crypto « WordPress.com Tag Feed

di notti ed altri demoni

patricia — Tue, 24 Nov 2009 13:49:50 +0000

Mi capita spesso di desiderare un foglio e una matita per appuntare di corsa quello che mi passa per

Is it on curve? (on prime fields)

CG — Fri, 20 Nov 2009 08:15:20 +0000

Sample parameters (from Guide to Elliptic Curve Cryptography #262)

P-192: p = 2^192 − 2^64 − 1, a = −3, h = 1
S = 0x 3045AE6F C8422F64 ED579528 D38120EA E12196D5
r = 0x 3099D2BB BFCB2538 542DCD5F B078B6EF 5F3D6FE2 C745DE65
b = 0x 64210519 E59C80E7 0FA7E9AB 72243049 FEB8DEEC C146B9B1
n = 0x FFFFFFFF FFFFFFFF FFFFFFFF 99DEF836 146BC9B1 B4D22831
x = 0x 188DA80E B03090F6 7CBF20EB 43A18800 F4FF0AFD 82FF1012
y = 0x 07192B95 FFC8DA78 631011ED 6B24CDD5 73F977A1 1E794811

The variables:
x = 602046282375688656758213480587526111916698976636884684818
y = 174050332293622031404857552280219410364023488927386650641
b = 2455155546008943817740293915197451784769108058161191238065

Calculating in PARI:

Last login: Thu Nov 19 10:29:35 on ttys002
CGs-MacBook:~ chika$ gp
Reading GPRC: /sw/etc/gprc ...Done.

                  GP/PARI CALCULATOR Version 2.1.7 (released)
                             unknown 32-bit version
                (readline v5.0 enabled, extended help available)

                       Copyright (C) 2002 The PARI Group

PARI/GP is free software, covered by the GNU General Public License, and
comes WITHOUT ANY WARRANTY WHATSOEVER.

Type ? for help, \q to quit.
Type ?12 for how to get moral (and possibly technical) support.

   realprecision = 28 significant digits
   seriesprecision = 16 significant terms
   format = g0.28

parisize = 4000000, primelimit = 500000
(13:41) gp > p = 2^192-2^64-1
%1 = 6277101735386680763835789423207666416083908700390324961279
(13:42) gp > a = Mod(-3,p)
%2 = Mod(6277101735386680763835789423207666416083908700390324961276, 6277101735386680763835789423207666416083908700390324961279)
(13:44) gp > b = Mod(2455155546008943817740293915197451784769108058161191238065,p)
%3 = Mod(2455155546008943817740293915197451784769108058161191238065, 6277101735386680763835789423207666416083908700390324961279)
(13:46) gp > E = ([0,0,0,a,b])
%4 = [0, 0, 0, Mod(6277101735386680763835789423207666416083908700390324961276, 6277101735386680763835789423207666416083908700390324961279), Mod(2455155546008943817740293915197451784769108058161191238065, 6277101735386680763835789423207666416083908700390324961279)]
(13:47) gp > ? isoncuve
  ***   isoncuve: unknown identifier.
(13:47) gp > ?isoncurve
  ***   obsolete function: isoncurve
                           ^---------
For full compatibility with GP 1.39, type "default(compatible,3)" (you can
also set "compatible = 3" in your GPRC file).

New syntax: isoncurve(e,x) ===> ellisoncurve(e,x)

ellisoncurve(e,x): true(1) if x is on elliptic curve e, false(0) if not.

(13:47) gp > ellisoncurve
  ***   expected character: '(' instead of: ellisoncurve
                                                        ^

(13:47) gp > ?isoncurve
  ***   obsolete function: isoncurve
                           ^---------
For full compatibility with GP 1.39, type "default(compatible,3)" (you can
also set "compatible = 3" in your GPRC file).

New syntax: isoncurve(e,x) ===> ellisoncurve(e,x)

ellisoncurve(e,x): true(1) if x is on elliptic curve e, false(0) if not.

(13:47) gp > x = Mod(602046282375688656758213480587526111916698976636884684818,p)
%5 = Mod(602046282375688656758213480587526111916698976636884684818, 6277101735386680763835789423207666416083908700390324961279)
(13:48) gp > ellisoncurve(E, x)
  ***   bad argument for an elliptic curve related function
(13:48) gp > ellisoncurve(E, x)
  ***   bad argument for an elliptic curve related function
(13:48) gp > ellisoncurve(E,x)
  ***   bad argument for an elliptic curve related function
(13:49) gp > y = Mod(174050332293622031404857552280219410364023488927386650641,p)
%6 = Mod(174050332293622031404857552280219410364023488927386650641, 6277101735386680763835789423207666416083908700390324961279)
(13:49) gp > z = (x,y)
  ***   expected character: ')' instead of: z=(x,y)
                                                ^---

(13:49) gp > z=(x,y)
  ***   expected character: ')' instead of: z=(x,y)
                                                ^---

(13:49) gp > z = (x,y)
  ***   expected character: ')' instead of: z=(x,y)
                                                ^---

