> Now, we've all seen this coming for a while.
> http://www.schneier.com/blog/archives/2005/02/sha1_broken.html
>
> Where do we go from here?
>
We abandon the requirement of collision resistance. This is a strange
requirement, and is not supported by experience. Collision resistance
is not a "hard" problem in the sense that factoring large numbers or
computing discrete logs is hard. Collision resistance in deterministic
hash functions smells too much like generating entropy without secrets.
I have no reason to believe that careful analysis of *any* publicly
known deterministic many-to-one function will not allow me to produce a
collision, assuming I control all inputs into the function.
From my point of view, the issue is what weaker assumption do we
replace collision resistance with -- how about:
target collision resistance, with the "strength" of resistance equal to
the average advantage an attacker would gain in matching a fixed
target, as the target is averaged over all possible inputs in a measure
space? Then, producing "rare" messages which could be targeted would
not weaken the hash, as the probability of such messages occurring
would be low.
On Feb 16, 2005, at 4:56 AM, Gadi Evron wrote:
> Now, we've all seen this coming for a while.
> http://www.schneier.com/blog/archives/2005/02/sha1_broken.html
>
> Where do we go from here?
>
We abandon the requirement of collision resistance. This is a strange
requirement, and is not supported by experience. Collision resistance
is not a "hard" problem in the sense that factoring large numbers or
computing discrete logs is hard. Collision resistance in deterministic
hash functions smells too much like generating entropy without secrets.
I have no reason to believe that careful analysis of *any* publicly
known deterministic many-to-one function will not allow me to produce a
collision, assuming I control all inputs into the function.
From my point of view, the issue is what weaker assumption do we
replace collision resistance with -- how about:
target collision resistance, with the "strength" of resistance equal to
the average advantage an attacker would gain in matching a fixed
target, as the target is averaged over all possible inputs in a measure
space? Then, producing "rare" messages which could be targeted would
not weaken the hash, as the probability of such messages occurring
would be low.
[ reply ]