[OT] Reasons not to use multiple hash functions for "more security"
John Arbash Meinel
john at arbash-meinel.com
Sun Jan 21 20:30:42 GMT 2007
I found this slashdot post quite interesting.
It basically says that trying to use both MD5 and SHA1 as an improved
overall hash is:
1) Better than just one. If MD5 has a security of 2^64 and SHA1 has
2^80, then MD5 + SHA1 is better than 2^80
2) Much worse than a single well designed hash of the total length. So
even with (1) you end up with an additive function rather than
multiplicative. In the case of SHA1 + MD5 the complexity should be:
m*2^(n/2) + 2^(m/2)
(128)*2^(160/2) + 2^(128/2)
= 128 * 2^80 + 2^64
= 2^7 * 2^80 + 2^64
= 2^87 + 2^64
Since 2^87 >> 2^64 this is approximately 2^87.
Another way to put it is the final security is approx:
Compare that to a well designed hash of size n+m where the security
3) Summary, SHA256 is *much* more secure (with a theoretical security of
2^128 versus MD5+SHA1 @ 2^87, and it has fewer bytes (256 versus 288).
I guess it has to do with how collisions work. That once you've found a
collision, it is easy to generate many collisions. So instead of having
to solve the whole MD5 + SHA1 problem, you just solve multi-collision
MD5, and check if any of those collide in SHA1. (Or maybe you need to
do it the other way).
I mostly posted this because I thought people would find it interesting,
and because the argument had come up in the group in the past. (It even
has a journal reference to give it some credibility.)
More information about the bazaar