First of all, let me start with a disclaimer that I do not write
this with the least tiniest bit of hostility or bitterness towards
the newsgroup. (really, I mean that!)

But I'm kind of wondering what is it with questions related to
programming with OpenSSL in this newsgroup? On several occasions
I have had the distinct impression that asking questions related
to OpenSSL in here is close to a monologue --- talking to myself
like the next crazy guy (ok, this was somewhat of a "comical
exaggeration")

Is OpenSSL programming *that* obscure that those questions go
unanswered because no-one in here knows for sure? Or is it
perhaps that those questions are somewhat off-topic? That would
surprise me a little, but if that was indeed the case, I would
like to know!

brief description. There is a finite abelian group (G, *) of order
\phi(n) for some n=pq. You are given random element P of G. The task is
to compute P^-1 (the inverse of P) using the oracle provided. The
oracle can be used to do multiplication and exponentiation in the
group. However the order of the group is secret (because factors of n
are unknown) so there is no easy way.

http://homepage.cs.latrobe.edu.au/asaxena/oracle.php

just to be clear, there is no prize money!

One can build a cryptographic hash function by starting from a ``good''
block cipher with the same output size and running it in one of the 12
Preneel-Govaerts-Vandewalle modes. The conventional wisdom is that this
is a robust design procedure: ``good'' is stronger than the conventional
indistinguishability notion for block ciphers, but it nevertheless seems
to be achieved by the standard cipher-design techniques.

In http://eprint.iacr.org/2006/467, Chang and Yung assert that this
procedure isn't robust and needs to be revised. At first glance, their
argument seems to boil down to the following:

(1) Differential and linear cryptanalysis don't depend on the choice
of AES constants, or on the mixing in the final AES round.

(2) Standard block-cipher cryptanalysis doesn't depend on the choice
of AES constants, or on the final mixing. (Proof: See #1.)

(3) Let's replace the AES constants by 0, and add a final mixing.
Standard block-cipher design could have produced this variant.
(Proof: See #2.)

(4) The resulting hash function allows collisions in time 2^49. Thus
standard block-cipher design can lead to a bad hash.

I've been trying to get a hold of Tom by email and other electronic
means the past few days.

Seems he's dropping off the internet because of he's getting death
threats and kiddie porn emailed to him (likely from people who read
this group and felt it would be 'funny' or 'righteous').

Just thought you all should be aware of the "quality" of people we're
dealing with here. When people reach a certain age, they realize there
are something thing you don't do because it could ruin a person for
life.
http://www.cbc.ca/world/story/2006/03/14/landslide-porn060314.html

I'm not one to defend Tom's often tactless posts to this group. But
there is chasm between that and what is happening to him now. Having
your feeling hurt or being insulted does not justify such actions.

JLC

dear all,

i'm sorry for my english, because i've never to studied english well.
i'm a newbie in cryptography.
i've read that cryptography can solve the problem for electronic
voting/election. and I think if we develop an application mobile
electronic voting with SMS, we must add cryptography in our
application. but that's not enough, there are so many problem with
implement secure election protocol to mobile application, in most via
SMS. I need the opinion and critics to my idea.
thanks....

Hi All,

When using AES / Rijndael with i.e. a 128-bit key this key is expanded
to 176 bytes. My question is: is it possible to just generate these 176
bytes, and use these 176 bytes as "the key" instead of the 128-bit key?

Something tells me that by doing this the security of the cipher is
affected. But I do not understand in what way. So my question could
also be stated as "what exactly does the key expanding algorithm in AES
do to the security of the entire AES algorithm?".

Many thanks in advance,
Regards,
Robert

Hi!
I have some question about Authentication of messages (MAC) that a not
understand.

If there is authentication tag built of AES and OMAC, and has a size
of, we say 16 bits, an adversary has a 1/2 ^16 of guess, and needs 2^15
messages to break the MAC, if we change the key used in the MAC before
every 2^14 messages. Is this secure? or is the probability of guessing
not OK