Google today announced they are sunsetting SHA-1. It's fine by me. But that made me realize I am not keeping up with the research on SHA-1. The Wikipedia page only says Stevens' attack is the most efficient, but it's also on a reduced-round SHA-1 - not the SHA-1 with the full rounds. So is there no theoretical attack on SHA-1, or is the one I referred to above enough for it to be considered vulnerable? Are there others?
2 Answers
The cost of finding a collision for SHA-1 is currently estimated as $2^{61}$ SHA-1 calls. To understand how much (or how little) it is, we could look at Bitcoin mining. Right now (September 2014) the entire mining network computes 200,000,000 giga-double-hashes of SHA-256 per second, or $2^{61}$ hashes in three seconds.
Stevens' attack is on full SHA-1, not a reduced round variant. The differentials are on only part of the rounds, but the attack itself extends to the full algorithm. However, the attack (pdf of full paper) described as "fully working" in the slides you link has still not been used to demonstrate actual collisions, so it's indeed theoretical.
Additionally, even without the attack, it might be time to get rid of SHA-1 in situations where collision attacks are possible. 80 bits of brute force is probably feasible for a very dedicated attacker, either now or in the near future.
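The "80 bits of brute force" figure in this answer is the generic birthday bound: for any n-bit hash, a collision is expected after roughly $\sqrt{\pi/2}\cdot 2^{n/2}$ evaluations, with no weakness in the function required. The following script is an added illustration, not code from either answer: it runs a birthday search against SHA-1 truncated to a small number of bits (a constructed toy target so it finishes in seconds), reports how many evaluations it took, and computes the same bound for the full 160-bit output. The truncation width, the message format (an 8-byte counter) and the helper names are all choices made here.

```python
import hashlib
import math


def truncated_sha1(data: bytes, bits: int) -> int:
    """Return the leading `bits` bits of SHA-1(data) as an integer.

    Truncation is only a way to get a toy target that a laptop can
    collide; the full 160-bit output is what the 2^80 figure refers to.
    """
    digest = hashlib.sha1(data).digest()
    return int.from_bytes(digest, "big") >> (160 - bits)


def expected_birthday_trials(bits: int) -> float:
    """Expected number of hash evaluations before the first collision
    among uniformly random outputs of `bits` bits: sqrt(pi/2 * 2^bits)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def birthday_collision(bits: int, prefix: bytes = b"msg-") -> tuple[int, bytes, bytes]:
    """Generic birthday search on the truncated hash.

    Messages are `prefix` followed by an 8-byte big-endian counter, so the
    search is deterministic. Returns (trials, m1, m2) where m1 != m2 and
    truncated_sha1(m1, bits) == truncated_sha1(m2, bits).
    """
    seen: dict[int, bytes] = {}
    trials = 0
    while True:
        msg = prefix + trials.to_bytes(8, "big")
        trials += 1
        h = truncated_sha1(msg, bits)
        if h in seen:
            return trials, seen[h], msg
        seen[h] = msg


if __name__ == "__main__":
    bits = 32
    trials, m1, m2 = birthday_collision(bits)
    print(f"{bits}-bit truncated SHA-1: collision after {trials} evaluations "
          f"(expected ~{expected_birthday_trials(bits):.0f})")
    print(f"  {m1.hex()} and {m2.hex()} share prefix {truncated_sha1(m1, bits):#x}")
    # The same bound for full SHA-1: log2 of the expected work is ~80.3,
    # which is the "80 bits of brute force" from the answer above.
    print(f"full SHA-1 (160 bits): ~2^{math.log2(expected_birthday_trials(160)):.1f} evaluations")
```

Running it with 32-bit truncation typically finishes after tens of thousands of SHA-1 calls, close to the $\sqrt{\pi/2}\cdot 2^{16}\approx 82{,}000$ the formula predicts; raising `bits` by two roughly doubles the work, which is the scaling that makes a 160-bit output cost about $2^{80}$. The memory held in `seen` grows with the number of trials, so a real attacker would use a memoryless cycle-finding variant, but the evaluation count is the same order.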