On 04/13/2012 01:52 AM, Zooko Wilcox-O'Hearn wrote:

HASH_d(x) = HASH(HASH(x))

I pretty much always use the HASH_d technique, and that way I don't
have to spend time figuring out what length-extension attacks can or
can't do to my designs.

But now SHA-2 takes a 50% performance hit on messages of 55 bytes and shorter. Sometimes these messages are very common. For example, it's around half of TCP packets, and guaranteed to be at least half of all messages processed by the hash in HMAC constructions. So something like IPsec AH would see around a 66% loss in performance if its bottleneck were actually the authentication (estimating from a handy packet capture).

Maybe you wouldn't use SHA-2-d with HMAC? But now you're back to "figuring out what length-extension can do to your designs". Can you even always know in advance how your protocol will be used?

Also, the H(H(m)) construct doesn't seem to address those other ways in which SHA-2 differs from the ideal. But hopefully those will remain theoretical for SHA-2.

- Marsh
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
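A worked check of the block-count arithmetic behind the 55-byte / 50% figure above, added here as an example that is not part of the thread, and extended to the HMAC case. It assumes SHA-256 as the SHA-2 instance (64-byte block, 32-byte digest, 9 bytes of mandatory padding); the function names are this example's own.

```python
import hashlib

# SHA-256 parameters: Merkle-Damgard with a 64-byte block and 9 bytes of
# mandatory padding (one 0x80 byte plus a 64-bit message-length field).
BLOCK = 64
DIGEST = 32
PAD_MIN = 9


def sha256_blocks(msg_len: int) -> int:
    """Compression-function calls SHA-256 spends on a message of msg_len bytes."""
    return (msg_len + PAD_MIN + BLOCK - 1) // BLOCK


def sha256d_blocks(msg_len: int) -> int:
    """Calls for SHA-256d(m) = SHA-256(SHA-256(m)). The outer hash always costs
    exactly one block, because DIGEST + PAD_MIN = 41 fits in a single block."""
    return sha256_blocks(msg_len) + sha256_blocks(DIGEST)


def throughput_ratio(msg_len: int) -> float:
    """Speed of SHA-256d relative to SHA-256 at this length (1.0 = no loss)."""
    return sha256_blocks(msg_len) / sha256d_blocks(msg_len)


def hmac_blocks(msg_len: int, double: bool = False) -> int:
    """Calls for HMAC with a block-sized key: inner hash of (K^ipad || m), outer
    hash of (K^opad || inner_digest). double=True swaps each hash for SHA-256d."""
    f = sha256d_blocks if double else sha256_blocks
    return f(BLOCK + msg_len) + f(BLOCK + DIGEST)


def sha256d(data: bytes) -> bytes:
    """The HASH_d construction from the quoted message, instantiated with SHA-256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


if __name__ == "__main__":
    # 55 bytes is the largest message that still fits one SHA-256 block.
    for n in (0, 55, 56, 119, 120, 1500):
        print(f"{n:5d} bytes: SHA-256 {sha256_blocks(n)} block(s), "
              f"SHA-256d {sha256d_blocks(n)}, relative speed {throughput_ratio(n):.2f}, "
              f"HMAC {hmac_blocks(n)} vs HMAC over SHA-256d {hmac_blocks(n, True)}")
```

For a 55-byte message SHA-256d doubles the block count (relative speed 0.50), while at 56 bytes the loss shrinks to one block in three; HMAC over SHA-256d pays the extra block twice, once in the inner and once in the outer hash.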
