Unfortunately I can't remember the author, but there was a paper
showing that an encrypted counter was secure to use as IVs for CBC
mode. So encrypting a shorter random IV should also be secure.
Greg.
On 2010 Jun 2, at 9:36, Ralph Holz wrote:
Dear all,
A colleague dropped in yesterday an
On 2009 Oct 19, at 9:15, Jack Lloyd wrote:
On Sat, Oct 17, 2009 at 02:23:25AM -0700, John Gilmore wrote:
DSA was (designed to be) full of covert channels.
And, for that matter, one can make DSA deterministic by choosing the k
values to be HMAC-SHA256(key, H(m)) - this will cause the k value
On 2009 Aug 19, at 3:28, Paul Hoffman wrote:
At 5:28 PM -0400 8/19/09, Perry E. Metzger wrote:
I believe attacks on Git's use of SHA-1 would require second pre-image
attacks, and I don't think anyone has demonstrated such a thing for
SHA-1 at this point. Nonetheless, I agree that it would
Target collisions for MD5 can be calculated in seconds on a laptop,
based on just a small change in the first block of input. There was
also a semi-successful demo of MD5 certificate problems; you could
join the special wireless network, and any https connection would be
silently proxied us
On 2009 Apr 30, at 4:31, Perry E. Metzger wrote:
Eric Rescorla writes:
McDonald, Hawkes and Pieprzyk claim that they have reduced the
collision strength of SHA-1 to 2^{52}.
Slides here:
http://eurocrypt2009rump.cr.yp.to/837a0a8086fa6ca714249409ddfae43d.pdf
Thanks to Paul Hoffman for
One of the earlier messages (I lost it) said that Philipp said that
there was information that could be used as a nonce. In that case, I
would recommend a stream cipher used to generate 133 bits at a time; if
the lump of bits represents an integer in the correct range, add it
modulo 10^40... ot
"Hal Finney" wrote:
So, you don't have a 133-bit block cipher lying around? No worries, I'll
sell you one ;-). Actually that is easy too. Take a trustworthy 128-bit
block cipher like AES. To encrypt, do:
1. Encrypt the first 128 bits (ECB mode)
2. Encrypt the last 128 bits (also ECB mode).
I d
Philipp Gühring wrote:
Hi,
G'day Philipp,
I am searching for symmetric encryption algorithms for decimal strings.
Let's say we have various 40-digit decimal numbers:
2349823966232362361233845734628834823823
3250920019325023523623692235235728239462
0198230198519248209721383748374928601923
As
2008 at 2:40 PM, Greg Rose <[EMAIL PROTECTED]> wrote:
Basically the method focuses on terms of the polynomial in which
only one secret bit of the key appears, and many of the non-secret
bits. Using chosen (or lucky) plaintexts, vary all but one
David Wagner wrote:
It's a brilliant piece of research. If you weren't at CRYPTO, you missed
an outstanding talk (and this wasn't the only one!).
Yes, the program chair and committee did a great job. Whatsisname? Oh,
yeah, David Wagner.
Greg.
---
James Muir wrote:
Greg Rose wrote:
Basically, any calculation with inputs and outputs can be represented as
an (insanely complicated and probably intractable) set of binary
multivariate polynomials. So long as the degree of the polynomials is
not too large, the method allows most of the
someone wrote:
what about RC4, the most important stream
cipher in the Internet world?
So I cornered Adi for a while. Of course he'd thought of almost
everything I wanted to ask.
You're not the first to think of RC4 (I confess I wasn't either). No, if
you try to express shuffling as a polynomi
Steven M. Bellovin wrote:
Greg, assorted folks noted, way back when, that Skipjack looked a lot
like a stream cipher. Might it be vulnerable?
Hmmm, interesting. I'm getting increasingly closer to talking through my
hat, but...
Skipjack has an 8x8 S-box, so by definition the maximum degree o
Perry E. Metzger wrote:
Greg Rose <[EMAIL PROTECTED]> writes:
His example was an insanely complicated theoretical LFSR-based stream
cipher; recovers keys with 2^28 (from memory, I might be a little
out), with 2^40 precomputation, from only about a million output
bits. They are work
Perry E. Metzger wrote:
According to Bruce Schneier...
http://www.schneier.com/blog/archives/2008/08/adi_shamirs_cub.html
...Adi Shamir described a new generalized cryptanalytic attack at
Crypto today.
Anyone have details to share?
Stunningly smart, and an excellent and understandable presen
Erik Ostermueller wrote:
If I exchange messages with a system and the messages are encrypted with a
symmetric key, what further benefit would we get by using a MAC (Message
Authentication Code) along with the message encryption?
Being new to all this, using the encryption and MAC together seem
Perry E. Metzger wrote:
A wonderful place. I hope it manages to pull through.
http://resources.zdnet.co.uk/articles/imagegallery/0,102003,39415278,00.htm?r=234
There is a mechanism whereby US donors can send tax deductible donations
to the trust. Go to http://www.cafamerica.org and search
At 10:44 -0700 2007/06/22, Ali, Saqib wrote:
...whereas the key distribution systems we have aren't affected by
eavesdropping unless the attacker has the ability to perform 2^128 or
more operations, which he doesn't.
