在实践中忽略 SHA 冲突的可能性是否安全? [英] Is it safe to ignore the possibility of SHA collisions in practice?

问题描述

假设我们有 10 亿张独特的图片，每个图片 1 兆字节.我们计算每个文件内容的 SHA-256 哈希值.碰撞的可能性取决于:

Let's say we have a billion unique images, one megabyte each. We calculate the SHA-256 hash for the contents of each file. The possibility of collision depends on:

• 文件数量
• 单个文件的大小

假设它为零，我们可以忽略这种可能性有多远?

How far can we go ignoring this possibility, assuming it is zero?

推荐答案

通常的答案是这样的:一颗流氓小行星在下一秒内撞击地球，摧毁我们所知道的文明的概率是多少，并杀死数十亿人?可以说，任何低于这个概率的不幸事件实际上都不是很重要.

The usual answer goes thus: what is the probability that a rogue asteroid crashes on Earth within the next second, obliterating civilization-as-we-know-it, and killing off a few billion people? It can be argued that any unlucky event with a probability lower than that is not actually very important.

如果我们有一个输出大小为 n 的完美"散列函数，并且我们有 p 条消息要散列(单个消息长度不重要)，那么概率碰撞大约是 p²/2ⁿ⁺¹(这是一个近似值，适用于小"p，即远小于2^n/2).例如，使用 SHA-256 (n=256) 和 10 亿条消息 (p=10⁹) 那么概率约为 4.3*10^-60.

If we have a "perfect" hash function with output size n, and we have p messages to hash (individual message length is not important), then probability of collision is about p²/2ⁿ⁺¹ (this is an approximation which is valid for "small" p, i.e. substantially smaller than 2^n/2). For instance, with SHA-256 (n=256) and one billion messages (p=10⁹) then the probability is about 4.3*10^-60.

大规模杀人的太空岩石平均每 3000 万年发生一次.这导致下一秒发生此类事件的概率约为 10^-15.这比 SHA-256 冲突的可能性高 45 个数量级.简而言之，如果您发现 SHA-256 冲突很可怕，那么您的优先级就错了.

A mass-murderer space rock happens about once every 30 million years on average. This leads to a probability of such an event occurring in the next second to about 10^-15. That's 45 orders of magnitude more probable than the SHA-256 collision. Briefly stated, if you find SHA-256 collisions scary then your priorities are wrong.

在安全设置中，攻击者可以选择将被散列的消息，然后攻击者可能使用超过 10 亿条消息；但是，您会发现攻击者的成功概率仍然非常小.这就是使用具有 256 位输出的哈希函数的全部意义所在:这样可以忽略碰撞风险.

In a security setup, where an attacker gets to choose the messages which will be hashed, then the attacker may use substantially more than a billion messages; however, you will find that the attacker's success probability will still be vanishingly small. That's the whole point of using a hash function with a 256-bit output: so that risks of collision can be neglected.

当然，以上都是假设SHA-256是一个完美"的散列函数，远未得到证实.不过，SHA-256 似乎非常健壮.

Of course, all of the above assumes that SHA-256 is a "perfect" hash function, which is far from being proven. Still, SHA-256 seems quite robust.

这篇关于在实践中忽略 SHA 冲突的可能性是否安全?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！