On Feb 19, 2009, at 15:19 PM, Brian Warner wrote:

> the observation that a fast (but no longer cryptographically-
> secure) hash like MD4 is good enough

Nitpick: I prefer not to say that MD4 used to be secure before 1996 and then became insecure. Rather: we used to think, back in 1995, that MD4 was secure, and in 1996 we learned that it was insecure.

Who was the first person who figured out how to generate collisions in MD4? Was it Hans Dobbertin, who published the technique in 1996? If so, people who were relying on the collision-resistance of MD4 in 1995, but who stopped relying on it by 1996, were in no danger. But how do you know that Dobbertin was the first person to think of that technique? If someone else thought of that technique in 1995, or if Dobbertin (who worked for the German counter-eavesdropping agency) thought of that technique before he published it, then people who were relying on the security of MD4 in 1995 were vulnerable.

So you can't say that in 1995 MD4 was secure. It might or might not have had the sort of security of "nobody has figured out how to break this yet". It definitely *didn't* have the sort of security of "it is impossible to break this".

Regards,

Zooko

_______________________________________________
tahoe-dev mailing list
[email protected]
http://allmydata.org/cgi-bin/mailman/listinfo/tahoe-dev
