Cryptography-Digest Digest #975, Volume #10 Tue, 25 Jan 00 22:13:01 EST
Contents:
Re: Does RSA use real prime ? (Johnny Bravo)
Re: Does RSA use real prime ? (Johnny Bravo)
Re: finding gcd in the large multiplicative group... ([EMAIL PROTECTED])
Newbie to PGP: RSA vs DH/DSS ("Danny Johnson")
RE: XOR for bits, EOD for trits ("Manuel")
Re: LSFR (David Wagner)
Re: Ciphers for Parallel Computers (Tim Tyler)
Re: RSA v. Pohlig-Hellman (DJohn37050)
Re: How much does it cost to share knowledge? (David A Molnar)
Re: Court cases on DVD hacking is a problem for all of us (David A Molnar)
Re: "Trusted" CA - Oxymoron? (Charles Gallo)
Re: finding gcd in the large multiplicative group... (Taekyoung7)
Re: LSFR ("r.e.s.")
A Format for Cipher Challenges (John Savard)
Re: NIST, AES at RSA conference (John Savard)
Re: Java's RSA implimentation ("Trevor Jackson, III")
----------------------------------------------------------------------------
From: Johnny Bravo <[EMAIL PROTECTED]>
Subject: Re: Does RSA use real prime ?
Date: Tue, 25 Jan 2000 19:15:14 +0000
On Tue, 25 Jan 2000 18:35:08 GMT, Greg <[EMAIL PROTECTED]> wrote:
>
>
>> First off the primality testing on PGP is such that the
>> odds of you winning the lottery jackpot within 5 seconds
>> of being struck by lightning is a much more likely
>> occurence than a PGP chosen pair of primes containing
>> a composit number.
>
>And how remote is that? Is it as remote as someone winning the
>lottery in CA twice in one decade? That has happened. :)
The odds of your PGP primes not actually being prime are less than your
chance of being killed by an asteroid that destroys all human life on
Earth before you finish reading the next sentence of this post. If you
want a numerical value, at least 10^-44 and at most 10^-305, most likely
around 10^-80. The odds of picking the exact second of an event that
occurs once in a billion years are 3*10^-16.
Best Wishes,
------------------------------
From: Johnny Bravo <[EMAIL PROTECTED]>
Subject: Re: Does RSA use real prime ?
Date: Tue, 25 Jan 2000 19:19:59 +0000
On Tue, 25 Jan 2000 18:45:35 GMT, Greg <[EMAIL PROTECTED]> wrote:
>
>> The odds that a prime generated by PGP is not really prime
>> are lower than the chance that a meteor will crash into the
>> Earth and extinguish all life on the planet before you can
>> finish reading this reply.
>
>Well, I was going to ask you how remote of a chance that would
>be, but then I realized that even if a meteor did hit the earth,
>the time it would take for the event to extinguish all life
>would be greater than the time it took me to finish reading
>your post. :)
You could be hit by a stray bullet that kills you before you finish
reading the post; even if you don't die for two days, the bullet still was
the cause of death. :) I never said that the extinguishing would be
instantaneous. Just the chance that such an impact would occur before you
finished reading the message is roughly 10^64 times more likely than a
1024 bit PGP RSA key not containing two 512 bit primes.
Best Wishes,
Johnny Bravo
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: finding gcd in the large multiplicative group...
Date: Wed, 26 Jan 2000 00:22:43 GMT
Taekyoung7 wrote:
> Hi, all...may somebody answer my stupid question. Thanks...^^;
>
> Finding g.c.d. in the large multiplicative group is
> trivial,am I right?
How is it defined? In a group, every element has an
inverse, so in a multiplicative group, every element is a
divisor of every element.
> For example, if we have
> g^x*g^y1, g^x*g^y2, g^x*g^y3,...,g^x*g^yn (mod p)
> where g is a generator of a multiplicative group Zp^*
> and we try to find the gcd through the Euclidean
> algorithm, then...does the g.c.d.of them converge to
> g^x with n in its reasonable size. Am I right?
> (please note that x is chosen once at random and each
> y^i are also chosen at random in [2,p-1].)
Hmm. I don't follow the role of the (mod p), or what you
mean by "converge" and "with n in its reasonable size". Can
you give a precise definition of what you are looking for?
--Bryan
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: "Danny Johnson" <[email protected]>
Subject: Newbie to PGP: RSA vs DH/DSS
Date: Tue, 25 Jan 2000 18:42:53 -0600
=====BEGIN PGP SIGNED MESSAGE=====
Hash: SHA1
I've noticed that the Freeware PGP I downloaded and began using
yesterday (v6.5.2, from Network Associates) allow me to create and
use RSA and DH/DSS key sets. I've also noticed that at least one
person in this newsgroup had a line in his/her signature stating they
would only accept RSA. Why is this? Is one superior to the other?
