Re: MD6 withdrawn from SHA-3 competition

2009-07-05 Thread "Hal Finney"
attacks as Rivest proposed, how many candidates have offered such a proof, in variants fast enough to beat SHA-2? Hal Finney - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Re: Question about Shamir secret sharing scheme

2009-10-04 Thread "Hal Finney"
ll then reveal whether S is even or odd, defeating the privacy of the scheme. Hal Finney

Re: AES-GMAC as a hash

2009-09-04 Thread "Hal Finney"
it in GMAC is because the polynomial variable is secret, it is based on the key. So you don't know how things are being combined. But with a known key and IV, there would be no security at all. It would be linear like a CRC. Hal Finney --

Re: SHA-1 in 2**52

2009-06-16 Thread "Hal Finney"
continuing our search for more differential paths with a maximum number of auxiliary paths." (Rather than, "we are abandoning our search for more differential paths and working to try to find a real collision using this one." ;) Hal Finney -

Re: Shamir secret sharing and information theoretic security

2009-02-23 Thread "Hal Finney"
to be, there would be a y value corresponding to each possible v value. Learning a share tells you nothing about v, and in general Shamir sharing, learning all but one of the needed shares similarly tells you nothing about the secret. Hal Finney --

Re: Certainty

2009-08-25 Thread "Hal Finney"
Very amusing demo. Google for "trojan message attack" to find details, or read: www.di.ens.fr/~bouillaguet/pub/SAC2009.pdf slides (not too informative): http://rump2009.cr.yp.to/ccbe0b9600bfd9f7f5f62ae1d5e915c8.pdf Hal Finney --

Ultimate limits to computation

2009-08-12 Thread "Hal Finney"
favorable as this. Here is a posting I made to cypherpunks in 2004: To: cypherpu...@al-qaeda.net Date: Wed, 4 Aug 2004 11:04:15 -0700 (PDT) From: h...@finney.org ("Hal Finney") Subject: Re: On what the NSA does with its tech MV writes: > Yes. They can't break a 128 bit key.

Re: MD6 withdrawn from SHA-3 competition

2009-07-07 Thread Chen Ke-Fei Lin
At 10:39 AM -0700 7/4/09, Hal Finney wrote: >But how many other hash function candidates would also be excluded if >such a stringent criterion were applied? Or turning it around, if NIST >demanded a proof of immunity to differential attacks as Rivest proposed, >how many candidates

Re: Bitcoin v0.1 released

2009-01-24 Thread Bill Frantz
h...@finney.org ("Hal Finney") on Saturday, January 24, 2009 wrote: >Countermeasures by botnet operators would include moderating their take, >perhaps only stealing 10% of the productive capacity of invaded computers, >so that their owners would be unlikely to notice. Th

Re: Popular explanation of fully homomorphic encryption wanted

2009-06-17 Thread Jack Lloyd
On Tue, Jun 16, 2009 at 09:31:36AM -0700, "Hal Finney" wrote: > Udhay Shankar N quotes wikipedia: > > The question was finally resolved in 2009 with the development of the > > first true fully homomorphic cryptosystem. The scheme, constructed by > > Craig Gentry, e

Re: MD6 withdrawn from SHA-3 competition

2009-07-06 Thread Paul Hoffman
At 10:39 AM -0700 7/4/09, Hal Finney wrote: >But how many other hash function candidates would also be excluded if >such a stringent criterion were applied? Or turning it around, if NIST >demanded a proof of immunity to differential attacks as Rivest proposed, >how many candidates

Small-key DSA variant

2009-08-25 Thread "Hal Finney"
obably do have to boost the key size up to accommodate this issue. But it could still probably be smaller than for even ECDSA keys. Anyway, that's the concept. Does anyone recognize it? Hal Finney

MD5 considered harmful today, SHA-1 considered harmful tomorrow

2009-01-09 Thread Dustin D. Trammell
On Tue, 2008-12-30 at 11:51 -0800, "Hal Finney" wrote: > Therefore the highest priority should be for the six bad CAs to change > their procedures, at least start using random serial numbers and move > rapidly to SHA1. As long as this happens before Eurocrypt or whenever > th

Re: MD6 withdrawn from SHA-3 competition

2009-07-07 Thread Josh Rubin
Paul Hoffman wrote: > At 10:39 AM -0700 7/4/09, Hal Finney wrote: > >> But how many other hash function candidates would also be excluded if >> such a stringent criterion were applied? Or turning it around, if NIST >> demanded a proof of immunity to differential at

