Travis H. wrote:
On 1/10/06, Ian G <[EMAIL PROTECTED]> wrote:

2. DSA has a problem, it relies on a 160
bit hash, which is for most purposes the
SHA-1 hash.  Upgrading the crypto to cope
with current hash circumstances is not
worthwhile;  we currently are waiting on
NIST to lead review in hashes so as to
craft a new generation.


What's wrong with SHA-256 and SHA-512?

http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf

I agree though that hashes (I hate the term, hashing has little to do
with creating OWFs) are not as advanced as block cipher design, and
160 bits seems rather small, but surely SHA-256 would be better than
throwing one's hands up, claiming it's unsolvable, and sticking with
SHA-1, right?

Well, it's a pragmatic situation:

  * all SHA algorithms are under a cloud
  * anything 160 bits or less is under a dark-ish cloud
  * the bigger ones won't break, but maybe
    the engineering will all change anyway
  * DSA has to be upgraded anyway
  * what's wrong with RSA in this role?
  * where's the threat to the DSA algorithm given that
    the attack is the birthday attack?
  * where's the threat to any extant usage of DSA
    (within its application profile)?

Pragmatically, wait and see is a good choice here,
IMO, but others disagree.

If the problem is size, the answer is there.  If the problem is
structural, a temporary answer is there.

DSA is fixed to a 160 bit hash (or is it DSS?).
So, it's possible to do RIPEM or a chopped off
version of SHA-256.  The question is, what does
that gain you?  Not that much, and probably not
as much as the pain of rolling out a new digsig
algorithm.

Using two structurally different hashes seems like a grand idea for
collision resistance, but bad for one-wayness.  One-wayness seems to
matter for message encryption, but doesn't seem to matter for signing
public keys - or am I missing something?

Well, using two different MDs to cover one
failing is a plausible idea - but at a logical
and cryptographic level, all you are doing is
inventing your own hash algorithm, constructed
from some prior work.

So, we can look at for example cipher chaining
like triple-DES.  There are strange artifacts
such as groups where non-obvious things come
in and trip you up.  Even though triple-DES
is still considered to have avoided that trap,
its relatively small block size means you can
now put the entire decrypt table on a dvd (or
somesuch, I forget the maths).

So in general, it's not a good idea to just
invent your own algorithms;  if you could do
better so easily, so could the professional
cryptographers, and they would have by now.

iang
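As an added illustration of the point that DSA is bound to the size of its hash input (example code, not from anyone in the thread): a toy DSA in Python whose reduction step keeps only the leftmost N bits of the digest, N being the bit length of q, which is the rule FIPS 186-3 later standardised. The domain parameters P, Q, G are constructed and far too small to be secure, and Q160 is a constructed stand-in that merely has the 160-bit length of a real q.

```python
"""Toy DSA illustrating that the hash input is tied to the bit length of q.
Added example; the constructed parameters are far too small to be secure."""
import hashlib
import secrets

# Constructed toy domain parameters: q | p-1 and g = 2**((p-1)//q) mod p has order q.
P, Q, G = 607, 101, 64
Q160 = (1 << 159) + 1  # constructed stand-in with the bit length of a real DSA q (160)


def hash_to_z(digest: bytes, q: int) -> int:
    """DSA uses only the leftmost min(N, outlen) bits of the digest, N = bit length of q
    (the rule FIPS 186-3 later standardised). A longer digest is simply chopped."""
    n, outlen = q.bit_length(), 8 * len(digest)
    z = int.from_bytes(digest, "big")
    return z >> (outlen - n) if outlen > n else z


def keygen() -> tuple[int, int]:
    x = secrets.randbelow(Q - 1) + 1          # private key in [1, q-1]
    return x, pow(G, x, P)                    # (x, y)


def sign(msg: bytes, x: int, hashname: str) -> tuple[int, int]:
    z = hash_to_z(hashlib.new(hashname, msg).digest(), Q)
    while True:
        k = secrets.randbelow(Q - 1) + 1      # fresh per-signature nonce
        r = pow(G, k, P) % Q
        s = pow(k, -1, Q) * (z + x * r) % Q
        if r and s:
            return r, s


def verify(msg: bytes, y: int, sig: tuple[int, int], hashname: str) -> bool:
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    z = hash_to_z(hashlib.new(hashname, msg).digest(), Q)
    w = pow(s, -1, Q)
    v = (pow(G, z * w % Q, P) * pow(y, r * w % Q, P) % P) % Q
    return v == r


def concat_is_chopped(msg: bytes) -> bool:
    """With a 160-bit q, a SHA-1 || SHA-256 digest is reduced to just its SHA-1 half."""
    sha1, sha256 = hashlib.sha1(msg).digest(), hashlib.sha256(msg).digest()
    return hash_to_z(sha1 + sha256, Q160) == hash_to_z(sha1, Q160)


if __name__ == "__main__":
    x, y = keygen()
    for h in ("sha1", "sha256"):              # both work: only N bits ever reach the group
        assert verify(b"hello", y, sign(b"hello", x, h), h)
    print("concatenation chopped back to SHA-1:", concat_is_chopped(b"hello"))
```

Whatever digest is fed in, the group arithmetic only ever sees N bits, which is why a wider or concatenated hash buys nothing at this step without changing q itself.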

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]