Thu 2013-06-13 at 17:09 +0200, Francois Grieu wrote:
> As discussed at
> http://crypto.stackexchange.com/questions/8634/how-scrypt-uses-salsa
> it appears that the statement made here
> http://tools.ietf.org/html/draft-josefsson-scrypt-kdf-01#page-3
> that
> > Salsa20/8 Core is not a cryptographic hash function since it is not
> > collision-resistant.
> is (at least) causing confusion, and (I believe) is wrong, for the Salsa20/8
> Core
> is intended to be collision-resistant, and is, AFAIK.

I believe that is false. Salsa20 Core is not designed to be
collision-resistant, read DJB's own page:

http://cr.yp.to/salsa20.html

For example, Salsa20core(x) = Salsa20core(x + c) for c =
"0000000800000008...", thus demonstrating trivial collisions.

To be concrete, try computing Salsa20core for the following two
inputs:

    00000000000000000000000000000000
    00000000000000000000000000000000
    00000000000000000000000000000000
    00000000000000000000000000000000

and

    00000080000000800000008000000080
    00000080000000800000008000000080
    00000080000000800000008000000080
    00000080000000800000008000000080

the output for both inputs should be all zeros.

/Simon
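The collision described in the message above can be checked with a small Salsa20 core written from the public specification. This is an added example, not part of the original message or of the scrypt draft; the function names `salsa20_core` and `add_top_bit` are hypothetical. It goes beyond the all-zero input in the message by also checking an arbitrary constructed block with 8 rounds (Salsa20/8), assuming the usual little-endian word encoding.

```python
import struct

MASK = 0xFFFFFFFF
# Word indices for the four quarter-rounds of a column round and a row round.
COLUMNS = [(0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11)]
ROWS = [(0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)]

def rotl(v, n):
    """Rotate a 32-bit word left by n bits."""
    return ((v << n) & MASK) | (v >> (32 - n))

def quarterround(s, a, b, c, d):
    """Salsa20 quarter-round, updating state list s in place."""
    s[b] ^= rotl((s[a] + s[d]) & MASK, 7)
    s[c] ^= rotl((s[b] + s[a]) & MASK, 9)
    s[d] ^= rotl((s[c] + s[b]) & MASK, 13)
    s[a] ^= rotl((s[d] + s[c]) & MASK, 18)

def salsa20_core(block, rounds=20):
    """Salsa20 core on a 64-byte block; rounds=8 gives Salsa20/8 Core."""
    x = list(struct.unpack("<16I", block))
    s = x[:]
    for _ in range(rounds // 2):
        for idx in COLUMNS:
            quarterround(s, *idx)
        for idx in ROWS:
            quarterround(s, *idx)
    # Feed-forward: add the input words to the permuted state.
    return struct.pack("<16I", *((s[i] + x[i]) & MASK for i in range(16)))

def add_top_bit(block):
    """Add 0x80000000 to each of the 16 little-endian words (x + c)."""
    words = struct.unpack("<16I", block)
    return struct.pack("<16I", *((w + 0x80000000) & MASK for w in words))

if __name__ == "__main__":
    zero = bytes(64)
    shifted = add_top_bit(zero)          # bytes 00 00 00 80 repeated
    print(shifted.hex())
    print(salsa20_core(zero).hex())
    print(salsa20_core(shifted).hex())
    sample = bytes(range(64))            # constructed test input
    print(salsa20_core(sample, 8) == salsa20_core(add_top_bit(sample), 8))
```

The top-bit difference cancels in every 32-bit addition inside the rounds and again in the feed-forward, which is why the two outputs match for any input and any round count.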
