About 9 days ago something incredibly unlikely happened… something so rare that
If you had five million programmers each generating one commit per second, your chances of generating a single accidental collision before the Sun turns into a red giant and engulfs the Earth is about 50%.
A few weeks ago, researchers announced SHAttered, the first collision of the SHA-1 hash function, at Github. Similar to how a Bitcoin is a series of zeroes in a long row discovered by gradually adding static noise to the signal, this collission is likely a big chunk of random characters and noise.
Amazingly this event now has it’s own website, and Y2K style frenzied rush to swap out sha1 for sha256/512. Never fear though because as they say:
Today, many applications still rely on SHA-1, even though theoretical attacks have been known since 2005, and SHA-1 was officially deprecated by NIST in 2011. We hope our practical attack on SHA-1 will increase awareness and convince the industry to quickly move to safer alteratives, such as SHA-256.
Try This At Home?
This attack required over 9,223,372,036,854,775,808 SHA1 computations. This took the equivalent processing power as 6,500 years of single-CPU computations and 110 years of single-GPU computations. So give it a go yourself (hehe) the source code is available.
What about SHA256 any chances there of a collision?
The hash input space of SHA256, which to be honest is not something I think I understand because I thought all hash functions have infinite input space, is something like this many terabytes:
120,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000
By my calculations, to get even a slim 0.0000001% chance of a collision with SHA256 you’d need to run through 4.8×10 to 29 of hash runs, or this many:
480,000,000,000,000,000,000,000,000,000
That’s just for a 0.0000001% chance of collision.
