We have computed the very first chosen-prefix collision for SHA-1. To put it in another way: all attacks that are practical on MD5 are now also practical on SHA-1.

We have reduced the cost of a collision attack from 2^64.7 to 2^61.2, and the cost of a chosen-prefix collision attack from 2^67.1 to 2^63.4.

Demo: The legacy branch of GnuPG (version 1.4) is vulnerable. We have created two PGP keys with different UserIDs and colliding certificates.
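The quoted summary says that a chosen-prefix collision makes every attack that is practical on MD5 practical on SHA-1 as well. The reason is the Merkle-Damgård structure both functions share: once two different prefixes have been driven into the same chaining state, any common suffix (a certificate body, a signed payload) keeps the two hashes equal, so the attacker only has to find the collision blocks once. The Python below is an added toy illustration, not code from the paper, its demo or GnuPG. It implements a deliberately tiny Merkle-Damgård hash (32-bit state, compression built from truncated SHA-256, constructed for this example and nothing like SHA-1 internally) and finds a chosen-prefix collision with a generic birthday search, which is the step the real attack replaces with differential near-collision blocks. The prefixes and suffix are constructed sample inputs.

```python
import hashlib
import struct

# Toy Merkle-Damgard hash (constructed for this example; NOT SHA-1).
# A 32-bit chaining state keeps the generic birthday search near 2^16 work,
# which is what lets the collision below be found in well under a second.
STATE_BYTES = 4
BLOCK_BYTES = 8
IV = b"\x01\x23\x45\x67"


def compress(state: bytes, block: bytes) -> bytes:
    """Toy compression function: truncated SHA-256 of state||block.

    It is only a random-looking map from (state, block) to a new state; the
    search below never exploits its internals, only the small state size."""
    return hashlib.sha256(state + block).digest()[:STATE_BYTES]


def pad(msg: bytes) -> bytes:
    """Merkle-Damgard strengthening: 0x80, zero fill, then the bit length."""
    out = msg + b"\x80"
    while (len(out) + 8) % BLOCK_BYTES:
        out += b"\x00"
    return out + struct.pack(">Q", 8 * len(msg))


def absorb(state: bytes, data: bytes) -> bytes:
    """Run the compression function over a whole number of blocks."""
    assert len(data) % BLOCK_BYTES == 0
    for i in range(0, len(data), BLOCK_BYTES):
        state = compress(state, data[i:i + BLOCK_BYTES])
    return state


def toy_hash(msg: bytes) -> bytes:
    return absorb(IV, pad(msg))


def chosen_prefix_collision(prefix1: bytes, prefix2: bytes) -> tuple[bytes, bytes]:
    """Generic chosen-prefix collision against the toy hash.

    Both prefixes are zero-padded to a common block boundary (assumption of
    this toy: the attacker controls the bytes right after each prefix).  The
    chaining states after the two prefixes differ, so one collision block per
    message is found by a birthday search: the first block value that sends
    state s1 to the same state that some (possibly other) block value sends
    s2 to.  The real SHA-1 attack replaces this brute-force step with
    cryptanalytic near-collision blocks; that is where its 2^63.4 comes from."""
    p1 = prefix1 + b"\x00" * (-len(prefix1) % BLOCK_BYTES)
    p2 = prefix2 + b"\x00" * (-len(prefix2) % BLOCK_BYTES)
    # Equal padded length matters: the final length-padding block must match too.
    width = max(len(p1), len(p2))
    p1, p2 = p1.ljust(width, b"\x00"), p2.ljust(width, b"\x00")
    s1, s2 = absorb(IV, p1), absorb(IV, p2)
    seen1: dict[bytes, bytes] = {}  # state reached from s1 -> block used
    seen2: dict[bytes, bytes] = {}  # state reached from s2 -> block used
    counter = 0
    while True:
        block = counter.to_bytes(BLOCK_BYTES, "big")
        c1, c2 = compress(s1, block), compress(s2, block)
        if c1 == c2:
            return p1 + block, p2 + block
        if c1 in seen2:
            return p1 + block, p2 + seen2[c1]
        if c2 in seen1:
            return p1 + seen1[c2], p2 + block
        seen1[c1], seen2[c2] = block, block
        counter += 1


def demo() -> bool:
    """Two colliding 'certificates' with different identities but a shared tail."""
    m1, m2 = chosen_prefix_collision(b"Alice <alice@example.org>",      # constructed
                                     b"Mallory <mallory@example.org>")  # constructed
    shared_tail = b"signed certificate body identical in both keys"      # constructed
    return (m1 != m2
            and toy_hash(m1) == toy_hash(m2)
            and toy_hash(m1 + shared_tail) == toy_hash(m2 + shared_tail))


if __name__ == "__main__":
    print("collision with shared suffix holds:", demo())
```

The property demonstrated by the final check is the whole point of the PGP demo quoted above: the two keys differ in the prefix (the UserID) and in the collision blocks, but everything signed after those blocks is byte-identical, so one certification covers both. Against real SHA-1 the collision blocks cost 2^63.4 work rather than a split-second birthday search, but the construction after that step is the same.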

I'm confused. It says this is the first ever chosen-prefix collision attack, but also that the performance improvement is only a factor of 10; that is a big improvement, but not big enough to consider something to be in shambles when it wasn't before. Or am I just unaware that SHA-1 is already considered rather insecure?

You're unaware. SHA-1 has been considered "not safe for future use" for some time now.

@ScriptFanix @philipwhite SHA-1 is considered academically problematic since 2005 (security claim reduced from 2^80 to 2^69), with better and better attacks coming out every year.

In the ideal world, SHA-1 should've been long retired. Bruce Schneier was arguing for its retirement since 2004...

@niconiconi @ScriptFanix @philipwhite "should have been retired long ago". A lot of times the weaker algorithms are simply being used to detect transfer errors or benign accidental changes instead of malicious intent. Heck, it took me a decade to get the company I work at to move away from identifying file revisions by timestamps.

@niconiconi does this provide a simultaneous collision with SHA1 and MD5?

@niconiconi Well that isn't completely terrifying or anything.
