From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID:
Date: Sat, 19 Feb 2005 22:53:23 -0500
From: Karl Magdsick
To: Bruce Ellis, Fans of the OS Plan 9 from Bell Labs <9fans@cse.psu.edu>
Subject: Re: [9fans] Venti security in view of SHA-1 exploit
In-Reply-To: <775b8d19050219152164c1e976@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
References: <20050219183814.GISZ2048.imf19aec.mail.bellsouth.net@p1.stuart.org> <9e8b82886fac51f78a70e17b6ba26813@telus.net> <01a701c516d1$f8df3200$1f587d50@kilgore> <775b8d19050219152164c1e976@mail.gmail.com>
Cc:
Topicbox-Message-UUID: 4f3eea56-eace-11e9-9e20-41e7f4b1d025

Note that the work factor is 2**69, being compared to 2**80 (birthday attack).

In other words, SHA-1 is still believed to be weakly collision resistant. In other words, it still takes an attacker on the order of 2**160 operations to find a collision between two blocks if one of the blocks is pre-determined.

Strong collision resistance implies weak collision resistance and you'd prefer a strongly collision resistant hash function. A demonstration that SHA-1 is not strongly collision resistant means researchers are closer to demonstrating that SHA-1 is not weakly collision resistant.

However, for fossil, you only need weak collision resistance for most applications. If you're worried about an attacker being able to create one file and give it to you and being able to corrupt it later, then worry. This attack does not seem to have direct implications for most applications of fossil.

The sky isn't falling. You'll probably want to start thinking about changing hash functions once other hash functions start getting more scrutiny as researchers start debating SHA-1 replacements. The SHA-2 family (SHA-224, SHA-256, SHA-384, and SHA-512) have structure similar to each other, but perhaps different enough from SHA-1 to not be vulnerable. In any case, it would be brash to change hash functions any time soon.

-Karl

On Sun, 20 Feb 2005 10:21:16 +1100, Bruce Ellis wrote:
> from slashdot
>
> "Using a modified DES Cracker, for the small sum of up to $38M, SHA-1
> can be broken in 56 hours, with current computing power."
>
> so there you go.
>
> brucee
>
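
The distinction the message above draws between finding any colliding pair and matching a pre-determined block, as an added example that is not part of the original email or of Plan 9's code. It assumes SHA-1 truncated to 16 bits so both searches finish quickly; `score`, `find_collision` and `find_second_preimage` are hypothetical names, and the sample blocks are constructed.

```python
import hashlib

BITS = 16  # assumption: truncated so both searches finish in about a second


def score(block: bytes, bits: int = BITS) -> int:
    """Top `bits` bits of SHA-1(block), standing in for a full 160-bit score."""
    digest = int.from_bytes(hashlib.sha1(block).digest(), "big")
    return digest >> (160 - bits)


def find_collision(bits: int = BITS):
    """Attacker chooses BOTH blocks (birthday search): about 2**(bits/2) tries."""
    seen = {}
    for i in range(2 ** bits + 1):  # pigeonhole: a repeat must occur in this range
        block = b"pair-%d" % i
        s = score(block, bits)
        if s in seen:
            return seen[s], block, i + 1
        seen[s] = block
    raise AssertionError("unreachable: more inputs than possible scores")


def find_second_preimage(fixed: bytes, bits: int = BITS, limit: int = 1 << 22):
    """One block is pre-determined: about 2**bits tries."""
    target = score(fixed, bits)
    for i in range(limit):
        block = b"forge-%d" % i
        if block != fixed and score(block, bits) == target:
            return block, i + 1
    raise RuntimeError("no match within limit")


if __name__ == "__main__":
    a, b, n_pair = find_collision()
    stored = b"constructed sample block already in the archive"
    forged, n_fixed = find_second_preimage(stored)
    print(f"free collision:      {n_pair} tries (2**{BITS // 2} = {2 ** (BITS // 2)})")
    print(f"match a fixed block: {n_fixed} tries (2**{BITS} = {2 ** BITS})")
```

At the full 160 bits the same two searches scale to the 2**80 and 2**160 figures quoted in the message.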