I have a key set from each method, but which should I use by default
for the best security? My apologies if this isn't the right group to
be asking....
- --
Through the modem, off the server, over the T1, past the frame-relay,
< < NOTHIN' BUT NET > >
Danny
[email protected].
- -Remove N.o.S.p.A.m. and every other dot to reply-
All <S><P><A><M> (or other unsolicited) messages will be forwarded to
[EMAIL PROTECTED], [EMAIL PROTECTED], PostMaster@(your
domain),
and WebMaster@(your domain). I may choose to give one (1) warning.
Public PGP Keys & other info: http://www.brightok.net/~dannyj/pgp/
=====BEGIN PGP SIGNATURE=====
Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>
iQA/AwUBOI5DCWhM79hb0hBhEQJerACg1FSSi+G5EI2fL53t/djspdnb+vMAoO5l
IIdS2sPrvNUvY3ehKJ7MZgRN
=Pf2I
=====END PGP SIGNATURE=====
------------------------------
From: "Manuel" <[EMAIL PROTECTED]>
Subject: RE: XOR for bits, EOD for trits
Date: Wed, 26 Jan 2000 01:06:47 +0100
[John Savard ]
> Probably most people would have just used noncarrying addition without
> even thinking of any alternatives.
Even more, this can be made in any basis: noncarrying addition but in =
any basis other than 2 or 3.
For example: 19, 24 two decimal numbers:
19 XOR(2) 24 =3D 10011 ^ 11000 =3D 01011 =3D 11
19 XOR(7) 24 =3D 25(7) ^ 33(7) =3D 51(7) =3D 36
I wonder if this can be used as a encoding method: XORing plain text =
with a key in a given sequence of basis; this will increase the length =
of the ciphertext but could be worthy.
--=20
+ Manuel Pancorbo
+ [EMAIL PROTECTED]
+ "...
+ M=E1s vale aprender una sola l=EDnea de Ciencia
+ que postrarse cien veces en oraci=F3n. (Cor=E1n)
+
+ Pli valoras lerni ech nur unu linion de Scienco
+ ol preghe genui cent fojojn. (Korano)
+ ..."
------------------------------
From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: LSFR
Date: 25 Jan 2000 17:12:56 -0800
In article <86ldmq$goq$[EMAIL PROTECTED]>,
r.e.s. <[EMAIL PROTECTED]> wrote:
> The idea is to generalize the running-key generator used in the VIC
> cipher, which used a 10-digit decimal "register" for pen & paper use.
> Specifically, I want to find a set of register-lengths n, for each
> of which there is an "optimal" running-key generator of the form
>
> r(i) = r(i-n) + r(i-m) (mod 10), i = n, n+1, ...
>
> with r(0),...,r(n-1) initializing the register. (Here n > m > 0,
> and the register lengths of interest are 10 <= n <= 100.)
Well, it won't be secure, of course, unless you add some nonlinearity
somewhere. I hope that's ok.
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Ciphers for Parallel Computers
Reply-To: [EMAIL PROTECTED]
Date: Wed, 26 Jan 2000 00:47:53 GMT
[EMAIL PROTECTED] wrote:
: Tim Tyler wrote
:> In other words, the paragraph I cited was not intended to apply to the
:> process of parallel searches, testing more than one key at a time.
: I think you still don't have it. The time to break a
: cryptosystem is defined by the best attack, and they claim
: that there is no known way to use parallel machines to
: reduce that time.
: The fact that we can parallelize brute-force key search has
: nothing to do with this issue. Look at the key size.
: Parallel brute-force will never be nearly as fast as serial
: LLL.
You're right - I obviously don't get it.
With a sufficiently parallel machine, you can apply lots of attacks at
once, starting them from different points, where possible. This is
virtually /bound/ to do better than just using a single attack on a
serial machine.
Also, you can apply the best known attack at the same time as (say) a
brute force keyspace search. Maybe the brute force key-search has little
chance of success - but it does have /some/ chance - and this will reduce
the average time to the break.
It seems to me that this implies that any claim that parallelism can't
possibly help attackers in a cyphersystem which allows keys to be
independently rejected has *got* to be false.
Parallelism will always help somewhat (up to about the point where all the
keys can be tested simultaneously, anyway), it's a matter of degree.
--
__________
|im |yler The Mandala Centre http://www.mandala.co.uk/ [EMAIL PROTECTED]
Lottery: a tax on people who are bad at maths.
------------------------------
From: [EMAIL PROTECTED] (DJohn37050)
Subject: Re: RSA v. Pohlig-Hellman
Date: 26 Jan 2000 01:30:07 GMT
Pohlig-Hellman is a way to attack a group and says that at least one of the
primes should be big. For DL systems, mod p a prime, this says p-1 should have
a lareg prime factor as p-1 is the order of the multiplicative group.
