[Cryptography] hash size
Bill Cox
waywardgeek at gmail.com
Sat Nov 3 14:16:53 EDT 2018
On Thu, Nov 1, 2018 at 3:57 PM Kristian Gjøsteen <kristian.gjosteen at ntnu.no>
wrote:
> 31. okt. 2018 kl. 23:03 skrev jamesd at echeque.com:
> > Launching a birthday attack on a 128 bit hash would involve generating
> 2^64 hashes and sorting them.
>
> Does it? Pollard’s lambda certainly does not. I believe it can be made
> parallel with the usual techniques. That is, you can find collisions with
> little communication and insignificant storage.
>
> Parallel Pollard Rho works in ~2^64 time, and has trivial memory and
communication overhead. A recent paper about this algorithm that was
invented in 1994:
https://www.semanticscholar.org/paper/Parallel-hash-collision-search-by-Rho-method-with-Weber-Zhang/a953b65f6feb9dae15f5cb0d9458579836a1199e
128-bit is simply not collision resistant for any modern efficiently
computed hash. If you don't care about collisions, sha1 still is secure.
There are already collisions for SHA1
<https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html>.
Generating the collision took ~2^63 SHA1 computations. Google did it for
fun (well... really to make the point that SHA1 is insecure).
Bill
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20181103/42ce3d26/attachment.html>
More information about the cryptography
mailing list