2006/467 Chang Yung: silly?



One can build a cryptographic hash function by starting from a ``good''
block cipher with the same output size and running it in one of the 12
Preneel-Govaerts-Vandewalle modes. The conventional wisdom is that this
is a robust design procedure: ``good'' is stronger than the conventional
indistinguishability notion for block ciphers, but it nevertheless seems
to be achieved by the standard cipher-design techniques.

In http://eprint.iacr.org/2006/467, Chang and Yung assert that this
procedure isn't robust and needs to be revised. At first glance, their
argument seems to boil down to the following:

(1) Differential and linear cryptanalysis don't depend on the choice
of AES constants, or on the mixing in the final AES round.

(2) Standard block-cipher cryptanalysis doesn't depend on the choice
of AES constants, or on the final mixing. (Proof: See #1.)

(3) Let's replace the AES constants by 0, and add a final mixing.
Standard block-cipher design could have produced this variant.
(Proof: See #2.)

(4) The resulting hash function allows collisions in time 2^49. Thus
standard block-cipher design can lead to a bad hash.

I find this argument completely unconvincing. Anyone who knows about
slide attacks will see #2 as a wild exaggeration of #1. I haven't
checked whether the Chang-Yung cipher is breakable by a slide attack,
but I have checked that the original Rijndael documentation already
documented the ``usage of round constants'' in Rijndael ``to eliminate
symmetries,'' so the Chang-Yung cipher was specifically barred by the
Rijndael design principles. Obviously #3 is wrong.

Am I missing something here? Do Chang and Yung actually have a serious
argument?

---D. J. Bernstein, Professor, Mathematics, Statistics,
and Computer Science, University of Illinois at Chicago
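An added illustration of the post's point about Rijndael using round constants "to eliminate symmetries", not code from the post or from the Chang-Yung paper: the AES-128 key schedule with a switch that zeroes the round constants, as the post says the variant does, plus a count of how many expanded words keep a simple symmetry. The symmetry class tracked (a word made of four identical bytes), the sample key and the helper names are assumptions made for this demo.

```python
# Added illustration, not code from the original post or from Chang-Yung:
# AES-128 key expansion (FIPS 197) with a switch that zeroes the round
# constants. Symmetry tracked (an assumption for the demo): words whose
# four bytes are equal; with Rcon = 0 that class is closed under expansion.

def _xtime(a):  # multiply by x in GF(2^8) mod x^8+x^4+x^3+x+1
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def _gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _build_sbox():  # inverse in GF(2^8), then the affine map (FIPS 197 5.1.1)
    sbox = [0] * 256
    for x in range(256):
        inv = next((y for y in range(256) if _gf_mul(x, y) == 1), 0)
        s, t = inv, inv
        for _ in range(4):
            t = ((t << 1) | (t >> 7)) & 0xFF
            s ^= t
        sbox[x] = s ^ 0x63
    return sbox

SBOX = _build_sbox()

def expand_key(key, use_rcon=True):  # 44 round-key words, FIPS 197 sec. 5.2
    assert len(key) == 16
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 0x01
    for i in range(4, 44):
        temp = w[i - 1][:]
        if i % 4 == 0:
            temp = temp[1:] + temp[:1]         # RotWord
            temp = [SBOX[b] for b in temp]     # SubWord
            if use_rcon:
                temp[0] ^= rcon                # the constant the variant sets to 0
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], temp)])
    return w

def uniform_words(words):  # how many words consist of four identical bytes
    return sum(1 for wd in words if len(set(wd)) == 1)

def symmetry_demo(key=bytes([0x11] * 16)):  # constructed sample key
    # uniform-word count among the 40 derived words, with and without Rcon
    return {rc: uniform_words(expand_key(key, rc)[4:]) for rc in (True, False)}
```

With the constants zeroed, a key of sixteen equal bytes expands to forty words that are each four equal bytes; with the real constants, the first round key already has none.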