Cryptography-Digest Digest #524, Volume #11 Mon, 10 Apr 00 21:13:01 EDT
Contents:
Re: Encryption in Software... (Paul Koning)
Re: Blowfish constants (Paul Koning)
Re: computer specs, timing and PK Crypto (Mike Rosing)
Re: permutation polynomials (more) (Mike Rosing)
Re: Q: Entropy (Bryan Olson)
Re: GSM A5/1 Encryption (David A. Wagner)
Re: Mersenne RNG, RNG questions (David A. Wagner)
Number 36, Yes, we have no bananas. (wtshaw)
Re: Q: Entropy (Bryan Olson)
Modular functions in Stream Ciphers? ("Simon Johnson")
Re: Q: Inverse of large, sparse boolean matrix, anyone? (zapzing)
Re: Magnetic Remenance on hard drives. (zapzing)
Re: GSM A5/1 Encryption ([EMAIL PROTECTED])
Re: Simple, yet strong algorithm ("Simon Johnson")
Die Hard Test? ("Simon Johnson")
Re: DNA steganography ([EMAIL PROTECTED])
Re: Processing encrypted data (zapzing)
Re: Cost-effective computing? (Paul Rubin)
Re: Q: Petri nets (Darren New)
Re: Mersenne RNG, RNG questions ("Dann Corbit")
Re: Schoof's Algorithm ("Michael Scott")
Simulaneous exchange of secrets ("Patryk Gęborys")
DES (Nean Drake)
Re: OAP-L3: Semester 1 / Class #1 All are invited. (lordcow77)
----------------------------------------------------------------------------
From: Paul Koning <[EMAIL PROTECTED]>
Subject: Re: Encryption in Software...
Date: Mon, 10 Apr 2000 12:12:31 -0400
Kent Briggs wrote:
>
> Simon Johnson wrote:
>
> > Hasn't the export restriction been lifted?
> >
> > Or is that on Two_Fish?
>
> The U.S. export restrictions were loosened considerable in January but
> exported software over 64 bits in strength still requires a blessing
> from the BXA.
Not necessarily. In some cases all that is needed is notification
rather than approval.
Read the regulations for all the fine print. Consider hiring an export
regulations consultant.
paul
------------------------------
From: Paul Koning <[EMAIL PROTECTED]>
Subject: Re: Blowfish constants
Date: Mon, 10 Apr 2000 12:18:12 -0400
Tom St Denis wrote:
>
> Do the constants in blowfish [for the sbox/pbox] have to be pi?
If they were something else it wouldn't be blowfish, it would
be a blowfish variant.
The argument for magic constants like this based on pi or
other well-known numbers is that it's easy to argue that
the number wasn't chosen for the purpose of weakening the
cipher. If you pick a different number, you'd have to
defend your motivation for that particular number, and
if the motivation looks contrived people will get suspicious.
paul
------------------------------
From: Mike Rosing <[EMAIL PROTECTED]>
Subject: Re: computer specs, timing and PK Crypto
Date: Mon, 10 Apr 2000 11:05:56 -0500
Tom St Denis wrote:
> So if you have to pack the required 10ghz computer on the size of a x86
> motherboard [about a foot square]. Your memory would have to be around
> 10 cm^2, the cpu about 15 cm^2 and room to spare for the auxilary chips,
> components. Let's say you only need 2^64 bytes of memory for the attack
> [against 1024 bit rsa, which admitedly is not enough] that's at least
> 2^67 transistors..., each one would have to be about 10^-19 cm^2 in
> size, which is relatively dense.
>
> Again the limititation on size is most likely completely inaccurate, but
> my point about speed vs. size is valid. You can't have a comp that
> takes up an entire room with ram that works at 10ghz for cheap. Which
> of course is the goal.
Optical computing isn't that far away. Smaller is better of course, but
for a specialized machine we can trade off time and space to get better
overall results. 10 GHz would be a slow optical computer, but if it's
the size of a room (say 4x5x3 m) that might be the board level
transition
clock.
> While computers are always getting that much better, I dunno if we will
> get to what we need soon. For example the TB of ram that I was just
> informed of is only 2^40 bytes, that's 16.7 million times too little for
> my simple 2^64 statement. The avg desktop has 64mb of ram now, which is
> only 102.4 times that of 15 years ago.
