Cryptography-Digest Digest #432, Volume #12      Sun, 13 Aug 00 17:13:01 EDT

Contents:
  Re: Random Number Generator (Bill Unruh)
  Re: Crypto Related Professional Attitude ("Wesley H. Horton")
  Re: Crypto Related Professional Attitude (Mok-Kong Shen)
  Re: Where should I hide the Key? (Ichinin)
  Re: OTP using BBS generator? (Bryan Olson)
  Re: OTP using BBS generator? (Bryan Olson)
  Re: OTP using BBS generator? (David Hopwood)
  Re: BBS and the lack of proof (David Hopwood)
  Re: Crypto Related Professional Attitude ("Trevor L. Jackson, III")
  Re: BBS and the lack of proof ("Trevor L. Jackson, III")
  Re: Best AES candidates ?? Slow Skipjack might have advantage (John Savard)
  Re: 1-time pad is not secure... (Simon Johnson)
  Crypto T-shirts (Simon Johnson)
  Re: Not really random numbers (Simon Johnson)
  Re: Where should I hide the Key? (Simon Johnson)
  Re: 1-time pad is not secure... (fvw)
  Impossible Differentials of TC5 (tomstd)
  Re: Updated stream cipher (Frank M. Siegert)
  Re: OTP using BBS generator? (Terry Ritter)

----------------------------------------------------------------------------

From: [EMAIL PROTECTED] (Bill Unruh)
Subject: Re: Random Number Generator
Date: 13 Aug 2000 18:16:54 GMT

In <8n0blf$4al$[EMAIL PROTECTED]> [EMAIL PROTECTED] writes:

>Do you think that there is no mapping of  finite sets of  natural
>numbers into set of infinite sets of natural numbers?
>Please evaluate this algorithm and you will believe.

Not with a finite state/memory machine. Your system has only a finite
set of internal states. Once they are used up, it repeats. It may take a
while but it will do so.



------------------------------

From: "Wesley H. Horton" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Crypto Related Professional Attitude
Date: Sun, 13 Aug 2000 13:30:01 -0500

Heck, I would be happy to see Cipher Deavours or Lou Kruh post here.

For some reason, if the internet had been around in the 40's I don't
think we would have seen much from Friedman, Kullback or Sinkov either...

(I should add that Sinkov was kind enough to personally autograph a copy
of his book for me back in the early 80's.  Needless to say, it is a
prized possession!)

Regards,
Wesley Horton


------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Crypto Related Professional Attitude
Date: Sun, 13 Aug 2000 20:52:51 +0200



tomstd wrote:
> 
> This post is for the professionals such as Biham, Rivest,
> Schneier, Wagner, Shamir, Coppersmith, etc...
> 
> Why don't you guys ever participate even a little in sci.crypt?

First of all, the question is like a teacher in a class
asking those that are ABSENT to put up their hands! 

Secondly, you could just as well ask those who are rich why 
they don't frequent restaurants that offer menus at very 
low prices for the poor folk. With the percentage of chaff 
to be found in the stuff being posted, do you think that
it is appetizing enough for them to spend part of their 
precious time to scan through the posts, let alone to
read them in detail and to write follow-ups? 

In order to attract top researchers to our group, we have 
to make the discussion atmosphere interesting to them in
the first place, not only in purely scientific aspects, 
like the selection of themes etc., but (just as, if not
more, important) also in the style of discussions. Not 
very long ago, one not very seldom saw a bunch of
bad words in posts. Since they wouldn't profit from us
(through learning something from us) anyway, but it would
on the contrary be a sort of beneficence for them to help 
us (through answering our questions), do you think it 
would be fun for them to read some of the posts that are 
composed with little or no consideration of politeness, 
a matter that is self-evident in the academic 
discussions to which they are accustomed? Recently, 
someone asked why no (or few) women participate in our 
group. My guess was that the female sex is much more 
sensitive to bad words than the male.

M. K. Shen

------------------------------

From: Ichinin <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: Where should I hide the Key?
Date: Sun, 13 Aug 2000 10:13:43 +0200

bbUFO wrote:
> 
> where is the good place to store the encryption KEY?

I wrote a simple xor cipher program back in 1998. I thought about this,
then decided to go with password-encrypted keys on removable media (A:)

/Ichinin

------------------------------

From: Bryan Olson <[EMAIL PROTECTED]>
Subject: Re: OTP using BBS generator?
Date: Sun, 13 Aug 2000 19:31:43 GMT

Mok-Kong Shen wrote:
> Bryan Olson wrote:

> > The reductions from QR and factoring holds for the
> > unpredictability of the least significant bit (and a few
> > other bits at the low end according to more recent results).
> > All that the open question means is that even if one does
> > filter out short state cycles, one still has not proven a
> > long output cycle.  This is only a problem for those who
> > thought the state-cycle test would prove security for each
> > possible key, and that would be nonsense even if we knew the
> > output cycle to be long.
>
> Exactly. If we KNEW the output cycle of LSB to be long!

And exactly as things are.  We do not know if factoring is
hard in most cases, and a short cycle in the bit output is
one of arbitrarily many defects that might happen (in the
sense that we have not proven it can't) if factoring the
modulus turns out to be easy.

There's no particular reason to obsess over this one
possible defect, though if you think you might learn
something interesting by looking for cycles in the least
significant bit, by all means carry on.


--Bryan
--
email: bolson at certicom dot com



------------------------------

From: Bryan Olson <[EMAIL PROTECTED]>
Subject: Re: OTP using BBS generator?
Date: Sun, 13 Aug 2000 19:38:34 GMT

Terry Ritter wrote:
> Tim Tyler wrote:
>
> >[...]
> >AFAICS, BBS was never supposed to be "absolutely secure" in the
> >first place.  Saying a problem is as hard as factoring does not
> >provide any sort of "absolute security".
>
> The assumption is made that factoring is hard, so in that situation,
> BB&S should be "proven absolutely secure."  Yet it is not.  That is a
> contradiction.  What we actually have is: "proven almost always
> secure."

False.  Factoring is easy in some cases, and has some
non-zero probability of being efficient in any case.
Those are the cases in which BBS may be predictable.

> It is *not* sufficient that the assumptions be true:  Even when the
> assumptions *are* true, BB&S *still* is weak every now and then.

Nope.  When you allow the defect might appear, you allow
that factoring might be easy and have contradicted the
premise.


--Bryan
--
email: bolson at certicom dot com



------------------------------

Date: Mon, 14 Aug 2000 02:59:52 +0100
From: David Hopwood <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: OTP using BBS generator?

=====BEGIN PGP SIGNED MESSAGE=====

"Trevor L. Jackson, III" wrote:
> lcs Mixmaster Remailer wrote:
[...]
> > BBS has all the security of the factoring problem, even when its seeds
> > are not checked for any special properties.  They only have to be randomly
> > chosen.  This is what is proven in BBS and the subsequent literature.
> 
> If I understand this correctly it amounts to a claim that a rational attacker
> will not test for short cycles because the effort expended, when discounted by
> the odds of success, does not get him any closer to cracking the system than
> an equivalent amount of effort invested in a QR search.

Yes.

[...]
> Are all opponents sane?

No, but that doesn't matter - an attacker that uses an inefficient method of
factoring will not have any greater success probability (for a given amount
of work) than one that uses a more efficient method.

- -- 
David Hopwood <[EMAIL PROTECTED]>

Home page & PGP public key: http://www.users.zetnet.co.uk/hopwood/
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5  0F 69 8C D4 FA 66 15 01
Nothing in this message is intended to be legally binding. If I revoke a
public key but refuse to specify why, it is because the private key has been
seized under the Regulation of Investigatory Powers Act; see www.fipr.org/rip


=====BEGIN PGP SIGNATURE=====
Version: 2.6.3i
Charset: noconv

iQEVAwUBOZdSiTkCAxeYt5gVAQE9+QgAzU88NptJnMejmiiATlxT2e4NcMFuod6U
y4Wy2o3gxL5guHCZlCL6t7y51bLdXekHYDKs4exy1Uenu01CLHayyy4XBvNmT6XH
kunIFGxCqe3VZ/A+67cYKH61vtkLl6hp4zcJJJiFV/Gu/mrWywmYK+izWq7cm46Z
XoCe0VIJ3btGRtMj/O6PSdqu58YzIbdTJfZweO6UJ8ik9YXENpZC3KCWjdVZPlGH
4LuDCJ80sQUZJjbUOmKQiCJYAbHw+VS8f2Td/OIP454mat2cZmlMkD0bNAbsiue9
Dr7V9p2d9GDi2XVIZEb//nSKedrJcue8Fv5BmpOFJ7nwa5VcgrxC3A==
=HNf2
=====END PGP SIGNATURE=====



------------------------------

Date: Mon, 14 Aug 2000 03:10:12 +0100
From: David Hopwood <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Subject: Re: BBS and the lack of proof

=====BEGIN PGP SIGNED MESSAGE=====

"Trevor L. Jackson, III" wrote:
> There appears to be a gap here.  I'll try to approach from the other end.
> Please indicate the point at which this sequence goes astray.
> 
> (1) A BBS generator can have a short (traversable) cycle.
> 
> (2) From (1): Given a short cycle, the output is predictable by traversal.
> 
> (3a) From (2): Given predictable output enciphered messages can be deciphered.
> 
> (3b) From (2): Given predictable output a QR solution is easy (as previously
> defined).
> 
> (4) From (3b): short cycle imp-> predictable generator imp-> QR solution
> imp-> QR is not hard.

It is the last implication in this chain that is wrong. Being able to find a
QR solution *with negligible probability* does not imply that QR is not hard
(or more precisely, that the QR assumption does not hold).

- -- 
David Hopwood <[EMAIL PROTECTED]>

Home page & PGP public key: http://www.users.zetnet.co.uk/hopwood/
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5  0F 69 8C D4 FA 66 15 01
Nothing in this message is intended to be legally binding. If I revoke a
public key but refuse to specify why, it is because the private key has been
seized under the Regulation of Investigatory Powers Act; see www.fipr.org/rip


=====BEGIN PGP SIGNATURE=====
Version: 2.6.3i
Charset: noconv

iQEVAwUBOZdU8DkCAxeYt5gVAQE4cgf9EO2TrejJ5FBmBz1tAacPMfDoYFC/nL0V
uXDcrPv75Rfp9G13fuVRXY9Hvyoo2NgEiY00c0Xfxw7mJaw9BN5Z9Abj1dqYeAx0
bOBdKDEabJAOFOggewmxKvtPZsNMWMbL+4XIbHkMrkuZ1eLV7+/E4nuuqBSxPrIT
qAUiZWcG36ouY07z0lE/M7fEi3RG8WLQkiHsNl2NhRf9uy2Vt9PMVkKFEEMmIW0O
iaowSujrVksKwYVfk6z3lOFbGh8Yox+NwXK/DgaxqdvA2efyiHgouDmHC8mVR/ib
hNI6MyL3vR82y2RgjQeHYBgunJlqBYtbVYwqtLyXOLv62LBhp95TAA==
=eMvy
=====END PGP SIGNATURE=====


------------------------------

Date: Sun, 13 Aug 2000 16:01:09 -0400
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: Crypto Related Professional Attitude

Bob Silverman wrote:

> In article <[EMAIL PROTECTED]>,
>   "Trevor L. Jackson, III" <[EMAIL PROTECTED]> wrote:
> > Bob Silverman wrote:
> > >
> > > There is just too much nonsense posted here, too many who don't
> > > want to listen, too many who are convinced they are right even when
> > > presented evidence to the contrary and too many who just want to
> > > be contrary.
> >
> > Right.  The place is populated by humans.  What a waste.
>
> Except that in asking these people to relate their knowledge, you
> are asking to be placed in the role of *student*.  As such, the
> posters would have a right to expect you to act as a *responsible and
> mature* student would.  Too much of what is here is irresponsible
> blather.

Actually Tom StD made the original request.

As for the role played by the participants, my personal position is that of a
student of the subject.  Were I to interact 1:1 with a leading
professional it would almost certainly be in the role of student:teacher.

As for responsibility and maturity, it is not reasonable to expect these
properties from humans.  Since this newsgroup is a (virtual) place of academic
congress the behaviors evidenced here are typical of congresses in general.
Marketplaces (bazaars) are places of economic congress -- the interactions are
not sedate and measured as is typical of responsibility and maturity.
Similarly, legislative congress is notoriously chaotic.  Cf. Twain's
observation re watching the manufacture of laws and sausages.

The judgment "too much" is subjective.  One's personal taste in animated
discussion or vigorous debate may throttle one's participation, but the
blather is inextricably entwined with the valuable contributions.  As has
elsewhere been observed, sci.crypt.research has a very low incidence of
blather and a concomitant low density of valuable contributions.


------------------------------

Date: Sun, 13 Aug 2000 16:27:42 -0400
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Subject: Re: BBS and the lack of proof



Mark Wooding wrote:

> Trevor L. Jackson, III <[EMAIL PROTECTED]> wrote:
>
> > There appears to be a gap here.  I'll try to approach from the other
> > end.  Please indicate the point at which this sequence goes astray.
> >
> > (1) A BBS generator can have a short (traversable) cycle.
>
> I'll buy that.
>
> > (2) From (1): Given a short cycle, the output is predictable by
> > traversal.
>
> Yes.  However, this glosses over the more difficult point of where you
> get the cycle from.  Given your previous numbers, we see that there's a
> 2^{-224} probability of choosing one by accident, and no particularly
> obvious better way.  And certainly a normal user isn't going to be going
> out of his way to use clever algorithms to find short cycles.

Right, but we are discussing this from opposite perspectives.  The verb "find"
crops up again.

The fundamental issue is whether the user should go out of his way to _avoid_
short cycles in order to eliminate the possibility that an attacker might
detect a short cycle that the user chose inadvertently.

>
>
> From the attacker's point of view, waiting for a user to accidentally
> use a short cycle is 2^{224} effort, but at least it doesn't cost much,
> and he can watch telly while he's waiting for a short cycle to turn up.

OK.

>
>
> Note, however, that 2^{224} effort is considerably more than what's
> required to factor 2048-bit numbers (extrapolating wildly from the
> numbers given in Silverman's `A Cost-Based Security Analysis of
> Symmetric and Asymmetric Key Lengths', RSA Security Bulletin 13).  So
> waiting for a short cycle to turn up by the user stumbling over it isn't
> a clever attack, and factoring looks much better.

This is a new claim (to me).  Are you speculating or making a firm claim that
factoring is much easier than searching for a short cycle?  I was under the
impression that the proof only showed cracking BBS was "at least as hard as"
rather than "much worse than" factoring.

N.B., whether it's clever or not, the attacker has a very limited set of
samples in comparison to the suggested incidence of short cycles (which was a
WAG).  Checking for short cycles may be a worthwhile effort for the attacker.
If your claim mentioned above is firm and defensible, then it is reasonable to
conclude that no attacker will waste time checking for short cycles because
they can get better results by investing the effort in factoring.

This appears to be the key issue.

>
>
> The (Vazirani and Vazirani) security warranty only says `as difficult as
> factoring'.  Worrying about things harder than factoring probably isn't
> a good use of braincells.
>
> Now, I don't know whether your numbers are right, but they pass a quick
> plausibility test this early in the morning.

They weren't supposed to have any rigor, just suggestive sizes.

>
>
> > (3a) From (2): Given predictable output enciphered messages can be
> > deciphered.
>
> Yes.
>
> >
> > (3b) From (2): Given predictable output a QR solution is easy (as
> > previously defined).
>
> Yes.
>
> > (4) From (3b): short cycle imp-> predictable generator imp-> QR
> > solution imp-> QR is not hard.
>
> That depends.  We have certainly found the relationship that finding a
> short cycle is no easier than the quadratic residuosity problem, since
> we can solve the latter easily given the former (and, indeed, we can
> factor too).  The big question now is how we interpret that.
>
> I'll start talking about factoring now, rather than QRP.  It doesn't
> make a great deal of difference: the only way we know of solving QRP is
> to factor anyway, and the argument about BBS doesn't change that.
>
> I start with the assumption, because it seems a good one, that factoring
> is hard.  If finding short cycles in a BBS is at least as hard as
> factoring, that's good enough for me.  We've proven a reduction.  Now
> all I need to do is worry about how hard factoring really is.
>
> Maybe cycle-finding is a good way of factoring.  I doubt it; it's
> certainly not where the factoring experts are looking to solve the
> problem.
>
> > In your conclusion you used the opposite sequence, starting with QRP
> > difficulty as an assumption and concluding that predicting the
> > generator is hard.
>
> Yes, indeed.  That's what Blum, Blum and Shub's 1982 paper tells us.

Which generator -- the raw or filtered (no short cycles) one?  I thought the
original paper recommended an extensive set of filters on initial state.

I read the paper several years ago with the conclusion that I was not
competent to judge it.  I do not fear that the paper is wrong, but I do fear
that it can be misinterpreted.  Thus I appreciate the opportunity to
investigate the issues at a speed commensurate with my comprehension.  Thanks
for the patience.

>
>
> > It appears that this conclusion contradicts item (2).  Yet item (2) is
> > a simple deduction from item (1).  So either a BBS generator cannot
> > have short cycles or the deduction from (1) to (2) is flawed.  Which
> > is it?
>
> The assumption in 2 is the problem.
>
> -- [mdw]


------------------------------

From: [EMAIL PROTECTED] (John Savard)
Subject: Re: Best AES candidates ?? Slow Skipjack might have advantage
Date: Sun, 13 Aug 2000 20:37:32 GMT

On Sun, 13 Aug 2000 19:18:34 +0200, Quisquater <[EMAIL PROTECTED]>
wrote, in part:

>Well, a slow key setup is not enough for hindering brute-force search,
>you also need to have the following property: having one (or several)
>complete key setup values is not an advantage to compute faster the key 
>setup values of other (related) keys in software and/or in hardware 
>(think here about the hardware implementation of DES using pipelining for 
>the 16 rounds).

Of course, the way Blowfish works, it does meet that criterion, since
only a very tiny part of the key setup is performed before the entire
key has become involved.

John Savard
http://home.ecn.ab.ca/~jsavard/crypto.htm

------------------------------

Subject: Re: 1-time pad is not secure...
From: Simon Johnson <[EMAIL PROTECTED]>
Date: Sun, 13 Aug 2000 13:30:35 -0700

I always thought 'randomness' can be seen as a limit.....
What I mean by this is that once a system of equations or
algorithm eventually reaches a point at which all known techniques
of analysis fail, the system makes the quantum leap from
being a barely predictable sequence to a random one.

Cryptography sits right on the fence of this limit. The reason
is we have two conflicting factors. One is performance, the
other is cryptographic strength. It's very easy to build a strong
cipher with poor performance; it's equally easy to build a
blazingly fast cipher with poor cryptographic strength.

Saying there isn't 'real' randomness is rubbish. Quantum physics
says there is and I'm not gonna argue with that. At the end of
the day, the security of the OTP is based on trust that the
source is perfectly random. Whether it truly is or isn't is
irrelevant; it's the belief that the cipher-text was enciphered
under the OTP construction that determines its security.

After all, if you can't prove a source isn't random, then it must
therefore be random, and the argument stands.




------------------------------

Subject: Crypto T-shirts
From: Simon Johnson <[EMAIL PROTECTED]>
Date: Sun, 13 Aug 2000 13:36:37 -0700

Does anyone know if an incredibly sad person, like me, could
acquire crypto T-shirts? I'm looking for something like Blowfish,
RC6, Twofish..... Just generally a good T-shirt?

Simon Johnson

======
Yes, I'm as sad as they come.




------------------------------

Subject: Re: Not really random numbers
From: Simon Johnson <[EMAIL PROTECTED]>
Date: Sun, 13 Aug 2000 13:50:31 -0700

How about this:

Pick a large prime, p. Pick another large prime, q. Find two
primitives, one in GF(p) and one in GF(q); call these numbers a
and b respectively. Then iterate the following:

    c = (c*a) mod p
    d = (d*b) mod q

    output stream-byte = (c+d) mod 256

N.B. initial values for c and d are 1.
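The generator above, implemented so that its cycle structure can be measured. This is an added example, not code from Simon Johnson's post. It uses constructed toy primes p = 7 and q = 11 so the whole state space can be walked; the primitive-root search factors p-1 by trial division and is only meant for toy sizes. Because a and b are primitive, c runs through all p-1 non-zero residues and d through all q-1 of them, so the (c, d) state returns to (1, 1) after exactly lcm(p-1, q-1) steps and the output bytes can repeat no later than that. At these sizes c+d is always below 256, so the "mod 256" does nothing; with large primes it folds the sum down to a byte.

```python
from math import gcd


def prime_factors(n):
    """Distinct prime factors of n by trial division (toy sizes only)."""
    factors, d = [], 2
    while d * d <= n:
        if n % d == 0:
            factors.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def is_primitive_root(a, p):
    """a generates GF(p)^* iff a^((p-1)/r) != 1 for every prime r dividing p-1."""
    return all(pow(a, (p - 1) // r, p) != 1 for r in prime_factors(p - 1))


def smallest_primitive_root(p):
    return next(a for a in range(2, p) if is_primitive_root(a, p))


def stream_bytes(p, a, q, b, count):
    """The posted generator: c <- c*a mod p, d <- d*b mod q, emit (c+d) mod 256.
    Initial values c = d = 1, as in the post."""
    c, d, out = 1, 1, []
    for _ in range(count):
        c = (c * a) % p
        d = (d * b) % q
        out.append((c + d) % 256)
    return out


def state_period(p, a, q, b):
    """Steps until the internal state (c, d) is back at (1, 1)."""
    c, d, steps = 1, 1, 0
    while True:
        c = (c * a) % p
        d = (d * b) % q
        steps += 1
        if (c, d) == (1, 1):
            return steps


def sequence_period(seq):
    """Smallest shift t such that the observed window repeats with period t."""
    for t in range(1, len(seq)):
        if all(seq[i] == seq[i + t] for i in range(len(seq) - t)):
            return t
    return len(seq)


def lcm(x, y):
    return x * y // gcd(x, y)


if __name__ == "__main__":
    p, q = 7, 11                                   # constructed toy primes
    a, b = smallest_primitive_root(p), smallest_primitive_root(q)
    print(f"a = {a}, b = {b}")
    print("state period:", state_period(p, a, q, b),
          "= lcm(p-1, q-1) =", lcm(p - 1, q - 1))
    print("output period over 90 bytes:", sequence_period(stream_bytes(p, a, q, b, 90)))
```

The state period is the whole story here: with public p, q, a, b every output byte is a fixed function of the step counter, so the period is the only thing left to measure, and for it to be large p-1 and q-1 must share few factors.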






------------------------------

Subject: Re: Where should I hide the Key?
From: Simon Johnson <[EMAIL PROTECTED]>
Date: Sun, 13 Aug 2000 13:43:30 -0700

If you want to check whether the key supplied by the user is
correct, to decrypt the file.... try a CRC or a SHA-1.
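One way to do the SHA-1 check suggested above, as an added example that is not Simon Johnson's code. It assumes (the post does not say) that the key is derived from a user password, here with PBKDF2 from the standard library, and that a SHA-1 digest of the derived key is stored next to the ciphertext as a check value. The comparison is constant-time. The caveat a practitioner wants: whoever obtains the stored check value can test password guesses offline against it, which is why the derivation is salted and deliberately slow.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; lower it only for tests


def derive_key(password: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Password -> 32-byte key.  Slow on purpose: the stored check value
    below is an offline oracle for password guesses."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def key_check_value(key: bytes) -> bytes:
    """SHA-1 of the key (the post's suggestion), stored beside the ciphertext
    so a wrong password is detected before any decryption is attempted."""
    return hashlib.sha1(key).digest()


def key_matches(key: bytes, stored_check: bytes) -> bool:
    """Constant-time compare so timing does not leak how many bytes matched."""
    return hmac.compare_digest(key_check_value(key), stored_check)


def new_key_record(password: bytes, iterations: int = ITERATIONS):
    """Returns (salt, check_value) to store, and the key to encrypt with."""
    salt = os.urandom(16)
    key = derive_key(password, salt, iterations)
    return salt, key_check_value(key), key


def unlock(password: bytes, salt: bytes, stored_check: bytes,
           iterations: int = ITERATIONS):
    """The key if the password checks out, else None."""
    key = derive_key(password, salt, iterations)
    return key if key_matches(key, stored_check) else None


if __name__ == "__main__":
    salt, check, key = new_key_record(b"correct horse battery staple")
    assert unlock(b"correct horse battery staple", salt, check) == key
    assert unlock(b"wrong password", salt, check) is None
    print("check value:", check.hex())
```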





------------------------------

From: [EMAIL PROTECTED] (fvw)
Subject: Re: 1-time pad is not secure...
Reply-To: [EMAIL PROTECTED]
Date: Sun, 13 Aug 2000 20:51:49 GMT

<[EMAIL PROTECTED]> 
([EMAIL PROTECTED]):
>After all if you can't prove a source isn't random, then it must
>therefore be random, and the argument stands.

I'd like to use this opportunity to scream violently. If you can't prove
a source isn't random, then it is either random, _or (inclusive or) you 
are not capable of proving every random source random_. Let's not forget 
that last one please.

-- 

                        Frank v Waveren
                        [EMAIL PROTECTED]
                        ICQ# 10074100

------------------------------

Subject: Impossible Differentials of TC5
From: tomstd <[EMAIL PROTECTED]>
Date: Sun, 13 Aug 2000 13:47:41 -0700

Ok so the basic input difference is (0, d) and the output
difference cannot be (0, d)?  Am I right here? (talking about
TC5)

In order to send that through a round though the difference
would have to be a valid input difference for the 64-bit feistel
and so on, so we get

(0,0,0,0,0,0,0,0,0,0,0,0,d1,d2,d3,d4)

But then the 64-bit input (0,0,0,0,d1,d2,d3,d4) must allow
d1=d2=0 so that the impossible differential remains in the 32-
bit feistel so now the 128-bit difference is

(0,0,0,0,0,0,0,0,0,0,0,0,0,0,d3,d4)

Then I am not sure about the 16-bit feistel now... but it seems
like we need (d3,d4) -> (D1,D2) with a probability of 1.

Is that hard to do? I am not sure off the top of my head...

please help!

Tom




------------------------------

From: [EMAIL PROTECTED] (Frank M. Siegert)
Subject: Re: Updated stream cipher
Date: Sun, 13 Aug 2000 21:06:45 GMT

On 12 Aug 2000 18:35:24 -0700, [EMAIL PROTECTED]
(David A. Wagner) wrote:
>All that is well and good, except that it turns out that the above
>attack doesn't work.  The key schedule chooses S5keyfield[][].v so that
>it forms a permutation of the 256 elements with a single cycle, and this
>permutation is never altered.  Therefore, you can never enter the short
>cycle, because the condition S5field[x][y].v = (x,y) never holds.

Yes, this is one needed property of the vectors; otherwise the 'walk'
would not extend over all elements. Due to this property, applying the
'swap' mechanism to the vectors (to change the permutation during
generation time) would actually weaken the method, therefore I leave them
unchanged for the whole run.


------------------------------

From: [EMAIL PROTECTED] (Terry Ritter)
Subject: Re: OTP using BBS generator?
Date: Sun, 13 Aug 2000 21:08:16 GMT


On Sun, 13 Aug 2000 19:38:34 GMT, in <8n6tfq$hoi$[EMAIL PROTECTED]>, in
sci.crypt Bryan Olson <[EMAIL PROTECTED]> wrote:

>Terry Ritter wrote:
>[...]
>> It is *not* sufficient that the assumptions be true:  Even when the
>> assumptions *are* true, BB&S *still* is weak every now and then.
>
>Nope.  When you allow the defect might appear, you allow
>that factoring might be easy and have contradicted the
>premise.

And that, of course, is my point precisely, as it has been for some
time:

Since "pretend" BB&S does *not* check for short cycle operation, it
allows the defect to occur.  By not checking, it does not help assure
that the assumption ("factoring is hard") holds, which means that
"pretend" BB&S has the potential weakness of using a short cycle *in*
*addition* to any other weaknesses it may have.  

In contrast, real BB&S *does* check for short cycles, so the defect
cannot occur, and the assumption ("factoring is hard") *is* protected
(for those cases), so no short cycle weakness can exist.  Since I am
unaware of any other specific way in which the mathematical structure
can expose factoring information, closing that hole would seem to be a
desirable goal.  

The difference, while probably not a significant weakness in practice,
is the difference between zero chance and a sweepstakes chance.  But
the practical distinction is between an absolute guarantee of no short
cycle weakness, and the lack of such a guarantee.  Not only do I
prefer the guarantee, I view the absence as a design defect.  Note the
correspondence between this view and the reply above.  

---
Terry Ritter   [EMAIL PROTECTED]   http://www.io.com/~ritter/
Crypto Glossary   http://www.io.com/~ritter/GLOSSARY.HTM
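A toy Blum Blum Shub generator with the short-cycle check that the thread argues over, added here as an example; it is not code from any of the posters. It assumes the textbook construction: distinct primes p, q both congruent to 3 mod 4, n = pq, a seed coprime to n, x_0 = seed^2 mod n, then x_{i+1} = x_i^2 mod n with the least significant bit of each state as output. Since x_0 is a quadratic residue and squaring permutes the residues of such an n, walking the state map returns to x_0 and the step count is the state period, which is what Unruh's finite-state remark guarantees exists and what Ritter's "real BB&S" filters on. The period divides lambda(lambda(n)) (Carmichael's function applied twice); the brute-force Carmichael below confirms that only at toy sizes. The constructed modulus n = 77 has seeds that land on a fixed point (seed 1) and on a 2-cycle (seed 45), which is exactly what the filter rejects; at real sizes the period is derived from the factorization of lambda(n) rather than walked, which this example does not do.

```python
from math import gcd


def carmichael(n):
    """Carmichael's lambda by brute force: least k >= 1 with a^k = 1 (mod n)
    for every unit a.  Toy sizes only."""
    if n <= 2:
        return 1
    units = [a for a in range(1, n) if gcd(a, n) == 1]
    k = 1
    while any(pow(a, k, n) != 1 for a in units):
        k += 1
    return k


def bbs_modulus(p, q):
    """n = p*q with both primes congruent to 3 mod 4 (a Blum integer)."""
    if p % 4 != 3 or q % 4 != 3 or p == q:
        raise ValueError("p and q must be distinct primes congruent to 3 mod 4")
    return p * q


def bbs_state_period(seed, n):
    """Length of the cycle x -> x^2 mod n through x0 = seed^2 mod n.
    x0 is a quadratic residue and squaring permutes the residues of a Blum
    integer, so the walk must come back to x0; the guard catches misuse."""
    if gcd(seed, n) != 1:
        raise ValueError("seed must be coprime to n")
    x0 = (seed * seed) % n
    x, steps = x0, 0
    while True:
        x = (x * x) % n
        steps += 1
        if x == x0:
            return steps
        if steps > n:
            raise RuntimeError("state never returned to x0; is n a Blum integer?")


def bbs_bits(seed, n, count):
    """Least significant bit of each successive state x_1, x_2, ..."""
    x, bits = (seed * seed) % n, []
    for _ in range(count):
        x = (x * x) % n
        bits.append(x & 1)
    return bits


def filtered_seed(n, candidates, min_period):
    """'Real BB&S' style filter: the first candidate whose state cycle is at
    least min_period long, or None if no candidate qualifies."""
    for s in candidates:
        if gcd(s, n) == 1 and bbs_state_period(s, n) >= min_period:
            return s
    return None


if __name__ == "__main__":
    n = bbs_modulus(7, 11)                 # constructed toy Blum integer, n = 77
    bound = carmichael(carmichael(n))      # every state period divides this
    for seed in (1, 45, 3):
        per = bbs_state_period(seed, n)
        print(f"seed {seed:2d}: state period {per}, "
              f"divides lambda(lambda(n)) = {bound}: {bound % per == 0}")
    print("bits from seed 3:", bbs_bits(3, n, 8))
    print("first seed reaching the full period:", filtered_seed(n, range(1, n), bound))
```

The two positions in the thread map onto the last function: "pretend" BB&S hands any coprime seed to bbs_bits, while "real" BB&S runs the candidates through filtered_seed first so that a seed like 45 never gets used.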


------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
