The AES will hopefully give us a very secure symmetric algorithm.
Yarrow is claimed by Bruce Schneier to be a good PRNG.
But what about the other key ingredient to an encryption system -
the hashing algorithm?
SHA-1 is considered to be pretty good, although very sneakily allows
information to be leaked (I recall this mentioned in Applied Crypt.)
It also "only" generates a 160-bit hash, whereas AES may demand up
to 256-bits for a key.
I'm basically asking if there's a new hash algorithm on the horizon
that together with AES, Yarrow, etc could form the basis of the next
generation of PGP (or whatever).
Any thoughts?
David.
--
+---------------------------------------------------------------------+
| David Crick dac...@mcmail.com http://members.tripod.com/~vidcad/ |
| Damon Hill WC '96 Tribute: http://www.geocities.com/MotorCity/4236/ |
| Brundle Quotes Page: http://members.tripod.com/~vidcad/martin_b.htm |
| PGP Public Key: (RSA) 0x22D5C7A9 00252D3E4FDECAB3 F9842264F64303EC |
+---------------------------------------------------------------------+
David Crick <dac...@mcmail.com> wrote in article
<3649DF3F...@mcmail.com>...
>The AES will hopefully give us a very secure symmetric algorithm.
>
>Yarrow is claimed by Bruce Schneier to be a good PRNG.
>
>But what about the other key ingredient to an encryption system -
>the hashing algorithm?
>
>SHA-1 is considered to be pretty good, although very sneakily allows
>information to be leaked (I recall this mentioned in Applied Crypt.)
>It also "only" generates a 160-bit hash, whereas AES may demand up
>to 256-bits for a key.
>
>I'm basically asking if there's a new hash algorithm on the horizon
>that together with AES, Yarrow, etc could form the basis of the next
>generation of PGP (or whatever).
There is only one 256-bit hash function published, Tiger, but I don't
know of any analysis. You can chain SHA to get more bits:
x = SHA(stuff)
y = SHA(x, some more stuff)
People are going to analyze using the AES submissions themselves as
hash functions.
Bruce
**********************************************************************
Bruce Schneier, President, Counterpane Systems Phone: 612-823-1098
101 E Minnehaha Parkway, Minneapolis, MN 55419 Fax: 612-823-1590
Free crypto newsletter. See: http://www.counterpane.com
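The chaining Bruce sketches above, written out as an added example (this is not code from the thread; the sample inputs are constructed, and the choice to take the first 32 bytes of x || y as an AES-256 key is an assumption made to match David's question). The comments carry the caveat a practitioner needs: a wider output does not buy a wider security margin, because any collision in x forces the same collision in y, so x || y collides whenever SHA-1 itself does (SHA-1 collisions have since been demonstrated in practice).

```go
package main

import (
	"crypto/sha1"
	"fmt"
)

// ChainedSHA1 widens SHA-1 exactly as the post sketches:
//
//	x = SHA1(stuff)
//	y = SHA1(x || moreStuff)
//
// and returns both halves; x || y is a 320-bit string.
//
// Caveat: if SHA1(stuff) == SHA1(stuff') then y is identical as well,
// so x || y collides whenever SHA-1 does. Collision resistance stays at
// SHA-1's generic 2^80 bound rather than the 2^160 a genuine 320-bit
// hash would offer.
func ChainedSHA1(stuff, moreStuff []byte) (x, y [sha1.Size]byte) {
	x = sha1.Sum(stuff)
	h := sha1.New()
	h.Write(x[:])      // the first digest is fed forward ...
	h.Write(moreStuff) // ... together with the extra input
	copy(y[:], h.Sum(nil))
	return x, y
}

// Key256 takes the first 32 bytes of x || y as a 256-bit AES key, the
// use case David's question raises (an assumption for this example).
// The first 20 bytes of the key are simply SHA1(stuff).
func Key256(stuff, moreStuff []byte) []byte {
	x, y := ChainedSHA1(stuff, moreStuff)
	key := make([]byte, 0, 2*sha1.Size)
	key = append(key, x[:]...)
	key = append(key, y[:]...)
	return key[:32]
}

func main() {
	// Constructed sample input, not taken from the thread.
	stuff := []byte("the message to be hashed")
	more := []byte("some more stuff")
	x, y := ChainedSHA1(stuff, more)
	fmt.Printf("x = %x\ny = %x\n", x, y)
	fmt.Printf("AES-256 key = %x\n", Key256(stuff, more))
}
```

Run it with `go run` on the file; the second printed line changes if either input changes, but the first line depends on `stuff` alone, which is the weakness the caveat describes.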
> There is only one 256-bit hash function published, Tiger, but I don't
> know of any analysis. You can chain SHA to get more bits:
>
> x = SHA(stuff)
> y = SHA(x,some more stuff)
>
> People are going to analyze using the AES submissions themselves as
> hash functions.
>
> Bruce
> ...
Tiger produces 'only' 192 bits, as far as I know. But what about HAVAL?
Are hashes like 'Tandem-Twofish' as fast as HAVAL or Tiger?
In this case I'd prefer to use the AES candidate so we wouldn't need
additional programs.
Andreas Enterrottacher
enterro...@lrz.tu-muenchen.de
enterro...@t-online.de
> There is only one 256-bit hash function published, Tiger, but I don't
> know of any analysis.
Doesn't the Russian GOST hash function produce a 256-bit hash? I could be
wrong but I thought Tiger only produced a hash up to 192 bits in length.
Kent
You're right about Tiger; I misremembered.
GOST has a 256-bit key, but its key schedule is so weak that I would
not use it as a hash function under any circumstances.
> Bruce Schneier wrote:
>
> > There is only one 256-bit hash function published, Tiger, but I don't
> > know of any analysis.
>
> Doesn't the Russian GOST hash function produce a 256-bit hash? ...
It does, but it needs four GOST encryptions for only one block of data.
This way it is slower than MD2 and not likely to become a new standard.
Andreas Enterrottacher
enterro...@t-online.de
enterro...@lrz.tu-muenchen.de
IIRC there is a GOST hash function with 256-bit output, which is quite
different from the GOST block cipher with the weak key schedule. The
hash function is intended for use with the GOST digital signature
algorithm which is similar to DSA but with a 256-bit submodulus.
You're right. I just read up on that hash function in Applied
Cryptography (which you would think I would remember better). Again,
I don't know of any serious cryptanalysis of this hash function, and
would hesitate to use it.
> You're right. I just read up on that hash function in Applied
> Cryptography (which you would think I would remember better). Again,
> I don't know of any serious cryptanalysis of this hash function, and
> would hesitate to use it.
I think a patent-free, variable-size hashing function (up to 256 bits)
would be an excellent project for the Counterpane team, hint, hint. ;-)
Kent
Agreed. But unless someone funds the work, we'll do it in our spare
time, hint, hint. :-)