[Cryptography] Collisions w/SHA-1 ~$100,000 TODAY
ianG
iang at iang.org
Sat Oct 10 14:14:08 EDT 2015
On 10/10/2015 17:41 pm, Scott Elcomb wrote:
> On Sat, Oct 10, 2015 at 11:40 AM, ianG <iang at iang.org> wrote:
>> Can anyone provide a pointy-eared boss description of what a *freestart*
>> collision is?
>
> The closest I've found is "A freestart collision is a collision where
> the attacker can choose the initialisation vector."
>
>
> Source: <http://crypto.stackexchange.com/a/29696>
>
> In the Damgard-Merkle construction for hash functions the compression
> function takes as input:
>
> * a message block and
> * a chaining value.
>
> For the very first block there is not previous "chaining value".
> Instead a particular value, called an initialisation vector (IV) is
> given.
>
> A freestart collision is a collision where the attacker can choose the IV.
Thanks to Scott and Philipp for (almost identical) answers. That I
understand.
I guess the next question would be, how long we expect the freestart
limitation to last as a meaningful barrier to full SHA1 collision attacks.
It is fascinating to watch. 11 years after the Shandong Hashquake, SHA1
is still saying "I'm not dead yet!"
iang
More information about the cryptography
mailing list