but the slight risk of collision, although practically negligible, is a bit irksome
If you quantify the "practically negligible" risk, it might be less irksome: SHA-1 is a 160-bit hash. The birthday paradox says that you would need to hash 2^80 different credit card numbers before you had a 50% probability of having even one collision in your database keys. Very roughly that means you would need to have a trillion different credit card numbers in your database in order to get as much as a one in a trillion chance of a collision. You would probably find dealing with a trillion different credit card numbers more irksome than the negligible chance of a collision even that many would give you.
-- sidney
---------------------------------------------------------------------
The Cryptography Mailing List
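The birthday-bound estimate discussed in the reply above, as an added example that is not part of the original message: it computes the approximate collision probability for n distinct inputs under a b-bit hash, and inverts it to find how many inputs give a target probability. The function names are hypothetical, the hash is assumed to behave like a uniform random function, and the 64-bit row goes beyond the message to show how truncating the digest changes the picture.

```python
import math


def collision_probability(n_items: int, hash_bits: int) -> float:
    """Approximate P(at least one collision) among n_items distinct inputs.

    Birthday approximation: p ~= 1 - exp(-n(n-1) / (2 * 2^bits)).
    Assumes the hash output is uniformly distributed (an idealization).
    """
    # Count pairs with exact integer arithmetic; Python's int / int division
    # is correctly rounded even when both operands exceed float range.
    pairs = n_items * (n_items - 1) // 2
    exponent = pairs / (1 << hash_bits)
    # -expm1(-x) keeps precision when x is tiny; 1 - exp(-x) would round to 0.
    return -math.expm1(-exponent)


def items_for_probability(p: float, hash_bits: int) -> float:
    """Approximate number of inputs needed to reach collision probability p.

    Inverts the approximation above: n ~= sqrt(2 * 2^bits * ln(1 / (1 - p))).
    """
    if not 0.0 < p < 1.0:
        raise ValueError("p must be strictly between 0 and 1")
    # log1p(-p) is ln(1 - p), computed accurately for small p.
    return math.sqrt(-2.0 * (2.0 ** hash_bits) * math.log1p(-p))


if __name__ == "__main__":
    trillion = 10 ** 12
    # 160 bits is the SHA-1 digest size from the message; 64 bits is a
    # constructed comparison for a truncated digest.
    for bits in (160, 64):
        p = collision_probability(trillion, bits)
        print(f"{bits:3d}-bit hash, 10^12 inputs: p ~= {p:.3e}")
    n_half = items_for_probability(0.5, 160)
    print(f"inputs for 50% at 160 bits: ~2^{math.log2(n_half):.2f}")
```
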