Cryptography Reference
that infinitely many texts are mapped to finitely many hash values. This is the
price to be paid for the convenience of hash values of fixed length.¹⁰
Since we must also assume the existence of texts that possess identical
signatures in relation to a particular hash or redundancy function (where we
assume that the same signature key has been used), it is crucial that such
texts not be easy to find or to construct.
In sum, a hash function should be easy to compute, but this should not be
the case for the inverse mapping. That is, given a value H of a hash function it
should not be easy to find a preimage that is mapped to H. Functions with this
property are called one-way functions. Furthermore, a hash function must be
collision-free, meaning that it must not be easy to find two different preimages
of a given hash value. Until the present, these properties were satisfied by hash
functions such as the widely used functions RIPEMD-160 (cf. [DoBP]) and the
Secure Hash Algorithm SHA-1 (cf. [ISO1]). It now appears, however, that for digital
signatures in the near term (according to NIST and [RegT] from 2010 on), lengths
of hash values of 256 bits and greater will be required.
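
The two points above, that a fixed-length hash cannot be injective and that collisions must merely be hard to find, can be observed on a hash that is deliberately too short. The following Python sketch is an added example, not code from the original text; truncating SHA-256 to a few bits, the constructed messages, and the function names are assumptions made for illustration.

```python
import hashlib
from itertools import count


def truncated_hash(data: bytes, bits: int) -> int:
    """SHA-256 cut down to its leading `bits` bits (a deliberately short toy hash)."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_collision(bits: int):
    """Birthday search: hash distinct messages until two share a truncated value.

    Returns (msg_a, msg_b, tries). By the pigeonhole principle a collision is
    certain within 2**bits + 1 tries; on average it appears after about
    2**(bits/2) tries, which is why the hash length must be doubled to keep
    the same security margin against collisions.
    """
    seen = {}  # truncated hash value -> first message that produced it
    for i in count():
        msg = b"constructed message %d" % i  # constructed sample input
        h = truncated_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg


def collision_work_bits(hash_bits: int) -> int:
    """Generic (birthday) collision cost, in bits of work, for an ideal hash."""
    return hash_bits // 2


if __name__ == "__main__":
    for bits in (16, 24, 32):
        a, b, tries = find_collision(bits)
        print(f"{bits}-bit hash: collision after {tries} tries "
              f"(order of 2^{bits // 2} = {2 ** (bits // 2)})")
        print(f"    {a!r} and {b!r}")
    for name, n in (("160-bit hash (RIPEMD-160, SHA-1)", 160), ("256-bit hash", 256)):
        print(f"{name}: generic collision cost about 2^{collision_work_bits(n)}")
```

The search only shows the generic bound that applies to any hash of a given length; it says nothing about structural weaknesses of a particular algorithm.
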
In recent months, reports of the discovery of collisions have provoked a
discussion about a requirement to migrate to new hash algorithms. In 2004,
results were published related to the hash functions MD4, MD5, HAVAL128,
RIPEMD, SHA-0,¹¹ and a weak variant of SHA-1 with a reduced number of passes
(see [WFLY]). In the meantime, while all of these algorithms have come to be
considered broken, and in particular are considered unsuitable for use in creating
digital signatures, a similar development for SHA-1 seems to be in store, with
uncertainty reigning while the drama runs its course. Even if reports on this
issue in February 2005, whose sensational publication seems to have been more
for serving the interests of those bearing the tidings than of the situation itself,
have not led to the outright rejection of the algorithm, the noose seems to be
tightening. However, given the worldwide use of SHA-1 and its significance for
countless applications, a panicked reaction based on vague suppositions should
be rejected.
Given the many different uses to which SHA-1 is being put, it is not very
productive to debate what measures may need to be taken before the possible
consequences of new methods of attack for individual application areas and
thereby the actions to be taken are carefully analyzed. A closer look will show
that in most cases, no rush to action is required, and instead, the measures
already taken in the mid and long terms should suffice. New hash functions will
be needed that will meet security needs for the foreseeable future, given what
is known about the newest methods of attack, and these new functions should
¹⁰ In the language of mathematics we would say that hash functions $H : M \to \mathbb{Z}_n$ that map
texts of arbitrary length to values in $\mathbb{Z}_n$ are not injective.
¹¹ This was an earlier version of SHA-1 from 1993, which in 1995 was replaced by SHA-1, which
was designed to overcome specific weaknesses.
 