John Young | 17 Aug 18:53 2015

CNSS Issues Memo on Shift to Quantum-Resistant Cryptography

CNSS Advisory Memo on Use of Public Standards for Secure Sharing of Information Among NatSec Systems 08/11/15

This Advisory expands on the guidance contained in CNSS Policy No. 15, National Information Assurance Policy on the Use of Public Standards for the Secure Sharing of Information Among National Security Systems (Reference a). Based on analysis of the effect of quantum computing on Information Assurance (IA) and IA-enabled Information Technology (IT) products, the policy
cryptography mailing list
Ron Garret | 7 Aug 00:13 2015

Announcing a command-line version of SC4

SC4 is my attempt to produce a minimalist and super-easy-to-use replacement for PGP using TweetNaCl as the
core crypto.  The original SC4 was a web application.  Since crypto in the browser makes a lot of people
queasy, I have produced a command-line version written in Python.  It uses the C TweetNaCl library (the web
version obviously had to use a Javascript port).  Python is only used to implement the UI.  You can find
SC4-PY, along with the original web version of SC4, on github:

NOTE: This is an ALPHA release.  It has undergone only very cursory testing (I would really appreciate some
help with that, actually).  The web version of SC4 has been audited, but the Python version has not (though
it was mostly ported directly from the Javascript implementation, so it should not have any gaping holes).

Feedback of all sorts very much appreciated.

Dave Horsfall | 6 Aug 08:02 2015

Book of possible interest

Spreading the word, as it were...  The list is where RTTY idiots like me 
hang out.

Dave Horsfall DTM (VK2KFU)  "Those who don't understand security will suffer."
Watson never said: "I think there is a world market for maybe five computers."

---------- Forwarded message ----------
Date: Wed, 05 Aug 2015 09:57:13 -0400
From: Jim Reeds
To: greenkeys <at> 
Subject: [GreenKeys] Book of possible interest

I am a long-time lurker, and have just helped publish a book that might be 
of interest to list members:

Breaking Teleprinter Ciphers at Bletchley Park: An edition of I.J. Good, 
D. Michie and G. Timms: General Report on Tunny with Emphasis on 
Statistical Methods (1945)

James A. Reeds (Editor), Whitfield Diffie (Editor), J. V. Field (Editor)

IEEE/Wiley Press, July 2015.

for details.)


Jim Reeds

Florian Weimer | 5 Aug 22:35 2015

Word-boundary-sensitive hashing

Suppose I have a sequence of words over some alphabet, and I want to
compute a cryptographically secure hash over that.  Simply
concatenating the hashes to form a single word does not work because
the word boundaries might have been meaningful and not implicit in the
inputs, and then you have second preimages etc.  I guess this is why
we have DER, among other reasons.

I've been asked to provide some citation for this observation, but I
can't find a proper reference.  Any suggestions?
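An added illustration, not part of Florian's post, of the ambiguity he describes: hashing the bare concatenation of the words lets a different split of the same bytes produce the same digest (a free second preimage), while an injective length-prefixed encoding keeps the boundaries inside the hashed data, which is the same job DER's mandatory length octets do. All inputs below are constructed.

```python
import hashlib
from typing import List, Sequence


def naive_hash(words: Sequence[bytes]) -> str:
    """Hash the bare concatenation.  The boundaries vanish: every split of
    the same byte string gives the same digest."""
    return hashlib.sha256(b"".join(words)).hexdigest()


def length_prefixed_hash(words: Sequence[bytes]) -> str:
    """Hash an injective encoding of the sequence: a 4-byte word count, then
    each word preceded by its 4-byte big-endian length.  Distinct sequences
    now map to distinct byte strings, so a collision here would need an
    actual SHA-256 collision."""
    h = hashlib.sha256()
    h.update(len(words).to_bytes(4, "big"))   # distinguishes [] from [b""]
    for w in words:
        h.update(len(w).to_bytes(4, "big"))   # boundary is now part of the input
        h.update(w)
    return h.hexdigest()


def resplit(words: Sequence[bytes]) -> List[bytes]:
    """Return a different word sequence with the same concatenation, i.e. a
    trivial second preimage for naive_hash.  Tries every two-way cut of the
    joined bytes and falls back to the unsplit string when the input was the
    only two-way split."""
    joined = b"".join(words)
    if len(joined) < 2:
        raise ValueError("need at least 2 bytes to choose a different boundary")
    for cut in range(1, len(joined)):
        candidate = [joined[:cut], joined[cut:]]
        if candidate != list(words):
            return candidate
    return [joined]   # e.g. words == [b"a", b"b"]: the single word b"ab" differs


if __name__ == "__main__":
    # Constructed example: a username field followed by a role field.
    original = [b"alice", b"admin"]
    forged = resplit(original)                 # [b"a", b"liceadmin"]
    print("naive collision:", naive_hash(original) == naive_hash(forged))
    print("length-prefixed collision:",
          length_prefixed_hash(original) == length_prefixed_hash(forged))
```

The count prefix matters as much as the per-word lengths: without it the empty sequence and a sequence holding one empty word encode identically.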
Patrick Pelletier | 4 Aug 06:29 2015

no, don't advertise that you support SSLv2!

I was on an e-commerce site today, and was horrified when I saw the 
following badge:

Did they still have SSLv2 enabled?  I checked, and luckily they don't:

So, it's not as bad as their badge claims, but still, they only get a 
C.  (They support only one version: TLS 1.0.)  I would've thought a big 
Web property like Yahoo could do better.  :(
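The server-side setting behind such a badge, as an added illustration that is not part of Patrick's post: he does not say what software the site runs, so nginx is assumed here. The first fragment is the kind of legacy ssl_protocols line that would make the badge true; the second is what a practitioner writes today (TLS 1.3 postdates the 2015 post).

```nginx
# Assumed legacy setting: SSLv2 and SSLv3 are offered and TLS stops at 1.0.
ssl_protocols SSLv2 SSLv3 TLSv1;

# Corrected: only current TLS versions, and the server picks the cipher suite.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
```

The per-version check Patrick describes can be repeated with `openssl s_client -connect host:443 -tls1` (or `-tls1_1`, `-tls1_2`, `-tls1_3`) and reading the exit status; current OpenSSL builds no longer ship the `-ssl2` flag at all, and `-ssl3` only when built with it, which is itself a hint about how dead those versions are.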

John Young | 30 Jul 16:52 2015

William Friedman's 1955 Crypto AG visit reports draft and final redactions

William Friedman's 1955 draft Crypto AG visit report shows text
redacted in final version and vice versa. Two versions compared: (20MB)
John Young | 27 Jul 00:38 2015

Varoufakis claims had approval to plan parallel banking system for Greece

Allegedly aided by Columbia University IT professor  to design a hack 
of existing taxation systems.

Columbia Computer Science Faculty
Puneet Bakshi | 25 Jul 20:01 2015

What is the format to add multiple signatures (Would PKCS#7 work?)


I want to add multiple signatures to a document. Which PKCS standard can be used? Does a PKCS#7 signature have the capability to add multiple signatures to a document?
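An added example, not part of Puneet's post: one CMS/PKCS#7 SignedData (RFC 5652, the successor of PKCS#7) carrying two independent SignerInfo structures, one per signer, built and then verified with the OpenSSL command-line tool, which is assumed to be installed. Alice and Bob are throwaway self-signed identities constructed on the fly; each `-signer`/`-inkey` pair given to `openssl cms -sign` contributes one SignerInfo.

```shell
#!/bin/sh
# Added example (not from the original post): PKCS#7/CMS SignedData with two
# SignerInfo entries.  Assumes the openssl CLI is available.

make_selfsigned() {
    # $1 = name; writes $1.key and $1.crt (constructed self-signed certificate)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=$1" -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

cms_multisign() {
    # $1 = input file, $2 = output DER file.  Each -signer/-inkey pair adds
    # one SignerInfo; -nodetach embeds the content so the blob is self-contained.
    openssl cms -sign -binary -nodetach -in "$1" -outform DER -out "$2" \
        -signer alice.crt -inkey alice.key \
        -signer bob.crt -inkey bob.key
}

cms_verify_and_count() {
    # $1 = DER SignedData, $2 = file that receives the signers' certificates.
    # -noverify skips chain building (the certificates are self-signed); the
    # signer certificates are written only if every signature verifies.
    openssl cms -verify -inform DER -in "$1" -noverify -signer "$2" \
        -out /dev/null >/dev/null 2>&1 || return 1
    grep -c 'BEGIN CERTIFICATE' "$2"     # one certificate per SignerInfo
}

demo() {
    # Runs in a fresh temporary directory; prints the number of signers found.
    dir=$(mktemp -d) || return 1
    cd "$dir" || return 1
    make_selfsigned alice && make_selfsigned bob || return 1
    printf 'contract text v1\n' > msg.txt     # constructed content
    cms_multisign msg.txt signed.der || return 1
    cms_verify_and_count signed.der signers.pem
}

demo
```

Verification succeeds only if every SignerInfo checks out, so a second signer cannot be added by anyone who does not hold that signer's key, and the signer set is visible to the verifier through the written-out certificates.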

Filip Paun | 10 Jul 22:15 2015

RSA signatures without padding

Suppose I have a message M for which I generate an RSA-2048 digital signature as follows:

  H = SHA-256(M)
  S = H^d mod N

Assume N = p*q is properly generated and d is the RSA private key. 

And I verify the signature as follows:

  S^e mod N == H'

where H' is the SHA-256 of the message to be authenticated. Assume e is the RSA public key.

Since I've not used any padding, are there any flaws with the above approach? What if e = 3? What if e = 2^16+1?

Your guidance is much appreciated.

Thank you,
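An added worked example, not from Filip's post: the unpadded scheme exactly as he writes it (S = SHA-256(M)^d mod N, verified by S^e mod N == H'), implemented over a toy key. The 512-bit modulus and the Miller-Rabin key generation are assumptions chosen to keep the demo fast; the post's scheme uses RSA-2048. The last function shows the algebraic property that padding standards (PKCS#1 v1.5, PSS) exist to remove: two valid signatures multiply into a value that passes the raw check for H1*H2 mod N. Because the verifier recomputes H' from the message, an attacker would still need a message hashing to that product, so what the demo exhibits is the structural malleability a reviewer would flag, not a ready forgery.

```python
import hashlib
import secrets
from math import gcd


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test (assumed helper)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2        # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                         # definitely composite
    return True


def random_prime(bits: int, e: int) -> int:
    """Random prime of the given bit length with gcd(p-1, e) == 1."""
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if gcd(p - 1, e) == 1 and is_probable_prime(p):
            return p


def keygen(bits: int = 512, e: int = 65537):
    """Toy RSA key (e, d, N).  512-bit N is a demo size; the post uses 2048."""
    p = random_prime(bits // 2, e)
    q = random_prime(bits // 2, e)
    while q == p:
        q = random_prime(bits // 2, e)
    N = p * q
    d = pow(e, -1, (p - 1) * (q - 1))           # private exponent
    return e, d, N


def h_int(m: bytes) -> int:
    """H = SHA-256(M) as a 256-bit integer; always < N for N >= 512 bits."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big")


def sign_unpadded(m: bytes, d: int, N: int) -> int:
    """S = H^d mod N, exactly as in the post: no padding at all."""
    return pow(h_int(m), d, N)


def verify_unpadded(m: bytes, S: int, e: int, N: int) -> bool:
    """Accept iff S^e mod N == H', with H' recomputed from the message."""
    return pow(S, e, N) == h_int(m)


def combined_signature_verifies(e: int, d: int, N: int, m1: bytes, m2: bytes) -> bool:
    """Raw RSA is multiplicative: (S1*S2)^e = H1^(de) * H2^(de) = H1*H2 (mod N).
    So S1*S2 mod N passes the raw check for the value H1*H2 mod N, which no
    honest signer ever produced.  Padding breaks this structure; that is the
    flaw the unpadded scheme leaves in place."""
    s1, s2 = sign_unpadded(m1, d, N), sign_unpadded(m2, d, N)
    s3 = (s1 * s2) % N
    return pow(s3, e, N) == (h_int(m1) * h_int(m2)) % N


if __name__ == "__main__":
    for e in (65537, 3):                          # both exponents from the post
        e, d, N = keygen(512, e)
        S = sign_unpadded(b"pay 10 EUR", d, N)
        print(f"e={e}: verifies={verify_unpadded(b'pay 10 EUR', S, e, N)}, "
              f"product passes raw check={combined_signature_verifies(e, d, N, b'a', b'b')}")
```

With e = 3 or e = 65537 the signing and verification arithmetic is identical; the exponent changes neither the correctness of the scheme nor its multiplicative structure, which is why the question of padding is independent of the choice of e.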
John Young | 9 Jul 16:12 2015
Marcel | 9 Jul 08:25 2015

Supersingular Isogeny DH


Taking the key exchange protocol of De Feo, Jao and Plût in

The public parameters are:
Elliptic curve E over finite field F_q, Torsion subgroup <P_A, Q_A> =
E[l_A] of E(F_q)

The parameters for the key exchange for Alice are:
two random numbers m_A, n_A to compute the isogeny with kernel:
K_A := [m_A] P_A + [n_A] Q_A

So my question is, why do I need two random values m_A and n_A to compute
the torsion group E[l_A] and respectively the kernel K_A?

Why does it not suffice to use only one point to generate E[l_A] and the
kernel K_A?
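A note added here, not part of Marcel's post, on the group structure behind the two scalars; the symbols are those of the post, with l_A a prime power ℓ^e as in De Feo, Jao and Plût.

Over a field whose characteristic does not divide $\ell$, the $l_A$-torsion is a rank-2 group:
$$E[l_A] = E[\ell^{e}] \cong \mathbb{Z}/\ell^{e}\mathbb{Z} \times \mathbb{Z}/\ell^{e}\mathbb{Z},$$
so no single point generates it: one point generates only a cyclic subgroup, and the two public points $P_A, Q_A$ are needed as a basis. Alice's secret is not the torsion group itself but one cyclic subgroup of order $\ell^{e}$ inside it, the kernel of her isogeny:
$$K_A = \langle [m_A]P_A + [n_A]Q_A \rangle, \qquad \ell \nmid m_A \ \text{or} \ \ell \nmid n_A .$$
Counting generators (elements of order exactly $\ell^{e}$, each subgroup having $\varphi(\ell^{e})$ of them), the number of such subgroups is
$$\frac{\ell^{2e} - \ell^{2e-2}}{\ell^{e-1}(\ell - 1)} = \ell^{e-1}(\ell + 1),$$
which is exactly the number of cyclic $\ell^{e}$-isogenies from $E$. The pair $(m_A, n_A)$ is what selects one of them; a single fixed public point would fix the kernel for everyone and leave nothing secret. Since only the subgroup matters, $(m_A, n_A)$ and $(u\,m_A, u\,n_A)$ for any unit $u$ give the same kernel, and implementations commonly normalise to $m_A = 1$, i.e. $K_A = \langle P_A + [n_A]Q_A \rangle$, which reaches $\ell^{e}$ of the $\ell^{e-1}(\ell+1)$ subgroups with one random scalar. The basis of two points is still required in that case; what can be dropped is one of the two random values, not one of the two generators.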