[Cryptography] Creating a Parallelizeable Cryptographic Hash Function

Jerry Leichter leichter at lrw.com
Tue Oct 7 14:58:49 EDT 2014

On Oct 7, 2014, at 7:02 AM, Bill Cox <waywardgeek at gmail.com> wrote:
> Actually, this is one of my favorite processes for producing good ideas.  Continuing with this process, what's wrong with:
> Digest = H(1 || B1) * H(2 || B2) * ... * H(n || Bn) mod p
This falls immediately to a prefix attack:  If I know Digest(M) and length(M) (assume for simplicity that length(M) is a multiple of the block size) then

Digest(M || Bn+1) = Digest(M) * H(n + 1 || Bn+1) mod p

- taking the remainder mod p twice produces the same result as doing it only once.

> I think I've shown this is secure based on the difficulty of the discrete log problem.  If true, isn't this exactly what you say is unlikely to happen?
You've tossed around a powerful result without tying it to the security of what you wanted to secure!
                                                        -- Jerry
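The extension Jerry describes, worked through as an added example (this is not code from the thread): the proposed digest is computed over M, and then Digest(M || B) is reproduced from Digest(M) and length(M) alone, without M. SHA-256 as H, a 16-byte block, and p = 2^127 - 1 are my choices for illustration, not anything the thread specifies.

```python
import hashlib

P = (1 << 127) - 1   # assumed modulus for the demo: the Mersenne prime 2^127 - 1
BLOCK = 16           # assumed block size in bytes

def h(index, block):
    """H(i || B_i): SHA-256 over the block index and the block, reduced mod p."""
    data = index.to_bytes(8, "big") + block
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P

def blocks(msg):
    """Split a message whose length is a multiple of BLOCK into its blocks."""
    if len(msg) % BLOCK:
        raise ValueError("message length must be a multiple of the block size")
    return [msg[i:i + BLOCK] for i in range(0, len(msg), BLOCK)]

def digest(msg):
    """The proposed construction: H(1||B1) * H(2||B2) * ... * H(n||Bn) mod p."""
    d = 1
    for i, b in enumerate(blocks(msg), start=1):
        d = d * h(i, b) % P
    return d

def extend(known_digest, known_len, suffix):
    """Digest(M || suffix) computed from Digest(M) and len(M) only, never from M.

    Each appended block j contributes the factor H(j || B_j), and reducing mod p
    after every multiplication gives the same result as reducing once at the end.
    """
    n = known_len // BLOCK
    d = known_digest
    for j, b in enumerate(blocks(suffix), start=n + 1):
        d = d * h(j, b) % P
    return d

def demo():
    """Constructed sample: a 32-byte message and a 16-byte appended block."""
    m = b"constructed message, 32 bytes!!!"
    suffix = b"appended block!!"
    forged = extend(digest(m), len(m), suffix)   # M itself is not used here
    return forged == digest(m + suffix)

if __name__ == "__main__":
    print("extension reproduces the real digest:", demo())
```

Because each block's contribution is an independent factor, the same property also lets blocks be reordered or dropped without knowing the rest of the message, which is why the construction cannot be secured by the hardness of discrete log alone.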
