On Tue, 03 Nov 2020 10:24:17 +0100, Justus Winter wrote:
> "Neal H. Walfield" neal@walfield.org writes:
>> I'm not that familiar with Nettle's API, so I don't know if the following is sufficiently idiomatic.
>> That said, we could do the following: we could add a flag to the sha1 context to indicate to the update function that it should try to detect collision attempts, we could add a few ifs to the update function to do the checks, and we could add a second function to return whether a collision was detected:
>>
>>   void sha1_check_for_collisions(struct sha1_ctx *ctx);
>>   int sha1_detected_collision(struct sha1_ctx *ctx);
>>
>> What do you think?
>
> I think hashing should be fallible. If a collision attack is detected, no digest should be produced, because the digest has none of the properties that we usually associate with a hash digest.
>
> If we come up with a new API anyway, we should make all hash functions fallible, because sooner or later, any algorithm may fall.
I think there are still cases where one may want the digest even if a collision attack was detected. So, I think it should still be possible to get the digest. But, I'd agree that most users of this function shouldn't use it. As such, I'd support making it hard to get the digest.
:) Neal