[147596] in cryptography@c2.net mail archive


[Cryptography] Other Backdoors?

daemon@ATHENA.MIT.EDU (Phillip Hallam-Baker)
Thu Oct 10 15:21:40 2013

X-Original-To: cryptography@metzdowd.com
Date: Thu, 10 Oct 2013 13:29:08 -0400
From: Phillip Hallam-Baker <hallam@gmail.com>
To: "cryptography@metzdowd.com" <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

I sarcastically proposed the use of GOST as an alternative to NIST crypto.
Someone shot back a note saying the elliptic curves might be 'bent'.

Might be interesting for EC to take another look at GOST since it might be
the case that the GRU and the NSA both found a similar backdoor but one was
better at hiding it than the other.


On the NIST side, can anyone explain the reason for this mechanism for
truncating SHA512?

Denote H(0)′ to be the initial hash value of SHA-512 as specified in Section 5.3.5
above.
Denote H(0)′′ to be the initial hash value computed below.
H(0) is the IV for SHA-512/t.
For i = 0 to 7
{
Hi(0)′′ = Hi(0)′ ⊕ a5a5a5a5a5a5a5a5 (in hex).
}

H(0) = SHA-512 (“SHA-512/t”) using H(0)′′ as the IV, where t is the specific
truncation value.
(end.)

[Can't link to FIPS180-4 right now as it's down]

I really don't like the futzing with the IV like that, not least because a
lot of implementations don't give access to the IV. Certainly the object
oriented ones I tend to use don't.

But does it make the scheme weaker?

Is there anything wrong with just truncating the output?

The only advantage I can see to the idea is to stop the truncated digest
being used as leverage to reveal the full digest in a scheme where one was
public and the other was not.


-- 
Website: http://hallambaker.com/
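
As an added example (not code from the post, nor from FIPS 180-4 or any hashlib), the Python below rebuilds SHA-512 with the IV exposed, derives the SHA-512/t IV exactly as the quoted text describes (XOR H(0)′ with a5a5a5a5a5a5a5a5, then hash the string "SHA-512/t" from that state), and puts the result beside plain truncation of a standard SHA-512 digest. It assumes Python 3.8+ (for `math.isqrt` and `:=`); the names `sha512_with_iv`, `sha512_t_iv`, `sha512_t` and `plain_truncation` are chosen here, and the IV and round constants are regenerated from prime roots as the standard defines them rather than copied in.

```python
import hashlib
import math
import struct

MASK = (1 << 64) - 1
# FIPS 180-4 defines the IV and round constants as fractional bits of roots of the first primes;
# regenerating them keeps this added example self-contained (nothing here is from the post).
_P = [p for p in range(2, 500) if all(p % d for d in range(2, p))][:80]

def _icbrt(n):  # exact floor(n ** (1/3)) by integer Newton iteration from an overestimate
    x = 1 << ((n.bit_length() + 2) // 3)
    while (y := (2 * x + n // (x * x)) // 3) < x:
        x = y
    return x

IV_SHA512 = [math.isqrt(p << 128) & MASK for p in _P[:8]]  # H(0)' in the quoted text
K = [_icbrt(p << 192) & MASK for p in _P]  # the 80 round constants

def _rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK

def _compress(h, block):  # one 128-byte block into the eight-word state h
    w = list(struct.unpack(">16Q", block))
    for t in range(16, 80):
        s0 = _rotr(w[t - 15], 1) ^ _rotr(w[t - 15], 8) ^ (w[t - 15] >> 7)
        s1 = _rotr(w[t - 2], 19) ^ _rotr(w[t - 2], 61) ^ (w[t - 2] >> 6)
        w.append((w[t - 16] + s0 + w[t - 7] + s1) & MASK)
    a, b, c, d, e, f, g, hh = h
    for t in range(80):
        t1 = (hh + (_rotr(e, 14) ^ _rotr(e, 18) ^ _rotr(e, 41)) + ((e & f) ^ (~e & g)) + K[t] + w[t]) & MASK
        t2 = ((_rotr(a, 28) ^ _rotr(a, 34) ^ _rotr(a, 39)) + ((a & b) ^ (a & c) ^ (b & c))) & MASK
        a, b, c, d, e, f, g, hh = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
    return [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e, f, g, hh))]

def sha512_with_iv(msg, iv):  # SHA-512 from an explicit IV: the access the post notes most APIs lack
    padded = msg + b"\x80" + b"\x00" * ((111 - len(msg)) % 128) + struct.pack(">QQ", 0, 8 * len(msg))
    h = list(iv)
    for i in range(0, len(padded), 128):
        h = _compress(h, padded[i:i + 128])
    return h

def sha512_t_iv(t):  # FIPS 180-4 5.3.6: H(0)'' = H(0)' xor a5..a5, then SHA-512("SHA-512/t") from H(0)''
    h_dd = [x ^ 0xA5A5A5A5A5A5A5A5 for x in IV_SHA512]
    return sha512_with_iv(("SHA-512/%d" % t).encode(), h_dd)

def sha512_t(msg, t):  # SHA-512/t proper: SHA-512 from the derived IV, keep the leftmost t bits
    return struct.pack(">8Q", *sha512_with_iv(msg, sha512_t_iv(t)))[: t // 8]

def plain_truncation(msg, t):  # the alternative the post asks about: cut standard SHA-512 short
    return hashlib.sha512(msg).digest()[: t // 8]
```

With the standard IV the rebuilt function matches hashlib's SHA-512, and `sha512_t_iv(256)` reproduces the SHA-512/256 initial values printed in FIPS 180-4; `plain_truncation` returns a literal prefix of the full SHA-512 digest, while `sha512_t` of the same message shares no bytes with it, which is the separation between the two digests the post's last paragraph is pointing at.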

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography