Subject: Re: AES as a hash function?
From: Paulo S. L. M. Barreto (paulo.barretoterra.com.br)
Date: Mon Oct 02 2000 - 18:37:52 CDT

On Mon, 02 Oct 2000, Bram Cohen wrote:

> The announcement didn't mention Rijndael's applicability as a hash
> function. I think I remember mention in earlier AES documents that it
> should be resistant to 'related key attacks' and thus usable as a hash
> function in some specific mode, whose name I have forgotten.

Rijndael *is* resistant against related-key attacks. The 9-round attack by the
fishing team does not extend to more rounds (it is only applicable to 256-bit
keys, for which the specified number of rounds is 14).

I've touched the subject of hashing function modes of operation twice in the
NIST forum. One was months ago; the other was Saturday, as a comment to the
newly available paper by Helger Lipmaa and David Wagner on counter mode.

As for the hash size, remember that Rijndael supports 192-bit and 256-bit blocks
(though I don't know if NIST will keep this extension); using tandem
or abreast Davies-Meyer with these sizes gives 384-bit and 512-bit hashes.
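
The tandem Davies-Meyer chaining mentioned above, as an added example that is not part of the original post: two cipher calls per message block update two n-bit chaining halves, so an n-bit block yields a 2n-bit digest. `toy_encrypt` is a constructed stand-in (a SHA-256 Feistel network), not Rijndael, and the padding and initial values are assumptions made for the illustration.

```python
import hashlib

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """Constructed stand-in block cipher (NOT Rijndael): a 4-round Feistel
    network with SHA-256 as round function. Block length must be even and
    at most 64 bytes; the key may be any length."""
    half = len(block) // 2
    left, right = block[:half], block[half:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:half]
        left, right = right, _xor(left, f)
    return left + right

def tandem_dm(message: bytes, n_bytes: int) -> bytes:
    """Tandem Davies-Meyer over an n-byte block cipher keyed with 2n bytes.
    Returns a 2n-byte digest (G || H)."""
    # Assumed padding: 0x80, zeros, 64-bit big-endian bit length.
    padded = message + b"\x80"
    padded += b"\x00" * (-(len(padded) + 8) % n_bytes)
    padded += (8 * len(message)).to_bytes(8, "big")
    # Assumed (constructed) initial chaining values.
    g, h = b"\x00" * n_bytes, b"\xff" * n_bytes
    for i in range(0, len(padded), n_bytes):
        m = padded[i:i + n_bytes]
        # First call: encrypt H under key G || M, feed forward into H.
        w = toy_encrypt(g + m, h)
        new_h = _xor(h, w)
        # Second call: encrypt G under key M || W, feed forward into G.
        # W comes from the first call, hence "tandem".
        g = _xor(g, toy_encrypt(m + w, g))
        h = new_h
    return g + h

if __name__ == "__main__":
    for bits in (192, 256):
        digest = tandem_dm(b"abc", bits // 8)
        print(bits, "-bit block ->", 8 * len(digest), "-bit hash:", digest.hex())
```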