Roy Badami wrote:
> 6.4.2 says....
>
> A collision resistant hash function has a second-preimage resistance
> property. The second-preimage resistance property means that
>
> I am not a cryptographer, but... While true, I don't think this is
> relevent. I would reword this to say
>
> A cryptographic hash function has a ...


I managed to miss this one, you are, of course, correct.

> Collision resistance is another specific property of cyrtographic
> hashes, namely that it is computationally infeasable to construct a
> pair of messages that hash to the same value, and AFAICS NSEC3 doesn't
> actually require a collision resitant hash function.
>
> Collision restistance implies second pre-image resitance: if you've
> managed to break second pre-image resitance then you have necessarily
> constructed a collision, but second pre-image resitance is a weaker
> property of a hash than collision resitance.
>
> Weaker in the sense that it is possible to break the collision
> resistance of a hash without breaking second pre-image resistance (ie
> I may be able to construct one or more pairs of messages that hash
> to the same value, assuming I get to choose both messages, but that
> doesn't mean I can construct a message that hashes to the same value
> as a message _you_ choose...
>
> The probability of finding a second preimage is 1 in 2^160 for
> SHA-1 on average
>
> This is clearly not true, unless the adversary simply tries one
> possible preimage at random and gives up if he hasn't succeeded. Just
> by trying two random preimages you can increase the probability to 1
> in 2^159, and perfoming two SHA-1 operations within a reasonably
> timeframe is possible even on the most modest of hardware :-)


I thought I'd already fixed this language.

>
> An attacker can clearly attempt a very large number of test hashes,
> but also cryptanalysis of SHA-1 may allow less computationally
> intensive attacks than random tests...
>
> You can't put a figure on the probability of breaking second preimage
> resistance; cryptography doesn't work that way. It's conceivable
> (though incredibly inplausible) that someone (perhaps the NSA?) is
> capable of producing a second preimage with probablility 1.


Yes, what we should say is that the work factor for finding a second
preimage is of the order of 2^160.

Cheers,

Ben.

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: