[Cryptography] Signature Hashing Choices ... So Many Choices ...

Florian Weimer fw at deneb.enyo.de
Mon Oct 23 17:58:03 EDT 2017


* Andrew Donoho:

> hash(preamble || BLOB) != hash(preamble || hash(BLOB))
>
> To my cryptographically unsophisticated eye, they look to be
> equivalently secure. Are they?

If the hash function is broken, it may be possible to generate
collisions for hash(BLOB) (and thus hash(preamble || hash(BLOB)),
independently of the preamble value), but not for hash(preamble ||
BLOB), particularly if you need to commit to a specific value of BLOB
before you can learn (or predict with reasonable probability) the
preamble.

In many cases, this helped to extend the practical lifetime of MD5 and
SHA-1, beyond the point where collision resistance for the unadorned
hash function has been demonstrated not to exist.
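The structural point above, as an added Python example (not code from this thread or from Florian Weimer). Instead of a real MD5 or SHA-1 collision it uses `weak_hash`, an assumed stand-in that truncates SHA-256 to 24 bits so a birthday search finds a colliding pair of BLOBs in a few thousand steps; the function and variable names, and the sample preambles, are constructed for the illustration. A collision found on BLOB alone passes straight through hash(preamble || hash(BLOB)) for every preamble, but does nothing against hash(preamble || BLOB) unless the attacker already knew the preamble when searching.

```python
"""Toy demonstration of why hash(preamble || hash(BLOB)) inherits a
collision in hash(BLOB) while hash(preamble || BLOB) does not, unless
the preamble was known before the collision search."""
import hashlib
import itertools

# Stand-in for a hash whose collision resistance has fallen: SHA-256
# truncated to 3 bytes. Collisions cost roughly 2^12 evaluations.
DIGEST_BYTES = 3


def weak_hash(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()[:DIGEST_BYTES]


def find_collision(prefix: bytes = b"blob-") -> tuple[bytes, bytes]:
    """Birthday search over deterministically enumerated inputs that all
    start with `prefix`; returns two distinct inputs with equal weak_hash."""
    seen: dict[bytes, bytes] = {}
    for i in itertools.count():
        candidate = prefix + str(i).encode()
        h = weak_hash(candidate)
        if h in seen:
            return seen[h], candidate
        seen[h] = candidate
    raise AssertionError("unreachable")  # count() never ends


def hash_then_hash(preamble: bytes, blob: bytes) -> bytes:
    """Construction 2 from the thread: hash(preamble || hash(BLOB))."""
    return weak_hash(preamble + weak_hash(blob))


def hash_direct(preamble: bytes, blob: bytes) -> bytes:
    """Construction 1 from the thread: hash(preamble || BLOB)."""
    return weak_hash(preamble + blob)


def attacker_commits_first(preamble: bytes) -> dict[str, bool]:
    """Attacker finds colliding BLOBs without knowing the preamble, which
    the signer supplies afterwards (e.g. a timestamp or nonce)."""
    b1, b2 = find_collision()
    return {
        "blobs_collide": weak_hash(b1) == weak_hash(b2),
        "hash_then_hash_collides": hash_then_hash(preamble, b1) == hash_then_hash(preamble, b2),
        "hash_direct_collides": hash_direct(preamble, b1) == hash_direct(preamble, b2),
    }


def attacker_knows_preamble(preamble: bytes) -> bool:
    """If the preamble is predictable, the attacker simply searches for a
    collision on preamble || BLOB, and construction 1 falls as well."""
    c1, c2 = find_collision(prefix=preamble)
    b1, b2 = c1[len(preamble):], c2[len(preamble):]
    return hash_direct(preamble, b1) == hash_direct(preamble, b2)


if __name__ == "__main__":
    # Constructed sample preambles; in practice a signer-chosen value.
    for p in (b"v1|2017-10-23|", b"nonce:8f2a|"):
        print(p, attacker_commits_first(p),
              "known-preamble attack on direct form:", attacker_knows_preamble(p))
```

Run it and the `hash_then_hash_collides` flag is True for every preamble while `hash_direct_collides` stays False; `attacker_knows_preamble` shows the condition Florian states: the direct form only helps when BLOB must be committed before the preamble can be learned or predicted.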


More information about the cryptography mailing list