Cryptography-Digest Digest #53, Volume #13 Tue, 31 Oct 00 03:13:01 EST
Contents:
Re: Searching for a good PRNG (Tom St Denis)
Re: Searching for a good PRNG (David Schwartz)
Re: RSA Multiprime (David A Molnar)
Is RSA provably secure under some conditions? (Jan Fedak)
Re: DMCA bans fair use (Jeff Makey)
Re: Searching for a good PRNG ([EMAIL PROTECTED])
Re: A new paper claiming P=NP (Peter Fairbrother)
Newbie about Rijndael ("mac")
Re: Open Request to Dr. Kaliski, Jr. at RSA Research - looking for your ("John A.
Malley")
Re: Newbie about Rijndael (SCOTT19U.ZIP_GUY)
Arbitrated signature scheme (conventional cryptosystem) (Jan Fedak)
Re: shared secret signing using a hash... (Anders Thulin)
Re: Is RSA provably secure under some conditions? (David A Molnar)
Re: XOR based key exchange protocol - flawed? (Mike Connell)
Re: Is RSA provably secure under some conditions? ("John A. Malley")
Re: Calculating the redudancy of english? ([EMAIL PROTECTED])
Re: XOR based key exchange protocol - flawed? (Mike Connell)
Re: XOR based key exchange protocol - flawed? (David Schwartz)
Re: Searching for a good PRNG (Mok-Kong Shen)
----------------------------------------------------------------------------
From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: Searching for a good PRNG
Date: Tue, 31 Oct 2000 02:35:45 GMT
In article <[EMAIL PROTECTED]>,
David Schwartz <[EMAIL PROTECTED]> wrote:
>
> Tom St Denis wrote:
> >
> > In article <[EMAIL PROTECTED]>,
> > David Schwartz <[EMAIL PROTECTED]> wrote:
> > >
> > > The point is that this is great for statistical randomness
but
> > useless
> > > for cryptographic randomness.
> >
> > Cryptographic purposes was not the OP intent AFAIK. So what's wrong
> > with my post?
>
> If you're right, this is all off-topic for sci.crypt. I prefer
to give
> the OP the benefit of the doubt. ;)
Well I was just answering the question.
(BTW I know what you're trying to say, I just like the fournmi lab
thingy)
Tom
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: David Schwartz <[EMAIL PROTECTED]>
Subject: Re: Searching for a good PRNG
Date: Mon, 30 Oct 2000 18:50:02 -0800
Tim Tyler wrote:
>
> David Schwartz <[EMAIL PROTECTED]> wrote:
>
> : I like this quote too:
>
> : "In practice, to avoid any residual bias resulting from non-random
> : systematic errors in the apparatus or measuring process
> : consistently favouring one state, the sense of the comparison between T1
> : and T2 is reversed for consecutive bits."
>
> : How can XORing a bit stream with a known sequence of bits make it any
> : more or less random?
>
> It wasn't claimed to make it less random - the technique was claimed to
> "reduce bias".
>
> With the normal technical meaning of the term "bias" (applied on the
> level of bits), it looks like the scheme will work.
Would not odd bit numbers being more likely to be zeroes as much be
bias as all bits being more likely to be zeroes?
DS
------------------------------
From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: RSA Multiprime
Date: 31 Oct 2000 02:43:35 GMT
Scott Contini <[EMAIL PROTECTED]> wrote:
> A neat thing? Are you kidding me? The so-called "multi-prime" variation
> of RSA is an entirely obvious generalization to RSA that every researcher
> knew about. Nobody ever patented the idea until Compaq since:
In particular, didn't Couvreur and Quisquateur publish a paper on
something very much like Compaq's result in 1983?
-David
------------------------------
From: [EMAIL PROTECTED] (Jan Fedak)
Subject: Is RSA provably secure under some conditions?
Date: Mon, 30 Oct 2000 22:53:28 +0000 (UTC)
Hello.
I wonder are there any conditions under which RSA is provably secure?
I've seen a small note saying something like RSA is provably secure if
public exponent is 2 or 3 but I'm not sure about it and I can't find the
reference any more.
Moreover, I've found some articles claiming that breaking RSA with low
public exponent is easier.
