
[Cfrg] Re: AES-based hash function

Date: Wed, 1 Sep 2004 18:33:09 -0400
From: John Viega <viega at securesoftware.com>
Subject: AES-based hash function

> Recent events have made it painfully clear to several people that, while there are no real disasters in our immediate future, the crypto community is nowhere near as good at collision-resistant one-way hash function design as it is block cipher design.
>
> We even know how to turn a block cipher into a hash function. [...]

No, we don't. In fact, from a purely theoretical point of view, it is unlikely that there are "black box constructions" of collision-resistant hash functions from secure block ciphers (cf. Dan Simon's paper from Eurocrypt'98).


What this means is that any "black box construction" (including MDC-2 and MDC-4) must use properties of the underlying block cipher well beyond just "being a secure block cipher". Everyone is vaguely aware of the fact that you need resistance to some variants of key-related attacks, but I don't know of any good way of characterizing exactly what are the added properties that you really need. (You can possibly make some provable constructions in the "perfect cipher model", but this is an exceedingly unrealistic model.)

Just to be blunt, I don't see why constructing hash functions from block ciphers is any easier (or more secure) than constructing them from scratch.

-- Shai
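An added illustration of the point made above (not code from either poster): a Davies-Meyer hash built from a cipher that is a perfectly good single-key PRP but has one related-key quirk collides trivially. It uses Go's standard-library AES; `weakKeyEnc` and the two messages are constructed for this example only.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"fmt"
)

// daviesMeyer: H_i = E_{m_i}(H_{i-1}) XOR H_{i-1}, cipher keyed by each 16-byte message block, zero IV.
func daviesMeyer(enc func(key, in []byte) []byte, blocks [][]byte) []byte {
	h := make([]byte, 16)
	for _, m := range blocks {
		c := enc(m, h)
		for i := range h {
			h[i] ^= c[i]
		}
	}
	return h
}

// aesEnc is unmodified AES-128 used as the underlying block cipher.
func aesEnc(key, in []byte) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, 16)
	c.Encrypt(out, in)
	return out
}

// weakKeyEnc is a hypothetical cipher that drops the lowest key bit before calling AES: under any
// single fixed key it is exactly an AES-128 permutation, yet keys k and k XOR 1 select the same one.
func weakKeyEnc(key, in []byte) []byte {
	k := make([]byte, 16)
	copy(k, key)
	k[15] &^= 1
	return aesEnc(k, in)
}

// collides hashes two constructed two-block messages differing only in the low bit of block 2.
func collides(enc func(key, in []byte) []byte) bool {
	m1 := [][]byte{bytes.Repeat([]byte{0x41}, 16), bytes.Repeat([]byte{0x42}, 16)}
	m2 := [][]byte{m1[0], append(bytes.Repeat([]byte{0x42}, 15), 0x43)}
	return bytes.Equal(daviesMeyer(enc, m1), daviesMeyer(enc, m2))
}

func main() {
	fmt.Println("AES D-M collides:", collides(aesEnc), "weak-key D-M collides:", collides(weakKeyEnc))
}
```

Against a chosen-plaintext distinguisher with one fixed key the two ciphers are indistinguishable in strength, which is exactly why single-key PRP security cannot be the property a hash-mode proof relies on.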


_______________________________________________ Cfrg mailing list Cfrg at ietf.org https://www1.ietf.org/mailman/listinfo/cfrg