picking a hash function to be encrypted
Travis H.
solinym at gmail.com
Sun May 14 04:04:41 EDT 2006
So...
Suppose I want a function to provide integrity and authentication, and
that is to be combined with a stream cipher (as is the plaintext). I
believe that authentication is free once I have integrity given the
fact that the hash value is superencrypted using the stream cipher,
whose key is shared by only the sender and recipient. I believe what
I'm looking for is a strongly universal hash. I don't need much;
everything I've seen is simultaneously too much and too little, often
calling upon a block cipher, which seems redundant.
What I was thinking of doing was using Poly1305, and using the stream
cipher instead of AES. I think in this case that I can leave the MAC
exposed, since it's a MAC and not a hash. Is there an analogous, hash
function that does not use encryption internally?
Backing up a bit, are there simpler hash functions (or families of
functions) that could scale and, given the stream cipher, do the job?
For example, the wikipedia entry for UMAC* shows a very simple hash
family, which is trivial to scale to give a desired security level
|D|. So I have a couple of questions about it; first, is it
appropriate to use in this circumstance? Second, how would I
authenticate variable-length messages; do I merely break them up into
sequential pieces and authenticate each piece seperately, or is there
a way to authenticate the whole thing without using some other hash
function?
[*] http://en.wikipedia.org/wiki/UMAC
I'd really like to read the fine literature, but most of the papers
I've found appear to predate the web. Any URLs would be much
appreciated.
And for reading this whole email, you get a present:
http://dsns.csie.nctu.edu.tw/research/crypto/
--
"Curiousity killed the cat, but for a while I was a suspect" -- Steven Wright
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list