SHA1 collisions proven possible

Royce Williams royce at
Thu Feb 23 23:24:53 UTC 2017

We just need to keep the likely timeline in mind.

As I saw someone say on Twitter today ... "don't panic, just deprecate".

Valerie Aurora's hash-lifecycle table is very informative (emphasis mine):

Reactions to stages in the life cycle of cryptographic hash functions
(columns in the original: Stage / Expert reaction / Programmer reaction / Non-expert ("slashdotter") reaction)

Initial proposal
  Expert:      Skepticism, don't recommend use in practice
  Programmer:  Wait to hear from the experts before adding to your crypto library
  Non-expert:  SHA-what?

Peer review
  Expert:      Moderate effort to find holes and garner an easy publication
  Programmer:  Used by particularly adventurous developers for specific purposes
  Non-expert:  Name-drop the hash at cocktail parties to impress other geeks

General acceptance
  Expert:      Top-level researchers begin serious work on finding a weakness (and international fame)
  Programmer:  Even Microsoft is using the hash function now
  Non-expert:  Flame anyone who suggests the function may be broken in our lifetime

Minor weakness discovered
  Expert:      Massive downloads of turgid pre-prints from arXiv, calls for new hash functions
  Programmer:  Start reviewing other hash functions for replacement
  Non-expert:  Long semi-mathematical posts comparing the complexity of the attack to the number of protons in the universe

Serious weakness discovered
  Expert:      Tension-filled CRYPTO rump sessions! A full break is considered inevitable
  Programmer:  Migrate to new hash functions immediately, where necessary
  Non-expert:  Point out that no actual collisions have been found

First collision found
  Expert:      *Uncork the champagne! Interest in the details of the construction, but no surprise*
  Programmer:  *Gather around a co-worker's computer, comparing the colliding inputs and running the hash function on them*
  Non-expert:  *Explain why a simple collision attack is still useless, it's really the second pre-image attack that counts*

Meaningful collisions generated on home computer
  Expert:      How adorable! I'm busy trying to break this new hash function, though
  Programmer:  Send each other colliding X.509 certificates as pranks
  Non-expert:  Claim that you always knew it would be broken

Collisions generated by hand
  Expert:      Memorize as fun party trick for next faculty mixer
  Programmer:  Boggle
  Non-expert:  Try to remember how to do long division by hand

Assumed to be weak but no one bothers to break
  Expert:      No one is getting a publication out of breaking this
  Programmer:  What's this crypto library function for?
  Non-expert:  Update Pokemon Wikipedia pages


On Thu, Feb 23, 2017 at 2:11 PM, J. Hellenthal <jhellenthal at>

> It's actually pretty serious in Git and the banking markets where there is
> high usage of sha1. Considering the wide adoption of Git, this is a pretty
> serious issue that will only become worse ten-fold over the years. Visible
> abuse will not be near as widely seen as the initial shattering but
> escalate over much longer periods.
> Take it seriously? Why wouldn't you!?
> --
>  Onward!,
>  Jason Hellenthal,
>  Systems & Network Admin,
>  Mobile: 0x9CA0BD58,
> On Feb 23, 2017, at 16:40, Ricky Beam <jfbeam at> wrote:
> > On Thu, 23 Feb 2017 15:03:34 -0500, Patrick W. Gilmore <patrick at> wrote:
> > > More seriously: The attack (or at least as much as we can glean from the
> > > blog post) cannot find a collision (file with same hash) from an arbitrary
> > > file. The attack creates two files which have the same hash, which is
> > > scary, but not as bad as it could be.
> > Exactly. This is just more sky-is-falling nonsense. Of course collisions
> > exist. They occur in every hash function. It's only marginally noteworthy
> > when someone finds a collision. It's neat that Google has found a way to
> > generate a pair of files with the same hash -- at colossal computational
> > cost! However this in no way invalidates SHA-1 or documents signed by
> > SHA-1. You still cannot take an existing document, modify it in a
> > meaningful way, and keep the same hash.
> > [Nor can you generate a blob to match an arbitrary hash (which would be
> > the death of all bittorrent)]

More information about the NANOG mailing list