Re: Salsa20 hashing
- From: "xmath" <xmath.news@xxxxxxxxx>
- Date: 26 Sep 2006 17:24:17 -0700
D. J. Bernstein wrote:
> Yes. The diagonal constants in Salsa20 are important. There are many
> other sensible choices of constants, but the constants should never be
> replaced by attacker-controlled variables.
I know about the diagonal rotate issue, but I don't see how it can help
the attacker. If she rotates a message block m_i, then Salsa20(m_i)
rotates along, but for this to propagate in a useful way to h_i, she
also needs h_{i-1} to be rotated in the same way, which not only
requires m_{i-1} to be rotated as well, but also h_{i-2} etc. until she
hits h_0 (the IV), which quite stubbornly refuses to rotate :-)
Also, even if the attacker could do this successfully, while it would
be an ugly property I don't see it violating collision-resistance.
Or can more evil be done if the diagonal is attacker-controlled?
- xmath