[Cryptography] Creating a Parallelizeable Cryptographic Hash Function
Jason Resch
jresch at cleversafe.com
Fri Oct 3 14:16:43 EDT 2014
On 10/03/2014 12:25 PM, Jonathan Katz wrote:
> On Fri, Oct 3, 2014 at 1:18 PM, Jason Resch <jresch at cleversafe.com
> <mailto:jresch at cleversafe.com>> wrote:
>
> On 10/02/2014 06:50 PM, Jonathan Katz wrote:
>> On Thu, Oct 2, 2014 at 6:53 PM, Jason Resch
>> <jresch at cleversafe.com <mailto:jresch at cleversafe.com>> wrote:
>>
>> Assuming there was a secure cryptographic function H() with
>> an output of L bits, what attacks or weaknesses would exist
>> in a protocol that did the following:
>>
>>
>> Digest = H(B_0 || C_0) ^ H(B_1 || C_1) ^ H(B_2 || C_2) ^ ...
>> ^ H(B_N || C_N) ^ H(N)
>>
>>
>> Where B_0 through B_N are the blocks (of size L) constituting
>> the message and C_0 through C_N are L-bit counters.
>>
>> One problem seems to be that if any collision can be found
>> for a given H(X || C_i) and H(Y || C_i), it leads to an
>> essentially infinite number of collisions (any message that
>> contains X as a block can have that block replaced with Y),
>> but what other vulnerabilities does this construction have
>> that would make it unsuitable as a general purpose
>> cryptographic hash function?
>>
>> Thanks for your expertise.
>>
>>
>> There are several issues. Most obvious is that your hash is
>> homomorphic, i.e.,
>> digest(B_0, B_1) ^ digest(B'_0, B_1) ^ digest(B_0, B'_1) =
>> digest(B'_0, B'_1)
>
> But here you are not using counter values in the digest
> calculation. Is there a way to determine any kind of homomorphism
> when no collisions can be found in H()?
>
>
> Yes, I was. By digest(., .), I meant to apply your scheme.
Okay I see how that works now. That is an interesting property, but can
it be used to undermine the security of any typical applications of hash
functions?
Thanks,
Jason
>>
>> Also, collisions in your hash function can be found in faster
>> than square-root time using Wagner's generalized birthday attack.
>
> Interesting, thanks for pointing this out. If I interpret the
> improvement of the GBA correctly, does that mean the time
> complexity to find a collision is N^(L/2) / L vs. N^(L/2)?
>
> Thanks,
>
> Jason
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20141003/01a93545/attachment.html>
More information about the cryptography
mailing list