Thanks, Jan
--
Jan Fedak talk:[EMAIL PROTECTED]
mailto:[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
Linux - the ultimate NT Service Pack.
------------------------------
From: [EMAIL PROTECTED] (Jeff Makey)
Crossposted-To: talk.politics.crypto
Subject: Re: DMCA bans fair use
Date: Tue, 31 Oct 2000 04:41:44 +0000 (UTC)
In article <[EMAIL PROTECTED]>,
Roger Schlafly <[EMAIL PROTECTED]> wrote:
>The Copyright Office just declared that only two classes
>of works are exempted from prohibition against circumvention.
>They are:
[...]
> (2) Literary works, including computer programs and databases,
>protected by access control mechanisms that fail to permit access
>because of malfunction, damage or obsoleteness.
I predict that we will soon begin to hear stories about
access-control-protected works that have mysteriously been damaged.
The nature of the damage will be such that a licensed access device
will fail to properly provide access to the work, yet the copyrighted
material on the media will remain substantially intact.
I further predict that these stories will be followed by tales of
successful efforts to legally extract the copyrighted works from the
damaged media. These tales will no doubt go into great detail about
the damage to the media and the recovery procedure. For example, one
of these tales might include a sentence like this:
"If your DVD of _The_Matrix_ has a scratch exactly like figure A, you
can still watch it on your Linux box using the scratched_matrix.c
program even though it will no longer play in your DVD player."
:: Jeff Makey
[EMAIL PROTECTED]
Department of Tautological Pleonasms and Superfluous Redundancies Department
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Searching for a good PRNG
Date: Tue, 31 Oct 2000 04:46:11 GMT
Tom St Denis <[EMAIL PROTECTED]> wrote:
>> :> That may be a good URL - but to save people visiting it
>> :> unnecessarily, it is linked to a hardware RNG which you can access
>> :> over the web.
>>
>> : What is your point?
>>
>> I thought I had expressed it clearly. What is in need of
> clarification?
> Exactly why are hotbits not a good source of random bits?
I, at least, assumed he was simply saving people from starting up a
browser to see what it is. Similar to if I said _Shampoo Planet_ is a
good book and someone else clarified that by adding it's a modern
_Catcher in the Rye_.
--
Matt Gauthier <[EMAIL PROTECTED]>
------------------------------
Subject: Re: A new paper claiming P=NP
From: Peter Fairbrother <[EMAIL PROTECTED]>
Crossposted-To: comp.theory,sci.math,sci.op-research
Date: Tue, 31 Oct 2000 05:00:23 +0000
Regarding the $1M prize:
The people supposedly giving the prize made a not-quite-trivial mistake
regarding Poincare's Conjecture on their site. I tried to email them and
got:
"
This Message was undeliverable due to the following reason:
Each of the following recipients was rejected by a remote mail server.
The reasons given by the server are included to help you determine why
each recipient was rejected.
Recipient: <[EMAIL PROTECTED]>
Reason: <[EMAIL PROTECTED]>... User unknown
"
I clicked on a link. Desn't give me confidence.
--
Peter Fairbrother
[EMAIL PROTECTED]
------------------------------
From: "mac" <[EMAIL PROTECTED]>
Subject: Newbie about Rijndael
Date: Tue, 31 Oct 2000 06:41:34 +0100
Hello!
I'm a newbie with Rijndael, block ciphers and cryptology in general. I've
downloaded Mike Scott's C implementation from Rijndael's home site. I'm
trying to figure out how it works and I have one question. When I want to
encrypt a string of, say three characters(bytes), what do I have to fill up
the rest of the array(another 14 bytes). I had problems when passing just a
null terminated string that is much shorter that 16 bytes to encrypt/decrypt
block functions. It works fine when I pass a 16-byte long null terminated
array. I know this seems pretty dumb question to you, but I don't understand
everything what's happening in encryption/decryption functions and it's
killing me.
Thank you very much for any explanations, thoughts or code.
