secure hash modes for rijndael

Bram Cohen bram at
Fri Mar 30 23:12:56 EST 2001

On Fri, 30 Mar 2001 sao19677 at wrote:

> Why not use tandem or abreast Davies-Meyer, as
> it is done with IDEA? These modes are designed for
> block ciphers whose key length is twice the block
> length -- certainly the case for AES-256 -- and
> generate hashes with twice the block length.

The one I gave has the same hash rate as those and uses plain old AES-128.

> I'm resisting the temptation to say that they were
> also more thoroughly analyzed (this should be the
> case because they are long known by now, but I'm not
> aware of any such analysis).

There doesn't appear to have been much study of how to construct secure
hash functions using block ciphers - Applied Cryptography mostly has a
list of things it tells you not to use.

> I have asked NIST's Jim Foti about this issue some
> time ago. Maybe it's a good idea to submit a public
> comment for NIST's modes of operation process, just
> in case...

I'd love to do that, but don't know how - is it possible to do without an
academic affiliation?

-Bram Cohen

