ADMIN: No, I'm not dead...
I was away at a couple of trade shows and forgot to send a there will be some delays message before I left. The moderation backlog should start clearing later today. -- Perry E. Metzger[EMAIL PROTECTED] -- NetBSD: The right OS for your embedded design. http://www.wasabisystems.com/ - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Lucky's 1024-bit post [was: RE: objectivity and factoring analysis]
At 08:52 AM 04/24/2002 +0800, Enzo Michelangeli wrote: In particular, none of the naysayers explained me clearly why it should be reasonable to use 256-bit ciphers like AES with 1024-bit PK keypairs. Even before Bernstein's papers it was widely accepted that bruteforcing a 256-bit cipher requires computing power equivalent to ~16Kbit RSA or DH keys (and ~~512-bit ECC keys). Given that a cipher protects only one session, *Something* has to be the weakest link; calls for balance really come down to If Algorithm A is already the stronger part of the system, why should I waste extra time/work strengthening it instead of Algorithm B?. It doesn't hurt to make parts of the system stronger than necessary, unless there are other costs like limiting the sizes of the other keys that can fit in a UDP packet or whatever. And making the AES algorithm use longer-than-needed keys gives you some extra insurance against mathematical breakthroughs or other sorts of discovered weaknesses. The important issue about whether you can use X-bit block cyphers with Y-bit public-key cyphers is whether Y bits of PK can give you X good key bits. For Diffie-Hellman, the conventional wisdom seems to be that Y bits of public key gives you Y/2 bits of usable keying material, which means that 1024-bit DH is good enough for 256-bit AES. For RSA, I think you can protect almost up to pubkeylength bits of message, since the key generation happens separately from the public-key parts, but you're definitely into overkill range. So the question falls back to Is 1024 bits long enough?. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Pact Reached to Stop Pirating Of Digital TV Over the Internet
http://online.wsj.com/article_print/0,4287,SB1019779375174781800,00.html April 26, 2002 NEW MEDIA Pact Is Reached to Stop Pirating Of Digital TV Over the Internet By YOCHI J. DREAZEN and STEPHANIE STEITZER Staff Reporters of THE WALL STREET JOURNAL WASHINGTON -- Representatives from the entertainment and consumer-electronics industries told lawmakers that they have agreed on a system to keep digital television broadcasts from being pirated over the Internet. The agreement resolves a dispute that has contributed to the slow rollout of digital television. Top executives from content companies, including AOL Time Warner Inc., and TV makers such as Panasonic/Matsushita Electric Corp. of America told a House Energy and Commerce Committee panel that they had agreed on technical standards for a new watermark. The watermark would be embedded in all digital TV broadcasts, and TVs, computers and other devices would be designed to play only materials with the watermark. The executives said they planned to release the technical details of the agreement on May 17, at which time they would ask Congress to pass legislation ratifying the standards. There are many issues that are basically solved concerning the watermark, said Paul Liao, chief technology officer for Panasonic's American operations. The executives conceded that they remained far apart on a range of other digital copyright issues, including the nettlesome questions of how to prevent music and movies from being illegally distributed over the Internet and how to stop viewers from making and sharing digital copies of analog TV broadcasts. Still, resolving the digital-TV question is an important milestone that could boost the popularity of the highly touted technology, which has yet to catch on with the public. Broadcasters are supposed to convert all of their signals to digital, but that transition has been slowed by piracy concerns, the high cost of digital equipment and a paucity of digital content. News Corp. President Peter Chernin said that the watermark question was the single biggest issue slowing the spread of digital television, and predicted that the agreement would rapidly speed up this transition. Parts of the agreement remain controversial. Lawrence Blanford, the chief executive of Philips Consumer Electronics North America, said that Congress should set the standards itself to ensure that consumers' rights to record digital television broadcasts and make copies for their own legal use were protected. Most lawmakers, however, said they preferred to ratify agreements developed by the private sector. -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire' - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Network Associates Drops McAfee Bid, Stocks Hit
