Re: Hashing of short fixed length messages



On Jun 15, 2:54 am, Francois Grieu <fgr...@xxxxxxxxx> wrote:
Turns out #7 from Table 3..
actually sorry #9 is closest (multitasking fail) where H_{i-1}
can't be zero (but can be anything else).

I disagree on "can't be zero". The above article considers a long
message, while the thread is about "short fixed length messages", of
size no more than the key or block size of the block cipher.

I think the presumption is that H_{-1} is not zero, so in #9 you can't
have an unmodified key.

In the random oracle model,
   H =       AES(x              , x)            and
   H = x XOR AES(x XOR 0xEA71EAF, x)
have equivalent security: the left "x XOR" applies a key-dependent
reversible mapping to the ciphertext, and the right "XOR 0xEA71EAF"
applies a reversible mapping on the key; such changes turn a perfect
random oracle into another equally perfect random oracle.

I'd think for a single block it's probably ok, the point I was making
is that #9 doesn't have a non-zero key modifier.

Tom