Re: a new very fast hash algorithm (160 bits), with a technique of "overlapping sums"

From: Tom St Denis (
Date: 09/22/04

  • Next message: George Marsaglia: "Re: PRNG Breaking"
    Date: Tue, 21 Sep 2004 22:00:40 GMT

    Claudio wrote:
    > Hello,
    > This is a method for a hash function, based on a new technique (I
    > think it's new, but this should be validated).

    You think this is new?

    > #define UL unsigned long
    > #define LEFT 13
    > #define RIGHT 19
    > void round()
    > {
    > hash[4] += hash[0] >> RIGHT;
    > hash[0] += hash[0] << LEFT;
    > hash[0] += hash[1] >> RIGHT;
    > hash[1] += hash[1] << LEFT;
    > hash[1] += hash[2] >> RIGHT;
    > hash[2] += hash[2] << LEFT;
    > hash[2] += hash[3] >> RIGHT;
    > hash[3] += hash[3] << LEFT;
    > hash[3] += hash[4] >> RIGHT;
    > hash[4] += hash[4] << LEFT;

    How did you pick these values? What form of analysis led you to pick
    this design?


    > It processes blocks of 800 bits. The same block is processed 3 times.
    > Each time, a sub-block of 160 bits is XORed with the hash block, and the
    > result is mixed with itself (round() function), by making the 32 bits
    > integers overlap with themselves (overlapping, and then addition modulo
    > 2^32).

    You use key material way too slowly.

    > Can anybody tell me whether this idea is completely bad or very
    > interesting ??

    I can't say off the top of my head that it's weak but it certainly isn't
    an interesting design. let me tell you why.

    First off, I know what you are trying to do. You're trying to be the
    first kid on the block with a new cipher design in the wake of the
    recent attacks. Well that's just stupid and lame.

    Second, competent hash designs already exist. Like using block ciphers
    in various chaining modes [like what WHIRLPOOL is] are far more
    effective and easier to analyze.

    Third, a new "160-bit hash" is like a new "1980 honda civic". Just a
    bit dated.

    Fourth, Why not present your design material [e.g. in the form of a
    paper] before presenting the design?

    > The facts:
    > - The avalanche effect seems OK after 5 rounds. This has been
    > empirically checked with the tests programs: ENT, NIST , DIEHARD (I
    > generated a set of hashvalues, from a given 800-bits block where a
    > 32-bits integer at a given position was incremented before generating
    > the next hashvalue. I chosed the following integers: in[0] and in[24]).

    ENT and DIEHARD are not hash function "analyzers". You might as well
    used the algo to pick lotto numbers.

    > - fast algorithm. In Assembly, the inner loop will take about 40 cycles
    > by using MMX instructions, and by storing the hash block in MMX
    > registers (6 cycles per DWORD processed). The processBlock() function
    > will therefore take about 40*5*5 = 1000 cycles, for 100 bytes => about
    > 10 cycles / byte, which is just a little bit slower than MD5.

    Shifts are costly in cryptography. Not because they are slow but
    because they lose information. A rotation is much more useful and on
    the AMD they're just as expensive as a shift [being that the AMD
    processors have real ALUs....].

    > Thanks a lot in advance for your remarks (sorry for my non-perfect
    > english).

    Oh your English is ok. Your presentation just sucks.


  • Next message: George Marsaglia: "Re: PRNG Breaking"

    Relevant Pages

    • Re: [PROPOSAL/PATCH] Fortuna PRNG in /dev/random
      ... was good not to rely *entirely* on the ahsh algorithms. ... The point is that the current random.c design DOES NOT ... RELY on the security of the hash function. ... plaintext that's not one of the two. ...
    • Re: Help creating my own classes...
      ... Hash: SHA1 ... HTML is not a good idea. ... The designer can work on the design part without the fear breaking the ...
    • Re: Tenacity should be rewarded
      ... constructed tree, its a hash table and with hash tables, you either ... create a "perfect hash" design or you design the collision handling ... be individually located with the collision handling code. ... Arrrrgh, CUM the REVOLUTION KOMRADE, your assembler coding can be as ...
    • Re: Does this have a flaw in de-biasing an entropy stream?
      ... It takes the same time to build a bad circuit as it does to build a good circuit. ... The best time to stop this is in design time, ... the output to the user should be the output from a hash function ... If the hash function's output is n bits, feed raw data into it until by some estimate the amount of entropy in the raw data has reached n bits or so, then output the hash value, and start again with more raw data. ...
    • Re: expensive password hash
      ... >>phrase or he will not detect when he guesses the right pass phrase. ... I fail to see how this is done in your design. ... The hash over the buffef full with hashes is used to ... In this design the number of iterations or the time to waste is not ...