Re: Raw RSA

2006-09-10 Thread John R. Black
 I don't follow.  For RSA, the only difference between encryption and
 decryption, and public and private key, and hence between chosen
 plaintext and chosen ciphertext, is the arbitrary naming of one of
 a pair of mutually-inverse values as the private key and the other
 as the public key.
   -- Jerry
  
Negative, Jerry.

There is a very big difference between which one you make public and
which one you make private.  The difference is that the public one
is given out to the world.

It is well known that if d (the RSA private exponent) is small enough,
it can be recovered via Wiener's continued fraction attack or the
several extensions of it.  I think Wiener's attack worked if d < N^{1/4},
and Boneh (with Glenn Durfee) brought this up to N^{.292}.  There is
a conjecture that d needs to be < sqrt(N), but no one's come close to
proving this.

So it IS important which one you name as the private key: name the bigger
one! :)

john//
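The small-d weakness John refers to, as an added example that is not part of the original post: a key-validation check that runs Wiener's continued-fraction recovery against a toy key and treats the key as broken if d comes back. The primes, the small private exponent and the function names are constructed for this illustration and are not from the thread.

```python
from math import isqrt

def continued_fraction(num, den):
    """Partial quotients of num/den via Euclid's algorithm."""
    quotients = []
    while den:
        a, rem = divmod(num, den)
        quotients.append(a)
        num, den = den, rem
    return quotients

def convergents(quotients):
    """Yield the successive convergents h/k of a continued fraction."""
    h_prev, h, k_prev, k = 0, 1, 1, 0
    for a in quotients:
        h_prev, h = h, a * h + h_prev
        k_prev, k = k, a * k + k_prev
        yield h, k

def wiener_recover_d(e, n):
    """Return the private exponent d if e/n leaks it, else None."""
    # Each convergent k/d of e/n is a candidate for the k, d in e*d = 1 + k*phi;
    # a candidate is confirmed only if the implied phi actually factors n.
    for k, d in convergents(continued_fraction(e, n)):
        if k == 0 or (e * d - 1) % k:
            continue
        phi = (e * d - 1) // k
        s = n - phi + 1                 # would equal p + q
        disc = s * s - 4 * n            # would equal (p - q)^2
        if disc < 0:
            continue
        r = isqrt(disc)
        if r * r == disc and (s + r) % 2 == 0:
            return d
    return None

def wiener_bound(n):
    """d below roughly n^(1/4)/3 is guaranteed recoverable (Wiener 1990)."""
    return isqrt(isqrt(n)) // 3

# Constructed toy key: primes far too small for real use, d chosen small.
P, Q = 104729, 104723
N, PHI = P * Q, (P - 1) * (Q - 1)
D_WEAK = 101                             # below wiener_bound(N), which is 107
E_WEAK = pow(D_WEAK, -1, PHI)            # public exponent paired with it
E_NORMAL = 65537                         # conventional small *public* e

if __name__ == "__main__":
    print("weak key recovers d =", wiener_recover_d(E_WEAK, N))
    print("e=65537 key recovers d =", wiener_recover_d(E_NORMAL, N))
```

With the conventional choice of a small public exponent and a full-size d, the same routine finds nothing, which is the point of naming the bigger exponent private.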

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


free e-voting software available?!

2006-06-15 Thread John R. Black

My department would like to conduct departmental votes in some automated way.
We're looking for free software, (or modestly-priced software) to do this.

Anyone know of such a thing?  I've done some searching without any luck.

We don't have the usual requirements of a full-blown voting package
(for example, we don't need to ensure that Alice cannot prove whom she
voted for later on; this is a typical requirement of voting schemes).

We are not voting on earth-shattering events, so it doesn't have to be
perfect.  We just want to improve on the email your votes to the secretary
approach.

If nothing suitable is out there, I'll likely get a student to write something
and put it into the public domain.

john//



Re: U. Washington Crypto Course Available Online For Free

2006-06-09 Thread John R. Black
Oops, I forgot about Neal!  :embarrassed:

He's a top-notch mathematician, has a couple of books on crypto (or 
crypto-related topics) and even wrote a controversial article with Menezes
recently that was discussed on this mailing list.

But I don't think he teaches a crypto class at UW?!


On Tue, Jun 06, 2006 at 09:28:41PM -0700, Andrew Tucker wrote:
 No cryptographers at UW?  I think Neal Koblitz would disagree with that:
 http://www.math.washington.edu/~koblitz/
 



Re: U. Washington Crypto Course Available Online For Free

2006-06-09 Thread John R. Black

 It is taught by good people, but I find it a bit strange they are all
 Microsoft employees.  This is perhaps because U. Wash doesn't have any
 cryptographers.
 
 I hardly think that you can discount the skills of Josh Benaloh and
 Brian LaMacchia.
 
Who is discounting?  I said they are good people but that they work
for Microsoft and not for the University of Washington.


 That changes in the fall: they hired an excellent young cryptographer
 named Yoshi Kohno.
 
 Damn, I was trying to hire Yoshi...
 
So were we (here at the University of Colorado).  So was everyone! :)

john//



Re: U. Washington Crypto Course Available Online For Free

2006-06-06 Thread John R. Black
On Tue, Jun 06, 2006 at 01:57:25AM -0700, Udhay Shankar N wrote:
 http://it.slashdot.org/article.pl?sid=06/06/04/1311243
 
It is taught by good people, but I find it a bit strange they are all
Microsoft employees.  This is perhaps because U. Wash doesn't have any
cryptographers.

That changes in the fall: they hired an excellent young cryptographer
named Yoshi Kohno.

==
Prof. John R. Black   www.cs.colorado.edu/~jrblack
Computer Science 430 UCB   [EMAIL PROTECTED]
University of Colorado Office: +1-303-492-0573
Boulder, CO  80309  USA   Fax: +1-303-492-2844



Re: Status of attacks on AES?

2006-05-11 Thread John R. Black
 On 5/10/06, John R. Black [EMAIL PROTECTED] wrote:
 I skimmed this.  The start of the article says that after 3 rounds AES
 achieves perfect diffusion?!
 
 No, it says their old ASD could not distinguish encrypted data from
 random after 3 rounds.
 
 -- 
 Taral [EMAIL PROTECTED]
 You can't prove anything.
 -- Gödel's Incompetence Theorem

- End forwarded message -


I was referring to this statement from the article:

Data inputs with a single-bit difference spread over the entire data
block or key and encrypted with the AES cannot be distinguished from
random after more than 2 rounds, which made many cryptographers
believe for many years that 3 rounds of the AES achieve complete
diffusion.

I don't think any cryptographer believed for 10 seconds that AES achieved
complete diffusion after three rounds if that means it cannot be
distinguished from random.  There is not only a distinguishing attack on
_FOUR_ rounds of AES, but a key-recovery attack.  And it was given in the
Rijndael spec, so certainly was known before the AES was even named.



Re: Get a boarding pass, steal someone's identity

2006-05-10 Thread John R. Black

Perhaps the worst security hole I know of is with United Airlines EasyCheckIn
machines at the airport: you swipe a credit card and it does a fuzzy match
to find flyers that day whose name is close to yours.

My name is John Black.  I often get a menu to choose from: are you flying to 
Dulles?  To Frankfurt?  To Houston?  That's because there are several John
Blacks flying that day from that airport.  It would be easy to mess with
other John Black reservations.

Worse, when I check in too early it can't find my reservation and comes up
with the closest thing: Tanya Blockwell came up recently in Indianapolis.
Once you pull up Tanya's itinerary, you have free rein over her travel plans:
you can change her seats, upgrade her (with her upgrade instruments), put
her on another flight, or cancel her reservation altogether.

I doubt United has any computer security people on their 65,000-person staff.
Not good.

john//



Re: Status of attacks on AES?

2006-05-10 Thread John R. Black
On Thu, May 04, 2006 at 10:30:40AM -0500, Marcos el Ruptor wrote:
 
 http://defectoscopy.com/forum/viewtopic.php?t=3
 
 Expect new attacks soon enough.
 
I skimmed this.  The start of the article says that after 3 rounds AES
achieves perfect diffusion?!

A simple square attack (that I teach in class in about 60 mins) recovers
the key of 4-round AES with 256 chosen plaintexts.  The six-round attack
isn't too much harder.

Square (the cipher that preceded Rijndael and is very similar) was 8 rounds
to get past the 6-round attack.  During the AES vetting process they went
to 10 rounds for extra assurance (as much as anyone gets assurances from
the black art of blockcipher design).

john//
