ying about.

The first scheme was described in [1028]. The third scheme was described in [1555, 1105, 1106] and was proposed as an ISO standard [766]. The fifth scheme was proposed by Carl Meyer, but is commonly called Davies-Meyer in the literature [1606, 1607, 434, 1028]. The tenth scheme was proposed as a hash-function mode for LOKI [273].

The first, second, third, fourth, ninth, and eleventh schemes have a hash rate of 1; the key length equals the block length. The others have a rate of k/n, where k is the key length. This means that if the key length is shorter than the block length, then the message block can only be the length of the key. It is not recommended that the message block be longer than the key length, even if the encryption algorithm’s key length is longer than the block length.

If the block algorithm has a DES-like complementation property and DES-like weak keys, there is an additional attack that is possible against all 12 schemes. The attack isn’t very dangerous and not really worth worrying about. However, you can solve it by fixing bits 2 and 3 of the key to “01” or “10” [1081, 1107]. Of course, this reduces the length of k from 56 bits to 54 bits (in DES, for example) and decreases the hash rate.

The following schemes, proposed in the literature, have been shown to be insecure.

Figure 18.9 The four secure hash functions where the block length equals the hash size.

This scheme [1282] was broken in [369]:

$H_i = E_{M_i}(H_{i-1})$

Davies and Price proposed a variant which cycles the entire message through the algorithm twice [432, 433]. Coppersmith’s attack works on this variant with not much larger computational requirements [369].

Another scheme [432, 458] was shown insecure in [1606]:

$H_i = E_{M_i \oplus H_{i-1}}(H_{i-1})$

This scheme was shown insecure in [1028] (c is a constant):

$H_i = E_c(M_i \oplus H_{i-1}) \oplus M_i \oplus H_{i-1}$

Modified Davies-Meyer

Lai and Massey modified the Davies-Meyer technique to work with the IDEA cipher [930, 925]. IDEA has a 64-bit block size and 128-bit key size. Their scheme is

$H_0 = I_H$, where $I_H$ is a random initial value
$H_i = E_{H_{i-1}, M_i}(H_{i-1})$

This fu...
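The Modified Davies-Meyer chaining above, as an added example that is not from the original text: the 128-bit key of each step is the previous chaining value concatenated with one 64-bit message block. XTEA stands in for IDEA here because it has the same 64-bit block and 128-bit key sizes; the padding rule and the sample IV are assumptions made for this example.

```python
import struct

MASK, DELTA = 0xFFFFFFFF, 0x9E3779B9

def xtea_encrypt(key: bytes, block: bytes, rounds: int = 32) -> bytes:
    """XTEA: 128-bit key, 64-bit block (stand-in for IDEA, same sizes)."""
    k = struct.unpack(">4I", key)
    v0, v1 = struct.unpack(">2I", block)
    s = 0
    for _ in range(rounds):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
        s = (s + DELTA) & MASK
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
    return struct.pack(">2I", v0, v1)

def mdm_compress(h_prev: bytes, m_i: bytes) -> bytes:
    """H_i = E_{H_{i-1}, M_i}(H_{i-1}): the cipher key is H_{i-1} || M_i."""
    if len(h_prev) != 8 or len(m_i) != 8:
        raise ValueError("chaining value and message block must be 64 bits")
    return xtea_encrypt(h_prev + m_i, h_prev)

def pad(message: bytes) -> bytes:
    """Assumed padding (not from the page): 0x80, zeros, 64-bit bit length."""
    padded = message + b"\x80"
    padded += b"\x00" * (-len(padded) % 8)
    return padded + struct.pack(">Q", 8 * len(message))

def mdm_hash(message: bytes, iv: bytes) -> bytes:
    """Iterate the compression function over 64-bit blocks, with H_0 = I_H."""
    h = iv
    data = pad(message)
    for off in range(0, len(data), 8):
        h = mdm_compress(h, data[off:off + 8])
    return h

# Constructed sample IV; the scheme itself calls for a random I_H.
SAMPLE_IV = bytes.fromhex("0123456789abcdef")

if __name__ == "__main__":
    print(mdm_hash(b"sample message", SAMPLE_IV).hex())
```

Each cipher call absorbs one 64-bit message block and yields a 64-bit chaining value, so a birthday collision on the final hash costs only about 2^32 work.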
 Fall '10
 ALIULGER
 Cryptography, Bruce Schneier, Applied Cryptography, EarthWeb, Search Search Tips