Paul: Here you are assuming that key exchange has already taken place.
But ke
At 13:55 +0100 2007/05/23, Dave Korn wrote:
On 21 May 2007 19:44, Perry E. Metzger wrote:
http://www.physorg.com/news98962171.html
My take: clearly, 1024 bits is no longer sufficient for RSA use for
high value applications, though this has been on the horizon for some
time. Presumably, i
At 17:58 -0500 2006/11/08, Leichter, Jerry wrote:
No, SHA-1 is holding on (by a thread) because of differences in the
details of the algorithm - details it shares with SHA-256. I
don't think anyone will seriously argue that if SHA-1 is shown to
be as vulnerable as we now know MD5 to be, then SHA
At 19:13 -0500 2006/10/17, Travis H. wrote:
So I was reading about the OTP system (based on S/Key) described in RFC 2289.
It basically hashes a secret several times (with salt to individualize
it) and stores the value that the correct password will hash to.
Now my question is, if we restrict ou
At 17:05 -0400 2006/10/12, Steven M. Bellovin wrote:
This is a very interesting suggestion, but I suspect people need to be
cautious about false positives. MP3 and JPG files will, I think, have
similar entropy statistics to encrypted files; so will many compressed
files.
Actually, no. I have
At 14:33 -0400 2006/09/28, Leichter, Jerry wrote:
VMS has for years had a simple CHECKSUM command, which had a variant,
CHECKSUM/IMAGE, applicable only to executable image files. It knew
enough about the syntax of executables to skip over irrelevant metadata
like link date and time. (The che
At 23:40 +1200 2006/09/14, Peter Gutmann wrote:
But wait, there's more! From what I understand of the attack, all you need
for it to work is for the sig.value to be a perfect cube. To do this, all you
need to do is vary a few of the bytes of the hash value, which you can do via
a simple brute-
At 19:02 +1000 2006/09/14, James A. Donald wrote:
Suppose the padding was simply
010101010101010 ... 1010101010101 hash
with all leading zeros in the hash omitted, and four
zero bits showing where the actual hash begins.
Then the error would never have been possible.
I beg to differ. A
So, there is at least one top-level CA installed in some common
browsers (I checked Firefox) that uses exponent-3. It is "Starfield
Technologies Inc." "Starfield Class 2 CA". There may well be
others... I only looked far enough to determine that that was a
problem.
So the next question become
At 15:03 + 2006/08/28, D. J. Bernstein wrote:
You left the rump session too early, Greg! What you saw was my first
presentation, which was scheduled for 0 minutes, slideless, and titled
``FFT-based acoustic side-channel analysis of piano keystrokes''; Stuart
wasn't even supposed to announce
At 15:26 +0200 2006/08/23, Erik Zenner wrote:
Hi all!
At the rump session of Crypto 2006, we started the "chasing the Rabbit"
contest. Dan Bernstein was so kind as to present the slides on our
behalf. The details of the contest are given below; they can also be
downloaded from http://www.crypti
At 16:29 -0600 2006/06/08, John R. Black wrote:
> >It is taught by good people, but I find it a bit strange they are all
>Microsoft employees. This is perhaps because U. Wash doesn't have any
>cryptographers.
I hardly think that you can discount the skills of Josh Benaloh and
Brian LaMac
At 20:34 -0600 2006/06/06, John R. Black wrote:
On Tue, Jun 06, 2006 at 01:57:25AM -0700, Udhay Shankar N wrote:
> http://it.slashdot.org/article.pl?sid=06/06/04/1311243
It is taught by good people, but I find it a bit strange they are all
Microsoft employees. This is perhaps because U. Was
At 1:41 -0600 2006/04/02, Travis H. wrote:
So I'm reading up on unconditionally secure authentication in Simmons'
"Contemporary Cryptology", and he points out that with RSA, given d,
you could calculate e (remember, this is authentication not
encryption) if you could factor n, which relates the
At 22:09 -0500 2006/03/22, John Denker wrote:
Aram Perez wrote:
* Can you add or increase entropy?
Shuffling a deck of cards increases the entropy of the deck.
As a minor nit, shuffling *in an unpredictable manner* adds entropy,
because there is extra randomness being brought into the pro
At 01:33 2005-11-01 -0600, Travis H. wrote:
The latest hashes, such as SHA-1, gave up on Feistel.
Not so... the SHA family are all unbalanced Feistel structures.
Basically, for SHA-1 a complex function of 4 words and key material
(in this case expanded data to be hashed) is combined with the
At 03:25 2005-10-18 -0500, Travis H. wrote:
Speaking of two-factor authentication, can anyone explain how servers
validate the code from a SecurID token in the presence of clockskew?
Does it look backwards and forwards in time a few minutes?
Yes, at registration time the server checks that the
all the tapes once onto a big RAID, and set the
cluster to work for a year or two.
Greg.
