[148610] in cryptography@c2.net mail archive
Re: [Cryptography] BitCoin Question - This may not be the best
daemon@ATHENA.MIT.EDU (ianG)
Mon Dec 23 02:35:53 2013
X-Original-To: cryptography@metzdowd.com
Date: Mon, 23 Dec 2013 10:06:08 +0300
From: ianG <iang@iang.org>
To: cryptography@metzdowd.com, robertjchristian@gmail.com
In-Reply-To: <CAB==r-DQw4aeLpub9Gkd8u+v27JA1ihtF2KdjhEDLQgMeG_nhA@mail.gmail.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
On 23/12/13 05:31 AM, Robert Christian wrote:
> Exactly my point. What's the collision resolution strategy and why
> isn't this a scary proposition?
That is the collision strategy. Consider this: in the old days we used
to use MD5 which was 128 bits long, so a collision could be engineered
in 2^64 bits space. That's now achievable.
So in or around 1996 we mostly (should have) shifted to SHA1 which is
160 bits. That is now scary, and has been scary since 2005 when the
Shandong team of Xiaoyun Wang, Yiqun Lisa Yin, Hongbo Yu found weaknesses.
So people started switching to SHA2 which has 256 bits to 512 bits, and
NIST started a SHA3 competition which is now revealed.
1991    1996    2001       2012
MD5  -> SHA1 -> SHA2    -> Keccak/SHA3
128  -> 160  -> 256-512 -> ...
The collision resolution strategy is (1) use a big enough hash to start
with and (2) have some means of changing it if the cryptanalysis starts
to get dodgy.
That's standard in crypto work. It works. There are even proofs in the
marketplace that it works -- Verisign used MD5 too long in a CA of
theirs and got hacked. In 2011 or so, various fabricated certs based on
MD5 started appearing.
What Bitcoin's strategy for (2) is I don't know. That's a bit murky
because they haven't got a clear roll-over path built in.
iang
ps: which might become the ultimate test of the concept of One True
Cipher Suite ... also scary!
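As an added example, not part of ianG's message or the list discussion: a short Python sketch of the two-part strategy described above. It tabulates the generic (birthday-bound) collision cost for the hash sizes in the timeline, and shows an algorithm-tagged digest format that gives the roll-over path point (2) asks for. The "algo:hex" tag format, the deprecated set and the function names are my own assumptions, not anything Bitcoin or the list specifies.

```python
import hashlib
import hmac
from typing import Tuple

# Output sizes of the hash families named in the timeline (bits).
HASH_BITS = {"md5": 128, "sha1": 160, "sha256": 256, "sha512": 512, "sha3_256": 256}

# Assumed policy for this example: algorithms whose digests should be re-issued.
DEPRECATED = frozenset({"md5", "sha1"})


def generic_collision_work_bits(algo: str) -> int:
    """log2 of the expected work for a generic (birthday) collision: n/2 for an n-bit hash."""
    return HASH_BITS[algo] // 2


def agile_digest(data: bytes, algo: str = "sha256") -> str:
    """Tag the digest with its algorithm ('algo:hex') so the hash can be rolled over later."""
    if algo not in HASH_BITS:
        raise ValueError(f"unsupported hash algorithm: {algo}")
    return f"{algo}:{hashlib.new(algo, data).hexdigest()}"


def verify_agile(data: bytes, tagged: str) -> Tuple[bool, bool]:
    """Check a tagged digest. Returns (matches, needs_rehash)."""
    algo, sep, hexd = tagged.partition(":")
    if not sep or algo not in HASH_BITS:
        raise ValueError(f"unrecognised digest tag: {tagged!r}")
    expected = hashlib.new(algo, data).hexdigest()
    matches = hmac.compare_digest(expected, hexd)  # constant-time comparison
    return matches, algo in DEPRECATED


def migrate(data: bytes, tagged: str, target: str = "sha256") -> str:
    """Roll a still-valid digest forward to the target algorithm if its own is deprecated."""
    matches, stale = verify_agile(data, tagged)
    if not matches:
        raise ValueError("digest mismatch; refusing to re-issue under a new algorithm")
    return agile_digest(data, target) if stale else tagged


if __name__ == "__main__":
    for name in ("md5", "sha1", "sha256", "sha512"):
        print(f"{name:8s} {HASH_BITS[name]:3d}-bit  generic collision ~2^{generic_collision_work_bits(name)}")
    old = agile_digest(b"abc", "sha1")          # constructed sample input
    print(old, "->", migrate(b"abc", old))
```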
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography