It strikes me that Joux's attack relies on *two* features of current constructions: The block-at-a-time structure, and the fact that the state passed from block to block is the same size as the output state. Suppose we did ciphertext chaining: For block i, the input to the compression function is the compressed previous state and the xor of block i and block i-1. Then I can no longer mix-and-match pairs of collisions to find new ones.
Am I missing some obvious generalization of Joux's attack?

(BTW, this is reminiscent of two very different things: (a) Rivest's work on "all or nothing" package transforms; (b) the old trick in producing MACs by using CBC and only sending *some* of the final encrypted value, to force an attacker to guess the bits that weren't sent.)

-- Jerry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
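As an added example (not part of the original post or of the list discussion): a toy Merkle-Damgård hash with a 16-bit chaining state, Joux's 2^r multicollision built from r sequential birthday collisions on the compression function, and the same collision pairs replayed against the XOR-chained variant described in the post, where the attacker picks each block as M_i = X_i XOR M_{i-1} so that the compression function still sees the colliding input X_i. The compression function (truncated SHA-256), the IV, the 32-bit block width and the choice M_0 = 0 as the chaining partner of the first block are assumptions made for illustration.

```python
import hashlib
from itertools import product

STATE_BYTES = 2      # 16-bit chaining state: birthday collisions cost ~2^8 calls (assumption)
BLOCK_BYTES = 4      # 32-bit message blocks (assumption)
IV = 0x1234          # arbitrary fixed IV (assumption)


def compress(h, block):
    """Toy compression function f(h, m): SHA-256 of (state || block), truncated to 16 bits."""
    data = h.to_bytes(STATE_BYTES, "big") + block.to_bytes(BLOCK_BYTES, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:STATE_BYTES], "big")


def md_hash(blocks, iv=IV):
    """Plain Merkle-Damgård chaining: h_i = f(h_{i-1}, M_i).
    Padding and the length block are omitted; they do not change the attack."""
    h = iv
    for m in blocks:
        h = compress(h, m)
    return h


def xor_chained_hash(blocks, iv=IV):
    """The variant from the post: h_i = f(h_{i-1}, M_i XOR M_{i-1}).
    M_0 = 0 is assumed as the chaining partner of the first block."""
    h, prev = iv, 0
    for m in blocks:
        h = compress(h, m ^ prev)
        prev = m
    return h


def find_collision(h):
    """Birthday search from a fixed state h: return x != x' with f(h, x) == f(h, x')."""
    seen = {}
    for x in range(1 << (8 * BLOCK_BYTES)):
        out = compress(h, x)
        if out in seen:
            return seen[out], x
        seen[out] = x
    raise RuntimeError("no collision found (practically impossible for a random f)")


def joux_multicollision(r, iv=IV):
    """Joux: r collision pairs found one after another along a single chain.
    Any choice of one element per pair reaches the same final state, giving
    2^r colliding messages for r * 2^(n/2) work instead of 2^(n * (2^r - 1) / 2^r)."""
    pairs, h = [], iv
    for _ in range(r):
        x0, x1 = find_collision(h)
        pairs.append((x0, x1))
        h = compress(h, x0)          # identical to compress(h, x1) by construction
    return pairs, h


def expand_md(pairs):
    """All 2^r messages for the plain construction: the blocks are the X_i themselves."""
    return [list(choice) for choice in product(*pairs)]


def expand_xor_chained(pairs):
    """All 2^r messages for the XOR-chained variant.
    The collision was found on the compression input X_i, so the block actually
    sent is back-solved as M_i = X_i XOR M_{i-1}; the map from choices to
    messages is a bijection, so the 2^r messages stay distinct."""
    msgs = []
    for choice in product(*pairs):
        prev, m = 0, []
        for x in choice:
            cur = x ^ prev
            m.append(cur)
            prev = cur
        msgs.append(m)
    return msgs


def multicollision_report(r):
    """Run the attack against both constructions and summarise what collides."""
    pairs, target = joux_multicollision(r)
    md_msgs = expand_md(pairs)
    xc_msgs = expand_xor_chained(pairs)
    return {
        "target": target,
        "md_distinct": len({tuple(m) for m in md_msgs}),
        "md_colliding": sum(md_hash(m) == target for m in md_msgs),
        "xc_distinct": len({tuple(m) for m in xc_msgs}),
        "xc_colliding": sum(xor_chained_hash(m) == target for m in xc_msgs),
    }


if __name__ == "__main__":
    print(multicollision_report(4))
```

The XOR of consecutive blocks is an invertible transform that the attacker can compute block by block, so each collision is searched on the compression-function input X_i and the real block M_i is then derived from it; the derived messages remain distinct and all reach the same final state, at the same r birthday searches of roughly 2^(n/2) work each as in the plain construction.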