Re: names to say in late september

2000-08-02 Thread Arnold G. Reinhold

 From http://www.yahoo.com  8/2/2000 1pm

WASHINGTON (Reuters) - A federal judge ordered an emergency hearing 
on Wednesday on a privacy rights group's request for the immediate 
release of details on Carnivore, the Federal Bureau of 
Investigation's e-mail surveillance tool.

The Electronic Privacy Information Center (EPIC), in its 
application to the judge, accused the FBI and the U.S. Justice 
Department of breaching the law by failing to act on a request for 
fast-track processing of a Freedom of Information Act query about the 
snooping system.

The FBI told Congress last month that Carnivore is designed to 
intercept data from the electronic mail of a criminal suspect by 
monitoring traffic at an Internet service provider. EPIC wants the 
FBI to disclose how it works.

U.S. District Judge James Robinson set the hearing for 3:30 p.m. 
EDT (1930 GMT) at the federal courthouse in Washington.

Attorney General Janet Reno said last week that technical 
specifications of the system would be disclosed to a ``group of 
experts.''





Re: names to say in late september

2000-07-31 Thread Arnold G. Reinhold

At 11:51 PM -0400 7/30/2000, dmolnar wrote:
>On Sun, 30 Jul 2000, Arnold G. Reinhold wrote:
>
>> By the way, I could not find the April 2000 RSA Data Security
>> Bulletin on three primes at
>> http://www.rsasecurity.com/rsalabs/bulletins/index.html  Is there a
>> better link?
>
>The link I had in mind was
>
>ftp://ftp.rsasecurity.com/pub/pdfs/bulletn13.pdf
>
>The discussion is an appendix to the discussion of RSA key lengths.
>Note that it is actually more general than just 3 primes; various
>combinations of number of primes and their length are discussed,
>along with security against known factoring algorithms.

Thanks. I hadn't gotten that far. The bulletin is actually available 
in the link I cited, in both pdf and html forms.

>
>Even if you may disagree with Silverman's assumptions about "safe"
>security levels, this is a very good place to start when looking at
>RSA with more than two factors. As for terminology, I would prefer to keep
>the RSA name and just modify it (e.g. "polyprime RSA," or better
>"3-384-prime RSA") to indicate that a modulus with more than two factors
>is in use.
>
>-David


It's not so much that I disagree with Silverman's assumptions about 
"safe" security levels, it's that they are just that: assumptions. 
Multiprime RSA is different from two-prime RSA, which is the version 
most researchers have studied over the years.  Silverman's numbers 
show that. Consumers have a right to know what they are getting, even 
in this arcane world of crypto (maybe especially in this world).

Suppose the 14 round version of Rijndael is adopted as AES and a few 
years down the road someone decides that he can make his encryption 
system a lot faster by using only 8 rounds. Would it be acceptable 
for him to call his cipher AES-8? I don't think so. On the other 
hand, "RSA" is RSA Security Inc.'s trademark and if they want to 
dilute it -- to whatever extent -- by allowing multiprime moduli, I 
suppose they can. That is why I think we need some nomenclature for 
each member of this class of algorithms that does not depend on RSA 
Security Inc.'s judgement, however informed it may be.

Arnold Reinhold









Re: names to say in late september

2000-07-31 Thread dmolnar



On Sun, 30 Jul 2000, Arnold G. Reinhold wrote:

> By the way, I could not find the April 2000 RSA Data Security 
> Bulletin on three primes at 
> http://www.rsasecurity.com/rsalabs/bulletins/index.html  Is there a 
> better link?

The link I had in mind was 

ftp://ftp.rsasecurity.com/pub/pdfs/bulletn13.pdf

The discussion is an appendix to the discussion of RSA key lengths. 
Note that it is actually more general than just 3 primes; various
combinations of number of primes and their length are discussed,
along with security against known factoring algorithms. 

Even if you may disagree with Silverman's assumptions about "safe"
security levels, this is a very good place to start when looking at 
RSA with more than two factors. As for terminology, I would prefer to keep
the RSA name and just modify it (e.g. "polyprime RSA," or better
"3-384-prime RSA") to indicate that a modulus with more than two factors
is in use. 

-David





Re: names to say in late september

2000-07-30 Thread Arnold G. Reinhold

While the RSA/Security Dynamics second letter to the P1363 committee 
http://grouper.ieee.org/groups/1363/P1363/letters/SecurityDynamics2.jpg
pretty much alleviates my concerns about using the "RSA" name from a 
legal perspective, the two messages below demonstrate why I think an 
unambiguous generic name is also needed.

The RSA algorithm with a modulus that is the product of three primes 
is a different cryptographic algorithm from RSA with a modulus that 
is the product of two primes. In cryptography, a little bit different 
is like a little bit pregnant. In particular, the three prime 
approach appears more vulnerable to an advance in quadratic sieving 
than the two prime approach.  I am not saying the three prime approach 
should never be used, just that its security must be evaluated 
separately.

That RSA Security Inc. is considering allowing the use of three prime 
moduli under the umbrella of the RSA name doesn't change the fact 
that this is a different design. I think it is important to have some 
nomenclature (triprime?) that reflects exactly which method is in 
use. If I had recommended to a client that they use a particular 
product based, in part, on the claim that they employed the RSA 
algorithm and it turned out later that they used a triprime modulus, 
I would be quite annoyed.

Also, someone sending a secret message using PKC depends on the 
security of the recipient's algorithm and keys.  With triprime 
moduli, there would not even be a change in algorithm to alert the 
sender. There needs to be some way to let people know what security 
they are getting. I am not aware of any efficient test to distinguish 
numbers with two factors from numbers with more than two. Does anyone 
know of one?

By the way, I could not find the April 2000 RSA Data Security 
Bulletin on three primes at 
http://www.rsasecurity.com/rsalabs/bulletins/index.html  Is there a 
better link?


Arnold Reinhold

At 1:06 PM -0700 7/28/2000, Steve Reid wrote:
>On Thu, Jul 27, 2000 at 03:00:16PM -0400, Arnold G. Reinhold wrote:
>> I like "Biprime Cryptography," or maybe "Biprime Public Key
>> Cryptography," where a biprime is defined as the product of two prime
>> numbers.  It doesn't get close to any trademark and it is descriptive
>> of the algorithm.
>
>Sounds like "composite modulus cryptography" which I think has been
>mentioned on the crypto lists before.
>
>"Biprime cryptography" is not really accurate, because RSA doesn't
>require that the modulus be the product of two primes. I seem to
>remember someone (I think it was Richard Schroeppel) a few years ago
>advocating RSA with a three-prime modulus. The idea was that having
>three primes instead of two would not weaken the algorithm in any
>practical way, but it could make CRT operations even faster. It
>wouldn't make the number field sieve any easier because the number of
>primes doesn't affect NFS workfactor. It would make (I think) the
>quadratic sieve more efficient, but at normal keysizes (1024 bits?) the
>three primes would all be large enough that quadratic sieve would still
>be less efficient than the number field sieve.

At 6:26 PM -0400 7/28/2000, dmolnar added:
>...
>Note that Compaq is trying to push this under the name "Multiprime."
>Bob Silverman has a nice analysis of the number of factors and size of
>factors vs. security tradeoff in the April 2000 RSA Data Security
>bulletin. It's only in the PDF version (or was), though.
>PKCS #1 is also being amended to allow for multiple distinct primes.
...
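
Added example, not part of any message in this thread: a toy Python sketch of the point argued above, that the sender's public operation is the same whether the modulus has two or three prime factors, while the key holder's CRT private operation runs one short exponentiation per prime. The exponent 65537, the 768-bit modulus size, the seeded generator and every function name are assumptions made for the illustration.

```python
"""Toy multi-prime RSA (added illustration; all names and parameters are assumptions)."""
import random
from math import gcd, prod

E = 65537  # public exponent chosen for the demo; the thread does not name one


def is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_key(modulus_bits, k, seed):
    """Return (n, primes): n is the product of k distinct primes of equal length."""
    rng = random.Random(seed)  # seeded so the demo repeats; never do this for real keys
    bits = modulus_bits // k
    primes = []
    while len(primes) < k:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # odd, exactly `bits` long
        if p not in primes and gcd(E, p - 1) == 1 and is_probable_prime(p, rng):
            primes.append(p)
    return prod(primes), primes


def public_op(m, n):
    """The sender's computation: identical whatever the number of prime factors."""
    return pow(m, E, n)


def private_op_crt(c, primes):
    """Private operation by CRT over every prime factor, recombined Garner-style."""
    m, modulus = 0, 1
    for p in primes:
        d_p = pow(E, -1, p - 1)   # per-prime private exponent
        m_p = pow(c % p, d_p, p)  # short exponentiation modulo one prime
        h = ((m_p - m) * pow(modulus, -1, p)) % p
        m += modulus * h          # now m is correct modulo every prime seen so far
        modulus *= p
    return m


def crt_work(primes):
    """Rough cost model: a modular exponentiation on b-bit numbers costs about b**3."""
    return sum(p.bit_length() ** 3 for p in primes)


def demo():
    """Encrypt one constructed message under a 2-prime and a 3-prime 768-bit key."""
    msg = int.from_bytes(b"constructed sample message", "big")
    out = {}
    for k in (2, 3):
        n, primes = gen_key(768, k, seed=2000 + k)
        recovered = private_op_crt(public_op(msg, n), primes)
        out[k] = (recovered == msg, n.bit_length(), crt_work(primes))
    return out


if __name__ == "__main__":
    for k, (ok, n_bits, work) in demo().items():
        print(f"{k} primes: round trip {ok}, modulus {n_bits} bits, CRT work {work}")
```

Under the cubic cost model the three-prime key needs 4/9 of the two-prime CRT work at the same modulus size, and nothing in `public_op` or in `n` tells the sender which kind of key was used.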





Re: names to say in late september

2000-07-28 Thread dmolnar



On Fri, 28 Jul 2000, Steve Reid wrote:

> remember someone (I think it was Richard Schroeppel) a few years ago
> advocating RSA with a three-prime modulus. The idea was that having
> three primes instead of two would not weaken the algorithm in any
> practical way, but it could make CRT operations even faster. It

Note that Compaq is trying to push this under the name "Multiprime."
Bob Silverman has a nice analysis of the number of factors and size of
factors vs. security tradeoff in the April 2000 RSA Data Security
bulletin. It's only in the PDF version (or was), though. 
PKCS #1 is also being amended to allow for multiple distinct primes.

The idea of using CRT is due to Couvreur and Quisquater, as far as I
know...although I haven't read the original paper and don't know if they
suggested multiple primes or not. 

-David





Re: names to say in late september

2000-07-28 Thread Steve Reid

On Thu, Jul 27, 2000 at 03:00:16PM -0400, Arnold G. Reinhold wrote:
> I like "Biprime Cryptography," or maybe "Biprime Public Key 
> Cryptography," where a biprime is defined as the product of two prime 
> numbers.  It doesn't get close to any trademark and it is descriptive 
> of the algorithm.

Sounds like "composite modulus cryptography" which I think has been
mentioned on the crypto lists before.

"Biprime cryptography" is not really accurate, because RSA doesn't
require that the modulus be the product of two primes. I seem to
remember someone (I think it was Richard Schroeppel) a few years ago
advocating RSA with a three-prime modulus. The idea was that having
three primes instead of two would not weaken the algorithm in any
practical way, but it could make CRT operations even faster. It
wouldn't make the number field sieve any easier because the number of
primes doesn't affect NFS workfactor. It would make (I think) the
quadratic sieve more efficient, but at normal keysizes (1024 bits?) the
three primes would all be large enough that quadratic sieve would still
be less efficient than the number field sieve.





RE: names to say in late september

2000-07-28 Thread John Kennedy

Having listened to ANSI X9F.1 and IEEE P1363 working groups argue for years
about naming/renaming nearly to the point of absurdity,
I thought I would point out what RSA's lawyers said on the record about the
name:

http://grouper.ieee.org/groups/1363/P1363/letters/SecurityDynamics.jpg
http://grouper.ieee.org/groups/1363/P1363/letters/SecurityDynamics2.jpg

-John Kennedy
(The usual disclaimers apply...)




To:   [EMAIL PROTECTED]
Subject:  RE: names to say in late september




> From: Rodney Thayer [mailto:[EMAIL PROTECTED]]
>
> Many companies trade mark their company name.  I've heard the
> term 'rsa' pre-dates the company, so I assume they didn't do
> that.  I don't see it on the web site.
>
Trademarking the company name and trademarking the algorithm name is
different.

It seems RSA (the company) has trademarked RSA (the algorithm), although
recently.

From  (there may be more RSA algorithm trademarks, these are
just the first two I came across:
-
Word Mark: RSA










Re: names to say in late september

2000-07-28 Thread Matt Crawford

> What shall we call that-public-key-algorithm-that-will-not-be-
> patent-protected in late September?  we should not use a
> trademarked or copyrighted term, in my opinion.

I think that "RSA" has gone the way of "Aspirin" and "Zipper".
If some lawyers try to make trouble about it, just put the initials
into alphabetical order!




Re: names to say in late september

2000-07-28 Thread William Allen Simpson


This was an issue last year.  We've covered the same ground that was 
covered elsewhere last year, including the same proposed names.

Having been awakened by a thunderstorm, I took a little time to check 
on progress over in IEEE.  The latest letter that I found, in 
http://grouper.ieee.org/groups/1363/P1363/patents.html, says:

"... we do not intend to rely on our trademark rights in the RSA 
brand to prevent the use of ... the terms 'RSA public key', 'RSA 
private key', and 'RSA key pair'."

I think we are relatively safe.  I think we are even safer satisfying 
their concerns in their final paragraph by adding explicit language to 
documentation saying:

   "Due to the acrimonious nature of previous interactions, we don't 
   use any products sourced from, licensed from, or endorsed by, 
   RSA Data Security, Inc."

Note that somebody is claiming patents on RIPEMD and SHA1, among many 
other problems.  I suppose that I shouldn't be surprised.  (heavy sigh)

Rodney Thayer wrote:
> However, given the, ah, acrimonious  nature of this corner of this
> marketplace,
> it seems prudent to consider another name.
> 






RE: names to say in late september

2000-07-28 Thread Heyman, Michael

> From: Rodney Thayer [mailto:[EMAIL PROTECTED]]
> 
> Many companies trade mark their company name.  I've heard the 
> term 'rsa' pre-dates the company, so I assume they didn't do 
> that.  I don't see it on the web site.
> 
Trademarking the company name and trademarking the algorithm name is
different.

It seems RSA (the company) has trademarked RSA (the algorithm), although
recently.

From  (there may be more RSA algorithm trademarks, these are
just the first two I came across:
-
Word Mark: RSA 

Goods and Services: IC 009. US 021 023 026 036 038. G & S: Computer software
to integrate cryptographic security features into software applications.
FIRST USE: 19950400. FIRST USE IN COMMERCE: 19950400 

Mark Drawing Code: (1) TYPED DRAWING 

Serial Number: 75703025 

Filing Date: May 11, 1999 

Published for Opposition: January 4, 2000 

Registration Number: 2335885 

Registration Date: March 28, 2000 

Owner: (REGISTRANT) RSA Data Security, Inc. CORPORATION DELAWARE 2955 Campus
Drive, Suite 400 San Mateo CALIFORNIA 944032507 

Assignment Recorded: ASSIGNMENT RECORDED 

Type of Mark: TRADEMARK 

Register: PRINCIPAL 

Live/Dead Indicator: LIVE 

and

Word Mark: RSA 

Goods and Services: IC 009. US 021 023 026 036 038. G & S: NON-PREDICTABLE
CODE CALCULATORS, NAMELY, COMPUTER HARDWARE AND COMPUTER SOFTWARE THAT
GENERATE SECURITY ACCESS CODES FOR ACCESSING HOST DATA BANK COMPUTERS; AND
COMPUTER SOFTWARE PROGRAMS THAT ISSUE AND MANAGE DIGITAL USER INDENTITIES
AND ACCESS PRIVILEGES FOR ELECTRONIC COMMERCE AND SECURITY 

Mark Drawing Code: (1) TYPED DRAWING 

Serial Number: 75697271 

Filing Date: May 4, 1999 

Files ITU: FILED AS ITU 

Published for Opposition: March 21, 2000 

Owner: (APPLICANT) RSA Data Security, Inc. CORPORATION DELAWARE 2955 Campus
Drive, Suite 400 San Mateo CALIFORNIA 944032507 

Assignment Recorded: ASSIGNMENT RECORDED 

Prior Registrations: 1855630;1857585 

Type of Mark: TRADEMARK 

Register: PRINCIPAL 

Live/Dead Indicator: LIVE 




Re: names to say in late september

2000-07-28 Thread Rich Salz

> However, given the, ah, acrimonious  nature of this corner of this
> marketplace, it seems prudent to consider another name.

RSADSI (or whatever their name was back then) once tried to get the IEEE
crypto committee to use a generic term, rather than their trademark for
the "RSA encryption system."  They were told to take a hike.  This was a
couple of years ago, perhaps John Gilmore remembers more details.

Using a different name will confuse the marketplace.  It also offers
unscrupulous salesmen an opportunity "oh, that's not the *real* RSA." 
Both of those are much greater risks than the risk of trademark
infringement. Especially since it's doubtful they'd win.

Let's stick with RSA.
/r$




Re: names to say in late september -- Rishad?

2000-07-28 Thread David Jablon

About "Rishad", someone privately wrote:

> ... naming an algorithm designed by three jewish guys after
> an arabic word doesn't actually seem right to me...

Ha!  I thought about that ... for a minute or so.  But great
ideas like RSA must rise above irrelevant cultural boundaries.

But now that you mention it ... "algebra" itself is arabic.
Why not acknowledge the deep historic roots of this art, along with
these new practitioners, in the same breath.

There is a fitting irony here, too.  After all, this whole renaming party
is an effort to wrest control of the name of a thing away from the original
authors and their business affiliates.  This *is* a cultural change.
The whole free vs. patented crypto debate seems to be one of
the great religious wars in high tech today.

Rishad.  Jihad.  It kind of fits.

Of course, I say all this tongue-in-cheek, as one who refuses
to fight consistently on either side of this polarized debate.
I just don't get too hung up on these problems.

-- David

>At 02:27 PM 7/27/00 -0400, I wrote:
>>How about RISHAD?
>>
>>It's pronounceable, captures all three inventors in the same order
>>and equal proportions, and is already a name, with relevant connotations.
>>
>>The similar "Rashad" is listed as meaning "integrity of conduct", which seems
>>particularly appropriate. 
>>There is also "Rashid", "Rightly guided, Having the true Faith",
>>which neatly captures the history of zealous marketing behind this
>>method.  Perhaps others know of the origins of the "Rishad" or other
>>forms, which for all I know could have completely different meanings.

>>At 07:05 AM 7/27/00 -0700, Rodney Thayer wrote:
>>>What shall we call
>>>that-public-key-algorithm-that-will-not-be-patent-protected in late
>>>September? ...

---
David P. Jablon
[EMAIL PROTECTED]
www.IntegritySciences.com





Re: names to say in late september

2000-07-27 Thread Rodney Thayer

Many companies trade mark their company name.  I've heard the term 'rsa'
pre-dates the company, so I assume they didn't do that.  I don't see it on
the web site.

However, given the, ah, acrimonious nature of this corner of this
marketplace, it seems prudent to consider another name.

[EMAIL PROTECTED] wrote:

> Why does the patent expiration mean the name must change?
> The patent is independent of any name/licensing issues.
>
> Calling it anything other than RSA is boneheaded.





Re: names to say in late september

2000-07-27 Thread rsalz

Why does the patent expiration mean the name must change?
The patent is independent of any name/licensing issues.

Calling it anything other than RSA is boneheaded.




Re: names to say in late september

2000-07-27 Thread Ben Laurie

Eric Murray wrote:
> 
> On Thu, Jul 27, 2000 at 07:05:38AM -0700, Rodney Thayer wrote:
> > What shall we call
> > that-public-key-algorithm-that-will-not-be-patent-protected in late
> > September?  we should not use a trademarked or copyrighted term, in my
> > opinion.
> > There was discussion of this a while ago, I think.  I don't recall what
> > was around.
> >
> > I suggest "Rivest Public Key", or 'RPKey'.
> 
> Too close to "RPK".
> 
> >  It's not the prettiest
> > buzzword I've ever
> > suggested, but is there something better to call it?
> 
> "The algorithm formerly known as RSA"?

That is, TAFKA, which is _so close_ to Kafka I don't know how anyone can
resist!

> 
> In Singh's "Code Book", he relates a story where Adleman
> insisted to Rivest that his (Adleman's) name be last on the paper...
> Ron had originally had it in alphabetical order.
> Perhaps "ASR" might then be appropriate?

Errr ... if you get the order right, you might see why he didn't want
it...

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

Coming to ApacheCon Europe 2000? http://apachecon.com/




Re: names to say in late september

2000-07-27 Thread David Jablon

How about RISHAD?

It's pronounceable, captures all three inventors in the same order
and equal proportions, and is already a name, with relevant connotations.

The similar "Rashad" is listed as meaning "integrity of conduct", which seems
particularly appropriate. 
There is also "Rashid", "Rightly guided, Having the true Faith",
which neatly captures the history of zealous marketing behind this
method.  Perhaps others know of the origins of the "Rishad" or other
forms, which for all I know could have completely different meanings.

At 07:05 AM 7/27/00 -0700, Rodney Thayer wrote:
>What shall we call
>that-public-key-algorithm-that-will-not-be-patent-protected in late
>September?  we should not use a trademarked or copyrighted term, in my
>opinion.
>There was discussion of this a while ago, I think.  I don't recall what
>was around.
>
>I suggest "Rivest Public Key", or 'RPKey'.  It's not the prettiest
>buzzword I've ever
>suggested, but is there something better to call it?

I think you'd want to ask Ron about that first proposal, and it
seems unfair to omit Adi and Len.

-- David





Re: names to say in late september

2000-07-27 Thread Arnold G. Reinhold

At 7:05 AM -0700 7/27/2000, Rodney Thayer wrote:
>What shall we call
>that-public-key-algorithm-that-will-not-be-patent-protected in late
>September?  we should not use a trademarked or copyrighted term, in my
>opinion.
>There was discussion of this a while ago, I think.  I don't recall what
>was around.
>
>I suggest "Rivest Public Key", or 'RPKey'.  It's not the prettiest
>buzzword I've ever
>suggested, but is there something better to call it?

I like "Biprime Cryptography," or maybe "Biprime Public Key 
Cryptography," where a biprime is defined as the product of two prime 
numbers.  It doesn't get close to any trademark and it is descriptive 
of the algorithm.

Arnold Reinhold




Re: names to say in late september

2000-07-27 Thread John Kelsey

At 07:05 AM 7/27/00 -0700, Rodney Thayer wrote:
...
>I suggest "Rivest Public Key", or 'RPKey'.  It's not the prettiest
>buzzword I've ever
>suggested, but is there something better to call it?

There's already an RPK, which (if I recall correctly) is based on doing
Diffie-Hellman with shift registers.  So this might be confusing.

What about just expanding the acronym: The Rivest Shamir Adleman public key
system.

--John
 





Re: names to say in late september

2000-07-27 Thread William Allen Simpson

Rodney Thayer wrote:
> 
> What shall we call
> that-public-key-algorithm-that-will-not-be-patent-protected in late
> September?  we should not use a trademarked or copyrighted term, in my
> opinion.

"The Public Key Algorithm Formerly Known as RSA"

In the usual academic tradition, it should continue to be called after 
the discoverers.  ARS would be nicely alphabetical.  There isn't much 
likelihood of confusion with Agricultural Research Service, Automation 
Research Systems Ltd, or Authorized Remarketing Supplier (checking the 
top google references).

And when you say it, it has a ring of truth about the 20 years that 
we've endured.

Meanwhile, what celebrations are planned?

Is there a conference we should all attend on the 20th/21st?  If one 
was organized, would folks come?

[EMAIL PROTECTED]
Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32





Re: names to say in late september

2000-07-27 Thread Eric Murray

On Thu, Jul 27, 2000 at 07:05:38AM -0700, Rodney Thayer wrote:
> What shall we call
> that-public-key-algorithm-that-will-not-be-patent-protected in late
> September?  we should not use a trademarked or copyrighted term, in my
> opinion.
> There was discussion of this a while ago, I think.  I don't recall what
> was around.
> 
> I suggest "Rivest Public Key", or 'RPKey'.

Too close to "RPK".

>  It's not the prettiest
> buzzword I've ever
> suggested, but is there something better to call it?

"The algorithm formerly known as RSA"?

In Singh's "Code Book", he relates a story where Adleman
insisted to Rivest that his (Adleman's) name be last on the paper...
Ron had originally had it in alphabetical order.
Perhaps "ASR" might then be appropriate?

-- 
  Eric Murray http://www.lne.com/ericm  ericm at lne.com  PGP keyid:E03F65E5
Security consulting: secure protocols, security reviews, standards, smartcards.