[IncRnd]

That is misleading, since a birthday attack is not required. The security strength of hashes is not measured by the length of the hashes.

md5 was first "broken" in 1995. As of 10 years ago, a collision attack took only a few seconds. Plus, there are a _number_ of other attacks on the hash.

[rocqua]

The argument I replied to concerned best-case for length. I.e. a perfect hash at 128 bits delivers 64 bits of security against collisions. (Note the 'perfect' part)

64 bits of security is good enough against most non-nation state actors.

Obviously, MD5 (and sha-1) aren't anywhere near perfect hashes. And obviously, you need to look at more than length when judging a hash.

Basically my point was that md5's hash length isn't a big problem.

[IncRnd]

You can rent Amazon time and create an md5 collision for less money than people spend going to a movie. Restating the issue as "a perfect hash is perfect" may be correct in a limited sense, but it is also highly misleading.

64 bits of ideal security is about half the industry accepted security strength in bits for a hash function.

[amluto]

The bitcoin network does 2^64 hashes in about 10 seconds. 10 seconds of bitcoin network is a far cry from nation state only.