Re: smartcards, electronic ballots

2001-02-04 Thread William Allen Simpson

David Honig wrote:
> From "Ballot Proposal" version 1.3
> 
> 10 B DISPLAY
> (5) Election software shall print the selected choices on a fixed
> visible medium (such as paper), and shall require the voter to
> affirm those choices prior to electronic registration of the
> completed ballot.
> 
> I took this to mean that "what the machine thinks the voter chose
> is printed on paper" (for feedback/trust reasons).   Am I totally off?
> 
That's correct.  All the considered systems require some permanent 
audit record of the ballots.  This draft requires that the voter 
approve the record.  Thus, the printed record is primary, since the 
voter actually sees it and approves it.  Any electronic fudging can be 
detected and eliminated.

But, nobody is suggesting that the voter takes home the paper.  On the 
contrary, designs mentioned in meetings have the paper behind glass, 
not even touchable by voters.


> I wasn't clear on the architecture you have in mind ---I eventually
> figured out that you're requiring an online system with local and
> central real time reporting (mirroring) of votes.
> 
The Internet is big in legislators' eyes these days.  The network 
connection to a central (state) system is really the main motivation, 
as it allows the eRate funds to be used to run elections. 

Also, central state servers are needed to allow overseas electronic 
voting.  Too many trust relationships to have each base/embassy try 
to interact with every city or precinct.

And the mirroring keeps the locals from fudging the ballot counts.

Basically, I was asked, "Can the Internet be used to carry the votes, 
while still remaining secret?"  My answer is, "Yes, we already have 
SSL/TLS for confidentiality."  "What about ensuring votes only come 
from authorized places?"  "Easy, issue credentials for each machine, 
and use digital signatures on the ballots."  Etc, etc.

I've found a lot of support for open source software, because the 
politicians don't trust vendors or clerks.  They want lots of review. 
Especially with machines programmed by clerks.  And especially with all 
the campaign money that came in this cycle from so-called high-tech 
firms.  A compromised vendor would be a real problem for one party or 
another.


> (Other architectures include standalone or LAN-only machines acting only as
> better voting-acquisition-machines; or a pure central server scheme like
> home internet voting.)
> 
There have been a lot of problems with stand-alone machines.  For 
example, in Florida, the recounts were supposed to actually re-run 
the ballots.  Instead, many places just looked at the counters without 
doing any real counting.  Also, elsewhere, machines have been found to 
be mis-programmed.  Etc, etc.

Home internet voting has a lot of problems, too, and is not being 
considered.  Just incremental improvements on the existing polling 
places and absentee ballots.  As you say, better vote acquisition -- 
evolution, not revolution.

The other thing is cost, cost, cost.

Anyway, I've basically been answering a lot of questions for free, 
just as most of you are doing.  Admittedly, I've been given access to 
some reports and internal committee documents, but mostly I'm just 
trying to help them add security language.

I really think we've gone pretty far afield for this list.  Just send
messages to me privately, and I'll reply as I have time and interest.  
Thanks again.





Re: smartcards, electronic ballots

2001-02-04 Thread Donald E. Eastlake 3rd


From:  Ed Gerck <[EMAIL PROTECTED]>
Message-ID:  <[EMAIL PROTECTED]>
Date:  Sun, 04 Feb 2001 11:43:19 -0800
To:  David Honig <[EMAIL PROTECTED]>
Cc:  William Allen Simpson <[EMAIL PROTECTED]>, [EMAIL PROTECTED],
"John R. Levine" <[EMAIL PROTECTED]>, Ed Gerck <[EMAIL PROTECTED]>
References:  <[EMAIL PROTECTED]> 
<[EMAIL PROTECTED]>

>.>...
>> The voting apparatus may keep a serial record of each vote, in order, for
>> auditing purposes.
>
>No, it MUST not.  See the FEC standards on voting. The FEC standards also
>demand "storage alocation scrambling" in order to avoid even a serial order
>of storage.

In Cambridge, Massachusetts, a preferential voting system is used
which is voting order dependent.  This requires that all ballots be
numbered so that they can be processed in the same order on a recount or
else different results could occur because of the change in order.

>.>...



Re: smartcards, electronic ballots

2001-02-04 Thread David Honig

At 05:51 PM 2/4/01 -0500, William Allen Simpson wrote:
>-BEGIN PGP SIGNED MESSAGE-
>
>David Honig wrote:
>> 
>> If you give people a paper receipt with their votes on it
>> (as WAS's scheme mentions) then their votes can be bought or blackmailed.
>
>I'm unaware of how that interpretation might have arisen?  I don't see 
>anything in the proposed text that calls for a receipt to be given to 
>any voter, let alone a copy of their votes?

From "Ballot Proposal" version 1.3

10 B DISPLAY
(5) Election software shall print the selected choices on a fixed
visible medium (such as paper), and shall require the voter to
affirm those choices prior to electronic registration of the
completed ballot.

I took this to mean that "what the machine thinks the voter chose
is printed on paper" (for feedback/trust reasons).   Am I totally off?

I wasn't clear on the architecture you have in mind ---I eventually
figured out that you're requiring an online system with local and
central real time reporting (mirroring) of votes.  

(Other architectures include standalone or LAN-only machines acting only as
better voting-acquisition-machines; or a pure central server scheme like
home internet voting.)




...
"What company did you say you were from, Mr. Hewlett?"
---Walt Disney to Bill Hewlett eetimes 22.01.01 p 32

Re: smartcards, electronic ballots

2001-02-04 Thread Ed Gerck



William Allen Simpson wrote:

> -BEGIN PGP SIGNED MESSAGE-
>
> I'm sorry for the second message, but I could not let the egregious
> error pass uncorrected:

:-) egregious ...

> Ed Gerck wrote:
> > The law does not allow it, and for good reasons as you mention.
> >...
> > > The voting apparatus may keep a serial record of each vote, in order, for
> > > auditing purposes.
> >
> > No, it MUST not.  See the FEC standards on voting. The FEC standards also
> > demand "storage alocation scrambling" in order to avoid even a serial order
> > of storage.
> >
> > > This is also mentioned in WAS's legislative text.
> >
> > which is a misconception, albeit a common one
> >
> Mr Gerck would do well to precisely specify the "law" which does not
> allow this?

California Election Code, for example.  In the US, there is NO federal jurisdiction on
election code -- as it became clear to Joe Doe after Florida. Pls also read about it in
Eva Waskell's article in The Bell, page 7, November 2000 issue, and also in Jim Hurd's
article in The Bell, page 6, July 2000 issue (both issues available at www.thebell.net
in the archives section).

> Mr Gerck would also do well to specify which FEC "standards" have the
> force and effect of law?

None -- and I never said so.  They are voluntary standards, but 40+ states have
decided to follow them and incorporate them in their laws.

> As to the matter of "law", the Congress is granted the power to set
> standards for its own election (Const Article I, Sections 4 and 5).
> The FEC isn't mentioned.

Indeed, this is what Article I, Section 4 says:  “The times, places, and manner of
holding elections for Senators and Representatives shall be prescribed in each State
by the Legislature thereof; but Congress may at any time by law make or alter such
Regulations, except as to the Places of chusing Senators.”

Thus, each individual state has exercised its right to administer elections in a
manner reflecting that state’s political, social and cultural make-up.  Although the
Constitution clearly gives Congress the authority to make or alter such state
regulations, Congress has been very reluctant to do so. However, Congress has
intervened in state election procedures when, for example, they gave women the right
to vote and when they passed the Voting Rights Act. Nonetheless, states’ rights have
taken precedence when it comes to conducting elections.

(sections above by Eva Waskell, ibid.)

> But the FEC proposed standards don't even consider networks, database
> replication with offsite storage, and as mentioned earlier, cryptographic security.

read the new drafts, already past first public meetings.  Read also the state documents.

Cheers,

Ed Gerck





Re: smartcards, electronic ballots

2001-02-04 Thread William Allen Simpson

I'm sorry for the second message, but I could not let the egregious 
error pass uncorrected:

Ed Gerck wrote:
> The law does not allow it, and for good reasons as you mention. 
>...
> > The voting apparatus may keep a serial record of each vote, in order, for
> > auditing purposes.
> 
> No, it MUST not.  See the FEC standards on voting. The FEC standards also
> demand "storage alocation scrambling" in order to avoid even a serial order
> of storage.
> 
> > This is also mentioned in WAS's legislative text.
> 
> which is a misconception, albeit a common one
> 
Mr Gerck would do well to precisely specify the "law" which does not 
allow this?

Mr Gerck would also do well to specify which FEC "standards" have the 
force and effect of law?

The only document of which I am aware is the very old FEC "performance 
and test standards for punchcard, marksense, and direct recording 
electronic voting systems", January, 1990.  Never mandated, and no 
congressional appropriation for implementation.

He might be referring to chapter 4, section 4.5, page 47, where "parity 
and checksums" are required for integrity, and "the unit must 
incorporate multiple memories in the machine itself and in its 
programmable memory devices," and these "stored images of each ballot 
must protect the integrity of the data and the anonymity of each voter, 
by such means as storage location scrambling."

He might note that the subject of cryptography does not seem to be 
mentioned.  He might also note that for punchcards and marksense, 
no "scrambling" occurs.  

Moreover, he might note that the system audit requirements later in 
the same chapter (page 49) require "a complete, indestructible archival 
record of all system activity related to the vote tally."  That is to 
accomplish a "reconstruction" of the election process (repeated several 
times).  Audit data is to be serialized by a "date-and-time stamp" and 
"preserved during any interruption of power" (page 50).

As to the matter of "law", the Congress is granted the power to set 
standards for its own election (Const Article I, Sections 4 and 5). 
The FEC isn't mentioned.

But the FEC proposed standards don't even consider networks, database 
replication with offsite storage, and as mentioned earlier, 
cryptographic security.

'nuff said.





Re: smartcards, electronic ballots

2001-02-04 Thread William Allen Simpson

David Honig wrote:
> 
> If you give people a paper receipt with their votes on it
> (as WAS's scheme mentions) then their votes can be bought or blackmailed.

I'm unaware of how that interpretation might have arisen?  I don't see 
anything in the proposed text that calls for a receipt to be given to 
any voter, let alone a copy of their votes?

Perhaps there is some confusion in the interoperability requirement 
that electronic ballots be stored in a printable US-ASCII format.  

Why?  Because nobody (other than mathematicians) trusts the machines! 
The threat model is (1) the machines won't work correctly, and then 
(2) the clerks will try to steal the election, and nobody will be able 
to tell for sure, because the machines are unreliable.

Specifying the interface also promotes competition for different 
components of the systems.

The requirement arises from the need for "transparency" -- the votes 
need to look like votes to humans.  The auditors need to compare the 
recorded votes.  Everything points to a simple textual requirement.

For some odd reason, the legislative staff seems to intuitively 
understand the trust paradigm that we often struggle to elucidate:
machines don't vote/spend/publish, people do.  

The use of digital signatures is to ensure that the MACHINE is 
authorized, not the humans.  The use of human readable text is to 
ensure that HUMANS can audit the result.

That means that blinded signature schemes and smartcards and fancy 
unauditable and/or uninspectable equipment are not on the table.

Anyway, this thread has gone off into rampant speculation. 

I asked for assistance in review of the technical cryptographic 
terminology.  I've received that, and I've passed the recommendations 
on to the appropriate parties.  Thank you very much.  





Re: smartcards, electronic ballots

2001-02-04 Thread Dan Geer



As seems universally the case in security design, there must
be ugly tradeoffs.  In particular (and without quoting acres
of prior material), the proposed requirements for verifiability
and non-coercibility are at odds and one must yield to the
other.  Paper systems make this tradeoff by, on the one hand,
the polling booth (non-coercibility once within) and, on the
other hand, the supervision of the counting process by opponents
(verifiability by proxy), at a cost of zero technology.  Bettering
this in the real world is challenging.

--dan

==
as used here

verifiability
  -- voter may verify that his vote counted as he intended it to count
non-coercibility
  -- voter cannot be compelled to show how he voted, during or after

proposition:
 If the voter can verify, then he can be coerced to do so.
contrapositive:
 If voter cannot be coerced, then he cannot verify.

==





Re: electronic ballots

2001-02-04 Thread Arnold G. Reinhold

At 1:01 PM -0500 2/4/2001, John Kelsey wrote:
>-BEGIN PGP SIGNED MESSAGE-
>
>At 11:02 PM 1/27/01 -0500, William Allen Simpson wrote:
>
>...
>>"Arnold G. Reinhold" wrote:
>>> There are a lot of reasons why open source is desirable,
>>> but it does simplify the job for an attacker.
>
>>I disagree.  Security by obscurity is never desirable.
>
>Right.  This is doubly important in this application, where
>the big threat is insider fraud.  The people we're really
>worried about doing some kind of large-scale fraud are
>the ones being trusted to man voting stations, transport
>ballots, count votes, and certify elections.  Outsiders
>who've read through the source code looking for buffer
>overflow bugs aren't likely to have the access needed to
>mount an attack.
>

I feel like I am being quoted out of context here.  I was not 
suggesting closed source, but proposing a new type of compiler that 
produces obfuscated object code under a key. This could make an 
attacker's job more difficult, particularly in the narrow time window 
of an election.

In the attack model I am addressing, the people who man the voting 
stations would be supplied with malware tools based on just such an 
analysis of the source code. Under my scheme they could not rely on 
knowing the exact object code they will encounter. The compilation 
key or keys would be published after the election, allowing the 
object code used in the field to be compared with the source.


At 10:38 AM -0800 2/4/2001, David Honig wrote:
>On Banning Video Cameras From Voting Places
>
>The voting apparatus may keep a serial record of each vote, in order, for
>auditing purposes.  This is also mentioned in WAS's legislative text.  Now,
>if an evil vote buyer had someone recording who entered which booth
>and also had access to the audit records, the correlation lets them
>buy or blackmail votes.  Note that this requires only *one* conspirator if
>that conspirator is a poll worker with a concealed camera.
>

One doesn't need a concealed camera. There is nothing to stop a poll 
watcher from keeping written notes of the time when each voter votes. 
In fact, here in Massachusetts the election officials are required to 
call out the name of each voter when they get their ballots and when 
they turn them in.

Arnold Reinhold




Re: smartcards, electronic ballots

2001-02-04 Thread John R. Levine

> The voting apparatus may keep a serial record of each vote, in
> order, for auditing purposes.  This is also mentioned in WAS's
> legislative text.

Good lord no.  Here in NY, the inspectors write down each voter's name
on a log sheet with the names numbered in order, and write down the
numbers in the voter book to make it easier to cross-check who voted.
The log sheet has four or five NCR copies so that party poll watchers
can have copies.  (The poll watchers use them to cross-check their
list of registered voters so they know who hasn't voted and so know who to
call and remind them.)  Obviously, the ballot is only secret because
the equipment does NOT track the order in which votes were cast.

Call me a sort of a Luddite, but I would like a system where you vote
by pushing buttons of some sort, then the machine prints up a paper
ballot with your choices on it in an OCR font or something else that
is easily readable by both people and machines, and you can either
release the ballot into the box if it's right, or put it into a
discard pile and try again.  Then the machine forgets everything, and
they count the paper ballots to see who won.


-- 
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
[EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl, 
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail




Re: smartcards, electronic ballots

2001-02-04 Thread Ed Gerck



David Honig wrote:

> >First of all, that's not "privacy", that's "anonymity".
> >
> >We have voter registration precisely so that we know who the voters
> >are!  We are not changing voter registration
> >
> > Ed Gerck wrote:
> >>4. Fail-safe privacy in universal verifiability. If the
> >>   encrypted ballots are successfully attacked, even with
> >>court order, the voter’s name must not be revealed. In
>
> On Keeping Votes Secret
>
> If you give people a paper receipt with their votes on it
> (as WAS's scheme mentions) then their votes can be bought or blackmailed.
> Now, this may be an acceptable *tradeoff* (trust gained from paper trail
> vs. increased susceptibility to coercion), that's not for me to decide.

The law does not allow it, and for good reasons as you mention.  Also, proposals
to print the vote usually advance it as the "silver bullet" solution.  This is a
fatal mistake because to increase reliability in communications it is much better to
have a number of independent channels than one "strong" channel (Shannon,
tenth theorem).

> One potential solution is to make the 'receipts' readily forgeable --something
> anyone could print up at home, on ordinary commercial blank paper.  Such
> ready counterfeiting would deter vote buying and blackmail.

Not really. The buyer might be waiting outside the precinct, the seller might not
be able to fake it (technically -- think about the "digital divide" issues just to
have a computer), the election official might also get in collusion, etc.

> On Banning Video Cameras From Voting Places
>
> The voting apparatus may keep a serial record of each vote, in order, for
> auditing purposes.

No, it MUST not.  See the FEC standards on voting. The FEC standards also
demand "storage alocation scrambling" in order to avoid even a serial order
of storage.

> This is also mentioned in WAS's legislative text.

which is a misconception, albeit a common one

>  Now,
> if an evil vote buyer had someone recording who entered which booth
> and also had access to the audit records, the correlation lets them
> buy or blackmail votes.  Note that this requires only *one* conspirator if
> that conspirator is a poll worker with a concealed camera.

Yes, this is one of the reasons. It could also be the election official.

Cheers,

Ed Gerck





Re: smartcards, electronic ballots

2001-02-04 Thread David Honig


>First of all, that's not "privacy", that's "anonymity". 
>
>We have voter registration precisely so that we know who the voters 
>are!  We are not changing voter registration
>
>4. Fail-safe privacy in universal verifiability. If the
>encrypted ballots are successfully attacked, even with
>court order, the voter’s name must not be revealed. In

On Keeping Votes Secret

If you give people a paper receipt with their votes on it
(as WAS's scheme mentions) then their votes can be bought or blackmailed.
Now, this may be an acceptable *tradeoff* (trust gained from paper trail
vs. increased susceptibility to coercion), that's not for me to decide.
One potential solution is to make the 'receipts' readily forgeable --something
anyone could print up at home, on ordinary commercial blank paper.  Such
ready counterfeiting would deter vote buying and blackmail.

On Banning Video Cameras From Voting Places

The voting apparatus may keep a serial record of each vote, in order, for
auditing purposes.  This is also mentioned in WAS's legislative text.  Now, 
if an evil vote buyer had someone recording who entered which booth
and also had access to the audit records, the correlation lets them
buy or blackmail votes.  Note that this requires only *one* conspirator if
that conspirator is a poll worker with a concealed camera.

There should be little free-speech problem with this; political signs
are already banned within X feet of polling places.

David Honig

...
"What company did you say you were from, Mr. Hewlett?"
---Walt Disney to Bill Hewlett eetimes 22.01.01 p 32

Re: electronic ballots

2001-02-04 Thread John Kelsey

At 11:02 PM 1/27/01 -0500, William Allen Simpson wrote:

...
>"Arnold G. Reinhold" wrote:
>> There are a lot of reasons why open source is desirable,
>> but it does simplify the job for an attacker.

>I disagree.  Security by obscurity is never desirable.

Right.  This is doubly important in this application, where
the big threat is insider fraud.  The people we're really
worried about doing some kind of large-scale fraud are
the ones being trusted to man voting stations, transport
ballots, count votes, and certify elections.  Outsiders
who've read through the source code looking for buffer
overflow bugs aren't likely to have the access needed to
mount an attack.

 --John Kelsey
   k.e.l.s.e.y.(dot).j.(at).i.x.(dot).n.e.t.c.o.m.(dot).c.o.m
PGP: 5D91 6F57 2646 83F9  6D7F 9C87 886D 88AF
  ``Slavery's most important legacy may be a painful insight
  into human nature and into the terrible consequences of
  unbridled power.'' --Thomas Sowell, _Race and Culture_







Re: Pinoy math enthusiast finds fast way to decode RSA encryption

2001-02-04 Thread Barry

Quoting Marc Branchaud <[EMAIL PROTECTED]>:

> 
> Anyone know if there's any truth to this?
> 
>   Marc
> 
> 
> MANILA BULLETIN: http://www.mb.com.ph/INFO/2001-02/IT020201.asp
> 
> Pinoy math enthusiast finds fast way to decode RSA encryption
> At 03-02-01 02:27, Marc Branchaud wrote:

After finding his e-mail address, I just asked him:

From: Leo <[EMAIL PROTECTED]> 
To: [EMAIL PROTECTED], [EMAIL PROTECTED] 
Subject: [Fwd: Re: RSA Broken ??] 

Dear Barry Wels,

For your information and further discussion and scrutiny.
Here is a copy of my communication with Ron Rivest.

The format of the illustration below seems to have been modified by
my email software. 

Best regards,
Leo



-------- Original Message --------
Subject: Re: RSA Broken ??
Date: Sun, 04 Feb 2001 06:59:11 +0800
From: Leo <[EMAIL PROTECTED]>
To: Ron Rivest <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>


Dear Ron,


Thank you very much for the clarification and comprehensive explanation of the
math concepts behind RSA.  I really appreciate the time you spend on this
communications.

I just would like to get additional view and maybe some idea on comparative speed
of the process I proposed of multiplying N by Y such that the product is all bit 1 to
solve 2^X = 1 mod N.  This, I believe, is really a "NEW" approach to find the
private key.  The "NEW" here is the Specific Use of 2 and
the Use of simple Add-Shift-Compare binary operations to find X.


To illustrate further:


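Say N = 55 = 110111
By repeated addition and shifting, we arrive at Y = 19065 = 100101001111001

                  110111   = bit 0 of Y = 1
  +            110111      = bit 3,2,1 of Y = 100
    --------------------
               111101111
  +           110111       = bit 4 of Y = 1
    --------------------
             10101011111
  +          110111        = bit 5 of Y = 1
    --------------------
            110000111111
  +         110111         = bit 6 of Y = 1
    --------------------
           1100111111111
  +      110111            = bit 9,8,7 of Y = 100
    --------------------
        1000011111111111
  +    110111              = bit 11, 10 of Y = 10
    --------------------
      100011111111111111
  + 110111                 = bit 14,13,12 of Y = 100
    --------------------
    11111111111111111111   = 20 bits of 1, so X = 20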


I believe this is a very fundamental function of a computer (add, shift and compare).
Therefore, I believe this is a lot faster than a multiplication or division factoring
approach.
I just don't have any clue on how to compare this speed with "number sieves".
Although it seems like a factoring approach for N, the operation is forward (addition)
and one time (no trial and error).  So, I believe should be very fast.  My estimate is at
least = LOG(N,2) * 2 faster than division factoring.  To help me compare, maybe, you can
give a clue on how fast is a "number sieve" approach compared with simple division.


Again, thank you very much for your valuable time spent on this.  I really appreciate it.


Best regards,
Leo
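
[The add-shift-compare search described in the message above, written out as an added example; it is not part of the original message or of any code from this thread. It returns X, Y and the number of additions, and cross-checks X against the multiplicative order of 2 modulo N found by repeated doubling. The function names and the sample moduli are constructed for illustration.]

```python
# Added illustration (not from the original message): the add-shift-compare
# search for Y and X with N * Y = 2**X - 1, plus a count of the work it does.


def add_shift_search(n):
    """Return (X, Y, additions) such that n * Y == 2**X - 1, for odd n > 1."""
    if n < 3 or n % 2 == 0:
        raise ValueError("n must be odd and greater than 1")
    total = n          # running sum, always equal to n * y
    y = 1              # bit 0 of Y is 1 because n is odd
    additions = 1
    # total is all 1-bits exactly when total + 1 is a power of two.
    while (total + 1) & total:
        # Index of the lowest 0 bit in total: the next shift to add at.
        shift = ((total + 1) & ~total).bit_length() - 1
        total += n << shift
        y |= 1 << shift
        additions += 1
    return total.bit_length(), y, additions


def order_of_two(n):
    """Multiplicative order of 2 modulo odd n > 1, by repeated doubling."""
    x, power = 1, 2 % n
    while power != 1:
        power = (power * 2) % n
        x += 1
    return x


def cost_table(moduli):
    """For each modulus, report (N, bits of N, X, additions performed)."""
    rows = []
    for n in moduli:
        x, _, additions = add_shift_search(n)
        rows.append((n, n.bit_length(), x, additions))
    return rows


# Constructed sample moduli, each a product of two small primes:
# 55 = 5 * 11 (the message's own example), 3233 = 53 * 61, 10403 = 101 * 103.
SAMPLE_MODULI = [55, 3233, 10403]

if __name__ == "__main__":
    for n, bits, x, additions in cost_table(SAMPLE_MODULI):
        print(f"N={n:>6} ({bits:>2} bits)  X={x:>5}  additions={additions}")
```

[Because the search fills in the product one bit position at a time up to X, its work scales with X, the order of 2 modulo N, and not with the bit length of N.]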



Ron Rivest wrote:


> Dear Leo --
>
> Thanks for the more detailed explanation of your approach to attacking
> RSA given in your emails (copied below).  For the reasons I will
> explain, and as you are perhaps aware, I think your approach is
> unlikely to work in practice against large RSA numbers.  It would be
> very premature or misleading to characterize RSA as "broken" based on
> your work to date.
>
> On the other hand, the strength of a cryptosystem can only be
> determined by subjecting it to extensive analysis and attack by all
> interested parties.  I encourage you (and others) to try and find a
> "shortcut" for breaking RSA faster than the known attacks (which also
> don't work in practice