We have computed the very first chosen-prefix collision for SHA-1. To put it another way: all attacks that are practical on MD5 are now also practical on SHA-1.
We have reduced the cost of a collision attack from 2^64.7 to 2^61.2, and the cost of a chosen-prefix collision attack from 2^67.1 to 2^63.4.
Demo: The legacy branch of GnuPG (version 1.4) is vulnerable. We have created two PGP keys with different UserIDs and colliding certificates.
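To make the "chosen-prefix" notion in the announcement concrete, here is an added example that is not code from the authors of the attack: a toy Merkle-Damgard hash with a 16-bit chaining state (constructed so collisions are cheap enough to brute-force, unlike real SHA-1), where two different prefixes are steered to a common chaining state and any common suffix then keeps the collision, which is the property that lets a collision in a key body carry over to the whole signed certificate. The function and prefix names are hypothetical.

```python
import hashlib

# Toy Merkle-Damgard hash: 16-bit chaining state, 2-byte blocks. The compression
# function is a truncated SHA-256 so the structure is realistic but collisions are
# cheap to brute-force; nothing here transfers to real SHA-1.
STATE_LEN = 2   # bytes of chaining state
BLOCK_LEN = 2   # bytes per message block

def compress(state: int, block: bytes) -> int:
    digest = hashlib.sha256(state.to_bytes(STATE_LEN, "big") + block).digest()
    return int.from_bytes(digest[:STATE_LEN], "big")

def pad(msg: bytes) -> bytes:
    # zero-pad to a block boundary (a real hash also appends the message length)
    return msg + b"\x00" * (-len(msg) % BLOCK_LEN)

def toy_hash(msg: bytes) -> int:
    state = 0  # fixed IV
    msg = pad(msg)
    for i in range(0, len(msg), BLOCK_LEN):
        state = compress(state, msg[i:i + BLOCK_LEN])
    return state

def chosen_prefix_collision(p1: bytes, p2: bytes):
    """Return messages m1, m2 such that m1 starts with p1, m2 starts with p2,
    and toy_hash(m1) == toy_hash(m2). The prefixes hash to different chaining
    states, so one extra block per side must steer both to a common state;
    here that is a birthday-style table lookup, feasible only at toy size."""
    p1, p2 = pad(p1), pad(p2)
    h1, h2 = toy_hash(p1), toy_hash(p2)
    reach_from_h1 = {}
    for b in range(256 ** BLOCK_LEN):
        blk = b.to_bytes(BLOCK_LEN, "big")
        reach_from_h1.setdefault(compress(h1, blk), blk)
    for b in range(256 ** BLOCK_LEN):
        blk = b.to_bytes(BLOCK_LEN, "big")
        s = compress(h2, blk)
        if s in reach_from_h1:
            return p1 + reach_from_h1[s], p2 + blk
    raise RuntimeError("no collision found")  # practically impossible at this size

if __name__ == "__main__":
    # constructed sample prefixes standing in for two different key/user-ID bodies
    m1, m2 = chosen_prefix_collision(b"user-id: alice", b"user-id: bob")
    assert m1 != m2 and toy_hash(m1) == toy_hash(m2)
    # Once the chaining states agree, any common suffix keeps the collision:
    # the rest of a certificate can be appended and signed without breaking it.
    suffix = b"signed-by-ca"
    assert toy_hash(m1 + suffix) == toy_hash(m2 + suffix)
    print(f"colliding toy digest: {toy_hash(m1):04x}")
```

The second loop succeeds almost immediately because the first table covers most of the 65536 possible states; against a 160-bit state the same search is hopeless, which is why the real result needs differential cryptanalysis and 2^63.4 work.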
I'm confused. It says this is the first ever chosen-prefix collision attack, but also that the performance improvement is only a factor of 10; that is a big improvement, but not big enough to consider something to be in shambles when it wasn't before. Or am I just unaware that SHA-1 is already considered rather insecure?
@ScriptFanix @philipwhite SHA-1 has been considered academically problematic since 2005 (security claim reduced from 2^80 to 2^69), with better and better attacks coming out every year. https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html
In an ideal world, SHA-1 would have been retired long ago. Bruce Schneier had been arguing for its retirement since 2004... https://www.schneier.com/essays/archives/2004/08/cryptanalysis_of_md5.html
@niconiconi @ScriptFanix @philipwhite "should have been retired long ago". A lot of the time the weaker algorithms are simply being used to detect transfer errors or benign accidental changes rather than malicious intent. Heck, it took me a decade to get the company I work at to move away from identifying file revisions by timestamps.