### Re: [cryptography] What's the state of the art in factorization?

On 23/04/2010 11:57, Paul Crowley wrote: [2] http://www.cs.umd.edu/~jkatz/papers/dh-sigs-full.pdf My preferred signature scheme is the second, DDH-based one in the linked paper, since it produces shorter signatures - are there any proposals which improve on that? There is RSA or Rabin using

### What's the state of the art in digital signatures? Re: What's the state of the art in factorization?

By the way, the general idea of One Hundred Year Security as far as digital signatures go would be to combine digital signature algorithms. Take one algorithm which is bog standard, such as ECDSA over NIST secp256r1 and another which has strong security properties and which is very different from

### Re: What's the state of the art in factorization?

On Thu, 22 Apr 2010, Zooko O'Whielacronx wrote: There is some interesting work in public key cryptosystems that reduce to a *random* instance of a specific problem. Here is a very cool one: http://eprint.iacr.org/2009/576 ... Unless I misunderstand, if you read someone's plaintext without

### Re: What's the state of the art in factorization?

On Thu, 22 Apr 2010, Zooko O'Whielacronx wrote: On Wed, Apr 21, 2010 at 5:29 PM, Samuel Neves sne...@dei.uc.pt wrote (on the cryptography@metzdowd.com list): [2] http://www.cs.umd.edu/~jkatz/papers/dh-sigs-full.pdf As one of the authors of the above paper, I have an obvious interest in this

### Re: [cryptography] What's the state of the art in factorization?

Jonathan Katz wrote: [2] http://www.cs.umd.edu/~jkatz/papers/dh-sigs-full.pdf On the other hand, there is one published scheme that gives a slight improvement to our paper (it has fewer on-line computations): it is a paper by Chevallier-Mames in Crypto 2005 titled An Efficient CDH-Based

### Re: [cryptography] What's the state of the art in factorization?

On Fri, Apr 23, 2010 at 3:57 AM, Paul Crowley p...@ciphergoth.org wrote: My preferred signature scheme is the second, DDH-based one in the linked paper, since it produces shorter signatures - are there any proposals which improve on that? http://eprint.iacr.org/2007/019 Has one. Caveat

### What's the state of the art in digital signatures? Re: What's the state of the art in factorization?

On Thu, Apr 22, 2010 at 12:40 PM, Jonathan Katz jk...@cs.umd.edu wrote: On Thu, 22 Apr 2010, Zooko O'Whielacronx wrote: Unless I misunderstand, if you read someone's plaintext without having the private key then you have proven that P=NP! … The paper you cite reduces security to a

### Re: What's the state of the art in digital signatures? Re: What's the state of the art in factorization?

On Wed, 28 Apr 2010, Zooko O'Whielacronx wrote: Anyway, although this is not one, there do exist proposals for public key crypto schemes where breaking the scheme implies solving a worst case instance of a supposedly hard problem, right? Not to worst-case hardness of an NP-complete problem,

### Re: What's the state of the art in factorization?

On Apr 21, 2010, at 7:29 PM, Samuel Neves wrote: EC definitely has practical merit. Unfortunately the patent issues around protocols using EC public keys are murky. Neither RSA nor EC come with complexity proofs. While EC (by that I assume you mean ECDSA) does not have a formal security

### Re: What's the state of the art in factorization?

Victor Duchovni wrote: On Tue, Apr 20, 2010 at 08:58:25PM -0400, Thierry Moreau wrote: The DNS root may be qualified as a high valued zone, but I made the effort to put in writing some elements of a risk analysis (I have an aversion for this notion as I build *IT*controls* and the consultants

### Re: What's the state of the art in factorization?

Jerry Leichter wrote: On Apr 21, 2010, at 7:29 PM, Samuel Neves wrote: EC definitely has practical merit. Unfortunately the patent issues around protocols using EC public keys are murky. Neither RSA nor EC come with complexity proofs. While EC (by that I assume you mean ECDSA) does not

### Re: What's the state of the art in factorization?

* Thierry Moreau: For which purpose(s) is the DNS root signature key an attractive target? You might be able to make it to CNN if your spin is really good.

### Re: What's the state of the art in factorization?

Florian Weimer wrote: * Thierry Moreau: For which purpose(s) is the DNS root signature key an attractive target? You might be able to make it to CNN if your spin is really good. Thanks for this feedback. No, no, and no. No, because I asked the question as a matter of security analysis

### Re: What's the state of the art in factorization?

* Thierry Moreau: Florian Weimer wrote: * Thierry Moreau: For which purpose(s) is the DNS root signature key an attractive target? You might be able to make it to CNN if your spin is really good. But even without this self-restraint, there would be no spin for a CNN story. Dedication to

### Re: What's the state of the art in factorization?

On Wed, Apr 21, 2010 at 8:49 PM, Jerry Leichter leich...@lrw.com wrote: There are some concrete complexity results - the kind of stuff Rogaway does, for example - but the ones I've seen tend to be in the block cipher/cryptographic hash function spaces. Does anyone know of similar kinds

### Re: What's the state of the art in factorization?

On Wed, Apr 21, 2010 at 5:29 PM, Samuel Neves sne...@dei.uc.pt wrote (on the cryptography@metzdowd.com list): [2] http://www.cs.umd.edu/~jkatz/papers/dh-sigs-full.pdf I've been looking at that one, with an eye to using it in the One Hundred Year Cryptography project that is being sponsored by

### Re: What's the state of the art in factorization?

On Tue, Apr 20, 2010 at 08:58:25PM -0400, Thierry Moreau wrote: The DNS root may be qualified as a high valued zone, but I made the effort to put in writing some elements of a risk analysis (I have an aversion for this notion as I build *IT*controls* and the consultants are hired to

### Re: What's the state of the art in factorization?

On 21-04-2010 02:40, Victor Duchovni wrote: EC definitely has practical merit. Unfortunately the patent issues around protocols using EC public keys are murky. Neither RSA nor EC come with complexity proofs. While EC (by that I assume you mean ECDSA) does not have a formal security proof,

### Re: What's the state of the art in factorization?

The state of the art in factorization is the same as for, e.g., the factorization of RSA-768 [1] --- there haven't been many advances in the number field sieve algorithm itself. The current effort, as Bernstein puts it, is in speeding up smoothness detection, as part of the relation collection

### Re: What's the state of the art in factorization?

Perry E. Metzger wrote: I was alerted to some slides from a talk that Dan Bernstein gave a few days ago at the University of Montreal on what tools will be needed to factor 1024 bit numbers: http://cr.yp.to/talks/2010.04.16/slides.pdf I had the opportunity to listen to Prof. Dan Bernstein