Re: overcoming ecash deployment problems (Re: all about transferable off-line ecash)

[A. Melon]

Tim May <[EMAIL PROTECTED]> wrote:
> On Thursday, April 11, 2002, at 06:59  AM, Mike Rosing wrote:
> > But the reason we have AC today is because Tesla requested no
> > royalties on his motor/generator.  Something for Brands to think
> > about.
> 
> No, we have AC because AC works better than DC in home wiring
> situations.

Hmmm.  I always thought the reason we went with AC was because at the
time, DC power couldn't cut it.  They couldn't find any way to reliably
transfer DC power more than a half mile or so from the power plant, and
when trying to demonstrate it in NYC couldn't even get DC power all the
way up a multi-story building.

Tesla's AC power solved this problem, after which Edison and his backers
started some kind of smear campaign saying that DC was safer and such.

Mr Anonymous

Re: all about transferable off-line ecash (Re: Brands off-line tech)

[A. Melon]

Peter Trei writes:
> Speaking for myself and a few friends and relations, we'd
> be perfectly happy to use them, if they were available.

A good place to get Sacagawea dollars is from the stamp machine at your
local post office.  Put in a $20 bill and buy as small an amount of
stamps as you can, and many of the machines will give you golden dollars
in change.  Make sure you check the machine first; it should be labeled
about what kind of change it gives.  Otherwise you'll be hauling around
dozens of quarters.

Choate's header stripping address

[A. Melon]

I have added Choate's header stripping cpunks address (I won't lie and 
call it an anonymizer) to my killfile, as 95% of all traffic through it 
has been spam previously. Apparently, Jimbo left a mailto: link on a 
website somewhere, and it got harvested.

Now, Mr. CACL is evading my killfiles by using his "anonymizer". Perhaps 
he has realized that most of us have plonked him a long time ago, and 
this is his way of forcing his Slashdot headlines on us?

For those few of you who have been using that address to post to the 
list whose comments are actually interesting, you may wish to find an 
alternative method. Real cypherpunks use real remailers.

RE: 1024-bit RSA keys in danger of compromise

[A. Melon]

> Here's a real question: if you could build a special purpose machine
> to do 1024 bit RSA keys (that is, factor a 1024 bit number), how much
> would that help with discrete logs in a safe prime field?

Solving discrete logs via NFS is structurally similar to factoring.
You start off with a factor base and generate a large number of
relations among the elements in that set.  You then look for a linear
dependency among these relations, which amounts to solving a large matrix.
Since the techniques are similar, Dan Bernstein's ideas probably apply
to both cases.

However there are some significant differences, mostly in the second
phase, the matrix reduction.  The matrix solution in the case of
factoring is over GF(2).  This means that all the elements are 0's and
1's, that "addition" is just XOR, and that "multiplication" is just AND.
This simplifies the problem and Bernstein uses a trick to speed up matrix
multiplication in this field.

Bernstein's insight is that matrix multiplication in GF(2) is essentially
just a matching problem.  When you have two 1's being multiplied together,
you keep them; if either one is a 0, you can eliminate that.  During the
addition, if you have two matching elements, they cancel; if they are
unlike elements, they produce a 1.  So what he does is to put the data
into a giant sorting engine.  This brings the corresponding elements
close together.  Then a couple of passes of these matching rules gives
the result.

The matrix solution for discrete log is over a larger field, the size of
the large prime that divides p-1; 1023 bits for a strong 1024 bit key.
You don't have just 0's and 1's, and you no longer have simple matching
rules.  The field operations are non-trivial.

This will have several effects.  First, the cells of the solver will have
to be larger; in addition to storing row and column numbers, they have to
store a large numeric value.  Second, the cells will have to include much
more complex logic; instead of just comparing with their neighbors and
looking for matches, they have to do modular multiplication and addition.
And third, the algorithm will change during the addition phase; a series
of values have to be added together, rather than just counting whether
there are an even or odd number.  This probably doesn't increase the
asymptotic number of steps, though.

So the matrix solver will be considerably larger, but if the factoring
version were buildable, the DL version probably could be built as well.
Given the increased complexity of the cell, from doing ANDs of ~40 bit
numbers to doing modular multiplication of ~1000 bit values, a very rough
guess is that it will be 1000 times more expensive.  It may be possible
to compensate for this greater cost by using a smaller factor base.

The first phase in both algorithms involves finding numbers smooth over a
factor base, so again the success of a factoring engine probably implies
that the discrete log machine would work, too.

Summing up, Bernstein's techniques would require some modification for
solving discrete logs, and the details of the asymptotic analysis would
probably not be exactly the same, but broadly speaking the same general
techniques would apply.  If his machine factors 1024 bit numbers at
some reasonable expense, 1024 bit discrete log keys would have to be
considered unsafe as well.