Newsgroups: sci.crypt
From: (Miroslav D Asic)

Subject: Re: IBM-PC random generator, source included
Message-ID: <>
Summary: CRC is not safe
Keywords: MD5, hashing, CRC
Organization: The Ohio State University
References: <> <1992Jun26.231556.
+ > <>
Date: Mon, 29 Jun 1992 00:35:32 GMT
Lines: 42

In article <>
(Philip Zimmermann) writes:
>In article <>
(Terry Ritter) writes:
>> In <>
>> (Philip Zimmermann) writes:
   ...  ...
>This is the nature of the avalanche effect of a perfect hash function--
>I was using MD5 as an example.  You can replace it with any other stronger
>hash.  If your hash is perfect, there is indeed reason to believe that
>the essential randomness will be avalanched throughout the output, regardless
>of which bits were the random bits in the input. 
>>    If we want every bit of the output to depend on every
>>    bit of the input we could use CRC's.
>                      ^^^^^^^^^^^^^^^^^^^
>I wouldn't trust a CRC for this.  If your hash is one-way, and
>cryptographically strong, it would hide any patterns in the imperfect 
>noisy input.  CRC is not as good as MD5 for this. 
   ...  ... 
      That's a mild understatement! It appears from this (and
some earlier postings) that quite a few people believe that
CRC has some cryptographic value. An article in Dr. Dobb's
Journal (May 1992) suggests that it could be used to detect a
virus infested file (giving a warning that `an exceptionally
clever' virus might be able to fool CRC). CRC was not designed
for that and should *not* be used for that. Specifically, it is
_easy_ to:
 - Find two different files with the same CRC;
 - Construct a file with an arbitrary CRC (given in advance).
      These two are (allegedly) computationally infeasible when
MD5 or the proposed SHA are used. CRC is a great tool to detect
accidental changes to files, but to use it in cryptography is
downright dangerous.
                                              Cheerio, Miroslav
***** Miroslav D. Asic, Dept. of Math., The Ohio State Univ. *****
*****  or  asic.1@ohstmail  *****