[16084] in cryptography@c2.net mail archive


Re: ?splints for broken hash functions

daemon@ATHENA.MIT.EDU (Bill Stewart)
Mon Sep 6 16:34:00 2004

X-Original-To: cryptography@metzdowd.com
Date: Thu, 02 Sep 2004 00:54:55 -0700
To: cryptography@metzdowd.com
From: Bill Stewart <bill.stewart@pobox.com>
In-Reply-To: <41321F89.4090908@av8n.com>


>>how about this simpler construction?
>>   (IV1) -> B1 -> B2 -> B3 -> ... Bk -> H1
>>   (IV2) -> B1 -> B2 -> B3 -> ... Bk -> H2

This approach and the "cache Block 1 until the end" approach
are both special-case versions of "maintain more state" attacks.

This special case maintains 2*(size of hash output) bits of state.
The "cache block 1" case maintains
         (size of hash output) + (size of block 1) bits of state,
but doesn't change the (size of block 1) bits between cycles.
         (Also, if you're going to do that, could you maintain
         (hash(Block1)) bits between cycles instead of the raw bits?)

They both have some obvious simplicity to them,
but I'm not convinced that simplicity actually helps,
compared to other ways of getting more state.

Perhaps the effective state of the 2-IV version is
twice the size of the basic hash, perhaps it's less.
My intuition is that more mixing might be better,
and probably isn't worse, but I could easily be wrong.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
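The three constructions discussed above, as an added example that is not part of the original message or thread: a plain Merkle-Damgard chain, the quoted two-IV construction, the "cache block 1 until the end" construction, and Stewart's hash(Block1) variant, all expressed as instances of one generic "maintain more state" chain with a per-cycle state count. The compression function (SHA-256 over chaining value || block), the padding rule, the 64-byte block and 32-byte state sizes, the way the cached value is packed into the final block, and the IVs and sample message are all assumptions made here, not anything the thread specifies.

```python
import hashlib
import struct
from typing import Callable, List

# Constructed parameters (assumptions, not from the thread): a 64-byte message
# block and a 32-byte chaining value / hash output.
BLOCK = 64
N = 32


def compress(h: bytes, block: bytes) -> bytes:
    """Illustrative compression function f(h, m) = SHA-256(h || m).

    It only stands in for the compression function of whatever Merkle-Damgard
    hash is being splinted; the constructions below do not depend on it.
    """
    assert len(h) == N and len(block) == BLOCK
    return hashlib.sha256(h + block).digest()


def pad(msg: bytes) -> List[bytes]:
    """Merkle-Damgard strengthening: 0x80, zeros, 64-bit big-endian bit length."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((BLOCK - 8 - len(padded) % BLOCK) % BLOCK)
    padded += struct.pack(">Q", len(msg) * 8)
    return [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]


def md_hash(iv: bytes, msg: bytes) -> bytes:
    """Plain Merkle-Damgard chain: N bytes of state carried between cycles."""
    h = iv
    for b in pad(msg):
        h = compress(h, b)
    return h


def wide_state_md(iv: bytes, extra0, update: Callable, finalize: Callable,
                  msg: bytes) -> bytes:
    """Generic 'maintain more state' chain: the ordinary chaining value h plus
    an extra state value updated once per block and folded in at the end.
    Both constructions from the thread are special cases of this."""
    h, extra = iv, extra0
    for i, b in enumerate(pad(msg)):
        h = compress(h, b)
        extra = update(extra, b, i)
    return finalize(h, extra)


def two_iv_hash(iv1: bytes, iv2: bytes, msg: bytes) -> bytes:
    """Quoted construction: two chains with different IVs over the same blocks,
    output H1 || H2.  The extra state is the second chaining value (N bytes),
    so 2*N bytes are carried between cycles."""
    return wide_state_md(iv1, iv2,
                         update=lambda h2, b, i: compress(h2, b),
                         finalize=lambda h1, h2: h1 + h2,
                         msg=msg)


def cache_block1_hash(iv: bytes, msg: bytes) -> bytes:
    """'Cache block 1 until the end': the extra state is the raw first block,
    left unchanged every cycle (N + BLOCK bytes of state) and fed through the
    compression function once more at the end."""
    return wide_state_md(iv, None,
                         update=lambda cached, b, i: b if i == 0 else cached,
                         finalize=lambda h, block1: compress(h, block1),
                         msg=msg)


def cache_hashed_block1_hash(iv: bytes, msg: bytes) -> bytes:
    """Stewart's variant: cache f(IV, block 1) (N bytes) instead of the raw
    block, bringing the carried state back down to 2*N bytes.  Zero-padding
    the cached value into the final block is an assumption."""
    return wide_state_md(iv, None,
                         update=lambda c, b, i: compress(iv, b) if i == 0 else c,
                         finalize=lambda h, c: compress(h, c + b"\x00" * (BLOCK - N)),
                         msg=msg)


def state_bits_between_cycles() -> dict:
    """Bits carried from one cycle to the next, as counted in the message."""
    return {
        "plain_md": N * 8,
        "two_iv": 2 * N * 8,
        "cache_block1": (N + BLOCK) * 8,
        "cache_hashed_block1": 2 * N * 8,
    }


# Constructed IVs and sample input for a stand-alone run.
IV1 = hashlib.sha256(b"IV1").digest()
IV2 = hashlib.sha256(b"IV2").digest()

if __name__ == "__main__":
    msg = b"The quick brown fox jumps over the lazy dog" * 3  # several blocks
    print("two-IV         :", two_iv_hash(IV1, IV2, msg).hex())
    print("cache block 1  :", cache_block1_hash(IV1, msg).hex())
    print("cache f(IV,B1) :", cache_hashed_block1_hash(IV1, msg).hex())
    print("state bits     :", state_bits_between_cycles())
```

The `update` callbacks make the difference visible: the two-IV chain spends its extra state on a second chaining value that changes every cycle, whereas the cache-block-1 chain spends it on bytes that never change after the first cycle, which is the point of Stewart's question about caching f(IV, Block1) instead.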
