hedging our bets -- in case SHA-256 turns out to be insecure

Jerry Leichter leichter at lrw.com
Sun Nov 8 22:11:57 EST 2009

On Nov 8, 2009, at 6:30 AM, Zooko Wilcox-O'Hearn wrote:
> I propose the following combined hash function C, built out of two  
> hash functions H1 and H2:
> C(x) = H1(H1(x) || H2(x))
I'd worry about using this construction if H1's input block and output  
size were the same, since one might be able to leverage some kind of  
extension attack.  That's not a problem for SHA256 or SHA512, but it's  
something to keep in mind if this is supposed to be a general  
construction, given that all likely hash functions will be constructed  
by some kind of iteration over fixed-size blocks.

Rather than simply concatenating H1(x) and H2(x), you might do better  
to interlace them.  Even alternating bytes - cheap enough that you'd  
never notice - should break up any structure that designs of practical  
hash functions might exhibit.  (As a matter of theory, a vulnerability  
of alternate bytes is as likely as a vulnerability of leading bytes;  
but given the way we actually build hash functions, as a practical  
matter the latter seems much more likely.)
                                                         -- Jerry
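As an added illustration that is not part of either message, the following Python sketch implements Zooko's combined construction C(x) = H1(H1(x) || H2(x)) alongside the byte-interlaced variant Jerry suggests, and exposes the block-size/digest-size check behind his extension-attack caveat. It assumes H1 = SHA-256 and H2 = SHA-512 from hashlib; the function names and the way the longer SHA-512 digest's tail is handled after interlacing are this example's own choices, not anything the thread specifies.

```python
import hashlib

# Assumption for this example: H1 = SHA-256, H2 = SHA-512 (both from hashlib).
H1 = hashlib.sha256
H2 = hashlib.sha512


def hash_sizes(name: str) -> tuple:
    """Return (input block size, output size) in bytes for a hashlib algorithm.

    Jerry's caveat applies when these are equal; for SHA-256 and SHA-512
    the block is twice the digest, so the digests of H1(x) and H2(x)
    never fill a whole input block the way an extension attack would need.
    """
    h = hashlib.new(name)
    return (h.block_size, h.digest_size)


def same_block_and_output(name: str) -> bool:
    """True when the construction should be used with extra care (per the post)."""
    block, out = hash_sizes(name)
    return block == out


def combined_concat(x: bytes) -> bytes:
    """Zooko's C(x) = H1(H1(x) || H2(x)) with plain concatenation."""
    inner = H1(x).digest() + H2(x).digest()
    return H1(inner).digest()


def interlace(a: bytes, b: bytes) -> bytes:
    """Alternate bytes of a and b.

    The two digests differ in length (32 vs 64 bytes here), so once the
    shorter one is exhausted the remainder of the longer is appended.
    That tail handling is this example's choice, not the post's.
    """
    n = min(len(a), len(b))
    out = bytearray()
    for i in range(n):
        out.append(a[i])
        out.append(b[i])
    out += a[n:]
    out += b[n:]
    return bytes(out)


def combined_interlaced(x: bytes) -> bytes:
    """Jerry's variant: interlace the two digests before the outer H1 call."""
    inner = interlace(H1(x).digest(), H2(x).digest())
    return H1(inner).digest()


if __name__ == "__main__":
    # Constructed sample input for a quick run.
    msg = b"hedging our bets"
    print("sha256 (block, digest):", hash_sizes("sha256"))
    print("sha512 (block, digest):", hash_sizes("sha512"))
    print("concat    :", combined_concat(msg).hex())
    print("interlaced:", combined_interlaced(msg).hex())
```

The outer call is always H1, so both variants produce a 32-byte output with this parameter choice; only the layout of the 96-byte inner input differs.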

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com