At 17:58 -0500 2006/11/08, Leichter, Jerry wrote:
No, SHA-1 is holding on (by a thread) because of differences in the
details of the algorithm - details it shares with SHA-256.  I
don't think anyone will seriously argue that if SHA-1 is shown to
be as vulnerable as we now know MD5 to be, then SHA-256 can still
be taken to be safe for more than a fairly short time.

Hmm, I disagree with this. Firstly, I don't think SHA-1 *is* holding on... while we don't have an example collision yet, there is no real doubt that one can be found in about 2^64 operations, which is less than the required 2^80. And SHA-2 does have a significantly different design in one area; the data expansion part is much stronger than SHA-1's, and almost certainly defeats the Wang-style attacks. Our paper on eprint gives some justification for why SHA-2 would appear to be resistant to these kinds of attacks.
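
The design difference the reply points to can be seen in the message expansion itself. The following is an added example, not part of the original post or of the paper it mentions: it implements the two expansions as specified in FIPS 180-4 and checks whether a one-bit message difference produces the same schedule difference for two different messages. SHA-1's expansion uses only XOR and rotation, so it is linear over GF(2) and the difference is message-independent; SHA-256's uses the sigma functions plus addition mod 2^32, so carries make it message-dependent. The inputs (`ZEROS`, `ONES`, `DELTA`) and the helper names are constructed for illustration.

```python
MASK = 0xFFFFFFFF

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK

def sha1_expand(block):
    """16 words -> 80 words: XOR of four earlier words, rotated left by 1."""
    w = list(block)
    for t in range(16, 80):
        w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    return w

def sha256_expand(block):
    """16 words -> 64 words: sigma0/sigma1 mixing plus addition mod 2^32."""
    w = list(block)
    for t in range(16, 64):
        s0 = rotr(w[t - 15], 7) ^ rotr(w[t - 15], 18) ^ (w[t - 15] >> 3)
        s1 = rotr(w[t - 2], 17) ^ rotr(w[t - 2], 19) ^ (w[t - 2] >> 10)
        w.append((s1 + w[t - 7] + s0 + w[t - 16]) & MASK)
    return w

def schedule_diff(expand, base, delta):
    """Word-wise XOR difference between the schedules of base and base^delta."""
    other = [b ^ d for b, d in zip(base, delta)]
    return [x ^ y for x, y in zip(expand(base), expand(other))]

def weight(words):
    """Number of differing bits across a list of 32-bit words."""
    return sum(bin(x).count("1") for x in words)

# Constructed inputs: two base blocks and a one-bit difference in word 0.
ZEROS = [0] * 16
ONES = [MASK] * 16
DELTA = [1] + [0] * 15

def report():
    """Per algorithm: diff weight for each base block, and whether the diffs match."""
    rows = []
    for name, expand in (("SHA-1", sha1_expand), ("SHA-256", sha256_expand)):
        d0 = schedule_diff(expand, ZEROS, DELTA)
        d1 = schedule_diff(expand, ONES, DELTA)
        rows.append((name, weight(d0[16:]), weight(d1[16:]), d0 == d1))
    return rows

if __name__ == "__main__":
    for name, w0, w1, same in report():
        print(f"{name}: expanded-word diff weight {w0} / {w1}, message-independent: {same}")
```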

