Thanks for the clarification, Codes. I'm not all that familiar with the second preimage issue. I'll go research it.
Liam: if you use a truncated hash, use SHA-512, since it doesn't have the length extension problem. But it sounds like the dual construction may be more useful than I thought.

On Sep 27, 2013 7:51 AM, "CodesInChaos" <[email protected]> wrote:

> Bitcoin uses RIPEMD160(SHA256(x)) only in places where the relevant
> attack is a second pre-image, not a collision. If neither hash function is
> pathological, the pre-image resistance of this construction can't be broken
> without breaking both hashes. So this construction isn't that silly.
>
> As for length extension attacks, I don't believe I should be
> concerned, should I? The transfer of messages within the network is
> dependent on a defined protocol, so any extra bytes would just be
> interpreted as a malformed message.
>
> If you use it in a broken construction, you should be concerned. If you're
> not, then there is little reason to worry.
>
> Length extensions are only a problem with a few specific constructions. In
> particular, using SHA256(k||m) as a MAC is broken. If you want a hash-based
> MAC with SHA-2, use HMAC instead.
_______________________________________________
p2p-hackers mailing list
[email protected]
http://lists.zooko.com/mailman/listinfo/p2p-hackers
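The quoted advice, as an added example that is not part of this thread: the SHA256(k||m) construction beside HMAC-SHA256, with the HMAC covering a length-prefixed frame so that, as the framing question above assumes, extra trailing bytes are rejected rather than silently reframed. The key and payload values used in the checks are constructed for the example.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # SHA-256 digest size in bytes


def weak_tag(key: bytes, msg: bytes) -> bytes:
    # The construction the thread warns against: SHA256(k || m). The digest is
    # SHA-256's whole internal state, so a holder of one valid tag can keep
    # hashing from it and tag an extended message without knowing the key.
    # Kept only for contrast; never use it as a MAC.
    return hashlib.sha256(key + msg).digest()


def hmac_tag(key: bytes, msg: bytes) -> bytes:
    # HMAC-SHA256: the keyed outer hash hides the inner state, which is why
    # the thread says to use HMAC instead.
    return hmac.new(key, msg, hashlib.sha256).digest()


def seal(key: bytes, payload: bytes) -> bytes:
    # Frame = 4-byte big-endian length || payload || HMAC tag. The tag covers
    # the length prefix too, so the receiver's framing decision is authenticated.
    header = struct.pack(">I", len(payload))
    return header + payload + hmac_tag(key, header + payload)


def open_frame(key: bytes, data: bytes) -> bytes:
    # Verify a frame and return its payload; raise ValueError on any defect.
    if len(data) < 4 + TAG_LEN:
        raise ValueError("frame too short")
    (n,) = struct.unpack(">I", data[:4])
    if len(data) != 4 + n + TAG_LEN:
        # Trailing or missing bytes: reject, never reinterpret as a new message.
        raise ValueError("length mismatch")
    body, tag = data[:4 + n], data[4 + n:]
    if not hmac.compare_digest(tag, hmac_tag(key, body)):  # constant-time compare
        raise ValueError("bad tag")
    return body[4:]


def rejects(key: bytes, data: bytes) -> bool:
    # True if open_frame refuses the frame; used for the checks below.
    try:
        open_frame(key, data)
    except ValueError:
        return True
    return False
```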
