[7907] in cryptography@c2.net mail archive
Re: AES as a hash function?
daemon@ATHENA.MIT.EDU (Paulo S. L. M. Barreto)
Tue Oct 3 11:41:17 2000
From: "Paulo S. L. M. Barreto" <paulo.barreto@terra.com.br>
To: Bram Cohen <bram@gawth.com>, cryptography@c2.net,
People who supposedly write code <coderpunks@toad.com>
Date: Mon, 2 Oct 2000 21:37:52 -0200
Content-Type: text/plain
In-Reply-To: <Pine.LNX.4.21.0010021552330.22701-100000@ultra.gawth.com>
MIME-Version: 1.0
Message-Id: <00100221430502.00392@anubis>
Content-Transfer-Encoding: 8bit
On Mon, 02 Oct 2000, Bram Cohen wrote:
> The announcement didn't mention Rijndael's applicability as a hash
> function. I think I remember mention in earlier AES documents that it
> should be resistant to 'related key attacks' and thus usable as a hash
> function in some specific mode, whose name I have forgotten.
Rijndael *is* resistant against related-key attacks. The 9-round attack by the
fishing team does not extend to more rounds (it is only applicable to 256-bit
keys, for which the specified number of rounds is 14).
I've touched the subject of hashing function modes of operation twice in the
NIST forum. One was months ago; the other was Saturday, as a comment to the
newly available paper by Helger Lipmaa and David Wagner on counter mode.
As for the hash size, remember that Rijndael supports 192-bit and 256-bit blocks
(though I don't know if NIST will keep this extension); using tandem
or abreast Davies-Meyer with these sizes gives 384-bit and 512-bit hashes.
Cheers,
Paulo.
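The tandem Davies-Meyer construction Paulo mentions, as an added worked example (not code from the thread): each compression step keys the cipher with one half of the chaining state concatenated with the message block, so a cipher with block size n and key size 2n yields a 2n-bit hash. Go's crypto/aes only offers the 128-bit block, so this uses AES-256 (128-bit block, 256-bit key) and produces a 256-bit digest rather than the 512-bit one the mail gets from Rijndael's 256-bit block; the Merkle-Damgard padding and the all-zero IV are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
)
const n = aes.BlockSize // 16-byte AES block; an AES-256 key is two such halves

// encrypt returns E_key(in); NewCipher cannot fail for the 32-byte keys used here.
func encrypt(key []byte, in [n]byte) (out [n]byte) {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	c.Encrypt(out[:], in[:])
	return out
}

// tandemDM is one tandem Davies-Meyer step on chaining pair (g, h) with block m:
//   w = E_{h||m}(g),  g' = g xor w,  h' = h xor E_{m||w}(h)   (AES-256: 32-byte key, 16-byte block)
func tandemDM(g, h, m [n]byte) (g2, h2 [n]byte) {
	w := encrypt(append(h[:], m[:]...), g) // key = h || m
	t := encrypt(append(m[:], w[:]...), h) // key = m || w
	for i := range w {
		g2[i] = g[i] ^ w[i]
		h2[i] = h[i] ^ t[i]
	}
	return g2, h2
}

// padMessage: Merkle-Damgard strengthening (0x80, zeros, 64-bit big-endian bit length).
func padMessage(msg []byte) []byte {
	padded := append(append([]byte{}, msg...), 0x80)
	for len(padded)%n != n-8 {
		padded = append(padded, 0)
	}
	var bitLen [8]byte
	binary.BigEndian.PutUint64(bitLen[:], uint64(len(msg))*8)
	return append(padded, bitLen[:]...)
}

// TandemDMHash iterates tandemDM from an all-zero IV (an arbitrary constant) and returns g || h.
func TandemDMHash(msg []byte) []byte {
	var g, h, m [n]byte
	padded := padMessage(msg)
	for off := 0; off < len(padded); off += n {
		copy(m[:], padded[off:off+n])
		g, h = tandemDM(g, h, m)
	}
	return append(g[:], h[:]...) // 32 bytes: a 256-bit digest
}
```

Without the length-strengthening in padMessage, an iterated block-cipher hash of this shape admits trivial extension-style collisions, which is why the padding is not optional.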