[193884] in North American Network Operators' Group
Re: SHA1 collisions proven possisble
daemon@ATHENA.MIT.EDU (James DeVincentis via NANOG)
Wed Mar 1 22:52:41 2017
X-Original-To: nanog@nanog.org
In-Reply-To: <58B79494.6080909@foobar.org>
Date: Wed, 1 Mar 2017 21:50:32 -0600
To: Nick Hilliard <nick@foobar.org>
From: James DeVincentis via NANOG <nanog@nanog.org>
Reply-To: James DeVincentis <james.d@hexhost.net>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
I like the footnote they attached specifically for SHA1.
"[3] Google spent 6500 CPU years and 110 GPU years to convince everyone we need to stop using SHA-1 for security critical applications. Also because it was cool."
It’s also not preimage. This isn’t even a FIRST preimage attack. That table needs an additional field type: “First non-preimage deliberately crafted collision created”.
However, it proves a theory that maybe with some refining *could* turn into a preimage attack.
Realistically any hash function *will* have collisions when two items are specifically crafted to collide after expending insane amounts of computing power, money, and… I wonder how much in power they burned for this little stunt.
> On Mar 1, 2017, at 9:42 PM, Nick Hilliard <nick@foobar.org> wrote:
>
> James DeVincentis via NANOG wrote:
>> On top of that, the calculations they did were for a stupidly simple
>> document modification in a type of document where hiding extraneous
>> data is easy. This will get exponentially computationally more
>> expensive the more data you want to mask. It took nine quintillion
>> computations in order to mask a background color change in a PDF.
>>
>> And again, the main counter-point is being missed. Both the good and
>> bad documents have to be brute forced which largely defeats the
>> purpose. Those numbers of computing hours are a brute force. It may
>> be a simplified brute force, but still a brute force.
>>
>> The hype being generated is causing management at many places to cry
>> exactly what Google wanted, “Wolf! Wolf!”.
>
> The Reaction state table described in
> https://valerieaurora.org/hash.html appears to be entertainingly accurate.
>
> Nick
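The thread above turns on the difference between a collision (attacker picks both documents, as in the SHAttered PDFs, reported at about 2^63.1 SHA-1 computations) and a preimage (attacker must match the hash of a document someone else fixed). The following is an added example written for this archive page; it is not code from the thread, from Google, or from the SHAttered authors. It runs both searches against SHA-1 truncated to a small number of leading bits so they finish in seconds; the truncation widths, the `msg-`/`try-` prefixes and the "constructed original document" input are assumptions chosen for the demo. The point it shows is the cost ratio: a birthday-style collision needs roughly 2^(bits/2) evaluations, a second preimage roughly 2^bits, which is why a collision on truncated-32-bit SHA-1 is cheap while a 32-bit second preimage is not.

```python
import hashlib
from typing import Dict, Tuple


def truncated_sha1(data: bytes, bits: int) -> int:
    """Return the leading `bits` bits of SHA-1(data) as an integer.

    Truncating the digest is what makes the searches below finish on a
    laptop; the ratio between the two costs is the lesson, not the numbers.
    """
    if not 1 <= bits <= 160:
        raise ValueError("bits must be between 1 and 160")
    digest = hashlib.sha1(data).digest()
    return int.from_bytes(digest, "big") >> (160 - bits)


def find_collision(bits: int, prefix: bytes = b"msg-") -> Tuple[bytes, bytes, int]:
    """Birthday-style collision search over the truncated hash.

    The attacker chooses BOTH messages, so any repeat among the values seen
    so far is a win. Expected work is about 2**(bits/2) evaluations.
    Returns (message_a, message_b, evaluations_used). The counter-based
    messages are constructed inputs for the demo.
    """
    seen: Dict[int, bytes] = {}
    counter = 0
    while True:
        msg = prefix + str(counter).encode()
        h = truncated_sha1(msg, bits)
        if h in seen:
            return seen[h], msg, counter + 1
        seen[h] = msg
        counter += 1


def find_second_preimage(original: bytes, bits: int,
                         prefix: bytes = b"try-") -> Tuple[bytes, int]:
    """Second-preimage search: hit the FIXED hash of a document the attacker
    did not get to choose. Expected work is about 2**bits evaluations, the
    square of the collision cost. Returns (forged_message, evaluations_used).
    """
    target = truncated_sha1(original, bits)
    counter = 0
    while True:
        msg = prefix + str(counter).encode()
        if msg != original and truncated_sha1(msg, bits) == target:
            return msg, counter + 1
        counter += 1


if __name__ == "__main__":
    # 32-bit collision: ~1e5 evaluations. A 32-bit second preimage would
    # need ~4e9, so the preimage demo uses 20 bits (~1e6) instead.
    a, b, n = find_collision(32)
    print(f"collision after {n} evaluations: {a!r} and {b!r} share "
          f"truncated hash {truncated_sha1(a, 32):#010x}")
    original = b"constructed original document"  # assumed victim document
    forged, k = find_second_preimage(original, 20)
    print(f"second preimage (20 bits) after {k} evaluations: {forged!r}")
```

On the full 160-bit SHA-1 the same arithmetic gives about 2^80 for a generic birthday collision (SHAttered's 2^63.1 is the cryptanalytic improvement on that) versus 2^160 for a generic preimage; no published attack brings the preimage side anywhere near feasible, which is the distinction the message draws between "collision" and "preimage" in the state table.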