(13:49) gp > z=[x,y]
%7 = [Mod(602046282375688656758213480587526111916698976636884684818, 6277101735386680763835789423207666416083908700390324961279), Mod(174050332293622031404857552280219410364023488927386650641, 6277101735386680763835789423207666416083908700390324961279)]
(13:49) gp > ellisoncurve(E,z)
%8 = 1
(13:50) gp >

[editing is on progress]

ASA VPN Server config template

geniesis — Fri, 20 Nov 2009 04:21:05 +0000

I keep forgetting the config required for setting up an ASA VPN server, so here it is for reference:

This is an ASA config with Radius authentication.

aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host <HOST>
key <KEY>

access-list VPN_splitTunnelAcl standard permit <NETWORK> <SUBNET>
ip local pool VPN-IP-POOL <FROM_IP>-<TO_IP> mask 255.255.255.0

access-list nonat extended permit ip any <NETWORK> <SUBNET>
nat (inside) 0 access-list nonat

group-policy <GROUP> internal
group-policy <GROUP> attributes
dns-server value <DNS_IP>
vpn-tunnel-protocol IPSec webvpn
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_splitTunnelAcl
default-domain value <DNS_SUFFIX>
webvpn
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000
isakmp nat-traversal 20

tunnel-group <TUNNEL> type ipsec-ra
tunnel-group <TUNNEL> ipsec-attributes
pre-shared-key <PRESHAREKEY>
isakmp keepalive threshold 10 retry 2
tunnel-group <TUNNEL> general-attributes
address-pool VPN-IP-POOL
authentication-server-group RADIUS
default-group-policy <GROUP>

Filmación del "Nessie de Normandía"

esencia21 — Thu, 19 Nov 2009 13:25:34 +0000

Hay algo grandes en los lagos de los canales de Madeira Beach, en la costa del condado de Pinellas,

Another simple hash function

CG — Mon, 16 Nov 2009 03:11:30 +0000

Another simple example:

/*
   Simple Hash Example
   CG - 15112009
*/      

#include <stdio.h>

#define L 32     //the length of the message is 32 bit
#define N 8      //the length of the message block is 8 bit 

int main(){
   char M[L] = {1,0,1,0,1,0,1,0,1,0,0,1,0,1,1,0,1,1,0,0,1,1,0,0,1,1,1,1,0,0,1,1};
   int x = L/N;
   int i, j, k;

   char m[x][N];
   int c[N];

   j = 0;
   k = 0;
   for (i = 0; i < L; i++){
      m[j][k] = M[i];
//      printf("\nm[%d][%d] = %d", j, k, m[j][k]);
      k++;
      if ((i != 0) && ((i % N) == 0)){
         j++;
         k = 0;
      }
   }   

   printf("\nM = ");
   for (i = 0; i < L; i++)
      printf("%d ", M[i]);

   for (j = 0; j < x; j++)
      for (k = 0; k < N; k++){
         printf("\nm[%d][%d] = %d", j, k, m[j][k]);
      }
   printf("\n");

   for (i = 0; i < N; i++)
      c[i] = 0;

   for (k = 0; k < N; k++)
      for (j = 0; j < x; j++)
         c[k] = c[k] ^ m[j][k];

   printf("\nThe N-bit hash code : \n");
   for (i = 0; i < N; i++)
      printf("%d ", c[i]);

   printf("\n");
}

The result is:

M = 1 0 1 0 1 0 1 0 1 0 0 1 0 1 1 0 1 1 0 0 1 1 0 0 1 1 1 1 0 0 1 1 m[0][0] = 1 m[0][1] = 0 m[0][2] = 1 m[0][3] = 0 m[0][4] = 1 m[0][5] = 0 m[0][6] = 1 m[0][7] = 0 m[1][0] = 0 m[1][1] = 0 m[1][2] = 1 m[1][3] = 0 m[1][4] = 1 m[1][5] = 1 m[1][6] = 0 m[1][7] = 1 m[2][0] = 1 m[2][1] = 0 m[2][2] = 0 m[2][3] = 1 m[2][4] = 1 m[2][5] = 0 m[2][6] = 0 m[2][7] = 1 m[3][0] = 1 m[3][1] = 1 m[3][2] = 1 m[3][3] = 0 m[3][4] = 0 m[3][5] = 1 m[3][6] = 1 m[3][7] = 0

The N-bit hash code : 1 1 1 1 1 0 0 0

Qaqrat

jessiedesmond — Sun, 15 Nov 2009 00:53:39 +0000

There’s been some questioning of what’s going on with the Qaqrat case. Photos were sent to Mike Castellini at the Coastal Marine Institute at UAF. The Smithsonian was also contacted. I’m guessing the Marine Science Department or the Conservation and Research Center.

Anyone want to tackle this?

