Re: [Cfrg] Re: AES-based hash function
I've been told of the following reason that constructing a collision resistant hash function from AES is difficult: The Davies-Meyer construction turns a 128-bit block cipher like AES into a 128-bit hash function, which obviously offers only 64 bits of security against collision resistance, well below the 128 bits that we'd want for long-term security.

Therefore to use AES to build a suitable collision resistant hash function would require a different kind of construction. (Btw, I'm no expert on this - such constructions may already be known ...) That's true even if we assume that AES is an ideal 128-bit block cipher.

Building a collision resistant hash function with Davies-Meyer requires a larger sized block cipher. Although the only block size of Rijndael used in AES is 128 bits, Rijndael with a 256-bit block has been proposed to NIST for building a hash function: http://csrc.nist.gov/CryptoToolkit/modes/proposedmodes/aes-hash/aeshash.pdf

Finally, it is perhaps easier to build a block cipher with just the properties needed for hashing than to build one with the properties needed for both encryption and hashing, which may be yet another reason why different block ciphers have been used for encryption and hashing (in addition to the reasons of block size differences and key scheduling speed differences).

Dan
_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg
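
The birthday bound behind the 64-bit figure in the message above, as an added example that is not part of the original post: one Davies-Meyer compression step built on AES-128 from Go's standard library, with the output truncated to n bits so that a collision search finishes quickly. The all-zero IV, the counter-valued message blocks and the function names are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

// daviesMeyer is one Davies-Meyer compression step with AES-128:
// H' = E_m(H) XOR H, where the 16-byte message block m is used as the AES key.
func daviesMeyer(h, m [16]byte) [16]byte {
	c, err := aes.NewCipher(m[:])
	if err != nil {
		panic(err) // cannot happen: the key length is always 16 bytes
	}
	var out [16]byte
	c.Encrypt(out[:], h[:])
	for i := range out {
		out[i] ^= h[i]
	}
	return out
}

// findCollision hashes the constructed one-block messages 0, 1, 2, ... and
// returns the first two whose outputs agree on the leading `bits` bits
// (bits <= 64), plus the number of compression calls made.
func findCollision(bits uint, limit uint64) (a, b, calls uint64, ok bool) {
	var iv [16]byte // all-zero IV, an assumption of this example
	seen := make(map[uint64]uint64)
	for i := uint64(0); i < limit; i++ {
		var m [16]byte
		binary.BigEndian.PutUint64(m[8:], i)
		d := daviesMeyer(iv, m)
		t := binary.BigEndian.Uint64(d[:8]) >> (64 - bits)
		if j, hit := seen[t]; hit {
			return j, i, i + 1, true
		}
		seen[t] = i
	}
	return 0, 0, limit, false
}

func main() {
	for _, bits := range []uint{16, 24, 32} {
		a, b, calls, ok := findCollision(bits, 1<<22)
		fmt.Printf("n=%2d bits: collision=%v msgs=(%d,%d) calls=%d, 2^(n/2)=%d\n",
			bits, ok, a, b, calls, uint64(1)<<(bits/2))
	}
}
```

The number of calls grows with 2^(n/2) rather than 2^n; the same scaling at the full n = 128 gives the 2^64 work that the message calls 64 bits of security.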