Difference between revisions of "SHA-1"

From The ECRYPT Hash Function Website
(Cryptanalysis)
(Collision Attacks)
Line 16: Line 16:
  
 
<bibtex>
 
<bibtex>
@MISC{HATTORI2004Complexityofthe,
+
@INPROCEEDINGS{Pramstaller2005ExploitingCodingTheory,
   author = {Mitsuhiro HATTORI and Shoichi HIROSE and Susumu YOSHIDA},
+
   author = {Norbert Pramstaller and Christian Rechberger and Vincent Rijmen},
   title = {Complexity of the Collision and Near-Collision Attack on SHA-0 with Different Message Schedules},
+
   title = {Exploiting Coding Theory for Collision Attacks on SHA-1},
   howpublished = {Cryptology ePrint Archive, Report 2004/325},
+
  booktitle = {10th Cryptography and Coding 2005},
   year = {2004},
+
  year = {2005},
   note = {\url{http://eprint.iacr.org/}},
+
  editor = {Nigel P. Smart},
   url = {http://eprint.iacr.org/},
+
   volume = {3796},
 +
  series = {LNCS},
 +
   pages = {78-95},
 +
   publisher = {Springer},
 +
  url       = {http://dx.doi.org/10.1007/11586821_7},
 +
  abstract  = {In this article we show that coding theory can be exploited efficiently for the cryptanalysis of hash functions. We will mainly focus on SHA-1. We present different linear codes that are used to find low-weight differences that lead to a collision. We extend existing approaches and include recent results in the cryptanalysis of hash functions. With our approach we are able to find differences with very low weight. Based on the weight of these differences we conjecture the complexity for a collision attack on the full SHA-1.}
 +
}
 +
</bibtex>
 +
 
 +
<bibtex>
 +
@inproceedings{Pramstaller2005ImpactOfRotations,
 +
  author    = {Norbert Pramstaller and Christian Rechberger and Vincent Rijmen},
 +
  title    = {Impact of Rotations in SHA-1 and Related Hash Functions.},
 +
  booktitle = {SAC 2005},
 +
  year      = {2006},
 +
  pages    = {261-275},
 +
  publisher = {Springer},
 +
  series    = {LNCS},
 +
  volume    = {3897},
 +
   url       = {http://dx.doi.org/10.1007/11693383_18},
 +
  abstract  = {SHA-1 uses a single set of rotation constants within the compression function. However, most other members of the MD4 family of hash functions use multiple sets of rotation constants, MediaObjects/InlineFigure1.pngthe rotation amounts change with the step being processed. To our knowledge, no design rationales on the choice of rotation constants are given on any of these hash functions. This is the first paper that analyzes rotations in iterated hash functions. We focus on SHA-1-like hash functions and use recent developments in the analysis of these hash functions to evaluate the security implications of using multiple sets of rotation constants in the compression function instead of a single set. Additionally, we give some observations on the set of constants used in SHA-0 and SHA-1.},
 +
}
 +
</bibtex>
 +
 
 +
<bibtex>
 +
@MISC{Wang2005NewCollisionSearch,
 +
  author = {Xiaoyun Wang and Andrew Yao and Frances Yao},
 +
  title = {{New Collision Search for SHA-1}},
 +
  month = {August},
 +
  year = {2005},
 +
  note = {Presented at rump session of CRYPTO 2005},
 +
  owner = {npramstaller},
 
}
 
}
 
</bibtex>
 
</bibtex>
  
 
<bibtex>
 
<bibtex>
@INPROCEEDINGS{2,
+
@MISC{Wang2005CryptanalysisOfSHA1,
   author = {Daewan Han and Sangwoo Park and Seongtaek Chee},
+
   author = {Xiaoyun Wang and Andrew Yao and Frances Yao},
   title = {Cryptanalysis of the Modified Version of the Hash Function Proposed at PKC'98.},
+
   title = {{Cryptanalysis of SHA-1}},
   booktitle = {Fast Software Encryption 2002},
+
  howpublished = {Presented at the Cryptographic Hash Workshop hosted by NIST},
   year = {2002},
+
  month = {October},
 +
  year = {2005},
 +
}
 +
</bibtex>
 +
 
 +
<bibtex>
 +
@INPROCEEDINGS{Wang2005FindingCollisionsin,
 +
  author = {Xiaoyun Wang and Yiqun Lisa Yin and Hongbo Yu},
 +
  title = {{Finding Collisions in the Full SHA-1}},
 +
   booktitle = {Advances in Cryptology - CRYPTO 2005},
 +
   year = {2005},
 +
  editor = {Victor Shoup},
 +
  volume = {3621},
 
   series = {LNCS},
 
   series = {LNCS},
   pages = {252-262},
+
   pages = {17--36},
   volume = {2365},
+
   url    = {http://dx.doi.org/10.1007/11535218_2},
 
   publisher = {Springer},
 
   publisher = {Springer},
   editor = {Joan Daemen and Vincent Rijmen},
+
   abstract  = {In this paper, we present new collision search attacks on the hash function SHA-1. We show that collisions of SHA-1 can be found with complexity less than 2<sup>69</sup> hash operations. This is the first attack on the full 80-step SHA-1 with complexity less than the 2<sup>80</sup> theoretical bound.},
  abstract = {This is the abstract of this paper}
 
