Cryptography-Digest Digest #458, Volume #12 Wed, 16 Aug 00 09:13:00 EDT
Contents:
Re: 1-time pad is not secure... (Tim Tyler)
Re: Unauthorized Cancel Messages (Guy Macon)
Re: OTP using BBS generator? (Mark Wooding)
Re: 1-time pad is not secure... (Tim Tyler)
Re: 215 Hz five-qubit quantum processor ("Trevor L. Jackson, III")
Re: WAP gateway to WWW - Will this configuration really fly from a security
perspective ? (Mark Currie)
Re: 215 Hz five-qubit quantum processor ("Trevor L. Jackson, III")
Re: New quantum computer - any details? (Gordon Walker)
Re: Unauthorized Cancel Messages ("Jamie")
Re: Looking for a DES or RSA chip with write-only key. (Mark Currie)
Re: Random Number Generator (Tim Tyler)
Re: Random Number Generator (Tim Tyler)
Re: OTP using BBS generator? (Mok-Kong Shen)
Re: OTP using BBS generator? (Mok-Kong Shen)
Re: OTP using BBS generator? (Mok-Kong Shen)
Re: Big Brother Is Reading Your E-Mail ("Tomas Rosa")
Re: 215 Hz five-qubit quantum processor ("Jamie")
----------------------------------------------------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: 1-time pad is not secure...
Reply-To: [EMAIL PROTECTED]
Date: Wed, 16 Aug 2000 11:07:04 GMT
Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
: Tim Tyler wrote:
:> This (in particular the word "only") is too strong. Yes, any hidden
:> variables that exists have to appear to aggregate to produce
:> random-looking events on various scales that have been measured, to
:> certain degrees of accuracy. This does not say how that should behave
:> on ranges about which no experiments have yet been performed, or when
:> considered to higher degrees of accuracy than existing experimants
:> have looked at.
: That's not it at all. The possibility of the existence of local
: hidden variables (that have any physical effect) has been ruled
: out altogether by a combination of theory and experiment.
Which only means that not all hidden varibles can be expected to have
purely local effects. Have I said that the hidden variables must be
local?
In fact local theories have /not/ been completely ruled out - instead,
we know that /if/ physics is local, it's either either doing things
(much, much) faster than the speed of light, the toplology of space in
which it is behaving locally is very different to that normally percieved
- i.e. with many more dimensions - or it's accessing /large/ volumes of
information from "invisible" parallel worlds.
However, that's another story - one which would probably constitute a
digression here.
--
__________ Lotus Artificial Life http://alife.co.uk/ [EMAIL PROTECTED]
|im |yler The Mandala Centre http://mandala.co.uk/ Namaste.
------------------------------
From: [EMAIL PROTECTED] (Guy Macon)
Subject: Re: Unauthorized Cancel Messages
Date: 16 Aug 2000 11:34:06 GMT
Ron B. wrote:
>
>On Tue, 15 Aug 2000 13:48:54 GMT, Ron B. <[EMAIL PROTECTED]> wrote:
>
>>It appears to me that someone is sending bogus cancel messages to
>>sci.crypt and the alt.security.* groups. My newsreader shows
>>several "This message is no longer available" messages for several
>>legitimate messages. This are clearly not anti-spam cancels as they
>>are new
>>responses to postings. Has anyone else seen this?
>
>I've contacted support at gte.net. It was a problem with the local
>server for my area.
>
I have a suggestion. It would have been better to describe the problem
that you are seeing and to raise the question of whether cancels are
the cause rather than assuming that you know the cause of the problem.
BTW, my news server/news reader combination is set to show me every byte
of every article and to ignore control messages, so when someone cancels
am article, I see the original and the cancel. All I have seen is the
usual amount of self-cancels followed by slightly edited versions, and
the usual spam and spam cancels from the usual sources.
------------------------------
From: [EMAIL PROTECTED] (Mark Wooding)
Subject: Re: OTP using BBS generator?
