Cryptography-Digest Digest #663, Volume #13 Fri, 9 Feb 01 14:13:00 EST
Contents:
Re: Bill Payne and Philippine RSA "break" (Mok-Kong Shen)
Re: Scramdisk, CDR and Win-NT ([EMAIL PROTECTED])
Re: Bill Payne and Philippine RSA "break" (Tom St Denis)
Re: Phillo's alg is faster than index calculus (Tom St Denis)
Re: OverWrite freeware completely removes unwanted files from hard drive (Richard Herring)
Re: Bill Payne and Philippine RSA "break" (Mok-Kong Shen)
Re: Bill Payne and Philippine RSA "break" (Tom St Denis)
Re: crack my enkryption (neXussT)
Re: relative key strength private vs public key (Bob Silverman)
Re: UNIX Crypt for DOS (Bob Silverman)
Shortened signatures (Matt J)
Re: Factoring (and not the Philippino :) (DJohn37050)
Re: relative key strength private vs public key (DJohn37050)
Re: Bill Payne and Philippine RSA "break" (Mok-Kong Shen)
Re: Bill Payne and Philippine RSA "break" (John Myre)
Re: Disk Overwriting (Peter Gutmann)
Re: Phillo's alg is faster than index calculus ("Douglas A. Gwyn")
Re: Mod function ("Douglas A. Gwyn")
Re: CipherText patent still pending (John Myre)
Re: CipherText patent still pending ("Douglas A. Gwyn")
Re: CipherText: JavaScript final implementation ("Douglas A. Gwyn")
Re: NPC ("Douglas A. Gwyn")
Re: ECDSA certs (Mike Rosing)
Re: stateful modran: uniform distribution over [0,n) (Mike Rosing)
Re: Different cipher type ("Douglas A. Gwyn")
Re: Bill Payne and Philippine RSA "break" ("Douglas A. Gwyn")
Re: Factoring (and not the Philippino :) ("Douglas A. Gwyn")
----------------------------------------------------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Bill Payne and Philippine RSA "break"
Date: Fri, 09 Feb 2001 13:28:12 +0100
lcs Mixmaster Remailer wrote:
>
> Ironically, the Philippine RSA "break" is a retread of an old bogus
> algorithm which was torn to shreds in the mists of sci.crypt's past.
[snip]
Analogously, bogus 'elementary proofs' of FLT continue to
crop up in sci.math. Perhaps the 'story' would have been
shorter or not have occurred, had Rivest answered the person
very tersely or not at all.
M. K. Shen
------------------------------
Date: 9 Feb 2001 12:20:01 -0000
Subject: Re: Scramdisk, CDR and Win-NT
Crossposted-To: alt.security.scramdisk
From: [EMAIL PROTECTED]
"Sam Simpson" <[EMAIL PROTECTED]> wrote:
>As long as you accept that you can't 'write on the fly' to the disk, then
>'no', everything should work just fine.
>
>Basically you still need to create the SD container file on a hard drive,
>fill it full of files etc and then write the container to a CD-RW...But at
>this point the container is totally read-only. If you want to change files
>then you need to copy the .SVL back to a hard drive, change the files, then
>write the .SVL file back to a CD.
>
I have created a SD container directly on a CD-RW (utilizing all
available space), and it is NOT read-only. When the container is
mounted, I can add files to it, modify files on it, etc. I don't
know whether I could run a program from it, since I've never tried
that.
I am using Win ME, btw and not NT/2000, if that makes a difference.
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Bill Payne and Philippine RSA "break"
Date: Fri, 09 Feb 2001 12:30:08 GMT
In article <[EMAIL PROTECTED]>,
lcs Mixmaster Remailer <[EMAIL PROTECTED]> wrote:
> Ironically, the Philippine RSA "break" is a retread of an old bogus
> algorithm which was torn to shreds in the mists of sci.crypt's past.
>
> Bill Payne, now bothering cypherpunks regularly with his nutty self-filed
> legal case, first gained notoriety with his own algorithm to break RSA,
> available from:
>
> http://www.l0pht.com/pub/blackcrwl/encrypt/RSAISBRO.TXT
>
> It's the same basic algorithm: shift and xor N until you get a value of
> all 1's. And it doesn't work any better today than it did back then.
> As David Wagner wrote back in 1999 on sci.crypt,
>
> > Bill Payne's method was 100% bogus. (So bogus that I'm a bit embarrassed
> > to even admit to having read it.) It had exponential time complexity,
> > and would probably perform even worse than trial division. In no way
> > does his "attack" justify the statement `RSA is broken'.
>
> Plus ca change...
>
So not only is it bogus, but it's not even new bogus? That's low.
Tom
Sent via Deja.com
http://www.deja.com/
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Phillo's alg is faster than index calculus
Date: Fri, 09 Feb 2001 12:31:02 GMT
In article <95sihh$a9h$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] wrote:
> If we have 2^k memory, we can do 2^k precomputations. Then we have 2^k
> special cases. That surely will speed up our computation. That's how the
> other cryptanalysis schemes work.
>
> Everyone is arguing that this method is not practical for large n. Yeah
> I know that. But index calculus is not practical either. So do you think
> this scheme can or cannot be faster than index calculus? (In case anyone
> is wondering, the implication of this question is that if it can, we
> need to increase our key size by another notch.)
>
> Nobody's up to the challenge so far. How disappointing.
I posted a challenge for you that you have yet to take up.
Tom
Sent via Deja.com
http://www.deja.com/
------------------------------
From: [EMAIL PROTECTED] (Richard Herring)
Crossposted-To: talk.politics.crypto,alt.hacker,alt.conspiracy
Subject: Re: OverWrite freeware completely removes unwanted files from hard drive
Date: 9 Feb 2001 13:29:58 GMT
Reply-To: [EMAIL PROTECTED]
In article <[EMAIL PROTECTED]>, Anthony Stephen Szopa
([EMAIL PROTECTED]) wrote:
> Richard Heathfield wrote:
> >
> > Anthony Stephen Szopa wrote:
> > >
> > > OverWrite freeware completely removes unwanted files from hard drive
> >
> > I tried it and it didn't work. I got this error:
> >
> > ./OvrWrite.exe: Permission denied
> >
> > > and deleted data on magnetic media recoverable. Simply overwriting
> > > a file a few times is just not good enough.
> >
> Sounds like you need permission to use your own computer as you
> see fit. Someone you might know is not allowing you to run the
> program.
<fx>whhhhhhhhhhhhhhhhooooooooooooooooooooooosssssssssssssshhhhhhhhhhh!</fx>
> There is no such error message generated as a result of
> the OverWrite program.
Yes there is.
But here's a hint: it's not generated by MS Windows or MS DOS.
--
Richard Herring | <[EMAIL PROTECTED]>
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Bill Payne and Philippine RSA "break"
Date: Fri, 09 Feb 2001 14:56:07 +0100
Tom St Denis wrote:
>
[snip]
> So not only is it bogus, but it's not even new bogus? That's low.
I wouldn't go so far as to speculate that he knew and reproduced
the work of his 'predecessor'. In fact, I consider that to be
unlikely.
M. K. Shen
------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Bill Payne and Philippine RSA "break"
Date: Fri, 09 Feb 2001 14:25:25 GMT
In article <[EMAIL PROTECTED]>,
Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>
>
> Tom St Denis wrote:
> >
> [snip]
> > So not only is it bogus, but it's not even new bogus? That's low.
>
> I wouldn't go so far as to speculate that he knew and reproduced
> the work of his 'predecessor'. In fact, I consider that to be
> unlikely.
What are the chances that two people both invent the same scheme, both
believe they work without working out the numbers...?
Tom
Sent via Deja.com
http://www.deja.com/
------------------------------
From: [EMAIL PROTECTED] (neXussT)
Subject: Re: crack my enkryption
Date: Fri, 09 Feb 2001 14:50:55 GMT
thx goes out to David, who took my challenge and defeated my
enkryption, and gave me tips on improving it. Now i can move on and
build better algorithms
neXussT
------------------------------
From: Bob Silverman <[EMAIL PROTECTED]>
Subject: Re: relative key strength private vs public key
Date: Fri, 09 Feb 2001 14:47:28 GMT
In article <[EMAIL PROTECTED]>,
Steve Portly <[EMAIL PROTECTED]> wrote:
>
<snip>
> > > large prime number composites
> >
> > Huh? What is a "prime number composite"?? Please explain.
>
> A composite of two numbers each of which is prime.
May I suggest that if you want to discuss this subject that it is better
not to invent new terminology, "on the fly"? Why is it necessarily the
case that your "prime number composite" only has 2 factors, for
example?
It is better to simply say "product of two primes".
> > > you may have noticed that the spacing between prime
> >> numbers grows quite large. Prime numbers only occur about one in a
> > hundred thousand
> > > numbers at current key sizes.
> >
> > Where did you get this piece of misinformation? The average
> > gap between primes for primes near a large integer n is about log n.
> > For 512 bit primes, this yields an average gap of 512 log 2 ~ 360
>
> True for spacing between primes to be greater than 100,000 you would
> need to be near a very large prime and these are not being used to create
> keys as far as I know.
This last sentence is not good English. I do not understand what you
are trying to say. Could you rephrase?
RSA keys are constructed (for 1024-bit keys) by finding two 512-bit
primes at random. This is easy and there are plenty of them.
Primes near "100,000" (as you put it) are not used in cryptography,
except perhaps peripherally, since systems built from them have
insufficient security. Or perhaps you meant something else???
> > > I am wondering if there might be some point in the
> > > future (30 years down the road) in which prime numbers are not as an
> > > attractive alternative for public key systems? Any math theory to prove
> > > disprove this?
> >
> > 1) Alternative to what?
>
> Methods that do not require a continual expansion in the size of
> primes.
Your reply assumes facts not in evidence. What continual expansion
do you refer to?
>
> >
> > 2) How do you propose to do away with needing them?
>
> Sometime in the future perhaps they will remove the prime requirement
> from ECC.
Which prime requirement is that? The requirement that the public
base point have prime, or near prime order? This can never be
eliminated, otherwise one would have a "small subgroup" attack.
> > 4) You have failed to suggest a reason *why* you think they might
> > become unattractive.
>
> If finding primes magically becomes much easier for organized crime
> sometime in the future, then creating secure primes may be impossible
> for consumer owned machines.
I'm not sure I understand this reasoning. Finding primes is ALREADY
easy, for you, for me, for organized crime, or for anyone else.
And what do you consider "secure primes"? You seem to be inventing
terminology again. What does "secure" mean in this context?
Why do you believe that easily finding primes
would make it hard for consumer owned machines?? What has one got to
do with the other?
--
Bob Silverman
"You can lead a horse's ass to knowledge, but you can't make him think"
Sent via Deja.com
http://www.deja.com/
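To put numbers on the prime-gap figures in Silverman's reply, here is an added example (mine, not from the digest or from any poster): a Miller-Rabin primality test, random 512-bit prime generation of the kind used to build a 1024-bit RSA modulus, and a measurement of the average distance between consecutive primes near 2^511, compared with the prime number theorem estimate ln n = 512 ln 2 (about 355, which the post rounds to ~360). The function names, the seed and the trial-division bound are my choices.

```python
import math
import random

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]


def is_probable_prime(n, rounds=32, rng=None):
    """Miller-Rabin after trial division by a few small primes.

    A composite survives one random base with probability at most 1/4,
    so 32 bases leave an error far below any other failure mode here."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    rng = rng or random.SystemRandom()
    d, r = n - 1, 0
    while d % 2 == 0:          # write n-1 = 2^r * d with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False       # a is a witness: n is composite
    return True


def random_prime(bits, rng=None):
    """A random prime of exactly `bits` bits: top bit forced to 1, odd."""
    rng = rng or random.SystemRandom()
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng=rng):
            return cand


def rsa_modulus(bits, rng=None):
    """Two random (bits/2)-bit primes and their product, as for an RSA key."""
    rng = rng or random.SystemRandom()
    p = random_prime(bits // 2, rng)
    q = random_prime(bits // 2, rng)
    while q == p:              # vanishingly unlikely, but cheap to guard
        q = random_prime(bits // 2, rng)
    return p * q, p, q


def next_prime(n, rng=None):
    """Smallest probable prime >= n."""
    if n <= 2:
        return 2
    cand = n | 1               # first odd number >= n
    while not is_probable_prime(cand, rng=rng):
        cand += 2
    return cand


def measured_average_gap(start, count, rng=None):
    """Mean distance between `count` consecutive primes at or above `start`."""
    p = next_prime(start, rng)
    total = 0
    for _ in range(count):
        q = next_prime(p + 1, rng)
        total += q - p
        p = q
    return total / count


def expected_average_gap(bits):
    """Prime number theorem: gaps near n average ln(n); for n ~ 2**bits
    that is bits * ln 2, i.e. roughly 1 in 355 integers near 2^512 is prime."""
    return bits * math.log(2)


if __name__ == "__main__":
    rng = random.Random(2001)   # fixed seed so the demo run is reproducible
    bits = 512
    print("expected average gap near 2^512:", round(expected_average_gap(bits), 1))
    print("measured over 20 gaps           :",
          measured_average_gap(1 << (bits - 1), 20, rng))
    n, p, q = rsa_modulus(1024, rng)
    print("N has", n.bit_length(), "bits; p and q have",
          p.bit_length(), "and", q.bit_length())
```

The measured figure swings widely with only 20 gaps, since individual gaps vary on the order of ln n themselves; raise `count` to see it settle toward the estimate. The point for key generation is the one Silverman makes: a random odd 512-bit candidate is prime about once in 177 tries, so finding two is cheap.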
------------------------------
From: Bob Silverman <[EMAIL PROTECTED]>
Subject: Re: UNIX Crypt for DOS
Date: Fri, 09 Feb 2001 15:48:31 GMT
In article <nwLg6.402$[EMAIL PROTECTED]>,
"Matthew J. Ricciardi" <[EMAIL PROTECTED]> wrote:
> Sorry for the confusion. I am inquiring about the crypt(1) encryption
> function.
It is provided by the MKS toolkit, which runs under both NT and
WINDOZE.
--
Bob Silverman
"You can lead a horse's ass to knowledge, but you can't make him think"
Sent via Deja.com
http://www.deja.com/
------------------------------
From: Matt J <[EMAIL PROTECTED]>
Subject: Shortened signatures
Reply-To: [EMAIL PROTECTED]
Date: Sat, 10 Feb 2001 00:08:58 +0800
Is it possible to set up a verification scheme with shortened signatures?
I'm thinking along the lines of a 40 bit random data, and then a 40 bit
signature. The shortness is so that it is in a more "human-friendly" form.
The signature would be brute forceable, however breaking isn't considered a
problem (not worth the effort). However can I create a short signature with
a long private key (which isn't brute forceable)?
I can't think of any solutions which would work, but I guess it probably
can be done?
Cheers,
Matt Johnston.
------------------------------
From: [EMAIL PROTECTED] (DJohn37050)
Date: 09 Feb 2001 16:50:46 GMT
Subject: Re: Factoring (and not the Philippino :)
I had some similar ideas but you have taken them farther than I have. For RSA
if e = 3 then p (and q) = 2 mod 3 which gives more info about the values and
may help in disambiguation, that is, it is another formula to potentially use.
Don Johnson
------------------------------
From: [EMAIL PROTECTED] (DJohn37050)
Date: 09 Feb 2001 16:56:45 GMT
Subject: Re: relative key strength private vs public key
For what it is worth, I am also failing to understand. Primes are GOOD, large
primes are essential to RSA, DSA, ECC.
Don Johnson
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Bill Payne and Philippine RSA "break"
Date: Fri, 09 Feb 2001 18:19:19 +0100
Tom St Denis wrote:
>
> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
> >
> >
> > Tom St Denis wrote:
> > >
> > [snip]
> > > So not only is it bogus, but it's not even new bogus? That's low.
> >
> > I wouldn't go so far as to speculate that he knew and reproduced
> > the work of his 'predecessor'. In fact, I consider that to be
> > unlikely.
>
> What are the chances that two people both invent the same scheme, both
> believe they work without working out the numbers...?
That chance is in my humble view ample. Turn the clock back
a number of centuries and ask what would be the chance of
two people coming at the same time to the idea that the sun
revolved about the earth. There have been genuine scientific
inventions and results of research that are virtually the
same and that were made public at approximately the same
time, without the people involved knowing the work of
one another. The announcement of the same invention may
even be separated by years, yet really independently worked
out. This happened in particular not infrequently in those
earlier periods where, due to language barriers, papers in
one country were practically unknown to another country.
For example, the Russian literature. Only in more recent
times has the situation been ameliorated through reviews,
e.g. Mathematical Reviews. Still, these can by nature not
cover everything that is worthwhile to be taken up.
It is anyway inutile to speculate on personal motivations
in cases as the present. And, like what is the principle
in justice, one should never incriminate others with pure
'theory' and without any concrete evidences. What is
sensible for the utilization of our time is to examine
objectively whether the material in question is of
sufficient scientific value/interest, which, as it turned
out, has to be answered clearly negatively.
M. K. Shen
------------------------------
From: John Myre <[EMAIL PROTECTED]>
Subject: Re: Bill Payne and Philippine RSA "break"
Date: Fri, 09 Feb 2001 10:25:03 -0700
Tom St Denis wrote:
<snip>
> What are the chances that two people both invent the same scheme, both
> believe they work without working out the numbers...?
<snip>
High.
Ask your teachers if their students keep making the
same dumb mistakes, year after year.
JM
------------------------------
From: [EMAIL PROTECTED] (Peter Gutmann)
Subject: Re: Disk Overwriting
Date: Fri, 09 Feb 2001 17:44:16 -0000
Kat Hopwood <[EMAIL PROTECTED]> writes:
>Ideally, disk controllers would have a feature that guarantees to
>commit all writes to the disk surface (with a notification when that
>has been completed), and operating systems would make this available
>to applications. I'm not holding my breath, though.
The SCSI command set supports this via the Force Unit Access flag which...
well, the name sort of says it all. Unfortunately Iomega's Zip drives have a
bug in the firmware which causes them to silently discard all writes when this
bit is asserted (!!), so it's not something you can use without a great deal of
care. If you know you're not going to encounter Iomega hardware it's not hard
to write a simple program which sends the appropriate ASPI commands to the SCSI
device to write/overwrite data on the media.
Peter.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Phillo's alg is faster than index calculus
Date: Fri, 9 Feb 2001 16:54:16 GMT
Mok-Kong Shen wrote:
> Anyway, what is the exact definition of a positive assertion?
Usually it is taken to mean the assertion that something exists.
If one makes such an assertion without providing evidence to
back it up, a rational person feels free to ignore the assertion
rather than waste time trying to refute it.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Mod function
Date: Fri, 9 Feb 2001 16:58:17 GMT
Jerry Coffin wrote:
> Like most people who mention this patent, you're _grossly_ mis-
> characterizing it
Are we talking about the same patent? The one I had in mind
was the one involved in a case against Apple.
------------------------------
From: John Myre <[EMAIL PROTECTED]>
Subject: Re: CipherText patent still pending
Date: Fri, 09 Feb 2001 10:45:00 -0700
Mok-Kong Shen wrote:
<snip>
> So any pupil of crypto never gets to do an exercise of a
> design and hence will also have zero chance of making
> a good (or even half-good) one in his life and, as a
> consequence, all good ciphers that exist today ultimately
> die out (being no longer secure enough for the future
> computing power and techniques) after the current
> generation of crypto experts die out.
<snip>
You have consistently misinterpreted Bryan's posts, and
the response above is bizarre. The point has always
been that *analysis* is the truly valuable skill. It is,
in fact, the very skill we need in order to design good
ciphers.
Bad cipher designs are easy, we have a lot of them, they
are basically a waste of everyone's time. So how do we
learn the difference between useful and useless ciphers?
Through analysis. Therefore Bryan advocates an increase
in efforts to understand analysis.
It is ridiculous exaggeration to extrapolate that opinion
and predict that no new good ciphers would ever exist.
Design without analysis does nothing useful. A design by
a novice that is analyzed by an expert is nearly as bad.
A novice that attempts analysis begins the process of
converting that novice into an expert - the very thing we
want.
JM
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: CipherText patent still pending
Date: Fri, 9 Feb 2001 17:13:38 GMT
Terry Ritter wrote:
> In some ways, the pharmaceutical analogy to cryptography is good. But
> our situation is that *we* *really* *don't* *know* the dangers of
> *any* of the ciphers we use, yet we use them anyway.
However, we have the analogue of clinical trials and feedback from
actual use by physicians. To continue the analogy, we don't throw
drugs out to the physicians expecting them to perform the clinical
trial phase for us. Prefiltering the possibilities is an
essential function that the pharmaceutical companies perform.
> Over 50 years of mathematical cryptography and 20+ years of intensive
> DES analysis have yet to produce *EVEN* *ONE* practical cipher in
> which there is a mathematical basis for knowing and trusting strength.
> That includes the OTP.
That only includes OTP because it might not be "practical" due
to its key distribution requirements. The OTP *algorithm* is
provably secure if its key is uniform-random.
In fact it is not hard to create secure crypto algorithms with
provable level of security (in terms I've described long ago).
What is hard is coming up with *practical* systems using such
algorithms. There is the fundamental problem that a short key
used for encryption of a long plaintext from a source with high
redundancy *must* be "insecure" according to information theory.
What one would like is to thwart all practical methods of attack
against the system; what one typically sees instead is a design
that thwarts just certain specific methods of attack *known* to
the designer.
> Is it really rational to wait and hope that the math guys will
> eventually find techniques to handle the ciphers we already have? Or
> is it more rational to continue to design new ciphers, thus opening
> the possibility that easier math can do what no math has so far done?
I don't see how continual design of new ciphers contributes
much to progress in the general theory of cryptanalysis, which
is after all what is essential for designing good cryptosystems.
It is *possible* that a radically new design will inspire some
breakthrough in cryptanalytic theory, but one can't count on it.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: CipherText: JavaScript final implementation
Date: Fri, 9 Feb 2001 17:17:34 GMT
"Prichard, Chuck" wrote:
> Attachment is finally a proper implementation ...
It is against net etiquette to post an active script in
a net newsgroup. The proper approach is to put it on a
Web site and tell the newsgroup (once only) where to look
if we're interested; or else ask people to e-mail you for
further information.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: NPC
Date: Fri, 9 Feb 2001 17:24:45 GMT
Peter Shugalev wrote:
> So, what was wrong with knapsack-based PKE systems?
Basically, a practical attack was found.
The design error seems to have been making an unwarranted
assumption; the idea as expressed was that the legitimate
recipient would have to solve an easy (superincreasing)
knapsack problem, while the eavesdropper would have to
solve a hard knapsack problem. However, appearances were
deceiving, as it turned out that the eavesdropper's work
was *not* equivalent to solving a general knapsack.
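The design Gwyn describes, as an added example (mine, not from the thread or from the original Merkle-Hellman paper): a toy knapsack keypair in Python with the superincreasing private sequence that the recipient solves greedily, and the modular disguise that was supposed to leave the eavesdropper facing a general subset-sum problem. Shamir's lattice-based break is not reproduced here; the parameters are deliberately tiny, and the `rng` handling and function names are my own.

```python
import math
import random


def superincreasing_sequence(n, rng):
    """Each term exceeds the sum of all earlier terms: the 'easy' knapsack."""
    seq, total = [], 0
    for _ in range(n):
        w = total + rng.randrange(1, 100)
        seq.append(w)
        total += w
    return seq


def is_superincreasing(seq):
    total = 0
    for w in seq:
        if w <= total:
            return False
        total += w
    return True


def keygen(n, rng=None):
    """Private key: superincreasing w, modulus m > sum(w), multiplier r coprime to m.
    Public key: the disguised weights r*w_i mod m, which are no longer
    superincreasing in general. Assumes n >= 2."""
    rng = rng or random.SystemRandom()
    w = superincreasing_sequence(n, rng)
    m = sum(w) + rng.randrange(1, 100)
    while True:
        r = rng.randrange(2, m)
        if math.gcd(r, m) == 1:
            break
    public = [(r * wi) % m for wi in w]
    return public, (w, m, r)


def encrypt(public, bits):
    """The ciphertext is the subset sum of public weights selected by the bits."""
    if len(bits) != len(public):
        raise ValueError("message length must equal the knapsack size")
    return sum(b for b, x in zip(public, bits) if x)


def solve_superincreasing(w, target):
    """Greedy solution, largest weight first: the easy problem the recipient faces."""
    bits = [0] * len(w)
    for i in range(len(w) - 1, -1, -1):
        if w[i] <= target:
            bits[i] = 1
            target -= w[i]
    if target != 0:
        raise ValueError("no subset sums to target")
    return bits


def decrypt(private, c):
    """Undo the disguise with r^-1 mod m. The sum of private weights is below m,
    so the reduction is exact and the greedy solver recovers the bits."""
    w, m, r = private
    return solve_superincreasing(w, (c * pow(r, -1, m)) % m)


if __name__ == "__main__":
    pub, priv = keygen(8, random.Random(7))   # fixed seed for a reproducible demo
    msg = [1, 0, 1, 1, 0, 0, 1, 0]
    c = encrypt(pub, msg)
    print("private weights:", priv[0])
    print("public weights :", pub)
    print("ciphertext     :", c, "-> decrypts to", decrypt(priv, c))
```

The unwarranted assumption Gwyn names is visible in `keygen`: the public weights are a fixed modular image of a superincreasing sequence, and that structure, not the general knapsack problem, is what an eavesdropper actually faces.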
------------------------------
From: Mike Rosing <[EMAIL PROTECTED]>
Subject: Re: ECDSA certs
Date: Fri, 09 Feb 2001 12:18:40 -0600
Peter Gutmann wrote:
>
> Nigel Smart <[EMAIL PROTECTED]> writes:
>
> >Assuming the certs/plugin can be cheaply and easily installed
> >I will start signing my emails using ECDSA from tomorrow.
>
> Uhh... what's the point of signing messages with an algorithm no one uses?
>
> Peter.
to get more people to use it.
Patience, persistence, truth,
Dr. mike
------------------------------
From: Mike Rosing <[EMAIL PROTECTED]>
Subject: Re: stateful modran: uniform distribution over [0,n)
Date: Fri, 09 Feb 2001 12:33:42 -0600
Mok-Kong Shen wrote:
>
> Wei Dai wrote:
> I have some problems of understanding:
>
> (1) Your algorithm seems never to terminate.
Look again. It gets to the inner loop eventually.
Patience, persistence, truth,
Dr. mike
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Different cipher type
Date: Fri, 9 Feb 2001 17:36:45 GMT
Michael Brown wrote:
> "Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote ...
> > Before spending much more time in this direction, read what Knuth
> > had to say about his youthful attempt at a "super-random" generator
> > (the Art of Computer Programming, Vol. 2: Seminumerical Algorithms).
> Unfortunately, I can't get hold of this book (don't have it, and neither do local
> bookstores). Could you tell me what he had to say?
It ought to be in any reasonable computer science library.
Basically, he described an algorithm that tried to combine
"at random" several methods of pseudorandom generation,
with the idea that the result would be more random than the
individual methods. When he actually implemented it, right
away he found that it tended to get stuck in very short
cycles. The moral was, methods of generating random numbers
should not be designed at random. Half of the book is
concerned with a careful investigation of pseudorandom number
generation.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Bill Payne and Philippine RSA "break"
Date: Fri, 9 Feb 2001 17:42:17 GMT
Tom St Denis wrote:
> What are the chances that two people both invent the same scheme, both
> believe they work without working out the numbers...?
Actually it is quite likely, for this method.
There are in fact some very important cryptanalytic algorithms
that work at the bit-representation level, one I know of being
just the sort of thing I might have come up with under similar
circumstances.
------------------------------
From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Factoring (and not the Philippino :)
Date: Fri, 9 Feb 2001 18:04:27 GMT
DJohn37050 wrote:
> if e = 3 then p (and q) = 2 mod 3 which gives more info about the values
I have some general thoughts about potential RSA cracking:
(1) N is computed from p and q, e and d are computed via z. It is
often said that cracking an RSA encryption is equivalent to factoring
N, but in practice one is faced with a known (N,e) and all that is
needed for a crack is *some* d' (not necessarily the d maintained
as a secret by the sender) that has the relevant inverse property,
not p and q. Is it a theorem that knowing (N,e,d) allows a fast
recovery of p and q? If not, then the notion that cracking RSA is as
hard as factoring needs to be rethought.
(2) Cracking RSA is not the same as merely being given N and
being asked to factor it. What we are actually given is (N,e)
*and* an algorithm for using them for arbitrary (controlled-PT)
encryptions. That means that we can "tickle" the system by
encrypting some suitable basis set, maybe the individual bits
1, 2, 4, 8, 16, etc., or a batch of small primes 2, 3, 5, 7, etc.,
or a randomly chosen set as in an index-calculus attack, or
whatever else might fit a particular attack.
(3) Why isn't the GCD applied to (N,e) and resultants of any use
in finding a d'? (I don't claim to be a number theorist; maybe
the answer is obvious to someone who is.)
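On Gwyn's question (1): it is a standard result that knowing N, e and any d' with e·d' ≡ 1 (mod λ(N)) lets one factor N quickly, so "some d'" is no weaker than p and q. The added example below (mine, not from the thread) demonstrates it in Python, and also checks DJohn37050's observation that e = 3 forces p ≡ 2 (mod 3). The two known primes used as constructed key material, the Mersenne prime 2^127-1 and the NIST P-192 field prime 2^192-2^64-1, are my choice, as are the function names; a real key would use random primes of equal size. The defender's takeaway is that a leaked private exponent compromises the modulus itself, and a modulus can never be shared between key holders.

```python
import math
import random

# Constructed key material: two known primes, deliberately unequal in size.
P = (1 << 127) - 1                  # Mersenne prime M127
Q = (1 << 192) - (1 << 64) - 1      # NIST P-192 field prime
E = 65537


def rsa_keypair(p, q, e):
    """Return (N, e, d) with d = e^-1 mod phi(N); needs gcd(e, phi(N)) == 1."""
    n, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e shares a factor with (p-1)(q-1)")
    return n, e, pow(e, -1, phi)


def alternative_private_exponent(p, q, e):
    """Another exponent with the inverse property: e^-1 mod lambda(N),
    where lambda(N) = lcm(p-1, q-1). Gwyn's d' need not equal d."""
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    return pow(e, -1, lam)


def compatible_with_e3(p):
    """For e = 3 the key needs gcd(3, p-1) == 1, i.e. p != 1 (mod 3); a large
    prime is not divisible by 3 either, so p == 2 (mod 3) is forced."""
    ok = math.gcd(3, p - 1) == 1
    assert ok == (p % 3 == 2)
    return ok


def factor_from_exponents(n, e, d, tries=100, rng=None):
    """Recover (p, q) from N and any (e, d') with e*d' == 1 mod lambda(N).

    e*d' - 1 is a multiple of lambda(N), so g^(e*d'-1) == 1 for every g
    coprime to N. Write e*d' - 1 = 2^t * k with k odd and square g^k
    repeatedly; the last value before the sequence hits 1 is a square root
    of 1 mod N, and when it is not +-1, gcd(x-1, N) is a proper factor.
    Each random g succeeds with probability at least 1/2."""
    rng = rng or random.SystemRandom()
    k = e * d - 1
    t = 0
    while k % 2 == 0:
        k //= 2
        t += 1
    for _ in range(tries):
        g = rng.randrange(2, n - 1)
        x = pow(g, k, n)
        if x in (1, n - 1):
            continue                      # this g only yields trivial roots
        for _ in range(t):
            y = pow(x, 2, n)
            if y == 1:
                p = math.gcd(x - 1, n)    # x != +-1 here, so 1 < p < n
                return min(p, n // p), max(p, n // p)
            if y == n - 1:
                break                     # next square is 1 trivially
            x = y
    return None


if __name__ == "__main__":
    n, e, d = rsa_keypair(P, Q, E)
    print("factored from (N, e, d) :", factor_from_exponents(n, e, d) == (P, Q))
    d_alt = alternative_private_exponent(P, Q, E)
    print("factored from (N, e, d'):", factor_from_exponents(n, e, d_alt) == (P, Q))
    print("e = 3 compatible? P:", compatible_with_e3(P), " Q:", compatible_with_e3(Q))
```

Note that `factor_from_exponents` never uses which of the valid exponents it was given, only that e·d' - 1 is a multiple of λ(N); that is the whole content of the equivalence Gwyn asks about. P here is 1 (mod 3), so `rsa_keypair(P, Q, 3)` refuses it, matching the e = 3 constraint from the post.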
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list by posting to sci.crypt.
End of Cryptography-Digest Digest
******************************