SHA-1 in 2**52

Hal Finney hal at finney.org
Tue Jun 16 13:55:44 EDT 2009


> Differential Path for SHA-1 with complexity O(2**52)
> Cameron McDonald, Philip Hawkes, and Josef Pieprzyk
> Macquarie University
>
> http://eprint.iacr.org/2009/259.pdf

I wonder now with this new improved differential path if any distributed
computations may be forming to finally create a SHA-1 collision? (I have
a small side bet resting on the outcome...)

I checked http://boinc.iaik.tugraz.at/ this morning, a distributed SHA-1
collision search whichhad been going on since 2007 based on a method
with an estimated cost of 2^60+. However I see that the project page
announces that the effort has been suspended as of May 12, 2009 "due
to lack of progress". I wonder if the suspension may also be related to
this new method, reports of which had begun to leak out by that time.

2^52 work should lower the bar substantially, although it would still
be a major task for a single organization. It would be great if the
authors of the improved path could be the ones to announce a collision,
but it sounds like they are more theoretically than practically oriented:

"We believe that practical collisions are now within reach of a dedicated
system. We are continuing our search for more differential paths with
a maximum number of auxiliary paths."

(Rather than, "we are abandoning our search for more differential paths
and working to try to find a real collision using this one." ;)

Hal Finney

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list