[Cfrg] Re: hash functions, stream ciphers (was: bad day...)
On Thu, 26 Aug 2004 10:32, "Hallam-Baker, Phillip" wrote:
> I would feel happier moving to a hash function based on AES encryption
I seriously doubt that this would be a good idea, given the vastly
different needs of collision resistance vs secrecy.
At present there seem to be significant developments in our
understanding of security for collision-resistant hash functions.
I would think that the best course of action in the near future is to
stick with what we know (SHA-1), and wait for the cryptanalysts to
digest and extend the latest developments.
> RC4 has been compromised by Shamir & co, but as a general rule I don't
> think any stream cipher should ever get a higher status than acceptable.
> A stream cipher always allows a person who has a plaintext and ciphertext
> corresponding to a key to encode or decode all messages with that key
> that are shorter or the same size. [...]
In essence, you're claiming that it is easier to misuse a stream cipher
than a block cipher. I'm interested whether others share the same view.
(We all know how easy it is to misuse stream ciphers, but on the other
hand it is also quite easy to misuse block ciphers.)
-- Shai
_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg
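
The keystream-reuse property described in the quoted paragraph, as an added example that is not part of the original message. The toy stream cipher (SHA-256 over key, nonce and counter) is an assumption standing in for any XOR-based stream cipher, and the key, nonces and messages are constructed; the last step shows that a unique per-message nonce removes the property.

```python
import hashlib

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy keystream generator (assumption, not RC4): SHA-256(key | nonce | counter)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, nonce: bytes, msg: bytes) -> bytes:
    """Encryption and decryption are the same operation for an XOR stream cipher."""
    return xor(msg, keystream(key, nonce, len(msg)))

def recover_keystream(known_pt: bytes, known_ct: bytes) -> bytes:
    """A known plaintext/ciphertext pair yields the keystream, never the key."""
    return xor(known_pt, known_ct)

def demo():
    key = b"constructed-demo-key"          # constructed sample key
    reused = b""                           # misuse: same (empty) nonce for every message

    p1 = b"PAY 0000100 TO ACCOUNT 12345678"   # message the observer already knows
    c1 = encrypt(key, reused, p1)
    p2 = b"meet at noon"                       # shorter message, same key and nonce
    c2 = encrypt(key, reused, p2)

    ks = recover_keystream(p1, c1)

    # Decode: any ciphertext no longer than the known pair is readable.
    read = xor(c2, ks)

    # Encode: a ciphertext built from the recovered keystream decrypts
    # correctly under the real key, so encryption alone gives no integrity.
    forged = xor(b"PAY 9999999", ks)
    forged_accepted = encrypt(key, reused, forged) == b"PAY 9999999"

    # Correct use: a unique nonce per message gives an unrelated keystream,
    # so the recovered keystream no longer decodes anything.
    c3 = encrypt(key, b"nonce-0002", p2)
    nonce_protects = xor(c3, ks) != p2

    return read, forged_accepted, nonce_protects

if __name__ == "__main__":
    print(demo())
```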