[16927] in cryptography@c2.net mail archive


Re: SHA1 broken?

daemon@ATHENA.MIT.EDU (Dave Howe)
Thu Feb 17 08:08:31 2005

X-Original-To: cryptography@metzdowd.com
Date: Thu, 17 Feb 2005 10:49:29 +0000
From: Dave Howe <DaveHowe@gmx.co.uk>
To: <cypherpunks@al-qaeda.net>, <cryptography@metzdowd.com>
In-Reply-To: <BAY0-SMTP082C5CB3C054AD2EA7F406AC6D0@phx.gbl>

Joseph Ashwood wrote:
> I believe you are incorrect in this statement. It is a matter of public
> record that RSA Security's DES Challenge II was broken in 72 hours by 
> $250,000 worth of semi-custom machine, for the sake of solidity let's 
> assume they used 2^55 work to break it. Now moving to a completely 
> custom design, bumping up the cost to $500,000, and moving forward 7 
> years, delivers ~2^70 work in 72 hours (give or take a couple orders of 
> magnitude). This puts the 2^69 work well within the realm of realizable 
> breaks, assuming your attackers are smallish businesses, and if your 
> attackers are large businesses with substantial resources the break can 
> be assumed in minutes if not seconds.
> 
> 2^69 is completely breakable.
>                Joe
   It's fine assuming that Moore's law will hold forever, but without 
that you can't really extrapolate a future tech curve. With *today's* 
technology, you would have to spend an appreciable fraction of the 
national budget to get a one-per-year "break", not that anything that 
has been hashed with SHA-1 can be considered breakable (but that would 
allow you to (for example) forge a digital signature given an example).
   This of course assumes that the "break" doesn't match the criteria 
from the previous breaks by the same team - ie, that you *can* create a 
collision, but you have little or no control over the plaintext for the 
colliding elements - there is no way to know as the paper hasn't been 
published yet.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
