
Re: [Cfrg] Re: AES-based hash function



On Sat, Sep 04, 2004 at 10:53:23PM -0400, Shai Halevi wrote:
> On Saturday, 4 Sep 2004 10:39:53, John Viega wrote:
> 
> > I don't see how the properties needed for using a block cipher in
> > a hashing mode are any different than ones we find desirable for
> > encryption.  
> 
> That's exactly my point, that I don't believe this to be true. 
> The kind of attacks and considerations that you have in mind when 
> designing a block cipher are not very relevant to the security of 
> the result when used to build a hash function. 


Unless people are going to start designing OWHFs that can't be
expressed based on a block cipher, I think it's worth knowing what
properties a block cipher should have, specific to this issue. That
is, I don't see a good methodology for designing cryptographic one-way
hash functions anywhere, particularly beyond "build a block cipher
that seems to resist related-key attacks, and use that".

Right now, as far as I can tell, the only path to any sort of
theoretic assurance in these kinds of functions is going to rely on
somewhat unsatisfying models, and then trying to understand where the
model fails, and evaluating constructs relative to that.  If you don't
think that it offers you any assurance, I can understand that, and I
hope you take it as a challenge to come up with something better.

Anyway, the argument that you seemed to be making originally was that
there's no point in using AES in a hash function construct.  I think
my argument is that, given that the MD4 family of constructs all seem
to be built directly from block ciphers in the MMO hashing mode, it
would be nice to have a block cipher that we think is more likely to
do the job.

That's not to say that we necessarily have a good grasp on what the
job is.  Of course there couldn't be a weakness in AES that makes it
appropriate for everything except for hashing constructs. I agree with
you on that.  I hold little hope, though, that we will ever get to the
level of appeal that we have with the PRP assumption.

John

_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg
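The "MMO hashing mode" mentioned in the message above, written out as an added example (this is not code from the original message or from any CFRG participant): a Matyas-Meyer-Oseas compression function on AES-128, iterated Merkle-Damgard style with length-strengthening padding. The all-zero IV and the function names are choices made for this illustration; with AES-128 the 128-bit chaining value is used directly as the next block's key, so no separate key-derivation step is needed.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// blockSize is 16: for AES-128 the block width and the key width coincide,
// which is what lets the chaining value serve as the key in MMO.
const blockSize = aes.BlockSize

// mmoCompress is one Matyas-Meyer-Oseas step: H_i = E_{H_{i-1}}(m_i) XOR m_i.
// h is the previous chaining value (used as the AES key), m is a 16-byte message block.
func mmoCompress(h, m []byte) []byte {
	c, err := aes.NewCipher(h)
	if err != nil {
		panic(err) // only fails if len(h) is not a valid AES key length
	}
	out := make([]byte, blockSize)
	c.Encrypt(out, m)
	for i := range out {
		out[i] ^= m[i] // the feed-forward XOR is what makes the step one-way
	}
	return out
}

// pad applies Merkle-Damgard strengthening: a 0x80 byte, zeros, then the
// message length in bits as a 64-bit big-endian integer in the last 8 bytes.
func pad(msg []byte) []byte {
	bitLen := uint64(len(msg)) * 8
	padded := append([]byte{}, msg...)
	padded = append(padded, 0x80)
	for len(padded)%blockSize != blockSize-8 {
		padded = append(padded, 0)
	}
	var lenBytes [8]byte
	binary.BigEndian.PutUint64(lenBytes[:], bitLen)
	return append(padded, lenBytes[:]...)
}

// mmoHash iterates the compression function over the padded message.
// The IV is an all-zero block; that choice is an assumption of this example.
func mmoHash(msg []byte) []byte {
	h := make([]byte, blockSize)
	padded := pad(msg)
	for i := 0; i < len(padded); i += blockSize {
		h = mmoCompress(h, padded[i:i+blockSize])
	}
	return h
}

// mmoHashHex is a convenience wrapper returning the digest as hex.
func mmoHashHex(msg []byte) string {
	return hex.EncodeToString(mmoHash(msg))
}

func main() {
	// Constructed inputs for demonstration; the single-block case uses the
	// FIPS-197 AES-128 test vector as chaining value and message block.
	h0, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f")
	m, _ := hex.DecodeString("00112233445566778899aabbccddeeff")
	fmt.Println("compress:", hex.EncodeToString(mmoCompress(h0, m)))
	fmt.Println("hash(abc):", mmoHashHex([]byte("abc")))
	fmt.Println("hash(abd):", mmoHashHex([]byte("abd")))
}
```

Two things to keep in mind when reading this: the single-block output can be checked by hand against the FIPS-197 AES-128 known-answer vector (ciphertext XOR plaintext), and the digest is only 128 bits wide, so generic birthday collisions cost about 2^64 work regardless of how good AES is; a block cipher with a 128-bit block cannot give a collision-resistant hash of the size people expect from SHA-256 without a double-block-length construction.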