Skip to content

SHA-1 Hash Collision Demonstrated – At Predicted Cost Levels

The research result on October 2015 from Dutch CWI estimated that finding a SHA-1 hash collision is possible, and the order of magnitude of the cost is around $100 000. See our previous: SHA-1 is no longer considered secure.

Fresh result from same team with sponsored computing cluster capacity demonstrates that this is indeed correct cost estimate.

Actual Impact of SHA-1 Hash Collisions

The actual impact has not changed in past year and half:

  • Rapid challenge/response processing is safe because finding a collision takes at least hours, probably weeks or months.
  • Long term signature non-repudiation security depends on the value of that signature — if spending $100 000 is low enough cost for somebody to replace whatever is behind given signature, then that long term signature is not safe if it involves SHA-1 hashes.

Previously the cost level of producing this kind of hash collision has been at levels of so called State Actors. This sub-million cost level is in corporate / criminal organization ball park. Meaning that organizations wanting to do this kind of things have just become a lot more numerous.

When Will SHA-1 Follow MD5?

Both algorithms are built on similar Merkle-Damgård construction, like is also SHA-2 family.

MD5 timeline:

  • MD5 hash algorithm was published in 1992.
  • First public collision was demonstrated in 2004 taking 1 hour in a computer cluster.
  • Collision break in less than 1 second in 2013 with single PC.

SHA-1 timeline:

  • SHA-1 hash algorithm was published in 1995
  • First public collision was demonstrated in 2017 taking a bit over 1 year of time with around 100 device years executed during it.
  • Public collision demo taking 1 hour or less time in ____ ?
  • Collision break in less than 1 second in ____ ?