Greg Rose INTERNET: [EMAIL PROTECTED]
Qualcomm Incorporated VOICE: +1-858-651-5733 FAX: +1-858-651-5766
5775 Morehouse Drive http://people.qualcomm.
price setting precedent.
They (NSA) did pay, and they (Certicom) did stick it in our faces.
See, e.g., http://www.eweek.com/article2/0,1895,1498136,00.asp. Did
you miss this at the time?
Greg.
At 11:47 2005-08-12 -0400, Tim Dierks wrote:
I'm attempting to design a block cipher with an "odd" block size (34
bits). I'm planning to use a balanced Feistel structure with AES as the
function f(), padding the 17-bit input blocks to 128 bits with a pad
dependent on the round number, encrypting
't actually help either.
(*) actually each layer reduces the space of output keys slightly; not
enough to matter in practice, but it is actually infinitesimally worse than
just doing the hash.
Greg.
abase from disclosure...
or not.
Greg.
iously*
beefed up. My guess is that the NSA were already worried about this kind of
attack (whether they'd found it or not). We don't have a good analysis of
the data-expansion part, but I'm pretty sure that it'll defeat the Wang
attacks.
Greg.
ks at a time; for OFB and counter mode, it ends up
making the keystream distinguishable from random. Also, most of the
security proofs for block cipher constructions (like the secure CBC-MAC
schemes) limit the number of blocks to some constant factor times 2^{n/2}.
I'm surprised that no-o
the problem on
the entropy pool, not to mention CPU load for primality testing.
I must be misunderstanding. Surely. Please?
Greg.
I wrote:
> Phil Hawkes' paper on the SHA-2 round function has just been
> posted as
> Eprint number 207. It contains rather a lot of detail, unlike
> some of the
> other papers on the subject of hash function collisions.
At 14:17 2004-08-23 -0400, Trei, Peter wrote:
Could you possibly post a direct
Phil Hawkes' paper on the SHA-2 round function has just been posted as
Eprint number 207. It contains rather a lot of detail, unlike some of the
other papers on the subject of hash function collisions.
Greg.
not
close to breaking SHA-1 with this".
Greg.
that 2^-80 is a much better chance than you would have had for
two random messages (which is really message M and a random delta).
But I could also be mistaken on this.
Greg.
At 00:49 2004-08-19 +1000, Greg Rose wrote:
There has been criticism about the Wang et al. paper that "it doesn't
explain how they get the collisions". That isn't right. Note that from the
incorrect paper to the corrected one, the "delta" values didn't chan
In the light of day and less inebriated, I'd like to clarify some of what I
wrote last night, and maybe expand a bit. My original account wasn't what
I'd like to think of as a record for posterity.
Greg.
At 13:11 2004-08-18 +1000, Greg Rose wrote:
Xiaoyun Wang was almost unint
Regards,
Mads Rasmussen
Open Communications Security
-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
told him to either stop working on it, or stop talking about it,
depending which version of the story you've heard. Since he works for the
German NSA-equivalent, I guess he would take this seriously.
Greg.
1000 per year.
What incentive does a miscreant have to
reprogram hundreds or thousands of other
cars???
Until recently, when viruses and worms started to be used to assist
spamming, what incentive did a miscreant have to invade hundreds or
thousands of compute
At 15:41 2004-06-19 -0400, Perry E. Metzger wrote:
http://news.bbc.co.uk/1/hi/technology/3804895.stm
No real new info, but some good background. Several familiar names,
such as Ross Anderson, are interviewed.
Gee, a pity they can't calculate 2^128 correctly.
Greg.
hich would be ideal for online purchasing.
>
> IIRC, the offering was withdrawn because there weren't enough takers.
American Express still does this, although it's difficult to find and use.
They call it "Private Payments".
Actually, they just discontin
of them will slip occasionally, and the house of cards would fall down.
Therefore there is no house of cards.
Greg.
> * non-repudiation
I.e., its provenance?
Google shows only a few hits, indicating
it is not widespread.
iang
there are block ciphers (such as FEAL, same vintage as RC4) that aren't
even vaguely secure.
Greg.
IX library dbm uses essentially this philosophy, but the
tree is not binary; rather each node stores up to one disk block's worth of
pointers. Nodes split when they get too full. When the point is to handle a
lot of data, this makes much more sense.
Hope that helps,
ature independent of the modulus,
so long as the public exponent is 3. Adding (and checking) correct padding
(eg. OAEP or PSS, see the PKCS standards) makes it extremely unlikely that
there will be a cube root for the attack to work on.
Others may want to correct me or el
y way compromised by this attack.
Greg.
, a device to break GSM using this attack is not going to cost
much more than a cellphone (without subsidies). Patenting the attack
prevents the production of the "radio shack (tm) gsm scanner", so that it
at least requires serious attackers, not idle retirees
redictable but non-repeating 32 bit nonce.
If you aren't prepared to accept the cost of a (scaled down) block cipher,
then you'll have to restate your requirements.
Greg.
eral Chair)
low attack, or a distributed attack, much of the value will have gone out
of it for them.
Greg.