Comment Re: I'm realhashbreaker, here is my take (Score 2) 69

It is actually not pointless: by comparing these costs we can evaluate whether there is an improved attack.
What I'm saying here is that we already showed a $110k SHA-1 attack in 2015, and that this claim of $100k is actually not substantiated. Moreover, their current attack directly recycles the $110k and does *more* work, so in any metric it should always cost more than our attack.
Lastly, there is your point of cost effectiveness. This we already showed is optimized using GPUs. GPUs provide the most computation per $ for this particular problem. Potentially FPGAs could do better, but efforts in that direction have failed. In our papers we give the complexity cost and estimation in GPU resources (say 110 years on 1 GTX-970, or 110/k years on k cards). But of course the most fair $-based metric is by renting the GPUs in the cloud, since this cost is independent of the number k of GPUs you rent.

Comment Re:The problem here is gonna be Git (Score 2) 69

I'm Marc Stevens, realhashbreaker. Git is actually safe from this chosen-prefix collision attack on SHA-1 as explained on the github blog: https://ancillary-proxy.atarimworker.io?url=https%3A%2F%2Fgithub.blog%2F2017-03-20...
Git is in a transition to a more secure hash function (sha-2-256), but for now it has replaced plain SHA-1 by a hardened SHA-1 using the sha1collisiondetection library (https://ancillary-proxy.atarimworker.io?url=https%3A%2F%2Fgithub.com%2Fcr-marcstevens%2Fsha1collisiondetection).
Our hardened SHA-1 (https://ancillary-proxy.atarimworker.io?url=https%3A%2F%2Fgithub.com%2Fcr-marcstevens%2Fsha1collisiondetection) directly protects against all SHA-1 collision attacks based on my EUROCRYPT2013 SHA-1 collision attack (like SHAttered and this somewhat improved chosen-prefix collision attack) as well as many other potential feasible SHA-1 collision attacks from the literature. The idea behind this hardening is counter-cryptanalysis (see my award-winning CRYPTO2013 paper) that has immediately proved itself by exposing the MD5 collision attack within the Flame supermalware that used a forged signature to masquerade as a valid Windows update executable (e.g. see https://ancillary-proxy.atarimworker.io?url=https%3A%2F%2Farstechnica.com%2Finform...).

Comment I'm realhashbreaker, here is my take (Score 5, Insightful) 69

I'm Marc Stevens, realhashbreaker, one of the lead researchers that introduced the first chosen-prefix collision attack for MD5 as well as for SHA-1, and found the first practical SHA-1 collision. Here's my take:

1. Our SHAttered research (CRYPTO2017) demonstrated the first, and still only, SHA-1 collision. It is directly based on my 2^61-cost attack in EUROCRYPT2013. Besides other improvements, SHAttered used GPUs at higher cost (2^64.7) but at much greater effectiveness, making it practical.

2. This research is only an improvement for a more difficult and costlier collision attack for 'chosen-prefix collisions'. The first chosen-prefix collision attack on SHA-1, see my EUROCRYPT2013 paper, costs 2^77 SHA-1 calls, which they improve to 2^66.9 SHA-1 calls in theory; it has not been executed yet.

3. This new research paper directly recycles almost the entire SHAttered collision attack, except, as is usual, it modifies the first and last few steps to turn the 'identical-prefix collision' into a 'chosen-prefix collision' and uses an improved strategy for the sequence of 'near-collision attacks'.

4. Using similar analysis in previous papers on the cost of SHA-1 collision attacks, their attack would cost 2^2.2 more than SHAttered, so 2^2.2 x $110K = about $500K.

5. Their claim of less than $100K is based on as-yet undisclosed improvements, and has not stood up to peer review yet. I am very sceptical that they can claim a cost lower than the SHAttered attack on which they rely (see below). Historically, there have been quite a few erroneous claims of new low complexities to break SHA-1, and these have not stood up to academic peer review.
