This website contains the latest news and background information on the SHA-1 freestart collision work by Marc Stevens (CWI, the Netherlands), Pierre Karpman (Inria, France and NTU Singapore) and Thomas Peyrin (NTU Singapore).
You can find the latest version of our technical article here (currently under submission) and the corresponding press release here.
The following two input IV/message pairs give the same output value after applying the SHA-1 compression function:
You can verify this freestart collision yourself using this tester.
We have computed the SHA-1 freestart collision on Kraken, our 64-GPU cluster. More precisely, Kraken is composed of 16 nodes, each node being made of simple, cheap and widely available hardware: 4 GTX-970 GPUs, 1 Haswell i5-4460 processor and 16GB of RAM.
We recommend that SHA-1 based signatures be marked as unsafe much sooner than prescribed by current international policy. Even though freestart collisions do not directly lead to actual collisions for SHA-1, in our case the experimental data we obtained in the process enable significantly more accurate projections of the real-world cost of actual collisions for SHA-1, compared to previous projections.
Concretely, we estimate that a SHA-1 collision today (i.e., Fall 2015) would cost between 75K$ and 120K$ when renting Amazon EC2 cloud computing over a few months. By contrast, security expert Bruce Schneier previously projected (based on calculations from Jesse Walker) the SHA-1 collision cost to be ~173K$ by 2018. Note that he deems this to be within the resources of a criminal syndicate. Large corporations and governments may possess even greater resources and may not require Amazon EC2.
Microsoft, Google and Mozilla have all announced that their respective browsers will stop accepting SHA-1 based SSL certificates by 2017 (and that SHA-1-based certificates should not be issued after 2015). In conclusion, our estimates imply that SHA-1 collisions are now (Fall 2015) within the resources of criminal syndicates, two years earlier than previously expected and one year before SHA-1 will be marked as unsafe in modern Internet browsers.
This motivates our recommendation that the industry standard SHA-1 be retracted as soon as possible. With our new cost projections in mind, we strongly and urgently recommend against a recent proposal in the CAB/forum to extend the issuance of SHA-1 certificates by a year (discussion closes October 9 2015, vote closes October 16).
Here follows an overview of background information on the SHA-1 hash function industry standard.
On the recent proposal to extend issuance of SHA-1 certificates
On SHA-1 migration
On the cost of SHA-1 collisions
On SHA-1 freestart collisions and graphics cards
On MD5-based signature forgeries and the 2012 Flame malware
On MD5-based signature forgeries and the 2008 academic HTTPS break
Marc Stevens is supported by the Netherlands Organization for Scientific Research Veni Grant 2014.
Pierre Karpman and Thomas Peyrin are supported by the Singapore National Research Foundation Fellowship 2012 (NRF-NRFF2012-06).
Pierre Karpman is also supported by the Direction Générale de l'Armement.