Re: Re-rolled Salsa20 function
From: D. J. Bernstein (djb_at_cr.yp.to)
Date: 09/27/05
- Next message: Max Power: "Making a weak Hash stronger until a fix comes along -- concatenation of hash functions... .2: Concatenation"
- Previous message: tomstdenis_at_gmail.com: "Re: How To Abandon Microsoft"
- In reply to: David Wagner: "Re: Re-rolled Salsa20 function"
- Next in thread: xmath: "Re: Re-rolled Salsa20 function"
Date: Mon, 26 Sep 2005 23:00:46 +0000 (UTC)
David Wagner wrote:
> The above is a slide property on the Salsa20 hash function.
Are we next going to hear about ``slide properties'' of your computer's
instruction set? Taking your computer's state at time 0, and starting
another computer in the same state at time 1, produces an amazing match
of the second computer's state at time 1000001 with the first computer's
state at time 1000000! Wow!
Question: Why don't these trivial ``slide properties'' lead to an actual
attack? Answer: The attacker doesn't control most of the inputs. Talking
about a slide attack is nonsense if you haven't specified an attacker.
In particular, the Salsa20 hash function---like the computer's
instruction set---is a lower-level primitive not exposed directly to an
attacker. The Salsa20 encryption function doesn't allow the attacker to
control most of the hash-function input. That's why trivial ``slide
properties'' of the hash function aren't attacks.
---D. J. Bernstein, Professor, Mathematics, Statistics,
and Computer Science, University of Illinois at Chicago
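
Added illustration, not part of the message above or of the Salsa20 reference code: a Python sketch of the raw Salsa20 hash function and of the 16-word input block that the encryption function builds for a 256-bit key, showing which input words an attacker can influence. The function names are made up for this example, and the attacker is assumed to choose both nonce and block counter; the all-zero fixed point stands in for any property that needs control of the whole input and is not the slide property discussed in the thread.

```python
import struct

MASK = 0xFFFFFFFF
SIGMA = struct.unpack("<4I", b"expand 32-byte k")  # fixed constants, 256-bit keys
# Quarter-round index patterns: four columns, then four rows.
COLS = [(0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11)]
ROWS = [(0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)]

def rotl(v, n):
    return ((v << n) & MASK) | (v >> (32 - n))

def quarterround(x, a, b, c, d):
    x[b] ^= rotl((x[a] + x[d]) & MASK, 7)
    x[c] ^= rotl((x[b] + x[a]) & MASK, 9)
    x[d] ^= rotl((x[c] + x[b]) & MASK, 13)
    x[a] ^= rotl((x[d] + x[c]) & MASK, 18)

def salsa20_hash(words):
    """Raw Salsa20 hash function: 16 words in, 16 words out (20 rounds)."""
    x = list(words)
    for _ in range(10):  # 10 double rounds: column round, then row round
        for idx in COLS + ROWS:
            quarterround(x, *idx)
    return [(a + b) & MASK for a, b in zip(x, words)]  # feedforward

def encryption_input(key, nonce, counter):
    """The 16-word block the Salsa20 encryption function feeds to the hash."""
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    c = struct.unpack("<2I", struct.pack("<Q", counter))
    return [SIGMA[0], *k[:4], SIGMA[1], *n, *c, SIGMA[2], *k[4:], SIGMA[3]]

def attacker_visible_positions(key, nonce_a, nonce_b, ctr_a, ctr_b):
    """Word positions that differ when only nonce and counter change."""
    a = encryption_input(key, nonce_a, ctr_a)
    b = encryption_input(key, nonce_b, ctr_b)
    return [i for i in range(16) if a[i] != b[i]]

if __name__ == "__main__":
    key = bytes(range(32))  # constructed sample key
    # Property of the raw function: the all-zero input maps to all zero.
    print(salsa20_hash([0] * 16) == [0] * 16)
    # Through the encryption function, only these 4 of 16 words can vary.
    print(attacker_visible_positions(key, b"\x00" * 8, b"\xff" * 8, 0, 2**64 - 1))
```

The all-zero block can never reach the hash function through encryption_input, because the four diagonal words are always the nonzero constants and eight more words are the secret key.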