Re: Lucky's 1024-bit post [was: RE: objectivity and factoring analysis
Wei Dai writes: Using a factor base size of 10^9, in the relationship finding phase you would have to check the smoothness of 2^89 numbers, each around 46 bits long. (See Frog3's analysis posted at http://www.mail-archive.com/cryptography%40wasabisystems.com/msg01833.html. Those numbers look correct to me.) If you assume a chip that can check one number per microsecond, you would need 10^13 chips to be able to complete the relationship finding phase in 4 months. Even at one dollar per chip this would cost ten trillion dollars (approximately the U.S. GDP). This is probably not the right way to approach the problem. Bernstein's relation-finding proposal to directly use ECM on each value, while asymptotically superior to conventional sieving, is unlikely to be cost-effective for 1024 bit keys. Better to extrapolate from the recent sieving results. http://citeseer.nj.nec.com/cavallar00factorization.html is the paper from Eurocrypt 2000 describing the first 512 bit RSA factorization. The relation-finding phase took about 8000 MIPS years. Based on the conventional asymptotic formula, doing the work for a 1024 bit key should take about 10^7 times as long or 80 billion MIPS years. For about $200 you can buy a 1000 MIPS CPU, and the memory needed for sieving is probably another couple of hundred dollars. So call it $500 to get a computer that can sieve 1000 MIPS years in a year. If we are willing to take one year to generate the relations then ($500 / 1000) x 8 x 10^10 is $40 billion dollars, used to buy approximately 80 million cpu+memory combinations. This will generate the relations to break a 1024 bit key in a year. If you need it in less time you can spend proportionately more. A $400 billion dollare machine could generate the relations in about a month. This would be about 20% of the current annual U.S. federal government budget. However if you were limited to a $1 billion budget as the matrix solver estimate assumed, the machine would take 40 years to generate the relations. BTW, if we assume one watt per chip, the machine would consume 87 trillion kWh of eletricity per year. The U.S. electricity production was only 3.678 trillion kWh in 1999. The $40 billion, 1-year sieving machine draws on the order of 10 watts per CPU so would draw about 800 megawatts in total, adequately supplied by a dedicated nuclear reactor. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
RSA Hong Kong: Interest growing in smart cards
http://technology.scmp.com/cgi-bin/gx.cgi/AppLogic+FTContentServer?pagename=SCMP/Printacopyaid=ZZZVPVPXI0D Friday, May 3, 2002 Interest growing in smart cards ANH-THU PHAN The Hong Kong Government's plan to introduce digital identification cards starting from next year is raising the business community's interest in using similar smart card technology for controlling access to internal computer systems, according to Pierre Pang, Hong Kong territory manager for RSA Security. One of RSA's Hong Kong clients plans to implement a trial system for 500 users in September, using smart card technology to allow employees access to the company's computer system at their desktops and kiosks. The smart-card system could eventually be expanded to cover the company's 10,000 users. Mr Pang said his office received about 10 inquiries per week about smart-card technology, but widespread adoption would depend on prices of card-reading hardware coming down dramatically. RSA, which manufactures password-generating tokens and other computer security products, recently introduced a card that can be embedded with digital certificates, as well as add-on Java programs which can be used for digital purses and other applications. The company has also added a single sign-on software product that competes with Microsoft's Passport and Sun's Liberty Alliance Project. Such products are more in demand as companies move to grant employees and customers access to more information over Web interfaces, and as governments begin to offer more services to citizens through the Internet. With single sign-on, which is often based on open technologies such as Kerberos, users can access several programs or databases without having to key in user names and passwords many times. Systems administrators can theoretically set up and manage rules for granting access to information more easily. One possible stumbling block to the implementation of such single sign-on schemes is lack of user enthusiasm and concerns over security. A recent Gartner study estimated most users of Microsoft's Passport program did not know of or use the authentication features. However, Gary Lau, an RSA technical consultant, said user acceptance of single sign-on was low because the systems only required passwords and the perception was that password security was low. Once these systems required a second factor - such as a smart card, fingerprint or digital certificate - before access was granted then people would change their view of single sign-on. -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire' - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Press Reactions on GnuPP 1.1 Launch during CeBIT 2002
http://www.sicherheit-im-internet.de/themes/print.phtml?ttid=20tsid=199tdid=1679page=0 Press Reactions on GnuPP 1.1 Launch during CeBIT 2002 [ CeBIT Newsticker ]: Federal German Ministry of Economics Forces E-mail Encryption At the CeBIT the Federal German Ministry of Economics distributes for free the mail encryption program GnuPP 1.1 complete with manual. The mail roboter Adele shall provide a lead-in to the issue by practising the krypto mail communication together with the user. The Federal German Ministry of Economics is supporting the open source project GnuPP ( GNU Privacy Project) since the year 2000. With that the Ministry wants to provide the development of a cryptography infrastructure that does not depend on manufacturers, that is safe and corresponds to international standards. It would not be recommended to use standard software in security sensitive areas and the Ministry explicitly warns to do so in its press release . Only the open source principle allows the user to look at the complete programming of a software, and that means security to the greatest extent. Apart from the software the package of the Ministry contains a two-piece manual that is completely new written and designed. With the help of this manual even laypersons shall be able to clear the first hurdle of e-mail encryption. And something else is new: Adele ([EMAIL PROTECTED]), an exercise roboter for practising the procedure of encryption and decryption as often as the entry-level user will need it. Adele reacts to sent-in public keys and encrypted e-mails, sends its own public key, and answers to encrypted and decrypted incoming e-mails. In this way a dialog between correspondence partners is formed so that entry-level users can practise transactions of e-mail encryption like in real life and may gain confidence in the safety of this procedure. At the CeBIT one can get the GnuPP package (manual with CD-ROM) for free at the stands of the Federal German Ministry of