Re: migration paradigm (was: Is PGP broken?)

2000-12-05 Thread David Wagner
David Honig wrote:
> Is there a reason not to use AES block cipher in a hashing mode
> if you need a secure digest of some data?

Yes. The standard hashing modes provide only 128-bit hash digests, and for long-term collision-resistance, we'd probably like longer outputs. Also, Rijndael has not b

Re: IBM press release - encryption and authentication

2000-12-17 Thread David Wagner
Enzo Michelangeli wrote:
> OpenPGP tries to detect such "wrong key" situations for
> symmetrically-encrypted packets in a pretty simplistic way, [...]
> The repetition of 16 bits in the 80 bits of random data prefixed to
> the message allows the receiver to immediately check whether the
> sess

Re: IBM press release - encryption and authentication

2000-12-17 Thread David Wagner
William Allen Simpson wrote:
> As far as I can tell, the only unique element is the mod 2^128 - 159
> function. We just need to use another function.
>
> My own favorite (in CBCS) has been rotation by the population count [...]

The uniquely valuable aspect of Jutla's scheme (and other related sc

Re: Perfect compression and true randomness

2001-01-09 Thread David Wagner
Paul Crowley wrote:
> This supports your main point: perfect compression is a *much* less
> realistic idea than true randomness!

Yeah. Now that you mention it, it's not entirely clear what perfect compression means, but it seems that it would at a minimum require ability to break every cryptosyst

Re: NONSTOP Crypto Query

2001-01-13 Thread David Wagner
In a paper on side channel cryptanalysis by John Kelsey, Bruce Schneier, Chris Hall, and I, we speculated on possible meanings of NONSTOP and HIJACK: [...] It is our belief that most operational cryptanalysis makes use of side-channel information. [...] And Peter Wright discussed data

Re: What's Wrong With Content Protection

2001-01-21 Thread David Wagner
Hal Finney writes:
> But when we deal with content protection which is provided on a
> competitive basis in the marketplace, it is another matter. In that
> case it is ultimately a question of satisfying the desires of the consumer
> which determines which products will succeed. [...]
>
> I understand

Re: 802.11 Wired Equivalent Privacy (WEP) attacks

2001-02-13 Thread David Wagner
Arnold G. Reinhold wrote:
> Thus there is a need for a short term remedy that can work with the
> existing standard.

Maybe the easiest short term remedy that does not require any changes to hardware is the following:

* Put the wireless network outside your firewall (or place a firewall betw

Re: A5/1 cracking hardware estimate

1999-05-11 Thread David Wagner
Brute force keysearch is not the best algorithm for cracking A5/1. Much better is Jovan Golic's technique for breaking A5 with something like 2^40 steps. (See ``Cryptanalysis of Alleged A5 Stream Cipher'', EUROCRYPT'97, and .) The question, as I see it, is how fast yo

Re: depleting the random number generator

1999-07-25 Thread David Wagner
In article , Arnold G. Reinhold <[EMAIL PROTECTED]> wrote:
> One nice advantage of using RC4 as a nonce generator is that you can easily
> switch back and forth between key setup and code byte generation. You can
> even do both at the same time. (There is no

LA wiretaps

1999-09-25 Thread David Wagner
that lets prosecutors introduce computer evidence (obtained, e.g., from wiretaps) without allowing defense attorneys a chance to review its accuracy or to cross-examine the prosecution's experts. In my view, the LA wiretaps are yet another example of why we need _more_ scrutiny in the courtroom, not le

Re: LA wiretaps -- full details available

1999-09-29 Thread David Wagner
Right. The scope of this violation of wiretap laws is breathtaking. There's no need for conspiracy theories anymore; we've got conspiracy theorems, complete with proof and everything. There's one amazing paragraph that deserves quotation here: [...] The [LAPD] engage in two totally different

Re: Digital Transmission Content Protection: www.dtcp.com

1999-01-02 Thread David Wagner
y, M6 is a family of ciphers. The exact cipher used in consumer products remains a secret.) What's notable is that some members of the M6 family have been found in the academic literature to be severely broken. See the following paper: ``Mod n Cryptanalysis, with Applications Against RC5

Re: rate of finding collisions

2000-01-03 Thread David Wagner
In article <[EMAIL PROTECTED]>, Paul Crowley <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] (Ian Goldberg) writes:
> > The expected number of collisions you get if you sample S items out of
> > a universe of size U (=2^N in the above case) is about (S^2)/U.
>
> I know this is a month old but I'm

Re: Interesting point about the declassified Capstone spec

2000-02-11 Thread David Wagner
In article , Arnold G. Reinhold <[EMAIL PROTECTED]> wrote:
> Clipper/Capstone was always advertised to the public as providing a
> higher level (80-bits) of security than DES while allowing access by
> law enforcement agencies.

Law enforcement friendly is v