Cryptography-Digest Digest #903, Volume #11      Wed, 31 May 00 15:13:01 EDT

Contents:
  Re: RIP Bill 3rd Reading in Parliament TODAY 8th May (David Boothroyd)
  Re: No-Key Encryption (Mok-Kong Shen)
  Re: encryption without zeros (James Felling)
  Re: CAST Sboxes -- need help (Mike Rosing)
  Re: high speed public key crypto (Albert Yang)
  Re: RIP Bill 3rd Reading in Parliament TODAY 8th May (Andru Luvisi)
  Re: No-Key Encryption (James Felling)
  Re: PGP wipe how good is it versus hardware recovery of HD? (jungle)
  Re: Does it even matter? (Ichinin)
  Re: Does it even matter? (Mike Rosing)
  Democracy in Britain (Was:Re: RIP Bill 3rd Reading in Parliament TODAY 8th May) ("Fergus O'Rourke")
  Re: DVD encryption secure? -- any FAQ on it (Mok-Kong Shen)
  Re: No-Key Encryption (James Felling)
  Low exponent DH (Ichinin)
  Re: list of prime numbers ("Axel Lindholm")
  Re: Is OTP unbreakable? ("Joseph Ashwood")
  Re: Is OTP unbreakable?/Station-Station ("Joseph Ashwood")
  Re: encryption without zeros (Bryan Olson)
  Re: Low exponent DH (Anton Stiglic)
  Re: Is OTP unbreakable?/Station-Station ([EMAIL PROTECTED])
  Re: Does it even matter? (wtshaw)
  Re: XTR (was: any public-key algorithm) ("Michael Scott")
  Re: any public-key algorithm ("Eric Verheul")
  Re: Sunday Times 30/4/2000: "MI5 builds new centre to read e-mails on the net" (Jim)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (David Boothroyd)
Crossposted-To: 
uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,talk.politics.crypto,alt.ph.uk,alt.conspiracy.spy,alt.politics.uk,uk.telecom
Subject: Re: RIP Bill 3rd Reading in Parliament TODAY 8th May
Date: Wed, 31 May 2000 18:09:42 +0000

In article <[EMAIL PROTECTED]>, "Scotty"
<[EMAIL PROTECTED]> wrote:

> David Boothroyd wrote in message ...
> >In article <[EMAIL PROTECTED]>, Andru Luvisi
> ><[EMAIL PROTECTED]> wrote:
> >> [EMAIL PROTECTED] (David Boothroyd) writes:
> >> [snip]
> >> > It is not a human rights violation. The s.19 certificate states that
> the
> >> > Bill complies with all the UK's human rights obligations.
> >> [snip]
> >>
> >> This is not a usenet post.  This is a binding contract which you have
> >> already signed, stating that you must pay me US$1,000,000 on or before
> >> July 1st 2000.
> >
> >Very funny.
> >
> >A section 19 certificate is a statement by the Minister responsible for
> >the Bill which states whether or not it complies with the European
> >Convention on Human Rights. This statement is made on the advice of the
> >government's law officers. The terms of the European Convention are,
> >of course, those as drafted in the early 1950s and agreed internationally.
> 
> Now that *is* funny, the notion that the government's law officers are
> independent.

I did not say that they were. They are employed by the government to give
legal advice, but like good legal advisers, they advise on what the law
says and not what they would like it to say.

> A section 19 certificate is little more than a rubber stamp. A
> section 19 certificate was even given for the original version in the
> e-commerce bill and that so blatantly violated the HRA they had to tone it
> down in the RIP bill.

It did not. It was not concerns over Human Rights issues which led to the
changes in the Electronic Commerce Bill.

> Yet there is still a vast weight of legal opinion (more highly respected
> than the government's own law officers),

Is this possible?

Are these mysterious givers of legal opinion in some way connected with
organisations who have always been against the Bill?

> that they are still wrong, and this Bill does *not* comply with the HRA.
> 
> MPs of course are no problem, few if any understand the bill. They are for
> the most part lobby fodder who would never dream of voting against the
> government whatever it proposed. When was the last time your MP voted
> against their party (other than on a matter specifically affecting their
> constituency)?

My MP actually does so relatively frequently for an opposition Member,
but he is in his last Parliament.

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: No-Key Encryption
Date: Wed, 31 May 2000 19:27:29 +0200



John Savard wrote:

> If * is commutative, the scheme is trivially breakable. If it is
> associative, it seems to at least have a property strongly resembling
> commutativity, but A*B could lose information about B instead.
>
> If * is associative, and M*A*B = M*B*A for any M,A,B, then the
> following procedure will find Q*A and Q*B for any Q, even if it
> doesn't find M:
>
> having intercepted M*A, M*A*B, M*B, evaluate Q*M*A*B, and divide it by
> M*A or by M*B.
>
> If finding Q*A for any Q lets you find A, then you can find M; this
> seems to be a serious weakness for any associative operator.

'*' is assumed to be associative. Doesn't the equation
M*A*B = M*B*A for any M, A, B now express commutativity of '*'?
So '*' is assumed to be BOTH associative and commutative. Am I
understanding that correctly? Thanks.

M. K. Shen


------------------------------

From: James Felling <[EMAIL PROTECTED]>
Subject: Re: encryption without zeros
Date: Wed, 31 May 2000 12:14:22 -0500



lordcow77 wrote:

> Why not? ab//cd0000ef/g -> ab////cd/0/0/0/0ef//g

How about ab//cd0000ef/1 -> ab////cd/1/1/1/1ef//1

or something along this line.
Rules as follows:
If character != 0 and != / then output character.
If character = 0 output /1
If character = / output //
Done. (It will expand the stream in proportion to the number of escape
characters and 0's in it, so I would try to make the escape character a low-use
character.)
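The escape coding just described, as an added example (not the poster's code): '/' becomes '//', a zero byte becomes '/1', everything else passes through, so the output never contains 0x00. It treats the escaped value as the byte 0x00 rather than the character '0', and the decoder also rejects malformed input, which the post does not cover.

```python
# Escape coding from the post, as an added example (not the poster's code):
# the escape byte '/' becomes '//', a zero byte becomes '/1', and every other
# byte passes through, so the output never contains 0x00.
ESC = ord("/")   # escape character; the post suggests picking a rarely used one
MARK = ord("1")  # byte that follows ESC to stand for a zero byte

def encode(data: bytes) -> bytes:
    """Remove all zero bytes by escaping; only '/' and 0x00 cost an extra byte."""
    out = bytearray()
    for b in data:
        if b == ESC:
            out += bytes([ESC, ESC])
        elif b == 0:
            out += bytes([ESC, MARK])
        else:
            out.append(b)
    return bytes(out)

def decode(data: bytes) -> bytes:
    """Inverse of encode; raises ValueError on a stray zero or a bad escape."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b == 0:
            raise ValueError(f"zero byte at offset {i} in encoded stream")
        if b != ESC:
            out.append(b)
            i += 1
            continue
        if i + 1 == len(data):
            raise ValueError("dangling escape at end of stream")
        nxt = data[i + 1]
        if nxt == ESC:
            out.append(ESC)
        elif nxt == MARK:
            out.append(0)
        else:
            raise ValueError(f"bad escape sequence at offset {i}")
        i += 2
    return bytes(out)

def expansion(data: bytes) -> int:
    """Extra bytes the coding adds: exactly one per '/' or 0x00 in the input."""
    return len(encode(data)) - len(data)

if __name__ == "__main__":
    # Constructed sample matching the post's example, with 0x00 for its '0's.
    sample = b"ab//cd\x00\x00\x00\x00ef/1"
    enc = encode(sample)
    print(enc, decode(enc) == sample, "extra bytes:", expansion(sample))
```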


------------------------------

From: Mike Rosing <[EMAIL PROTECTED]>
Subject: Re: CAST Sboxes -- need help
Date: Wed, 31 May 2000 12:17:00 -0500

tomstd wrote:
> Problem is they don't explain how to do the Walsh transform on
> huge arrays in a realistic amount of time, etc...

I don't think they did a Walsh transform.  Lots of statistics on
avalanche and diffusion and stuff.

> I sorta get the math (basics) but not enough to turn it into
> equivalent faster programs...

I didn't either.  That's about the time ECC caught my attention
and I've been playing with it since.  Now I'm off into EC without
the crypto.  Makes for pretty pictures anyway :-)

Patience, persistence, truth,
Dr. mike

------------------------------

From: Albert Yang <[EMAIL PROTECTED]>
Subject: Re: high speed public key crypto
Date: Wed, 31 May 2000 17:25:02 GMT

There are two ways to go about this:

If it shows promise, we are like the math community: it's damn near
"impossible" to "steal" an idea that is posted on sci.crypt and call it
your own.  So don't worry about that.  Second, publish it, put it out
into the open domain, and then charge outrageous amounts for consulting
fees.  If it shows promise, someone will pay for your services.  You'll
be keynote speaker at DefCon, women will follow you around, people will
beg you to start a company so they can work for you...

Or if it's not that compelling of an idea, but shows some promise or is
in a direction that nobody has taken a perspective on, it will help
another researcher come up with the holy grail, and if they do, they
will CERTAINLY cite your work as the basis, and all the above items I
mentioned will still happen to you.

Curious minds want to know...

Albert

------------------------------

From: Andru Luvisi <[EMAIL PROTECTED]>
Crossposted-To: 
uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,talk.politics.crypto,alt.ph.uk,alt.conspiracy.spy,alt.politics.uk,uk.telecom
Subject: Re: RIP Bill 3rd Reading in Parliament TODAY 8th May
Date: 31 May 2000 10:14:56 -0700

[EMAIL PROTECTED] (David Boothroyd) writes:
[snip]
> > Yet there is still a vast weight of legal opinion (more highly respected
> > than the government's own law officers),
> 
> Is this possible?
> 
> Are these mysterious givers of legal opinion in some way connected with
> organisations who have always been against the Bill?
[snip]

Even if they are, that does not imply that their legal opinion was
influenced by their opposition to the bill.  Their opposition may have
its roots in their legal opinion.

Andru
-- 
========================================================================== 
| Andru Luvisi                 | http://libweb.sonoma.edu/               |
| Programmer/Analyst           |   Library Resources Online              | 
| Ruben Salazar Library        |-----------------------------------------| 
| Sonoma State University      | http://www.belleprovence.com/           |
| [EMAIL PROTECTED]      |   Textile imports from Provence, France |
==========================================================================

------------------------------

From: James Felling <[EMAIL PROTECTED]>
Subject: Re: No-Key Encryption
Date: Wed, 31 May 2000 12:24:48 -0500



tomstd wrote:

> In article <[EMAIL PROTECTED]>, Michael Pellaton
> <[EMAIL PROTECTED]> wrote:
> >In the literature about cryptography I often read about the three
> >different types of encryption - symmetric, asymmetric and no-key
> >encryption. I found plenty of implementations of the symmetric and the
> >asymmetric method. Is there any implementation of no-key encryption
> >available?
> >
>
> No-key encryption doesn't make sense at all.  Where did you hear
> about that?
>
> Tom

Rot-13 is no key, uuencoding, base-64, most compression methods, those types of
things -- it is usually not useful as an information-hiding strategy but as a
modified data format to allow one some alternative benefit.



------------------------------

From: jungle <[EMAIL PROTECTED]>
Subject: Re: PGP wipe how good is it versus hardware recovery of HD?
Date: Wed, 31 May 2000 13:28:39 -0400

Richard Herring wrote:
> 
> In article <[EMAIL PROTECTED]>, tomstd 
>([EMAIL PROTECTED]) wrote:
> 
> > Er, all you need to do is overwrite a file once to completely
> > kill the information.
> 
> > Despite what others think, once you overwrite the information on
> > disk once or twice, it's completely gone.  This is because the
> > hard disks are so dense there is no room for 'extra' noise.
> 
> > The HD recovery attacks mainly would work on floppy disks since
> > each drive is not aligned the same (got this info from a
> > friend).
> 
> There you are. It's perfectly safe to wipe once, because Tom's
> friend says so. If necessary you can stake your life on that fact.

do you dare to prove that it's not safe to wipe once ?



------------------------------

From: Ichinin <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Does it even matter?
Date: Tue, 30 May 2000 14:34:19 +0200

So... Do what everyone else does: start your own business, negotiate
a deal with RSA, and if the .gov don't like it = too bad.

Just a story:

A friend of mine went over to the States; all he had was some
Design/Photoshop experience, he was just - VERY talented. Now he's
doing web design. What's so different about working for RSA?
(It's a commercial entity, not a spy agency.) And why are they
demanding paper instead of proven knowledge?

Just a question,

Ichinin

(Yes, I still toast spammers!)

------------------------------

From: Mike Rosing <[EMAIL PROTECTED]>
Subject: Re: Does it even matter?
Date: Wed, 31 May 2000 12:30:49 -0500

dlk wrote:
> 
> Tom,
> 
> I'm no crypto-expert (way, way far from it!) but I'm a hell of coder and I
> know talent when I see it. You got it. Don't give up.
> 
> Do:
> 
> Finish high school.

[good stuff snipped]

Yup! to all of it.  You shouldn't have too much trouble getting into
college.  The university at Waterloo has lots of good technical programs
and one of the best crypto schools in the world.  Busting your butt for
classes is not as much fun as coding, but it will pay off in the long
run.  

So you can't post as often as you like, but you can still visit now and
then.
Bummer for us, but that's kind of what life is about, eh?  With a degree
in your pocket you'll eat a hell of a lot better than without it!

Good luck!

Patience, persistence, truth,
Dr. mike

------------------------------

From: "Fergus O'Rourke" <[EMAIL PROTECTED]>
Crossposted-To: 
uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,talk.politics.crypto,alt.ph.uk,alt.conspiracy.spy,uk.telecom
Subject: Democracy in Britain (Was:Re: RIP Bill 3rd Reading in Parliament TODAY 8th May)
Date: Wed, 31 May 2000 07:40:51 +0100

Axel wrote in message <8h1ep9$7cd$[EMAIL PROTECTED]>...
>In uk.legal Fergus O'Rourke <[EMAIL PROTECTED]> wrote:
>> Axel <[EMAIL PROTECTED]> wrote in message
>> news:8gus3n$63s$[EMAIL PROTECTED]...
>>> In uk.legal Fergus O'Rourke <[EMAIL PROTECTED]> wrote:
>>> > The best way to get a tyrannical government is not to vote
>>>
>>> Not when there are limitations on standing for election and how
>>> candidates are allowed to describe themselves.
>>>
>
>> Don't be silly
>
>I'm not being silly. Recent changes have allowed political parties to
>register their names and restrict use of such names in elections.
>Originally there was no description beside a candidate on a ballot form,
>then it was introduced, and now it has become regulated.
>

So what?



------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: DVD encryption secure? -- any FAQ on it
Date: Wed, 31 May 2000 19:56:33 +0200



"Casper H.S. Dik - Network Security Engineer" wrote:

> You can do bit-by-bit copying of DVD disks and they'll play in
> any player; no need to decrypt.

Are you sure? I am ignorant of hardware, but I remember that
there were in the past diskettes that were intentionally damaged
somehow by the software manufacturer so that they couldn't be
copied. Wouldn't some parallel techniques work in the present case?

M. K. Shen


------------------------------

From: James Felling <[EMAIL PROTECTED]>
Subject: Re: No-Key Encryption
Date: Wed, 31 May 2000 12:43:34 -0500



Michael Pellaton wrote:

> It seems to me that I used the wrong name of a method of encryption.
> Maybe it's an error that occurred during translation from and to
> German (I have seen the word "no-key encryption" in at least two
> German books).
>
> I'd like to explain what I mean with "No-Key-Encryption" in a
> small example:
>
> Assume Alice wants to send a message to Bob.
>
> The message is M = 10101100
> Alice has a private key A = 11011001
> Bob has a private key B = 00010111
>
> Now, Alice encrypts her message with her private key
>   M XOR A = Ma = 01110101
>
> and sends Ma to Bob. Bob can't decrypt the message, but he can
> encrypt it again using his key
>   Ma XOR B = Mab = 01100010
>
> Now Bob sends Mab back to Alice. She decrypts it with her key A
>   Mab XOR A = Mb = 10111011
>
> and again sends it to Bob who is now able to decrypt the Message
> with his key
>   M = Mb XOR B = 10101100
>
> Maybe the method should be called "no public key" or "no key
> exchange" encryption.
>
> It allows two people or systems to communicate safely without knowing
> anything about each other except for the fact that they use the
> same encryption system.
>
> I know that XOR is a very weak encryption method and I just used it
> to show what I mean with "No-Key encryption" in an easy way.
>
> Now, what's the proper English name for what I described above?
> Where is it used?
> Are there any well-known implementations?
>
> Thanks for your help
>
> Michael Pellaton
>
> Michael Pellaton wrote:
> >
> > In the literature about cryptography I often read about the three
> > different types of encryption - symmetric, asymmetric and No-Key
> > encryption. I found plenty of implementations of the symmetric and the
> > asymmetric method. Is there any implementation of no-key encryption
> > available?

This is insecure as written, since XOR is an easy-to-reverse operation.
An alternative form: let
E be a keyed cypher that forms an abelian group, i.e. E(key1, E(key2, M)) =
E(key2, E(key1, M)).  Modular exponentiation mod p jumps to mind, but any
hard-to-reverse operation with this property will do.

Then Alice sends message E(KA, M) to Bob, who sends E(KB, E(KA, M)) back.
Then Alice sends Decrypt(KA, E(KB, E(KA, M))) = Decrypt(KA, E(KA, E(KB, M)))
= E(KB, M) to Bob, who decrypts it.

This allows two private keys to be used to send the message -- no one has
their keys revealed, and the message is transferred between them.
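Both halves of this exchange as an added example (not code from either post): Pellaton's XOR three-pass with his exact values, the eavesdropper's recovery of M from the three passes, and the commutative modular-exponentiation version Felling suggests (Shamir's three-pass protocol). The prime P is a constructed toy parameter, not a recommended size.

```python
# Added example (not from either post): the XOR three-pass exchange with the
# post's values, the eavesdropper's recovery of M from the three passes, and
# the commutative version Felling suggests, E(k, x) = x^k mod p (Shamir's
# three-pass protocol). P is a constructed toy prime, not a recommended size.
import math
import secrets

# Message and private keys from Michael Pellaton's post.
M_POST, A_POST, B_POST = 0b10101100, 0b11011001, 0b00010111

def xor_three_pass(m: int, a: int, b: int):
    """Return (Ma, Mab, Mb, Bob's result) for the XOR scheme."""
    ma = m ^ a        # pass 1, Alice -> Bob
    mab = ma ^ b      # pass 2, Bob -> Alice
    mb = mab ^ a      # pass 3, Alice -> Bob, Alice's key removed
    return ma, mab, mb, mb ^ b

def eavesdrop_xor(ma: int, mab: int, mb: int) -> int:
    """Three observed passes give M outright: ma ^ mab = B and mb ^ B = M."""
    return ma ^ mab ^ mb

# Commutative, hard-to-invert version. E(k, x) = x^k mod p; exponents must be
# invertible mod p-1 so that D(k, y) = y^(k^-1 mod p-1) undoes E.
P = 2**127 - 1   # toy prime (constructed); far too small for real use

def make_key(p: int = P):
    """Random encryption exponent and its inverse modulo p-1."""
    while True:
        e = secrets.randbelow(p - 3) + 2
        if math.gcd(e, p - 1) == 1:
            return e, pow(e, -1, p - 1)

def modexp_three_pass(m: int, a: int, a_inv: int, b: int, b_inv: int, p: int = P):
    """Same three passes; commutativity means D(KA, E(KB, E(KA, M))) == E(KB, M)."""
    if not 1 < m < p:
        raise ValueError("message must be in 2..p-1")
    ma = pow(m, a, p)
    mab = pow(ma, b, p)
    mb = pow(mab, a_inv, p)    # equals pow(m, b, p), Alice's key stripped off
    return ma, mab, mb, pow(mb, b_inv, p)

if __name__ == "__main__":
    passes = xor_three_pass(M_POST, A_POST, B_POST)
    print("XOR passes:", [f"{x:08b}" for x in passes[:3]],
          "eavesdropper recovers", f"{eavesdrop_xor(*passes[:3]):08b}")
    a, a_inv = make_key()
    b, b_inv = make_key()
    print("modexp roundtrip ok:", modexp_three_pass(0xAC, a, a_inv, b, b_inv)[3] == 0xAC)
```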




------------------------------

From: Ichinin <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Low exponent DH
Date: Tue, 30 May 2000 14:45:37 +0200

Hi.

One short (?) question:

If I ONLY need to protect a secret for a few hours/weeks
or so, what is the lowest size of a Diffie-Hellman keypair
I can use? *

(* It's a speed thing, I'm quite paranoid so I'm going to
 regenerate keys a little now and then.)

Are there any info/lists/recommendations on this anywhere?

Regards,
Ichinin

(In spite of a certain someone-employed-by-a-big-company's remarks
 I've got it to work with 1024(+) bit keys in VB as well as C++)
___________________________________________

(Spammers have been warned...)

------------------------------

From: "Axel Lindholm" <[EMAIL PROTECTED]>
Subject: Re: list of prime numbers
Date: Wed, 31 May 2000 19:55:06 +0200


"Paul Koning" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> True.  But that would be a severely defective implementation.  No proper
> implementation uses special form primes like that.

Of course it would be a major flaw; only a complete moron would try to base
an RSA system on Mersenne primes! The only thing I wanted to show with this
is that the RSA system to investigate, most likely, has a smaller list of
generatable primes than all primes < 150 digits.

To take a slightly more realistic situation one could guess that the primes
are based on 2p'+1, which is supposed to be more secure than others (I don't
know why). Maybe even p' is generated using that format; then the list
shrinks quite well even if it's still impractical.

Thanks,
Axel Lindholm



------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Is OTP unbreakable?
Date: Wed, 31 May 2000 11:29:43 -0700

[snip part about lack of security against known plaintext attack]
> But I would think that this weakness is true for any authentication
> scheme.
Actually it's not. Take for example doing the following pseudocode:
key=shared secret

for each block of data
    key = DES(key, block of data)
end for

checksum = key

This authenticator is not subject to known-plaintext attacks, it is fairly
efficient, collision resistant, etc. And the operations are all well known;
pretty much any 2 of us could go from that to compatible verification
mechanisms in 20 minutes.
            Joe






------------------------------

From: "Joseph Ashwood" <[EMAIL PROTECTED]>
Subject: Re: Is OTP unbreakable?/Station-Station
Date: Wed, 31 May 2000 11:30:05 -0700

I think now's a good time to put my 2 <insert local small currency here> in.

I quite often find it helpful to attempt to address exactly what your
adversary is capable of. Since we're considering an environment capable of
justifying using an OTP, we must assume that our information is worth a
nearly astronomical amount. Given this we can make assumptions about the
best an attacker will use against us. Basically if it's worth that much
money, people will do anything they need to. Including hiring
hackers/crackers/unethical software engineers to write trojan horses (how
bad would Melissa have been if the designer had thought to deliver a payload
of Back Orifice?) that would allow closer access. They will gladly hire
burglars to break in and steal your OTP, they will insert a small device
along your telephone wire to broadcast your (encrypted) texts to them, then
they will do whatever MITM attacks they wish and send it along your wire.
These are very possible with the technology of years ago, it's certainly
easy enough now. There are a massive number of additional attacks that I'm
sure they'd come up with. It would definitely take more than just a
straightforward OTP to protect against the attacks.
                Joe







------------------------------

From: Bryan Olson <[EMAIL PROTECTED]>
Subject: Re: encryption without zeros
Date: Wed, 31 May 2000 18:30:32 GMT

David Hopwood wrote:

> ... with probability less than 2^-63 for each block.

I believe we can make an even stronger assertion.

Let f be a permutation on 1..n and consider some m
with 1<m<n.  Now we define f' over the domain 1..m as:

    f'(x) = f^k(x) where k is the smallest positive
    integer such that f^k(x) is in 1..m.

We've seen that f' exists and is a permutation on 1..m.

Now I claim that if f is a random permutation on 1..n, (that
is a choice such that each permutation on the domain is
equally likely) then the corresponding f' is a random
permutation on 1..m.

I don't have a neat proof, but to see why it's true,
consider generating a random permutation by a sequence of
(equal probability) random choices without replacement.  If
there are out-of-bounds choices in our pool, we can just
throw them out when they appear and choose again; their
presence doesn't affect the probabilities of the final
choices.

Thus the procedure for avoiding zeros is in some sense
perfect.  If the original permutation is random, or
indistinguishable from random, then so is the generated
permutation.  Under the random cipher model, the probability
of cycling back to the start is 1/255^8.


--Bryan
--
email: bolson at certicom dot com
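The construction above, as an added example (not from the post): build f' from f by walking the cycle until the image falls back into 1..m, then check both claims, that f' is a permutation of 1..m and that a uniformly random f yields a uniformly random f'. The exhaustive count uses tiny constructed n and m so that every permutation can be enumerated.

```python
# Added example (not from the post): cycle-walking restriction of a permutation
# f on 1..n to f' on 1..m, with exhaustive checks of the two claims made above.
from collections import Counter
from itertools import permutations
import random

def cycle_walk(f: dict, m: int) -> dict:
    """f' on 1..m: apply f until the image falls back inside 1..m."""
    fp = {}
    for x in range(1, m + 1):
        y = f[x]
        while y > m:      # x lies on this cycle, so the walk returns to 1..m
            y = f[y]
        fp[x] = y
    return fp

def is_permutation(g: dict, m: int) -> bool:
    """True when g is a bijection of 1..m onto itself."""
    return len(g) == m and sorted(g.values()) == list(range(1, m + 1))

def uniformity_counts(n: int, m: int) -> Counter:
    """Enumerate all n! choices of f and count how often each f' arises.

    If f' is uniform, every permutation of 1..m appears n!/m! times."""
    counts = Counter()
    domain = range(1, n + 1)
    for image in permutations(domain):
        f = dict(zip(domain, image))
        fp = cycle_walk(f, m)
        assert is_permutation(fp, m)
        counts[tuple(fp[x] for x in range(1, m + 1))] += 1
    return counts

def random_restricted_perm(n: int, m: int, seed: int) -> dict:
    """The 'avoid zeros' use: shuffle 1..n, then restrict to 1..m by walking."""
    image = list(range(1, n + 1))
    random.Random(seed).shuffle(image)   # seeded only so the demo is repeatable
    return cycle_walk(dict(zip(range(1, n + 1), image)), m)

if __name__ == "__main__":
    c = uniformity_counts(5, 3)
    print(len(c), "restricted permutations, each seen",
          sorted(set(c.values())), "times out of 120")
    fp = random_restricted_perm(256, 255, seed=1)
    print("restriction of a random perm on 1..256 to 1..255 is a permutation:",
          is_permutation(fp, 255))
```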



------------------------------

From: Anton Stiglic <[EMAIL PROTECTED]>
Subject: Re: Low exponent DH
Date: Wed, 31 May 2000 14:47:04 -0400

Ichinin wrote:
> 
> Hi.
> 
> One short (?) question:
> 
> If I ONLY need to protect a secret for a few hours/weeks
> or so, what is the lowest size of a Diffie-Hellman keypair
> I can use? *
> 
> (* It's a speed thing, I'm quite paranoid so I'm going to
>  regenerate keys a little now and then.)

So you probably want to work in a fixed group (fix a prime p, 
preferably a safe prime: one where q := (p-1)/2 is also prime),
and a fixed generator of the subgroup of order q.

Then, you can choose your DH exponents to be of some size N.
Other than the attacks on the whole group or subgroups (like
computing discrete logs via the number field sieve algorithm), 
there is an attack that can find z
given g^z in 2^(N/2) when one knows that z is in some interval
[a, a+N] (the Pollard lambda algorithm).  So if you choose 
exponents z of size N, one could find z given only g^z in 
2^(N/2) work time (it's like doing a brute force on N/2 bits).
If you think that someone can't brute force 60 bits, then you
are o.k. if you pick 120-bit exponents (make sure to have a 
good p though, like 1024 bits...).
Of course, there are a lot more things to consider when wanting
to implement a secure DH agreement.

For more details on the specific Pollard lambda attack, see 

Pollard, J. M. Monte Carlo methods for index computation (mod p).
Mathematics of Computation 32, 243 (July 1978), 918-924.

Anton
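The setup Anton describes, as an added example (not the poster's code): a fixed safe-prime group p = 2q+1, a generator of the order-q subgroup, N-bit exponents sized from the 2^(N/2) Pollard-lambda cost, and the subgroup-membership check on received public values. The 128-bit prime generated here is a constructed toy size; the post calls for something like 1024 bits.

```python
# Added example (not the poster's code): DH in a fixed safe-prime group with
# short exponents, sized as the post suggests (N = 2 * attacker-budget bits).
import secrets

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)

def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Trial division followed by Miller-Rabin with random bases."""
    if n < 2:
        return False
    for sp in _SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_safe_prime(bits: int):
    """Return (p, q) with p = 2q+1 and both prime; p has exactly `bits` bits."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q

def subgroup_generator(p: int, q: int) -> int:
    """Any square other than 1 has order exactly q when p = 2q+1."""
    while True:
        g = pow(secrets.randbelow(p - 3) + 2, 2, p)
        if g != 1:
            return g

def in_subgroup(v: int, p: int, q: int) -> bool:
    """Public-value check: 1 < v < p-1 and v^q = 1 (rejects small-order values)."""
    return 1 < v < p - 1 and pow(v, q, p) == 1

def exponent_bits(security_bits: int) -> int:
    """Lambda needs ~2^(N/2) steps, so N-bit exponents give N/2 bits of security."""
    return 2 * security_bits

def dh_exchange(p: int, q: int, g: int, n_bits: int):
    """Both parties use fresh N-bit exponents; returns the two shared secrets."""
    if n_bits >= q.bit_length():
        raise ValueError("exponent size must be below the subgroup order")
    x = secrets.randbits(n_bits) | (1 << (n_bits - 1))   # Alice's exponent
    y = secrets.randbits(n_bits) | (1 << (n_bits - 1))   # Bob's exponent
    X, Y = pow(g, x, p), pow(g, y, p)
    if not (in_subgroup(X, p, q) and in_subgroup(Y, p, q)):
        raise ValueError("public value outside the order-q subgroup")
    return pow(Y, x, p), pow(X, y, p)

if __name__ == "__main__":
    p, q = gen_safe_prime(128)          # toy size; the post says ~1024 bits
    g = subgroup_generator(p, q)
    n = exponent_bits(60)               # the post's 120-bit exponents for a 2^60 budget
    s_alice, s_bob = dh_exchange(p, q, g, n)
    print(f"p has {p.bit_length()} bits, exponents {n} bits, agree: {s_alice == s_bob}")
```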

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Is OTP unbreakable?/Station-Station
Date: Wed, 31 May 2000 18:42:32 GMT

[Apologies for formatting.]

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:

> Many such assumptions are widely accepted.  Assert 1+1=2, and
> there will be few naysayers.

There will be few naysayers, in part because most of us have seen a
proof of 1+1=2 based entirely on Peano postulates, or on constructions
of set theory, and most of us are willing to grant the Peano postulates,
or set theory.

(I don't require going the Whitehead approach in Principia Mathematica
to prove 1+1=2; but I don't mind granting some postulates that seem
obvious in order to save 318 pages. :)



------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: Does it even matter?
Date: Wed, 31 May 2000 12:11:54 -0600

In article <[EMAIL PROTECTED]>, tomstd
<[EMAIL PROTECTED]> wrote:

> As some of you may already know, I was offered a job with RSA
> this summer (in San Mateo) working on some software.  Sounds
> great seems like people appreciate my work, obviously since I am
> not even done high school.
> 
> Of course they hype me up about the job, get me all excited.
> 
> And what happens (thru no fault of RSA) big old Mr Government
> steps in and acts like a dolt.  I can't get the job because I
> don't have a "post-secondary education diploma with three years
> work experience".  Super, if I had a job, why would I move 3000
> miles to work in the States?
> 
> Anyways, I am beginning to think my research is pointless since
> well I would rather focus on my school now and prepare for the
> exciting job as a mop-jockey.
> 
> It has been nice chatting with you guys, maybe I will come back
> some time.
> 
> Tom
> 
Wherever you are, you may have the chance to check in.  You appear to
have acquired a severe case of cryptocuriosity; the good news is that it
is one "illness" that does not go away, but will tend to travel with you.
-- 
If a privacy policy is longer than 250 words, it is already 
deceptive; the longer the more deceptive.

------------------------------

From: "Michael Scott" <[EMAIL PROTECTED]>
Subject: Re: XTR (was: any public-key algorithm)
Date: Wed, 31 May 2000 19:56:27 +0100


Eric Verheul <[EMAIL PROTECTED]> wrote:
>Hey, don't forget XTR now! It has all the computational and
>communicational benefits of ECC (and more) but its security is based
>on the DL problem in GF(p^6), i.e. a sixth field extension of a basic
>field of size 160-170 bits.  Which is considered rock solid like that
>of RSA.  Moreover, its parameter and key generation is very fast .....
>See www.ecstr.com for a detailed description.
>

Good to see that extension-field cryptography is back. The basic idea is to
find a construction over GF(p^n), which gives RSA-equivalent security of
n*lg(p) bits. One nice idea is to use a 32-bit prime p, which leads to some
really fast systems, as 32-bit arithmetic can be used.

But does anyone remember LUC and its discrete log variants? It worked over
GF(p^2) and also had a fast algorithm for exponentiation. However it was
rubbished by the cryptographic community (in part due to some exaggerated
claims) and not widely used. The problem is some uncertainty that the
discrete log problem over GF(p^n) is really as hard as over GF(q), for a
prime q approximately n*lg(p) bits in length. In the XTR paper this is
mentioned at the bottom of page 16: ".. the latter problem is believed to be
as hard as the DL ....", and some heavy duty personal communications are
used for back-up (Coppersmith, Schirokauer), but the small doubt still
remains.

However if XTR is a good idea, then so was LUC-DH.

Mike Scott




------------------------------

From: "Eric Verheul" <[EMAIL PROTECTED]>
Subject: Re: any public-key algorithm
Date: Wed, 31 May 2000 20:04:23 +0200


> I just skimmed it. I see one comment that it is faster than DL,
> but the comparison in sect. 4.4 is only to RSA and ECC, not DL.
> Seems odd, since XTR is really a variation on DL.
Then I suggest you start reading the paper.


> I also didn't understand the key size comparisons, where you
> claim XTR is competitive with ECC. You compare XTR over GF(p^6)
> to ECC over GF(p), where p is around 2^170. ISTM an EC public
> key is 170+1=171 bits plus whatever is needed for shared
> parameters. But XTR need at least 1 (and maybe 3) elements
> of GF(p^2), so at least 340 bits are needed, plus shared
> parameters. So I don't see how XTR is competitive unless you
> always send the shared parameters.
Then I suggest you start reading the paper. BTW keys in ECC are 340 bits
too, unless you want to do a square root calculation each time...

Eric





------------------------------

From: [EMAIL PROTECTED] (Jim)
Crossposted-To: 
uk.media.newspapers,uk.legal,alt.security.pgp,alt.privacy,uk.politics.parliament,uk.politics.crime,talk.politics.crypto,alt.ph.uk,alt.conspiracy.spy,alt.politics.uk
Subject: Re: Sunday Times 30/4/2000: "MI5 builds new centre to read e-mails on the net"
Date: Wed, 31 May 2000 17:59:22 GMT
Reply-To: Jim

On Tue, 30 May 2000 12:14:16 +0100, Bob <[EMAIL PROTECTED]> wrote:

>Ian B wrote:
>
>> Why, if you are using secure encryption (whatever that may be), you
>> could send a copy to the spooks and they still would not be able to
>> read it.
>
>Unless they've broken that encryption algorithm :^) I personally
>don't believe all the "they've broken PGP!!" FUD that paranoid
>types spout because PGP is very strong, but it is *just possible*
>bearing in mind how widely it's used, so better to be safe than 
>sorry and put in some extra layers between "them" and you if you're
>doing something REALLY interesting and/or illegal.

They haven't broken it. At least not up until April 1999 they
hadn't.

In any case, if they had there'd be little point bringing in this
silly R.I.P. thing.

-- 
amadeus at netcomuk.co.uk
nordland at lineone.net
g4rga at thersgb.net

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
