From: Michael Wilson <0005514706@mcimail.com>
Date: Sat, 2 Jul 94 18:05:16 PDT
To: Cypherpunks <cypherpunks@toad.com>
Subject: Reply to Tim May's comments
Message-ID: <42940703010324/0005514706NA2EM@mcimail.com>
MIME-Version: 1.0
Content-Type: text/plain


Tim May wrote (reply comments offset by leading '***'):

Subject:  Re: 'Black' budget purchases
 
Michael Wilson writes:

> The data from the Maryland Procurement Office that is stored in certain 
> databases (and removed from others, as I have just discovered when I checked) 
> provides the complete 'black' budget purchases of the intelligence community, 
> not just their purchases of supercomputers.  Such raw data goes a long way 
> towards confirming other bits of intelligence, such as the establishment by 
NSA 
> of its own chip manufacturing facility owing to a lack of trust in 
undocumented 
> sections of commercial silicon.  This data is useful beyond knowing the 
numbers 

That the NSA contracted National Semiconductor to build a facility
on-site has been common knowledge since 1989-90. The fab is not state
of the art (i.e., is not 1.8 micron or better) and is believed to be
used for the very reasonable purpose of producing keying material in a
secure environment (ROMs, PROMs, fuse-linked micros, PLAs, etc.). It
is unlikely--but possible--that high-performance micros are being
manufactured there.

*** We were tracking NSA purchases of material over a decade ago; as for their 
usage of the technology, my statement was simply that they felt, after serious 
analysis, that they couldn't trust commercial silicon.  The issue was trust, not
computation power.

> of supercomputers available (although it does help provide an upper boundary 
on 
> raw processing power, useful for quantifying tolerances).
> 
> What we find interesting regarding the number of supercomputers at NSA is what
> they do to the keyspace; a supposition of ours from the early period of 
> commercial public key was an attack on the domain of potential keys.  Given a 
> known keylength, a powerful systematic search for primes that fit that range 
> can, over time, begin to damage the strength of the system.  Careful analysis 
of

This is nonsense. A typical 1024-bit RSA system uses p and q close to
512 bits each, e.g., 511 and 513. Whatever.

Now a 512-bit number is a 150-plus decimal digit number. About .5-1%
of all of these numbers are prime (by the Prime Number Theorem, or
somesuch...about 1/N of all N-digit numbers are prime, as I recall).

How big a keyspace is this to start searching "systematically"?
Considering that there are "only" about 10^73 particles of all kinds
in the entire universe (based on our best estimate of the size of the
universe, the density of galaxies, gas clouds, etc.), this means that
if every particle in the universe were searching for and recording the
primes they discovered, each particle would have to store 10^77
primes!

So much for "a powerful systematic search for primes that fit that
range."

*** You assume that your selection of primes is random; it is the case, 
particularly in the initial usages of public-key systems, that attacks could be 
made on keyspaces based on the prime generation method.  A point that 
number-crunch jockeys tend to forget is that psychology and systems analysis 
provide greater in-roads against secure systems than brute force.

> technical resource also allows one to speculate--are CM platforms (pardon the 
> pun) used for exhaustive systematic search for keys, while Cray systems are 
used
> for attacks on the keyspace?  Differentiation of parallel versus scalar 
> processing towards attack domains is interesting.

"Parallel versus scalar processing"? Parallelism means nothing at
these scales...see the above point.

*** Your point is orthogonal to our point.  The two systems are used for 
different attacks--parallelism can be used for exhaustive search, such as for 
DES keys, while scalar processing can be used for testing primality.

> Michael Wilson
> Managing Director, The Nemesis Group
> The Adversary


--Tim May

*** TNG