Economics. During the entire fair the Ministry also provides presentations and advisory service for free. Federal German Ministry of Economics: pavilion11, stand D25 Pavillon D / 11, stands 76 and 5 Origin: tecCHANNEL Slasdot: Encryption For All Sponsored by German Govt. The German Ministry of Economics uses the CeBIT computer fair as a forum to propagate its GnuPP (Gnu Privacy Project -- I know, it is *not* GPG, but GPG is part of the package) encryption package to the public, giving away CD-roms with the package. The CeBIT press release can be found here. The download for those who can\'t make it to CeBIT is here. The package is available in English too, but the page itself has to be put through the (babel)fish, as usual. Finally a government that moves in the right direction ... [ Privacy Digest ]: The Federal German Ministry of Economics is supporting the open source project GnuPP ( GNU Privacy Project) since the year 2000. With that the Ministry wants to provide the development of a cryptography infrastructure that does not depend on manufacturers, that is safe and corresponds to international standards. It would not be recommended to use standard software in security sensitive areas and the Ministry explicitly warns to do so in its press release. Only the open source principle allows the user to look at the complete programming of a software, and that means security to the greatest extent.[ more... ] © copyright Sicherheit im Internet 2001, BMWi, BMI, BSI -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire' - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
now don't all barf at the same time please
--- begin forwarded text Status: U Date: Mon, 6 May 2002 21:30:54 +0100 To: [EMAIL PROTECTED] From: Fearghas McKay [EMAIL PROTECTED] Subject: now don't all barf at the same time please Reply-To: Usual People List [EMAIL PROTECTED] Sender: [EMAIL PROTECTED] from the latest Apple developer newsletter: CDSA and OpenSSL (pdf) This concise white paper discusses the advantages of using Common Data Security Architecture (CDSA) in Mac OS X over OpenSSL in creating security-enabled applications. http://developer.apple.com/macos/pdf/CDSA_and_OpenSSL.pdf --- CDSA and OpenSSL Overview The foundation for cryptography and public key infractructure on OS X is the Common Data Security Architecture (CDSA). This is a layered set of security services and a cryptographic framework for creating security-enabled applications. In addition, Apple has created additional layers built on CDSA to provided simplified interfaces to CDSA for common security-related tasks. One cryptographic toolkit that is well known in the Unix community is OpenSSL. OpenSSL provides a general purpose cryptography library, as well as support for the Secure Sockets Layer (SSL) and Transport Layer Security (TLS). The functionality and security provided by the CDSA architecture is an improvement over that available through OpenSSL, and we would like to migrate away from using the OpenSSL library for doing cryptography or SSL. There are several advantages to using CDSA. It will improve the overall performance of the system by reducing the number of libraries that frameworks link against to do cryptography. In addition, it makes it easier to do export control paperwork. One of the largest user benefits will be in the area of certificate management, including certificates used by SSL. In addition, we are actively improving the performance of the algorithms in CDSA. Using CDSA has the additional benefit of insulating clients from the implementation of the algorithms. Many of the functions in OpenSSL vary algorithm by algorithm, making it difficult for clients to change algorithms. With the modular approach used in CDSA, new cryptographic modules can be written and deployed with no changes to client code. This also holds true for certificates. A client does not necessarily need to know if a given certificate is stored on disk or on a smartcard. Support for Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) is provided through the SecureTransport API set. One major advantage of the SecureTransport APIs is that they are designed so that key material does not have to be supplied as a parameter to the API. SecureTransport calls into CDSA to access keys via reference, which allows us to use keys based on tokens such as smartcards, which do not allow keys to be exported. One of the unique features of Apple's implementation of CDSA is the use of reference keys. The default Cryptographic Service Provider (CSP) talks to a root process called Security Server to perform actions with cryptographic keys. This allows the keys to be maintained in a separate address space from the client application, and also encourages developers to avoid using key material directly. This is essential if external cryptographic devices such as smartcards or hardware signing boxes are to be supported. OpenSSL will only be available in Darwin. We will be actively promoting the use of CDSA as a more secure and easy to use alternative to OpenSSL. Use of CDSA Clients who need to do cryptographic operations should use CDSA or the layered services above CDSA. Some common applications are encryption of data or hashing using such algorithms as SHA-1. A wide variety of algorithms are supported in our standard Cryptographic Service Provider (CSP). Some well known clients are the Keychain and the Encrypted Image feature of Disk Copy. Clients needing SSL functionality should use CFNetwork, or use SecureTransport directly. This will allow our users to get the benefits of a common certificate store. These benefits allow users to specify trust once, rather than in each application. In addition, certificates stored on tokens such as smartcards are supported automatically. SecureTransport has support for both client and server for TLS. The certificate APIs will also be used by third party developers of applications such as browsers and mail applications. Resources Sample code for using SecureTransport and for doing various types of cryptographic operations is available. This code is available on the latest developer CD or through the web site at http://developer.apple.com/macos/security.html. In addition, the apple-cdsa mailing list is a good resource for asking CDSA questions. Sign up at: http://lists.apple.com/mailman/listinfo/apple-cdsa The CDSA implementation is available in the open source repository, and so can be used from Darwin code. --- end forwarded text -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation
IBM Researchers to Unveil Crack in Cellphone Security
