Re: is breaking RSA at least as hard as factoring or vice-versa?

2006-04-08 Thread Max
Yet another paper on the topic:

Deterministic Polynomial Time Equivalence of Computing the RSA Secret
Key and Factoring
by Jean-Sebastien Coron and Alexander May
http://eprint.iacr.org/2004/208

Max

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Creativity and security

2006-04-08 Thread Anne Lynn Wheeler

Anne  Lynn Wheeler wrote:

the trivial case from nearly 10 years ago was the waiter in nyc
restaurant (something sticks in my mind it was the Brazilian restaurant
just off times sq) that had pda and small magstripe reader pined to the
inside of their jacket. At some opportunity, they would causally pass
the card down the inside of their lapel (doesn't even really have to
disappear anyplace). This was before wireless and 801.11 ... so the
magstripe images would accumulate in the pda until the waiter took a
break ... and then they would be uploaded to a PC and then to the
internet (hong kong was used as example) ... counterfeit cards would be
on the street (opposite side of the world), still within a few hours at
most.


supposedly new?

iPod used to store data in identity theft
http://news.com.com/2061-10789_3-6059128.html

from above ..

April 7, 2006 4:55 PM PDT

A 35-year-old identity theft suspect may have taken Apple Computer's 
mandate, Think Different, a little too far.


... snip ... above article references:

Beware the 'pod slurping' employee
http://news.com.com/Beware+the+pod+slurping+employee/2100-1029_3-6039926.html?tag=nl

... from above

Published: February 15, 2006, 10:29 AM PST

A U.S. security expert who devised an application that can fill an iPod 
with business-critical data in a matter of minutes is urging companies 
to address the very real threat of data theft.


... snip

and some conjecture about a possible MITM-attack ... using counterfeit 
card in conjunction with PDA wireless internet connection to a 
lost/stolen valid card at some remote location.

http://www.garlic.com/~lynn/aadsm22.htm#23 FraudWatch - ChipPin
http://www.garlic.com/~lynn/aadsm22.htm#29 Mecccano Trojans coming to a 
desktop near you


This is scenario where a card may be authenticated separately from its 
actual operation. The hypothetical MITM-attack is against a terminal's 
willingness to agree with the business rules in a valid card used for 
offline transactions. Since the attack is against the offline 
transaction business rules in a valid card, it may not even be necessary 
to obtain a lost/stolen valid card ... it may just be just necessary to 
obtain any valid card (say thru valid application using false 
information) ... the MITM counterfeit card uses any valid card for the 
authentication exchange ... and then proceeds with the rest of the 
transaction using its own business rules.


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


wiretapping in Europe

2006-04-08 Thread Steven M. Bellovin
There's a long AP wire story on wiretapping in Europe; see
http://www.washingtonpost.com/wp-dyn/content/article/2006/04/08/AR2006040800529.html
There are a number of intriguing statements in the article.  For
example, in Italy 106,000 wiretaps were approved last year.  By
contrast, in the US there were only about about 1,700 wiretaps in 2004.
(That number does not include Foreign Intelligence Surveillance Act
wiretaps.  It is also unclear to me if the Italian number represents
calls tapped, as opposed to court orders issued, which is what
the US number represents.)

Italian prosecutors strongly defend the need for wiretaps, but called
the recent warrantless NSA wiretaps illegal under our judicial traditions.

A study at the Max Planck Institute said that Italy, followed by the
Netherlands, does the most wiretapping.  One of the authors said:

wiretaps are much more common on the European continent than in
Britain or the United States, where he said there is a more
institutionalized mistrust in the relationship between civil
society and a state-organized judiciary.

He said research showed that wiretaps are often used to support
weak cases and seldom help to achieve a guilty verdict.

The more wiretaps are used, the lower the conviction rates, he
said.


-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Unforgeable Blinded Credentials

2006-04-08 Thread Ben Laurie
Adam Back wrote:
 On Tue, Apr 04, 2006 at 06:15:48AM +0100, Ben Laurie wrote:
 This illustrates a problem with multi-show credentials, that the holder
 could share his credential freely, and in some cases even publish it,
 and this would allow non-authorized parties to use it.  To avoid this,
 more complicated techniques are needed that provide for the ability
 to revoke a credential or blacklist a credential holder, even in an
 environment of unlinkability.  Camenisch and Lysyanskaya have done quite
 a bit of work along these lines, for example in
 http://www.zurich.ibm.com/%7Ejca/papers/camlys02b.pdf .
 So, for the record, has Brands.

 I agree that, in general, this is a problem with multi-show credentials
 (though I have to say that using a completely different system to
 illustrate it seems to me to be cheating somewhat).

 Brands actually has a neat solution to this where the credential is
 unlinkable for n shows, but on the (n+1)th show reveals some secret
 information (n is usually set to 1 but doesn't have to be). 
 
