Re: Re-rolled Salsa20 function
From: D. J. Bernstein (djb_at_cr.yp.to)
Date: 09/27/05
- Next message: David Wagner: "Re: Making a weak Hash stronger until a fix comes along -- concatenation of hash functions... .2: Concatenation"
- Previous message: Max Power: "Making a weak Hash stronger until a fix comes along -- concatenation of hash functions... .2: Concatenation"
- In reply to: David Wagner: "Re: Re-rolled Salsa20 function"
- Next in thread: David Wagner: "Re: Re-rolled Salsa20 function"
- Reply: David Wagner: "Re: Re-rolled Salsa20 function"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 26 Sep 2005 23:12:48 +0000 (UTC)
David Wagner wrote:
> I'll note one can find collisions in this hash function in approximately
> 2^87 time and space by using the generalized birthday attack [1].
Incorrect. The intermediate results are 512 bits, not 256 bits, so all
of your exponents need to be doubled.
Perhaps you missed the final Salsa20 invocation before the truncation to
256 bits: ``The final 64-byte output can be fed through Salsa20 again
and truncated to 32 bytes.''
---D. J. Bernstein, Professor, Mathematics, Statistics,
and Computer Science, University of Illinois at Chicago
- Next message: David Wagner: "Re: Making a weak Hash stronger until a fix comes along -- concatenation of hash functions... .2: Concatenation"
- Previous message: Max Power: "Making a weak Hash stronger until a fix comes along -- concatenation of hash functions... .2: Concatenation"
- In reply to: David Wagner: "Re: Re-rolled Salsa20 function"
- Next in thread: David Wagner: "Re: Re-rolled Salsa20 function"
- Reply: David Wagner: "Re: Re-rolled Salsa20 function"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