Python e RSA

bitentropy — Sat, 14 Nov 2009 15:01:38 +0000

Ci stanno tanti toolkit crypto per Python, ma spero di aver fatto la scelta migliore (almeno per ora). Piccola classettina d utilità per chiavi RSA, a sua volta un wrapper alla già completa classe di m2crypto.

import M2Crypto

class RSA (object):
    def __init__ (self, bits=1024, padding=M2Crypto.RSA.pkcs1_padding, exp=65537):
        self.bits = bits
        self.padding = padding
        self.exp = exp
        self.rsa = None

    def generate (self):
        self.rsa = M2Crypto.RSA.gen_key(
            self.bits, self.exp, lambda x: None)

    def encrypt (self, s):
        c = ""
        bytes = self.bits/8-11
        for i in range(0, len(s), bytes):
            c += self.rsa.public_encrypt (s[i:i+bytes], self.padding)
        return c

    def sign (self, s, algo="sha1"):
        dgst = M2Crypto.EVP.MessageDigest (algo)
        dgst.update (s)
        return self.rsa.sign (dgst.digest (), algo)

    def verify (self, s, sign, algo="sha1"):
        dgst = M2Crypto.EVP.MessageDigest (algo)
        dgst.update (s)
        try:
            self.rsa.verify (dgst.digest (), sign, algo)
        except:
            return False
        return True

    def decrypt (self, c):
        s = ""
        bytes = self.bits/8
        for i in range(0, len(c), bytes):
            s += self.rsa.private_decrypt (c[i:i+bytes], self.padding)
        return s

Esempio d’utilizzo

rsa = RSA ()
rsa.generate () # generate key pair
s = "a"*2000 # test data
edata = rsa.encrypt (s)
sign = rsa.sign (s)

ddata = rsa.decrypt (edata)
assert rsa.verify (ddata, sign) == True

Dicen que esta es la foto de una boa de casi 17 metros

esencia21 — Fri, 13 Nov 2009 23:12:51 +0000

Es la nueva sensación en Internet y no es para menos, se trataría de un descomunal ofidio constricto

Do we have too few problems to work on?

jonkatz — Fri, 13 Nov 2009 18:02:27 +0000

Recently I submitted a paper and found that someone else was working on the same problem. (In this particular case there was more involved, as well as a possible breach of ethics, but none of that is relevant to the point I am trying to make in this post.) I don’t have any statistics here, but this seems to happen relatively often in our field. It has happened to me at least 3 times — once on a problem that I would consider relatively obscure — with the result being a merged paper each time. Sometimes the results obtained were incomparable, but it was determined that a merge was in everyone’s best interests as well as the right thing to do scientifically. Other times the results were essentially the same.

I know I am not alone in this. At just about every conference there is at least one merged paper (I am aware of one at the upcoming TCC). An example from the summer that caught my attention was a set of three overlapping results showing constructions of HIBE based on lattices: here, here, and here. I am aware of several other examples as well, though will refrain from mentioning them since sometimes the authors don’t want information about the way a paper was written to become public. (Feel free to share your own stories in the comments…)

What does it mean? Are there too few [good] problems to work on, so that we are all mining the same ground? If so, is this an indication that the community is stuck in a rut, or have we all just collectively identified what are the most important problems? While I think this explains part of the issue, many of the cases I am aware of involve, as I said, pretty obscure problems that are not the type I would expect everyone to jump on. Perhaps the social nature of our field, with people discussing their latest results at workshops, and open problems being “in the air”, encourages people to focus on similar sets of problems. Is this a good thing or a bad thing?

What do you think?

Israeli ambassador welcomed with eggs in Turkey

agaahipk — Thu, 05 Nov 2009 05:34:42 +0000

PressTv

Israel’s ambassador to Ankara has been pelted with eggs during a visit to a Turkish university in the coastal city of Trabzon.

Angry Turkish students threw eggs at Gabi Levy as he arrived at Karadeniz Teknik university on Wednesday.

The students protesting against Tel Aviv’s policies regarding the Palestinians, including the issues of illegal settlement activity in the West bank and the war on the Gaza Strip.

Police detained a group of 20 students and the Israeli ambassador left without getting out of his vehicle, Anatolia reported.

The embarrassing incident came only one day after Gabi Levy, who is on a tour of the region, faced harsh criticism in the nearby city of Rize, where local officials condemned Israel’s “policies of expansion and occupation” and said that the so-called “self-defense” should not involve “killing children.”

Ankara-Tel Aviv re relations deteriorated after Israel’s deadly military offensive in Gaza that killed over 1,400 Palestinians, mostly civilians, at the turn of the year.

The two side’s bilateral relations further deteriorated last month, after Ankara excluded Israel from an international air force exercise in protest at “the humanitarian tragedy” in Gaza and called for an immediate lifting of Gaza siege, which has put the region’s 1.5 million population in desperate need of basic necessities.

On Mathematical Diseases

rjlipton — Wed, 04 Nov 2009 23:29:49 +0000

Mathematical diseases: symptoms and examples

Underwood Dudley is a number theorist, who is perhaps best known for his popular books on mathematics. The most famous one is A Budget of Trisections, which studies the many failed attempts at the ancient problem of trisecting an angle with only a ruler and a compass. This problem is impossible, yet that has not stopped some people from working day and night looking for a solution. Trying to find such a solution is an obsession for some; it’s almost like they have a malady that forces them to work on the problem.

Today I plan on talking about other mathematical obsessions. They are like diseases that affect some, and make them feel they have to work on certain mathematical problems. Perhaps P=NP is one?

