Re: [Cryptography] RSA equivalent key length/strength

2013-10-02 Thread Paul Crowley
On 30 September 2013 23:35, John Kelsey wrote:

> If there is a weak curve class of greater than about 2^{80} that NSA knew
> about 15 years ago and were sure nobody were ever going to find that weak
> curve class and exploit it to break classified communications protected by
> it, then they could have generated 2^{80} or so seeds to hit that weak
> curve class.
>

If the NSA's attack involves generating some sort of collision between a
curve and something else over a 160-bit space, they wouldn't have to be
worried that someone else would find and attack that "weak curve class"
with less than 2^160 work.
___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography

Re: [Cryptography] People should turn on PFS in TLS (was Re: Fwd: NYTimes.com: N.S.A. Foils Much Internet Encryption)

2013-09-17 Thread Paul Crowley
At a stretch, one can imagine circumstances in which trying multiple seeds
to choose a curve would lead to an attack that we would not easily
replicate. I don't suggest that this is really what happened; I'm just
trying to work out whether it's possible.

Suppose you can easily break an elliptic curve with the right "attack
string".  Attack strings are very expensive to generate, at say 2^80
operations. Moreover, you can't tell what curves they break until they are
generated, but it's cheap to test whether a given string breaks a given
curve. Each string breaks about one curve in 2^80. Thus the NSA generate an
attack string, then generate 2^80 curves looking for one that is broken by
the string they generated.  They can safely publish this curve, knowing
that unless a new attack is developed it will take 2^160 effort for anyone
else to generate an attack string that breaks the curve they have chosen.
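
The cost asymmetry sketched in the post above, carried through in general form (added here; it is not part of the original message). Let each attack string cost $2^a$ to generate, let a string break a fraction $2^{-b}$ of all curves, and let generating and testing one candidate curve cost $c \ll 2^a$. The number of trials until the first hit is geometric, so

$$
\begin{aligned}
W_{\text{insider}} &= 2^a + c\,\mathbb{E}[T] = 2^a + c\,2^b, \qquad T \sim \mathrm{Geom}(2^{-b}),\\
W_{\text{outsider}} &= 2^a \cdot \mathbb{E}[T'] = 2^a \cdot 2^b = 2^{a+b}, \qquad T' \sim \mathrm{Geom}(2^{-b}),
\end{aligned}
$$

where the outsider pays $2^a$ for every fresh string because the published curve is fixed and each string hits it only with probability $2^{-b}$. With the post's numbers $a = b = 80$ and $c \approx 1$ this gives $W_{\text{insider}} \approx 2^{81}$ against $W_{\text{outsider}} = 2^{160}$. The whole advantage is the factor $2^b$ by which candidate curves are cheaper to enumerate than attack strings; if curve generation cost as much as string generation ($c \approx 2^a$), the insider would face $2^{a+b}$ as well.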

Re: [Cryptography] Squaring Zooko's triangle

2013-09-11 Thread Paul Crowley
From the title it sounds like you're talking about my 2007 proposal:

http://www.lshift.net/blog/2007/11/10/squaring-zookos-triangle
http://www.lshift.net/blog/2007/11/21/squaring-zookos-triangle-part-two

This uses key stretching to increase the work of generating a colliding
identifier from 2^64 to 2^88 steps.

Re: [cryptography] What's the state of the art in factorization?

2010-07-09 Thread Paul Crowley

Jonathan Katz wrote:

[2] http://www.cs.umd.edu/~jkatz/papers/dh-sigs-full.pdf


On the other hand, there is one published scheme that gives a slight 
improvement to our paper (it has fewer on-line computations): it is a 
paper by Chevallier-Mames in Crypto 2005 titled "An Efficient CDH-Based 
Signature Scheme with a Tight Security Reduction".


My preferred signature scheme is the second, DDH-based one in the linked 
paper, since it produces shorter signatures - are there any proposals 
which improve on that?


Incidentally, the paper doesn't note this but that second scheme has a 
non-tight reduction to the discrete log problem in exactly the way that 
Schnorr does.

--
  __
\/ o\ Paul Crowley, p...@ciphergoth.org
/\__/ http://www.ciphergoth.org/

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com


Re: full-disk encryption standards released

2009-01-29 Thread Paul Crowley

Steven M. Bellovin wrote:

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9126869&intsrc=hm_ts_head


I think the standard itself is here:

https://www.trustedcomputinggroup.org/specs/Storage/

Browsing "TCG Storage Security Subsystem Class: Opal", I'm having a hard 
time seeing where the actual cryptography is specified.  They mention 
that they use AES but I can't see where they tell us what mode of 
operation they are using.



Re: CPRNGs are still an issue.

2008-12-16 Thread Paul Crowley

Damien Miller wrote:

On Thu, 11 Dec 2008, James A. Donald wrote:

If one uses a higher resolution counter - sub
microsecond - and times multiple disk accesses, one gets
true physical randomness, since disk access times are
affected by turbulence, which is physically true
random.


Until someone runs your software on a SSD instead of a HDD. Oops.


How would software that attempted to measure the entropy of the incoming 
seek times behave when an SSD replaced an HDD?  Would the reduction in 
measured entropy be proportional to the reduction in entropy from the 
attacker's point of view?



Re: SRP implementation - choices for N and g

2008-08-26 Thread Paul Crowley

Michael Tschannen wrote:

Has anybody already gained experience concerning the technical
implementation of SRP (http://srp.stanford.edu)? There is one point I
couldn't find in any documentation: Should the modulus and the generator
(N and g) be unique for each client or can they be chosen
application-wide? What are the (security-related) implications in each
case?


They can safely be chosen application-wide, so long as they are secure 
choices as per the "Group parameter agreement" section of the SRP spec. 
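One way to check that application-wide SRP parameters are "secure choices" before shipping them, as an added example that is not part of the thread or of the SRP project's own code. It assumes the RFC 2945 / RFC 5054 requirements that N be a safe prime (N = 2q + 1 with q prime) and g a generator of the full group Z_N^*; the small N = 23 values are constructed for illustration, not real SRP groups.

```python
# Added example: validate SRP group parameters (N, g) that will be shared
# application-wide. A bad N or g is a single point of failure for every user,
# so check it once, deliberately, rather than trusting a pasted constant.
import random


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test (never rejects a true prime)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:          # write n - 1 = d * 2^r with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False       # a is a witness that n is composite
    return True


def is_safe_prime(n):
    """N must be a safe prime: both N and q = (N - 1) / 2 prime."""
    return is_probable_prime(n) and is_probable_prime((n - 1) // 2)


def is_generator(g, n):
    """For a safe prime N = 2q + 1, g generates Z_N^* iff g^2 != 1 and g^q != 1."""
    q = (n - 1) // 2
    if not 1 < g < n - 1:
        return False
    return pow(g, 2, n) != 1 and pow(g, q, n) != 1


def check_srp_group(n, g, min_bits=1024):
    """Return a list of problems; an empty list means (N, g) is acceptable."""
    problems = []
    if n.bit_length() < min_bits:
        problems.append("N is shorter than %d bits" % min_bits)
    if not is_safe_prime(n):
        problems.append("N is not a safe prime")
    elif not is_generator(g, n):
        problems.append("g is not a generator of Z_N^*")
    return problems
```

With the constructed toy values, N = 23 and g = 5 pass while g = 2 is rejected because it only generates the order-11 subgroup.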


5x speedup for AES using SSE5?

2008-08-23 Thread Paul Crowley

http://www.ddj.com/hpc-high-performance-computing/201803067

In the above Dr Dobb's article from a little over a year ago, AMD Senior 
Fellow Leendert vanDoorn states "the Advanced Encryption Standard (AES) 
algorithm gets a factor of 5 performance improvement by using the new 
SSE5 extension".  However, glancing through the SSE5 specification, I 
can't see at all how such a dramatic speedup might be achieved.  Does 
anyone know any more, or can anyone see more than I can in the spec?


http://developer.amd.com/cpu/SSE5/Pages/default.aspx