Certainty

Paul Hoffman paul.hoffman at vpnc.org
Wed Aug 19 18:28:22 EDT 2009


At 5:28 PM -0400 8/19/09, Perry E. Metzger wrote:
>I believe attacks on Git's use of SHA-1 would require second pre-image
>attacks, and I don't think anyone has demonstrated such a thing for
>SHA-1 at this point. None the less, I agree that it would be better if
>Git eventually used better hash functions. Attacks only get better with
>time, and SHA-1 is certainly creaking.

I understand that "creaking" is not a technical cryptography term, but "certainly" is. When do we become "certain" that devastating attacks on one feature of hash functions (collision resistance) have any effect at all on even weak attacks on a different feature (either first or second preimages)?

This is a serious question. Has anyone seen any research that took some of the excellent research on collision resistance and used it directly for preimage attacks, even with greatly reduced rounds?

The longer that MD5 goes without any hint of preimage attacks, the less "certain" I am that collision attacks are even related to preimage attacks.

Of course, I still believe in hash algorithm agility: regardless of how preimage attacks will be found, we need to be able to deal with them immediately.

--Paul Hoffman, Director
--VPN Consortium
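The hash-agility point in the message above, as an added example (not code from the original post, and not Git's own object-store mechanism): a content-addressed store whose digests carry an algorithm label, a verifier driven by an explicit policy, and a migration routine that re-addresses retained content under a new algorithm. The digest format `alg:hex`, the `ACCEPTED`/`LEGACY_ONLY` policy sets and the sample objects are constructed for illustration.

```python
import hashlib
import hmac
from enum import Enum

# Policy (constructed example values): algorithms that may be used to create
# new digests, and algorithms that may only be used to verify data that was
# addressed before they were retired. Swapping an algorithm is a policy edit,
# not a code change, which is what "agility" buys when an attack appears.
ACCEPTED = {"sha256", "sha3_256"}
LEGACY_ONLY = {"sha1", "md5"}


class Status(Enum):
    OK = "ok"
    LEGACY = "legacy"              # matched, but under a retired algorithm
    MISMATCH = "mismatch"
    UNKNOWN_ALG = "unknown-alg"
    REJECTED_ALG = "rejected-alg"  # retired algorithm, legacy not allowed


def make_digest(data: bytes, alg: str = "sha256") -> str:
    """Return a self-describing digest "alg:hex" for data.

    Only currently accepted algorithms can produce new digests; a caller
    cannot accidentally keep minting tags under a retired function."""
    if alg not in ACCEPTED:
        raise ValueError(f"{alg} is not accepted for new digests")
    return f"{alg}:{hashlib.new(alg, data).hexdigest()}"


def parse_digest(tag: str) -> tuple[str, str]:
    """Split "alg:hex" into its two parts; the label names the algorithm."""
    alg, sep, hexdigest = tag.partition(":")
    if not sep or not alg or not hexdigest:
        raise ValueError(f"malformed digest tag: {tag!r}")
    return alg.lower(), hexdigest.lower()


def verify(data: bytes, tag: str, allow_legacy: bool = False) -> Status:
    """Check data against a labelled digest according to the policy table.

    The algorithm is taken from the tag, so old objects still verify, but
    the verifier (not the tag) decides whether a retired algorithm counts."""
    alg, expected = parse_digest(tag)
    if alg in ACCEPTED:
        matched_status = Status.OK
    elif alg in LEGACY_ONLY:
        if not allow_legacy:
            return Status.REJECTED_ALG
        matched_status = Status.LEGACY
    else:
        return Status.UNKNOWN_ALG
    actual = hashlib.new(alg, data).hexdigest()
    # Constant-time comparison avoids leaking how many hex characters matched.
    return matched_status if hmac.compare_digest(actual, expected) else Status.MISMATCH


def migrate(store: dict[str, bytes], new_alg: str = "sha256") -> dict[str, str]:
    """Re-address every object in a content-addressed store under new_alg.

    Each object is first verified under its recorded tag (legacy allowed),
    so an object that no longer matches its old address is not silently
    re-blessed under the new algorithm. Returns old tag -> new tag."""
    mapping = {}
    for old_tag, data in store.items():
        status = verify(data, old_tag, allow_legacy=True)
        if status not in (Status.OK, Status.LEGACY):
            raise ValueError(f"refusing to migrate {old_tag}: {status.value}")
        mapping[old_tag] = make_digest(data, new_alg)
    return mapping


if __name__ == "__main__":
    # Constructed sample store: one object addressed under a retired algorithm.
    legacy_tag = "sha1:" + hashlib.sha1(b"hello").hexdigest()
    store = {legacy_tag: b"hello"}
    print(verify(b"hello", legacy_tag))                     # Status.REJECTED_ALG
    print(verify(b"hello", legacy_tag, allow_legacy=True))  # Status.LEGACY
    print(migrate(store))                                   # {legacy_tag: "sha256:..."}
```

The migration step is only possible because the store keeps the content, not just the digests; a system that has to re-derive addresses once an algorithm falls needs both the labelled format and the retained data, which is the practical meaning of being able to "deal with them immediately".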

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
