
Re: [Cfrg] Re: AES-based hash function

John Viega wrote on 09/04/2004 10:39:53 AM:

> On Fri, Sep 03, 2004 at 10:29:44AM -0400, Daniel Brown wrote:
>
> [...]
>
> > Therefore to use AES to build a suitable collision resistant hash function
> > would require a different kind of construction.  (Btw, I'm no expert on
> > this - such constructions may already be known ...)
>
> As I said in my original mail on this topic, there are two constructs
> for converting a block cipher into a hash function that is twice the
> block length of the cipher, MDC-2 and MDC-4.  MDC-2 for use with DES

Sorry: I completely missed your original point that MDC-2 and MDC-4 were length-doubling cipher-to-hash constructions.  I just now looked at the HAC (S. 9.4) to learn about them.

What is the security risk of MDC-2 that the extra ciphering in MDC-4 is meant to avoid?

>
> But, neither of these constructs is AES, which is now readily
> available in most environments, including hardware implementations.
> Plus, it is well-vetted as-is.

I agree.

>
> By the way, the Rijndael-based hash that was proposed to NIST used
> Davies-Meyer, which, of the Preneel family of constructs, is the most
> worrisome if there are related key attacks, since the keying in
> Davies-Meyer is taken from the string being hashed directly.  In other

As far as I can tell, SHA-1 and the SHA-2 functions use the Davies-Meyer construction, not the MMO. Do your concerns with DM apply to them, or am I missing something (again)?

>
> I don't see how the properties needed for using a block cipher in a
> hashing mode are any different than ones we find desirable for
> encryption.  Particularly, we know that such constructs are secure if
> the cipher is an ideal cipher.  Therefore, the properties we would

Are you saying that security proofs are known for MDC-2 and MDC-4 in the ideal cipher model?  (The HAC mentions that DM, MMO, and MP are secure in the ideal cipher model, but I didn't find such a statement for length-doubling hashes like MDC-2 and MDC-4.)

Can such proofs be extended to length-quadrupling hash constructions, and so on to arbitrary length hash functions?

In the random oracle model (i.e. ideal hash model), isn't it possible to double any hash length? If H1 is random, then isn't H2 = (H1(0,M),H1(1,M)) also random? There must be some good reasons such a construction is not used.

        Dan
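Added example, not part of this thread or of any proposal it discusses: a Go program that builds the Davies-Meyer and Matyas-Meyer-Oseas single-block compression functions from AES-128, making concrete the point above that DM feeds the message block into the cipher's key input while MMO keys the cipher with the chaining value. The all-zero IV and the 0x80-then-zeros padding are constructed choices for the demo (no Merkle-Damgard length strengthening), and the function names are mine.

```go
package main

import (
	"crypto/aes"
	"fmt"
)

// encryptXor computes AES-128 E_key(data) XOR feedback; key, data and feedback are 16 bytes.
func encryptXor(key, data, feedback []byte) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, aes.BlockSize)
	c.Encrypt(out, data)
	for i := range out {
		out[i] ^= feedback[i]
	}
	return out
}

// DaviesMeyer: h_i = E_{m_i}(h_{i-1}) XOR h_{i-1}. The message block is the cipher KEY,
// so whoever chooses the message chooses the key-schedule input.
func DaviesMeyer(h, m []byte) []byte { return encryptXor(m, h, h) }

// MatyasMeyerOseas: h_i = E_{h_{i-1}}(m_i) XOR m_i. The chaining value is the key;
// the message block only enters the data path.
func MatyasMeyerOseas(h, m []byte) []byte { return encryptXor(h, m, m) }

// padMessage appends 0x80 then zeros up to a 16-byte boundary (constructed demo padding,
// not Merkle-Damgard length strengthening).
func padMessage(msg []byte) []byte {
	p := append(append([]byte{}, msg...), 0x80)
	return append(p, make([]byte, (aes.BlockSize-len(p)%aes.BlockSize)%aes.BlockSize)...)
}

// Hash chains one of the compression functions over the padded message from an all-zero IV.
func Hash(compress func(h, m []byte) []byte, msg []byte) []byte {
	h := make([]byte, aes.BlockSize) // IV = 0^128, a constructed choice
	for p := padMessage(msg); len(p) > 0; p = p[aes.BlockSize:] {
		h = compress(h, p[:aes.BlockSize])
	}
	return h
}

func main() {
	msg := []byte("constructed sample message") // 26 bytes -> 2 blocks after padding
	fmt.Printf("DM : %x\nMMO: %x\n", Hash(DaviesMeyer, msg), Hash(MatyasMeyerOseas, msg))
}
```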
_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg