secure hash modes for rijndael
Steven M. Bellovin
smb at research.att.com
Mon Apr 2 17:11:45 EDT 2001
In message <20010402111524.B13595 at hyena.skygate.co.uk>, Pete Chown writes:
>On the subject of these hash functions... I looked at some benchmark
>figures and SHA-256 is not substantially faster than Rijndael-256 with
>Davies-Meyer. I wonder why there was so much energy put into the AES
>process, and then SHA-256 was given to us by the NSA with no public
>review, almost as an afterthought.
>

I asked some NIST folks that question. Their answer was that they
didn't have the resources to run two large, public efforts
simultaneously. Hash functions induce much less public paranoia than
do encryption algorithms; few people think that NSA wants to forge
hashes.

The reason for SHA-256 is to provide O(2^128) security, comparable to
that of AES. SHA-384 and SHA-512 are complements to the longer key
lengths available with AES. There's going to be a revised digital
signature standard coming soon, partly to match the new hash functions
and partly because of Bleichenbacher's attack on DSA.

--Steve Bellovin, http://www.research.att.com/~smb
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com