Symmetric ciphers as hash functions

Travis H. solinym at gmail.com
Tue Nov 1 02:33:17 EST 2005


> How does one properly use a symmetric cipher as a cryptographic hash
> function? I seem to be going around in circles.

Isn't this like asking a mechanic how to use a screwdriver as a hammer?

> Reversing the situation (using the data as the key and a known plain-
> text) makes a plaintext attack seem like a joy etc..

This is exactly how traditional Unix crypt(3) implementations used
DES, although they used a null string as the input and added some salt
to prevent dictionary attacks.  What exactly do you mean by "plaintext
attack"?  If we choose the plaintext, then we can compute the hash...
what's the problem?  All hashes I can think of work this way.

Incidentally, does anyone know how crypt(3) used salt, and why it used
so little instead of using a 64-bit IV in some mode with feedback?

> Are there any papers/books/etc that explain the implementation/use of
> symmetric ciphers (particularly AES) as cryptographic hash functions?

> btw I know that hash functions and symmetric ciphers share the same
> structural heritage (feistel rounds etc...), I just don't seem to be
> making the usage link at this point in time... :D

The latest hashes, such as SHA-1, gave up on Feistel.  It's not
necessary for the hash to be invertible, but OTOH there's no guarantee
of the lack of collisions.
--
http://www.lightconsulting.com/~travis/  -><-
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
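
The data-as-key idea discussed in the message above, as an added example that is not part of the original post: each message block keys the cipher, the running state is the plaintext, and the state is XORed back in (the Davies-Meyer construction), which goes beyond the single-block crypt(3) case. Assumptions: XTEA stands in for DES/AES only because it fits in a few lines of standard-library Python, the names `xtea_encrypt` and `cipher_hash` are hypothetical, and the 64-bit digest is for illustration only.

```python
import struct

MASK = 0xFFFFFFFF
DELTA = 0x9E3779B9


def xtea_encrypt(key: bytes, block: bytes, rounds: int = 32) -> bytes:
    """Encrypt one 8-byte block under a 16-byte key with XTEA (big-endian words)."""
    k = struct.unpack(">4I", key)
    v0, v1 = struct.unpack(">2I", block)
    s = 0
    for _ in range(rounds):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
        s = (s + DELTA) & MASK
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
    return struct.pack(">2I", v0, v1)


def cipher_hash(data: bytes) -> bytes:
    """Hash `data` by using each 16-byte message block as the cipher key.

    Compression step (Davies-Meyer): H_i = E_{m_i}(H_{i-1}) XOR H_{i-1}.
    The XOR feed-forward is what stops the step from being inverted by
    simply running the cipher backwards with a known message block.
    """
    # Merkle-Damgard strengthening: 0x80 marker, zero fill, 64-bit bit length.
    padded = data + b"\x80"
    padded += b"\x00" * (-(len(padded) + 8) % 16)
    padded += struct.pack(">Q", len(data) * 8)

    # All-zero starting state, echoing the fixed known input crypt(3) encrypted.
    h = bytes(8)
    for i in range(0, len(padded), 16):
        e = xtea_encrypt(padded[i:i + 16], h)
        h = bytes(a ^ b for a, b in zip(e, h))
    return h


if __name__ == "__main__":
    # Constructed sample inputs.
    for msg in (b"", b"password", b"a much longer message spanning blocks"):
        print(msg, cipher_hash(msg).hex())
```

With an empty message the whole hash reduces to one encryption of the zero block under the padding block as key, which is the shape of the crypt(3) usage described above, minus the salt.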