Propping up SHA-1 (or MD5)

Pablo Abad pabad at
Fri Mar 25 10:22:59 EST 2005


>> I believe the fatal flaw here is not the crypto, but losing the ability
>> to hash a stream without keeping all of it.  Both the hashes and HMAC
>> have this sometimes-vital property.
>This can be fixed quite easily:
>H'(x)=H(H(x || H(x)) || H(x))

I think this construction doesn't provide any additional security. If
someone manages to find x1 and x2 such that H(x1)=H(x2), he will have also
broken H'(x).

If you get h=H(x1)=H(x2) (of course we are talking about hash functions
using the same iterative model as SHA-1), then you would end up calculating
H(H(x1 || h) || h) vs H(H(x2 || h) || h), but since both x1 and x2 leave the
internal state of the hash function the same, H(x1 || h) = H(x2 || h) and
hence H'(x1) = H'(x2).
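The argument above, carried through in code as an added example (not part of the original post or of any library): a constructed 16-bit Merkle-Damgard style hash stands in for SHA-1, a birthday search finds two equal-length messages with the same H output, and the same pair is then shown to collide under the proposed H'(x) = H(H(x || H(x)) || H(x)) and under any appended suffix. The compression function, padding rule, IV and block size are all assumptions chosen so the collision is cheap to find; the structural point (output is the final chaining value, so a collision carries the internal state forward) is what the post relies on.

```python
"""Toy Merkle-Damgard hash showing that a collision in H survives the
H'(x) = H(H(x || H(x)) || H(x)) wrapper.  Added example, not from the
original post; the 16-bit hash is a constructed stand-in for SHA-1."""
import random

BLOCK = 2          # bytes per block (assumption: tiny so collisions are cheap)
IV = 0x1234        # constructed initial chaining value


def compress(state: int, block: bytes) -> int:
    """Constructed compression function on a 16-bit state.  Each step is a
    bijection in `state` for a fixed block, so equal final states imply
    equal chaining values after the message blocks (padding is identical
    for equal-length inputs)."""
    s = state ^ int.from_bytes(block, "big")
    s = (s * 0x9E37 + 0x79B9) & 0xFFFF      # odd multiplier: invertible mod 2^16
    s = ((s << 5) | (s >> 11)) & 0xFFFF     # 16-bit rotate left by 5
    s ^= s >> 7                             # xorshift, invertible
    return s


def pad(msg: bytes) -> bytes:
    """MD-strengthening style padding: 0x80, zeros, then a 2-byte bit length."""
    padded = msg + b"\x80"
    while (len(padded) + 2) % BLOCK:
        padded += b"\x00"
    return padded + ((len(msg) * 8) & 0xFFFF).to_bytes(2, "big")


def H(msg: bytes) -> bytes:
    """Iterated hash: the output IS the final chaining value, with no
    finalisation step, which is the structural property the post uses."""
    state = IV
    data = pad(msg)
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state.to_bytes(2, "big")


def H_prime(msg: bytes) -> bytes:
    """The proposed wrapper H'(x) = H(H(x || H(x)) || H(x)).  Note it needs
    x twice, which is why it cannot be computed over a stream."""
    h = H(msg)
    return H(H(msg + h) + h)


def find_collision(msg_len: int = 4, seed: int = 1):
    """Birthday search over random equal-length, block-aligned messages until
    two distinct ones share an H output (16-bit output: ~300 trials)."""
    assert msg_len % BLOCK == 0, "keep messages block-aligned for the suffix check"
    rng = random.Random(seed)   # fixed seed: deterministic result
    seen = {}
    while True:
        m = rng.getrandbits(8 * msg_len).to_bytes(msg_len, "big")
        h = H(m)
        if h in seen and seen[h] != m:
            return seen[h], m
        seen[h] = m


def collision_extends(x1: bytes, x2: bytes, suffix: bytes = b"any suffix") -> dict:
    """The post's claim: with H(x1) == H(x2) and equal lengths, the chaining
    state after x1 and x2 is identical, so every continuation collides too,
    H' included."""
    return {
        "H": H(x1) == H(x2),
        "H_prime": H_prime(x1) == H_prime(x2),
        "suffix": H(x1 + suffix) == H(x2 + suffix),
    }


if __name__ == "__main__":
    x1, x2 = find_collision()
    print("x1 =", x1.hex(), "x2 =", x2.hex(), "H =", H(x1).hex())
    print(collision_extends(x1, x2))
```

Running it prints a colliding pair and a dictionary with every check true. The search deliberately draws random messages rather than a counter: with a compression function that is bijective in the block, messages differing only in the last block never collide, so a sequential scan would take the full 2^16 steps before the first block changed.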


