SHA-1 Broken
I’m not an expert in cryptography, but I try to pay attention to what’s happening in the crypto world. Today, Bruce Schneier announced:
SHA-1 has been broken. Not a reduced-round version. Not a simplified version. The real thing.
The research team of Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu (mostly from Shandong University in China) have been quietly circulating a paper announcing their results:
- collisions in the full SHA-1 in 2^69 hash operations, much less than the brute-force attack of 2^80 operations based on the hash length.
- collisions in SHA-0 in 2^39 operations.
- collisions in 58-round SHA-1 in 2^33 operations
So, unless I’m mis-reading this, SHA-1 lost a factor of 2,048; that’s enough to start moving away from SHA-1, but not enough to run screaming in the streets. The last time that SHA-1 attacks showed up, similar attacks were possible against MD5 and possibly also the newer SHA family members; I’m not really sure if there are cryptographic hashes in common use that aren’t at least slightly tainted right now.
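Where the 2^80 figure "based on the hash length" comes from, as an added example that is not part of the original post: a generic birthday search finds a collision in an n-bit hash after roughly 2^(n/2) evaluations, shown here on SHA-1 truncated to sizes small enough to run. The function names and the counter-based inputs are constructed for this illustration, and the truncation sizes go beyond the single 160-bit case in the text.

```python
import hashlib


def truncated_sha1(data: bytes, bits: int) -> int:
    """Return the top `bits` bits of SHA-1(data) as an integer."""
    digest = int.from_bytes(hashlib.sha1(data).digest(), "big")
    return digest >> (160 - bits)


def birthday_collision(bits: int):
    """Generic (brute-force) collision search on SHA-1 truncated to `bits` bits.

    Returns (msg_a, msg_b, hashes_computed). The inputs are a constructed
    counter sequence, so every run does the same amount of work.
    """
    seen = {}  # truncated digest -> first message that produced it
    counter = 0
    while True:
        msg = b"constructed-input-%d" % counter
        counter += 1
        tag = truncated_sha1(msg, bits)
        if tag in seen:
            return seen[tag], msg, counter
        seen[tag] = msg


def generic_bound_log2(bits: int) -> float:
    """log2 of the expected birthday-search cost for a `bits`-bit hash."""
    return bits / 2


def speedup_log2(generic_log2: float, attack_log2: float) -> float:
    """log2 of the factor by which an attack beats the generic search."""
    return generic_log2 - attack_log2


if __name__ == "__main__":
    for bits in (16, 24, 32):
        a, b, n = birthday_collision(bits)
        print(f"{bits}-bit truncation: {a!r} / {b!r} collide after {n} hashes "
              f"(generic estimate 2^{generic_bound_log2(bits):.0f})")
    # Full SHA-1: generic search 2^80, reported attack 2^69.
    gain = speedup_log2(generic_bound_log2(160), 69)
    print(f"reported attack is 2^{gain:.0f} = {2 ** gain:.0f} times "
          f"cheaper than brute force")
```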
Suggest moving to RIPEMD-160?
From what I’ve heard, SHA-2 (SHA-384/512) is not more secure than SHA-1 except for the greater length, but RIPEMD-160 (in contrast to RIPEMD) still looks great.
Any cryptographers know about it? (I’d like to hear from you, even by email.)
Btw, RIPEMD-160 is better than SHA-1 anyway, because it’s from Europe ;-)
PS: This is the first time I've considered commenting on a blog…
Far out… I eagerly await more detail…
peace, core
We should shift attention from MD5- and SHA-based MAC design to block cipher-based MAC/MDC.
MD4, MD5, HAVAL-128 and RIPEMD were already found broken at CRYPTO’04.
http://eprint.iacr.org/2004/199.pdf
The same team had broken MD5 earlier… seems it's the programmer’s generic “am god” syndrome