Does “SHAttered” only work for PDF files?

Question

It appears that SHA-1 is broken in practice. The website detailing this attack shows an infographic of how two PDF files can have the same SHA-1 hash value. Also Google's. I've also read Mathew's answer regarding the implications of this, and his explanation example focuses on PDFs.

What is it with PDFs? Does the attack only work on them exclusively? A PDF is just a sequence of bytes arranged in some order specified ages ago by Adobe Inc. I would have thought then that any two arbitrary file types could be attacked and hashed to the same value, not just PDFs.

Answer 1

The current version of the SHAttered website has an image that describes the structure of the attack, relative to the PDF. I believe under fair use we can reproduce the image below:

So the collision blocks reside inside a JPEG image inside the PDFs. JPEG file formats are a complicated topic, but modern software supports a variety of metadata in JPEGs—this is for example how cameras store the date and time that a photo was taken, the GPS coordinates where the photo was taken, camera settings that were used, pre-rendered thumbnails for quicker display at small resolutions, etc. So you can create JPEGs that look exactly the same (same image data) but different metadata; and evidently you can also exploit this property to create JPEG files that look different but have the same SHA-1 digest.

Answer 2

They used PDF because you can change the appearance significantly even based on some random data within the document - in this case the background color of the PDF. A PDF contains programming options that can be executed on some value within the document to make this happen. Furthermore, a PDF can contain other files with binary data, which is very useful for storing this random data - in this case they used a JPG file for that. Finally, PDF's are commonly used for demonstrations and can be read by almost any system for free.

But yes, the PDF is just an example, other files that can contain random data could have been used instead. I once created a two batch files that printed different values while having the same MD5 hash. They could have gone that route as well.