------------------------------
From: "John A. Malley" <[EMAIL PROTECTED]>
Subject: Re: Open Request to Dr. Kaliski, Jr. at RSA Research - looking for your
Date: Mon, 30 Oct 2000 22:20:25 -0800
David Wagner wrote:
>
> John A. Malley wrote:
> >Is any PRNG isomorphic/homomorphic to the multiplicative group Z*p
> >encrypted by a cipher isomorphic/homomorphic to the same multiplicative
> >group Z*p always predictable?
>
> What does it mean to say that a PRNG is homomorphic to a group G?
> Can you give a definition?
Let me try. What I meant to say was:
First, let a PRNG be a function prng() operating on the elements of a
group G, where G is
- the multiplicative group Z_p^*, or
- the group of points on an elliptic curve over a finite field, or
- or some other cyclic group
and prng() takes the elements of G to the elements of G, so prng() is a
homomorphism or an isomorphism. And let G be either isomorphic or
homomorphic to the multiplicative group Z_p^*
Let the cipher c() be a function operating on the elements of the same
group G, where G is isomorphic or homomorphic to the multiplicative
group Z_p^*, and c() is an isomorphism or a homomorphism.
Show there is an "analog" for the ciphertext-only attack on the output
of a LCG encrypted with ElGamal (as outline in the draft paper) for the
output of prng() enciphered by c() as defined on the group G?
That's the problem I gave myself (well, the first part of the problem.)
Does this explanation make sense? I'd appreciate your feedback, Dr.
Wagner.
Thanks in advance,
John A. Malley
[EMAIL PROTECTED]
------------------------------
From: [EMAIL PROTECTED] (SCOTT19U.ZIP_GUY)
Subject: Re: Newbie about Rijndael
Date: 31 Oct 2000 06:28:08 GMT
[EMAIL PROTECTED] (mac) wrote in <8tllvr$3hmj$[EMAIL PROTECTED]>:
>Hello!
>
>I'm a newbie with Rijndael, block ciphers and cryptology in general.
>I've downloaded Mike Scott's C implementation from Rijndael's home site.
>I'm trying to figure out how it works and I have one question. When I
>want to encrypt a string of, say three characters(bytes), what do I have
>to fill up the rest of the array(another 14 bytes). I had problems when
>passing just a null terminated string that is much shorter that 16 bytes
>to encrypt/decrypt block functions. It works fine when I pass a 16-byte
>long null terminated array. I know this seems pretty dumb question to
>you, but I don't understand everything what's happening in
>encryption/decryption functions and it's killing me.
>
>Thank you very much for any explanations, thoughts or code.
>
>
>
Try Matt Timermanns code it will handle 2 bytes fine
http://www3.sympatico.ca/mtimmerm/bicom/bicom.html
David A. Scott
--
SCOTT19U.ZIP NOW AVAILABLE WORLD WIDE
http://www.jim.com/jamesd/Kong/scott19u.zip
Scott famous encryption website **now all allowed**
http://members.xoom.com/ecil/index.htm
Scott LATEST UPDATED source for scott*u.zip
http://radiusnet.net/crypto/ then look for
sub directory scott after pressing CRYPTO
Scott famous Compression Page
http://members.xoom.com/ecil/compress.htm
**NOTE EMAIL address is for SPAMERS***
I leave you with this final thought from President Bill Clinton:
------------------------------
From: [EMAIL PROTECTED] (Jan Fedak)
Subject: Arbitrated signature scheme (conventional cryptosystem)
Date: Tue, 31 Oct 2000 02:23:32 +0000 (UTC)
Hello.
Here's what Selim G. Akl offers as an arbitrated signature scheme
(reprinted in W.Stallings: Practical Cryptography For Computer
Internetworks):
We have sender $S$, receiver $R$, arbitrator $A$.
Message $M$, metadata $m$ (containing nonce, at least).
Secret keys are written like this: $k_{AR}$ -- secret key for arbiter and
receiver.
1. Sender prepares $M' = (M, m)$.
2. She computes $h = H(M')$, $M$ is a secure hash function.
3. She computes $C = E_{k_{SA}}(m, h)$ and sends it along with
UNENCRYPTED $M$ to arbiter.
4. The arbitrator deciphers $C$, uses $m$ and $h$ for authentication and
validation.
5. If all goes ok, he prepares $M'' = (M', C, t, v)$ and sends
$E_{k_{RA}}(M'')$ to receiver.
