[Python-Dev] SHA-256 module

"Martin v. Löwis" martin at v.loewis.de
Sun Sep 12 23:51:27 CEST 2004


Michael Hudson wrote:
> I'm hardly an expert, but I'd still like to know more about this
> attack.  If it's as limited as it could possibly be (i.e. it can only
> make very specific strings differing by a handful of bits hash the
> same) then it's only an issue for the paranoid.  If it's as wide as it
> could possibly be it seems that all hash functions we currently know
> could be doomed.

The nicest summary I have seen on this so far was Tim Churches' message
<mailman.3198.1094942493.5135.python-list at python.org>. In his
terminology, "collision resistance" has been attacked (i.e. it is now
possible to create pairs of plaintext that hash the same). "Preimage
resistance" and "2nd preimage resistance" remain unattacked, at least
wrt. this paper. IOW, it is still not possible to easily reconstruct
some plaintext given the hash (good for password hashing), and it is
still not possible to modify a given plaintext so that it still hashes
the same (good for signing).

However, the trust in the "pseudo-randomness" of the hash is gone now -
for a cryptographically "secure" hash, it should not be possible to
create a collision until the sun collapses.

Regards,
Martin
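The three properties named above differ in how hard a generic (internals-agnostic) attacker finds them. The following is an added example, not code from the original message or from Python's own sha module: it uses a truncated SHA-256 as a toy hash with a small output space so that brute-force attacks on each property finish in seconds, and it shows the cost asymmetry that a real attack on collision resistance removes. The truncation widths, the trial-message generator and the sample document are constructed for the illustration.

```python
import hashlib
from typing import Optional, Tuple

# Added example, not part of the original message. A truncated SHA-256 stands
# in for a toy hash with a small output space so that the generic attacks
# against each property finish quickly; the asymmetry in cost is the point.


def truncated_sha256(data: bytes, nbytes: int) -> bytes:
    """First nbytes of SHA-256(data): an 8*nbytes-bit toy hash (assumption)."""
    return hashlib.sha256(data).digest()[:nbytes]


def candidate(i: int) -> bytes:
    """Deterministic, pairwise distinct trial messages (constructed input)."""
    return i.to_bytes(8, "big")


def find_collision(nbytes: int, max_tries: int) -> Optional[Tuple[bytes, bytes, int]]:
    """Generic birthday attack on collision resistance: keep hashing distinct
    messages until two of them share a digest. For a random-looking hash this
    needs roughly 2**(4*nbytes) evaluations (the square root of the output
    space) and no knowledge of the hash's internals."""
    seen = {}
    for i in range(1, max_tries + 1):
        m = candidate(i)
        d = truncated_sha256(m, nbytes)
        if d in seen:                      # earlier message with the same digest
            return seen[d], m, i
        seen[d] = m
    return None


def find_preimage(target: bytes, nbytes: int, max_tries: int) -> Optional[Tuple[bytes, int]]:
    """Generic attack on preimage resistance: find any message whose digest is
    target. Expected cost is about 2**(8*nbytes), the whole output space."""
    for i in range(1, max_tries + 1):
        m = candidate(i)
        if truncated_sha256(m, nbytes) == target:
            return m, i
    return None


def find_second_preimage(original: bytes, nbytes: int, max_tries: int) -> Optional[Tuple[bytes, int]]:
    """Generic attack on 2nd preimage resistance: given a fixed message, find a
    different one with the same digest. Same 2**(8*nbytes) expected cost as a
    preimage; this is the property a signature over a fixed document relies on."""
    target = truncated_sha256(original, nbytes)
    for i in range(1, max_tries + 1):
        m = candidate(i)
        if m != original and truncated_sha256(m, nbytes) == target:
            return m, i
    return None


if __name__ == "__main__":
    col = find_collision(3, 200_000)            # 24-bit hash: about 4096 tries expected
    print("collision (24-bit hash):", col and col[2], "tries")
    doc = b"constructed document to sign"       # constructed sample input
    pre = find_preimage(truncated_sha256(doc, 2), 2, 1_000_000)   # 16-bit: ~65536 tries
    print("preimage (16-bit hash):", pre and pre[1], "tries")
    print("collision in full SHA-256 after 10000 tries:", find_collision(32, 10_000))
```

Note that a 24-bit collision falls out after a few thousand hashes while a 16-bit preimage needs tens of thousands: the collision search is the square root of the preimage search at equal width, which is why a cryptanalytic shortcut on collisions is a narrower break than one on preimages, and why the full 256-bit digest resists both generic searches in any bounded number of tries.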