We've got a plot on the wall we update once a year. Costs have dropped
a
factor of 2 about once a year in $/Mips and #Mips has doubled every 18
months.
For the past 25 years we've been taking the data. Draw a straight line
on
a log graph and you'll be able to guess when a solution/cost point
happens.
Won't be cheap soon, but it will be eventually. It's pretty awesum
really.
Patience, persistence, truth,
Dr. mike
------------------------------
From: Mike Rosing <[EMAIL PROTECTED]>
Subject: Re: permutation polynomials (more)
Date: Mon, 10 Apr 2000 11:16:41 -0500
Tom St Denis wrote:
>
> Is it possible to have a permutation polynomial P(x) actually form a
> complete cycle? For example
>
> a = P(0)
> for i = 1 to 255 do
> a = P(a)
>
> And end up at (a = 0) at the end? [this is of course in Z(256)].
In principle yes, all you need is a primitive polynomial.
The higher the degree of the polynomial, the more non-linear it is.
I suppose you also want to pick it so you don't have any roots that
are integers in the range of your input, but that's not clearly
necessary. Looks like you're having fun in any case :-)
Patience, persistence, truth,
Dr. mike
------------------------------
From: Bryan Olson <[EMAIL PROTECTED]>
Subject: Re: Q: Entropy
Date: Mon, 10 Apr 2000 17:33:45 GMT
Mok-Kong Shen wrote:
>
> Many thanks. You are absolutely right. In fact we have in the
> past discussions already made it clear that Shannon entropy is a
> value for the source not for any particular given message.
The summation formula is the entropy of the source, but
the entropy of a specific message is also well-defined.
> Thus
> the value 0.391+0.115 computed by Bryan Olson is the entropy
> of the channel from Bob to Alice and has sense as such. It is
> however not appropriate to say that any message from Bob saying
> a card is an ace has 0.391 bit of entropy.
Right. That's the point I was making. I was following-up a
post that had stated,
| A "message" in that context is a total potential communication, the
| set of all possibilities for that message, not any individual concrete
| message.
While that post is correct that what /Applied Cryptography/
defines is the entropy of a variable ranging over "all
possibilities", my follow-up argued that the entropy of an
individual concrete message is also well-defined and useful.
In my example, the entropy of the message space is 0.391
bits. The two possible message texts carry 0.115 bits and
3.70 bits of information repectively.
> Am I right? If yes,
> then I suppose his 'paradox' given in a previous post is incorrect.
I gave no 'paradox'.
> (Note in particular that he employed 'entropy of message' several
> times.)
When referring to the set of messages with their
probabilities, I used "message space", not just "message".
--Bryan
--
email: bolson at certicom dot com
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: GSM A5/1 Encryption
Date: 10 Apr 2000 10:02:51 -0700
You're right, GSM is a poor choice for sending high-bandwidth messages.
For reference, GSM uses frames that are 200 and some odd bits long.
Prepending and appending (say) 16 random bits would increase the frame
length by something like 15% (and decrease the overall bandwidth by
a similar fraction). This is a huge number for such a small benefit.
The GSM designers would scream, and rightly so.
Sure, it might not be so costly in other systems (not GSM). If you
weren't talking about GSM, next time you might do better at avoiding
confusion by saying so. (After all, the subject line on your note reads
"Re: GSM A5/1 Encryption".) Just a suggestion...
------------------------------
From: [EMAIL PROTECTED] (David A. Wagner)
Subject: Re: Mersenne RNG, RNG questions
Date: 10 Apr 2000 10:05:50 -0700
In article <[EMAIL PROTECTED]>,
James Thye <[EMAIL PROTECTED]> wrote:
> [...] claim a period of 2^19937 - 1, which is incredible.
It's not incredible. It's a trivial and routine exercise to
construct a RNG with periods like this (e.g., use a long LFSR).
Unfortunately, large period tells us very little about
cryptographic strength, and the latter is what really matters
(on sci.crypt).
------------------------------
From: [EMAIL PROTECTED] (wtshaw)
Subject: Number 36, Yes, we have no bananas.