$t$ is time of receipt
$v$ is validation result (ok/not ok)
Firstly, I find it a bit too complicated. Secondly, I think it's
insecure. $M$ is transmitted unencrypted and anyone can guess $m$
(metadata tend to be easy to guess) and compute $M'$ and $h$.
The enemy then knows $C$, $m$ and $h$ and can easily obtain $k_{SA}$.
I've simplified it a bit and I'd love to know what you think of it:
1. Sender prepares $M' = (M, m)$.
2. She computes $h = H(M')$, $M$ is a secure hash function.
3. She computes $C = E_{k_{SA}}(M', h)$ and sends it to arbitrator.
4. The arbitrator deciphers $C$, uses $m$ and $h$ for authentication and
validation.
5. If all goes ok, he prepares $M'' = (M', C, t, v)$ and sends
$E_{k_{RA}}(M'')$ to receiver.
I'm not too sure why I should send $v$ -- IMHO if message is invalid
arbitrator can just dump it and the valid messages would always have
I_AM_OK in $v$...
What do you think of my modification? Is it going to work or have I
overlooked something?
Thank you, Jan
--
Jan Fedak talk:[EMAIL PROTECTED]
mailto:[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
Linux - the ultimate NT Service Pack.
------------------------------
From: Anders Thulin <[EMAIL PROTECTED]>
Subject: Re: shared secret signing using a hash...
Date: Tue, 31 Oct 2000 07:19:24 GMT
"Tony L. Svanstrom" wrote:
> $data = 'this is the string';
> $signature = md5_base64 "[this is the secret] $data";
For more on that particular topic, try RFC1828 and RFC2104.
--
Anders Thulin [EMAIL PROTECTED] 040-10 50 63
Telia Prosoft AB, Box 85, S-201 20 Malm�, Sweden
------------------------------
From: David A Molnar <[EMAIL PROTECTED]>
Subject: Re: Is RSA provably secure under some conditions?
Date: 31 Oct 2000 07:05:38 GMT
Jan Fedak <[EMAIL PROTECTED]> wrote:
> Hello.
> I wonder are there any conditions under which RSA is provably secure?
> I've seen a small note saying something like RSA is provably secure if
> public exponent is 2 or 3 but I'm not sure about it and I can't find the
> reference any more.
If the public exponent is 2 (or actually, any even number), then the
scheme is usually called Rabin. In this case, the problem of breaking the
scheme is provably equivalent to factoring.
Unfortunately, we don't know how to prove factoring is hard.
> Moreover, I've found some articles claiming that breaking RSA with low
> public exponent is easier.
Some attacks are indeed easier if the public exponent is low. Check out
"Twenty Years of Attacks on RSA" on Dan Boneh's web page
(http://www.theory.stanford.edu/~dabo) for a much better overview than I
can give here. Most of these attacks can be thwarted by good padding,
like Bellare and Rogaway's OAEP.
You should ask always what *exactly* is meant by "provably secure" in
these kinds of claims. In particular, what does "secure" mean and is any
problem assumed to be hard? There are various different notions floating
around. Which is why this is a contentious issue whenever it comes up
here...
-David
------------------------------
From: Mike Connell <[EMAIL PROTECTED]>
Subject: Re: XOR based key exchange protocol - flawed?
Date: 31 Oct 2000 09:03:14 +0100
[EMAIL PROTECTED] writes:
> Mike Connell <[EMAIL PROTECTED]> writes:
> > Call the faked Pa value Pa', and the faked Xa value Xa', that means,
> > after step 4:
> >
> > a computes XOR of Pa Pb Xa Xb
> > b computes XOR of Pa' Pb Xa' Xb
> >
> > so the attacker must create Pa' and Xa' so that
> >
> > Pa' XOR Xa' == Pa XOR Xa
> >
> > I dont see how this can be done when the attacker doesn't know
> > Xa. Could you expand a little on this attack?
>
> He doesn't have to do this. The MITM computes one key with respect
> to A, and a different key with respect to B. He runs your whole
> protocol separately with respect to A and B. At the end he shares
> a key with A, and shares a different key with B.
