Re: Hashing of short fixed length messages
- From: Tom St Denis <tom@xxxxxxx>
- Date: Tue, 15 Jun 2010 03:54:29 -0700 (PDT)
On Jun 15, 2:54 am, Francois Grieu <fgr...@xxxxxxxxx> wrote:
>> Turns out #7 from Table 3..
>> actually sorry #9 is closest (multitasking fail) where H_{i-1}
>> can't be zero (but can be anything else).
>
> I disagree on "can't be zero". The above article considers a long
> message, while the thread is about "short fixed length messages", of
> size no more than the key or block size of the block cipher.

I think the presumption is that H_{-1} is not zero, so in #9 you can't
have an unmodified key.

> In the random oracle model,
> H = AES(x , x) and
> H = x XOR AES(x XOR 0xEA71EAF, x)
> have equivalent security: the left "x XOR" applies a key-dependent
> reversible mapping to the ciphertext, and the right "XOR 0xEA71EAF"
> applies a reversible mapping on the key; such changes turn a perfect
> random oracle into another equally perfect random oracle.

I'd think for a single block it's probably ok, the point I was making
is that #9 doesn't have a non-zero key modifier.
Tom
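
The equivalence argument quoted above can be checked exhaustively on a small scale; the following is an added example, not part of the original post or thread. It assumes a toy 8-bit cipher (one random permutation per key) standing in for AES, a constructed 8-bit constant C in place of 0xEA71EAF, and hypothetical helper names throughout.

```python
import random

BITS = 8                      # toy block and key size (assumption; AES uses 128)
SIZE = 1 << BITS
C = 0xAF                      # constructed 8-bit stand-in for the post's 0xEA71EAF


def make_ideal_cipher(seed):
    """Return E as a table: E[k] is an independent random permutation per key."""
    rng = random.Random(seed)
    table = []
    for _ in range(SIZE):
        perm = list(range(SIZE))
        rng.shuffle(perm)
        table.append(perm)
    return table


def derive_cipher(E):
    """E2[k][m] = k XOR E[k XOR C][m]: the two reversible mappings from the post."""
    return [[k ^ E[k ^ C][m] for m in range(SIZE)] for k in range(SIZE)]


def is_cipher(E):
    """True if every key selects a permutation of the block space."""
    return all(sorted(row) == list(range(SIZE)) for row in E)


def h1(E, x):
    return E[x][x]            # H = E(x, x), key as first argument as in the post


def h2(E, x):
    return x ^ E[x ^ C][x]    # H = x XOR E(x XOR C, x)


def check(seed=2010):
    E = make_ideal_cipher(seed)
    E2 = derive_cipher(E)
    # The second construction over E is the first construction over E2.
    same = all(h2(E, x) == h1(E2, x) for x in range(SIZE))
    # k -> k XOR C is a bijection, so E2 uses each permutation of E exactly once.
    keys_bijective = sorted(k ^ C for k in range(SIZE)) == list(range(SIZE))
    return is_cipher(E), is_cipher(E2), same, keys_bijective


if __name__ == "__main__":
    print(check())
```

Because E2 is itself a family of permutations indexed bijectively by key, a uniformly random E yields a uniformly random E2, which is the sense in which the two constructions are interchangeable for a single block.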