On 2009 Aug 19, at 3:28 , Paul Hoffman wrote:

At 5:28 PM -0400 8/19/09, Perry E. Metzger wrote:
I believe attacks on Git's use of SHA-1 would require second pre- image
attacks, and I don't think anyone has demonstrated such a thing for
SHA-1 at this point. None the less, I agree that it would be better if Git eventually used better hash functions. Attacks only get better with
time, and SHA-1 is certainly creaking.

I understand that "creaking" is not a technical cryptography term, but "certainly" is. When do we become "certain" that devastating attacks on one feature of hash functions (collision resistance) have any effect at all on even weak attacks on a different feature (either first or second preimages)?

This is a serious question. Has anyone seen any research that took some of the excellent research on collision resistance and used it directly for preimage attacks, even with greatly reduced rounds?

Not directly, as far as I know. But some research and success on preimages, yes.

The longer that MD5 goes without any hint of preimage attacks, the less "certain" I am that collision attacks are even related to preimage attacks.

They aren't particularly related, but there was a presentation at Eurocrypt about MD5 preimages earlier this year. Or maybe it was MD4...

Greg.


Of course, I still believe in hash algorithm agility: regardless of how preimage attacks will be found, we need to be able to deal with them immediately.

--Paul Hoffman, Director
--VPN Consortium

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Reply via email to