Dudley’s book is quite funny, in my opinion, although it does border on being a little bit unkind. As the title suggests, in “A Budget of Trisections,” he presents one attempt after another at a general method for trisecting any angle. For most he points out that when the angle is equal to some value what the exact error is. For others he adds a comment like:

This construction almost worked, if only the points and and had really been co-linear it would have worked. Perhaps the author could move

His book is about the kind of mathematical problems that I will discuss today: problems that act almost like a real disease.

I cannot resist a quote from Underwood that attacks bloggers. Note he uses “he” to refer to himself in this quote:

He has done quite a bit of editing in his time–the College Mathematics Journal for five years, the Pi Mu Epsilon Journal for three, the Dolciani Mathematical Expositions book series (six years), and the New Mathematical Library book series (three years). As a result he has a complete grasp of the distinction between “that” and “which” (very rare) and the conviction that no writing, including this, should appear before the public before passing through the hands, eyes, and brain of an editor. Take that, bloggers!

(Bold added by me.)

Oh well.

What Is a Mathematical Disease?

This is the flu season in Atlanta, and many are getting it. I hope you either miss the bug, or if you are unfortunate enough to get it, get a mild case.

There is another type of “bug” that affects mathematicians—the attempt to solve certain problems. These problems have been called “diseases,” which is a term coined by the great graph theorist Frank Harary. They include many famous problems from graph theory, some from algebra, some from number theory, some from complexity theory, and so on.

The symptoms of the flu are well known—I hope again you stay away from fever, chills, and the aches—but the symptoms for a mathematical disease (MD) are less well established. There are some signs however that a problem is a MD.

A problem must be easy to state to be a MD. This is not sufficient, but is required. Thus, the Hodge-Conjecture will never be a disease. I have no clue what it is about.
A problem must seem to be accessible, even to an amateur. This is a key requirement. When you first hear the problem your reaction should be: that is open? The problem must seem to be easy.
A problem must also have been repeatedly “solved” to be a true MD. A good MD usually has been “proved” many times—often by the same person. If you see a paper in arXiv.org with many “updates” that’s a good sign that the problem is a MD.

Unlike real diseases, MD’s have no known cure. Even the solution of the problem will not stop attempts by some to continue working on it. If the proof shows that something is impossible—like the situation with angle trisection—those with the MD will often still work hard on trying to get around the proof. Even when there is a fine proof, those with the disease may continue trying to find a simple proof. For example, Andrew Wiles’ proof of Fermat’s Last Theorem has not stopped some from trying to find Pierre de Fermat’s “the truly marvellous proof.”

Some Mathematical Diseases

Here are some of the best known MD’s along with a couple of lesser known ones. I would like to hear from you with additional suggestions. As I stated earlier Harary was probably the first to call certain problems MD’s. His original list was restricted to graph problems, however.

Graph Isomorphism: This is the classic question of whether or not there is a polynomial time algorithm that can tell if two graphs are isomorphic. The problem seems so easy, but it has resisted all attempts so far. I admit to being mildly infected by this MD: in the 1970’s I worked on GI for special classes of graphs using a method I called the beacon set method.

There are some beautiful partial results: for example, the work of László Babai, Yu Grigoryev, and David Mount on the case where the graphs have bounded multiplicity of eigenvalues is one of my favorites. Also the solution by Eugene Luks of the bounded degree case is one of the major milestones.

I would like to raise one question that I believe is open: Is there a polynomial time algorithm for the GI problem for expander graphs? I asked several people at the recent Theory Day and no one seem to know the answer. Perhaps you do.

Group Isomorphism: This problem is not as well known as the GI problem. The question is given two finite groups of size are they isomorphic? The key is that the groups are presented by their multiplication tables. The best known result is that isomorphism can be done in time . This result is due to Zeke Zalcstein and myself and independently Bob Tarjan. It is quite a simple observation based on the fact that groups always have generator sets of cardinality at most .

I have been affected with this MD for decades. Like some kind of real diseases I get “bouts” where I think that I have a new idea, and I then work hard on the problem. It seems so easy, but is also like GI—very elusive. I would be personally excited by any improvement over the above bound. Note, the hard case seems to be the problem of deciding isomorphism for -groups. If you can make progress on such groups, I believe that the general case might yield. In any event -groups seem to be quite hard.

Graph Reconstruction: This is a famous problem due to Stanislaw Ulam. The conjecture is that the vertex deleted subgraphs of a graph determine the graph up to isomorphism, provided it has at least vertices. It is one of the best known problems in graph theory, and is one of the original diseases that Harary discussed.

I somehow have been immune to this disease—I have never thought about it at all. The problem does seem to be solvable; how can all the subgraphs not determine a graph? My only thought has been that this problem somehow seems to be related to GI. But, I have no idea why I believe that is true.

Jacobian Conjecture: This is a famous problem about when a polynomial map has an inverse. Suppose that we consider the map that sends a pair of complex numbers to where and are both integer polynomials. The conjecture is that the mapping is 1-1 if and only if the mapping is locally 1-1. The reason it is called the Jacobian Conjecture is that the map is locally 1-1 if and only if the determinant of the matrix

is a non-zero constant. Note, is the partial derivative of the polynomial with respect to . The above matrix is called the Jacobian of the map.

