[Cryptography] Hashing with CTR mode?
Judson Lester
nyarly at gmail.com
Thu Aug 25 19:36:40 EDT 2016
This is likely a dumb question, but it came to mind as I was reading the
paper describing SWEET32. There, the authors assert that because block
ciphers are random permutations as opposed to random functions, their
collision properties under CTR mode are the same as under CBC.
Parenthetically, they relate that the collision time increases to 2^n if
you used a random function.
Based on that, I wonder: what's wrong with using CTR where the "block
cipher" is SHA256(IV | key)? The intent is to use the hash as a keyed
random function - if there's a problem with the naive approach here, can
the construction be done?
Judson
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20160825/224db7f6/attachment.html>
More information about the cryptography
mailing list