
Re: scrypt Internet Draft



On Thu, 2013-06-13 at 17:09 +0200, Francois Grieu wrote:
> As discussed at
> http://crypto.stackexchange.com/questions/8634/how-scrypt-uses-salsa
> it appears that the statement made here
> http://tools.ietf.org/html/draft-josefsson-scrypt-kdf-01#page-3
> that
> >  Salsa20/8 Core is not a cryptographic hash function since it is not collision-resistant.
> is (at least) causing confusion, and (I believe) is wrong, for the Salsa20/8 Core
> is intended to be collision-resistant, and is, AFAIK.

I believe that is false.  Salsa20 Core is not designed to be
collision-resistant, read DJB's own page:

http://cr.yp.to/salsa20.html

For example, Salsa20core(x) = Salsa20core(x + c) for c =
"0000000800000008...", thus demonstrating trivial collisions.

To be concrete, try computing Salsa20core for the following two
inputs:

00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000
00000000000000000000000000000000

and

00000080000000800000008000000080
00000080000000800000008000000080
00000080000000800000008000000080
00000080000000800000008000000080

the output for both inputs should be all zeros.

/Simon
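
The check described in the message above, as an added example that is not part of the original post: a Python Salsa20 core run over the two inputs, plus the general case Salsa20core(x) = Salsa20core(x + c) for an arbitrary x, at 20 rounds and at the 8 rounds scrypt uses. The names `salsa20_core` and `add_c` and the `SAMPLE` block are assumptions made for this example.

```python
import struct

MASK = 0xFFFFFFFF
# Quarter-round word indices: four column rounds, then four row rounds.
DOUBLE_ROUND = [(0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11),
                (0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)]

def rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK

def salsa20_core(block, rounds=20):
    """Salsa20 core on a 64-byte block; rounds=8 gives Salsa20/8."""
    if len(block) != 64 or rounds % 2:
        raise ValueError("need a 64-byte block and an even round count")
    inp = struct.unpack("<16I", block)      # sixteen little-endian words
    x = list(inp)
    for _ in range(rounds // 2):
        for a, b, c, d in DOUBLE_ROUND:
            x[b] ^= rotl((x[a] + x[d]) & MASK, 7)
            x[c] ^= rotl((x[b] + x[a]) & MASK, 9)
            x[d] ^= rotl((x[c] + x[b]) & MASK, 13)
            x[a] ^= rotl((x[d] + x[c]) & MASK, 18)
    # Feed-forward: add the original input words to the permuted state.
    return struct.pack("<16I", *((xi + ii) & MASK for xi, ii in zip(x, inp)))

def add_c(block):
    """Add 0x80000000 to every 32-bit word mod 2^32 (flips each top bit)."""
    words = struct.unpack("<16I", block)
    return struct.pack("<16I", *((w + 0x80000000) & MASK for w in words))

ZEROS = bytes(64)                           # first input from the message
SECOND = bytes.fromhex("00000080" * 16)     # second input from the message
SAMPLE = bytes(range(64))                   # constructed arbitrary block

if __name__ == "__main__":
    for name, blk in (("zeros", ZEROS), ("second", SECOND)):
        print(name, salsa20_core(blk).hex())
    for r in (8, 20):
        same = salsa20_core(SAMPLE, r) == salsa20_core(add_c(SAMPLE), r)
        print(f"rounds={r}: core(x) == core(x + c) -> {same}")
```

Every addition inside the core sums two words whose top bits were both flipped, so the flips cancel mod 2^32 and the rotated values are unchanged; the final feed-forward addition cancels them the same way.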