Abstinence programs make kids have sex
The German weekly "Der Spiegel" picked up the story (you can read it here). They, unlike the New York Times, also identify the source of the study: Texas A&M University.
Already, from Bruce’s comments:
It’s important to qualify what is meant by “broken” — the ability to find collisions weakens the use of a cryptographic hash in digital signatures. The speedup is about 0.0005 over the brute force average for finding a collision.
and
It’s a 2^69 attack against SHA-1, which has the distinct problem of being 32x the complexity of bruting MD5 (2^5 = 32). We never did see an MD5 brute; we needed Wang’s reduction to a 2^24 to 2^32 for us to eventually end up with vectors.
So there’s no need to panic, there’s need for a response and responsible management of this issue.
It’s already all over the net, but Bruce Schneier says it best:
SHA-1 has been broken. Not a reduced-round version. Not a simplified version. The real thing. [full text]
Now I’m waiting for the usual suspects (Bruce included, of course) to weigh in. Is RIPEMD-160 vulnerable as well? Does the attack actually work? More to follow…