A Davies-Meyer ccompression function operates with $H_{i} = E(m_{i}, H_{i-1}) \oplus H_{i-1}$. Why not use $H_{i} = E(m_{i}, H_{i-1})$ instead?
Asked
Active
Viewed 160 times
1
-
2Opens up meet-in-the-middle requiring double the state size. – CodesInChaos Jan 22 '18 at 06:09
-
Just think about how you invert this function... You only need the meet in the middle if you have a specific message padding that you have to match and a fixed IV – mephisto Jan 22 '18 at 09:00
-
Related (but unfortunately no answer) Complexity to find an preimage of a hash function – CodesInChaos Jan 22 '18 at 09:35
-
@CodesInChaos: now Complexity to find an preimage of a hash function is answered. – fgrieu Jan 27 '18 at 22:15