splints for broken hash functions

Ivan Krstic krstic at fas.harvard.edu
Sun Aug 29 08:40:22 EDT 2004


John Denker wrote:
> Here's another splint using the same general idea, but
> with less complexity:  calculate the hash once then
> prepend that to the message and hash again, i.e.
>    hash3(M) := hash1[hash1(M) (+) M]

This is Schneier's and Ferguson's solution to then-known hash function 
weaknesses in Practical Cryptography, Wiley Publishing, 2003:

"We do not know of any literature about how to fix the hash functions, 
but here is what we came up with when writing this book. ... Let h be 
one of the hash functions mentioned above. Instead of m->h(m), we use 
m->h(h(m) || m) as hash function. Effectively we put h(m) before the 
message we are hashing. This ensures that the iterative hash 
computations immediately depend on all the bits of the message, and no 
partial-message or length extension attacks can work. ... The 
disadvantage of this approach is that it is slow ... Another 
disadvantage is that this approach requires the whole message m to be 
buffered. You can no longer compute the hash of a stream of data as it 
passes by" (p. 93).

Cheers,
Ivan.
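The construction quoted above, m -> h(h(m) || m), as an added illustration that is not part of the original thread or of Practical Cryptography: SHA-256 stands in for the generic h (an assumption; the book's h is simply "one of the hash functions mentioned above"). The incremental class makes the buffering disadvantage visible, and the two-pass variant shows the usual way around it when the input is seekable.

```python
import hashlib
import io

# Assumption: SHA-256 stands in for the generic h of the thread.
H = hashlib.sha256


def prefix_hash(m: bytes) -> bytes:
    """h(h(m) || m): the Ferguson/Schneier 'splint', computed in one shot."""
    return H(H(m).digest() + m).digest()


class PrefixHash:
    """Incremental interface for h(h(m) || m).

    The inner h(m) can absorb data as it arrives, but the outer hash cannot
    start until h(m) is final, so every chunk has to be retained until
    digest() is called. That retained data is the buffering cost quoted above.
    """

    def __init__(self):
        self._inner = H()
        self._chunks = []
        self.buffered = 0  # bytes currently held in memory

    def update(self, data: bytes) -> None:
        self._inner.update(data)
        self._chunks.append(bytes(data))
        self.buffered += len(data)

    def digest(self) -> bytes:
        outer = H(self._inner.digest())  # outer hash starts with h(m)
        for c in self._chunks:
            outer.update(c)  # ... followed by the whole message again
        return outer.digest()


def prefix_hash_file(f, chunk: int = 1 << 16) -> bytes:
    """Two-pass variant for seekable input: re-read the data instead of
    buffering it, trading a second pass for O(1) memory."""
    f.seek(0)
    inner = H()
    for block in iter(lambda: f.read(chunk), b""):
        inner.update(block)
    outer = H(inner.digest())
    f.seek(0)
    for block in iter(lambda: f.read(chunk), b""):
        outer.update(block)
    return outer.digest()


def check_consistency(m: bytes, chunk: int = 7) -> bool:
    """Run m through all three paths and confirm they agree."""
    inc = PrefixHash()
    for i in range(0, len(m), chunk):
        inc.update(m[i:i + chunk])
    assert inc.buffered == len(m)  # the whole message had to be retained
    two_pass = prefix_hash_file(io.BytesIO(m), chunk)
    return prefix_hash(m) == inc.digest() == two_pass
```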

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