Date: Mon, 10 Apr 2000 11:19:16 -0600
I promised something tropical, but no banana (used to be no cigar). The
algorith mis Banas, which works with bases 77/26/78. Base 78 is
interesting since it allows 3 sets of 26, ciphertext characters <a> to
<z>, (a) to (z), and [a] to [z]. From the card set algorithms, you might
think diamonds, hearts, and spades, but for drawing diamonds, circles and
squares are ok. Lower case looks better than upper case.
Like in Peace, in Banas I both substitute and tranpose in the intermedate
base. Although the minimum block size would be four base 26 characters, I
implemented starting with 8 characters, in steps of 4, to a maximum size
of 24 letters, Banas 8 to Banas 24.
I did not substitute all of base 78, so I did it for 26 ciphertext
categrories, like <a>, (a), and [a], as "a" could be substituted to
another letter. I'll use these two sentences to make keys, and encrypt
the same with them.
The digits are cut in this 77 character plaintext set, so better spell the
digits. Another way was used in Tonk, where upper cases for 26 letters
were gone, and there were several equavalents for a space to get to 77
characters.
I did not substite all of base seven eight, so I did it for two six
ciphertext categrories, like <a>, (a), and [a], as "a" could be
substituted to another letter. I'll use these two sentences to make keys,
and encrypt the same with them.
Sub1(Bn): kelfpqwszctxm yganorjdbuhvi
Sub2(Bn): xdneighusojbk clvfprwyqtmza
Trans(Bn): febagchd
(t)<u>[b]<s>[y] (s)<x>(s)[s](y) (n)[z]<a>(a)(c) (r)[y](o)[q](w)
(y)[r]<r>(y)<f> [p][d]<w><q>[k] <s>(v)(i)<x>[w] [b]<c>[r](x)[r]
<m><y><v><x><c> <c><p>[g](g)[z] <a>[r]<t><p><i> <n><e>[x][o]<v>
[y]<p>(z)[k](n) [z][u]<s><u>(c) [y](r)<v>[l]<u> (w)<m><g><i>(c)
[p][r]<w>[z](v) <i><o><w>(y)(i) [u]<i><s><c><y> (p)[f](a)[z][r]
<y><l><b>(d)<z> (d)<q>[u][f](a) (x)[r]<y><k>(x) [t]<g>[x][y][w]
(s)(v)(i)<p>(c) (p)(d)(i)<a>(t) <b><s><k>[x]<b> (q)<n>(j)(d)[p]
(m)[u](x)(v)<x> (j)(l)(y)(e)<r> (c)(f)<i><r><w> [t][b]<q>(v)[t]
(o)(n)(h)(p)[m] <p>[h][e][w](p) [m](r)<v>(e)[y] <p>(n)[k](n)[z]
<n>[w]<k>(y)(x) (l)[t]<p>(u)[j] [p][v](v)<j>[l] <j><b>(x)(v)<a>
(w)<t>(y)<k>(w) <w><s>[u](x)(l) <z>(p)(m)<t>(y) <c>(d)(d)<x>(t)
<c><e><h>[g]<n> <x>[w][u][w](q) [z](r)<o>[x]
Pardon me if I don't post ciphertext for the rest of several algorithms
that generate the same type of output. However, I like the effect, so I
will dwell in this clearing in the forest for a while, and pick a few
similar algorithms to make live.
--
Doubt until you have poof, then doubt frequently. Descartes
%/^): [|]"! ?=)@~ ;)[]* :@\@} *#~}> ,=+)! .($`\
------------------------------
From: Bryan Olson <[EMAIL PROTECTED]>
Subject: Re: Q: Entropy
Date: Mon, 10 Apr 2000 17:50:10 GMT
Xcott Craver wrote:
> I don't think it was intended to sound paradoxical.
[...]
Right. You seem to have explained it better than
I did.
When will I learn not to use rhetorical questions on
usenet?
--Bryan
--
email: bolson at certicom dot com
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: "Simon Johnson" <[EMAIL PROTECTED]>
Subject: Modular functions in Stream Ciphers?
Date: Mon, 10 Apr 2000 19:03:05 -0700
Is the the period of a stream cipher dependent on the range of the finite
field?
e.g. y= x mod (2^32) will produce a repeating sequence after a maximum
of(2^32)-1 outputs?
Thanxs,
S. Johnson
------------------------------
From: zapzing <[EMAIL PROTECTED]>
Subject: Re: Q: Inverse of large, sparse boolean matrix, anyone?
