From: daw@blowfish.isaac.cs.berkeley.edu (David Wagner)
Newsgroups: sci.crypt
Subject: Re: Standard Hash usage
Date: 11 Jul 1999 19:48:59 -0700
Message-ID: <7mbl2r$sg3$1@blowfish.isaac.cs.berkeley.edu>
References: <7ligan$nfs$1@usenet01.srv.cis.pitt.edu> <FECsF5.4G2@world.std.com> <37821E46.776E149C@sandia.gov> <FEI56F.6tp@world.std.com>

In article <FEI56F.6tp@world.std.com>,
David P Jablon <dpj@world.std.com> wrote:
> In article <37821E46.776E149C@sandia.gov>, John Myre  <jmyre@sandia.gov> wrote:
> >David P Jablon wrote:
> >> That function, hash = sha1(P) || sha1(P || sha1(P)), limits the
> >> entropy to no more than 160-bits, when P has more than 160-bits
> >> of entropy.
> >
> >I don't see why this is so.
> 
> Because it's not.  In a moment of weakness I presumed that 
> sha1(x) == sha1(y) implied sha1(x||z) == sha1(y||z).  Oops.
> 

Actually, I think your last remark is not so far off.

At least in the case where x and y have the same length,
and where that length is also a multiple of 512 bits,
the statement holds with high probability, I believe.

[Why?  If the collision arises because of an internal
collision in the internal chaining value, before the padding
is processed, then indeed sha1(x||z) = sha1(y||z), as is
easy to check.]

Am I mistaken?
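
Added example, not part of the original post: a toy Merkle-Damgard hash with SHA-1-style 512-bit blocks and length padding, used to check the bracketed argument above and its effect on the sha1(P) || sha1(P || sha1(P)) construction quoted in the thread. The 24-bit truncated chaining value (chosen so a birthday search finishes quickly) and all function names are assumptions of this sketch, not real SHA-1.

```python
import hashlib
from itertools import count

BLOCK = 64        # 512-bit blocks, as in SHA-1
CV_LEN = 3        # toy 24-bit chaining value (assumption: keeps the search fast)
IV = bytes(CV_LEN)

def compress(cv, block):
    # Toy compression function: SHA-1 over cv||block, truncated to CV_LEN bytes.
    return hashlib.sha1(cv + block).digest()[:CV_LEN]

def chain(data, cv=IV):
    # Internal chaining value over whole blocks only, before any padding.
    assert len(data) % BLOCK == 0
    for i in range(0, len(data), BLOCK):
        cv = compress(cv, data[i:i + BLOCK])
    return cv

def toy_hash(msg):
    # SHA-1-style padding: 0x80, zero fill, 64-bit big-endian bit length.
    pad = b"\x80" + bytes((-len(msg) - 9) % BLOCK) + (8 * len(msg)).to_bytes(8, "big")
    return chain(msg + pad)

def find_collision(f, length):
    # Birthday search: two distinct constructed messages of `length` bytes with equal f().
    seen = {}
    for n in count():
        m = n.to_bytes(8, "big").ljust(length, b"\0")
        h = f(m)
        if h in seen:
            return seen[h], m
        seen[h] = m

def double_hash(p):
    # The construction from the thread: H(P) || H(P || H(P)).
    return toy_hash(p) + toy_hash(p + toy_hash(p))

def demo():
    x, y = find_collision(chain, BLOCK)   # internal collision, block-aligned messages
    u, v = find_collision(toy_hash, 8)    # collision that only exists in the padded block
    suffixes = [b"", b"z", b"suffix" * 30]
    return {
        "aligned_extends": all(toy_hash(x + z) == toy_hash(y + z) for z in suffixes),
        "double_hash_collides": double_hash(x) == double_hash(y),
        "unaligned_extends": all(toy_hash(u + z) == toy_hash(v + z) for z in suffixes),
    }

if __name__ == "__main__":
    print(demo())
```

For the equal-length, block-aligned pair every suffix preserves the collision and the double-length output collides as well; for the short pair, whose collision occurs only in the block that already contains the padding, appending a suffix breaks it.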


