On Wednesday, 11 July 2018 06:57:59 CEST Peter Gutmann wrote:
> Hubert Kario <hka...@redhat.com> writes:
> >defeating two hashes, when both use use the Merkle-Damgård construction, is
> >not much harder than breaking just one of them (increase of work factor
> >less than 2)
> "In theory there is no difference between theory and practice.  In practice
> there is".
> I'm aware of this long-standing theoretical weakness around multicollisions.
> I'm just as aware that in the fifteen-odd years since the Joux paper,
> no-one has ever managed to demonstrate an even remotely practical attack on
> dual hashes, despite the hugely tempting target of all of SSL/TLS being
> there as a reward.

2^77 is a rather high barrier of entry just to prove expected result – I'm not 
surprised about lack of practical attack at all.

Nobody has disproved the conclusion of that paper either, so we don't have the 
luxury of ignoring it.

Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic

Attachment: signature.asc
Description: This is a digitally signed message part.

TLS mailing list

Reply via email to