On Fri, Sep 10, 2010 at 10:29:32AM -0700, [email protected] wrote:
> I wonder if there are any known identities under hash functions. A naive hash that does not use bit padding of some kind often has easy identities. For instance, MMO mode constructs the hash using H(m) = E_h(m) ^ m for some fixed initial h. Choose your (single block input) m to be D_h(zeros); then the hash becomes E_h(D_h(zeros)) ^ D_h(zeros), the encrypt and decrypt cancel out, so you xor m against all zeros and then output m as the hash.
>
> Something like this works for most hash functions based on an invertible permutation, unless you use bit padding. AFAIK padding à la Merkle-Damgard prevents all attacks of this form.
>
> -Jack
>
> _______________________________________________
> cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
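The fixed point Jack describes, worked through as an added example (this code is not from the original post or the list). The 64-bit Feistel "cipher" below is a constructed stand-in for E_h/D_h, not a real block cipher, and the Merkle-Damgard padding block is a simplified one-block form (leading 1 bit plus the bit length) assumed for illustration.

```python
# Added example: MMO compression H(m) = E_h(m) ^ m over a toy invertible
# permutation, showing that m = D_h(0) hashes to itself, and that an
# MD-style padding block breaks the single-block identity.
MASK32 = 0xFFFFFFFF
ROUNDS = 4

def _round_key(key: int, i: int) -> int:
    # Constructed key schedule for the toy cipher (not secure, just invertible).
    return ((key >> (16 * i)) ^ (key * 0x2545F491)) & MASK32

def _f(x: int, k: int) -> int:
    x = (x + k) & MASK32
    x = ((x << 13) | (x >> 19)) & MASK32
    return (x * 0x9E3779B1) & MASK32

def encrypt(key: int, block: int) -> int:
    """E_key(block) on a 64-bit block: four Feistel rounds."""
    l, r = block >> 32, block & MASK32
    for i in range(ROUNDS):
        l, r = r, l ^ _f(r, _round_key(key, i))
    return (l << 32) | r

def decrypt(key: int, block: int) -> int:
    """D_key(block): undo the Feistel rounds in reverse order."""
    l, r = block >> 32, block & MASK32
    for i in reversed(range(ROUNDS)):
        l, r = r ^ _f(l, _round_key(key, i)), l
    return (l << 32) | r

def mmo(h: int, m: int) -> int:
    """Matyas-Meyer-Oseas compression: H = E_h(m) ^ m."""
    return encrypt(h, m) ^ m

def identity_block(h: int) -> int:
    """The post's trick: m = D_h(0), so E_h(m) = 0 and mmo(h, m) == m."""
    return decrypt(h, 0)

def md_hash(h0: int, msg: int) -> int:
    """Same compression with a simplified MD padding block appended.

    The attacker-chosen block still maps h0 -> m, but the fixed padding
    block is then compressed under chaining value m, which is no longer
    something the chosen input cancels out."""
    pad = (1 << 63) | 64      # assumed padding: leading 1 bit, 64-bit length
    h1 = mmo(h0, msg)
    return mmo(h1, pad)

if __name__ == "__main__":
    h = 0x0123456789ABCDEF   # constructed fixed IV
    m = identity_block(h)
    print(hex(m), hex(mmo(h, m)), hex(md_hash(h, m)))
```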
