secure hash modes for rijndael

Steven M. Bellovin smb at research.att.com
Mon Apr 2 17:11:45 EDT 2001


In message <20010402111524.B13595 at hyena.skygate.co.uk>, Pete Chown writes:

>On the subject of these hash functions...  I looked at some benchmark
>figures and SHA-256 is not substantially faster than Rijndael-256 with
>Davies-Meyer.  I wonder why there was so much energy put into the AES
>process, and then SHA-256 was given to us by the NSA with no public
>review, almost as an afterthought.
>
>

I asked some NIST folks that question.  Their answer was that they 
didn't have the resources to run two large, public efforts 
simultaneously.  Hash functions induce much less public paranoia than 
do encryption algorithms; few people think that NSA wants to forge 
hashes.

The reason for SHA-256 is to provide O(2^128) security, comparable to 
that of AES.  SHA-384 and SHA-512 are complements to the longer key 
lengths available with AES.  There's going to be a revised digital 
signature standard coming soon, partly to match the new hash functions 
and partly because of Bleichenbacher's attack on DSA.


		--Steve Bellovin, http://www.research.att.com/~smb
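
The 2^128 figure above is the birthday bound for a 256-bit digest. As an added example (not part of the original message), the sketch below measures that bound empirically on SHA-256 truncated to a few bits; the function names and the label-plus-counter message format are assumptions made for illustration.

```python
import hashlib
from statistics import mean


def truncated_sha256(msg: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256(msg), as an integer."""
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return digest >> (256 - bits)


def first_collision(bits: int, label: bytes):
    """Hash label||counter until two inputs share a truncated digest.

    Returns (msg_a, msg_b, hashes_computed). By pigeonhole this ends
    after at most 2**bits + 1 hashes; the birthday bound predicts
    roughly 1.25 * 2**(bits/2).
    """
    seen = {}
    counter = 0
    while True:
        msg = label + counter.to_bytes(8, "big")  # constructed input
        tag = truncated_sha256(msg, bits)
        counter += 1
        if tag in seen:
            return seen[tag], msg, counter
        seen[tag] = msg


def average_work(bits: int, trials: int = 20) -> float:
    """Mean number of hashes to a collision over independent labels."""
    return mean(
        first_collision(bits, b"trial-%d:" % t)[2] for t in range(trials)
    )


if __name__ == "__main__":
    for bits in (16, 20, 24):
        print(f"{bits}-bit digest: ~2^{bits // 2} predicted, "
              f"{average_work(bits):.0f} hashes measured")
    # Same halving applied to the full-length digests named in the message.
    for digest_bits in (256, 384, 512):
        print(f"SHA-{digest_bits}: ~2^{digest_bits // 2} collision work")
```

The measured cost tracks 2^(n/2) rather than 2^n, which is why a 256-bit digest is the match for a 128-bit key.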





---------------------------------------------------------------------
The Cryptography Mailing List