http://online.wsj.com/article_print/0,4287,SB1020716403163610240,00.html May 7, 2002 EUROPEAN BUSINESS NEWS IBM Researchers to Unveil Crack in Cellphone Security By KEVIN J. DELANEY Staff Reporter of THE WALL STREET JOURNAL New, speedier ways to exploit cellphone security gaps could potentially allow hackers to bill calls and services to an unsuspecting user's account, say researchers at International Business Machines Corp. The latest IBM findings, to be unveiled Tuesday, add to the evidence the earliest version of security for handsets using the Global System for Mobile Communications standard, or GSM, is less effective than its founders might have hoped. But its impact on consumers is expected to be limited. The IBM technique requires a hacker to take physical possession of a phone for a few minutes, something its owner may well notice. In addition, some cellular operators have upgraded the security used in the handsets and programmed their systems to quickly root out this sort of fraud. --- ANATOMY OF A HACK Following are the steps to clone a SIM card. IBM estimates the first three can be performed in less than two minutes. 1. Remove SIM card, found under the battery, from cellphone. 2. Place card in a card reader attached to a personal computer or laptop. 3. Run software that queries the SIM card about its identity, monitoring the cardÕs power consumption and radio wave emissions until the authentication algorithm is cracked. 4. Clone the SIM card using the encrypted authentication key. Sources: IBM and WSJ research - IBM has an interest in sounding the alarm. It developed technology to protect against the kind of hacker attack it is outlining and will offer to license that to cellphone makers. But its research appears to set a record in the speed of a successful attack on a subscriber identity module, or SIM, card used to secure GSM wireless communications. Such an attack would allow a hacker to access the encrypted keys in SIM cards, the inexpensive computer chips inserted into handsets that safeguard and authenticate a user's identity so a phone can access cellular networks. By copying a stolen key onto a blank card, a hacker can pretend to be the original user and in theory charge calls and services to the user's account. GSM is the dominant wireless standard, representing an estimated 70% of the digital cellular market. Roughly 380 million SIM cards with a total value around $1.4 billion were sold last year, according to market research firm Frost Sullivan. IBM's researchers say they can crack a SIM card in one to two minutes by querying it seven times about its identity. Techniques outlined in 1998 academic research on holes in the SIM card system required about eight hours and 150,000 queries. IBM's attack requires only a card reader, which can purchased for well under $45, an ordinary personal computer and some specialized software. Bad guys are smart enough to do this, says Charles Palmer, department group manager of Security, Privacy, and Cryptography at IBM Research in Yorktown Heights, N.Y. But SIM-card makers say the effects of any such finding are minimal. IBM performed its tests on the oldest version of SIM-card-authentication technology -- COMP128, version one. The manufacturers have already begun shipping cards that use version two and version three technology, which they say haven't yet been hacked. The historical algorithm used for GSM is weak and has been known to be weak for many years, says Xavier Chanay, vice president for mobile communications at SchlumbergerSema, the world's largest SIM card maker, in Montrouge, France. The risk is really minimal that any large-scale fraud develops. SchlumbergerSema estimates about half of SIM cards in Asia and North America and less than 30% in Europe rely on the security standard that IBM cracked. Gemplus SA, the No. 2 SIM card maker, says about 50% to 60% of all cards in use rely on it. The two companies say they continue to sell SIM cards using version one, though the bulk of their shipments involve versions two or three. The so-called partitioning attacks IBM used work by monitoring the power consumption and radio emissions of SIM cards as a computer queries them about their identities. From that, IBM's system can figure out what the SIM card was doing while being queried and nail down the algorithm it uses to safeguard its identity. Some operators have added extra layers of security against fraud based on such an attack, alerting them if more than one card with the same identity is using their networks. But security holes will develop into a bigger issue as it becomes possible for more consumers to use wireless handsets to make purchases that appear as charges on their phone bills. Already, soda vending machines, tram ticket offices, and parking meters in Scandinavia and elsewhere have been outfitted with m-cash test systems. An official at the GSM Association, a trade group representing
IBM report cites cell phone hacking risks
IBM report cites cell phone hacking risks By Robert Lemos Staff Writer, CNET News.com May 7, 2002, 4:45 PM PT http://news.com.com/2100-1040-901920.html IBM researchers released a report Tuesday showing that some cell phones' security cards could be cloned in minutes, letting hackers make calls and route charges to the cloning victim's account. The hacking technique studied by the researchers, known as a partitioning attack, analyzes power fluctuations in a phone's security identification module (SIM) card, allowing an attacker to divine the security codes stored inside. However, the technique only works on the first-generation of global system for mobile communications (GSM) phones and requires that the attacker have physical access to the phone for at least a minute or two. ... The technique, to be outlined in a paper that will be presented at the IEEE Symposium on Security and Privacy next week, requires a computer, a SIM card reader and the right program. The program asks the target card seven specific questions, and it analyzes the signals from the card to determine how it's processing the queries. By analyzing the electromagnetic field changes and power fluctuations, the researchers can divine the card's cryptographic identity. ... Once a card is cloned, the password, generally a four-digit PIN, is necessary to unlock the information. Yet, a thief could easily try all 10,000 combinations with the newly cloned card. - The paper appears to be, Partitioning Attacks: Or How to Rapidly Clone Some GSM Cards Josyula R. Rao (IBM Watson Research Center), Pankaj Rohatgi (IBM Watson Research Center), Stephane Tinguely (EPFL, Lausanne), Helmut Scherzer (IBM Germany) to be presented at the 2002 IEEE Symposium on Security and Privacy. http://www.ieee-security.org/TC/SP02/sp02index.html -- M Taylor http://www.mctaylor.com/ - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
FW: NTFS and PGP interact to expose EFS encrypted data
