Talk:Security of cryptographic hash functions

Restructuring proposal
It seems out of place to have an article dedicated to Provably secure cryptographic hash functions when only the second half of the article discusses these functions, where as the first half discusses security of hash functions in general. Also, the first half of this article is redundant with information given in the first half of Cryptographic hash function. This article appears to be trying to discuss the security of hash functions in general in addition to providing information on "provably secure" ones. — Preceding unsigned comment added by RavelTwig (talk • contribs) 01:52, 28 January 2014
 * Both proposals seem uncontroversial. I'll do the move myself. You can feel free to also do the merge. Let me know if you need any help with this (I know nothing about the subject at hand, but I can help perform the merge). --BDD (talk) 18:34, 12 February 2014 (UTC)

Move Proposal

 * The following discussion is an archived discussion of the proposal. Please do not modify it. Subsequent comments should be made in a new section on the talk page. No further edits should be made to this section. 

The result of the proposal was moved. --BDD (talk) 18:35, 12 February 2014 (UTC)

Provably secure cryptographic hash function → Security of cryptographic hash functions – Possibly move this article to Security of cryptographic hash functions and then incorporate the content of Cryptographic hash function and Provably secure cryptographic hash function along with a section about Provably secure cryptographic hash functions. Relisted. Brown HairedGirl (talk) • (contribs) 18:07, 5 February 2014 (UTC) RavelTwig (talk) 02:11, 28 January 2014 (UTC)
 * The above discussion is preserved as an archive of the proposal. Please do not modify it. Subsequent comments should be made in a new section on this talk page. No further edits should be made to this section.

Merge Proposal
OR merge this article into a "Security" section under Cryptographic hash function and then add subsection Provably secure cryptographic hash function.

RavelTwig (talk) 02:12, 28 January 2014 (UTC)


 * Most of this article is about provably secure hash functions. If we remove the section on cryptographic hash functions then the article can be suitably renamed "Provably secure hash function". The comparison to cryptographic hash functions is made in the lead section, so nothing is lost. Nxavar (talk) 09:52, 5 June 2014 (UTC)

Second paragraph
Just a few thoughts.

"In the second category are functions that are not based on mathematical problems but on an ad hoc basis, where the bits of the message are mixed to produce the hash. They are then believed to be hard to break, but no such formal proof is given. Almost all widely spread hash functions fall in this category. Some of these functions are already broken and are no longer in use."

Seems to imply that the "second category of functions" algorithms necessarily 'mixes the bits or a message', and what does that even mean? Also, "some of these functions are already broken and are no longer in use", could be elaborated on or perhaps have its own subsection in the article.

"The Meaning of Hard" section seems out of place
"The Meaning of Hard" section doesn't seem to fit well in the immediate section it is in. But my primary concern is that it doesn't make a clear distinction between the hash size and the key size used in public key systems.

> However, non-existence of a polynomial time algorithm does not automatically ensure that the system is secure. The difficulty of a problem also depends on its size. For example, RSA public key cryptography relies on the difficulty of integer factorization. However, it is considered secure only with keys that are at least 1024 bits large.

In this case, 1024 bits is the key size of the RSA key, and has nothing to do with the "modified hash" that the RSA algorithm encrypts with the public key. I'm assuming the length of the hash is relevant to how "hard" it is to bruteforce, but isn't even mentioned. Anyone who reads that section and isn't already familiar with public key cryptography is going to misunderstand the information; I can't tell if the section needs a rewrite, or if it should be removed entirely.

IQAndreas (talk) 03:05, 9 July 2016 (UTC)

PSPACE-complete?!
The text says that finding a collision in a particular hash function "is supposed to be hard, at least PSPACE-complete." But, this can't be true unless NP = PSPACE, since finding a collision is trivially in NP. Right?! — Preceding unsigned comment added by NoahSD (talk • contribs) 18:17, 9 January 2019 (UTC)

Parts of the article need to be rewritten
As a computer scientist with knowledge of complexity theory but not of cryptographic hashing I am a bit puzzled about what is being said in the article.

As far as I can understand, the article seems to say that commonly used cryptographic hash functions are "hard" only in the sense that nobody seems to have figured out to "break" them (whatever notion of "breaking" is being used.) This seems like a very weak form of "hardness".

Then, there are other cryptographic hash functions, that are "hard" in the complexity theory sense, e.g. NP-hard, so that breaking seems unlikely given that no NP-hard problem has a polynomial time solution algorithm.

However, also this latter hardness is not very strong: very large instances of NP-hard problems are solved, as not all instances of NP-hard problems are at all difficult to solve. There are large classes of instances from any NP-hard problem that can be solved in linear time: they are trivial.

To have a convincing proof of hardness also in the complexity theory sense, one would need to somehow tie the hardness to some empirically hard class of instances of an NP-hard problem.