Date: 16 Aug 2000 11:38:39 GMT
John Savard <[EMAIL PROTECTED]> wrote:
> <[EMAIL PROTECTED]> wrote, in part:
>
> >Do I understand correctly that you claim that the cycle length of
> ><x_i> equals the cycle length of the parity bits (either the normal
> >definition or LSB)? Thanks.
>
> I believe I do, or at least I make a weaker claim that still shows the
> cycle length of the parity bits has to be long.
I believe this assertion to be incorrect.
> it follows that certain cycle lengths are not possible. Now, if the
> cycle length for the generator as a whole is pq, for p and q prime,
Yes, but it isn't: it's a factor of \lambda(\lambda(n)).
> That the parity bit will be unbiased would also require advanced math
> to show, but since it's been proven "hard to predict", that would
> imply that such a proof does exist.
Indeed, the difficulty of prediction implies the lack of bias as a
trivial corollary.
-- [mdw]
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: 1-time pad is not secure...
Reply-To: [EMAIL PROTECTED]
Date: Wed, 16 Aug 2000 11:39:12 GMT
Douglas A. Gwyn <[EMAIL PROTECTED]> wrote:
: Tim Tyler wrote:
:> As far as physics goes, science does not appear to be in any sort of
:> position to make proclamations on the issue of whether true
:> randomness exists. The issue relates to issues on the very edge of
:> theoretical physics - an area where not everything is known. The
:> issue could easily go either way on some distant future occasion.
: No, it can't. Since you claim to have special insight into this
: matter, please explain what is wrong with Bell+Aspect [...]
Nothing's "wrong" with it. I have no argument with EPR experiments,
Bell's inequality, or the Aspect experiment.
However, they don't have the implications you seem to think for
the possibility of physical determinism.
Instead, they disprove locality. Any hidden variables can't be
conventionally local - unless the speed-of-light limit (or some
other conditions) are violated.
: Or, if as seems much more likely to me, you don't know enough to
: *have* a valid opinion, then please keep such opinions to
: yourself, instead of spreading misinformation.
I estimate my knowledge of physics to be at a very low level, compared
with (say) yours. However I know enough to conclude that in this
instance I have a pretty reasonable grasp of the situation.
I'm somewhat suprised to encounter such militant defenders of the random.
How can anyone possibly be so certain that the world is not embedded in a
digital computer?
: In matters of fundamental physics, your personal intuition is worth
: less than nothing.
A good general maxim - for all folks.
:> In the face of all this, the idea that we can actually implement
:> the ideal OTP - and apply the security proof that comes with it -
:> seems doomed.
: Seems doomed to *you*.
Well, yes, naturally all of my posts are IMHO.
: The main practical problem with an OTP system, as has been observed
: many times before (including the sci.crypt FAQ, as I recall) is the
: matter of key distribution, and the second most significant problem is
: ensuring non-reuse of key material. Generating secure random bit
: streams is not a big problem; [...]
Whoah. Where have I debated any of this?
My concern is with proofs of unbreakable security, not with the idea
that you can get a reasonably good OTP for use in cryptography most of
the time.
Failures in key distribution are certainly the number one cause of
non-randomness (i.e. predictability) in OTPs.
: [..] "we" (the crypto community as a whole, evidently not including
: you) know how to do it, and in fact it is routine practice. [...]
You seem to mis-understand - or at least mis-state - my position. I don't
think OTPs are useless or worthless. I just think that they're not
without their own share of problems.
To *ignore* these (as, for example Bruce Scheiner does in AC when he
writes "Beleive it or not there's a perfect encryption scheme." - p.15,
2nd ed.) is not sensible.
: Just because you don't personally know something doesn't mean
: that that which you do not know cannot be true.
Indeed not.
: Better to be silent and be thought ignorant than to speak and be seen
: to be a fool.
Well, I'm sufficiently confident of my intellect to have few fears of
being a fool. I'm sometimes wrong, though - and generally want to
learn when this is the case.
