Re: Re-secured Algorithm?

From: Regis (
Date: 08/28/05

Date: Sat, 27 Aug 2005 23:46:48 -0400

On 27 Aug 2005 19:12:53 -0700, wrote:

>MD5 collisions are actually trivial to generate.

Prove it.
Generate some collisions for everyone to see.
Seeing as how it's "trivial", I would expect to see something within
the hour...or by tomorrow evening at the latest.

>Of course that'd require you to open your eyes and be knowledgeable of
>what you speak.

Uh huh.

>You assume everyone is computationally bounded to a 16Mhz 386.

No, I assume no such thing.

>Point is computing power is very accessible. To think that people
>won't exploit openings in MD5/SHA1 is naive.

The desire to achieve something and the ability to achieve that thing
are two very different things.

>2^63 work is not out of reach.

No, I never said it was out of reach.
What I said -- and will say again -- is that it's impractical.
Period...end of story.

>Sounds bad. Except if I was really keen on finding collisions I'd use
>this thing called the net to cluster people.

No...actually, you wouldn't...because that would require other people
to join in. Lots and lots of other people. My personal bet is that
you wouldn't be able to organize anything even remotely adequate in
terms of collective processing power because nobody gives a rat's ass
about you.

When SETI sets up a distributed computing effort, there's no shortage
of volunteers. But when Tom St. Denis tries to set up something to
find collisions in SHA-1 or MD5, how many people do you really think
would even bat an eyelash?

> But suppose that wasn't an option

Don't isn't.

>The point is to think OF THE FUTURE. Do I want to develop a new system
>using SHA-1 if it means the life of the system will only be ten years?

Nobody here is touting SHA-1 as being the hash-of-choice in ten years.
Common sense tells us that.
But common sense also tells us that as things stand today, there's
virtually zero risk in using it because 2^63 is still a really really
big number with a lot of zeroes attached to it.

>The problem is you're not thinking of ten years from now. Some of us
>have to develop systems that intend to be used for a long time.

I'm sure that you (being 23 and all) are developing systems that will
be in use ten years from now.
Although I suppose it's technically possible...but then
again...developing system that only YOU will be using hardly counts..

>The other thing is there is no reason to propose SHA-1 anymore. At the
>very least use SHA-2 and there are others yet [WHIRLPOOL and Tiger/192
>come to mind].

SHA-1 is tried and tested and proven effective over the course of the
last 10 years. It's been the most widely used hash (next to MD5), and
the most scrutinized. The fact that we're just now discovering these
"weaknesses" 10 years later which still require 2^63 work, tells us
that there's nothing wrong with continuing to use it for the
foreseeable future -- especially if you've already implemented it into
a vast infrastructure.

WHIRLPOOL is way too new to be trusted. I like the fact that one of
its creators is Rijmen (of Rijndael fame), but this one thing alone is
not enough for me to put my trust into it.

Tiger is not as new...which is good, but also not as
scrutinized...which is bad.

SHA-2 is way too new, AND is nowhere near as scrutinized. This makes
it that much more of a risk for early adopters.

If it turns out that by 2010 there are still no major weaknesses found
in SHA-2, then it can safely be used to replace SHA-1. And seeing as
how SHA-1 will in all likelihood continue to remain practically-secure
until 2010, I see no reason to jump on the SHA-2 bandwagon this early
in the game.

Relevant Pages

  • Re: Re-secured Algorithm?
    ... >>MD5 collisions are actually trivial to generate. ... SHA-1 had real collisions in MD5. ... Personal attacks aside I doubt many ...
  • Re: sha3 competition?
    ... way too much for practical use), using SHA-1 or Jenkin's Hashing (or ... Jenkins: 92501 collisions in 23712ms ... respect to its use in a Bloom filter. ... I always wondered if a cryptographic hash function can perform worse ...
  • Re: [9fans] Some arithmetic [was: Re: Sources Gone?]
    ... I read it like it was just sufficiently secure against ... It's not intended to encrypt, ... While SHA-1 is indeed not intended to encrypt, ... that would be a big help for people trying to find collisions ...
  • Re: Re-secured Algorithm?
    ... > Show me a list of collisions that you personally have come up with ... two dual processor boxes and several single core boxes. ... 55,000 MIPS cluster]. ... using SHA-1 if it means the life of the system will only be ten years? ...
  • Re: Re-secured Algorithm?
    ... It was my understanding that SHA-2 was identical to SHA-1, ... coming in 256, 38something, and 512 bit lengths. ...