Re: [Cfrg] Re: [saag] Bad day at the hash function factory
What Dan says is true in the case of modern MACs, but is not true for
the case of unkeyed hash functions built from a block cipher. There,
the best we have been able to do is prove security if the underlying
block cipher behaves like an ideal block cipher, much weaker than the
PRP assumption used in proving block-cipher-based MACs secure.

As Eric mentioned, modern hash functions can be viewed as block
ciphers in Davies-Meyer mode. There's a proof of security for
Davies-Meyer mode in the ideal cipher model, and yet the recent
cryptanalytic results due to Joux et al. really take advantage of
Davies-Meyer mode. That is not to say that Davies-Meyer with a
stronger underlying block cipher wouldn't be better (e.g., Whirlpool),
but it does suggest that it might be good to move to one of the other
modes with similar security proofs, one that doesn't use the data
being hashed as the block cipher key, such as Matyas-Meyer-Oseas.

This will slow down our hash functions, because the Davies-Meyer
approach essentially allows one to avoid key scheduling, and run fewer
iterations of the block cipher at the same time. But it seems far
more conservative.
John
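The two compression-function modes John contrasts, as an added worked example that is not part of the thread. Davies-Meyer computes H_i = E_{m_i}(H_{i-1}) xor H_{i-1}, so the data being hashed selects the cipher key; Matyas-Meyer-Oseas computes H_i = E_{H_{i-1}}(m_i) xor m_i, keyed by the chaining value. The code below runs both inside a Merkle-Damgard iteration and then shows one concrete consequence of letting the attacker pick the key: a Davies-Meyer fixed point (a chaining value h* with DM(h*, m) = h*) costs a single decryption, whereas the same search in MMO has no shortcut through the key. This fixed-point property is a standard fact about Davies-Meyer and is not being attributed here to any specific result the message cites. The block cipher is an assumption of the example: a tiny 64-bit Feistel network with SHA-256 as its round function, chosen only so that the code runs on the standard library; it stands in for AES or Whirlpool's W, and the mode code works unchanged with any invertible cipher whose key size equals its block size. All inputs are constructed.

```python
import hashlib
import os
import struct

# Toy stand-in cipher (assumption of this example, NOT a real primitive):
# 64-bit block, 64-bit key, 8-round Feistel with SHA-256 as round function.
BLOCK = 8
ROUNDS = 8


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_keys(key: bytes) -> list:
    # Toy key schedule: ROUNDS half-block subkeys derived from the key.
    return [hashlib.sha256(b"rk" + key + bytes([i])).digest()[:BLOCK // 2]
            for i in range(ROUNDS)]


def _f(rk: bytes, half: bytes) -> bytes:
    return hashlib.sha256(rk + half).digest()[:BLOCK // 2]


def toy_encrypt(key: bytes, block: bytes) -> bytes:
    assert len(key) == BLOCK and len(block) == BLOCK
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rk in _round_keys(key):
        l, r = r, xor(l, _f(rk, r))
    return l + r


def toy_decrypt(key: bytes, block: bytes) -> bytes:
    # Invertible to anyone holding the key: that is what Davies-Meyer exposes.
    assert len(key) == BLOCK and len(block) == BLOCK
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rk in reversed(_round_keys(key)):
        l, r = xor(r, _f(rk, l)), l
    return l + r


def davies_meyer(h: bytes, m: bytes) -> bytes:
    """H_i = E_{m_i}(H_{i-1}) xor H_{i-1}: the message block is the key."""
    return xor(toy_encrypt(m, h), h)


def matyas_meyer_oseas(h: bytes, m: bytes) -> bytes:
    """H_i = E_{g(H_{i-1})}(m_i) xor m_i: the chaining value is the key.
    Key and block sizes coincide in the toy cipher, so g is the identity."""
    return xor(toy_encrypt(h, m), m)


def iterate(compress, iv: bytes, blocks) -> bytes:
    h = iv
    for m in blocks:
        h = compress(h, m)
    return h


def md_hash(compress, iv: bytes, msg: bytes) -> bytes:
    """Merkle-Damgard: 0x80 pad, zero fill, 64-bit big-endian bit length."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((-len(padded) - 8) % BLOCK)
    padded += struct.pack(">Q", 8 * len(msg))
    return iterate(compress, iv, [padded[i:i + BLOCK]
                                  for i in range(0, len(padded), BLOCK)])


def dm_fixed_point(m: bytes) -> bytes:
    """For ANY attacker-chosen block m, h* = D_m(0) satisfies E_m(h*) = 0,
    hence E_m(h*) xor h* = h*: a Davies-Meyer fixed point for one decryption."""
    return toy_decrypt(m, bytes(BLOCK))


def dm_fixed_point_absorbs(m: bytes, repeats: int) -> bool:
    """Once the chain sits at h*, any number of copies of m leave it there."""
    h_star = dm_fixed_point(m)
    return iterate(davies_meyer, h_star, [m] * repeats) == h_star


def mmo_fixed_point_search(m: bytes, tries: int):
    """MMO keys the cipher with the chaining value, so a fixed point
    (E_h(m) xor m == h) can only be found by guessing h: ~2^64 work on the
    toy cipher, 2^n in general.  Returns a hit, or None (expected)."""
    for _ in range(tries):
        h = os.urandom(BLOCK)
        if matyas_meyer_oseas(h, m) == h:
            return h
    return None


if __name__ == "__main__":
    iv, msg, m = bytes.fromhex("0123456789abcdef"), b"constructed sample", b"BLOCK-01"
    print("DM :", md_hash(davies_meyer, iv, msg).hex())
    print("MMO:", md_hash(matyas_meyer_oseas, iv, msg).hex())
    print("DM fixed point holds over 5 repeats:", dm_fixed_point_absorbs(m, 5))
    print("MMO fixed point after 10000 tries:", mmo_fixed_point_search(m, 10000))
```

The asymmetry is the whole point of the suggestion to stop using the hashed data as the key: in Davies-Meyer the adversary controls the key and can run the cipher backwards, so a fixed point (the building block of expandable-message style second-preimage constructions) is free; in Matyas-Meyer-Oseas the only thing the adversary controls is the plaintext, and the key is whatever the chain produced, so the same property has to be found by search. Neither mode is "broken" in the ideal-cipher model; the difference lies in what a real cipher must resist in each case.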
On Mon, Nov 01, 2004 at 06:28:04AM -0000, D. J. Bernstein wrote:
> Eric Rescorla writes:
> > You can then demonstrate that the MAC/Hash is secure if the
> > encryption algorithm has a bunch of (somewhat idealized) properties.
>
> There's just one assumption needed for these proofs: namely, someone who
> doesn't know the key k can't distinguish AES_k from a uniform random
> permutation of the set of 16-byte strings. This was an explicit design
> criterion for AES.
>
> ---D. J. Bernstein, Associate Professor, Department of Mathematics,
> Statistics, and Computer Science, University of Illinois at Chicago
>
_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg