I believe this is a MAC, despite the name. It seems to be easier to create secure MACs than secure hash functions, perhaps because there are no secrets in a hash, while in a MAC there is a secret key that makes the attacker's job harder.
Interestingly, a crypto-specialist from DSD (Australian NSA-equivalent) said exactly this to me in 1997-1998. He called them "strange" functions to design. I subsequently asked if they - which in the context meant the tier one UKUSA agencies - had many hash functions developed for classified uses. He indicated that they had quite a few MAC-style keyed functions, but not many unkeyed hashes.
This was all over a lunch to discuss SENECA, Oz's VLSI proposal to replace DES for sensitive-but-unclassified applications (64 bit keys, produced on an otherwise moribund 1.5u fab in Sydney). SENECA lost funding, basically due to internal politics and external commercial realities. I was trying to get them to release the algorithm in SENECA publicly, knowing the hardware implementation was failing in the marketplace, but was told it wasn't going to happen as it incorporated design features that DSD considered sensitive. The actual design came out of DSTO.
Ian.
--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
