Hubert Kario <hka...@redhat.com> writes:

>defeating two hashes, when both use the Merkle-Damgård construction, is
>not much harder than breaking just one of them (increase of work factor less
>than 2)

"In theory there is no difference between theory and practice. In practice there is". I'm aware of this long-standing theoretical weakness around multicollisions. I'm just as aware that in the fifteen-odd years since the Joux paper, no-one has ever managed to demonstrate an even remotely practical attack on dual hashes, despite the hugely tempting target of all of SSL/TLS being there as a reward. In fact the sole (significant) surviving member of the MD5/SHA-1 era, RIPEMD-160, remains unbroken and uses dual hash chains within the same function, not even as two independent functions. So I'm not losing any sleep over this.

>not after quantum computers

... or captured alien technology, or magic, or anything involving pyramids or the Aztecs...

>come into play

Yeah, not losing any sleep over those either.

Peter.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
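
The multicollision construction from the Joux paper referred to in the message above, carried out on a toy pair of 16-bit Merkle-Damgård hashes. This is an added example, not part of the original message; the truncated-SHA-256 compression functions, the tags `F` and `G`, and the sizes `N` and `K` are assumptions chosen so that it runs in well under a second.

```python
import hashlib
from itertools import product

N = 2   # toy digest size in bytes (16 bits); assumption for the demo
K = 12  # chained block collisions -> 2**K messages colliding under F

def compress(tag, h, block):
    # Toy compression function: truncated SHA-256, domain-separated by tag.
    return hashlib.sha256(tag + h + block).digest()[:N]

def md_hash(tag, blocks):
    # Plain Merkle-Damgard iteration (fixed length, so padding is omitted).
    h = bytes(N)
    for b in blocks:
        h = compress(tag, h, b)
    return h

def block_collision(tag, h):
    # Birthday search for two blocks with the same output from chaining value h.
    seen, calls = {}, 0
    while True:
        block = calls.to_bytes(4, "big")
        out = compress(tag, h, block)
        calls += 1
        if out in seen:
            return seen[out], block, out, calls
        seen[out] = block

def joux_dual_collision():
    # Stage 1: K successive collisions in F give 2**K messages with one F digest.
    h, pairs, work = bytes(N), [], 0
    for _ in range(K):
        b0, b1, h, calls = block_collision(b"F", h)
        pairs.append((b0, b1))
        work += calls
    # Stage 2: ordinary birthday search under G among those 2**K messages.
    seen = {}
    for choice in product((0, 1), repeat=K):
        msg = [pairs[i][c] for i, c in enumerate(choice)]
        g = md_hash(b"G", msg)
        work += K  # one compress call per block
        if g in seen:
            return seen[g], msg, work
        seen[g] = msg
    return None
```

`joux_dual_collision()` returns two distinct messages that collide under both toy hashes, together with the number of compression calls spent, which can be compared with the roughly 2**16 calls a birthday search on an ideal 32-bit hash would need.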