A similar approach enabled Bleichenbacher's SSL attack on RSA with PKCS#1 padding. This sounds very dangerous to me.

William
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of cyphrpunk
Sent: Friday, October 28, 2005 5:07 AM
To: [EMAIL PROTECTED];
I haven't read the original paper, and I have a great deal of respect for Markus Jakobsson. However, techniques that establish that the parties share a weak secret without leaking that secret have been around for years -- Bellovin and Merritt's DH-EKE, David Jablon's SPEKE. And they don't require
http://theory.csail.mit.edu/~yiqun/shanote.pdf
No real details, just collisions for 80-round SHA-0 (which I just confirmed) and 58-round SHA-1 (which I haven't bothered with), plus the now famous work factor estimate of 2^69 for full SHA-1.

As usual, technical details will be