[16067] in cryptography@c2.net mail archive


Re: ?splints for broken hash functions

daemon@ATHENA.MIT.EDU (John Kelsey)
Wed Sep 1 12:52:55 2004

X-Original-To: cryptography@metzdowd.com
Date: Wed, 1 Sep 2004 10:37:10 -0400 (GMT-04:00)
From: John Kelsey <kelsey.j@ix.netcom.com>
Reply-To: John Kelsey <kelsey.j@ix.netcom.com>
To: Ivan Krstic <krstic@fas.harvard.edu>,
	Metzdowd Crypto <cryptography@metzdowd.com>

>From: Ivan Krstic <krstic@fas.harvard.edu>
>Sent: Aug 29, 2004 8:40 AM
>To: Metzdowd Crypto <cryptography@metzdowd.com>
>Subject: Re: ?splints for broken hash functions

>This is Schneier's and Ferguson's solution to then-known hash function 
>weaknesses in Practical Cryptography, Wiley Publishing, 2003:

>"We do not know of any literature about how to fix the hash functions, 
>but here is what we came up with when writing this book. ... Let h be 
>one of the hash functions mentioned above. Instead of m->h(m), we use 
>m->h(h(m) || m) as hash function. Effectively we put h(m) before the 
>message we are hashing. This ensures that the iterative hash 
>computations immediately depend on all the bits of the message, and no 
>partial-message or length extension attacks can work. ... 

I believe this falls to a generalization of the Joux attack, as well.  (Someone may have already noticed this.)  

a.  I build a 2^{80} multicollision on h(m) using Joux' attack, requiring 80*2^{80} work.  

b.  I now have 2^{80} different messages which are being hashed with the same IV.  I expect one pair of them to give me a collision.  

>Cheers,
>Ivan.

Comments?

--John
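Added worked example (not part of the archived message, and not code from Kelsey, Krstic, or Practical Cryptography): a toy Merkle-Damgard hash with a 16-bit chaining state stands in for the 160-bit h of the 2^{80} figures above, so steps (a) and (b) run in seconds. Step (a) builds a Joux multicollision from k successive block collisions (about k * 2^{n/2} compression calls, the analogue of 80 * 2^{80}); step (b) hashes every resulting m as h(h(m) || m) and finds a colliding pair by birthday among them. The compression function (truncated SHA-256), block size, IV and padding are all assumptions chosen for the toy.

```python
import hashlib
from itertools import product

# Toy Merkle-Damgard hash: 16-bit chaining state, 4-byte blocks (constructed
# parameters). The compression function is SHA-256 truncated to two bytes; it
# is a stand-in for the "h" of the quoted text, small enough to attack quickly.
STATE_BYTES = 2
BLOCK_BYTES = 4
IV = b"\x00\x00"


def compress(state: bytes, block: bytes) -> bytes:
    assert len(state) == STATE_BYTES and len(block) == BLOCK_BYTES
    return hashlib.sha256(state + block).digest()[:STATE_BYTES]


def pad(msg: bytes) -> bytes:
    """MD strengthening: 0x80, zero fill, then a 4-byte big-endian length."""
    padded = msg + b"\x80"
    while (len(padded) + 4) % BLOCK_BYTES:
        padded += b"\x00"
    return padded + len(msg).to_bytes(4, "big")


def h(msg: bytes) -> bytes:
    """Iterated hash: walk the padded blocks starting from IV."""
    data = pad(msg)
    state = IV
    for i in range(0, len(data), BLOCK_BYTES):
        state = compress(state, data[i:i + BLOCK_BYTES])
    return state


def h_wrapped(msg: bytes) -> bytes:
    """The Practical Cryptography construction: m -> h(h(m) || m)."""
    return h(h(msg) + msg)


def find_block_collision(state: bytes):
    """Birthday search for two distinct blocks with the same next state.
    Returns (b, b_prime, next_state, trials); about 2^(n/2) trials."""
    seen = {}
    counter = 0
    while True:
        block = counter.to_bytes(BLOCK_BYTES, "big")
        out = compress(state, block)
        if out in seen:
            return seen[out], block, out, counter + 1
        seen[out] = block
        counter += 1


def joux_multicollision(k: int):
    """Step (a): k successive block collisions, each from the chaining state
    the previous one produced, give 2^k messages with identical h() output
    for roughly k * 2^(n/2) work. Returns (pairs, total_trials)."""
    state = IV
    pairs = []
    trials = 0
    for _ in range(k):
        b, b_prime, state, t = find_block_collision(state)
        pairs.append((b, b_prime))
        trials += t
    return pairs, trials


def expand(pairs):
    """Enumerate all 2^k messages of the multicollision (same length, so the
    shared padding blocks keep their h() values equal)."""
    return [b"".join(choice) for choice in product(*pairs)]


def find_outer_collision(messages):
    """Step (b): every message shares h(m), so h(h(m) || m) differs only
    through m itself; with 2^k of them a birthday pair is expected on a
    16-bit output as soon as 2^k exceeds about 2^8."""
    seen = {}
    for m in messages:
        d = h_wrapped(m)
        if d in seen and seen[d] != m:
            return seen[d], m, d
        seen[d] = m
    return None


if __name__ == "__main__":
    pairs, trials = joux_multicollision(12)      # 2^12 = 4096 messages
    msgs = expand(pairs)
    print("inner h() values among messages:", len({h(m) for m in msgs}))
    print("compression calls for multicollision:", trials)
    m1, m2, d = find_outer_collision(msgs)
    print("h(h(m)||m) collision:", d.hex(), m1.hex(), m2.hex())
```

Scaled to a 160-bit state the same loop is the 80 block collisions of step (a); the wrapped hash then inherits no more than birthday security on the final 2^{80}-message set, which is why prefixing h(m) does not remove the multicollision problem.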

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