--- begin forwarded text Status: U From: Somebody Subject: FW: NTFS and PGP interact to expose EFS encrypted data Date: Thu, 9 May 2002 10:22:22 +0100 Thread-Topic: NTFS and PGP interact to expose EFS encrypted data To: [EMAIL PROTECTED] -Original Message- From: Somebody Else Sent: 09 May 2002 09:23 Subject: FW: NTFS and PGP interact to expose EFS encrypted data FYI. One wonders why M$ couldn't engineer a disk encryption system that didn't depend on user-visible temp files... Somebody Else's .sig -Original Message- From: rjones Sent: 08 May 2002 20:34 To: Russ.Cooper; bugtraq Cc: rjones Subject: NTFS and PGP interact to expose EFS encrypted data NTFS and PGP interact to expose EFS encrypted data © 2002 Ry Jones, Airgap Networks. Summary: NTFS, a feature of Windows XP, supports an encrypted attribute. PGP 7.0.3 Freeware, a product of Network Associates, supports wiping files as they are deleted. If you enable file wiping and then set the encrypted attribute on a folder, copies of the contents are left un-encrypted on the file system. Details: As explorer works it's way through the file system encrypting the contents, it first renames the source file to a name in the format of EFSn.TMP where n is an increasing series of integers starting at 0. It then encrypts the file into a target file with the same name as the original. The permissions on the temp file are set to a very restrictive level; the temp file is then deleted. However, if you have set PGP to wipe deleted files, it appears PGP intercepts the deletion of the file. PGP, running as the user, has insufficient privilege to delete the file, and leaves the temp file in place. Anyone who recovers the hard drive can take ownership of these temp files and read them. Also, in the default setting, hidden files are not shown in explorer, so a user may not be aware that the temp files exist at all. Any administrator may take ownership of the temp files and read the data. Repro: 1: create a directory efs-pgp-interaction-bug. Copy a text file into the directory. 2: right click on the PGP icon. Set the Automatically wipe on delete flag. Click OK. 3: right click on the efs-pgp-interaction-bug directory in explorer. Click properties, advanced, and check the Encrypt contents to secure data flag. Click OK, OK. 4: double click on efs-pgp-interaction-bug. If you have set the show hidden files and folders flag (tools, folder options, view, show hidden files and folders, OK) you well see the EFSn.TMP files. Attempting to open the temp files will result in an error (depending on application). Vim reports [Permission Denied]. 5: hit the backspace key. Right click on the efs-pgp-interaction-bug directory. Select sharing and security; select security, advanced. Check the replace permission entries on all child objects check box and click OK. Click Yes, OK. 6: Re-open efs-pgp-interaction-bug and right click on the temp file (EFS0.TMP). Select Open With, Notepad. View your file. Workaround: Do not enable PGP's Wipe Deleted Files option if you are using Encrypted NTFS. Vendor Response: This issue has been resolved, and a hot fix for PGP Desktop Security v7.0.x, PGP Corporate Desktop v7.1.x and PGPfreeware v7.0.x (all for Windows 2000) is available at http://www.nai.com/naicommon/download/upgrade/upgrades-patch.asphttp://www.nai.com/naicommon/download/upgrade/upgrades-patch.asp. Users should be aware that Win2K EFS does NOT wipe the contents of files that are encrypted according to the steps above. The PGP Wipe Free Space feature to ensure that the clear text has been wiped. Discovered: 10 MAR 2002 Sent to vendors: 17 MAR 2002 Submitted to NTBugtraq, Bugtraq: 08 MAY 2002 Thanks to: Russ of NTBugtraq for driving the issue with Microsoft and NAI much more effectively than I ever would have. There never would have been a resolution without his efforts. -BEGIN PGP SIGNATURE- Version: PGP 7.0.4 iQA/AwUBPNl9sxLoz2rGojSMEQIqXACg0CbHJHJOm0bh9gqBfr5HvdIz+ZAAn2Ve HOJ1qt1tkX7wnU5qpQxOOXiU =0LBF -END PGP SIGNATURE- Various nested incriminating .sigs elided... --- end forwarded text -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire' - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Edinburgh Financial Cryptography Engineering 2002 - CFP
The Third Edinburgh Financial Cryptography Engineering Conference 28-29 June, 2002 The Signet Library Parliament Square Edinburgh, Scotland C A L L F O R P R E S E N T A T I O N S Edinburgh is again host to the international *engineering* conference on Financial Cryptography. Individuals and companies active in the field are invited to present and especially to demonstrate Running Code that pushes forward the state of the art. STATEMENT OF INTENT In spite of the excesses and tragedies of the Great Dot Com era, we have come to the realization that the Internet, Commerce, and Technology are inextricably related. We are therefore gathered together to study, as a community, the application of Cryptograpy and Information Security to the world of Finance. For it is Finance that drives Commerce, and Commerce, in the modern era, is based on the 'net. This is a technical, practical meet. Presentations of demonstrable technology in the field of Financial Cryptography are invited. As this is a practical conference, we are hoping to accept every demonstrator. THE RULES OF ENGAGEMENT This conference is about implementations. Presentations are required to demonstrate working code within the first five minutes. Note that we are delighted to accept proposals from work-in-progress projects. If your demo crashes while honorably attempting to execute, the crowd will still love you. THE VENUE Our Venue is the Upper Library, within the Signet Library, which is a listed building housing the Society of Writers to Her Majesty's Signet. This exclusive conference venue is located in the centre of Edinburgh, within the Royal Mile. ADMINISTRATION Included in the conference admission will be breakfast, lunch and tea coffee breaks. Also included will be the conference dinner in a local Edinburgh establishment. The conference administration will block-book a convenient hotel in the centre of town. Details to be advised. NEXT STEPS FOR PRESENTERS 1. Save the dates 28/29 June 2002, Friday and Saturday on your calendar. It is good to plan on a few extra days, and especially, leaving on the day after, Sunday, will help to get the best fares. 2. Prepare your presentation. Check the evolving programme at http://www.efce.net/programme.html. Propose your presentation by mailing the Programme Chair, Rodney Thayer, at [EMAIL PROTECTED] 3. Book passage to Edinburgh. Don't forget to stay a few days on either side to see the sights. Check the site for Locatives and Logistics. 4. Work on your presentation. Remember, the main rule is that you demo working code. 5. Get your budget approved / allocated / applied for. Whilst a commercial conference, accepted presenters will pay a deeply discounted fee, to be announced in a forthcoming release. For planning purposes, 200 GBP (approximately 300 dollars or 320 euros) should cover presenter's admission; the hotel should be about 100 GBP ($150 or E160) per night. Also include travel and incidentals in your budget. 6. The call for delegates -- attendees who do not present -- will by published at a later date. If there is someone in your organisation who needs to survey the state of the financially cryptographic art, they can attend as a delegate. For planning purposes, 500 GBP ($750 or E800) should cover the delegate's admission. 7. If you think the conference can benefit your organisation, consider sponsoring. Contact the Sponsorship Chair Fearghas McKay, [EMAIL PROTECTED] for more details. 8. Keep an eye on the conference web site (www.efce.net) for evolving details. EFCE2002 COMMITTEE Fearghas McKay General and Sponsorship Chair[EMAIL PROTECTED] Rodney Thayer Programme Chair [EMAIL PROTECTED] Rachel Willmer Finance Chair[EMAIL PROTECTED] SPONSORSHIP EFCE is supported by these companies active in Financial Cryptography: * Intertrader Ltd, an Edinburgh-based e-payments middleware and applications company. http://www.intertrader.com/ * Declarator.net, a supplier of Distributed Trust Appliances. http://www.declarator.net/ - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Vulnerability Is Discovered in Security for Smart Cards
