[cabfpub] SHA-1 Collision Found

philliph at comodo.com philliph at comodo.com
Fri Feb 24 21:44:27 UTC 2017

It seems I mis-spoke on EdDSA. Curve448x uses SHAKE-256 as the internal compression function and that is a part of SHA-3. Curve25519 uses SHA-2. I thought I had lost that battle.

Now I have not read the specs deeply enough to work out if that means SHA-3 is a requirement. But just as you effectively get Blake2 for free with Cha-Cha, it means SHA-3 is going to be pulled along by Curve-X.

There are actually important security reasons to insist on only using one hash function with a particular DSA key which is why DSA has always mandated use of a particular hash function rather than the mix-n-match approach of RSA.

Also there is the issue of whether to pre-hash or not. Given that certs (and OCSP tokens) are small not pre-hashing looked like the way to go. 

> On Feb 24, 2017, at 3:37 PM, Rob Stradling via Public <public at cabforum.org> wrote:
> On 24/02/17 20:11, Adam Langley wrote:
> <snip>
>> (Although, I was just about to note that they often use OpenSSL and
>> OpenSSL surely will support SHA-3 before BLAKE2. But it appears I'm
>> wrong and OpenSSL has had BLAKE2 for nine months and still lacks SHA-3?)
> Correct.  BLAKE2 is in OpenSSL 1.1.0.  SHA-3 will be "Post 1.1.0" according to https://github.com/openssl/openssl/issues/439
> -- 
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public

More information about the Public mailing list