Cryptography-Digest Digest #44, Volume #14       Fri, 30 Mar 01 12:13:01 EST

Contents:
  Re: diffie hellman ("Tom St Denis")
  Re: Support for 1536 bit RSA keys? ("Tom St Denis")
  Re: diffie hellman ("Henrick Hellström")
  Re: Support for 1536 bit RSA keys? ("Tom St Denis")
  Re: diffie hellman ("Tom St Denis")
  Re: Malicious Javascript in Brent Kohler post (was: Re: Who is Brent K  (Mok-Kong Shen)
  Re: Malicious Javascript in Brent Kohler post (was: Re: Who is Brent K Kohler?) ("-[tCs]-")
  Re: diffie hellman ("Henrick Hellström")
  Re: Pseudo-random permutation generators (Mok-Kong Shen)
  Re: AES - test vectors? (Simon Josefsson)
  Re: Idea - (LONG) ("John A. Malley")
  Re: Pseudo-random permutation generators ("Toby Sharp")
  Re: diffie hellman ("Tom St Denis")
  Re: Support for 1536 bit RSA keys? ("Sam Simpson")
  Re: Support for 1536 bit RSA keys? ("Sam Simpson")
  Re: diffie hellman ("Henrick Hellström")
  Re: Support for 1536 bit RSA keys? ("Simon Hunt")
  Re: Support for 1536 bit RSA keys? ("Sam Simpson")

----------------------------------------------------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: diffie hellman
Date: Fri, 30 Mar 2001 15:51:29 GMT


"Henrick Hellström" <[EMAIL PROTECTED]> wrote in message
news:9a27e7$60e$[EMAIL PROTECTED]...
> Use the formula a = 2**x mod p. x is the ephemeral private key. a is the
> ephemeral public key. You should use a secure (P)RNG to generate x.
>
> The other party generates y, calculates b = 2**y mod p and transmits b to
> you. You calculate K = b**x mod p. The other party calculates K = a**x mod
> p. K (or the hash value of K) is the shared session key.
>
> By using 2, you may substitute all multi precision multiplications for shift
> left operations. There is little to gain by using 3 as the generator.

You can only use 2 if the subgroup generated is large enough.  It may be
insecure.

> No, you don't really reduce security by using 2 as the generator. Suppose
> you use some other generator g instead. Then there is a number c such that
> g = 2**c mod p. Let c' be the number such that c'c = 1 (mod (p-1)). That
> would give you a = g**(c'x) mod p, b = g**(c'y) mod p, K = g**(c'xy) mod p, and
> your ephemeral private keys would in this case be x' = c'x mod (p-1), y' =
> c'y mod (p-1). If the attacker would be able to calculate x and y if 2 was
> used, then the attacker would most certainly be equally able to calculate
> c and hence x' and y' if g was used.

This a) doesn't make sense and b) is wholly incorrect.  If you have a 1024
bit p and the sub-group generated by 2 is only 64-bits wide then I could
find your private exponent (or a multiple thereof) easily.

Tom



------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Support for 1536 bit RSA keys?
Date: Fri, 30 Mar 2001 15:52:44 GMT


"Simon Hunt" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Sorry Tom, I agree with Sam - if you look at NT/2000 there is a task "System
> Idle Process" - it's called that because when a PC is not doing anything
> productive, the internationally recognised term is it's "Idling" - hence
> Idle Time. You don't stop the clock cycles on a PC when it's not being used,
> it still runs at the same rate internally so there has to be something to
> chew up all those extra cycles - the Idle task.
>
> I think the original quote was completely technically correct- you don't
> know what the average utilization of all the distributed computers was - it
> could have been a load of corporate mainframes with only 0.001 idle process
> time - you are making an opinion based on your (under utilized) pc. Mine for
> instance runs at 99% all the time due to the processes I run....
>
> give in on this one - the world is not with you :-)

Nope.  I won't.

Given the 1000's of computers in distributed.net do you honestly believe
they are all SGI's making the next Pixar film?

Tom



------------------------------

From: "Henrick Hellström" <[EMAIL PROTECTED]>
Subject: Re: diffie hellman
Date: Fri, 30 Mar 2001 17:55:06 +0200

"Tom St Denis" <[EMAIL PROTECTED]> skrev i meddelandet
news:5Y1x6.164265$[EMAIL PROTECTED]...
>
> "Henrick Hellström" <[EMAIL PROTECTED]> wrote in message
> news:9a27e7$60e$[EMAIL PROTECTED]...
> > Use the formula a = 2**x mod p. x is the ephemeral private key. a is the
> > ephemeral public key. You should use a secure (P)RNG to generate x.
> >
> > The other party generates y, calculates b = 2**y mod p and transmits b to
> > you. You calculate K = b**x mod p. The other party calculates K = a**x mod
> > p. K (or the hash value of K) is the shared session key.
> >
> > By using 2, you may substitute all multi precision multiplications for shift
> > left operations. There is little to gain by using 3 as the generator.
>
> You can only use 2 if the subgroup generated is large enough.  It may be
> insecure.
>
> > No, you don't really reduce security by using 2 as the generator. Suppose
> > you use some other generator g instead. Then there is a number c such that
> > g = 2**c mod p. Let c' be the number such that c'c = 1 (mod (p-1)). That
> > would give you a = g**(c'x) mod p, b = g**(c'y) mod p, K = g**(c'xy) mod p, and
> > your ephemeral private keys would in this case be x' = c'x mod (p-1), y' =
> > c'y mod (p-1). If the attacker would be able to calculate x and y if 2 was
> > used, then the attacker would most certainly be equally able to calculate
> > c and hence x' and y' if g was used.
>
> This a) doesn't make sense and b) is wholly incorrect.  If you have a 1024
> bit p and the sub-group generated by 2 is only 64-bits wide then I could
> find your private exponent (or a multiple thereof) easily.


But the subgroup is 1023 bits wide. The OP mentioned that a Germain prime
was to be used.

--
Henrick Hellström  [EMAIL PROTECTED]
StreamSec HB  http://www.streamsec.com



------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: Support for 1536 bit RSA keys?
Date: Fri, 30 Mar 2001 15:59:22 GMT


"SCOTT19U.ZIP_GUY" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> [EMAIL PROTECTED] (Tom St Denis) wrote in
> <hb1x6.164137$[EMAIL PROTECTED]>:
>
>
> >
> >Ok smart arse try to factor this
> >
> >N =
> >8839143726083845882125258976826768843086739488346772188855474234625194373213010590694703736431968224366295334313451194532698261755955636646178524034627609
> >
> >If you can factor this 512-bit number within 5 years I will give you
> >100$. If you cannot I will assume you don't know what you are talking
> >about.
> >
>
>   I have been confronted by assholes at work that made fast and loose
> statements about paying 100 bucks. Twice I did what they said. they
> didn't pay up.  If some one comes up with a slick way of factoring
> and I use it you would say unfair. In short I know your offer is a lie.

I make a lot more than 100$ a month...  I could afford to pay up
>
>
> David A. Scott
> --
> SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE "OLD VERSIOM"
> http://www.jim.com/jamesd/Kong/scott19u.zip
> Scott famous encryption website **now all allowed**
> http://members.nbci.com/ecil/index.htm
> Scott LATEST UPDATED sources for scott*u.zip
> http://radiusnet.net/crypto/archive/scott/
> Scott famous Compression Page
> http://members.nbci.com/ecil/compress.htm
> **NOTE FOR EMAIL drop the roman "five" ***
> A final thought from President Bill: "The road to tyranny,
> we must never forget, begins with the destruction of the truth."



------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: diffie hellman
Date: Fri, 30 Mar 2001 16:00:00 GMT


"Henrick Hellström" <[EMAIL PROTECTED]> wrote in message
news:9a2a5j$8n3$[EMAIL PROTECTED]...
> "Tom St Denis" <[EMAIL PROTECTED]> skrev i meddelandet
> news:5Y1x6.164265$[EMAIL PROTECTED]...
> >
> > "Henrick Hellström" <[EMAIL PROTECTED]> wrote in message
> > news:9a27e7$60e$[EMAIL PROTECTED]...
> > > Use the formula a = 2**x mod p. x is the ephemeral private key. a is the
> > > ephemeral public key. You should use a secure (P)RNG to generate x.
> > >
> > > The other party generates y, calculates b = 2**y mod p and transmits b to
> > > you. You calculate K = b**x mod p. The other party calculates K = a**x mod
> > > p. K (or the hash value of K) is the shared session key.
> > >
> > > By using 2, you may substitute all multi precision multiplications for shift
> > > left operations. There is little to gain by using 3 as the generator.
> >
> > You can only use 2 if the subgroup generated is large enough.  It may be
> > insecure.
> >
> > > No, you don't really reduce security by using 2 as the generator. Suppose
> > > you use some other generator g instead. Then there is a number c such that
> > > g = 2**c mod p. Let c' be the number such that c'c = 1 (mod (p-1)). That
> > > would give you a = g**(c'x) mod p, b = g**(c'y) mod p, K = g**(c'xy) mod p, and
> > > your ephemeral private keys would in this case be x' = c'x mod (p-1), y' =
> > > c'y mod (p-1). If the attacker would be able to calculate x and y if 2 was
> > > used, then the attacker would most certainly be equally able to calculate
> > > c and hence x' and y' if g was used.
> >
> > This a) doesn't make sense and b) is wholly incorrect.  If you have a 1024
> > bit p and the sub-group generated by 2 is only 64-bits wide then I could
> > find your private exponent (or a multiple thereof) easily.
>
>
> But the subgroup is 1023 bits wide. The OP mentioned that a Germain prime
> was to be used.

Why not just use a group as large as possible?

Tom



------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Crossposted-To: alt.drugs.pot,rec.radio.swap,rec.running,rec.sport.skating.ice.figure
Subject: Re: Malicious Javascript in Brent Kohler post (was: Re: Who is Brent K 
Date: Fri, 30 Mar 2001 18:09:08 +0200



I Can Help wrote:
> 
[snip]
> Agreed - I have really never been able to find any USEFUL need for
> HTML (much less JavaScript) in a newsreader.  They should all just block
> the code.

I am not quite sure of that. If you have complicated
mathematical formulae, you could use HTML to advantage.
I haven't acquainted myself with that, it is anyway a 
feature contained in the newer XML specifications, I 
believe.

M. K. Shen

------------------------------

From: "-[tCs]-"
Crossposted-To: alt.drugs.pot,rec.radio.swap,rec.running,rec.sport.skating.ice.figure
Subject: Re: Malicious Javascript in Brent Kohler post (was: Re: Who is Brent K 
Kohler?)
Date: Fri, 30 Mar 2001 17:15:41 +0100

On Fri, 30 Mar 2001 18:09:08 +0200, Mok-Kong Shen
<[EMAIL PROTECTED]> shed a beam of light on us:

>
>
>I Can Help wrote:
>> 
>[snip]
>> Agreed - I have really never been able to find any USEFUL need for
>> HTML (much less JavaScript) in a newsreader.  They should all just block
>> the code.
>
>I am not quite sure of that. If you have complicated
>mathematical formulae, you could use HTML to advantage.
>I haven't acquainted myself with that, it is anyway a 
>feature contained in the newer XML specifications, I 
>believe.
>
>M. K. Shen

How often would you use scripted mathematical formulae in news group
postings? Creating a web page and linking to it would probably be a
more useful solution.

-=Cornelis
--
                                 ____ __ ___
                             ___(_  _) _) __) ___
                            (___) )(( (_\__ \(___)
                                 (__)\__|___/
= = =
                  Narc Narc  (��)�
                 "Better bongs than bombs"
= = =
"On Usenet nobody can hear you scream..." - Satan
============================================

This message is made out of 100% recycled and happy electrons

------------------------------

From: "Henrick Hellström" <[EMAIL PROTECTED]>
Subject: Re: diffie hellman
Date: Fri, 30 Mar 2001 18:17:27 +0200

"Tom St Denis" <[EMAIL PROTECTED]> skrev i meddelandet
news:442x6.164285$[EMAIL PROTECTED]...
>
> "Henrick Hellström" <[EMAIL PROTECTED]> wrote in message
> > But the subgroup is 1023 bits wide. The OP mentioned that a Germain prime
> > was to be used.
>
> Why not just use a group as large as possible?


The premise stated in the OP was that p is a 1024 bit Germain prime. Hence
the largest subgroup is 1023 bits wide, since its order is (p-1)/2. The
group Z*(p) itself is 1024 bits wide. I am not sure I understand what you
are suggesting.


--
Henrick Hellström  [EMAIL PROTECTED]
StreamSec HB  http://www.streamsec.com



------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Pseudo-random permutation generators
Date: Fri, 30 Mar 2001 18:14:38 +0200



Toby Sharp wrote:
> 
> Can anyone explain how to construct a pseudo-random permutation generator,
> perhaps from a pseudo-random sequence generator? Speed is the foremost
> issue; the output will not be available to an attacker, so does not need to
> be cryptographically secure in the sense of cracking it from fragmented
> output.

In the 'general' case, there appears to be nothing
better than the algorithm of Durstenfeld (see Knuth vol. 2)
in practice.

M. K. Shen

------------------------------

From: Simon Josefsson <[EMAIL PROTECTED]>
Subject: Re: AES - test vectors?
Date: 30 Mar 2001 18:21:50 +0200

[EMAIL PROTECTED] (Marc) writes:

> Hi.  I'm trying to get an AES implementation to work.  However, I don't
> understand the test vector format from the AES web page.  The file
> "ecb_e_m.txt" begins like this this:
> 
> I=0
> KEY=00000000000000000000000000000000
> PT=00000000000000000000000000000000
> CT=C34C052CC0DA8D73451AFE5F03BE297F

This is calculated by feeding the cryptotext back into the ECB
encryption as plaintext 10,000 times, starting with the given PT and
always using the same KEY.

> I=1
> KEY=C34C052CC0DA8D73451AFE5F03BE297F
> PT=C34C052CC0DA8D73451AFE5F03BE297F
> CT=0AC15A9AFBB24D54AD99E987208272E2

This is the next round, and it simply uses the last cryptotext from
the previous 10,000 rounds as key during all iterations and the last
cryptotext as the initial plaintext.

> When I encrypt PT=00000000000000000000000000000000 with
> KEY=00000000000000000000000000000000 in 128/128 mode I get something
> different than CT=C34C052CC0DA8D73451AFE5F03BE297F.  Am I reading the
> file wrong or is my implementation wrong?

What do you get?  If you get CT=66E94BD4EF8A2C3B884CFA59CA342B2E I
think you only did 1 round instead of 10,000.

> Can anyone send me a binary snapshot of the BYTESUB 256byte lookup table?
> I don't know if my implementation calculates it correctly or not.

Here's what I use:

(defconst rijndael-S
  [ 99 124 119 123 242 107 111 197  48   1 103  43 254 215 171 118
   202 130 201 125 250  89  71 240 173 212 162 175 156 164 114 192
   183 253 147  38  54  63 247 204  52 165 229 241 113 216  49  21
     4 199  35 195  24 150   5 154   7  18 128 226 235  39 178 117
     9 131  44  26  27 110  90 160  82  59 214 179  41 227  47 132
    83 209   0 237  32 252 177  91 106 203 190  57  74  76  88 207
   208 239 170 251  67  77  51 133  69 249   2 127  80  60 159 168
    81 163  64 143 146 157  56 245 188 182 218  33  16 255 243 210
   205  12  19 236  95 151  68  23 196 167 126  61 100  93  25 115
    96 129  79 220  34  42 144 136  70 238 184  20 222  94  11 219
   224  50  58  10  73   6  36  92 194 211 172  98 145 149 228 121
   231 200  55 109 141 213  78 169 108  86 244 234 101 122 174   8
   186 120  37  46  28 166 180 198 232 221 116  31  75 189 139 138
   112  62 181 102  72   3 246  14  97  53  87 185 134 193  29 158
   225 248 152  17 105 217 142 148 155  30 135 233 206  85  40 223
   140 161 137  13 191 230  66 104  65 153  45  15 176  84 187  22]
  "Rijndael S-box.")
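
An added example, not code from Marc's or Simon's posts: it rebuilds the S-box from its definition (multiplicative inverse in GF(2^8) followed by the affine map) so the table above can be checked against it, implements AES-128 in plain Python, and runs the ECB Monte Carlo inner loop Simon describes, 10,000 encryptions under one key with each ciphertext fed back as the next plaintext. For 128-bit keys the next outer-iteration KEY is the previous KEY XORed with that final ciphertext; with the all-zero starting key that is just the ciphertext, which is why the I=1 entry shows KEY = PT = C34C.... The only inputs are the file's own zero key and zero plaintext.

```python
# Added example: AES-128 from the Rijndael definition, the regenerated S-box,
# and the ECB Monte Carlo Test loop behind the CT lines in ecb_e_m.txt.

def _xtime(b):
    """Multiply by x in GF(2^8) modulo the Rijndael polynomial x^8 + x^4 + x^3 + x + 1."""
    b <<= 1
    return (b ^ 0x11B) & 0xFF if b & 0x100 else b

def build_sbox():
    """S-box = affine transform of the multiplicative inverse; 3 generates GF(2^8)^*."""
    exp, log = [0] * 256, [0] * 256
    x = 1
    for i in range(255):
        exp[i], log[x] = x, i
        x ^= _xtime(x)                       # x *= 3
    sbox = []
    for b in range(256):
        inv = exp[(255 - log[b]) % 255] if b else 0
        s = inv
        for r in range(1, 5):                # s = inv ^ rotl1 ^ rotl2 ^ rotl3 ^ rotl4
            s ^= ((inv << r) | (inv >> (8 - r))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox

SBOX = build_sbox()
_XT = [_xtime(b) for b in range(256)]
# ShiftRows source index for state position 4*col + row: row r rotates left by r.
_SHIFT = [(4 * (c + r) + r) % 16 for c in range(4) for r in range(4)]

def expand_key(key):
    """AES-128 key schedule: 176 bytes = 11 round keys, column-major like the state."""
    w = list(key)
    rcon = 1
    for i in range(16, 176, 4):
        t = w[i - 4:i]
        if i % 16 == 0:                      # RotWord, SubWord, Rcon once per round
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = _xtime(rcon)
        w += [w[i - 16 + j] ^ t[j] for j in range(4)]
    return w

def encrypt_block(round_keys, block):
    """One AES-128 block; state index = 4*column + row, as the spec maps input bytes."""
    s = [b ^ k for b, k in zip(block, round_keys[:16])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                             # SubBytes
        s = [s[i] for i in _SHIFT]                           # ShiftRows
        if rnd != 10:                                        # MixColumns (not in last round)
            m = []
            for c in range(0, 16, 4):
                a0, a1, a2, a3 = s[c:c + 4]
                t = a0 ^ a1 ^ a2 ^ a3
                m += [a0 ^ t ^ _XT[a0 ^ a1], a1 ^ t ^ _XT[a1 ^ a2],
                      a2 ^ t ^ _XT[a2 ^ a3], a3 ^ t ^ _XT[a3 ^ a0]]
            s = m
        s = [b ^ k for b, k in zip(s, round_keys[16 * rnd:16 * rnd + 16])]  # AddRoundKey
    return bytes(s)

def aes128_encrypt(key, block):
    return encrypt_block(expand_key(key), block)

def ecb_mct(key, pt, iterations=10000):
    """Inner loop of the ECB Monte Carlo Test: each ciphertext is the next plaintext."""
    rk = expand_key(key)
    ct = pt
    for _ in range(iterations):
        ct = encrypt_block(rk, ct)
    return ct

def ecb_mct_next_key(key, last_ct):
    """128-bit-key rule for the next outer iteration: KEY[i+1] = KEY[i] XOR CT[i][9999].
    With KEY[0] = 0 this equals the ciphertext, matching the I=1 line of the file."""
    return bytes(k ^ c for k, c in zip(key, last_ct))

if __name__ == "__main__":
    zero = bytes(16)
    print("single block:", aes128_encrypt(zero, zero).hex().upper())   # Marc's one-shot value
    ct0 = ecb_mct(zero, zero)
    print("I=0 CT      :", ct0.hex().upper())                           # the file's I=0 CT
    print("I=1 KEY     :", ecb_mct_next_key(zero, ct0).hex().upper())  # the file's I=1 KEY
```

If the single-block result is 66E94BD4EF8A2C3B884CFA59CA342B2E but the 10,000-iteration value differs from the file, the cipher is right and the test harness is wrong; the reverse points at the cipher itself.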

------------------------------

From: "John A. Malley" <[EMAIL PROTECTED]>
Subject: Re: Idea - (LONG)
Date: Fri, 30 Mar 2001 08:18:21 -0800


Mok-Kong Shen wrote:
> 
[snip]

> I don't yet understand. My point was that, if you change
> you four variable length messages to constant length ones,
> as I indicated in my follow-up, then the encryption
> becomes a normal block encryption (the characteristic
> of a block encryption is that it transforms a constant
> number of bits to the same number of bits, in the present
> case 2). So with that change you obtain a block cipher.
> All the computations about probabilities remains the same.
> In other words, your statements relating to Shannon
> and his perfect security in the case of your original
> example translates to the modified example unchanged.

Yes, that's true.  XORing the random key with the plaintext string is an
algorithm to achieve this perfect secrecy, but that's not the algorithm
I wanted to address. 

> Doesn't that achieves your goal of finding a block
> cipher under the said context of Shannon? 

No, but I didn't make myself clear in my original post.  I did with a
follow-up to my reply to Prof. Wagner. 
Let me present it again,  :-)

Can a product cipher (or specifically a Feistel cipher) block cipher
algorithm with perfect secrecy exist?

Elaborating - 

Can we construct a block cipher with perfect secrecy by cascading
substitution and transposition  "units" in some sequence? Or with a
Feistel cipher? Will the resulting algorithm yield that particular set
of permutation mappings such that each message is mapped to each
cryptogram in just one of the maps (and thus by just one of the possible
keys.)  

If this cannot be done with a product cipher or Feistel cipher then we
(possibly) establish some fundamental limits on the achievable secrecy
of a block cipher algorithm.


John A. Malley
[EMAIL PROTECTED]

------------------------------

From: "Toby Sharp" <[EMAIL PROTECTED]>
Subject: Re: Pseudo-random permutation generators
Date: Fri, 30 Mar 2001 17:22:39 +0100

I don't have that reference. Can you summarize the algorithm?

TIA,
Toby.

Mok-Kong Shen <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
>
> Toby Sharp wrote:
> >
> > Can anyone explain how to construct a pseudo-random permutation
generator,
> > perhaps from a pseudo-random sequence generator? Speed is the foremost
> > issue; the output will not be available to an attacker, so does not need
to
> > be cryptographically secure in the sense of cracking it from fragmented
> > output.
>
> In the 'general' case, there appears to be nothing
> better than the algorithm of Durstenfeld (see Knuth vol. 2)
> in practice.
>
> M. K. Shen



------------------------------

From: "Tom St Denis" <[EMAIL PROTECTED]>
Subject: Re: diffie hellman
Date: Fri, 30 Mar 2001 16:25:55 GMT


"Henrick Hellström" <[EMAIL PROTECTED]> wrote in message
news:9a2bfg$aeu$[EMAIL PROTECTED]...
> "Tom St Denis" <[EMAIL PROTECTED]> skrev i meddelandet
> news:442x6.164285$[EMAIL PROTECTED]...
> >
> > "Henrick Hellström" <[EMAIL PROTECTED]> wrote in message
> > > But the subgroup is 1023 bits wide. The OP mentioned that a Germain prime
> > > was to be used.
> >
> > Why not just use a group as large as possible?
>
>
> The premise stated in the OP was that p is a 1024 bit Germain prime. Hence
> the largest subgroup is 1023 bits wide, since its order is (p-1)/2. The
> group Z*(p) itself is 1024 bits wide. I am not sure I understand what you
> are suggesting.

The problem is if g is a generator modulo a s.g. prime p, then g^((p-1)/2) != 1
and g^(p-1) = 1 and g^2 != 1, all is well, meaning g is a generator.

The sub-groups of a s.g. prime have orders 0, 2, and (p-1)/2.

Because I was an idiot I overlooked that all except 0 and 1/-1 belong to
(p-1)/2.

Sorry.

Tom



------------------------------

From: "Sam Simpson" <[EMAIL PROTECTED]>
Subject: Re: Support for 1536 bit RSA keys?
Date: Fri, 30 Mar 2001 17:28:45 +0100

I think Tom alluded to the point, and my response was something like:
"Rivest predicted that a 129-bit factorization would take 40-quadrillion
years whereas in reality it took just 8 months using idle cycles on
computers around the globe. I'd say it pays to be cautious with keylengths."

Breaking RSA keys of a specific key size (e.g. 1024-bits, whatever) could be
the result of a combination of:

  1) More powerful processors to break the keys (e.g. QC, DNA computing or
simply better processors due to natural improvement in engineering
techniques - whatever).

  2) More processors (e.g. if every TV set includes the equiv of a 1Ghz
Athlon sometime (not totally theoretical - think MPG decoding or something)
then the number of available computing power increases)

  3) Better algorithms.

The original RSA129 challenge was only broken because of a combination of
the above.  Does that mean that 1024-bit keys can be broken?

No.

Cryptographers know all the above, that's why Lenstra, Odlyzko, Schneier etc
make statements to the effect of "use 2048-bit keys for long term security".



--
Regards,

Sam
http://www.scramdisk.clara.net/

Simon Hunt <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> One point nobody has made is that if (somehow) a way of breaking a 1024 bit
> key is discovered, then because of the supposed mathematical impossibility
> of the task they will have probably discovered a way of breaking ANY RSA
> key, no matter its size.
>
> as an example, a quantum computer takes the same amount of time (no time at
> all!) to break a 64bit RSA key, as a 64 quadrillion bit RSA key...
>
> think about that!
>
> Simon.
>
> "Sam Simpson" <[EMAIL PROTECTED]> wrote in message
> news:ds%w6.2900$[EMAIL PROTECTED]...
> > Why not?  If you can stomach the speed issues (e.g. key is a key signing CA
> > key used v. occasionally) and you can gather the entropy to produce such a
> > large key...
> >
> > I'm sure people said the same kind of thing about 1500-bit keys when 512 was
> > the de facto standard..........
> >
> > --
> > Regards,
> >
> > Sam
> > http://www.scramdisk.clara.net/
> >
> > Tom St Denis <[EMAIL PROTECTED]> wrote in message
> > news:Hl%w6.163951$[EMAIL PROTECTED]...
> > >
> > > "Sam Simpson" <[EMAIL PROTECTED]> wrote in message
> > > news:J0%w6.2868$[EMAIL PROTECTED]...
> > > > Tom St Denis <[EMAIL PROTECTED]> wrote in message
> > > > news:lA_w6.163933$[EMAIL PROTECTED]...
> > > > >
> > > > > <[EMAIL PROTECTED]> wrote in message
> > > > > news:Ne_w6.1530$[EMAIL PROTECTED]...
> > > > > > Thanks for reading this.
> > > > > >
> > > > > > I am trying to assess cryptographic toolkit, certificate generation
> > > > > > software, certificate validation software vendor support for 1536-bit RSA
> > > > > > keys.
> > > > > >
> > > > > > I expect good support for 1024-bit and 2048-bit keys as they are
> > > > > > "standard" key lengths. Should I expect such good support for 1536-bit keys?
> > > > >
> > > > > This is because you're a nutcase.  Factoring is a hard job.  "2048-bit
> > > > > keys" are not standard ... they are for paranoids.
> > > >
> > > > "If 512-bit keys are insecure today, they were just as insecure last
> > > > month. Anyone implementing RSA should have moved to 1028-bit keys years ago,
> > > > and should be thinking about 2048-bit keys today. It's tiring when people
> > > > don't listen to cryptographers when they say that something is insecure,
> > > > waiting instead for someone to actually demonstrate the insecurity.".
> > >
> > > So let's use 10kbit rsa keys?
> > >
> > > Tom
> > >
> > >
> >
> >
>
>



------------------------------

From: "Sam Simpson" <[EMAIL PROTECTED]>
Subject: Re: Support for 1536 bit RSA keys?
Date: Fri, 30 Mar 2001 17:32:43 +0100

Tom St Denis <[EMAIL PROTECTED]> wrote in message
news:j71x6.164128$[EMAIL PROTECTED]...
>
> "Sam Simpson" <[EMAIL PROTECTED]> wrote in message
> news:9D0x6.3011$[EMAIL PROTECTED]...
> > Tom St Denis <[EMAIL PROTECTED]> wrote in message
> > news:tu0x6.164064$[EMAIL PROTECTED]...
> >
> > <SNIP>
> >
> > > If we can't factor 768-bit keys are 2048-bit ones better?
> >
> > To quote Schneier again: "If 512-bit keys are insecure today, they were just
> > as insecure last month. Anyone implementing RSA should have moved to
> > 1028-bit keys years ago, and should be thinking about 2048-bit keys today.
> > It's tiring when people don't listen to cryptographers when they say that
> > something is insecure, waiting instead for someone to actually demonstrate
> > the insecurity."
> >
> > Or, to paraphrase:  Tom *listen* to cryptographers.
>
> This line of thinking is inherently flawed.  1024 bit keys will be insecure
> 10 years from now (just assume) so that means they are insecure now?

Hey, we are getting somewhere:

    The original poster indicated the data needs to be secured for 20 years!



--
Regards,

Sam
http://www.scramdisk.clara.net/




------------------------------

From: "Henrick Hellström" <[EMAIL PROTECTED]>
Subject: Re: diffie hellman
Date: Fri, 30 Mar 2001 18:41:45 +0200

"Tom St Denis" <[EMAIL PROTECTED]> skrev i meddelandet
news:ns2x6.164325$[EMAIL PROTECTED]...
> The sub-groups of a s.g prime have orders, 0, 2, and (p-1)/2
>
> Because I was an idiot I overlooked that all except 0 and 1/-1 belong to
> (p-1)/2

You were not such an idiot. 1,-1 are the members of the subgroup of order 2,
and that's the only other subgroup. But there are also approximately 2**1023
numbers not belonging to any subgroup, i.e. the discrete square roots of the
elements in the large subgroup. Hence, if 2 is a generator of Z*(P) and A =
2**X mod P, then by knowing A you will easily deduce the lsbit of X, but
that's about all. If this is a concern, then you might use 4 as generator
instead.


> Sorry.

By all means, but no need for that.

--
Henrick Hellström  [EMAIL PROTECTED]
StreamSec HB  http://www.streamsec.com
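
The subgroup question running through this thread, as an added example (not code from any of the posters): for a safe prime p = 2q + 1 the only element orders in Z*(p) are 1, 2, q and 2q. 4 = 2^2 always has order q, while 2 has order 2q exactly when p = 3 (mod 8), because 2 is a quadratic residue mod p iff p = +-1 (mod 8). In that case A = 2^x mod p gives away the low bit of x through Euler's criterion (A^q = (-1)^x), which is the leak Henrick describes and the reason he suggests 4. The code also carries the receive-side check Tom's objection calls for: reject 0, 1 and p-1, and when the agreator has order q, reject anything outside that subgroup. The 128-bit safe primes are generated at run time from a fixed seed so the demo is small and reproducible (the OP's 1024-bit p behaves the same); the seeded random.Random is for the demo only and is not a CSPRNG.

```python
import random

# Added example: element orders, the low-bit leak with g = 2, and public-value
# validation for Diffie-Hellman over a safe prime p = 2q + 1.

_SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]

def make_rng(seed):
    """Deterministic RNG for a reproducible demo; real keys come from the OS CSPRNG."""
    return random.Random(seed)

def is_probable_prime(n, rng, rounds=32):
    """Trial division by small primes, then `rounds` Miller-Rabin rounds."""
    if n < 2:
        return False
    for sp in _SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_safe_prime(bits, rng, p_mod_8=None):
    """Return (p, q) with q prime and p = 2q + 1 prime of exactly `bits` bits.
    p_mod_8 (3 or 7) optionally fixes the class that decides whether 2 is a
    quadratic residue mod p (it is iff p = +-1 mod 8, i.e. p = 7 mod 8 here)."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if p_mod_8 is not None and p % 8 != p_mod_8:
            continue
        if is_probable_prime(q, rng) and is_probable_prime(p, rng):
            return p, q

def element_order(g, p, q):
    """Order of g in Z_p^* for a safe prime p = 2q + 1: one of 1, 2, q, 2q = p - 1."""
    g %= p
    if g == 0:
        raise ValueError("0 is not in Z_p^*")
    if g == 1:
        return 1
    if g == p - 1:
        return 2
    return q if pow(g, q, p) == 1 else 2 * q

def exponent_lsb(A, p, q):
    """For A = g^x with g of order 2q, Euler's criterion gives A^q = (-1)^x, so the
    parity of the secret exponent is readable from the public value alone."""
    return 0 if pow(A, q, p) == 1 else 1

def peer_value_ok(B, p, q, g_order):
    """Validate a received public value: never 0, 1 or p-1 (orders 1 and 2), and
    when the agreed generator has prime order q, B must satisfy B^q = 1 as well."""
    if not 1 < B < p - 1:
        return False
    return pow(B, q, p) == 1 if g_order == q else True

def dh_exchange(p, q, g, rng):
    """One exchange. Returns Alice's secret x, her public A, and what an eavesdropper
    learns about x from A: its low bit if g generates all of Z_p^*, else nothing."""
    order = element_order(g, p, q)
    x, y = rng.randrange(1, order), rng.randrange(1, order)
    A, B = pow(g, x, p), pow(g, y, p)
    if not peer_value_ok(B, p, q, order) or pow(B, x, p) != pow(A, y, p):
        raise ValueError("exchange failed validation")
    leaked = exponent_lsb(A, p, q) if order == 2 * q else None
    return x, A, leaked

if __name__ == "__main__":
    rng = make_rng(20010330)
    for residue in (3, 7):
        p, q = gen_safe_prime(128, rng, p_mod_8=residue)   # toy size for speed
        print(f"p = {residue} mod 8: order(2) == 2q: {element_order(2, p, q) == 2 * q}, "
              f"order(4) == q: {element_order(4, p, q) == q}")
        x, A, leaked = dh_exchange(p, q, 2, rng)
        print(f"  g = 2: x & 1 = {x & 1}, leaked from A: {leaked}")
```

With p = 3 (mod 8) the leaked value always equals x & 1; with p = 7 (mod 8), or with g = 4 for any safe prime, the generator has order q and nothing about x is readable this way. Note that the subgroup membership test in peer_value_ok only applies when both sides agreed on an order-q generator; with g = 2 of order 2q, half of all honest public values are non-residues and would be rejected by it.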



------------------------------

From: "Simon Hunt" <[EMAIL PROTECTED]>
Subject: Re: Support for 1536 bit RSA keys?
Date: Fri, 30 Mar 2001 17:39:53 +0100

how do you determine that Ron's original quote..

> It is of interest to note that Rivest predicted that a
> 129-bit factorization would take 40-quadrillion years whereas in reality it
> took just 8 months
> using idle cycles on computers around the globe

was referring to distributed.net? And again, you are arguing a technicality.
Distributed.net runs in idle time - the fact that you process more
information in idle time than non-idle time is irrelevant. It's
still ----idle time----

we are not talking about a car engine here!

Simon.


"Tom St Denis" <[EMAIL PROTECTED]> wrote in message
news:gZ1x6.164268$[EMAIL PROTECTED]...
>
> "Simon Hunt" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > Sorry Tom, I agree with Sam - if you look at NT/2000 there is a task "System
> > Idle Process" - it's called that because when a PC is not doing anything
> > productive, the internationally recognised term is it's "Idling" - hence
> > Idle Time. You don't stop the clock cycles on a PC when it's not being used,
> > it still runs at the same rate internally so there has to be something to
> > chew up all those extra cycles - the Idle task.
> >
> > I think the original quote was completely technically correct- you don't
> > know what the average utilization of all the distributed computers was - it
> > could have been a load of corporate mainframes with only 0.001 idle process
> > time - you are making an opinion based on your (under utilized) pc. Mine for
> > instance runs at 99% all the time due to the processes I run....
> >
> > give in on this one - the world is not with you :-)
>
> Nope.  I won't.
>
> Given the 1000's of computers in distributed.net do you honestly believe
> they are all SGI's making the next Pixar film?
>
> Tom
>
>



------------------------------

From: "Sam Simpson" <[EMAIL PROTECTED]>
Subject: Re: Support for 1536 bit RSA keys?
Date: Fri, 30 Mar 2001 17:49:10 +0100

Tom St Denis <[EMAIL PROTECTED]> wrote in message
news:hb1x6.164137$[EMAIL PROTECTED]...

<SNIP>

> Ok smart arse try to factor this
>
> N =
> 8839143726083845882125258976826768843086739488346772188855474234625194373213010590694703736431968224366295334313451194532698261755955636646178524034627609
>
> If you can factor this 512-bit number within 5 years I will give you 100$.
> If you cannot I will assume you don't know what you are talking about.

That's the kind of "school boy" intelligence that Mark Wooding, Greg Rose,
Paul Crowley etc have commented on before and you've responded: " Is this
group just wildly incompetent or am I just in every killfile for trying to
be intelligent?"

If this post is indicative of you "trying to be intelligent", then you are
thicker than you appear.  Personally, I think you are pretty bright (in
respect of maths / crypto), but lack developed reasoning and social
interaction skills.  Perhaps you'll gain them with age??


Anyway, back to the thread:
All I've been doing is trying to make you provide reason for the wild
statements you have made in this thread.  Note that all the way through I've
been providing citations to quotes by respected cryptographers - I haven't
seen this from you?

Who cares if *I* can break a 512-bit key - this group {is | should} be about
whether *anyone* can break a 512-bit key, which is clearly the case.


Regards,

Sam
http://www.scramdisk.clara.net/




------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list by posting to sci.crypt.

End of Cryptography-Digest Digest
******************************
