[Cryptography] Crypto Standards v.s. Engineering habits - Was: NIST about to weaken SHA3?
John Kelsey
crypto.jmk at gmail.com
Fri Oct 4 10:23:38 EDT 2013
On Oct 4, 2013, at 10:10 AM, Phillip Hallam-Baker <hallam at gmail.com> wrote:
...
> Dobertin demonstrated a birthday attack on MD5 back in 1995 but it had no impact on the security of certificates issued using MD5 until the attack was dramatically improved and the second pre-image attack became feasible.
Just a couple nitpicks:
a. Dobbertin wasn't doing a birthday (brute force collision) attack, but rather a collision attack from a chosen IV.
b. Preimages with MD5 still are not practical. What is practical is using the very efficient modern collision attacks to do a kind of herding attack, where you commit to one hash and later get some choice about which message gives that hash.
...
> Proofs are good for getting tenure. They produce papers that are very citable.
There are certainly papers whose only practical importance is getting a smart cryptographer tenure somewhere, and many of those involve proofs. But there's also a lot of value in being able to look at a moderately complicated thing, like a hash function construction or a block cipher chaining mode, and show that the only way anything can go wrong with that construction is if some underlying cryptographic object has a flaw. Smart people have proposed chaining modes that could be broken even when used with a strong block cipher. You can hope that security proofs will keep us from doing that.
Now, sometimes the proofs are wrong, and almost always, they involve a lot of simplification of reality (like most proofs aren't going to take low-entropy RNG outputs into account). But they still seem pretty valuable to me for real-world things. Among other things, they give you a completely different way of looking at the security of a real-world thing, with different people looking over the proof and trying to attack things.
--John
More information about the cryptography
mailing list