Meet-in-the-Middle Preimage Attacks Against Reduced SHA-0 and SHA-1

  • Kazumaro Aoki
  • Yu Sasaki
Conference paper

DOI: 10.1007/978-3-642-03356-8_5

Part of the Lecture Notes in Computer Science book series (LNCS, volume 5677)
Cite this paper as:
Aoki K., Sasaki Y. (2009) Meet-in-the-Middle Preimage Attacks Against Reduced SHA-0 and SHA-1. In: Halevi S. (eds) Advances in Cryptology - CRYPTO 2009. Lecture Notes in Computer Science, vol 5677. Springer, Berlin, Heidelberg


Preimage resistance of several hash functions has already been broken by the meet-in-the-middle attacks and they utilize a property that their message schedules consist of only permutations of message words. It is unclear whether this type of attacks is applicable to a hash function whose message schedule does not consist of permutations of message words. This paper proposes new attacks against reduced SHA-0 and SHA-1 hash functions by analyzing a message schedule that does not consist of permutations but linear combinations of message words. The newly developed cryptanalytic techniques enable the meet-in-the-middle attack to be applied to reduced SHA-0 and SHA-1 hash functions. The attacks find preimages of SHA-0 and SHA-1 in 2156.6 and 2159.3 compression function computations up to 52 and 48 steps, respectively, compared to the brute-force attack, which requires 2160 compression function computations. The previous best attacks find preimages up to 49 and 44 steps, respectively.


SHA-0 SHA-1 meet-in-the-middle one-way preimage 
Download to read the full conference paper text

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Kazumaro Aoki
    • 1
  • Yu Sasaki
    • 1
  1. 1.NTTTokyoJapan

Personalised recommendations