David Wagner wrote:
> David Honig wrote:
> > Is there a reason not to use AES block cipher
> > in a hashing mode if you need a secure digest
> > of some data?
>
> Yes. The standard hashing modes provide only
> 128-bit hash digests, and for long-term collision-
> resistance, we'd probably like longer outputs.
>
> Also, Rijndael has not been evaluated as thoroughly
> for security in hashing modes as it has for security
> in encryption modes. Since hashing modes stress the
> key schedule much more than encryption modes, the
> level of assurance obtained may not be as high as
> one would like at present.
Besides, a dedicated hashing function is likely to be
considerably faster than a hashing mode (at least if
the underlying block cipher was not purposely designed
to operate within a hashing scheme). This may not be
desirable in many situations.
I've asked previously, but I hope it won't hurt asking
again. Has anyone compared the relative speeds of
(efficient implementations of) the SHA-2 functions and
Rijndael? Are there any figures available?
Cheers,
Paulo Barreto.