[cabfpub] Posted on behalf of customer

Gervase Markham gerv at mozilla.org
Fri Dec 16 14:22:16 UTC 2016

On 13/12/16 21:40, Ryan Sleevi via Public wrote:
> I understand the desire to remove SHA-1 before it has actually shown
> true weakness.

https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html :

"The cost of the attack will be approximately:

    2^13 * 28.4 = 221.4 ~ $2.77M in 2012

    2^11 * 28.4 = 219.4 ~ $700K by 2015

    2^9 * 28.4 = 217.4 ~ $173K by 2018

    2^7 * 28.4 = 215.4 ~ $43K by 2021

A collision attack is therefore well within the range of what an
organized crime syndicate can practically budget by 2018, and a
university research project by 2021.

Since this argument only takes into account commodity hardware and not
instruction set improvements (e.g., ARM 8 specifies a SHA-1
instruction), other commodity computing devices with even greater
processing power (e.g., GPUs), and custom hardware, the need to
transition from SHA-1 for collision resistance functions is probably
more urgent than this back-of-the-envelope analysis suggests."

If I were going to calculate a SHA-1 collision, the certificate of a
machine handling tens or hundreds of thousands of credit cards a day
would be a reasonably obvious target, ISTM.


More information about the Public mailing list