[cryptography] is there an iteration-incremental version of PBKDF2?
Jack Lloyd
lloyd at randombit.net
Fri Sep 10 14:02:43 EDT 2010
On Fri, Sep 10, 2010 at 10:29:32AM -0700, travis+ml-rbcryptography at subspacefield.org wrote:
> I wonder if there are any known identities under hash functions.
A naive hash that does not use bit padding of some kind often has easy
identities. For instance MMO mode constructs the hash using
H(m) = E_h(m) ^ m
for some fixed initial h
Choose your (single block input) m to be D_h(zeros), then the hash
becomes E_h(D_h(zeros)) ^ D_h(zeros), the encrypt and decrypt cancel
out, so you xor m against all zero and then output m as the hash.
Something like this works for most hash functions based on an
invertible permutation, unless you use bit padding. AFAIK padding à la
Merkle-Damgård prevents all attacks of this form.
-Jack
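An added worked example (not part of the original post) of the MMO fixed point Jack describes: a toy 16-byte Feistel cipher built on SHA-256 stands in for E_h/D_h (my own construction, chosen only because it is invertible and needs nothing outside the standard library), and the chaining value is used directly as the key with no key-derivation step. It shows that m = D_h(0) hashes to itself under unpadded single-block MMO, and that Merkle-Damgård length padding breaks the identity because the padded message is no longer that single block.

```python
import hashlib

BLOCK = 16   # block size in bytes; the toy cipher splits it into two 8-byte halves
ROUNDS = 8   # Feistel rounds (toy parameters, not a real cipher)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(half: bytes, key: bytes, rnd: int) -> bytes:
    # Keyed round function; it need not be invertible, the Feistel structure is.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]


def encrypt(key: bytes, block: bytes) -> bytes:
    """E_key(block): toy Feistel permutation on one 16-byte block."""
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(ROUNDS):
        l, r = r, _xor(l, _f(r, key, rnd))
    return l + r


def decrypt(key: bytes, block: bytes) -> bytes:
    """D_key(block): inverse of encrypt (rounds undone in reverse order)."""
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(ROUNDS)):
        l, r = _xor(r, _f(l, key, rnd)), l
    return l + r


def mmo_hash(h0: bytes, msg: bytes) -> bytes:
    """Unpadded MMO: h_i = E_{h_{i-1}}(m_i) ^ m_i over 16-byte blocks, h_0 fixed."""
    assert len(msg) % BLOCK == 0, "unpadded MMO needs whole blocks"
    h = h0
    for i in range(0, len(msg), BLOCK):
        m = msg[i:i + BLOCK]
        h = _xor(encrypt(h, m), m)
    return h


def md_pad(msg: bytes) -> bytes:
    """Merkle-Damgård style padding: 0x80, zeros, then 8-byte big-endian bit length."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((-len(padded) - 8) % BLOCK)
    return padded + (len(msg) * 8).to_bytes(8, "big")


def fixed_point(h0: bytes) -> bytes:
    """m = D_h0(0): E_h0(m) = 0, so mmo_hash(h0, m) == 0 ^ m == m."""
    return decrypt(h0, bytes(BLOCK))
```

With padding, the attacker-chosen block is followed by a padding block whose compression output is effectively random, so the chosen fixed point no longer survives to the final hash.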