hedging our bets -- in case SHA-256 turns out to be insecure

james hughes hughejp at mac.com
Wed Nov 18 10:33:58 EST 2009 

I guess I need a slight correction... I missed a 'not'. 

On Nov 12, 2009, at 10:32 PM, james hughes wrote:

> 
> On Nov 11, 2009, at 10:03 AM, Sandy Harris wrote:
> 
>> On 11/8/09, Zooko Wilcox-O'Hearn <zooko at zooko.com> wrote:
>> 
>>> Therefore I've been thinking about how to make Tahoe-LAFS robust against
>>> the possibility that SHA-256 will turn out to be insecure.
>> 
>> NIST are dealing with that via the AHS process. Shouldn't you just use
>> their results?
>> 
>>> We could use a different hash function ...
>>> There are fourteen candidates left in the SHA-3
>>> contest at the moment.  Several of them have conservative designs and good
>>> performance, but there is always the risk that they will be found to have
>>> catastrophic design flaws or that a great advance in hash function
>>> cryptanalysis will suddenly show how to crack them.
>> 
>> Yes, but there's also a risk that whatever you come up with will turn
>> out to be flawed.
> 
> I agree.
> 
> The logic of a "unknown flaw" being fixed flies in the face of prudent cryptanalysis. If you don't know the flaw, how can do you know you can or have fixed it. 
> 
> What if there is an unknown flaw in the fix? Wrap that again? Turtles all the way down. 
> 
> Putting multiple insecure algorithms together does guarantee a secure one.

Putting multiple insecure algorithms together does NOT guarantee a secure one.

> The only solution that works is a new hash algorithm that is secure against this (and all other) vulnerabilities. It may include SHA 256 as a primitive, but a true fix is fundamentally a new hash algorithm. 
> 
> This process is being worked on by a large number of smart people. I can guarantee you that this kind of construction has been looked at. 
> 
> It is my opinion that putting a bandaid around SHA 256 "just in case" is not cryptanalysis, it's marketing.
> 
> Jim
> 
> P.S. once Sha-3 comes out, your bandaid will look silly.
> 
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list