[17133] in cryptography@c2.net mail archive
Re: [saag] Re: Propping up SHA-1 (or MD5)
daemon@ATHENA.MIT.EDU (Ben Laurie)
Fri Mar 25 10:08:35 2005
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
Date: Tue, 22 Mar 2005 17:48:46 +0000
From: Ben Laurie <ben@algroup.co.uk>
To: Ken Raeburn <raeburn@MIT.EDU>
Cc: Barney Wolff <barney@databus.com>, saag@mit.edu,
Cryptography <cryptography@metzdowd.com>
In-Reply-To: <b171bc9d77e4e7f27add5d5de91d54bb@mit.edu>
Ken Raeburn wrote:
> On Mar 22, 2005, at 11:51, Ben Laurie wrote:
>
>> This can be fixed quite easily:
>>
>> H'(x)=H(H(x || H(x)) || H(x))
>
>
> Doesn't this take us back to the original problem, by factoring in x
> only at the start of hash computations, so H'(x') will generate the same
> H(x') and the same internal state for H(x'||...) as for H(x||...) and
> thus the same H(x'||H(x')) etc, resulting in the same final value?
Doh. Yes. Slightly less elegantly, then:
H'(x)=H(H(x || H(0 || x) || H(0 || x))
Then you need two hashes running in parallel, but at least it is still
online. Or, with three parallel streams:
H'(x)=H(H(x || H(0 || x) || H(1 || x))
I don't feel as comfortable with either as the original construction,
though.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
