[8631] in cryptography@c2.net mail archive
Re: secure hash modes for rijndael
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Mon Apr 2 17:24:55 2001
From: "Steven M. Bellovin" <smb@research.att.com>
To: Pete Chown <Pete.Chown@skygate.co.uk>
Cc: cryptography@wasabisystems.com
Date: Mon, 02 Apr 2001 17:11:45 -0400
Message-Id: <20010402211145.600A335C42@berkshire.research.att.com>

In message <20010402111524.B13595@hyena.skygate.co.uk>, Pete Chown writes:
>On the subject of these hash functions... I looked at some benchmark
>figures and SHA-256 is not substantially faster than Rijndael-256 with
>Davies-Meyer. I wonder why there was so much energy put into the AES
>process, and then SHA-256 was given to us by the NSA with no public
>review, almost as an afterthought.

I asked some NIST folks that question. Their answer was that they
didn't have the resources to run two large, public efforts
simultaneously. Hash functions induce much less public paranoia than
do encryption algorithms; few people think that NSA wants to forge
hashes.

The reason for SHA-256 is to provide O(2^128) security, comparable to
that of AES. SHA-384 and SHA-512 are complements to the longer key
lengths available with AES. There's going to be a revised digital
signature standard coming soon, partly to match the new hash functions
and partly because of Bleichenbacher's attack on DSA.

--Steve Bellovin, http://www.research.att.com/~smb
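
The O(2^128) figure in the message above is the birthday bound for a 256-bit digest. As an added illustration (not part of the original message), the sketch below truncates SHA-256 to n bits and counts the hashes a generic collision search needs, which tracks about 2^(n/2); the truncation widths, seeds and function names are assumptions chosen for the demonstration.

```python
import hashlib
import math

def truncated_sha256(data: bytes, bits: int) -> int:
    """Return the top `bits` bits of SHA-256(data) as an integer."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)

def find_collision(bits: int, seed: bytes = b"constructed-seed-"):
    """Generic birthday search: hash distinct inputs until two of them
    share the same n-bit digest. Returns (msg_a, msg_b, hashes_computed)."""
    seen = {}  # truncated digest -> first message that produced it
    counter = 0
    while True:
        msg = seed + counter.to_bytes(8, "big")
        h = truncated_sha256(msg, bits)
        counter += 1
        if h in seen:
            return seen[h], msg, counter
        seen[h] = msg

def expected_hashes(bits: int) -> float:
    """Birthday estimate for an ideal n-bit hash: sqrt(pi/2 * 2^n)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)

def average_hashes(bits: int, runs: int = 40) -> float:
    """Mean search cost over several independent (constructed) seeds."""
    total = 0
    for r in range(runs):
        total += find_collision(bits, seed=b"run-%d-" % r)[2]
    return total / runs

if __name__ == "__main__":
    for bits in (16, 20, 24):
        print(f"n={bits:2d}  measured={average_hashes(bits):9.1f}  "
              f"estimate={expected_hashes(bits):9.1f}  2^(n/2)={2 ** (bits // 2)}")
    # Same scaling at full width: n=256 gives roughly 2^128 hashes,
    # the security level the message describes as comparable to AES.
```

Each extra two bits of digest doubles the measured cost, which is why the digest has to be twice as wide as the key whose strength it is meant to match.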