Re: [Cfrg] Re: AES-based hash function
At 14:25 2004-09-02 -0400, Shai Halevi wrote:
Date: Wed, 1 Sep 2004 18:33:09 -0400
From: John Viega <viega at securesoftware.com>
Subject: AES-based hash function
Recent events have made it painfully clear to several people that, while
there are no real disasters in our immediate future, the crypto community
is nowhere near as good at collision-resistant one-way hash function
design as it is at block cipher design.
We even know how to turn a block cipher into a hash function. [...]
No, we don't. In fact, from a purely theoretical point of view, it is
unlikely that there are "black box constructions" of collision-resistant
hash functions from secure block ciphers (cf. Dan Simon's paper from
Eurocrypt'98).
What this means is that any "black box construction" (including MDC-2 and
MDC-4) must use properties of the underlying block cipher well beyond just
"being a secure block cipher". Everyone is vaguely aware of the fact that
you need resistance to some variants of key-related attacks, but I don't
know of any good way of characterizing exactly what are the added
properties that you really need. (You can possibly make some provable
constructions in the "perfect cipher model", but this is an exceedingly
unrealistic model.)
Just to be blunt, I don't see why constructing hash functions from block
ciphers is any easier (or more secure) than constructing them from scratch.
I second Shai. In fact, look at the structure of the things that were all
just broken... they *are* block ciphers, used in Merkle-Damgard mode. The
data is used as the key, the chaining variables are the block, and the data
expansion phase is just a key-scheduling operation. The only way they
differ from things like AES is that more emphasis was placed on fast key
scheduling, since it changes for every block.
Greg.
Greg Rose                    INTERNET: ggr at qualcomm.com
Qualcomm Australia           VOICE: +61-2-9817 4188   FAX: +61-2-9817 5199
Level 3, 230 Victoria Road   http://people.qualcomm.com/ggr/
Gladesville NSW 2111         232B EC8F 44C6 C853 D68F E107 E6BF CD2F 1081 A37C
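The structure Greg describes, written out as an added example (not code from the thread or any proposal in it): AES-256 as the compression step with the 32-byte message block as the key and the 16-byte chaining value as the plaintext, fed forward and iterated in Merkle-Damgard mode. The all-zero IV and the padding rule are assumptions chosen for illustration, and Shai's caveat applies: AES being a good cipher proves nothing about this construction's collision resistance.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Added illustration, not a vetted hash: a block cipher in Merkle-Damgard
// mode with the *message* as the key and the *chaining value* as the block,
// with feed-forward (Davies-Meyer): h' = E_m(h) XOR h.
const blockSize = 32 // AES-256 key length = one message block per key schedule
const stateSize = 16 // AES block length = the chaining variable

// compress is one step: key-schedule the message block, encrypt the state.
func compress(h [stateSize]byte, m []byte) [stateSize]byte {
	c, err := aes.NewCipher(m) // a 32-byte key selects AES-256
	if err != nil {
		panic(err)
	}
	var out [stateSize]byte
	c.Encrypt(out[:], h[:])
	for i := range out {
		out[i] ^= h[i] // without this XOR the step is invertible via Decrypt
	}
	return out
}

// pad appends 0x80, zeros, then the 64-bit big-endian bit length (MD strengthening).
func pad(msg []byte) []byte {
	p := append([]byte{}, msg...)
	p = append(p, 0x80)
	for len(p)%blockSize != blockSize-8 {
		p = append(p, 0)
	}
	var n [8]byte
	binary.BigEndian.PutUint64(n[:], uint64(len(msg))*8)
	return append(p, n[:]...)
}

// Hash iterates compress over the padded message from a fixed IV.
func Hash(msg []byte) [stateSize]byte {
	var h [stateSize]byte // all-zero IV, an arbitrary choice for the example
	for p := pad(msg); len(p) > 0; p = p[blockSize:] {
		h = compress(h, p[:blockSize])
	}
	return h
}
func main() {
	d := Hash([]byte("abc"))
	fmt.Println(hex.EncodeToString(d[:]))
}
```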
_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg