Re: re-consideration of TIGER

On 18 Aug 2004, at 6:54 AM, <vedaal@xxxxxxxx> wrote:

> would it be reasonable to re-accept the non-sha based hashes, (e.g. TIGER)
> as a potential backup hash for implementations/users that may wish to
> begin doing so?

Not really, no. There are already perfectly good backup algorithms.

The reason we removed Tiger is that it hasn't been examined or used at all. None of these things apply to Tiger, and it is therefore still not well examined nor used. Going from a hash function that has been examined to one that hasn't isn't presently warranted.

SHA-1 isn't broken yet. Even the ones that have been broken haven't been broken (yet) in ways that permit signature forging. What we know now is that the functions we've been saying for close to a decade shouldn't be used really shouldn't be used.

If you're worried about SHA-1, you should move to SHA-256. Don't be scared by the fact that it's called "SHA."

If you want to do something *really* practical and good, stop using your V3 keys. (That's the editorial you, not vedaal specifically.)

I'm sitting in the hash sessions at Crypto now, and SHA-1 isn't broken. Again, if you still want to do something, start using SHA-256.