Can you keep a secret? This encrypted drive can...

Greg Rose ggr at
Thu Nov 9 00:39:28 EST 2006

>At 17:58  -0500 2006/11/08, Leichter, Jerry wrote:
>No, SHA-1 is holding on (by a thread) because of differences in the
>details of the algorithm - details it shares with SHA-256.  I
>don't think anyone will seriously argue that if SHA-1 is shown to
>be as vulnerable as we now know ND5 to be, then SHA-256 can still
>be taken to be safe for more than a fairly short time.

Hmm, I disagree with this. Firstly, I don't think SHA-1 *is* holding 
on... while we don't have an example collision yet, there is no real 
doubt that one can be found in about 2^64 operations, which is less 
than the required 2^80. And SHA-2 does have a significantly different 
design in one area; the data expansion part is much stronger than 
SHA-1's, and almost certainly defeats the Wang-style attacks. Our 
paper on eprint gives some justification for why SHA-2 would appear 
to be resistant to these kinds of attacks.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list