This is a perfect example of a MD. I have worked some on it with one of the experts in the area—we proved a small result about the problem. During the time we started to work together, within a few months the full result was claimed twice. One of the claims was by a faculty member of a well known mathematics department. They even went as far to schedule a series of “special” talks to present the great proof. Another expert in the area had looked at their proof and announced that it was “correct.” Eventually, the talks were cancelled, since the proof fell apart.

Crypto-Systems: This is the quest to create new public key crypto-systems. While factoring, discrete logarithm, and elliptic curves seem to be fine existing public key systems, there is a constant interest in creating new ones that are based on other assumptions.

Some of this work is quite technical, but it seems a bit like an MD to me. There are amateurs and professionals who both seem to always want to create a new system. Many times these systems are broken quite quickly—it is really hard to design a crypto-system.

A recent example of this was the work of Sarah Flannery and David Flannery in creating a new system detailed in their book In Code. The book gives the story of her discovery of her system, and its eventual collapse.

P=NP: You all know this problem. See this for a nice list of attempts over the years to resolve the problem. Thanks to Gerhard Woeginger for maintaining the list.

Open Problems

What are other MD’s? What is your favorite? Why do some problems become diseases? While others do not?

I would love to see some progress made on group isomorphism—I guess I have a bad case of this disease. I promise that if you solve it I will stop thinking about it. Really.

Crypto

paoblog — Wed, 04 Nov 2009 10:31:14 +0000

Crypto

di Dan Brown – Ediz. Mondadori – Pagg. 427 – € 18,60

Trama: Washington. La trentottenne Susan Fletcher, brillantissima mente matematica e responsabile della divisione di crittologia della National Security Agency, viene convocata d’urgenza nell’ufficio del comandante Strathmore. Qualcuno ha realizzato un programma capace di “ingannare” il più sofisticato strumento informatico di spionaggio al mondo, un supercomputer che può decodificare qualunque testo cifrato a una velocità strabiliante. Pochissimi conoscono l’esistenza di questa macchina, ideata per contrastare le nuove minacce alla sicurezza nell’era di Internet e in grado di controllare la posta elettronica di chiunque. La stessa NSA, nata per proteggere le comunicazione del governo americano e intercettare quelle delle potenze straniere, opera in semiclandestinità, al di fuori del controllo pubblico. Susan non si stupisce quando viene a sapere che “Fortezza Digitale”, così è stato battezzato il programma, è frutto delle ricerche di un genio dell’informatica: il giapponese Ensei Tankado, handicappato dalla nascita per gli effetti del disastro atomico di Hiroshima, che dopo essere stato chiamato negli Stati Uniti a lavorare per l’NSA ha sbattuto la porta in faccia ai suoi capi quando si è accorto che il supercomputer rischiava di trasformarsi in un nuovo Grande Fratello. I suoi intenti sono nobili, ma la sua decisione di boicottare l’operato dell’NSA, mettendo il programma in rete e permettendo a chiunque di scaricarlo, rischia di creare l’anarchia e di assicurare libertà d’azione a spie e criminali.

Letto da: Ro

Opinione: Complicato per chi non mastica di informatica e deludente.

P1363 A.2.1 Modular exponentiation

CG — Mon, 02 Nov 2009 16:05:06 +0000

Next will be A.2.5 Finding Square Roots Modulo a Prime

Los Monstruos Acuáticos invaden Londres

esencia21 — Sun, 01 Nov 2009 18:34:48 +0000

El Centro para Investigaciones (CFI) ubicado en el Conway Hall, Plaza del León Rojo, 25, Londres, Re

.kroonika

Nirti — Sat, 31 Oct 2009 22:57:33 +0000

Ma olen kõikidest emotsioonidest tühjaks tehtud ja… Neljapäev oli mul “patareide laadimi

Stop using unsafe keyed hashes, use HMAC

Nate Lawson — Thu, 29 Oct 2009 15:00:01 +0000

The HMAC construction turns a cryptographic hash algorithm into a keyed hash. It is commonly used for integrity protection when the sender and recipient share a secret key. It was developed to address various problems with arbitrary keyed hash constructions. So why are developers still rolling their own?

One of the original papers on keyed hash constructions describes the motivations for developing a standard for HMAC. In 1995, there was no standardization and cryptographers only worked from hunches as to what constituted a secure keyed hash. This paper summarized two known attacks on some common schemes that had evolved in the absence of a standard.

The first construction the paper attacks is H(k || m), aka “secret prefix”. The key and the message to be authenticated were concatenated and hashed. The authenticator was the resulting hash. This was fatally flawed, as I mentioned in my previous talks on web crypto. Standard hash algorithms that use the Merkle-Damgard construction (like SHA-1) are subject to a length-extension attack. An attacker can trivially create an authenticator for m’ where m’ = m1 || pad || m2 if they have seen the authenticator for m1. (The “pad” value makes the input a multiple of the compression function block size and includes the total length hashed). This flaw was most recently found in the Flickr API.

The second construction was H(m || k), aka “secret suffix”. While the length-extension attack no longer applies because k is unknown to the attacker, this still maximally exposes you to weaknesses in the hash algorithm. Preneel et al described two attacks on this approach.

