2010 Reports :  Cryptology ePrint Archive Forum
Discussion forum for Cryptology ePrint Archive reports posted in 2010. Please put the report number in the subject.  
Goto Thread: PreviousNext
Goto: Forum ListMessage ListNew TopicSearchLog In
Some views on 2010/652
Posted by: wai2ha (IP Logged)
Date: 26 July 2011 09:13

This paper tried to give a new mode to improve a codomain reducing problem for narrow-pipe hash functions.The paper is very badly written and full of typos.But I don't think those views on the mode are right:
1.It fails to be secure against multicollision attacks.
To see this, group calls to F by pairs calling the result G and consider messages of the restricted form (M_1, -M_1, M_2, -M_2, M_3, -M_3, ...)
Then, all calls to G are of the form G(CV_i,0,M_i)=F(F(CV_{i-1},0,M_i),M_i,-M_i). As a consequence, G only receives 2 arguments as in a classical Merkle-Damgard and multicollision attacks do apply.

My reason is:
a. sum M_{i}=CV_{i-1}+sum M_{i-1}+M_{i},one can't simultaneously select a message and control an exact value of CV_{i-1} to make the block sum M_{i-1}=0

b. Even the case of sum M_{i-1}=0,it doesn't mean the mode is in a classical Merkle-Damgard.the sum M_{i-1}=0 is one of the 2^{m}(where,m=1024) results,any a result is additional addend for the normal step functions of compression function.

c. We can improve the step functions as(e.g.):for the steps of first round,the additional addend is m_{i,j} (where j=0,1,...,15),for steps of second round,the additional addend is cv_{i,j},in this way,no matter sum M_{i-1} is 0 or not, at least there will be effective additional addend for one round.
So,multicollision attacks don't apply.

2. However, using this method, the hash function is no longer narrow-piped. Therefore the result is not surprised. In general, the method is straightforward.

My reason is:
The mode is not a wide-pipe hash,in reality,it has the attribute of narrow-pipe hash.A normal wide-pipe hash must make CV of 2 size big.e.g,if we make SHA512 tobe a wide-pipe hash,there must be 32 variables in stead of 16 variables,the added 16 variables must be uniformity and indistinguishability as the normal 16 variables strictly.So,it'a hard work.But in the new mode,it produce 16 variables just as a normal SHA512,it needn't the hard work of expanding 16 variables to 32 variables which of uniformity and indistinguishability,it only offers additional addend for the normal 16 step functions in each a round.
The mode is straightforward,this is not the mistake of itself.



Edited 4 time(s). Last edit at 21-Oct-2011 07:52 by wai2ha.

Re: Some views on 2010/652
Posted by: wai2ha (IP Logged)
Date: 27 July 2011 03:16

The mode is not a wide-pipe hash,it doesn't really
produce CV of 2 size big,besides this,for a wide-pipe hash,it must transform the CV of 2 size big back into one size big in the end.



Please log in for posting a message. Only registered users may post in this forum.