>From: Ben Laurie <[EMAIL PROTECTED]>
>Sent: Aug 26, 2004 7:41 AM
>To: Amir Herzberg <[EMAIL PROTECTED]>
>Cc: "Perry E. Metzger" <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
>Subject: Re: HMAC?
>Amir Herzberg wrote:
>> So, finding specific collisions in the hash function should not cause
>> too much worry about its use in HMAC. Of course, if this would lead to
>> finding many collisions easily, including to messages with random
>> prefixes, this could be more worrying...

>Hmmm ... if you could persuade your victim to use a key that was known
>to be a suitable prefix for finding collisions...

The big question is what the probability is of getting a successful colliding message pair when you have complete control over the message, but don't know the IV. For repeated queries, you can know it's always the *same* IV, if that helps, just not what it is. I don't think we can know that until we've seen the full explanation in the Wang et al. paper, which hasn't been released yet.

--John Kelsey

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
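An added illustration of the two cases discussed above; it is not part of the thread and not code posted by anyone in it. It builds a toy Merkle-Damgard hash (32-bit state, 4-byte blocks, a made-up compression function) and the standard HMAC construction H((K xor opad) || H((K xor ipad) || m)) on top of it. Because the state is tiny, collisions come out of a birthday search in about a second, so one can actually run the situation Kelsey describes: the attacker controls the whole message, but in HMAC that message is hashed from a chaining value that depends on the key. A collision found against the public IV is then tried under a key the attacker does not know, and a collision found against the key-dependent chaining value (Ben Laurie's "suitable prefix" case) is tried the same way. The key value 0badc0de, the constants and the compression function are all constructed for the demo; nothing here models MD5 or SHA-1 specifically.

```python
# Added illustration (not from the thread): a toy Merkle-Damgard hash with HMAC
# on top. The 32-bit state, 4-byte blocks, the mixing constants and the key
# 0badc0de are all constructed for the demo; the hash is deliberately weak so
# that birthday collisions are cheap to find.
MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF
BLOCK = 4            # block size in bytes = state size = HMAC key size (toy)
IV0 = 0x67452301     # the public, fixed IV of the toy hash


def compress(h: int, block: bytes) -> int:
    """64 -> 32 bit mixer (splitmix64-style rounds, then the halves folded).
    It is not a bijection in the block, so same-IV collisions exist at the
    birthday rate, which is what the demo relies on."""
    x = ((h << 32) | int.from_bytes(block, "big")) & MASK64
    for k in (0x9E3779B97F4A7C15, 0xBF58476D1CE4E5B9, 0x94D049BB133111EB):
        x ^= x >> 31
        x = (x * k) & MASK64
    x ^= x >> 29
    return (x ^ (x >> 32)) & MASK32


def pad(msg: bytes, prefix_len: int = 0) -> bytes:
    """MD strengthening: 0x80, zeros to a block boundary, then the total length
    (prefix_len counts bytes already absorbed into the chaining value)."""
    padded = msg + b"\x80"
    padded += b"\x00" * (-len(padded) % BLOCK)
    return padded + (prefix_len + len(msg)).to_bytes(BLOCK, "big")


def toy_hash(msg: bytes, iv: int = IV0, prefix_len: int = 0) -> int:
    """Hash msg starting from chaining value iv, as if prefix_len bytes (whole
    blocks) had already been absorbed into iv."""
    assert prefix_len % BLOCK == 0
    h = iv
    data = pad(msg, prefix_len)
    for i in range(0, len(data), BLOCK):
        h = compress(h, data[i:i + BLOCK])
    return h


def inner_iv(key: bytes) -> int:
    """Chaining value after HMAC's inner hash absorbs K xor ipad: the 'IV' the
    attacker-controlled message is really hashed from. It depends on the key,
    so an attacker who does not know the key does not know it either."""
    return compress(IV0, bytes(b ^ 0x36 for b in key))


def toy_hmac(key: bytes, msg: bytes) -> int:
    """HMAC(K, m) = H((K xor opad) || H((K xor ipad) || m)) over the toy hash."""
    assert len(key) == BLOCK
    k_ipad = bytes(b ^ 0x36 for b in key)
    k_opad = bytes(b ^ 0x5C for b in key)
    inner = toy_hash(k_ipad + msg)
    return toy_hash(k_opad + inner.to_bytes(BLOCK, "big"))


def find_collision(iv: int = IV0, prefix_len: int = 0):
    """Birthday search over one-block messages hashed from chaining value iv.
    Returns (m1, m2) with m1 != m2 and equal digests; ~2^16 hashes expected."""
    seen = {}
    i = 0
    while True:
        m = i.to_bytes(BLOCK, "big")
        d = toy_hash(m, iv, prefix_len)
        if d in seen:
            return seen[d], m
        seen[d] = m
        i += 1


def demo(key: bytes = bytes.fromhex("0badc0de")):
    """Returns (public_iv_collision_transfers_to_hmac, known_iv_collision_carries)."""
    # 1. The attacker finds a collision for the public hash (IV0 is known).
    m1, m2 = find_collision(IV0)
    assert m1 != m2 and toy_hash(m1) == toy_hash(m2)
    # 2. Under HMAC the same messages are hashed from inner_iv(key), which the
    #    attacker does not know; the pair still collides only with probability
    #    about 2^-32 for this toy, i.e. essentially never.
    transfers = toy_hmac(key, m1) == toy_hmac(key, m2)
    # 3. If the attacker does know that chaining value (a key chosen so that
    #    K xor ipad is a "suitable prefix"), a collision found against it is an
    #    HMAC collision outright: equal inner digests give equal outer hashes.
    c1, c2 = find_collision(inner_iv(key), BLOCK)
    carries = toy_hmac(key, c1) == toy_hmac(key, c2)
    return transfers, carries


if __name__ == "__main__":
    print(demo())   # (False, True)
```

demo() returns (False, True): the first search stands in for "complete control over the message but not the IV", the second for knowing the IV. The toy only shows what the HMAC structure does with a collision once you have one; it says nothing about how much harder it is to produce one against a chaining value you cannot see, which is exactly the open question in the post.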
