Certainty

Greg Rose ggr at qualcomm.com
Thu Aug 20 00:02:39 EDT 2009


On 2009 Aug 19, at 3:28 , Paul Hoffman wrote:

> At 5:28 PM -0400 8/19/09, Perry E. Metzger wrote:
>> I believe attacks on Git's use of SHA-1 would require second pre-image
>> attacks, and I don't think anyone has demonstrated such a thing for
>> SHA-1 at this point. None the less, I agree that it would be better if
>> Git eventually used better hash functions. Attacks only get better with
>> time, and SHA-1 is certainly creaking.
>
> I understand that "creaking" is not a technical cryptography term,  
> but "certainly" is. When do we become "certain" that devastating  
> attacks on one feature of hash functions (collision resistance) have  
> any effect at all on even weak attacks on a different feature  
> (either first or second preimages)?
>
> This is a serious question. Has anyone seen any research that took  
> some of the excellent research on collision resistance and used it  
> directly for preimage attacks, even with greatly reduced rounds?

Not directly, as far as I know. But some research and success on  
preimages, yes.
>
> The longer that MD5 goes without any hint of preimage attacks, the  
> less "certain" I am that collision attacks are even related to  
> preimage attacks.

They aren't particularly related, but there was a presentation at  
Eurocrypt about MD5 preimages earlier this year. Or maybe it was MD4...

Greg.

>
> Of course, I still believe in hash algorithm agility: regardless of  
> how preimage attacks will be found, we need to be able to deal with  
> them immediately.
>
> --Paul Hoffman, Director
> --VPN Consortium
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
