Ben,

>> I believe the fatal flaw here is not the crypto, but losing the ability
>> to hash a stream without keeping all of it. Both the hashes and HMAC
>> have this sometimes-vital property.
>
>This can be fixed quite easily:
>
>H'(x)=H(H(x || H(x)) || H(x))

I think this construction doesn't provide any additional security. If someone manages to find x1 and x2 such that H(x1)=H(x2), he will have also broken H'(X).

If you get h=H(x1)=H(x2) (of course we are talking about hash functions using the same iterative model as SHA-1), then you would end up calculating H(H(x1 || h) || h) vs H(H(x2 || h) || h), but since both x1 and x2 leave the internal state of the hash function the same, H(x1 || h) = H(x2 || h) and hence H'(x1) = H'(x2).

Cheers,
Pablo

---------------------------------------------------------------------
The Cryptography Mailing List
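The argument in the message above, run on a toy iterated hash. This is an added example, not part of the original thread; the 16-byte block, the 24-bit chaining state and the compression function built from truncated SHA-256 are assumptions chosen so a collision can be found in seconds. It covers the case the message describes: two equal-length, block-aligned inputs that leave the internal state the same.

```python
import hashlib
from itertools import count

BLOCK = 16            # toy block size in bytes (assumption)
STATE = 3             # toy chaining state and digest size: 24 bits, deliberately weak
IV = b"\x00" * STATE  # constructed initial value

def compress(state: bytes, block: bytes) -> bytes:
    """Toy compression function: truncated SHA-256 over state || block."""
    return hashlib.sha256(state + block).digest()[:STATE]

def pad(msg: bytes) -> bytes:
    """Merkle-Damgard strengthening: 0x80, zero fill, 64-bit bit length."""
    padded = msg + b"\x80"
    padded += b"\x00" * (-(len(padded) + 8) % BLOCK)
    return padded + (8 * len(msg)).to_bytes(8, "big")

def H(msg: bytes) -> bytes:
    """Iterated hash in the same model as SHA-1, with a tiny state."""
    state = IV
    padded = pad(msg)
    for i in range(0, len(padded), BLOCK):
        state = compress(state, padded[i:i + BLOCK])
    return state

def H_prime(x: bytes) -> bytes:
    """The proposed construction: H'(x) = H(H(x || H(x)) || H(x))."""
    h = H(x)
    return H(H(x + h) + h)

def find_collision():
    """Birthday search for two distinct one-block inputs that leave the
    chaining state identical after the first compression call."""
    seen = {}
    for i in count():
        block = i.to_bytes(BLOCK, "big")
        state = compress(IV, block)
        if state in seen:
            return seen[state], block
        seen[state] = block

def demo():
    x1, x2 = find_collision()
    h = H(x1)
    return {
        "distinct": x1 != x2,
        "H_collides": H(x1) == H(x2),
        "inner_collides": H(x1 + h) == H(x2 + h),
        "H_prime_collides": H_prime(x1) == H_prime(x2),
    }

if __name__ == "__main__":
    print(demo())
```

Because x1 and x2 have the same length, every block after the first (the appended h and the padding) is identical for both inputs, so the equal chaining state carries through H, the inner H(x || h), and H'.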