Re: SHA1 broken
From: David Wagner (daw_at_taverner.cs.berkeley.edu)
Date: 02/16/05
- Next message: David Wagner: "Re: SHA1 broken"
- Previous message: Paul Rubin: "Re: SHA1 broken"
- In reply to: Paul Rubin: "Re: SHA1 broken"
- Next in thread: Michael Amling: "Re: SHA1 broken"
Date: Wed, 16 Feb 2005 17:17:56 +0000 (UTC)
Paul Rubin wrote:
>Well, clearly I didn't expect it to say anything about unknown
>attacks, but when a wide-trail calculation says "6 rounds makes this
>cipher secure against differential cryptanalysis", I'm wondering if
>that means it takes more work than brute force to recover actual
>plaintext by differential cryptanalysis, or whether it can mean it
>takes more work than brute force to merely distinguish the permutation
>from a random one.
Most of the time, a 6-round differential characteristic is used to create
a distinguisher for 6 rounds of the cipher. Then, the cryptanalyst might
guess some of the bits of key in the first and/or last few rounds, to try
to get a 6+epsilon-round key-recovery attack. Of course, if you have a
key-recovery attack, that trivially can be used as a distinguishing attack.
One would have to do a detailed analysis to figure out how large epsilon
can be before the number of guessed key bits gets too large, but for
something like Rijndael, maybe if you're really lucky you get two rounds
on each end, so probably we're safe against distinguishing attacks that use
this simple paradigm (a differential characteristic covers the middle 6
rounds, and we guess some of the key bits of the first two and last two
rounds). You notice it starts getting pretty handwavy somewhere around here.
Also, keep in mind the limits of this kind of calculation. It doesn't say
anything about differentials (multiple paths); it only makes promises about
differential characteristics (one path).
Is that what you were curious about?
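The paradigm described above (a differential characteristic covering the middle rounds used as a distinguisher, then guessing key bits of the outer round to get an r+1-round key recovery) and the closing caveat (a characteristic is one path; the differential sums over all paths with the same input and output difference) are illustrated below by an added worked example that is not part of the thread. The cipher is a constructed 8-bit toy SPN: the 4-bit S-box is the published PRESENT S-box (chosen because its best non-trivial differential has probability 1/4), while the linear layer, round structure, round keys and all function names (`best_characteristic`, `count_trail`, `count_pairs`, `recover_last_key`) are assumptions made for this example. Everything is small enough to count exhaustively, so the counts are exact rather than estimated.

```python
"""Differential characteristic vs. differential, plus the "guess the outer
round key" key-recovery step, on a constructed 8-bit toy SPN.
Added example, not code from the thread; S-box is PRESENT's, the rest is constructed."""
from itertools import product

# PRESENT 4-bit S-box (published; every non-trivial differential has probability <= 1/4)
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]
SBOX_INV = [SBOX.index(y) for y in range(16)]

# Difference distribution table: DDT[din][dout] = #{x : S(x) ^ S(x ^ din) == dout}
DDT = [[0] * 16 for _ in range(16)]
for x, din in product(range(16), repeat=2):
    DDT[din][SBOX[x] ^ SBOX[x ^ din]] += 1
SUCC = [[dout for dout in range(16) if DDT[din][dout]] for din in range(16)]

def split(b):
    return b >> 4, b & 0xF

def join(hi, lo):
    return (hi << 4) | lo

def sub_layer(b, box=SBOX):
    hi, lo = split(b)
    return join(box[hi], box[lo])

def lin_layer(b):
    # constructed invertible linear layer: (hi, lo) -> (hi ^ lo, hi)
    hi, lo = split(b)
    return join(hi ^ lo, hi)

def encrypt(p, keys):
    """len(keys) - 1 rounds of key xor + S-box layer + linear layer (the last
    round omits the linear layer), then whitening with keys[-1]."""
    n = len(keys) - 1
    s = p
    for i in range(n):
        s = sub_layer(s ^ keys[i])
        if i < n - 1:
            s = lin_layer(s)
    return s ^ keys[-1]

def sbox_layer_prob(din, dout):
    # estimated probability that S-layer input difference din becomes dout
    # (product over nibbles, i.e. the usual independence assumption)
    dh, dl = split(din)
    gh, gl = split(dout)
    return DDT[dh][gh] * DDT[dl][gl] / 256

def best_characteristic(rounds):
    """Branch-and-bound search over all r-round characteristics, i.e. single
    paths [delta0, gamma0, ..., gamma_{r-1}] where gamma_i is the S-layer output
    difference of round i. Returns (estimated probability, path)."""
    best = [0.0, None]
    def extend(din, path, prob):
        if len(path) == rounds + 1:
            if prob > best[0]:
                best[0], best[1] = prob, path
            return
        dh, dl = split(din)
        for gh, gl in product(SUCC[dh], SUCC[dl]):
            dout = join(gh, gl)
            p = prob * sbox_layer_prob(din, dout)
            if p > best[0]:                 # prune: probability only shrinks
                extend(lin_layer(dout), path + [dout], p)
    for d0 in range(1, 256):
        extend(d0, [d0], 1.0)
    return best[0], best[1]

def count_pairs(keys, d_in, d_out):
    """Exact differential count: plaintexts p with E(p) ^ E(p ^ d_in) == d_out."""
    return sum(encrypt(p, keys) ^ encrypt(p ^ d_in, keys) == d_out for p in range(256))

def count_trail(keys, path):
    """Exact count of pairs that follow every intermediate difference of the
    characteristic (always a subset of the pairs counted by count_pairs)."""
    n = len(keys) - 1
    hits = 0
    for p in range(256):
        a, b = p, p ^ path[0]
        for i in range(n):
            a, b = sub_layer(a ^ keys[i]), sub_layer(b ^ keys[i])
            if a ^ b != path[i + 1]:
                break
            if i < n - 1:
                a, b = lin_layer(a), lin_layer(b)
        else:
            hits += 1
    return hits

def recover_last_key(keys, path):
    """Key-recovery step: the characteristic covers the first len(keys) - 2
    rounds; the final round is peeled by guessing the whitening key keys[-1]
    and checking for the expected difference at the input of the last S-box
    layer. Returns {guess: number of matching pairs}."""
    d_in, d_exp = path[0], lin_layer(path[-1])
    ct = [encrypt(p, keys) for p in range(256)]
    votes = {}
    for guess in range(256):
        votes[guess] = sum(
            sub_layer(ct[p] ^ guess, SBOX_INV) ^ sub_layer(ct[p ^ d_in] ^ guess, SBOX_INV) == d_exp
            for p in range(256))
    return votes

if __name__ == "__main__":
    KEYS = [0x3A, 0xC5, 0x5E, 0x91]      # constructed round keys: 3 rounds + whitening
    prob, path = best_characteristic(2)
    print("best 2-round characteristic", [hex(d) for d in path], "estimated p =", prob)
    n_trail = count_trail(KEYS[:3], path)
    n_diff = count_pairs(KEYS[:3], path[0], path[-1])
    print(f"pairs following the characteristic: {n_trail}, the differential: {n_diff} (of 256)")
    votes = recover_last_key(KEYS, path)
    ranked = sorted(votes, key=votes.get, reverse=True)
    print("true last key 0x%02x ranked #%d with %d votes" % (KEYS[3], ranked.index(KEYS[3]) + 1, votes[KEYS[3]]))
```

Two things to read off the output: the differential count is never below the characteristic count (other paths with the same endpoints contribute), which is the caveat above in numbers; and the correct last-round key guess scores exactly the differential count, while wrong guesses score whatever the peeled, wrongly-keyed S-box inverse happens to produce. With an 8-bit block and only 256 plaintexts the separation between right and wrong guesses is noisy, which is the "detailed analysis" part: as more outer-round key bits are guessed, the number of candidates grows and the signal per candidate has to stay above that noise.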