From gpaharenko at gmail.com Wed Apr 7 17:00:18 2010
From: gpaharenko at gmail.com (Gleb Paharenko)
Date: Thu, 8 Apr 2010 00:00:18 +0300
Subject: [cryptography] Cryptography embargo countries
Message-ID:
Dear colleagues,
Could you please tell me whether OperaMini on a mobile phone, which supports SSL,
may be subject to criminal prosecution in cryptography embargo countries
(e.g. Syria)? The list of countries I found is at:
http://schools.becta.org.uk/upload-dir/downloads/*data*_*encryption*.doc
--
Best regards.
Gleb Pakharenko.
http://gpaharenko.livejournal.com
http://www.linkedin.com/in/gpaharenko
+380503116172
From kevin.w.wall at gmail.com Thu Apr 8 00:32:29 2010
From: kevin.w.wall at gmail.com (Kevin W. Wall)
Date: Thu, 08 Apr 2010 00:32:29 -0400
Subject: [cryptography] Call to review OWASP ESAPI crypto code
Message-ID: <4BBD5C5D.9080108@gmail.com>
The Open Web Application Security Project (OWASP) is a 501(c)(3)
not-for-profit worldwide charitable organization focused on improving
the security of application software, and all of OWASP's materials are
available under free and open source software licenses.
The next release candidate of OWASP's Enterprise Security API (ESAPI)
for Java (ESAPI-2.0-rc6) has recently been released. This is the
second complete release candidate that contains the completely revamped
symmetric encryption and the first release candidate with completed user
documentation in this regard.
Before we make an official 2.0 release, we would like the completely
redesigned symmetric encryption in ESAPI to be reviewed by professional
cryptographers or security professionals with expertise in cryptography.
It shouldn't take too much time as the code-base is really fairly small--
slightly over 3900 LOC (including comments and blank lines) or approximately
1725 non-commentary source lines.
Anyhow, if you are willing to help without charge to OWASP, you can find
more details at:
http://www.owasp.org/index.php/Request_to_review_ESAPI_2.0_crypto
Thanks in advance to those of you who can help.
-kevin--
Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents." -- Nathaniel Borenstein, co-creator of MIME
From zookog at gmail.com Thu Apr 22 13:40:44 2010
From: zookog at gmail.com (Zooko O'Whielacronx)
Date: Thu, 22 Apr 2010 11:40:44 -0600
Subject: [cryptography] What's the state of the art in factorization?
In-Reply-To: <4BCF8A5D.7030806@dei.uc.pt>
References: <87y6gi5dr9.fsf@snark.cb.piermont.com>
<4BCE4DB1.2040109@connotech.com>
<20100421014035.GD24404@np305c2n2.ms.com> <4BCF8A5D.7030806@dei.uc.pt>
Message-ID:
On Wed, Apr 21, 2010 at 5:29 PM, Samuel Neves wrote
(on the cryptography at metzdowd.com list):
> [2] http://www.cs.umd.edu/~jkatz/papers/dh-sigs-full.pdf
I've been looking at that one, with an eye to using it in the One
Hundred Year Cryptography project that is being sponsored by Google as
part of the Google Summer of Code (see recent discussions on the
tahoe-dev archives for April 2010 [1]).
Later I discovered this paper [2] which appears to be an improvement
on that one in terms of performance (see Table 1 in [2]) while still
having a tight reduction to the Computational Diffie-Hellman (CDH)
problem. Strangely, this paper [2] doesn't appear to have been
published anywhere except as an eprint on eprint.iacr.org. I wonder
why not. Is there something wrong with it?
I still have some major questions about the funky "hash into a curve"
part of these schemes. I'm hoping that [3] will turn out to be wrong
and a nice simple dumb efficient hack will be secure for these
particular digital signature schemes.
Of course if the newfangled schemes which reduce to a random instance
of a classic hard problem work out, that would provide an even
stronger assurance of long-term safety than the ones that reduce to
CDH. See for example the paper [4] that I mentioned previously on the
cryptography at metzdowd.com mailing list. Unless I misunderstand, if you
can break that scheme by learning someone's plaintext without knowing
their private key, then you've also proven that P=NP!
Unfortunately that one in particular doesn't provide digital
signatures, only public key encryption, and what I most need for the
One Hundred Year Cryptography project is digital signatures.
Regards,
Zooko
[1] http://allmydata.org/pipermail/tahoe-dev/2010-April/date.html
[2] http://eprint.iacr.org/2007/019
[3] http://eprint.iacr.org/2009/340
[4] http://eprint.iacr.org/2009/576
From zookog at gmail.com Thu Apr 22 14:18:34 2010
From: zookog at gmail.com (Zooko O'Whielacronx)
Date: Thu, 22 Apr 2010 12:18:34 -0600
Subject: [cryptography] What's the state of the art in digital signatures?
Re: What's the state of the art in factorization?
Message-ID:
By the way, the general idea of One Hundred Year Security as far as
digital signatures go would be to combine digital signature
algorithms. Take one algorithm which is bog standard, such as ECDSA
over NIST secp256r1 and another which has strong security properties
and which is very different from ECDSA. Signing is simply generating a
signature over the message using each algorithm in parallel.
Signatures consist of both of the signatures of the two algorithms.
Verifying consists of checking both signatures and rejecting if either
one is wrong.
Since the digital signature algorithms that we've been discussing such
as [1] are related to discrete log/Diffie-Hellman and since an
efficient implementation would probably be in elliptic curves, then
those are not great candidates to pair with ECDSA in this combiner
scheme.
Unfortunately I haven't stumbled on a digital signature scheme which
has good properties (efficiency, simplicity, ease of implementation)
and which is based on substantially different ideas and which isn't
currently under patent protection (therefore excluding NTRUSign).
Any ideas?
[1] http://eprint.iacr.org/2007/019
Regards,
Zooko
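The combiner sketched above (sign with both algorithms in parallel, concatenate, reject unless both verify) as an added example; this is not code from the original post or from the Tahoe project. It pairs ECDSA over NIST P-256 (secp256r1) with RSA-PSS as the stand-in "very different" second algorithm, chosen here only because it rests on factoring rather than the EC discrete log; it does not meet the quantum-resistance wish raised later in the thread, and the type and function names are my own.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// ComboKey pairs ECDSA over NIST P-256 (secp256r1) with RSA-PSS; RSA stands in
// for the "very different" second algorithm (factoring, not EC discrete log).
type ComboKey struct {
	EC  *ecdsa.PrivateKey
	RSA *rsa.PrivateKey
}
type ComboSignature struct {
	ECSig, RSASig []byte
}
func GenerateComboKey() (*ComboKey, error) {
	ec, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rk, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &ComboKey{EC: ec, RSA: rk}, nil
}
// Sign runs both algorithms over the same SHA-256 digest of msg.
func (k *ComboKey) Sign(msg []byte) (*ComboSignature, error) {
	d := sha256.Sum256(msg)
	ecSig, err := ecdsa.SignASN1(rand.Reader, k.EC, d[:])
	if err != nil {
		return nil, err
	}
	rsaSig, err := rsa.SignPSS(rand.Reader, k.RSA, crypto.SHA256, d[:], nil)
	if err != nil {
		return nil, err
	}
	return &ComboSignature{ECSig: ecSig, RSASig: rsaSig}, nil
}
// Verify rejects unless every component verifies: a forger must break both.
func Verify(ec *ecdsa.PublicKey, rk *rsa.PublicKey, msg []byte, s *ComboSignature) error {
	d := sha256.Sum256(msg)
	if !ecdsa.VerifyASN1(ec, d[:], s.ECSig) {
		return errors.New("ECDSA component rejected")
	}
	if err := rsa.VerifyPSS(rk, crypto.SHA256, d[:], s.RSASig, nil); err != nil {
		return errors.New("RSA-PSS component rejected")
	}
	return nil
}
```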
From jkatz at cs.umd.edu Thu Apr 22 22:18:38 2010
From: jkatz at cs.umd.edu (Jonathan Katz)
Date: Thu, 22 Apr 2010 22:18:38 -0400 (EDT)
Subject: [cryptography] What's the state of the art in factorization?
In-Reply-To:
References: <87y6gi5dr9.fsf@snark.cb.piermont.com>
<4BCE4DB1.2040109@connotech.com>
<20100421014035.GD24404@np305c2n2.ms.com> <4BCF8A5D.7030806@dei.uc.pt>
Message-ID:
On Thu, 22 Apr 2010, Zooko O'Whielacronx wrote:
> On Wed, Apr 21, 2010 at 5:29 PM, Samuel Neves wrote
> (on the cryptography at metzdowd.com list):
>> [2] http://www.cs.umd.edu/~jkatz/papers/dh-sigs-full.pdf
As one of the authors of the above paper, I have an obvious interest in
this thread. =)
> Later I discovered this paper [2] which appears to be an improvement
> on that one in terms of performance (see Table 1 in [2]) while still
> having a tight reduction to the Computational Diffie-Hellman (CDH)
> problem. Strangely, this paper [2] doesn't appear to have been
> published anywhere except as an eprint on eprint.iacr.org. I wonder
> why not. Is there something wrong with it?
While I don't know of any attack, the proof of security does not appear to
be correct.
On the other hand, there is one published scheme that gives a slight
improvement to our paper (it has fewer on-line computations): it is a
paper by Chevallier-Mames in Crypto 2005 titled "An Efficient CDH-Based
Signature Scheme with a Tight Security Reduction".
From paul at ciphergoth.org Fri Apr 23 05:57:09 2010
From: paul at ciphergoth.org (Paul Crowley)
Date: Fri, 23 Apr 2010 10:57:09 +0100
Subject: [cryptography] What's the state of the art in factorization?
In-Reply-To:
References: <87y6gi5dr9.fsf@snark.cb.piermont.com> <4BCE4DB1.2040109@connotech.com> <20100421014035.GD24404@np305c2n2.ms.com>
<4BCF8A5D.7030806@dei.uc.pt>
Message-ID: <4BD16EF5.7000001@ciphergoth.org>
Jonathan Katz wrote:
>>> [2] http://www.cs.umd.edu/~jkatz/papers/dh-sigs-full.pdf
> On the other hand, there is one published scheme that gives a slight
> improvement to our paper (it has fewer on-line computations): it is a
> paper by Chevallier-Mames in Crypto 2005 titled "An Efficient CDH-Based
> Signature Scheme with a Tight Security Reduction".
My preferred signature scheme is the second, DDH-based one in the linked
paper, since it produces shorter signatures - are there any proposals
which improve on that?
Incidentally, the paper doesn't note this but that second scheme has a
non-tight reduction to the discrete log problem in exactly the way that
Schnorr does.
--
__
\/ o\ Paul Crowley, paul at ciphergoth.org
/\__/ http://www.ciphergoth.org/
From zookog at gmail.com Fri Apr 23 09:33:27 2010
From: zookog at gmail.com (Zooko O'Whielacronx)
Date: Fri, 23 Apr 2010 07:33:27 -0600
Subject: [cryptography] What's the state of the art in factorization?
In-Reply-To: <4BD16EF5.7000001@ciphergoth.org>
References: <87y6gi5dr9.fsf@snark.cb.piermont.com>
<4BCE4DB1.2040109@connotech.com>
<20100421014035.GD24404@np305c2n2.ms.com> <4BCF8A5D.7030806@dei.uc.pt>
<4BD16EF5.7000001@ciphergoth.org>
Message-ID:
On Fri, Apr 23, 2010 at 3:57 AM, Paul Crowley wrote:
>
> My preferred signature scheme is the second, DDH-based one in the linked
> paper, since it produces shorter signatures - are there any proposals which
> improve on that?
http://eprint.iacr.org/2007/019
Has one. Caveat lector.
Regards,
Zooko
From jamesd at echeque.com Fri Apr 23 21:48:58 2010
From: jamesd at echeque.com (James A. Donald)
Date: Sat, 24 Apr 2010 11:48:58 +1000
Subject: [cryptography] What's the state of the art in factorization?
In-Reply-To: <4BD16EF5.7000001@ciphergoth.org>
References: <87y6gi5dr9.fsf@snark.cb.piermont.com> <4BCE4DB1.2040109@connotech.com> <20100421014035.GD24404@np305c2n2.ms.com> <4BCF8A5D.7030806@dei.uc.pt>
<4BD16EF5.7000001@ciphergoth.org>
Message-ID: <4BD24E0A.6020003@echeque.com>
> Jonathan Katz wrote:
>>>> [2] http://www.cs.umd.edu/~jkatz/papers/dh-sigs-full.pdf
>> On the other hand, there is one published scheme that
>> gives a slight improvement to our paper (it has fewer
>> on-line computations): it is a paper by Chevallier-Mames
>> in Crypto 2005 titled "An Efficient CDH-Based Signature
>> Scheme with a Tight Security Reduction".
On 2010-04-23 7:57 PM, Paul Crowley wrote:
> My preferred signature scheme is the second, DDH-based one
> in the linked paper, since it produces shorter signatures -
> are there any proposals which improve on that?
If you want shorter signatures, the proposed scheme does not
beat the Boneh, Lynn and Shacham proposal "Short Signatures
from the Weil Pairing", which the Chevallier-Mames paper
mentions and cites.
From paul at ciphergoth.org Sat Apr 24 02:20:34 2010
From: paul at ciphergoth.org (Paul Crowley)
Date: Sat, 24 Apr 2010 07:20:34 +0100
Subject: [cryptography] What's the state of the art in factorization?
In-Reply-To: <4BD24E0A.6020003@echeque.com>
References: <87y6gi5dr9.fsf@snark.cb.piermont.com> <4BCE4DB1.2040109@connotech.com> <20100421014035.GD24404@np305c2n2.ms.com> <4BCF8A5D.7030806@dei.uc.pt> <4BD16EF5.7000001@ciphergoth.org>
<4BD24E0A.6020003@echeque.com>
Message-ID: <4BD28DB2.8050001@ciphergoth.org>
James A. Donald wrote:
> If you want shorter signatures, the proposed scheme does not
> beat the Boneh, Lynn and Shacham proposal "Short Signatures
> from the Weil Pairing", which the Chevallier-Mames paper
> mentions and cites.
Sure, but that depends on the existence of GDH groups, which seems a
little less conservative than the assumption that DDH is hard in Z*_p or
in for example a NIST elliptic curve.
--
__
\/ o\ Paul Crowley
/\__/ www.ciphergoth.org
From coderman at gmail.com Mon Apr 26 03:37:36 2010
From: coderman at gmail.com (coderman)
Date: Mon, 26 Apr 2010 00:37:36 -0700
Subject: [cryptography] What's the state of the art in digital
signatures? Re: What's the state of the art in factorization?
In-Reply-To:
References:
Message-ID:
On Thu, Apr 22, 2010 at 11:18 AM, Zooko O'Whielacronx wrote:
> By the way, the general idea of One Hundred Year Security as far as
> digital signatures go would be to combine digital signature
> algorithms. Take one algorithm which is bog standard, such as ECDSA
> ... and another which has strong security properties
> and which is very different from ECDSA. ...
>
> Unfortunately I haven't stumbled on a digital signature scheme which
> has good properties...
try McEliece cryptosystem with QC-LDPC coding or other improved and
hardened variant that suits your purposes.
one caveat - a cryptographically strong, very plentiful hardware
entropy source is required for any kind of usable key generation. but
we all have those embedded on our processor die now, right? ... :P
another benefit: McEliece QC-LDPC can be made very fast on modern cores
and GPU kernels.
From sneves at dei.uc.pt Wed Apr 28 20:39:49 2010
From: sneves at dei.uc.pt (Samuel Neves)
Date: Thu, 29 Apr 2010 01:39:49 +0100
Subject: [cryptography] What's the state of the art in
digital signatures? Re: What's the state of the art in factorization?
In-Reply-To:
References:
Message-ID: <4BD8D555.5060605@dei.uc.pt>
Perhaps McEliece wouldn't be the best example. The only "practical"
signature scheme based on the syndrome decoding hardness would be CFS,
which requires giant keys (to avoid information-set decoding attacks and
generalized birthday attacks) and is ridiculously slow to sign
(factorial(t) decoding tries on average, t at least 10).
Best regards,
Samuel Neves
On 26-04-2010 08:37, coderman wrote:
> On Thu, Apr 22, 2010 at 11:18 AM, Zooko O'Whielacronx wrote:
>
>> By the way, the general idea of One Hundred Year Security as far as
>> digital signatures go would be to combine digital signature
>> algorithms. Take one algorithm which is bog standard, such as ECDSA
>> ... and another which has strong security properties
>> and which is very different from ECDSA. ...
>>
>> Unfortunately I haven't stumbled on a digital signature scheme which
>> has good properties...
>>
>
> try McEliece cryptosystem with QC-LDPC coding or other improved and
> hardened variant that suits your purposes.
>
> one caveat - a cryptographically strong, very plentiful hardware
> entropy source is required for any kind of usable key generation. but
> we all have those embedded on our processor die now, right? ... :P
>
> another benefit McEliece QC-LDPC can be made very fast on modern cores
> and GPU kernels.
From zookog at gmail.com Thu Apr 29 01:51:23 2010
From: zookog at gmail.com (Zooko O'Whielacronx)
Date: Wed, 28 Apr 2010 23:51:23 -0600
Subject: [cryptography] What's the state of the art in digital signatures?
Re: What's the state of the art in factorization?
Message-ID:
On Thu, Apr 22, 2010 at 12:40 PM, Jonathan Katz wrote:
> On Thu, 22 Apr 2010, Zooko O'Whielacronx wrote:
>
>> Unless I misunderstand, if you read someone's plaintext without having
>> the private key then you have proven that P=NP!
?
> The paper you cite reduces security to a hard-on-average problem, whereas
> all that P \neq NP guarantees is hardness in the worst case.
I see. I did misunderstand. So although cracking the Lyubashevsky,
Palacio, Segev encryption scheme [1] doesn't mean that you've proven
P=NP, because NP is about worst-case rather than average-case, it
*does* mean that you've solved the subset sum problem for a random
instance. If you can do that for all keys that people use in real life
then you can solve the subset sum problem for almost all random
instances, which seems like it would still be a breakthrough in
complexity theory. If you can do it for only a few keys then this
means that the Lyubashevsky, Palacio, Segev scheme is susceptible to
"weak keys".
Is that right?
Anyway, although this is not one, there do exist proposals for public
key crypto schemes where breaking the scheme implies solving a worst
case instance of a supposedly hard problem, right?
Here is a recent paper which surveys several of them (all
lattice-based) and estimates secure key sizes: [2].
None of the signature schemes mentioned therein appear to have the
sort of efficiency that we are used to. For example the "ecdonaldp"
(ECDSA) signature schemes measured on
http://bench.cr.yp.to/results-sign.html have key sizes on the order of
tens of bytes, where the most efficient digital signature algorithm
described in [2] has key sizes on the order of thousands of bytes.
(And that one is a one-time signature scheme!)
Okay, so I'm still searching for a signature algorithm which has the
following properties (or as many of them as I can get):
1. efficient (signing time, verification time, key generation time,
key size, signature size)
2. some kind of strong argument that it really is secure (the gold
standard would be reduction to a worst-case instance of an NP-complete
problem)
or, if we can't have (2) then at least we want (3) and (4):
3. rather different from ECDSA, so that a breakthrough is unlikely to
invalidate both ECDSA and this other scheme at once
and
4. not known to be vulnerable to quantum computers
and finally but importantly:
5. easy to understand and to implement
Suggestions welcome!
Regards,
Zooko Wilcox-O'Hearn
[1] http://eprint.iacr.org/2009/576
[2] http://eprint.iacr.org/2010/137
From jkatz at cs.umd.edu Thu Apr 29 21:18:19 2010
From: jkatz at cs.umd.edu (Jonathan Katz)
Date: Thu, 29 Apr 2010 21:18:19 -0400 (EDT)
Subject: [cryptography] What's the state of the art in digital
signatures? Re: What's the state of the art in factorization?
In-Reply-To:
References:
Message-ID:
On Wed, 28 Apr 2010, Zooko O'Whielacronx wrote:
> Anyway, although this is not one, there do exist proposals for public
> key crypto schemes where breaking the scheme implies solving a worst
> case instance of a supposedly hard problem, right?
Not to worst-case hardness of an NP-complete problem, no. Quite the
contrary, there has been some body of work showing that a result of this
sort is unlikely. (Though, as with all things related to complexity theory
where our state of knowledge is so limited, such a statement must be taken
with a grain of salt. In any case, such a result is well beyond anything
we can currently prove.)
> 2. some kind of strong argument that it really is secure (the gold
> standard would be reduction to a worst-case instance of an NP-complete
> problem)
See above.