[144761] in cryptography@c2.net mail archive
Re: Certainty
daemon@ATHENA.MIT.EDU (Greg Rose)
Fri Aug 21 17:11:29 2009
Cc: Greg Rose <ggr@qualcomm.com>, "Perry E. Metzger" <perry@piermont.com>,
Cryptography List <cryptography@metzdowd.com>
From: Greg Rose <ggr@qualcomm.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <p06240807c6b22bf61439@[10.20.30.158]>
Date: Wed, 19 Aug 2009 21:02:39 -0700
On 2009 Aug 19, at 3:28 , Paul Hoffman wrote:
> At 5:28 PM -0400 8/19/09, Perry E. Metzger wrote:
>> I believe attacks on Git's use of SHA-1 would require second pre-image
>> attacks, and I don't think anyone has demonstrated such a thing for
>> SHA-1 at this point. Nonetheless, I agree that it would be better if
>> Git eventually used better hash functions. Attacks only get better with
>> time, and SHA-1 is certainly creaking.
>
> I understand that "creaking" is not a technical cryptography term,
> but "certainly" is. When do we become "certain" that devastating
> attacks on one feature of hash functions (collision resistance) have
> any effect at all on even weak attacks on a different feature
> (either first or second preimages)?
>
> This is a serious question. Has anyone seen any research that took
> some of the excellent research on collision resistance and used it
> directly for preimage attacks, even with greatly reduced rounds?
Not directly, as far as I know. But some research and success on
preimages, yes.
>
> The longer that MD5 goes without any hint of preimage attacks, the
> less "certain" I am that collision attacks are even related to
> preimage attacks.
They aren't particularly related, but there was a presentation at
Eurocrypt about MD5 preimages earlier this year. Or maybe it was MD4...
Greg.
>
> Of course, I still believe in hash algorithm agility: regardless of
> how preimage attacks will be found, we need to be able to deal with
> them immediately.
>
> --Paul Hoffman, Director
> --VPN Consortium
>
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
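The hash-agility point Paul Hoffman makes above, illustrated with an added example that is not code from the thread or from Git: a small content-addressed store whose object ids carry the name of the hash that produced them, so the accepted set can be narrowed and existing objects rehashed without touching the object format. It uses Git's object encoding ("<type> <length>\0<content>"), which is how Git derives its ids; the AgileStore class and its methods are hypothetical.

```python
import hashlib

# Hash algorithms this store knows; the name travels inside every object id.
ALGOS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}


def object_id(kind: str, content: bytes, algo: str) -> str:
    """Hash a Git-style object ("<type> <len>\\0<content>") with the named algorithm."""
    header = f"{kind} {len(content)}\0".encode()
    return f"{algo}:{ALGOS[algo](header + content).hexdigest()}"


class AgileStore:
    """Hypothetical content-addressed store: ids name their algorithm,
    a policy set names which algorithms are still trusted on read."""

    def __init__(self, accepted=("sha1", "sha256")):
        self.objects = {}              # id -> (kind, content)
        self.accepted = set(accepted)

    def put(self, kind: str, content: bytes, algo: str = "sha1") -> str:
        oid = object_id(kind, content, algo)
        self.objects[oid] = (kind, content)
        return oid

    def get(self, oid: str) -> bytes:
        algo, _, _ = oid.partition(":")
        if algo not in self.accepted:
            raise ValueError(f"{algo} is no longer accepted by policy")
        kind, content = self.objects[oid]
        # Recompute on read so altered content cannot hide behind a stale id.
        if object_id(kind, content, algo) != oid:
            raise ValueError("object content does not match its id")
        return content

    def migrate(self, new_algo: str) -> dict:
        """Rehash every object under new_algo and return an old-id -> new-id map.
        Afterwards only new_algo ids are accepted, retiring the old hash at once."""
        mapping = {}
        for oid, (kind, content) in list(self.objects.items()):
            mapping[oid] = self.put(kind, content, new_algo)
        self.accepted = {new_algo}
        return mapping
```

Because the algorithm name is part of the identifier, a future "sha3" column can be added to ALGOS and migrated to with the same call, which is the agility the thread asks for.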