ietf-openpgp

Re: I don't think that collides the way you think it does

2009-05-05 15:35:48
Jon Callas <jon(_at_)callas(_dot_)org> writes:

> Adi Shamir has pointed out for years now that no one has found *any*
> first or second preimage collision for SHA1. I'll shill for him here.
>
> The new results for 2^52 work, assuming it's actually doable, are
> still for migrating a bitstring into two dependent bitstrings that
> collide. This has significance for people who run CAs with sequential
> serial numbers, or who want to tweak PDFs to project the future, or
> create binary distributions that have and do not have malware. It's
> serious *for* *those* *and* *similar* *cases*.

I think you mean "no one has found any first or second preimage
*attacks* for SHA-1".  To the best of my knowledge, nobody has found any
SHA-1 collisions at all, either chosen or otherwise.  The 2^52 result is
still theoretical, because while 2^52 hash operations is tractable for a
WFO, it's still a formidable amount of work, and Cameron McDonald is not
a WFO.

Preimage attacks are hard.  Even long, long-ago deprecated hash
functions have held up well against them.  The one in the worst shape is
MD2, and that attack requires 2^104 operations (vs. 2^128 brute force).
I'm pretty confident that by the time there's a computer that can do
2^104 of anything, nobody is going to care about my secrets.

Here's a threat model I suggest for future work on OpenPGP: assume that
the hash function is ideal, but that the adversary has an oracle that
takes as input two messages and pointers to n/2 bits of each message
(where n is the digest length), and outputs colliding messages by
filling in those bits.  In other words, preimage attacks are impossible
(short of brute force), but birthday attacks are trivial.

I think securing OpenPGP against this threat model is possible.  As you
and others have already pointed out, most of OpenPGP's uses of hash
functions already depend only on one-wayness.

-- 
 Daniel Franke         df(_at_)dfranke(_dot_)us         http://www.dfranke.us
 |----| =|\     \\\\    
 || * | -|-\---------   Man is free at the instant he wants to be. 
 -----| =|  \   ///     --Voltaire

Attachment: pgpjo89JXDWZh.pgp
Description: PGP signature
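As an added illustration (not part of this thread and not OpenPGP code), the following Python simulation models the threat model Daniel describes: an ideal hash, plus an oracle that is handed two messages and pointers to n/2 bits of each and returns colliding messages by filling in those bits. It uses a toy 24-bit hash (SHA-256 truncated) so the birthday-sized search finishes in a second or two, and it shows the two sides of his argument: a use in which the attacker fixes both documents before hashing is broken by the oracle, whereas a hash input the signer completes only after the attacker has committed (here, a signer-chosen nonce prepended to the document; the nonce, the documents and the truncated hash are all constructed for this demo) is outside what the oracle was given pointers into. Generalizing the text slightly, the oracle is implemented as the generic birthday search of which the post's 2^(n/2) cost is the instance.

```python
import hashlib
from typing import List, Optional, Tuple

# Toy digest length. SHA-1 has n = 160; 24 bits keeps the simulation fast while
# preserving the point: collisions cost ~2^(n/2), preimages ~2^n.
N_BITS = 24


def toy_hash(msg: bytes) -> int:
    """Stand-in for an ideal n-bit hash: SHA-256 truncated to N_BITS (constructed)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - N_BITS)


def _fill_bits(msg: bytes, positions: List[int], value: int) -> bytes:
    """Return msg with bit `positions` (bit i of the message = byte i//8, bit i%8)
    overwritten by the bits of `value`, low bit first."""
    buf = bytearray(msg)
    for i, pos in enumerate(positions):
        byte, off = divmod(pos, 8)
        bit = (value >> i) & 1
        buf[byte] = (buf[byte] & ~(1 << off)) | (bit << off)
    return bytes(buf)


def collision_oracle(m1: bytes, free1: List[int],
                     m2: bytes, free2: List[int]) -> Optional[Tuple[bytes, bytes]]:
    """The oracle from the post: two messages, pointers to n/2 bits of each, and it
    fills those bits so the results collide. Internally this is a birthday search:
    tabulate all 2^(n/2) fillings of m1, then walk the 2^(n/2) fillings of m2.
    For a random hash the 2^n candidate pairs contain no collision about 37% of
    the time, in which case None is returned (the post's oracle is ideal and
    always succeeds; this toy one occasionally gives up)."""
    assert len(free1) == len(free2) == N_BITS // 2
    table = {}
    for v in range(1 << len(free1)):
        cand = _fill_bits(m1, free1, v)
        table.setdefault(toy_hash(cand), cand)
    for v in range(1 << len(free2)):
        cand = _fill_bits(m2, free2, v)
        hit = table.get(toy_hash(cand))
        if hit is not None and hit != cand:
            return hit, cand
    return None


def sample_documents(i: int) -> Tuple[bytes, bytes]:
    """Constructed pair: a benign document and the one the attacker would like the
    signature to cover. The 16 trailing bytes stand in for attacker-tweakable
    filler (whitespace, metadata, a PDF's slack)."""
    benign = f"Pay Alice 10 EUR, invoice {i:04d}".encode() + b" " * 16
    malicious = f"Pay Mallory 10000 EUR, invoice {i:04d}".encode() + b" " * 16
    return benign, malicious


def free_tail_bits(msg: bytes) -> List[int]:
    """Pointers to n/2 bits inside the tweakable filler; these are all the oracle may touch."""
    start = (len(msg) - 16) * 8
    return list(range(start, start + N_BITS // 2))


def experiment(trials: int = 30) -> Tuple[int, int]:
    """Run the oracle over `trials` document pairs. Returns (pairs the oracle
    collided, how many of those collisions survive when the signer prepends a
    nonce chosen after the attacker committed to both documents)."""
    collided = survived = 0
    for i in range(trials):
        benign, malicious = sample_documents(i)
        res = collision_oracle(benign, free_tail_bits(benign),
                               malicious, free_tail_bits(malicious))
        if res is None:
            continue
        b, m = res
        assert toy_hash(b) == toy_hash(m) and b != m
        collided += 1
        # Constructed signer nonce; in practice this is fresh randomness the
        # attacker cannot have pointed the oracle at.
        nonce = hashlib.sha256(f"signer-nonce-{i}".encode()).digest()[:16]
        if toy_hash(nonce + b) == toy_hash(nonce + m):
            survived += 1
    return collided, survived


if __name__ == "__main__":
    c, s = experiment()
    print(f"oracle collided {c} of 30 pairs; {s} collisions survived the signer nonce")
```

The oracle in this simulation only ever needs 2 * 2^(n/2) hash evaluations, which is why birthday attacks are "trivial" in the model, while a second preimage of a document the victim has already fixed offers the attacker no free bits in that document, so the oracle does not apply and only the 2^n brute-force route remains. That is the one-wayness-only property the reply says most of OpenPGP's hash uses already rely on, and the nonce variant is one way to push a signing use into that category.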