Cryptography-Digest Digest #55, Volume #13 Tue, 31 Oct 00 07:13:01 EST
Contents:
Re: RSA Multiprime (Francois Grieu)
Re: XOR based key exchange protocol - flawed? (Mike Connell)
Legal reqiurements for CCTV watermarking (Andrew Cogger)
Re: Searching for a good PRNG (Tim Tyler)
Re: Searching for a good PRNG (Tim Tyler)
Re: Legal reqiurements for CCTV watermarking (Volker Hetzer)
3-dimensional Playfair? (Juergen Nieveler)
Re: Padding scheme? (Tim Tyler)
Re: BEST BIJECTIVE RIJNDAEL YET? (Tim Tyler)
Re: Newbie about Rijndael ("mac")
Re: DATA PADDING FOR ENCRYPTION (Tim Tyler)
From: Francois Grieu [EMAIL PROTECTED]
Subject: Re: RSA Multiprime
Date: Tue, 31 Oct 2000 11:20:23 +0100
[EMAIL PROTECTED] (Scott Contini) wrote:
The only thing more ridiculous than Compaq patenting this is
RSA Security licensing the patent.
Agreed, if true. I have not seen the patent claims, and do not
know the details of the cross-licensing agreements between Compaq
and RSA Security. I hope scientists still have some influence at
RSA security (Bob are you listening ?). I bet the net flow of cash
from Compaq to RSA Security will be remain non-negative.
I do fell it would be ridiculous to apply in 1999-2000 for a patent
claiming asymetric cryptography based on modular exponentiation
modulo a composite formed of 3 or more primes, with use of the
Chinese Remainder Theorem to perform the exponentiation. For
example, back in 1994, Solaic (a French Smart Card manufacturer,
now merged with Schlumberger) proposed to use of this technique
in a bid for the French "CPS" (a Smart Card for the health
practitioner, that can digitaly sign). This was seen as a
solution to implement 768 bit secret-key RSA operation on the
ST16F48 IC (however with execution time in the 30 seconds) to
circumvent the late availability of the ST16CF54 with
cryptoprocessor. Professor Jean-Jacques Quisquater actually proposed
the use of multiple primes, and I studied the implementation on an
8 bit processor. I still have the code fragments, and memos in
electronic form.
While (multiple primes) gives some speedups, it opens up the
(RSA) algorithm to possible new attacks: if a faster special
purpose algorithm than the elliptic curve method is invented,
then multi-prime RSA easily could become insecure.
Well, GNFS and even MPQS are faster than ECM for pratical purpose,
and all three are equaly efficient against two-prime and
multi-prime RSA. The product of 2 random 288 bit primes is just
as hard to factor as the product of 3 random 192 primes, and this
situation has not evolved in the last 20 years. Yes, it is
conceivable this could change, but it is also conceivable, and
IMHO more likely, that some other breakthru will be made on
factorisation or the discrete log problem over elliptic curves.
(ECC enables) somewhat efficient operation on 8-bit processors
without a coprocessor. If you're concerned about the speed of
private key operations, my recommendation is to use ECC (for
security concerns, use a randomly generated curve)
Have you any firm reference of ECC on 8 bits processors without a
coprocessor ? Certicom once proposed this on the 68HC05, but it
was apparently retracted. I do not know the reason, and still
wonder if attacks have been found (on the special field used, or
by power/timing attacks).
In summary, I think multiple primes is a useful idea, giving a
sizable (not dramatic) speed increase; but not a patentable one.
Francois Grieu
--
From: Mike Connell [EMAIL PROTECTED]
Subject: Re: XOR based key exchange protocol - flawed?
Date: 31 Oct 2000 11:40:28 +0100
David Schwartz [EMAIL PROTECTED] writes:
Mike Connell wrote:
Your second case doesn't work. The MITM can create any number of
anonymous personas.
Sure, they can.
So he can make you think that he is the person who
gave you all those stock tips even though he isn't.
Now you've lost me. How? In order to do that, they must present the
same public key as the 'real' guy has. For that public key to be
useful, they must compute the secret key that goes with it. Isn't that
hard?
Not at all, because he can trivially create any number of public keys
and private keys.
OK, here is my public key 0xfefefefecabba9efefe.123456. I am A. My
brother 'B' knows that my public key is 0xfefe
The MITM can create as many pairs as he wants. In order to impersonate
me to B, he must have my secret key. Why? Because in step 4 when B
sends me Xb encrypted with 0xfefe... only I can decrypt it.
This works because B knows my public key. If he didn't, and got a
message that said "I am A, and my key is 0x6660666...", he wouldn't
(shouldn't!) believe it.
The protocol doesn't attempt to convince the users that a given public
key is that of a given real-world indentity, only that t