SHA1 broken?

Joseph Ashwood ashwood at msn.com
Fri Feb 18 22:46:34 PST 2005


----- Original Message ----- 
From: "Joseph Ashwood" <ashwood at msn.com>
Sent: Friday, February 18, 2005 3:11 AM

[the attack is reasonable]

Reading through the summary I found a bit of information that means my 
estimates of workload have to be re-evaluated. Page 1 "Based on our 
estimation, we expect that real collisions of SHA1 reduced to 70-steps can 
be found using today's supercomputers." This is a very important statement 
for estimating the real workload, assuming there is an implicit "in one 
year" in there, and assuming BlueGene (Top 500 list slot 1) this represents 
22937.6 GHz*years, or slightly over 2^69 clock cycles, I am obviously still 
using gigahertz because information gives us nothing better to work from. 
This clearly indicates that the operations used for the workload span 
multiple processor clocks, and performing a gross estimation based on pure 
guesswork I'm guessing that my numbers are actually off by a factor of 
between 50 and 500, this factor will likely work cleanly in either adjusting 
the timeframe or production cost.

My suggestion though to make a switch away from SHA-1 as soon as reasonable, 
and to prepare to switch hashes very quickly in the future remains the same, 
the march of processor progress is not going to halt, and the advance of 
cryptographic attacks will not halt which will inevitably squeeze SHA-1 to 
broken. I would actually argue that the 2^80 strength it should have is 
enough to begin its retirement, 2^80 has been "strong enough" for a decade 
in spite of the march of technology. Under the processor speed enhancements 
that have happened over the last decade we should have increased the 
keylength already to accommodate for dual core chips running at 20 times the 
speed for a total of 40 times the prior speed (I was going to use Spec data 
for a better calculation but I couldn't immediately find specs for a Pentium 
Pro 200) by adding at least 5 bits, preferably 8, to our necessary protection 
profile.
                Joe 
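The work-factor arithmetic in the message above, checked as an added example (this is not part of Joe's post or of the paper he quotes): it assumes the 22937.6 GHz*years figure as stated, a 365.25-day year, and that one "operation" costs one clock cycle, which is exactly the simplification the author says is probably off by a factor of 50 to 500.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600  # Julian year, assumed


def log2_cycles(ghz_years: float) -> float:
    """log2 of the clock cycles delivered by ghz_years of compute.

    22937.6 GHz*years comes out at just over 2**69, matching the post.
    """
    cycles = ghz_years * 1e9 * SECONDS_PER_YEAR
    return math.log2(cycles)


def years_for_work(work_bits: float, aggregate_ghz: float) -> float:
    """Calendar years a machine with aggregate_ghz of clock needs to
    spend 2**work_bits cycles (one cycle per operation assumed)."""
    return 2.0 ** work_bits / (aggregate_ghz * 1e9 * SECONDS_PER_YEAR)


def bits_consumed_by_speedup(speedup: float) -> float:
    """Security bits eaten by a constant-factor speedup of the attacker.

    A 40x faster machine removes log2(40) ~= 5.3 bits, which is why the
    post argues for adding 'at least 5 bits' to the protection profile.
    """
    return math.log2(speedup)


def years_with_margin(work_bits: float, aggregate_ghz: float,
                      fudge_factor: float) -> float:
    """Same as years_for_work but scaled by the author's guessed
    multi-cycle-per-operation factor (50 to 500)."""
    return years_for_work(work_bits, aggregate_ghz) * fudge_factor


if __name__ == "__main__":
    ghz_years = 22937.6  # figure quoted in the post for BlueGene
    print("log2 cycles in %.1f GHz*years: %.2f" % (ghz_years, log2_cycles(ghz_years)))
    print("years for 2^69 on that machine: %.2f" % years_for_work(69, ghz_years))
    print("years for 2^80 on that machine: %.0f" % years_for_work(80, ghz_years))
    print("bits removed by a 40x speedup: %.2f" % bits_consumed_by_speedup(40))
    for f in (50, 500):
        print("2^69 with x%d fudge: %.0f years" % (f, years_with_margin(69, ghz_years, f)))
```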