On Sat, Oct 21, 2017 at 12:12 PM, R0b0t1 <r030t1@×××××.com> wrote:
> On Sat, Oct 21, 2017 at 11:26 AM, Robin H. Johnson <robbat2@g.o> wrote:
>> On Fri, Oct 20, 2017 at 05:21:47PM -0500, R0b0t1 wrote:
>>> I would like to present my suggestions:
>>>
>>> SHA512, (RIPEMD160 | WHIRLPOOL | BLAKE2B), (SHA3_512 | BLAKE2B);
>>>
>>> or more definitively:
>>>
>>> SHA512, RIPEMD160, BLAKE2B.
>> Please do NOT reintroduce RIPEMD160. It was one of the older Portage
>> hashes prior to implementation of GLEP059, and was removed because it
>> was shown to fall to parts of the same attacks at MD4/MD5 by Wang's
>> paper in 2004.
>>
>> Wang, X. et al. (2004). "Collisions for Hash Functions MD4, MD5,
>> HAVAL-128 and RIPEMD", rump session, CRYPTO 2004, Cryptology ePrint
>> Archive, Report 2004/199, first version (August 16, 2004), second
>> version (August 17, 2004). Available online from:
>> http://eprint.iacr.org/2004/199.pdf
>>
>

Also important is that the existence of a constructed collision is not
necessarily an indication that the function is weak for real data.

> Can anyone defend the transition to two hashes, or is it just based on
> speculation?
>

This thread in particular is the worst case of bikeshedding I have
seen on gentoo-dev. No one here is well equipped to evaluate the
cryptographic primitives being discussed[1] but there are still many
strong opinions and unwarranted suggestions.

Respectfully,
R0b0t1

[1]: In fairness perhaps no one is, as the cryptography of one
particular function takes very intensive study. Most published
algorithms are never studied intently until they are adopted. Still,
people should be justifying any suggestion by referencing real data or
tested deficiencies. Not guessing.