Re: SHA1 broken?

2005-02-17 Thread Dave Howe
Joseph Ashwood wrote:
> I believe you are incorrect in this statement. It is a matter of public
> record that RSA Security's DES Challenge II was broken in 72 hours by
> $250,000 worth of semi-custom machine, for the sake of solidity let's
> assume they used 2^55 work to break it. Now moving to a completely
> custom design, bumping up the cost to $500,000, and moving forward 7
> years, delivers ~2^70 work in 72 hours (give or take a couple orders of
> magnitude). This puts the 2^69 work well within the realm of realizable
> breaks, assuming your attackers are smallish businesses, and if your
> attackers are large businesses with substantial resources the break can
> be assumed in minutes if not seconds.
>
> 2^69 is completely breakable.
>    Joe

  It's fine assuming that Moore's law will hold forever, but without
that you can't really extrapolate a future tech curve. With *today's*
technology, you would have to spend an appreciable fraction of the
national budget to get a one-per-year "break", not that anything that
has been hashed with SHA-1 can be considered breakable (but that would
allow you to (for example) forge a digital signature given an example).
  This of course assumes that the "break" doesn't match the criteria
from the previous breaks by the same team - i.e., that you *can* create a
collision, but you have little or no control over the plaintext for the
colliding elements - there is no way to know as the paper hasn't been
published yet.



Cybercash on Vacation

2005-02-17 Thread R.A. Hettinga


Technology Review

Cybercash on Vacation
By Peter Wayner, March 2005


Back in 1996, a small handful of cryptographers, bankers, and blue-sky
thinkers were debating, on Internet mailing lists, the future of money,
when one of them came up with a brilliant idea. If they formed an
organization, booked a Caribbean hotel in the dead of winter, and put a few
papers through the peer review process, they could get their bosses to pay
them to hang out in person. They could sit in the sun and dream about what
it would take to move cash, settle debts, sell things, sign contracts, and
extend credit in the virtual world.


Bob Hettinga, an organizer of the resulting Financial Cryptography
Conference, sounds a bit maudlin when he looks back at that first meeting,
which took place in February 1997 on the island of Anguilla: "It was like
all the net-dot-gods descended on Anguilla. Geeks, financial,
cryptographic, and otherwise. Cypherpunks. Bankpunks, pseudonymous
individuals, guys who would go on to become senior administration
officials, and even people who were paying the $1,000 conference fee in
cash because their corporate-sponsored lawyers told them to stay out of the
papers after various previous escapades."

 This year's conference, taking place in February and March in the
Commonwealth of Dominica, doesn't have the same luster. The program is
jammed with papers about "privacy-preserving protocols" and "probabilistic
escrow" but contains little from the nonacademic world. The people who work
at actual financial institutions just aren't as interested in financial
cryptography as they were in 1997.

It wasn't supposed to be this way. In 1997, the bankers, lawyers, and
accountants were fascinated by what the digital magicians could do with a
few equations. Even though it's easy to make perfect copies of digital
files, for instance, mathematicians found a way to produce a digital $50
bill that would stymie counterfeiters. They didn't stop there. They
imagined transactions that avoided the overhead of a central clearing
house, digital currency that paid interest, and even complicated digital
rights management tools that locked up music, art, and writing with the
same equations used to protect money. Some talked about minting just 500
digital baseball cards for each player and letting the values rise and fall
with batting averages. In short, they imagined a world where wealth was not
frozen in gold and locked in vaults, but rather held in digital mechanisms
that could adapt to whatever people wanted. Some mechanisms could even be
as anonymous as paper cash, and transactions wouldn't require much more
than the click of a mouse.

But while the mathematics is still fascinating, the emergence of any system
based on it is receding into the nebulous future. Today, credit card
companies dominate the Web with a system that, at its heart, is little
different from the one that employed carbon-paper chits. One of the few
companies to find some success in financial cryptography, PayPal, gets most
of its revenue from eBay auctions, where it serves, in essence, as a
well-designed front end for the credit card system.

Adam Shostack, another of the original organizers, thinks that the reason
for the failure of financial cryptography is simple. "People are
conservative in how they pay for things," he says. Indeed, the problem for
financial cryptography's would-be pioneers is that the old credit card
system seems to be good enough for the new online world. If Amazon,
Wal-Mart, and other e-commerce sites can keep customers happy with plastic
cards, there's little demand for any of the more exciting ideas.

Joseph Nocera, author of A Piece of the Action, a history of the credit
card industry, says digital currency is facing "a chicken-and-egg question"
but points out that credit cards encountered the same problem, and that
their acceptance took decades. In fact, 2003 was the first year credit
cards and other electronic systems carried more payments than bank checks.

As they come to appreciate just how long the road ahead will likely be,
some financial cryptographers are searching for niches where they can
flourish in the short term. Take, for example, Waltham, MA-based startup
Peppercoin, the brainchild of MIT computer scientists Silvio Micali and Ron
Rivest. Peppercoin is attempting to specialize in very small sums (see "The
Web's New Currency," December 2003). One of its bigger initiatives is
developing a cryptographic system that would enable people to use their
credit cards at parking meters, an application that would be prohibitively
expensive for the traditional credit card network, which has a minimum
transaction fee of about a quarter. If Peppercoin's technology can cut
transaction costs enough, it can capture this market and also make it
possible for people to spend small amounts online.

The inability to ha

Re: [CYBERIA] a story that might be of interest to cyberians

2005-02-17 Thread R.A. Hettinga

--- begin forwarded text


User-Agent: Mozilla Thunderbird 0.8 (Windows/20040913)
Date: Thu, 17 Feb 2005 01:08:28 -0500
Reply-To: Law & Policy of Computer Communications <[EMAIL PROTECTED]>
Sender: Law & Policy of Computer Communications <[EMAIL PROTECTED]>
From: Inna Barmash <[EMAIL PROTECTED]>
Subject: Re: [CYBERIA] a story that might be of interest to cyberians
To: [EMAIL PROTECTED]

This is a really interesting project at Princeton, and it's been going
on for decades. (see the book "Margins of Reality" -
http://www.amazon.com/exec/obidos/tg/detail/-/015657246X/qid=1108619801/sr=8-1/ref=pd_csp_1/002-8298211-8744829?v=glance&s=books&n=507846)

I've taken the tour of the laboratory and participated in a couple of
the experiments (as a guinea pig, that is).  The feeling there is quite
surreal, and they have dramatized the setting in the lab itself quite
well.  The random number generator is a huge machine with a downstream
of little balls, which the subjects - through the power of immense
conscious concentration - make go one way or the other.  They also have
a wave-simulating machine, which supposedly echoes the patterns of the
Jersey shore waves.
For at least some of the machines, the researchers have found a
significant effect not only with people in the same room, but subjects
as far as Australia, AND even in the future -  influencing the "random"
outcome of the past ...

It'll be interesting to see if the significant effects are amplified
with more and more subjects pitching in through this international project.

--Inna





Paul Gowder wrote:

>Check out this article re: random number generators
>apparently influenced by consciousness:
>http://www.rednova.com/news/display/?id=126649#121
>
>the Princeton project that this is connected with:
>http://noosphere.princeton.edu/
>
>This is fascinating, and potentially groundbreakingly
>huge stuff.
>
>God, how I want to go back to school and study math
>and physics.  Maybe in a few years I will.
>


**
For Listserv Instructions, see http://www.lawlists.net/cyberia
Off-Topic threads: http://www.lawlists.net/mailman/listinfo/cyberia-ot
Need more help? Send mail to: [EMAIL PROTECTED]
**

--- end forwarded text


-- 
-
R. A. Hettinga 
The Internet Bearer Underwriting Corporation 
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



Re: SHA1 broken?

2005-02-17 Thread Roland Dowdeswell
On 1108637369 seconds since the Beginning of the UNIX epoch
Dave Howe wrote:
>
>   It's fine assuming that Moore's law will hold forever, but without
>that you can't really extrapolate a future tech curve. With *today's*
>technology, you would have to spend an appreciable fraction of the
>national budget to get a one-per-year "break", not that anything that
>has been hashed with SHA-1 can be considered breakable (but that would
>allow you to (for example) forge a digital signature given an example).

I think that it is generally prudent to make the most ``conservative''
assumption with regards to Moore's Law in any given context.  I.e.
bet that it will continue when determining how easy your security
is to brute force, and assume that it will not when writing code.

--
Roland Dowdeswell  http://www.Imrryr.ORG/~elric/



Re: Digital Water Marks Thieves

2005-02-17 Thread Adam Fields
On Tue, Feb 15, 2005 at 01:40:33PM -0500, R.A. Hettinga wrote:
> Until, of course, people figure out that taggants on everything do nothing
> but confuse evidence and custody, not help it.
> 
> Go ask the guys in the firearms labs about *that* one.

I like Bruce Schneier's take on this:

"The idea is for me to paint this stuff on my valuables as proof of
ownership. I think a better idea would be for me to paint it on your
valuables, and then call the police."

http://www.schneier.com/blog/archives/2005/02/smart_water.html

-- 
- Adam

-
** My new project --> http://www.visiognomy.com/daily
   **  Flagship blog --> http://www.aquick.org/blog
Hire me: [ http://www.adamfields.com/Adam_Fields_Resume.htm ]
Links:   [ http://del.icio.us/fields ]
Photos:  [ http://www.aquick.org/photoblog ]




Malware, spam prompts mass net turn off

2005-02-17 Thread R.A. Hettinga


The Register

Original URL:
http://www.theregister.co.uk/2005/01/14/malware_mass_net_turn_off/

Malware, spam prompts mass net turn off
By Andrew Orlowski in San Francisco (andrew.orlowski at theregister.co.uk)
Published Friday 14th January 2005 10:12 GMT

Both beginners and veterans are finding the Interweb experience so
repellent that they're disconnecting in droves, blaming malware and spam.
Despite an overall increase in numbers of humans connected to the internet,
the mass turn-off is beginning to hit ecommerce in the United States.

"Instead of making life easier - the essential promise of technologies
since the steam engine - the home PC of late has made some users feel
stupid, endangered or just hassled beyond reason," writes Joe Menn, who
penned the definitive book on the Napster phenomenon, in a must-read
feature
(http://www.latimes.com/business/la-fi-fedup14jan14,0,111456.story?coll=la-home-headlines)
for the Los Angeles Times.

Gee. And we thought everyone was joining the 'blogosphere' - melding into
one enormous global hive mind. Clearly, something is spoiling this happy
picture.

Although overall internet usage is increasing, ecommerce has felt the brunt
of the mass turn-off, as newcomers find the net is less than they expected,
and veterans decide that being connected is no longer tolerable.

The Times cites a survey in which almost a third of online shoppers are
buying less than they used to because of security worries. Despite the US
broadband boom, the number of online shoppers rose only one per cent last
year.

Menn also suggests why. A recent survey reckoned 80 per cent of PCs are
infected by malware. The speed with which an unprotected lab was infected
- just four minutes
(http://www.theregister.co.uk/2004/12/01/honeypot_test/) - bears that out.
And there's little sign of respite. Malware authors are creating 150
zombies a week
(http://www.theregister.co.uk/2005/01/05/mcafee_avert_report/).

Now comes the hard part. Mired deep in New Age gloop, California's internet
evangelists can't even see the problem, let alone suggest a solution. Into
this intellectual vacuum, draconian solutions - almost all of which involve
compromising the end-to-end principles that have allowed so much malware to
flourish - seem likely to find favor with fed-up net users.

Over two years ago we speculated that lock-down solutions such as Palladium
and TCPA, or safe, private nets may one day be welcomed as a solution to
the internet's tragedy of the commons. This looks more likely than ever.

Self-healing, it ain't. ®




Undeliverable Mail

2005-02-17 Thread Postmaster
No message body: [EMAIL PROTECTED]


Original message follows.



Yahoo!: Please Verify Your Email Address

2005-02-17 Thread Yahoo! Member Services
Title: Yahoo! Email Verification

Do not reply to this message. If this account doesn't belong to you, please follow the instructions at the end of this email.

Verify Your Email Address

Please confirm that this is your email address. Click on the link below and then enter your Yahoo! password into the form.

Important! Please click here to verify this email address for your account.

Your Yahoo! ID: hkan_akman
Your Email Address: cypherpunks@minder.net

Email verification helps make Yahoo! safer and more enjoyable for everyone.

If you can't click on the sentence labeled "Important!" above, you can also verify your email address by cutting and pasting (or typing) the following address into your browser: http://edit.yahoo.com/v/recv?06e39b
For your records, your verification code is: 06e39b

Policies: Please remember that your use of Yahoo! products and services is subject to the Yahoo! Terms of Service and Privacy Policy.
Maintaining Your Account: Please update your email address whenever it changes so we can help with any account access issues. (You will be asked to sign in first.) Or, sign in to Yahoo!, go to Account Information, click the Edit button next to Member Information, and you will be able to change your alternate email address(es).
Not Your Account?: If this email is in reference to a Yahoo! account not created or used by you, please click here.


Time to regulate the software industry?

2005-02-17 Thread R.A. Hettinga


CNET News


 Time to regulate the software industry?

 By Dawn Kawamoto

 Story last modified Wed Feb 16 20:20:00 PST 2005



 SAN FRANCISCO--A panel of security experts on Wednesday debated the merits
of regulating the software industry to curtail software flaws--and hence
reduce the volume of virus attacks.

With software flaws serving as the open door to viruses and worms, a panel
of industry experts at the RSA Conference here debated whether it's time to
regulate software companies. The experts were mixed on the effectiveness of
such a plan and whether it could be undertaken without curtailing
innovation.

 "The issue is not to regulate or not," said Harris Miller, president of
the Information Technology Association of America. "Our industry is all
about innovation, and my concern with regulation is it's often the enemy of
innovation."

 In that same vein, Rick White, chief executive of technology advocacy
group TechNet, said the industry should come together and develop
guidelines for best practices on developing software with minimal flaws,
rather than imposing regulations.

 "Congress will never solve the problem as well as the people who work in
the industry," said White, a former congressman from Washington state.

 But other panelists were not as sure.

 Dick Clarke, chairman of Good Harbor Consulting and former presidential
special advisor on cybersecurity, noted efforts to have industries develop
guidelines and follow through have failed in the past. He pointed to a deal
Michael Powell, outgoing Federal Communications Commission chairman, struck
with Internet service providers (ISPs).


Powell held a meeting with ISPs, wherein they developed guidelines. And
although Powell threatened to regulate their industry if they did not abide
by those guidelines, the ISPs did not adhere to those self-imposed
practices, Clarke said.

 "Powell bluffed them. They knew it, and now he is leaving office," Clarke
said.

 Other panelists, such as encryption expert and author Bruce Schneier, also
called for more action in prompting software vendors to vet through their
code before releasing it to the market.

 "If we make it in their best interest to do this, then it will happen. You
need to find a set of financial incentives," Schneier said. "Regulations
would increase the cost of not doing security, and that would increase
security (testing)."

 He noted companies that currently take the time to test the security of
their software before releasing it to the markets are at a
disadvantage--higher costs and potential late arrival to the market.

 Additional financial incentives may come from customers demanding a
certain level of security testing from a vendor, before agreeing to sign a
contract to purchase their products, Schneier said.

 In offering a post Sept. 11, 2001, warning, Clarke said: "Regulation is
neither good nor bad...but the industry should bear this in mind. After we
have an incident, regulations will be much worse."




[osint] Switzerland Repatriates $458m to Nigeria

2005-02-17 Thread R.A. Hettinga

--- begin forwarded text


To: "Bruce Tefft" <[EMAIL PROTECTED]>
Thread-Index: AcUVCpcZCIoZtD6dRp62Gatn1nTR2g==
From: "Bruce Tefft" <[EMAIL PROTECTED]>
Mailing-List: list osint@yahoogroups.com; contact [EMAIL PROTECTED]
Delivered-To: mailing list osint@yahoogroups.com
Date: Thu, 17 Feb 2005 11:06:28 -0500
Subject: [osint] Switzerland Repatriates $458m to Nigeria
Reply-To: osint@yahoogroups.com


http://allafrica.com/stories/200502170075.html



Switzerland Repatriates $458m to Nigeria

This Day (Lagos)

February 17, 2005
Posted to the web February 17, 2005

Kunle Aderinokun
Abuja

FG to start drawing funds in March

The Federal Government yesterday announced that the Swiss government has
approved the repatriation of $458 million, being the bulk of the $505 million of
public fund stashed away in various private bank accounts in that country by
the late General Sani Abacha and his family.

Making this disclosure yesterday in Abuja at the instance of Swiss
Ambassador to Nigeria, Dr. Pierre Helg, Finance Minister Ngozi Okonjo-Iweala
said the fund will be transferred into the International Bank for Settlement
(BIS) in Basel, Switzerland, and that Nigeria will be able to withdraw the
money by the end of March this year.

Okonjo-Iweala, who said the Swiss authorities did not attach any condition
for the repatriation of the siphoned monies, said the release was sequel to
the judgment of the Swiss Federal Court, which ruled that the "Swiss
authorities may return assets of obviously criminal origin to Nigeria even
without a court decision in the country concerned."

The finance minister said President Olusegun Obasanjo since assumption of
office had vigorously and relentlessly pursued return of the funds with the
help of the National Security Adviser and herself.

Noting that with this development, Switzerland has earned a positive status
as the first country to return funds illegally placed by the Abacha family,
Okonjo-Iweala said "the Federal Government is indeed grateful to the
government of Switzerland for the principled and focused manner in which it
has pursued this just cause."

"We hope that the Swiss example at both the political and judicial level
will show the way for other countries where our national resources have been
illegally transferred. Switzerland's policy on this issue is a clear sign
that crime does not pay. Nigeria is ready to work with other governments to
achieve the repatriation of other funds which were siphoned out of the
country illegally," she added.

She recalled that Obasanjo had on behalf of the administration made a
commitment to the Swiss government that the Abacha loots will be used for
developmental projects in health and education as well as for infrastructure
(roads, electricity and water supply) for the benefit of Nigerians.

"This", she pointed out, "is of course, very much in keeping with the
priorities of the National Economic Empowerment and Development Strategy
(NEEDS), the nation's blue-print for reducing poverty, creating wealth and
generating employment."

She stated that after receiving the assurances of the Swiss authorities that
the funds will be released , the federal government had "decided to factor
most of the Abacha funds into the 2004 budget so that the urgent challenges
of providing infrastructure and social services to our people would not be
delayed. This is to ensure that our programmes which are on-going are
adequately funded."

According to her, the Federal Government had distributed the recovered $505
million looted funds in the 2004 budget as: rural electrification,
$170million (N21.70billion); priority economic roads, $140 million
(N18.60billion); primary health care vaccination programme, $80 million
(N10.83 billion); support to secondary and basic education, $60 million
(N7.74 billion); and potable water and rural irrigation, $50 million (N6.20
billion).

In his remarks, the Swiss ambassador to Nigeria, Helg said "Switzerland
possesses an efficient set of legal instruments to defend itself against the
inflow of illegal assets, and to recognize, block and return them to their
rightful owners." He noted that "the recent decision of the Federal Supreme
Court will strengthen the deterrent effect of Switzerland's legal mechanism
against potential future inflows of illegal capital."

He added that "the decision strengthens the Swiss position regarding the
restitution of funds of politically exposed persons, which is: Switzerland
has no interest in accepting illegal funds. Its financial center does not
provide for a safe haven for illegal money, which should primarily be used
for the benefit of the people of the country in question. The point must
again be made that Swiss banking secrecy is not an obstacle to the
investigation of criminal acts and to the international efforts to combat
crime."

He said Switzerland has received assurances from Obasanjo and Okonjo

How are you? [BZY]

2005-02-17 Thread Russ Copeland
How are you?!

Let's get discounts right now!


Come in and see yourself: http://holeusingtechnique.com/?a=837




Re: [CYBERIA] a story that might be of interest to cyberians

2005-02-17 Thread SK
Saw a posting on a blog on this -
http://silenteloquence.blogspot.com/2005/02/future-of-future-teller.html

Reproduced below:

Background: Rednova recently published an article, 'Can This Black Box
See Into the Future' about a new machine developed by the scientists
at Princeton that can predict future events. It relies on two main
things: random number generation and the power of the collective
human consciousness to 'influence' that random number generation. This
is not your usual conspiracy theory kind of stuff, about 75 respected
scientists from 41 different nations have thrown their weight behind
this idea. I don't want to go into more details on what is already given
in the article, but here's my two cents to the noise that the article
has already generated:

(1) My own future:
One of the main criticisms about the Global Consciousness Project and
the use of the Black box to predict a world event is that there are so
many events happening in the world at any given time - so it must be
easy to relate a set of data points to some event. Now this is a very
valid argument. Moreover, the definition of a 'world event' or an
'event', for that matter, is very subjective. What may be eventful to
me may not be eventful to someone living in Africa. I may not even
come to know about a major political turmoil that happened, say in
South America. So who is to decide what is an event? However, if the
researchers at Princeton want to argue that the human subconscious can
predict the future of the world, they should also be able to reproduce
it at an individual level. Along the same lines of logic they have
used, can I train my subconscious to predict my own future? In this
case, there is no ambiguity in the definition of an event. I
'influence' the egg. I decide what an event is. And if the egg can
read my thoughts (about the future) and show it to me now, the egg
works! Feels kinda sad that I need an egg to read my own mind! Hmm..
we have a new strain of shrinks? I am not a sceptic, but just couldn't
resist the dig.

(2) One global consciousness is not a new concept:
The central theme of the global consciousness is not a new concept.
This was exactly what was propounded centuries ago in the Bhagavad
Gita, which is a very revered book that many Hindus, including me,
still hold on to. The Gita is quite clear on what it wants to say (my
simplified interpretation): At the beginning of the world, all beings
are created from one central source. At the end of it, they go back to
that one source. If you die and you had understood the true meaning
during your lifetime, you attain nirvana and become one with the one
global consciousness. If you don't, you are reborn again and again, till
you eventually 'get it, duh'. But the point is, you share one
consciousness with everyone else around you. You are just one small
figment of the great collectivity (as I write this I am beginning to
wonder if the Gita had anything to do with the rise of communism).

(3) Data can lie, often very convincingly:
I am not a sceptic to this theory. As much as I am a logical person, I
intuitively believe that it is possible to predict the future. I have
had a few, very clear (god forbid, I never want to experience them
ever again) deja vus. Several astrologers (like a good Indian, I have
visited a fair share of astrologers, admittedly more because of
intellectual curiosity about the paranormal) have predicted events in
my life with amazing accuracy. And more importantly, they have
generally been accurate in predicting my state of mind, which has
never failed to surprise me. And from a physics perspective, if time
is the fourth dimension, shouldn't you be able to travel back and
forth like we can in the other three dimensions? It seems more
difficult to believe that the fourth dimension is different from the
other three, than to believe that it is similar. So, I don't have
problems believing the results per se. But I am a sceptic when it
comes to the methodology. A random number generator with 1s and 0s
over years - that is a lot of data points over a very small range. It
seems to me like data that is difficult to read - and data that can be
easily manipulated. Mind you, I am not accusing anyone of anything. I
have full faith in the integrity of all involved. But I used to work
as an analyst and one of the first things that I learned was that you
can always make the data say what you want it to. If you don't believe
me, read the book 'How to Lie with Statistics' by Darrell Huff. And
sometimes it is not a matter of intentional effort. When you want to
see a particular result, it is possible that your mind subconsciously
picks on that trend and only that trend. This is nobody's fault - it
is just an extension of the saying 'The eyes can only see what the
mind wants it to'. I would be hard-pressed to believe that the people
who want to make us believe about the powers of human subconscious to
predict the future cannot believe that the same subconscious is
powerful eno

Re: [p2p-hackers] SHA1 broken?

2005-02-17 Thread R.A. Hettinga

--- begin forwarded text


Delivered-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [p2p-hackers] SHA1 broken?
Date: Thu, 17 Feb 2005 14:25:36 -0800 (PST)
From: [EMAIL PROTECTED] ("Hal Finney")
Reply-To: "Peer-to-peer development." <[EMAIL PROTECTED]>
Sender: [EMAIL PROTECTED]

The problem with the attack scenario where two versions of a program are
created with the same hash, is that from what little we know of the new
attacks, they aren't powerful enough to do this.

All of the collisions they have shown have the property where the two
alternatives start with the same initial value for the hash; they then
have one or two blocks which are very carefully selected, with a few
bits differing between the two blocks; and at the end, they are back
to a common value for the hash.

It is known that their techniques are not sensitive to this initial value.
They actually made a mistake when they published their MD5 collision,
because they had the wrong initial values due to a typo in Schneier's
book.  When people gave them the correct initial values, they were able
to come up with new collisions within a matter of hours.

If you look at their MD5 collision in detail, it was two blocks long.
Each block was almost the same as the other, with just a few bits
different.  They start with the common initial value.  Then they run
the first blocks through.  Amazingly, this has only a small impact on
the intermediate value after this first block.  Only a relatively few
bits are different.

If you or I tried to take two blocks with a few bits different and feed
them to MD5, we would get totally different outputs.  Changing even
one bit will normally change half the output bits.  The fact that they
are able to change several bits and get only a small difference in the
output is the first miracle.

But then they do an even better trick.  They now go on and do the
second pair of blocks.  The initial values for these blocks (which are
the outputs from the previous stage) are close but not quite the same.
And amazingly, these second blocks not only keep things from getting
worse, they manage to heal the differences.  They precisely compensate
for the changes and bring the values back together.  This is the second
miracle and it is even greater.

Now, it would be a big leap from this to being able to take two arbitrary
different initial values and bring them together to a common output.
That is what would be necessary to mount the code fraud attack.  But as
we can see by inspection of the collisions produced by the researchers
(who are keeping their methodology secret for now), they don't seem to
have that power.  Instead, they are able to introduce a very carefully
controlled difference between the two blocks, and then cancel it.
Being able to cancel a huge difference between blocks would be a problem
of an entirely different magnitude.

Now, there is this other idea which Zooko alludes to, from Dan Kaminsky,
www.doxpara.com, which could exploit the power of the new attacks to
do something malicious.  Let us grant that the only ability we have is
that we can create slightly different pairs of blocks that collide.
We can't meaningfully control the contents of these blocks, and they
will differ in only a few bits.  And these blocks have to be inserted
into a program being distributed, which will have two versions that
are *exactly the same* except for the few bits of difference between
the blocks.  This way the two versions will have the same hash, and this
is the power which the current attacks seem to have.

Kaminsky shows that you could still have "good" and "bad" versions of
such a program.  You'd have to write a program which tested a bit in
the colliding blocks, and behaved "good" if the bit was set, and "bad"
if the bit was clear.  When someone reviewed this program, they'd see
the potential bad behavior, but they'd also see that the behavior was
not enabled because the bit that enabled it was not set.  Maybe the
bad behavior could be a back door used during debugging, and there is
some flag bit that turns off the debugging mode.  So the reviewer might
assume that the program was OK despite this somewhat questionable code,
because he builds it and makes sure to sign or validate the hash when
built in the mode when the bad features are turned off.

But what he doesn't know is, Kaminsky has another block of data prepared
which has that flag bit in the opposite state, and which he can substitute
without changing the hash.  That will cause the program to behave in its
"bad" mode, even though the only change was a few bits in this block
of random data.  So this way he can distribute a malicious build and it
has the hash which was approved by the reviewer.

And as Zooko points out, this doesn't have to be the main developer
who is doing this, anyone who is doing some work on creating the final
package might be able to do so.

On the other hand, this attack is pretty blatant once you know it is
possible.  The lesson is t
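
The mechanics described in the post above, worked through as an added example
(not part of the original message): the two 128-byte MD5-colliding messages
published by Wang, Feng, Lai and Yu are embedded as constructed input, and a
hypothetical program layout (assumed for the example, not anything Kaminsky
or the post specifies) puts them at offset 0 as an opaque data table whose
flag bit selects "good" or "bad" behaviour. The code checks the three facts
the post relies on: the pair differs in only six bits yet hashes identically;
any common suffix appended after the blocks keeps the collision, so the rest
of the program can be identical; and the collision is tied to MD5's standard
initial value, so the same pair does not collide once anything precedes it.

```python
import hashlib
from binascii import unhexlify

# Constructed input: the two 128-byte MD5-colliding messages published by
# Wang, Feng, Lai and Yu (two 64-byte blocks each, hashed from MD5's
# standard initial value).  Only six bytes differ, each by one bit.
MSG_A = unhexlify(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
MSG_B = unhexlify(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def differing_bits(a: bytes, b: bytes) -> list:
    """(byte offset, XOR mask) for every byte position where a and b differ."""
    return [(i, x ^ y) for i, (x, y) in enumerate(zip(a, b)) if x != y]


def collision_survives(prefix: bytes, suffix: bytes) -> bool:
    """Does md5(prefix + MSG_A + suffix) still equal md5(prefix + MSG_B + suffix)?

    With an empty prefix the blocks are hashed from the standard initial
    value, the chaining values meet again after the second block, and any
    common suffix is then absorbed identically (Merkle-Damgard chaining).
    A non-empty prefix changes the chaining value the blocks start from,
    and this published pair does not collide from there.
    """
    return md5_hex(prefix + MSG_A + suffix) == md5_hex(prefix + MSG_B + suffix)


# Hypothetical program layout for the Kaminsky trick (assumed for this
# example): the colliding blocks sit at offset 0 as an opaque "data table",
# followed by code that is byte-for-byte identical in both builds.
COMMON_CODE = (
    b"\n# --- program code follows; identical in both builds ---\n"
    b"# if the debug flag bit in the table is clear, enable the back door\n"
)

FLAG_OFFSET = 19  # first differing byte; bit 7 is set in MSG_A, clear in MSG_B


def build(table: bytes) -> bytes:
    return table + COMMON_CODE


def backdoor_enabled(program: bytes) -> bool:
    """The reviewed logic: 'good' when the flag bit is set, 'bad' when clear."""
    return not (program[FLAG_OFFSET] & 0x80)


if __name__ == "__main__":
    reviewed = build(MSG_A)   # the build the reviewer inspected and approved
    swapped = build(MSG_B)    # same MD5, flag bit flipped
    print("md5(reviewed) =", md5_hex(reviewed))
    print("md5(swapped)  =", md5_hex(swapped))
    print("differing bytes:", differing_bits(MSG_A, MSG_B))
    print("backdoor in reviewed build:", backdoor_enabled(reviewed))
    print("backdoor in swapped build: ", backdoor_enabled(swapped))
    print("collision survives a shebang prefix:",
          collision_survives(b"#!/usr/bin/env python3\n", b""))
```

The last check is the practical caveat: a real file format rarely lets an
attacker own bytes 0 to 127 outright, so whether the blocks can be placed
where the collision holds depends on the container, not just on the hash.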

RE: SHA1 broken?

2005-02-17 Thread Trei, Peter
Actually, the final challenge was solved in 23 hours, about
1/3 Deep Crack, and 2/3 Distributed.net. They were lucky, finding
the key after only 24% of the keyspace had been searched.

More recently, RC5-64 was solved about a year ago. It took
d.net 4 *years*. 

2^69 remains non-trivial.

Peter


-Original Message-
From: [EMAIL PROTECTED] on behalf of Dave Howe
Sent: Thu 2/17/2005 5:49 AM
To: Cypherpunks; Cryptography
Subject: Re: SHA1 broken?
 
Joseph Ashwood wrote:
> I believe you are incorrect in this statement. It is a matter of public
> record that RSA Security's DES Challenge II was broken in 72 hours by
> $250,000 worth of semi-custom machine, for the sake of solidity let's
> assume they used 2^55 work to break it. Now moving to a completely
> custom design, bumping up the cost to $500,000, and moving forward 7
> years, delivers ~2^70 work in 72 hours (give or take a couple orders of
> magnitude). This puts the 2^69 work well within the realm of realizable
> breaks, assuming your attackers are smallish businesses, and if your
> attackers are large businesses with substantial resources the break can
> be assumed in minutes if not seconds.
>
> 2^69 is completely breakable.
> Joe
   It's fine assuming that Moore's law will hold forever, but without
that you can't really extrapolate a future tech curve. With *today's*
technology, you would have to spend an appreciable fraction of the
national budget to get a one-per-year "break", not that anything that
has been hashed with SHA-1 can be considered breakable (but that would
allow you to (for example) forge a digital signature given an example).
   This of course assumes that the "break" doesn't match the criteria
from the previous breaks by the same team, i.e., that you *can* create a
collision, but you have little or no control over the plaintext for the
colliding elements. There is no way to know as the paper hasn't been
published yet.