Chosen-prefix collision for SHA-1 (2019) (opens in new tab)

(sha-mbles.github.io)

22 pointsaburan282y ago8 comments

8 comments

(2019)

How are other algorithms fairing recently, anything else started tumbling over in the last few years?

SHA-2 uses a Merkle-Damgard construction like SHA-1 does, but is not widely believed to be vulnerable to the same attacks. SHA-3 was developed and standardized in part to mitigate future breaks in SHA-2, but those breaks have (so far) not materialized[1].

TL;DR: If all you need is a fast cryptographic digest, SHA-2 is still the gold standard. If you care about length-extension attacks, SHA-3's construction prevents them. If you're hashing passwords, you should use a KDF instead.

[1]: https://www.imperialviolet.org/2017/05/31/skipsha3.html

magicalhippo2y ago

> SHA-2 is still the gold standard

Truncated SHA-2, eg SHA-512/256, has some resistance against length extension attacks[1] while non-truncated has none, so wouldn't that be the gold standard?

edit: Thinking a bit more, I guess there are a lot of interesting cases which are not prone to length extension attacks where the full SHA-512 would be better.

[1]: https://en.wikipedia.org/wiki/SHA-2#Comparison_of_SHA_functi...

2 more replies

jwilk2y ago

Is it 2019? They link to a 2020 paper.

The earliest copy in the Wayback Machine is from 2020-01-07. That's also when it was first submitted to HN: https://news.ycombinator.com/item?id=21979333 (354 comments)

aidenn02y ago

This was definitely January 2020 (January 7th, a Tuesday, per the Ars Technica article); I think the 2019 confusion is because that is when they disclosed the attacks to the related projects.

woodruffw2y ago

For those wondering: this work was presented at RWC 2020[1], so it's not a new (but still valuable!) finding.

[1]: https://sha-mbles.github.io/Shambles_RWC.pdf

j / k navigate · click thread line to collapse

8 comments

zamadatix2y ago

(2019)

How are other algorithms fairing recently, anything else started tumbling over in the last few years?

woodruffw2y ago

[1]: https://www.imperialviolet.org/2017/05/31/skipsha3.html

magicalhippo2y ago

> SHA-2 is still the gold standard

Truncated SHA-2, eg SHA-512/256, has some resistance against length extension attacks[1] while non-truncated has none, so wouldn't that be the gold standard?

edit: Thinking a bit more, I guess there are a lot of interesting cases which are not prone to length extension attacks where the full SHA-512 would be better.

[1]: https://en.wikipedia.org/wiki/SHA-2#Comparison_of_SHA_functi...

2 more replies

jwilk2y ago

Is it 2019? They link to a 2020 paper.

The earliest copy in the Wayback Machine is from 2020-01-07. That's also when it was first submitted to HN: https://news.ycombinator.com/item?id=21979333 (354 comments)

aidenn02y ago

This was definitely January 2020 (January 7th, a Tuesday, per the Ars Technica article); I think the 2019 confusion is because that is when they disclosed the attacks to the related projects.

woodruffw2y ago

For those wondering: this work was presented at RWC 2020[1], so it's not a new (but still valuable!) finding.

[1]: https://sha-mbles.github.io/Shambles_RWC.pdf

j / k navigate · click thread line to collapse