### Re: Intel to also add RNG

On 12/07/2010 22:13, Eric Murray wrote:

> On Mon, Jul 12, 2010 at 03:37:45PM -0400, Paul Wouters wrote:
>> On Mon, 12 Jul 2010, Eric Murray wrote:
>>> Then there's FIPS - current 140 doesn't have a provision for HW RNG. They certify software RNG only, presumably because proving a HW RNG to be random enough is very difficult. So what's probably the primary market (companies who want to meet FIPS) isn't available.
>> So you can do HWRNG -> SWRNG -> FIPS?
> Last FIPS cert I did (140-2, a couple of years ago), it was SWRNG only. X9.62 or FIPS 186 or X9.31 or SP 800-90. I couldn't even use a HW RNG for the seed. /dev/random was acceptable.

The Smart Card industry uses True RNG a lot. There, a common line of thought is to use:

- a hardware RNG, whose raw output (perhaps biased) is directly accessible for testing purposes (only), so that the software can check it in depth at startup and from time to time, to ascertain that it is at least generating a fair amount of entropy;
- followed by appropriate post-processing in hardware (so as to gather entropy at all times), acting as a mixer/debiaser, e.g. something LFSR-based;
- followed by a crude software test (e.g. no bit stuck);
- optionally followed by software post-processing (the subject is debated: this software has to be proven not to include a weakness, and the hardware + crude software test is certified to eliminate such weakness, so why bother, some say).

There is a standard, known as AIS31, on evaluating True RNG, which de facto enforces the first three steps:
https://www.bsi.bund.de/cae/servlet/contentblob/478130/publicationFile/30270/ais31e_pdf.pdf
which references
https://www.bsi.bund.de/cae/servlet/contentblob/478152/publicationFile/30275/ais20e_pdf.pdf

For a German-reading audience, the page linking to that is
https://www.bsi.bund.de/cln_174/DE/Themen/ZertifizierungundAkkreditierung/ZertifizierungnachCCundITSEC/AnwendungshinweiseundInterpretationen/AISITSEC/aisitsec_node.html

Google does good work when fed with AIS31.
François Grieu

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

### Re: [cryptography] What's the state of the art in factorization?

On 23/04/2010 11:57, Paul Crowley wrote:

> [2] http://www.cs.umd.edu/~jkatz/papers/dh-sigs-full.pdf
> My preferred signature scheme is the second, DDH-based one in the linked paper, since it produces shorter signatures - are there any proposals which improve on that?

There is RSA or Rabin using a signature scheme with message recovery. With a public modulus of n bits, and a hash of h bits, signing a message adds only h bits, as long as

- the message to sign is at least (n-h) bits, and
- you do not care about spending a few modular multiplications to recover some (n-h) bits of the message [where "few" is 17, 2 or 1 for the popular public exponents e of 65537, 3, 2].

This is standardized by ISO/IEC 9796-2 (which adds a few bits of overhead to h, like 16 when n is a multiple of 8). It is used (with a deprecated and not-quite-perfect option set of ISO/IEC 9796-2) in many applications where size matters, in particular EMV Smart Cards and the European Digital Tachograph.

With e=2 and the newer (randomized) schemes of ISO/IEC 9796-2, you get security provably related to factoring or breaking the hash.

François Grieu

[I suddenly got a batch of old messages, and wonder what is the appropriate list address]
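To make the size arithmetic in the post above concrete, here is an added Python example (mine, not François Grieu's, and not an implementation of ISO/IEC 9796-2) of an RSA signature with message recovery: the first n-h-16 bits of the message travel inside the n-bit signature, so the transmitted overhead is h + 16 bits, and `recovery_cost` counts the 17, 2 or 1 multiplications the verifier spends for e = 65537, 3, 2. The 0x01 header and 0xBC trailer bytes, SHA-256 as the hash, the 1024-bit demo modulus and the throwaway Miller-Rabin key generator are all my assumptions.

```python
import hashlib, hmac, math, random

H_BYTES = 32                # h = 256 bits (SHA-256)
OVERHEAD = 1 + H_BYTES + 1  # header byte + hash + trailer byte: h + 16 bits of overhead

def is_probable_prime(x, rounds=16):  # Miller-Rabin for odd x > 3; fine for a demo key only
    r = ((x - 1) & -(x - 1)).bit_length() - 1   # x - 1 == d * 2**r with d odd
    d = (x - 1) >> r
    for _ in range(rounds):
        y = pow(random.randrange(2, x - 1), d, x)
        if y in (1, x - 1):
            continue
        for _ in range(r - 1):
            y = y * y % x
            if y == x - 1:
                break
        else:
            return False
    return True

def keygen(bits=1024, e=65537):  # (n, e, d) with n exactly `bits` long and gcd(e, phi) == 1
    def rand_prime(b):
        while True:
            c = random.getrandbits(b) | (1 << (b - 1)) | 1  # exact bit length, odd
            if is_probable_prime(c):
                return c
    while True:
        p, q = rand_prime(bits // 2), rand_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and math.gcd(e, phi) == 1:
            return n, e, pow(e, -1, phi)

def sign_with_recovery(msg, n, d):  # returns (signature, non-recoverable tail of msg)
    cap = n.bit_length() // 8 - OVERHEAD  # bytes of msg carried inside the signature itself
    if len(msg) < cap:  # the post's condition: the message must be at least n-h bits
        raise ValueError("message too short for a recovery scheme to pay off")
    m1, m2 = msg[:cap], msg[cap:]
    f = b"\x01" + m1 + hashlib.sha256(msg).digest() + b"\xbc"  # 0x01 header keeps f < n
    return pow(int.from_bytes(f, "big"), d, n), m2

def verify_and_recover(sig, m2, n, e):  # the full message back, or None on a bad signature
    f = pow(sig, e, n).to_bytes(n.bit_length() // 8, "big")  # recovery_cost(e) multiplications
    if not 0 < sig < n or f[0] != 0x01 or f[-1] != 0xBC:
        return None
    m1, digest = f[1:-H_BYTES - 1], f[-H_BYTES - 1:-1]
    msg = m1 + m2
    return msg if hmac.compare_digest(hashlib.sha256(msg).digest(), digest) else None

def recovery_cost(e):  # square-and-multiply count for s^e: 17, 2, 1 for e = 65537, 3, 2
    return (e.bit_length() - 1) + (bin(e).count("1") - 1)
```

With a 1024-bit n the verifier ships 1024 bits of signature plus the tail of the message, 272 = 256 + 16 bits more than the message alone; the `random` module keygen is for the demonstration only.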

### Significance of Schnorr's Factoring Integers in Polynomial Time?

At the rump session of Eurocrypt 2009, http://eurocrypt2009rump.cr.yp.to/
Claus P. Schnorr reportedly presented slides titled "Average Time Fast SVP and CVP Algorithms: Factoring Integers in Polynomial Time":
http://eurocrypt2009rump.cr.yp.to/e074d37e10ad1ad227200ea7ba36cf73.pdf

I hardly understand 1/4 of the mathematical notation used, and can't even be sure that the thing is not a (very well done) prank.

Anyone on the list dare make a comment / risk an opinion?

Francois Grieu