 
}
 
}
 
</bibtex>
 
</bibtex>
  
 
<bibtex>
 
<bibtex>
@ARTICLE{Dobbertin1998CryptanalysisOfMD4,
+
@INPROCEEDINGS{Rijmen2005UpdateonSHA-1,
   author = {Hans Dobbertin},
+
   author = {Vincent Rijmen and Elisabeth Oswald},
   title = {{Cryptanalysis Of MD4}},
+
   title = {Update on SHA-1},
   journal = {Journal of Cryptology},
+
  booktitle = {CT-RSA 2005},
   year = {1998},
+
   year = {2005},
   volume = {11},
+
   editor = {Alfred Menezes},
   number = {4},
+
   volume = {3376},
   pages = {253--271},
+
   series = {LNCS},
 +
   pages = {58--71},
 +
  publisher = {Springer},
 +
  url      = {http://dx.doi.org/10.1007/b105222},
 +
  abstract  = {We report on the experiments we performed in order to assess the security of SHA-1 against the attack by Chabaud and Joux [5]. We present some ideas for optimizations of the attack and some properties of the message expansion routine. Finally, we show that for a reduced version of SHA-1, with 53 rounds instead of 80, it is possible to find collisions in less than 2<sup>80</sup> operations.},
 
}
 
}
 
</bibtex>
 
</bibtex>
  
 
<bibtex>
 
<bibtex>
@BOOK{Menezes1997HandbookofApplied,
+
@INPROCEEDINGS{Biham2005CollisionsofSHA-0,
   title = {Handbook of Applied Cryptography},
+
  author = {Eli Biham and Rafi Chen and Antoine hirose and Patrick Carribault and Christophe Lemuet and William Jalby},
   publisher = {CRC Press},
+
   title = {Collisions of SHA-0 and Reduced SHA-1},
   year = {1997},
+
   booktitle = {Advances in Cryptology - EUROCRYPT 2005},
   author = {Alfred J. Menezes and Paul C. van Oorschot and Scott A. Vanstone},
+
   year = {2005},
   note = {Available online at \url{http://www.cacr.math.uwaterloo.ca/hac/}},
+
  editor = {Ronald Cramer},
 +
  volume = {3494},
 +
  series = {LNCS},
 +
   pages = {36--57},
 +
   publisher = {Springer},
 +
  url       = {http://dx.doi.org/10.1007/11426639_3},
 +
  abstract    = {In this paper we describe improvements to the techniques used to cryptanalyze SHA-0 and introduce the first results on SHA-1. The results include a generic multi-block technique that uses near-collisions in order to find collisions, and a four-block collision of SHA-0 found using this technique with complexity 2<sup>51</sup>. Then, extension of this and prior techniques are presented, that allow us to find collisions of reduced versions of SHA-1. We give collisions of variants with up to 40 rounds, and show the complexities of longer variants. These techniques show that collisions up to about 53-58 rounds can still be found faster than by birthday attacks.},
 
}
 
}
 
</bibtex>
 
</bibtex>
  
Here I would list all papers that deal with SHA-1. We should also give the abstract and the bibtex entry for the corresponding paper. Additionall we should give our opinion about the attack described in the paper.
+
<bibtex>
----
+
@inproceedings{Satoh2005HardwareArchitectureAnd,
 +
  author    = {Akashi Satoh},
 +
  title    = {Hardware Architecture and Cost Estimates for Breaking SHA-1.},
 +
  booktitle = {ISC 2005},
 +
  year      = {2005},
 +
  pages    = {259-273},
 +
  publisher = {Springer},
 +
  series    = {LNCS},
 +
  volume    = {3650},
 +
  url      = {http://dx.doi.org/10.1007/11556992_19},
 +
  abstract = {The cryptanalysis of hash functions has advanced rapidly, and many hash functions have been broken one after another. The most popular hash function SHA-1 has not been broken yet, but the new collision search techniques proposed by Wang et al. reduced the computational complexity down to 2<sup>69</sup>, which is only 1/2,000 of the 2<sup>80</sup> operations needed for a birthday attack. The complexity is still too large even for today’s supercomputers, but no feasibility study of breaking SHA-1 using specialized hardware has been reported. The well known brute force attack on DES simply repeats the DES operation 2<sup>56</sup> times at a maximum, but the complexity of 2<sup>69</sup> hash operations to break SHA-1 does not mean 2<sup>69</sup> SHA-1 operations. Complex procedures using SHA-1 functions are required, and the total number of operations based on the probability of a collision occurrence is almost equivalent to the 2<sup>69</sup> SHA-1 operations. Therefore, we describe a procedure and propose an LSI architecture to find real collisions for SHA-1 in this paper. The hardware core was synthesized by using a 0.13-µm CMOS standard cell library, and its performances in speed, size, and power consumption were evaluated. A $10 million budget can build a custom hardware system that would consist of 303 personal computers with 16 circuit boards each, in which 32 SHA-1-breaking LSIs are mounted. Each LSI has 64 SHA-1 cores that can run in parallel. This system would find a real collision in 127 days.}
 +
}
 +
</bibtex>
  
 
=== Second Preimage Attacks ===
 
=== Second Preimage Attacks ===

Revision as of 14:23, 23 October 2006

1 General

2 Cryptanalysis

2.1 Best Known Results

The best collision attack on full SHA-1 was published by Wang etal. It has complexity of 269 hash evaluations. The best collision example, a 64-step collision for SHA-1, was publshed by DeCanniere and Rechberger.

