hedging our bets -- in case SHA-256 turns out to be insecure
Jerry Leichter
leichter at lrw.com
Sun Nov 8 22:11:57 EST 2009
On Nov 8, 2009, at 6:30 AM, Zooko Wilcox-O'Hearn wrote:
> I propose the following combined hash function C, built out of two
> hash functions H1 and H2:
>
> C(x) = H1(H1(x) || H2(x))
I'd worry about using this construction if H1's input block and output
size were the same, since one might be able to leverage some kind of
extension attack. That's not a problem for SHA256 or SHA512, but it's
something to keep in mind if this is supposed to be a general
construction, given that all likely hash functions will be constructed
by some kind of iteration over fixed-size blocks.
Rather than simply concatenating H1(x) and H2(x), you might do better
to interlace them. Even alternating bytes - cheap enough that you'd
never notice - should break up any structure that designs of practical
hash functions might exhibit. (As a matter of theory, a vulnerability
of alternate bytes is as likely as a vulnerability of leading bytes;
but given the way we actually build hash functions, as a practical
matter the latter seems much more likely.)
-- Jerry
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list