Re: NIST publishes new DSA draft
>
> James Couzens writes:
>> I had thought it a bit strange that someone writing so comprehensively
>> about something related to digital signatures would then make the
>> statement you did at the end of the paragraph I quoted. Did you have
>> some other intended meaning, such as broken by draft explicit
>> prohibition or otherwise declared deprecated in a future draft?
>
> Yes, sorry, my language was not as precise as it might have been.
> I said we should be ready in case SHA-1 were broken, but as you note
> it has been officially "broken" for over a year. However that is just
> a theoretical break and no actual examples of SHA-1 message collisions
> have yet been published. So at this point SHA-1 is in a bit of a limbo
> state, theoretically broken but still in widespread use.
The problem lies in the use of the term "broken",
which sounds great in the popular press but is
insufficiently precise for serious forums and
serious protocol work. A more appropriate term is
that SHA1 is weakened - from 80 bits to 69 bits -
for some uses.
Analysis in this forum in the past has indicated
that - approximately - SHA1 is still good, but we
should move over as and when we can select good
alternatives. NIST's new DSA announcement I think
makes the case that SHA256 is going to be around a
lot longer than some of us earlier speculated, so
that looks like the target for now.
> If the attack should get worse so that SHA-1 collisions could be found
> in a practical amount of time, then we would have a much more urgent
> need to switch to another hash. That is what I really meant when I
> said we should be ready if SHA-1 should be broken.
Yes, it's a concern. FTR, I agree with Hal that
we should seriously consider taking the draft out
of last call (dammit!) ... hopefully it won't take
too long to get enough consensus and some rough
working code?
iang
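Added example, not part of the thread and not code from anyone posting in it: it shows concretely why a collision attack (rather than a preimage attack) is what breaks a DSA-style signature, and why the cost of the generic attack is about 2^(n/2) for an n-bit hash. SHA-1 is truncated to a few bytes so the birthday search runs in under a second; the signing step is an HMAC over the digest standing in for DSA, which likewise signs only the digest. The messages, the key and the truncation width are all constructed for the demo.

```python
"""Constructed example: a birthday collision on a truncated SHA-1 digest lets
a signature on a benign message verify on a malicious one. The mechanism is
the same at full width; only the 2^(n/2) cost changes.
"""
import hashlib
import hmac
import itertools
from typing import Dict, Tuple

# Stand-in for a DSA private key (constructed, not a real key). DSA, like
# this toy signer, signs only the hash of the message, which is all the
# example relies on.
DEMO_KEY = b"constructed demo key, not a real DSA key"


def truncated_sha1(msg: bytes, nbits: int) -> bytes:
    """SHA-1 cut down to nbits (a multiple of 8) so the search is tractable."""
    assert nbits % 8 == 0 and 8 <= nbits <= 160
    return hashlib.sha1(msg).digest()[: nbits // 8]


def sign(msg: bytes, nbits: int) -> bytes:
    """Toy signer: keyed over the digest, as DSA is. HMAC stands in for DSA."""
    return hmac.new(DEMO_KEY, truncated_sha1(msg, nbits), "sha256").digest()


def verify(msg: bytes, sig: bytes, nbits: int) -> bool:
    """Recompute the signature over the digest and compare in constant time."""
    return hmac.compare_digest(sign(msg, nbits), sig)


def birthday_collision(nbits: int, benign_prefix: bytes,
                       malicious_prefix: bytes) -> Tuple[bytes, bytes, int]:
    """Generic birthday search between two message pools.

    Produces a benign message (one the victim would agree to sign) and a
    malicious one with the same truncated digest. Expected work is about
    2^(nbits/2) hash evaluations per pool, whatever the hash function is.
    Returns (benign, malicious, total_hash_evaluations).
    """
    benign: Dict[bytes, bytes] = {}
    malicious: Dict[bytes, bytes] = {}
    hashes = 0
    for i in itertools.count():
        mb = benign_prefix + b"%d" % i
        mm = malicious_prefix + b"%d" % i
        db = truncated_sha1(mb, nbits)
        dm = truncated_sha1(mm, nbits)
        hashes += 2
        if db == dm:  # this round's pair collides directly
            return mb, mm, hashes
        # Check each new digest against the other pool before storing it.
        if db in malicious:
            return mb, malicious[db], hashes
        if dm in benign:
            return benign[dm], mm, hashes
        benign[db] = mb
        malicious[dm] = mm


def demo(nbits: int = 32) -> dict:
    """Run the attack and report what the verifier sees."""
    m_benign, m_malicious, hashes = birthday_collision(
        nbits, b"Pay 10 EUR to Bob. Ref ", b"Pay 1000000 EUR to Mallory. Ref ")
    sig = sign(m_benign, nbits)  # the victim signs only the benign message
    return {
        "benign": m_benign,
        "malicious": m_malicious,
        "hashes": hashes,
        "expected_hashes": 2 ** (nbits // 2 + 1),  # ~2^(n/2) per pool
        "digests_equal": truncated_sha1(m_benign, nbits)
                         == truncated_sha1(m_malicious, nbits),
        # No preimage was needed: a second message with the same digest is
        # enough, which is why signatures depend on collision resistance.
        "signature_transfers": verify(m_malicious, sig, nbits),
        # Truncation is what made this cheap; full SHA-1 still separates them.
        "full_sha1_digests_equal": hashlib.sha1(m_benign).digest()
                                   == hashlib.sha1(m_malicious).digest(),
    }


if __name__ == "__main__":
    r = demo(32)
    print("benign   :", r["benign"])
    print("malicious:", r["malicious"])
    print("hashes used:", r["hashes"], "(expected ~", r["expected_hashes"], ")")
    print("signature on benign verifies on malicious:", r["signature_transfers"])
```

At 32 bits the search needs on the order of 2^17 hash evaluations; at SHA-1's full 160 bits the same generic search costs about 2^80, and the 69-bit figure iang cites is the cryptanalytic shortcut below that. A preimage search against the truncated digest would cost 2^32 here, which is why the "for some uses" qualifier matters: HMAC-SHA1 or a random-nonce construction is not exposed by a collision attack, while a signature over attacker-chosen input is. Moving to SHA-256 raises the generic collision bound to 2^128.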