Linus Torvalds wrote: > So you'd have to be able to attack both the full SHA1, _and_ whatever > other different good hash to 128 bits.
There's a surprising result of combining iterated hash functions, that the combination is no more difficult to attack than the strongest hash function used. https://www.iacr.org/cryptodb/archive/2004/CRYPTO/1472/1472.pdf Perhaps you already knew about this, but I had only heard rumors that was the case, until I found that reference recently. -- see shy jo
signature.asc
Description: PGP signature