For example, in the future new physics may make the possibility of
randomness more and more likely. Alternatively we may find wholly
deterministic underpinning to physics. Either occurrence would turn
my current agnosticism about the issue into largely pedantry.
As far as I know, we have not reached any certaintly that our vision
of fundamental physics is the final one. Indeed AFAIK, everone thinks
is not.
I don't think we have a good base to make statements about whether the
laws of physics include fundamentally random elements, what with us not
knowing what the fundamental laws of physics are.
--
__________ Lotus Artificial Life http://alife.co.uk/ [EMAIL PROTECTED]
|im |yler The Mandala Centre http://mandala.co.uk/ Namaste.
------------------------------
Date: Wed, 16 Aug 2000 07:53:21 -0400
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Crossposted-To: comp.arch
Subject: Re: 215 Hz five-qubit quantum processor
I think Godel v. Russell established the fact that this is not possible.
Russell wanted to show that all of math was consistently derived from a small
set of foundation premises. Godel showed that math is incomplete in the sense
that not all truths can be deduced from the premises. Godel used a special kind
of theorem that implied something like "This theorem is false". When you run
that through a prover you get an undecidable result -- like talking to a person
who says "I always lie".
This can be made quite personal. For instance, "Steve Newman cannot
consistently defend the truth of this theorem." If you act as a manual theorem
prover, how will you resolved the truth/falsity of it?
Steve Newman wrote:
> In article <8nctf9$5tf$[EMAIL PROTECTED]>, [EMAIL PROTECTED] (Paul
> Rubin) wrote:
>
> > The class of problems a quantum computer can probablistically solve in
> > P-time is called QBP. It's believed to be larger than P but it still
> > is no larger than NP. Factoring and other search-type problems sit
> > inside QBP, but sorry, the classical halting problem is still undecidable.
>
> How much larger than P?
>
> It occurred to me some years back that with the appropriate "magic
> box", you could trivially implement a theorem prover for arbitrary
> theorems. Simply generate all possible strings up to a certain
> length, and run each string through a theorem checker to see if it
> constitutes a proof for the theorem. This requires a theorem
> checker, but that's not hard to write.
>
> Could this algorithm be implemented in a (sufficiently advanced)
> quantum computer? Presumably the length of the theorem would be
> bounded by some value proportional (at best) to the number of bits
> supported by the computer. Still, this would be a heck of a thing
> if it worked.
>
> Computers have already caught up with human chess players... maybe
> in a few more decades, mathematicians will succumb?
>
> (Seems unlikely somehow, but still an interesting thought.)
>
> -- Steve Newman
------------------------------
Subject: Re: WAP gateway to WWW - Will this configuration really fly from a security
perspective ?
From: [EMAIL PROTECTED] (Mark Currie)
Date: 16 Aug 2000 11:51:30 GMT
In article <5jfm5.3586$[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
>
>>"Mark Currie" <[EMAIL PROTECTED]> wrote in message
<snip>
>> Perhaps if the Telco's were to get ITSEC-E4-high approval for their SIM's,
>>this
>
>What does ITSEC-E4... prove? For me, the most interesting parts are not in
>such reports, since they are incomplete.
>
ITSEC basically certifies the correctness of the design. The "E4-high" part
means "high security" which means that they will do penetration testing. This
includes SPA, DPA, chemical, temperature, physical, etc. A good combination is
to get both ITSEC-E4-high as well as ZKA approval. The ZKA approval involves
checking the implementation security as well following the chain-of-trust.
Common Criteria, as far as I know, is like a combination of the European
standards and the American NIST standards like FIPS140 but, once again as far
as I know, CC does not include the implementation and delivery security aspects
that are part of ZKA approval.
You are right that approvals/certifications don't prove that a module is
secure, but I would far rather trust a module that has gone through this than
one that has not, even if the suppliers have had *lots* of experience.