>
> Now when A sends to B, the MITM intercepts, decrypts using the key he
> shares with A, and re-encrypts using the key he shares with B. This
> is standard operating procedure for an MITM.
>
This is an attack on the communication channel *after* the key
exchange protocol. Both A and B know they are talking to C, and they
both have secret keys shared with C. In other words, the key exchange
protocol worked correctly - twice. The fact that C can't be trusted is
another matter ;)
What I had in mind as a MITM attack against a key exchange protocol is
something like the following,
protocol is
1. a -> b : Pa
2. a <- b : Pb
3. a -> b : K
where K is the key. Clearly C can intercept the K at 3 and read
it. Thus A and B will believe they are talking to each other, and that
only the other knows K, whereas they are both talking to C, who knows
K, and can read/modify all data between A and B.
best wishes,
Mike.
--
Mike Connell [EMAIL PROTECTED] +46 (0)31 772 8572
[EMAIL PROTECTED] http://www.flat222.org/mac/ icq: 61435756
------------------------------
From: "John A. Malley" <[EMAIL PROTECTED]>
Subject: Re: Is RSA provably secure under some conditions?
Date: Mon, 30 Oct 2000 23:50:25 -0800
David A Molnar wrote:
[snip]
>
> Some attacks are indeed easier if the public exponent is low. Check out
> "Twenty Years of Attacks on RSA" on Dan Boneh's web page
> (http://www.theory.stanford.edu/~dabo) for a much better overview than I
> can give here. Most of these attacks can be thwarted by good padding,
> like Bellare and Rogaway's OAEP.
>
> You should ask always what *exactly* is meant by "provably secure" in
> these kinds of claims. In particular, what does "secure" mean and is any
> problem assumed to be hard? There are various different notions floating
> around. Which is why this is a contentious issue whenever it comes up
> here...
>
> -David
Yes, some notions of "provable security" are subject to change. Check
out "The Random Oracle Methodology, Revisited" by Ran Canetti, Oded
Goldreich and Shai Halevi, dated October 11, 2000 at the LANL on-line
archive but originally appeared in the Proceedings of 30th Annual ACM
Symposium on the Theory of Computing, pages 209-218, May 1998, ACM:
http://xxx.lanl.gov/abs/cs.CR/0010019
They show a most marvelous thing: There exist signature and encryption
schemes that are secure in the Random Oracle Model but for which any
_implementation_ of the random oracle results in insecure schemes. The
fact that a scheme is secure in the Random Oracle Model cannot be taken
as evidence or indication to the security of possible implementations of
this scheme. Evaluating schemes with the Random Oracle Model rules out
some, but not all, insecure schemes.
Made my jaw drop.
Gosh, the math in the paper itself made my jaw drop. Still reading it,
do not yet completely understand their proofs but I'm working on it.
John A. Malley
[EMAIL PROTECTED]
------------------------------
From: [EMAIL PROTECTED]
Subject: Re: Calculating the redudancy of english?
Date: Tue, 31 Oct 2000 07:46:22 GMT
In article <8tkosd$84d$[EMAIL PROTECTED]>,
Simon Johnson <[EMAIL PROTECTED]> wrote:
> How does one calculate the redudancy of english?
>
This is covered in detail by Shannon in a very early
paper (title something like "The Entropy of Printed
English"). The basic idea is very simple - get the
smartest people you can find, have them guess an
English text letter by letter, and see how many tries
it takes to get each letter right on the average.
The good thing about this approach is that it catches
redundancy of all forms - letter, word, phrase,
and even literary style. It's an upper bound since
an even smarter person might do better. I think
the end result was 1-2 bits per character for the
texts he tried.
Lou Scheffer
Sent via Deja.com http://www.deja.com/
Before you buy.
------------------------------
From: Mike Connell <[EMAIL PROTECTED]>
Subject: Re: XOR based key exchange protocol - flawed?
Date: 31 Oct 2000 09:13:10 +0100
Tom St Denis <[EMAIL PROTECTED]> writes:
> In article <[EMAIL PROTECTED]>,
> Mike Connell <[EMAIL PROTECTED]> wrote:
> >
> > Erm,... this is what I first wrote:
> >
> > #1. a -> b : Pa
> > #2. a <- a : Pb
> > #3. a -> b : (Xa)Pb
> > #4. a <- b : (Xb)Pa
> > #
> > #Then a and b compute the XOR of Pa,Pb,Xa,Xb. This gives them a
> > #substantional number of shared secret bytes to construct a session
> > #key from.
