SHA1 broken?

[David Shaw]

On Wed, Feb 16, 2005 at 12:48:29AM -0800, Eric Anopolsky wrote:
> http://it.slashdot.org/it/05/02/16/0146218.shtml?tid=93&tid=172&tid=218
> 
> Does anyone know anything about this?

The paper has not been published yet, but the information released
thus far indicates the team was able to find a collision in SHA-1 in
2^69 operations.  Since SHA-1 should have been resistant to collision
to 2^80 operations, this is a very impressive attack.  Incidentally,
this is same team that was behind the successful attack on MD5.

However, in the real world this doesn't seem like a very useful
attack.  It's rather like someone pointing out that the 100 foot high
wall around your house is only 50 feet high.  True, the wall is not as
tell as claimed, but it's still probably taller than it needs to be.
To put this in perspective, the "broken" SHA-1 is stronger than MD5
was thought to be before the MD5 breaks were discovered (MD5 was
2^64).

Still, I'm speculating based on the little information that has been
released.  Nobody really knows all the details yet since the paper
hasn't been published.  It is not yet known if the attack can be
extended to the SHA-2 hashes (SHA-256, SHA-384, and SHA-512).  Even if
it can be extended, the sheer length of the SHA-2 hashes may render
the attack moot in practical terms... or it might not.  We just don't
know yet.

In terms of GnuPG: it's up to you whether you want to switch hashes or
not.  GnuPG supports all of the SHA-2 hashes, so they are at least
available.  Be careful you don't run up against compatibility
problems: PGP doesn't support 384 or 512, and only recently started
supporting 256.  GnuPG before 1.2.2 (2003-05-01), doesn't have any of
the new hashes.  Finally, if you have a DSA signing key (most people
do) you are required to use either SHA-1 or RIPEMD/160.  RSA signing
keys can use any hash.

David