SHA-1 collisions now at 2^{52}?

Jon Callas jon at
Thu Apr 30 20:44:53 EDT 2009

On Apr 30, 2009, at 4:31 PM, Perry E. Metzger wrote:

> Eric Rescorla <ekr at> writes:
>> McDonald, Hawkes and Pieprzyk claim that they have reduced the collision
>> strength of SHA-1 to 2^{52}.
>> Slides here:
>> 837a0a8086fa6ca714249409ddfae43d.pdf
>> Thanks to Paul Hoffman for pointing me to this.
> This is a very important result. The need to transition from SHA-1 is no
> longer theoretical.

Let me make a couple of comments, one from each side of my mouth.

* I would like to see an implementation of this result, producing a
collision. 2^52 is a nice number, but it needs a scale. I'm not
worried about 2^52 years. Or even seconds. I say this solely because I
expected a practical 2^63 collision by now, and have been wondering
about what the scale of that 2^63 is. I would like to see an

* What do you mean by "no longer theoretical"? The accepted wisdom on  
80-bit security (which includes SHA-1, 1024-bit RSA and DSA keys, and  
other things) is that it is to be retired by the end of 2010. The end  
of 2010 fast approacheth. If you include into development time some  
reasonable level of market adoption, one might convincingly argue that  
the end of SHA-1 ought to be shipping this summer, or certainly in the  
fall, and no later than the *start* of 2010. The need to transition  
from SHA-1 is apparent and manifest. New results merely confirm  
conventional wisdom.

