On Wednesday, 11 July 2018 06:57:59 CEST Peter Gutmann wrote: > Hubert Kario <hka...@redhat.com> writes: > >defeating two hashes, when both use use the Merkle-Damgård construction, is > >not much harder than breaking just one of them (increase of work factor > >less than 2) > > "In theory there is no difference between theory and practice. In practice > there is". > > I'm aware of this long-standing theoretical weakness around multicollisions. > I'm just as aware that in the fifteen-odd years since the Joux paper, > no-one has ever managed to demonstrate an even remotely practical attack on > dual hashes, despite the hugely tempting target of all of SSL/TLS being > there as a reward.
2^77 is a rather high barrier of entry just to prove expected result – I'm not surprised about lack of practical attack at all. Nobody has disproved the conclusion of that paper either, so we don't have the luxury of ignoring it. -- Regards, Hubert Kario Senior Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
signature.asc
Description: This is a digitally signed message part.
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