Re: Bitcoin v0.1 released

2009-01-11 Thread "Hal Finney"
y with a few cents of compute time may be quite a good bet, with a payoff of something like 100 million to 1! Even if the odds of Bitcoin succeeding to this degree are slim, are they really 100 million to one against? Something to think about... Hal

Re: Certainty

2009-08-25 Thread Perry E. Metzger
h...@finney.org ("Hal Finney") writes: > Paul Hoffman wrote: >> Getting a straight answer on whether or not the recent preimage work >> is actually related to the earlier collision work would be useful. [...] > There was an amusing demo at the rump session though of a

Re: Zooko's semi-private keys

2009-07-22 Thread Jerry Leichter
On Jul 21, 2009, at 3:11 PM, Hal Finney wrote: The first is equivalent to: knowing g^(xy) is it impossible to deduce g^x, where y = H(g^x). Define Y = g^x, then y = H(Y) and g^(xy) = Y^H(Y). The question is then: Given Y^H(Y) can we deduce Y? To make a simple observation: H matters. If H

Re: AES-GMAC as a hash

2009-09-04 Thread Darren J Moffat
Hal Finney wrote: Darren J Moffat asks: Ignoring performance for now what is the consensus on the suitability of using AES-GMAC not as MAC but as a hash ? Would it be safe ? The "key" input to AES-GMAC would be something well known to the data and/or software. No, I don't t

Re: MD6 withdrawn from SHA-3 competition

2009-07-06 Thread Ray Dillinger
On Sat, 2009-07-04 at 10:39 -0700, "Hal Finney" wrote: > Rivest: > > Thus, while MD6 appears to be a robust and secure cryptographic > > hash algorithm, and has much merit for multi-core processors, > > our inability to provide a proof of security f

Re: Bitcoin v0.1 released

2009-01-24 Thread "Hal Finney"
their computers and clean them of botnet infestations. Countermeasures by botnet operators would include moderating their take, perhaps only stealing 10% of the productive capacity of invaded computers, so that their owners would be unlikely to notice. This kind of thinking quickly de

Re: Popular explanation of fully homomorphic encryption wanted

2009-06-16 Thread "Hal Finney"
aluation. In this form it is the pure, fully homomorphic encryption system which has been so long sought. Hal Finney

Re: Ultimate limits to computation

2009-08-12 Thread Jerry Leichter
On Aug 11, 2009, at 2:47 PM, Hal Finney wrote: [Note subject line change] Jerry Leichter writes: Since people do keep bringing up Moore's Law in an attempt to justify larger keys our systems "stronger than cryptography," it's worth keeping in mind that we are approaching

Re: Bitcoin v0.1 released

2009-01-25 Thread Satoshi Nakamoto
Hal Finney wrote: > > * Spammer botnets could burn through pay-per-send email filters > > trivially > If POW tokens do become useful, and especially if they become money, > machines will no longer sit idle. Users will expect their computers to > be earning them money (a

Re: Proof of Work -> atmospheric carbon

2009-01-28 Thread "Hal Finney"
much power.) So the question from John's challenge remains open: is there a POW system which could be built solely on logically reversible computation? The computation has to be intrinsically time consuming, but with a short and quickly

Zooko's semi-private keys

2009-07-21 Thread "Hal Finney"
tion, but I can't see how to do it. (I also can't see how to go the other way, from a discrete log oracle to something that can solve this - seems like a hard problem.) Hal Finney

Re: MD5 considered harmful today

2009-01-02 Thread Len Sassaman
On Tue, 30 Dec 2008, Hal Finney wrote: > > - The attack relies on cryptographic advances in the state of the art for >finding MD5 collisions from inputs with different prefixes. These advances >are not yet being published but will presumably appear in 2009. To insert

Re: Proof of Work -> atmospheric carbon

2009-01-28 Thread Jerry Leichter
On Jan 27, 2009, at 2:35 PM, Hal Finney wrote: John Gilmore writes: The last thing we need is to deploy a system designed to burn all available cycles, consuming electricity and generating carbon dioxide, all over the Internet, in order to produce small amounts of bitbux to get emails or

Hal Finney: Dying Outside

2009-10-07 Thread R.A. Hettinga
Less Wrong: Dying Outside, HalFinney, 05 October 2009 02:45AM. A man goes in to see his doctor, and after some tests, the doctor says, "I'm sorry, but you have a fatal disease." Man: "That's terrible! How long have I got?" Doctor: "Ten." Man: "Ten