http://www.nytimes.com/reuters/technology/tech-tech-mcafee-networkassociates.html?dlbk=pagewanted=printposition=top April 25, 2002 Network Associates Drops McAfee Bid, Stocks Hit By REUTERS Filed at 7:49 p.m. ET NEW YORK (Reuters) - Computer security provider Network Associates Inc. (NET.N) on Thursday withdrew its offer to buy McAfee.com Corp. (MCAF.O) after it found accounting errors that could force it to restate financial results for 1999 and 2000. The news sent both companies' shares reeling. McAfee.com tumbled more than 24 percent, or $4.57, to close at $13.97 on the Nasdaq, where the stock was among the top percentage and net loss leaders. Network Associates lost 20 percent, or $4.86, to close at $18.89 on the New York Stock Exchange, where the stock was among the most active and biggest net losers. Network Associates, whose accounting practices are under investigation by the U.S. Securities and Exchange Commission, said it does not have a ``complete understanding'' of the facts yet and it is conducting an internal investigation to determine the scope and magnitude of the problems. Still, the company said it does not believe its 2001 results or 2002 guidance will require restatement. ``We're hopeful that it is limited to 1999 and 2000, although there are still no absolute assurances that it's not crept into other periods,'' Sterling Auty, an analyst with J.P Morgan said. He downgraded Network Associates stock to ''market-performer'' from ``buy'' when the SEC probe was unveiled, he noted. The accounting problems, which were spotted during the preparation of a ``routine'' amended tax filing, are likely to affect both revenue and expense figures, Network Associates officials said during a conference call. McAfee.com Chief Executive Srivats Sampath said the withdrawal of Network Associates' offer would not have any effect McAfee's day-to-day operations. ``What does it mean to us? In a nutshell, nothing,'' Sampath said on a conference call with analysts. The CEO also stressed that Network Associates' accounting problems would not have any effect on McAfee's own financial statements or guidance. ``It will have no effect whatsoever. We have separate accountants, separate books and separate outside counsel ... for all practical purposes we're a completely separate company,'' he told Reuters. WITHDRAWS OFFER Network Associates said its findings are unrelated to the SEC investigation. It said it told SEC staff about the probe and that it would report further findings in two to three weeks. It added that the inaccuracies appear only to affect the Network Associates side of the business, not McAfee, in which Network Associates owns a 75 percent stake after spinning the company off about 3 years ago. Network Associates, whose software guards against hackers and viruses, said it withdrew its offer for the anti-virus services company McAfee.com because it felt that McAfee shareholders needed complete information before tendering their shares. The offer was due to expire on Thursday. ``We have to withdraw the offer at this point because it's a stock-for-stock transaction,'' Samenuk said. ``The McAfee offer is done right now. Done.'' SWEETENED BID Earlier this month, McAfee.com accepted a sweetened bid of $224 million from Network Associates for the 25 percent stake of McAfee it does not already own. The offer would have given McAfee shareholders 0.78 of a share of Network Associates common stock for each outstanding Class A McAfee share. Asked if he would consider another offer from Network Associates, Sampath said he wouldn't rule it out but that he would only contemplate a deal once Network Associates had fully resolved its accounting problems. ``If they come back in two weeks I would be mildly irritated,'' he said. ``They need to go and get their act together ... and then let's come back and take a look at this.'' About one week after McAfee.com accepted the revised offer from Network Associates, Sampath filed documents with the U.S. Securities and Exchange Commission saying he planned to sell 200,000 common shares he owns in McAfee.com. The filing was released on Thursday. Network Associates, which competes with Symantec Corp. (SYMC.O), has been reorganizing its operations since Samenuk and Chief Financial Officer Steve Richards came on board in early 2001. Network Associates has said the ongoing SEC probe is focused on the company's practice in 2000 of booking revenues when products were shipped to distributors instead of when customers bought the products. Kevin Wagner, an analyst with Adams, Harkness Hill Inc., questioned why the problems were only coming to light now instead of last year after Samenuk and Richards arrived to clean up shop. ``They should have looked at this a bit more closely when they first came in,'' Wagner said. ``Why not sweep out all the cobwebs?'' -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting
