----- Original Message -----
From: "Joseph Ashwood"
Sent: Friday, February 18, 2005 3:11 AM
[the attack is reasonable]
Reading through the summary I found a bit of information that means my
estimates of workload have to be re-evaluated. Page 1: "Based on our
estimation, we expect that real collisions of SHA1 reduced to 70-steps can
be found using today's supercomputers." This is a very important statement
for estimating the real workload. Assuming there is an implicit "in one
year" in there, and assuming BlueGene (Top 500 list slot 1), this represents
22937.6 GHz*years, or slightly over 2^69 clock cycles. I am obviously still
using gigahertz because the information gives us nothing better to work from.
This clearly indicates that the operations used for the workload span
multiple processor clocks, and performing a gross estimation based on pure
guesswork, I'm guessing that my numbers are actually off by a factor of
between 50 and 500. This factor will likely work cleanly in either adjusting
the timeframe or production cost.
My suggestion, though, to make a switch away from SHA-1 as soon as reasonable,
and to prepare to switch hashes very quickly in the future, remains the same:
the march of processor progress is not going to halt, and the advance of
cryptographic attacks will not halt, which will inevitably squeeze SHA-1 to
broken. I would actually argue that the 2^80 strength it should have is
enough to begin its retirement; 2^80 has been "strong enough" for a decade
in spite of the march of technology. Under the processor speed enhancements
that have happened over the last decade we should have increased the
key length already to accommodate for dual core chips running at 20 times the
speed, for a total of 40 times the prior speed (I was going to use SPEC data
for a better calculation but I couldn't immediately find specs for a Pentium
Pro 200), by adding at least 5 bits, preferably 8, to our necessary protection
profile.
Joe
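The back-of-the-envelope arithmetic in the message above, written out as an added example (not part of the original post): it converts a GHz*years compute budget into clock cycles and a log2 work exponent, shows how a 50x-500x per-operation cost factor shifts that exponent, and turns a hardware speedup into the number of extra bits of security margin it consumes. A Julian year (365.25 days) and a one-year attack window are assumed, as the message does.

```python
import math

# Assumption: a Julian year; the message implies a one-year attack window.
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def ghz_years_to_cycles(ghz_years: float) -> float:
    """Raw clock cycles available from a budget expressed in GHz*years."""
    return ghz_years * 1e9 * SECONDS_PER_YEAR


def work_exponent(ghz_years: float) -> float:
    """log2 of the cycle budget, i.e. the '2^n clock cycles' figure."""
    return math.log2(ghz_years_to_cycles(ghz_years))


def correction_bits(cycles_per_op: float) -> float:
    """Extra bits of work when each attack operation costs this many clocks.

    A factor of 50..500 between 'operations' and 'clock cycles' is the
    same as adding log2(50)..log2(500) to the work exponent.
    """
    return math.log2(cycles_per_op)


def speedup_bits(cores: int, clock_ratio: float) -> float:
    """Bits of security margin eaten by a hardware speedup.

    Two cores at 20x the old clock give a 40x speedup, so a key or hash
    length must grow by log2(40) bits just to stand still.
    """
    return math.log2(cores * clock_ratio)


if __name__ == "__main__":
    # BlueGene for one year, as quoted in the message (constructed run).
    budget = 22937.6
    print(f"{budget} GHz*years = 2^{work_exponent(budget):.2f} cycles")
    for factor in (50, 500):
        print(f"x{factor} per op -> +{correction_bits(factor):.2f} bits")
    print(f"2 cores at 20x -> +{speedup_bits(2, 20):.2f} bits needed")
```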