The first attack is that secret suffix is weaker against offline second-preimage attacks. That is, an attacker can take an authenticator for a known plaintext m and calculate their own plaintext m’ that hashes to the same value as the block just before k. If the input to the hash function just before k is identical, then the output is also the same. This means the attacker can just send m’ and the previously seen authenticator for m and the two will match.

For a secure cryptographic hash function, a second-preimage attack takes 2ⁿ tries where n is the hash size in bits[1]. However, the secret suffix approach is marginally weaker to this kind of attack. If an attacker has seen t text and authenticator pairs, then the effort is only 2ⁿ / t since they can attempt a second-preimage match against any of the authenticators they have seen. This is usually not a problem since second-preimage attacks are usually much harder than finding collisions. As they have aged, all widely-used hash algorithms have fallen to collisions before second-preimage attacks.

The other attack is much more powerful. If the attacker can submit a chosen message to be authenticated, she can attempt an offline collision search. In this case, an attacker searches for two messages, m and m’, that hash to the same value. Once they are found, she requests an authenticator for the innocuous message m. Since a collision means the intermediate hash state before k is mixed in is identical (an “internal collision”), the final authenticator for both will be identical. The attacker then sends the evil message m’ with the authenticator for m, the two match, and the message is accepted as authentic.

This means the secret suffix construction is insecure if collisions can be found in the underlying hash function. Due to the birthday paradox, this takes 2^n/2 work even for a secure hash function (e.g., 2⁶⁴ operations for a 128-bit hash). But it gets worse if the hash is weaker to collisions.

MD5 has multiple demonstrated collisions. Many systems continue to use HMAC-MD5 because a collision alone is not enough to compromise it. Because of the way the key is applied in HMAC, an attacker would have to generate an internal collision with the secret key, which is much harder than colliding with a chosen message[2]. Although this may provide some immediate comfort, it is still important to move to HMAC-SHA256 soon if you are using HMAC-MD5.

In contrast, MD5 with secret suffix is completely compromised due to collisions, especially with the recent advance in chosen-prefix collisions. Currently, this takes about 30 seconds on a laptop. To repeat, under no circumstances should you use an arbitrary hash construction instead of HMAC, and MD5 with secret suffix is completely broken. If you were putting off moving away from MD5(m || k), now would be an excellent time to move to HMAC-SHA256.

Thanks go to Trevor Perrin and Peter Gutmann for comments on this article.

[1] This is not true for longer messages. Multicollisions can be used against each block of a longer message. See the work by Kelsey and Schneier and Joux for more details.

[2] This is a very broad statement about HMAC. A more detailed analysis of its security will have to wait for another post.

Generating EC parameters

CG — Thu, 29 Oct 2009 14:12:20 +0000

… is not as easy as generating random numbers.

P1363 Section 1.9.5 mention that

The most difficult part of generating EC parameters is finding a base point of prime order

So the next things to do is finding a random point in an elliptic curve (prime case A.11.1/binary case A.11.2), and use A.2.5 to find a square root modulo p and use A.2.1 to calculate modular exponentiation.

In the text book, algorithm for elliptic curve key pair generation is only 5 lines. But implementing one line requires many hours understanding P1363.

Now let’s start with A.2.1.

Short-Term and Long-Term Academic Utility (guest post)

jonkatz — Thu, 29 Oct 2009 11:20:07 +0000

Another guest post by Yehuda Lindell. My reaction will be in a follow-up post.

Recently I thought about applying game-theoretic principles to our work as academics. What are our utility functions and how are they maximized? I have the following observations (if you don’t detect the cynicism below then this is a problem with written media):

The first observation is that the “best strategy” is to write papers that are just good enough to get into the conference that you want, but no better. This way you minimize your work while maximizing your publications. “Best paper prizes” can somewhat improve this situation, but it’s not clear that going for “best paper” is a good strategy (it involves much more work, decisions about best paper are rather arbitrary so the chances of winning aren’t that great, and it doesn’t make much of a difference for promotion).
The second observation is that you should spend as little time as possible writing. That is, your presentation should be as bad as is possible to have it accepted. Once again, wasting loads of time writing well just reduces your publication count.
If your university doesn’t require that you have journal papers, then not only should you not write such papers, you also shouldn’t bother writing up full versions with full proofs. Specifically, write proof sketches that are “just good enough” to convince the program committee and don’t bother fully verifying. It helps to repeatedly use “the full proof will appear in the full version”, but then make sure that you never actually write such a version.
I’m sure that one can argue that it’s best to research “easy questions” than hard ones and so on, but I’m not going to relate to this.
Finally, you should definitely not waste time writing a book. It seems that a book is considered a nice addition, but 5 papers would probably do more for your promotion.

So, what’s the result of all of the above? You’ll have a nice long CV full of papers that no one will want to read, let alone follow up on. Is it really worth it? After 25 years of research, will you be able to look back and say that you had an impact? What about publishing 1-2 really good papers a year? I personally believe that this will yield much more satisfaction and impact. (I actually did this exercise and looked back over the last 5 years and asked myself how many papers that I published I actually really like and think had a real contribution. I reached the conclusion of 1-2 papers a year, so I’m happy with that. One could always ask me why I bothered doing the others. First, you don’t always know how things will turn out, and there are other reasons. But I don’t want to get too personal with myself .)

