From: Tom St Denis on 15 Jun 2010 14:21

On Jun 15, 1:40 pm, g...(a)nope.ucsd.edu (Greg Rose) wrote:
> In article <485a0ba3-f470-4689-b6c1-2b80e3f51...(a)w31g2000yqb.googlegroups.com>,
> Maaartin <grajc...(a)seznam.cz> wrote:
>> H = x xor AES(x xor 0xDEADBEEF, x);
>>
>> Would be fine. Or for the more sensitive in the crowd
>>
>> H = x xor AES(x xor 0xEA71EAF, x);
>>
>> Should do :-)
>
>> I understand "dead beef", but what is 0xEA71EAF?
>
> "eat leaf" -- vegetarian version.

I figured if I was going to screw up my own post so bad I might as well end it with a pun hehehe. At least someone caught on :-)

Tom
From: Maaartin on 15 Jun 2010 21:06

On Jun 15, 7:40 pm, g...(a)nope.ucsd.edu (Greg Rose) wrote:
>> I understand "dead beef", but what is 0xEA71EAF?
> "eat leaf" -- vegetarian version.

Thx, this seems to clear out my last point. So I'd like to conclude:

- Using H(x) = x ^ aes(k, x) for a fixed known k is a secure hash as long as aes is secure.
- It's the same as the first step in the Matyas-Meyer-Oseas schema (used e.g. in Skein), where k is the chaining value (i.e., IV in the first step) and x is the new block to be hashed.
- It's probably faster than md5(x) and there's no reason to believe it's less secure.

Does everybody agree?

On Jun 15, 8:21 pm, Tom St Denis <t...(a)iahu.ca> wrote:
> I figured if I was going to screw up my own post so bad I might as
> well end it with a pun hehehe. At least someone caught on :-)

There's always something to be learned.
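Maaartin's three-point conclusion above, as a runnable illustration added here (this is not code from the thread or from any of its posters): the single-block H(x) = x XOR AES_k(x) built on Go's standard crypto/aes, and the same step chained as a Matyas-Meyer-Oseas hash with k as the initial chaining value. The key and plaintext are the FIPS-197 Appendix C.1 test vector; the padding rule and the sample message are my own choices, not part of any standard.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)
// SingleBlockHash is H(x) = x XOR AES_k(x) on one 16-byte block, with k fixed and public.
func SingleBlockHash(k, x []byte) ([]byte, error) {
	if len(x) != aes.BlockSize {
		return nil, fmt.Errorf("x must be %d bytes, got %d", aes.BlockSize, len(x))
	}
	c, err := aes.NewCipher(k) // a 16-byte k selects AES-128
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize)
	c.Encrypt(out, x)
	for i := range out {
		out[i] ^= x[i] // feed-forward XOR: without it, anyone knowing k could invert the block
	}
	return out, nil
}
// MMOHash chains that step over a message, h_i = AES_{h_{i-1}}(m_i) XOR m_i with h_0 = iv, so
// step one is SingleBlockHash(iv, m_1). Padding 0x80/zeros/64-bit bit length is chosen here, not standard.
func MMOHash(iv, msg []byte) ([]byte, error) {
	padded := append(append([]byte{}, msg...), 0x80)
	for len(padded)%aes.BlockSize != aes.BlockSize-8 {
		padded = append(padded, 0)
	}
	var bits [8]byte
	binary.BigEndian.PutUint64(bits[:], uint64(len(msg))*8)
	padded = append(padded, bits[:]...)
	h := append([]byte{}, iv...)
	for off := 0; off < len(padded); off += aes.BlockSize {
		next, err := SingleBlockHash(h, padded[off:off+aes.BlockSize])
		if err != nil {
			return nil, err
		}
		h = next
	}
	return h, nil
}
func main() {
	kx, _ := hex.DecodeString("000102030405060708090a0b0c0d0e0f00112233445566778899aabbccddeeff") // FIPS-197 C.1 key, then plaintext
	h, _ := SingleBlockHash(kx[:16], kx[16:])
	d, _ := MMOHash(kx[:16], []byte("constructed sample message"))
	fmt.Printf("H(x) = %x\nMMO  = %x\n", h, d) // H(x) = 69d5c2eb2e2e624750541d3bbc692ba5
}
```

The single-block function only accepts exactly 16 bytes, which is why the chained form with length padding is needed before this step can hash messages of arbitrary length.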
From: Greg Rose on 15 Jun 2010 21:13

In article <72ab07e1-93f9-4e02-9d08-0555e177f5b3(a)y11g2000yqm.googlegroups.com>, Maaartin <grajcar1(a)seznam.cz> wrote:
> Does everybody agree?

Don't know about everyone, but I do.

Greg.
From: Paul Rubin on 15 Jun 2010 21:43

Maaartin <grajcar1(a)seznam.cz> writes:
> - Using H(x) = x ^ aes(k, x) for a fixed known k is a secure hash as
> long as aes is secure.
...
> Does everybody agree?

I don't understand Francois Grieu's random oracle proof well enough to say I'm convinced by it. That doesn't mean I think it's wrong, but I have reservations about it. I don't see how any results about random oracles apply when the key is known. It's not an oracle at all, since the cipher's complete internal state is available through every step of the algorithm. But, I haven't studied the theory of such proofs (I've been wanting to).

I certainly don't see any obvious breaks against the scheme. It's kind of hackish but probably ok for some limited-deployment application where speed is a big concern. If you're doing a big deployment, you're probably better off sticking to standards.
From: Mok-Kong Shen on 16 Jun 2010 03:06

Maaartin wrote:
> - Using H(x) = x ^ aes(k, x) for a fixed known k is a secure hash as
> long as aes is secure.
>
> - It's the same as the first step in the Matyas-Meyer-Oseas schema
> (used e.g. in Skein), where k is the chaining value (i.e., IV in the
> first step) and x is the new block to be hashed.
>
> - It's probably faster then md5(x) and there's no reason to believe
> it's less secure.

I don't have sufficient knowledge to follow much of the discussions in this thread but have a couple of questions out of curiosity:

(1) How about the other scheme in your original post, namely x^aes(x,x)?

(2) How about aes(aes(k,x),x), aes(x,aes(k,x)), etc.?

M. K. Shen