[8640] in cryptography@c2.net mail archive


Re: secure hash modes for rijndael

daemon@ATHENA.MIT.EDU (John Kelsey)
Thu Apr 5 10:19:46 2001

Message-Id: <4.1.20010403205041.00a05aa0@pop.ix.netcom.com>
Date: Tue, 03 Apr 2001 20:53:16 -0400
To: Pete Chown <Pete.Chown@skygate.co.uk>, coderpunks@toad.com,
	cryptography@wasabisystems.com
From: John Kelsey <kelsey.j@ix.netcom.com>
In-Reply-To: <20010403095346.B2123@hyena.skygate.co.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

At 09:53 AM 4/3/01 +0100, Pete Chown wrote:

...
>Given the amount of analysis that has gone into AES, I think this hash
>function probably has reasonable security.  Interestingly there have
>been far more successful attacks on hash functions than block ciphers.
>Damaging attacks have been found on both MD4 and MD5.  It might be
>that we could get better hash functions by using a block cipher rather
>than an MD4-style compression function.

Keep in mind, though, that it's much easier to attack a hash function than
a block cipher, because there's *nothing* unknown to the attacker in a hash
function.  And attacks that require, say, 2^{60} adaptive chosen inputs
against a hash function are more-or-less practical; similar attacks against
a block cipher are ridiculously academic.

>-- 
>Pete

--John Kelsey, kelsey.j@ix.netcom.com
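The block-cipher-based hash that the quoted paragraph has in mind, written out as an added example (not code from either correspondent): a Matyas-Meyer-Oseas compression function over AES-128 with Merkle-Damgard padding. The MMO construction, the all-zero IV and the Go implementation are choices made here, not specified on the page.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// mmoCompress is one Matyas-Meyer-Oseas step: H_i = E_{H_{i-1}}(M_i) XOR M_i.
// The chaining value is used as the AES-128 key (16 bytes, same as the block).
func mmoCompress(h, m []byte) []byte {
	c, _ := aes.NewCipher(h) // cannot fail: h is always a 16-byte key
	out := make([]byte, aes.BlockSize)
	c.Encrypt(out, m)
	for i := range out {
		out[i] ^= m[i]
	}
	return out
}

// mdPad appends 0x80, zero bytes, and the 64-bit big-endian bit length so the
// result is a whole number of blocks (Merkle-Damgard strengthening).
func mdPad(msg []byte) []byte {
	bitLen := uint64(len(msg)) * 8
	padded := append([]byte{}, msg...)
	padded = append(padded, 0x80)
	for len(padded)%aes.BlockSize != 8 {
		padded = append(padded, 0)
	}
	var lenBuf [8]byte
	binary.BigEndian.PutUint64(lenBuf[:], bitLen)
	return append(padded, lenBuf[:]...)
}

// MMOHash chains mmoCompress over the padded message from a fixed, public IV.
// Nothing here is secret, so a 128-bit output gives only ~2^64 birthday work.
func MMOHash(msg []byte) []byte {
	h := make([]byte, aes.BlockSize) // all-zero IV (constructed choice)
	padded := mdPad(msg)
	for off := 0; off < len(padded); off += aes.BlockSize {
		h = mmoCompress(h, padded[off:off+aes.BlockSize])
	}
	return h
}

func main() {
	fmt.Println(hex.EncodeToString(MMOHash([]byte("abc"))))
}
```

Because every input to the compression function is attacker-controlled, the whole chain can be run forward by anyone, which is exactly why collision and chosen-input attacks on such a hash cost far less than the equivalent attack on AES used as a cipher with a secret key.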



