Cryptography-Digest Digest #685, Volume #10       Sun, 5 Dec 99 12:13:02 EST

Contents:
  Re: Why Aren't Virtual Dice Adequate? ("r.e.s.")
  NEMA missing a plugboard? (UBCHI2)
  Re: NSA should do a cryptoanalysis of AES (wtshaw)
  Re: 1 round Defeats Enigma attacks (David Wagner)
  Re: NSA should do a cryptoanalysis of AES (wtshaw)
  Re: 1 round Defeats Enigma attacks (UBCHI2)
  Re: 1 round Defeats Enigma attacks (John Savard)
  Re: Why Aren't Virtual Dice Adequate? (LVRWCT)
  Re: NEMA missing a plugboard? (John Savard)
  Re: Why Aren't Virtual Dice Adequate? (Guy Macon)
  Re: Why Aren't Virtual Dice Adequate? (Guy Macon)
  Re: Distribution of intelligence in the crypto field (CLSV)
  Re: NSA should do a cryptoanalysis of AES (Sander Vesik)
  Re: NSA should do a cryptoanalysis of AES (SCOTT19U.ZIP_GUY)
  Re: Use of two separate 40 bit encryption schemes ([EMAIL PROTECTED])
  Re: DNA based brute-force attacks? (Boaz Lopez)
  The leading university of cryptography ([EMAIL PROTECTED])
  Re: Elliptic Curve Public-Key Cryptography (Bodo Moeller)
  Re: Elliptic Curve Public-Key Cryptography (DJohn37050)
  Re: NSA should do a cryptoanalysis of AES, What Pi has taught us (Bruce Schneier)
  Re: Distribution of intelligence in the crypto field (CLSV)
  Re: The leading university of cryptography (David A Molnar)
  Re: Quantum Computers and Weather Forecasting (Joseph Bartlo)
  Re: NSA should do a cryptoanalysis of AES, What Pi has taught us (CLSV)

----------------------------------------------------------------------------

From: "r.e.s." <[EMAIL PROTECTED]>
Crossposted-To: sci.math
Subject: Re: Why Aren't Virtual Dice Adequate?
Date: Sat, 4 Dec 1999 23:23:32 -0800

"Trevor Jackson, III" <[EMAIL PROTECTED]> wrote ...
[...]
: The sender is using up his pad as he enciphers the message to
: each recipient.  To authenticate each message he appends a signature
: to each plaintext. The signature can be any shared secret.  The S
: (signature size) bits of pad following the portion just consumed will
: suffice. The sender enciphers the signature as part of the plaintext.
: On receipt of the message the receiver deciphers the plaintext normally,
: and compares the last S bits of the message to the next S bits of pad.
: If they match the message is authentic.
:
: Pad usage is identical at both ends: P bits for the plaintext and 2*S
: bits for the signature.

Under discussion is a scenario in which *identical* plaintext is sent
to two different recipients (perhaps through trickery by an agent).
What you describe adds a unique signature to the plaintext, so it is
not of this kind.

Also, incorporating additional ingredients such as a "shared secret"
is a nice example of what I was calling the "strengthening" of a
"pure OTP alone".

--
r.e.s.
[EMAIL PROTECTED]
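A runnable model of the pad-signature scheme quoted above, added here as an illustration (it is not code from either poster). It assumes a byte-oriented pad and reads the post's budget as P bytes enciphering the plaintext, S bytes of pad taken as the signature and S more enciphering it, so P + 2S bytes are consumed per message; the class and function names are my own, and the demo pad is constructed from a seeded generator where a real pad would be true random bits.

```python
import hmac
import random

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def make_demo_pad(n, seed):
    """Constructed demo pad from a seeded generator so the run is repeatable.
    A real pad must be truly random and never reused."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))

class PadUser:
    """One party holding a copy of the shared pad and a cursor into it."""

    def __init__(self, pad, sig_len):
        self.pad = pad
        self.sig_len = sig_len
        self.offset = 0  # pad consumed so far; both ends advance in step

    def _consume(self, n):
        chunk = self.pad[self.offset:self.offset + n]
        if len(chunk) < n:
            raise ValueError("pad exhausted")
        self.offset += n
        return chunk

    def send(self, plaintext):
        """Encipher the plaintext, then the signature (the next S bytes of
        pad), each with fresh pad: P + 2S bytes used in total."""
        key = self._consume(len(plaintext))    # P bytes enciphering the plaintext
        sig = self._consume(self.sig_len)      # S bytes: the signature itself
        sig_key = self._consume(self.sig_len)  # S bytes enciphering the signature
        return _xor(plaintext + sig, key + sig_key)

    def receive(self, message):
        """Decipher with the same pad positions and compare the trailing S
        bytes with the signature bytes the pad predicts."""
        p = len(message) - self.sig_len
        if p < 0:
            raise ValueError("message shorter than a signature")
        key = self._consume(p)
        expected_sig = self._consume(self.sig_len)
        sig_key = self._consume(self.sig_len)
        decrypted = _xor(message, key + sig_key)
        plaintext, sig = decrypted[:p], decrypted[p:]
        authentic = hmac.compare_digest(sig, expected_sig)
        return plaintext, authentic

def demo():
    pad = make_demo_pad(256, seed=7)
    alice, bob = PadUser(pad, sig_len=8), PadUser(pad, sig_len=8)
    msg = alice.send(b"ATTACK AT DAWN")
    plaintext, ok = bob.receive(msg)
    # A party holding a different pad produces trailing bytes that do not
    # match what Bob's pad predicts, so the check fails.
    outsider = PadUser(make_demo_pad(256, seed=8), sig_len=8)
    _, forged_ok = PadUser(pad, sig_len=8).receive(outsider.send(b"ATTACK AT DAWN"))
    return plaintext, ok, forged_ok, alice.offset, bob.offset

if __name__ == "__main__":
    print(demo())
```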






------------------------------

From: [EMAIL PROTECTED] (UBCHI2)
Subject: NEMA missing a plugboard?
Date: 05 Dec 1999 07:31:29 GMT

Why did the designers of the NEMA rotor machine leave out the plugboard found
on the enigma.  Wouldn't the plugboard dramatically increase the difficulty of
cryptanalysis of a rotor machine message?

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: NSA should do a cryptoanalysis of AES
Date: Sun, 05 Dec 1999 02:23:52 -0600

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Brian Chase) wrote:
> 
> Speaking on matters of paranoia, my particular paranoid tendencies seem to
> note that Microsoft hires up quite a few of the computing history greats.
> I don't really see that they're making use of this talent as is evidenced
> by the really horrible quality products Microsoft puts out.  The only
> conclusion I've been able to reach is that Microsoft hires these people to
> keep them off the market, doing otherwise productive work which might
> compete with Microsoft interests.

Microsoft did not originate that tactic but copied it, like most other
things it does.
> 
> The more I find out about the design weaknesses of Microsoft products, the
> more convinced I am that Microsoft's presence in this world is adversely
> effecting the progress of humanity.  I really hate them.
> 
Note that Microsoft has lots of folks leave them in disgust.
-- 
Love is blind, or at least figure that it has astigmatism. 

------------------------------

From: [EMAIL PROTECTED] (David Wagner)
Subject: Re: 1 round Defeats Enigma attacks
Date: 5 Dec 1999 00:07:59 -0800

In article <[EMAIL PROTECTED]>,
UBCHI2 <[EMAIL PROTECTED]> wrote:
[...]
> use 1 round of transposition to superencipher an enigma encryption
[...]

Interesting idea, but this does still leave some weaknesses.

A crucial property of the Enigma is that it never enciphers
a letter to itself.
Consequently, the ciphertext will still be biased even after
the transposition, which is often an indication that traces of
the plaintext may be leaking through.

It's worth working out the details to see why this is true.
Imagine that the letter 'E' occurs in the plaintext with
frequency 1/10 (say).
We can ask with what frequency 'E' will occur in the ciphertext.
It is clear that an 'E' in the plaintext will never cause an
'E' in the ciphertext; thus, to get an 'E' in the ciphertext,
we must have a non-'E' letter in the plaintext.
Even if we assume that, apart from this property of never
enciphering a letter to itself, there are no other properties
to exploit, we still get a large bias in the ciphertext: we
expect (heuristically) that each non-'E' plaintext letter will
encipher to 'E' in the ciphertext with probability 1/25, and
non-'E' plaintext letters occur with frequency 9/10, so we
should see 'E's in the ciphertext with frequency about
9/10 * 1/25 = .036.
This is noticeably smaller than what you'd expect for a uniformly
random source (1/26 = .03846...).
Of course, similar properties will hold for the other letters.

In other words, letters that have unusually high frequency in
the plaintext will have noticeably lower-than-expected frequency
in the ciphertext, and vice versa.  This can't be a good property.

This is already enough to distinguish Enigma ciphertexts from
truly random bitstreams, which is usually a bad sign; and it may
well point the way towards a full break of the cipher.
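The bias argument above, as an added simulation (not code from the post): a uniformly random derangement at every position models a cipher whose only remaining structure is that no letter enciphers to itself, a secret shuffle of positions stands in for one round of transposition, and the plaintext is constructed with 'E' at frequency 1/10 and the other letters sharing the rest equally.

```python
import random
import string
from collections import Counter

ALPHABET = string.ascii_uppercase

def plain_distribution(e_freq=0.1):
    """Constructed plaintext model: 'E' with frequency e_freq, every other
    letter sharing the remainder equally (the post's heuristic)."""
    return {c: e_freq if c == "E" else (1.0 - e_freq) / 25.0 for c in ALPHABET}

def expected_ciphertext_freq(plain_freq):
    """The post's calculation: a cipher that never maps a letter to itself
    sends each plaintext letter other than c to c with probability 1/25, so
    freq_ct(c) = (1 - freq_pt(c)) / 25.  For freq_pt('E') = 1/10 that is
    9/10 * 1/25 = 0.036, below the uniform 1/26 = 0.03846."""
    return {c: (1.0 - plain_freq[c]) / 25.0 for c in ALPHABET}

def random_derangement(rng):
    """Uniformly random permutation of the alphabet with no fixed point: the
    single Enigma property under discussion.  Rejection sampling; roughly
    1/e of all permutations qualify, so a few tries suffice."""
    while True:
        perm = list(ALPHABET)
        rng.shuffle(perm)
        if all(p != c for p, c in zip(perm, ALPHABET)):
            return dict(zip(ALPHABET, perm))

def encipher_never_self(plaintext, rng):
    """Idealised rotor machine: a fresh derangement at every position, so the
    only structure that survives is the no-self-mapping rule."""
    return "".join(random_derangement(rng)[p] for p in plaintext)

def transpose(text, rng):
    """One round of transposition, modelled as a secret shuffle of positions.
    It moves letters about but cannot change how often each one occurs."""
    order = list(range(len(text)))
    rng.shuffle(order)
    return "".join(text[i] for i in order)

def letter_freq(text):
    counts = Counter(text)
    return {c: counts[c] / len(text) for c in ALPHABET}

def run_experiment(n=50000, seed=1):
    """Encipher n constructed plaintext letters, transpose, and compare the
    observed ciphertext frequency of 'E' with the post's prediction."""
    rng = random.Random(seed)
    dist = plain_distribution()
    pt = "".join(rng.choices(ALPHABET, weights=[dist[c] for c in ALPHABET], k=n))
    enciphered = encipher_never_self(pt, rng)
    ct = transpose(enciphered, rng)
    return {
        "plain_E": letter_freq(pt)["E"],
        "cipher_E": letter_freq(ct)["E"],
        "predicted_E": expected_ciphertext_freq(dist)["E"],
        "uniform": 1 / 26,
        "counts_preserved": Counter(ct) == Counter(enciphered),
    }

if __name__ == "__main__":
    for name, value in run_experiment().items():
        print(f"{name:>16}: {value}")
```

The observed frequency of 'E' lands near the predicted 0.036 rather than 1/26, and the transposition leaves the letter counts untouched, which is exactly why a frequency count still distinguishes the output from random text.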

------------------------------

From: [EMAIL PROTECTED] (wtshaw)
Subject: Re: NSA should do a cryptoanalysis of AES
Date: Sun, 05 Dec 1999 02:36:13 -0600

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:

> wtshaw <[EMAIL PROTECTED]> wrote:
> : In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
> 
> :> Iron bars are also expensive.  If iron bars were free, and no more hassle
> :> to lock and unlock than an ordinary door, I'm sure more people would use
> :> them, even if the attack they are protecting against (a lockpicking 
> :> attack) are not known to be common.
> 
> : Iron bars are cheap, and ugly.
> 
> OK.  I guess the problems are that they can't be unlocked from the
> outside, they refuse to work as a latch, and are more effort than
> necessary to lock, and aren't terribly child-friendly.
> 
> Consequently, as a minimum, you likely need a secure keyed lock as well.
> 
> Goodness knows where this leaves the analogy ;-)

The cost is in the installation, if you don't do it yourself.  If they
were as crypto and someone else made and installed them, you should wonder
if they are as strong as they look, or just plastic.
> -- 
> __________
>  |im |yler  The Mandala Centre  http://www.mandala.co.uk/  [EMAIL PROTECTED]
> 
> Microsoft announces EDLIN for windows.
-- 
Love is blind, or at least figure that it has astigmatism. 

------------------------------

From: [EMAIL PROTECTED] (UBCHI2)
Subject: Re: 1 round Defeats Enigma attacks
Date: 05 Dec 1999 09:20:09 GMT

Yes Enigma creates a bias because letters can't represent themselves.  But that
flaw was used by the Bletchley Park cryptographers to confirm the location and
correctness of presumed plaintext cribs. The crib technique would fail on a
transposed encryption.  Therefore, you have to indicate how the weakness could
be exploited.

Many subsequent rotor machines did not have the weakness of the enigma that you
note.  Presumably transposition would really strengthen those.

 

------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: 1 round Defeats Enigma attacks
Date: Sun, 05 Dec 1999 08:59:35 GMT

On 04 Dec 1999 19:48:18 GMT, [EMAIL PROTECTED] (UBCHI2) wrote:

>If you use 1 round of transposition to superencipher an enigma encryption, you
>immediately counter the use of cribs, kisses and bombes.  The weakness of the
>rotor machines is that they leave each character in the same order as in the
>plaintext.

If you just use one round of transposition, although Enigma output
already almost looks like random letters, there is at least some
possibility of an attack. With enough cribs, one might be able to try
multiple anagramming.

Ideally, one would like a transposition system which both has a secret
key, and which also has a good indicator system so that every message
is transposed differently.

Then, not only the Enigma, but other nearly-secure systems that have
the weakness of not enciphering a letter to itself, can become much
more secure. For example, the Bazeries cylinder (Jefferson wheel
cipher, strip cipher).

------------------------------

From: LVRWCT <[EMAIL PROTECTED]>
Subject: Re: Why Aren't Virtual Dice Adequate?
Crossposted-To: sci.math
Date: Sun, 05 Dec 1999 01:41:11 -0800

Good old QBasic did all this random stuff using the date time function
of the computer.  Therefore, the user was the random element.  Just as
in any coin toss.
-LVRWCT




------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: NEMA missing a plugboard?
Date: Sun, 05 Dec 1999 09:05:12 GMT

On 05 Dec 1999 07:31:29 GMT, [EMAIL PROTECTED] (UBCHI2) wrote:

>Why did the designers of the NEMA rotor machine leave out the plugboard found
>on the enigma.  Wouldn't the plugboard dramatically increase the difficulty of
>cryptanalysis of a rotor machine message?

The NEMA had four rotors plus a reflecting rotor; and the rotors in
use were chosen from a set of several. As the British Typex
illustrates, an extra rotor or two is as good as a plugboard.

Also, the way in which the rotors moved was very irregular.

That made the machine strong enough that the physical awkwardness of a
plugboard could be avoided.

------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Crossposted-To: sci.math
Subject: Re: Why Aren't Virtual Dice Adequate?
Date: 05 Dec 1999 06:34:33 EST

In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Trevor Jackson, III) wrote:

>See previous post.
>
>There is NO possible protection against the Karnak Attack.  From this we
>should conclude that all encryption is insecure?  I think not.

Your previous post got cut off somewhere in the middle.
Could you repost it?


------------------------------

From: [EMAIL PROTECTED] (Guy Macon)
Crossposted-To: sci.math
Subject: Re: Why Aren't Virtual Dice Adequate?
Date: 05 Dec 1999 06:49:51 EST

In article <82cdea$66j$[EMAIL PROTECTED]>, [EMAIL PROTECTED] (r.e.s.) wrote:

>It would be smart of him not to, but the scenario asked about
>earlier in the thread, and the only one I've been discussing
>in this exchange, is one in which he does so (perhaps through
>some trickery by an agent?).

Great. You found a scenario where an OTP plus a really stupid user
allows a forged message.  I can do that too.  The scenario we are
talking about NOW [note] in this thread is now one in which both
sides publish their keys and all plaintext on their web pages.
Shall I conclude that all encryption methods are insecure?  None
of them survive the stupidity I just mentioned.

Note: The topic of a thread is what most of the participants
are talking about.  There exists no topic police to force
everyone into the limited scenario you have chosen as the 
"official" topic.

Let me be blunt.  When you say that an OTP is insecure, you
are dead wrong by the standards of a reasonable person.
A reasonable person would see the identical text problem as
a restriction, not an insecurity.



------------------------------

From: CLSV <[EMAIL PROTECTED]>
Subject: Re: Distribution of intelligence in the crypto field
Date: Sun, 05 Dec 1999 12:06:49 +0000

David A Molnar wrote:
> 
> CLSV <[EMAIL PROTECTED]> wrote:
> > A strange bit of information from the CV of
> > Gian-Carlo Rota:
 
> You would expect the NSA to ask the "father of combinatorics" to
> work on their problems, wouldn't you ?

Yes, I didn't expect it to be advertised, though.
 
> > http://www-math.mit.edu/~rota/cv.txt
 
> > Security Clearances:
 
> > Top Secret  Clearance (Air Force) 1969-1971.
> > Q - Clearance (DOE), 1966-.
> > SI - Clearance (NSA), 1981-.

This changes the question of how much intelligence
people are concerned with crypto into how much cryptographers
(& smart combinatorists :-) are working for intelligence
agencies.

Regards,

        Coen Visser

------------------------------

From: Sander Vesik <[EMAIL PROTECTED]>
Subject: Re: NSA should do a cryptoanalysis of AES
Date: 5 Dec 1999 12:16:56 GMT

Johnny Bravo <[EMAIL PROTECTED]> wrote:

>   This was my point, with all these other easier ways to get your
> information, the NSA would not be willing to risk the destruction of
> the US economy by letting the banking system use a known weak cipher
> just so the can read your email.

Actually, they would. For starters, consider Pearl Harbor. Then note that it
would not be 'destroying US economy' but just inflicting harm to electronic
business worldwide, with the exception that if they see any signs of it being
preached, they have the option of 'confidentially' giving US companies a
head start of several days.

You are also forgetting that 'law enforcement' backdoors in banking software
have been criminally exploited before.

>   Best Wishes,
>     Johnny Bravo


-- 
        Sander

        There is no love, no good, no happiness and no future -
        these are all just illusions.

------------------------------

From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: NSA should do a cryptoanalysis of AES
Date: Sun, 05 Dec 1999 15:00:29 GMT

In article <[EMAIL PROTECTED]>, "Douglas A. Gwyn" <[EMAIL PROTECTED]> wrote:
>"Douglas A. Gwyn" wrote:
>> ...  Similarly for one-on-one compression, which at
>> best foils brute-force key searching, which should not be
>> feasible for any good system anyway.
>
>I should point out that this was specifically addressing the
>"one-on-one" aspect; precompression in general does foil more
>sophisticated cryptanalytic attacks by reducing the statistical
>clues that might otherwise "shine through" the encryption.

    Precompression is meant to foil more sophisticated cryptanalytic
attacks by reducing the statistical clues that might otherwise
"shine through" the encryption. But the fact is most compression
schemes leak so much information that they may be opening up
more weakness than they hid. If you are not using a one-on-one
compressor, you are weakening the overall system.



David A. Scott
--

SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
                    
Scott famous encryption website NOT FOR WIMPS
http://members.xoom.com/ecil/index.htm

Scott rejected paper for the ACM
http://members.xoom.com/ecil/dspaper.htm

Scott famous Compression Page WIMPS allowed
http://members.xoom.com/ecil/compress.htm

**NOTE EMAIL address is for SPAMERS***

------------------------------

From: [EMAIL PROTECTED]
Subject: Re: Use of two separate 40 bit encryption schemes
Date: Sun, 05 Dec 1999 14:45:13 GMT

In article <[EMAIL PROTECTED]>,
  Shawn Willden <[EMAIL PROTECTED]> wrote:
> Eric Lee Green wrote:
>
> > Shawn Willden wrote:
> > > double encryption to 41 bits.  However, if you triple-encrypt your
> > > packets with 40-bit DES before transmitting them, you can get 80-bit
> > > strength (you can use either two or three 40-bit keys, but if you use
> > > two keys, make sure to alternate their usage).
> >
The output of a 40 bit program can be fed back in under a different key
to achieve the 3DES effect.  No program on the computer would be capable
of more than 40 bit encrypt/decrypt but the effective key length can
be 80/120/160/..., cool, eh?

Also, a bit of 'whitening' can add a huge amount of strength against
exhaustive search.  To whiten take two 64 bit keys and XOR one with the
plaintext and then the ciphertext with the other.

ciphertext = K2^DES40(K1^plaintext)

Against exhaustive search, a 40 bit encryption with 64 bit whitening
should yield about 108 bits of key strength.  Whitening does little
against differential/linear cryptanalysis though.  Since DES is more or
less secure against differential/linear analysis, whitening would
probably give you security against everyone but major governments.

--Matthew



------------------------------

From: Boaz Lopez <[EMAIL PROTECTED]>
Subject: Re: DNA based brute-force attacks?
Date: Sun, 05 Dec 1999 07:34:25 -1000

Brian Chase wrote:
> 
> I know there's lots of talk about using quantum computing to break crypto
> problems, but has there been much discussion of using DNA based computing
> to do the same?  There's a 1994 article from _Science_ which discusses
> using DNA to solve the traveling salesman problem.
> 
> An online version of the article is available at:
>   http://www.hks.net/~cactus/doc/science/molecule_comp.html
> 
> Does anyone know of work being done to break crypto using these types of
> techniques?  Or are there fundamental problems with crypto that make them
> unlikely candidates for being solved with DNA computing?
> 
> -brian.
> --
> --- Brian Chase | [EMAIL PROTECTED] | http://world.std.com/~bdc/ -----
> For these reasons, and hundreds of others, I am forced to conclude that a
> virtual frog is not as much fun as an actual frog.  -- K.

http://www.inet-one.com/cypherpunks/dir.98.07.27-98.08.02/msg00017.html

Dr. L. Adleman did some research on DNA crypto. 
See the link above. Adleman is the A in RSA.

------------------------------

From: [EMAIL PROTECTED]
Subject: The leading university of cryptography
Date: Sun, 05 Dec 1999 16:06:45 GMT

Which university, in the US or elsewhere, is in your opinion the best
when it comes to cryptography? I know Alfred Menezes and Doug Stinson
both work for the University of Waterloo, Ontario, Canada. Is the
Massachusetts Institute of Technology (MIT) any good when it comes to
cryptography? In Europe MIT is often mentioned as one of the best
engineering universities.

Thanks a lot!

Martin



------------------------------

From: [EMAIL PROTECTED] (Bodo Moeller)
Subject: Re: Elliptic Curve Public-Key Cryptography
Date: 5 Dec 1999 16:21:02 GMT

DJohn37050 <[EMAIL PROTECTED]>:
> [EMAIL PROTECTED]  (Bodo Moeller):
>> DJohn37050 <[EMAIL PROTECTED]>:

>>> [...]  When e = 3, one knows half the bits of the private exponent.
>>> This does not allow an attack by itself, but could be used to
>>> synchronize a power attack, for example.
>>> [...]  If the private key is encrypted using a symmetric cipher,
>>> this means I give the adversary some known plaintext/ciphertext
>>> pairs, this is undesirable.

>> There is no need to store  d  or to use it for decryption; using the
>> Chinese Remainder Theorem,  all you need is the factors   p, q
>> and  d's  residues modulo  p - 1  and modulo  q - 1.
>> Many implementations keep  d  around with the rationale that it can be
>> computed from the other numbers, anyway; if the known plaintext in the
>> upper part of  d  is considered a problem, then it's an implementation
>> problem, not an inherent problem of small-exponent RSA.

> The point is not that it cannot be addressed or maybe is already inadvertently
> addressed.
> The point is that now you are getting into implementation details with a kicker
> that says if you have d or implement using d, then they may be concerns, but
> almost no one thinks of that.  An adversary attacks a specific system with
> specific quirks.

Your concerns are _only_ about specific implementations; they apply to
such implementations, but not to RSA per se.  Just as well you can
expect to find public parameters in the symmetrically encrypted data,
together with the secret part -- for RSA,  n  and  e;  for DL-based
systems, the group specification (i.e. a prime  p,  or an elliptic
curve), generator, and public element.  Such known plaintext exists in
various fielded systems, and can be avoided.  There's nothing special
about RSA's  d.

------------------------------

From: [EMAIL PROTECTED] (DJohn37050)
Subject: Re: Elliptic Curve Public-Key Cryptography
Date: 05 Dec 1999 16:28:31 GMT

For the DL/EC set of public domain parameters, they only need to be coupled to the
private key value; they do not need to be encrypted.  This can be done
by using a MAC, for example, and symmetrically encrypting the private key, which
appears random.  That is, it is easy to do in a natural straightforward way.

For RSA, there are these other quirky possible concerns.  d and all its
derivatives must be private, but portions may not be secret, which is not
straightforward.
Don Johnson

------------------------------

From: [EMAIL PROTECTED] (Bruce Schneier)
Subject: Re: NSA should do a cryptoanalysis of AES, What Pi has taught us
Date: Sun, 05 Dec 1999 16:33:40 GMT

On Sat, 04 Dec 1999 02:21:10 GMT, albert <[EMAIL PROTECTED]> wrote:
>If we know that the NSA broke an algorithm, it would be in their best
>interest to share that information; because as much resources as they have,
>they cannot beat distributed knowledge.  

Not necessarily.  There are other differences that you have to
consider:

1.  Funding.  The NSA has much more funding than the distributed
academic world.

2. Focus.  The NSA can apply a focus that the distributed academic
world cannot.  "You dozen people.  Go into that room, shut the door,
and don't come out until you've broken RC4.  I don't care if it takes
five years."  That kind of focus will never happen in the distributed
academic world, where people work on what they want to work on, and
the coin of the realm is an academic paper.

These differences, to me, mean that it is more likely for the NSA to
solve difficult, important, problems, and more likely for the
distributed academic world to come up with wacky, cool, interesting
ideas.

Bruce
**********************************************************************
Bruce Schneier, Counterpane Internet Security, Inc.  Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN  55419      Fax: 612-823-1590
           Free crypto newsletter.  See:  http://www.counterpane.com

------------------------------

From: CLSV <[EMAIL PROTECTED]>
Subject: Re: Distribution of intelligence in the crypto field
Date: Sun, 05 Dec 1999 16:40:02 +0000

"Douglas A. Gwyn" wrote:
> 
> David A Molnar wrote:
> > You would expect the NSA to ask the "father of combinatorics" to
> > work on their problems, wouldn't you ?

> Yeah, but he really ought not to be listing his clearances on a
> public forum.  For one thing, it makes him a target for anyone
> who might want to exploit his access to nuclear and other
> sensitive material, terrorists for example.

I don't know if he did it himself. Maybe it was part of
a tribute to him. Somebody is paying attention because the page
is not accessible anymore. Unfortunately they did not only remove
his CV but also the rest of his homepage which could have some
historic value.

From:

http://www.mit.edu:8008/charon.mit.edu/obits/299

Full obituary of Gian-Carlo Rota

CAMBRIDGE, Mass.--Massachusetts Institute of Technology professor
Gian-Carlo Rota, an internationally respected mathematician and philosopher
who was known for his love of teaching, died of heart failure in his home
earlier this week. He was 66. [...]

Regards,

        Coen Visser

------------------------------

From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: The leading university of cryptography
Date: 5 Dec 1999 16:58:11 GMT

[EMAIL PROTECTED] wrote:
> Which university, in the US or elsewhere, is in your opinion the best
> when it comes to cryptography? I know Alfred Menezes and Doug Stinson
> both work for the University of Waterloo, Ontario, Canada. Is the
> Massachusetts Institute of Technology (MIT) any good when it comes to
> cryptography? In Europe MIT is often mentioned as one of the best
> engineering universities.

I'm not sure if you can pick out a single university which is "best" in
cryptography. The reason is that different places seem to have different
"styles" or "approaches" to cryptography. Which you consider "better" 
at some point comes down to what you think is more worthwhile research. 

Both Waterloo and MIT are very strong. MIT has Rivest, Micali, and
Goldwasser as professors, and a large group of scarily smart
graduate students. So yes, MIT is "pretty good" to put it mildly. 
Plus many related fields, such as math and computational complexity
theory, are also very strong. 

You might try looking at a list of cryptographers (David Wagner has one
on his site, so does Kevin McCurley) and picking out those whose work you
admire. Then see where they are located. That will probably tell you more
than I can about which universities are strongest in the kind of crypto
you like. 

-David
(deferring the question of "how do you know what you like?" for now)

------------------------------

From: Joseph Bartlo <[EMAIL PROTECTED]>
Crossposted-To: sci.physics,sci.geo.meteorology
Subject: Re: Quantum Computers and Weather Forecasting
Date: Sun, 05 Dec 1999 11:55:14 -0500

Trevor Jackson, III wrote:

> Apostrophe is spelled that way.

I made no mention of my quality as a speller.

Joseph

------------------------------

From: CLSV <[EMAIL PROTECTED]>
Subject: Re: NSA should do a cryptoanalysis of AES, What Pi has taught us
Date: Sun, 05 Dec 1999 17:08:57 +0000

Bruce Schneier wrote:

> albert <[EMAIL PROTECTED]> wrote:
> >If we know that the NSA broke an algorithm, it would be in their best
> >interest to share that information; because as much resources as they have,
> >they cannot beat distributed knowledge.

> Not necessarily.  There are other differences that you have to
> consider:
 
> 1.  Funding.  The NSA has much more funding than the distributed
> academic world.

What part of the NSA budget would be spent on cryptologic research?
I think most of the multi-billion dollar funding is spent on operational
costs, building and operating satellites. The total funding of researchers
in the "open" crypto field could as well be greater than the money
any single crypto agency spends on crypto research. When you consider the
latest factoring achievement there seem to be enough computational
resources in the open community if you have a convincing idea.
 
> 2. Focus.  The NSA can apply a focus that the distributed academic
> world cannot. [...]

Certainly true. But the responsibilities are different too.

> These differences, to me, mean that it is more likely for the NSA to
> solve difficult, important, problems, and more likely for the
> distributed academic world to come up with wacky, cool, interesting
> ideas.

Now electronic security is becoming more important for the "open"
community (e-commerce, privacy, electronic voting, ...), academic
and commercial researchers have some important items to focus on.
On the other hand, the fast development of the Internet has taken the
government (security) agencies a bit by surprise. So they'll have to
come up with more wacky, cool solutions.

Regards,

        Coen Visser

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
