SHA1 Collision detected on Github

About 9 days ago something incredibly unlikely happened... something so rare that

If you had five million programmers each generating one commit per second, your chances of generating a single accidental collision before the Sun turns into a red giant and engulfs the Earth is about 50%.

A few weeks ago, researchers announced SHAttered, the first collision of the SHA-1 hash function, at Github. Similar to how a Bitcoin is a series of zeroes in a long row discovered by gradually adding static noise to the signal, this collission is likely a big chunk of random characters and noise.

Amazingly this event now has it's own website, and Y2K style frenzied rush to swap out sha1 for sha256/512. Never fear though because as they say:

Today, many applications still rely on SHA-1, even though theoretical attacks have been known since 2005, and SHA-1 was officially deprecated by NIST in 2011. We hope our practical attack on SHA-1 will increase awareness and convince the industry to quickly move to safer alteratives, such as SHA-256.

Try This At Home?

This attack required over 9,223,372,036,854,775,808 SHA1 computations. This took the equivalent processing power as 6,500 years of single-CPU computations and 110 years of single-GPU computations. So give it a go yourself (hehe) the source code is available.

What about SHA256 any chances there of a collision?

The hash input space of SHA256, which to be honest is not something I think I understand because I thought all hash functions have infinite input space, is something like this many terabytes:


By my calculations, to get even a slim 0.0000001% chance of a collision with SHA256 you'd need to run through 4.8×10 to 29 of hash runs, or this many:


That's just for a 0.0000001% chance of collision.