If it's just HMAC with K = h(m) then it's currently (or just recently)
been discussed on cfrg: http://www.irtf.org/cfrg/, starting here:
http://www1.ietf.org/mail-archive/web/cfrg/current/msg00708.html.
-- Michael
On Mon, 21 Mar 2005 11:56:44 +, Ben Laurie [EMAIL PROTECTED] wrote:
It was
Dan Kaminsky wrote:
Ben,
x can equal either test vector released by Wang, and H(x) will be
identical. With H(x) identical, the rest of the HMAC stays identical too.
This does not appear to be correct - in my construction, i.e. without
padding, then the fact that x and x' differ means that
Ken Raeburn wrote:
On Mar 22, 2005, at 11:51, Ben Laurie wrote:
This can be fixed quite easily:
H'(x)=H(H(x || H(x)) || H(x))
Doesn't this take us back to the original problem, by factoring in x
only at the start of hash computations, so H'(x') will generate the same
H(x') and the same internal
All hash functions I'm aware of consist of an inner compression function
that hashes a fixed size block of data into a smaller fixed size block
and an outer composition function that applies the inner function
iteratively to the variable length data to be hashed. Essentially you're
proposing a
Charlie Kaufman wrote:
All hash functions I'm aware of consist of an inner compression function
that hashes a fixed size block of data into a smaller fixed size block
and an outer composition function that applies the inner function
iteratively to the variable length data to be hashed. Essentially
Blumenthal, Uri wrote:
Ernie Brickell suggested the following construct:
H'(x) = H( H(x) || H(0 || x) )
Like him, I see no reason in going (H(x) || H(0||x) || ... || H(n||x)).
Sorry, I got my parentheses wrong. I meant...
H'(x)=H(H(x || H(0 || x)) || H(0 || x))
or:
H'(x)=H(H(x || H(0 || x)) ||
Subject: Re: Propping up SHA-1 (or MD5)
Charlie Kaufman wrote:
All hash functions I'm aware of consist of an inner compression
function
that hashes a fixed size block of data into a smaller fixed size block
and an outer composition function that applies the inner function
iteratively to the variable
Ben,
I believe the fatal flaw here is not the crypto, but losing the ability
to hash a stream without keeping all of it. Both the hashes and HMAC
have this sometimes-vital property.
This can be fixed quite easily:
H'(x)=H(H(x || H(x)) || H(x))
I think this construction doesn't provide any
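
Added example, not part of any message in this thread: a sketch showing that H'(x)=H(H(x || H(x)) || H(x)) and the H(0 || x) variant can each be computed in one pass over a stream, by running two hash contexts side by side, and that the result matches the buffered definition. SHA-1 as H, a single zero byte for "0", and all function names are assumptions.

```python
import hashlib

ZERO = b"\x00"  # assumption: the "0" in H(0 || x) is encoded as one zero byte


def h(data: bytes) -> bytes:
    """H: SHA-1 here (assumption; any iterated hash works the same way)."""
    return hashlib.sha1(data).digest()


def buffered_hx(x: bytes) -> bytes:
    """Reference: H'(x) = H(H(x || H(x)) || H(x)), whole message in memory."""
    d = h(x)
    return h(h(x + d) + d)


def buffered_h0x(x: bytes) -> bytes:
    """Reference: H'(x) = H(H(x || H(0 || x)) || H(0 || x))."""
    d = h(ZERO + x)
    return h(h(x + d) + d)


def streamed(chunks, prefix: bytes = b"") -> bytes:
    """Single pass over an iterable of chunks; no chunk is retained.

    tag   accumulates H(prefix || x)
    inner accumulates x and receives the tag once the stream ends
    """
    tag = hashlib.sha1(prefix)
    inner = hashlib.sha1()
    for chunk in chunks:
        tag.update(chunk)
        inner.update(chunk)
    d = tag.digest()
    inner.update(d)              # inner now covers x || H(prefix || x)
    return h(inner.digest() + d)


def chunked(data: bytes, size: int):
    """Yield data in pieces, standing in for a network or file stream."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


if __name__ == "__main__":
    msg = bytes(range(256)) * 40  # constructed sample input
    print(streamed(chunked(msg, 61)).hex())
    print(streamed(chunked(msg, 61), prefix=ZERO).hex())
```

The cost is two compression-function passes per block instead of one, with memory limited to the two hash contexts.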