How reassuring is 64-bit (in)security?

In Feb 2017, CWI and Google announced the SHAttered hash collision attack on SHA1, which took $2^{63.1}$ work, estimated at 6500 CPU years, to achieve. Therefore, 64-bit should now be considered an insecurity.

However, that's on the cloud computers of one of the largest tech companies in the world, possibly taking hours if not days and weeks to find the collision. So 64-bit assurance may still be meaningful in some scenarios (e.g. hash tables in the implementation of associative arrays), assuming it can be correctly achieved (e.g. Gimli permutation in Sponge mode with a capacity of at least 128 bits).

Also, $2^{-64}$ seems to be a small enough probability that it's not uncommon for some protocols to happily truncate their MAC to 64 bits, and some PQC KEMs take that as quite a comfortable margin of encryption failure probability.

So my question is: how reassuring is 64-bit security in terms of the fastest (classical) supercomputer in 2018, the Summit of Oak Ridge National Laboratory?







complexity






asked 7 hours ago
DannyNiu

  • It really depends on your use-case. E.g. 64-bit is fine for MACs where you drop the connection and re-negotiate as soon as you see one MAC validation error.
    – SEJPM♦
    6 hours ago
















2 Answers
accepted

Some hash performance results:

  1. On Amazon AWS P2, up to 16 Nvidia Tesla K80 GPUs have a total of $31664.7$ MH/s SHA-1 calculations.

  2. On 8x Nvidia GTX 1080 Hashcat Benchmarks, a total of $68771.0$ MH/s SHA-1 calculations.

GTX 1080

This answer is based on the second machine's performance, with the cost of one machine being 21,169$:

$31664.7\;MH/s \approx 2^{34} H/s$

If you run the second machine for one hour:

$2^{36}*2^{12} \approx 2^{48} H/s$ calculations.

Titan

Now Titan contains $18,688 \approx 2^{15}$ physical nodes, each of which contains an NVIDIA Kepler™ accelerator (GPU). Assuming that Kepler = GTX 1080 and one node = second machine:

Total SHA-1 calculations of Titan in one hour $\approx 2^{48}*2^{15} = 2^{60}$

Therefore: the SHAttered hash collision attack on SHA1 can be executed in 8 hours on Titan, since we started with a machine with 8 GPUs.

Cost

$2^{64}$ SHA1 evaluations cost about 1M USD on AWS using p3.16xlarge instances (SEJPM's comment).

Note: This calculation is based only on the GPU side; CPUs are slower by an order of magnitude. Only Titan has GPUs. Rhea has only 9. Eos and ARM don't have any.






edited 5 hours ago
answered 6 hours ago
kelalaka

  • One may want to note that $2^{64}$ SHA1 evaluations cost about 1M USD on AWS using p3.16xlarge instances.
    – SEJPM♦
    6 hours ago

  • @SEJPM I was looking for this info. Thanks.
    – kelalaka
    5 hours ago












There is a huge difference between $2^{-64}$ probability of failure, which is indeed very small, and having to run $2^{64}$ in order to carry out the attack. The latter is much too small to be considered reasonable. Of course, one could argue about protecting secrets that are not very significant and you only need weak protection. However, it is usually very problematic to argue about this. My salary (sexual preference, health situation, etc.) may not be very secret to me, but may be very secret for someone else. It also may not be very secret now but may become so later on. However, beyond all of these arguments, the chance that this is the bottleneck and problem in your application is almost zero. You should use strong cryptography and not make these types of calculations at all. Bottom line, 128-bit security is the minimum required today.







answered 5 hours ago
Yehuda Lindell
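An added example, not part of either answer or of the comments: it puts the two quantities this thread contrasts side by side, the online acceptance probability of a 64-bit truncated MAC when the receiver closes the session on the first bad tag, and the wall-clock time for $2^{64}$ offline hash evaluations at the hash rate and node count quoted in the first answer. The function and class names, the use of HMAC-SHA256, and the $2^{20}$ failed-session budget are assumptions made for illustration.

```python
import hashlib
import hmac
import random


def mac(key: bytes, msg: bytes, tag_bytes: int) -> bytes:
    """HMAC-SHA256 truncated to tag_bytes (8 bytes is the 64-bit tag in question)."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:tag_bytes]


class Session:
    """Receiver that closes on the first bad tag (the policy in SEJPM's comment)."""

    def __init__(self, key: bytes, tag_bytes: int = 8):
        self.key, self.tag_bytes, self.alive = key, tag_bytes, True

    def verify(self, msg: bytes, tag: bytes) -> bool:
        if not self.alive:
            raise ConnectionError("session closed; renegotiate a fresh key")
        ok = hmac.compare_digest(mac(self.key, msg, self.tag_bytes), tag)
        if not ok:
            self.alive = False  # a single failure retires this key
        return ok


def online_forgery_bound(tag_bits: int, sessions: int) -> float:
    """Union bound: one blind guess per session, each accepted w.p. 2^-tag_bits."""
    return min(1.0, sessions * 2.0 ** -tag_bits)


def offline_hours(work_bits: float, hashes_per_sec: float, machines: int = 1) -> float:
    """Hours for 2^work_bits hash evaluations when no verifier limits the rate."""
    return 2.0 ** work_bits / (hashes_per_sec * machines) / 3600.0


def simulate_guesses(tag_bytes: int, sessions: int, seed: int = 1) -> int:
    """Monte Carlo check of the bound: accepted blind guesses over fresh sessions."""
    rng = random.Random(seed)  # seeded for repeatability; never use for real keys
    rand = lambda n: rng.getrandbits(8 * n).to_bytes(n, "big")
    hits = 0
    for _ in range(sessions):
        session = Session(rand(32), tag_bytes)
        hits += session.verify(b"constructed message", rand(tag_bytes))
    return hits


if __name__ == "__main__":
    rate = 68771.0e6  # H/s: the 8x GTX 1080 SHA-1 figure quoted in the first answer
    print("2^64 offline, 1 machine:       %.0f h" % offline_hours(64, rate))
    print("2^64 offline, 18,688 machines: %.1f h" % offline_hours(64, rate, 18688))
    # Assumption for illustration: the peer tolerates 2^20 failed sessions overall.
    print("64-bit tag, 2^20 sessions: P <= %.1e" % online_forgery_bound(64, 2 ** 20))
    print("8-bit tag, 20000 sessions: %d accepted, bound %.0f"
          % (simulate_guesses(1, 20000), 20000 * online_forgery_bound(8, 1)))
```

The simulation uses an 8-bit tag only so that accepted guesses are frequent enough to count; the same bound applied to a 64-bit tag is what the `online_forgery_bound(64, ...)` line reports.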
