Hi Robin,

On Wed, Apr 06, 2022 at 05:31:09PM +0000, Robin H. Johnson wrote:
> On Wed, Apr 06, 2022 at 07:06:30PM +0200, Jason A. Donenfeld wrote:
> > No, you're still missing the point.
> >
> > If SHA-512 breaks, the security of the system fails, regardless of
> > what change we make. This is because GnuPG uses SHA-512 for its
> > signatures.
> Question directly for you Jason, because you make a professional study
> of this: does the type of breakage/successful attack against
> SHA-512 matter?
>
> e.g. is it possible that some type of attack would only work against the
> Manifest entry, but NOT against the GPG signature's embedded SHA-512 (or
> the opposite).
>
> The best hypothetical idea I had was that there exists some large
> special input that lets an attacker reset the output to an arbitrary
> hash after their malicious payload: but it wouldn't fit in the GPG
> signature space.

Generally speaking, the more control an attacker has over the input, the
easier certain types of attacks might be. So maybe in the most general
sense that applies. I wouldn't model a security analysis around that,
though. Rather, the usual way to apply that sort of thinking is to design
algorithms that rely on certain properties of hash functions, but not
others; for example, Ed25519 does not rely on the hash function being
collision resistant due to its construction.
Jason
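The distinction Jason draws above, between a construction that falls to any collision in the hash and one that does not, can be shown with a toy. The following is an added example, not code from the thread, from Gentoo's Manifest tooling, or from any Ed25519 implementation. It assumes a deliberately weak hash (SHA-256 truncated to 32 bits, so a birthday search finds a collision in a fraction of a second) and substitutes HMAC with a secret key for the signature primitive so it runs on the standard library alone. Scheme A signs the bare digest H(M), which is how a Manifest entry or any hash-then-sign scheme commits to content; Scheme B follows the Ed25519 shape, deriving a per-message nonce R from a secret prefix and M and signing H(R || M) with R sent alongside the signature. The attacker finds a colliding pair (M, M'), obtains a signature on M, and tries to present it as a signature on M'.

```python
import hashlib
import hmac
import os

# Constructed, deliberately weak hash: SHA-256 truncated to 32 bits, so a
# birthday search collides after roughly 2^16 evaluations. It stands in
# for a hash whose collision resistance has been broken.
def weak_hash(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()[:4]


def find_collision():
    """Birthday search: two distinct messages with the same weak_hash."""
    seen = {}
    i = 0
    while True:
        m = b"payload-%d" % i          # constructed attacker-chosen inputs
        h = weak_hash(m)
        if h in seen:
            return seen[h], m
        seen[h] = m
        i += 1


# Stand-in for the signing primitive (assumption: HMAC with a secret key
# plays the role of the public-key signature so the example is stdlib-only).
def sign_digest(key: bytes, digest: bytes) -> bytes:
    return hmac.new(key, digest, hashlib.sha256).digest()


# Scheme A: hash-then-sign over H(M) alone. A collision on H transfers the
# signature from M to M' directly.
def sign_a(key: bytes, m: bytes) -> bytes:
    return sign_digest(key, weak_hash(m))


def verify_a(key: bytes, m: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign_digest(key, weak_hash(m)), sig)


# Scheme B: Ed25519-shaped. The signer derives a nonce R from a secret
# prefix and M, so the attacker cannot predict it, and the signed hash is
# H(R || M). R is public and travels with the signature, as in Ed25519.
def sign_b(key: bytes, m: bytes):
    R = hmac.new(key + b"nonce-prefix", m, hashlib.sha256).digest()[:16]
    return R, sign_digest(key, weak_hash(R + m))


def verify_b(key: bytes, m: bytes, sig) -> bool:
    R, s = sig
    return hmac.compare_digest(sign_digest(key, weak_hash(R + m)), s)


def demo() -> dict:
    """Run the collision attack against both schemes and report outcomes."""
    key = os.urandom(32)              # signer's secret; attacker never sees it
    m1, m2 = find_collision()         # attacker precomputes the colliding pair
    sig_a = sign_a(key, m1)           # signer signs m1 under each scheme
    sig_b = sign_b(key, m1)
    return {
        "collision_found": m1 != m2 and weak_hash(m1) == weak_hash(m2),
        # Scheme A accepts the signature on m2: the collision is enough.
        "scheme_a_forged": verify_a(key, m2, sig_a),
        # Scheme B rejects it: H(R || m1) != H(R || m2), since R was fixed by
        # the signer after the attacker chose the pair.
        "scheme_b_forged": verify_b(key, m2, sig_b),
        "scheme_b_valid_on_m1": verify_b(key, m1, sig_b),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The toy hash is weak in every respect, not only against collisions; the point is which attack type each construction is exposed to. Scheme A is broken by a plain collision on attacker-chosen inputs, the cheapest class of hash break. Scheme B forces the attacker to find a second message that collides under a prefix the signer chose, which is a second-preimage style problem and not what a collision attack delivers. Ed25519 adds the public key A into the hash as well (H(R || A || M)); the example omits it since it is not what the collision argument turns on.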