Richard Barnes writes:
> * Given an existing signature, an attacker can find another payload
> that produces the same signature value with a weaker algorithm

I think one of the major points is that hash algorithms try to make sure that collisions are hard, but ONLY INSIDE the same algorithm. I.e. it is hard to find collisions for SHA-256. On the other hand, nothing is said about how hard it is to create a SHA-1 hash that matches some SHA-256-160 message. I.e. all the security analysis we have for SHA-256 is worthless, as it does not cover creating a collision between SHA-256 and SHA-1.

I.e. SHA-256 was designed to be collision resistant with SHA-256, but not with SHA-1. It might be secure, or it might not.

I think there are some papers talking about creating collisions between MD5 and SHA-1, but those are done by analysing the hash functions, i.e. not while designing the algorithms. I.e. these kinds of attacks were not major design criteria when the algorithms were made. I.e. most of the properties designed into the hash functions are not true anymore if we try to match two different algorithms against each other.

On the other hand, I think that one of the design criteria for creating the SHA-2 family was that there are no collisions between different algorithms in the same family.

-- 
kivinen@xxxxxx
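The attack model being discussed, as an added toy simulation that is not part of the thread or of any project mentioned in it: a signature covers a 160-bit digest, and the verifier (assumed here, for illustration) will accept that digest as either SHA-256 truncated to 160 bits or SHA-1. The attacker keeps the signed value fixed and varies a payload under the weaker algorithm until the digests agree. Nothing about SHA-256's collision resistance enters the search; it is a plain preimage search against SHA-1. A real 160-bit preimage is infeasible, so the comparison is truncated to `bits` bits to make the search finish in seconds; the `attacker-payload-` prefix and the counter scheme are assumptions of this example.

```python
import hashlib
import itertools


def truncated_sha256_160(msg: bytes) -> bytes:
    """SHA-256 digest truncated to 160 bits (the 'SHA-256-160' of the thread)."""
    return hashlib.sha256(msg).digest()[:20]


def sha1(msg: bytes) -> bytes:
    """The weaker algorithm the verifier is assumed to also accept."""
    return hashlib.sha1(msg).digest()


def leading_bits(digest: bytes, bits: int) -> int:
    """Interpret the first `bits` bits of a digest as an integer.

    Truncating the comparison is what makes this toy run quickly; at the
    full 160 bits the same loop would be a 2^160 preimage search on SHA-1.
    """
    return int.from_bytes(digest, "big") >> (8 * len(digest) - bits)


def find_cross_algorithm_match(signed_msg: bytes, bits: int,
                               prefix: bytes = b"attacker-payload-"):
    """Find a payload whose SHA-1 agrees with the signed SHA-256-160 value
    on its first `bits` bits.

    Returns (payload, attempts). The signed value is fixed by the victim's
    signature; only the attacker's payload varies, and only SHA-1 is
    evaluated inside the loop. Expected cost is about 2**bits attempts.
    (prefix/counter scheme is an assumption of this example.)
    """
    target = leading_bits(truncated_sha256_160(signed_msg), bits)
    for counter in itertools.count():
        candidate = prefix + str(counter).encode()
        if leading_bits(sha1(candidate), bits) == target:
            return candidate, counter + 1


def verifier_accepts(signed_msg: bytes, payload: bytes, bits: int) -> bool:
    """Model of a verifier that compares only the (truncated) digest value
    and does not bind the algorithm to the signature (assumed weakness)."""
    signed_digest = leading_bits(truncated_sha256_160(signed_msg), bits)
    return leading_bits(sha1(payload), bits) == signed_digest


if __name__ == "__main__":
    # Constructed sample: the message the victim legitimately signed.
    victim_msg = b'{"amount": 10, "to": "alice"}'
    for bits in (12, 16, 20):
        payload, attempts = find_cross_algorithm_match(victim_msg, bits)
        print(f"{bits:2d} bits: {attempts:8d} SHA-1 attempts -> {payload!r}, "
              f"accepted={verifier_accepts(victim_msg, payload, bits)}")
```

Doubling `bits` by four (12, 16, 20) multiplies the attempt count by roughly 16 each step, which is the preimage cost of the weaker algorithm alone; SHA-256's design has no influence on that curve.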