May 13, 2002 Vulnerability Is Discovered in Security for Smart Cards By JOHN MARKOFF SAN FRANCISCO, May 12 - Two University of Cambridge computer security researchers plan to describe on Monday an ingenious and inexpensive attack that employs a $30 camera flashgun and a microscope to extract secret information contained in widely used smart cards. The newly discovered vulnerability is reason for alarm, the researchers said, because it could make it cost-effective for a criminal to steal information from the cards. Smart cards are used for dozens of different applications, including electronic identity protection, credit and debit cards and cellular phone payment and identity systems. The Cambridge researchers said they had discussed their discovery with a number of card manufacturers, and several had acknowledged the vulnerability. One company reported that its security testing teams had already considered types of attacks similar to the one mounted by the Cambridge team and that they believed their products were not vulnerable. ... http://www.nytimes.com/2002/05/13/technology/13SMAR.html - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Pact Reached to Stop Pirating Of Digital TV Over the Internet
R. A. Hettinga writes: http://online.wsj.com/article_print/0,4287,SB1019779375174781800,00.html April 26, 2002 NEW MEDIA Pact Is Reached to Stop Pirating Of Digital TV Over the Internet By YOCHI J. DREAZEN and STEPHANIE STEITZER Staff Reporters of THE WALL STREET JOURNAL WASHINGTON -- Representatives from the entertainment and consumer-electronics industries told lawmakers that they have agreed on a system to keep digital television broadcasts from being pirated over the Internet. The agreement resolves a dispute that has contributed to the slow rollout of digital television. Top executives from content companies, including AOL Time Warner Inc., and TV makers such as Panasonic/Matsushita Electric Corp. of America told a House Energy and Commerce Committee panel that they had agreed on technical standards for a new watermark. The watermark would be embedded in all digital TV broadcasts, and TVs, computers and other devices would be designed to play only materials with the watermark. It's not a watermark. It's a single bit. All the technical people involved in the process know that it isn't a watermark. Perhaps these reporters are just using watermark because they're used to applications of watermarking along these lines, or perhaps someone used watermarking as a metaphor. But there's no watermark here, just a redistribution control bit. This proposal is a government mandate to ban digital TV receivers unless they are robust (non-user-serviceable) and provide only Approved Outputs and Approved Recording Methods for broadcasts in which that bit is present. The executives said they planned to release the technical details of the agreement on May 17, at which time they would ask Congress to pass legislation ratifying the standards. That's still true. We are working with many organizations which oppose this legislation to make it clear that there is no broad consensus here. (The agreement on which this article is reporting is an agreement between the MPAA, two DRM consortia, and several computer manufacturers. That's hardly all the affected industries -- never mind consulting consumers!) You don't have to wait until May 17 to read the technical details, though. The very latest draft of the rules proposed by this group: http://www.eff.org/IP/Video/HDTV/20020510_bpdg_compliance_rules.pdf It doesn't make sense unless you also have an enforcement mechanism which makes it illegal to sell a device which doesn't comply with this standard: http://www.eff.org/IP/Video/HDVT/20020215_bpdg_ce_it_rider.html http://www.eff.org/IP/Video/HDTV/20020215_bpdg_mpaa_rider.html (Software is included too.) Again, the idea here is that digital terrestrial broadcast TV, which uses an open standard called ATSC, is insufficiently secure for Hollywood studios. Therefore, they have proposed that legislation require DRM for the digital outputs of TV receivers, and they have proposed that all existing products which record these broadcasts in open formats, or merely output them in open formats, be banned. So, under these rules, you can't have an ATSC tuner card for your PC unless the card and all its software are robust against your accessing the TV signal itself. This has a great deal in common with SCMS, the copy-control system mandated under the Audio Home Recording Act, but this mandate draws on lessons learned since then and includes computer products and software. The most significant thing about this legislative proposal is that it's the first of three compromises intended to replace the CBDTPA, according to no less an authority than Jack Valenti: But we want to narrow the focus of the bill as the legislative process moves forward. What needs to happen is we all sit down together in good-faith negotiations and come to some conclusions on how we can construct a broadcast flag (for keeping digital TV content off the Internet), on how we plug the analog hole (allowing people to record digital content off older televisions and other devices), and how we deal with the persistent and devilish problem of peer-to-peer. http://news.com.com/2008-1082-875394.html If your organization is interested in helping fight this proposal, please contact us, and quickly. -- Seth Schoen Staff Technologist[EMAIL PROTECTED] Electronic Frontier Foundationhttp://www.eff.org/ 454 Shotwell Street, San Francisco, CA 94110 1 415 436 9333 x107 - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Quantum crypto broken?
[EMAIL PROTECTED] [EMAIL PROTECTED] wrote: This article leads one to believe that one can eavesdrop without being detected and with nearly 5/6ths confidence of the data on a quantum crypto communication. This is in contrast to the claim to fame of quantum crypto that the receiver will know if there is an eavesdropper. (This is what makes quantum crypto work when all public key crypto gets broken.) On a sidenote, keep in mind that a success rate of 5/6th is not nearly good enough to successfully copy (intercept) multiple photons (bits). 5/6 = 83% per bit gives you (5/6)^8 = 23% confidence per byte, or (5/6)^16 = 5% for 2 bytes, or even (5/6)^128 = 7E-9% for 16 bytes which clearly is not as alarming as the 5/6th look in the first place; real world transmissions would surely be large enough to get that interception confidence rate down. On the other hand, that confidence rate may well be expected to get much better than 5/6th by the time we actually use quantum crypto in the real world. Cheers, Dan -- Daniel Roethlisberger [EMAIL PROTECTED] PGP Key ID 0x8DE543ED with fingerprint 6C10 83D7 2BB8 D908 10AE 7FA3 0779 0355 8DE5 43ED - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Quantum crypto broken?
