[Repost] New Cryptanalytic Results Again
Posted: 2005-9-16 18:34

Xiaoyun Wang, one of the team of Chinese cryptographers that
successfully broke SHA-0 and SHA-1, along with Andrew Yao and Frances
Yao, announced new results against SHA-1 at Crypto's rump
session.  (Actually, Adi Shamir announced the results in their name,
since she and her student did not receive U.S. visas in time to attend
the conference.)

Shamir presented few details -- and there's no paper -- but the time
complexity of the new attack is 2^63.  (Their previous result was 2^69;
brute force is 2^80.)  He did say that he expected Wang and her
students to improve this result over the next few months.  The
modifications to their published attack are still new, and more
improvements are likely over the next several months.  There is no
reason to believe that 2^63 is anything like a lower limit.

But an attack that's faster than 2^64 is a significant
milestone.  We've already done massive computations with complexity
2^64.  Now that the SHA-1 collision search is squarely in the realm of
feasibility, some research group will try to implement it.  Writing
working software will both uncover hidden problems with the attack, and
illuminate hidden improvements.  And while a paper describing an attack
against SHA-1 is damaging, software that produces actual collisions is
even more so.

The story of SHA-1 is not over.  Again, I repeat the saying I've heard
comes from inside the NSA:  "Attacks always get better; they never get
worse."

Details of the SHA break:

NIST's Hash Function Workshop, to be held in late October:

Effects of the attack on S/MIME, TLS, and IPsec:

Xiaoyun Wang's two papers from Crypto:
Efficient Collision Search Attacks on SHA-0
Finding Collisions in the Full SHA-1
The rest of her papers:

Story of them being denied visas to attend the conference:
