SHA-1 rumors
John Black
johnblackjr at hotmail.com
Tue Aug 17 02:13:00 EDT 2004
>
>No, it was on the compression function, but not in any sense "reduced". But
>you had to start with particular values of the chaining variables, and in
>practice no-one knows how to do that, so MD5 (as a whole) isn't broken by
>this, at least until tomorrow evening. The rumour here is that MD5, HAVAL,
>and RIPE-MD are all goners. We know SHA-0 is toast too. There might also be
>results against SHA-1. Hash functions are hard.
>
What I've heard (also at CRYPTO right now like Greg) is that the four
Chinese researchers (Wang, Fang, Lai, Yu) have found collisions in
MD4, MD5, HAVAL, and RIPEMD. They state that SHA-0 collisions can be
found as well. However, the collision they list for MD5 doesn't
produce work because the Chinese translation of [MOV] had an error
which caused an endianness problem. So they have a collision for
a PARTICULAR IV. One of the four researchers is back in China, so they
are on the phone trying to fix the problem for the announcment tomorrow
evening.
However, they have announced nothing regarding SHA-1 or any of the
larger-output SHA versions like SHA-256, etc. We haven't seen their
methods yet, but one has to believe that their methods are fairly
general given the range of hash functions they've attacked. This would
SEEM to put the SHA family into jeopardy as well, but we should know
more tomorrow evening.
John Black
[MOV] Menezes, van Oorschot, Vanstone; Handbook of Applied Cryptography,
CRC Press.
_________________________________________________________________
FREE pop-up blocking with the new MSN Toolbar – get it now!
http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list