Now that I've reread it I realise that an unsuccessful duplication does not necessarily mean discovery. Which makes my last post look kinda .. wrong. -Dan -- Daniel Roethlisberger [EMAIL PROTECTED] PGP Key ID 0x8DE543ED with fingerprint 6C10 83D7 2BB8 D908 10AE 7FA3 0779 0355 8DE5 43ED - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
new RFCs
as noticed on RFC distribution list: RFC 3278 on Use of ECC Algorithms in CMS RFC 3279 on Algorithms and Identifiers RFC 3280 on Internet X.509 Public Key Infrastructure RFC 3281 on An Internet Attribute Certificate replace N's below with RFC number to fetch: ftp://ftp.rfc-editor.org/in-notes/rfc.txt - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Quantum crypto broken?
Quantum Key Distribution involves a step called Privacy Amplification, which is essentially hashing down the bits that were received to a smaller number to account for the possibility that an eavesdropper knows some of them. The essential point is that the two parties must estimate the amount of information that could have been gained by an eavesdropper; errors are one component of this estimation process. Another component is the probability that the single photon sent was really more than one photon --- typical weak coherent links send multiple photons signifcantly often. It is important to realize that eavesdropping is a probabilistic operation --- when an attacker who measures a photon and retransmits it there is some probability (as much as 50% in a noise-free system) that no error will be induced. (Essentially, this happens when the attacker's choice of basis matches the sender's choice of basis.) Thus, there can be no absolute guarantee of security, only probability bounds. This is really no different from traditional cryptography, as an attacker has a 1 in 2^1024 chance of guessing a 1024 bit RSA key with a trivial strategy. Slutsky et al discuss the issue of deciding how many bits to hash down in the context of desiring to bound the probability that an attacker will have gained some amount of information about the bits that remain after privacy amplification. Slutsky's paper can be found at http://kfir.ucsd.edu/papers/defense.pdf See reference 11 for a discussion of privacy amplification. This paper addresses individual attacks, in which a probe interacts with each photon and then a measurement is made on the probe. Collective and joint attacks in which multiple (sequential) photons are measured together are more complicated. Greg Troxel [EMAIL PROTECTED] - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: objectivity and factoring analysis
On Fri, 26 Apr 2002, Anonymous wrote: These estimates are very helpful. Thanks for providing them. It seems that, based on the factor base size derived from Bernstein's asymptotic estimates, the machine is not feasible and would take thousands of years to solve a matrix. If the 50 times smaller factor base can be used, the machine is on the edge of feasibility but it appears that it would still take years to factor a single value. One thousand years = 10 iterations of Moore's law plus one year. Call it 15-16 years? Or maybe 20-21 since Moore's seems to have gotten slower lately? Bear - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
RE: Quantum crypto broken?
(Greg and I work on the same project ...) The Oxford announcement doesn't present quite the risk implied. Cloning in their case results in an energy loss of 1/2 which is easily detected through various means including error rate. You have to conserve of energy ... For a quick discussion on the no-cloning theory see http://physics.about.com/library/weekly/aa070101a.htm A notional QKD system can tolerate about a 15% error rate (14.86% to be exact) before mutual information becomes an issue. (For transmissions of 100 qbits) 5/6ths represents an error rate of 16% above that of the baselined quantum system even if energy weren't conserved. (Back of the envelope ...) For the system we're building, cutting power in half, greater probability of absorbtion, etc., yields another 20% error making _at least_ 36% error on top of the baselined system. There is a lot of math and implementation detail which I won't go into but the physical and mathematical proofs indicate that this is not a threat. If perfect cloning were possible this would be a _very_ different universe. John -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Greg Troxel Sent: Monday, May 13, 2002 8:42 AM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: Quantum crypto broken? Quantum Key Distribution involves a step called Privacy Amplification, which is essentially hashing down the bits that were received to a smaller number to account for the possibility that an eavesdropper knows some of them. The essential point is that the two parties must estimate the amount of information that could have been gained by an eavesdropper; errors are one component of this estimation process. Another component is the probability that the single photon sent was really more than one photon --- typical weak coherent links send multiple photons signifcantly often. It is important to realize that eavesdropping is a probabilistic operation --- when an attacker who measures a photon and retransmits it there is some probability (as much as 50% in a noise-free system) that no error will be induced. (Essentially, this happens when the attacker's choice of basis matches the sender's choice of basis.) Thus, there can be no absolute guarantee of security, only probability bounds. This is really no different from traditional cryptography, as an attacker has a 1 in 2^1024 chance of guessing a 1024 bit RSA key with a trivial strategy. Slutsky et al discuss the issue of deciding how many bits to hash down in the context of desiring to bound the probability that an attacker will have gained some amount of information about the bits that remain after privacy amplification. Slutsky's paper can be found at http://kfir.ucsd.edu/papers/defense.pdf See reference 11 for a discussion of privacy amplification. This paper addresses individual attacks, in which a probe interacts with each photon and then a measurement is made on the probe. Collective and joint attacks in which multiple (sequential) photons are measured together are more complicated. Greg Troxel [EMAIL PROTECTED] - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED] - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Lucky's 1024-bit post
On Tue, 30 Apr 2002 at 17:36:29 -0700, Wei Dai wrote: On Wed, May 01, 2002 at 01:37:09AM +0200, Anonymous wrote: For about $200 you can buy a 1000 MIPS CPU, and the memory needed for sieving is probably another couple of hundred dollars. So call it $500 to get a computer that can sieve 1000 MIPS years in a year. You need a lot more than a couple of hundred dollars for the memory, because you'll need 125 GB per machine. See Robert Silverman's post at http://groups.google.com/groups?hl=enselm=8626nu%24e5g%241%40nnrp1.deja.comprev=/groups%3Fq%3D1024%2Bsieve%2Bmemory%26start%3D20%26hl%3Den%26scoring%3Dd%26selm%3D8626nu%2524e5g%25241%2540nnrp1.deja.com%26rnum%3D21 According to pricewatch.com, 128MB costs $14, so each of your sieving machines would cost about $14000 instead of $500. Silverman's comment makes sense; the memory needed is probably proportional to the size of the factor base, and going from 512 to 1024 bits would plausibly increase the factor base size by at least 11 bits, corresponding to a memory increase of a factor of ~ 2500 as he says. If the 512 bit factorization used 50 MB per node for the sieving then that would require extreme amounts of per node memory for 1024 bits. But how about using disk space instead of RAM for most of this? Seems like a sieve algorithm could have relatively linear and predictable memory access patterns. With a custom read-ahead DMA interface to the disk it might be possible to run at high speed using only a fraction of the RAM, acting as a disk buffer. A 125 GB disk costs a few hundred dollars, so that might bring the node cost back down to the $1000 range. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
[ANNOUNCE] OpenSSL 0.9.6d beta 1 released
OpenSSL version 0.9.6d released === OpenSSL - The Open Source toolkit for SSL/TLS http://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 0.9.6d of our open source toolkit for SSL/TLS. This new OpenSSL version is mostly a bugfix release and incorporates at least 23 changes to the toolkit (for a complete list see http://www.openssl.org/source/exp/CHANGES). The most significant changes are: o Various SSL/TLS library bugfixes. o Fix DH parameter generation for 'non-standard' generators. We consider OpenSSL 0.9.6d to be the best version of OpenSSL available and we strongly recommend that users of older versions upgrade as soon as possible. OpenSSL 0.9.6d is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html): o http://www.openssl.org/source/ o ftp://ftp.openssl.org/source/ [1] OpenSSL comes in the form of two distributions this time. The reasons for this is that we want to deploy the external crypto device support but don't want to have it part of the normal distribution just yet. The distribution containing the external crypto device support is popularly called engine, and is considered experimental. It's been fairly well tested on Unix and flavors thereof. If run on a system with no external crypto device, it will work just like the normal distribution. The distribution file names are: o openssl-0.9.6d.tar.gz [normal] o openssl-engine-0.9.6d.tar.gz [engine] Yours, The OpenSSL Project Team... Mark J. Cox Richard LevitteAndy Polyakov Ralf S. Engelschall Bodo MöllerHolger Reif Dr. Stephen Henson Ulf Möller Geoff Thorpe Ben Laurie Lutz Jänicke - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: objectivity and factoring analysis
On Mon, 13 May 2002, bear wrote: One thousand years = 10 iterations of Moore's law plus one year. Call it 15-16 years? Or maybe 20-21 since Moore's seems to have gotten slower lately? Moore's law is about integration density. That has zero to do with problem-specific system performance. That one is indeed lagging. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Quantum crypto broken?
On Fri, Apr 26, 2002 at 09:36:22AM -0500, [EMAIL PROTECTED] wrote: Would anybody with more knowledge care to comment on this? This article leads one to believe that one can eavesdrop without being detected and with nearly 5/6ths confidence of the data on a quantum crypto communication. This is in contrast to the claim to fame of quantum crypto that the receiver will know if there is an eavesdropper. (This is what makes quantum crypto work when all public key crypto gets broken.) This is a result from the non-cloning theorem and is well studied in Quantum Cryptography. Even though a practical realization which hits the theoretical limit is quite impressive. A simpliefied introduction to the consequences of imperfect cloning of quantum states in QKD is found in a recent paper of Gisin et. al. called Quantum Cryptography and was published in the Review of Modern Physics (sorry no exact citation - i have only the pre-print). Back to the problem: The 16% in which the cloning is wrong, introduce a QBER (equiv to the classical Bit Error Rate (BER)) in the Quantum channel. Since a system without an eavesdropper has QBERs of about a few percent this makes it possible to detect the eavesdropper. [in the case the cloned photon is sent to Bob - in the other case, where the cloned photon is used for a measurment, the information gathered by Eve is simply reduced to 84%] If you use the Wigner protocol, this should also prevent a violation of the Bell inequalities. (is there a paper which shows the relation between QBER and the Bell inequalities ?) I think it has been shown that if the information that Eve gathered is less than the information of Bob, then it is possible to create a secret key through privacy amplification. This is important since it tells us that even if our Eavesdropper reduces the cloning attempts (which reduces the QBER) it is not possible to reconstruct the key. Summery: Eve either intruduces enough QBER to detect her, or she does not get enough information to reconstruct the key Result: QC is not broken but it makes the job harder and the achievable QKD bitrates lower Hannes -- - Hannes R. Boehm - Institute of Experimental Physics University of Vienna Botzmanngasse 5 1090 Wien Austria web : http://www.quantum.univie.ac.at/ email: [EMAIL PROTECTED] - email: [EMAIL PROTECTED] web : http://hannes.boehm.org PGP : http://hannes.boehm.org/hannes-pgp.asc - msg02092/pgp0.pgp Description: PGP signature
Re: Pact Reached to Stop Pirating Of Digital TV Over the Internet