Don Johnson
------------------------------
From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: How much does it cost to share knowledge?
Date: 26 Jan 2000 01:27:49 GMT
Jimmy Doughan <[EMAIL PROTECTED]> wrote:
> What is a NIST reservation? I have my own reservations about NIST, but
> I'll discuss them later.
I would guess that this means a reservation for the 3rd AES Conference?
Ah, yes,
http://csrc.nist.gov/encryption/aes/round2/conf3/aes3conf.htm#registration
lists student registration at $300. That doesn't include the hotel room.
I don't think it includes registration at FSE2000, does it? Then student
registration for the both of them is $600. At least FSE2000 is offering
scholarships :
http://www.counterpane.com/fse-scholarships.html
The page says that first decisions have already been made, but some funds
may still be available. Maybe it's not too late to apply?
Thanks,
-David
------------------------------
From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: Court cases on DVD hacking is a problem for all of us
Date: 26 Jan 2000 01:18:41 GMT
Bill Unruh <[EMAIL PROTECTED]> wrote:
> Wasn't Norway also the country whose police acted as the Church of
> Scientology toadies in shutting down an annonymous remail?
If you're thinking of anon.penet.fi and Helsingus, then I think the
country was Finland.
-David
------------------------------
From: Charles Gallo <[EMAIL PROTECTED]>
Crossposted-To:
alt.privacy,alt.security.pgp,comp.security.pgp,comp.security.pgp.discuss
Subject: Re: "Trusted" CA - Oxymoron?
Reply-To: [EMAIL PROTECTED]
Date: Wed, 26 Jan 2000 01:35:12 GMT
On Tue, 25 Jan 2000 09:01:42 -0500, Papa Bear
<[EMAIL PROTECTED]> wrote:
<snip>
>Note that in neither case does it matter *who* I am, only that by
>using the key I can prove that I have the authority to request or
>agree to whatever it is that I am signing. In fact (unless other
>factors are involved) it makes no difference whether "I" am an
>anonymous nym, a known person, or on of several authorized officers of
>a corporation, it is still a question of identity, not identification!
>
>Dave E.
Dave,
And there is the other question - Does it really matter to me
your "Meat Space" ID? Or is it more important that I'm dealing with
"Papa Bear". Heck, if there was a SECURE way for you to prove to me
that you're Papa Bear, I'd be willing to sign to THAT ID, but not
necessarily that your "Dave". For instance, I'm sending you this from
[EMAIL PROTECTED] - I might be able to prove that I'm me, but
could I prove to you that I'm [EMAIL PROTECTED] ? You might
be willing to sign one, but not the other! I've had clients (I'm a
software developer), who I've never met. I know them as bits on the
other end of a modem. and a voice on the phone, along with a check in
the mail. No I really care if the guys real name is Neil? No, I care
that he has the right to change the work order, and he pays me on time
Charlie
-- PGP Key on Request
For the Children RKBA!
------------------------------
From: [EMAIL PROTECTED] (Taekyoung7)
Subject: Re: finding gcd in the large multiplicative group...
Date: 26 Jan 2000 01:37:42 GMT
Thanks a lot...
I agree with g^x*g^r on first trial. However, if we try with some more
experiments, finally we can get to g^x.
For example, on first trial g^x*g^r1 for g^x*g^y1, g^x*g^y2,
g^x*g^y3,...,g^x*g^yn, on second trial g^x*g^r2 for g^x*g^y1, g^x*g^y2,
g^x*g^y3,...,g^x*g^y(n-1), and so on in reasonable time. Then we can obtain
g^x*g^r1,...,g^x*g^rm where m is reasonable in size. Let's try to find gcd
among them...and so on...then g^x could be found but who can know it is g^x?
g^x is the most frequently coming since it always comes out when at least one
pair of g^y is relatively prime to each other.
hmm...I think it is not so difficult to get to g^x. I would appreciate your
comment.
Thank you so much.
------------------------------
From: "r.e.s." <[EMAIL PROTECTED]>
Subject: Re: LSFR
Date: Tue, 25 Jan 2000 17:42:28 -0800
"David Wagner" <[EMAIL PROTECTED]> wrote
: r.e.s. <[EMAIL PROTECTED]> wrote:
: > The idea is to generalize the running-key generator used in the VIC
: > cipher, which used a 10-digit decimal "register" for pen & paper use.
: > Specifically, I want to find a set of register-lengths n, for each
: > of which there is an "optimal" running-key generator of the form
: >
: > r(i) = r(i-n) + r(i-m) (mod 10), i = n, n+1, ...
