[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SHA-1 broken

To: Gadi Evron <gadi@xxxxxxxxxxxxx>
Subject: Re: SHA-1 broken
From: Robert Sussland <robert@xxxxxxxxxxx>
Date: Wed, 16 Feb 2005 17:25:06 -0800

On Feb 16, 2005, at 4:56 AM, Gadi Evron wrote:

Now, we've all seen this coming for a while.
http://www.schneier.com/blog/archives/2005/02/sha1_broken.html

Where do we go from here?

We abandon the requirement of collision resistance. This is a strange requirement, and is not supported by experience. Collision resistance is not a "hard" problem in the sense that factoring large numbers or computing discrete logs is hard. Collision resistance in deterministic hash functions smells too much like generating entropy without secrets. I have no reason to believe that careful analysis of *any* publicly known deterministic many-to-one function will not allow me to produce a collision, assuming I control all inputs into the function.

From my point of view, the issue is what weaker assumption do we replace collision resistance with -- how about:

target collision resistance, with the "strength" of resistance equal to the average advantage an attacker would gain in matching a fixed target, as the target is averaged over all possible inputs in a measure space? Then, producing "rare" messages which could be targeted would not weaken the hash, as the probability of such messages occurring would be low.

Follow-Ups:
- Re: SHA-1 broken
  - From: dullien

References:
- SHA-1 broken
  - From: Gadi Evron

Prev by Date: RE: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
Next by Date: Re: SHA-1 broken
Previous by thread: Re: SHA-1 broken
Next by thread: Re: SHA-1 broken
Index(es):
- Date
- Thread