Daniel Franke wrote:
> Jon Callas <jon@xxxxxxxxxx> writes:
>
>> Adi Shamir has pointed out for years now that no one has found *any*
>> first or second preimage collision for SHA1. I'll shill for him here.
>>
>> The new results for 2^52 work, assuming it's actually doable, are
>> still for migrating a bitstring into two dependent bitstrings that
>> collide. This has significance for people who run CAs with sequential
>> serial numbers, or who want to tweak PDFs to project the future, or
>> create binary distributions that have and do not have malware. It's
>> serious *for* *those* *and* *similar* *cases*.
>
> I think you mean "no one has found any first or second preimage
> *attacks* for SHA-1". To the best of my knowledge, nobody has found any
> SHA-1 collisions at all, either chosen or otherwise. The 2^52 result is
> still theoretical, because while 2^52 hash operations is tractable for a
> WFO, it's still a formidable amount of work, and Cameron McDonald is not
> a WFO.

Just to give you some perspective on what WFO means in this day and age:
my cryptography lab at the University has just built and tested a DES
cracker that cost us less than €20000 EUR. It iterates through the
56-bit key space in about one week. We are considering using it for
finding a SHA1 collision using these new results. But, as noted above,
this would be a collision where both pre-images are carefully chosen by
the attacker.

--
Daniel
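The distinction the thread turns on, a collision (the attacker chooses both inputs) versus a preimage or second preimage (one side is fixed by the victim), is easiest to see by measuring the work each search costs against a deliberately shortened hash. The script below is an added illustration, not code from the thread or from any of the people quoted in it; it truncates SHA-1 to a small number of leading bits (an assumption made purely so the searches finish in seconds) and counts hash evaluations for each kind of search. The message prefixes, the bit width and the "document" strings are constructed sample values. The point for a defender is the one the post makes: a cheap collision does not let anyone forge a signature over a document they did not author, because that would require a second preimage, whose generic cost stays at 2^n rather than 2^(n/2).

```python
import hashlib


def truncated_sha1(msg: bytes, bits: int) -> int:
    """Leading `bits` bits of SHA-1(msg), as an integer.

    A toy-sized stand-in for the full 160-bit digest so that brute-force
    searches finish quickly; `bits` is an assumption of this example.
    """
    full = int.from_bytes(hashlib.sha1(msg).digest(), "big")
    return full >> (160 - bits)


def generic_bounds(bits: int) -> tuple[int, int]:
    """Expected work for a generic attacker with no cryptanalytic shortcut:
    (birthday collision ~ 2^(n/2), preimage / second preimage ~ 2^n)."""
    return 2 ** (bits // 2), 2 ** bits


def find_collision(bits: int, prefix: bytes = b"msg-") -> tuple[bytes, bytes, int]:
    """Birthday search: any two distinct messages with equal truncated hashes.
    Both inputs are chosen by the searcher, which is what makes it cheap.
    Returns (m1, m2, hash_evaluations)."""
    seen: dict[int, bytes] = {}
    i = 0
    while True:
        m = prefix + str(i).encode()
        h = truncated_sha1(m, bits)
        if h in seen:
            # pigeonhole: guaranteed within 2^bits + 1 evaluations
            return seen[h], m, i + 1
        seen[h] = m
        i += 1


def find_preimage(bits: int, target: int, prefix: bytes = b"pre-") -> tuple[bytes, int]:
    """First preimage: find any message hashing to a hash value fixed in advance.
    Returns (message, hash_evaluations)."""
    i = 0
    while True:
        m = prefix + str(i).encode()
        i += 1
        if truncated_sha1(m, bits) == target:
            return m, i


def find_second_preimage(bits: int, given: bytes, prefix: bytes = b"2nd-") -> tuple[bytes, int]:
    """Second preimage: given a message the victim already signed, find a
    different message with the same truncated hash. This is what forging a
    signature over an existing document would require.
    Returns (message, hash_evaluations)."""
    target = truncated_sha1(given, bits)
    i = 0
    while True:
        m = prefix + str(i).encode()
        i += 1
        if m != given and truncated_sha1(m, bits) == target:
            return m, i


if __name__ == "__main__":
    BITS = 18  # constructed toy width; SHA-1 proper is 160 bits
    print("generic bounds (collision, preimage) at %d bits:" % BITS, generic_bounds(BITS))
    print("generic bounds at 160 bits:", generic_bounds(160))

    a, b, n_coll = find_collision(BITS)
    print("collision after %d evaluations: %r vs %r" % (n_coll, a, b))

    fixed_target = truncated_sha1(b"hash published by the victim", BITS)  # constructed
    m, n_pre = find_preimage(BITS, fixed_target)
    print("preimage after %d evaluations: %r" % (n_pre, m))

    original = b"original signed document"  # constructed
    m2, n_second = find_second_preimage(BITS, original)
    print("second preimage after %d evaluations: %r" % (n_second, m2))
```

Running it with the 18-bit truncation typically shows the collision landing after a few hundred evaluations while the preimage and second-preimage searches need on the order of 2^18; the ratio only widens as the width grows, which is why the 2^52 collision result discussed above says nothing about the 2^160 cost of attacking a hash someone else has already committed to.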