https://ehash.iaik.tugraz.at/api.php?action=feedcontributions&user=Nobbi&feedformat=atomThe ECRYPT Hash Function Website - User contributions [en]2022-12-03T20:07:03ZUser contributionsMediaWiki 1.31.3https://ehash.iaik.tugraz.at/index.php?title=Talk:SHA-1&diff=1596Talk:SHA-12006-11-21T07:37:10Z<p>Nobbi: Test discussion</p>
<hr />
<div><br />
<br />
== Test discussion ==<br />
<br />
--[[User:Nobbi|Nobbi]] 08:37, 21 November 2006 (CET)</div>Nobbihttps://ehash.iaik.tugraz.at/index.php?title=HashFunctions&diff=1589HashFunctions2006-11-20T14:26:21Z<p>Nobbi: </p>
<hr />
<div>{| border="1" cellpadding="2" cellspacing="0" align="center" class="wikitable"<br />
|+'''Collection of selected hash functions (in alphabetical order)'''<br />
|- style="background:#efefef;"<br />
! width="300"| Hash Function Name !! Designer(s) !! Issued in !! Status Cryptanalysis<br />
|-<br />
| [http://ehash.iaik.tugraz.at/index.php/AR AR] || ISO || align="center"|1992 || broken<br />
|-<br />
| [http://ehash.iaik.tugraz.at/index.php/Boognish Boognish] || Daemen || align="center"|1992 || broken<br />
|-<br />
| [http://ehash.iaik.tugraz.at/index.php/Cellhash Cellhash] || Daemen, Govaerts, Vandewalle || align="center"|1991 || ?<br />
|-<br />
| [http://ehash.iaik.tugraz.at/index.php/FFT-HashI FFT-Hash I] || Schnorr || align="center"|1991 || broken<br />
|-<br />
| [http://ehash.iaik.tugraz.at/index.php/FFT-HashII FFT-Hash II] || Schnorr || align="center"|1992 || broken<br />
|-<br />
| [http://ehash.iaik.tugraz.at/index.php/FORK256 FORK-256] || Hong, Chang, Sung, Lee, Hong, Lee, Moon, Chee || align="center"|2006 || <br />
|-<br />
| [http://ehash.iaik.tugraz.at/index.php/FSB FSB] || Augot, Finiasz, Sendrier || align="center"|2005 || ?<br />
|-<br />
| [http://ehash.iaik.tugraz.at/index.php/GOST GOST R 34.11-94] || Government Committee of Russia for Standards || align="center"|1990 || ?<br />
|-<br />
| [http://ehash.iaik.tugraz.at/index.php/HAVAL HAVAL] || Zheng, Pieprzyk, Seberry || align="center"|1994 || broken<br />
|-<br />
| [http://ehash.iaik.tugraz.at/index.php/LASH-n LASH-n] || Bentahar, Page, Saarinen, Silverman, Smart || align="center"|2006 || ?<br />
|-<br />
| [http://ehash.iaik.tugraz.at/index.php/MD2 MD2] || Rivest || align="center"|1989 || broken<br />
|-<br />
| [http://ehash.iaik.tugraz.at/index.php/MD4 MD4] || Rivest || align="center"|1990 || broken<br />
|-<br />
| [http://ehash.iaik.tugraz.at/index.php/MD5 MD5] || Rivest || align="center"|1992 || broken<br />
|-<br />
| [http://ehash.iaik.tugraz.at/index.php/N-Hash N-Hash] || Miyaguchi, Ohta, Iwata || align="center"|1990 || broken<br />
|-<br />
| [http://ehash.iaik.tugraz.at/index.php/PANAMA PANAMA] || Daemen, Clapp || align="center"|1998 || wounded<br />
|-<br />
| [http://ehash.iaik.tugraz.at/index.php/ParallelFFT-Hash Parallel FFT-Hash] || Schnorr, Vaudenay || align="center"|1993 || ?<br />
|-<br />
| [http://ehash.iaik.tugraz.at/index.php/RadioGatun RadioGatun[w]] || Bertoni, Daemen, Peeters, van Assche || align="center"|2006 || ?<br />
|-<br />
| [http://ehash.iaik.tugraz.at/index.php/RIPEMD RIPEMD] || The RIPE Consortium || align="center"|1990 || broken<br />
|-<br />
| [http://ehash.iaik.tugraz.at/index.php/RIPEMD-128 RIPEMD-128] || Dobbertin, Bosselaers, Preneel || align="center"|1996 || ?<br />
|-<br />
| [http://ehash.iaik.tugraz.at/index.php/RIPEMD-160 RIPEMD-160] || Dobbertin, Bosselaers, Preneel || align="center"|1996 || ?<br />
|-<br />
| [http://ehash.iaik.tugraz.at/index.php/SHA0 SHA-0] || NIST/NSA || align="center"|1991 || broken <br />
|-<br />
| [http://ehash.iaik.tugraz.at/index.php/SHA-1 SHA-1] || NIST/NSA || align="center"|1993 || broken/wounded?<br />
|-<br />
| [http://ehash.iaik.tugraz.at/index.php/SHA-224 SHA-224] || NIST/NSA || align="center"|2004 || <br />
|-<br />
| [http://ehash.iaik.tugraz.at/index.php/SHA256 SHA-256] || NIST/NSA || align="center"|2000 || <br />
|-<br />
| [http://ehash.iaik.tugraz.at/index.php/SHA384 SHA-384] || NIST/NSA || align="center"|2000 || <br />
|-<br />
| [http://ehash.iaik.tugraz.at/index.php/SHA512 SHA-512] || NIST/NSA || align="center"|2000 || <br />
|-<br />
| [http://ehash.iaik.tugraz.at/index.php/SMASH SMASH] || Knudsen || align="center"|2005 || broken <br />
|-<br />
| [http://ehash.iaik.tugraz.at/index.php/Snefru-n Snefru-n] || Merkle || align="center"|1990 || broken <br />
|-<br />
| [http://ehash.iaik.tugraz.at/index.php/StepRightUp StepRightUp] || Daemen || align="center"|1995 || wounded <br />
|-<br />
| [http://ehash.iaik.tugraz.at/index.php/SubHash SubHash] || Daemen || align="center"|1992 || ?<br />
|-<br />
| [http://ehash.iaik.tugraz.at/index.php/Tiger Tiger] || Anderson, Biham || align="center"|1996 || some preliminary results<br />
|-<br />
| [http://ehash.iaik.tugraz.at/index.php/Whirlpool Whirlpool] || Barreto and Rijmen || align="center"|2000 || ?<br />
|}</div>Nobbihttps://ehash.iaik.tugraz.at/index.php?title=The_eHash_Main_Page&diff=1588The eHash Main Page2006-11-20T14:24:47Z<p>Nobbi: </p>
<hr />
<div>== List of Hash Functions ==<br />
<br />
On this page you can find a collection of existing hash functions.<br />
<br />
[http://ehash.iaik.tugraz.at/index.php/HashFunctions Collection of Cryptographic Hash Functions]<br />
<br />
== Notation and Definition ==<br />
<br />
== Generic Attacks on Hash Functions ==<br />
<br />
=== Birthday Attack & Generalized Birthday Attack ===<br />
=== ... ===<br />
<br />
== Some How Tos ==<br />
<br />
[http://ehash.iaik.tugraz.at/index.php/HowTo Some hints how to work with math environments and bibtex]<br />
<br />
== Getting started ==<br />
<br />
* [http://www.mediawiki.org/wiki/Help:FAQ MediaWiki FAQ]<br />
* [http://mail.wikipedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list]<br />
<br />
<br />
----<br />
ECRYPT is a Network of Excellence within the Information Societies Technology (IST) Programme of the European Commission. The information on this web site is provided as is, and no guarantee or warranty is given or implied that the information is fit for any particular purpose. The user thereof uses the information at his or her sole risk and liability.<br />
----</div>Nobbihttps://ehash.iaik.tugraz.at/index.php?title=The_eHash_Main_Page&diff=1584The eHash Main Page2006-11-15T09:25:08Z<p>Nobbi: /* Generic Attacks on Hash Functions */</p>
<hr />
<div>== List of Hash Functions ==<br />
<br />
On this page you can find a collection of existing hash functions.<br />
<br />
[http://mediawiki.iaik.tugraz.at/index.php/HashFunctions Collection of Cryptographic Hash Functions]<br />
<br />
== Notation and Definition ==<br />
<br />
== Generic Attacks on Hash Functions ==<br />
<br />
=== Birthday Attack & Generalized Birthday Attack ===<br />
=== ... ===<br />
<br />
== Some How Tos ==<br />
<br />
[http://mediawiki.iaik.tugraz.at/index.php/HowTo Some hints how to work with math environments and bibtex]<br />
<br />
== Getting started ==<br />
<br />
* [http://www.mediawiki.org/wiki/Help:FAQ MediaWiki FAQ]<br />
* [http://mail.wikipedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list]<br />
<br />
<br />
----<br />
ECRYPT is a Network of Excellence within the Information Societies Technology (IST) Programme of the European Commission. The information on this web site is provided as is, and no guarantee or warranty is given or implied that the information is fit for any particular purpose. The user thereof uses the information at his or her sole risk and liability.<br />
----</div>Nobbihttps://ehash.iaik.tugraz.at/index.php?title=The_eHash_Main_Page&diff=1583The eHash Main Page2006-11-15T08:43:14Z<p>Nobbi: /* Some How Tos */</p>
<hr />
<div>== List of Hash Functions ==<br />
<br />
On this page you can find a collection of existing hash functions.<br />
<br />
[http://mediawiki.iaik.tugraz.at/index.php/HashFunctions Collection of Cryptographic Hash Functions]<br />
<br />
== Notation and Definition ==<br />
<br />
== Generic Attacks on Hash Functions ==<br />
<br />
=== Birthday Attack & Generalized Birthday Attack ===<br />
<br />
== Some How Tos ==<br />
<br />
[http://mediawiki.iaik.tugraz.at/index.php/HowTo Some hints how to work with math environments and bibtex]<br />
<br />
== Getting started ==<br />
<br />
* [http://www.mediawiki.org/wiki/Help:FAQ MediaWiki FAQ]<br />
* [http://mail.wikipedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list]<br />
<br />
<br />
----<br />
ECRYPT is a Network of Excellence within the Information Societies Technology (IST) Programme of the European Commission. The information on this web site is provided as is, and no guarantee or warranty is given or implied that the information is fit for any particular purpose. The user thereof uses the information at his or her sole risk and liability.<br />
----</div>Nobbihttps://ehash.iaik.tugraz.at/index.php?title=HowTo&diff=1582HowTo2006-11-15T08:42:37Z<p>Nobbi: </p>
<hr />
<div>== Working with maths and Tex ==<br />
<br />
We can write "normal" LaTeX equations by using the ''math'' class. For instance, the following code<br />
<br />
<blockquote style="background: white; border: 1px solid black; padding: 1em;"><pre><nowiki><br />
<math><br />
{\textbf x}_{t} = {\textbf f}({x}_{t-1},{u}_{t-1},{p}_{t-1})<br />
</math><br />
</nowiki></pre></blockquote><br />
<br />
is displayed as<br />
<br />
<math><br />
{\textbf x}_{t} = {\textbf f}({x}_{t-1},{u}_{t-1},{p}_{t-1})<br />
</math><br />
<br />
In order to use TeX commands from the amsmath package, we use the class ''amsmath''.<br />
Automated numbering of equations works within a single ''amsmath'' environment.<br />
The class ''amsmath'' uses the TeX template defined in<br />
/var/www/html/mediawiki/extensions/wikitex/wikitex.math.inc.tex<br />
<br />
I changed the template such that we can define global commands. The template looks like<br />
<br />
<blockquote style="background: white; border: 1px solid black; padding: 1em;"><pre><nowiki><br />
\documentclass[10pt]{article}<br />
\usepackage{amssymb,amsmath,amscd,concmath}<br />
% we can define whatever commands we would like to use for consistency.<br />
% of course we have to list these special commands somewhere (maybe we can use<br />
% a pop-up with editing help or something similar).<br />
% for instance:<br />
\newcommand{\rs}{\ensuremath{\gg}} %right shift >><br />
\newcommand{\ls}{\ensuremath{\ll}} %left shift <<<br />
\newcommand{\rr}{\ensuremath{\ggg}} %right rotate >>><br />
\newcommand{\lr}{\ensuremath{\lll}} %left rotate <<<<br />
\pagestyle{empty}<br />
\begin{document}<br />
%value%<br />
\end{document}<br />
</nowiki></pre></blockquote><br />
<br />
For instance:<br />
<br />
{| align="center" border="1" cellpadding="10" cellspacing="0" <br />
|-<br />
!code fragment <br />
!displayed equation<br />
|-<br />
|<br />
<pre><nowiki><br />
<amsmath><br />
\begin{equation}<br />
a = \sum_{i=0}^{n}{2^i}<br />
\end{equation}<br />
</amsmath><br />
</nowiki></pre><br />
|<br />
<amsmath><br />
\begin{equation}<br />
a = \sum_{i=0}^{n}{2^i}<br />
\end{equation}<br />
</amsmath><br />
|-<br />
! colspan="2" style="background:#ffdead;" | %value% in tex-template is \begin{equation}...\end{equation}<br />
|}<br />
<br />
<br />
<br />
If we start a new ''amsmath'' environment, the equation numbering starts from 1 again. Starting a new ''amsmath'' environment:<br />
<br />
<amsmath><br />
\begin{equation}<br />
b = \sum_{i=0}^{n}{2^i}<br />
\end{equation}<br />
\begin{equation}<br />
a = \sum_{i=0}^{n}{2^i}<br />
\end{equation}<br />
\begin{eqnarray}<br />
a &\lr& b\\<br />
c &\rr& d\\<br />
e &\ls& f\\<br />
g &\rs& h<br />
\end{eqnarray}<br />
</amsmath><br />
<br />
As we see, both environments start with 1.<br />
<br />
'''Note: to refer to an equation we will have to use a wiki link ...'''<br />
<br />
If we use math inline then we have the following possibilities:<br />
<br />
* Best known attack: 2<sup>63</sup> by Wang et al. using HTML: <pre><nowiki>2<sup>63</sup></nowiki></pre><br />
* Best known attack: <amsmath>\begin{displaymath}2^{63}\end{displaymath}</amsmath> by Wang et al. using amsmath: <pre><nowiki><amsmath>\begin{displaymath}2^{63}\end{displaymath}</amsmath></nowiki></pre><br />
* Best known attack: <math>2^{63}</math> by Wang et al. using math: <pre><nowiki><math>2^{63}</math></nowiki></pre><br />
<br />
<br />
I think the first case looks best regarding the inline alignment. So I would suggest using HTML for powers.<br />
<br />
== References and bibtex ==<br />
<br />
=== Misc ===<br />
<br />
<blockquote style="background: white; border: 1px solid black; padding: 1em;"><pre><nowiki><br />
<bibtex><br />
@MISC{HATTORI2004Complexityofthe,<br />
author = {Mitsuhiro HATTORI and Shoichi HIROSE and Susumu YOSHIDA},<br />
title = {Complexity of the Collision and Near-Collision Attack on SHA-0 with Different Message Schedules},<br />
howpublished = {Cryptology ePrint Archive, Report 2004/325},<br />
year = {2004},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/},<br />
}<br />
</bibtex><br />
</nowiki></pre></blockquote><br />
<br />
is displayed as:<br />
<br />
<bibtex><br />
@MISC{HATTORI2004Complexityofthe,<br />
author = {Mitsuhiro HATTORI and Shoichi HIROSE and Susumu YOSHIDA},<br />
title = {Complexity of the Collision and Near-Collision Attack on SHA-0 with Different Message Schedules},<br />
howpublished = {Cryptology ePrint Archive, Report 2004/325},<br />
year = {2004},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/},<br />
}<br />
</bibtex><br />
<br />
----<br />
=== InProceedings ===<br />
<br />
<br />
<blockquote style="background: white; border: 1px solid black; padding: 1em;"><pre><nowiki><br />
<bibtex><br />
@INPROCEEDINGS{2,<br />
author = {Daewan Han and Sangwoo Park and Seongtaek Chee},<br />
title = {Cryptanalysis of the Modified Version of the Hash Function Proposed at PKC'98.},<br />
booktitle = {Fast Software Encryption 2002},<br />
year = {2002},<br />
series = {LNCS},<br />
pages = {252-262},<br />
volume = {2365},<br />
publisher = {Springer},<br />
editor = {Joan Daemen and Vincent Rijmen},<br />
abstract = {This is the abstract of this paper}<br />
}<br />
</bibtex><br />
</nowiki></pre></blockquote><br />
<br />
is displayed as:<br />
<br />
<bibtex><br />
@INPROCEEDINGS{2,<br />
author = {Daewan Han and Sangwoo Park and Seongtaek Chee},<br />
title = {Cryptanalysis of the Modified Version of the Hash Function Proposed at PKC'98.},<br />
booktitle = {Fast Software Encryption 2002},<br />
year = {2002},<br />
series = {LNCS},<br />
pages = {252-262},<br />
volume = {2365},<br />
publisher = {Springer},<br />
editor = {Joan Daemen and Vincent Rijmen},<br />
abstract = {This is the abstract of this paper}<br />
}<br />
</bibtex><br />
<br />
<br />
----<br />
<br />
=== Article ===<br />
<br />
<blockquote style="background: white; border: 1px solid black; padding: 1em;"><pre><nowiki><br />
<bibtex><br />
@ARTICLE{3,<br />
author = {Hans Dobbertin},<br />
title = {Cryptanalysis Of MD4},<br />
journal = {Journal of Cryptology},<br />
year = {1998},<br />
volume = {11},<br />
number = {4},<br />
pages = {253--271},<br />
}<br />
</bibtex><br />
</nowiki></pre></blockquote><br />
<br />
is displayed as:<br />
<br />
<bibtex><br />
@ARTICLE{3,<br />
author = {Hans Dobbertin},<br />
title = {Cryptanalysis Of MD4},<br />
journal = {Journal of Cryptology},<br />
year = {1998},<br />
volume = {11},<br />
number = {4},<br />
pages = {253--271},<br />
}<br />
</bibtex><br />
<br />
----<br />
<br />
=== Book ===<br />
<br />
<blockquote style="background: white; border: 1px solid black; padding: 1em;"><pre><nowiki><br />
<bibtex><br />
@BOOK{4,<br />
title = {Handbook of Applied Cryptography},<br />
publisher = {CRC Press},<br />
year = {1997},<br />
author = {Alfred J. Menezes and Paul C. van Oorschot and Scott A. Vanstone},<br />
note = {Available online at \url{http://www.cacr.math.uwaterloo.ca/hac/}},<br />
}<br />
</bibtex><br />
</nowiki></pre></blockquote><br />
<br />
is displayed as:<br />
<br />
<bibtex><br />
@BOOK{4,<br />
title = {Handbook of Applied Cryptography},<br />
publisher = {CRC Press},<br />
year = {1997},<br />
author = {Alfred J. Menezes and Paul C. van Oorschot and Scott A. Vanstone},<br />
note = {Available online at \url{http://www.cacr.math.uwaterloo.ca/hac/}},<br />
}<br />
</bibtex><br />
<br />
----<br />
<br />
== About different skins ==<br />
Every user can define his own skin. Nevertheless, it turns out that the skin influences the alignment of inline amsmath environments. If we use the standard skin, namely MonoBook (the default), then the alignment is pretty OK.<br />
<br />
Therefore, I suggest keeping this skin as the default.<br />
<br />
<br />
[http://mediawiki.iaik.tugraz.at/index.php/Testpage1 Testpage1]</div>Nobbihttps://ehash.iaik.tugraz.at/index.php?title=The_eHash_Main_Page&diff=1581The eHash Main Page2006-11-15T08:41:38Z<p>Nobbi: /* Some How Tos */</p>
<hr />
<div>== List of Hash Functions ==<br />
<br />
On this page you can find a collection of existing hash functions.<br />
<br />
[http://mediawiki.iaik.tugraz.at/index.php/HashFunctions Collection of Cryptographic Hash Functions]<br />
<br />
== Notation and Definition ==<br />
<br />
== Generic Attacks on Hash Functions ==<br />
<br />
=== Birthday Attack & Generalized Birthday Attack ===<br />
<br />
== Some How Tos ==<br />
<br />
[http://mediawiki.iaik.tugraz.at/index.php/HowTo Some hints how to work with math environments and bibtex]<br />
<br />
=== Working with maths and Tex ===<br />
<br />
We can write "normal" LaTeX equations by using the ''math'' class. For instance, the following code<br />
<br />
<blockquote style="background: white; border: 1px solid black; padding: 1em;"><pre><nowiki><br />
<math><br />
{\textbf x}_{t} = {\textbf f}({x}_{t-1},{u}_{t-1},{p}_{t-1})<br />
</math><br />
</nowiki></pre></blockquote><br />
<br />
is displayed as<br />
<br />
<math><br />
{\textbf x}_{t} = {\textbf f}({x}_{t-1},{u}_{t-1},{p}_{t-1})<br />
</math><br />
<br />
In order to use TeX commands from the amsmath package, we use the class ''amsmath''.<br />
Automated numbering of equations works within a single ''amsmath'' environment.<br />
The class ''amsmath'' uses the TeX template defined in<br />
/var/www/html/mediawiki/extensions/wikitex/wikitex.math.inc.tex<br />
<br />
I changed the template such that we can define global commands. The template looks like<br />
<br />
<blockquote style="background: white; border: 1px solid black; padding: 1em;"><pre><nowiki><br />
\documentclass[10pt]{article}<br />
\usepackage{amssymb,amsmath,amscd,concmath}<br />
% we can define whatever commands we would like to use for consistency.<br />
% of course we have to list these special commands somewhere (maybe we can use<br />
% a pop-up with editing help or something similar).<br />
% for instance:<br />
\newcommand{\rs}{\ensuremath{\gg}} %right shift >><br />
\newcommand{\ls}{\ensuremath{\ll}} %left shift <<<br />
\newcommand{\rr}{\ensuremath{\ggg}} %right rotate >>><br />
\newcommand{\lr}{\ensuremath{\lll}} %left rotate <<<<br />
\pagestyle{empty}<br />
\begin{document}<br />
%value%<br />
\end{document}<br />
</nowiki></pre></blockquote><br />
<br />
For instance:<br />
<br />
{| align="center" border="1" cellpadding="10" cellspacing="0" <br />
|-<br />
!code fragment <br />
!displayed equation<br />
|-<br />
|<br />
<pre><nowiki><br />
<amsmath><br />
\begin{equation}<br />
a = \sum_{i=0}^{n}{2^i}<br />
\end{equation}<br />
</amsmath><br />
</nowiki></pre><br />
|<br />
<amsmath><br />
\begin{equation}<br />
a = \sum_{i=0}^{n}{2^i}<br />
\end{equation}<br />
</amsmath><br />
|-<br />
! colspan="2" style="background:#ffdead;" | %value% in tex-template is \begin{equation}...\end{equation}<br />
|}<br />
<br />
<br />
<br />
If we start a new ''amsmath'' environment, the equation numbering starts from 1 again. Starting a new ''amsmath'' environment:<br />
<br />
<amsmath><br />
\begin{equation}<br />
b = \sum_{i=0}^{n}{2^i}<br />
\end{equation}<br />
\begin{equation}<br />
a = \sum_{i=0}^{n}{2^i}<br />
\end{equation}<br />
\begin{eqnarray}<br />
a &\lr& b\\<br />
c &\rr& d\\<br />
e &\ls& f\\<br />
g &\rs& h<br />
\end{eqnarray}<br />
</amsmath><br />
<br />
As we see, both environments start with 1.<br />
<br />
'''Note: to refer to an equation we will have to use a wiki link ...'''<br />
<br />
If we use math inline then we have the following possibilities:<br />
<br />
* Best known attack: 2<sup>63</sup> by Wang et al. using HTML: <pre><nowiki>2<sup>63</sup></nowiki></pre><br />
* Best known attack: <amsmath>\begin{displaymath}2^{63}\end{displaymath}</amsmath> by Wang et al. using amsmath: <pre><nowiki><amsmath>\begin{displaymath}2^{63}\end{displaymath}</amsmath></nowiki></pre><br />
* Best known attack: <math>2^{63}</math> by Wang et al. using math: <pre><nowiki><math>2^{63}</math></nowiki></pre><br />
<br />
<br />
I think the first case looks best regarding the inline alignment. So I would suggest using HTML for powers.<br />
<br />
=== References and bibtex ===<br />
<br />
==== Misc ====<br />
<br />
<blockquote style="background: white; border: 1px solid black; padding: 1em;"><pre><nowiki><br />
<bibtex><br />
@MISC{HATTORI2004Complexityofthe,<br />
author = {Mitsuhiro HATTORI and Shoichi HIROSE and Susumu YOSHIDA},<br />
title = {Complexity of the Collision and Near-Collision Attack on SHA-0 with Different Message Schedules},<br />
howpublished = {Cryptology ePrint Archive, Report 2004/325},<br />
year = {2004},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/},<br />
}<br />
</bibtex><br />
</nowiki></pre></blockquote><br />
<br />
is displayed as:<br />
<br />
<bibtex><br />
@MISC{HATTORI2004Complexityofthe,<br />
author = {Mitsuhiro HATTORI and Shoichi HIROSE and Susumu YOSHIDA},<br />
title = {Complexity of the Collision and Near-Collision Attack on SHA-0 with Different Message Schedules},<br />
howpublished = {Cryptology ePrint Archive, Report 2004/325},<br />
year = {2004},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/},<br />
}<br />
</bibtex><br />
<br />
----<br />
==== InProceedings ====<br />
<br />
<br />
<blockquote style="background: white; border: 1px solid black; padding: 1em;"><pre><nowiki><br />
<bibtex><br />
@INPROCEEDINGS{2,<br />
author = {Daewan Han and Sangwoo Park and Seongtaek Chee},<br />
title = {Cryptanalysis of the Modified Version of the Hash Function Proposed at PKC'98.},<br />
booktitle = {Fast Software Encryption 2002},<br />
year = {2002},<br />
series = {LNCS},<br />
pages = {252-262},<br />
volume = {2365},<br />
publisher = {Springer},<br />
editor = {Joan Daemen and Vincent Rijmen},<br />
abstract = {This is the abstract of this paper}<br />
}<br />
</bibtex><br />
</nowiki></pre></blockquote><br />
<br />
is displayed as:<br />
<br />
<bibtex><br />
@INPROCEEDINGS{2,<br />
author = {Daewan Han and Sangwoo Park and Seongtaek Chee},<br />
title = {Cryptanalysis of the Modified Version of the Hash Function Proposed at PKC'98.},<br />
booktitle = {Fast Software Encryption 2002},<br />
year = {2002},<br />
series = {LNCS},<br />
pages = {252-262},<br />
volume = {2365},<br />
publisher = {Springer},<br />
editor = {Joan Daemen and Vincent Rijmen},<br />
abstract = {This is the abstract of this paper}<br />
}<br />
</bibtex><br />
<br />
<br />
----<br />
<br />
==== Article ====<br />
<br />
<blockquote style="background: white; border: 1px solid black; padding: 1em;"><pre><nowiki><br />
<bibtex><br />
@ARTICLE{3,<br />
author = {Hans Dobbertin},<br />
title = {Cryptanalysis Of MD4},<br />
journal = {Journal of Cryptology},<br />
year = {1998},<br />
volume = {11},<br />
number = {4},<br />
pages = {253--271},<br />
}<br />
</bibtex><br />
</nowiki></pre></blockquote><br />
<br />
is displayed as:<br />
<br />
<bibtex><br />
@ARTICLE{3,<br />
author = {Hans Dobbertin},<br />
title = {Cryptanalysis Of MD4},<br />
journal = {Journal of Cryptology},<br />
year = {1998},<br />
volume = {11},<br />
number = {4},<br />
pages = {253--271},<br />
}<br />
</bibtex><br />
<br />
----<br />
<br />
==== Book ====<br />
<br />
<blockquote style="background: white; border: 1px solid black; padding: 1em;"><pre><nowiki><br />
<bibtex><br />
@BOOK{4,<br />
title = {Handbook of Applied Cryptography},<br />
publisher = {CRC Press},<br />
year = {1997},<br />
author = {Alfred J. Menezes and Paul C. van Oorschot and Scott A. Vanstone},<br />
note = {Available online at \url{http://www.cacr.math.uwaterloo.ca/hac/}},<br />
}<br />
</bibtex><br />
</nowiki></pre></blockquote><br />
<br />
is displayed as:<br />
<br />
<bibtex><br />
@BOOK{4,<br />
title = {Handbook of Applied Cryptography},<br />
publisher = {CRC Press},<br />
year = {1997},<br />
author = {Alfred J. Menezes and Paul C. van Oorschot and Scott A. Vanstone},<br />
note = {Available online at \url{http://www.cacr.math.uwaterloo.ca/hac/}},<br />
}<br />
</bibtex><br />
<br />
----<br />
<br />
=== About different skins ===<br />
Every user can define his own skin. Nevertheless, it turns out that the skin influences the alignment of inline amsmath environments. If we use the standard skin, namely MonoBook (the default), then the alignment is pretty OK.<br />
<br />
Therefore, I suggest keeping this skin as the default.<br />
<br />
<br />
[http://mediawiki.iaik.tugraz.at/index.php/Testpage1 Testpage1]<br />
<br />
== Getting started ==<br />
<br />
* [http://www.mediawiki.org/wiki/Help:FAQ MediaWiki FAQ]<br />
* [http://mail.wikipedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list]<br />
<br />
<br />
----<br />
ECRYPT is a Network of Excellence within the Information Societies Technology (IST) Programme of the European Commission. The information on this web site is provided as is, and no guarantee or warranty is given or implied that the information is fit for any particular purpose. The user thereof uses the information at his or her sole risk and liability.<br />
----</div>Nobbihttps://ehash.iaik.tugraz.at/index.php?title=HashFunctions&diff=1580HashFunctions2006-10-24T14:53:16Z<p>Nobbi: </p>
<hr />
<div>{| border="1" cellpadding="2" cellspacing="0" align="center" class="wikitable"<br />
|+'''Collection of selected hash functions (in alphabetical order)'''<br />
|- style="background:#efefef;"<br />
! width="300"| Hash Function Name !! Designer(s) !! Issued in !! Status Cryptanalysis<br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/AR AR] || ISO || align="center"|1992 || broken<br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/Boognish Boognish] || Daemen || align="center"|1992 || broken<br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/Cellhash Cellhash] || Daemen, Govaerts, Vandewalle || align="center"|1991 || ?<br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/FFT-HashI FFT-Hash I] || Schnorr || align="center"|1991 || broken<br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/FFT-HashII FFT-Hash II] || Schnorr || align="center"|1992 || broken<br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/FORK256 FORK-256] || Hong, Chang, Sung, Lee, Hong, Lee, Moon, Chee || align="center"|2006 || <br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/FSB FSB] || Augot, Finiasz, Sendrier || align="center"|2005 || ?<br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/GOST GOST R 34.11-94] || Government Committee of Russia for Standards || align="center"|1990 || ?<br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/HAVAL HAVAL] || Zheng, Pieprzyk, Seberry || align="center"|1994 || broken<br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/LASH-n LASH-n] || Bentahar, Page, Saarinen, Silverman, Smart || align="center"|2006 || ?<br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/MD2 MD2] || Rivest || align="center"|1989 || broken<br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/MD4 MD4] || Rivest || align="center"|1990 || broken<br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/MD5 MD5] || Rivest || align="center"|1992 || broken<br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/N-Hash N-Hash] || Miyaguchi, Ohta, Iwata || align="center"|1990 || broken<br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/PANAMA PANAMA] || Daemen, Clapp || align="center"|1998 || wounded<br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/ParallelFFT-Hash Parallel FFT-Hash] || Schnorr, Vaudenay || align="center"|1993 || ?<br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/RadioGatun RadioGatun[w]] || Bertoni, Daemen, Peeters, van Assche || align="center"|2006 || ?<br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/RIPEMD RIPEMD] || The RIPE Consortium || align="center"|1990 || broken<br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/RIPEMD-128 RIPEMD-128] || Dobbertin, Bosselaers, Preneel || align="center"|1996 || ?<br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/RIPEMD-160 RIPEMD-160] || Dobbertin, Bosselaers, Preneel || align="center"|1996 || ?<br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/SHA0 SHA-0] || NIST/NSA || align="center"|1991 || broken <br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/SHA-1 SHA-1] || NIST/NSA || align="center"|1993 || broken/wounded?<br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/SHA-224 SHA-224] || NIST/NSA || align="center"|2004 || <br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/SHA256 SHA-256] || NIST/NSA || align="center"|2000 || <br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/SHA384 SHA-384] || NIST/NSA || align="center"|2000 || <br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/SHA512 SHA-512] || NIST/NSA || align="center"|2000 || <br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/SMASH SMASH] || Knudsen || align="center"|2005 || broken <br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/Snefru-n Snefru-n] || Merkle || align="center"|1990 || broken <br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/StepRightUp StepRightUp] || Daemen || align="center"|1995 || wounded <br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/SubHash SubHash] || Daemen || align="center"|1992 || ?<br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/Tiger Tiger] || Anderson, Biham || align="center"|1996 || some preliminary results<br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/Whirlpool Whirlpool] || Barreto and Rijmen || align="center"|2000 || ?<br />
|}</div>Nobbihttps://ehash.iaik.tugraz.at/index.php?title=HashFunctions&diff=1579HashFunctions2006-10-24T14:53:01Z<p>Nobbi: </p>
<hr />
<div>{| border="1" cellpadding="2" cellspacing="0" align="center" class="wikitable"<br />
|+'''Collection of selected hash functions (in alphabetical order)'''<br />
|- style="background:#efefef;"<br />
! width="300"| Hash Function Name !! Designer(s) !! Issued in !! Status Cryptanalysis<br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/AR AR] || ISO || align="center"|1992 || broken<br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/Boognish Boognish] || Daemen || align="center"|1992 || broken<br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/Cellhash Cellhash] || Daemen, Govaerts, Vandewalle || align="center"|1991 || ?<br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/FFT-HashI FFT-Hash I] || Schnorr || align="center"|1991 || broken<br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/FFT-HashII FFT-Hash II] || Schnorr || align="center"|1992 || broken<br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/FORK256 FORK-256] || Hong, Chang, Sung, Lee, Hong, Lee, Moon, Chee || align="center"|2006 || <br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/FSB FSB] || Augot, Finiasz, Sendrier || align="center"|2005 || ?<br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/GOST GOST R 34.11-94] || Government Committee of Russia for Standards || align="center"|1990 || ?<br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/HAVAL HAVAL] || Zheng, Pieprzyk, Seberry || align="center"|1994 || broken<br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/LASH-n LASH-n] || Bentahar, Page, Saarinen, Silverman, Smart || align="center"|2006 || ?<br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/MD2 MD2] || Rivest || align="center"|1989 || broken<br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/MD4 MD4] || Rivest || align="center"|1990 || broken<br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/MD5 MD5] || Rivest || align="center"|1992 || broken<br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/N-Hash N-Hash] || Miyaguchi, Ohta, Iwata || align="center"|1990 || broken<br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/PANAMA PANAMA] || Daemen, Clapp || align="center"|1998 || wounded<br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/ParallelFFT-Hash Parallel FFT-Hash] || Schnorr, Vaudenay || align="center"|1993 || ?<br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/RadioGatun RadioGatun[w]] || Bertoni, Daemen, Peeters, van Assche || align="center"|2006 || ?<br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/RIPEMD RIPEMD] || The RIPE Consortium || align="center"|1990 || broken<br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/RIPEMD-128 RIPEMD-128] || Dobbertin, Bosselaers, Preneel || align="center"|1996 || ?<br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/RIPEMD-160 RIPEMD-160] || Dobbertin, Bosselaers, Preneel || align="center"|1996 || ?<br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/SHA0 SHA-0] || NIST/NSA || align="center"|1991 || broken <br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/SHA-1 SHA-1] || NIST/NSA || align="center"|1993 || broken/wounded?<br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/SHA-224 SHA-224] || NIST/NSA || align="center"|2004 || <br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/SHA256 SHA-256] || NIST/NSA || align="center"|2000 || <br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/SHA384 SHA-384] || NIST/NSA || align="center"|2000 || <br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/SHA512 SHA-512] || NIST/NSA || align="center"|2000 || <br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/SMASH SMASH] || Knudsen || align="center"|2005 || broken <br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/Snefru-n Snefru-n] || Merkle || align="center"|1990 || broken <br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/StepRightUp StepRightUp] || Daemen || align="center"|1995 || wounded <br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/SubHash SubHash] || Daemen || align="center"|1992 || ?<br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/Tiger Tiger] || Anderson, Biham || align="center"|1996 || some preliminary results<br />
|-<br />
| [http://mediawiki.iaik.tugraz.at/index.php/Whirlpool Whirlpool] || Barreto and Rijmen || align="center"|2000 || ?<br />
|}</div>Nobbihttps://ehash.iaik.tugraz.at/index.php?title=The_eHash_Main_Page&diff=1578The eHash Main Page2006-10-24T14:46:31Z<p>Nobbi: /* Generic Attacks on Hash Functions */</p>
<hr />
<div>== List of Hash Functions ==<br />
<br />
On this page you can find a collection of existing hash functions.<br />
<br />
[http://mediawiki.iaik.tugraz.at/index.php/HashFunctions Collection of Cryptographic Hash Functions]<br />
<br />
== Notation and Definition ==<br />
<br />
== Generic Attacks on Hash Functions ==<br />
<br />
=== Birthday Attack & Generalized Birthday Attack ===<br />
<br />
== Some How Tos ==<br />
<br />
=== Working with maths and Tex ===<br />
<br />
We can write "normal" LaTeX equations by using the ''math'' class. For instance, the following code <br />
<br />
<blockquote style="background: white; border: 1px solid black; padding: 1em;"><pre><nowiki><br />
<math><br />
{\textbf x}_{t} = {\textbf f}({x}_{t-1},{u}_{t-1},{p}_{t-1})<br />
</math><br />
</nowiki></pre></blockquote><br />
<br />
is displayed as<br />
<br />
<math><br />
{\textbf x}_{t} = {\textbf f}({x}_{t-1},{u}_{t-1},{p}_{t-1})<br />
</math><br />
<br />
In order to use tex commands from the amsmath package we use the class ''amsmath''. <br />
Automated numbering of equations works within a single ''amsmath'' environment.<br />
The class amsmath uses the tex template defined in<br />
/var/www/html/mediawiki/extensions/wikitex/wikitex.math.inc.tex<br />
<br />
I changed the template such that we can define global commands. The template looks like<br />
<br />
<blockquote style="background: white; border: 1px solid black; padding: 1em;"><pre><nowiki><br />
\documentclass[10pt]{article}<br />
\usepackage{amssymb,amsmath,amscd,concmath}<br />
% we can define whatever commands we would like to use for consistency.<br />
% of course we have to list these special commands somewhere (maybe we can use<br />
% a pop-up with editing help or something similar)<br />
% for instance:<br />
\newcommand{\rs}{\ensuremath{\gg}} %right shift >><br />
\newcommand{\ls}{\ensuremath{\ll}} %left shift <<<br />
\newcommand{\rr}{\ensuremath{\ggg}} %right rotate >>><br />
\newcommand{\lr}{\ensuremath{\lll}} %left rotate <<<<br />
\pagestyle{empty}<br />
\begin{document}<br />
%value%<br />
\end{document}<br />
</nowiki></pre></blockquote><br />
<br />
For instance:<br />
<br />
{| align="center" border="1" cellpadding="10" cellspacing="0" <br />
|-<br />
!code fragment <br />
!displayed equation<br />
|-<br />
|<br />
<pre><nowiki><br />
<amsmath><br />
\begin{equation}<br />
a = \sum_{i=0}^{n}{2^i}<br />
\end{equation}<br />
</amsmath><br />
</nowiki></pre><br />
|<br />
<amsmath><br />
\begin{equation}<br />
a = \sum_{i=0}^{n}{2^i}<br />
\end{equation}<br />
</amsmath><br />
|-<br />
! colspan="2" style="background:#ffdead;" | %value% in tex-template is \begin{equation}...\end{equation}<br />
|}<br />
<br />
<br />
<br />
If we start a new ''amsmath'' environment, the equation numbering starts again from 1. Start a new ''amsmath'' environment:<br />
<br />
<amsmath><br />
\begin{equation}<br />
b = \sum_{i=0}^{n}{2^i}<br />
\end{equation}<br />
\begin{equation}<br />
a = \sum_{i=0}^{n}{2^i}<br />
\end{equation}<br />
\begin{eqnarray}<br />
a &\lr& b\\<br />
c &\rr& d\\<br />
e &\ls& f\\<br />
g &\rs& h<br />
\end{eqnarray}<br />
</amsmath><br />
<br />
As we see, both environments start with 1.<br />
<br />
'''Note: to refer to an equation we will have to use a wiki link ...'''<br />
<br />
If we use math inline then we have the following possibilities:<br />
<br />
* Best known attack: 2<sup>63</sup> by Wang et al., using HTML: <pre><nowiki>2<sup>63</sup></nowiki></pre><br />
* Best known attack: <amsmath>\begin{displaymath}2^{63}\end{displaymath}</amsmath> by Wang et al., using amsmath: <pre><nowiki><amsmath>\begin{displaymath}2^{63}\end{displaymath}</amsmath></nowiki></pre><br />
* Best known attack: <math>2^{63}</math> by Wang et al., using math: <pre><nowiki><math>2^{63}</math></nowiki></pre><br />
<br />
<br />
I think the first case looks best regarding the inline alignment, so I would suggest using HTML for powers.<br />
<br />
=== References and bibtex ===<br />
<br />
==== Misc ====<br />
<br />
<blockquote style="background: white; border: 1px solid black; padding: 1em;"><pre><nowiki><br />
<bibtex><br />
@MISC{HATTORI2004Complexityofthe,<br />
author = {Mitsuhiro HATTORI and Shoichi HIROSE and Susumu YOSHIDA},<br />
title = {Complexity of the Collision and Near-Collision Attack on SHA-0 with Different Message Schedules},<br />
howpublished = {Cryptology ePrint Archive, Report 2004/325},<br />
year = {2004},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/},<br />
}<br />
</bibtex><br />
</nowiki></pre></blockquote><br />
<br />
is displayed as:<br />
<br />
<bibtex><br />
@MISC{HATTORI2004Complexityofthe,<br />
author = {Mitsuhiro HATTORI and Shoichi HIROSE and Susumu YOSHIDA},<br />
title = {Complexity of the Collision and Near-Collision Attack on SHA-0 with Different Message Schedules},<br />
howpublished = {Cryptology ePrint Archive, Report 2004/325},<br />
year = {2004},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/},<br />
}<br />
</bibtex><br />
<br />
----<br />
==== InProceedings ====<br />
<br />
<br />
<blockquote style="background: white; border: 1px solid black; padding: 1em;"><pre><nowiki><br />
<bibtex><br />
@INPROCEEDINGS{2,<br />
author = {Daewan Han and Sangwoo Park and Seongtaek Chee},<br />
title = {Cryptanalysis of the Modified Version of the Hash Function Proposed at PKC'98.},<br />
booktitle = {Fast Software Encryption 2002},<br />
year = {2002},<br />
series = {LNCS},<br />
pages = {252-262},<br />
volume = {2365},<br />
publisher = {Springer},<br />
editor = {Joan Daemen and Vincent Rijmen},<br />
abstract = {This is the abstract of this paper}<br />
}<br />
</bibtex><br />
</nowiki></pre></blockquote><br />
<br />
is displayed as:<br />
<br />
<bibtex><br />
@INPROCEEDINGS{2,<br />
author = {Daewan Han and Sangwoo Park and Seongtaek Chee},<br />
title = {Cryptanalysis of the Modified Version of the Hash Function Proposed at PKC'98.},<br />
booktitle = {Fast Software Encryption 2002},<br />
year = {2002},<br />
series = {LNCS},<br />
pages = {252-262},<br />
volume = {2365},<br />
publisher = {Springer},<br />
editor = {Joan Daemen and Vincent Rijmen},<br />
abstract = {This is the abstract of this paper}<br />
}<br />
</bibtex><br />
<br />
<br />
----<br />
<br />
==== Article ====<br />
<br />
<blockquote style="background: white; border: 1px solid black; padding: 1em;"><pre><nowiki><br />
<bibtex><br />
@ARTICLE{3,<br />
author = {Hans Dobbertin},<br />
title = {Cryptanalysis Of MD4},<br />
journal = {Journal of Cryptology},<br />
year = {1998},<br />
volume = {11},<br />
number = {4},<br />
pages = {253--271},<br />
}<br />
</bibtex><br />
</nowiki></pre></blockquote><br />
<br />
is displayed as:<br />
<br />
<bibtex><br />
@ARTICLE{3,<br />
author = {Hans Dobbertin},<br />
title = {Cryptanalysis Of MD4},<br />
journal = {Journal of Cryptology},<br />
year = {1998},<br />
volume = {11},<br />
number = {4},<br />
pages = {253--271},<br />
}<br />
</bibtex><br />
<br />
----<br />
<br />
==== Book ====<br />
<br />
<blockquote style="background: white; border: 1px solid black; padding: 1em;"><pre><nowiki><br />
<bibtex><br />
@BOOK{4,<br />
title = {Handbook of Applied Cryptography},<br />
publisher = {CRC Press},<br />
year = {1997},<br />
author = {Alfred J. Menezes and Paul C. van Oorschot and Scott A. Vanstone},<br />
note = {Available online at \url{http://www.cacr.math.uwaterloo.ca/hac/}},<br />
}<br />
</bibtex><br />
</nowiki></pre></blockquote><br />
<br />
is displayed as:<br />
<br />
<bibtex><br />
@BOOK{4,<br />
title = {Handbook of Applied Cryptography},<br />
publisher = {CRC Press},<br />
year = {1997},<br />
author = {Alfred J. Menezes and Paul C. van Oorschot and Scott A. Vanstone},<br />
note = {Available online at \url{http://www.cacr.math.uwaterloo.ca/hac/}},<br />
}<br />
</bibtex><br />
<br />
----<br />
<br />
=== About different skins ===<br />
Every user can define his own skin. Nevertheless, it turns out that the skin influences the alignment of inline amsmath environments. If we use the standard skin, namely MonoBook (default), then the alignment is pretty ok.<br />
<br />
Therefore, I suggest keeping this skin as the default.<br />
<br />
<br />
[http://mediawiki.iaik.tugraz.at/index.php/Testpage1 Testpage1]<br />
<br />
== Getting started ==<br />
<br />
* [http://www.mediawiki.org/wiki/Help:FAQ MediaWiki FAQ]<br />
* [http://mail.wikipedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list]<br />
<br />
<br />
----<br />
ECRYPT is a Network of Excellence within the Information Societies Technology (IST) Programme of the European Commission. The information on this web site is provided as is, and no guarantee or warranty is given or implied that the information is fit for any particular purpose. The user thereof uses the information at his or her sole risk and liability.<br />
----</div>Nobbihttps://ehash.iaik.tugraz.at/index.php?title=Talk:SHA-1&diff=1571Talk:SHA-12006-10-24T11:33:36Z<p>Nobbi: </p>
<hr />
<div></div>Nobbihttps://ehash.iaik.tugraz.at/index.php?title=Talk:SHA-1&diff=1570Talk:SHA-12006-10-24T11:33:22Z<p>Nobbi: </p>
<hr />
<div>This is a test for a discussion</div>Nobbihttps://ehash.iaik.tugraz.at/index.php?title=Talk:SHA-1&diff=1569Talk:SHA-12006-10-24T11:33:03Z<p>Nobbi: TEST</p>
<hr />
<div>This is a test for a discussion<br />
<br />
== TEST ==<br />
<br />
sadsaökdä sadkösaädkasä --[[User:Nobbi|Nobbi]] 13:33, 24 October 2006 (CEST)</div>Nobbihttps://ehash.iaik.tugraz.at/index.php?title=Talk:SHA-1&diff=1568Talk:SHA-12006-10-24T11:32:05Z<p>Nobbi: </p>
<hr />
<div>This is a test for a discussion</div>Nobbihttps://ehash.iaik.tugraz.at/index.php?title=SHA-1&diff=1567SHA-12006-10-24T11:30:18Z<p>Nobbi: /* Second Preimage Attacks */</p>
<hr />
<div>== General ==<br />
<br />
* digest size: 160 bits<br />
* max. message length: < 2<sup>64</sup> bits<br />
* type: iterative hash function<br />
* compression function: 512-bit message block, 160-bit chaining variable<br />
* [http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf Specification: FIPS 180-2 Secure Hash Standard]<br />
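The parameters listed above (512-bit message block, 160-bit chaining variable, iterated construction, message length below 2<sup>64</sup> bits) made concrete: the following is an added worked example, written for this page and not code from the eHash wiki or from NIST. It implements SHA-1 in pure Python directly from the FIPS 180-2 description, with the padding, the per-block compression function and the chaining loop kept as separate functions so that the iterative structure is visible, and it checks its output against the standard library's hashlib. The function and variable names are this example's own choices.

```python
"""Added example: a from-spec SHA-1 showing the iterated (Merkle-Damgard)
structure with 512-bit blocks and a 160-bit chaining variable.
Reference implementation for study only; use hashlib in real code."""
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def rotl32(x: int, n: int) -> int:
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def pad_message(msg: bytes) -> bytes:
    """FIPS 180-2 padding: append 0x80, then zero bytes, then the 64-bit
    big-endian bit length, so the result is a multiple of 64 bytes (512 bits).
    The 64-bit length field is why SHA-1 is defined only for < 2^64 bits."""
    bit_len = len(msg) * 8
    assert bit_len < 2 ** 64, "message too long for SHA-1"
    padded = msg + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack(">Q", bit_len)


def compress(h: tuple, block: bytes) -> tuple:
    """One compression-function call: 160-bit chaining variable h (five 32-bit
    words) plus one 512-bit block -> new 160-bit chaining variable."""
    assert len(block) == 64
    # Message expansion: 16 input words expanded to 80 (the rotate-by-1 is the
    # difference between SHA-0 and SHA-1).
    w = list(struct.unpack(">16I", block))
    for t in range(16, 80):
        w.append(rotl32(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    a, b, c, d, e = h
    for t in range(80):
        if t < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif t < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif t < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        tmp = (rotl32(a, 5) + (f & MASK32) + e + k + w[t]) & MASK32
        a, b, c, d, e = tmp, a, rotl32(b, 30), c, d
    # Feed-forward: add the step output to the input chaining value.
    return tuple((x + y) & MASK32 for x, y in zip(h, (a, b, c, d, e)))


# Initial 160-bit chaining value from the standard.
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def sha1_hex(msg: bytes) -> str:
    """Iterate the compression function over the padded message."""
    padded = pad_message(msg)
    h = IV
    for i in range(0, len(padded), 64):
        h = compress(h, padded[i:i + 64])
    return "".join(f"{x:08x}" for x in h)


def matches_hashlib(msg: bytes) -> bool:
    """Cross-check this implementation against the standard library."""
    return sha1_hex(msg) == hashlib.sha1(msg).hexdigest()


if __name__ == "__main__":
    for m in [b"", b"abc", b"a" * 1000]:
        print(sha1_hex(m), matches_hashlib(m))
```

Note how `pad_message` turns a 56-byte input into two 512-bit blocks: the length field no longer fits in the first block, so a second block is needed. This is the same length-padding that makes the Merkle-Damgård construction vulnerable to length-extension when a bare hash is used as a MAC, which is why HMAC wraps the hash instead.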
<br />
== Cryptanalysis ==<br />
<br />
=== Best Known Results ===<br />
<br />
The best collision attack on full SHA-1 was published by Wang et al. It has a complexity of 2<sup>69</sup> hash evaluations. The best collision example, a 64-step collision for SHA-1, was published by De Cannière and Rechberger.<br />
----<br />
<br />
=== Collision Attacks ===<br />
<br />
<bibtex><br />
@inproceedings{Yin2006Collision-ResistantUsageOf,<br />
author = {Michael Szydlo and Yiqun Lisa Yin},<br />
title = {Collision-Resistant Usage of MD5 and SHA-1 Via Message Preprocessing.},<br />
booktitle = {CT-RSA 2006},<br />
year = {2006},<br />
pages = {99-114},<br />
url = {http://dx.doi.org/10.1007/11605805_7},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3860},<br />
abstract = {A series of recent papers have demonstrated collision attacks on popularly used hash functions, including the widely deployed MD5 and SHA-1 algorithm. To assess this threat, the natural response has been to evaluate the extent to which various protocols actually depend on collision resistance for their security, and potentially schedule an upgrade to a stronger hash function. Other options involve altering the protocol in some way. This work suggests a different option. We present several simple message pre-processing techniques and show how the techniques can be combined with MD5 or SHA-1 so that applications are no longer vulnerable to the known collision attacks. For some applications, this may a viable alternative to upgrading the hash function.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{Pramstaller2005ExploitingCodingTheory,<br />
author = {Norbert Pramstaller and Christian Rechberger and Vincent Rijmen},<br />
title = {Exploiting Coding Theory for Collision Attacks on SHA-1},<br />
booktitle = {Cryptography and Coding 2005},<br />
year = {2005},<br />
editor = {Nigel P. Smart},<br />
volume = {3796},<br />
series = {LNCS},<br />
pages = {78-95},<br />
publisher = {Springer},<br />
url = {http://dx.doi.org/10.1007/11586821_7},<br />
abstract = {In this article we show that coding theory can be exploited efficiently for the cryptanalysis of hash functions. We will mainly focus on SHA-1. We present different linear codes that are used to find low-weight differences that lead to a collision. We extend existing approaches and include recent results in the cryptanalysis of hash functions. With our approach we are able to find differences with very low weight. Based on the weight of these differences we conjecture the complexity for a collision attack on the full SHA-1.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Pramstaller2005ImpactOfRotations,<br />
author = {Norbert Pramstaller and Christian Rechberger and Vincent Rijmen},<br />
title = {Impact of Rotations in SHA-1 and Related Hash Functions.},<br />
booktitle = {SAC 2005},<br />
year = {2006},<br />
pages = {261-275},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3897},<br />
url = {http://dx.doi.org/10.1007/11693383_18},<br />
abstract = {SHA-1 uses a single set of rotation constants within the compression function. However, most other members of the MD4 family of hash functions use multiple sets of rotation constants, i.e. the rotation amounts change with the step being processed. To our knowledge, no design rationales on the choice of rotation constants are given on any of these hash functions. This is the first paper that analyzes rotations in iterated hash functions. We focus on SHA-1-like hash functions and use recent developments in the analysis of these hash functions to evaluate the security implications of using multiple sets of rotation constants in the compression function instead of a single set. Additionally, we give some observations on the set of constants used in SHA-0 and SHA-1.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@MISC{Wang2005NewCollisionSearch,<br />
author = {Xiaoyun Wang and Andrew Yao and Frances Yao},<br />
title = {New Collision Search for SHA-1},<br />
month = {August},<br />
year = {2005},<br />
howpublished = {Presented at rump session of CRYPTO 2005},<br />
note = {Presented at rump session of CRYPTO 2005},<br />
owner = {npramstaller},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@MISC{Wang2005CryptanalysisOfSHA1,<br />
author = {Xiaoyun Wang and Andrew Yao and Frances Yao},<br />
title = {Cryptanalysis of SHA-1},<br />
howpublished = {Presented at the Cryptographic Hash Workshop hosted by NIST},<br />
month = {October},<br />
year = {2005},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{Wang2005FindingCollisionsin,<br />
author = {Xiaoyun Wang and Yiqun Lisa Yin and Hongbo Yu},<br />
title = {Finding Collisions in the Full SHA-1},<br />
booktitle = {Advances in Cryptology - CRYPTO 2005},<br />
year = {2005},<br />
editor = {Victor Shoup},<br />
volume = {3621},<br />
series = {LNCS},<br />
pages = {17-36},<br />
url = {http://dx.doi.org/10.1007/11535218_2},<br />
publisher = {Springer},<br />
abstract = {In this paper, we present new collision search attacks on the hash function SHA-1. We show that collisions of SHA-1 can be found with complexity less than 2<sup>69</sup> hash operations. This is the first attack on the full 80-step SHA-1 with complexity less than the 2<sup>80</sup> theoretical bound.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{Rijmen2005UpdateonSHA-1,<br />
author = {Vincent Rijmen and Elisabeth Oswald},<br />
title = {Update on SHA-1},<br />
booktitle = {CT-RSA 2005},<br />
year = {2005},<br />
editor = {Alfred Menezes},<br />
volume = {3376},<br />
series = {LNCS},<br />
pages = {58-71},<br />
publisher = {Springer},<br />
url = {http://dx.doi.org/10.1007/b105222},<br />
abstract = {We report on the experiments we performed in order to assess the security of SHA-1 against the attack by Chabaud and Joux [5]. We present some ideas for optimizations of the attack and some properties of the message expansion routine. Finally, we show that for a reduced version of SHA-1, with 53 rounds instead of 80, it is possible to find collisions in less than 2<sup>80</sup> operations.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{Biham2005CollisionsofSHA-0,<br />
author = {Eli Biham and Rafi Chen and Antoine hirose and Patrick Carribault and Christophe Lemuet and William Jalby},<br />
title = {Collisions of SHA-0 and Reduced SHA-1},<br />
booktitle = {Advances in Cryptology - EUROCRYPT 2005},<br />
year = {2005},<br />
editor = {Ronald Cramer},<br />
volume = {3494},<br />
series = {LNCS},<br />
pages = {36-57},<br />
publisher = {Springer},<br />
url = {http://dx.doi.org/10.1007/11426639_3},<br />
abstract = {In this paper we describe improvements to the techniques used to cryptanalyze SHA-0 and introduce the first results on SHA-1. The results include a generic multi-block technique that uses near-collisions in order to find collisions, and a four-block collision of SHA-0 found using this technique with complexity 2<sup>51</sup>. Then, extension of this and prior techniques are presented, that allow us to find collisions of reduced versions of SHA-1. We give collisions of variants with up to 40 rounds, and show the complexities of longer variants. These techniques show that collisions up to about 53-58 rounds can still be found faster than by birthday attacks.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Satoh2005HardwareArchitectureAnd,<br />
author = {Akashi Satoh},<br />
title = {Hardware Architecture and Cost Estimates for Breaking SHA-1.},<br />
booktitle = {ISC 2005},<br />
year = {2005},<br />
pages = {259-273},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3650},<br />
url = {http://dx.doi.org/10.1007/11556992_19},<br />
abstract = {The cryptanalysis of hash functions has advanced rapidly, and many hash functions have been broken one after another. The most popular hash function SHA-1 has not been broken yet, but the new collision search techniques proposed by Wang et al. reduced the computational complexity down to 2<sup>69</sup>, which is only 1/2,000 of the 2<sup>80</sup> operations needed for a birthday attack. The complexity is still too large even for today’s supercomputers, but no feasibility study of breaking SHA-1 using specialized hardware has been reported. The well known brute force attack on DES simply repeats the DES operation 2<sup>56</sup> times at a maximum, but the complexity of 2<sup>69</sup> hash operations to break SHA-1 does not mean 2<sup>69</sup> SHA-1 operations. Complex procedures using SHA-1 functions are required, and the total number of operations based on the probability of a collision occurrence is almost equivalent to the 2<sup>69</sup> SHA-1 operations. Therefore, we describe a procedure and propose an LSI architecture to find real collisions for SHA-1 in this paper. The hardware core was synthesized by using a 0.13-µm CMOS standard cell library, and its performances in speed, size, and power consumption were evaluated. A $10 million budget can build a custom hardware system that would consist of 303 personal computers with 16 circuit boards each, in which 32 SHA-1-breaking LSIs are mounted. Each LSI has 64 SHA-1 cores that can run in parallel. This system would find a real collision in 127 days.}<br />
}<br />
</bibtex><br />
<br />
----<br />
<br />
=== Second Preimage Attacks ===<br />
<br />
<bibtex><br />
@inproceedings{Kelsey2005SecondPreimageOn,<br />
author = {John Kelsey and Bruce Schneier},<br />
title = {Second Preimages on n-Bit Hash Functions for Much Less than $2^n$ Work.},<br />
booktitle = {EUROCRYPT},<br />
year = {2005},<br />
pages = {474-490},<br />
url = {http://dx.doi.org/10.1007/11426639_28},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3494},<br />
abstract = {We expand a previous result of Dean [Dea99] to provide a second preimage attack on all n-bit iterated hash functions with Damgård-Merkle strengthening and n-bit intermediate states, allowing a second preimage to be found for a 2<sup>k</sup>-message-block message with about k × 2<sup>n/2+1</sup> + 2<sup>n - k + 1</sup> work. Using RIPEMD-160 as an example, our attack can find a second preimage for a 2<sup>60</sup> byte message in about 2<sup>106</sup> work, rather than the previously expected 2<sup>160</sup> work. We also provide slightly cheaper ways to find multicollisions than the method of Joux [Jou04]. Both of these results are based on expandable messages-patterns for producing messages of varying length, which all collide on the intermediate hash result immediately after processing the message. We provide an algorithm for finding expandable messages for any n-bit hash function built using the Damgård-Merkle construction, which requires only a small multiple of the work done to find a single collision in the hash function.},<br />
}<br />
</bibtex><br />
<br />
'''Note:''' This article shows that second preimages can be found in much less than 2<sup>n</sup> work. This approach works for all iterated hash functions. Nevertheless, this attack is not practical since a huge amount of data is required.<br />
----<br />
<br />
=== Preimage Attacks ===<br />
* We are not aware of any articles w.r.t. preimage attacks on SHA-1.<br />
----<br />
<br />
=== Others ===<br />
<br />
<bibtex><br />
@inproceedings{Saarinen2003CryptanalysisOfBlock,<br />
author = {Markku-Juhani Olavi Saarinen},<br />
title = {Cryptanalysis of Block Ciphers Based on SHA-1 and MD5.},<br />
booktitle = {FSE 2003},<br />
year = {2003},<br />
pages = {36-44},<br />
url = {http://springerlink.metapress.com/content/xu0qg98tg38gl7nf/?p=2664f1c23d3f433f9d3fd6a9a1350eda&pi=3},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {2887},<br />
abstract = {We cryptanalyse some block cipher proposals that are based on dedicated hash functions SHA-1 and MD5. We discuss a related-key attack against SHACAL-1 and present a method for finding "slid pairs" for it. We also present simple attacks against MDC-MD5 and the Kaliski-Robshaw block cipher.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Handschuh2001AnalysisOfSHA-1,<br />
author = {Helena Handschuh and Lars R. Knudsen and Matthew J. B. Robshaw},<br />
title = {Analysis of SHA-1 in Encryption Mode.},<br />
booktitle = {CT-RSA 2001},<br />
year = {2001},<br />
pages = {70-83},<br />
url = {http://link.springer.de/link/service/series/0558/bibs/2020/20200070.htm},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {2020},<br />
abstract = {This paper analyses the cryptographic hash function SHA-1 in encryption mode. A detailed analysis is given of the resistance of SHA-1 against the most powerful known attacks today. It is concluded that none of these attacks can be applied successfully in practice to SHA-1. Breaking SHA-1 in encryption mode requires either an unrealistic amount of computation time and known/chosen texts, or a major breakthrough in cryptanalysis. The original motivation for this analysis is to investigate a block cipher named SHACAL based on these principles. SHACAL has been submitted to the NESSIE call for cryptographic primitives.},<br />
}<br />
</bibtex><br />
----<br />
<br />
== Performance Evaluation / Implementation (HW and SW) ==<br />
<br />
<bibtex><br />
@inproceedings{Lee2006,<br />
author = {Yong Ki Lee and Herwin Chan and Ingrid Verbauwhede},<br />
title = {Throughput Optimized SHA-1 Architecture Using Unfolding Transformation.},<br />
booktitle = {ASAP 2006},<br />
year = {2006},<br />
pages = {354-359},<br />
url = {http://doi.ieeecomputersociety.org/10.1109/ASAP.2006.68},<br />
publisher = {IEEE Computer Society},<br />
abstract = {In this paper, we analyze the theoretical delay bound of the SHA-1 algorithm and propose architectures to achieve high throughput hardware implementations which approach this bound. According to the results of FPGA implementations, 3,541 Mbps with a pipeline and 893 Mbps without a pipeline were achieved. Moreover, synthesis results using 0.18 µm CMOS technology showed that 10.4 Gbps with a pipeline and 3.1 Gbps without a pipeline can be achieved. These results are much faster than previously published results. The high throughputs are due to the unfolding transformation, which reduces the number of required cycles for one block hash. We reduced the required number of cycles to 12 cycles for a 512 bit block and showed that 12 cycles is the optimal in our design.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Chaves2006,<br />
author = {Ricardo Chaves and Georgi Kuzmanov and Leonel Sousa and Stamatis Vassiliadis},<br />
title = {Rescheduling for Optimized SHA-1 Calculation.},<br />
booktitle = {SAMOS 2006},<br />
year = {2006},<br />
pages = {425-434},<br />
url = {http://dx.doi.org/10.1007/11796435_43},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {4017},<br />
abstract = {This paper proposes the rescheduling of the SHA-1 hash function operations on hardware implementations. The proposal is mapped on the Xilinx Virtex II Pro technology. The proposed rescheduling allows for a manipulation of the critical path in the SHA-1 function computation, facilitating the implementation of a more parallelized structure without an increase on the required hardware resources. Two cores have been developed, one that uses a constant initialization vector and a second one that allows for different Initialization Vectors (IV), in order to be used in HMAC and in the processing of fragmented messages. A hybrid software/hardware implementation is also proposed. Experimental results indicate a throughput of 1.4 Gbits/s requiring only 533 slices for a constant IV and 596 for an imputable IV. Comparisons to SHA-1 related art suggest improvements of the throughput/slice metric of 29% against the most recent commercial cores and 59% to the current academia proposals.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Michail2005OptimizingSHA-1Hash,<br />
author = {H. E. Michail and A. P. Kakarountas and George N. Selimis and Costas E. Goutis},<br />
title = {Optimizing SHA-1 Hash Function for High Throughput with a Partial Unrolling Study.},<br />
booktitle = {PATMOS 2005},<br />
year = {2005},<br />
pages = {591-600},<br />
url = {http://dx.doi.org/10.1007/11556930_60},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3728},<br />
abstract = {Hash functions are widely used in applications that call for data integrity and signature authentication at electronic transactions. A hash function is utilized in the security layer of every communication protocol. As time passes more sophisticated applications arise that address to more users-clients and thus demand for higher throughput. Furthermore, due to the tendency of the market to minimize devices’ size and increase their autonomy to make them portable, power issues have also to be considered. The existing SHA-1 Hash Function implementations (SHA-1 is common in many protocols e.g. IPSec) limit throughput to a maximum of 2 Gbps. In this paper, a new implementation comes to exceed this limit improving the throughput by 53%. Furthermore, power dissipation is kept low compared to previous works, in such way that the proposed implementation can be characterized as low-power.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Toma2005FormalVerificationOf,<br />
author = {Diana Toma and Dominique Borrione},<br />
title = {Formal Verification of a SHA-1 Circuit Core Using ACL2.},<br />
booktitle = {TPHOLs 2005},<br />
year = {2005},<br />
pages = {326-341},<br />
url = {http://dx.doi.org/10.1007/11541868_21},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3603},<br />
abstract = {Our study was part of a project aiming at the design and verification of a circuit for secure communications between a computer and a terminal smart card reader. A SHA-1 component is included in the circuit. SHA-1 is a cryptographic primitive that produces, for any message, a 160 bit message digest. We formalize the standard specification in ACL2, then automatically produce the ACL2 model for the VHDL RTL design; finally, we prove the implementation compliant with the specification. We apply a stepwise approach that proves theorems about each computation step of the RTL design, using intermediate digest functions.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Jarvinen2005ACompactMD5,<br />
author = {Kimmo U. J{\"a}rvinen and Matti Tommiska and Jorma Skytt{\"a}},<br />
title = {A Compact MD5 and SHA-1 Co-Implementation Utilizing Algorithm Similarities.},<br />
booktitle = {ERSA},<br />
year = {2005},<br />
pages = {48-54},<br />
publisher = {CSREA Press},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Lien2004A1Gbit/s,<br />
author = {Roar Lien and Tim Grembowski and Kris Gaj},<br />
title = {A 1 Gbit/s Partially Unrolled Architecture of Hash Functions SHA-1 and SHA-512.},<br />
booktitle = {CT-RSA},<br />
year = {2004},<br />
pages = {324-338},<br />
url = {http://dx.doi.org/10.1007/b95630},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {2964},<br />
abstract = {Hash functions are among the most widespread cryptographic primitives, and are currently used in multiple cryptographic schemes and security protocols, such as IPSec and SSL. In this paper, we investigate a new hardware architecture for a family of dedicated hash functions, including American standards SHA-1 and SHA-512. Our architecture is based on unrolling several message digest steps and executing them in one clock cycle. This modification permits implementing the majority of dedicated hash functions with a throughput exceeding 1 Gbit/s using medium-size Xilinx Virtex FPGAs. In particular, our new architecture has enabled us to speed up the implementation of SHA-1 compared to the basic iterative architecture from 544 Mbit/s to 1 Gbit/s using Xilinx XCV1000. The implementation of SHA-512 has been sped up from 717 to 929 Mbit/s for Virtex FPGAs, and exceeded 1 Gbit/s for Virtex-E Xilinx FPGAs.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Wang2004AnHMACProcessor,<br />
author = {Mao-Yin Wang and Chih-Pin Su and Chih-Tsun Huang and Cheng-Wen Wu},<br />
title = {An HMAC processor with integrated SHA-1 and MD5 algorithms.},<br />
booktitle = {ASP-DAC},<br />
year = {2004},<br />
pages = {456-458},<br />
url = {http://doi.acm.org/10.1145/1015090.1015204},<br />
publisher = {IEEE},<br />
abstract = {Cryptographic algorithms are prevalent and important in digital communications and storage, e.g., both SHA-1 and MD5 algorithms are widely used hash functions in IPSec and SSL for checking the data integrity. In this paper, we propose a hardware architecture for the standard HMAC function that supports both. Our HMAC design automatically generates the padding words and reuses the key for consecutive HMAC jobs that use the same key. We have also implemented the HMAC design in silicon. Compared with existing designs, our HMAC processor has lower hardware cost---12.5% by sharing of the SHA-1 and MD5 circuitry and a little performance penalty.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Grembowski2002ComparativeAnalysisOf,<br />
author = {Tim Grembowski and Roar Lien and Kris Gaj and Nghi Nguyen and Peter Bellows and Jaroslav Flidr and Tom Lehman and Brian Schott},<br />
title = {Comparative Analysis of the Hardware Implementations of Hash Functions SHA-1 and SHA-512.},<br />
booktitle = {ISC},<br />
year = {2002},<br />
pages = {75-89},<br />
url = {http://link.springer.de/link/service/series/0558/bibs/2433/24330075.htm},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {2433},<br />
abstract = {Hash functions are among the most widespread cryptographic primitives, and are currently used in multiple cryptographic schemes and security protocols such as IPSec and SSL. In this paper, we compare and contrast hardware implementations of the newly proposed draft hash standard SHA-512, and the old standard, SHA-1. In our implementation based on Xilinx Virtex FPGAs, the throughput of SHA-512 is equal to 670 Mbit/s, compared to 530 Mbit/s for SHA-1. Our analysis shows that the newly proposed hash standard is not only orders of magnitude more secure, but also significantly faster than the old standard. The basic iterative architectures of both hash functions are faster than the basic iterative architectures of symmetric-key ciphers with equivalent security.},<br />
}<br />
</bibtex><br />
<br />
== eHash Recommendation (optional) or eHash Opinion ==<br />
Something like: SHA-1 is considered to be broken. Please do not incorporate SHA-1 in new applications any longer. Try to migrate to another hash function.</div>Nobbihttps://ehash.iaik.tugraz.at/index.php?title=SHA-1&diff=1565SHA-12006-10-23T13:32:46Z<p>Nobbi: /* Second Preimage Attacks */</p>
<hr />
<div>== General ==<br />
<br />
* digest size: 160 bits<br />
* max. message length: < 2<sup>64</sup> bits<br />
* type: iterative hash function<br />
* compression function: 512-bit message block, 160-bit chaining variable<br />
* [http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf Specification: FIPS 180-2 Secure Hash Standard]<br />
<br />
== Cryptanalysis ==<br />
<br />
=== Best Known Results ===<br />
<br />
The best collision attack on full SHA-1 was published by Wang et al. It has a complexity of 2<sup>69</sup> hash evaluations. The best collision example, a 64-step collision for SHA-1, was published by De Cannière and Rechberger.<br />
----<br />
<br />
=== Collision Attacks ===<br />
<br />
<bibtex><br />
@inproceedings{Yin2006Collision-ResistantUsageOf,<br />
author = {Michael Szydlo and Yiqun Lisa Yin},<br />
title = {Collision-Resistant Usage of MD5 and SHA-1 Via Message Preprocessing.},<br />
booktitle = {CT-RSA 2006},<br />
year = {2006},<br />
pages = {99-114},<br />
url = {http://dx.doi.org/10.1007/11605805_7},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3860},<br />
abstract = {A series of recent papers have demonstrated collision attacks on popularly used hash functions, including the widely deployed MD5 and SHA-1 algorithms. To assess this threat, the natural response has been to evaluate the extent to which various protocols actually depend on collision resistance for their security, and potentially schedule an upgrade to a stronger hash function. Other options involve altering the protocol in some way. This work suggests a different option. We present several simple message pre-processing techniques and show how the techniques can be combined with MD5 or SHA-1 so that applications are no longer vulnerable to the known collision attacks. For some applications, this may be a viable alternative to upgrading the hash function.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{Pramstaller2005ExploitingCodingTheory,<br />
author = {Norbert Pramstaller and Christian Rechberger and Vincent Rijmen},<br />
title = {Exploiting Coding Theory for Collision Attacks on SHA-1},<br />
booktitle = {Cryptography and Coding 2005},<br />
year = {2005},<br />
editor = {Nigel P. Smart},<br />
volume = {3796},<br />
series = {LNCS},<br />
pages = {78-95},<br />
publisher = {Springer},<br />
url = {http://dx.doi.org/10.1007/11586821_7},<br />
abstract = {In this article we show that coding theory can be exploited efficiently for the cryptanalysis of hash functions. We will mainly focus on SHA-1. We present different linear codes that are used to find low-weight differences that lead to a collision. We extend existing approaches and include recent results in the cryptanalysis of hash functions. With our approach we are able to find differences with very low weight. Based on the weight of these differences we conjecture the complexity for a collision attack on the full SHA-1.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Pramstaller2005ImpactOfRotations,<br />
author = {Norbert Pramstaller and Christian Rechberger and Vincent Rijmen},<br />
title = {Impact of Rotations in SHA-1 and Related Hash Functions.},<br />
booktitle = {SAC 2005},<br />
year = {2006},<br />
pages = {261-275},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3897},<br />
url = {http://dx.doi.org/10.1007/11693383_18},<br />
abstract = {SHA-1 uses a single set of rotation constants within the compression function. However, most other members of the MD4 family of hash functions use multiple sets of rotation constants: the rotation amounts change with the step being processed. To our knowledge, no design rationales on the choice of rotation constants are given for any of these hash functions. This is the first paper that analyzes rotations in iterated hash functions. We focus on SHA-1-like hash functions and use recent developments in the analysis of these hash functions to evaluate the security implications of using multiple sets of rotation constants in the compression function instead of a single set. Additionally, we give some observations on the set of constants used in SHA-0 and SHA-1.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@MISC{Wang2005NewCollisionSearch,<br />
author = {Xiaoyun Wang and Andrew Yao and Frances Yao},<br />
title = {New Collision Search for SHA-1},<br />
month = {August},<br />
year = {2005},<br />
howpublished = {Presented at rump session of CRYPTO 2005},<br />
note = {Presented at rump session of CRYPTO 2005},<br />
owner = {npramstaller},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@MISC{Wang2005CryptanalysisOfSHA1,<br />
author = {Xiaoyun Wang and Andrew Yao and Frances Yao},<br />
title = {Cryptanalysis of SHA-1},<br />
howpublished = {Presented at the Cryptographic Hash Workshop hosted by NIST},<br />
month = {October},<br />
year = {2005},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{Wang2005FindingCollisionsin,<br />
author = {Xiaoyun Wang and Yiqun Lisa Yin and Hongbo Yu},<br />
title = {Finding Collisions in the Full SHA-1},<br />
booktitle = {Advances in Cryptology - CRYPTO 2005},<br />
year = {2005},<br />
editor = {Victor Shoup},<br />
volume = {3621},<br />
series = {LNCS},<br />
pages = {17--36},<br />
url = {http://dx.doi.org/10.1007/11535218_2},<br />
publisher = {Springer},<br />
abstract = {In this paper, we present new collision search attacks on the hash function SHA-1. We show that collisions of SHA-1 can be found with complexity less than 2<sup>69</sup> hash operations. This is the first attack on the full 80-step SHA-1 with complexity less than the 2<sup>80</sup> theoretical bound.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{Rijmen2005UpdateonSHA-1,<br />
author = {Vincent Rijmen and Elisabeth Oswald},<br />
title = {Update on SHA-1},<br />
booktitle = {CT-RSA 2005},<br />
year = {2005},<br />
editor = {Alfred Menezes},<br />
volume = {3376},<br />
series = {LNCS},<br />
pages = {58--71},<br />
publisher = {Springer},<br />
url = {http://dx.doi.org/10.1007/b105222},<br />
abstract = {We report on the experiments we performed in order to assess the security of SHA-1 against the attack by Chabaud and Joux [5]. We present some ideas for optimizations of the attack and some properties of the message expansion routine. Finally, we show that for a reduced version of SHA-1, with 53 rounds instead of 80, it is possible to find collisions in less than 2<sup>80</sup> operations.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{Biham2005CollisionsofSHA-0,<br />
author = {Eli Biham and Rafi Chen and Antoine hirose and Patrick Carribault and Christophe Lemuet and William Jalby},<br />
title = {Collisions of SHA-0 and Reduced SHA-1},<br />
booktitle = {Advances in Cryptology - EUROCRYPT 2005},<br />
year = {2005},<br />
editor = {Ronald Cramer},<br />
volume = {3494},<br />
series = {LNCS},<br />
pages = {36--57},<br />
publisher = {Springer},<br />
url = {http://dx.doi.org/10.1007/11426639_3},<br />
abstract = {In this paper we describe improvements to the techniques used to cryptanalyze SHA-0 and introduce the first results on SHA-1. The results include a generic multi-block technique that uses near-collisions in order to find collisions, and a four-block collision of SHA-0 found using this technique with complexity 2<sup>51</sup>. Then, extensions of this and prior techniques are presented, that allow us to find collisions of reduced versions of SHA-1. We give collisions of variants with up to 40 rounds, and show the complexities of longer variants. These techniques show that collisions up to about 53-58 rounds can still be found faster than by birthday attacks.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Satoh2005HardwareArchitectureAnd,<br />
author = {Akashi Satoh},<br />
title = {Hardware Architecture and Cost Estimates for Breaking SHA-1.},<br />
booktitle = {ISC 2005},<br />
year = {2005},<br />
pages = {259-273},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3650},<br />
url = {http://dx.doi.org/10.1007/11556992_19},<br />
abstract = {The cryptanalysis of hash functions has advanced rapidly, and many hash functions have been broken one after another. The most popular hash function SHA-1 has not been broken yet, but the new collision search techniques proposed by Wang et al. reduced the computational complexity down to 2<sup>69</sup>, which is only 1/2,000 of the 2<sup>80</sup> operations needed for a birthday attack. The complexity is still too large even for today’s supercomputers, but no feasibility study of breaking SHA-1 using specialized hardware has been reported. The well known brute force attack on DES simply repeats the DES operation 2<sup>56</sup> times at a maximum, but the complexity of 2<sup>69</sup> hash operations to break SHA-1 does not mean 2<sup>69</sup> SHA-1 operations. Complex procedures using SHA-1 functions are required, and the total number of operations based on the probability of a collision occurrence is almost equivalent to the 2<sup>69</sup> SHA-1 operations. Therefore, we describe a procedure and propose an LSI architecture to find real collisions for SHA-1 in this paper. The hardware core was synthesized by using a 0.13-µm CMOS standard cell library, and its performances in speed, size, and power consumption were evaluated. A $10 million budget can build a custom hardware system that would consist of 303 personal computers with 16 circuit boards each, in which 32 SHA-1-breaking LSIs are mounted. Each LSI has 64 SHA-1 cores that can run in parallel. This system would find a real collision in 127 days.}<br />
}<br />
</bibtex><br />
<br />
----<br />
<br />
=== Second Preimage Attacks ===<br />
<br />
<bibtex><br />
@inproceedings{Kelsey2005SecondPreimageOn,<br />
author = {John Kelsey and Bruce Schneier},<br />
title = {Second Preimages on n-Bit Hash Functions for Much Less than 2<sup>n</sup> Work.},<br />
booktitle = {EUROCRYPT},<br />
year = {2005},<br />
pages = {474-490},<br />
url = {http://dx.doi.org/10.1007/11426639_28},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3494},<br />
abstract = {We expand a previous result of Dean [Dea99] to provide a second preimage attack on all n-bit iterated hash functions with Damgård-Merkle strengthening and n-bit intermediate states, allowing a second preimage to be found for a 2<sup>k</sup>-message-block message with about k × 2<sup>n/2+1</sup> + 2<sup>n - k + 1</sup> work. Using RIPEMD-160 as an example, our attack can find a second preimage for a 2<sup>60</sup> byte message in about 2<sup>106</sup> work, rather than the previously expected 2<sup>160</sup> work. We also provide slightly cheaper ways to find multicollisions than the method of Joux [Jou04]. Both of these results are based on expandable messages: patterns for producing messages of varying length, which all collide on the intermediate hash result immediately after processing the message. We provide an algorithm for finding expandable messages for any n-bit hash function built using the Damgård-Merkle construction, which requires only a small multiple of the work done to find a single collision in the hash function.},<br />
}<br />
</bibtex><br />
<br />
'''Note:''' This article shows that second preimages can be found in much less than 2<sup>n</sup> work. The approach applies to all iterated (Damgård-Merkle) hash functions, not only SHA-1. Nevertheless, the attack is not practical, since it requires a huge amount of data in the form of extremely long target messages.<br />
----<br />
<br />
=== Preimage Attacks ===<br />
* We are not aware of any articles w.r.t. preimage attacks on SHA-1.<br />
----<br />
<br />
=== Others ===<br />
<br />
<bibtex><br />
@inproceedings{Saarinen2003CryptanalysisOfBlock,<br />
author = {Markku-Juhani Olavi Saarinen},<br />
title = {Cryptanalysis of Block Ciphers Based on SHA-1 and MD5.},<br />
booktitle = {FSE 2003},<br />
year = {2003},<br />
pages = {36-44},<br />
url = {http://springerlink.metapress.com/content/xu0qg98tg38gl7nf/?p=2664f1c23d3f433f9d3fd6a9a1350eda&pi=3},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {2887},<br />
abstract = {We cryptanalyse some block cipher proposals that are based on the dedicated hash functions SHA-1 and MD5. We discuss a related-key attack against SHACAL-1 and present a method for finding "slid pairs" for it. We also present simple attacks against MDC-MD5 and the Kaliski-Robshaw block cipher.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Handschuh2001AnalysisOfSHA-1,<br />
author = {Helena Handschuh and Lars R. Knudsen and Matthew J. B. Robshaw},<br />
title = {Analysis of SHA-1 in Encryption Mode.},<br />
booktitle = {CT-RSA 2001},<br />
year = {2001},<br />
pages = {70-83},<br />
url = {http://link.springer.de/link/service/series/0558/bibs/2020/20200070.htm},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {2020},<br />
abstract = {This paper analyses the cryptographic hash function SHA-1 in encryption mode. A detailed analysis is given of the resistance of SHA-1 against the most powerful known attacks today. It is concluded that none of these attacks can be applied successfully in practice to SHA-1. Breaking SHA-1 in encryption mode requires either an unrealistic amount of computation time and known/chosen texts, or a major breakthrough in cryptanalysis. The original motivation for this analysis is to investigate a block cipher named SHACAL based on these principles. SHACAL has been submitted to the NESSIE call for cryptographic primitives.},<br />
}<br />
</bibtex><br />
----<br />
<br />
== Performance Evaluation / Implementation (HW and SW) ==<br />
<br />
<bibtex><br />
@inproceedings{Lee2006,<br />
author = {Yong Ki Lee and Herwin Chan and Ingrid Verbauwhede},<br />
title = {Throughput Optimized SHA-1 Architecture Using Unfolding Transformation.},<br />
booktitle = {ASAP 2006},<br />
year = {2006},<br />
pages = {354-359},<br />
url = {http://doi.ieeecomputersociety.org/10.1109/ASAP.2006.68},<br />
publisher = {IEEE Computer Society},<br />
abstract = {In this paper, we analyze the theoretical delay bound of the SHA-1 algorithm and propose architectures to achieve high throughput hardware implementations which approach this bound. According to the results of FPGA implementations, 3,541 Mbps with a pipeline and 893 Mbps without a pipeline were achieved. Moreover, synthesis results using 0.18 µm CMOS technology showed that 10.4 Gbps with a pipeline and 3.1 Gbps without a pipeline can be achieved. These results are much faster than previously published results. The high throughputs are due to the unfolding transformation, which reduces the number of required cycles for one block hash. We reduced the required number of cycles to 12 cycles for a 512-bit block and showed that 12 cycles is optimal in our design.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Chaves2006,<br />
author = {Ricardo Chaves and Georgi Kuzmanov and Leonel Sousa and Stamatis Vassiliadis},<br />
title = {Rescheduling for Optimized SHA-1 Calculation.},<br />
booktitle = {SAMOS 2006},<br />
year = {2006},<br />
pages = {425-434},<br />
url = {http://dx.doi.org/10.1007/11796435_43},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {4017},<br />
abstract = {This paper proposes the rescheduling of the SHA-1 hash function operations on hardware implementations. The proposal is mapped on the Xilinx Virtex II Pro technology. The proposed rescheduling allows for a manipulation of the critical path in the SHA-1 function computation, facilitating the implementation of a more parallelized structure without an increase in the required hardware resources. Two cores have been developed, one that uses a constant initialization vector and a second one that allows for different Initialization Vectors (IV), in order to be used in HMAC and in the processing of fragmented messages. A hybrid software/hardware implementation is also proposed. Experimental results indicate a throughput of 1.4 Gbits/s requiring only 533 slices for a constant IV and 596 for an imputable IV. Comparisons to SHA-1 related art suggest improvements of the throughput/slice metric of 29% against the most recent commercial cores and 59% against the current academic proposals.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Michail2005OptimizingSHA-1Hash,<br />
author = {H. E. Michail and A. P. Kakarountas and George N. Selimis and Costas E. Goutis},<br />
title = {Optimizing SHA-1 Hash Function for High Throughput with a Partial Unrolling Study.},<br />
booktitle = {PATMOS 2005},<br />
year = {2005},<br />
pages = {591-600},<br />
url = {http://dx.doi.org/10.1007/11556930_60},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3728},<br />
abstract = {Hash functions are widely used in applications that call for data integrity and signature authentication at electronic transactions. A hash function is utilized in the security layer of every communication protocol. As time passes more sophisticated applications arise that address more users/clients and thus demand higher throughput. Furthermore, due to the tendency of the market to minimize devices’ size and increase their autonomy to make them portable, power issues have also to be considered. The existing SHA-1 Hash Function implementations (SHA-1 is common in many protocols e.g. IPSec) limit throughput to a maximum of 2 Gbps. In this paper, a new implementation comes to exceed this limit improving the throughput by 53%. Furthermore, power dissipation is kept low compared to previous works, in such a way that the proposed implementation can be characterized as low-power.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Toma2005FormalVerificationOf,<br />
author = {Diana Toma and Dominique Borrione},<br />
title = {Formal Verification of a SHA-1 Circuit Core Using ACL2.},<br />
booktitle = {TPHOLs 2005},<br />
year = {2005},<br />
pages = {326-341},<br />
url = {http://dx.doi.org/10.1007/11541868_21},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3603},<br />
abstract = {Our study was part of a project aiming at the design and verification of a circuit for secure communications between a computer and a terminal smart card reader. A SHA-1 component is included in the circuit. SHA-1 is a cryptographic primitive that produces, for any message, a 160-bit message digest. We formalize the standard specification in ACL2, then automatically produce the ACL2 model for the VHDL RTL design; finally, we prove the implementation compliant with the specification. We apply a stepwise approach that proves theorems about each computation step of the RTL design, using intermediate digest functions.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Jarvinen2005ACompactMD5,<br />
author = {Kimmo U. J{\"a}rvinen and Matti Tommiska and Jorma Skytt{\"a}},<br />
title = {A Compact MD5 and SHA-1 Co-Implementation Utilizing Algorithm Similarities.},<br />
booktitle = {ERSA},<br />
year = {2005},<br />
pages = {48-54},<br />
publisher = {CSREA Press},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Lien2004A1Gbit/s,<br />
author = {Roar Lien and Tim Grembowski and Kris Gaj},<br />
title = {A 1 Gbit/s Partially Unrolled Architecture of Hash Functions SHA-1 and SHA-512.},<br />
booktitle = {CT-RSA},<br />
year = {2004},<br />
pages = {324-338},<br />
url = {http://dx.doi.org/10.1007/b95630},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {2964},<br />
abstract = {Hash functions are among the most widespread cryptographic primitives, and are currently used in multiple cryptographic schemes and security protocols, such as IPSec and SSL. In this paper, we investigate a new hardware architecture for a family of dedicated hash functions, including American standards SHA-1 and SHA-512. Our architecture is based on unrolling several message digest steps and executing them in one clock cycle. This modification permits implementing the majority of dedicated hash functions with a throughput exceeding 1 Gbit/s using medium-size Xilinx Virtex FPGAs. In particular, our new architecture has enabled us to speed up the implementation of SHA-1 compared to the basic iterative architecture from 544 Mbit/s to 1 Gbit/s using Xilinx XCV1000. The implementation of SHA-512 has been sped up from 717 to 929 Mbit/s for Virtex FPGAs, and exceeded 1 Gbit/s for Virtex-E Xilinx FPGAs.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Wang2004AnHMACProcessor,<br />
author = {Mao-Yin Wang and Chih-Pin Su and Chih-Tsun Huang and Cheng-Wen Wu},<br />
title = {An HMAC processor with integrated SHA-1 and MD5 algorithms.},<br />
booktitle = {ASP-DAC},<br />
year = {2004},<br />
pages = {456-458},<br />
url = {http://doi.acm.org/10.1145/1015090.1015204},<br />
publisher = {IEEE},<br />
abstract = {Cryptographic algorithms are prevalent and important in digital communications and storage, e.g., both SHA-1 and MD5 algorithms are widely used hash functions in IPSec and SSL for checking the data integrity. In this paper, we propose a hardware architecture for the standard HMAC function that supports both. Our HMAC design automatically generates the padding words and reuses the key for consecutive HMAC jobs that use the same key. We have also implemented the HMAC design in silicon. Compared with existing designs, our HMAC processor has lower hardware cost---12.5% by sharing of the SHA-1 and MD5 circuitry and a little performance penalty.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Grembowski2002ComparativeAnalysisOf,<br />
author = {Tim Grembowski and Roar Lien and Kris Gaj and Nghi Nguyen and Peter Bellows and Jaroslav Flidr and Tom Lehman and Brian Schott},<br />
title = {Comparative Analysis of the Hardware Implementations of Hash Functions SHA-1 and SHA-512.},<br />
booktitle = {ISC},<br />
year = {2002},<br />
pages = {75-89},<br />
url = {http://link.springer.de/link/service/series/0558/bibs/2433/24330075.htm},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {2433},<br />
abstract = {Hash functions are among the most widespread cryptographic primitives, and are currently used in multiple cryptographic schemes and security protocols such as IPSec and SSL. In this paper, we compare and contrast hardware implementations of the newly proposed draft hash standard SHA-512, and the old standard, SHA-1. In our implementation based on Xilinx Virtex FPGAs, the throughput of SHA-512 is equal to 670 Mbit/s, compared to 530 Mbit/s for SHA-1. Our analysis shows that the newly proposed hash standard is not only orders of magnitude more secure, but also significantly faster than the old standard. The basic iterative architectures of both hash functions are faster than the basic iterative architectures of symmetric-key ciphers with equivalent security.},<br />
}<br />
</bibtex><br />
<br />
== eHash Recommendation (optional) or eHash Opinion ==<br />
Something like: SHA-1 is considered to be broken. Please do not incorporate SHA-1 in new applications any longer. Try to migrate to another hash function.</div>Nobbihttps://ehash.iaik.tugraz.at/index.php?title=SHA-1&diff=1564SHA-12006-10-23T13:20:48Z<p>Nobbi: /* Performance Evaluation / Implementation (HW and SW) */</p>
<hr />
<div>== General ==<br />
<br />
* digest size: 160 bits<br />
* max. message length: < 2<sup>64</sup> bits<br />
* type: iterative hash function<br />
* compression function: 512-bit message block, 160-bit chaining variable<br />
* [http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf Specification: FIPS 180-2 Secure Hash Standard]<br />
<br />
== Cryptanalysis ==<br />
<br />
=== Best Known Results ===<br />
<br />
The best collision attack on full SHA-1 was published by Wang et al. It has a complexity of 2<sup>69</sup> hash evaluations. The best collision example, a 64-step collision for SHA-1, was published by De Cannière and Rechberger.<br />
----<br />
<br />
=== Collision Attacks ===<br />
<br />
<bibtex><br />
@inproceedings{Yin2006Collision-ResistantUsageOf,<br />
author = {Michael Szydlo and Yiqun Lisa Yin},<br />
title = {Collision-Resistant Usage of MD5 and SHA-1 Via Message Preprocessing.},<br />
booktitle = {CT-RSA 2006},<br />
year = {2006},<br />
pages = {99-114},<br />
url = {http://dx.doi.org/10.1007/11605805_7},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3860},<br />
abstract = {A series of recent papers have demonstrated collision attacks on popularly used hash functions, including the widely deployed MD5 and SHA-1 algorithms. To assess this threat, the natural response has been to evaluate the extent to which various protocols actually depend on collision resistance for their security, and potentially schedule an upgrade to a stronger hash function. Other options involve altering the protocol in some way. This work suggests a different option. We present several simple message pre-processing techniques and show how the techniques can be combined with MD5 or SHA-1 so that applications are no longer vulnerable to the known collision attacks. For some applications, this may be a viable alternative to upgrading the hash function.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{Pramstaller2005ExploitingCodingTheory,<br />
author = {Norbert Pramstaller and Christian Rechberger and Vincent Rijmen},<br />
title = {Exploiting Coding Theory for Collision Attacks on SHA-1},<br />
booktitle = {Cryptography and Coding 2005},<br />
year = {2005},<br />
editor = {Nigel P. Smart},<br />
volume = {3796},<br />
series = {LNCS},<br />
pages = {78-95},<br />
publisher = {Springer},<br />
url = {http://dx.doi.org/10.1007/11586821_7},<br />
abstract = {In this article we show that coding theory can be exploited efficiently for the cryptanalysis of hash functions. We will mainly focus on SHA-1. We present different linear codes that are used to find low-weight differences that lead to a collision. We extend existing approaches and include recent results in the cryptanalysis of hash functions. With our approach we are able to find differences with very low weight. Based on the weight of these differences we conjecture the complexity for a collision attack on the full SHA-1.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Pramstaller2005ImpactOfRotations,<br />
author = {Norbert Pramstaller and Christian Rechberger and Vincent Rijmen},<br />
title = {Impact of Rotations in SHA-1 and Related Hash Functions.},<br />
booktitle = {SAC 2005},<br />
year = {2006},<br />
pages = {261-275},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3897},<br />
url = {http://dx.doi.org/10.1007/11693383_18},<br />
abstract = {SHA-1 uses a single set of rotation constants within the compression function. However, most other members of the MD4 family of hash functions use multiple sets of rotation constants: the rotation amounts change with the step being processed. To our knowledge, no design rationales on the choice of rotation constants are given for any of these hash functions. This is the first paper that analyzes rotations in iterated hash functions. We focus on SHA-1-like hash functions and use recent developments in the analysis of these hash functions to evaluate the security implications of using multiple sets of rotation constants in the compression function instead of a single set. Additionally, we give some observations on the set of constants used in SHA-0 and SHA-1.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@MISC{Wang2005NewCollisionSearch,<br />
author = {Xiaoyun Wang and Andrew Yao and Frances Yao},<br />
title = {New Collision Search for SHA-1},<br />
month = {August},<br />
year = {2005},<br />
howpublished = {Presented at rump session of CRYPTO 2005},<br />
note = {Presented at rump session of CRYPTO 2005},<br />
owner = {npramstaller},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@MISC{Wang2005CryptanalysisOfSHA1,<br />
author = {Xiaoyun Wang and Andrew Yao and Frances Yao},<br />
title = {Cryptanalysis of SHA-1},<br />
howpublished = {Presented at the Cryptographic Hash Workshop hosted by NIST},<br />
month = {October},<br />
year = {2005},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{Wang2005FindingCollisionsin,<br />
author = {Xiaoyun Wang and Yiqun Lisa Yin and Hongbo Yu},<br />
title = {Finding Collisions in the Full SHA-1},<br />
booktitle = {Advances in Cryptology - CRYPTO 2005},<br />
year = {2005},<br />
editor = {Victor Shoup},<br />
volume = {3621},<br />
series = {LNCS},<br />
pages = {17--36},<br />
url = {http://dx.doi.org/10.1007/11535218_2},<br />
publisher = {Springer},<br />
abstract = {In this paper, we present new collision search attacks on the hash function SHA-1. We show that collisions of SHA-1 can be found with complexity less than 2<sup>69</sup> hash operations. This is the first attack on the full 80-step SHA-1 with complexity less than the 2<sup>80</sup> theoretical bound.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{Rijmen2005UpdateonSHA-1,<br />
author = {Vincent Rijmen and Elisabeth Oswald},<br />
title = {Update on SHA-1},<br />
booktitle = {CT-RSA 2005},<br />
year = {2005},<br />
editor = {Alfred Menezes},<br />
volume = {3376},<br />
series = {LNCS},<br />
pages = {58--71},<br />
publisher = {Springer},<br />
url = {http://dx.doi.org/10.1007/b105222},<br />
abstract = {We report on the experiments we performed in order to assess the security of SHA-1 against the attack by Chabaud and Joux [5]. We present some ideas for optimizations of the attack and some properties of the message expansion routine. Finally, we show that for a reduced version of SHA-1, with 53 rounds instead of 80, it is possible to find collisions in less than 2<sup>80</sup> operations.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{Biham2005CollisionsofSHA-0,<br />
author = {Eli Biham and Rafi Chen and Antoine hirose and Patrick Carribault and Christophe Lemuet and William Jalby},<br />
title = {Collisions of SHA-0 and Reduced SHA-1},<br />
booktitle = {Advances in Cryptology - EUROCRYPT 2005},<br />
year = {2005},<br />
editor = {Ronald Cramer},<br />
volume = {3494},<br />
series = {LNCS},<br />
pages = {36--57},<br />
publisher = {Springer},<br />
url = {http://dx.doi.org/10.1007/11426639_3},<br />
abstract = {In this paper we describe improvements to the techniques used to cryptanalyze SHA-0 and introduce the first results on SHA-1. The results include a generic multi-block technique that uses near-collisions in order to find collisions, and a four-block collision of SHA-0 found using this technique with complexity 2<sup>51</sup>. Then, extensions of this and prior techniques are presented that allow us to find collisions of reduced versions of SHA-1. We give collisions of variants with up to 40 rounds, and show the complexities of longer variants. These techniques show that collisions up to about 53-58 rounds can still be found faster than by birthday attacks.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Satoh2005HardwareArchitectureAnd,<br />
author = {Akashi Satoh},<br />
title = {Hardware Architecture and Cost Estimates for Breaking SHA-1.},<br />
booktitle = {ISC 2005},<br />
year = {2005},<br />
pages = {259-273},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3650},<br />
url = {http://dx.doi.org/10.1007/11556992_19},<br />
abstract = {The cryptanalysis of hash functions has advanced rapidly, and many hash functions have been broken one after another. The most popular hash function SHA-1 has not been broken yet, but the new collision search techniques proposed by Wang et al. reduced the computational complexity down to 2<sup>69</sup>, which is only 1/2,000 of the 2<sup>80</sup> operations needed for a birthday attack. The complexity is still too large even for today’s supercomputers, but no feasibility study of breaking SHA-1 using specialized hardware has been reported. The well known brute force attack on DES simply repeats the DES operation 2<sup>56</sup> times at a maximum, but the complexity of 2<sup>69</sup> hash operations to break SHA-1 does not mean 2<sup>69</sup> SHA-1 operations. Complex procedures using SHA-1 functions are required, and the total number of operations based on the probability of a collision occurrence is almost equivalent to the 2<sup>69</sup> SHA-1 operations. Therefore, we describe a procedure and propose an LSI architecture to find real collisions for SHA-1 in this paper. The hardware core was synthesized by using a 0.13-µm CMOS standard cell library, and its performances in speed, size, and power consumption were evaluated. A $10 million budget can build a custom hardware system that would consist of 303 personal computers with 16 circuit boards each, in which 32 SHA-1-breaking LSIs are mounted. Each LSI has 64 SHA-1 cores that can run in parallel. This system would find a real collision in 127 days.}<br />
}<br />
</bibtex><br />
<br />
----<br />
<br />
=== Second Preimage Attacks ===<br />
<br />
<bibtex><br />
@inproceedings{Kelsey2005SecondPreimageOn,<br />
author = {John Kelsey and Bruce Schneier},<br />
title = {Second Preimages on n-Bit Hash Functions for Much Less than 2<sup>n</sup> Work.},<br />
booktitle = {EUROCRYPT},<br />
year = {2005},<br />
pages = {474-490},<br />
url = {http://dx.doi.org/10.1007/11426639_28},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3494},<br />
abstract = {We expand a previous result of Dean [Dea99] to provide a second preimage attack on all n-bit iterated hash functions with Damgård-Merkle strengthening and n-bit intermediate states, allowing a second preimage to be found for a 2<sup>k</sup>-message-block message with about k × 2<sup>n/2+1</sup> + 2<sup>n - k + 1</sup> work. Using RIPEMD-160 as an example, our attack can find a second preimage for a 2<sup>60</sup> byte message in about 2<sup>106</sup> work, rather than the previously expected 2<sup>160</sup> work. We also provide slightly cheaper ways to find multicollisions than the method of Joux [Jou04]. Both of these results are based on expandable messages: patterns for producing messages of varying length, which all collide on the intermediate hash result immediately after processing the message. We provide an algorithm for finding expandable messages for any n-bit hash function built using the Damgård-Merkle construction, which requires only a small multiple of the work done to find a single collision in the hash function.},<br />
}<br />
</bibtex><br />
<br />
'''Note:''' This article shows that second preimages can be found in much less than 2<sup>n</sup> work. The approach works for all iterated hash functions. Nevertheless, the attack is not practical, since an impractical amount of data is required.<br />
----<br />
<br />
=== Preimage Attacks ===<br />
* We are not aware of any articles w.r.t. preimage attacks on SHA-1.<br />
----<br />
<br />
=== Others ===<br />
<br />
<bibtex><br />
@inproceedings{Saarinen2003CryptanalysisOfBlock,<br />
author = {Markku-Juhani Olavi Saarinen},<br />
title = {Cryptanalysis of Block Ciphers Based on SHA-1 and MD5.},<br />
booktitle = {FSE 2003},<br />
year = {2003},<br />
pages = {36-44},<br />
url = {http://springerlink.metapress.com/content/xu0qg98tg38gl7nf/?p=2664f1c23d3f433f9d3fd6a9a1350eda&pi=3},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {2887},<br />
abstract = {We cryptanalyse some block cipher proposals that are based on dedicated hash functions SHA-1 and MD5. We discuss a related-key attack against SHACAL-1 and present a method for finding “slid pairs” for it. We also present simple attacks against MDC-MD5 and the Kaliski-Robshaw block cipher.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Handschuh2001AnalysisOfSHA-1,<br />
author = {Helena Handschuh and Lars R. Knudsen and Matthew J. B. Robshaw},<br />
title = {Analysis of SHA-1 in Encryption Mode.},<br />
booktitle = {CT-RSA 2001},<br />
year = {2001},<br />
pages = {70-83},<br />
url = {http://link.springer.de/link/service/series/0558/bibs/2020/20200070.htm},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {2020},<br />
abstract = {This paper analyses the cryptographic hash function SHA-1 in encryption mode. A detailed analysis is given of the resistance of SHA-1 against the most powerful known attacks today. It is concluded that none of these attacks can be applied successfully in practice to SHA-1. Breaking SHA-1 in encryption mode requires either an unrealistic amount of computation time and known/chosen texts, or a major breakthrough in cryptanalysis. The original motivation for this analysis is to investigate a block cipher named SHACAL based on these principles. SHACAL has been submitted to the NESSIE call for cryptographic primitives.},<br />
}<br />
</bibtex><br />
----<br />
<br />
== Performance Evaluation / Implementation (HW and SW) ==<br />
<br />
<bibtex><br />
@inproceedings{Lee2006,<br />
author = {Yong Ki Lee and Herwin Chan and Ingrid Verbauwhede},<br />
title = {Throughput Optimized SHA-1 Architecture Using Unfolding Transformation.},<br />
booktitle = {ASAP 2006},<br />
year = {2006},<br />
pages = {354-359},<br />
url = {http://doi.ieeecomputersociety.org/10.1109/ASAP.2006.68},<br />
publisher = {IEEE Computer Society},<br />
abstract = {In this paper, we analyze the theoretical delay bound of the SHA-1 algorithm and propose architectures to achieve high throughput hardware implementations which approach this bound. According to the results of FPGA implementations, 3,541 Mbps with a pipeline and 893 Mbps without a pipeline were achieved. Moreover, synthesis results using 0.18 µm CMOS technology showed that 10.4 Gbps with a pipeline and 3.1 Gbps without a pipeline can be achieved. These results are much faster than previously published results. The high throughputs are due to the unfolding transformation, which reduces the number of required cycles for one block hash. We reduced the required number of cycles to 12 cycles for a 512 bit block and showed that 12 cycles is optimal in our design.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Chaves2006,<br />
author = {Ricardo Chaves and Georgi Kuzmanov and Leonel Sousa and Stamatis Vassiliadis},<br />
title = {Rescheduling for Optimized SHA-1 Calculation.},<br />
booktitle = {SAMOS 2006},<br />
year = {2006},<br />
pages = {425-434},<br />
url = {http://dx.doi.org/10.1007/11796435_43},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {4017},<br />
abstract = {This paper proposes the rescheduling of the SHA-1 hash function operations on hardware implementations. The proposal is mapped on the Xilinx Virtex II Pro technology. The proposed rescheduling allows for a manipulation of the critical path in the SHA-1 function computation, facilitating the implementation of a more parallelized structure without an increase on the required hardware resources. Two cores have been developed, one that uses a constant initialization vector and a second one that allows for different Initialization Vectors (IV), in order to be used in HMAC and in the processing of fragmented messages. A hybrid software/hardware implementation is also proposed. Experimental results indicate a throughput of 1.4 Gbits/s requiring only 533 slices for a constant IV and 596 for an imputable IV. Comparisons to SHA-1 related art suggest improvements of the throughput/slice metric of 29% against the most recent commercial cores and 59% to the current academia proposals.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Michail2005OptimizingSHA-1Hash,<br />
author = {H. E. Michail and A. P. Kakarountas and George N. Selimis and Costas E. Goutis},<br />
title = {Optimizing SHA-1 Hash Function for High Throughput with a Partial Unrolling Study.},<br />
booktitle = {PATMOS 2005},<br />
year = {2005},<br />
pages = {591-600},<br />
url = {http://dx.doi.org/10.1007/11556930_60},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3728},<br />
abstract = {Hash functions are widely used in applications that call for data integrity and signature authentication at electronic transactions. A hash function is utilized in the security layer of every communication protocol. As time passes more sophisticated applications arise that address more users-clients and thus demand higher throughput. Furthermore, due to the tendency of the market to minimize devices’ size and increase their autonomy to make them portable, power issues have also to be considered. The existing SHA-1 Hash Function implementations (SHA-1 is common in many protocols e.g. IPSec) limit throughput to a maximum of 2 Gbps. In this paper, a new implementation comes to exceed this limit improving the throughput by 53%. Furthermore, power dissipation is kept low compared to previous works, in such a way that the proposed implementation can be characterized as low-power.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Toma2005FormalVerificationOf,<br />
author = {Diana Toma and Dominique Borrione},<br />
title = {Formal Verification of a SHA-1 Circuit Core Using ACL2.},<br />
booktitle = {TPHOLs 2005},<br />
year = {2005},<br />
pages = {326-341},<br />
url = {http://dx.doi.org/10.1007/11541868_21},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3603},<br />
abstract = {Our study was part of a project aiming at the design and verification of a circuit for secure communications between a computer and a terminal smart card reader. A SHA-1 component is included in the circuit. SHA-1 is a cryptographic primitive that produces, for any message, a 160 bit message digest. We formalize the standard specification in ACL2, then automatically produce the ACL2 model for the VHDL RTL design; finally, we prove the implementation compliant with the specification. We apply a stepwise approach that proves theorems about each computation step of the RTL design, using intermediate digest functions.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Jarvinen2005ACompactMD5,<br />
author = {Kimmo U. J{\"a}rvinen and Matti Tommiska and Jorma Skytt{\"a}},<br />
title = {A Compact MD5 and SHA-1 Co-Implementation Utilizing Algorithm Similarities.},<br />
booktitle = {ERSA},<br />
year = {2005},<br />
pages = {48-54},<br />
publisher = {CSREA Press},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Lien2004A1Gbit/s,<br />
author = {Roar Lien and Tim Grembowski and Kris Gaj},<br />
title = {A 1 Gbit/s Partially Unrolled Architecture of Hash Functions SHA-1 and SHA-512.},<br />
booktitle = {CT-RSA},<br />
year = {2004},<br />
pages = {324-338},<br />
url = {http://dx.doi.org/10.1007/b95630},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {2964},<br />
abstract = {Hash functions are among the most widespread cryptographic primitives, and are currently used in multiple cryptographic schemes and security protocols, such as IPSec and SSL. In this paper, we investigate a new hardware architecture for a family of dedicated hash functions, including American standards SHA-1 and SHA-512. Our architecture is based on unrolling several message digest steps and executing them in one clock cycle. This modification permits implementing majority of dedicated hash functions with the throughput exceeding 1 Gbit/s using medium-size Xilinx Virtex FPGAs. In particular, our new architecture has enabled us to speed up the implementation of SHA-1 compared to the basic iterative architecture from 544 Mbit/s to 1 Gbit/s using Xilinx XCV1000. The implementation of SHA-512 has been sped up from 717 to 929 Mbit/s for Virtex FPGAs, and exceeded 1 Gbit/s for Virtex-E Xilinx FPGAs.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Wang2004AnHMACProcessor,<br />
author = {Mao-Yin Wang and Chih-Pin Su and Chih-Tsun Huang and Cheng-Wen Wu},<br />
title = {An HMAC processor with integrated SHA-1 and MD5 algorithms.},<br />
booktitle = {ASP-DAC},<br />
year = {2004},<br />
pages = {456-458},<br />
url = {http://doi.acm.org/10.1145/1015090.1015204},<br />
publisher = {IEEE},<br />
abstract = {Cryptographic algorithms are prevalent and important in digital communications and storage, e.g., both SHA-1 and MD5 algorithms are widely used hash functions in IPSec and SSL for checking the data integrity. In this paper, we propose a hardware architecture for the standard HMAC function that supports both. Our HMAC design automatically generates the padding words and reuses the key for consecutive HMAC jobs that use the same key. We have also implemented the HMAC design in silicon. Compared with existing designs, our HMAC processor has lower hardware cost---12.5% by sharing of the SHA-1 and MD5 circuitry and a little performance penalty.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Grembowski2002ComparativeAnalysisOf,<br />
author = {Tim Grembowski and Roar Lien and Kris Gaj and Nghi Nguyen and Peter Bellows and Jaroslav Flidr and Tom Lehman and Brian Schott},<br />
title = {Comparative Analysis of the Hardware Implementations of Hash Functions SHA-1 and SHA-512.},<br />
booktitle = {ISC},<br />
year = {2002},<br />
pages = {75-89},<br />
url = {http://link.springer.de/link/service/series/0558/bibs/2433/24330075.htm},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {2433},<br />
abstract = {Hash functions are among the most widespread cryptographic primitives, and are currently used in multiple cryptographic schemes and security protocols such as IPSec and SSL. In this paper, we compare and contrast hardware implementations of the newly proposed draft hash standard SHA-512, and the old standard, SHA-1. In our implementation based on Xilinx Virtex FPGAs, the throughput of SHA-512 is equal to 670 Mbit/s, compared to 530 Mbit/s for SHA-1. Our analysis shows that the newly proposed hash standard is not only orders of magnitude more secure, but also significantly faster than the old standard. The basic iterative architectures of both hash functions are faster than the basic iterative architectures of symmetric-key ciphers with equivalent security.},<br />
}<br />
</bibtex><br />
<br />
== eHash Recommendation (optional) or eHash Opinion ==<br />
Something like: SHA-1 is considered to be broken. Please do not incorporate SHA-1 in new applications any longer. Try to migrate to another hash function.</div>Nobbihttps://ehash.iaik.tugraz.at/index.php?title=SHA-1&diff=1563SHA-12006-10-23T13:12:24Z<p>Nobbi: /* Performance Evaluation / Implementation (HW and SW) */</p>
<hr />
<div>== General ==<br />
<br />
* digest size: 160 bits<br />
* max. message length: < 2<sup>64</sup> bits<br />
* type: iterative hash function<br />
* compression function: 512-bit message block, 160-bit chaining variable<br />
* [http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf Specification: FIPS 180-2 Secure Hash Standard]<br />
<br />
== Cryptanalysis ==<br />
<br />
=== Best Known Results ===<br />
<br />
The best collision attack on full SHA-1 was published by Wang et al. It has a complexity of 2<sup>69</sup> hash evaluations. The best collision example, a 64-step collision for SHA-1, was published by De Cannière and Rechberger.<br />
----<br />
<br />
=== Collision Attacks ===<br />
<br />
<bibtex><br />
@inproceedings{Yin2006Collision-ResistantUsageOf,<br />
author = {Michael Szydlo and Yiqun Lisa Yin},<br />
title = {Collision-Resistant Usage of MD5 and SHA-1 Via Message Preprocessing.},<br />
booktitle = {CT-RSA 2006},<br />
year = {2006},<br />
pages = {99-114},<br />
url = {http://dx.doi.org/10.1007/11605805_7},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3860},<br />
abstract = {A series of recent papers have demonstrated collision attacks on popularly used hash functions, including the widely deployed MD5 and SHA-1 algorithms. To assess this threat, the natural response has been to evaluate the extent to which various protocols actually depend on collision resistance for their security, and potentially schedule an upgrade to a stronger hash function. Other options involve altering the protocol in some way. This work suggests a different option. We present several simple message pre-processing techniques and show how the techniques can be combined with MD5 or SHA-1 so that applications are no longer vulnerable to the known collision attacks. For some applications, this may be a viable alternative to upgrading the hash function.}<br />
}<br />
</bibtex><br />
<br />
== Performance Evaluation / Implementation (HW and SW) ==<br />
<br />
<bibtex><br />
@inproceedings{Lee2006,<br />
author = {Yong Ki Lee and Herwin Chan and Ingrid Verbauwhede},<br />
title = {Throughput Optimized SHA-1 Architecture Using Unfolding Transformation.},<br />
booktitle = {ASAP 2006},<br />
year = {2006},<br />
pages = {354-359},<br />
url = {http://doi.ieeecomputersociety.org/10.1109/ASAP.2006.68},<br />
publisher = {IEEE Computer Society},<br />
abstract = {In this paper, we analyze the theoretical delay bound of the SHA-1 algorithm and propose architectures to achieve high throughput hardware implementations which approach this bound. According to the results of FPGA implementations, 3,541 Mbps with a pipeline and 893 Mbps without a pipeline were achieved. Moreover, synthesis results using 0.18 µm CMOS technology showed that 10.4 Gbps with a pipeline and 3.1 Gbps without a pipeline can be achieved. These results are much faster than previously published results. The high throughputs are due to the unfolding transformation, which reduces the number of required cycles for one block hash. We reduced the required number of cycles to 12 cycles for a 512 bit block and showed that 12 cycles is the optimal in our design.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Chaves2006,<br />
author = {Ricardo Chaves and Georgi Kuzmanov and Leonel Sousa and Stamatis Vassiliadis},<br />
title = {Rescheduling for Optimized SHA-1 Calculation.},<br />
booktitle = {SAMOS 2006},<br />
year = {2006},<br />
pages = {425-434},<br />
url = {http://dx.doi.org/10.1007/11796435_43},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {4017},<br />
abstract = {This paper proposes the rescheduling of the SHA-1 hash function operations on hardware implementations. The proposal is mapped on the Xilinx Virtex II Pro technology. The proposed rescheduling allows for a manipulation of the critical path in the SHA-1 function computation, facilitating the implementation of a more parallelized structure without an increase on the required hardware resources. Two cores have been developed, one that uses a constant initialization vector and a second one that allows for different Initialization Vectors (IV), in order to be used in HMAC and in the processing of fragmented messages. A hybrid software/hardware implementation is also proposed. Experimental results indicate a throughput of 1.4 Gbits/s requiring only 533 slices for a constant IV and 596 for an imputable IV. Comparisons to SHA-1 related art suggest improvements of the throughput/slice metric of 29% against the most recent commercial cores and 59% to the current academia proposals.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Michail2005OptimizingSHA-1Hash,<br />
author = {H. E. Michail and A. P. Kakarountas and George N. Selimis and Costas E. Goutis},<br />
title = {Optimizing SHA-1 Hash Function for High Throughput with a Partial Unrolling Study.},<br />
booktitle = {PATMOS 2005},<br />
year = {2005},<br />
pages = {591-600},<br />
url = {http://dx.doi.org/10.1007/11556930_60},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3728},<br />
abstract = {Hash functions are widely used in applications that call for data integrity and signature authentication at electronic transactions. A hash function is utilized in the security layer of every communication protocol. As time passes more sophisticated applications arise that address to more users-clients and thus demand for higher throughput. Furthermore, due to the tendency of the market to minimize devices’ size and increase their autonomy to make them portable, power issues have also to be considered. The existing SHA-1 Hash Function implementations (SHA-1 is common in many protocols e.g. IPSec) limit throughput to a maximum of 2 Gbps. In this paper, a new implementation comes to exceed this limit improving the throughput by 53%. Furthermore, power dissipation is kept low compared to previous works, in such way that the proposed implementation can be characterized as low-power.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Toma2005FormalVerificationOf,<br />
author = {Diana Toma and Dominique Borrione},<br />
title = {Formal Verification of a SHA-1 Circuit Core Using ACL2.},<br />
booktitle = {TPHOLs 2005},<br />
year = {2005},<br />
pages = {326-341},<br />
url = {http://dx.doi.org/10.1007/11541868_21},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3603},<br />
abstract = {Our study was part of a project aiming at the design and verification of a circuit for secure communications between a computer and a terminal smart card reader. A SHA-1 component is included in the circuit. SHA-1 is a cryptographic primitive that produces, for any message, a 160 bit message digest. We formalize the standard specification in ACL2, then automatically produce the ACL2 model for the VHDL RTL design; finally, we prove the implementation compliant with the specification. We apply a stepwise approach that proves theorems about each computation step of the RTL design, using intermediate digest functions.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Jarvinen2005ACompactMD5,<br />
author = {Kimmo U. J{\"a}rvinen and Matti Tommiska and Jorma Skytt{\"a}},<br />
title = {A Compact MD5 and SHA-1 Co-Implementation Utilizing Algorithm Similarities.},<br />
booktitle = {ERSA},<br />
year = {2005},<br />
pages = {48-54},<br />
publisher = {CSREA Press},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Lien2004A1Gbit/s,<br />
author = {Roar Lien and Tim Grembowski and Kris Gaj},<br />
title = {A 1 Gbit/s Partially Unrolled Architecture of Hash Functions SHA-1 and SHA-512.},<br />
booktitle = {CT-RSA},<br />
year = {2004},<br />
pages = {324-338},<br />
url = {http://dx.doi.org/10.1007/b95630},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {2964},<br />
abstract = {Hash functions are among the most widespread cryptographic primitives, and are currently used in multiple cryptographic schemes and security protocols, such as IPSec and SSL. In this paper, we investigate a new hardware architecture for a family of dedicated hash functions, including American standards SHA-1 and SHA-512. Our architecture is based on unrolling several message digest steps and executing them in one clock cycle. This modification permits implementing the majority of dedicated hash functions with the throughput exceeding 1 Gbit/s using medium-size Xilinx Virtex FPGAs. In particular, our new architecture has enabled us to speed up the implementation of SHA-1 compared to the basic iterative architecture from 544 Mbit/s to 1 Gbit/s using Xilinx XCV1000. The implementation of SHA-512 has been sped up from 717 to 929 Mbit/s for Virtex FPGAs, and exceeded 1 Gbit/s for Virtex-E Xilinx FPGAs.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Wang2004AnHMACProcessor,<br />
author = {Mao-Yin Wang and Chih-Pin Su and Chih-Tsun Huang and Cheng-Wen Wu},<br />
title = {An HMAC processor with integrated SHA-1 and MD5 algorithms.},<br />
booktitle = {ASP-DAC},<br />
year = {2004},<br />
pages = {456-458},<br />
url = {http://doi.acm.org/10.1145/1015090.1015204},<br />
publisher = {IEEE},<br />
abstract = {Cryptographic algorithms are prevalent and important in digital communications and storage, e.g., both SHA-1 and MD5 algorithms are widely used hash functions in IPSec and SSL for checking the data integrity. In this paper, we propose a hardware architecture for the standard HMAC function that supports both. Our HMAC design automatically generates the padding words and reuses the key for consecutive HMAC jobs that use the same key. We have also implemented the HMAC design in silicon. Compared with existing designs, our HMAC processor has lower hardware cost (12.5%, by sharing the SHA-1 and MD5 circuitry) and a small performance penalty.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Grembowski2002ComparativeAnalysisOf,<br />
author = {Tim Grembowski and Roar Lien and Kris Gaj and Nghi Nguyen and Peter Bellows and Jaroslav Flidr and Tom Lehman and Brian Schott},<br />
title = {Comparative Analysis of the Hardware Implementations of Hash Functions SHA-1 and SHA-512.},<br />
booktitle = {ISC},<br />
year = {2002},<br />
pages = {75-89},<br />
url = {http://link.springer.de/link/service/series/0558/bibs/2433/24330075.htm},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {2433},<br />
abstract = {Hash functions are among the most widespread cryptographic primitives, and are currently used in multiple cryptographic schemes and security protocols such as IPSec and SSL. In this paper, we compare and contrast hardware implementations of the newly proposed draft hash standard SHA-512, and the old standard, SHA-1. In our implementation based on Xilinx Virtex FPGAs, the throughput of SHA-512 is equal to 670 Mbit/s, compared to 530 Mbit/s for SHA-1. Our analysis shows that the newly proposed hash standard is not only orders of magnitude more secure, but also significantly faster than the old standard. The basic iterative architectures of both hash functions are faster than the basic iterative architectures of symmetric-key ciphers with equivalent security.},<br />
}<br />
</bibtex><br />
<br />
== eHash Recommendation (optional) or eHash Opinion ==<br />
Something like: SHA-1 is considered to be broken. Please do not incorporate SHA-1 in new applications any longer. Try to migrate to another hash function.</div>Nobbihttps://ehash.iaik.tugraz.at/index.php?title=SHA-1&diff=1562SHA-12006-10-23T12:50:16Z<p>Nobbi: /* Preimage Attacks */</p>
<hr />
<div>== General ==<br />
<br />
* digest size: 160 bits<br />
* max. message length: < 2<sup>64</sup> bits<br />
* type: iterative hash function<br />
* compression function: 512-bit message block, 160-bit chaining variable<br />
* [http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf Specification: FIPS 180-2 Secure Hash Standard]<br />
<br />
== Cryptanalysis ==<br />
<br />
=== Best Known Results ===<br />
<br />
The best collision attack on the full SHA-1 was published by Wang et al. and has a complexity of 2<sup>69</sup> hash evaluations. The best collision example, a 64-step collision for SHA-1, was published by De Cannière and Rechberger.<br />
----<br />
<br />
=== Collision Attacks ===<br />
<br />
<bibtex><br />
@inproceedings{Yin2006Collision-ResistantUsageOf,<br />
author = {Michael Szydlo and Yiqun Lisa Yin},<br />
title = {Collision-Resistant Usage of MD5 and SHA-1 Via Message Preprocessing.},<br />
booktitle = {CT-RSA 2006},<br />
year = {2006},<br />
pages = {99-114},<br />
url = {http://dx.doi.org/10.1007/11605805_7},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3860},<br />
abstract = {A series of recent papers have demonstrated collision attacks on popularly used hash functions, including the widely deployed MD5 and SHA-1 algorithms. To assess this threat, the natural response has been to evaluate the extent to which various protocols actually depend on collision resistance for their security, and potentially schedule an upgrade to a stronger hash function. Other options involve altering the protocol in some way. This work suggests a different option. We present several simple message pre-processing techniques and show how the techniques can be combined with MD5 or SHA-1 so that applications are no longer vulnerable to the known collision attacks. For some applications, this may be a viable alternative to upgrading the hash function.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{Pramstaller2005ExploitingCodingTheory,<br />
author = {Norbert Pramstaller and Christian Rechberger and Vincent Rijmen},<br />
title = {Exploiting Coding Theory for Collision Attacks on SHA-1},<br />
booktitle = {Cryptography and Coding 2005},<br />
year = {2005},<br />
editor = {Nigel P. Smart},<br />
volume = {3796},<br />
series = {LNCS},<br />
pages = {78-95},<br />
publisher = {Springer},<br />
url = {http://dx.doi.org/10.1007/11586821_7},<br />
abstract = {In this article we show that coding theory can be exploited efficiently for the cryptanalysis of hash functions. We will mainly focus on SHA-1. We present different linear codes that are used to find low-weight differences that lead to a collision. We extend existing approaches and include recent results in the cryptanalysis of hash functions. With our approach we are able to find differences with very low weight. Based on the weight of these differences we conjecture the complexity for a collision attack on the full SHA-1.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Pramstaller2005ImpactOfRotations,<br />
author = {Norbert Pramstaller and Christian Rechberger and Vincent Rijmen},<br />
title = {Impact of Rotations in SHA-1 and Related Hash Functions.},<br />
booktitle = {SAC 2005},<br />
year = {2006},<br />
pages = {261-275},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3897},<br />
url = {http://dx.doi.org/10.1007/11693383_18},<br />
abstract = {SHA-1 uses a single set of rotation constants within the compression function. However, most other members of the MD4 family of hash functions use multiple sets of rotation constants: the rotation amounts change with the step being processed. To our knowledge, no design rationales on the choice of rotation constants are given on any of these hash functions. This is the first paper that analyzes rotations in iterated hash functions. We focus on SHA-1-like hash functions and use recent developments in the analysis of these hash functions to evaluate the security implications of using multiple sets of rotation constants in the compression function instead of a single set. Additionally, we give some observations on the set of constants used in SHA-0 and SHA-1.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@MISC{Wang2005NewCollisionSearch,<br />
author = {Xiaoyun Wang and Andrew Yao and Frances Yao},<br />
title = {New Collision Search for SHA-1},<br />
month = {August},<br />
year = {2005},<br />
howpublished = {Presented at rump session of CRYPTO 2005},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@MISC{Wang2005CryptanalysisOfSHA1,<br />
author = {Xiaoyun Wang and Andrew Yao and Frances Yao},<br />
title = {Cryptanalysis of SHA-1},<br />
howpublished = {Presented at the Cryptographic Hash Workshop hosted by NIST},<br />
month = {October},<br />
year = {2005},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{Wang2005FindingCollisionsin,<br />
author = {Xiaoyun Wang and Yiqun Lisa Yin and Hongbo Yu},<br />
title = {Finding Collisions in the Full SHA-1},<br />
booktitle = {Advances in Cryptology - CRYPTO 2005},<br />
year = {2005},<br />
editor = {Victor Shoup},<br />
volume = {3621},<br />
series = {LNCS},<br />
pages = {17--36},<br />
url = {http://dx.doi.org/10.1007/11535218_2},<br />
publisher = {Springer},<br />
abstract = {In this paper, we present new collision search attacks on the hash function SHA-1. We show that collisions of SHA-1 can be found with complexity less than 2<sup>69</sup> hash operations. This is the first attack on the full 80-step SHA-1 with complexity less than the 2<sup>80</sup> theoretical bound.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{Rijmen2005UpdateonSHA-1,<br />
author = {Vincent Rijmen and Elisabeth Oswald},<br />
title = {Update on SHA-1},<br />
booktitle = {CT-RSA 2005},<br />
year = {2005},<br />
editor = {Alfred Menezes},<br />
volume = {3376},<br />
series = {LNCS},<br />
pages = {58--71},<br />
publisher = {Springer},<br />
url = {http://dx.doi.org/10.1007/b105222},<br />
abstract = {We report on the experiments we performed in order to assess the security of SHA-1 against the attack by Chabaud and Joux [5]. We present some ideas for optimizations of the attack and some properties of the message expansion routine. Finally, we show that for a reduced version of SHA-1, with 53 rounds instead of 80, it is possible to find collisions in less than 2<sup>80</sup> operations.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{Biham2005CollisionsofSHA-0,<br />
author = {Eli Biham and Rafi Chen and Antoine Joux and Patrick Carribault and Christophe Lemuet and William Jalby},<br />
title = {Collisions of SHA-0 and Reduced SHA-1},<br />
booktitle = {Advances in Cryptology - EUROCRYPT 2005},<br />
year = {2005},<br />
editor = {Ronald Cramer},<br />
volume = {3494},<br />
series = {LNCS},<br />
pages = {36--57},<br />
publisher = {Springer},<br />
url = {http://dx.doi.org/10.1007/11426639_3},<br />
abstract = {In this paper we describe improvements to the techniques used to cryptanalyze SHA-0 and introduce the first results on SHA-1. The results include a generic multi-block technique that uses near-collisions in order to find collisions, and a four-block collision of SHA-0 found using this technique with complexity 2<sup>51</sup>. Then, extensions of this and prior techniques are presented that allow us to find collisions of reduced versions of SHA-1. We give collisions of variants with up to 40 rounds, and show the complexities of longer variants. These techniques show that collisions up to about 53-58 rounds can still be found faster than by birthday attacks.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Satoh2005HardwareArchitectureAnd,<br />
author = {Akashi Satoh},<br />
title = {Hardware Architecture and Cost Estimates for Breaking SHA-1.},<br />
booktitle = {ISC 2005},<br />
year = {2005},<br />
pages = {259-273},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3650},<br />
url = {http://dx.doi.org/10.1007/11556992_19},<br />
abstract = {The cryptanalysis of hash functions has advanced rapidly, and many hash functions have been broken one after another. The most popular hash function SHA-1 has not been broken yet, but the new collision search techniques proposed by Wang et al. reduced the computational complexity down to 2<sup>69</sup>, which is only 1/2,000 of the 2<sup>80</sup> operations needed for a birthday attack. The complexity is still too large even for today’s supercomputers, but no feasibility study of breaking SHA-1 using specialized hardware has been reported. The well known brute force attack on DES simply repeats the DES operation 2<sup>56</sup> times at a maximum, but the complexity of 2<sup>69</sup> hash operations to break SHA-1 does not mean 2<sup>69</sup> SHA-1 operations. Complex procedures using SHA-1 functions are required, and the total number of operations based on the probability of a collision occurrence is almost equivalent to the 2<sup>69</sup> SHA-1 operations. Therefore, we describe a procedure and propose an LSI architecture to find real collisions for SHA-1 in this paper. The hardware core was synthesized by using a 0.13-µm CMOS standard cell library, and its performances in speed, size, and power consumption were evaluated. A $10 million budget can build a custom hardware system that would consist of 303 personal computers with 16 circuit boards each, in which 32 SHA-1-breaking LSIs are mounted. Each LSI has 64 SHA-1 cores that can run in parallel. This system would find a real collision in 127 days.}<br />
}<br />
</bibtex><br />
<br />
----<br />
<br />
=== Second Preimage Attacks ===<br />
<br />
<bibtex><br />
@inproceedings{Kelsey2005SecondPreimageOn,<br />
author = {John Kelsey and Bruce Schneier},<br />
title = {Second Preimages on n-Bit Hash Functions for Much Less than 2<sup>n</sup> Work.},<br />
booktitle = {EUROCRYPT},<br />
year = {2005},<br />
pages = {474-490},<br />
url = {http://dx.doi.org/10.1007/11426639_28},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3494},<br />
abstract = {We expand a previous result of Dean [Dea99] to provide a second preimage attack on all n-bit iterated hash functions with Damgård-Merkle strengthening and n-bit intermediate states, allowing a second preimage to be found for a 2<sup>k</sup>-message-block message with about k × 2<sup>n/2+1</sup> + 2<sup>n - k + 1</sup> work. Using RIPEMD-160 as an example, our attack can find a second preimage for a 2<sup>60</sup> byte message in about 2<sup>106</sup> work, rather than the previously expected 2<sup>160</sup> work. We also provide slightly cheaper ways to find multicollisions than the method of Joux [Jou04]. Both of these results are based on expandable messages: patterns for producing messages of varying length, which all collide on the intermediate hash result immediately after processing the message. We provide an algorithm for finding expandable messages for any n-bit hash function built using the Damgård-Merkle construction, which requires only a small multiple of the work done to find a single collision in the hash function.},<br />
}<br />
</bibtex><br />
<br />
'''Note:''' This article shows that second preimages can be found in much less than 2<sup>n</sup> work. The approach applies to every iterated hash function with Merkle-Damgård strengthening and an n-bit intermediate state, SHA-1 included. Nevertheless, the attack is not practical: the saving comes from the 2<sup>n-k+1</sup> term, so it only pays off for extremely long target messages (2<sup>k</sup> blocks), and an impractical amount of data is required.<br />
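The attack described in the abstract and in the note above, as an added example that is not part of the original page or of the paper: a Python run of the Kelsey-Schneier second-preimage attack against a toy Merkle-Damgård hash with a 16-bit state (an assumption chosen so that the collision searches and the 2<sup>n-k</sup> linking step finish in seconds; SHA-256 truncated to 16 bits stands in for the compression function, and the IV and all function names are this example's own). The same block illustrates the identical note on this paper in the earlier revision of the page above.<br />

```python
import hashlib

# Added example (not from the page or the paper): a toy Merkle-Damgard hash
# with an n = 16-bit chaining value and 16-bit blocks, so the Kelsey-Schneier
# second-preimage attack runs in seconds. SHA-256 truncated to 16 bits stands
# in for the compression function; the IV and all names are this example's own.
N_BYTES = 2                        # chaining value and block size (n = 16 bits)
BLOCK_SPACE = 1 << (8 * N_BYTES)   # 65536 distinct single blocks
IV = 0x1234

def compress(h, block):
    d = hashlib.sha256(h.to_bytes(N_BYTES, "big") + block).digest()
    return int.from_bytes(d[:N_BYTES], "big")

def md_state(msg, iv=IV):
    """Chaining value after absorbing a whole-block message (no length block)."""
    h = iv
    for i in range(0, len(msg), N_BYTES):
        h = compress(h, msg[i:i + N_BYTES])
    return h

def md_hash(msg, iv=IV):
    """MD strengthening: a final block encoding the message length in blocks."""
    assert len(msg) % N_BYTES == 0
    return compress(md_state(msg, iv), (len(msg) // N_BYTES).to_bytes(N_BYTES, "big"))

def blocks():
    for v in range(BLOCK_SPACE):
        yield v.to_bytes(N_BYTES, "big")

def find_collision(h_a, h_b):
    """Single blocks x, y with compress(h_a, x) == compress(h_b, y). The paper
    uses a birthday search of about 2**(n/2+1) work; with n = 16 it is simpler
    to table every x and then try blocks y until one lands in the table."""
    table = {compress(h_a, x): x for x in blocks()}
    for y in blocks():
        t = compress(h_b, y)
        if t in table:
            return table[t], y, t
    raise RuntimeError("no collision found")

def build_expandable(h, k):
    """Kelsey-Schneier expandable message: for i = 0..k-1 find a 1-block and a
    (2**i + 1)-block message that collide from the current chaining value.
    Returns the k (short, long) pairs and the common final chaining value."""
    pairs = []
    for i in range(k):
        filler = b"\x00" * (N_BYTES << i)            # 2**i fixed zero blocks
        x, y, h = find_collision(h, md_state(filler, h))
        pairs.append((x, filler + y))
    return pairs, h

def expand(pairs, nblocks):
    """Instance of the expandable message with exactly nblocks blocks (any value
    from k to k + 2**k - 1); every instance ends in the same chaining value."""
    k = len(pairs)
    assert k <= nblocks <= k + (1 << k) - 1
    extra = nblocks - k
    return b"".join(long_msg if (extra >> i) & 1 else short_msg
                    for i, (short_msg, long_msg) in enumerate(pairs))

def second_preimage(msg, k):
    """Second preimage for a 2**k-block message: expandable prefix, one linking
    block that lands on an intermediate state h_j of msg, then msg's remaining
    blocks; the length block then matches and so does the digest."""
    nblocks = len(msg) // N_BYTES
    assert nblocks == 1 << k
    targets = {}                       # intermediate chaining value -> index j
    h = IV
    for j in range(1, nblocks + 1):
        h = compress(h, msg[(j - 1) * N_BYTES:j * N_BYTES])
        if j >= k + 1:                 # prefix must expand to j-1 >= k blocks
            targets.setdefault(h, j)
    pairs, h_exp = build_expandable(IV, k)
    for link in blocks():              # about 2**(n-k) trials expected
        j = targets.get(compress(h_exp, link))
        if j is not None:
            return expand(pairs, j - 1) + link + msg[j * N_BYTES:]
    raise RuntimeError("no linking block found")

def demo(k=6):
    """Constructed 2**k-block target (128 bytes for k = 6) and its second preimage."""
    msg = bytes(range(2 << k))
    return msg, second_preimage(msg, k)

if __name__ == "__main__":
    m, f = demo()
    print(len(m) == len(f), m != f, md_hash(m) == md_hash(f))   # True True True
```

The steps are exactly those of the abstract: k collision searches build the expandable message, one block is then searched that links its end state to any of the 2<sup>k</sup> intermediate states of the target, and the tail of the target is appended so that the length block, and therefore the digest, agree. For SHA-1 (n = 160, 64-byte blocks, the same parameters as RIPEMD-160 in the abstract) the linking term 2<sup>n-k+1</sup> with k around 55 gives the quoted 2<sup>106</sup>, and the collision searches at roughly 2<sup>81</sup> each are negligible beside it; the price is a target message of about 2<sup>60</sup> bytes, which is the data requirement the note refers to.<br />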
----<br />
<br />
=== Preimage Attacks ===<br />
* We are not aware of any articles w.r.t. preimage attacks on SHA-1.<br />
----<br />
<br />
=== Others ===<br />
<br />
<bibtex><br />
@inproceedings{Saarinen2003CryptanalysisOfBlock,<br />
author = {Markku-Juhani Olavi Saarinen},<br />
title = {Cryptanalysis of Block Ciphers Based on SHA-1 and MD5.},<br />
booktitle = {FSE 2003},<br />
year = {2003},<br />
pages = {36-44},<br />
url = {http://springerlink.metapress.com/content/xu0qg98tg38gl7nf/?p=2664f1c23d3f433f9d3fd6a9a1350eda&pi=3},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {2887},<br />
abstract = {We cryptanalyse some block cipher proposals that are based on dedicated hash functions SHA-1 and MD5. We discuss a related-key attack against SHACAL-1 and present a method for finding "slid pairs" for it. We also present simple attacks against MDC-MD5 and the Kaliski-Robshaw block cipher.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Handschuh2001AnalysisOfSHA-1,<br />
author = {Helena Handschuh and Lars R. Knudsen and Matthew J. B. Robshaw},<br />
title = {Analysis of SHA-1 in Encryption Mode.},<br />
booktitle = {CT-RSA 2001},<br />
year = {2001},<br />
pages = {70-83},<br />
url = {http://link.springer.de/link/service/series/0558/bibs/2020/20200070.htm},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {2020},<br />
abstract = {This paper analyses the cryptographic hash function SHA-1 in encryption mode. A detailed analysis is given of the resistance of SHA-1 against the most powerful known attacks today. It is concluded that none of these attacks can be applied successfully in practice to SHA-1. Breaking SHA-1 in encryption mode requires either an unrealistic amount of computation time and known/chosen texts, or a major breakthrough in cryptanalysis. The original motivation for this analysis is to investigate a block cipher named SHACAL based on these principles. SHACAL has been submitted to the NESSIE call for cryptographic primitives.},<br />
}<br />
</bibtex><br />
----<br />
<br />
== Performance Evaluation / Implementation (HW and SW) ==<br />
<br />
<bibtex><br />
@inproceedings{DBLP:conf/asap/LeeCV06,<br />
author = {Yong Ki Lee and Herwin Chan and Ingrid Verbauwhede},<br />
title = {Throughput Optimized SHA-1 Architecture Using Unfolding Transformation.},<br />
booktitle = {ASAP 2006},<br />
year = {2006},<br />
pages = {354-359},<br />
url = {http://doi.ieeecomputersociety.org/10.1109/ASAP.2006.68},<br />
publisher = {IEEE Computer Society},<br />
isbn = {0-7695-2682-9},<br />
abstract = {In this paper, we analyze the theoretical delay bound of the SHA-1 algorithm and propose architectures to achieve high throughput hardware implementations which approach this bound. According to the results of FPGA implementations, 3,541 Mbps with a pipeline and 893 Mbps without a pipeline were achieved. Moreover, synthesis results using 0.18 µm CMOS technology showed that 10.4 Gbps with a pipeline and 3.1 Gbps without a pipeline can be achieved. These results are much faster than previously published results. The high throughputs are due to the unfolding transformation, which reduces the number of required cycles for one block hash. We reduced the required number of cycles to 12 cycles for a 512 bit block and showed that 12 cycles is the optimal in our design.}<br />
}<br />
</bibtex><br />
<br />
== eHash Recommendation (optional) or eHash Opinion ==<br />
Something like: SHA-1 is considered to be broken. Please do not incorporate SHA-1 in new applications any longer. Try to migrate to another hash function.</div>Nobbihttps://ehash.iaik.tugraz.at/index.php?title=SHA-1&diff=1561SHA-12006-10-23T12:43:44Z<p>Nobbi: /* Second Preimage Attacks */</p>
<hr />
<div>== General ==<br />
<br />
* digest size: 160 bits<br />
* max. message length: < 2<sup>64</sup> bits<br />
* type: iterative hash function<br />
* compression function: 512-bit message block, 160-bit chaining variable<br />
* [http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf Specification: FIPS 180-2 Secure Hash Standard]<br />
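The parameters listed above (the same General section appears in the later revision of this page above), as an added reference implementation that is not code from the original page or from NIST: SHA-1 per FIPS 180-2 in Python, with the padding (Merkle-Damgård strengthening with the 64-bit bit length) and the 512-bit-block, 160-bit-state compression function written out and cross-checked against hashlib. Function names are this example's own.<br />

```python
import hashlib
import struct

# Added example (not from the page): SHA-1 per FIPS 180-2, written to expose
# the iterated structure: 512-bit blocks, a 160-bit chaining variable, and
# Merkle-Damgard strengthening (the 64-bit message length in the padding).
MASK32 = 0xFFFFFFFF
IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)  # H0..H4

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32

def sha1_compress(state, block):
    """Compression function: (160-bit state, 512-bit block) -> 160-bit state."""
    assert len(block) == 64
    w = list(struct.unpack(">16I", block))          # message schedule W[0..15]
    for t in range(16, 80):
        w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    a, b, c, d, e = state
    for t in range(80):                               # 80 steps, 4 rounds of 20
        if t < 20:
            f, k = (b & c) | (~b & d), 0x5A827999             # Ch
        elif t < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1                      # Parity
        elif t < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC    # Maj
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6                      # Parity
        tmp = (rotl(a, 5) + f + e + k + w[t]) & MASK32
        a, b, c, d, e = tmp, a, rotl(b, 30), c, d
    # Davies-Meyer feed-forward: add the input state to the step output
    return tuple((s + v) & MASK32 for s, v in zip(state, (a, b, c, d, e)))

def sha1_pad(msg_len):
    """MD strengthening: 0x80, zeros up to 56 mod 64, then the bit length (64-bit BE)."""
    bit_len = msg_len * 8
    assert bit_len < (1 << 64), "SHA-1 message length must be below 2**64 bits"
    return b"\x80" + b"\x00" * ((55 - msg_len) % 64) + struct.pack(">Q", bit_len)

def sha1(msg, iv=IV):
    """Iterate the compression function over the padded message; the digest is
    simply the final chaining variable (no output transformation)."""
    data = msg + sha1_pad(len(msg))
    state = iv
    for i in range(0, len(data), 64):
        state = sha1_compress(state, data[i:i + 64])
    return struct.pack(">5I", *state)

def matches_hashlib(msg):
    """Cross-check this implementation against the platform SHA-1."""
    return sha1(msg) == hashlib.sha1(msg).digest()

if __name__ == "__main__":
    print(sha1(b"abc").hex())   # a9993e364706816aba3e25717850c26c9cd0d89d (FIPS 180-2 example)
    print(all(matches_hashlib(bytes(range(n))) for n in (0, 55, 56, 64, 200)))
```

Note that the digest is the final chaining variable with no output transformation, and that the length is bound to the message only through the padding block; these are the structural properties of the iterated construction that the second-preimage note in the Cryptanalysis section relies on.<br />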
<br />
== Cryptanalysis ==<br />
<br />
=== Best Known Results ===<br />
<br />
The best collision attack on the full SHA-1 was published by Wang et al. and has a complexity of 2<sup>69</sup> hash evaluations. The best collision example, a 64-step collision for SHA-1, was published by De Cannière and Rechberger.<br />
----<br />
<br />
=== Collision Attacks ===<br />
<br />
<bibtex><br />
@inproceedings{Yin2006Collision-ResistantUsageOf,<br />
author = {Michael Szydlo and Yiqun Lisa Yin},<br />
title = {Collision-Resistant Usage of MD5 and SHA-1 Via Message Preprocessing.},<br />
booktitle = {CT-RSA 2006},<br />
year = {2006},<br />
pages = {99-114},<br />
url = {http://dx.doi.org/10.1007/11605805_7},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3860},<br />
abstract = {A series of recent papers have demonstrated collision attacks on popularly used hash functions, including the widely deployed MD5 and SHA-1 algorithms. To assess this threat, the natural response has been to evaluate the extent to which various protocols actually depend on collision resistance for their security, and potentially schedule an upgrade to a stronger hash function. Other options involve altering the protocol in some way. This work suggests a different option. We present several simple message pre-processing techniques and show how the techniques can be combined with MD5 or SHA-1 so that applications are no longer vulnerable to the known collision attacks. For some applications, this may be a viable alternative to upgrading the hash function.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{Pramstaller2005ExploitingCodingTheory,<br />
author = {Norbert Pramstaller and Christian Rechberger and Vincent Rijmen},<br />
title = {Exploiting Coding Theory for Collision Attacks on SHA-1},<br />
booktitle = {Cryptography and Coding 2005},<br />
year = {2005},<br />
editor = {Nigel P. Smart},<br />
volume = {3796},<br />
series = {LNCS},<br />
pages = {78-95},<br />
publisher = {Springer},<br />
url = {http://dx.doi.org/10.1007/11586821_7},<br />
abstract = {In this article we show that coding theory can be exploited efficiently for the cryptanalysis of hash functions. We will mainly focus on SHA-1. We present different linear codes that are used to find low-weight differences that lead to a collision. We extend existing approaches and include recent results in the cryptanalysis of hash functions. With our approach we are able to find differences with very low weight. Based on the weight of these differences we conjecture the complexity for a collision attack on the full SHA-1.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Pramstaller2005ImpactOfRotations,<br />
author = {Norbert Pramstaller and Christian Rechberger and Vincent Rijmen},<br />
title = {Impact of Rotations in SHA-1 and Related Hash Functions.},<br />
booktitle = {SAC 2005},<br />
year = {2006},<br />
pages = {261-275},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3897},<br />
url = {http://dx.doi.org/10.1007/11693383_18},<br />
abstract = {SHA-1 uses a single set of rotation constants within the compression function. However, most other members of the MD4 family of hash functions use multiple sets of rotation constants: the rotation amounts change with the step being processed. To our knowledge, no design rationales on the choice of rotation constants are given on any of these hash functions. This is the first paper that analyzes rotations in iterated hash functions. We focus on SHA-1-like hash functions and use recent developments in the analysis of these hash functions to evaluate the security implications of using multiple sets of rotation constants in the compression function instead of a single set. Additionally, we give some observations on the set of constants used in SHA-0 and SHA-1.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@MISC{Wang2005NewCollisionSearch,<br />
author = {Xiaoyun Wang and Andrew Yao and Frances Yao},<br />
title = {New Collision Search for SHA-1},<br />
month = {August},<br />
year = {2005},<br />
howpublished = {Presented at rump session of CRYPTO 2005},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@MISC{Wang2005CryptanalysisOfSHA1,<br />
author = {Xiaoyun Wang and Andrew Yao and Frances Yao},<br />
title = {Cryptanalysis of SHA-1},<br />
howpublished = {Presented at the Cryptographic Hash Workshop hosted by NIST},<br />
month = {October},<br />
year = {2005},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{Wang2005FindingCollisionsin,<br />
author = {Xiaoyun Wang and Yiqun Lisa Yin and Hongbo Yu},<br />
title = {Finding Collisions in the Full SHA-1},<br />
booktitle = {Advances in Cryptology - CRYPTO 2005},<br />
year = {2005},<br />
editor = {Victor Shoup},<br />
volume = {3621},<br />
series = {LNCS},<br />
pages = {17--36},<br />
url = {http://dx.doi.org/10.1007/11535218_2},<br />
publisher = {Springer},<br />
abstract = {In this paper, we present new collision search attacks on the hash function SHA-1. We show that collisions of SHA-1 can be found with complexity less than 2<sup>69</sup> hash operations. This is the first attack on the full 80-step SHA-1 with complexity less than the 2<sup>80</sup> theoretical bound.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{Rijmen2005UpdateonSHA-1,<br />
author = {Vincent Rijmen and Elisabeth Oswald},<br />
title = {Update on SHA-1},<br />
booktitle = {CT-RSA 2005},<br />
year = {2005},<br />
editor = {Alfred Menezes},<br />
volume = {3376},<br />
series = {LNCS},<br />
pages = {58--71},<br />
publisher = {Springer},<br />
url = {http://dx.doi.org/10.1007/b105222},<br />
abstract = {We report on the experiments we performed in order to assess the security of SHA-1 against the attack by Chabaud and Joux [5]. We present some ideas for optimizations of the attack and some properties of the message expansion routine. Finally, we show that for a reduced version of SHA-1, with 53 rounds instead of 80, it is possible to find collisions in less than 2<sup>80</sup> operations.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{Biham2005CollisionsofSHA-0,<br />
author = {Eli Biham and Rafi Chen and Antoine hirose and Patrick Carribault and Christophe Lemuet and William Jalby},<br />
title = {Collisions of SHA-0 and Reduced SHA-1},<br />
booktitle = {Advances in Cryptology - EUROCRYPT 2005},<br />
year = {2005},<br />
editor = {Ronald Cramer},<br />
volume = {3494},<br />
series = {LNCS},<br />
pages = {36--57},<br />
publisher = {Springer},<br />
url = {http://dx.doi.org/10.1007/11426639_3},<br />
abstract = {In this paper we describe improvements to the techniques used to cryptanalyze SHA-0 and introduce the first results on SHA-1. The results include a generic multi-block technique that uses near-collisions in order to find collisions, and a four-block collision of SHA-0 found using this technique with complexity 2<sup>51</sup>. Then, extensions of this and prior techniques are presented that allow us to find collisions of reduced versions of SHA-1. We give collisions of variants with up to 40 rounds, and show the complexities of longer variants. These techniques show that collisions up to about 53-58 rounds can still be found faster than by birthday attacks.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Satoh2005HardwareArchitectureAnd,<br />
author = {Akashi Satoh},<br />
title = {Hardware Architecture and Cost Estimates for Breaking SHA-1.},<br />
booktitle = {ISC 2005},<br />
year = {2005},<br />
pages = {259-273},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3650},<br />
url = {http://dx.doi.org/10.1007/11556992_19},<br />
abstract = {The cryptanalysis of hash functions has advanced rapidly, and many hash functions have been broken one after another. The most popular hash function SHA-1 has not been broken yet, but the new collision search techniques proposed by Wang et al. reduced the computational complexity down to 2<sup>69</sup>, which is only 1/2,000 of the 2<sup>80</sup> operations needed for a birthday attack. The complexity is still too large even for today’s supercomputers, but no feasibility study of breaking SHA-1 using specialized hardware has been reported. The well known brute force attack on DES simply repeats the DES operation 2<sup>56</sup> times at a maximum, but the complexity of 2<sup>69</sup> hash operations to break SHA-1 does not mean 2<sup>69</sup> SHA-1 operations. Complex procedures using SHA-1 functions are required, and the total number of operations based on the probability of a collision occurrence is almost equivalent to the 2<sup>69</sup> SHA-1 operations. Therefore, we describe a procedure and propose an LSI architecture to find real collisions for SHA-1 in this paper. The hardware core was synthesized by using a 0.13-µm CMOS standard cell library, and its performances in speed, size, and power consumption were evaluated. A $10 million budget can build a custom hardware system that would consist of 303 personal computers with 16 circuit boards each, in which 32 SHA-1-breaking LSIs are mounted. Each LSI has 64 SHA-1 cores that can run in parallel. This system would find a real collision in 127 days.}<br />
}<br />
</bibtex><br />
<br />
----<br />
<br />
=== Second Preimage Attacks ===<br />
<br />
<bibtex><br />
@inproceedings{Kelsey2005SecondPreimageOn,<br />
author = {John Kelsey and Bruce Schneier},<br />
title = {Second Preimages on n-Bit Hash Functions for Much Less than 2<sup>n</sup> Work.},<br />
booktitle = {EUROCRYPT},<br />
year = {2005},<br />
pages = {474-490},<br />
url = {http://dx.doi.org/10.1007/11426639_28},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3494},<br />
abstract = {We expand a previous result of Dean [Dea99] to provide a second preimage attack on all n-bit iterated hash functions with Damgård-Merkle strengthening and n-bit intermediate states, allowing a second preimage to be found for a 2<sup>k</sup>-message-block message with about k × 2<sup>n/2+1</sup> + 2<sup>n - k + 1</sup> work. Using RIPEMD-160 as an example, our attack can find a second preimage for a 2<sup>60</sup> byte message in about 2<sup>106</sup> work, rather than the previously expected 2<sup>160</sup> work. We also provide slightly cheaper ways to find multicollisions than the method of Joux [Jou04]. Both of these results are based on expandable messages: patterns for producing messages of varying length, which all collide on the intermediate hash result immediately after processing the message. We provide an algorithm for finding expandable messages for any n-bit hash function built using the Damgård-Merkle construction, which requires only a small multiple of the work done to find a single collision in the hash function.},<br />
}<br />
</bibtex><br />
<br />
'''Note:''' This article shows that second preimages can be found in much less than 2<sup>n</sup> work. This approach works for all iterated hash functions. Nevertheless, this attack is not practical, since an impractical amount of data is required.<br />
----<br />
<br />
=== Preimage Attacks ===<br />
* We are not aware of any article regarding preimage attacks on SHA-1.<br />
----<br />
<br />
=== Others ===<br />
<br />
<bibtex><br />
@inproceedings{Saarinen2003CryptanalysisOfBlock,<br />
author = {Markku-Juhani Olavi Saarinen},<br />
title = {Cryptanalysis of Block Ciphers Based on SHA-1 and MD5.},<br />
booktitle = {FSE 2003},<br />
year = {2003},<br />
pages = {36-44},<br />
url = {http://springerlink.metapress.com/content/xu0qg98tg38gl7nf/?p=2664f1c23d3f433f9d3fd6a9a1350eda&pi=3},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {2887},<br />
abstract = {We cryptanalyse some block cipher proposals that are based on dedicated hash functions SHA-1 and MD5. We discuss a related-key attack against SHACAL-1 and present a method for finding "slid pairs" for it. We also present simple attacks against MDC-MD5 and the Kaliski-Robshaw block cipher.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Handschuh2001AnalysisOfSHA-1,<br />
author = {Helena Handschuh and Lars R. Knudsen and Matthew J. B. Robshaw},<br />
title = {Analysis of SHA-1 in Encryption Mode.},<br />
booktitle = {CT-RSA 2001},<br />
year = {2001},<br />
pages = {70-83},<br />
url = {http://link.springer.de/link/service/series/0558/bibs/2020/20200070.htm},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {2020},<br />
abstract = {This paper analyses the cryptographic hash function SHA-1 in encryption mode. A detailed analysis is given of the resistance of SHA-1 against the most powerful known attacks today. It is concluded that none of these attacks can be applied successfully in practice to SHA-1. Breaking SHA-1 in encryption mode requires either an unrealistic amount of computation time and known/chosen texts, or a major breakthrough in cryptanalysis. The original motivation for this analysis is to investigate a block cipher named SHACAL based on these principles. SHACAL has been submitted to the NESSIE call for cryptographic primitives.},<br />
}<br />
</bibtex><br />
----<br />
<br />
== Performance Evaluation / Implementation (HW and SW) ==<br />
<br />
<bibtex><br />
@inproceedings{DBLP:conf/asap/LeeCV06,<br />
author = {Yong Ki Lee and Herwin Chan and Ingrid Verbauwhede},<br />
title = {Throughput Optimized SHA-1 Architecture Using Unfolding Transformation.},<br />
booktitle = {ASAP 2006},<br />
year = {2006},<br />
pages = {354-359},<br />
url = {http://doi.ieeecomputersociety.org/10.1109/ASAP.2006.68},<br />
publisher = {IEEE Computer Society},<br />
isbn = {0-7695-2682-9},<br />
abstract = {In this paper, we analyze the theoretical delay bound of the SHA-1 algorithm and propose architectures to achieve high throughput hardware implementations which approach this bound. According to the results of FPGA implementations, 3,541 Mbps with a pipeline and 893 Mbps without a pipeline were achieved. Moreover, synthesis results using 0.18-µm CMOS technology showed that 10.4 Gbps with a pipeline and 3.1 Gbps without a pipeline can be achieved. These results are much faster than previously published results. The high throughputs are due to the unfolding transformation, which reduces the number of required cycles for one block hash. We reduced the required number of cycles to 12 cycles for a 512 bit block and showed that 12 cycles is the optimal in our design.}<br />
}<br />
</bibtex><br />
<br />
== eHash Recommendation (optional) or eHash Opinion ==<br />
Something like: SHA-1 is considered to be broken. Please do not incorporate SHA-1 in new applications any longer. Try to migrate to another hash function.</div>
Nobbi
https://ehash.iaik.tugraz.at/index.php?title=SHA-1&diff=1560 SHA-1 2006-10-23T12:43:13Z
<p>Nobbi: /* Second Preimage Attacks */</p>
<hr />
<div>== General ==<br />
<br />
* digest size: 160 bits<br />
* max. message length: < 2<sup>64</sup> bits<br />
* type: iterative hash function<br />
* compression function: 512-bit message block, 160-bit chaining variable<br />
* [http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf Specification: FIPS 180-2 Secure Hash Standard]<br />
<br />
== Cryptanalysis ==<br />
<br />
=== Best Known Results ===<br />
<br />
The best collision attack on full SHA-1 was published by Wang et al. It has a complexity of 2<sup>69</sup> hash evaluations. The best collision example, a 64-step collision for SHA-1, was published by De Cannière and Rechberger.<br />
----<br />
<br />
=== Collision Attacks ===<br />
<br />
<bibtex><br />
@inproceedings{Yin2006Collision-ResistantUsageOf,<br />
author = {Michael Szydlo and Yiqun Lisa Yin},<br />
title = {Collision-Resistant Usage of MD5 and SHA-1 Via Message Preprocessing.},<br />
booktitle = {CT-RSA 2006},<br />
year = {2006},<br />
pages = {99-114},<br />
url = {http://dx.doi.org/10.1007/11605805_7},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3860},<br />
abstract = {A series of recent papers have demonstrated collision attacks on popularly used hash functions, including the widely deployed MD5 and SHA-1 algorithm. To assess this threat, the natural response has been to evaluate the extent to which various protocols actually depend on collision resistance for their security, and potentially schedule an upgrade to a stronger hash function. Other options involve altering the protocol in some way. This work suggests a different option. We present several simple message pre-processing techniques and show how the techniques can be combined with MD5 or SHA-1 so that applications are no longer vulnerable to the known collision attacks. For some applications, this may be a viable alternative to upgrading the hash function.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{Pramstaller2005ExploitingCodingTheory,<br />
author = {Norbert Pramstaller and Christian Rechberger and Vincent Rijmen},<br />
title = {Exploiting Coding Theory for Collision Attacks on SHA-1},<br />
booktitle = {Cryptography and Coding 2005},<br />
year = {2005},<br />
editor = {Nigel P. Smart},<br />
volume = {3796},<br />
series = {LNCS},<br />
pages = {78-95},<br />
publisher = {Springer},<br />
url = {http://dx.doi.org/10.1007/11586821_7},<br />
abstract = {In this article we show that coding theory can be exploited efficiently for the cryptanalysis of hash functions. We will mainly focus on SHA-1. We present different linear codes that are used to find low-weight differences that lead to a collision. We extend existing approaches and include recent results in the cryptanalysis of hash functions. With our approach we are able to find differences with very low weight. Based on the weight of these differences we conjecture the complexity for a collision attack on the full SHA-1.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Pramstaller2005ImpactOfRotations,<br />
author = {Norbert Pramstaller and Christian Rechberger and Vincent Rijmen},<br />
title = {Impact of Rotations in SHA-1 and Related Hash Functions.},<br />
booktitle = {SAC 2005},<br />
year = {2006},<br />
pages = {261-275},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3897},<br />
url = {http://dx.doi.org/10.1007/11693383_18},<br />
abstract = {SHA-1 uses a single set of rotation constants within the compression function. However, most other members of the MD4 family of hash functions use multiple sets of rotation constants: the rotation amounts change with the step being processed. To our knowledge, no design rationales on the choice of rotation constants are given on any of these hash functions. This is the first paper that analyzes rotations in iterated hash functions. We focus on SHA-1-like hash functions and use recent developments in the analysis of these hash functions to evaluate the security implications of using multiple sets of rotation constants in the compression function instead of a single set. Additionally, we give some observations on the set of constants used in SHA-0 and SHA-1.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@MISC{Wang2005NewCollisionSearch,<br />
author = {Xiaoyun Wang and Andrew Yao and Frances Yao},<br />
title = {New Collision Search for SHA-1},<br />
month = {August},<br />
year = {2005},<br />
howpublished = {Presented at rump session of CRYPTO 2005},<br />
note = {Presented at rump session of CRYPTO 2005},<br />
owner = {npramstaller},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@MISC{Wang2005CryptanalysisOfSHA1,<br />
author = {Xiaoyun Wang and Andrew Yao and Frances Yao},<br />
title = {Cryptanalysis of SHA-1},<br />
howpublished = {Presented at the Cryptographic Hash Workshop hosted by NIST},<br />
month = {October},<br />
year = {2005},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{Wang2005FindingCollisionsin,<br />
author = {Xiaoyun Wang and Yiqun Lisa Yin and Hongbo Yu},<br />
title = {Finding Collisions in the Full SHA-1},<br />
booktitle = {Advances in Cryptology - CRYPTO 2005},<br />
year = {2005},<br />
editor = {Victor Shoup},<br />
volume = {3621},<br />
series = {LNCS},<br />
pages = {17--36},<br />
url = {http://dx.doi.org/10.1007/11535218_2},<br />
publisher = {Springer},<br />
abstract = {In this paper, we present new collision search attacks on the hash function SHA-1. We show that collisions of SHA-1 can be found with complexity less than 2<sup>69</sup> hash operations. This is the first attack on the full 80-step SHA-1 with complexity less than the 2<sup>80</sup> theoretical bound.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{Rijmen2005UpdateonSHA-1,<br />
author = {Vincent Rijmen and Elisabeth Oswald},<br />
title = {Update on SHA-1},<br />
booktitle = {CT-RSA 2005},<br />
year = {2005},<br />
editor = {Alfred Menezes},<br />
volume = {3376},<br />
series = {LNCS},<br />
pages = {58--71},<br />
publisher = {Springer},<br />
url = {http://dx.doi.org/10.1007/b105222},<br />
abstract = {We report on the experiments we performed in order to assess the security of SHA-1 against the attack by Chabaud and Joux [5]. We present some ideas for optimizations of the attack and some properties of the message expansion routine. Finally, we show that for a reduced version of SHA-1, with 53 rounds instead of 80, it is possible to find collisions in less than 2<sup>80</sup> operations.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{Biham2005CollisionsofSHA-0,<br />
author = {Eli Biham and Rafi Chen and Antoine hirose and Patrick Carribault and Christophe Lemuet and William Jalby},<br />
title = {Collisions of SHA-0 and Reduced SHA-1},<br />
booktitle = {Advances in Cryptology - EUROCRYPT 2005},<br />
year = {2005},<br />
editor = {Ronald Cramer},<br />
volume = {3494},<br />
series = {LNCS},<br />
pages = {36--57},<br />
publisher = {Springer},<br />
url = {http://dx.doi.org/10.1007/11426639_3},<br />
abstract = {In this paper we describe improvements to the techniques used to cryptanalyze SHA-0 and introduce the first results on SHA-1. The results include a generic multi-block technique that uses near-collisions in order to find collisions, and a four-block collision of SHA-0 found using this technique with complexity 2<sup>51</sup>. Then, extensions of this and prior techniques are presented that allow us to find collisions of reduced versions of SHA-1. We give collisions of variants with up to 40 rounds, and show the complexities of longer variants. These techniques show that collisions up to about 53-58 rounds can still be found faster than by birthday attacks.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Satoh2005HardwareArchitectureAnd,<br />
author = {Akashi Satoh},<br />
title = {Hardware Architecture and Cost Estimates for Breaking SHA-1.},<br />
booktitle = {ISC 2005},<br />
year = {2005},<br />
pages = {259-273},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3650},<br />
url = {http://dx.doi.org/10.1007/11556992_19},<br />
abstract = {The cryptanalysis of hash functions has advanced rapidly, and many hash functions have been broken one after another. The most popular hash function SHA-1 has not been broken yet, but the new collision search techniques proposed by Wang et al. reduced the computational complexity down to 2<sup>69</sup>, which is only 1/2,000 of the 2<sup>80</sup> operations needed for a birthday attack. The complexity is still too large even for today’s supercomputers, but no feasibility study of breaking SHA-1 using specialized hardware has been reported. The well known brute force attack on DES simply repeats the DES operation 2<sup>56</sup> times at a maximum, but the complexity of 2<sup>69</sup> hash operations to break SHA-1 does not mean 2<sup>69</sup> SHA-1 operations. Complex procedures using SHA-1 functions are required, and the total number of operations based on the probability of a collision occurrence is almost equivalent to the 2<sup>69</sup> SHA-1 operations. Therefore, we describe a procedure and propose an LSI architecture to find real collisions for SHA-1 in this paper. The hardware core was synthesized by using a 0.13-µm CMOS standard cell library, and its performances in speed, size, and power consumption were evaluated. A $10 million budget can build a custom hardware system that would consist of 303 personal computers with 16 circuit boards each, in which 32 SHA-1-breaking LSIs are mounted. Each LSI has 64 SHA-1 cores that can run in parallel. This system would find a real collision in 127 days.}<br />
}<br />
</bibtex><br />
<br />
----<br />
<br />
=== Second Preimage Attacks ===<br />
<br />
<bibtex><br />
@inproceedings{Kelsey2005SecondPreimageOn,<br />
author = {John Kelsey and Bruce Schneier},<br />
title = {Second Preimages on n-Bit Hash Functions for Much Less than 2$^{\mbox{n}}$ Work.},<br />
booktitle = {EUROCRYPT},<br />
year = {2005},<br />
pages = {474-490},<br />
url = {http://dx.doi.org/10.1007/11426639_28},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3494},<br />
abstract = {We expand a previous result of Dean [Dea99] to provide a second preimage attack on all n-bit iterated hash functions with Damgård-Merkle strengthening and n-bit intermediate states, allowing a second preimage to be found for a 2<sup>k</sup>-message-block message with about k × 2<sup>n/2+1</sup> + 2<sup>n - k + 1</sup> work. Using RIPEMD-160 as an example, our attack can find a second preimage for a 2<sup>60</sup> byte message in about 2<sup>106</sup> work, rather than the previously expected 2<sup>160</sup> work. We also provide slightly cheaper ways to find multicollisions than the method of Joux [Jou04]. Both of these results are based on expandable messages: patterns for producing messages of varying length, which all collide on the intermediate hash result immediately after processing the message. We provide an algorithm for finding expandable messages for any n-bit hash function built using the Damgård-Merkle construction, which requires only a small multiple of the work done to find a single collision in the hash function.},<br />
}<br />
</bibtex><br />
<br />
'''Note:''' This article shows that second preimages can be found in much less than 2<sup>n</sup> work. This approach works for all iterated hash functions. Nevertheless, this attack is not practical, since an impractical amount of data is required.<br />
----<br />
<br />
=== Preimage Attacks ===<br />
* We are not aware of any article regarding preimage attacks on SHA-1.<br />
----<br />
<br />
=== Others ===<br />
<br />
<bibtex><br />
@inproceedings{Saarinen2003CryptanalysisOfBlock,<br />
author = {Markku-Juhani Olavi Saarinen},<br />
title = {Cryptanalysis of Block Ciphers Based on SHA-1 and MD5.},<br />
booktitle = {FSE 2003},<br />
year = {2003},<br />
pages = {36-44},<br />
url = {http://springerlink.metapress.com/content/xu0qg98tg38gl7nf/?p=2664f1c23d3f433f9d3fd6a9a1350eda&pi=3},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {2887},<br />
abstract = {We cryptanalyse some block cipher proposals that are based on dedicated hash functions SHA-1 and MD5. We discuss a related-key attack against SHACAL-1 and present a method for finding "slid pairs" for it. We also present simple attacks against MDC-MD5 and the Kaliski-Robshaw block cipher.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Handschuh2001AnalysisOfSHA-1,<br />
author = {Helena Handschuh and Lars R. Knudsen and Matthew J. B. Robshaw},<br />
title = {Analysis of SHA-1 in Encryption Mode.},<br />
booktitle = {CT-RSA 2001},<br />
year = {2001},<br />
pages = {70-83},<br />
url = {http://link.springer.de/link/service/series/0558/bibs/2020/20200070.htm},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {2020},<br />
abstract = {This paper analyses the cryptographic hash function SHA-1 in encryption mode. A detailed analysis is given of the resistance of SHA-1 against the most powerful known attacks today. It is concluded that none of these attacks can be applied successfully in practice to SHA-1. Breaking SHA-1 in encryption mode requires either an unrealistic amount of computation time and known/chosen texts, or a major breakthrough in cryptanalysis. The original motivation for this analysis is to investigate a block cipher named SHACAL based on these principles. SHACAL has been submitted to the NESSIE call for cryptographic primitives.},<br />
}<br />
</bibtex><br />
----<br />
<br />
== Performance Evaluation / Implementation (HW and SW) ==<br />
<br />
<bibtex><br />
@inproceedings{DBLP:conf/asap/LeeCV06,<br />
author = {Yong Ki Lee and Herwin Chan and Ingrid Verbauwhede},<br />
title = {Throughput Optimized SHA-1 Architecture Using Unfolding Transformation.},<br />
booktitle = {ASAP 2006},<br />
year = {2006},<br />
pages = {354-359},<br />
url = {http://doi.ieeecomputersociety.org/10.1109/ASAP.2006.68},<br />
publisher = {IEEE Computer Society},<br />
isbn = {0-7695-2682-9},<br />
abstract = {In this paper, we analyze the theoretical delay bound of the SHA-1 algorithm and propose architectures to achieve high throughput hardware implementations which approach this bound. According to the results of FPGA implementations, 3,541 Mbps with a pipeline and 893 Mbps without a pipeline were achieved. Moreover, synthesis results using 0.18-µm CMOS technology showed that 10.4 Gbps with a pipeline and 3.1 Gbps without a pipeline can be achieved. These results are much faster than previously published results. The high throughputs are due to the unfolding transformation, which reduces the number of required cycles for one block hash. We reduced the required number of cycles to 12 cycles for a 512 bit block and showed that 12 cycles is the optimal in our design.}<br />
}<br />
</bibtex><br />
<br />
== eHash Recommendation (optional) or eHash Opinion ==<br />
Something like: SHA-1 is considered to be broken. Please do not incorporate SHA-1 in new applications any longer. Try to migrate to another hash function.</div>
Nobbi
https://ehash.iaik.tugraz.at/index.php?title=SHA-1&diff=1559 SHA-1 2006-10-23T12:36:59Z
<p>Nobbi: /* Best Known Results */</p>
<hr />
<div>== General ==<br />
<br />
* digest size: 160 bits<br />
* max. message length: < 2<sup>64</sup> bits<br />
* type: iterative hash function<br />
* compression function: 512-bit message block, 160-bit chaining variable<br />
* [http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf Specification: FIPS 180-2 Secure Hash Standard]<br />
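The parameters listed above (and in the identical General section of the other revisions) become concrete in a compact implementation. The following is an added example, not code from the eHash wiki or from FIPS 180-2 itself: a pure-Python SHA-1 that makes the 512-bit message block, the 160-bit chaining variable, the 80 steps with the single set of rotation constants (5 and 30), the ROTL-by-1 message expansion and the 64-bit length field (the reason for the 2<sup>64</sup>-bit limit) visible, and checks its digests against `hashlib`. The helper names `pad`, `compress`, `sha1` and `matches_hashlib` are this example's own choices.

```python
"""Pure-Python SHA-1 after FIPS 180-2, as an illustration of the parameters
on this page.  Added example (not eHash or NIST code); for study only, the
production choice is hashlib.  Names below are this example's own."""
import hashlib
import struct

BLOCK_BYTES = 64    # 512-bit message block
DIGEST_BYTES = 20   # 160-bit digest, same size as the chaining variable
MASK32 = 0xFFFFFFFF


def rotl(x: int, n: int) -> int:
    """32-bit left rotation."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def pad(message: bytes) -> bytes:
    """Merkle-Damgard strengthening: 0x80, zeros, then the 64-bit bit length.
    The fixed 64-bit length field is why messages must be < 2**64 bits."""
    bit_len = len(message) * 8
    if bit_len >= 1 << 64:
        raise ValueError("SHA-1 messages must be shorter than 2**64 bits")
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack(">Q", bit_len)


def compress(h: tuple, block: bytes) -> tuple:
    """One compression-function call: 160-bit chaining variable h (five
    32-bit words) and one 512-bit block -> new 160-bit chaining variable."""
    w = list(struct.unpack(">16I", block))
    # Message expansion: W_t = ROTL1(W_{t-3} ^ W_{t-8} ^ W_{t-14} ^ W_{t-16}).
    # The rotation by one bit is what distinguishes SHA-1 from SHA-0.
    for t in range(16, 80):
        w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    a, b, c, d, e = h
    # 80 steps; SHA-1 uses one set of rotation constants (5 and 30) throughout.
    for t in range(80):
        if t < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif t < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif t < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        tmp = (rotl(a, 5) + f + e + k + w[t]) & MASK32
        a, b, c, d, e = tmp, a, rotl(b, 30), c, d
    # Davies-Meyer feed-forward: add the input chaining variable back in.
    return tuple((x + y) & MASK32 for x, y in zip(h, (a, b, c, d, e)))


def sha1(message: bytes) -> bytes:
    """Iterated hash: pad, then run the compression function block by block."""
    h = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
    padded = pad(message)
    for i in range(0, len(padded), BLOCK_BYTES):
        h = compress(h, padded[i:i + BLOCK_BYTES])
    return struct.pack(">5I", *h)


def matches_hashlib(message: bytes) -> bool:
    """Cross-check this implementation against the standard library."""
    return sha1(message) == hashlib.sha1(message).digest()


if __name__ == "__main__":
    sample = b"abc"  # constructed sample input
    print(sha1(sample).hex(), matches_hashlib(sample))
```

Running the module prints the well-known digest of `abc` and `True` for the cross-check. Note how every intermediate state is exactly 160 bits: this is the property the Kelsey-Schneier second-preimage result cited below relies on.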
<br />
== Cryptanalysis ==<br />
<br />
=== Best Known Results ===<br />
<br />
The best collision attack on full SHA-1 was published by Wang et al. It has a complexity of 2<sup>69</sup> hash evaluations. The best collision example, a 64-step collision for SHA-1, was published by De Cannière and Rechberger.<br />
----<br />
<br />
=== Collision Attacks ===<br />
<br />
<bibtex><br />
@inproceedings{Yin2006Collision-ResistantUsageOf,<br />
author = {Michael Szydlo and Yiqun Lisa Yin},<br />
title = {Collision-Resistant Usage of MD5 and SHA-1 Via Message Preprocessing.},<br />
booktitle = {CT-RSA 2006},<br />
year = {2006},<br />
pages = {99-114},<br />
url = {http://dx.doi.org/10.1007/11605805_7},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3860},<br />
abstract = {A series of recent papers have demonstrated collision attacks on popularly used hash functions, including the widely deployed MD5 and SHA-1 algorithm. To assess this threat, the natural response has been to evaluate the extent to which various protocols actually depend on collision resistance for their security, and potentially schedule an upgrade to a stronger hash function. Other options involve altering the protocol in some way. This work suggests a different option. We present several simple message pre-processing techniques and show how the techniques can be combined with MD5 or SHA-1 so that applications are no longer vulnerable to the known collision attacks. For some applications, this may be a viable alternative to upgrading the hash function.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{Pramstaller2005ExploitingCodingTheory,<br />
author = {Norbert Pramstaller and Christian Rechberger and Vincent Rijmen},<br />
title = {Exploiting Coding Theory for Collision Attacks on SHA-1},<br />
booktitle = {Cryptography and Coding 2005},<br />
year = {2005},<br />
editor = {Nigel P. Smart},<br />
volume = {3796},<br />
series = {LNCS},<br />
pages = {78-95},<br />
publisher = {Springer},<br />
url = {http://dx.doi.org/10.1007/11586821_7},<br />
abstract = {In this article we show that coding theory can be exploited efficiently for the cryptanalysis of hash functions. We will mainly focus on SHA-1. We present different linear codes that are used to find low-weight differences that lead to a collision. We extend existing approaches and include recent results in the cryptanalysis of hash functions. With our approach we are able to find differences with very low weight. Based on the weight of these differences we conjecture the complexity for a collision attack on the full SHA-1.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Pramstaller2005ImpactOfRotations,<br />
author = {Norbert Pramstaller and Christian Rechberger and Vincent Rijmen},<br />
title = {Impact of Rotations in SHA-1 and Related Hash Functions.},<br />
booktitle = {SAC 2005},<br />
year = {2006},<br />
pages = {261-275},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3897},<br />
url = {http://dx.doi.org/10.1007/11693383_18},<br />
abstract = {SHA-1 uses a single set of rotation constants within the compression function. However, most other members of the MD4 family of hash functions use multiple sets of rotation constants: the rotation amounts change with the step being processed. To our knowledge, no design rationales on the choice of rotation constants are given on any of these hash functions. This is the first paper that analyzes rotations in iterated hash functions. We focus on SHA-1-like hash functions and use recent developments in the analysis of these hash functions to evaluate the security implications of using multiple sets of rotation constants in the compression function instead of a single set. Additionally, we give some observations on the set of constants used in SHA-0 and SHA-1.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@MISC{Wang2005NewCollisionSearch,<br />
author = {Xiaoyun Wang and Andrew Yao and Frances Yao},<br />
title = {New Collision Search for SHA-1},<br />
month = {August},<br />
year = {2005},<br />
howpublished = {Presented at rump session of CRYPTO 2005},<br />
note = {Presented at rump session of CRYPTO 2005},<br />
owner = {npramstaller},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@MISC{Wang2005CryptanalysisOfSHA1,<br />
author = {Xiaoyun Wang and Andrew Yao and Frances Yao},<br />
title = {Cryptanalysis of SHA-1},<br />
howpublished = {Presented at the Cryptographic Hash Workshop hosted by NIST},<br />
month = {October},<br />
year = {2005},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{Wang2005FindingCollisionsin,<br />
author = {Xiaoyun Wang and Yiqun Lisa Yin and Hongbo Yu},<br />
title = {Finding Collisions in the Full SHA-1},<br />
booktitle = {Advances in Cryptology - CRYPTO 2005},<br />
year = {2005},<br />
editor = {Victor Shoup},<br />
volume = {3621},<br />
series = {LNCS},<br />
pages = {17--36},<br />
url = {http://dx.doi.org/10.1007/11535218_2},<br />
publisher = {Springer},<br />
abstract = {In this paper, we present new collision search attacks on the hash function SHA-1. We show that collisions of SHA-1 can be found with complexity less than 2<sup>69</sup> hash operations. This is the first attack on the full 80-step SHA-1 with complexity less than the 2<sup>80</sup> theoretical bound.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{Rijmen2005UpdateonSHA-1,<br />
author = {Vincent Rijmen and Elisabeth Oswald},<br />
title = {Update on SHA-1},<br />
booktitle = {CT-RSA 2005},<br />
year = {2005},<br />
editor = {Alfred Menezes},<br />
volume = {3376},<br />
series = {LNCS},<br />
pages = {58--71},<br />
publisher = {Springer},<br />
url = {http://dx.doi.org/10.1007/b105222},<br />
abstract = {We report on the experiments we performed in order to assess the security of SHA-1 against the attack by Chabaud and Joux [5]. We present some ideas for optimizations of the attack and some properties of the message expansion routine. Finally, we show that for a reduced version of SHA-1, with 53 rounds instead of 80, it is possible to find collisions in less than 2<sup>80</sup> operations.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{Biham2005CollisionsofSHA-0,<br />
author = {Eli Biham and Rafi Chen and Antoine hirose and Patrick Carribault and Christophe Lemuet and William Jalby},<br />
title = {Collisions of SHA-0 and Reduced SHA-1},<br />
booktitle = {Advances in Cryptology - EUROCRYPT 2005},<br />
year = {2005},<br />
editor = {Ronald Cramer},<br />
volume = {3494},<br />
series = {LNCS},<br />
pages = {36--57},<br />
publisher = {Springer},<br />
url = {http://dx.doi.org/10.1007/11426639_3},<br />
abstract = {In this paper we describe improvements to the techniques used to cryptanalyze SHA-0 and introduce the first results on SHA-1. The results include a generic multi-block technique that uses near-collisions in order to find collisions, and a four-block collision of SHA-0 found using this technique with complexity 2<sup>51</sup>. Then, extension of this and prior techniques are presented, that allow us to find collisions of reduced versions of SHA-1. We give collisions of variants with up to 40 rounds, and show the complexities of longer variants. These techniques show that collisions up to about 53-58 rounds can still be found faster than by birthday attacks.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Satoh2005HardwareArchitectureAnd,<br />
author = {Akashi Satoh},<br />
title = {Hardware Architecture and Cost Estimates for Breaking SHA-1.},<br />
booktitle = {ISC 2005},<br />
year = {2005},<br />
pages = {259-273},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3650},<br />
url = {http://dx.doi.org/10.1007/11556992_19},<br />
abstract = {The cryptanalysis of hash functions has advanced rapidly, and many hash functions have been broken one after another. The most popular hash function SHA-1 has not been broken yet, but the new collision search techniques proposed by Wang et al. reduced the computational complexity down to 2<sup>69</sup>, which is only 1/2,000 of the 2<sup>80</sup> operations needed for a birthday attack. The complexity is still too large even for today’s supercomputers, but no feasibility study of breaking SHA-1 using specialized hardware has been reported. The well known brute force attack on DES simply repeats the DES operation 2<sup>56</sup> times at a maximum, but the complexity of 2<sup>69</sup> hash operations to break SHA-1 does not mean 2<sup>69</sup> SHA-1 operations. Complex procedures using SHA-1 functions are required, and the total number of operations based on the probability of a collision occurrence is almost equivalent to the 2<sup>69</sup> SHA-1 operations. Therefore, we describe a procedure and propose an LSI architecture to find real collisions for SHA-1 in this paper. The hardware core was synthesized by using a 0.13-µm CMOS standard cell library, and its performances in speed, size, and power consumption were evaluated. A $10 million budget can build a custom hardware system that would consist of 303 personal computers with 16 circuit boards each, in which 32 SHA-1-breaking LSIs are mounted. Each LSI has 64 SHA-1 cores that can run in parallel. This system would find a real collision in 127 days.}<br />
}<br />
</bibtex><br />
<br />
----<br />
<br />
=== Second Preimage Attacks ===<br />
* A generic second-preimage attack exists that applies to every iterated hash function, SHA-1 included. See ....<br />
----<br />
<br />
=== Preimage Attacks ===<br />
* We are not aware of any article regarding preimage attacks on SHA-1.<br />
----<br />
<br />
=== Others ===<br />
<br />
<bibtex><br />
@inproceedings{Saarinen2003CryptanalysisOfBlock,<br />
author = {Markku-Juhani Olavi Saarinen},<br />
title = {Cryptanalysis of Block Ciphers Based on SHA-1 and MD5.},<br />
booktitle = {FSE 2003},<br />
year = {2003},<br />
pages = {36-44},<br />
url = {http://springerlink.metapress.com/content/xu0qg98tg38gl7nf/?p=2664f1c23d3f433f9d3fd6a9a1350eda&pi=3},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {2887},<br />
abstract = {We cryptanalyse some block cipher proposals that are based on dedicated hash functions SHA-1 and MD5. We discuss a related-key attack against SHACAL-1 and present a method for finding "slid pairs" for it. We also present simple attacks against MDC-MD5 and the Kaliski-Robshaw block cipher.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Handschuh2001AnalysisOfSHA-1,<br />
author = {Helena Handschuh and Lars R. Knudsen and Matthew J. B. Robshaw},<br />
title = {Analysis of SHA-1 in Encryption Mode.},<br />
booktitle = {CT-RSA 2001},<br />
year = {2001},<br />
pages = {70-83},<br />
url = {http://link.springer.de/link/service/series/0558/bibs/2020/20200070.htm},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {2020},<br />
abstract = {This paper analyses the cryptographic hash function SHA-1 in encryption mode. A detailed analysis is given of the resistance of SHA-1 against the most powerful known attacks today. It is concluded that none of these attacks can be applied successfully in practice to SHA-1. Breaking SHA-1 in encryption mode requires either an unrealistic amount of computation time and known/chosen texts, or a major breakthrough in cryptanalysis. The original motivation for this analysis is to investigate a block cipher named SHACAL based on these principles. SHACAL has been submitted to the NESSIE call for cryptographic primitives.},<br />
}<br />
</bibtex><br />
----<br />
<br />
== Performance Evaluation / Implementation (HW and SW) ==<br />
<br />
<bibtex><br />
@inproceedings{DBLP:conf/asap/LeeCV06,<br />
author = {Yong Ki Lee and Herwin Chan and Ingrid Verbauwhede},<br />
title = {Throughput Optimized SHA-1 Architecture Using Unfolding Transformation.},<br />
booktitle = {ASAP 2006},<br />
year = {2006},<br />
pages = {354-359},<br />
url = {http://doi.ieeecomputersociety.org/10.1109/ASAP.2006.68},<br />
publisher = {IEEE Computer Society},<br />
isbn = {0-7695-2682-9},<br />
abstract = {In this paper, we analyze the theoretical delay bound of the SHA-1 algorithm and propose architectures to achieve high throughput hardware implementations which approach this bound. According to the results of FPGA implementations, 3,541 Mbps with a pipeline and 893 Mbps without a pipeline were achieved. Moreover, synthesis results using 0.18-µm CMOS technology showed that 10.4 Gbps with a pipeline and 3.1 Gbps without a pipeline can be achieved. These results are much faster than previously published results. The high throughputs are due to the unfolding transformation, which reduces the number of required cycles for one block hash. We reduced the required number of cycles to 12 cycles for a 512-bit block and showed that 12 cycles is optimal in our design.}<br />
}<br />
</bibtex><br />
<br />
== eHash Recommendation (optional) or eHash Opinion ==<br />
Something like: SHA-1 is considered to be broken. Do not incorporate SHA-1 into new applications any longer, and migrate existing applications to another hash function.</div>Nobbihttps://ehash.iaik.tugraz.at/index.php?title=SHA-1&diff=1558SHA-12006-10-23T12:36:49Z<p>Nobbi: /* Collision Attacks */</p>
<hr />
<div>== General ==<br />
<br />
* digest size: 160 bits<br />
* max. message length: < 2<sup>64</sup> bits<br />
* type: iterative hash function<br />
* compression function: 512-bit message block, 160-bit chaining variable<br />
* [http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf Specification: FIPS 180-2 Secure Hash Standard]<br />
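<br />
The parameters listed above in working code. The following is an added example written for this page, not code from the eHash site or from FIPS 180-2: it implements the SHA-1 padding (the 64-bit length field behind the 2<sup>64</sup>-bit limit), the 80-step compression function, and the iteration of that function over 512-bit blocks with a 160-bit chaining variable, cross-checks the result against Python's hashlib, and then shows the practical consequence of the digest being nothing more than the final chaining value: a length-extension computation that yields SHA-1(m || padding || suffix) from SHA-1(m) and len(m) alone, without knowing m. The secret and query strings in the demo are constructed for the example.<br />
<br />
```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF
# Initial 160-bit chaining value (five 32-bit words) from FIPS 180-2.
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def _rotl(x, n):
    """Rotate a 32-bit word left by n bits."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def sha1_pad(message):
    """Merkle-Damgaard strengthening: append 0x80, zero-fill to 56 mod 64 bytes, then append
    the 64-bit big-endian bit length.  That length field is why the message must be shorter
    than 2**64 bits.  Note that the padding depends only on len(message), not on its content."""
    bit_len = len(message) * 8
    assert bit_len < 2 ** 64, "SHA-1 is only defined for messages shorter than 2**64 bits"
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack(">Q", bit_len)


def sha1_compress(h, block):
    """Compression function: 160-bit chaining value h and one 512-bit block -> new chaining value."""
    assert len(block) == 64
    w = list(struct.unpack(">16I", block))
    # Message expansion to 80 words; the 1-bit rotation is what distinguishes SHA-1 from SHA-0.
    for t in range(16, 80):
        w.append(_rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
    a, b, c, d, e = h
    for t in range(80):
        if t < 20:
            f, k = (b & c) | (~b & d), 0x5A827999           # Ch
        elif t < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1                    # Parity
        elif t < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC  # Maj
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6                    # Parity
        temp = (_rotl(a, 5) + f + e + k + w[t]) & MASK32
        a, b, c, d, e = temp, a, _rotl(b, 30), c, d
    # Davies-Meyer feed-forward: add the incoming chaining value back in.
    return tuple((x + y) & MASK32 for x, y in zip(h, (a, b, c, d, e)))


def sha1(message):
    """Iterate the compression function over the padded message; the last chaining value is the digest."""
    h = SHA1_IV
    padded = sha1_pad(message)
    for i in range(0, len(padded), 64):
        h = sha1_compress(h, padded[i:i + 64])
    return struct.pack(">5I", *h)


def sha1_hex(message):
    return sha1(message).hex()


def matches_hashlib(message):
    """Cross-check this implementation against the standard library."""
    return sha1(message) == hashlib.sha1(message).digest()


def length_extension(known_digest, known_len, suffix):
    """From SHA-1(m) and len(m) alone (m itself unknown), return (glue, SHA-1(m || glue || suffix)).
    This works because the digest is exactly the chaining value after absorbing m || padding,
    so the iteration can simply be resumed from it."""
    h = struct.unpack(">5I", known_digest)
    glue = sha1_pad(b"\x00" * known_len)[known_len:]      # padding of m: depends only on len(m)
    resumed_len = known_len + len(glue)                    # a multiple of 64 by construction
    tail = sha1_pad(b"\x00" * resumed_len + suffix)[resumed_len:]
    for i in range(0, len(tail), 64):
        h = sha1_compress(h, tail[i:i + 64])
    return glue, struct.pack(">5I", *h)


def demo_length_extension():
    """Constructed scenario: a server 'authenticates' a query with SHA-1(secret || query)."""
    secret = b"constructed-secret-key"            # never seen by the attacker
    query = b"user=alice&role=user"
    tag = hashlib.sha1(secret + query).digest()   # what the attacker observes on the wire
    # The attacker needs only the tag, the total length (guessable) and the suffix to append.
    glue, forged_tag = length_extension(tag, len(secret) + len(query), b"&role=admin")
    forged_query = query + glue + b"&role=admin"
    # The server recomputes with the real secret and accepts the forged tag.
    return forged_tag == hashlib.sha1(secret + forged_query).digest()


if __name__ == "__main__":
    print(sha1_hex(b"abc"))          # FIPS 180-2 test vector: a9993e364706816aba3e25717850c26c9cd0d89d
    print(demo_length_extension())   # True
```
<br />
The length-extension step is not a collision or preimage result and needs none of the cryptanalysis listed below: it follows from the iterated construction alone and holds for any unkeyed Merkle-Damgård hash with this padding, which is why SHA-1(key || message) must not be used as a message authentication code (use HMAC instead).<br />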
<br />
== Cryptanalysis ==<br />
<br />
=== Best Known Results ===<br />
<br />
The best collision attack on the full SHA-1 was published by Wang, Yin and Yu (CRYPTO 2005) and has a complexity of about 2<sup>69</sup> hash evaluations, compared with the 2<sup>80</sup> birthday bound. The best published collision example, a collision for SHA-1 reduced to 64 steps, is due to De Cannière and Rechberger.<br />
<br />
=== Collision Attacks ===<br />
<br />
<bibtex><br />
@inproceedings{Yin2006Collision-ResistantUsageOf,<br />
author = {Michael Szydlo and Yiqun Lisa Yin},<br />
title = {Collision-Resistant Usage of MD5 and SHA-1 Via Message Preprocessing.},<br />
booktitle = {CT-RSA 2006},<br />
year = {2006},<br />
pages = {99-114},<br />
url = {http://dx.doi.org/10.1007/11605805_7},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3860},<br />
abstract = {A series of recent papers have demonstrated collision attacks on popularly used hash functions, including the widely deployed MD5 and SHA-1 algorithm. To assess this threat, the natural response has been to evaluate the extent to which various protocols actually depend on collision resistance for their security, and potentially schedule an upgrade to a stronger hash function. Other options involve altering the protocol in some way. This work suggests a different option. We present several simple message pre-processing techniques and show how the techniques can be combined with MD5 or SHA-1 so that applications are no longer vulnerable to the known collision attacks. For some applications, this may a viable alternative to upgrading the hash function.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{Pramstaller2005ExploitingCodingTheory,<br />
author = {Norbert Pramstaller and Christian Rechberger and Vincent Rijmen},<br />
title = {Exploiting Coding Theory for Collision Attacks on SHA-1},<br />
booktitle = {Cryptography and Coding 2005},<br />
year = {2005},<br />
editor = {Nigel P. Smart},<br />
volume = {3796},<br />
series = {LNCS},<br />
pages = {78-95},<br />
publisher = {Springer},<br />
url = {http://dx.doi.org/10.1007/11586821_7},<br />
abstract = {In this article we show that coding theory can be exploited efficiently for the cryptanalysis of hash functions. We will mainly focus on SHA-1. We present different linear codes that are used to find low-weight differences that lead to a collision. We extend existing approaches and include recent results in the cryptanalysis of hash functions. With our approach we are able to find differences with very low weight. Based on the weight of these differences we conjecture the complexity for a collision attack on the full SHA-1.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Pramstaller2005ImpactOfRotations,<br />
author = {Norbert Pramstaller and Christian Rechberger and Vincent Rijmen},<br />
title = {Impact of Rotations in SHA-1 and Related Hash Functions.},<br />
booktitle = {SAC 2005},<br />
year = {2006},<br />
pages = {261-275},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3897},<br />
url = {http://dx.doi.org/10.1007/11693383_18},<br />
abstract = {SHA-1 uses a single set of rotation constants within the compression function. However, most other members of the MD4 family of hash functions use multiple sets of rotation constants, i.e. the rotation amounts change with the step being processed. To our knowledge, no design rationales on the choice of rotation constants are given on any of these hash functions. This is the first paper that analyzes rotations in iterated hash functions. We focus on SHA-1-like hash functions and use recent developments in the analysis of these hash functions to evaluate the security implications of using multiple sets of rotation constants in the compression function instead of a single set. Additionally, we give some observations on the set of constants used in SHA-0 and SHA-1.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@MISC{Wang2005NewCollisionSearch,<br />
author = {Xiaoyun Wang and Andrew Yao and Frances Yao},<br />
title = {New Collision Search for SHA-1},<br />
month = {August},<br />
year = {2005},<br />
howpublished = {Presented at rump session of CRYPTO 2005},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@MISC{Wang2005CryptanalysisOfSHA1,<br />
author = {Xiaoyun Wang and Andrew Yao and Frances Yao},<br />
title = {Cryptanalysis of SHA-1},<br />
howpublished = {Presented at the Cryptographic Hash Workshop hosted by NIST},<br />
month = {October},<br />
year = {2005},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{Wang2005FindingCollisionsin,<br />
author = {Xiaoyun Wang and Yiqun Lisa Yin and Hongbo Yu},<br />
title = {Finding Collisions in the Full SHA-1},<br />
booktitle = {Advances in Cryptology - CRYPTO 2005},<br />
year = {2005},<br />
editor = {Victor Shoup},<br />
volume = {3621},<br />
series = {LNCS},<br />
pages = {17--36},<br />
url = {http://dx.doi.org/10.1007/11535218_2},<br />
publisher = {Springer},<br />
abstract = {In this paper, we present new collision search attacks on the hash function SHA-1. We show that collisions of SHA-1 can be found with complexity less than 2<sup>69</sup> hash operations. This is the first attack on the full 80-step SHA-1 with complexity less than the 2<sup>80</sup> theoretical bound.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{Rijmen2005UpdateonSHA-1,<br />
author = {Vincent Rijmen and Elisabeth Oswald},<br />
title = {Update on SHA-1},<br />
booktitle = {CT-RSA 2005},<br />
year = {2005},<br />
editor = {Alfred Menezes},<br />
volume = {3376},<br />
series = {LNCS},<br />
pages = {58--71},<br />
publisher = {Springer},<br />
url = {http://dx.doi.org/10.1007/b105222},<br />
abstract = {We report on the experiments we performed in order to assess the security of SHA-1 against the attack by Chabaud and Joux [5]. We present some ideas for optimizations of the attack and some properties of the message expansion routine. Finally, we show that for a reduced version of SHA-1, with 53 rounds instead of 80, it is possible to find collisions in less than 2<sup>80</sup> operations.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{Biham2005CollisionsofSHA-0,<br />
author = {Eli Biham and Rafi Chen and Antoine Joux and Patrick Carribault and Christophe Lemuet and William Jalby},<br />
title = {Collisions of SHA-0 and Reduced SHA-1},<br />
booktitle = {Advances in Cryptology - EUROCRYPT 2005},<br />
year = {2005},<br />
editor = {Ronald Cramer},<br />
volume = {3494},<br />
series = {LNCS},<br />
pages = {36--57},<br />
publisher = {Springer},<br />
url = {http://dx.doi.org/10.1007/11426639_3},<br />
abstract = {In this paper we describe improvements to the techniques used to cryptanalyze SHA-0 and introduce the first results on SHA-1. The results include a generic multi-block technique that uses near-collisions in order to find collisions, and a four-block collision of SHA-0 found using this technique with complexity 2<sup>51</sup>. Then, extension of this and prior techniques are presented, that allow us to find collisions of reduced versions of SHA-1. We give collisions of variants with up to 40 rounds, and show the complexities of longer variants. These techniques show that collisions up to about 53-58 rounds can still be found faster than by birthday attacks.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Satoh2005HardwareArchitectureAnd,<br />
author = {Akashi Satoh},<br />
title = {Hardware Architecture and Cost Estimates for Breaking SHA-1.},<br />
booktitle = {ISC 2005},<br />
year = {2005},<br />
pages = {259-273},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3650},<br />
url = {http://dx.doi.org/10.1007/11556992_19},<br />
abstract = {The cryptanalysis of hash functions has advanced rapidly, and many hash functions have been broken one after another. The most popular hash function SHA-1 has not been broken yet, but the new collision search techniques proposed by Wang et al. reduced the computational complexity down to 2<sup>69</sup>, which is only 1/2,000 of the 2<sup>80</sup> operations needed for a birthday attack. The complexity is still too large even for today’s supercomputers, but no feasibility study of breaking SHA-1 using specialized hardware has been reported. The well known brute force attack on DES simply repeats the DES operation 2<sup>56</sup> times at a maximum, but the complexity of 2<sup>69</sup> hash operations to break SHA-1 does not mean 2<sup>69</sup> SHA-1 operations. Complex procedures using SHA-1 functions are required, and the total number of operations based on the probability of a collision occurrence is almost equivalent to the 2<sup>69</sup> SHA-1 operations. Therefore, we describe a procedure and propose an LSI architecture to find real collisions for SHA-1 in this paper. The hardware core was synthesized by using a 0.13-µm CMOS standard cell library, and its performances in speed, size, and power consumption were evaluated. A $10 million budget can build a custom hardware system that would consist of 303 personal computers with 16 circuit boards each, in which 32 SHA-1-breaking LSIs are mounted. Each LSI has 64 SHA-1 cores that can run in parallel. This system would find a real collision in 127 days.}<br />
}<br />
</bibtex><br />
<br />
----<br />
<br />
=== Second Preimage Attacks ===<br />
* A generic second-preimage attack exists that applies to every iterated hash function, SHA-1 included. See ....<br />
----<br />
<br />
=== Preimage Attacks ===<br />
* We are not aware of any article regarding preimage attacks on SHA-1.<br />
----<br />
<br />
=== Others ===<br />
<br />
<bibtex><br />
@inproceedings{Saarinen2003CryptanalysisOfBlock,<br />
author = {Markku-Juhani Olavi Saarinen},<br />
title = {Cryptanalysis of Block Ciphers Based on SHA-1 and MD5.},<br />
booktitle = {FSE 2003},<br />
year = {2003},<br />
pages = {36-44},<br />
url = {http://springerlink.metapress.com/content/xu0qg98tg38gl7nf/?p=2664f1c23d3f433f9d3fd6a9a1350eda&pi=3},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {2887},<br />
abstract = {We cryptanalyse some block cipher proposals that are based on dedicated hash functions SHA-1 and MD5. We discuss a related-key attack against SHACAL-1 and present a method for finding "slid pairs" for it. We also present simple attacks against MDC-MD5 and the Kaliski-Robshaw block cipher.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Handschuh2001AnalysisOfSHA-1,<br />
author = {Helena Handschuh and Lars R. Knudsen and Matthew J. B. Robshaw},<br />
title = {Analysis of SHA-1 in Encryption Mode.},<br />
booktitle = {CT-RSA 2001},<br />
year = {2001},<br />
pages = {70-83},<br />
url = {http://link.springer.de/link/service/series/0558/bibs/2020/20200070.htm},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {2020},<br />
abstract = {This paper analyses the cryptographic hash function SHA-1 in encryption mode. A detailed analysis is given of the resistance of SHA-1 against the most powerful known attacks today. It is concluded that none of these attacks can be applied successfully in practice to SHA-1. Breaking SHA-1 in encryption mode requires either an unrealistic amount of computation time and known/chosen texts, or a major breakthrough in cryptanalysis. The original motivation for this analysis is to investigate a block cipher named SHACAL based on these principles. SHACAL has been submitted to the NESSIE call for cryptographic primitives.},<br />
}<br />
</bibtex><br />
----<br />
<br />
== Performance Evaluation / Implementation (HW and SW) ==<br />
<br />
<bibtex><br />
@inproceedings{DBLP:conf/asap/LeeCV06,<br />
author = {Yong Ki Lee and Herwin Chan and Ingrid Verbauwhede},<br />
title = {Throughput Optimized SHA-1 Architecture Using Unfolding Transformation.},<br />
booktitle = {ASAP 2006},<br />
year = {2006},<br />
pages = {354-359},<br />
url = {http://doi.ieeecomputersociety.org/10.1109/ASAP.2006.68},<br />
publisher = {IEEE Computer Society},<br />
isbn = {0-7695-2682-9},<br />
abstract = {In this paper, we analyze the theoretical delay bound of the SHA-1 algorithm and propose architectures to achieve high throughput hardware implementations which approach this bound. According to the results of FPGA implementations, 3,541 Mbps with a pipeline and 893 Mbps without a pipeline were achieved. Moreover, synthesis results using 0.18-µm CMOS technology showed that 10.4 Gbps with a pipeline and 3.1 Gbps without a pipeline can be achieved. These results are much faster than previously published results. The high throughputs are due to the unfolding transformation, which reduces the number of required cycles for one block hash. We reduced the required number of cycles to 12 cycles for a 512-bit block and showed that 12 cycles is optimal in our design.}<br />
}<br />
</bibtex><br />
<br />
== eHash Recommendation (optional) or eHash Opinion ==<br />
Something like: SHA-1 is considered to be broken. Do not incorporate SHA-1 into new applications any longer, and migrate existing applications to another hash function.</div>Nobbihttps://ehash.iaik.tugraz.at/index.php?title=SHA-1&diff=1557SHA-12006-10-23T12:35:39Z<p>Nobbi: /* Collision Attacks */</p>
<hr />
<div>== General ==<br />
<br />
* digest size: 160 bits<br />
* max. message length: < 2<sup>64</sup> bits<br />
* type: iterative hash function<br />
* compression function: 512-bit message block, 160-bit chaining variable<br />
* [http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf Specification: FIPS 180-2 Secure Hash Standard]<br />
<br />
== Cryptanalysis ==<br />
<br />
=== Best Known Results ===<br />
<br />
The best collision attack on the full SHA-1 was published by Wang, Yin and Yu (CRYPTO 2005) and has a complexity of about 2<sup>69</sup> hash evaluations, compared with the 2<sup>80</sup> birthday bound. The best published collision example, a collision for SHA-1 reduced to 64 steps, is due to De Cannière and Rechberger.<br />
<br />
=== Collision Attacks ===<br />
<br />
<bibtex><br />
@inproceedings{Yin2006Collision-ResistantUsageOf,<br />
author = {Michael Szydlo and Yiqun Lisa Yin},<br />
title = {Collision-Resistant Usage of MD5 and SHA-1 Via Message Preprocessing.},<br />
booktitle = {CT-RSA 2006},<br />
year = {2006},<br />
pages = {99-114},<br />
url = {http://dx.doi.org/10.1007/11605805_7},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3860},<br />
abstract = {A series of recent papers have demonstrated collision attacks on popularly used hash functions, including the widely deployed MD5 and SHA-1 algorithm. To assess this threat, the natural response has been to evaluate the extent to which various protocols actually depend on collision resistance for their security, and potentially schedule an upgrade to a stronger hash function. Other options involve altering the protocol in some way. This work suggests a different option. We present several simple message pre-processing techniques and show how the techniques can be combined with MD5 or SHA-1 so that applications are no longer vulnerable to the known collision attacks. For some applications, this may a viable alternative to upgrading the hash function.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{Pramstaller2005ExploitingCodingTheory,<br />
author = {Norbert Pramstaller and Christian Rechberger and Vincent Rijmen},<br />
title = {Exploiting Coding Theory for Collision Attacks on SHA-1},<br />
booktitle = {Cryptography and Coding 2005},<br />
year = {2005},<br />
editor = {Nigel P. Smart},<br />
volume = {3796},<br />
series = {LNCS},<br />
pages = {78-95},<br />
publisher = {Springer},<br />
url = {http://dx.doi.org/10.1007/11586821_7},<br />
abstract = {In this article we show that coding theory can be exploited efficiently for the cryptanalysis of hash functions. We will mainly focus on SHA-1. We present different linear codes that are used to find low-weight differences that lead to a collision. We extend existing approaches and include recent results in the cryptanalysis of hash functions. With our approach we are able to find differences with very low weight. Based on the weight of these differences we conjecture the complexity for a collision attack on the full SHA-1.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Pramstaller2005ImpactOfRotations,<br />
author = {Norbert Pramstaller and Christian Rechberger and Vincent Rijmen},<br />
title = {Impact of Rotations in SHA-1 and Related Hash Functions.},<br />
booktitle = {SAC 2005},<br />
year = {2006},<br />
pages = {261-275},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3897},<br />
url = {http://dx.doi.org/10.1007/11693383_18},<br />
abstract = {SHA-1 uses a single set of rotation constants within the compression function. However, most other members of the MD4 family of hash functions use multiple sets of rotation constants, i.e. the rotation amounts change with the step being processed. To our knowledge, no design rationales on the choice of rotation constants are given on any of these hash functions. This is the first paper that analyzes rotations in iterated hash functions. We focus on SHA-1-like hash functions and use recent developments in the analysis of these hash functions to evaluate the security implications of using multiple sets of rotation constants in the compression function instead of a single set. Additionally, we give some observations on the set of constants used in SHA-0 and SHA-1.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@MISC{Wang2005NewCollisionSearch,<br />
author = {Xiaoyun Wang and Andrew Yao and Frances Yao},<br />
title = {New Collision Search for SHA-1},<br />
month = {August},<br />
year = {2005},<br />
howpublished = {Presented at rump session of CRYPTO 2005},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@MISC{Wang2005CryptanalysisOfSHA1,<br />
author = {Xiaoyun Wang and Andrew Yao and Frances Yao},<br />
title = {Cryptanalysis of SHA-1},<br />
howpublished = {Presented at the Cryptographic Hash Workshop hosted by NIST},<br />
month = {October},<br />
year = {2005},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{Wang2005FindingCollisionsin,<br />
author = {Xiaoyun Wang and Yiqun Lisa Yin and Hongbo Yu},<br />
title = {Finding Collisions in the Full SHA-1},<br />
booktitle = {Advances in Cryptology - CRYPTO 2005},<br />
year = {2005},<br />
editor = {Victor Shoup},<br />
volume = {3621},<br />
series = {LNCS},<br />
pages = {17--36},<br />
url = {http://dx.doi.org/10.1007/11535218_2},<br />
publisher = {Springer},<br />
abstract = {In this paper, we present new collision search attacks on the hash function SHA-1. We show that collisions of SHA-1 can be found with complexity less than 2<sup>69</sup> hash operations. This is the first attack on the full 80-step SHA-1 with complexity less than the 2<sup>80</sup> theoretical bound.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{Rijmen2005UpdateonSHA-1,<br />
author = {Vincent Rijmen and Elisabeth Oswald},<br />
title = {Update on SHA-1},<br />
booktitle = {CT-RSA 2005},<br />
year = {2005},<br />
editor = {Alfred Menezes},<br />
volume = {3376},<br />
series = {LNCS},<br />
pages = {58--71},<br />
publisher = {Springer},<br />
url = {http://dx.doi.org/10.1007/b105222},<br />
abstract = {We report on the experiments we performed in order to assess the security of SHA-1 against the attack by Chabaud and Joux [5]. We present some ideas for optimizations of the attack and some properties of the message expansion routine. Finally, we show that for a reduced version of SHA-1, with 53 rounds instead of 80, it is possible to find collisions in less than 2<sup>80</sup> operations.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{Biham2005CollisionsofSHA-0,<br />
author = {Eli Biham and Rafi Chen and Antoine Joux and Patrick Carribault and Christophe Lemuet and William Jalby},<br />
title = {Collisions of SHA-0 and Reduced SHA-1},<br />
booktitle = {Advances in Cryptology - EUROCRYPT 2005},<br />
year = {2005},<br />
editor = {Ronald Cramer},<br />
volume = {3494},<br />
series = {LNCS},<br />
pages = {36--57},<br />
publisher = {Springer},<br />
url = {http://dx.doi.org/10.1007/11426639_3},<br />
abstract = {In this paper we describe improvements to the techniques used to cryptanalyze SHA-0 and introduce the first results on SHA-1. The results include a generic multi-block technique that uses near-collisions in order to find collisions, and a four-block collision of SHA-0 found using this technique with complexity 2<sup>51</sup>. Then, extension of this and prior techniques are presented, that allow us to find collisions of reduced versions of SHA-1. We give collisions of variants with up to 40 rounds, and show the complexities of longer variants. These techniques show that collisions up to about 53-58 rounds can still be found faster than by birthday attacks.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Satoh2005HardwareArchitectureAnd,<br />
author = {Akashi Satoh},<br />
title = {Hardware Architecture and Cost Estimates for Breaking SHA-1.},<br />
booktitle = {ISC 2005},<br />
year = {2005},<br />
pages = {259-273},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3650},<br />
url = {http://dx.doi.org/10.1007/11556992_19},<br />
abstract = {The cryptanalysis of hash functions has advanced rapidly, and many hash functions have been broken one after another. The most popular hash function SHA-1 has not been broken yet, but the new collision search techniques proposed by Wang et al. reduced the computational complexity down to 2<sup>69</sup>, which is only 1/2,000 of the 2<sup>80</sup> operations needed for a birthday attack. The complexity is still too large even for today’s supercomputers, but no feasibility study of breaking SHA-1 using specialized hardware has been reported. The well known brute force attack on DES simply repeats the DES operation 2<sup>56</sup> times at a maximum, but the complexity of 2<sup>69</sup> hash operations to break SHA-1 does not mean 2<sup>69</sup> SHA-1 operations. Complex procedures using SHA-1 functions are required, and the total number of operations based on the probability of a collision occurrence is almost equivalent to the 2<sup>69</sup> SHA-1 operations. Therefore, we describe a procedure and propose an LSI architecture to find real collisions for SHA-1 in this paper. The hardware core was synthesized by using a 0.13-µm CMOS standard cell library, and its performances in speed, size, and power consumption were evaluated. A $10 million budget can build a custom hardware system that would consist of 303 personal computers with 16 circuit boards each, in which 32 SHA-1-breaking LSIs are mounted. Each LSI has 64 SHA-1 cores that can run in parallel. This system would find a real collision in 127 days.}<br />
}<br />
</bibtex><br />
<br />
=== Second Preimage Attacks ===<br />
* A generic second-preimage attack exists that applies to every iterated hash function, SHA-1 included. See ....<br />
----<br />
<br />
=== Preimage Attacks ===<br />
* We are not aware of any article regarding preimage attacks on SHA-1.<br />
----<br />
<br />
=== Others ===<br />
<br />
<bibtex><br />
@inproceedings{Saarinen2003CryptanalysisOfBlock,<br />
author = {Markku-Juhani Olavi Saarinen},<br />
title = {Cryptanalysis of Block Ciphers Based on SHA-1 and MD5.},<br />
booktitle = {FSE 2003},<br />
year = {2003},<br />
pages = {36-44},<br />
url = {http://springerlink.metapress.com/content/xu0qg98tg38gl7nf/?p=2664f1c23d3f433f9d3fd6a9a1350eda&pi=3},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {2887},<br />
abstract = {We cryptanalyse some block cipher proposals that are based on dedicated hash functions SHA-1 and MD5. We discuss a related-key attack against SHACAL-1 and present a method for finding "slid pairs" for it. We also present simple attacks against MDC-MD5 and the Kaliski-Robshaw block cipher.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Handschuh2001AnalysisOfSHA-1,<br />
author = {Helena Handschuh and Lars R. Knudsen and Matthew J. B. Robshaw},<br />
title = {Analysis of SHA-1 in Encryption Mode.},<br />
booktitle = {CT-RSA 2001},<br />
year = {2001},<br />
pages = {70-83},<br />
url = {http://link.springer.de/link/service/series/0558/bibs/2020/20200070.htm},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {2020},<br />
abstract = {This paper analyses the cryptographic hash function SHA-1 in encryption mode. A detailed analysis is given of the resistance of SHA-1 against the most powerful known attacks today. It is concluded that none of these attacks can be applied successfully in practice to SHA-1. Breaking SHA-1 in encryption mode requires either an unrealistic amount of computation time and known/chosen texts, or a major breakthrough in cryptanalysis. The original motivation for this analysis is to investigate a block cipher named SHACAL based on these principles. SHACAL has been submitted to the NESSIE call for cryptographic primitives.},<br />
}<br />
</bibtex><br />
----<br />
<br />
== Performance Evaluation / Implementation (HW and SW) ==<br />
<br />
<bibtex><br />
@inproceedings{DBLP:conf/asap/LeeCV06,<br />
author = {Yong Ki Lee and Herwin Chan and Ingrid Verbauwhede},<br />
title = {Throughput Optimized SHA-1 Architecture Using Unfolding Transformation.},<br />
booktitle = {ASAP 2006},<br />
year = {2006},<br />
pages = {354-359},<br />
url = {http://doi.ieeecomputersociety.org/10.1109/ASAP.2006.68},<br />
publisher = {IEEE Computer Society},<br />
isbn = {0-7695-2682-9},<br />
abstract = {In this paper, we analyze the theoretical delay bound of the SHA-1 algorithm and propose architectures to achieve high throughput hardware implementations which approach this bound. According to the results of FPGA implementations, 3,541 Mbps with a pipeline and 893 Mbps without a pipeline were achieved. Moreover, synthesis results using 0.18 µm CMOS technology showed that 10.4 Gbps with a pipeline and 3.1 Gbps without a pipeline can be achieved. These results are much faster than previously published results. The high throughputs are due to the unfolding transformation, which reduces the number of required cycles for one block hash. We reduced the required number of cycles to 12 cycles for a 512 bit block and showed that 12 cycles is optimal in our design.}<br />
}<br />
</bibtex><br />
<br />
== eHash Recommendation (optional) or eHash Opinion ==<br />
Something like: SHA-1 is considered to be broken. Do not incorporate SHA-1 into new applications any longer, and migrate existing ones to another hash function.</div>Nobbihttps://ehash.iaik.tugraz.at/index.php?title=SHA-1&diff=1556SHA-12006-10-23T12:35:30Z<p>Nobbi: /* Others */</p>
<hr />
<div>== General ==<br />
<br />
* digest size: 160 bits<br />
* max. message length: < 2<sup>64</sup> bits<br />
* type: iterative hash function<br />
* compression function: 512-bit message block, 160-bit chaining variable<br />
* [http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf Specification: FIPS 180-2 Secure Hash Standard]<br />
<br />
== Cryptanalysis ==<br />
<br />
=== Best Known Results ===<br />
<br />
The best published collision attack on the full SHA-1 is by Wang, Yin and Yu (CRYPTO 2005). It has a complexity of less than 2<sup>69</sup> hash evaluations; an improvement to about 2<sup>63</sup> was announced by Wang, Yao and Yao at the CRYPTO 2005 rump session. The best collision example, a 64-step collision for SHA-1, was published by De Cannière and Rechberger.<br />
<br />
=== Collision Attacks ===<br />
<br />
<bibtex><br />
@INPROCEEDINGS{Pramstaller2005ExploitingCodingTheory,<br />
author = {Norbert Pramstaller and Christian Rechberger and Vincent Rijmen},<br />
title = {Exploiting Coding Theory for Collision Attacks on SHA-1},<br />
booktitle = {Cryptography and Coding 2005},<br />
year = {2005},<br />
editor = {Nigel P. Smart},<br />
volume = {3796},<br />
series = {LNCS},<br />
pages = {78-95},<br />
publisher = {Springer},<br />
url = {http://dx.doi.org/10.1007/11586821_7},<br />
abstract = {In this article we show that coding theory can be exploited efficiently for the cryptanalysis of hash functions. We will mainly focus on SHA-1. We present different linear codes that are used to find low-weight differences that lead to a collision. We extend existing approaches and include recent results in the cryptanalysis of hash functions. With our approach we are able to find differences with very low weight. Based on the weight of these differences we conjecture the complexity for a collision attack on the full SHA-1.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Pramstaller2005ImpactOfRotations,<br />
author = {Norbert Pramstaller and Christian Rechberger and Vincent Rijmen},<br />
title = {Impact of Rotations in SHA-1 and Related Hash Functions.},<br />
booktitle = {SAC 2005},<br />
year = {2006},<br />
pages = {261-275},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3897},<br />
url = {http://dx.doi.org/10.1007/11693383_18},<br />
abstract = {SHA-1 uses a single set of rotation constants within the compression function. However, most other members of the MD4 family of hash functions use multiple sets of rotation constants, i.e. the rotation amounts change with the step being processed. To our knowledge, no design rationales on the choice of rotation constants are given on any of these hash functions. This is the first paper that analyzes rotations in iterated hash functions. We focus on SHA-1-like hash functions and use recent developments in the analysis of these hash functions to evaluate the security implications of using multiple sets of rotation constants in the compression function instead of a single set. Additionally, we give some observations on the set of constants used in SHA-0 and SHA-1.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@MISC{Wang2005NewCollisionSearch,<br />
author = {Xiaoyun Wang and Andrew Yao and Frances Yao},<br />
title = {New Collision Search for SHA-1},<br />
month = {August},<br />
year = {2005},<br />
howpublished = {Presented at rump session of CRYPTO 2005},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@MISC{Wang2005CryptanalysisOfSHA1,<br />
author = {Xiaoyun Wang and Andrew Yao and Frances Yao},<br />
title = {Cryptanalysis of SHA-1},<br />
howpublished = {Presented at the Cryptographic Hash Workshop hosted by NIST},<br />
month = {October},<br />
year = {2005},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{Wang2005FindingCollisionsin,<br />
author = {Xiaoyun Wang and Yiqun Lisa Yin and Hongbo Yu},<br />
title = {Finding Collisions in the Full SHA-1},<br />
booktitle = {Advances in Cryptology - CRYPTO 2005},<br />
year = {2005},<br />
editor = {Victor Shoup},<br />
volume = {3621},<br />
series = {LNCS},<br />
pages = {17--36},<br />
url = {http://dx.doi.org/10.1007/11535218_2},<br />
publisher = {Springer},<br />
abstract = {In this paper, we present new collision search attacks on the hash function SHA-1. We show that collisions of SHA-1 can be found with complexity less than 2<sup>69</sup> hash operations. This is the first attack on the full 80-step SHA-1 with complexity less than the 2<sup>80</sup> theoretical bound.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{Rijmen2005UpdateonSHA-1,<br />
author = {Vincent Rijmen and Elisabeth Oswald},<br />
title = {Update on SHA-1},<br />
booktitle = {CT-RSA 2005},<br />
year = {2005},<br />
editor = {Alfred Menezes},<br />
volume = {3376},<br />
series = {LNCS},<br />
pages = {58--71},<br />
publisher = {Springer},<br />
url = {http://dx.doi.org/10.1007/b105222},<br />
abstract = {We report on the experiments we performed in order to assess the security of SHA-1 against the attack by Chabaud and Joux [5]. We present some ideas for optimizations of the attack and some properties of the message expansion routine. Finally, we show that for a reduced version of SHA-1, with 53 rounds instead of 80, it is possible to find collisions in less than 2<sup>80</sup> operations.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{Biham2005CollisionsofSHA-0,<br />
author = {Eli Biham and Rafi Chen and Antoine Joux and Patrick Carribault and Christophe Lemuet and William Jalby},<br />
title = {Collisions of SHA-0 and Reduced SHA-1},<br />
booktitle = {Advances in Cryptology - EUROCRYPT 2005},<br />
year = {2005},<br />
editor = {Ronald Cramer},<br />
volume = {3494},<br />
series = {LNCS},<br />
pages = {36--57},<br />
publisher = {Springer},<br />
url = {http://dx.doi.org/10.1007/11426639_3},<br />
abstract = {In this paper we describe improvements to the techniques used to cryptanalyze SHA-0 and introduce the first results on SHA-1. The results include a generic multi-block technique that uses near-collisions in order to find collisions, and a four-block collision of SHA-0 found using this technique with complexity 2<sup>51</sup>. Then, extension of this and prior techniques are presented, that allow us to find collisions of reduced versions of SHA-1. We give collisions of variants with up to 40 rounds, and show the complexities of longer variants. These techniques show that collisions up to about 53-58 rounds can still be found faster than by birthday attacks.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Satoh2005HardwareArchitectureAnd,<br />
author = {Akashi Satoh},<br />
title = {Hardware Architecture and Cost Estimates for Breaking SHA-1.},<br />
booktitle = {ISC 2005},<br />
year = {2005},<br />
pages = {259-273},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3650},<br />
url = {http://dx.doi.org/10.1007/11556992_19},<br />
abstract = {The cryptanalysis of hash functions has advanced rapidly, and many hash functions have been broken one after another. The most popular hash function SHA-1 has not been broken yet, but the new collision search techniques proposed by Wang et al. reduced the computational complexity down to 2<sup>69</sup>, which is only 1/2,000 of the 2<sup>80</sup> operations needed for a birthday attack. The complexity is still too large even for today’s supercomputers, but no feasibility study of breaking SHA-1 using specialized hardware has been reported. The well known brute force attack on DES simply repeats the DES operation 2<sup>56</sup> times at a maximum, but the complexity of 2<sup>69</sup> hash operations to break SHA-1 does not mean 2<sup>69</sup> SHA-1 operations. Complex procedures using SHA-1 functions are required, and the total number of operations based on the probability of a collision occurrence is almost equivalent to the 2<sup>69</sup> SHA-1 operations. Therefore, we describe a procedure and propose an LSI architecture to find real collisions for SHA-1 in this paper. The hardware core was synthesized by using a 0.13-µm CMOS standard cell library, and its performances in speed, size, and power consumption were evaluated. A $10 million budget can build a custom hardware system that would consist of 303 personal computers with 16 circuit boards each, in which 32 SHA-1-breaking LSIs are mounted. Each LSI has 64 SHA-1 cores that can run in parallel. This system would find a real collision in 127 days.}<br />
}<br />
</bibtex><br />
<br />
=== Second Preimage Attacks ===<br />
* There exists a generic attack (works for all iterated hash functions). See ....<br />
----<br />
<br />
=== Preimage Attacks ===<br />
* We are not aware of any article regarding preimage attacks on SHA-1.<br />
----<br />
<br />
=== Others ===<br />
<br />
<bibtex><br />
@inproceedings{Saarinen2003CryptanalysisOfBlock,<br />
author = {Markku-Juhani Olavi Saarinen},<br />
title = {Cryptanalysis of Block Ciphers Based on SHA-1 and MD5.},<br />
booktitle = {FSE 2003},<br />
year = {2003},<br />
pages = {36-44},<br />
url = {http://springerlink.metapress.com/content/xu0qg98tg38gl7nf/?p=2664f1c23d3f433f9d3fd6a9a1350eda&pi=3},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {2887},<br />
abstract = {We cryptanalyse some block cipher proposals that are based on dedicated hash functions SHA-1 and MD5. We discuss a related-key attack against SHACAL-1 and present a method for finding "slid pairs" for it. We also present simple attacks against MDC-MD5 and the Kaliski-Robshaw block cipher.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Handschuh2001AnalysisOfSHA-1,<br />
author = {Helena Handschuh and Lars R. Knudsen and Matthew J. B. Robshaw},<br />
title = {Analysis of SHA-1 in Encryption Mode.},<br />
booktitle = {CT-RSA 2001},<br />
year = {2001},<br />
pages = {70-83},<br />
url = {http://link.springer.de/link/service/series/0558/bibs/2020/20200070.htm},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {2020},<br />
abstract = {This paper analyses the cryptographic hash function SHA-1 in encryption mode. A detailed analysis is given of the resistance of SHA-1 against the most powerful known attacks today. It is concluded that none of these attacks can be applied successfully in practice to SHA-1. Breaking SHA-1 in encryption mode requires either an unrealistic amount of computation time and known/chosen texts, or a major breakthrough in cryptanalysis. The original motivation for this analysis is to investigate a block cipher named SHACAL based on these principles. SHACAL has been submitted to the NESSIE call for cryptographic primitives.},<br />
}<br />
</bibtex><br />
----<br />
<br />
== Performance Evaluation / Implementation (HW and SW) ==<br />
<br />
<bibtex><br />
@inproceedings{DBLP:conf/asap/LeeCV06,<br />
author = {Yong Ki Lee and Herwin Chan and Ingrid Verbauwhede},<br />
title = {Throughput Optimized SHA-1 Architecture Using Unfolding Transformation.},<br />
booktitle = {ASAP 2006},<br />
year = {2006},<br />
pages = {354-359},<br />
url = {http://doi.ieeecomputersociety.org/10.1109/ASAP.2006.68},<br />
publisher = {IEEE Computer Society},<br />
isbn = {0-7695-2682-9},<br />
abstract = {In this paper, we analyze the theoretical delay bound of the SHA-1 algorithm and propose architectures to achieve high throughput hardware implementations which approach this bound. According to the results of FPGA implementations, 3,541 Mbps with a pipeline and 893 Mbps without a pipeline were achieved. Moreover, synthesis results using 0.18 µm CMOS technology showed that 10.4 Gbps with a pipeline and 3.1 Gbps without a pipeline can be achieved. These results are much faster than previously published results. The high throughputs are due to the unfolding transformation, which reduces the number of required cycles for one block hash. We reduced the required number of cycles to 12 cycles for a 512 bit block and showed that 12 cycles is optimal in our design.}<br />
}<br />
</bibtex><br />
<br />
== eHash Recommendation (optional) or eHash Opinion ==<br />
Something like: SHA-1 is considered to be broken. Do not incorporate SHA-1 into new applications any longer, and migrate existing ones to another hash function.</div>Nobbihttps://ehash.iaik.tugraz.at/index.php?title=SHA-1&diff=1555SHA-12006-10-23T12:35:11Z<p>Nobbi: /* Others */</p>
<hr />
<div>== General ==<br />
<br />
* digest size: 160 bits<br />
* max. message length: < 2<sup>64</sup> bits<br />
* type: iterative hash function<br />
* compression function: 512-bit message block, 160-bit chaining variable<br />
* [http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf Specification: FIPS 180-2 Secure Hash Standard]<br />
<br />
== Cryptanalysis ==<br />
<br />
=== Best Known Results ===<br />
<br />
The best published collision attack on the full SHA-1 is by Wang, Yin and Yu (CRYPTO 2005). It has a complexity of less than 2<sup>69</sup> hash evaluations; an improvement to about 2<sup>63</sup> was announced by Wang, Yao and Yao at the CRYPTO 2005 rump session. The best collision example, a 64-step collision for SHA-1, was published by De Cannière and Rechberger.<br />
<br />
=== Collision Attacks ===<br />
<br />
<bibtex><br />
@INPROCEEDINGS{Pramstaller2005ExploitingCodingTheory,<br />
author = {Norbert Pramstaller and Christian Rechberger and Vincent Rijmen},<br />
title = {Exploiting Coding Theory for Collision Attacks on SHA-1},<br />
booktitle = {Cryptography and Coding 2005},<br />
year = {2005},<br />
editor = {Nigel P. Smart},<br />
volume = {3796},<br />
series = {LNCS},<br />
pages = {78-95},<br />
publisher = {Springer},<br />
url = {http://dx.doi.org/10.1007/11586821_7},<br />
abstract = {In this article we show that coding theory can be exploited efficiently for the cryptanalysis of hash functions. We will mainly focus on SHA-1. We present different linear codes that are used to find low-weight differences that lead to a collision. We extend existing approaches and include recent results in the cryptanalysis of hash functions. With our approach we are able to find differences with very low weight. Based on the weight of these differences we conjecture the complexity for a collision attack on the full SHA-1.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Pramstaller2005ImpactOfRotations,<br />
author = {Norbert Pramstaller and Christian Rechberger and Vincent Rijmen},<br />
title = {Impact of Rotations in SHA-1 and Related Hash Functions.},<br />
booktitle = {SAC 2005},<br />
year = {2006},<br />
pages = {261-275},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3897},<br />
url = {http://dx.doi.org/10.1007/11693383_18},<br />
abstract = {SHA-1 uses a single set of rotation constants within the compression function. However, most other members of the MD4 family of hash functions use multiple sets of rotation constants, i.e. the rotation amounts change with the step being processed. To our knowledge, no design rationales on the choice of rotation constants are given on any of these hash functions. This is the first paper that analyzes rotations in iterated hash functions. We focus on SHA-1-like hash functions and use recent developments in the analysis of these hash functions to evaluate the security implications of using multiple sets of rotation constants in the compression function instead of a single set. Additionally, we give some observations on the set of constants used in SHA-0 and SHA-1.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@MISC{Wang2005NewCollisionSearch,<br />
author = {Xiaoyun Wang and Andrew Yao and Frances Yao},<br />
title = {New Collision Search for SHA-1},<br />
month = {August},<br />
year = {2005},<br />
howpublished = {Presented at rump session of CRYPTO 2005},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@MISC{Wang2005CryptanalysisOfSHA1,<br />
author = {Xiaoyun Wang and Andrew Yao and Frances Yao},<br />
title = {Cryptanalysis of SHA-1},<br />
howpublished = {Presented at the Cryptographic Hash Workshop hosted by NIST},<br />
month = {October},<br />
year = {2005},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{Wang2005FindingCollisionsin,<br />
author = {Xiaoyun Wang and Yiqun Lisa Yin and Hongbo Yu},<br />
title = {Finding Collisions in the Full SHA-1},<br />
booktitle = {Advances in Cryptology - CRYPTO 2005},<br />
year = {2005},<br />
editor = {Victor Shoup},<br />
volume = {3621},<br />
series = {LNCS},<br />
pages = {17--36},<br />
url = {http://dx.doi.org/10.1007/11535218_2},<br />
publisher = {Springer},<br />
abstract = {In this paper, we present new collision search attacks on the hash function SHA-1. We show that collisions of SHA-1 can be found with complexity less than 2<sup>69</sup> hash operations. This is the first attack on the full 80-step SHA-1 with complexity less than the 2<sup>80</sup> theoretical bound.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{Rijmen2005UpdateonSHA-1,<br />
author = {Vincent Rijmen and Elisabeth Oswald},<br />
title = {Update on SHA-1},<br />
booktitle = {CT-RSA 2005},<br />
year = {2005},<br />
editor = {Alfred Menezes},<br />
volume = {3376},<br />
series = {LNCS},<br />
pages = {58--71},<br />
publisher = {Springer},<br />
url = {http://dx.doi.org/10.1007/b105222},<br />
abstract = {We report on the experiments we performed in order to assess the security of SHA-1 against the attack by Chabaud and Joux [5]. We present some ideas for optimizations of the attack and some properties of the message expansion routine. Finally, we show that for a reduced version of SHA-1, with 53 rounds instead of 80, it is possible to find collisions in less than 2<sup>80</sup> operations.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{Biham2005CollisionsofSHA-0,<br />
author = {Eli Biham and Rafi Chen and Antoine Joux and Patrick Carribault and Christophe Lemuet and William Jalby},<br />
title = {Collisions of SHA-0 and Reduced SHA-1},<br />
booktitle = {Advances in Cryptology - EUROCRYPT 2005},<br />
year = {2005},<br />
editor = {Ronald Cramer},<br />
volume = {3494},<br />
series = {LNCS},<br />
pages = {36--57},<br />
publisher = {Springer},<br />
url = {http://dx.doi.org/10.1007/11426639_3},<br />
abstract = {In this paper we describe improvements to the techniques used to cryptanalyze SHA-0 and introduce the first results on SHA-1. The results include a generic multi-block technique that uses near-collisions in order to find collisions, and a four-block collision of SHA-0 found using this technique with complexity 2<sup>51</sup>. Then, extension of this and prior techniques are presented, that allow us to find collisions of reduced versions of SHA-1. We give collisions of variants with up to 40 rounds, and show the complexities of longer variants. These techniques show that collisions up to about 53-58 rounds can still be found faster than by birthday attacks.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Satoh2005HardwareArchitectureAnd,<br />
author = {Akashi Satoh},<br />
title = {Hardware Architecture and Cost Estimates for Breaking SHA-1.},<br />
booktitle = {ISC 2005},<br />
year = {2005},<br />
pages = {259-273},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3650},<br />
url = {http://dx.doi.org/10.1007/11556992_19},<br />
abstract = {The cryptanalysis of hash functions has advanced rapidly, and many hash functions have been broken one after another. The most popular hash function SHA-1 has not been broken yet, but the new collision search techniques proposed by Wang et al. reduced the computational complexity down to 2<sup>69</sup>, which is only 1/2,000 of the 2<sup>80</sup> operations needed for a birthday attack. The complexity is still too large even for today’s supercomputers, but no feasibility study of breaking SHA-1 using specialized hardware has been reported. The well known brute force attack on DES simply repeats the DES operation 2<sup>56</sup> times at a maximum, but the complexity of 2<sup>69</sup> hash operations to break SHA-1 does not mean 2<sup>69</sup> SHA-1 operations. Complex procedures using SHA-1 functions are required, and the total number of operations based on the probability of a collision occurrence is almost equivalent to the 2<sup>69</sup> SHA-1 operations. Therefore, we describe a procedure and propose an LSI architecture to find real collisions for SHA-1 in this paper. The hardware core was synthesized by using a 0.13-µm CMOS standard cell library, and its performances in speed, size, and power consumption were evaluated. A $10 million budget can build a custom hardware system that would consist of 303 personal computers with 16 circuit boards each, in which 32 SHA-1-breaking LSIs are mounted. Each LSI has 64 SHA-1 cores that can run in parallel. This system would find a real collision in 127 days.}<br />
}<br />
</bibtex><br />
<br />
=== Second Preimage Attacks ===<br />
* There exists a generic attack (works for all iterated hash functions). See ....<br />
----<br />
<br />
=== Preimage Attacks ===<br />
* We are not aware of any article regarding preimage attacks on SHA-1.<br />
----<br />
<br />
=== Others ===<br />
<br />
<bibtex><br />
@inproceedings{Yin2006Collision-ResistantUsageOf,<br />
author = {Michael Szydlo and Yiqun Lisa Yin},<br />
title = {Collision-Resistant Usage of MD5 and SHA-1 Via Message Preprocessing.},<br />
booktitle = {CT-RSA 2006},<br />
year = {2006},<br />
pages = {99-114},<br />
url = {http://dx.doi.org/10.1007/11605805_7},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3860},<br />
abstract = {A series of recent papers have demonstrated collision attacks on popularly used hash functions, including the widely deployed MD5 and SHA-1 algorithms. To assess this threat, the natural response has been to evaluate the extent to which various protocols actually depend on collision resistance for their security, and potentially schedule an upgrade to a stronger hash function. Other options involve altering the protocol in some way. This work suggests a different option. We present several simple message pre-processing techniques and show how the techniques can be combined with MD5 or SHA-1 so that applications are no longer vulnerable to the known collision attacks. For some applications, this may be a viable alternative to upgrading the hash function.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Saarinen2003CryptanalysisOfBlock,<br />
author = {Markku-Juhani Olavi Saarinen},<br />
title = {Cryptanalysis of Block Ciphers Based on SHA-1 and MD5.},<br />
booktitle = {FSE 2003},<br />
year = {2003},<br />
pages = {36-44},<br />
url = {http://springerlink.metapress.com/content/xu0qg98tg38gl7nf/?p=2664f1c23d3f433f9d3fd6a9a1350eda&pi=3},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {2887},<br />
abstract = {We cryptanalyse some block cipher proposals that are based on dedicated hash functions SHA-1 and MD5. We discuss a related-key attack against SHACAL-1 and present a method for finding "slid pairs" for it. We also present simple attacks against MDC-MD5 and the Kaliski-Robshaw block cipher.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Handschuh2001AnalysisOfSHA-1,<br />
author = {Helena Handschuh and Lars R. Knudsen and Matthew J. B. Robshaw},<br />
title = {Analysis of SHA-1 in Encryption Mode.},<br />
booktitle = {CT-RSA 2001},<br />
year = {2001},<br />
pages = {70-83},<br />
url = {http://link.springer.de/link/service/series/0558/bibs/2020/20200070.htm},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {2020},<br />
abstract = {This paper analyses the cryptographic hash function SHA-1 in encryption mode. A detailed analysis is given of the resistance of SHA-1 against the most powerful known attacks today. It is concluded that none of these attacks can be applied successfully in practice to SHA-1. Breaking SHA-1 in encryption mode requires either an unrealistic amount of computation time and known/chosen texts, or a major breakthrough in cryptanalysis. The original motivation for this analysis is to investigate a block cipher named SHACAL based on these principles. SHACAL has been submitted to the NESSIE call for cryptographic primitives.},<br />
}<br />
</bibtex><br />
----<br />
<br />
== Performance Evaluation / Implementation (HW and SW) ==<br />
<br />
<bibtex><br />
@inproceedings{DBLP:conf/asap/LeeCV06,<br />
author = {Yong Ki Lee and Herwin Chan and Ingrid Verbauwhede},<br />
title = {Throughput Optimized SHA-1 Architecture Using Unfolding Transformation.},<br />
booktitle = {ASAP 2006},<br />
year = {2006},<br />
pages = {354-359},<br />
url = {http://doi.ieeecomputersociety.org/10.1109/ASAP.2006.68},<br />
publisher = {IEEE Computer Society},<br />
isbn = {0-7695-2682-9},<br />
abstract = {In this paper, we analyze the theoretical delay bound of the SHA-1 algorithm and propose architectures to achieve high throughput hardware implementations which approach this bound. According to the results of FPGA implementations, 3,541 Mbps with a pipeline and 893 Mbps without a pipeline were achieved. Moreover, synthesis results using 0.18 µm CMOS technology showed that 10.4 Gbps with a pipeline and 3.1 Gbps without a pipeline can be achieved. These results are much faster than previously published results. The high throughputs are due to the unfolding transformation, which reduces the number of required cycles for one block hash. We reduced the required number of cycles to 12 cycles for a 512 bit block and showed that 12 cycles is optimal in our design.}<br />
}<br />
</bibtex><br />
<br />
== eHash Recommendation (optional) or eHash Opinion ==<br />
Something like: SHA-1 is considered to be broken. Do not incorporate SHA-1 into new applications any longer, and migrate existing ones to another hash function.</div>Nobbihttps://ehash.iaik.tugraz.at/index.php?title=SHA-1&diff=1554SHA-12006-10-23T12:24:36Z<p>Nobbi: /* Collision Attacks */</p>
<hr />
<div>== General ==<br />
<br />
* digest size: 160 bits<br />
* max. message length: < 2<sup>64</sup> bits<br />
* type: iterative hash function<br />
* compression function: 512-bit message block, 160-bit chaining variable<br />
* [http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf Specification: FIPS 180-2 Secure Hash Standard]<br />
<br />
== Cryptanalysis ==<br />
<br />
=== Best Known Results ===<br />
<br />
The best published collision attack on the full SHA-1 is by Wang, Yin and Yu (CRYPTO 2005). It has a complexity of less than 2<sup>69</sup> hash evaluations; an improvement to about 2<sup>63</sup> was announced by Wang, Yao and Yao at the CRYPTO 2005 rump session. The best collision example, a 64-step collision for SHA-1, was published by De Cannière and Rechberger.<br />
<br />
=== Collision Attacks ===<br />
<br />
<bibtex><br />
@INPROCEEDINGS{Pramstaller2005ExploitingCodingTheory,<br />
author = {Norbert Pramstaller and Christian Rechberger and Vincent Rijmen},<br />
title = {Exploiting Coding Theory for Collision Attacks on SHA-1},<br />
booktitle = {Cryptography and Coding 2005},<br />
year = {2005},<br />
editor = {Nigel P. Smart},<br />
volume = {3796},<br />
series = {LNCS},<br />
pages = {78-95},<br />
publisher = {Springer},<br />
url = {http://dx.doi.org/10.1007/11586821_7},<br />
abstract = {In this article we show that coding theory can be exploited efficiently for the cryptanalysis of hash functions. We will mainly focus on SHA-1. We present different linear codes that are used to find low-weight differences that lead to a collision. We extend existing approaches and include recent results in the cryptanalysis of hash functions. With our approach we are able to find differences with very low weight. Based on the weight of these differences we conjecture the complexity for a collision attack on the full SHA-1.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Pramstaller2005ImpactOfRotations,<br />
author = {Norbert Pramstaller and Christian Rechberger and Vincent Rijmen},<br />
title = {Impact of Rotations in SHA-1 and Related Hash Functions.},<br />
booktitle = {SAC 2005},<br />
year = {2006},<br />
pages = {261-275},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3897},<br />
url = {http://dx.doi.org/10.1007/11693383_18},<br />
abstract = {SHA-1 uses a single set of rotation constants within the compression function. However, most other members of the MD4 family of hash functions use multiple sets of rotation constants, i.e. the rotation amounts change with the step being processed. To our knowledge, no design rationales on the choice of rotation constants are given on any of these hash functions. This is the first paper that analyzes rotations in iterated hash functions. We focus on SHA-1-like hash functions and use recent developments in the analysis of these hash functions to evaluate the security implications of using multiple sets of rotation constants in the compression function instead of a single set. Additionally, we give some observations on the set of constants used in SHA-0 and SHA-1.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@MISC{Wang2005NewCollisionSearch,<br />
author = {Xiaoyun Wang and Andrew Yao and Frances Yao},<br />
title = {New Collision Search for SHA-1},<br />
month = {August},<br />
year = {2005},<br />
howpublished = {Presented at rump session of CRYPTO 2005},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@MISC{Wang2005CryptanalysisOfSHA1,<br />
author = {Xiaoyun Wang and Andrew Yao and Frances Yao},<br />
title = {Cryptanalysis of SHA-1},<br />
howpublished = {Presented at the Cryptographic Hash Workshop hosted by NIST},<br />
month = {October},<br />
year = {2005},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{Wang2005FindingCollisionsin,<br />
author = {Xiaoyun Wang and Yiqun Lisa Yin and Hongbo Yu},<br />
title = {Finding Collisions in the Full SHA-1},<br />
booktitle = {Advances in Cryptology - CRYPTO 2005},<br />
year = {2005},<br />
editor = {Victor Shoup},<br />
volume = {3621},<br />
series = {LNCS},<br />
pages = {17--36},<br />
url = {http://dx.doi.org/10.1007/11535218_2},<br />
publisher = {Springer},<br />
abstract = {In this paper, we present new collision search attacks on the hash function SHA-1. We show that collisions of SHA-1 can be found with complexity less than 2<sup>69</sup> hash operations. This is the first attack on the full 80-step SHA-1 with complexity less than the 2<sup>80</sup> theoretical bound.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{Rijmen2005UpdateonSHA-1,<br />
author = {Vincent Rijmen and Elisabeth Oswald},<br />
title = {Update on SHA-1},<br />
booktitle = {CT-RSA 2005},<br />
year = {2005},<br />
editor = {Alfred Menezes},<br />
volume = {3376},<br />
series = {LNCS},<br />
pages = {58--71},<br />
publisher = {Springer},<br />
url = {http://dx.doi.org/10.1007/b105222},<br />
abstract = {We report on the experiments we performed in order to assess the security of SHA-1 against the attack by Chabaud and Joux [5]. We present some ideas for optimizations of the attack and some properties of the message expansion routine. Finally, we show that for a reduced version of SHA-1, with 53 rounds instead of 80, it is possible to find collisions in less than 2<sup>80</sup> operations.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{Biham2005CollisionsofSHA-0,<br />
author = {Eli Biham and Rafi Chen and Antoine hirose and Patrick Carribault and Christophe Lemuet and William Jalby},<br />
title = {Collisions of SHA-0 and Reduced SHA-1},<br />
booktitle = {Advances in Cryptology - EUROCRYPT 2005},<br />
year = {2005},<br />
editor = {Ronald Cramer},<br />
volume = {3494},<br />
series = {LNCS},<br />
pages = {36--57},<br />
publisher = {Springer},<br />
url = {http://dx.doi.org/10.1007/11426639_3},<br />
abstract = {In this paper we describe improvements to the techniques used to cryptanalyze SHA-0 and introduce the first results on SHA-1. The results include a generic multi-block technique that uses near-collisions in order to find collisions, and a four-block collision of SHA-0 found using this technique with complexity 2<sup>51</sup>. Then, extension of this and prior techniques are presented, that allow us to find collisions of reduced versions of SHA-1. We give collisions of variants with up to 40 rounds, and show the complexities of longer variants. These techniques show that collisions up to about 53-58 rounds can still be found faster than by birthday attacks.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Satoh2005HardwareArchitectureAnd,<br />
author = {Akashi Satoh},<br />
title = {Hardware Architecture and Cost Estimates for Breaking SHA-1.},<br />
booktitle = {ISC 2005},<br />
year = {2005},<br />
pages = {259-273},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3650},<br />
url = {http://dx.doi.org/10.1007/11556992_19},<br />
abstract = {The cryptanalysis of hash functions has advanced rapidly, and many hash functions have been broken one after another. The most popular hash function SHA-1 has not been broken yet, but the new collision search techniques proposed by Wang et al. reduced the computational complexity down to 2<sup>69</sup>, which is only 1/2,000 of the 2<sup>80</sup> operations needed for a birthday attack. The complexity is still too large even for today’s supercomputers, but no feasibility study of breaking SHA-1 using specialized hardware has been reported. The well known brute force attack on DES simply repeats the DES operation 2<sup>56</sup> times at a maximum, but the complexity of 2<sup>69</sup> hash operations to break SHA-1 does not mean 2<sup>69</sup> SHA-1 operations. Complex procedures using SHA-1 functions are required, and the total number of operations based on the probability of a collision occurrence is almost equivalent to the 2<sup>69</sup> SHA-1 operations. Therefore, we describe a procedure and propose an LSI architecture to find real collisions for SHA-1 in this paper. The hardware core was synthesized by using a 0.13-µm CMOS standard cell library, and its performances in speed, size, and power consumption were evaluated. A $10 million budget can build a custom hardware system that would consist of 303 personal computers with 16 circuit boards each, in which 32 SHA-1-breaking LSIs are mounted. Each LSI has 64 SHA-1 cores that can run in parallel. This system would find a real collision in 127 days.}<br />
}<br />
</bibtex><br />
<br />
=== Second Preimage Attacks ===<br />
* There exists a generic attack (works for all iterated hash functions). See ....<br />
----<br />
<br />
=== Preimage Attacks ===<br />
* We are not aware of any article regarding preimage attacks on SHA-1.<br />
----<br />
<br />
=== Others ===<br />
Everything that does not fit into collision/(2nd) preimage attacks or implementation.<br />
----<br />
<br />
== Performance Evaluation / Implementation (HW and SW) ==<br />
<br />
<bibtex><br />
@inproceedings{DBLP:conf/asap/LeeCV06,<br />
author = {Yong Ki Lee and Herwin Chan and Ingrid Verbauwhede},<br />
title = {Throughput Optimized SHA-1 Architecture Using Unfolding Transformation.},<br />
booktitle = {ASAP 2006},<br />
year = {2006},<br />
pages = {354-359},<br />
url = {http://doi.ieeecomputersociety.org/10.1109/ASAP.2006.68},<br />
series = {IEEE Computer Society},<br />
isbn = {0-7695-2682-9},<br />
abstract = {In this paper, we analyze the theoretical delay bound of the SHA-1 algorithm and propose architectures to achieve high throughput hardware implementations which approach this bound. According to the results of FPGA implementations, 3,541 Mbps with a pipeline and 893 Mbps without a pipeline were achieved. Moreover, synthesis results using 0.18-µm CMOS technology showed that 10.4 Gbps with a pipeline and 3.1 Gbps without a pipeline can be achieved. These results are much faster than previously published results. The high throughputs are due to the unfolding transformation, which reduces the number of required cycles for one block hash. We reduced the required number of cycles to 12 cycles for a 512-bit block and showed that 12 cycles is optimal in our design.}<br />
}<br />
</bibtex><br />
<br />
== eHash Recommendation (optional) or eHash Opinion ==<br />
Something like: SHA-1 is considered to be broken. Please do not incorporate SHA-1 in new applications any longer. Try to migrate to another hash function.</div>Nobbihttps://ehash.iaik.tugraz.at/index.php?title=SHA-1&diff=1553SHA-12006-10-23T12:23:26Z<p>Nobbi: /* Collision Attacks */</p>
<hr />
<div>== General ==<br />
<br />
* digest size: 160 bits<br />
* max. message length: < 2<sup>64</sup> bits<br />
* type: iterative hash function<br />
* compression function: 512-bit message block, 160-bit chaining variable<br />
* [http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf Specification: FIPS 180-2 Secure Hash Standard]<br />
<br />
== Cryptanalysis ==<br />
<br />
=== Best Known Results ===<br />
<br />
The best collision attack on full SHA-1 was published by Wang et al. It has a complexity of 2<sup>69</sup> hash evaluations. The best collision example, a 64-step collision for SHA-1, was published by De Cannière and Rechberger.<br />
<br />
=== Collision Attacks ===<br />
<br />
<bibtex><br />
@INPROCEEDINGS{Pramstaller2005ExploitingCodingTheory,<br />
author = {Norbert Pramstaller and Christian Rechberger and Vincent Rijmen},<br />
title = {Exploiting Coding Theory for Collision Attacks on SHA-1},<br />
booktitle = {10th Cryptography and Coding 2005},<br />
year = {2005},<br />
editor = {Nigel P. Smart},<br />
volume = {3796},<br />
series = {LNCS},<br />
pages = {78-95},<br />
publisher = {Springer},<br />
url = {http://dx.doi.org/10.1007/11586821_7},<br />
abstract = {In this article we show that coding theory can be exploited efficiently for the cryptanalysis of hash functions. We will mainly focus on SHA-1. We present different linear codes that are used to find low-weight differences that lead to a collision. We extend existing approaches and include recent results in the cryptanalysis of hash functions. With our approach we are able to find differences with very low weight. Based on the weight of these differences we conjecture the complexity for a collision attack on the full SHA-1.}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Pramstaller2005ImpactOfRotations,<br />
author = {Norbert Pramstaller and Christian Rechberger and Vincent Rijmen},<br />
title = {Impact of Rotations in SHA-1 and Related Hash Functions.},<br />
booktitle = {SAC 2005},<br />
year = {2006},<br />
pages = {261-275},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3897},<br />
url = {http://dx.doi.org/10.1007/11693383_18},<br />
abstract = {SHA-1 uses a single set of rotation constants within the compression function. However, most other members of the MD4 family of hash functions use multiple sets of rotation constants, i.e. the rotation amounts change with the step being processed. To our knowledge, no design rationales on the choice of rotation constants are given on any of these hash functions. This is the first paper that analyzes rotations in iterated hash functions. We focus on SHA-1-like hash functions and use recent developments in the analysis of these hash functions to evaluate the security implications of using multiple sets of rotation constants in the compression function instead of a single set. Additionally, we give some observations on the set of constants used in SHA-0 and SHA-1.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@MISC{Wang2005NewCollisionSearch,<br />
author = {Xiaoyun Wang and Andrew Yao and Frances Yao},<br />
title = {{New Collision Search for SHA-1}},<br />
month = {August},<br />
year = {2005},<br />
note = {Presented at rump session of CRYPTO 2005},<br />
owner = {npramstaller},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@MISC{Wang2005CryptanalysisOfSHA1,<br />
author = {Xiaoyun Wang and Andrew Yao and Frances Yao},<br />
title = {{Cryptanalysis of SHA-1}},<br />
howpublished = {Presented at the Cryptographic Hash Workshop hosted by NIST},<br />
month = {October},<br />
year = {2005},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{Wang2005FindingCollisionsin,<br />
author = {Xiaoyun Wang and Yiqun Lisa Yin and Hongbo Yu},<br />
title = {{Finding Collisions in the Full SHA-1}},<br />
booktitle = {Advances in Cryptology - CRYPTO 2005},<br />
year = {2005},<br />
editor = {Victor Shoup},<br />
volume = {3621},<br />
series = {LNCS},<br />
pages = {17--36},<br />
url = {http://dx.doi.org/10.1007/11535218_2},<br />
publisher = {Springer},<br />
abstract = {In this paper, we present new collision search attacks on the hash function SHA-1. We show that collisions of SHA-1 can be found with complexity less than 2<sup>69</sup> hash operations. This is the first attack on the full 80-step SHA-1 with complexity less than the 2<sup>80</sup> theoretical bound.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{Rijmen2005UpdateonSHA-1,<br />
author = {Vincent Rijmen and Elisabeth Oswald},<br />
title = {Update on SHA-1},<br />
booktitle = {CT-RSA 2005},<br />
year = {2005},<br />
editor = {Alfred Menezes},<br />
volume = {3376},<br />
series = {LNCS},<br />
pages = {58--71},<br />
publisher = {Springer},<br />
url = {http://dx.doi.org/10.1007/b105222},<br />
abstract = {We report on the experiments we performed in order to assess the security of SHA-1 against the attack by Chabaud and Joux [5]. We present some ideas for optimizations of the attack and some properties of the message expansion routine. Finally, we show that for a reduced version of SHA-1, with 53 rounds instead of 80, it is possible to find collisions in less than 2<sup>80</sup> operations.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{Biham2005CollisionsofSHA-0,<br />
author = {Eli Biham and Rafi Chen and Antoine hirose and Patrick Carribault and Christophe Lemuet and William Jalby},<br />
title = {Collisions of SHA-0 and Reduced SHA-1},<br />
booktitle = {Advances in Cryptology - EUROCRYPT 2005},<br />
year = {2005},<br />
editor = {Ronald Cramer},<br />
volume = {3494},<br />
series = {LNCS},<br />
pages = {36--57},<br />
publisher = {Springer},<br />
url = {http://dx.doi.org/10.1007/11426639_3},<br />
abstract = {In this paper we describe improvements to the techniques used to cryptanalyze SHA-0 and introduce the first results on SHA-1. The results include a generic multi-block technique that uses near-collisions in order to find collisions, and a four-block collision of SHA-0 found using this technique with complexity 2<sup>51</sup>. Then, extension of this and prior techniques are presented, that allow us to find collisions of reduced versions of SHA-1. We give collisions of variants with up to 40 rounds, and show the complexities of longer variants. These techniques show that collisions up to about 53-58 rounds can still be found faster than by birthday attacks.},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@inproceedings{Satoh2005HardwareArchitectureAnd,<br />
author = {Akashi Satoh},<br />
title = {Hardware Architecture and Cost Estimates for Breaking SHA-1.},<br />
booktitle = {ISC 2005},<br />
year = {2005},<br />
pages = {259-273},<br />
publisher = {Springer},<br />
series = {LNCS},<br />
volume = {3650},<br />
url = {http://dx.doi.org/10.1007/11556992_19},<br />
abstract = {The cryptanalysis of hash functions has advanced rapidly, and many hash functions have been broken one after another. The most popular hash function SHA-1 has not been broken yet, but the new collision search techniques proposed by Wang et al. reduced the computational complexity down to 2<sup>69</sup>, which is only 1/2,000 of the 2<sup>80</sup> operations needed for a birthday attack. The complexity is still too large even for today’s supercomputers, but no feasibility study of breaking SHA-1 using specialized hardware has been reported. The well known brute force attack on DES simply repeats the DES operation 2<sup>56</sup> times at a maximum, but the complexity of 2<sup>69</sup> hash operations to break SHA-1 does not mean 2<sup>69</sup> SHA-1 operations. Complex procedures using SHA-1 functions are required, and the total number of operations based on the probability of a collision occurrence is almost equivalent to the 2<sup>69</sup> SHA-1 operations. Therefore, we describe a procedure and propose an LSI architecture to find real collisions for SHA-1 in this paper. The hardware core was synthesized by using a 0.13-µm CMOS standard cell library, and its performances in speed, size, and power consumption were evaluated. A $10 million budget can build a custom hardware system that would consist of 303 personal computers with 16 circuit boards each, in which 32 SHA-1-breaking LSIs are mounted. Each LSI has 64 SHA-1 cores that can run in parallel. This system would find a real collision in 127 days.}<br />
}<br />
</bibtex><br />
<br />
=== Second Preimage Attacks ===<br />
* There exists a generic attack (works for all iterated hash functions). See ....<br />
----<br />
<br />
=== Preimage Attacks ===<br />
* We are not aware of any article regarding preimage attacks on SHA-1.<br />
----<br />
<br />
=== Others ===<br />
Everything that does not fit into collision/(2nd) preimage attacks or implementation.<br />
----<br />
<br />
== Performance Evaluation / Implementation (HW and SW) ==<br />
<br />
<bibtex><br />
@inproceedings{DBLP:conf/asap/LeeCV06,<br />
author = {Yong Ki Lee and Herwin Chan and Ingrid Verbauwhede},<br />
title = {Throughput Optimized SHA-1 Architecture Using Unfolding Transformation.},<br />
booktitle = {ASAP 2006},<br />
year = {2006},<br />
pages = {354-359},<br />
url = {http://doi.ieeecomputersociety.org/10.1109/ASAP.2006.68},<br />
series = {IEEE Computer Society},<br />
isbn = {0-7695-2682-9},<br />
abstract = {In this paper, we analyze the theoretical delay bound of the SHA-1 algorithm and propose architectures to achieve high throughput hardware implementations which approach this bound. According to the results of FPGA implementations, 3,541 Mbps with a pipeline and 893 Mbps without a pipeline were achieved. Moreover, synthesis results using 0.18-µm CMOS technology showed that 10.4 Gbps with a pipeline and 3.1 Gbps without a pipeline can be achieved. These results are much faster than previously published results. The high throughputs are due to the unfolding transformation, which reduces the number of required cycles for one block hash. We reduced the required number of cycles to 12 cycles for a 512-bit block and showed that 12 cycles is optimal in our design.}<br />
}<br />
</bibtex><br />
<br />
== eHash Recommendation (optional) or eHash Opinion ==<br />
Something like: SHA-1 is considered to be broken. Please do not incorporate SHA-1 in new applications any longer. Try to migrate to another hash function.</div>Nobbihttps://ehash.iaik.tugraz.at/index.php?title=SHA-1&diff=1552SHA-12006-10-23T11:21:25Z<p>Nobbi: /* Cryptanalysis */</p>
<hr />
<div>== General ==<br />
<br />
* digest size: 160 bits<br />
* max. message length: < 2<sup>64</sup> bits<br />
* type: iterative hash function<br />
* compression function: 512-bit message block, 160-bit chaining variable<br />
* [http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf Specification: FIPS 180-2 Secure Hash Standard]<br />
<br />
== Cryptanalysis ==<br />
<br />
=== Best Known Results ===<br />
<br />
The best collision attack on full SHA-1 was published by Wang et al. It has a complexity of 2<sup>69</sup> hash evaluations. The best collision example, a 64-step collision for SHA-1, was published by De Cannière and Rechberger.<br />
<br />
=== Collision Attacks ===<br />
<br />
<bibtex><br />
@MISC{HATTORI2004Complexityofthe,<br />
author = {Mitsuhiro HATTORI and Shoichi HIROSE and Susumu YOSHIDA},<br />
title = {Complexity of the Collision and Near-Collision Attack on SHA-0 with Different Message Schedules},<br />
howpublished = {Cryptology ePrint Archive, Report 2004/325},<br />
year = {2004},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{2,<br />
author = {Daewan Han and Sangwoo Park and Seongtaek Chee},<br />
title = {Cryptanalysis of the Modified Version of the Hash Function Proposed at PKC'98.},<br />
booktitle = {Fast Software Encryption 2002},<br />
year = {2002},<br />
series = {LNCS},<br />
pages = {252-262},<br />
volume = {2365},<br />
publisher = {Springer},<br />
editor = {Joan Daemen and Vincent Rijmen},<br />
abstract = {This is the abstract of this paper}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@ARTICLE{Dobbertin1998CryptanalysisOfMD4,<br />
author = {Hans Dobbertin},<br />
title = {{Cryptanalysis Of MD4}},<br />
journal = {Journal of Cryptology},<br />
year = {1998},<br />
volume = {11},<br />
number = {4},<br />
pages = {253--271},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@BOOK{Menezes1997HandbookofApplied,<br />
title = {Handbook of Applied Cryptography},<br />
publisher = {CRC Press},<br />
year = {1997},<br />
author = {Alfred J. Menezes and Paul C. van Oorschot and Scott A. Vanstone},<br />
note = {Available online at \url{http://www.cacr.math.uwaterloo.ca/hac/}},<br />
}<br />
</bibtex><br />
<br />
Here I would list all papers that deal with SHA-1. We should also give the abstract and the bibtex entry for the corresponding paper. Additionally we should give our opinion about the attack described in the paper.<br />
----<br />
<br />
=== Second Preimage Attacks ===<br />
* There exists a generic attack (works for all iterated hash functions). See ....<br />
----<br />
<br />
=== Preimage Attacks ===<br />
* We are not aware of any article regarding preimage attacks on SHA-1.<br />
----<br />
<br />
=== Others ===<br />
Everything that does not fit into collision/(2nd) preimage attacks or implementation.<br />
----<br />
<br />
== Performance Evaluation / Implementation (HW and SW) ==<br />
<br />
<bibtex><br />
@inproceedings{DBLP:conf/asap/LeeCV06,<br />
author = {Yong Ki Lee and Herwin Chan and Ingrid Verbauwhede},<br />
title = {Throughput Optimized SHA-1 Architecture Using Unfolding Transformation.},<br />
booktitle = {ASAP 2006},<br />
year = {2006},<br />
pages = {354-359},<br />
url = {http://doi.ieeecomputersociety.org/10.1109/ASAP.2006.68},<br />
series = {IEEE Computer Society},<br />
isbn = {0-7695-2682-9},<br />
abstract = {In this paper, we analyze the theoretical delay bound of the SHA-1 algorithm and propose architectures to achieve high throughput hardware implementations which approach this bound. According to the results of FPGA implementations, 3,541 Mbps with a pipeline and 893 Mbps without a pipeline were achieved. Moreover, synthesis results using 0.18-µm CMOS technology showed that 10.4 Gbps with a pipeline and 3.1 Gbps without a pipeline can be achieved. These results are much faster than previously published results. The high throughputs are due to the unfolding transformation, which reduces the number of required cycles for one block hash. We reduced the required number of cycles to 12 cycles for a 512-bit block and showed that 12 cycles is optimal in our design.}<br />
}<br />
</bibtex><br />
<br />
== eHash Recommendation (optional) or eHash Opinion ==<br />
Something like: SHA-1 is considered to be broken. Please do not incorporate SHA-1 in new applications any longer. Try to migrate to another hash function.</div>Nobbihttps://ehash.iaik.tugraz.at/index.php?title=SHA-1&diff=1551SHA-12006-10-23T11:17:25Z<p>Nobbi: /* Best Known Results */</p>
<hr />
<div>== General ==<br />
<br />
* digest size: 160 bits<br />
* max. message length: < 2<sup>64</sup> bits<br />
* type: iterative hash function<br />
* compression function: 512-bit message block, 160-bit chaining variable<br />
* [http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf Specification: FIPS 180-2 Secure Hash Standard]<br />
<br />
== Cryptanalysis ==<br />
<br />
=== Best Known Results ===<br />
<br />
The best collision attack on full SHA-1 was published by Wang et al. It has a complexity of 2<sup>69</sup> hash evaluations. The best collision example, a 64-step collision for SHA-1, was published by De Cannière and Rechberger.<br />
<br />
=== Collision Attacks ===<br />
<br />
<bibtex><br />
@MISC{HATTORI2004Complexityofthe,<br />
author = {Mitsuhiro HATTORI and Shoichi HIROSE and Susumu YOSHIDA},<br />
title = {Complexity of the Collision and Near-Collision Attack on SHA-0 with Different Message Schedules},<br />
howpublished = {Cryptology ePrint Archive, Report 2004/325},<br />
year = {2004},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{2,<br />
author = {Daewan Han and Sangwoo Park and Seongtaek Chee},<br />
title = {Cryptanalysis of the Modified Version of the Hash Function Proposed at PKC'98.},<br />
booktitle = {Fast Software Encryption 2002},<br />
year = {2002},<br />
series = {LNCS},<br />
pages = {252-262},<br />
volume = {2365},<br />
publisher = {Springer},<br />
editor = {Joan Daemen and Vincent Rijmen},<br />
abstract = {This is the abstract of this paper}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@ARTICLE{Dobbertin1998CryptanalysisOfMD4,<br />
author = {Hans Dobbertin},<br />
title = {{Cryptanalysis Of MD4}},<br />
journal = {Journal of Cryptology},<br />
year = {1998},<br />
volume = {11},<br />
number = {4},<br />
pages = {253--271},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@BOOK{Menezes1997HandbookofApplied,<br />
title = {Handbook of Applied Cryptography},<br />
publisher = {CRC Press},<br />
year = {1997},<br />
author = {Alfred J. Menezes and Paul C. van Oorschot and Scott A. Vanstone},<br />
note = {Available online at \url{http://www.cacr.math.uwaterloo.ca/hac/}},<br />
}<br />
</bibtex><br />
<br />
Here I would list all papers that deal with SHA-1. We should also give the abstract and the bibtex entry for the corresponding paper. Additionally we should give our opinion about the attack described in the paper.<br />
----<br />
<br />
=== Second Preimage Attacks ===<br />
* There exists a generic attack (works for all iterated hash functions). See ....<br />
----<br />
<br />
=== Preimage Attacks ===<br />
* We are not aware of any article regarding preimage attacks on SHA-1.<br />
----<br />
<br />
== Performance Evaluation / Implementation (HW and SW) ==<br />
<br />
<bibtex><br />
@inproceedings{DBLP:conf/asap/LeeCV06,<br />
author = {Yong Ki Lee and Herwin Chan and Ingrid Verbauwhede},<br />
title = {Throughput Optimized SHA-1 Architecture Using Unfolding Transformation.},<br />
booktitle = {ASAP 2006},<br />
year = {2006},<br />
pages = {354-359},<br />
url = {http://doi.ieeecomputersociety.org/10.1109/ASAP.2006.68},<br />
series = {IEEE Computer Society},<br />
isbn = {0-7695-2682-9},<br />
abstract = {In this paper, we analyze the theoretical delay bound of the SHA-1 algorithm and propose architectures to achieve high throughput hardware implementations which approach this bound. According to the results of FPGA implementations, 3,541 Mbps with a pipeline and 893 Mbps without a pipeline were achieved. Moreover, synthesis results using 0.18-µm CMOS technology showed that 10.4 Gbps with a pipeline and 3.1 Gbps without a pipeline can be achieved. These results are much faster than previously published results. The high throughputs are due to the unfolding transformation, which reduces the number of required cycles for one block hash. We reduced the required number of cycles to 12 cycles for a 512-bit block and showed that 12 cycles is optimal in our design.}<br />
}<br />
</bibtex><br />
<br />
== eHash Recommendation (optional) or eHash Opinion ==<br />
Something like: SHA-1 is considered to be broken. Please do not incorporate SHA-1 in new applications any longer. Try to migrate to another hash function.</div>Nobbihttps://ehash.iaik.tugraz.at/index.php?title=SHA-1&diff=1550SHA-12006-10-23T10:04:22Z<p>Nobbi: /* Collision Attacks */</p>
<hr />
<div>== General ==<br />
<br />
* digest size: 160 bits<br />
* max. message length: < 2<sup>64</sup> bits<br />
* type: iterative hash function<br />
* compression function: 512-bit message block, 160-bit chaining variable<br />
* [http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf Specification: FIPS 180-2 Secure Hash Standard]<br />
<br />
== Cryptanalysis ==<br />
<br />
=== Best Known Results ===<br />
<br />
The best collision attack on full SHA-1 was published by Wang et al. It has a complexity of 2<sup>69</sup>. The best collision example for 64-step SHA-1 was published by De Cannière and Rechberger.<br />
<br />
=== Collision Attacks ===<br />
<br />
<bibtex><br />
@MISC{HATTORI2004Complexityofthe,<br />
author = {Mitsuhiro HATTORI and Shoichi HIROSE and Susumu YOSHIDA},<br />
title = {Complexity of the Collision and Near-Collision Attack on SHA-0 with Different Message Schedules},<br />
howpublished = {Cryptology ePrint Archive, Report 2004/325},<br />
year = {2004},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{2,<br />
author = {Daewan Han and Sangwoo Park and Seongtaek Chee},<br />
title = {Cryptanalysis of the Modified Version of the Hash Function Proposed at PKC'98.},<br />
booktitle = {Fast Software Encryption 2002},<br />
year = {2002},<br />
series = {LNCS},<br />
pages = {252-262},<br />
volume = {2365},<br />
publisher = {Springer},<br />
editor = {Joan Daemen and Vincent Rijmen},<br />
abstract = {This is the abstract of this paper}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@ARTICLE{Dobbertin1998CryptanalysisOfMD4,<br />
author = {Hans Dobbertin},<br />
title = {{Cryptanalysis Of MD4}},<br />
journal = {Journal of Cryptology},<br />
year = {1998},<br />
volume = {11},<br />
number = {4},<br />
pages = {253--271},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@BOOK{Menezes1997HandbookofApplied,<br />
title = {Handbook of Applied Cryptography},<br />
publisher = {CRC Press},<br />
year = {1997},<br />
author = {Alfred J. Menezes and Paul C. van Oorschot and Scott A. Vanstone},<br />
note = {Available online at \url{http://www.cacr.math.uwaterloo.ca/hac/}},<br />
}<br />
</bibtex><br />
<br />
Here I would list all papers that deal with SHA-1. We should also give the abstract and the bibtex entry for the corresponding paper. Additionally we should give our opinion about the attack described in the paper.<br />
----<br />
<br />
=== Second Preimage Attacks ===<br />
* There exists a generic attack (works for all iterated hash functions). See ....<br />
----<br />
<br />
=== Preimage Attacks ===<br />
* We are not aware of any article regarding preimage attacks on SHA-1.<br />
----<br />
<br />
== Performance Evaluation / Implementation (HW and SW) ==<br />
<br />
<bibtex><br />
@inproceedings{DBLP:conf/asap/LeeCV06,<br />
author = {Yong Ki Lee and Herwin Chan and Ingrid Verbauwhede},<br />
title = {Throughput Optimized SHA-1 Architecture Using Unfolding Transformation.},<br />
booktitle = {ASAP 2006},<br />
year = {2006},<br />
pages = {354-359},<br />
url = {http://doi.ieeecomputersociety.org/10.1109/ASAP.2006.68},<br />
series = {IEEE Computer Society},<br />
isbn = {0-7695-2682-9},<br />
abstract = {In this paper, we analyze the theoretical delay bound of the SHA-1 algorithm and propose architectures to achieve high throughput hardware implementations which approach this bound. According to the results of FPGA implementations, 3,541 Mbps with a pipeline and 893 Mbps without a pipeline were achieved. Moreover, synthesis results using 0.18-µm CMOS technology showed that 10.4 Gbps with a pipeline and 3.1 Gbps without a pipeline can be achieved. These results are much faster than previously published results. The high throughputs are due to the unfolding transformation, which reduces the number of required cycles for one block hash. We reduced the required number of cycles to 12 cycles for a 512-bit block and showed that 12 cycles is optimal in our design.}<br />
}<br />
</bibtex><br />
<br />
== eHash Recommendation (optional) or eHash Opinion ==<br />
Something like: SHA-1 is considered to be broken. Please do not incorporate SHA-1 in new applications any longer. Try to migrate to another hash function.</div>Nobbihttps://ehash.iaik.tugraz.at/index.php?title=SHA-1&diff=1549SHA-12006-10-23T10:03:58Z<p>Nobbi: /* Collision Attacks */</p>
<hr />
<div>== General ==<br />
<br />
* digest size: 160 bits<br />
* max. message length: < 2<sup>64</sup> bits<br />
* type: iterative hash function<br />
* compression function: 512-bit message block, 160-bit chaining variable<br />
* [http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf Specification: FIPS 180-2 Secure Hash Standard]<br />
<br />
== Cryptanalysis ==<br />
<br />
=== Best Known Results ===<br />
<br />
The best collision attack on full SHA-1 was published by Wang et al. It has a complexity of 2<sup>69</sup>. The best collision example for 64-step SHA-1 was published by De Cannière and Rechberger.<br />
<br />
=== Collision Attacks ===<br />
<br />
<bibtex><br />
@MISC{HATTORI2004Complexityofthe,<br />
author = {Mitsuhiro HATTORI and Shoichi HIROSE and Susumu YOSHIDA},<br />
title = {Complexity of the Collision and Near-Collision Attack on SHA-0 with Different Message Schedules},<br />
howpublished = {Cryptology ePrint Archive, Report 2004/325},<br />
year = {2004},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{2,<br />
author = {Daewan Han and Sangwoo Park and Seongtaek Chee},<br />
title = {Cryptanalysis of the Modified Version of the Hash Function Proposed at PKC'98.},<br />
booktitle = {Fast Software Encryption 2002},<br />
year = {2002},<br />
series = {LNCS},<br />
pages = {252-262},<br />
volume = {2365},<br />
publisher = {Springer},<br />
editor = {Joan Daemen and Vincent Rijmen},<br />
abstract = {This is the abstract of this paper}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@ARTICLE{Dobbertin1998CryptanalysisOfMD4,<br />
author = {Hans Dobbertin},<br />
title = {{Cryptanalysis Of MD4}},<br />
journal = {Journal of Cryptology},<br />
year = {1998},<br />
volume = {11},<br />
number = {4},<br />
pages = {253--271},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@BOOK{Menezes1997HandbookofApplied,<br />
title = {{Handbook of Applied Cryptography}},<br />
publisher = {CRC Press},<br />
year = {1997},<br />
author = {Alfred J. Menezes and Paul C. van Oorschot and Scott A. Vanstone},<br />
note = {Available online at \url{http://www.cacr.math.uwaterloo.ca/hac/}},<br />
}<br />
</bibtex><br />
<br />
Here I would list all papers that deal with SHA-1. We should also give the abstract and the bibtex entry for the corresponding paper. Additionally, we should give our opinion about the attack described in the paper.<br />
----<br />
<br />
=== Second Preimage Attacks ===<br />
* There exists a generic attack (works for all iterated hash functions). See ....<br />
----<br />
<br />
=== Preimage Attacks ===<br />
* We are not aware of any article regarding preimage attacks on SHA-1.<br />
----<br />
<br />
== Performance Evaluation / Implementation (HW and SW) ==<br />
<br />
<bibtex><br />
@inproceedings{DBLP:conf/asap/LeeCV06,<br />
author = {Yong Ki Lee and Herwin Chan and Ingrid Verbauwhede},<br />
title = {Throughput Optimized SHA-1 Architecture Using Unfolding Transformation.},<br />
booktitle = {ASAP 2006},<br />
year = {2006},<br />
pages = {354-359},<br />
url = {http://doi.ieeecomputersociety.org/10.1109/ASAP.2006.68},<br />
series = {IEEE Computer Society},<br />
isbn = {0-7695-2682-9},<br />
abstract = {In this paper, we analyze the theoretical delay bound of the SHA-1 algorithm and propose architectures to achieve high throughput hardware implementations which approach this bound. According to the results of FPGA implementations, 3,541 Mbps with a pipeline and 893 Mbps without a pipeline were achieved. Moreover, synthesis results using 0.18 µm CMOS technology showed that 10.4 Gbps with a pipeline and 3.1 Gbps without a pipeline can be achieved. These results are much faster than previously published results. The high throughputs are due to the unfolding transformation, which reduces the number of required cycles for one block hash. We reduced the required number of cycles to 12 cycles for a 512 bit block and showed that 12 cycles is the optimal in our design.}<br />
}<br />
</bibtex><br />
<br />
== eHash Recommendation (optional) or eHash Opinion ==<br />
Something like: SHA-1 is considered to be broken. Please do not incorporate SHA-1 in new applications any longer. Try to migrate to another hash function.</div>
Nobbi | https://ehash.iaik.tugraz.at/index.php?title=SHA-1&diff=1548 | SHA-1 | 2006-10-23T09:57:14Z
<p>Nobbi: /* Collision Attacks */</p>
<hr />
<div>== General ==<br />
<br />
* digest size: 160 bits<br />
* max. message length: < 2<sup>64</sup> bits<br />
* type: iterative hash function<br />
* compression function: 512-bit message block, 160-bit chaining variable<br />
* [http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf Specification: FIPS 180-2 Secure Hash Standard]<br />
<br />
== Cryptanalysis ==<br />
<br />
=== Best Known Results ===<br />
<br />
The best collision attack on full SHA-1 was published by Wang et al. It has a complexity of 2<sup>69</sup>. The best collision example for 64-step SHA-1 was published by De Cannière and Rechberger.<br />
<br />
=== Collision Attacks ===<br />
<br />
<bibtex><br />
@MISC{HATTORI2004Complexityofthe,<br />
author = {Mitsuhiro HATTORI and Shoichi HIROSE and Susumu YOSHIDA},<br />
title = {Complexity of the Collision and Near-Collision Attack on SHA-0 with Different Message Schedules},<br />
howpublished = {Cryptology ePrint Archive, Report 2004/325},<br />
year = {2004},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/},<br />
pdf = {Hattori2004ComplexityOfThe.pdf},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{2,<br />
author = {Daewan Han and Sangwoo Park and Seongtaek Chee},<br />
title = {Cryptanalysis of the Modified Version of the Hash Function Proposed at PKC'98.},<br />
booktitle = {Fast Software Encryption 2002},<br />
year = {2002},<br />
series = {LNCS},<br />
pages = {252-262},<br />
volume = {2365},<br />
publisher = {Springer},<br />
editor = {Joan Daemen and Vincent Rijmen},<br />
pdf = {test.pdf},<br />
abstract = {This is the abstract of this paper}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@ARTICLE{Dobbertin1998CryptanalysisOfMD4,<br />
author = {Hans Dobbertin},<br />
title = {{Cryptanalysis Of MD4}},<br />
journal = {Journal of Cryptology},<br />
year = {1998},<br />
volume = {11},<br />
number = {4},<br />
pages = {253--271},<br />
pdf = {Q:\pdf\Dobbertin1997CryptanalysisOfMD4.pdf},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@BOOK{Menezes1997HandbookofApplied,<br />
title = {{Handbook of Applied Cryptography}},<br />
publisher = {CRC Press},<br />
year = {1997},<br />
author = {Alfred J. Menezes and Paul C. van Oorschot and Scott A. Vanstone},<br />
note = {Available online at \url{http://www.cacr.math.uwaterloo.ca/hac/}},<br />
}<br />
</bibtex><br />
<br />
Here I would list all papers that deal with SHA-1. We should also give the abstract and the bibtex entry for the corresponding paper. Additionally, we should give our opinion about the attack described in the paper.<br />
----<br />
<br />
=== Second Preimage Attacks ===<br />
* There exists a generic attack (works for all iterated hash functions). See ....<br />
----<br />
<br />
=== Preimage Attacks ===<br />
* We are not aware of any article regarding preimage attacks on SHA-1.<br />
----<br />
<br />
== Performance Evaluation / Implementation (HW and SW) ==<br />
<br />
<bibtex><br />
@inproceedings{DBLP:conf/asap/LeeCV06,<br />
author = {Yong Ki Lee and Herwin Chan and Ingrid Verbauwhede},<br />
title = {Throughput Optimized SHA-1 Architecture Using Unfolding Transformation.},<br />
booktitle = {ASAP 2006},<br />
year = {2006},<br />
pages = {354-359},<br />
url = {http://doi.ieeecomputersociety.org/10.1109/ASAP.2006.68},<br />
series = {IEEE Computer Society},<br />
isbn = {0-7695-2682-9},<br />
abstract = {In this paper, we analyze the theoretical delay bound of the SHA-1 algorithm and propose architectures to achieve high throughput hardware implementations which approach this bound. According to the results of FPGA implementations, 3,541 Mbps with a pipeline and 893 Mbps without a pipeline were achieved. Moreover, synthesis results using 0.18 µm CMOS technology showed that 10.4 Gbps with a pipeline and 3.1 Gbps without a pipeline can be achieved. These results are much faster than previously published results. The high throughputs are due to the unfolding transformation, which reduces the number of required cycles for one block hash. We reduced the required number of cycles to 12 cycles for a 512 bit block and showed that 12 cycles is the optimal in our design.}<br />
}<br />
</bibtex><br />
<br />
== eHash Recommendation (optional) or eHash Opinion ==<br />
Something like: SHA-1 is considered to be broken. Please do not incorporate SHA-1 in new applications any longer. Try to migrate to another hash function.</div>
Nobbi | https://ehash.iaik.tugraz.at/index.php?title=The_eHash_Main_Page&diff=1547 | The eHash Main Page | 2006-10-23T09:54:11Z
<p>Nobbi: /* References and bibtex */</p>
<hr />
<div>== List of Hash Functions ==<br />
<br />
On this page you can find a collection of existing hash functions.<br />
<br />
[http://mediawiki.iaik.tugraz.at/index.php/HashFunctions Collection of Cryptographic Hash Functions]<br />
<br />
== Notation and Definition ==<br />
<br />
== Generic Attacks on Hash Functions ==<br />
<br />
== Some How Tos ==<br />
<br />
=== Working with maths and Tex ===<br />
<br />
We can write "normal" LaTeX equations by using the ''math'' class. For instance, the following code<br />
<br />
<blockquote style="background: white; border: 1px solid black; padding: 1em;"><pre><nowiki><br />
<math><br />
{\textbf x}_{t} = {\textbf f}({x}_{t-1},{u}_{t-1},{p}_{t-1})<br />
</math><br />
</nowiki></pre></blockquote><br />
<br />
is displayed as<br />
<br />
<math><br />
{\textbf x}_{t} = {\textbf f}({x}_{t-1},{u}_{t-1},{p}_{t-1})<br />
</math><br />
<br />
In order to use TeX commands from the amsmath package, we use the class ''amsmath''.<br />
Automated numbering of equations works within a single ''amsmath'' environment.<br />
The class amsmath uses the TeX template defined in<br />
/var/www/html/mediawiki/extensions/wikitex/wikitex.math.inc.tex<br />
<br />
I changed the template such that we can define global commands. The template looks like<br />
<br />
<blockquote style="background: white; border: 1px solid black; padding: 1em;"><pre><nowiki><br />
\documentclass[10pt]{article}<br />
\usepackage{amssymb,amsmath,amscd,concmath}<br />
% we can define whatever commands we would like to use for consistency.<br />
% of course we have to list these special commands somewhere (maybe we can use<br />
% a pop-up with editing help or something similar)<br />
% for instance:<br />
\newcommand{\rs}{\ensuremath{\gg}} %right shift >><br />
\newcommand{\ls}{\ensuremath{\ll}} %left shift <<<br />
\newcommand{\rr}{\ensuremath{\ggg}} %right rotate >>><br />
\newcommand{\lr}{\ensuremath{\lll}} %left rotate <<<<br />
\pagestyle{empty}<br />
\begin{document}<br />
%value%<br />
\end{document}<br />
</nowiki></pre></blockquote><br />
<br />
For instance:<br />
<br />
{| align="center" border="1" cellpadding="10" cellspacing="0" <br />
|-<br />
!code fragment <br />
!displayed equation<br />
|-<br />
|<br />
<pre><nowiki><br />
<amsmath><br />
\begin{equation}<br />
a = \sum_{i=0}^{n}{2^i}<br />
\end{equation}<br />
</amsmath><br />
</nowiki></pre><br />
|<br />
<amsmath><br />
\begin{equation}<br />
a = \sum_{i=0}^{n}{2^i}<br />
\end{equation}<br />
</amsmath><br />
|-<br />
! colspan="2" style="background:#ffdead;" | %value% in tex-template is \begin{equation}...\end{equation}<br />
|}<br />
<br />
<br />
<br />
If we start a new ''amsmath'' environment, then the equation numbering starts from counter=1 again. Starting a new ''amsmath'' environment:<br />
<br />
<amsmath><br />
\begin{equation}<br />
b = \sum_{i=0}^{n}{2^i}<br />
\end{equation}<br />
\begin{equation}<br />
a = \sum_{i=0}^{n}{2^i}<br />
\end{equation}<br />
\begin{eqnarray}<br />
a &\lr& b\\<br />
c &\rr& d\\<br />
e &\ls& f\\<br />
g &\rs& h<br />
\end{eqnarray}<br />
</amsmath><br />
<br />
As we see, both environments start with 1.<br />
<br />
'''Note: to refer to an equation we will have to use a wiki link ...'''<br />
<br />
If we use math inline then we have the following possibilities:<br />
<br />
* Best known attack: 2<sup>63</sup> by Wang et al. using HTML: <pre><nowiki>2<sup>63</sup></nowiki></pre><br />
* Best known attack: <amsmath>\begin{displaymath}2^{63}\end{displaymath}</amsmath> by Wang et al. using amsmath: <pre><nowiki><amsmath>\begin{displaymath}2^{63}\end{displaymath}</amsmath></nowiki></pre><br />
* Best known attack: <math>2^{63}</math> by Wang et al. using math: <pre><nowiki><math>2^{63}</math></nowiki></pre><br />
<br />
<br />
I think the first case looks best regarding the inline alignment. So I would suggest using HTML for powers.<br />
<br />
=== References and bibtex ===<br />
<br />
==== Misc ====<br />
<br />
<blockquote style="background: white; border: 1px solid black; padding: 1em;"><pre><nowiki><br />
<bibtex><br />
@MISC{HATTORI2004Complexityofthe,<br />
author = {Mitsuhiro HATTORI and Shoichi HIROSE and Susumu YOSHIDA},<br />
title = {Complexity of the Collision and Near-Collision Attack on SHA-0 with Different Message Schedules},<br />
howpublished = {Cryptology ePrint Archive, Report 2004/325},<br />
year = {2004},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/},<br />
}<br />
</bibtex><br />
</nowiki></pre></blockquote><br />
<br />
is displayed as:<br />
<br />
<bibtex><br />
@MISC{HATTORI2004Complexityofthe,<br />
author = {Mitsuhiro HATTORI and Shoichi HIROSE and Susumu YOSHIDA},<br />
title = {Complexity of the Collision and Near-Collision Attack on SHA-0 with Different Message Schedules},<br />
howpublished = {Cryptology ePrint Archive, Report 2004/325},<br />
year = {2004},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/},<br />
}<br />
</bibtex><br />
<br />
----<br />
==== InProceedings ====<br />
<br />
<br />
<blockquote style="background: white; border: 1px solid black; padding: 1em;"><pre><nowiki><br />
<bibtex><br />
@INPROCEEDINGS{2,<br />
author = {Daewan Han and Sangwoo Park and Seongtaek Chee},<br />
title = {Cryptanalysis of the Modified Version of the Hash Function Proposed at PKC'98.},<br />
booktitle = {Fast Software Encryption 2002},<br />
year = {2002},<br />
series = {LNCS},<br />
pages = {252-262},<br />
volume = {2365},<br />
publisher = {Springer},<br />
editor = {Joan Daemen and Vincent Rijmen},<br />
abstract = {This is the abstract of this paper}<br />
}<br />
</bibtex><br />
</nowiki></pre></blockquote><br />
<br />
is displayed as:<br />
<br />
<bibtex><br />
@INPROCEEDINGS{2,<br />
author = {Daewan Han and Sangwoo Park and Seongtaek Chee},<br />
title = {Cryptanalysis of the Modified Version of the Hash Function Proposed at PKC'98.},<br />
booktitle = {Fast Software Encryption 2002},<br />
year = {2002},<br />
series = {LNCS},<br />
pages = {252-262},<br />
volume = {2365},<br />
publisher = {Springer},<br />
editor = {Joan Daemen and Vincent Rijmen},<br />
abstract = {This is the abstract of this paper}<br />
}<br />
</bibtex><br />
<br />
<br />
----<br />
<br />
==== Article ====<br />
<br />
<blockquote style="background: white; border: 1px solid black; padding: 1em;"><pre><nowiki><br />
<bibtex><br />
@ARTICLE{3,<br />
author = {Hans Dobbertin},<br />
title = {Cryptanalysis Of MD4},<br />
journal = {Journal of Cryptology},<br />
year = {1998},<br />
volume = {11},<br />
number = {4},<br />
pages = {253--271},<br />
}<br />
</bibtex><br />
</nowiki></pre></blockquote><br />
<br />
is displayed as:<br />
<br />
<bibtex><br />
@ARTICLE{3,<br />
author = {Hans Dobbertin},<br />
title = {Cryptanalysis Of MD4},<br />
journal = {Journal of Cryptology},<br />
year = {1998},<br />
volume = {11},<br />
number = {4},<br />
pages = {253--271},<br />
}<br />
</bibtex><br />
<br />
----<br />
<br />
==== Book ====<br />
<br />
<blockquote style="background: white; border: 1px solid black; padding: 1em;"><pre><nowiki><br />
<bibtex><br />
@BOOK{4,<br />
title = {Handbook of Applied Cryptography},<br />
publisher = {CRC Press},<br />
year = {1997},<br />
author = {Alfred J. Menezes and Paul C. van Oorschot and Scott A. Vanstone},<br />
note = {Available online at \url{http://www.cacr.math.uwaterloo.ca/hac/}},<br />
}<br />
</bibtex><br />
</nowiki></pre></blockquote><br />
<br />
is displayed as:<br />
<br />
<bibtex><br />
@BOOK{4,<br />
title = {Handbook of Applied Cryptography},<br />
publisher = {CRC Press},<br />
year = {1997},<br />
author = {Alfred J. Menezes and Paul C. van Oorschot and Scott A. Vanstone},<br />
note = {Available online at \url{http://www.cacr.math.uwaterloo.ca/hac/}},<br />
}<br />
</bibtex><br />
<br />
----<br />
<br />
=== About different skins ===<br />
Every user can define his own skin. Nevertheless, it turns out that the skin influences the alignment of inline amsmath environments. If we use the standard skin, namely MonoBook (the default), then the alignment is pretty OK.<br />
<br />
Therefore, I suggest keeping this skin as the default.<br />
<br />
<br />
[http://mediawiki.iaik.tugraz.at/index.php/Testpage1 Testpage1]<br />
<br />
== Getting started ==<br />
<br />
* [http://www.mediawiki.org/wiki/Help:FAQ MediaWiki FAQ]<br />
* [http://mail.wikipedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list]<br />
<br />
<br />
----<br />
ECRYPT is a Network of Excellence within the Information Societies Technology (IST) Programme of the European Commission. The information on this web site is provided as is, and no guarantee or warranty is given or implied that the information is fit for any particular purpose. The user thereof uses the information at his or her sole risk and liability.<br />
----</div>
Nobbi | https://ehash.iaik.tugraz.at/index.php?title=The_eHash_Main_Page&diff=1546 | The eHash Main Page | 2006-10-23T09:52:16Z
<p>Nobbi: /* References and bibtex */</p>
<hr />
<div>== List of Hash Functions ==<br />
<br />
On this page you can find a collection of existing hash functions.<br />
<br />
[http://mediawiki.iaik.tugraz.at/index.php/HashFunctions Collection of Cryptographic Hash Functions]<br />
<br />
== Notation and Definition ==<br />
<br />
== Generic Attacks on Hash Functions ==<br />
<br />
== Some How Tos ==<br />
<br />
=== Working with maths and Tex ===<br />
<br />
We can write "normal" LaTeX equations by using the ''math'' class. For instance, the following code<br />
<br />
<blockquote style="background: white; border: 1px solid black; padding: 1em;"><pre><nowiki><br />
<math><br />
{\textbf x}_{t} = {\textbf f}({x}_{t-1},{u}_{t-1},{p}_{t-1})<br />
</math><br />
</nowiki></pre></blockquote><br />
<br />
is displayed as<br />
<br />
<math><br />
{\textbf x}_{t} = {\textbf f}({x}_{t-1},{u}_{t-1},{p}_{t-1})<br />
</math><br />
<br />
In order to use TeX commands from the amsmath package, we use the class ''amsmath''.<br />
Automated numbering of equations works within a single ''amsmath'' environment.<br />
The class amsmath uses the TeX template defined in<br />
/var/www/html/mediawiki/extensions/wikitex/wikitex.math.inc.tex<br />
<br />
I changed the template such that we can define global commands. The template looks like<br />
<br />
<blockquote style="background: white; border: 1px solid black; padding: 1em;"><pre><nowiki><br />
\documentclass[10pt]{article}<br />
\usepackage{amssymb,amsmath,amscd,concmath}<br />
% we can define whatever commands we would like to use for consistency.<br />
% of course we have to list these special commands somewhere (maybe we can use<br />
% a pop-up with editing help or something similar)<br />
% for instance:<br />
\newcommand{\rs}{\ensuremath{\gg}} %right shift >><br />
\newcommand{\ls}{\ensuremath{\ll}} %left shift <<<br />
\newcommand{\rr}{\ensuremath{\ggg}} %right rotate >>><br />
\newcommand{\lr}{\ensuremath{\lll}} %left rotate <<<<br />
\pagestyle{empty}<br />
\begin{document}<br />
%value%<br />
\end{document}<br />
</nowiki></pre></blockquote><br />
<br />
For instance:<br />
<br />
{| align="center" border="1" cellpadding="10" cellspacing="0" <br />
|-<br />
!code fragment <br />
!displayed equation<br />
|-<br />
|<br />
<pre><nowiki><br />
<amsmath><br />
\begin{equation}<br />
a = \sum_{i=0}^{n}{2^i}<br />
\end{equation}<br />
</amsmath><br />
</nowiki></pre><br />
|<br />
<amsmath><br />
\begin{equation}<br />
a = \sum_{i=0}^{n}{2^i}<br />
\end{equation}<br />
</amsmath><br />
|-<br />
! colspan="2" style="background:#ffdead;" | %value% in tex-template is \begin{equation}...\end{equation}<br />
|}<br />
<br />
<br />
<br />
If we start a new ''amsmath'' environment, then the equation numbering starts from counter=1 again. Starting a new ''amsmath'' environment:<br />
<br />
<amsmath><br />
\begin{equation}<br />
b = \sum_{i=0}^{n}{2^i}<br />
\end{equation}<br />
\begin{equation}<br />
a = \sum_{i=0}^{n}{2^i}<br />
\end{equation}<br />
\begin{eqnarray}<br />
a &\lr& b\\<br />
c &\rr& d\\<br />
e &\ls& f\\<br />
g &\rs& h<br />
\end{eqnarray}<br />
</amsmath><br />
<br />
As we see, both environments start with 1.<br />
<br />
'''Note: to refer to an equation we will have to use a wiki link ...'''<br />
<br />
If we use math inline then we have the following possibilities:<br />
<br />
* Best known attack: 2<sup>63</sup> by Wang et al. using HTML: <pre><nowiki>2<sup>63</sup></nowiki></pre><br />
* Best known attack: <amsmath>\begin{displaymath}2^{63}\end{displaymath}</amsmath> by Wang et al. using amsmath: <pre><nowiki><amsmath>\begin{displaymath}2^{63}\end{displaymath}</amsmath></nowiki></pre><br />
* Best known attack: <math>2^{63}</math> by Wang et al. using math: <pre><nowiki><math>2^{63}</math></nowiki></pre><br />
<br />
<br />
I think the first case looks best regarding the inline alignment. So I would suggest using HTML for powers.<br />
<br />
=== References and bibtex ===<br />
<br />
==== Misc ====<br />
<br />
<blockquote style="background: white; border: 1px solid black; padding: 1em;"><pre><nowiki><br />
<bibtex><br />
@MISC{HATTORI2004Complexityofthe,<br />
author = {Mitsuhiro HATTORI and Shoichi HIROSE and Susumu YOSHIDA},<br />
title = {Complexity of the Collision and Near-Collision Attack on SHA-0 with Different Message Schedules},<br />
howpublished = {Cryptology ePrint Archive, Report 2004/325},<br />
year = {2004},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/},<br />
}<br />
</bibtex><br />
</nowiki></pre></blockquote><br />
<br />
is displayed as:<br />
<br />
<bibtex><br />
@MISC{HATTORI2004Complexityofthe,<br />
author = {Mitsuhiro HATTORI and Shoichi HIROSE and Susumu YOSHIDA},<br />
title = {Complexity of the Collision and Near-Collision Attack on SHA-0 with Different Message Schedules},<br />
howpublished = {Cryptology ePrint Archive, Report 2004/325},<br />
year = {2004},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/},<br />
}<br />
</bibtex><br />
<br />
----<br />
==== InProceedings ====<br />
<br />
<br />
<blockquote style="background: white; border: 1px solid black; padding: 1em;"><pre><nowiki><br />
<bibtex><br />
@INPROCEEDINGS{2,<br />
author = {Daewan Han and Sangwoo Park and Seongtaek Chee},<br />
title = {Cryptanalysis of the Modified Version of the Hash Function Proposed at PKC'98.},<br />
booktitle = {Fast Software Encryption 2002},<br />
year = {2002},<br />
series = {LNCS},<br />
pages = {252-262},<br />
volume = {2365},<br />
publisher = {Springer},<br />
editor = {Joan Daemen and Vincent Rijmen},<br />
abstract = {This is the abstract of this paper}<br />
}<br />
</bibtex><br />
</nowiki></pre></blockquote><br />
<br />
is displayed as:<br />
<br />
<bibtex><br />
@INPROCEEDINGS{2,<br />
author = {Daewan Han and Sangwoo Park and Seongtaek Chee},<br />
title = {Cryptanalysis of the Modified Version of the Hash Function Proposed at PKC'98.},<br />
booktitle = {Fast Software Encryption 2002},<br />
year = {2002},<br />
series = {LNCS},<br />
pages = {252-262},<br />
volume = {2365},<br />
publisher = {Springer},<br />
editor = {Joan Daemen and Vincent Rijmen},<br />
abstract = {This is the abstract of this paper}<br />
}<br />
</bibtex><br />
<br />
<br />
----<br />
<br />
==== Article ====<br />
<br />
<blockquote style="background: white; border: 1px solid black; padding: 1em;"><pre><nowiki><br />
<bibtex><br />
@ARTICLE{3,<br />
author = {Hans Dobbertin},<br />
title = {{Cryptanalysis Of MD4}},<br />
journal = {Journal of Cryptology},<br />
year = {1998},<br />
volume = {11},<br />
number = {4},<br />
pages = {253--271},<br />
}<br />
</bibtex><br />
</nowiki></pre></blockquote><br />
<br />
is displayed as:<br />
<br />
<bibtex><br />
@ARTICLE{3,<br />
author = {Hans Dobbertin},<br />
title = {{Cryptanalysis Of MD4}},<br />
journal = {Journal of Cryptology},<br />
year = {1998},<br />
volume = {11},<br />
number = {4},<br />
pages = {253--271},<br />
}<br />
</bibtex><br />
<br />
----<br />
<br />
==== Book ====<br />
<br />
<blockquote style="background: white; border: 1px solid black; padding: 1em;"><pre><nowiki><br />
<bibtex><br />
@BOOK{4,<br />
title = {{Handbook of Applied Cryptography}},<br />
publisher = {CRC Press},<br />
year = {1997},<br />
author = {Alfred J. Menezes and Paul C. van Oorschot and Scott A. Vanstone},<br />
note = {Available online at \url{http://www.cacr.math.uwaterloo.ca/hac/}},<br />
}<br />
</bibtex><br />
</nowiki></pre></blockquote><br />
<br />
is displayed as:<br />
<br />
<bibtex><br />
@BOOK{4,<br />
title = {{Handbook of Applied Cryptography}},<br />
publisher = {CRC Press},<br />
year = {1997},<br />
author = {Alfred J. Menezes and Paul C. van Oorschot and Scott A. Vanstone},<br />
note = {Available online at \url{http://www.cacr.math.uwaterloo.ca/hac/}},<br />
}<br />
</bibtex><br />
<br />
----<br />
<br />
=== About different skins ===<br />
Every user can define his own skin. Nevertheless, it turns out that the skin influences the alignment of inline amsmath environments. If we use the standard skin, namely MonoBook (the default), then the alignment is pretty OK.<br />
<br />
Therefore, I suggest keeping this skin as the default.<br />
<br />
<br />
[http://mediawiki.iaik.tugraz.at/index.php/Testpage1 Testpage1]<br />
<br />
== Getting started ==<br />
<br />
* [http://www.mediawiki.org/wiki/Help:FAQ MediaWiki FAQ]<br />
* [http://mail.wikipedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list]<br />
<br />
<br />
----<br />
ECRYPT is a Network of Excellence within the Information Societies Technology (IST) Programme of the European Commission. The information on this web site is provided as is, and no guarantee or warranty is given or implied that the information is fit for any particular purpose. The user thereof uses the information at his or her sole risk and liability.<br />
----</div>
Nobbi | https://ehash.iaik.tugraz.at/index.php?title=The_eHash_Main_Page&diff=1545 | The eHash Main Page | 2006-10-23T09:51:35Z
<p>Nobbi: /* References and bibtex */</p>
<hr />
<div>== List of Hash Functions ==<br />
<br />
On this page you can find a collection of existing hash functions.<br />
<br />
[http://mediawiki.iaik.tugraz.at/index.php/HashFunctions Collection of Cryptographic Hash Functions]<br />
<br />
== Notation and Definition ==<br />
<br />
== Generic Attacks on Hash Functions ==<br />
<br />
== Some How Tos ==<br />
<br />
=== Working with maths and Tex ===<br />
<br />
We can write "normal" LaTeX equations by using the ''math'' class. For instance, the following code<br />
<br />
<blockquote style="background: white; border: 1px solid black; padding: 1em;"><pre><nowiki><br />
<math><br />
{\textbf x}_{t} = {\textbf f}({x}_{t-1},{u}_{t-1},{p}_{t-1})<br />
</math><br />
</nowiki></pre></blockquote><br />
<br />
is displayed as<br />
<br />
<math><br />
{\textbf x}_{t} = {\textbf f}({x}_{t-1},{u}_{t-1},{p}_{t-1})<br />
</math><br />
<br />
In order to use TeX commands from the amsmath package, we use the class ''amsmath''.<br />
Automated numbering of equations works within a single ''amsmath'' environment.<br />
The class amsmath uses the TeX template defined in<br />
/var/www/html/mediawiki/extensions/wikitex/wikitex.math.inc.tex<br />
<br />
I changed the template such that we can define global commands. The template looks like<br />
<br />
<blockquote style="background: white; border: 1px solid black; padding: 1em;"><pre><nowiki><br />
\documentclass[10pt]{article}<br />
\usepackage{amssymb,amsmath,amscd,concmath}<br />
% we can define whatever commands we would like to use for consistency.<br />
% of course we have to list these special commands somewhere (maybe we can use<br />
% a pop-up with editing help or something similar)<br />
% for instance:<br />
\newcommand{\rs}{\ensuremath{\gg}} %right shift >><br />
\newcommand{\ls}{\ensuremath{\ll}} %left shift <<<br />
\newcommand{\rr}{\ensuremath{\ggg}} %right rotate >>><br />
\newcommand{\lr}{\ensuremath{\lll}} %left rotate <<<<br />
\pagestyle{empty}<br />
\begin{document}<br />
%value%<br />
\end{document}<br />
</nowiki></pre></blockquote><br />
<br />
For instance:<br />
<br />
{| align="center" border="1" cellpadding="10" cellspacing="0" <br />
|-<br />
!code fragment <br />
!displayed equation<br />
|-<br />
|<br />
<pre><nowiki><br />
<amsmath><br />
\begin{equation}<br />
a = \sum_{i=0}^{n}{2^i}<br />
\end{equation}<br />
</amsmath><br />
</nowiki></pre><br />
|<br />
<amsmath><br />
\begin{equation}<br />
a = \sum_{i=0}^{n}{2^i}<br />
\end{equation}<br />
</amsmath><br />
|-<br />
! colspan="2" style="background:#ffdead;" | %value% in tex-template is \begin{equation}...\end{equation}<br />
|}<br />
<br />
<br />
<br />
If we start a new ''amsmath'' environment, then the equation numbering starts from counter=1 again. Starting a new ''amsmath'' environment:<br />
<br />
<amsmath><br />
\begin{equation}<br />
b = \sum_{i=0}^{n}{2^i}<br />
\end{equation}<br />
\begin{equation}<br />
a = \sum_{i=0}^{n}{2^i}<br />
\end{equation}<br />
\begin{eqnarray}<br />
a &\lr& b\\<br />
c &\rr& d\\<br />
e &\ls& f\\<br />
g &\rs& h<br />
\end{eqnarray}<br />
</amsmath><br />
<br />
As we see, both environments start with 1.<br />
<br />
'''Note: to refer to an equation we will have to use a wiki link ...'''<br />
<br />
If we use math inline then we have the following possibilities:<br />
<br />
* Best known attack: 2<sup>63</sup> by Wang et al. using HTML: <pre><nowiki>2<sup>63</sup></nowiki></pre><br />
* Best known attack: <amsmath>\begin{displaymath}2^{63}\end{displaymath}</amsmath> by Wang et al. using amsmath: <pre><nowiki><amsmath>\begin{displaymath}2^{63}\end{displaymath}</amsmath></nowiki></pre><br />
* Best known attack: <math>2^{63}</math> by Wang et al. using math: <pre><nowiki><math>2^{63}</math></nowiki></pre><br />
<br />
<br />
I think the first case looks best regarding the inline alignment. So I would suggest using HTML for powers.<br />
<br />
=== References and bibtex ===<br />
<br />
==== Misc ====<br />
<br />
<blockquote style="background: white; border: 1px solid black; padding: 1em;"><pre><nowiki><br />
<bibtex><br />
@MISC{HATTORI2004Complexityofthe,<br />
author = {Mitsuhiro HATTORI and Shoichi HIROSE and Susumu YOSHIDA},<br />
title = {Complexity of the Collision and Near-Collision Attack on SHA-0 with Different Message Schedules},<br />
howpublished = {Cryptology ePrint Archive, Report 2004/325},<br />
year = {2004},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/},<br />
}<br />
</bibtex><br />
</nowiki></pre></blockquote><br />
<br />
will be displayed as:<br />
<br />
<bibtex><br />
@MISC{HATTORI2004Complexityofthe,<br />
author = {Mitsuhiro HATTORI and Shoichi HIROSE and Susumu YOSHIDA},<br />
title = {Complexity of the Collision and Near-Collision Attack on SHA-0 with Different Message Schedules},<br />
howpublished = {Cryptology ePrint Archive, Report 2004/325},<br />
year = {2004},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/},<br />
}<br />
</bibtex><br />
<br />
----<br />
==== InProceedings ====<br />
<br />
<br />
<blockquote style="background: white; border: 1px solid black; padding: 1em;"><pre><nowiki><br />
<bibtex><br />
@INPROCEEDINGS{2,<br />
author = {Daewan Han and Sangwoo Park and Seongtaek Chee},<br />
title = {Cryptanalysis of the Modified Version of the Hash Function Proposed at PKC'98.},<br />
booktitle = {Fast Software Encryption 2002},<br />
year = {2002},<br />
series = {LNCS},<br />
pages = {252-262},<br />
volume = {2365},<br />
publisher = {Springer},<br />
editor = {Joan Daemen and Vincent Rijmen},<br />
abstract = {This is the abstract of this paper}<br />
}<br />
</bibtex><br />
</nowiki></pre></blockquote><br />
<br />
will be displayed as:<br />
<br />
<bibtex><br />
@INPROCEEDINGS{2,<br />
author = {Daewan Han and Sangwoo Park and Seongtaek Chee},<br />
title = {Cryptanalysis of the Modified Version of the Hash Function Proposed at PKC'98.},<br />
booktitle = {Fast Software Encryption 2002},<br />
year = {2002},<br />
series = {LNCS},<br />
pages = {252-262},<br />
volume = {2365},<br />
publisher = {Springer},<br />
editor = {Joan Daemen and Vincent Rijmen},<br />
abstract = {This is the abstract of this paper}<br />
}<br />
</bibtex><br />
<br />
<br />
----<br />
<br />
==== Article ====<br />
<br />
<blockquote style="background: white; border: 1px solid black; padding: 1em;"><pre><nowiki><br />
<bibtex><br />
@ARTICLE{3,<br />
author = {Hans Dobbertin},<br />
title = {{Cryptanalysis Of MD4}},<br />
journal = {Journal of Cryptology},<br />
year = {1998},<br />
volume = {11},<br />
number = {4},<br />
pages = {253--271},<br />
}<br />
</bibtex><br />
</nowiki></pre></blockquote><br />
<br />
will be displayed as:<br />
<br />
<bibtex><br />
@ARTICLE{3,<br />
author = {Hans Dobbertin},<br />
title = {{Cryptanalysis Of MD4}},<br />
journal = {Journal of Cryptology},<br />
year = {1998},<br />
volume = {11},<br />
number = {4},<br />
pages = {253--271},<br />
}<br />
</bibtex><br />
<br />
----<br />
<br />
==== Book ====<br />
<br />
<blockquote style="background: white; border: 1px solid black; padding: 1em;"><pre><nowiki><br />
<bibtex><br />
@BOOK{4,<br />
title = {{Handbook of Applied Cryptography}},<br />
publisher = {CRC Press},<br />
year = {1997},<br />
author = {Alfred J. Menezes and Paul C. van Oorschot and Scott A. Vanstone},<br />
note = {Available online at \url{http://www.cacr.math.uwaterloo.ca/hac/}},<br />
}<br />
</bibtex><br />
</nowiki></pre></blockquote><br />
<br />
will be displayed as:<br />
<br />
<bibtex><br />
@BOOK{4,<br />
title = {{Handbook of Applied Cryptography}},<br />
publisher = {CRC Press},<br />
year = {1997},<br />
author = {Alfred J. Menezes and Paul C. van Oorschot and Scott A. Vanstone},<br />
note = {Available online at \url{http://www.cacr.math.uwaterloo.ca/hac/}},<br />
}<br />
</bibtex><br />
<br />
----<br />
<br />
=== About different skins ===<br />
Every user can define his own skin. Nevertheless, it turns out that the skin influences the alignment of inline amsmath environments. If we use the standard skin, namely MonoBook (default), then the alignment is pretty ok.<br />
<br />
Therefore, I suggest keeping this skin as default.<br />
<br />
<br />
[http://mediawiki.iaik.tugraz.at/index.php/Testpage1 Testpage1]<br />
<br />
== Getting started ==<br />
<br />
* [http://www.mediawiki.org/wiki/Help:FAQ MediaWiki FAQ]<br />
* [http://mail.wikipedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list]<br />
<br />
<br />
----<br />
ECRYPT is a Network of Excellence within the Information Societies Technology (IST) Programme of the European Commission. The information on this web site is provided as is, and no guarantee or warranty is given or implied that the information is fit for any particular purpose. The user thereof uses the information at his or her sole risk and liability.<br />
----</div>Nobbihttps://ehash.iaik.tugraz.at/index.php?title=The_eHash_Main_Page&diff=1544The eHash Main Page2006-10-23T09:49:31Z<p>Nobbi: /* References and bibtex */</p>
<hr />
<div>== List of Hash Functions ==<br />
<br />
On this page you can find a collection of existing hash functions.<br />
<br />
[http://mediawiki.iaik.tugraz.at/index.php/HashFunctions Collection of Cryptographic Hash Functions]<br />
<br />
== Notation and Definition ==<br />
<br />
== Generic Attacks on Hash Functions ==<br />
<br />
== Some How Tos ==<br />
<br />
=== Working with maths and Tex ===<br />
<br />
We can write "normal" LaTeX equations by using the ''math'' class. For instance, the following code<br />
<br />
<blockquote style="background: white; border: 1px solid black; padding: 1em;"><pre><nowiki><br />
<math><br />
{\textbf x}_{t} = {\textbf f}({x}_{t-1},{u}_{t-1},{p}_{t-1})<br />
</math><br />
</nowiki></pre></blockquote><br />
<br />
is displayed as<br />
<br />
<math><br />
{\textbf x}_{t} = {\textbf f}({x}_{t-1},{u}_{t-1},{p}_{t-1})<br />
</math><br />
<br />
In order to use tex commands from the amsmath package we use the class ''amsmath''. <br />
Automated numbering of equations works within a single ''amsmath'' environment.<br />
The class amsmath uses the tex template defined in<br />
/var/www/html/mediawiki/extensions/wikitex/wikitex.math.inc.tex<br />
<br />
I changed the template such that we can define global commands. The template looks like<br />
<br />
<blockquote style="background: white; border: 1px solid black; padding: 1em;"><pre><nowiki><br />
\documentclass[10pt]{article}<br />
\usepackage{amssymb,amsmath,amscd,concmath}<br />
% we can define whatever commands we would like to use for consistency.<br />
% of course we have to list these special commands somewhere (maybe we can use<br />
% a pop-up with editing help or something similar)<br />
% for instance:<br />
\newcommand{\rs}{\ensuremath{\gg}} %right shift >><br />
\newcommand{\ls}{\ensuremath{\ll}} %left shift <<<br />
\newcommand{\rr}{\ensuremath{\ggg}} %right rotate >>><br />
\newcommand{\lr}{\ensuremath{\lll}} %left rotate <<<<br />
\pagestyle{empty}<br />
\begin{document}<br />
%value%<br />
\end{document}<br />
</nowiki></pre></blockquote><br />
<br />
For instance:<br />
<br />
{| align="center" border="1" cellpadding="10" cellspacing="0" <br />
|-<br />
!code fragment <br />
!displayed equation<br />
|-<br />
|<br />
<pre><nowiki><br />
<amsmath><br />
\begin{equation}<br />
a = \sum_{i=0}^{n}{2^i}<br />
\end{equation}<br />
</amsmath><br />
</nowiki></pre><br />
|<br />
<amsmath><br />
\begin{equation}<br />
a = \sum_{i=0}^{n}{2^i}<br />
\end{equation}<br />
</amsmath><br />
|-<br />
! colspan="2" style="background:#ffdead;" | %value% in tex-template is \begin{equation}...\end{equation}<br />
|}<br />
<br />
<br />
<br />
If we start a new ''amsmath'' environment then the equation numbering starts from counter=1 again. Start a new ''amsmath'' environment:<br />
<br />
<amsmath><br />
\begin{equation}<br />
b = \sum_{i=0}^{n}{2^i}<br />
\end{equation}<br />
\begin{equation}<br />
a = \sum_{i=0}^{n}{2^i}<br />
\end{equation}<br />
\begin{eqnarray}<br />
a &\lr& b\\<br />
c &\rr& d\\<br />
e &\ls& f\\<br />
g &\rs& h<br />
\end{eqnarray}<br />
</amsmath><br />
<br />
As we see, both environments start with 1.<br />
<br />
'''Note: to refer to an equation we will have to use a wiki link ...'''<br />
<br />
If we use math inline then we have the following possibilities:<br />
<br />
* Best known attack: 2<sup>63</sup> by Wang et al. using html: <pre><nowiki>2<sup>63</sup></nowiki></pre><br />
* Best known attack: <amsmath>\begin{displaymath}2^{63}\end{displaymath}</amsmath> by Wang et al. using amsmath: <pre><nowiki><amsmath>\begin{displaymath}2^{63}\end{displaymath}</amsmath></nowiki></pre><br />
* Best known attack: <math>2^{63}</math> by Wang et al. using math: <pre><nowiki><math>2^{63}</math></nowiki></pre><br />
<br />
<br />
I think the first case looks best regarding the inline alignment. So I would suggest using html for powers.<br />
<br />
=== References and bibtex ===<br />
<br />
<blockquote style="background: white; border: 1px solid black; padding: 1em;"><pre><nowiki><br />
<bibtex><br />
@MISC{HATTORI2004Complexityofthe,<br />
author = {Mitsuhiro HATTORI and Shoichi HIROSE and Susumu YOSHIDA},<br />
title = {Complexity of the Collision and Near-Collision Attack on SHA-0 with Different Message Schedules},<br />
howpublished = {Cryptology ePrint Archive, Report 2004/325},<br />
year = {2004},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/},<br />
pdf = {Q:\pdf\Hattori2004ComplexityOfThe.pdf},<br />
}<br />
</bibtex><br />
</nowiki></pre></blockquote><br />
<br />
will be displayed as:<br />
<br />
<bibtex><br />
@MISC{HATTORI2004Complexityofthe,<br />
author = {Mitsuhiro HATTORI and Shoichi HIROSE and Susumu YOSHIDA},<br />
title = {Complexity of the Collision and Near-Collision Attack on SHA-0 with Different Message Schedules},<br />
howpublished = {Cryptology ePrint Archive, Report 2004/325},<br />
year = {2004},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/},<br />
pdf = {Q:\pdf\Hattori2004ComplexityOfThe.pdf},<br />
}<br />
</bibtex><br />
<br />
----<br />
<br />
<blockquote style="background: white; border: 1px solid black; padding: 1em;"><pre><nowiki><br />
<bibtex><br />
@INPROCEEDINGS{2,<br />
author = {Daewan Han and Sangwoo Park and Seongtaek Chee},<br />
title = {Cryptanalysis of the Modified Version of the Hash Function Proposed at PKC'98.},<br />
booktitle = {Fast Software Encryption 2002},<br />
year = {2002},<br />
series = {LNCS},<br />
pages = {252-262},<br />
volume = {2365},<br />
publisher = {Springer},<br />
editor = {Joan Daemen and Vincent Rijmen},<br />
pdf = {/test.pdf},<br />
abstract = {This is the abstract of this paper}<br />
}<br />
</bibtex><br />
</nowiki></pre></blockquote><br />
<br />
will be displayed as:<br />
<br />
<bibtex><br />
@INPROCEEDINGS{2,<br />
author = {Daewan Han and Sangwoo Park and Seongtaek Chee},<br />
title = {Cryptanalysis of the Modified Version of the Hash Function Proposed at PKC'98.},<br />
booktitle = {Fast Software Encryption 2002},<br />
year = {2002},<br />
series = {LNCS},<br />
pages = {252-262},<br />
volume = {2365},<br />
publisher = {Springer},<br />
editor = {Joan Daemen and Vincent Rijmen},<br />
pdf = {/test.pdf},<br />
abstract = {This is the abstract of this paper}<br />
}<br />
</bibtex><br />
<br />
<br />
----<br />
<br />
<br />
<blockquote style="background: white; border: 1px solid black; padding: 1em;"><pre><nowiki><br />
<bibtex><br />
@ARTICLE{3,<br />
author = {Hans Dobbertin},<br />
title = {{Cryptanalysis Of MD4}},<br />
journal = {Journal of Cryptology},<br />
year = {1998},<br />
volume = {11},<br />
number = {4},<br />
pages = {253--271},<br />
pdf = {Q:\pdf\Dobbertin1997CryptanalysisOfMD4.pdf},<br />
}<br />
</bibtex><br />
</nowiki></pre></blockquote><br />
<br />
will be displayed as:<br />
<br />
<bibtex><br />
@ARTICLE{3,<br />
author = {Hans Dobbertin},<br />
title = {{Cryptanalysis Of MD4}},<br />
journal = {Journal of Cryptology},<br />
year = {1998},<br />
volume = {11},<br />
number = {4},<br />
pages = {253--271},<br />
pdf = {Q:\pdf\Dobbertin1997CryptanalysisOfMD4.pdf},<br />
}<br />
</bibtex><br />
<br />
----<br />
<br />
<blockquote style="background: white; border: 1px solid black; padding: 1em;"><pre><nowiki><br />
<bibtex><br />
@BOOK{4,<br />
title = {{Handbook of Applied Cryptography}},<br />
publisher = {CRC Press},<br />
year = {1997},<br />
author = {Alfred J. Menezes and Paul C. van Oorschot and Scott A. Vanstone},<br />
note = {Available online at \url{http://www.cacr.math.uwaterloo.ca/hac/}},<br />
}<br />
</bibtex><br />
</nowiki></pre></blockquote><br />
<br />
will be displayed as:<br />
<br />
<bibtex><br />
@BOOK{4,<br />
title = {{Handbook of Applied Cryptography}},<br />
publisher = {CRC Press},<br />
year = {1997},<br />
author = {Alfred J. Menezes and Paul C. van Oorschot and Scott A. Vanstone},<br />
note = {Available online at \url{http://www.cacr.math.uwaterloo.ca/hac/}},<br />
}<br />
</bibtex><br />
<br />
----<br />
<br />
=== About different skins ===<br />
Every user can define his own skin. Nevertheless, it turns out that the skin influences the alignment of inline amsmath environments. If we use the standard skin, namely MonoBook (default), then the alignment is pretty ok.<br />
<br />
Therefore, I suggest keeping this skin as default.<br />
<br />
<br />
[http://mediawiki.iaik.tugraz.at/index.php/Testpage1 Testpage1]<br />
<br />
== Getting started ==<br />
<br />
* [http://www.mediawiki.org/wiki/Help:FAQ MediaWiki FAQ]<br />
* [http://mail.wikipedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list]<br />
<br />
<br />
----</div>Nobbihttps://ehash.iaik.tugraz.at/index.php?title=The_eHash_Main_Page&diff=1543The eHash Main Page2006-10-23T09:44:08Z<p>Nobbi: /* References and bibtex */</p>
<hr />
<div>== List of Hash Functions ==<br />
<br />
On this page you can find a collection of existing hash functions.<br />
<br />
[http://mediawiki.iaik.tugraz.at/index.php/HashFunctions Collection of Cryptographic Hash Functions]<br />
<br />
== Notation and Definition ==<br />
<br />
== Generic Attacks on Hash Functions ==<br />
<br />
== Some How Tos ==<br />
<br />
=== Working with maths and Tex ===<br />
<br />
We can write "normal" LaTeX equations by using the ''math'' class. For instance, the following code<br />
<br />
<blockquote style="background: white; border: 1px solid black; padding: 1em;"><pre><nowiki><br />
<math><br />
{\textbf x}_{t} = {\textbf f}({x}_{t-1},{u}_{t-1},{p}_{t-1})<br />
</math><br />
</nowiki></pre></blockquote><br />
<br />
is displayed as<br />
<br />
<math><br />
{\textbf x}_{t} = {\textbf f}({x}_{t-1},{u}_{t-1},{p}_{t-1})<br />
</math><br />
<br />
In order to use tex commands from the amsmath package we use the class ''amsmath''. <br />
Automated numbering of equations works within a single ''amsmath'' environment.<br />
The class amsmath uses the tex template defined in<br />
/var/www/html/mediawiki/extensions/wikitex/wikitex.math.inc.tex<br />
<br />
I changed the template such that we can define global commands. The template looks like<br />
<br />
<blockquote style="background: white; border: 1px solid black; padding: 1em;"><pre><nowiki><br />
\documentclass[10pt]{article}<br />
\usepackage{amssymb,amsmath,amscd,concmath}<br />
% we can define whatever commands we would like to use for consistency.<br />
% of course we have to list these special commands somewhere (maybe we can use<br />
% a pop-up with editing help or something similar)<br />
% for instance:<br />
\newcommand{\rs}{\ensuremath{\gg}} %right shift >><br />
\newcommand{\ls}{\ensuremath{\ll}} %left shift <<<br />
\newcommand{\rr}{\ensuremath{\ggg}} %right rotate >>><br />
\newcommand{\lr}{\ensuremath{\lll}} %left rotate <<<<br />
\pagestyle{empty}<br />
\begin{document}<br />
%value%<br />
\end{document}<br />
</nowiki></pre></blockquote><br />
<br />
For instance:<br />
<br />
{| align="center" border="1" cellpadding="10" cellspacing="0" <br />
|-<br />
!code fragment <br />
!displayed equation<br />
|-<br />
|<br />
<pre><nowiki><br />
<amsmath><br />
\begin{equation}<br />
a = \sum_{i=0}^{n}{2^i}<br />
\end{equation}<br />
</amsmath><br />
</nowiki></pre><br />
|<br />
<amsmath><br />
\begin{equation}<br />
a = \sum_{i=0}^{n}{2^i}<br />
\end{equation}<br />
</amsmath><br />
|-<br />
! colspan="2" style="background:#ffdead;" | %value% in tex-template is \begin{equation}...\end{equation}<br />
|}<br />
<br />
<br />
<br />
If we start a new ''amsmath'' environment then the equation numbering starts from counter=1 again. Start a new ''amsmath'' environment:<br />
<br />
<amsmath><br />
\begin{equation}<br />
b = \sum_{i=0}^{n}{2^i}<br />
\end{equation}<br />
\begin{equation}<br />
a = \sum_{i=0}^{n}{2^i}<br />
\end{equation}<br />
\begin{eqnarray}<br />
a &\lr& b\\<br />
c &\rr& d\\<br />
e &\ls& f\\<br />
g &\rs& h<br />
\end{eqnarray}<br />
</amsmath><br />
<br />
As we see, both environments start with 1.<br />
<br />
'''Note: to refer to an equation we will have to use a wiki link ...'''<br />
<br />
If we use math inline then we have the following possibilities:<br />
<br />
* Best known attack: 2<sup>63</sup> by Wang et al. using html: <pre><nowiki>2<sup>63</sup></nowiki></pre><br />
* Best known attack: <amsmath>\begin{displaymath}2^{63}\end{displaymath}</amsmath> by Wang et al. using amsmath: <pre><nowiki><amsmath>\begin{displaymath}2^{63}\end{displaymath}</amsmath></nowiki></pre><br />
* Best known attack: <math>2^{63}</math> by Wang et al. using math: <pre><nowiki><math>2^{63}</math></nowiki></pre><br />
<br />
<br />
I think the first case looks best regarding the inline alignment. So I would suggest using html for powers.<br />
<br />
=== References and bibtex ===<br />
<br />
<bibtex><br />
@MISC{HATTORI2004Complexityofthe,<br />
author = {Mitsuhiro HATTORI and Shoichi HIROSE and Susumu YOSHIDA},<br />
title = {Complexity of the Collision and Near-Collision Attack on SHA-0 with Different Message Schedules},<br />
howpublished = {Cryptology ePrint Archive, Report 2004/325},<br />
year = {2004},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/},<br />
pdf = {Q:\pdf\Hattori2004ComplexityOfThe.pdf},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{2,<br />
author = {Daewan Han and Sangwoo Park and Seongtaek Chee},<br />
title = {Cryptanalysis of the Modified Version of the Hash Function Proposed at PKC'98.},<br />
booktitle = {Fast Software Encryption 2002},<br />
year = {2002},<br />
series = {LNCS},<br />
pages = {252-262},<br />
volume = {2365},<br />
publisher = {Springer},<br />
editor = {Joan Daemen and Vincent Rijmen},<br />
pdf = {/test.pdf},<br />
abstract = {This is the abstract of this paper}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@ARTICLE{Dobbertin1998CryptanalysisOfMD4,<br />
author = {Hans Dobbertin},<br />
title = {{Cryptanalysis Of MD4}},<br />
journal = {Journal of Cryptology},<br />
year = {1998},<br />
volume = {11},<br />
number = {4},<br />
pages = {253--271},<br />
pdf = {Q:\pdf\Dobbertin1997CryptanalysisOfMD4.pdf},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@BOOK{Menezes1997HandbookofApplied,<br />
title = {{Handbook of Applied Cryptography}},<br />
publisher = {CRC Press},<br />
year = {1997},<br />
author = {Alfred J. Menezes and Paul C. van Oorschot and Scott A. Vanstone},<br />
note = {Available online at \url{http://www.cacr.math.uwaterloo.ca/hac/}},<br />
}<br />
</bibtex><br />
<br />
=== About different skins ===<br />
Every user can define his own skin. Nevertheless, it turns out that the skin influences the alignment of inline amsmath environments. If we use the standard skin, namely MonoBook (default), then the alignment is pretty ok.<br />
<br />
Therefore, I suggest keeping this skin as default.<br />
<br />
<br />
[http://mediawiki.iaik.tugraz.at/index.php/Testpage1 Testpage1]<br />
<br />
== Getting started ==<br />
<br />
* [http://www.mediawiki.org/wiki/Help:FAQ MediaWiki FAQ]<br />
* [http://mail.wikipedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list]<br />
<br />
<br />
----</div>Nobbihttps://ehash.iaik.tugraz.at/index.php?title=The_eHash_Main_Page&diff=1542The eHash Main Page2006-10-23T09:43:35Z<p>Nobbi: /* Working with maths and Tex */</p>
<hr />
<div>== List of Hash Functions ==<br />
<br />
On this page you can find a collection of existing hash functions.<br />
<br />
[http://mediawiki.iaik.tugraz.at/index.php/HashFunctions Collection of Cryptographic Hash Functions]<br />
<br />
== Notation and Definition ==<br />
<br />
== Generic Attacks on Hash Functions ==<br />
<br />
== Some How Tos ==<br />
<br />
=== Working with maths and Tex ===<br />
<br />
We can write "normal" LaTeX equations by using the ''math'' class. For instance, the following code<br />
<br />
<blockquote style="background: white; border: 1px solid black; padding: 1em;"><pre><nowiki><br />
<math><br />
{\textbf x}_{t} = {\textbf f}({x}_{t-1},{u}_{t-1},{p}_{t-1})<br />
</math><br />
</nowiki></pre></blockquote><br />
<br />
is displayed as<br />
<br />
<math><br />
{\textbf x}_{t} = {\textbf f}({x}_{t-1},{u}_{t-1},{p}_{t-1})<br />
</math><br />
<br />
In order to use tex commands from the amsmath package we use the class ''amsmath''. <br />
Automated numbering of equations works within a single ''amsmath'' environment.<br />
The class amsmath uses the tex template defined in<br />
/var/www/html/mediawiki/extensions/wikitex/wikitex.math.inc.tex<br />
<br />
I changed the template such that we can define global commands. The template looks like<br />
<br />
<blockquote style="background: white; border: 1px solid black; padding: 1em;"><pre><nowiki><br />
\documentclass[10pt]{article}<br />
\usepackage{amssymb,amsmath,amscd,concmath}<br />
% we can define whatever commands we would like to use for consistency.<br />
% of course we have to list these special commands somewhere (maybe we can use<br />
% a pop-up with editing help or something similar)<br />
% for instance:<br />
\newcommand{\rs}{\ensuremath{\gg}} %right shift >><br />
\newcommand{\ls}{\ensuremath{\ll}} %left shift <<<br />
\newcommand{\rr}{\ensuremath{\ggg}} %right rotate >>><br />
\newcommand{\lr}{\ensuremath{\lll}} %left rotate <<<<br />
\pagestyle{empty}<br />
\begin{document}<br />
%value%<br />
\end{document}<br />
</nowiki></pre></blockquote><br />
<br />
For instance:<br />
<br />
{| align="center" border="1" cellpadding="10" cellspacing="0" <br />
|-<br />
!code fragment <br />
!displayed equation<br />
|-<br />
|<br />
<pre><nowiki><br />
<amsmath><br />
\begin{equation}<br />
a = \sum_{i=0}^{n}{2^i}<br />
\end{equation}<br />
</amsmath><br />
</nowiki></pre><br />
|<br />
<amsmath><br />
\begin{equation}<br />
a = \sum_{i=0}^{n}{2^i}<br />
\end{equation}<br />
</amsmath><br />
|-<br />
! colspan="2" style="background:#ffdead;" | %value% in tex-template is \begin{equation}...\end{equation}<br />
|}<br />
<br />
<br />
<br />
If we start a new ''amsmath'' environment then the equation numbering starts from counter=1 again. Start a new ''amsmath'' environment:<br />
<br />
<amsmath><br />
\begin{equation}<br />
b = \sum_{i=0}^{n}{2^i}<br />
\end{equation}<br />
\begin{equation}<br />
a = \sum_{i=0}^{n}{2^i}<br />
\end{equation}<br />
\begin{eqnarray}<br />
a &\lr& b\\<br />
c &\rr& d\\<br />
e &\ls& f\\<br />
g &\rs& h<br />
\end{eqnarray}<br />
</amsmath><br />
<br />
As we see, both environments start with 1.<br />
<br />
'''Note: to refer to an equation we will have to use a wiki link ...'''<br />
<br />
If we use math inline then we have the following possibilities:<br />
<br />
* Best known attack: 2<sup>63</sup> by Wang et al. using html: <pre><nowiki>2<sup>63</sup></nowiki></pre><br />
* Best known attack: <amsmath>\begin{displaymath}2^{63}\end{displaymath}</amsmath> by Wang et al. using amsmath: <pre><nowiki><amsmath>\begin{displaymath}2^{63}\end{displaymath}</amsmath></nowiki></pre><br />
* Best known attack: <math>2^{63}</math> by Wang et al. using math: <pre><nowiki><math>2^{63}</math></nowiki></pre><br />
<br />
<br />
I think the first case looks best regarding the inline alignment. So I would suggest using html for powers.<br />
<br />
=== References and bibtex ===<br />
<br />
=== About different skins ===<br />
Every user can define his own skin. Nevertheless, it turns out that the skin influences the alignment of inline amsmath environments. If we use the standard skin, namely MonoBook (default), then the alignment is pretty ok.<br />
<br />
Therefore, I suggest keeping this skin as default.<br />
<br />
<br />
[http://mediawiki.iaik.tugraz.at/index.php/Testpage1 Testpage1]<br />
<br />
== Getting started ==<br />
<br />
* [http://www.mediawiki.org/wiki/Help:FAQ MediaWiki FAQ]<br />
* [http://mail.wikipedia.org/mailman/listinfo/mediawiki-announce MediaWiki release mailing list]<br />
<br />
<br />
----</div>Nobbihttps://ehash.iaik.tugraz.at/index.php?title=SHA-1&diff=1541SHA-12006-10-23T09:42:48Z<p>Nobbi: /* Performance Evaluation / Implementation (HW and SW) */</p>
<hr />
<div>== General ==<br />
<br />
* digest size: 160 bits<br />
* max. message length: < 2<sup>64</sup> bits<br />
* type: iterative hash function<br />
* compression function: 512-bit message block, 160-bit chaining variable<br />
* [http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf Specification: FIPS 180-2 Secure Hash Standard]<br />
<br />
== Cryptanalysis ==<br />
<br />
=== Best Known Results ===<br />
<br />
The best collision attack on full SHA-1 was published by Wang et al. It has a complexity of 2<sup>69</sup>. The best collision example for 64-step SHA-1 was published by De Cannière and Rechberger.<br />
<br />
=== Collision Attacks ===<br />
<br />
<bibtex><br />
@MISC{HATTORI2004Complexityofthe,<br />
author = {Mitsuhiro HATTORI and Shoichi HIROSE and Susumu YOSHIDA},<br />
title = {Complexity of the Collision and Near-Collision Attack on SHA-0 with Different Message Schedules},<br />
howpublished = {Cryptology ePrint Archive, Report 2004/325},<br />
year = {2004},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/},<br />
pdf = {Q:\pdf\Hattori2004ComplexityOfThe.pdf},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{2,<br />
author = {Daewan Han and Sangwoo Park and Seongtaek Chee},<br />
title = {Cryptanalysis of the Modified Version of the Hash Function Proposed at PKC'98.},<br />
booktitle = {Fast Software Encryption 2002},<br />
year = {2002},<br />
series = {LNCS},<br />
pages = {252-262},<br />
volume = {2365},<br />
publisher = {Springer},<br />
editor = {Joan Daemen and Vincent Rijmen},<br />
pdf = {/test.pdf},<br />
abstract = {This is the abstract of this paper}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@ARTICLE{Dobbertin1998CryptanalysisOfMD4,<br />
author = {Hans Dobbertin},<br />
title = {{Cryptanalysis Of MD4}},<br />
journal = {Journal of Cryptology},<br />
year = {1998},<br />
volume = {11},<br />
number = {4},<br />
pages = {253--271},<br />
pdf = {Q:\pdf\Dobbertin1997CryptanalysisOfMD4.pdf},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@BOOK{Menezes1997HandbookofApplied,<br />
title = {{Handbook of Applied Cryptography}},<br />
publisher = {CRC Press},<br />
year = {1997},<br />
author = {Alfred J. Menezes and Paul C. van Oorschot and Scott A. Vanstone},<br />
note = {Available online at \url{http://www.cacr.math.uwaterloo.ca/hac/}},<br />
}<br />
</bibtex><br />
<br />
Here I would list all papers that deal with SHA-1. We should also give the abstract and the bibtex entry for the corresponding paper. Additionally, we should give our opinion about the attack described in the paper.<br />
----<br />
<br />
=== Second Preimage Attacks ===<br />
* There exists a generic attack (works for all iterated hash functions). See ....<br />
----<br />
<br />
=== Preimage Attacks ===<br />
* We are not aware of any article regarding preimage attacks on SHA-1.<br />
----<br />
<br />
== Performance Evaluation / Implementation (HW and SW) ==<br />
<br />
<bibtex><br />
@inproceedings{DBLP:conf/asap/LeeCV06,<br />
author = {Yong Ki Lee and Herwin Chan and Ingrid Verbauwhede},<br />
title = {Throughput Optimized SHA-1 Architecture Using Unfolding Transformation.},<br />
booktitle = {ASAP 2006},<br />
year = {2006},<br />
pages = {354-359},<br />
url = {http://doi.ieeecomputersociety.org/10.1109/ASAP.2006.68},<br />
series = {IEEE Computer Society},<br />
isbn = {0-7695-2682-9},<br />
abstract = {In this paper, we analyze the theoretical delay bound of the SHA-1 algorithm and propose architectures to achieve high throughput hardware implementations which approach this bound. According to the results of FPGA implementations, 3,541 Mbps with a pipeline and 893 Mbps without a pipeline were achieved. Moreover, synthesis results using 0.18 µm CMOS technology showed that 10.4 Gbps with a pipeline and 3.1 Gbps without a pipeline can be achieved. These results are much faster than previously published results. The high throughputs are due to the unfolding transformation, which reduces the number of required cycles for one block hash. We reduced the required number of cycles to 12 cycles for a 512 bit block and showed that 12 cycles is the optimal in our design.}<br />
}<br />
</bibtex><br />
<br />
== eHash Recommendation (optional) or eHash Opinion ==<br />
Something like: SHA-1 is considered to be broken. Please do not incorporate SHA-1 in new applications any longer. Try to migrate to another hash function.</div>Nobbihttps://ehash.iaik.tugraz.at/index.php?title=SHA-1&diff=1540SHA-12006-10-23T09:33:21Z<p>Nobbi: /* Performance Evaluation / Implementation (HW and SW) */</p>
<hr />
<div>== General ==<br />
<br />
* digest size: 160 bits<br />
* max. message length: < 2<sup>64</sup> bits<br />
* type: iterative hash function<br />
* compression function: 512-bit message block, 160-bit chaining variable<br />
* [http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf Specification: FIPS 180-2 Secure Hash Standard]<br />
<br />
== Cryptanalysis ==<br />
<br />
=== Best Known Results ===<br />
<br />
The best collision attack on full SHA-1 was published by Wang et al. It has a complexity of 2<sup>69</sup>. The best collision example for 64-step SHA-1 was published by De Cannière and Rechberger.<br />
<br />
=== Collision Attacks ===<br />
<br />
<bibtex><br />
@MISC{HATTORI2004Complexityofthe,<br />
author = {Mitsuhiro HATTORI and Shoichi HIROSE and Susumu YOSHIDA},<br />
title = {Complexity of the Collision and Near-Collision Attack on SHA-0 with Different Message Schedules},<br />
howpublished = {Cryptology ePrint Archive, Report 2004/325},<br />
year = {2004},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/},<br />
pdf = {Q:\pdf\Hattori2004ComplexityOfThe.pdf},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{2,<br />
author = {Daewan Han and Sangwoo Park and Seongtaek Chee},<br />
title = {Cryptanalysis of the Modified Version of the Hash Function Proposed at PKC'98.},<br />
booktitle = {Fast Software Encryption 2002},<br />
year = {2002},<br />
series = {LNCS},<br />
pages = {252-262},<br />
volume = {2365},<br />
publisher = {Springer},<br />
editor = {Joan Daemen and Vincent Rijmen},<br />
pdf = {/test.pdf},<br />
abstract = {This is the abstract of this paper}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@ARTICLE{Dobbertin1998CryptanalysisOfMD4,<br />
author = {Hans Dobbertin},<br />
title = {{Cryptanalysis Of MD4}},<br />
journal = {Journal of Cryptology},<br />
year = {1998},<br />
volume = {11},<br />
number = {4},<br />
pages = {253--271},<br />
pdf = {Q:\pdf\Dobbertin1997CryptanalysisOfMD4.pdf},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@BOOK{Menezes1997HandbookofApplied,<br />
title = {{Handbook of Applied Cryptography}},<br />
publisher = {CRC Press},<br />
year = {1997},<br />
author = {Alfred J. Menezes and Paul C. van Oorschot and Scott A. Vanstone},<br />
note = {Available online at \url{http://www.cacr.math.uwaterloo.ca/hac/}},<br />
}<br />
</bibtex><br />
<br />
Here I would list all papers that deal with SHA-1. We should also give the abstract and the bibtex entry for the corresponding paper. Additionally, we should give our opinion about the attack described in the paper.<br />
----<br />
<br />
=== Second Preimage Attacks ===<br />
* There exists a generic attack (works for all iterated hash functions). See ....<br />
----<br />
<br />
=== Preimage Attacks ===<br />
* We are not aware of any article regarding preimage attacks on SHA-1.<br />
----<br />
<br />
== Performance Evaluation / Implementation (HW and SW) ==<br />
<br />
<bibtex><br />
@inproceedings{DBLP:conf/asap/LeeCV06,<br />
author = {Yong Ki Lee and<br />
Herwin Chan and<br />
Ingrid Verbauwhede},<br />
title = {Throughput Optimized SHA-1 Architecture Using Unfolding Transformation.},<br />
booktitle = {ASAP 2006},<br />
year = {2006},<br />
pages = {354-359},<br />
url = {http://doi.ieeecomputersociety.org/10.1109/ASAP.2006.68},<br />
publisher = {IEEE Computer Society},<br />
isbn = {0-7695-2682-9},<br />
abstract = {In this paper, we analyze the theoretical delay bound of the SHA-1 algorithm and propose architectures to achieve high throughput hardware implementations which approach this bound. According to the results of FPGA implementations, 3,541 Mbps with a pipeline and 893 Mbps without a pipeline were achieved. Moreover, synthesis results using 0.18 μm CMOS technology showed that 10.4 Gbps with a pipeline and 3.1 Gbps without a pipeline can be achieved. These results are much faster than previously published results. The high throughputs are due to the unfolding transformation, which reduces the number of required cycles for one block hash. We reduced the required number of cycles to 12 cycles for a 512 bit block and showed that 12 cycles is the optimal in our design.}<br />
}<br />
</bibtex><br />
<br />
== eHash Recommendation (optional) or eHash Opinion ==<br />
Something like: SHA-1 is considered to be broken. Please do not incorporate SHA-1 in new applications any longer. Try to migrate to another hash function.</div>Nobbihttps://ehash.iaik.tugraz.at/index.php?title=SHA-1&diff=1539SHA-12006-10-23T09:32:47Z<p>Nobbi: /* Collision Attacks */</p>
<hr />
<div>== General ==<br />
<br />
* digest size: 160 bits<br />
* max. message length: < 2<sup>64</sup> bits<br />
* type: iterative hash function<br />
* compression function: 512-bit message block, 160-bit chaining variable<br />
* [http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf Specification: FIPS 180-2 Secure Hash Standard]<br />
<br />
== Cryptanalysis ==<br />
<br />
=== Best Known Results ===<br />
<br />
The best collision attack on full SHA-1 was published by Wang et al. It has complexity 2<sup>69</sup>, compared with the generic birthday bound of 2<sup>80</sup> for a 160-bit digest. The best collision example for 64-step SHA-1 was published by De Cannière and Rechberger.<br />
<br />
=== Collision Attacks ===<br />
<br />
<bibtex><br />
@MISC{HATTORI2004Complexityofthe,<br />
author = {Mitsuhiro HATTORI and Shoichi HIROSE and Susumu YOSHIDA},<br />
title = {Complexity of the Collision and Near-Collision Attack on SHA-0 with Different Message Schedules},<br />
howpublished = {Cryptology ePrint Archive, Report 2004/325},<br />
year = {2004},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/},<br />
pdf = {Q:\pdf\Hattori2004ComplexityOfThe.pdf},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{2,<br />
author = {Daewan Han and Sangwoo Park and Seongtaek Chee},<br />
title = {Cryptanalysis of the Modified Version of the Hash Function Proposed at PKC'98.},<br />
booktitle = {Fast Software Encryption 2002},<br />
year = {2002},<br />
series = {LNCS},<br />
pages = {252-262},<br />
volume = {2365},<br />
publisher = {Springer},<br />
editor = {Joan Daemen and Vincent Rijmen},<br />
pdf = {/test.pdf},<br />
abstract = {This is the abstract of this paper}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@ARTICLE{Dobbertin1998CryptanalysisOfMD4,<br />
author = {Hans Dobbertin},<br />
title = {{Cryptanalysis Of MD4}},<br />
journal = {Journal of Cryptology},<br />
year = {1998},<br />
volume = {11},<br />
number = {4},<br />
pages = {253--271},<br />
pdf = {Q:\pdf\Dobbertin1997CryptanalysisOfMD4.pdf},<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@BOOK{Menezes1997HandbookofApplied,<br />
title = {{Handbook of Applied Cryptography}},<br />
publisher = {CRC Press},<br />
year = {1997},<br />
author = {Alfred J. Menezes and Paul C. van Oorschot and Scott A. Vanstone},<br />
note = {Available online at \url{http://www.cacr.math.uwaterloo.ca/hac/}},<br />
}<br />
</bibtex><br />
<br />
Here I would list all papers that deal with SHA-1. We should also give the abstract and the bibtex entry for the corresponding paper. Additionally we should give our opinion about the attack described in the paper.<br />
----<br />
<br />
=== Second Preimage Attacks ===<br />
* There exists a generic attack (works for all iterated hash functions). See ....<br />
----<br />
<br />
=== Preimage Attacks ===<br />
* We are not aware of any article regarding preimage attacks on SHA-1.<br />
----<br />
<br />
== Performance Evaluation / Implementation (HW and SW) ==<br />
<br />
<bibtex><br />
@inproceedings{DBLP:conf/asap/LeeCV06,<br />
author = {Yong Ki Lee and<br />
Herwin Chan and<br />
Ingrid Verbauwhede},<br />
title = {Throughput Optimized SHA-1 Architecture Using Unfolding Transformation.},<br />
booktitle = {ASAP 2006},<br />
year = {2006},<br />
pages = {354-359},<br />
url = {http://doi.ieeecomputersociety.org/10.1109/ASAP.2006.68},<br />
publisher = {IEEE Computer Society},<br />
isbn = {0-7695-2682-9},<br />
abstract = {In this paper, we analyze the theoretical delay bound of the SHA-1 algorithm and propose architectures to achieve high throughput hardware implementations which approach this bound. According to the results of FPGA implementations, 3,541 Mbps with a pipeline and 893 Mbps without a pipeline were achieved. Moreover, synthesis results using 0.18 μm CMOS technology showed that 10.4 Gbps with a pipeline and 3.1 Gbps without a pipeline can be achieved. These results are much faster than previously published results. The high throughputs are due to the unfolding transformation, which reduces the number of required cycles for one block hash. We reduced the required number of cycles to 12 cycles for a 512 bit block and showed that 12 cycles is the optimal in our design.}<br />
}<br />
</bibtex><br />
<br />
== eHash Recommendation (optional) or eHash Opinion ==<br />
Something like: SHA-1 is considered to be broken. Please do not incorporate SHA-1 in new applications any longer. Try to migrate to another hash function.</div>Nobbihttps://ehash.iaik.tugraz.at/index.php?title=SHA-1&diff=1538SHA-12006-10-23T09:31:11Z<p>Nobbi: /* Collision Attacks */</p>
<hr />
<div>== General ==<br />
<br />
* digest size: 160 bits<br />
* max. message length: < 2<sup>64</sup> bits<br />
* type: iterative hash function<br />
* compression function: 512-bit message block, 160-bit chaining variable<br />
* [http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf Specification: FIPS 180-2 Secure Hash Standard]<br />
<br />
== Cryptanalysis ==<br />
<br />
=== Best Known Results ===<br />
<br />
The best collision attack on full SHA-1 was published by Wang et al. It has complexity 2<sup>69</sup>, compared with the generic birthday bound of 2<sup>80</sup> for a 160-bit digest. The best collision example for 64-step SHA-1 was published by De Cannière and Rechberger.<br />
<br />
=== Collision Attacks ===<br />
<br />
<bibtex><br />
@MISC{HATTORI2004Complexityofthe,<br />
author = {Mitsuhiro HATTORI and Shoichi HIROSE and Susumu YOSHIDA},<br />
title = {Complexity of the Collision and Near-Collision Attack on SHA-0 with Different Message Schedules},<br />
howpublished = {Cryptology ePrint Archive, Report 2004/325},<br />
year = {2004},<br />
note = {\url{http://eprint.iacr.org/}},<br />
url = {http://eprint.iacr.org/},<br />
pdf = {Q:\pdf\Hattori2004ComplexityOfThe.pdf},<br />
}<br />
</bibtex><br />
<br />
<br />
<bibtex><br />
@INPROCEEDINGS{2,<br />
author = {Daewan Han and Sangwoo Park and Seongtaek Chee},<br />
title = {Cryptanalysis of the Modified Version of the Hash Function Proposed at PKC'98.},<br />
booktitle = {Fast Software Encryption 2002},<br />
year = {2002},<br />
series = {LNCS},<br />
pages = {252-262},<br />
volume = {2365},<br />
publisher = {Springer},<br />
editor = {Joan Daemen and Vincent Rijmen},<br />
pdf = {/test.pdf},<br />
abstract = {This is the abstract of this paper}<br />
}<br />
</bibtex><br />
<br />
Here I would list all papers that deal with SHA-1. We should also give the abstract and the bibtex entry for the corresponding paper. Additionally we should give our opinion about the attack described in the paper.<br />
----<br />
<br />
=== Second Preimage Attacks ===<br />
* There exists a generic attack (works for all iterated hash functions). See ....<br />
----<br />
<br />
=== Preimage Attacks ===<br />
* We are not aware of any article regarding preimage attacks on SHA-1.<br />
----<br />
<br />
== Performance Evaluation / Implementation (HW and SW) ==<br />
<br />
<bibtex><br />
@inproceedings{DBLP:conf/asap/LeeCV06,<br />
author = {Yong Ki Lee and<br />
Herwin Chan and<br />
Ingrid Verbauwhede},<br />
title = {Throughput Optimized SHA-1 Architecture Using Unfolding Transformation.},<br />
booktitle = {ASAP 2006},<br />
year = {2006},<br />
pages = {354-359},<br />
url = {http://doi.ieeecomputersociety.org/10.1109/ASAP.2006.68},<br />
publisher = {IEEE Computer Society},<br />
isbn = {0-7695-2682-9},<br />
abstract = {In this paper, we analyze the theoretical delay bound of the SHA-1 algorithm and propose architectures to achieve high throughput hardware implementations which approach this bound. According to the results of FPGA implementations, 3,541 Mbps with a pipeline and 893 Mbps without a pipeline were achieved. Moreover, synthesis results using 0.18 μm CMOS technology showed that 10.4 Gbps with a pipeline and 3.1 Gbps without a pipeline can be achieved. These results are much faster than previously published results. The high throughputs are due to the unfolding transformation, which reduces the number of required cycles for one block hash. We reduced the required number of cycles to 12 cycles for a 512 bit block and showed that 12 cycles is the optimal in our design.}<br />
}<br />
</bibtex><br />
<br />
== eHash Recommendation (optional) or eHash Opinion ==<br />
Something like: SHA-1 is considered to be broken. Please do not incorporate SHA-1 in new applications any longer. Try to migrate to another hash function.</div>Nobbihttps://ehash.iaik.tugraz.at/index.php?title=SHA-1&diff=1537SHA-12006-10-23T09:25:21Z<p>Nobbi: /* Collision Attacks */</p>
<hr />
<div>== General ==<br />
<br />
* digest size: 160 bits<br />
* max. message length: < 2<sup>64</sup> bits<br />
* type: iterative hash function<br />
* compression function: 512-bit message block, 160-bit chaining variable<br />
* [http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf Specification: FIPS 180-2 Secure Hash Standard]<br />
<br />
== Cryptanalysis ==<br />
<br />
=== Best Known Results ===<br />
<br />
The best collision attack on full SHA-1 was published by Wang et al. It has complexity 2<sup>69</sup>, compared with the generic birthday bound of 2<sup>80</sup> for a 160-bit digest. The best collision example for 64-step SHA-1 was published by De Cannière and Rechberger.<br />
<br />
=== Collision Attacks ===<br />
<br />
<bibtex><br />
@MISC{HATTORI2004Complexityofthe,<br />
author = {Mitsuhiro HATTORI and Shoichi HIROSE and Susumu YOSHIDA},<br />
title = {Complexity of the Collision and Near-Collision Attack on SHA-0 with Different Message Schedules},<br />
howpublished = {Cryptology ePrint Archive, Report 2004/325},<br />
year = {2004},<br />
note = {\url{http://eprint.iacr.org/}},<br />
pdf = {Q:\pdf\Hattori2004ComplexityOfThe.pdf},<br />
}<br />
</bibtex><br />
<br />
<br />
<bibtex><br />
@INPROCEEDINGS{2,<br />
author = {Anton},<br />
title = {Suppa sache the Modified Version of the Hash Function Proposed at PKC'98.},<br />
booktitle = {Advances in Cryptology - ASIACRYPT 2006},<br />
year = {2007},<br />
series = {LNCS},<br />
pages = {252-262},<br />
volume = {2365},<br />
publisher = {Springer},<br />
editor = {Joan Daemen and Vincent Rijmen},<br />
pdf = {/test.pdf},<br />
abstract = {This is the abstract of this paper}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{2,<br />
author = {Daewan Han and Sangwoo Park and Seongtaek Chee},<br />
title = {Cryptanalysis of the Modified Version of the Hash Function Proposed at PKC'98.},<br />
booktitle = {Fast Software Encryption 2002},<br />
year = {2002},<br />
series = {LNCS},<br />
pages = {252-262},<br />
volume = {2365},<br />
publisher = {Springer},<br />
editor = {Joan Daemen and Vincent Rijmen},<br />
pdf = {/test.pdf},<br />
abstract = {This is the abstract of this paper}<br />
}<br />
</bibtex><br />
<br />
Here I would list all papers that deal with SHA-1. We should also give the abstract and the bibtex entry for the corresponding paper. Additionally we should give our opinion about the attack described in the paper.<br />
----<br />
<br />
=== Second Preimage Attacks ===<br />
* There exists a generic attack (works for all iterated hash functions). See ....<br />
----<br />
<br />
=== Preimage Attacks ===<br />
* We are not aware of any article regarding preimage attacks on SHA-1.<br />
----<br />
<br />
== Performance Evaluation / Implementation (HW and SW) ==<br />
<br />
<bibtex><br />
@inproceedings{DBLP:conf/asap/LeeCV06,<br />
author = {Yong Ki Lee and<br />
Herwin Chan and<br />
Ingrid Verbauwhede},<br />
title = {Throughput Optimized SHA-1 Architecture Using Unfolding Transformation.},<br />
booktitle = {ASAP 2006},<br />
year = {2006},<br />
pages = {354-359},<br />
url = {http://doi.ieeecomputersociety.org/10.1109/ASAP.2006.68},<br />
publisher = {IEEE Computer Society},<br />
isbn = {0-7695-2682-9},<br />
abstract = {In this paper, we analyze the theoretical delay bound of the SHA-1 algorithm and propose architectures to achieve high throughput hardware implementations which approach this bound. According to the results of FPGA implementations, 3,541 Mbps with a pipeline and 893 Mbps without a pipeline were achieved. Moreover, synthesis results using 0.18 μm CMOS technology showed that 10.4 Gbps with a pipeline and 3.1 Gbps without a pipeline can be achieved. These results are much faster than previously published results. The high throughputs are due to the unfolding transformation, which reduces the number of required cycles for one block hash. We reduced the required number of cycles to 12 cycles for a 512 bit block and showed that 12 cycles is the optimal in our design.}<br />
}<br />
</bibtex><br />
<br />
== eHash Recommendation (optional) or eHash Opinion ==<br />
Something like: SHA-1 is considered to be broken. Please do not incorporate SHA-1 in new applications any longer. Try to migrate to another hash function.</div>Nobbihttps://ehash.iaik.tugraz.at/index.php?title=SHA-1&diff=1536SHA-12006-10-23T09:19:56Z<p>Nobbi: /* Collision Attacks */</p>
<hr />
<div>== General ==<br />
<br />
* digest size: 160 bits<br />
* max. message length: < 2<sup>64</sup> bits<br />
* type: iterative hash function<br />
* compression function: 512-bit message block, 160-bit chaining variable<br />
* [http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf Specification: FIPS 180-2 Secure Hash Standard]<br />
<br />
== Cryptanalysis ==<br />
<br />
=== Best Known Results ===<br />
<br />
The best collision attack on full SHA-1 was published by Wang et al. It has complexity 2<sup>69</sup>, compared with the generic birthday bound of 2<sup>80</sup> for a 160-bit digest. The best collision example for 64-step SHA-1 was published by De Cannière and Rechberger.<br />
<br />
=== Collision Attacks ===<br />
<br />
<bibtex>@inproceedings</bibtex><br />
<br />
<br />
<bibtex><br />
@INPROCEEDINGS{2,<br />
author = {Anton},<br />
title = {Suppa sache the Modified Version of the Hash Function Proposed at PKC'98.},<br />
booktitle = {Advances in Cryptology - ASIACRYPT 2006},<br />
year = {2007},<br />
series = {LNCS},<br />
pages = {252-262},<br />
volume = {2365},<br />
publisher = {Springer},<br />
editor = {Joan Daemen and Vincent Rijmen},<br />
pdf = {/test.pdf},<br />
abstract = {This is the abstract of this paper}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{2,<br />
author = {Daewan Han and Sangwoo Park and Seongtaek Chee},<br />
title = {Cryptanalysis of the Modified Version of the Hash Function Proposed at PKC'98.},<br />
booktitle = {Fast Software Encryption 2002},<br />
year = {2002},<br />
series = {LNCS},<br />
pages = {252-262},<br />
volume = {2365},<br />
publisher = {Springer},<br />
editor = {Joan Daemen and Vincent Rijmen},<br />
pdf = {/test.pdf},<br />
abstract = {This is the abstract of this paper}<br />
}<br />
</bibtex><br />
<br />
Here I would list all papers that deal with SHA-1. We should also give the abstract and the bibtex entry for the corresponding paper. Additionally we should give our opinion about the attack described in the paper.<br />
----<br />
<br />
=== Second Preimage Attacks ===<br />
* There exists a generic attack (works for all iterated hash functions). See ....<br />
----<br />
<br />
=== Preimage Attacks ===<br />
* We are not aware of any article regarding preimage attacks on SHA-1.<br />
----<br />
<br />
== Performance Evaluation / Implementation (HW and SW) ==<br />
<br />
<bibtex><br />
@inproceedings{DBLP:conf/asap/LeeCV06,<br />
author = {Yong Ki Lee and<br />
Herwin Chan and<br />
Ingrid Verbauwhede},<br />
title = {Throughput Optimized SHA-1 Architecture Using Unfolding Transformation.},<br />
booktitle = {ASAP 2006},<br />
year = {2006},<br />
pages = {354-359},<br />
url = {http://doi.ieeecomputersociety.org/10.1109/ASAP.2006.68},<br />
publisher = {IEEE Computer Society},<br />
isbn = {0-7695-2682-9},<br />
abstract = {In this paper, we analyze the theoretical delay bound of the SHA-1 algorithm and propose architectures to achieve high throughput hardware implementations which approach this bound. According to the results of FPGA implementations, 3,541 Mbps with a pipeline and 893 Mbps without a pipeline were achieved. Moreover, synthesis results using 0.18 μm CMOS technology showed that 10.4 Gbps with a pipeline and 3.1 Gbps without a pipeline can be achieved. These results are much faster than previously published results. The high throughputs are due to the unfolding transformation, which reduces the number of required cycles for one block hash. We reduced the required number of cycles to 12 cycles for a 512 bit block and showed that 12 cycles is the optimal in our design.}<br />
}<br />
</bibtex><br />
<br />
== eHash Recommendation (optional) or eHash Opinion ==<br />
Something like: SHA-1 is considered to be broken. Please do not incorporate SHA-1 in new applications any longer. Try to migrate to another hash function.</div>Nobbihttps://ehash.iaik.tugraz.at/index.php?title=SHA-1&diff=1535SHA-12006-10-23T08:44:11Z<p>Nobbi: /* Performance Evaluation / Implementation (HW and SW) */</p>
<hr />
<div>== General ==<br />
<br />
* digest size: 160 bits<br />
* max. message length: < 2<sup>64</sup> bits<br />
* type: iterative hash function<br />
* compression function: 512-bit message block, 160-bit chaining variable<br />
* [http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf Specification: FIPS 180-2 Secure Hash Standard]<br />
<br />
== Cryptanalysis ==<br />
<br />
=== Best Known Results ===<br />
<br />
The best collision attack on full SHA-1 was published by Wang et al. It has complexity 2<sup>69</sup>, compared with the generic birthday bound of 2<sup>80</sup> for a 160-bit digest. The best collision example for 64-step SHA-1 was published by De Cannière and Rechberger.<br />
<br />
=== Collision Attacks ===<br />
<br />
<bibtex><br />
@INPROCEEDINGS{1,<br />
author = {Daewan Han and Sangwoo Park and Seongtaek Chee},<br />
title = {Cryptanalysis of the Modified Version of the Hash Function Proposed at PKC'98.},<br />
booktitle = {Fast Software Encryption, 9th International Workshop, FSE 2002, Leuven, Belgium, February 4-6, 2002, Revised Papers},<br />
year = {2002},<br />
editor = {Joan Daemen and Vincent Rijmen},<br />
volume = {2365},<br />
series = {Lecture Notes in Computer Science},<br />
pages = {252-262},<br />
publisher = {Springer},<br />
url = {http://dx.doi.org/10.1007/11799313_8},<br />
pdf = {/test.pdf},<br />
abstract = {This is the abstract of this paper}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{2,<br />
author = {Daewan Han and Sangwoo Park and Seongtaek Chee},<br />
title = {Cryptanalysis of the Modified Version of the Hash Function Proposed at PKC'98.},<br />
booktitle = {Fast Software Encryption, 9th International Workshop, FSE 2002, Leuven, Belgium, February 4-6, 2002, Revised Papers},<br />
year = {2002},<br />
editor = {Joan Daemen and Vincent Rijmen},<br />
volume = {2365},<br />
series = {Lecture Notes in Computer Science},<br />
pages = {252-262},<br />
publisher = {Springer},<br />
pdf = {/test.pdf},<br />
abstract = {This is the abstract of this paper}<br />
}<br />
</bibtex><br />
<br />
Here I would list all papers that deal with SHA-1. We should also give the abstract and the bibtex entry for the corresponding paper. Additionally we should give our opinion about the attack described in the paper.<br />
----<br />
<br />
=== Second Preimage Attacks ===<br />
* There exists a generic attack (works for all iterated hash functions). See ....<br />
----<br />
<br />
=== Preimage Attacks ===<br />
* We are not aware of any article regarding preimage attacks on SHA-1.<br />
----<br />
<br />
== Performance Evaluation / Implementation (HW and SW) ==<br />
<br />
<bibtex><br />
@inproceedings{DBLP:conf/asap/LeeCV06,<br />
author = {Yong Ki Lee and<br />
Herwin Chan and<br />
Ingrid Verbauwhede},<br />
title = {Throughput Optimized SHA-1 Architecture Using Unfolding Transformation.},<br />
booktitle = {ASAP 2006},<br />
year = {2006},<br />
pages = {354-359},<br />
url = {http://doi.ieeecomputersociety.org/10.1109/ASAP.2006.68},<br />
publisher = {IEEE Computer Society},<br />
isbn = {0-7695-2682-9},<br />
abstract = {In this paper, we analyze the theoretical delay bound of the SHA-1 algorithm and propose architectures to achieve high throughput hardware implementations which approach this bound. According to the results of FPGA implementations, 3,541 Mbps with a pipeline and 893 Mbps without a pipeline were achieved. Moreover, synthesis results using 0.18 μm CMOS technology showed that 10.4 Gbps with a pipeline and 3.1 Gbps without a pipeline can be achieved. These results are much faster than previously published results. The high throughputs are due to the unfolding transformation, which reduces the number of required cycles for one block hash. We reduced the required number of cycles to 12 cycles for a 512 bit block and showed that 12 cycles is the optimal in our design.}<br />
}<br />
</bibtex><br />
<br />
== eHash Recommendation (optional) or eHash Opinion ==<br />
Something like: SHA-1 is considered to be broken. Please do not incorporate SHA-1 in new applications any longer. Try to migrate to another hash function.</div>Nobbihttps://ehash.iaik.tugraz.at/index.php?title=SHA-1&diff=1534SHA-12006-10-23T08:39:15Z<p>Nobbi: </p>
<hr />
<div>== General ==<br />
<br />
* digest size: 160 bits<br />
* max. message length: < 2<sup>64</sup> bits<br />
* type: iterative hash function<br />
* compression function: 512-bit message block, 160-bit chaining variable<br />
* [http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf Specification: FIPS 180-2 Secure Hash Standard]<br />
<br />
== Cryptanalysis ==<br />
<br />
=== Best Known Results ===<br />
<br />
The best collision attack on full SHA-1 was published by Wang et al. It has complexity 2<sup>69</sup>, compared with the generic birthday bound of 2<sup>80</sup> for a 160-bit digest. The best collision example for 64-step SHA-1 was published by De Cannière and Rechberger.<br />
<br />
=== Collision Attacks ===<br />
<br />
<bibtex><br />
@INPROCEEDINGS{1,<br />
author = {Daewan Han and Sangwoo Park and Seongtaek Chee},<br />
title = {Cryptanalysis of the Modified Version of the Hash Function Proposed at PKC'98.},<br />
booktitle = {Fast Software Encryption, 9th International Workshop, FSE 2002, Leuven, Belgium, February 4-6, 2002, Revised Papers},<br />
year = {2002},<br />
editor = {Joan Daemen and Vincent Rijmen},<br />
volume = {2365},<br />
series = {Lecture Notes in Computer Science},<br />
pages = {252-262},<br />
publisher = {Springer},<br />
url = {http://dx.doi.org/10.1007/11799313_8},<br />
pdf = {/test.pdf},<br />
abstract = {This is the abstract of this paper}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{2,<br />
author = {Daewan Han and Sangwoo Park and Seongtaek Chee},<br />
title = {Cryptanalysis of the Modified Version of the Hash Function Proposed at PKC'98.},<br />
booktitle = {Fast Software Encryption, 9th International Workshop, FSE 2002, Leuven, Belgium, February 4-6, 2002, Revised Papers},<br />
year = {2002},<br />
editor = {Joan Daemen and Vincent Rijmen},<br />
volume = {2365},<br />
series = {Lecture Notes in Computer Science},<br />
pages = {252-262},<br />
publisher = {Springer},<br />
pdf = {/test.pdf},<br />
abstract = {This is the abstract of this paper}<br />
}<br />
</bibtex><br />
<br />
Here I would list all papers that deal with SHA-1. We should also give the abstract and the bibtex entry for the corresponding paper. Additionally we should give our opinion about the attack described in the paper.<br />
----<br />
<br />
=== Second Preimage Attacks ===<br />
* There exists a generic attack (works for all iterated hash functions). See ....<br />
----<br />
<br />
=== Preimage Attacks ===<br />
* We are not aware of any article regarding preimage attacks on SHA-1.<br />
----<br />
<br />
== Performance Evaluation / Implementation (HW and SW) ==<br />
<br />
== eHash Recommendation (optional) or eHash Opinion ==<br />
Something like: SHA-1 is considered to be broken. Please do not incorporate SHA-1 in new applications any longer. Try to migrate to another hash function.</div>Nobbihttps://ehash.iaik.tugraz.at/index.php?title=SHA-1&diff=1533SHA-12006-10-23T08:36:24Z<p>Nobbi: </p>
<hr />
<div>== General ==<br />
<br />
* digest size: 160 bits<br />
* max. message length: < 2<sup>64</sup> bits<br />
* type: iterative hash function<br />
* compression function: 512-bit message block, 160-bit chaining variable<br />
* [http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf Specification: FIPS 180-2 Secure Hash Standard]<br />
<br />
== Cryptanalysis ==<br />
<br />
=== Best Known Results ===<br />
<br />
The best collision attack on full SHA-1 was published by Wang et al. It has complexity 2<sup>69</sup>, compared with the generic birthday bound of 2<sup>80</sup> for a 160-bit digest. The best collision example for 64-step SHA-1 was published by De Cannière and Rechberger.<br />
<br />
=== Collection of Articles ===<br />
<br />
'''Collision Attacks'''<br />
<br />
<bibtex><br />
@INPROCEEDINGS{1,<br />
author = {Daewan Han and Sangwoo Park and Seongtaek Chee},<br />
title = {Cryptanalysis of the Modified Version of the Hash Function Proposed at PKC'98.},<br />
booktitle = {Fast Software Encryption, 9th International Workshop, FSE 2002, Leuven, Belgium, February 4-6, 2002, Revised Papers},<br />
year = {2002},<br />
editor = {Joan Daemen and Vincent Rijmen},<br />
volume = {2365},<br />
series = {Lecture Notes in Computer Science},<br />
pages = {252-262},<br />
publisher = {Springer},<br />
url = {http://dx.doi.org/10.1007/11799313_8},<br />
pdf = {/test.pdf},<br />
abstract = {This is the abstract of this paper}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{2,<br />
author = {Daewan Han and Sangwoo Park and Seongtaek Chee},<br />
title = {Cryptanalysis of the Modified Version of the Hash Function Proposed at PKC'98.},<br />
booktitle = {Fast Software Encryption, 9th International Workshop, FSE 2002, Leuven, Belgium, February 4-6, 2002, Revised Papers},<br />
year = {2002},<br />
editor = {Joan Daemen and Vincent Rijmen},<br />
volume = {2365},<br />
series = {Lecture Notes in Computer Science},<br />
pages = {252-262},<br />
publisher = {Springer},<br />
pdf = {/test.pdf},<br />
abstract = {This is the abstract of this paper}<br />
}<br />
</bibtex><br />
<br />
Here I would list all papers that deal with SHA-1. We should also give the abstract and the bibtex entry for the corresponding paper. Additionally we should give our opinion about the attack described in the paper.<br />
----<br />
<br />
'''Second Preimage Attacks'''<br />
* There exists a generic attack (works for all iterated hash functions). See ....<br />
----<br />
<br />
'''Preimage Attacks'''<br />
* We are not aware of any article regarding preimage attacks on SHA-1.<br />
----<br />
<br />
== Performance Evaluation / Implementation (HW and SW) ==<br />
<br />
== eHash Recommendation (optional) or eHash Opinion ==<br />
Something like: SHA-1 is considered to be broken. Please do not incorporate SHA-1 in new applications any longer. Try to migrate to another hash function.</div>Nobbihttps://ehash.iaik.tugraz.at/index.php?title=SHA-1&diff=1532SHA-12006-10-23T08:33:28Z<p>Nobbi: </p>
<hr />
<div>== General ==<br />
<br />
* digest size: 160 bits<br />
* max. message length: < 2<sup>64</sup> bits<br />
* type: iterative hash function<br />
* compression function: 512-bit message block, 160-bit chaining variable<br />
* [http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf Specification: FIPS 180-2 Secure Hash Standard]<br />
<br />
== Cryptanalysis ==<br />
<br />
=== Best Known Results ===<br />
<br />
Here we summarize the best known (published) results. In text form ...<br />
<br />
=== Collection of Articles ===<br />
<br />
* '''Collision Attacks'''<br />
<br />
<bibtex><br />
@INPROCEEDINGS{1,<br />
author = {Daewan Han and Sangwoo Park and Seongtaek Chee},<br />
title = {Cryptanalysis of the Modified Version of the Hash Function Proposed at PKC'98.},<br />
booktitle = {Fast Software Encryption, 9th International Workshop, FSE 2002, Leuven, Belgium, February 4-6, 2002, Revised Papers},<br />
year = {2002},<br />
editor = {Joan Daemen and Vincent Rijmen},<br />
volume = {2365},<br />
series = {Lecture Notes in Computer Science},<br />
pages = {252-262},<br />
publisher = {Springer},<br />
url = {http://dx.doi.org/10.1007/11799313_8},<br />
pdf = {/test.pdf},<br />
abstract = {This is the abstract of this paper}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{2,<br />
author = {Daewan Han and Sangwoo Park and Seongtaek Chee},<br />
title = {Cryptanalysis of the Modified Version of the Hash Function Proposed at PKC'98.},<br />
booktitle = {Fast Software Encryption, 9th International Workshop, FSE 2002, Leuven, Belgium, February 4-6, 2002, Revised Papers},<br />
year = {2002},<br />
editor = {Joan Daemen and Vincent Rijmen},<br />
volume = {2365},<br />
series = {Lecture Notes in Computer Science},<br />
pages = {252-262},<br />
publisher = {Springer},<br />
pdf = {/test.pdf},<br />
abstract = {This is the abstract of this paper}<br />
}<br />
</bibtex><br />
<br />
<br />
Here I would list all papers that deal with SHA-1. We should also give the abstract and the bibtex entry for the corresponding paper. Additionally we should give our opinion about the attack described in the paper.<br />
----<br />
<br />
* '''Second Preimage Attacks'''<br />
** There exists a generic attack (works for all iterated hash functions). See ....<br />
----<br />
<br />
* '''Preimage Attacks'''<br />
** We are not aware of any article regarding preimage attacks on SHA-1.<br />
----<br />
<br />
== Performance Evaluation / Implementation (HW and SW) ==<br />
<br />
== eHash Recommendation (optional) or eHash Opinion ==<br />
Something like: SHA-1 is considered to be broken. Please do not incorporate SHA-1 in new applications any longer. Try to migrate to another hash function.</div>Nobbihttps://ehash.iaik.tugraz.at/index.php?title=SHA-1&diff=1531SHA-12006-10-23T08:32:09Z<p>Nobbi: /* Collection of Articles */</p>
<hr />
<div>== General ==<br />
<br />
* digest size: 160 bits<br />
* max. message length: < 2<sup>64</sup> bits<br />
* type: iterative hash function<br />
* compression function: 512-bit message block, 160-bit chaining variable<br />
* [http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf Specification: FIPS 180-2 Secure Hash Standard]<br />
<br />
== Cryptanalysis ==<br />
<br />
=== Best Known Results ===<br />
<br />
Here we summarize the best known (published) results. In text form ...<br />
<br />
=== Collection of Articles ===<br />
<br />
* '''Collision Attacks'''<br />
<br />
<bibtex><br />
@INPROCEEDINGS{1,<br />
author = {Daewan Han and Sangwoo Park and Seongtaek Chee},<br />
title = {Cryptanalysis of the Modified Version of the Hash Function Proposed at PKC'98.},<br />
booktitle = {Fast Software Encryption, 9th International Workshop, FSE 2002, Leuven, Belgium, February 4-6, 2002, Revised Papers},<br />
year = {2002},<br />
editor = {Joan Daemen and Vincent Rijmen},<br />
volume = {2365},<br />
series = {Lecture Notes in Computer Science},<br />
pages = {252-262},<br />
publisher = {Springer},<br />
url = {http://dx.doi.org/10.1007/11799313_8},<br />
pdf = {/test.pdf},<br />
abstract = {This is the abstract of this paper}<br />
}<br />
</bibtex><br />
<br />
<bibtex><br />
@INPROCEEDINGS{2,<br />
author = {Daewan Han and Sangwoo Park and Seongtaek Chee},<br />
title = {Cryptanalysis of the Modified Version of the Hash Function Proposed at PKC'98.},<br />
booktitle = {Fast Software Encryption, 9th International Workshop, FSE 2002, Leuven, Belgium, February 4-6, 2002, Revised Papers},<br />
year = {2002},<br />
editor = {Joan Daemen and Vincent Rijmen},<br />
volume = {2365},<br />
series = {Lecture Notes in Computer Science},<br />
pages = {252-262},<br />
publisher = {Springer},<br />
pdf = {/test.pdf},<br />
abstract = {This is the abstract of this paper}<br />
}<br />
</bibtex><br />
<br />
<br />
Here I would list all papers that deal with SHA-1. We should also give the abstract and the bibtex entry for the corresponding paper. Additionally we should give our opinion about the attack described in the paper.<br />
----<br />
<br />
* '''Second Preimage Attacks'''<br />
** There exists a generic attack (works for all iterated hash functions). See ....<br />
----<br />
<br />
* '''Preimage Attacks'''<br />
** We are not aware of any article regarding preimage attacks on SHA-1.<br />
----<br />
<br />
== eHash Recommendation (optional) or eHash Opinion ==<br />
Something like: SHA-1 is considered to be broken. Please do not incorporate SHA-1 in new applications any longer. Try to migrate to another hash function.</div>Nobbi