[Dnssec-deployment] Starting with SHA1?

Florian Weimer fweimer at bfk.de
Thu Aug 5 10:38:56 EDT 2010

* Ondřej Surý:

> f.e. if I have a RRSet 2^13 bits long (approx what .CZ has for DNSKEY
> RRSIG now) then the collision search is reduced to 2^(256/2)-(13/2),
> i.e. to 2^122.

Are you sure about the numbers?  I think 2**k is supposed to be the
block count, so you've got k=4.  And if the formulas indeed apply, you
still need 2**(256/2 - 4/2 + 4) = 2**130 invocations of the
compression function, which is more effort than the 2**128 invocations
needed for finding a collision using the birthday approach.

Also keep in mind that we don't know whether SHA-512 is indeed more
secure than SHA-256.

Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

More information about the Dnssec-deployment mailing list