
Re: [Cfrg] Re: AES-based hash function



> [...] (You can possibly make 
> some provable constructions in the "perfect cipher model", but this is 
> an exceedingly unrealistic model.)

I think it's quite clear that no hash function from block cipher could
be secure under the PRP assumption, since it requires a secret key
chosen uniformly at random.  However, Black, Rogaway and Shrimpton
have done the most compelling theoretical work I've seen on
collision-resistant hash functions, among their work in this space
being proof of security in the ideal cipher model for the traditional
"hash from cipher" constructs, such as Davies-Meyer.

Now, I do agree the ideal cipher model is unrealistic in that, while
we're assuming AES is an ideal cipher, it clearly cannot be one.
While we could postulate more satisfying theoretical results, the
ideal cipher model seems like the best assurance we're going to get
for this kind of construct any time soon.  

Relying on the ideal cipher model for assurance is similar to relying
on the random oracle model for assurance.  There are systems provably
secure in that model that have no secure instantiation when the oracle
is replaced with a real function.  We know that, yet in practice, it
seems to serve us reasonably well.

> Just to be blunt, I don't see why constructing hash functions from block 
> ciphers is any easier (or more secure) than constructing them from scratch.

I think that anything that moves away from the MD4 family of
constructs is good, at least in the sense of giving us diversity, if
one approach turns out to be fundamentally bad.

And, it seems reasonable that breaking the construct in practice is
going to point to some fundamental worry in AES's ability to do its
job.  I personally feel much more confident that AES has been subject
to extensive peer review.  Considering the dearth of results against
dedicated OWHFs over the years, I think it's clear that we're far
better at designing block ciphers.  And, even if we don't have the
best possible hash-from-cipher construct right now, I think many
people find it more comfortable than the alternative, at least.

John
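
The Davies-Meyer "hash from cipher" construct mentioned above, instantiated with AES-128 and chained Merkle-Damgard style, as an added illustration that is not part of the original post or any CFRG draft. The all-zero IV and the padding rule are assumptions chosen for the example; the 128-bit output is only what one AES block gives, so this demonstrates the construct, not a production-strength hash.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

const blockSize = 16 // AES block size; each message block also serves as an AES-128 key

// daviesMeyer computes h' = E_m(h) XOR h: the message block m is the cipher
// key and the chaining value h is the plaintext.
func daviesMeyer(h, m []byte) []byte {
	c, err := aes.NewCipher(m) // m must be exactly 16 bytes
	if err != nil {
		panic(err)
	}
	out := make([]byte, blockSize)
	c.Encrypt(out, h)
	for i := range out {
		out[i] ^= h[i]
	}
	return out
}

// pad applies Merkle-Damgard strengthening (an assumed rule for this example):
// append 0x80, zero bytes, then the message length in bits as a 64-bit
// big-endian integer, so the result is a multiple of 16 bytes.
func pad(msg []byte) []byte {
	bitLen := uint64(len(msg)) * 8
	p := append([]byte{}, msg...)
	p = append(p, 0x80)
	for len(p)%blockSize != 8 {
		p = append(p, 0)
	}
	var lenBytes [8]byte
	binary.BigEndian.PutUint64(lenBytes[:], bitLen)
	return append(p, lenBytes[:]...)
}

// Hash chains daviesMeyer over the padded message from a fixed IV.
func Hash(msg []byte) []byte {
	h := make([]byte, blockSize) // IV: all-zero block (a constructed choice)
	p := pad(msg)
	for i := 0; i < len(p); i += blockSize {
		h = daviesMeyer(h, p[i:i+blockSize])
	}
	return h
}

func main() {
	fmt.Println(hex.EncodeToString(Hash([]byte("abc"))))
}
```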

_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg