> One downside of these devices is that they are not reprogrammable, so one needs an FPGA designed to try SHA-1 hashes, and one cannot repurpose an FPGA built for BitCoin mining (since that performs SHA-2 hashes).
This is not accurate and I think they confused FPGAs with ASICs. The “FP” in FPGA means “field programmable.” You do need a new design to use an FPGA for SHA-1 instead of SHA-2, but there are probably plenty of SHA-1 implementations out there, and the hardware stays the same.
Yes, that quote is incorrect. An FPGA is the epitome of a reprogrammable computing device: it doesn't have memory within itself and must load a bitstream from an external memory device on every power cycle.
"Schneier’s analysis concludes that finding a SHA-1 collision would cost approximately $700,000 USD by 2015, $173,000 USD by 2018, and $43,000 USD by 2021. These numbers are considered within the range of an organized crime syndicate in 2018, and a university project by 2021."
I'd like to know where the organized crime syndicate budget numbers came from
That criminals can't afford it when it's ~4x the price seems incredibly suspicious.
Maybe it's not worth their money now, but I'm skeptical that having to pony up ~4x the money is going to stop an organized crime syndicate from being in striking range of a collision.
It's already in the range of many mid-sized companies at that price point.
Schneier's estimate assumes rented hardware time, but purchased hardware and multiple attempts would drive down the cost dramatically over time. This estimate also doesn't include optimizations by leveraging previous cycles or spends, or the impact of storing something like a rainbow table.
Given a government budget and time-scale, and ignoring sunk costs, I would think a collision attack could already be in a negligible cost range for any well funded sophisticated attacker that has setup shop.
I don't understand the conclusion that urges the move to sha256 certificates. If the cost of an attack is going down by a factor of 1.5 every year and sha256 is only 1.4x more expensive, then doesn't transitioning to sha256 only serve to delay the problem by less than a year?
You misparsed that line; it's talking about the time to complete a single hash rather than the amount of relative time to find a collision. SHA256 has 128 bits of security to SHA1's heavily wounded <80 bits; there's a significant increase in complexity between the two.
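As an added worked example (my own, not part of the thread, Schneier's paper, or the article quoted above), the arithmetic behind the last two comments in Python: the annual decline factor implied by the quoted $700k/$173k/$43k figures, a measured per-hash time ratio of SHA-256 to SHA-1, and how many years of a 1.5x/year cost decline it takes to absorb the gap between an 80-bit SHA-1 attack and SHA-256's 128-bit birthday bound. The 80-bit figure is an assumption standing in for the comment's "<80 bits"; the year/cost pairs are taken from the quote in the thread.

```python
"""Cost-decline vs. collision-complexity arithmetic for SHA-1 vs SHA-256.

Added example; inputs come from the comment thread, not from a benchmark or paper:
  - projected collision costs $700k (2015), $173k (2018), $43k (2021)
  - a ~1.5x per-year decline in attack cost
  - SHA-256 costing ~1.4x SHA-1 per hash evaluation
  - SHA-1 attack cost "<80 bits" (assumed here as exactly 80, an upper bound)
"""
import hashlib
import math
import timeit

# USD figures as quoted in the thread (constructed table, not independently verified)
SCHNEIER_ESTIMATES = {2015: 700_000, 2018: 173_000, 2021: 43_000}

SHA1_ATTACK_BITS = 80          # assumption: stand-in for the comment's "<80 bits"
COST_DECLINE_PER_YEAR = 1.5    # from the thread: attack cost drops 1.5x each year
SHA256_PER_HASH_FACTOR = 1.4   # from the thread: one SHA-256 costs 1.4x one SHA-1


def implied_annual_decline(estimates):
    """Geometric-mean factor by which cost falls per year across the quoted estimates."""
    years = sorted(estimates)
    first, last = years[0], years[-1]
    return (estimates[first] / estimates[last]) ** (1.0 / (last - first))


def projected_cost(base_year, base_cost, target_year, annual_factor):
    """Extrapolate a cost forward (or back) assuming a constant yearly decline factor."""
    return base_cost / annual_factor ** (target_year - base_year)


def per_hash_slowdown(n_bytes=64, number=20_000):
    """Wall-clock ratio of one SHA-256 to one SHA-1 on short inputs (machine dependent)."""
    data = b"x" * n_bytes
    t_sha1 = timeit.timeit(lambda: hashlib.sha1(data).digest(), number=number)
    t_sha256 = timeit.timeit(lambda: hashlib.sha256(data).digest(), number=number)
    return t_sha256 / t_sha1


def birthday_bound_bits(output_bits):
    """Generic collision work for an n-bit hash is ~2^(n/2) evaluations."""
    return output_bits / 2


def years_to_close_gap(extra_bits, annual_factor):
    """Years a decline of annual_factor per year needs to erase 2^extra_bits extra work."""
    return extra_bits * math.log(2) / math.log(annual_factor)


if __name__ == "__main__":
    f = implied_annual_decline(SCHNEIER_ESTIMATES)
    print(f"decline implied by the quoted figures: {f:.2f}x per year")
    print(f"2021 cost extrapolated from 2015 at 1.5x/yr: ${projected_cost(2015, 700_000, 2021, COST_DECLINE_PER_YEAR):,.0f}")
    print(f"sha256/sha1 per-hash time on this machine: {per_hash_slowdown():.2f}x")

    gap_bits = birthday_bound_bits(256) - SHA1_ATTACK_BITS
    print(f"SHA-256 collision needs 2^{gap_bits:.0f} times the work of an {SHA1_ATTACK_BITS}-bit SHA-1 attack")
    print(f"at {COST_DECLINE_PER_YEAR}x/yr that gap takes {years_to_close_gap(gap_bits, COST_DECLINE_PER_YEAR):.0f} years to close")
    # The per-hash slowdown the commenter misread is worth only log2(1.4) bits of extra work:
    print(f"a {SHA256_PER_HASH_FACTOR}x slower hash alone buys {years_to_close_gap(math.log2(SHA256_PER_HASH_FACTOR), COST_DECLINE_PER_YEAR):.2f} years")
```

The last two lines are the point of the exchange: the 1.4x per-hash factor is worth less than a year of cost decline, exactly as the question supposes, but the 2^48 difference in collision work between an 80-bit attack and a 128-bit birthday bound is worth roughly eight decades at the same rate.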