Freestart collisions, like the one presented here, do not directly imply a collision for SHA-1. However, this work is an important milestone towards an actual SHA-1 collision and it further shows how graphics cards can be used very efficiently for these kind of attacks. Based on the state-of-the-art collision attack on SHA-1 by Stevens from EUROCRYPT 2013, we are able to present new projections on the computational/financial cost required by a SHA-1 collision computation. These projections are significantly lower than previously anticipated by the industry, due to the use of the more cost efficient graphics cards compared to regular CPUs.
We therefore recommend the industry, in particular Internet browser vendors and Certification Authorities, to retract SHA-1 soon. We hope the industry has learned from the events surrounding the cryptanalytic breaks of MD5 and will retract SHA-1 before example signature forgeries appear in the near future. With our new cost projections in mind, we strongly and urgently recommend against a recent proposal to extend the issuance of SHA-1 certificates with a year in the CAB/forum (vote closes October 9 2015).
Category / Keywords: public-key cryptography / SHA-1, hash function, cryptanalysis, freestart collision, GPU implementation Date: received 8 Oct 2015 Contact author: stevens at cwi nl Available format(s): PDF | BibTeX Citation Version: 20151009:210731 (All versions of this report) Short URL: ia.cr/2015/967 Discussion forum: Show discussion | Start new discussion