Date: Mon, 10 Apr 2000 17:56:21 GMT
In article <[EMAIL PROTECTED]>,
Gadi Guy <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> I've been looking around for this algorithm for a long
> while, can't find it in any books, journals or articles.
>
> I need to create a large (N = O(10000)) boolean matrix which
> has a small number (n = O(3)) of ones in each row, and its
> inverse.
>
> Real methods (such as Gauss elimination) don't work.
>
> Can anybody supply a good algorithm for this?
>
The inverse of such a matrix will generally not
be sparse. Unless the matrix is singular,
gaussian elimination *will* work to find the
inverse. You have to use sufficiently accurate
floating point math and/or some more sophisticated
pivoting techniques. Try pivoting for accuracy.
(That means, when you elimiate a variable, try
finding a variable to eliminate that leads to
the least uncertainty in the values of the
other coefficients).
You could also use some iterative techniques
to refine your initial solution. Consult any
reference on "Linear Algebra".
I would be intrigued to know how this
application is to be used for cryptography?
--
Do as thou thinkest best.
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: zapzing <[EMAIL PROTECTED]>
Subject: Re: Magnetic Remenance on hard drives.
Date: Mon, 10 Apr 2000 18:09:38 GMT
In article <8cnj0g$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (Guy Macon) wrote:
> In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
(jungle) wrote:
>
> >any names & links of shops that will accept & recover data
> >multi pass wiped by pgp software ?
>
> Absence of evidence is not evidence of absence.
>
> It could very well be that such techniques exist and are classified.
> The fact that the US military does not approve a multi pass wipe by
> pgp software as being sufficient is indirect evidence (but not proof)
> of this theory.
>
That's exactly what they want you to think.
--
Do as thou thinkest best.
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: GSM A5/1 Encryption
Date: Mon, 10 Apr 2000 18:09:34 GMT
In article <8cqfd8$l8b$[EMAIL PROTECTED]>,
[EMAIL PROTECTED] (David A. Wagner) wrote:
> In article <8co9rg$[EMAIL PROTECTED]>,
> Guy Macon <[EMAIL PROTECTED]> wrote:
> > [EMAIL PROTECTED] (David A. Wagner) wrote:
> > >With a (modern) strong cipher, there's no need to avoid it,
> > >because (modern) strong ciphers are supposed to remain unbreakable
> > >even if the adversary has some known plaintext.
> >
> > I disagree based on philosophy. One should do both.
>
> One is cheap and easy and does not require you to change the rest
> of the system. (using a strong cipher)
> Typically, the other is expensive [*] and tricky and require extensive
> changes to the entire rest of the system. (avoiding known plaintext)
> Doing both is usually unnecessary and extraneous.
>
Just some thoughts of the top of my head...wonder if it is that tricky..
You measure the S/N of a frame, if its below a certain threshold
You discard it as a Silent frame...i.e. dont encrypt it at all
Or you stuff it with random nos and encrypt it...
The reverse process at the other end....
Whats wrong with that...
I would like your opinion as to what you think is a suitable ( "strong")
stream cipher for something like a GSM crypto system. As I said in my
previous post, one Euro company has developed a strong GSM crypto
phone..but they are using a block cipher for some strange
reason ( the only reason I can think of is that they are
using a crypto core which has an embeded symmetric algo)...interested in
your comments....
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: "Simon Johnson" <[EMAIL PROTECTED]>
Subject: Re: Simple, yet strong algorithm
Date: Mon, 10 Apr 2000 19:18:03 -0700
I have strugled with VB, but u can create a weaken TEA.
If you change the magic delta constant to something low like '127' and take
out the shifts ( I have no idea how much this weakens it ), you can create a
64-bit key version of TEA.
This function takes 16-bit inputs (algorithm supplied to create these).
