Re: Question about Shamir secret sharing scheme

2009-10-04 Thread Hal Finney
whether S is even or odd, defeating the privacy of the scheme. Hal Finney - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com

Re: AES-GMAC as a hash

2009-09-04 Thread Hal Finney
the polynomial variable is secret, it is based on the key. So you don't know how things are being combined. But with a known key and IV, there would be no security at all. It would be linear like a CRC. Hal Finney
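
The linearity Hal points to is easy to see by implementing GHASH, the GF(2^128) polynomial that AES-GMAC builds its tag from. The following is an added example, not code from the thread or from any GCM library. It assumes a plain polynomial basis for GF(2^128) with reducer x^128 + x^7 + x^2 + x + 1 (GCM uses a bit-reflected convention, so the numeric tags differ, but the algebra and therefore the attack are identical); the key point H, the message and the attacker's replacement block are constructed. Once H is known, a change to the first block can be cancelled by a computed change to the last block, so two different messages share a GHASH. Since the GMAC tag is GHASH xor a mask that depends only on the key and IV, a known key and IV turn this into a tag collision.

```python
"""GHASH, the GF(2^128) polynomial underneath AES-GMAC, is linear in the
message once H is known. Added example, not code from the thread.
Assumption: plain polynomial basis with reducer x^128 + x^7 + x^2 + x + 1
rather than GCM's bit-reflected convention, so tags differ from a GCM
library's, but the algebra and therefore the forgery are identical.
"""
import os

REDUCER = (1 << 128) | 0x87  # x^128 + x^7 + x^2 + x + 1


def gf128_mul(a, b):
    """Multiply two elements of GF(2^128) represented as ints < 2**128."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> 128:          # degree reached 128: reduce
            a ^= REDUCER
    return r


def gf128_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf128_mul(r, a)
        a = gf128_mul(a, a)
        e >>= 1
    return r


def ghash(h, blocks):
    """Horner form of sum_i blocks[i] * H^(n-i): a polynomial in H whose
    coefficients are the message blocks, hence linear in the message."""
    y = 0
    for m in blocks:
        y = gf128_mul(y ^ m, h)
    return y


def to_blocks(data):
    assert len(data) % 16 == 0
    return [int.from_bytes(data[i:i + 16], "big") for i in range(0, len(data), 16)]


def forge_same_ghash(h, blocks, new_first_block):
    """Given H, replace block 0 with an attacker-chosen value and fix up the
    last block so the GHASH is unchanged. With D = M xor M' we need
    GHASH(D) = 0, i.e. D0*H^n xor Dn*H = 0, so Dn = D0 * H^(n-1)."""
    n = len(blocks)
    assert n >= 2
    d0 = blocks[0] ^ new_first_block
    forged = list(blocks)
    forged[0] = new_first_block
    forged[-1] ^= gf128_mul(d0, gf128_pow(h, n - 1))
    return forged


def demo(h=None):
    """Returns (original ghash, forged ghash, forged message bytes)."""
    if h is None:
        h = int.from_bytes(os.urandom(16), "big")   # in GMAC, H = E_K(0^128)
    msg = to_blocks(b"amount=00000100;to=alice;memo=..nonce=0123456789")  # constructed
    want = int.from_bytes(b"amount=99999999;", "big")
    forged = forge_same_ghash(h, msg, want)
    return ghash(h, msg), ghash(h, forged), b"".join(b.to_bytes(16, "big") for b in forged)


if __name__ == "__main__":
    t1, t2, m2 = demo()
    print(t1 == t2, m2)   # True, first 32 bytes b'amount=99999999;to=alice;memo=..'
```

The attacker chooses the first block outright and only the trailing block turns to garbage, which is why a format with a free trailing field is the easy target. GCM appends a length block after the message; because both messages here have the same length, that block is identical for both and shifts every degree by one, so the fix-up Dn = D0 * H^(n-1) is unchanged.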

Small-key DSA variant

2009-08-25 Thread Hal Finney
. But it could still probably be smaller than for even ECDSA keys. Anyway, that's the concept. Does anyone recognize it? Hal Finney

Re: Certainty

2009-08-25 Thread Hal Finney
message attack to find details, or read: www.di.ens.fr/~bouillaguet/pub/SAC2009.pdf slides (not too informative): http://rump2009.cr.yp.to/ccbe0b9600bfd9f7f5f62ae1d5e915c8.pdf Hal Finney

Ultimate limits to computation

2009-08-12 Thread Hal Finney
11:04:15 -0700 (PDT) From: h...@finney.org (Hal Finney) Subject: Re: On what the NSA does with its tech MV writes: Yes. They can't break a 128 bit key. That's obvious. (if all the atoms in the universe were computers... goes the argument). Not necessarily, if nanotechnology works. 128 bits

Zooko's semi-private keys

2009-07-21 Thread Hal Finney
solve this - seems like a hard problem.) Hal Finney

Re: MD6 withdrawn from SHA-3 competition

2009-07-05 Thread Hal Finney
, how many candidates have offered such a proof, in variants fast enough to beat SHA-2? Hal Finney

Re: SHA-1 in 2**52

2009-06-16 Thread Hal Finney
paths with a maximum number of auxiliary paths. (Rather than, we are abandoning our search for more differential paths and working to try to find a real collision using this one. ;) Hal Finney

Re: Popular explanation of fully homomorphic encryption wanted

2009-06-16 Thread Hal Finney
so long sought. Hal Finney

Re: Shamir secret sharing and information theoretic security

2009-02-23 Thread Hal Finney
possible v value. Learning a share tells you nothing about v, and in general Shamir sharing, learning all but one of the needed shares similarly tells you nothing about the secret. Hal Finney
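
Both the "all but one share tells you nothing" point here and the parity leak mentioned in the 2009-10-04 "Question about Shamir secret sharing scheme" message above can be checked mechanically. The following is an added example, not code from either thread. It assumes a toy prime field GF(31) so that every polynomial can be enumerated; the exhaustive count shows that with t-1 shares every secret is consistent with exactly one polynomial, while the t-th share leaves only the true one. The second part is an assumption about how a parity leak of the kind mentioned can arise (the message snippet only says that the parity of S leaked): doing the arithmetic modulo 2^k instead of modulo a prime and evaluating at an even x makes every share carry the secret's low bit.

```python
"""Shamir secret sharing over GF(p), plus an exhaustive check of the
"all but one share tells you nothing" property and a demonstration of a
parity leak when the arithmetic is done modulo 2^k instead of a prime.

Added example, not code from the threads. The tiny prime P = 31 is an
assumption so the enumeration stays instant; a real deployment uses a
prime larger than the secret.
"""
import itertools
import random

P = 31  # toy prime field; assumption for this example only


def eval_poly(coeffs, x, mod):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... (mod mod)."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % mod
    return y


def make_shares(secret, t, n, mod=P, rng=random):
    """Split secret into n shares with threshold t (x = 1..n)."""
    assert 0 <= secret < mod and 1 <= t <= n < mod
    coeffs = [secret] + [rng.randrange(mod) for _ in range(t - 1)]
    return [(x, eval_poly(coeffs, x, mod)) for x in range(1, n + 1)]


def reconstruct(shares, mod=P):
    """Lagrange interpolation at x = 0; needs exactly t distinct shares."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % mod
                den = den * (xi - xj) % mod
        secret = (secret + yi * num * pow(den, -1, mod)) % mod
    return secret


def candidates(known_shares, t, mod=P):
    """For every possible secret, count the degree<t polynomials over
    GF(mod) with that constant term that agree with known_shares.
    With t-1 shares every secret gets exactly one polynomial (nothing is
    learned); with t shares only the true secret survives."""
    counts = {s: 0 for s in range(mod)}
    for coeffs in itertools.product(range(mod), repeat=t):
        if all(eval_poly(coeffs, x, mod) == y for x, y in known_shares):
            counts[coeffs[0]] += 1
    return counts


def share_mod_2k_at_even_x(secret, k=8, x=2, rng=random):
    """A (2,n) scheme done modulo 2**k instead of a prime, evaluated at an
    even x. Assumption: this is one way a parity leak like the one in the
    thread can arise; x*a is even for every a, so the share's low bit
    always equals the secret's low bit."""
    a = rng.randrange(2 ** k)
    return (secret + a * x) % 2 ** k


def demo():
    shares = make_shares(secret=17, t=3, n=5)
    assert reconstruct(shares[:3]) == 17 and reconstruct(shares[2:]) == 17
    two = candidates(shares[:2], t=3)          # t-1 shares
    three = candidates(shares[:3], t=3)        # t shares
    leak = all(share_mod_2k_at_even_x(s) & 1 == s & 1 for s in range(256))
    return two, three, leak


if __name__ == "__main__":
    two, three, leak = demo()
    print("t-1 shares:", set(two.values()))                   # {1}: every secret equally possible
    print("t shares:", [s for s, c in three.items() if c])   # [17]
    print("mod 2^8 share at even x leaks parity:", leak)      # True
```

The count-per-secret check is the information-theoretic statement made concrete: the t-1 known points and a candidate constant term determine a unique polynomial for every candidate, so the shares are equally likely under every secret. The mod 2^k variant fails because Z/2^k is not a field; its zero divisors let the evaluation point leak structure, which is why the scheme is specified over GF(p) or GF(2^m).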

Re: Proof of Work - atmospheric carbon

2009-01-28 Thread Hal Finney
remains open: is there a POW system which could be built solely on logically reversible computation? The computation has to be intrinsically time consuming, but with a short and quickly verifiable certificate of validity. Hal Finney

Re: Bitcoin v0.1 released

2009-01-24 Thread Hal Finney
that their owners would be unlikely to notice. This kind of thinking quickly degenerates into unreliable speculation, but it points out the difficulties of analyzing the full ramifications of a world where POW tokens are valuable. Hal Finney

Re: Bitcoin v0.1 released

2009-01-11 Thread Hal Finney
Satoshi Nakamoto writes: Announcing the first release of Bitcoin, a new electronic cash system that uses a peer-to-peer network to prevent double-spending. It's completely decentralized with no server or central authority. See bitcoin.org for screenshots. Download link:

Re: MD5 considered harmful today

2008-12-30 Thread Hal Finney
and move rapidly to SHA1. As long as this happens before Eurocrypt or whenever the results end up being published, the danger will have been averted. This, I think, is the main message that should be communicated from this important result. Hal Finney

Re: Bitcoin P2P e-cash paper

2008-11-13 Thread Hal Finney
as a tool for this purpose is a novel idea well worth further review IMO. Hal Finney

Re: Bitcoin P2P e-cash paper

2008-11-08 Thread Hal Finney
description of the system would be a helpful next step. Hal Finney [1] http://unenumerated.blogspot.com/2005/12/bit-gold.html

Re: privacy in public places

2008-08-29 Thread Hal Finney
and ironically may become the first widely fielded use of anonymous credentials.) Hal Finney

Re: Decimal encryption

2008-08-28 Thread Hal Finney
like AES. To encrypt, do: 1. Encrypt the first 128 bits (ECB mode) 2. Encrypt the last 128 bits (also ECB mode). Hal Finney wrote: I am not familiar with the security proof here, do you have a reference? Or is it an exercise for the student? It's a degenerate case of Rivest's All

Re: Decimal encryption

2008-08-27 Thread Hal Finney
good ones for being a few bits longer. Hal Finney

Re: Decimal encryption

2008-08-27 Thread Hal Finney
, do you have a reference? Or is it an exercise for the student? Hal Finney

The MD6 hash function (rough notes)

2008-08-21 Thread Hal Finney
(October 31), potentially giving an advantage to his competitors. He emphasized that his goal is to produce the best possible outcome for the whole process. Hal Finney

Re: OpenID/Debian PRNG/DNS Cache poisoning advisory

2008-08-08 Thread Hal Finney
relying parties), and that is where my proposed mitigation above comes in. By renaming its URLs, an OpenID provider who had the misfortune to create a weak OpenSSL cert (through no fault of its own) can save its end users considerable potential grief. Hal Finney

Re: On the randomness of DNS

2008-07-30 Thread Hal Finney
for dae687514c50.doxdns5.com: 1.2.3.4:34023 TXID=64660 1.2.3.4:50662 TXID=51678 1.2.3.4:55984 TXID=49711 1.2.3.4:17745 TXID=12263 1.2.3.4:26318 TXID=59610 This shows only the last 5 ports so it won't detect an LCG, but at least it can detect some of the more obvious patterns. Hal Finney
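
The five (port, TXID) pairs quoted above are the kind of input a quick pattern check runs over. What follows is an added example, not the tester's own code: it takes a handful of consecutive (source port, TXID) observations and flags the obvious weaknesses, a constant or privileged port, a fixed stride, a monotonically increasing counter, or values confined to a narrow window. The quoted samples are used as-is; the two other resolvers are constructed. As the post notes, a few samples cannot catch an LCG, so an empty result only means none of these cheap tests fired.

```python
"""Pattern checks over the (source port, TXID) pairs a resolver emits,
in the spirit of the tester whose output is quoted above. Added example,
not that tester's code. Samples: the five pairs quoted above, plus two
constructed resolvers, one with a fixed port and incrementing TXIDs and
one whose ports step by a constant stride."""


def strides(values):
    return [b - a for a, b in zip(values, values[1:])]


def check_sequence(name, values, max_value=65535):
    """Findings for one 16-bit counter seen over a few consecutive queries."""
    findings = []
    if len(values) < 2:
        return findings
    if len(set(values)) == 1:
        return [f"{name} is constant ({values[0]})"]
    d = strides(values)
    if len(set(d)) == 1:
        findings.append(f"{name} increments by a fixed stride of {d[0]}")
    elif all(x > 0 for x in d):
        findings.append(f"{name} is monotonically increasing")
    span = max(values) - min(values)
    if span < max_value // 16:
        findings.append(f"{name} confined to a {span}-wide window of {max_value}")
    return findings


def analyze(samples):
    """samples: [(source_port, txid), ...] in arrival order. Returns a list of
    findings; an empty list means none of these cheap tests fired, which is
    not the same as the values being unpredictable (an LCG passes all of
    them, as the quoted post notes)."""
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    findings = check_sequence("source port", ports) + check_sequence("TXID", txids)
    if ports and min(ports) < 1024:
        findings.append("source port below 1024: resolver is not randomizing its port")
    return findings


PAGE_SAMPLES = [(34023, 64660), (50662, 51678), (55984, 49711),
                (17745, 12263), (26318, 59610)]          # from the quoted output
FIXED_PORT = [(53, 1000 + i) for i in range(5)]           # constructed
STRIDE_PORT = [(1024 + 3 * i, t) for i, (_, t) in enumerate(PAGE_SAMPLES)]  # constructed

if __name__ == "__main__":
    for name, s in (("quoted", PAGE_SAMPLES), ("fixed port", FIXED_PORT), ("stride", STRIDE_PORT)):
        print(name, analyze(s) or "no obvious pattern in these samples")
```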

Re: Strength in Complexity?

2008-07-02 Thread Hal Finney
not look good to encryption purists. Hal Finney

Re: The perils of security tools

2008-05-22 Thread Hal Finney
whether they may be vulnerable to the bug even if their primary servers were not exposed to it, since any client out there may have generated insecure signatures and inadvertently revealed secret keys. Hal Finney

Re: RNG for Padding

2008-03-17 Thread Hal Finney
Plaintext Considered Harmless. A surprising diversity of opinions were expressed. http://groups.google.com/group/sci.crypt/browse_thread/thread/f1aae3a2d10dbcd4?tvc=2q=known+plaintext+considered+harmless Hal Finney

Re: questions on RFC2631 and DH key agreement

2008-02-09 Thread Hal Finney
, conservatively we should assume that well funded secret efforts could already succeed today. Hal Finney

Re: questions on RFC2631 and DH key agreement

2008-02-09 Thread Hal Finney
Hi Jeff - How wise (in a real-world sense) is it, in a protocol specification, to specify that one simply obtain an ostensibly random value, and then use that value directly as the signature key in, say, an HMAC-based signature, without any further stipulated checking and/or massaging of

Re: questions on RFC2631 and DH key agreement

2008-02-06 Thread Hal Finney
the implementors would be aware of the need for secure random numbers. Hal Finney

Re: questions on RFC2631 and DH key agreement

2008-02-06 Thread Hal Finney
. All these considerations motivate using larger parameter sets for DH encryption than for DSA signatures. Hal Finney

Possible backdoor in FIPS SP 800-90 PRNG

2007-11-15 Thread Hal Finney
the standard to use new points and publish the seeds for both of them. There is no need to re-use the points from FIPS 186-3, a new pair of points should be chosen for the PRNG via the specified randomization. Hal Finney PGP Corporation

Re: interesting paper on the economics of security

2007-08-22 Thread Hal Finney
the role economics plays in the crypto and security field. The mere fact that so many of the conclusions are provocative indicates that there is much fertile work yet to be done. Ross is a major pioneer of this effort and I am looking forward to further interesting results. Hal Finney

Re: remote-attestation is not required (Re: The bank fraud blame game)

2007-07-03 Thread Hal Finney
. Sometimes in life, paradoxically, you do better by being able to give up certain options, in a verifiable way. TPM technology's benefits to the user would arise from such paradoxical situations. Hal Finney

Re: The bank fraud blame game

2007-07-02 Thread Hal Finney
on the DRM aspect and that largely torpedoed the whole idea. Still we might see it eventually. Research in this direction is still going on, particularly in IBM's Integrity Measurement Architecture[1] and some of the new security extensions to the Xen virtualization software[2]. Hal Finney [1] http

Re: Free Rootkit with Every New Intel Machine

2007-06-27 Thread Hal Finney
the encryption key even if you guess the PIN right. (Some) details at the BitLocker Drive Encryption Technical Overview page: http://technet2.microsoft.com/WindowsVista/en/library/ba1a3800-ce29-4f09-89ef-65bce923cdb51033.mspx?mfr=true Hal Finney

RE: Free Rootkit with Every New Intel Machine

2007-06-26 Thread Hal Finney
Ian Farquhar writes: [Hal Finney wrote:] It seems odd for the TPM of all devices to be put on a pluggable module as shown here. The whole point of the chip is to be bound tightly to the motherboard and to observe the boot and initial program load sequence. Maybe I am showing my eternal

Re: Free Rootkit with Every New Intel Machine

2007-06-25 Thread Hal Finney
encryption we will see more use of TPMs. I saw the other day that Microsoft was about to make BitLocker available to home users (it's only in the high-end Vistas now) but changed their mind at the last minute. Hal Finney

Re: Public key encrypt-then-sign or sign-then-encrypt?

2007-05-16 Thread Hal Finney
decryption is valid even without revealing your long term secret keys. Hal Finney

Re: More info in my AES128-CBC question

2007-05-13 Thread Hal Finney
of choosing your IV, with CFB mode. A simple counter should be good enough. However the penalty for erroneously reusing an IV is worse; it reveals the XOR of the respective plaintexts, whereas in CBC mode it will only reveal whether the plaintexts are identical. Hal Finney PGP Corporation
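
The difference in what an IV reuse costs under CFB versus CBC can be shown with a few lines of code. The following is an added example, not code from the thread. It assumes a toy 128-bit block cipher (a 4-round Feistel network with HMAC-SHA256 round functions) standing in for AES so that it runs on the standard library alone; only the fact that the cipher is a bijection matters for the argument. The three plaintexts are constructed. With the same key and IV, CFB gives C_0 xor C'_0 = P_0 xor P'_0, so one known plaintext reveals the other's first block; CBC gives C_0 = E(P_0 xor IV), so equal first blocks show up as equal ciphertext blocks but different blocks reveal nothing about their XOR.

```python
"""IV reuse under CFB versus CBC, using a toy 128-bit block cipher.
Added example, not from the thread. Assumption: the block cipher is a
4-round Feistel network with HMAC-SHA256 round functions, standing in
for AES so the example runs with only the standard library; sample
messages are constructed."""
import hashlib
import hmac


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key, block):
    """Toy 128-bit permutation (Feistel, 4 rounds). Any Feistel network is a
    bijection, which is all the CBC/CFB argument needs."""
    assert len(block) == 16
    l, r = block[:8], block[8:]
    for i in range(4):
        f = hmac.new(key, bytes([i]) + r, hashlib.sha256).digest()[:8]
        l, r = r, xor(l, f)
    return l + r


def cbc_encrypt(key, iv, pt):
    assert len(pt) % 16 == 0
    out, prev = [], iv
    for i in range(0, len(pt), 16):
        prev = block_encrypt(key, xor(pt[i:i + 16], prev))   # C_i = E(P_i ^ C_{i-1})
        out.append(prev)
    return b"".join(out)


def cfb_encrypt(key, iv, pt):
    assert len(pt) % 16 == 0
    out, prev = [], iv
    for i in range(0, len(pt), 16):
        prev = xor(block_encrypt(key, prev), pt[i:i + 16])   # C_i = E(C_{i-1}) ^ P_i
        out.append(prev)
    return b"".join(out)


def cfb_recover_first_block(c_known, p_known, c_target):
    """Same key and IV: C_0 ^ C'_0 = E(IV) ^ P_0 ^ E(IV) ^ P'_0 = P_0 ^ P'_0,
    so one known plaintext exposes the other's first block outright."""
    return xor(xor(c_known[:16], c_target[:16]), p_known[:16])


def cbc_common_prefix_blocks(c1, c2):
    """Under CBC the same IV only reveals how many leading blocks are equal;
    C_0 ^ C'_0 = E(P_0 ^ IV) ^ E(P'_0 ^ IV) says nothing about P_0 ^ P'_0."""
    n = 0
    for i in range(0, min(len(c1), len(c2)), 16):
        if c1[i:i + 16] != c2[i:i + 16]:
            break
        n += 1
    return n


if __name__ == "__main__":
    key, iv = b"0123456789abcdef", b"\x00" * 16          # reused IV (the bug)
    p1 = b"transfer 100 to alice, ref 0001."
    p2 = b"transfer 900 to mallory, ref 02."
    p3 = b"transfer 100 to bob, ref 000042."
    c1, c2, c3 = (cfb_encrypt(key, iv, p) for p in (p1, p2, p3))
    print(cfb_recover_first_block(c1, p1, c2))           # b'transfer 900 to '
    d1, d2, d3 = (cbc_encrypt(key, iv, p) for p in (p1, p2, p3))
    print(cbc_common_prefix_blocks(d1, d2), cbc_common_prefix_blocks(d1, d3))  # 0 1
```

In CFB the leak stops after the first differing block, because from then on the keystream blocks are E(C_{i-1}) with different inputs; in CBC the equal-prefix leak likewise ends at the first differing plaintext block. Neither mode survives a reused IV cleanly, which is why a counter-derived IV is only acceptable when the counter is guaranteed never to repeat across key lifetime.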

Re: Was a mistake made in the design of AACS?

2007-05-05 Thread Hal Finney
would imagine is a generally loose affiliation of attackers with diverse motivations. But as I said, my crystal ball is foggy. Hal Finney

Re: Yet a deeper crack in the AACS

2007-05-05 Thread Hal Finney
this work took place right out in the open, before the public eye. Definitely some smart people involved there. Hal Finney

AACS and Processing Key

2007-05-02 Thread Hal Finney
to technical difficulties in revocation strategy when a new processing key is published. Hal Finney

Re: Was a mistake made in the design of AACS?

2007-05-02 Thread Hal Finney
at least some of its goals. But these other considerations will work against them. Hal Finney

Re: can a random number be subject to a takedown?

2007-05-01 Thread Hal Finney
trying to get some government agency involved. The letter specifically cites 17 USC 1201(a)2 and (b)1, which can be read here: http://cyber.law.harvard.edu/openlaw/DVD/1201.html#a2 Hal Finney

Re: Governance of anonymous financial services

2007-03-30 Thread Hal Finney
Steve Schear writes: Here is the situation. An on-line financial service, for example a DBC (Digital Bearer Certificate), operator wishes his meat space identity, physical whereabouts, the transaction servers and at least some of the location(s) of the service's asset backing to remain

Re: virtualization as a threat to RNG

2007-03-23 Thread Hal Finney
reuse. The thread index will allow reading more of the discussion at http://www1.ietf.org/mail-archive/web/cfrg/current/threads.html under the title, how to guard against VM rollbacks. Hal Finney

Re: News.com: IBM donates new privacy tool to open-source Higgins

2007-02-04 Thread Hal Finney
of what this software implements, and I'm also unclear about the patent status of some of the more sophisticated aspects, but I'm looking forward to being able to experiment with this technology. Hal Finney

Re: analysis and implementation of LRW

2007-01-25 Thread Hal Finney
of the cipher, and at this point we must largely rely on heuristic and informal arguments to see whether any weaknesses are real or merely theoretical. Hal Finney PGP Corporation P1619 Member

RE: Exponent 3 damage spreads...

2006-09-21 Thread Hal Finney
Anton Stiglic writes: I tried coming up with my own forged signature that could be validated with OpenSSL (which I intended to use to test other libraries). ... Now let's look at s^3 1FFF\

Re: Why the exponent 3 error happened:

2006-09-17 Thread Hal Finney
/rsawrapr.c:RSA_CheckSign()) Hal Finney

Re: Real World Exploit for Bleichenbachers Attack on SSL from Crypto'06 working

2006-09-15 Thread Hal Finney
independently made the same error. It would be nice to know which it is. Hal Finney

Re: Why the exponent 3 error happened:

2006-09-15 Thread Hal Finney
passes the hash number outside the RSA signed data in addition to using PKCS-1 padding. This simplifies the parsing as it allows hard-coding the ASN-1 prefix as an opaque bit string, then doing a simple comparison between the prefix+hash and what it should be. Hal Finney

Re: Exponent 3 damage spreads...

2006-09-14 Thread Hal Finney
adding in multiples of the modulus and look for perfect cubes again, but basically the odds against are 1 in N^(2/3) so there is no point. Hal Finney PGP Corporation

Re: Raw RSA

2006-09-08 Thread Hal Finney
/bellare01onemorersainversion.html The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme by Bellare et al for some discussion of this issue. Hal Finney

Bleichenbacher's RSA signature forgery based on implementation error

2006-08-30 Thread Hal Finney
using RSA keys with exponents of 3. Even if your own implementation is not vulnerable to this attack, there's no telling what the other guy's code may do. And he is the one relying on your signature. Hal Finney
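
The forgery Hal is warning about here, and which the "Exponent 3 damage spreads" and "Why the exponent 3 error happened" messages above take apart, fits in a few lines once the lenient verifier is written out next to a correct one. What follows is an added example, not code from any of those threads. It assumes a fixed 2048-bit odd integer standing in for an RSA modulus (the forgery uses no private key, only the size of N matters) and a SHA-256 DigestInfo. The forger writes the required prefix 00 01 FF..FF 00 DigestInfo||hash at the top of a 256-byte block, leaves the rest zero, and takes the integer cube root rounded up; cubing it overshoots the target by less than 3s^2 + 3s + 1, which is far below the free bytes, so the prefix survives and s^3 < N means no reduction ever happens. That is also why the "add multiples of the modulus and look for cubes" search mentioned above is unnecessary: the bytes the lenient verifier never looks at absorb the rounding.

```python
"""Bleichenbacher's e = 3 forgery against a PKCS#1 v1.5 verifier that does
not check the padding runs all the way to the hash. Added example, not from
the thread. Assumption: N is a fixed 2048-bit odd integer standing in for an
RSA modulus; the forgery uses no private key, only the size of N matters."""
import hashlib
import hmac

E = 3
K = 256                                   # 2048-bit modulus, in bytes
N = int.from_bytes(hashlib.sha512(b"stand-in modulus").digest() * 4, "big") | (1 << 2047) | 1
DIGEST_INFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")


def icbrt(n):
    """Smallest integer s with s**3 >= n."""
    x = 1 << ((n.bit_length() + 2) // 3)             # starts above the root
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            break
        x = y
    while x ** 3 > n:
        x -= 1
    while (x + 1) ** 3 <= n:
        x += 1
    return x if x ** 3 == n else x + 1


def encoded(msg):
    return DIGEST_INFO_SHA256 + hashlib.sha256(msg).digest()


def verify_lenient(n, sig, msg):
    """Buggy verifier: skips the FF run, compares DigestInfo||hash right after
    the 00 separator and never looks at what follows."""
    em = pow(sig, E, n).to_bytes(K, "big")
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < K and em[i] == 0xFF:
        i += 1
    if i < 10 or i >= K or em[i] != 0x00:             # PKCS#1 wants >= 8 FF bytes
        return False
    t = encoded(msg)
    return hmac.compare_digest(em[i + 1:i + 1 + len(t)], t)   # trailing bytes ignored


def verify_strict(n, sig, msg):
    """Correct verifier: rebuild the full encoding and compare all K bytes."""
    em = pow(sig, E, n).to_bytes(K, "big")
    t = encoded(msg)
    expected = b"\x00\x01" + b"\xFF" * (K - 3 - len(t)) + b"\x00" + t
    return hmac.compare_digest(em, expected)


def forge(msg):
    """Put the required prefix at the top of a K-byte block, leave the rest
    zero, and take the integer cube root rounded up. Cubing s overshoots the
    target by less than 3*s^2 + 3*s + 1, which lands in the free bytes below
    the hash and leaves the prefix intact; s^3 < N, so no reduction happens."""
    prefix = b"\x00\x01" + b"\xFF" * 8 + b"\x00" + encoded(msg)
    target = int.from_bytes(prefix + b"\x00" * (K - len(prefix)), "big")
    s = icbrt(target)
    assert (s ** 3).to_bytes(K, "big").startswith(prefix) and s ** 3 < N
    return s


if __name__ == "__main__":
    sig = forge(b"pay mallory 1000")
    print(verify_lenient(N, sig, b"pay mallory 1000"))  # True
    print(verify_strict(N, sig, b"pay mallory 1000"))   # False
```

The strict verifier is the one the standard describes: reconstruct the whole encoded message and compare it, rather than parse the signature output. A verifier that parses will eventually accept something it should not, and as the message above says, the party relying on your signature is the one whose verifier matters.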

Re: switching from SHA-1 to Tiger ?

2006-07-11 Thread Hal Finney
to multiple forgeries. The ease or difficulty of this extension will depend on details of the MAC design, but in principle, the CW security properties allow for it. This means that MACs of moderate length, like 64 bits or less, need to be evaluated much more critically with a CW MAC implementation. Hal

Re: NIST hash function design competition

2006-07-11 Thread Hal Finney
a buffer period into the process to let people take their final shots. Hal Finney

NIST hash function design competition

2006-07-10 Thread Hal Finney
of outcome inevitable. But hopefully the hashing competition will learn from the AES experience and make sure that it takes as much time as it needs to take. Hal Finney

Re: Use of TPM chip for RNG?

2006-06-29 Thread Hal Finney
a TSS solution to be available on that platform as well. Thanks again to the people who provided me information about these various solutions! Hal Finney

Use of TPM chip for RNG?

2006-06-12 Thread Hal Finney
operational benefit from all those TPM chips being installed. I'll be happy to summarize results back to the list if people want to contact me privately. Thanks - Hal Finney [EMAIL PROTECTED]

Re: picking a hash function to be encrypted

2006-05-15 Thread Hal Finney
not get an ordinary hash. You are more likely to get an ordinary polynomial that will not serve at all well as a crypto hash. Hal Finney

Re: what's wrong with HMAC?

2006-05-02 Thread Hal Finney
show in section 6 various attacks on ad hoc constructions, but some of them are admittedly impractical. Hal Finney

Re: Unforgeable Blinded Credentials

2006-04-05 Thread Hal Finney
where f is the TPM private key and zeta is a unique per-site constant) that the site decides are being used suspiciously often, suggesting that they are being shared by a group. Hal Finney

Re: Unforgeable Blinded Credentials

2006-04-04 Thread Hal Finney
actually be fielded in the near future. Hal Finney

Re: Unforgeable Blinded Credentials

2006-04-01 Thread Hal Finney
/camlys02b.pdf . Hal Finney

Re: [Cfrg] HMAC-MD5

2006-03-30 Thread Hal Finney
I (Hal Finney) wrote: A couple of (rather uninformed) thoughts regarding HMAC-MD5: First, how could collision attacks be extended to preimage attacks? And second, how would preimage attacks affect HMAC-MD5? I have to apologize for that message; I was totally confused particularly

Re: [Cfrg] HMAC-MD5

2006-03-29 Thread Hal Finney
attacks against MD5 can be advanced to that point remains to be seen. If it works it will certainly be one of the premier cryptographic accomplishments of recent years. Hal Finney

Re: Entropy Definition (was Re: passphrases with more than 160 bits of entropy)

2006-03-23 Thread Hal Finney
constant specific to the UTM). Hence even if we consider successive approximations to Omega of ever increasing length, their measures would tend asymptotically to zero. Hal Finney

Re: Fermat's primality test vs. Miller-Rabin

2005-11-15 Thread Hal Finney
. It performed a small divisor test (only testing 3, 5, 7 and 11 as divisors!) and a single base 2 Fermat test, for its RSA keygen. Hal Finney
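
The screening described above, trial division by 3, 5, 7 and 11 followed by one base-2 Fermat test, can be reproduced and its gap shown directly. The following is an added example, not code from the thread. It assumes nothing beyond the standard library; the test values are two Carmichael numbers with no factor below 13, 29341 = 13*37*61 and 46657 = 13*37*97, which satisfy 2^(n-1) = 1 (mod n) and so pass the weak check, while Miller-Rabin with a few fixed bases rejects them. A search below 50000 lists every composite the weak check would hand to RSA key generation as a prime.

```python
"""Why "trial-divide by 3, 5, 7, 11 and run one base-2 Fermat test" is not a
primality test, and what Miller-Rabin adds. Added example, not from the
thread. Test values are Carmichael numbers with no factor below 13:
29341 = 13*37*61 and 46657 = 13*37*97."""

SMALL = (3, 5, 7, 11)


def weak_check(n):
    """The screening the thread describes: a few trial divisions, then a
    single Fermat test to base 2. Every odd Carmichael number satisfies
    2^(n-1) = 1 (mod n), so it sails through."""
    if n < 2:
        return False
    if n == 2:
        return True
    if n % 2 == 0:
        return False
    for p in SMALL:
        if n % p == 0:
            return n == p
    return pow(2, n - 1, n) == 1


def miller_rabin(n, bases=(2, 3, 5, 7, 11, 13, 17)):
    """Strong-probable-prime test. No composite below 3.4e14 passes all of
    these fixed bases; real key generation uses many random bases or a
    proven-prime construction."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        if a % n == 0:
            continue
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False           # a is a witness: n is composite
    return True


def is_prime_by_trial(n):
    """Ground truth for small n."""
    if n < 2:
        return False
    f = 2
    while f * f <= n:
        if n % f == 0:
            return False
        f += 1
    return True


def weak_check_survivors(limit):
    """Composites below limit that weak_check would accept as primes."""
    return [n for n in range(3, limit, 2) if weak_check(n) and not is_prime_by_trial(n)]


if __name__ == "__main__":
    for n in (29341, 46657):
        print(n, weak_check(n), miller_rabin(n))     # True False
    print(weak_check_survivors(50000)[:6])          # starts with 1387 and 2047
```

A Fermat test to a single fixed base cannot distinguish Carmichael numbers from primes at all, no matter how many such numbers there are, whereas for Miller-Rabin every odd composite has at most a quarter of the bases as strong liars, which is what makes repeating it with random bases meaningful.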

Re: Fwd: Tor security advisory: DH handshake flaw

2005-08-22 Thread Hal Finney
Ben Laurie writes: Apologies, slightly at cross-purposes here. For a start, Sophie Germain primes are needed for D-H (or rather, safe primes), and secondly, I was talking about proving arbitrary primes, rather than constructing provable primes. Dan Bernstein has lots of good information on

Re: Fwd: Tor security advisory: DH handshake flaw

2005-08-21 Thread Hal Finney
bandwidth. Unless you're looking for primes with a special format, like Sophie Germain primes or ones with lots of 1's up front and/or in the back, or primes considerably larger than 2048 bits, current methods should be fast enough for most applications even on sequential processors. Hal Finney

Re: Fwd: Tor security advisory: DH handshake flaw

2005-08-19 Thread Hal Finney
forward secrecy) under the traditional Dolev-Yao model. It's interesting that these attacks exist given this security analysis. Maybe it was treating the arithmetic as something of a black box? Chalk it up as another example of the limitations of these kinds of tools. Hal Finney

Re: Possibly new result on truncating hashes

2005-08-02 Thread Hal Finney
, unfortunately. Hal Finney

Re: Menezes on HQMV

2005-07-12 Thread Hal Finney
technique at Crypto next month, so perhaps there will be additional discussion there. Hal Finney

Re: Why Blockbuster looks at your ID.

2005-07-11 Thread Hal Finney
everywhere. A video game chain store in town, I think it's EBX, only accepts these cards, they won't take credit cards. Hal Finney

Re: AES cache timing attack

2005-06-17 Thread Hal Finney
Peter Gutman writes: [EMAIL PROTECTED] (Hal Finney) writes: Steven M. Bellovin writes: Dan Bernstein has a new cache timing attack on AES: http://cr.yp.to/antiforgery/cachetiming-20050414.pdf This is a pretty alarming attack. It is? Recovering a key from a server custom-written

Re: AES cache timing attack

2005-06-16 Thread Hal Finney
, and then add a delay using a high-res timer from the operating system to make it always take the same time. Hal Finney

Re: expanding a password into many keys

2005-06-14 Thread Hal Finney
or chooses keynames, but be unable to guess any keys for any other keynames. It's a good fit to the security requirements for your problem. Hal Finney

Re: [IP] SHA-1 cracked?

2005-03-05 Thread Hal Finney
and would not require any special communication capabilities. Hal Finney

Re: SHA-1 cracked

2005-02-22 Thread Hal Finney
in the footnote was a reference to this fact. Don't try to interpret it as meaning that the attack won't work against SHA. Hal Finney

Re: Your source code, for sale

2004-11-06 Thread Hal Finney
Enzo Michelangeli writes: In the world of international trade, where mutual distrust between buyer and seller is often the rule and there is no central authority to enforce the law, this is traditionally achieved by interposing not less than three trusted third parties: the shipping line, the

RE: Your source code, for sale

2004-11-04 Thread Hal Finney
Tyler Durden writes: So my newbie-style question is, is there an eGold that can be verified, but not accessed, until a 'release' code is sent? In other words, say I'm buying some hacker-ed code and pay in egold. I don't want them to be able to 'cash' the gold until I have the code.

Re: Financial identity is *dangerous*? (was re: Fake companies, real money)

2004-10-21 Thread Hal Finney
don't know if the extra complexity buys you much in this application though. Hal Finney

Crypto blogs?

2004-10-19 Thread Hal Finney
about Adam Shostack's http://www.emergentchaos.com/, although it seems to be more security than crypto. Any other good ones? Hal Finney

Re: Time for new hash standard

2004-09-20 Thread Hal Finney
Bruce Schneier wrote: Luckily, there are alternatives. The National Institute of Standards and Technology already has standards for longer - and harder to break - hash functions: SHA-224, SHA-256, SHA-384, and SHA-512. They're already government standards, and can already be used. This is a

Re: potential new IETF WG on anonymous IPSec

2004-09-10 Thread Hal Finney
secrets or CAs. I don't think anonymous is the right word for this, and I hope the IETF comes up with a better one as they go forward. Hal Finney

Joux attack against multipreimages

2004-09-08 Thread Hal Finney
-width hash construction is not as secure as an ideal hash. It is safe against multicollisions but not against multipreimages. Hal Finney

Re: Seth Schoen's Hard to Verify Signatures

2004-09-08 Thread Hal Finney
Hi, Adam - Yes, that's interesting. Seth Schoen's posting and subsequent blog entries do compare his goals with hashcash and similar stamp minting systems; where hashcash wants to make minting expensive and verification easy, Seth's HTV signatures aim to make signing easy and verifying expensive.

Re: ?splints for broken hash functions

2004-09-01 Thread Hal Finney
John Kelsey critiques the proposal from Practical Cryptography: We do not know of any literature about how to fix the hash functions, but here is what we came up with when writing this book. ... Let h be one of the hash functions mentioned above. Instead of m-h(m), we use m-h(h(m) || m) as

Re: A splint for broken hash functions

2004-08-31 Thread Hal Finney
to find a collision between the lines. This level of work is greater than that needed to invert the overall hash construction hence does not represent an attack. Hal Finney

Re: How thorough are the hash breaks, anyway?

2004-08-31 Thread Hal Finney
to predict. The name serial number suggests a degree of sequentiality and some CAs may follow such a policy, which could allow a motivated attacker to predict the value with considerable accuracy. Hal Finney

Re: More problems with hash functions

2004-08-28 Thread Hal Finney
surely must, then perhaps it is worth exploring. Hal Finney

Re: More problems with hash functions

2004-08-28 Thread Hal Finney
Jerry Leichter writes: It all depends on how you define an attack, and how you choose to define your security. I explored the outer edge: Distinguishability from a random function. For a random function from {0,1}*-{0,1}^k, we expect to have to do 2^k work (where the unit of work is an

Re: More problems with hash functions

2004-08-26 Thread Hal Finney
to n*2^(n/2). Your approach effectively makes this (n^3)*2^(n/2) which is an improvement, but still not attaining the exponential security increase expected from ideal hash functions. Hal Finney

Re: More problems with hash functions

2004-08-24 Thread Hal Finney
to find a way of combining sub-blocks which will retain the strength of the individual pieces rather than throwing half of it away. Hal Finney

Re: More problems with hash functions

2004-08-24 Thread Hal Finney
|| (M1 xor M2) M1 || (M1 xor M2') M1' || (M1' xor M2) M1' || (M1' xor M2') In each case the actual input to the 2nd block compression function (after xoring with the first block input) would be M2 or M2', as desired. Hal Finney

Re: On hash breaks, was Re: First quantum crypto bank transfer

2004-08-24 Thread Hal Finney
is the EU's RACE Integrity Primitives Evaluation project, and I haven't been able to find out what RACE stands for. RIPEM was an old implementation by Mark Riordan of the PEM (Privacy Enhanced Email) standard which preceded S/MIME. Hal Finney

Re: RPOW - Reusable Proofs of Work

2004-08-21 Thread Hal Finney
Matt Crawford writes: If you think of POW as a possible SPAM mitigation, how does the first receiving MTA assure the next MTA in line that a message was paid for? Certainly the mail relay doesn't want to do new work, but the second MTA doesn't know that the first isn't a spambot. The

Re: RPOW - Reusable Proofs of Work

2004-08-20 Thread Hal Finney
they would buy and sell RPOWs for money, they could serve in place of ecash. The main question is whether there will be any use for them so compelling that people would buy them. Hal Finney

Re: HMAC?

2004-08-20 Thread Hal Finney
values, which would make it harder to attack HMAC since you presumably would not be able to choose the data without knowing the IV. It may still be that you could do something with HMAC built on one of the broken ciphers, but we will have to wait for a fuller description of the technique. Hal
