sci.crypt.research
November 2006
LibTomCrypt v1.15 released

Author: Tom St Denis
Date: Nov 17, 2006 14:06

LibTomCrypt v1.15 was released today. Lots of changes
[http://libtomcrypt.org/changes.txt] and fixes in this release. Note
that the documentation is not complete and will be updated within a
month or so (I have the OLPC work to start this weekend...).

Recent changes include the addition of the SEED and KASUMI block
ciphers, F9 and XCBC MAC and PKCS #1 v1.5 support. The ciphers/MACs
were added to further support TLS and 3GPP providers. Fixes include
build failures, and overflow in PMAC, portability fixes (anubis,
sober-128), and new callbacks for ciphers.

Available at: http://libtomcrypt.org

For those not in the know, LibTomCrypt is a free public domain
cryptographic library for C developers. It provides a variety of
standards conforming cryptographic primitives from ciphers, hashes,
MACs, to public key operations. It's written in portable C code, and
is very configurable for size and speed. I give it out for free, and
am supported by a variety of users who submit bug fixes and new code.
It is a project under active development and open for feedback from
users.

Future plans: Finish the manual. :-)
Question regarding Xiaoyun Wang's collisions for MD5.

Author: dennis
Date: Nov 16, 2006 23:13

I have a question regarding Xiaoyun Wang's paper "How to Break MD5 and Other
Hash Functions" (Eurocrypt 2005).

When Mr. Wang talks about the conditions for the non-zero bits in Step
Eight (pp. 7-8, where he gives an example of how to get a set of
sufficient conditions that ensure that the differential characteristic
holds), it says in 1. (a) iii that DELTA c(2,1) equals 0. But the
corresponding equation says

c'2=c2[7,8,9,10,11,-12,-24,-25,-26,27,28,29,30,31,32,1,2,3,4,5,-6]

I guess, I just don't really get it, but wouldn't that mean that c(2,1)=1
and c'(2,1)=0 and hence DELTA c(2,1)=1?

I would be very thankful if anyone could help me, since no person I've
asked so far could tell me what I probably misunderstand.

Thanks in advance!

Kind regards,

Dennis Komm
Irregular review procedures for IACR sponsored conferences

Author: Markus.Dichtl
Date: Nov 16, 2006 23:06

Dear fellow cryptologists,
I turn to the cryptologic public, because I experienced unfair and
incorrect review procedures at IACR sponsored workshops, and the IACR
board of directors seems to be unwilling or unable to react adequately
to my formal complaints.

I submitted two papers to CHES 2006, and these two papers got three
reviews each. There is firm evidence that none of the six reviewers had
bothered to read completely the paper they had to review. It is
obvious that it is impossible to judge the merits of a scientific paper
one has not read.
Call for Papers Fast Software Encryption 2007 (FSE 2007)

Author: info.fse2007
Date: Oct 16, 2006 23:37

Fast Software Encryption 2007

March 26-28
Luxembourg city, Luxembourg

Web-page: http://lacs.uni.lu/fse2007/

IACR

Call for Papers

FSE 2007 is the 14th annual Fast Software Encryption workshop, for the
sixth year sponsored by the International Association for Cryptologic
Research (IACR). Original research papers on symmetric cryptology are
invited for submission to FSE 2007. The workshop concentrates on fast
and secure primitives for symmetric cryptography, including the design
and analysis of block ciphers, stream ciphers, encryption schemes, hash
functions, and message authentication codes (MACs), analysis and
evaluation tools.
Important dates

Submission deadline December 11, 2006

Notification of decision January 31, 2007

Pre-proceedings version deadline February 20, 2007

Workshop March 26 - 28, 2007
Re: separating proofs of knowledge and proofs of membership

Author: Ertugrul Soeylemez
Date: Aug 16, 2006 23:04

"Amitabh Saxena" gmail.com> (06-08-15 11:07:10):
> Can anyone give an example of "proof of membership" that is NOT a
> "proof of knowledge". (The proofs of Quadratic Residue, Graph
> Isomorphism, Hamiltonian cycle, etc are all proofs of membership and
> proofs of knowledge at the same time.)

If I understood your question, a few very basic ones: You can prove a
number to be composite without knowing anything about its factors (and
being practically unable to discover anything about them). You can
prove certain functions to be invertible, without being able to actually
invert them (practically).

The problem is: To be able to prove membership without proving
knowledge, naturally there is no knowledge needed to prove this
(otherwise you would prove knowledge at the same time). In other words:
Your help, probably as the knower, isn't needed for the proof of
membership. One can do it alone.

Well, one other example: You can prove a number to _not_ be a quadratic
residue. This is a proof of membership. However, there is no knowledge
to prove in this case, so I think, this isn't what you're looking for.
CLC 2006 - Workshop on Codes and Lattices in Cryptography

Author: Ralf-Philipp Weinmann
Date: Aug 15, 2006 11:11

Apologies in advance if you receive multiple copies of this announcement.

-Ralf

================================================================================

CLC2006 - Workshop on Codes and Lattices in Cryptography

September 25th-27th, 2006
Technische Universitaet Darmstadt

================================================================================

Organizers:

Johannes Buchmann - Alexander May - Ulrich Vollmer

================================================================================

Confirmed Speakers:
separating proofs of knowledge and proofs of membership

Author: Amitabh Saxena
Date: Aug 15, 2006 11:07

Can anyone give an example of "proof of membership" that is NOT a
"proof of knowledge". (The proofs of Quadratic Residue, Graph
Isomorphism, Hamiltonian cycle, etc are all proofs of membership and
proofs of knowledge at the same time.)

In other words, I want an example of a proof that enables a verifier to
be "convinced" that a given graph has a hamiltonian cycle, yet at the
same time does not allow the verifier to extract the cycle even after
having "Rewind" access to the prover.

The same could be done for Quadratic residues (i.e. being convinced
that a given x is indeed a QR mod n, yet at the same time, not allowing
extraction of the sq. root of x)
Question on indistinguishability

Author: crazy.trying
Date: Aug 15, 2006 03:24

Let the distributions {(u, x)} and {(u, * )} be computationally
indistinguishable. Here * represents a random string, while x is
related to u.

Let there exist an algorithm A that takes as input an element from the
first distribution and outputs a value v,

i.e. A(u, x) = v

Can I assume that there exists another algorithm B that takes in as
input simply u and outputs v with almost the same probability that
algorithm A outputs v on inputs (u, x).

i.e. B(u) = v

In other words, I want to assume that the second input to algorithm A
does not give any additional advantage in computing v. I am claiming
that this should hold because of the indistinguishability of the two
distributions.

Is my claim true? If this is false, can anyone provide a counter
example? Any references to similar problems would also be nice.

Thanks in advance.
Rgds