
Re: Let's shrink Packages.xz



On Mon, 14 Jul 2014, Jakub Wilk wrote:
> * Peter Palfrader <weasel@debian.org>, 2014-07-14, 20:25:
> >>The basic idea is that it's much harder to come up with a
> >>simultaneous hash collision with both SHA-1 and SHA-2 than
> >>breaking either of them independently.
> >
> >ISTR reading papers that put this "much harder" into doubt.  But I
> >can't find those references, alas.
> 
> You might have had this paper in mind:
> https://www.iacr.org/archive/crypto2004/31520306/multicollisions.pdf
> Quoting §4: “If F and G are good iterated hash functions with no
> attack better than the generic birthday paradox attack, we claim
> that the hash function F||G obtained by concatenating F and G is not
> really more secure than F or G by itself.”

We don't want F|G to be more secure than F or G by itself.  We want it to be
at least as secure as the stronger of F or G.

Which means it continues being secure if one of G or F, but not both, is
"compromised".

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
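The property the reply asks for, that F||G stays secure as long as at least one of F or G is unbroken, only holds if the verifier insists that every listed digest matches; a verifier that accepts a file when any one digest agrees is only as strong as the weakest hash. The following Python script is an added example, not code from this thread or from Debian's tools: it parses a constructed Packages-style stanza (the SHA1/SHA256 field names follow a real index, the package name, filename and payload are made up), checks a payload under an all-must-match policy and under an any-match policy, and shows how the two differ when only one digest agrees.

```python
"""Verify a Packages-style stanza: all listed digests must match, not just one."""
import hashlib
import hmac

# Digest fields a Packages stanza may carry, mapped to hashlib algorithm names.
DIGEST_FIELDS = {"MD5sum": "md5", "SHA1": "sha1", "SHA256": "sha256"}


def parse_stanza(text: str) -> dict:
    """Parse one control-file stanza ("Key: value" lines) into a dict."""
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed line: %r" % line)
        fields[key.strip()] = value.strip()
    return fields


def build_stanza(data: bytes, algos=("SHA1", "SHA256")) -> str:
    """Construct a Packages-style stanza for a payload (sample data, not a real index)."""
    lines = [
        "Package: example",  # hypothetical package
        "Version: 1.0",
        "Filename: pool/main/e/example/example_1.0_all.deb",  # hypothetical path
        "Size: %d" % len(data),
    ]
    for field in algos:
        digest = hashlib.new(DIGEST_FIELDS[field], data).hexdigest()
        lines.append("%s: %s" % (field, digest))
    return "\n".join(lines) + "\n"


def listed_digests(stanza: dict) -> dict:
    """Return only the digest fields present in a parsed stanza."""
    return {k: v for k, v in stanza.items() if k in DIGEST_FIELDS}


def verify_all(data: bytes, stanza: dict) -> bool:
    """Strong policy: every digest the index lists must match.

    A substituted payload then needs a simultaneous collision in all listed
    hashes, which is the property the thread wants from F||G."""
    listed = listed_digests(stanza)
    if not listed:
        return False  # an entry with no digest at all is a failure, not a pass
    if "Size" in stanza and int(stanza["Size"]) != len(data):
        return False
    for field, expected in listed.items():
        actual = hashlib.new(DIGEST_FIELDS[field], data).hexdigest()
        if not hmac.compare_digest(actual, expected):
            return False
    return True


def verify_any(data: bytes, stanza: dict) -> bool:
    """Weak policy: accept when any one listed digest matches.

    This discards the benefit of listing several hashes: the check is only
    as strong as the weakest hash that can be collided."""
    for field, expected in listed_digests(stanza).items():
        actual = hashlib.new(DIGEST_FIELDS[field], data).hexdigest()
        if hmac.compare_digest(actual, expected):
            return True
    return False


# Constructed sample payload and the index entry that describes it.
GENUINE = b"constructed package payload, not a real .deb\n"
STANZA = parse_stanza(build_stanza(GENUINE))

# Model the outcome of a collision in only one of the hashes: an entry whose
# SHA1 agrees with the payload but whose SHA256 does not. No real SHA-1
# collision is produced here; the field is swapped to simulate that state.
ONE_HASH_MATCHES = dict(STANZA, SHA256=hashlib.sha256(b"a different payload\n").hexdigest())


def demo() -> dict:
    """Run both policies against the genuine entry and the one-hash-matches entry."""
    return {
        "genuine_all": verify_all(GENUINE, STANZA),
        "genuine_any": verify_any(GENUINE, STANZA),
        "one_match_all": verify_all(GENUINE, ONE_HASH_MATCHES),
        "one_match_any": verify_any(GENUINE, ONE_HASH_MATCHES),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-14s %s" % (name, "accepted" if ok else "rejected"))
```

The genuine entry is accepted under both policies; the entry where only SHA1 agrees is rejected by verify_all and accepted by verify_any, which is exactly the gap between "as secure as the stronger of F or G" and "as weak as the weaker". Real index parsers also have to handle continuation lines and multiple stanzas, which this sample omits.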

