Cryptography-Digest Digest #441, Volume #12      Mon, 14 Aug 00 18:13:00 EDT

Contents:
  Re: What is up with Intel? (lcs Mixmaster Remailer)
  Re: Is this Diffie-Hellman modification safe? (tomstd)
  Re: Is this Diffie-Hellman modification safe? ("George Harth")
  Re: OTP using BBS generator? (Mok-Kong Shen)
  Re: OTP using BBS generator? (Mok-Kong Shen)
  Re: Crypto Related Professional Attitude (Mok-Kong Shen)
  Re: Crypto Related Professional Attitude (Mok-Kong Shen)
  Re: Crypto Related Professional Attitude (Mok-Kong Shen)
  Re: Proposal of drafting rules of conduct of posting (JPeschel)
  Re: Is this Diffie-Hellman modification safe? ("George Harth")
  Re: WinACE encryption algorithm (tomstd)
  Re: Just Curious. Are girls/women interested ("Paul Pires")
  Diehard Troll detector. ("Paul Pires")
  Re: Proposal of drafting rules of conduct of posting (tomstd)
  Re: Diehard Troll detector. ("Paul Pires")
  Re: chap authentication scheme? (Thomas Wu)
  Bitwise mechanical cipher (Benjamin Goldberg)
  Re: OTP using BBS generator? (Benjamin Goldberg)
  Re: Proposal of drafting rules of conduct of posting ("Paul Pires")
  Re: What is up with Intel? (Roger Schlafly)
  Re: OTP using BBS generator? (Benjamin Goldberg)

----------------------------------------------------------------------------

Date: 14 Aug 2000 19:00:36 -0000
From: lcs Mixmaster Remailer <[EMAIL PROTECTED]>
Subject: Re: What is up with Intel?

Roger Schlafly wrote:
> lcs Mixmaster Remailer wrote:
> > A careful reading of the document reveals that Intel's version of the
> > bias remover uses three bits of state, rather than the two bit version
> > attributed to von Neumann.  It is a genuine improvement.
>
> How is it better? IMO, Intel should have omitted the bias
> rejecter. It makes the chip unpredictable. It is easy to
> do a much better job of removing bias in software. I'd rather
> have the raw bits.

Actually many people prefer that their random numbers be unpredictable.
Chacun a son gout, I suppose...

As for how it is better, specifically it produces more efficient output,
with a smaller percentage of rejected bits, preserving more of the
entropy in the input.

With the bias remover, the chip produces very good quality random
numbers that pass standard statistical tests, as described in
http://www.cryptography.com/intelRNG.pdf.  (We'll ignore the paranoids
who claim that the results are faked...)  These results will be good
enough to be used directly in some applications.

Without the bias remover the chip would pass almost no tests.
A superficial reading would suggest that the RNG was crap since it
fails everything.  Sophisticated reviewers would know to look deeper,
but it could still hurt the chip's acceptance if it got a reputation
for producing bits that fail elementary randomness tests.  So to some
extent this can be seen as a marketing requirement.

------------------------------

Subject: Re: Is this Diffie-Hellman modification safe?
From: tomstd <[EMAIL PROTECTED]>
Date: Mon, 14 Aug 2000 12:03:36 -0700

"George Harth" <[EMAIL PROTECTED]> wrote:
>Hi Tom,
>
>> >1. Alice sends Bob her username and requests a connection. No
>> >password is sent at this stage.
>>
>> First weakness, the attacker now knows who is logging in to
>> the computer.
>
>I see your point, but does this really matter if you know who
>uses the system anyway?

Well let's consider I am connecting to mybank.com and I want to
do some work, I don't want nosy people to know that I am on,
except maybe my ISP...

It's ideal that in a private system you remain anonymous.

>> >2. Bob computes and sends Alice X, where:
>> >    X = (power(g, x) mod n) xor h
>> >
>> >3. Alice computes and sends Bob Y, where:
>> >    Y = (power(g, y) mod n) xor h
>>
>> I assume the password is known only by the server and the
>> client?  Then why even use pk crypto?
>
>Yes.  The password is stored in a file on the server side, and
>entered at runtime by the user of the client.  No passwords or keys
>are stored on the client device (handhelds easily lost or stolen).

Still same idea.

>> >4. Bob computes and uses Z1 as his Blowfish key:
>> >    Z1 = (power((Y xor h, x) mod n)
>>
>> You should really hash the bignum instead of truncating it.
>
>I'm sorry.  I don't completely follow.  The mod operation is part of
>the original Diffie-Hellman algorithm.  Is that the operation you
>are referring to?

When you use the number as your symmetric key make sure you hash
it first.

>> You make it harder then it needs to be.  If the server and
>> client have a shared secret password simply do this
>>
>> 1.  Make up a 128-bit string R
>> 2.  Use K = hash(R || h) as your shared symmetric key.
>> 3.  Transmit R to the server (or to the client as the case may
>> be).
>>
>> This requires no pk math and is considerably simpler.
>
>It certainly is simpler, but how does the server know which user is
>attempting to logon without checking all user passwords until it
>finds a match (assuming I don't send the username as you suggested I
>shouldn't do above)?  Every user has a different password and it is
>important for the server to know whom it is speaking with.

The client can send hash(username || R) as well but as you
pointed out the server will have to find who that is.... it
depends if this is important or not.  You could in some systems
send the username in the clear without any them there problems.

Tom


===========================================================

Got questions?  Get answers over the phone at Keen.com.
Up to 100 minutes free!
http://www.keen.com


------------------------------

From: "George Harth" <[EMAIL PROTECTED]>
Subject: Re: Is this Diffie-Hellman modification safe?
Date: Mon, 14 Aug 2000 18:55:21 GMT

Thanks John.  I'll give them a look.

BTW, the Stanford URL isn't working for me.  I'll try it again later?

Cheers... George


"John Myre" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> George Harth wrote:
> >
> <snip protocol description>
>
> Are you familiar with SRP, and other "strong password
> authentication" methods?  It's awfully tricky to design
> your own protocol.  For instance, I recall in the SRP
> paper where they do something like what you suggest in
> xoring the hashed password.  However, they chose to
> add (modulo the DH prime) instead of xoring, because the
> latter is not as secure.
>
> The really good protocols aren't any more complex
> than your setup, either.
>
> http://srp.stanford.edu/srp/
> http://www.IntegritySciences.com/
>
> JM



------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: OTP using BBS generator?
Date: Mon, 14 Aug 2000 21:40:38 +0200



"Tony T. Warnock" wrote:
> 
> "Trevor L. Jackson, III" wrote:
> 
> > If so, it is similar to the reasons why one need not check for long stretches
> > of zeros in an OTP key.  The odds of a significant fraction of the pad being
> > zero are so long that a sane attacker will not even inspect the ciphertext.
> > Of course an attacker who does notice a long stretch of intelligible cipher
> > text could argue that the odds against the text appearing accidentally are so
> > long that a null key pad is the simplest explanation.
> >
> > Are all opponents sane?
> 
> If a long stretch of zeros (length to be determined later) occurred in a OTP, I
> would assume the generator was broken. Rare events rarely happen. At some point
> one decides that the probability of a cooked generator is greater than that of
> getting a string of zeros. The number is somewhere between 1 zero and 100 zeros.

I tend to partake your view. An error of the cipher operator
could also not be entirely neglected. A readable and reasonable
text is very surely plaintext (though it could be steganography
and the like). Further, how can the analyst 'really' know
that the sender employs OTP (independent of the issue that
ideal OTP doesn't exist (or determinable to exist) in practice)?

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: OTP using BBS generator?
Date: Mon, 14 Aug 2000 21:40:52 +0200



Mark Wooding wrote:
> 
> In general, though, I suppose we should consider the strength of
> cryptosystems based on the integer factorization problem by the
> difficulty of factoring the most difficult sorts of composite numbers
> available, and then try to choose those sorts of composites.  Currently,
> those really are just the products of pairs of random primes.

Could you conceive of any possibility of ever formally 
characterizing the 'most difficult sort of composite numbers'? 
Intuitively, I rather doubt that that could be done. Thanks.

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Crypto Related Professional Attitude
Date: Mon, 14 Aug 2000 21:41:02 +0200



"Trevor L. Jackson, III" wrote:
> 

> intensity and perversity of the machinations.  Being intelligent is only loosely
> correlated with being rational.

But being educated should fairly be correlated with being
rational, I suppose.

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Crypto Related Professional Attitude
Date: Mon, 14 Aug 2000 21:41:08 +0200



"Trevor L. Jackson, III" wrote:
> 
> "Douglas A. Gwyn" wrote:
> 
> > "Trevor L. Jackson, III" wrote:
> > > As for responsibility and maturity, it is not reasonable to expect these
> > > properties from humans.
> >
> > Sure it is, for civilized discourse.  Indeed, many moderated newsgroups
> > enforce that requirement to some degree.
> 
> Exactly.  They force it upon the contributors because the contributors will
> not enforce it upon themselves.  Gresham's law paraphrased: "Bad behavior
> drives good behavior out of circulation".

Indeed, in other contexts I have often found that in a 
grouping of people the atmosphere can be 'determined' by 
about 1% of the total number of persons.

M. K. Shen

------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Crypto Related Professional Attitude
Date: Mon, 14 Aug 2000 21:42:23 +0200



Safuat Hamdy wrote:
> 
[snip]
> > > I doubt that one can seriously learn anything in sci.crypt.
[snip]
> Having said this, my first statement may appear to be harsh, but this
> essentially is my experience with sci.crypt so far.

I think that time and again one has to agree with you.

M. K. Shen

------------------------------

From: [EMAIL PROTECTED] (JPeschel)
Subject: Re: Proposal of drafting rules of conduct of posting
Date: 14 Aug 2000 19:44:37 GMT

Mok-Kong Shen [EMAIL PROTECTED] writes, in part:

>Your opinion is certainly welcome like any other. One
>of the underlying goals of the proposal is to find out
>what the majority of the group really thinks about some
>of the (in my view) very legere styles of discussions.

You originally talked about "bad language" so I included
"damn" in my answer. I don't think many would object to
"damn," but some might. Do we ban it?

One of the biggest problems in this sci.crypt, I think,
is name-calling: "idiot," "moron," "pompous jerk," and
a few more creative, but, still vacuous appellations.
Other kinds of personal attacks are useless to the group, 
too. No one likes to be flamed, although, if you have
time on your hands, watching someone else's 
flame war might be mildly amusing from time to time.

As another respondent said, there are already plenty
of FAQs covering personal attacks, but people  don't
pay attention to them. Do we really need more guidelines
that will be ignored?

The professional cryptographers that don't post
here, like anyone else, probably wouldn't care to be 
attacked personally, either. But I think the main
reason that some of them don't post is because of
time.  It would be difficult for a working professional 
cryptologist to find the time to carry on a drawn-out
discussion with an amateur over a technical matter
that the amateur just doesn't understand.

Joe





__________________________________________

Joe Peschel 
D.O.E. SysWorks                                 
http://members.aol.com/jpeschel/index.htm
__________________________________________


------------------------------

From: "George Harth" <[EMAIL PROTECTED]>
Subject: Re: Is this Diffie-Hellman modification safe?
Date: Mon, 14 Aug 2000 19:44:37 GMT

Thanks Tom, Joe, and John,

I think you have successfully pushed me back in the right direction.

Cheers... George



------------------------------

Subject: Re: WinACE encryption algorithm
From: tomstd <[EMAIL PROTECTED]>
Date: Mon, 14 Aug 2000 13:16:35 -0700

"Marc Beckersjuergen" <[EMAIL PROTECTED]> wrote:
>> >The encryption is pretty tight,
>> >basically a 160 bit Blowfish code.
>>
>> "Basically"?
>>
>> "Basically"?
>>
>> (Uh-oh.)
>>
>> Can we take that to mean that you introduced some of your own
>> enhancements to Blowfish that Bruce Schneier somehow overlooked?
>
>Hey, I'm just the webmaster, not the developer
>and I don't know squat about programming in general and
>encryption in particular :-)

So do something smart and go get a developer?  Geez...

Tom



------------------------------

From: "Paul Pires" <[EMAIL PROTECTED]>
Subject: Re: Just Curious. Are girls/women interested
Date: Mon, 14 Aug 2000 13:44:19 -0700


Mok-Kong Shen <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
>
>
> Roadkill wrote:
>
> > Mok-Kong Shen wrote:
> > >
> > > Paul Rubin wrote:
> > >
> > > > Off the top of my head, Jennifer Seberry, Shafi Goldwasser, Cynthia
> > > > Dwork, Hilary Orman, and yes, Dorothy Denning all come to mind.
> > > > All of them (usually) have the good sense not to post here though.
> > >
> > > Your last sentence is very noteworthy and should provide food for
> > > reflections.
> >
> > They could post under a cryptographically strong pseudonym, sign their
> > posts and later show that they possess the secret key of that nym. If
> > they want to. For instance, can you tell I am a girl cryptographer? No?
> > So can't I ;-O But seriously, you can build quite a strong reputation
> > using a nym. Just take a look at Stray Cat in a.p.a-s and a.s.p. He's
> > great! Even though he posts with X-No-Archive: yes and doesn't sign his
> > helpful posts.
> >
> > Keep hoping and maybe this group will have female input,
>
> It was not explicitly stated, but I suppose that Paul Rubin's post
> in this thread probably hinted that women might not be particularly
> enthusiastic with certain ways of discussion that one sometimes
> finds in internet groups, namely where bad words are used, etc.
> So I guess that maybe a little atmospheric change is required
> before your hope comes true.
>
> M. K. Shen

You know some sheltered "Girls". Most that I know of are tougher than I am
(I am afraid to put forth their names since they know where I live).

Just out of curiosity, I asked a notable female in the security industry.
The answer I got was her observation that most of the postings to sci.crypt
appear to have more to do with penis measurement & relative ranking than in
intellectual discourse.

She doesn't perceive sci.crypt to be about cryptography at all but some
obscure male bonding rite.

Don't know how she got that idea.

I won't ask again...

Paul

>





------------------------------

From: "Paul Pires" <[EMAIL PROTECTED]>
Subject: Diehard Troll detector.
Date: Mon, 14 Aug 2000 13:47:40 -0700

I have an Idea!

Let's make up a random number test, call it "Diehard", put some impossible zip
file up for download that says it is 700K, and make the download actually 200K of
gibberish that won't unzip. And just to be perverse, let's mess with the ftp
site so that it only downloads at 90 bytes per second.

Now, when the troll tries to unzip it, give a warning message that the
download was bad, try again.

Once this is set up, ask how the troll does on these important tests and
snicker when he makes up statistics for a non-existing examination.

I know that this will be effective because it has kept me at bay for quite
awhile.

Help! What am I doing wrong? How can I get the diehard for DOS executable?

Paul








------------------------------

Subject: Re: Proposal of drafting rules of conduct of posting
From: tomstd <[EMAIL PROTECTED]>
Date: Mon, 14 Aug 2000 13:53:17 -0700

[EMAIL PROTECTED] (JPeschel) wrote:
>Mok-Kong Shen [EMAIL PROTECTED] writes, in part:
>
>>Your opinion is certainly wellcome like any other. One
>>of the underlying goal of the proposal is to find out
>>what the majority of the group really thinks about some
>>of the (in my view) very legere styles of discussions.
>
>You originally talked about "bad language" so I included
>"damn" in my answer. I don't think many would object to
>"damn," but some might. Do we ban it?

The word 'super' offends me too... don't ask why.

>One of the biggest problems in this sci.crypt, I think,
>is name-calling: "idiot," "moron," "pompous jerk," and
>a few more creative, but, still vacuous appellations.
>Other kinds of personal attacks are useless to the group,
>too. No one likes to be flamed, although, if you have
>time on your hands, watching someone else's
>flame war might be mildly amusing from time to time.

Hey "Pompous Jerk" is most suiting to the arrogant people with
alphabet soup that don't post here out of fear of discussion.

>As another respondent said, there are already plenty
>of FAQs covering personal attacks, but people  don't
>pay attention to them. Do we really need more guidelines
>that will be ignored?
>
>The professional cryptographers that don't post
>here, like anyone else, probably wouldn't care to be
>attacked personally, either. But I think the main
>reason that some of them don't post is because of
>time.  It would be difficult for a working professional
>cryptologist to find the time to carry on a drawn-out
>discussion with an amateur over a technical matter
>that the amateur just doesn't understand.

If they can't explain their math to an avid amateur how can they
explain it to a software developer enough to implement it
securely?

Does this means that all cryptographers must write their own
software?  So where is Rivest's version of PGP anyways?...

Seems like a conflict to me.

Tom



------------------------------

From: "Paul Pires" <[EMAIL PROTECTED]>
Subject: Re: Diehard Troll detector.
Date: Mon, 14 Aug 2000 13:57:50 -0700


Paul Pires <[EMAIL PROTECTED]> wrote in message
news:bYYl5.32184$[EMAIL PROTECTED]...
> I have an Idea!

Never mind. I got it. Don't know what the problem was. Probably a dead short
between the keyboard and the chair.

Paul






------------------------------

From: Thomas Wu <[EMAIL PROTECTED]>
Subject: Re: chap authentication scheme?
Date: 14 Aug 2000 14:04:13 -0700

[EMAIL PROTECTED] (Cryptocol) writes:
> 
> A-CHAP was again:
> 
> Alice <-- g^x -- Bob
> Alice -- (g^xg^v)^y, h(g^y) --> Bob
> 
> safety guards : g^x == {-1,0,1}, (g^xg^v)^y == {-1,0,1}, [optionally h(g^y) ==
> h(1)]
> moduli : safe prime or secure prime!

The problem here is that both Alice and Bob store g^v, so that if someone
reads g^v from Bob's database, he can impersonate Alice to him.  One of
the initial requirements was that the server verifiers not be password
equivalents.

> If I am not missing something, I think this protocol is at least secure against
> passive attacks only if Bob is Bob, i.e., A-CHAP is at least tapping-free. 
> 
> Note: A-CHAP is really abruptly made on the basis of AMP but I think you or
> somebody could make much simpler and better protocol based on so-many secure
> password protocols or other secure schemes.

Why not try a simple DH/Elgamal approach:

0. Alice and Bob agree on g, p (DH parameters).
   Alice knows the password r, Bob stores H(r).

1. Bob sends g^x

2. Alice sends g^y and S=r*(g^x)^y

To verify, Bob computes r'=S/(g^y)^x and sees if H(r') == H(r).

This just sends the password down the channel Elgamal encrypted with the
DH session key.  This naive approach is essentially what ssh user
authentication does; it is totally vulnerable to fake server attacks,
since an impersonated server gets the password, but if people don't
notice this serious problem in ssh, you can probably "get away with it"
as well in a CHAP variant.
-- 
Tom Wu                        * finger -l [EMAIL PROTECTED] for PGP key *
 E-mail: [EMAIL PROTECTED]       "Those who would give up their freedoms in
  Phone: (650) 723-1565              exchange for security deserve neither."
   http://www-cs-students.stanford.edu/~tjw/   http://srp.stanford.edu/srp/
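Tom Wu's steps 0 to 2 and Bob's verification, written out as an added Python example (not code from the post, from ssh, or from SRP). The prime p and g = 2 are constructed stand-ins rather than a vetted DH group, H is assumed to be SHA-256 over the password integer, and the password-to-integer encoding is a toy.

```python
import hashlib
from secrets import randbelow

# Constructed parameters: p is the Curve25519 field prime 2^255 - 19, used here only
# because it is a known prime of realistic size; it is NOT a vetted DH group, and
# g = 2 is likewise an assumption made for this demo.
P = 2**255 - 19
G = 2


def encode_password(pw: str) -> int:
    """Toy encoding of the password as an element r of Z_p (must fit below p)."""
    r = int.from_bytes(pw.encode("utf-8"), "big")
    if not 0 < r < P:
        raise ValueError("password does not encode to a valid group element")
    return r


def H(r: int) -> bytes:
    """The hash H(r) from the post; SHA-256 assumed."""
    return hashlib.sha256(r.to_bytes(32, "big")).digest()


def enroll(pw: str) -> bytes:
    """Step 0: Bob stores H(r), never r itself."""
    return H(encode_password(pw))


def bob_challenge():
    """Step 1: Bob picks a fresh x, keeps it, and sends g^x."""
    x = 2 + randbelow(P - 3)
    return x, pow(G, x, P)


def alice_response(pw: str, gx: int):
    """Step 2: Alice picks y and sends g^y together with S = r * (g^x)^y mod p."""
    r = encode_password(pw)
    y = 2 + randbelow(P - 3)
    gy = pow(G, y, P)
    S = r * pow(gx, y, P) % P
    return gy, S


def bob_recover(x: int, gy: int, S: int) -> int:
    """Whoever holds x computes r' = S / (g^y)^x mod p, i.e. the plaintext password.
    An impersonated server chose its own x, so it recovers r the same way: this is
    the fake-server weakness the post points out."""
    k = pow(gy, x, P)               # the DH value (g^y)^x
    return S * pow(k, -1, P) % P    # divide by k via the modular inverse


def bob_verify(stored: bytes, x: int, gy: int, S: int) -> bool:
    """Bob checks H(r') against the stored verifier H(r)."""
    return H(bob_recover(x, gy, S)) == stored


def run_protocol(enrolled_pw: str, typed_pw: str) -> bool:
    """One full exchange; returns whether Bob accepts."""
    stored = enroll(enrolled_pw)
    x, gx = bob_challenge()
    gy, S = alice_response(typed_pw, gx)
    return bob_verify(stored, x, gy, S)
```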

------------------------------

From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Bitwise mechanical cipher
Date: Mon, 14 Aug 2000 21:11:17 GMT

After reading somewhat about the KL-7, and other machines that it got
me interested in, I've come up with my own idea for a mechanical cipher, and
I'd like your opinions as to its security.

Instead of enciphering letters directly, it takes in two electrical
inputs, and either swaps or doesn't swap them, depending on the rotor
positions.  There are 5 rotors, with 43, 47, 53, 59, and 61 gear teeth
respectively.  All rotors are stepped once for each bit, and are in fact
in direct contact with each other (and of course turn in alternate
directions).  For each gear tooth, there are 2 inputs on the left, and 2
outputs on the right.  The inputs are either wired directly across, or
else swapped.  The outputs from one rotor go to the inputs of the next
rotor.  Each rotor has a fixed wiring, with nearly equal number of
swaps/non swaps, which were chosen by drawing black and white marbles at
random from a bag.  The initial positions of the rotors are, of course,
the key.  Larger and rotors may be used, provided that the rotors have
relatively prime numbers of teeth, the total number of rotor teeth is at
least 2**8, and the total number of positions is at least 2**16.

If the enemy gets ahold of a cipher machine, it should be fixable by
simply making and sending out new rotors.

The unicity distance for determining wirings with a known starting
position is twice the number of gears on the second largest rotor.

A rewirable rotor, size 11..31, might also be advisable, though making
it turn at the same rate as the other rotors might be a bit difficult.

--
"There's a mathematical reason not to trust Christians... The Buddhists
believe that human lives repeat. The atheists believe that human lives
terminate. That means that the Christians must believe that humans are
irrational."
 - Matt Katinas
"Not necessarily... they could think that humans are imaginary."
 - Rob Pease, in response to the above
"Of course Christians think humans are irrational: They believe humans
are transcendental, and all transcendentals are irrational. I suppose
that all we can be certain of is that humans are complex."
 - Me, in response to the above
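The rotor machine described above, modelled as an added Python example (not the poster's own notes or any real machine's wiring). A seeded RNG stands in for the bag of marbles, the key is the tuple of starting positions, and the model checks that the net swap at each step is simply the parity (XOR) of the five rotors' swap bits at their current positions, which is what a reviewer of its security would want to know first.

```python
import math
import random

TEETH = (43, 47, 53, 59, 61)   # gear teeth per rotor, from the post (pairwise coprime)


def make_rotor(teeth: int, rng: random.Random) -> list:
    """Fixed wiring for one rotor: one entry per tooth, True = the two lines are
    swapped at that tooth, False = wired straight across. The post draws black and
    white marbles; a seeded RNG stands in for the bag here (constructed wiring)."""
    return [rng.random() < 0.5 for _ in range(teeth)]


class SwapMachine:
    """Two input lines pass through every rotor in turn; each rotor either swaps
    them or not according to its wiring at its current position. All rotors step
    once per bit, alternate rotors turning in opposite directions."""

    def __init__(self, rotors: list, positions: tuple):
        if len(rotors) != len(positions):
            raise ValueError("one starting position per rotor")
        self.rotors = rotors
        self.pos = [p % len(w) for p, w in zip(positions, rotors)]  # the key

    def step(self, a: int, b: int):
        """Route (a, b) through the rotor stack, then advance every rotor."""
        for wiring, p in zip(self.rotors, self.pos):
            if wiring[p]:
                a, b = b, a
        self.pos = [(p + (1 if i % 2 == 0 else -1)) % len(w)
                    for i, (w, p) in enumerate(zip(self.rotors, self.pos))]
        return a, b

    def swap_bit(self) -> int:
        """The net effect of one step reduced to a single bit: 1 iff the lines
        come out swapped (feed the pair (0, 1) and read the first output)."""
        a, _ = self.step(0, 1)
        return a


def machine_keystream(rotors, positions, n: int) -> list:
    """n successive net-swap bits produced by the machine itself."""
    m = SwapMachine(rotors, positions)
    return [m.swap_bit() for _ in range(n)]


def parity_keystream(rotors, positions, n: int) -> list:
    """The same bits predicted by the parity model: a chain of conditional swaps
    swaps overall iff an odd number of rotors swap, so bit i is the XOR of each
    rotor's wiring bit at its position after i steps."""
    out = []
    for i in range(n):
        bit = 0
        for k, (w, p0) in enumerate(zip(rotors, positions)):
            direction = 1 if k % 2 == 0 else -1
            bit ^= int(w[(p0 + direction * i) % len(w)])
        out.append(bit)
    return out


def key_space_bits() -> float:
    """log2 of the number of starting-position tuples (the key). Because the tooth
    counts are pairwise coprime, the keystream period is the same product."""
    return math.log2(math.prod(TEETH))


def build_demo(seed: int = 7):
    """Constructed rotor set and key for a demo run."""
    rng = random.Random(seed)
    rotors = [make_rotor(t, rng) for t in TEETH]
    key = (5, 12, 40, 3, 59)
    return rotors, key
```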



------------------------------

From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: OTP using BBS generator?
Date: Mon, 14 Aug 2000 21:11:21 GMT

Terry Ritter wrote:
[snip]
> The need to check for short cycles is to avoid actually *using* a
> short cycle and traversing that cycle, which is UNARGUABLY weak.  Let
> me say that again:

> *  THERE IS NO QUESTION that short cycles do exist in BB&S.
Agreed.

> *  THERE IS NO QUESTION that if we select x0 at random, sooner or
> later we *WILL* select a short cycle.
Agreed.  But, will it happen in the lifetime of the universe?

> *  THERE IS NO QUESTION but that if we use and traverse a short cycle,
> that *IS* insecure.
Agreed.  But, if it occurs two universe-lifetimes from now, should
I worry?


[snip]
> Your idea is wrong.  It is not true that factoring is unconditionally
> hard.  Factoring is easy when a factor is leaked.  That is what the
> reduced BB&S does when it uses a short cycle.  So if we want to depend
> upon factoring being hard, we had better arrange to not use a short
> cycle.

Hmm, in your short cycle example (PQ=1081, and the cycle length 11, I
believe), how do we learn the factors of PQ from the LSBs of that cycle?

--
"There's a mathematical reason not to trust Christians... The Buddhists
believe that human lives repeat. The atheists believe that human lives
terminate. That means that the Christians must believe that humans are
irrational."
 - Matt Katinas
"Not necessarily... they could think that humans are imaginary."
 - Rob Pease, in response to the above
"Of course Christians think humans are irrational: They believe humans
are transcendental, and all transcendentals are irrational. I suppose
that all we can be certain of is that humans are complex."
 - Me, in response to the above


------------------------------

From: "Paul Pires" <[EMAIL PROTECTED]>
Subject: Re: Proposal of drafting rules of conduct of posting
Date: Mon, 14 Aug 2000 14:10:48 -0700


tomstd <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> [EMAIL PROTECTED] (JPeschel) wrote:
> >Mok-Kong Shen [EMAIL PROTECTED] writes, in part:
> >
> >>Your opinion is certainly welcome like any other. One
> >>of the underlying goals of the proposal is to find out
> >>what the majority of the group really thinks about some
> >>of the (in my view) very legere styles of discussions.
> >
> >You originally talked about "bad language" so I included
> >"damn" in my answer. I don't think many would object to
> >"damn," but some might. Do we ban it?
>
> The word 'super' offends me too... don't ask why.
>
> >One of the biggest problems in this sci.crypt, I think,
> >is name-calling: "idiot," "moron," "pompous jerk," and
> >a few more creative, but, still vacuous appellations.
> >Other kinds of personal attacks are useless to the group,
> >too. No one likes to be flamed, although, if you have
> >time on your hands, watching someone else's
> >flame war might be mildly amusing from time to time.
>
> Hey "Pompous Jerk" is most suiting to the arrogant people with
> alphabet soup that don't post here out of fear of discussion.

I guess this is why they make youngsters so cute. It's so that you don't
just kill them out of hand.

I have followed this thread and you are not offering this insult in response
to some rude posting from the jerk but as an evaluation of the motivation
behind their not posting. Strong language for an accusation based on
supposition. You even managed to disparage their accomplishments at the same
time. At least Don Rickles is funny.

Paul

>
> >As another respondent said, there are already plenty
> >of FAQs covering personal attacks, but people  don't
> >pay attention to them. Do we really need more guidelines
> >that will be ignored?
> >
> >The professional cryptographers that don't post
> >here, like anyone else, probably wouldn't care to be
> >attacked personally, either. But I think the main
> >reason that some of them don't post is because of
> >time.  It would be difficult for a working professional
> >cryptologist to find the time to carry on a drawn-out
> >discussion with an amateur over a technical matter
> >that the amateur just doesn't understand.
>
> If they can't explain their math to an avid amateur how can they
> explain it to a software developer enough to implement it
> securely?
>
> Does this means that all cryptographers must write their own
> software?  So where is Rivest's version of PGP anyways?...
>
> Seems like a conflict to me.
>
> Tom
>





------------------------------

From: Roger Schlafly <[EMAIL PROTECTED]>
Subject: Re: What is up with Intel?
Date: Mon, 14 Aug 2000 14:11:27 -0700

CMan wrote:
> I thought the idea was to be unpredictable.  

Yes, the random bits should be unpredictable. But you cannot
reliably determine if the function is even present. The CPUID
instruction doesn't work because a support chip is used.
Once you run the function, you cannot tell how long it is
going to take, or whether your result is going to be ruined
by another task trying to get random bits.

------------------------------

From: Benjamin Goldberg <[EMAIL PROTECTED]>
Subject: Re: OTP using BBS generator?
Date: Mon, 14 Aug 2000 21:18:59 GMT

lcs Mixmaster Remailer wrote:
> 
[snip]
> 
> If you can find short cycles, you can factor the value.  You have
> x^2 = y^2 mod n, so (x^2 - y^2) = 0 mod n, so (x-y)(x+y) is a multiple
> of n, and if you take the gcd of x-y and/or x+y with n you have a good
> chance of finding a factor.
> 
> In your example, you have that 46*46 = 1035*1035 = 1035, mod 1081.
> Now we can do the gcd of the modulus with 1035-46.  gcd(1081,989)
> = 23, which is one of the factors!  We've factored the modulus.

But the attacker never sees 1035, only its least significant bit,
repeated many times.  The attacker doesn't see X[0], either, I don't
believe.

> In general, if you can find short cycles, you can factor.  Hence if
> you believe factoring is hard, you believe that short cycles can't be
> found.
> That's the bottom line.

--
"There's a mathematical reason not to trust Christians... The Buddhists
believe that human lives repeat. The atheists believe that human lives
terminate. That means that the Christians must believe that humans are
irrational."
 - Matt Katinas
"Not necessarily... they could think that humans are imaginary."
 - Rob Pease, in response to the above
"Of course Christians think humans are irrational: They believe humans
are transcendental, and all transcendentals are irrational. I suppose
that all we can be certain of is that humans are complex."
 - Me, in response to the above
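The factoring argument quoted above, run on the thread's own numbers (n = 1081 = 23 * 47, x0 = 46) as an added Python example, not code from either poster. It walks the x -> x^2 mod n sequence until it repeats, applies the gcd step to the two square roots that the repeat exposes, and also emits the LSB stream, which is all an observer of the generator's output ever sees (Goldberg's point); it is the reason Ritter wants short cycles detected and avoided before use.

```python
from math import gcd

N = 1081          # the thread's modulus, 23 * 47
X0 = 46           # the thread's starting value


def bbs_sequence_to_repeat(x0: int, n: int):
    """Iterate x -> x^2 mod n from x0 until a value recurs.
    Returns (tail, cycle_length, xs): xs holds every distinct value in order,
    and xs[tail] is the first element that lies on the cycle."""
    seen = {}
    xs = []
    x = x0
    while x not in seen:
        seen[x] = len(xs)
        xs.append(x)
        x = x * x % n
    return seen[x], len(xs) - seen[x], xs


def lsb_stream(xs) -> list:
    """What the generator actually outputs: the least significant bit of each x_i.
    A repeating pattern here reveals the period, not the x_i values themselves."""
    return [x & 1 for x in xs]


def factor_from_square_collision(x: int, y: int, n: int):
    """Given x^2 == y^2 (mod n), (x - y)(x + y) is a multiple of n, so
    gcd(x - y, n) or gcd(x + y, n) has a good chance of being a proper factor."""
    if (x * x - y * y) % n != 0:
        raise ValueError("x and y do not square to the same value mod n")
    for d in (gcd(abs(x - y), n), gcd(x + y, n)):
        if 1 < d < n:
            return d
    return None


def factor_from_short_cycle(x0: int, n: int):
    """Walk the sequence until it repeats. The last value before the repeat and
    the value just ahead of the cycle are two square roots of the same x_i;
    for x0 = 46 they are 1035 and 46, both squaring to 1035 mod 1081."""
    tail, length, xs = bbs_sequence_to_repeat(x0, n)
    if tail == 0:
        return None   # x0 itself is on the cycle: no second root is exposed
    return factor_from_square_collision(xs[-1], xs[tail - 1], n)
```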

------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