 I think they shows are linkable, but if you show more than allowed
 times, all of the attributes are leaked, including the credential
 secret key and potentially some identifying information like your
 credit card number, your address etc.

I could be wrong, but I'm pretty sure they're unlinkable - that's part
of the point of Brands' certificates.

 The main use I think is to have 1-show, where if you show more than 1
 time your identity is leaked -- for offline electronic cash with fraud
 tracing.  But as you say the mechanism generalizes to multiple show.
 
 This obviously gives a disincentive against sharing if the secret
 information is well chosen (such as here's where to go to arrest
 the guy).
 
 Well the other kind of disincentive was a credit card number.  My
 suggestion was to use a large denomination ecash coin to have
 anonymous disincentives :) ie you get fined, but you are not
 identified.

The problem with that disincentive is that I need to sink the money for
each certificate I have. Clearly this doesn't scale at all well.

Cheers,

Ben.

-- 
http://www.links.org/

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Unforgeable Blinded Credentials

2006-04-08 Thread Ben Laurie
Christian Paquin wrote:
 Adam Back wrote:
 On Tue, Apr 04, 2006 at 06:15:48AM +0100, Ben Laurie wrote:
 Brands actually has a neat solution to this where the credential is
 unlinkable for n shows, but on the (n+1)th show reveals some secret
 information (n is usually set to 1 but doesn't have to be). 

 I think they shows are linkable, but if you show more than allowed
 times, all of the attributes are leaked, including the credential
 secret key and potentially some identifying information like your
 credit card number, your address etc.
 
 In Brands' system, multiple uses of a n-show credential are not linkable
 to the issuing (i.e. they are untraceable), but they are indeed linkable
 if presented to the same party: the verifier will recognize the
 credential when re-used. This is useful for limited pseudonymous access
  to accounts or resources. If you want showing unlinkability, better get
 n one-show credentials (simpler and more efficient).

That's only true if the credential contains any unblinded unique data,
surely?

Cheers,

Ben.

-- 
http://www.links.org/

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Unforgeable Blinded Credentials

2006-04-08 Thread Adam Back
On Sat, Apr 08, 2006 at 07:53:37PM +0100, Ben Laurie wrote:
 Adam Back wrote:
  [about Brands credentials]
  I think they shows are linkable, but if you show more than allowed
  times, all of the attributes are leaked, including the credential
  secret key and potentially some identifying information like your
  credit card number, your address etc.
 
 I could be wrong, but I'm pretty sure they're unlinkable - that's part
 of the point of Brands' certificates.

No they are definitely mutually linkable (pseudonymous), tho obviously
not linkable to the real identity at the issuer.

 Christian Paquin wrote:
  In Brands' system, multiple uses of a n-show credential are not linkable
  to the issuing (i.e. they are untraceable), but they are indeed linkable
  if presented to the same party: the verifier will recognize the
  credential when re-used. This is useful for limited pseudonymous access
   to accounts or resources. If you want showing unlinkability, better get
  n one-show credentials (simpler and more efficient).
 
 That's only true if the credential contains any unblinded unique data,
 surely?

No.  It arises because the credential public key is necessarily shown
during a show.  (The credential public key is blinded during
credential issue so its not linkable to issue).  So you can link
across shows simply by comparing the credential public key.

Its hard to blind the public key also.  I thought thats what you were
talking about in a previous mail where you were saying about what
could be done to make things unlinkable.  (Or maybe trying to find the
same property you thought Brands had ie unlinkable multi-show, for
Chaums credentials.)


Note with Brands credentials you can choose: unlimited show, 1-show or
n-show.  To do 1-show or n-show you make some formula for initial
witness that is fair and verifiable by the verifier, so there are only
n allowed IWs, and consequently if you reuse one it leaks two shows
with the same IW which allows the credential private key to be
recovered.  ie its just a trick to define a limited number of allowed
(and verifier verified) IWs -- IW is a sort of commitment by the
credential owner in the show protocol.

So there is something compact that the verifier can send
somewhere and it can then collate them and notice when a show is  n
shows (presuming there are multiple verifiers and you want to impose n
shows across all of them).


 Adam Back wrote:
  Well the other kind of disincentive was a credit card number.  My
  suggestion was to use a large denomination ecash coin to have
  anonymous disincentives :) ie you get fined, but you are not
  identified.
 
 The problem with that disincentive is that I need to sink the money for
 each certificate I have. Clearly this doesn't scale at all well.

No I mean put the same high value ecash coin in all of your offline
limited show credentials / offline ecash coins.

eg say you can choose to hand over $100 and retain your anonymity even
in event of double-spending offline ecash coins, or over-using
limited-show credentials.


I was curious about the Chameleon credential as they claim to work
with Brands credentials, I wrote to one of the authors to see if I
could get an electronic copy, but no reply so far.


Note also about your earlier comments on lending deterrence,
ultimately I think you can always do online lending.

Adam

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]