Ingo Luetkebohle wrote:
On Fri, 2005-02-18 at 13:02 +0100, Werner Koch wrote:
We should however not kick out SHA-1 from all places where it is now
used and replace it by SHA-256 before we understand the new attack.
Hmm, maybe this is stupid and it is definetely more effort
computationally, but what about using several hashing methods
simultaneously, mandating that all hashes have to check out?
Scientifically, it's very hard to show that that
is an improvement in and of itself. If the two
(or more) hashes are similar, there is no real
expectation that their security is improved.
For example, MD5 and SHA-1 are both attacked
by the same techniques, so combining them
isn't going to give any definitive advantage.
And, if one of the hashes is much stronger,
then just use that. I.e., if we were to use both
SHA-2 and SHA-1 then in almost all circumstances,
the security of SHA-2 would dominate that of
SHA-1, so there is little point in using the latter.
Also, there is one bad side: complexity. The
addition of complexity is always a 'bad' as it
introduces the possibility of wierd effects.
Think of it this way, if the algorithm delivers
TRUE if (n-1) of n hashes deliver TRUE, then
we have the possibility of implementation
bugs that muck up the checking in some way
and returning TRUE on 0.
iang
PS: there is a new cryptosystem called ciphire
(sp?) that does precisely that: it uses two
algorithms everywhere, in different ways.
Looks great on paper now, but what happens
in 3 years time when they have to replace
half the algorithms?
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/