Questions about generating keys (hash firewalls)

Robert J. Hansen rjh at
Fri Aug 24 22:15:18 CEST 2007

Oskar L. wrote:
> calculators designed to show very large numbers can show the result. Now I
> compare all the hashes from one picture to all the hashes from the other.

Doing a birthday attack is highly nontrivial.  E.g., to do a birthday
attack on SHA256 requires a minimum, a _minimum_, of over 10**17 joules
to be liberated as heat.  That's about as much as you'd get from an
entire full-out strategic nuclear exchange between the US and Russia.
You're talking global climate change at that point, along with potential
mass extinction of humanity.  It's not pretty.

> Do hash firewalls have any drawbacks (performance decrease, difficult to
> implement, patent issues etc.)? What's the reason DSA doesn't have one?

Historical reasons.  Nobody ever thought DSA would be used with anything
other than SHA-1, so if there's only one approved hash function, there's
no need for a hash firewall.

DSS explicitly requires SHA-1 as a hash.

More information about the Gnupg-users mailing list