On Wed, 1 Sep 2004, David Wagner wrote:
Hal Finney writes:
[John Denker proposes:] the Bi are the input blocks:
(IV) - B1 - B2 - B3 - ... Bk - H1
(IV) - B2 - B3 - ... Bk - B1 - H2
then we combine H1 and H2 nonlinearly.
This does not add any strength against Joux's attack. One can find
how about this simpler construction?
(IV1) - B1 - B2 - B3 - ... Bk - H1
(IV2) - B1 - B2 - B3 - ... Bk - H2
This approach and the cache Block 1 until the end approach
are both special-case versions of maintain more state attacks.
This special case maintains 2*(size of hash output) bits of
From: Ivan Krstic [EMAIL PROTECTED]
Sent: Aug 29, 2004 8:40 AM
To: Metzdowd Crypto [EMAIL PROTECTED]
Subject: Re: ?splints for broken hash functions
This is Schneier's and Ferguson's solution to then-known hash function
weaknesses in Practical Cryptography, Wiley Publishing, 2003:
We do
John Kelsey critiques the proposal from Practical Cryptography:
We do not know of any literature about how to fix the hash functions,
but here is what we came up with when writing this book. ... Let h be
one of the hash functions mentioned above. Instead of m-h(m), we use
m-h(h(m) || m) as
I wrote
the Bi are the input blocks:
(IV) - B1 - B2 - B3 - ... Bk - H1
(IV) - B2 - B3 - ... Bk - B1 - H2
then we combine H1 and H2 nonlinearly.
(Note that I have since proposed a couple of improvements,
but I don't think they are relevant to the present remarks.)
David Wagner wrote:
This
Jerry Leichter writes:
However ... *any* on-line algorithm falls to a Joux-style attack.
Hal Finney wrote:
... hashes that support incremental hashing, as any useful hash surely must,
If you insist on being able to hash exceedingly long strings
(i.e. longer than your storage capacity) here is a
I agree with 99% of what Hal Finney wrote. I won't repeat
the parts we agree on.
But let's discuss these parts:
how much harder?
Well, probably a lot. Finding a regular B2 collision in a perfect
160 bit hash compression function takes 2^80 work. Finding a double
collision like this is
