Is it safe to ignore the possibility of SHA collisions in practice?

The usual answer goes thus: what is the probability that a rogue asteroid crashes on Earth within the next second, obliterating civilization-as-we-know-it, and killing off a few billion people ? It can be argued that any unlucky event with a probability lower than that is not actually very important.

If we have a "perfect" hash function with output size n, and we have p messages to hash (individual message length is not important), then probability of collision is about p²/2ⁿ⁺¹ (this is an approximation which is valid for "small" p, i.e. substantially smaller than 2^n/2). For instance, with SHA-256 (n=256) and one billion messages (p=10⁹) then the probability is about 4.3*10^-60.

A mass-murderer space rock happens about once every 30 million years on average. This leads to a probability of such an event occurring in the next second to about 10^-15. That's 45 orders of magnitude more probable than the SHA-256 collision. Briefly stated, if you find SHA-256 collisions scary then your priorities are wrong.

In a security setup, where an attacker gets to choose the messages which will be hashed, then the attacker may use substantially more than a billion messages; however, you will find that the attacker's success probability will still be vanishingly small. That's the whole point of using a hash function with a 256-bit output: so that risks of collision can be neglected.

Of course, all of the above assumes that SHA-256 is a "perfect" hash function, which is far from being proven. Still, SHA-256 seems quite robust.

I can't agree with the conclusion. Yes, no hardisks can store that number of files, but you IMO misinterpret the situation. It only takes two files to produce a collision. Although the possibility is very low it still can happen.

sharptooth 2010-10-25 12:00:42

@sharptooth: no, I'm not misrepresenting the situation. The possibility of you and everyone you know dying from a road accident on the same day is very low, but it still can happen (and it is much higher than that of an SHA-256 collision). Yet you are ignoring that possibility.

Michael Borgwardt 2010-10-25 12:18:30

@Michael Borgwardt: You're right, but I don't ignore that possibility - I take certain steps that make the possibility lower. Also in case of a road accident the head count very rarely exceeds say one hundred people, but in case of a nuclear plant disaster head count can easily exceed hundreds thousands of people.

sharptooth 2010-10-25 12:21:57

@sharptooth: I was talking about *separate*, simultaneous road accidents of a few hundred specific people. You can't really take any stepts to make that lower. It would be pointless, as it's already bizarrely low. But still so much more likely than an SHA-256 collision that you can't even imagine how much. It's the same argument as Thomas made.

Michael Borgwardt 2010-10-25 12:31:00

@Michael Borgwardt: I gave this problem a thought and I still believe you're wrong. You don't take the number of program instances into account. Yes, maybe a chance of the program malfunctioning is very low, but if you have a gazillion copies - say on every plastic bag and on every tiny manufactured thing chances grow significantly. I don't say that every such defect is automatically a showstopper, but the number of deployed copies should be taken into account.

sharptooth 2010-10-27 11:42:52

@sharptooth: No, the chances do *not* grow significantly, because the number is still absolutely dwarfed by the size of the SHA-256 hash space. This is the one thing you're not taking into account properly - all the factors have to be weighted by their actual magnitude, not equally. If you generated one billion hashes per second for every single person on Earth, and did that for one thousand years, you'd still have less than 1% chance of a collision.

Michael Borgwardt 2010-10-27 12:24:55

@Michael Borgwardt: Yes, I understand that, but those factors *need to be taken into account*. Just saying that probability of one hash collision is very low regardless of the number of program copies and computation rate is not enough.

sharptooth 2010-10-27 12:41:22

Sounds like good reasoning. What is a "space rock" - some body that is flying out in space and can hit the Earth?

sharptooth 2010-10-25 12:23:48

This is a very good answer, thanks!But, if in case of collision a nuclear power plant will explode, and it depends on you, will you take that risk? If you are completely right, then we can take the risk, because it is 45 orders of magnitude more probable the civilization to be destroyed. Right?

Hristo Hristov 2010-10-25 13:13:30

@Hristo Hristov: My guess is that all cases of such reasoning imply that if such disaster happens either noone survives or noone will take time to find who is at fault and punish that person.

sharptooth 2010-10-25 14:15:14

ansaurus

tags:

views:

answers:

Is it safe to ignore the possibility of SHA collisions in practice?

related questions