>From: Joseph Ashwood <[EMAIL PROTECTED]>
>Sent: Feb 17, 2005 12:15 AM
>To: cryptography@metzdowd.com
>Subject: Re: SHA-1 cracked

>This attack means that we need to begin the process for a quick and painless
>retirement of SHA-1 in favor of SHA-256/384/512 in the immediate future and
>begin further preparations to move to Whirlpool and other hashes in the near
>future. I say this because with MD5 completely broken, SHA-0 effectively
>completely broken, and SHA-1 showing big cracks, the entire SHA series is in
>doubt, and needs to be heavily reconsidered, otherwise we're looking at a
>continuing failure of hash functions apparently in a yearly fashion until we
>run out of the SHA series.

Yep. The thing that's interesting here is that the more-or-less obvious fallbacks for SHA1 are RIPE-MD160 and SHA256/512. But given the pile of bodies in front of Wang's door already (MD4, MD5, Haval, RIPE-MD, SHA0, SHA1), it's hard to have any confidence at all that RIPE-MD160 will survive long.

All the remaining SHA functions are the same, modulo some constants and the wordsize used--SHA512 is just SHA256 using 64-bit words, different constants, and a few more rounds. So there's really only one SHA function left. It's different enough from SHA1 that it's plausible Wang's attacks won't work, but I can't see any really strong reason to trust in that. Whirlpool looks like the best bet for a fallback right now, but it really hasn't seen anything like the amount of analysis I'd like.

This is what it looks like when someone develops a new class of attack that breaks a whole bunch of your available cryptographic primitives in a big hurry.

> Joe

--John Kelsey

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
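The structural point made in the reply, that the SHA-2 family is one design instantiated with different word sizes, constants and round counts, can be checked directly. What follows is an added example, not code from the thread or from either author: a single parameterised SHA-2 compression loop in Python that yields SHA-256, SHA-384 and SHA-512 by changing only the word width, the round count, the per-variant rotation amounts (which the message does not mention but which also differ) and the constants, which are derived at runtime from the fractional parts of prime roots exactly as FIPS 180 specifies rather than typed in as tables. The names `sha2`, `PARAMS`, `frac_root_bits` and `matches_hashlib` are mine; the result is compared against `hashlib` so the derivation can be trusted.

```python
"""Parameterised SHA-2 (added example): SHA-256, SHA-384 and SHA-512 from one loop."""
import hashlib


def primes(n):
    """First n primes by trial division (80 are needed for the SHA-512 round constants)."""
    out, c = [], 2
    while len(out) < n:
        if all(c % p for p in out if p * p <= c):
            out.append(c)
        c += 1
    return out


def iroot(n, k):
    """floor(n ** (1/k)) in exact integer arithmetic (Newton iteration from an upper bound)."""
    x = 1 << ((n.bit_length() + k - 1) // k)
    while True:
        y = ((k - 1) * x + n // x ** (k - 1)) // k
        if y >= x:
            return x
        x = y


def frac_root_bits(p, k, w):
    """First w bits of the fractional part of the k-th root of p: how FIPS 180 defines K and H."""
    return iroot(p << (k * w), k) & ((1 << w) - 1)


# Everything that distinguishes the variants: word width, rounds, rotation/shift amounts,
# which primes seed the IV (SHA-384 uses the 9th..16th), and how many words are output.
PARAMS = {
    "sha256": dict(w=32, rounds=64, S0=(2, 13, 22), S1=(6, 11, 25),
                   s0=(7, 18, 3), s1=(17, 19, 10), iv=(0, 8), out=8),
    "sha512": dict(w=64, rounds=80, S0=(28, 34, 39), S1=(14, 18, 41),
                   s0=(1, 8, 7), s1=(19, 61, 6), iv=(0, 8), out=8),
    "sha384": dict(w=64, rounds=80, S0=(28, 34, 39), S1=(14, 18, 41),
                   s0=(1, 8, 7), s1=(19, 61, 6), iv=(8, 16), out=6),
}


def sha2(name, msg):
    """Digest of msg (bytes) under the named SHA-2 variant, as raw bytes."""
    P = PARAMS[name]
    w, rounds = P["w"], P["rounds"]
    mask = (1 << w) - 1
    wb = w // 8                       # bytes per word
    block = 16 * wb                   # 64-byte (SHA-256) or 128-byte (SHA-512) blocks
    ps = primes(rounds)
    K = [frac_root_bits(p, 3, w) for p in ps[:rounds]]          # cube roots -> round constants
    H = [frac_root_bits(p, 2, w) for p in ps[P["iv"][0]:P["iv"][1]]]  # square roots -> IV

    def rotr(x, n):
        return ((x >> n) | (x << (w - n))) & mask

    def big(x, r):    # Sigma: three rotations
        return rotr(x, r[0]) ^ rotr(x, r[1]) ^ rotr(x, r[2])

    def small(x, r):  # sigma: two rotations and one shift
        return rotr(x, r[0]) ^ rotr(x, r[1]) ^ (x >> r[2])

    # Merkle-Damgard padding: 0x80, zero fill, then the bit length in a two-word field.
    padded = msg + b"\x80"
    padded += b"\x00" * ((-len(padded) - 2 * wb) % block)
    padded += (len(msg) * 8).to_bytes(2 * wb, "big")

    for off in range(0, len(padded), block):
        chunk = padded[off:off + block]
        W = [int.from_bytes(chunk[i * wb:(i + 1) * wb], "big") for i in range(16)]
        for t in range(16, rounds):   # message schedule expansion
            W.append((small(W[t - 2], P["s1"]) + W[t - 7]
                      + small(W[t - 15], P["s0"]) + W[t - 16]) & mask)
        a, b, c, d, e, f, g, h = H
        for t in range(rounds):
            T1 = (h + big(e, P["S1"]) + ((e & f) ^ (~e & g)) + K[t] + W[t]) & mask
            T2 = (big(a, P["S0"]) + ((a & b) ^ (a & c) ^ (b & c))) & mask
            h, g, f, e, d, c, b, a = g, f, e, (d + T1) & mask, c, b, a, (T1 + T2) & mask
        H = [(x + y) & mask for x, y in zip(H, (a, b, c, d, e, f, g, h))]
    return b"".join(x.to_bytes(wb, "big") for x in H[:P["out"]])


def matches_hashlib(name, msg):
    """True when the parameterised implementation agrees with the platform's hashlib."""
    return sha2(name, msg) == hashlib.new(name, msg).digest()


if __name__ == "__main__":
    for name in ("sha256", "sha384", "sha512"):
        print(name, sha2(name, b"abc").hex(), matches_hashlib(name, b"abc"))
```

The only code paths that differ between SHA-256 and SHA-512 are the numbers in `PARAMS`; the compression loop is shared, which is the reply's point that cryptanalytic progress against one member of the family is a concern for all of them.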