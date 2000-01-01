The internal state would play back the same sequence from there on, just like two random number generators starting from the same seed.
Here is a comparison of internal state sizes:
https://en.wikipedia.org/wiki/SHA-0#Comparison_of_SHA_functi...
SHA-256 is susceptible to this same flaw, it would just take longer because it has about about 128 bits of security instead of less than 80 for SHA-1. It looks like only SHA-3 really "gets it" with a 1600 bit state size.
After all of the effort put into making highly pseudo-random hash functions, it's a wonder that the state size was only the size of the hash. By comparison, Mersenne Twister's state size is 19937 bits (624 words of 32 bits minus 31 bits):
http://www.quadibloc.com/crypto/co4814.htm
Does anyone know why hash algorithms keep using such small state sizes, leaving us vulnerable to this same issue?
I actually feel that this can be even more generalized: At some point people learned to create unbreakable algorithms.
There is literally no mainstream crypto algorithm beyond the 2000s that has seen any significant breakage. And very likely there never will be, with one exception: quantum computers will break modern ECC.
I think there's simply a dark age of crypto research with 90s algos and earlier. Which isn't surprising: Back then people were fighting whether it's even legal to do that kind of research.
And RSA. And Diffie-Helman.
My point was: Modern ECC (X25519 and friends) are the only post-2000 invented mainstream algs where any realistic breakage is in sight.
