Steve Bellovin forwarded me the following links (which he got from Eric Rescorla). Note the bit at the end about a path to second preimage attacks: http://eprint.iacr.org/2006/187 On the Security of HMAC and NMAC Based on HAVAL, MD4, MD5, SHA-0 and SHA-1 Jongsung Kim and Alex Biryukov and
The EU Galileo navigation satellite uses a set of pseudo-random numbers to secure access to its data. Galileo is partially investor-funded; part of the business model is to sell access to the data. Some researchers at Cornell took a different approach -- they cryptanalyzed the algorithm...
I believe this has been known for a long time, though I have never seen the proof. I could imagine constructing one based on quadratic sieve. I believe that a proof that the discrete log problem is polynomially reducible to the factorization problem is much harder and more recent (as in
I was registering today for the Crypto conference and discovered that immediately afterwards, and at the same site in Santa Barbara, CA, NIST is holding a two-day workshop on hash function design. The information is here: http://www.csrc.nist.gov/pki/HashWorkshop/index.html In response to the