monotone-devel

Re: [Monotone-devel] Re: Crypto and SHA-1, was Policy branches - first steps


From: Paul Crowley
Subject: Re: [Monotone-devel] Re: Crypto and SHA-1, was Policy branches - first steps
Date: Tue, 27 Feb 2007 09:12:04 +0000
User-agent: Icedove 1.5.0.9 (X11/20061220)

Lapo Luchini wrote:
> It could be nice if the policy could define one (or more!) "hash change
> horizon" before which the less secure hash is accepted: this way the
> old history wouldn't need to be re-signed (thus losing the verifiability
> of the original author's signature).
> Of course the whole hash of the horizon's revisions could be signed (in
> the policy) using the better hash, to protect them.

If there's a practical second pre-image attack, signing the horizon isn't enough, because the broken hash function isn't enough to chain in all the revisions before the horizon.

However, this mechanism is something like what I'd have in mind as a way of transitioning from SHA-256 to the new standard hash function; we can make it so that if you haven't made a collision by the time the project has transitioned, it's too late to mount a collision attack and only a second preimage attack becomes possible. Which I think is good enough for practical purposes.

> While we are talking of hashes: shouldn't we maybe follow Schneier's
> suggestion to use "double SHA-256"?

No, I don't think so. We don't anticipate even a single collision being found in SHA-256 in the foreseeable future, so the fact that one leads to multiple collisions isn't a big deal for us, and we don't need the hash function to have any property other than collision resistance.
--
  __
\/ o\ Paul Crowley, address@hidden
/\__/ http://www.ciphergoth.org/
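The horizon mechanism discussed in this message, worked through as an added example; it is not code from the monotone project or from either poster. The "old" hash is SHA-1 truncated to 16 bits, chosen deliberately so that a second preimage can be brute-forced and the point Paul makes about the signed horizon can be shown concretely; revision ids are hashes over parent id plus content (a simplification of monotone's real revision format, assumed here), and HMAC-SHA256 stands in for the policy's signature. All sample history below is constructed.

```python
import hashlib
import hmac

# Toy "old" hash: SHA-1 truncated to 16 bits. Weak by construction so that a
# second preimage can be brute-forced in well under a second; it stands in for
# a hash function for which a practical second-preimage attack exists.
def old_hash(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()[:4]

# "New" hash: full SHA-256, used for the horizon revision and everything after.
def new_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def revision_id(parent_id: str, content: bytes, hashfn) -> str:
    # Simplified revision format (assumption): the id commits to the parent id
    # and the content, so each id chains to the one before it.
    return hashfn(parent_id.encode() + b"\n" + content)

def build_chain(contents, horizon):
    """Return [(rev_id, parent_id, content)]; revisions with index < horizon
    are identified by old_hash, the horizon revision and later by new_hash."""
    chain, parent = [], ""
    for i, content in enumerate(contents):
        hashfn = old_hash if i < horizon else new_hash
        rid = revision_id(parent, content, hashfn)
        chain.append((rid, parent, content))
        parent = rid
    return chain

def verify_chain(chain, horizon):
    """Recompute every id with the hash the policy accepts at that position."""
    parent = ""
    for i, (rid, pid, content) in enumerate(chain):
        hashfn = old_hash if i < horizon else new_hash
        if pid != parent or revision_id(pid, content, hashfn) != rid:
            return False
        parent = rid
    return True

def sign_horizon(key: bytes, chain, horizon) -> str:
    # The policy "signs" the horizon revision id, which is a new-hash id.
    # HMAC-SHA256 stands in for a real signature (assumption, for self-containment).
    return hmac.new(key, chain[horizon][0].encode(), hashlib.sha256).hexdigest()

def verify_horizon_sig(key: bytes, chain, horizon, sig: str) -> bool:
    return hmac.compare_digest(sign_horizon(key, chain, horizon), sig)

def second_preimage(parent_id: str, target_id: str, prefix: bytes, limit=1 << 20):
    """Brute-force a content with the given prefix whose old-hash id equals
    target_id. Feasible only because old_hash is 16 bits wide."""
    for n in range(limit):
        candidate = prefix + b" #" + str(n).encode()
        if revision_id(parent_id, candidate, old_hash) == target_id:
            return candidate
    return None

def demo():
    # Constructed sample history: two pre-horizon revisions, horizon at index 2.
    contents = [b"rev0: initial import", b"rev1: add feature",
                b"rev2: first SHA-256 revision", b"rev3: later work"]
    horizon = 2
    chain = build_chain(contents, horizon)
    key = b"policy-signing-key"   # constructed; a real policy would use a keypair
    sig = sign_horizon(key, chain, horizon)

    # Attacker: swap rev1's content for a second preimage under old_hash. The
    # id of rev1 is unchanged, so the horizon's parent id, the horizon id and
    # the policy signature over it are all unchanged too.
    rid, pid, _ = chain[1]
    forged = second_preimage(pid, rid, b"rev1: add feature plus backdoor")
    tampered = list(chain)
    tampered[1] = (rid, pid, forged)

    return {
        "forged": forged,
        "content_changed": forged != contents[1],
        "chain_ok": verify_chain(tampered, horizon),
        "horizon_sig_ok": verify_horizon_sig(key, tampered, horizon, sig),
    }

if __name__ == "__main__":
    print(demo())
```

Running the demo yields a forged rev1 whose content differs from the original while both the chain check and the horizon signature still pass: the new-hash signature only reaches back as far as the old-hash chain can carry it. Tampering with a revision at or after the horizon, by contrast, is caught by the full SHA-256 recomputation.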



