Re: SHA-1 broken
--- Michael Cordover <michael.cordover@xxxxxxxxx>
wrote:
> The standard response to "where to now" seems
> to be Whirlpool
>
[http://planeta.terra.com.br/informatica/paulobarreto/WhirlpoolPage.html].
> That or Tiger
>
[http://www.cs.technion.ac.il/~biham/Reports/Tiger/].
>
> The team which has cracked SHA1 is the same
> that cracked MD5 and
> exposed weaknesses in the RIPEMD model.
> They're good. And they've
> shown that what I would've thought to be the
> Next Best Thing - RIPEMD
> - is yet another flawed system.
>
> -mjec
> --
> http://mine.mjec.net/
>
> On Wed, 16 Feb 2005 14:56:27 +0200, Gadi Evron
> <gadi@xxxxxxxxxxxxx> wrote:
> > Now, we've all seen this coming for a while.
> >
>
http://www.schneier.com/blog/archives/2005/02/sha1_broken.html
> >
> > Where do we go from here?
> >
> > Gadi.
> >
>
I think Whirlpool and Tiger are both quite
untested at the moment. The reason these
algorithms haven't contained any weaknesses thus
far is likely due to the fact that they haven't
been extensively tested. It seems likely that in
only a few months someone will devise a
theoretical attack against these as well.
A few months ago, assuming that we would soon be
in this situation, I designed some modifications
to SHA-256 and SHA-512 that will keep the
algorithms quite respectably protected under a
partial break. I think the easiest way to
charactize the approach would be that it changes
the algorithm from a many->one approach to a
many->many approach as more than one hash can be
generated per datastream. This allows for the
inevitability that SHA-256 and SHA-512 will one
day suffer a partial-break similar to MD5, MD4,
RIPEMD, SHA-0 and SHA-1. Due to it's design,
even if one hash is broken, another also needs to
be broken in tandem which effectively
exponentially raises the likelyhood of collision
as an attacker has to collide with multiple
hashes at once. Also, some reordering is tossed
in to help hinder exploitation of the appendable
cascading issue. (Hinder mind you, not stop.)
I floated this idea on this list a month ago in
the form of a paper I wrote, a copy can be found
here: http://arxiv.org/abs/cs.CR/0501038
The only sticking points that have been shown at
this point is the re-order modification prevents
hashing of unbound data-streams. Although this
is unfortunate, the algorithm seems fine for
bounded datastreams. (Unbounded datastreams as
well, assuming they are reordered in advance.)
~D.J. Capelis
__________________________________
Do you Yahoo!?
Meet the all-new My Yahoo! - Try it today!
http://my.yahoo.com