[cabfpub] Posted on behalf of customer

Peter Bowen pzb at amzn.com
Fri Dec 16 15:31:33 UTC 2016


And that is a year old.  Last month, we announced new faster GPU options for customers.  So that cost probably is even lower today.

> On Dec 16, 2016, at 7:25 AM, Erwann Abalea via Public <public at cabforum.org> wrote:
> 
> Dr Stevens has more up to date cost estimates: https://sites.google.com/site/itstheshappening/
> 
> "Concretely, we estimate the SHA-1 collision cost today (i.e., Fall 2015) between 75K$ and 120K$ renting Amazon EC2 cloud computing over a few months."
> 
> Regards,
> Erwann Abalea
> 
>> On 16 Dec 2016, at 15:22, Gervase Markham via Public <public at cabforum.org> wrote:
>> 
>> On 13/12/16 21:40, Ryan Sleevi via Public wrote:
>>> I understand the desire to remove SHA-1 before it has actually shown
>>> true weakness.
>> 
>> https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html :
>> 
>> "The cost of the attack will be approximately:
>> 
>>    2^13 * 2^8.4 = 2^21.4 ~ $2.77M in 2012
>> 
>>    2^11 * 2^8.4 = 2^19.4 ~ $700K by 2015
>> 
>>    2^9 * 2^8.4 = 2^17.4 ~ $173K by 2018
>> 
>>    2^7 * 2^8.4 = 2^15.4 ~ $43K by 2021
>> 
>> A collision attack is therefore well within the range of what an
>> organized crime syndicate can practically budget by 2018, and a
>> university research project by 2021.
>> 
>> Since this argument only takes into account commodity hardware and not
>> instruction set improvements (e.g., ARM 8 specifies a SHA-1
>> instruction), other commodity computing devices with even greater
>> processing power (e.g., GPUs), and custom hardware, the need to
>> transition from SHA-1 for collision resistance functions is probably
>> more urgent than this back-of-the-envelope analysis suggests."
>> 
>> If I were going to calculate a SHA-1 collision, the certificate of a
>> machine handling tens or hundreds of thousands of credit cards a day
>> would be a reasonably obvious target, ISTM.
>> 
>> Gerv
>> _______________________________________________
>> Public mailing list
>> Public at cabforum.org
>> https://cabforum.org/mailman/listinfo/public
>> 
> 
