Time for new hash standard

John Kelsey kelsey.j at ix.netcom.com
Wed Sep 22 10:08:42 EDT 2004


>From: Ian Farquhar <ianf at dreamscape.com.au>
>Sent: Sep 20, 2004 10:14 PM
>To: "Hal Finney" <hal at finney.org>, cryptography at metzdowd.com, nelson at crynwr.com
>Subject: Re: Time for new hash standard

>At 05:43 AM 21/09/2004, Hal Finney wrote:
>>I believe this is a MAC, despite the name.  It seems to be easier to
>>create secure MACs than secure hash functions, perhaps because there are
>>no secrets in a hash, while in a MAC there is a secret key that makes
>>the attacker's job harder.

>Interestingly, a crypto-specialist from DSD (Australian NSA-equivalent) 
>said exactly this to me in 1997-1998.  He called them "strange" functions 
>to design. I subsequently asked if they - which in the context meant the 
>tier one UKUSA agencies - had many hash functions developed for classified 
>uses.  He indicated that they had quite a few MAC-style keyed functions, 
>but not many unkeyed hashes.

Note that in the open world, there are very nice security proofs for existing MACs based on combining universal hashing with strong crypto components (such as block ciphers).  I gather that the classified world isn't as enamored of security proofs as we are, but it's pretty easy to see that it's harder to find a colliding pair of messages when you don't know the internal state, for almost any nontrivial function.  Even if you're doing a differential attack on the function, you can choose message blocks to make sure that your differential clears some rounds with probability one, and you get to do all your trial hashes offline, on your own equipment, rather than online on your intended victim's equipment.  

>Ian. 

--John


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
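The "universal hashing plus a strong crypto component" construction Kelsey refers to is the Wegman-Carter MAC. The following is an added example written for this page, not code from the post or from any of its participants: a polynomial universal hash over the field mod 2^127 - 1 (a prime chosen here for convenience; real designs such as Poly1305 use 2^130 - 5), with its output masked by a PRF applied to a nonce. HMAC-SHA256 stands in for the block cipher the post mentions, purely as an assumption to keep the example stdlib-only; the 15-byte block size and the 0x01 padding byte are likewise choices made for this example. The `collision_rate` function lets you check empirically what the proof says: two distinct messages collide under a random key with probability at most L/P, where L is the block count, which is why withholding the key from the attacker is what makes the construction hard to attack.

```python
import hmac
import hashlib
import secrets

# Field prime for the polynomial hash (constructed choice for this example).
P = (1 << 127) - 1
BLOCK = 15  # bytes per block; a padded block is < 2^121, so it is a valid field element


def _blocks(msg: bytes):
    """Split msg into 15-byte chunks and append a 0x01 byte to each chunk.

    The position of that byte encodes the chunk length, so distinct messages
    (including messages of different lengths) always yield distinct coefficient
    sequences; this is what makes the hash injective before keying.
    """
    for i in range(0, len(msg), BLOCK):
        yield int.from_bytes(msg[i:i + BLOCK] + b"\x01", "little")
    if len(msg) % BLOCK == 0:  # empty message or exact multiple of BLOCK
        yield 1  # a lone padding byte


def poly_hash(k1: int, msg: bytes) -> int:
    """Polynomial-evaluation universal hash: h = sum b_i * k1^(L-i+1) mod P.

    For k1 uniform in [0, P), any two distinct messages of at most L blocks
    collide with probability at most L / P (the difference of the two
    polynomials is nonzero with degree <= L, so it has at most L roots).
    """
    acc = 0
    for b in _blocks(msg):
        acc = (acc + b) * k1 % P
    return acc


def prf(k2: bytes, nonce: bytes) -> int:
    """PRF used to mask the hash output. HMAC-SHA256 is a stand-in here for
    the block cipher a production design would use (assumption for this example)."""
    return int.from_bytes(hmac.new(k2, nonce, hashlib.sha256).digest()[:16], "little")


def mac(k1: int, k2: bytes, nonce: bytes, msg: bytes) -> bytes:
    """Wegman-Carter MAC: tag = (h_k1(msg) + PRF_k2(nonce)) mod 2^128 as 16 bytes.
    The nonce must never repeat under the same k2."""
    t = (poly_hash(k1, msg) + prf(k2, nonce)) % (1 << 128)
    return t.to_bytes(16, "little")


def verify(k1: int, k2: bytes, nonce: bytes, msg: bytes, tag: bytes) -> bool:
    """Constant-time comparison of the recomputed tag with the received one."""
    return hmac.compare_digest(mac(k1, k2, nonce, msg), tag)


def keygen():
    """Fresh hash key (field element) and PRF key."""
    return secrets.randbelow(P), secrets.token_bytes(32)


def collision_rate(m1: bytes, m2: bytes, trials: int = 2000) -> float:
    """Estimate Pr[h_k(m1) == h_k(m2)] over random keys k.

    The proof bounds this by L/P; for L around 7 and P ~ 2^127 the expected
    number of hits over any feasible number of trials is zero.
    """
    hits = 0
    for _ in range(trials):
        k = secrets.randbelow(P)
        hits += poly_hash(k, m1) == poly_hash(k, m2)
    return hits / trials


if __name__ == "__main__":
    k1, k2 = keygen()
    nonce = secrets.token_bytes(16)
    msg = b"constructed sample message for the MAC example"
    tag = mac(k1, k2, nonce, msg)
    print("tag:", tag.hex())
    print("verify(original):", verify(k1, k2, nonce, msg, tag))
    print("verify(tampered):", verify(k1, k2, nonce, msg + b"!", tag))
    print("empirical collision rate:", collision_rate(b"a" * 100, b"b" * 100))
```

Note that the hash alone is not a MAC: its security rests entirely on k1 staying secret and on the nonce never repeating under k2, since two tags under the same nonce would cancel the mask and expose a linear relation in k1. That is the concrete form of the point made in the post about keyed functions being easier to get right than unkeyed hashes.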
