Cryptography-Digest Digest #400, Volume #11 Thu, 23 Mar 00 13:13:01 EST
Contents:
multiple encryption (Vlad)
Re: Applied Zero Knowledge Proof (Nelson Junior)
Re: Applied Zero Knowledge Proof (David A Molnar)
Re: new Echelon article (John Savard)
Re: Card shuffling (John Myre)
Re: Improvement on Von Neumann compensator? (John Savard)
Re: Download Random Number Generator from Ciphile Software (Tim Tyler)
Re: new Echelon article (John Savard)
Re: Do you think I'm ready? What do I need? (Jerry Coffin)
Re: multiple encryption (Jerry Coffin)
Re: Open source or not. (Was: Re: Planet Poker Claims...) (A. Prock)
Re: Applied Zero Knowledge Proof (Bob Silverman)
Re: Card shuffling (Scott Nelson)
Re: Applied Zero Knowledge Proof (Paul Rubin)
Re: Prime numbers? (newbie alert) (Bob Silverman)
Re: ecc equation (Bob Silverman)
Re: 2048 Bit Encryption? (Jerry Coffin)
----------------------------------------------------------------------------
From: Vlad <[EMAIL PROTECTED]>
Subject: multiple encryption
Date: Thu, 23 Mar 2000 16:00:26 GMT
Hello.
If I encrypt my data using short keys (40, 56) more than one time
(1 file is encrypted 40 times with a 56-bit key), how can it increase
the encryption level?
What if I change the key every time I do my encryption (i.e. 40
cycles with 40 different keys)? And what will be the equivalent length
of the one-round encrypting key (1600 bits?) in this case?
Thanks.
Vladislav
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: Nelson Junior <[EMAIL PROTECTED]>
Subject: Re: Applied Zero Knowledge Proof
Date: Thu, 23 Mar 2000 16:23:50 GMT
Bob,
Suppose I have a unique sequence of bits. I cannot change this
sequence, it is static.
So, I need a scheme to allow another party to confirm I have this
sequence without giving him the sequence itself.
Applied Use: This sequence is a computer representation of a fingerprint
(human finger).
Please excuse me for my English. My native language is Portuguese.
Regards,
Nelson Junior
[]s
Nelson Junior
In article <8bdd43$ulq$[EMAIL PROTECTED]>,
Bob Silverman <[EMAIL PROTECTED]> wrote:
> In article <8bd8uh$por$[EMAIL PROTECTED]>,
> [EMAIL PROTECTED] wrote:
> > Hi everybody,
> >
> > I'd like to solve a problem that the concept if the zero knowledge
> proof.
>
> This isn't a full or grammatically correct sentence. Please explain
> what you mean.
>
> Is
> > there a well-known public algorithm for it ?
> >
>
> What is 'it'?
>
> > My problem:
> >
> > Authentication via network using a biometrical system leads to
> symmetric key
> > problem. But I have a handicap: if someone hack the server and get
> the bio
> > stream, I cannot change it later, because it's related to a body
> part, and
> > cannot be modified.
> >
> > So, I need a way to prove the server I have that bio piece, without
> showing
> > him what piece of information I have.
>
> You can do a bit-commitment scheme if the data you need to prove
> is static.
>
> Otherwise you will need to explain more fully the structure of the
> information. What is it *exactly* that you are hiding?
>
> Do you know how to construct a ZKP? Schneier's book has some
> helpful guides. However, AFAIK, there is no textbook written on the
> subject.
>
> --
> Bob Silverman
> "You can lead a horse's ass to knowledge, but you can't make him
think"
>
> Sent via Deja.com http://www.deja.com/
> Before you buy.
>
--
===================
Nelson Junior
[EMAIL PROTECTED]
===================
------------------------------
From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: Applied Zero Knowledge Proof
Date: 23 Mar 2000 16:08:05 GMT
Bob Silverman <[EMAIL PROTECTED]> wrote:
> You can do a bit-commitment scheme if the data you need to prove
> is static.
He mentioned that he's working with a biometric identification system of
some kind. So the data may not be entirely static.
Something to look at in this case :
"A Fuzzy Commitment Scheme" Ari Juels and Marcus Wattenberg
Proceedings of 6th ACM Conference on Computer and Communications
Security
(I don't know a web reference off the top of my head, but it will be
in the ACM digital library)
they address the problems which pop up when dealing with data - like
fingerprint readings - which is not quite the same all the time.
Thanks,
-David
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: new Echelon article
Date: Thu, 23 Mar 2000 09:37:38 GMT
"Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote, in part:
>Mok-Kong Shen wrote:
>> ... German companies may expend money in
>> bribery in foreign (as against national) contracts and have tax
>> deductions too. From what you wrote above, I deduce that this is
>> forbidden by law in the US.
>Indeed, we have a general principle that assisting someone else
>in the commission of a crime is a crime in itself.
And that is a good general principle. Why Germany, and _most other
countries_, waive this principle in connection with bribing officials
in some countries is because there are countries in which the
government is in such a condition that there is no option but to give
in to demands for bribes if you want to do business.
Since the amount of foreign exchange a country receives from its
exports _is_ a limiting factor in how many people may be employed in
that country (unless people who have money are somehow restricted from
using it to purchase imports), sources of foreign exchange cannot be
lightly foregone.
There are specific examples where import restrictions are
counter-productive, such as India's ban on importing gold. In general,
however, criticizing a country for protectionism is like criticizing a
man for mowing his own lawn, when he could pay someone to do it for
less an hour than he is paid at his regular job, without first
checking whether he has the option to make more money by working extra
hours or not.
John Savard (jsavard<at>ecn<dot>ab<dot>ca)
http://www.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: John Myre <[EMAIL PROTECTED]>
Subject: Re: Card shuffling
Date: Thu, 23 Mar 2000 09:31:41 -0700
Mok-Kong Shen wrote:
>
> John Myre wrote:
> >
> > Not my point. The way you design a function should be based on
> > its purpose. I imagine I could think up a function that would
> > convince some people that it measures disorder. I also think
> > that better mathematicians could think up better functions. I
> > remain convinced that such an exercise is pointless without
> > specifying more carefully everything the function is for.
>
> One of the purposes was given in the very title of this thread,
> namely for evaluating a card deck.
But the only way to judge the worth of this "evaluation" that you
have given so far is to make sense, intuitively. My contention
is that no honest person wants such an evaluation.
> Since I was criticized for
> not having considered diverse aspects of actual game playing, I
> formulated the problem in a form appropriate for mathematics, in
> order to avoid unnecessary complications in discussions. I asked
> 'Can one .....?' and you answered 'Well, of course'. Doesn't that
> clearly mean you could pull out an answer right out of your sleeves?
No. "One can..." isn't the same as "I can...".
> You said further in the above you could think of a function.
Not precisely.
> Please
> try it. Never mind if it is less good as one from a mathematician.
But I'm not interested in it, at least as so far defined. Only
you are. I didn't mean to sound like I already knew how to do
it. I meant that finding ways to convince the majority of something
useless happens all the time.
> At least we could then have something to discuss on. You can choose,
> if you like, any (practical) application that best suit you for
> providing the example I requested. Should that range of choice be
> felt to be too big, then choose any one of the popular card games
> (thus better corresponding to the title of this thread).
In terms of games of chance (card games, dice games, whatever),
what I'd *like* to know is whether they are "fair". That is to
say, that the actual probabilities are the same as the purported
ones. For a card deck, that means "every order of the deck is
equally probable".
As has been pointed out: there is no function f(P) that can give
you that answer. It's not possible. Since every order of the
deck is possible, then any single ordering might occur from a
perfectly fair shuffling. Which means that any function f(P) that
gives a different answer for one shuffle than for another is
wrong!
> Why does the fact that only a minority understand the details of a
> theory matter in the present context? (To take an analogy, does a
> patient taking antibiotics need to understand the 'details' of how
> the bacteria get killed? Perhaps even part of the physicians don't
> have that knowledge at the level of molecular biology.) Even
> though 'the intuitive measures of randomness are quite often wrong',
> being able to obtain a function f despite that fact would at
> least be something useful at the beginning. (Anyway, if f corresponds
> to their 'wrong' intuition, they will buy it.)
And I don't care about functions merely because people
will buy them.
> 'Convincing to an ordinary person that it is disordered' is well
> sufficient (for my enquiry at least, see my previous posts). The big
> question remains how to find such a (not necessarily scientifically
> impeccable) measure.
But my point is, there is no scientific meaning at all! Much
less an impeccable measure.
This is not mathematics, it is psychology.
This will be my last post on the subject (to any of those who
haven't killfiled me or this thread already...). I really, really,
need to start leaving bad enough alone.
John M.
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Improvement on Von Neumann compensator?
Date: Thu, 23 Mar 2000 09:43:33 GMT
[EMAIL PROTECTED] (Guy Macon) wrote, in part:
>It has been suggested (and implemented by Intel) that a Von Neumann
>compensator
I'm feeling mischievous today. I'll throw out the suggestion that we
should call it just a Neumann compensator. It's unfair to
Austro-Hungarians to identify their ethnic origin, et cetera.
John Savard (jsavard<at>ecn<dot>ab<dot>ca)
http://www.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
Crossposted-To: talk.politics.crypto
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Download Random Number Generator from Ciphile Software
Reply-To: [EMAIL PROTECTED]
Date: Thu, 23 Mar 2000 16:46:28 GMT
In sci.crypt Joseph Ashwood <[EMAIL PROTECTED]> wrote:
:> Perhaps someone else may have some other purpose in mind
:> such as using it to pick their lucky lotto numbers.
: Sorry, unlike some people I'm good enough at math to know
: that it's pointless.
Lotteries are /sometimes/ worth playing; if you need more money than you
have, more than you fear losing what you've got. In fact sometimes,
roll-overs can actually make lotteries worth playing full stop.
As far as RNGs go, in many lotteries, you have to share the winnings
with other people who pick the same numbers as you. When this happens
it makes some sense to try to pick your numbers in a particular way
on the grounds that most people will pick 5, 13, 23, 27 as "lucky
numbers". That makes these popular numbers numbers to be avoided.
If you /try/ and choose randomly, you'll probably play non-randomly -
in a manner that you share with other people. The same will happen if
you stick pins in your card. Use of a RNG may not /quite/ be optimal -
but is likely to be a pretty good way to attempt to maximise your
winnings under these sort of circumstances.
--
__________
|im |yler The Mandala Centre http://www.mandala.co.uk/ [EMAIL PROTECTED]
The show-off is always shown-up in the show-down.
------------------------------
From: [EMAIL PROTECTED] (John Savard)
Crossposted-To: talk.politics.crypto
Subject: Re: new Echelon article
Date: Thu, 23 Mar 2000 10:02:41 GMT
Paul Koning <[EMAIL PROTECTED]> wrote, in part:
>As for "laws that forbid ... encryption" -- what laws are those?
>There are of course regulations that disallow encryption of ham
>radio signals, but that doesn't carry over to other radio services.
They do also embrace CB radio and marine band, I'm quite sure, and
those are a more applicable comparison to cellular telephones than
amateur radio.
John Savard (jsavard<at>ecn<dot>ab<dot>ca)
http://www.ecn.ab.ca/~jsavard/crypto.htm
------------------------------
From: Jerry Coffin <[EMAIL PROTECTED]>
Subject: Re: Do you think I'm ready? What do I need?
Date: Thu, 23 Mar 2000 10:01:19 -0700
In article <8b9l12$og7$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] says...
[ ... ]
> Do you think I should attempt higher-level algorithms before I've gotten
> into calculus or wait? I think I could handle it but there are alot of
> skills I'm missing
Calculus isn't particularly applicable to most cryptography. For
cryptography, you're probably better off studying discrete math and
number theory.
--
Later,
Jerry.
The universe is a figment of its own imagination.
------------------------------
From: Jerry Coffin <[EMAIL PROTECTED]>
Subject: Re: multiple encryption
Date: Thu, 23 Mar 2000 10:01:23 -0700
In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] says...
[ ... ]
> Without the meet in the middle attack, you can add ln(x) bits to the
> encryption, where X is the number of different encryptions used, when
> compared to a brute force attack. 40 different keys adds roughly 5 bits,
> 8 bits for 64 keys. It only ramps down from there, you are better off
> using a stronger cipher if possible.
> A 56 bit cipher would be equivalent to a message encrypted 65536 times
> with a 40 bit cipher using 65536 different keys in a brute force attack.
> And the 65536 keys of 40 bits would require 320k of key to be transmitted
> in advance. If you have this much available transmitted ahead of time,
> and the messages are short enough, a one time pad would be far more
> secure.
This sounds somewhat suspect to me -- it contradicts not only what
common sense seems to indicate, but virtually everything I've ever
read or heard about multiple encryption as well. Probably the most
common example is 3DES -- used correctly, it's generally believed
that 3DES provides the equivalent of a 112-bit key.
By the figuring you've given above, triple-encryption would increase
the effective key size by approximately 1 bit. The circumstances
would have to be extremely well-defined before a 1-bit increase in
effective key-size was worth caring about at all -- a change of one
bit only means doubling the time necessary to exhaust the key space.
This buys you a matter of months of time during which a cipher could
be considered somewhat safe.
At least by most people's estimation, that's not the situation with
3DES at all: while DES has been broken, I don't know of anything that
would even lead one to believe that there's likely to be a reasonable
attack on 3DES at all.
--
Later,
Jerry.
The universe is a figment of its own imagination.
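The 3DES figure Jerry cites (about 112 bits of security from three DES stages) is a consequence of the meet-in-the-middle attack, which the "ln(x) bits" estimate he is replying to leaves out of the picture entirely. The following added example is not from any poster in the thread; it uses a constructed 16-bit toy Feistel cipher, constructed secret keys and constructed known plaintexts. It shows why double encryption under two independent k-bit keys costs an attacker roughly 2 * 2^k cipher operations (plus a table of 2^k entries) rather than the 2^(2k) that exhaustive search over both keys would suggest: encrypt the first known plaintext forward under every k1, decrypt the matching ciphertext backward under every k2, and match the two sets in the middle.

```python
ROUNDS = 4
KEYBITS = 16
KEYSPACE = 1 << KEYBITS


def _round_keys(key):
    """Toy key schedule: four 8-bit round keys from one 16-bit key (injective)."""
    lo, hi = key & 0xFF, (key >> 8) & 0xFF
    return [lo, hi, lo ^ 0xA5, hi ^ 0x5A]


def _f(x, rk):
    """Toy nonlinear round function on one byte (constructed, not a real cipher)."""
    y = (x ^ rk) & 0xFF
    y = (y * 0x9D + 0x35) & 0xFF
    y = ((y << 3) | (y >> 5)) & 0xFF
    return y ^ ((x * rk) & 0xFF)


def toy_encrypt(key, block):
    """4-round Feistel network on a 16-bit block under a 16-bit key."""
    l, r = block >> 8, block & 0xFF
    for rk in _round_keys(key):
        l, r = r, l ^ _f(r, rk)
    return (r << 8) | l          # undo the final swap


def toy_decrypt(key, block):
    """Same network with the round keys in reverse order."""
    l, r = block >> 8, block & 0xFF
    for rk in reversed(_round_keys(key)):
        l, r = r, l ^ _f(r, rk)
    return (r << 8) | l


def double_encrypt(k1, k2, block):
    """Cascade: C = E_k2(E_k1(P)); nominally a 32-bit key."""
    return toy_encrypt(k2, toy_encrypt(k1, block))


def meet_in_the_middle(pairs):
    """Recover candidate (k1, k2) from known (P, C) pairs.

    Returns (candidates, work) where work counts single toy-cipher calls.
    The first pair drives the match; the remaining pairs weed out false hits.
    """
    p0, c0 = pairs[0]
    table = {}
    work = 0
    for k1 in range(KEYSPACE):               # forward half: 2^k encryptions
        table.setdefault(toy_encrypt(k1, p0), []).append(k1)
        work += 1
    found = []
    for k2 in range(KEYSPACE):               # backward half: 2^k decryptions
        mid = toy_decrypt(k2, c0)
        work += 1
        for k1 in table.get(mid, ()):        # a middle value that matches
            ok = True
            for p, c in pairs[1:]:           # confirm on the other known pairs
                work += 2
                if double_encrypt(k1, k2, p) != c:
                    ok = False
                    break
            if ok:
                found.append((k1, k2))
    return found, work


if __name__ == "__main__":
    K1, K2 = 0x1234, 0xBEEF                          # constructed secret keys
    plaintexts = [0x0102, 0xABCD, 0x7F7F]            # constructed known plaintexts
    pairs = [(p, double_encrypt(K1, K2, p)) for p in plaintexts]
    found, work = meet_in_the_middle(pairs)
    print("candidates:", [(hex(a), hex(b)) for a, b in found])
    print("cipher calls:", work, "versus", 2 * KEYSPACE ** 2, "for exhaustive search")
```

With k = 16 the whole attack runs in a couple of seconds in plain Python while exhaustive search over both keys would need 2^33 cipher calls; the ratio is the same 2^(k-1) for any block cipher whose stages are independent, which is why two-stage cascades are rated at about k + 1 bits and why 3DES with three stages is rated near 2k rather than 3k. The memory for the table is the real cost, and the reason the attack is often quoted as a time-memory trade-off.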
------------------------------
From: [EMAIL PROTECTED] (A. Prock)
Crossposted-To: rec.gambling.poker
Subject: Re: Open source or not. (Was: Re: Planet Poker Claims...)
Date: 23 Mar 2000 17:10:29 GMT
According to Tony L. Svanstrom <[EMAIL PROTECTED]>:
>Mike Caro writes:
>> you've got to admit that publishing gives scoundrels some minor
>> advantage over not publishing.
>
>Nope, I don't, and not many would agree with you.
I think that security through obscurity gives a very *false*
sense of security. It's true that it might be harder for a
malicious person to break the RNG, but it's also true that it
means that you must always be on the lookout for someone who's
broken it without your knowledge.
If the algorithm is "open" then you are much more likely to
have a non-malicious person notify you that the code can be
broken, and if a malicious person breaks the code you can
have much more confidence that a non-malicious person will
break it sooner.
If I remember right, THIS is what happened at Planet Poker.
Some set of people broke the code and used this to bilk players
out of money. Some other set of people pointed out *exactly*
how it could be broken, and all wrongs were righted.
If someone has broken the *new* number generator, what faith
can I have that they aren't going to bilk players out of
potential profits for months or years to come?
- Andrew
------------------------------
From: Bob Silverman <[EMAIL PROTECTED]>
Subject: Re: Applied Zero Knowledge Proof
Date: Thu, 23 Mar 2000 17:08:15 GMT
In article <8bdge3$2h4$[EMAIL PROTECTED]>,
Nelson Junior <[EMAIL PROTECTED]> wrote:
> Bob,
>
> Suppose I have a unique sequence of bits. I cannot change this
> sequence, it is static.
>
> So, I need a scheme to allow another party to confirm I have this
> sequence without giving him the sequence itself.
Just apply any standard bit commitment scheme. See Schneier's book.
>
> Please excuse me for my English. My native language is Portuguese.
Please accept *my* sincere apology. I did not realize this when I
first posted.
--
Bob Silverman
"You can lead a horse's ass to knowledge, but you can't make him think"
------------------------------
From: [EMAIL PROTECTED] (Scott Nelson)
Subject: Re: Card shuffling
Reply-To: [EMAIL PROTECTED]
Date: Thu, 23 Mar 2000 17:20:19 GMT
On Thu, 23 Mar 2000 03:30:29 GMT, DMc <[EMAIL PROTECTED]> wrote:
>On Wed, 22 Mar 2000 23:38:26 GMT, [EMAIL PROTECTED] (Scott Nelson)
>wrote:
>
>>Randomness is a negative property.
>
>I have no idea what you mean. Negative property?
>
What I meant by negative property is that
randomness isn't a thing, it's a lack of a thing.
I.e.
Randomness means without pattern, without order,
lacking predictability, not repeatable, unbiased.
Worse, randomness is generally used meaning
lacking all properties.
Since there are infinitely many possible properties,
testing for a lack of all of them is hard.
>>That being said, It's possible to pick almost any property and
>>method for assigning to a deck a number corresponding to that
>>property. The probability of that number being assigned to a
>>fully randomized deck can be calculated, and a comparison made.
>
>>For example, order the deck, then shuffle it. Now count the number
>>of cards that are in sequence. Call it the "sequence value." The
>>probability of a particular sequence value is roughly;
>>
>>0: 0.37
>>1: 0.37
>>2: 0.18
>>3: 0.06
>>4: 0.015
>>5: 0.003
>>6: 0.0005
>>7: 0.00001
>>
>I think the first few rifflings of a new, or intentionally ordered,
>deck is far too limited in circumstances to be of much general
>discussion value.
>
I agree. And as if that weren't enough,
I further limited the examination of the deck
to a single property of that deck.
To wit, the number of cards which remained together
after the shuffle.
>Also, the resulting state of a riffled deck has no analysis value
>by itself. The difference between it and the previous state is the
>beginning of some possible analysis value.
>
That's why I suggested ordering the deck as the first step.
>Choosing to focus solely on riffling extracted from a more complete
>process of riffling, cutting, dealing, playing, card collecting, and
>then back to riffling makes this discussion very much like determining
>how many angels can fit on the head of a pin.
>
Yes, but you have to start somewhere.
I chose to start with a single property,
and how that property changes from a known state after shuffling.
(I start with an ordered deck, and then examine the difference
between that ordered deck, and the deck after shuffling.)
If you want to offer a more complete analysis,
or a better definition, I'd love to see it.
>>
>>Note that a sequence value of 1 doesn't _prove_ the deck was well
>>shuffled, or poorly shuffled, but it does at least provide some
>>measure. If the shuffler knows what our method is, and can choose
>>the order of the deck, he is almost certain to be able to defeat
>>the analysis. For example, simply reversing the order of the cards
>>would result in a sequence value of 0, which is "good" but the deck
>>is hardly well shuffled.
>>
>I do not agree.
Are you disagreeing with my statement that
a sequence value of 1 doesn't prove the deck is well shuffled,
that a shuffler who can stack the deck can defeat the analysis,
or that a deck which is reversed in order is not well shuffled?
>On your probability scale all possible sequences, or
>lack of sequences, will total 1. Of course, you may have a mental
>picture of what you mean by a sequence value of 0, and the
>reversible card ordering which will cause that 0. I am interested in
>seeing such an example from you.
>
I defined "sequence value" as the number of
cards which are in sequence.
Assume the deck is ordered;
Ac 2c 3c 4c 5c 6c 7c 8c 9c Tc Jc Qc Kc -
Ad 2d 3d 4d 5d 6d 7d 8d 9d Td Jd Qd Kd -
Ah 2h 3h 4h 5h 6h 7h 8h 9h Th Jh Qh Kh -
As 2s 3s 4s 5s 6s 7s 8s 9s Ts Js Qs Ks
By definition this has a sequence value of 51.
That is, 51 of the cards are followed by the
next card in sequence.
Now reverse the order of the deck;
Ks Qs Js Ts 9s 8s 7s 6s 5s 4s 3s 2s As -
Kh Qh Jh Th 9h 8h 7h 6h 5h 4h 3h 2h Ah -
Kd Qd Jd Td 9d 8d 7d 6d 5d 4d 3d 2d Ad -
Kc Qc Jc Tc 9c 8c 7c 6c 5c 4c 3c 2c Ac
That has a sequence value of 0.
That is, 0 of the cards are followed by
the next card in sequence.
Here's an example of a sequence value of 1.
Tc 7d Th Qd 9h 3s Js 2h 9c Jc 4c 8d 5c -
Kc Qs Qh 2c 8c 4h Ks As 6c Jd 8h 2d Td -
5d 7s 7c 9s Ah Qc Kd 3d 4d 5h 7h Ac Kh -
Ts Ad 6h 5s 6s 9d 3h Jh 2s 3c 8s 4s 6d
The 5s is followed by the 6s,
but no other cards are followed by the next
card in sequence.
As you pointed out, if one chooses a random permutation,
the probability that it will have a sequence value
between 0 and 51 inclusive, is 1.
As I pointed out, if one chooses a random permutation,
the probability that it will have a sequence value
greater than 8 is very small - less than .1%.
If one chooses a permutation by an unknown process
and the sequence value is greater than 8,
then there's good reason to doubt the randomness
of the choosing process. If you repeat the process
ten times, and get a sequence value greater than 8
all ten times, then it's even more likely that
the choosing process is not random.
Scott Nelson <[EMAIL PROTECTED]>
- Don't forget to vote on sci.crypt.random-numbers
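Scott's "sequence value" and the probability table he quotes are easy to check by simulation. The following added example is mine, not from the thread; it counts successions under his definition, in which the successor of each card is the next one in his ordered deck (so Kc is followed by Ad, Kd by Ah, Kh by As), and estimates the distribution over uniformly shuffled decks with a Fisher-Yates shuffle. One thing the count turns up: under that definition his sequence-value-1 deck contains two successions, 3d 4d as well as 5s 6s, so the function reports 2 for it.

```python
import random

RANKS = "A23456789TJQK"
SUITS = "cdhs"
# Scott's ordered deck: Ac ... Kc, Ad ... Kd, Ah ... Kh, As ... Ks
ORDERED = [r + s for s in SUITS for r in RANKS]
# successor of each card in that order; Ks, the last card, has none
SUCCESSOR = {ORDERED[i]: ORDERED[i + 1] for i in range(51)}

# the "sequence value of 1" deck, copied from the post above
EXAMPLE_DECK_TEXT = """
Tc 7d Th Qd 9h 3s Js 2h 9c Jc 4c 8d 5c -
Kc Qs Qh 2c 8c 4h Ks As 6c Jd 8h 2d Td -
5d 7s 7c 9s Ah Qc Kd 3d 4d 5h 7h Ac Kh -
Ts Ad 6h 5s 6s 9d 3h Jh 2s 3c 8s 4s 6d
"""


def parse_deck(text):
    """Turn the post's notation into a list of cards and check it is a full deck."""
    cards = [c for c in text.split() if c != "-"]
    if sorted(cards) != sorted(ORDERED):
        raise ValueError("not a full 52-card deck")
    return cards


def sequence_value(deck):
    """Number of positions where a card is immediately followed by its successor."""
    return sum(1 for a, b in zip(deck, deck[1:]) if SUCCESSOR.get(a) == b)


def successions(deck):
    """The adjacent pairs that contributed to the sequence value."""
    return [(a, b) for a, b in zip(deck, deck[1:]) if SUCCESSOR.get(a) == b]


def estimate_distribution(trials=20000, seed=1):
    """Monte Carlo estimate of P(sequence value = v) for a uniform shuffle."""
    rng = random.Random(seed)
    deck = ORDERED[:]
    counts = {}
    for _ in range(trials):
        rng.shuffle(deck)             # Fisher-Yates: every one of 52! orders equally likely
        v = sequence_value(deck)
        counts[v] = counts.get(v, 0) + 1
    return {v: n / trials for v, n in sorted(counts.items())}


def tail_probability(dist, threshold=8):
    """P(sequence value > threshold) under a fair shuffle, from the estimate."""
    return sum(p for v, p in dist.items() if v > threshold)


if __name__ == "__main__":
    print("ordered :", sequence_value(ORDERED))
    print("reversed:", sequence_value(ORDERED[::-1]))
    example = parse_deck(EXAMPLE_DECK_TEXT)
    print("example :", sequence_value(example), successions(example))
    dist = estimate_distribution()
    for v, p in dist.items():
        print(f"{v}: {p:.4f}")
    print("P(> 8) about", tail_probability(dist))
```

The simulated frequencies for 0, 1, 2 and 3 successions land close to the 0.37, 0.37, 0.18 and 0.06 in the post (the count is approximately Poisson with mean 51/52), and values above 8 essentially never appear, which is the basis for Scott's "doubt the shuffler" rule. It also shows the point John Myre and Scott both make: the ordered deck scores 51 and the reversed deck scores 0, so a single statistic can be gamed by anyone who knows which statistic is being checked.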
------------------------------
From: [EMAIL PROTECTED] (Paul Rubin)
Subject: Re: Applied Zero Knowledge Proof
Date: 23 Mar 2000 17:23:49 GMT
In article <8bd8uh$por$[EMAIL PROTECTED]>, <[EMAIL PROTECTED]> wrote:
>Hi everybody,
>
>I'd like to solve a problem that the concept if the zero knowledge proof. Is
>there a well-known public algorithm for it ?
>
>My problem:
>
>Authentication via network using a biometrical system leads to symmetric key
>problem. But I have a handicap: if someone hack the server and get the bio
>stream, I cannot change it later, because it's related to a body part, and
>cannot be modified.
>
>So, I need a way to prove the server I have that bio piece, without showing
>him what piece of information I have.
>
>Any ideas ?
There's no need to mess with ZKP's. Just use a conventional
challenge-response protocol with a conventional cipher.
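The exchange Paul has in mind, as an added example that is not part of the original post: the server issues a fresh random nonce, the client answers with a keyed function of it, and the secret itself never crosses the wire. This example swaps in an HMAC (a keyed hash) for the "conventional cipher" because Python's standard library has one; a block cipher used as a MAC over the nonce works the same way. The enrolled secret here is a constructed fixed byte string; a real fingerprint template differs slightly from reading to reading, which is the gap David's fuzzy-commitment reference addresses.

```python
import hashlib
import hmac
import secrets


class Verifier:
    """Server side: holds the enrolled secret, issues nonces, checks responses."""

    def __init__(self, enrolled_secret):
        self._secret = enrolled_secret
        self._pending = set()            # nonces issued but not yet answered

    def challenge(self):
        nonce = secrets.token_bytes(16)  # fresh, unpredictable, single use
        self._pending.add(nonce)
        return nonce

    def verify(self, nonce, response):
        if nonce not in self._pending:
            return False                 # unknown or already-used nonce: a replay
        self._pending.discard(nonce)     # consumed whether or not the answer is right
        expected = hmac.new(self._secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)   # constant-time comparison


class Prover:
    """Client side: proves possession of the secret without sending it."""

    def __init__(self, secret):
        self._secret = secret

    def respond(self, nonce):
        return hmac.new(self._secret, nonce, hashlib.sha256).digest()


def run_exchange(prover, verifier):
    """One round trip; only the nonce and the 32-byte MAC are transmitted."""
    nonce = verifier.challenge()
    return verifier.verify(nonce, prover.respond(nonce))


def replay_attempt(prover, verifier):
    """Present one valid (nonce, response) twice; the second must be refused."""
    nonce = verifier.challenge()
    response = prover.respond(nonce)
    return verifier.verify(nonce, response), verifier.verify(nonce, response)


if __name__ == "__main__":
    secret = b"constructed-fingerprint-template-bits"   # constructed, not a real template
    server = Verifier(secret)
    print("genuine client :", run_exchange(Prover(secret), server))
    print("wrong secret   :", run_exchange(Prover(b"guess"), server))
    print("replay         :", replay_attempt(Prover(secret), server))
```

Note what this does and does not give Nelson: an eavesdropper learns nothing usable from the nonce and MAC, and a captured answer cannot be replayed because each nonce is accepted once. The server still holds the enrolled secret, so the "someone hacks the server" case from the original question is not solved by challenge-response alone; that is the part that needs a commitment-style construction.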
------------------------------
From: Bob Silverman <[EMAIL PROTECTED]>
Subject: Re: Prime numbers? (newbie alert)
Date: Thu, 23 Mar 2000 17:18:10 GMT
In article <[EMAIL PROTECTED]>,
proton <[EMAIL PROTECTED]> wrote:
>
> Would a prime number instead of an ordinary number
> be better for creating randomness?
>
What do you mean by this????
What scheme are you thinking of when you say "ordinary number"?
If one is using (say) a PRNG based on (say) a Fibonacci generator
or linear congruential [then combined with something else], prime
numbers are indeed better because they create longer periods.
They are also essential for (say) the Blum-Blum-Shub generator.
Other than this, I am not sure what you mean. Your question is so
vague, that I am not even sure that you know what you mean.
> I've also understood how the RSA algorithm works
> as it's explained in the crypto faq. But I still don't
> understand *why* it works
It works because if N=pq and e are public, then
M^e Mod N is invertible because e has a multiplicative inverse mod
phi(N). The rest follows from Lagrange's theorem.
What further "why" are you looking for?
> And to those who immediately think I should go buy
> a book: I can't afford books at the moment..
See: http://www.rsasecurity.com/rsalabs/faq
>
> Heh, one final warning too. My math skills aren't all
> that good. I barely understood the short RSA description
> in the crypto faq and managed to verify it on my own
> (with a little bit of help from `bc' =))
Therefore the first thing you need to do is improve your math
skills. Start with any good book on elementary number theory.
How did you 'verify' that RSA is correct using bc?
The best one could do is verify some examples. But this is not
the same as verifying the math.
--
Bob Silverman
"You can lead a horse's ass to knowledge, but you can't make him think"
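To put numbers to Bob's two sentences, here is an added example (mine, not from the thread; the primes 61 and 53 with e = 17 are a textbook toy choice, far too small for real use). It computes d as the inverse of e mod phi(N) by the extended Euclidean algorithm and then checks (M^e)^d = M for every residue mod N. As Bob says, checking examples is not the same as verifying the math; the exhaustive check is only cheap enough at this size to show that the identity also holds for the residues that share a factor with N, where Euler's theorem on (Z/N)* is silent and the Lagrange argument has to be applied mod p and mod q separately.

```python
from math import gcd


def modinv(a, m):
    """Multiplicative inverse of a mod m by the extended Euclidean algorithm."""
    r0, r1, s0, s1 = m, a % m, 0, 1       # invariant: r_i = s_i * a (mod m)
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    if r0 != 1:
        raise ValueError(f"{a} has no inverse mod {m}")
    return s0 % m


def rsa_keypair(p, q, e):
    """Toy RSA: returns (N, d) with e*d = 1 (mod phi(N)). N is nowhere near a secure size."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(N) for d to exist")
    return n, modinv(e, phi)


def roundtrip_everywhere(n, e, d):
    """True iff (M^e)^d = M (mod N) for every residue M, coprime to N or not."""
    return all(pow(pow(m, e, n), d, n) == m for m in range(n))


def non_coprime_residues(p, q):
    """Residues sharing a factor with N = pq: the cases Euler's theorem alone does not cover."""
    n = p * q
    return [m for m in range(1, n) if gcd(m, n) != 1]


if __name__ == "__main__":
    n, d = rsa_keypair(61, 53, 17)
    print("N =", n, "d =", d, "e*d mod phi =", (17 * d) % 3120)
    print("all residues round-trip:", roundtrip_everywhere(n, 17, d))
    print("residues not coprime to N:", len(non_coprime_residues(61, 53)))
```

The second print is the "why": because e*d = 1 + k*phi(N), the map M -> M^e is a bijection on the residues mod N, and its inverse is M -> M^d. The third print counts the 112 residues (multiples of 61 or of 53) that the coprime-only argument leaves out and that the exhaustive check nevertheless covers.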
------------------------------
From: Bob Silverman <[EMAIL PROTECTED]>
Subject: Re: ecc equation
Date: Thu, 23 Mar 2000 17:23:39 GMT
In article <HXnC4.63163$[EMAIL PROTECTED]>,
"Tom St Denis" <[EMAIL PROTECTED]> wrote:
>
> Joseph Ashwood <[EMAIL PROTECTED]> wrote in message
> news:e8ZJ7yJl$GA.154@cpmsnbbsa02...
> > > Hmmm.... I wonder what elliptic curves over the complex
> > plain could
> > > do for crypto :-)
> > Since there are multiple planes that could be called complex
> > (my knowledge of the specific terminology in the realm is
> > not even shaky, so pardon if this is mistake).
May I suggest that if you don't have the knowledge to answer the
question that you not try to answer???
A Weierstrass curve over C would be (essentially) useless.
Why? Because if you extend the field over which you are working
to ALL of C, then the field in which you work contains all the roots
of the right hand side of the curve.
OTOH, it is possible to use elliptic curves over a FINITE extension of
Q (rather than its full closure) if the finite extension does NOT
contain roots of the cubic.
--
Bob Silverman
"You can lead a horse's ass to knowledge, but you can't make him think"
------------------------------
From: Jerry Coffin <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: Re: 2048 Bit Encryption?
Date: Thu, 23 Mar 2000 10:33:28 -0700
In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
says...
[ ... ]
> OAP-L3 is not susceptible to factoring attacks.
For the moment, I'll call this part A. AFAIK, it's a true statement.
> If you want to crack OAP-L3 encrypted messages you must guess
> a key, process it to generate OTPs, then attempt to decrypt
> the message using these OTPs.
For the moment, I'll call this part B. The problem is that you're
assuming that there are only two attacks on ciphers: factoring and
exhaustion of key-space.
In reality, the opposite is true: up until quite recently when DH,
RSA, etc., were invented, factoring was not a way of attacking any
cipher. Despite this, people managed to attack LOTS of ciphers quite
successfully for many years before public-key encryption had been
invented.
> This is quite a computationally intensive process
> for each and every possible key.
But only if it's necessary. The thing you really should realize is
that it's been _proven_ that you can't guarantee security unless the
key is at least as large as the data being encrypted. As long as the
key is smaller than the data to be encrypted, there's at least the
possibility that somebody can find a shortcut to break the cipher
with less effort than exhausting the key space. In some cases,
people search for _years_ without finding such an attack, but
eventually somebody finds such a thing.
Just for one example, a long time ago there was a cipher that was
believed to be quite secure. People had tried to attack it for some
time, and nobody had found a way. A few people had figured up the
amount of time it would take for a brute-force attack, and figured
the sun would have exhausted its supply of hydrogen well before such
an attack could be completed. Clearly the cipher was _extremely_
secure.
Only a few years later, a couple of people DID find an attack on it,
and gave a presentation on their attack. Once the attack was found,
breaking the cipher was so easy that they demonstrated breaking it,
using an Apple II (a 1 MHz, 8-bit processor, for those too young to
remember it) during a presentation that lasted around an hour...
Factoring not being involved does NOT for a moment mean that an
attack cannot be found on your cipher. In some cases (e.g. DES)
attacks are found that are mostly of theoretical interest. If NO
attack of any sort (even a purely theoretical one) has been found, it
generally indicates exactly one thing: nobody's bothered to look at
your algorithm enough for _anybody_ (especially you) to have even a
vague notion of what level of security it may or may not provide.
--
Later,
Jerry.
The universe is a figment of its own imagination.
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************