[cryptography] is there an iteration-incremental version of PBKDF2?

Jack Lloyd lloyd at randombit.net
Fri Sep 10 14:02:43 EDT 2010

On Fri, Sep 10, 2010 at 10:29:32AM -0700, travis+ml-rbcryptography at subspacefield.org wrote:

> I wonder if there are any known identities under hash functions.

A naive hash that does not use bit padding of some kind often has easy
identities. For instance MMO mode constructs the hash using

H(m) = E_h(m) ^ m

for some fixed initial h

Choose your (single block input) m to be D_h(zeros), then the hash
becomes E_h(D_h(zeros)) ^ D_h(zeros), the encrypt and decrypt cancel
out, so you xor m against all zero and then output m as the hash.

Something like this works for most hash functions based on an
invertible permutation, unless you use bit padding. AFAIK padding ala
Merkle-Damgard prevents all attacks of this form.
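The identity described in the message above, worked through in code. This is an added example, not code from the original post or from any library the author maintains. It assumes XTEA as the invertible block permutation E (chosen only because it fits in a few lines of pure Python), a key derivation g(h) = h || h to turn an 8-byte chaining value into a 128-bit key, and a constructed initial value h. The first function is exactly the single-block construction H(m) = E_h(m) ^ m from the post; choosing m = D_h(0) makes the encrypt and decrypt cancel, so H(m) == m. The second applies the same compression after Merkle-Damgard strengthening (0x80, zero fill, then a length block), under which the same m is no longer a fixed point. The padded check only shows that this particular identity fails, not that the padded toy is a secure hash.

```python
"""
Added example: the fixed point of an unpadded single-block MMO hash,
H(m) = E_h(m) ^ m, at m = D_h(0), and the same input after Merkle-Damgard
padding.  XTEA (64-bit block, 128-bit key) stands in for any invertible
permutation; everything here is a constructed demonstration.
"""

MASK32 = 0xFFFFFFFF
DELTA = 0x9E3779B9
ROUNDS = 32
BLOCK = 8  # XTEA block size in bytes


def _words(key: bytes):
    assert len(key) == 16
    return [int.from_bytes(key[i:i + 4], "big") for i in range(0, 16, 4)]


def xtea_encrypt(key: bytes, block: bytes) -> bytes:
    """Standard XTEA encryption of one 8-byte block (32 rounds)."""
    k = _words(key)
    v0, v1 = int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big")
    s = 0
    for _ in range(ROUNDS):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK32
        s = (s + DELTA) & MASK32
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK32
    return v0.to_bytes(4, "big") + v1.to_bytes(4, "big")


def xtea_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of xtea_encrypt."""
    k = _words(key)
    v0, v1 = int.from_bytes(block[:4], "big"), int.from_bytes(block[4:], "big")
    s = (DELTA * ROUNDS) & MASK32
    for _ in range(ROUNDS):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK32
        s = (s - DELTA) & MASK32
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK32
    return v0.to_bytes(4, "big") + v1.to_bytes(4, "big")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def g(h: bytes) -> bytes:
    """Assumed key derivation: the 8-byte chaining value repeated to a 128-bit key."""
    return h + h


def mmo_single_block(h: bytes, m: bytes) -> bytes:
    """The post's construction: H(m) = E_h(m) ^ m for a fixed initial h, no padding."""
    return xor(xtea_encrypt(g(h), m), m)


def mmo_fixed_point(h: bytes) -> bytes:
    """m = D_h(0): the input the post describes, for which H(m) == m."""
    return xtea_decrypt(g(h), bytes(BLOCK))


def md_pad(msg: bytes) -> bytes:
    """Merkle-Damgard strengthening: 0x80, zeros to a block boundary, then the
    64-bit big-endian bit length in its own final block."""
    bitlen = len(msg) * 8
    padded = msg + b"\x80"
    padded += b"\x00" * (-len(padded) % BLOCK)
    return padded + bitlen.to_bytes(BLOCK, "big")


def mmo_md_hash(h: bytes, msg: bytes) -> bytes:
    """Iterated MMO over MD-padded input: H_i = E_{g(H_{i-1})}(m_i) ^ m_i, H_0 = h."""
    state = h
    data = md_pad(msg)
    for i in range(0, len(data), BLOCK):
        block = data[i:i + BLOCK]
        state = xor(xtea_encrypt(g(state), block), block)
    return state


H0 = bytes.fromhex("0123456789abcdef")  # constructed initial value h


def demo():
    """Returns (H(m*) == m* unpadded, H(m*) == m* with MD padding)."""
    m_star = mmo_fixed_point(H0)
    unpadded = mmo_single_block(H0, m_star)
    padded = mmo_md_hash(H0, m_star)
    return unpadded == m_star, padded == m_star


if __name__ == "__main__":
    fixed, still_fixed = demo()
    print("single-block MMO: H(m*) == m* ->", fixed)
    print("MD-padded MMO:    H(m*) == m* ->", still_fixed)
```

Running the script prints True for the unpadded construction and False for the padded one: once the length block is appended, m* is only the first of three blocks fed through the chain, so the encrypt/decrypt cancellation in the first block no longer determines the final output.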
