[saag] Propping up SHA-1 (or MD5)
Ben Laurie
ben at algroup.co.uk
Tue Mar 22 14:34:29 EST 2005
Nicolas Williams wrote:
> On Tue, Mar 22, 2005 at 05:31:44PM +0000, Ben Laurie wrote:
>
>>Nicolas Williams wrote:
>>
>>>Now that we know that the attack is a differential cryptanalysis where
>>>the attacker has to control the first pair of blocks of the original
>>>message anything that makes it hard for the attacker to do this helps.
>>>
>>>H'(x) = H(H(x)) might do that trick, and on-line, but surely there are
>>>problems with that too (IANAC).
>>
>>This construction cannot solve the problem since H(x)=H(x') =>
>>H(H(x))=H(H(x')).
>
> But it changes the attacker's problem.
>
> Currently the attacker has to find a first block of a weak message, then
> find the second block of the same, then he can generate collisions at
> will. The weak message generation requires some effort, and surely --
> huge assumption here -- it takes more effort to find a weak message
> whose hash is also a weak message.
The hash does not need to be weak, since the two hashes are the same,
and so their hashes are also the same.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
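The point Ben makes above, that H(x) = H(x') forces H(H(x)) = H(H(x')), can be checked directly. The following is an added example, not code from the thread: it uses a deliberately weak toy hash (SHA-1 truncated to two bytes, so a collision is found by brute force in a few hundred tries), finds one colliding pair, and shows that the same pair also collides under the double-hash construction. The function names H, H2 and find_collision are assumptions of this example.

```python
import hashlib
from itertools import count


def H(data: bytes, nbytes: int = 2) -> bytes:
    """Toy hash for demonstration: SHA-1 truncated to `nbytes` bytes.

    Truncation makes collisions cheap to find; the argument below does not
    depend on the truncation, only on H being a deterministic function.
    """
    return hashlib.sha1(data).digest()[:nbytes]


def H2(data: bytes, nbytes: int = 2) -> bytes:
    """The proposed construction H'(x) = H(H(x))."""
    return H(H(data, nbytes), nbytes)


def find_collision(nbytes: int = 2) -> tuple[bytes, bytes]:
    """Birthday-search a collision on the toy hash over constructed messages.

    Messages are the constructed strings b"msg-0", b"msg-1", ... and the
    first two distinct messages with equal H output are returned.
    """
    seen: dict[bytes, bytes] = {}
    for i in count():
        m = b"msg-%d" % i
        h = H(m, nbytes)
        if h in seen and seen[h] != m:
            return seen[h], m
        seen[h] = m


def double_hash_inherits_collision(nbytes: int = 2) -> bool:
    """Return True if a collision on H is also a collision on H(H(.)).

    This always holds: H2 only sees H(x), and H(x) == H(x') by construction,
    so the attacker's colliding pair needs no extra work at all.
    """
    x, x2 = find_collision(nbytes)
    assert x != x2 and H(x, nbytes) == H(x2, nbytes)
    return H2(x, nbytes) == H2(x2, nbytes)


if __name__ == "__main__":
    x, x2 = find_collision()
    print("colliding inputs:", x, x2)
    print("H(x) == H(x'):", H(x) == H(x2))
    print("H(H(x)) == H(H(x')):", double_hash_inherits_collision())
```

The search is over the toy 16-bit hash only; the conclusion carries to any output size because no property of H beyond determinism is used, which is exactly why the construction changes nothing about the collision itself.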
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com