Re: [cryptography] [Cryptography] basing conclusions on facts
On 6/16/14, ianG i...@iang.org wrote:
> The revelation that a crypto company was patenting a backdoor in an international standard is indeed faith-shattering. Details aside... Tanja Lange points out that the original filing by Certicom covered both escrow and anti-escrow. Oh, my, how comprehensive they were in their wisdom. They win if they spy, they win if they defend.

Yeah - short but excellent summary: They win if they spy, they win if they defend.

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] basing conclusions on facts (was: Re: Dual EC backdoor was patented by Certicom?)
On 6/15/14, Stephen Farrell stephen.farr...@cs.tcd.ie wrote:
> On 15/06/14 14:13, ianG wrote:
>> What is also curious is that Dan Brown is highly active in the IETF working groups for crypto,
>
> That is not correct as far as I can see. In my local archives, I see one email from him to the TLS list in 2011 and none in 2012. For the security area list (saag), I see a smattering of mails in 2011 and 2012 and none in 2013. For the IRTF's CFRG, I see a few in 2010, none in 2011 and some in 2012 and 2013. I do see increased participation over the last year on the DUAL-EC topic. None of the above is anywhere near "highly active", which is therefore simply false.

Pfff - you are nitpicking.

1. The point that ianG made is clearly understood: He/she is condemning Certicom's, Dan Brown's and Scott Vanstone's attempts to patent the backdoor (to invent and then to patent it). ianG has also tried to raise the dilemma among all of us that are following this list: what is Dan Brown doing in the IETF?

2. The point that you are making is also clearly understood: By nitpicking you are trying to clear the amoral actions of Certicom, Dan Brown and Scott Vanstone.

David Jr.
Re: [cryptography] skype backdoor confirmation
Danilo Gligoroski danilo.gligoro...@gmail.com wrote:
> 1. Indeed these discussions among the security community
> 2. Eventually some contacts with journalists will help the cause (one live demonstration on some security/crypto conference like Usenix, Black Hat, Crypto, ... will do the job).
> 3. I see a chance for some other product like: Zfone (that never took significant popularity), maybe Pidgin, maybe Cryptocat, ...
> 4. Even some open source security plugin for Skype.

My two cents:

4a: An SSH Java open source wrapper around Skype will do the job. The chat logs or any other traffic that Skype is leaking to some Echelon-like spying sites will be externally encrypted by the SSH wrapper.

Regards,
David
Re: [cryptography] NIST and other organisations that set up standards in information security cryptography. (was: Doubts over necessity of SHA-3 cryptography standard)
On 4/22/12, Tanja Lange ta...@hyperelliptic.org wrote:
> In reply to the latest postings: Many submissions were faster than SHA-2 at the time of submission. Lots of people had fun speeding up SHA-2 -- so the competition has definitely led to a faster SHA-2. Also, check out http://bench.cr.yp.to/graph-sha3/long.png to see that on CPUs Blake is faster than SHA-2; for the bigger CPUs also Skein is faster than SHA-2, so there are efficiency benefits of the new hash functions. Furthermore, whichever candidate is chosen as SHA-3 will have a bigger security margin than SHA-2.

SUPERCOP is one of my favorite web sites. Kudos to you and Dan for the great job.

Indeed Blake and Skein are faster than SHA-2, but NOT SIGNIFICANTLY. MD5 is SIGNIFICANTLY faster than SHA-2, and terribly broken. Several other candidates (including CubeHash) are significantly faster than SHA-2 and they were broken with attacks requesting 2^170, 2^200, 2^380, 2^480 hash evaluations.

So, on one hand we will have SHA-3 that is NOT significantly faster than SHA-2, and on the other hand we have expert opinions like that of Bart Preneel, saying in his talk given at the Twelfth International Conference on Information and Communications Security ICICS 2010: "Now, we have learned that an improved MD design should include the following parts: Salt + Output transformation + Counter + Wide pipe."

That is my sole point in this thread: I expect this gained knowledge to be used by other rivals of NIST, in order to endorse hash standards that will be as safe as SHA-3, but SIGNIFICANTLY faster than SHA-3.

Regards,
David Adamson Jr
Re: [cryptography] workaround for length extension attacks (was: Doubts over necessity of SHA-3 cryptography standard)
On Fri Apr 13 23:36:26 EDT 2012 Zooko Wilcox-O'Hearn zooko at zooko.com wrote:
> I guess that's one really good thing about SHA-3 is that the next generation of those web developers, after SHA-2 is removed from standard libraries, will accidentally have safe auth. :-) I really don't know when that will be, though. NSA designed SHA-2 to stay in libraries for a long time.

Length extension is not an issue for SHA-2 anymore with SHA-512/256. That is a double-pipe hash function perfectly secure against length-extension attack. On 64-bit platforms SHA512 and SHA512/256 are almost as fast as Skein and Blake (one of which will be the next SHA-3), and according to [1], "Furthermore, even the fastest finalists will probably offer only a small performance advantage over the current SHA-256 and SHA-512 implementations."

However, since SHA-2 and (to be SHA-3) are 2, 3 or even 4 times slower than MD5 or SHA-1, and NIST running the SHA-3 competition changed their own initial goal of SHA-3 being significantly faster than SHA-2, I expect in the following period several other influential international players in the area of standardizing cryptographic primitives to use that strategic mistake made by NIST, and to push for a hash standard that will be significantly faster than SHA-2 and SHA-3.

Remember RIPEMD-160? RIPEMD-160 was proposed and backed up by the EU, but being many times slower than MD5 and SHA-1, it never became a popular industrial choice. It was a nice academic design but not accepted by the industry. Now I expect the EU to use the opportunity and finally back up a hash function that industry will prefer. But I see also that Russia, China and Japan can also use NIST's screw-up with the performance of SHA-3 and will try to take over the industrial primacy with their own hash function. At the end, supremacy in setting up cryptographic standards is what will bring reputation, trust and strategic positioning in the world that in the following years will digest exabytes per hour.

SO: I expect a new hash competition (run by the EU, Russia, China or Japan) where the US SHA-3 standard will be a reference point and the goal will be to design 256 and 512 bit hash functions that are 3-4 times faster than SHA-3.

Regards,
David Adamson Jr

[1] Shay Gueron, Vlad Krasnov, "Parallelizing message schedules to accelerate the computations of hash functions"
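The two technical claims in this thread, that a wide pipe (Preneel's list in the SHA-3 thread) is one of the ingredients of a sound MD design and that a truncated double-pipe output such as SHA-512/256 stops length extension where the naive H(key || msg) construction over SHA-256 does not, can be checked on a toy Merkle-Damgard chain. The code below is an added example and is not part of any message in this thread or of any real hash specification: the compression function, the 16-byte block size, the key and the message are all constructed for the demonstration, and SHA-512 is used only as an opaque mixing primitive so the block runs offline. The narrow variant outputs its full chaining state (SHA-256-like), the wide variant outputs half of a twice-as-wide state (SHA-512/256-like); `extend_narrow` is the verifier-side check of what a party holding only the tag and the message length can compute, and `hmac_sha256` is the construction the thread's "accidentally safe auth" should have used from the start.

```python
import hashlib
import hmac
import struct

BLOCK = 16  # toy block size in bytes (constructed for this example)


def _compress(state, block):
    # Toy compression function: SHA-512 as an opaque mixer, truncated to the
    # state width. Constructed for the demonstration; not a real hash design.
    return hashlib.sha512(state + block).digest()[:len(state)]


def _pad(total_len):
    # Merkle-Damgard strengthening: 0x80, zero fill, 8-byte big-endian bit count.
    pad = b"\x80"
    while (total_len + len(pad) + 8) % BLOCK:
        pad += b"\x00"
    return pad + struct.pack(">Q", total_len * 8)


def md_hash(msg, state_width, out_len, iv=None, already=0):
    """Iterate the toy compression function over msg plus padding.

    `iv` and `already` allow the chain to be resumed from a known state at a
    known byte offset, which is exactly what length extension relies on."""
    state = iv if iv is not None else bytes(state_width)
    data = msg + _pad(already + len(msg))
    for i in range(0, len(data), BLOCK):
        state = _compress(state, data[i:i + BLOCK])
    return state[:out_len]


def narrow_hash(msg):
    # Output is the entire 32-byte chaining state (narrow pipe, SHA-256-style).
    return md_hash(msg, 32, 32)


def wide_hash(msg):
    # 64-byte state, 32-byte output: half the state never leaves the function
    # (double pipe with truncated output, SHA-512/256-style).
    return md_hash(msg, 64, 32)


def extend_narrow(digest, orig_len, suffix):
    """Given only narrow_hash(m) and len(m), compute narrow_hash(m || glue || suffix).

    Works because the digest IS the chaining state after m || glue."""
    glue = _pad(orig_len)
    forged = md_hash(suffix, 32, 32, iv=digest, already=orig_len + len(glue))
    return glue + suffix, forged


def extend_wide_attempt(digest, orig_len, suffix):
    """Same procedure against the wide pipe: the 32 hidden state bytes must be
    guessed (zeros here), so the resumed chain starts from the wrong state."""
    glue = _pad(orig_len)
    guessed_state = digest + bytes(32)
    forged = md_hash(suffix, 64, 32, iv=guessed_state, already=orig_len + len(glue))
    return glue + suffix, forged


def prefix_mac(key, msg, h=narrow_hash):
    # The "accidental" construction discussed in the thread: H(key || msg).
    return h(key + msg)


def hmac_sha256(key, msg):
    # The hardened form: HMAC over a real hash, safe regardless of pipe width.
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify(expected, tag):
    # Constant-time comparison on the verifier side.
    return hmac.compare_digest(expected, tag)


def demo():
    """Returns (narrow_forgery_verifies, wide_forgery_verifies, hmac_forgery_verifies)."""
    key = b"k" * 16                 # constructed sample key; only its length is assumed known
    msg = b"amount=10&to=alice"     # constructed sample message
    suffix = b"&to=mallory"         # constructed extension
    total = len(key) + len(msg)

    tag = prefix_mac(key, msg)
    ext, forged_tag = extend_narrow(tag, total, suffix)
    narrow_ok = verify(prefix_mac(key, msg + ext), forged_tag)

    tag_w = prefix_mac(key, msg, wide_hash)
    ext_w, forged_w = extend_wide_attempt(tag_w, total, suffix)
    wide_ok = verify(prefix_mac(key, msg + ext_w, wide_hash), forged_w)

    hmac_ok = verify(hmac_sha256(key, msg + ext), forged_tag)
    return narrow_ok, wide_ok, hmac_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The narrow-pipe forgery verifies because `key || msg || glue` is block-aligned, so the published digest equals the chaining state from which the suffix is simply processed further; the wide-pipe and HMAC checks fail for the same reason in reverse, the state needed to continue is not derivable from the 32 output bytes. Note that this only models the structural property; real SHA-512/256 additionally uses its own initial values rather than plain truncated SHA-512, which the toy does not reproduce.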