[17155] in cryptography@c2.net mail archive
RE: Propping up SHA-1 (or MD5)
daemon@ATHENA.MIT.EDU (Pablo Abad)
Fri Mar 25 10:38:03 2005
X-Original-To: cryptography@metzdowd.com
From: "Pablo Abad" <pabad@fibertel.com.ar>
To: "'Ben Laurie'" <ben@algroup.co.uk>
Cc: "'Cryptography'" <cryptography@metzdowd.com>
Date: Fri, 25 Mar 2005 12:22:59 -0300
In-reply-to: <42404D00.6030001@algroup.co.uk>
X-Fib-Al-From: pabad@fibertel.com.ar
Ben,
>> I believe the fatal flaw here is not the crypto, but losing the ability
>> to hash a stream without keeping all of it. Both the hashes and HMAC
>> have this sometimes-vital property.
>
>This can be fixed quite easily:
>
>H'(x)=H(H(x || H(x)) || H(x))
I think this construction doesn't provide any additional security. If
someone manages to find x1 and x2 such that H(x1)=H(x2), he will have also
broken H'(x).

If you get h=H(x1)=H(x2) (of course we are talking about hash functions
using the same iterative model as SHA-1), then you would end up calculating
H(H(x1 || h) || h) vs H(H(x2 || h) || h), but since both x1 and x2 leave the
internal state of the hash function the same, H(x1 || h) = H(x2 || h) and
hence H'(x1) = H'(x2).
Cheers,
Pablo
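The argument in the message above, carried through on a toy iterated hash, as an added example that is not part of the original thread. It builds a deliberately weak Merkle-Damgard style hash (16-bit chaining state, 4-byte blocks, a constructed compression function; all of these are assumptions for illustration, not SHA-1 or MD5), finds two equal-length single-block messages whose chaining values coincide by brute force, and then checks that the collision survives both a common suffix and Ben's proposed H'(x) = H(H(x || H(x)) || H(x)). As in Pablo's argument, the collision assumed here is one that leaves the internal state equal at a block boundary for messages of the same length; that is the property the common-suffix step depends on.

```python
# Toy Merkle-Damgard hash showing that an internal-state collision in H
# carries over to H'(x) = H(H(x || H(x)) || H(x)).
# Added example, not code from the original message. The compression
# function, state width, block size and IV are constructed for illustration
# and are intentionally insecure.

import struct

BLOCK = 4           # bytes per block (constructed toy parameter)
STATE_BITS = 16     # constructed toy state width, small enough to brute-force
MASK = (1 << STATE_BITS) - 1
IV = 0x1234         # constructed initial chaining value


def compress(state: int, block: bytes) -> int:
    """Toy compression function: mixes a 4-byte block into a 16-bit state.
    Only the iterative (chaining) structure matters for the argument."""
    w = int.from_bytes(block, "big")
    for _ in range(3):
        state = ((state * 31) + (w & 0xFFFF) + (w >> 16)) & MASK
        state ^= (state << 5) & MASK
        state ^= state >> 3
        w = (w * 0x9E3779B1 + state) & 0xFFFFFFFF
    return state & MASK


def pad(msg: bytes) -> bytes:
    """MD-strengthening style padding: 0x80, zeros, then a 2-byte length."""
    out = msg + b"\x80"
    while len(out) % BLOCK != BLOCK - 2:
        out += b"\x00"
    return out + struct.pack(">H", len(msg) & 0xFFFF)


def H(msg: bytes) -> bytes:
    """Toy iterated hash: chain compress() over the padded message blocks."""
    state = IV
    data = pad(msg)
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state.to_bytes(2, "big")


def H_prime(msg: bytes) -> bytes:
    """The proposed construction H'(x) = H(H(x || H(x)) || H(x))."""
    h = H(msg)
    return H(H(msg + h) + h)


def internal_state(msg: bytes) -> int:
    """Chaining value after absorbing a block-aligned prefix (no padding)."""
    assert len(msg) % BLOCK == 0
    state = IV
    for i in range(0, len(msg), BLOCK):
        state = compress(state, msg[i:i + BLOCK])
    return state


def find_state_collision():
    """Birthday search for two distinct single-block messages that leave the
    chaining value equal. By the pigeonhole principle a collision is
    guaranteed within 2^16 + 1 distinct blocks; typically it appears after
    a few hundred."""
    seen = {}
    for n in range(1 << 17):
        blk = n.to_bytes(BLOCK, "big")
        s = internal_state(blk)
        if s in seen:
            return seen[s], blk
        seen[s] = blk
    raise RuntimeError("unreachable: pigeonhole guarantees a collision")


def collision_carries_over(suffix: bytes = b"tail"):
    """Return (x1 != x2, H(x1||suffix) == H(x2||suffix), H'(x1) == H'(x2)).
    Because x1 and x2 leave the same chaining value, every block processed
    afterwards (the suffix, the padding, the appended H(x)) starts from the
    same state, so all three should be True."""
    x1, x2 = find_state_collision()
    same_suffix_hash = H(x1 + suffix) == H(x2 + suffix)
    same_h_prime = H_prime(x1) == H_prime(x2)
    return x1 != x2, same_suffix_hash, same_h_prime


if __name__ == "__main__":
    x1, x2 = find_state_collision()
    print("x1 =", x1.hex(), "x2 =", x2.hex())
    print("H(x1) == H(x2):", H(x1) == H(x2))
    print("H'(x1) == H'(x2):", H_prime(x1) == H_prime(x2))
```

The point of the `internal_state` helper is to make explicit which kind of collision is being assumed: the two messages are the same length and agree on the chaining value at a block boundary, so `H(x1 || h)` and `H(x2 || h)` process identical blocks from identical states, and nothing that H' appends afterwards can separate them.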
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com