SHA-1 collisions now at 2^{52}?
Greg Rose
ggr at qualcomm.com
Thu Apr 30 22:54:43 EDT 2009
On 2009 Apr 30, at 4:31 , Perry E. Metzger wrote:
>
> Eric Rescorla <ekr at networkresonance.com> writes:
>> McDonald, Hawkes and Pieprzyk claim that they have reduced the
>> collision
>> strength of SHA-1 to 2^{52}.
>>
>> Slides here:
>> http://eurocrypt2009rump.cr.yp.to/
>> 837a0a8086fa6ca714249409ddfae43d.pdf
>>
>> Thanks to Paul Hoffman for pointing me to this.
>
> This is a very important result. The need to transition from SHA-1
> is no
> longer theoretical.
It already wasn't theoretical... if you know what I mean. The writing
has been on the wall since Wang's attacks four years ago.
BTW, it is my (our) opinion that the current attacks can't be extended
to the SHA-2 family, due to the avalanche effect in the data
expansion, which is significantly different to the designs of its
ancestors. SHA-2 would need a new breakthrough.
Greg.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list