Certainty

james hughes hughejp at mac.com
Wed Aug 19 22:10:22 EDT 2009 

Caution, the following contains a rant.

On Aug 19, 2009, at 3:28 PM, Paul Hoffman wrote:
> I understand that "creaking" is not a technical cryptography term,  
> but "certainly" is. When do we become "certain" that devastating  
> attacks on one feature of hash functions (collision resistance) have  
> any effect at all on even weak attacks on a different feature  
> (either first or second preimages)?
>
> This is a serious question. Has anyone seen any research that took  
> some of the excellent research on collision resistance and used it  
> directly for preimage attacks, even with greatly reduced rounds?

This is being done. What Perry said.

> The longer that MD5 goes without any hint of preimage attacks, the  
> less "certain" I am that collision attacks are even related to  
> preimage attacks.

There was an invited talk at Crypto about "Alice and Bob Go To  
Washington: A Cryptographic Theory of Politics and Policy". This was  
interesting in that it explained that facts are not what politicians  
want
	http://www.iacr.org/conferences/crypto2009/acceptedpapers.html#crypto06
and that politicians form blocks to create shared power.

It seems that your comment about "certainty" is not a technical one,  
but a political one. The block of people that have implemented MD-5  
believe that this algorithm is good enough and that the facts that the  
hash function contains no science of how it works, can not be proven  
to be resistant to pre-image, nor even reduced to any known hard  
problem, are not "certain". Maybe this particular block just wants it  
to be secure? If MD-5 is secure to pre-image attacks, the  
cryptographic community does not know why. It seems that the only  
proof that can be accepted as "certainty" is an existence proof that  
the bad deed _has_ be done.

Maybe this is not really an MD-5 block, but an HMAC implementer's  
block. This block does have some results to hang their hats on. The  
paper "New Proofs for NMAC and HMAC: Security without Collision- 
Resistance" was publushed in 2006
	http://eprint.iacr.org/2006/043.pdf
that states that as long as the "compression function is a PRF" HMAC  
is secure. This is mostly because the algorithm is keyed. This places  
HMAC into the class of ciphers as PRF and out of the class of hash  
functions.

I find this "interesting". Cryptographers knew in 2004 that the wheels  
just came off MD-5, and it's future was going to be grim. The "common  
sense" was that a collision by itself was not relevant. Then there was  
the “Colliding X.509 Certificates”
	http://eprint.iacr.org/2005/067
and still the "common sense" was that it could still be used. So then  
there was "Chosen-Prefix Collisions for MD5 and Colliding X.509  
Certificates for Different Identities"
	http://www.win.tue.nl/hashclash/EC07v2.0.pdf
but that was still not enough. This Crypto, the paper "Short Chosen- 
Prefix Collisions for MD5 and the Creation of a Rogue CA Certificate"
	http://www.iacr.org/conferences/crypto2009/acceptedpapers.html#crypto04
	https://documents.epfl.ch/users/l/le/lenstra/public/papers/Crypto09nonanom.pdf
seems to have put a nail in this issue, but not the issue of the  
"certainty" of pre-image attacks.

Some believe that the Best Paper award was given for the persistence  
that the authors showed to continue to spend time and effort on what  
the cryptographic community knows is an cart with no wheels on it to  
counter the "common sense" implementing block that do not believe it  
until they see it.

Effort placed on replacing MD-5 is more important now than taunting  
the cryptographers to prove that MD-5 pre-images are feasible when  
there is literally nothing proving that pre-images of MD-5 are  
difficult. (Again, this is for bare MD-5, not HMAC.)

> Of course, I still believe in hash algorithm agility: regardless of  
> how preimage attacks will be found, we need to be able to deal with  
> them immediately.

I am curious if you mean Immediately as in now, or immediately when a  
pre-image attack is found?

> --Paul Hoffman, Director
> --VPN Consortium

Jim

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list