I also argue that the strategy above of doing as bad a job as possible without being detected (which is really what 1-5 lead to) may “make sense” for researchers who are very borderline and may not get tenure. However, for all the rest of the community, it makes no sense whatsoever. I would rather publish much less, but have people be happy to read my papers because they have full proofs and are easy to read. What I would really like to argue is that researchers who don’t need to follow the above strategies (and let’s hope that this is the vast majority) should make sure not to get pulled into such behavior. I strongly believe that it will raise your long-term utility!

Unfortunately, in my humble opinion there are too many people who do. Just for one example, I know of a number of great researchers with excellent papers and results that are ridiculously hard to read (and of course do not have full versions). I guess that this is my loss, because I usually don’t read such papers, but I assume that I’m not the only one…

.kolmapäev

Nirti — Wed, 28 Oct 2009 18:46:12 +0000

Huzzah! Nüüd on homme, ülehomme ka vabad, vahenädal ikkagi! Reedel hääletan koos L.-ga Kassi sünnipä

Video on Homomorphic Encryption and IBM Research

jonkatz — Fri, 23 Oct 2009 21:19:24 +0000

Via Luca, a nice video on the IBM crypto group and homomorphic encryption. (Yes, the lunches are really like that!)

Israelis to boycott Turkish resorts and coffee

agaahipk — Thu, 22 Oct 2009 04:51:03 +0000

by: Daily.Pk

As most of ‘political aware’ persons know – Zionist regime is well-known for its self-denial – even if the truth about its Zionazi policies comes from respected Jewish individulas, such as South African Jewish judge, Goldstone.

In response to Ankara’s non-stop rubbing of Zionist noses (read it as ‘anti-Semitism’) – Israel’s national airline EIAI has decided to stop subsiding its employees visiting Turkey during the Passover holidays – during which over 80,000 Israeli Jews visit Turkey and spread their immoral culture.

Israel’s major coffee shop chain, IIan, too has decided to join the boycott, according to its director of marketing, Michael Steg, saying: “We have for the time being to stop selling ‘Istambul Coffee’ – our Turkish coffee blend, and we shall keep doing it until matters improve – the airing of Turkish TV drama Ayrilik (Farewell) showing Israeli soldiers as child-killers during Israel’s ‘Operation Cast Lead’ against 1.5 million Palestinians trapped inside Gaza Strip.

Ankara’s recent actions against its old ally – which Zionist-controlled media keeps ignoring – has nothing to do with the so-called ‘anti-Semitism’. It’s as Professor Ephraim Inbar (Bar-IIan University) put it: “Someone has decided to teach Israel a lesson”. Recently, Tel Aviv turned down Turkish Foreign Minister Ahmet Davutoglu’s request to visit Gaza strip and meet Hamas government leaders to negotiate a sort of fair deal between Israeli government and Hamas. Earlier, the reason why the Turkish PM Erdogan blasted Israeli president Shimon Peres at Davos conference – was that Israeli PM Ehud Olmert met Erdogan in Istanbul a few days before Israeli attack on Gaza in December 2008 – and “betrayed” Erdogan, who was conveying messages on phone between Olmer and Damascus (Turkey, then, was playing the part of a negotiator on Israeli request). Israel also infuriated Turkish generals by delaying the delivery of the pre-paid Heron unmanned aviation vehicles (UAV) – and 2008 failed coup against Erdogan government.

“Things have changed. In Davutoglu’s idealogical framework, Israel soesn’t play a central role,” – Ofra Bengio, an expert on Turkey at the Moshe Dayan Center for Middle Eastern and African Studies at Tel Aviv University.

According to Israeli daily Ha’aretz, Turkey is the most popular foreign destination for Israel tourists representing 13% of all departures and generating US$300 million in annual revenue. More than 500,000 Israeli Jews visit Turkey each year for beaches and cheap shopping. Yossi Fattal, head of Israel Tourist and Travel Agent Association, said that travellers’ boycott is unprecedented in Israel (since Peres’ outbusrt against Erdogan at Davos). He believes, however, that the impact will not be as severe as it appears now. “Israeli memory isn’t very long – half a year is like an ice age and the memory will fade.”

Now, how much impact the Israeli (population 7 million) boycott would have on Turkey (70 million) – would be interesting to watch. Turkey is home to over 26,000 Jews (second largest Jewish community in a Muslim-majority country – after Islamic Iran). Turkish Jews are (96% Sephardic, and the rest Ashkenazi and Kurds. However, they have carried immense power in the secular Turkey since WW I – as Christopher Jon Bjerknes wrote:

“Long before the ‘cultural revolution’ of communist china, and starting before the Bolshevik Jews of Russia destroyed Christianity and Christians in the Slavik World, the Doenmeh (the secret Jews of Turkey) and especially Mustafa Kemal (Attaturk), tried very hard to strip Turkey of its religion and its culture. It’s vital to World Jewry to prevent the Muslims of Turkey from taking back their nation and their faith and aligning themselves with their Muslim neighbours.

El-Gamal with Pari

CG — Wed, 21 Oct 2009 15:14:24 +0000

Encrypt – decrypt successful.

