On 7/11/06, Zooko O'Whielacronx <[EMAIL PROTECTED]> wrote:
> I hope that the hash function designers will be aware that hash functions are being used in more and more contexts outside of the traditional digital signatures and MACs. These new contexts include filesystems like ZFS [3], decentralized revision control systems like Monotone [4], git [5], mercurial [6] and bazaar-ng [7], and peer-to-peer file-sharing systems such as Direct Connect, Gnutella, and Bitzi [6].
MD4/5 are commonly used as a unique fixed-size identifier of an arbitrarily-chosen* length of data in p2p file systems, and we are all aware of the collision attacks. They bring up some interesting points to consider:

1) What semantics can one induce by using a collision attack, given the existing protocols/clients? There are some rumors the MPAA or RIAA is using protocol-level attacks to "poison" p2p networks like bittorrent and KaZaa. Can cryptanalysis results be playing a part?

2) How do we refactor these widely deployed systems with a new, stronger hash function?

3) Are the requirements of this hash different than for cryptographic uses? For example, I can imagine an argument being made that finding one preimage is not a problem with such hashes, since the purpose of the hashes is to use them as a reference to the preimage, which you may simply download. On the other hand, you don't want people to be able to find a second preimage.

[*] In this sense there may be two kinds of arbitrary, (a) fixed by the protocol, and (b) unspecified by the protocol.

Similar questions may be asked about e.g. operating systems which use hashes to indicate what binaries are allowed to be executed (I have seen a patch somewhere which does this for NetBSD).

--
Resolve is what distinguishes a person who has failed from a failure.
Unix "guru" for sale or rent - http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
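Points 2) and 3) above, as an added illustration that is not part of this thread: a content-addressed store whose identifiers carry the hash algorithm name, so references can migrate from MD5 to a stronger hash without changing the protocol's message layout, and a downloader that re-hashes every received blob so a second preimage served by a peer is rejected rather than trusted. The identifier format, the function names and the sample files are all assumptions constructed for this example.

```python
import hashlib

# Assumed self-describing identifier format "<algo>:<hexdigest>". Nothing in
# a real client uses this layout; it is constructed for the example so that a
# deployed system can carry MD5 references today and SHA-256 ones after
# migration in the same protocol field.
ALGORITHMS = {"md5": hashlib.md5, "sha256": hashlib.sha256}
DEPRECATED = {"md5"}   # still resolvable during migration, never issued anew

def make_id(data: bytes, algo: str = "sha256") -> str:
    if algo not in ALGORITHMS:
        raise ValueError(f"unsupported hash: {algo}")
    return f"{algo}:{ALGORITHMS[algo](data).hexdigest()}"

def parse_id(cid: str):
    algo, sep, digest = cid.partition(":")
    if not sep or algo not in ALGORITHMS:
        raise ValueError(f"malformed identifier: {cid!r}")
    return algo, digest

def verify_download(cid: str, data: bytes) -> bool:
    """True only if the bytes a peer served are the preimage named by cid.

    Re-hashing after every transfer is what keeps the identifier usable as a
    reference: a substituted file has to be an exact second preimage to pass.
    """
    algo, digest = parse_id(cid)
    return ALGORITHMS[algo](data).hexdigest() == digest

def is_deprecated(cid: str) -> bool:
    """Flag references still keyed by a weak hash so callers can upgrade them."""
    return parse_id(cid)[0] in DEPRECATED

def upgrade_id(cid: str, data: bytes) -> str:
    """Re-key a verified legacy reference under the strong hash.

    Refuses unverified bytes, so content that only matched a weak identifier
    by accident (or by attack) cannot be laundered into a strong one.
    """
    if not verify_download(cid, data):
        raise ValueError("refusing to upgrade unverified content")
    return make_id(data, "sha256")

# Constructed sample: the genuine file, then a tampered copy of identical
# length, which is the second-preimage case the post is worried about.
GENUINE = b"release-1.0.tar\x00" * 64
TAMPERED = b"release-1.0.tar\x00" * 63 + b"release-1.0.tar\x01"
LEGACY_ID = make_id(GENUINE, "md5")
```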