Re: Hashing of short fixed length messages

Paul Rubin <> wrote:
I don't understand Francois Grieu's random oracle proof well enough to
say I'm convinced by it. That doesn't mean I think it's wrong, but I
have reservations about it. I don't see how any results about random
oracles applies when the key is known. It's not an oracle at all, since
the cipher's complete internal state is available through every step of
the algorithm.

The same holds for hash functions as well, so this is not an objection
against random oracle arguments.

The idea is that the adversary doesn't really care about the internals
of the function, and the function should be a typical example of a
"random function" (or "random permutation").

Once you believe that about aes(k,.), the argument should be plausible.

Kristian Gjøsteen