[379] in cryptography@c2.net mail archive

Re: Q: security of 2-barreled hashing

daemon@ATHENA.MIT.EDU (David Wagner)
Tue Mar 18 21:29:39 1997

To: cryptography@c2.net
From: daw@cs.berkeley.edu (David Wagner)
Date: 18 Mar 1997 14:05:32 -0800

In article <199703180010.LAA13700@mippet.ci.com.au>,
Munro Saunders  <munro@ci.com.au> wrote:
> My modification (where "," is concatenation):
> 
> 	Superhash(M) = ( CRC(M , SHA1(M)) , SHA1(M) )
> 
> Can anyone see anything wrong with this?

Yeah.  This modification to Bill Stewart's proposal also falls to the
same attacks on the original proposal that I posted.

For inversion: you know SHA1(M), so given CRC(M,SHA1(M)) you can easily
calculate CRC(M) [easy: linear algebra], and then use the attacks I
previously posted.

For collision-resistance: if CRC(M) = CRC(M') and SHA1(M) = SHA1(M'),
then M,M' form a collision for Superhash:
	Superhash(M) = CRC(M, SHA1(M)) = CRC(M, SHA1(M'))
		= CRC(M', SHA1(M')) = Superhash(M').
Now you can find M,M' using the attacks I previously posted.

So your variant is no more secure than Bill Stewart's original proposal.
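
The inversion step described in this message, as an added example that is not part of the original post: given both halves of Superhash(M), the known SHA1(M) suffix can be peeled off the CRC to recover CRC(M). It assumes the CRC is zlib's CRC-32 (the post does not name one); the function names are hypothetical.

```python
import hashlib
import zlib

# Byte-wise table for the reflected CRC-32 polynomial used by zlib (assumed CRC).
POLY = 0xEDB88320
TABLE = []
for i in range(256):
    r = i
    for _ in range(8):
        r = (r >> 1) ^ (POLY if r & 1 else 0)
    TABLE.append(r)
# The top byte of every table entry is distinct, so each CRC step can be undone.
TOP_TO_INDEX = {t >> 24: i for i, t in enumerate(TABLE)}

def superhash(m: bytes):
    """The quoted construction: ( CRC(M , SHA1(M)) , SHA1(M) )."""
    digest = hashlib.sha1(m).digest()
    return zlib.crc32(m + digest), digest

def crc_of_prefix(crc_total: int, suffix: bytes) -> int:
    """Given CRC(prefix || suffix) and the suffix, return CRC(prefix)."""
    reg = crc_total ^ 0xFFFFFFFF        # undo the final XOR to get the register
    for b in reversed(suffix):
        i = TOP_TO_INDEX[reg >> 24]     # table index used by the forward step
        reg = (((reg ^ TABLE[i]) << 8) | (i ^ b)) & 0xFFFFFFFF
    return reg ^ 0xFFFFFFFF

def crc_component(crc_m: int, digest: bytes) -> int:
    """CRC(M , SHA1(M)) computed from CRC(M) and SHA1(M) alone, without M."""
    return zlib.crc32(digest, crc_m)

if __name__ == "__main__":
    m = b"constructed sample message"   # constructed input
    crc_total, digest = superhash(m)
    recovered = crc_of_prefix(crc_total, digest)
    print(hex(recovered), recovered == zlib.crc32(m))
    # The first component depends on M only through CRC(M) and SHA1(M):
    print(crc_component(zlib.crc32(m), digest) == crc_total)
```

Because the first component is a function of CRC(M) and SHA1(M) only, two messages that agree on both values necessarily agree on Superhash, which is the collision argument in the message above.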
