--- Michael Cordover <michael.cordover@xxxxxxxxx> wrote: > The standard response to "where to now" seems > to be Whirlpool > [http://planeta.terra.com.br/informatica/paulobarreto/WhirlpoolPage.html]. > That or Tiger > [http://www.cs.technion.ac.il/~biham/Reports/Tiger/]. > > The team which has cracked SHA1 is the same > that cracked MD5 and > exposed weaknesses in the RIPEMD model. > They're good. And they've > shown that what I would've thought to be the > Next Best Thing - RIPEMD > - is yet another flawed system. > > -mjec > -- > http://mine.mjec.net/ > > On Wed, 16 Feb 2005 14:56:27 +0200, Gadi Evron > <gadi@xxxxxxxxxxxxx> wrote: > > Now, we've all seen this coming for a while. > > > http://www.schneier.com/blog/archives/2005/02/sha1_broken.html > > > > Where do we go from here? > > > > Gadi. > > > I think Whirlpool and Tiger are both quite untested at the moment. The reason these algorithms haven't contained any weaknesses thus far is likely due to the fact that they haven't been extensively tested. It seems likely that in only a few months someone will devise a theoretical attack against these as well. A few months ago, assuming that we would soon be in this situation, I designed some modifications to SHA-256 and SHA-512 that will keep the algorithms quite respectably protected under a partial break. I think the easiest way to charactize the approach would be that it changes the algorithm from a many->one approach to a many->many approach as more than one hash can be generated per datastream. This allows for the inevitability that SHA-256 and SHA-512 will one day suffer a partial-break similar to MD5, MD4, RIPEMD, SHA-0 and SHA-1. Due to it's design, even if one hash is broken, another also needs to be broken in tandem which effectively exponentially raises the likelyhood of collision as an attacker has to collide with multiple hashes at once. Also, some reordering is tossed in to help hinder exploitation of the appendable cascading issue. (Hinder mind you, not stop.) I floated this idea on this list a month ago in the form of a paper I wrote, a copy can be found here: http://arxiv.org/abs/cs.CR/0501038 The only sticking points that have been shown at this point is the re-order modification prevents hashing of unbound data-streams. Although this is unfortunate, the algorithm seems fine for bounded datastreams. (Unbounded datastreams as well, assuming they are reordered in advance.) ~D.J. Capelis __________________________________ Do you Yahoo!? Meet the all-new My Yahoo! - Try it today! http://my.yahoo.com
