[18106] in cryptography@c2.net mail archive
Possible non-extension property for hash functions
daemon@ATHENA.MIT.EDU (Bill Frantz)
Sat Aug 6 20:55:01 2005
X-Original-To: cryptography@metzdowd.com
Date: Sat, 6 Aug 2005 15:27:40 -0700
From: Bill Frantz <frantz@pwpconsult.com>
To: cryptography@metzdowd.com
In-Reply-To: <20050721141111.D29AC3BFF12@berkshire.machshav.com>
In Steve Bellovin and Eric Rescorla's paper, "Deploying a New Hash Algorithm"*, the authors note the well known property of hash functions:
For two different strings x and y,
H(x) = H(y) ==> H(x||s) = H(y||s)
It seems to me that there might be a class of hash functions for which this property did not hold. While hashes in this class might require random access to the entire input, they could prevent the "message extension" class of attack exploited by Lucks and Daum (see <http://th.informatik.uni-mannheim.de/people/lucks/HashCollisions>) when they generated two Postscript files with very different output, but the same MD5 hash.
* A draft of Bellovin and Rescorla's paper is available at <http://www.cs.columbia.edu/~smb/papers/new-hash.ps> and <http://www.cs.columbia.edu/~smb/papers/new-hash.pdf>.
Cheers - Bill
---------------------------------------------------------------------
Bill Frantz | The first thing you need | Periwinkle
(408)356-8506 | when using a perimeter | 16345 Englewood Ave
www.pwpconsult.com | defense is a perimeter. | Los Gatos, CA 95032
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
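
The property quoted in the message, H(x) = H(y) ==> H(x||s) = H(y||s), shown on a toy iterated hash. This is an added example, not part of the original message or of the cited paper. The 16-bit state, the 8-byte block size and all function names are assumptions chosen so a collision is cheap to find; the contrast function is only a stand-in whose output collision is not an internal-state collision, not the construction the author has in mind.

```python
import hashlib

BLOCK = 8              # toy block size in bytes (assumption)
STATE = 2              # toy 16-bit chaining value, so collisions are cheap
IV = b"\x00" * STATE   # fixed initial chaining value (assumption)

def compress(state: bytes, block: bytes) -> bytes:
    """Toy compression function: truncated SHA-256 of state || block."""
    return hashlib.sha256(state + block).digest()[:STATE]

def md_hash(msg: bytes) -> bytes:
    """Iterated (Merkle-Damgard style) hash with length padding."""
    padded = msg + b"\x80" + b"\x00" * (-(len(msg) + 1 + 8) % BLOCK)
    padded += len(msg).to_bytes(8, "big")
    state = IV
    for i in range(0, len(padded), BLOCK):
        state = compress(state, padded[i:i + BLOCK])
    return state

def whole_input_hash(msg: bytes) -> bytes:
    """Contrast: same 16-bit output, but it is a truncation of a much wider
    internal state, so an output collision is not a state collision."""
    return hashlib.sha256(msg).digest()[:STATE]

def find_collision(f):
    """Birthday search over one-block inputs for f(x) == f(y), x != y."""
    seen = {}
    for i in range(1 << 17):   # pigeonhole: at most 65537 tries for 16 bits
        m = i.to_bytes(BLOCK, "big")
        d = f(m)
        if d in seen:
            return seen[d], m
        seen[d] = m
    raise RuntimeError("no collision found")

def extends(h, x: bytes, y: bytes, suffixes) -> bool:
    """True if h(x||s) == h(y||s) for every suffix s."""
    return all(h(x + s) == h(y + s) for s in suffixes)

# Constructed sample suffixes of different lengths.
SUFFIXES = [b"s", b" and more text", b"\x00" * 17, b"a much longer common tail"]

if __name__ == "__main__":
    # Collide the chaining value after one full block of the iterated hash.
    x, y = find_collision(lambda m: compress(IV, m))
    print("iterated   ", x.hex(), y.hex(), extends(md_hash, x, y, SUFFIXES))
    u, v = find_collision(whole_input_hash)
    print("whole-input", u.hex(), v.hex(), extends(whole_input_hash, u, v, SUFFIXES))
```

The iterated hash keeps the collision for every suffix because both inputs leave the same chaining value behind; for the contrast function each suffix matches only by chance (about 1 in 65536).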