W3C home > Mailing lists > Public > public-webpayments@w3.org > March 2013

Re: Some possible attacks on SHA1

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Sun, 31 Mar 2013 17:11:56 +0200
Message-ID: <CAKaEYh+UwpfOPO=gJKDcAijfG7rOEaZ_WqgPnc+jhkvroVTDNA@mail.gmail.com>
To: David Wood <david@3roundstones.com>
Cc: Manu Sporny <msporny@digitalbazaar.com>, Web Payments <public-webpayments@w3.org>
On 7 October 2012 05:14, David Wood <david@3roundstones.com> wrote:

> Wikipedia has a decent description of the status and issues with SHA-1:
>   https://en.wikipedia.org/wiki/SHA-1


As of 2012, the most efficient attack against SHA-1 is considered to be the
one by Marc Stevens with an estimated cost of $2.77M to break a single hash
value by renting CPU power from cloud
developed this attack in a project called HashClash,
[30] <https://en.wikipedia.org/wiki/SHA-1#cite_note-30> implementing a
differential path attack. On 8 November 2010, he claimed he had a fully
working near-collision attack against full SHA-1 working with an estimated
complexity equivalent to 257.5 SHA-1 compressions. He estimates this attack
can be extended to a full collision with a complexity around 261.

It's interesting to note that bitcoin was based on the HashCash proof of
work system.

With the advent of afordable ASICs capable of 60 trillion hashes per second
,and bitcoin mining pools that number in the 10s of thousands, I'm unsure
that SHA1 will last too long.

> Regards,
> Dave
> On Oct 6, 2012, at 23:10, Manu Sporny <msporny@digitalbazaar.com> wrote:
> On 10/05/2012 04:35 PM, Melvin Carvalho wrote:
> This article shows that attacks could be feasible by 2018
> http://www.schneier.com/blog/archives/2012/10/when_will_we_se.html
> Thanks for the heads-up Melvin. We examined the attack, and while we
> don't agree with Schneier's assertion about the financial cost of using
> an AWS-like system to mount an attack on SHA-1, we do agree that the
> possibility exists within the next decade.
> This affects the PaySwarm specs, specifically the digital signature
> algorithm for signed JSON-LD messages. We explored the idea that we
> could greatly reduce the SHA-1 attack by injecting the length of the
> message in the generation of the digital signature, but instead chose to
> upgrade the spec requirements to SHA-256.
> SHA-256 has no known theoretical attack at present, nor is a brute-force
> attack on the algorithm known to exist that can be accomplished in the
> near term (less than 10 years into the future). As with all things
> crypto-related, this may change tomorrow, but SHA-256 seems to be the
> right solution today. SHA-3 is too new, but I expect that we will
> eventually end up using it.
> Dave Longley has already committed the changes to the production
> PaySwarm code. We'll push the changes to the dev.payswarm.com site soon.
> The PHP WordPress PaySwarm client was updated today:
> https://github.com/digitalbazaar/payswarm-wordpress/commit/0e0be20f20508998d04c95dc4a3009cd2e176a01
> as well as the JavaScript PaySwarm client:
> https://github.com/digitalbazaar/payswarm.js/commit/b8f2ce880c8858b27fad3d572350a22243d85aa3
> -- manu
> --
> Manu Sporny (skype: msporny, twitter: manusporny)
> President/CEO - Digital Bazaar, Inc.
> blog: The Problem with RDF and Nuclear Power
> http://manu.sporny.org/2012/nuclear-rdf/
Received on Sunday, 31 March 2013 15:12:29 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:07:22 UTC