On Sat, Oct 21, 2017 at 11:26 AM, Robin H. Johnson <robb...@gentoo.org> wrote:
> On Fri, Oct 20, 2017 at 05:21:47PM -0500, R0b0t1 wrote:
>> I would like to present my suggestions:
>>
>> SHA512, (RIPEMD160 | WHIRLPOOL | BLAKE2B), (SHA3_512 | BLAKE2B);
>>
>> or more definitively:
>>
>> SHA512, RIPEMD160, BLAKE2B.
> Please do NOT reintroduce RIPEMD160. It was one of the older Portage
> hashes prior to implementation of GLEP059, and was removed because it
> was shown to fall to parts of the same attacks as MD4/MD5 by Wang's
> paper in 2004.
>
> Wang, X. et al. (2004). "Collisions for Hash Functions MD4, MD5,
> HAVAL-128 and RIPEMD", rump session, CRYPTO 2004, Cryptology ePrint
> Archive, Report 2004/199, first version (August 16, 2004), second
> version (August 17, 2004). Available online from:
> http://eprint.iacr.org/2004/199.pdf
>
That is precisely why I didn't suggest it be used on its own (see note about extant use of MD5), and why I gave alternatives. If it is desired that the hashes be computed quickly then weaker hashes will need to be used. One usually can't have both security and speed.

Can anyone defend the transition to two hashes, or is it just based on speculation? People are discussing collision resistance, but no one here appears to be trained in cryptography. The only reasonable solution in that case is not to rely on the particular mostly unknowable merits of an algorithm, but the hardness of a successful collision of multiple functions at the same time.

*If* collision resistance is important, and *if* no one here can evaluate any of the algorithms intensively by themselves, then *why* are two hashes going to be used instead of three? That is making the system much weaker than it was.
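
Added example, not part of the original message and not Portage's own code: a verifier that hashes a file once with every function listed for it and accepts only if all of them (and the size) match, which is the "multiple functions at the same time" property under discussion. The `DIST <name> <size> <HASH> <hex> ...` line layout, the function names and the sample bytes are assumptions made for this illustration.

```python
import hashlib
import hmac
import io

# Manifest hash names mapped to hashlib constructors (only hashes hashlib always ships).
ALGOS = {"SHA512": hashlib.sha512, "BLAKE2B": hashlib.blake2b, "SHA3_512": hashlib.sha3_512}

def parse_dist_line(line):
    """Parse 'DIST <name> <size> <HASH> <hex> ...' (layout assumed) into its parts."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "DIST" or len(fields) % 2 == 0:
        raise ValueError("malformed DIST entry")
    digests = dict(zip(fields[3::2], fields[4::2]))
    if 2 * len(digests) != len(fields) - 3:
        raise ValueError("duplicate hash name in entry")
    return fields[1], int(fields[2]), digests

def verify(stream, size, digests, required=("SHA512", "BLAKE2B")):
    """Hash the stream once with every listed function; return {check: passed}."""
    missing = [h for h in required if h not in digests]
    unknown = [h for h in digests if h not in ALGOS]
    if missing or unknown:  # refuse to silently verify with fewer functions
        raise ValueError(f"missing={missing} unknown={unknown}")
    states = {h: ALGOS[h]() for h in digests}
    total = 0
    for chunk in iter(lambda: stream.read(65536), b""):
        total += len(chunk)
        for state in states.values():
            state.update(chunk)
    results = {h: hmac.compare_digest(s.hexdigest(), digests[h].lower())
               for h, s in states.items()}
    results["size"] = (total == size)
    return results

def accepted(results):
    """Accept only when the size and every digest match; one mismatch rejects."""
    return all(results.values())

def make_dist_line(name, data, algos=("SHA512", "BLAKE2B", "SHA3_512")):
    """Build a constructed sample entry for the demo below."""
    pairs = " ".join(f"{h} {ALGOS[h](data).hexdigest()}" for h in algos)
    return f"DIST {name} {len(data)} {pairs}"

# Constructed sample data, not a real distfile.
GOOD = b"constructed sample tarball contents\n"
EVIL = b"constructed tampered tarball bytes!\n"  # same length as GOOD

if __name__ == "__main__":
    name, size, digests = parse_dist_line(make_dist_line("example-1.0.tar.gz", GOOD))
    print(verify(io.BytesIO(GOOD), size, digests))
    print(verify(io.BytesIO(EVIL), size, digests))
```

Replacing one expected digest with the digest of the tampered bytes stands in for a break of that single function; the remaining functions still reject the file.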