New Preimage Attacks against Reduced SHA-1

  • Simon Knellwolf
  • Dmitry Khovratovich
Conference paper

DOI: 10.1007/978-3-642-32009-5_22

Part of the Lecture Notes in Computer Science book series (LNCS, volume 7417)
Cite this paper as:
Knellwolf S., Khovratovich D. (2012) New Preimage Attacks against Reduced SHA-1. In: Safavi-Naini R., Canetti R. (eds) Advances in Cryptology – CRYPTO 2012. Lecture Notes in Computer Science, vol 7417. Springer, Berlin, Heidelberg


This paper shows preimage attacks against reduced SHA-1 up to 57 steps. The best previous attack, presented at CRYPTO 2009, covered 48 steps and found a two-block preimage with incorrect padding at the cost of \(2^{159.3}\) evaluations of the compression function. For the same variant, our attacks find a one-block preimage at \(2^{150.6}\) and a correctly padded two-block preimage at \(2^{151.1}\) evaluations of the compression function. The improved results come out of a differential view on the meet-in-the-middle technique originally developed by Aoki and Sasaki. The new framework closely relates meet-in-the-middle attacks to differential cryptanalysis, which turns out to be particularly useful for hash functions with linear message expansion and weak diffusion properties.


Keywords: SHA-1, preimage attack, differential meet-in-the-middle

Copyright information

© International Association for Cryptologic Research 2012

Authors and Affiliations

  • Simon Knellwolf (1)
  • Dmitry Khovratovich (2)
  1. ETH Zurich and FHNW, Zurich, Switzerland
  2. Microsoft Research Redmond, Redmond, USA
