Re: CCM Mode
On Thu, 15 Aug 2002, Housley, Russ wrote:

> http://ftp.ietf.org/internet-drafts/draft-housley-ccm-mode-00.txt
>
> It contains a specification for an authenticated encryption mode.

While this merging is alluded to in the OCB paper and elsewhere, I still found the idea of the CCM mode interesting. It is taking two separate modes and merging them into one. It is performing authentication (CBC-MAC) then encryption (CTR), and, while I have not seen the details of the security of this scheme, I imagine it is somewhat focused on the notions outlined in the Krawczyk papers last year.

I think this "expansion" of modes is a beneficial move. Instead of allowing protocol designers to attempt to figure out the proper ways to merge authentication and encryption modes, modes are being designed that cover the proper use of both. This is a good thing.

Of course, I am not ignoring modes like OCB that use "blended constructs" to perform both encryption and authentication. Such modes can achieve the benefits of "merged modes" with potentially more efficiency.

-Andrew

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
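The CBC-MAC-then-CTR composition Andrew describes, as an added example that is not from the draft or from anyone on the list: it shows why the MAC input must bind the nonce and message length (the job of CCM's first block), how one counter value is reserved for masking the tag, and why the receiver verifies before releasing plaintext. It assumes a toy HMAC-based Feistel block cipher in place of AES, a 12-byte nonce with a 4-byte counter, and does not reproduce the exact block formatting of the draft.

```python
import hmac, hashlib, struct

BLOCK = 16   # block size in bytes; nonce is 12 bytes, counter 4 bytes

def prp(key, block):
    # Toy 128-bit block cipher: 4-round Feistel with an HMAC-SHA256 round
    # function. Assumption: stands in for AES so only the stdlib is needed.
    l, r = block[:8], block[8:]
    for i in range(4):
        f = hmac.new(key, bytes([i]) + r, hashlib.sha256).digest()[:8]
        l, r = r, bytes(a ^ b for a, b in zip(l, f))
    return l + r

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_mac(key, nonce, msg):
    # Step 1 of the composition: CBC-MAC. The first block carries the nonce
    # and the message length (the role of CCM's B0 block) so that plain
    # CBC-MAC, which is insecure on variable-length input, becomes safe.
    data = nonce + struct.pack(">I", len(msg)) + msg + b"\0" * (-len(msg) % BLOCK)
    state = bytes(BLOCK)
    for i in range(0, len(data), BLOCK):
        state = prp(key, xor(state, data[i:i + BLOCK]))
    return state

def ctr_keystream(key, nonce, nblocks):
    # Step 2: CTR mode. Counter 0 masks the tag, counters 1.. mask the data.
    return b"".join(prp(key, nonce + struct.pack(">I", i))
                    for i in range(nblocks + 1))

def seal(key, nonce, msg):
    # Authenticate, then encrypt message and tag: ciphertext || encrypted tag.
    assert len(nonce) == 12
    tag = cbc_mac(key, nonce, msg)
    ks = ctr_keystream(key, nonce, -(-len(msg) // BLOCK))
    return xor(msg, ks[BLOCK:]) + xor(tag, ks[:BLOCK])

def open_(key, nonce, sealed):
    # Decrypt, recompute the MAC, and release plaintext only if the tag
    # matches (constant-time compare). Returns None on any failure.
    if len(nonce) != 12 or len(sealed) < BLOCK:
        return None
    ct, enc_tag = sealed[:-BLOCK], sealed[-BLOCK:]
    ks = ctr_keystream(key, nonce, -(-len(ct) // BLOCK))
    msg = xor(ct, ks[BLOCK:])
    if not hmac.compare_digest(cbc_mac(key, nonce, msg), xor(enc_tag, ks[:BLOCK])):
        return None
    return msg
```

A nonce must never be reused under one key: CTR keystream reuse leaks the XOR of the two plaintexts, exactly the failure a combined mode is meant to keep protocol designers from having to think about.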
Quantum computers inch closer?
[I don't know what to make of this story. Anyone have information? --Perry]

Quantum computer called possible with today's tech
http://www.eet.com/story/OEG20020806S0030

MADISON, Wis. Researchers at the University of Wisconsin in Madison claim to have created the world's first successful simulation of a quantum-computer architecture that uses existing silicon fabrication techniques. By harnessing both vertical and horizontal tunneling through dual top and bottom gates, the architecture lays out interacting, 50-nanometer-square, single-electron quantum dots across a chip.

"Our precise modeling elucidates the specific requirements for scalable quantum computing; for the first time we have translated the requirements for fault-tolerant quantum computing into the specific requirements for gate voltage control electronics in quantum dots," said professor Mark Eriksson of the university's Department of Physics.

The group of researchers has concluded that existing silicon fabrication equipment can be used to create quantum computers, albeit at only megahertz speeds today due to the stringent requirements of its pulse generators. To achieve gigahertz operation, the group has pinpointed the device features that need to be enhanced to prevent leakage errors, and has already begun work on fabricating a prototype.

"We believe that quantum computers are possible today with the component technologies we already have in place for silicon," Eriksson said.

The team composed their quantum "bits" out of electron spin: up for "1," down for "0." Encoding bits in spins allows a single electron to represent either binary value, and because of the indeterminacy of quantum spins, they can represent both values during calculations to effectively create a parallel process.

"Our technique may enable quantum computers to actually begin performing calculations that can't be performed any other way," Eriksson said.
Others have demonstrated a few quantum dots interacting to perform calculations, but Eriksson estimates that a million quantum bits (qubits) will be needed to create quantum computers that perform useful real-world applications. For that, silicon fabrication equipment offers the best solution, according to Eriksson.

Eriksson's team matched silicon germanium fabrication capabilities to quantum-dot requirements. The result is an array of quantum dots, each of which houses a single electron, with electrostatic gates controlling qubit interactions. The team then optimized and exhaustively simulated the model, which it declared to be a successful design.

The design constraints included reducing the population of electrons in quantum dots to one, while permitting tunable coupling between neighboring dots. The team met those conditions by employing both vertical and horizontal tunneling to first confine and then slightly alter the location of individual electrons.

A back gate serving as the chip substrate acts as an electron reservoir from which quantum dots can draw their single electrons using vertical tunneling into the quantum-well layer. That layer acts as the vertical confinement barrier, with an insulator above and below it, enabling the vertical size of the quantum dots to be just big enough for one. A grid of top gates then provides the horizontal separation between dots by supplying electrostatic repulsion from above.

The semiconductor layers were formed from strain-relaxed SiGe, except for the quantum-well layer, which was pure, strained silicon. The bottom gate was formed from a thick n-doped layer with a 10-nm, undoped tunneling barrier separating it from the 6-nm-thick quantum-well layer. Another 20-nm-thick tunnel barrier above the quantum-well layer separated it from the metallic top gates, the team reported.
Researchers load the electrons into the quantum dots from below by adjusting the potentials on the top gates to induce an electron from the bottom gate to tunnel vertically up into the quantum-well layer. Once loaded, the electron stays in place because of the electrostatic force from the top gates. When the team weakens the force between selected quantum dots by adjusting the top gates between them, the adjacent dots are permitted to interact, thus enabling calculations to be made.

The normal errors encountered during quantum calculations could mostly be corrected, according to Eriksson's simulations. Careful consideration of the simulations led the researchers to predict that leakage could be tuned out sufficiently by low temperatures combined with a modified heterostructure that allowed larger electrical fields.

With existing fabrication techniques, the team estimates that a million-quantum-dot computer (1,024 x 1,024 array) could be built today and operated in the megahertz range.
Re: Cryptographic privacy protection in TCPA
Dr. Mike wrote, patiently, persistently and truthfully:

> On Fri, 16 Aug 2002, AARG! Anonymous wrote:
>
> > Here are some more thoughts on how cryptography could be used to
> > enhance user privacy in a system like TCPA. Even if the TCPA group
> > is not receptive to these proposals, it would be useful to have an
> > understanding of the security issues. And the same issues arise in
> > many other kinds of systems which use certificates with some degree
> > of anonymity, so the discussion is relevant even beyond TCPA.
>
> OK, I'm going to discuss it from a philosophical perspective.
> i.e. I'm just having fun with this.

Fine, but let me put this into perspective. First, although the discussion is in terms of a centralized issuer, the same issues arise if there are multiple issuers, even in a web-of-trust situation. So don't get fixated on the fact that my analysis assumed a single issuer - that was just for simplicity in what was already a very long message.

The abstract problem to be solved is this: given that there is some property which is being asserted via cryptographic certificates (credentials), we want to be able to show possession of that property in an anonymous way. In TCPA the property is "being a valid TPM". Another example would be a credit rating agency who can give out a "good credit risk" credential. You want to be able to show it anonymously in some cases. Yet another case would be a state drivers license agency which gives out an "over age 21" credential, again where you want to be able to show it anonymously.

This is actually one of the oldest problems which proponents of cryptographic anonymity attempted to address, going back to David Chaum's seminal work. TCPA could represent the first wide-scale example of cryptographic credentials being shown anonymously. That in itself ought to be of interest to cypherpunks.
Unfortunately TCPA is not going for full cryptographic protection of anonymity, but relying on Trusted Third Parties in the form of Privacy CAs. My analysis suggests that although there are a number of solutions in the cryptographic literature, none of them are ideal in this case. Unless we can come up with a really strong solution that satisfies all the security properties, it is going to be hard to make a case that the use of TTPs is a mistake.

> I don't like the idea that users *must* have a "certificate". Why
> can't each person develop their own personal levels of trust and
> associate it with their own public key? Using multiple channels,
> people can prove their key is their word. If any company wants to
> associate a certificate with a customer, that can have lots of meanings
> to lots of other people. I don't see the usefulness of a "permanent
> certificate". Human interaction over electronic media has to deal
> with monkeys, because that's what humans are :-)

A certificate is a standardized and unforgeable statement that some person or key has a particular property, that's all. The kind of system you are talking about, of personal knowledge and trust, can't really be generalized to an international economy.

> > Actually, in this system the Privacy CA is not really protecting
> > anyone's privacy, because it doesn't see any identities. There is no
> > need for multiple Privacy CAs and it would make more sense to merge
> > the Privacy CA and the original CA that issues the permanent certs.
> > That way there would be only one agency with the power to forge keys,
> > which would improve accountability and auditability.
>
> I really, REALLY, *REALLY*, don't like the idea of one entity having
> the ability to create or destroy any person's ability to use their
> computer at whim. You are suggesting that one person (or small group)
> has the power to create (or not) and revoke (or not!) any and all TPM's!
>
> I don't know how to describe my astoundment at the lack of comprehension
> of history.

Whoever makes a statement about a property should have the power to revoke it. I am astounded that you think this is a radical notion. If one or a few entities become widely trusted to make and revoke statements that people care about, it is because they have earned that trust. If the NY Times says something is true, people tend to believe it. If Intel says that such-and-such a key is in a valid TPM, people may choose to believe this based on Intel's reputation. If Intel later determines that the key has been published on the net and so can no longer be presumed to be a TPM key, it revokes its statement.

This does not mean that Intel would destroy any person's ability to use their computer on a whim. First, having the TPM cert revoked would not destroy your ability to use your computer; at worst you could no longer persuade other people of your trustworthiness. And second, Intel would not make this kind of decision on a whim, any more than the NY Times would publish libelous articles on a whim; doing so would risk destroying the company's rep
Re: employment market for applied cryptographers?
At 04:21 AM 8/16/02 -0400, dmolnar wrote:
...
>Don't forget schedule pressure, the overhead of bringing in a contractor
>to do crypto protocol design, and the not-invented-here syndrome. I think
>all of these contribute to keeping protocol design in-house, regardless of
>the technical skill of the parties involved.

Also, designing new crypto protocols, or analyzing old ones used in odd ways, is mostly useful for companies that are offering some new service on the net, or doing some wildly new thing. Many of the obvious new things have been done, for better or worse, and few companies are able to get funding for whatever cool new ideas they may have for the net, good or bad. And without funding, people are a lot more likely to either decide to do the security themselves, apply openSSL and a lot of duct tape and hope for the best, or just ignore security. Sure, it may cost a lot later, but they're going broke *now*.

>-David

--John Kelsey, [EMAIL PROTECTED] // [EMAIL PROTECTED]
Re: employment market for applied cryptographers?
At 12:57 PM 8/16/02 -0400, Perry E. Metzger wrote:
...
>I've seen very high rates of unemployment among people of all walks of
>life in New York of late -- I know a lot of lawyers, systems
>administrators, secretaries, advertising types, etc. who are out of
>work or have been underemployed for a year or longer. I'm not sure
>that it is just cryptographers.

This is my experience, too. A huge number of the people I know around here (RTP area, mid-North Carolina) are out of work, or are worried that they soon will be. This set of people includes only one cryptographer (and he's got a job).

>Always keep in mind when you hear the latest economic statistics that
>measuring the size of the US economy, or the number of unemployed
>people, is partially voodoo.

Also that regions and industries can vary enormously in how their economy is going. Areas where a lot of jobs are in the computer or travel industries, for example, are going to have a lot of unemployment, as this area does.

And also, it's important to note that most of us in this field might move to a different field (e.g., more general software development, teaching, etc.) rather than live without paychecks for a long time. Or might decide that now is the time to go back to school. Unemployment stats measure (if I'm remembering it right) only people who are not working, but are actively looking for work. (I don't know what definition is used to decide if you're really looking or not.)

I feel very fortunate to still have a job, given all that's going on in this industry.

>Perry

--John Kelsey, [EMAIL PROTECTED] // [EMAIL PROTECTED]