In 2017, Google researchers generated two different PDF files with identical SHA-1 hashes, finally proving what cryptographers had warned about for years: hash functions don’t create truly unique fingerprints. This “SHAttered” attack required 9 quintillion SHA-1 computations—equivalent to 6,500 years of single-CPU computation.
Yet despite this proof, we still trust hash functions for everything from Git commits to blockchain transactions to password storage. Why? Because the full story of hash collisions is more nuanced than “unique” versus “not unique.”
“In cryptography, ‘secure’ doesn’t mean ‘perfect.’ It means ‘safe for the next 30 years.’”