Re: Intel to also add RNG

2010-07-13 Thread Francois Grieu
 On 12/07/2010 22:13, Eric Murray wrote:
 On Mon, Jul 12, 2010 at 03:37:45PM -0400, Paul Wouters wrote:
 On Mon, 12 Jul 2010, Eric Murray wrote:

 Then there's FIPS- current 140 doesn't have a provision for HW RNG.
 They certify software RNG only, presumably because proving a HW RNG to be
 random enough is very difficult.   So what's probably the primary market
 (companies who want to meet FIPS) isn't available.
 So you can do HWRNG - SWRNG - Fips ?
 Last FIPS cert I did (140-2, a couple years ago), it was SWRNG only. 
 X9.62 or FIPS 186 or X9.31 or SP 800-90.

 I couldn't even use a HW RNG for the seed.  /dev/random was acceptable.

The Smart Card industry uses True RNG a lot. There, a common line of
thought is to use:
- a hardware RNG, which raw output (perhaps biased) is directly
accessible for testing purposes (only), so that the software can check
it in depth at startup and from time to time to ascertain that it is at
least generating a fair amount of entropy
- followed by appropriate post-processing in hardware (so as to gather
entropy at all times), acting as a mixer/debiaser; e.g. something LFSR-based
- followed by a crude software test (e.g. no bit stuck)
- optionally followed by software postprocessing (the subject is
debated; this software has to be proven to not include weakness, and the
hardware + crude software test is certified to eliminate such weakness,
so why bother, some say)

There is a standard, known as AIS31, on evaluating True RNG, which
de-facto enforces the first three steps
which references

For German-reading audience, the page linking to that is
Google does good work when fed with AIS31.

  François Grieu
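
The startup and periodic checks on raw TRNG output that the post describes (stuck-bit test, a bias check, and a crude entropy estimate), as an added example that is not part of the original post or of any AIS31 reference code. Thresholds, the sample size and the two samples are constructed assumptions; a seeded PRNG stands in for the raw hardware output.

```python
import math
import random
from collections import Counter

SAMPLE_BYTES = 4096  # assumption: size of the raw block pulled for a startup check

def stuck_bits(raw: bytes) -> set:
    """Bit positions (0..7) that never change over the sample: the 'no bit stuck'
    test. A line always 0 or always 1 contributes no entropy, and no downstream
    debiaser can repair that."""
    ored, anded = 0, 0xFF
    for b in raw:
        ored |= b
        anded &= b
    return {i for i in range(8) if not (ored >> i) & 1 or (anded >> i) & 1}

def monobit_bias(raw: bytes) -> float:
    """Distance of the one-bit fraction from 0.5 (0.0 means perfectly balanced)."""
    ones = sum(bin(b).count("1") for b in raw)
    return abs(ones / (8 * len(raw)) - 0.5)

def byte_entropy_bits(raw: bytes) -> float:
    """Plug-in Shannon entropy per byte from the empirical histogram (max 8.0).
    Crude by design: it ignores correlations between bytes, so a simple counter
    scores a full 8 bits. That is why the post also wants an in-depth check of
    the raw output at startup, not this test alone."""
    n = len(raw)
    return -sum(c / n * math.log2(c / n) for c in Counter(raw).values())

def check_raw_source(raw: bytes, max_bias: float = 0.02, min_entropy: float = 7.5):
    """Run the crude checks and return (ok, reasons). Thresholds are assumptions
    for a 4096-byte sample, not values taken from AIS31."""
    reasons = []
    if stuck := stuck_bits(raw):
        reasons.append(f"stuck bits at positions {sorted(stuck)}")
    if monobit_bias(raw) > max_bias:
        reasons.append("monobit bias above threshold")
    if byte_entropy_bits(raw) < min_entropy:
        reasons.append("per-byte entropy below threshold")
    return (not reasons, reasons)

# Constructed samples: a seeded PRNG stands in for a healthy raw source; the
# second sample forces bit 3 to 1 to mimic a stuck line.
_rng = random.Random(1)
GOOD_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(SAMPLE_BYTES))
STUCK_SAMPLE = bytes(b | 0x08 for b in GOOD_SAMPLE)
```

A stuck line fails all three checks at once, which is the point of running them on the raw output rather than after the hardware debiaser, where the defect would be masked.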

The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to

Re: [cryptography] What's the state of the art in factorization?

2010-07-11 Thread Francois Grieu
 On 23/04/2010 11:57, Paul Crowley wrote:

 My preferred signature scheme is the second, DDH-based one in the
 linked paper, since it produces shorter signatures - are there any
 proposals which improve on that?
There is RSA or Rabin using a signature scheme with message recovery.
With a public modulus of n bits, and a hash of h bits, signing a message
adds only h bits, as long as
- the message to sign is at least (n-h) bits and
- you do not care about spending a few modular multiplication to recover
some (n-h) bits of the message [where few is 17, 2 or 1 for popular
public exponents e of 65537, 3, 2]

This is standardized by ISO/IEC 9796-2 (which adds a few bits of overhead
to h, like 16 when n is a multiple of 8).
It is used (with a deprecated and not-quite-perfect option set of
ISO/IEC 9796-2) in many applications where size matters, in particular
EMV Smart Cards, and the European Digital Tachograph.

With e=2 and the newer (randomized) schemes of ISO/IEC 9796-2, you get
security provably related to factoring or breaking the hash.

  François Grieu

[I suddenly got a batch of old messages, and wonder what is the
appropriate list address]

Significance of Schnorr's Factoring Integers in Polynomial Time?

2009-05-10 Thread Francois Grieu
At the rump session of Eurocrypt 2009,
Claus P. Schnorr reportedly presented slides titled Average Time Fast
SVP and CVP Algorithms: Factoring Integers in Polynomial Time

I hardly understand 1/4 of the mathematical notation used, and can't
even be sure that the thing is not a (very well done) prank.

Anyone on the list dare make a comment / risk an opinion?

  Francois Grieu