: >
: > with r(0),...,r(n-1) initializing the register. (Here n > m > 0,
: > and the register lengths of interest are 10 <= n <= 100.)
:
: Well, it won't be secure, of course, unless you add some nonlinearity
: somewhere. I hope that's ok.
It's OK because that (unavoidable) aspect would be taken care
of in what I would call "post-processsing" of the the Fibonacci
generator's key-stream (e.g. introducing non-linearity). The
VIC cipher did this by tabling the key-stream and then using a
columnar transposition of the digits.
--
r.e.s.
[EMAIL PROTECTED]
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: A Format for Cipher Challenges
Date: Wed, 26 Jan 2000 01:36:13 GMT
It occurs to me that, since a known-plaintext attack is easier to
carry out than a ciphertext-only attack, there is a case for
presenting a message along with its plaintext, and asking people to
find the key.
However, it is possible that a key schedule could include a one-way
hash, that doesn't need to also be cracked if you've solved for the
subkeys - which are enough to let you read future messages in the same
key.
Hence, although challenge messages for ciphers that are any good are
pointless anyhow, I suppose that if one is presented to at least gain
evidence that a cipher isn't hopelessly weak, a more valid format for
a challenge might take this form:
_two_ encrypted messages, the plaintext of one being supplied, the
object being to supply the plaintext of the other, and the two being
encrypted with the same key (of course, since otherwise the first
message is pointless - a full description of the system is naturally
required).
John Savard (teneerf <-)
http://www.ecn.ab.ca/~jsavard/index.html
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: NIST, AES at RSA conference
Date: Wed, 26 Jan 2000 01:46:52 GMT
On Tue, 25 Jan 2000 20:23:59 GMT, [EMAIL PROTECTED] (Terry Ritter) wrote,
in part:
>Well, yes and no: It's always nice to have more research. But
>usually research is directed to some extent along product lines. With
>little or no industry of cipher sales, I expect that there is minimum
>support for research and the development directed at new ciphers.
>The "current wisdom" seems to be that one good cipher is enough, and
>if this were possible I would agree. The problem is that -- absent a
>mathematical breakthrough -- we can never know if a cipher really is
>"good"; thus we can never get that "one good cipher."
>What all this means to me is that we dare not trust any single cipher,
>and that means we need a for-profit industry of continued cipher
>development with associated R&D.
As I've noted, it's rather difficult to stimulate demand for a product
by decree.
If there were a serious market for ciphers, though, the field could
still be stultified; one might have a choice between several patented
algorithms, none of which are really adequate ... but the claims of
whose patents cover pretty well all the primitives out of which an
adequate cipher could be constructed.
Cipher design tends to be disvalued because piling on intricate
combinations appears to be an activity that can almost be categorized
as play; cryptanalysis, on the other hand, is hard work, and does
produce an objective result; one either fails or succeeds in breaking
a cipher. As you've often noted, designing a cipher produces no such
objective proof that the design is secure.
Of course, my "warm and fuzzy" detector makes me far more concerned
that the security of financial transactions and the like might be
compromised by someone finding a way to crack RSA than by someone
finding a way to crack Triple-DES. Thus, letting a hundred
alternatives to Triple-DES bloom, while it can indeed be done in a
safe and sound fashion along the lines you have proposed, while at the
same time people refuse to give up the convenience of public-key
methods, and trust only three methods (D-H, RSA, and D-H done over the
elliptic curves) for it seems to be addressing the wrong problem.
And given the non-cryptographic security holes in real systems, others
feel that way for that reason. Here, though, I am less in agreement,
in that getting the lock on the front door so that we can forget about
it and turn to solving the real problems is still worthwhile.
John Savard (teneerf <-)
http://www.ecn.ab.ca/~jsavard/index.html
------------------------------
Date: Tue, 25 Jan 2000 21:18:31 -0500
From: "Trevor Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Java's RSA implimentation
Eric Lee Green wrote:
> Paul Schlyter wrote:
> > If there are no way to copy the array (except in a loop where each
> > array element is copied, one by one), arrays aren't first class
> > citizens in the language. That's the situation in C and C++.
>
> Interesting definition. By that definition, Python arrays don't qualify as
> "first class" either, since 'ary1=ary2' simply makes ary1 refer to the same
> array object that ary2 refers to (everything is an object in Python -- there
> are no "simple" variables). Perl's arrays do. Yet, as far as I can tell, both
> languages are roughly equivalent in their ability to manipulate arrays. The
> only thing that differs is that Python gives special treatment to "immmutable"
> variables (strings and numbers) and does a copy rather than a reference.
I believe the distinction is more than just aliasing. For example, a reference
counting implementation might make ary1 and ary2 refer to the same thing, but if
they support copy-on-write semantics, then they are effectively distinct.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