2.2 Collision Attacks

Norbert Pramstaller, Christian Rechberger, Vincent Rijmen - Exploiting Coding Theory for Collision Attacks on SHA-1

10th Cryptography and Coding 2005 3796:78-95,2005
http://dx.doi.org/10.1007/11586821_7
Bibtex
Author : Norbert Pramstaller, Christian Rechberger, Vincent Rijmen
Title : Exploiting Coding Theory for Collision Attacks on SHA-1
In : 10th Cryptography and Coding 2005 -
Address :
Date : 2005

Norbert Pramstaller, Christian Rechberger, Vincent Rijmen - Impact of Rotations in SHA-1 and Related Hash Functions.

SAC 2005 3897:261-275,2006
http://dx.doi.org/10.1007/11693383_18
Bibtex
Author : Norbert Pramstaller, Christian Rechberger, Vincent Rijmen
Title : Impact of Rotations in SHA-1 and Related Hash Functions.
In : SAC 2005 -
Address :
Date : 2006

Xiaoyun Wang, Andrew Yao, Frances Yao - {New Collision Search for SHA-1}

, August 2005
Bibtex
Author : Xiaoyun Wang, Andrew Yao, Frances Yao
Title : {New Collision Search for SHA-1}
In : -
Address :
Date : August 2005

Xiaoyun Wang, Andrew Yao, Frances Yao - {Cryptanalysis of SHA-1}

, October 2005
Bibtex
Author : Xiaoyun Wang, Andrew Yao, Frances Yao
Title : {Cryptanalysis of SHA-1}
In : -
Address :
Date : October 2005

Xiaoyun Wang, Yiqun Lisa Yin, Hongbo Yu - {Finding Collisions in the Full SHA-1}

Advances in Cryptology - CRYPTO 2005 3621:17--36,2005
http://dx.doi.org/10.1007/11535218_2
Bibtex
Author : Xiaoyun Wang, Yiqun Lisa Yin, Hongbo Yu
Title : {Finding Collisions in the Full SHA-1}
In : Advances in Cryptology - CRYPTO 2005 -
Address :
Date : 2005

Vincent Rijmen, Elisabeth Oswald - Update on SHA-1

CT-RSA 2005 3376:58--71,2005
http://dx.doi.org/10.1007/b105222
Bibtex
Author : Vincent Rijmen, Elisabeth Oswald
Title : Update on SHA-1
In : CT-RSA 2005 -
Address :
Date : 2005

Eli Biham, Rafi Chen, Antoine hirose, Patrick Carribault, Christophe Lemuet, William Jalby - Collisions of SHA-0 and Reduced SHA-1

Advances in Cryptology - EUROCRYPT 2005 3494:36--57,2005
http://dx.doi.org/10.1007/11426639_3
Bibtex
Author : Eli Biham, Rafi Chen, Antoine hirose, Patrick Carribault, Christophe Lemuet, William Jalby
Title : Collisions of SHA-0 and Reduced SHA-1
In : Advances in Cryptology - EUROCRYPT 2005 -
Address :
Date : 2005

Akashi Satoh - Hardware Architecture and Cost Estimates for Breaking SHA-1.

ISC 2005 3650:259-273,2005
http://dx.doi.org/10.1007/11556992_19
Bibtex
Author : Akashi Satoh
Title : Hardware Architecture and Cost Estimates for Breaking SHA-1.
In : ISC 2005 -
Address :
Date : 2005

2.3 Second Preimage Attacks

  • There exists a generic attack (works for all iterated hash functions). See ....

2.4 Preimage Attacks

  • We are not aware of any article regarding preimage attacks on SHA-1.

2.5 Others

everything that does not fit into coll/(2nd)preimage and implementation


3 Performance Evaluation / Implementation (HW and SW)

Yong Ki Lee, Herwin Chan, Ingrid Verbauwhede - Throughput Optimized SHA-1 Architecture Using Unfolding Transformation.

ASAP 2006 pp. 354-359,2006
http://doi.ieeecomputersociety.org/10.1109/ASAP.2006.68
Bibtex
Author : Yong Ki Lee, Herwin Chan, Ingrid Verbauwhede
Title : Throughput Optimized SHA-1 Architecture Using Unfolding Transformation.
In : ASAP 2006 -
Address :
Date : 2006

4 eHash Recommendation (optional) or eHash Opinion

Something like: SHA-1 is considered to be broken. Please do not incorporate SHA-1 in new application any longer. Try to migrate to another hash function.