Re: hedging our bets -- in case SHA-256 turns out to be insecure

--- On Wed, 11/11/09, Eugen Leitl wrote:

From: Eugen Leitl Subject: hedging our bets -- in case SHA-256 turns out to be insecure To: info@postbiota.org, cypherpunks@al-qaeda.net Date: Wednesday, November 11, 2009, 8:35 PM ----- Forwarded message from Zooko Wilcox-O'Hearn -----

From: Zooko Wilcox-O'Hearn Date: Sun, 8 Nov 2009 03:30:47 -0800 To: Cryptography List , tahoe-dev@allmydata.org Subject: hedging our bets -- in case SHA-256 turns out to be insecure X-Mailer: Apple Mail (2.753.1)

Folks:

[...]

I propose the following combined hash function C, built out of two hash functions H1 and H2:

C(x) = H1(H1(x) || H2(x))

Why not use C(x) = H1(x) XOR H2(x) ? That solves your length of the hash doubling problem and removes the time in computing the outer hash function. What is your attack model? Sarad.