Jon Callas <jon(_at_)callas(_dot_)org> writes:
Adi Shamir has pointed out for years now that no one has found *any*
first or second preimage collision for SHA1. I'll shill for him here.
The new results for 2^52 work, assuming it's actually doable, are
still for migrating a bitstring into two dependent bitstrings that
collide. This has significance for people who run CAs with sequential
serial numbers, or who want to tweak PDFs to project the future, or
create binary distributions that have and do not have malware. It's
serious *for* *those* *and* *similar* *cases*.
I think you mean "no one has found any first or second preimage
*attacks* for SHA-1". To the best of my knowledge, nobody has found any
SHA-1 collisions at all, either chosen or otherwise. The 2^52 result is
still theoretical, because while 2^52 hash operations is tractable for a
WFO, it's still a formidable amount of work, and Cameron McDonald is not
Preimage attacks are hard. Even long, long-ago deprecated hash
functions have held up well agaist them. The one in the worst shape is
MD2, and that attack requires 2^104 operations (vs. 2^128 brute force).
I'm pretty confident that by the time there's a computer that can do
2^104 of anything, nobody is going care about my secrets.
Here's a threat model I suggest for future work on OpenPGP: assume that
the hash function is ideal, but that the adversary has an oracle that
takes as input two messages and pointers to n/2 bits of each message
(where n is the digest length), and outputs colliding messages by
filling in those bits. In other words, preimage attacks are impossible
(short of brute force), but birthday attacks are trivial.
I think securing OpenPGP against this threat model is possible. As you
and others have already pointed out, most of OpenPGP's uses of hash
functions already depend only on one-wayness.
Daniel Franke df(_at_)dfranke(_dot_)us http://www.dfranke.us
|----| =|\ \\\\
|| * | -|-\--------- Man is free at the instant he wants to be.
-----| =| \ /// --Voltaire
Description: PGP signature