1 |
On Sat, Oct 21, 2017 at 11:26 AM, Robin H. Johnson <robbat2@g.o> wrote: |
2 |
> On Fri, Oct 20, 2017 at 05:21:47PM -0500, R0b0t1 wrote: |
3 |
>> I would like to present my suggestions: |
4 |
>> |
5 |
>> SHA512, (RIPEMD160 | WHIRLPOOL | BLAKE2B), (SHA3_512 | BLAKE2B); |
6 |
>> |
7 |
>> or more definitively: |
8 |
>> |
9 |
>> SHA512, RIPEMD160, BLAKE2B. |
10 |
> Please do NOT reintroduce RIPEMD160. It was one of the older Portage |
11 |
> hashes prior to implementation of GLEP059, and was removed because it |
12 |
> was shown to fall to parts of the same attacks at MD4/MD5 by Wang's |
13 |
> paper in 2004. |
14 |
> |
15 |
> Wang, X. et al. (2004). "Collisions for Hash Functions MD4, MD5, |
16 |
> HAVAL-128 and RIPEMD", rump session, CRYPTO 2004, Cryptology ePrint |
17 |
> Archive, Report 2004/199, first version (August 16, 2004), second |
18 |
> version (August 17, 2004). Available online from: |
19 |
> http://eprint.iacr.org/2004/199.pdf |
20 |
> |
21 |
|
22 |
That is precisely why I didn't suggest it be used on its own (see note |
23 |
about extant use of MD5), and why I gave alternatives. If it is |
24 |
desired that the hashes be computed quickly then weaker hashes will |
25 |
need to be used. One usually can't have both security and speed. |
26 |
|
27 |
Can anyone defend the transition to two hashes, or is it just based on |
28 |
speculation? |
29 |
|
30 |
People are discussing collision resistance, but no one here appears to |
31 |
be trained in cryptography. The only reasonable solution in that case |
32 |
is not to rely on the particular mostly unknowable merits of an |
33 |
algorithm, but the hardness of a successful collision of multiple |
34 |
functions at the same time. |
35 |
|
36 |
*If* collision resistance is important, and *if* no one here can |
37 |
evaluate any of the algorithms intensively by themselves, then *why* |
38 |
are two hashes going to be used instead of three? That is making the |
39 |
system much weaker than it was. |