?splints for broken hash functions

Bill Stewart bill.stewart at pobox.com
Thu Sep 2 03:54:55 EDT 2004


>>how about this simpler construction?
>>   (IV1) -> B1 -> B2 -> B3 -> ... Bk -> H1
>>   (IV2) -> B1 -> B2 -> B3 -> ... Bk -> H2

This approach and the "cache Block 1 until the end" approach
are both special-case versions of "maintain more state" attacks.

This special case maintains 2*(size of hash output) bits of state.
The "cache block 1" case maintains
         (size of hash output) + (size of block 1) bits of state,
but doesn't change the (size of block 1) bits between cycles.
         (Also, if you're going to do that, could you maintain
         (hash(Block1)) bits between cycles instead of the raw bits?)

They both have some obvious simplicity to them,
but I'm not convinced that simplicity actually helps,
compared to other ways of getting more state.

Perhaps the effective state of the 2-IV version is
twice the size of the basic hash, perhaps it's less.
My intuition is that more mixing might be better,
and probably isn't worse, but I could easily be wrong.


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com