Re: Re-rolled Salsa20 function
From: David Wagner (daw_at_taverner.cs.berkeley.edu)
Date: 09/27/05
- Next message: David Wagner: "Re: Attacks on multiple cryptanalytic targets."
- Previous message: David Wagner: "Re: Making a weak Hash stronger until a fix comes along -- concatenation of hash functions... .2: Concatenation"
- In reply to: D. J. Bernstein: "Re: Re-rolled Salsa20 function"
- Next in thread: xmath: "Re: Re-rolled Salsa20 function"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 26 Sep 2005 23:43:28 +0000 (UTC)
D. J. Bernstein wrote:
>David Wagner wrote:
>> I'll note one can find collisions in this hash function in approximately
>> 2^87 time and space by using the generalized birthday attack [1].
>
>Incorrect. The intermediate results are 512 bits, not 256 bits, so all
>of your exponents need to be doubled.
>
>Perhaps you missed the final Salsa20 invocation before the truncation to
>256 bits: ``The final 64-byte output can be fed through Salsa20 again
>and truncated to 32 bytes.''
Oops! You're absolutely right. Sorry. I did indeed miss that.
My apologies; everything I said was erroneous. Thanks for correcting
my mistake.