The Pure Crypto Project's Hash Function

John Kelsey kelsey.j at ix.netcom.com
Mon May 5 12:38:00 EDT 2003


At 03:07 PM 5/4/03 +0100, Pete Chown wrote:
>Eric Murray wrote:
>
>>SHA1 as a primitive can be used for other things like making a
>>symmetric encryption algorithm.  There have even been some research
>>papers published on the strength of SHA-MDC.
>
>The other option is to use Rijndael for encryption; you can then reuse
>the code in a Davies-Meyer hash function.  The nice thing about Rijndael
>is that it supports 256-bit blocks, so you get a 256-bit version of
>Davies-Meyer.  If you are doing 128-bit encryption, you may well want
>256-bit hash functions to avoid problems with the birthday "paradox".

You really might want to make sure it's seen some review in that oddball 
mode of operation, too.  If you want a Rijndael-related hash function, 
Whirlpool is probably your best bet.

...
>I wonder if there is an alternative way of verifying something like a 
>SHA-1 implementation.  First of all, you try to make sure that there are 
>no memory problems such as buffer overruns.  You then treat the algorithm 
>as a black box and try a few test vectors.  If it gets the test vectors 
>right, and it looks roughly like SHA-1, it's probably correct.  It would 
>be difficult to come up with an algorithm that is the same as SHA-1 for 
>nearly all inputs, has code which looks identical to SHA-1 on a casual 
>inspection, and can be made to leak something worthwhile if you know about 
>the bug.

I think you could arrange this for some algorithms, but not so easily for 
SHA1.  I know MARS (the IBM AES submission) had a complicated key schedule 
for which there were many fairly low-probability events.  I believe that 
just trying 10-15 keys wouldn't have been enough to fully test that key 
schedule.  (The key schedule generated values to be multiplied, and 
required no runs of more than 10 zeros or ones in the multiplying value.)

>Pete

--John Kelsey, kelsey.j at ix.netcom.com
PGP: FA48 3237 9AD5 30AC EEDD  BBC8 2A80 6948 4CAA F259
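The Davies-Meyer construction Pete describes above, written out as an added example (not code from either poster): the message block is the cipher key, the chaining value is the plaintext, and the feed-forward XOR makes each step one-way. It assumes Go's standard-library AES-256 in place of 256-bit-block Rijndael, so the chaining value and digest are only 128 bits, which is exactly the birthday-bound limitation the post wants the 256-bit block to avoid; the all-zero IV and the Merkle-Damgard padding are constructed choices.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
)

// Davies-Meyer: h' = E_m(h) XOR h, the message block acting as the cipher key.
// With AES-256 the key (message block) is 32 bytes and the block (chaining
// value, hence the digest) is 16 bytes; a 256-bit-block Rijndael would give 32.
const (
	keyLen   = 32
	blockLen = 16
)

func compress(h [blockLen]byte, m []byte) [blockLen]byte {
	c, err := aes.NewCipher(m) // m must be exactly keyLen bytes
	if err != nil {
		panic(err)
	}
	var out [blockLen]byte
	c.Encrypt(out[:], h[:])
	for i := range out {
		out[i] ^= h[i] // feed-forward: without it the step would be invertible
	}
	return out
}

// pad applies Merkle-Damgard strengthening: 0x80, zeros, 64-bit big-endian bit count.
func pad(msg []byte) []byte {
	p := append(append([]byte{}, msg...), 0x80)
	for len(p)%keyLen != keyLen-8 {
		p = append(p, 0)
	}
	var n [8]byte
	binary.BigEndian.PutUint64(n[:], uint64(len(msg))*8)
	return append(p, n[:]...)
}

// DaviesMeyerHash chains compress over the padded message from an all-zero IV (constructed choice).
func DaviesMeyerHash(msg []byte) [blockLen]byte {
	var h [blockLen]byte
	p := pad(msg)
	for i := 0; i < len(p); i += keyLen {
		h = compress(h, p[i:i+keyLen])
	}
	return h
}
```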



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com