Watermarking...
Hi all,

I was wondering if any of you have some pointers on the security of watermarking. In particular I am interested in public-key or asymmetric watermarking algorithms.

Also, do you know of any free-to-use (opensource/etc.) implementation that can be used for research-test purposes?

--
Best Regards,
Massimiliano Pala

--o
Massimiliano Pala [OpenCA Project Manager] ope...@acm.org project.mana...@openca.org
Dartmouth Computer Science Dept, Home Phone: +1 (603) 369-9332
PKI/Trust Laboratory, Work Phone: +1 (603) 646-8734
--o
People who think they know everything are a great annoyance to those of us who do. -- Isaac Asimov

- The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com
Re: Watermarking...
On Tue, Apr 20, 2010 at 12:29 AM, Massimiliano Pala p...@cs.dartmouth.edu wrote:

> Hi all,
>
> I was wondering if any of you have some pointers on the security of watermarking. In particular I am interested in public-key or asymmetric watermarking algorithms.

Ciao Massimiliano,

You might be interested in checking out the deliverables of BOWS contests at: http://bows2.gipsa-lab.inpg.fr/ and http://lci.det.unifi.it/BOWS/

> Also, do you know of any free-to-use (opensource/etc.) implementation that can be used for research-test purposes ?
>
> --
> Best Regards,
> Massimiliano Pala

From a cursory look at bookmarks...

- Peter Meerwald's implementation of digital image watermarking algorithms.
- Microsoft Audio Watermarking Tool http://research.microsoft.com/en-us/downloads/885bb5c4-ae6d-418b-97f9-adc9da8d48bd/default.aspx

Cheers,
alfonso

--
http://crypto.lo.gy
New protocol for cryptographically strong, accountable anonymous messaging
A student and I here at Yale have recently been developing an experimental protocol for cryptographically strong anonymous messaging within a small online group or virtual organization. We believe the protocol is (provably) resistant to both traffic analysis and anonymous denial-of-service or disruption by malicious or compromised group members, and supports applications requiring an exact 1-to-1 correspondence of members to messages in a given round, such as voting or assigning 1-to-1 pseudonyms.

In its current form the protocol is intended only for small decentralized groups and is not scalable to large groups or providing mass anonymity as in Mixminion or Tor, and the protocol is suited only for non-interactive messaging or bulk file transfer due to high startup latencies, although we have some ideas for addressing these limitations in the future.

We have placed a preliminary draft of the protocol (with some experimental results from a very preliminary and incomplete implementation) at the URL below, and would like to solicit analysis and feedback from interested cryptographers or distributed systems folks.

Thanks,
Bryan

Accountable Anonymous Group Messaging
http://arxiv.org/abs/1004.3057

Users often wish to participate in online groups anonymously, but misbehaving users may abuse this anonymity to spam or disrupt the group. Messaging protocols such as Mix-nets and DC-nets leave online groups vulnerable to denial-of-service and Sybil attacks, while accountable voting protocols are unusable or inefficient for general anonymous messaging. We present the first general messaging protocol that offers provable anonymity with accountability for moderate-size groups, and efficiently handles unbalanced loads where few members have much data to transmit in a given round. The N group members first cooperatively shuffle an NxN matrix of pseudorandom seeds, then use these seeds in N pre-planned DC-nets protocol runs. Each DC-nets run transmits the variable-length bulk data comprising one member's message, using the minimum number of bits required for anonymity under our attack model. The protocol preserves message integrity and one-to-one correspondence between members and messages, makes denial-of-service attacks by members traceable to the culprit, and efficiently handles large and unbalanced message loads. A working prototype demonstrates the protocol's practicality for anonymous messaging in groups of 40+ member nodes.
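As an added illustration of the single DC-nets run the abstract above describes (not code from the draft or its prototype): one member's message is masked with streams expanded from per-member seeds, and the XOR of every member's output reveals it. The seed shuffle is omitted, and the SHA-256 stream expansion and the published per-output hashes used to trace a disruptor are assumptions of this sketch.

```python
import hashlib
import secrets

def prg(seed: bytes, length: int) -> bytes:
    """Expand a seed into `length` bytes (SHA-256 in counter mode; assumption)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def plan_run(n: int, sender: int, message: bytes):
    """The sender picks one seed per other member, masks its message with all
    the resulting streams, and publishes a hash of every expected output.
    Delivering this plan anonymously (the shuffle) is not modelled here."""
    seeds = {j: secrets.token_bytes(16) for j in range(n) if j != sender}
    streams = {j: prg(s, len(message)) for j, s in seeds.items()}
    masked = message
    for stream in streams.values():
        masked = xor(masked, stream)
    streams[sender] = masked
    hashes = [hashlib.sha256(streams[j]).digest() for j in range(n)]
    return seeds, masked, hashes

def member_output(j, sender, seeds, masked, length):
    # Every output looks pseudorandom, so observers cannot pick out the sender.
    return masked if j == sender else prg(seeds[j], length)

def combine(outputs, hashes):
    """XOR all outputs; also list members whose output breaks the plan."""
    culprits = [j for j, c in enumerate(outputs)
                if hashlib.sha256(c).digest() != hashes[j]]
    message = bytes(len(outputs[0]))
    for c in outputs:
        message = xor(message, c)
    return message, culprits

def demo():
    n, sender, message = 5, 2, b"constructed sample message"
    seeds, masked, hashes = plan_run(n, sender, message)
    outputs = [member_output(j, sender, seeds, masked, len(message))
               for j in range(n)]
    honest = combine(outputs, hashes)
    outputs[4] = secrets.token_bytes(len(message))  # member 4 sends garbage
    disrupted = combine(outputs, hashes)
    return honest, disrupted
```

In the honest round the combined output is the message and no member is flagged; once member 4 substitutes random bytes, the message is destroyed but the hash check names member 4.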
Quantum Key Distribution: the bad idea that won't die...
Via /., I saw the following article on ever higher speed QKD:

http://www.wired.co.uk/news/archive/2010-04/19/super-secure-data-encryption-gets-faster.aspx

Very interesting physics, but quite useless in the real world.

I wonder why it is that, in spite of almost universal disinterest in the security community, quantum key distribution continues to be a subject of active technological development.

Perry
--
Perry E. Metzger pe...@piermont.com
Re: Watermarking...
[Moderator's note: Please no top posting. --Perry]

Hello Sandy, all,

basically what I need is a library that will allow me to check for a watermark in an image/video/etc. It could be different algorithms for different media types - my work is not related to the algorithms themselves. The important issues are:

* the algorithm(s) should be based on public key (asymmetric)
* my program should be able to verify that a watermark exists and has been generated with a private key corresponding to a specific public key
* an attacker should not be able to add a watermark that my app would recognize as valid (i.e., the verification would fail when using my app's public key if an attacker tries to substitute the watermark)
* if the watermark is removed/altered/substituted I should be able to detect it
* the watermark should be invisible

Do you know if/where I can find some libraries that provide me with some implementation of one or more algorithms that satisfy my needs? I know there are a lot of publications about these algorithms, but I need a usable (also if not perfect) implementation, preferably written in C/C++.

Cheers,
Max

On 04/20/2010 09:49 AM, Sandy Harris wrote:

> What are your threat model and goals for the watermarking?
>
> Some watermarks -- like the photographer's copyright notice across a web picture -- are designed to be extremely visible. The whole idea is that if anyone steals the photo, everyone will know.
>
> For other threats, you might want a watermark to be completely invisible, perhaps even undetectable without some sort of key.
>
> Does it need to be tamper-resistant or unremovable?

--
Best Regards,
Massimiliano Pala

--o
Massimiliano Pala [OpenCA Project Manager] ope...@acm.org project.mana...@openca.org
Dartmouth Computer Science Dept, Home Phone: +1 (603) 369-9332
PKI/Trust Laboratory, Work Phone: +1 (603) 646-8734
--o
People who think they know everything are a great annoyance to those of us who do. -- Isaac Asimov
Re: Quantum Key Distribution: the bad idea that won't die...
At 11:31 AM -0400 4/20/10, Perry E. Metzger wrote:

> I wonder why it is that, in spite of almost universal disinterest in the security community, quantum key distribution continues to be a subject of active technological development.

You hit it: almost. As long as a few researchers are interested, and there is money to be thrown down the drain^w^w^wat them, there will be active development.

--Paul Hoffman, Director
--VPN Consortium
Re: What's the state of the art in factorization?
The state of the art in factorization is the same as for, e.g., the factorization of RSA-768 [1] --- there haven't been many advances in the number field sieve algorithm itself. The current effort, as Bernstein puts it, is in speeding up smoothness detection, as part of the relation collection process.

Both the RSA-768 factorization paper and a previous one by the same authors [2] try to predict the effort needed for a 1024-bit prediction, which is estimated to be around 1000 times harder than a 768-bit modulus. [1] estimates the number of operations in the RSA768 factorization to be in the ballpark of 2^67 instructions: a thousand times harder puts this on about 2^77, which puts it in the realm of doable, but very hard, even for a well funded organization.

We also have to take into account the logistics of doing such a factorization. Unlike an elliptic curve discrete logarithm computation, that takes (relatively) negligible storage and communication, the number field sieve requires massive amounts of data, and the linear algebra step could become (even more of) a problem.

Best regards,
Samuel Neves

[1] http://eprint.iacr.org/2010/006
[2] http://eprint.iacr.org/2009/389

On 20-04-2010 16:45, Perry E. Metzger wrote:

> I was alerted to some slides from a talk that Dan Bernstein gave a few days ago at the University of Montreal on what tools will be needed to factor 1024 bit numbers:
>
> http://cr.yp.to/talks/2010.04.16/slides.pdf
>
> It has been a couple of years since there has been serious discussion on the list on this topic, and especially in the light of various technical decisions being undertaken on the size of DNS signing keys for high valued zones (like root), I was curious as to whether anyone had any interesting comments on the state of the art in factorization.
>
> Perry
Re: Watermarking...
On 19 Apr 2010, at 23:29, Massimiliano Pala wrote:

> Hi all,
>
> I was wondering if any of you have some pointers on the security of watermarking. In particular I am interested in public-key or asymmetric watermarking algorithms.
>
> Also, do you know of any free-to-use (opensource/etc.) implementation that can be used for research-test purposes ?

I found:

http://techrepublic.com.com/1324-4-55.html

PKI based Semi-Fragile Watermark for Visual Content Authentication
Chamidu Atupelage, Koichi Harada, Member, ACM

of use and easily hacked up.

Dw
Re: What's the state of the art in factorization?
Perry E. Metzger wrote:

> I was alerted to some slides from a talk that Dan Bernstein gave a few days ago at the University of Montreal on what tools will be needed to factor 1024 bit numbers:
>
> http://cr.yp.to/talks/2010.04.16/slides.pdf

I had the opportunity to listen to Prof. Dan Bernstein talk last Friday morning. I was very glad to see him as I respect his dedication to crypto maths, algorithm implementation, and very applied studies of computation complexity.

The slides are pretty much representative of his talk. New material starts on slide 17. If you are familiar with the contents of slides 1-16 and elliptic curve methods (I am not), then you should appreciate the contents of slides 17 up to 45. Slides 46 to 47 deal with the computation speedups available with graphics processors.

In the audience, there seemed to be some who followed the presentation more than I did but Dan made a great talk even for people like me.

> It has been a couple of years since there has been serious discussion on the list on this topic, and especially in the light of various technical decisions being undertaken on the size of DNS signing keys for high valued zones (like root), I was curious as to whether anyone had any interesting comments on the state of the art in factorization.

According to my records, the state-of-the-art is reference

Joppe W. Bos, Marcelo E. Kaihara, Thorsten Kleinjung, Arjen K. Lenstra, and Peter L. Montgomery, On the Security of 1024-bit RSA and 160-bit Elliptic Curve Cryptography, version 2, August 7, 2009, 18 pages (published on pages 43-60 in Comments on the Transition Paper available at http://csrc.nist.gov/groups/ST/key_mgmt/documents/Transition_comments_7242009.pdf, which was listed at http://csrc.nist.gov/groups/ST/key_mgmt/index.html).

plus this talk last Friday (and references).

From these, you have to do your homework in guesswork about your actual enemy's power.

In the Intaglio NIC project white paper I contributed towards the deployment of an alternate source for signed official DNS root data, I had to refer to the state-of-the-art. See http://www.intaglionic.org/doc_indep_root_sign_proj.html#TOC:3.6 (document section 3.6 Early Project Decisions about Protection Level).

The DNS root may be qualified as a high valued zone, but I made the effort to put in writing some elements of a risk analysis (I have an aversion for this notion as I build *IT*controls* and the consultants are hired to cost-justify avoiding their deployments, basically -- but I needed a risk analysis as much as a chief financial officer needs an economic forecast in which he has no faith.) The overall conclusion is that the DNS root need not be signed with key sizes that would resist serious brute force attacks. See http://www.intaglionic.org/doc_indep_root_sign_proj.html#TOC:C. (document annex C. Risk Analysis Elements for DNSSEC Support at the Root).

By the way, state-of-the-art in factorization is just a portion of the story. What about formal proofs of equivalence between a public key primitive and the underlying hard problem. Don't forget that the USG had to swallow RSA (only because otherwise its very *definition* of public key cryptography would have remained out-of-sync with the rest) and is still interested in having us adopt ECDSA.

So, yes, it's always good to ask questions. I usually complain that one seldom gets a simple answer for a simple question addressed to a specialist. I don't feel I provided a simple answer, but I don't claim to be a specialist.

Regards,

- Thierry Moreau

> Perry