I'd rather join the headless chickens, actually. True, it took a year's worth of computation even on today's stock hardware. But that's only going to get cheaper.
By the way, nation-states won't use GPUs. They'll use ASICs, which tend to be 4-6 orders of magnitude more energy efficient than GPUs for this kind of thing (at least they are for Bitcoin mining). I just hope nobody succeeded in the business of selling MD5 colliders, because it would mean the same could work with SHA-1.
The GPU computation didn't take long for Google; it was the CPU phase that took a long time: 6,500 years of CPU time versus 110 years of GPU time. I didn't read into the technical details, but given that this phase wasn't done on GPUs, I'd guess it wouldn't easily be done on, or improved by, an ASIC either in this particular case.
Hmm, we'll need to wait for the source code and a detailed analysis of the exploit, but 6,500 years of CPU time suggests a high degree of parallelism right off the bat.
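To put that figure in perspective, here's a back-of-the-envelope sketch of how 6,500 CPU-years shrinks with parallelism. The CPU-year figure is from the thread above; the cluster sizes are hypothetical, purely for illustration:

```python
# 6,500 CPU-years (the figure discussed above) spread across
# hypothetical clusters of various sizes. Assumes embarrassingly
# parallel work with no coordination overhead.
CPU_YEARS = 6500
DAYS_PER_YEAR = 365.25

for cores in (1_000, 10_000, 100_000):
    wall_days = CPU_YEARS / cores * DAYS_PER_YEAR
    print(f"{cores:>7} cores -> ~{wall_days:,.0f} days of wall-clock time")
```

At 100,000 cores the whole thing fits in under a month of wall-clock time, which is why a high degree of parallelism matters so much for who can afford this attack.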
Depending on the demands of the algorithm, an ASIC could outmatch an x86 farm, possibly by even more orders of magnitude than it outmatches GPUs.
Possible hurdles for an ASIC are memory hardness (memory costs about the same no matter the architecture), branching, and complex operations such as multiplication. Any of these could destroy the ASIC's advantage.
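Memory hardness is the same property that password-hashing functions rely on to blunt ASICs. A minimal sketch using scrypt from Python's standard library (the parameters here are illustrative, not a security recommendation):

```python
import hashlib

# scrypt is deliberately memory-hard: each evaluation needs roughly
# n * r * 128 bytes of RAM (here 2**14 * 8 * 128 = 16 MiB), and RAM
# costs about the same on an ASIC as on a CPU, so raw logic density
# buys an attacker much less than it does for SHA-1 or MD5.
digest = hashlib.scrypt(b"example password", salt=b"example salt",
                        n=2**14, r=8, p=1)
print(digest.hex())
```

SHA-1 itself has none of these properties, which is exactly why it maps so well onto dedicated silicon.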