Re: SHA-1 Variants
From: Tom St Denis (tomstdenis_at_iahu.ca)
Date: 06/01/04
- Next message: Simon Johnson: "Re: U.S. to build world's fastest computer"
- Previous message: Sebastian Gottschalk: "Re: HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed registry key"
- In reply to: Jim Steuert: "Re: SHA-1 Variants"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 01 Jun 2004 11:39:18 GMT
Jim Steuert wrote:
> Tom St Denis wrote:
>
>> So in the case of a 3x1 this means two different 3-bit inputs must
>> cause an output difference of 1 always. But this is not true and
>> therefore not a multipermutation.
>>
>
> You are wrong. The jargon doesn't help.
> A += ((B>>>k)^C) really is a multipermutation. For every B value, each C
> yields a unique A. Likewise, for every C value, every B yields a unique A.
Um, that's not what a multipermutation is, though. For that to be a
(3,1)-multipermutation a change in two bits would have to cause a bit
difference in the output. This isn't the case. A change in bit 0 of C
and bit k of B will cancel out and cause no difference in A.
>> What the f'ing f!@# do you think a wide-trail design is? Had you
>> actually read any suggested material [the first time you popped up in
>> this group] you wouldn't be bashing your head against the wall again
>> here.
>
>
> And yes, I have collected and read your Wide-Trail paper.
> I just couldn't see the design idea in it. Sort of like, it's
> a good thing to have, but how does it suggest a design?
Um my WT paper? Daemen invented WT designs. I wrote a survey on it but
you should read it from the original designer as well. Also how does it
suggest a design? Well it specifically states to use components with a
known branch.
> Then explain what elements of SHA-1 are designs
> based on your wide-trail principle. Or is the wide-trail
> merely an artifact of other design principles you've missed?
SHA-1 was designed before Daemen's thesis was published. If you're so
quick to dismiss the design strategy keep in mind that AES uses it.
>>> The idea is basic engineering 101. You are the one who cannot
>>> reduce your "theories" to "practice".
>>
>>
>> Um, DMWT, CS^2 and FPHT-HASH are all practical examples of my recent
>> study work. They're all based on solid science with a reasonable
>> grounding to prior art [e.g. not left-field too much].
>>
> Ok, you've got lots of theory.
> But you still can't explain simple ole SHA-1.
I didn't design SHA-1. I don't know how they analyzed it. What does
that have to do with anything? All I'm saying is if *you* want to
design hashes and ciphers that *you* should be able to prove things
about it. I mean I can take AES and tell you the branch is 25 over four
rounds. What can you say about your SHA modifications?
Keep in mind *you're* the one proposing designs not me. So why would
the burden be on me to prove things for you?
>> You on the other hand probably have never read a crypto journal.
>> Don't know the first thing about cryptanalysis [or engineering in
>> general] and are not progressing any.
>
>
> Really. What about my GER-semiring public key algorithm, or the
> 4-perm construction, which at least offers some insight into how SHA-1
> builds stronger ciphers from weaker ones.
Last I checked you haven't designed anything that has garnered any
serious attention. IIRC all of your pk algorithms were broken or at
least shown to be not as secure as claimed.
As for your posts about SHA-1... well so far they've been rather "same
old same old". Just more random changes in the hopes of doing something
right.
> You can't explain the simple design elements of SHA-1, which is precisely my
> point. Your theories are great handwaving but you really can't explain even
> the simplest and most pervasive crypto-device around: SHA-1.
I don't see this as a really valid counter argument of any sort. SHA-1
isn't a wide-trail design. To figure out the minimal trail weight you
would have to brute force check all differential trails [over at least a
few rounds and be lucky if you found one].
My papers were all wide-trail designs based on PHT and MDS transforms.
They're well known, better understood and have more grounding in
academia. They are also "not handwaving" as the theories in my papers
were proven true.
Anyways, trying to turn this around on me doesn't make you look any
smarter or your posts any more worthwhile.
> As regards my SHA-1 mod, I have created a mini-sha with 6-bit digest vars
> as a means of experimentation, and also a test routine for finding some
> (not all) low-weight differentials. Preliminary differential testing
> indicates that SHAMOD is as good as SHA-1. <http://users.rcn.com/pjsteuert>.
Assuming the analysis is correct, does it carry to the full-size SHA and
is SHAMOD any faster than SHA-224?
> I'm still looking for a quantified combinatorial "stirring" theorem
> which explains why more rounds improve round statistics (see the
> minisha.c program for experimental verification).
Um it shouldn't. If I find [say] a 4R differential then every four
rounds you add make it p times harder [p == prob of 4R]. At 112 rounds
unless you have p=1 differentials over several rounds you're pretty much
safe from a differential attack.
But that's not that impressive. At 112 rounds you're also going to be
much slower than SHA-224.
Tom
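The round element argued about in this thread, A += ((B>>>k)^C), as an added toy-size exhaustive check (this is my code, not either poster's; the 3-bit word width, the choice of k and all function names are my own): it tests the per-input bijectivity Jim describes, enumerates the (dB, dC) cancellations Tom describes, and computes one-step XOR differential probabilities of the kind the minisha experiments look for.

```python
# Constructed toy model of the element A += ((B >>> k) ^ C) on W-bit words,
# small enough to enumerate every input and every XOR difference exhaustively.
from itertools import product

W = 3                     # word width in bits; 3 matches the "3x1 / 3-bit" discussion
MASK = (1 << W) - 1
WORDS = range(1 << W)

def rotr(x, k):
    """Rotate the W-bit word x right by k positions."""
    k %= W
    return ((x >> k) | (x << (W - k))) & MASK

def step(a, b, c, k):
    """One application of the element: returns A + ((B >>> k) ^ C) mod 2^W."""
    return (a + (rotr(b, k) ^ c)) & MASK

def bijective_in_each_input(k):
    """Property Jim points to: fix any two inputs, vary the third, every output is hit."""
    for x, y in product(WORDS, repeat=2):
        if len({step(x, y, c, k) for c in WORDS}) != 1 << W: return False
        if len({step(x, b, y, k) for b in WORDS}) != 1 << W: return False
        if len({step(a, x, y, k) for a in WORDS}) != 1 << W: return False
    return True

def cancelling_differences(k):
    """Tom's observation, generalised: nonzero XOR differences (dB, dC), with A
    unchanged, that leave the output unchanged for every (A, B, C).
    Algebraically these are exactly the pairs with dC == rotr(dB, k)."""
    found = set()
    for db, dc in product(WORDS, repeat=2):
        if db and dc and all(step(a, b, c, k) == step(a, b ^ db, c ^ dc, k)
                             for a, b, c in product(WORDS, repeat=3)):
            found.add((db, dc))
    return found

def differential_prob(da, db, dc, dout, k):
    """Fraction of inputs for which XOR input difference (da, db, dc) yields XOR
    output difference dout: the toy analogue of a one-step trail probability."""
    hits = sum(step(a, b, c, k) ^ step(a ^ da, b ^ db, c ^ dc, k) == dout
               for a, b, c in product(WORDS, repeat=3))
    return hits / (1 << (3 * W))

if __name__ == "__main__":
    k = 1
    print("bijective in each input:", bijective_in_each_input(k))
    print("cancelling (dB, dC) pairs:", sorted(cancelling_differences(k)))
    print("P(dA=1 -> dOut=1):", differential_prob(1, 0, 0, 1, k))
```

Flipping bit k of B together with bit 0 of C (the pair (1 << k, 1)) appears in the cancelling set, while a difference confined to the top bit of A passes through the addition with probability 1 and a low-bit difference in A only with probability 1/2.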