Cryptography-Digest Digest #116, Volume #13       Tue, 7 Nov 00 18:13:01 EST

Contents:
  Re: On obtaining randomness (Mok-Kong Shen)
  Re: [newbie] Is PGP 7.0 hash extension secure? ("Thomas J. Boschloo")
  Re: Pseudo-random number generator (David Schwartz)
  Re: Hardware RNGs (David Schwartz)
  Re: hardware RNG's (David Schwartz)
  Re: Updated XOR Software Utility (freeware) Version 1.1 from Ciphile  (Hawke)
  Re: Brute force against DES (JPeschel)
  A question about RSA (Chenghuai Lu)
  Re: XOR Software Utility (freeware) available from Ciphile Software (Andre van Straaten)
  OAP-L3 v. 5.0 broken (was Re: Crypto Export Restrictions) (0xdeadbeef)
  algorithms before 1939 ("Michal z Sopotu")
  Re: XOR Software Utility (freeware) available from Ciphile Software (Andre van Straaten)
  Re: Updated XOR Software Utility (freeware) Version 1.1 from Ciphile Software (Tom St Denis)
  Re: A question about RSA (Tom St Denis)
  Re: [newbie] Is PGP 7.0 hash extension secure? (Tom St Denis)
  Re: XOR Software Utility (freeware) available from Ciphile Software (Tom St Denis)
  Help Needed with Public Key Cryptography (Lee Hasiuk)
  hacker...beware ("Gary")
  Bluetooth E0 information? ([EMAIL PROTECTED])
  Re: Brute force against DES ("Douglas A. Gwyn")
  Re: [newbie] Is PGP 7.0 hash extension secure? ("Michael Young")

----------------------------------------------------------------------------

From: Mok-Kong Shen <[EMAIL PROTECTED]>
Subject: Re: On obtaining randomness
Date: Tue, 07 Nov 2000 20:13:53 +0100



Alan Rouse wrote:
> 
> While we're waiting for the complete literary works of the human race
> to appear in digital form, we could settle for another source that is
> already available--the local CD store.  Imagine how much entropy could
> be mined from the thousands of CD's at your local Media Play... enough
> to suffice as a onetime pad for a long long time, even with very
> conservative amounts of entropy being taken.  And you don't even need a
> secure channel for exchanging bits!

Yes, the availability of immense amounts of digitalized
multimedia stuffs is even more promising for the realization
of the scheme than the now emerging e-books. Being ignorant
of the techniques involved, I don't know though whether
identical copies of the recordings can be guaranteed to
enable the communication partners to generate the same
pseudo-random stream but I guess it is so.

M. K. Shen

------------------------------

From: "Thomas J. Boschloo" <[EMAIL PROTECTED]>
Crossposted-To: alt.security.pgp
Subject: Re: [newbie] Is PGP 7.0 hash extension secure?
Date: Tue, 07 Nov 2000 21:25:50 +0100

[X-posted to ASP again, because the thread started there and because it
affects the users of PGP. I hope not too many cryptographers filter out
X-posts, I know they find PGP boring :) Flamewars, please stay in ASP, I
will read both groups anyway]

-----BEGIN PGP SIGNED MESSAGE-----

David Wagner wrote:
> 
> >Recall that we are doing Hash(Key) || Hash('0'||Key), where || means
> >concatenation.  SHA-1 will give you roughly 2^160 different outputs
> >for Hash(Key) as you run through the 2^256 possible inputs.  However
> >the second term, Hash('0'||Key), will also give you 2^160 outputs, and
> >these will be uncorrelatable to the outputs from the first hash.
> 
> Note that the last statement is an unproven assumption, and there are
> reasons to be skeptical that you will ever get much more than a 160-bit
> security level from these types of constructions.  That doesn't mean
> that the above is broken or an unreasonable implementation---if it only
> provides 160 bits, rather than 256 bits, of strength, there is probably
> no harm done---but don't assume you get something for nothing here.
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

I finally get the 'knack'. RIPEMD-160 has had extensive analysis and was
designed to be 160 bits secure. RIPEMD-320 hasn't had that analysis, but
might be 320 bits secure.

So SHA-1 is very likely 160 bits secure. As a 160 bit hash it has had
extensive analysis by many great cryptographers. Now PGP comes up with this
PGSHA-256 and, while it might be 256 bits secure, SHA-1 wasn't designed to
be 256 bits secure. It may even be the case that this 'PGSHA-256' algorithm
receives very little analysis, but even worse, it wasn't designed by renowned
cryptographers so there is no philosophy behind it.

Take David Scott. Everybody knows his algorithm sucks, but it is very hard
for the crypto community to prove it to be insecure. Worse yet, if someone
points something out, David Scott 'improves' his algorithm until no one can
find anything wrong with it. But you still have an algorithm that wasn't
designed by a cryptographer that knew all the possible public attacks and
designed the algorithm to be simple and resistant against these attacks.

I am not saying that PGSHA-160+ is not 100% secure (given enough entropy).
But it just isn't as secure as SHA-256 will be when it is finished. Just
because the people who 'designed' it know more about cryptography than
the designers of PGP 7+ and OpenPGP <RFC 2440> (Which is co-written by Lutz
Donnershacke, who Sam Simpson thinks is a ... something dumb).

To avoid spreading FUD, I believe that there is no reason to believe that
the extension of SHA-1 by PGP is less secure than SHA-1 itself. (Like
DoubleXOR would be tremendously insecure). And a 160 bit key, or even a 128
bit key is just impossible to brute force for the next 20 years (have to
take a look at <http://www.cryptosavvy.com> to get the exact numbers).

In Message-ID <[EMAIL PROTECTED]> Obfuscation wrote:
>
> If you are generating a random session key (as when encrypting to a
> public key), the PGP random number generator is used.  The code for
> this is complicated and involves both hash and encryption transforms.
> It does not use the simple structure you are worried about.

Maybe this is even more worrying. I don't think you get much security by
making things 'complicated'. Just a pool with all the 'random' data you can
get your hands on concatenated, and then a simple SHA-256 hash would be more
convincing to me.

Scotty's code is also very complicated (and hard to understand) I seem to
have heard. That doesn't encourage crypto analysis on it.

What is fortunate here, is that a random stream of bits, doesn't have to be
'reproducible' like with the conventional (=symmetric) PGP password
algorithm. So it can easily be replaced by something like Yarrow (which also
looks complicated to a simple soul like myself ;-) or it could use the Intel
PIII RNG (I have an AMD Athlon upstairs, it has some 'analog' instructions
with DSP's and things like that, also sounds very useful!).

In order to generate a large number to check against primality, you would
probably need a HUGE hash, like SHA-512 to form a 1024 bit RSA key. Or you
could just collect twice as much random material and do a SHA-256 on both.

Well, this has been very educative to me. Maybe I am too conservative on
this. Maybe I just need to shut the f*** up and start minding my own
business. I dunno. I only know that there are attacks against cyphers that
can reduce its effective key length (like the 40 bit algorithm in DVD, that
was reduced to 20 bits). Just recently I learned that there also are attacks
on hash functions (like MD4, which was broken). Other attacks are just
theoretical, like the attack on MD5, which doesn't reduce its effective
length by much.

Thanks for all,
Thomas J. Boschloo
Den Helder, Holland

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.5.3i for non-commercial use <http://www.pgpi.com>

iQB5AwUBOghXIAEP2l8iXKAJAQHpigMdHacCLj2gtZ8/4yT7h/QtSfHaS1B3a8N0
XE1NohppguURv5P2d2Dx9368HpZz/fk3ra6LAnMXhuwamdJ5NXDGZuge12dBUYw1
AtatVqGp7mA8cC2qhh0XbTOa+/lwi0UM1OeiCQ==
=8IeQ
-----END PGP SIGNATURE-----
-- 
We live in the Matrix <http://www.whatisthematrix.com>

http://wwwkeys.pgp.net:11371/pks/lookup?op=get&search=0x225CA009
Email: boschloo_at_multiweb_dot_nl


------------------------------

From: David Schwartz <[EMAIL PROTECTED]>
Subject: Re: Pseudo-random number generator
Date: Tue, 07 Nov 2000 12:39:15 -0800


Guy Macon wrote:
> 
> David Schwartz wrote:
> >
> >> Your program processes physical randomness, while he meant
> >> that a stream from a PRNG (often realized in software)
> >> can't contain more entropy than the key (seed), because all
> >> that is derived deterministically.
> >>
> >> M. K. Shen
> >
> >        My point was simply that his stated claim:
> >
> >> > > Running a computer program cannot generate entropy.
> >
> >        Is false. Actually, every physical process generates entropy,
> >contributing to the eventual heat death of the universe.
> >
> 
> I think that you mean increases entropy, not generates entropy.

        There is really no difference. The only way to increase the amount of
entropy is to generate more.
 
> You do realize that the definition of "Entropy" just changed from
> crypto usage to physics usage in mid-conversation, right?

        Yes. The last sentence was really intended as a joke. Nevertheless,
computer programs can harvest entropy. Whether you think that means they
can generate it or not is an interesting question. Is there entropy in
the rate of radioactive decay if the rate is not measured?

        DS

------------------------------

From: David Schwartz <[EMAIL PROTECTED]>
Subject: Re: Hardware RNGs
Date: Tue, 07 Nov 2000 12:43:30 -0800


Alan Rouse wrote:

> To make illustration easier, let's take 160 bits from the input stream
> (same size as the output of SHA-1).  An informed attacker would start
> guessing with all bits = 1.  Then he would try all the possibilities
> with a single bit = 0.  Then he would try all the possibilities with
> two bits = 0.  etc.  He would expect to find the actual input value in
> FAR FAR less than half of 2^160 attempts.  Finding the input is the
> easiest way to find the output.

        Right. You just have to make absolutely sure that the input has at
least as much entropy as you need in the output. But you don't have to
worry about exactly where that entropy is, what form it's in, or what
it's mixed with.

        DS
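The guessing order Alan Rouse describes (all bits 1, then every word with one zero bit, then two, and so on) is easy to turn into a search, and doing so shows why hashing a biased source does not rescue it. The following is an added example written for this digest, not code from either poster. The 32-bit input width and the bias model (a "hardware" source that emits at most three zero bits per word) are assumptions chosen to keep the run short; the attack does not depend on them, only on the attacker knowing roughly how the input is distributed.

```python
"""Added example: recovering a SHA-1 "random" output by enumerating a
low-entropy input space in order of decreasing likelihood.

Assumptions (not from the original post): 32-bit input words, a source
biased toward 1 bits so that at most MAX_ZEROS bits are 0.
"""
import hashlib
from itertools import combinations
from math import comb
from typing import Iterator, Optional, Tuple


def biased_candidates(width: int, max_zero_bits: int) -> Iterator[bytes]:
    """Yield width-bit words as bytes in the informed attacker's order:
    the all-ones word first, then every word with one zero bit, then two,
    ... up to max_zero_bits zero bits."""
    all_ones = (1 << width) - 1
    nbytes = (width + 7) // 8
    for k in range(max_zero_bits + 1):
        for zero_positions in combinations(range(width), k):
            value = all_ones
            for pos in zero_positions:
                value &= ~(1 << pos)
            yield value.to_bytes(nbytes, "big")


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def recover_input(target_digest: str, width: int,
                  max_zero_bits: int) -> Optional[Tuple[bytes, int]]:
    """Search the biased candidate space for a preimage of the SHA-1 output.
    Returns (input, number_of_guesses), or None if the real input had more
    zero bits than the bias model allows."""
    for guesses, candidate in enumerate(biased_candidates(width, max_zero_bits), start=1):
        if sha1_hex(candidate) == target_digest:
            return candidate, guesses
    return None


def candidate_space_size(width: int, max_zero_bits: int) -> int:
    """Worst-case number of guesses: sum of C(width, k) for k <= max_zero_bits."""
    return sum(comb(width, k) for k in range(max_zero_bits + 1))


if __name__ == "__main__":
    WIDTH, MAX_ZEROS = 32, 3
    # Constructed sample from the biased source: 32 bits, only three of them 0.
    secret = (0xFFFFFFFF & ~(1 << 5) & ~(1 << 17) & ~(1 << 30)).to_bytes(4, "big")
    digest = sha1_hex(secret)
    recovered, guesses = recover_input(digest, WIDTH, MAX_ZEROS)
    print(f"SHA-1 output : {digest}")
    print(f"recovered    : {recovered.hex()} after {guesses} guesses")
    print(f"worst case   : {candidate_space_size(WIDTH, MAX_ZEROS)} guesses, "
          f"versus about 2^31 for a full 32-bit search")
```

The point of the run is the last line: the attacker never touches the 160-bit output space at all. A 32-bit word with at most three zero bits has 5489 possible values, so the search finishes in a few thousand SHA-1 calls regardless of how wide the hash is, which is exactly why the input must carry as much entropy as the output is supposed to have.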

------------------------------

From: David Schwartz <[EMAIL PROTECTED]>
Subject: Re: hardware RNG's
Date: Tue, 07 Nov 2000 12:42:09 -0800


Alan Rouse wrote:
> 
> David Schwartz wrote:
> >However, you can measure the real physical randomness in the input
> >directly.
> 
> That's not as easy as you make it sound.  If a physical source produces
> a sequence of 100 consecutive 1's, does that mean it is nonrandom?
> The best you can do is to state the odds against that result coming
> from a random source. But the odds against any other specific 100-bit
> result from a random source are exactly the same.  The Diehard
> randomness tests require something like 2.9 million 32-bit integers to
> draw conclusions, and even then those conclusions are debatable.

        Some sources are difficult to measure. Some are easy.

        If the output of an uncompensated crystal oscillator feeding a
multiplier varies by 8 parts per billion from second to second, and this
variation is consistent with the expected drift due to temperature
change, it's not difficult to conclude that the variation is, at least
in part, due to the temperature change. That and the fact that nobody
else could measure that temperature change is all you need.

        DS

------------------------------

From: Hawke <[EMAIL PROTECTED]>
Crossposted-To: alt.freespeech,talk.politics.misc,talk.politics.crypto,alt.hacker
Subject: Re: Updated XOR Software Utility (freeware) Version 1.1 from Ciphile 
Date: Tue, 07 Nov 2000 20:54:45 GMT

sorry for the massive crosspost...

too bad this software is winblows only.
it'd be nice to have an app like this in linux...

hawke

Anthony Stephen Szopa wrote:
> 
> Updated XOR Software Utility (freeware) Version 1.1 from Ciphile
> Software
> 
-- 
Make a few extra $$$.
Join http://www.processtree.com/?sponsor=29027

The rest of this signature is currently out of service.

------------------------------

From: [EMAIL PROTECTED] (JPeschel)
Subject: Re: Brute force against DES
Date: 07 Nov 2000 21:06:47 GMT

[EMAIL PROTECTED] writes:

>Sundial Services wrote:
>> And it was actually a pretty good demonstration of just
>> how strong the DES algorithm actually is.)
>
>More a demonstration of the poor state of public cryptanalysis.

Describe a good cryptanalytic attack on DES.

Joe
__________________________________________

Joe Peschel 
D.O.E. SysWorks                                 
http://members.aol.com/jpeschel/index.htm
__________________________________________


------------------------------

From: Chenghuai Lu <[EMAIL PROTECTED]>
Subject: A question about RSA
Date: Tue, 07 Nov 2000 16:21:51 -0500

Suppose we know n (= p * q), which is a multiple of two large primes,
and phi(n) where phi(x) is the Euler function. Can anybody give the
algorithm to find p and q in polynomial time?

Thanks.

-- 
                                        
                        -Chenghuai Lu ([EMAIL PROTECTED])

------------------------------

From: Andre van Straaten <[EMAIL PROTECTED]>
Subject: Re: XOR Software Utility (freeware) available from Ciphile Software
Crossposted-To: talk.politics.crypto,alt.hacker,talk.politics.misc
Date: Tue, 07 Nov 2000 21:43:20 GMT

In sci.crypt Richard Heathfield <[EMAIL PROTECTED]> wrote:
> Andre van Straaten wrote:
>> 
>> In sci.crypt Richard Heathfield <[EMAIL PROTECTED]> wrote:
>> > [alt.freespeech snipped from crosspost - my news server hates free
>> > speech]
>> 

> <snip>

>> > [...] I will happily post portable
>> > C source code to do this, on alt.crypto.sources (to avoid clogging up
>> > all the splendid newsgroups to which this was cross-posted).

> <snip>

>> 
>> If you go to "Instructions" there is on the bottom a short sentence that
>> the process will stop when the end of the shortest file is reached.

> <grin> You don't think I'd actually run that program, do you?!?!?

If you own a Microsoft OS you might indeed have to be very careful.

I have only a Windows 95 on a dual-boot notebook which I use very rarely
and only for test purposes.

I use at home FreeBSD where even the kernel is Open Source (motto: Don't
trust an OS which you don't have sources for).
[My NGs I read from 2 different Solaris servers.]

> <snip>
>> 
>> BTW: I couldn't find that NG "alt.crypto.sources". Even on Deja.com I
>> could find it.

> My mistake. news:alt.sources.crypto is correct. (The code's there now.)

Apropos Solaris servers: Unfortunately, they both (usenet.com +
verio.net) don't have "alt.sources.crypto", and Deja.com has only
"alt.sources".

This NG is indeed very crypto.

-- avs

Andre van Straaten
http://www.vanstraatensoft.com
______________________________________________
flames please to [EMAIL PROTECTED]


------------------------------

From: 0xdeadbeef <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto
Subject: OAP-L3 v. 5.0 broken (was Re: Crypto Export Restrictions)
Date: Tue, 07 Nov 2000 21:47:10 GMT

In article <[EMAIL PROTECTED]>,
  Anthony Stephen Szopa <[EMAIL PROTECTED]> wrote:
>
> The onus is on you:  That is if you have the intelligence and energy
> and interest.
>
> If not:  forget about it.
>

OK.  I take the challenge.  I can break OAP-3 version 5.0 if it works as
your website says.

You do this: you take about 1 MB text file of English and add words
"Sincerely Yours, XXXXXXXXXXXXXXX" in 100 different places in it.
"XXXXXXXXXXXXXXX" is your secret code name with 15 letters and numbers.
You encrypt it with your program, but you use only 50 rows in your
tables.  Then you put encrypted file on your Web site and post the URL.
After 30 days or earlier I post the secret name to this newsgroup.
Deal?

Sincerely Yours,
0xdeadbeef
--
Schroedinger's Bull:

0xdeadbeef = [EMAIL PROTECTED]


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: "Michal z Sopotu" <[EMAIL PROTECTED]>
Subject: algorithms before 1939
Date: Tue, 7 Nov 2000 23:02:35 +0100

Hi
I'm looking for some internet pages, magazines, books (or other sources) of
cipher/decipher algorithms used before 1939.


                                    Michal





------------------------------

From: Andre van Straaten <[EMAIL PROTECTED]>
Subject: Re: XOR Software Utility (freeware) available from Ciphile Software
Crossposted-To: talk.politics.crypto,alt.hacker,talk.politics.misc
Date: Tue, 07 Nov 2000 22:02:37 GMT

In sci.crypt Tom St Denis <[EMAIL PROTECTED]> wrote:
> In article <[EMAIL PROTECTED]>,
>   [EMAIL PROTECTED] (those who know me have no need of my
> name) wrote:
>> <8u58vu$bpe$[EMAIL PROTECTED]> divulged:
>> >How on earth did you make such a simple program take 155kb?
>>
>> ms windows + borland windowing and gui crapolla.

> Well using CYGWIN or LCCWIN32 a similar program would take about 5kb...

> Tom


gcc or g++ produce code of similar size, but I found a simple xor program for MS-DOS,
which I compiled over a year ago with Borland using the default switches, and it has
 .. 68 kB.
A command line program with about 25 lines of code.

(Where is the source code of that Borland compiler ?? \&/+@* ... rant ...)
;-)

-- avs

Andre van Straaten
http://www.vanstraatensoft.com
______________________________________________
flames please to [EMAIL PROTECTED]


------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Crossposted-To: alt.freespeech,talk.politics.misc,talk.politics.crypto
Subject: Re: Updated XOR Software Utility (freeware) Version 1.1 from Ciphile Software
Date: Tue, 07 Nov 2000 22:04:29 GMT

In article <[EMAIL PROTECTED]>,
  Hawke <[EMAIL PROTECTED]> wrote:
> sorry for the massive crosspost...
>
> too bad this software is winblows only.
> it'd be nice to have an app like this in linux...

You are kidding right?

Tom


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: A question about RSA
Date: Tue, 07 Nov 2000 22:03:55 GMT

In article <[EMAIL PROTECTED]>,
  Chenghuai Lu <[EMAIL PROTECTED]> wrote:
> Suppose we know n (= p * q), which is a multiple of two large primes,
> and phi(n) where phi(x) is the Euler function. Can anybody give the
> algorithm to find p and q in polynomial time?

If you know phi(x) you need not factor.

Tom


Sent via Deja.com http://www.deja.com/
Before you buy.
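Both halves of this exchange can be checked in a few lines. The following is an added example for this digest, not code from either poster. It shows Tom's point first (with phi(n) in hand you compute the private exponent directly and never factor), then answers the original question: since phi(n) = (p-1)(q-1) = n - (p+q) + 1, the sum p+q is n - phi(n) + 1, and p and q are the two roots of x^2 - (p+q)x + n = 0, obtainable with one integer square root. The primes used are small constructed test values; the algebra is the same at any key size.

```python
"""Added example: what knowing n = p*q together with phi(n) gives you.

  1. The private exponent d = e^-1 mod phi(n), without factoring.
  2. The factors themselves, in polynomial time, from
        p + q = n - phi(n) + 1
        (p - q)^2 = (p + q)^2 - 4n
"""
from math import isqrt
from typing import Tuple


def private_exponent(e: int, phi: int) -> int:
    """d = e^-1 mod phi(n). Needs Python 3.8+ for pow(e, -1, m)."""
    return pow(e, -1, phi)


def factor_from_phi(n: int, phi: int) -> Tuple[int, int]:
    """Recover (p, q) with p <= q from n = p*q and phi = (p-1)(q-1).
    Raises ValueError if the pair (n, phi) cannot come from two primes."""
    s = n - phi + 1                  # p + q
    disc = s * s - 4 * n             # (p - q)^2, must be a perfect square
    if disc < 0:
        raise ValueError("phi is not consistent with n")
    root = isqrt(disc)
    if root * root != disc or (s - root) % 2:
        raise ValueError("phi is not consistent with n")
    p, q = (s - root) // 2, (s + root) // 2
    if p * q != n:
        raise ValueError("phi is not consistent with n")
    return p, q


if __name__ == "__main__":
    p, q = 1000003, 1000033          # constructed test primes
    n, phi, e = p * q, (p - 1) * (q - 1), 65537
    d = private_exponent(e, phi)
    m = 123456789
    assert pow(pow(m, e, n), d, n) == m   # d decrypts, so phi alone suffices
    print("recovered factors:", factor_from_phi(n, phi))
```

The consistency checks matter in practice: a leaked value that is merely close to phi(n) (or that belongs to a different modulus) makes the discriminant negative or a non-square, and the function refuses rather than returning garbage factors.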

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Subject: Re: [newbie] Is PGP 7.0 hash extension secure?
Date: Tue, 07 Nov 2000 22:09:02 GMT

In article <8u9jv3$ibj$[EMAIL PROTECTED]>,
  [EMAIL PROTECTED] (David Wagner) wrote:
> John Myre  wrote:
> >> Note that the last statement is an unproven assumption, and there are
> >> reasons to be skeptical that you will ever get much more than a 160-bit
> >> security level from these types of constructions.
> >
> >What sort of reasons?
>
> Because the internal chaining value is just 160 bits wide, and because
> SHA1 was only designed for 160 bit strength.

This is just not true.  Look at a perfect round function in a block
cipher.  It's designed (if it's a BFN) to have perfect security as a 2^
(n/2) function (i.e the round function) but is used to construct a
secure 2^n function (Luby-Rackoff construction).

If you used SHA1 as a round function I bet I could make a secure
(albeit slow) 320-bit primitive.

> There has been an instance where such "doubled" hash functions have been
> broken with not too much more effort than their "single" version, if I
> recall correctly (I think it was Hans Dobbertin's work).

I agree that "hashing the hash" or some other trivial linear mixing is
normally not secure, but never say never!

Tom


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: Tom St Denis <[EMAIL PROTECTED]>
Crossposted-To: talk.politics.crypto,alt.hacker,talk.politics.misc
Subject: Re: XOR Software Utility (freeware) available from Ciphile Software
Date: Tue, 07 Nov 2000 22:06:56 GMT

In article <YH_N5.3261$[EMAIL PROTECTED]>,
  Andre van Straaten <[EMAIL PROTECTED]> wrote:
> If you own a Microsoft OS you might indeed have to be very careful.
>
> I have only a Windows 95 on a dual-boot notebook which I use very rarely
> and only for test purposes.
>
> I use at home FreeBSD where even the kernel is Open Source (motto: Don't
> trust an OS which you don't have sources for).
> [My NGs I read from 2 different Solaris servers.]

Not that this isn't already OT, but do you honestly understand every
component of <insert your fav open source OS>?  I  keep hearing about
how wonderful Linux is just because it's open source.  Frankly you're
all missing the point.  The reason Linux is supposed to be better is not
because it's open source, but because "real people" are making it.
Unfortunately I have yet to ever get Linux to recognize my video/sound
card so it's perfectly lame for my purposes... that's offtopic though...

Tom


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: [EMAIL PROTECTED] (Lee Hasiuk)
Subject: Help Needed with Public Key Cryptography
Date: Tue, 07 Nov 2000 22:24:20 GMT

Is there a way to use a public key crypto system to encrypt an 8 byte
long number, producing an 8 byte long result, while still maintaining
any degree of security (i.e. approximately what a symmetric cipher
would give with a 64-bit key)?

The application is trialware registration numbers, where a user pays
the vendor and supplies their 64-bit serial number (randomly generated
at install time), and they get back a 64-bit registration key.  The
goal is to make it so that the registration key can't be generated
using only information on the end-user's system.   I realize that
there are lots of other attacks possible on trialware applications,
and that this is just one small facet of the problem.

I've looked at RSA, but it appears that the encrypted data is typically
the same length as the modulus.  For a reasonable modulus size, say
512 bits, that would make the registration keys too long.  Is there a
way to use RSA but to only send a portion of the encrypted data, but
still be able to check that portion using the public key?  Perhaps
there's something better suited to my application.

It's somewhat important that the algorithm be cheap or free and that
the code used to check the registration numbers be small.  Again, RSA
is perfect, because it is free and since the largest part of the code
is the key generation, and that isn't necessary in the code which
checks the numbers.

Thanks for your help!

Lee Hasiuk
[EMAIL PROTECTED]

------------------------------

From: "Gary" <[EMAIL PROTECTED]>
Crossposted-To: alt.lang.basic,alt.permaculture,alt.surfing,alt.surfing.europe.uk,aus.computers.linux,comp.os.linux.setup
Subject: hacker...beware
Date: Wed, 8 Nov 2000 09:45:05 +1100

The following person (who posts on the above newsgroups) has been detected by
my firewall as attempting to hack into my system. He/she has been reported
to the isp concerned and details are as follows.

Name             E-mail address      Date      Thread  Newsgroup
Vic Drastik      [EMAIL PROTECTED]   00/04/20          comp.lang.basic.misc
Mongolian Horde  [EMAIL PROTECTED]   00/01/05          alt.surfing
*Lauren*         [EMAIL PROTECTED]   99/11/06          alt.music.moffatts
Mongolian Horde  [EMAIL PROTECTED]   99/11/05          alt.surfing
Mongolian Horde  [EMAIL PROTECTED]   99/11/05
Location of 203.101.94.94:
   Country   =  Australia
   Region    =  New South Wales
   City      =  Sydney
Standard network info
[ nslookup (1): ip=203.101.94.94, hostname=async93-wol-isp-1.nas.one.net.au]




------------------------------

From: [EMAIL PROTECTED]
Subject: Bluetooth E0 information?
Date: Tue, 07 Nov 2000 22:26:39 GMT

I'm trying to collect as much cryptanalysis on the E0 Algorithm used in
Bluetooth as possible.  I'll throw everything up on a webpage once I
sift through the stuff, and categorize it all in a digestible form.

So any information you have about the Algorithm, and the security of E0
would be greatly appreciated, especially cryptanalysis.

Thanks.
Albert


Sent via Deja.com http://www.deja.com/
Before you buy.

------------------------------

From: "Douglas A. Gwyn" <[EMAIL PROTECTED]>
Subject: Re: Brute force against DES
Date: Tue, 7 Nov 2000 21:56:44 GMT

JPeschel wrote:
> [EMAIL PROTECTED] writes:
> >Sundial Services wrote:
> >> And it was actually a pretty good demonstration of just
> >> how strong the DES algorithm actually is.)
> >More a demonstration of the poor state of public cryptanalysis.
> Describe a good cryptanalytic attack on DES.

Whether or not I know one (and could divulge it if I did)
is irrelevant to my point, which is that there has not
been any public *proof* of the "strength" of DES, just
some negative results of attempts to break it.  The same
could have been said of systems like Enigma until recently.
That didn't mean they were "strong" systems.

------------------------------

From: "Michael Young" <[EMAIL PROTECTED]>
Subject: Re: [newbie] Is PGP 7.0 hash extension secure?
Date: Tue, 7 Nov 2000 17:46:40 -0500

>There has been an instance where such "doubled" hash functions have been
>broken with not too much more effort than their "single" version, if I
>recall correctly (I think it was Hans Dobbertin's work).

In what way was it "broken", what hash function was it, and how
was the extension performed?  Can you provide a reference?

For this specific application, finding collisions and pre-images
does not necessarily help.  While those issues might constitute
a "break" for signatures, it doesn't here.

Specifically, do you know of any usable pattern among all
the values H(0|x) for all (specially-formed) x that produce
the same H(x)?  Finding one such x is just not interesting;
there should be many (roughly #x/#H, 2^96 in this case).




------------------------------


** FOR YOUR REFERENCE **

The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:

    Internet: [EMAIL PROTECTED]

You can send mail to the entire list (and sci.crypt) via:

    Internet: [EMAIL PROTECTED]

End of Cryptography-Digest Digest
******************************
