[16928] in cryptography@c2.net mail archive


Re: SHA-1 cracked

daemon@ATHENA.MIT.EDU (Ian G)
Thu Feb 17 08:09:27 2005

X-Original-To: cryptography@metzdowd.com
Date: Wed, 16 Feb 2005 22:33:06 +0000
From: Ian G <iang@systemics.com>
To: "Steven M. Bellovin" <smb@cs.columbia.edu>
Cc: cryptography@metzdowd.com
In-Reply-To: <20050216042943.1BA4F3C03BD@berkshire.machshav.com>

Steven M. Bellovin wrote:

>According to Bruce Schneier's blog 
>(http://www.schneier.com/blog/archives/2005/02/sha1_broken.html), a 
>team has found collisions in full SHA-1.  It's probably not a practical 
>threat today, since it takes 2^69 operations to do it and we haven't 
>heard claims that NSA et al. have built massively parallel hash 
>function collision finders, but it's an impressive achievement 
>nevertheless -- especially since it comes just a week after NIST stated 
>that there were no successful attacks on SHA-1.

Stefan Brands just posted on my blog (and I saw
reference to this in other blogs, posted anon)
saying that "it seems that Schneier forgot to
mention that the paper has a footnote which
says that the attack on full SHA-1 only works
if some padding (which SHA-1 requires) is not
done."

http://www.financialcryptography.com/mt/archives/000355.html


I think this might be an opportune time to introduce a
new way of looking at algorithms.  I've written it up
in draft (excuse the postit notes):

http://iang.org/papers/pareto_secure.html

In short, what I do is apply the concepts of the econ
theory of "Pareto efficiency" to the metric of security.
This allows a definition of what we mean by "secure"
which is quite close to colloquial usage;  in the
language so introduced, I'd suggest that SHA-1 used
to be Pareto-complete, and is now Pareto-secure for
certain applications.  I have a little table down
the end that now needs to be updated!

Comments welcome, it is neither a long nor a mathematical
paper!  Some small consolation for those not at the
RSA conference.

iang

-- 
News and views on what matters in finance+crypto:
        http://financialcryptography.com/
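The padding that the footnote quoted above refers to, shown concretely as an added illustration (my own code, not from the paper, from Schneier's post or from anything else on this page): a small SHA-1 in Python with the FIPS 180 padding step separated out, so the hash of raw 64-byte blocks with "padding not done" can be compared against the real, padded SHA-1 that applications actually compute. The `pad` flag and the helper names are my own; the constants are the standard SHA-1 ones.

```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF
# Standard SHA-1 initial chaining value (FIPS 180).
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def sha1_pad(message: bytes) -> bytes:
    """The padding SHA-1 requires: one 0x80 byte, zero bytes up to
    56 mod 64, then the message length in bits as a 64-bit big-endian
    integer.  The last block therefore always encodes the length."""
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack(">Q", len(message) * 8)


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def sha1_compress(state: tuple, block: bytes) -> tuple:
    """One SHA-1 compression of a single 64-byte block."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        tmp = (_rotl(a, 5) + (f & MASK32) + e + k + w[i]) & MASK32
        a, b, c, d, e = tmp, a, _rotl(b, 30), c, d
    return tuple((s + v) & MASK32 for s, v in zip(state, (a, b, c, d, e)))


def sha1(message: bytes, pad: bool = True) -> str:
    """pad=True is real SHA-1.  pad=False hashes whole 64-byte blocks with
    the length-encoding final block omitted, i.e. the 'padding not done'
    variant; it is a different function from what applications compute."""
    data = sha1_pad(message) if pad else message
    if len(data) % 64:
        raise ValueError("unpadded input must be a multiple of 64 bytes")
    state = IV
    for off in range(0, len(data), 64):
        state = sha1_compress(state, data[off:off + 64])
    return "".join(f"{v:08x}" for v in state)
```

`sha1(msg)` agrees with `hashlib.sha1(msg).hexdigest()` for any input, while `sha1(block, pad=False)` on a 64-byte block skips the second compression over the length block and so disagrees with it.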


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
