5

The Google collision website shattered.it refers to a collision detector: https://github.com/cr-marcstevens/sha1collisiondetection.

It claims a false positive rate of $2^{-90}$ and to take less than twice the time of regular SHA-1. But the counter-cryptanalysis paper mentions that the false positive rate is $C \cdot 2^{-160}$ and it takes $C+1$ times longer than regular SHA-1 - and they suggest using $C=14$.

What am I missing? How many triplets does the detector use? Is there another paper explaining a more advanced technique that explains the performance?

Maarten Bodewes
Meir Maor

1 Answer

4

One trick used by the collision detector you mention is to check for "unavoidable conditions", described in the paper here: http://oai.cwi.nl/oai/asset/23932/23932A.pdf

Essentially, the unavoidable conditions are a faster check, but may have false positives. If a given block meets these conditions, the detector then runs the full check. Per the paper above, the total cost of doing this is only 1.96 times the regular SHA-1 runtime.