Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: jimkirk@CORRAL.UWyo.Edu (James Kirkpatrick)
Newsgroups: comp.virus
Subject: MDC questions
Message-ID: <0007.9104051408.AA00913@ubu.cert.sei.cmu.edu>
Date: 4 Apr 91 20:14:51 GMT
Sender: Virus Discussion List
Lines: 47
Approved: krvw@sei.cmu.edu

I've been looking into Manipulation Detection Codes (MDCs), partly by reading Virus-L archives, and have a few questions:

- Robert Jueneman published a paper describing his own QCMDCV4 algorithm, but Don Coppersmith published a review in which he states:

  ... "the described scheme is insecure (a fact apparently not noted elsewhere); its simple construction allows a direct attack. The reader is hereby warned against its implementation."

  My question is, has Coppersmith ever published or described the attack? I have not been able to find anything other than the above claim. Also, has anybody implemented it, or obtained Jueneman's implementation?

- SNEFRU was discussed on this list, but I was dismayed to find it had been broken, and that Merkle's response was to increase the number of passes. This worries me because of the experience of knapsack cryptosystems, where a single-iteration system was first broken, followed by the introduction of multiple-iteration systems, which were in turn broken (at least, that is my recollection; I may have some details wrong).

  Questions: does anybody have a better feel for the probable security of the multi-pass SNEFRU, knowing that the earlier version was broken? Does the multi-pass version slow down the whole process (or is it still acceptably quick)?

- MD4 was also discussed, and I have obtained the paper from CERT.SEI.CMU.EDU in pub/virus-l/docs md4.rsa.paper. However, the paper appears to be incomplete, in that it claims to contain an example implementation, but only contains a few declarations and seems to be missing actual code.

  Questions: How does one get MD4? Has anybody broken it yet or even proposed a method?

General question (last one!): Jueneman carefully points out weaknesses in other MDCs, such as the inability to distinguish between a last block that has been padded with (say) zeros, as opposed to a last block that is "short." He points out that, for example, ANSI/ISO standards (X9.9? I don't have the paper handy, sorry) have this flaw. Do MD4 and/or SNEFRU suffer from this? (MD4 appears to be free of this problem, but it is not explicitly stated as far as I can tell.)

Thanks in advance!

Jim Kirkpatrick
JIMKIRK@CORRAL.UWYO.EDU
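The padding ambiguity Jueneman describes, shown as an added illustration that is not part of the post above: a hypothetical block-chained MDC that zero-fills its short final block cannot tell "PAY 100" from "PAY 100\0", whereas MD4's padding rule (a 1 bit, zeros, then the original bit length, as specified in RFC 1320) gives the two messages different padded inputs. The toy MDC, its block size and the sample messages are constructed for this example.

```python
import struct

BLOCK = 8  # toy block size in bytes (constructed for illustration only)
MASK64 = (1 << 64) - 1


def naive_mdc(msg: bytes) -> int:
    """Hypothetical block-chained MDC whose only padding is zero-fill of the
    last block. Because the padded input carries no length information, a
    short final block and a final block ending in explicit zeros collide."""
    padded = msg + b"\x00" * ((-len(msg)) % BLOCK)
    h = 0
    for i in range(0, len(padded), BLOCK):
        blk = int.from_bytes(padded[i:i + BLOCK], "big")
        h = ((h * 0x100000001B3) ^ blk) & MASK64  # toy chaining step
    return h


def md4_pad(msg: bytes) -> bytes:
    """MD4-style padding (RFC 1320, sections 3.1 and 3.2): append a single
    1 bit (0x80), zero bytes until the length is 56 mod 64, then the
    original length in bits as a 64-bit little-endian integer. The length
    field is what removes the short-block/zero-padded-block ambiguity."""
    bitlen = (len(msg) * 8) & MASK64
    padded = msg + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack("<Q", bitlen)


def padding_ambiguity_demo() -> dict:
    """Compare both schemes on two constructed messages that differ only by
    a trailing zero byte; returns whether each scheme distinguishes them."""
    short_block = b"PAY 100"          # 7 bytes: final block is "short"
    zero_padded = b"PAY 100\x00"      # 8 bytes: final block ends in a real zero
    return {
        "naive_collides": naive_mdc(short_block) == naive_mdc(zero_padded),
        "md4_pad_collides": md4_pad(short_block) == md4_pad(zero_padded),
    }


if __name__ == "__main__":
    print(padding_ambiguity_demo())
```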