John Kelsey kelsey.j at
Thu Aug 26 11:09:14 EDT 2004

>From: Ben Laurie <ben at>
>Sent: Aug 26, 2004 7:41 AM
>To: Amir Herzberg <herzbea at>
>Cc: "Perry E. Metzger" <perry at>, cryptography at
>Subject: Re: HMAC?

>Amir Herzberg wrote:

>> So, finding specific collisions in the hash function should not cause 
>> too much worry about its use in HMAC. Of course, if this would lead to 
>> finding many collisions easily, including to messages with random 
>> prefixes, this could be more worrying...

>Hmmm ... if you could persuade your victim to use a key that was known 
>to be a suitable prefix for finding collisions...

The big question is what the probability is of getting a successful
colliding message pair when you have complete control over the
message, but don't know the IV.  For repeated queries, you can know
it's always the *same* IV, if that helps, just not what it is.  I
don't think we can know that until we've seen the full explanation in
the Wang et al. paper, which hasn't been released yet.

--John Kelsey
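The point Kelsey and Laurie are circling, as an added example that is not part of the thread: inside HMAC the attacker's message is hashed not from the hash function's public IV but from the chaining value reached after absorbing K xor ipad, which is unknown without the key. The code below is a toy Merkle-Damgard hash (24-bit state, truncated SHA-256 as the compression function) with HMAC built on it exactly as RFC 2104 specifies; all names (`toy_hash`, `toy_hmac`, `birthday_collision`, `inner_chaining_value`) and the key value are constructed for this illustration. It shows three things: a birthday collision found against the public IV does collide in the bare hash, the same pair does not collide under HMAC with a secret key, and if the key is known the search can be aimed at the inner chaining value instead, which is what Laurie's "persuade your victim to use a known key" remark amounts to. It also checks that the same construction over real SHA-256 matches the standard library's `hmac`.

```python
"""Toy Merkle-Damgard hash plus RFC 2104 HMAC, to show why a collision
against the public IV of H does not carry over to HMAC with a secret key.
Constructed illustration, not code from the thread or any real library."""
import hashlib
import hmac
import struct

STATE_BYTES = 3                     # 24-bit chaining value: birthday work ~2^12
BLOCK_BYTES = 8                     # toy block size (MD5/SHA-1 use 64 bytes)
PUBLIC_IV = b"\x00" * STATE_BYTES   # the IV everyone knows


def compress(state: bytes, block: bytes) -> bytes:
    """Toy compression function: truncated SHA-256 of state || block.
    Only the iterated structure matters here, not the strength."""
    assert len(state) == STATE_BYTES and len(block) == BLOCK_BYTES
    return hashlib.sha256(state + block).digest()[:STATE_BYTES]


def md_pad(msg: bytes) -> bytes:
    """Merkle-Damgard strengthening: 0x80, zero fill, 4-byte bit length."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((-len(padded) - 4) % BLOCK_BYTES)
    return padded + struct.pack(">I", 8 * len(msg))


def toy_hash(msg: bytes, iv: bytes = PUBLIC_IV) -> bytes:
    """Iterate the compression function over the padded message from iv."""
    state = iv
    padded = md_pad(msg)
    for off in range(0, len(padded), BLOCK_BYTES):
        state = compress(state, padded[off:off + BLOCK_BYTES])
    return state


def _block_key(key: bytes) -> bytes:
    """RFC 2104 key preparation: hash keys longer than a block, zero-pad."""
    if len(key) > BLOCK_BYTES:
        key = toy_hash(key)
    return key.ljust(BLOCK_BYTES, b"\x00")


def toy_hmac(key: bytes, msg: bytes) -> bytes:
    """HMAC(K, M) = H((K xor opad) || H((K xor ipad) || M)) over the toy hash."""
    key = _block_key(key)
    ipad = bytes(k ^ 0x36 for k in key)
    opad = bytes(k ^ 0x5C for k in key)
    return toy_hash(opad + toy_hash(ipad + msg))


def inner_chaining_value(key: bytes) -> bytes:
    """Chaining value the inner hash reaches after absorbing K xor ipad.
    This is the effective 'IV' the message is hashed from inside HMAC;
    without the key it is unknown, which is Kelsey's point."""
    ipad = bytes(k ^ 0x36 for k in _block_key(key))
    return compress(PUBLIC_IV, ipad)


def birthday_collision(chaining_value: bytes):
    """Birthday-search two distinct single blocks whose compression from
    chaining_value agrees (~2^12 trials for a 24-bit state). Because both
    blocks have equal length, the shared padding block keeps them colliding
    in the full hash, but only when hashing starts from chaining_value."""
    seen = {}
    counter = 0
    while True:
        block = struct.pack(">Q", counter)   # exactly one block, all distinct
        out = compress(chaining_value, block)
        if out in seen:
            return seen[out], block
        seen[out] = block
        counter += 1


def rfc2104_hmac(key: bytes, msg: bytes, hashmod=hashlib.sha256) -> bytes:
    """The identical construction over a real hash, for comparison."""
    block = hashmod().block_size           # 64 for SHA-256
    if len(key) > block:
        key = hashmod(key).digest()
    key = key.ljust(block, b"\x00")
    ipad = bytes(k ^ 0x36 for k in key)
    opad = bytes(k ^ 0x5C for k in key)
    return hashmod(opad + hashmod(ipad + msg).digest()).digest()


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Sanity check that rfc2104_hmac agrees with hmac.new over SHA-256."""
    return rfc2104_hmac(key, msg) == hmac.new(key, msg, hashlib.sha256).digest()


if __name__ == "__main__":
    key = b"constructed-secret-key"        # constructed sample key
    m1, m2 = birthday_collision(PUBLIC_IV)
    print("bare hash collides:   ", toy_hash(m1) == toy_hash(m2))
    print("HMAC collides (key secret):", toy_hmac(key, m1) == toy_hmac(key, m2))
    k1, k2 = birthday_collision(inner_chaining_value(key))
    print("HMAC collides (key known): ", toy_hmac(key, k1) == toy_hmac(key, k2))
    print("rfc2104_hmac == hmac.new:", matches_stdlib(b"k", b"msg"))
```

The pair found against `PUBLIC_IV` collides in `toy_hash` but, with overwhelming probability, not in `toy_hmac`, because the compression step that has to collide now starts from `inner_chaining_value(key)`. Aiming the search at that value instead does produce an HMAC collision, which is why the security of HMAC against this kind of attack rests on the key (and hence the inner chaining value) staying secret, not on the hash being collision-free with a known IV.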

