
Re: Let's shrink Packages.xz

Jakub Wilk <jwilk@debian.org> writes:

> You might have had this paper in mind:
> https://www.iacr.org/archive/crypto2004/31520306/multicollisions.pdf
> Quoting §4: “If F and G are good iterated hash functions with no attack
> better than the generic birthday paradox attack, we claim that the hash
> function F||G obtained by concatenating F and G is not really more secure
> that F or G by itself.”

Ah, if that's the case, that's an argument about a different use case.  I
wouldn't expect just adding more hashes to add more security when the
hashes haven't been broken.  SHA-256 by itself provides more than enough
security if one assumes that it has ideal properties.

The (theoretical) security benefit argued for here is precisely the case
where the hash functions *do* have attacks better than the generic
birthday paradox attack (that we possibly don't know about yet).  It's
basically a defense in depth argument, coupled with the argument that the
special construction of a file to create a collision for one hash function
may be incompatible with the special construction of a file required to
create a collision with the other hash function.

Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
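To make the defense-in-depth point concrete, here is an added example (not from this thread and not apt's own code) that checks a file against every digest listed in a Packages stanza and accepts it only when all of them match, so a file prepared to collide under one function alone is still rejected. The stanza fields and the package body are constructed for the example.

```python
import hashlib

# Digest fields a Packages stanza may carry, mapped to hashlib names.
DIGEST_FIELDS = {"MD5sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}

# Constructed stand-in for a .deb file body (not a real package).
ORIGINAL_DEB = b"!<arch>\nconstructed-sample-package-contents\n"

def digests(data):
    """Compute every digest in DIGEST_FIELDS over data."""
    return {f: hashlib.new(a, data).hexdigest() for f, a in DIGEST_FIELDS.items()}

def make_stanza(name, data, overrides=None):
    """Build a constructed deb822 stanza; overrides replaces digest values."""
    fields = {"Package": name, "Filename": f"pool/main/{name}.deb",
              "Size": str(len(data))}
    fields.update(digests(data))
    fields.update(overrides or {})
    return "".join(f"{k}: {v}\n" for k, v in fields.items())

def parse_stanza(text):
    """Parse one deb822 stanza into a dict (no continuation lines needed here)."""
    fields = {}
    for line in text.splitlines():
        if line.strip():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields

def check_all_digests(stanza, data):
    """Return (ok, report). ok is True only if every listed digest matches;
    a file that matches under one function but not the others is rejected."""
    actual = digests(data)
    report = {f: actual[f] == stanza[f].lower()
              for f in DIGEST_FIELDS if f in stanza}
    return bool(report) and all(report.values()), report

if __name__ == "__main__":
    forged = ORIGINAL_DEB.replace(b"sample", b"forged")
    # Genuine stanza, genuine file: accepted.
    print(check_all_digests(parse_stanza(make_stanza("demo", ORIGINAL_DEB)), ORIGINAL_DEB))
    # Simulated single-function break: the stanza's MD5sum describes the forged
    # file while SHA1/SHA256 still describe the original, so the check fails.
    half_broken = make_stanza("demo", ORIGINAL_DEB,
                              {"MD5sum": digests(forged)["MD5sum"]})
    print(check_all_digests(parse_stanza(half_broken), forged))
```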
