Re: [Cryptography] Other Backdoors?
Thursday, October 10, 2013, Phillip Hallam-Baker wrote:

> > [Can't link to FIPS180-4 right now as it's down]

For the lazy among us, including my future self, a shutdown-proof URL to the archive.org copy of the NIST FIPS 180-4 PDF:

http://tinyurl.com/FIPS180-4

-David Mercer

-- 
David Mercer - http://dmercer.tumblr.com
IM: AIM: MathHippy Yahoo/MSN: n0tmusic
Facebook/Twitter/Google+/Linkedin: radix42
FAX: +1-801-877-4351 - BlackBerry PIN: 332004F7
PGP Public Key: http://davidmercer.nfshost.com/radix42.pubkey.txt
Fingerprint: A24F 5816 2B08 5B37 5096 9F52 B182 3349 0F23 225B
___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
[Cryptography] Other Backdoors?
I sarcastically proposed the use of GOST as an alternative to NIST crypto. Someone shot back a note saying the elliptic curves might be 'bent'. Might be interesting for EC to take another look at GOST since it might be the case that the GRU and the NSA both found a similar backdoor but one was better at hiding it than the other.

On the NIST side, can anyone explain the reason for this mechanism for truncating SHA-512?

    Denote H(0)′ to be the initial hash value of SHA-512 as specified in
    Section 5.3.5 above. Denote H(0)′′ to be the initial hash value computed
    below. H(0) is the IV for SHA-512/t.

    For i = 0 to 7 {
        H(0)′′_i = H(0)′_i ⊕ a5a5a5a5a5a5a5a5 (in hex).
    }

    H(0) = SHA-512 ("SHA-512/t") using H(0)′′ as the IV, where t is the
    specific truncation value.

(end.)

[Can't link to FIPS180-4 right now as it's down]

I really don't like the futzing with the IV like that, not least because a lot of implementations don't give access to the IV. Certainly the object-oriented ones I tend to use don't.

But does it make the scheme weaker? Is there anything wrong with just truncating the output?

The only advantage I can see to the idea is to stop the truncated digest being used as leverage to reveal the full digest in a scheme where one was public and the other was not.

-- 
Website: http://hallambaker.com/
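The IV derivation quoted above, worked through in code. This is an added example, not part of either message and not code from NIST or FIPS 180-4. Because stock hash libraries (here Python's hashlib) expose no way to set the IV, which is exactly the complaint in the post, the example carries its own pure-Python SHA-512 compression function, derives the SHA-512/t IV by the quoted procedure (XOR a5a5a5a5a5a5a5a5 into each word of the SHA-512 IV, hash the ASCII string "SHA-512/t" with that IV, use the resulting state as the new IV), and then contrasts a true SHA-512/256 digest with a plainly truncated SHA-512 digest of the same input. The function names (sha512_with_iv, sha512_t_iv, sha512_t, plain_truncate) are my own. The expected SHA-512/256 IV words and the SHA-512/256("abc") value used as checks are the published FIPS 180-4 constants and test vector; the round constants K and the SHA-512 IV are the standard ones.

```python
import hashlib
import struct

MASK64 = (1 << 64) - 1

# SHA-512 round constants (FIPS 180-4, section 4.2.3).
K = [
    0x428a2f98d728ae22, 0x7137449123ef65cd, 0xb5c0fbcfec4d3b2f, 0xe9b5dba58189dbbc,
    0x3956c25bf348b538, 0x59f111f1b605d019, 0x923f82a4af194f9b, 0xab1c5ed5da6d8118,
    0xd807aa98a3030242, 0x12835b0145706fbe, 0x243185be4ee4b28c, 0x550c7dc3d5ffb4e2,
    0x72be5d74f27b896f, 0x80deb1fe3b1696b1, 0x9bdc06a725c71235, 0xc19bf174cf692694,
    0xe49b69c19ef14ad2, 0xefbe4786384f25e3, 0x0fc19dc68b8cd5b5, 0x240ca1cc77ac9c65,
    0x2de92c6f592b0275, 0x4a7484aa6ea6e483, 0x5cb0a9dcbd41fbd4, 0x76f988da831153b5,
    0x983e5152ee66dfab, 0xa831c66d2db43210, 0xb00327c898fb213f, 0xbf597fc7beef0ee4,
    0xc6e00bf33da88fc2, 0xd5a79147930aa725, 0x06ca6351e003826f, 0x142929670a0e6e70,
    0x27b70a8546d22ffc, 0x2e1b21385c26c926, 0x4d2c6dfc5ac42aed, 0x53380d139d95b3df,
    0x650a73548baf63de, 0x766a0abb3c77b2a8, 0x81c2c92e47edaee6, 0x92722c851482353b,
    0xa2bfe8a14cf10364, 0xa81a664bbc423001, 0xc24b8b70d0f89791, 0xc76c51a30654be30,
    0xd192e819d6ef5218, 0xd69906245565a910, 0xf40e35855771202a, 0x106aa07032bbd1b8,
    0x19a4c116b8d2d0c8, 0x1e376c085141ab53, 0x2748774cdf8eeb99, 0x34b0bcb5e19b48a8,
    0x391c0cb3c5c95a63, 0x4ed8aa4ae3418acb, 0x5b9cca4f7763e373, 0x682e6ff3d6b2b8a3,
    0x748f82ee5defb2fc, 0x78a5636f43172f60, 0x84c87814a1f0ab72, 0x8cc702081a6439ec,
    0x90befffa23631e28, 0xa4506cebde82bde9, 0xbef9a3f7b2c67915, 0xc67178f2e372532b,
    0xca273eceea26619c, 0xd186b8c721c0c207, 0xeada7dd6cde0eb1e, 0xf57d4f7fee6ed178,
    0x06f067aa72176fba, 0x0a637dc5a2c898a6, 0x113f9804bef90dae, 0x1b710b35131c471b,
    0x28db77f523047d84, 0x32caab7b40c72493, 0x3c9ebe0a15c9bebc, 0x431d67c49c100d4c,
    0x4cc5d4becb3e42b6, 0x597f299cfc657e2a, 0x5fcb6fab3ad6faec, 0x6c44198c4a475817,
]

# H(0)' in the quoted text: the plain SHA-512 initial hash value (section 5.3.5).
SHA512_IV = [
    0x6a09e667f3bcc908, 0xbb67ae8584caa73b, 0x3c6ef372fe94f82b, 0xa54ff53a5f1d36f1,
    0x510e527fade682d1, 0x9b05688c2b3e6c1f, 0x1f83d9abfb41bd6b, 0x5be0cd19137e2179,
]


def rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK64


def compress(state, block):
    """One SHA-512 compression of a 128-byte block into the 8-word state."""
    w = list(struct.unpack(">16Q", block))
    for i in range(16, 80):
        s0 = rotr(w[i - 15], 1) ^ rotr(w[i - 15], 8) ^ (w[i - 15] >> 7)
        s1 = rotr(w[i - 2], 19) ^ rotr(w[i - 2], 61) ^ (w[i - 2] >> 6)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK64)
    a, b, c, d, e, f, g, h = state
    for i in range(80):
        t1 = (h + (rotr(e, 14) ^ rotr(e, 18) ^ rotr(e, 41)) + ((e & f) ^ (~e & g)) + K[i] + w[i]) & MASK64
        t2 = ((rotr(a, 28) ^ rotr(a, 34) ^ rotr(a, 39)) + ((a & b) ^ (a & c) ^ (b & c))) & MASK64
        h, g, f, e, d, c, b, a = g, f, e, (d + t1) & MASK64, c, b, a, (t1 + t2) & MASK64
    return [(x + y) & MASK64 for x, y in zip(state, (a, b, c, d, e, f, g, h))]


def sha512_with_iv(msg, iv):
    """Full SHA-512 (padding included) started from an arbitrary 8-word IV."""
    bit_len = len(msg) * 8
    padded = msg + b"\x80"
    padded += b"\x00" * ((112 - len(padded)) % 128)
    padded += bit_len.to_bytes(16, "big")  # 128-bit big-endian length field
    state = list(iv)
    for off in range(0, len(padded), 128):
        state = compress(state, padded[off:off + 128])
    return struct.pack(">8Q", *state)


def sha512_t_iv(t):
    """The SHA-512/t IV, H(0), derived exactly as the quoted FIPS 180-4 text says."""
    iv_dd = [word ^ 0xa5a5a5a5a5a5a5a5 for word in SHA512_IV]          # H(0)''
    digest = sha512_with_iv(f"SHA-512/{t}".encode("ascii"), iv_dd)      # SHA-512("SHA-512/t") with IV H(0)''
    return list(struct.unpack(">8Q", digest))


def sha512_t(msg, t):
    """SHA-512/t: SHA-512 run from the derived IV, output truncated to t bits."""
    return sha512_with_iv(msg, sha512_t_iv(t))[: t // 8]


def plain_truncate(msg, t):
    """The alternative asked about in the post: ordinary SHA-512, chopped to t bits."""
    return hashlib.sha512(msg).digest()[: t // 8]


if __name__ == "__main__":
    msg = b"abc"  # constructed sample input (also the FIPS 180-4 example message)
    print("SHA-512/256 IV words:", [f"{w:016x}" for w in sha512_t_iv(256)])
    print("SHA-512/256(abc):    ", sha512_t(msg, 256).hex())
    print("SHA-512(abc)[:32]:   ", plain_truncate(msg, 256).hex())
    if "sha512_256" in hashlib.algorithms_available:
        print("matches hashlib:     ", hashlib.new("sha512_256", msg).digest() == sha512_t(msg, 256))
```

The last two printed lines make the post's "leverage" observation concrete: the plainly truncated value is, by construction, a prefix of the full SHA-512 digest and so reveals 256 bits of it, whereas the SHA-512/256 value is computed from a different IV and bears no such relation to SHA-512 of the same message.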