splints for broken hash functions
Ivan Krstic
krstic at fas.harvard.edu
Sun Aug 29 08:40:22 EDT 2004
John Denker wrote:
> Here's another splint using the same general idea, but
> with less complexity: calculate the hash once then
> prepend that to the message and hash again, i.e.
> hash3(M) := hash1[hash1(M) (+) M]
This is Schneier and Ferguson's solution to then-known hash function
weaknesses in Practical Cryptography, Wiley Publishing, 2003:
"We do not know of any literature about how to fix the hash functions,
but here is what we came up with when writing this book. ... Let h be
one of the hash functions mentioned above. Instead of m->h(m), we use
m->h(h(m) || m) as hash function. Effectively we put h(m) before the
message we are hashing. This ensures that the iterative hash
computations immediately depend on all the bits of the message, and no
partial-message or length extension attacks can work. ... The
disadvantage of this approach is that it is slow ... Another
disadvantage is that this approach requires the whole message m to be
buffered. You can no longer compute the hash of a stream of data as it
passes by" (p. 93).
Cheers,
Ivan.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com