Bruce Schneier wrote: (in Cryptogram)

> SHA-1 has been broken.  Not a reduced-round version. Not a simplified version.
> The real thing.
> 
> "One-way hash functions are supposed to have two properties.  One, they're one
> way.  This means that it is easy to take a message and compute the hash value,
> but it's impossible to take a hash value and recreate the original message.
> (By 'impossible' I mean 'can't be done in any reasonable amount of time.')
> Two, they're collision free.  This means that it is impossible to find two
> messages that hash to the same hash value.  The cryptographic reasoning behind
> these two properties is subtle, and I invite curious readers to learn more in
> my book Applied Cryptography.
> 
> "Breaking a hash function means showing that either -- or both -- of those
> properties are not true."
> 
> Last month, three Chinese cryptographers showed that SHA-1 is not
> collision-free.  That is, they developed an algorithm for finding collisions
> faster than brute force.

[ ... ]

> Jon Callas, PGP's CTO, put it best: "It's time to walk, but not run, to the
> fire exits.  You don't see smoke, but the fire alarms have gone off."  That's
> basically what I said last August.
> 
> "It's time for us all to migrate away from SHA-1.

[ ... ]

> 
> "Most of the hash functions we have, and all the ones in widespread use, are
> based on the general principles of MD4.  Clearly we've learned a lot about
> hash functions in the past decade, and I think we can start applying that
> knowledge to create something even more secure."

And that is why I ask you to give the Shamir Discrete Logarithm Hash Function a
second thought. At least we have a proof of collision resistance under the
assumption that factoring is infeasible for the modulus used.

And that is more than we ever had regarding the MD4 series.

BTW, choosing the next generation hash function should - as I think - not be
dominated by terms of performance (i.e. done in the old fashion).

    Ralf Senderek



*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*
* Ralf Senderek  <[EMAIL PROTECTED]> http://senderek.com*  What is privacy  *
* Sandstr. 60   D-41849 Wassenberg  +49 2432-3960       *      without      *
* PGP: AB 2C 85 AB DB D3 10 E7  CD A4 F8 AC 52 FC A9 ED *    Pure Crypto?   *
49466008763407508762442876812634724277805553224967086648493733366295231438448
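Added example, not code from the post or from Pure Crypto: a toy instance of the Shamir discrete-logarithm hash H(m) = g^m mod n together with the reduction behind the collision-resistance claim, turning any collision into a factor of n. The modulus n = 23 * 47 and generator g = 5 are constructed here and assume g has maximal order lambda(n); the same code shows the construction's trusted-setup caveat, that whoever knows the factorization can produce collisions at will.

```python
from math import gcd

# Constructed toy parameters (NOT secure): n = 23 * 47, and g = 5, which has
# maximal order lambda(n) = lcm(22, 46) = 506 modulo n.  A real instance uses
# a modulus whose factorisation nobody knows, with primes of 1024+ bits.
N = 23 * 47
G = 5
LAMBDA_N = 506  # lcm(23 - 1, 47 - 1); only known to whoever knows the factors


def shamir_hash(m, n=N, g=G):
    """Shamir's discrete-logarithm hash: H(m) = g^m mod n for an integer message m."""
    return pow(g, m, n)


def collide_with_trapdoor(m, lam=LAMBDA_N):
    """Trusted-setup caveat: knowing lambda(n) (i.e. the factors) gives collisions for free."""
    return m + lam  # g^lam == 1 (mod n), so H(m + lam) == H(m)


def factor_from_collision(m1, m2, n=N, g=G):
    """Turn a collision H(m1) == H(m2), m1 != m2, into a non-trivial factor of n.

    g^(m1-m2) == 1 (mod n), so L = |m1 - m2| is a multiple of the order of g.
    Assuming g has maximal order lambda(n), L is a multiple of lambda(n), and
    the Miller-Rabin-style search below finds a non-trivial square root of 1
    modulo n for some base a, which splits n.  Returns None if no base works
    (cannot happen when L is a multiple of lambda(n)).
    """
    if m1 == m2 or shamir_hash(m1, n, g) != shamir_hash(m2, n, g):
        raise ValueError("not a collision")
    L = abs(m1 - m2)
    s, t = 0, L                      # write L = 2^s * t with t odd
    while t % 2 == 0:
        s, t = s + 1, t // 2
    for a in range(2, n):
        d = gcd(a, n)
        if d != 1:
            return d                 # a itself shares a factor with n
        x = pow(a, t, n)
        if x in (1, n - 1):
            continue                 # this base only reaches trivial roots of 1
        for _ in range(s):
            y = x * x % n
            if y == 1:
                return gcd(x - 1, n)  # x is a non-trivial square root of 1 mod n
            if y == n - 1:
                break
            x = y
    return None
```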


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]