Re: 2006/467 Chang Yung: silly?
 From: "Valery Pryamikov" <valery@xxxxxxxxx>
 Date: 15 Dec 2006 11:27:17 0800
D. J. Bernstein skrev:
One can build a cryptographic hash function by starting from a ``good''
block cipher with the same output size and running it in one of the 12
PreneelGovaertsVandewalle modes. The conventional wisdom is that this
is a robust design procedure: ``good'' is stronger than the conventional
indistinguishability notion for block ciphers, but it nevertheless seems
to be achieved by the standard cipherdesign techniques.
In http://eprint.iacr.org/2006/467, Chang and Yung assert that this
procedure isn't robust and needs to be revised. At first glance, their
argument seems to boil down to the following:
(1) Differential and linear cryptanalysis don't depend on the choice
of AES constants, or on the mixing in the final AES round.
(2) Standard blockcipher cryptanalysis doesn't depend on the choice
of AES constants, or on the final mixing. (Proof: See #1.)
(3) Let's replace the AES constants by 0, and add a final mixing.
Standard blockcipher design could have produced this variant.
(Proof: See #2.)
(4) The resulting hash function allows collisions in time 2^49. Thus
standard blockcipher design can lead to a bad hash.
I find this argument completely unconvincing. Anyone who knows about
slide attacks will see #2 as a wild exaggeration of #1. I haven't
checked whether the ChangYung cipher is breakable by a slide attack,
but I have checked that the original Rijndael documentation already
documented the ``usage of round constants'' in Rijndael ``to eliminate
symmetries,'' so the ChangYung cipher was specifically barred by the
Rijndael design principles. Obviously #3 is wrong.
Am I missing something here? Do Chang and Yung actually have a serious
argument?
D. J. Bernstein, Professor, Mathematics, Statistics,
and Computer Science, University of Illinois at Chicago
Eliminating round keys from AES indeed produces a different cipher than
AES. Round constants are important part of design for protecting
against rounds symmetry. It looks that Chang and Yung exploited round
symmetry that they introduced by removing round constants to reduce
work factor from 2^64 to 2^49. I think that the point they are making
is valid, however they should have made a stronger distinction of
analyzed cipher from the AES.
Valery.
http://www.harper.no/valery
.
 References:
 2006/467 Chang Yung: silly?
 From: D. J. Bernstein
 2006/467 Chang Yung: silly?
 Prev by Date: Re: Elliptic curve factoring with points *NOT* on the curve
 Next by Date: Re: So, what is it about OpenSSL and sci.crypt?
 Previous by thread: 2006/467 Chang Yung: silly?
 Next by thread: crypto challenge
 Index(es):
Relevant Pages
