[tahoe-dev] AES in hashing modes (was: Running Tahoe on ARM plugs)
David-Sarah Hopwood
david-sarah at jacaranda.org
Sun Feb 20 08:08:25 PST 2011
On 2011-02-20 12:44, Greg Troxel wrote:
>
> > but unfortunately it
> > appears like the crypto processor is only accessible from kernel mode
> ...
> > so the distro, or the user, would
> > have to patch them in - and the number of people who are going to roll
> > their own custom patched kernel is pretty small compared to the number
> > of people who might theoretically want to run Tahoe on a plug).
>
> Well, if people aren't willing and able to do that, then they could
> run Davies-Meyer-AES-128 in software. I wonder how efficient that
> would be.
Don't use Davies-Meyer with AES. Davies-Meyer depends on the cipher being
secure against related-key attacks, which AES isn't (sufficiently).
For once, Wikipedia is right about a cryptographic subject:
<http://en.wikipedia.org/wiki/Cryptographic_hash_function#Hash_functions_based_on_block_ciphers>
# There are several methods to use a block cipher to build a cryptographic
# hash function, specifically a one-way compression function.
#
# The methods resemble the block cipher modes of operation usually used for
# encryption. All well-known hash functions, including MD4, MD5, SHA-1 and
# SHA-2 are built from block-cipher-like components designed for the purpose,
# with feedback to ensure that the resulting function is not bijective.
# SHA-3 finalists include functions with block-cipher-like components (e.g.,
# Skein, BLAKE) and functions based on other designs (e.g., JH, Keccak).
#
# A standard block cipher such as AES can be used in place of these custom
# block ciphers; that might be useful when an embedded system needs to
# implement both encryption and hashing with minimal code size or hardware
# area. However, that approach can have costs in efficiency and security.
# The ciphers in hash functions are built for hashing: they use large keys
# and blocks, can efficiently change keys every block, and have been
# designed and vetted for resistance to related-key attacks. General-
# purpose ciphers tend to have different design goals. In particular, AES
# has key and block sizes that make it nontrivial to use to generate long
# hash values; AES encryption becomes less efficient when the key changes
# each block; and related-key attacks make it potentially less secure for
# use in a hash function than for encryption.
--
David-Sarah Hopwood ⚥ http://davidsarah.livejournal.com