Given the rate required for this, it's not a reasonable assumption. It's like saying Amazon sees SHA-256 collisions between S3 buckets. Just doesn't happen in practice.
But that number is super misleading - you can't actually get that much compute from NiceHash; you would struggle to get that much compute even from AWS.
Your real costs are going to be much higher; it would probably take you more than an hour to spin it all up and execute the attack. I feel a realistic number is 10x to 100x higher.
Because if we can drive storage costs much closer to zero (e.g.: a beefed up local server), we can keep storing hashes and the next collision should be much closer. Starting and stopping and throwing away the previous work does work out to $560K per collision, but doesn't it just keep getting cheaper if you keep going?
Hashing hardware capability is typically measured in trillions per second (TH/s) so the math might be better using trillion instead of billion. As I understand it, the rental cost of 1 PH/s (which I think is one-thousand-trillion?) is about $10/hour. From that I think you could work out an actual cost to generate a collision!
Does it? At 50M TH/s (https://www.blockchain.com/en/charts/hash-rate) that's 10^8 TH/s, or 10^8 × 10^12 = 10^20 hashes per second. There are fewer than 10^5 seconds in a day, so surely that's only 10^25 per day. If I've messed up each of these numbers by an order of magnitude, that would leave it still well under 10^30.
> The time needed for a homogeneous cluster to produce the collision would then have been of 114 K20-years, 95 K40-years or 71 K80-years
If I'm reading that correctly, 852 (71 * 12) K80 cards gets that down to a month, which sounds well within the reach of NSA et al.
Even getting it down to a day (71 * 12 * 30=25,560 cards) seems feasible. Assuming $10k per card ($5k launch price + doubled to account for supporting hardware), the upfront investment is around $0.25 billion, a figure that sounds plausible given, e.g., that the Utah data centre is budgeted at around $2 billion.
Edit: formatting fix. Also, this is of course assuming custom hardware designed for a specific hash function isn't employed.
The 1 trillion figure is only after factoring in that you would need multiple false positives to trigger the feature. It's not descriptive of the actual false positive rate of the hashing itself.
As a point of comparison, it looks like you can get 650 million/s on a cg1.4xlarge instance [1] (Amazon's GPU computing instance with 2x Tesla Fermi M2050 GPUs), and it looks like they cost $2.10/hour per instance. So some quick math does show that cracking SRP is only about 572 times slower, if we normalize for cost of the instances on EC2.
It takes approximately 2^64 attempts to find a 128-bit collision. The Bitcoin network as a whole--with custom ASICs--computes 2^61 SHA256 compression function calls per second and consumes 150 MW, so it would take it 8 seconds. Or it would take 160 000 secs/44 hours with a single dense rack (7.5 kW) of custom ASICs.
So yeah, if you care about the security of a cryptocurrency, this 2^64 collision attack is very doable and unacceptable. The rule of thumb in crypto is to aim at making attacks cost at least 2^128.
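The comments above and the K80 thread earlier do the same back-of-the-envelope arithmetic by hand: birthday-bound attempts for a digest width, divided by an assumed hash rate, then rescaled to a power budget, a deadline or a rental price. The following calculator is an added example written for this page, not code from any commenter; the rate, power and price constants are the figures the commenters quote (2^61 SHA-256/s at 150 MW, a 7.5 kW rack, 71 K80-years, $10/hour per PH/s) and are labelled as such, and the "12 months × 30 days" year follows the rounding used in the thread rather than a calendar year.

```python
"""Birthday-bound collision cost estimator (added example, not from the thread)."""
import math

# Constructed constants echoing numbers quoted in the thread; they are the
# commenters' estimates, not measurements made here.
BITCOIN_HASHES_PER_SEC = 2 ** 61      # whole-network SHA-256 compression calls/s
BITCOIN_POWER_W = 150e6               # 150 MW for that rate
RACK_POWER_W = 7.5e3                  # one dense rack of the same ASICs
K80_CARD_YEARS_FOR_SHA1 = 71          # from the quoted SHA-1 GPU estimate
RENTAL_USD_PER_HOUR_PER_PHS = 10.0    # "about $10/hour for 1 PH/s"
DAYS_PER_YEAR_THREAD = 12 * 30        # the thread's rounding: 12 months of 30 days


def birthday_attempts(digest_bits: int) -> int:
    """Generic birthday attack: about 2^(n/2) evaluations for an n-bit digest."""
    return 2 ** (digest_bits // 2)


def preimage_attempts(digest_bits: int) -> int:
    """Brute-force preimage: about 2^n evaluations; shown for contrast."""
    return 2 ** digest_bits


def seconds_to_collide(digest_bits: int, hashes_per_second: float) -> float:
    """Expected wall-clock seconds to hit the birthday bound at a given rate."""
    return birthday_attempts(digest_bits) / hashes_per_second


def rate_at_power(reference_rate: float, reference_power_w: float,
                  available_power_w: float) -> float:
    """Assume hash rate scales linearly with power for the same ASIC design."""
    return reference_rate * available_power_w / reference_power_w


def devices_for_deadline(device_years: float, deadline_days: float) -> int:
    """Convert a 'device-years' figure into devices needed to finish in time,
    using the thread's 360-day year so the numbers match the comments."""
    return math.ceil(device_years * DAYS_PER_YEAR_THREAD / deadline_days)


def rental_cost_usd(digest_bits: int, petahashes_per_second: float,
                    usd_per_hour_per_phs: float = RENTAL_USD_PER_HOUR_PER_PHS) -> float:
    """Rental cost for the expected birthday-bound work at a quoted PH/s price."""
    rate = petahashes_per_second * 1e15
    hours = seconds_to_collide(digest_bits, rate) / 3600
    return hours * petahashes_per_second * usd_per_hour_per_phs


if __name__ == "__main__":
    # 128-bit digest against the whole Bitcoin network: the commenter's "8 seconds".
    print("128-bit, full network:", seconds_to_collide(128, BITCOIN_HASHES_PER_SEC), "s")
    rack_rate = rate_at_power(BITCOIN_HASHES_PER_SEC, BITCOIN_POWER_W, RACK_POWER_W)
    print("128-bit, one rack:", seconds_to_collide(128, rack_rate) / 3600, "h")
    # Why 2^128 is the rule of thumb: a 256-bit digest at the same rate.
    print("256-bit, full network:", seconds_to_collide(256, BITCOIN_HASHES_PER_SEC), "s")
    # The K80 estimate rescaled to a month and a day.
    print("K80 cards for a month:", devices_for_deadline(K80_CARD_YEARS_FOR_SHA1, 30))
    print("K80 cards for a day:", devices_for_deadline(K80_CARD_YEARS_FOR_SHA1, 1))
    print("Rental cost, 128-bit at 1 PH/s: $%.2f" % rental_cost_usd(128, 1.0))
```

The point the calculator makes visible is that the interesting variable is the digest width: doubling it from 128 to 256 bits turns an 8-second job into one of roughly 2^67 seconds at the same rate, which is why the 2^128 rule of thumb exists and why the hash rate of any particular network is almost beside the point once the digest is wide enough.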
Unless my math is off, the combined power of the bitcoin network could find collisions in seconds (ignoring SHA-1 vs SHA-256). It isn't too unreasonable to assume that kind of hardware power would be available to nation states.
> the AGC results in a hash rate of 10.3 seconds per Bitcoin hash VS a relatively slow USB hash device that performs at 130 billion hashes per second.
> it would take the AGC 4×10^23 seconds on average to find a block. Since the universe is only 4.3×10^17 seconds old, it would take the AGC about a billion times the age of the universe to successfully mine a block.
I would think they are sophisticated enough that they could have a parameter for their client specifying a target hash rate and slowly ramp it up (over weeks/months), looking more or less just like other sorts of hardware coming online. It would take some work to hide in a pool or whatever, but I don't think it would be a big problem.
Or, if you had sufficient budget, not even completely unreasonable for a nation-state that presumably could use a very large cluster for other purposes, generate a collision in an hour or two. That would be an interesting exercise - how much hardware/kWh would it take to generate a SHA-1 collision in 60 minutes?