Certainty
Greg Rose
ggr at qualcomm.com
Thu Aug 20 00:02:39 EDT 2009
On 2009 Aug 19, at 3:28 , Paul Hoffman wrote:
> At 5:28 PM -0400 8/19/09, Perry E. Metzger wrote:
>> I believe attacks on Git's use of SHA-1 would require second pre-image
>> attacks, and I don't think anyone has demonstrated such a thing for
>> SHA-1 at this point. None the less, I agree that it would be better if
>> Git eventually used better hash functions. Attacks only get better with
>> time, and SHA-1 is certainly creaking.
>
> I understand that "creaking" is not a technical cryptography term,
> but "certainly" is. When do we become "certain" that devastating
> attacks on one feature of hash functions (collision resistance) have
> any effect at all on even weak attacks on a different feature
> (either first or second preimages)?
>
> This is a serious question. Has anyone seen any research that took
> some of the excellent research on collision resistance and used it
> directly for preimage attacks, even with greatly reduced rounds?
Not directly, as far as I know. But some research and success on
preimages, yes.
>
> The longer that MD5 goes without any hint of preimage attacks, the
> less "certain" I am that collision attacks are even related to
> preimage attacks.
They aren't particularly related, but there was a presentation at
Eurocrypt about MD5 preimages earlier this year. Or maybe it was MD4...
Greg.
>
> Of course, I still believe in hash algorithm agility: regardless of
> how preimage attacks will be found, we need to be able to deal with
> them immediately.
>
> --Paul Hoffman, Director
> --VPN Consortium
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
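The distinction the thread turns on, as an added illustration that is not part of the original messages: Git names an object by hashing "<type> <size>\0<content>", so an attacker who wants to swap a committed file unnoticed needs a second preimage (different bytes, same id), not a collision between two contents of their own choosing. The second half sketches the hash agility Paul asks for, with a constructed "algo:hexdigest" reference format that is an assumption here, not Git's own.

```python
import hashlib
import hmac

def git_object_id(kind: str, content: bytes, algo: str = "sha1") -> str:
    """Git-style object id: hash over the header "<kind> <len>\\0" plus content.

    With algo="sha1" this matches `git hash-object` for the same bytes.
    """
    header = f"{kind} {len(content)}\0".encode()
    return hashlib.new(algo, header + content).hexdigest()

def would_pass_as(original: bytes, candidate: bytes, algo: str = "sha1") -> bool:
    """True only if candidate is a second preimage of original's object id.

    That is the property a substituted object would have to satisfy; a
    collision between two attacker-chosen blobs says nothing about it.
    """
    if candidate == original:
        return False  # same bytes are not a second preimage
    return git_object_id("blob", candidate, algo) == git_object_id("blob", original, algo)

# Hash agility (constructed scheme, an assumption for this example): the
# algorithm is recorded next to the digest, so a verifier can keep reading
# old references while refusing the function it no longer trusts.
TRUSTED = {"sha256"}
DEPRECATED = {"sha1"}

def make_ref(kind: str, content: bytes, algo: str) -> str:
    """Produce an "algo:hexdigest" reference for an object."""
    return f"{algo}:{git_object_id(kind, content, algo)}"

def verify_ref(ref: str, kind: str, content: bytes, allow_deprecated: bool = False) -> bool:
    """Recompute the digest under the recorded algorithm and compare it.

    Unknown algorithms are rejected outright; deprecated ones only when the
    caller explicitly opts in (e.g. while migrating an old repository).
    """
    algo, _, expected = ref.partition(":")
    if algo not in TRUSTED | DEPRECATED:
        return False
    if algo in DEPRECATED and not allow_deprecated:
        return False
    return hmac.compare_digest(git_object_id(kind, content, algo), expected)
```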