Regarding using blinding to defend against timing attacks, and supposing
that a crypto library is going to have support for blinding:
- Should it do blinding for RSA signatures as well as RSA decryption?
- How about for ElGamal decryption?
- Non-ephemeral (static) DH key exchange?
John S. Denker writes:
The main thing the industry really had at stake in
this case is the zone locking aka region code
system.
I don't see much evidence for this. As you go on to admit, multi-region
players are easily available overseas. You seem to be claiming that the
industry's main goal
[I'm not happy with the tone of this, but I'm forwarding it as privacy
politics is pretty clearly on topic... --Perry]
For years we cypherpunks have been telling you people that you are
responsible for protecting your own privacy. Use cash for purchases, look
into offshore accounts, protect
Stefan Brands writes regarding http://eprint.iacr.org/2002/151/:
The paper shows some promise but, apart from being insecure, has other
drawbacks that should be addressed:
... My work... introduced by myself... my MIT press book...
In addition to various other drawbacks pointed out by of
It looks like Camenisch and Lysyanskaya are patenting their credential
system. This is from the online patent applications database:
http://appft1.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&p=1&u=/netahtml/PTO/search-bool.html&r=1&f=G&l=50&co1=AND&d=PG01&s1=camenisch&OS=camenisch&RS=camenisch
Carl Ellison suggested an alternate way that TCPA could work to allow
for revoking virtualized TPMs without the privacy problems associated
with the present systems, and the technical problems of the elaborate
cryptographic methods.
Consider first the simplest possible method, which is just to
David Chaum gave a talk at the Crypto 2002 conference recently in which
he briefly presented a number of interesting ideas, including an approach
to digital cash which he himself said would avoid the ecash patents.
The diagram he showed was as follows:
Optimistic Authenticator
Eugen Leitl asked:
1) What's the name of the technique of salting/padding a small integer
I'm signing with random data?
You shouldn't need to salt/pad with random data, fixed data should be
OK.
2) If I'm signing above short (~1 kBit) sequences, can I sign them
directly, or am I
On Tue, 2 Jul 2002, Damien O'Rourke wrote:
I was just wondering if anyone knew where to get a good explanation of
Montgomery multiplication for the non-mathematician? I have a fair bit
of maths but not what is needed to understand his paper.
Bear replied:
Montgomery Multiplication is
Ross Anderson writes:
During my investigations into TCPA, I learned that HP has started a
development program to produce a TCPA-compliant version of GNU/linux.
I couldn't figure out how they planned to make money out of this. On
Thursday, at the Open Source Software Economics conference, I
Lucky Green writes regarding Ross Anderson's paper at:
http://www.ftp.cl.cam.ac.uk/ftp/users/rja14/toulouse.pdf
I must confess that after reading the paper I am quite relieved to
finally have solid confirmation that at least one other person has
realized (outside the authors and proponents of
David Wagner describes a trick from Dan Bernstein to speed up
RSA signature verification with e = 3:
One of the nicest ideas from his work is easy to describe. In plain
RSA, s is a valid signature on m if H(m) = s^3 (mod n). Now suppose we
ask the signer to also supply an integer k such
Wei Dai writes:
Using a factor base size of 10^9, in the relationship finding phase you
would have to check the smoothness of 2^89 numbers, each around 46 bits
long. (See Frog3's analysis posted at
http://www.mail-archive.com/cryptography%40wasabisystems.com/msg01833.html.
Those numbers
For cpunxnews/cryptography:
Seems people missed this anonymous note about Dr Stefan Brands' new
company http://www.credentica.com on cypherpunks -- interesting news
-- will Credentica pursue ecash, private credentials, more liberal
licensing terms than digicash and ecash-technologies/infospace.
James Donald writes:
On Tue, Feb 26, 2002 at 02:04:16AM -, Frog3 wrote:
The cost [To factor RSA 1024] is the need to build a
machine that can do 53 billion simultaneous, independent
ECM factorizations for smoothness testing. It's not clear
how amenable this would be to hardware
David Wagner writes:
Bernstein's analysis is based on space*time as your cost metric.
What happens if we assume that space comes for free, and we use simply
time as our cost metric? Do his techniques lead to an improvement in
this case?
Bernstein basically treats memory and processing
More analysis of Dan Bernstein's factoring machine from
http://cr.yp.to/papers.html#nfscircuit;
The NFS algorithm has two phases. The first searches for coefficients
(a,b) from some interval which are relatively prime and which satisfy
two smoothness bounds. The smoothness is with respect to a
PHB:
PKI is in widespread use, it is just not that noticeable when you use it.
This is how it should be. SSL is widely used to secure internet payment
transactions.
PM:
HTTPS SSL does not use PKI.
Could someone define PKI (beyond just what it stands for, Public Key
Infrastructure)? It
Ted Ts'o writes:
It turns out that with the Intel 810 RNG, it's even worse because
there's no way to bypass the hardware whitening which the 810 chip
uses. Hence, if the 810 random number generator fails, and starts
sending something that's close to a pure 60 Hz sine wave to the
whitening