Mark
------------------------------
Date: Wed, 16 Aug 2000 08:04:33 -0400
From: "Trevor L. Jackson, III" <[EMAIL PROTECTED]>
Crossposted-To: comp.arch
Subject: Re: 215 Hz five-qubit quantum processor
Tim Shoppa wrote:
> Of course, none of this [qbits] will ever help run Linux or Microsoft
> Windows,
> so you're right, this is such a fundamental change in computation
> that it won't matter except to those who are already computing off
> the desktop.
Windows on qbits: the system uses all but five bits to keep track of itself
(backtracking from crashes)
------------------------------
From: Gordon Walker <[EMAIL PROTECTED]>
Subject: Re: New quantum computer - any details?
Date: Wed, 16 Aug 2000 13:08:11 +0100
On Tue, 15 Aug 2000 10:05:20 -0700, "Ed Suominen"
<[EMAIL PROTECTED]> wrote:
>Time for bigger keys
Surely if quantum computers become practical there is no realistic key
length that will provide security? An entirely new variety of
encryption would be required would it not?
--
Gordon Walker
------------------------------
From: "Jamie" <[EMAIL PROTECTED]>
Subject: Re: Unauthorized Cancel Messages
Date: Wed, 16 Aug 2000 13:13:02 +0100
Outlook.... choose "properties" from a menu (right click on the message is
easiest) and choose the "details" tab... if you dont see enough then you can
choose to see the whole message source
Jamie
"fvw" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> <ckfm5.49440$[EMAIL PROTECTED]> ([EMAIL PROTECTED]):
> >
> >fvw <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> >> <mXem5.48638$[EMAIL PROTECTED]> ([EMAIL PROTECTED]):
> >> >It happens to my posts. They don't linger as long as most. I my case,
> >it's
> >> >probably a plus. I think it is just different behavior for different
> >> >servers.
> >>
> >> Hmm, is your newsreader setting an Expires: header?
> >
> >I'd love to answer that question. First one for me, how would I know?
> >I'm pulling newsgroups up in outlook. I looked at all the options and
> >settings and nothing rings a bell.
>
> n/m, it's a stupid question, I can check for myself... If you posted
> the message this is a followup to with the same newsreader on the same
> machine you always do, it isn't setting any expires headers. Most
> newsreaders have the option of 'view headers' when you're looking at
> a message. I'm don't know how to do that in outlook though :-(.
>
> --
>
> Frank v Waveren
> [EMAIL PROTECTED]
> ICQ# 10074100
------------------------------
Subject: Re: Looking for a DES or RSA chip with write-only key.
From: [EMAIL PROTECTED] (Mark Currie)
Date: 16 Aug 2000 12:11:21 GMT
I would not recomend *burning-in* of keys. The Pijnenburg chips - PCC101 (DES)
& PCC201 (Exponentiator) have write-only key registers that (I think) can be
retained with a battery after power-down.
Mark
In article <[EMAIL PROTECTED]>, ronb.cc@usu@edu says...
>
>I'm looking for a DES or RSA chip with one unique quality - I want to be able
>to burn the key into the thing and have it permanant and non-readable... in
>some physical fashion, the key on the chip needs to be inaccessible. Is there
>any IC out there that does this, or am I going to have to go to the drawing
>boards on this one?
>
> rOn (note the email address munging.)
>
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Random Number Generator
Reply-To: [EMAIL PROTECTED]
Date: Wed, 16 Aug 2000 11:55:41 GMT
[EMAIL PROTECTED] wrote:
: Procedure Reflection truncates the state. 50% of information resulted
: in procedure Arithm is lost. So, lose of information is my way to
: randomness.
No!
"lose of information" is the way to high *order*. It leads directly away
from randomness, and towards very highly ordered states.
The expected period of a reversible generator is typically much larger
than that of an irreversible one. Look at LCGs and LFSRs. Each state has
a unique predecessor. They're reversible. No information is lost.
There's a good reason for doing things this way. Throwing away the
entropy present in your seed is usually a bad idea.
--
__________ Lotus Artificial Life http://alife.co.uk/ [EMAIL PROTECTED]
|im |yler The Mandala Centre http://mandala.co.uk/ Namaste.
