Re: SHA-1 broken

[Dan Harkless <bugtraq@xxxxxxxxxxxx>]

On February 17, 2005, Michael Cordover <michael.cordover@xxxxxxxxx> wrote:
> On Wed, 16 Feb 2005 14:56:27 +0200, Gadi Evron <gadi@xxxxxxxxxxxxx> wrote:
> > 
> > Where do we go from here?
> 
> The standard response to "where to now" seems to be Whirlpool
> [http://planeta.terra.com.br/informatica/paulobarreto/WhirlpoolPage.html].
>  That or Tiger [http://www.cs.technion.ac.il/~biham/Reports/Tiger/].

There has indeed been a lot of positive buzz about Whirlpool.  I have seen
comments, though, that Whirlpool is quite slow, but that Tiger is pretty
reasonable on 64-bit CPUs.

No doubt we'll see more analyses of these as the old standbys start to look
more and more shaky.

> The team which has cracked SHA1 is the same that cracked MD5 and
> exposed weaknesses in the RIPEMD model.  They're good.  And they've
> shown that what I would've thought to be the Next Best Thing - RIPEMD

Yeah, for instance RIPEMD-160 is the only other message digest algorithm
currently implemented in the OpenSSL library that would be worth using
(other than perhaps MDC2, which I haven't seen much discussion of -- it's
apparently a method of constructing a 128-bit output hash function out of a
block cipher -- the OpenSSL implementation uses DES).

> - is yet another flawed system.

The original RIPEMD is indeed flawed, as shown by Hans Dobbertin in '95 for
a reduced-round version and by the Chinese team for the full-round version.
However, I have not seen analysis saying that this weakness also applies to
RIPEMD-128 / RIPEMD-160 / RIPEMD-256 / RIPEMD-320
(<http://www.esat.kuleuven.ac.be/~bosselae/ripemd160.html>), the
strengthened versions which were co-developed by Dobbertin in '96, partially
in response to the weakness that he found.

Pages like The Hashing Function Lounge
(<http://planeta.terra.com.br/informatica/paulobarreto/hflounge.html>) agree
with this separation of RIPEMD vs. the RIPEMD-160 family.

-- 
Dan Harkless
http://harkless.org/dan/