I (Hal Finney) wrote:
A couple of (rather uninformed) thoughts regarding HMAC-MD5: First,
how could collision attacks be extended to preimage attacks? And second,
how would preimage attacks affect HMAC-MD5?
I have to apologize for that message; I was totally confused particularly
about Adam Shostack's http://www.emergentchaos.com/,
although it seems to be more security than crypto.
Any other good ones?
Hal Finney
-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL
or chooses keynames, but be unable to guess any keys for any other
keynames. It's a good fit to the security requirements for your problem.
Hal Finney
show in section 6 various attacks on ad hoc constructions, but some of
them are admittedly impractical.
Hal Finney
Plaintext Considered Harmless. A surprising diversity of opinions
were expressed.
http://groups.google.com/group/sci.crypt/browse_thread/thread/f1aae3a2d10dbcd4?tvc=2q=known+plaintext+considered+harmless
Hal Finney
,
how many candidates have offered such a proof, in variants fast enough
to beat SHA-2?
Hal Finney
On Thu, 2008-08-21 at 10:26 -0700, Hal Finney wrote:
Ron Rivest presented his (along with a dozen other people's) new hash,
MD6, yesterday at Crypto.
The slides for this presentation are available from Ronald's website:
http://people.csail.mit.edu/rivest/Rivest-TheMD6HashFunction.ppt
.
The first MTA would exchange the received RPOW for a new one of equal
value, and pass it along with the message to the next MTA in line.
Hal
is the EU's RACE Integrity Primitives Evaluation
project, and I haven't been able to find out what RACE stands for.
RIPEM was an old implementation by Mark Riordan of the PEM (Privacy
Enhanced Email) standard which preceded S/MIME.
Hal Finney
, unfortunately.
Hal Finney
not get an ordinary hash. You are more likely to get an ordinary
polynomial that will not serve at all well as a crypto hash.
Hal Finney
operational benefit from all those TPM
chips being installed. I'll be happy to summarize results back to the
list if people want to contact me privately.
Thanks -
Hal Finney
[EMAIL PROTECTED]
/rsawrapr.c:RSA_CheckSign())
Hal Finney
trying to get some government agency involved.
The letter specifically cites 17 USC 1201(a)2 and (b)1, which can be read
here:
http://cyber.law.harvard.edu/openlaw/DVD/1201.html#a2
Hal Finney
of choosing your IV,
with CFB mode. A simple counter should be good enough. However the
penalty for erroneously reusing an IV is worse; it reveals the XOR of the
respective plaintexts, whereas in CBC mode it will only reveal whether
the plaintexts are identical.
Hal Finney
PGP Corporation
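Worked illustration of the CFB IV-reuse leak described in the post above. This is an added example, not code from the post or from PGP. It stands in a SHA-256-based PRF for the block cipher's forward direction (an assumption: CFB and CBC encryption only ever run the cipher forwards, so any good PRF shows the same behaviour as AES would), and the key, IV and plaintexts are constructed here. It also makes one detail explicit that a practitioner wants: with a reused IV, CFB leaks the XOR of the plaintexts block by block up to and including the first block where they differ, after which the ciphertext feedback diverges and later blocks stop lining up.

```python
import hashlib

BLOCK = 16  # 128-bit blocks, as with AES


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the forward direction of a 128-bit block cipher.

    This is a SHA-256-based PRF, not AES (assumption for this example).
    CFB and CBC encryption only call the cipher forwards, so this is enough
    to show what IV reuse leaks.
    """
    assert len(key) == BLOCK and len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Full-block CFB: C_i = E_k(C_{i-1}) XOR P_i, with C_0 = IV."""
    assert len(iv) == BLOCK and len(plaintext) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        c = xor(block_encrypt(key, prev), plaintext[i:i + BLOCK])
        out.append(c)
        prev = c
    return b"".join(out)


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: C_i = E_k(P_i XOR C_{i-1}), with C_0 = IV."""
    assert len(iv) == BLOCK and len(plaintext) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        c = block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        out.append(c)
        prev = c
    return b"".join(out)


def cfb_iv_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """What an eavesdropper gets from two CFB ciphertexts made with the same
    key and IV: P1 XOR P2, block by block, up to and including the first
    block where the plaintexts differ. From then on the feedback values
    differ, the keystreams diverge, and XORing later ciphertext blocks no
    longer gives the plaintext XOR, so the function stops there."""
    leaked = []
    for i in range(0, min(len(c1), len(c2)), BLOCK):
        b1, b2 = c1[i:i + BLOCK], c2[i:i + BLOCK]
        leaked.append(xor(b1, b2))
        if b1 != b2:
            break
    return b"".join(leaked)


def cbc_iv_reuse_leak(c1: bytes, c2: bytes) -> int:
    """The same mistake in CBC leaks only how many leading blocks the two
    plaintexts have in common (equal ciphertext prefix <=> equal plaintext
    prefix), never the XOR of a differing block."""
    n = 0
    for i in range(0, min(len(c1), len(c2)), BLOCK):
        if c1[i:i + BLOCK] != c2[i:i + BLOCK]:
            break
        n += 1
    return n


def counter_iv(counter: int) -> bytes:
    """A per-message counter as the CFB IV: it never repeats, so the first
    keystream block E_k(IV) is fresh for every message."""
    return counter.to_bytes(BLOCK, "big")


if __name__ == "__main__":
    key, iv = bytes(range(16), ), bytes(16)          # constructed
    p1 = b"A" * 16 + b"B" * 16 + b"C" * 16           # constructed
    p2 = b"A" * 16 + b"X" * 16 + b"C" * 16           # constructed
    print(cfb_iv_reuse_leak(cfb_encrypt(key, iv, p1), cfb_encrypt(key, iv, p2)).hex())
    print(cbc_iv_reuse_leak(cbc_encrypt(key, iv, p1), cbc_encrypt(key, iv, p2)))
```

Run as a script it prints 16 zero bytes (the equal first blocks) followed by 0x1a repeated (B XOR X) for CFB, and 1 for CBC.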
the encryption key even if
you guess the PIN right.
(Some) details at the BitLocker Drive Encryption Technical Overview page:
http://technet2.microsoft.com/WindowsVista/en/library/ba1a3800-ce29-4f09-89ef-65bce923cdb51033.mspx?mfr=true
Hal Finney
, conservatively we should assume that well funded secret
efforts could already succeed today.
Hal Finney
not look good to encryption purists.
Hal Finney
for dae687514c50.doxdns5.com:
1.2.3.4:34023 TXID=64660
1.2.3.4:50662 TXID=51678
1.2.3.4:55984 TXID=49711
1.2.3.4:17745 TXID=12263
1.2.3.4:26318 TXID=59610
This shows only the last 5 ports so it won't detect an LCG, but at least
it can detect some of the more obvious patterns.
Hal Finney
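A small checker that reads lines in the format quoted above and flags the obvious patterns the post mentions. This is an added example, not the tool used in the post; the five page lines are embedded as sample input, the second sample (a fixed port with counting TXIDs) is constructed, and the narrow-span threshold is an assumption. As the post says, five samples cannot catch an LCG; an empty result means nothing obvious, not that the generator is sound.

```python
import re

LINE = re.compile(r"^(?P<ip>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)\s+TXID=(?P<txid>\d+)$")

# The five lines quoted in the post above.
PAGE_SAMPLE = """\
1.2.3.4:34023 TXID=64660
1.2.3.4:50662 TXID=51678
1.2.3.4:55984 TXID=49711
1.2.3.4:17745 TXID=12263
1.2.3.4:26318 TXID=59610
"""

# Constructed: a resolver using one fixed source port and sequential TXIDs.
FIXED_SAMPLE = """\
1.2.3.4:53 TXID=1001
1.2.3.4:53 TXID=1002
1.2.3.4:53 TXID=1003
1.2.3.4:53 TXID=1004
1.2.3.4:53 TXID=1005
"""

NARROW_SPAN = 1024  # assumption: a span this small in a 16-bit field is suspicious


def parse(text: str):
    """Return [(port, txid), ...] in the order seen; unparsable lines are skipped."""
    samples = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            samples.append((int(m["port"]), int(m["txid"])))
    return samples


def findings(samples):
    """Obvious predictability patterns in the port and TXID sequences."""
    out = []
    series = (("port", [p for p, _ in samples]), ("txid", [t for _, t in samples]))
    for name, vals in series:
        if len(vals) < 2:
            continue
        if len(set(vals)) == 1:
            out.append(f"{name}: constant ({vals[0]})")
            continue
        strides = {b - a for a, b in zip(vals, vals[1:])}
        if len(strides) == 1:
            out.append(f"{name}: constant stride {strides.pop()}")
        span = max(vals) - min(vals)
        if span < NARROW_SPAN:
            out.append(f"{name}: span only {span} over {len(vals)} samples")
    return out


if __name__ == "__main__":
    for label, text in (("page sample", PAGE_SAMPLE), ("fixed port", FIXED_SAMPLE)):
        print(label, findings(parse(text)) or "nothing obvious")
```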
the polynomial variable is
secret, it is based on the key. So you don't know how things are being
combined. But with a known key and IV, there would be no security at all.
It would be linear like a CRC.
Hal Finney
whether S is even or odd,
defeating the privacy of the scheme.
Hal Finney
like AES. To encrypt, do:
1. Encrypt the first 128 bits (ECB mode)
2. Encrypt the last 128 bits (also ECB mode).
Hal Finney wrote:
I am not familiar with the security proof here, do you have a reference?
Or is it an exercise for the student?
It's a degenerate case of Rivest's All
there is a secret key that makes
the attacker's job harder.
Hal
Dec 2003 12:31:11 -0500
To: [EMAIL PROTECTED]
On Mon, Dec 01, 2003 at 08:46:25AM -0800, Hal Finney wrote:
It would be good to see these results made available because they might
turn out to be applicable to other types of keys that we might consider
in the future.
The paper is as yet
From: Hal Finney [EMAIL PROTECTED]
As you are probably aware, existing hashcash implementations do not base
the stamp on the message content. Instead they only lock the stamp to
the receiver's email address. Then the receiver keeps a list of the
hashcash stamps he has seen recently
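The receiver-side logic the post describes, as an added example (not the hashcash project's own code): mint a v1 stamp bound to the recipient address, then accept it once, only for that address, only while it is recent, so the seen-list stays bounded. The stamp format (ver:bits:date:resource:ext:rand:counter, SHA-1 of the whole string with the stated number of leading zero bits) follows hashcash v1; the 12-bit difficulty, the 28-day window and the addresses are constructed for the example.

```python
import base64
import hashlib
import os
from datetime import date, datetime, timedelta


def leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def work(stamp: str) -> int:
    return leading_zero_bits(hashlib.sha1(stamp.encode()).digest())


def mint(resource: str, bits: int, day: str, rand: str = "") -> str:
    """Hashcash v1 stamp: 1:bits:YYMMDD:resource::rand:counter, with counter
    increased until SHA-1(stamp) starts with `bits` zero bits."""
    rand = rand or base64.b64encode(os.urandom(6)).decode()
    counter = 0
    while True:
        stamp = f"1:{bits}:{day}:{resource}::{rand}:{counter}"
        if work(stamp) >= bits:
            return stamp
        counter += 1


class StampChecker:
    """Receiver side. A stamp is good once, for this address, inside the
    window; stamps older than the window are dropped from the seen-list, so
    it never grows beyond what the window admits."""

    def __init__(self, my_address: str, min_bits: int, max_age_days: int = 28):
        self.my_address = my_address
        self.min_bits = min_bits
        self.max_age_days = max_age_days
        self.seen = {}  # stamp -> stamp date

    def accept(self, stamp: str, today: date):
        parts = stamp.split(":")
        if len(parts) != 7 or parts[0] != "1":
            return False, "malformed"
        try:
            bits = int(parts[1])
            stamp_day = datetime.strptime(parts[2], "%y%m%d").date()
        except ValueError:
            return False, "malformed"
        if parts[3] != self.my_address:
            return False, "stamp is for another address"
        if bits < self.min_bits:
            return False, "claimed bits below policy"
        if work(stamp) < bits:
            return False, "insufficient work"
        age = (today - stamp_day).days
        if age < 0 or age > self.max_age_days:
            return False, "expired or future-dated"
        self._expire(today)
        if stamp in self.seen:
            return False, "double spend"
        self.seen[stamp] = stamp_day
        return True, "ok"

    def _expire(self, today: date):
        cutoff = today - timedelta(days=self.max_age_days)
        self.seen = {s: d for s, d in self.seen.items() if d >= cutoff}


if __name__ == "__main__":
    s = mint("alice@example.com", 12, "240109")          # constructed address/date
    chk = StampChecker("alice@example.com", 12)
    print(s, chk.accept(s, date(2024, 1, 10)), chk.accept(s, date(2024, 1, 10)))
```

The work check compares against the bits claimed in the stamp, and the policy check compares the claim against the receiver's minimum; both are needed, since a sender can write any number into the bits field.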
On 18 Oct 2004, at 12:49 PM, Hal Finney wrote:
Does anyone have pointers to crypto related weblogs? Bruce Schneier
recently announced that Crypto-Gram would be coming out incrementally
in blog form at http://www.schneier.com/blog/. I follow Ian Grigg's
Financial Cryptography blog, http
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Finney, Hal (CR)
[SNIP discussion on ripping cash]
The problem is that if the source code you are purchasing is
bogus, or if the other side doesn't come through, you're
screwed because you've lost the value of the torn cash
[EMAIL PROTECTED] (Hal Finney) writes:
Steven M. Bellovin writes:
Dan Bernstein has a new cache timing attack on AES:
http://cr.yp.to/antiforgery/cachetiming-20050414.pdf
This is a pretty alarming attack.
It is? Recovering a key from a server custom-written to act as an oracle
be designed to allow third
party audits similarly to how paper money cash issuers might be
audited today.
One approach, investigated by Hal Finney, is to run the mint on a platform
that allows remote attestation. Check out rpow.net - he has a working
implementation of a proof of work payment system
Hal Finney wrote:
I had not heard that there had been an official
decision to hold a new competition for hash functions
similar to AES. That is very exciting! The AES
process was one of the most interesting events to have
occurred in the last few years in our field.
Seemed like one
Hal Finney wrote:
Perry Metzger writes:
Once the release window has passed,
the attacker will use the compromise aggressively and the authority
will then blacklist the compromised player, which essentially starts
the game over. The studio collects revenue during the release window,
and sometimes
[EMAIL PROTECTED] (Hal Finney) writes:
When the Intel RNG came out several years ago, built into the bus controller
chipset, it was not widely accepted by the cryptographic community due to
fears of back doors or internal weaknesses. A generally positive analysis by
Cryptographic Research (http
At 10:39 AM -0700 7/4/09, Hal Finney wrote:
But how many other hash function candidates would also be excluded if
such a stringent criterion were applied? Or turning it around, if NIST
demanded a proof of immunity to differential attacks as Rivest proposed,
how many candidates have offered
more important to move towards cryptographic
assurance for payment systems.
Hal Finney
source and available
from rpow.net.
Hal Finney
they would buy and sell
RPOWs for money, they could serve in place of ecash. The main question
is whether there will be any use for them so compelling that people
would buy them.
Hal Finney
surely must,
then perhaps it is worth exploring.
Hal Finney
to predict.
The name serial number suggests a degree of sequentiality and some
CAs may follow such a policy, which could allow a motivated attacker to
predict the value with considerable accuracy.
Hal Finney
secrets or CAs.
I don't think anonymous is the right word for this, and I hope the
IETF comes up with a better one as they go forward.
Hal Finney
From: Ian Farquhar [EMAIL PROTECTED]
Sent: Sep 20, 2004 10:14 PM
To: "Hal Finney" [EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED]
Subject: Re: Time for new hash standard
At 05:43 AM 21/09/2004, Hal Finney wrote:
I believe this is a MAC, despite the name. It seems to be easier
don't know if the extra complexity buys you much in this application
though.
Hal Finney
in the footnote was a reference to this fact.
Don't try to interpret it as meaning that the attack won't work against SHA.
Hal Finney
and would not require any special
communication capabilities.
Hal Finney
, and then add a delay using a high-res timer from the
operating system to make it always take the same time.
Hal Finney
everywhere.
A video game chain store in town, I think it's EBX, only accepts these
cards, they won't take credit cards.
Hal Finney
.
It performed a small divisor test (only testing 3, 5, 7 and 11 as
divisors!) and a single base 2 Fermat test, for its RSA keygen.
Hal Finney
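To see why the test described above is not enough for RSA key generation, here is an added example (a reconstruction from the post's description, not the product's code) that puts that check beside a Miller-Rabin test and searches for composites the weak check accepts. 2047 = 23 x 89 is a base-2 Fermat pseudoprime and 29341 = 13 x 37 x 61 is a Carmichael number; neither has a factor in {3, 5, 7, 11}, so both pass the weak test. The bound of 40 rounds is a conventional choice, not something the post specifies.

```python
import random

SMALL_DIVISORS = (3, 5, 7, 11)


def weak_is_probable_prime(n: int) -> bool:
    """The test the post describes: trial division by 3, 5, 7, 11 only, then a
    single Fermat test to base 2. Any odd composite coprime to those four
    divisors that satisfies 2^(n-1) = 1 mod n gets through."""
    if n < 2:
        return False
    if n in (2, 3, 5, 7, 11):
        return True
    if n % 2 == 0 or any(n % d == 0 for d in SMALL_DIVISORS):
        return False
    return pow(2, n - 1, n) == 1


def miller_rabin(n: int, rounds: int = 40, rng=None) -> bool:
    """Miller-Rabin with random bases: a composite passes one round with
    probability at most 1/4, so `rounds` rounds bound the error by 4^-rounds.
    Carmichael numbers do not fool it the way they fool a Fermat test."""
    rng = rng or random.SystemRandom()
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    if n in small:
        return True
    if any(n % p == 0 for p in small):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False  # a is a witness: n is composite
    return True


def fooled_composites(limit: int):
    """Odd n below `limit` that the weak test accepts and Miller-Rabin rejects."""
    return [n for n in range(3, limit, 2)
            if weak_is_probable_prime(n) and not miller_rabin(n)]


if __name__ == "__main__":
    print(fooled_composites(30000))
```

Any of the listed numbers used as a "prime" in an RSA modulus gives a key whose modulus is trivially factored; a 2048-bit candidate has the same exposure, since the Fermat test's blind spots do not shrink with size.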
actually be fielded in the near future.
Hal Finney
where f is the TPM private key and
zeta is a unique per-site constant) that the site decides are being used
suspiciously often, suggesting that they are being shared by a group.
Hal Finney
of outcome
inevitable. But hopefully the hashing competition will learn from the AES
experience and make sure that it takes as much time as it needs to take.
Hal Finney
to multiple forgeries. The ease or
difficulty of this extension will depend on details of the MAC design,
but in principle, the CW security properties allow for it. This means
that MACs of moderate length, like 64 bits or less, need to be evaluated
much more critically with a CW MAC implementation.
Hal
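The extension from one forgery to many, worked through for the simplest Carter-Wegman design, as an added example (not from the post and not any particular MAC): a two-block polynomial hash over a 61-bit prime field with the tag one-time-padded by a PRF of the nonce. One accepted forgery under a given nonce is a collision of the polynomial hash, and a collision of a degree-2 polynomial with zero constant term hands the attacker the hash key r, after which tags for any message under that nonce cost nothing. The field, key values and messages are constructed; the "lucky" first forgery is simulated with knowledge of r, standing in for the roughly 2^61 guesses it would take against a 61-bit tag, and the verifier is assumed not to reject repeated nonces.

```python
import hashlib

P = 2**61 - 1  # prime field; tags are about 61 bits (constructed choice)


def poly_hash(r: int, m1: int, m2: int) -> int:
    """Two-block polynomial universal hash: h_r(m) = m1*r^2 + m2*r mod P."""
    return (m1 * r * r + m2 * r) % P


def prf(k: bytes, nonce: int) -> int:
    """Per-nonce pad F_k(nonce); SHA-256 stands in for the PRF (assumption)."""
    return int.from_bytes(hashlib.sha256(k + nonce.to_bytes(8, "big")).digest()[:8], "big") % P


def mac(k: bytes, r: int, nonce: int, m1: int, m2: int) -> int:
    """Carter-Wegman tag: h_r(m) + F_k(nonce) mod P."""
    return (poly_hash(r, m1, m2) + prf(k, nonce)) % P


def verify(k: bytes, r: int, nonce: int, m1: int, m2: int, tag: int) -> bool:
    return mac(k, r, nonce, m1, m2) == tag


def simulate_accepted_forgery(r: int, m, new_m1: int):
    """Attacker's one lucky forgery, simulated with r: pick m2' so that
    h_r(m1', m2') == h_r(m1, m2). Against a real verifier this step costs
    on the order of 2^61 attempts; everything after it is free."""
    m1, m2 = m
    return (new_m1, (m2 + (m1 - new_m1) * r) % P)


def recover_r(m, mprime) -> int:
    """Equal tags under one nonce mean (m1-m1')r^2 + (m2-m2')r = 0 mod P.
    For r != 0 and m1 != m1' the only solution is r = (m2'-m2)/(m1-m1')."""
    (m1, m2), (n1, n2) = m, mprime
    return (n2 - m2) * pow(m1 - n1, P - 2, P) % P


def forge(tag: int, r: int, m, target) -> int:
    """With r known, re-tag any message under the same nonce:
    tag' = tag - h_r(m) + h_r(target), the pad F_k(nonce) cancels."""
    return (tag - poly_hash(r, *m) + poly_hash(r, *target)) % P


if __name__ == "__main__":
    k, r, nonce, m = b"k" * 32, 1234567891011, 7, (111, 222)   # constructed
    tag = mac(k, r, nonce, *m)
    mp = simulate_accepted_forgery(r, m, 333)
    r_hat = recover_r(m, mp)
    print(verify(k, r, nonce, *mp, tag), r_hat == r,
          verify(k, r, nonce, 9999, 8888, forge(tag, r_hat, m, (9999, 8888))))
```

Longer messages give a higher-degree difference polynomial, so recovering r means root finding rather than one division, which is the "depends on details of the MAC design" part; the root is still there to be found.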
/bellare01onemorersainversion.html
The One-More-RSA-Inversion Problems and the Security of Chaum's Blind
Signature Scheme by Bellare et al for some discussion of this issue.
Hal Finney
adding in multiples of the modulus and look for perfect
cubes again, but basically the odds against are 1 in N^(2/3) so there
is no point.
Hal Finney
PGP Corporation
independently made the same error. It would be nice
to know which it is.
Hal Finney
passes the hash number outside the RSA signed data
in addition to using PKCS-1 padding. This simplifies the parsing as it
allows hard-coding the ASN-1 prefix as an opaque bit string, then doing
a simple comparison between the prefix+hash and what it should be.
Hal Finney
of what this software
implements, and I'm also unclear about the patent status of some of the
more sophisticated aspects, but I'm looking forward to being able to
experiment with this technology.
Hal Finney
reuse.
The thread index will allow reading more of the discussion at
http://www1.ietf.org/mail-archive/web/cfrg/current/threads.html
under the title, how to guard against VM rollbacks.
Hal Finney
would imagine
is a generally loose affiliation of attackers with diverse motivations.
But as I said, my crystal ball is foggy.
Hal Finney
decryption
is valid even without revealing your long term secret keys.
Hal Finney
on the DRM aspect and that largely
torpedoed the whole idea. Still we might see it eventually. Research
in this direction is still going on, particularly in IBM's Integrity
Measurement Architecture[1] and some of the new security extensions to
the Xen virtualization software[2].
Hal Finney
[1]
http
the implementors would be
aware of the need for secure random numbers.
Hal Finney
, do you have a reference?
Or is it an exercise for the student?
Hal Finney
and ironically may become the first widely
fielded use of anonymous credentials.)
Hal Finney
possible v value. Learning a share tells you
nothing about v, and in general Shamir sharing, learning all but one of
the needed shares similarly tells you nothing about the secret.
Hal Finney
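The Shamir property stated above, made concrete as an added example (not code from the post): a (t, n) split over a prime field, recovery from any t shares, and a function that shows why t-1 shares say nothing about the secret: for every candidate secret there is exactly one value the missing share could take that makes the t shares recover that candidate, so the known shares are consistent with all of them equally. The field prime, threshold and secret are constructed choices.

```python
import random

P = 2**127 - 1  # prime field for the shares (constructed; any prime > secret works)


def eval_poly(coeffs, x: int) -> int:
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split(secret: int, t: int, n: int, rng=None):
    """Shamir (t, n): random polynomial of degree t-1 with the secret as the
    constant term; share i is the point (i, f(i))."""
    rng = rng or random.SystemRandom()
    coeffs = [secret % P] + [rng.randrange(P) for _ in range(t - 1)]
    return [(x, eval_poly(coeffs, x)) for x in range(1, n + 1)]


def interpolate_at(points, x: int) -> int:
    """Lagrange interpolation through `points`, evaluated at x (mod P)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def recover(shares) -> int:
    """Any t shares fix the degree t-1 polynomial; the secret is f(0)."""
    return interpolate_at(shares, 0)


def missing_share_for(known, x_missing: int, candidate_secret: int) -> int:
    """Given t-1 known shares, the value the missing share at x_missing would
    have to take for the secret to be candidate_secret. One such value exists
    for every candidate, which is why t-1 shares reveal nothing."""
    return interpolate_at([(0, candidate_secret)] + list(known), x_missing)


if __name__ == "__main__":
    shares = split(12345, t=3, n=5)                      # constructed secret
    known = shares[:2]                                   # one share short
    for cand in (0, 1, 999, 12345):
        y = missing_share_for(known, 3, cand)
        print(cand, recover(known + [(3, y)]) == cand)
```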
paths with
a maximum number of auxiliary paths.
(Rather than, we are abandoning our search for more differential paths
and working to try to find a real collision using this one. ;)
Hal Finney
message attack to find details, or read:
www.di.ens.fr/~bouillaguet/pub/SAC2009.pdf
slides (not too informative):
http://rump2009.cr.yp.to/ccbe0b9600bfd9f7f5f62ae1d5e915c8.pdf
Hal Finney
and you can collide in 2^80 work. You worked
harder than you needed to, so this is not a break.
Hal
, compared to m which is 3072 bits.
It is not bigger than m, and does not need to be adjusted. 3057 is
precisely the correct number of bits for a PKCS-1 padded value for a
3072 bit exponent.
Hal
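Two of the posts above concern the same PKCS#1 v1.5 block: the one that verifies by hard-coding the DigestInfo prefix and comparing prefix+hash against what it should be, and the one counting 3057 significant bits in a padded value for a 3072-bit modulus. This added example (not code from either post or from any library) builds the EMSA-PKCS1-v1_5 block for SHA-256 per RFC 8017, shows where 3057 = 3072 - 15 comes from (the leading 00 01 bytes fix the top 15 bits to zero), and puts the whole-block comparison beside a lenient parser that skips the FF run and ignores what follows the hash, using a constructed malformed block to show which one accepts it. No RSA operation is performed; the functions act on the encoded block a verifier would recover.

```python
import hashlib
import hmac

# DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1), kept as an
# opaque byte string rather than parsed as ASN.1.
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v15_encode(message: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 with SHA-256: 00 01 FF..FF 00 || T, T = prefix || hash,
    padded out to exactly k bytes (k = modulus length in bytes)."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for this hash")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def padded_bit_length(k: int) -> int:
    """Significant bits of any such block: 8k - 15, i.e. 3057 for k = 384."""
    return int.from_bytes(emsa_pkcs1_v15_encode(b"", k), "big").bit_length()


def verify_by_comparison(em: bytes, message: bytes, k: int) -> bool:
    """The approach the post describes: rebuild the expected block from the
    message and compare all k bytes. Nothing is parsed, nothing after the
    hash is ignored, and the FF run must be exactly the right length."""
    if len(em) != k:
        return False
    return hmac.compare_digest(em, emsa_pkcs1_v15_encode(message, k))


def verify_by_parsing(em: bytes, message: bytes, k: int) -> bool:
    """A lenient parser, for contrast: skip however many FF bytes are there,
    require a 00, then check only that prefix and hash follow. It neither
    fixes the run length nor looks at what comes after the hash."""
    if len(em) != k or em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < k and em[i] == 0xFF:
        i += 1
    if i >= k or em[i] != 0x00:
        return False
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return em[i + 1:i + 1 + len(t)] == t


def malformed_block(message: bytes, k: int) -> bytes:
    """Constructed input: a short FF run, the right prefix and hash, then
    filler. Not a signature; it only shows how the two verifiers differ."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    head = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    return head + b"\x00" * (k - len(head))


if __name__ == "__main__":
    k = 384
    em = emsa_pkcs1_v15_encode(b"hello", k)
    bad = malformed_block(b"hello", k)
    print(padded_bit_length(k))
    print(verify_by_comparison(em, b"hello", k), verify_by_parsing(em, b"hello", k))
    print(verify_by_comparison(bad, b"hello", k), verify_by_parsing(bad, b"hello", k))
```

Whole-block comparison is also why the post says this "simplifies the parsing": the verifier never interprets attacker-controlled bytes at all, it only asks whether they equal the one value they must be.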
Peter Gutman writes:
[EMAIL PROTECTED] (Hal Finney) writes:
Steven M. Bellovin writes:
Dan Bernstein has a new cache timing attack on AES:
http://cr.yp.to/antiforgery/cachetiming-20050414.pdf
This is a pretty alarming attack.
It is? Recovering a key from a server custom-written
Ian Farquhar writes:
[Hal Finney wrote:]
It seems odd for the TPM of all devices to be put on a pluggable module as
shown here. The whole point of the chip is to be bound tightly to the
motherboard and to observe the boot and initial program load sequence.
Maybe I am showing my eternal
On Thu, Nov 04, 2004 at 03:01:15PM -0800, Hal Finney wrote:
Another idea along these lines is gradual payment for gradual release
of the goods. You pay 10% of the amount and they give you 10% of the
source code. You pay another 10% and you get the next 10% of the source,
and so
* Travis H.:
On 7/11/06, Hal Finney [EMAIL PROTECTED] wrote:
: So what went wrong? Answer: NIST failed to recognize that table lookups
: do not take constant time. "Table lookup: not vulnerable to timing
: attacks," NIST stated in [19, Section 3.6.2]. NIST's statement was,
: and is, incorrect
.
Sent: Friday, July 21, 2006 9:09 AM
To: Florian Weimer
Cc: Hal Finney; [EMAIL PROTECTED]; cryptography@metzdowd.com
Subject: Re: NIST hash function design competition
On 7/20/06, Florian Weimer [EMAIL PROTECTED] wrote:
Is this about Colin Percival's work?
The paper was by Dan Bernstein
Ian G wrote:
Hal Finney wrote:
Perry Metzger writes:
Once the release window has passed,
the attacker will use the compromise aggressively and the authority
will then blacklist the compromised player, which essentially starts
the game over. The studio collects revenue during the release
[EMAIL PROTECTED] (Hal Finney) writes:
The idea of putting a TPM on a smart card or other removable device is even
more questionable from this perspective.
It's not just questionable, it's a really, really bad idea. TPMs are
fundamentally just severely feature-crippled smart cards
h...@finney.org (Hal Finney) on Saturday, January 24, 2009 wrote:
Countermeasures by botnet operators would include moderating their take,
perhaps only stealing 10% of the productive capacity of invaded computers,
so that their owners would be unlikely to notice. This kind of thinking
quickly
On Tue, Jun 16, 2009 at 09:31:36AM -0700, Hal Finney wrote:
Udhay Shankar N quotes wikipedia:
The question was finally resolved in 2009 with the development of the
first true fully homomorphic cryptosystem. The scheme, constructed by
Craig Gentry, employs lattice based encryption and allows
At 10:39 AM -0700 7/4/09, Hal Finney wrote:
But how many other hash function candidates would also be excluded if
such a stringent criterion were applied? Or turning it around, if NIST
demanded a proof of immunity to differential attacks as Rivest proposed,
how many candidates have offered
h...@finney.org (Hal Finney) writes:
Paul Hoffman wrote:
Getting a straight answer on whether or not the recent preimage work
is actually related to the earlier collision work would be useful.
[...]
There was an amusing demo at the rump session though of a different
kind of preimage
--- begin forwarded text
To: [EMAIL PROTECTED]
Subject: RPOW - Reusable Proofs of Work
Date: Sun, 15 Aug 2004 10:43:09 -0700 (PDT)
From: [EMAIL PROTECTED] (Hal Finney)
Sender: [EMAIL PROTECTED]
I'd like to invite members of this list to try out my new
hashcash-based server, rpow.net
|| (M1 xor M2)
M1 || (M1 xor M2')
M1' || (M1' xor M2)
M1' || (M1' xor M2')
In each case the actual input to the 2nd block compression function
(after xoring with the first block input) would be M2 or M2', as desired.
Hal Finney
-width hash construction is not as secure
as an ideal hash. It is safe against multicollisions but not against
multipreimages.
Hal Finney
technique at Crypto next month, so perhaps there will
be additional discussion there.
Hal Finney
bandwidth.
Unless you're looking for primes with a special format, like Sophie
Germain primes or ones with lots of 1's up front and/or in the back, or
primes considerably larger than 2048 bits, current methods should be fast
enough for most applications even on sequential processors.
Hal Finney
/camlys02b.pdf .
Hal Finney
a buffer period into the process to let
people take their final shots.
Hal Finney
of the cipher, and at this point we must largely rely on heuristic and
informal arguments to see whether any weaknesses are real or merely
theoretical.
Hal Finney
PGP Corporation
P1619 Member
copy of U-prove also.
Adam
On Sun, Feb 04, 2007 at 10:34:33AM -0800, Hal Finney wrote:
John Gilmore forwards:
http://news.com.com/IBM+donates+new+privacy+tool+to+open-source/2100-1029_3-6153625.html
IBM donates new privacy tool to open-source
By Joris Evers
Staff Writer, CNET
this work took
place right out in the open, before the public eye. Definitely some
smart people involved there.
Hal Finney
the role economics plays in the crypto and security field.
The mere fact that so many of the conclusions are provocative indicates
that there is much fertile work yet to be done. Ross is a major pioneer
of this effort and I am looking forward to further interesting results.
Hal Finney
relying parties), and that is where my proposed
mitigation above comes in. By renaming its URLs, an OpenID provider who
had the misfortune to create a weak OpenSSL cert (through no fault of
its own) can save its end users considerable potential grief.
Hal Finney
]
Clarifications below...
Eugen Leitl wrote:
- Forwarded message from "Hal Finney" [EMAIL PROTECTED] -
From: [EMAIL PROTECTED] (Hal Finney)
Date: Thu, 9 Sep 2004 12:57:29 -0700 (PDT)
To: [EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED]
Subject: Re: potential new IETF WG on anonymous
by
Wagner shows, you can find arbitrarily large multicollisions in a true
random k-bit function with less than 2^k work. Since Joux's attack
takes more than this, it does not distinguish this hash construction
from a random function.
Hal
you
could do the same by using y = x^{2^w} instead of x^{x^w}. Then you could
precompute z = 2^w mod phi and you would have a single exponentiation
to verify just like in my scheme. The RSW time-lock-puzzle paper does
it this way, they use 2^w as the exponent where w is the work factor.
Hal
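The shortcut described above, as an added example (not from the post and not the RSW paper's code): the solver must compute y = x^(2^w) mod n by w squarings in a row, while whoever knows phi(n) reduces the exponent to z = 2^w mod phi(n) first and does a single exponentiation. The demo modulus is the product of the Mersenne primes 2^61 - 1 and 2^89 - 1, chosen so the example runs instantly and with no key generation; a real puzzle needs fresh, much larger primes. The secret is locked under a SHA-256 pad derived from y, a constructed detail of this example.

```python
import hashlib

# Demo-only modulus from two known primes; a real puzzle uses fresh large primes.
P_DEMO = 2**61 - 1
Q_DEMO = 2**89 - 1
N_DEMO = P_DEMO * Q_DEMO
PHI_DEMO = (P_DEMO - 1) * (Q_DEMO - 1)


def solve_sequential(x: int, w: int, n: int) -> int:
    """y = x^(2^w) mod n by w squarings in a row. Without the factorisation
    there is no known way to skip ahead, so the work is inherently serial."""
    y = x % n
    for _ in range(w):
        y = y * y % n
    return y


def solve_with_trapdoor(x: int, w: int, n: int, phi: int) -> int:
    """Creator's shortcut: z = 2^w mod phi(n), then one exponentiation.
    Valid because x^phi(n) = 1 mod n whenever gcd(x, n) = 1."""
    z = pow(2, w, phi)
    return pow(x, z, n)


def _pad(y: int, n: int) -> bytes:
    return hashlib.sha256(y.to_bytes((n.bit_length() + 7) // 8, "big")).digest()


def make_puzzle(secret: bytes, x: int, w: int, n: int, phi: int):
    """Lock `secret` (up to 32 bytes) so that it opens only after w squarings;
    the creator pays one exponentiation, the solver pays w squarings."""
    assert len(secret) <= 32
    pad = _pad(solve_with_trapdoor(x, w, n, phi), n)
    return (n, x, w, bytes(a ^ b for a, b in zip(secret, pad)))


def open_puzzle(puzzle) -> bytes:
    n, x, w, locked = puzzle
    pad = _pad(solve_sequential(x, w, n), n)
    return bytes(a ^ b for a, b in zip(locked, pad))


if __name__ == "__main__":
    puzzle = make_puzzle(b"opens later", 123456789, 5000, N_DEMO, PHI_DEMO)
    print(open_puzzle(puzzle))
```

Raising w is what tunes the delay; the creator's cost stays at one exponentiation no matter how large w is, which is the point of the trapdoor.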
- I vaguely recall
seeing something like that in an RFC.
Hal
(see [RFC4086]).
Not all that different in thrust than the spec you are looking at.
Hal
like 100 million
to 1! Even if the odds of Bitcoin succeeding to this degree are slim,
are they really 100 million to one against? Something to think about...
Hal
11:04:15 -0700 (PDT)
From: h...@finney.org (Hal Finney)
Subject: Re: On what the NSA does with its tech
MV writes:
Yes. They can't break a 128 bit key. That's obvious. (if all the
atoms in the
universe were computers... goes the argument).
Not necessarily, if nanotechnology works. 128 bits
values, which would
make it harder to attack HMAC since you presumably would not be able to
choose the data without knowing the IV. It may still be that you could
do something with HMAC built on one of the broken ciphers, but we will
have to wait for a fuller description of the technique.
Hal
to n*2^(n/2). Your approach effectively makes
this (n^3)*2^(n/2) which is an improvement, but still not attaining
the exponential security increase expected from ideal hash functions.
Hal Finney
to find a collision between the lines. This level of
work is greater than that needed to invert the overall hash construction
hence does not represent an attack.
Hal Finney