More problems with hash functions

Jerrold Leichter jerrold.leichter at
Mon Aug 23 07:06:51 EDT 2004

It strikes me that Joux's attack relies on *two* features of current
constructions:  The block-at-a-time structure, and the fact that the state
passed from block to block is the same size as the output state.  Suppose we
did ciphertext chaining:  For block i, the input to the compression function
is the compressed previous state and the xor of block i and block i-1.  Then
I can no longer mix-and-match pairs of collisions to find new ones.

Am I missing some obvious generalization of Joux's attack?

(BTW, this is reminiscent of two very different things:  (a) Rivest's work on
"all or nothing" package transforms; (b) the old trick in producing MACs by
using CBC and only sending *some* of the final encrypted value, to force an
attacker to guess the bits that weren't sent.)

							-- Jerry
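An added Python example (not from Jerry's post): a constructed 16-bit toy compression function, the plain block-at-a-time iteration, and the XOR-chained variant proposed above, with Joux's per-stage collisions found against each stage's state. Picking one member of each colliding pair gives 2^k messages that all collide under the plain iteration, while the same raw choices no longer collide under the chained variant; re-encoding each choice as m_i = d_i XOR m_{i-1} hands the compression function the chosen inputs again. The compression function, IV and 16-bit block size are constructed for the demonstration.

```python
import hashlib
from itertools import accumulate, product

IV = 0x1234  # constructed IV for the toy hash

def compress(state, block):
    # Constructed toy compression function: 16-bit state, 16-bit block,
    # truncated SHA-256 so stage collisions are cheap to find by brute force.
    data = state.to_bytes(2, "big") + block.to_bytes(2, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:2], "big")

def md_hash(blocks):
    """Plain block-at-a-time iteration: only the state carries over."""
    h = IV
    for m in blocks:
        h = compress(h, m)
    return h

def chained_hash(blocks):
    """Variant from the post: compression input is block i XOR block i-1 (block -1 = 0)."""
    h, prev = IV, 0
    for m in blocks:
        h = compress(h, m ^ prev)
        prev = m
    return h

def find_collision(state):
    """Birthday search for d != d2 with compress(state, d) == compress(state, d2)."""
    seen = {}
    for d in range(1 << 16):
        out = compress(state, d)
        if out in seen:
            return seen[out], d
        seen[out] = d
    raise RuntimeError("compress(state, .) is a permutation")  # effectively impossible

def joux_pairs(k):
    """Joux: one collision per stage, found against the state the previous stage left."""
    pairs, h = [], IV
    for _ in range(k):
        d, d2 = find_collision(h)
        pairs.append((d, d2))
        h = compress(h, d)  # compress(h, d2) gives the same state, so the chain continues either way
    return pairs

def mix_and_match(pairs):
    """All 2**k messages made by picking one member of each stage's colliding pair."""
    return [list(choice) for choice in product(*pairs)]

def blocks_from_diffs(diffs):
    """Undo the chaining: m_i = d_i XOR m_{i-1}, so chained_hash feeds exactly diffs to compress."""
    return list(accumulate(diffs, lambda a, b: a ^ b))
```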

The Cryptography Mailing List