MD5 considered harmful today, SHA-1 considered harmful tomorrow
Paul Hoffman
paul.hoffman at vpnc.org
Mon Jan 19 11:33:26 EST 2009
At 1:38 PM +0000 1/19/09, Darren J Moffat wrote:
>Can you state the assumptions for why you think that moving to SHA384 would be safe if SHA256 was considered vulnerable in some way please.
Sure. I need 128 bits of pre-image protection for, say, a digital signature. SHA2/256 is giving me that. Then, due to some weakness, it is only giving me 112 bits of protection. The weakness is understood in the crypto community, and it's a straight-line loss of bits of protection.
SHA2/384 would then give me 168 bits of protection, which is more than the 128 what I need.
Even if you don't trust that there is a straight-line loss of bits, you would have to be believing that the attack is much worse for SHA2/384 than it was for SHA2/256 in order to bring the output down to the level that I need.
--Paul Hoffman, Director
--VPN Consortium
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list