Newsgroups: sci.crypt
Path: msuinfo!caen!hellgate.utah.edu!lanl!cs.sandia.gov!mccurley
From: mccurley@cs.sandia.gov (Kevin S. McCurley)
Subject: Re: Pretty Good (tm) Privacy
Message-ID: <1992Jan21.000214.17043@cs.sandia.gov>
Sender: usenet@cs.sandia.gov (Another name for news)
Organization: Sandia National Laboratories, Albuquerque, NM
References: <1992Jan19.061618.59212@cs.cmu.edu> <1992Jan19.233024.18884rcain@netcom.COM> <1992Jan20.005818.24626nagle@netcom.COM>
Date: Tue, 21 Jan 92 00:02:14 GMT

In article <1992Jan20.005818.24626nagle@netcom.COM> nagle@netcom.COM
(John Nagle) writes:
>Several other suggested techniques were also shot down.  Most recently,
>techniques using digital logarithms have been shown to be vulnerable.

Aaarrgh.  Like many things that appear on usenet, this is a wild
exaggeration.  Let's not lump discrete logarithms in with knapsack
systems, as there is very little similarity in their supposed
"vulnerability".  The recent claims on vulnerability of discrete
logarithms have been known to people working in the area for a while.
It no more breaks discrete-logarithm based systems than the number
field sieve factoring algorithm breaks RSA (which is to say it
doesn't).  NFS just shows that there are some primes for which
discrete logarithms MIGHT be solved in practice more easily, based on
some asymptotic estimates that bear little relation to reality. One
thing that is pretty clear is that the set of primes for which this is
possible is extremely thin.

In 1990 I published a survey paper "The Discrete Logarithm Problem"
(pages 49-74 of Cryptology and Computational Number Theory, American
Mathematical Society, Proceedings of Symposia in Applied Mathematics,
volume 42).  In this paper I offered $100 for the solution to a
problem that can be solved by computing discrete logarithms for a
129-digit prime that might lend itself to attack by the number field
sieve.  I still haven't had to pay off on this, even though it is
about the same size as quite a few numbers that have been factored by
the number field sieve, and much smaller than the 155-digit number
factored by Lenstra and Manasse.  It's probably easier than factoring
the RSA challenge number from the 1970's Scientific American article,
but this is only because I chose the stupid form that I did.  I might
someday have to pay on this one, but that still won't say much about
the "vulnerability" of discrete logarithms.  It's very easy to come up
with a prime for which the application of the NFS algorithm looks
completely hopeless without a significant new idea for the algorithm.

Kevin McCurley
Sandia National Laboratories
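As an added illustration (not part of McCurley's post): the discrete logarithm problem he is discussing, solved for a toy prime with the generic baby-step giant-step algorithm, whose cost grows as the square root of the group order. For a 129-digit prime that is on the order of 10^64 group operations, well out of reach, which is why the practical question is whether a special-purpose method such as the number field sieve applies to a particular prime, not whether the problem is solvable in principle. The prime, base and target below are constructed sample values.

```python
"""Baby-step giant-step: generic discrete logarithm solver (added example)."""
from math import isqrt


def discrete_log_bsgs(g: int, h: int, p: int):
    """Return the least x in [0, p-2] with pow(g, x, p) == h % p, or None.

    Works in the multiplicative group mod a prime p. The search covers the
    full exponent range p-1, so g need not be a generator. Cost is about
    2*sqrt(p) modular multiplications plus a table of sqrt(p) entries.
    """
    h %= p
    n = p - 1                 # group order (p prime)
    m = isqrt(n) + 1          # step size: ceil(sqrt(n))

    # Baby steps: tabulate g^j for j = 0 .. m-1, keeping the smallest j.
    table = {}
    cur = 1
    for j in range(m):
        table.setdefault(cur, j)
        cur = cur * g % p

    # Giant steps: multiply h by g^(-m) repeatedly; a hit means
    # h * g^(-m*i) == g^j, i.e. h == g^(m*i + j).
    g_inv = pow(g, p - 2, p)          # Fermat inverse, p prime
    factor = pow(g_inv, m, p)         # g^(-m) mod p
    gamma = h
    for i in range(m):
        j = table.get(gamma)
        if j is not None:
            x = i * m + j
            if pow(g, x, p) == h:     # guard against a stale table hit
                return x
        gamma = gamma * factor % p
    return None                        # h is not in the subgroup <g>


def generic_work_estimate(p: int) -> int:
    """Rough number of group operations BSGS needs for modulus p."""
    return 2 * (isqrt(p - 1) + 1)


if __name__ == "__main__":
    # Constructed sample: 5 is a generator mod 23, and 5^6 = 8 (mod 23).
    print(discrete_log_bsgs(5, 8, 23))                # 6
    big_p = 1000003                                     # small prime, constructed
    target = pow(2, 123456, big_p)
    x = discrete_log_bsgs(2, target, big_p)
    print(x, pow(2, x, big_p) == target)
    print(generic_work_estimate(10 ** 129))             # ~6e64 operations
```

The point of the work estimate is the contrast McCurley draws: the generic bound is hopeless at 129 digits for any prime, so all the real leverage is in algorithms like the number field sieve that exploit the form of a specific prime.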
