SHA-1 collisions now at 2^{52}?
Jon Callas
jon at callas.org
Thu Apr 30 20:44:53 EDT 2009
On Apr 30, 2009, at 4:31 PM, Perry E. Metzger wrote:
>
> Eric Rescorla <ekr at networkresonance.com> writes:
>> McDonald, Hawkes and Pieprzyk claim that they have reduced the
>> collision strength of SHA-1 to 2^{52}.
>>
>> Slides here:
>> http://eurocrypt2009rump.cr.yp.to/837a0a8086fa6ca714249409ddfae43d.pdf
>>
>> Thanks to Paul Hoffman for pointing me to this.
>
> This is a very important result. The need to transition from SHA-1
> is no longer theoretical.
Let me make a couple of comments, one from each side of my mouth.
* I would like to see an implementation of this result, producing a
collision. 2^52 is a nice number, but it needs a scale. I'm not
worried about 2^52 years. Or even seconds. I say this solely because I
expected a practical 2^63 collision by now, and have been wondering
about what the scale of that 2^63 is. I would like to see an
implementation.
* What do you mean by "no longer theoretical"? The accepted wisdom on
80-bit security (which includes SHA-1, 1024-bit RSA and DSA keys, and
other things) is that it is to be retired by the end of 2010. The end
of 2010 fast approacheth. If you include into development time some
reasonable level of market adoption, one might convincingly argue that
the end of SHA-1 ought to be shipping this summer, or certainly in the
fall, and no later than the *start* of 2010. The need to transition
from SHA-1 is apparent and manifest. New results merely confirm
conventional wisdom.
Jon
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com