From: Lodewijk andré de la porte
Subject: Re: [cryptography] Weak random data XOR good enough random data = better random data?
> Come to think of it, is there or why isn't there a block-cipher mode that
> chains using a hashing algorithm?
The main reason would be difficulty in proving security.
Spacing on the term right now, but I’ll call it a cycle. Every hash function
has cycles, so to define it:
H[0] = Hash(input)
H[N]= Hash(H[N-1])
The problem is that H[i] == H[j] where i =/= j. Every input for every hash
has cycles, and current hashes have large numbers of them.
CTR mode relies on the cycle length being 2^block_size. CBC relies on
the cycle length being very long. Proving the minimum cycle length in a hash
is not something that I am aware of ever having been done, making it
effectively impossible to prove security.
So while using a hash function in the block chaining sounds like a good
idea, because we have proofs of security for CTR and CBC that say they are
no weaker than the cipher, the hash mode would have to actually prove that
it is stronger than the underlying cipher for the extra computation to be
worth it.
I can’t say that it is impossible to do, just that it hasn't been done, and
I don't expect it to be done.
Joe
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography