On Sat, Nov 26, 2005 at 10:59:57AM +0100, Florian Weimer wrote:
> * Anthony Towns:
>> On Fri, Nov 25, 2005 at 07:59:40PM +0100, Florian Weimer wrote:
>>> * Anthony Towns:
>>> Moving away from MD5 is certainly not a bad idea, but it's not
>>> clear whether the alternatives are any better. Sure, everyone
>>> recommends SHA-256 at this stage, but nobody can give a rationale.
>> MD5 is broken; SHA-1 is where MD5 was a couple of years ago, SHA256
>> (or higher) are significantly harder to break in practice,
> So? If SHA256 is so much better, why is it that nobody can prove it,
> or at least can provide some evidence which supports that claim?

The idea behind using SHA256 (or SHA512) is that we have more _margin_.
If we are targeting MD5's design security (2^64 against collisions),
even if SHA512 is "broken" significantly - say an attack four times
better than birthday - we still have our expected strength.

It is also the best we can get to *right* *now*, unless we escape to
humongous hash sizes (arithmetic-based designs).

>> and there's nothing better yet.
> In terms of security, there are some better hash functions. But
> those are academic designs, most of them based on big integer
> arithmetic instead of bit fiddling. Currently, nobody seems to be
> willing to pay the price that comes with them.

What this means is that your hashes will be as big as your asymmetric
keys, and hashing as slow as asymmetric cryptography. That's
significant.

They also seem to have deeply different security properties as far as
the user is concerned: the one I know, at least
(http://diswww.mit.edu/bloom-picayune/crypto/13190) relies (as
asymmetric crypto does) on n, a hard-to-factor product of two primes p
and q. The "security proof under the assumption that factoring is
hard" is that if you generate a collision, you have factored n
(roughly).

Now, what I don't get is who generates n and thus knows p and q and
thus _can_ generate collisions? Does everyone use his own n (and thus
everyone can generate collisions for the hash _he_ uses, but not for
the hash others use), or do we use a trusted third party (that's a
_significantly_ different security model!) that publishes n?
(When I write n above, I obviously mean the pair (n,g), g an element of
maximal order in Z/nZ.)

-- 
Lionel