Re: [Cfrg] Interim MAC function



On Mar 16, 2005, at 16:29, Hallam-Baker, Phillip wrote:
> What I came up with was the MASH digest, (MAC and SHA) as follows:
>
> MASH (m) = HMAC (m, SHA (m))

Seems like it does make it a bit more challenging; even if you find m and m' colliding under plain SHA, in this case you've got two different sets of internal state you'd have to produce collisions for with one pair of messages, one starting with nothing, and one starting with SHA(m) XOR 0x3636.... Without knowing how the current collision-finding algorithm works, I couldn't begin to guess how much harder that makes it. (Well, other approaches might be possible, but that's the obvious one building on a simple break of SHA.)


I was under the impression that a lot of the strength of HMAC came from the secrecy of the key, in combination with the double-hash, but maybe I'm wrong. Haven't actually looked at the papers.

> I am not convinced that I want to go to SHA-256 until the cryptographers
> have given it some serious attention. At the moment everyone appears to be
> too busy stomping on the little pieces of SHA-1 to do that.

They're not that little yet, there's still more stomping to be done. :-)

> I would much
> rather hear a paper giving a credible estimate of the strength of SHA-256
> than yet another paper arguing whether SHA-1 is a really, really bad idea or
> a really, really, really bad idea.

I'd be interested in hearing the opinions specifically of the team that's been breaking all our other hash functions....


Ken


_______________________________________________ Cfrg mailing list Cfrg at ietf.org https://www1.ietf.org/mailman/listinfo/cfrg
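
Added example (not part of the original message): a Python sketch of the MASH construction discussed above, reading HMAC (m, SHA (m)) as HMAC-SHA-1 over message m keyed with SHA-1(m), which is an assumption about argument order and hash choice. It expands HMAC by hand per RFC 2104 to show the two passes over m, one from the standard initial state and one following the block SHA(m) XOR 0x36...; all function names are hypothetical.

```python
import hashlib
import hmac

BLOCK = 64  # SHA-1 input block size in bytes ("B" in RFC 2104)


def mash(m: bytes) -> bytes:
    """MASH(m), assumed to mean HMAC-SHA-1 over m with key SHA-1(m)."""
    key = hashlib.sha1(m).digest()
    return hmac.new(key, m, hashlib.sha1).digest()


def second_pass_first_block(m: bytes) -> bytes:
    """First 64-byte block hashed in the inner HMAC pass: key XOR ipad."""
    key = hashlib.sha1(m).digest()
    padded = key.ljust(BLOCK, b"\x00")  # 20-byte key zero-padded to 64 bytes
    return bytes(b ^ 0x36 for b in padded)


def mash_expanded(m: bytes) -> bytes:
    """Same value as mash(), built by hand to expose both passes over m."""
    key = hashlib.sha1(m).digest()  # pass 1: plain SHA-1 from the standard IV
    padded = key.ljust(BLOCK, b"\x00")
    opad_block = bytes(b ^ 0x5C for b in padded)
    # Pass 2: m is hashed again, but only after the compression function
    # has absorbed the block SHA(m) XOR 0x3636..., so it starts from a
    # different chaining value than pass 1.
    inner = hashlib.sha1(second_pass_first_block(m) + m).digest()
    return hashlib.sha1(opad_block + inner).digest()


if __name__ == "__main__":
    sample = b"constructed sample message"  # constructed input
    print("SHA-1(m)      :", hashlib.sha1(sample).hexdigest())
    print("MASH(m)       :", mash(sample).hex())
    print("hand-expanded :", mash_expanded(sample).hex())
    # No secret is involved: the key is derived from m itself, so anyone
    # holding m can recompute MASH(m). It acts as a digest, not a MAC.
```
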