At 17:58 -0500 2006/11/08, Leichter, Jerry wrote:
> No, SHA-1 is holding on (by a thread) because of differences in the details of the algorithm - details it shares with SHA-256. I don't think anyone will seriously argue that if SHA-1 is shown to be as vulnerable as we now know MD5 to be, then SHA-256 can still be taken to be safe for more than a fairly short time.
Hmm, I disagree with this. Firstly, I don't think SHA-1 *is* holding on... while we don't have an example collision yet, there is no real doubt that one can be found in about 2^64 operations, which is less than the required 2^80. And SHA-2 does have a significantly different design in one area; the data expansion part is much stronger than SHA-1's, and almost certainly defeats the Wang-style attacks. Our paper on eprint gives some justification for why SHA-2 would appear to be resistant to these kinds of attacks.
Greg.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
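The "data expansion" (message schedule) difference that Greg's reply points at can be made concrete. The added example below is not from the original thread or from the cited eprint paper; it implements only the message schedules of SHA-1 and SHA-256 as specified in FIPS 180-4 (not the compression functions) and checks one property that matters for Wang-style differential attacks: in SHA-1 the expansion is linear over GF(2), so the XOR difference in every expanded word caused by a given input difference is the same for every message, whereas in SHA-256 the modular additions in the schedule make that difference depend on the actual message words. The sample blocks are constructed from SHA-256 digests purely to get deterministic, pseudo-random 64-byte inputs; the function names are my own.

```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK32


def sha1_schedule(block):
    """Expand one 64-byte block into the 80 words W[0..79] of SHA-1.

    W[t] = ROTL1(W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16]): only XOR and
    rotation, so the map from block to schedule is linear over GF(2).
    """
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):
        w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    return w


def sha256_schedule(block):
    """Expand one 64-byte block into the 64 words W[0..63] of SHA-256.

    W[t] = sigma1(W[t-2]) + W[t-7] + sigma0(W[t-15]) + W[t-16], with
    modular additions and the bit-dropping shifts inside sigma0/sigma1,
    so the map is not linear over GF(2).
    """
    w = list(struct.unpack(">16I", block))
    for t in range(16, 64):
        s0 = rotr(w[t - 15], 7) ^ rotr(w[t - 15], 18) ^ (w[t - 15] >> 3)
        s1 = rotr(w[t - 2], 17) ^ rotr(w[t - 2], 19) ^ (w[t - 2] >> 10)
        w.append((w[t - 16] + s0 + w[t - 7] + s1) & MASK32)
    return w


def xor_block(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def flip_bit(block, bit):
    """Copy of block with one bit flipped (bit 0 is the MSB of byte 0)."""
    b = bytearray(block)
    b[bit // 8] ^= 0x80 >> (bit % 8)
    return bytes(b)


def schedule_xor_diff(schedule, m1, m2):
    """Word-by-word XOR difference between the expansions of m1 and m2."""
    return [a ^ b for a, b in zip(schedule(m1), schedule(m2))]


def is_difference_linear(schedule, m1, m2):
    """True iff schedule(m1) ^ schedule(m2) == schedule(m1 ^ m2).

    For a GF(2)-linear expansion (SHA-1) this always holds; for SHA-256
    it fails for essentially any pair of distinct blocks.
    """
    return schedule_xor_diff(schedule, m1, m2) == schedule(xor_block(m1, m2))


def expanded_difference(schedule, m, bit):
    """XOR difference in every expanded word caused by flipping one input bit of m."""
    return schedule_xor_diff(schedule, m, flip_bit(m, bit))


def difference_is_message_independent(schedule, bit, messages):
    """True iff flipping `bit` yields the same expanded difference for every message.

    A fixed differential path through the schedule (the Wang-style setting)
    needs exactly this; SHA-1 gives it for free, SHA-256 does not.
    """
    patterns = {tuple(expanded_difference(schedule, m, bit)) for m in messages}
    return len(patterns) == 1


# Constructed, deterministic 64-byte blocks (not real protocol data).
MESSAGES = [hashlib.sha256(bytes([i])).digest() * 2 for i in range(8)]


if __name__ == "__main__":
    for name, sched in (("SHA-1", sha1_schedule), ("SHA-256", sha256_schedule)):
        indep = difference_is_message_independent(sched, 13, MESSAGES)
        linear = is_difference_linear(sched, MESSAGES[0], MESSAGES[1])
        print(f"{name}: linear={linear}, 1-bit difference message-independent={indep}")
```

Flipping a single bit of W[0] and comparing the resulting schedule differences across several blocks shows the point directly: SHA-1 produces one fixed difference pattern for all of them, while SHA-256 produces a different pattern for each block because the carries in its modular additions depend on the surrounding message bits. That is the property the reply refers to when it calls SHA-2's expansion "much stronger"; it is a property of the schedule alone, and says nothing on its own about the compression function.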