hedging our bets -- in case SHA-256 turns out to be insecure

David-Sarah Hopwood david-sarah at jacaranda.org
Wed Nov 11 19:03:44 EST 2009

Sandy Harris wrote:
> On 11/8/09, Zooko Wilcox-O'Hearn <zooko at zooko.com> wrote:
>>  Therefore I've been thinking about how to make Tahoe-LAFS robust against
>> the possibility that SHA-256 will turn out to be insecure.
> Since you are encrypting the files anyway, I wonder if you could
> use one of the modes developed for IPsec where a single pass
> with a block cipher gives both encrypted text and a hash-like
> authentication output.  That gives you a "free" value to use as
> H3 in my scheme or H2 in yours, and its security depends on
> the block cipher, not on any hash.

Tahoe is intended to provide resistance to collision attacks by the
creator of an immutable file: the creator should not be able to generate
files with different contents, that can be read and verified by the same
read capability.

An authenticated encryption mode won't provide that -- unless, perhaps,
it relies on a collision-resistant hash.

David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 292 bytes
Desc: OpenPGP digital signature
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20091112/76fc5559/attachment.pgp>

More information about the cryptography mailing list