Leandro Meiners lmein...@gmail.com quotes:
> For example, by specifying an HMACOutputLength of 1, only one bit of the
> signature is verified. This can allow an attacker to forge an XML signature
> that will be accepted as valid.
This excessive generality is a serious problem in way too many crypto

Assume for a moment that we have a random number generator which is
non-uniform, and we are using it to generate a key.
What I'd like to do is characterize the work factor involved in
brute-force search of the key space, assuming that the adversary
has knowledge of the characteristics of the

By the way, we've recently been planning our next crypto-capabilities
design for the TahoeLAFS secure distributed filesystem. This
involves deciding whether a 192-bit elliptic curve public key is
strong enough, as well as subtler and more unusual issues involving
embedding keys directly

Oh, and by the way, the way that TahoeLAFS uses public key
cryptography highlights some of the weaknesses of current public key
techniques and some of the strengths of possible future techniques
such as hyperelliptic curves. (I know that Tanja Lange has done a
lot of work on those.)

On Fri, Jul 17, 2009 at 01:37:43PM -0500,
travis+ml-cryptogra...@subspacefield.org wrote:
> I'm curious if there's a way to express this calculation as a
> mathematical formula, rather than an algorithm, but right now I'm just
> blanking on how I could do it.
This has been dubbed the guesswork of a