[Cryptography] Secure parallel hash, with constant time update

Bill Cox waywardgeek at gmail.com
Mon Oct 13 17:49:51 EDT 2014

On Mon, Oct 13, 2014 at 5:08 PM, Jerry Leichter <leichter at lrw.com> wrote:

> On Oct 13, 2014, at 4:53 PM, Bill Cox <waywardgeek at gmail.com> wrote:
> > Can I take it as a good sign than no one offered any attacks or found
> any weaknesses so far? :-)
> You can take it as a sign that people aren't very interested.
> I lost interest after an exchange we had that went:  "It's secure because
> of the discrete log problem.  But it violates its own basic security
> requirements when it produces a 0 result!  Oh, that's so unlikely - why
> worry about it?"  At that point, we left the realm of mathematics and
> proofs for someplace else where I, for one prefer not to go.

Hi, Jerry.  Thanks for making the attempt, but your attack fails.  To mount
it, an attacker must have an algorithm for finding x such that H(x) = 0.
If he has such an algorithm, he has broken H completely, which contradicts
the assumption that H is a secure cryptographic hash.

A more interesting point is does the algorithm have a practical use?  Is
there need for a hashing algorithm that defends well against the
generalized birthday attack?

It probably is worth noting that there is such an algorithm in any case,
and we cannot assume that this attack breaks all hashes of this form.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20141013/80afc82f/attachment.html>

More information about the cryptography mailing list