On Mon, 14 Jul 2014, Jakub Wilk wrote:
> * Peter Palfrader <wea...@debian.org>, 2014-07-14, 20:25:
> >>The basic idea is that it's much harder to come up with a
> >>simultaneous hash collision with both SHA-1 and SHA-2 than
> >>breaking either of them independently.
> >
> >ISTR reading papers that put this "much harder" into doubt. But I
> >can't find those references, alas.
>
> You might have had this paper in mind:
> https://www.iacr.org/archive/crypto2004/31520306/multicollisions.pdf
> Quoting §4: “If F and G are good iterated hash functions with no
> attack better than the generic birthday paradox attack, we claim
> that the hash function F||G obtained by concatenating F and G is not
> really more secure than F or G by itself.”
We don't want F|G to be more secure than F or G by itself. We want it
to be at least as secure as the stronger of F or G. Which means it
continues being secure if one of G or F, but not both, is
"compromised".

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

Archive: https://lists.debian.org/20140714195728.gb5...@khazad-dum.debian.net
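Worked estimate, added to this archived thread and not part of any participant's message, of what the cited Joux construction implies for a concrete pair assumed here for illustration, F = SHA-1 (n_F = 160) and G = SHA-256 (n_G = 256):

For an iterated hash F with an n_F-bit chaining value, Joux builds a 2^t-multicollision out of t successive single-block collisions, each found by a birthday search on the chaining value, at total cost about

    t \cdot 2^{n_F/2}

To collide F||G, choose t = n_G/2, so that the 2^{n_G/2} messages that all collide under F form a birthday-sized set for G; a collision on G among them then costs about 2^{n_G/2}. The whole attack costs

    (n_G/2) \cdot 2^{n_F/2} + 2^{n_G/2} = 128 \cdot 2^{80} + 2^{128} \approx 2^{128}

rather than the 2^{80} \cdot 2^{128} one might hope for. So generic collision search against SHA-1||SHA-256 costs about what SHA-256 alone costs: the concatenation is no weaker than its stronger component, which is the property asked for in the reply above, but it buys nothing beyond that, and if SHA-256 itself is broken the SHA-1 half does not restore collision resistance on its own.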