Encryption routine:
Function Fe (v0,v1,k0,k1,k2,k3)
for i = 1 to 32
v0 = (v0 + ((v1 + k0) xor ((127*i) + v1) xor (v1+k1))) mod (2^16)
v1 = (v1 + ((v0 + k2) xor ((127*i) + v0) xor (v0 + k3))) mod (2^16)
next i
End Function
'Decrypt Function'
Function Fd (v0,v1,k0,k1,k2,k3)
For i = 32 to 1 step -1
v1 = (v1 + ((v0 + k2) xor ((127*i) + v0) xor (v0+k3))) mod (2^16)
v1 = v1 + (2^16) mod (2^16) 'mod function produces negatives, this
counters that.
v0 = (v0 + ((v1 + k0) xor ((127*i) + v1) xor (v1+k1))) mod (2^16)
v0 = v0 + (2^16) mod (2^16)
Next i
End Function
'Take string of x-length and turn convert to number (if text is base256)
Function B10(num)
c=1
for i = len(num) to 1 step -1
B10 = B10 + (asc(mid(num,i,1))*c)
next i
End Function
'Take number and convert to base256
Function B256(num)
a=num
Do while a>0
base256 = chr( a mod 256) & base256
a = a \ 256 'divide and truncate.
Loop
End Function
Use two characters at a time to generate a 16-bit digit.... I'll leave the
rest to u :)
------------------------------
From: "Simon Johnson" <[EMAIL PROTECTED]>
Subject: Die Hard Test?
Date: Mon, 10 Apr 2000 19:26:50 -0700
What is this test. And where can i get it from.
I presume its for testing the quality of pesudo random streams?
How does it work?
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: DNA steganography
Date: Mon, 10 Apr 2000 18:17:04 GMT
In article <SNeI4.3228$[EMAIL PROTECTED]>,
"Stou Sandalski" <tangui [EMAIL PROTECTED]> wrote:
> Where are you going to put the dna? if you try to "implement" it
inside an
> organism, the thing might not survive or if its allready living might
> develop cancer or some other types of genetic disorders because
introns
> don't code for amino acids, but they are not useless they serve some
kind of
> purpose. Introns control gene activity and probably do other stuff
they
> haven't discovered. In the fruit fly for example the difference
between male
> and female is (mostly) based on what is treated as an intron and what
an
> exon.
>
DNA-based computing & cryptosystems are not implemented inside
organisms- you might want to search the internet for info on these
subjects. Info is encoded in the DNA & maybe introns could help with
this, be encoded themselves, or serve some other function.
I'd bet the writers of the "X files" episode got the idea or the
inspiration for the idea from someone who knows IT or biology. (I might
try to track down the source.) I wonder how much or how often technology
has appeared in sci-fi before appearing in reality. (In one of the "Star
Trek TNG" episodes, the android Data used a [bogus] fractal-based
cryptosystem.)
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: zapzing <[EMAIL PROTECTED]>
Subject: Re: Processing encrypted data
Date: Mon, 10 Apr 2000 18:41:13 GMT
In article <8ckm0h$nhn$[EMAIL PROTECTED]>,
David A Molnar <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] wrote:
>
> > What are the homomorphic encryption schemes that you know?
>
> Straight RSA is mulitplicatively homomorphic, but you don't want to
use
> it due to various other problems. You want at least a semantically
secure
> homomorphic encryption scheme.
>
> Yevgeniy Dodis has pointed out these semantically secure encryption
> schemes :
>
> * the semantically secure variant of Elgamal
>
> * Goldwasser and Micali's quadratic residue scheme
>
> * Josh Benaloh's homomorphic encryption scheme
>
> A paper by Naccache and Stern from the 1998 ACM CCS also describes
> a semantically secure public key cryptosystem, and mentions some
> previous work. It is found at :
> http://www.gemplus.fr/smart/r_d/publications/crypto12.htm
>
> I seem to recall that there is also a scheme of this type due to
> Pascal Pailler, but I can't find a reference at the moment.
>
> > It's possible to make also LOGIC operations on encrypted data (like
> > AND,OR,NOT)?.
>
> I see no reason why not. On the other hand, I don't know of any scheme
> which does this off the top of my head.
>
If this is true then it might be jsut what I
Have been looking for all my life (well, for a
long time at least). Could this sort of scheme
be used to, say, write an encrytpion program
such that the encrypting machine itself has
no idea what it is encrypting? I am thinking
that the message could be encrypted in the
homomorphic encryption scheme, and then it
could be ported to another computer that
would reencrypt it with another scheme, using
homomorphic operations. Has this ever been done?
--
Do as thou thinkest best.
