Crypto is usually about economics and scalability. If you're doing this for DOS/DDOS prevention, you don't need the NP-completeness perfection you get from Hamiltonian paths or similar problems - SHA is fine, or any other hash that's quick to verify and hard to reverse. Even MD5 is probably still ok... Calculating any of the hashes probably takes less time than handling the packets does.
It's almost certainly better for you if they harass you by sending you bogus SHA pieces that you can process quickly than bogus DH pieces that take you a while, and if it's not too distributed an attack, you can also blacklist senders' IP addresses. At present I'm skeptical about the need for that kind of protection - a simple UDP or TCP handshake and maybe a Photuris cookie are enough to take care of most forgery attacks and let you blacklist hostile senders. But malware writers are tenacious bastards, and perhaps there are or will be applications where this sort of protection could be useful - merely insisting that attackers use _your_ protocol is probably enough to cut down on 99.99% of attacks unless you get the protocol widely adopted.
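The cost asymmetry discussed in this message, as an added example that is not part of the original post: a hashcash-style SHA-256 puzzle bound to a stateless cookie (an HMAC over the client address and issue time), so the server rejects a bogus submission with one HMAC and at most one hash. The function names, server key, difficulty and challenge lifetime are assumptions chosen for illustration.

```python
import hashlib, hmac, os, struct, time

SERVER_KEY = os.urandom(32)   # hypothetical per-server secret, rotated periodically
DIFFICULTY_BITS = 16          # assumed work factor: about 2**16 hashes for the client
MAX_AGE = 60                  # assumed challenge lifetime in seconds

def _tag(client_ip: str, issued: int, nonce: bytes) -> bytes:
    msg = client_ip.encode() + struct.pack(">Q", issued) + nonce
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()[:16]

def issue_challenge(client_ip: str, now=None) -> bytes:
    """Stateless: the server stores nothing; the MAC binds the challenge to IP and time."""
    issued = int(time.time() if now is None else now)
    nonce = os.urandom(8)
    return struct.pack(">Q", issued) + nonce + _tag(client_ip, issued, nonce)

def leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def solve(challenge: bytes, bits: int = DIFFICULTY_BITS) -> int:
    """Client side: brute-force a counter, about 2**bits hashes on average."""
    counter = 0
    while True:
        d = hashlib.sha256(challenge + struct.pack(">Q", counter)).digest()
        if leading_zero_bits(d) >= bits:
            return counter
        counter += 1

def verify(client_ip, challenge, counter, now=None, bits=DIFFICULTY_BITS) -> bool:
    """Server side: one HMAC, then one SHA-256, however bogus the input is."""
    if len(challenge) != 32 or not 0 <= counter < 2**64:
        return False
    issued = struct.unpack(">Q", challenge[:8])[0]
    nonce, tag = challenge[8:16], challenge[16:]
    now = time.time() if now is None else now
    if not hmac.compare_digest(tag, _tag(client_ip, issued, nonce)):
        return False              # forged, or issued to a different address
    if not 0 <= now - issued <= MAX_AGE:
        return False              # stale challenge
    d = hashlib.sha256(challenge + struct.pack(">Q", counter)).digest()
    return leading_zero_bits(d) >= bits
```

A solved challenge stays valid until `MAX_AGE` expires, so a deployment would also track used nonces or keep the lifetime short.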