> >
> > I guess that it's technically not a step in the protocol itself, as
> it
> > is the result of the protocol. It is however, the entire point of
> > doing the protocol ;)
> >
> > > Also what is to stop me from faking being one side of the
> > > conversation? Unless a shared secret was negotiated before hand,
> > > nothing.
> >
> > Isn't that what you just did? The reason I dont think it will work is
> > that both parties have keybits, and the attacker can only get them
> > from one party. However, if you can point out where the flaw lies, I'd
> > be greatful ;)
>
> You're missing the point. Not one step of your protocal stops me from
> *completely* faking being one party. There is no trusted agent or
> secret secret shared previously. I.e it's stateless when the protocal
> begins.
>
Here's my public key Pa. Can you explain how you're going to hold a
conversation with B using the Pa, but without my private key?
If you mean that you can create Pc, and then claim that Pc is the
public key of A (who really has Pa), yes you can, but who would
believe you? Matching of identities to public keys is outside of the
key exchange protocol - with good reason: I considered this for use in
an identity based system where there are no identities outside of the
public keys.
best wishes,
Mike.
> >
> > > It's a friggin law of nature my friend.
> > > That is why things like EKE/etc... exist.
> > >
> >
> > Otway-Rees? [Modified] Needham-Schroeder?
>
> Law of nature says "you are you and I am me, then who is he?".
> Essentially you can *say* "I am me" but how do I know that?
>
> Tom
>
>
> Sent via Deja.com http://www.deja.com/
> Before you buy.
--
Mike Connell [EMAIL PROTECTED] +46 (0)31 772 8572
[EMAIL PROTECTED] http://www.flat222.org/mac/ icq: 61435756
http://www.flat222.org/Paranoia
------------------------------
From: David Schwartz <[EMAIL PROTECTED]>
Subject: Re: XOR based key exchange protocol - flawed?
Date: Mon, 30 Oct 2000 23:59:48 -0800
Tom St Denis wrote:
> You're missing the point. Not one step of your protocal stops me from
> *completely* faking being one party. There is no trusted agent or
> secret secret shared previously. I.e it's stateless when the protocal
> begins.
The purpose of this protocol is to wind up with a shared secret between
the two parties. The only useful attack would be one that resulted in
the MITM knowing the shared secret. If the MITM winds up with a shared
secret with A, or the MITM winds up with a shared secret with B, he has
nothing useful. He can't use these two shared secrets to interfere with
the communication between A and B.
This assumes, of course, that the protocol later checks to be sure that
A and B do in fact share a secret.
DS
------------------------------
From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: Searching for a good PRNG
Date: Tue, 31 Oct 2000 09:00:33 +0100
Tom�s Perlines Hormann wrote:
> I am searching for a good PRNG in software, preferrable for FREE. I know
> that there is a big discussion going on about where to get possibly good
> PRN out of a computer (mouse, thermal noise, etc.)
I like to remark that P (pseudo) is normally referred to
those number sequences that are generated by deterministic
algorithms and are in principle always predictable, while
you are obviously looking for (in practice always non-perfect)
T (true) RNGs, software assisting you to retrieve randomness
in bits from presumably unpredictable physical process.
Depending on diverse factors, you may prefer PRNGs or TRNGs.
Each time the topic RNG props up, the discussion is
susceptible to be diverted to unpredictablility in quantum
mechanics and philosophical issues of that theory. If you
don't have the equipment/resources to really tap that quantum
unpredictability without being inadvertantly influenced
by not so truly random sources, then you certainly can never
get perfect randomness. If you can consequently realistically
lower the threshold of your requirement a bit, then you may
find that some very good PRNGs, which are more convenient
from implementation point of view, can often be satisfactory
for your purposes.
M. K. Shen
==========================
http://home.t-online.de/home/mok-kong.shen
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and sci.crypt) via:
Internet: [EMAIL PROTECTED]
End of Cryptography-Digest Digest
******************************
