Talk:One-way compression function: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Add topic

Revision as of 12:38, 19 February 2009 edit Atwater (talk \| contribs) 26 edits →Attack on Davies-Meyer: Clarified that the Kelsey, Schneier attack applies to every Merkle-Damgård construction. ← Previous edit		Latest revision as of 05:47, 4 February 2024 edit undo Qwerfjkl (bot) (talk \| contribs) Bots, Mass message senders 4,080,787 edits Implementing WP:PIQA (Task 26) Tag: Talk banner shell conversion
(6 intermediate revisions by 6 users not shown)
Line 1: {{WikiProject banner shell\|class=C\| ~~{{CryptographyProject}}~~ {{WikiProject Cryptography \|importance=Top \|computer-science-importance=high}} }} == Attack on Davies-Meyer == Line 6 ⟶ 8: ::''According to Bruce Schneier this "is not really worth worrying about"[4]'' He probably meant '''in practice''', this is not worth worrying about. In the Eurocrypt 2005 paper with Kelsey, Schneier DOES use the fixpoint attack to show that the MD construction is far from being a random oracle, and so in a sense more brittle than one would wish it to be. However their attack is completely impractical because to be effective, it requires gigantic messages. [[User:71.142.222.181\|71.142.222.181]] 19:04, 9 March 2007 (UTC) My earlier statement (which I now have removed from this discussion) that the finding of a fixed point requires “exponential time” iswas not correct: itfixed point can be easily found for a ~~block~~Davies-Meyer ~~cipher~~construction. The correct way is to say that fixed points do not enable the attacker to go below the birthday paradox bound (2<sup>n/2</sup> time) when Merkle-Damgård (MD) strengthening (bitlength of the message is appended at its end) is used. ~~- however~~However the fixed points enable a slightly more efficient second preimage attack than a Merkle-Damgård construction whose f-function does not provide easy calculation of fixed points. The Kelsey and Schneier attack applies to every Merkle-Damgård construction, not just the Davies-Meyer. For Davies-Meyer (using fixed points) to attack a 2<sup>k</sup>-message-block message the attack requires 3 x 2<sup>n/2+1</sup>+2<sup>n-k+1</sup> time which does not go below the ~~more~~ ~~beautiful~~birthday paradox (2<sup>n/2</sup>) limit. asIf ~~described~~fixed inpoints are not used i.e. the construction is other than Davies-Meyer (e.g Matyas-Meyer-Oseas, Miyaguchi-Preneel) then this attack can be done in k x 2<sup>n/2+1</sup>+2<sup>n-k+1</sup> time. Note that when messages get shorter the complexity of ~~Kelsey~~the ~~and~~attack ~~Schneier~~approaches 2<sup>n</sup>.[[User:Atwater\|Atwater]] ([[User talk:Atwater\|talk]]) 1016:3924, 19 February 2009 (UTC) One should also note that the Kelsey and Schneier attack applies to every Merkle-Damgård construction, not just the Davies-Meyer. For Davies-Meyer (using fixed points) to attack a 2<sup>k</sup>-message-block message the attack requires 3 x 2<sup>n/2+1</sup>+2<sup>n-k+1</sup> time which does not go below the birthday paradox (2<sup>n/2</sup>) limit but goes below the more beautiful 2<sup>n</sup> limit. If fixed points are not used i.e. the construction is other than Davies-Meyer (e.g Matyas-Meyer-Oseas, Miyaguchi-Preneel) then this attack can be done in k x 2<sup>n/2+1</sup>+2<sup>n-k+1</sup> time. Note that when messages get shorter the complexity of the attack approaches 2<sup>n</sup>.[[User:Atwater\|Atwater]] ([[User talk:Atwater\|talk]]) 12:38, 19 February 2009 (UTC) == Comparisons? == Line 59: : I've made some small changes. Not sure if the black box model and the ideal cipher model are exactly the same. Similar to the random oracle model there exist some (contrieved?) constructions that are secure in the ideal cipher model, but not secure with any instantiation of a block cipher, hence showing that the "ideal cipher world = real world" assumption cannot be made in general. [[Special:Contributions/85.2.78.238\|85.2.78.238]] ([[User talk:85.2.78.238\|talk]]) 08:10, 19 November 2007 (UTC) : I'm not yet satisfied with my changes, but are looking for some specific references. In particular, in order to get a secure hash function the block cipher needs some properties that would not be necessary to just make encryption secure. [[Special:Contributions/85.2.78.238\|85.2.78.238]] ([[User talk:85.2.78.238\|talk]]) 08:46, 19 November 2007 (UTC) == Ciphers with Expensive Key Setup == Might be useful to note that block ciphers with expensive key setup (e.g. [[Twofish]]) do not interact well with any of these constructions because the key setup must be done once for every message block. [[User:Aragorn2\|Aragorn2]] ([[User talk:Aragorn2\|talk]]) 11:31, 12 June 2019 (UTC)