From: xmath on
I've been playing a bit with the thought of building a hash out of
Salsa20, for applications that already use it and don't want another
primitive...

Does anyone see an obvious problem with this particular mode of turning
Salsa20 (or any other one-way function where the input size equals the
output size) into a collision-resistant hash function on arbitrary-size
messages:

Pad and split the message into 64-byte blocks m_1 .. m_k, then:

h_0 = IV
h_1 = Salsa20(h_0 + Salsa20(m_1))
h_2 = Salsa20(h_1 + Salsa20(m_2))
h_3 = Salsa20(h_2 + Salsa20(m_3))
....
h_k = Salsa20(h_{k-1} + Salsa20(m_k))

With h_k as the hash output. (By using the same per-word addition as
Salsa20 uses to add in the original input you can save a temporary
16-word array in the implementation.)

I feel a little uncomfortable about allowing the attacker to fully
control the input to Salsa20, however if the IV is chosen properly then
none of the ways (known to me) in which Salsa20 deviates from a perfect
random function are of any utility.

In comparison, the "obvious" chaining mode (32 message bytes, 32
chaining bytes) only allows the attacker to have precise control over
half the input, but she also only needs to find a collision in half the
output. Because of that, simple chaining obviously allows a collision
to be found in about 2^128 operations, while for the mode above I see
no obvious attack faster than about 2^256 operations.

Performance of the two modes is about the same. On my G4 (PPC 7447A),
around 8 cycles/byte.

Any thoughts?

Also, what about the reduced-round versions, Salsa20/8 and /12 ?

- xmath

From: D. J. Bernstein on
On 2006-09-26, xmath <xmath.news(a)gmail.com> wrote:
> Does anyone see an obvious problem with this particular mode

Yes. The diagonal constants in Salsa20 are important. There are many
other sensible choices of constants, but the constants should never be
replaced by attacker-controlled variables.

---D. J. Bernstein, Professor, Mathematics, Statistics,
and Computer Science, University of Illinois at Chicago
From: xmath on
D. J. Bernstein wrote:
> Yes. The diagonal constants in Salsa20 are important. There are many
> other sensible choices of constants, but the constants should never be
> replaced by attacker-controlled variables.

I know about the diagonal rotate issue, but I don't see how it can help
the attacker. If he rotates a message block m_i then Salsa20(m_i)
rotates along, but for this to propagate in a useful way to h_i, she
also needs h_{i-1} to be rotated in the same way, which not only
requires m_{i-1} to be rotated as well, but also h_{i-2} etc until she
hits h_0 (the IV) which quite stubbornly refuses to rotate :-)

Also, even if the attacker could do this successfully, while it would
be an ugly property I don't see it violating collision-resistance.

Or can more evil be done if the diagonal is attacker-controlled?

- xmath

From: Scott Contini on

xmath wrote:
> I've been playing a bit with the thought of building a hash out of
> Salsa20, for applications that already use it and don't want another
> primitive...
>
> Does anyone see an obvious problem with this particular mode of turning
> Salsa20 (or any other one-way function where the input size equals the
> output size) into a collision-resistant hash function on arbitrary-size
> messages:
>
> Pad and split the message into 64-byte blocks m_1 .. m_k, then:
>
> h_0 = IV
> h_1 = Salsa20(h_0 + Salsa20(m_1))
> h_2 = Salsa20(h_1 + Salsa20(m_2))
> h_3 = Salsa20(h_2 + Salsa20(m_3))
> ...
> h_k = Salsa20(h_{k-1} + Salsa20(m_k))
>
> With h_k as the hash output. (By using the same per-word addition as
> Salsa20 uses to add in the original input you can save a temporary
> 16-word array in the implementation.)

I think you can get a collision as follows (please check, I sometimes
make
stupid mistakes).

Let m1 and m1' be anything, with m1 != m1'.
Then take m2 = h_0 + f(m1') and m2' = h_0 + f(m1) , where
you use f = Salsa20. If this is right, then your construction is
bad, the attack does not depend upon the underlying "hash function".

Scott

From: xmath on
Scott Contini wrote:
> I think you can get a collision as follows

Whoops. :-)


I suppose this could be prevented by taking

h_i = F(h_{i-1} + H(m_i))
or
h_i = F(h_{i-1}) + H(m_i)

where F and H are independent one-way functions? actually I think F
doesn't even need to be one-way or anything, just stir things enough to
avoid a generalized birthday attack. Hmm...

I need to think a bit more about this clearly...

- xmath

 |  Next  |  Last
Pages: 1 2 3
Prev: How long to trust 3DES
Next: M.peg biss key finder