On Thu, Nov 17, 2005 at 12:10:53PM -0500, John Kelsey wrote:
> c. Maybe they just got it wrong. SHA0 and SHA1 demonstrate that this
> is all too possible. (It's quite plausible to me that they have very
> good tools for analyzing block ciphers, but that they aren't or
> weren't sure how to best apply them to hash functions.)

SHA-* also look very much like the already existing and public MD4 and MD5... I would be very willing to bet that the NSA's classified hash functions (I assume it has some, though to be honest I have only ever seen information about block ciphers) look nothing like SHA. Perhaps their analysis tools apply well to the ones that they build internally, but did not to an MDx-style hash, and they did not want to release a design based on some clever design technique of theirs that the public didn't know about; when SHA was released, Clipper and the export controls were still in full swing, so it seems pretty plausible that the NSA wanted to limit how many goodies it gave away.

</speculation>

-Jack