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: [EMAIL PROTECTED] (Paul Rubin)
Subject: Re: Cost-effective computing?
Date: 10 Apr 2000 18:50:11 GMT
In article <[EMAIL PROTECTED]>, Jim Gillogly <[EMAIL PROTECTED]> wrote:
>"Cheap" for me doesn't extend to $10M+. Let's say $5K-100K. I'll do a Web
>search on PVM, unless you have a good starting URL handy.
>
>> So, what's your locality?
>
>I'd been thinking loosely coupled, but for something like a massive matrix
>reduction at the end of a factoring exercise perhaps I'll need the tighter
>version. I understand one of the top factorers is working on a variant that
>can be done on workstations, though, so perhaps that's no longer going to be
>a major constraint.
$5k and $100k are a lot different from each other. For $5k you
can't afford much custom development of anything, so all you can
do is buy some PC's and network them together if needed. For $100k
you have a lot more options; you could even build something like
Deep Crack, maybe minus the custom VLSI.
If you're specifically interested in factoring, from what I've heard
(I'm no expert), the bottleneck in sieving is memory latency rather
than raw MIPS. So you might be better off with a bunch of single
board computers with (say) StrongARM processors and fast SRAM, than
workstations with DRAM that are nominally faster.
Other types of problems (double-DES meet-in-the-middle attack;
some approaches to integer discrete logs) are memory intensive, and
still others (RC5-64) need just plain cpu cycles.
So I don't think there's a single answer to your question. It
very much depends on what types of problems you want to attack.
Even at fairly close to your cost levels, the best solution for
single-DES turned out to involve fully custom VLSI (Deep Crack).
For Sussman and Wisdom's problem of showing Pluto's orbit is chaotic
(that involved numerically integrating something like a billion
years of simulated solar system dynamics) using mid-90's technology,
they built some single board computers around Weitek floating point
coprocessors IIRC, and ran the calculation for something like a year.
The equivalent MIPS in workstations of the era would have cost much
more than they could afford to tie up for that long.
Anyway it's probably worth reading their papers about their hardware
approaches to the problem.
------------------------------
From: Darren New <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Q: Petri nets
Date: Mon, 10 Apr 2000 18:51:23 GMT
Mok-Kong Shen wrote:
> Thanks. As said, I am yet surprised that Petri nets don't even get
> mentioned in the textbooks on automata.
That seems odd too. I think they're much more popular in european academia
than US academia. At least, I never heard about them except from exchange
professors. Networking books are more likely to have it than theory books, I
would think.
--
Darren New / Senior MTS / Invisible Worlds Inc.
San Diego, CA, USA (PST). Cryptokeys on demand.
Everybody is unique:
that's why we all have different numbers.
------------------------------
From: "Dann Corbit" <[EMAIL PROTECTED]>
Subject: Re: Mersenne RNG, RNG questions
Date: Mon, 10 Apr 2000 12:07:38 -0700
"Tim Tyler" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> James Thye <[EMAIL PROTECTED]> wrote:
>
> : Put quickly: Does anyone have any opinions of Mersenne Twister PRNG?
>
> : I've been looking for a repeatable PRNG (same sequence of PRNGs can be
> : generated given the same starting seeds). I've recently ran across the
> : Mersenne Twister PRNG (no I'm not affliated with them in any way). It
> : claim a period of 2^19937 - 1, which is incredible. [...]
>
> I believe Sean Luke (see http://www.cs.umd.edu/users/seanl/gp/) recently
> mentioned that use of the MT was contraindicated for stream cypher
> applications. I /presume/ this means that it does not adequately
> resist active attack.
>
> : Second question: Can a questionable PRNG be improved by XORing its
> : output with a cryptographic based PRNG, or would the new period be the
> : Greatest Common Multiple of their respective periods?
>
> The new period is not guaranteed to exceed the *least* common multiple
> (http://hissa.nist.gov/dads/HTML/lestcmmnmltp.html).
>
> This doesn't mean that XORing two near random streams together doesn't
> normally produce an output which is closer to randomness than either
> alone, though.
>
> I wonder what can be done to encourage questions like this to appear in
> sci.crypt.random-numbers... ;-)
The Mersenne Twister postscript papers that describe the algorithm
*specifically* say that it is not cryptographically secure to someone who
knows the algorithm.
