Hubert Kario <hka...@redhat.com> writes:

>And the practical research:
>https://eprint.iacr.org/2016/131.pdf
>https://www.iacr.org/archive/asiacrypt2009/59120136/59120136.pdf
>only confirms that.

That would be the practical research that says:

  Due to these constraints, the practical impact of our second preimage attack
  is limited and its main significance is theoretical.

This is obviously some strange use of the word "practical" that I wasn't
previously aware of.

The other one is a bit too vague to comment on:

  would lead to an attack on the combiner MD5 || SHA-1 with complexity less
  than 2^59 (assuming the type 1 collision attack on SHA-1 is fast enough).

"assuming" and "fast enough" could mean anything ("this leads to an attack on
AES-GCM with complexity less than 2^59 assuming the key recovery attack on
AES-128 is fast enough").  However, earlier on the paper says:

  Let’s further assume that a breakthrough in cryptanalysis of SHA-1 brings
  down the complexity of a collision search attack to 2^52. We know that the
  best collision search attacks on MD5 are as fast as 2^15

So what's being shown is that the strength is 2^59 assuming some unspecified
but pretty spectacular new attack on SHA-1 suddenly turns up, rather than e.g.
2^(52+15) = 2^67.

Even with the appearance of this imaginary new attack, the security of
MD5||SHA1 is still better than either MD5 or SHA-1 by itself, which is what
TLS 1.2 specifies.  So I think Martin's point is proven.

Peter.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls