Regarding using blinding to defend against timing attacks, and supposing
that a crypto library is going to have support for blinding:
- Should it do blinding for RSA signatures as well as RSA decryption?
- How about for ElGamal decryption?
- Non-ephemeral (static) DH key exchange?
- Ephemer
Tom St Denis writes:
> What is the benefit of having leading/trailing bits fixed? As far as I
> know it doesn't make any form of index calculus attack any harder to
> apply.
The Handbook of Applied Cryptography, http://www.cacr.math.uwaterloo.ca/hac/,
has a chapter on efficient implementations wh
The New York Times is reporting at
http://www.nytimes.com/2003/01/14/technology/14CND-PIRACY.html that
the Recording Industry Association of America, along with two computer
and technology industry trade groups, has agreed not to seek new
government regulations to mandate technological controls for
John S. Denker writes:
> The main thing the industry really had at stake in
> this case is the "zone locking" aka "region code"
> system.
I don't see much evidence for this. As you go on to admit, multi-region
players are easily available overseas. You seem to be claiming that the
industry's mai
[I'm not happy with the tone of this, but I'm forwarding it as privacy
politics is pretty clearly on topic... --Perry]
For years we cypherpunks have been telling you people that you are
responsible for protecting your own privacy. Use cash for purchases, look
into offshore accounts, protect your
Stefan Brands writes regarding http://eprint.iacr.org/2002/151/:
> The paper shows some promise but, apart from being insecure, has other
> drawbacks that should be addressed:
>
> ... My work... introduced by myself... my MIT press book...
>
> In addition to various other drawbacks pointed out by
Peter Biddle writes:
> Pd is designed to fail well - failures in SW design shouldn't result in
> compromised secrets, and compromised secrets shouldn't result in a BORE
> attack.
Could you say something about the sense in which Palladium achieves
BORE ("break once run everywhere") resistance? It
It looks like Camenisch & Lysyanskaya are patenting their credential
system. This is from the online patent applications database:
http://appft1.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&p=1&u=/netahtml/PTO/search-bool.html&r=1&f=G&l=50&co1=AND&d=PG01&s1=camenisch&OS=camenisch&RS=came
Bill Frantz writes, regarding the possibility that the Palladium
architecture could be designed to resist the use of encrypted
code:
> All general purpose computers require a way to move data space to code
> space to support compilation.
Well, this is usually done by storing the data to the dis
Paul Crowley asks:
> I'm informed that malware authors often go to some lengths to prevent
> their software from being disassembled. Could they use Palladium for
> this end? Are there any ways in which the facilities that Palladium
> and TCPA provide could be useful to a malware author who wants
Carl Ellison suggested an alternate way that TCPA could work to allow
for revoking virtualized TPMs without the privacy problems associated
with the present systems, and the technical problems of the elaborate
cryptographic methods.
Consider first the simplest possible method, which is just to pu
Ben Laurie writes:
> Note that the scheme as described (and corrected) is vulnerable to
> marking by the bank, and so is not anonymous. This is discussed and
> fixed in my paper on Lucre
> (http://anoncvs.aldigital.co.uk/lucre/theory2.pdf).
Actually the scheme described based on Chaum's talk
David Chaum gave a talk at the Crypto 2002 conference recently in which
he briefly presented a number of interesting ideas, including an approach
to digital cash which he himself said would "avoid the ecash patents".
The diagram he showed was as follows:
Optimistic Authenticator
Eugen Leitl asked:
> 1) What's the name of the technique of salting/padding a small integer
> I'm signing with random data?
You shouldn't need to salt/pad with random data, fixed data should be
OK.
> 2) If I'm signing above short (~1 kBit) sequences, can I sign them
> directly, or am I
On Tue, 2 Jul 2002, Damien O'Rourke wrote:
> I was just wondering if anyone knew where to get a good explanation of
> Montgomery multiplication for the non-mathematician? I have a fair bit
> of maths but not what is needed to understand his paper.
Bear replied:
> Montgomery Multiplication is e
Ross Anderson writes:
> During my investigations into TCPA, I learned that HP has started a
> development program to produce a TCPA-compliant version of GNU/linux.
> I couldn't figure out how they planned to make money out of this. On
> Thursday, at the Open Source Software Economics conference,
Lucky Green writes regarding Ross Anderson's paper at:
http://www.ftp.cl.cam.ac.uk/ftp/users/rja14/toulouse.pdf
> I must confess that after reading the paper I am quite relieved to
> finally have solid confirmation that at least one other person has
> realized (outside the authors and proponents
David Wagner describes a trick from Dan Bernstein to speed up
RSA signature verification with e = 3:
> One of the nicest ideas from his work is easy to describe. In plain
> RSA, s is a valid signature on m if H(m) = s^3 (mod n). Now suppose we
> ask the signer to also supply an integer k such t
Wei Dai writes:
> Using a factor base size of 10^9, in the relationship finding phase you
> would have to check the smoothness of 2^89 numbers, each around 46 bits
> long. (See Frog3's analysis posted at
> http://www.mail-archive.com/cryptography%40wasabisystems.com/msg01833.html.
> Those number
For cpunxnews/cryptography:
Seems people missed this anonymous note about Dr Stefan Brands new
company http://www.credentica.com on cypherpunks -- interesting news
-- will Credentica pursue ecash, private credentials, more liberal
licensing terms than digicash and ecash-technologies/infospace.
(
James Donald writes:
> On Tue, Feb 26, 2002 at 02:04:16AM -, Frog3 wrote:
> > The cost [To factor RSA 1024] is the need to build a
> > machine that can do 53 billion simultaneous, independent
> > ECM factorizations for smoothness testing. It's not clear
> > how amenable this would be to har
David Wagner writes:
> Bernstein's analysis is based on space*time as your cost metric.
> What happens if we assume that space comes for free, and we use simply
> time as our cost metric? Do his techniques lead to an improvement in
> this case?
Bernstein basically treats memory and processing el
More analysis of Dan Bernstein's factoring machine from
http://cr.yp.to/papers.html#nfscircuit.
The NFS algorithm has two phases. The first searches for coefficients
(a,b) from some interval which are relatively prime and which satisfy
two smoothness bounds. The smoothness is with respect to a
PHB:
> PKI is in widespread use, it is just not that noticeable when you use it.
> This is how it should be. SSL is widely used to secure internet payment
> transactions.
PM:
> HTTPS SSL does not use PKI.
Could someone define PKI (beyond just what it stands for, Public Key
Infrastructure)? It l
Adam Back wrote:
> To elaborate on this slightly. There are inherent reasons why
> steganography is harder than encryption: the arms race of hiding data
> in noise is based on which side (the hider vs the detecter) has the
> best understanding of the characteristics of the host signal. The
> pro
Adam Back writes:
> Also it's interesting to note that it appears from Niels Provos and
> Peter Honeyman's paper that none of the currently available stego
> encoding programs are secure. They have broken them all (at least I
> recognise the main stego programs available in their list of systems
>
Ted Tso writes:
> It turns out that with the Intel 810 RNG, it's even worse because
> there's no way to bypass the hardware "whitening" which the 810 chip
> uses. Hence, if the 810 random number generator fails, and starts
> sending something that's close to a pure 60 Hz sine wave to the
> whiten