[16037] in cryptography@c2.net mail archive
Re: ?splints for broken hash functions
daemon@ATHENA.MIT.EDU (Ivan Krstic)
Tue Aug 31 14:20:22 2004
X-Original-To: cryptography@metzdowd.com
Date: Sun, 29 Aug 2004 14:40:22 +0200
From: Ivan Krstic <krstic@fas.harvard.edu>
To: Metzdowd Crypto <cryptography@metzdowd.com>
In-Reply-To: <412E95B0.2010009@av8n.com>
John Denker wrote:
> Here's another splint using the same general idea, but
> with less complexity: calculate the hash once then
> prepend that to the message and hash again, i.e.
> hash3(M) := hash1[hash1(M) (+) M]
This is Schneier's and Ferguson's solution to then-known hash function
weaknesses in Practical Cryptography, Wiley Publishing, 2003:
"We do not know of any literature about how to fix the hash functions,
but here is what we came up with when writing this book. ... Let h be
one of the hash functions mentioned above. Instead of m->h(m), we use
m->h(h(m) || m) as hash function. Effectively we put h(m) before the
message we are hashing. This ensures that the iterative hash
computations immediately depend on all the bits of the message, and no
partial-message or length extension attacks can work. ... The
disadvantage of this approach is that it is slow ... Another
disadvantage is that this approach requires the whole message m to be
buffered. You can no longer compute the hash of a stream of data as it
passes by" (p. 93).
Cheers,
Ivan.
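The construction quoted above, h(h(m) || m), as an added example that is not part of the original post or of the book: it is written here on top of SHA-256 via Python's hashlib (a choice of this example; the post and the book speak of the hash functions of the day generically). The incremental SplintHasher class shows the buffering disadvantage the book describes, and plain_hash_continues_from_state shows the property of an iterated hash that the splint is meant to remove: the internal state after a prefix is a sufficient summary of that prefix. The message bytes are constructed sample input.

```python
import hashlib

# The splint from the quoted text, instantiated on SHA-256 (this example's
# choice of h; the post and the book do not tie it to a specific function).


def plain_hash(message: bytes) -> bytes:
    """The unmodified iterated hash: m -> h(m)."""
    return hashlib.sha256(message).digest()


def splint_hash(message: bytes) -> bytes:
    """The splint: m -> h(h(m) || m).

    The inner digest is prepended, so the first block the outer iteration
    absorbs already depends on every bit of m.
    """
    inner = hashlib.sha256(message).digest()
    return hashlib.sha256(inner + message).digest()


class SplintHasher:
    """Incremental interface for the splint.

    The outer hash's first block is h(m), which is only known once all of m
    has been seen, so the object has to retain the whole message until
    digest() is called. This is the 'cannot hash a stream as it passes by'
    disadvantage quoted from the book.
    """

    def __init__(self) -> None:
        self._inner = hashlib.sha256()   # the inner h(m) can be fed incrementally
        self._buffer = bytearray()       # the outer hash needs m again later

    def update(self, chunk: bytes) -> None:
        self._inner.update(chunk)
        self._buffer += chunk

    def buffered_bytes(self) -> int:
        """How much of the message is currently being held in memory."""
        return len(self._buffer)

    def digest(self) -> bytes:
        outer = hashlib.sha256(self._inner.digest())   # h(m) goes first
        outer.update(bytes(self._buffer))              # then all of m
        return outer.digest()


def plain_hash_continues_from_state(prefix: bytes, suffix: bytes) -> bool:
    """Property of an iterated hash that the splint is meant to remove.

    For plain h, the internal chaining state after absorbing `prefix` is
    enough to finish h(prefix || suffix) without ever touching `prefix`
    again. hashlib.copy() exposes exactly that state. For the splint there
    is no such shortcut: the outer computation cannot even start until the
    complete message is known.
    """
    state = hashlib.sha256(prefix)
    continued = state.copy()
    continued.update(suffix)
    return continued.digest() == plain_hash(prefix + suffix)


if __name__ == "__main__":
    msg = b"constructed sample message for the splint example"  # constructed input
    streaming = SplintHasher()
    for i in range(0, len(msg), 8):
        streaming.update(msg[i:i + 8])
    assert streaming.digest() == splint_hash(msg)
    print("splint digest :", splint_hash(msg).hex())
    print("plain digest  :", plain_hash(msg).hex())
    print("bytes buffered:", streaming.buffered_bytes(), "of", len(msg))
    print("plain h continues from state:",
          plain_hash_continues_from_state(msg[:20], msg[20:]))
```

The incremental class makes the trade-off concrete: the inner hash streams normally, but the buffer grows to the full message length before the outer hash can do any work, which is the cost the book accepts in exchange for removing partial-message and length-extension behaviour.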