Hubert Kario <hka...@redhat.com> writes:

>And the practical research:
>https://eprint.iacr.org/2016/131.pdf
>https://www.iacr.org/archive/asiacrypt2009/59120136/59120136.pdf
>only confirms that.

That would be the practical research that says:

  Due to these constraints, the practical impact of our second preimage
  attack is limited and its main significance is theoretical.

This is obviously some strange use of the word "practical" that I wasn't
previously aware of. The other one is a bit too vague to comment on:

  would lead to an attack on the combiner MD5 || SHA-1 with complexity
  less than 2^59 (assuming the type 1 collision attack on SHA-1 is fast
  enough).

"assuming" and "fast enough" could mean anything ("this leads to an attack
on AES-GCM with complexity less than 2^59 assuming the key recovery attack
on AES-128 is fast enough"). However, earlier on the paper says:

  Let's further assume that a breakthrough in cryptanalysis of SHA-1
  brings down the complexity of a collision search attack to 2^52. We
  know that the best collision search attacks on MD5 are as fast as 2^15

So what's being shown is that the strength is 2^59 assuming some
unspecified but pretty spectacular new attack on SHA-1 suddenly turns up,
rather than e.g. 2^(52+15) = 2^67. Even with the appearance of this
imaginary new attack, the security of MD5||SHA1 is still better than either
MD5 or SHA-1 by itself, which is what TLS 1.2 specifies.

So I think Martin's point is proven.

Peter.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls