> I'm aware of that (and related) work, but this is about finding
> multicollisions in MD5 || SHA1.

To be clear, there is no published collision on MD5 || SHA1 right now.

In our paper, we only say that *if SHA-1 collisions were to appear* with complexity 2^x, then MD5||SHA1 collisions would cost 2^(6+x). Hence, if the current estimate of 2^61 for SHA1 were true, then the cost of MD5||SHA1 is 2^67. It is up to protocol designers and implementers to decide whether this is an acceptable security margin.

If we decide to wait for a “real” SHA-1 collision to appear, then we must be prepared for “real” attacks to appear soon after.

Best,
Karthik

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
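
An added illustration, not part of the original message or the paper: a toy version of Joux's multicollision construction, which is one standard way a concatenated hash ends up costing only a small multiple (here K, in the message 2^6) of a collision in one component. That this is the derivation behind the 2^(6+x) figure is an assumption; the 16-bit truncation, `K`, and all function names are constructed for the example.

```python
import hashlib
from itertools import count, product

BITS = 16   # toy state size (assumption); real MD5/SHA-1 states are 128/160 bits
K = 12      # chained collisions -> 2**K messages sharing one digest of `first`

def compress(algo, state, block):
    """Toy compression function: algo(state || block) truncated to BITS bits."""
    return hashlib.new(algo, state + block).digest()[:BITS // 8]

def toy_hash(algo, blocks):
    """Iterated (Merkle-Damgard style) toy hash over a list of blocks, no padding."""
    state = bytes(BITS // 8)
    for b in blocks:
        state = compress(algo, state, b)
    return state

def block_collision(algo, state):
    """Birthday search for two distinct blocks that collide when fed from `state`."""
    seen = {}
    for i in count():
        blk = i.to_bytes(4, "big")
        out = compress(algo, state, blk)
        if out in seen:
            return seen[out], blk, out, i + 1   # i + 1 = compression calls used
        seen[out] = blk

def concat_collision(first="sha1", second="md5"):
    """Collide toy first||second using K chained collisions in `first`."""
    state, pairs, work = bytes(BITS // 8), [], 0
    for _ in range(K):
        b0, b1, state, calls = block_collision(first, state)
        pairs.append((b0, b1))
        work += calls                           # total is about K single collisions
    seen = {}
    for choice in product(*pairs):              # 2**K messages, same `first` digest
        d = toy_hash(second, choice)
        if d in seen:                           # birthday hit in `second` as well
            return list(seen[d]), list(choice), work
        seen[d] = choice
    return None, None, work

def digest(blocks):
    """Toy analogue of MD5 || SHA1 over the same block sequence."""
    return toy_hash("md5", blocks) + toy_hash("sha1", blocks)

if __name__ == "__main__":
    a, b, work = concat_collision()
    print(digest(a).hex(), digest(b).hex(), a != b, work)
```

The work counter shows the scaling: the search in the first hash costs roughly K independent collisions, not the birthday bound of the combined 32-bit output.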