How reassuring is 64-bit (in)security?
In Feb 2017, CWI and Google announced the SHAttered hash collision attack on SHA1, which took $2^{63.1}$ work, an estimated 6500 CPU years, to achieve. Therefore, 64-bit should now be considered an insecurity.
However, that's on the cloud computers of one of the largest tech companies in the world, possibly taking hours if not days and weeks to find the collision. So 64-bit assurance may still be meaningful in some scenarios (e.g. hash tables in the implementation of associative arrays), assuming it can be correctly achieved (e.g. the Gimli permutation in Sponge mode with a capacity of at least 128 bits).
Also, $2^{-64}$ seems to be small enough a probability that it's not uncommon for some protocols to happily truncate their MAC to 64 bits, and some PQC KEMs take that as quite a comfortable margin of encryption failure probability.
So my question is: how reassuring is 64-bit security in terms of the fastest (classical) supercomputer in 2018, the Summit of Oak Ridge National Laboratory?
complexity
asked 7 hours ago
DannyNiu
It really depends on your use-case. E.g., 64-bit is fine for MACs where you drop the connection and re-negotiate as soon as you see one MAC validation error.
– SEJPM♦
6 hours ago
2 Answers
Some hash performance results:
- On Amazon AWS P2, up to 16 Nvidia Tesla K80 GPUs have a total of $31664.7$ MH/s SHA-1 calculations.
- The 8x Nvidia GTX 1080 Hashcat Benchmarks have a total of $68771.0$ MH/s SHA-1 calculations.
GTX 1080
This answer is based on the second machine's performance; the cost of one machine is 21,169 USD:
$31664.7\;\text{MH/s} \approx 2^{34}\;\text{H/s}$
If you run the second machine for one hour:
$2^{36} * 2^{12} \approx 2^{48}\;\text{H/s}$ calculations.
Titan
Now Titan contains $18{,}688 \approx 2^{15}$ physical nodes, each of which contains an NVIDIA Kepler™ accelerator (GPU). Assuming that Kepler = GTX 1080 and one node = second machine:
Total SHA-1 calculations of Titan in one hour $\approx 2^{48} * 2^{15} = 2^{60}$
Therefore: the SHAttered hash collision attack on SHA1 can be executed in 8 hours on Titan, since we started with a machine with 8 GPUs.
Cost
$2^{64}$ SHA1 evaluations cost about 1M USD on AWS using p3.16xlarge instances (SejPm's comment).
Note: This calculation is based only on the GPU side, and CPUs are slower in order of magnitude. Only Titan has GPUs. Rhea has only 9. Eos and ARM don't have any.
edited 5 hours ago
answered 6 hours ago
kelalaka
One may want to note that $2^{64}$ SHA1 evaluations cost about 1M USD on AWS using p3.16xlarge instances.
– SEJPM♦
6 hours ago
@SEJPM I was looking for this info. Thanks.
– kelalaka
5 hours ago
There is a huge difference between $2^{-64}$ probability of failure, which is indeed very small, and having to run $2^{64}$ in order to carry out the attack. The latter is much too small to be considered reasonable. Of course, one could argue about protecting secrets that are not very significant and you only need weak protection. However, it is usually very problematic to argue about this. My salary (sexual preference, health situation, etc.) may not be very secret to me, but may be very secret for someone else. It also may not be very secret now but may become so later on. However, beyond all of these arguments, the chance that this is the bottleneck and problem in your application is almost zero. You should use strong cryptography and not make these types of calculations at all. Bottom line, 128-bit security is the minimum required today.
answered 5 hours ago
Yehuda Lindell
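An added example, not part of either answer or the comments: a sketch of the policy from SEJPM's comment on the question (drop the session on the first MAC failure), set next to the $2^{-64}$-probability versus $2^{64}$-work distinction drawn in this answer. HMAC-SHA256 truncation, the `Session` class and all function names are assumptions for illustration; the 16-bit tag is a constructed toy size so the enumeration finishes quickly.

```python
import hashlib
import hmac
import os


def mac(key: bytes, msg: bytes, tag_bits: int) -> bytes:
    """HMAC-SHA256 truncated to tag_bits (assumed MAC; tag_bits multiple of 8)."""
    return hmac.new(key, msg, hashlib.sha256).digest()[: tag_bits // 8]


class Session:
    """Hypothetical receiver: closes after `max_failures` bad tags until rekeyed."""

    def __init__(self, tag_bits: int = 64, max_failures: int = 1):
        self.tag_bits, self.max_failures = tag_bits, max_failures
        self.rekey()

    def rekey(self) -> None:
        self.key, self.failures, self.open = os.urandom(32), 0, True

    def verify(self, msg: bytes, tag: bytes) -> bool:
        if not self.open:
            raise ConnectionError("session closed, re-negotiate keys first")
        ok = hmac.compare_digest(mac(self.key, msg, self.tag_bits), tag)
        if not ok:
            self.failures += 1
            self.open = self.failures < self.max_failures
        return ok


def forgery_bound(tag_bits: int, attempts: int) -> float:
    """Union bound on P[some blind guess verifies] over `attempts` tries."""
    return min(1.0, attempts / 2**tag_bits)


def blind_guesses(session: Session, msg: bytes, limit: int):
    """Enumerate tags against `session`; return guesses used, or None if it closed."""
    size = session.tag_bits // 8
    for i in range(limit):
        try:
            if session.verify(msg, i.to_bytes(size, "big")):
                return i + 1
        except ConnectionError:
            return None
    return None


if __name__ == "__main__":
    # 16-bit tags: constructed toy size; a verifier that never closes is exhausted.
    tolerant = Session(tag_bits=16, max_failures=2**16)
    strict = Session(tag_bits=16, max_failures=1)
    print("tolerant verifier forged after", blind_guesses(tolerant, b"m", 2**16))
    print("strict verifier:", blind_guesses(strict, b"m", 2**16))
    print("64-bit tag, one try per key:", forgery_bound(64, 1))
```

The bound only covers online guessing against a live verifier; it says nothing about primitives where the $2^{64}$ work can be done offline, which is the case the answer above warns about.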