[saag] Propping up SHA-1 (or MD5)

Ben Laurie ben at algroup.co.uk
Tue Mar 22 14:34:29 EST 2005


Nicolas Williams wrote:
> On Tue, Mar 22, 2005 at 05:31:44PM +0000, Ben Laurie wrote:
> 
>>Nicolas Williams wrote:
>>
>>>Now that we know that the attack is a differential cryptanalysis where
>>>the attacker has to control the first pair of blocks of the original
>>>message anything that makes it hard for the attacker to do this helps.
>>>
>>>H'(x) = H(H(x)) might do that trick, and on-line, but surely there's
>>>problems with that too (IANAC).
>>
>>This construction cannot solve the problem since H(x)=H(x') => 
>>H(H(x))=H(H(x')).
> 
> 
> But it changes the attacker's problem.
> 
> Currently the attacker has to find a first block of a weak message, then
> find the second block of the same, then he can generate collisions at
> will.  The weak message generation requires some effort, and surely --
> huge assumption here -- it takes more effort to find a weak message
> whose hash is also a weak message.

The hash does not need to be weak, since the two hashes are the same, 
and so their hashes are also the same.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
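The exchange above turns on one observation: a collision in H is preserved by any deterministic post-processing of H's output, so H'(x) = H(H(x)) cannot remove it. The script below is an added illustration, not code from the thread or from either poster. It uses a truncated SHA-1 (an assumption made so that a collision is cheap to find by a birthday search; the page gives no concrete colliding pair) as a stand-in H, and then checks that the colliding pair still collides under H(H(x)) and under any other function applied to the digest.

```python
import hashlib
import itertools
from typing import Callable, Tuple

# Toy stand-in for H: SHA-1 truncated to `nbytes` bytes. Chosen only so a
# collision can be found in a fraction of a second; it is not the attack
# discussed in the thread, just a source of colliding inputs.
def toy_hash(data: bytes, nbytes: int = 2) -> bytes:
    return hashlib.sha1(data).digest()[:nbytes]

# The construction proposed in the quoted mail: H'(x) = H(H(x)).
def double_hash(data: bytes, nbytes: int = 2) -> bytes:
    return toy_hash(toy_hash(data, nbytes), nbytes)

# Birthday search over constructed messages "msg-0", "msg-1", ...; returns
# two distinct inputs with equal toy_hash.
def find_collision(nbytes: int = 2) -> Tuple[bytes, bytes]:
    seen = {}
    for i in itertools.count():
        m = b"msg-%d" % i
        h = toy_hash(m, nbytes)
        if h in seen:
            return seen[h], m
        seen[h] = m

# Generalisation of Ben Laurie's point: for any deterministic f,
# H(x) == H(x') implies f(H(x)) == f(H(x')).  Returns True when every
# post-processing function supplied still sees the two inputs collide.
def collision_survives(x: bytes, x_prime: bytes,
                       posts: Tuple[Callable[[bytes], bytes], ...],
                       nbytes: int = 2) -> bool:
    hx, hxp = toy_hash(x, nbytes), toy_hash(x_prime, nbytes)
    if x == x_prime or hx != hxp:
        return False
    return all(f(hx) == f(hxp) for f in posts)

def demo(nbytes: int = 2) -> bool:
    x, x_prime = find_collision(nbytes)
    posts = (
        lambda d: toy_hash(d, nbytes),          # H(H(x)), the proposal
        lambda d: hashlib.sha256(d).digest(),   # a different outer hash
        lambda d: hashlib.sha1(d * 3).digest(), # any deterministic mangling
    )
    ok = collision_survives(x, x_prime, posts, nbytes)
    print("H collision:", x, x_prime, toy_hash(x, nbytes).hex())
    print("H(H(x)) also collides:",
          double_hash(x, nbytes) == double_hash(x_prime, nbytes))
    return ok

if __name__ == "__main__":
    demo()
```

The search needs only a few hundred trials for a 16-bit digest; raising `nbytes` makes the collision harder to find but changes nothing about the conclusion, which is the point of the mail: once H(x) = H(x') holds, nothing computed from those equal digests can tell x and x' apart.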
