[tahoe-dev] nitpick about security terminology (was: Tahoe performance)
zooko
zooko at zooko.com
Thu Feb 19 15:00:16 PST 2009
On Feb 19, 2009, at 15:19 PM, Brian Warner wrote:
> the observation that a fast (but no longer cryptographically-
> secure) hash like MD4 is good enough
Nitpick: I prefer not to say that MD4 used to be secure before 1996
and then became insecure. Rather: we used to think, back in 1995,
that MD4 was secure, and in 1996 we learned that it was insecure.
Who was the first person who figured out how to generate collisions
in MD4? Was it Hans Dobbertin, who published the technique in 1996?
If so, people who were relying on the collision-resistance of MD4 in
1995, but who stopped relying on it by 1996, were in no danger. But
how do you know that Dobbertin was the first person to think of that
technique? If someone else thought of that technique in 1995, or if
Dobbertin (who worked for the German counter-eavesdropping agency)
thought of that technique before he published it, then people who
were relying on the security of MD4 in 1995 were vulnerable.
So you can't say that in 1995 MD4 was secure. It might or might not
have had the sort of security of "nobody has figured out how to break
this yet". It definitely *didn't* have the sort of security of "it
is impossible to break this".
Regards,
Zooko