Cryptography-Digest Digest #925, Volume #10      Tue, 18 Jan 00 22:13:01 EST

Contents:
  Re: Question about factoring method. (Bob Silverman)
  Re: Triple-DES and NSA??? (Bruno Wolff III)
  Cryptographer's Calculator ([EMAIL PROTECTED])
  Re: Triple-DES and NSA??? ("Tommy Lacroix")
  Re: ECC vs RSA - A.J.Menezes responds to Schneier (Tom St Denis)
  Re: free C crypto API (Tom St Denis)
  Re: RSA survey (NFN NMI L.)
  Java's RSA implimentation ([EMAIL PROTECTED])
  Re: RSA survey (lordcow77)
  Re: RSA survey ("Tommy Lacroix")
  Re: RNG for OTPs during WWII (Paul Rubin)
  Kryptos... Did they finish it? ("Heath Smith")
  Re: ECC vs RSA - A.J.Menezes responds to Schneier (Greg)
  Re: New Crypto Regulations ("Douglas A. Gwyn")
  Re: New Crypto Regulations (wtshaw)
  Re: New Crypto Regulations (wtshaw)
  Re: New Crypto Regulations (wtshaw)

----------------------------------------------------------------------------

From: Bob Silverman <[EMAIL PROTECTED]>
Subject: Re: Question about factoring method.
Date: Tue, 18 Jan 2000 21:11:38 GMT

In article <[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] wrote:
> Hi,
>
>   I have several questions about the Quadratic Sieve method (and
> others).
>
>   It requires two numbers x,y such that x^2 = y^2 mod N

And also x != +/- y  mod N.

>   and in such case pgcd(x-y,N) divides N. But if x = +/-y mod N then we
> cannot conclude. How often does this happen in the QS algorithm.

If N has two primes then x^2 = a has 4 solutions.  Two of these will
be x and -x.  In these cases the GCD will be 1.  In the other two,
you succeed.  Assuming that y^2 = a  behaves 'randomly',  the
probability is 1/2 that y is one of the non-trivial square roots.


If N has k prime factors, the probability that y is NOT a trivial
square root grows to (1-1/2^k).
>
>   If we use r primes in the algorithm why do we try to find r+b (where b
> is small) relations. Just r should be enough to find a linear dependency?

Actually r+1 will suffice. But in case the first one gives a trivial
factorization one wants a few more.

In any event, it is nearly impossible to stop EXACTLY after r+1
because the way the large primes combine is somewhat unpredictable.


--
Bob Silverman
"You can lead a horse's ass to knowledge, but you can't make him think"


Sent via Deja.com http://www.deja.com/
Before you buy.
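The congruence-of-squares step and the "r + 1 relations, plus a few spare" point from the post above, as an added worked example (not code from the digest or from any poster): a tiny Dixon-style relation search over a constructed modulus N = 1009 * 1013 with a factor base of the primes below 30, both chosen here purely for illustration.

```python
"""Congruence-of-squares factoring, Dixon style (added example, not from
the digest).  It shows the two points in the post above: x^2 = y^2 (mod N)
only splits N when x != +/-y (mod N), and with r primes in the factor base
one wants a few more than r + 1 relations because some GF(2) dependencies
yield the trivial pair.  N = 1009 * 1013 below is a constructed modulus."""
import math
import random


def factor_base(bound):
    """Primes up to bound by trial division (tiny; for illustration only)."""
    primes = []
    for n in range(2, bound + 1):
        if all(n % p for p in primes if p * p <= n):
            primes.append(n)
    return primes


def smooth_exponents(value, primes):
    """Exponent vector of value over primes, or None if value is not smooth."""
    if value == 0:
        return None
    exps = []
    for p in primes:
        e = 0
        while value % p == 0:
            value //= p
            e += 1
        exps.append(e)
    return exps if value == 1 else None


def collect_relations(N, primes, count, rng):
    """Random x > sqrt(N) whose x^2 mod N is smooth; returns [(x, exps)]."""
    rels, start = [], math.isqrt(N) + 1
    while len(rels) < count:
        x = rng.randrange(start, N)
        exps = smooth_exponents(x * x % N, primes)
        if exps is not None:
            rels.append((x, exps))
    return rels


def gf2_dependencies(vectors):
    """Gaussian elimination over GF(2).  vectors are bitmasks of exponent
    parities; returns bitmasks over row indices whose rows XOR to zero."""
    pivots, deps = [], []  # pivot: (pivot bit, reduced row, rows combined)
    for i, vec in enumerate(vectors):
        hist = 1 << i
        for bit, pvec, phist in pivots:
            if vec & bit:
                vec ^= pvec
                hist ^= phist
        if vec:
            pivots.append((vec & -vec, vec, hist))
        else:
            deps.append(hist)
    return deps


def congruence_from_dependency(N, primes, rels, dep):
    """x = prod x_i mod N; y = sqrt of prod (x_i^2 mod N), all exponents even."""
    x, total = 1, [0] * len(primes)
    for i, (xi, exps) in enumerate(rels):
        if dep >> i & 1:
            x = x * xi % N
            total = [a + b for a, b in zip(total, exps)]
    y = 1
    for p, e in zip(primes, total):
        y = y * pow(p, e // 2, N) % N
    return x, y


def try_split(N, x, y):
    """gcd(x - y, N) given x^2 = y^2 (mod N); None when x = +/-y (mod N)."""
    assert (x * x - y * y) % N == 0
    g = math.gcd(x - y, N)
    return g if 1 < g < N else None


def dixon_outcomes(N, bound=30, extra=5, seed=1):
    """One run with r + 1 + extra relations.  Returns the split result of
    every dependency found; None marks a trivial x = +/-y pair."""
    rng = random.Random(seed)
    primes = factor_base(bound)
    rels = collect_relations(N, primes, len(primes) + 1 + extra, rng)
    parity = [sum((e & 1) << k for k, e in enumerate(ex)) for _, ex in rels]
    results = []
    for dep in gf2_dependencies(parity):
        x, y = congruence_from_dependency(N, primes, rels, dep)
        results.append(try_split(N, x, y))
    return results


def factor(N, bound=30):
    """Keep collecting more relations until some dependency splits N."""
    for extra in range(5, 60, 5):
        for f in dixon_outcomes(N, bound, extra, seed=extra):
            if f is not None:
                return f
    return None


if __name__ == "__main__":
    N = 1009 * 1013
    print(dixon_outcomes(N))  # a mix of nontrivial factors and None
    print(factor(N))
```

Running it prints, for one batch of r + 1 + 5 relations, a list that mixes nontrivial factors with None entries; each None is a dependency whose x and y came out as x = +/-y (mod N), which is why stopping at exactly r + 1 relations is a gamble. factor() simply keeps adding relations until some dependency splits N.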

------------------------------

From: [EMAIL PROTECTED] (Bruno Wolff III)
Crossposted-To: alt.privacy,alt.security
Subject: Re: Triple-DES and NSA???
Date: 18 Jan 2000 22:10:47 GMT
Reply-To: [EMAIL PROTECTED]

From article <[EMAIL PROTECTED]>, by Jose Castejon-Amenedo
<[EMAIL PROTECTED]>:
> 
>     For all we know, the NSA's intervention made DES more (not less)
> robust than it would have otherwise been.

Except for limiting the keysize to 56 bits. This may have been done to allow
them to break it with special purpose hardware that would not typically have
been available to most entities wanting to break messages encrypted with DES.

------------------------------

From: [EMAIL PROTECTED]
Subject: Cryptographer's Calculator
Date: Tue, 18 Jan 2000 22:08:44 GMT

Hello,

Just to let everyone know about some new features
we've added to CypherCalc:

CypherCalc is a full-featured, programmable
calculator designed for multi-precision integer
arithmetic. You can use CypherCalc to perform
"big number" math operations such as
exponentiation, modular multiplication, and
Montgomery math.

CypherCalc saves program development time by
providing a reliable source of known answers. You
can check your algorithms against CypherCalc's
results in seconds. Also included is a simple
scripting language that allows you to automate
repetitive calculations and algorithms.

The latest version includes a new CRC design tool
that can generate CRC lookup tables and check CRC
results. We've also improved the tool for
reformatting large numbers between applications,
such as your code editor and debugger.

Details for CypherCalc (including screen shots)
are at www.cyphercalc.com or contact us by email
at [EMAIL PROTECTED]

Also, the math engine behind CypherCalc is now
available as a separate module for use in your
applications. See www.cyphercalc.com/math for
details and downloads.

We would welcome any comments or suggestions you
might have for making CypherCalc more useful to
cryptographers.

Regards,
  Steve
  EPS/Solutions
  www.cyphercalc.com
  [EMAIL PROTECTED]

===========================



------------------------------

From: "Tommy Lacroix" <[EMAIL PROTECTED]>
Crossposted-To: alt.privacy,alt.security
Subject: Re: Triple-DES and NSA???
Date: Tue, 18 Jan 2000 17:27:07 -0500

FYI, max key sizes:
RC6         2048 bits
Twofish      256 bits
Rijndael     256 bits
MARS        1248 bits
Blowfish     448 bits

_______________________________________________________
Tommy Lacroix ( [EMAIL PROTECTED] )
Administrateur de Réseau / Network Administrator
Communications Accessibles Montreal


"John Savard" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> On Sat, 15 Jan 2000 03:41:19 GMT, Greg <[EMAIL PROTECTED]> wrote:
>
> >Is Twofish a next generation work from Blowfish, or are they
> >similar in name only?
>
> I'd tend to say the latter, although others might dispute that.
>
> >And can one use a key size larger than 256 on Twofish?
>
> I'm not sure offhand, but I know several AES candidates do have
> additional key size flexibility beyond the mandatory key lengths of
> 128, 192, and 256 bits.
>
> John Savard (teneerf <-)
> http://www.ecn.ab.ca/~jsavard/index.html



------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: ECC vs RSA - A.J.Menezes responds to Schneier
Date: Tue, 18 Jan 2000 23:24:10 GMT

In article <862jd8$ogd$[EMAIL PROTECTED]>,
  Greg <[EMAIL PROTECTED]> wrote:
> In article <[EMAIL PROTECTED]>,
>   JCA <[EMAIL PROTECTED]> wrote:
> > Greg wrote:
> >
> > > In article <85ve97$do2$[EMAIL PROTECTED]>,
> > >   [EMAIL PROTECTED] wrote:
> > > > Alfred Menezes comments on B. Schneier's article comparing RSA vs
> > > > ECC.
> > > >
> > > > Available at:
> > > > http://www.cacr.math.uwaterloo.ca/~ajmeneze/misc/cryptogram-
> > > article.html
> > > >
> > > > Comments?
> > >
> > > He goes on to say...
> > >
> > >   The rough estimates of RSA key lengths for equivalent security
> > >   are 3072 bits, 7680 bits, and 15630 bits. Imagine the performance
> > >   degradation incurred with RSA implementations at these key sizes,
> > >   even with e=3!!
> > >
> > > Exactly...
> >
> >     While this is true, I can't help wondering if it has any value
> > beyond the purely academic one?
>
> Yes, it could be.  But on the other hand, if there are going to
> be any advancements against either, then ECC has a lot more room
> to grow than RSA/IFP.
>
> In fact, you can use 571 ECC field sizes today on your PC with
> reasonable performance.  And this field size is likely to remain
> formidable even against a sub ex attack discovery- that is, such
> a discovery does not necessarily spell "exposure" right away.
>
> Can you say this about RSA?  Is a 20k RSA key reasonable with PCs
> today?  Or is a 3k RSA key likely to remain formidable in the face
> of the next advancement against RSA/IFP?
>
> That is how I see it.  I see both being searched for weaknesses
> and if any can be found, it is just a matter of time.

The problem with this argument is that although the _time_ required to
solve a 1024 bit IFP will be available in 15 years or so [or more] the
_space_ will not be.  Read Bobs article earlier in this thread.

I think once you hit 768+ bit RSA keys you are essentially secure.  And
to be honest 768 bit keys are not that big, and not that slow.  Even
with a pure C bignum package I can perform private RSA ops with a 1024
bit key in 2 seconds each... Not too too slow...

A 768 bit RSA key is only about 3 lines...

biqxzZr4ALLhaWaaaaeaaaaaaHbaRLE85jvE2ybEq10b3UZ4R3BjjAU15r0HSjcEMMatoh
dJUH6pFt9jMNE}mw5B0k}fAAXpwLpHAFmhZy{VGuuT}PM1jTbTHgJvGtrEcz9ZF{a1S6mx
{suQLpcXxpIRbOTZaaeqaaaaa

More like that to be exact... [that's a key from Peekboo III].

While ECC is tighter it's harder to understand and implement for the
average programmer.  I think a good cryptographer will realize the
merit in both though.

Tom
--
[EMAIL PROTECTED]



------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: free C crypto API
Date: Tue, 18 Jan 2000 23:27:08 GMT

In article <862jhk$ohd$[EMAIL PROTECTED]>,
  Greg <[EMAIL PROTECTED]> wrote:
>
> > Well I decided to release CB a bit early.  I am looking for
> > comments/suggestions/improvements.
> >
> > Basically CB is a complete crypto API.  It can make/use RSA crypto,
> > symmetric crypto, has data compression, a RNG, base64 routines and
> more.
> >
> > It doesn't read/write PGP messages/keys since that was not part of
> > the plan.
> >
> > I am using CB in my Peekboo III release [which is gonna rock].
> >
> > All of this is free!!!
>
> I downloaded a copy of your stuff and noticed that you did not
> ask me anything.  Where is the server located?

I will not dignify that.  I was hoping for real discussion about
working on CB [i.e. bugs or what have you].  This group has some of the
smartest people in the world yet they can't stay on task.

Did you have any troubles building CB on your computer?

Tom
--
[EMAIL PROTECTED]



------------------------------

From: [EMAIL PROTECTED] (NFN NMI L.)
Subject: Re: RSA survey
Date: 19 Jan 2000 00:00:51 GMT

4096 bits. 8192 would make me feel better, though.

S.T.L.

------------------------------

From: [EMAIL PROTECTED]
Subject: Java's RSA implementation
Date: Tue, 18 Jan 2000 23:59:51 GMT

Hi all.

Is anyone aware of any effort to analyse the RSA implementation in Java;
specifically focusing on key generation.

Does Java use a table of primes? If so, how big is the table?
Otherwise how good are its prime number generation routines, i.e. what is
the probability of a generated number not being prime.

Thanks.


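As an added illustration (not Java's code, and not a statement of what Java does internally) of how RSA prime-generation routines are commonly built and where the "probability of not being prime" figure comes from: a table of small primes serves as a sieve, then Miller-Rabin decides, and a composite survives each random-base round with probability at most 1/4, so t rounds bound the worst-case error by 4^-t. The bit sizes, seed and small-prime bound below are chosen here for the demonstration only.

```python
"""Probable-prime generation as used for RSA key material: a small-prime
sieve followed by Miller-Rabin.  Added example, not Java's implementation
(the post above asks what Java does; this shows the general routine and
the error bound such routines rely on).  Bit sizes and seeds below are
constructed for the demonstration."""
import random

# Table of small primes for the sieve step (here every prime below 2000).
SMALL_PRIMES = [p for p in range(2, 2000)
                if all(p % d for d in range(2, int(p ** 0.5) + 1))]


def passes_trial_division(n):
    """Cheap filter: drop candidates with a small prime factor before the
    expensive modular exponentiations."""
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    return True


def strong_probable_prime(n, a):
    """One Miller-Rabin round with base a.  False proves n composite; True
    means a is not a witness (n is prime, or a is a 'strong liar')."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    x = pow(a, d, n)
    if x in (1, n - 1):
        return True
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return True
    return False


def miller_rabin(n, rounds, rng):
    """rounds random bases.  A composite survives one round with probability
    at most 1/4, so a survivor is composite with probability <= 4**-rounds;
    for random odd candidates the real error rate is far smaller."""
    if n < 4:
        return n in (2, 3)
    return all(strong_probable_prime(n, rng.randrange(2, n - 1))
               for _ in range(rounds))


def error_bound(rounds):
    """Worst-case probability that a composite passes `rounds` rounds."""
    return 4.0 ** -rounds


def generate_probable_prime(bits, rounds, rng):
    """Random odd candidate with its top two bits set (so the product of two
    such primes has exactly 2*bits bits), sieved then tested.  Returns
    (prime, number_of_candidates_tried)."""
    tried = 0
    while True:
        n = rng.getrandbits(bits) | (1 << (bits - 1)) | (1 << (bits - 2)) | 1
        tried += 1
        if passes_trial_division(n) and miller_rabin(n, rounds, rng):
            return n, tried


def demo_prime(bits=64, rounds=16, seed=7):
    """Repeatable small demonstration (fixed seed; not for real keys)."""
    return generate_probable_prime(bits, rounds, random.Random(seed))


if __name__ == "__main__":
    rng = random.Random(2000)  # fixed seed only so the demo is repeatable
    p, tried = generate_probable_prime(512, 64, rng)
    print(p.bit_length(), "bits after", tried, "candidates; error bound <=",
          error_bound(64))
```

The sieve is what makes a prime table useful: it never decides primality, it only discards the majority of candidates cheaply. The number of rounds is the knob behind the "probability of not being prime"; real key generators use a seeded cryptographic RNG rather than the fixed seeds above.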

------------------------------

From: lordcow77 <[EMAIL PROTECTED]>
Subject: Re: RSA survey
Date: Tue, 18 Jan 2000 16:05:06 -0800

In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (NFN NMI L.) wrote:
> 4096 bits. 8192 would make me feel better, though.
> S.T.L.

You're absolutely clueless. A 1024 bit modulus is more than enough.





------------------------------

From: "Tommy Lacroix" <[EMAIL PROTECTED]>
Subject: Re: RSA survey
Date: Tue, 18 Jan 2000 19:37:14 -0500

Considering that the government says that 1024 should be safe enough, I
would go for 8192 bits or longer (I always go a few times over government
recommendation, except when they say 0 .. =o)

_______________________________________________________
Tommy Lacroix
Administrateur de Réseau / Network Administrator
Communications Accessibles Montreal


"Tom St Denis" <[EMAIL PROTECTED]> wrote in message
news:85vklp$j08$[EMAIL PROTECTED]...
> Just a quick survey... What size of RSA key would you feel safe with
> for your crypto needs?
>
> [ignoring the symmetric side of things...]
>
> I ask just to get a feel for things as I write Peekboo III [my freeware
> crypto program].
>
> BTW if you check out Peekboo II and have comments let me and the group
> know.  I hope this doesn't seem like spam... the source is online as
> well so it can be slightly educational.
>
> BTWx2 as a added bonus I will be releasing a free crypto API [in C] in
> a few days.  It will be up at http://www.dasoft.org/tom/cb.html in a
> few days...  All free stuff!!!
>
> Tom
> --
> [EMAIL PROTECTED]
> http://peekboo.dasoft.org
>
>



------------------------------

From: [EMAIL PROTECTED] (Paul Rubin)
Subject: Re: RNG for OTPs during WWII
Date: 19 Jan 2000 01:55:27 GMT

In article <85u8bf$k4s$[EMAIL PROTECTED]>,
Bayard Randel <[EMAIL PROTECTED]> wrote:
>Just out of historic interest, would anyone happen to know what sort of RNGs
>would have typically been used by either Allied or Axis forces for OTP
>keystream generation ? dice, playing cards ?

Winterbotham discussed this in "The Ultra Secret".  I vaguely recall
that dice were used, but I'm not sure.

------------------------------

From: "Heath Smith" <[EMAIL PROTECTED]>
Subject: Kryptos... Did they finish it?
Date: Tue, 18 Jan 2000 21:33:06 -0800

Has David Stein or Jim Gillogly finished the remainder of Kryptos?

I ran across an interesting clip on the net where Sanborn was quoted:

How difficult is this puzzle?  "Not very," Sanborn says. Not nearly as
difficult as his first encoded sculpture -- a work called "Kryptos" that he
created for CIA headquarters in Langley, Va., in 1987.  That code, created
with the help of a cryptographer, is so hard to break that the CIA "will
never figure it out," he says.







------------------------------

From: Greg <[EMAIL PROTECTED]>
Subject: Re: ECC vs RSA - A.J.Menezes responds to Schneier
Date: Wed, 19 Jan 2000 02:32:19 GMT

In article <862sm9$vdb$[EMAIL PROTECTED]>,
  Tom St Denis <[EMAIL PROTECTED]> wrote:
> In article <862jd8$ogd$[EMAIL PROTECTED]>,
>   Greg <[EMAIL PROTECTED]> wrote:
> > In article <[EMAIL PROTECTED]>,
> >   JCA <[EMAIL PROTECTED]> wrote:
> > > Greg wrote:
> > >
> > > > In article <85ve97$do2$[EMAIL PROTECTED]>,
> > > >   [EMAIL PROTECTED] wrote:
> > > > > Alfred Menezes comments on B. Schneier's article comparing RSA vs
> > > > > ECC.
> > > > >
> > > > > Available at:
> > > > > http://www.cacr.math.uwaterloo.ca/~ajmeneze/misc/cryptogram-
> > > > article.html
> > > > >
> > > > > Comments?
> > > >
> > > > He goes on to say...
> > > >
> > > >   The rough estimates of RSA key lengths for equivalent security
> > > >   are 3072 bits, 7680 bits, and 15630 bits. Imagine the performance
> > > >   degradation incurred with RSA implementations at these key sizes,
> > > >   even with e=3!!
> > > >
> > > > Exactly...
> > >
> > >     While this is true, I can't help wondering if it has any value
> > > beyond the purely academic one?
> >
> > Yes, it could be.  But on the other hand, if there are going to
> > be any advancements against either, then ECC has a lot more room
> > to grow than RSA/IFP.
> >
> > In fact, you can use 571 ECC field sizes today on your PC with
> > reasonable performance.  And this field size is likely to remain
> > formidable even against a sub ex attack discovery- that is, such
> > a discovery does not necessarily spell "exposure" right away.
> >
> > Can you say this about RSA?  Is a 20k RSA key reasonable with PCs
> > today?  Or is a 3k RSA key likely to remain formidable in the face
> > of the next advancement against RSA/IFP?
> >
> > That is how I see it.  I see both being searched for weaknesses
> > and if any can be found, it is just a matter of time.
>
> The problem with this argument is that although the _time_ required to
> solve a 1024 bit IFP will be available in 15 years or so [or more] the
> _space_ will not be.  Read Bobs article earlier in this thread.
>
> I think once you hit 768+ bit RSA keys you are essentially secure.  And
> to be honest 768 bit keys are not that big, and not that slow.  Even
> with a pure C bignum package I can perform private RSA ops with a 1024
> bit key in 2 seconds each... Not too too slow...
>
> A 768 bit RSA key is only about 3 lines...
>
> biqxzZr4ALLhaWaaaaeaaaaaaHbaRLE85jvE2ybEq10b3UZ4R3BjjAU15r0HSjcEMMatoh
> dJUH6pFt9jMNE}mw5B0k}fAAXpwLpHAFmhZy{VGuuT}PM1jTbTHgJvGtrEcz9ZF{a1S6mx
> {suQLpcXxpIRbOTZaaeqaaaaa
>
> More like that to be exact... [that's a key from Peekboo III].
>
> While ECC is tighter it's harder to understand and implement for the
> average programmer.  I think a good cryptographer will realize the
> merit in both though.

I concur.  But for the same reason I would never use a random
EC curve I could not see using a random prime.  RSA relies on
this approach since primes are not "studied" ahead of use.


--
The only vote that you waste is the one you never wanted to make.
RICO- we were told it was a necessary surrender of our civil liberties.
Asset Forfeiture- the latest inevitable result of RICO.
http://www.ciphermax.com/book



------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: New Crypto Regulations
Date: Tue, 18 Jan 2000 16:41:09 GMT

JPeschel wrote:
> "Douglas A. Gwyn" [EMAIL PROTECTED] writes:
> >To the extent that people think a democracy is desirable,
> >the US ideal of government that promotes individual rights
> >has already died.
> This is, of course, pessimistic nonsense.

No, it isn't.  A democracy is merely a slowed-down version of mob rule.
Mobs aren't known for watching out for individual rights.

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: New Crypto Regulations
Date: Tue, 18 Jan 2000 21:06:53 -0600

In article <[EMAIL PROTECTED]>, "Douglas A. Gwyn"
<[EMAIL PROTECTED]> wrote:

> John Savard wrote:
> > Democracy in the United States may have a bad cold, but it isn't
> > terminal.
> 
> To the extent that people think a democracy is desirable,
> the US ideal of government that promotes individual rights
> has already died.

It is not dead as long as so many see it as a live promise that must be
kept.  If there is no hope there is no life.  If some feel they have won
is destroying what people will go into battle for, they have
underestimated their adversaries, us.
-- 
To prevent the compromise of the most common configuration of computers
is something like preventing a sculptor from being too original.  If a
computer design is corruptible, it will be.

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: New Crypto Regulations
Date: Tue, 18 Jan 2000 21:11:17 -0600

In article <860cil$[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Guy
Macon) wrote:

> In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (wtshaw) wrote:
> >
> >Here is my simple proposed regulation: If you know a country or individual
> >is on unfriendly terms with our country, is on a list as an enemy or
> >realistic potential enemy, do not trade, sell, or furnish any information
> >to them.  If they are publicly defined as bad kind of folks, you will be
> >in big trouble under laws against trading with an enemy and may even be
> >punished as a traitor, conspiring to help known criminals as you become
> >one yourself, or acting really, really stupid for which you will be
> >publicly denounced as stupid as would any official caught with their
> >pants down.  If in doubt, the government should be able to tell you the
> >status of the intended receiver, investigate the threat for you, or become
> >a direct party in the transaction so as to catch them red-handed.
> >
> 
> Alas, a case can be made that such barriers support despots and hurt
> the common people who are under their tyranny.

That twist is mere rationalization for doing wrong if used.  Justice
requires using good sense, which is at the root of the situation in the
first place.

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: New Crypto Regulations
Date: Tue, 18 Jan 2000 21:16:42 -0600

In article <[EMAIL PROTECTED]>, "Trevor Jackson, III"
<[EMAIL PROTECTED]> wrote:
....
> It is only arguments based upon principle that have the power to eliminate
> justifications for limiting freedom.  Practical, pragmatic arguments lead to
> compromise.  In the realm of freedom, all compromises are losses.

Compromise can be good, when irrationality must be surrendered as not
meaningful, not to be equated with idealism caught leading one toward
positive goals.

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