------------------------------
From: Tim Tyler <[EMAIL PROTECTED]>
Subject: Re: Random Number Generator
Reply-To: [EMAIL PROTECTED]
Date: Wed, 16 Aug 2000 11:58:14 GMT
[EMAIL PROTECTED] wrote:
: James Felling <[EMAIL PROTECTED]> wrote:
:> How does it do vs. DIEHARD?
: I am sorry but I didn't understand your question.
: Would you like repeating it in extended form?
Not a good sign :-/
Have you tried visiting http://stat.fsu.edu/~geo/diehard.html ...?
--
__________ Lotus Artificial Life http://alife.co.uk/ [EMAIL PROTECTED]
|im |yler The Mandala Centre http://mandala.co.uk/ Namaste.
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: OTP using BBS generator?
Date: Wed, 16 Aug 2000 14:32:00 +0200
Mark Wooding wrote:
>
> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>
> > These facts, together with David Hopwood's information that BBS left
> > 'explicitly' open the question of the relationship between the said
> > two types of cycles lengths, seem to sufficiently justify the
> > conjecture that there is somewhere a theory GAP in BBS's proof of
> > security, in my guess probably on the path from the difficulty of
> > predicting the direct output to the congruence relation to the
> > difficulty of predicting the LSB. (There is, as far I am aware, NO
> > clear-cut and useful relationship between these two types of entities
> > in general!)
>
> There is a useful relationship between the two types. Note that the
> period length of the parity sequence must be a factor of the period
> length of the <x_i> sequence.
>
> A thought has struck me. Please stop me if it turns out to be hopelessy
> wrong. If it isn't, it will (a) sort out the parity sequence period,
> and (b) reduce the effort required to find BBS moduli with long periods.
> I can't believe that nobody's trodden this ground before: my abilities
> as a number theorist are somewhat limited.
>
> My inspiration is the work of Lim and Lee on attacking discrete log
> systems over GF(p).
>
> \newcommand{\pimax}{\pi_{\mathrm{max}}}
>
> The <x_i> period, usually notated as \pi, we know to be a factor of
> \pimax = \lambda(\lambda(n)) = \lambda(\lcm(p - 1, q - 1)).
>
> Let p = 2 p_0 p_1 p_2 ... p_k + 1 and q = 2 q_0 q_1 q_2 ... q_l + 1 be
> two prime numbers, where the p_i and q_i are primes greater than some
> given threshold t_0. Primes of such a form can be found fairly readily,
> by constructing a pool of smaller primes and analysing the products of
> all appropriately sized combinations, as described in Lim and Lee's
> paper. Then \lcm(p - 1, q - 1) = 2 p_0 p_1 p_2 ... p_k q_0 q_1 q_2
> ... q_l.
>
> Going down another level, choose each of the p_i and q_i to be
> Sophie-Germain or Lim-Lee primes as well (depending on how small your
> numbers are by this point): ensure that each p_i has the form 2 \prod
> r_i + 1, where the r_i are all greater than some threshold t_1.
>
> We end up in the situation that \pimax is twice the product of a number
> of primes whose minimum size is strictly greater than our bound t_1. We
> know that the period \pi any *parity* sequence must be a factor of
> \pimax. But the only small prime factor of \pimax is 2, and we can
> easily check for periods of length 2. By choosing t_1 = 2^{128}, for
> example, we can ensure that a cycle found either has period 2 or longer
> than 2^{128}, which is obviously impractical to traverse.
>
> I still think it's a waste of time trying, by the way. I'm just trying
> to clarify the field a little.
I am (at least at the moment) not in a position to comment.
>From superficial look it does seem interesting. So why not
persuing it a bit further? Could you please give a pointer
to the paper of Lim and Lee?
> > This issue is evidently EXTREMELY important, for otherwise the
> > 'provably security' of BBS would have been a simple FICTION!
>
> No. You've misunderstood the proof almost completely.
