whether S is even or odd,
defeating the privacy of the scheme.
Hal Finney
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com
the polynomial variable is
secret, it is based on the key. So you don't know how things are being
combined. But with a known key and IV, there would be no security at all.
It would be linear like a CRC.
Hal Finney
. But it could still probably be smaller than for even ECDSA keys.
Anyway, that's the concept. Does anyone recognize it?
Hal Finney
message attack to find details, or read:
www.di.ens.fr/~bouillaguet/pub/SAC2009.pdf
slides (not too informative):
http://rump2009.cr.yp.to/ccbe0b9600bfd9f7f5f62ae1d5e915c8.pdf
Hal Finney
11:04:15 -0700 (PDT)
From: h...@finney.org (Hal Finney)
Subject: Re: On what the NSA does with its tech
MV writes:
Yes. They can't break a 128 bit key. That's obvious. (if all the
atoms in the
universe were computers... goes the argument).
Not necessarily, if nanotechnology works. 128 bits
solve this -
seems like a hard problem.)
Hal Finney
,
how many candidates have offered such a proof, in variants fast enough
to beat SHA-2?
Hal Finney
paths with
a maximum number of auxiliary paths.
(Rather than, we are abandoning our search for more differential paths
and working to try to find a real collision using this one. ;)
Hal Finney
so long sought.
Hal Finney
possible v value. Learning a share tells you
nothing about v, and in general Shamir sharing, learning all but one of
the needed shares similarly tells you nothing about the secret.
Hal Finney
remains open: is there a POW
system which could be built solely on logically reversible computation?
The computation has to be intrinsically time consuming, but with a short
and quickly verifiable certificate of validity.
Hal Finney
that their owners would be unlikely to notice. This kind of thinking
quickly degenerates into unreliable speculation, but it points out the
difficulties of analyzing the full ramifications of a world where POW
tokens are valuable.
Hal Finney
Satoshi Nakamoto writes:
Announcing the first release of Bitcoin, a new electronic cash
system that uses a peer-to-peer network to prevent double-spending.
It's completely decentralized with no server or central authority.
See bitcoin.org for screenshots.
Download link:
and move
rapidly to SHA1. As long as this happens before Eurocrypt or whenever
the results end up being published, the danger will have been averted.
This, I think, is the main message that should be communicated from this
important result.
Hal Finney
as a tool for this
purpose is a novel idea well worth further review IMO.
Hal Finney
description of the system would be a
helpful next step.
Hal Finney
[1] http://unenumerated.blogspot.com/2005/12/bit-gold.html
and ironically may become the first widely
fielded use of anonymous credentials.)
Hal Finney
like AES. To encrypt, do:
1. Encrypt the first 128 bits (ECB mode)
2. Encrypt the last 128 bits (also ECB mode).
Hal Finney wrote:
I am not familiar with the security proof here, do you have a reference?
Or is it an exercise for the student?
It's a degenerate case of Rivest's All
good ones for being a few bits longer.
Hal Finney
, do you have a reference?
Or is it an exercise for the student?
Hal Finney
(October 31), potentially giving an
advantage to his competitors. He emphasized that his goal is to produce
the best possible outcome for the whole process.
Hal Finney
relying parties), and that is where my proposed
mitigation above comes in. By renaming its URLs, an OpenID provider who
had the misfortune to create a weak OpenSSL cert (through no fault of
its own) can save its end users considerable potential grief.
Hal Finney
for dae687514c50.doxdns5.com:
1.2.3.4:34023 TXID=64660
1.2.3.4:50662 TXID=51678
1.2.3.4:55984 TXID=49711
1.2.3.4:17745 TXID=12263
1.2.3.4:26318 TXID=59610
This shows only the last 5 ports so it won't detect an LCG, but at least
it can detect some of the more obvious patterns.
Hal Finney
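An added checker for output in the format shown above (example code written for this page, not the doxdns tool's own). The "good" sample copies the five quoted lines; the "bad" sample is constructed to look like a resolver that increments its source port and transaction ID. It parses the port and TXID columns and flags only the obvious patterns (repeats, constant stride, monotonic runs, a narrow range). As the message says, five samples cannot catch an LCG, so an empty flag list is not a clean bill of health.

```python
import re

# Five lines copied from the tool output quoted above (a resolver showing no obvious pattern)
GOOD_SAMPLE = """\
1.2.3.4:34023 TXID=64660
1.2.3.4:50662 TXID=51678
1.2.3.4:55984 TXID=49711
1.2.3.4:17745 TXID=12263
1.2.3.4:26318 TXID=59610
"""

# Constructed sample of a resolver that just increments its source port and TXID
BAD_SAMPLE = """\
1.2.3.4:32768 TXID=1001
1.2.3.4:32769 TXID=1002
1.2.3.4:32770 TXID=1003
1.2.3.4:32771 TXID=1004
1.2.3.4:32772 TXID=1005
"""

LINE_RE = re.compile(r"^(?P<ip>[0-9.]+):(?P<port>\d+)\s+TXID=(?P<txid>\d+)$")

def parse_queries(text):
    """Return (ports, txids) from lines shaped like 'ip:port TXID=n'; other lines are ignored."""
    ports, txids = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ports.append(int(m["port"]))
            txids.append(int(m["txid"]))
    return ports, txids

def pattern_flags(values, space=65536):
    """Cheap checks that catch the obvious failures (counters, fixed strides, a tiny window).
    An LCG or any half-decent PRNG passes all of them, so no flags is not proof of randomness."""
    if len(values) < 2:
        return ["too-few-samples"]
    flags = []
    if len(set(values)) < len(values):
        flags.append("repeated-value")
    deltas = [b - a for a, b in zip(values, values[1:])]
    if len(set(deltas)) == 1:
        flags.append("constant-stride")
    if all(d > 0 for d in deltas) or all(d < 0 for d in deltas):
        flags.append("monotonic")
    if max(values) - min(values) < space // 64:
        flags.append("narrow-range")
    return flags

def assess(text):
    """Flags for the port column and the TXID column separately (both are 16-bit spaces)."""
    ports, txids = parse_queries(text)
    return {"port": pattern_flags(ports), "txid": pattern_flags(txids)}

if __name__ == "__main__":
    print("quoted sample:", assess(GOOD_SAMPLE))
    print("counter sample:", assess(BAD_SAMPLE))
```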
not look good to encryption purists.
Hal Finney
whether
they may be vulnerable to the bug even if their primary servers were not
exposed to it, since any client out there may have generated insecure
signatures and inadvertently revealed secret keys.
Hal Finney
Plaintext Considered Harmless. A surprising diversity of opinions
were expressed.
http://groups.google.com/group/sci.crypt/browse_thread/thread/f1aae3a2d10dbcd4?tvc=2&q=known+plaintext+considered+harmless
Hal Finney
, conservatively we should assume that well funded secret
efforts could already succeed today.
Hal Finney
Hi Jeff -
How wise (in a real-world sense) is it, in a protocol specification, to
specify that one simply obtain an ostensibly random value, and then use that
value directly as the signature key in, say, an HMAC-based signature, without
any further stipulated checking and/or massaging of
the implementors would be
aware of the need for secure random numbers.
Hal Finney
. All these considerations motivate
using larger parameter sets for DH encryption than for DSA signatures.
Hal Finney
the standard to use new points and publish the seeds for both of them.
There is no need to re-use the points from FIPS 186-3, a new pair of
points should be chosen for the PRNG via the specified randomization.
Hal Finney
PGP Corporation
the role economics plays in the crypto and security field.
The mere fact that so many of the conclusions are provocative indicates
that there is much fertile work yet to be done. Ross is a major pioneer
of this effort and I am looking forward to further interesting results.
Hal Finney
. Sometimes in life, paradoxically, you do better by being
able to give up certain options, in a verifiable way. TPM technology's
benefits to the user would arise from such paradoxical situations.
Hal Finney
on the DRM aspect and that largely
torpedoed the whole idea. Still we might see it eventually. Research
in this direction is still going on, particularly in IBM's Integrity
Measurement Architecture[1] and some of the new security extensions to
the Xen virtualization software[2].
Hal Finney
[1]
http
the encryption key even if
you guess the PIN right.
(Some) details at the BitLocker Drive Encryption Technical Overview page:
http://technet2.microsoft.com/WindowsVista/en/library/ba1a3800-ce29-4f09-89ef-65bce923cdb51033.mspx?mfr=true
Hal Finney
Ian Farquhar writes:
[Hal Finney wrote:]
It seems odd for the TPM of all devices to be put on a pluggable module as
shown here. The whole point of the chip is to be bound tightly to the
motherboard and to observe the boot and initial program load sequence.
Maybe I am showing my eternal
encryption we
will see more use of TPMs. I saw the other day that Microsoft was about
to make BitLocker available to home users (it's only in the high-end
Vistas now) but changed their mind at the last minute.
Hal Finney
decryption
is valid even without revealing your long term secret keys.
Hal Finney
of choosing your IV,
with CFB mode. A simple counter should be good enough. However the
penalty for erroneously reusing an IV is worse; it reveals the XOR of the
respective plaintexts, whereas in CBC mode it will only reveal whether
the plaintexts are identical.
Hal Finney
PGP Corporation
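An added demonstration of the IV-reuse difference described above (example code written for this page, not from the original message or from PGP). It uses a toy 128-bit Feistel cipher built from SHA-256 as a stand-in for the real block cipher so that it runs with the standard library alone; the key, IV and messages are constructed. Under a reused IV the XOR of the two CFB ciphertexts' first blocks equals the XOR of the two plaintexts' first blocks, while CBC only shows whether the first plaintext blocks are identical.

```python
import hashlib
import os

BLOCK = 16      # 128-bit blocks, like AES
ROUNDS = 8

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, i, half):
    # Keyed round function built from SHA-256 (a stand-in construction, not a real cipher design)
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]

def block_encrypt(key, block):
    """Toy 128-bit Feistel permutation used in place of AES so the example needs only the stdlib."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right

def block_decrypt(key, block):
    """Inverse of block_encrypt (runs the rounds backwards)."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right

def cbc_encrypt(key, iv, plaintext):
    """CBC: C_i = E(P_i xor C_{i-1}), C_0 = IV. Plaintext must be a whole number of blocks."""
    assert len(plaintext) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cfb_encrypt(key, iv, plaintext):
    """Full-block CFB: C_i = P_i xor E(C_{i-1}), C_0 = IV. The first keystream block is E(IV)."""
    assert len(plaintext) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = _xor(plaintext[i:i + BLOCK], block_encrypt(key, prev))
        out.append(prev)
    return b"".join(out)

def cfb_iv_reuse_leak(key, iv, p1, p2):
    """Eavesdropper's view of two CFB messages under the same key and IV:
    the XOR of the first ciphertext blocks equals the XOR of the first plaintext blocks."""
    c1, c2 = cfb_encrypt(key, iv, p1), cfb_encrypt(key, iv, p2)
    return _xor(c1[:BLOCK], c2[:BLOCK])

def cbc_iv_reuse_leak(key, iv, p1, p2):
    """Same for CBC: the attacker only learns whether the first plaintext blocks are equal."""
    c1, c2 = cbc_encrypt(key, iv, p1), cbc_encrypt(key, iv, p2)
    return c1[:BLOCK] == c2[:BLOCK]

# Constructed demo values
KEY = b"example-key-0123"
IV = b"\x00" * BLOCK      # reused on purpose; a counter or os.urandom(BLOCK) per message avoids this
P1 = b"attack at dawn!!" + b"more text here.."
P2 = b"retreat at dusk!" + b"other stuff here"

if __name__ == "__main__":
    leak = cfb_iv_reuse_leak(KEY, IV, P1, P2)
    print("CFB leak == P1 xor P2 (first block):", leak == _xor(P1[:BLOCK], P2[:BLOCK]))
    print("CBC reveals only equality of first blocks:", cbc_iv_reuse_leak(KEY, IV, P1, P2))
    print("fresh IV per message gives different ciphertext:",
          cfb_encrypt(KEY, os.urandom(BLOCK), P1) != cfb_encrypt(KEY, os.urandom(BLOCK), P1))
```

The leak in CFB continues past the first block for as long as the two ciphertexts agree, which is exactly as long as the two plaintexts share a prefix, so a reused IV across messages with a common header leaks the first differing block as well.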
would imagine
is a generally loose affiliation of attackers with diverse motivations.
But as I said, my crystal ball is foggy.
Hal Finney
this work took
place right out in the open, before the public eye. Definitely some
smart people involved there.
Hal Finney
to technical difficulties in revocation strategy when a new processing
key is published.
Hal Finney
at least some of
its goals. But these other considerations will work against them.
Hal Finney
trying to get some government agency involved.
The letter specifically cites 17 USC 1201(a)2 and (b)1, which can be read
here:
http://cyber.law.harvard.edu/openlaw/DVD/1201.html#a2
Hal Finney
Steve Schear writes:
Here is the situation. An on-line financial service, for example a DBC
(Digital Bearer Certificate), operator wishes his meat space identity,
physical whereabouts, the transaction servers and at least some of the
location(s) of the service's asset backing to remain
reuse.
The thread index will allow reading more of the discussion at
http://www1.ietf.org/mail-archive/web/cfrg/current/threads.html
under the title, how to guard against VM rollbacks.
Hal Finney
of what this software
implements, and I'm also unclear about the patent status of some of the
more sophisticated aspects, but I'm looking forward to being able to
experiment with this technology.
Hal Finney
of the cipher, and at this point we must largely rely on heuristic and
informal arguments to see whether any weaknesses are real or merely
theoretical.
Hal Finney
PGP Corporation
P1619 Member
Anton Stiglic writes:
I tried coming up with my own forged signature that could be validated with
OpenSSL (which I intended to use to test other libraries). ...
Now let's look at s^3
1FFF\
/rsawrapr.c:RSA_CheckSign())
Hal Finney
independently made the same error. It would be nice
to know which it is.
Hal Finney
passes the hash number outside the RSA signed data
in addition to using PKCS-1 padding. This simplifies the parsing as it
allows hard-coding the ASN-1 prefix as an opaque bit string, then doing
a simple comparison between the prefix+hash and what it should be.
Hal Finney
adding in multiples of the modulus and look for perfect
cubes again, but basically the odds against are 1 in N^(2/3) so there
is no point.
Hal Finney
PGP Corporation
/bellare01onemorersainversion.html
The One-More-RSA-Inversion Problems and the Security of Chaum's Blind
Signature Scheme by Bellare et al for some discussion of this issue.
Hal Finney
using RSA keys with exponents
of 3. Even if your own implementation is not vulnerable to this attack,
there's no telling what the other guy's code may do. And he is the one
relying on your signature.
Hal Finney
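An added worked example of the exponent-3 forgery discussed in the messages above (written for this page; not code from the original thread, OpenSSL, NSS or PGP). It assumes a 3072-bit signature block, the SHA-256 DigestInfo encoding, and a constructed stand-in modulus N: the forgery never touches a private key and only needs s^3 < N so that the reduction mod N does nothing. The "lenient" verifier skips past the 0x00 separator, compares DigestInfo and hash, and ignores whatever follows; the "strict" verifier rebuilds the full padded block, so the padding length is pinned by the key size and nothing can hide after the hash.

```python
import hashlib

E = 3
K = 384                          # 3072-bit key: 384-byte signature block
# Constructed stand-in for the public modulus. The forgery never uses the private key;
# the only requirement is s**E < N so that reduction mod N does nothing.
N = (1 << 3072) - 1
# DER-encoded DigestInfo prefix for SHA-256 (PKCS#1 v1.5 signature encoding)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def iroot3(n):
    """Floor of the integer cube root: Newton iteration from above, then a fix-up."""
    if n < 2:
        return n
    x = 1 << ((n.bit_length() + 2) // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            break
        x = y
    while x * x * x > n:
        x -= 1
    while (x + 1) ** 3 <= n:
        x += 1
    return x

def forge_signature(message):
    """Exponent-3 forgery against a verifier that ignores bytes after the hash:
    put 00 01 FF 00 || DigestInfo || H(m) at the top of the block, zeros below,
    and take the cube root rounded up. The cube differs from the target only in
    the low bytes, so the top bytes survive and the lenient parser accepts it."""
    h = hashlib.sha256(message).digest()
    top = b"\x00\x01\xff\x00" + SHA256_PREFIX + h
    target = int.from_bytes(top + b"\x00" * (K - len(top)), "big")
    s = iroot3(target)
    if s ** E < target:
        s += 1                    # s**3 - target < 3*s**2, far below the 329 trailing bytes
    return s

def verify_lenient(message, s):
    """The buggy parse: find the 00 separator, compare DigestInfo||hash, and never check
    that the block ends there (the class of parsing bug the thread is about)."""
    em = pow(s, E, N).to_bytes(K, "big")
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < K and em[i] == 0xff:
        i += 1
    if i >= K or em[i] != 0x00:
        return False
    i += 1
    digest_info = SHA256_PREFIX + hashlib.sha256(message).digest()
    return em[i:i + len(digest_info)] == digest_info

def verify_strict(message, s):
    """Correct check: rebuild the whole EMSA-PKCS1-v1_5 block and compare it in full."""
    em = pow(s, E, N).to_bytes(K, "big")
    digest_info = SHA256_PREFIX + hashlib.sha256(message).digest()
    expected = b"\x00\x01" + b"\xff" * (K - len(digest_info) - 3) + b"\x00" + digest_info
    return em == expected

if __name__ == "__main__":
    msg = b"transfer 1000 to mallory"     # constructed
    s = forge_signature(msg)
    print("cube below modulus:", s ** E < N)
    print("lenient verifier accepts forgery:", verify_lenient(msg, s))
    print("strict verifier rejects forgery:", not verify_strict(msg, s))
```

The arithmetic behind the comment in forge_signature: the target is roughly 2^3056, so s is about 2^1019 and the rounding error s^3 - target is below 3*s^2, about 2^2041, while the zero-filled tail is 329 bytes (2632 bits) wide, so the 55 leading bytes that the lenient verifier examines are reproduced exactly. With a larger exponent there is no such cube-root shortcut, which is why Hal's message singles out e = 3.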
to multiple forgeries. The ease or
difficulty of this extension will depend on details of the MAC design,
but in principle, the CW security properties allow for it. This means
that MACs of moderate length, like 64 bits or less, need to be evaluated
much more critically with a CW MAC implementation.
Hal
a buffer period into the process to let
people take their final shots.
Hal Finney
of outcome
inevitable. But hopefully the hashing competition will learn from the AES
experience and make sure that it takes as much time as it needs to take.
Hal Finney
a TSS solution to be
available on that platform as well.
Thanks again to the people who provided me information about these
various solutions!
Hal Finney
operational benefit from all those TPM
chips being installed. I'll be happy to summarize results back to the
list if people want to contact me privately.
Thanks -
Hal Finney
[EMAIL PROTECTED]
not get an ordinary hash. You are more likely to get an ordinary
polynomial that will not serve at all well as a crypto hash.
Hal Finney
show in section 6 various attacks on ad hoc constructions, but some of
them are admittedly impractical.
Hal Finney
where f is the TPM private key and
zeta is a unique per-site constant) that the site decides are being used
suspiciously often, suggesting that they are being shared by a group.
Hal Finney
actually be fielded in the near future.
Hal Finney
/camlys02b.pdf .
Hal Finney
I (Hal Finney) wrote:
A couple of (rather uninformed) thoughts regarding HMAC-MD5: First,
how could collision attacks be extended to preimage attacks? And second,
how would preimage attacks affect HMAC-MD5?
I have to apologize for that message; I was totally confused particularly
attacks against
MD5 can be advanced to that point remains to be seen. If it works it
will certainly be one of the premier cryptographic accomplishments of
recent years.
Hal Finney
constant specific to the UTM).
Hence even if we consider successive approximations to Omega of ever
increasing length, their measures would tend asymptotically to zero.
Hal Finney
.
It performed a small divisor test (only testing 3, 5, 7 and 11 as
divisors!) and a single base 2 Fermat test, for its RSA keygen.
Hal Finney
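An added example (written for this page, not code from the original message or the product it describes) reproducing the weak primality test just quoted, trial division by 3, 5, 7 and 11 plus a single base-2 Fermat test, next to a Miller-Rabin check, and listing the composites below 10000 that the weak test accepts. Any of them would have been handed to that RSA key generator as a "prime".

```python
SMALL_DIVISORS = (3, 5, 7, 11)

def weak_is_prime(n):
    """The test quoted above: trial division by 3, 5, 7, 11 and one base-2 Fermat test."""
    if n < 2:
        return False
    if n in (2, 3, 5, 7, 11):
        return True
    if n % 2 == 0 or any(n % d == 0 for d in SMALL_DIVISORS):
        return False
    return pow(2, n - 1, n) == 1

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def miller_rabin(n, bases=MR_BASES):
    """Deterministic for n < 3.3e24 with these bases; use random bases beyond that range."""
    if n < 2:
        return False
    for p in bases:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def smallest_factor(n):
    """Trial division, to exhibit each false positive's factors (fine for this small range)."""
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f
        f += 1
    return n

def weak_test_false_positives(limit):
    """Composites below limit that the weak test accepts, i.e. base-2 Fermat pseudoprimes
    with no factor of 3, 5, 7 or 11."""
    return [n for n in range(limit) if weak_is_prime(n) and not miller_rabin(n)]

if __name__ == "__main__":
    for n in weak_test_false_positives(10000):
        print(n, "=", smallest_factor(n), "*", n // smallest_factor(n))
```

The first survivor, 1387 = 19 * 73, already shows the pattern: a single Fermert base is fooled by any pseudoprime to that base, and a divisor list that stops at 11 does nothing about factors of 19 or 73. Several rounds of Miller-Rabin with random bases (or the deterministic base set above for small inputs) is the minimum a key generator should run.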
Ben Laurie writes:
Apologies, slightly at cross-purposes here. For a start, Sophie Germain
primes are needed for D-H (or rather, safe primes), and secondly, I was
talking about proving arbitrary primes, rather than constructing
provable primes.
Dan Bernstein has lots of good information on
bandwidth.
Unless you're looking for primes with a special format, like Sophie
Germain primes or ones with lots of 1's up front and/or in the back, or
primes considerably larger than 2048 bits, current methods should be fast
enough for most applications even on sequential processors.
Hal Finney
forward secrecy) under the traditional Dolev-Yao model.
It's interesting that these attacks exist given this security analysis.
Maybe it was treating the arithmetic as something of a black box?
Chalk it up as another example of the limitations of these kinds of tools.
Hal Finney
, unfortunately.
Hal Finney
technique at Crypto next month, so perhaps there will
be additional discussion there.
Hal Finney
everywhere.
A video game chain store in town, I think it's EBX, only accepts these
cards, they won't take credit cards.
Hal Finney
Peter Gutman writes:
[EMAIL PROTECTED] (Hal Finney) writes:
Steven M. Bellovin writes:
Dan Bernstein has a new cache timing attack on AES:
http://cr.yp.to/antiforgery/cachetiming-20050414.pdf
This is a pretty alarming attack.
It is? Recovering a key from a server custom-written
, and then add a delay using a high-res timer from the
operating system to make it always take the same time.
Hal Finney
or chooses keynames, but be unable to guess any keys for any other
keynames. It's a good fit to the security requirements for your problem.
Hal Finney
and would not require any special
communication capabilities.
Hal Finney
in the footnote was a reference to this fact.
Don't try to interpret it as meaning that the attack won't work against SHA.
Hal Finney
Enzo Michelangeli writes:
In the world of international trade, where mutual distrust between buyer
and seller is often the rule and there is no central authority to enforce
the law, this is traditionally achieved by interposing not less than three
trusted third parties: the shipping line, the
Tyler Durden writes:
So my newbie-style question is, is there an eGold that can be verified, but
not accessed, until a 'release' code is sent?
In other words, say I'm buying some hacker-ed code and pay in egold. I don't
want them to be able to 'cash' the gold until I have the code.
don't know if the extra complexity buys you much in this application
though.
Hal Finney
about Adam Shostack's http://www.emergentchaos.com/,
although it seems to be more security than crypto.
Any other good ones?
Hal Finney
Bruce Schneier wrote:
Luckily, there are alternatives. The National Institute of Standards and
Technology already has standards for longer - and harder to break - hash
functions: SHA-224, SHA-256, SHA-384, and SHA-512. They're already
government standards, and can already be used. This is a
secrets or CAs.
I don't think anonymous is the right word for this, and I hope the
IETF comes up with a better one as they go forward.
Hal Finney
-width hash construction is not as secure
as an ideal hash. It is safe against multicollisions but not against
multipreimages.
Hal Finney
Hi, Adam - Yes, that's interesting. Seth Schoen's posting and
subsequent blog entries do compare his goals with hashcash and similar
stamp minting systems; where hashcash wants to make minting expensive
and verification easy, Seth's HTV signatures aim to make signing easy
and verifying expensive.
John Kelsey critiques the proposal from Practical Cryptography:
We do not know of any literature about how to fix the hash functions,
but here is what we came up with when writing this book. ... Let h be
one of the hash functions mentioned above. Instead of m -> h(m), we use
m -> h(h(m) || m) as
to find a collision between the lines. This level of
work is greater than that needed to invert the overall hash construction
hence does not represent an attack.
Hal Finney
to predict.
The name serial number suggests a degree of sequentiality and some
CAs may follow such a policy, which could allow a motivated attacker to
predict the value with considerable accuracy.
Hal Finney
surely must,
then perhaps it is worth exploring.
Hal Finney
Jerry Leichter writes:
It all depends on how you define an attack, and how you choose to define your
security. I explored the outer edge: Distinguishability from a random
function. For a random function from {0,1}* -> {0,1}^k, we expect to have to do
2^k work (where the unit of work is an
to n*2^(n/2). Your approach effectively makes
this (n^3)*2^(n/2) which is an improvement, but still not attaining
the exponential security increase expected from ideal hash functions.
Hal Finney
to find a way of combining sub-blocks which will retain the
strength of the individual pieces rather than throwing half of it away.
Hal Finney
|| (M1 xor M2)
M1 || (M1 xor M2')
M1' || (M1' xor M2)
M1' || (M1' xor M2')
In each case the actual input to the 2nd block compression function
(after xoring with the first block input) would be M2 or M2', as desired.
Hal Finney
is the EU's RACE Integrity Primitives Evaluation
project, and I haven't been able to find out what RACE stands for.
RIPEM was an old implementation by Mark Riordan of the PEM (Privacy
Enhanced Email) standard which preceded S/MIME.
Hal Finney
Matt Crawford writes:
If you think of POW as a possible SPAM mitigation, how does the first
receiving MTA assure the next MTA in line that a message was paid
for? Certainly the mail relay doesn't want to do new work, but the
second MTA doesn't know that the first isn't a spambot.
The
they would buy and sell
RPOWs for money, they could serve in place of ecash. The main question
is whether there will be any use for them so compelling that people
would buy them.
Hal Finney
values, which would
make it harder to attack HMAC since you presumably would not be able to
choose the data without knowing the IV. It may still be that you could
do something with HMAC built on one of the broken ciphers, but we will
have to wait for a fuller description of the technique.
Hal