On Thu, 23 Feb 2017 15:03:34 -0500, Patrick W. Gilmore <patr...@ianai.net>
wrote:
More seriously: The attack (or at least as much as we can glean from the
blog post) cannot find a collision (file with same hash) from an
arbitrary file. The attack creates two files which have the same hash,
which is scary, but not as bad as it could be.
Exactly. This is just more sky-is-falling nonsense. Of course collisions
exist. They occur in every hash function. It's only marginally noteworthy
when someone finds a collision. It's neat the Google has found a way to
generate a pair of files with the same hash -- at colossal computational
cost! However this in no way invalidates SHA-1 or documents signed by
SHA-1. You still cannot take an existing document, modify it in a
meaningful way, and keep the same hash.
[Nor can you generate a blob to match an arbitrary hash (which would be
death of all bittorrent)]
