New, Faster Attack against SHA-1 Revealed

VxSote writes "According to Bruce Schneier's blog, a team of Chinese cryptographers has announced new results against SHA-1 that speed up the time required to find collisions compared to their previously published attack. Schneier says that a SHA-1 collision search is now 'squarely in the realm of feasibility,' and that further improvements are expected."

Is that the attack...

[RevDobbs]

Is that the same attack the chinese exchange student used in Lineage II?

Re:Is that the attack...

[Dwonis]

Let's see if they're the same attack, by comparing the two files that Schneier has linked to in the last few weeks:

$ sha1sum wang_sha1_v2.pdf sha1-crypto-auth-new-2-yao.pdf
f4489045822c1940a3 71c87d7d54cfca5fedd6f7 wang_sha1_v2.pdf
f4489045822c1940a3 71c87d7d54cfca5fedd6f7 sha1-crypto-auth-new-2-yao.pdf

So it's the same attack.

Oh, wait...

The world is collapsing around me!

[frinkacheese]

Next there will be massive ASIC machines crunching your PGP ciphertext and nobody will be able to proove anything until Lt Cmdr Data comes up with another Fractal Encryption algorythm that even the Borg cannot break.

oh God bless them, those kooky spookies

[peculiarmethod]

I repeat the saying I've heard comes from inside the NSA: "Attacks always get better; they never get worse."

And THAT kind of forward thinking, gentlemen, is why we're number one over here in the good ol' U.S. of A. So glad we spend money in all the right places.

Big deal

[That's+Unpossible!]

All they did was look for a near-collision
differential path which has low Hamming weight in the "disturbance vector" where each 1-bit represents a 6-step local collision. Then they simply adjusted the differential path in the first round to another possible differential path so as to avoid impossible consecutive local collisions and truncated local collisions. Then obviously the final step taken was to transform two one-block near-collision differential paths into a twoblock
collision differential path with twice the search complexity.

Duh...

Re:Big deal

[gardyloo]

You forgot to add a link to where he describes this process and how he derrived it. A fascinating read, really.

Not Found
The requested URL /blog/archives/2005/08/new_cryptanalyt_details.htm l was not found on this server.

    Oh, yes, I've just wet my pants with excitement.

Re:Big deal

[gardyloo]

Invariant manifolds? You were lucky! We dreamed of invariant manifolds. We had to make do with symplectic diffeomorphisms of the torus, what with its four fixed points, you know, assuming that the eigenvalues of the Jacobi matrix are not equal to minus unity at any point... and we liked it.

Now can we panic?

[John.P.Jones]

Alas poor SHA-1, I knew him...

Okay so we still have SHA-256 and SHA-512 but can we really feel good about them?

Wanted: One reliable hash...

Re:Now can we panic?

[MightyMartian]

Commit everything to memory, keep a cyanide pill close by and hope like hell that that crazy guy with the tinfoil hat is wrong.

Security

[bredk]

I've just changed away from using SHA-1. Double ROT13 seems most appealing these days. ;)

Re:Security

[CRCulver]

SHA-1 isn't a cipher, it's a hash algorithm. Therefore, it has nothing to do with encryption (like ROT13), but with authentication. Sorry to ruin your little joke, which has become a tired amusement lamely presented in every new Slashdot story on cryptography.

Re:Security

[cpeikert]

Wait a minute, you don't sound sorry at all!

Re:i'll never understand why...

[Hack+Jandy]

I'd rather the NSA found the exploits...

The NSA did this six years ago. Just pick up any phone and ask them.

HJ