On 2013-08-17 at 20:52 +0000, Edward Ned Harvey (lopser) wrote:
> This is separate from and not to be confused with the birthday attack
> - wherein you only need 2^128 operations to produce an expected
> collision on a 256 bit hash function.

Skimmed past this before. Quoting from the aforementioned section 3.5.7 (one paragraph should meet "fair use" citation standards for copyright purposes):

"A 128-bit key would be great, except for one problem: collision attacks. Time and time again, we find systems that can be attacked -- at least theoretically, if not practically -- by a birthday attack or a meet-in-the-middle attack. We know these attacks exist. Sometimes designers just ignore them, and sometimes they think they are safe, but somebody finds a new, clever way of using them. Most block cipher modes allow meet-in-the-middle attacks of some form. We've had enough of this race, so here is our recommendation: For a security level of 𝑛 bits, every cryptographic value should be at least 2𝑛 bits long."

So, not just for hash functions.

-Phil

PS: if '𝑛' is not rendering for you: 0x1D45B, "mathematical italic small n"
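Added example, not part of the original message: a small measurement of the birthday bound behind the "2𝑛 bits for 𝑛-bit security" recommendation. It truncates SHA-256 to a constructed n-bit hash (the truncation, the `msg-<counter>` inputs and all function names are assumptions made for illustration) and counts how many hashes are needed before two inputs collide.

```python
import hashlib


def truncated_hash(data: bytes, bits: int) -> int:
    """Top `bits` bits of SHA-256(data): a constructed n-bit hash for the demo."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)


def find_collision(bits: int):
    """Hash distinct counter messages until two share a truncated digest.

    Returns (first_message, second_message, number_of_hashes_computed).
    """
    seen = {}  # truncated digest -> message that produced it
    counter = 0
    while True:
        msg = b"msg-%d" % counter  # constructed, always-distinct inputs
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, counter + 1
        seen[h] = msg
        counter += 1


def report(bit_sizes=(16, 24, 32)):
    """For each output size n, compare the work done with 2^(n/2) and 2^n."""
    rows = []
    for bits in bit_sizes:
        _, _, trials = find_collision(bits)
        rows.append((bits, trials, trials / 2 ** (bits / 2), trials / 2 ** bits))
    return rows


if __name__ == "__main__":
    print("bits  hashes  hashes/2^(n/2)  hashes/2^n")
    for bits, trials, vs_birthday, vs_brute in report():
        print(f"{bits:4d}  {trials:6d}  {vs_birthday:14.2f}  {vs_brute:10.6f}")
```

The work tracks 2^(n/2) rather than 2^n at every size, which is why an n-bit value offers only about n/2 bits of collision resistance.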
