[142742] in cryptography@c2.net mail archive
Re: MD5 considered harmful today, SHA-1 considered harmful
daemon@ATHENA.MIT.EDU (Paul Hoffman)
Tue Jan 20 16:34:11 2009
In-Reply-To: <4974823A.8040409@Sun.COM>
Date: Mon, 19 Jan 2009 08:33:26 -0800
To: Darren J Moffat <Darren.Moffat@Sun.COM>
From: Paul Hoffman <paul.hoffman@vpnc.org>
Cc: cryptography@metzdowd.com
At 1:38 PM +0000 1/19/09, Darren J Moffat wrote:
>Can you state the assumptions for why you think that moving to SHA384 would be safe if SHA256 was considered vulnerable in some way please.
Sure. I need 128 bits of pre-image protection for, say, a digital signature. SHA2/256 is giving me that. Then, due to some weakness, it is only giving me 112 bits of protection. The weakness is understood in the crypto community, and it's a straight-line loss of bits of protection.
SHA2/384 would then give me 168 bits of protection, which is more than the 128 that I need.
Even if you don't trust that there is a straight-line loss of bits, you would have to be believing that the attack is much worse for SHA2/384 than it was for SHA2/256 in order to bring the output down to the level that I need.
--Paul Hoffman, Director
--VPN Consortium
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
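The arithmetic behind the reply above, as an added example that is not part of Paul Hoffman's message or of the list archive. It uses the message's own accounting (half the output length as the generic strength, so 128 bits for SHA2/256, and 112 bits after the hypothetical weakness) and compares two ways of extrapolating that weakness to a longer output: the "straight-line" (proportional) loss the message assumes, and a constant-bits-lost model. The last function quantifies the message's closing point: how large a fraction of its strength SHA2/384 would have to lose before it fell below the required 128 bits. Function names and the constant-loss model are assumptions made for illustration.

```python
# Added example, not code from the original message. Figures follow the
# message: generic strength = output_bits / 2, SHA2/256 drops 128 -> 112.

def generic_strength(output_bits: int) -> int:
    """Generic strength of an n-bit hash in the message's accounting: n/2 bits."""
    return output_bits // 2


def straight_line_loss(output_bits: int, reference_bits: int, reference_weakened: int) -> float:
    """Proportional ("straight-line") model: the attack strips the same fraction
    of bits from every member of the family as it did from the reference size."""
    factor = reference_weakened / generic_strength(reference_bits)
    return generic_strength(output_bits) * factor


def constant_loss(output_bits: int, reference_bits: int, reference_weakened: int) -> int:
    """Alternative model (assumed here for comparison): the attack removes a fixed
    number of bits regardless of output size."""
    lost = generic_strength(reference_bits) - reference_weakened
    return generic_strength(output_bits) - lost


def fraction_to_fall_below(output_bits: int, target_bits: int) -> float:
    """Fraction of generic strength an attack must remove from an output_bits hash
    to push it below target_bits. Compare with the fraction actually observed on
    the reference size to judge how much 'worse' the attack would need to be."""
    return 1 - target_bits / generic_strength(output_bits)


def observed_fraction(reference_bits: int, reference_weakened: int) -> float:
    """Fraction of generic strength the hypothetical weakness removed from the reference."""
    return 1 - reference_weakened / generic_strength(reference_bits)


def summary(target_bits: int = 128, reference_bits: int = 256, reference_weakened: int = 112) -> dict:
    """Table of resulting strengths for the SHA-2 output sizes under both models."""
    rows = {}
    for bits in (256, 384, 512):
        rows[bits] = {
            "straight_line": straight_line_loss(bits, reference_bits, reference_weakened),
            "constant": constant_loss(bits, reference_bits, reference_weakened),
            "meets_target_straight_line": straight_line_loss(bits, reference_bits, reference_weakened) >= target_bits,
        }
    return rows


if __name__ == "__main__":
    for bits, row in summary().items():
        print(f"SHA2/{bits}: straight-line {row['straight_line']:.0f} bits, "
              f"constant-loss {row['constant']} bits, "
              f"meets 128-bit target: {row['meets_target_straight_line']}")
    print(f"loss observed on SHA2/256: {observed_fraction(256, 112):.3f}")
    print(f"loss needed to push SHA2/384 below 128: {fraction_to_fall_below(384, 128):.3f}")
```

Under the straight-line model SHA2/384 lands at 168 bits, matching the message; under a constant 16-bit loss it lands at 176. To drop SHA2/384 below 128 bits an attack would have to remove a third of its generic strength, versus the one-eighth the hypothetical weakness removed from SHA2/256.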