Jakub Wilk <jw...@debian.org> writes:

> You might have had this paper in mind:
> https://www.iacr.org/archive/crypto2004/31520306/multicollisions.pdf
> Quoting §4: "If F and G are good iterated hash functions with no attack
> better than the generic birthday paradox attack, we claim that the hash
> function F||G obtained by concatenating F and G is not really more secure
> that F or G by itself."
Ah, if that's the case, that's an argument about a different use case. I
wouldn't expect just adding more hashes to add more security when the
hashes haven't been broken. SHA-256 by itself provides more than enough
security if one assumes that it has ideal properties.

The (theoretical) security benefit argued for here is precisely the case
where the hash functions *do* have attacks better than the generic
birthday paradox attack (that we possibly don't know about yet). It's
basically a defense in depth argument, coupled with the argument that the
special construction of a file to create a collision for one hash function
may be incompatible with the special construction of a file required to
create a collision with the other hash function.

-- 
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>

Archive: https://lists.debian.org/87oawr2194....@windlord.stanford.edu
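As an added illustration of the F||G construction discussed in the thread (example code, not from either poster or from Debian tooling): a streaming concatenated digest built from two hashlib functions, plus a verifier that reports which component of a recorded F||G digest failed. The SHA-256/SHA-1 pairing and the sample data are assumptions chosen for the example; a file engineered to match one component but not the other is reported as a mismatch on the other.

```python
import hashlib
import hmac


class ConcatHash:
    """F||G: the digest of F followed by the digest of G over the same bytes."""

    def __init__(self, f_name="sha256", g_name="sha1"):
        # Any two hashlib-supported algorithms; sha256/sha1 is an assumed pairing.
        self.f = hashlib.new(f_name)
        self.g = hashlib.new(g_name)

    def update(self, data):
        # Both inner functions see exactly the same byte stream.
        self.f.update(data)
        self.g.update(data)
        return self

    def digest(self):
        return self.f.digest() + self.g.digest()

    def hexdigest(self):
        return self.f.hexdigest() + self.g.hexdigest()


def concat_digest(data, f_name="sha256", g_name="sha1"):
    return ConcatHash(f_name, g_name).update(data).hexdigest()


def verify(data, expected_hex, f_name="sha256", g_name="sha1"):
    """Return (ok, failed): failed lists the component(s) that did not match.

    A collision engineered for G alone leaves F mismatching, so the forged
    file is rejected with failed == [f_name], and vice versa.
    """
    h = ConcatHash(f_name, g_name).update(data)
    f_len = h.f.digest_size * 2          # hex characters taken by F's digest
    expected_f, expected_g = expected_hex[:f_len], expected_hex[f_len:]
    failed = []
    # compare_digest is constant-time, so the check itself leaks nothing.
    if not hmac.compare_digest(h.f.hexdigest(), expected_f):
        failed.append(f_name)
    if not hmac.compare_digest(h.g.hexdigest(), expected_g):
        failed.append(g_name)
    return (not failed), failed


if __name__ == "__main__":
    sample = b"abc"                      # constructed sample input
    print(concat_digest(sample))
    print(verify(sample, concat_digest(sample)))
```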