Warn that SHA-1 is practically broken! #8
Description
In 2005, February, an attack on full SHA-1 was first published, 211× faster than bruteforce. Schneier estimated that this would allow “a machine that cost $25M-$38M”, in 2005, to find an SHA-1 collision in 56 hours.
In addition to another decade following Moore's law, some other attacks have since improved on the computational efficiency. Some rough calculations by Walker in 2012 estimated ~2.77M$ per collision in 2012 and projected ~700k$ per collision by 2015.
On 2015-10-08, a freestart collision attack on SHA-1's compression function, with an example freestart collision, was published that requires only 257.5 SHA-1 evaluations per freestart collision, and this allowed the research team to more accurately update the cost estimate of a full collision:
“Concretely, we estimate the SHA-1 collision cost today (i.e., Fall 2015) between 75K$ and 120K$ renting Amazon EC2 cloud computing[.]”
On 2017-02-23, an example full SHA-1 collision was published for the first time. Although this was the first published collision example of SHA-1 as a whole, the attack to produce it will have actually cost more than the use of the most efficient published SHA-1 collision attack. It requires 263.1 SHA-1 calculations rather than Stevens' 260 because the attack went beyond a mere example SHA-1 collision and applied the attack elaborately to forge a collision on PDF documents:
“[…] Furthermore, the prefix of the colliding messages was carefully chosen so that they allow an attacker to forge two PDF documents with the same SHA-1 hash yet that display arbitrarily-chosen distinct visual contents.
We were able to find this collision by combining many special cryptanalytic techniques in complex ways and improving upon previous work. […]”
I suppose that having the ‘first published SHA-1 collision’ be a fancy PDF advertisement makes for a clever PR stunt that is expected to more than cover the roughly 8.6× extra cost of the forgery's greater computational complexity.
Nonetheless, the raw SHA-1 collision cost will be well under 100k$ per collision by now – affordable for criminal syndicates.
These risks must not be ignored. Hashr should warn the user about the risk of SHA-1 collisions whenever they is on the SHA-1 tab. If they is using the SHA-1 function then perhaps they didn't know that SHA-1 is insecure, hence they should be warned!