secure hash modes for rijndael

Pete Chown Pete.Chown at
Mon Apr 2 06:15:24 EDT 2001

Paulo S. L. M. Barreto wrote:

> There are many hash constructions based on block ciphers with the same block
> and key length; most are insecure. Matyas-Meyer-Oseas, Davies-Meyer, and
> Miyaguchi-Preneel are three of the few so far unbroken constructions. See
> either Schneier's "Applied Cryptography" or Menezes et al.'s "Handbook of
> Applied Cryptography" for details.

According to the HAC those three have provable security, subject of
course to any weaknesses in the underlying block cipher.  Of course
this may make them sound better than they are.  It is possible that
the cipher may be less secure in this mode than in one of its more
usual encryption modes.

> As always, any new scheme should undergo intense cryptanalysis for reasonably
> long before being actually deployed.

The snag is that it is going to be hard to get any significant review
of this scheme.  If current schemes offer provable security with the
same hash rate, no one is going to be interested in a new one.

On the subject of these hash functions...  I looked at some benchmark
figures and SHA-256 is not substantially faster than Rijndael-256 with
Davies-Meyer.  I wonder why there was so much energy put into the AES
process, and then SHA-256 was given to us by the NSA with no public
review, almost as an afterthought.

I'm not saying that SHA-256 is deliberately broken.  If that was what
the NSA wanted, they would go for a broken AES, not a broken hash.  In
fact, I'm just wondering what is going on, because SHA-256 seems like a
bit of a waste of time.

Do the NSA know something about Rijndael-256 that we don't?  Also, do
they know something about SHA-1 that we don't?  This might explain why
the new revision is so much slower...
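The three constructions quoted above, as an added example that is not part of this thread (hypothetical code): it builds each compression function from a block cipher whose key and block lengths match, chains them over whole blocks, and shows the textbook caveat that Davies-Meyer has easily found fixed points. It assumes AES-128 in place of Rijndael-256 (the Go standard library has only the 128-bit-block AES), the identity for the key transform g of MMO and MP, an all-zero IV, and it leaves out Merkle-Damgard padding.

```go
package main

import (
	"crypto/aes"
	"fmt"
)

const blockSize = 16 // AES-128: block length equals key length, as these three modes require
// e is one block-cipher call E_key(in); AES-128 stands in for Rijndael-256 here. Keys and blocks are always blockSize bytes by construction, so NewCipher cannot fail.
func e(key, in []byte) []byte {
	c, _ := aes.NewCipher(key)
	out := make([]byte, blockSize)
	c.Encrypt(out, in)
	return out
}

func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// The three compression functions; h is the previous chaining value, m the message block.
func daviesMeyer(h, m []byte) []byte      { return xor(e(m, h), h) }         // E_m(h) ^ h
func matyasMeyerOseas(h, m []byte) []byte { return xor(e(h, m), m) }         // E_h(m) ^ m
func miyaguchiPreneel(h, m []byte) []byte { return xor(xor(e(h, m), m), h) } // E_h(m) ^ m ^ h

// iterate chains compress over whole blocks from an all-zero IV; Merkle-Damgard padding is left out, so the input must already be a multiple of blockSize.
func iterate(compress func(h, m []byte) []byte, blocks []byte) []byte {
	h := make([]byte, blockSize)
	for ; len(blocks) >= blockSize; blocks = blocks[blockSize:] {
		h = compress(h, blocks[:blockSize])
	}
	return h
}

// daviesMeyerFixedPoint returns h = D_m(0): then E_m(h) = 0, so daviesMeyer(h, m) == h for
// any m, the textbook caveat that the security proof does not rule out easy fixed points.
func daviesMeyerFixedPoint(m []byte) []byte {
	c, _ := aes.NewCipher(m)
	h := make([]byte, blockSize)
	c.Decrypt(h, make([]byte, blockSize))
	return h
}

func main() {
	msg := []byte("constructed 32-byte input block!") // constructed input, exactly two blocks
	fmt.Printf("DM  %x\nMMO %x\nMP  %x\n", iterate(daviesMeyer, msg), iterate(matyasMeyerOseas, msg), iterate(miyaguchiPreneel, msg))
}
```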
