SHA1 collisions proven possisble

Ricky Beam jfbeam at
Thu Feb 23 22:40:42 UTC 2017

On Thu, 23 Feb 2017 15:03:34 -0500, Patrick W. Gilmore <patrick at>  
> More seriously: The attack (or at least as much as we can glean from the  
> blog post) cannot find a collision (file with same hash) from an  
> arbitrary file. The attack creates two files which have the same hash,  
> which is scary, but not as bad as it could be.

Exactly. This is just more sky-is-falling nonsense. Of course collisions  
exist. They occur in every hash function. It's only marginally noteworthy  
when someone finds a collision. It's neat the Google has found a way to  
generate a pair of files with the same hash -- at colossal computational  
cost! However this in no way invalidates SHA-1 or documents signed by  
SHA-1. You still cannot take an existing document, modify it in a  
meaningful way, and keep the same hash.

[Nor can you generate a blob to match an arbitrary hash (which would be  
death of all bittorrent)]

More information about the NANOG mailing list