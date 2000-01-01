Hacker News new | comments | show | ask | jobs | submit login
Lessons from the History of Attacks on Secure Hash Functions (z.cash)
From what I understand, the Feb 23rd SHA-1 attack was possible because they figured out how to get the internal state (160 bits or 5 words of 32 bits) to match from two separate pieces of data. After that, additional data could be appended to the first two pieces as long as it was identical.

The internal state would play back the same sequence from there on, just like two random number generators starting from the same seed.

Here is a comparison of internal state sizes:

https://en.wikipedia.org/wiki/SHA-0#Comparison_of_SHA_functi...

SHA-256 is susceptible to this same flaw, it would just take longer because it has about about 128 bits of security instead of less than 80 for SHA-1. It looks like only SHA-3 really "gets it" with a 1600 bit state size.

After all of the effort put into making highly pseudo-random hash functions, it's a wonder that the state size was only the size of the hash. By comparison, Mersenne Twister's state size is 19937 bits (624 words of 32 bits minus 31 bits):

http://www.quadibloc.com/crypto/co4814.htm

Does anyone know why hash algorithms keep using such small state sizes, leaving us vulnerable to this same issue?

> Another interesting pattern that I perceive in these results is that maybe sometime between 1996 (Tiger) and 2000 (Whirlpool), humanity learned how to make collision-resistant hash functions,

I actually feel that this can be even more generalized: At some point people learned to create unbreakable algorithms. There is literally no mainstream crypto algorithm beyond the 2000s that has seen any significant breakage. And very likely there never will be, with one exception: quantum computers will break modern ECC.

I think there's simply a dark age of crypto research with 90s algos and earlier. Which isn't surprising: Back then people were fighting whether it's even legal to do that kind of research.

This is far too optimistic - just look at the "History" chart. The average age of 90s hashes when they were broken was 10-15 years. It's equally probable that the "modern" algorithms are just too young for us to see them broken.

SHA-2 was originally published in 2001. The digest sizes are also much bigger. I don't think it's really 'equally probable'. There are even cryptographers who think it's not at all probable, ever.

"Unbreakable algorithms"? Save for the OTP - in the mathematical, not the rubber hose sense - as far as we know, there is no such thing.

> quantum computers will break modern ECC

And RSA. And Diffie-Helman.

They're far older than 2000.

My point was: Modern ECC (X25519 and friends) are the only post-2000 invented mainstream algs where any realistic breakage is in sight.

