Daniel Franke wrote:
Jon Callas <jon(_at_)callas(_dot_)org> writes:
Adi Shamir has pointed out for years now that no one has found *any*
first or second preimage collision for SHA1. I'll shill for him here.
The new results for 2^52 work, assuming it's actually doable, are
still for migrating a bitstring into two dependent bitstrings that
collide. This has significance for people who run CAs with sequential
serial numbers, or who want to tweak PDFs to project the future, or
create binary distributions that have and do not have malware. It's
serious *for* *those* *and* *similar* *cases*.

I think you mean "no one has found any first or second preimage
*attacks* for SHA-1". To the best of my knowledge, nobody has found any
SHA-1 collisions at all, either chosen or otherwise. The 2^52 result is
still theoretical, because while 2^52 hash operations is tractable for a
WFO, it's still a formidable amount of work, and Cameron McDonald is not

Just to give you some perspective on what WFO means in this day and age: my
cryptography lab at the University has just built and tested a DES cracker that
cost us less than €20000 EUR. It iterates through the 56-bit key space in about
We are considering using it for finding a SHA1 collision using these new
results. But, as noted above, this would be a collision where both pre-images
are carefully chosen by the attacker.