[Cfrg] AES-based hash function
Recent events have made it painfully clear to several people that,
while there are no real disasters in our immediate future, the crypto
community is nowhere near as good at collision-resistant one-way hash
function design as it is at block cipher design.
We even know how to turn a block cipher into a hash function. The
Whirlpool function does exactly that, with a custom block cipher
modeled after AES, thus avoiding the low birthday bound if one were to
simply use AES.
It would be nice to have a solution that can leverage the great degree
of scrutiny AES has received, and Whirlpool does reasonably well there.
But, Whirlpool isn't AES, so hardware engineers can't benefit from the
availability of cheap AES hardware.
There are two known constructs for turning a cipher with n-bit blocks
into a collision-resistant OWHF, MDC-2 and MDC-4. MDC-2 is specified
for use with DES in ISO standard 10118-2, and is reasonably well
regarded... the best known attack is a preimage attack, with complexity
O(2^(3n/2)), where n is the block size of the underlying cipher.
Whether a good thing or bad, it's clear that intellectual property
issues can hinder adoption of crypto constructs. MDC-2 has made it
into a few real-world systems, but between SHA-1 and these IP issues,
it appears no one has gotten serious about using it with AES.
The IBM patent covering MDC-2 and MDC-4 expired last Saturday. I have
specified the use of MDC-2 with AES. Since MDC-2 generally evokes
thoughts of DES, I'm calling the instantiation AHASH.
I've placed the specification at
http://www.cryptobarn.com/papers/ahash.pdf. I'd appreciate review, and
it would be particularly nice for someone to validate my test vectors.
John
----
John Viega
CTO, Secure Software, Inc.
Secure Programming Cookbook: http://secureprogramming.com
Building Secure Software: http://buildingsecuresoftware.com
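The MDC-2 construction the post describes, instantiated with AES-128, as an added example in Go; it is neither the AHASH specification nor John's code. Because an AES-128 key is exactly one block long, the chaining values key the cipher directly without the key-bit fixing DES needs; the initial values and the padding below are constructed assumptions, not the spec's.

```go
package main

import (
	"crypto/aes"
	"fmt"
)

// An AES-128 key is one block long, so the chaining values G and H key the cipher directly.
const blockSize, half = aes.BlockSize, aes.BlockSize / 2

// Constructed initial chaining values for illustration only; they are not the AHASH spec's IVs.
var ivG = []byte{0x52, 0x52, 0x52, 0x52, 0x52, 0x52, 0x52, 0x52, 0x52, 0x52, 0x52, 0x52, 0x52, 0x52, 0x52, 0x52}
var ivH = []byte{0x25, 0x25, 0x25, 0x25, 0x25, 0x25, 0x25, 0x25, 0x25, 0x25, 0x25, 0x25, 0x25, 0x25, 0x25, 0x25}

// encXor returns E_key(m) XOR m, the one-way step MDC-2 applies twice per message block.
func encXor(key, m []byte) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // unreachable here: key is always exactly one block
	}
	out := make([]byte, blockSize)
	c.Encrypt(out, m)
	for i := range out {
		out[i] ^= m[i]
	}
	return out
}

// pad appends 0x80 and then zeros up to a block boundary (constructed padding, not the spec's).
func pad(msg []byte) []byte {
	p := append(append([]byte{}, msg...), 0x80)
	return append(p, make([]byte, (blockSize-len(p)%blockSize)%blockSize)...)
}

// MDC2AES hashes msg with the MDC-2 double-length construction over AES-128 and returns G_t || H_t (32 bytes).
func MDC2AES(msg []byte) []byte {
	g, h, data := ivG, ivH, pad(msg)
	for i := 0; i < len(data); i += blockSize {
		m := data[i : i+blockSize]
		v := encXor(g, m) // V_i = E_{G_{i-1}}(M_i) XOR M_i
		w := encXor(h, m) // W_i = E_{H_{i-1}}(M_i) XOR M_i
		g = append(append(make([]byte, 0, blockSize), v[:half]...), w[half:]...) // G_i = V_L || W_R
		h = append(append(make([]byte, 0, blockSize), w[:half]...), v[half:]...) // H_i = W_L || V_R
	}
	return append(append(make([]byte, 0, 2*blockSize), g...), h...)
}

func main() {
	fmt.Printf("%x\n", MDC2AES([]byte("abc")))
}
```

Because the IVs and padding are assumed, the digest will not match the spec's test vectors.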