[saag] Propping up SHA-1 (or MD5)
Ben Laurie
ben at algroup.co.uk
Tue Mar 22 12:31:44 EST 2005
Nicolas Williams wrote:
> On Mon, Mar 21, 2005 at 11:56:44AM +0000, Ben Laurie wrote:
>
>>It was suggested at the SAAG meeting at the Minneapolis IETF that a way
>>to deal with weakness in hash functions was to create a new hash
>>function from the old like so:
>>
>>H'(x)=Random || H(Random || x)
>
>
> Eric proposed sending Random, Signature(H(Random || M)) and I then
> proposed sending Random || Signature(H(Random || M)) to avoid having to
> add a slot in existing protocols for Random.
>
> Another alternative: send Random-Key || Signature(HMAC(H(), Random-Key, M).
>
>
>>However, this allows an attacker to play with Random (the advice I've
>>seen is that if one is going to use an IV with a hash function, then one
>>should transfer the IV with integrity checks to deny attackers this
>>freedom).
>
>
> This proposal is specific to the use of hashes in signatures.
>
>
>>Another objection is that this construction changes the API at the
>>sender end, which could lead to a great deal of complexity when the use
>>of the hash API is deeply embedded.
>
>
> Yes.
>
>
>>A third is that the length of the hash is changed, which could break
>>existing protocols.
>
>
> Tie this to new algorithm OIDs and this problem goes away. You still
> have to figure out how to deploy new software.
>
>
>>Musing on these points, I wondered about the construction:
>>
>>H'(x)=H(H(x) || H(H(x) || x))
>
>
> Note that this is not on-line.
>
>
>>which doesn't allow an attacker any choice, doesn't change APIs and
>>doesn't change the length of the hash. Does this have any merit? Note
>>that this is essentially an HMAC where the key is H(x). I omitted the
>>padding because it seems to me that this actually makes HMAC weaker
>>against the current attacks.
>
>
> Yes.
>
> Now that we know that the attack is a differential cryptanalysis where
> the attacker has to control the first pair of blocks of the original
> message anything that makes it hard for the attacker to do this helps.
>
> H'(x) = H(H(x))) might do that trick, and on-line, but surely there's
> problems with that too (IANAC).
This construction cannot solve the problem since H(x)=H(x') =>
H(H(x))=H(H(x')).
> Note that the attack implies that there exist weak messages, and Wang
> et. al. explicitly mention this in the paper on breaking MD4, and they
> mention the use of weak messages in second pre-image computation -- if a
> given message begins with a weak block pair then you can construct
> second pre-images. It'd be nice to know what the weak message
> distribution is for MD5 and SHA-1...
Wouldn't it?
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list