secure hash modes for rijndael

Paulo S. L. M. Barreto paulo.barreto at
Sat Mar 31 08:41:31 EST 2001

On Sat, 31 Mar 2001, Bram Cohen wrote:
> On Fri, 30 Mar 2001, Pete Chown wrote:
> > Bram Cohen wrote:
> > 
> > > It would be nice if there was an algorithm which used rijndael with 256
> > > bit blocks to produce a hash of 256 bits and had a hash rate of 1, but I
> > > haven't been able to come up with one.
> > 
> > Why not just use Matyas-Meyer-Oseas (or one of the variants) with
> > 256-bit keys and blocks?
> Uh, because I don't know them.
> The following might be equivalent to one of those - I just came up with it
> today.

There are many hash constructions based on block ciphers with the same block
and key length; most are insecure. Matyas-Meyer-Oseas, Davies-Meyer, and
Miyaguchi-Preneel are three of the few so far unbroken constructions. See
either Schneier's "Applied Cryptography" or  Menezes' et al. "Handbook of
Applied Cryptography" for details.

As always, any new scheme should undergo intense cryptanalysis for reasonably
long before being actually deployed. You could, of course, submit your proposal
to a crypto conference (or at least to the IACR e-Print archive) for peer

Paulo Barreto.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list