On 2009 Aug 19, at 3:28, Paul Hoffman wrote:

> At 5:28 PM -0400 8/19/09, Perry E. Metzger wrote:
>
>> I believe attacks on Git's use of SHA-1 would require second pre-image
>> attacks, and I don't think anyone has demonstrated such a thing for
>> SHA-1 at this point. None the less, I agree that it would be better if
>> Git eventually used better hash functions. Attacks only get better with
>> time, and SHA-1 is certainly creaking.
>
> I understand that "creaking" is not a technical cryptography term,
> but "certainly" is. When do we become "certain" that devastating
> attacks on one feature of hash functions (collision resistance) have
> any effect at all on even weak attacks on a different feature
> (either first or second preimages)?
>
> This is a serious question. Has anyone seen any research that took
> some of the excellent research on collision resistance and used it
> directly for preimage attacks, even with greatly reduced rounds?

Not directly, as far as I know. But some research and success on
preimages, yes.

> The longer that MD5 goes without any hint of preimage attacks, the
> less "certain" I am that collision attacks are even related to
> preimage attacks.

They aren't particularly related, but there was a presentation at
Eurocrypt about MD5 preimages earlier this year. Or maybe it was MD4...

Greg.

> Of course, I still believe in hash algorithm agility: regardless of
> how preimage attacks will be found, we need to be able to deal with
> them immediately.
>
> --Paul Hoffman, Director
> --VPN Consortium
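The distinction the thread turns on, collision resistance versus (second) preimage resistance, shown in working code. This is an added example and not part of any message above. It computes real Git object IDs (the "<type> <size>\0<content>" framing Git feeds to SHA-1, so the blob ID matches `git hash-object`), then runs a birthday search and a brute-force second-preimage search against SHA-1 truncated to 20 bits, a parameter chosen here only so the searches finish in seconds. The function names, the truncation width and the sample inputs are my own assumptions.

```python
import hashlib
from itertools import count

# Git names every object by SHA-1 over "<type> <size>\0" followed by the content.
# This is Git's real construction; git_object_id("blob", b"hello\n") equals
# the ID printed by `echo hello | git hash-object --stdin`.
def git_object_id(obj_type: str, data: bytes) -> str:
    framed = b"%s %d\0" % (obj_type.encode(), len(data)) + data
    return hashlib.sha1(framed).hexdigest()

# Toy hash for the cost comparison: SHA-1 with only the leading N_BITS kept.
# N_BITS = 20 is an assumption chosen so a full brute-force search runs in seconds.
N_BITS = 20

def h(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") >> (160 - N_BITS)

def find_collision():
    """Birthday search: any m1 != m2 with h(m1) == h(m2).

    The attacker chooses BOTH messages, so expected work is about 2^(N_BITS/2).
    Returns (m1, m2, trials). Inputs are a deterministic counter, so the result
    is reproducible; by the pigeonhole principle trials <= 2**N_BITS + 1.
    """
    seen = {}
    for i in count():
        m = b"collision-%d" % i
        d = h(m)
        if d in seen:
            return seen[d], m, i + 1
        seen[d] = m

def find_second_preimage(target: bytes):
    """Brute force: some m != target with h(m) == h(target).

    The target is fixed by someone else (an existing commit in a repository),
    so the attacker cannot use the birthday trick; expected work is about
    2^N_BITS. Returns (m, trials).
    """
    t = h(target)
    for i in count():
        m = b"preimage-%d" % i
        if m != target and h(m) == t:
            return m, i + 1

if __name__ == "__main__":
    print("git blob id for b'hello\\n':", git_object_id("blob", b"hello\n"))
    m1, m2, ct = find_collision()
    print(f"collision after {ct} trials: {m1!r} {m2!r} -> {h(m1):#x}")
    target = b"existing commit object"  # constructed stand-in for a fixed object
    m, pt = find_second_preimage(target)
    print(f"second preimage after {pt} trials: {m!r} -> {h(m):#x}")
```

At 20 bits the collision typically lands after around a thousand trials and the second preimage after around a million; at Git's full 160 bits the corresponding figures are 2^80 and 2^160, which is why a collision attack on SHA-1 does not by itself let an attacker replace an object whose ID is already recorded in someone else's repository.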
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com