SHA1 broken?

Werner Koch wk at
Wed Feb 16 10:54:35 PST 2005

On Wed, 16 Feb 2005 11:57:36 -0500, David Shaw said:

> Yes it is.  Assuming this is true, we must start migrating away from
> SHA-1.  Actually, we should start this anyway - even the NIST
> recommends moving away from SHA-1 for long-term security.

The real problem with the breakthrough is, that it seems that they
have developed a new cryptoanalytical method and that might pave the
way for further improvements.  Over the last 2 decades the art of
cryptoanalysis has changed dramatically in the area of symmetric
ciphers.  This will probably also happen to hash algorithms now.

There is however a huge problem replace SHA-1 by something else from
now to tomorrow: Other algorithms are not as well anaylyzed and
compared against SHA-1 as for example AES to DES are; so there is no
immediate successor of SHA-1 of whom we can be sure to withstand the
possible new techniques.  Second, SHA-1 is tightly integrated in many
protocols without a fallback algorithms (OpenPGP: fingerprints, MDC,
default signature algorithm and more).



Gnupg-users mailing list
Gnupg-users at

--- end forwarded text

R. A. Hettinga <mailto: rah at>
The Internet Bearer Underwriting Corporation <>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

More information about the cypherpunks-legacy mailing list