
[Cfrg] Re: [saag] Bad day at the hash function factory
> I believe that the proof that HMAC is secure requires a collision
> resistant hash function.

Yes - but what type of collision?

As I understand it, it needs a second-preimage-resistant function,
which (as I understand it) MD5 still is.  (At least as far as the
public literature goes, but that caveat applies to practically all
public crypto discussion.)

The reason I think MD5 should not be used for new work, and should be
withdrawn from existing work to the extent feasible, is not that it's
broken, but that it's showing cracks: that these recent results
indicate that it's comparatively likely to be broken in other ways
(such as second-preimage) relatively soon, even if the current attacks
cannot be used for anything but chosen-preimage-pair collisions.

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML	       mouse at rodents.montreal.qc.ca
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg
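To make the distinction in this thread concrete, here is an added example (not from the poster or the list) of the RFC 2104 HMAC construction written out on top of hashlib. It shows why HMAC's assumption on the hash is different from plain collision resistance: the inner hash never sees the attacker's message from the public IV, but only after absorbing a secret key-derived block, so a colliding pair found against the bare hash does not automatically collide inside HMAC. The key, message and test-vector values are constructed for the example; the stdlib hmac module is used only as a cross-check.

```python
import hashlib
import hmac  # used only to cross-check the hand-written construction


def rfc2104_hmac(key: bytes, message: bytes, hash_name: str = "md5") -> bytes:
    """HMAC(K, m) = H((K ^ opad) || H((K ^ ipad) || m)), per RFC 2104.

    block_size is read from hashlib (64 bytes for MD5, SHA-1 and SHA-256),
    so the same code works for any hash hashlib knows.
    """
    block_size = hashlib.new(hash_name).block_size
    # A key longer than one block is first hashed down to one digest;
    # a shorter key is zero-padded out to the block size.
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")

    ipad_key = bytes(b ^ 0x36 for b in key)
    opad_key = bytes(b ^ 0x5C for b in key)

    # The inner hash processes the secret (K ^ ipad) block *before* the
    # message, so its chaining state when the message arrives is secret and
    # differs from the public IV that an unkeyed collision search starts
    # from. That is why a collision H(m1) == H(m2) does not by itself give
    # HMAC(K, m1) == HMAC(K, m2).
    inner = hashlib.new(hash_name, ipad_key + message).digest()
    return hashlib.new(hash_name, opad_key + inner).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes, hash_name: str = "md5") -> bool:
    """Verifier-side check; compare_digest avoids a timing side channel."""
    return hmac.compare_digest(rfc2104_hmac(key, message, hash_name), tag)


def matches_stdlib(key: bytes, message: bytes, hash_name: str) -> bool:
    """Cross-check against Python's own HMAC for the same key and hash."""
    return rfc2104_hmac(key, message, hash_name) == hmac.new(key, message, hash_name).digest()


if __name__ == "__main__":
    # Constructed sample input for a stand-alone run.
    k, m = b"key", b"The quick brown fox jumps over the lazy dog"
    for name in ("md5", "sha1", "sha256"):
        print(name, rfc2104_hmac(k, m, name).hex(), matches_stdlib(k, m, name))
    tag = rfc2104_hmac(k, m, "sha256")
    print("valid:", verify_tag(k, m, tag, "sha256"))
    print("tampered:", verify_tag(k, m + b"!", tag, "sha256"))
```

Swapping `hash_name` is the whole migration story for a protocol that negotiates its MAC: the construction does not change, only the underlying hash, which is what makes moving new work off HMAC-MD5 cheap.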