From: bmearns on 26 Jan 2010 10:53

Ideally, the output of a cryptographically secure hash function should be uniformly distributed, right? With regards to this property only, is there any known difference between MD5 and SHA1?

Specifically, I'm feeding relatively short strings of 7-bit ASCII text into the hash, and using the output as a password. Will one of these algorithms produce a stronger bias in the output than the other?

Note, this isn't an authentication scheme in itself; I'm not concerned directly about collisions. For instance, I don't care if somebody can find another plaintext that will produce the same digest: it's the digest itself that is the secret. So I'm only concerned if one of the functions will add a significant bias to this secret.

Thanks,
-Brian
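The question above is empirically checkable for gross bias: hash a batch of short 7-bit ASCII strings and count, per output bit position, how often that bit is set. The following example is added here and is not code from the thread; its inputs are constructed strings and the `md5`/`sha1` names are Python's `hashlib` names. A flat frequency profile only rules out an obvious per-bit skew; it says nothing about the secrecy of the digest, which is bounded by the entropy of the input string, not by the hash.

```python
import hashlib
from typing import Dict, List


def sample_inputs(n: int) -> List[bytes]:
    """Constructed sample inputs: short, deterministic 7-bit ASCII strings,
    roughly the kind of input the original post describes."""
    return [f"pw{i:05d}-{chr(97 + i % 26)}".encode("ascii") for i in range(n)]


def bit_frequencies(hash_name: str, inputs: List[bytes]) -> List[float]:
    """For every output bit position of `hash_name`, return the fraction of
    digests in which that bit is 1. A function that behaves like a PRF gives
    values close to 0.5 at every position."""
    digest_len = hashlib.new(hash_name).digest_size
    counts = [0] * (digest_len * 8)
    for data in inputs:
        digest = hashlib.new(hash_name, data).digest()
        for byte_index, byte in enumerate(digest):
            for bit in range(8):
                if (byte >> bit) & 1:
                    counts[byte_index * 8 + bit] += 1
    return [c / len(inputs) for c in counts]


def max_bias(freqs: List[float]) -> float:
    """Largest deviation of any bit position from the ideal 0.5."""
    return max(abs(f - 0.5) for f in freqs)


def compare_bias(n: int = 4000) -> Dict[str, float]:
    """Maximum per-bit bias of MD5 and SHA-1 over the same n constructed inputs.
    With n = 4000 the standard error per position is about 0.008, so anything
    beyond roughly 0.05 would be a real skew rather than sampling noise."""
    inputs = sample_inputs(n)
    return {name: max_bias(bit_frequencies(name, inputs)) for name in ("md5", "sha1")}


if __name__ == "__main__":
    for name, bias in compare_bias().items():
        print(f"{name}: max per-bit bias = {bias:.4f}")
```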
From: Tom St Denis on 26 Jan 2010 10:55

On Jan 26, 10:53 am, bmearns <mearn...(a)gmail.com> wrote:
> Ideally, the output of a cryptographically secure hash function should
> be uniformly distributed, right? With regards to this property only,
> is there any known difference between MD5 and SHA1?
>
> Specifically, I'm feeding relatively short strings of 7-bit ASCII text
> into the hash, and using the output as a password. Will one of these
> algorithms produce a stronger bias in the output than the other?
>
> Note, this isn't an authentication scheme in itself; I'm not concerned
> directly about collisions. For instance, I don't care if somebody can
> find another plaintext that will produce the same digest: it's the
> digest itself that is the secret. So I'm only concerned if one of the
> functions will add a significant bias to this secret.

Nobody knows for sure. They're both believed to be respectable PRFs in their own rights.

MD5 is computationally cheaper than SHA-1 if that helps.

Tom
From: bmearns on 26 Jan 2010 10:58

On Jan 26, 10:55 am, Tom St Denis <t...(a)iahu.ca> wrote:
> On Jan 26, 10:53 am, bmearns <mearn...(a)gmail.com> wrote:
> > Ideally, the output of a cryptographically secure hash function should
> > be uniformly distributed, right? With regards to this property only,
> > is there any known difference between MD5 and SHA1?
> >
> > Specifically, I'm feeding relatively short strings of 7-bit ASCII text
> > into the hash, and using the output as a password. Will one of these
> > algorithms produce a stronger bias in the output than the other?
> >
> > Note, this isn't an authentication scheme in itself; I'm not concerned
> > directly about collisions. For instance, I don't care if somebody can
> > find another plaintext that will produce the same digest: it's the
> > digest itself that is the secret. So I'm only concerned if one of the
> > functions will add a significant bias to this secret.
>
> Nobody knows for sure. They're both believed to be respectable PRFs
> in their own rights.
>
> MD5 is computationally cheaper than SHA-1 if that helps.
>
> Tom

Thanks a lot for the prompt response, Tom.

I get the point, but what specifically does PRF mean?

Thanks,
-Brian
From: bmearns on 26 Jan 2010 11:02

On Jan 26, 10:58 am, bmearns <mearn...(a)gmail.com> wrote:
> On Jan 26, 10:55 am, Tom St Denis <t...(a)iahu.ca> wrote:
> > On Jan 26, 10:53 am, bmearns <mearn...(a)gmail.com> wrote:
> > > Ideally, the output of a cryptographically secure hash function should
> > > be uniformly distributed, right? With regards to this property only,
> > > is there any known difference between MD5 and SHA1?
> > >
> > > Specifically, I'm feeding relatively short strings of 7-bit ASCII text
> > > into the hash, and using the output as a password. Will one of these
> > > algorithms produce a stronger bias in the output than the other?
> > >
> > > Note, this isn't an authentication scheme in itself; I'm not concerned
> > > directly about collisions. For instance, I don't care if somebody can
> > > find another plaintext that will produce the same digest: it's the
> > > digest itself that is the secret. So I'm only concerned if one of the
> > > functions will add a significant bias to this secret.
> >
> > Nobody knows for sure. They're both believed to be respectable PRFs
> > in their own rights.
> >
> > MD5 is computationally cheaper than SHA-1 if that helps.
> >
> > Tom
>
> Thanks a lot for the prompt response, Tom.
>
> I get the point, but what specifically does PRF mean?
>
> Thanks,
> -Brian

Sorry, I will google before I ask. PRF is a pseudorandom function.

-Brian
From: Tom St Denis on 26 Jan 2010 11:39

On Jan 26, 11:02 am, bmearns <mearn...(a)gmail.com> wrote:
> On Jan 26, 10:58 am, bmearns <mearn...(a)gmail.com> wrote:
> > On Jan 26, 10:55 am, Tom St Denis <t...(a)iahu.ca> wrote:
> > > On Jan 26, 10:53 am, bmearns <mearn...(a)gmail.com> wrote:
> > > > Ideally, the output of a cryptographically secure hash function should
> > > > be uniformly distributed, right? With regards to this property only,
> > > > is there any known difference between MD5 and SHA1?
> > > >
> > > > Specifically, I'm feeding relatively short strings of 7-bit ASCII text
> > > > into the hash, and using the output as a password. Will one of these
> > > > algorithms produce a stronger bias in the output than the other?
> > > >
> > > > Note, this isn't an authentication scheme in itself; I'm not concerned
> > > > directly about collisions. For instance, I don't care if somebody can
> > > > find another plaintext that will produce the same digest: it's the
> > > > digest itself that is the secret. So I'm only concerned if one of the
> > > > functions will add a significant bias to this secret.
> > >
> > > Nobody knows for sure. They're both believed to be respectable PRFs
> > > in their own rights.
> > >
> > > MD5 is computationally cheaper than SHA-1 if that helps.
> > >
> > > Tom
> >
> > Thanks a lot for the prompt response, Tom.
> >
> > I get the point, but what specifically does PRF mean?
> >
> > Thanks,
> > -Brian
>
> Sorry, I will google before I ask. PRF is a pseudorandom function.

Hehehe, I'm glad you googled at least. Yes, it stands for that.

Briefly, a PRF is a function which pseudorandomly maps an input from one domain to another. E.g. MD5 maps the binary strings of up to 2^64-1 bits in length to 128 bits. PRFs differ from PRPs (permutations) in that they're not required to be a bijection. For example, AES is a PRP since there is a 1-to-1 mapping of plaintext to ciphertext for a given key; if you consider the plaintext and key as part of the input, then AES is a PRF.

In fact, MD5 is essentially a block cipher where the message is the "key."

For your task you need to map arbitrary length strings to passwords (or do you mean cipher keys?) which means a PRF. You may wish to look at the PKCS #5 [v2] algorithm which maps a password and salt into an arbitrary length bit string. It's used by things like PKCS #8, #12 and I think #7 [iirc] for example.

Tom
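The two mappings Tom contrasts, a bare digest of a short string versus the PKCS #5 v2 derivation (PBKDF2) of an arbitrary-length bit string from a password and a salt, can be put side by side in a few lines. This example is added here and is not code from the thread; it uses Python's `hashlib.pbkdf2_hmac` with HMAC-SHA1, and the known-answer values it checks are the PBKDF2-HMAC-SHA1 vectors published in RFC 6070. The salts and passwords are constructed for illustration.

```python
import hashlib


def digest_as_secret(hash_name: str, text: str) -> bytes:
    """The scheme from the first post: hash a short ASCII string and use the
    fixed-size digest as the secret. Same input, same digest, no salt."""
    return hashlib.new(hash_name, text.encode("ascii")).digest()


def pbkdf2_secret(password: str, salt: bytes, iterations: int,
                  length: int, hash_name: str = "sha1") -> bytes:
    """PKCS #5 v2 PBKDF2 with HMAC-<hash_name>: maps (password, salt) to
    `length` bytes, which may exceed the hash's own output size."""
    return hashlib.pbkdf2_hmac(hash_name, password.encode("ascii"), salt,
                               iterations, dklen=length)


def rfc6070_vector_ok() -> bool:
    """Known-answer test: RFC 6070 vector for P="password", S="salt", c=1, dkLen=20."""
    expected = bytes.fromhex("0c60c80f961f0e71f3a9b524af6012062fe037a6")
    return pbkdf2_secret("password", b"salt", 1, 20) == expected


def prefix_property(password: str, salt: bytes, iterations: int) -> bool:
    """PBKDF2 output is T_1 || T_2 || ... truncated to dkLen, so a longer
    derivation starts with the shorter one. This is what lets it produce an
    arbitrary-length bit string from one (password, salt) pair."""
    short = pbkdf2_secret(password, salt, iterations, 20)   # one SHA-1 block
    long = pbkdf2_secret(password, salt, iterations, 48)    # spans three blocks
    return len(long) == 48 and long[:20] == short


def salt_separates_users(password: str) -> bool:
    """Constructed scenario: two users choose the same password. The bare
    digest is identical for both; PBKDF2 with per-user salts is not."""
    salt_a = b"user-a-salt-0001"   # constructed; real salts come from os.urandom
    salt_b = b"user-b-salt-0002"
    bare_same = digest_as_secret("md5", password) == digest_as_secret("md5", password)
    derived_same = (pbkdf2_secret(password, salt_a, 1000, 32)
                    == pbkdf2_secret(password, salt_b, 1000, 32))
    return bare_same and not derived_same


if __name__ == "__main__":
    print("md5 digest length :", len(digest_as_secret("md5", "password")))
    print("sha1 digest length:", len(digest_as_secret("sha1", "password")))
    print("RFC 6070 vector ok:", rfc6070_vector_ok())
    print("prefix property   :", prefix_property("password", b"salt", 1000))
    print("salt separates    :", salt_separates_users("password"))
```

The digest route gives exactly one output size per function (16 bytes for MD5, 20 for SHA-1) and the same digest for everyone who picks the same string; PBKDF2 lets you choose the output length, binds the result to a salt, and adds an iteration count that slows guessing of the short input.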