
If I understand what you're saying, it's that a hash defined as e.g. (with b1, b2, ... standing for blocks) H(b1, b2, b3) = H(b1) ^ H(b2) ^ H(b3) is not very secure because it allows one to recover b2 from H(b1, b2, b3), b1 and b3 in time 2^(|b2|) ("2 to the power length-of-b2"). This is obviously true, but no sensible hash function is defined in this way, and I don't think any of the SHA candidates use blocks of a size that can easily be brute-forced.



Just to put this in perspective: SHA1 has a 512 bit block. Nobody is brute-forcing 2^512. MD5 has an output size of 128 bits; nobody is brute-forcing 2^128 either.



