secure hash modes for rijndael
John Kelsey
kelsey.j at ix.netcom.com
Tue Apr 3 20:53:16 EDT 2001
At 09:53 AM 4/3/01 +0100, Pete Chown wrote:
...
>Given the amount of analysis that has gone into AES, I think this hash
>function probably has reasonable security. Interestingly there have
>been far more successful attacks on hash functions than block ciphers.
>Damaging attacks have been found on both MD4 and MD5. It might be
>that we could get better hash functions by using a block cipher rather
>than an MD4-style compression function.
Keep in mind, though, that it's much easier to attack a hash function than
a block cipher, because there's *nothing* unknown to the attacker in a hash
function. And attacks that require, say, 2^{60} adaptive chosen inputs
against a hash function are more-or-less practical; similar attacks against
a block cipher are ridiculously academic.
>--
>Pete
--John Kelsey, kelsey.j at ix.netcom.com
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
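The asymmetry described in the reply above, as an added example that is not part of the original message: the same chosen-input search is run once against a public hash (all work done locally) and once against a keyed primitive (every input needs the key holder). The 24-bit truncation, the HMAC stand-in for a keyed cipher, and all names are assumptions made so the demo runs in well under a second.

```python
import hashlib
import hmac
import os

BITS = 24  # constructed toy output size; real digests are far wider

def truncate(digest: bytes, bits: int = BITS) -> int:
    """Keep the top `bits` bits of a digest as an integer."""
    return int.from_bytes(digest, "big") >> (len(digest) * 8 - bits)

def public_hash(msg: bytes) -> int:
    """Unkeyed function: anyone can evaluate it, nothing is hidden."""
    return truncate(hashlib.sha256(msg).digest())

class KeyedOracle:
    """Stand-in for a primitive under a secret key (assumption: HMAC, not a cipher).
    Only the key holder can evaluate it, so each chosen input is one query."""
    def __init__(self) -> None:
        self._key = os.urandom(16)
        self.queries = 0

    def query(self, msg: bytes) -> int:
        self.queries += 1
        return truncate(hmac.new(self._key, msg, hashlib.sha256).digest())

def birthday_search(evaluate):
    """Return (m1, m2, evaluations) where evaluate(m1) == evaluate(m2), m1 != m2."""
    seen = {}
    count = 0
    while True:
        msg = count.to_bytes(8, "big")
        count += 1
        out = evaluate(msg)
        if out in seen:
            return seen[out], msg, count
        seen[out] = msg

def compare() -> dict:
    """Run the same search in both settings and report where the work landed."""
    m1, m2, offline_evals = birthday_search(public_hash)
    oracle = KeyedOracle()
    birthday_search(oracle.query)
    return {"collision": (m1, m2),
            "offline_evals": offline_evals,          # attacker's own CPU only
            "key_holder_queries": oracle.queries}    # work the key holder must do

if __name__ == "__main__":
    print(compare())
```

Both searches cost roughly 2^(BITS/2) evaluations; the difference is that the second count is work the key holder has to perform and can rate-limit or log.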