SHA1 broken?

David Shaw dshaw at
Wed Feb 16 20:08:11 CET 2005

On Wed, Feb 16, 2005 at 07:54:35PM +0100, Werner Koch wrote:
> On Wed, 16 Feb 2005 11:57:36 -0500, David Shaw said:
> > Yes it is.  Assuming this is true, we must start migrating away from
> > SHA-1.  Actually, we should start this anyway - even the NIST
> > recommends moving away from SHA-1 for long-term security.
> The real problem with the breakthrough is that it seems that they
> have developed a new cryptanalytical method and that might pave the
> way for further improvements.  Over the last 2 decades the art of
> cryptanalysis has changed dramatically in the area of symmetric
> ciphers.  This will probably also happen to hash algorithms now.
> There is however a huge problem replacing SHA-1 by something else from
> now to tomorrow: Other algorithms are not as well analyzed and
> compared against SHA-1 as for example AES to DES are; so there is no
> immediate successor of SHA-1 which we can be sure will withstand the
> possible new techniques.  Second, SHA-1 is tightly integrated in many
> protocols without a fallback algorithm (OpenPGP: fingerprints, MDC,
> default signature algorithm and more).

Yes.  The update cannot happen overnight.  I see this like MD5 a few
years back.  It is time to start the migration now because it will
certainly take several years to complete.

As you point out, the first step in the migration is knowing what to
migrate to, and that is not at all clear yet.  Until we know what
we're doing, I think we can do more harm by running around crazy and
changing things without careful study.
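As an added example, not part of this thread or of GnuPG's own code, here is what the digest-preference part of such a migration looks like in gpg.conf: a constructed "before" configuration that still ranks SHA1 first, the hardened SHA-2-first settings beside it, and a small POSIX shell/awk check that flags any preference line where SHA1 outranks a SHA-2 digest. The option names (personal-digest-preferences, cert-digest-algo, default-preference-list) are real GnuPG options; the two sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example: gpg.conf digest preferences before and after moving
# away from SHA-1, plus a check that SHA1 no longer outranks SHA-2.

# Constructed "before" configuration: SHA1 ranked first and used for
# self-signatures (the historical default).
weak_conf() {
cat <<'EOF'
personal-digest-preferences SHA1 SHA256
cert-digest-algo SHA1
EOF
}

# Hardened configuration: SHA-2 family first, self-signatures with
# SHA512, and SHA1 absent from the advertised preference list.
hardened_conf() {
cat <<'EOF'
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
EOF
}

# Reads a gpg.conf on stdin. Exits 0 if no preference line ranks SHA1
# ahead of a SHA-2 digest and cert-digest-algo is not SHA1; otherwise
# prints each offending line and exits 1.
check_conf() {
    awk '
      $1 == "cert-digest-algo" && $2 == "SHA1" { bad = 1; print "weak: " $0 }
      $1 == "personal-digest-preferences" || $1 == "default-preference-list" {
          for (i = 2; i <= NF; i++) {
              if ($i == "SHA1") { bad = 1; print "weak: " $0; break }
              if ($i ~ /^SHA(224|256|384|512)$/) break
          }
      }
      END { exit (bad ? 1 : 0) }'
}

# Usage: the weak config fails the check, the hardened one passes.
weak_conf | check_conf
hardened_conf | check_conf && echo "hardened config: ok"
```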

