[15985] in cryptography@c2.net mail archive
Re: More problems with hash functions
daemon@ATHENA.MIT.EDU (Jerrold Leichter)
Mon Aug 23 14:13:59 2004
X-Original-To: cryptography@metzdowd.com
Date: Mon, 23 Aug 2004 07:06:51 -0400 (EDT)
From: Jerrold Leichter <jerrold.leichter@smarts.com>
To: Hal Finney <hal@finney.org>
Cc: cryptography@metzdowd.com
In-Reply-To: <20040820184106.A115157E2B@finney.org>
It strikes me that Joux's attack relies on *two* features of current
constructions: The block-at-a-time structure, and the fact that the state
passed from block to block is the same size as the output state. Suppose we
did ciphertext chaining: For block i, the input to the compression function
is the compressed previous state and the xor of block i and block i-1. Then
I can no longer mix-and-match pairs of collisions to find new ones.
Am I missing some obvious generalization of Joux's attack?
(BTW, this is reminiscent of two very different things: (a) Rivest's work on
"all or nothing" package transforms; (b) the old trick in producing MACs by
using CBC and only sending *some* of the final encrypted value, to force an
attacker to guess the bits that weren't sent.)
-- Jerry
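The following is an added worked example, not part of the original mail or the thread, that builds Joux's multicollision against a deliberately tiny iterated hash and then reuses the same one-block collisions against the XOR-chained variant proposed above. The compression function (SHA-256 of state || block, truncated to 16 bits), the 16-bit block size, and the choice of 0 as the "previous block" for the first block are assumptions made here so that collisions can be found by brute force in milliseconds. The example shows that the chaining does not remove the mix-and-match property: because block i XOR block i-1 is an invertible function of block i once block i-1 is fixed, an attacker who finds k pairwise collisions on the chaining inputs simply back-solves the actual message blocks and still obtains 2^k distinct messages with one digest.

```python
import hashlib
from itertools import product

STATE_BITS = 16  # deliberately tiny state so collisions are cheap to find (constructed toy)
MASK = (1 << STATE_BITS) - 1

def compress(h, m):
    """Toy compression function (assumption): SHA-256 of (state || block),
    truncated to 16 bits. Only its small output size matters for the demo."""
    data = h.to_bytes(2, "big") + m.to_bytes(2, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:2], "big")

def md_hash(blocks, iv=0):
    """Plain block-at-a-time (Merkle-Damgard) iteration; the block count is fed
    in as a final block in the spirit of MD strengthening."""
    h = iv
    for m in blocks:
        h = compress(h, m)
    return compress(h, len(blocks) & MASK)

def chained_hash(blocks, iv=0):
    """The variant proposed in the mail: the compression function sees the
    previous state and (block i XOR block i-1). Block 0's predecessor is
    taken as 0 (assumption; the mail does not say)."""
    h = iv
    prev = 0
    for m in blocks:
        h = compress(h, m ^ prev)
        prev = m
    return compress(h, len(blocks) & MASK)

def find_collision(h):
    """Brute-force two distinct inputs x != x' with compress(h, x) == compress(h, x').
    Roughly 2^(STATE_BITS/2) trials on average for a random-looking function."""
    seen = {}
    for x in range(1 << STATE_BITS):
        out = compress(h, x)
        if out in seen:
            return seen[out], x
        seen[out] = x
    raise RuntimeError("no collision found; essentially impossible for a 16-bit output")

def joux_multicollision(k, iv=0):
    """Joux's construction: k successive one-block collisions, each found from
    the state both halves of the previous pair lead to. Returns the (x, x') pairs."""
    h = iv
    pairs = []
    for _ in range(k):
        a, b = find_collision(h)
        pairs.append((a, b))
        h = compress(h, a)  # compress(h, b) gives the same state
    return pairs

def md_messages(pairs):
    """All 2^k messages for the plain construction: mix and match the pairs."""
    return [list(choice) for choice in product(*pairs)]

def chained_messages(pairs):
    """The same pairs reused against the chained variant. The attacker chose the
    chaining inputs x_i; the real blocks follow as m_i = x_i XOR m_{i-1}."""
    msgs = []
    for choice in product(*pairs):
        blocks, prev = [], 0
        for x in choice:
            m = x ^ prev
            blocks.append(m)
            prev = m
        msgs.append(blocks)
    return msgs

def check(hash_fn, messages):
    """Return (number of distinct messages, number of distinct digests)."""
    distinct_msgs = {tuple(m) for m in messages}
    digests = {hash_fn(m) for m in messages}
    return len(distinct_msgs), len(digests)

if __name__ == "__main__":
    K = 4
    pairs = joux_multicollision(K)
    print("plain MD   (messages, digests):", check(md_hash, md_messages(pairs)))
    print("xor-chained(messages, digests):", check(chained_hash, chained_messages(pairs)))
```

Both lines print `(16, 1)`: sixteen distinct messages, one digest, for either construction. The cost to the attacker is unchanged, k collision searches on the compression function, which is exactly why the multicollision attack is considered a structural property of narrow-pipe iteration rather than of the particular chaining rule. What does change the picture is widening the state passed between blocks relative to the output (the second feature named in the mail), since then a single internal collision costs far more than a collision on the truncated output.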
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com