Opened at 2009-03-02T21:47:31Z
Closed at 2010-02-23T04:13:48Z
#14 closed enhancement (wontfix)
Tiger hash function
| Reported by: | zooko | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Version: | 0.5.1 | Keywords: | |
| Cc: | Launchpad Bug: |
Description
It might be useful to use Crypto++'s implementation of the Tiger hash function. Tiger is more efficient than SHA-256 -- it takes about 1/3 as many cpu cycles on 64-bit machines -- and its output size is 192 bits, which is closer to what I want to put into tahoe capabilities than SHA-256's 256-bit output size. Unfortunately Tiger is more likely to be insecure than SHA-256. Florian Mendel and Vincent Rijmen have found how to generate pseudo-near-collisions in Tiger requiring about 247 invocations of the hash function, and a pseudo (free-start) collision on Tiger reduced to 23 instead of its full 24 rounds with the same complexity.
So, it is possible that in the future someone will figure out how to actually generate collisions in Tiger. On the other hand, Tiger is still safer and faster than SHA-1, which git users and a lot of other people still happily rely on...
Florian Mendel, Vincent Rijmen - "Cryptanalysis of the Tiger Hash Function" - Advances in Cryptology – ASIACRYPT 2007
https://online.tu-graz.ac.at/tug_online/voe_main2.getvolltext?pDocumentNr=81263
Attachments (1)
Change History (3)
Changed at 2009-03-02T21:49:10Z by zooko
comment:1 Changed at 2009-03-03T04:18:31Z by zooko
#6 was a duplicate of this.
comment:2 Changed at 2010-02-23T04:13:48Z by zooko
- Resolution set to wontfix
- Status changed from new to closed
Forget it! We're probably going to move to 256-bit hashes anyway. (Besides which, Tiger-192 has been shown to be dangerously weak, although still much stronger than that weakling SHA-1.)
patch (untested) to add tiger