Mozilla's Weave and cryptography.

abrown969 — Wed, 21 Oct 2009 12:20:59 +0000

Recently I had delved into the source code of Mozilla’s Weave (the firefox extension part) to check how things are done. I did that because in the recent years, I never found a way to sync different parts of my digital life in a painless way and as a result I’m always in the look for new tools/products that might ease my pain (explaining why nothing works for me, will be analyzed in a different post).

So, during my adventures with the Weave extension, I stumbled upon the “crypto” directory:

[abrown@bifteki]weave $ pwd /usr/home/abrown/clones/weave [abrown@bifteki]weave $ ls -1 Makefile README crypto/ source/ tests/ tools/

Unfortunately, I didn’t even try building the component due to lack of time. But before bringing my little exploration to a halt, I tried to find some more information about how their cryptography module is utilized by the Weave extension but I didn’t had any luck. However, after a month or so, a friend of mine passed me this wonderful link:
How does Weave use Cryptography?

Really a very nice article explaining Weave’s crypto scheme. Thanks!

Database

jessiedesmond — Wed, 21 Oct 2009 00:22:10 +0000

I’ve added a database that we can all update. It’s currently still in the works. Right now I only have UFO, Hauntings, and Cryptids for categories, but I plan on adding a Religious section and a Mysterious Locations section.

You can update it, but you have to sign up as a contributor. If you need me to re-send you the invite, you have to let me know.

Eurocrypt deadline today; partial fairness

jonkatz — Tue, 20 Oct 2009 19:09:29 +0000

The Eurocrypt deadline is today, which gives me an excuse to talk about a recent paper of mine that I had been promising to talk about for a while.

In the setting of distributed computation, a protocol is fair if all parties receive their outputs even in the event of malicious behavior by some of the other parties (in particular, even if they abort the protocol early). Unfortunately, Cleve showed in 1986 that complete fairness is impossible — even for some very simple functions — whenever an honest majority is not present. In particular, fairness is impossible, in general, in the two-party setting. (Although complete fairness turns out to be possible for some non-trivial functions, as discussed here.)

As such, there has been a significant amount of work trying to achieve partial fairness. I won’t survey all this work here; instead, I will just note that (1) several papers on the topic don’t give any formal definition of what they are trying to achieve; (2) a few papers give definitions that are either ad-hoc, or are not very easy to understand (to put it mildly); (3) protocols suggested in many of the papers have significant drawbacks.

Expanding a little on this last point, one line of work has studied protocols guaranteeing something of the following form: at any point in the protocol, the computational efforts required by each party to recover their output are within a constant factor of each other. While at first appealing, one severe drawback of this approach is that it leaves ambiguous what the honest party is supposed to do in case of an abort! If the honest party always tries to recover its output, then it can be forced to run for exponential time. On the other hand, if there is some cut-off round before which point the honest party does not invest the time to recover its output, then the adversary can always abort the protocol just before that point.

In a recent paper by Dov Gordon and myself, we suggest for the first time a simulation-based definition of partial fairness within the standard real/ideal world paradigm. (A slightly outdated version of our paper is available here.) Our definition is as follows: we take the usual ideal-world model (used when defining secure computation with complete fairness) and require that the real-world execution of the protocol and this ideal world be indistinguishable up to to an additive distance of (for some specified polynomial ). We refer to this notion as “-security”. Note that -security is technically incomparable to (but intuitively more appealing than) the standard approach (“security with abort”), which weakens the ideal model to one where fairness is not guaranteed at all but requires full-fledged computational indistinguishability (with respect to this weaker ideal model). Also, although the definition of -security allows privacy to be violated with probability , in fact all our protocols are completely private. (Some of them will also be secure with abort.)

In addition to introducing this new definition, we also completely settle the question of feasibility of partial fairness (with respect to this definition) in the two-party setting. Namely, we show:

Positive results:
Let be a (randomized) functionality, where player 1 provides input and receives output , and player 2 provides input and receives output .

As long as one of is polynomial-size, then for any polynomial there is a protocol computing that is both -secure and secure-with-abort.
As long as one of is polynomial-size, then for any polynomial there is a protocol computing that is -secure.

Negative results:
Our negative results show that the above are optimal:

There is a (deterministic) function where each of have super-polynomial size, such that there is no protocol computing that is both -secure and secure-with-abort.
There is a (deterministic) function where each of have super-polynomial size, such that there is no protocol computing that is -secure.

Open questions:

This line of work (continuing the earlier work on complete fairness) is among my favorites of the things I’ve worked on recently. Fairness is a natural and basic problem that we still don’t fully understand; questions in the area are easily accessible, yet resolving these questions is difficult and seems to require new techniques. Several compelling questions remain; here are some of my favorites:

Partial fairness in the multi-party setting is wide open. The only positive results I am aware of (besides those functions for which complete fairness is possible) are for coin tossing, and the only negative results I know about are those that can be derived as extensions of the impossibility results from the two-party case.
Determining the exact round complexity of protocols achieving fairness or partial fairness seems interesting — not just in its own right, but because I suspect it will shed light on the issue of fairness itself. The round complexity of partially fair, two-party coin tossing was recently resolved by Moran, Naor, and Segev; other than that, the question is completely open.