bear writes: But you know, I really don't give much of a crap about commercial content anymore. Will this system get in my way if I try to make and distribute (and play and copy on standard hardware) a nice digital-video, digital-audio recording of a family wedding, or an original computer-generated movie, or a demo video for my buddy's band? 'Cause really, that's the problem as far as I'm concerned; if the system prevents people from making and distributing our *own* content with compatible hardware, then it has to be destroyed. Interfering with that use isn't a design feature of the current BPDG proposal. There is an effort to use legislation like this to begin to eradicate open-standards-only equipment from the market (Hollywood executives are calling CE equipment without DRM legacy equipment!), but there is no current clear proposal to ban support for open standards. There is the general risk that hardware could be required to assume by default that input data is copyrighted and being copied without permission (a guilty until proven innocent policy). A rule like that is not part of the current Hollywood-supported mandate, but might be at issue in the next round, which is meant to involve regulating analog-to-digital convertors. -- Seth Schoen Staff Technologist[EMAIL PROTECTED] Electronic Frontier Foundationhttp://www.eff.org/ 454 Shotwell Street, San Francisco, CA 94110 1 415 436 9333 x107 - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: objectivity and factoring analysis
At 9:45 AM -0700 on 5/13/02, bear wrote: One thousand years = 10 iterations of Moore's law plus one year. Call it 15-16 years? Or maybe 20-21 since Moore's seems to have gotten slower lately? Moore himself said in an article in Forbes a few years ago that the cost of fabs themselves would eventually bring a stop to Moore's Law. He couldn't see constructing a $100 billion dollar fab, and right now, fabs are in the $1-$10 billion dollar range and going up... He figured it to be the 20-teens or so for diminishing returns to finally catch up with Moore's Law, if I remember right. If a water shortage on Taiwan doesn't stop it dead in it's tracks this summer. ;-). Cheers, RAH -- - R. A. Hettinga mailto: [EMAIL PROTECTED] The Internet Bearer Underwriting Corporation http://www.ibuc.com/ 44 Farquhar Street, Boston, MA 02131 USA ... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience. -- Edward Gibbon, 'Decline and Fall of the Roman Empire' - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Disk encryption standards (was: RE: Two ideas for random number g eneration]
Trei, Peter [EMAIL PROTECTED] writes: Bill: you might want to look at: www.siswg.org, which is looking at just this problem. Here's the meat of a couple messages I received about it: The IEEE Technical Committee on Information Assurance has started a standards project on storage encryption, covering encryption algorithms, integrity algorithms, and key management. A common criteria protection profile is also proposed. Jim Hughes (Storage Tek) is chair and invites cryptographers to participate in the project. This work potentially has wide application, from hard disk storage to PDAs. There's some discussion of these issues in the paper presenting my (broken) block cipher Mercy, which was meant for this application: http://www.ciphergoth.org/mercy/ -- __ Paul Crowley \/ o\ [EMAIL PROTECTED] http://www.ciphergoth.org/ /\__/ BiCon 2002 UK bisexual gathering: http://www.2002.bicon.org.uk/ - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
2nd Announcement for ECC 2002
--- begin forwarded text Status: U Date: Mon, 13 May 2002 11:40:56 -0400 To: ECC Invitees General List [EMAIL PROTECTED] From: Frances Hannigan [EMAIL PROTECTED] Subject: 2nd Announcement for ECC 2002 x-flowedTHE 6TH WORKSHOP ON ELLIPTIC CURVE CRYPTOGRAPHY (ECC 2002) University of Essen, Essen, Germany September 23, 24 25 2002 SECOND ANNOUNCEMENT May 13, 2002 ECC 2002 is the sixth in a series of annual workshops dedicated to the study of elliptic curve cryptography and related areas. The main themes of ECC 2002 will be: - The discrete logarithm and elliptic curve discrete logarithm problems. - Efficient parameter generation and point counting. - Provably secure cryptographic protocols for encryption, signatures and key agreement. - Efficient software and hardware implementation of elliptic curve cryptosystems. - Deployment of elliptic curve cryptography. It is hoped that the meeting will continue to encourage and stimulate further research on the security and implementation of elliptic curve cryptosystems and related areas, and encourage collaboration between mathematicians, computer scientists and engineers in the academic, industry and government sectors. SPONSORS Alcatel Canada Certicom Corp. CV Cryptovision EDIZONE GmbH Metris MITACS Philips Semiconductors Research Alliance Data Security NRW University of Essen University of Waterloo ORGANIZERS Gerhard Frey (University of Essen) Alfred Menezes (University of Waterloo) Scott Vanstone (University of Waterloo) Annegret Weng (University of Essen) CONFIRMED SPEAKERS Dan Bleichenbacher (Lucent Technologies, USA) Steven Galbraith (Royal Holloway College, UK) Kiran Kedlaya (University of California, Berkeley, USA) Alan Lauder(Oxford University, UK) Ansgar Lohoff (CV Cryptovision, Germany) Kumar Murty(University of Toronto, Canada) Kim Nguyen (Philips Semiconductors GmbH, Germany) Phong Nguyen (ENS, Paris, France) David Pointcheval (ENS, Paris, France) Takakazu Satoh (Saitama University, Japan) Gerhard Schabhueser(BSI,Germany) Rene Schoof(University of Rome, Italy) Frederik Vercauteren (Katholieke Universiteit Leuven, Belgium) CONFERENCE PROGRAMME There will be approximately 15 invited lectures (and no contributed talks), with the remaining time used for informal discussions. There will be both survey lectures as well as lectures on latest research developments. All lectures will be held on the campus of the University of Essen. Further details of the programme and lecture room will be provided in the third announcement. REGISTRATION There will be a registration fee this year of Euro 150 or $150 US (Euro 75 or $75 US for participants affiliated with a university). PLEASE REGISTER AS SOON AS POSSIBLE AS SPACE IS LIMITED FOR THIS WORKSHOP; REGISTRATION IS ON A FIRST-COME FIRST-SERVE BASIS. The deadline for registration has been set to Friday, September 14. To register, complete, in full, the attached REGISTRATION FORM and return it by e-mail to: [EMAIL PROTECTED] by mail to: Mrs. Julia Thiemann Institute for Experimental Mathematics Ellernstrasse 29 45326 Essen Germany Phone: +49/201/183-7656 Fax: +49/201/183-7669 cut from here- ECC 2002 CONFERENCE REGISTRATION FORM Fullname: _ Affiliation: _ Address: _ _ _ _ _ E-Mail Address: _ Telephone #: _ Mark your choice: Registration Fee:Euro 150 / $150 US Reduced Registration Fee (participants affiliated with a university): Euro 75 / $75 US Student Registration Fee (without conference banquet):Euro 40 / $40 US (Registration Fee Includes Banquet) Attending Banquet: Yes / No Vegetarian: Yes / No Extra Guest Banquet Fee: Euro 30 / $30 US Guest Vegetarian: Yes / No TOTAL REGISTRATION FEE: DM / $ US PAYMENT MUST BE MADE IN CASH OR TRAVELLER CHEQUES ON ARRIVAL AT THE RECEPTION DESK. NO CREDIT CARDS CAN BE ACCEPTED. Accommodation (please mark