Re: Gartner supports HK smart ID card use
Folks on this list might be interested in a National Research Council report on nationwide identity systems: http://books.nap.edu/html/id_questions/ --Steve Bellovin, http://www.research.att.com/~smb Full text of Firewalls book now at http://www.wilyhacker.com - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Is There a Quantum Mechanic in the House? (was: Lucky's 1024-bit post [was: RE: objectivity and factoring analysis])
At 05:52 PM 4/23/2002 Tuesday, Enzo Michelangeli wrote: [...] And if the reason for the 256 bits is the possible deployment, sometimes in the future, of quantum computers, well in that case we should stop using PK cryptography altogether. Hi Enzo! Disclaimer: I am not a quantum mechanic, and I find the whole subject, including quantum computation, deeply confusing. Also, the article I refer to -- an article in Science by the guy who came up with the original factoring result -- is an article that I haven't read, and wouldn't understand if I had. (Neither do I happen to know enough to give a proper citation.) Perhaps someone on this list can fill in some of these gaps, or let us know that I've badly misinterpreted the situation, which is quite possible. All that said, my understanding is that the plausible worst case news from quantum computing would probably not require us to give up PK crypto. My understanding is that the article I'd like to cite states something like the following: 1) Factoring is special because it's all pervasively about periodicities. The author's original factoring proposal took advantage of this in an essential way in order to show a potential exponential speedup. 2) For NP problems in general, since they are search trees with only polynomial depth to an answer but exponential fanout of choices, by using superposition, quantum computation may indeed be able to give an exponential speedup on the first phase of the search -- finding the answer. 3) The problem then is reporting the answer out. The superposition that found the answer co-exists with an exponential number of superpositions that don't. My understanding is that the paper is postulating an upper bound for search problems without peculiar special properties (like the periodicities of factoring) -- the most we can get is an order-of-square-root speedup on the problem as a whole. If the above description is approximately right, then the remaining question for PK is, can one design a PK system now whose trapdoor depends on a search problem that we can be confident cannot be transformed into one with the enabling peculiar properties? AFAIK, this question has not been examined. Btw, out of fear that quantum computation might destroy PK but not single-key, I worried about whether one could do cryptographic capabilities in such a world. http://www.erights.org/elib/distrib/captp/unibus.html is a protocol sketch of a distributed capability protocol that depends only on single-key cryptography. But I hope it will never be necessary. Text by me above is hereby placed in the public domain Cheers, --MarkM - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Lucky's 1024-bit post [was: RE: objectivity and factoring analysis]
Sorry, there's a mistake in my post, which makes the relationship finding phase look easier than it actually is. BTW, why did it take 5 days for that post to go through? On Wed, Apr 24, 2002 at 12:30:26PM -0700, Wei Dai wrote: Using a factor base size of 10^9, in the relationship finding phase you would have to check the smoothness of 2^89 numbers, each around 46 bits long. Obviously there are not 2^89 integers that are 46 bits long. Each of the numbers that need to be checked for smoothness is actually around 195 bits long. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
[Announce] GnuPG 1.0.7 released
