
RE: [Cfrg] Interim MAC function



It seems that the proposal was
MASH(m)=HMAC-SHA1(K=SHA1(m), M=m)
(i.e. HMAC-SHA1 with message m and key SHA1(m))

If we ignore the opad/ipad padding of HMAC and the length-encoding
padding of SHA1 this becomes something like
H(H(m)|H(H(m)|m))
(where | stands for concatenation and H is SHA1 with length padding omitted).
Up to some IV replacement and assuming m to be a multiple
of 512 bits one has that H(H(m)|m) is "close" to H(m|m).
In this case we get that MASH(m) can be "approximated" by
H(H(m)|H(m|m)).

For the latter to be considered collision resistant one needs to assume
that finding collisions between two messages m,m' and also between m|m
and m'|m' is difficult.  I would not count on it.

But then again this is only an approximation.

Hugo
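Added example (not part of the thread): the MASH(m) construction quoted above, computed once with the standard library's HMAC and once written out as nested SHA-1 calls, so the H(H(m)|H(H(m)|m)) shape the post reasons about is visible (the ipad/opad xors the post sets aside are kept here). Function names are my own.

```python
import hashlib
import hmac

BLOCK = 64  # SHA-1 block size in bytes (512 bits)


def mash(m: bytes) -> bytes:
    """MASH(m) = HMAC-SHA1(K=SHA1(m), M=m), exactly as proposed in the thread."""
    key = hashlib.sha1(m).digest()
    return hmac.new(key, m, hashlib.sha1).digest()


def mash_expanded(m: bytes) -> bytes:
    """Same value, written out as nested SHA-1 calls.

    HMAC-SHA1(K, M) = SHA1((K ^ opad) | SHA1((K ^ ipad) | M)); with K = SHA1(m)
    this is H(H(m)^opad | H(H(m)^ipad | m)), the structure the post approximates
    as H(H(m) | H(H(m) | m)) once the pads are ignored.
    """
    k = hashlib.sha1(m).digest().ljust(BLOCK, b"\x00")  # 20-byte key, zero-padded to one block
    ipad = bytes(b ^ 0x36 for b in k)
    opad = bytes(b ^ 0x5C for b in k)
    inner = hashlib.sha1(ipad + m).digest()       # inner hash: H((K ^ ipad) | m)
    return hashlib.sha1(opad + inner).digest()    # outer hash: H((K ^ opad) | inner)


def inner_blocks(m: bytes) -> list:
    """Return the 64-byte blocks fed to the inner SHA-1 (before SHA-1's own length padding).

    Block 0 is the padded key xor ipad; the remaining blocks are m itself, which is
    why the post treats the inner hash as H(m) computed from a replaced IV.
    """
    k = hashlib.sha1(m).digest().ljust(BLOCK, b"\x00")
    data = bytes(b ^ 0x36 for b in k) + m
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


if __name__ == "__main__":
    msg = b"A" * 128  # constructed sample: two full SHA-1 blocks, as the post assumes
    assert mash(msg) == mash_expanded(msg)
    print(mash(msg).hex())
    print(len(inner_blocks(msg)), "blocks into the inner SHA-1")
```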




_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg