[16011] in cryptography@c2.net mail archive
Re: HMAC?
daemon@ATHENA.MIT.EDU (John Kelsey)
Thu Aug 26 11:43:58 2004
X-Original-To: cryptography@metzdowd.com
Date: Thu, 26 Aug 2004 11:09:14 -0400 (GMT-04:00)
From: John Kelsey <kelsey.j@ix.netcom.com>
Reply-To: John Kelsey <kelsey.j@ix.netcom.com>
To: Ben Laurie <ben@algroup.co.uk>,
Amir Herzberg <herzbea@macs.biu.ac.il>
Cc: "Perry E. Metzger" <perry@piermont.com>,
cryptography@metzdowd.com
>From: Ben Laurie <ben@algroup.co.uk>
>Sent: Aug 26, 2004 7:41 AM
>To: Amir Herzberg <herzbea@macs.biu.ac.il>
>Cc: "Perry E. Metzger" <perry@piermont.com>, cryptography@metzdowd.com
>Subject: Re: HMAC?
>Amir Herzberg wrote:
>> So, finding specific collisions in the hash function should not cause
>> too much worry about its use in HMAC. Of course, if this would lead to
>> finding many collisions easily, including to messages with random
>> prefixes, this could be more worrying...
>Hmmm ... if you could persuade your victim to use a key that was known
>to be a suitable prefix for finding collisions...
The big question is what the probability is of getting a successful
colliding message pair when you have complete control over the
message, but don't know the IV. For repeated queries, you can know
it's always the *same* IV, if that helps, just not what it is. I
don't think we can know that until we've seen the full explanation in
the Wang, et al. paper, which hasn't been released yet.
--John Kelsey
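Why the question of collisions under an unknown but fixed IV matters for HMAC, as an added worked example (this code is not from the thread or any of its participants): HMAC's inner hash processes (K xor ipad) as its first block, so every inner hash starts from the same secret chaining value, never revealed. If an attacker who only sees tags can find two messages whose inner chaining state collides under that hidden IV, any common suffix keeps the tags equal, which yields a forgery (the internal-collision attack on iterated MACs). The toy hash below uses a 24-bit chaining state so that the collision can be found by a birthday search in a few thousand queries; on a real n-bit hash that loop would cost about 2^(n/2), and it is exactly a cheaper, cryptanalytic collision finder working with an unknown IV that would replace it. All names (toy_hmac, md_hash, find_internal_collision, forge, the key and the suffixes) are assumptions for illustration.

```python
import hashlib
import struct

# Toy Merkle-Damgard hash (added example; not from the thread). The chaining
# state is only 24 bits so an attacker can find collisions by brute force in
# a few thousand queries, standing in for a cryptanalytic collision attack
# on a real hash. Everything else mirrors real HMAC: key-derived first
# block, MD-strengthening padding, ipad/opad from RFC 2104.
STATE_BYTES = 3
BLOCK_BYTES = 8
IV = b"\x01\x23\x45"


def compress(state: bytes, block: bytes) -> bytes:
    """Compression function: MD5 truncated to the toy state size (assumption)."""
    return hashlib.md5(state + block).digest()[:STATE_BYTES]


def pad(msg: bytes) -> bytes:
    """MD-strengthening: 0x80, zeros, then the bit length in 4 bytes."""
    padded = msg + b"\x80"
    while len(padded) % BLOCK_BYTES != BLOCK_BYTES - 4:
        padded += b"\x00"
    return padded + struct.pack(">I", len(msg) * 8)


def md_hash(msg: bytes, iv: bytes = IV) -> bytes:
    """Iterate the compression function over the padded message."""
    state = iv
    padded = pad(msg)
    for i in range(0, len(padded), BLOCK_BYTES):
        state = compress(state, padded[i:i + BLOCK_BYTES])
    return state


def toy_hmac(key: bytes, msg: bytes) -> bytes:
    """HMAC per RFC 2104 over the toy hash."""
    if len(key) > BLOCK_BYTES:
        key = md_hash(key)
    key = key.ljust(BLOCK_BYTES, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    # The inner hash takes (key ^ ipad) as its first block, so from the
    # attacker's view every inner hash starts from the same unknown IV,
    # compress(IV, ipad): fixed across queries but never revealed.
    inner = md_hash(ipad + msg)
    return md_hash(opad + inner)


def find_internal_collision(oracle, max_queries: int = 60000):
    """Birthday-search the tag oracle for two one-block messages whose inner
    chaining state collides. A tag collision alone is not enough (it may come
    from the outer hash or from the padding block), so each candidate pair is
    confirmed by checking that the collision survives a common suffix, which
    only an internal collision guarantees."""
    seen = {}
    probe = b"probe"
    for i in range(max_queries):
        m = i.to_bytes(BLOCK_BYTES, "big")  # exactly one block of message
        tag = oracle(m)
        other = seen.get(tag)
        if other is not None and oracle(other + probe) == oracle(m + probe):
            return other, m
        seen[tag] = m
    return None


def forge(oracle, m1: bytes, m2: bytes, suffix: bytes):
    """Given an internal collision (m1, m2), query the tag of m1||suffix and
    reuse it as a valid tag for the never-queried message m2||suffix."""
    return m2 + suffix, oracle(m1 + suffix)


def demo(key: bytes = b"secret!!"):
    """Run the attack end to end; returns (m1, m2, forged_msg, tag, accepted)."""
    oracle = lambda m: toy_hmac(key, m)  # attacker sees tags, never the key
    pair = find_internal_collision(oracle)
    if pair is None:
        return None
    m1, m2 = pair
    forged, tag = forge(oracle, m1, m2, b"; pay 1000")
    accepted = toy_hmac(key, forged) == tag  # the verifier's own check
    return m1, m2, forged, tag, accepted


if __name__ == "__main__":
    result = demo()
    print("forgery accepted:", result[-1] if result else "no collision found")
```

The probe step is the part worth noticing: with a 24-bit tag roughly two thirds of tag collisions come from the outer hash or the final padding block and are useless to the attacker, so the search keeps only pairs whose tags still agree after appending an arbitrary suffix. That is the operational form of Kelsey's question: not "can the tag collide" but "can the hidden inner chaining value be made to collide."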
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com