--- begin forwarded text Status: U To: [EMAIL PROTECTED] From: Werner Koch [EMAIL PROTECTED] Organisation: g10 Code GmbH Lines: 285 User-Agent: Gnus/5.090006 (Oort Gnus v0.06) Emacs/20.7 (i386-debian-linux-gnu) Subject: [Announce] GnuPG 1.0.7 released Sender: [EMAIL PROTECTED] Date: Tue, 30 Apr 2002 12:07:55 +0200 Hello! The GNU Privacy Guard (GnuPG) is GNU's tool for secure communication and data storage. It is a complete and free replacement of PGP and can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC2440. This new release has a lot of features beyond OpenPGP which will be included in a soon to be published RFC2440 successor. Version 1.0.7 has been released yesterday and is available at most mirrors (see below) now. If you can't get it from a mirror, use the primary location: ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.0.7.tar.gz (2.3MB) ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.0.7.tar.gz.sig Due to some new translations and the work we did over the last 11 months, the diff against 1.0.6 is somewhat large: ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.0.6-1.0.7.diff.gz (1.3MB) MD5 checksums of the above files are: d8b36d4dfd213a1a1027b1877acbc897 gnupg-1.0.7.tar.gz 99d92e0658972b42868d7564264797ad gnupg-1.0.6-1.0.7.diff.gz Some new things in this version: * Secret keys are now stored and exported in a new format which uses SHA-1 for integrity checks. This format renders the Rosa/Klima attack useless. Other OpenPGP implementations might not yet support this, so the option --simple-sk-checksum creates the old vulnerable format. * The default cipher algorithm for encryption is now CAST5, default hash algorithm is SHA-1. This will give us better interoperability with other OpenPGP implementations. * Symmetric encrypted messages now use a fixed file size if possible. This is a tradeoff: it breaks PGP 5, but fixes PGP 2, 6, and 7. Note this was only an issue with RFC-1991 style symmetric messages. * Photographic user ID support. This uses an external program to view the images. * Enhanced keyserver support via keyserver plugins. GnuPG comes with plugins for the NAI LDAP keyserver as well as the HKP email keyserver. It retains internal support for the HKP HTTP keyserver. * Nonrevocable signatures are now supported. If a user signs a key nonrevocably, this signature cannot be taken back so be careful! * Multiple signature classes are usable when signing a key to specify how carefully the key information (fingerprint, photo ID, etc) was checked. * --pgp2 mode automatically sets all necessary options to ensure that the resulting message will be usable by a user of PGP 2.x. * --pgp6 mode automatically sets all necessary options to ensure that the resulting message will be usable by a user of PGP 6.x. * Signatures may now be given an expiration date. When signing a key with an expiration date, the user is prompted whether they want their signature to expire at the same time. * Revocation keys (designated revokers) are now supported if present. There is currently no way to designate new keys as designated revokers. * Permissions on the .gnupg directory and its files are checked for safety. * --expert mode enables certain silly things such as signing a revoked user id, expired key, or revoked key. * Some fixes to build cleanly under Cygwin32. * New tool gpgsplit to split OpenPGP data formats into packets. * New option --preserve-permissions. * Subkeys created in the future are not used for encryption or signing unless the new option --ignore-valid-from is used. * Revoked user-IDs are not listed unless signatures are listed too or we are in verbose mode. * There is no default comment string with ascii armors anymore except for revocation certificates and --enarmor mode. * The command primary in the edit menu can be used to change the primary UID, setpref and updpref can be used to change the preferences. * Fixed the preference handling; since 1.0.5 they were erroneously matched against against the latest user ID and not the given one. * RSA key generation. * Merged Stefan's patches for RISC OS in. See comments in scripts/build-riscos. * It is now possible to sign and conventional encrypt a message (-cs). * The MDC feature flag is supported and can be set by using the updpref edit command. * The status messages GOODSIG and BADSIG are now returning the primary UID, encoded using %XX escaping (but with spaces left as spaces, so that it should not break too much) * Support for GDBM based keyrings has been
Re: Lucky's 1024-bit post
Wei Dai writes: Using a factor base size of 10^9, in the relationship finding phase you would have to check the smoothness of 2^89 numbers, each around 46 bits long. (See Frog3's analysis posted at http://www.mail-archive.com/cryptography%40wasabisystems.com/msg01833.html. Those numbers look correct to me.) If you assume a chip that can check one number per microsecond, you would need 10^13 chips to be able to complete the relationship finding phase in 4 months. Even at one dollar per chip this would cost ten trillion dollars (approximately the U.S. GDP). This is probably not the right way to approach the problem. Bernstein's relation-finding proposal to directly use ECM on each value, while asymptotically superior to conventional sieving, is unlikely to be cost-effective for 1024 bit keys. Better to extrapolate from the recent sieving results. http://citeseer.nj.nec.com/cavallar00factorization.html is the paper from Eurocrypt 2000 describing the first 512 bit RSA factorization. The relation-finding phase took about 8000 MIPS years. Based on the conventional asymptotic formula, doing the work for a 1024 bit key should take about 10^7 times as long or 80 billion MIPS years. For about $200 you can buy a 1000 MIPS CPU, and the memory needed for sieving is probably another couple of hundred dollars. So call it $500 to get a computer that can sieve 1000 MIPS years in a year. If we are willing to take one year to generate the relations then ($500 / 1000) x 8 x 10^10 is $40 billion dollars, used to buy approximately 80 million cpu+memory combinations. This will generate the relations to break a 1024 bit key in a year. If you need it in less time you can spend proportionately more. A $400 billion dollare machine could generate the relations in about a month. This would be about 20% of the current annual U.S. federal government budget. However if you were limited to a $1 billion budget as the matrix solver estimate assumed, the machine would take 40 years to generate the relations. BTW, if we assume one watt per chip, the machine would consume 87 trillion kWh of eletricity per year. The U.S. electricity production was only 3.678 trillion kWh in 1999. The $40 billion, 1-year sieving machine draws on the order of 10 watts per CPU so would draw about 800 megawatts in total, adequately supplied by a dedicated nuclear reactor. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Lucky's 1024-bit post
On Wed, May 01, 2002 at 01:37:09AM +0200, Anonymous wrote: This is probably not the right way to approach the problem. Bernstein's relation-finding proposal to directly use ECM on each value, while asymptotically superior to conventional sieving, is unlikely to be cost-effective for 1024 bit keys. Better to extrapolate from the recent sieving results. Yes, good point. For about $200 you can buy a 1000 MIPS CPU, and the memory needed for sieving is probably another couple of hundred dollars. So call it $500 to get a computer that can sieve 1000 MIPS years in a year. You need a lot more than a couple of hundred dollars for the memory, because you'll need 125 GB per machine. See Robert Silverman's post at http://groups.google.com/groups?hl=enselm=8626nu%24e5g%241%40nnrp1.deja.comprev=/groups%3Fq%3D1024%2Bsieve%2Bmemory%26start%3D20%26hl%3Den%26scoring%3Dd%26selm%3D8626nu%2524e5g%25241%2540nnrp1.deja.com%26rnum%3D21 According to pricewatch.com, 128MB costs $14, so each of your sieving machines would cost about $14000 instead of $500. If we are willing to take one year to generate the relations then ($500 / 1000) x 8 x 10^10 is $40 billion dollars, used to buy approximately 80 million cpu+memory combinations. ($14000 / 1000) x 8 x 10^10 is $1.1 trillion. So my earlier estimate for a $10 trillion 4-month machine was only off by a factor of 3, which is a nice coincidence. :) (Too bad about the memory, otherwise you can get your sieving machine almost for free by writing a worm to take over half of the Internet, which currently has about 190 million hosts.) - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
[Fwd: E-Money]
-- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit. - Robert Woodruff ---BeginMessage--- This gem of crypto-related news seems to have slipped by unobserved... UK leads e-Money revolution By IT Analysis Posted: 29/04/2002 at 15:41 GMT It is not everyday that the United Kingdom is seen to be leading the European Union (EU), never mind the rest of the world, but on Saturday April 27 2002-E Day--Britain became the first member state to implement the EU directive covering the issuing of electronic money. The British, of course, responded to this momentous event with traditional disinterest. snip full story at: http://www.theregister.co.uk/content/23/25070.html Cheers, Bob. ---End Message---
