How easy is it in 2022 to find a SHA1 collision?

Meet this huge !!
According to some Hashcat benchmarks, a current Nvidia GPU can compute SHA-1 hashes at a rate of:

NVIDIA GeForce RTX 3090 ~22.6×109 hashes per second
NVIDIA GeForce RTX 3080 Ti ~21.7×109 hashes per second

And AMD graphics cards seems to perform in the same range as per this benchmark:

SHA-1 Speed.#1………: 20.6×109

Given its MSRP price of ~\$649, the AMD RX 6800 XT seems to be our best candidate to conduct a similar attack. (Notwithstanding any chip shortage driving the prices Up like crazy…)

Next, according to the 2017 shattered.it Website and paper:

This attack required over 9,223,372,036,854,775,808 SHA1 computations [9×1018]. This took the equivalent processing power as 6,500 years of single-CPU computations and 110 years of single-GPU computations.

But as mentioned in fgrieu’s comment, in 2020, a new paper (“SHA-1 is a Shambles”) came out, further improving the SHAttered attack in which they estimated the cost of their attack to \$~2^{61.6}=3.5times 10^{18}\$ SHA-1 computations vs. the \$2^{63}\$ computations in the SHAttered one (see Table 4.)

We can thus compute that with the current GPUs it takes:

\$\$frac{2^{61.6}}{20.6×10^9} approx 169times10^6\$\$

seconds with a single GPU, which is ~5.36 years.
But this parallelizes relatively well, so you could just add more GPUs to the mix and you could get one in six months with 10 GPUs, or in 2 months with 30 GPUs… And that’s at a theoretical cost of ~\$19,470 of GPUs, plus ~ \$2,000 of electricity costs running your 30 GPUs for 2 months…

You can also just rent three p3.16xlarge AWS instance with a hash rate of ~135GH/s each at a cost of ~\$24.48 per instance per hour, for a total of 405GH/s for \$73.44 per hour. That would take you ~2397.12 hours (3 months) and cost you ~\$176,044.

Remarkably, we can see that in only 5 years, we’re down from an attack costing ~110 GPU years to an attack costing ~8 GPU-years in 2020 (thanks to theoretical improvements & newer GPUs) to just ~5.4 GPU years nowadays (thanks to newer, faster GPUs).

Also note that this is not taking possible ASICs into account, unlike this 2021 paper (“On The Cost of ASIC Hardware Crackers: A SHA-1 Case Study”) which answers your question when assuming custom ASICs are an option:

In particular, we remark that the chosen-prefix collisions for SHA-1 can be generated in under a minute, with an ASIC cluster that costs a few dozen Millions dollars. Such ability would allow an attacker to apply the SLOTH attack on TLS or SSH connections using SHA-1.

Finally, if we take into account supercomputers and the Bitcoin network, this question is already covered in this excellent answer by kelalaka from 2018, and things aren’t looking good: the Bitcoin network could do it in 1s, given its current hashrate of over 200TH/s… Yup: one second! But that’s not technically true since Bitcoin’s dedicated hardware is actually specialized in computing SHA-256 hashes.

In a more realistic way, it would take less than a day to do it on a super-computer such as the one owned by the US Department of Energy’s Oak Ridge National Laboratory (ORNL) named “Summit”.

Share this on knowasiak.com to discuss with people on this topicSign Up on Knowasiak.com now if you’re not registered yet.

About the author: Roxane

Get involved!

Get Connected!
One of the Biggest Social Platform for Entrepreneurs, College Students and all. Come and join our community. Expand your network and get to know new people!