[145048] in cryptography@c2.net mail archive
Re: hedging our bets -- in case SHA-256 turns out to be insecure
daemon@ATHENA.MIT.EDU (Jerry Leichter)
Mon Nov 9 20:03:46 2009
Cc: Cryptography List <cryptography@metzdowd.com>,
tahoe-dev@allmydata.org
From: Jerry Leichter <leichter@lrw.com>
To: Zooko Wilcox-O'Hearn <zooko@zooko.com>
In-Reply-To: <23136884-5881-4ED7-88DB-9A1F600A148D@zooko.com>
Date: Sun, 8 Nov 2009 22:11:57 -0500
On Nov 8, 2009, at 6:30 AM, Zooko Wilcox-O'Hearn wrote:
> I propose the following combined hash function C, built out of two
> hash functions H1 and H2:
>
> C(x) = H1(H1(x) || H2(x))
I'd worry about using this construction if H1's input block and output
size were the same, since one might be able to leverage some kind of
extension attack. That's not a problem for SHA256 or SHA512, but it's
something to keep in mind if this is supposed to be a general
construction, given that all likely hash functions will be constructed
by some kind of iteration over fixed-size blocks.
Rather than simply concatenating H1(x) and H2(x), you might do better
to interlace them. Even alternating bytes - cheap enough that you'd
never notice - should break up any structure that designs of practical
hash functions might exhibit. (As a matter of theory, a vulnerability
of alternate bytes is as likely as a vulnerability of leading bytes;
but given the way we actually build hash functions, as a practical
matter the latter seems much more likely.)
-- Jerry
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
