52

Is there a known pair of distinct bit strings (A,B) such that SHA-1(A) == SHA-1(B)?

If the answer is no, then how can SHA-1 be considered broken?

yyyyyyy
Andrew Tomazos

2 Answers

50

We call a primitive broken if there is any attack faster than brute force/what we expect of an ideal primitive. Broken does not mean that there are practical attacks.

Even when there were no known collisions in SHA-1, we still called collision resistance of SHA-1 broken, because there is a theoretical attack that can find collisions using fewer than $2^{80}$ calls to SHA-1.

In particular, an $n$-bit hash function should have at least the following properties:

  1. $2^n$ pre-image resistance (both first and second pre-image)
    The generic attack is simply trying inputs until one fits the hash
  2. $2^{n/2}$ collision resistance
    The generic attack is generating inputs, and comparing their hashes against each other. The birthday problem tells you that once you have about $2^{n/2}$ different values, two of them will likely be the same. In the case of SHA-1 this means that finding a collision takes about $2^{80}$ operations.

A function getting broken often only means that we should start migrating to other, stronger functions, and not that there is practical danger yet. Attacks only get stronger, so it's a good idea to consider alternatives once the first cracks begin to appear.

CodesInChaos
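The two generic attacks listed in the answer above, run against SHA-1 truncated to $n$ bits so that the gap between $2^{n/2}$ and $2^n$ work is small enough to observe directly. This is an added example, not part of the original answers; the truncation to a toy $n$-bit hash, the function names and the message format are assumptions made for illustration.

```python
import hashlib
import itertools

def truncated_sha1(data: bytes, n_bits: int) -> int:
    """Top n_bits of SHA-1(data) as an integer: a toy n-bit hash (assumption)."""
    digest = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return digest >> (160 - n_bits)

def birthday_collision(n_bits: int):
    """Generic collision search: hash distinct inputs and compare them against
    each other. Expected cost is on the order of 2^(n/2) hash calls.
    Returns (msg_a, msg_b, attempts)."""
    seen = {}
    for i in itertools.count():
        msg = b"msg-%d" % i          # constructed, distinct inputs
        h = truncated_sha1(msg, n_bits)
        if h in seen:
            return seen[h], msg, i + 1
        seen[h] = msg

def second_preimage(target: bytes, n_bits: int, max_tries: int):
    """Generic second pre-image search: try inputs until one fits the hash
    of `target`. Expected cost is on the order of 2^n hash calls.
    Returns (msg, attempts), or (None, max_tries) if the budget runs out."""
    want = truncated_sha1(target, n_bits)
    for i in range(max_tries):
        msg = b"try-%d" % i
        if msg != target and truncated_sha1(msg, n_bits) == want:
            return msg, i + 1
    return None, max_tries

if __name__ == "__main__":
    for n in (16, 24, 32):
        a, b, tries = birthday_collision(n)
        print(f"n={n}: collision {a!r} / {b!r} after {tries} hashes "
              f"(2^(n/2) = {2 ** (n // 2)})")
    msg, tries = second_preimage(b"target", 16, 2 ** 20)
    print(f"n=16: second pre-image {msg!r} after {tries} hashes (2^n = {2 ** 16})")
```

Neither search uses any structural property of SHA-1, which is why they set the baseline: an attack counts as a break only when it beats these costs at the full 160 bits.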
13

Yes, it is considered broken since a SHA-1 collision has been found. On 23 February 2017, Google announced the first public SHA-1 collision using the SHAttered attack (100k faster than the brute force attack). The collision was demonstrated on two different PDF files. Therefore it is considered broken.

a cryptographic SHA-1 hash collision on PDF files

See also:

kenorb