What a carefully worded response. :) Fortunately SHA-2 is now, and SHA-3 is next year.
On Fri, Oct 5, 2012 at 12:30 PM, Andrew S. Baker <[email protected]> wrote: > > I don't disagree with the analysis or the conclusion. > > ASB > http://XeeMe.com/AndrewBaker > Harnessing the Advantages of Technology for the SMB market… > > > > > On Fri, Oct 5, 2012 at 3:07 PM, Crawford, Scott <[email protected]> wrote: >> >> >> >> >> >> Feed: Schneier on Security >> Posted on: Friday, October 05, 2012 1:25 PM >> Author: schneier >> Subject: When Will We See Collisions for SHA-1? >> >> >> >> On a NIST-sponsored hash function mailing list, Jesse Walker (from Intel; >> also a member of the Skein team) did some back-of-the-envelope calculations >> to estimate how long it will be before we see a practical collision attack >> against SHA-1. I'm reprinting his analysis here, so it reaches a broader >> audience. >> >> According to E-BASH, the cost of one block of a SHA-1 operation on already >> deployed commodity microprocessors is about 214 cycles. If Stevens' attack >> of 260 SHA-1 operations serves as the baseline, then finding a collision >> costs about 214 * 260 ~ 274 cycles. >> >> A core today provides about 231 cycles/sec; the state of the art is 8 = 23 >> cores per processor for a total of 23 * 231 = 234 cycles/sec. A server >> typically has 4 processors, increasing the total to 22 * 234 = 236 >> cycles/sec. Since there are about 225 sec/year, this means one server >> delivers about 225 * 236 = 261 cycles per year, which we can call a "server >> year." >> >> There is ample evidence that Moore's law will continue through the mid >> 2020s. Hence the number of doublings in processor power we can expect >> between now and 2021 is: >> >> 3/1.5 = 2 times by 2015 (3 = 2015 - 2012) 6/1.5 = 4 times by 2018 (6 = 2018 >> - 2012) 9/1.5 = 6 times by 2021 (9 = 2021 - 2012) >> >> So a commodity server year should be about: >> >> 261 cycles/year in 2012 22 * 261 = 263 cycles/year by 2015 24 * 261 = 265 >> cycles/year by 2018 26 * 261 = 267 cycles/year by 2021 >> >> Therefore, on commodity hardware, Stevens' attack should cost approximately: >> >> 274 / 261 = 213 server years in 2012 274 / 263 = 211 server years by 2015 >> 274 / 265 = 29 server years by 2018 274 / 267 = 27 server years by 2021 >> >> Today Amazon rents compute time on commodity servers for about $0.04 / hour >> ~ $350 /year. Assume compute rental fees remain fixed while server capacity >> keeps pace with Moore's law. Then, since log2(350) ~ 8.4 the cost of the >> attack will be approximately: >> >> 213 * 28.4 = 221.4 ~ $2.77M in 2012 211 * 28.4 = 219.4 ~ $700K by 2015 29 * >> 28.4 = 217.4 ~ $173K by 2018 27 * 28.4 = 215.4 ~ $43K by 2021 >> >> A collision attack is therefore well within the range of what an organized >> crime syndicate can practically budget by 2018, and a university research >> project by 2021. >> >> Since this argument only takes into account commodity hardware and not >> instruction set improvements (e.g., ARM 8 specifies a SHA-1 instruction), >> other commodity computing devices with even greater processing power (e.g., >> GPUs), and custom hardware, the need to transition from SHA-1 for collision >> resistance functions is probably more urgent than this back-of-the-envelope >> analysis suggests. >> >> Any increase in the number of cores per CPU, or the number of CPUs per >> server, also affects these calculations. Also, any improvements in >> cryptanalysis will further reduce the complexity of this attack. >> >> The point is that we in the community need to start the migration away from >> SHA-1 and to SHA-2/SHA-3 now. >> >> >> View article... ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
