Re: MD4-derived hash functions

>Does anyone know whether Rivest was motivated to design
>MD5 by the partial attacks on MD4, or whether those came later?
>(This is totally idle curiosity.)

It was after...

>All of the well-known software hash functions seem to be based on
>MD4 these days, but that doesn't mean much about the security of
>MD4--3DES with three independent keys looks pretty strong, as does
>3DES with two independent keys, but that doesn't mean that single
>DES is a strong enough cipher for modern applications.

3DES with only two independent keys is only slightly more secure than
DES; consider a variant of the meet in the middle attack exploiting
the fact that the constraint network is reducible to two equations
in one unknown.

>Is there a generic construction for
>arbitrary-length hash functions from good block or stream ciphers?

Yes, see Bruce's book.
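
One classical construction of the kind asked about is Davies-Meyer compression iterated with Merkle-Damgård length padding. The sketch below is an added example, not part of the original message; XTEA as the stand-in block cipher, the IV value and all function names are assumptions, and a 64-bit digest is far too short for real use.

```python
import struct

MASK = 0xFFFFFFFF
DELTA = 0x9E3779B9
BLOCK = 16                               # message bytes per step = cipher key size
IV = bytes.fromhex("0123456789abcdef")   # constructed constant, not a standard IV

def xtea_encrypt(key: bytes, block: bytes, rounds: int = 32) -> bytes:
    """Stand-in block cipher (XTEA): 128-bit key, 64-bit block."""
    k = struct.unpack(">4I", key)
    v0, v1 = struct.unpack(">2I", block)
    s = 0
    for _ in range(rounds):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
        s = (s + DELTA) & MASK
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
    return struct.pack(">2I", v0, v1)

def md_pad(msg: bytes) -> bytes:
    """Merkle-Damgard strengthening: 0x80, zero fill, 64-bit bit length."""
    zeros = (-(len(msg) + 1 + 8)) % BLOCK
    return msg + b"\x80" + b"\x00" * zeros + struct.pack(">Q", len(msg) * 8)

def compress(h: bytes, m: bytes) -> bytes:
    """Davies-Meyer: H_i = E_{m_i}(H_{i-1}) XOR H_{i-1}.

    The message block is used as the cipher key; the feed-forward XOR
    makes the step one-way even though the cipher itself is invertible.
    """
    e = xtea_encrypt(m, h)
    return bytes(a ^ b for a, b in zip(e, h))

def dm_hash(msg: bytes) -> bytes:
    """Arbitrary-length hash built by chaining the compression function."""
    h = IV
    padded = md_pad(msg)
    for i in range(0, len(padded), BLOCK):
        h = compress(h, padded[i:i + BLOCK])
    return h

if __name__ == "__main__":
    for sample in (b"", b"abc", b"a" * 100):   # constructed inputs
        print(len(sample), dm_hash(sample).hex())
```

The digest length equals the cipher's block size, so the collision resistance of such a construction is bounded by the block size of the underlying cipher.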