored. While a regular computer works through each sum one at a time, a
>quantum computer can do every operation at the same time.
>
>This, the EIQC says, offers, "not just incremental improvements, but a
>fundamental breakthrough" in computing power - enough for code-breaking,
>voice-recognition and translating computers to be simple to build.
>
>The second aspect of Quantum computing, however, will help to make
>information more secure. Using a feature called "quantum entanglement",
>information could be sent between two computers that could not be
>eavesdropped upon without the two computers' knowledge. Because quantum
>physics dictates that monitoring a subatomic particle changes its state; not
>only would an eavesdropper announce his presence, but the message would be
>garbled.
>
>"A hacker wouldn't know where to start," says Jonathan Curtis of Quantum
>Electronic Devices.
>
>As one member of EIQC, who wished to remain anonymous, predicts: "While
>quantum computers may be some time off, when they are available no
>communication will be secure unless it is quantum."
>
>
>

======
Just random thoughts

------------------------------

From: Bob Silverman <[EMAIL PROTECTED]>
Subject: Re: RSA-512 Broken by Israelis
Date: Tue, 05 Oct 1999 14:36:15 GMT

In article <7ta79g$tbk$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:
> Apparently the Israelis have broken RSA-512, the standard for internet
> banking, in less than 1 second.
>
> http://www.sunday-times.co.uk/news/pages/tim/99/09/29/timintint02001.html?1341861
>
> Casey

I believe that P.T. Barnum is known for having made what is now
a very famous remark......

--
Bob Silverman
"You can lead a horse's ass to knowledge, but you can't make him think"

Sent via Deja.com http://www.deja.com/

------------------------------

From: Bob Silverman <[EMAIL PROTECTED]>
Crossposted-To: sci.math
Subject: Re: factoring with quadratic sieve
Date: Tue, 05 Oct 1999 14:44:37 GMT

In article <7tb5cu$pj1$[EMAIL PROTECTED]>,
David A Molnar <[EMAIL PROTECTED]> wrote:
> In sci.crypt Bob Silverman <[EMAIL PROTECTED]> wrote:
> > With the proliferation of the Web,  have people forgotten how to use
> > a LIBRARY????
>

Yes. Indeed.  I agree.
But Math. Comp.  is one of the most widely circulated journals.

Furthermore, if I am truly interested in a subject and the local
library does not have a reference, I find that I am willing to spend
the time to find a library that does.

I often drive in to Cambridge to look up stuff in McKay.

I was only trying to make the observation that *in general* people
seem to expect everything to be on the Web and that if it is not, that
they can't be bothered to take the time to track stuff down at a
library.

Note that I also offered to *send* a hard copy if only the poster
would send private email with his/her snail mail address.  So far, I
have heard nothing further.  This tells me that the person involved
really isn't that interested.

--
Bob Silverman
"You can lead a horse's ass to knowledge, but you can't make him think"

Sent via Deja.com http://www.deja.com/

------------------------------

From: [EMAIL PROTECTED] (Herman Rubin)
Crossposted-To: sci.electronics.design,sci.electronics.equipment
Subject: Re: radioactive random number generator
Date: 5 Oct 1999 10:53:00 -0500

In article <7tageg$g66$[EMAIL PROTECTED]>,
Michael Covington <[EMAIL PROTECTED]> wrote:
>I would think that for a true random distribution, you'd want to time three
>decay events, then output a 0 or a 1 depending on which is shorter, the
>interval between the first two or the latter two.

>That ought to always be distributed 50-50 regardless of how active the

How accurately do you get the time?  Analog computation is nowhere
near as precise as digital computation.  Also, there can be small
variations in the timer, and other minor problems.  It is easy to
come up with reasons why the intervals are not independent.

--
This address is for information only.  I do not claim that these views
are those of the Statistics Department or of Purdue University.
Herman Rubin, Dept. of Statistics, Purdue Univ., West Lafayette IN 47907-1399
[EMAIL PROTECTED]         Phone: (765)494-6054   FAX: (765)494-0558

------------------------------

From: [EMAIL PROTECTED] (Herman Rubin)
Crossposted-To: sci.electronics.design,sci.electronics.equipment
Subject: Re: radioactive random number generator
Date: 5 Oct 1999 11:03:35 -0500

In article <[EMAIL PROTECTED]>, Tim Tyler  <[EMAIL PROTECTED]> wrote:
>In sci.crypt -Bodnar,B.L. <[EMAIL PROTECTED]> wrote:

>: Actually, there are some VERY good reasons for building a TRUE random number
>: generator based on radioactive decay (or some other naturally occurring
>: phenomenon).  The two which immediately come to mind are autocorrelation
>: elimination and the unsettling observation by Marsaglia that pseudorandom
>: numbers "fall mainly in the planes" (Marsaglia, G., "Random Numbers Fall
>: Mainly in the Planes", Natl. Acad. Sci. Proc., 61:, 1968, pages 25-28).

>Marsaglia's comments were directed primarily towards LCGs - which are
>known to display this type of regularity.

>: I have to worry about these effects ALL THE TIME while conducting Monte-Carlo
>: analysis of packet switching systems.

>Then you need a better random number generator.  Monte-Carlo simulations
>rarely require a cryptographically secure RNG, but sometimes require
>something a bit more sophisticated than an LCG.

It might or might not be the case.  There are simulations for which
quasi-random numbers, which do not even pretend to be random will do
much better.  The dependences in poor generators may not be important.

However, a slightly biased generator can still be extremely good for
cryptographic purposes, but quite poor for simulations, which often
have more than 10^10 trials.

>If you have a hardware RNG on hand, then by all means use it - but if you
>are finding correlations in your random number source, there may be a
>simpler way to fix them.

It is not correlations which are the problem, but more complicated
dependencies.  I would XOR a hardware and a software generator.

--
This address is for information only.  I do not claim that these views
are those of the Statistics Department or of Purdue University.
Herman Rubin, Dept. of Statistics, Purdue Univ., West Lafayette IN 47907-1399
[EMAIL PROTECTED]         Phone: (765)494-6054   FAX: (765)494-0558

------------------------------

From: "karl malbrain" <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: EAR Relaxed? Really?
Date: Tue, 5 Oct 1999 10:01:06 -0700

Douglas A. Gwyn <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> karl malbrain wrote:
> > And breaking STATE SECRETS is a capital crime.
>
> Not in the US, which doesn't even have an analogue of the British
> Official Secrets Act.

Come on, I know you know more than that.  Any information stamped
CONFIDENTIAL, SECRET, TOP SECRET, EYES-ONLY COMPARTMENTALIZED, etc, carries
stiff penalties on revelation.  If revealed to another country it's
considered a CAPITAL crime.  It's what happened to Julius and Ethel (sp?)
Rosenberg in the 1950's.  Karl M

------------------------------

From: "Matt Atwood" <[EMAIL PROTECTED]>
Subject: Re: Newbie question:  RSA and Key Escrow
Date: Tue, 5 Oct 1999 13:23:12 -0400

Thanks very much!  I'm sure that that seems like a very basic question but I
couldn't figure out, at least from the fairly simple explanations given in
anything that I've read, how that problem would be avoided.  I do have a
couple more brief questions about that explanation though, if it's not too
much trouble.

1) Here n=LCM(p-1, q-1), right?
2) Say there are multiple escrow agencies - k of them.  Now suppose the
police have M1, M2, M3, etc, up to Mk.  Now they know that there exists some
constant C such that for some d1, C^d1=M1 mod n, and likewise for d2, d3,
etc., up to dk.  Why wouldn't this improve their chances at finding d?  I
mean, there are certain repeating patterns - i.e., modulo 10, the powers of
7 repeat 7, 9, 3, 1, 7, ....  The powers of 6 repeat 6, 6, 6, ....  So the
police might be able to deduce the values, modulo some cleverly chosen
number, of at least some of the di's.  And now say that the police wanted to
see several messages.  Wouldn't they need to have several different session
couldn't they theoretically figure out (given enough encrypted session keys
and a little bit of time in front of a nice government computer) what the
sum d of the di's would be, modulo some well-chosen integer?  Or would that
be impossible because the mathematics that would be needed to do this are
inconclusive?

Finally, I'd just like to say thanks very much for answering that first
question - it seemed like a real flaw in the system at first.

-Matt

------------------------------

From: [EMAIL PROTECTED] (MLuttgens)
Subject: Re: Findkey
Date: 05 Oct 1999 17:45:44 GMT

If the algorithm is not very good, finding the key should be easy.

Marcel Luttgens

------------------------------

From: [EMAIL PROTECTED] (jerome)
Subject: Re: True Random numbers
Date: Tue, 05 Oct 1999 18:00:57 GMT

OTP assumes a random key. http://www.ciphile.com doesn't say
much except it is "hot!" "new!" and obviously "bug free, too!"

Can you explain how you produce such a key?

On Mon, 04 Oct 1999 23:17:07 -0700, Anthony Stephen Szopa wrote:
>
>Listen to me:  OAP-L3 is a very practical "OTP" implementation.
>
>No complaints have been received by those who have Version 4.2
>SHAREWARE.
>
>http://www.ciphile.com
>
>You should get a copy.

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Crossposted-To: comp.security.pgp.discuss,alt.security.pgp
Subject: Re: Is 128 bits safe in the (far) future?
Date: Tue, 05 Oct 1999 18:56:35 GMT

In article <7td6bm$jg9$[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
>From article <7tcue1$13qq$[EMAIL PROTECTED]>, by [EMAIL PROTECTED]
> (SCOTT19U.ZIP_GUY):
>>>
>>>I believe that you can turn off compression if that is what you are asking.
>>      No that is not what I asked. What I asked was will it be better designed
>> so as not to a compress that aids an attacker to break the system.
>
>Compression doesn't have that big of an effect on cracking a code. As long as
>it doesn't provide known plaintext when there otherwise would be. Its main
>benefit is shrinking the message size.

Its main benefit is making the message smaller. However, almost all
compression schemes in use add information that is valuable to the breaking
of the encrypted message. In some cases so much information is added that
the attacker need not know anything about the message to recover it. This is why
one must be careful about the compression used.
>
>>>You don't want to use both RSA and DH since you get more bang for your buck
>>>using one of these with a longer key than using both.
>>    But if one is broken but if one does not know which. Why not have the
>> option to use both. You can't get more bang for the buck if one is weak and
>> you don't know which it is?
>
>RSA and DH are related and if one falls, it is likely the other will too.
>If you are specifically worried about algorithm weaknesses you can encrypt

No, this is not necessarily true. RSA can fail if factoring is easy. But it
would take something different to break DH.

David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
http://members.xoom.com/ecil/index.htm
NOTE EMAIL address is for SPAMMERS

------------------------------

From: "John E. Kuslich" <[EMAIL PROTECTED]>
Crossposted-To: sci.electronics.design,sci.electronics.equipment
Subject: Re: radioactive random number generator
Date: Tue, 05 Oct 1999 11:32:11 -0700

Actually, the idea is brilliant!!

Even better, feed the thermal noise into an oscillator driven by a strange
attractor or other chaos mechanism.

The effect is like thousands of Beijing Butterflies.  We are talking hurricanes
in Miami!!

JK

John Larkin wrote:

> Boris Kazak wrote:
> >
> > jjlarkin wrote:
> > >
> > > Radioactive decay is not only messy to implement, it produces a random
> > > pulse train, hardly suitable for turning into nicely distributed
> > > Gaussian noise.
> > >
> > > A zener diode is a great noise generator. Bias a 10-volt zener at about
> > > 0.5 ma, and you'll get nice wideband noise across it. Amplitude will be
> > > about 300 nv per root Hz (300 nv times the square root of the bandwidth
> > > of the following amplifier). If the amp has a decent highpass response
> > > (i.e., cut out low-frequency 1/f noise) the result will be excellently
> > > random Gaussian noise with very low autocorrelation for reasonable
> > > sample rates. Just digitize it, or slice it and clock into a shift
> > > register.
> > >
> > > If you want perfect 1:0 balance and even lower autocorrelation, stir
> > > the zener's random output into the guts of a pseudo-random shift
> > > register.
> > >
> > > easy!
> > >
> > > John
> > -----------------------
> >    And one more elegant idea - feed the output of this Zener diode
> > into a Voltage Controlled Oscillator, feed the output of this VCO
> > into a flip-flop, and at any time when needed sample a random bit.
> >
> > Best wishes       BNK
>
> Boris,
>
> actually, that would probably increase the autocorrelation, since the
> VCO will tend to oscillate about an average frequency.
>
> John
>
> --
> ******************************************************************
>
> John Larkin, President           phone 415 753-5814   fax 753-3301
> Highland Technology, Inc
> 320 Judah Street                 [EMAIL PROTECTED]
> San Francisco, CA 94122          http://www.highlandtechnology.com

--
John E. Kuslich
CRAK Software
http://www.crak.com

------------------------------

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
```
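Added example for Doug Goncz's question in the "2^n - 1 = a * b" thread above (my own code, not any poster's): it factors 2^n - 1 for n up to 32 by trial division and reports the n for which the number has exactly two or three divisors other than 1 and itself.

```python
def factorize(m):
    """Prime factorization of m by trial division, as a list of (prime, exponent).
    Fine for 2^32 - 1 (trial divisors stay below 2^16); not for RSA-sized numbers."""
    factors = []
    p = 2
    while p * p <= m:
        e = 0
        while m % p == 0:
            m //= p
            e += 1
        if e:
            factors.append((p, e))
        p += 1 if p == 2 else 2  # after 2, only try odd divisors
    if m > 1:
        factors.append((m, 1))
    return factors


def divisor_count(factors):
    """Number of positive divisors from a factorization: product of (e + 1)."""
    d = 1
    for _, e in factors:
        d *= e + 1
    return d


def mersenne_with_few_factors(max_n=32, wanted=(2, 3)):
    """Map n -> factorization of 2^n - 1, for n <= max_n, when 2^n - 1 has
    exactly two or three divisors other than 1 and itself (the poster's
    'two or three factors'); in this range every hit is a product of two
    distinct primes."""
    result = {}
    for n in range(2, max_n + 1):
        f = factorize(2 ** n - 1)
        if divisor_count(f) - 2 in wanted:
            result[n] = f
    return result


if __name__ == "__main__":
    for n, f in mersenne_with_few_factors().items():
        print(n, 2 ** n - 1, " * ".join(f"{p}^{e}" if e > 1 else str(p) for p, e in f))
```

For n up to 32 the hits are n = 4, 9, 11 and 23; the Cunningham tables linked in Peter Montgomery's reply cover the larger exponents.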
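Added example for the perfect-shuffle thread above (my own code, not from the post): it models the two kinds of perfect shuffle as permutations and counts how many repetitions return a deck to its starting order; the function names and the deck sizes tried are my choices.

```python
def out_shuffle(deck):
    """Perfect out-shuffle: cut into two equal halves and interleave exactly,
    with the original top card staying on top."""
    half = len(deck) // 2
    top, bottom = deck[:half], deck[half:]
    return [card for pair in zip(top, bottom) for card in pair]


def in_shuffle(deck):
    """Perfect in-shuffle: same cut, but the bottom half's first card lands on top."""
    half = len(deck) // 2
    top, bottom = deck[:half], deck[half:]
    return [card for pair in zip(bottom, top) for card in pair]


def shuffles_to_restore(size, shuffle):
    """Number of repeated perfect shuffles that return an even-sized deck to its
    starting order, i.e. the order of the shuffle viewed as a permutation."""
    if size % 2:
        raise ValueError("a perfect shuffle needs two equal halves")
    start = list(range(size))
    deck = shuffle(start)
    count = 1
    while deck != start:
        deck = shuffle(deck)
        count += 1
    return count


if __name__ == "__main__":
    for size in (8, 52):
        print(size, "cards:", shuffles_to_restore(size, out_shuffle), "out-shuffles,",
              shuffles_to_restore(size, in_shuffle), "in-shuffles")
```

For a standard 52-card deck it reports 8 out-shuffles and 52 in-shuffles.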
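Added example for Michael Covington's three-event extractor and Herman Rubin's timing objection in the radioactive-RNG thread above (simulation code of my own, not any poster's): decay times are simulated as a Poisson process, each bit is taken from which of two consecutive gaps is shorter, and a coarse timer (the `resolution` parameter, an assumption) shows how measurement ties appear and how resolving them badly biases the output.

```python
import random


def decay_timestamps(rate, count, rng):
    """Simulate `count` decay events of a Poisson process with the given
    rate (events per second): gaps between events are exponential."""
    t = 0.0
    times = []
    for _ in range(count):
        t += rng.expovariate(rate)
        times.append(t)
    return times


def interval_bits(times, resolution=0.0, tie_policy="discard"):
    """Covington's extractor: take events in non-overlapping triples and
    emit 1 if the first gap is shorter than the second, else 0.

    resolution > 0 models a timer that only counts whole ticks of that
    length, so gaps become integers and can tie.  Ties are dropped
    ("discard"), or forced to 0 ("zero") to show the failure mode."""
    bits = []
    ties = 0
    for i in range(0, len(times) - 2, 3):
        t0, t1, t2 = times[i], times[i + 1], times[i + 2]
        if resolution > 0:
            t0, t1, t2 = (int(t / resolution) for t in (t0, t1, t2))
        g1, g2 = t1 - t0, t2 - t1
        if g1 == g2:
            ties += 1
            if tie_policy == "discard":
                continue
            bits.append(0)
        else:
            bits.append(1 if g1 < g2 else 0)
    return bits, ties


def ones_fraction(bits):
    """Fraction of 1s in the output; 0.5 is the ideal for an unbiased source."""
    return sum(bits) / len(bits) if bits else float("nan")


def experiment(rate, resolution=0.0, tie_policy="discard", events=30000, seed=7):
    """Return (fraction of ones, number of tied triples) for one simulated run.
    The seed is fixed so the run is reproducible; the events are constructed data."""
    rng = random.Random(seed)
    times = decay_timestamps(rate, events, rng)
    bits, ties = interval_bits(times, resolution, tie_policy)
    return ones_fraction(bits), ties


if __name__ == "__main__":
    # Balance does not depend on how active the source is (1 vs 1000 decays/s).
    for rate in (1.0, 1000.0):
        print(f"rate={rate:>7} ideal timer: ones={experiment(rate)[0]:.3f}")
    # Timer ticks 10x coarser than the mean gap: most gaps measure as 0 ticks.
    f, ties = experiment(1000.0, resolution=0.01, tie_policy="discard")
    print(f"coarse timer, ties discarded: ones={f:.3f}, ties={ties}")
    f, ties = experiment(1000.0, resolution=0.01, tie_policy="zero")
    print(f"coarse timer, ties forced to 0: ones={f:.3f}, ties={ties}")
```

With the coarse timer most triples tie: discarding them keeps the balance but throws away most of the throughput, while mapping them to 0 skews the output heavily toward zeros.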
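Added example for the escrow scheme as Matt Atwood describes it above (toy code of my own, not from the thread; the small primes, the public exponent 65537 and the function names are assumptions): the private exponent is split additively among k agencies modulo lcm(p-1, q-1), each agency returns C^{d_i} mod n, and the product of those partial results recovers the message only when every share is present.

```python
import random
from math import gcd


def lcm(a, b):
    return a * b // gcd(a, b)


def toy_rsa_keypair(p, q, e=65537):
    """Toy RSA key from two small illustrative primes (assumption: p, q prime).
    The private exponent is taken modulo lambda = lcm(p-1, q-1), as in the post."""
    n = p * q
    lam = lcm(p - 1, q - 1)
    if gcd(e, lam) != 1:
        raise ValueError("e must be coprime to lcm(p-1, q-1)")
    d = pow(e, -1, lam)
    return n, e, d, lam


def split_exponent(d, lam, k, rng):
    """Additively share d among k agencies: d_1 + ... + d_k = d (mod lambda).
    The first k-1 shares are uniform in [0, lambda); the last absorbs the rest,
    so any k-1 shares together are still uniform and say nothing about d."""
    shares = [rng.randrange(lam) for _ in range(k - 1)]
    shares.append((d - sum(shares)) % lam)
    return shares


def partial_decrypt(c, d_i, n):
    """What agency i hands over: M_i = C^{d_i} mod n."""
    return pow(c, d_i, n)


def combine(partials, n):
    """prod M_i = C^{sum d_i} = C^d = M (mod n); reducing the shares mod lambda
    is harmless because C^lambda = 1 (mod n) whenever gcd(C, n) = 1."""
    m = 1
    for x in partials:
        m = m * x % n
    return m


def escrow_demo(message, k=3, seed=1):
    """Encrypt a message (constructed input), split the exponent among k
    agencies and show that k-1 partial results do not recover it."""
    rng = random.Random(seed)
    n, e, d, lam = toy_rsa_keypair(10007, 10009)
    c = pow(message, e, n)
    shares = split_exponent(d, lam, k, rng)
    partials = [partial_decrypt(c, s, n) for s in shares]
    full = combine(partials, n)
    missing_one = combine(partials[:-1], n)  # only k-1 agencies cooperate
    return full, missing_one, shares, lam
```

The message must be smaller than n and coprime to it, which holds for the constructed values used in the test.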