Unfortunately I can't remember the author, but there was a paper
showing that an encrypted counter was secure to use as IVs for CBC
mode. So encrypting a shorter random IV should also be secure.
Greg.
On 2010 Jun 2, at 9:36 , Ralph Holz wrote:
Dear all,
A colleague dropped in yesterday
On 2009 Oct 19, at 9:15 , Jack Lloyd wrote:
On Sat, Oct 17, 2009 at 02:23:25AM -0700, John Gilmore wrote:
DSA was (designed to be) full of covert channels.
And, for that matter, one can make DSA deterministic by choosing the k
values to be HMAC-SHA256(key, H(m)) - this will cause the k
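The deterministic-k idea above, carried out as an added example (not code from anyone in the thread). The group (p = 1019, q = 509, g = 4) is a toy safe-prime group chosen so the numbers stay readable; real DSA uses a 2048- or 3072-bit p with a 224- or 256-bit q. The nonce derivation is the HMAC construction Jack describes; the retry counter and the reduction of the MAC into [1, q-1] are this example's own choices, and the "fixed k" functions exist only to show what a careless k gives away.

```python
"""Deterministic DSA with k = HMAC-SHA256(x, H(m)) on toy parameters (added example)."""
import hashlib
import hmac

P, Q, G = 1019, 509, 4            # toy group: q | p-1, and g = 2^2 generates the order-q subgroup
assert pow(G, Q, P) == 1 and G != 1


def h_int(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def derive_k(x: int, hm: int, counter: int = 0) -> int:
    """k = HMAC-SHA256(key = x, H(m) || counter), mapped into [1, q-1]; counter is this example's retry knob."""
    key = x.to_bytes((Q.bit_length() + 7) // 8, "big")
    data = hm.to_bytes(32, "big") + counter.to_bytes(4, "big")
    mac = hmac.new(key, data, hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (Q - 1) + 1


def keygen(seed: bytes):
    """Private x in [1, q-1] derived from a constructed seed (reproducible demo), public y = g^x mod p."""
    x = int.from_bytes(hashlib.sha256(b"toy-dsa:" + seed).digest(), "big") % (Q - 1) + 1
    return x, pow(G, x, P)


def sign(x: int, msg: bytes):
    hm = h_int(msg)
    counter = 0
    while True:
        k = derive_k(x, hm, counter)
        r = pow(G, k, P) % Q
        s = (pow(k, -1, Q) * (hm + x * r)) % Q
        if r and s:
            return r, s
        counter += 1                       # degenerate r or s: re-derive, still deterministic


def verify(y: int, msg: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1 = (h_int(msg) * w) % Q
    u2 = (r * w) % Q
    return (pow(G, u1, P) * pow(y, u2, P) % P) % Q == r


def sign_with_fixed_k(x: int, msg: bytes, k: int):
    """Deliberately broken signer: k is supplied by the caller, so it can be reused."""
    hm = h_int(msg)
    r = pow(G, k, P) % Q
    return r, (pow(k, -1, Q) * (hm + x * r)) % Q


def recover_x(m1, sig1, m2, sig2):
    """Two signatures under one k: k = (h1 - h2)/(s1 - s2), then x = (s1*k - h1)/r, all mod q."""
    (r1, s1), (r2, s2) = sig1, sig2
    h1, h2 = h_int(m1) % Q, h_int(m2) % Q
    if r1 != r2 or r1 == 0 or s1 == s2:
        return None
    k = ((h1 - h2) * pow((s1 - s2) % Q, -1, Q)) % Q
    return ((s1 * k - h1) * pow(r1, -1, Q)) % Q


def demo_nonce_reuse(x: int):
    """Sign two messages with the same k and recover x from the signatures alone."""
    m1 = b"pay alice 10"
    sig1 = sign_with_fixed_k(x, m1, 123)
    for i in range(64):                    # skip the rare m2 whose hash equals h1 mod q
        m2 = b"pay mallory %d" % i
        got = recover_x(m1, sig1, m2, sign_with_fixed_k(x, m2, 123))
        if got is not None:
            return got
    return None
```

With the HMAC derivation the same key and message always give the same k, so the signer has no freedom left to leak anything through r, which is what closes the covert channel; the last two functions show the other half of the argument, namely that a k chosen badly enough to repeat hands over x.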
On 2009 Aug 19, at 3:28 , Paul Hoffman wrote:
At 5:28 PM -0400 8/19/09, Perry E. Metzger wrote:
I believe attacks on Git's use of SHA-1 would require second preimage
attacks, and I don't think anyone has demonstrated such a thing for
SHA-1 at this point. Nonetheless, I agree that it
Target collisions for MD5 can be calculated in seconds on a laptop,
based on just a small change in the first block of input. There was
also a semi-successful demo of MD5 certificate problems; you could
join the special wireless network, and any https connection would be
silently proxied
On 2009 Apr 30, at 4:31 , Perry E. Metzger wrote:
Eric Rescorla e...@networkresonance.com writes:
McDonald, Hawkes and Pieprzyk claim that they have reduced the collision
strength of SHA-1 to 2^{52}.
Slides here:
http://eurocrypt2009rump.cr.yp.to/837a0a8086fa6ca714249409ddfae43d.pdf
One of the earlier messages (I lost it) said that Philipp said that
there was information that could be used as a nonce. In that case, I
would recommend a stream cipher used to generate 133 bits at a time; if
the lump of bits represents an integer in the correct range, add it
modulo 10^40...
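The suggestion above, carried out as an added example (not code from the thread): draw 133-bit lumps from a keystream, keep the first one below 10^40, and add it to the 40-digit number mod 10^40. Assumption: the keystream is SHA-256 run in counter mode over (key, nonce), standing in for whatever real stream cipher is used; the nonce must never repeat under one key, and two_time_pad_leak() shows why.

```python
"""Encrypting 40-digit decimal numbers with a keystream and addition mod 10^40 (added example)."""
import hashlib

DIGITS = 40
MODULUS = 10 ** DIGITS
BITS = 133                     # 2**132 < 10**40 < 2**133, so 133 bits is the smallest lump that covers the range
MASK = (1 << BITS) - 1


def lumps(key: bytes, nonce: bytes):
    """Yield successive 133-bit integers from the keystream (SHA-256 counter mode as a stand-in stream cipher)."""
    counter = 0
    while True:
        block = hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        yield int.from_bytes(block[:17], "big") & MASK     # 17 bytes = 136 bits, masked down to 133
        counter += 1


def pad_value(key: bytes, nonce: bytes) -> int:
    """Rejection sampling: the first lump that is a valid 40-digit number (about 92% of lumps are)."""
    for lump in lumps(key, nonce):
        if lump < MODULUS:
            return lump


def _as_int(s: str) -> int:
    if len(s) != DIGITS or not s.isdigit():
        raise ValueError("expected a %d-digit decimal string" % DIGITS)
    return int(s)


def encrypt(key: bytes, nonce: bytes, plaintext: str) -> str:
    m = _as_int(plaintext)
    return "%0*d" % (DIGITS, (m + pad_value(key, nonce)) % MODULUS)


def decrypt(key: bytes, nonce: bytes, ciphertext: str) -> str:
    c = _as_int(ciphertext)
    return "%0*d" % (DIGITS, (c - pad_value(key, nonce)) % MODULUS)


def two_time_pad_leak(c1: str, c2: str) -> str:
    """Under a reused nonce the pads cancel: c1 - c2 == m1 - m2 (mod 10^40), with no key needed."""
    return "%0*d" % (DIGITS, (int(c1) - int(c2)) % MODULUS)
```

Because the accepted lump is uniform on [0, 10^40), the ciphertext is uniform too, and the output is again a 40-digit string, so nothing downstream has to change. The price is the usual one for a stream cipher: the value is only a one-time pad if (key, nonce) never repeats.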
Philipp Gühring wrote:
Hi,
G'day Philipp,
I am searching for symmetric encryption algorithms for decimal strings.
Let's say we have various 40-digit decimal numbers:
2349823966232362361233845734628834823823
3250920019325023523623692235235728239462
0198230198519248209721383748374928601923
Hal Finney wrote:
So, you don't have a 133-bit block cipher lying around? No worries, I'll
sell you one ;-). Actually that is easy too. Take a trustworthy 128-bit
block cipher like AES. To encrypt, do:
1. Encrypt the first 128 bits (ECB mode)
2. Encrypt the last 128 bits (also ECB mode).
I
David Wagner wrote:
It's a brilliant piece of research. If you weren't at CRYPTO, you missed
an outstanding talk (and this wasn't the only one!).
Yes, the program chair and committee did a great job. Whatsisname? Oh,
yeah, David Wagner.
Greg.
Greg Rose [EMAIL PROTECTED] wrote:
Basically the method focuses on terms of the polynomial in which
only one secret bit of the key appears, and many of the non-secret
bits. Using chosen (or lucky) plaintexts, vary all but one of the
non-secret bits
Steven M. Bellovin wrote:
Greg, assorted folks noted, way back when, that Skipjack looked a lot
like a stream cipher. Might it be vulnerable?
Hmmm, interesting. I'm getting increasingly closer to talking through my
hat, but...
Skipjack has an 8x8 S-box, so by definition the maximum degree
someone wrote:
what about RC4, the most important stream
cipher in the Internet world?
So I cornered Adi for a while. Of course he'd thought of almost
everything I wanted to ask.
You're not the first to think of RC4 (I confess I wasn't either). No, if
you try to express shuffling as a
James Muir wrote:
Greg Rose wrote:
Basically, any calculation with inputs and outputs can be represented as
an (insanely complicated and probably intractable) set of binary
multivariate polynomials. So long as the degree of the polynomials is
not too large, the method allows most
Perry E. Metzger wrote:
According to Bruce Schneier...
http://www.schneier.com/blog/archives/2008/08/adi_shamirs_cub.html
...Adi Shamir described a new generalized cryptanalytic attack at
Crypto today.
Anyone have details to share?
Stunningly smart, and an excellent and understandable
Perry E. Metzger wrote:
Greg Rose [EMAIL PROTECTED] writes:
His example was an insanely complicated theoretical LFSR-based stream
cipher; recovers keys with 2^28 (from memory, I might be a little
out), with 2^40 precomputation, from only about a million output
bits. They are working on applying
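The method sketched in the two fragments above (sum over the terms in which a chosen set of non-secret bits appears, so that only a linear function of the secret bits survives), as an added example that is not code from the thread. The target is a constructed polynomial in five public bits v[0..4] and four secret bits x[0..3], standing in for one output bit of a cipher; the attack only ever evaluates it as a black box. Offline, the attacker runs the algorithm under keys she picks to find "maxterms": cubes of public bits whose cube sum (the superpoly) is affine in the key. Online, each cube sum on the real key yields one linear equation.

```python
"""Cube attack on a toy black-box polynomial over GF(2) (added example)."""
import itertools

NV, NX = 5, 4                               # public (chosen) bits, secret bits


def toy_poly(v, x):
    """Constructed target: degree 3 in v, and not linear in x on its own."""
    return ((v[0] & v[1] & x[0]) ^ (v[0] & v[1] & v[2] & x[1]) ^ (v[0] & v[1])
            ^ (v[2] & v[3] & x[1]) ^ (v[2] & v[3] & x[2]) ^ (v[2] & v[3] & v[4] & x[3])
            ^ (v[4] & x[3]) ^ (v[0] & x[2] & x[3]) ^ (v[1] & v[4] & x[0] & x[1])
            ^ (v[3] & x[2]) ^ (x[0] & x[2]) ^ (x[1] & x[3]) ^ 1)


def bits(n, width):
    return [(n >> j) & 1 for j in range(width)]


def cube_sum(oracle, cube):
    """XOR of the oracle over all 2^|cube| settings of the cube bits; the other public bits stay 0."""
    acc = 0
    for setting in itertools.product((0, 1), repeat=len(cube)):
        v = [0] * NV
        for i, b in zip(cube, setting):
            v[i] = b
        acc ^= oracle(v)
    return acc


def find_maxterms():
    """Offline phase: tabulate each cube's superpoly over every key, keep the affine, non-constant ones."""
    maxterms = []
    for size in range(1, NV + 1):
        for cube in itertools.combinations(range(NV), size):
            table = [cube_sum(lambda v, x=bits(n, NX): toy_poly(v, x), cube)
                     for n in range(1 << NX)]
            const = table[0]
            mask = sum(1 << j for j in range(NX) if table[1 << j] ^ const)
            affine = all(table[a] ^ table[b] ^ const == table[a ^ b]
                         for a in range(1 << NX) for b in range(1 << NX))
            if mask and affine:
                maxterms.append((cube, mask, const))   # superpoly(x) = <mask, x> ^ const
    return maxterms


def solve_gf2(equations, nvars):
    """Gauss-Jordan elimination over GF(2); each row is [coefficient mask, right-hand side]."""
    rows = [[m, b] for m, b in equations]
    pivot = [None] * nvars
    for col in range(nvars):
        for i, row in enumerate(rows):
            if i not in pivot and (row[0] >> col) & 1:
                pivot[col] = i
                for j, other in enumerate(rows):
                    if j != i and (other[0] >> col) & 1:
                        other[0] ^= row[0]
                        other[1] ^= row[1]
                break
    if None in pivot:
        return None                                # not enough independent equations
    return [rows[pivot[col]][1] for col in range(nvars)]


def recover_key(oracle, maxterms):
    """Online phase: one cube sum per maxterm against the unknown key, then solve the linear system."""
    equations = [(mask, cube_sum(oracle, cube) ^ const) for cube, mask, const in maxterms]
    return solve_gf2(equations, NX)
```

For the toy polynomial the cube {v0, v1} has superpoly x0 + 1, {v2, v3} gives x1 + x2, {v3} gives x2 and {v4} gives x3, which is already enough equations; the online phase costs 2^|cube| chosen inputs per equation and never has to look at the polynomial itself. The exhaustive affine check is affordable only because the toy key is four bits; on a real cipher it is replaced by probabilistic linearity tests.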
Erik Ostermueller wrote:
If I exchange messages with a system and the messages are encrypted with a
symmetric key, what further benefit would we get by using a MAC (Message
Authentication Code) along with the message encryption?
Being new to all this, using the encryption and MAC together seem
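The answer to Erik's question in running code, as an added example that is not from the thread: stream-cipher (or CTR-mode) ciphertext is malleable, so without a MAC the receiver decrypts whatever the attacker edited into it. Assumptions: the cipher is a SHA-256 keystream XORed over the message, standing in for any stream cipher; keys, nonce and the message layout are constructed for the demo.

```python
"""What a MAC adds on top of encryption: malleable ciphertext versus encrypt-then-MAC (added example)."""
import hashlib
import hmac

ENC_KEY, MAC_KEY, NONCE = b"enc-key-0123456", b"mac-key-0123456", b"nonce-01"   # constructed
TAG_LEN = 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode, a stand-in for a real stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def tamper(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker: without any key, XOR (old ^ new) into the bytes at a known offset."""
    c = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        c[offset + i] ^= o ^ n
    return bytes(c)


def seal(data: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers the nonce and the whole ciphertext."""
    ct = stream_xor(ENC_KEY, NONCE, data)
    return ct + hmac.new(MAC_KEY, NONCE + ct, hashlib.sha256).digest()


def open_sealed(blob: bytes):
    """Verify the tag in constant time before decrypting; None on any mismatch."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, NONCE + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return stream_xor(ENC_KEY, NONCE, ct)


MESSAGE = b"PAY 0000100 TO ALICE"     # constructed: the amount field sits at bytes 4..10


def attack_without_mac() -> bytes:
    """Encryption only: the edited ciphertext decrypts to an edited amount."""
    ct = stream_xor(ENC_KEY, NONCE, MESSAGE)
    forged = tamper(ct, 4, b"0000100", b"9999999")
    return stream_xor(ENC_KEY, NONCE, forged)


def attack_with_mac():
    """Same edit against the sealed blob: the tag no longer verifies."""
    forged = tamper(seal(MESSAGE), 4, b"0000100", b"9999999")
    return open_sealed(forged)
```

Confidentiality says nothing about integrity: the attacker never learns the amount, yet changes it at will. The MAC is what turns "the recipient can read it" into "the recipient can trust it", and checking the tag before decrypting keeps the decryptor from ever operating on attacker-controlled input.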
Perry E. Metzger wrote:
A wonderful place. I hope it manages to pull through.
http://resources.zdnet.co.uk/articles/imagegallery/0,102003,39415278,00.htm?r=234
There is a mechanism whereby US donors can send tax deductible donations
to the trust. Go to http://www.cafamerica.org and
At 10:44 -0700 2007/06/22, Ali, Saqib wrote:
...whereas the key distribution systems we have aren't affected by
eavesdropping unless the attacker has the ability to perform 2^128 or
more operations, which he doesn't.
Paul: Here you are assuming that key exchange has already taken place.
But
At 17:58 -0500 2006/11/08, Leichter, Jerry wrote:
No, SHA-1 is holding on (by a thread) because of differences in the
details of the algorithm - details it shares with SHA-256. I
don't think anyone will seriously argue that if SHA-1 is shown to
be as vulnerable as we now know MD5 to be, then
At 19:13 -0500 2006/10/17, Travis H. wrote:
So I was reading about the OTP system (based on S/Key) described in RFC 2289.
It basically hashes a secret several times (with salt to individualize
it) and stores
the value that the correct password will hash to.
Now my question is, if we restrict
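The RFC 2289 scheme Travis describes, as an added example (not code from the thread) with both sides of the exchange: the server keeps only the sequence number and the current chain value, the client walks the chain backwards, and a value that has been seen once is spent. Assumption: the step function is SHA-256 folded to 64 bits, in place of the MD4/MD5/SHA-1 folding RFC 2289 specifies; passphrase, seed and sequence numbers are constructed.

```python
"""S/Key-style one-time passwords: a hash chain walked backwards (added example)."""
import hashlib


def step(x: bytes) -> bytes:
    """One chain step: hash, then fold the digest to 8 bytes the way RFC 2289 folds its digests."""
    d = hashlib.sha256(x).digest()
    return bytes(d[i] ^ d[i + 8] ^ d[i + 16] ^ d[i + 24] for i in range(8))


def otp(passphrase: bytes, seed: bytes, n: int) -> bytes:
    """Client side: the n-th one-time password is H^n(seed || passphrase)."""
    x = seed + passphrase
    for _ in range(n):
        x = step(x)
    return x


class OtpServer:
    """Holds only (seed, n, H^n); the passphrase never reaches the server."""

    def __init__(self, seed: bytes, n: int, stored: bytes):
        self.seed, self.n, self.stored = seed, n, stored

    def challenge(self):
        """What the server sends: the sequence number the client must respond with, and the seed."""
        return self.n - 1, self.seed

    def login(self, candidate: bytes) -> bool:
        """Accept iff H(candidate) is the stored value, then move the stored value down one step."""
        if step(candidate) != self.stored:
            return False
        self.n, self.stored = self.n - 1, candidate     # this value is now spent
        return True


def enroll(passphrase: bytes, seed: bytes, n: int = 100) -> OtpServer:
    """Registration: the client computes H^n once and hands only that to the server."""
    return OtpServer(seed, n, otp(passphrase, seed, n))
```

An eavesdropper who captures H^(n-1) can compute H^n (which the server already has) but not H^(n-2), which is the next value the server will accept, so a captured password is useless after the one login it was used for. The server database is likewise useless to a thief for the same reason.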
At 17:05 -0400 2006/10/12, Steven M. Bellovin wrote:
This is a very interesting suggestion, but I suspect people need to be
cautious about false positives. MP3 and JPG files will, I think, have
similar entropy statistics to encrypted files; so will many compressed
files.
Actually, no. I have
At 14:33 -0400 2006/09/28, Leichter, Jerry wrote:
VMS has for years had a simple CHECKSUM command, which had a variant,
CHECKSUM/IMAGE, applicable only to executable image files. It knew
enough about the syntax of executables to skip over irrelevant metadata
like link date and time. (The
So, there is at least one top-level CA installed in some common
browsers (I checked Firefox) that uses exponent-3. It is Starfield
Technologies Inc. Starfield Class 2 CA. There may well be
others... I only looked far enough to determine that that was a
problem.
So the next question becomes,
At 19:02 +1000 2006/09/14, James A. Donald wrote:
Suppose the padding was simply
010101010101010 ... 1010101010101 hash
with all leading zeros in the hash omitted, and four
zero bits showing where the actual hash begins.
Then the error would never have been possible.
I beg to differ. A
At 23:40 +1200 2006/09/14, Peter Gutmann wrote:
But wait, there's more! From what I understand of the attack, all you need
for it to work is for the sig.value to be a perfect cube. To do this, all you
need to do is vary a few of the bytes of the hash value, which you can do via
a simple
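The cube-root forgery the last few messages are about, as an added example that is not code from the thread: against a verifier that reads 00 01 FF.. 00 DigestInfo hash and ignores whatever follows, an e=3 signature needs no private key at all, because the forger can leave the low-order bytes free and round the cube root up. Assumptions: PKCS#1 v1.5 with SHA-1; the modulus is a constructed 2048-bit odd number standing in for a CA's real modulus (the forged value never gets reduced mod n, so n's factorisation plays no part); the lenient parser is written here on purpose to show the bug, beside a strict one that rebuilds the whole block.

```python
"""Forging an e=3 PKCS#1 v1.5 signature against a lenient verifier (added example)."""
import hashlib

SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")   # DER prefix for a SHA-1 DigestInfo
K = 256            # modulus length in bytes (2048 bits)
E = 3


def demo_modulus() -> int:
    """Constructed stand-in for a public modulus: 2048 bits, top and low bits set."""
    raw = b"".join(hashlib.sha256(b"demo-modulus-%d" % i).digest() for i in range(K // 32))
    return int.from_bytes(raw, "big") | (1 << (8 * K - 1)) | 1


def icbrt_ceil(x: int) -> int:
    """Smallest integer s with s**3 >= x (binary search over big integers)."""
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < x:
            lo = mid + 1
        else:
            hi = mid
    return lo


def lenient_verify(n: int, sig: int, msg: bytes) -> bool:
    """The bug: stops checking after the hash, so trailing bytes are never examined."""
    em = pow(sig, E, n).to_bytes(K, "big")
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < K and em[i] == 0xFF:
        i += 1
    if i == 2 or i >= K or em[i] != 0x00:
        return False
    body = em[i + 1:]
    return body.startswith(SHA1_DIGESTINFO + hashlib.sha1(msg).digest())


def strict_verify(n: int, sig: int, msg: bytes) -> bool:
    """The fix: rebuild the entire expected block and compare all K bytes."""
    em = pow(sig, E, n).to_bytes(K, "big")
    t = SHA1_DIGESTINFO + hashlib.sha1(msg).digest()
    expected = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return em == expected


def forge(msg: bytes) -> int:
    """No private key: fix the prefix, zero the tail, take the cube root and round up."""
    t = SHA1_DIGESTINFO + hashlib.sha1(msg).digest()
    prefix = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t          # 46 bytes the lenient parser will read
    block = int.from_bytes(prefix + b"\x00" * (K - len(prefix)), "big")
    s = icbrt_ceil(block)
    # s**3 - block < 3*s**2 + 3*s + 1, about 2**1362, while the free tail is 210 bytes (2**1680),
    # so rounding up never carries into the prefix; and s**3 < 2**2040 < n, so no reduction happens.
    return s
```

Greg's point later in the thread about padding is exactly what strict_verify enforces: when the verifier insists that the FF run fill every byte between the header and the DigestInfo, the only value with that shape is the genuine one, and the chance that it happens to be a perfect cube is negligible. The attack does not depend on the hash function; it is the parser, not SHA-1, that is broken.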
At 15:26 +0200 2006/08/23, Erik Zenner wrote:
Hi all!
At the rump session of Crypto 2006, we started the chasing the Rabbit
contest. Dan Bernstein was so kind as to present the slides on our
behalf. The details of the contest are given below; they can also be
downloaded from
At 16:29 -0600 2006/06/08, John R. Black wrote:
It is taught by good people, but I find it a bit strange they are all
Microsoft employees. This is perhaps because U. Wash doesn't have any
cryptographers.
I hardly think that you can discount the skills of Josh Benaloh and
Brian
At 20:34 -0600 2006/06/06, John R. Black wrote:
On Tue, Jun 06, 2006 at 01:57:25AM -0700, Udhay Shankar N wrote:
http://it.slashdot.org/article.pl?sid=06/06/04/1311243
It is taught by good people, but I find it a bit strange they are all
Microsoft employees. This is perhaps because U.
At 1:41 -0600 2006/04/02, Travis H. wrote:
So I'm reading up on unconditionally secure authentication in Simmons'
Contemporary Cryptology, and he points out that with RSA, given d,
you could calculate e (remember, this is authentication not
encryption) if you could factor n, which relates the
At 22:09 -0500 2006/03/22, John Denker wrote:
Aram Perez wrote:
* Can you add or increase entropy?
Shuffling a deck of cards increases the entropy of the deck.
As a minor nit, shuffling *in an unpredictable manner* adds entropy,
because there is extra randomness being brought into the
At 01:33 2005-11-01 -0600, Travis H. wrote:
The latest hashes, such as SHA-1, gave up on Feistel.
Not so... the SHA family are all unbalanced Feistel structures.
Basically, for SHA-1 a complex function of 4 words and key material
(in this case expanded data to be hashed) is combined with the
or two.
Greg.
Greg Rose                INTERNET: [EMAIL PROTECTED]
Qualcomm Incorporated    VOICE: +1-858-651-5733   FAX: +1-858-651-5766
5775 Morehouse Drive     http://people.qualcomm.com/ggr/
San Diego, CA 92121      232B EC8F 44C6 C853 D68F E107 E6BF CD2F 1081
as a price setting precedent.
They (NSA) did pay, and they (Certicom) did stick it in our faces.
See, eg., http://www.eweek.com/article2/0,1895,1498136,00.asp . Did
you miss this at the time?
Greg.
.
(*) actually each layer reduces the space of output keys slightly; not
enough to matter in practice, but it is actually infinitesimally worse than
just doing the hash.
Greg.
disclosure...
or not.
Greg.
this kind of
attack (whether they'd found it or not). We don't have a good analysis of
the data-expansion part, but I'm pretty sure that it'll defeat the Wang
attacks.
Greg.
load for primality testing.
I must be misunderstanding. Surely. Please?
Greg.
I wrote:
Phil Hawkes' paper on the SHA-2 round function has just been posted as
Eprint number 207. It contains rather a lot of detail, unlike some of the
other papers on the subject of hash function collisions.
At 14:17 2004-08-23 -0400, Trei, Peter wrote:
Could you possibly post a direct
Phil Hawkes' paper on the SHA-2 round function has just been posted as
Eprint number 207. It contains rather a lot of detail, unlike some of the
other papers on the subject of hash function collisions.
Greg.
In the light of day and less inebriated, I'd like to clarify some of what I
wrote last night, and maybe expand a bit. My original account wasn't what
I'd like to think of as a record for posterity.
Greg.
At 13:11 2004-08-18 +1000, Greg Rose wrote:
Xiaoyun Wang was almost unintelligible
At 00:49 2004-08-19 +1000, Greg Rose wrote:
There has been criticism about the Wang et al. paper that it doesn't
explain how they get the collisions. That isn't right. Note that from the
incorrect paper to the corrected one, the delta values didn't change.
Basically, if you throw random numbers
is really message M and a random delta).
But I could also be mistaken on this.
Greg.
Greg Rose                INTERNET: [EMAIL PROTECTED]
Qualcomm Australia       VOICE: +61-2-9817 4188   FAX: +61-2-9817 5199
Level 3, 230 Victoria Road,   http://people.qualcomm.com/ggr
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
about it,
depending which version of the story you've heard. Since he works for the
German NSA-equivalent, I guess he would take this seriously.
Greg.
incentive does a miscreant have to
reprogram hundreds or thousands of other
cars???
Until recently, when viruses and worms started to be used to assist
spamming, what incentive did a miscreant have to invade hundreds or
thousands of computers?
Greg.
At 15:41 2004-06-19 -0400, Perry E. Metzger wrote:
http://news.bbc.co.uk/1/hi/technology/3804895.stm
No real new info, but some good background. Several familiar names,
such as Ross Anderson, are interviewed.
Gee, a pity they can't calculate 2^128 correctly.
Greg.
, indicating
it is not widespread.
iang
,
and there are block ciphers (such as FEAL, same vintage as RC4) that aren't
even vaguely secure.
Greg.
dbm uses essentially this philosophy, but the
tree is not binary; rather each node stores up to one disk block's worth of
pointers. Nodes split when they get too full. When the point is to handle a
lot of data, this makes much more sense.
Hope that helps,
Greg.
. Adding (and checking) correct padding
(eg. OAEP or PSS, see the PKCS standards) makes it extremely unlikely that
there will be a cube root for the attack to work on.
Others may want to correct me or elaborate further, but I think that's correct.
regards,
Greg.
this attack is not going to cost
much more than a cellphone (without subsidies). Patenting the attack
prevents the production of the radio shack (tm) gsm scanner, so that it
at least requires serious attackers, not idle retirees or jealous teenagers.
Greg.
compromised by this attack.
Greg.
)
53 matches