[jlcooke@certainkey.com: Re: SHA-0]

[Jean-Luc Cooke]

> --- Begin Message ---
> No it does not...we think...
>
> SHA-0 is the nick-name for the first draft of SHA put forward by NIST/NSA of
> the US Gov't.  Cryptographers got up in arms about how it had a "lazy bit" (a
> bit that does not effect the output of the hash) and how it did not have
> enough rounds.
>
> So, they named the "first" SHA SHA-0 because it wasn't good enough.  And
> SHA-1 the "first released" SHA.  SHA-1 was designed to be stronger than
> SHA-0 in at least one of the ways SHA-0 was recently exploited.
>
> Still, this is a very interesting development in the field of hash function
> cryptanalysis.  Biham should be co-presenting a paper explain how they did
> it soon.  They give allusion to a possible attack on SHA-1...but I hear it's
> still theoretical.
>
> SHA-256 is looking better.  Though SHA-1 is still strong enough, it may not
> last to its 2012 "expiry date" for vulnerabilities to collision attacks set
> by Lenstra/Verheul in (1).
>
> Cheers,
>
> JLC
>
> (1) Selecting Cryptographic Key Sizes</a> by Arjen K. Lenstra, Eric R. Verheul
>     <http://www.cacr.math.uwaterloo.ca/conferences/1999/ecc99/lenstra.doc>
>
> On Thu, Aug 12, 2004 at 11:12:03PM -0400, James Morris wrote:
> > Hi Jean-Luc,
> > 
> > I read on sci.crypt about the SHA-0 collision, do you know if this casts 
> > doubt on SHA-1?
> > 
> > - James
> > -- 
> > James Morris
> > <jmorris@xxxxxxxxxx>
> > 
>
> --- End Message ---