From: daw@blowfish.isaac.cs.berkeley.edu (David Wagner)
Newsgroups: sci.crypt
Subject: Re: Standard Hash usage
Date: 11 Jul 1999 19:48:59 -0700
Message-ID: <7mbl2r$sg3$1@blowfish.isaac.cs.berkeley.edu>
References: <7ligan$nfs$1@usenet01.srv.cis.pitt.edu> <37821E46.776E149C@sandia.gov>
In article ,
David P Jablon wrote:
> In article <37821E46.776E149C@sandia.gov>, John Myre wrote:
> >David P Jablon wrote:
> >> That function, hash = sha1(P) || sha1(P || sha1(P)), limits the
> >> entropy to no more than 160-bits, when P has more than 160-bits
> >> of entropy.
> >
> >I don't see why this is so.
>
> Because it's not. In a moment of weakness I presumed that
> sha1(x) == sha1(y) implied sha1(x||z) == sha1(y||z). Oops.
>
Actually, I think your last remark is not so far off.
At least in the case where x and y have the same length,
and where that length is also a multiple of 512 bits,
the statement holds with high probability, I believe.
[Why? If the collision arises because of an internal
collision in the internal chaining value, before the padding
is processed, then indeed sha1(x||z) = sha1(y||z), as is
easy to check.]
Am I mistaken?
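
The bracketed argument above can be checked on a toy Merkle-Damgård hash. This is an added example, not part of the original post: `compress`, `toy_hash`, `construction` and the 24-bit `STATE` are assumptions chosen so that an internal collision can be found by birthday search in a few thousand steps, and it is not a SHA-1 collision. It also goes one step beyond the post by showing the consequence for the function quoted earlier in the thread.

```python
import hashlib
from itertools import count

BLOCK = 64               # 512-bit message blocks, as in SHA-1
STATE = 3                # toy chaining value of 24 bits (assumption)
IV = b"\x00" * STATE     # constructed initial chaining value

def compress(h: bytes, block: bytes) -> bytes:
    # Toy compression function (assumption): SHA-1 of state||block, truncated.
    return hashlib.sha1(h + block).digest()[:STATE]

def pad(length: int) -> bytes:
    # Merkle-Damgard strengthening: 0x80, zero fill, 64-bit message bit length.
    zeros = (BLOCK - (length + 9) % BLOCK) % BLOCK
    return b"\x80" + b"\x00" * zeros + (8 * length).to_bytes(8, "big")

def chain(msg: bytes, h: bytes = IV) -> bytes:
    # Iterate the compression function over whole blocks, with no padding.
    for i in range(0, len(msg), BLOCK):
        h = compress(h, msg[i:i + BLOCK])
    return h

def toy_hash(msg: bytes) -> bytes:
    # Full hash: pad first, then chain; the padding depends only on len(msg).
    return chain(msg + pad(len(msg)))

def find_internal_collision():
    # Birthday search over one-block messages for equal chaining values.
    seen = {}
    for n in count():
        x = n.to_bytes(BLOCK, "big")
        h = chain(x)
        if h in seen:
            return seen[h], x
        seen[h] = x

def construction(p: bytes) -> bytes:
    # The function from the thread, with toy_hash in place of sha1.
    d = toy_hash(p)
    return d + toy_hash(p + d)

if __name__ == "__main__":
    x, y = find_internal_collision()
    z = b"any suffix"  # constructed sample suffix
    print("extension collides:", toy_hash(x + z) == toy_hash(y + z))
    print("construction collides:", construction(x) == construction(y))
```

Because x and y have equal, block-aligned length, everything hashed after them (the suffix and the length padding) is identical and starts from the same chaining value, so the two computations cannot diverge.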