Steve Bellovin forwarded me the following links (which he got from
Eric Rescorla). Note the bit at the end about a path to second
preimage attacks:
http://eprint.iacr.org/2006/187
On the Security of HMAC and NMAC Based on HAVAL, MD4, MD5, SHA-0 and SHA-1
Jongsung Kim and Alex Biryukov and
The EU Galileo navigation satellite uses a set of pseudo-random numbers to
secure access to its data. Galileo is partially investor-funded; part of
the business model is to sell access to the data. Some researchers at
Cornell took a different approach -- they cryptanalyzed the algorithm...
I believe this has been known for a long time, though I have never seen the
proof. I could imagine constructing one based on quadratic sieve.
I believe that a proof that the discrete log problem is polynomially reducible
to the factorization problem is much harder and more recent (as in
I was registering today for the Crypto conference and discovered that
immediately afterwards, and at the same site in Santa Barbara, CA, NIST
is holding a two-day workshop on hash function design. The information
is here:
http://www.csrc.nist.gov/pki/HashWorkshop/index.html
In response to the