Only IF the connection from the 'difficulty' pertaining
to the output of the cogruence relation to the 'difficulty'
pertaining to LSB is seamless logically. I don't know yet
for sure whether this is true. I said previously that my
math knowledge is very unlikly to be sufficient to
properly understand the original article of BBS. (So my
'misunderstanding' isn't a issue here.) But I do want
an expert to explicitly confirm that there is no gap,
notwithstanding the fact pointed out by David Hopwood.
> > I like to take this opportunity to once again point out the importance
> > of experimentally checking the statistical properties of the LSB of
> > BBS, in ways EXACTLY as every other PRNG ever used in practice has
> > been checked.
>
> > (What qualifies BBS to be an 'exception' in this??)
>
> The fact that breaking it is reducible to factoring the modulus.
We have to be careful, don't we? At least one (or perhaps
more) of the experts in the group has admitted that he
hasn't read/mastered BBS's article in full. Should we
'believe' the math there is o.k., simply because BBS
have big names?? Hundreds of proofs of FLT were found to
be wrong, among them many by professors. (I happen to
possess one 'proof' formally published in a big
publishing company before WWII by a math prof of the
Univ of Berlin.) If no one has yet done an extensive
series of checks on the statistical qualities (not
only cycle length!) of LSB of BBS, then it is HIGH time
to have someone to do it! We people in crypto have to
be especially prudent, don't we? (BTW, wasn't you that
said in another thread to the effect that it isn't
entirely sure from the outset that some posts in the
group bearing the names of certain specialists are
really from them?)
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: OTP using BBS generator?
Date: Wed, 16 Aug 2000 14:32:08 +0200
Mark Wooding wrote:
>
> Mok-Kong Shen <[EMAIL PROTECTED]> wrote:
>
> > My problem is in knowing the (rough) path of attaining that knowledge,
> > without having to deeply study the BBS article which I guess is way
> > beyond my capability. My thought is this: BBS must proceed from the
> > properties of the congruence relation to that of the LSB. They
> > presumably could have first established that finding cycles of the
> > direct output of the congruence relation is no easier than factoring.
>
> The BBS paper establishes the reduction to the quadratic residuosity
> problem only, not to factoring. The reduction to factoring was done
> afterwards by Vazirani and Vazirani (Crypto '84, I think).
>
> > Since there is a gap in proceeding from the cycles of this kind to the
> > cycles of LSB, I conjecture there could be some difficulties of
> > continuing from the above point to establish that finding cycles of
> > LSB is no easier than factoring.
> >
> > Looking from another perspective, what does 'finding cycles in LSB'
> > mean? If the distribution of cycles lengths of LSB is (of course I
> > don't know) is such that the majority of cycles are very short, then
> > encountering a cycle would be easy. So I conjecture that one has to be
> > able to say something definite about the distribution of cycle lengths
> > of LSB, if one can prove that finding cycles of the LSB is no easier
> > than factoring.
>
> No. The proof is much more general than that. It shows that *any*
> method of predicting the generator's output allows you to factor.
>
> [There is no `gap'.]
I am certainly ready to acknowledge your expertise. But,
being conservative (see what I wrote in a parallel
follow-up answering you), I like to see at least one
another expert confirming that the connection from
the difficulty of finding short cycles of LSB to the
difficulty of factoring is 'completely' seamless.
BTW, I questioned previously what does 'short' in
'finding short cycles' mean. Could you say something
about that now, for that concept is essential here,
isn't it?
>
> > Why is it then, as David Hopwood said, that BBS leave the issue of the
> > connection between the cycles of the direct output of the congruence
> > relation and the cycles of LSB explicitly to be an open question? I
> > surmise that that gap or open question must have some non-trivial
> > bearing on the present issue.
>
> Not really. The actual cycle analysis is interesting but fundamentally
> unimportant. (Although see my other article which shows how to obtain a
> lower bound on parity cycle lengths and generate moduli without the
> expense of finding the `special' numbers.)
