[17147] in cryptography@c2.net mail archive
Re: [saag] Re: Propping up SHA-1 (or MD5)
daemon@ATHENA.MIT.EDU (Ben Laurie)
Fri Mar 25 10:29:31 2005
X-Original-To: cryptography@metzdowd.com
Date: Thu, 24 Mar 2005 18:19:36 +0000
From: Ben Laurie <ben@algroup.co.uk>
To: "Blumenthal, Uri" <uri.blumenthal@intel.com>
Cc: saag@mit.edu, Cryptography <cryptography@metzdowd.com>
In-Reply-To: <3DEC199BD7489643817ECA151F7C5929DE0F8C@pysmsx401.amr.corp.intel.com>
Blumenthal, Uri wrote:
> Ernie Brickell suggested the following construct:
>
> H'(x) = H( H(x) || H(0 || x) )
>
> Like him, I see no reason in going (H(x) || H(0||x) || ... || H(n||x)).
Sorry, I got my parentheses wrong. I meant...
H'(x)=H(H(x || H(0 || x)) || H(0 || x))
or:
H'(x)=H(H(x || H(0 || x)) || H(1 || x))
the former being almost the same construction as suggested, except that
H(0 || x) is appended to the first inner hash. I used this construction
because nested keyed hashes have provable security properties (which is
why HMAC is made the way it is). The second form is the one required to
get those properties, I should point out.
I will confess that I have punted on whether those properties are
actually useful.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
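The three constructions discussed in this thread (Brickell's suggestion as quoted, and Ben's two corrected nested forms) written out as running code. This is an added illustration, not code from either author; it assumes that "0 || x" and "1 || x" mean a single prefix byte 0x00 / 0x01 in front of the message, and it uses SHA-1 as the base H because that is the hash being propped up.

```python
import hashlib
from typing import Callable

HashFn = Callable[[bytes], bytes]


def sha1(data: bytes) -> bytes:
    """Base hash H. SHA-1 is chosen only because it is the subject of the thread."""
    return hashlib.sha1(data).digest()


def brickell(x: bytes, H: HashFn = sha1) -> bytes:
    """Construct as quoted by Uri:  H'(x) = H( H(x) || H(0 || x) ).

    Assumption: "0 || x" is the message prefixed with one zero byte.
    """
    return H(H(x) + H(b"\x00" + x))


def laurie_first(x: bytes, H: HashFn = sha1) -> bytes:
    """Ben's first corrected form:  H'(x) = H( H(x || H(0 || x)) || H(0 || x) ).

    Same derived value H(0 || x) is appended to the inner hash input and
    used again as the outer "key".
    """
    k = H(b"\x00" + x)
    return H(H(x + k) + k)


def laurie_second(x: bytes, H: HashFn = sha1) -> bytes:
    """Ben's second form:  H'(x) = H( H(x || H(0 || x)) || H(1 || x) ).

    Inner and outer stages now use distinct derived values (prefix 0x00 vs
    0x01), which is the nested keyed-hash shape that HMAC's argument relies
    on; this is the form Ben says is required for those properties.
    """
    inner_key = H(b"\x00" + x)
    outer_key = H(b"\x01" + x)
    return H(H(x + inner_key) + outer_key)


def all_forms(x: bytes, H: HashFn = sha1) -> dict:
    """Return all three digests side by side for comparison."""
    return {
        "plain": H(x),
        "brickell": brickell(x, H),
        "laurie_first": laurie_first(x, H),
        "laurie_second": laurie_second(x, H),
    }
```

Because `H` is a parameter, the same code can be run over any base hash (e.g. `hashlib.md5` via a one-line wrapper) to compare outputs of the wrapped and unwrapped function.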