- From: Melvin Carvalho <melvincarvalho@gmail.com>
- Date: Sun, 31 Mar 2013 17:32:33 +0200
- To: David Wood <david@3roundstones.com>
- Cc: Manu Sporny <msporny@digitalbazaar.com>, Web Payments <public-webpayments@w3.org>
- Message-ID: <CAKaEYhKSwjavpsHwVTt2hRBSMDd7QNQ2dzTX164zj0oUhQc+JQ@mail.gmail.com>
On 31 March 2013 17:11, Melvin Carvalho <melvincarvalho@gmail.com> wrote:

> On 7 October 2012 05:14, David Wood <david@3roundstones.com> wrote:
>
>> Wikipedia has a decent description of the status and issues with SHA-1:
>> https://en.wikipedia.org/wiki/SHA-1
>>
>
> FTA
>
> [[
> As of 2012, the most efficient attack against SHA-1 is considered to be
> the one by Marc Stevens with an estimated cost of $2.77M to break a single
> hash value by renting CPU power from cloud servers.[29]
> <https://en.wikipedia.org/wiki/SHA-1#cite_note-29> Stevens developed this
> attack in a project called HashClash,[30]
> <https://en.wikipedia.org/wiki/SHA-1#cite_note-30> implementing a
> differential path attack. On 8 November 2010, he claimed he had a fully
> working near-collision attack against full SHA-1 working with an estimated
> complexity equivalent to 2^57.5 SHA-1 compressions. He estimates this
> attack can be extended to a full collision with a complexity around 2^61.
> ]]
>
> It's interesting to note that bitcoin was based on the HashCash proof of
> work system.
>
> With the advent of affordable ASICs capable of 60 trillion hashes per
> second, and bitcoin mining pools that number in the 10s of thousands, I'm
> unsure that SHA1 will last too long.
>

Perhaps also worth noting is that git uses SHA-1. Adding a nonce in a
comment could produce an attack surface on modified source code.

>
>> Regards,
>> Dave
>>
>>
>> On Oct 6, 2012, at 23:10, Manu Sporny <msporny@digitalbazaar.com> wrote:
>>
>> On 10/05/2012 04:35 PM, Melvin Carvalho wrote:
>>
>> This article shows that attacks could be feasible by 2018
>> http://www.schneier.com/blog/archives/2012/10/when_will_we_se.html
>>
>>
>> Thanks for the heads-up Melvin. We examined the attack, and while we
>> don't agree with Schneier's assertion about the financial cost of using
>> an AWS-like system to mount an attack on SHA-1, we do agree that the
>> possibility exists within the next decade.
>>
>> This affects the PaySwarm specs, specifically the digital signature
>> algorithm for signed JSON-LD messages. We explored the idea that we
>> could greatly reduce the SHA-1 attack by injecting the length of the
>> message in the generation of the digital signature, but instead chose to
>> upgrade the spec requirements to SHA-256.
>>
>> SHA-256 has no known theoretical attack at present, nor is a brute-force
>> attack on the algorithm known to exist that can be accomplished in the
>> near term (less than 10 years into the future). As with all things
>> crypto-related, this may change tomorrow, but SHA-256 seems to be the
>> right solution today. SHA-3 is too new, but I expect that we will
>> eventually end up using it.
>>
>> Dave Longley has already committed the changes to the production
>> PaySwarm code. We'll push the changes to the dev.payswarm.com site soon.
>> The PHP WordPress PaySwarm client was updated today:
>>
>> https://github.com/digitalbazaar/payswarm-wordpress/commit/0e0be20f20508998d04c95dc4a3009cd2e176a01
>>
>> as well as the JavaScript PaySwarm client:
>>
>> https://github.com/digitalbazaar/payswarm.js/commit/b8f2ce880c8858b27fad3d572350a22243d85aa3
>>
>> -- manu
>>
>> --
>> Manu Sporny (skype: msporny, twitter: manusporny)
>> President/CEO - Digital Bazaar, Inc.
>> blog: The Problem with RDF and Nuclear Power
>> http://manu.sporny.org/2012/nuclear-rdf/
>>
>
Received on Sunday, 31 March 2013 15:33:03 UTC