>
> The analysis of cycle lengths and distributions is *independent* of the
> proof that prediction of the generator is as hard as factoring.
>
> > If a bit sequence has grave statistical defects, then that can be
> > readily exploited by the opponent, he wouldn't then need any
> > 'polynomial' time or what not for doing the analysis. Or am I missing
> > something?
>
> Hence the proof shows that *either* factoring is surprisingly easy *or*
> a BBS generator has no such defects. In your toy examples, factoring is
> too easy.
It is the strange (simple) pattern in there that troubles
me. For we can't simply through hand waving ignore the
potential possibility that such patterns could also
occur for LSB of moduli that are difficult to factor.
(Any grave defects in serial correlations could have
severe/fatal consequences.)
M. K. Shen
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: OTP using BBS generator?
Date: Wed, 16 Aug 2000 14:32:12 +0200
John Savard wrote:
>
> <[EMAIL PROTECTED]> wrote, in part:
> >John Savard wrote:
> >> Since the BBS modulus can't be a power of two, I don't think you have
> >> to worry about that.
>
> >Do I understand correctly that you claim that the cycle
> >length of <x_i> equals the cycle length of the parity bits
> >(either the normal definition or LSB)? Thanks.
>
> I believe I do, or at least I make a weaker claim that still shows the
> cycle length of the parity bits has to be long.
>
> Essentially, since the modulus is the product of odd primes or an odd
> prime, or something like that,
>
> and the parity bit has two possible values,
>
> and the seed is not allowed to be zero,
>
> it follows that certain cycle lengths are not possible. Now, if the
> cycle length for the generator as a whole is pq, for p and q prime,
> proving that the parity bit can't have a cycle length of p or a cycle
> length of q would require advanced math, it IS clear that no other
> cycle length for the parity bit less than pq is possible.
>
> That the parity bit will be unbiased would also require advanced math
> to show, but since it's been proven "hard to predict", that would
> imply that such a proof does exist.
There are two points. First is the terminology. Do you
use the normal term, i.e. counting the number of 1's in
<x_i>, or do you use LSB for 'parity'? Second, do you
negate the possiblity of the cycle length of 'parity'
(according to one of the definitions above) being
smaller than the cycle length of <x_i>? Thanks.
M. K. Shen
------------------------------
From: "Tomas Rosa" <[EMAIL PROTECTED]>
Crossposted-To: alt.privacy,alt.security.pgp
Subject: Re: Big Brother Is Reading Your E-Mail
Date: Wed, 16 Aug 2000 13:32:13 +0200
"Michael Brown" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Currently, I can do a 12 bit by hand, an I'm writing up a word documant
> to be posted soon. If you want to see an old and not-complete version in
> XL form go to:
> http://members.fortunecity.com/mibro/rsa.xls
> My copy of Netscape doesn't want to download it directly, but any
> downloader such as GetRight or NetVampire does it fine.
>
snip
Well, you are trying to reverse the Wallace-tree adder scheme. Are you
willing to give only a describtion of this process in your future document,
or will you also suply us with some analysis from mathematical point of
view - the estimated complexity as a function of the bitlength and
properties of factors? Otherwise your method will forever stay only in the
position of nice logic-based game.
good luck (you will need it, because it could be expected you will run into
the trubble, soon)
Tom
------------------------------
From: "Jamie" <[EMAIL PROTECTED]>
Crossposted-To: comp.arch
Subject: Re: 215 Hz five-qubit quantum processor
Date: Wed, 16 Aug 2000 13:35:31 +0100
<snip>
> Of course, none of this will ever help run Linux or Microsoft Windows,
> so you're right, this is such a fundamental change in computation
> that it won't matter except to those who are already computing off
> the desktop.
Isn't MS Windows a simulation of a quantum machine?
You can never tell which application the "operating system" is going to
crash until you try to use it.
Linux, while remarkably efficient at performing certain specific tasks,
takes much to long to set up, recompile the kernal and close down to be used
for practial problem solving.
Jamie
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
