spf-discuss

RE: Updates on SRS crypto

2004-02-11 09:38:46

http://www.cs.duke.edu/~anderson/hashing/

One question I don't know the answer to is the relative distribution 
properties of md5 and sha-1 on very short messages (the kind we are 
discussing here).

They are almost identical. Remember that both are simply developments of
MD4.

In MD5 Ron added an extra round.
In SHA-1 the NSA added a round, added a fifth chaining register and
introduced a dispersion function to the key schedule.


The dispersion function was added in a revision of the draft. When Ron's
reading group discussed the Hans Dobbertin attack on MD5 several people
thought that the dispersion function would foil it.

So the upshot is that SHA1 is no worse than MD5. It is only slightly worse
in terms of computation time but the security properties are important.


First though let's rethink what we are trying to achieve with SRS from 
scratch. I think we need to think a bit more about forwarding than a 
four page paper :-)

Let's not get into the crypto-weeds here until we have thunk through all
the implementation use cases.

                Phill
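
An empirical look at the distribution question raised in this message, as an added example that is not part of the original post: it buckets the first digest byte of MD5 and SHA-1 over constructed short, near-identical address-like strings and computes a chi-square statistic against a uniform distribution, with a plain byte-sum checksum as a deliberately weak control. The sample addresses, the bucket count and all helper names are assumptions made for the illustration.

```python
import hashlib

BUCKETS = 256  # one bucket per possible value of the first output byte

# Each entry maps a short message (bytes) to a bucket index in [0, 256).
HASHES = {
    "md5": lambda m: hashlib.md5(m).digest()[0],
    "sha1": lambda m: hashlib.sha1(m).digest()[0],
    "bytesum": lambda m: sum(m) % BUCKETS,  # weak control, not a real hash
}


def short_messages(n):
    """Constructed sample input: n short strings differing only in a counter."""
    return [f"user{i}@example.com".encode() for i in range(n)]


def chi_square(bucket_of, messages):
    """Pearson chi-square of bucket counts against a uniform distribution."""
    counts = [0] * BUCKETS
    for m in messages:
        counts[bucket_of(m)] += 1
    expected = len(messages) / BUCKETS
    return sum((c - expected) ** 2 / expected for c in counts)


def compare(n=51200):
    """Return {name: chi-square statistic} for every entry in HASHES."""
    msgs = short_messages(n)
    return {name: chi_square(fn, msgs) for name, fn in HASHES.items()}


if __name__ == "__main__":
    # For uniform output the statistic follows chi-square with 255 degrees
    # of freedom: mean 255, standard deviation about 22.6.
    for name, stat in compare().items():
        print(f"{name:8s} chi2 = {stat:10.1f}")
```

A statistic near 255 is what uniform output looks like at this sample size; the byte-sum control lands far above it because similar inputs pile into a few buckets.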

