The Pure Crypto Project's Hash Function

Ian Grigg iang at systemics.com
Sun May 4 11:02:07 EDT 2003


Ralf Senderek wrote:

> So everything new must be bad, because it isn't "known to be .. secure"?

Close.  Let's put it this way.  RSA has been
subject to more cryptanalysis than pretty much
any other algorithm, ('cepting maybe DES and
Enigma) in the last century.  Give it another
decade and AES/Rijndael might join that select
list.

That's all based on the functions of encryption
and signing.  So when we say that RSA is good,
we say it on the basis of something like 25 (?)
years of aggressive analysis.  Not because we
can explain it.

(Indeed, I couldn't explain it to save my life.)

But, and here's the clanger:  there is relatively
little (possibly none) of that analysis directed
to RSA as digest algorithm.  So, no-one here is
going to say it is "secure" because there is no
analysis reporting how secure it is.

Now, in crypto, having no analysis is generally
a warning sign.  Having someone say "I know it
to be secure" is a red flag.  Someone saying
"it's better because I can explain it" makes no
sense to anyone, and when someone implies that it
is more secure because it is more explainable,
that's definitely proof that someone has ignored
the last couple of centuries of cryptographic
development.

And that, basically is the problem:  you are
ignoring the way things are done in the crypto
industry.  For that peccadillo, you'd better
have a really good reason.  And "easier to
explain" isn't it.  Lots of algorithms have
fallen with that sort of publicity shackled
around their necks.

As a postscript:  The guy who came up with RSA
also came up with the MDn series (MD1, MD2...
MD5).  SHA-x series is essentially based on the
MDn series, they are derivations of the same
process.  So, tuck that thought in the back of
your mind;  you are doing something that the
original guy didn't spend much time over.

-- 
iang
