Propping up SHA-1 (or MD5)

Ben Laurie ben at
Tue Mar 22 11:51:12 EST 2005

Barney Wolff wrote:
> On Mon, Mar 21, 2005 at 11:56:44AM +0000, Ben Laurie wrote:
>>Musing on these points, I wondered about the construction:
>>H'(x)=H(H(x) || H(H(x) || x))
>>which doesn't allow an attacker any choice, doesn't change APIs and 
>>doesn't change the length of the hash. Does this have any merit? Note 
>>that this is essentially an HMAC where the key is H(x). I omitted the 
>>padding because it seems to me that this actually makes HMAC weaker 
>>against the current attacks.
> I believe the fatal flaw here is not the crypto, but losing the ability
> to hash a stream without keeping all of it.  Both the hashes and HMAC
> have this sometimes-vital property.

This can be fixed quite easily:

H'(x)=H(H(x || H(x)) || H(x))




"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list