Time for a second thought about SDLH

2005-03-25 Thread ralf


On Sun, 20 Mar 2005, Steven M. Bellovin wrote:

> "Dominated"?  No, of course not.  But a hash function based on discrete
> log will be slow enough that no one will use it.

This is simply not true, because we are _not always_ going to sign
megabytes, and SDLH is more than fast enough for sensibly crafted texts.
At the end of the day we might consider the option that we don't need
a single hash function for everything.

There is a place for a high end hash function.

I insist on a second thought.

Kind regards

Ralf Senderek


*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*
* Ralf Senderek  <[EMAIL PROTECTED]> http://senderek.com*  What is privacy  *
* Sandstr. 60   D-41849 Wassenberg  +49 2432-3960   *  without  *
* PGP: AB 2C 85 AB DB D3 10 E7  CD A4 F8 AC 52 FC A9 ED *Pure Crypto?   *
49466008763407508762442876812634724277805553224967086648493733366295231438448

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: Schneier: SHA-1 has been broken - Time for a second thought about SDLH ?

2005-03-20 Thread Steven M. Bellovin
In message <[EMAIL PROTECTED]>, Ralf Senderek writes:

>
>And that is why I ask to give the Shamir Discrete Logarithm Hash Function a second
>thought. At least we have a proof of collision resistance under the assumption
>that factoring is infeasible for the modulus used.
>
>And that is more than we ever had regarding the MD4 series.
>
>BTW, choosing the next generation hash function should - as I think - not be
>dominated by terms of performance. (i.e. done in the old fashion)
>

"Dominated"?  No, of course not.  But a hash function based on discrete 
log will be slow enough that no one will use it.  

--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb





Schneier: SHA-1 has been broken - Time for a second thought about SDLH ?

2005-03-20 Thread Ralf Senderek
Bruce Schneier wrote: (in Cryptogram)

> SHA-1 has been broken.  Not a reduced-round version. Not a simplified version.
> The real thing.
> 
> "One-way hash functions are supposed to have two properties.  One, they're one
> way.  This means that it is easy to take a message and compute the hash value,
> but it's impossible to take a hash value and recreate the original message.
> (By 'impossible' I mean 'can't be done in any reasonable amount of time.')
> Two, they're collision free.  This means that it is impossible to find two
> messages that hash to the same hash value.  The cryptographic reasoning behind
> these two properties is subtle, and I invite curious readers to learn more in
> my book Applied Cryptography.
> 
> "Breaking a hash function means showing that either -- or both -- of those
> properties are not true."
> 
> Last month, three Chinese cryptographers showed that SHA-1 is not
> collision-free.  That is, they developed an algorithm for finding collisions
> faster than brute force.

[ ... ]

> Jon Callas, PGP's CTO, put it best: "It's time to walk, but not run, to the
> fire exits.  You don't see smoke, but the fire alarms have gone off."  That's
> basically what I said last August.
> 
> "It's time for us all to migrate away from SHA-1.

[ ... ]

> 
> "Most of the hash functions we have, and all the ones in widespread use, are
> based on the general principles of MD4.  Clearly we've learned a lot about
> hash functions in the past decade, and I think we can start applying that
> knowledge to create something even more secure."

And that is why I ask to give the Shamir Discrete Logarithm Hash Function a
second thought. At least we have a proof of collision resistance under the
assumption that factoring is infeasible for the modulus used.

And that is more than we ever had regarding the MD4 series.

BTW, choosing the next generation hash function should - as I think - not be
dominated by terms of performance. (i.e. done in the old fashion)

Ralf Senderek



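The construction Ralf is arguing for, and the reduction behind the "collision resistance if factoring is hard" claim, written out as an added example. This is not code from the thread, from Senderek's Pure Crypto software, or from Shamir's paper; the toy primes, the generator, the messages and all function names are constructed here so the reduction can be followed by hand, and a real instance would need an RSA-strength modulus whose factorization nobody retains. The timing helper at the end is there for Bellovin's performance objection: because the message itself is the exponent, hashing costs about one modular squaring per message bit.

```python
"""Shamir's discrete-log hash (SDLH) on toy parameters, plus the
collision -> factoring reduction that is its security argument.

Added example for the mailing-list thread; every parameter below is
constructed for illustration (n = 253 is far too small for any real use).
"""
from math import gcd
import hashlib
import os
import time


def sdlh_hash(msg: bytes, n: int, g: int) -> int:
    """H(m) = g^m mod n, reading the message bytes as one big integer.

    The exponent is as long as the message, so square-and-multiply costs
    roughly one modular squaring of an n-sized number per message bit.
    """
    m = int.from_bytes(msg, "big")
    return pow(g, m, n)


def forge_collision_with_trapdoor(msg: bytes, p: int, q: int) -> bytes:
    """Anyone holding p and q can collide any message, since
    g^(m + lambda(n)) == g^m (mod n) for every g coprime to n = p*q.
    This is why SDLH needs a trusted setup in which p and q are destroyed.
    """
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)      # Carmichael lambda(n)
    m2 = int.from_bytes(msg, "big") + lam
    return m2.to_bytes((m2.bit_length() + 7) // 8, "big")


def factor_from_collision(n: int, g: int, msg1: bytes, msg2: bytes):
    """Turn a collision H(msg1) == H(msg2), msg1 != msg2, into factors of n.

    g^(m1 - m2) == 1 (mod n), so k = |m1 - m2| is a multiple of ord(g).
    Write k = 2^s * t with t odd and square a = g^t repeatedly: the last
    value before 1 is a square root of 1 mod n, and if it is not +-1 then
    gcd(a - 1, n) is a proper factor. Returns None in the unlucky case
    where the orders of g mod p and mod q have the same 2-adic valuation
    (the full proof handles that by varying g).
    """
    m1 = int.from_bytes(msg1, "big")
    m2 = int.from_bytes(msg2, "big")
    if m1 == m2 or pow(g, m1, n) != pow(g, m2, n):
        raise ValueError("not a collision")
    t = abs(m1 - m2)
    while t % 2 == 0:
        t //= 2
    a = pow(g, t, n)
    while a != 1:
        nxt = pow(a, 2, n)
        if nxt == 1:
            if a == n - 1:
                return None                    # trivial root, no split
            p = gcd(a - 1, n)
            return (min(p, n // p), max(p, n // p))
        a = nxt
    return None


def time_sdlh_vs_sha256(nbytes: int):
    """Seconds to hash one random nbytes message with SDLH and with SHA-256.

    The modulus here is just an arbitrary odd 2048-bit number chosen to
    time the arithmetic; it is NOT a valid SDLH modulus.
    """
    n_timing = (1 << 2048) - 1
    msg = os.urandom(nbytes)
    t0 = time.perf_counter()
    sdlh_hash(msg, n_timing, 2)
    t1 = time.perf_counter()
    hashlib.sha256(msg).digest()
    t2 = time.perf_counter()
    return t1 - t0, t2 - t1


if __name__ == "__main__":
    # Toy trusted setup: whoever generated p and q is also the forger here.
    P, Q, G = 11, 23, 2
    N = P * Q
    m1 = b"\x05"
    m2 = forge_collision_with_trapdoor(m1, P, Q)
    print("H(m1) =", sdlh_hash(m1, N, G), " H(m2) =", sdlh_hash(m2, N, G))
    print("factors recovered from the collision:",
          factor_from_collision(N, G, m1, m2))
    t_sdlh, t_sha = time_sdlh_vs_sha256(4096)
    print(f"4 KiB message: SDLH {t_sdlh:.4f}s vs SHA-256 {t_sha:.6f}s")
```

Two properties of g^m mod n are worth keeping in mind before treating SDLH as a drop-in for SHA-1: it is homomorphic (H(a) * H(b) == H(a + b) mod n), so protocols that need more than collision resistance from their hash are not covered by the factoring proof, and the trapdoor used above means the party that generated the modulus can collide anything it likes.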