In order for people to post in sci.crypt.random-numbers, the ISP's will have
to start carrying that group. My ISP has nearly 50K newsgroups and that one
is not among them.
--
C-FAQ: http://www.eskimo.com/~scs/C-faq/top.html
"The C-FAQ Book" ISBN 0-201-84519-9
C.A.P. Newsgroup http://www.dejanews.com/~c_a_p
C.A.P. FAQ: ftp://38.168.214.175/pub/Chess%20Analysis%20Project%20FAQ.htm
------------------------------
From: "Michael Scott" <[EMAIL PROTECTED]>
Subject: Re: Schoof's Algorithm
Date: Mon, 10 Apr 2000 20:17:44 +0100
"Mike Rosing" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> It's not the access to code, it's the comprehension of the math. For
> those of us without a Phd in math, it's pretty thick going. As an
> example,
> figuring out the coefficients of the j-invariant q expansion is
> non-trivial
I found Volker Mueller's papers very useful as a starting point - see
www.informatik.th-darmstadt.de/TI/Mitarbeiter/vmueller.html
Also his thesis is very good and easy to follow - if you read German. I
don't, but was still able to get a lot out of it.
Mike Scott
> and even having a clue as to how far the expansion needs to be carried
> is
> not really described anywhere. For 256 and 512 bit calculations, what's
> a reasonable degree of q for j(tau)?
>
> Patience, persistence, truth,
> Dr. mike
------------------------------
From: "Patryk Gęborys" <[EMAIL PROTECTED]>
Subject: Simulaneous exchange of secrets
Date: Mon, 10 Apr 2000 21:21:26 +0200
Hi,
I'm looking for any papers about protocols for simultaneous exchange of
secrets. I've found a paragraph in Schneier's book ("Applied crypto"),but I
need more details.
Any suggestions will be appreciates.
Thanks,
Patryk
------------------------------
Subject: DES
From: [EMAIL PROTECTED] (Nean Drake)
Date: Mon, 10 Apr 2000 19:43:35 GMT
Recently, an online friend gave me an encrypted password of root access to
his school. He asked if I could help crack it. Well, I don't know much
about cryptography, so I read some faq's (some parts were comfusing to me).
I read the one that always starts out like: "This is part one of a ten part
FAQ..."
Well, it helped me understand about cryptography a bit, but not much in
decoding (NOTE: I'm not stupid, I'm not trying to crack it in my head), so
I read another file which explained shortly about shadowing the password
and the different parts of the encrypted (cyphertext?) password. This also
helped.
This friend of mine told me it's encrypted in DES-10. I've heard nothing
about that encryption (only DES). Does it mean encrypted in DES 10 tims
over? (I forget the technical term)
So this message comes down to this:
Can anyone be kind enough to tell or give me any more files on cryptography
that mayt help me more? I've really gotten interested in this
Cryptography/Hacking hobby since I got involved.
Thanks in advance...
--
××××××××××××××××××××
Nean
[EMAIL PROTECTED]
××××××××××××××××××××
------------------------------
Subject: Re: OAP-L3: Semester 1 / Class #1 All are invited.
From: lordcow77 <[EMAIL PROTECTED]>
Date: Mon, 10 Apr 2000 12:42:50 -0700
In article <[EMAIL PROTECTED]>, DMc
<[EMAIL PROTECTED]> wrote:
> Lordcow77 says "the nth iterate of a LCG can be calculated
based
>solely on the seed value to the generator." I gave A.S.S. a
seed value
>of 1 (one). So I invite lordcow77, or anyone else, to "modular
>exponentiate" this particular seed value "solely" and arrive at
any
>sort of sensible result.
Really, if you're going to troll, please do a less obvious job.
It is evident from context that one should know the parameters
of the LCG (although with enough output, one can easily derive
those as well).
>
> I passed this formula by a long time ago. It is one of those
things
>that is good theory, but of little practical use. It can only be
>calculated with a severely limited set of "k" values.
>
> For instance, the original problem I gave A.S.S requires
calculating
>16 807 ^ 1 073 741 824. That calculation result is way beyond
the
>limits of an "infinite" digits program I have. I leave myself
The result of a modular exponentiation can be calculated easily
using a square and multiply method, reducing at each stage.
* Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
