Re: Re-rolled Salsa20 function
From: David Wagner (daw_at_taverner.cs.berkeley.edu)
Date: 09/27/05
- Next message: D. J. Bernstein: "Re: Re-rolled Salsa20 function"
- Previous message: WifiFan: "Re: Google Secure Access"
- In reply to: xmath: "Re: Re-rolled Salsa20 function"
- Next in thread: D. J. Bernstein: "Re: Re-rolled Salsa20 function"
- Reply: D. J. Bernstein: "Re: Re-rolled Salsa20 function"
- Reply: xmath: "Re: Re-rolled Salsa20 function"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 26 Sep 2005 22:14:07 +0000 (UTC)
D. J. Bernstein wrote:
> For example, it seems difficult to find collisions in the 64-byte string
> Salsa20(m0,c) ^ Salsa20(m1,c^1), where m0, m1 are 48-byte message blocks
> and c is a 16-byte constant. [....]
> The final
> 64-byte output can be fed through Salsa20 again and truncated to 32
> bytes, producing a 256-bit hash with one Salsa20 invocation for each 32
> message bytes.
I'll note one can find collisions in this hash function in approximately
2^87 time and space by using the generalized birthday attack [1]. In such
an attack, one searches for values m0,m1,m0',m1' such that
Salsa20(m0,c) ^ Salsa20(m1,c^1) ^ Salsa20(m0',c) ^ Salsa20(m1',c^1) = 0.
which can be done in something like 2^{256/3} operations.
Such an attack is clearly impractical today, but one might hope for better
security when using a 256-bit hash.
[1] David Wagner, "A Generalized Birthday Problem", CRYPTO 2002.
http://www.cs.berkeley.edu/~daw/papers/genbday.html
- Next message: D. J. Bernstein: "Re: Re-rolled Salsa20 function"
- Previous message: WifiFan: "Re: Google Secure Access"
- In reply to: xmath: "Re: Re-rolled Salsa20 function"
- Next in thread: D. J. Bernstein: "Re: Re-rolled Salsa20 function"
- Reply: D. J. Bernstein: "Re: Re-rolled Salsa20 function"
- Reply: xmath: "Re: Re-rolled Salsa20 function"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
